mbedtls-slave-prot-prod - mbed TLS Build

Users » williequesada » Code » mbedtls-slave-prot-prod

mbed TLS Build

library/ssl_tls.c@1:1a219dea6cb5, 2019-06-04 (annotated)

Committer:: williequesada
Date:: Tue Jun 04 16:03:38 2019 +0000
Revision:: 1:1a219dea6cb5
Parent:: 0:cdf462088d13

compartir a Pablo

Who changed what in which revision?

User	Revision	Line number	New contents of line
markrad	0:cdf462088d13	1	/*
markrad	0:cdf462088d13	2	* SSLv3/TLSv1 shared functions
markrad	0:cdf462088d13	3	*
markrad	0:cdf462088d13	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
markrad	0:cdf462088d13	5	* SPDX-License-Identifier: Apache-2.0
markrad	0:cdf462088d13	6	*
markrad	0:cdf462088d13	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
markrad	0:cdf462088d13	8	* not use this file except in compliance with the License.
markrad	0:cdf462088d13	9	* You may obtain a copy of the License at
markrad	0:cdf462088d13	10	*
markrad	0:cdf462088d13	11	* http://www.apache.org/licenses/LICENSE-2.0
markrad	0:cdf462088d13	12	*
markrad	0:cdf462088d13	13	* Unless required by applicable law or agreed to in writing, software
markrad	0:cdf462088d13	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
markrad	0:cdf462088d13	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
markrad	0:cdf462088d13	16	* See the License for the specific language governing permissions and
markrad	0:cdf462088d13	17	* limitations under the License.
markrad	0:cdf462088d13	18	*
markrad	0:cdf462088d13	19	* This file is part of mbed TLS (https://tls.mbed.org)
markrad	0:cdf462088d13	20	*/
markrad	0:cdf462088d13	21	/*
markrad	0:cdf462088d13	22	* The SSL 3.0 specification was drafted by Netscape in 1996,
markrad	0:cdf462088d13	23	* and became an IETF standard in 1999.
markrad	0:cdf462088d13	24	*
markrad	0:cdf462088d13	25	* http://wp.netscape.com/eng/ssl3/
markrad	0:cdf462088d13	26	* http://www.ietf.org/rfc/rfc2246.txt
markrad	0:cdf462088d13	27	* http://www.ietf.org/rfc/rfc4346.txt
markrad	0:cdf462088d13	28	*/
markrad	0:cdf462088d13	29
markrad	0:cdf462088d13	30	#if !defined(MBEDTLS_CONFIG_FILE)
markrad	0:cdf462088d13	31	#include "mbedtls/config.h"
markrad	0:cdf462088d13	32	#else
markrad	0:cdf462088d13	33	#include MBEDTLS_CONFIG_FILE
markrad	0:cdf462088d13	34	#endif
markrad	0:cdf462088d13	35
markrad	0:cdf462088d13	36	#if defined(MBEDTLS_SSL_TLS_C)
markrad	0:cdf462088d13	37
markrad	0:cdf462088d13	38	#if defined(MBEDTLS_PLATFORM_C)
markrad	0:cdf462088d13	39	#include "mbedtls/platform.h"
markrad	0:cdf462088d13	40	#else
markrad	0:cdf462088d13	41	#include <stdlib.h>
markrad	0:cdf462088d13	42	#define mbedtls_calloc calloc
markrad	0:cdf462088d13	43	#define mbedtls_free free
markrad	0:cdf462088d13	44	#endif
markrad	0:cdf462088d13	45
markrad	0:cdf462088d13	46	#include "mbedtls/debug.h"
markrad	0:cdf462088d13	47	#include "mbedtls/ssl.h"
markrad	0:cdf462088d13	48	#include "mbedtls/ssl_internal.h"
markrad	0:cdf462088d13	49
markrad	0:cdf462088d13	50	#include <string.h>
markrad	0:cdf462088d13	51
markrad	0:cdf462088d13	52	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	53	#include "mbedtls/oid.h"
markrad	0:cdf462088d13	54	#endif
markrad	0:cdf462088d13	55
markrad	0:cdf462088d13	56	/* Implementation that should never be optimized out by the compiler */
markrad	0:cdf462088d13	57	static void mbedtls_zeroize( void *v, size_t n ) {
markrad	0:cdf462088d13	58	volatile unsigned char p = v; while( n-- ) p++ = 0;
markrad	0:cdf462088d13	59	}
markrad	0:cdf462088d13	60
markrad	0:cdf462088d13	61	/* Length of the "epoch" field in the record header */
markrad	0:cdf462088d13	62	static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	63	{
markrad	0:cdf462088d13	64	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	65	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	66	return( 2 );
markrad	0:cdf462088d13	67	#else
markrad	0:cdf462088d13	68	((void) ssl);
markrad	0:cdf462088d13	69	#endif
markrad	0:cdf462088d13	70	return( 0 );
markrad	0:cdf462088d13	71	}
markrad	0:cdf462088d13	72
markrad	0:cdf462088d13	73	/*
markrad	0:cdf462088d13	74	* Start a timer.
markrad	0:cdf462088d13	75	* Passing millisecs = 0 cancels a running timer.
markrad	0:cdf462088d13	76	*/
markrad	0:cdf462088d13	77	static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
markrad	0:cdf462088d13	78	{
markrad	0:cdf462088d13	79	if( ssl->f_set_timer == NULL )
markrad	0:cdf462088d13	80	return;
markrad	0:cdf462088d13	81
markrad	0:cdf462088d13	82	MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
markrad	0:cdf462088d13	83	ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
markrad	0:cdf462088d13	84	}
markrad	0:cdf462088d13	85
markrad	0:cdf462088d13	86	/*
markrad	0:cdf462088d13	87	* Return -1 is timer is expired, 0 if it isn't.
markrad	0:cdf462088d13	88	*/
markrad	0:cdf462088d13	89	static int ssl_check_timer( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	90	{
markrad	0:cdf462088d13	91	if( ssl->f_get_timer == NULL )
markrad	0:cdf462088d13	92	return( 0 );
markrad	0:cdf462088d13	93
markrad	0:cdf462088d13	94	if( ssl->f_get_timer( ssl->p_timer ) == 2 )
markrad	0:cdf462088d13	95	{
markrad	0:cdf462088d13	96	MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
markrad	0:cdf462088d13	97	return( -1 );
markrad	0:cdf462088d13	98	}
markrad	0:cdf462088d13	99
markrad	0:cdf462088d13	100	return( 0 );
markrad	0:cdf462088d13	101	}
markrad	0:cdf462088d13	102
markrad	0:cdf462088d13	103	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	104	/*
markrad	0:cdf462088d13	105	* Double the retransmit timeout value, within the allowed range,
markrad	0:cdf462088d13	106	* returning -1 if the maximum value has already been reached.
markrad	0:cdf462088d13	107	*/
markrad	0:cdf462088d13	108	static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	109	{
markrad	0:cdf462088d13	110	uint32_t new_timeout;
markrad	0:cdf462088d13	111
markrad	0:cdf462088d13	112	if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
markrad	0:cdf462088d13	113	return( -1 );
markrad	0:cdf462088d13	114
markrad	0:cdf462088d13	115	new_timeout = 2 * ssl->handshake->retransmit_timeout;
markrad	0:cdf462088d13	116
markrad	0:cdf462088d13	117	/* Avoid arithmetic overflow and range overflow */
markrad	0:cdf462088d13	118	if( new_timeout < ssl->handshake->retransmit_timeout \|\|
markrad	0:cdf462088d13	119	new_timeout > ssl->conf->hs_timeout_max )
markrad	0:cdf462088d13	120	{
markrad	0:cdf462088d13	121	new_timeout = ssl->conf->hs_timeout_max;
markrad	0:cdf462088d13	122	}
markrad	0:cdf462088d13	123
markrad	0:cdf462088d13	124	ssl->handshake->retransmit_timeout = new_timeout;
markrad	0:cdf462088d13	125	MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
markrad	0:cdf462088d13	126	ssl->handshake->retransmit_timeout ) );
markrad	0:cdf462088d13	127
markrad	0:cdf462088d13	128	return( 0 );
markrad	0:cdf462088d13	129	}
markrad	0:cdf462088d13	130
markrad	0:cdf462088d13	131	static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	132	{
markrad	0:cdf462088d13	133	ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
markrad	0:cdf462088d13	134	MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
markrad	0:cdf462088d13	135	ssl->handshake->retransmit_timeout ) );
markrad	0:cdf462088d13	136	}
markrad	0:cdf462088d13	137	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	138
markrad	0:cdf462088d13	139	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad	0:cdf462088d13	140	/*
markrad	0:cdf462088d13	141	* Convert max_fragment_length codes to length.
markrad	0:cdf462088d13	142	* RFC 6066 says:
markrad	0:cdf462088d13	143	* enum{
markrad	0:cdf462088d13	144	* 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
markrad	0:cdf462088d13	145	* } MaxFragmentLength;
markrad	0:cdf462088d13	146	* and we add 0 -> extension unused
markrad	0:cdf462088d13	147	*/
markrad	0:cdf462088d13	148	static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
markrad	0:cdf462088d13	149	{
markrad	0:cdf462088d13	150	MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
markrad	0:cdf462088d13	151	512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */
markrad	0:cdf462088d13	152	1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
markrad	0:cdf462088d13	153	2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
markrad	0:cdf462088d13	154	4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
markrad	0:cdf462088d13	155	};
markrad	0:cdf462088d13	156	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad	0:cdf462088d13	157
markrad	0:cdf462088d13	158	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	159	static int ssl_session_copy( mbedtls_ssl_session dst, const mbedtls_ssl_session src )
markrad	0:cdf462088d13	160	{
markrad	0:cdf462088d13	161	mbedtls_ssl_session_free( dst );
markrad	0:cdf462088d13	162	memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
markrad	0:cdf462088d13	163
markrad	0:cdf462088d13	164	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	165	if( src->peer_cert != NULL )
markrad	0:cdf462088d13	166	{
markrad	0:cdf462088d13	167	int ret;
markrad	0:cdf462088d13	168
markrad	0:cdf462088d13	169	dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
markrad	0:cdf462088d13	170	if( dst->peer_cert == NULL )
markrad	0:cdf462088d13	171	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	172
markrad	0:cdf462088d13	173	mbedtls_x509_crt_init( dst->peer_cert );
markrad	0:cdf462088d13	174
markrad	0:cdf462088d13	175	if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
markrad	0:cdf462088d13	176	src->peer_cert->raw.len ) ) != 0 )
markrad	0:cdf462088d13	177	{
markrad	0:cdf462088d13	178	mbedtls_free( dst->peer_cert );
markrad	0:cdf462088d13	179	dst->peer_cert = NULL;
markrad	0:cdf462088d13	180	return( ret );
markrad	0:cdf462088d13	181	}
markrad	0:cdf462088d13	182	}
markrad	0:cdf462088d13	183	#endif /* MBEDTLS_X509_CRT_PARSE_C */
markrad	0:cdf462088d13	184
markrad	0:cdf462088d13	185	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	186	if( src->ticket != NULL )
markrad	0:cdf462088d13	187	{
markrad	0:cdf462088d13	188	dst->ticket = mbedtls_calloc( 1, src->ticket_len );
markrad	0:cdf462088d13	189	if( dst->ticket == NULL )
markrad	0:cdf462088d13	190	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	191
markrad	0:cdf462088d13	192	memcpy( dst->ticket, src->ticket, src->ticket_len );
markrad	0:cdf462088d13	193	}
markrad	0:cdf462088d13	194	#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	195
markrad	0:cdf462088d13	196	return( 0 );
markrad	0:cdf462088d13	197	}
markrad	0:cdf462088d13	198	#endif /* MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	199
markrad	0:cdf462088d13	200	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	201	int (mbedtls_ssl_hw_record_init)( mbedtls_ssl_context ssl,
markrad	0:cdf462088d13	202	const unsigned char key_enc, const unsigned char key_dec,
markrad	0:cdf462088d13	203	size_t keylen,
markrad	0:cdf462088d13	204	const unsigned char iv_enc, const unsigned char iv_dec,
markrad	0:cdf462088d13	205	size_t ivlen,
markrad	0:cdf462088d13	206	const unsigned char mac_enc, const unsigned char mac_dec,
markrad	0:cdf462088d13	207	size_t maclen ) = NULL;
markrad	0:cdf462088d13	208	int (mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context ssl, int direction) = NULL;
markrad	0:cdf462088d13	209	int (mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context ssl ) = NULL;
markrad	0:cdf462088d13	210	int (mbedtls_ssl_hw_record_write)( mbedtls_ssl_context ssl ) = NULL;
markrad	0:cdf462088d13	211	int (mbedtls_ssl_hw_record_read)( mbedtls_ssl_context ssl ) = NULL;
markrad	0:cdf462088d13	212	int (mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context ssl ) = NULL;
markrad	0:cdf462088d13	213	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
markrad	0:cdf462088d13	214
markrad	0:cdf462088d13	215	/*
markrad	0:cdf462088d13	216	* Key material generation
markrad	0:cdf462088d13	217	*/
markrad	0:cdf462088d13	218	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	219	static int ssl3_prf( const unsigned char *secret, size_t slen,
markrad	0:cdf462088d13	220	const char *label,
markrad	0:cdf462088d13	221	const unsigned char *random, size_t rlen,
markrad	0:cdf462088d13	222	unsigned char *dstbuf, size_t dlen )
markrad	0:cdf462088d13	223	{
markrad	0:cdf462088d13	224	size_t i;
markrad	0:cdf462088d13	225	mbedtls_md5_context md5;
markrad	0:cdf462088d13	226	mbedtls_sha1_context sha1;
markrad	0:cdf462088d13	227	unsigned char padding[16];
markrad	0:cdf462088d13	228	unsigned char sha1sum[20];
markrad	0:cdf462088d13	229	((void)label);
markrad	0:cdf462088d13	230
markrad	0:cdf462088d13	231	mbedtls_md5_init( &md5 );
markrad	0:cdf462088d13	232	mbedtls_sha1_init( &sha1 );
markrad	0:cdf462088d13	233
markrad	0:cdf462088d13	234	/*
markrad	0:cdf462088d13	235	* SSLv3:
markrad	0:cdf462088d13	236	* block =
markrad	0:cdf462088d13	237	* MD5( secret + SHA1( 'A' + secret + random ) ) +
markrad	0:cdf462088d13	238	* MD5( secret + SHA1( 'BB' + secret + random ) ) +
markrad	0:cdf462088d13	239	* MD5( secret + SHA1( 'CCC' + secret + random ) ) +
markrad	0:cdf462088d13	240	* ...
markrad	0:cdf462088d13	241	*/
markrad	0:cdf462088d13	242	for( i = 0; i < dlen / 16; i++ )
markrad	0:cdf462088d13	243	{
markrad	0:cdf462088d13	244	memset( padding, (unsigned char) ('A' + i), 1 + i );
markrad	0:cdf462088d13	245
markrad	0:cdf462088d13	246	mbedtls_sha1_starts( &sha1 );
markrad	0:cdf462088d13	247	mbedtls_sha1_update( &sha1, padding, 1 + i );
markrad	0:cdf462088d13	248	mbedtls_sha1_update( &sha1, secret, slen );
markrad	0:cdf462088d13	249	mbedtls_sha1_update( &sha1, random, rlen );
markrad	0:cdf462088d13	250	mbedtls_sha1_finish( &sha1, sha1sum );
markrad	0:cdf462088d13	251
markrad	0:cdf462088d13	252	mbedtls_md5_starts( &md5 );
markrad	0:cdf462088d13	253	mbedtls_md5_update( &md5, secret, slen );
markrad	0:cdf462088d13	254	mbedtls_md5_update( &md5, sha1sum, 20 );
markrad	0:cdf462088d13	255	mbedtls_md5_finish( &md5, dstbuf + i * 16 );
markrad	0:cdf462088d13	256	}
markrad	0:cdf462088d13	257
markrad	0:cdf462088d13	258	mbedtls_md5_free( &md5 );
markrad	0:cdf462088d13	259	mbedtls_sha1_free( &sha1 );
markrad	0:cdf462088d13	260
markrad	0:cdf462088d13	261	mbedtls_zeroize( padding, sizeof( padding ) );
markrad	0:cdf462088d13	262	mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
markrad	0:cdf462088d13	263
markrad	0:cdf462088d13	264	return( 0 );
markrad	0:cdf462088d13	265	}
markrad	0:cdf462088d13	266	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	267
markrad	0:cdf462088d13	268	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	269	static int tls1_prf( const unsigned char *secret, size_t slen,
markrad	0:cdf462088d13	270	const char *label,
markrad	0:cdf462088d13	271	const unsigned char *random, size_t rlen,
markrad	0:cdf462088d13	272	unsigned char *dstbuf, size_t dlen )
markrad	0:cdf462088d13	273	{
markrad	0:cdf462088d13	274	size_t nb, hs;
markrad	0:cdf462088d13	275	size_t i, j, k;
markrad	0:cdf462088d13	276	const unsigned char S1, S2;
markrad	0:cdf462088d13	277	unsigned char tmp[128];
markrad	0:cdf462088d13	278	unsigned char h_i[20];
markrad	0:cdf462088d13	279	const mbedtls_md_info_t *md_info;
markrad	0:cdf462088d13	280	mbedtls_md_context_t md_ctx;
markrad	0:cdf462088d13	281	int ret;
markrad	0:cdf462088d13	282
markrad	0:cdf462088d13	283	mbedtls_md_init( &md_ctx );
markrad	0:cdf462088d13	284
markrad	0:cdf462088d13	285	if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
markrad	0:cdf462088d13	286	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	287
markrad	0:cdf462088d13	288	hs = ( slen + 1 ) / 2;
markrad	0:cdf462088d13	289	S1 = secret;
markrad	0:cdf462088d13	290	S2 = secret + slen - hs;
markrad	0:cdf462088d13	291
markrad	0:cdf462088d13	292	nb = strlen( label );
markrad	0:cdf462088d13	293	memcpy( tmp + 20, label, nb );
markrad	0:cdf462088d13	294	memcpy( tmp + 20 + nb, random, rlen );
markrad	0:cdf462088d13	295	nb += rlen;
markrad	0:cdf462088d13	296
markrad	0:cdf462088d13	297	/*
markrad	0:cdf462088d13	298	* First compute P_md5(secret,label+random)[0..dlen]
markrad	0:cdf462088d13	299	*/
markrad	0:cdf462088d13	300	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
markrad	0:cdf462088d13	301	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	302
markrad	0:cdf462088d13	303	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
markrad	0:cdf462088d13	304	return( ret );
markrad	0:cdf462088d13	305
markrad	0:cdf462088d13	306	mbedtls_md_hmac_starts( &md_ctx, S1, hs );
markrad	0:cdf462088d13	307	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
markrad	0:cdf462088d13	308	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
markrad	0:cdf462088d13	309
markrad	0:cdf462088d13	310	for( i = 0; i < dlen; i += 16 )
markrad	0:cdf462088d13	311	{
markrad	0:cdf462088d13	312	mbedtls_md_hmac_reset ( &md_ctx );
markrad	0:cdf462088d13	313	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
markrad	0:cdf462088d13	314	mbedtls_md_hmac_finish( &md_ctx, h_i );
markrad	0:cdf462088d13	315
markrad	0:cdf462088d13	316	mbedtls_md_hmac_reset ( &md_ctx );
markrad	0:cdf462088d13	317	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
markrad	0:cdf462088d13	318	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
markrad	0:cdf462088d13	319
markrad	0:cdf462088d13	320	k = ( i + 16 > dlen ) ? dlen % 16 : 16;
markrad	0:cdf462088d13	321
markrad	0:cdf462088d13	322	for( j = 0; j < k; j++ )
markrad	0:cdf462088d13	323	dstbuf[i + j] = h_i[j];
markrad	0:cdf462088d13	324	}
markrad	0:cdf462088d13	325
markrad	0:cdf462088d13	326	mbedtls_md_free( &md_ctx );
markrad	0:cdf462088d13	327
markrad	0:cdf462088d13	328	/*
markrad	0:cdf462088d13	329	* XOR out with P_sha1(secret,label+random)[0..dlen]
markrad	0:cdf462088d13	330	*/
markrad	0:cdf462088d13	331	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
markrad	0:cdf462088d13	332	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	333
markrad	0:cdf462088d13	334	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
markrad	0:cdf462088d13	335	return( ret );
markrad	0:cdf462088d13	336
markrad	0:cdf462088d13	337	mbedtls_md_hmac_starts( &md_ctx, S2, hs );
markrad	0:cdf462088d13	338	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
markrad	0:cdf462088d13	339	mbedtls_md_hmac_finish( &md_ctx, tmp );
markrad	0:cdf462088d13	340
markrad	0:cdf462088d13	341	for( i = 0; i < dlen; i += 20 )
markrad	0:cdf462088d13	342	{
markrad	0:cdf462088d13	343	mbedtls_md_hmac_reset ( &md_ctx );
markrad	0:cdf462088d13	344	mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
markrad	0:cdf462088d13	345	mbedtls_md_hmac_finish( &md_ctx, h_i );
markrad	0:cdf462088d13	346
markrad	0:cdf462088d13	347	mbedtls_md_hmac_reset ( &md_ctx );
markrad	0:cdf462088d13	348	mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
markrad	0:cdf462088d13	349	mbedtls_md_hmac_finish( &md_ctx, tmp );
markrad	0:cdf462088d13	350
markrad	0:cdf462088d13	351	k = ( i + 20 > dlen ) ? dlen % 20 : 20;
markrad	0:cdf462088d13	352
markrad	0:cdf462088d13	353	for( j = 0; j < k; j++ )
markrad	0:cdf462088d13	354	dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
markrad	0:cdf462088d13	355	}
markrad	0:cdf462088d13	356
markrad	0:cdf462088d13	357	mbedtls_md_free( &md_ctx );
markrad	0:cdf462088d13	358
markrad	0:cdf462088d13	359	mbedtls_zeroize( tmp, sizeof( tmp ) );
markrad	0:cdf462088d13	360	mbedtls_zeroize( h_i, sizeof( h_i ) );
markrad	0:cdf462088d13	361
markrad	0:cdf462088d13	362	return( 0 );
markrad	0:cdf462088d13	363	}
markrad	0:cdf462088d13	364	#endif /* MBEDTLS_SSL_PROTO_TLS1) \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
markrad	0:cdf462088d13	365
markrad	0:cdf462088d13	366	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	367	static int tls_prf_generic( mbedtls_md_type_t md_type,
markrad	0:cdf462088d13	368	const unsigned char *secret, size_t slen,
markrad	0:cdf462088d13	369	const char *label,
markrad	0:cdf462088d13	370	const unsigned char *random, size_t rlen,
markrad	0:cdf462088d13	371	unsigned char *dstbuf, size_t dlen )
markrad	0:cdf462088d13	372	{
markrad	0:cdf462088d13	373	size_t nb;
markrad	0:cdf462088d13	374	size_t i, j, k, md_len;
markrad	0:cdf462088d13	375	unsigned char tmp[128];
markrad	0:cdf462088d13	376	unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
markrad	0:cdf462088d13	377	const mbedtls_md_info_t *md_info;
markrad	0:cdf462088d13	378	mbedtls_md_context_t md_ctx;
markrad	0:cdf462088d13	379	int ret;
markrad	0:cdf462088d13	380
markrad	0:cdf462088d13	381	mbedtls_md_init( &md_ctx );
markrad	0:cdf462088d13	382
markrad	0:cdf462088d13	383	if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
markrad	0:cdf462088d13	384	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	385
markrad	0:cdf462088d13	386	md_len = mbedtls_md_get_size( md_info );
markrad	0:cdf462088d13	387
markrad	0:cdf462088d13	388	if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
markrad	0:cdf462088d13	389	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	390
markrad	0:cdf462088d13	391	nb = strlen( label );
markrad	0:cdf462088d13	392	memcpy( tmp + md_len, label, nb );
markrad	0:cdf462088d13	393	memcpy( tmp + md_len + nb, random, rlen );
markrad	0:cdf462088d13	394	nb += rlen;
markrad	0:cdf462088d13	395
markrad	0:cdf462088d13	396	/*
markrad	0:cdf462088d13	397	* Compute P_<hash>(secret, label + random)[0..dlen]
markrad	0:cdf462088d13	398	*/
markrad	0:cdf462088d13	399	if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
markrad	0:cdf462088d13	400	return( ret );
markrad	0:cdf462088d13	401
markrad	0:cdf462088d13	402	mbedtls_md_hmac_starts( &md_ctx, secret, slen );
markrad	0:cdf462088d13	403	mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
markrad	0:cdf462088d13	404	mbedtls_md_hmac_finish( &md_ctx, tmp );
markrad	0:cdf462088d13	405
markrad	0:cdf462088d13	406	for( i = 0; i < dlen; i += md_len )
markrad	0:cdf462088d13	407	{
markrad	0:cdf462088d13	408	mbedtls_md_hmac_reset ( &md_ctx );
markrad	0:cdf462088d13	409	mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
markrad	0:cdf462088d13	410	mbedtls_md_hmac_finish( &md_ctx, h_i );
markrad	0:cdf462088d13	411
markrad	0:cdf462088d13	412	mbedtls_md_hmac_reset ( &md_ctx );
markrad	0:cdf462088d13	413	mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
markrad	0:cdf462088d13	414	mbedtls_md_hmac_finish( &md_ctx, tmp );
markrad	0:cdf462088d13	415
markrad	0:cdf462088d13	416	k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
markrad	0:cdf462088d13	417
markrad	0:cdf462088d13	418	for( j = 0; j < k; j++ )
markrad	0:cdf462088d13	419	dstbuf[i + j] = h_i[j];
markrad	0:cdf462088d13	420	}
markrad	0:cdf462088d13	421
markrad	0:cdf462088d13	422	mbedtls_md_free( &md_ctx );
markrad	0:cdf462088d13	423
markrad	0:cdf462088d13	424	mbedtls_zeroize( tmp, sizeof( tmp ) );
markrad	0:cdf462088d13	425	mbedtls_zeroize( h_i, sizeof( h_i ) );
markrad	0:cdf462088d13	426
markrad	0:cdf462088d13	427	return( 0 );
markrad	0:cdf462088d13	428	}
markrad	0:cdf462088d13	429
markrad	0:cdf462088d13	430	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	431	static int tls_prf_sha256( const unsigned char *secret, size_t slen,
markrad	0:cdf462088d13	432	const char *label,
markrad	0:cdf462088d13	433	const unsigned char *random, size_t rlen,
markrad	0:cdf462088d13	434	unsigned char *dstbuf, size_t dlen )
markrad	0:cdf462088d13	435	{
markrad	0:cdf462088d13	436	return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
markrad	0:cdf462088d13	437	label, random, rlen, dstbuf, dlen ) );
markrad	0:cdf462088d13	438	}
markrad	0:cdf462088d13	439	#endif /* MBEDTLS_SHA256_C */
markrad	0:cdf462088d13	440
markrad	0:cdf462088d13	441	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	442	static int tls_prf_sha384( const unsigned char *secret, size_t slen,
markrad	0:cdf462088d13	443	const char *label,
markrad	0:cdf462088d13	444	const unsigned char *random, size_t rlen,
markrad	0:cdf462088d13	445	unsigned char *dstbuf, size_t dlen )
markrad	0:cdf462088d13	446	{
markrad	0:cdf462088d13	447	return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
markrad	0:cdf462088d13	448	label, random, rlen, dstbuf, dlen ) );
markrad	0:cdf462088d13	449	}
markrad	0:cdf462088d13	450	#endif /* MBEDTLS_SHA512_C */
markrad	0:cdf462088d13	451	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	452
markrad	0:cdf462088d13	453	static void ssl_update_checksum_start( mbedtls_ssl_context , const unsigned char , size_t );
markrad	0:cdf462088d13	454
markrad	0:cdf462088d13	455	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	456	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	457	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context , const unsigned char , size_t );
markrad	0:cdf462088d13	458	#endif
markrad	0:cdf462088d13	459
markrad	0:cdf462088d13	460	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	461	static void ssl_calc_verify_ssl( mbedtls_ssl_context , unsigned char );
markrad	0:cdf462088d13	462	static void ssl_calc_finished_ssl( mbedtls_ssl_context , unsigned char , int );
markrad	0:cdf462088d13	463	#endif
markrad	0:cdf462088d13	464
markrad	0:cdf462088d13	465	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	466	static void ssl_calc_verify_tls( mbedtls_ssl_context , unsigned char );
markrad	0:cdf462088d13	467	static void ssl_calc_finished_tls( mbedtls_ssl_context , unsigned char , int );
markrad	0:cdf462088d13	468	#endif
markrad	0:cdf462088d13	469
markrad	0:cdf462088d13	470	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	471	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	472	static void ssl_update_checksum_sha256( mbedtls_ssl_context , const unsigned char , size_t );
markrad	0:cdf462088d13	473	static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context ,unsigned char );
markrad	0:cdf462088d13	474	static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context ,unsigned char , int );
markrad	0:cdf462088d13	475	#endif
markrad	0:cdf462088d13	476
markrad	0:cdf462088d13	477	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	478	static void ssl_update_checksum_sha384( mbedtls_ssl_context , const unsigned char , size_t );
markrad	0:cdf462088d13	479	static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context , unsigned char );
markrad	0:cdf462088d13	480	static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context , unsigned char , int );
markrad	0:cdf462088d13	481	#endif
markrad	0:cdf462088d13	482	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	483
markrad	0:cdf462088d13	484	int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	485	{
markrad	0:cdf462088d13	486	int ret = 0;
markrad	0:cdf462088d13	487	unsigned char tmp[64];
markrad	0:cdf462088d13	488	unsigned char keyblk[256];
markrad	0:cdf462088d13	489	unsigned char *key1;
markrad	0:cdf462088d13	490	unsigned char *key2;
markrad	0:cdf462088d13	491	unsigned char *mac_enc;
markrad	0:cdf462088d13	492	unsigned char *mac_dec;
markrad	0:cdf462088d13	493	size_t iv_copy_len;
markrad	0:cdf462088d13	494	const mbedtls_cipher_info_t *cipher_info;
markrad	0:cdf462088d13	495	const mbedtls_md_info_t *md_info;
markrad	0:cdf462088d13	496
markrad	0:cdf462088d13	497	mbedtls_ssl_session *session = ssl->session_negotiate;
markrad	0:cdf462088d13	498	mbedtls_ssl_transform *transform = ssl->transform_negotiate;
markrad	0:cdf462088d13	499	mbedtls_ssl_handshake_params *handshake = ssl->handshake;
markrad	0:cdf462088d13	500
markrad	0:cdf462088d13	501	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
markrad	0:cdf462088d13	502
markrad	0:cdf462088d13	503	cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
markrad	0:cdf462088d13	504	if( cipher_info == NULL )
markrad	0:cdf462088d13	505	{
markrad	0:cdf462088d13	506	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
markrad	0:cdf462088d13	507	transform->ciphersuite_info->cipher ) );
markrad	0:cdf462088d13	508	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	509	}
markrad	0:cdf462088d13	510
markrad	0:cdf462088d13	511	md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
markrad	0:cdf462088d13	512	if( md_info == NULL )
markrad	0:cdf462088d13	513	{
markrad	0:cdf462088d13	514	MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
markrad	0:cdf462088d13	515	transform->ciphersuite_info->mac ) );
markrad	0:cdf462088d13	516	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	517	}
markrad	0:cdf462088d13	518
markrad	0:cdf462088d13	519	/*
markrad	0:cdf462088d13	520	* Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
markrad	0:cdf462088d13	521	*/
markrad	0:cdf462088d13	522	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	523	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	524	{
markrad	0:cdf462088d13	525	handshake->tls_prf = ssl3_prf;
markrad	0:cdf462088d13	526	handshake->calc_verify = ssl_calc_verify_ssl;
markrad	0:cdf462088d13	527	handshake->calc_finished = ssl_calc_finished_ssl;
markrad	0:cdf462088d13	528	}
markrad	0:cdf462088d13	529	else
markrad	0:cdf462088d13	530	#endif
markrad	0:cdf462088d13	531	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	532	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	533	{
markrad	0:cdf462088d13	534	handshake->tls_prf = tls1_prf;
markrad	0:cdf462088d13	535	handshake->calc_verify = ssl_calc_verify_tls;
markrad	0:cdf462088d13	536	handshake->calc_finished = ssl_calc_finished_tls;
markrad	0:cdf462088d13	537	}
markrad	0:cdf462088d13	538	else
markrad	0:cdf462088d13	539	#endif
markrad	0:cdf462088d13	540	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	541	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	542	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
markrad	0:cdf462088d13	543	transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
markrad	0:cdf462088d13	544	{
markrad	0:cdf462088d13	545	handshake->tls_prf = tls_prf_sha384;
markrad	0:cdf462088d13	546	handshake->calc_verify = ssl_calc_verify_tls_sha384;
markrad	0:cdf462088d13	547	handshake->calc_finished = ssl_calc_finished_tls_sha384;
markrad	0:cdf462088d13	548	}
markrad	0:cdf462088d13	549	else
markrad	0:cdf462088d13	550	#endif
markrad	0:cdf462088d13	551	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	552	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	553	{
markrad	0:cdf462088d13	554	handshake->tls_prf = tls_prf_sha256;
markrad	0:cdf462088d13	555	handshake->calc_verify = ssl_calc_verify_tls_sha256;
markrad	0:cdf462088d13	556	handshake->calc_finished = ssl_calc_finished_tls_sha256;
markrad	0:cdf462088d13	557	}
markrad	0:cdf462088d13	558	else
markrad	0:cdf462088d13	559	#endif
markrad	0:cdf462088d13	560	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	561	{
markrad	0:cdf462088d13	562	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	563	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	564	}
markrad	0:cdf462088d13	565
markrad	0:cdf462088d13	566	/*
markrad	0:cdf462088d13	567	* SSLv3:
markrad	0:cdf462088d13	568	* master =
markrad	0:cdf462088d13	569	* MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
markrad	0:cdf462088d13	570	* MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
markrad	0:cdf462088d13	571	* MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
markrad	0:cdf462088d13	572	*
markrad	0:cdf462088d13	573	* TLSv1+:
markrad	0:cdf462088d13	574	* master = PRF( premaster, "master secret", randbytes )[0..47]
markrad	0:cdf462088d13	575	*/
markrad	0:cdf462088d13	576	if( handshake->resume == 0 )
markrad	0:cdf462088d13	577	{
markrad	0:cdf462088d13	578	MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
markrad	0:cdf462088d13	579	handshake->pmslen );
markrad	0:cdf462088d13	580
markrad	0:cdf462088d13	581	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad	0:cdf462088d13	582	if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
markrad	0:cdf462088d13	583	{
markrad	0:cdf462088d13	584	unsigned char session_hash[48];
markrad	0:cdf462088d13	585	size_t hash_len;
markrad	0:cdf462088d13	586
markrad	0:cdf462088d13	587	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
markrad	0:cdf462088d13	588
markrad	0:cdf462088d13	589	ssl->handshake->calc_verify( ssl, session_hash );
markrad	0:cdf462088d13	590
markrad	0:cdf462088d13	591	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	592	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	593	{
markrad	0:cdf462088d13	594	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	595	if( ssl->transform_negotiate->ciphersuite_info->mac ==
markrad	0:cdf462088d13	596	MBEDTLS_MD_SHA384 )
markrad	0:cdf462088d13	597	{
markrad	0:cdf462088d13	598	hash_len = 48;
markrad	0:cdf462088d13	599	}
markrad	0:cdf462088d13	600	else
markrad	0:cdf462088d13	601	#endif
markrad	0:cdf462088d13	602	hash_len = 32;
markrad	0:cdf462088d13	603	}
markrad	0:cdf462088d13	604	else
markrad	0:cdf462088d13	605	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	606	hash_len = 36;
markrad	0:cdf462088d13	607
markrad	0:cdf462088d13	608	MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
markrad	0:cdf462088d13	609
markrad	0:cdf462088d13	610	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
markrad	0:cdf462088d13	611	"extended master secret",
markrad	0:cdf462088d13	612	session_hash, hash_len,
markrad	0:cdf462088d13	613	session->master, 48 );
markrad	0:cdf462088d13	614	if( ret != 0 )
markrad	0:cdf462088d13	615	{
markrad	0:cdf462088d13	616	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
markrad	0:cdf462088d13	617	return( ret );
markrad	0:cdf462088d13	618	}
markrad	0:cdf462088d13	619
markrad	0:cdf462088d13	620	}
markrad	0:cdf462088d13	621	else
markrad	0:cdf462088d13	622	#endif
markrad	0:cdf462088d13	623	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
markrad	0:cdf462088d13	624	"master secret",
markrad	0:cdf462088d13	625	handshake->randbytes, 64,
markrad	0:cdf462088d13	626	session->master, 48 );
markrad	0:cdf462088d13	627	if( ret != 0 )
markrad	0:cdf462088d13	628	{
markrad	0:cdf462088d13	629	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
markrad	0:cdf462088d13	630	return( ret );
markrad	0:cdf462088d13	631	}
markrad	0:cdf462088d13	632
markrad	0:cdf462088d13	633	mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) );
markrad	0:cdf462088d13	634	}
markrad	0:cdf462088d13	635	else
markrad	0:cdf462088d13	636	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
markrad	0:cdf462088d13	637
markrad	0:cdf462088d13	638	/*
markrad	0:cdf462088d13	639	* Swap the client and server random values.
markrad	0:cdf462088d13	640	*/
markrad	0:cdf462088d13	641	memcpy( tmp, handshake->randbytes, 64 );
markrad	0:cdf462088d13	642	memcpy( handshake->randbytes, tmp + 32, 32 );
markrad	0:cdf462088d13	643	memcpy( handshake->randbytes + 32, tmp, 32 );
markrad	0:cdf462088d13	644	mbedtls_zeroize( tmp, sizeof( tmp ) );
markrad	0:cdf462088d13	645
markrad	0:cdf462088d13	646	/*
markrad	0:cdf462088d13	647	* SSLv3:
markrad	0:cdf462088d13	648	* key block =
markrad	0:cdf462088d13	649	* MD5( master + SHA1( 'A' + master + randbytes ) ) +
markrad	0:cdf462088d13	650	* MD5( master + SHA1( 'BB' + master + randbytes ) ) +
markrad	0:cdf462088d13	651	* MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
markrad	0:cdf462088d13	652	* MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
markrad	0:cdf462088d13	653	* ...
markrad	0:cdf462088d13	654	*
markrad	0:cdf462088d13	655	* TLSv1:
markrad	0:cdf462088d13	656	* key block = PRF( master, "key expansion", randbytes )
markrad	0:cdf462088d13	657	*/
markrad	0:cdf462088d13	658	ret = handshake->tls_prf( session->master, 48, "key expansion",
markrad	0:cdf462088d13	659	handshake->randbytes, 64, keyblk, 256 );
markrad	0:cdf462088d13	660	if( ret != 0 )
markrad	0:cdf462088d13	661	{
markrad	0:cdf462088d13	662	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
markrad	0:cdf462088d13	663	return( ret );
markrad	0:cdf462088d13	664	}
markrad	0:cdf462088d13	665
markrad	0:cdf462088d13	666	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
markrad	0:cdf462088d13	667	mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
markrad	0:cdf462088d13	668	MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
markrad	0:cdf462088d13	669	MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
markrad	0:cdf462088d13	670	MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
markrad	0:cdf462088d13	671
markrad	0:cdf462088d13	672	mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
markrad	0:cdf462088d13	673
markrad	0:cdf462088d13	674	/*
markrad	0:cdf462088d13	675	* Determine the appropriate key, IV and MAC length.
markrad	0:cdf462088d13	676	*/
markrad	0:cdf462088d13	677
markrad	0:cdf462088d13	678	transform->keylen = cipher_info->key_bitlen / 8;
markrad	0:cdf462088d13	679
markrad	0:cdf462088d13	680	if( cipher_info->mode == MBEDTLS_MODE_GCM \|\|
markrad	0:cdf462088d13	681	cipher_info->mode == MBEDTLS_MODE_CCM )
markrad	0:cdf462088d13	682	{
markrad	0:cdf462088d13	683	transform->maclen = 0;
markrad	0:cdf462088d13	684
markrad	0:cdf462088d13	685	transform->ivlen = 12;
markrad	0:cdf462088d13	686	transform->fixed_ivlen = 4;
markrad	0:cdf462088d13	687
markrad	0:cdf462088d13	688	/* Minimum length is expicit IV + tag */
markrad	0:cdf462088d13	689	transform->minlen = transform->ivlen - transform->fixed_ivlen
markrad	0:cdf462088d13	690	+ ( transform->ciphersuite_info->flags &
markrad	0:cdf462088d13	691	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
markrad	0:cdf462088d13	692	}
markrad	0:cdf462088d13	693	else
markrad	0:cdf462088d13	694	{
markrad	0:cdf462088d13	695	/* Initialize HMAC contexts */
markrad	0:cdf462088d13	696	if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 \|\|
markrad	0:cdf462088d13	697	( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
markrad	0:cdf462088d13	698	{
markrad	0:cdf462088d13	699	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
markrad	0:cdf462088d13	700	return( ret );
markrad	0:cdf462088d13	701	}
markrad	0:cdf462088d13	702
markrad	0:cdf462088d13	703	/* Get MAC length */
markrad	0:cdf462088d13	704	transform->maclen = mbedtls_md_get_size( md_info );
markrad	0:cdf462088d13	705
markrad	0:cdf462088d13	706	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
markrad	0:cdf462088d13	707	/*
markrad	0:cdf462088d13	708	* If HMAC is to be truncated, we shall keep the leftmost bytes,
markrad	0:cdf462088d13	709	* (rfc 6066 page 13 or rfc 2104 section 4),
markrad	0:cdf462088d13	710	* so we only need to adjust the length here.
markrad	0:cdf462088d13	711	*/
markrad	0:cdf462088d13	712	if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
markrad	0:cdf462088d13	713	transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
markrad	0:cdf462088d13	714	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
markrad	0:cdf462088d13	715
markrad	0:cdf462088d13	716	/* IV length */
markrad	0:cdf462088d13	717	transform->ivlen = cipher_info->iv_size;
markrad	0:cdf462088d13	718
markrad	0:cdf462088d13	719	/* Minimum length */
markrad	0:cdf462088d13	720	if( cipher_info->mode == MBEDTLS_MODE_STREAM )
markrad	0:cdf462088d13	721	transform->minlen = transform->maclen;
markrad	0:cdf462088d13	722	else
markrad	0:cdf462088d13	723	{
markrad	0:cdf462088d13	724	/*
markrad	0:cdf462088d13	725	* GenericBlockCipher:
markrad	0:cdf462088d13	726	* 1. if EtM is in use: one block plus MAC
markrad	0:cdf462088d13	727	* otherwise: * first multiple of blocklen greater than maclen
markrad	0:cdf462088d13	728	* 2. IV except for SSL3 and TLS 1.0
markrad	0:cdf462088d13	729	*/
markrad	0:cdf462088d13	730	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	731	if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
markrad	0:cdf462088d13	732	{
markrad	0:cdf462088d13	733	transform->minlen = transform->maclen
markrad	0:cdf462088d13	734	+ cipher_info->block_size;
markrad	0:cdf462088d13	735	}
markrad	0:cdf462088d13	736	else
markrad	0:cdf462088d13	737	#endif
markrad	0:cdf462088d13	738	{
markrad	0:cdf462088d13	739	transform->minlen = transform->maclen
markrad	0:cdf462088d13	740	+ cipher_info->block_size
markrad	0:cdf462088d13	741	- transform->maclen % cipher_info->block_size;
markrad	0:cdf462088d13	742	}
markrad	0:cdf462088d13	743
markrad	0:cdf462088d13	744	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
markrad	0:cdf462088d13	745	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
markrad	0:cdf462088d13	746	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
markrad	0:cdf462088d13	747	; /* No need to adjust minlen */
markrad	0:cdf462088d13	748	else
markrad	0:cdf462088d13	749	#endif
markrad	0:cdf462088d13	750	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	751	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 \|\|
markrad	0:cdf462088d13	752	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	753	{
markrad	0:cdf462088d13	754	transform->minlen += transform->ivlen;
markrad	0:cdf462088d13	755	}
markrad	0:cdf462088d13	756	else
markrad	0:cdf462088d13	757	#endif
markrad	0:cdf462088d13	758	{
markrad	0:cdf462088d13	759	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	760	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	761	}
markrad	0:cdf462088d13	762	}
markrad	0:cdf462088d13	763	}
markrad	0:cdf462088d13	764
markrad	0:cdf462088d13	765	MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
markrad	0:cdf462088d13	766	transform->keylen, transform->minlen, transform->ivlen,
markrad	0:cdf462088d13	767	transform->maclen ) );
markrad	0:cdf462088d13	768
markrad	0:cdf462088d13	769	/*
markrad	0:cdf462088d13	770	* Finally setup the cipher contexts, IVs and MAC secrets.
markrad	0:cdf462088d13	771	*/
markrad	0:cdf462088d13	772	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	773	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	774	{
markrad	0:cdf462088d13	775	key1 = keyblk + transform->maclen * 2;
markrad	0:cdf462088d13	776	key2 = keyblk + transform->maclen * 2 + transform->keylen;
markrad	0:cdf462088d13	777
markrad	0:cdf462088d13	778	mac_enc = keyblk;
markrad	0:cdf462088d13	779	mac_dec = keyblk + transform->maclen;
markrad	0:cdf462088d13	780
markrad	0:cdf462088d13	781	/*
markrad	0:cdf462088d13	782	* This is not used in TLS v1.1.
markrad	0:cdf462088d13	783	*/
markrad	0:cdf462088d13	784	iv_copy_len = ( transform->fixed_ivlen ) ?
markrad	0:cdf462088d13	785	transform->fixed_ivlen : transform->ivlen;
markrad	0:cdf462088d13	786	memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
markrad	0:cdf462088d13	787	memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
markrad	0:cdf462088d13	788	iv_copy_len );
markrad	0:cdf462088d13	789	}
markrad	0:cdf462088d13	790	else
markrad	0:cdf462088d13	791	#endif /* MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	792	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	793	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	794	{
markrad	0:cdf462088d13	795	key1 = keyblk + transform->maclen * 2 + transform->keylen;
markrad	0:cdf462088d13	796	key2 = keyblk + transform->maclen * 2;
markrad	0:cdf462088d13	797
markrad	0:cdf462088d13	798	mac_enc = keyblk + transform->maclen;
markrad	0:cdf462088d13	799	mac_dec = keyblk;
markrad	0:cdf462088d13	800
markrad	0:cdf462088d13	801	/*
markrad	0:cdf462088d13	802	* This is not used in TLS v1.1.
markrad	0:cdf462088d13	803	*/
markrad	0:cdf462088d13	804	iv_copy_len = ( transform->fixed_ivlen ) ?
