mbedtls - mbed TLS Build

Users » markrad » Code » mbedtls

mbed TLS Build

Dependents: Encrypt_Decrypt1 mbed_blink_tls encrypt encrypt

library/ssl_srv.c@0:cdf462088d13, 2017-01-05 (annotated)

Committer:: markrad
Date:: Thu Jan 05 00:18:44 2017 +0000
Revision:: 0:cdf462088d13

Initial commit

Who changed what in which revision?

User	Revision	Line number	New contents of line
markrad	0:cdf462088d13	1	/*
markrad	0:cdf462088d13	2	* SSLv3/TLSv1 server-side functions
markrad	0:cdf462088d13	3	*
markrad	0:cdf462088d13	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
markrad	0:cdf462088d13	5	* SPDX-License-Identifier: Apache-2.0
markrad	0:cdf462088d13	6	*
markrad	0:cdf462088d13	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
markrad	0:cdf462088d13	8	* not use this file except in compliance with the License.
markrad	0:cdf462088d13	9	* You may obtain a copy of the License at
markrad	0:cdf462088d13	10	*
markrad	0:cdf462088d13	11	* http://www.apache.org/licenses/LICENSE-2.0
markrad	0:cdf462088d13	12	*
markrad	0:cdf462088d13	13	* Unless required by applicable law or agreed to in writing, software
markrad	0:cdf462088d13	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
markrad	0:cdf462088d13	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
markrad	0:cdf462088d13	16	* See the License for the specific language governing permissions and
markrad	0:cdf462088d13	17	* limitations under the License.
markrad	0:cdf462088d13	18	*
markrad	0:cdf462088d13	19	* This file is part of mbed TLS (https://tls.mbed.org)
markrad	0:cdf462088d13	20	*/
markrad	0:cdf462088d13	21
markrad	0:cdf462088d13	22	#if !defined(MBEDTLS_CONFIG_FILE)
markrad	0:cdf462088d13	23	#include "mbedtls/config.h"
markrad	0:cdf462088d13	24	#else
markrad	0:cdf462088d13	25	#include MBEDTLS_CONFIG_FILE
markrad	0:cdf462088d13	26	#endif
markrad	0:cdf462088d13	27
markrad	0:cdf462088d13	28	#if defined(MBEDTLS_SSL_SRV_C)
markrad	0:cdf462088d13	29
markrad	0:cdf462088d13	30	#if defined(MBEDTLS_PLATFORM_C)
markrad	0:cdf462088d13	31	#include "mbedtls/platform.h"
markrad	0:cdf462088d13	32	#else
markrad	0:cdf462088d13	33	#include <stdlib.h>
markrad	0:cdf462088d13	34	#define mbedtls_calloc calloc
markrad	0:cdf462088d13	35	#define mbedtls_free free
markrad	0:cdf462088d13	36	#endif
markrad	0:cdf462088d13	37
markrad	0:cdf462088d13	38	#include "mbedtls/debug.h"
markrad	0:cdf462088d13	39	#include "mbedtls/ssl.h"
markrad	0:cdf462088d13	40	#include "mbedtls/ssl_internal.h"
markrad	0:cdf462088d13	41
markrad	0:cdf462088d13	42	#include <string.h>
markrad	0:cdf462088d13	43
markrad	0:cdf462088d13	44	#if defined(MBEDTLS_ECP_C)
markrad	0:cdf462088d13	45	#include "mbedtls/ecp.h"
markrad	0:cdf462088d13	46	#endif
markrad	0:cdf462088d13	47
markrad	0:cdf462088d13	48	#if defined(MBEDTLS_HAVE_TIME)
markrad	0:cdf462088d13	49	#include "mbedtls/platform_time.h"
markrad	0:cdf462088d13	50	#endif
markrad	0:cdf462088d13	51
markrad	0:cdf462088d13	52	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	53	/* Implementation that should never be optimized out by the compiler */
markrad	0:cdf462088d13	54	static void mbedtls_zeroize( void *v, size_t n ) {
markrad	0:cdf462088d13	55	volatile unsigned char p = v; while( n-- ) p++ = 0;
markrad	0:cdf462088d13	56	}
markrad	0:cdf462088d13	57	#endif
markrad	0:cdf462088d13	58
markrad	0:cdf462088d13	59	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
markrad	0:cdf462088d13	60	int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	61	const unsigned char *info,
markrad	0:cdf462088d13	62	size_t ilen )
markrad	0:cdf462088d13	63	{
markrad	0:cdf462088d13	64	if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
markrad	0:cdf462088d13	65	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	66
markrad	0:cdf462088d13	67	mbedtls_free( ssl->cli_id );
markrad	0:cdf462088d13	68
markrad	0:cdf462088d13	69	if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
markrad	0:cdf462088d13	70	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	71
markrad	0:cdf462088d13	72	memcpy( ssl->cli_id, info, ilen );
markrad	0:cdf462088d13	73	ssl->cli_id_len = ilen;
markrad	0:cdf462088d13	74
markrad	0:cdf462088d13	75	return( 0 );
markrad	0:cdf462088d13	76	}
markrad	0:cdf462088d13	77
markrad	0:cdf462088d13	78	void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
markrad	0:cdf462088d13	79	mbedtls_ssl_cookie_write_t *f_cookie_write,
markrad	0:cdf462088d13	80	mbedtls_ssl_cookie_check_t *f_cookie_check,
markrad	0:cdf462088d13	81	void *p_cookie )
markrad	0:cdf462088d13	82	{
markrad	0:cdf462088d13	83	conf->f_cookie_write = f_cookie_write;
markrad	0:cdf462088d13	84	conf->f_cookie_check = f_cookie_check;
markrad	0:cdf462088d13	85	conf->p_cookie = p_cookie;
markrad	0:cdf462088d13	86	}
markrad	0:cdf462088d13	87	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
markrad	0:cdf462088d13	88
markrad	0:cdf462088d13	89	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	90	static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	91	const unsigned char *buf,
markrad	0:cdf462088d13	92	size_t len )
markrad	0:cdf462088d13	93	{
markrad	0:cdf462088d13	94	int ret;
markrad	0:cdf462088d13	95	size_t servername_list_size, hostname_len;
markrad	0:cdf462088d13	96	const unsigned char *p;
markrad	0:cdf462088d13	97
markrad	0:cdf462088d13	98	MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
markrad	0:cdf462088d13	99
markrad	0:cdf462088d13	100	servername_list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
markrad	0:cdf462088d13	101	if( servername_list_size + 2 != len )
markrad	0:cdf462088d13	102	{
markrad	0:cdf462088d13	103	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	104	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	105	}
markrad	0:cdf462088d13	106
markrad	0:cdf462088d13	107	p = buf + 2;
markrad	0:cdf462088d13	108	while( servername_list_size > 0 )
markrad	0:cdf462088d13	109	{
markrad	0:cdf462088d13	110	hostname_len = ( ( p[1] << 8 ) \| p[2] );
markrad	0:cdf462088d13	111	if( hostname_len + 3 > servername_list_size )
markrad	0:cdf462088d13	112	{
markrad	0:cdf462088d13	113	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	114	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	115	}
markrad	0:cdf462088d13	116
markrad	0:cdf462088d13	117	if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
markrad	0:cdf462088d13	118	{
markrad	0:cdf462088d13	119	ret = ssl->conf->f_sni( ssl->conf->p_sni,
markrad	0:cdf462088d13	120	ssl, p + 3, hostname_len );
markrad	0:cdf462088d13	121	if( ret != 0 )
markrad	0:cdf462088d13	122	{
markrad	0:cdf462088d13	123	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
markrad	0:cdf462088d13	124	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	125	MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
markrad	0:cdf462088d13	126	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	127	}
markrad	0:cdf462088d13	128	return( 0 );
markrad	0:cdf462088d13	129	}
markrad	0:cdf462088d13	130
markrad	0:cdf462088d13	131	servername_list_size -= hostname_len + 3;
markrad	0:cdf462088d13	132	p += hostname_len + 3;
markrad	0:cdf462088d13	133	}
markrad	0:cdf462088d13	134
markrad	0:cdf462088d13	135	if( servername_list_size != 0 )
markrad	0:cdf462088d13	136	{
markrad	0:cdf462088d13	137	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	138	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	139	}
markrad	0:cdf462088d13	140
markrad	0:cdf462088d13	141	return( 0 );
markrad	0:cdf462088d13	142	}
markrad	0:cdf462088d13	143	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
markrad	0:cdf462088d13	144
markrad	0:cdf462088d13	145	static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	146	const unsigned char *buf,
markrad	0:cdf462088d13	147	size_t len )
markrad	0:cdf462088d13	148	{
markrad	0:cdf462088d13	149	int ret;
markrad	0:cdf462088d13	150
markrad	0:cdf462088d13	151	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	152	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
markrad	0:cdf462088d13	153	{
markrad	0:cdf462088d13	154	/* Check verify-data in constant-time. The length OTOH is no secret */
markrad	0:cdf462088d13	155	if( len != 1 + ssl->verify_data_len \|\|
markrad	0:cdf462088d13	156	buf[0] != ssl->verify_data_len \|\|
markrad	0:cdf462088d13	157	mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
markrad	0:cdf462088d13	158	ssl->verify_data_len ) != 0 )
markrad	0:cdf462088d13	159	{
markrad	0:cdf462088d13	160	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
markrad	0:cdf462088d13	161
markrad	0:cdf462088d13	162	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad	0:cdf462088d13	163	return( ret );
markrad	0:cdf462088d13	164
markrad	0:cdf462088d13	165	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	166	}
markrad	0:cdf462088d13	167	}
markrad	0:cdf462088d13	168	else
markrad	0:cdf462088d13	169	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	170	{
markrad	0:cdf462088d13	171	if( len != 1 \|\| buf[0] != 0x0 )
markrad	0:cdf462088d13	172	{
markrad	0:cdf462088d13	173	MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
markrad	0:cdf462088d13	174
markrad	0:cdf462088d13	175	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad	0:cdf462088d13	176	return( ret );
markrad	0:cdf462088d13	177
markrad	0:cdf462088d13	178	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	179	}
markrad	0:cdf462088d13	180
markrad	0:cdf462088d13	181	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
markrad	0:cdf462088d13	182	}
markrad	0:cdf462088d13	183
markrad	0:cdf462088d13	184	return( 0 );
markrad	0:cdf462088d13	185	}
markrad	0:cdf462088d13	186
markrad	0:cdf462088d13	187	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
markrad	0:cdf462088d13	188	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad	0:cdf462088d13	189	static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	190	const unsigned char *buf,
markrad	0:cdf462088d13	191	size_t len )
markrad	0:cdf462088d13	192	{
markrad	0:cdf462088d13	193	size_t sig_alg_list_size;
markrad	0:cdf462088d13	194	const unsigned char *p;
markrad	0:cdf462088d13	195	const unsigned char *end = buf + len;
markrad	0:cdf462088d13	196	const int *md_cur;
markrad	0:cdf462088d13	197
markrad	0:cdf462088d13	198
markrad	0:cdf462088d13	199	sig_alg_list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
markrad	0:cdf462088d13	200	if( sig_alg_list_size + 2 != len \|\|
markrad	0:cdf462088d13	201	sig_alg_list_size % 2 != 0 )
markrad	0:cdf462088d13	202	{
markrad	0:cdf462088d13	203	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	204	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	205	}
markrad	0:cdf462088d13	206
markrad	0:cdf462088d13	207	/*
markrad	0:cdf462088d13	208	* For now, ignore the SignatureAlgorithm part and rely on offered
markrad	0:cdf462088d13	209	* ciphersuites only for that part. To be fixed later.
markrad	0:cdf462088d13	210	*
markrad	0:cdf462088d13	211	* So, just look at the HashAlgorithm part.
markrad	0:cdf462088d13	212	*/
markrad	0:cdf462088d13	213	for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) {
markrad	0:cdf462088d13	214	for( p = buf + 2; p < end; p += 2 ) {
markrad	0:cdf462088d13	215	if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) {
markrad	0:cdf462088d13	216	ssl->handshake->sig_alg = p[0];
markrad	0:cdf462088d13	217	goto have_sig_alg;
markrad	0:cdf462088d13	218	}
markrad	0:cdf462088d13	219	}
markrad	0:cdf462088d13	220	}
markrad	0:cdf462088d13	221
markrad	0:cdf462088d13	222	/* Some key echanges do not need signatures at all */
markrad	0:cdf462088d13	223	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
markrad	0:cdf462088d13	224	return( 0 );
markrad	0:cdf462088d13	225
markrad	0:cdf462088d13	226	have_sig_alg:
markrad	0:cdf462088d13	227	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
markrad	0:cdf462088d13	228	ssl->handshake->sig_alg ) );
markrad	0:cdf462088d13	229
markrad	0:cdf462088d13	230	return( 0 );
markrad	0:cdf462088d13	231	}
markrad	0:cdf462088d13	232	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
markrad	0:cdf462088d13	233	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
markrad	0:cdf462088d13	234
markrad	0:cdf462088d13	235	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
markrad	0:cdf462088d13	236	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	237	static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	238	const unsigned char *buf,
markrad	0:cdf462088d13	239	size_t len )
markrad	0:cdf462088d13	240	{
markrad	0:cdf462088d13	241	size_t list_size, our_size;
markrad	0:cdf462088d13	242	const unsigned char *p;
markrad	0:cdf462088d13	243	const mbedtls_ecp_curve_info curve_info, *curves;
markrad	0:cdf462088d13	244
markrad	0:cdf462088d13	245	list_size = ( ( buf[0] << 8 ) \| ( buf[1] ) );
markrad	0:cdf462088d13	246	if( list_size + 2 != len \|\|
markrad	0:cdf462088d13	247	list_size % 2 != 0 )
markrad	0:cdf462088d13	248	{
markrad	0:cdf462088d13	249	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	250	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	251	}
markrad	0:cdf462088d13	252
markrad	0:cdf462088d13	253	/* Should never happen unless client duplicates the extension */
markrad	0:cdf462088d13	254	if( ssl->handshake->curves != NULL )
markrad	0:cdf462088d13	255	{
markrad	0:cdf462088d13	256	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	257	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	258	}
markrad	0:cdf462088d13	259
markrad	0:cdf462088d13	260	/* Don't allow our peer to make us allocate too much memory,
markrad	0:cdf462088d13	261	* and leave room for a final 0 */
markrad	0:cdf462088d13	262	our_size = list_size / 2 + 1;
markrad	0:cdf462088d13	263	if( our_size > MBEDTLS_ECP_DP_MAX )
markrad	0:cdf462088d13	264	our_size = MBEDTLS_ECP_DP_MAX;
markrad	0:cdf462088d13	265
markrad	0:cdf462088d13	266	if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
markrad	0:cdf462088d13	267	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
markrad	0:cdf462088d13	268
markrad	0:cdf462088d13	269	ssl->handshake->curves = curves;
markrad	0:cdf462088d13	270
markrad	0:cdf462088d13	271	p = buf + 2;
markrad	0:cdf462088d13	272	while( list_size > 0 && our_size > 1 )
markrad	0:cdf462088d13	273	{
markrad	0:cdf462088d13	274	curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) \| p[1] );
markrad	0:cdf462088d13	275
markrad	0:cdf462088d13	276	if( curve_info != NULL )
markrad	0:cdf462088d13	277	{
markrad	0:cdf462088d13	278	*curves++ = curve_info;
markrad	0:cdf462088d13	279	our_size--;
markrad	0:cdf462088d13	280	}
markrad	0:cdf462088d13	281
markrad	0:cdf462088d13	282	list_size -= 2;
markrad	0:cdf462088d13	283	p += 2;
markrad	0:cdf462088d13	284	}
markrad	0:cdf462088d13	285
markrad	0:cdf462088d13	286	return( 0 );
markrad	0:cdf462088d13	287	}
markrad	0:cdf462088d13	288
markrad	0:cdf462088d13	289	static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	290	const unsigned char *buf,
markrad	0:cdf462088d13	291	size_t len )
markrad	0:cdf462088d13	292	{
markrad	0:cdf462088d13	293	size_t list_size;
markrad	0:cdf462088d13	294	const unsigned char *p;
markrad	0:cdf462088d13	295
markrad	0:cdf462088d13	296	list_size = buf[0];
markrad	0:cdf462088d13	297	if( list_size + 1 != len )
markrad	0:cdf462088d13	298	{
markrad	0:cdf462088d13	299	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	300	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	301	}
markrad	0:cdf462088d13	302
markrad	0:cdf462088d13	303	p = buf + 1;
markrad	0:cdf462088d13	304	while( list_size > 0 )
markrad	0:cdf462088d13	305	{
markrad	0:cdf462088d13	306	if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED \|\|
markrad	0:cdf462088d13	307	p[0] == MBEDTLS_ECP_PF_COMPRESSED )
markrad	0:cdf462088d13	308	{
markrad	0:cdf462088d13	309	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
markrad	0:cdf462088d13	310	ssl->handshake->ecdh_ctx.point_format = p[0];
markrad	0:cdf462088d13	311	#endif
markrad	0:cdf462088d13	312	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	313	ssl->handshake->ecjpake_ctx.point_format = p[0];
markrad	0:cdf462088d13	314	#endif
markrad	0:cdf462088d13	315	MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
markrad	0:cdf462088d13	316	return( 0 );
markrad	0:cdf462088d13	317	}
markrad	0:cdf462088d13	318
markrad	0:cdf462088d13	319	list_size--;
markrad	0:cdf462088d13	320	p++;
markrad	0:cdf462088d13	321	}
markrad	0:cdf462088d13	322
markrad	0:cdf462088d13	323	return( 0 );
markrad	0:cdf462088d13	324	}
markrad	0:cdf462088d13	325	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
markrad	0:cdf462088d13	326	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	327
markrad	0:cdf462088d13	328	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	329	static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	330	const unsigned char *buf,
markrad	0:cdf462088d13	331	size_t len )
markrad	0:cdf462088d13	332	{
markrad	0:cdf462088d13	333	int ret;
markrad	0:cdf462088d13	334
markrad	0:cdf462088d13	335	if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
markrad	0:cdf462088d13	336	{
markrad	0:cdf462088d13	337	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
markrad	0:cdf462088d13	338	return( 0 );
markrad	0:cdf462088d13	339	}
markrad	0:cdf462088d13	340
markrad	0:cdf462088d13	341	if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
markrad	0:cdf462088d13	342	buf, len ) ) != 0 )
markrad	0:cdf462088d13	343	{
markrad	0:cdf462088d13	344	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
markrad	0:cdf462088d13	345	return( ret );
markrad	0:cdf462088d13	346	}
markrad	0:cdf462088d13	347
markrad	0:cdf462088d13	348	/* Only mark the extension as OK when we're sure it is */
markrad	0:cdf462088d13	349	ssl->handshake->cli_exts \|= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
markrad	0:cdf462088d13	350
markrad	0:cdf462088d13	351	return( 0 );
markrad	0:cdf462088d13	352	}
markrad	0:cdf462088d13	353	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	354
markrad	0:cdf462088d13	355	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad	0:cdf462088d13	356	static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	357	const unsigned char *buf,
markrad	0:cdf462088d13	358	size_t len )
markrad	0:cdf462088d13	359	{
markrad	0:cdf462088d13	360	if( len != 1 \|\| buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
markrad	0:cdf462088d13	361	{
markrad	0:cdf462088d13	362	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	363	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	364	}
markrad	0:cdf462088d13	365
markrad	0:cdf462088d13	366	ssl->session_negotiate->mfl_code = buf[0];
markrad	0:cdf462088d13	367
markrad	0:cdf462088d13	368	return( 0 );
markrad	0:cdf462088d13	369	}
markrad	0:cdf462088d13	370	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad	0:cdf462088d13	371
markrad	0:cdf462088d13	372	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
markrad	0:cdf462088d13	373	static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	374	const unsigned char *buf,
markrad	0:cdf462088d13	375	size_t len )
markrad	0:cdf462088d13	376	{
markrad	0:cdf462088d13	377	if( len != 0 )
markrad	0:cdf462088d13	378	{
markrad	0:cdf462088d13	379	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	380	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	381	}
markrad	0:cdf462088d13	382
markrad	0:cdf462088d13	383	((void) buf);
markrad	0:cdf462088d13	384
markrad	0:cdf462088d13	385	if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
markrad	0:cdf462088d13	386	ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
markrad	0:cdf462088d13	387
markrad	0:cdf462088d13	388	return( 0 );
markrad	0:cdf462088d13	389	}
markrad	0:cdf462088d13	390	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
markrad	0:cdf462088d13	391
markrad	0:cdf462088d13	392	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	393	static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	394	const unsigned char *buf,
markrad	0:cdf462088d13	395	size_t len )
markrad	0:cdf462088d13	396	{
markrad	0:cdf462088d13	397	if( len != 0 )
markrad	0:cdf462088d13	398	{
markrad	0:cdf462088d13	399	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	400	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	401	}
markrad	0:cdf462088d13	402
markrad	0:cdf462088d13	403	((void) buf);
markrad	0:cdf462088d13	404
markrad	0:cdf462088d13	405	if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
markrad	0:cdf462088d13	406	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	407	{
markrad	0:cdf462088d13	408	ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
markrad	0:cdf462088d13	409	}
markrad	0:cdf462088d13	410
markrad	0:cdf462088d13	411	return( 0 );
markrad	0:cdf462088d13	412	}
markrad	0:cdf462088d13	413	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
markrad	0:cdf462088d13	414
markrad	0:cdf462088d13	415	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad	0:cdf462088d13	416	static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	417	const unsigned char *buf,
markrad	0:cdf462088d13	418	size_t len )
markrad	0:cdf462088d13	419	{
markrad	0:cdf462088d13	420	if( len != 0 )
markrad	0:cdf462088d13	421	{
markrad	0:cdf462088d13	422	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	423	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	424	}
markrad	0:cdf462088d13	425
markrad	0:cdf462088d13	426	((void) buf);
markrad	0:cdf462088d13	427
markrad	0:cdf462088d13	428	if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
markrad	0:cdf462088d13	429	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	430	{
markrad	0:cdf462088d13	431	ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
markrad	0:cdf462088d13	432	}
markrad	0:cdf462088d13	433
markrad	0:cdf462088d13	434	return( 0 );
markrad	0:cdf462088d13	435	}
markrad	0:cdf462088d13	436	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
markrad	0:cdf462088d13	437
markrad	0:cdf462088d13	438	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	439	static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	440	unsigned char *buf,
markrad	0:cdf462088d13	441	size_t len )
markrad	0:cdf462088d13	442	{
markrad	0:cdf462088d13	443	int ret;
markrad	0:cdf462088d13	444	mbedtls_ssl_session session;
markrad	0:cdf462088d13	445
markrad	0:cdf462088d13	446	mbedtls_ssl_session_init( &session );
markrad	0:cdf462088d13	447
markrad	0:cdf462088d13	448	if( ssl->conf->f_ticket_parse == NULL \|\|
markrad	0:cdf462088d13	449	ssl->conf->f_ticket_write == NULL )
markrad	0:cdf462088d13	450	{
markrad	0:cdf462088d13	451	return( 0 );
markrad	0:cdf462088d13	452	}
markrad	0:cdf462088d13	453
markrad	0:cdf462088d13	454	/* Remember the client asked us to send a new ticket */
markrad	0:cdf462088d13	455	ssl->handshake->new_session_ticket = 1;
markrad	0:cdf462088d13	456
markrad	0:cdf462088d13	457	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
markrad	0:cdf462088d13	458
markrad	0:cdf462088d13	459	if( len == 0 )
markrad	0:cdf462088d13	460	return( 0 );
markrad	0:cdf462088d13	461
markrad	0:cdf462088d13	462	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	463	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
markrad	0:cdf462088d13	464	{
markrad	0:cdf462088d13	465	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
markrad	0:cdf462088d13	466	return( 0 );
markrad	0:cdf462088d13	467	}
markrad	0:cdf462088d13	468	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	469
markrad	0:cdf462088d13	470	/*
markrad	0:cdf462088d13	471	* Failures are ok: just ignore the ticket and proceed.