markrad	0:cdf462088d13	805	transform->fixed_ivlen : transform->ivlen;
markrad	0:cdf462088d13	806	memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
markrad	0:cdf462088d13	807	memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
markrad	0:cdf462088d13	808	iv_copy_len );
markrad	0:cdf462088d13	809	}
markrad	0:cdf462088d13	810	else
markrad	0:cdf462088d13	811	#endif /* MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	812	{
markrad	0:cdf462088d13	813	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	814	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	815	}
markrad	0:cdf462088d13	816
markrad	0:cdf462088d13	817	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	818	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	819	{
markrad	0:cdf462088d13	820	if( transform->maclen > sizeof transform->mac_enc )
markrad	0:cdf462088d13	821	{
markrad	0:cdf462088d13	822	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	823	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	824	}
markrad	0:cdf462088d13	825
markrad	0:cdf462088d13	826	memcpy( transform->mac_enc, mac_enc, transform->maclen );
markrad	0:cdf462088d13	827	memcpy( transform->mac_dec, mac_dec, transform->maclen );
markrad	0:cdf462088d13	828	}
markrad	0:cdf462088d13	829	else
markrad	0:cdf462088d13	830	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	831	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	832	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	833	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
markrad	0:cdf462088d13	834	{
markrad	0:cdf462088d13	835	mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
markrad	0:cdf462088d13	836	mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
markrad	0:cdf462088d13	837	}
markrad	0:cdf462088d13	838	else
markrad	0:cdf462088d13	839	#endif
markrad	0:cdf462088d13	840	{
markrad	0:cdf462088d13	841	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	842	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	843	}
markrad	0:cdf462088d13	844
markrad	0:cdf462088d13	845	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	846	if( mbedtls_ssl_hw_record_init != NULL )
markrad	0:cdf462088d13	847	{
markrad	0:cdf462088d13	848	int ret = 0;
markrad	0:cdf462088d13	849
markrad	0:cdf462088d13	850	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
markrad	0:cdf462088d13	851
markrad	0:cdf462088d13	852	if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
markrad	0:cdf462088d13	853	transform->iv_enc, transform->iv_dec,
markrad	0:cdf462088d13	854	iv_copy_len,
markrad	0:cdf462088d13	855	mac_enc, mac_dec,
markrad	0:cdf462088d13	856	transform->maclen ) ) != 0 )
markrad	0:cdf462088d13	857	{
markrad	0:cdf462088d13	858	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
markrad	0:cdf462088d13	859	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
markrad	0:cdf462088d13	860	}
markrad	0:cdf462088d13	861	}
markrad	0:cdf462088d13	862	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
markrad	0:cdf462088d13	863
markrad	0:cdf462088d13	864	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
markrad	0:cdf462088d13	865	if( ssl->conf->f_export_keys != NULL )
markrad	0:cdf462088d13	866	{
markrad	0:cdf462088d13	867	ssl->conf->f_export_keys( ssl->conf->p_export_keys,
markrad	0:cdf462088d13	868	session->master, keyblk,
markrad	0:cdf462088d13	869	transform->maclen, transform->keylen,
markrad	0:cdf462088d13	870	iv_copy_len );
markrad	0:cdf462088d13	871	}
markrad	0:cdf462088d13	872	#endif
markrad	0:cdf462088d13	873
markrad	0:cdf462088d13	874	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
markrad	0:cdf462088d13	875	cipher_info ) ) != 0 )
markrad	0:cdf462088d13	876	{
markrad	0:cdf462088d13	877	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
markrad	0:cdf462088d13	878	return( ret );
markrad	0:cdf462088d13	879	}
markrad	0:cdf462088d13	880
markrad	0:cdf462088d13	881	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
markrad	0:cdf462088d13	882	cipher_info ) ) != 0 )
markrad	0:cdf462088d13	883	{
markrad	0:cdf462088d13	884	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
markrad	0:cdf462088d13	885	return( ret );
markrad	0:cdf462088d13	886	}
markrad	0:cdf462088d13	887
markrad	0:cdf462088d13	888	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
markrad	0:cdf462088d13	889	cipher_info->key_bitlen,
markrad	0:cdf462088d13	890	MBEDTLS_ENCRYPT ) ) != 0 )
markrad	0:cdf462088d13	891	{
markrad	0:cdf462088d13	892	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
markrad	0:cdf462088d13	893	return( ret );
markrad	0:cdf462088d13	894	}
markrad	0:cdf462088d13	895
markrad	0:cdf462088d13	896	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
markrad	0:cdf462088d13	897	cipher_info->key_bitlen,
markrad	0:cdf462088d13	898	MBEDTLS_DECRYPT ) ) != 0 )
markrad	0:cdf462088d13	899	{
markrad	0:cdf462088d13	900	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
markrad	0:cdf462088d13	901	return( ret );
markrad	0:cdf462088d13	902	}
markrad	0:cdf462088d13	903
markrad	0:cdf462088d13	904	#if defined(MBEDTLS_CIPHER_MODE_CBC)
markrad	0:cdf462088d13	905	if( cipher_info->mode == MBEDTLS_MODE_CBC )
markrad	0:cdf462088d13	906	{
markrad	0:cdf462088d13	907	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
markrad	0:cdf462088d13	908	MBEDTLS_PADDING_NONE ) ) != 0 )
markrad	0:cdf462088d13	909	{
markrad	0:cdf462088d13	910	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
markrad	0:cdf462088d13	911	return( ret );
markrad	0:cdf462088d13	912	}
markrad	0:cdf462088d13	913
markrad	0:cdf462088d13	914	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
markrad	0:cdf462088d13	915	MBEDTLS_PADDING_NONE ) ) != 0 )
markrad	0:cdf462088d13	916	{
markrad	0:cdf462088d13	917	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
markrad	0:cdf462088d13	918	return( ret );
markrad	0:cdf462088d13	919	}
markrad	0:cdf462088d13	920	}
markrad	0:cdf462088d13	921	#endif /* MBEDTLS_CIPHER_MODE_CBC */
markrad	0:cdf462088d13	922
markrad	0:cdf462088d13	923	mbedtls_zeroize( keyblk, sizeof( keyblk ) );
markrad	0:cdf462088d13	924
markrad	0:cdf462088d13	925	#if defined(MBEDTLS_ZLIB_SUPPORT)
markrad	0:cdf462088d13	926	// Initialize compression
markrad	0:cdf462088d13	927	//
markrad	0:cdf462088d13	928	if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
markrad	0:cdf462088d13	929	{
markrad	0:cdf462088d13	930	if( ssl->compress_buf == NULL )
markrad	0:cdf462088d13	931	{
markrad	0:cdf462088d13	932	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
markrad	0:cdf462088d13	933	ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
markrad	0:cdf462088d13	934	if( ssl->compress_buf == NULL )
markrad	0:cdf462088d13	935	{
markrad	0:cdf462088d13	936	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
markrad	0:cdf462088d13	937	MBEDTLS_SSL_BUFFER_LEN ) );
markrad	0:cdf462088d13	938	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	939	}
markrad	0:cdf462088d13	940	}
markrad	0:cdf462088d13	941
markrad	0:cdf462088d13	942	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
markrad	0:cdf462088d13	943
markrad	0:cdf462088d13	944	memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
markrad	0:cdf462088d13	945	memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
markrad	0:cdf462088d13	946
markrad	0:cdf462088d13	947	if( deflateInit( &transform->ctx_deflate,
markrad	0:cdf462088d13	948	Z_DEFAULT_COMPRESSION ) != Z_OK \|\|
markrad	0:cdf462088d13	949	inflateInit( &transform->ctx_inflate ) != Z_OK )
markrad	0:cdf462088d13	950	{
markrad	0:cdf462088d13	951	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
markrad	0:cdf462088d13	952	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
markrad	0:cdf462088d13	953	}
markrad	0:cdf462088d13	954	}
markrad	0:cdf462088d13	955	#endif /* MBEDTLS_ZLIB_SUPPORT */
markrad	0:cdf462088d13	956
markrad	0:cdf462088d13	957	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
markrad	0:cdf462088d13	958
markrad	0:cdf462088d13	959	return( 0 );
markrad	0:cdf462088d13	960	}
markrad	0:cdf462088d13	961
markrad	0:cdf462088d13	962	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	963	void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
markrad	0:cdf462088d13	964	{
markrad	0:cdf462088d13	965	mbedtls_md5_context md5;
markrad	0:cdf462088d13	966	mbedtls_sha1_context sha1;
markrad	0:cdf462088d13	967	unsigned char pad_1[48];
markrad	0:cdf462088d13	968	unsigned char pad_2[48];
markrad	0:cdf462088d13	969
markrad	0:cdf462088d13	970	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
markrad	0:cdf462088d13	971
markrad	0:cdf462088d13	972	mbedtls_md5_init( &md5 );
markrad	0:cdf462088d13	973	mbedtls_sha1_init( &sha1 );
markrad	0:cdf462088d13	974
markrad	0:cdf462088d13	975	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
markrad	0:cdf462088d13	976	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
markrad	0:cdf462088d13	977
markrad	0:cdf462088d13	978	memset( pad_1, 0x36, 48 );
markrad	0:cdf462088d13	979	memset( pad_2, 0x5C, 48 );
markrad	0:cdf462088d13	980
markrad	0:cdf462088d13	981	mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 );
markrad	0:cdf462088d13	982	mbedtls_md5_update( &md5, pad_1, 48 );
markrad	0:cdf462088d13	983	mbedtls_md5_finish( &md5, hash );
markrad	0:cdf462088d13	984
markrad	0:cdf462088d13	985	mbedtls_md5_starts( &md5 );
markrad	0:cdf462088d13	986	mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 );
markrad	0:cdf462088d13	987	mbedtls_md5_update( &md5, pad_2, 48 );
markrad	0:cdf462088d13	988	mbedtls_md5_update( &md5, hash, 16 );
markrad	0:cdf462088d13	989	mbedtls_md5_finish( &md5, hash );
markrad	0:cdf462088d13	990
markrad	0:cdf462088d13	991	mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 );
markrad	0:cdf462088d13	992	mbedtls_sha1_update( &sha1, pad_1, 40 );
markrad	0:cdf462088d13	993	mbedtls_sha1_finish( &sha1, hash + 16 );
markrad	0:cdf462088d13	994
markrad	0:cdf462088d13	995	mbedtls_sha1_starts( &sha1 );
markrad	0:cdf462088d13	996	mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 );
markrad	0:cdf462088d13	997	mbedtls_sha1_update( &sha1, pad_2, 40 );
markrad	0:cdf462088d13	998	mbedtls_sha1_update( &sha1, hash + 16, 20 );
markrad	0:cdf462088d13	999	mbedtls_sha1_finish( &sha1, hash + 16 );
markrad	0:cdf462088d13	1000
markrad	0:cdf462088d13	1001	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
markrad	0:cdf462088d13	1002	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
markrad	0:cdf462088d13	1003
markrad	0:cdf462088d13	1004	mbedtls_md5_free( &md5 );
markrad	0:cdf462088d13	1005	mbedtls_sha1_free( &sha1 );
markrad	0:cdf462088d13	1006
markrad	0:cdf462088d13	1007	return;
markrad	0:cdf462088d13	1008	}
markrad	0:cdf462088d13	1009	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	1010
markrad	0:cdf462088d13	1011	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	1012	void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
markrad	0:cdf462088d13	1013	{
markrad	0:cdf462088d13	1014	mbedtls_md5_context md5;
markrad	0:cdf462088d13	1015	mbedtls_sha1_context sha1;
markrad	0:cdf462088d13	1016
markrad	0:cdf462088d13	1017	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
markrad	0:cdf462088d13	1018
markrad	0:cdf462088d13	1019	mbedtls_md5_init( &md5 );
markrad	0:cdf462088d13	1020	mbedtls_sha1_init( &sha1 );
markrad	0:cdf462088d13	1021
markrad	0:cdf462088d13	1022	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
markrad	0:cdf462088d13	1023	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
markrad	0:cdf462088d13	1024
markrad	0:cdf462088d13	1025	mbedtls_md5_finish( &md5, hash );
markrad	0:cdf462088d13	1026	mbedtls_sha1_finish( &sha1, hash + 16 );
markrad	0:cdf462088d13	1027
markrad	0:cdf462088d13	1028	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
markrad	0:cdf462088d13	1029	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
markrad	0:cdf462088d13	1030
markrad	0:cdf462088d13	1031	mbedtls_md5_free( &md5 );
markrad	0:cdf462088d13	1032	mbedtls_sha1_free( &sha1 );
markrad	0:cdf462088d13	1033
markrad	0:cdf462088d13	1034	return;
markrad	0:cdf462088d13	1035	}
markrad	0:cdf462088d13	1036	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
markrad	0:cdf462088d13	1037
markrad	0:cdf462088d13	1038	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	1039	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	1040	void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
markrad	0:cdf462088d13	1041	{
markrad	0:cdf462088d13	1042	mbedtls_sha256_context sha256;
markrad	0:cdf462088d13	1043
markrad	0:cdf462088d13	1044	mbedtls_sha256_init( &sha256 );
markrad	0:cdf462088d13	1045
markrad	0:cdf462088d13	1046	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
markrad	0:cdf462088d13	1047
markrad	0:cdf462088d13	1048	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
markrad	0:cdf462088d13	1049	mbedtls_sha256_finish( &sha256, hash );
markrad	0:cdf462088d13	1050
markrad	0:cdf462088d13	1051	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
markrad	0:cdf462088d13	1052	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
markrad	0:cdf462088d13	1053
markrad	0:cdf462088d13	1054	mbedtls_sha256_free( &sha256 );
markrad	0:cdf462088d13	1055
markrad	0:cdf462088d13	1056	return;
markrad	0:cdf462088d13	1057	}
markrad	0:cdf462088d13	1058	#endif /* MBEDTLS_SHA256_C */
markrad	0:cdf462088d13	1059
markrad	0:cdf462088d13	1060	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	1061	void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
markrad	0:cdf462088d13	1062	{
markrad	0:cdf462088d13	1063	mbedtls_sha512_context sha512;
markrad	0:cdf462088d13	1064
markrad	0:cdf462088d13	1065	mbedtls_sha512_init( &sha512 );
markrad	0:cdf462088d13	1066
markrad	0:cdf462088d13	1067	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
markrad	0:cdf462088d13	1068
markrad	0:cdf462088d13	1069	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
markrad	0:cdf462088d13	1070	mbedtls_sha512_finish( &sha512, hash );
markrad	0:cdf462088d13	1071
markrad	0:cdf462088d13	1072	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
markrad	0:cdf462088d13	1073	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
markrad	0:cdf462088d13	1074
markrad	0:cdf462088d13	1075	mbedtls_sha512_free( &sha512 );
markrad	0:cdf462088d13	1076
markrad	0:cdf462088d13	1077	return;
markrad	0:cdf462088d13	1078	}
markrad	0:cdf462088d13	1079	#endif /* MBEDTLS_SHA512_C */
markrad	0:cdf462088d13	1080	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	1081
markrad	0:cdf462088d13	1082	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
markrad	0:cdf462088d13	1083	int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
markrad	0:cdf462088d13	1084	{
markrad	0:cdf462088d13	1085	unsigned char *p = ssl->handshake->premaster;
markrad	0:cdf462088d13	1086	unsigned char *end = p + sizeof( ssl->handshake->premaster );
markrad	0:cdf462088d13	1087	const unsigned char *psk = ssl->conf->psk;
markrad	0:cdf462088d13	1088	size_t psk_len = ssl->conf->psk_len;
markrad	0:cdf462088d13	1089
markrad	0:cdf462088d13	1090	/* If the psk callback was called, use its result */
markrad	0:cdf462088d13	1091	if( ssl->handshake->psk != NULL )
markrad	0:cdf462088d13	1092	{
markrad	0:cdf462088d13	1093	psk = ssl->handshake->psk;
markrad	0:cdf462088d13	1094	psk_len = ssl->handshake->psk_len;
markrad	0:cdf462088d13	1095	}
markrad	0:cdf462088d13	1096
markrad	0:cdf462088d13	1097	/*
markrad	0:cdf462088d13	1098	* PMS = struct {
markrad	0:cdf462088d13	1099	* opaque other_secret<0..2^16-1>;
markrad	0:cdf462088d13	1100	* opaque psk<0..2^16-1>;
markrad	0:cdf462088d13	1101	* };
markrad	0:cdf462088d13	1102	* with "other_secret" depending on the particular key exchange
markrad	0:cdf462088d13	1103	*/
markrad	0:cdf462088d13	1104	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
markrad	0:cdf462088d13	1105	if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
markrad	0:cdf462088d13	1106	{
markrad	0:cdf462088d13	1107	if( end - p < 2 )
markrad	0:cdf462088d13	1108	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	1109
markrad	0:cdf462088d13	1110	*(p++) = (unsigned char)( psk_len >> 8 );
markrad	0:cdf462088d13	1111	*(p++) = (unsigned char)( psk_len );
markrad	0:cdf462088d13	1112
markrad	0:cdf462088d13	1113	if( end < p \|\| (size_t)( end - p ) < psk_len )
markrad	0:cdf462088d13	1114	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	1115
markrad	0:cdf462088d13	1116	memset( p, 0, psk_len );
markrad	0:cdf462088d13	1117	p += psk_len;
markrad	0:cdf462088d13	1118	}
markrad	0:cdf462088d13	1119	else
markrad	0:cdf462088d13	1120	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
markrad	0:cdf462088d13	1121	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
markrad	0:cdf462088d13	1122	if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
markrad	0:cdf462088d13	1123	{
markrad	0:cdf462088d13	1124	/*
markrad	0:cdf462088d13	1125	* other_secret already set by the ClientKeyExchange message,
markrad	0:cdf462088d13	1126	* and is 48 bytes long
markrad	0:cdf462088d13	1127	*/
markrad	0:cdf462088d13	1128	*p++ = 0;
markrad	0:cdf462088d13	1129	*p++ = 48;
markrad	0:cdf462088d13	1130	p += 48;
markrad	0:cdf462088d13	1131	}
markrad	0:cdf462088d13	1132	else
markrad	0:cdf462088d13	1133	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
markrad	0:cdf462088d13	1134	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
markrad	0:cdf462088d13	1135	if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
markrad	0:cdf462088d13	1136	{
markrad	0:cdf462088d13	1137	int ret;
markrad	0:cdf462088d13	1138	size_t len;
markrad	0:cdf462088d13	1139
markrad	0:cdf462088d13	1140	/* Write length only when we know the actual value */
markrad	0:cdf462088d13	1141	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
markrad	0:cdf462088d13	1142	p + 2, end - ( p + 2 ), &len,
markrad	0:cdf462088d13	1143	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad	0:cdf462088d13	1144	{
markrad	0:cdf462088d13	1145	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
markrad	0:cdf462088d13	1146	return( ret );
markrad	0:cdf462088d13	1147	}
markrad	0:cdf462088d13	1148	*(p++) = (unsigned char)( len >> 8 );
markrad	0:cdf462088d13	1149	*(p++) = (unsigned char)( len );
markrad	0:cdf462088d13	1150	p += len;
markrad	0:cdf462088d13	1151
markrad	0:cdf462088d13	1152	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
markrad	0:cdf462088d13	1153	}
markrad	0:cdf462088d13	1154	else
markrad	0:cdf462088d13	1155	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
markrad	0:cdf462088d13	1156	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
markrad	0:cdf462088d13	1157	if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
markrad	0:cdf462088d13	1158	{
markrad	0:cdf462088d13	1159	int ret;
markrad	0:cdf462088d13	1160	size_t zlen;
markrad	0:cdf462088d13	1161
markrad	0:cdf462088d13	1162	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
markrad	0:cdf462088d13	1163	p + 2, end - ( p + 2 ),
markrad	0:cdf462088d13	1164	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad	0:cdf462088d13	1165	{
markrad	0:cdf462088d13	1166	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
markrad	0:cdf462088d13	1167	return( ret );
markrad	0:cdf462088d13	1168	}
markrad	0:cdf462088d13	1169
markrad	0:cdf462088d13	1170	*(p++) = (unsigned char)( zlen >> 8 );
markrad	0:cdf462088d13	1171	*(p++) = (unsigned char)( zlen );
markrad	0:cdf462088d13	1172	p += zlen;
markrad	0:cdf462088d13	1173
markrad	0:cdf462088d13	1174	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
markrad	0:cdf462088d13	1175	}
markrad	0:cdf462088d13	1176	else
markrad	0:cdf462088d13	1177	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
markrad	0:cdf462088d13	1178	{
markrad	0:cdf462088d13	1179	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1180	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1181	}
markrad	0:cdf462088d13	1182
markrad	0:cdf462088d13	1183	/* opaque psk<0..2^16-1>; */
markrad	0:cdf462088d13	1184	if( end - p < 2 )
markrad	0:cdf462088d13	1185	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	1186
markrad	0:cdf462088d13	1187	*(p++) = (unsigned char)( psk_len >> 8 );
markrad	0:cdf462088d13	1188	*(p++) = (unsigned char)( psk_len );
markrad	0:cdf462088d13	1189
markrad	0:cdf462088d13	1190	if( end < p \|\| (size_t)( end - p ) < psk_len )
markrad	0:cdf462088d13	1191	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	1192
markrad	0:cdf462088d13	1193	memcpy( p, psk, psk_len );
markrad	0:cdf462088d13	1194	p += psk_len;
markrad	0:cdf462088d13	1195
markrad	0:cdf462088d13	1196	ssl->handshake->pmslen = p - ssl->handshake->premaster;
markrad	0:cdf462088d13	1197
markrad	0:cdf462088d13	1198	return( 0 );
markrad	0:cdf462088d13	1199	}
markrad	0:cdf462088d13	1200	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
markrad	0:cdf462088d13	1201
markrad	0:cdf462088d13	1202	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	1203	/*
markrad	0:cdf462088d13	1204	* SSLv3.0 MAC functions
markrad	0:cdf462088d13	1205	*/
markrad	0:cdf462088d13	1206	static void ssl_mac( mbedtls_md_context_t md_ctx, unsigned char secret,
markrad	0:cdf462088d13	1207	unsigned char *buf, size_t len,
markrad	0:cdf462088d13	1208	unsigned char *ctr, int type )
markrad	0:cdf462088d13	1209	{
markrad	0:cdf462088d13	1210	unsigned char header[11];
markrad	0:cdf462088d13	1211	unsigned char padding[48];
markrad	0:cdf462088d13	1212	int padlen;
markrad	0:cdf462088d13	1213	int md_size = mbedtls_md_get_size( md_ctx->md_info );
markrad	0:cdf462088d13	1214	int md_type = mbedtls_md_get_type( md_ctx->md_info );
markrad	0:cdf462088d13	1215
markrad	0:cdf462088d13	1216	/* Only MD5 and SHA-1 supported */
markrad	0:cdf462088d13	1217	if( md_type == MBEDTLS_MD_MD5 )
markrad	0:cdf462088d13	1218	padlen = 48;
markrad	0:cdf462088d13	1219	else
markrad	0:cdf462088d13	1220	padlen = 40;
markrad	0:cdf462088d13	1221
markrad	0:cdf462088d13	1222	memcpy( header, ctr, 8 );
markrad	0:cdf462088d13	1223	header[ 8] = (unsigned char) type;
markrad	0:cdf462088d13	1224	header[ 9] = (unsigned char)( len >> 8 );
markrad	0:cdf462088d13	1225	header[10] = (unsigned char)( len );
markrad	0:cdf462088d13	1226
markrad	0:cdf462088d13	1227	memset( padding, 0x36, padlen );
markrad	0:cdf462088d13	1228	mbedtls_md_starts( md_ctx );
markrad	0:cdf462088d13	1229	mbedtls_md_update( md_ctx, secret, md_size );
markrad	0:cdf462088d13	1230	mbedtls_md_update( md_ctx, padding, padlen );
markrad	0:cdf462088d13	1231	mbedtls_md_update( md_ctx, header, 11 );
markrad	0:cdf462088d13	1232	mbedtls_md_update( md_ctx, buf, len );
markrad	0:cdf462088d13	1233	mbedtls_md_finish( md_ctx, buf + len );
markrad	0:cdf462088d13	1234
markrad	0:cdf462088d13	1235	memset( padding, 0x5C, padlen );
markrad	0:cdf462088d13	1236	mbedtls_md_starts( md_ctx );
markrad	0:cdf462088d13	1237	mbedtls_md_update( md_ctx, secret, md_size );
markrad	0:cdf462088d13	1238	mbedtls_md_update( md_ctx, padding, padlen );
markrad	0:cdf462088d13	1239	mbedtls_md_update( md_ctx, buf + len, md_size );
markrad	0:cdf462088d13	1240	mbedtls_md_finish( md_ctx, buf + len );
markrad	0:cdf462088d13	1241	}
markrad	0:cdf462088d13	1242	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	1243
markrad	0:cdf462088d13	1244	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER) \|\| \
markrad	0:cdf462088d13	1245	( defined(MBEDTLS_CIPHER_MODE_CBC) && \
markrad	0:cdf462088d13	1246	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) ) )
markrad	0:cdf462088d13	1247	#define SSL_SOME_MODES_USE_MAC
markrad	0:cdf462088d13	1248	#endif
markrad	0:cdf462088d13	1249
markrad	0:cdf462088d13	1250	/*
markrad	0:cdf462088d13	1251	* Encryption/decryption functions
markrad	0:cdf462088d13	1252	*/
markrad	0:cdf462088d13	1253	static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	1254	{
markrad	0:cdf462088d13	1255	mbedtls_cipher_mode_t mode;
markrad	0:cdf462088d13	1256	int auth_done = 0;
markrad	0:cdf462088d13	1257
markrad	0:cdf462088d13	1258	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
markrad	0:cdf462088d13	1259
markrad	0:cdf462088d13	1260	if( ssl->session_out == NULL \|\| ssl->transform_out == NULL )
markrad	0:cdf462088d13	1261	{
markrad	0:cdf462088d13	1262	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1263	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1264	}
markrad	0:cdf462088d13	1265
markrad	0:cdf462088d13	1266	mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
markrad	0:cdf462088d13	1267
markrad	0:cdf462088d13	1268	MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
markrad	0:cdf462088d13	1269	ssl->out_msg, ssl->out_msglen );
markrad	0:cdf462088d13	1270
markrad	0:cdf462088d13	1271	/*
markrad	0:cdf462088d13	1272	* Add MAC before if needed
markrad	0:cdf462088d13	1273	*/
markrad	0:cdf462088d13	1274	#if defined(SSL_SOME_MODES_USE_MAC)
markrad	0:cdf462088d13	1275	if( mode == MBEDTLS_MODE_STREAM \|\|
markrad	0:cdf462088d13	1276	( mode == MBEDTLS_MODE_CBC
markrad	0:cdf462088d13	1277	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	1278	&& ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
markrad	0:cdf462088d13	1279	#endif
markrad	0:cdf462088d13	1280	) )
markrad	0:cdf462088d13	1281	{
markrad	0:cdf462088d13	1282	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	1283	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	1284	{
markrad	0:cdf462088d13	1285	ssl_mac( &ssl->transform_out->md_ctx_enc,
markrad	0:cdf462088d13	1286	ssl->transform_out->mac_enc,
markrad	0:cdf462088d13	1287	ssl->out_msg, ssl->out_msglen,
markrad	0:cdf462088d13	1288	ssl->out_ctr, ssl->out_msgtype );
markrad	0:cdf462088d13	1289	}
markrad	0:cdf462088d13	1290	else
markrad	0:cdf462088d13	1291	#endif
markrad	0:cdf462088d13	1292	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	1293	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	1294	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
markrad	0:cdf462088d13	1295	{
markrad	0:cdf462088d13	1296	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
markrad	0:cdf462088d13	1297	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
markrad	0:cdf462088d13	1298	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
markrad	0:cdf462088d13	1299	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
markrad	0:cdf462088d13	1300	ssl->out_msg, ssl->out_msglen );
markrad	0:cdf462088d13	1301	mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
markrad	0:cdf462088d13	1302	ssl->out_msg + ssl->out_msglen );
markrad	0:cdf462088d13	1303	mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
markrad	0:cdf462088d13	1304	}
markrad	0:cdf462088d13	1305	else
markrad	0:cdf462088d13	1306	#endif
markrad	0:cdf462088d13	1307	{
markrad	0:cdf462088d13	1308	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1309	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1310	}
markrad	0:cdf462088d13	1311
markrad	0:cdf462088d13	1312	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
markrad	0:cdf462088d13	1313	ssl->out_msg + ssl->out_msglen,
markrad	0:cdf462088d13	1314	ssl->transform_out->maclen );
markrad	0:cdf462088d13	1315
markrad	0:cdf462088d13	1316	ssl->out_msglen += ssl->transform_out->maclen;
markrad	0:cdf462088d13	1317	auth_done++;
markrad	0:cdf462088d13	1318	}
markrad	0:cdf462088d13	1319	#endif /* AEAD not the only option */
markrad	0:cdf462088d13	1320
markrad	0:cdf462088d13	1321	/*
markrad	0:cdf462088d13	1322	* Encrypt
markrad	0:cdf462088d13	1323	*/
markrad	0:cdf462088d13	1324	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER)
markrad	0:cdf462088d13	1325	if( mode == MBEDTLS_MODE_STREAM )
markrad	0:cdf462088d13	1326	{
markrad	0:cdf462088d13	1327	int ret;
markrad	0:cdf462088d13	1328	size_t olen = 0;
markrad	0:cdf462088d13	1329
markrad	0:cdf462088d13	1330	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
markrad	0:cdf462088d13	1331	"including %d bytes of padding",
markrad	0:cdf462088d13	1332	ssl->out_msglen, 0 ) );
markrad	0:cdf462088d13	1333
markrad	0:cdf462088d13	1334	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
markrad	0:cdf462088d13	1335	ssl->transform_out->iv_enc,
markrad	0:cdf462088d13	1336	ssl->transform_out->ivlen,
markrad	0:cdf462088d13	1337	ssl->out_msg, ssl->out_msglen,
markrad	0:cdf462088d13	1338	ssl->out_msg, &olen ) ) != 0 )
markrad	0:cdf462088d13	1339	{
markrad	0:cdf462088d13	1340	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
markrad	0:cdf462088d13	1341	return( ret );
markrad	0:cdf462088d13	1342	}
markrad	0:cdf462088d13	1343
markrad	0:cdf462088d13	1344	if( ssl->out_msglen != olen )
markrad	0:cdf462088d13	1345	{
markrad	0:cdf462088d13	1346	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1347	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1348	}
markrad	0:cdf462088d13	1349	}
markrad	0:cdf462088d13	1350	else
markrad	0:cdf462088d13	1351	#endif /* MBEDTLS_ARC4_C \|\| MBEDTLS_CIPHER_NULL_CIPHER */
markrad	0:cdf462088d13	1352	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CCM_C)
markrad	0:cdf462088d13	1353	if( mode == MBEDTLS_MODE_GCM \|\|
markrad	0:cdf462088d13	1354	mode == MBEDTLS_MODE_CCM )
markrad	0:cdf462088d13	1355	{
markrad	0:cdf462088d13	1356	int ret;
markrad	0:cdf462088d13	1357	size_t enc_msglen, olen;
markrad	0:cdf462088d13	1358	unsigned char *enc_msg;
markrad	0:cdf462088d13	1359	unsigned char add_data[13];
markrad	0:cdf462088d13	1360	unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
markrad	0:cdf462088d13	1361	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
markrad	0:cdf462088d13	1362
markrad	0:cdf462088d13	1363	memcpy( add_data, ssl->out_ctr, 8 );
markrad	0:cdf462088d13	1364	add_data[8] = ssl->out_msgtype;
markrad	0:cdf462088d13	1365	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
markrad	0:cdf462088d13	1366	ssl->conf->transport, add_data + 9 );
markrad	0:cdf462088d13	1367	add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
markrad	0:cdf462088d13	1368	add_data[12] = ssl->out_msglen & 0xFF;
markrad	0:cdf462088d13	1369
markrad	0:cdf462088d13	1370	MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
markrad	0:cdf462088d13	1371	add_data, 13 );
markrad	0:cdf462088d13	1372
markrad	0:cdf462088d13	1373	/*
markrad	0:cdf462088d13	1374	* Generate IV
markrad	0:cdf462088d13	1375	*/
markrad	0:cdf462088d13	1376	if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
markrad	0:cdf462088d13	1377	{
markrad	0:cdf462088d13	1378	/* Reminder if we ever add an AEAD mode with a different size */
markrad	0:cdf462088d13	1379	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1380	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1381	}
markrad	0:cdf462088d13	1382
markrad	0:cdf462088d13	1383	memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
markrad	0:cdf462088d13	1384	ssl->out_ctr, 8 );
markrad	0:cdf462088d13	1385	memcpy( ssl->out_iv, ssl->out_ctr, 8 );
markrad	0:cdf462088d13	1386
markrad	0:cdf462088d13	1387	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
markrad	0:cdf462088d13	1388	ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
markrad	0:cdf462088d13	1389
markrad	0:cdf462088d13	1390	/*
markrad	0:cdf462088d13	1391	* Fix pointer positions and message length with added IV
markrad	0:cdf462088d13	1392	*/
markrad	0:cdf462088d13	1393	enc_msg = ssl->out_msg;
markrad	0:cdf462088d13	1394	enc_msglen = ssl->out_msglen;
markrad	0:cdf462088d13	1395	ssl->out_msglen += ssl->transform_out->ivlen -
markrad	0:cdf462088d13	1396	ssl->transform_out->fixed_ivlen;
markrad	0:cdf462088d13	1397
markrad	0:cdf462088d13	1398	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
markrad	0:cdf462088d13	1399	"including %d bytes of padding",
markrad	0:cdf462088d13	1400	ssl->out_msglen, 0 ) );
markrad	0:cdf462088d13	1401
markrad	0:cdf462088d13	1402	/*
markrad	0:cdf462088d13	1403	* Encrypt and authenticate
markrad	0:cdf462088d13	1404	*/
markrad	0:cdf462088d13	1405	if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
markrad	0:cdf462088d13	1406	ssl->transform_out->iv_enc,
markrad	0:cdf462088d13	1407	ssl->transform_out->ivlen,
markrad	0:cdf462088d13	1408	add_data, 13,
markrad	0:cdf462088d13	1409	enc_msg, enc_msglen,
markrad	0:cdf462088d13	1410	enc_msg, &olen,
markrad	0:cdf462088d13	1411	enc_msg + enc_msglen, taglen ) ) != 0 )
markrad	0:cdf462088d13	1412	{
markrad	0:cdf462088d13	1413	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
markrad	0:cdf462088d13	1414	return( ret );
markrad	0:cdf462088d13	1415	}
markrad	0:cdf462088d13	1416
markrad	0:cdf462088d13	1417	if( olen != enc_msglen )
markrad	0:cdf462088d13	1418	{
markrad	0:cdf462088d13	1419	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1420	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1421	}
markrad	0:cdf462088d13	1422
markrad	0:cdf462088d13	1423	ssl->out_msglen += taglen;
markrad	0:cdf462088d13	1424	auth_done++;
markrad	0:cdf462088d13	1425
markrad	0:cdf462088d13	1426	MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
markrad	0:cdf462088d13	1427	}
markrad	0:cdf462088d13	1428	else
markrad	0:cdf462088d13	1429	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C */
markrad	0:cdf462088d13	1430	#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
markrad	0:cdf462088d13	1431	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) )
markrad	0:cdf462088d13	1432	if( mode == MBEDTLS_MODE_CBC )
markrad	0:cdf462088d13	1433	{
markrad	0:cdf462088d13	1434	int ret;
markrad	0:cdf462088d13	1435	unsigned char *enc_msg;
markrad	0:cdf462088d13	1436	size_t enc_msglen, padlen, olen = 0, i;
markrad	0:cdf462088d13	1437
markrad	0:cdf462088d13	1438	padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
markrad	0:cdf462088d13	1439	ssl->transform_out->ivlen;
markrad	0:cdf462088d13	1440	if( padlen == ssl->transform_out->ivlen )
markrad	0:cdf462088d13	1441	padlen = 0;
markrad	0:cdf462088d13	1442
markrad	0:cdf462088d13	1443	for( i = 0; i <= padlen; i++ )
markrad	0:cdf462088d13	1444	ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
markrad	0:cdf462088d13	1445
markrad	0:cdf462088d13	1446	ssl->out_msglen += padlen + 1;
markrad	0:cdf462088d13	1447
markrad	0:cdf462088d13	1448	enc_msglen = ssl->out_msglen;
markrad	0:cdf462088d13	1449	enc_msg = ssl->out_msg;
markrad	0:cdf462088d13	1450
markrad	0:cdf462088d13	1451	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	1452	/*
markrad	0:cdf462088d13	1453	* Prepend per-record IV for block cipher in TLS v1.1 and up as per
markrad	0:cdf462088d13	1454	* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
markrad	0:cdf462088d13	1455	*/
markrad	0:cdf462088d13	1456	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	1457	{
markrad	0:cdf462088d13	1458	/*
markrad	0:cdf462088d13	1459	* Generate IV
markrad	0:cdf462088d13	1460	*/
markrad	0:cdf462088d13	1461	ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
markrad	0:cdf462088d13	1462	ssl->transform_out->ivlen );
markrad	0:cdf462088d13	1463	if( ret != 0 )
markrad	0:cdf462088d13	1464	return( ret );
markrad	0:cdf462088d13	1465
markrad	0:cdf462088d13	1466	memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
markrad	0:cdf462088d13	1467	ssl->transform_out->ivlen );
markrad	0:cdf462088d13	1468
markrad	0:cdf462088d13	1469	/*
markrad	0:cdf462088d13	1470	* Fix pointer positions and message length with added IV
markrad	0:cdf462088d13	1471	*/
markrad	0:cdf462088d13	1472	enc_msg = ssl->out_msg;
markrad	0:cdf462088d13	1473	enc_msglen = ssl->out_msglen;
markrad	0:cdf462088d13	1474	ssl->out_msglen += ssl->transform_out->ivlen;
markrad	0:cdf462088d13	1475	}
markrad	0:cdf462088d13	1476	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	1477
markrad	0:cdf462088d13	1478	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
markrad	0:cdf462088d13	1479	"including %d bytes of IV and %d bytes of padding",
markrad	0:cdf462088d13	1480	ssl->out_msglen, ssl->transform_out->ivlen,
markrad	0:cdf462088d13	1481	padlen + 1 ) );
markrad	0:cdf462088d13	1482
markrad	0:cdf462088d13	1483	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
markrad	0:cdf462088d13	1484	ssl->transform_out->iv_enc,
markrad	0:cdf462088d13	1485	ssl->transform_out->ivlen,
markrad	0:cdf462088d13	1486	enc_msg, enc_msglen,
markrad	0:cdf462088d13	1487	enc_msg, &olen ) ) != 0 )
markrad	0:cdf462088d13	1488	{
markrad	0:cdf462088d13	1489	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
markrad	0:cdf462088d13	1490	return( ret );
markrad	0:cdf462088d13	1491	}
markrad	0:cdf462088d13	1492
markrad	0:cdf462088d13	1493	if( enc_msglen != olen )
markrad	0:cdf462088d13	1494	{
markrad	0:cdf462088d13	1495	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1496	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1497	}
markrad	0:cdf462088d13	1498
markrad	0:cdf462088d13	1499	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
markrad	0:cdf462088d13	1500	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	1501	{
markrad	0:cdf462088d13	1502	/*
markrad	0:cdf462088d13	1503	* Save IV in SSL3 and TLS1
markrad	0:cdf462088d13	1504	*/
markrad	0:cdf462088d13	1505	memcpy( ssl->transform_out->iv_enc,
markrad	0:cdf462088d13	1506	ssl->transform_out->cipher_ctx_enc.iv,
markrad	0:cdf462088d13	1507	ssl->transform_out->ivlen );
markrad	0:cdf462088d13	1508	}
markrad	0:cdf462088d13	1509	#endif
markrad	0:cdf462088d13	1510
markrad	0:cdf462088d13	1511	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	1512	if( auth_done == 0 )
markrad	0:cdf462088d13	1513	{
markrad	0:cdf462088d13	1514	/*
markrad	0:cdf462088d13	1515	* MAC(MAC_write_key, seq_num +
markrad	0:cdf462088d13	1516	* TLSCipherText.type +
markrad	0:cdf462088d13	1517	* TLSCipherText.version +
markrad	0:cdf462088d13	1518	* length_of( (IV +) ENC(...) ) +
markrad	0:cdf462088d13	1519	* IV + // except for TLS 1.0
markrad	0:cdf462088d13	1520	* ENC(content + padding + padding_length));
markrad	0:cdf462088d13	1521	*/
markrad	0:cdf462088d13	1522	unsigned char pseudo_hdr[13];
markrad	0:cdf462088d13	1523
markrad	0:cdf462088d13	1524	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
markrad	0:cdf462088d13	1525
markrad	0:cdf462088d13	1526	memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
markrad	0:cdf462088d13	1527	memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
markrad	0:cdf462088d13	1528	pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
markrad	0:cdf462088d13	1529	pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
markrad	0:cdf462088d13	1530
markrad	0:cdf462088d13	1531	MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
markrad	0:cdf462088d13	1532
markrad	0:cdf462088d13	1533	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
markrad	0:cdf462088d13	1534	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
markrad	0:cdf462088d13	1535	ssl->out_iv, ssl->out_msglen );
markrad	0:cdf462088d13	1536	mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
markrad	0:cdf462088d13	1537	ssl->out_iv + ssl->out_msglen );
markrad	0:cdf462088d13	1538	mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
markrad	0:cdf462088d13	1539
markrad	0:cdf462088d13	1540	ssl->out_msglen += ssl->transform_out->maclen;
markrad	0:cdf462088d13	1541	auth_done++;
markrad	0:cdf462088d13	1542	}
markrad	0:cdf462088d13	1543	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
markrad	0:cdf462088d13	1544	}
markrad	0:cdf462088d13	1545	else
markrad	0:cdf462088d13	1546	#endif /* MBEDTLS_CIPHER_MODE_CBC &&
markrad	0:cdf462088d13	1547	( MBEDTLS_AES_C \|\| MBEDTLS_CAMELLIA_C ) */
markrad	0:cdf462088d13	1548	{
markrad	0:cdf462088d13	1549	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1550	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1551	}
markrad	0:cdf462088d13	1552
markrad	0:cdf462088d13	1553	/* Make extra sure authentication was performed, exactly once */
markrad	0:cdf462088d13	1554	if( auth_done != 1 )
markrad	0:cdf462088d13	1555	{
markrad	0:cdf462088d13	1556	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1557	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1558	}
markrad	0:cdf462088d13	1559
markrad	0:cdf462088d13	1560	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
markrad	0:cdf462088d13	1561
markrad	0:cdf462088d13	1562	return( 0 );
markrad	0:cdf462088d13	1563	}
markrad	0:cdf462088d13	1564
markrad	0:cdf462088d13	1565	#define SSL_MAX_MAC_SIZE 48
markrad	0:cdf462088d13	1566
markrad	0:cdf462088d13	1567	static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	1568	{
markrad	0:cdf462088d13	1569	size_t i;
markrad	0:cdf462088d13	1570	mbedtls_cipher_mode_t mode;
markrad	0:cdf462088d13	1571	int auth_done = 0;
markrad	0:cdf462088d13	1572	#if defined(SSL_SOME_MODES_USE_MAC)
markrad	0:cdf462088d13	1573	size_t padlen = 0, correct = 1;
markrad	0:cdf462088d13	1574	#endif
markrad	0:cdf462088d13	1575
markrad	0:cdf462088d13	1576	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
markrad	0:cdf462088d13	1577
markrad	0:cdf462088d13	1578	if( ssl->session_in == NULL \|\| ssl->transform_in == NULL )
markrad	0:cdf462088d13	1579	{
markrad	0:cdf462088d13	1580	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1581	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1582	}
markrad	0:cdf462088d13	1583
markrad	0:cdf462088d13	1584	mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
markrad	0:cdf462088d13	1585
markrad	0:cdf462088d13	1586	if( ssl->in_msglen < ssl->transform_in->minlen )
markrad	0:cdf462088d13	1587	{
markrad	0:cdf462088d13	1588	MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
markrad	0:cdf462088d13	1589	ssl->in_msglen, ssl->transform_in->minlen ) );
markrad	0:cdf462088d13	1590	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	1591	}
markrad	0:cdf462088d13	1592
markrad	0:cdf462088d13	1593	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER)
markrad	0:cdf462088d13	1594	if( mode == MBEDTLS_MODE_STREAM )
markrad	0:cdf462088d13	1595	{
markrad	0:cdf462088d13	1596	int ret;
markrad	0:cdf462088d13	1597	size_t olen = 0;
markrad	0:cdf462088d13	1598
markrad	0:cdf462088d13	1599	padlen = 0;
markrad	0:cdf462088d13	1600
markrad	0:cdf462088d13	1601	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
markrad	0:cdf462088d13	1602	ssl->transform_in->iv_dec,
markrad	0:cdf462088d13	1603	ssl->transform_in->ivlen,
markrad	0:cdf462088d13	1604	ssl->in_msg, ssl->in_msglen,
markrad	0:cdf462088d13	1605	ssl->in_msg, &olen ) ) != 0 )
markrad	0:cdf462088d13	1606	{
markrad	0:cdf462088d13	1607	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
markrad	0:cdf462088d13	1608	return( ret );
markrad	0:cdf462088d13	1609	}
markrad	0:cdf462088d13	1610
markrad	0:cdf462088d13	1611	if( ssl->in_msglen != olen )
markrad	0:cdf462088d13	1612	{
markrad	0:cdf462088d13	1613	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1614	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1615	}
markrad	0:cdf462088d13	1616	}
markrad	0:cdf462088d13	1617	else
markrad	0:cdf462088d13	1618	#endif /* MBEDTLS_ARC4_C \|\| MBEDTLS_CIPHER_NULL_CIPHER */
markrad	0:cdf462088d13	1619	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CCM_C)
markrad	0:cdf462088d13	1620	if( mode == MBEDTLS_MODE_GCM \|\|
markrad	0:cdf462088d13	1621	mode == MBEDTLS_MODE_CCM )
markrad	0:cdf462088d13	1622	{
markrad	0:cdf462088d13	1623	int ret;
markrad	0:cdf462088d13	1624	size_t dec_msglen, olen;
markrad	0:cdf462088d13	1625	unsigned char *dec_msg;
markrad	0:cdf462088d13	1626	unsigned char *dec_msg_result;
markrad	0:cdf462088d13	1627	unsigned char add_data[13];
markrad	0:cdf462088d13	1628	unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
markrad	0:cdf462088d13	1629	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
markrad	0:cdf462088d13	1630	size_t explicit_iv_len = ssl->transform_in->ivlen -
markrad	0:cdf462088d13	1631	ssl->transform_in->fixed_ivlen;
markrad	0:cdf462088d13	1632
markrad	0:cdf462088d13	1633	if( ssl->in_msglen < explicit_iv_len + taglen )
markrad	0:cdf462088d13	1634	{
markrad	0:cdf462088d13	1635	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
markrad	0:cdf462088d13	1636	"+ taglen (%d)", ssl->in_msglen,
markrad	0:cdf462088d13	1637	explicit_iv_len, taglen ) );
markrad	0:cdf462088d13	1638	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	1639	}
markrad	0:cdf462088d13	1640	dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
markrad	0:cdf462088d13	1641
markrad	0:cdf462088d13	1642	dec_msg = ssl->in_msg;
markrad	0:cdf462088d13	1643	dec_msg_result = ssl->in_msg;
markrad	0:cdf462088d13	1644	ssl->in_msglen = dec_msglen;
markrad	0:cdf462088d13	1645
markrad	0:cdf462088d13	1646	memcpy( add_data, ssl->in_ctr, 8 );
markrad	0:cdf462088d13	1647	add_data[8] = ssl->in_msgtype;
markrad	0:cdf462088d13	1648	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
markrad	0:cdf462088d13	1649	ssl->conf->transport, add_data + 9 );
markrad	0:cdf462088d13	1650	add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
markrad	0:cdf462088d13	1651	add_data[12] = ssl->in_msglen & 0xFF;
markrad	0:cdf462088d13	1652
markrad	0:cdf462088d13	1653	MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
markrad	0:cdf462088d13	1654	add_data, 13 );
markrad	0:cdf462088d13	1655
markrad	0:cdf462088d13	1656	memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
markrad	0:cdf462088d13	1657	ssl->in_iv,
markrad	0:cdf462088d13	1658	ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
markrad	0:cdf462088d13	1659
markrad	0:cdf462088d13	1660	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
markrad	0:cdf462088d13	1661	ssl->transform_in->ivlen );
markrad	0:cdf462088d13	1662	MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
markrad	0:cdf462088d13	1663
markrad	0:cdf462088d13	1664	/*
markrad	0:cdf462088d13	1665	* Decrypt and authenticate
markrad	0:cdf462088d13	1666	*/
markrad	0:cdf462088d13	1667	if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
markrad	0:cdf462088d13	1668	ssl->transform_in->iv_dec,
markrad	0:cdf462088d13	1669	ssl->transform_in->ivlen,
markrad	0:cdf462088d13	1670	add_data, 13,
markrad	0:cdf462088d13	1671	dec_msg, dec_msglen,
markrad	0:cdf462088d13	1672	dec_msg_result, &olen,
markrad	0:cdf462088d13	1673	dec_msg + dec_msglen, taglen ) ) != 0 )
markrad	0:cdf462088d13	1674	{
markrad	0:cdf462088d13	1675	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
markrad	0:cdf462088d13	1676
markrad	0:cdf462088d13	1677	if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
markrad	0:cdf462088d13	1678	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	1679
markrad	0:cdf462088d13	1680	return( ret );
markrad	0:cdf462088d13	1681	}
markrad	0:cdf462088d13	1682	auth_done++;
markrad	0:cdf462088d13	1683
markrad	0:cdf462088d13	1684	if( olen != dec_msglen )
markrad	0:cdf462088d13	1685	{
markrad	0:cdf462088d13	1686	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1687	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1688	}
markrad	0:cdf462088d13	1689	}
markrad	0:cdf462088d13	1690	else
markrad	0:cdf462088d13	1691	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C */
markrad	0:cdf462088d13	1692	#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
markrad	0:cdf462088d13	1693	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) )
markrad	0:cdf462088d13	1694	if( mode == MBEDTLS_MODE_CBC )
markrad	0:cdf462088d13	1695	{
markrad	0:cdf462088d13	1696	/*
markrad	0:cdf462088d13	1697	* Decrypt and check the padding
markrad	0:cdf462088d13	1698	*/
markrad	0:cdf462088d13	1699	int ret;
markrad	0:cdf462088d13	1700	unsigned char *dec_msg;
markrad	0:cdf462088d13	1701	unsigned char *dec_msg_result;
markrad	0:cdf462088d13	1702	size_t dec_msglen;
markrad	0:cdf462088d13	1703	size_t minlen = 0;
markrad	0:cdf462088d13	1704	size_t olen = 0;
markrad	0:cdf462088d13	1705
markrad	0:cdf462088d13	1706	/*
markrad	0:cdf462088d13	1707	* Check immediate ciphertext sanity
markrad	0:cdf462088d13	1708	*/
markrad	0:cdf462088d13	1709	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	1710	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	1711	minlen += ssl->transform_in->ivlen;
markrad	0:cdf462088d13	1712	#endif
markrad	0:cdf462088d13	1713
markrad	0:cdf462088d13	1714	if( ssl->in_msglen < minlen + ssl->transform_in->ivlen \|\|
markrad	0:cdf462088d13	1715	ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
markrad	0:cdf462088d13	1716	{
markrad	0:cdf462088d13	1717	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
markrad	0:cdf462088d13	1718	"+ 1 ) ( + expl IV )", ssl->in_msglen,
markrad	0:cdf462088d13	1719	ssl->transform_in->ivlen,
markrad	0:cdf462088d13	1720	ssl->transform_in->maclen ) );
markrad	0:cdf462088d13	1721	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	1722	}
markrad	0:cdf462088d13	1723
markrad	0:cdf462088d13	1724	dec_msglen = ssl->in_msglen;
markrad	0:cdf462088d13	1725	dec_msg = ssl->in_msg;
markrad	0:cdf462088d13	1726	dec_msg_result = ssl->in_msg;
markrad	0:cdf462088d13	1727
markrad	0:cdf462088d13	1728	/*
markrad	0:cdf462088d13	1729	* Authenticate before decrypt if enabled
markrad	0:cdf462088d13	1730	*/
markrad	0:cdf462088d13	1731	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	1732	if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
markrad	0:cdf462088d13	1733	{
markrad	0:cdf462088d13	1734	unsigned char computed_mac[SSL_MAX_MAC_SIZE];
markrad	0:cdf462088d13	1735	unsigned char pseudo_hdr[13];
markrad	0:cdf462088d13	1736
markrad	0:cdf462088d13	1737	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
markrad	0:cdf462088d13	1738
markrad	0:cdf462088d13	1739	dec_msglen -= ssl->transform_in->maclen;
markrad	0:cdf462088d13	1740	ssl->in_msglen -= ssl->transform_in->maclen;
markrad	0:cdf462088d13	1741
markrad	0:cdf462088d13	1742	memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
markrad	0:cdf462088d13	1743	memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
markrad	0:cdf462088d13	1744	pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
markrad	0:cdf462088d13	1745	pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
markrad	0:cdf462088d13	1746
markrad	0:cdf462088d13	1747	MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
markrad	0:cdf462088d13	1748
markrad	0:cdf462088d13	1749	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
markrad	0:cdf462088d13	1750	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
markrad	0:cdf462088d13	1751	ssl->in_iv, ssl->in_msglen );
markrad	0:cdf462088d13	1752	mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
markrad	0:cdf462088d13	1753	mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
markrad	0:cdf462088d13	1754
markrad	0:cdf462088d13	1755	MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
markrad	0:cdf462088d13	1756	ssl->transform_in->maclen );
markrad	0:cdf462088d13	1757	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
markrad	0:cdf462088d13	1758	ssl->transform_in->maclen );
markrad	0:cdf462088d13	1759
markrad	0:cdf462088d13	1760	if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
markrad	0:cdf462088d13	1761	ssl->transform_in->maclen ) != 0 )
markrad	0:cdf462088d13	1762	{
markrad	0:cdf462088d13	1763	MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
markrad	0:cdf462088d13	1764
markrad	0:cdf462088d13	1765	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	1766	}
markrad	0:cdf462088d13	1767	auth_done++;
markrad	0:cdf462088d13	1768	}
markrad	0:cdf462088d13	1769	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
markrad	0:cdf462088d13	1770
markrad	0:cdf462088d13	1771	/*
markrad	0:cdf462088d13	1772	* Check length sanity
markrad	0:cdf462088d13	1773	*/
markrad	0:cdf462088d13	1774	if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
markrad	0:cdf462088d13	1775	{
markrad	0:cdf462088d13	1776	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
markrad	0:cdf462088d13	1777	ssl->in_msglen, ssl->transform_in->ivlen ) );
markrad	0:cdf462088d13	1778	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	1779	}
markrad	0:cdf462088d13	1780
markrad	0:cdf462088d13	1781	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	1782	/*
markrad	0:cdf462088d13	1783	* Initialize for prepended IV for block cipher in TLS v1.1 and up
markrad	0:cdf462088d13	1784	*/
markrad	0:cdf462088d13	1785	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	1786	{
markrad	0:cdf462088d13	1787	dec_msglen -= ssl->transform_in->ivlen;
markrad	0:cdf462088d13	1788	ssl->in_msglen -= ssl->transform_in->ivlen;
markrad	0:cdf462088d13	1789
markrad	0:cdf462088d13	1790	for( i = 0; i < ssl->transform_in->ivlen; i++ )
markrad	0:cdf462088d13	1791	ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
markrad	0:cdf462088d13	1792	}
markrad	0:cdf462088d13	1793	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	1794
markrad	0:cdf462088d13	1795	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
markrad	0:cdf462088d13	1796	ssl->transform_in->iv_dec,
markrad	0:cdf462088d13	1797	ssl->transform_in->ivlen,
markrad	0:cdf462088d13	1798	dec_msg, dec_msglen,
markrad	0:cdf462088d13	1799	dec_msg_result, &olen ) ) != 0 )
markrad	0:cdf462088d13	1800	{
markrad	0:cdf462088d13	1801	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
markrad	0:cdf462088d13	1802	return( ret );
markrad	0:cdf462088d13	1803	}
markrad	0:cdf462088d13	1804
markrad	0:cdf462088d13	1805	if( dec_msglen != olen )
markrad	0:cdf462088d13	1806	{
markrad	0:cdf462088d13	1807	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1808	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1809	}
markrad	0:cdf462088d13	1810
markrad	0:cdf462088d13	1811	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
markrad	0:cdf462088d13	1812	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	1813	{
markrad	0:cdf462088d13	1814	/*
markrad	0:cdf462088d13	1815	* Save IV in SSL3 and TLS1
markrad	0:cdf462088d13	1816	*/
markrad	0:cdf462088d13	1817	memcpy( ssl->transform_in->iv_dec,
markrad	0:cdf462088d13	1818	ssl->transform_in->cipher_ctx_dec.iv,
markrad	0:cdf462088d13	1819	ssl->transform_in->ivlen );
markrad	0:cdf462088d13	1820	}
markrad	0:cdf462088d13	1821	#endif
markrad	0:cdf462088d13	1822
markrad	0:cdf462088d13	1823	padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
markrad	0:cdf462088d13	1824
markrad	0:cdf462088d13	1825	if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
markrad	0:cdf462088d13	1826	auth_done == 0 )
markrad	0:cdf462088d13	1827	{
markrad	0:cdf462088d13	1828	#if defined(MBEDTLS_SSL_DEBUG_ALL)
markrad	0:cdf462088d13	1829	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
markrad	0:cdf462088d13	1830	ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
markrad	0:cdf462088d13	1831	#endif
markrad	0:cdf462088d13	1832	padlen = 0;
markrad	0:cdf462088d13	1833	correct = 0;
markrad	0:cdf462088d13	1834	}
markrad	0:cdf462088d13	1835
markrad	0:cdf462088d13	1836	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	1837	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	1838	{
markrad	0:cdf462088d13	1839	if( padlen > ssl->transform_in->ivlen )
markrad	0:cdf462088d13	1840	{
markrad	0:cdf462088d13	1841	#if defined(MBEDTLS_SSL_DEBUG_ALL)
markrad	0:cdf462088d13	1842	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
markrad	0:cdf462088d13	1843	"should be no more than %d",
markrad	0:cdf462088d13	1844	padlen, ssl->transform_in->ivlen ) );
markrad	0:cdf462088d13	1845	#endif
markrad	0:cdf462088d13	1846	correct = 0;
markrad	0:cdf462088d13	1847	}
markrad	0:cdf462088d13	1848	}
markrad	0:cdf462088d13	1849	else
markrad	0:cdf462088d13	1850	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	1851	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	1852	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	1853	if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	1854	{
markrad	0:cdf462088d13	1855	/*
markrad	0:cdf462088d13	1856	* TLSv1+: always check the padding up to the first failure
markrad	0:cdf462088d13	1857	* and fake check up to 256 bytes of padding
markrad	0:cdf462088d13	1858	*/
markrad	0:cdf462088d13	1859	size_t pad_count = 0, real_count = 1;
markrad	0:cdf462088d13	1860	size_t padding_idx = ssl->in_msglen - padlen - 1;
markrad	0:cdf462088d13	1861
markrad	0:cdf462088d13	1862	/*
markrad	0:cdf462088d13	1863	* Padding is guaranteed to be incorrect if:
markrad	0:cdf462088d13	1864	* 1. padlen >= ssl->in_msglen
markrad	0:cdf462088d13	1865	*
markrad	0:cdf462088d13	1866	* 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
markrad	0:cdf462088d13	1867	* ssl->transform_in->maclen
markrad	0:cdf462088d13	1868	*
markrad	0:cdf462088d13	1869	* In both cases we reset padding_idx to a safe value (0) to
markrad	0:cdf462088d13	1870	* prevent out-of-buffer reads.
markrad	0:cdf462088d13	1871	*/
markrad	0:cdf462088d13	1872	correct &= ( ssl->in_msglen >= padlen + 1 );
markrad	0:cdf462088d13	1873	correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
markrad	0:cdf462088d13	1874	ssl->transform_in->maclen );
markrad	0:cdf462088d13	1875
markrad	0:cdf462088d13	1876	padding_idx *= correct;
markrad	0:cdf462088d13	1877
markrad	0:cdf462088d13	1878	for( i = 1; i <= 256; i++ )
markrad	0:cdf462088d13	1879	{
markrad	0:cdf462088d13	1880	real_count &= ( i <= padlen );
markrad	0:cdf462088d13	1881	pad_count += real_count *
markrad	0:cdf462088d13	1882	( ssl->in_msg[padding_idx + i] == padlen - 1 );
markrad	0:cdf462088d13	1883	}
markrad	0:cdf462088d13	1884
markrad	0:cdf462088d13	1885	correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
markrad	0:cdf462088d13	1886
markrad	0:cdf462088d13	1887	#if defined(MBEDTLS_SSL_DEBUG_ALL)
markrad	0:cdf462088d13	1888	if( padlen > 0 && correct == 0 )
markrad	0:cdf462088d13	1889	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
markrad	0:cdf462088d13	1890	#endif
markrad	0:cdf462088d13	1891	padlen &= correct * 0x1FF;
markrad	0:cdf462088d13	1892	}
markrad	0:cdf462088d13	1893	else
markrad	0:cdf462088d13	1894	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
markrad	0:cdf462088d13	1895	MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	1896	{
markrad	0:cdf462088d13	1897	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1898	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1899	}
markrad	0:cdf462088d13	1900
markrad	0:cdf462088d13	1901	ssl->in_msglen -= padlen;
markrad	0:cdf462088d13	1902	}
markrad	0:cdf462088d13	1903	else
markrad	0:cdf462088d13	1904	#endif /* MBEDTLS_CIPHER_MODE_CBC &&
markrad	0:cdf462088d13	1905	( MBEDTLS_AES_C \|\| MBEDTLS_CAMELLIA_C ) */
markrad	0:cdf462088d13	1906	{
markrad	0:cdf462088d13	1907	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1908	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1909	}
markrad	0:cdf462088d13	1910
markrad	0:cdf462088d13	1911	MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
markrad	0:cdf462088d13	1912	ssl->in_msg, ssl->in_msglen );
markrad	0:cdf462088d13	1913
markrad	0:cdf462088d13	1914	/*
markrad	0:cdf462088d13	1915	* Authenticate if not done yet.
markrad	0:cdf462088d13	1916	* Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
markrad	0:cdf462088d13	1917	*/
markrad	0:cdf462088d13	1918	#if defined(SSL_SOME_MODES_USE_MAC)
markrad	0:cdf462088d13	1919	if( auth_done == 0 )
markrad	0:cdf462088d13	1920	{
markrad	0:cdf462088d13	1921	unsigned char tmp[SSL_MAX_MAC_SIZE];
markrad	0:cdf462088d13	1922
markrad	0:cdf462088d13	1923	ssl->in_msglen -= ssl->transform_in->maclen;
markrad	0:cdf462088d13	1924
markrad	0:cdf462088d13	1925	ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
markrad	0:cdf462088d13	1926	ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
markrad	0:cdf462088d13	1927
markrad	0:cdf462088d13	1928	memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
markrad	0:cdf462088d13	1929
markrad	0:cdf462088d13	1930	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	1931	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	1932	{
markrad	0:cdf462088d13	1933	ssl_mac( &ssl->transform_in->md_ctx_dec,
markrad	0:cdf462088d13	1934	ssl->transform_in->mac_dec,
markrad	0:cdf462088d13	1935	ssl->in_msg, ssl->in_msglen,
markrad	0:cdf462088d13	1936	ssl->in_ctr, ssl->in_msgtype );
markrad	0:cdf462088d13	1937	}
markrad	0:cdf462088d13	1938	else
markrad	0:cdf462088d13	1939	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	1940	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	1941	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	1942	if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	1943	{
markrad	0:cdf462088d13	1944	/*
markrad	0:cdf462088d13	1945	* Process MAC and always update for padlen afterwards to make
markrad	0:cdf462088d13	1946	* total time independent of padlen
markrad	0:cdf462088d13	1947	*
markrad	0:cdf462088d13	1948	* extra_run compensates MAC check for padlen
markrad	0:cdf462088d13	1949	*
markrad	0:cdf462088d13	1950	* Known timing attacks:
markrad	0:cdf462088d13	1951	* - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
markrad	0:cdf462088d13	1952	*
markrad	0:cdf462088d13	1953	* We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
markrad	0:cdf462088d13	1954	* correctly. (We round down instead of up, so -56 is the correct
markrad	0:cdf462088d13	1955	* value for our calculations instead of -55)
markrad	0:cdf462088d13	1956	*/
markrad	0:cdf462088d13	1957	size_t j, extra_run = 0;
markrad	0:cdf462088d13	1958	extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
markrad	0:cdf462088d13	1959	( 13 + ssl->in_msglen + 8 ) / 64;
markrad	0:cdf462088d13	1960
markrad	0:cdf462088d13	1961	extra_run &= correct * 0xFF;
markrad	0:cdf462088d13	1962
markrad	0:cdf462088d13	1963	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
markrad	0:cdf462088d13	1964	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
markrad	0:cdf462088d13	1965	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
markrad	0:cdf462088d13	1966	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
markrad	0:cdf462088d13	1967	ssl->in_msglen );
markrad	0:cdf462088d13	1968	mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec,
markrad	0:cdf462088d13	1969	ssl->in_msg + ssl->in_msglen );
markrad	0:cdf462088d13	1970	/* Call mbedtls_md_process at least once due to cache attacks */
markrad	0:cdf462088d13	1971	for( j = 0; j < extra_run + 1; j++ )
markrad	0:cdf462088d13	1972	mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
markrad	0:cdf462088d13	1973
markrad	0:cdf462088d13	1974	mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
markrad	0:cdf462088d13	1975	}
markrad	0:cdf462088d13	1976	else
markrad	0:cdf462088d13	1977	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
markrad	0:cdf462088d13	1978	MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	1979	{
markrad	0:cdf462088d13	1980	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	1981	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	1982	}
markrad	0:cdf462088d13	1983
markrad	0:cdf462088d13	1984	MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
markrad	0:cdf462088d13	1985	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
markrad	0:cdf462088d13	1986	ssl->transform_in->maclen );
markrad	0:cdf462088d13	1987
markrad	0:cdf462088d13	1988	if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
markrad	0:cdf462088d13	1989	ssl->transform_in->maclen ) != 0 )
markrad	0:cdf462088d13	1990	{
markrad	0:cdf462088d13	1991	#if defined(MBEDTLS_SSL_DEBUG_ALL)
markrad	0:cdf462088d13	1992	MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
markrad	0:cdf462088d13	1993	#endif
markrad	0:cdf462088d13	1994	correct = 0;
markrad	0:cdf462088d13	1995	}
markrad	0:cdf462088d13	1996	auth_done++;
markrad	0:cdf462088d13	1997
markrad	0:cdf462088d13	1998	/*
markrad	0:cdf462088d13	1999	* Finally check the correct flag
markrad	0:cdf462088d13	2000	*/
markrad	0:cdf462088d13	2001	if( correct == 0 )
markrad	0:cdf462088d13	2002	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	2003	}
markrad	0:cdf462088d13	2004	#endif /* SSL_SOME_MODES_USE_MAC */
markrad	0:cdf462088d13	2005
markrad	0:cdf462088d13	2006	/* Make extra sure authentication was performed, exactly once */
markrad	0:cdf462088d13	2007	if( auth_done != 1 )
markrad	0:cdf462088d13	2008	{
markrad	0:cdf462088d13	2009	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	2010	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	2011	}
markrad	0:cdf462088d13	2012
markrad	0:cdf462088d13	2013	if( ssl->in_msglen == 0 )
markrad	0:cdf462088d13	2014	{
markrad	0:cdf462088d13	2015	ssl->nb_zero++;
markrad	0:cdf462088d13	2016
markrad	0:cdf462088d13	2017	/*
markrad	0:cdf462088d13	2018	* Three or more empty messages may be a DoS attack
markrad	0:cdf462088d13	2019	* (excessive CPU consumption).
markrad	0:cdf462088d13	2020	*/
markrad	0:cdf462088d13	2021	if( ssl->nb_zero > 3 )
markrad	0:cdf462088d13	2022	{
markrad	0:cdf462088d13	2023	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
markrad	0:cdf462088d13	2024	"messages, possible DoS attack" ) );
markrad	0:cdf462088d13	2025	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	2026	}
markrad	0:cdf462088d13	2027	}
markrad	0:cdf462088d13	2028	else
markrad	0:cdf462088d13	2029	ssl->nb_zero = 0;
markrad	0:cdf462088d13	2030
markrad	0:cdf462088d13	2031	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	2032	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	2033	{
markrad	0:cdf462088d13	2034	; /* in_ctr read from peer, not maintained internally */
markrad	0:cdf462088d13	2035	}
markrad	0:cdf462088d13	2036	else
markrad	0:cdf462088d13	2037	#endif
markrad	0:cdf462088d13	2038	{
markrad	0:cdf462088d13	2039	for( i = 8; i > ssl_ep_len( ssl ); i-- )
markrad	0:cdf462088d13	2040	if( ++ssl->in_ctr[i - 1] != 0 )
markrad	0:cdf462088d13	2041	break;
markrad	0:cdf462088d13	2042
markrad	0:cdf462088d13	2043	/* The loop goes to its end iff the counter is wrapping */
markrad	0:cdf462088d13	2044	if( i == ssl_ep_len( ssl ) )
markrad	0:cdf462088d13	2045	{
markrad	0:cdf462088d13	2046	MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
markrad	0:cdf462088d13	2047	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
markrad	0:cdf462088d13	2048	}
markrad	0:cdf462088d13	2049	}
markrad	0:cdf462088d13	2050
markrad	0:cdf462088d13	2051	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
markrad	0:cdf462088d13	2052
markrad	0:cdf462088d13	2053	return( 0 );
markrad	0:cdf462088d13	2054	}
markrad	0:cdf462088d13	2055
markrad	0:cdf462088d13	2056	#undef MAC_NONE
markrad	0:cdf462088d13	2057	#undef MAC_PLAINTEXT
markrad	0:cdf462088d13	2058	#undef MAC_CIPHERTEXT
markrad	0:cdf462088d13	2059
markrad	0:cdf462088d13	2060	#if defined(MBEDTLS_ZLIB_SUPPORT)
markrad	0:cdf462088d13	2061	/*
markrad	0:cdf462088d13	2062	* Compression/decompression functions
markrad	0:cdf462088d13	2063	*/
markrad	0:cdf462088d13	2064	static int ssl_compress_buf( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2065	{
markrad	0:cdf462088d13	2066	int ret;
markrad	0:cdf462088d13	2067	unsigned char *msg_post = ssl->out_msg;
markrad	0:cdf462088d13	2068	size_t len_pre = ssl->out_msglen;
markrad	0:cdf462088d13	2069	unsigned char *msg_pre = ssl->compress_buf;
markrad	0:cdf462088d13	2070
markrad	0:cdf462088d13	2071	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
markrad	0:cdf462088d13	2072
markrad	0:cdf462088d13	2073	if( len_pre == 0 )
markrad	0:cdf462088d13	2074	return( 0 );
markrad	0:cdf462088d13	2075
markrad	0:cdf462088d13	2076	memcpy( msg_pre, ssl->out_msg, len_pre );
markrad	0:cdf462088d13	2077
markrad	0:cdf462088d13	2078	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
markrad	0:cdf462088d13	2079	ssl->out_msglen ) );
markrad	0:cdf462088d13	2080
markrad	0:cdf462088d13	2081	MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
markrad	0:cdf462088d13	2082	ssl->out_msg, ssl->out_msglen );
markrad	0:cdf462088d13	2083
markrad	0:cdf462088d13	2084	ssl->transform_out->ctx_deflate.next_in = msg_pre;
markrad	0:cdf462088d13	2085	ssl->transform_out->ctx_deflate.avail_in = len_pre;
markrad	0:cdf462088d13	2086	ssl->transform_out->ctx_deflate.next_out = msg_post;
markrad	0:cdf462088d13	2087	ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN;
markrad	0:cdf462088d13	2088
markrad	0:cdf462088d13	2089	ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
markrad	0:cdf462088d13	2090	if( ret != Z_OK )
markrad	0:cdf462088d13	2091	{
markrad	0:cdf462088d13	2092	MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
markrad	0:cdf462088d13	2093	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
markrad	0:cdf462088d13	2094	}
markrad	0:cdf462088d13	2095
markrad	0:cdf462088d13	2096	ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
markrad	0:cdf462088d13	2097	ssl->transform_out->ctx_deflate.avail_out;
markrad	0:cdf462088d13	2098
markrad	0:cdf462088d13	2099	MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
markrad	0:cdf462088d13	2100	ssl->out_msglen ) );
markrad	0:cdf462088d13	2101
markrad	0:cdf462088d13	2102	MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
markrad	0:cdf462088d13	2103	ssl->out_msg, ssl->out_msglen );
markrad	0:cdf462088d13	2104
markrad	0:cdf462088d13	2105	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
markrad	0:cdf462088d13	2106
markrad	0:cdf462088d13	2107	return( 0 );
markrad	0:cdf462088d13	2108	}
markrad	0:cdf462088d13	2109
markrad	0:cdf462088d13	2110	static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2111	{
markrad	0:cdf462088d13	2112	int ret;
markrad	0:cdf462088d13	2113	unsigned char *msg_post = ssl->in_msg;
markrad	0:cdf462088d13	2114	size_t len_pre = ssl->in_msglen;
markrad	0:cdf462088d13	2115	unsigned char *msg_pre = ssl->compress_buf;
markrad	0:cdf462088d13	2116
markrad	0:cdf462088d13	2117	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
markrad	0:cdf462088d13	2118
markrad	0:cdf462088d13	2119	if( len_pre == 0 )
markrad	0:cdf462088d13	2120	return( 0 );
markrad	0:cdf462088d13	2121
markrad	0:cdf462088d13	2122	memcpy( msg_pre, ssl->in_msg, len_pre );
markrad	0:cdf462088d13	2123
markrad	0:cdf462088d13	2124	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
markrad	0:cdf462088d13	2125	ssl->in_msglen ) );
markrad	0:cdf462088d13	2126
markrad	0:cdf462088d13	2127	MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
markrad	0:cdf462088d13	2128	ssl->in_msg, ssl->in_msglen );
markrad	0:cdf462088d13	2129
markrad	0:cdf462088d13	2130	ssl->transform_in->ctx_inflate.next_in = msg_pre;
markrad	0:cdf462088d13	2131	ssl->transform_in->ctx_inflate.avail_in = len_pre;
markrad	0:cdf462088d13	2132	ssl->transform_in->ctx_inflate.next_out = msg_post;
markrad	0:cdf462088d13	2133	ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN;
markrad	0:cdf462088d13	2134
markrad	0:cdf462088d13	2135	ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
markrad	0:cdf462088d13	2136	if( ret != Z_OK )
markrad	0:cdf462088d13	2137	{
markrad	0:cdf462088d13	2138	MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
markrad	0:cdf462088d13	2139	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
markrad	0:cdf462088d13	2140	}
markrad	0:cdf462088d13	2141
markrad	0:cdf462088d13	2142	ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN -
markrad	0:cdf462088d13	2143	ssl->transform_in->ctx_inflate.avail_out;
markrad	0:cdf462088d13	2144
markrad	0:cdf462088d13	2145	MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
markrad	0:cdf462088d13	2146	ssl->in_msglen ) );
markrad	0:cdf462088d13	2147
markrad	0:cdf462088d13	2148	MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
markrad	0:cdf462088d13	2149	ssl->in_msg, ssl->in_msglen );
markrad	0:cdf462088d13	2150
markrad	0:cdf462088d13	2151	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
markrad	0:cdf462088d13	2152
markrad	0:cdf462088d13	2153	return( 0 );
markrad	0:cdf462088d13	2154	}
markrad	0:cdf462088d13	2155	#endif /* MBEDTLS_ZLIB_SUPPORT */
markrad	0:cdf462088d13	2156
markrad	0:cdf462088d13	2157	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	2158	static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
markrad	0:cdf462088d13	2159
markrad	0:cdf462088d13	2160	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	2161	static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2162	{
markrad	0:cdf462088d13	2163	/* If renegotiation is not enforced, retransmit until we would reach max
markrad	0:cdf462088d13	2164	* timeout if we were using the usual handshake doubling scheme */
markrad	0:cdf462088d13	2165	if( ssl->conf->renego_max_records < 0 )
markrad	0:cdf462088d13	2166	{
markrad	0:cdf462088d13	2167	uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
markrad	0:cdf462088d13	2168	unsigned char doublings = 1;
markrad	0:cdf462088d13	2169
markrad	0:cdf462088d13	2170	while( ratio != 0 )
markrad	0:cdf462088d13	2171	{
markrad	0:cdf462088d13	2172	++doublings;
markrad	0:cdf462088d13	2173	ratio >>= 1;
markrad	0:cdf462088d13	2174	}
markrad	0:cdf462088d13	2175
markrad	0:cdf462088d13	2176	if( ++ssl->renego_records_seen > doublings )
markrad	0:cdf462088d13	2177	{
markrad	0:cdf462088d13	2178	MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
markrad	0:cdf462088d13	2179	return( 0 );
markrad	0:cdf462088d13	2180	}
markrad	0:cdf462088d13	2181	}
markrad	0:cdf462088d13	2182
markrad	0:cdf462088d13	2183	return( ssl_write_hello_request( ssl ) );
markrad	0:cdf462088d13	2184	}
markrad	0:cdf462088d13	2185	#endif
markrad	0:cdf462088d13	2186	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	2187
markrad	0:cdf462088d13	2188	/*
markrad	0:cdf462088d13	2189	* Fill the input message buffer by appending data to it.
markrad	0:cdf462088d13	2190	* The amount of data already fetched is in ssl->in_left.
markrad	0:cdf462088d13	2191	*
markrad	0:cdf462088d13	2192	* If we return 0, is it guaranteed that (at least) nb_want bytes are
markrad	0:cdf462088d13	2193	* available (from this read and/or a previous one). Otherwise, an error code
markrad	0:cdf462088d13	2194	* is returned (possibly EOF or WANT_READ).
markrad	0:cdf462088d13	2195	*
markrad	0:cdf462088d13	2196	* With stream transport (TLS) on success ssl->in_left == nb_want, but
markrad	0:cdf462088d13	2197	* with datagram transport (DTLS) on success ssl->in_left >= nb_want,
markrad	0:cdf462088d13	2198	* since we always read a whole datagram at once.
markrad	0:cdf462088d13	2199	*
markrad	0:cdf462088d13	2200	* For DTLS, it is up to the caller to set ssl->next_record_offset when
markrad	0:cdf462088d13	2201	* they're done reading a record.
markrad	0:cdf462088d13	2202	*/
markrad	0:cdf462088d13	2203	int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
markrad	0:cdf462088d13	2204	{
markrad	0:cdf462088d13	2205	int ret;
markrad	0:cdf462088d13	2206	size_t len;
markrad	0:cdf462088d13	2207
markrad	0:cdf462088d13	2208	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
markrad	0:cdf462088d13	2209
markrad	0:cdf462088d13	2210	if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
markrad	0:cdf462088d13	2211	{
markrad	0:cdf462088d13	2212	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
markrad	0:cdf462088d13	2213	"or mbedtls_ssl_set_bio()" ) );
markrad	0:cdf462088d13	2214	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	2215	}
markrad	0:cdf462088d13	2216
markrad	0:cdf462088d13	2217	if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
markrad	0:cdf462088d13	2218	{
markrad	0:cdf462088d13	2219	MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
markrad	0:cdf462088d13	2220	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	2221	}
markrad	0:cdf462088d13	2222
markrad	0:cdf462088d13	2223	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	2224	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	2225	{
markrad	0:cdf462088d13	2226	uint32_t timeout;
markrad	0:cdf462088d13	2227
markrad	0:cdf462088d13	2228	/* Just to be sure */
markrad	0:cdf462088d13	2229	if( ssl->f_set_timer == NULL \|\| ssl->f_get_timer == NULL )
markrad	0:cdf462088d13	2230	{
markrad	0:cdf462088d13	2231	MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
markrad	0:cdf462088d13	2232	"mbedtls_ssl_set_timer_cb() for DTLS" ) );
markrad	0:cdf462088d13	2233	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	2234	}
markrad	0:cdf462088d13	2235
markrad	0:cdf462088d13	2236	/*
markrad	0:cdf462088d13	2237	* The point is, we need to always read a full datagram at once, so we
markrad	0:cdf462088d13	2238	* sometimes read more then requested, and handle the additional data.
markrad	0:cdf462088d13	2239	* It could be the rest of the current record (while fetching the
markrad	0:cdf462088d13	2240	* header) and/or some other records in the same datagram.
markrad	0:cdf462088d13	2241	*/
markrad	0:cdf462088d13	2242
markrad	0:cdf462088d13	2243	/*
markrad	0:cdf462088d13	2244	* Move to the next record in the already read datagram if applicable
markrad	0:cdf462088d13	2245	*/
markrad	0:cdf462088d13	2246	if( ssl->next_record_offset != 0 )
markrad	0:cdf462088d13	2247	{
markrad	0:cdf462088d13	2248	if( ssl->in_left < ssl->next_record_offset )
markrad	0:cdf462088d13	2249	{
markrad	0:cdf462088d13	2250	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	2251	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	2252	}
markrad	0:cdf462088d13	2253
markrad	0:cdf462088d13	2254	ssl->in_left -= ssl->next_record_offset;
markrad	0:cdf462088d13	2255
markrad	0:cdf462088d13	2256	if( ssl->in_left != 0 )
markrad	0:cdf462088d13	2257	{
markrad	0:cdf462088d13	2258	MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
markrad	0:cdf462088d13	2259	ssl->next_record_offset ) );
markrad	0:cdf462088d13	2260	memmove( ssl->in_hdr,
markrad	0:cdf462088d13	2261	ssl->in_hdr + ssl->next_record_offset,
markrad	0:cdf462088d13	2262	ssl->in_left );
markrad	0:cdf462088d13	2263	}
markrad	0:cdf462088d13	2264
markrad	0:cdf462088d13	2265	ssl->next_record_offset = 0;
markrad	0:cdf462088d13	2266	}
markrad	0:cdf462088d13	2267
markrad	0:cdf462088d13	2268	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
markrad	0:cdf462088d13	2269	ssl->in_left, nb_want ) );
markrad	0:cdf462088d13	2270
markrad	0:cdf462088d13	2271	/*
markrad	0:cdf462088d13	2272	* Done if we already have enough data.
markrad	0:cdf462088d13	2273	*/
markrad	0:cdf462088d13	2274	if( nb_want <= ssl->in_left)
markrad	0:cdf462088d13	2275	{
markrad	0:cdf462088d13	2276	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
markrad	0:cdf462088d13	2277	return( 0 );
markrad	0:cdf462088d13	2278	}
markrad	0:cdf462088d13	2279
markrad	0:cdf462088d13	2280	/*
markrad	0:cdf462088d13	2281	* A record can't be split accross datagrams. If we need to read but
markrad	0:cdf462088d13	2282	* are not at the beginning of a new record, the caller did something
markrad	0:cdf462088d13	2283	* wrong.
markrad	0:cdf462088d13	2284	*/
markrad	0:cdf462088d13	2285	if( ssl->in_left != 0 )
markrad	0:cdf462088d13	2286	{
markrad	0:cdf462088d13	2287	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	2288	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	2289	}
markrad	0:cdf462088d13	2290
markrad	0:cdf462088d13	2291	/*
markrad	0:cdf462088d13	2292	* Don't even try to read if time's out already.
markrad	0:cdf462088d13	2293	* This avoids by-passing the timer when repeatedly receiving messages
markrad	0:cdf462088d13	2294	* that will end up being dropped.
markrad	0:cdf462088d13	2295	*/
markrad	0:cdf462088d13	2296	if( ssl_check_timer( ssl ) != 0 )
markrad	0:cdf462088d13	2297	ret = MBEDTLS_ERR_SSL_TIMEOUT;
markrad	0:cdf462088d13	2298	else
markrad	0:cdf462088d13	2299	{
markrad	0:cdf462088d13	2300	len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
markrad	0:cdf462088d13	2301
markrad	0:cdf462088d13	2302	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	2303	timeout = ssl->handshake->retransmit_timeout;
markrad	0:cdf462088d13	2304	else
markrad	0:cdf462088d13	2305	timeout = ssl->conf->read_timeout;
markrad	0:cdf462088d13	2306
markrad	0:cdf462088d13	2307	MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
markrad	0:cdf462088d13	2308
markrad	0:cdf462088d13	2309	if( ssl->f_recv_timeout != NULL )
markrad	0:cdf462088d13	2310	ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
markrad	0:cdf462088d13	2311	timeout );
markrad	0:cdf462088d13	2312	else
markrad	0:cdf462088d13	2313	ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
markrad	0:cdf462088d13	2314
markrad	0:cdf462088d13	2315	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
markrad	0:cdf462088d13	2316
markrad	0:cdf462088d13	2317	if( ret == 0 )
markrad	0:cdf462088d13	2318	return( MBEDTLS_ERR_SSL_CONN_EOF );
markrad	0:cdf462088d13	2319	}
markrad	0:cdf462088d13	2320
markrad	0:cdf462088d13	2321	if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
markrad	0:cdf462088d13	2322	{
markrad	0:cdf462088d13	2323	MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
markrad	0:cdf462088d13	2324	ssl_set_timer( ssl, 0 );
markrad	0:cdf462088d13	2325
markrad	0:cdf462088d13	2326	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	2327	{
markrad	0:cdf462088d13	2328	if( ssl_double_retransmit_timeout( ssl ) != 0 )
markrad	0:cdf462088d13	2329	{
markrad	0:cdf462088d13	2330	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
markrad	0:cdf462088d13	2331	return( MBEDTLS_ERR_SSL_TIMEOUT );
markrad	0:cdf462088d13	2332	}
markrad	0:cdf462088d13	2333
markrad	0:cdf462088d13	2334	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
markrad	0:cdf462088d13	2335	{
markrad	0:cdf462088d13	2336	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
markrad	0:cdf462088d13	2337	return( ret );
markrad	0:cdf462088d13	2338	}
markrad	0:cdf462088d13	2339
markrad	0:cdf462088d13	2340	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	2341	}
markrad	0:cdf462088d13	2342	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	2343	else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	2344	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
markrad	0:cdf462088d13	2345	{
markrad	0:cdf462088d13	2346	if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
markrad	0:cdf462088d13	2347	{
markrad	0:cdf462088d13	2348	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
markrad	0:cdf462088d13	2349	return( ret );
markrad	0:cdf462088d13	2350	}
markrad	0:cdf462088d13	2351
markrad	0:cdf462088d13	2352	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	2353	}
markrad	0:cdf462088d13	2354	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	2355	}
markrad	0:cdf462088d13	2356
markrad	0:cdf462088d13	2357	if( ret < 0 )
markrad	0:cdf462088d13	2358	return( ret );
markrad	0:cdf462088d13	2359
markrad	0:cdf462088d13	2360	ssl->in_left = ret;
markrad	0:cdf462088d13	2361	}
markrad	0:cdf462088d13	2362	else
markrad	0:cdf462088d13	2363	#endif
markrad	0:cdf462088d13	2364	{
markrad	0:cdf462088d13	2365	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
markrad	0:cdf462088d13	2366	ssl->in_left, nb_want ) );
markrad	0:cdf462088d13	2367
markrad	0:cdf462088d13	2368	while( ssl->in_left < nb_want )
markrad	0:cdf462088d13	2369	{
markrad	0:cdf462088d13	2370	len = nb_want - ssl->in_left;
markrad	0:cdf462088d13	2371
markrad	0:cdf462088d13	2372	if( ssl_check_timer( ssl ) != 0 )
markrad	0:cdf462088d13	2373	ret = MBEDTLS_ERR_SSL_TIMEOUT;
markrad	0:cdf462088d13	2374	else
markrad	0:cdf462088d13	2375	{
markrad	0:cdf462088d13	2376	if( ssl->f_recv_timeout != NULL )
markrad	0:cdf462088d13	2377	{
markrad	0:cdf462088d13	2378	ret = ssl->f_recv_timeout( ssl->p_bio,
markrad	0:cdf462088d13	2379	ssl->in_hdr + ssl->in_left, len,
markrad	0:cdf462088d13	2380	ssl->conf->read_timeout );
markrad	0:cdf462088d13	2381	}
markrad	0:cdf462088d13	2382	else
markrad	0:cdf462088d13	2383	{
markrad	0:cdf462088d13	2384	ret = ssl->f_recv( ssl->p_bio,
markrad	0:cdf462088d13	2385	ssl->in_hdr + ssl->in_left, len );
markrad	0:cdf462088d13	2386	}
markrad	0:cdf462088d13	2387	}
markrad	0:cdf462088d13	2388
markrad	0:cdf462088d13	2389	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
markrad	0:cdf462088d13	2390	ssl->in_left, nb_want ) );
markrad	0:cdf462088d13	2391	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
markrad	0:cdf462088d13	2392
markrad	0:cdf462088d13	2393	if( ret == 0 )
markrad	0:cdf462088d13	2394	return( MBEDTLS_ERR_SSL_CONN_EOF );
markrad	0:cdf462088d13	2395
markrad	0:cdf462088d13	2396	if( ret < 0 )
markrad	0:cdf462088d13	2397	return( ret );
markrad	0:cdf462088d13	2398
markrad	0:cdf462088d13	2399	ssl->in_left += ret;
markrad	0:cdf462088d13	2400	}
markrad	0:cdf462088d13	2401	}
markrad	0:cdf462088d13	2402
markrad	0:cdf462088d13	2403	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
markrad	0:cdf462088d13	2404
markrad	0:cdf462088d13	2405	return( 0 );
markrad	0:cdf462088d13	2406	}
markrad	0:cdf462088d13	2407
markrad	0:cdf462088d13	2408	/*
markrad	0:cdf462088d13	2409	* Flush any data not yet written
markrad	0:cdf462088d13	2410	*/
markrad	0:cdf462088d13	2411	int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2412	{
markrad	0:cdf462088d13	2413	int ret;
markrad	0:cdf462088d13	2414	unsigned char *buf, i;
markrad	0:cdf462088d13	2415
markrad	0:cdf462088d13	2416	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
markrad	0:cdf462088d13	2417
markrad	0:cdf462088d13	2418	if( ssl->f_send == NULL )
markrad	0:cdf462088d13	2419	{
markrad	0:cdf462088d13	2420	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
markrad	0:cdf462088d13	2421	"or mbedtls_ssl_set_bio()" ) );
markrad	0:cdf462088d13	2422	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	2423	}
markrad	0:cdf462088d13	2424
markrad	0:cdf462088d13	2425	/* Avoid incrementing counter if data is flushed */
markrad	0:cdf462088d13	2426	if( ssl->out_left == 0 )
markrad	0:cdf462088d13	2427	{
markrad	0:cdf462088d13	2428	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
markrad	0:cdf462088d13	2429	return( 0 );
markrad	0:cdf462088d13	2430	}
markrad	0:cdf462088d13	2431
markrad	0:cdf462088d13	2432	while( ssl->out_left > 0 )
markrad	0:cdf462088d13	2433	{
markrad	0:cdf462088d13	2434	MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
markrad	0:cdf462088d13	2435	mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
markrad	0:cdf462088d13	2436
markrad	0:cdf462088d13	2437	buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) +
markrad	0:cdf462088d13	2438	ssl->out_msglen - ssl->out_left;
markrad	0:cdf462088d13	2439	ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
markrad	0:cdf462088d13	2440
markrad	0:cdf462088d13	2441	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
markrad	0:cdf462088d13	2442
markrad	0:cdf462088d13	2443	if( ret <= 0 )
markrad	0:cdf462088d13	2444	return( ret );
markrad	0:cdf462088d13	2445
markrad	0:cdf462088d13	2446	ssl->out_left -= ret;
markrad	0:cdf462088d13	2447	}
markrad	0:cdf462088d13	2448
markrad	0:cdf462088d13	2449	for( i = 8; i > ssl_ep_len( ssl ); i-- )
markrad	0:cdf462088d13	2450	if( ++ssl->out_ctr[i - 1] != 0 )
markrad	0:cdf462088d13	2451	break;
markrad	0:cdf462088d13	2452
markrad	0:cdf462088d13	2453	/* The loop goes to its end iff the counter is wrapping */
markrad	0:cdf462088d13	2454	if( i == ssl_ep_len( ssl ) )
markrad	0:cdf462088d13	2455	{
markrad	0:cdf462088d13	2456	MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
markrad	0:cdf462088d13	2457	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
markrad	0:cdf462088d13	2458	}
markrad	0:cdf462088d13	2459
markrad	0:cdf462088d13	2460	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
markrad	0:cdf462088d13	2461
markrad	0:cdf462088d13	2462	return( 0 );
markrad	0:cdf462088d13	2463	}
markrad	0:cdf462088d13	2464
markrad	0:cdf462088d13	2465	/*
markrad	0:cdf462088d13	2466	* Functions to handle the DTLS retransmission state machine
markrad	0:cdf462088d13	2467	*/
markrad	0:cdf462088d13	2468	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	2469	/*
markrad	0:cdf462088d13	2470	* Append current handshake message to current outgoing flight
markrad	0:cdf462088d13	2471	*/
markrad	0:cdf462088d13	2472	static int ssl_flight_append( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2473	{
markrad	0:cdf462088d13	2474	mbedtls_ssl_flight_item *msg;
markrad	0:cdf462088d13	2475
markrad	0:cdf462088d13	2476	/* Allocate space for current message */
markrad	0:cdf462088d13	2477	if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
markrad	0:cdf462088d13	2478	{
markrad	0:cdf462088d13	2479	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
markrad	0:cdf462088d13	2480	sizeof( mbedtls_ssl_flight_item ) ) );
markrad	0:cdf462088d13	2481	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	2482	}
markrad	0:cdf462088d13	2483
markrad	0:cdf462088d13	2484	if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
markrad	0:cdf462088d13	2485	{
markrad	0:cdf462088d13	2486	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
markrad	0:cdf462088d13	2487	mbedtls_free( msg );
markrad	0:cdf462088d13	2488	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	2489	}
markrad	0:cdf462088d13	2490
markrad	0:cdf462088d13	2491	/* Copy current handshake message with headers */
markrad	0:cdf462088d13	2492	memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
markrad	0:cdf462088d13	2493	msg->len = ssl->out_msglen;
markrad	0:cdf462088d13	2494	msg->type = ssl->out_msgtype;
markrad	0:cdf462088d13	2495	msg->next = NULL;
markrad	0:cdf462088d13	2496
markrad	0:cdf462088d13	2497	/* Append to the current flight */
markrad	0:cdf462088d13	2498	if( ssl->handshake->flight == NULL )
markrad	0:cdf462088d13	2499	ssl->handshake->flight = msg;
markrad	0:cdf462088d13	2500	else
markrad	0:cdf462088d13	2501	{
markrad	0:cdf462088d13	2502	mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
markrad	0:cdf462088d13	2503	while( cur->next != NULL )
markrad	0:cdf462088d13	2504	cur = cur->next;
markrad	0:cdf462088d13	2505	cur->next = msg;
markrad	0:cdf462088d13	2506	}
markrad	0:cdf462088d13	2507
markrad	0:cdf462088d13	2508	return( 0 );
markrad	0:cdf462088d13	2509	}
markrad	0:cdf462088d13	2510
markrad	0:cdf462088d13	2511	/*
markrad	0:cdf462088d13	2512	* Free the current flight of handshake messages
markrad	0:cdf462088d13	2513	*/
markrad	0:cdf462088d13	2514	static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
markrad	0:cdf462088d13	2515	{
markrad	0:cdf462088d13	2516	mbedtls_ssl_flight_item *cur = flight;
markrad	0:cdf462088d13	2517	mbedtls_ssl_flight_item *next;
markrad	0:cdf462088d13	2518
markrad	0:cdf462088d13	2519	while( cur != NULL )
markrad	0:cdf462088d13	2520	{
markrad	0:cdf462088d13	2521	next = cur->next;
markrad	0:cdf462088d13	2522
markrad	0:cdf462088d13	2523	mbedtls_free( cur->p );
markrad	0:cdf462088d13	2524	mbedtls_free( cur );
markrad	0:cdf462088d13	2525
markrad	0:cdf462088d13	2526	cur = next;
markrad	0:cdf462088d13	2527	}
markrad	0:cdf462088d13	2528	}
markrad	0:cdf462088d13	2529
markrad	0:cdf462088d13	2530	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	2531	static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
markrad	0:cdf462088d13	2532	#endif
markrad	0:cdf462088d13	2533
markrad	0:cdf462088d13	2534	/*
markrad	0:cdf462088d13	2535	* Swap transform_out and out_ctr with the alternative ones
markrad	0:cdf462088d13	2536	*/
markrad	0:cdf462088d13	2537	static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2538	{
markrad	0:cdf462088d13	2539	mbedtls_ssl_transform *tmp_transform;
markrad	0:cdf462088d13	2540	unsigned char tmp_out_ctr[8];
markrad	0:cdf462088d13	2541
markrad	0:cdf462088d13	2542	if( ssl->transform_out == ssl->handshake->alt_transform_out )
markrad	0:cdf462088d13	2543	{
markrad	0:cdf462088d13	2544	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
markrad	0:cdf462088d13	2545	return;
markrad	0:cdf462088d13	2546	}
markrad	0:cdf462088d13	2547
markrad	0:cdf462088d13	2548	MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
markrad	0:cdf462088d13	2549
markrad	0:cdf462088d13	2550	/* Swap transforms */
markrad	0:cdf462088d13	2551	tmp_transform = ssl->transform_out;
markrad	0:cdf462088d13	2552	ssl->transform_out = ssl->handshake->alt_transform_out;
markrad	0:cdf462088d13	2553	ssl->handshake->alt_transform_out = tmp_transform;
markrad	0:cdf462088d13	2554
markrad	0:cdf462088d13	2555	/* Swap epoch + sequence_number */
markrad	0:cdf462088d13	2556	memcpy( tmp_out_ctr, ssl->out_ctr, 8 );
markrad	0:cdf462088d13	2557	memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 );
markrad	0:cdf462088d13	2558	memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
markrad	0:cdf462088d13	2559
markrad	0:cdf462088d13	2560	/* Adjust to the newly activated transform */
markrad	0:cdf462088d13	2561	if( ssl->transform_out != NULL &&
markrad	0:cdf462088d13	2562	ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	2563	{
markrad	0:cdf462088d13	2564	ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen -
markrad	0:cdf462088d13	2565	ssl->transform_out->fixed_ivlen;
markrad	0:cdf462088d13	2566	}
markrad	0:cdf462088d13	2567	else
markrad	0:cdf462088d13	2568	ssl->out_msg = ssl->out_iv;
markrad	0:cdf462088d13	2569
markrad	0:cdf462088d13	2570	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	2571	if( mbedtls_ssl_hw_record_activate != NULL )
markrad	0:cdf462088d13	2572	{
markrad	0:cdf462088d13	2573	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
markrad	0:cdf462088d13	2574	{
markrad	0:cdf462088d13	2575	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
markrad	0:cdf462088d13	2576	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
markrad	0:cdf462088d13	2577	}
markrad	0:cdf462088d13	2578	}
markrad	0:cdf462088d13	2579	#endif
markrad	0:cdf462088d13	2580	}
markrad	0:cdf462088d13	2581
markrad	0:cdf462088d13	2582	/*
markrad	0:cdf462088d13	2583	* Retransmit the current flight of messages.
markrad	0:cdf462088d13	2584	*
markrad	0:cdf462088d13	2585	* Need to remember the current message in case flush_output returns
markrad	0:cdf462088d13	2586	* WANT_WRITE, causing us to exit this function and come back later.
markrad	0:cdf462088d13	2587	* This function must be called until state is no longer SENDING.
markrad	0:cdf462088d13	2588	*/
markrad	0:cdf462088d13	2589	int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2590	{
markrad	0:cdf462088d13	2591	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
markrad	0:cdf462088d13	2592
markrad	0:cdf462088d13	2593	if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
markrad	0:cdf462088d13	2594	{
markrad	0:cdf462088d13	2595	MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) );
markrad	0:cdf462088d13	2596
markrad	0:cdf462088d13	2597	ssl->handshake->cur_msg = ssl->handshake->flight;
markrad	0:cdf462088d13	2598	ssl_swap_epochs( ssl );
markrad	0:cdf462088d13	2599
markrad	0:cdf462088d13	2600	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
markrad	0:cdf462088d13	2601	}
markrad	0:cdf462088d13	2602
markrad	0:cdf462088d13	2603	while( ssl->handshake->cur_msg != NULL )
markrad	0:cdf462088d13	2604	{
markrad	0:cdf462088d13	2605	int ret;
markrad	0:cdf462088d13	2606	mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg;
markrad	0:cdf462088d13	2607
markrad	0:cdf462088d13	2608	/* Swap epochs before sending Finished: we can't do it after
markrad	0:cdf462088d13	2609	* sending ChangeCipherSpec, in case write returns WANT_READ.
markrad	0:cdf462088d13	2610	* Must be done before copying, may change out_msg pointer */
markrad	0:cdf462088d13	2611	if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
markrad	0:cdf462088d13	2612	cur->p[0] == MBEDTLS_SSL_HS_FINISHED )
markrad	0:cdf462088d13	2613	{
markrad	0:cdf462088d13	2614	ssl_swap_epochs( ssl );
markrad	0:cdf462088d13	2615	}
markrad	0:cdf462088d13	2616
markrad	0:cdf462088d13	2617	memcpy( ssl->out_msg, cur->p, cur->len );
markrad	0:cdf462088d13	2618	ssl->out_msglen = cur->len;
markrad	0:cdf462088d13	2619	ssl->out_msgtype = cur->type;
markrad	0:cdf462088d13	2620
markrad	0:cdf462088d13	2621	ssl->handshake->cur_msg = cur->next;
markrad	0:cdf462088d13	2622
markrad	0:cdf462088d13	2623	MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 );
markrad	0:cdf462088d13	2624
markrad	0:cdf462088d13	2625	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	2626	{
markrad	0:cdf462088d13	2627	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	2628	return( ret );
markrad	0:cdf462088d13	2629	}
markrad	0:cdf462088d13	2630	}
markrad	0:cdf462088d13	2631
markrad	0:cdf462088d13	2632	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	2633	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
markrad	0:cdf462088d13	2634	else
markrad	0:cdf462088d13	2635	{
markrad	0:cdf462088d13	2636	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
markrad	0:cdf462088d13	2637	ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
markrad	0:cdf462088d13	2638	}
markrad	0:cdf462088d13	2639
markrad	0:cdf462088d13	2640	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
markrad	0:cdf462088d13	2641
markrad	0:cdf462088d13	2642	return( 0 );
markrad	0:cdf462088d13	2643	}
markrad	0:cdf462088d13	2644
markrad	0:cdf462088d13	2645	/*
markrad	0:cdf462088d13	2646	* To be called when the last message of an incoming flight is received.
markrad	0:cdf462088d13	2647	*/
markrad	0:cdf462088d13	2648	void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2649	{
markrad	0:cdf462088d13	2650	/* We won't need to resend that one any more */
markrad	0:cdf462088d13	2651	ssl_flight_free( ssl->handshake->flight );
markrad	0:cdf462088d13	2652	ssl->handshake->flight = NULL;
markrad	0:cdf462088d13	2653	ssl->handshake->cur_msg = NULL;
markrad	0:cdf462088d13	2654
markrad	0:cdf462088d13	2655	/* The next incoming flight will start with this msg_seq */
markrad	0:cdf462088d13	2656	ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
markrad	0:cdf462088d13	2657
markrad	0:cdf462088d13	2658	/* Cancel timer */
markrad	0:cdf462088d13	2659	ssl_set_timer( ssl, 0 );
markrad	0:cdf462088d13	2660
markrad	0:cdf462088d13	2661	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
markrad	0:cdf462088d13	2662	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
markrad	0:cdf462088d13	2663	{
markrad	0:cdf462088d13	2664	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
markrad	0:cdf462088d13	2665	}
markrad	0:cdf462088d13	2666	else
markrad	0:cdf462088d13	2667	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
markrad	0:cdf462088d13	2668	}
markrad	0:cdf462088d13	2669
markrad	0:cdf462088d13	2670	/*
markrad	0:cdf462088d13	2671	* To be called when the last message of an outgoing flight is send.
markrad	0:cdf462088d13	2672	*/
markrad	0:cdf462088d13	2673	void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2674	{
markrad	0:cdf462088d13	2675	ssl_reset_retransmit_timeout( ssl );
markrad	0:cdf462088d13	2676	ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
markrad	0:cdf462088d13	2677
markrad	0:cdf462088d13	2678	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
markrad	0:cdf462088d13	2679	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
markrad	0:cdf462088d13	2680	{
markrad	0:cdf462088d13	2681	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
markrad	0:cdf462088d13	2682	}
markrad	0:cdf462088d13	2683	else
markrad	0:cdf462088d13	2684	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
markrad	0:cdf462088d13	2685	}
markrad	0:cdf462088d13	2686	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	2687
markrad	0:cdf462088d13	2688	/*
markrad	0:cdf462088d13	2689	* Record layer functions
markrad	0:cdf462088d13	2690	*/
markrad	0:cdf462088d13	2691
markrad	0:cdf462088d13	2692	/*
markrad	0:cdf462088d13	2693	* Write current record.
markrad	0:cdf462088d13	2694	* Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg.
markrad	0:cdf462088d13	2695	*/
markrad	0:cdf462088d13	2696	int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2697	{
markrad	0:cdf462088d13	2698	int ret, done = 0, out_msg_type;
markrad	0:cdf462088d13	2699	size_t len = ssl->out_msglen;
markrad	0:cdf462088d13	2700
markrad	0:cdf462088d13	2701	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
markrad	0:cdf462088d13	2702
markrad	0:cdf462088d13	2703	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	2704	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	2705	ssl->handshake != NULL &&
markrad	0:cdf462088d13	2706	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
markrad	0:cdf462088d13	2707	{
markrad	0:cdf462088d13	2708	; /* Skip special handshake treatment when resending */
markrad	0:cdf462088d13	2709	}
markrad	0:cdf462088d13	2710	else
markrad	0:cdf462088d13	2711	#endif
markrad	0:cdf462088d13	2712	if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
markrad	0:cdf462088d13	2713	{
markrad	0:cdf462088d13	2714	out_msg_type = ssl->out_msg[0];
markrad	0:cdf462088d13	2715
markrad	0:cdf462088d13	2716	if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST &&
markrad	0:cdf462088d13	2717	ssl->handshake == NULL )
markrad	0:cdf462088d13	2718	{
markrad	0:cdf462088d13	2719	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	2720	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	2721	}
markrad	0:cdf462088d13	2722
markrad	0:cdf462088d13	2723	ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
markrad	0:cdf462088d13	2724	ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
markrad	0:cdf462088d13	2725	ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
markrad	0:cdf462088d13	2726
markrad	0:cdf462088d13	2727	/*
markrad	0:cdf462088d13	2728	* DTLS has additional fields in the Handshake layer,
markrad	0:cdf462088d13	2729	* between the length field and the actual payload:
markrad	0:cdf462088d13	2730	* uint16 message_seq;
markrad	0:cdf462088d13	2731	* uint24 fragment_offset;
markrad	0:cdf462088d13	2732	* uint24 fragment_length;
markrad	0:cdf462088d13	2733	*/
markrad	0:cdf462088d13	2734	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	2735	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	2736	{
markrad	0:cdf462088d13	2737	/* Make room for the additional DTLS fields */
markrad	0:cdf462088d13	2738	memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
markrad	0:cdf462088d13	2739	ssl->out_msglen += 8;
markrad	0:cdf462088d13	2740	len += 8;
markrad	0:cdf462088d13	2741
markrad	0:cdf462088d13	2742	/* Write message_seq and update it, except for HelloRequest */
markrad	0:cdf462088d13	2743	if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
markrad	0:cdf462088d13	2744	{
markrad	0:cdf462088d13	2745	ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
markrad	0:cdf462088d13	2746	ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
markrad	0:cdf462088d13	2747	++( ssl->handshake->out_msg_seq );
markrad	0:cdf462088d13	2748	}
markrad	0:cdf462088d13	2749	else
markrad	0:cdf462088d13	2750	{
markrad	0:cdf462088d13	2751	ssl->out_msg[4] = 0;
markrad	0:cdf462088d13	2752	ssl->out_msg[5] = 0;
markrad	0:cdf462088d13	2753	}
markrad	0:cdf462088d13	2754
markrad	0:cdf462088d13	2755	/* We don't fragment, so frag_offset = 0 and frag_len = len */
markrad	0:cdf462088d13	2756	memset( ssl->out_msg + 6, 0x00, 3 );
markrad	0:cdf462088d13	2757	memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
markrad	0:cdf462088d13	2758	}
markrad	0:cdf462088d13	2759	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	2760
markrad	0:cdf462088d13	2761	if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
markrad	0:cdf462088d13	2762	ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
markrad	0:cdf462088d13	2763	}
markrad	0:cdf462088d13	2764
markrad	0:cdf462088d13	2765	/* Save handshake and CCS messages for resending */
markrad	0:cdf462088d13	2766	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	2767	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	2768	ssl->handshake != NULL &&
markrad	0:cdf462088d13	2769	ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING &&
markrad	0:cdf462088d13	2770	( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC \|\|
markrad	0:cdf462088d13	2771	ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) )
markrad	0:cdf462088d13	2772	{
markrad	0:cdf462088d13	2773	if( ( ret = ssl_flight_append( ssl ) ) != 0 )
markrad	0:cdf462088d13	2774	{
markrad	0:cdf462088d13	2775	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
markrad	0:cdf462088d13	2776	return( ret );
markrad	0:cdf462088d13	2777	}
markrad	0:cdf462088d13	2778	}
markrad	0:cdf462088d13	2779	#endif
markrad	0:cdf462088d13	2780
markrad	0:cdf462088d13	2781	#if defined(MBEDTLS_ZLIB_SUPPORT)
markrad	0:cdf462088d13	2782	if( ssl->transform_out != NULL &&
markrad	0:cdf462088d13	2783	ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
markrad	0:cdf462088d13	2784	{
markrad	0:cdf462088d13	2785	if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
markrad	0:cdf462088d13	2786	{
markrad	0:cdf462088d13	2787	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
markrad	0:cdf462088d13	2788	return( ret );
markrad	0:cdf462088d13	2789	}
markrad	0:cdf462088d13	2790
markrad	0:cdf462088d13	2791	len = ssl->out_msglen;
markrad	0:cdf462088d13	2792	}
markrad	0:cdf462088d13	2793	#endif /MBEDTLS_ZLIB_SUPPORT /
markrad	0:cdf462088d13	2794
markrad	0:cdf462088d13	2795	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	2796	if( mbedtls_ssl_hw_record_write != NULL )
markrad	0:cdf462088d13	2797	{
markrad	0:cdf462088d13	2798	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
markrad	0:cdf462088d13	2799
markrad	0:cdf462088d13	2800	ret = mbedtls_ssl_hw_record_write( ssl );
markrad	0:cdf462088d13	2801	if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
markrad	0:cdf462088d13	2802	{
markrad	0:cdf462088d13	2803	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
markrad	0:cdf462088d13	2804	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
markrad	0:cdf462088d13	2805	}
markrad	0:cdf462088d13	2806
markrad	0:cdf462088d13	2807	if( ret == 0 )
markrad	0:cdf462088d13	2808	done = 1;
markrad	0:cdf462088d13	2809	}
markrad	0:cdf462088d13	2810	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
markrad	0:cdf462088d13	2811	if( !done )
markrad	0:cdf462088d13	2812	{
markrad	0:cdf462088d13	2813	ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
markrad	0:cdf462088d13	2814	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
markrad	0:cdf462088d13	2815	ssl->conf->transport, ssl->out_hdr + 1 );
markrad	0:cdf462088d13	2816
markrad	0:cdf462088d13	2817	ssl->out_len[0] = (unsigned char)( len >> 8 );
markrad	0:cdf462088d13	2818	ssl->out_len[1] = (unsigned char)( len );
markrad	0:cdf462088d13	2819
markrad	0:cdf462088d13	2820	if( ssl->transform_out != NULL )
markrad	0:cdf462088d13	2821	{
markrad	0:cdf462088d13	2822	if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
markrad	0:cdf462088d13	2823	{
markrad	0:cdf462088d13	2824	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
markrad	0:cdf462088d13	2825	return( ret );
markrad	0:cdf462088d13	2826	}
markrad	0:cdf462088d13	2827
markrad	0:cdf462088d13	2828	len = ssl->out_msglen;
markrad	0:cdf462088d13	2829	ssl->out_len[0] = (unsigned char)( len >> 8 );
markrad	0:cdf462088d13	2830	ssl->out_len[1] = (unsigned char)( len );
markrad	0:cdf462088d13	2831	}
markrad	0:cdf462088d13	2832
markrad	0:cdf462088d13	2833	ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen;
markrad	0:cdf462088d13	2834
markrad	0:cdf462088d13	2835	MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
markrad	0:cdf462088d13	2836	"version = [%d:%d], msglen = %d",
markrad	0:cdf462088d13	2837	ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
markrad	0:cdf462088d13	2838	( ssl->out_len[0] << 8 ) \| ssl->out_len[1] ) );
markrad	0:cdf462088d13	2839
markrad	0:cdf462088d13	2840	MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
markrad	0:cdf462088d13	2841	ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen );
markrad	0:cdf462088d13	2842	}
markrad	0:cdf462088d13	2843
markrad	0:cdf462088d13	2844	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
markrad	0:cdf462088d13	2845	{
markrad	0:cdf462088d13	2846	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
markrad	0:cdf462088d13	2847	return( ret );
markrad	0:cdf462088d13	2848	}
markrad	0:cdf462088d13	2849
markrad	0:cdf462088d13	2850	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
markrad	0:cdf462088d13	2851
markrad	0:cdf462088d13	2852	return( 0 );
markrad	0:cdf462088d13	2853	}
markrad	0:cdf462088d13	2854
markrad	0:cdf462088d13	2855	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	2856	/*
markrad	0:cdf462088d13	2857	* Mark bits in bitmask (used for DTLS HS reassembly)
markrad	0:cdf462088d13	2858	*/
markrad	0:cdf462088d13	2859	static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
markrad	0:cdf462088d13	2860	{
markrad	0:cdf462088d13	2861	unsigned int start_bits, end_bits;
markrad	0:cdf462088d13	2862
markrad	0:cdf462088d13	2863	start_bits = 8 - ( offset % 8 );
markrad	0:cdf462088d13	2864	if( start_bits != 8 )
markrad	0:cdf462088d13	2865	{
markrad	0:cdf462088d13	2866	size_t first_byte_idx = offset / 8;
markrad	0:cdf462088d13	2867
markrad	0:cdf462088d13	2868	/* Special case */
markrad	0:cdf462088d13	2869	if( len <= start_bits )
markrad	0:cdf462088d13	2870	{
markrad	0:cdf462088d13	2871	for( ; len != 0; len-- )
markrad	0:cdf462088d13	2872	mask[first_byte_idx] \|= 1 << ( start_bits - len );
markrad	0:cdf462088d13	2873
markrad	0:cdf462088d13	2874	/* Avoid potential issues with offset or len becoming invalid */
markrad	0:cdf462088d13	2875	return;
markrad	0:cdf462088d13	2876	}
markrad	0:cdf462088d13	2877
markrad	0:cdf462088d13	2878	offset += start_bits; /* Now offset % 8 == 0 */
markrad	0:cdf462088d13	2879	len -= start_bits;
markrad	0:cdf462088d13	2880
markrad	0:cdf462088d13	2881	for( ; start_bits != 0; start_bits-- )
markrad	0:cdf462088d13	2882	mask[first_byte_idx] \|= 1 << ( start_bits - 1 );
markrad	0:cdf462088d13	2883	}
markrad	0:cdf462088d13	2884
markrad	0:cdf462088d13	2885	end_bits = len % 8;
markrad	0:cdf462088d13	2886	if( end_bits != 0 )
markrad	0:cdf462088d13	2887	{
markrad	0:cdf462088d13	2888	size_t last_byte_idx = ( offset + len ) / 8;
markrad	0:cdf462088d13	2889
markrad	0:cdf462088d13	2890	len -= end_bits; /* Now len % 8 == 0 */
markrad	0:cdf462088d13	2891
markrad	0:cdf462088d13	2892	for( ; end_bits != 0; end_bits-- )
markrad	0:cdf462088d13	2893	mask[last_byte_idx] \|= 1 << ( 8 - end_bits );
markrad	0:cdf462088d13	2894	}
markrad	0:cdf462088d13	2895
markrad	0:cdf462088d13	2896	memset( mask + offset / 8, 0xFF, len / 8 );
markrad	0:cdf462088d13	2897	}
markrad	0:cdf462088d13	2898
markrad	0:cdf462088d13	2899	/*
markrad	0:cdf462088d13	2900	* Check that bitmask is full
markrad	0:cdf462088d13	2901	*/
markrad	0:cdf462088d13	2902	static int ssl_bitmask_check( unsigned char *mask, size_t len )
markrad	0:cdf462088d13	2903	{
markrad	0:cdf462088d13	2904	size_t i;
markrad	0:cdf462088d13	2905
markrad	0:cdf462088d13	2906	for( i = 0; i < len / 8; i++ )
markrad	0:cdf462088d13	2907	if( mask[i] != 0xFF )
markrad	0:cdf462088d13	2908	return( -1 );
markrad	0:cdf462088d13	2909
markrad	0:cdf462088d13	2910	for( i = 0; i < len % 8; i++ )
markrad	0:cdf462088d13	2911	if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
markrad	0:cdf462088d13	2912	return( -1 );
markrad	0:cdf462088d13	2913
markrad	0:cdf462088d13	2914	return( 0 );
markrad	0:cdf462088d13	2915	}
markrad	0:cdf462088d13	2916
markrad	0:cdf462088d13	2917	/*
markrad	0:cdf462088d13	2918	* Reassemble fragmented DTLS handshake messages.