markrad	0:cdf462088d13	472	*/
markrad	0:cdf462088d13	473	if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
markrad	0:cdf462088d13	474	buf, len ) ) != 0 )
markrad	0:cdf462088d13	475	{
markrad	0:cdf462088d13	476	mbedtls_ssl_session_free( &session );
markrad	0:cdf462088d13	477
markrad	0:cdf462088d13	478	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
markrad	0:cdf462088d13	479	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
markrad	0:cdf462088d13	480	else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
markrad	0:cdf462088d13	481	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
markrad	0:cdf462088d13	482	else
markrad	0:cdf462088d13	483	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
markrad	0:cdf462088d13	484
markrad	0:cdf462088d13	485	return( 0 );
markrad	0:cdf462088d13	486	}
markrad	0:cdf462088d13	487
markrad	0:cdf462088d13	488	/*
markrad	0:cdf462088d13	489	* Keep the session ID sent by the client, since we MUST send it back to
markrad	0:cdf462088d13	490	* inform them we're accepting the ticket (RFC 5077 section 3.4)
markrad	0:cdf462088d13	491	*/
markrad	0:cdf462088d13	492	session.id_len = ssl->session_negotiate->id_len;
markrad	0:cdf462088d13	493	memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
markrad	0:cdf462088d13	494
markrad	0:cdf462088d13	495	mbedtls_ssl_session_free( ssl->session_negotiate );
markrad	0:cdf462088d13	496	memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
markrad	0:cdf462088d13	497
markrad	0:cdf462088d13	498	/* Zeroize instead of free as we copied the content */
markrad	0:cdf462088d13	499	mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
markrad	0:cdf462088d13	500
markrad	0:cdf462088d13	501	MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
markrad	0:cdf462088d13	502
markrad	0:cdf462088d13	503	ssl->handshake->resume = 1;
markrad	0:cdf462088d13	504
markrad	0:cdf462088d13	505	/* Don't send a new ticket after all, this one is OK */
markrad	0:cdf462088d13	506	ssl->handshake->new_session_ticket = 0;
markrad	0:cdf462088d13	507
markrad	0:cdf462088d13	508	return( 0 );
markrad	0:cdf462088d13	509	}
markrad	0:cdf462088d13	510	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad	0:cdf462088d13	511
markrad	0:cdf462088d13	512	#if defined(MBEDTLS_SSL_ALPN)
markrad	0:cdf462088d13	513	static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	514	const unsigned char *buf, size_t len )
markrad	0:cdf462088d13	515	{
markrad	0:cdf462088d13	516	size_t list_len, cur_len, ours_len;
markrad	0:cdf462088d13	517	const unsigned char theirs, start, *end;
markrad	0:cdf462088d13	518	const char **ours;
markrad	0:cdf462088d13	519
markrad	0:cdf462088d13	520	/* If ALPN not configured, just ignore the extension */
markrad	0:cdf462088d13	521	if( ssl->conf->alpn_list == NULL )
markrad	0:cdf462088d13	522	return( 0 );
markrad	0:cdf462088d13	523
markrad	0:cdf462088d13	524	/*
markrad	0:cdf462088d13	525	* opaque ProtocolName<1..2^8-1>;
markrad	0:cdf462088d13	526	*
markrad	0:cdf462088d13	527	* struct {
markrad	0:cdf462088d13	528	* ProtocolName protocol_name_list<2..2^16-1>
markrad	0:cdf462088d13	529	* } ProtocolNameList;
markrad	0:cdf462088d13	530	*/
markrad	0:cdf462088d13	531
markrad	0:cdf462088d13	532	/* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
markrad	0:cdf462088d13	533	if( len < 4 )
markrad	0:cdf462088d13	534	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	535
markrad	0:cdf462088d13	536	list_len = ( buf[0] << 8 ) \| buf[1];
markrad	0:cdf462088d13	537	if( list_len != len - 2 )
markrad	0:cdf462088d13	538	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	539
markrad	0:cdf462088d13	540	/*
markrad	0:cdf462088d13	541	* Use our order of preference
markrad	0:cdf462088d13	542	*/
markrad	0:cdf462088d13	543	start = buf + 2;
markrad	0:cdf462088d13	544	end = buf + len;
markrad	0:cdf462088d13	545	for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
markrad	0:cdf462088d13	546	{
markrad	0:cdf462088d13	547	ours_len = strlen( *ours );
markrad	0:cdf462088d13	548	for( theirs = start; theirs != end; theirs += cur_len )
markrad	0:cdf462088d13	549	{
markrad	0:cdf462088d13	550	/* If the list is well formed, we should get equality first */
markrad	0:cdf462088d13	551	if( theirs > end )
markrad	0:cdf462088d13	552	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	553
markrad	0:cdf462088d13	554	cur_len = *theirs++;
markrad	0:cdf462088d13	555
markrad	0:cdf462088d13	556	/* Empty strings MUST NOT be included */
markrad	0:cdf462088d13	557	if( cur_len == 0 )
markrad	0:cdf462088d13	558	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	559
markrad	0:cdf462088d13	560	if( cur_len == ours_len &&
markrad	0:cdf462088d13	561	memcmp( theirs, *ours, cur_len ) == 0 )
markrad	0:cdf462088d13	562	{
markrad	0:cdf462088d13	563	ssl->alpn_chosen = *ours;
markrad	0:cdf462088d13	564	return( 0 );
markrad	0:cdf462088d13	565	}
markrad	0:cdf462088d13	566	}
markrad	0:cdf462088d13	567	}
markrad	0:cdf462088d13	568
markrad	0:cdf462088d13	569	/* If we get there, no match was found */
markrad	0:cdf462088d13	570	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	571	MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
markrad	0:cdf462088d13	572	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	573	}
markrad	0:cdf462088d13	574	#endif /* MBEDTLS_SSL_ALPN */
markrad	0:cdf462088d13	575
markrad	0:cdf462088d13	576	/*
markrad	0:cdf462088d13	577	* Auxiliary functions for ServerHello parsing and related actions
markrad	0:cdf462088d13	578	*/
markrad	0:cdf462088d13	579
markrad	0:cdf462088d13	580	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	581	/*
markrad	0:cdf462088d13	582	* Return 0 if the given key uses one of the acceptable curves, -1 otherwise
markrad	0:cdf462088d13	583	*/
markrad	0:cdf462088d13	584	#if defined(MBEDTLS_ECDSA_C)
markrad	0:cdf462088d13	585	static int ssl_check_key_curve( mbedtls_pk_context *pk,
markrad	0:cdf462088d13	586	const mbedtls_ecp_curve_info **curves )
markrad	0:cdf462088d13	587	{
markrad	0:cdf462088d13	588	const mbedtls_ecp_curve_info **crv = curves;
markrad	0:cdf462088d13	589	mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
markrad	0:cdf462088d13	590
markrad	0:cdf462088d13	591	while( *crv != NULL )
markrad	0:cdf462088d13	592	{
markrad	0:cdf462088d13	593	if( (*crv)->grp_id == grp_id )
markrad	0:cdf462088d13	594	return( 0 );
markrad	0:cdf462088d13	595	crv++;
markrad	0:cdf462088d13	596	}
markrad	0:cdf462088d13	597
markrad	0:cdf462088d13	598	return( -1 );
markrad	0:cdf462088d13	599	}
markrad	0:cdf462088d13	600	#endif /* MBEDTLS_ECDSA_C */
markrad	0:cdf462088d13	601
markrad	0:cdf462088d13	602	/*
markrad	0:cdf462088d13	603	* Try picking a certificate for this ciphersuite,
markrad	0:cdf462088d13	604	* return 0 on success and -1 on failure.
markrad	0:cdf462088d13	605	*/
markrad	0:cdf462088d13	606	static int ssl_pick_cert( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	607	const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
markrad	0:cdf462088d13	608	{
markrad	0:cdf462088d13	609	mbedtls_ssl_key_cert cur, list, *fallback = NULL;
markrad	0:cdf462088d13	610	mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
markrad	0:cdf462088d13	611	uint32_t flags;
markrad	0:cdf462088d13	612
markrad	0:cdf462088d13	613	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	614	if( ssl->handshake->sni_key_cert != NULL )
markrad	0:cdf462088d13	615	list = ssl->handshake->sni_key_cert;
markrad	0:cdf462088d13	616	else
markrad	0:cdf462088d13	617	#endif
markrad	0:cdf462088d13	618	list = ssl->conf->key_cert;
markrad	0:cdf462088d13	619
markrad	0:cdf462088d13	620	if( pk_alg == MBEDTLS_PK_NONE )
markrad	0:cdf462088d13	621	return( 0 );
markrad	0:cdf462088d13	622
markrad	0:cdf462088d13	623	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
markrad	0:cdf462088d13	624
markrad	0:cdf462088d13	625	if( list == NULL )
markrad	0:cdf462088d13	626	{
markrad	0:cdf462088d13	627	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
markrad	0:cdf462088d13	628	return( -1 );
markrad	0:cdf462088d13	629	}
markrad	0:cdf462088d13	630
markrad	0:cdf462088d13	631	for( cur = list; cur != NULL; cur = cur->next )
markrad	0:cdf462088d13	632	{
markrad	0:cdf462088d13	633	MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
markrad	0:cdf462088d13	634	cur->cert );
markrad	0:cdf462088d13	635
markrad	0:cdf462088d13	636	if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
markrad	0:cdf462088d13	637	{
markrad	0:cdf462088d13	638	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
markrad	0:cdf462088d13	639	continue;
markrad	0:cdf462088d13	640	}
markrad	0:cdf462088d13	641
markrad	0:cdf462088d13	642	/*
markrad	0:cdf462088d13	643	* This avoids sending the client a cert it'll reject based on
markrad	0:cdf462088d13	644	* keyUsage or other extensions.
markrad	0:cdf462088d13	645	*
markrad	0:cdf462088d13	646	* It also allows the user to provision different certificates for
markrad	0:cdf462088d13	647	* different uses based on keyUsage, eg if they want to avoid signing
markrad	0:cdf462088d13	648	* and decrypting with the same RSA key.
markrad	0:cdf462088d13	649	*/
markrad	0:cdf462088d13	650	if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
markrad	0:cdf462088d13	651	MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
markrad	0:cdf462088d13	652	{
markrad	0:cdf462088d13	653	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
markrad	0:cdf462088d13	654	"(extended) key usage extension" ) );
markrad	0:cdf462088d13	655	continue;
markrad	0:cdf462088d13	656	}
markrad	0:cdf462088d13	657
markrad	0:cdf462088d13	658	#if defined(MBEDTLS_ECDSA_C)
markrad	0:cdf462088d13	659	if( pk_alg == MBEDTLS_PK_ECDSA &&
markrad	0:cdf462088d13	660	ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
markrad	0:cdf462088d13	661	{
markrad	0:cdf462088d13	662	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
markrad	0:cdf462088d13	663	continue;
markrad	0:cdf462088d13	664	}
markrad	0:cdf462088d13	665	#endif
markrad	0:cdf462088d13	666
markrad	0:cdf462088d13	667	/*
markrad	0:cdf462088d13	668	* Try to select a SHA-1 certificate for pre-1.2 clients, but still
markrad	0:cdf462088d13	669	* present them a SHA-higher cert rather than failing if it's the only
markrad	0:cdf462088d13	670	* one we got that satisfies the other conditions.
markrad	0:cdf462088d13	671	*/
markrad	0:cdf462088d13	672	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
markrad	0:cdf462088d13	673	cur->cert->sig_md != MBEDTLS_MD_SHA1 )
markrad	0:cdf462088d13	674	{
markrad	0:cdf462088d13	675	if( fallback == NULL )
markrad	0:cdf462088d13	676	fallback = cur;
markrad	0:cdf462088d13	677	{
markrad	0:cdf462088d13	678	MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
markrad	0:cdf462088d13	679	"sha-2 with pre-TLS 1.2 client" ) );
markrad	0:cdf462088d13	680	continue;
markrad	0:cdf462088d13	681	}
markrad	0:cdf462088d13	682	}
markrad	0:cdf462088d13	683
markrad	0:cdf462088d13	684	/* If we get there, we got a winner */
markrad	0:cdf462088d13	685	break;
markrad	0:cdf462088d13	686	}
markrad	0:cdf462088d13	687
markrad	0:cdf462088d13	688	if( cur == NULL )
markrad	0:cdf462088d13	689	cur = fallback;
markrad	0:cdf462088d13	690
markrad	0:cdf462088d13	691	/* Do not update ssl->handshake->key_cert unless there is a match */
markrad	0:cdf462088d13	692	if( cur != NULL )
markrad	0:cdf462088d13	693	{
markrad	0:cdf462088d13	694	ssl->handshake->key_cert = cur;
markrad	0:cdf462088d13	695	MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
markrad	0:cdf462088d13	696	ssl->handshake->key_cert->cert );
markrad	0:cdf462088d13	697	return( 0 );
markrad	0:cdf462088d13	698	}
markrad	0:cdf462088d13	699
markrad	0:cdf462088d13	700	return( -1 );
markrad	0:cdf462088d13	701	}
markrad	0:cdf462088d13	702	#endif /* MBEDTLS_X509_CRT_PARSE_C */
markrad	0:cdf462088d13	703
markrad	0:cdf462088d13	704	/*
markrad	0:cdf462088d13	705	* Check if a given ciphersuite is suitable for use with our config/keys/etc
markrad	0:cdf462088d13	706	* Sets ciphersuite_info only if the suite matches.
markrad	0:cdf462088d13	707	*/
markrad	0:cdf462088d13	708	static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
markrad	0:cdf462088d13	709	const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
markrad	0:cdf462088d13	710	{
markrad	0:cdf462088d13	711	const mbedtls_ssl_ciphersuite_t *suite_info;
markrad	0:cdf462088d13	712
markrad	0:cdf462088d13	713	suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
markrad	0:cdf462088d13	714	if( suite_info == NULL )
markrad	0:cdf462088d13	715	{
markrad	0:cdf462088d13	716	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	717	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	718	}
markrad	0:cdf462088d13	719
markrad	0:cdf462088d13	720	MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
markrad	0:cdf462088d13	721
markrad	0:cdf462088d13	722	if( suite_info->min_minor_ver > ssl->minor_ver \|\|
markrad	0:cdf462088d13	723	suite_info->max_minor_ver < ssl->minor_ver )
markrad	0:cdf462088d13	724	{
markrad	0:cdf462088d13	725	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
markrad	0:cdf462088d13	726	return( 0 );
markrad	0:cdf462088d13	727	}
markrad	0:cdf462088d13	728
markrad	0:cdf462088d13	729	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	730	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	731	( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
markrad	0:cdf462088d13	732	return( 0 );
markrad	0:cdf462088d13	733	#endif
markrad	0:cdf462088d13	734
markrad	0:cdf462088d13	735	#if defined(MBEDTLS_ARC4_C)
markrad	0:cdf462088d13	736	if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
markrad	0:cdf462088d13	737	suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
markrad	0:cdf462088d13	738	{
markrad	0:cdf462088d13	739	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
markrad	0:cdf462088d13	740	return( 0 );
markrad	0:cdf462088d13	741	}
markrad	0:cdf462088d13	742	#endif
markrad	0:cdf462088d13	743
markrad	0:cdf462088d13	744	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	745	if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
markrad	0:cdf462088d13	746	( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
markrad	0:cdf462088d13	747	{
markrad	0:cdf462088d13	748	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
markrad	0:cdf462088d13	749	"not configured or ext missing" ) );
markrad	0:cdf462088d13	750	return( 0 );
markrad	0:cdf462088d13	751	}
markrad	0:cdf462088d13	752	#endif
markrad	0:cdf462088d13	753
markrad	0:cdf462088d13	754
markrad	0:cdf462088d13	755	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
markrad	0:cdf462088d13	756	if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
markrad	0:cdf462088d13	757	( ssl->handshake->curves == NULL \|\|
markrad	0:cdf462088d13	758	ssl->handshake->curves[0] == NULL ) )
markrad	0:cdf462088d13	759	{
markrad	0:cdf462088d13	760	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
markrad	0:cdf462088d13	761	"no common elliptic curve" ) );
markrad	0:cdf462088d13	762	return( 0 );
markrad	0:cdf462088d13	763	}
markrad	0:cdf462088d13	764	#endif
markrad	0:cdf462088d13	765
markrad	0:cdf462088d13	766	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
markrad	0:cdf462088d13	767	/* If the ciphersuite requires a pre-shared key and we don't
markrad	0:cdf462088d13	768	* have one, skip it now rather than failing later */
markrad	0:cdf462088d13	769	if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
markrad	0:cdf462088d13	770	ssl->conf->f_psk == NULL &&
markrad	0:cdf462088d13	771	( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL \|\|
markrad	0:cdf462088d13	772	ssl->conf->psk_identity_len == 0 \|\| ssl->conf->psk_len == 0 ) )
markrad	0:cdf462088d13	773	{
markrad	0:cdf462088d13	774	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
markrad	0:cdf462088d13	775	return( 0 );
markrad	0:cdf462088d13	776	}
markrad	0:cdf462088d13	777	#endif
markrad	0:cdf462088d13	778
markrad	0:cdf462088d13	779	#if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad	0:cdf462088d13	780	/*
markrad	0:cdf462088d13	781	* Final check: if ciphersuite requires us to have a
markrad	0:cdf462088d13	782	* certificate/key of a particular type:
markrad	0:cdf462088d13	783	* - select the appropriate certificate if we have one, or
markrad	0:cdf462088d13	784	* - try the next ciphersuite if we don't
markrad	0:cdf462088d13	785	* This must be done last since we modify the key_cert list.
markrad	0:cdf462088d13	786	*/
markrad	0:cdf462088d13	787	if( ssl_pick_cert( ssl, suite_info ) != 0 )
markrad	0:cdf462088d13	788	{
markrad	0:cdf462088d13	789	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
markrad	0:cdf462088d13	790	"no suitable certificate" ) );
markrad	0:cdf462088d13	791	return( 0 );
markrad	0:cdf462088d13	792	}
markrad	0:cdf462088d13	793	#endif
markrad	0:cdf462088d13	794
markrad	0:cdf462088d13	795	*ciphersuite_info = suite_info;
markrad	0:cdf462088d13	796	return( 0 );
markrad	0:cdf462088d13	797	}
markrad	0:cdf462088d13	798
markrad	0:cdf462088d13	799	#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
markrad	0:cdf462088d13	800	static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	801	{
markrad	0:cdf462088d13	802	int ret, got_common_suite;
markrad	0:cdf462088d13	803	unsigned int i, j;
markrad	0:cdf462088d13	804	size_t n;
markrad	0:cdf462088d13	805	unsigned int ciph_len, sess_len, chal_len;
markrad	0:cdf462088d13	806	unsigned char buf, p;
markrad	0:cdf462088d13	807	const int *ciphersuites;
markrad	0:cdf462088d13	808	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
markrad	0:cdf462088d13	809
markrad	0:cdf462088d13	810	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
markrad	0:cdf462088d13	811
markrad	0:cdf462088d13	812	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	813	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
markrad	0:cdf462088d13	814	{
markrad	0:cdf462088d13	815	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
markrad	0:cdf462088d13	816
markrad	0:cdf462088d13	817	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad	0:cdf462088d13	818	return( ret );
markrad	0:cdf462088d13	819
markrad	0:cdf462088d13	820	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	821	}
markrad	0:cdf462088d13	822	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	823
markrad	0:cdf462088d13	824	buf = ssl->in_hdr;
markrad	0:cdf462088d13	825
markrad	0:cdf462088d13	826	MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
markrad	0:cdf462088d13	827
markrad	0:cdf462088d13	828	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
markrad	0:cdf462088d13	829	buf[2] ) );
markrad	0:cdf462088d13	830	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
markrad	0:cdf462088d13	831	( ( buf[0] & 0x7F ) << 8 ) \| buf[1] ) );
markrad	0:cdf462088d13	832	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
markrad	0:cdf462088d13	833	buf[3], buf[4] ) );
markrad	0:cdf462088d13	834
markrad	0:cdf462088d13	835	/*
markrad	0:cdf462088d13	836	* SSLv2 Client Hello
markrad	0:cdf462088d13	837	*
markrad	0:cdf462088d13	838	* Record layer:
markrad	0:cdf462088d13	839	* 0 . 1 message length
markrad	0:cdf462088d13	840	*
markrad	0:cdf462088d13	841	* SSL layer:
markrad	0:cdf462088d13	842	* 2 . 2 message type
markrad	0:cdf462088d13	843	* 3 . 4 protocol version
markrad	0:cdf462088d13	844	*/
markrad	0:cdf462088d13	845	if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO \|\|
markrad	0:cdf462088d13	846	buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
markrad	0:cdf462088d13	847	{
markrad	0:cdf462088d13	848	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	849	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	850	}
markrad	0:cdf462088d13	851
markrad	0:cdf462088d13	852	n = ( ( buf[0] << 8 ) \| buf[1] ) & 0x7FFF;
markrad	0:cdf462088d13	853
markrad	0:cdf462088d13	854	if( n < 17 \|\| n > 512 )
markrad	0:cdf462088d13	855	{
markrad	0:cdf462088d13	856	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	857	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	858	}
markrad	0:cdf462088d13	859
markrad	0:cdf462088d13	860	ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
markrad	0:cdf462088d13	861	ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
markrad	0:cdf462088d13	862	? buf[4] : ssl->conf->max_minor_ver;
markrad	0:cdf462088d13	863
markrad	0:cdf462088d13	864	if( ssl->minor_ver < ssl->conf->min_minor_ver )
markrad	0:cdf462088d13	865	{
markrad	0:cdf462088d13	866	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
markrad	0:cdf462088d13	867	" [%d:%d] < [%d:%d]",
markrad	0:cdf462088d13	868	ssl->major_ver, ssl->minor_ver,
markrad	0:cdf462088d13	869	ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
markrad	0:cdf462088d13	870
markrad	0:cdf462088d13	871	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	872	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
markrad	0:cdf462088d13	873	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
markrad	0:cdf462088d13	874	}
markrad	0:cdf462088d13	875
markrad	0:cdf462088d13	876	ssl->handshake->max_major_ver = buf[3];
markrad	0:cdf462088d13	877	ssl->handshake->max_minor_ver = buf[4];
markrad	0:cdf462088d13	878
markrad	0:cdf462088d13	879	if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
markrad	0:cdf462088d13	880	{
markrad	0:cdf462088d13	881	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
markrad	0:cdf462088d13	882	return( ret );
markrad	0:cdf462088d13	883	}
markrad	0:cdf462088d13	884
markrad	0:cdf462088d13	885	ssl->handshake->update_checksum( ssl, buf + 2, n );
markrad	0:cdf462088d13	886
markrad	0:cdf462088d13	887	buf = ssl->in_msg;
markrad	0:cdf462088d13	888	n = ssl->in_left - 5;
markrad	0:cdf462088d13	889
markrad	0:cdf462088d13	890	/*
markrad	0:cdf462088d13	891	* 0 . 1 ciphersuitelist length
markrad	0:cdf462088d13	892	* 2 . 3 session id length
markrad	0:cdf462088d13	893	* 4 . 5 challenge length
markrad	0:cdf462088d13	894	* 6 . .. ciphersuitelist
markrad	0:cdf462088d13	895	* .. . .. session id
markrad	0:cdf462088d13	896	* .. . .. challenge
markrad	0:cdf462088d13	897	*/
markrad	0:cdf462088d13	898	MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
markrad	0:cdf462088d13	899
markrad	0:cdf462088d13	900	ciph_len = ( buf[0] << 8 ) \| buf[1];
markrad	0:cdf462088d13	901	sess_len = ( buf[2] << 8 ) \| buf[3];
markrad	0:cdf462088d13	902	chal_len = ( buf[4] << 8 ) \| buf[5];
markrad	0:cdf462088d13	903
markrad	0:cdf462088d13	904	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
markrad	0:cdf462088d13	905	ciph_len, sess_len, chal_len ) );
markrad	0:cdf462088d13	906
markrad	0:cdf462088d13	907	/*
markrad	0:cdf462088d13	908	* Make sure each parameter length is valid
markrad	0:cdf462088d13	909	*/
markrad	0:cdf462088d13	910	if( ciph_len < 3 \|\| ( ciph_len % 3 ) != 0 )
markrad	0:cdf462088d13	911	{
markrad	0:cdf462088d13	912	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	913	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	914	}
markrad	0:cdf462088d13	915
markrad	0:cdf462088d13	916	if( sess_len > 32 )
markrad	0:cdf462088d13	917	{
markrad	0:cdf462088d13	918	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	919	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	920	}
markrad	0:cdf462088d13	921
markrad	0:cdf462088d13	922	if( chal_len < 8 \|\| chal_len > 32 )
markrad	0:cdf462088d13	923	{
markrad	0:cdf462088d13	924	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	925	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	926	}
markrad	0:cdf462088d13	927
markrad	0:cdf462088d13	928	if( n != 6 + ciph_len + sess_len + chal_len )
markrad	0:cdf462088d13	929	{
markrad	0:cdf462088d13	930	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	931	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	932	}
markrad	0:cdf462088d13	933
markrad	0:cdf462088d13	934	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
markrad	0:cdf462088d13	935	buf + 6, ciph_len );
markrad	0:cdf462088d13	936	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
markrad	0:cdf462088d13	937	buf + 6 + ciph_len, sess_len );
markrad	0:cdf462088d13	938	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
markrad	0:cdf462088d13	939	buf + 6 + ciph_len + sess_len, chal_len );
markrad	0:cdf462088d13	940
markrad	0:cdf462088d13	941	p = buf + 6 + ciph_len;
markrad	0:cdf462088d13	942	ssl->session_negotiate->id_len = sess_len;
markrad	0:cdf462088d13	943	memset( ssl->session_negotiate->id, 0,
markrad	0:cdf462088d13	944	sizeof( ssl->session_negotiate->id ) );
markrad	0:cdf462088d13	945	memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
markrad	0:cdf462088d13	946
markrad	0:cdf462088d13	947	p += sess_len;
markrad	0:cdf462088d13	948	memset( ssl->handshake->randbytes, 0, 64 );
markrad	0:cdf462088d13	949	memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
markrad	0:cdf462088d13	950
markrad	0:cdf462088d13	951	/*
markrad	0:cdf462088d13	952	* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
markrad	0:cdf462088d13	953	*/
markrad	0:cdf462088d13	954	for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
markrad	0:cdf462088d13	955	{
markrad	0:cdf462088d13	956	if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
markrad	0:cdf462088d13	957	{
markrad	0:cdf462088d13	958	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
markrad	0:cdf462088d13	959	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	960	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad	0:cdf462088d13	961	{
markrad	0:cdf462088d13	962	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
markrad	0:cdf462088d13	963	"during renegotiation" ) );
markrad	0:cdf462088d13	964
markrad	0:cdf462088d13	965	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad	0:cdf462088d13	966	return( ret );
markrad	0:cdf462088d13	967
markrad	0:cdf462088d13	968	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	969	}
markrad	0:cdf462088d13	970	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	971	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
markrad	0:cdf462088d13	972	break;
markrad	0:cdf462088d13	973	}
markrad	0:cdf462088d13	974	}
markrad	0:cdf462088d13	975
markrad	0:cdf462088d13	976	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
markrad	0:cdf462088d13	977	for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
markrad	0:cdf462088d13	978	{
markrad	0:cdf462088d13	979	if( p[0] == 0 &&
markrad	0:cdf462088d13	980	p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
markrad	0:cdf462088d13	981	p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
markrad	0:cdf462088d13	982	{
markrad	0:cdf462088d13	983	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
markrad	0:cdf462088d13	984
markrad	0:cdf462088d13	985	if( ssl->minor_ver < ssl->conf->max_minor_ver )
markrad	0:cdf462088d13	986	{
markrad	0:cdf462088d13	987	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
markrad	0:cdf462088d13	988
markrad	0:cdf462088d13	989	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	990	MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
markrad	0:cdf462088d13	991
markrad	0:cdf462088d13	992	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	993	}
markrad	0:cdf462088d13	994
markrad	0:cdf462088d13	995	break;
markrad	0:cdf462088d13	996	}
markrad	0:cdf462088d13	997	}
markrad	0:cdf462088d13	998	#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
markrad	0:cdf462088d13	999
markrad	0:cdf462088d13	1000	got_common_suite = 0;
markrad	0:cdf462088d13	1001	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
markrad	0:cdf462088d13	1002	ciphersuite_info = NULL;
markrad	0:cdf462088d13	1003	#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
markrad	0:cdf462088d13	1004	for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
markrad	0:cdf462088d13	1005	{
markrad	0:cdf462088d13	1006	for( i = 0; ciphersuites[i] != 0; i++ )
markrad	0:cdf462088d13	1007	#else
markrad	0:cdf462088d13	1008	for( i = 0; ciphersuites[i] != 0; i++ )
markrad	0:cdf462088d13	1009	{
markrad	0:cdf462088d13	1010	for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
markrad	0:cdf462088d13	1011	#endif
markrad	0:cdf462088d13	1012	{
markrad	0:cdf462088d13	1013	if( p[0] != 0 \|\|
markrad	0:cdf462088d13	1014	p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) \|\|
markrad	0:cdf462088d13	1015	p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
markrad	0:cdf462088d13	1016	continue;
markrad	0:cdf462088d13	1017
markrad	0:cdf462088d13	1018	got_common_suite = 1;
markrad	0:cdf462088d13	1019
markrad	0:cdf462088d13	1020	if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
markrad	0:cdf462088d13	1021	&ciphersuite_info ) ) != 0 )
markrad	0:cdf462088d13	1022	return( ret );
markrad	0:cdf462088d13	1023
markrad	0:cdf462088d13	1024	if( ciphersuite_info != NULL )
markrad	0:cdf462088d13	1025	goto have_ciphersuite_v2;
markrad	0:cdf462088d13	1026	}
markrad	0:cdf462088d13	1027	}
markrad	0:cdf462088d13	1028
markrad	0:cdf462088d13	1029	if( got_common_suite )
markrad	0:cdf462088d13	1030	{
markrad	0:cdf462088d13	1031	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
markrad	0:cdf462088d13	1032	"but none of them usable" ) );
markrad	0:cdf462088d13	1033	return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
markrad	0:cdf462088d13	1034	}
markrad	0:cdf462088d13	1035	else
markrad	0:cdf462088d13	1036	{
markrad	0:cdf462088d13	1037	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
markrad	0:cdf462088d13	1038	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
markrad	0:cdf462088d13	1039	}
markrad	0:cdf462088d13	1040
markrad	0:cdf462088d13	1041	have_ciphersuite_v2:
markrad	0:cdf462088d13	1042	MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
markrad	0:cdf462088d13	1043
markrad	0:cdf462088d13	1044	ssl->session_negotiate->ciphersuite = ciphersuites[i];
markrad	0:cdf462088d13	1045	ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
markrad	0:cdf462088d13	1046
markrad	0:cdf462088d13	1047	/*
markrad	0:cdf462088d13	1048	* SSLv2 Client Hello relevant renegotiation security checks
markrad	0:cdf462088d13	1049	*/
markrad	0:cdf462088d13	1050	if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
markrad	0:cdf462088d13	1051	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
markrad	0:cdf462088d13	1052	{
markrad	0:cdf462088d13	1053	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
markrad	0:cdf462088d13	1054
markrad	0:cdf462088d13	1055	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad	0:cdf462088d13	1056	return( ret );
markrad	0:cdf462088d13	1057
markrad	0:cdf462088d13	1058	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1059	}
markrad	0:cdf462088d13	1060
markrad	0:cdf462088d13	1061	ssl->in_left = 0;
markrad	0:cdf462088d13	1062	ssl->state++;
markrad	0:cdf462088d13	1063
markrad	0:cdf462088d13	1064	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
markrad	0:cdf462088d13	1065
markrad	0:cdf462088d13	1066	return( 0 );
markrad	0:cdf462088d13	1067	}
markrad	0:cdf462088d13	1068	#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
markrad	0:cdf462088d13	1069
markrad	0:cdf462088d13	1070	static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	1071	{
markrad	0:cdf462088d13	1072	int ret, got_common_suite;
markrad	0:cdf462088d13	1073	size_t i, j;
markrad	0:cdf462088d13	1074	size_t ciph_offset, comp_offset, ext_offset;
markrad	0:cdf462088d13	1075	size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
markrad	0:cdf462088d13	1076	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	1077	size_t cookie_offset, cookie_len;
markrad	0:cdf462088d13	1078	#endif
markrad	0:cdf462088d13	1079	unsigned char buf, p, *ext;
markrad	0:cdf462088d13	1080	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1081	int renegotiation_info_seen = 0;
markrad	0:cdf462088d13	1082	#endif
markrad	0:cdf462088d13	1083	int handshake_failure = 0;
markrad	0:cdf462088d13	1084	const int *ciphersuites;
markrad	0:cdf462088d13	1085	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
markrad	0:cdf462088d13	1086	int major, minor;
markrad	0:cdf462088d13	1087
markrad	0:cdf462088d13	1088	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
markrad	0:cdf462088d13	1089
markrad	0:cdf462088d13	1090	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	1091	read_record_header:
markrad	0:cdf462088d13	1092	#endif
markrad	0:cdf462088d13	1093	/*
markrad	0:cdf462088d13	1094	* If renegotiating, then the input was read with mbedtls_ssl_read_record(),
markrad	0:cdf462088d13	1095	* otherwise read it ourselves manually in order to support SSLv2
markrad	0:cdf462088d13	1096	* ClientHello, which doesn't use the same record layer format.