markrad	0:cdf462088d13	2919	*
markrad	0:cdf462088d13	2920	* Use a temporary buffer for reassembly, divided in two parts:
markrad	0:cdf462088d13	2921	* - the first holds the reassembled message (including handshake header),
markrad	0:cdf462088d13	2922	* - the second holds a bitmask indicating which parts of the message
markrad	0:cdf462088d13	2923	* (excluding headers) have been received so far.
markrad	0:cdf462088d13	2924	*/
markrad	0:cdf462088d13	2925	static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2926	{
markrad	0:cdf462088d13	2927	unsigned char msg, bitmask;
markrad	0:cdf462088d13	2928	size_t frag_len, frag_off;
markrad	0:cdf462088d13	2929	size_t msg_len = ssl->in_hslen - 12; /* Without headers */
markrad	0:cdf462088d13	2930
markrad	0:cdf462088d13	2931	if( ssl->handshake == NULL )
markrad	0:cdf462088d13	2932	{
markrad	0:cdf462088d13	2933	MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) );
markrad	0:cdf462088d13	2934	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad	0:cdf462088d13	2935	}
markrad	0:cdf462088d13	2936
markrad	0:cdf462088d13	2937	/*
markrad	0:cdf462088d13	2938	* For first fragment, check size and allocate buffer
markrad	0:cdf462088d13	2939	*/
markrad	0:cdf462088d13	2940	if( ssl->handshake->hs_msg == NULL )
markrad	0:cdf462088d13	2941	{
markrad	0:cdf462088d13	2942	size_t alloc_len;
markrad	0:cdf462088d13	2943
markrad	0:cdf462088d13	2944	MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
markrad	0:cdf462088d13	2945	msg_len ) );
markrad	0:cdf462088d13	2946
markrad	0:cdf462088d13	2947	if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
markrad	0:cdf462088d13	2948	{
markrad	0:cdf462088d13	2949	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
markrad	0:cdf462088d13	2950	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad	0:cdf462088d13	2951	}
markrad	0:cdf462088d13	2952
markrad	0:cdf462088d13	2953	/* The bitmask needs one bit per byte of message excluding header */
markrad	0:cdf462088d13	2954	alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 );
markrad	0:cdf462088d13	2955
markrad	0:cdf462088d13	2956	ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len );
markrad	0:cdf462088d13	2957	if( ssl->handshake->hs_msg == NULL )
markrad	0:cdf462088d13	2958	{
markrad	0:cdf462088d13	2959	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) );
markrad	0:cdf462088d13	2960	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	2961	}
markrad	0:cdf462088d13	2962
markrad	0:cdf462088d13	2963	/* Prepare final header: copy msg_type, length and message_seq,
markrad	0:cdf462088d13	2964	* then add standardised fragment_offset and fragment_length */
markrad	0:cdf462088d13	2965	memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 );
markrad	0:cdf462088d13	2966	memset( ssl->handshake->hs_msg + 6, 0, 3 );
markrad	0:cdf462088d13	2967	memcpy( ssl->handshake->hs_msg + 9,
markrad	0:cdf462088d13	2968	ssl->handshake->hs_msg + 1, 3 );
markrad	0:cdf462088d13	2969	}
markrad	0:cdf462088d13	2970	else
markrad	0:cdf462088d13	2971	{
markrad	0:cdf462088d13	2972	/* Make sure msg_type and length are consistent */
markrad	0:cdf462088d13	2973	if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 )
markrad	0:cdf462088d13	2974	{
markrad	0:cdf462088d13	2975	MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) );
markrad	0:cdf462088d13	2976	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	2977	}
markrad	0:cdf462088d13	2978	}
markrad	0:cdf462088d13	2979
markrad	0:cdf462088d13	2980	msg = ssl->handshake->hs_msg + 12;
markrad	0:cdf462088d13	2981	bitmask = msg + msg_len;
markrad	0:cdf462088d13	2982
markrad	0:cdf462088d13	2983	/*
markrad	0:cdf462088d13	2984	* Check and copy current fragment
markrad	0:cdf462088d13	2985	*/
markrad	0:cdf462088d13	2986	frag_off = ( ssl->in_msg[6] << 16 ) \|
markrad	0:cdf462088d13	2987	( ssl->in_msg[7] << 8 ) \|
markrad	0:cdf462088d13	2988	ssl->in_msg[8];
markrad	0:cdf462088d13	2989	frag_len = ( ssl->in_msg[9] << 16 ) \|
markrad	0:cdf462088d13	2990	( ssl->in_msg[10] << 8 ) \|
markrad	0:cdf462088d13	2991	ssl->in_msg[11];
markrad	0:cdf462088d13	2992
markrad	0:cdf462088d13	2993	if( frag_off + frag_len > msg_len )
markrad	0:cdf462088d13	2994	{
markrad	0:cdf462088d13	2995	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d",
markrad	0:cdf462088d13	2996	frag_off, frag_len, msg_len ) );
markrad	0:cdf462088d13	2997	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	2998	}
markrad	0:cdf462088d13	2999
markrad	0:cdf462088d13	3000	if( frag_len + 12 > ssl->in_msglen )
markrad	0:cdf462088d13	3001	{
markrad	0:cdf462088d13	3002	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d",
markrad	0:cdf462088d13	3003	frag_len, ssl->in_msglen ) );
markrad	0:cdf462088d13	3004	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3005	}
markrad	0:cdf462088d13	3006
markrad	0:cdf462088d13	3007	MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
markrad	0:cdf462088d13	3008	frag_off, frag_len ) );
markrad	0:cdf462088d13	3009
markrad	0:cdf462088d13	3010	memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
markrad	0:cdf462088d13	3011	ssl_bitmask_set( bitmask, frag_off, frag_len );
markrad	0:cdf462088d13	3012
markrad	0:cdf462088d13	3013	/*
markrad	0:cdf462088d13	3014	* Do we have the complete message by now?
markrad	0:cdf462088d13	3015	* If yes, finalize it, else ask to read the next record.
markrad	0:cdf462088d13	3016	*/
markrad	0:cdf462088d13	3017	if( ssl_bitmask_check( bitmask, msg_len ) != 0 )
markrad	0:cdf462088d13	3018	{
markrad	0:cdf462088d13	3019	MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) );
markrad	0:cdf462088d13	3020	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	3021	}
markrad	0:cdf462088d13	3022
markrad	0:cdf462088d13	3023	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) );
markrad	0:cdf462088d13	3024
markrad	0:cdf462088d13	3025	if( frag_len + 12 < ssl->in_msglen )
markrad	0:cdf462088d13	3026	{
markrad	0:cdf462088d13	3027	/*
markrad	0:cdf462088d13	3028	* We'got more handshake messages in the same record.
markrad	0:cdf462088d13	3029	* This case is not handled now because no know implementation does
markrad	0:cdf462088d13	3030	* that and it's hard to test, so we prefer to fail cleanly for now.
markrad	0:cdf462088d13	3031	*/
markrad	0:cdf462088d13	3032	MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) );
markrad	0:cdf462088d13	3033	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad	0:cdf462088d13	3034	}
markrad	0:cdf462088d13	3035
markrad	0:cdf462088d13	3036	if( ssl->in_left > ssl->next_record_offset )
markrad	0:cdf462088d13	3037	{
markrad	0:cdf462088d13	3038	/*
markrad	0:cdf462088d13	3039	* We've got more data in the buffer after the current record,
markrad	0:cdf462088d13	3040	* that we don't want to overwrite. Move it before writing the
markrad	0:cdf462088d13	3041	* reassembled message, and adjust in_left and next_record_offset.
markrad	0:cdf462088d13	3042	*/
markrad	0:cdf462088d13	3043	unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset;
markrad	0:cdf462088d13	3044	unsigned char *new_remain = ssl->in_msg + ssl->in_hslen;
markrad	0:cdf462088d13	3045	size_t remain_len = ssl->in_left - ssl->next_record_offset;
markrad	0:cdf462088d13	3046
markrad	0:cdf462088d13	3047	/* First compute and check new lengths */
markrad	0:cdf462088d13	3048	ssl->next_record_offset = new_remain - ssl->in_hdr;
markrad	0:cdf462088d13	3049	ssl->in_left = ssl->next_record_offset + remain_len;
markrad	0:cdf462088d13	3050
markrad	0:cdf462088d13	3051	if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
markrad	0:cdf462088d13	3052	(size_t)( ssl->in_hdr - ssl->in_buf ) )
markrad	0:cdf462088d13	3053	{
markrad	0:cdf462088d13	3054	MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
markrad	0:cdf462088d13	3055	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
markrad	0:cdf462088d13	3056	}
markrad	0:cdf462088d13	3057
markrad	0:cdf462088d13	3058	memmove( new_remain, cur_remain, remain_len );
markrad	0:cdf462088d13	3059	}
markrad	0:cdf462088d13	3060
markrad	0:cdf462088d13	3061	memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen );
markrad	0:cdf462088d13	3062
markrad	0:cdf462088d13	3063	mbedtls_free( ssl->handshake->hs_msg );
markrad	0:cdf462088d13	3064	ssl->handshake->hs_msg = NULL;
markrad	0:cdf462088d13	3065
markrad	0:cdf462088d13	3066	MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message",
markrad	0:cdf462088d13	3067	ssl->in_msg, ssl->in_hslen );
markrad	0:cdf462088d13	3068
markrad	0:cdf462088d13	3069	return( 0 );
markrad	0:cdf462088d13	3070	}
markrad	0:cdf462088d13	3071	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	3072
markrad	0:cdf462088d13	3073	int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3074	{
markrad	0:cdf462088d13	3075	if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
markrad	0:cdf462088d13	3076	{
markrad	0:cdf462088d13	3077	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
markrad	0:cdf462088d13	3078	ssl->in_msglen ) );
markrad	0:cdf462088d13	3079	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3080	}
markrad	0:cdf462088d13	3081
markrad	0:cdf462088d13	3082	ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + (
markrad	0:cdf462088d13	3083	( ssl->in_msg[1] << 16 ) \|
markrad	0:cdf462088d13	3084	( ssl->in_msg[2] << 8 ) \|
markrad	0:cdf462088d13	3085	ssl->in_msg[3] );
markrad	0:cdf462088d13	3086
markrad	0:cdf462088d13	3087	MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
markrad	0:cdf462088d13	3088	" %d, type = %d, hslen = %d",
markrad	0:cdf462088d13	3089	ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
markrad	0:cdf462088d13	3090
markrad	0:cdf462088d13	3091	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3092	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	3093	{
markrad	0:cdf462088d13	3094	int ret;
markrad	0:cdf462088d13	3095	unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) \| ssl->in_msg[5];
markrad	0:cdf462088d13	3096
markrad	0:cdf462088d13	3097	/* ssl->handshake is NULL when receiving ClientHello for renego */
markrad	0:cdf462088d13	3098	if( ssl->handshake != NULL &&
markrad	0:cdf462088d13	3099	recv_msg_seq != ssl->handshake->in_msg_seq )
markrad	0:cdf462088d13	3100	{
markrad	0:cdf462088d13	3101	/* Retransmit only on last message from previous flight, to avoid
markrad	0:cdf462088d13	3102	* too many retransmissions.
markrad	0:cdf462088d13	3103	* Besides, No sane server ever retransmits HelloVerifyRequest */
markrad	0:cdf462088d13	3104	if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
markrad	0:cdf462088d13	3105	ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
markrad	0:cdf462088d13	3106	{
markrad	0:cdf462088d13	3107	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
markrad	0:cdf462088d13	3108	"message_seq = %d, start_of_flight = %d",
markrad	0:cdf462088d13	3109	recv_msg_seq,
markrad	0:cdf462088d13	3110	ssl->handshake->in_flight_start_seq ) );
markrad	0:cdf462088d13	3111
markrad	0:cdf462088d13	3112	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
markrad	0:cdf462088d13	3113	{
markrad	0:cdf462088d13	3114	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
markrad	0:cdf462088d13	3115	return( ret );
markrad	0:cdf462088d13	3116	}
markrad	0:cdf462088d13	3117	}
markrad	0:cdf462088d13	3118	else
markrad	0:cdf462088d13	3119	{
markrad	0:cdf462088d13	3120	MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
markrad	0:cdf462088d13	3121	"message_seq = %d, expected = %d",
markrad	0:cdf462088d13	3122	recv_msg_seq,
markrad	0:cdf462088d13	3123	ssl->handshake->in_msg_seq ) );
markrad	0:cdf462088d13	3124	}
markrad	0:cdf462088d13	3125
markrad	0:cdf462088d13	3126	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	3127	}
markrad	0:cdf462088d13	3128	/* Wait until message completion to increment in_msg_seq */
markrad	0:cdf462088d13	3129
markrad	0:cdf462088d13	3130	/* Reassemble if current message is fragmented or reassembly is
markrad	0:cdf462088d13	3131	* already in progress */
markrad	0:cdf462088d13	3132	if( ssl->in_msglen < ssl->in_hslen \|\|
markrad	0:cdf462088d13	3133	memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 \|\|
markrad	0:cdf462088d13	3134	memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 \|\|
markrad	0:cdf462088d13	3135	( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) )
markrad	0:cdf462088d13	3136	{
markrad	0:cdf462088d13	3137	MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
markrad	0:cdf462088d13	3138
markrad	0:cdf462088d13	3139	if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 )
markrad	0:cdf462088d13	3140	{
markrad	0:cdf462088d13	3141	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret );
markrad	0:cdf462088d13	3142	return( ret );
markrad	0:cdf462088d13	3143	}
markrad	0:cdf462088d13	3144	}
markrad	0:cdf462088d13	3145	}
markrad	0:cdf462088d13	3146	else
markrad	0:cdf462088d13	3147	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	3148	/* With TLS we don't handle fragmentation (for now) */
markrad	0:cdf462088d13	3149	if( ssl->in_msglen < ssl->in_hslen )
markrad	0:cdf462088d13	3150	{
markrad	0:cdf462088d13	3151	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
markrad	0:cdf462088d13	3152	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad	0:cdf462088d13	3153	}
markrad	0:cdf462088d13	3154
markrad	0:cdf462088d13	3155	return( 0 );
markrad	0:cdf462088d13	3156	}
markrad	0:cdf462088d13	3157
markrad	0:cdf462088d13	3158	void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3159	{
markrad	0:cdf462088d13	3160
markrad	0:cdf462088d13	3161	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
markrad	0:cdf462088d13	3162	ssl->handshake != NULL )
markrad	0:cdf462088d13	3163	{
markrad	0:cdf462088d13	3164	ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
markrad	0:cdf462088d13	3165	}
markrad	0:cdf462088d13	3166
markrad	0:cdf462088d13	3167	/* Handshake message is complete, increment counter */
markrad	0:cdf462088d13	3168	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3169	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	3170	ssl->handshake != NULL )
markrad	0:cdf462088d13	3171	{
markrad	0:cdf462088d13	3172	ssl->handshake->in_msg_seq++;
markrad	0:cdf462088d13	3173	}
markrad	0:cdf462088d13	3174	#endif
markrad	0:cdf462088d13	3175	}
markrad	0:cdf462088d13	3176
markrad	0:cdf462088d13	3177	/*
markrad	0:cdf462088d13	3178	* DTLS anti-replay: RFC 6347 4.1.2.6
markrad	0:cdf462088d13	3179	*
markrad	0:cdf462088d13	3180	* in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
markrad	0:cdf462088d13	3181	* Bit n is set iff record number in_window_top - n has been seen.
markrad	0:cdf462088d13	3182	*
markrad	0:cdf462088d13	3183	* Usually, in_window_top is the last record number seen and the lsb of
markrad	0:cdf462088d13	3184	* in_window is set. The only exception is the initial state (record number 0
markrad	0:cdf462088d13	3185	* not seen yet).
markrad	0:cdf462088d13	3186	*/
markrad	0:cdf462088d13	3187	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	3188	static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3189	{
markrad	0:cdf462088d13	3190	ssl->in_window_top = 0;
markrad	0:cdf462088d13	3191	ssl->in_window = 0;
markrad	0:cdf462088d13	3192	}
markrad	0:cdf462088d13	3193
markrad	0:cdf462088d13	3194	static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
markrad	0:cdf462088d13	3195	{
markrad	0:cdf462088d13	3196	return( ( (uint64_t) buf[0] << 40 ) \|
markrad	0:cdf462088d13	3197	( (uint64_t) buf[1] << 32 ) \|
markrad	0:cdf462088d13	3198	( (uint64_t) buf[2] << 24 ) \|
markrad	0:cdf462088d13	3199	( (uint64_t) buf[3] << 16 ) \|
markrad	0:cdf462088d13	3200	( (uint64_t) buf[4] << 8 ) \|
markrad	0:cdf462088d13	3201	( (uint64_t) buf[5] ) );
markrad	0:cdf462088d13	3202	}
markrad	0:cdf462088d13	3203
markrad	0:cdf462088d13	3204	/*
markrad	0:cdf462088d13	3205	* Return 0 if sequence number is acceptable, -1 otherwise
markrad	0:cdf462088d13	3206	*/
markrad	0:cdf462088d13	3207	int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3208	{
markrad	0:cdf462088d13	3209	uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
markrad	0:cdf462088d13	3210	uint64_t bit;
markrad	0:cdf462088d13	3211
markrad	0:cdf462088d13	3212	if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
markrad	0:cdf462088d13	3213	return( 0 );
markrad	0:cdf462088d13	3214
markrad	0:cdf462088d13	3215	if( rec_seqnum > ssl->in_window_top )
markrad	0:cdf462088d13	3216	return( 0 );
markrad	0:cdf462088d13	3217
markrad	0:cdf462088d13	3218	bit = ssl->in_window_top - rec_seqnum;
markrad	0:cdf462088d13	3219
markrad	0:cdf462088d13	3220	if( bit >= 64 )
markrad	0:cdf462088d13	3221	return( -1 );
markrad	0:cdf462088d13	3222
markrad	0:cdf462088d13	3223	if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
markrad	0:cdf462088d13	3224	return( -1 );
markrad	0:cdf462088d13	3225
markrad	0:cdf462088d13	3226	return( 0 );
markrad	0:cdf462088d13	3227	}
markrad	0:cdf462088d13	3228
markrad	0:cdf462088d13	3229	/*
markrad	0:cdf462088d13	3230	* Update replay window on new validated record
markrad	0:cdf462088d13	3231	*/
markrad	0:cdf462088d13	3232	void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3233	{
markrad	0:cdf462088d13	3234	uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
markrad	0:cdf462088d13	3235
markrad	0:cdf462088d13	3236	if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
markrad	0:cdf462088d13	3237	return;
markrad	0:cdf462088d13	3238
markrad	0:cdf462088d13	3239	if( rec_seqnum > ssl->in_window_top )
markrad	0:cdf462088d13	3240	{
markrad	0:cdf462088d13	3241	/* Update window_top and the contents of the window */
markrad	0:cdf462088d13	3242	uint64_t shift = rec_seqnum - ssl->in_window_top;
markrad	0:cdf462088d13	3243
markrad	0:cdf462088d13	3244	if( shift >= 64 )
markrad	0:cdf462088d13	3245	ssl->in_window = 1;
markrad	0:cdf462088d13	3246	else
markrad	0:cdf462088d13	3247	{
markrad	0:cdf462088d13	3248	ssl->in_window <<= shift;
markrad	0:cdf462088d13	3249	ssl->in_window \|= 1;
markrad	0:cdf462088d13	3250	}
markrad	0:cdf462088d13	3251
markrad	0:cdf462088d13	3252	ssl->in_window_top = rec_seqnum;
markrad	0:cdf462088d13	3253	}
markrad	0:cdf462088d13	3254	else
markrad	0:cdf462088d13	3255	{
markrad	0:cdf462088d13	3256	/* Mark that number as seen in the current window */
markrad	0:cdf462088d13	3257	uint64_t bit = ssl->in_window_top - rec_seqnum;
markrad	0:cdf462088d13	3258
markrad	0:cdf462088d13	3259	if( bit < 64 ) /* Always true, but be extra sure */
markrad	0:cdf462088d13	3260	ssl->in_window \|= (uint64_t) 1 << bit;
markrad	0:cdf462088d13	3261	}
markrad	0:cdf462088d13	3262	}
markrad	0:cdf462088d13	3263	#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
markrad	0:cdf462088d13	3264
markrad	0:cdf462088d13	3265	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	3266	/* Forward declaration */
markrad	0:cdf462088d13	3267	static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
markrad	0:cdf462088d13	3268
markrad	0:cdf462088d13	3269	/*
markrad	0:cdf462088d13	3270	* Without any SSL context, check if a datagram looks like a ClientHello with
markrad	0:cdf462088d13	3271	* a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
markrad	0:cdf462088d13	3272	* Both input and output include full DTLS headers.
markrad	0:cdf462088d13	3273	*
markrad	0:cdf462088d13	3274	* - if cookie is valid, return 0
markrad	0:cdf462088d13	3275	* - if ClientHello looks superficially valid but cookie is not,
markrad	0:cdf462088d13	3276	* fill obuf and set olen, then
markrad	0:cdf462088d13	3277	* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
markrad	0:cdf462088d13	3278	* - otherwise return a specific error code
markrad	0:cdf462088d13	3279	*/
markrad	0:cdf462088d13	3280	static int ssl_check_dtls_clihlo_cookie(
markrad	0:cdf462088d13	3281	mbedtls_ssl_cookie_write_t *f_cookie_write,
markrad	0:cdf462088d13	3282	mbedtls_ssl_cookie_check_t *f_cookie_check,
markrad	0:cdf462088d13	3283	void *p_cookie,
markrad	0:cdf462088d13	3284	const unsigned char *cli_id, size_t cli_id_len,
markrad	0:cdf462088d13	3285	const unsigned char *in, size_t in_len,
markrad	0:cdf462088d13	3286	unsigned char obuf, size_t buf_len, size_t olen )
markrad	0:cdf462088d13	3287	{
markrad	0:cdf462088d13	3288	size_t sid_len, cookie_len;
markrad	0:cdf462088d13	3289	unsigned char *p;
markrad	0:cdf462088d13	3290
markrad	0:cdf462088d13	3291	if( f_cookie_write == NULL \|\| f_cookie_check == NULL )
markrad	0:cdf462088d13	3292	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	3293
markrad	0:cdf462088d13	3294	/*
markrad	0:cdf462088d13	3295	* Structure of ClientHello with record and handshake headers,
markrad	0:cdf462088d13	3296	* and expected values. We don't need to check a lot, more checks will be
markrad	0:cdf462088d13	3297	* done when actually parsing the ClientHello - skipping those checks
markrad	0:cdf462088d13	3298	* avoids code duplication and does not make cookie forging any easier.
markrad	0:cdf462088d13	3299	*
markrad	0:cdf462088d13	3300	* 0-0 ContentType type; copied, must be handshake
markrad	0:cdf462088d13	3301	* 1-2 ProtocolVersion version; copied
markrad	0:cdf462088d13	3302	* 3-4 uint16 epoch; copied, must be 0
markrad	0:cdf462088d13	3303	* 5-10 uint48 sequence_number; copied
markrad	0:cdf462088d13	3304	* 11-12 uint16 length; (ignored)
markrad	0:cdf462088d13	3305	*
markrad	0:cdf462088d13	3306	* 13-13 HandshakeType msg_type; (ignored)
markrad	0:cdf462088d13	3307	* 14-16 uint24 length; (ignored)
markrad	0:cdf462088d13	3308	* 17-18 uint16 message_seq; copied
markrad	0:cdf462088d13	3309	* 19-21 uint24 fragment_offset; copied, must be 0
markrad	0:cdf462088d13	3310	* 22-24 uint24 fragment_length; (ignored)
markrad	0:cdf462088d13	3311	*
markrad	0:cdf462088d13	3312	* 25-26 ProtocolVersion client_version; (ignored)
markrad	0:cdf462088d13	3313	* 27-58 Random random; (ignored)
markrad	0:cdf462088d13	3314	* 59-xx SessionID session_id; 1 byte len + sid_len content
markrad	0:cdf462088d13	3315	* 60+ opaque cookie<0..2^8-1>; 1 byte len + content
markrad	0:cdf462088d13	3316	* ...
markrad	0:cdf462088d13	3317	*
markrad	0:cdf462088d13	3318	* Minimum length is 61 bytes.
markrad	0:cdf462088d13	3319	*/
markrad	0:cdf462088d13	3320	if( in_len < 61 \|\|
markrad	0:cdf462088d13	3321	in[0] != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
markrad	0:cdf462088d13	3322	in[3] != 0 \|\| in[4] != 0 \|\|
markrad	0:cdf462088d13	3323	in[19] != 0 \|\| in[20] != 0 \|\| in[21] != 0 )
markrad	0:cdf462088d13	3324	{
markrad	0:cdf462088d13	3325	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	3326	}
markrad	0:cdf462088d13	3327
markrad	0:cdf462088d13	3328	sid_len = in[59];
markrad	0:cdf462088d13	3329	if( sid_len > in_len - 61 )
markrad	0:cdf462088d13	3330	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	3331
markrad	0:cdf462088d13	3332	cookie_len = in[60 + sid_len];
markrad	0:cdf462088d13	3333	if( cookie_len > in_len - 60 )
markrad	0:cdf462088d13	3334	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	3335
markrad	0:cdf462088d13	3336	if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
markrad	0:cdf462088d13	3337	cli_id, cli_id_len ) == 0 )
markrad	0:cdf462088d13	3338	{
markrad	0:cdf462088d13	3339	/* Valid cookie */
markrad	0:cdf462088d13	3340	return( 0 );
markrad	0:cdf462088d13	3341	}
markrad	0:cdf462088d13	3342
markrad	0:cdf462088d13	3343	/*
markrad	0:cdf462088d13	3344	* If we get here, we've got an invalid cookie, let's prepare HVR.
markrad	0:cdf462088d13	3345	*
markrad	0:cdf462088d13	3346	* 0-0 ContentType type; copied
markrad	0:cdf462088d13	3347	* 1-2 ProtocolVersion version; copied
markrad	0:cdf462088d13	3348	* 3-4 uint16 epoch; copied
markrad	0:cdf462088d13	3349	* 5-10 uint48 sequence_number; copied
markrad	0:cdf462088d13	3350	* 11-12 uint16 length; olen - 13
markrad	0:cdf462088d13	3351	*
markrad	0:cdf462088d13	3352	* 13-13 HandshakeType msg_type; hello_verify_request
markrad	0:cdf462088d13	3353	* 14-16 uint24 length; olen - 25
markrad	0:cdf462088d13	3354	* 17-18 uint16 message_seq; copied
markrad	0:cdf462088d13	3355	* 19-21 uint24 fragment_offset; copied
markrad	0:cdf462088d13	3356	* 22-24 uint24 fragment_length; olen - 25
markrad	0:cdf462088d13	3357	*
markrad	0:cdf462088d13	3358	* 25-26 ProtocolVersion server_version; 0xfe 0xff
markrad	0:cdf462088d13	3359	* 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
markrad	0:cdf462088d13	3360	*
markrad	0:cdf462088d13	3361	* Minimum length is 28.
markrad	0:cdf462088d13	3362	*/
markrad	0:cdf462088d13	3363	if( buf_len < 28 )
markrad	0:cdf462088d13	3364	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
markrad	0:cdf462088d13	3365
markrad	0:cdf462088d13	3366	/* Copy most fields and adapt others */
markrad	0:cdf462088d13	3367	memcpy( obuf, in, 25 );
markrad	0:cdf462088d13	3368	obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
markrad	0:cdf462088d13	3369	obuf[25] = 0xfe;
markrad	0:cdf462088d13	3370	obuf[26] = 0xff;
markrad	0:cdf462088d13	3371
markrad	0:cdf462088d13	3372	/* Generate and write actual cookie */
markrad	0:cdf462088d13	3373	p = obuf + 28;
markrad	0:cdf462088d13	3374	if( f_cookie_write( p_cookie,
markrad	0:cdf462088d13	3375	&p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
markrad	0:cdf462088d13	3376	{
markrad	0:cdf462088d13	3377	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	3378	}
markrad	0:cdf462088d13	3379
markrad	0:cdf462088d13	3380	*olen = p - obuf;
markrad	0:cdf462088d13	3381
markrad	0:cdf462088d13	3382	/* Go back and fill length fields */
markrad	0:cdf462088d13	3383	obuf[27] = (unsigned char)( *olen - 28 );
markrad	0:cdf462088d13	3384
markrad	0:cdf462088d13	3385	obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
markrad	0:cdf462088d13	3386	obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
markrad	0:cdf462088d13	3387	obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
markrad	0:cdf462088d13	3388
markrad	0:cdf462088d13	3389	obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
markrad	0:cdf462088d13	3390	obuf[12] = (unsigned char)( ( *olen - 13 ) );
markrad	0:cdf462088d13	3391
markrad	0:cdf462088d13	3392	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
markrad	0:cdf462088d13	3393	}
markrad	0:cdf462088d13	3394
markrad	0:cdf462088d13	3395	/*
markrad	0:cdf462088d13	3396	* Handle possible client reconnect with the same UDP quadruplet
markrad	0:cdf462088d13	3397	* (RFC 6347 Section 4.2.8).
markrad	0:cdf462088d13	3398	*
markrad	0:cdf462088d13	3399	* Called by ssl_parse_record_header() in case we receive an epoch 0 record
markrad	0:cdf462088d13	3400	* that looks like a ClientHello.
markrad	0:cdf462088d13	3401	*
markrad	0:cdf462088d13	3402	* - if the input looks like a ClientHello without cookies,
markrad	0:cdf462088d13	3403	* send back HelloVerifyRequest, then
markrad	0:cdf462088d13	3404	* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
markrad	0:cdf462088d13	3405	* - if the input looks like a ClientHello with a valid cookie,
markrad	0:cdf462088d13	3406	* reset the session of the current context, and
markrad	0:cdf462088d13	3407	* return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
markrad	0:cdf462088d13	3408	* - if anything goes wrong, return a specific error code
markrad	0:cdf462088d13	3409	*
markrad	0:cdf462088d13	3410	* mbedtls_ssl_read_record() will ignore the record if anything else than
markrad	0:cdf462088d13	3411	* MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
markrad	0:cdf462088d13	3412	* cannot not return 0.
markrad	0:cdf462088d13	3413	*/
markrad	0:cdf462088d13	3414	static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3415	{
markrad	0:cdf462088d13	3416	int ret;
markrad	0:cdf462088d13	3417	size_t len;
markrad	0:cdf462088d13	3418
markrad	0:cdf462088d13	3419	ret = ssl_check_dtls_clihlo_cookie(
markrad	0:cdf462088d13	3420	ssl->conf->f_cookie_write,
markrad	0:cdf462088d13	3421	ssl->conf->f_cookie_check,
markrad	0:cdf462088d13	3422	ssl->conf->p_cookie,
markrad	0:cdf462088d13	3423	ssl->cli_id, ssl->cli_id_len,
markrad	0:cdf462088d13	3424	ssl->in_buf, ssl->in_left,
markrad	0:cdf462088d13	3425	ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
markrad	0:cdf462088d13	3426
markrad	0:cdf462088d13	3427	MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
markrad	0:cdf462088d13	3428
markrad	0:cdf462088d13	3429	if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
markrad	0:cdf462088d13	3430	{
markrad	0:cdf462088d13	3431	/* Don't check write errors as we can't do anything here.
markrad	0:cdf462088d13	3432	* If the error is permanent we'll catch it later,
markrad	0:cdf462088d13	3433	* if it's not, then hopefully it'll work next time. */
markrad	0:cdf462088d13	3434	(void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
markrad	0:cdf462088d13	3435
markrad	0:cdf462088d13	3436	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
markrad	0:cdf462088d13	3437	}
markrad	0:cdf462088d13	3438
markrad	0:cdf462088d13	3439	if( ret == 0 )
markrad	0:cdf462088d13	3440	{
markrad	0:cdf462088d13	3441	/* Got a valid cookie, partially reset context */
markrad	0:cdf462088d13	3442	if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
markrad	0:cdf462088d13	3443	{
markrad	0:cdf462088d13	3444	MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
markrad	0:cdf462088d13	3445	return( ret );
markrad	0:cdf462088d13	3446	}
markrad	0:cdf462088d13	3447
markrad	0:cdf462088d13	3448	return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
markrad	0:cdf462088d13	3449	}
markrad	0:cdf462088d13	3450
markrad	0:cdf462088d13	3451	return( ret );
markrad	0:cdf462088d13	3452	}
markrad	0:cdf462088d13	3453	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	3454
markrad	0:cdf462088d13	3455	/*
markrad	0:cdf462088d13	3456	* ContentType type;
markrad	0:cdf462088d13	3457	* ProtocolVersion version;
markrad	0:cdf462088d13	3458	* uint16 epoch; // DTLS only
markrad	0:cdf462088d13	3459	* uint48 sequence_number; // DTLS only
markrad	0:cdf462088d13	3460	* uint16 length;
markrad	0:cdf462088d13	3461	*
markrad	0:cdf462088d13	3462	* Return 0 if header looks sane (and, for DTLS, the record is expected)
markrad	0:cdf462088d13	3463	* MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
markrad	0:cdf462088d13	3464	* MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
markrad	0:cdf462088d13	3465	*
markrad	0:cdf462088d13	3466	* With DTLS, mbedtls_ssl_read_record() will:
markrad	0:cdf462088d13	3467	* 1. proceed with the record if this function returns 0
markrad	0:cdf462088d13	3468	* 2. drop only the current record if this function returns UNEXPECTED_RECORD
markrad	0:cdf462088d13	3469	* 3. return CLIENT_RECONNECT if this function return that value
markrad	0:cdf462088d13	3470	* 4. drop the whole datagram if this function returns anything else.
markrad	0:cdf462088d13	3471	* Point 2 is needed when the peer is resending, and we have already received
markrad	0:cdf462088d13	3472	* the first record from a datagram but are still waiting for the others.
markrad	0:cdf462088d13	3473	*/
markrad	0:cdf462088d13	3474	static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3475	{
markrad	0:cdf462088d13	3476	int ret;
markrad	0:cdf462088d13	3477	int major_ver, minor_ver;
markrad	0:cdf462088d13	3478
markrad	0:cdf462088d13	3479	MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
markrad	0:cdf462088d13	3480
markrad	0:cdf462088d13	3481	ssl->in_msgtype = ssl->in_hdr[0];
markrad	0:cdf462088d13	3482	ssl->in_msglen = ( ssl->in_len[0] << 8 ) \| ssl->in_len[1];
markrad	0:cdf462088d13	3483	mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
markrad	0:cdf462088d13	3484
markrad	0:cdf462088d13	3485	MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
markrad	0:cdf462088d13	3486	"version = [%d:%d], msglen = %d",
markrad	0:cdf462088d13	3487	ssl->in_msgtype,
markrad	0:cdf462088d13	3488	major_ver, minor_ver, ssl->in_msglen ) );
markrad	0:cdf462088d13	3489
markrad	0:cdf462088d13	3490	/* Check record type */
markrad	0:cdf462088d13	3491	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
markrad	0:cdf462088d13	3492	ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
markrad	0:cdf462088d13	3493	ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
markrad	0:cdf462088d13	3494	ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
markrad	0:cdf462088d13	3495	{
markrad	0:cdf462088d13	3496	MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
markrad	0:cdf462088d13	3497
markrad	0:cdf462088d13	3498	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
markrad	0:cdf462088d13	3499	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	3500	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
markrad	0:cdf462088d13	3501	{
markrad	0:cdf462088d13	3502	return( ret );
markrad	0:cdf462088d13	3503	}
markrad	0:cdf462088d13	3504
markrad	0:cdf462088d13	3505	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3506	}
markrad	0:cdf462088d13	3507
markrad	0:cdf462088d13	3508	/* Check version */
markrad	0:cdf462088d13	3509	if( major_ver != ssl->major_ver )
markrad	0:cdf462088d13	3510	{
markrad	0:cdf462088d13	3511	MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
markrad	0:cdf462088d13	3512	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3513	}
markrad	0:cdf462088d13	3514
markrad	0:cdf462088d13	3515	if( minor_ver > ssl->conf->max_minor_ver )
markrad	0:cdf462088d13	3516	{
markrad	0:cdf462088d13	3517	MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
markrad	0:cdf462088d13	3518	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3519	}
markrad	0:cdf462088d13	3520
markrad	0:cdf462088d13	3521	/* Check length against the size of our buffer */
markrad	0:cdf462088d13	3522	if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
markrad	0:cdf462088d13	3523	- (size_t)( ssl->in_msg - ssl->in_buf ) )
markrad	0:cdf462088d13	3524	{
markrad	0:cdf462088d13	3525	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
markrad	0:cdf462088d13	3526	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3527	}
markrad	0:cdf462088d13	3528
markrad	0:cdf462088d13	3529	/* Check length against bounds of the current transform and version */
markrad	0:cdf462088d13	3530	if( ssl->transform_in == NULL )
markrad	0:cdf462088d13	3531	{
markrad	0:cdf462088d13	3532	if( ssl->in_msglen < 1 \|\|
markrad	0:cdf462088d13	3533	ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
markrad	0:cdf462088d13	3534	{
markrad	0:cdf462088d13	3535	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
markrad	0:cdf462088d13	3536	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3537	}
markrad	0:cdf462088d13	3538	}
markrad	0:cdf462088d13	3539	else
markrad	0:cdf462088d13	3540	{
markrad	0:cdf462088d13	3541	if( ssl->in_msglen < ssl->transform_in->minlen )
markrad	0:cdf462088d13	3542	{
markrad	0:cdf462088d13	3543	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
markrad	0:cdf462088d13	3544	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3545	}
markrad	0:cdf462088d13	3546
markrad	0:cdf462088d13	3547	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	3548	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
markrad	0:cdf462088d13	3549	ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
markrad	0:cdf462088d13	3550	{
markrad	0:cdf462088d13	3551	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
markrad	0:cdf462088d13	3552	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3553	}
markrad	0:cdf462088d13	3554	#endif
markrad	0:cdf462088d13	3555	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	3556	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	3557	/*
markrad	0:cdf462088d13	3558	* TLS encrypted messages can have up to 256 bytes of padding
markrad	0:cdf462088d13	3559	*/
markrad	0:cdf462088d13	3560	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
markrad	0:cdf462088d13	3561	ssl->in_msglen > ssl->transform_in->minlen +
markrad	0:cdf462088d13	3562	MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
markrad	0:cdf462088d13	3563	{
markrad	0:cdf462088d13	3564	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
markrad	0:cdf462088d13	3565	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3566	}
markrad	0:cdf462088d13	3567	#endif
markrad	0:cdf462088d13	3568	}
markrad	0:cdf462088d13	3569
markrad	0:cdf462088d13	3570	/*
markrad	0:cdf462088d13	3571	* DTLS-related tests done last, because most of them may result in
markrad	0:cdf462088d13	3572	* silently dropping the record (but not the whole datagram), and we only
markrad	0:cdf462088d13	3573	* want to consider that after ensuring that the "basic" fields (type,
markrad	0:cdf462088d13	3574	* version, length) are sane.
markrad	0:cdf462088d13	3575	*/
markrad	0:cdf462088d13	3576	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3577	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	3578	{
markrad	0:cdf462088d13	3579	unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) \| ssl->in_ctr[1];
markrad	0:cdf462088d13	3580
markrad	0:cdf462088d13	3581	/* Drop unexpected ChangeCipherSpec messages */
markrad	0:cdf462088d13	3582	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
markrad	0:cdf462088d13	3583	ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
markrad	0:cdf462088d13	3584	ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
markrad	0:cdf462088d13	3585	{
markrad	0:cdf462088d13	3586	MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
markrad	0:cdf462088d13	3587	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
markrad	0:cdf462088d13	3588	}
markrad	0:cdf462088d13	3589
markrad	0:cdf462088d13	3590	/* Drop unexpected ApplicationData records,
markrad	0:cdf462088d13	3591	* except at the beginning of renegotiations */
markrad	0:cdf462088d13	3592	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
markrad	0:cdf462088d13	3593	ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
markrad	0:cdf462088d13	3594	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	3595	&& ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
markrad	0:cdf462088d13	3596	ssl->state == MBEDTLS_SSL_SERVER_HELLO )
markrad	0:cdf462088d13	3597	#endif
markrad	0:cdf462088d13	3598	)
markrad	0:cdf462088d13	3599	{
markrad	0:cdf462088d13	3600	MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
markrad	0:cdf462088d13	3601	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
markrad	0:cdf462088d13	3602	}
markrad	0:cdf462088d13	3603
markrad	0:cdf462088d13	3604	/* Check epoch (and sequence number) with DTLS */
markrad	0:cdf462088d13	3605	if( rec_epoch != ssl->in_epoch )
markrad	0:cdf462088d13	3606	{
markrad	0:cdf462088d13	3607	MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
markrad	0:cdf462088d13	3608	"expected %d, received %d",
markrad	0:cdf462088d13	3609	ssl->in_epoch, rec_epoch ) );
markrad	0:cdf462088d13	3610
markrad	0:cdf462088d13	3611	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	3612	/*
markrad	0:cdf462088d13	3613	* Check for an epoch 0 ClientHello. We can't use in_msg here to
markrad	0:cdf462088d13	3614	* access the first byte of record content (handshake type), as we
markrad	0:cdf462088d13	3615	* have an active transform (possibly iv_len != 0), so use the
markrad	0:cdf462088d13	3616	* fact that the record header len is 13 instead.
markrad	0:cdf462088d13	3617	*/
markrad	0:cdf462088d13	3618	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	3619	ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
markrad	0:cdf462088d13	3620	rec_epoch == 0 &&
markrad	0:cdf462088d13	3621	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
markrad	0:cdf462088d13	3622	ssl->in_left > 13 &&
markrad	0:cdf462088d13	3623	ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
markrad	0:cdf462088d13	3624	{
markrad	0:cdf462088d13	3625	MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
markrad	0:cdf462088d13	3626	"from the same port" ) );
markrad	0:cdf462088d13	3627	return( ssl_handle_possible_reconnect( ssl ) );
markrad	0:cdf462088d13	3628	}
markrad	0:cdf462088d13	3629	else
markrad	0:cdf462088d13	3630	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	3631	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
markrad	0:cdf462088d13	3632	}
markrad	0:cdf462088d13	3633
markrad	0:cdf462088d13	3634	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	3635	/* Replay detection only works for the current epoch */
markrad	0:cdf462088d13	3636	if( rec_epoch == ssl->in_epoch &&
markrad	0:cdf462088d13	3637	mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
markrad	0:cdf462088d13	3638	{
markrad	0:cdf462088d13	3639	MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
markrad	0:cdf462088d13	3640	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
markrad	0:cdf462088d13	3641	}
markrad	0:cdf462088d13	3642	#endif
markrad	0:cdf462088d13	3643	}
markrad	0:cdf462088d13	3644	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	3645
markrad	0:cdf462088d13	3646	return( 0 );
markrad	0:cdf462088d13	3647	}
markrad	0:cdf462088d13	3648
markrad	0:cdf462088d13	3649	/*
markrad	0:cdf462088d13	3650	* If applicable, decrypt (and decompress) record content
markrad	0:cdf462088d13	3651	*/
markrad	0:cdf462088d13	3652	static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3653	{
markrad	0:cdf462088d13	3654	int ret, done = 0;
markrad	0:cdf462088d13	3655
markrad	0:cdf462088d13	3656	MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
markrad	0:cdf462088d13	3657	ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
markrad	0:cdf462088d13	3658
markrad	0:cdf462088d13	3659	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	3660	if( mbedtls_ssl_hw_record_read != NULL )
markrad	0:cdf462088d13	3661	{
markrad	0:cdf462088d13	3662	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
markrad	0:cdf462088d13	3663
markrad	0:cdf462088d13	3664	ret = mbedtls_ssl_hw_record_read( ssl );
markrad	0:cdf462088d13	3665	if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
markrad	0:cdf462088d13	3666	{
markrad	0:cdf462088d13	3667	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
markrad	0:cdf462088d13	3668	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
markrad	0:cdf462088d13	3669	}
markrad	0:cdf462088d13	3670
markrad	0:cdf462088d13	3671	if( ret == 0 )
markrad	0:cdf462088d13	3672	done = 1;
markrad	0:cdf462088d13	3673	}
markrad	0:cdf462088d13	3674	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
markrad	0:cdf462088d13	3675	if( !done && ssl->transform_in != NULL )
markrad	0:cdf462088d13	3676	{
markrad	0:cdf462088d13	3677	if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
markrad	0:cdf462088d13	3678	{
markrad	0:cdf462088d13	3679	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
markrad	0:cdf462088d13	3680	return( ret );
markrad	0:cdf462088d13	3681	}
markrad	0:cdf462088d13	3682
markrad	0:cdf462088d13	3683	MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
markrad	0:cdf462088d13	3684	ssl->in_msg, ssl->in_msglen );
markrad	0:cdf462088d13	3685
markrad	0:cdf462088d13	3686	if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
markrad	0:cdf462088d13	3687	{
markrad	0:cdf462088d13	3688	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
markrad	0:cdf462088d13	3689	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
markrad	0:cdf462088d13	3690	}
markrad	0:cdf462088d13	3691	}
markrad	0:cdf462088d13	3692
markrad	0:cdf462088d13	3693	#if defined(MBEDTLS_ZLIB_SUPPORT)
markrad	0:cdf462088d13	3694	if( ssl->transform_in != NULL &&
markrad	0:cdf462088d13	3695	ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
markrad	0:cdf462088d13	3696	{
markrad	0:cdf462088d13	3697	if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
markrad	0:cdf462088d13	3698	{
markrad	0:cdf462088d13	3699	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
markrad	0:cdf462088d13	3700	return( ret );
markrad	0:cdf462088d13	3701	}
markrad	0:cdf462088d13	3702	}
markrad	0:cdf462088d13	3703	#endif /* MBEDTLS_ZLIB_SUPPORT */
markrad	0:cdf462088d13	3704
markrad	0:cdf462088d13	3705	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	3706	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	3707	{
markrad	0:cdf462088d13	3708	mbedtls_ssl_dtls_replay_update( ssl );
markrad	0:cdf462088d13	3709	}
markrad	0:cdf462088d13	3710	#endif
markrad	0:cdf462088d13	3711
markrad	0:cdf462088d13	3712	return( 0 );
markrad	0:cdf462088d13	3713	}
markrad	0:cdf462088d13	3714
markrad	0:cdf462088d13	3715	static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
markrad	0:cdf462088d13	3716
markrad	0:cdf462088d13	3717	/*
markrad	0:cdf462088d13	3718	* Read a record.
markrad	0:cdf462088d13	3719	*
markrad	0:cdf462088d13	3720	* Silently ignore non-fatal alert (and for DTLS, invalid records as well,
markrad	0:cdf462088d13	3721	* RFC 6347 4.1.2.7) and continue reading until a valid record is found.