markrad	0:cdf462088d13	1097	*/
markrad	0:cdf462088d13	1098	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1099	if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
markrad	0:cdf462088d13	1100	#endif
markrad	0:cdf462088d13	1101	{
markrad	0:cdf462088d13	1102	if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
markrad	0:cdf462088d13	1103	{
markrad	0:cdf462088d13	1104	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
markrad	0:cdf462088d13	1105	return( ret );
markrad	0:cdf462088d13	1106	}
markrad	0:cdf462088d13	1107	}
markrad	0:cdf462088d13	1108
markrad	0:cdf462088d13	1109	buf = ssl->in_hdr;
markrad	0:cdf462088d13	1110
markrad	0:cdf462088d13	1111	#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
markrad	0:cdf462088d13	1112	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	1113	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
markrad	0:cdf462088d13	1114	#endif
markrad	0:cdf462088d13	1115	if( ( buf[0] & 0x80 ) != 0 )
markrad	0:cdf462088d13	1116	return ssl_parse_client_hello_v2( ssl );
markrad	0:cdf462088d13	1117	#endif
markrad	0:cdf462088d13	1118
markrad	0:cdf462088d13	1119	MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
markrad	0:cdf462088d13	1120
markrad	0:cdf462088d13	1121	/*
markrad	0:cdf462088d13	1122	* SSLv3/TLS Client Hello
markrad	0:cdf462088d13	1123	*
markrad	0:cdf462088d13	1124	* Record layer:
markrad	0:cdf462088d13	1125	* 0 . 0 message type
markrad	0:cdf462088d13	1126	* 1 . 2 protocol version
markrad	0:cdf462088d13	1127	* 3 . 11 DTLS: epoch + record sequence number
markrad	0:cdf462088d13	1128	* 3 . 4 message length
markrad	0:cdf462088d13	1129	*/
markrad	0:cdf462088d13	1130	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
markrad	0:cdf462088d13	1131	buf[0] ) );
markrad	0:cdf462088d13	1132
markrad	0:cdf462088d13	1133	if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
markrad	0:cdf462088d13	1134	{
markrad	0:cdf462088d13	1135	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1136	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1137	}
markrad	0:cdf462088d13	1138
markrad	0:cdf462088d13	1139	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
markrad	0:cdf462088d13	1140	( ssl->in_len[0] << 8 ) \| ssl->in_len[1] ) );
markrad	0:cdf462088d13	1141
markrad	0:cdf462088d13	1142	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
markrad	0:cdf462088d13	1143	buf[1], buf[2] ) );
markrad	0:cdf462088d13	1144
markrad	0:cdf462088d13	1145	mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
markrad	0:cdf462088d13	1146
markrad	0:cdf462088d13	1147	/* According to RFC 5246 Appendix E.1, the version here is typically
markrad	0:cdf462088d13	1148	* "{03,00}, the lowest version number supported by the client, [or] the
markrad	0:cdf462088d13	1149	* value of ClientHello.client_version", so the only meaningful check here
markrad	0:cdf462088d13	1150	* is the major version shouldn't be less than 3 */
markrad	0:cdf462088d13	1151	if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
markrad	0:cdf462088d13	1152	{
markrad	0:cdf462088d13	1153	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1154	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1155	}
markrad	0:cdf462088d13	1156
markrad	0:cdf462088d13	1157	/* For DTLS if this is the initial handshake, remember the client sequence
markrad	0:cdf462088d13	1158	* number to use it in our next message (RFC 6347 4.2.1) */
markrad	0:cdf462088d13	1159	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	1160	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
markrad	0:cdf462088d13	1161	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1162	&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
markrad	0:cdf462088d13	1163	#endif
markrad	0:cdf462088d13	1164	)
markrad	0:cdf462088d13	1165	{
markrad	0:cdf462088d13	1166	/* Epoch should be 0 for initial handshakes */
markrad	0:cdf462088d13	1167	if( ssl->in_ctr[0] != 0 \|\| ssl->in_ctr[1] != 0 )
markrad	0:cdf462088d13	1168	{
markrad	0:cdf462088d13	1169	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1170	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1171	}
markrad	0:cdf462088d13	1172
markrad	0:cdf462088d13	1173	memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
markrad	0:cdf462088d13	1174
markrad	0:cdf462088d13	1175	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad	0:cdf462088d13	1176	if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
markrad	0:cdf462088d13	1177	{
markrad	0:cdf462088d13	1178	MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
markrad	0:cdf462088d13	1179	ssl->next_record_offset = 0;
markrad	0:cdf462088d13	1180	ssl->in_left = 0;
markrad	0:cdf462088d13	1181	goto read_record_header;
markrad	0:cdf462088d13	1182	}
markrad	0:cdf462088d13	1183
markrad	0:cdf462088d13	1184	/* No MAC to check yet, so we can update right now */
markrad	0:cdf462088d13	1185	mbedtls_ssl_dtls_replay_update( ssl );
markrad	0:cdf462088d13	1186	#endif
markrad	0:cdf462088d13	1187	}
markrad	0:cdf462088d13	1188	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	1189
markrad	0:cdf462088d13	1190	msg_len = ( ssl->in_len[0] << 8 ) \| ssl->in_len[1];
markrad	0:cdf462088d13	1191
markrad	0:cdf462088d13	1192	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1193	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
markrad	0:cdf462088d13	1194	{
markrad	0:cdf462088d13	1195	/* Set by mbedtls_ssl_read_record() */
markrad	0:cdf462088d13	1196	msg_len = ssl->in_hslen;
markrad	0:cdf462088d13	1197	}
markrad	0:cdf462088d13	1198	else
markrad	0:cdf462088d13	1199	#endif
markrad	0:cdf462088d13	1200	{
markrad	0:cdf462088d13	1201	if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
markrad	0:cdf462088d13	1202	{
markrad	0:cdf462088d13	1203	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1204	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1205	}
markrad	0:cdf462088d13	1206
markrad	0:cdf462088d13	1207	if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
markrad	0:cdf462088d13	1208	{
markrad	0:cdf462088d13	1209	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
markrad	0:cdf462088d13	1210	return( ret );
markrad	0:cdf462088d13	1211	}
markrad	0:cdf462088d13	1212
markrad	0:cdf462088d13	1213	/* Done reading this record, get ready for the next one */
markrad	0:cdf462088d13	1214	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	1215	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	1216	ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
markrad	0:cdf462088d13	1217	else
markrad	0:cdf462088d13	1218	#endif
markrad	0:cdf462088d13	1219	ssl->in_left = 0;
markrad	0:cdf462088d13	1220	}
markrad	0:cdf462088d13	1221
markrad	0:cdf462088d13	1222	buf = ssl->in_msg;
markrad	0:cdf462088d13	1223
markrad	0:cdf462088d13	1224	MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
markrad	0:cdf462088d13	1225
markrad	0:cdf462088d13	1226	ssl->handshake->update_checksum( ssl, buf, msg_len );
markrad	0:cdf462088d13	1227
markrad	0:cdf462088d13	1228	/*
markrad	0:cdf462088d13	1229	* Handshake layer:
markrad	0:cdf462088d13	1230	* 0 . 0 handshake type
markrad	0:cdf462088d13	1231	* 1 . 3 handshake length
markrad	0:cdf462088d13	1232	* 4 . 5 DTLS only: message seqence number
markrad	0:cdf462088d13	1233	* 6 . 8 DTLS only: fragment offset
markrad	0:cdf462088d13	1234	* 9 . 11 DTLS only: fragment length
markrad	0:cdf462088d13	1235	*/
markrad	0:cdf462088d13	1236	if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
markrad	0:cdf462088d13	1237	{
markrad	0:cdf462088d13	1238	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1239	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1240	}
markrad	0:cdf462088d13	1241
markrad	0:cdf462088d13	1242	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
markrad	0:cdf462088d13	1243
markrad	0:cdf462088d13	1244	if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
markrad	0:cdf462088d13	1245	{
markrad	0:cdf462088d13	1246	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1247	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1248	}
markrad	0:cdf462088d13	1249
markrad	0:cdf462088d13	1250	MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
markrad	0:cdf462088d13	1251	( buf[1] << 16 ) \| ( buf[2] << 8 ) \| buf[3] ) );
markrad	0:cdf462088d13	1252
markrad	0:cdf462088d13	1253	/* We don't support fragmentation of ClientHello (yet?) */
markrad	0:cdf462088d13	1254	if( buf[1] != 0 \|\|
markrad	0:cdf462088d13	1255	msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) \| buf[3] ) )
markrad	0:cdf462088d13	1256	{
markrad	0:cdf462088d13	1257	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1258	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1259	}
markrad	0:cdf462088d13	1260
markrad	0:cdf462088d13	1261	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	1262	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	1263	{
markrad	0:cdf462088d13	1264	/*
markrad	0:cdf462088d13	1265	* Copy the client's handshake message_seq on initial handshakes,
markrad	0:cdf462088d13	1266	* check sequence number on renego.
markrad	0:cdf462088d13	1267	*/
markrad	0:cdf462088d13	1268	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1269	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad	0:cdf462088d13	1270	{
markrad	0:cdf462088d13	1271	/* This couldn't be done in ssl_prepare_handshake_record() */
markrad	0:cdf462088d13	1272	unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) \|
markrad	0:cdf462088d13	1273	ssl->in_msg[5];
markrad	0:cdf462088d13	1274
markrad	0:cdf462088d13	1275	if( cli_msg_seq != ssl->handshake->in_msg_seq )
markrad	0:cdf462088d13	1276	{
markrad	0:cdf462088d13	1277	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
markrad	0:cdf462088d13	1278	"%d (expected %d)", cli_msg_seq,
markrad	0:cdf462088d13	1279	ssl->handshake->in_msg_seq ) );
markrad	0:cdf462088d13	1280	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1281	}
markrad	0:cdf462088d13	1282
markrad	0:cdf462088d13	1283	ssl->handshake->in_msg_seq++;
markrad	0:cdf462088d13	1284	}
markrad	0:cdf462088d13	1285	else
markrad	0:cdf462088d13	1286	#endif
markrad	0:cdf462088d13	1287	{
markrad	0:cdf462088d13	1288	unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) \|
markrad	0:cdf462088d13	1289	ssl->in_msg[5];
markrad	0:cdf462088d13	1290	ssl->handshake->out_msg_seq = cli_msg_seq;
markrad	0:cdf462088d13	1291	ssl->handshake->in_msg_seq = cli_msg_seq + 1;
markrad	0:cdf462088d13	1292	}
markrad	0:cdf462088d13	1293
markrad	0:cdf462088d13	1294	/*
markrad	0:cdf462088d13	1295	* For now we don't support fragmentation, so make sure
markrad	0:cdf462088d13	1296	* fragment_offset == 0 and fragment_length == length
markrad	0:cdf462088d13	1297	*/
markrad	0:cdf462088d13	1298	if( ssl->in_msg[6] != 0 \|\| ssl->in_msg[7] != 0 \|\| ssl->in_msg[8] != 0 \|\|
markrad	0:cdf462088d13	1299	memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
markrad	0:cdf462088d13	1300	{
markrad	0:cdf462088d13	1301	MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
markrad	0:cdf462088d13	1302	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad	0:cdf462088d13	1303	}
markrad	0:cdf462088d13	1304	}
markrad	0:cdf462088d13	1305	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	1306
markrad	0:cdf462088d13	1307	buf += mbedtls_ssl_hs_hdr_len( ssl );
markrad	0:cdf462088d13	1308	msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
markrad	0:cdf462088d13	1309
markrad	0:cdf462088d13	1310	/*
markrad	0:cdf462088d13	1311	* ClientHello layer:
markrad	0:cdf462088d13	1312	* 0 . 1 protocol version
markrad	0:cdf462088d13	1313	* 2 . 33 random bytes (starting with 4 bytes of Unix time)
markrad	0:cdf462088d13	1314	* 34 . 35 session id length (1 byte)
markrad	0:cdf462088d13	1315	* 35 . 34+x session id
markrad	0:cdf462088d13	1316	* 35+x . 35+x DTLS only: cookie length (1 byte)
markrad	0:cdf462088d13	1317	* 36+x . .. DTLS only: cookie
markrad	0:cdf462088d13	1318	* .. . .. ciphersuite list length (2 bytes)
markrad	0:cdf462088d13	1319	* .. . .. ciphersuite list
markrad	0:cdf462088d13	1320	* .. . .. compression alg. list length (1 byte)
markrad	0:cdf462088d13	1321	* .. . .. compression alg. list
markrad	0:cdf462088d13	1322	* .. . .. extensions length (2 bytes, optional)
markrad	0:cdf462088d13	1323	* .. . .. extensions (optional)
markrad	0:cdf462088d13	1324	*/
markrad	0:cdf462088d13	1325
markrad	0:cdf462088d13	1326	/*
markrad	0:cdf462088d13	1327	* Minimal length (with everything empty and extensions ommitted) is
markrad	0:cdf462088d13	1328	* 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
markrad	0:cdf462088d13	1329	* read at least up to session id length without worrying.