markrad	0:cdf462088d13	3722	*
markrad	0:cdf462088d13	3723	*/
markrad	0:cdf462088d13	3724	int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3725	{
markrad	0:cdf462088d13	3726	int ret;
markrad	0:cdf462088d13	3727
markrad	0:cdf462088d13	3728	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
markrad	0:cdf462088d13	3729
markrad	0:cdf462088d13	3730	do {
markrad	0:cdf462088d13	3731
markrad	0:cdf462088d13	3732	if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
markrad	0:cdf462088d13	3733	{
markrad	0:cdf462088d13	3734	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
markrad	0:cdf462088d13	3735	return( ret );
markrad	0:cdf462088d13	3736	}
markrad	0:cdf462088d13	3737
markrad	0:cdf462088d13	3738	ret = mbedtls_ssl_handle_message_type( ssl );
markrad	0:cdf462088d13	3739
markrad	0:cdf462088d13	3740	} while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
markrad	0:cdf462088d13	3741
markrad	0:cdf462088d13	3742	if( 0 != ret )
markrad	0:cdf462088d13	3743	{
markrad	0:cdf462088d13	3744	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
markrad	0:cdf462088d13	3745	return( ret );
markrad	0:cdf462088d13	3746	}
markrad	0:cdf462088d13	3747
markrad	0:cdf462088d13	3748	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
markrad	0:cdf462088d13	3749	{
markrad	0:cdf462088d13	3750	mbedtls_ssl_update_handshake_status( ssl );
markrad	0:cdf462088d13	3751	}
markrad	0:cdf462088d13	3752
markrad	0:cdf462088d13	3753	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
markrad	0:cdf462088d13	3754
markrad	0:cdf462088d13	3755	return( 0 );
markrad	0:cdf462088d13	3756	}
markrad	0:cdf462088d13	3757
markrad	0:cdf462088d13	3758	int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3759	{
markrad	0:cdf462088d13	3760	int ret;
markrad	0:cdf462088d13	3761
markrad	0:cdf462088d13	3762	if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen )
markrad	0:cdf462088d13	3763	{
markrad	0:cdf462088d13	3764	/*
markrad	0:cdf462088d13	3765	* Get next Handshake message in the current record
markrad	0:cdf462088d13	3766	*/
markrad	0:cdf462088d13	3767	ssl->in_msglen -= ssl->in_hslen;
markrad	0:cdf462088d13	3768
markrad	0:cdf462088d13	3769	memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
markrad	0:cdf462088d13	3770	ssl->in_msglen );
markrad	0:cdf462088d13	3771
markrad	0:cdf462088d13	3772	MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
markrad	0:cdf462088d13	3773	ssl->in_msg, ssl->in_msglen );
markrad	0:cdf462088d13	3774
markrad	0:cdf462088d13	3775	return( 0 );
markrad	0:cdf462088d13	3776	}
markrad	0:cdf462088d13	3777
markrad	0:cdf462088d13	3778	ssl->in_hslen = 0;
markrad	0:cdf462088d13	3779
markrad	0:cdf462088d13	3780	/*
markrad	0:cdf462088d13	3781	* Read the record header and parse it
markrad	0:cdf462088d13	3782	*/
markrad	0:cdf462088d13	3783	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3784	read_record_header:
markrad	0:cdf462088d13	3785	#endif
markrad	0:cdf462088d13	3786
markrad	0:cdf462088d13	3787	if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
markrad	0:cdf462088d13	3788	{
markrad	0:cdf462088d13	3789	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
markrad	0:cdf462088d13	3790	return( ret );
markrad	0:cdf462088d13	3791	}
markrad	0:cdf462088d13	3792
markrad	0:cdf462088d13	3793	if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
markrad	0:cdf462088d13	3794	{
markrad	0:cdf462088d13	3795	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3796	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	3797	ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
markrad	0:cdf462088d13	3798	{
markrad	0:cdf462088d13	3799	if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
markrad	0:cdf462088d13	3800	{
markrad	0:cdf462088d13	3801	/* Skip unexpected record (but not whole datagram) */
markrad	0:cdf462088d13	3802	ssl->next_record_offset = ssl->in_msglen
markrad	0:cdf462088d13	3803	+ mbedtls_ssl_hdr_len( ssl );
markrad	0:cdf462088d13	3804
markrad	0:cdf462088d13	3805	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
markrad	0:cdf462088d13	3806	"(header)" ) );
markrad	0:cdf462088d13	3807	}
markrad	0:cdf462088d13	3808	else
markrad	0:cdf462088d13	3809	{
markrad	0:cdf462088d13	3810	/* Skip invalid record and the rest of the datagram */
markrad	0:cdf462088d13	3811	ssl->next_record_offset = 0;
markrad	0:cdf462088d13	3812	ssl->in_left = 0;
markrad	0:cdf462088d13	3813
markrad	0:cdf462088d13	3814	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
markrad	0:cdf462088d13	3815	"(header)" ) );
markrad	0:cdf462088d13	3816	}
markrad	0:cdf462088d13	3817
markrad	0:cdf462088d13	3818	/* Get next record */
markrad	0:cdf462088d13	3819	goto read_record_header;
markrad	0:cdf462088d13	3820	}
markrad	0:cdf462088d13	3821	#endif
markrad	0:cdf462088d13	3822	return( ret );
markrad	0:cdf462088d13	3823	}
markrad	0:cdf462088d13	3824
markrad	0:cdf462088d13	3825	/*
markrad	0:cdf462088d13	3826	* Read and optionally decrypt the message contents
markrad	0:cdf462088d13	3827	*/
markrad	0:cdf462088d13	3828	if( ( ret = mbedtls_ssl_fetch_input( ssl,
markrad	0:cdf462088d13	3829	mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
markrad	0:cdf462088d13	3830	{
markrad	0:cdf462088d13	3831	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
markrad	0:cdf462088d13	3832	return( ret );
markrad	0:cdf462088d13	3833	}
markrad	0:cdf462088d13	3834
markrad	0:cdf462088d13	3835	/* Done reading this record, get ready for the next one */
markrad	0:cdf462088d13	3836	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3837	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	3838	ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
markrad	0:cdf462088d13	3839	else
markrad	0:cdf462088d13	3840	#endif
markrad	0:cdf462088d13	3841	ssl->in_left = 0;
markrad	0:cdf462088d13	3842
markrad	0:cdf462088d13	3843	if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
markrad	0:cdf462088d13	3844	{
markrad	0:cdf462088d13	3845	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3846	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	3847	{
markrad	0:cdf462088d13	3848	/* Silently discard invalid records */
markrad	0:cdf462088d13	3849	if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD \|\|
markrad	0:cdf462088d13	3850	ret == MBEDTLS_ERR_SSL_INVALID_MAC )
markrad	0:cdf462088d13	3851	{
markrad	0:cdf462088d13	3852	/* Except when waiting for Finished as a bad mac here
markrad	0:cdf462088d13	3853	* probably means something went wrong in the handshake
markrad	0:cdf462088d13	3854	* (eg wrong psk used, mitm downgrade attempt, etc.) */
markrad	0:cdf462088d13	3855	if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED \|\|
markrad	0:cdf462088d13	3856	ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
markrad	0:cdf462088d13	3857	{
markrad	0:cdf462088d13	3858	#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
markrad	0:cdf462088d13	3859	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
markrad	0:cdf462088d13	3860	{
markrad	0:cdf462088d13	3861	mbedtls_ssl_send_alert_message( ssl,
markrad	0:cdf462088d13	3862	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	3863	MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
markrad	0:cdf462088d13	3864	}
markrad	0:cdf462088d13	3865	#endif
markrad	0:cdf462088d13	3866	return( ret );
markrad	0:cdf462088d13	3867	}
markrad	0:cdf462088d13	3868
markrad	0:cdf462088d13	3869	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
markrad	0:cdf462088d13	3870	if( ssl->conf->badmac_limit != 0 &&
markrad	0:cdf462088d13	3871	++ssl->badmac_seen >= ssl->conf->badmac_limit )
markrad	0:cdf462088d13	3872	{
markrad	0:cdf462088d13	3873	MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
markrad	0:cdf462088d13	3874	return( MBEDTLS_ERR_SSL_INVALID_MAC );
markrad	0:cdf462088d13	3875	}
markrad	0:cdf462088d13	3876	#endif
markrad	0:cdf462088d13	3877
markrad	0:cdf462088d13	3878	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
markrad	0:cdf462088d13	3879	goto read_record_header;
markrad	0:cdf462088d13	3880	}
markrad	0:cdf462088d13	3881
markrad	0:cdf462088d13	3882	return( ret );
markrad	0:cdf462088d13	3883	}
markrad	0:cdf462088d13	3884	else
markrad	0:cdf462088d13	3885	#endif
markrad	0:cdf462088d13	3886	{
markrad	0:cdf462088d13	3887	/* Error out (and send alert) on invalid records */
markrad	0:cdf462088d13	3888	#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
markrad	0:cdf462088d13	3889	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
markrad	0:cdf462088d13	3890	{
markrad	0:cdf462088d13	3891	mbedtls_ssl_send_alert_message( ssl,
markrad	0:cdf462088d13	3892	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	3893	MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
markrad	0:cdf462088d13	3894	}
markrad	0:cdf462088d13	3895	#endif
markrad	0:cdf462088d13	3896	return( ret );
markrad	0:cdf462088d13	3897	}
markrad	0:cdf462088d13	3898	}
markrad	0:cdf462088d13	3899
markrad	0:cdf462088d13	3900	/*
markrad	0:cdf462088d13	3901	* When we sent the last flight of the handshake, we MUST respond to a
markrad	0:cdf462088d13	3902	* retransmit of the peer's previous flight with a retransmit. (In
markrad	0:cdf462088d13	3903	* practice, only the Finished message will make it, other messages
markrad	0:cdf462088d13	3904	* including CCS use the old transform so they're dropped as invalid.)
markrad	0:cdf462088d13	3905	*
markrad	0:cdf462088d13	3906	* If the record we received is not a handshake message, however, it
markrad	0:cdf462088d13	3907	* means the peer received our last flight so we can clean up
markrad	0:cdf462088d13	3908	* handshake info.
markrad	0:cdf462088d13	3909	*
markrad	0:cdf462088d13	3910	* This check needs to be done before prepare_handshake() due to an edge
markrad	0:cdf462088d13	3911	* case: if the client immediately requests renegotiation, this
markrad	0:cdf462088d13	3912	* finishes the current handshake first, avoiding the new ClientHello
markrad	0:cdf462088d13	3913	* being mistaken for an ancient message in the current handshake.
markrad	0:cdf462088d13	3914	*/
markrad	0:cdf462088d13	3915	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3916	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	3917	ssl->handshake != NULL &&
markrad	0:cdf462088d13	3918	ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	3919	{
markrad	0:cdf462088d13	3920	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
markrad	0:cdf462088d13	3921	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
markrad	0:cdf462088d13	3922	{
markrad	0:cdf462088d13	3923	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) );
markrad	0:cdf462088d13	3924
markrad	0:cdf462088d13	3925	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
markrad	0:cdf462088d13	3926	{
markrad	0:cdf462088d13	3927	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
markrad	0:cdf462088d13	3928	return( ret );
markrad	0:cdf462088d13	3929	}
markrad	0:cdf462088d13	3930
markrad	0:cdf462088d13	3931	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	3932	}
markrad	0:cdf462088d13	3933	else
markrad	0:cdf462088d13	3934	{
markrad	0:cdf462088d13	3935	ssl_handshake_wrapup_free_hs_transform( ssl );
markrad	0:cdf462088d13	3936	}
markrad	0:cdf462088d13	3937	}
markrad	0:cdf462088d13	3938	#endif
markrad	0:cdf462088d13	3939
markrad	0:cdf462088d13	3940	return( 0 );
markrad	0:cdf462088d13	3941	}
markrad	0:cdf462088d13	3942
markrad	0:cdf462088d13	3943	int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3944	{
markrad	0:cdf462088d13	3945	int ret;
markrad	0:cdf462088d13	3946
markrad	0:cdf462088d13	3947	/*
markrad	0:cdf462088d13	3948	* Handle particular types of records
markrad	0:cdf462088d13	3949	*/
markrad	0:cdf462088d13	3950	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
markrad	0:cdf462088d13	3951	{
markrad	0:cdf462088d13	3952	if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	3953	{
markrad	0:cdf462088d13	3954	return( ret );
markrad	0:cdf462088d13	3955	}
markrad	0:cdf462088d13	3956	}
markrad	0:cdf462088d13	3957
markrad	0:cdf462088d13	3958	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
markrad	0:cdf462088d13	3959	{
markrad	0:cdf462088d13	3960	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
markrad	0:cdf462088d13	3961	ssl->in_msg[0], ssl->in_msg[1] ) );
markrad	0:cdf462088d13	3962
markrad	0:cdf462088d13	3963	/*
markrad	0:cdf462088d13	3964	* Ignore non-fatal alerts, except close_notify and no_renegotiation
markrad	0:cdf462088d13	3965	*/
markrad	0:cdf462088d13	3966	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
markrad	0:cdf462088d13	3967	{
markrad	0:cdf462088d13	3968	MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
markrad	0:cdf462088d13	3969	ssl->in_msg[1] ) );
markrad	0:cdf462088d13	3970	return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
markrad	0:cdf462088d13	3971	}
markrad	0:cdf462088d13	3972
markrad	0:cdf462088d13	3973	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
markrad	0:cdf462088d13	3974	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
markrad	0:cdf462088d13	3975	{
markrad	0:cdf462088d13	3976	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
markrad	0:cdf462088d13	3977	return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
markrad	0:cdf462088d13	3978	}
markrad	0:cdf462088d13	3979
markrad	0:cdf462088d13	3980	#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
markrad	0:cdf462088d13	3981	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
markrad	0:cdf462088d13	3982	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
markrad	0:cdf462088d13	3983	{
markrad	0:cdf462088d13	3984	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
markrad	0:cdf462088d13	3985	/* Will be handled when trying to parse ServerHello */
markrad	0:cdf462088d13	3986	return( 0 );
markrad	0:cdf462088d13	3987	}
markrad	0:cdf462088d13	3988	#endif
markrad	0:cdf462088d13	3989
markrad	0:cdf462088d13	3990	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	3991	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
markrad	0:cdf462088d13	3992	ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	3993	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
markrad	0:cdf462088d13	3994	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
markrad	0:cdf462088d13	3995	{
markrad	0:cdf462088d13	3996	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
markrad	0:cdf462088d13	3997	/* Will be handled in mbedtls_ssl_parse_certificate() */
markrad	0:cdf462088d13	3998	return( 0 );
markrad	0:cdf462088d13	3999	}
markrad	0:cdf462088d13	4000	#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	4001
markrad	0:cdf462088d13	4002	/* Silently ignore: fetch new message */
markrad	0:cdf462088d13	4003	return MBEDTLS_ERR_SSL_NON_FATAL;
markrad	0:cdf462088d13	4004	}
markrad	0:cdf462088d13	4005
markrad	0:cdf462088d13	4006	return( 0 );
markrad	0:cdf462088d13	4007	}
markrad	0:cdf462088d13	4008
markrad	0:cdf462088d13	4009	int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4010	{
markrad	0:cdf462088d13	4011	int ret;
markrad	0:cdf462088d13	4012
markrad	0:cdf462088d13	4013	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
markrad	0:cdf462088d13	4014	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	4015	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
markrad	0:cdf462088d13	4016	{
markrad	0:cdf462088d13	4017	return( ret );
markrad	0:cdf462088d13	4018	}
markrad	0:cdf462088d13	4019
markrad	0:cdf462088d13	4020	return( 0 );
markrad	0:cdf462088d13	4021	}
markrad	0:cdf462088d13	4022
markrad	0:cdf462088d13	4023	int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	4024	unsigned char level,
markrad	0:cdf462088d13	4025	unsigned char message )
markrad	0:cdf462088d13	4026	{
markrad	0:cdf462088d13	4027	int ret;
markrad	0:cdf462088d13	4028
markrad	0:cdf462088d13	4029	if( ssl == NULL \|\| ssl->conf == NULL )
markrad	0:cdf462088d13	4030	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	4031
markrad	0:cdf462088d13	4032	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
markrad	0:cdf462088d13	4033
markrad	0:cdf462088d13	4034	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
markrad	0:cdf462088d13	4035	ssl->out_msglen = 2;
markrad	0:cdf462088d13	4036	ssl->out_msg[0] = level;
markrad	0:cdf462088d13	4037	ssl->out_msg[1] = message;
markrad	0:cdf462088d13	4038
markrad	0:cdf462088d13	4039	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	4040	{
markrad	0:cdf462088d13	4041	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	4042	return( ret );
markrad	0:cdf462088d13	4043	}
markrad	0:cdf462088d13	4044
markrad	0:cdf462088d13	4045	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
markrad	0:cdf462088d13	4046
markrad	0:cdf462088d13	4047	return( 0 );
markrad	0:cdf462088d13	4048	}
markrad	0:cdf462088d13	4049
markrad	0:cdf462088d13	4050	/*
markrad	0:cdf462088d13	4051	* Handshake functions
markrad	0:cdf462088d13	4052	*/
markrad	0:cdf462088d13	4053	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
markrad	0:cdf462088d13	4054	!defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
markrad	0:cdf462088d13	4055	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
markrad	0:cdf462088d13	4056	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
markrad	0:cdf462088d13	4057	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
markrad	0:cdf462088d13	4058	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
markrad	0:cdf462088d13	4059	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
markrad	0:cdf462088d13	4060	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4061	{
markrad	0:cdf462088d13	4062	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	4063
markrad	0:cdf462088d13	4064	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
markrad	0:cdf462088d13	4065
markrad	0:cdf462088d13	4066	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	4067	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	4068	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
markrad	0:cdf462088d13	4069	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	4070	{
markrad	0:cdf462088d13	4071	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
markrad	0:cdf462088d13	4072	ssl->state++;
markrad	0:cdf462088d13	4073	return( 0 );
markrad	0:cdf462088d13	4074	}
markrad	0:cdf462088d13	4075
markrad	0:cdf462088d13	4076	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	4077	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	4078	}
markrad	0:cdf462088d13	4079
markrad	0:cdf462088d13	4080	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4081	{
markrad	0:cdf462088d13	4082	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	4083
markrad	0:cdf462088d13	4084	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
markrad	0:cdf462088d13	4085
markrad	0:cdf462088d13	4086	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	4087	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	4088	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
markrad	0:cdf462088d13	4089	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	4090	{
markrad	0:cdf462088d13	4091	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
markrad	0:cdf462088d13	4092	ssl->state++;
markrad	0:cdf462088d13	4093	return( 0 );
markrad	0:cdf462088d13	4094	}
markrad	0:cdf462088d13	4095
markrad	0:cdf462088d13	4096	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	4097	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	4098	}
markrad	0:cdf462088d13	4099	#else
markrad	0:cdf462088d13	4100	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4101	{
markrad	0:cdf462088d13	4102	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
markrad	0:cdf462088d13	4103	size_t i, n;
markrad	0:cdf462088d13	4104	const mbedtls_x509_crt *crt;
markrad	0:cdf462088d13	4105	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	4106
markrad	0:cdf462088d13	4107	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
markrad	0:cdf462088d13	4108
markrad	0:cdf462088d13	4109	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	4110	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	4111	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
markrad	0:cdf462088d13	4112	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	4113	{
markrad	0:cdf462088d13	4114	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
markrad	0:cdf462088d13	4115	ssl->state++;
markrad	0:cdf462088d13	4116	return( 0 );
markrad	0:cdf462088d13	4117	}
markrad	0:cdf462088d13	4118
markrad	0:cdf462088d13	4119	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	4120	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	4121	{
markrad	0:cdf462088d13	4122	if( ssl->client_auth == 0 )
markrad	0:cdf462088d13	4123	{
markrad	0:cdf462088d13	4124	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
markrad	0:cdf462088d13	4125	ssl->state++;
markrad	0:cdf462088d13	4126	return( 0 );
markrad	0:cdf462088d13	4127	}
markrad	0:cdf462088d13	4128
markrad	0:cdf462088d13	4129	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	4130	/*
markrad	0:cdf462088d13	4131	* If using SSLv3 and got no cert, send an Alert message
markrad	0:cdf462088d13	4132	* (otherwise an empty Certificate message will be sent).
markrad	0:cdf462088d13	4133	*/
markrad	0:cdf462088d13	4134	if( mbedtls_ssl_own_cert( ssl ) == NULL &&
markrad	0:cdf462088d13	4135	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	4136	{
markrad	0:cdf462088d13	4137	ssl->out_msglen = 2;
markrad	0:cdf462088d13	4138	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
markrad	0:cdf462088d13	4139	ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
markrad	0:cdf462088d13	4140	ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
markrad	0:cdf462088d13	4141
markrad	0:cdf462088d13	4142	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
markrad	0:cdf462088d13	4143	goto write_msg;
markrad	0:cdf462088d13	4144	}
markrad	0:cdf462088d13	4145	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	4146	}
markrad	0:cdf462088d13	4147	#endif /* MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	4148	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	4149	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	4150	{
markrad	0:cdf462088d13	4151	if( mbedtls_ssl_own_cert( ssl ) == NULL )
markrad	0:cdf462088d13	4152	{
markrad	0:cdf462088d13	4153	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
markrad	0:cdf462088d13	4154	return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
markrad	0:cdf462088d13	4155	}
markrad	0:cdf462088d13	4156	}
markrad	0:cdf462088d13	4157	#endif
markrad	0:cdf462088d13	4158
markrad	0:cdf462088d13	4159	MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
markrad	0:cdf462088d13	4160
markrad	0:cdf462088d13	4161	/*
markrad	0:cdf462088d13	4162	* 0 . 0 handshake type
markrad	0:cdf462088d13	4163	* 1 . 3 handshake length
markrad	0:cdf462088d13	4164	* 4 . 6 length of all certs
markrad	0:cdf462088d13	4165	* 7 . 9 length of cert. 1
markrad	0:cdf462088d13	4166	* 10 . n-1 peer certificate
markrad	0:cdf462088d13	4167	* n . n+2 length of cert. 2
markrad	0:cdf462088d13	4168	* n+3 . ... upper level cert, etc.
markrad	0:cdf462088d13	4169	*/
markrad	0:cdf462088d13	4170	i = 7;
markrad	0:cdf462088d13	4171	crt = mbedtls_ssl_own_cert( ssl );
markrad	0:cdf462088d13	4172
markrad	0:cdf462088d13	4173	while( crt != NULL )
markrad	0:cdf462088d13	4174	{
markrad	0:cdf462088d13	4175	n = crt->raw.len;
markrad	0:cdf462088d13	4176	if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
markrad	0:cdf462088d13	4177	{
markrad	0:cdf462088d13	4178	MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
markrad	0:cdf462088d13	4179	i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
markrad	0:cdf462088d13	4180	return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
markrad	0:cdf462088d13	4181	}
markrad	0:cdf462088d13	4182
markrad	0:cdf462088d13	4183	ssl->out_msg[i ] = (unsigned char)( n >> 16 );
markrad	0:cdf462088d13	4184	ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
markrad	0:cdf462088d13	4185	ssl->out_msg[i + 2] = (unsigned char)( n );
markrad	0:cdf462088d13	4186
markrad	0:cdf462088d13	4187	i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
markrad	0:cdf462088d13	4188	i += n; crt = crt->next;
markrad	0:cdf462088d13	4189	}
markrad	0:cdf462088d13	4190
markrad	0:cdf462088d13	4191	ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
markrad	0:cdf462088d13	4192	ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
markrad	0:cdf462088d13	4193	ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
markrad	0:cdf462088d13	4194
markrad	0:cdf462088d13	4195	ssl->out_msglen = i;
markrad	0:cdf462088d13	4196	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	4197	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
markrad	0:cdf462088d13	4198
markrad	0:cdf462088d13	4199	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	4200	write_msg:
markrad	0:cdf462088d13	4201	#endif
markrad	0:cdf462088d13	4202
markrad	0:cdf462088d13	4203	ssl->state++;
markrad	0:cdf462088d13	4204
markrad	0:cdf462088d13	4205	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	4206	{
markrad	0:cdf462088d13	4207	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	4208	return( ret );
markrad	0:cdf462088d13	4209	}
markrad	0:cdf462088d13	4210
markrad	0:cdf462088d13	4211	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
markrad	0:cdf462088d13	4212
markrad	0:cdf462088d13	4213	return( ret );
markrad	0:cdf462088d13	4214	}
markrad	0:cdf462088d13	4215
markrad	0:cdf462088d13	4216	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4217	{
markrad	0:cdf462088d13	4218	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
markrad	0:cdf462088d13	4219	size_t i, n;
markrad	0:cdf462088d13	4220	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	4221	int authmode = ssl->conf->authmode;
markrad	0:cdf462088d13	4222
markrad	0:cdf462088d13	4223	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
markrad	0:cdf462088d13	4224
markrad	0:cdf462088d13	4225	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	4226	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	4227	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
markrad	0:cdf462088d13	4228	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	4229	{
markrad	0:cdf462088d13	4230	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
markrad	0:cdf462088d13	4231	ssl->state++;
markrad	0:cdf462088d13	4232	return( 0 );
markrad	0:cdf462088d13	4233	}
markrad	0:cdf462088d13	4234
markrad	0:cdf462088d13	4235	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	4236	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	4237	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
markrad	0:cdf462088d13	4238	{
markrad	0:cdf462088d13	4239	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
markrad	0:cdf462088d13	4240	ssl->state++;
markrad	0:cdf462088d13	4241	return( 0 );
markrad	0:cdf462088d13	4242	}
markrad	0:cdf462088d13	4243
markrad	0:cdf462088d13	4244	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	4245	if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
markrad	0:cdf462088d13	4246	authmode = ssl->handshake->sni_authmode;
markrad	0:cdf462088d13	4247	#endif
markrad	0:cdf462088d13	4248
markrad	0:cdf462088d13	4249	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	4250	authmode == MBEDTLS_SSL_VERIFY_NONE )
markrad	0:cdf462088d13	4251	{
markrad	0:cdf462088d13	4252	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
markrad	0:cdf462088d13	4253	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
markrad	0:cdf462088d13	4254	ssl->state++;
markrad	0:cdf462088d13	4255	return( 0 );
markrad	0:cdf462088d13	4256	}
markrad	0:cdf462088d13	4257	#endif
markrad	0:cdf462088d13	4258
markrad	0:cdf462088d13	4259	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	4260	{
markrad	0:cdf462088d13	4261	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
markrad	0:cdf462088d13	4262	return( ret );
markrad	0:cdf462088d13	4263	}
markrad	0:cdf462088d13	4264
markrad	0:cdf462088d13	4265	ssl->state++;
markrad	0:cdf462088d13	4266
markrad	0:cdf462088d13	4267	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	4268	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	4269	/*
markrad	0:cdf462088d13	4270	* Check if the client sent an empty certificate
markrad	0:cdf462088d13	4271	*/
markrad	0:cdf462088d13	4272	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	4273	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	4274	{
markrad	0:cdf462088d13	4275	if( ssl->in_msglen == 2 &&
markrad	0:cdf462088d13	4276	ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
markrad	0:cdf462088d13	4277	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
markrad	0:cdf462088d13	4278	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
markrad	0:cdf462088d13	4279	{
markrad	0:cdf462088d13	4280	MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
markrad	0:cdf462088d13	4281
markrad	0:cdf462088d13	4282	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
markrad	0:cdf462088d13	4283	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
markrad	0:cdf462088d13	4284	return( 0 );
markrad	0:cdf462088d13	4285	else
markrad	0:cdf462088d13	4286	return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
markrad	0:cdf462088d13	4287	}
markrad	0:cdf462088d13	4288	}
markrad	0:cdf462088d13	4289	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	4290
markrad	0:cdf462088d13	4291	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	4292	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	4293	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	4294	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	4295	{
markrad	0:cdf462088d13	4296	if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
markrad	0:cdf462088d13	4297	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
markrad	0:cdf462088d13	4298	ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
markrad	0:cdf462088d13	4299	memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
markrad	0:cdf462088d13	4300	{
markrad	0:cdf462088d13	4301	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
markrad	0:cdf462088d13	4302
markrad	0:cdf462088d13	4303	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
markrad	0:cdf462088d13	4304	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
markrad	0:cdf462088d13	4305	return( 0 );
markrad	0:cdf462088d13	4306	else
markrad	0:cdf462088d13	4307	return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
markrad	0:cdf462088d13	4308	}
markrad	0:cdf462088d13	4309	}
markrad	0:cdf462088d13	4310	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
markrad	0:cdf462088d13	4311	MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	4312	#endif /* MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	4313
markrad	0:cdf462088d13	4314	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
markrad	0:cdf462088d13	4315	{
markrad	0:cdf462088d13	4316	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
markrad	0:cdf462088d13	4317	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
markrad	0:cdf462088d13	4318	}
markrad	0:cdf462088d13	4319
markrad	0:cdf462088d13	4320	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE \|\|
markrad	0:cdf462088d13	4321	ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
markrad	0:cdf462088d13	4322	{
markrad	0:cdf462088d13	4323	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
markrad	0:cdf462088d13	4324	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
markrad	0:cdf462088d13	4325	}
markrad	0:cdf462088d13	4326
markrad	0:cdf462088d13	4327	i = mbedtls_ssl_hs_hdr_len( ssl );
markrad	0:cdf462088d13	4328
markrad	0:cdf462088d13	4329	/*
markrad	0:cdf462088d13	4330	* Same message structure as in mbedtls_ssl_write_certificate()
markrad	0:cdf462088d13	4331	*/
markrad	0:cdf462088d13	4332	n = ( ssl->in_msg[i+1] << 8 ) \| ssl->in_msg[i+2];
markrad	0:cdf462088d13	4333
markrad	0:cdf462088d13	4334	if( ssl->in_msg[i] != 0 \|\|
markrad	0:cdf462088d13	4335	ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
markrad	0:cdf462088d13	4336	{
markrad	0:cdf462088d13	4337	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
markrad	0:cdf462088d13	4338	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
markrad	0:cdf462088d13	4339	}
markrad	0:cdf462088d13	4340
markrad	0:cdf462088d13	4341	/* In case we tried to reuse a session but it failed */
markrad	0:cdf462088d13	4342	if( ssl->session_negotiate->peer_cert != NULL )
markrad	0:cdf462088d13	4343	{
markrad	0:cdf462088d13	4344	mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
markrad	0:cdf462088d13	4345	mbedtls_free( ssl->session_negotiate->peer_cert );
markrad	0:cdf462088d13	4346	}
markrad	0:cdf462088d13	4347
markrad	0:cdf462088d13	4348	if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
markrad	0:cdf462088d13	4349	sizeof( mbedtls_x509_crt ) ) ) == NULL )
markrad	0:cdf462088d13	4350	{
markrad	0:cdf462088d13	4351	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
markrad	0:cdf462088d13	4352	sizeof( mbedtls_x509_crt ) ) );
markrad	0:cdf462088d13	4353	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	4354	}
markrad	0:cdf462088d13	4355
markrad	0:cdf462088d13	4356	mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
markrad	0:cdf462088d13	4357
markrad	0:cdf462088d13	4358	i += 3;
markrad	0:cdf462088d13	4359
markrad	0:cdf462088d13	4360	while( i < ssl->in_hslen )
markrad	0:cdf462088d13	4361	{
markrad	0:cdf462088d13	4362	if( ssl->in_msg[i] != 0 )
markrad	0:cdf462088d13	4363	{
markrad	0:cdf462088d13	4364	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
markrad	0:cdf462088d13	4365	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
markrad	0:cdf462088d13	4366	}
markrad	0:cdf462088d13	4367
markrad	0:cdf462088d13	4368	n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
markrad	0:cdf462088d13	4369	\| (unsigned int) ssl->in_msg[i + 2];
markrad	0:cdf462088d13	4370	i += 3;
markrad	0:cdf462088d13	4371
markrad	0:cdf462088d13	4372	if( n < 128 \|\| i + n > ssl->in_hslen )
markrad	0:cdf462088d13	4373	{
markrad	0:cdf462088d13	4374	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
markrad	0:cdf462088d13	4375	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
markrad	0:cdf462088d13	4376	}
markrad	0:cdf462088d13	4377
markrad	0:cdf462088d13	4378	ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
markrad	0:cdf462088d13	4379	ssl->in_msg + i, n );
markrad	0:cdf462088d13	4380	if( 0 != ret && ( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND ) != ret )
markrad	0:cdf462088d13	4381	{
markrad	0:cdf462088d13	4382	MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
markrad	0:cdf462088d13	4383	return( ret );
markrad	0:cdf462088d13	4384	}
markrad	0:cdf462088d13	4385
markrad	0:cdf462088d13	4386	i += n;
markrad	0:cdf462088d13	4387	}
markrad	0:cdf462088d13	4388
markrad	0:cdf462088d13	4389	MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
markrad	0:cdf462088d13	4390
markrad	0:cdf462088d13	4391	/*
markrad	0:cdf462088d13	4392	* On client, make sure the server cert doesn't change during renego to
markrad	0:cdf462088d13	4393	* avoid "triple handshake" attack: https://secure-resumption.com/
markrad	0:cdf462088d13	4394	*/
markrad	0:cdf462088d13	4395	#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	4396	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
markrad	0:cdf462088d13	4397	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad	0:cdf462088d13	4398	{
markrad	0:cdf462088d13	4399	if( ssl->session->peer_cert == NULL )
markrad	0:cdf462088d13	4400	{
markrad	0:cdf462088d13	4401	MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
markrad	0:cdf462088d13	4402	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
markrad	0:cdf462088d13	4403	}
markrad	0:cdf462088d13	4404
markrad	0:cdf462088d13	4405	if( ssl->session->peer_cert->raw.len !=
markrad	0:cdf462088d13	4406	ssl->session_negotiate->peer_cert->raw.len \|\|
markrad	0:cdf462088d13	4407	memcmp( ssl->session->peer_cert->raw.p,
markrad	0:cdf462088d13	4408	ssl->session_negotiate->peer_cert->raw.p,
markrad	0:cdf462088d13	4409	ssl->session->peer_cert->raw.len ) != 0 )
markrad	0:cdf462088d13	4410	{
markrad	0:cdf462088d13	4411	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
markrad	0:cdf462088d13	4412	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
markrad	0:cdf462088d13	4413	}
markrad	0:cdf462088d13	4414	}
markrad	0:cdf462088d13	4415	#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	4416
markrad	0:cdf462088d13	4417	if( authmode != MBEDTLS_SSL_VERIFY_NONE )
markrad	0:cdf462088d13	4418	{
markrad	0:cdf462088d13	4419	mbedtls_x509_crt *ca_chain;
markrad	0:cdf462088d13	4420	mbedtls_x509_crl *ca_crl;
markrad	0:cdf462088d13	4421
markrad	0:cdf462088d13	4422	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	4423	if( ssl->handshake->sni_ca_chain != NULL )
markrad	0:cdf462088d13	4424	{
markrad	0:cdf462088d13	4425	ca_chain = ssl->handshake->sni_ca_chain;
markrad	0:cdf462088d13	4426	ca_crl = ssl->handshake->sni_ca_crl;
markrad	0:cdf462088d13	4427	}
markrad	0:cdf462088d13	4428	else
markrad	0:cdf462088d13	4429	#endif
markrad	0:cdf462088d13	4430	{
markrad	0:cdf462088d13	4431	ca_chain = ssl->conf->ca_chain;
markrad	0:cdf462088d13	4432	ca_crl = ssl->conf->ca_crl;
markrad	0:cdf462088d13	4433	}
markrad	0:cdf462088d13	4434
markrad	0:cdf462088d13	4435	if( ca_chain == NULL )
markrad	0:cdf462088d13	4436	{
markrad	0:cdf462088d13	4437	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
markrad	0:cdf462088d13	4438	return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED );
markrad	0:cdf462088d13	4439	}
markrad	0:cdf462088d13	4440
markrad	0:cdf462088d13	4441	/*
markrad	0:cdf462088d13	4442	* Main check: verify certificate
markrad	0:cdf462088d13	4443	*/
markrad	0:cdf462088d13	4444	ret = mbedtls_x509_crt_verify_with_profile(
markrad	0:cdf462088d13	4445	ssl->session_negotiate->peer_cert,
markrad	0:cdf462088d13	4446	ca_chain, ca_crl,
markrad	0:cdf462088d13	4447	ssl->conf->cert_profile,
markrad	0:cdf462088d13	4448	ssl->hostname,
markrad	0:cdf462088d13	4449	&ssl->session_negotiate->verify_result,
markrad	0:cdf462088d13	4450	ssl->conf->f_vrfy, ssl->conf->p_vrfy );
markrad	0:cdf462088d13	4451
markrad	0:cdf462088d13	4452	if( ret != 0 )
markrad	0:cdf462088d13	4453	{
markrad	0:cdf462088d13	4454	MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
markrad	0:cdf462088d13	4455	}
markrad	0:cdf462088d13	4456
markrad	0:cdf462088d13	4457	/*
markrad	0:cdf462088d13	4458	* Secondary checks: always done, but change 'ret' only if it was 0
markrad	0:cdf462088d13	4459	*/
markrad	0:cdf462088d13	4460
markrad	0:cdf462088d13	4461	#if defined(MBEDTLS_ECP_C)
markrad	0:cdf462088d13	4462	{
markrad	0:cdf462088d13	4463	const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
markrad	0:cdf462088d13	4464
markrad	0:cdf462088d13	4465	/* If certificate uses an EC key, make sure the curve is OK */
markrad	0:cdf462088d13	4466	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
markrad	0:cdf462088d13	4467	mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
markrad	0:cdf462088d13	4468	{
markrad	0:cdf462088d13	4469	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
markrad	0:cdf462088d13	4470	if( ret == 0 )
markrad	0:cdf462088d13	4471	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
markrad	0:cdf462088d13	4472	}
markrad	0:cdf462088d13	4473	}
markrad	0:cdf462088d13	4474	#endif /* MBEDTLS_ECP_C */
markrad	0:cdf462088d13	4475
markrad	0:cdf462088d13	4476	if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
markrad	0:cdf462088d13	4477	ciphersuite_info,
markrad	0:cdf462088d13	4478	! ssl->conf->endpoint,
markrad	0:cdf462088d13	4479	&ssl->session_negotiate->verify_result ) != 0 )
markrad	0:cdf462088d13	4480	{
markrad	0:cdf462088d13	4481	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
markrad	0:cdf462088d13	4482	if( ret == 0 )
markrad	0:cdf462088d13	4483	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
markrad	0:cdf462088d13	4484	}
markrad	0:cdf462088d13	4485
markrad	0:cdf462088d13	4486	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
markrad	0:cdf462088d13	4487	ret = 0;
markrad	0:cdf462088d13	4488	}
markrad	0:cdf462088d13	4489
markrad	0:cdf462088d13	4490	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
markrad	0:cdf462088d13	4491
markrad	0:cdf462088d13	4492	return( ret );
markrad	0:cdf462088d13	4493	}
markrad	0:cdf462088d13	4494	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
markrad	0:cdf462088d13	4495	!MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
markrad	0:cdf462088d13	4496	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
markrad	0:cdf462088d13	4497	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
markrad	0:cdf462088d13	4498	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
markrad	0:cdf462088d13	4499	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
markrad	0:cdf462088d13	4500	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
markrad	0:cdf462088d13	4501
markrad	0:cdf462088d13	4502	int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4503	{
markrad	0:cdf462088d13	4504	int ret;
markrad	0:cdf462088d13	4505
markrad	0:cdf462088d13	4506	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
markrad	0:cdf462088d13	4507
markrad	0:cdf462088d13	4508	ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
markrad	0:cdf462088d13	4509	ssl->out_msglen = 1;
markrad	0:cdf462088d13	4510	ssl->out_msg[0] = 1;
markrad	0:cdf462088d13	4511
markrad	0:cdf462088d13	4512	ssl->state++;
markrad	0:cdf462088d13	4513
markrad	0:cdf462088d13	4514	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	4515	{
markrad	0:cdf462088d13	4516	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	4517	return( ret );
markrad	0:cdf462088d13	4518	}
markrad	0:cdf462088d13	4519
markrad	0:cdf462088d13	4520	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
markrad	0:cdf462088d13	4521
markrad	0:cdf462088d13	4522	return( 0 );
markrad	0:cdf462088d13	4523	}
markrad	0:cdf462088d13	4524
markrad	0:cdf462088d13	4525	int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4526	{
markrad	0:cdf462088d13	4527	int ret;
markrad	0:cdf462088d13	4528
markrad	0:cdf462088d13	4529	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
markrad	0:cdf462088d13	4530
markrad	0:cdf462088d13	4531	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	4532	{
markrad	0:cdf462088d13	4533	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
markrad	0:cdf462088d13	4534	return( ret );
markrad	0:cdf462088d13	4535	}
markrad	0:cdf462088d13	4536
markrad	0:cdf462088d13	4537	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
markrad	0:cdf462088d13	4538	{
markrad	0:cdf462088d13	4539	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
markrad	0:cdf462088d13	4540	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
markrad	0:cdf462088d13	4541	}
markrad	0:cdf462088d13	4542
markrad	0:cdf462088d13	4543	if( ssl->in_msglen != 1 \|\| ssl->in_msg[0] != 1 )
markrad	0:cdf462088d13	4544	{
markrad	0:cdf462088d13	4545	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
markrad	0:cdf462088d13	4546	return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
markrad	0:cdf462088d13	4547	}
markrad	0:cdf462088d13	4548
markrad	0:cdf462088d13	4549	/*
markrad	0:cdf462088d13	4550	* Switch to our negotiated transform and session parameters for inbound
markrad	0:cdf462088d13	4551	* data.