markrad	0:cdf462088d13	1330	*/
markrad	0:cdf462088d13	1331	if( msg_len < 38 )
markrad	0:cdf462088d13	1332	{
markrad	0:cdf462088d13	1333	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1334	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1335	}
markrad	0:cdf462088d13	1336
markrad	0:cdf462088d13	1337	/*
markrad	0:cdf462088d13	1338	* Check and save the protocol version
markrad	0:cdf462088d13	1339	*/
markrad	0:cdf462088d13	1340	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
markrad	0:cdf462088d13	1341
markrad	0:cdf462088d13	1342	mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
markrad	0:cdf462088d13	1343	ssl->conf->transport, buf );
markrad	0:cdf462088d13	1344
markrad	0:cdf462088d13	1345	ssl->handshake->max_major_ver = ssl->major_ver;
markrad	0:cdf462088d13	1346	ssl->handshake->max_minor_ver = ssl->minor_ver;
markrad	0:cdf462088d13	1347
markrad	0:cdf462088d13	1348	if( ssl->major_ver < ssl->conf->min_major_ver \|\|
markrad	0:cdf462088d13	1349	ssl->minor_ver < ssl->conf->min_minor_ver )
markrad	0:cdf462088d13	1350	{
markrad	0:cdf462088d13	1351	MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
markrad	0:cdf462088d13	1352	" [%d:%d] < [%d:%d]",
markrad	0:cdf462088d13	1353	ssl->major_ver, ssl->minor_ver,
markrad	0:cdf462088d13	1354	ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
markrad	0:cdf462088d13	1355
markrad	0:cdf462088d13	1356	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	1357	MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
markrad	0:cdf462088d13	1358
markrad	0:cdf462088d13	1359	return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
markrad	0:cdf462088d13	1360	}
markrad	0:cdf462088d13	1361
markrad	0:cdf462088d13	1362	if( ssl->major_ver > ssl->conf->max_major_ver )
markrad	0:cdf462088d13	1363	{
markrad	0:cdf462088d13	1364	ssl->major_ver = ssl->conf->max_major_ver;
markrad	0:cdf462088d13	1365	ssl->minor_ver = ssl->conf->max_minor_ver;
markrad	0:cdf462088d13	1366	}
markrad	0:cdf462088d13	1367	else if( ssl->minor_ver > ssl->conf->max_minor_ver )
markrad	0:cdf462088d13	1368	ssl->minor_ver = ssl->conf->max_minor_ver;
markrad	0:cdf462088d13	1369
markrad	0:cdf462088d13	1370	/*
markrad	0:cdf462088d13	1371	* Save client random (inc. Unix time)
markrad	0:cdf462088d13	1372	*/
markrad	0:cdf462088d13	1373	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
markrad	0:cdf462088d13	1374
markrad	0:cdf462088d13	1375	memcpy( ssl->handshake->randbytes, buf + 2, 32 );
markrad	0:cdf462088d13	1376
markrad	0:cdf462088d13	1377	/*
markrad	0:cdf462088d13	1378	* Check the session ID length and save session ID
markrad	0:cdf462088d13	1379	*/
markrad	0:cdf462088d13	1380	sess_len = buf[34];
markrad	0:cdf462088d13	1381
markrad	0:cdf462088d13	1382	if( sess_len > sizeof( ssl->session_negotiate->id ) \|\|
markrad	0:cdf462088d13	1383	sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
markrad	0:cdf462088d13	1384	{
markrad	0:cdf462088d13	1385	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1386	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1387	}
markrad	0:cdf462088d13	1388
markrad	0:cdf462088d13	1389	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
markrad	0:cdf462088d13	1390
markrad	0:cdf462088d13	1391	ssl->session_negotiate->id_len = sess_len;
markrad	0:cdf462088d13	1392	memset( ssl->session_negotiate->id, 0,
markrad	0:cdf462088d13	1393	sizeof( ssl->session_negotiate->id ) );
markrad	0:cdf462088d13	1394	memcpy( ssl->session_negotiate->id, buf + 35,
markrad	0:cdf462088d13	1395	ssl->session_negotiate->id_len );
markrad	0:cdf462088d13	1396
markrad	0:cdf462088d13	1397	/*
markrad	0:cdf462088d13	1398	* Check the cookie length and content
markrad	0:cdf462088d13	1399	*/
markrad	0:cdf462088d13	1400	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	1401	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	1402	{
markrad	0:cdf462088d13	1403	cookie_offset = 35 + sess_len;
markrad	0:cdf462088d13	1404	cookie_len = buf[cookie_offset];
markrad	0:cdf462088d13	1405
markrad	0:cdf462088d13	1406	if( cookie_offset + 1 + cookie_len + 2 > msg_len )
markrad	0:cdf462088d13	1407	{
markrad	0:cdf462088d13	1408	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1409	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1410	}
markrad	0:cdf462088d13	1411
markrad	0:cdf462088d13	1412	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
markrad	0:cdf462088d13	1413	buf + cookie_offset + 1, cookie_len );
markrad	0:cdf462088d13	1414
markrad	0:cdf462088d13	1415	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
markrad	0:cdf462088d13	1416	if( ssl->conf->f_cookie_check != NULL
markrad	0:cdf462088d13	1417	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1418	&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
markrad	0:cdf462088d13	1419	#endif
markrad	0:cdf462088d13	1420	)
markrad	0:cdf462088d13	1421	{
markrad	0:cdf462088d13	1422	if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
markrad	0:cdf462088d13	1423	buf + cookie_offset + 1, cookie_len,
markrad	0:cdf462088d13	1424	ssl->cli_id, ssl->cli_id_len ) != 0 )
markrad	0:cdf462088d13	1425	{
markrad	0:cdf462088d13	1426	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
markrad	0:cdf462088d13	1427	ssl->handshake->verify_cookie_len = 1;
markrad	0:cdf462088d13	1428	}
markrad	0:cdf462088d13	1429	else
markrad	0:cdf462088d13	1430	{
markrad	0:cdf462088d13	1431	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
markrad	0:cdf462088d13	1432	ssl->handshake->verify_cookie_len = 0;
markrad	0:cdf462088d13	1433	}
markrad	0:cdf462088d13	1434	}
markrad	0:cdf462088d13	1435	else
markrad	0:cdf462088d13	1436	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
markrad	0:cdf462088d13	1437	{
markrad	0:cdf462088d13	1438	/* We know we didn't send a cookie, so it should be empty */
markrad	0:cdf462088d13	1439	if( cookie_len != 0 )
markrad	0:cdf462088d13	1440	{
markrad	0:cdf462088d13	1441	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1442	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1443	}
markrad	0:cdf462088d13	1444
markrad	0:cdf462088d13	1445	MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
markrad	0:cdf462088d13	1446	}
markrad	0:cdf462088d13	1447
markrad	0:cdf462088d13	1448	/*
markrad	0:cdf462088d13	1449	* Check the ciphersuitelist length (will be parsed later)
markrad	0:cdf462088d13	1450	*/
markrad	0:cdf462088d13	1451	ciph_offset = cookie_offset + 1 + cookie_len;
markrad	0:cdf462088d13	1452	}
markrad	0:cdf462088d13	1453	else
markrad	0:cdf462088d13	1454	#endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad	0:cdf462088d13	1455	ciph_offset = 35 + sess_len;
markrad	0:cdf462088d13	1456
markrad	0:cdf462088d13	1457	ciph_len = ( buf[ciph_offset + 0] << 8 )
markrad	0:cdf462088d13	1458	\| ( buf[ciph_offset + 1] );
markrad	0:cdf462088d13	1459
markrad	0:cdf462088d13	1460	if( ciph_len < 2 \|\|
markrad	0:cdf462088d13	1461	ciph_len + 2 + ciph_offset + 1 > msg_len \|\| /* 1 for comp. alg. len */
markrad	0:cdf462088d13	1462	( ciph_len % 2 ) != 0 )
markrad	0:cdf462088d13	1463	{
markrad	0:cdf462088d13	1464	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1465	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1466	}
markrad	0:cdf462088d13	1467
markrad	0:cdf462088d13	1468	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
markrad	0:cdf462088d13	1469	buf + ciph_offset + 2, ciph_len );
markrad	0:cdf462088d13	1470
markrad	0:cdf462088d13	1471	/*
markrad	0:cdf462088d13	1472	* Check the compression algorithms length and pick one
markrad	0:cdf462088d13	1473	*/
markrad	0:cdf462088d13	1474	comp_offset = ciph_offset + 2 + ciph_len;
markrad	0:cdf462088d13	1475
markrad	0:cdf462088d13	1476	comp_len = buf[comp_offset];
markrad	0:cdf462088d13	1477
markrad	0:cdf462088d13	1478	if( comp_len < 1 \|\|
markrad	0:cdf462088d13	1479	comp_len > 16 \|\|
markrad	0:cdf462088d13	1480	comp_len + comp_offset + 1 > msg_len )
markrad	0:cdf462088d13	1481	{
markrad	0:cdf462088d13	1482	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1483	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1484	}
markrad	0:cdf462088d13	1485
markrad	0:cdf462088d13	1486	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
markrad	0:cdf462088d13	1487	buf + comp_offset + 1, comp_len );
markrad	0:cdf462088d13	1488
markrad	0:cdf462088d13	1489	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
markrad	0:cdf462088d13	1490	#if defined(MBEDTLS_ZLIB_SUPPORT)
markrad	0:cdf462088d13	1491	for( i = 0; i < comp_len; ++i )
markrad	0:cdf462088d13	1492	{
markrad	0:cdf462088d13	1493	if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
markrad	0:cdf462088d13	1494	{
markrad	0:cdf462088d13	1495	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
markrad	0:cdf462088d13	1496	break;
markrad	0:cdf462088d13	1497	}
markrad	0:cdf462088d13	1498	}
markrad	0:cdf462088d13	1499	#endif
markrad	0:cdf462088d13	1500
markrad	0:cdf462088d13	1501	/* See comments in ssl_write_client_hello() */
markrad	0:cdf462088d13	1502	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	1503	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	1504	ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
markrad	0:cdf462088d13	1505	#endif
markrad	0:cdf462088d13	1506
markrad	0:cdf462088d13	1507	/* Do not parse the extensions if the protocol is SSLv3 */
markrad	0:cdf462088d13	1508	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	1509	if( ( ssl->major_ver != 3 ) \|\| ( ssl->minor_ver != 0 ) )
markrad	0:cdf462088d13	1510	{
markrad	0:cdf462088d13	1511	#endif
markrad	0:cdf462088d13	1512	/*
markrad	0:cdf462088d13	1513	* Check the extension length
markrad	0:cdf462088d13	1514	*/
markrad	0:cdf462088d13	1515	ext_offset = comp_offset + 1 + comp_len;
markrad	0:cdf462088d13	1516	if( msg_len > ext_offset )
markrad	0:cdf462088d13	1517	{
markrad	0:cdf462088d13	1518	if( msg_len < ext_offset + 2 )
markrad	0:cdf462088d13	1519	{
markrad	0:cdf462088d13	1520	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1521	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1522	}
markrad	0:cdf462088d13	1523
markrad	0:cdf462088d13	1524	ext_len = ( buf[ext_offset + 0] << 8 )
markrad	0:cdf462088d13	1525	\| ( buf[ext_offset + 1] );
markrad	0:cdf462088d13	1526
markrad	0:cdf462088d13	1527	if( ( ext_len > 0 && ext_len < 4 ) \|\|
markrad	0:cdf462088d13	1528	msg_len != ext_offset + 2 + ext_len )
markrad	0:cdf462088d13	1529	{
markrad	0:cdf462088d13	1530	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1531	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1532	}
markrad	0:cdf462088d13	1533	}
markrad	0:cdf462088d13	1534	else
markrad	0:cdf462088d13	1535	ext_len = 0;
markrad	0:cdf462088d13	1536
markrad	0:cdf462088d13	1537	ext = buf + ext_offset + 2;
markrad	0:cdf462088d13	1538	MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
markrad	0:cdf462088d13	1539
markrad	0:cdf462088d13	1540	while( ext_len != 0 )
markrad	0:cdf462088d13	1541	{
markrad	0:cdf462088d13	1542	unsigned int ext_id = ( ( ext[0] << 8 )
markrad	0:cdf462088d13	1543	\| ( ext[1] ) );
markrad	0:cdf462088d13	1544	unsigned int ext_size = ( ( ext[2] << 8 )
markrad	0:cdf462088d13	1545	\| ( ext[3] ) );
markrad	0:cdf462088d13	1546
markrad	0:cdf462088d13	1547	if( ext_size + 4 > ext_len )
markrad	0:cdf462088d13	1548	{
markrad	0:cdf462088d13	1549	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1550	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1551	}
markrad	0:cdf462088d13	1552	switch( ext_id )
markrad	0:cdf462088d13	1553	{
markrad	0:cdf462088d13	1554	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	1555	case MBEDTLS_TLS_EXT_SERVERNAME:
markrad	0:cdf462088d13	1556	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
markrad	0:cdf462088d13	1557	if( ssl->conf->f_sni == NULL )
markrad	0:cdf462088d13	1558	break;
markrad	0:cdf462088d13	1559
markrad	0:cdf462088d13	1560	ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1561	if( ret != 0 )
markrad	0:cdf462088d13	1562	return( ret );
markrad	0:cdf462088d13	1563	break;
markrad	0:cdf462088d13	1564	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
markrad	0:cdf462088d13	1565
markrad	0:cdf462088d13	1566	case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
markrad	0:cdf462088d13	1567	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
markrad	0:cdf462088d13	1568	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1569	renegotiation_info_seen = 1;
markrad	0:cdf462088d13	1570	#endif
markrad	0:cdf462088d13	1571
markrad	0:cdf462088d13	1572	ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1573	if( ret != 0 )
markrad	0:cdf462088d13	1574	return( ret );
markrad	0:cdf462088d13	1575	break;
markrad	0:cdf462088d13	1576
markrad	0:cdf462088d13	1577	#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
markrad	0:cdf462088d13	1578	defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad	0:cdf462088d13	1579	case MBEDTLS_TLS_EXT_SIG_ALG:
markrad	0:cdf462088d13	1580	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
markrad	0:cdf462088d13	1581	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1582	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad	0:cdf462088d13	1583	break;
markrad	0:cdf462088d13	1584	#endif
markrad	0:cdf462088d13	1585
markrad	0:cdf462088d13	1586	ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1587	if( ret != 0 )
markrad	0:cdf462088d13	1588	return( ret );
markrad	0:cdf462088d13	1589	break;
markrad	0:cdf462088d13	1590	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
markrad	0:cdf462088d13	1591	MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
markrad	0:cdf462088d13	1592
markrad	0:cdf462088d13	1593	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
markrad	0:cdf462088d13	1594	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	1595	case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
markrad	0:cdf462088d13	1596	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
markrad	0:cdf462088d13	1597
markrad	0:cdf462088d13	1598	ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1599	if( ret != 0 )
markrad	0:cdf462088d13	1600	return( ret );
markrad	0:cdf462088d13	1601	break;
markrad	0:cdf462088d13	1602
markrad	0:cdf462088d13	1603	case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
markrad	0:cdf462088d13	1604	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
markrad	0:cdf462088d13	1605	ssl->handshake->cli_exts \|= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
markrad	0:cdf462088d13	1606
markrad	0:cdf462088d13	1607	ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1608	if( ret != 0 )
markrad	0:cdf462088d13	1609	return( ret );
markrad	0:cdf462088d13	1610	break;
markrad	0:cdf462088d13	1611	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\|
markrad	0:cdf462088d13	1612	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	1613
markrad	0:cdf462088d13	1614	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	1615	case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
markrad	0:cdf462088d13	1616	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
markrad	0:cdf462088d13	1617
markrad	0:cdf462088d13	1618	ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1619	if( ret != 0 )
markrad	0:cdf462088d13	1620	return( ret );
markrad	0:cdf462088d13	1621	break;
markrad	0:cdf462088d13	1622	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	1623
markrad	0:cdf462088d13	1624	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad	0:cdf462088d13	1625	case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
markrad	0:cdf462088d13	1626	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
markrad	0:cdf462088d13	1627
markrad	0:cdf462088d13	1628	ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1629	if( ret != 0 )
markrad	0:cdf462088d13	1630	return( ret );
markrad	0:cdf462088d13	1631	break;
markrad	0:cdf462088d13	1632	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad	0:cdf462088d13	1633
markrad	0:cdf462088d13	1634	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
markrad	0:cdf462088d13	1635	case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
markrad	0:cdf462088d13	1636	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
markrad	0:cdf462088d13	1637
markrad	0:cdf462088d13	1638	ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1639	if( ret != 0 )
markrad	0:cdf462088d13	1640	return( ret );
markrad	0:cdf462088d13	1641	break;
markrad	0:cdf462088d13	1642	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
markrad	0:cdf462088d13	1643
markrad	0:cdf462088d13	1644	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	1645	case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
markrad	0:cdf462088d13	1646	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
markrad	0:cdf462088d13	1647
markrad	0:cdf462088d13	1648	ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1649	if( ret != 0 )
markrad	0:cdf462088d13	1650	return( ret );
markrad	0:cdf462088d13	1651	break;
markrad	0:cdf462088d13	1652	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
markrad	0:cdf462088d13	1653
markrad	0:cdf462088d13	1654	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad	0:cdf462088d13	1655	case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
markrad	0:cdf462088d13	1656	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
markrad	0:cdf462088d13	1657
markrad	0:cdf462088d13	1658	ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1659	if( ret != 0 )
markrad	0:cdf462088d13	1660	return( ret );
markrad	0:cdf462088d13	1661	break;
markrad	0:cdf462088d13	1662	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
markrad	0:cdf462088d13	1663
markrad	0:cdf462088d13	1664	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	1665	case MBEDTLS_TLS_EXT_SESSION_TICKET:
markrad	0:cdf462088d13	1666	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
markrad	0:cdf462088d13	1667
markrad	0:cdf462088d13	1668	ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1669	if( ret != 0 )
markrad	0:cdf462088d13	1670	return( ret );
markrad	0:cdf462088d13	1671	break;
markrad	0:cdf462088d13	1672	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad	0:cdf462088d13	1673
markrad	0:cdf462088d13	1674	#if defined(MBEDTLS_SSL_ALPN)
markrad	0:cdf462088d13	1675	case MBEDTLS_TLS_EXT_ALPN:
markrad	0:cdf462088d13	1676	MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
markrad	0:cdf462088d13	1677
markrad	0:cdf462088d13	1678	ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
markrad	0:cdf462088d13	1679	if( ret != 0 )
markrad	0:cdf462088d13	1680	return( ret );
markrad	0:cdf462088d13	1681	break;
markrad	0:cdf462088d13	1682	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad	0:cdf462088d13	1683
markrad	0:cdf462088d13	1684	default:
markrad	0:cdf462088d13	1685	MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
markrad	0:cdf462088d13	1686	ext_id ) );
markrad	0:cdf462088d13	1687	}
markrad	0:cdf462088d13	1688
markrad	0:cdf462088d13	1689	ext_len -= 4 + ext_size;
markrad	0:cdf462088d13	1690	ext += 4 + ext_size;
markrad	0:cdf462088d13	1691
markrad	0:cdf462088d13	1692	if( ext_len > 0 && ext_len < 4 )
markrad	0:cdf462088d13	1693	{
markrad	0:cdf462088d13	1694	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad	0:cdf462088d13	1695	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1696	}
markrad	0:cdf462088d13	1697	}
markrad	0:cdf462088d13	1698	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	1699	}
markrad	0:cdf462088d13	1700	#endif
markrad	0:cdf462088d13	1701
markrad	0:cdf462088d13	1702	#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
markrad	0:cdf462088d13	1703	for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
markrad	0:cdf462088d13	1704	{
markrad	0:cdf462088d13	1705	if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
markrad	0:cdf462088d13	1706	p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
markrad	0:cdf462088d13	1707	{
markrad	0:cdf462088d13	1708	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
markrad	0:cdf462088d13	1709
markrad	0:cdf462088d13	1710	if( ssl->minor_ver < ssl->conf->max_minor_ver )
markrad	0:cdf462088d13	1711	{
markrad	0:cdf462088d13	1712	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
markrad	0:cdf462088d13	1713
markrad	0:cdf462088d13	1714	mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	1715	MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
markrad	0:cdf462088d13	1716
markrad	0:cdf462088d13	1717	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1718	}
markrad	0:cdf462088d13	1719
markrad	0:cdf462088d13	1720	break;
markrad	0:cdf462088d13	1721	}
markrad	0:cdf462088d13	1722	}
markrad	0:cdf462088d13	1723	#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
markrad	0:cdf462088d13	1724
markrad	0:cdf462088d13	1725	/*
markrad	0:cdf462088d13	1726	* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
markrad	0:cdf462088d13	1727	*/
markrad	0:cdf462088d13	1728	for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
markrad	0:cdf462088d13	1729	{
markrad	0:cdf462088d13	1730	if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
markrad	0:cdf462088d13	1731	{
markrad	0:cdf462088d13	1732	MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
markrad	0:cdf462088d13	1733	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1734	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad	0:cdf462088d13	1735	{
markrad	0:cdf462088d13	1736	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
markrad	0:cdf462088d13	1737
markrad	0:cdf462088d13	1738	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad	0:cdf462088d13	1739	return( ret );
markrad	0:cdf462088d13	1740
markrad	0:cdf462088d13	1741	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1742	}
markrad	0:cdf462088d13	1743	#endif
markrad	0:cdf462088d13	1744	ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
markrad	0:cdf462088d13	1745	break;
markrad	0:cdf462088d13	1746	}
markrad	0:cdf462088d13	1747	}
markrad	0:cdf462088d13	1748
markrad	0:cdf462088d13	1749	/*
markrad	0:cdf462088d13	1750	* Renegotiation security checks
markrad	0:cdf462088d13	1751	*/
markrad	0:cdf462088d13	1752	if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
markrad	0:cdf462088d13	1753	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
markrad	0:cdf462088d13	1754	{
markrad	0:cdf462088d13	1755	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
markrad	0:cdf462088d13	1756	handshake_failure = 1;
markrad	0:cdf462088d13	1757	}
markrad	0:cdf462088d13	1758	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1759	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
markrad	0:cdf462088d13	1760	ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
markrad	0:cdf462088d13	1761	renegotiation_info_seen == 0 )
markrad	0:cdf462088d13	1762	{
markrad	0:cdf462088d13	1763	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
markrad	0:cdf462088d13	1764	handshake_failure = 1;
markrad	0:cdf462088d13	1765	}
markrad	0:cdf462088d13	1766	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
markrad	0:cdf462088d13	1767	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
markrad	0:cdf462088d13	1768	ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
markrad	0:cdf462088d13	1769	{
markrad	0:cdf462088d13	1770	MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
markrad	0:cdf462088d13	1771	handshake_failure = 1;
markrad	0:cdf462088d13	1772	}
markrad	0:cdf462088d13	1773	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
markrad	0:cdf462088d13	1774	ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
markrad	0:cdf462088d13	1775	renegotiation_info_seen == 1 )
markrad	0:cdf462088d13	1776	{
markrad	0:cdf462088d13	1777	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
markrad	0:cdf462088d13	1778	handshake_failure = 1;
markrad	0:cdf462088d13	1779	}
markrad	0:cdf462088d13	1780	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	1781
markrad	0:cdf462088d13	1782	if( handshake_failure == 1 )
markrad	0:cdf462088d13	1783	{
markrad	0:cdf462088d13	1784	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad	0:cdf462088d13	1785	return( ret );
markrad	0:cdf462088d13	1786
markrad	0:cdf462088d13	1787	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad	0:cdf462088d13	1788	}
markrad	0:cdf462088d13	1789
markrad	0:cdf462088d13	1790	/*
markrad	0:cdf462088d13	1791	* Search for a matching ciphersuite
markrad	0:cdf462088d13	1792	* (At the end because we need information from the EC-based extensions
markrad	0:cdf462088d13	1793	* and certificate from the SNI callback triggered by the SNI extension.)
markrad	0:cdf462088d13	1794	*/
markrad	0:cdf462088d13	1795	got_common_suite = 0;
markrad	0:cdf462088d13	1796	ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
markrad	0:cdf462088d13	1797	ciphersuite_info = NULL;
markrad	0:cdf462088d13	1798	#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
markrad	0:cdf462088d13	1799	for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
markrad	0:cdf462088d13	1800	{
markrad	0:cdf462088d13	1801	for( i = 0; ciphersuites[i] != 0; i++ )
markrad	0:cdf462088d13	1802	#else
markrad	0:cdf462088d13	1803	for( i = 0; ciphersuites[i] != 0; i++ )
markrad	0:cdf462088d13	1804	{
markrad	0:cdf462088d13	1805	for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
markrad	0:cdf462088d13	1806	#endif
markrad	0:cdf462088d13	1807	{
markrad	0:cdf462088d13	1808	if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) \|\|
markrad	0:cdf462088d13	1809	p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
markrad	0:cdf462088d13	1810	continue;
markrad	0:cdf462088d13	1811
markrad	0:cdf462088d13	1812	got_common_suite = 1;
markrad	0:cdf462088d13	1813
markrad	0:cdf462088d13	1814	if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
markrad	0:cdf462088d13	1815	&ciphersuite_info ) ) != 0 )
markrad	0:cdf462088d13	1816	return( ret );
markrad	0:cdf462088d13	1817
markrad	0:cdf462088d13	1818	if( ciphersuite_info != NULL )
markrad	0:cdf462088d13	1819	goto have_ciphersuite;
markrad	0:cdf462088d13	1820	}
markrad	0:cdf462088d13	1821	}
markrad	0:cdf462088d13	1822
markrad	0:cdf462088d13	1823	if( got_common_suite )
markrad	0:cdf462088d13	1824	{
markrad	0:cdf462088d13	1825	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
markrad	0:cdf462088d13	1826	"but none of them usable" ) );
markrad	0:cdf462088d13	1827	mbedtls_ssl_send_fatal_handshake_failure( ssl );
markrad	0:cdf462088d13	1828	return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
markrad	0:cdf462088d13	1829	}
markrad	0:cdf462088d13	1830	else
markrad	0:cdf462088d13	1831	{
markrad	0:cdf462088d13	1832	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
markrad	0:cdf462088d13	1833	mbedtls_ssl_send_fatal_handshake_failure( ssl );
markrad	0:cdf462088d13	1834	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
markrad	0:cdf462088d13	1835	}
markrad	0:cdf462088d13	1836
markrad	0:cdf462088d13	1837	have_ciphersuite:
markrad	0:cdf462088d13	1838	MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
markrad	0:cdf462088d13	1839
markrad	0:cdf462088d13	1840	ssl->session_negotiate->ciphersuite = ciphersuites[i];
markrad	0:cdf462088d13	1841	ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
markrad	0:cdf462088d13	1842
markrad	0:cdf462088d13	1843	ssl->state++;
markrad	0:cdf462088d13	1844
markrad	0:cdf462088d13	1845	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	1846	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	1847	mbedtls_ssl_recv_flight_completed( ssl );
markrad	0:cdf462088d13	1848	#endif
markrad	0:cdf462088d13	1849
markrad	0:cdf462088d13	1850	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
markrad	0:cdf462088d13	1851
markrad	0:cdf462088d13	1852	return( 0 );
markrad	0:cdf462088d13	1853	}
markrad	0:cdf462088d13	1854
markrad	0:cdf462088d13	1855	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
markrad	0:cdf462088d13	1856	static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	1857	unsigned char *buf,
markrad	0:cdf462088d13	1858	size_t *olen )
markrad	0:cdf462088d13	1859	{
markrad	0:cdf462088d13	1860	unsigned char *p = buf;
markrad	0:cdf462088d13	1861
markrad	0:cdf462088d13	1862	if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
markrad	0:cdf462088d13	1863	{
markrad	0:cdf462088d13	1864	*olen = 0;
markrad	0:cdf462088d13	1865	return;
markrad	0:cdf462088d13	1866	}
markrad	0:cdf462088d13	1867
markrad	0:cdf462088d13	1868	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
markrad	0:cdf462088d13	1869
markrad	0:cdf462088d13	1870	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
markrad	0:cdf462088d13	1871	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
markrad	0:cdf462088d13	1872
markrad	0:cdf462088d13	1873	*p++ = 0x00;
markrad	0:cdf462088d13	1874	*p++ = 0x00;
markrad	0:cdf462088d13	1875
markrad	0:cdf462088d13	1876	*olen = 4;
markrad	0:cdf462088d13	1877	}
markrad	0:cdf462088d13	1878	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
markrad	0:cdf462088d13	1879
markrad	0:cdf462088d13	1880	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	1881	static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	1882	unsigned char *buf,
markrad	0:cdf462088d13	1883	size_t *olen )
markrad	0:cdf462088d13	1884	{
markrad	0:cdf462088d13	1885	unsigned char *p = buf;
markrad	0:cdf462088d13	1886	const mbedtls_ssl_ciphersuite_t *suite = NULL;
markrad	0:cdf462088d13	1887	const mbedtls_cipher_info_t *cipher = NULL;
markrad	0:cdf462088d13	1888
markrad	0:cdf462088d13	1889	if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
markrad	0:cdf462088d13	1890	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	1891	{
markrad	0:cdf462088d13	1892	*olen = 0;
markrad	0:cdf462088d13	1893	return;
markrad	0:cdf462088d13	1894	}
markrad	0:cdf462088d13	1895
markrad	0:cdf462088d13	1896	/*
markrad	0:cdf462088d13	1897	* RFC 7366: "If a server receives an encrypt-then-MAC request extension
markrad	0:cdf462088d13	1898	* from a client and then selects a stream or Authenticated Encryption
markrad	0:cdf462088d13	1899	* with Associated Data (AEAD) ciphersuite, it MUST NOT send an
markrad	0:cdf462088d13	1900	* encrypt-then-MAC response extension back to the client."
markrad	0:cdf462088d13	1901	*/
markrad	0:cdf462088d13	1902	if( ( suite = mbedtls_ssl_ciphersuite_from_id(
markrad	0:cdf462088d13	1903	ssl->session_negotiate->ciphersuite ) ) == NULL \|\|
markrad	0:cdf462088d13	1904	( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL \|\|
markrad	0:cdf462088d13	1905	cipher->mode != MBEDTLS_MODE_CBC )
markrad	0:cdf462088d13	1906	{
markrad	0:cdf462088d13	1907	*olen = 0;
markrad	0:cdf462088d13	1908	return;
markrad	0:cdf462088d13	1909	}
markrad	0:cdf462088d13	1910
markrad	0:cdf462088d13	1911	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
markrad	0:cdf462088d13	1912
markrad	0:cdf462088d13	1913	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
markrad	0:cdf462088d13	1914	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
markrad	0:cdf462088d13	1915
markrad	0:cdf462088d13	1916	*p++ = 0x00;
markrad	0:cdf462088d13	1917	*p++ = 0x00;
markrad	0:cdf462088d13	1918
markrad	0:cdf462088d13	1919	*olen = 4;
markrad	0:cdf462088d13	1920	}
markrad	0:cdf462088d13	1921	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
markrad	0:cdf462088d13	1922
markrad	0:cdf462088d13	1923	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad	0:cdf462088d13	1924	static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	1925	unsigned char *buf,
markrad	0:cdf462088d13	1926	size_t *olen )
markrad	0:cdf462088d13	1927	{
markrad	0:cdf462088d13	1928	unsigned char *p = buf;
markrad	0:cdf462088d13	1929
markrad	0:cdf462088d13	1930	if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED \|\|
markrad	0:cdf462088d13	1931	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	1932	{
markrad	0:cdf462088d13	1933	*olen = 0;
markrad	0:cdf462088d13	1934	return;
markrad	0:cdf462088d13	1935	}
markrad	0:cdf462088d13	1936
markrad	0:cdf462088d13	1937	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
markrad	0:cdf462088d13	1938	"extension" ) );
markrad	0:cdf462088d13	1939
markrad	0:cdf462088d13	1940	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
markrad	0:cdf462088d13	1941	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
markrad	0:cdf462088d13	1942
markrad	0:cdf462088d13	1943	*p++ = 0x00;
markrad	0:cdf462088d13	1944	*p++ = 0x00;
markrad	0:cdf462088d13	1945
markrad	0:cdf462088d13	1946	*olen = 4;
markrad	0:cdf462088d13	1947	}
markrad	0:cdf462088d13	1948	#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
markrad	0:cdf462088d13	1949
markrad	0:cdf462088d13	1950	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	1951	static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	1952	unsigned char *buf,
markrad	0:cdf462088d13	1953	size_t *olen )
markrad	0:cdf462088d13	1954	{
markrad	0:cdf462088d13	1955	unsigned char *p = buf;
markrad	0:cdf462088d13	1956
markrad	0:cdf462088d13	1957	if( ssl->handshake->new_session_ticket == 0 )
markrad	0:cdf462088d13	1958	{
markrad	0:cdf462088d13	1959	*olen = 0;
markrad	0:cdf462088d13	1960	return;
markrad	0:cdf462088d13	1961	}
markrad	0:cdf462088d13	1962
markrad	0:cdf462088d13	1963	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
markrad	0:cdf462088d13	1964
markrad	0:cdf462088d13	1965	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
markrad	0:cdf462088d13	1966	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
markrad	0:cdf462088d13	1967
markrad	0:cdf462088d13	1968	*p++ = 0x00;
markrad	0:cdf462088d13	1969	*p++ = 0x00;
markrad	0:cdf462088d13	1970
markrad	0:cdf462088d13	1971	*olen = 4;
markrad	0:cdf462088d13	1972	}
markrad	0:cdf462088d13	1973	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad	0:cdf462088d13	1974
markrad	0:cdf462088d13	1975	static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	1976	unsigned char *buf,
markrad	0:cdf462088d13	1977	size_t *olen )
markrad	0:cdf462088d13	1978	{
markrad	0:cdf462088d13	1979	unsigned char *p = buf;
markrad	0:cdf462088d13	1980
markrad	0:cdf462088d13	1981	if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
markrad	0:cdf462088d13	1982	{
markrad	0:cdf462088d13	1983	*olen = 0;
markrad	0:cdf462088d13	1984	return;
markrad	0:cdf462088d13	1985	}
markrad	0:cdf462088d13	1986
markrad	0:cdf462088d13	1987	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
markrad	0:cdf462088d13	1988
markrad	0:cdf462088d13	1989	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
markrad	0:cdf462088d13	1990	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
markrad	0:cdf462088d13	1991
markrad	0:cdf462088d13	1992	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	1993	if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
markrad	0:cdf462088d13	1994	{
markrad	0:cdf462088d13	1995	*p++ = 0x00;
markrad	0:cdf462088d13	1996	p++ = ( ssl->verify_data_len 2 + 1 ) & 0xFF;
markrad	0:cdf462088d13	1997	p++ = ssl->verify_data_len 2 & 0xFF;
markrad	0:cdf462088d13	1998
markrad	0:cdf462088d13	1999	memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
markrad	0:cdf462088d13	2000	p += ssl->verify_data_len;
markrad	0:cdf462088d13	2001	memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
markrad	0:cdf462088d13	2002	p += ssl->verify_data_len;
markrad	0:cdf462088d13	2003	}
markrad	0:cdf462088d13	2004	else
markrad	0:cdf462088d13	2005	#endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad	0:cdf462088d13	2006	{
markrad	0:cdf462088d13	2007	*p++ = 0x00;
markrad	0:cdf462088d13	2008	*p++ = 0x01;
markrad	0:cdf462088d13	2009	*p++ = 0x00;
markrad	0:cdf462088d13	2010	}
markrad	0:cdf462088d13	2011
markrad	0:cdf462088d13	2012	*olen = p - buf;
markrad	0:cdf462088d13	2013	}
markrad	0:cdf462088d13	2014
markrad	0:cdf462088d13	2015	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad	0:cdf462088d13	2016	static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	2017	unsigned char *buf,
markrad	0:cdf462088d13	2018	size_t *olen )
markrad	0:cdf462088d13	2019	{
markrad	0:cdf462088d13	2020	unsigned char *p = buf;
markrad	0:cdf462088d13	2021
markrad	0:cdf462088d13	2022	if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
markrad	0:cdf462088d13	2023	{
markrad	0:cdf462088d13	2024	*olen = 0;
markrad	0:cdf462088d13	2025	return;
markrad	0:cdf462088d13	2026	}
markrad	0:cdf462088d13	2027
markrad	0:cdf462088d13	2028	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
markrad	0:cdf462088d13	2029
markrad	0:cdf462088d13	2030	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
markrad	0:cdf462088d13	2031	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
markrad	0:cdf462088d13	2032
markrad	0:cdf462088d13	2033	*p++ = 0x00;
markrad	0:cdf462088d13	2034	*p++ = 1;
markrad	0:cdf462088d13	2035
markrad	0:cdf462088d13	2036	*p++ = ssl->session_negotiate->mfl_code;
markrad	0:cdf462088d13	2037
markrad	0:cdf462088d13	2038	*olen = 5;
markrad	0:cdf462088d13	2039	}
markrad	0:cdf462088d13	2040	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad	0:cdf462088d13	2041
markrad	0:cdf462088d13	2042	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
markrad	0:cdf462088d13	2043	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	2044	static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	2045	unsigned char *buf,
markrad	0:cdf462088d13	2046	size_t *olen )
markrad	0:cdf462088d13	2047	{
markrad	0:cdf462088d13	2048	unsigned char *p = buf;
markrad	0:cdf462088d13	2049	((void) ssl);
markrad	0:cdf462088d13	2050
markrad	0:cdf462088d13	2051	if( ( ssl->handshake->cli_exts &
markrad	0:cdf462088d13	2052	MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
markrad	0:cdf462088d13	2053	{
markrad	0:cdf462088d13	2054	*olen = 0;
markrad	0:cdf462088d13	2055	return;
markrad	0:cdf462088d13	2056	}
markrad	0:cdf462088d13	2057
markrad	0:cdf462088d13	2058	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
markrad	0:cdf462088d13	2059
markrad	0:cdf462088d13	2060	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
markrad	0:cdf462088d13	2061	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
markrad	0:cdf462088d13	2062
markrad	0:cdf462088d13	2063	*p++ = 0x00;
markrad	0:cdf462088d13	2064	*p++ = 2;
markrad	0:cdf462088d13	2065
markrad	0:cdf462088d13	2066	*p++ = 1;
markrad	0:cdf462088d13	2067	*p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
markrad	0:cdf462088d13	2068
markrad	0:cdf462088d13	2069	*olen = 6;
markrad	0:cdf462088d13	2070	}
markrad	0:cdf462088d13	2071	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C \|\| MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	2072
markrad	0:cdf462088d13	2073	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	2074	static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	2075	unsigned char *buf,
markrad	0:cdf462088d13	2076	size_t *olen )
markrad	0:cdf462088d13	2077	{
markrad	0:cdf462088d13	2078	int ret;
markrad	0:cdf462088d13	2079	unsigned char *p = buf;
markrad	0:cdf462088d13	2080	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
markrad	0:cdf462088d13	2081	size_t kkpp_len;
markrad	0:cdf462088d13	2082
markrad	0:cdf462088d13	2083	*olen = 0;
markrad	0:cdf462088d13	2084
markrad	0:cdf462088d13	2085	/* Skip costly computation if not needed */
markrad	0:cdf462088d13	2086	if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
markrad	0:cdf462088d13	2087	MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	2088	return;
markrad	0:cdf462088d13	2089
markrad	0:cdf462088d13	2090	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
markrad	0:cdf462088d13	2091
markrad	0:cdf462088d13	2092	if( end - p < 4 )
markrad	0:cdf462088d13	2093	{
markrad	0:cdf462088d13	2094	MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
markrad	0:cdf462088d13	2095	return;
markrad	0:cdf462088d13	2096	}
markrad	0:cdf462088d13	2097
markrad	0:cdf462088d13	2098	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
markrad	0:cdf462088d13	2099	*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
markrad	0:cdf462088d13	2100
markrad	0:cdf462088d13	2101	ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
markrad	0:cdf462088d13	2102	p + 2, end - p - 2, &kkpp_len,
markrad	0:cdf462088d13	2103	ssl->conf->f_rng, ssl->conf->p_rng );
markrad	0:cdf462088d13	2104	if( ret != 0 )
markrad	0:cdf462088d13	2105	{
markrad	0:cdf462088d13	2106	MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
markrad	0:cdf462088d13	2107	return;
markrad	0:cdf462088d13	2108	}
markrad	0:cdf462088d13	2109
markrad	0:cdf462088d13	2110	*p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
markrad	0:cdf462088d13	2111	*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
markrad	0:cdf462088d13	2112
markrad	0:cdf462088d13	2113	*olen = kkpp_len + 4;
markrad	0:cdf462088d13	2114	}
markrad	0:cdf462088d13	2115	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	2116
markrad	0:cdf462088d13	2117	#if defined(MBEDTLS_SSL_ALPN )
markrad	0:cdf462088d13	2118	static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	2119	unsigned char buf, size_t olen )
markrad	0:cdf462088d13	2120	{
markrad	0:cdf462088d13	2121	if( ssl->alpn_chosen == NULL )
markrad	0:cdf462088d13	2122	{
markrad	0:cdf462088d13	2123	*olen = 0;
markrad	0:cdf462088d13	2124	return;
markrad	0:cdf462088d13	2125	}
markrad	0:cdf462088d13	2126
markrad	0:cdf462088d13	2127	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
markrad	0:cdf462088d13	2128
markrad	0:cdf462088d13	2129	/*
markrad	0:cdf462088d13	2130	* 0 . 1 ext identifier
markrad	0:cdf462088d13	2131	* 2 . 3 ext length
markrad	0:cdf462088d13	2132	* 4 . 5 protocol list length
markrad	0:cdf462088d13	2133	* 6 . 6 protocol name length
markrad	0:cdf462088d13	2134	* 7 . 7+n protocol name
markrad	0:cdf462088d13	2135	*/
markrad	0:cdf462088d13	2136	buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
markrad	0:cdf462088d13	2137	buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
markrad	0:cdf462088d13	2138
markrad	0:cdf462088d13	2139	*olen = 7 + strlen( ssl->alpn_chosen );
markrad	0:cdf462088d13	2140
markrad	0:cdf462088d13	2141	buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
markrad	0:cdf462088d13	2142	buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
markrad	0:cdf462088d13	2143
markrad	0:cdf462088d13	2144	buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
markrad	0:cdf462088d13	2145	buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
markrad	0:cdf462088d13	2146
markrad	0:cdf462088d13	2147	buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
markrad	0:cdf462088d13	2148
markrad	0:cdf462088d13	2149	memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
markrad	0:cdf462088d13	2150	}
markrad	0:cdf462088d13	2151	#endif /* MBEDTLS_ECDH_C \|\| MBEDTLS_ECDSA_C */
markrad	0:cdf462088d13	2152
markrad	0:cdf462088d13	2153	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
markrad	0:cdf462088d13	2154	static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2155	{
markrad	0:cdf462088d13	2156	int ret;
markrad	0:cdf462088d13	2157	unsigned char *p = ssl->out_msg + 4;
markrad	0:cdf462088d13	2158	unsigned char *cookie_len_byte;
markrad	0:cdf462088d13	2159
markrad	0:cdf462088d13	2160	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
markrad	0:cdf462088d13	2161
markrad	0:cdf462088d13	2162	/*
markrad	0:cdf462088d13	2163	* struct {
markrad	0:cdf462088d13	2164	* ProtocolVersion server_version;
markrad	0:cdf462088d13	2165	* opaque cookie<0..2^8-1>;
markrad	0:cdf462088d13	2166	* } HelloVerifyRequest;
markrad	0:cdf462088d13	2167	*/
markrad	0:cdf462088d13	2168
markrad	0:cdf462088d13	2169	/* The RFC is not clear on this point, but sending the actual negotiated
markrad	0:cdf462088d13	2170	* version looks like the most interoperable thing to do. */
markrad	0:cdf462088d13	2171	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
markrad	0:cdf462088d13	2172	ssl->conf->transport, p );
markrad	0:cdf462088d13	2173	MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
markrad	0:cdf462088d13	2174	p += 2;
markrad	0:cdf462088d13	2175
markrad	0:cdf462088d13	2176	/* If we get here, f_cookie_check is not null */
markrad	0:cdf462088d13	2177	if( ssl->conf->f_cookie_write == NULL )
markrad	0:cdf462088d13	2178	{
markrad	0:cdf462088d13	2179	MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
markrad	0:cdf462088d13	2180	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	2181	}
markrad	0:cdf462088d13	2182
markrad	0:cdf462088d13	2183	/* Skip length byte until we know the length */
markrad	0:cdf462088d13	2184	cookie_len_byte = p++;
markrad	0:cdf462088d13	2185
markrad	0:cdf462088d13	2186	if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
markrad	0:cdf462088d13	2187	&p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
markrad	0:cdf462088d13	2188	ssl->cli_id, ssl->cli_id_len ) ) != 0 )
markrad	0:cdf462088d13	2189	{
markrad	0:cdf462088d13	2190	MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
markrad	0:cdf462088d13	2191	return( ret );
markrad	0:cdf462088d13	2192	}
markrad	0:cdf462088d13	2193
markrad	0:cdf462088d13	2194	*cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
markrad	0:cdf462088d13	2195
markrad	0:cdf462088d13	2196	MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
markrad	0:cdf462088d13	2197
markrad	0:cdf462088d13	2198	ssl->out_msglen = p - ssl->out_msg;
markrad	0:cdf462088d13	2199	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	2200	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
markrad	0:cdf462088d13	2201
markrad	0:cdf462088d13	2202	ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
markrad	0:cdf462088d13	2203
markrad	0:cdf462088d13	2204	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	2205	{
markrad	0:cdf462088d13	2206	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	2207	return( ret );
markrad	0:cdf462088d13	2208	}
markrad	0:cdf462088d13	2209
markrad	0:cdf462088d13	2210	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
markrad	0:cdf462088d13	2211
markrad	0:cdf462088d13	2212	return( 0 );
markrad	0:cdf462088d13	2213	}
markrad	0:cdf462088d13	2214	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
markrad	0:cdf462088d13	2215
markrad	0:cdf462088d13	2216	static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2217	{
markrad	0:cdf462088d13	2218	#if defined(MBEDTLS_HAVE_TIME)
markrad	0:cdf462088d13	2219	mbedtls_time_t t;
markrad	0:cdf462088d13	2220	#endif
markrad	0:cdf462088d13	2221	int ret;
markrad	0:cdf462088d13	2222	size_t olen, ext_len = 0, n;
markrad	0:cdf462088d13	2223	unsigned char buf, p;
markrad	0:cdf462088d13	2224
markrad	0:cdf462088d13	2225	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
markrad	0:cdf462088d13	2226
markrad	0:cdf462088d13	2227	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
markrad	0:cdf462088d13	2228	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	2229	ssl->handshake->verify_cookie_len != 0 )
markrad	0:cdf462088d13	2230	{
markrad	0:cdf462088d13	2231	MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
markrad	0:cdf462088d13	2232	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
markrad	0:cdf462088d13	2233
markrad	0:cdf462088d13	2234	return( ssl_write_hello_verify_request( ssl ) );
markrad	0:cdf462088d13	2235	}
markrad	0:cdf462088d13	2236	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
markrad	0:cdf462088d13	2237
markrad	0:cdf462088d13	2238	if( ssl->conf->f_rng == NULL )
markrad	0:cdf462088d13	2239	{
markrad	0:cdf462088d13	2240	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
markrad	0:cdf462088d13	2241	return( MBEDTLS_ERR_SSL_NO_RNG );
markrad	0:cdf462088d13	2242	}
markrad	0:cdf462088d13	2243
markrad	0:cdf462088d13	2244	/*
markrad	0:cdf462088d13	2245	* 0 . 0 handshake type
markrad	0:cdf462088d13	2246	* 1 . 3 handshake length
markrad	0:cdf462088d13	2247	* 4 . 5 protocol version
markrad	0:cdf462088d13	2248	* 6 . 9 UNIX time()
markrad	0:cdf462088d13	2249	* 10 . 37 random bytes
markrad	0:cdf462088d13	2250	*/
markrad	0:cdf462088d13	2251	buf = ssl->out_msg;
markrad	0:cdf462088d13	2252	p = buf + 4;
markrad	0:cdf462088d13	2253
markrad	0:cdf462088d13	2254	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
markrad	0:cdf462088d13	2255	ssl->conf->transport, p );
markrad	0:cdf462088d13	2256	p += 2;
markrad	0:cdf462088d13	2257
markrad	0:cdf462088d13	2258	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
markrad	0:cdf462088d13	2259	buf[4], buf[5] ) );
markrad	0:cdf462088d13	2260
markrad	0:cdf462088d13	2261	#if defined(MBEDTLS_HAVE_TIME)
markrad	0:cdf462088d13	2262	t = mbedtls_time( NULL );
markrad	0:cdf462088d13	2263	*p++ = (unsigned char)( t >> 24 );
markrad	0:cdf462088d13	2264	*p++ = (unsigned char)( t >> 16 );
markrad	0:cdf462088d13	2265	*p++ = (unsigned char)( t >> 8 );
markrad	0:cdf462088d13	2266	*p++ = (unsigned char)( t );
markrad	0:cdf462088d13	2267
markrad	0:cdf462088d13	2268	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
markrad	0:cdf462088d13	2269	#else
markrad	0:cdf462088d13	2270	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
markrad	0:cdf462088d13	2271	return( ret );
markrad	0:cdf462088d13	2272
markrad	0:cdf462088d13	2273	p += 4;
markrad	0:cdf462088d13	2274	#endif /* MBEDTLS_HAVE_TIME */
markrad	0:cdf462088d13	2275
markrad	0:cdf462088d13	2276	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
markrad	0:cdf462088d13	2277	return( ret );
markrad	0:cdf462088d13	2278
markrad	0:cdf462088d13	2279	p += 28;
markrad	0:cdf462088d13	2280
markrad	0:cdf462088d13	2281	memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
markrad	0:cdf462088d13	2282
markrad	0:cdf462088d13	2283	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
markrad	0:cdf462088d13	2284
markrad	0:cdf462088d13	2285	/*
markrad	0:cdf462088d13	2286	* Resume is 0 by default, see ssl_handshake_init().
markrad	0:cdf462088d13	2287	* It may be already set to 1 by ssl_parse_session_ticket_ext().
markrad	0:cdf462088d13	2288	* If not, try looking up session ID in our cache.
markrad	0:cdf462088d13	2289	*/
markrad	0:cdf462088d13	2290	if( ssl->handshake->resume == 0 &&
markrad	0:cdf462088d13	2291	#if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad	0:cdf462088d13	2292	ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
markrad	0:cdf462088d13	2293	#endif
markrad	0:cdf462088d13	2294	ssl->session_negotiate->id_len != 0 &&
markrad	0:cdf462088d13	2295	ssl->conf->f_get_cache != NULL &&
markrad	0:cdf462088d13	2296	ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
markrad	0:cdf462088d13	2297	{
markrad	0:cdf462088d13	2298	MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
markrad	0:cdf462088d13	2299	ssl->handshake->resume = 1;
markrad	0:cdf462088d13	2300	}
markrad	0:cdf462088d13	2301
markrad	0:cdf462088d13	2302	if( ssl->handshake->resume == 0 )
markrad	0:cdf462088d13	2303	{
markrad	0:cdf462088d13	2304	/*
markrad	0:cdf462088d13	2305	* New session, create a new session id,
markrad	0:cdf462088d13	2306	* unless we're about to issue a session ticket
markrad	0:cdf462088d13	2307	*/
markrad	0:cdf462088d13	2308	ssl->state++;
markrad	0:cdf462088d13	2309
markrad	0:cdf462088d13	2310	#if defined(MBEDTLS_HAVE_TIME)
markrad	0:cdf462088d13	2311	ssl->session_negotiate->start = mbedtls_time( NULL );
markrad	0:cdf462088d13	2312	#endif
markrad	0:cdf462088d13	2313
markrad	0:cdf462088d13	2314	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	2315	if( ssl->handshake->new_session_ticket != 0 )
markrad	0:cdf462088d13	2316	{
markrad	0:cdf462088d13	2317	ssl->session_negotiate->id_len = n = 0;
markrad	0:cdf462088d13	2318	memset( ssl->session_negotiate->id, 0, 32 );
markrad	0:cdf462088d13	2319	}
markrad	0:cdf462088d13	2320	else
markrad	0:cdf462088d13	2321	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad	0:cdf462088d13	2322	{
markrad	0:cdf462088d13	2323	ssl->session_negotiate->id_len = n = 32;
markrad	0:cdf462088d13	2324	if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
markrad	0:cdf462088d13	2325	n ) ) != 0 )
markrad	0:cdf462088d13	2326	return( ret );
markrad	0:cdf462088d13	2327	}
markrad	0:cdf462088d13	2328	}
markrad	0:cdf462088d13	2329	else
markrad	0:cdf462088d13	2330	{
markrad	0:cdf462088d13	2331	/*
markrad	0:cdf462088d13	2332	* Resuming a session
markrad	0:cdf462088d13	2333	*/
markrad	0:cdf462088d13	2334	n = ssl->session_negotiate->id_len;
markrad	0:cdf462088d13	2335	ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
markrad	0:cdf462088d13	2336
markrad	0:cdf462088d13	2337	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
markrad	0:cdf462088d13	2338	{
markrad	0:cdf462088d13	2339	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
markrad	0:cdf462088d13	2340	return( ret );
markrad	0:cdf462088d13	2341	}
markrad	0:cdf462088d13	2342	}
markrad	0:cdf462088d13	2343
markrad	0:cdf462088d13	2344	/*
markrad	0:cdf462088d13	2345	* 38 . 38 session id length
markrad	0:cdf462088d13	2346	* 39 . 38+n session id
markrad	0:cdf462088d13	2347	* 39+n . 40+n chosen ciphersuite
markrad	0:cdf462088d13	2348	* 41+n . 41+n chosen compression alg.
markrad	0:cdf462088d13	2349	* 42+n . 43+n extensions length
markrad	0:cdf462088d13	2350	* 44+n . 43+n+m extensions
markrad	0:cdf462088d13	2351	*/
markrad	0:cdf462088d13	2352	*p++ = (unsigned char) ssl->session_negotiate->id_len;
markrad	0:cdf462088d13	2353	memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
markrad	0:cdf462088d13	2354	p += ssl->session_negotiate->id_len;
markrad	0:cdf462088d13	2355
markrad	0:cdf462088d13	2356	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
markrad	0:cdf462088d13	2357	MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
markrad	0:cdf462088d13	2358	MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
markrad	0:cdf462088d13	2359	ssl->handshake->resume ? "a" : "no" ) );
markrad	0:cdf462088d13	2360
markrad	0:cdf462088d13	2361	*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
markrad	0:cdf462088d13	2362	*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
markrad	0:cdf462088d13	2363	*p++ = (unsigned char)( ssl->session_negotiate->compression );
markrad	0:cdf462088d13	2364
markrad	0:cdf462088d13	2365	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
markrad	0:cdf462088d13	2366	mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
markrad	0:cdf462088d13	2367	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
markrad	0:cdf462088d13	2368	ssl->session_negotiate->compression ) );
markrad	0:cdf462088d13	2369
markrad	0:cdf462088d13	2370	/* Do not write the extensions if the protocol is SSLv3 */
markrad	0:cdf462088d13	2371	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	2372	if( ( ssl->major_ver != 3 ) \|\| ( ssl->minor_ver != 0 ) )
markrad	0:cdf462088d13	2373	{
markrad	0:cdf462088d13	2374	#endif
markrad	0:cdf462088d13	2375
markrad	0:cdf462088d13	2376	/*
markrad	0:cdf462088d13	2377	* First write extensions, then the total length
markrad	0:cdf462088d13	2378	*/
markrad	0:cdf462088d13	2379	ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2380	ext_len += olen;
markrad	0:cdf462088d13	2381
markrad	0:cdf462088d13	2382	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad	0:cdf462088d13	2383	ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2384	ext_len += olen;
markrad	0:cdf462088d13	2385	#endif
markrad	0:cdf462088d13	2386
markrad	0:cdf462088d13	2387	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
markrad	0:cdf462088d13	2388	ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2389	ext_len += olen;
markrad	0:cdf462088d13	2390	#endif
markrad	0:cdf462088d13	2391
markrad	0:cdf462088d13	2392	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad	0:cdf462088d13	2393	ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2394	ext_len += olen;
markrad	0:cdf462088d13	2395	#endif
markrad	0:cdf462088d13	2396
markrad	0:cdf462088d13	2397	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad	0:cdf462088d13	2398	ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2399	ext_len += olen;
markrad	0:cdf462088d13	2400	#endif
markrad	0:cdf462088d13	2401
markrad	0:cdf462088d13	2402	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	2403	ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2404	ext_len += olen;
markrad	0:cdf462088d13	2405	#endif
markrad	0:cdf462088d13	2406
markrad	0:cdf462088d13	2407	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C) \|\| \
markrad	0:cdf462088d13	2408	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	2409	ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2410	ext_len += olen;
markrad	0:cdf462088d13	2411	#endif
markrad	0:cdf462088d13	2412
markrad	0:cdf462088d13	2413	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	2414	ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2415	ext_len += olen;
markrad	0:cdf462088d13	2416	#endif
markrad	0:cdf462088d13	2417
markrad	0:cdf462088d13	2418	#if defined(MBEDTLS_SSL_ALPN)
markrad	0:cdf462088d13	2419	ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
markrad	0:cdf462088d13	2420	ext_len += olen;
markrad	0:cdf462088d13	2421	#endif
markrad	0:cdf462088d13	2422
markrad	0:cdf462088d13	2423	MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
markrad	0:cdf462088d13	2424
markrad	0:cdf462088d13	2425	if( ext_len > 0 )
markrad	0:cdf462088d13	2426	{
markrad	0:cdf462088d13	2427	*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
markrad	0:cdf462088d13	2428	*p++ = (unsigned char)( ( ext_len ) & 0xFF );
markrad	0:cdf462088d13	2429	p += ext_len;
markrad	0:cdf462088d13	2430	}
markrad	0:cdf462088d13	2431
markrad	0:cdf462088d13	2432	#if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad	0:cdf462088d13	2433	}
markrad	0:cdf462088d13	2434	#endif
markrad	0:cdf462088d13	2435
markrad	0:cdf462088d13	2436	ssl->out_msglen = p - buf;
markrad	0:cdf462088d13	2437	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	2438	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
markrad	0:cdf462088d13	2439
markrad	0:cdf462088d13	2440	ret = mbedtls_ssl_write_record( ssl );
markrad	0:cdf462088d13	2441
markrad	0:cdf462088d13	2442	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
markrad	0:cdf462088d13	2443
markrad	0:cdf462088d13	2444	return( ret );
markrad	0:cdf462088d13	2445	}
markrad	0:cdf462088d13	2446
markrad	0:cdf462088d13	2447	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
markrad	0:cdf462088d13	2448	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
markrad	0:cdf462088d13	2449	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
markrad	0:cdf462088d13	2450	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
markrad	0:cdf462088d13	2451	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
markrad	0:cdf462088d13	2452	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
markrad	0:cdf462088d13	2453	static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2454	{
markrad	0:cdf462088d13	2455	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	2456
markrad	0:cdf462088d13	2457	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
markrad	0:cdf462088d13	2458
markrad	0:cdf462088d13	2459	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	2460	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
markrad	0:cdf462088d13	2461	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	2462	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
markrad	0:cdf462088d13	2463	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	2464	{
markrad	0:cdf462088d13	2465	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
markrad	0:cdf462088d13	2466	ssl->state++;
markrad	0:cdf462088d13	2467	return( 0 );
markrad	0:cdf462088d13	2468	}
markrad	0:cdf462088d13	2469
markrad	0:cdf462088d13	2470	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	2471	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	2472	}
markrad	0:cdf462088d13	2473	#else
markrad	0:cdf462088d13	2474	static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2475	{
markrad	0:cdf462088d13	2476	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
markrad	0:cdf462088d13	2477	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	2478	size_t dn_size, total_dn_size; /* excluding length bytes */
markrad	0:cdf462088d13	2479	size_t ct_len, sa_len; /* including length bytes */
markrad	0:cdf462088d13	2480	unsigned char buf, p;
markrad	0:cdf462088d13	2481	const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
markrad	0:cdf462088d13	2482	const mbedtls_x509_crt *crt;
markrad	0:cdf462088d13	2483	int authmode;
markrad	0:cdf462088d13	2484
markrad	0:cdf462088d13	2485	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
markrad	0:cdf462088d13	2486
markrad	0:cdf462088d13	2487	ssl->state++;
markrad	0:cdf462088d13	2488
markrad	0:cdf462088d13	2489	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	2490	if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
markrad	0:cdf462088d13	2491	authmode = ssl->handshake->sni_authmode;
markrad	0:cdf462088d13	2492	else
markrad	0:cdf462088d13	2493	#endif
markrad	0:cdf462088d13	2494	authmode = ssl->conf->authmode;
markrad	0:cdf462088d13	2495
markrad	0:cdf462088d13	2496	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	2497	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
markrad	0:cdf462088d13	2498	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	2499	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
markrad	0:cdf462088d13	2500	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE \|\|
markrad	0:cdf462088d13	2501	authmode == MBEDTLS_SSL_VERIFY_NONE )
markrad	0:cdf462088d13	2502	{
markrad	0:cdf462088d13	2503	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
markrad	0:cdf462088d13	2504	return( 0 );
markrad	0:cdf462088d13	2505	}
markrad	0:cdf462088d13	2506
markrad	0:cdf462088d13	2507	/*
markrad	0:cdf462088d13	2508	* 0 . 0 handshake type
markrad	0:cdf462088d13	2509	* 1 . 3 handshake length
markrad	0:cdf462088d13	2510	* 4 . 4 cert type count
markrad	0:cdf462088d13	2511	* 5 .. m-1 cert types
markrad	0:cdf462088d13	2512	* m .. m+1 sig alg length (TLS 1.2 only)
markrad	0:cdf462088d13	2513	* m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
markrad	0:cdf462088d13	2514	* n .. n+1 length of all DNs
markrad	0:cdf462088d13	2515	* n+2 .. n+3 length of DN 1
markrad	0:cdf462088d13	2516	* n+4 .. ... Distinguished Name #1
markrad	0:cdf462088d13	2517	* ... .. ... length of DN 2, etc.