markrad	0:cdf462088d13	4552	*/
markrad	0:cdf462088d13	4553	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
markrad	0:cdf462088d13	4554	ssl->transform_in = ssl->transform_negotiate;
markrad	0:cdf462088d13	4555	ssl->session_in = ssl->session_negotiate;
markrad	0:cdf462088d13	4556
markrad	0:cdf462088d13	4557	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	4558	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	4559	{
markrad	0:cdf462088d13	4560	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	4561	ssl_dtls_replay_reset( ssl );
markrad	0:cdf462088d13	4562	#endif
markrad	0:cdf462088d13	4563
markrad	0:cdf462088d13	4564	/* Increment epoch */
markrad	0:cdf462088d13	4565	if( ++ssl->in_epoch == 0 )
markrad	0:cdf462088d13	4566	{
markrad	0:cdf462088d13	4567	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
markrad	0:cdf462088d13	4568	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
markrad	0:cdf462088d13	4569	}
markrad	0:cdf462088d13	4570	}
markrad	0:cdf462088d13	4571	else
markrad	0:cdf462088d13	4572	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	4573	memset( ssl->in_ctr, 0, 8 );
markrad	0:cdf462088d13	4574
markrad	0:cdf462088d13	4575	/*
markrad	0:cdf462088d13	4576	* Set the in_msg pointer to the correct location based on IV length
markrad	0:cdf462088d13	4577	*/
markrad	0:cdf462088d13	4578	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	4579	{
markrad	0:cdf462088d13	4580	ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
markrad	0:cdf462088d13	4581	ssl->transform_negotiate->fixed_ivlen;
markrad	0:cdf462088d13	4582	}
markrad	0:cdf462088d13	4583	else
markrad	0:cdf462088d13	4584	ssl->in_msg = ssl->in_iv;
markrad	0:cdf462088d13	4585
markrad	0:cdf462088d13	4586	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	4587	if( mbedtls_ssl_hw_record_activate != NULL )
markrad	0:cdf462088d13	4588	{
markrad	0:cdf462088d13	4589	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
markrad	0:cdf462088d13	4590	{
markrad	0:cdf462088d13	4591	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
markrad	0:cdf462088d13	4592	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
markrad	0:cdf462088d13	4593	}
markrad	0:cdf462088d13	4594	}
markrad	0:cdf462088d13	4595	#endif
markrad	0:cdf462088d13	4596
markrad	0:cdf462088d13	4597	ssl->state++;
markrad	0:cdf462088d13	4598
markrad	0:cdf462088d13	4599	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
markrad	0:cdf462088d13	4600
markrad	0:cdf462088d13	4601	return( 0 );
markrad	0:cdf462088d13	4602	}
markrad	0:cdf462088d13	4603
markrad	0:cdf462088d13	4604	void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	4605	const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
markrad	0:cdf462088d13	4606	{
markrad	0:cdf462088d13	4607	((void) ciphersuite_info);
markrad	0:cdf462088d13	4608
markrad	0:cdf462088d13	4609	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	4610	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	4611	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	4612	ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
markrad	0:cdf462088d13	4613	else
markrad	0:cdf462088d13	4614	#endif
markrad	0:cdf462088d13	4615	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	4616	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	4617	if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
markrad	0:cdf462088d13	4618	ssl->handshake->update_checksum = ssl_update_checksum_sha384;
markrad	0:cdf462088d13	4619	else
markrad	0:cdf462088d13	4620	#endif
markrad	0:cdf462088d13	4621	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	4622	if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
markrad	0:cdf462088d13	4623	ssl->handshake->update_checksum = ssl_update_checksum_sha256;
markrad	0:cdf462088d13	4624	else
markrad	0:cdf462088d13	4625	#endif
markrad	0:cdf462088d13	4626	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	4627	{
markrad	0:cdf462088d13	4628	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	4629	return;
markrad	0:cdf462088d13	4630	}
markrad	0:cdf462088d13	4631	}
markrad	0:cdf462088d13	4632
markrad	0:cdf462088d13	4633	void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4634	{
markrad	0:cdf462088d13	4635	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	4636	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	4637	mbedtls_md5_starts( &ssl->handshake->fin_md5 );
markrad	0:cdf462088d13	4638	mbedtls_sha1_starts( &ssl->handshake->fin_sha1 );
markrad	0:cdf462088d13	4639	#endif
markrad	0:cdf462088d13	4640	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	4641	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	4642	mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
markrad	0:cdf462088d13	4643	#endif
markrad	0:cdf462088d13	4644	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	4645	mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
markrad	0:cdf462088d13	4646	#endif
markrad	0:cdf462088d13	4647	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	4648	}
markrad	0:cdf462088d13	4649
markrad	0:cdf462088d13	4650	static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	4651	const unsigned char *buf, size_t len )
markrad	0:cdf462088d13	4652	{
markrad	0:cdf462088d13	4653	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	4654	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	4655	mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len );
markrad	0:cdf462088d13	4656	mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len );
markrad	0:cdf462088d13	4657	#endif
markrad	0:cdf462088d13	4658	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	4659	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	4660	mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
markrad	0:cdf462088d13	4661	#endif
markrad	0:cdf462088d13	4662	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	4663	mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
markrad	0:cdf462088d13	4664	#endif
markrad	0:cdf462088d13	4665	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	4666	}
markrad	0:cdf462088d13	4667
markrad	0:cdf462088d13	4668	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	4669	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	4670	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	4671	const unsigned char *buf, size_t len )
markrad	0:cdf462088d13	4672	{
markrad	0:cdf462088d13	4673	mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len );
markrad	0:cdf462088d13	4674	mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len );
markrad	0:cdf462088d13	4675	}
markrad	0:cdf462088d13	4676	#endif
markrad	0:cdf462088d13	4677
markrad	0:cdf462088d13	4678	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	4679	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	4680	static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	4681	const unsigned char *buf, size_t len )
markrad	0:cdf462088d13	4682	{
markrad	0:cdf462088d13	4683	mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
markrad	0:cdf462088d13	4684	}
markrad	0:cdf462088d13	4685	#endif
markrad	0:cdf462088d13	4686
markrad	0:cdf462088d13	4687	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	4688	static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	4689	const unsigned char *buf, size_t len )
markrad	0:cdf462088d13	4690	{
markrad	0:cdf462088d13	4691	mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
markrad	0:cdf462088d13	4692	}
markrad	0:cdf462088d13	4693	#endif
markrad	0:cdf462088d13	4694	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	4695
markrad	0:cdf462088d13	4696	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	4697	static void ssl_calc_finished_ssl(
markrad	0:cdf462088d13	4698	mbedtls_ssl_context ssl, unsigned char buf, int from )
markrad	0:cdf462088d13	4699	{
markrad	0:cdf462088d13	4700	const char *sender;
markrad	0:cdf462088d13	4701	mbedtls_md5_context md5;
markrad	0:cdf462088d13	4702	mbedtls_sha1_context sha1;
markrad	0:cdf462088d13	4703
markrad	0:cdf462088d13	4704	unsigned char padbuf[48];
markrad	0:cdf462088d13	4705	unsigned char md5sum[16];
markrad	0:cdf462088d13	4706	unsigned char sha1sum[20];
markrad	0:cdf462088d13	4707
markrad	0:cdf462088d13	4708	mbedtls_ssl_session *session = ssl->session_negotiate;
markrad	0:cdf462088d13	4709	if( !session )
markrad	0:cdf462088d13	4710	session = ssl->session;
markrad	0:cdf462088d13	4711
markrad	0:cdf462088d13	4712	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
markrad	0:cdf462088d13	4713
markrad	0:cdf462088d13	4714	mbedtls_md5_init( &md5 );
markrad	0:cdf462088d13	4715	mbedtls_sha1_init( &sha1 );
markrad	0:cdf462088d13	4716
markrad	0:cdf462088d13	4717	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
markrad	0:cdf462088d13	4718	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
markrad	0:cdf462088d13	4719
markrad	0:cdf462088d13	4720	/*
markrad	0:cdf462088d13	4721	* SSLv3:
markrad	0:cdf462088d13	4722	* hash =
markrad	0:cdf462088d13	4723	* MD5( master + pad2 +
markrad	0:cdf462088d13	4724	* MD5( handshake + sender + master + pad1 ) )
markrad	0:cdf462088d13	4725	* + SHA1( master + pad2 +
markrad	0:cdf462088d13	4726	* SHA1( handshake + sender + master + pad1 ) )
markrad	0:cdf462088d13	4727	*/
markrad	0:cdf462088d13	4728
markrad	0:cdf462088d13	4729	#if !defined(MBEDTLS_MD5_ALT)
markrad	0:cdf462088d13	4730	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
markrad	0:cdf462088d13	4731	md5.state, sizeof( md5.state ) );
markrad	0:cdf462088d13	4732	#endif
markrad	0:cdf462088d13	4733
markrad	0:cdf462088d13	4734	#if !defined(MBEDTLS_SHA1_ALT)
markrad	0:cdf462088d13	4735	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
markrad	0:cdf462088d13	4736	sha1.state, sizeof( sha1.state ) );
markrad	0:cdf462088d13	4737	#endif
markrad	0:cdf462088d13	4738
markrad	0:cdf462088d13	4739	sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
markrad	0:cdf462088d13	4740	: "SRVR";
markrad	0:cdf462088d13	4741
markrad	0:cdf462088d13	4742	memset( padbuf, 0x36, 48 );
markrad	0:cdf462088d13	4743
markrad	0:cdf462088d13	4744	mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 );
markrad	0:cdf462088d13	4745	mbedtls_md5_update( &md5, session->master, 48 );
markrad	0:cdf462088d13	4746	mbedtls_md5_update( &md5, padbuf, 48 );
markrad	0:cdf462088d13	4747	mbedtls_md5_finish( &md5, md5sum );
markrad	0:cdf462088d13	4748
markrad	0:cdf462088d13	4749	mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 );
markrad	0:cdf462088d13	4750	mbedtls_sha1_update( &sha1, session->master, 48 );
markrad	0:cdf462088d13	4751	mbedtls_sha1_update( &sha1, padbuf, 40 );
markrad	0:cdf462088d13	4752	mbedtls_sha1_finish( &sha1, sha1sum );
markrad	0:cdf462088d13	4753
markrad	0:cdf462088d13	4754	memset( padbuf, 0x5C, 48 );
markrad	0:cdf462088d13	4755
markrad	0:cdf462088d13	4756	mbedtls_md5_starts( &md5 );
markrad	0:cdf462088d13	4757	mbedtls_md5_update( &md5, session->master, 48 );
markrad	0:cdf462088d13	4758	mbedtls_md5_update( &md5, padbuf, 48 );
markrad	0:cdf462088d13	4759	mbedtls_md5_update( &md5, md5sum, 16 );
markrad	0:cdf462088d13	4760	mbedtls_md5_finish( &md5, buf );
markrad	0:cdf462088d13	4761
markrad	0:cdf462088d13	4762	mbedtls_sha1_starts( &sha1 );
markrad	0:cdf462088d13	4763	mbedtls_sha1_update( &sha1, session->master, 48 );
markrad	0:cdf462088d13	4764	mbedtls_sha1_update( &sha1, padbuf , 40 );
markrad	0:cdf462088d13	4765	mbedtls_sha1_update( &sha1, sha1sum, 20 );
markrad	0:cdf462088d13	4766	mbedtls_sha1_finish( &sha1, buf + 16 );
markrad	0:cdf462088d13	4767
markrad	0:cdf462088d13	4768	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
markrad	0:cdf462088d13	4769
markrad	0:cdf462088d13	4770	mbedtls_md5_free( &md5 );
markrad	0:cdf462088d13	4771	mbedtls_sha1_free( &sha1 );
markrad	0:cdf462088d13	4772
markrad	0:cdf462088d13	4773	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
markrad	0:cdf462088d13	4774	mbedtls_zeroize( md5sum, sizeof( md5sum ) );
markrad	0:cdf462088d13	4775	mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
markrad	0:cdf462088d13	4776
markrad	0:cdf462088d13	4777	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
markrad	0:cdf462088d13	4778	}
markrad	0:cdf462088d13	4779	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	4780
markrad	0:cdf462088d13	4781	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	4782	static void ssl_calc_finished_tls(
markrad	0:cdf462088d13	4783	mbedtls_ssl_context ssl, unsigned char buf, int from )
markrad	0:cdf462088d13	4784	{
markrad	0:cdf462088d13	4785	int len = 12;
markrad	0:cdf462088d13	4786	const char *sender;
markrad	0:cdf462088d13	4787	mbedtls_md5_context md5;
markrad	0:cdf462088d13	4788	mbedtls_sha1_context sha1;
markrad	0:cdf462088d13	4789	unsigned char padbuf[36];
markrad	0:cdf462088d13	4790
markrad	0:cdf462088d13	4791	mbedtls_ssl_session *session = ssl->session_negotiate;
markrad	0:cdf462088d13	4792	if( !session )
markrad	0:cdf462088d13	4793	session = ssl->session;
markrad	0:cdf462088d13	4794
markrad	0:cdf462088d13	4795	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
markrad	0:cdf462088d13	4796
markrad	0:cdf462088d13	4797	mbedtls_md5_init( &md5 );
markrad	0:cdf462088d13	4798	mbedtls_sha1_init( &sha1 );
markrad	0:cdf462088d13	4799
markrad	0:cdf462088d13	4800	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
markrad	0:cdf462088d13	4801	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
markrad	0:cdf462088d13	4802
markrad	0:cdf462088d13	4803	/*
markrad	0:cdf462088d13	4804	* TLSv1:
markrad	0:cdf462088d13	4805	* hash = PRF( master, finished_label,
markrad	0:cdf462088d13	4806	* MD5( handshake ) + SHA1( handshake ) )[0..11]
markrad	0:cdf462088d13	4807	*/
markrad	0:cdf462088d13	4808
markrad	0:cdf462088d13	4809	#if !defined(MBEDTLS_MD5_ALT)
markrad	0:cdf462088d13	4810	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
markrad	0:cdf462088d13	4811	md5.state, sizeof( md5.state ) );
markrad	0:cdf462088d13	4812	#endif
markrad	0:cdf462088d13	4813
markrad	0:cdf462088d13	4814	#if !defined(MBEDTLS_SHA1_ALT)
markrad	0:cdf462088d13	4815	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
markrad	0:cdf462088d13	4816	sha1.state, sizeof( sha1.state ) );
markrad	0:cdf462088d13	4817	#endif
markrad	0:cdf462088d13	4818
markrad	0:cdf462088d13	4819	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	4820	? "client finished"
markrad	0:cdf462088d13	4821	: "server finished";
markrad	0:cdf462088d13	4822
markrad	0:cdf462088d13	4823	mbedtls_md5_finish( &md5, padbuf );
markrad	0:cdf462088d13	4824	mbedtls_sha1_finish( &sha1, padbuf + 16 );
markrad	0:cdf462088d13	4825
markrad	0:cdf462088d13	4826	ssl->handshake->tls_prf( session->master, 48, sender,
markrad	0:cdf462088d13	4827	padbuf, 36, buf, len );
markrad	0:cdf462088d13	4828
markrad	0:cdf462088d13	4829	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
markrad	0:cdf462088d13	4830
markrad	0:cdf462088d13	4831	mbedtls_md5_free( &md5 );
markrad	0:cdf462088d13	4832	mbedtls_sha1_free( &sha1 );
markrad	0:cdf462088d13	4833
markrad	0:cdf462088d13	4834	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
markrad	0:cdf462088d13	4835
markrad	0:cdf462088d13	4836	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
markrad	0:cdf462088d13	4837	}
markrad	0:cdf462088d13	4838	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
markrad	0:cdf462088d13	4839
markrad	0:cdf462088d13	4840	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	4841	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	4842	static void ssl_calc_finished_tls_sha256(
markrad	0:cdf462088d13	4843	mbedtls_ssl_context ssl, unsigned char buf, int from )
markrad	0:cdf462088d13	4844	{
markrad	0:cdf462088d13	4845	int len = 12;
markrad	0:cdf462088d13	4846	const char *sender;
markrad	0:cdf462088d13	4847	mbedtls_sha256_context sha256;
markrad	0:cdf462088d13	4848	unsigned char padbuf[32];
markrad	0:cdf462088d13	4849
markrad	0:cdf462088d13	4850	mbedtls_ssl_session *session = ssl->session_negotiate;
markrad	0:cdf462088d13	4851	if( !session )
markrad	0:cdf462088d13	4852	session = ssl->session;
markrad	0:cdf462088d13	4853
markrad	0:cdf462088d13	4854	mbedtls_sha256_init( &sha256 );
markrad	0:cdf462088d13	4855
markrad	0:cdf462088d13	4856	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
markrad	0:cdf462088d13	4857
markrad	0:cdf462088d13	4858	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
markrad	0:cdf462088d13	4859
markrad	0:cdf462088d13	4860	/*
markrad	0:cdf462088d13	4861	* TLSv1.2:
markrad	0:cdf462088d13	4862	* hash = PRF( master, finished_label,
markrad	0:cdf462088d13	4863	* Hash( handshake ) )[0.11]
markrad	0:cdf462088d13	4864	*/
markrad	0:cdf462088d13	4865
markrad	0:cdf462088d13	4866	#if !defined(MBEDTLS_SHA256_ALT)
markrad	0:cdf462088d13	4867	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
markrad	0:cdf462088d13	4868	sha256.state, sizeof( sha256.state ) );
markrad	0:cdf462088d13	4869	#endif
markrad	0:cdf462088d13	4870
markrad	0:cdf462088d13	4871	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	4872	? "client finished"
markrad	0:cdf462088d13	4873	: "server finished";
markrad	0:cdf462088d13	4874
markrad	0:cdf462088d13	4875	mbedtls_sha256_finish( &sha256, padbuf );
markrad	0:cdf462088d13	4876
markrad	0:cdf462088d13	4877	ssl->handshake->tls_prf( session->master, 48, sender,
markrad	0:cdf462088d13	4878	padbuf, 32, buf, len );
markrad	0:cdf462088d13	4879
markrad	0:cdf462088d13	4880	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
markrad	0:cdf462088d13	4881
markrad	0:cdf462088d13	4882	mbedtls_sha256_free( &sha256 );
markrad	0:cdf462088d13	4883
markrad	0:cdf462088d13	4884	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
markrad	0:cdf462088d13	4885
markrad	0:cdf462088d13	4886	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
markrad	0:cdf462088d13	4887	}
markrad	0:cdf462088d13	4888	#endif /* MBEDTLS_SHA256_C */
markrad	0:cdf462088d13	4889
markrad	0:cdf462088d13	4890	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	4891	static void ssl_calc_finished_tls_sha384(
markrad	0:cdf462088d13	4892	mbedtls_ssl_context ssl, unsigned char buf, int from )
markrad	0:cdf462088d13	4893	{
markrad	0:cdf462088d13	4894	int len = 12;
markrad	0:cdf462088d13	4895	const char *sender;
markrad	0:cdf462088d13	4896	mbedtls_sha512_context sha512;
markrad	0:cdf462088d13	4897	unsigned char padbuf[48];
markrad	0:cdf462088d13	4898
markrad	0:cdf462088d13	4899	mbedtls_ssl_session *session = ssl->session_negotiate;
markrad	0:cdf462088d13	4900	if( !session )
markrad	0:cdf462088d13	4901	session = ssl->session;
markrad	0:cdf462088d13	4902
markrad	0:cdf462088d13	4903	mbedtls_sha512_init( &sha512 );
markrad	0:cdf462088d13	4904
markrad	0:cdf462088d13	4905	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
markrad	0:cdf462088d13	4906
markrad	0:cdf462088d13	4907	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
markrad	0:cdf462088d13	4908
markrad	0:cdf462088d13	4909	/*
markrad	0:cdf462088d13	4910	* TLSv1.2:
markrad	0:cdf462088d13	4911	* hash = PRF( master, finished_label,
markrad	0:cdf462088d13	4912	* Hash( handshake ) )[0.11]
markrad	0:cdf462088d13	4913	*/
markrad	0:cdf462088d13	4914
markrad	0:cdf462088d13	4915	#if !defined(MBEDTLS_SHA512_ALT)
markrad	0:cdf462088d13	4916	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
markrad	0:cdf462088d13	4917	sha512.state, sizeof( sha512.state ) );
markrad	0:cdf462088d13	4918	#endif
markrad	0:cdf462088d13	4919
markrad	0:cdf462088d13	4920	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	4921	? "client finished"
markrad	0:cdf462088d13	4922	: "server finished";
markrad	0:cdf462088d13	4923
markrad	0:cdf462088d13	4924	mbedtls_sha512_finish( &sha512, padbuf );
markrad	0:cdf462088d13	4925
markrad	0:cdf462088d13	4926	ssl->handshake->tls_prf( session->master, 48, sender,
markrad	0:cdf462088d13	4927	padbuf, 48, buf, len );
markrad	0:cdf462088d13	4928
markrad	0:cdf462088d13	4929	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
markrad	0:cdf462088d13	4930
markrad	0:cdf462088d13	4931	mbedtls_sha512_free( &sha512 );
markrad	0:cdf462088d13	4932
markrad	0:cdf462088d13	4933	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
markrad	0:cdf462088d13	4934
markrad	0:cdf462088d13	4935	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
markrad	0:cdf462088d13	4936	}
markrad	0:cdf462088d13	4937	#endif /* MBEDTLS_SHA512_C */
markrad	0:cdf462088d13	4938	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	4939
markrad	0:cdf462088d13	4940	static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4941	{
markrad	0:cdf462088d13	4942	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
markrad	0:cdf462088d13	4943
markrad	0:cdf462088d13	4944	/*
markrad	0:cdf462088d13	4945	* Free our handshake params
markrad	0:cdf462088d13	4946	*/
markrad	0:cdf462088d13	4947	mbedtls_ssl_handshake_free( ssl->handshake );
markrad	0:cdf462088d13	4948	mbedtls_free( ssl->handshake );
markrad	0:cdf462088d13	4949	ssl->handshake = NULL;
markrad	0:cdf462088d13	4950
markrad	0:cdf462088d13	4951	/*
markrad	0:cdf462088d13	4952	* Free the previous transform and swith in the current one
markrad	0:cdf462088d13	4953	*/
markrad	0:cdf462088d13	4954	if( ssl->transform )
markrad	0:cdf462088d13	4955	{
markrad	0:cdf462088d13	4956	mbedtls_ssl_transform_free( ssl->transform );
markrad	0:cdf462088d13	4957	mbedtls_free( ssl->transform );
markrad	0:cdf462088d13	4958	}
markrad	0:cdf462088d13	4959	ssl->transform = ssl->transform_negotiate;
markrad	0:cdf462088d13	4960	ssl->transform_negotiate = NULL;
markrad	0:cdf462088d13	4961
markrad	0:cdf462088d13	4962	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
markrad	0:cdf462088d13	4963	}
markrad	0:cdf462088d13	4964
markrad	0:cdf462088d13	4965	void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	4966	{
markrad	0:cdf462088d13	4967	int resume = ssl->handshake->resume;
markrad	0:cdf462088d13	4968
markrad	0:cdf462088d13	4969	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
markrad	0:cdf462088d13	4970
markrad	0:cdf462088d13	4971	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	4972	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad	0:cdf462088d13	4973	{
markrad	0:cdf462088d13	4974	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
markrad	0:cdf462088d13	4975	ssl->renego_records_seen = 0;
markrad	0:cdf462088d13	4976	}
markrad	0:cdf462088d13	4977	#endif
markrad	0:cdf462088d13	4978
markrad	0:cdf462088d13	4979	/*
markrad	0:cdf462088d13	4980	* Free the previous session and switch in the current one
markrad	0:cdf462088d13	4981	*/
markrad	0:cdf462088d13	4982	if( ssl->session )
markrad	0:cdf462088d13	4983	{
markrad	0:cdf462088d13	4984	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	4985	/* RFC 7366 3.1: keep the EtM state */
markrad	0:cdf462088d13	4986	ssl->session_negotiate->encrypt_then_mac =
markrad	0:cdf462088d13	4987	ssl->session->encrypt_then_mac;
markrad	0:cdf462088d13	4988	#endif
markrad	0:cdf462088d13	4989
markrad	0:cdf462088d13	4990	mbedtls_ssl_session_free( ssl->session );
markrad	0:cdf462088d13	4991	mbedtls_free( ssl->session );
markrad	0:cdf462088d13	4992	}
markrad	0:cdf462088d13	4993	ssl->session = ssl->session_negotiate;
markrad	0:cdf462088d13	4994	ssl->session_negotiate = NULL;
markrad	0:cdf462088d13	4995
markrad	0:cdf462088d13	4996	/*
markrad	0:cdf462088d13	4997	* Add cache entry
markrad	0:cdf462088d13	4998	*/
markrad	0:cdf462088d13	4999	if( ssl->conf->f_set_cache != NULL &&
markrad	0:cdf462088d13	5000	ssl->session->id_len != 0 &&
markrad	0:cdf462088d13	5001	resume == 0 )
markrad	0:cdf462088d13	5002	{
markrad	0:cdf462088d13	5003	if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
markrad	0:cdf462088d13	5004	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
markrad	0:cdf462088d13	5005	}
markrad	0:cdf462088d13	5006
markrad	0:cdf462088d13	5007	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	5008	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	5009	ssl->handshake->flight != NULL )
markrad	0:cdf462088d13	5010	{
markrad	0:cdf462088d13	5011	/* Cancel handshake timer */
markrad	0:cdf462088d13	5012	ssl_set_timer( ssl, 0 );
markrad	0:cdf462088d13	5013
markrad	0:cdf462088d13	5014	/* Keep last flight around in case we need to resend it:
markrad	0:cdf462088d13	5015	* we need the handshake and transform structures for that */
markrad	0:cdf462088d13	5016	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
markrad	0:cdf462088d13	5017	}
markrad	0:cdf462088d13	5018	else
markrad	0:cdf462088d13	5019	#endif
markrad	0:cdf462088d13	5020	ssl_handshake_wrapup_free_hs_transform( ssl );
markrad	0:cdf462088d13	5021
markrad	0:cdf462088d13	5022	ssl->state++;
markrad	0:cdf462088d13	5023
markrad	0:cdf462088d13	5024	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
markrad	0:cdf462088d13	5025	}
markrad	0:cdf462088d13	5026
markrad	0:cdf462088d13	5027	int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	5028	{
markrad	0:cdf462088d13	5029	int ret, hash_len;
markrad	0:cdf462088d13	5030
markrad	0:cdf462088d13	5031	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
markrad	0:cdf462088d13	5032
markrad	0:cdf462088d13	5033	/*
markrad	0:cdf462088d13	5034	* Set the out_msg pointer to the correct location based on IV length
markrad	0:cdf462088d13	5035	*/
markrad	0:cdf462088d13	5036	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	5037	{
markrad	0:cdf462088d13	5038	ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
markrad	0:cdf462088d13	5039	ssl->transform_negotiate->fixed_ivlen;
markrad	0:cdf462088d13	5040	}
markrad	0:cdf462088d13	5041	else
markrad	0:cdf462088d13	5042	ssl->out_msg = ssl->out_iv;
markrad	0:cdf462088d13	5043
markrad	0:cdf462088d13	5044	ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
markrad	0:cdf462088d13	5045
markrad	0:cdf462088d13	5046	/*
markrad	0:cdf462088d13	5047	* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
markrad	0:cdf462088d13	5048	* may define some other value. Currently (early 2016), no defined
markrad	0:cdf462088d13	5049	* ciphersuite does this (and this is unlikely to change as activity has
markrad	0:cdf462088d13	5050	* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
markrad	0:cdf462088d13	5051	*/
markrad	0:cdf462088d13	5052	hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
markrad	0:cdf462088d13	5053
markrad	0:cdf462088d13	5054	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	5055	ssl->verify_data_len = hash_len;
markrad	0:cdf462088d13	5056	memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
markrad	0:cdf462088d13	5057	#endif
markrad	0:cdf462088d13	5058
markrad	0:cdf462088d13	5059	ssl->out_msglen = 4 + hash_len;
markrad	0:cdf462088d13	5060	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	5061	ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
markrad	0:cdf462088d13	5062
markrad	0:cdf462088d13	5063	/*
markrad	0:cdf462088d13	5064	* In case of session resuming, invert the client and server
markrad	0:cdf462088d13	5065	* ChangeCipherSpec messages order.
markrad	0:cdf462088d13	5066	*/
markrad	0:cdf462088d13	5067	if( ssl->handshake->resume != 0 )
markrad	0:cdf462088d13	5068	{
markrad	0:cdf462088d13	5069	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	5070	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	5071	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
markrad	0:cdf462088d13	5072	#endif
markrad	0:cdf462088d13	5073	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	5074	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	5075	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
markrad	0:cdf462088d13	5076	#endif
markrad	0:cdf462088d13	5077	}
markrad	0:cdf462088d13	5078	else
markrad	0:cdf462088d13	5079	ssl->state++;
markrad	0:cdf462088d13	5080
markrad	0:cdf462088d13	5081	/*
markrad	0:cdf462088d13	5082	* Switch to our negotiated transform and session parameters for outbound
markrad	0:cdf462088d13	5083	* data.
markrad	0:cdf462088d13	5084	*/
markrad	0:cdf462088d13	5085	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
markrad	0:cdf462088d13	5086
markrad	0:cdf462088d13	5087	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	5088	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	5089	{
markrad	0:cdf462088d13	5090	unsigned char i;
markrad	0:cdf462088d13	5091
markrad	0:cdf462088d13	5092	/* Remember current epoch settings for resending */
markrad	0:cdf462088d13	5093	ssl->handshake->alt_transform_out = ssl->transform_out;
markrad	0:cdf462088d13	5094	memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 );
markrad	0:cdf462088d13	5095
markrad	0:cdf462088d13	5096	/* Set sequence_number to zero */
markrad	0:cdf462088d13	5097	memset( ssl->out_ctr + 2, 0, 6 );
markrad	0:cdf462088d13	5098
markrad	0:cdf462088d13	5099	/* Increment epoch */
markrad	0:cdf462088d13	5100	for( i = 2; i > 0; i-- )
markrad	0:cdf462088d13	5101	if( ++ssl->out_ctr[i - 1] != 0 )
markrad	0:cdf462088d13	5102	break;
markrad	0:cdf462088d13	5103
markrad	0:cdf462088d13	5104	/* The loop goes to its end iff the counter is wrapping */
markrad	0:cdf462088d13	5105	if( i == 0 )
markrad	0:cdf462088d13	5106	{
markrad	0:cdf462088d13	5107	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
markrad	0:cdf462088d13	5108	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
markrad	0:cdf462088d13	5109	}
markrad	0:cdf462088d13	5110	}
markrad	0:cdf462088d13	5111	else
markrad	0:cdf462088d13	5112	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	5113	memset( ssl->out_ctr, 0, 8 );
markrad	0:cdf462088d13	5114
markrad	0:cdf462088d13	5115	ssl->transform_out = ssl->transform_negotiate;
markrad	0:cdf462088d13	5116	ssl->session_out = ssl->session_negotiate;
markrad	0:cdf462088d13	5117
markrad	0:cdf462088d13	5118	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	5119	if( mbedtls_ssl_hw_record_activate != NULL )
markrad	0:cdf462088d13	5120	{
markrad	0:cdf462088d13	5121	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
markrad	0:cdf462088d13	5122	{
markrad	0:cdf462088d13	5123	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
markrad	0:cdf462088d13	5124	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
markrad	0:cdf462088d13	5125	}
markrad	0:cdf462088d13	5126	}
markrad	0:cdf462088d13	5127	#endif
markrad	0:cdf462088d13	5128
markrad	0:cdf462088d13	5129	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	5130	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	5131	mbedtls_ssl_send_flight_completed( ssl );
markrad	0:cdf462088d13	5132	#endif
markrad	0:cdf462088d13	5133
markrad	0:cdf462088d13	5134	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	5135	{
markrad	0:cdf462088d13	5136	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	5137	return( ret );
markrad	0:cdf462088d13	5138	}
markrad	0:cdf462088d13	5139
markrad	0:cdf462088d13	5140	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
markrad	0:cdf462088d13	5141
markrad	0:cdf462088d13	5142	return( 0 );
markrad	0:cdf462088d13	5143	}
markrad	0:cdf462088d13	5144
markrad	0:cdf462088d13	5145	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	5146	#define SSL_MAX_HASH_LEN 36
markrad	0:cdf462088d13	5147	#else
markrad	0:cdf462088d13	5148	#define SSL_MAX_HASH_LEN 12
markrad	0:cdf462088d13	5149	#endif
markrad	0:cdf462088d13	5150
markrad	0:cdf462088d13	5151	int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	5152	{
markrad	0:cdf462088d13	5153	int ret;
markrad	0:cdf462088d13	5154	unsigned int hash_len;
markrad	0:cdf462088d13	5155	unsigned char buf[SSL_MAX_HASH_LEN];
markrad	0:cdf462088d13	5156
markrad	0:cdf462088d13	5157	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
markrad	0:cdf462088d13	5158
markrad	0:cdf462088d13	5159	ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
markrad	0:cdf462088d13	5160
markrad	0:cdf462088d13	5161	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	5162	{
markrad	0:cdf462088d13	5163	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
markrad	0:cdf462088d13	5164	return( ret );
markrad	0:cdf462088d13	5165	}
markrad	0:cdf462088d13	5166
markrad	0:cdf462088d13	5167	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
markrad	0:cdf462088d13	5168	{
markrad	0:cdf462088d13	5169	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
markrad	0:cdf462088d13	5170	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
markrad	0:cdf462088d13	5171	}
markrad	0:cdf462088d13	5172
markrad	0:cdf462088d13	5173	/* There is currently no ciphersuite using another length with TLS 1.2 */
markrad	0:cdf462088d13	5174	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	5175	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	5176	hash_len = 36;
markrad	0:cdf462088d13	5177	else
markrad	0:cdf462088d13	5178	#endif
markrad	0:cdf462088d13	5179	hash_len = 12;
markrad	0:cdf462088d13	5180
markrad	0:cdf462088d13	5181	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED \|\|
markrad	0:cdf462088d13	5182	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
markrad	0:cdf462088d13	5183	{
markrad	0:cdf462088d13	5184	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
markrad	0:cdf462088d13	5185	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
markrad	0:cdf462088d13	5186	}
markrad	0:cdf462088d13	5187
markrad	0:cdf462088d13	5188	if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
markrad	0:cdf462088d13	5189	buf, hash_len ) != 0 )
markrad	0:cdf462088d13	5190	{
markrad	0:cdf462088d13	5191	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
markrad	0:cdf462088d13	5192	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
markrad	0:cdf462088d13	5193	}
markrad	0:cdf462088d13	5194
markrad	0:cdf462088d13	5195	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	5196	ssl->verify_data_len = hash_len;
markrad	0:cdf462088d13	5197	memcpy( ssl->peer_verify_data, buf, hash_len );
markrad	0:cdf462088d13	5198	#endif
markrad	0:cdf462088d13	5199
markrad	0:cdf462088d13	5200	if( ssl->handshake->resume != 0 )
markrad	0:cdf462088d13	5201	{
markrad	0:cdf462088d13	5202	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	5203	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	5204	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
markrad	0:cdf462088d13	5205	#endif
markrad	0:cdf462088d13	5206	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	5207	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	5208	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
markrad	0:cdf462088d13	5209	#endif
markrad	0:cdf462088d13	5210	}
markrad	0:cdf462088d13	5211	else
markrad	0:cdf462088d13	5212	ssl->state++;
markrad	0:cdf462088d13	5213
markrad	0:cdf462088d13	5214	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	5215	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	5216	mbedtls_ssl_recv_flight_completed( ssl );
markrad	0:cdf462088d13	5217	#endif
markrad	0:cdf462088d13	5218
markrad	0:cdf462088d13	5219	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
markrad	0:cdf462088d13	5220
markrad	0:cdf462088d13	5221	return( 0 );
markrad	0:cdf462088d13	5222	}
markrad	0:cdf462088d13	5223
markrad	0:cdf462088d13	5224	static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
markrad	0:cdf462088d13	5225	{
markrad	0:cdf462088d13	5226	memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
markrad	0:cdf462088d13	5227
markrad	0:cdf462088d13	5228	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	5229	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	5230	mbedtls_md5_init( &handshake->fin_md5 );
markrad	0:cdf462088d13	5231	mbedtls_sha1_init( &handshake->fin_sha1 );
markrad	0:cdf462088d13	5232	mbedtls_md5_starts( &handshake->fin_md5 );
markrad	0:cdf462088d13	5233	mbedtls_sha1_starts( &handshake->fin_sha1 );
markrad	0:cdf462088d13	5234	#endif
markrad	0:cdf462088d13	5235	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	5236	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	5237	mbedtls_sha256_init( &handshake->fin_sha256 );
markrad	0:cdf462088d13	5238	mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
markrad	0:cdf462088d13	5239	#endif
markrad	0:cdf462088d13	5240	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	5241	mbedtls_sha512_init( &handshake->fin_sha512 );
markrad	0:cdf462088d13	5242	mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
markrad	0:cdf462088d13	5243	#endif
markrad	0:cdf462088d13	5244	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	5245
markrad	0:cdf462088d13	5246	handshake->update_checksum = ssl_update_checksum_start;
markrad	0:cdf462088d13	5247	handshake->sig_alg = MBEDTLS_SSL_HASH_SHA1;
markrad	0:cdf462088d13	5248
markrad	0:cdf462088d13	5249	#if defined(MBEDTLS_DHM_C)
markrad	0:cdf462088d13	5250	mbedtls_dhm_init( &handshake->dhm_ctx );
markrad	0:cdf462088d13	5251	#endif
markrad	0:cdf462088d13	5252	#if defined(MBEDTLS_ECDH_C)
markrad	0:cdf462088d13	5253	mbedtls_ecdh_init( &handshake->ecdh_ctx );
markrad	0:cdf462088d13	5254	#endif
markrad	0:cdf462088d13	5255	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	5256	mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
markrad	0:cdf462088d13	5257	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	5258	handshake->ecjpake_cache = NULL;
markrad	0:cdf462088d13	5259	handshake->ecjpake_cache_len = 0;
markrad	0:cdf462088d13	5260	#endif
markrad	0:cdf462088d13	5261	#endif
markrad	0:cdf462088d13	5262
markrad	0:cdf462088d13	5263	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	5264	handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
markrad	0:cdf462088d13	5265	#endif
markrad	0:cdf462088d13	5266	}
markrad	0:cdf462088d13	5267
markrad	0:cdf462088d13	5268	static void ssl_transform_init( mbedtls_ssl_transform *transform )
markrad	0:cdf462088d13	5269	{
markrad	0:cdf462088d13	5270	memset( transform, 0, sizeof(mbedtls_ssl_transform) );
markrad	0:cdf462088d13	5271
markrad	0:cdf462088d13	5272	mbedtls_cipher_init( &transform->cipher_ctx_enc );
markrad	0:cdf462088d13	5273	mbedtls_cipher_init( &transform->cipher_ctx_dec );
markrad	0:cdf462088d13	5274
markrad	0:cdf462088d13	5275	mbedtls_md_init( &transform->md_ctx_enc );
markrad	0:cdf462088d13	5276	mbedtls_md_init( &transform->md_ctx_dec );
markrad	0:cdf462088d13	5277	}
markrad	0:cdf462088d13	5278
markrad	0:cdf462088d13	5279	void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
markrad	0:cdf462088d13	5280	{
markrad	0:cdf462088d13	5281	memset( session, 0, sizeof(mbedtls_ssl_session) );
markrad	0:cdf462088d13	5282	}
markrad	0:cdf462088d13	5283
markrad	0:cdf462088d13	5284	static int ssl_handshake_init( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	5285	{
markrad	0:cdf462088d13	5286	/* Clear old handshake information if present */
markrad	0:cdf462088d13	5287	if( ssl->transform_negotiate )
markrad	0:cdf462088d13	5288	mbedtls_ssl_transform_free( ssl->transform_negotiate );
markrad	0:cdf462088d13	5289	if( ssl->session_negotiate )
markrad	0:cdf462088d13	5290	mbedtls_ssl_session_free( ssl->session_negotiate );
markrad	0:cdf462088d13	5291	if( ssl->handshake )
markrad	0:cdf462088d13	5292	mbedtls_ssl_handshake_free( ssl->handshake );
markrad	0:cdf462088d13	5293
markrad	0:cdf462088d13	5294	/*
markrad	0:cdf462088d13	5295	* Either the pointers are now NULL or cleared properly and can be freed.
markrad	0:cdf462088d13	5296	* Now allocate missing structures.
markrad	0:cdf462088d13	5297	*/
markrad	0:cdf462088d13	5298	if( ssl->transform_negotiate == NULL )
markrad	0:cdf462088d13	5299	{
markrad	0:cdf462088d13	5300	ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
markrad	0:cdf462088d13	5301	}
markrad	0:cdf462088d13	5302
markrad	0:cdf462088d13	5303	if( ssl->session_negotiate == NULL )
markrad	0:cdf462088d13	5304	{
markrad	0:cdf462088d13	5305	ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
markrad	0:cdf462088d13	5306	}
markrad	0:cdf462088d13	5307
markrad	0:cdf462088d13	5308	if( ssl->handshake == NULL )
markrad	0:cdf462088d13	5309	{
markrad	0:cdf462088d13	5310	ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
markrad	0:cdf462088d13	5311	}
markrad	0:cdf462088d13	5312
markrad	0:cdf462088d13	5313	/* All pointers should exist and can be directly freed without issue */
markrad	0:cdf462088d13	5314	if( ssl->handshake == NULL \|\|
markrad	0:cdf462088d13	5315	ssl->transform_negotiate == NULL \|\|
markrad	0:cdf462088d13	5316	ssl->session_negotiate == NULL )
markrad	0:cdf462088d13	5317	{
markrad	0:cdf462088d13	5318	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
markrad	0:cdf462088d13	5319
markrad	0:cdf462088d13	5320	mbedtls_free( ssl->handshake );
markrad	0:cdf462088d13	5321	mbedtls_free( ssl->transform_negotiate );
markrad	0:cdf462088d13	5322	mbedtls_free( ssl->session_negotiate );
markrad	0:cdf462088d13	5323
markrad	0:cdf462088d13	5324	ssl->handshake = NULL;
markrad	0:cdf462088d13	5325	ssl->transform_negotiate = NULL;
markrad	0:cdf462088d13	5326	ssl->session_negotiate = NULL;
markrad	0:cdf462088d13	5327
markrad	0:cdf462088d13	5328	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	5329	}
markrad	0:cdf462088d13	5330
markrad	0:cdf462088d13	5331	/* Initialize structures */
markrad	0:cdf462088d13	5332	mbedtls_ssl_session_init( ssl->session_negotiate );
markrad	0:cdf462088d13	5333	ssl_transform_init( ssl->transform_negotiate );
markrad	0:cdf462088d13	5334	ssl_handshake_params_init( ssl->handshake );
markrad	0:cdf462088d13	5335
markrad	0:cdf462088d13	5336	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	5337	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	5338	{
markrad	0:cdf462088d13	5339	ssl->handshake->alt_transform_out = ssl->transform_out;
markrad	0:cdf462088d13	5340
markrad	0:cdf462088d13	5341	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	5342	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
markrad	0:cdf462088d13	5343	else
markrad	0:cdf462088d13	5344	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
markrad	0:cdf462088d13	5345
markrad	0:cdf462088d13	5346	ssl_set_timer( ssl, 0 );
markrad	0:cdf462088d13	5347	}
markrad	0:cdf462088d13	5348	#endif
markrad	0:cdf462088d13	5349
markrad	0:cdf462088d13	5350	return( 0 );
markrad	0:cdf462088d13	5351	}
markrad	0:cdf462088d13	5352
markrad	0:cdf462088d13	5353	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	5354	/* Dummy cookie callbacks for defaults */
markrad	0:cdf462088d13	5355	static int ssl_cookie_write_dummy( void *ctx,
markrad	0:cdf462088d13	5356	unsigned char *p, unsigned char end,
markrad	0:cdf462088d13	5357	const unsigned char *cli_id, size_t cli_id_len )
markrad	0:cdf462088d13	5358	{
markrad	0:cdf462088d13	5359	((void) ctx);
markrad	0:cdf462088d13	5360	((void) p);
markrad	0:cdf462088d13	5361	((void) end);
markrad	0:cdf462088d13	5362	((void) cli_id);
markrad	0:cdf462088d13	5363	((void) cli_id_len);
markrad	0:cdf462088d13	5364
markrad	0:cdf462088d13	5365	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad	0:cdf462088d13	5366	}
markrad	0:cdf462088d13	5367
markrad	0:cdf462088d13	5368	static int ssl_cookie_check_dummy( void *ctx,
markrad	0:cdf462088d13	5369	const unsigned char *cookie, size_t cookie_len,
markrad	0:cdf462088d13	5370	const unsigned char *cli_id, size_t cli_id_len )
markrad	0:cdf462088d13	5371	{
markrad	0:cdf462088d13	5372	((void) ctx);
markrad	0:cdf462088d13	5373	((void) cookie);
markrad	0:cdf462088d13	5374	((void) cookie_len);
markrad	0:cdf462088d13	5375	((void) cli_id);
markrad	0:cdf462088d13	5376	((void) cli_id_len);
markrad	0:cdf462088d13	5377
markrad	0:cdf462088d13	5378	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad	0:cdf462088d13	5379	}
markrad	0:cdf462088d13	5380	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	5381
markrad	0:cdf462088d13	5382	/*
markrad	0:cdf462088d13	5383	* Initialize an SSL context
markrad	0:cdf462088d13	5384	*/
markrad	0:cdf462088d13	5385	void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	5386	{
markrad	0:cdf462088d13	5387	memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
markrad	0:cdf462088d13	5388	}
markrad	0:cdf462088d13	5389
markrad	0:cdf462088d13	5390	/*
markrad	0:cdf462088d13	5391	* Setup an SSL context
markrad	0:cdf462088d13	5392	*/
markrad	0:cdf462088d13	5393	int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	5394	const mbedtls_ssl_config *conf )
markrad	0:cdf462088d13	5395	{
markrad	0:cdf462088d13	5396	int ret;
markrad	0:cdf462088d13	5397	const size_t len = MBEDTLS_SSL_BUFFER_LEN;
markrad	0:cdf462088d13	5398
markrad	0:cdf462088d13	5399	ssl->conf = conf;
markrad	0:cdf462088d13	5400
markrad	0:cdf462088d13	5401	/*
markrad	0:cdf462088d13	5402	* Prepare base structures
markrad	0:cdf462088d13	5403	*/
markrad	0:cdf462088d13	5404	if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL \|\|
markrad	0:cdf462088d13	5405	( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
markrad	0:cdf462088d13	5406	{
markrad	0:cdf462088d13	5407	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
markrad	0:cdf462088d13	5408	mbedtls_free( ssl->in_buf );
markrad	0:cdf462088d13	5409	ssl->in_buf = NULL;
markrad	0:cdf462088d13	5410	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	5411	}
markrad	0:cdf462088d13	5412
markrad	0:cdf462088d13	5413	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	5414	if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	5415	{
markrad	0:cdf462088d13	5416	ssl->out_hdr = ssl->out_buf;
markrad	0:cdf462088d13	5417	ssl->out_ctr = ssl->out_buf + 3;
markrad	0:cdf462088d13	5418	ssl->out_len = ssl->out_buf + 11;
markrad	0:cdf462088d13	5419	ssl->out_iv = ssl->out_buf + 13;
markrad	0:cdf462088d13	5420	ssl->out_msg = ssl->out_buf + 13;
markrad	0:cdf462088d13	5421
markrad	0:cdf462088d13	5422	ssl->in_hdr = ssl->in_buf;
markrad	0:cdf462088d13	5423	ssl->in_ctr = ssl->in_buf + 3;
markrad	0:cdf462088d13	5424	ssl->in_len = ssl->in_buf + 11;
markrad	0:cdf462088d13	5425	ssl->in_iv = ssl->in_buf + 13;
markrad	0:cdf462088d13	5426	ssl->in_msg = ssl->in_buf + 13;
markrad	0:cdf462088d13	5427	}
markrad	0:cdf462088d13	5428	else
markrad	0:cdf462088d13	5429	#endif
markrad	0:cdf462088d13	5430	{
markrad	0:cdf462088d13	5431	ssl->out_ctr = ssl->out_buf;
markrad	0:cdf462088d13	5432	ssl->out_hdr = ssl->out_buf + 8;
markrad	0:cdf462088d13	5433	ssl->out_len = ssl->out_buf + 11;
markrad	0:cdf462088d13	5434	ssl->out_iv = ssl->out_buf + 13;
markrad	0:cdf462088d13	5435	ssl->out_msg = ssl->out_buf + 13;
markrad	0:cdf462088d13	5436
markrad	0:cdf462088d13	5437	ssl->in_ctr = ssl->in_buf;
markrad	0:cdf462088d13	5438	ssl->in_hdr = ssl->in_buf + 8;
markrad	0:cdf462088d13	5439	ssl->in_len = ssl->in_buf + 11;
markrad	0:cdf462088d13	5440	ssl->in_iv = ssl->in_buf + 13;
markrad	0:cdf462088d13	5441	ssl->in_msg = ssl->in_buf + 13;
markrad	0:cdf462088d13	5442	}
markrad	0:cdf462088d13	5443
markrad	0:cdf462088d13	5444	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
markrad	0:cdf462088d13	5445	return( ret );
markrad	0:cdf462088d13	5446
markrad	0:cdf462088d13	5447	return( 0 );
markrad	0:cdf462088d13	5448	}
markrad	0:cdf462088d13	5449
markrad	0:cdf462088d13	5450	/*
markrad	0:cdf462088d13	5451	* Reset an initialized and used SSL context for re-use while retaining
markrad	0:cdf462088d13	5452	* all application-set variables, function pointers and data.
markrad	0:cdf462088d13	5453	*
markrad	0:cdf462088d13	5454	* If partial is non-zero, keep data in the input buffer and client ID.
markrad	0:cdf462088d13	5455	* (Use when a DTLS client reconnects from the same port.)
markrad	0:cdf462088d13	5456	*/
markrad	0:cdf462088d13	5457	static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
markrad	0:cdf462088d13	5458	{
markrad	0:cdf462088d13	5459	int ret;
markrad	0:cdf462088d13	5460
markrad	0:cdf462088d13	5461	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
markrad	0:cdf462088d13	5462
markrad	0:cdf462088d13	5463	/* Cancel any possibly running timer */
markrad	0:cdf462088d13	5464	ssl_set_timer( ssl, 0 );
markrad	0:cdf462088d13	5465
markrad	0:cdf462088d13	5466	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	5467	ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
markrad	0:cdf462088d13	5468	ssl->renego_records_seen = 0;
markrad	0:cdf462088d13	5469
markrad	0:cdf462088d13	5470	ssl->verify_data_len = 0;
markrad	0:cdf462088d13	5471	memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
markrad	0:cdf462088d13	5472	memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
markrad	0:cdf462088d13	5473	#endif
markrad	0:cdf462088d13	5474	ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
markrad	0:cdf462088d13	5475
markrad	0:cdf462088d13	5476	ssl->in_offt = NULL;
markrad	0:cdf462088d13	5477
markrad	0:cdf462088d13	5478	ssl->in_msg = ssl->in_buf + 13;
markrad	0:cdf462088d13	5479	ssl->in_msgtype = 0;
markrad	0:cdf462088d13	5480	ssl->in_msglen = 0;
markrad	0:cdf462088d13	5481	if( partial == 0 )
markrad	0:cdf462088d13	5482	ssl->in_left = 0;
markrad	0:cdf462088d13	5483	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	5484	ssl->next_record_offset = 0;
markrad	0:cdf462088d13	5485	ssl->in_epoch = 0;
markrad	0:cdf462088d13	5486	#endif
markrad	0:cdf462088d13	5487	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	5488	ssl_dtls_replay_reset( ssl );
markrad	0:cdf462088d13	5489	#endif
markrad	0:cdf462088d13	5490
markrad	0:cdf462088d13	5491	ssl->in_hslen = 0;
markrad	0:cdf462088d13	5492	ssl->nb_zero = 0;
markrad	0:cdf462088d13	5493	ssl->record_read = 0;
markrad	0:cdf462088d13	5494
markrad	0:cdf462088d13	5495	ssl->out_msg = ssl->out_buf + 13;
markrad	0:cdf462088d13	5496	ssl->out_msgtype = 0;
markrad	0:cdf462088d13	5497	ssl->out_msglen = 0;
markrad	0:cdf462088d13	5498	ssl->out_left = 0;
markrad	0:cdf462088d13	5499	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
markrad	0:cdf462088d13	5500	if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
markrad	0:cdf462088d13	5501	ssl->split_done = 0;
markrad	0:cdf462088d13	5502	#endif
markrad	0:cdf462088d13	5503
markrad	0:cdf462088d13	5504	ssl->transform_in = NULL;
markrad	0:cdf462088d13	5505	ssl->transform_out = NULL;
markrad	0:cdf462088d13	5506
markrad	0:cdf462088d13	5507	memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
markrad	0:cdf462088d13	5508	if( partial == 0 )
markrad	0:cdf462088d13	5509	memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
markrad	0:cdf462088d13	5510
markrad	0:cdf462088d13	5511	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	5512	if( mbedtls_ssl_hw_record_reset != NULL )
markrad	0:cdf462088d13	5513	{
markrad	0:cdf462088d13	5514	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
markrad	0:cdf462088d13	5515	if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
markrad	0:cdf462088d13	5516	{
markrad	0:cdf462088d13	5517	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
markrad	0:cdf462088d13	5518	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
markrad	0:cdf462088d13	5519	}
markrad	0:cdf462088d13	5520	}
markrad	0:cdf462088d13	5521	#endif
markrad	0:cdf462088d13	5522
markrad	0:cdf462088d13	5523	if( ssl->transform )
markrad	0:cdf462088d13	5524	{
markrad	0:cdf462088d13	5525	mbedtls_ssl_transform_free( ssl->transform );
markrad	0:cdf462088d13	5526	mbedtls_free( ssl->transform );
markrad	0:cdf462088d13	5527	ssl->transform = NULL;
markrad	0:cdf462088d13	5528	}
markrad	0:cdf462088d13	5529
markrad	0:cdf462088d13	5530	if( ssl->session )
markrad	0:cdf462088d13	5531	{
markrad	0:cdf462088d13	5532	mbedtls_ssl_session_free( ssl->session );
markrad	0:cdf462088d13	5533	mbedtls_free( ssl->session );
markrad	0:cdf462088d13	5534	ssl->session = NULL;
markrad	0:cdf462088d13	5535	}
markrad	0:cdf462088d13	5536
markrad	0:cdf462088d13	5537	#if defined(MBEDTLS_SSL_ALPN)
markrad	0:cdf462088d13	5538	ssl->alpn_chosen = NULL;
markrad	0:cdf462088d13	5539	#endif
markrad	0:cdf462088d13	5540
markrad	0:cdf462088d13	5541	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	5542	if( partial == 0 )
markrad	0:cdf462088d13	5543	{
markrad	0:cdf462088d13	5544	mbedtls_free( ssl->cli_id );
markrad	0:cdf462088d13	5545	ssl->cli_id = NULL;
markrad	0:cdf462088d13	5546	ssl->cli_id_len = 0;
markrad	0:cdf462088d13	5547	}
markrad	0:cdf462088d13	5548	#endif
markrad	0:cdf462088d13	5549
markrad	0:cdf462088d13	5550	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
markrad	0:cdf462088d13	5551	return( ret );
markrad	0:cdf462088d13	5552
markrad	0:cdf462088d13	5553	return( 0 );
markrad	0:cdf462088d13	5554	}
markrad	0:cdf462088d13	5555
markrad	0:cdf462088d13	5556	/*
markrad	0:cdf462088d13	5557	* Reset an initialized and used SSL context for re-use while retaining
markrad	0:cdf462088d13	5558	* all application-set variables, function pointers and data.
markrad	0:cdf462088d13	5559	*/
markrad	0:cdf462088d13	5560	int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	5561	{
markrad	0:cdf462088d13	5562	return( ssl_session_reset_int( ssl, 0 ) );
markrad	0:cdf462088d13	5563	}
markrad	0:cdf462088d13	5564
markrad	0:cdf462088d13	5565	/*
markrad	0:cdf462088d13	5566	* SSL set accessors
markrad	0:cdf462088d13	5567	*/
markrad	0:cdf462088d13	5568	void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
markrad	0:cdf462088d13	5569	{
markrad	0:cdf462088d13	5570	conf->endpoint = endpoint;
markrad	0:cdf462088d13	5571	}
markrad	0:cdf462088d13	5572
markrad	0:cdf462088d13	5573	void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
markrad	0:cdf462088d13	5574	{
markrad	0:cdf462088d13	5575	conf->transport = transport;
markrad	0:cdf462088d13	5576	}
markrad	0:cdf462088d13	5577
markrad	0:cdf462088d13	5578	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	5579	void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
markrad	0:cdf462088d13	5580	{
markrad	0:cdf462088d13	5581	conf->anti_replay = mode;
markrad	0:cdf462088d13	5582	}
markrad	0:cdf462088d13	5583	#endif
markrad	0:cdf462088d13	5584
markrad	0:cdf462088d13	5585	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
markrad	0:cdf462088d13	5586	void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
markrad	0:cdf462088d13	5587	{
markrad	0:cdf462088d13	5588	conf->badmac_limit = limit;
markrad	0:cdf462088d13	5589	}
markrad	0:cdf462088d13	5590	#endif
markrad	0:cdf462088d13	5591
markrad	0:cdf462088d13	5592	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	5593	void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max )
markrad	0:cdf462088d13	5594	{
markrad	0:cdf462088d13	5595	conf->hs_timeout_min = min;
markrad	0:cdf462088d13	5596	conf->hs_timeout_max = max;
markrad	0:cdf462088d13	5597	}
markrad	0:cdf462088d13	5598	#endif
markrad	0:cdf462088d13	5599
markrad	0:cdf462088d13	5600	void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
markrad	0:cdf462088d13	5601	{
markrad	0:cdf462088d13	5602	conf->authmode = authmode;
markrad	0:cdf462088d13	5603	}
markrad	0:cdf462088d13	5604
markrad	0:cdf462088d13	5605	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	5606	void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5607	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
markrad	0:cdf462088d13	5608	void *p_vrfy )
markrad	0:cdf462088d13	5609	{
markrad	0:cdf462088d13	5610	conf->f_vrfy = f_vrfy;
markrad	0:cdf462088d13	5611	conf->p_vrfy = p_vrfy;
markrad	0:cdf462088d13	5612	}
markrad	0:cdf462088d13	5613	#endif /* MBEDTLS_X509_CRT_PARSE_C */
markrad	0:cdf462088d13	5614
markrad	0:cdf462088d13	5615	void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5616	int (f_rng)(void , unsigned char *, size_t),
markrad	0:cdf462088d13	5617	void *p_rng )
markrad	0:cdf462088d13	5618	{
markrad	0:cdf462088d13	5619	conf->f_rng = f_rng;
markrad	0:cdf462088d13	5620	conf->p_rng = p_rng;
markrad	0:cdf462088d13	5621	}
markrad	0:cdf462088d13	5622
markrad	0:cdf462088d13	5623	void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5624	void (f_dbg)(void , int, const char , int, const char ),
markrad	0:cdf462088d13	5625	void *p_dbg )
markrad	0:cdf462088d13	5626	{
markrad	0:cdf462088d13	5627	conf->f_dbg = f_dbg;
markrad	0:cdf462088d13	5628	conf->p_dbg = p_dbg;
markrad	0:cdf462088d13	5629	}
markrad	0:cdf462088d13	5630
markrad	0:cdf462088d13	5631	void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	5632	void *p_bio,
markrad	0:cdf462088d13	5633	mbedtls_ssl_send_t *f_send,
markrad	0:cdf462088d13	5634	mbedtls_ssl_recv_t *f_recv,
markrad	0:cdf462088d13	5635	mbedtls_ssl_recv_timeout_t *f_recv_timeout )
markrad	0:cdf462088d13	5636	{
markrad	0:cdf462088d13	5637	ssl->p_bio = p_bio;
markrad	0:cdf462088d13	5638	ssl->f_send = f_send;
markrad	0:cdf462088d13	5639	ssl->f_recv = f_recv;
markrad	0:cdf462088d13	5640	ssl->f_recv_timeout = f_recv_timeout;
markrad	0:cdf462088d13	5641	}
markrad	0:cdf462088d13	5642
markrad	0:cdf462088d13	5643	void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
markrad	0:cdf462088d13	5644	{
markrad	0:cdf462088d13	5645	conf->read_timeout = timeout;
markrad	0:cdf462088d13	5646	}
markrad	0:cdf462088d13	5647
markrad	0:cdf462088d13	5648	void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	5649	void *p_timer,
markrad	0:cdf462088d13	5650	mbedtls_ssl_set_timer_t *f_set_timer,
markrad	0:cdf462088d13	5651	mbedtls_ssl_get_timer_t *f_get_timer )
markrad	0:cdf462088d13	5652	{
markrad	0:cdf462088d13	5653	ssl->p_timer = p_timer;
markrad	0:cdf462088d13	5654	ssl->f_set_timer = f_set_timer;
markrad	0:cdf462088d13	5655	ssl->f_get_timer = f_get_timer;
markrad	0:cdf462088d13	5656
markrad	0:cdf462088d13	5657	/* Make sure we start with no timer running */
markrad	0:cdf462088d13	5658	ssl_set_timer( ssl, 0 );
markrad	0:cdf462088d13	5659	}
markrad	0:cdf462088d13	5660
markrad	0:cdf462088d13	5661	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	5662	void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5663	void *p_cache,
markrad	0:cdf462088d13	5664	int (f_get_cache)(void , mbedtls_ssl_session *),
markrad	0:cdf462088d13	5665	int (f_set_cache)(void , const mbedtls_ssl_session *) )
markrad	0:cdf462088d13	5666	{
markrad	0:cdf462088d13	5667	conf->p_cache = p_cache;
markrad	0:cdf462088d13	5668	conf->f_get_cache = f_get_cache;
markrad	0:cdf462088d13	5669	conf->f_set_cache = f_set_cache;
markrad	0:cdf462088d13	5670	}
markrad	0:cdf462088d13	5671	#endif /* MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	5672
markrad	0:cdf462088d13	5673	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	5674	int mbedtls_ssl_set_session( mbedtls_ssl_context ssl, const mbedtls_ssl_session session )
markrad	0:cdf462088d13	5675	{
markrad	0:cdf462088d13	5676	int ret;
markrad	0:cdf462088d13	5677
markrad	0:cdf462088d13	5678	if( ssl == NULL \|\|
markrad	0:cdf462088d13	5679	session == NULL \|\|
markrad	0:cdf462088d13	5680	ssl->session_negotiate == NULL \|\|
markrad	0:cdf462088d13	5681	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	5682	{
markrad	0:cdf462088d13	5683	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5684	}
markrad	0:cdf462088d13	5685
markrad	0:cdf462088d13	5686	if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
markrad	0:cdf462088d13	5687	return( ret );
markrad	0:cdf462088d13	5688
markrad	0:cdf462088d13	5689	ssl->handshake->resume = 1;
markrad	0:cdf462088d13	5690
markrad	0:cdf462088d13	5691	return( 0 );
markrad	0:cdf462088d13	5692	}
markrad	0:cdf462088d13	5693	#endif /* MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	5694
markrad	0:cdf462088d13	5695	void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5696	const int *ciphersuites )
markrad	0:cdf462088d13	5697	{
markrad	0:cdf462088d13	5698	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
markrad	0:cdf462088d13	5699	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
markrad	0:cdf462088d13	5700	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
markrad	0:cdf462088d13	5701	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
markrad	0:cdf462088d13	5702	}
markrad	0:cdf462088d13	5703
markrad	0:cdf462088d13	5704	void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5705	const int *ciphersuites,
markrad	0:cdf462088d13	5706	int major, int minor )
markrad	0:cdf462088d13	5707	{
markrad	0:cdf462088d13	5708	if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
markrad	0:cdf462088d13	5709	return;
markrad	0:cdf462088d13	5710
markrad	0:cdf462088d13	5711	if( minor < MBEDTLS_SSL_MINOR_VERSION_0 \|\| minor > MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	5712	return;
markrad	0:cdf462088d13	5713
markrad	0:cdf462088d13	5714	conf->ciphersuite_list[minor] = ciphersuites;
markrad	0:cdf462088d13	5715	}
markrad	0:cdf462088d13	5716
markrad	0:cdf462088d13	5717	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	5718	void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5719	const mbedtls_x509_crt_profile *profile )
markrad	0:cdf462088d13	5720	{
markrad	0:cdf462088d13	5721	conf->cert_profile = profile;
markrad	0:cdf462088d13	5722	}
markrad	0:cdf462088d13	5723
markrad	0:cdf462088d13	5724	/* Append a new keycert entry to a (possibly empty) list */
markrad	0:cdf462088d13	5725	static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
markrad	0:cdf462088d13	5726	mbedtls_x509_crt *cert,
markrad	0:cdf462088d13	5727	mbedtls_pk_context *key )
markrad	0:cdf462088d13	5728	{
markrad	0:cdf462088d13	5729	mbedtls_ssl_key_cert *new;
markrad	0:cdf462088d13	5730
markrad	0:cdf462088d13	5731	new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
markrad	0:cdf462088d13	5732	if( new == NULL )
markrad	0:cdf462088d13	5733	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	5734
markrad	0:cdf462088d13	5735	new->cert = cert;
markrad	0:cdf462088d13	5736	new->key = key;
markrad	0:cdf462088d13	5737	new->next = NULL;
markrad	0:cdf462088d13	5738
markrad	0:cdf462088d13	5739	/* Update head is the list was null, else add to the end */
markrad	0:cdf462088d13	5740	if( *head == NULL )
markrad	0:cdf462088d13	5741	{
markrad	0:cdf462088d13	5742	*head = new;
markrad	0:cdf462088d13	5743	}
markrad	0:cdf462088d13	5744	else
markrad	0:cdf462088d13	5745	{
markrad	0:cdf462088d13	5746	mbedtls_ssl_key_cert cur = head;
markrad	0:cdf462088d13	5747	while( cur->next != NULL )
markrad	0:cdf462088d13	5748	cur = cur->next;
markrad	0:cdf462088d13	5749	cur->next = new;
markrad	0:cdf462088d13	5750	}
markrad	0:cdf462088d13	5751
markrad	0:cdf462088d13	5752	return( 0 );
markrad	0:cdf462088d13	5753	}
markrad	0:cdf462088d13	5754
markrad	0:cdf462088d13	5755	int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5756	mbedtls_x509_crt *own_cert,
markrad	0:cdf462088d13	5757	mbedtls_pk_context *pk_key )
markrad	0:cdf462088d13	5758	{
markrad	0:cdf462088d13	5759	return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
markrad	0:cdf462088d13	5760	}
markrad	0:cdf462088d13	5761
markrad	0:cdf462088d13	5762	void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5763	mbedtls_x509_crt *ca_chain,
markrad	0:cdf462088d13	5764	mbedtls_x509_crl *ca_crl )
markrad	0:cdf462088d13	5765	{
markrad	0:cdf462088d13	5766	conf->ca_chain = ca_chain;
markrad	0:cdf462088d13	5767	conf->ca_crl = ca_crl;
markrad	0:cdf462088d13	5768	}
markrad	0:cdf462088d13	5769	#endif /* MBEDTLS_X509_CRT_PARSE_C */
markrad	0:cdf462088d13	5770
markrad	0:cdf462088d13	5771	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	5772	int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	5773	mbedtls_x509_crt *own_cert,
markrad	0:cdf462088d13	5774	mbedtls_pk_context *pk_key )
markrad	0:cdf462088d13	5775	{
markrad	0:cdf462088d13	5776	return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
markrad	0:cdf462088d13	5777	own_cert, pk_key ) );
markrad	0:cdf462088d13	5778	}
markrad	0:cdf462088d13	5779
markrad	0:cdf462088d13	5780	void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	5781	mbedtls_x509_crt *ca_chain,
markrad	0:cdf462088d13	5782	mbedtls_x509_crl *ca_crl )
markrad	0:cdf462088d13	5783	{
markrad	0:cdf462088d13	5784	ssl->handshake->sni_ca_chain = ca_chain;
markrad	0:cdf462088d13	5785	ssl->handshake->sni_ca_crl = ca_crl;
markrad	0:cdf462088d13	5786	}
markrad	0:cdf462088d13	5787
markrad	0:cdf462088d13	5788	void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	5789	int authmode )
markrad	0:cdf462088d13	5790	{
markrad	0:cdf462088d13	5791	ssl->handshake->sni_authmode = authmode;
markrad	0:cdf462088d13	5792	}
markrad	0:cdf462088d13	5793	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
markrad	0:cdf462088d13	5794
markrad	0:cdf462088d13	5795	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	5796	/*
markrad	0:cdf462088d13	5797	* Set EC J-PAKE password for current handshake
markrad	0:cdf462088d13	5798	*/
markrad	0:cdf462088d13	5799	int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	5800	const unsigned char *pw,
markrad	0:cdf462088d13	5801	size_t pw_len )
markrad	0:cdf462088d13	5802	{
markrad	0:cdf462088d13	5803	mbedtls_ecjpake_role role;
markrad	0:cdf462088d13	5804
markrad	0:cdf462088d13	5805	if( ssl->handshake == NULL \|\| ssl->conf == NULL )
markrad	0:cdf462088d13	5806	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5807
markrad	0:cdf462088d13	5808	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	5809	role = MBEDTLS_ECJPAKE_SERVER;
markrad	0:cdf462088d13	5810	else
markrad	0:cdf462088d13	5811	role = MBEDTLS_ECJPAKE_CLIENT;
markrad	0:cdf462088d13	5812
markrad	0:cdf462088d13	5813	return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
markrad	0:cdf462088d13	5814	role,
markrad	0:cdf462088d13	5815	MBEDTLS_MD_SHA256,
markrad	0:cdf462088d13	5816	MBEDTLS_ECP_DP_SECP256R1,
markrad	0:cdf462088d13	5817	pw, pw_len ) );
markrad	0:cdf462088d13	5818	}
markrad	0:cdf462088d13	5819	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	5820
markrad	0:cdf462088d13	5821	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
markrad	0:cdf462088d13	5822	int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5823	const unsigned char *psk, size_t psk_len,
markrad	0:cdf462088d13	5824	const unsigned char *psk_identity, size_t psk_identity_len )
markrad	0:cdf462088d13	5825	{
markrad	0:cdf462088d13	5826	if( psk == NULL \|\| psk_identity == NULL )
markrad	0:cdf462088d13	5827	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5828
markrad	0:cdf462088d13	5829	if( psk_len > MBEDTLS_PSK_MAX_LEN )
markrad	0:cdf462088d13	5830	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5831
markrad	0:cdf462088d13	5832	/* Identity len will be encoded on two bytes */
markrad	0:cdf462088d13	5833	if( ( psk_identity_len >> 16 ) != 0 \|\|
markrad	0:cdf462088d13	5834	psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
markrad	0:cdf462088d13	5835	{
markrad	0:cdf462088d13	5836	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5837	}
markrad	0:cdf462088d13	5838
markrad	0:cdf462088d13	5839	if( conf->psk != NULL \|\| conf->psk_identity != NULL )
markrad	0:cdf462088d13	5840	{
markrad	0:cdf462088d13	5841	mbedtls_free( conf->psk );
markrad	0:cdf462088d13	5842	mbedtls_free( conf->psk_identity );
markrad	0:cdf462088d13	5843	conf->psk = NULL;
markrad	0:cdf462088d13	5844	conf->psk_identity = NULL;
markrad	0:cdf462088d13	5845	}
markrad	0:cdf462088d13	5846
markrad	0:cdf462088d13	5847	if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL \|\|
markrad	0:cdf462088d13	5848	( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
markrad	0:cdf462088d13	5849	{
markrad	0:cdf462088d13	5850	mbedtls_free( conf->psk );
markrad	0:cdf462088d13	5851	mbedtls_free( conf->psk_identity );
markrad	0:cdf462088d13	5852	conf->psk = NULL;
markrad	0:cdf462088d13	5853	conf->psk_identity = NULL;
markrad	0:cdf462088d13	5854	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	5855	}
markrad	0:cdf462088d13	5856
markrad	0:cdf462088d13	5857	conf->psk_len = psk_len;
markrad	0:cdf462088d13	5858	conf->psk_identity_len = psk_identity_len;
markrad	0:cdf462088d13	5859
markrad	0:cdf462088d13	5860	memcpy( conf->psk, psk, conf->psk_len );
markrad	0:cdf462088d13	5861	memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
markrad	0:cdf462088d13	5862
markrad	0:cdf462088d13	5863	return( 0 );
markrad	0:cdf462088d13	5864	}
markrad	0:cdf462088d13	5865
markrad	0:cdf462088d13	5866	int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	5867	const unsigned char *psk, size_t psk_len )
markrad	0:cdf462088d13	5868	{
markrad	0:cdf462088d13	5869	if( psk == NULL \|\| ssl->handshake == NULL )
markrad	0:cdf462088d13	5870	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5871
markrad	0:cdf462088d13	5872	if( psk_len > MBEDTLS_PSK_MAX_LEN )
markrad	0:cdf462088d13	5873	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5874
markrad	0:cdf462088d13	5875	if( ssl->handshake->psk != NULL )
markrad	0:cdf462088d13	5876	mbedtls_free( ssl->handshake->psk );
markrad	0:cdf462088d13	5877
markrad	0:cdf462088d13	5878	if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
markrad	0:cdf462088d13	5879	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	5880
markrad	0:cdf462088d13	5881	ssl->handshake->psk_len = psk_len;
markrad	0:cdf462088d13	5882	memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
markrad	0:cdf462088d13	5883
markrad	0:cdf462088d13	5884	return( 0 );
markrad	0:cdf462088d13	5885	}
markrad	0:cdf462088d13	5886
markrad	0:cdf462088d13	5887	void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5888	int (f_psk)(void , mbedtls_ssl_context , const unsigned char ,
markrad	0:cdf462088d13	5889	size_t),
markrad	0:cdf462088d13	5890	void *p_psk )
markrad	0:cdf462088d13	5891	{
markrad	0:cdf462088d13	5892	conf->f_psk = f_psk;
markrad	0:cdf462088d13	5893	conf->p_psk = p_psk;
markrad	0:cdf462088d13	5894	}
markrad	0:cdf462088d13	5895	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
markrad	0:cdf462088d13	5896
markrad	0:cdf462088d13	5897	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	5898	int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config conf, const char dhm_P, const char *dhm_G )
markrad	0:cdf462088d13	5899	{
markrad	0:cdf462088d13	5900	int ret;
markrad	0:cdf462088d13	5901
markrad	0:cdf462088d13	5902	if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 \|\|
markrad	0:cdf462088d13	5903	( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
markrad	0:cdf462088d13	5904	{
markrad	0:cdf462088d13	5905	mbedtls_mpi_free( &conf->dhm_P );
markrad	0:cdf462088d13	5906	mbedtls_mpi_free( &conf->dhm_G );
markrad	0:cdf462088d13	5907	return( ret );
markrad	0:cdf462088d13	5908	}
markrad	0:cdf462088d13	5909
markrad	0:cdf462088d13	5910	return( 0 );
markrad	0:cdf462088d13	5911	}
markrad	0:cdf462088d13	5912
markrad	0:cdf462088d13	5913	int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config conf, mbedtls_dhm_context dhm_ctx )
markrad	0:cdf462088d13	5914	{
markrad	0:cdf462088d13	5915	int ret;
markrad	0:cdf462088d13	5916
markrad	0:cdf462088d13	5917	if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 \|\|
markrad	0:cdf462088d13	5918	( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
markrad	0:cdf462088d13	5919	{
markrad	0:cdf462088d13	5920	mbedtls_mpi_free( &conf->dhm_P );
markrad	0:cdf462088d13	5921	mbedtls_mpi_free( &conf->dhm_G );
markrad	0:cdf462088d13	5922	return( ret );
markrad	0:cdf462088d13	5923	}
markrad	0:cdf462088d13	5924
markrad	0:cdf462088d13	5925	return( 0 );
markrad	0:cdf462088d13	5926	}
markrad	0:cdf462088d13	5927	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	5928
markrad	0:cdf462088d13	5929	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	5930	/*
markrad	0:cdf462088d13	5931	* Set the minimum length for Diffie-Hellman parameters
markrad	0:cdf462088d13	5932	*/
markrad	0:cdf462088d13	5933	void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5934	unsigned int bitlen )
markrad	0:cdf462088d13	5935	{
markrad	0:cdf462088d13	5936	conf->dhm_min_bitlen = bitlen;
markrad	0:cdf462088d13	5937	}
markrad	0:cdf462088d13	5938	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	5939
markrad	0:cdf462088d13	5940	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad	0:cdf462088d13	5941	/*
markrad	0:cdf462088d13	5942	* Set allowed/preferred hashes for handshake signatures
markrad	0:cdf462088d13	5943	*/
markrad	0:cdf462088d13	5944	void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5945	const int *hashes )
markrad	0:cdf462088d13	5946	{
markrad	0:cdf462088d13	5947	conf->sig_hashes = hashes;
markrad	0:cdf462088d13	5948	}
markrad	0:cdf462088d13	5949	#endif
markrad	0:cdf462088d13	5950
markrad	0:cdf462088d13	5951	#if defined(MBEDTLS_ECP_C)
markrad	0:cdf462088d13	5952	/*
markrad	0:cdf462088d13	5953	* Set the allowed elliptic curves
markrad	0:cdf462088d13	5954	*/
markrad	0:cdf462088d13	5955	void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5956	const mbedtls_ecp_group_id *curve_list )
markrad	0:cdf462088d13	5957	{
markrad	0:cdf462088d13	5958	conf->curve_list = curve_list;
markrad	0:cdf462088d13	5959	}
markrad	0:cdf462088d13	5960	#endif
markrad	0:cdf462088d13	5961
markrad	0:cdf462088d13	5962	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	5963	int mbedtls_ssl_set_hostname( mbedtls_ssl_context ssl, const char hostname )
markrad	0:cdf462088d13	5964	{
markrad	0:cdf462088d13	5965	size_t hostname_len;
markrad	0:cdf462088d13	5966
markrad	0:cdf462088d13	5967	if( hostname == NULL )
markrad	0:cdf462088d13	5968	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5969
markrad	0:cdf462088d13	5970	hostname_len = strlen( hostname );
markrad	0:cdf462088d13	5971
markrad	0:cdf462088d13	5972	if( hostname_len + 1 == 0 )
markrad	0:cdf462088d13	5973	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5974
markrad	0:cdf462088d13	5975	if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
markrad	0:cdf462088d13	5976	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	5977
markrad	0:cdf462088d13	5978	ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
markrad	0:cdf462088d13	5979
markrad	0:cdf462088d13	5980	if( ssl->hostname == NULL )
markrad	0:cdf462088d13	5981	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	5982
markrad	0:cdf462088d13	5983	memcpy( ssl->hostname, hostname, hostname_len );
markrad	0:cdf462088d13	5984
markrad	0:cdf462088d13	5985	ssl->hostname[hostname_len] = '\0';
markrad	0:cdf462088d13	5986
markrad	0:cdf462088d13	5987	return( 0 );
markrad	0:cdf462088d13	5988	}
markrad	0:cdf462088d13	5989	#endif
markrad	0:cdf462088d13	5990
markrad	0:cdf462088d13	5991	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	5992	void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	5993	int (f_sni)(void , mbedtls_ssl_context *,
markrad	0:cdf462088d13	5994	const unsigned char *, size_t),
markrad	0:cdf462088d13	5995	void *p_sni )
markrad	0:cdf462088d13	5996	{
markrad	0:cdf462088d13	5997	conf->f_sni = f_sni;
markrad	0:cdf462088d13	5998	conf->p_sni = p_sni;
markrad	0:cdf462088d13	5999	}
markrad	0:cdf462088d13	6000	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
markrad	0:cdf462088d13	6001
markrad	0:cdf462088d13	6002	#if defined(MBEDTLS_SSL_ALPN)
markrad	0:cdf462088d13	6003	int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config conf, const char *protos )
markrad	0:cdf462088d13	6004	{
markrad	0:cdf462088d13	6005	size_t cur_len, tot_len;
markrad	0:cdf462088d13	6006	const char **p;
markrad	0:cdf462088d13	6007
markrad	0:cdf462088d13	6008	/*
markrad	0:cdf462088d13	6009	* RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
markrad	0:cdf462088d13	6010	* MUST NOT be truncated."
markrad	0:cdf462088d13	6011	* We check lengths now rather than later.
markrad	0:cdf462088d13	6012	*/
markrad	0:cdf462088d13	6013	tot_len = 0;
markrad	0:cdf462088d13	6014	for( p = protos; *p != NULL; p++ )
markrad	0:cdf462088d13	6015	{
markrad	0:cdf462088d13	6016	cur_len = strlen( *p );
markrad	0:cdf462088d13	6017	tot_len += cur_len;
markrad	0:cdf462088d13	6018
markrad	0:cdf462088d13	6019	if( cur_len == 0 \|\| cur_len > 255 \|\| tot_len > 65535 )
markrad	0:cdf462088d13	6020	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6021	}
markrad	0:cdf462088d13	6022
markrad	0:cdf462088d13	6023	conf->alpn_list = protos;
markrad	0:cdf462088d13	6024
markrad	0:cdf462088d13	6025	return( 0 );
markrad	0:cdf462088d13	6026	}
markrad	0:cdf462088d13	6027
markrad	0:cdf462088d13	6028	const char mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context ssl )
markrad	0:cdf462088d13	6029	{
markrad	0:cdf462088d13	6030	return( ssl->alpn_chosen );
markrad	0:cdf462088d13	6031	}
markrad	0:cdf462088d13	6032	#endif /* MBEDTLS_SSL_ALPN */
markrad	0:cdf462088d13	6033
markrad	0:cdf462088d13	6034	void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
markrad	0:cdf462088d13	6035	{
markrad	0:cdf462088d13	6036	conf->max_major_ver = major;
markrad	0:cdf462088d13	6037	conf->max_minor_ver = minor;
markrad	0:cdf462088d13	6038	}
markrad	0:cdf462088d13	6039
markrad	0:cdf462088d13	6040	void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
markrad	0:cdf462088d13	6041	{
markrad	0:cdf462088d13	6042	conf->min_major_ver = major;
markrad	0:cdf462088d13	6043	conf->min_minor_ver = minor;
markrad	0:cdf462088d13	6044	}
markrad	0:cdf462088d13	6045
markrad	0:cdf462088d13	6046	#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	6047	void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
markrad	0:cdf462088d13	6048	{
markrad	0:cdf462088d13	6049	conf->fallback = fallback;
markrad	0:cdf462088d13	6050	}
markrad	0:cdf462088d13	6051	#endif
markrad	0:cdf462088d13	6052
markrad	0:cdf462088d13	6053	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	6054	void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
markrad	0:cdf462088d13	6055	{
markrad	0:cdf462088d13	6056	conf->encrypt_then_mac = etm;
markrad	0:cdf462088d13	6057	}
markrad	0:cdf462088d13	6058	#endif
markrad	0:cdf462088d13	6059
markrad	0:cdf462088d13	6060	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad	0:cdf462088d13	6061	void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
markrad	0:cdf462088d13	6062	{
markrad	0:cdf462088d13	6063	conf->extended_ms = ems;
markrad	0:cdf462088d13	6064	}
markrad	0:cdf462088d13	6065	#endif
markrad	0:cdf462088d13	6066
markrad	0:cdf462088d13	6067	#if defined(MBEDTLS_ARC4_C)
markrad	0:cdf462088d13	6068	void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
markrad	0:cdf462088d13	6069	{
markrad	0:cdf462088d13	6070	conf->arc4_disabled = arc4;
markrad	0:cdf462088d13	6071	}
markrad	0:cdf462088d13	6072	#endif
markrad	0:cdf462088d13	6073
markrad	0:cdf462088d13	6074	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad	0:cdf462088d13	6075	int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
markrad	0:cdf462088d13	6076	{
markrad	0:cdf462088d13	6077	if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID \|\|
markrad	0:cdf462088d13	6078	mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
markrad	0:cdf462088d13	6079	{
markrad	0:cdf462088d13	6080	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6081	}
markrad	0:cdf462088d13	6082
markrad	0:cdf462088d13	6083	conf->mfl_code = mfl_code;
markrad	0:cdf462088d13	6084
markrad	0:cdf462088d13	6085	return( 0 );
markrad	0:cdf462088d13	6086	}
markrad	0:cdf462088d13	6087	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad	0:cdf462088d13	6088
markrad	0:cdf462088d13	6089	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
markrad	0:cdf462088d13	6090	void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
markrad	0:cdf462088d13	6091	{
markrad	0:cdf462088d13	6092	conf->trunc_hmac = truncate;
markrad	0:cdf462088d13	6093	}
markrad	0:cdf462088d13	6094	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
markrad	0:cdf462088d13	6095
markrad	0:cdf462088d13	6096	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
markrad	0:cdf462088d13	6097	void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
markrad	0:cdf462088d13	6098	{
markrad	0:cdf462088d13	6099	conf->cbc_record_splitting = split;
markrad	0:cdf462088d13	6100	}
markrad	0:cdf462088d13	6101	#endif
markrad	0:cdf462088d13	6102
markrad	0:cdf462088d13	6103	void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
markrad	0:cdf462088d13	6104	{
markrad	0:cdf462088d13	6105	conf->allow_legacy_renegotiation = allow_legacy;
markrad	0:cdf462088d13	6106	}
markrad	0:cdf462088d13	6107
markrad	0:cdf462088d13	6108	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	6109	void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
markrad	0:cdf462088d13	6110	{
markrad	0:cdf462088d13	6111	conf->disable_renegotiation = renegotiation;
markrad	0:cdf462088d13	6112	}
markrad	0:cdf462088d13	6113
markrad	0:cdf462088d13	6114	void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
markrad	0:cdf462088d13	6115	{
markrad	0:cdf462088d13	6116	conf->renego_max_records = max_records;
markrad	0:cdf462088d13	6117	}
markrad	0:cdf462088d13	6118
markrad	0:cdf462088d13	6119	void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	6120	const unsigned char period[8] )
markrad	0:cdf462088d13	6121	{
markrad	0:cdf462088d13	6122	memcpy( conf->renego_period, period, 8 );
markrad	0:cdf462088d13	6123	}
markrad	0:cdf462088d13	6124	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	6125
markrad	0:cdf462088d13	6126	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	6127	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	6128	void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
markrad	0:cdf462088d13	6129	{
markrad	0:cdf462088d13	6130	conf->session_tickets = use_tickets;
markrad	0:cdf462088d13	6131	}
markrad	0:cdf462088d13	6132	#endif
markrad	0:cdf462088d13	6133
markrad	0:cdf462088d13	6134	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	6135	void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	6136	mbedtls_ssl_ticket_write_t *f_ticket_write,
markrad	0:cdf462088d13	6137	mbedtls_ssl_ticket_parse_t *f_ticket_parse,
markrad	0:cdf462088d13	6138	void *p_ticket )
markrad	0:cdf462088d13	6139	{
markrad	0:cdf462088d13	6140	conf->f_ticket_write = f_ticket_write;
markrad	0:cdf462088d13	6141	conf->f_ticket_parse = f_ticket_parse;
markrad	0:cdf462088d13	6142	conf->p_ticket = p_ticket;
markrad	0:cdf462088d13	6143	}
markrad	0:cdf462088d13	6144	#endif
markrad	0:cdf462088d13	6145	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad	0:cdf462088d13	6146
markrad	0:cdf462088d13	6147	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
markrad	0:cdf462088d13	6148	void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	6149	mbedtls_ssl_export_keys_t *f_export_keys,
markrad	0:cdf462088d13	6150	void *p_export_keys )
markrad	0:cdf462088d13	6151	{
markrad	0:cdf462088d13	6152	conf->f_export_keys = f_export_keys;
markrad	0:cdf462088d13	6153	conf->p_export_keys = p_export_keys;
markrad	0:cdf462088d13	6154	}
markrad	0:cdf462088d13	6155	#endif
markrad	0:cdf462088d13	6156
markrad	0:cdf462088d13	6157	/*
markrad	0:cdf462088d13	6158	* SSL get accessors
markrad	0:cdf462088d13	6159	*/
markrad	0:cdf462088d13	6160	size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6161	{
markrad	0:cdf462088d13	6162	return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
markrad	0:cdf462088d13	6163	}
markrad	0:cdf462088d13	6164
markrad	0:cdf462088d13	6165	uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6166	{
markrad	0:cdf462088d13	6167	if( ssl->session != NULL )
markrad	0:cdf462088d13	6168	return( ssl->session->verify_result );
markrad	0:cdf462088d13	6169
markrad	0:cdf462088d13	6170	if( ssl->session_negotiate != NULL )
markrad	0:cdf462088d13	6171	return( ssl->session_negotiate->verify_result );
markrad	0:cdf462088d13	6172
markrad	0:cdf462088d13	6173	return( 0xFFFFFFFF );
markrad	0:cdf462088d13	6174	}
markrad	0:cdf462088d13	6175
markrad	0:cdf462088d13	6176	const char mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context ssl )
markrad	0:cdf462088d13	6177	{
markrad	0:cdf462088d13	6178	if( ssl == NULL \|\| ssl->session == NULL )
markrad	0:cdf462088d13	6179	return( NULL );
markrad	0:cdf462088d13	6180
markrad	0:cdf462088d13	6181	return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
markrad	0:cdf462088d13	6182	}
markrad	0:cdf462088d13	6183
markrad	0:cdf462088d13	6184	const char mbedtls_ssl_get_version( const mbedtls_ssl_context ssl )
markrad	0:cdf462088d13	6185	{
markrad	0:cdf462088d13	6186	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	6187	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	6188	{
markrad	0:cdf462088d13	6189	switch( ssl->minor_ver )
markrad	0:cdf462088d13	6190	{
markrad	0:cdf462088d13	6191	case MBEDTLS_SSL_MINOR_VERSION_2:
markrad	0:cdf462088d13	6192	return( "DTLSv1.0" );
markrad	0:cdf462088d13	6193
markrad	0:cdf462088d13	6194	case MBEDTLS_SSL_MINOR_VERSION_3:
markrad	0:cdf462088d13	6195	return( "DTLSv1.2" );
markrad	0:cdf462088d13	6196
markrad	0:cdf462088d13	6197	default:
markrad	0:cdf462088d13	6198	return( "unknown (DTLS)" );
markrad	0:cdf462088d13	6199	}
markrad	0:cdf462088d13	6200	}
markrad	0:cdf462088d13	6201	#endif
markrad	0:cdf462088d13	6202
markrad	0:cdf462088d13	6203	switch( ssl->minor_ver )
markrad	0:cdf462088d13	6204	{
markrad	0:cdf462088d13	6205	case MBEDTLS_SSL_MINOR_VERSION_0:
markrad	0:cdf462088d13	6206	return( "SSLv3.0" );
markrad	0:cdf462088d13	6207
markrad	0:cdf462088d13	6208	case MBEDTLS_SSL_MINOR_VERSION_1:
markrad	0:cdf462088d13	6209	return( "TLSv1.0" );
markrad	0:cdf462088d13	6210
markrad	0:cdf462088d13	6211	case MBEDTLS_SSL_MINOR_VERSION_2:
markrad	0:cdf462088d13	6212	return( "TLSv1.1" );
markrad	0:cdf462088d13	6213
markrad	0:cdf462088d13	6214	case MBEDTLS_SSL_MINOR_VERSION_3:
markrad	0:cdf462088d13	6215	return( "TLSv1.2" );
markrad	0:cdf462088d13	6216
markrad	0:cdf462088d13	6217	default:
markrad	0:cdf462088d13	6218	return( "unknown" );
markrad	0:cdf462088d13	6219	}
markrad	0:cdf462088d13	6220	}
markrad	0:cdf462088d13	6221
markrad	0:cdf462088d13	6222	int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6223	{
markrad	0:cdf462088d13	6224	size_t transform_expansion;
markrad	0:cdf462088d13	6225	const mbedtls_ssl_transform *transform = ssl->transform_out;
markrad	0:cdf462088d13	6226
markrad	0:cdf462088d13	6227	#if defined(MBEDTLS_ZLIB_SUPPORT)
markrad	0:cdf462088d13	6228	if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
markrad	0:cdf462088d13	6229	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad	0:cdf462088d13	6230	#endif
markrad	0:cdf462088d13	6231
markrad	0:cdf462088d13	6232	if( transform == NULL )
markrad	0:cdf462088d13	6233	return( (int) mbedtls_ssl_hdr_len( ssl ) );
markrad	0:cdf462088d13	6234
markrad	0:cdf462088d13	6235	switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
markrad	0:cdf462088d13	6236	{
markrad	0:cdf462088d13	6237	case MBEDTLS_MODE_GCM:
markrad	0:cdf462088d13	6238	case MBEDTLS_MODE_CCM:
markrad	0:cdf462088d13	6239	case MBEDTLS_MODE_STREAM:
markrad	0:cdf462088d13	6240	transform_expansion = transform->minlen;
markrad	0:cdf462088d13	6241	break;
markrad	0:cdf462088d13	6242
markrad	0:cdf462088d13	6243	case MBEDTLS_MODE_CBC:
markrad	0:cdf462088d13	6244	transform_expansion = transform->maclen
markrad	0:cdf462088d13	6245	+ mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc );
markrad	0:cdf462088d13	6246	break;
markrad	0:cdf462088d13	6247
markrad	0:cdf462088d13	6248	default:
markrad	0:cdf462088d13	6249	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	6250	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	6251	}
markrad	0:cdf462088d13	6252
markrad	0:cdf462088d13	6253	return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
markrad	0:cdf462088d13	6254	}
markrad	0:cdf462088d13	6255
markrad	0:cdf462088d13	6256	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad	0:cdf462088d13	6257	size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6258	{
markrad	0:cdf462088d13	6259	size_t max_len;
markrad	0:cdf462088d13	6260
markrad	0:cdf462088d13	6261	/*
markrad	0:cdf462088d13	6262	* Assume mfl_code is correct since it was checked when set
markrad	0:cdf462088d13	6263	*/
markrad	0:cdf462088d13	6264	max_len = mfl_code_to_length[ssl->conf->mfl_code];
markrad	0:cdf462088d13	6265
markrad	0:cdf462088d13	6266	/*
markrad	0:cdf462088d13	6267	* Check if a smaller max length was negotiated
markrad	0:cdf462088d13	6268	*/
markrad	0:cdf462088d13	6269	if( ssl->session_out != NULL &&
markrad	0:cdf462088d13	6270	mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
markrad	0:cdf462088d13	6271	{
markrad	0:cdf462088d13	6272	max_len = mfl_code_to_length[ssl->session_out->mfl_code];
markrad	0:cdf462088d13	6273	}
markrad	0:cdf462088d13	6274
markrad	0:cdf462088d13	6275	return max_len;
markrad	0:cdf462088d13	6276	}
markrad	0:cdf462088d13	6277	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad	0:cdf462088d13	6278
markrad	0:cdf462088d13	6279	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	6280	const mbedtls_x509_crt mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context ssl )
markrad	0:cdf462088d13	6281	{
markrad	0:cdf462088d13	6282	if( ssl == NULL \|\| ssl->session == NULL )
markrad	0:cdf462088d13	6283	return( NULL );
markrad	0:cdf462088d13	6284
markrad	0:cdf462088d13	6285	return( ssl->session->peer_cert );
markrad	0:cdf462088d13	6286	}
markrad	0:cdf462088d13	6287	#endif /* MBEDTLS_X509_CRT_PARSE_C */
markrad	0:cdf462088d13	6288
markrad	0:cdf462088d13	6289	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	6290	int mbedtls_ssl_get_session( const mbedtls_ssl_context ssl, mbedtls_ssl_session dst )
markrad	0:cdf462088d13	6291	{
markrad	0:cdf462088d13	6292	if( ssl == NULL \|\|
markrad	0:cdf462088d13	6293	dst == NULL \|\|
markrad	0:cdf462088d13	6294	ssl->session == NULL \|\|
markrad	0:cdf462088d13	6295	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	6296	{
markrad	0:cdf462088d13	6297	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6298	}
markrad	0:cdf462088d13	6299
markrad	0:cdf462088d13	6300	return( ssl_session_copy( dst, ssl->session ) );
markrad	0:cdf462088d13	6301	}
markrad	0:cdf462088d13	6302	#endif /* MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	6303
markrad	0:cdf462088d13	6304	/*
markrad	0:cdf462088d13	6305	* Perform a single step of the SSL handshake
markrad	0:cdf462088d13	6306	*/
markrad	0:cdf462088d13	6307	int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6308	{
markrad	0:cdf462088d13	6309	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
markrad	0:cdf462088d13	6310
markrad	0:cdf462088d13	6311	if( ssl == NULL \|\| ssl->conf == NULL )
markrad	0:cdf462088d13	6312	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6313
markrad	0:cdf462088d13	6314	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	6315	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	6316	ret = mbedtls_ssl_handshake_client_step( ssl );
markrad	0:cdf462088d13	6317	#endif
markrad	0:cdf462088d13	6318	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	6319	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	6320	ret = mbedtls_ssl_handshake_server_step( ssl );
markrad	0:cdf462088d13	6321	#endif
markrad	0:cdf462088d13	6322
markrad	0:cdf462088d13	6323	return( ret );
markrad	0:cdf462088d13	6324	}
markrad	0:cdf462088d13	6325
markrad	0:cdf462088d13	6326	/*
markrad	0:cdf462088d13	6327	* Perform the SSL handshake
markrad	0:cdf462088d13	6328	*/
markrad	0:cdf462088d13	6329	int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6330	{
markrad	0:cdf462088d13	6331	int ret = 0;
markrad	0:cdf462088d13	6332
markrad	0:cdf462088d13	6333	if( ssl == NULL \|\| ssl->conf == NULL )
markrad	0:cdf462088d13	6334	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6335
markrad	0:cdf462088d13	6336	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
markrad	0:cdf462088d13	6337
markrad	0:cdf462088d13	6338	while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	6339	{
markrad	0:cdf462088d13	6340	ret = mbedtls_ssl_handshake_step( ssl );
markrad	0:cdf462088d13	6341
markrad	0:cdf462088d13	6342	if( ret != 0 )
markrad	0:cdf462088d13	6343	break;
markrad	0:cdf462088d13	6344	}
markrad	0:cdf462088d13	6345
markrad	0:cdf462088d13	6346	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
markrad	0:cdf462088d13	6347
markrad	0:cdf462088d13	6348	return( ret );
markrad	0:cdf462088d13	6349	}
markrad	0:cdf462088d13	6350
markrad	0:cdf462088d13	6351	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	6352	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	6353	/*
markrad	0:cdf462088d13	6354	* Write HelloRequest to request renegotiation on server
markrad	0:cdf462088d13	6355	*/
markrad	0:cdf462088d13	6356	static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6357	{
markrad	0:cdf462088d13	6358	int ret;
markrad	0:cdf462088d13	6359
markrad	0:cdf462088d13	6360	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
markrad	0:cdf462088d13	6361
markrad	0:cdf462088d13	6362	ssl->out_msglen = 4;
markrad	0:cdf462088d13	6363	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	6364	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
markrad	0:cdf462088d13	6365
markrad	0:cdf462088d13	6366	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	6367	{
markrad	0:cdf462088d13	6368	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	6369	return( ret );
markrad	0:cdf462088d13	6370	}
markrad	0:cdf462088d13	6371
markrad	0:cdf462088d13	6372	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
markrad	0:cdf462088d13	6373
markrad	0:cdf462088d13	6374	return( 0 );
markrad	0:cdf462088d13	6375	}
markrad	0:cdf462088d13	6376	#endif /* MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	6377
markrad	0:cdf462088d13	6378	/*
markrad	0:cdf462088d13	6379	* Actually renegotiate current connection, triggered by either:
markrad	0:cdf462088d13	6380	* - any side: calling mbedtls_ssl_renegotiate(),
markrad	0:cdf462088d13	6381	* - client: receiving a HelloRequest during mbedtls_ssl_read(),
markrad	0:cdf462088d13	6382	* - server: receiving any handshake message on server during mbedtls_ssl_read() after
markrad	0:cdf462088d13	6383	* the initial handshake is completed.
markrad	0:cdf462088d13	6384	* If the handshake doesn't complete due to waiting for I/O, it will continue
markrad	0:cdf462088d13	6385	* during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
markrad	0:cdf462088d13	6386	*/
markrad	0:cdf462088d13	6387	static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6388	{
markrad	0:cdf462088d13	6389	int ret;
markrad	0:cdf462088d13	6390
markrad	0:cdf462088d13	6391	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
markrad	0:cdf462088d13	6392
markrad	0:cdf462088d13	6393	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
markrad	0:cdf462088d13	6394	return( ret );
markrad	0:cdf462088d13	6395
markrad	0:cdf462088d13	6396	/* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
markrad	0:cdf462088d13	6397	* the ServerHello will have message_seq = 1" */
markrad	0:cdf462088d13	6398	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	6399	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	6400	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
markrad	0:cdf462088d13	6401	{
markrad	0:cdf462088d13	6402	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	6403	ssl->handshake->out_msg_seq = 1;
markrad	0:cdf462088d13	6404	else
markrad	0:cdf462088d13	6405	ssl->handshake->in_msg_seq = 1;
markrad	0:cdf462088d13	6406	}
markrad	0:cdf462088d13	6407	#endif
markrad	0:cdf462088d13	6408
markrad	0:cdf462088d13	6409	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
markrad	0:cdf462088d13	6410	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
markrad	0:cdf462088d13	6411
markrad	0:cdf462088d13	6412	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
markrad	0:cdf462088d13	6413	{
markrad	0:cdf462088d13	6414	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
markrad	0:cdf462088d13	6415	return( ret );
markrad	0:cdf462088d13	6416	}
markrad	0:cdf462088d13	6417
markrad	0:cdf462088d13	6418	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
markrad	0:cdf462088d13	6419
markrad	0:cdf462088d13	6420	return( 0 );
markrad	0:cdf462088d13	6421	}
markrad	0:cdf462088d13	6422
markrad	0:cdf462088d13	6423	/*
markrad	0:cdf462088d13	6424	* Renegotiate current connection on client,
markrad	0:cdf462088d13	6425	* or request renegotiation on server
markrad	0:cdf462088d13	6426	*/
markrad	0:cdf462088d13	6427	int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6428	{
markrad	0:cdf462088d13	6429	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
markrad	0:cdf462088d13	6430
markrad	0:cdf462088d13	6431	if( ssl == NULL \|\| ssl->conf == NULL )
markrad	0:cdf462088d13	6432	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6433
markrad	0:cdf462088d13	6434	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	6435	/* On server, just send the request */
markrad	0:cdf462088d13	6436	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	6437	{
markrad	0:cdf462088d13	6438	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	6439	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6440
markrad	0:cdf462088d13	6441	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
markrad	0:cdf462088d13	6442
markrad	0:cdf462088d13	6443	/* Did we already try/start sending HelloRequest? */
markrad	0:cdf462088d13	6444	if( ssl->out_left != 0 )
markrad	0:cdf462088d13	6445	return( mbedtls_ssl_flush_output( ssl ) );
markrad	0:cdf462088d13	6446
markrad	0:cdf462088d13	6447	return( ssl_write_hello_request( ssl ) );
markrad	0:cdf462088d13	6448	}
markrad	0:cdf462088d13	6449	#endif /* MBEDTLS_SSL_SRV_C */
markrad	0:cdf462088d13	6450
markrad	0:cdf462088d13	6451	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	6452	/*
markrad	0:cdf462088d13	6453	* On client, either start the renegotiation process or,
markrad	0:cdf462088d13	6454	* if already in progress, continue the handshake
markrad	0:cdf462088d13	6455	*/
markrad	0:cdf462088d13	6456	if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad	0:cdf462088d13	6457	{
markrad	0:cdf462088d13	6458	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	6459	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6460
markrad	0:cdf462088d13	6461	if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
markrad	0:cdf462088d13	6462	{
markrad	0:cdf462088d13	6463	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
markrad	0:cdf462088d13	6464	return( ret );
markrad	0:cdf462088d13	6465	}
markrad	0:cdf462088d13	6466	}
markrad	0:cdf462088d13	6467	else
markrad	0:cdf462088d13	6468	{
markrad	0:cdf462088d13	6469	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
markrad	0:cdf462088d13	6470	{
markrad	0:cdf462088d13	6471	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
markrad	0:cdf462088d13	6472	return( ret );
markrad	0:cdf462088d13	6473	}
markrad	0:cdf462088d13	6474	}
markrad	0:cdf462088d13	6475	#endif /* MBEDTLS_SSL_CLI_C */
markrad	0:cdf462088d13	6476
markrad	0:cdf462088d13	6477	return( ret );
markrad	0:cdf462088d13	6478	}
markrad	0:cdf462088d13	6479
markrad	0:cdf462088d13	6480	/*
markrad	0:cdf462088d13	6481	* Check record counters and renegotiate if they're above the limit.
markrad	0:cdf462088d13	6482	*/
markrad	0:cdf462088d13	6483	static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6484	{
markrad	0:cdf462088d13	6485	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER \|\|
markrad	0:cdf462088d13	6486	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING \|\|
markrad	0:cdf462088d13	6487	ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
markrad	0:cdf462088d13	6488	{
markrad	0:cdf462088d13	6489	return( 0 );
markrad	0:cdf462088d13	6490	}
markrad	0:cdf462088d13	6491
markrad	0:cdf462088d13	6492	if( memcmp( ssl->in_ctr, ssl->conf->renego_period, 8 ) <= 0 &&
markrad	0:cdf462088d13	6493	memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 )
markrad	0:cdf462088d13	6494	{
markrad	0:cdf462088d13	6495	return( 0 );
markrad	0:cdf462088d13	6496	}
markrad	0:cdf462088d13	6497
markrad	0:cdf462088d13	6498	MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
markrad	0:cdf462088d13	6499	return( mbedtls_ssl_renegotiate( ssl ) );
markrad	0:cdf462088d13	6500	}
markrad	0:cdf462088d13	6501	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	6502
markrad	0:cdf462088d13	6503	/*
markrad	0:cdf462088d13	6504	* Receive application data decrypted from the SSL layer
markrad	0:cdf462088d13	6505	*/
markrad	0:cdf462088d13	6506	int mbedtls_ssl_read( mbedtls_ssl_context ssl, unsigned char buf, size_t len )
markrad	0:cdf462088d13	6507	{
markrad	0:cdf462088d13	6508	int ret, record_read = 0;
markrad	0:cdf462088d13	6509	size_t n;
markrad	0:cdf462088d13	6510
markrad	0:cdf462088d13	6511	if( ssl == NULL \|\| ssl->conf == NULL )
markrad	0:cdf462088d13	6512	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6513
markrad	0:cdf462088d13	6514	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
markrad	0:cdf462088d13	6515
markrad	0:cdf462088d13	6516	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	6517	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	6518	{
markrad	0:cdf462088d13	6519	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
markrad	0:cdf462088d13	6520	return( ret );
markrad	0:cdf462088d13	6521
markrad	0:cdf462088d13	6522	if( ssl->handshake != NULL &&
markrad	0:cdf462088d13	6523	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
markrad	0:cdf462088d13	6524	{
markrad	0:cdf462088d13	6525	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
markrad	0:cdf462088d13	6526	return( ret );
markrad	0:cdf462088d13	6527	}
markrad	0:cdf462088d13	6528	}
markrad	0:cdf462088d13	6529	#endif
markrad	0:cdf462088d13	6530
markrad	0:cdf462088d13	6531	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	6532	if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
markrad	0:cdf462088d13	6533	{
markrad	0:cdf462088d13	6534	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
markrad	0:cdf462088d13	6535	return( ret );
markrad	0:cdf462088d13	6536	}
markrad	0:cdf462088d13	6537	#endif
markrad	0:cdf462088d13	6538
markrad	0:cdf462088d13	6539	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	6540	{
markrad	0:cdf462088d13	6541	ret = mbedtls_ssl_handshake( ssl );
markrad	0:cdf462088d13	6542	if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
markrad	0:cdf462088d13	6543	{
markrad	0:cdf462088d13	6544	record_read = 1;
markrad	0:cdf462088d13	6545	}
markrad	0:cdf462088d13	6546	else if( ret != 0 )
markrad	0:cdf462088d13	6547	{
markrad	0:cdf462088d13	6548	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
markrad	0:cdf462088d13	6549	return( ret );
markrad	0:cdf462088d13	6550	}
markrad	0:cdf462088d13	6551	}
markrad	0:cdf462088d13	6552
markrad	0:cdf462088d13	6553	if( ssl->in_offt == NULL )
markrad	0:cdf462088d13	6554	{
markrad	0:cdf462088d13	6555	/* Start timer if not already running */
markrad	0:cdf462088d13	6556	if( ssl->f_get_timer != NULL &&
markrad	0:cdf462088d13	6557	ssl->f_get_timer( ssl->p_timer ) == -1 )
markrad	0:cdf462088d13	6558	{
markrad	0:cdf462088d13	6559	ssl_set_timer( ssl, ssl->conf->read_timeout );
markrad	0:cdf462088d13	6560	}
markrad	0:cdf462088d13	6561
markrad	0:cdf462088d13	6562	if( ! record_read )
markrad	0:cdf462088d13	6563	{
markrad	0:cdf462088d13	6564	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	6565	{
markrad	0:cdf462088d13	6566	if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
markrad	0:cdf462088d13	6567	return( 0 );
markrad	0:cdf462088d13	6568
markrad	0:cdf462088d13	6569	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
markrad	0:cdf462088d13	6570	return( ret );
markrad	0:cdf462088d13	6571	}
markrad	0:cdf462088d13	6572	}
markrad	0:cdf462088d13	6573
markrad	0:cdf462088d13	6574	if( ssl->in_msglen == 0 &&
markrad	0:cdf462088d13	6575	ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
markrad	0:cdf462088d13	6576	{
markrad	0:cdf462088d13	6577	/*
markrad	0:cdf462088d13	6578	* OpenSSL sends empty messages to randomize the IV
markrad	0:cdf462088d13	6579	*/
markrad	0:cdf462088d13	6580	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	6581	{
markrad	0:cdf462088d13	6582	if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
markrad	0:cdf462088d13	6583	return( 0 );
markrad	0:cdf462088d13	6584
markrad	0:cdf462088d13	6585	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
markrad	0:cdf462088d13	6586	return( ret );
markrad	0:cdf462088d13	6587	}
markrad	0:cdf462088d13	6588	}
markrad	0:cdf462088d13	6589
markrad	0:cdf462088d13	6590	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	6591	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
markrad	0:cdf462088d13	6592	{
markrad	0:cdf462088d13	6593	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
markrad	0:cdf462088d13	6594
markrad	0:cdf462088d13	6595	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	6596	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
markrad	0:cdf462088d13	6597	( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST \|\|
markrad	0:cdf462088d13	6598	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
markrad	0:cdf462088d13	6599	{
markrad	0:cdf462088d13	6600	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
markrad	0:cdf462088d13	6601
markrad	0:cdf462088d13	6602	/* With DTLS, drop the packet (probably from last handshake) */
markrad	0:cdf462088d13	6603	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	6604	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	6605	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	6606	#endif
markrad	0:cdf462088d13	6607	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
markrad	0:cdf462088d13	6608	}
markrad	0:cdf462088d13	6609
markrad	0:cdf462088d13	6610	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	6611	ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
markrad	0:cdf462088d13	6612	{
markrad	0:cdf462088d13	6613	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
markrad	0:cdf462088d13	6614
markrad	0:cdf462088d13	6615	/* With DTLS, drop the packet (probably from last handshake) */
markrad	0:cdf462088d13	6616	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	6617	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	6618	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	6619	#endif
markrad	0:cdf462088d13	6620	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
markrad	0:cdf462088d13	6621	}
markrad	0:cdf462088d13	6622	#endif
markrad	0:cdf462088d13	6623
markrad	0:cdf462088d13	6624	if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED \|\|
markrad	0:cdf462088d13	6625	( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
markrad	0:cdf462088d13	6626	ssl->conf->allow_legacy_renegotiation ==
markrad	0:cdf462088d13	6627	MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) )
markrad	0:cdf462088d13	6628	{
markrad	0:cdf462088d13	6629	MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
markrad	0:cdf462088d13	6630
markrad	0:cdf462088d13	6631	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	6632	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	6633	{
markrad	0:cdf462088d13	6634	/*
markrad	0:cdf462088d13	6635	* SSLv3 does not have a "no_renegotiation" alert
markrad	0:cdf462088d13	6636	*/
markrad	0:cdf462088d13	6637	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad	0:cdf462088d13	6638	return( ret );
markrad	0:cdf462088d13	6639	}
markrad	0:cdf462088d13	6640	else
markrad	0:cdf462088d13	6641	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
markrad	0:cdf462088d13	6642	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	6643	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	6644	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
markrad	0:cdf462088d13	6645	{
markrad	0:cdf462088d13	6646	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
markrad	0:cdf462088d13	6647	MBEDTLS_SSL_ALERT_LEVEL_WARNING,
markrad	0:cdf462088d13	6648	MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
markrad	0:cdf462088d13	6649	{
markrad	0:cdf462088d13	6650	return( ret );
markrad	0:cdf462088d13	6651	}
markrad	0:cdf462088d13	6652	}
markrad	0:cdf462088d13	6653	else
markrad	0:cdf462088d13	6654	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\|
markrad	0:cdf462088d13	6655	MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	6656	{
markrad	0:cdf462088d13	6657	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	6658	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	6659	}
markrad	0:cdf462088d13	6660	}
markrad	0:cdf462088d13	6661	else
markrad	0:cdf462088d13	6662	{
markrad	0:cdf462088d13	6663	/* DTLS clients need to know renego is server-initiated */
markrad	0:cdf462088d13	6664	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	6665	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	6666	ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	6667	{
markrad	0:cdf462088d13	6668	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
markrad	0:cdf462088d13	6669	}
markrad	0:cdf462088d13	6670	#endif
markrad	0:cdf462088d13	6671	ret = ssl_start_renegotiation( ssl );
markrad	0:cdf462088d13	6672	if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
markrad	0:cdf462088d13	6673	{
markrad	0:cdf462088d13	6674	record_read = 1;
markrad	0:cdf462088d13	6675	}
markrad	0:cdf462088d13	6676	else if( ret != 0 )
markrad	0:cdf462088d13	6677	{
markrad	0:cdf462088d13	6678	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
markrad	0:cdf462088d13	6679	return( ret );
markrad	0:cdf462088d13	6680	}
markrad	0:cdf462088d13	6681	}
markrad	0:cdf462088d13	6682
markrad	0:cdf462088d13	6683	/* If a non-handshake record was read during renego, fallthrough,
markrad	0:cdf462088d13	6684	* else tell the user they should call mbedtls_ssl_read() again */
markrad	0:cdf462088d13	6685	if( ! record_read )
markrad	0:cdf462088d13	6686	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	6687	}
markrad	0:cdf462088d13	6688	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
markrad	0:cdf462088d13	6689	{
markrad	0:cdf462088d13	6690
markrad	0:cdf462088d13	6691	if( ssl->conf->renego_max_records >= 0 )
markrad	0:cdf462088d13	6692	{
markrad	0:cdf462088d13	6693	if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
markrad	0:cdf462088d13	6694	{
markrad	0:cdf462088d13	6695	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
markrad	0:cdf462088d13	6696	"but not honored by client" ) );
markrad	0:cdf462088d13	6697	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
markrad	0:cdf462088d13	6698	}
markrad	0:cdf462088d13	6699	}
markrad	0:cdf462088d13	6700	}
markrad	0:cdf462088d13	6701	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	6702
markrad	0:cdf462088d13	6703	/* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
markrad	0:cdf462088d13	6704	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
markrad	0:cdf462088d13	6705	{
markrad	0:cdf462088d13	6706	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
markrad	0:cdf462088d13	6707	return( MBEDTLS_ERR_SSL_WANT_READ );
markrad	0:cdf462088d13	6708	}
markrad	0:cdf462088d13	6709
markrad	0:cdf462088d13	6710	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
markrad	0:cdf462088d13	6711	{
markrad	0:cdf462088d13	6712	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
markrad	0:cdf462088d13	6713	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
markrad	0:cdf462088d13	6714	}
markrad	0:cdf462088d13	6715
markrad	0:cdf462088d13	6716	ssl->in_offt = ssl->in_msg;
markrad	0:cdf462088d13	6717
markrad	0:cdf462088d13	6718	/* We're going to return something now, cancel timer,
markrad	0:cdf462088d13	6719	* except if handshake (renegotiation) is in progress */
markrad	0:cdf462088d13	6720	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	6721	ssl_set_timer( ssl, 0 );
markrad	0:cdf462088d13	6722
markrad	0:cdf462088d13	6723	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	6724	/* If we requested renego but received AppData, resend HelloRequest.