markrad	0:cdf462088d13	2518	*/
markrad	0:cdf462088d13	2519	buf = ssl->out_msg;
markrad	0:cdf462088d13	2520	p = buf + 4;
markrad	0:cdf462088d13	2521
markrad	0:cdf462088d13	2522	/*
markrad	0:cdf462088d13	2523	* Supported certificate types
markrad	0:cdf462088d13	2524	*
markrad	0:cdf462088d13	2525	* ClientCertificateType certificate_types<1..2^8-1>;
markrad	0:cdf462088d13	2526	* enum { (255) } ClientCertificateType;
markrad	0:cdf462088d13	2527	*/
markrad	0:cdf462088d13	2528	ct_len = 0;
markrad	0:cdf462088d13	2529
markrad	0:cdf462088d13	2530	#if defined(MBEDTLS_RSA_C)
markrad	0:cdf462088d13	2531	p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
markrad	0:cdf462088d13	2532	#endif
markrad	0:cdf462088d13	2533	#if defined(MBEDTLS_ECDSA_C)
markrad	0:cdf462088d13	2534	p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
markrad	0:cdf462088d13	2535	#endif
markrad	0:cdf462088d13	2536
markrad	0:cdf462088d13	2537	p[0] = (unsigned char) ct_len++;
markrad	0:cdf462088d13	2538	p += ct_len;
markrad	0:cdf462088d13	2539
markrad	0:cdf462088d13	2540	sa_len = 0;
markrad	0:cdf462088d13	2541	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	2542	/*
markrad	0:cdf462088d13	2543	* Add signature_algorithms for verify (TLS 1.2)
markrad	0:cdf462088d13	2544	*
markrad	0:cdf462088d13	2545	* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
markrad	0:cdf462088d13	2546	*
markrad	0:cdf462088d13	2547	* struct {
markrad	0:cdf462088d13	2548	* HashAlgorithm hash;
markrad	0:cdf462088d13	2549	* SignatureAlgorithm signature;
markrad	0:cdf462088d13	2550	* } SignatureAndHashAlgorithm;
markrad	0:cdf462088d13	2551	*
markrad	0:cdf462088d13	2552	* enum { (255) } HashAlgorithm;
markrad	0:cdf462088d13	2553	* enum { (255) } SignatureAlgorithm;
markrad	0:cdf462088d13	2554	*/
markrad	0:cdf462088d13	2555	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	2556	{
markrad	0:cdf462088d13	2557	const int *cur;
markrad	0:cdf462088d13	2558
markrad	0:cdf462088d13	2559	/*
markrad	0:cdf462088d13	2560	* Supported signature algorithms
markrad	0:cdf462088d13	2561	*/
markrad	0:cdf462088d13	2562	for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
markrad	0:cdf462088d13	2563	{
markrad	0:cdf462088d13	2564	unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
markrad	0:cdf462088d13	2565
markrad	0:cdf462088d13	2566	if( MBEDTLS_SSL_HASH_NONE == hash \|\| mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
markrad	0:cdf462088d13	2567	continue;
markrad	0:cdf462088d13	2568
markrad	0:cdf462088d13	2569	#if defined(MBEDTLS_RSA_C)
markrad	0:cdf462088d13	2570	p[2 + sa_len++] = hash;
markrad	0:cdf462088d13	2571	p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
markrad	0:cdf462088d13	2572	#endif
markrad	0:cdf462088d13	2573	#if defined(MBEDTLS_ECDSA_C)
markrad	0:cdf462088d13	2574	p[2 + sa_len++] = hash;
markrad	0:cdf462088d13	2575	p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
markrad	0:cdf462088d13	2576	#endif
markrad	0:cdf462088d13	2577	}
markrad	0:cdf462088d13	2578
markrad	0:cdf462088d13	2579	p[0] = (unsigned char)( sa_len >> 8 );
markrad	0:cdf462088d13	2580	p[1] = (unsigned char)( sa_len );
markrad	0:cdf462088d13	2581	sa_len += 2;
markrad	0:cdf462088d13	2582	p += sa_len;
markrad	0:cdf462088d13	2583	}
markrad	0:cdf462088d13	2584	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	2585
markrad	0:cdf462088d13	2586	/*
markrad	0:cdf462088d13	2587	* DistinguishedName certificate_authorities<0..2^16-1>;
markrad	0:cdf462088d13	2588	* opaque DistinguishedName<1..2^16-1>;
markrad	0:cdf462088d13	2589	*/
markrad	0:cdf462088d13	2590	p += 2;
markrad	0:cdf462088d13	2591	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad	0:cdf462088d13	2592	if( ssl->handshake->sni_ca_chain != NULL )
markrad	0:cdf462088d13	2593	crt = ssl->handshake->sni_ca_chain;
markrad	0:cdf462088d13	2594	else
markrad	0:cdf462088d13	2595	#endif
markrad	0:cdf462088d13	2596	crt = ssl->conf->ca_chain;
markrad	0:cdf462088d13	2597
markrad	0:cdf462088d13	2598	total_dn_size = 0;
markrad	0:cdf462088d13	2599	while( crt != NULL && crt->version != 0 )
markrad	0:cdf462088d13	2600	{
markrad	0:cdf462088d13	2601	dn_size = crt->subject_raw.len;
markrad	0:cdf462088d13	2602
markrad	0:cdf462088d13	2603	if( end < p \|\|
markrad	0:cdf462088d13	2604	(size_t)( end - p ) < dn_size \|\|
markrad	0:cdf462088d13	2605	(size_t)( end - p ) < 2 + dn_size )
markrad	0:cdf462088d13	2606	{
markrad	0:cdf462088d13	2607	MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
markrad	0:cdf462088d13	2608	break;
markrad	0:cdf462088d13	2609	}
markrad	0:cdf462088d13	2610
markrad	0:cdf462088d13	2611	*p++ = (unsigned char)( dn_size >> 8 );
markrad	0:cdf462088d13	2612	*p++ = (unsigned char)( dn_size );
markrad	0:cdf462088d13	2613	memcpy( p, crt->subject_raw.p, dn_size );
markrad	0:cdf462088d13	2614	p += dn_size;
markrad	0:cdf462088d13	2615
markrad	0:cdf462088d13	2616	MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
markrad	0:cdf462088d13	2617
markrad	0:cdf462088d13	2618	total_dn_size += 2 + dn_size;
markrad	0:cdf462088d13	2619	crt = crt->next;
markrad	0:cdf462088d13	2620	}
markrad	0:cdf462088d13	2621
markrad	0:cdf462088d13	2622	ssl->out_msglen = p - buf;
markrad	0:cdf462088d13	2623	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	2624	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
markrad	0:cdf462088d13	2625	ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
markrad	0:cdf462088d13	2626	ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
markrad	0:cdf462088d13	2627
markrad	0:cdf462088d13	2628	ret = mbedtls_ssl_write_record( ssl );
markrad	0:cdf462088d13	2629
markrad	0:cdf462088d13	2630	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
markrad	0:cdf462088d13	2631
markrad	0:cdf462088d13	2632	return( ret );
markrad	0:cdf462088d13	2633	}
markrad	0:cdf462088d13	2634	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
markrad	0:cdf462088d13	2635	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
markrad	0:cdf462088d13	2636	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
markrad	0:cdf462088d13	2637	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
markrad	0:cdf462088d13	2638	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
markrad	0:cdf462088d13	2639	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
markrad	0:cdf462088d13	2640
markrad	0:cdf462088d13	2641	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2642	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
markrad	0:cdf462088d13	2643	static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2644	{
markrad	0:cdf462088d13	2645	int ret;
markrad	0:cdf462088d13	2646
markrad	0:cdf462088d13	2647	if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
markrad	0:cdf462088d13	2648	{
markrad	0:cdf462088d13	2649	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
markrad	0:cdf462088d13	2650	return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
markrad	0:cdf462088d13	2651	}
markrad	0:cdf462088d13	2652
markrad	0:cdf462088d13	2653	if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
markrad	0:cdf462088d13	2654	mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
markrad	0:cdf462088d13	2655	MBEDTLS_ECDH_OURS ) ) != 0 )
markrad	0:cdf462088d13	2656	{
markrad	0:cdf462088d13	2657	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
markrad	0:cdf462088d13	2658	return( ret );
markrad	0:cdf462088d13	2659	}
markrad	0:cdf462088d13	2660
markrad	0:cdf462088d13	2661	return( 0 );
markrad	0:cdf462088d13	2662	}
markrad	0:cdf462088d13	2663	#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\|
markrad	0:cdf462088d13	2664	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
markrad	0:cdf462088d13	2665
markrad	0:cdf462088d13	2666	static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	2667	{
markrad	0:cdf462088d13	2668	int ret;
markrad	0:cdf462088d13	2669	size_t n = 0;
markrad	0:cdf462088d13	2670	const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
markrad	0:cdf462088d13	2671	ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	2672
markrad	0:cdf462088d13	2673	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2674	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) \|\| \
markrad	0:cdf462088d13	2675	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2676	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) \|\| \
markrad	0:cdf462088d13	2677	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2678	defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	2679	unsigned char *p = ssl->out_msg + 4;
markrad	0:cdf462088d13	2680	unsigned char *dig_signed = p;
markrad	0:cdf462088d13	2681	size_t dig_signed_len = 0, len;
markrad	0:cdf462088d13	2682	((void) dig_signed);
markrad	0:cdf462088d13	2683	((void) dig_signed_len);
markrad	0:cdf462088d13	2684	((void) len);
markrad	0:cdf462088d13	2685	#endif
markrad	0:cdf462088d13	2686
markrad	0:cdf462088d13	2687	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
markrad	0:cdf462088d13	2688
markrad	0:cdf462088d13	2689	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2690	defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) \|\| \
markrad	0:cdf462088d13	2691	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
markrad	0:cdf462088d13	2692	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA \|\|
markrad	0:cdf462088d13	2693	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	2694	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
markrad	0:cdf462088d13	2695	{
markrad	0:cdf462088d13	2696	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
markrad	0:cdf462088d13	2697	ssl->state++;
markrad	0:cdf462088d13	2698	return( 0 );
markrad	0:cdf462088d13	2699	}
markrad	0:cdf462088d13	2700	#endif
markrad	0:cdf462088d13	2701
markrad	0:cdf462088d13	2702	#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2703	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
markrad	0:cdf462088d13	2704	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
markrad	0:cdf462088d13	2705	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
markrad	0:cdf462088d13	2706	{
markrad	0:cdf462088d13	2707	ssl_get_ecdh_params_from_cert( ssl );
markrad	0:cdf462088d13	2708
markrad	0:cdf462088d13	2709	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
markrad	0:cdf462088d13	2710	ssl->state++;
markrad	0:cdf462088d13	2711	return( 0 );
markrad	0:cdf462088d13	2712	}
markrad	0:cdf462088d13	2713	#endif
markrad	0:cdf462088d13	2714
markrad	0:cdf462088d13	2715	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	2716	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	2717	{
markrad	0:cdf462088d13	2718	size_t jlen;
markrad	0:cdf462088d13	2719	const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
markrad	0:cdf462088d13	2720
markrad	0:cdf462088d13	2721	ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
markrad	0:cdf462088d13	2722	p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng );
markrad	0:cdf462088d13	2723	if( ret != 0 )
markrad	0:cdf462088d13	2724	{
markrad	0:cdf462088d13	2725	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
markrad	0:cdf462088d13	2726	return( ret );
markrad	0:cdf462088d13	2727	}
markrad	0:cdf462088d13	2728
markrad	0:cdf462088d13	2729	p += jlen;
markrad	0:cdf462088d13	2730	n += jlen;
markrad	0:cdf462088d13	2731	}
markrad	0:cdf462088d13	2732	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	2733
markrad	0:cdf462088d13	2734	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) \|\| \
markrad	0:cdf462088d13	2735	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
markrad	0:cdf462088d13	2736	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	2737	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
markrad	0:cdf462088d13	2738	{
markrad	0:cdf462088d13	2739	/* Note: we don't support identity hints, until someone asks
markrad	0:cdf462088d13	2740	* for them. */
markrad	0:cdf462088d13	2741	*(p++) = 0x00;
markrad	0:cdf462088d13	2742	*(p++) = 0x00;
markrad	0:cdf462088d13	2743
markrad	0:cdf462088d13	2744	n += 2;
markrad	0:cdf462088d13	2745	}
markrad	0:cdf462088d13	2746	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \|\|
markrad	0:cdf462088d13	2747	MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
markrad	0:cdf462088d13	2748
markrad	0:cdf462088d13	2749	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2750	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
markrad	0:cdf462088d13	2751	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
markrad	0:cdf462088d13	2752	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
markrad	0:cdf462088d13	2753	{
markrad	0:cdf462088d13	2754	if( ssl->conf->dhm_P.p == NULL \|\| ssl->conf->dhm_G.p == NULL )
markrad	0:cdf462088d13	2755	{
markrad	0:cdf462088d13	2756	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
markrad	0:cdf462088d13	2757	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	2758	}
markrad	0:cdf462088d13	2759
markrad	0:cdf462088d13	2760	/*
markrad	0:cdf462088d13	2761	* Ephemeral DH parameters:
markrad	0:cdf462088d13	2762	*
markrad	0:cdf462088d13	2763	* struct {
markrad	0:cdf462088d13	2764	* opaque dh_p<1..2^16-1>;
markrad	0:cdf462088d13	2765	* opaque dh_g<1..2^16-1>;
markrad	0:cdf462088d13	2766	* opaque dh_Ys<1..2^16-1>;
markrad	0:cdf462088d13	2767	* } ServerDHParams;
markrad	0:cdf462088d13	2768	*/
markrad	0:cdf462088d13	2769	if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 \|\|
markrad	0:cdf462088d13	2770	( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
markrad	0:cdf462088d13	2771	{
markrad	0:cdf462088d13	2772	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
markrad	0:cdf462088d13	2773	return( ret );
markrad	0:cdf462088d13	2774	}
markrad	0:cdf462088d13	2775
markrad	0:cdf462088d13	2776	if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
markrad	0:cdf462088d13	2777	(int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
markrad	0:cdf462088d13	2778	p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad	0:cdf462088d13	2779	{
markrad	0:cdf462088d13	2780	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
markrad	0:cdf462088d13	2781	return( ret );
markrad	0:cdf462088d13	2782	}
markrad	0:cdf462088d13	2783
markrad	0:cdf462088d13	2784	dig_signed = p;
markrad	0:cdf462088d13	2785	dig_signed_len = len;
markrad	0:cdf462088d13	2786
markrad	0:cdf462088d13	2787	p += len;
markrad	0:cdf462088d13	2788	n += len;
markrad	0:cdf462088d13	2789
markrad	0:cdf462088d13	2790	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
markrad	0:cdf462088d13	2791	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
markrad	0:cdf462088d13	2792	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
markrad	0:cdf462088d13	2793	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
markrad	0:cdf462088d13	2794	}
markrad	0:cdf462088d13	2795	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
markrad	0:cdf462088d13	2796	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
markrad	0:cdf462088d13	2797
markrad	0:cdf462088d13	2798	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
markrad	0:cdf462088d13	2799	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
markrad	0:cdf462088d13	2800	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
markrad	0:cdf462088d13	2801	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
markrad	0:cdf462088d13	2802	{
markrad	0:cdf462088d13	2803	/*
markrad	0:cdf462088d13	2804	* Ephemeral ECDH parameters:
markrad	0:cdf462088d13	2805	*
markrad	0:cdf462088d13	2806	* struct {
markrad	0:cdf462088d13	2807	* ECParameters curve_params;
markrad	0:cdf462088d13	2808	* ECPoint public;
markrad	0:cdf462088d13	2809	* } ServerECDHParams;
markrad	0:cdf462088d13	2810	*/
markrad	0:cdf462088d13	2811	const mbedtls_ecp_curve_info **curve = NULL;
markrad	0:cdf462088d13	2812	const mbedtls_ecp_group_id *gid;
markrad	0:cdf462088d13	2813
markrad	0:cdf462088d13	2814	/* Match our preference list against the offered curves */
markrad	0:cdf462088d13	2815	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
markrad	0:cdf462088d13	2816	for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
markrad	0:cdf462088d13	2817	if( (curve)->grp_id == gid )
markrad	0:cdf462088d13	2818	goto curve_matching_done;
markrad	0:cdf462088d13	2819
markrad	0:cdf462088d13	2820	curve_matching_done:
markrad	0:cdf462088d13	2821	if( curve == NULL \|\| *curve == NULL )
markrad	0:cdf462088d13	2822	{
markrad	0:cdf462088d13	2823	MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
markrad	0:cdf462088d13	2824	return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
markrad	0:cdf462088d13	2825	}
markrad	0:cdf462088d13	2826
markrad	0:cdf462088d13	2827	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
markrad	0:cdf462088d13	2828
markrad	0:cdf462088d13	2829	if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
markrad	0:cdf462088d13	2830	(*curve)->grp_id ) ) != 0 )
markrad	0:cdf462088d13	2831	{
markrad	0:cdf462088d13	2832	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
markrad	0:cdf462088d13	2833	return( ret );
markrad	0:cdf462088d13	2834	}
markrad	0:cdf462088d13	2835
markrad	0:cdf462088d13	2836	if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
markrad	0:cdf462088d13	2837	p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
markrad	0:cdf462088d13	2838	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad	0:cdf462088d13	2839	{
markrad	0:cdf462088d13	2840	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
markrad	0:cdf462088d13	2841	return( ret );
markrad	0:cdf462088d13	2842	}
markrad	0:cdf462088d13	2843
markrad	0:cdf462088d13	2844	dig_signed = p;
markrad	0:cdf462088d13	2845	dig_signed_len = len;
markrad	0:cdf462088d13	2846
markrad	0:cdf462088d13	2847	p += len;
markrad	0:cdf462088d13	2848	n += len;
markrad	0:cdf462088d13	2849
markrad	0:cdf462088d13	2850	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
markrad	0:cdf462088d13	2851	}
markrad	0:cdf462088d13	2852	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
markrad	0:cdf462088d13	2853
markrad	0:cdf462088d13	2854	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2855	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	2856	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
markrad	0:cdf462088d13	2857	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA \|\|
markrad	0:cdf462088d13	2858	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
markrad	0:cdf462088d13	2859	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
markrad	0:cdf462088d13	2860	{
markrad	0:cdf462088d13	2861	size_t signature_len = 0;
markrad	0:cdf462088d13	2862	unsigned int hashlen = 0;
markrad	0:cdf462088d13	2863	unsigned char hash[64];
markrad	0:cdf462088d13	2864	mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
markrad	0:cdf462088d13	2865
markrad	0:cdf462088d13	2866	/*
markrad	0:cdf462088d13	2867	* Choose hash algorithm. NONE means MD5 + SHA1 here.