markrad	0:cdf462088d13	6725	* Do it now, after setting in_offt, to avoid taking this branch
markrad	0:cdf462088d13	6726	* again if ssl_write_hello_request() returns WANT_WRITE */
markrad	0:cdf462088d13	6727	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	6728	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
markrad	0:cdf462088d13	6729	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
markrad	0:cdf462088d13	6730	{
markrad	0:cdf462088d13	6731	if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
markrad	0:cdf462088d13	6732	{
markrad	0:cdf462088d13	6733	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
markrad	0:cdf462088d13	6734	return( ret );
markrad	0:cdf462088d13	6735	}
markrad	0:cdf462088d13	6736	}
markrad	0:cdf462088d13	6737	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	6738	#endif
markrad	0:cdf462088d13	6739	}
markrad	0:cdf462088d13	6740
markrad	0:cdf462088d13	6741	n = ( len < ssl->in_msglen )
markrad	0:cdf462088d13	6742	? len : ssl->in_msglen;
markrad	0:cdf462088d13	6743
markrad	0:cdf462088d13	6744	memcpy( buf, ssl->in_offt, n );
markrad	0:cdf462088d13	6745	ssl->in_msglen -= n;
markrad	0:cdf462088d13	6746
markrad	0:cdf462088d13	6747	if( ssl->in_msglen == 0 )
markrad	0:cdf462088d13	6748	/* all bytes consumed */
markrad	0:cdf462088d13	6749	ssl->in_offt = NULL;
markrad	0:cdf462088d13	6750	else
markrad	0:cdf462088d13	6751	/* more data available */
markrad	0:cdf462088d13	6752	ssl->in_offt += n;
markrad	0:cdf462088d13	6753
markrad	0:cdf462088d13	6754	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
markrad	0:cdf462088d13	6755
markrad	0:cdf462088d13	6756	return( (int) n );
markrad	0:cdf462088d13	6757	}
markrad	0:cdf462088d13	6758
markrad	0:cdf462088d13	6759	/*
markrad	0:cdf462088d13	6760	* Send application data to be encrypted by the SSL layer,
markrad	0:cdf462088d13	6761	* taking care of max fragment length and buffer size
markrad	0:cdf462088d13	6762	*/
markrad	0:cdf462088d13	6763	static int ssl_write_real( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	6764	const unsigned char *buf, size_t len )
markrad	0:cdf462088d13	6765	{
markrad	0:cdf462088d13	6766	int ret;
markrad	0:cdf462088d13	6767	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad	0:cdf462088d13	6768	size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
markrad	0:cdf462088d13	6769
markrad	0:cdf462088d13	6770	if( len > max_len )
markrad	0:cdf462088d13	6771	{
markrad	0:cdf462088d13	6772	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	6773	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	6774	{
markrad	0:cdf462088d13	6775	MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
markrad	0:cdf462088d13	6776	"maximum fragment length: %d > %d",
markrad	0:cdf462088d13	6777	len, max_len ) );
markrad	0:cdf462088d13	6778	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6779	}
markrad	0:cdf462088d13	6780	else
markrad	0:cdf462088d13	6781	#endif
markrad	0:cdf462088d13	6782	len = max_len;
markrad	0:cdf462088d13	6783	}
markrad	0:cdf462088d13	6784	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad	0:cdf462088d13	6785
markrad	0:cdf462088d13	6786	if( ssl->out_left != 0 )
markrad	0:cdf462088d13	6787	{
markrad	0:cdf462088d13	6788	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
markrad	0:cdf462088d13	6789	{
markrad	0:cdf462088d13	6790	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
markrad	0:cdf462088d13	6791	return( ret );
markrad	0:cdf462088d13	6792	}
markrad	0:cdf462088d13	6793	}
markrad	0:cdf462088d13	6794	else
markrad	0:cdf462088d13	6795	{
markrad	0:cdf462088d13	6796	ssl->out_msglen = len;
markrad	0:cdf462088d13	6797	ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
markrad	0:cdf462088d13	6798	memcpy( ssl->out_msg, buf, len );
markrad	0:cdf462088d13	6799
markrad	0:cdf462088d13	6800	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	6801	{
markrad	0:cdf462088d13	6802	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	6803	return( ret );
markrad	0:cdf462088d13	6804	}
markrad	0:cdf462088d13	6805	}
markrad	0:cdf462088d13	6806
markrad	0:cdf462088d13	6807	return( (int) len );
markrad	0:cdf462088d13	6808	}
markrad	0:cdf462088d13	6809
markrad	0:cdf462088d13	6810	/*
markrad	0:cdf462088d13	6811	* Write application data, doing 1/n-1 splitting if necessary.
markrad	0:cdf462088d13	6812	*
markrad	0:cdf462088d13	6813	* With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
markrad	0:cdf462088d13	6814	* then the caller will call us again with the same arguments, so
markrad	0:cdf462088d13	6815	* remember wether we already did the split or not.
markrad	0:cdf462088d13	6816	*/
markrad	0:cdf462088d13	6817	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
markrad	0:cdf462088d13	6818	static int ssl_write_split( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	6819	const unsigned char *buf, size_t len )
markrad	0:cdf462088d13	6820	{
markrad	0:cdf462088d13	6821	int ret;
markrad	0:cdf462088d13	6822
markrad	0:cdf462088d13	6823	if( ssl->conf->cbc_record_splitting ==
markrad	0:cdf462088d13	6824	MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED \|\|
markrad	0:cdf462088d13	6825	len <= 1 \|\|
markrad	0:cdf462088d13	6826	ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 \|\|
markrad	0:cdf462088d13	6827	mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
markrad	0:cdf462088d13	6828	!= MBEDTLS_MODE_CBC )
markrad	0:cdf462088d13	6829	{
markrad	0:cdf462088d13	6830	return( ssl_write_real( ssl, buf, len ) );
markrad	0:cdf462088d13	6831	}
markrad	0:cdf462088d13	6832
markrad	0:cdf462088d13	6833	if( ssl->split_done == 0 )
markrad	0:cdf462088d13	6834	{
markrad	0:cdf462088d13	6835	if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
markrad	0:cdf462088d13	6836	return( ret );
markrad	0:cdf462088d13	6837	ssl->split_done = 1;
markrad	0:cdf462088d13	6838	}
markrad	0:cdf462088d13	6839
markrad	0:cdf462088d13	6840	if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
markrad	0:cdf462088d13	6841	return( ret );
markrad	0:cdf462088d13	6842	ssl->split_done = 0;
markrad	0:cdf462088d13	6843
markrad	0:cdf462088d13	6844	return( ret + 1 );
markrad	0:cdf462088d13	6845	}
markrad	0:cdf462088d13	6846	#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
markrad	0:cdf462088d13	6847
markrad	0:cdf462088d13	6848	/*
markrad	0:cdf462088d13	6849	* Write application data (public-facing wrapper)
markrad	0:cdf462088d13	6850	*/
markrad	0:cdf462088d13	6851	int mbedtls_ssl_write( mbedtls_ssl_context ssl, const unsigned char buf, size_t len )
markrad	0:cdf462088d13	6852	{
markrad	0:cdf462088d13	6853	int ret;
markrad	0:cdf462088d13	6854
markrad	0:cdf462088d13	6855	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
markrad	0:cdf462088d13	6856
markrad	0:cdf462088d13	6857	if( ssl == NULL \|\| ssl->conf == NULL )
markrad	0:cdf462088d13	6858	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6859
markrad	0:cdf462088d13	6860	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	6861	if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
markrad	0:cdf462088d13	6862	{
markrad	0:cdf462088d13	6863	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
markrad	0:cdf462088d13	6864	return( ret );
markrad	0:cdf462088d13	6865	}
markrad	0:cdf462088d13	6866	#endif
markrad	0:cdf462088d13	6867
markrad	0:cdf462088d13	6868	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	6869	{
markrad	0:cdf462088d13	6870	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
markrad	0:cdf462088d13	6871	{
markrad	0:cdf462088d13	6872	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
markrad	0:cdf462088d13	6873	return( ret );
markrad	0:cdf462088d13	6874	}
markrad	0:cdf462088d13	6875	}
markrad	0:cdf462088d13	6876
markrad	0:cdf462088d13	6877	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
markrad	0:cdf462088d13	6878	ret = ssl_write_split( ssl, buf, len );
markrad	0:cdf462088d13	6879	#else
markrad	0:cdf462088d13	6880	ret = ssl_write_real( ssl, buf, len );
markrad	0:cdf462088d13	6881	#endif
markrad	0:cdf462088d13	6882
markrad	0:cdf462088d13	6883	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
markrad	0:cdf462088d13	6884
markrad	0:cdf462088d13	6885	return( ret );
markrad	0:cdf462088d13	6886	}
markrad	0:cdf462088d13	6887
markrad	0:cdf462088d13	6888	/*
markrad	0:cdf462088d13	6889	* Notify the peer that the connection is being closed
markrad	0:cdf462088d13	6890	*/
markrad	0:cdf462088d13	6891	int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	6892	{
markrad	0:cdf462088d13	6893	int ret;
markrad	0:cdf462088d13	6894
markrad	0:cdf462088d13	6895	if( ssl == NULL \|\| ssl->conf == NULL )
markrad	0:cdf462088d13	6896	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	6897
markrad	0:cdf462088d13	6898	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
markrad	0:cdf462088d13	6899
markrad	0:cdf462088d13	6900	if( ssl->out_left != 0 )
markrad	0:cdf462088d13	6901	return( mbedtls_ssl_flush_output( ssl ) );
markrad	0:cdf462088d13	6902
markrad	0:cdf462088d13	6903	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
markrad	0:cdf462088d13	6904	{
markrad	0:cdf462088d13	6905	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
markrad	0:cdf462088d13	6906	MBEDTLS_SSL_ALERT_LEVEL_WARNING,
markrad	0:cdf462088d13	6907	MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
markrad	0:cdf462088d13	6908	{
markrad	0:cdf462088d13	6909	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
markrad	0:cdf462088d13	6910	return( ret );
markrad	0:cdf462088d13	6911	}
markrad	0:cdf462088d13	6912	}
markrad	0:cdf462088d13	6913
markrad	0:cdf462088d13	6914	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
markrad	0:cdf462088d13	6915
markrad	0:cdf462088d13	6916	return( 0 );
markrad	0:cdf462088d13	6917	}
markrad	0:cdf462088d13	6918
markrad	0:cdf462088d13	6919	void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
markrad	0:cdf462088d13	6920	{
markrad	0:cdf462088d13	6921	if( transform == NULL )
markrad	0:cdf462088d13	6922	return;
markrad	0:cdf462088d13	6923
markrad	0:cdf462088d13	6924	#if defined(MBEDTLS_ZLIB_SUPPORT)
markrad	0:cdf462088d13	6925	deflateEnd( &transform->ctx_deflate );
markrad	0:cdf462088d13	6926	inflateEnd( &transform->ctx_inflate );
markrad	0:cdf462088d13	6927	#endif
markrad	0:cdf462088d13	6928
markrad	0:cdf462088d13	6929	mbedtls_cipher_free( &transform->cipher_ctx_enc );
markrad	0:cdf462088d13	6930	mbedtls_cipher_free( &transform->cipher_ctx_dec );
markrad	0:cdf462088d13	6931
markrad	0:cdf462088d13	6932	mbedtls_md_free( &transform->md_ctx_enc );
markrad	0:cdf462088d13	6933	mbedtls_md_free( &transform->md_ctx_dec );
markrad	0:cdf462088d13	6934
markrad	0:cdf462088d13	6935	mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
markrad	0:cdf462088d13	6936	}
markrad	0:cdf462088d13	6937
markrad	0:cdf462088d13	6938	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	6939	static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
markrad	0:cdf462088d13	6940	{
markrad	0:cdf462088d13	6941	mbedtls_ssl_key_cert cur = key_cert, next;
markrad	0:cdf462088d13	6942
markrad	0:cdf462088d13	6943	while( cur != NULL )
markrad	0:cdf462088d13	6944	{
markrad	0:cdf462088d13	6945	next = cur->next;
markrad	0:cdf462088d13	6946	mbedtls_free( cur );
markrad	0:cdf462088d13	6947	cur = next;
markrad	0:cdf462088d13	6948	}
markrad	0:cdf462088d13	6949	}
markrad	0:cdf462088d13	6950	#endif /* MBEDTLS_X509_CRT_PARSE_C */
markrad	0:cdf462088d13	6951
markrad	0:cdf462088d13	6952	void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
markrad	0:cdf462088d13	6953	{
markrad	0:cdf462088d13	6954	if( handshake == NULL )
markrad	0:cdf462088d13	6955	return;
markrad	0:cdf462088d13	6956
markrad	0:cdf462088d13	6957	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	6958	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	6959	mbedtls_md5_free( &handshake->fin_md5 );
markrad	0:cdf462088d13	6960	mbedtls_sha1_free( &handshake->fin_sha1 );
markrad	0:cdf462088d13	6961	#endif
markrad	0:cdf462088d13	6962	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	6963	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	6964	mbedtls_sha256_free( &handshake->fin_sha256 );
markrad	0:cdf462088d13	6965	#endif
markrad	0:cdf462088d13	6966	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	6967	mbedtls_sha512_free( &handshake->fin_sha512 );
markrad	0:cdf462088d13	6968	#endif
markrad	0:cdf462088d13	6969	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	6970
markrad	0:cdf462088d13	6971	#if defined(MBEDTLS_DHM_C)
markrad	0:cdf462088d13	6972	mbedtls_dhm_free( &handshake->dhm_ctx );
markrad	0:cdf462088d13	6973	#endif
markrad	0:cdf462088d13	6974	#if defined(MBEDTLS_ECDH_C)
markrad	0:cdf462088d13	6975	mbedtls_ecdh_free( &handshake->ecdh_ctx );
markrad	0:cdf462088d13	6976	#endif
markrad	0:cdf462088d13	6977	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	6978	mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
markrad	0:cdf462088d13	6979	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	6980	mbedtls_free( handshake->ecjpake_cache );
markrad	0:cdf462088d13	6981	handshake->ecjpake_cache = NULL;
markrad	0:cdf462088d13	6982	handshake->ecjpake_cache_len = 0;
markrad	0:cdf462088d13	6983	#endif
markrad	0:cdf462088d13	6984	#endif
markrad	0:cdf462088d13	6985
markrad	0:cdf462088d13	6986	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
markrad	0:cdf462088d13	6987	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	6988	/* explicit void pointer cast for buggy MS compiler */
markrad	0:cdf462088d13	6989	mbedtls_free( (void *) handshake->curves );
markrad	0:cdf462088d13	6990	#endif
markrad	0:cdf462088d13	6991
markrad	0:cdf462088d13	6992	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
markrad	0:cdf462088d13	6993	if( handshake->psk != NULL )
markrad	0:cdf462088d13	6994	{
markrad	0:cdf462088d13	6995	mbedtls_zeroize( handshake->psk, handshake->psk_len );
markrad	0:cdf462088d13	6996	mbedtls_free( handshake->psk );
markrad	0:cdf462088d13	6997	}
markrad	0:cdf462088d13	6998	#endif
markrad	0:cdf462088d13	6999
markrad	0:cdf462088d13	7000	#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
markrad	0:cdf462088d13	7001	defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	7002	/*
markrad	0:cdf462088d13	7003	* Free only the linked list wrapper, not the keys themselves
markrad	0:cdf462088d13	7004	* since the belong to the SNI callback
markrad	0:cdf462088d13	7005	*/
markrad	0:cdf462088d13	7006	if( handshake->sni_key_cert != NULL )
markrad	0:cdf462088d13	7007	{
markrad	0:cdf462088d13	7008	mbedtls_ssl_key_cert cur = handshake->sni_key_cert, next;
markrad	0:cdf462088d13	7009
markrad	0:cdf462088d13	7010	while( cur != NULL )
markrad	0:cdf462088d13	7011	{
markrad	0:cdf462088d13	7012	next = cur->next;
markrad	0:cdf462088d13	7013	mbedtls_free( cur );
markrad	0:cdf462088d13	7014	cur = next;
markrad	0:cdf462088d13	7015	}
markrad	0:cdf462088d13	7016	}
markrad	0:cdf462088d13	7017	#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
markrad	0:cdf462088d13	7018
markrad	0:cdf462088d13	7019	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	7020	mbedtls_free( handshake->verify_cookie );
markrad	0:cdf462088d13	7021	mbedtls_free( handshake->hs_msg );
markrad	0:cdf462088d13	7022	ssl_flight_free( handshake->flight );
markrad	0:cdf462088d13	7023	#endif
markrad	0:cdf462088d13	7024
markrad	0:cdf462088d13	7025	mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) );
markrad	0:cdf462088d13	7026	}
markrad	0:cdf462088d13	7027
markrad	0:cdf462088d13	7028	void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
markrad	0:cdf462088d13	7029	{
markrad	0:cdf462088d13	7030	if( session == NULL )
markrad	0:cdf462088d13	7031	return;
markrad	0:cdf462088d13	7032
markrad	0:cdf462088d13	7033	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	7034	if( session->peer_cert != NULL )
markrad	0:cdf462088d13	7035	{
markrad	0:cdf462088d13	7036	mbedtls_x509_crt_free( session->peer_cert );
markrad	0:cdf462088d13	7037	mbedtls_free( session->peer_cert );
markrad	0:cdf462088d13	7038	}
markrad	0:cdf462088d13	7039	#endif
markrad	0:cdf462088d13	7040
markrad	0:cdf462088d13	7041	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	7042	mbedtls_free( session->ticket );
markrad	0:cdf462088d13	7043	#endif
markrad	0:cdf462088d13	7044
markrad	0:cdf462088d13	7045	mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) );
markrad	0:cdf462088d13	7046	}
markrad	0:cdf462088d13	7047
markrad	0:cdf462088d13	7048	/*
markrad	0:cdf462088d13	7049	* Free an SSL context
markrad	0:cdf462088d13	7050	*/
markrad	0:cdf462088d13	7051	void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	7052	{
markrad	0:cdf462088d13	7053	if( ssl == NULL )
markrad	0:cdf462088d13	7054	return;
markrad	0:cdf462088d13	7055
markrad	0:cdf462088d13	7056	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
markrad	0:cdf462088d13	7057
markrad	0:cdf462088d13	7058	if( ssl->out_buf != NULL )
markrad	0:cdf462088d13	7059	{
markrad	0:cdf462088d13	7060	mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
markrad	0:cdf462088d13	7061	mbedtls_free( ssl->out_buf );
markrad	0:cdf462088d13	7062	}
markrad	0:cdf462088d13	7063
markrad	0:cdf462088d13	7064	if( ssl->in_buf != NULL )
markrad	0:cdf462088d13	7065	{
markrad	0:cdf462088d13	7066	mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
markrad	0:cdf462088d13	7067	mbedtls_free( ssl->in_buf );
markrad	0:cdf462088d13	7068	}
markrad	0:cdf462088d13	7069
markrad	0:cdf462088d13	7070	#if defined(MBEDTLS_ZLIB_SUPPORT)
markrad	0:cdf462088d13	7071	if( ssl->compress_buf != NULL )
markrad	0:cdf462088d13	7072	{
markrad	0:cdf462088d13	7073	mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
markrad	0:cdf462088d13	7074	mbedtls_free( ssl->compress_buf );
markrad	0:cdf462088d13	7075	}
markrad	0:cdf462088d13	7076	#endif
markrad	0:cdf462088d13	7077
markrad	0:cdf462088d13	7078	if( ssl->transform )
markrad	0:cdf462088d13	7079	{
markrad	0:cdf462088d13	7080	mbedtls_ssl_transform_free( ssl->transform );
markrad	0:cdf462088d13	7081	mbedtls_free( ssl->transform );
markrad	0:cdf462088d13	7082	}
markrad	0:cdf462088d13	7083
markrad	0:cdf462088d13	7084	if( ssl->handshake )
markrad	0:cdf462088d13	7085	{
markrad	0:cdf462088d13	7086	mbedtls_ssl_handshake_free( ssl->handshake );
markrad	0:cdf462088d13	7087	mbedtls_ssl_transform_free( ssl->transform_negotiate );
markrad	0:cdf462088d13	7088	mbedtls_ssl_session_free( ssl->session_negotiate );
markrad	0:cdf462088d13	7089
markrad	0:cdf462088d13	7090	mbedtls_free( ssl->handshake );
markrad	0:cdf462088d13	7091	mbedtls_free( ssl->transform_negotiate );
markrad	0:cdf462088d13	7092	mbedtls_free( ssl->session_negotiate );
markrad	0:cdf462088d13	7093	}
markrad	0:cdf462088d13	7094
markrad	0:cdf462088d13	7095	if( ssl->session )
markrad	0:cdf462088d13	7096	{
markrad	0:cdf462088d13	7097	mbedtls_ssl_session_free( ssl->session );
markrad	0:cdf462088d13	7098	mbedtls_free( ssl->session );
markrad	0:cdf462088d13	7099	}
markrad	0:cdf462088d13	7100
markrad	0:cdf462088d13	7101	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	7102	if( ssl->hostname != NULL )
markrad	0:cdf462088d13	7103	{
markrad	0:cdf462088d13	7104	mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
markrad	0:cdf462088d13	7105	mbedtls_free( ssl->hostname );
markrad	0:cdf462088d13	7106	}
markrad	0:cdf462088d13	7107	#endif
markrad	0:cdf462088d13	7108
markrad	0:cdf462088d13	7109	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
markrad	0:cdf462088d13	7110	if( mbedtls_ssl_hw_record_finish != NULL )
markrad	0:cdf462088d13	7111	{
markrad	0:cdf462088d13	7112	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
markrad	0:cdf462088d13	7113	mbedtls_ssl_hw_record_finish( ssl );
markrad	0:cdf462088d13	7114	}
markrad	0:cdf462088d13	7115	#endif
markrad	0:cdf462088d13	7116
markrad	0:cdf462088d13	7117	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	7118	mbedtls_free( ssl->cli_id );
markrad	0:cdf462088d13	7119	#endif
markrad	0:cdf462088d13	7120
markrad	0:cdf462088d13	7121	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
markrad	0:cdf462088d13	7122
markrad	0:cdf462088d13	7123	/* Actually clear after last debug message */
markrad	0:cdf462088d13	7124	mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
markrad	0:cdf462088d13	7125	}
markrad	0:cdf462088d13	7126
markrad	0:cdf462088d13	7127	/*
markrad	0:cdf462088d13	7128	* Initialze mbedtls_ssl_config
markrad	0:cdf462088d13	7129	*/
markrad	0:cdf462088d13	7130	void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
markrad	0:cdf462088d13	7131	{
markrad	0:cdf462088d13	7132	memset( conf, 0, sizeof( mbedtls_ssl_config ) );
markrad	0:cdf462088d13	7133	}
markrad	0:cdf462088d13	7134
markrad	0:cdf462088d13	7135	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad	0:cdf462088d13	7136	static int ssl_preset_default_hashes[] = {
markrad	0:cdf462088d13	7137	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	7138	MBEDTLS_MD_SHA512,
markrad	0:cdf462088d13	7139	MBEDTLS_MD_SHA384,
markrad	0:cdf462088d13	7140	#endif
markrad	0:cdf462088d13	7141	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	7142	MBEDTLS_MD_SHA256,
markrad	0:cdf462088d13	7143	MBEDTLS_MD_SHA224,
markrad	0:cdf462088d13	7144	#endif
markrad	0:cdf462088d13	7145	#if defined(MBEDTLS_SHA1_C)
markrad	0:cdf462088d13	7146	MBEDTLS_MD_SHA1,
markrad	0:cdf462088d13	7147	#endif
markrad	0:cdf462088d13	7148	MBEDTLS_MD_NONE
markrad	0:cdf462088d13	7149	};
markrad	0:cdf462088d13	7150	#endif
markrad	0:cdf462088d13	7151
markrad	0:cdf462088d13	7152	static int ssl_preset_suiteb_ciphersuites[] = {
markrad	0:cdf462088d13	7153	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
markrad	0:cdf462088d13	7154	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
markrad	0:cdf462088d13	7155	0
markrad	0:cdf462088d13	7156	};
markrad	0:cdf462088d13	7157
markrad	0:cdf462088d13	7158	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad	0:cdf462088d13	7159	static int ssl_preset_suiteb_hashes[] = {
markrad	0:cdf462088d13	7160	MBEDTLS_MD_SHA256,
markrad	0:cdf462088d13	7161	MBEDTLS_MD_SHA384,
markrad	0:cdf462088d13	7162	MBEDTLS_MD_NONE
markrad	0:cdf462088d13	7163	};
markrad	0:cdf462088d13	7164	#endif
markrad	0:cdf462088d13	7165
markrad	0:cdf462088d13	7166	#if defined(MBEDTLS_ECP_C)
markrad	0:cdf462088d13	7167	static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
markrad	0:cdf462088d13	7168	MBEDTLS_ECP_DP_SECP256R1,
markrad	0:cdf462088d13	7169	MBEDTLS_ECP_DP_SECP384R1,
markrad	0:cdf462088d13	7170	MBEDTLS_ECP_DP_NONE
markrad	0:cdf462088d13	7171	};
markrad	0:cdf462088d13	7172	#endif
markrad	0:cdf462088d13	7173
markrad	0:cdf462088d13	7174	/*
markrad	0:cdf462088d13	7175	* Load default in mbedtls_ssl_config
markrad	0:cdf462088d13	7176	*/
markrad	0:cdf462088d13	7177	int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	7178	int endpoint, int transport, int preset )
markrad	0:cdf462088d13	7179	{
markrad	0:cdf462088d13	7180	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	7181	int ret;
markrad	0:cdf462088d13	7182	#endif
markrad	0:cdf462088d13	7183
markrad	0:cdf462088d13	7184	/* Use the functions here so that they are covered in tests,
markrad	0:cdf462088d13	7185	* but otherwise access member directly for efficiency */
markrad	0:cdf462088d13	7186	mbedtls_ssl_conf_endpoint( conf, endpoint );
markrad	0:cdf462088d13	7187	mbedtls_ssl_conf_transport( conf, transport );
markrad	0:cdf462088d13	7188
markrad	0:cdf462088d13	7189	/*
markrad	0:cdf462088d13	7190	* Things that are common to all presets
markrad	0:cdf462088d13	7191	*/
markrad	0:cdf462088d13	7192	#if defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	7193	if( endpoint == MBEDTLS_SSL_IS_CLIENT )
markrad	0:cdf462088d13	7194	{
markrad	0:cdf462088d13	7195	conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
markrad	0:cdf462088d13	7196	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	7197	conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
markrad	0:cdf462088d13	7198	#endif
markrad	0:cdf462088d13	7199	}
markrad	0:cdf462088d13	7200	#endif
markrad	0:cdf462088d13	7201
markrad	0:cdf462088d13	7202	#if defined(MBEDTLS_ARC4_C)
markrad	0:cdf462088d13	7203	conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
markrad	0:cdf462088d13	7204	#endif
markrad	0:cdf462088d13	7205
markrad	0:cdf462088d13	7206	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	7207	conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
markrad	0:cdf462088d13	7208	#endif
markrad	0:cdf462088d13	7209
markrad	0:cdf462088d13	7210	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad	0:cdf462088d13	7211	conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
markrad	0:cdf462088d13	7212	#endif
markrad	0:cdf462088d13	7213
markrad	0:cdf462088d13	7214	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
markrad	0:cdf462088d13	7215	conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
markrad	0:cdf462088d13	7216	#endif
markrad	0:cdf462088d13	7217
markrad	0:cdf462088d13	7218	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	7219	conf->f_cookie_write = ssl_cookie_write_dummy;
markrad	0:cdf462088d13	7220	conf->f_cookie_check = ssl_cookie_check_dummy;
markrad	0:cdf462088d13	7221	#endif
markrad	0:cdf462088d13	7222
markrad	0:cdf462088d13	7223	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	7224	conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
markrad	0:cdf462088d13	7225	#endif
markrad	0:cdf462088d13	7226
markrad	0:cdf462088d13	7227	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	7228	conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
markrad	0:cdf462088d13	7229	conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
markrad	0:cdf462088d13	7230	#endif
markrad	0:cdf462088d13	7231
markrad	0:cdf462088d13	7232	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	7233	conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
markrad	0:cdf462088d13	7234	memset( conf->renego_period, 0xFF, 7 );
markrad	0:cdf462088d13	7235	conf->renego_period[7] = 0x00;
markrad	0:cdf462088d13	7236	#endif
markrad	0:cdf462088d13	7237
markrad	0:cdf462088d13	7238	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	7239	if( endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	7240	{
markrad	0:cdf462088d13	7241	if( ( ret = mbedtls_ssl_conf_dh_param( conf,
markrad	0:cdf462088d13	7242	MBEDTLS_DHM_RFC5114_MODP_2048_P,
markrad	0:cdf462088d13	7243	MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
markrad	0:cdf462088d13	7244	{
markrad	0:cdf462088d13	7245	return( ret );
markrad	0:cdf462088d13	7246	}
markrad	0:cdf462088d13	7247	}
markrad	0:cdf462088d13	7248	#endif
markrad	0:cdf462088d13	7249
markrad	0:cdf462088d13	7250	/*
markrad	0:cdf462088d13	7251	* Preset-specific defaults
markrad	0:cdf462088d13	7252	*/
markrad	0:cdf462088d13	7253	switch( preset )
markrad	0:cdf462088d13	7254	{
markrad	0:cdf462088d13	7255	/*
markrad	0:cdf462088d13	7256	* NSA Suite B
markrad	0:cdf462088d13	7257	*/
markrad	0:cdf462088d13	7258	case MBEDTLS_SSL_PRESET_SUITEB:
markrad	0:cdf462088d13	7259	conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
markrad	0:cdf462088d13	7260	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
markrad	0:cdf462088d13	7261	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
markrad	0:cdf462088d13	7262	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
markrad	0:cdf462088d13	7263
markrad	0:cdf462088d13	7264	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
markrad	0:cdf462088d13	7265	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
markrad	0:cdf462088d13	7266	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
markrad	0:cdf462088d13	7267	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
markrad	0:cdf462088d13	7268	ssl_preset_suiteb_ciphersuites;
markrad	0:cdf462088d13	7269
markrad	0:cdf462088d13	7270	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	7271	conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
markrad	0:cdf462088d13	7272	#endif
markrad	0:cdf462088d13	7273
markrad	0:cdf462088d13	7274	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad	0:cdf462088d13	7275	conf->sig_hashes = ssl_preset_suiteb_hashes;
markrad	0:cdf462088d13	7276	#endif
markrad	0:cdf462088d13	7277
markrad	0:cdf462088d13	7278	#if defined(MBEDTLS_ECP_C)
markrad	0:cdf462088d13	7279	conf->curve_list = ssl_preset_suiteb_curves;
markrad	0:cdf462088d13	7280	#endif
markrad	0:cdf462088d13	7281	break;
markrad	0:cdf462088d13	7282
markrad	0:cdf462088d13	7283	/*
markrad	0:cdf462088d13	7284	* Default
markrad	0:cdf462088d13	7285	*/
markrad	0:cdf462088d13	7286	default:
markrad	0:cdf462088d13	7287	conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
markrad	0:cdf462088d13	7288	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
markrad	0:cdf462088d13	7289	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
markrad	0:cdf462088d13	7290	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
markrad	0:cdf462088d13	7291
markrad	0:cdf462088d13	7292	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	7293	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	7294	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
markrad	0:cdf462088d13	7295	#endif
markrad	0:cdf462088d13	7296
markrad	0:cdf462088d13	7297	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
markrad	0:cdf462088d13	7298	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
markrad	0:cdf462088d13	7299	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
markrad	0:cdf462088d13	7300	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
markrad	0:cdf462088d13	7301	mbedtls_ssl_list_ciphersuites();
markrad	0:cdf462088d13	7302
markrad	0:cdf462088d13	7303	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	7304	conf->cert_profile = &mbedtls_x509_crt_profile_default;
markrad	0:cdf462088d13	7305	#endif
markrad	0:cdf462088d13	7306
markrad	0:cdf462088d13	7307	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad	0:cdf462088d13	7308	conf->sig_hashes = ssl_preset_default_hashes;
markrad	0:cdf462088d13	7309	#endif
markrad	0:cdf462088d13	7310
markrad	0:cdf462088d13	7311	#if defined(MBEDTLS_ECP_C)
markrad	0:cdf462088d13	7312	conf->curve_list = mbedtls_ecp_grp_id_list();
markrad	0:cdf462088d13	7313	#endif
markrad	0:cdf462088d13	7314
markrad	0:cdf462088d13	7315	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
markrad	0:cdf462088d13	7316	conf->dhm_min_bitlen = 1024;
markrad	0:cdf462088d13	7317	#endif
markrad	0:cdf462088d13	7318	}
markrad	0:cdf462088d13	7319
markrad	0:cdf462088d13	7320	return( 0 );
markrad	0:cdf462088d13	7321	}
markrad	0:cdf462088d13	7322
markrad	0:cdf462088d13	7323	/*
markrad	0:cdf462088d13	7324	* Free mbedtls_ssl_config
markrad	0:cdf462088d13	7325	*/
markrad	0:cdf462088d13	7326	void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
markrad	0:cdf462088d13	7327	{
markrad	0:cdf462088d13	7328	#if defined(MBEDTLS_DHM_C)
markrad	0:cdf462088d13	7329	mbedtls_mpi_free( &conf->dhm_P );
markrad	0:cdf462088d13	7330	mbedtls_mpi_free( &conf->dhm_G );
markrad	0:cdf462088d13	7331	#endif
markrad	0:cdf462088d13	7332
markrad	0:cdf462088d13	7333	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
markrad	0:cdf462088d13	7334	if( conf->psk != NULL )
markrad	0:cdf462088d13	7335	{
markrad	0:cdf462088d13	7336	mbedtls_zeroize( conf->psk, conf->psk_len );
markrad	0:cdf462088d13	7337	mbedtls_zeroize( conf->psk_identity, conf->psk_identity_len );
markrad	0:cdf462088d13	7338	mbedtls_free( conf->psk );
markrad	0:cdf462088d13	7339	mbedtls_free( conf->psk_identity );
markrad	0:cdf462088d13	7340	conf->psk_len = 0;
markrad	0:cdf462088d13	7341	conf->psk_identity_len = 0;
markrad	0:cdf462088d13	7342	}
markrad	0:cdf462088d13	7343	#endif
markrad	0:cdf462088d13	7344
markrad	0:cdf462088d13	7345	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	7346	ssl_key_cert_free( conf->key_cert );
markrad	0:cdf462088d13	7347	#endif
markrad	0:cdf462088d13	7348
markrad	0:cdf462088d13	7349	mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) );
markrad	0:cdf462088d13	7350	}
markrad	0:cdf462088d13	7351
markrad	0:cdf462088d13	7352	#if defined(MBEDTLS_PK_C) && \
markrad	0:cdf462088d13	7353	( defined(MBEDTLS_RSA_C) \|\| defined(MBEDTLS_ECDSA_C) )
markrad	0:cdf462088d13	7354	/*
markrad	0:cdf462088d13	7355	* Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
markrad	0:cdf462088d13	7356	*/
markrad	0:cdf462088d13	7357	unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
markrad	0:cdf462088d13	7358	{
markrad	0:cdf462088d13	7359	#if defined(MBEDTLS_RSA_C)
markrad	0:cdf462088d13	7360	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
markrad	0:cdf462088d13	7361	return( MBEDTLS_SSL_SIG_RSA );
markrad	0:cdf462088d13	7362	#endif
markrad	0:cdf462088d13	7363	#if defined(MBEDTLS_ECDSA_C)
markrad	0:cdf462088d13	7364	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
markrad	0:cdf462088d13	7365	return( MBEDTLS_SSL_SIG_ECDSA );
markrad	0:cdf462088d13	7366	#endif
markrad	0:cdf462088d13	7367	return( MBEDTLS_SSL_SIG_ANON );
markrad	0:cdf462088d13	7368	}
markrad	0:cdf462088d13	7369
markrad	0:cdf462088d13	7370	mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
markrad	0:cdf462088d13	7371	{
markrad	0:cdf462088d13	7372	switch( sig )
markrad	0:cdf462088d13	7373	{
markrad	0:cdf462088d13	7374	#if defined(MBEDTLS_RSA_C)
markrad	0:cdf462088d13	7375	case MBEDTLS_SSL_SIG_RSA:
markrad	0:cdf462088d13	7376	return( MBEDTLS_PK_RSA );
markrad	0:cdf462088d13	7377	#endif
markrad	0:cdf462088d13	7378	#if defined(MBEDTLS_ECDSA_C)
markrad	0:cdf462088d13	7379	case MBEDTLS_SSL_SIG_ECDSA:
markrad	0:cdf462088d13	7380	return( MBEDTLS_PK_ECDSA );
markrad	0:cdf462088d13	7381	#endif
markrad	0:cdf462088d13	7382	default:
markrad	0:cdf462088d13	7383	return( MBEDTLS_PK_NONE );
markrad	0:cdf462088d13	7384	}
markrad	0:cdf462088d13	7385	}
markrad	0:cdf462088d13	7386	#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C \|\| MBEDTLS_ECDSA_C ) */
markrad	0:cdf462088d13	7387
markrad	0:cdf462088d13	7388	/*
markrad	0:cdf462088d13	7389	* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
markrad	0:cdf462088d13	7390	*/
markrad	0:cdf462088d13	7391	mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
markrad	0:cdf462088d13	7392	{
markrad	0:cdf462088d13	7393	switch( hash )
markrad	0:cdf462088d13	7394	{
markrad	0:cdf462088d13	7395	#if defined(MBEDTLS_MD5_C)
markrad	0:cdf462088d13	7396	case MBEDTLS_SSL_HASH_MD5:
markrad	0:cdf462088d13	7397	return( MBEDTLS_MD_MD5 );
markrad	0:cdf462088d13	7398	#endif
markrad	0:cdf462088d13	7399	#if defined(MBEDTLS_SHA1_C)
markrad	0:cdf462088d13	7400	case MBEDTLS_SSL_HASH_SHA1:
markrad	0:cdf462088d13	7401	return( MBEDTLS_MD_SHA1 );
markrad	0:cdf462088d13	7402	#endif
markrad	0:cdf462088d13	7403	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	7404	case MBEDTLS_SSL_HASH_SHA224:
markrad	0:cdf462088d13	7405	return( MBEDTLS_MD_SHA224 );
markrad	0:cdf462088d13	7406	case MBEDTLS_SSL_HASH_SHA256:
markrad	0:cdf462088d13	7407	return( MBEDTLS_MD_SHA256 );
markrad	0:cdf462088d13	7408	#endif
markrad	0:cdf462088d13	7409	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	7410	case MBEDTLS_SSL_HASH_SHA384:
markrad	0:cdf462088d13	7411	return( MBEDTLS_MD_SHA384 );
markrad	0:cdf462088d13	7412	case MBEDTLS_SSL_HASH_SHA512:
markrad	0:cdf462088d13	7413	return( MBEDTLS_MD_SHA512 );
markrad	0:cdf462088d13	7414	#endif
markrad	0:cdf462088d13	7415	default:
markrad	0:cdf462088d13	7416	return( MBEDTLS_MD_NONE );
markrad	0:cdf462088d13	7417	}
markrad	0:cdf462088d13	7418	}
markrad	0:cdf462088d13	7419
markrad	0:cdf462088d13	7420	/*
markrad	0:cdf462088d13	7421	* Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
markrad	0:cdf462088d13	7422	*/
markrad	0:cdf462088d13	7423	unsigned char mbedtls_ssl_hash_from_md_alg( int md )
markrad	0:cdf462088d13	7424	{
markrad	0:cdf462088d13	7425	switch( md )
markrad	0:cdf462088d13	7426	{
markrad	0:cdf462088d13	7427	#if defined(MBEDTLS_MD5_C)
markrad	0:cdf462088d13	7428	case MBEDTLS_MD_MD5:
markrad	0:cdf462088d13	7429	return( MBEDTLS_SSL_HASH_MD5 );
markrad	0:cdf462088d13	7430	#endif
markrad	0:cdf462088d13	7431	#if defined(MBEDTLS_SHA1_C)
markrad	0:cdf462088d13	7432	case MBEDTLS_MD_SHA1:
markrad	0:cdf462088d13	7433	return( MBEDTLS_SSL_HASH_SHA1 );
markrad	0:cdf462088d13	7434	#endif
markrad	0:cdf462088d13	7435	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	7436	case MBEDTLS_MD_SHA224:
markrad	0:cdf462088d13	7437	return( MBEDTLS_SSL_HASH_SHA224 );
markrad	0:cdf462088d13	7438	case MBEDTLS_MD_SHA256:
markrad	0:cdf462088d13	7439	return( MBEDTLS_SSL_HASH_SHA256 );
markrad	0:cdf462088d13	7440	#endif
markrad	0:cdf462088d13	7441	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	7442	case MBEDTLS_MD_SHA384:
markrad	0:cdf462088d13	7443	return( MBEDTLS_SSL_HASH_SHA384 );
markrad	0:cdf462088d13	7444	case MBEDTLS_MD_SHA512:
markrad	0:cdf462088d13	7445	return( MBEDTLS_SSL_HASH_SHA512 );
markrad	0:cdf462088d13	7446	#endif
markrad	0:cdf462088d13	7447	default:
markrad	0:cdf462088d13	7448	return( MBEDTLS_SSL_HASH_NONE );
markrad	0:cdf462088d13	7449	}
markrad	0:cdf462088d13	7450	}
markrad	0:cdf462088d13	7451
markrad	0:cdf462088d13	7452	#if defined(MBEDTLS_ECP_C)
markrad	0:cdf462088d13	7453	/*
markrad	0:cdf462088d13	7454	* Check if a curve proposed by the peer is in our list.
markrad	0:cdf462088d13	7455	* Return 0 if we're willing to use it, -1 otherwise.
markrad	0:cdf462088d13	7456	*/
markrad	0:cdf462088d13	7457	int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
markrad	0:cdf462088d13	7458	{
markrad	0:cdf462088d13	7459	const mbedtls_ecp_group_id *gid;
markrad	0:cdf462088d13	7460
markrad	0:cdf462088d13	7461	if( ssl->conf->curve_list == NULL )
markrad	0:cdf462088d13	7462	return( -1 );
markrad	0:cdf462088d13	7463
markrad	0:cdf462088d13	7464	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
markrad	0:cdf462088d13	7465	if( *gid == grp_id )
markrad	0:cdf462088d13	7466	return( 0 );
markrad	0:cdf462088d13	7467
markrad	0:cdf462088d13	7468	return( -1 );
markrad	0:cdf462088d13	7469	}
markrad	0:cdf462088d13	7470	#endif /* MBEDTLS_ECP_C */
markrad	0:cdf462088d13	7471
markrad	0:cdf462088d13	7472	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad	0:cdf462088d13	7473	/*
markrad	0:cdf462088d13	7474	* Check if a hash proposed by the peer is in our list.
markrad	0:cdf462088d13	7475	* Return 0 if we're willing to use it, -1 otherwise.
markrad	0:cdf462088d13	7476	*/
markrad	0:cdf462088d13	7477	int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	7478	mbedtls_md_type_t md )
markrad	0:cdf462088d13	7479	{
markrad	0:cdf462088d13	7480	const int *cur;
markrad	0:cdf462088d13	7481
markrad	0:cdf462088d13	7482	if( ssl->conf->sig_hashes == NULL )
markrad	0:cdf462088d13	7483	return( -1 );
markrad	0:cdf462088d13	7484
markrad	0:cdf462088d13	7485	for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
markrad	0:cdf462088d13	7486	if( *cur == (int) md )
markrad	0:cdf462088d13	7487	return( 0 );
markrad	0:cdf462088d13	7488
markrad	0:cdf462088d13	7489	return( -1 );
markrad	0:cdf462088d13	7490	}
markrad	0:cdf462088d13	7491	#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
markrad	0:cdf462088d13	7492
markrad	0:cdf462088d13	7493	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	7494	int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
markrad	0:cdf462088d13	7495	const mbedtls_ssl_ciphersuite_t *ciphersuite,
markrad	0:cdf462088d13	7496	int cert_endpoint,
markrad	0:cdf462088d13	7497	uint32_t *flags )
markrad	0:cdf462088d13	7498	{
markrad	0:cdf462088d13	7499	int ret = 0;
markrad	0:cdf462088d13	7500	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
markrad	0:cdf462088d13	7501	int usage = 0;
markrad	0:cdf462088d13	7502	#endif
markrad	0:cdf462088d13	7503	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
markrad	0:cdf462088d13	7504	const char *ext_oid;
markrad	0:cdf462088d13	7505	size_t ext_len;
markrad	0:cdf462088d13	7506	#endif
markrad	0:cdf462088d13	7507
markrad	0:cdf462088d13	7508	#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
markrad	0:cdf462088d13	7509	!defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
markrad	0:cdf462088d13	7510	((void) cert);
markrad	0:cdf462088d13	7511	((void) cert_endpoint);
markrad	0:cdf462088d13	7512	((void) flags);
markrad	0:cdf462088d13	7513	#endif
markrad	0:cdf462088d13	7514
markrad	0:cdf462088d13	7515	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
markrad	0:cdf462088d13	7516	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	7517	{
markrad	0:cdf462088d13	7518	/* Server part of the key exchange */
markrad	0:cdf462088d13	7519	switch( ciphersuite->key_exchange )
markrad	0:cdf462088d13	7520	{
markrad	0:cdf462088d13	7521	case MBEDTLS_KEY_EXCHANGE_RSA:
markrad	0:cdf462088d13	7522	case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
markrad	0:cdf462088d13	7523	usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
markrad	0:cdf462088d13	7524	break;
markrad	0:cdf462088d13	7525
markrad	0:cdf462088d13	7526	case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
markrad	0:cdf462088d13	7527	case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
markrad	0:cdf462088d13	7528	case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
markrad	0:cdf462088d13	7529	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
markrad	0:cdf462088d13	7530	break;
markrad	0:cdf462088d13	7531
markrad	0:cdf462088d13	7532	case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
markrad	0:cdf462088d13	7533	case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
markrad	0:cdf462088d13	7534	usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
markrad	0:cdf462088d13	7535	break;
markrad	0:cdf462088d13	7536
markrad	0:cdf462088d13	7537	/* Don't use default: we want warnings when adding new values */
markrad	0:cdf462088d13	7538	case MBEDTLS_KEY_EXCHANGE_NONE:
markrad	0:cdf462088d13	7539	case MBEDTLS_KEY_EXCHANGE_PSK:
markrad	0:cdf462088d13	7540	case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
markrad	0:cdf462088d13	7541	case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
markrad	0:cdf462088d13	7542	case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
markrad	0:cdf462088d13	7543	usage = 0;
markrad	0:cdf462088d13	7544	}
markrad	0:cdf462088d13	7545	}
markrad	0:cdf462088d13	7546	else
markrad	0:cdf462088d13	7547	{
markrad	0:cdf462088d13	7548	/* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
markrad	0:cdf462088d13	7549	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
markrad	0:cdf462088d13	7550	}
markrad	0:cdf462088d13	7551
markrad	0:cdf462088d13	7552	if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
markrad	0:cdf462088d13	7553	{
markrad	0:cdf462088d13	7554	*flags \|= MBEDTLS_X509_BADCERT_KEY_USAGE;
markrad	0:cdf462088d13	7555	ret = -1;
markrad	0:cdf462088d13	7556	}
markrad	0:cdf462088d13	7557	#else
markrad	0:cdf462088d13	7558	((void) ciphersuite);
markrad	0:cdf462088d13	7559	#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
markrad	0:cdf462088d13	7560
markrad	0:cdf462088d13	7561	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
markrad	0:cdf462088d13	7562	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	7563	{
markrad	0:cdf462088d13	7564	ext_oid = MBEDTLS_OID_SERVER_AUTH;
markrad	0:cdf462088d13	7565	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
markrad	0:cdf462088d13	7566	}
markrad	0:cdf462088d13	7567	else
markrad	0:cdf462088d13	7568	{
markrad	0:cdf462088d13	7569	ext_oid = MBEDTLS_OID_CLIENT_AUTH;
markrad	0:cdf462088d13	7570	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
markrad	0:cdf462088d13	7571	}
markrad	0:cdf462088d13	7572
markrad	0:cdf462088d13	7573	if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
markrad	0:cdf462088d13	7574	{
markrad	0:cdf462088d13	7575	*flags \|= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
markrad	0:cdf462088d13	7576	ret = -1;
markrad	0:cdf462088d13	7577	}
markrad	0:cdf462088d13	7578	#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
markrad	0:cdf462088d13	7579
markrad	0:cdf462088d13	7580	return( ret );
markrad	0:cdf462088d13	7581	}
markrad	0:cdf462088d13	7582	#endif /* MBEDTLS_X509_CRT_PARSE_C */
markrad	0:cdf462088d13	7583
markrad	0:cdf462088d13	7584	/*
markrad	0:cdf462088d13	7585	* Convert version numbers to/from wire format
markrad	0:cdf462088d13	7586	* and, for DTLS, to/from TLS equivalent.
markrad	0:cdf462088d13	7587	*
markrad	0:cdf462088d13	7588	* For TLS this is the identity.
markrad	0:cdf462088d13	7589	* For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
markrad	0:cdf462088d13	7590	* 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
markrad	0:cdf462088d13	7591	* 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
markrad	0:cdf462088d13	7592	*/
markrad	0:cdf462088d13	7593	void mbedtls_ssl_write_version( int major, int minor, int transport,
markrad	0:cdf462088d13	7594	unsigned char ver[2] )
markrad	0:cdf462088d13	7595	{
markrad	0:cdf462088d13	7596	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	7597	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	7598	{
markrad	0:cdf462088d13	7599	if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
markrad	0:cdf462088d13	7600	--minor; /* DTLS 1.0 stored as TLS 1.1 internally */
markrad	0:cdf462088d13	7601
markrad	0:cdf462088d13	7602	ver[0] = (unsigned char)( 255 - ( major - 2 ) );
markrad	0:cdf462088d13	7603	ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
markrad	0:cdf462088d13	7604	}
markrad	0:cdf462088d13	7605	else
markrad	0:cdf462088d13	7606	#else
markrad	0:cdf462088d13	7607	((void) transport);
markrad	0:cdf462088d13	7608	#endif
markrad	0:cdf462088d13	7609	{
markrad	0:cdf462088d13	7610	ver[0] = (unsigned char) major;
markrad	0:cdf462088d13	7611	ver[1] = (unsigned char) minor;
markrad	0:cdf462088d13	7612	}
markrad	0:cdf462088d13	7613	}
markrad	0:cdf462088d13	7614
markrad	0:cdf462088d13	7615	void mbedtls_ssl_read_version( int major, int minor, int transport,
markrad	0:cdf462088d13	7616	const unsigned char ver[2] )
markrad	0:cdf462088d13	7617	{
markrad	0:cdf462088d13	7618	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	7619	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	7620	{
markrad	0:cdf462088d13	7621	*major = 255 - ver[0] + 2;
markrad	0:cdf462088d13	7622	*minor = 255 - ver[1] + 1;
markrad	0:cdf462088d13	7623
markrad	0:cdf462088d13	7624	if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
markrad	0:cdf462088d13	7625	++minor; / DTLS 1.0 stored as TLS 1.1 internally */
markrad	0:cdf462088d13	7626	}
markrad	0:cdf462088d13	7627	else
markrad	0:cdf462088d13	7628	#else
markrad	0:cdf462088d13	7629	((void) transport);
markrad	0:cdf462088d13	7630	#endif
markrad	0:cdf462088d13	7631	{
markrad	0:cdf462088d13	7632	*major = ver[0];
markrad	0:cdf462088d13	7633	*minor = ver[1];
markrad	0:cdf462088d13	7634	}
markrad	0:cdf462088d13	7635	}
markrad	0:cdf462088d13	7636
markrad	0:cdf462088d13	7637	int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
markrad	0:cdf462088d13	7638	{
markrad	0:cdf462088d13	7639	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	7640	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	7641	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
markrad	0:cdf462088d13	7642
markrad	0:cdf462088d13	7643	switch( md )
markrad	0:cdf462088d13	7644	{
markrad	0:cdf462088d13	7645	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	7646	#if defined(MBEDTLS_MD5_C)
markrad	0:cdf462088d13	7647	case MBEDTLS_SSL_HASH_MD5:
markrad	0:cdf462088d13	7648	ssl->handshake->calc_verify = ssl_calc_verify_tls;
markrad	0:cdf462088d13	7649	break;
markrad	0:cdf462088d13	7650	#endif
markrad	0:cdf462088d13	7651	#if defined(MBEDTLS_SHA1_C)
markrad	0:cdf462088d13	7652	case MBEDTLS_SSL_HASH_SHA1:
markrad	0:cdf462088d13	7653	ssl->handshake->calc_verify = ssl_calc_verify_tls;
markrad	0:cdf462088d13	7654	break;
markrad	0:cdf462088d13	7655	#endif
markrad	0:cdf462088d13	7656	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
markrad	0:cdf462088d13	7657	#if defined(MBEDTLS_SHA512_C)
markrad	0:cdf462088d13	7658	case MBEDTLS_SSL_HASH_SHA384:
markrad	0:cdf462088d13	7659	ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
markrad	0:cdf462088d13	7660	break;
markrad	0:cdf462088d13	7661	#endif
markrad	0:cdf462088d13	7662	#if defined(MBEDTLS_SHA256_C)
markrad	0:cdf462088d13	7663	case MBEDTLS_SSL_HASH_SHA256:
markrad	0:cdf462088d13	7664	ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
markrad	0:cdf462088d13	7665	break;
markrad	0:cdf462088d13	7666	#endif
markrad	0:cdf462088d13	7667	default:
markrad	0:cdf462088d13	7668	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
markrad	0:cdf462088d13	7669	}
markrad	0:cdf462088d13	7670
markrad	0:cdf462088d13	7671	return 0;
markrad	0:cdf462088d13	7672	#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	7673	(void) ssl;
markrad	0:cdf462088d13	7674	(void) md;
markrad	0:cdf462088d13	7675
markrad	0:cdf462088d13	7676	return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
markrad	0:cdf462088d13	7677	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	7678	}
markrad	0:cdf462088d13	7679
markrad	0:cdf462088d13	7680	#endif /* MBEDTLS_SSL_TLS_C */

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	04 Jun 2019
Imports:	1
Forks:	0
Commits:	2
Dependents:	1
Dependencies:	0
Followers:	2

Developers

Willie Solano

Pablo Andrés Araya Castillo

library/ssl_tls.c@1:1a219dea6cb5, 2019-06-04 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Developers

Important Information for this Arm website

Access Warning