markrad	0:cdf462088d13	2868	*/
markrad	0:cdf462088d13	2869	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	2870	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	2871	{
markrad	0:cdf462088d13	2872	md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg );
markrad	0:cdf462088d13	2873
markrad	0:cdf462088d13	2874	if( md_alg == MBEDTLS_MD_NONE )
markrad	0:cdf462088d13	2875	{
markrad	0:cdf462088d13	2876	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	2877	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	2878	}
markrad	0:cdf462088d13	2879	}
markrad	0:cdf462088d13	2880	else
markrad	0:cdf462088d13	2881	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	2882	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	2883	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	2884	if( ciphersuite_info->key_exchange ==
markrad	0:cdf462088d13	2885	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
markrad	0:cdf462088d13	2886	{
markrad	0:cdf462088d13	2887	md_alg = MBEDTLS_MD_SHA1;
markrad	0:cdf462088d13	2888	}
markrad	0:cdf462088d13	2889	else
markrad	0:cdf462088d13	2890	#endif
markrad	0:cdf462088d13	2891	{
markrad	0:cdf462088d13	2892	md_alg = MBEDTLS_MD_NONE;
markrad	0:cdf462088d13	2893	}
markrad	0:cdf462088d13	2894
markrad	0:cdf462088d13	2895	/*
markrad	0:cdf462088d13	2896	* Compute the hash to be signed
markrad	0:cdf462088d13	2897	*/
markrad	0:cdf462088d13	2898	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	2899	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	2900	if( md_alg == MBEDTLS_MD_NONE )
markrad	0:cdf462088d13	2901	{
markrad	0:cdf462088d13	2902	mbedtls_md5_context mbedtls_md5;
markrad	0:cdf462088d13	2903	mbedtls_sha1_context mbedtls_sha1;
markrad	0:cdf462088d13	2904
markrad	0:cdf462088d13	2905	mbedtls_md5_init( &mbedtls_md5 );
markrad	0:cdf462088d13	2906	mbedtls_sha1_init( &mbedtls_sha1 );
markrad	0:cdf462088d13	2907
markrad	0:cdf462088d13	2908	/*
markrad	0:cdf462088d13	2909	* digitally-signed struct {
markrad	0:cdf462088d13	2910	* opaque md5_hash[16];
markrad	0:cdf462088d13	2911	* opaque sha_hash[20];
markrad	0:cdf462088d13	2912	* };
markrad	0:cdf462088d13	2913	*
markrad	0:cdf462088d13	2914	* md5_hash
markrad	0:cdf462088d13	2915	* MD5(ClientHello.random + ServerHello.random
markrad	0:cdf462088d13	2916	* + ServerParams);
markrad	0:cdf462088d13	2917	* sha_hash
markrad	0:cdf462088d13	2918	* SHA(ClientHello.random + ServerHello.random
markrad	0:cdf462088d13	2919	* + ServerParams);
markrad	0:cdf462088d13	2920	*/
markrad	0:cdf462088d13	2921	mbedtls_md5_starts( &mbedtls_md5 );
markrad	0:cdf462088d13	2922	mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
markrad	0:cdf462088d13	2923	mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
markrad	0:cdf462088d13	2924	mbedtls_md5_finish( &mbedtls_md5, hash );
markrad	0:cdf462088d13	2925
markrad	0:cdf462088d13	2926	mbedtls_sha1_starts( &mbedtls_sha1 );
markrad	0:cdf462088d13	2927	mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
markrad	0:cdf462088d13	2928	mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len );
markrad	0:cdf462088d13	2929	mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
markrad	0:cdf462088d13	2930
markrad	0:cdf462088d13	2931	hashlen = 36;
markrad	0:cdf462088d13	2932
markrad	0:cdf462088d13	2933	mbedtls_md5_free( &mbedtls_md5 );
markrad	0:cdf462088d13	2934	mbedtls_sha1_free( &mbedtls_sha1 );
markrad	0:cdf462088d13	2935	}
markrad	0:cdf462088d13	2936	else
markrad	0:cdf462088d13	2937	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\| \
markrad	0:cdf462088d13	2938	MBEDTLS_SSL_PROTO_TLS1_1 */
markrad	0:cdf462088d13	2939	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	2940	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	2941	if( md_alg != MBEDTLS_MD_NONE )
markrad	0:cdf462088d13	2942	{
markrad	0:cdf462088d13	2943	mbedtls_md_context_t ctx;
markrad	0:cdf462088d13	2944	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
markrad	0:cdf462088d13	2945
markrad	0:cdf462088d13	2946	mbedtls_md_init( &ctx );
markrad	0:cdf462088d13	2947
markrad	0:cdf462088d13	2948	/* Info from md_alg will be used instead */
markrad	0:cdf462088d13	2949	hashlen = 0;
markrad	0:cdf462088d13	2950
markrad	0:cdf462088d13	2951	/*
markrad	0:cdf462088d13	2952	* digitally-signed struct {
markrad	0:cdf462088d13	2953	* opaque client_random[32];
markrad	0:cdf462088d13	2954	* opaque server_random[32];
markrad	0:cdf462088d13	2955	* ServerDHParams params;
markrad	0:cdf462088d13	2956	* };
markrad	0:cdf462088d13	2957	*/
markrad	0:cdf462088d13	2958	if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
markrad	0:cdf462088d13	2959	{
markrad	0:cdf462088d13	2960	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
markrad	0:cdf462088d13	2961	return( ret );
markrad	0:cdf462088d13	2962	}
markrad	0:cdf462088d13	2963
markrad	0:cdf462088d13	2964	mbedtls_md_starts( &ctx );
markrad	0:cdf462088d13	2965	mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
markrad	0:cdf462088d13	2966	mbedtls_md_update( &ctx, dig_signed, dig_signed_len );
markrad	0:cdf462088d13	2967	mbedtls_md_finish( &ctx, hash );
markrad	0:cdf462088d13	2968	mbedtls_md_free( &ctx );
markrad	0:cdf462088d13	2969	}
markrad	0:cdf462088d13	2970	else
markrad	0:cdf462088d13	2971	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
markrad	0:cdf462088d13	2972	MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	2973	{
markrad	0:cdf462088d13	2974	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	2975	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	2976	}
markrad	0:cdf462088d13	2977
markrad	0:cdf462088d13	2978	MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
markrad	0:cdf462088d13	2979	(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
markrad	0:cdf462088d13	2980
markrad	0:cdf462088d13	2981	/*
markrad	0:cdf462088d13	2982	* Make the signature
markrad	0:cdf462088d13	2983	*/
markrad	0:cdf462088d13	2984	if( mbedtls_ssl_own_key( ssl ) == NULL )
markrad	0:cdf462088d13	2985	{
markrad	0:cdf462088d13	2986	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
markrad	0:cdf462088d13	2987	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
markrad	0:cdf462088d13	2988	}
markrad	0:cdf462088d13	2989
markrad	0:cdf462088d13	2990	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	2991	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	2992	{
markrad	0:cdf462088d13	2993	*(p++) = ssl->handshake->sig_alg;
markrad	0:cdf462088d13	2994	*(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
markrad	0:cdf462088d13	2995
markrad	0:cdf462088d13	2996	n += 2;
markrad	0:cdf462088d13	2997	}
markrad	0:cdf462088d13	2998	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	2999
markrad	0:cdf462088d13	3000	if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
markrad	0:cdf462088d13	3001	p + 2 , &signature_len,
markrad	0:cdf462088d13	3002	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad	0:cdf462088d13	3003	{
markrad	0:cdf462088d13	3004	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
markrad	0:cdf462088d13	3005	return( ret );
markrad	0:cdf462088d13	3006	}
markrad	0:cdf462088d13	3007
markrad	0:cdf462088d13	3008	*(p++) = (unsigned char)( signature_len >> 8 );
markrad	0:cdf462088d13	3009	*(p++) = (unsigned char)( signature_len );
markrad	0:cdf462088d13	3010	n += 2;
markrad	0:cdf462088d13	3011
markrad	0:cdf462088d13	3012	MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
markrad	0:cdf462088d13	3013
markrad	0:cdf462088d13	3014	n += signature_len;
markrad	0:cdf462088d13	3015	}
markrad	0:cdf462088d13	3016	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\|
markrad	0:cdf462088d13	3017	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
markrad	0:cdf462088d13	3018	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
markrad	0:cdf462088d13	3019
markrad	0:cdf462088d13	3020	ssl->out_msglen = 4 + n;
markrad	0:cdf462088d13	3021	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	3022	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
markrad	0:cdf462088d13	3023
markrad	0:cdf462088d13	3024	ssl->state++;
markrad	0:cdf462088d13	3025
markrad	0:cdf462088d13	3026	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	3027	{
markrad	0:cdf462088d13	3028	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	3029	return( ret );
markrad	0:cdf462088d13	3030	}
markrad	0:cdf462088d13	3031
markrad	0:cdf462088d13	3032	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
markrad	0:cdf462088d13	3033
markrad	0:cdf462088d13	3034	return( 0 );
markrad	0:cdf462088d13	3035	}
markrad	0:cdf462088d13	3036
markrad	0:cdf462088d13	3037	static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3038	{
markrad	0:cdf462088d13	3039	int ret;
markrad	0:cdf462088d13	3040
markrad	0:cdf462088d13	3041	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
markrad	0:cdf462088d13	3042
markrad	0:cdf462088d13	3043	ssl->out_msglen = 4;
markrad	0:cdf462088d13	3044	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	3045	ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
markrad	0:cdf462088d13	3046
markrad	0:cdf462088d13	3047	ssl->state++;
markrad	0:cdf462088d13	3048
markrad	0:cdf462088d13	3049	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3050	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad	0:cdf462088d13	3051	mbedtls_ssl_send_flight_completed( ssl );
markrad	0:cdf462088d13	3052	#endif
markrad	0:cdf462088d13	3053
markrad	0:cdf462088d13	3054	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	3055	{
markrad	0:cdf462088d13	3056	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	3057	return( ret );
markrad	0:cdf462088d13	3058	}
markrad	0:cdf462088d13	3059
markrad	0:cdf462088d13	3060	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
markrad	0:cdf462088d13	3061
markrad	0:cdf462088d13	3062	return( 0 );
markrad	0:cdf462088d13	3063	}
markrad	0:cdf462088d13	3064
markrad	0:cdf462088d13	3065	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	3066	defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
markrad	0:cdf462088d13	3067	static int ssl_parse_client_dh_public( mbedtls_ssl_context ssl, unsigned char *p,
markrad	0:cdf462088d13	3068	const unsigned char *end )
markrad	0:cdf462088d13	3069	{
markrad	0:cdf462088d13	3070	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
markrad	0:cdf462088d13	3071	size_t n;
markrad	0:cdf462088d13	3072
markrad	0:cdf462088d13	3073	/*
markrad	0:cdf462088d13	3074	* Receive G^Y mod P, premaster = (G^Y)^X mod P
markrad	0:cdf462088d13	3075	*/
markrad	0:cdf462088d13	3076	if( *p + 2 > end )
markrad	0:cdf462088d13	3077	{
markrad	0:cdf462088d13	3078	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3079	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3080	}
markrad	0:cdf462088d13	3081
markrad	0:cdf462088d13	3082	n = ( (p)[0] << 8 ) \| (p)[1];
markrad	0:cdf462088d13	3083	*p += 2;
markrad	0:cdf462088d13	3084
markrad	0:cdf462088d13	3085	if( *p + n > end )
markrad	0:cdf462088d13	3086	{
markrad	0:cdf462088d13	3087	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3088	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3089	}
markrad	0:cdf462088d13	3090
markrad	0:cdf462088d13	3091	if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
markrad	0:cdf462088d13	3092	{
markrad	0:cdf462088d13	3093	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
markrad	0:cdf462088d13	3094	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
markrad	0:cdf462088d13	3095	}
markrad	0:cdf462088d13	3096
markrad	0:cdf462088d13	3097	*p += n;
markrad	0:cdf462088d13	3098
markrad	0:cdf462088d13	3099	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
markrad	0:cdf462088d13	3100
markrad	0:cdf462088d13	3101	return( ret );
markrad	0:cdf462088d13	3102	}
markrad	0:cdf462088d13	3103	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \|\|
markrad	0:cdf462088d13	3104	MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
markrad	0:cdf462088d13	3105
markrad	0:cdf462088d13	3106	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	3107	defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
markrad	0:cdf462088d13	3108	static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
markrad	0:cdf462088d13	3109	const unsigned char *p,
markrad	0:cdf462088d13	3110	const unsigned char *end,
markrad	0:cdf462088d13	3111	size_t pms_offset )
markrad	0:cdf462088d13	3112	{
markrad	0:cdf462088d13	3113	int ret;
markrad	0:cdf462088d13	3114	size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
markrad	0:cdf462088d13	3115	unsigned char *pms = ssl->handshake->premaster + pms_offset;
markrad	0:cdf462088d13	3116	unsigned char ver[2];
markrad	0:cdf462088d13	3117	unsigned char fake_pms[48], peer_pms[48];
markrad	0:cdf462088d13	3118	unsigned char mask;
markrad	0:cdf462088d13	3119	size_t i, peer_pmslen;
markrad	0:cdf462088d13	3120	unsigned int diff;
markrad	0:cdf462088d13	3121
markrad	0:cdf462088d13	3122	if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
markrad	0:cdf462088d13	3123	{
markrad	0:cdf462088d13	3124	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
markrad	0:cdf462088d13	3125	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
markrad	0:cdf462088d13	3126	}
markrad	0:cdf462088d13	3127
markrad	0:cdf462088d13	3128	/*
markrad	0:cdf462088d13	3129	* Decrypt the premaster using own private RSA key
markrad	0:cdf462088d13	3130	*/
markrad	0:cdf462088d13	3131	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
markrad	0:cdf462088d13	3132	defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	3133	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
markrad	0:cdf462088d13	3134	{
markrad	0:cdf462088d13	3135	if( *p++ != ( ( len >> 8 ) & 0xFF ) \|\|
markrad	0:cdf462088d13	3136	*p++ != ( ( len ) & 0xFF ) )
markrad	0:cdf462088d13	3137	{
markrad	0:cdf462088d13	3138	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3139	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3140	}
markrad	0:cdf462088d13	3141	}
markrad	0:cdf462088d13	3142	#endif
markrad	0:cdf462088d13	3143
markrad	0:cdf462088d13	3144	if( p + len != end )
markrad	0:cdf462088d13	3145	{
markrad	0:cdf462088d13	3146	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3147	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3148	}
markrad	0:cdf462088d13	3149
markrad	0:cdf462088d13	3150	mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
markrad	0:cdf462088d13	3151	ssl->handshake->max_minor_ver,
markrad	0:cdf462088d13	3152	ssl->conf->transport, ver );
markrad	0:cdf462088d13	3153
markrad	0:cdf462088d13	3154	/*
markrad	0:cdf462088d13	3155	* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
markrad	0:cdf462088d13	3156	* must not cause the connection to end immediately; instead, send a
markrad	0:cdf462088d13	3157	* bad_record_mac later in the handshake.
markrad	0:cdf462088d13	3158	* Also, avoid data-dependant branches here to protect against
markrad	0:cdf462088d13	3159	* timing-based variants.
markrad	0:cdf462088d13	3160	*/
markrad	0:cdf462088d13	3161	ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
markrad	0:cdf462088d13	3162	if( ret != 0 )
markrad	0:cdf462088d13	3163	return( ret );
markrad	0:cdf462088d13	3164
markrad	0:cdf462088d13	3165	ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
markrad	0:cdf462088d13	3166	peer_pms, &peer_pmslen,
markrad	0:cdf462088d13	3167	sizeof( peer_pms ),
markrad	0:cdf462088d13	3168	ssl->conf->f_rng, ssl->conf->p_rng );
markrad	0:cdf462088d13	3169
markrad	0:cdf462088d13	3170	diff = (unsigned int) ret;
markrad	0:cdf462088d13	3171	diff \|= peer_pmslen ^ 48;
markrad	0:cdf462088d13	3172	diff \|= peer_pms[0] ^ ver[0];
markrad	0:cdf462088d13	3173	diff \|= peer_pms[1] ^ ver[1];
markrad	0:cdf462088d13	3174
markrad	0:cdf462088d13	3175	#if defined(MBEDTLS_SSL_DEBUG_ALL)
markrad	0:cdf462088d13	3176	if( diff != 0 )
markrad	0:cdf462088d13	3177	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3178	#endif
markrad	0:cdf462088d13	3179
markrad	0:cdf462088d13	3180	if( sizeof( ssl->handshake->premaster ) < pms_offset \|\|
markrad	0:cdf462088d13	3181	sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
markrad	0:cdf462088d13	3182	{
markrad	0:cdf462088d13	3183	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	3184	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	3185	}
markrad	0:cdf462088d13	3186	ssl->handshake->pmslen = 48;
markrad	0:cdf462088d13	3187
markrad	0:cdf462088d13	3188	/* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
markrad	0:cdf462088d13	3189	/* MSVC has a warning about unary minus on unsigned, but this is
markrad	0:cdf462088d13	3190	* well-defined and precisely what we want to do here */
markrad	0:cdf462088d13	3191	#if defined(_MSC_VER)
markrad	0:cdf462088d13	3192	#pragma warning( push )
markrad	0:cdf462088d13	3193	#pragma warning( disable : 4146 )
markrad	0:cdf462088d13	3194	#endif
markrad	0:cdf462088d13	3195	mask = - ( ( diff \| - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
markrad	0:cdf462088d13	3196	#if defined(_MSC_VER)
markrad	0:cdf462088d13	3197	#pragma warning( pop )
markrad	0:cdf462088d13	3198	#endif
markrad	0:cdf462088d13	3199
markrad	0:cdf462088d13	3200	for( i = 0; i < ssl->handshake->pmslen; i++ )
markrad	0:cdf462088d13	3201	pms[i] = ( mask & fake_pms[i] ) \| ( (~mask) & peer_pms[i] );
markrad	0:cdf462088d13	3202
markrad	0:cdf462088d13	3203	return( 0 );
markrad	0:cdf462088d13	3204	}
markrad	0:cdf462088d13	3205	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \|\|
markrad	0:cdf462088d13	3206	MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
markrad	0:cdf462088d13	3207
markrad	0:cdf462088d13	3208	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
markrad	0:cdf462088d13	3209	static int ssl_parse_client_psk_identity( mbedtls_ssl_context ssl, unsigned char *p,
markrad	0:cdf462088d13	3210	const unsigned char *end )
markrad	0:cdf462088d13	3211	{
markrad	0:cdf462088d13	3212	int ret = 0;
markrad	0:cdf462088d13	3213	size_t n;
markrad	0:cdf462088d13	3214
markrad	0:cdf462088d13	3215	if( ssl->conf->f_psk == NULL &&
markrad	0:cdf462088d13	3216	( ssl->conf->psk == NULL \|\| ssl->conf->psk_identity == NULL \|\|
markrad	0:cdf462088d13	3217	ssl->conf->psk_identity_len == 0 \|\| ssl->conf->psk_len == 0 ) )
markrad	0:cdf462088d13	3218	{
markrad	0:cdf462088d13	3219	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
markrad	0:cdf462088d13	3220	return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
markrad	0:cdf462088d13	3221	}
markrad	0:cdf462088d13	3222
markrad	0:cdf462088d13	3223	/*
markrad	0:cdf462088d13	3224	* Receive client pre-shared key identity name
markrad	0:cdf462088d13	3225	*/
markrad	0:cdf462088d13	3226	if( *p + 2 > end )
markrad	0:cdf462088d13	3227	{
markrad	0:cdf462088d13	3228	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3229	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3230	}
markrad	0:cdf462088d13	3231
markrad	0:cdf462088d13	3232	n = ( (p)[0] << 8 ) \| (p)[1];
markrad	0:cdf462088d13	3233	*p += 2;
markrad	0:cdf462088d13	3234
markrad	0:cdf462088d13	3235	if( n < 1 \|\| n > 65535 \|\| *p + n > end )
markrad	0:cdf462088d13	3236	{
markrad	0:cdf462088d13	3237	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3238	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3239	}
markrad	0:cdf462088d13	3240
markrad	0:cdf462088d13	3241	if( ssl->conf->f_psk != NULL )
markrad	0:cdf462088d13	3242	{
markrad	0:cdf462088d13	3243	if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
markrad	0:cdf462088d13	3244	ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
markrad	0:cdf462088d13	3245	}
markrad	0:cdf462088d13	3246	else
markrad	0:cdf462088d13	3247	{
markrad	0:cdf462088d13	3248	/* Identity is not a big secret since clients send it in the clear,
markrad	0:cdf462088d13	3249	* but treat it carefully anyway, just in case */
markrad	0:cdf462088d13	3250	if( n != ssl->conf->psk_identity_len \|\|
markrad	0:cdf462088d13	3251	mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
markrad	0:cdf462088d13	3252	{
markrad	0:cdf462088d13	3253	ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
markrad	0:cdf462088d13	3254	}
markrad	0:cdf462088d13	3255	}
markrad	0:cdf462088d13	3256
markrad	0:cdf462088d13	3257	if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
markrad	0:cdf462088d13	3258	{
markrad	0:cdf462088d13	3259	MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
markrad	0:cdf462088d13	3260	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
markrad	0:cdf462088d13	3261	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad	0:cdf462088d13	3262	MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
markrad	0:cdf462088d13	3263	{
markrad	0:cdf462088d13	3264	return( ret );
markrad	0:cdf462088d13	3265	}
markrad	0:cdf462088d13	3266
markrad	0:cdf462088d13	3267	return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
markrad	0:cdf462088d13	3268	}
markrad	0:cdf462088d13	3269
markrad	0:cdf462088d13	3270	*p += n;
markrad	0:cdf462088d13	3271
markrad	0:cdf462088d13	3272	return( 0 );
markrad	0:cdf462088d13	3273	}
markrad	0:cdf462088d13	3274	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
markrad	0:cdf462088d13	3275
markrad	0:cdf462088d13	3276	static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3277	{
markrad	0:cdf462088d13	3278	int ret;
markrad	0:cdf462088d13	3279	const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
markrad	0:cdf462088d13	3280	unsigned char p, end;
markrad	0:cdf462088d13	3281
markrad	0:cdf462088d13	3282	ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	3283
markrad	0:cdf462088d13	3284	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
markrad	0:cdf462088d13	3285
markrad	0:cdf462088d13	3286	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	3287	{
markrad	0:cdf462088d13	3288	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
markrad	0:cdf462088d13	3289	return( ret );
markrad	0:cdf462088d13	3290	}
markrad	0:cdf462088d13	3291
markrad	0:cdf462088d13	3292	p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
markrad	0:cdf462088d13	3293	end = ssl->in_msg + ssl->in_hslen;
markrad	0:cdf462088d13	3294
markrad	0:cdf462088d13	3295	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
markrad	0:cdf462088d13	3296	{
markrad	0:cdf462088d13	3297	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3298	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3299	}
markrad	0:cdf462088d13	3300
markrad	0:cdf462088d13	3301	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
markrad	0:cdf462088d13	3302	{
markrad	0:cdf462088d13	3303	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
markrad	0:cdf462088d13	3304	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3305	}
markrad	0:cdf462088d13	3306
markrad	0:cdf462088d13	3307	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
markrad	0:cdf462088d13	3308	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
markrad	0:cdf462088d13	3309	{
markrad	0:cdf462088d13	3310	if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
markrad	0:cdf462088d13	3311	{
markrad	0:cdf462088d13	3312	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
markrad	0:cdf462088d13	3313	return( ret );
markrad	0:cdf462088d13	3314	}
markrad	0:cdf462088d13	3315
markrad	0:cdf462088d13	3316	if( p != end )
markrad	0:cdf462088d13	3317	{
markrad	0:cdf462088d13	3318	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
markrad	0:cdf462088d13	3319	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3320	}
markrad	0:cdf462088d13	3321
markrad	0:cdf462088d13	3322	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
markrad	0:cdf462088d13	3323	ssl->handshake->premaster,
markrad	0:cdf462088d13	3324	MBEDTLS_PREMASTER_SIZE,
markrad	0:cdf462088d13	3325	&ssl->handshake->pmslen,
markrad	0:cdf462088d13	3326	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad	0:cdf462088d13	3327	{
markrad	0:cdf462088d13	3328	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
markrad	0:cdf462088d13	3329	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
markrad	0:cdf462088d13	3330	}
markrad	0:cdf462088d13	3331
markrad	0:cdf462088d13	3332	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
markrad	0:cdf462088d13	3333	}
markrad	0:cdf462088d13	3334	else
markrad	0:cdf462088d13	3335	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
markrad	0:cdf462088d13	3336	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	3337	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) \|\| \
markrad	0:cdf462088d13	3338	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \|\| \
markrad	0:cdf462088d13	3339	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
markrad	0:cdf462088d13	3340	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA \|\|
markrad	0:cdf462088d13	3341	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA \|\|
markrad	0:cdf462088d13	3342	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA \|\|
markrad	0:cdf462088d13	3343	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
markrad	0:cdf462088d13	3344	{
markrad	0:cdf462088d13	3345	if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
markrad	0:cdf462088d13	3346	p, end - p) ) != 0 )
markrad	0:cdf462088d13	3347	{
markrad	0:cdf462088d13	3348	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
markrad	0:cdf462088d13	3349	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
markrad	0:cdf462088d13	3350	}
markrad	0:cdf462088d13	3351
markrad	0:cdf462088d13	3352	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
markrad	0:cdf462088d13	3353
markrad	0:cdf462088d13	3354	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
markrad	0:cdf462088d13	3355	&ssl->handshake->pmslen,
markrad	0:cdf462088d13	3356	ssl->handshake->premaster,
markrad	0:cdf462088d13	3357	MBEDTLS_MPI_MAX_SIZE,
markrad	0:cdf462088d13	3358	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad	0:cdf462088d13	3359	{
markrad	0:cdf462088d13	3360	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
markrad	0:cdf462088d13	3361	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
markrad	0:cdf462088d13	3362	}
markrad	0:cdf462088d13	3363
markrad	0:cdf462088d13	3364	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
markrad	0:cdf462088d13	3365	}
markrad	0:cdf462088d13	3366	else
markrad	0:cdf462088d13	3367	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \|\|
markrad	0:cdf462088d13	3368	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \|\|
markrad	0:cdf462088d13	3369	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \|\|
markrad	0:cdf462088d13	3370	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
markrad	0:cdf462088d13	3371	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
markrad	0:cdf462088d13	3372	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
markrad	0:cdf462088d13	3373	{
markrad	0:cdf462088d13	3374	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
markrad	0:cdf462088d13	3375	{
markrad	0:cdf462088d13	3376	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
markrad	0:cdf462088d13	3377	return( ret );
markrad	0:cdf462088d13	3378	}
markrad	0:cdf462088d13	3379
markrad	0:cdf462088d13	3380	if( p != end )
markrad	0:cdf462088d13	3381	{
markrad	0:cdf462088d13	3382	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
markrad	0:cdf462088d13	3383	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3384	}
markrad	0:cdf462088d13	3385
markrad	0:cdf462088d13	3386	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
markrad	0:cdf462088d13	3387	ciphersuite_info->key_exchange ) ) != 0 )
markrad	0:cdf462088d13	3388	{
markrad	0:cdf462088d13	3389	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
markrad	0:cdf462088d13	3390	return( ret );
markrad	0:cdf462088d13	3391	}
markrad	0:cdf462088d13	3392	}
markrad	0:cdf462088d13	3393	else
markrad	0:cdf462088d13	3394	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
markrad	0:cdf462088d13	3395	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
markrad	0:cdf462088d13	3396	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
markrad	0:cdf462088d13	3397	{
markrad	0:cdf462088d13	3398	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
markrad	0:cdf462088d13	3399	{
markrad	0:cdf462088d13	3400	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
markrad	0:cdf462088d13	3401	return( ret );
markrad	0:cdf462088d13	3402	}
markrad	0:cdf462088d13	3403
markrad	0:cdf462088d13	3404	if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
markrad	0:cdf462088d13	3405	{
markrad	0:cdf462088d13	3406	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
markrad	0:cdf462088d13	3407	return( ret );
markrad	0:cdf462088d13	3408	}
markrad	0:cdf462088d13	3409
markrad	0:cdf462088d13	3410	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
markrad	0:cdf462088d13	3411	ciphersuite_info->key_exchange ) ) != 0 )
markrad	0:cdf462088d13	3412	{
markrad	0:cdf462088d13	3413	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
markrad	0:cdf462088d13	3414	return( ret );
markrad	0:cdf462088d13	3415	}
markrad	0:cdf462088d13	3416	}
markrad	0:cdf462088d13	3417	else
markrad	0:cdf462088d13	3418	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
markrad	0:cdf462088d13	3419	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
markrad	0:cdf462088d13	3420	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
markrad	0:cdf462088d13	3421	{
markrad	0:cdf462088d13	3422	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
markrad	0:cdf462088d13	3423	{
markrad	0:cdf462088d13	3424	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
markrad	0:cdf462088d13	3425	return( ret );
markrad	0:cdf462088d13	3426	}
markrad	0:cdf462088d13	3427	if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
markrad	0:cdf462088d13	3428	{
markrad	0:cdf462088d13	3429	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
markrad	0:cdf462088d13	3430	return( ret );
markrad	0:cdf462088d13	3431	}
markrad	0:cdf462088d13	3432
markrad	0:cdf462088d13	3433	if( p != end )
markrad	0:cdf462088d13	3434	{
markrad	0:cdf462088d13	3435	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
markrad	0:cdf462088d13	3436	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
markrad	0:cdf462088d13	3437	}
markrad	0:cdf462088d13	3438
markrad	0:cdf462088d13	3439	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
markrad	0:cdf462088d13	3440	ciphersuite_info->key_exchange ) ) != 0 )
markrad	0:cdf462088d13	3441	{
markrad	0:cdf462088d13	3442	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
markrad	0:cdf462088d13	3443	return( ret );
markrad	0:cdf462088d13	3444	}
markrad	0:cdf462088d13	3445	}
markrad	0:cdf462088d13	3446	else
markrad	0:cdf462088d13	3447	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
markrad	0:cdf462088d13	3448	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
markrad	0:cdf462088d13	3449	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
markrad	0:cdf462088d13	3450	{
markrad	0:cdf462088d13	3451	if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
markrad	0:cdf462088d13	3452	{
markrad	0:cdf462088d13	3453	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
markrad	0:cdf462088d13	3454	return( ret );
markrad	0:cdf462088d13	3455	}
markrad	0:cdf462088d13	3456
markrad	0:cdf462088d13	3457	if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
markrad	0:cdf462088d13	3458	p, end - p ) ) != 0 )
markrad	0:cdf462088d13	3459	{
markrad	0:cdf462088d13	3460	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
markrad	0:cdf462088d13	3461	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
markrad	0:cdf462088d13	3462	}
markrad	0:cdf462088d13	3463
markrad	0:cdf462088d13	3464	MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
markrad	0:cdf462088d13	3465
markrad	0:cdf462088d13	3466	if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
markrad	0:cdf462088d13	3467	ciphersuite_info->key_exchange ) ) != 0 )
markrad	0:cdf462088d13	3468	{
markrad	0:cdf462088d13	3469	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
markrad	0:cdf462088d13	3470	return( ret );
markrad	0:cdf462088d13	3471	}
markrad	0:cdf462088d13	3472	}
markrad	0:cdf462088d13	3473	else
markrad	0:cdf462088d13	3474	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
markrad	0:cdf462088d13	3475	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
markrad	0:cdf462088d13	3476	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
markrad	0:cdf462088d13	3477	{
markrad	0:cdf462088d13	3478	if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
markrad	0:cdf462088d13	3479	{
markrad	0:cdf462088d13	3480	MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
markrad	0:cdf462088d13	3481	return( ret );
markrad	0:cdf462088d13	3482	}
markrad	0:cdf462088d13	3483	}
markrad	0:cdf462088d13	3484	else
markrad	0:cdf462088d13	3485	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
markrad	0:cdf462088d13	3486	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad	0:cdf462088d13	3487	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	3488	{
markrad	0:cdf462088d13	3489	ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
markrad	0:cdf462088d13	3490	p, end - p );
markrad	0:cdf462088d13	3491	if( ret != 0 )
markrad	0:cdf462088d13	3492	{
markrad	0:cdf462088d13	3493	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
markrad	0:cdf462088d13	3494	return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
markrad	0:cdf462088d13	3495	}
markrad	0:cdf462088d13	3496
markrad	0:cdf462088d13	3497	ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
markrad	0:cdf462088d13	3498	ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
markrad	0:cdf462088d13	3499	ssl->conf->f_rng, ssl->conf->p_rng );
markrad	0:cdf462088d13	3500	if( ret != 0 )
markrad	0:cdf462088d13	3501	{
markrad	0:cdf462088d13	3502	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
markrad	0:cdf462088d13	3503	return( ret );
markrad	0:cdf462088d13	3504	}
markrad	0:cdf462088d13	3505	}
markrad	0:cdf462088d13	3506	else
markrad	0:cdf462088d13	3507	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad	0:cdf462088d13	3508	{
markrad	0:cdf462088d13	3509	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	3510	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	3511	}
markrad	0:cdf462088d13	3512
markrad	0:cdf462088d13	3513	if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
markrad	0:cdf462088d13	3514	{
markrad	0:cdf462088d13	3515	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
markrad	0:cdf462088d13	3516	return( ret );
markrad	0:cdf462088d13	3517	}
markrad	0:cdf462088d13	3518
markrad	0:cdf462088d13	3519	ssl->state++;
markrad	0:cdf462088d13	3520
markrad	0:cdf462088d13	3521	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
markrad	0:cdf462088d13	3522
markrad	0:cdf462088d13	3523	return( 0 );
markrad	0:cdf462088d13	3524	}
markrad	0:cdf462088d13	3525
markrad	0:cdf462088d13	3526	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
markrad	0:cdf462088d13	3527	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
markrad	0:cdf462088d13	3528	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
markrad	0:cdf462088d13	3529	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
markrad	0:cdf462088d13	3530	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
markrad	0:cdf462088d13	3531	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
markrad	0:cdf462088d13	3532	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3533	{
markrad	0:cdf462088d13	3534	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	3535
markrad	0:cdf462088d13	3536	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
markrad	0:cdf462088d13	3537
markrad	0:cdf462088d13	3538	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	3539	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
markrad	0:cdf462088d13	3540	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
markrad	0:cdf462088d13	3541	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	3542	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad	0:cdf462088d13	3543	{
markrad	0:cdf462088d13	3544	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
markrad	0:cdf462088d13	3545	ssl->state++;
markrad	0:cdf462088d13	3546	return( 0 );
markrad	0:cdf462088d13	3547	}
markrad	0:cdf462088d13	3548
markrad	0:cdf462088d13	3549	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	3550	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	3551	}
markrad	0:cdf462088d13	3552	#else
markrad	0:cdf462088d13	3553	static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3554	{
markrad	0:cdf462088d13	3555	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
markrad	0:cdf462088d13	3556	size_t i, sig_len;
markrad	0:cdf462088d13	3557	unsigned char hash[48];
markrad	0:cdf462088d13	3558	unsigned char *hash_start = hash;
markrad	0:cdf462088d13	3559	size_t hashlen;
markrad	0:cdf462088d13	3560	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	3561	mbedtls_pk_type_t pk_alg;
markrad	0:cdf462088d13	3562	#endif
markrad	0:cdf462088d13	3563	mbedtls_md_type_t md_alg;
markrad	0:cdf462088d13	3564	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
markrad	0:cdf462088d13	3565
markrad	0:cdf462088d13	3566	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
markrad	0:cdf462088d13	3567
markrad	0:cdf462088d13	3568	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
markrad	0:cdf462088d13	3569	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK \|\|
markrad	0:cdf462088d13	3570	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
markrad	0:cdf462088d13	3571	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
markrad	0:cdf462088d13	3572	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE \|\|
markrad	0:cdf462088d13	3573	ssl->session_negotiate->peer_cert == NULL )
markrad	0:cdf462088d13	3574	{
markrad	0:cdf462088d13	3575	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
markrad	0:cdf462088d13	3576	ssl->state++;
markrad	0:cdf462088d13	3577	return( 0 );
markrad	0:cdf462088d13	3578	}
markrad	0:cdf462088d13	3579
markrad	0:cdf462088d13	3580	/* Read the message without adding it to the checksum */
markrad	0:cdf462088d13	3581	do {
markrad	0:cdf462088d13	3582
markrad	0:cdf462088d13	3583	if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
markrad	0:cdf462088d13	3584	{
markrad	0:cdf462088d13	3585	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
markrad	0:cdf462088d13	3586	return( ret );
markrad	0:cdf462088d13	3587	}
markrad	0:cdf462088d13	3588
markrad	0:cdf462088d13	3589	ret = mbedtls_ssl_handle_message_type( ssl );
markrad	0:cdf462088d13	3590
markrad	0:cdf462088d13	3591	} while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
markrad	0:cdf462088d13	3592
markrad	0:cdf462088d13	3593	if( 0 != ret )
markrad	0:cdf462088d13	3594	{
markrad	0:cdf462088d13	3595	MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
markrad	0:cdf462088d13	3596	return( ret );
markrad	0:cdf462088d13	3597	}
markrad	0:cdf462088d13	3598
markrad	0:cdf462088d13	3599	ssl->state++;
markrad	0:cdf462088d13	3600
markrad	0:cdf462088d13	3601	/* Process the message contents */
markrad	0:cdf462088d13	3602	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
markrad	0:cdf462088d13	3603	ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
markrad	0:cdf462088d13	3604	{
markrad	0:cdf462088d13	3605	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
markrad	0:cdf462088d13	3606	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
markrad	0:cdf462088d13	3607	}
markrad	0:cdf462088d13	3608
markrad	0:cdf462088d13	3609	i = mbedtls_ssl_hs_hdr_len( ssl );
markrad	0:cdf462088d13	3610
markrad	0:cdf462088d13	3611	/*
markrad	0:cdf462088d13	3612	* struct {
markrad	0:cdf462088d13	3613	* SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
markrad	0:cdf462088d13	3614	* opaque signature<0..2^16-1>;
markrad	0:cdf462088d13	3615	* } DigitallySigned;
markrad	0:cdf462088d13	3616	*/
markrad	0:cdf462088d13	3617	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
markrad	0:cdf462088d13	3618	defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad	0:cdf462088d13	3619	if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	3620	{
markrad	0:cdf462088d13	3621	md_alg = MBEDTLS_MD_NONE;
markrad	0:cdf462088d13	3622	hashlen = 36;
markrad	0:cdf462088d13	3623
markrad	0:cdf462088d13	3624	/* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
markrad	0:cdf462088d13	3625	if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
markrad	0:cdf462088d13	3626	MBEDTLS_PK_ECDSA ) )
markrad	0:cdf462088d13	3627	{
markrad	0:cdf462088d13	3628	hash_start += 16;
markrad	0:cdf462088d13	3629	hashlen -= 16;
markrad	0:cdf462088d13	3630	md_alg = MBEDTLS_MD_SHA1;
markrad	0:cdf462088d13	3631	}
markrad	0:cdf462088d13	3632	}
markrad	0:cdf462088d13	3633	else
markrad	0:cdf462088d13	3634	#endif /* MBEDTLS_SSL_PROTO_SSL3 \|\| MBEDTLS_SSL_PROTO_TLS1 \|\|
markrad	0:cdf462088d13	3635	MBEDTLS_SSL_PROTO_TLS1_1 */
markrad	0:cdf462088d13	3636	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad	0:cdf462088d13	3637	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad	0:cdf462088d13	3638	{
markrad	0:cdf462088d13	3639	if( i + 2 > ssl->in_hslen )
markrad	0:cdf462088d13	3640	{
markrad	0:cdf462088d13	3641	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
markrad	0:cdf462088d13	3642	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
markrad	0:cdf462088d13	3643	}
markrad	0:cdf462088d13	3644
markrad	0:cdf462088d13	3645	/*
markrad	0:cdf462088d13	3646	* Hash
markrad	0:cdf462088d13	3647	*/
markrad	0:cdf462088d13	3648	md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
markrad	0:cdf462088d13	3649
markrad	0:cdf462088d13	3650	if( md_alg == MBEDTLS_MD_NONE \|\| mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
markrad	0:cdf462088d13	3651	{
markrad	0:cdf462088d13	3652	MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
markrad	0:cdf462088d13	3653	" for verify message" ) );
markrad	0:cdf462088d13	3654	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
markrad	0:cdf462088d13	3655	}
markrad	0:cdf462088d13	3656
markrad	0:cdf462088d13	3657	#if !defined(MBEDTLS_MD_SHA1)
markrad	0:cdf462088d13	3658	if( MBEDTLS_MD_SHA1 == md_alg )
markrad	0:cdf462088d13	3659	hash_start += 16;
markrad	0:cdf462088d13	3660	#endif
markrad	0:cdf462088d13	3661
markrad	0:cdf462088d13	3662	/* Info from md_alg will be used instead */
markrad	0:cdf462088d13	3663	hashlen = 0;
markrad	0:cdf462088d13	3664
markrad	0:cdf462088d13	3665	i++;
markrad	0:cdf462088d13	3666
markrad	0:cdf462088d13	3667	/*
markrad	0:cdf462088d13	3668	* Signature
markrad	0:cdf462088d13	3669	*/
markrad	0:cdf462088d13	3670	if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
markrad	0:cdf462088d13	3671	== MBEDTLS_PK_NONE )
markrad	0:cdf462088d13	3672	{
markrad	0:cdf462088d13	3673	MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
markrad	0:cdf462088d13	3674	" for verify message" ) );
markrad	0:cdf462088d13	3675	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
markrad	0:cdf462088d13	3676	}
markrad	0:cdf462088d13	3677
markrad	0:cdf462088d13	3678	/*
markrad	0:cdf462088d13	3679	* Check the certificate's key type matches the signature alg
markrad	0:cdf462088d13	3680	*/
markrad	0:cdf462088d13	3681	if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
markrad	0:cdf462088d13	3682	{
markrad	0:cdf462088d13	3683	MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
markrad	0:cdf462088d13	3684	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
markrad	0:cdf462088d13	3685	}
markrad	0:cdf462088d13	3686
markrad	0:cdf462088d13	3687	i++;
markrad	0:cdf462088d13	3688	}
markrad	0:cdf462088d13	3689	else
markrad	0:cdf462088d13	3690	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad	0:cdf462088d13	3691	{
markrad	0:cdf462088d13	3692	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad	0:cdf462088d13	3693	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad	0:cdf462088d13	3694	}
markrad	0:cdf462088d13	3695
markrad	0:cdf462088d13	3696	if( i + 2 > ssl->in_hslen )
markrad	0:cdf462088d13	3697	{
markrad	0:cdf462088d13	3698	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
markrad	0:cdf462088d13	3699	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
markrad	0:cdf462088d13	3700	}
markrad	0:cdf462088d13	3701
markrad	0:cdf462088d13	3702	sig_len = ( ssl->in_msg[i] << 8 ) \| ssl->in_msg[i+1];
markrad	0:cdf462088d13	3703	i += 2;
markrad	0:cdf462088d13	3704
markrad	0:cdf462088d13	3705	if( i + sig_len != ssl->in_hslen )
markrad	0:cdf462088d13	3706	{
markrad	0:cdf462088d13	3707	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
markrad	0:cdf462088d13	3708	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
markrad	0:cdf462088d13	3709	}
markrad	0:cdf462088d13	3710
markrad	0:cdf462088d13	3711	/* Calculate hash and verify signature */
markrad	0:cdf462088d13	3712	ssl->handshake->calc_verify( ssl, hash );
markrad	0:cdf462088d13	3713
markrad	0:cdf462088d13	3714	if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
markrad	0:cdf462088d13	3715	md_alg, hash_start, hashlen,
markrad	0:cdf462088d13	3716	ssl->in_msg + i, sig_len ) ) != 0 )
markrad	0:cdf462088d13	3717	{
markrad	0:cdf462088d13	3718	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
markrad	0:cdf462088d13	3719	return( ret );
markrad	0:cdf462088d13	3720	}
markrad	0:cdf462088d13	3721
markrad	0:cdf462088d13	3722	mbedtls_ssl_update_handshake_status( ssl );
markrad	0:cdf462088d13	3723
markrad	0:cdf462088d13	3724	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
markrad	0:cdf462088d13	3725
markrad	0:cdf462088d13	3726	return( ret );
markrad	0:cdf462088d13	3727	}
markrad	0:cdf462088d13	3728	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
markrad	0:cdf462088d13	3729	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
markrad	0:cdf462088d13	3730	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
markrad	0:cdf462088d13	3731	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
markrad	0:cdf462088d13	3732	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
markrad	0:cdf462088d13	3733	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
markrad	0:cdf462088d13	3734
markrad	0:cdf462088d13	3735	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	3736	static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3737	{
markrad	0:cdf462088d13	3738	int ret;
markrad	0:cdf462088d13	3739	size_t tlen;
markrad	0:cdf462088d13	3740	uint32_t lifetime;
markrad	0:cdf462088d13	3741
markrad	0:cdf462088d13	3742	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
markrad	0:cdf462088d13	3743
markrad	0:cdf462088d13	3744	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad	0:cdf462088d13	3745	ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
markrad	0:cdf462088d13	3746
markrad	0:cdf462088d13	3747	/*
markrad	0:cdf462088d13	3748	* struct {
markrad	0:cdf462088d13	3749	* uint32 ticket_lifetime_hint;
markrad	0:cdf462088d13	3750	* opaque ticket<0..2^16-1>;
markrad	0:cdf462088d13	3751	* } NewSessionTicket;
markrad	0:cdf462088d13	3752	*
markrad	0:cdf462088d13	3753	* 4 . 7 ticket_lifetime_hint (0 = unspecified)
markrad	0:cdf462088d13	3754	* 8 . 9 ticket_len (n)
markrad	0:cdf462088d13	3755	* 10 . 9+n ticket content
markrad	0:cdf462088d13	3756	*/
markrad	0:cdf462088d13	3757
markrad	0:cdf462088d13	3758	if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
markrad	0:cdf462088d13	3759	ssl->session_negotiate,
markrad	0:cdf462088d13	3760	ssl->out_msg + 10,
markrad	0:cdf462088d13	3761	ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
markrad	0:cdf462088d13	3762	&tlen, &lifetime ) ) != 0 )
markrad	0:cdf462088d13	3763	{
markrad	0:cdf462088d13	3764	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
markrad	0:cdf462088d13	3765	tlen = 0;
markrad	0:cdf462088d13	3766	}
markrad	0:cdf462088d13	3767
markrad	0:cdf462088d13	3768	ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
markrad	0:cdf462088d13	3769	ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
markrad	0:cdf462088d13	3770	ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
markrad	0:cdf462088d13	3771	ssl->out_msg[7] = ( lifetime ) & 0xFF;
markrad	0:cdf462088d13	3772
markrad	0:cdf462088d13	3773	ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
markrad	0:cdf462088d13	3774	ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
markrad	0:cdf462088d13	3775
markrad	0:cdf462088d13	3776	ssl->out_msglen = 10 + tlen;
markrad	0:cdf462088d13	3777
markrad	0:cdf462088d13	3778	/*
markrad	0:cdf462088d13	3779	* Morally equivalent to updating ssl->state, but NewSessionTicket and
markrad	0:cdf462088d13	3780	* ChangeCipherSpec share the same state.
markrad	0:cdf462088d13	3781	*/
markrad	0:cdf462088d13	3782	ssl->handshake->new_session_ticket = 0;
markrad	0:cdf462088d13	3783
markrad	0:cdf462088d13	3784	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad	0:cdf462088d13	3785	{
markrad	0:cdf462088d13	3786	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad	0:cdf462088d13	3787	return( ret );
markrad	0:cdf462088d13	3788	}
markrad	0:cdf462088d13	3789
markrad	0:cdf462088d13	3790	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
markrad	0:cdf462088d13	3791
markrad	0:cdf462088d13	3792	return( 0 );
markrad	0:cdf462088d13	3793	}
markrad	0:cdf462088d13	3794	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad	0:cdf462088d13	3795
markrad	0:cdf462088d13	3796	/*
markrad	0:cdf462088d13	3797	* SSL handshake -- server side -- single step
markrad	0:cdf462088d13	3798	*/
markrad	0:cdf462088d13	3799	int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
markrad	0:cdf462088d13	3800	{
markrad	0:cdf462088d13	3801	int ret = 0;
markrad	0:cdf462088d13	3802
markrad	0:cdf462088d13	3803	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER \|\| ssl->handshake == NULL )
markrad	0:cdf462088d13	3804	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	3805
markrad	0:cdf462088d13	3806	MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
markrad	0:cdf462088d13	3807
markrad	0:cdf462088d13	3808	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
markrad	0:cdf462088d13	3809	return( ret );
markrad	0:cdf462088d13	3810
markrad	0:cdf462088d13	3811	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3812	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad	0:cdf462088d13	3813	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
markrad	0:cdf462088d13	3814	{
markrad	0:cdf462088d13	3815	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
markrad	0:cdf462088d13	3816	return( ret );
markrad	0:cdf462088d13	3817	}
markrad	0:cdf462088d13	3818	#endif
markrad	0:cdf462088d13	3819
markrad	0:cdf462088d13	3820	switch( ssl->state )
markrad	0:cdf462088d13	3821	{
markrad	0:cdf462088d13	3822	case MBEDTLS_SSL_HELLO_REQUEST:
markrad	0:cdf462088d13	3823	ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
markrad	0:cdf462088d13	3824	break;
markrad	0:cdf462088d13	3825
markrad	0:cdf462088d13	3826	/*
markrad	0:cdf462088d13	3827	* <== ClientHello
markrad	0:cdf462088d13	3828	*/
markrad	0:cdf462088d13	3829	case MBEDTLS_SSL_CLIENT_HELLO:
markrad	0:cdf462088d13	3830	ret = ssl_parse_client_hello( ssl );
markrad	0:cdf462088d13	3831	break;
markrad	0:cdf462088d13	3832
markrad	0:cdf462088d13	3833	#if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad	0:cdf462088d13	3834	case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
markrad	0:cdf462088d13	3835	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
markrad	0:cdf462088d13	3836	#endif
markrad	0:cdf462088d13	3837
markrad	0:cdf462088d13	3838	/*
markrad	0:cdf462088d13	3839	* ==> ServerHello
markrad	0:cdf462088d13	3840	* Certificate
markrad	0:cdf462088d13	3841	* ( ServerKeyExchange )
markrad	0:cdf462088d13	3842	* ( CertificateRequest )
markrad	0:cdf462088d13	3843	* ServerHelloDone
markrad	0:cdf462088d13	3844	*/
markrad	0:cdf462088d13	3845	case MBEDTLS_SSL_SERVER_HELLO:
markrad	0:cdf462088d13	3846	ret = ssl_write_server_hello( ssl );
markrad	0:cdf462088d13	3847	break;
markrad	0:cdf462088d13	3848
markrad	0:cdf462088d13	3849	case MBEDTLS_SSL_SERVER_CERTIFICATE:
markrad	0:cdf462088d13	3850	ret = mbedtls_ssl_write_certificate( ssl );
markrad	0:cdf462088d13	3851	break;
markrad	0:cdf462088d13	3852
markrad	0:cdf462088d13	3853	case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
markrad	0:cdf462088d13	3854	ret = ssl_write_server_key_exchange( ssl );
markrad	0:cdf462088d13	3855	break;
markrad	0:cdf462088d13	3856
markrad	0:cdf462088d13	3857	case MBEDTLS_SSL_CERTIFICATE_REQUEST:
markrad	0:cdf462088d13	3858	ret = ssl_write_certificate_request( ssl );
markrad	0:cdf462088d13	3859	break;
markrad	0:cdf462088d13	3860
markrad	0:cdf462088d13	3861	case MBEDTLS_SSL_SERVER_HELLO_DONE:
markrad	0:cdf462088d13	3862	ret = ssl_write_server_hello_done( ssl );
markrad	0:cdf462088d13	3863	break;
markrad	0:cdf462088d13	3864
markrad	0:cdf462088d13	3865	/*
markrad	0:cdf462088d13	3866	* <== ( Certificate/Alert )
markrad	0:cdf462088d13	3867	* ClientKeyExchange
markrad	0:cdf462088d13	3868	* ( CertificateVerify )
markrad	0:cdf462088d13	3869	* ChangeCipherSpec
markrad	0:cdf462088d13	3870	* Finished
markrad	0:cdf462088d13	3871	*/
markrad	0:cdf462088d13	3872	case MBEDTLS_SSL_CLIENT_CERTIFICATE:
markrad	0:cdf462088d13	3873	ret = mbedtls_ssl_parse_certificate( ssl );
markrad	0:cdf462088d13	3874	break;
markrad	0:cdf462088d13	3875
markrad	0:cdf462088d13	3876	case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
markrad	0:cdf462088d13	3877	ret = ssl_parse_client_key_exchange( ssl );
markrad	0:cdf462088d13	3878	break;
markrad	0:cdf462088d13	3879
markrad	0:cdf462088d13	3880	case MBEDTLS_SSL_CERTIFICATE_VERIFY:
markrad	0:cdf462088d13	3881	ret = ssl_parse_certificate_verify( ssl );
markrad	0:cdf462088d13	3882	break;
markrad	0:cdf462088d13	3883
markrad	0:cdf462088d13	3884	case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
markrad	0:cdf462088d13	3885	ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
markrad	0:cdf462088d13	3886	break;
markrad	0:cdf462088d13	3887
markrad	0:cdf462088d13	3888	case MBEDTLS_SSL_CLIENT_FINISHED:
markrad	0:cdf462088d13	3889	ret = mbedtls_ssl_parse_finished( ssl );
markrad	0:cdf462088d13	3890	break;
markrad	0:cdf462088d13	3891
markrad	0:cdf462088d13	3892	/*
markrad	0:cdf462088d13	3893	* ==> ( NewSessionTicket )
markrad	0:cdf462088d13	3894	* ChangeCipherSpec
markrad	0:cdf462088d13	3895	* Finished
markrad	0:cdf462088d13	3896	*/
markrad	0:cdf462088d13	3897	case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
markrad	0:cdf462088d13	3898	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad	0:cdf462088d13	3899	if( ssl->handshake->new_session_ticket != 0 )
markrad	0:cdf462088d13	3900	ret = ssl_write_new_session_ticket( ssl );
markrad	0:cdf462088d13	3901	else
markrad	0:cdf462088d13	3902	#endif
markrad	0:cdf462088d13	3903	ret = mbedtls_ssl_write_change_cipher_spec( ssl );
markrad	0:cdf462088d13	3904	break;
markrad	0:cdf462088d13	3905
markrad	0:cdf462088d13	3906	case MBEDTLS_SSL_SERVER_FINISHED:
markrad	0:cdf462088d13	3907	ret = mbedtls_ssl_write_finished( ssl );
markrad	0:cdf462088d13	3908	break;
markrad	0:cdf462088d13	3909
markrad	0:cdf462088d13	3910	case MBEDTLS_SSL_FLUSH_BUFFERS:
markrad	0:cdf462088d13	3911	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
markrad	0:cdf462088d13	3912	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
markrad	0:cdf462088d13	3913	break;
markrad	0:cdf462088d13	3914
markrad	0:cdf462088d13	3915	case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
markrad	0:cdf462088d13	3916	mbedtls_ssl_handshake_wrapup( ssl );
markrad	0:cdf462088d13	3917	break;
markrad	0:cdf462088d13	3918
markrad	0:cdf462088d13	3919	default:
markrad	0:cdf462088d13	3920	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
markrad	0:cdf462088d13	3921	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad	0:cdf462088d13	3922	}
markrad	0:cdf462088d13	3923
markrad	0:cdf462088d13	3924	return( ret );
markrad	0:cdf462088d13	3925	}
markrad	0:cdf462088d13	3926	#endif /* MBEDTLS_SSL_SRV_C */

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	05 Jan 2017
Imports:	525
Forks:	0
Commits:	1
Dependents:	4
Dependencies:	0
Followers:	32

The code in this repository is Apache licensed.

library/ssl_srv.c@0:cdf462088d13, 2017-01-05 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning