Context Navigation

ssl_tls.c

Last change on this file was 20366, checked in by Itms, 7 years ago

Alpha 12 version of Premake 5, including prebuilt binary for Windows.
Directly taken from https://premake.github.io/.

File size: 236.4 KB

Line
1	/*
2	* SSLv3/TLSv1 shared functions
3	*
4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5	* SPDX-License-Identifier: Apache-2.0
6	*
7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
8	* not use this file except in compliance with the License.
9	* You may obtain a copy of the License at
10	*
11	* http://www.apache.org/licenses/LICENSE-2.0
12	*
13	* Unless required by applicable law or agreed to in writing, software
14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16	* See the License for the specific language governing permissions and
17	* limitations under the License.
18	*
19	* This file is part of mbed TLS (https://tls.mbed.org)
20	*/
21	/*
22	* The SSL 3.0 specification was drafted by Netscape in 1996,
23	* and became an IETF standard in 1999.
24	*
25	* http://wp.netscape.com/eng/ssl3/
26	* http://www.ietf.org/rfc/rfc2246.txt
27	* http://www.ietf.org/rfc/rfc4346.txt
28	*/
29
30	#if !defined(MBEDTLS_CONFIG_FILE)
31	#include "mbedtls/config.h"
32	#else
33	#include MBEDTLS_CONFIG_FILE
34	#endif
35
36	#if defined(MBEDTLS_SSL_TLS_C)
37
38	#include "mbedtls/debug.h"
39	#include "mbedtls/ssl.h"
40	#include "mbedtls/ssl_internal.h"
41
42	#include <string.h>
43
44	#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
45	defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
46	#include "mbedtls/oid.h"
47	#endif
48
49	#if defined(MBEDTLS_PLATFORM_C)
50	#include "mbedtls/platform.h"
51	#else
52	#include <stdlib.h>
53	#define mbedtls_calloc calloc
54	#define mbedtls_free free
55	#endif
56
57	/* Implementation that should never be optimized out by the compiler */
58	static void mbedtls_zeroize( void *v, size_t n ) {
59	volatile unsigned char p = v; while( n-- ) p++ = 0;
60	}
61
62	/* Length of the "epoch" field in the record header */
63	static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
64	{
65	#if defined(MBEDTLS_SSL_PROTO_DTLS)
66	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
67	return( 2 );
68	#else
69	((void) ssl);
70	#endif
71	return( 0 );
72	}
73
74	/*
75	* Start a timer.
76	* Passing millisecs = 0 cancels a running timer.
77	*/
78	static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
79	{
80	if( ssl->f_set_timer == NULL )
81	return;
82
83	MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
84	ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
85	}
86
87	/*
88	* Return -1 is timer is expired, 0 if it isn't.
89	*/
90	static int ssl_check_timer( mbedtls_ssl_context *ssl )
91	{
92	if( ssl->f_get_timer == NULL )
93	return( 0 );
94
95	if( ssl->f_get_timer( ssl->p_timer ) == 2 )
96	{
97	MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
98	return( -1 );
99	}
100
101	return( 0 );
102	}
103
104	#if defined(MBEDTLS_SSL_PROTO_DTLS)
105	/*
106	* Double the retransmit timeout value, within the allowed range,
107	* returning -1 if the maximum value has already been reached.
108	*/
109	static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
110	{
111	uint32_t new_timeout;
112
113	if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
114	return( -1 );
115
116	new_timeout = 2 * ssl->handshake->retransmit_timeout;
117
118	/* Avoid arithmetic overflow and range overflow */
119	if( new_timeout < ssl->handshake->retransmit_timeout \|\|
120	new_timeout > ssl->conf->hs_timeout_max )
121	{
122	new_timeout = ssl->conf->hs_timeout_max;
123	}
124
125	ssl->handshake->retransmit_timeout = new_timeout;
126	MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
127	ssl->handshake->retransmit_timeout ) );
128
129	return( 0 );
130	}
131
132	static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
133	{
134	ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
135	MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
136	ssl->handshake->retransmit_timeout ) );
137	}
138	#endif /* MBEDTLS_SSL_PROTO_DTLS */
139
140	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
141	/*
142	* Convert max_fragment_length codes to length.
143	* RFC 6066 says:
144	* enum{
145	* 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
146	* } MaxFragmentLength;
147	* and we add 0 -> extension unused
148	*/
149	static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
150	{
151	MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
152	512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */
153	1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
154	2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
155	4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
156	};
157	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
158
159	#if defined(MBEDTLS_SSL_CLI_C)
160	static int ssl_session_copy( mbedtls_ssl_session dst, const mbedtls_ssl_session src )
161	{
162	mbedtls_ssl_session_free( dst );
163	memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
164
165	#if defined(MBEDTLS_X509_CRT_PARSE_C)
166	if( src->peer_cert != NULL )
167	{
168	int ret;
169
170	dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
171	if( dst->peer_cert == NULL )
172	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
173
174	mbedtls_x509_crt_init( dst->peer_cert );
175
176	if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
177	src->peer_cert->raw.len ) ) != 0 )
178	{
179	mbedtls_free( dst->peer_cert );
180	dst->peer_cert = NULL;
181	return( ret );
182	}
183	}
184	#endif /* MBEDTLS_X509_CRT_PARSE_C */
185
186	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
187	if( src->ticket != NULL )
188	{
189	dst->ticket = mbedtls_calloc( 1, src->ticket_len );
190	if( dst->ticket == NULL )
191	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
192
193	memcpy( dst->ticket, src->ticket, src->ticket_len );
194	}
195	#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
196
197	return( 0 );
198	}
199	#endif /* MBEDTLS_SSL_CLI_C */
200
201	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
202	int (mbedtls_ssl_hw_record_init)( mbedtls_ssl_context ssl,
203	const unsigned char key_enc, const unsigned char key_dec,
204	size_t keylen,
205	const unsigned char iv_enc, const unsigned char iv_dec,
206	size_t ivlen,
207	const unsigned char mac_enc, const unsigned char mac_dec,
208	size_t maclen ) = NULL;
209	int (mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context ssl, int direction) = NULL;
210	int (mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context ssl ) = NULL;
211	int (mbedtls_ssl_hw_record_write)( mbedtls_ssl_context ssl ) = NULL;
212	int (mbedtls_ssl_hw_record_read)( mbedtls_ssl_context ssl ) = NULL;
213	int (mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context ssl ) = NULL;
214	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
215
216	/*
217	* Key material generation
218	*/
219	#if defined(MBEDTLS_SSL_PROTO_SSL3)
220	static int ssl3_prf( const unsigned char *secret, size_t slen,
221	const char *label,
222	const unsigned char *random, size_t rlen,
223	unsigned char *dstbuf, size_t dlen )
224	{
225	size_t i;
226	mbedtls_md5_context md5;
227	mbedtls_sha1_context sha1;
228	unsigned char padding[16];
229	unsigned char sha1sum[20];
230	((void)label);
231
232	mbedtls_md5_init( &md5 );
233	mbedtls_sha1_init( &sha1 );
234
235	/*
236	* SSLv3:
237	* block =
238	* MD5( secret + SHA1( 'A' + secret + random ) ) +
239	* MD5( secret + SHA1( 'BB' + secret + random ) ) +
240	* MD5( secret + SHA1( 'CCC' + secret + random ) ) +
241	* ...
242	*/
243	for( i = 0; i < dlen / 16; i++ )
244	{
245	memset( padding, (unsigned char) ('A' + i), 1 + i );
246
247	mbedtls_sha1_starts( &sha1 );
248	mbedtls_sha1_update( &sha1, padding, 1 + i );
249	mbedtls_sha1_update( &sha1, secret, slen );
250	mbedtls_sha1_update( &sha1, random, rlen );
251	mbedtls_sha1_finish( &sha1, sha1sum );
252
253	mbedtls_md5_starts( &md5 );
254	mbedtls_md5_update( &md5, secret, slen );
255	mbedtls_md5_update( &md5, sha1sum, 20 );
256	mbedtls_md5_finish( &md5, dstbuf + i * 16 );
257	}
258
259	mbedtls_md5_free( &md5 );
260	mbedtls_sha1_free( &sha1 );
261
262	mbedtls_zeroize( padding, sizeof( padding ) );
263	mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
264
265	return( 0 );
266	}
267	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
268
269	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
270	static int tls1_prf( const unsigned char *secret, size_t slen,
271	const char *label,
272	const unsigned char *random, size_t rlen,
273	unsigned char *dstbuf, size_t dlen )
274	{
275	size_t nb, hs;
276	size_t i, j, k;
277	const unsigned char S1, S2;
278	unsigned char tmp[128];
279	unsigned char h_i[20];
280	const mbedtls_md_info_t *md_info;
281	mbedtls_md_context_t md_ctx;
282	int ret;
283
284	mbedtls_md_init( &md_ctx );
285
286	if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
287	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
288
289	hs = ( slen + 1 ) / 2;
290	S1 = secret;
291	S2 = secret + slen - hs;
292
293	nb = strlen( label );
294	memcpy( tmp + 20, label, nb );
295	memcpy( tmp + 20 + nb, random, rlen );
296	nb += rlen;
297
298	/*
299	* First compute P_md5(secret,label+random)[0..dlen]
300	*/
301	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
302	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
303
304	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
305	return( ret );
306
307	mbedtls_md_hmac_starts( &md_ctx, S1, hs );
308	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
309	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
310
311	for( i = 0; i < dlen; i += 16 )
312	{
313	mbedtls_md_hmac_reset ( &md_ctx );
314	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
315	mbedtls_md_hmac_finish( &md_ctx, h_i );
316
317	mbedtls_md_hmac_reset ( &md_ctx );
318	mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
319	mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
320
321	k = ( i + 16 > dlen ) ? dlen % 16 : 16;
322
323	for( j = 0; j < k; j++ )
324	dstbuf[i + j] = h_i[j];
325	}
326
327	mbedtls_md_free( &md_ctx );
328
329	/*
330	* XOR out with P_sha1(secret,label+random)[0..dlen]
331	*/
332	if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
333	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
334
335	if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
336	return( ret );
337
338	mbedtls_md_hmac_starts( &md_ctx, S2, hs );
339	mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
340	mbedtls_md_hmac_finish( &md_ctx, tmp );
341
342	for( i = 0; i < dlen; i += 20 )
343	{
344	mbedtls_md_hmac_reset ( &md_ctx );
345	mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
346	mbedtls_md_hmac_finish( &md_ctx, h_i );
347
348	mbedtls_md_hmac_reset ( &md_ctx );
349	mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
350	mbedtls_md_hmac_finish( &md_ctx, tmp );
351
352	k = ( i + 20 > dlen ) ? dlen % 20 : 20;
353
354	for( j = 0; j < k; j++ )
355	dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
356	}
357
358	mbedtls_md_free( &md_ctx );
359
360	mbedtls_zeroize( tmp, sizeof( tmp ) );
361	mbedtls_zeroize( h_i, sizeof( h_i ) );
362
363	return( 0 );
364	}
365	#endif /* MBEDTLS_SSL_PROTO_TLS1) \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
366
367	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
368	static int tls_prf_generic( mbedtls_md_type_t md_type,
369	const unsigned char *secret, size_t slen,
370	const char *label,
371	const unsigned char *random, size_t rlen,
372	unsigned char *dstbuf, size_t dlen )
373	{
374	size_t nb;
375	size_t i, j, k, md_len;
376	unsigned char tmp[128];
377	unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
378	const mbedtls_md_info_t *md_info;
379	mbedtls_md_context_t md_ctx;
380	int ret;
381
382	mbedtls_md_init( &md_ctx );
383
384	if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
385	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
386
387	md_len = mbedtls_md_get_size( md_info );
388
389	if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
390	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
391
392	nb = strlen( label );
393	memcpy( tmp + md_len, label, nb );
394	memcpy( tmp + md_len + nb, random, rlen );
395	nb += rlen;
396
397	/*
398	* Compute P_<hash>(secret, label + random)[0..dlen]
399	*/
400	if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
401	return( ret );
402
403	mbedtls_md_hmac_starts( &md_ctx, secret, slen );
404	mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
405	mbedtls_md_hmac_finish( &md_ctx, tmp );
406
407	for( i = 0; i < dlen; i += md_len )
408	{
409	mbedtls_md_hmac_reset ( &md_ctx );
410	mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
411	mbedtls_md_hmac_finish( &md_ctx, h_i );
412
413	mbedtls_md_hmac_reset ( &md_ctx );
414	mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
415	mbedtls_md_hmac_finish( &md_ctx, tmp );
416
417	k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
418
419	for( j = 0; j < k; j++ )
420	dstbuf[i + j] = h_i[j];
421	}
422
423	mbedtls_md_free( &md_ctx );
424
425	mbedtls_zeroize( tmp, sizeof( tmp ) );
426	mbedtls_zeroize( h_i, sizeof( h_i ) );
427
428	return( 0 );
429	}
430
431	#if defined(MBEDTLS_SHA256_C)
432	static int tls_prf_sha256( const unsigned char *secret, size_t slen,
433	const char *label,
434	const unsigned char *random, size_t rlen,
435	unsigned char *dstbuf, size_t dlen )
436	{
437	return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
438	label, random, rlen, dstbuf, dlen ) );
439	}
440	#endif /* MBEDTLS_SHA256_C */
441
442	#if defined(MBEDTLS_SHA512_C)
443	static int tls_prf_sha384( const unsigned char *secret, size_t slen,
444	const char *label,
445	const unsigned char *random, size_t rlen,
446	unsigned char *dstbuf, size_t dlen )
447	{
448	return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
449	label, random, rlen, dstbuf, dlen ) );
450	}
451	#endif /* MBEDTLS_SHA512_C */
452	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
453
454	static void ssl_update_checksum_start( mbedtls_ssl_context , const unsigned char , size_t );
455
456	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
457	defined(MBEDTLS_SSL_PROTO_TLS1_1)
458	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context , const unsigned char , size_t );
459	#endif
460
461	#if defined(MBEDTLS_SSL_PROTO_SSL3)
462	static void ssl_calc_verify_ssl( mbedtls_ssl_context , unsigned char );
463	static void ssl_calc_finished_ssl( mbedtls_ssl_context , unsigned char , int );
464	#endif
465
466	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
467	static void ssl_calc_verify_tls( mbedtls_ssl_context , unsigned char );
468	static void ssl_calc_finished_tls( mbedtls_ssl_context , unsigned char , int );
469	#endif
470
471	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
472	#if defined(MBEDTLS_SHA256_C)
473	static void ssl_update_checksum_sha256( mbedtls_ssl_context , const unsigned char , size_t );
474	static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context ,unsigned char );
475	static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context ,unsigned char , int );
476	#endif
477
478	#if defined(MBEDTLS_SHA512_C)
479	static void ssl_update_checksum_sha384( mbedtls_ssl_context , const unsigned char , size_t );
480	static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context , unsigned char );
481	static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context , unsigned char , int );
482	#endif
483	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
484
485	int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
486	{
487	int ret = 0;
488	unsigned char tmp[64];
489	unsigned char keyblk[256];
490	unsigned char *key1;
491	unsigned char *key2;
492	unsigned char *mac_enc;
493	unsigned char *mac_dec;
494	size_t iv_copy_len;
495	const mbedtls_cipher_info_t *cipher_info;
496	const mbedtls_md_info_t *md_info;
497
498	mbedtls_ssl_session *session = ssl->session_negotiate;
499	mbedtls_ssl_transform *transform = ssl->transform_negotiate;
500	mbedtls_ssl_handshake_params *handshake = ssl->handshake;
501
502	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
503
504	cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
505	if( cipher_info == NULL )
506	{
507	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
508	transform->ciphersuite_info->cipher ) );
509	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
510	}
511
512	md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
513	if( md_info == NULL )
514	{
515	MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
516	transform->ciphersuite_info->mac ) );
517	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
518	}
519
520	/*
521	* Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
522	*/
523	#if defined(MBEDTLS_SSL_PROTO_SSL3)
524	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
525	{
526	handshake->tls_prf = ssl3_prf;
527	handshake->calc_verify = ssl_calc_verify_ssl;
528	handshake->calc_finished = ssl_calc_finished_ssl;
529	}
530	else
531	#endif
532	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
533	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
534	{
535	handshake->tls_prf = tls1_prf;
536	handshake->calc_verify = ssl_calc_verify_tls;
537	handshake->calc_finished = ssl_calc_finished_tls;
538	}
539	else
540	#endif
541	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
542	#if defined(MBEDTLS_SHA512_C)
543	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
544	transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
545	{
546	handshake->tls_prf = tls_prf_sha384;
547	handshake->calc_verify = ssl_calc_verify_tls_sha384;
548	handshake->calc_finished = ssl_calc_finished_tls_sha384;
549	}
550	else
551	#endif
552	#if defined(MBEDTLS_SHA256_C)
553	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
554	{
555	handshake->tls_prf = tls_prf_sha256;
556	handshake->calc_verify = ssl_calc_verify_tls_sha256;
557	handshake->calc_finished = ssl_calc_finished_tls_sha256;
558	}
559	else
560	#endif
561	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
562	{
563	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
564	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
565	}
566
567	/*
568	* SSLv3:
569	* master =
570	* MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
571	* MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
572	* MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
573	*
574	* TLSv1+:
575	* master = PRF( premaster, "master secret", randbytes )[0..47]
576	*/
577	if( handshake->resume == 0 )
578	{
579	MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
580	handshake->pmslen );
581
582	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
583	if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
584	{
585	unsigned char session_hash[48];
586	size_t hash_len;
587
588	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
589
590	ssl->handshake->calc_verify( ssl, session_hash );
591
592	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
593	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
594	{
595	#if defined(MBEDTLS_SHA512_C)
596	if( ssl->transform_negotiate->ciphersuite_info->mac ==
597	MBEDTLS_MD_SHA384 )
598	{
599	hash_len = 48;
600	}
601	else
602	#endif
603	hash_len = 32;
604	}
605	else
606	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
607	hash_len = 36;
608
609	MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
610
611	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
612	"extended master secret",
613	session_hash, hash_len,
614	session->master, 48 );
615	if( ret != 0 )
616	{
617	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
618	return( ret );
619	}
620
621	}
622	else
623	#endif
624	ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
625	"master secret",
626	handshake->randbytes, 64,
627	session->master, 48 );
628	if( ret != 0 )
629	{
630	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
631	return( ret );
632	}
633
634	mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) );
635	}
636	else
637	MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
638
639	/*
640	* Swap the client and server random values.
641	*/
642	memcpy( tmp, handshake->randbytes, 64 );
643	memcpy( handshake->randbytes, tmp + 32, 32 );
644	memcpy( handshake->randbytes + 32, tmp, 32 );
645	mbedtls_zeroize( tmp, sizeof( tmp ) );
646
647	/*
648	* SSLv3:
649	* key block =
650	* MD5( master + SHA1( 'A' + master + randbytes ) ) +
651	* MD5( master + SHA1( 'BB' + master + randbytes ) ) +
652	* MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
653	* MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
654	* ...
655	*
656	* TLSv1:
657	* key block = PRF( master, "key expansion", randbytes )
658	*/
659	ret = handshake->tls_prf( session->master, 48, "key expansion",
660	handshake->randbytes, 64, keyblk, 256 );
661	if( ret != 0 )
662	{
663	MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
664	return( ret );
665	}
666
667	MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
668	mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
669	MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
670	MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
671	MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
672
673	mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
674
675	/*
676	* Determine the appropriate key, IV and MAC length.
677	*/
678
679	transform->keylen = cipher_info->key_bitlen / 8;
680
681	if( cipher_info->mode == MBEDTLS_MODE_GCM \|\|
682	cipher_info->mode == MBEDTLS_MODE_CCM )
683	{
684	transform->maclen = 0;
685
686	transform->ivlen = 12;
687	transform->fixed_ivlen = 4;
688
689	/* Minimum length is expicit IV + tag */
690	transform->minlen = transform->ivlen - transform->fixed_ivlen
691	+ ( transform->ciphersuite_info->flags &
692	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
693	}
694	else
695	{
696	/* Initialize HMAC contexts */
697	if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 \|\|
698	( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
699	{
700	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
701	return( ret );
702	}
703
704	/* Get MAC length */
705	transform->maclen = mbedtls_md_get_size( md_info );
706
707	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
708	/*
709	* If HMAC is to be truncated, we shall keep the leftmost bytes,
710	* (rfc 6066 page 13 or rfc 2104 section 4),
711	* so we only need to adjust the length here.
712	*/
713	if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
714	transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
715	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
716
717	/* IV length */
718	transform->ivlen = cipher_info->iv_size;
719
720	/* Minimum length */
721	if( cipher_info->mode == MBEDTLS_MODE_STREAM )
722	transform->minlen = transform->maclen;
723	else
724	{
725	/*
726	* GenericBlockCipher:
727	* 1. if EtM is in use: one block plus MAC
728	* otherwise: * first multiple of blocklen greater than maclen
729	* 2. IV except for SSL3 and TLS 1.0
730	*/
731	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
732	if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
733	{
734	transform->minlen = transform->maclen
735	+ cipher_info->block_size;
736	}
737	else
738	#endif
739	{
740	transform->minlen = transform->maclen
741	+ cipher_info->block_size
742	- transform->maclen % cipher_info->block_size;
743	}
744
745	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
746	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 \|\|
747	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
748	; /* No need to adjust minlen */
749	else
750	#endif
751	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
752	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 \|\|
753	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
754	{
755	transform->minlen += transform->ivlen;
756	}
757	else
758	#endif
759	{
760	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
761	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
762	}
763	}
764	}
765
766	MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
767	transform->keylen, transform->minlen, transform->ivlen,
768	transform->maclen ) );
769
770	/*
771	* Finally setup the cipher contexts, IVs and MAC secrets.
772	*/
773	#if defined(MBEDTLS_SSL_CLI_C)
774	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
775	{
776	key1 = keyblk + transform->maclen * 2;
777	key2 = keyblk + transform->maclen * 2 + transform->keylen;
778
779	mac_enc = keyblk;
780	mac_dec = keyblk + transform->maclen;
781
782	/*
783	* This is not used in TLS v1.1.
784	*/
785	iv_copy_len = ( transform->fixed_ivlen ) ?
786	transform->fixed_ivlen : transform->ivlen;
787	memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
788	memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
789	iv_copy_len );
790	}
791	else
792	#endif /* MBEDTLS_SSL_CLI_C */
793	#if defined(MBEDTLS_SSL_SRV_C)
794	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
795	{
796	key1 = keyblk + transform->maclen * 2 + transform->keylen;
797	key2 = keyblk + transform->maclen * 2;
798
799	mac_enc = keyblk + transform->maclen;
800	mac_dec = keyblk;
801
802	/*
803	* This is not used in TLS v1.1.
804	*/
805	iv_copy_len = ( transform->fixed_ivlen ) ?
806	transform->fixed_ivlen : transform->ivlen;
807	memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
808	memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
809	iv_copy_len );
810	}
811	else
812	#endif /* MBEDTLS_SSL_SRV_C */
813	{
814	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
815	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
816	}
817
818	#if defined(MBEDTLS_SSL_PROTO_SSL3)
819	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
820	{
821	if( transform->maclen > sizeof transform->mac_enc )
822	{
823	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
824	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
825	}
826
827	memcpy( transform->mac_enc, mac_enc, transform->maclen );
828	memcpy( transform->mac_dec, mac_dec, transform->maclen );
829	}
830	else
831	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
832	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
833	defined(MBEDTLS_SSL_PROTO_TLS1_2)
834	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
835	{
836	mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
837	mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
838	}
839	else
840	#endif
841	{
842	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
843	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
844	}
845
846	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
847	if( mbedtls_ssl_hw_record_init != NULL )
848	{
849	int ret = 0;
850
851	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
852
853	if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
854	transform->iv_enc, transform->iv_dec,
855	iv_copy_len,
856	mac_enc, mac_dec,
857	transform->maclen ) ) != 0 )
858	{
859	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
860	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
861	}
862	}
863	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
864
865	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
866	if( ssl->conf->f_export_keys != NULL )
867	{
868	ssl->conf->f_export_keys( ssl->conf->p_export_keys,
869	session->master, keyblk,
870	transform->maclen, transform->keylen,
871	iv_copy_len );
872	}
873	#endif
874
875	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
876	cipher_info ) ) != 0 )
877	{
878	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
879	return( ret );
880	}
881
882	if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
883	cipher_info ) ) != 0 )
884	{
885	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
886	return( ret );
887	}
888
889	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
890	cipher_info->key_bitlen,
891	MBEDTLS_ENCRYPT ) ) != 0 )
892	{
893	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
894	return( ret );
895	}
896
897	if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
898	cipher_info->key_bitlen,
899	MBEDTLS_DECRYPT ) ) != 0 )
900	{
901	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
902	return( ret );
903	}
904
905	#if defined(MBEDTLS_CIPHER_MODE_CBC)
906	if( cipher_info->mode == MBEDTLS_MODE_CBC )
907	{
908	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
909	MBEDTLS_PADDING_NONE ) ) != 0 )
910	{
911	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
912	return( ret );
913	}
914
915	if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
916	MBEDTLS_PADDING_NONE ) ) != 0 )
917	{
918	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
919	return( ret );
920	}
921	}
922	#endif /* MBEDTLS_CIPHER_MODE_CBC */
923
924	mbedtls_zeroize( keyblk, sizeof( keyblk ) );
925
926	#if defined(MBEDTLS_ZLIB_SUPPORT)
927	// Initialize compression
928	//
929	if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
930	{
931	if( ssl->compress_buf == NULL )
932	{
933	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
934	ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
935	if( ssl->compress_buf == NULL )
936	{
937	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
938	MBEDTLS_SSL_BUFFER_LEN ) );
939	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
940	}
941	}
942
943	MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
944
945	memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
946	memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
947
948	if( deflateInit( &transform->ctx_deflate,
949	Z_DEFAULT_COMPRESSION ) != Z_OK \|\|
950	inflateInit( &transform->ctx_inflate ) != Z_OK )
951	{
952	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
953	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
954	}
955	}
956	#endif /* MBEDTLS_ZLIB_SUPPORT */
957
958	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
959
960	return( 0 );
961	}
962
963	#if defined(MBEDTLS_SSL_PROTO_SSL3)
964	void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
965	{
966	mbedtls_md5_context md5;
967	mbedtls_sha1_context sha1;
968	unsigned char pad_1[48];
969	unsigned char pad_2[48];
970
971	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
972
973	mbedtls_md5_init( &md5 );
974	mbedtls_sha1_init( &sha1 );
975
976	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
977	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
978
979	memset( pad_1, 0x36, 48 );
980	memset( pad_2, 0x5C, 48 );
981
982	mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 );
983	mbedtls_md5_update( &md5, pad_1, 48 );
984	mbedtls_md5_finish( &md5, hash );
985
986	mbedtls_md5_starts( &md5 );
987	mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 );
988	mbedtls_md5_update( &md5, pad_2, 48 );
989	mbedtls_md5_update( &md5, hash, 16 );
990	mbedtls_md5_finish( &md5, hash );
991
992	mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 );
993	mbedtls_sha1_update( &sha1, pad_1, 40 );
994	mbedtls_sha1_finish( &sha1, hash + 16 );
995
996	mbedtls_sha1_starts( &sha1 );
997	mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 );
998	mbedtls_sha1_update( &sha1, pad_2, 40 );
999	mbedtls_sha1_update( &sha1, hash + 16, 20 );
1000	mbedtls_sha1_finish( &sha1, hash + 16 );
1001
1002	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1003	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1004
1005	mbedtls_md5_free( &md5 );
1006	mbedtls_sha1_free( &sha1 );
1007
1008	return;
1009	}
1010	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1011
1012	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
1013	void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
1014	{
1015	mbedtls_md5_context md5;
1016	mbedtls_sha1_context sha1;
1017
1018	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
1019
1020	mbedtls_md5_init( &md5 );
1021	mbedtls_sha1_init( &sha1 );
1022
1023	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1024	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
1025
1026	mbedtls_md5_finish( &md5, hash );
1027	mbedtls_sha1_finish( &sha1, hash + 16 );
1028
1029	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1030	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1031
1032	mbedtls_md5_free( &md5 );
1033	mbedtls_sha1_free( &sha1 );
1034
1035	return;
1036	}
1037	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
1038
1039	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1040	#if defined(MBEDTLS_SHA256_C)
1041	void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
1042	{
1043	mbedtls_sha256_context sha256;
1044
1045	mbedtls_sha256_init( &sha256 );
1046
1047	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
1048
1049	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
1050	mbedtls_sha256_finish( &sha256, hash );
1051
1052	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
1053	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1054
1055	mbedtls_sha256_free( &sha256 );
1056
1057	return;
1058	}
1059	#endif /* MBEDTLS_SHA256_C */
1060
1061	#if defined(MBEDTLS_SHA512_C)
1062	void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
1063	{
1064	mbedtls_sha512_context sha512;
1065
1066	mbedtls_sha512_init( &sha512 );
1067
1068	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
1069
1070	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
1071	mbedtls_sha512_finish( &sha512, hash );
1072
1073	MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
1074	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1075
1076	mbedtls_sha512_free( &sha512 );
1077
1078	return;
1079	}
1080	#endif /* MBEDTLS_SHA512_C */
1081	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1082
1083	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1084	int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
1085	{
1086	unsigned char *p = ssl->handshake->premaster;
1087	unsigned char *end = p + sizeof( ssl->handshake->premaster );
1088	const unsigned char *psk = ssl->conf->psk;
1089	size_t psk_len = ssl->conf->psk_len;
1090
1091	/* If the psk callback was called, use its result */
1092	if( ssl->handshake->psk != NULL )
1093	{
1094	psk = ssl->handshake->psk;
1095	psk_len = ssl->handshake->psk_len;
1096	}
1097
1098	/*
1099	* PMS = struct {
1100	* opaque other_secret<0..2^16-1>;
1101	* opaque psk<0..2^16-1>;
1102	* };
1103	* with "other_secret" depending on the particular key exchange
1104	*/
1105	#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1106	if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
1107	{
1108	if( end - p < 2 )
1109	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1110
1111	*(p++) = (unsigned char)( psk_len >> 8 );
1112	*(p++) = (unsigned char)( psk_len );
1113
1114	if( end < p \|\| (size_t)( end - p ) < psk_len )
1115	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1116
1117	memset( p, 0, psk_len );
1118	p += psk_len;
1119	}
1120	else
1121	#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1122	#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1123	if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
1124	{
1125	/*
1126	* other_secret already set by the ClientKeyExchange message,
1127	* and is 48 bytes long
1128	*/
1129	*p++ = 0;
1130	*p++ = 48;
1131	p += 48;
1132	}
1133	else
1134	#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1135	#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1136	if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
1137	{
1138	int ret;
1139	size_t len;
1140
1141	/* Write length only when we know the actual value */
1142	if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
1143	p + 2, end - ( p + 2 ), &len,
1144	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1145	{
1146	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
1147	return( ret );
1148	}
1149	*(p++) = (unsigned char)( len >> 8 );
1150	*(p++) = (unsigned char)( len );
1151	p += len;
1152
1153	MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1154	}
1155	else
1156	#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1157	#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1158	if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
1159	{
1160	int ret;
1161	size_t zlen;
1162
1163	if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
1164	p + 2, end - ( p + 2 ),
1165	ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1166	{
1167	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
1168	return( ret );
1169	}
1170
1171	*(p++) = (unsigned char)( zlen >> 8 );
1172	*(p++) = (unsigned char)( zlen );
1173	p += zlen;
1174
1175	MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
1176	}
1177	else
1178	#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1179	{
1180	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1181	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1182	}
1183
1184	/* opaque psk<0..2^16-1>; */
1185	if( end - p < 2 )
1186	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1187
1188	*(p++) = (unsigned char)( psk_len >> 8 );
1189	*(p++) = (unsigned char)( psk_len );
1190
1191	if( end < p \|\| (size_t)( end - p ) < psk_len )
1192	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1193
1194	memcpy( p, psk, psk_len );
1195	p += psk_len;
1196
1197	ssl->handshake->pmslen = p - ssl->handshake->premaster;
1198
1199	return( 0 );
1200	}
1201	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
1202
1203	#if defined(MBEDTLS_SSL_PROTO_SSL3)
1204	/*
1205	* SSLv3.0 MAC functions
1206	*/
1207	static void ssl_mac( mbedtls_md_context_t md_ctx, unsigned char secret,
1208	unsigned char *buf, size_t len,
1209	unsigned char *ctr, int type )
1210	{
1211	unsigned char header[11];
1212	unsigned char padding[48];
1213	int padlen;
1214	int md_size = mbedtls_md_get_size( md_ctx->md_info );
1215	int md_type = mbedtls_md_get_type( md_ctx->md_info );
1216
1217	/* Only MD5 and SHA-1 supported */
1218	if( md_type == MBEDTLS_MD_MD5 )
1219	padlen = 48;
1220	else
1221	padlen = 40;
1222
1223	memcpy( header, ctr, 8 );
1224	header[ 8] = (unsigned char) type;
1225	header[ 9] = (unsigned char)( len >> 8 );
1226	header[10] = (unsigned char)( len );
1227
1228	memset( padding, 0x36, padlen );
1229	mbedtls_md_starts( md_ctx );
1230	mbedtls_md_update( md_ctx, secret, md_size );
1231	mbedtls_md_update( md_ctx, padding, padlen );
1232	mbedtls_md_update( md_ctx, header, 11 );
1233	mbedtls_md_update( md_ctx, buf, len );
1234	mbedtls_md_finish( md_ctx, buf + len );
1235
1236	memset( padding, 0x5C, padlen );
1237	mbedtls_md_starts( md_ctx );
1238	mbedtls_md_update( md_ctx, secret, md_size );
1239	mbedtls_md_update( md_ctx, padding, padlen );
1240	mbedtls_md_update( md_ctx, buf + len, md_size );
1241	mbedtls_md_finish( md_ctx, buf + len );
1242	}
1243	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1244
1245	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER) \|\| \
1246	( defined(MBEDTLS_CIPHER_MODE_CBC) && \
1247	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) ) )
1248	#define SSL_SOME_MODES_USE_MAC
1249	#endif
1250
1251	/*
1252	* Encryption/decryption functions
1253	*/
1254	static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
1255	{
1256	mbedtls_cipher_mode_t mode;
1257	int auth_done = 0;
1258
1259	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
1260
1261	if( ssl->session_out == NULL \|\| ssl->transform_out == NULL )
1262	{
1263	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1264	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1265	}
1266
1267	mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
1268
1269	MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1270	ssl->out_msg, ssl->out_msglen );
1271
1272	/*
1273	* Add MAC before if needed
1274	*/
1275	#if defined(SSL_SOME_MODES_USE_MAC)
1276	if( mode == MBEDTLS_MODE_STREAM \|\|
1277	( mode == MBEDTLS_MODE_CBC
1278	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1279	&& ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
1280	#endif
1281	) )
1282	{
1283	#if defined(MBEDTLS_SSL_PROTO_SSL3)
1284	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1285	{
1286	ssl_mac( &ssl->transform_out->md_ctx_enc,
1287	ssl->transform_out->mac_enc,
1288	ssl->out_msg, ssl->out_msglen,
1289	ssl->out_ctr, ssl->out_msgtype );
1290	}
1291	else
1292	#endif
1293	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
1294	defined(MBEDTLS_SSL_PROTO_TLS1_2)
1295	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
1296	{
1297	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
1298	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
1299	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
1300	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
1301	ssl->out_msg, ssl->out_msglen );
1302	mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
1303	ssl->out_msg + ssl->out_msglen );
1304	mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1305	}
1306	else
1307	#endif
1308	{
1309	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1310	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1311	}
1312
1313	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
1314	ssl->out_msg + ssl->out_msglen,
1315	ssl->transform_out->maclen );
1316
1317	ssl->out_msglen += ssl->transform_out->maclen;
1318	auth_done++;
1319	}
1320	#endif /* AEAD not the only option */
1321
1322	/*
1323	* Encrypt
1324	*/
1325	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER)
1326	if( mode == MBEDTLS_MODE_STREAM )
1327	{
1328	int ret;
1329	size_t olen = 0;
1330
1331	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1332	"including %d bytes of padding",
1333	ssl->out_msglen, 0 ) );
1334
1335	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1336	ssl->transform_out->iv_enc,
1337	ssl->transform_out->ivlen,
1338	ssl->out_msg, ssl->out_msglen,
1339	ssl->out_msg, &olen ) ) != 0 )
1340	{
1341	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1342	return( ret );
1343	}
1344
1345	if( ssl->out_msglen != olen )
1346	{
1347	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1348	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1349	}
1350	}
1351	else
1352	#endif /* MBEDTLS_ARC4_C \|\| MBEDTLS_CIPHER_NULL_CIPHER */
1353	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CCM_C)
1354	if( mode == MBEDTLS_MODE_GCM \|\|
1355	mode == MBEDTLS_MODE_CCM )
1356	{
1357	int ret;
1358	size_t enc_msglen, olen;
1359	unsigned char *enc_msg;
1360	unsigned char add_data[13];
1361	unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
1362	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
1363
1364	memcpy( add_data, ssl->out_ctr, 8 );
1365	add_data[8] = ssl->out_msgtype;
1366	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
1367	ssl->conf->transport, add_data + 9 );
1368	add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1369	add_data[12] = ssl->out_msglen & 0xFF;
1370
1371	MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1372	add_data, 13 );
1373
1374	/*
1375	* Generate IV
1376	*/
1377	#if defined(MBEDTLS_SSL_AEAD_RANDOM_IV)
1378	ret = ssl->conf->f_rng( ssl->conf->p_rng,
1379	ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1380	ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1381	if( ret != 0 )
1382	return( ret );
1383
1384	memcpy( ssl->out_iv,
1385	ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1386	ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1387	#else
1388	if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
1389	{
1390	/* Reminder if we ever add an AEAD mode with a different size */
1391	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1392	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1393	}
1394
1395	memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1396	ssl->out_ctr, 8 );
1397	memcpy( ssl->out_iv, ssl->out_ctr, 8 );
1398	#endif
1399
1400	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1401	ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1402
1403	/*
1404	* Fix pointer positions and message length with added IV
1405	*/
1406	enc_msg = ssl->out_msg;
1407	enc_msglen = ssl->out_msglen;
1408	ssl->out_msglen += ssl->transform_out->ivlen -
1409	ssl->transform_out->fixed_ivlen;
1410
1411	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1412	"including %d bytes of padding",
1413	ssl->out_msglen, 0 ) );
1414
1415	/*
1416	* Encrypt and authenticate
1417	*/
1418	if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
1419	ssl->transform_out->iv_enc,
1420	ssl->transform_out->ivlen,
1421	add_data, 13,
1422	enc_msg, enc_msglen,
1423	enc_msg, &olen,
1424	enc_msg + enc_msglen, taglen ) ) != 0 )
1425	{
1426	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
1427	return( ret );
1428	}
1429
1430	if( olen != enc_msglen )
1431	{
1432	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1433	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1434	}
1435
1436	ssl->out_msglen += taglen;
1437	auth_done++;
1438
1439	MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
1440	}
1441	else
1442	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C */
1443	#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
1444	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) )
1445	if( mode == MBEDTLS_MODE_CBC )
1446	{
1447	int ret;
1448	unsigned char *enc_msg;
1449	size_t enc_msglen, padlen, olen = 0, i;
1450
1451	padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1452	ssl->transform_out->ivlen;
1453	if( padlen == ssl->transform_out->ivlen )
1454	padlen = 0;
1455
1456	for( i = 0; i <= padlen; i++ )
1457	ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1458
1459	ssl->out_msglen += padlen + 1;
1460
1461	enc_msglen = ssl->out_msglen;
1462	enc_msg = ssl->out_msg;
1463
1464	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
1465	/*
1466	* Prepend per-record IV for block cipher in TLS v1.1 and up as per
1467	* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1468	*/
1469	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1470	{
1471	/*
1472	* Generate IV
1473	*/
1474	ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
1475	ssl->transform_out->ivlen );
1476	if( ret != 0 )
1477	return( ret );
1478
1479	memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1480	ssl->transform_out->ivlen );
1481
1482	/*
1483	* Fix pointer positions and message length with added IV
1484	*/
1485	enc_msg = ssl->out_msg;
1486	enc_msglen = ssl->out_msglen;
1487	ssl->out_msglen += ssl->transform_out->ivlen;
1488	}
1489	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
1490
1491	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1492	"including %d bytes of IV and %d bytes of padding",
1493	ssl->out_msglen, ssl->transform_out->ivlen,
1494	padlen + 1 ) );
1495
1496	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1497	ssl->transform_out->iv_enc,
1498	ssl->transform_out->ivlen,
1499	enc_msg, enc_msglen,
1500	enc_msg, &olen ) ) != 0 )
1501	{
1502	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1503	return( ret );
1504	}
1505
1506	if( enc_msglen != olen )
1507	{
1508	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1509	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1510	}
1511
1512	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
1513	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
1514	{
1515	/*
1516	* Save IV in SSL3 and TLS1
1517	*/
1518	memcpy( ssl->transform_out->iv_enc,
1519	ssl->transform_out->cipher_ctx_enc.iv,
1520	ssl->transform_out->ivlen );
1521	}
1522	#endif
1523
1524	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1525	if( auth_done == 0 )
1526	{
1527	/*
1528	* MAC(MAC_write_key, seq_num +
1529	* TLSCipherText.type +
1530	* TLSCipherText.version +
1531	* length_of( (IV +) ENC(...) ) +
1532	* IV + // except for TLS 1.0
1533	* ENC(content + padding + padding_length));
1534	*/
1535	unsigned char pseudo_hdr[13];
1536
1537	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1538
1539	memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
1540	memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
1541	pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
1542	pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
1543
1544	MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
1545
1546	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
1547	mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
1548	ssl->out_iv, ssl->out_msglen );
1549	mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc,
1550	ssl->out_iv + ssl->out_msglen );
1551	mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1552
1553	ssl->out_msglen += ssl->transform_out->maclen;
1554	auth_done++;
1555	}
1556	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1557	}
1558	else
1559	#endif /* MBEDTLS_CIPHER_MODE_CBC &&
1560	( MBEDTLS_AES_C \|\| MBEDTLS_CAMELLIA_C ) */
1561	{
1562	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1563	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1564	}
1565
1566	/* Make extra sure authentication was performed, exactly once */
1567	if( auth_done != 1 )
1568	{
1569	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1570	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1571	}
1572
1573	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1574
1575	return( 0 );
1576	}
1577
1578	#define SSL_MAX_MAC_SIZE 48
1579
1580	static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
1581	{
1582	size_t i;
1583	mbedtls_cipher_mode_t mode;
1584	int auth_done = 0;
1585	#if defined(SSL_SOME_MODES_USE_MAC)
1586	size_t padlen = 0, correct = 1;
1587	#endif
1588
1589	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1590
1591	if( ssl->session_in == NULL \|\| ssl->transform_in == NULL )
1592	{
1593	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1594	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1595	}
1596
1597	mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
1598
1599	if( ssl->in_msglen < ssl->transform_in->minlen )
1600	{
1601	MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1602	ssl->in_msglen, ssl->transform_in->minlen ) );
1603	return( MBEDTLS_ERR_SSL_INVALID_MAC );
1604	}
1605
1606	#if defined(MBEDTLS_ARC4_C) \|\| defined(MBEDTLS_CIPHER_NULL_CIPHER)
1607	if( mode == MBEDTLS_MODE_STREAM )
1608	{
1609	int ret;
1610	size_t olen = 0;
1611
1612	padlen = 0;
1613
1614	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1615	ssl->transform_in->iv_dec,
1616	ssl->transform_in->ivlen,
1617	ssl->in_msg, ssl->in_msglen,
1618	ssl->in_msg, &olen ) ) != 0 )
1619	{
1620	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1621	return( ret );
1622	}
1623
1624	if( ssl->in_msglen != olen )
1625	{
1626	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1627	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1628	}
1629	}
1630	else
1631	#endif /* MBEDTLS_ARC4_C \|\| MBEDTLS_CIPHER_NULL_CIPHER */
1632	#if defined(MBEDTLS_GCM_C) \|\| defined(MBEDTLS_CCM_C)
1633	if( mode == MBEDTLS_MODE_GCM \|\|
1634	mode == MBEDTLS_MODE_CCM )
1635	{
1636	int ret;
1637	size_t dec_msglen, olen;
1638	unsigned char *dec_msg;
1639	unsigned char *dec_msg_result;
1640	unsigned char add_data[13];
1641	unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
1642	MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
1643	size_t explicit_iv_len = ssl->transform_in->ivlen -
1644	ssl->transform_in->fixed_ivlen;
1645
1646	if( ssl->in_msglen < explicit_iv_len + taglen )
1647	{
1648	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1649	"+ taglen (%d)", ssl->in_msglen,
1650	explicit_iv_len, taglen ) );
1651	return( MBEDTLS_ERR_SSL_INVALID_MAC );
1652	}
1653	dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
1654
1655	dec_msg = ssl->in_msg;
1656	dec_msg_result = ssl->in_msg;
1657	ssl->in_msglen = dec_msglen;
1658
1659	memcpy( add_data, ssl->in_ctr, 8 );
1660	add_data[8] = ssl->in_msgtype;
1661	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
1662	ssl->conf->transport, add_data + 9 );
1663	add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1664	add_data[12] = ssl->in_msglen & 0xFF;
1665
1666	MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1667	add_data, 13 );
1668
1669	memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1670	ssl->in_iv,
1671	ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1672
1673	MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1674	ssl->transform_in->ivlen );
1675	MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
1676
1677	/*
1678	* Decrypt and authenticate
1679	*/
1680	if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
1681	ssl->transform_in->iv_dec,
1682	ssl->transform_in->ivlen,
1683	add_data, 13,
1684	dec_msg, dec_msglen,
1685	dec_msg_result, &olen,
1686	dec_msg + dec_msglen, taglen ) ) != 0 )
1687	{
1688	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
1689
1690	if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1691	return( MBEDTLS_ERR_SSL_INVALID_MAC );
1692
1693	return( ret );
1694	}
1695	auth_done++;
1696
1697	if( olen != dec_msglen )
1698	{
1699	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1700	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1701	}
1702	}
1703	else
1704	#endif /* MBEDTLS_GCM_C \|\| MBEDTLS_CCM_C */
1705	#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
1706	( defined(MBEDTLS_AES_C) \|\| defined(MBEDTLS_CAMELLIA_C) )
1707	if( mode == MBEDTLS_MODE_CBC )
1708	{
1709	/*
1710	* Decrypt and check the padding
1711	*/
1712	int ret;
1713	unsigned char *dec_msg;
1714	unsigned char *dec_msg_result;
1715	size_t dec_msglen;
1716	size_t minlen = 0;
1717	size_t olen = 0;
1718
1719	/*
1720	* Check immediate ciphertext sanity
1721	*/
1722	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
1723	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1724	minlen += ssl->transform_in->ivlen;
1725	#endif
1726
1727	if( ssl->in_msglen < minlen + ssl->transform_in->ivlen \|\|
1728	ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1729	{
1730	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1731	"+ 1 ) ( + expl IV )", ssl->in_msglen,
1732	ssl->transform_in->ivlen,
1733	ssl->transform_in->maclen ) );
1734	return( MBEDTLS_ERR_SSL_INVALID_MAC );
1735	}
1736
1737	dec_msglen = ssl->in_msglen;
1738	dec_msg = ssl->in_msg;
1739	dec_msg_result = ssl->in_msg;
1740
1741	/*
1742	* Authenticate before decrypt if enabled
1743	*/
1744	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1745	if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
1746	{
1747	unsigned char computed_mac[SSL_MAX_MAC_SIZE];
1748	unsigned char pseudo_hdr[13];
1749
1750	MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1751
1752	dec_msglen -= ssl->transform_in->maclen;
1753	ssl->in_msglen -= ssl->transform_in->maclen;
1754
1755	memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
1756	memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
1757	pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
1758	pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
1759
1760	MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
1761
1762	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
1763	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
1764	ssl->in_iv, ssl->in_msglen );
1765	mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
1766	mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
1767
1768	MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
1769	ssl->transform_in->maclen );
1770	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
1771	ssl->transform_in->maclen );
1772
1773	if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
1774	ssl->transform_in->maclen ) != 0 )
1775	{
1776	MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1777
1778	return( MBEDTLS_ERR_SSL_INVALID_MAC );
1779	}
1780	auth_done++;
1781	}
1782	#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1783
1784	/*
1785	* Check length sanity
1786	*/
1787	if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1788	{
1789	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1790	ssl->in_msglen, ssl->transform_in->ivlen ) );
1791	return( MBEDTLS_ERR_SSL_INVALID_MAC );
1792	}
1793
1794	#if defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_2)
1795	/*
1796	* Initialize for prepended IV for block cipher in TLS v1.1 and up
1797	*/
1798	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1799	{
1800	dec_msglen -= ssl->transform_in->ivlen;
1801	ssl->in_msglen -= ssl->transform_in->ivlen;
1802
1803	for( i = 0; i < ssl->transform_in->ivlen; i++ )
1804	ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1805	}
1806	#endif /* MBEDTLS_SSL_PROTO_TLS1_1 \|\| MBEDTLS_SSL_PROTO_TLS1_2 */
1807
1808	if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1809	ssl->transform_in->iv_dec,
1810	ssl->transform_in->ivlen,
1811	dec_msg, dec_msglen,
1812	dec_msg_result, &olen ) ) != 0 )
1813	{
1814	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1815	return( ret );
1816	}
1817
1818	if( dec_msglen != olen )
1819	{
1820	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1821	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1822	}
1823
1824	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1)
1825	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
1826	{
1827	/*
1828	* Save IV in SSL3 and TLS1
1829	*/
1830	memcpy( ssl->transform_in->iv_dec,
1831	ssl->transform_in->cipher_ctx_dec.iv,
1832	ssl->transform_in->ivlen );
1833	}
1834	#endif
1835
1836	padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1837
1838	if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
1839	auth_done == 0 )
1840	{
1841	#if defined(MBEDTLS_SSL_DEBUG_ALL)
1842	MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1843	ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1844	#endif
1845	padlen = 0;
1846	correct = 0;
1847	}
1848
1849	#if defined(MBEDTLS_SSL_PROTO_SSL3)
1850	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1851	{
1852	if( padlen > ssl->transform_in->ivlen )
1853	{
1854	#if defined(MBEDTLS_SSL_DEBUG_ALL)
1855	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1856	"should be no more than %d",
1857	padlen, ssl->transform_in->ivlen ) );
1858	#endif
1859	correct = 0;
1860	}
1861	}
1862	else
1863	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1864	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
1865	defined(MBEDTLS_SSL_PROTO_TLS1_2)
1866	if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
1867	{
1868	/*
1869	* TLSv1+: always check the padding up to the first failure
1870	* and fake check up to 256 bytes of padding
1871	*/
1872	size_t pad_count = 0, real_count = 1;
1873	size_t padding_idx = ssl->in_msglen - padlen - 1;
1874
1875	/*
1876	* Padding is guaranteed to be incorrect if:
1877	* 1. padlen >= ssl->in_msglen
1878	*
1879	* 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
1880	* ssl->transform_in->maclen
1881	*
1882	* In both cases we reset padding_idx to a safe value (0) to
1883	* prevent out-of-buffer reads.
1884	*/
1885	correct &= ( ssl->in_msglen >= padlen + 1 );
1886	correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN +
1887	ssl->transform_in->maclen );
1888
1889	padding_idx *= correct;
1890
1891	for( i = 1; i <= 256; i++ )
1892	{
1893	real_count &= ( i <= padlen );
1894	pad_count += real_count *
1895	( ssl->in_msg[padding_idx + i] == padlen - 1 );
1896	}
1897
1898	correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1899
1900	#if defined(MBEDTLS_SSL_DEBUG_ALL)
1901	if( padlen > 0 && correct == 0 )
1902	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1903	#endif
1904	padlen &= correct * 0x1FF;
1905	}
1906	else
1907	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
1908	MBEDTLS_SSL_PROTO_TLS1_2 */
1909	{
1910	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1911	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1912	}
1913
1914	ssl->in_msglen -= padlen;
1915	}
1916	else
1917	#endif /* MBEDTLS_CIPHER_MODE_CBC &&
1918	( MBEDTLS_AES_C \|\| MBEDTLS_CAMELLIA_C ) */
1919	{
1920	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1921	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1922	}
1923
1924	MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1925	ssl->in_msg, ssl->in_msglen );
1926
1927	/*
1928	* Authenticate if not done yet.
1929	* Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
1930	*/
1931	#if defined(SSL_SOME_MODES_USE_MAC)
1932	if( auth_done == 0 )
1933	{
1934	unsigned char tmp[SSL_MAX_MAC_SIZE];
1935
1936	ssl->in_msglen -= ssl->transform_in->maclen;
1937
1938	ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
1939	ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
1940
1941	memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1942
1943	#if defined(MBEDTLS_SSL_PROTO_SSL3)
1944	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1945	{
1946	ssl_mac( &ssl->transform_in->md_ctx_dec,
1947	ssl->transform_in->mac_dec,
1948	ssl->in_msg, ssl->in_msglen,
1949	ssl->in_ctr, ssl->in_msgtype );
1950	}
1951	else
1952	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1953	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
1954	defined(MBEDTLS_SSL_PROTO_TLS1_2)
1955	if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
1956	{
1957	/*
1958	* Process MAC and always update for padlen afterwards to make
1959	* total time independent of padlen
1960	*
1961	* extra_run compensates MAC check for padlen
1962	*
1963	* Known timing attacks:
1964	* - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1965	*
1966	* We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1967	* correctly. (We round down instead of up, so -56 is the correct
1968	* value for our calculations instead of -55)
1969	*/
1970	size_t j, extra_run = 0;
1971	extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1972	( 13 + ssl->in_msglen + 8 ) / 64;
1973
1974	extra_run &= correct * 0xFF;
1975
1976	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
1977	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
1978	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
1979	mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
1980	ssl->in_msglen );
1981	mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec,
1982	ssl->in_msg + ssl->in_msglen );
1983	/* Call mbedtls_md_process at least once due to cache attacks */
1984	for( j = 0; j < extra_run + 1; j++ )
1985	mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1986
1987	mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
1988	}
1989	else
1990	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
1991	MBEDTLS_SSL_PROTO_TLS1_2 */
1992	{
1993	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1994	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1995	}
1996
1997	MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1998	MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1999	ssl->transform_in->maclen );
2000
2001	if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
2002	ssl->transform_in->maclen ) != 0 )
2003	{
2004	#if defined(MBEDTLS_SSL_DEBUG_ALL)
2005	MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
2006	#endif
2007	correct = 0;
2008	}
2009	auth_done++;
2010
2011	/*
2012	* Finally check the correct flag
2013	*/
2014	if( correct == 0 )
2015	return( MBEDTLS_ERR_SSL_INVALID_MAC );
2016	}
2017	#endif /* SSL_SOME_MODES_USE_MAC */
2018
2019	/* Make extra sure authentication was performed, exactly once */
2020	if( auth_done != 1 )
2021	{
2022	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2023	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2024	}
2025
2026	if( ssl->in_msglen == 0 )
2027	{
2028	ssl->nb_zero++;
2029
2030	/*
2031	* Three or more empty messages may be a DoS attack
2032	* (excessive CPU consumption).
2033	*/
2034	if( ssl->nb_zero > 3 )
2035	{
2036	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
2037	"messages, possible DoS attack" ) );
2038	return( MBEDTLS_ERR_SSL_INVALID_MAC );
2039	}
2040	}
2041	else
2042	ssl->nb_zero = 0;
2043
2044	#if defined(MBEDTLS_SSL_PROTO_DTLS)
2045	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2046	{
2047	; /* in_ctr read from peer, not maintained internally */
2048	}
2049	else
2050	#endif
2051	{
2052	for( i = 8; i > ssl_ep_len( ssl ); i-- )
2053	if( ++ssl->in_ctr[i - 1] != 0 )
2054	break;
2055
2056	/* The loop goes to its end iff the counter is wrapping */
2057	if( i == ssl_ep_len( ssl ) )
2058	{
2059	MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
2060	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2061	}
2062	}
2063
2064	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
2065
2066	return( 0 );
2067	}
2068
2069	#undef MAC_NONE
2070	#undef MAC_PLAINTEXT
2071	#undef MAC_CIPHERTEXT
2072
2073	#if defined(MBEDTLS_ZLIB_SUPPORT)
2074	/*
2075	* Compression/decompression functions
2076	*/
2077	static int ssl_compress_buf( mbedtls_ssl_context *ssl )
2078	{
2079	int ret;
2080	unsigned char *msg_post = ssl->out_msg;
2081	size_t len_pre = ssl->out_msglen;
2082	unsigned char *msg_pre = ssl->compress_buf;
2083
2084	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
2085
2086	if( len_pre == 0 )
2087	return( 0 );
2088
2089	memcpy( msg_pre, ssl->out_msg, len_pre );
2090
2091	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
2092	ssl->out_msglen ) );
2093
2094	MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
2095	ssl->out_msg, ssl->out_msglen );
2096
2097	ssl->transform_out->ctx_deflate.next_in = msg_pre;
2098	ssl->transform_out->ctx_deflate.avail_in = len_pre;
2099	ssl->transform_out->ctx_deflate.next_out = msg_post;
2100	ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN;
2101
2102	ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
2103	if( ret != Z_OK )
2104	{
2105	MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
2106	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
2107	}
2108
2109	ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
2110	ssl->transform_out->ctx_deflate.avail_out;
2111
2112	MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
2113	ssl->out_msglen ) );
2114
2115	MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
2116	ssl->out_msg, ssl->out_msglen );
2117
2118	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
2119
2120	return( 0 );
2121	}
2122
2123	static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
2124	{
2125	int ret;
2126	unsigned char *msg_post = ssl->in_msg;
2127	size_t len_pre = ssl->in_msglen;
2128	unsigned char *msg_pre = ssl->compress_buf;
2129
2130	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
2131
2132	if( len_pre == 0 )
2133	return( 0 );
2134
2135	memcpy( msg_pre, ssl->in_msg, len_pre );
2136
2137	MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
2138	ssl->in_msglen ) );
2139
2140	MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
2141	ssl->in_msg, ssl->in_msglen );
2142
2143	ssl->transform_in->ctx_inflate.next_in = msg_pre;
2144	ssl->transform_in->ctx_inflate.avail_in = len_pre;
2145	ssl->transform_in->ctx_inflate.next_out = msg_post;
2146	ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN;
2147
2148	ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
2149	if( ret != Z_OK )
2150	{
2151	MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
2152	return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
2153	}
2154
2155	ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN -
2156	ssl->transform_in->ctx_inflate.avail_out;
2157
2158	MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
2159	ssl->in_msglen ) );
2160
2161	MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
2162	ssl->in_msg, ssl->in_msglen );
2163
2164	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
2165
2166	return( 0 );
2167	}
2168	#endif /* MBEDTLS_ZLIB_SUPPORT */
2169
2170	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2171	static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
2172
2173	#if defined(MBEDTLS_SSL_PROTO_DTLS)
2174	static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
2175	{
2176	/* If renegotiation is not enforced, retransmit until we would reach max
2177	* timeout if we were using the usual handshake doubling scheme */
2178	if( ssl->conf->renego_max_records < 0 )
2179	{
2180	uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
2181	unsigned char doublings = 1;
2182
2183	while( ratio != 0 )
2184	{
2185	++doublings;
2186	ratio >>= 1;
2187	}
2188
2189	if( ++ssl->renego_records_seen > doublings )
2190	{
2191	MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
2192	return( 0 );
2193	}
2194	}
2195
2196	return( ssl_write_hello_request( ssl ) );
2197	}
2198	#endif
2199	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
2200
2201	/*
2202	* Fill the input message buffer by appending data to it.
2203	* The amount of data already fetched is in ssl->in_left.
2204	*
2205	* If we return 0, is it guaranteed that (at least) nb_want bytes are
2206	* available (from this read and/or a previous one). Otherwise, an error code
2207	* is returned (possibly EOF or WANT_READ).
2208	*
2209	* With stream transport (TLS) on success ssl->in_left == nb_want, but
2210	* with datagram transport (DTLS) on success ssl->in_left >= nb_want,
2211	* since we always read a whole datagram at once.
2212	*
2213	* For DTLS, it is up to the caller to set ssl->next_record_offset when
2214	* they're done reading a record.
2215	*/
2216	int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
2217	{
2218	int ret;
2219	size_t len;
2220
2221	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
2222
2223	if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
2224	{
2225	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
2226	"or mbedtls_ssl_set_bio()" ) );
2227	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2228	}
2229
2230	if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
2231	{
2232	MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2233	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2234	}
2235
2236	#if defined(MBEDTLS_SSL_PROTO_DTLS)
2237	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2238	{
2239	uint32_t timeout;
2240
2241	/* Just to be sure */
2242	if( ssl->f_set_timer == NULL \|\| ssl->f_get_timer == NULL )
2243	{
2244	MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
2245	"mbedtls_ssl_set_timer_cb() for DTLS" ) );
2246	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2247	}
2248
2249	/*
2250	* The point is, we need to always read a full datagram at once, so we
2251	* sometimes read more then requested, and handle the additional data.
2252	* It could be the rest of the current record (while fetching the
2253	* header) and/or some other records in the same datagram.
2254	*/
2255
2256	/*
2257	* Move to the next record in the already read datagram if applicable
2258	*/
2259	if( ssl->next_record_offset != 0 )
2260	{
2261	if( ssl->in_left < ssl->next_record_offset )
2262	{
2263	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2264	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2265	}
2266
2267	ssl->in_left -= ssl->next_record_offset;
2268
2269	if( ssl->in_left != 0 )
2270	{
2271	MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
2272	ssl->next_record_offset ) );
2273	memmove( ssl->in_hdr,
2274	ssl->in_hdr + ssl->next_record_offset,
2275	ssl->in_left );
2276	}
2277
2278	ssl->next_record_offset = 0;
2279	}
2280
2281	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2282	ssl->in_left, nb_want ) );
2283
2284	/*
2285	* Done if we already have enough data.
2286	*/
2287	if( nb_want <= ssl->in_left)
2288	{
2289	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2290	return( 0 );
2291	}
2292
2293	/*
2294	* A record can't be split accross datagrams. If we need to read but
2295	* are not at the beginning of a new record, the caller did something
2296	* wrong.
2297	*/
2298	if( ssl->in_left != 0 )
2299	{
2300	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2301	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2302	}
2303
2304	/*
2305	* Don't even try to read if time's out already.
2306	* This avoids by-passing the timer when repeatedly receiving messages
2307	* that will end up being dropped.
2308	*/
2309	if( ssl_check_timer( ssl ) != 0 )
2310	ret = MBEDTLS_ERR_SSL_TIMEOUT;
2311	else
2312	{
2313	len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
2314
2315	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
2316	timeout = ssl->handshake->retransmit_timeout;
2317	else
2318	timeout = ssl->conf->read_timeout;
2319
2320	MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
2321
2322	if( ssl->f_recv_timeout != NULL )
2323	ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
2324	timeout );
2325	else
2326	ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
2327
2328	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
2329
2330	if( ret == 0 )
2331	return( MBEDTLS_ERR_SSL_CONN_EOF );
2332	}
2333
2334	if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
2335	{
2336	MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
2337	ssl_set_timer( ssl, 0 );
2338
2339	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
2340	{
2341	if( ssl_double_retransmit_timeout( ssl ) != 0 )
2342	{
2343	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
2344	return( MBEDTLS_ERR_SSL_TIMEOUT );
2345	}
2346
2347	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
2348	{
2349	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
2350	return( ret );
2351	}
2352
2353	return( MBEDTLS_ERR_SSL_WANT_READ );
2354	}
2355	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2356	else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
2357	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
2358	{
2359	if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
2360	{
2361	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
2362	return( ret );
2363	}
2364
2365	return( MBEDTLS_ERR_SSL_WANT_READ );
2366	}
2367	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
2368	}
2369
2370	if( ret < 0 )
2371	return( ret );
2372
2373	ssl->in_left = ret;
2374	}
2375	else
2376	#endif
2377	{
2378	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2379	ssl->in_left, nb_want ) );
2380
2381	while( ssl->in_left < nb_want )
2382	{
2383	len = nb_want - ssl->in_left;
2384
2385	if( ssl_check_timer( ssl ) != 0 )
2386	ret = MBEDTLS_ERR_SSL_TIMEOUT;
2387	else
2388	{
2389	if( ssl->f_recv_timeout != NULL )
2390	{
2391	ret = ssl->f_recv_timeout( ssl->p_bio,
2392	ssl->in_hdr + ssl->in_left, len,
2393	ssl->conf->read_timeout );
2394	}
2395	else
2396	{
2397	ret = ssl->f_recv( ssl->p_bio,
2398	ssl->in_hdr + ssl->in_left, len );
2399	}
2400	}
2401
2402	MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2403	ssl->in_left, nb_want ) );
2404	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
2405
2406	if( ret == 0 )
2407	return( MBEDTLS_ERR_SSL_CONN_EOF );
2408
2409	if( ret < 0 )
2410	return( ret );
2411
2412	ssl->in_left += ret;
2413	}
2414	}
2415
2416	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2417
2418	return( 0 );
2419	}
2420
2421	/*
2422	* Flush any data not yet written
2423	*/
2424	int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
2425	{
2426	int ret;
2427	unsigned char *buf, i;
2428
2429	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
2430
2431	if( ssl->f_send == NULL )
2432	{
2433	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
2434	"or mbedtls_ssl_set_bio()" ) );
2435	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2436	}
2437
2438	/* Avoid incrementing counter if data is flushed */
2439	if( ssl->out_left == 0 )
2440	{
2441	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2442	return( 0 );
2443	}
2444
2445	while( ssl->out_left > 0 )
2446	{
2447	MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
2448	mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
2449
2450	buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) +
2451	ssl->out_msglen - ssl->out_left;
2452	ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
2453
2454	MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
2455
2456	if( ret <= 0 )
2457	return( ret );
2458
2459	ssl->out_left -= ret;
2460	}
2461
2462	for( i = 8; i > ssl_ep_len( ssl ); i-- )
2463	if( ++ssl->out_ctr[i - 1] != 0 )
2464	break;
2465
2466	/* The loop goes to its end iff the counter is wrapping */
2467	if( i == ssl_ep_len( ssl ) )
2468	{
2469	MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2470	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2471	}
2472
2473	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2474
2475	return( 0 );
2476	}
2477
2478	/*
2479	* Functions to handle the DTLS retransmission state machine
2480	*/
2481	#if defined(MBEDTLS_SSL_PROTO_DTLS)
2482	/*
2483	* Append current handshake message to current outgoing flight
2484	*/
2485	static int ssl_flight_append( mbedtls_ssl_context *ssl )
2486	{
2487	mbedtls_ssl_flight_item *msg;
2488
2489	/* Allocate space for current message */
2490	if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
2491	{
2492	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
2493	sizeof( mbedtls_ssl_flight_item ) ) );
2494	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2495	}
2496
2497	if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
2498	{
2499	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
2500	mbedtls_free( msg );
2501	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2502	}
2503
2504	/* Copy current handshake message with headers */
2505	memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2506	msg->len = ssl->out_msglen;
2507	msg->type = ssl->out_msgtype;
2508	msg->next = NULL;
2509
2510	/* Append to the current flight */
2511	if( ssl->handshake->flight == NULL )
2512	ssl->handshake->flight = msg;
2513	else
2514	{
2515	mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
2516	while( cur->next != NULL )
2517	cur = cur->next;
2518	cur->next = msg;
2519	}
2520
2521	return( 0 );
2522	}
2523
2524	/*
2525	* Free the current flight of handshake messages
2526	*/
2527	static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
2528	{
2529	mbedtls_ssl_flight_item *cur = flight;
2530	mbedtls_ssl_flight_item *next;
2531
2532	while( cur != NULL )
2533	{
2534	next = cur->next;
2535
2536	mbedtls_free( cur->p );
2537	mbedtls_free( cur );
2538
2539	cur = next;
2540	}
2541	}
2542
2543	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
2544	static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
2545	#endif
2546
2547	/*
2548	* Swap transform_out and out_ctr with the alternative ones
2549	*/
2550	static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
2551	{
2552	mbedtls_ssl_transform *tmp_transform;
2553	unsigned char tmp_out_ctr[8];
2554
2555	if( ssl->transform_out == ssl->handshake->alt_transform_out )
2556	{
2557	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
2558	return;
2559	}
2560
2561	MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
2562
2563	/* Swap transforms */
2564	tmp_transform = ssl->transform_out;
2565	ssl->transform_out = ssl->handshake->alt_transform_out;
2566	ssl->handshake->alt_transform_out = tmp_transform;
2567
2568	/* Swap epoch + sequence_number */
2569	memcpy( tmp_out_ctr, ssl->out_ctr, 8 );
2570	memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 );
2571	memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
2572
2573	/* Adjust to the newly activated transform */
2574	if( ssl->transform_out != NULL &&
2575	ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
2576	{
2577	ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen -
2578	ssl->transform_out->fixed_ivlen;
2579	}
2580	else
2581	ssl->out_msg = ssl->out_iv;
2582
2583	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2584	if( mbedtls_ssl_hw_record_activate != NULL )
2585	{
2586	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
2587	{
2588	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
2589	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2590	}
2591	}
2592	#endif
2593	}
2594
2595	/*
2596	* Retransmit the current flight of messages.
2597	*
2598	* Need to remember the current message in case flush_output returns
2599	* WANT_WRITE, causing us to exit this function and come back later.
2600	* This function must be called until state is no longer SENDING.
2601	*/
2602	int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2603	{
2604	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2605
2606	if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
2607	{
2608	MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) );
2609
2610	ssl->handshake->cur_msg = ssl->handshake->flight;
2611	ssl_swap_epochs( ssl );
2612
2613	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
2614	}
2615
2616	while( ssl->handshake->cur_msg != NULL )
2617	{
2618	int ret;
2619	mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg;
2620
2621	/* Swap epochs before sending Finished: we can't do it after
2622	* sending ChangeCipherSpec, in case write returns WANT_READ.
2623	* Must be done before copying, may change out_msg pointer */
2624	if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2625	cur->p[0] == MBEDTLS_SSL_HS_FINISHED )
2626	{
2627	ssl_swap_epochs( ssl );
2628	}
2629
2630	memcpy( ssl->out_msg, cur->p, cur->len );
2631	ssl->out_msglen = cur->len;
2632	ssl->out_msgtype = cur->type;
2633
2634	ssl->handshake->cur_msg = cur->next;
2635
2636	MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 );
2637
2638	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
2639	{
2640	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2641	return( ret );
2642	}
2643	}
2644
2645	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
2646	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2647	else
2648	{
2649	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2650	ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2651	}
2652
2653	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2654
2655	return( 0 );
2656	}
2657
2658	/*
2659	* To be called when the last message of an incoming flight is received.
2660	*/
2661	void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
2662	{
2663	/* We won't need to resend that one any more */
2664	ssl_flight_free( ssl->handshake->flight );
2665	ssl->handshake->flight = NULL;
2666	ssl->handshake->cur_msg = NULL;
2667
2668	/* The next incoming flight will start with this msg_seq */
2669	ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2670
2671	/* Cancel timer */
2672	ssl_set_timer( ssl, 0 );
2673
2674	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2675	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2676	{
2677	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2678	}
2679	else
2680	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
2681	}
2682
2683	/*
2684	* To be called when the last message of an outgoing flight is send.
2685	*/
2686	void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
2687	{
2688	ssl_reset_retransmit_timeout( ssl );
2689	ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2690
2691	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2692	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2693	{
2694	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2695	}
2696	else
2697	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2698	}
2699	#endif /* MBEDTLS_SSL_PROTO_DTLS */
2700
2701	/*
2702	* Record layer functions
2703	*/
2704
2705	/*
2706	* Write current record.
2707	* Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg.
2708	*/
2709	int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
2710	{
2711	int ret, done = 0;
2712	size_t len = ssl->out_msglen;
2713
2714	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
2715
2716	#if defined(MBEDTLS_SSL_PROTO_DTLS)
2717	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2718	ssl->handshake != NULL &&
2719	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
2720	{
2721	; /* Skip special handshake treatment when resending */
2722	}
2723	else
2724	#endif
2725	if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
2726	{
2727	if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST &&
2728	ssl->handshake == NULL )
2729	{
2730	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2731	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2732	}
2733
2734	ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
2735	ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
2736	ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
2737
2738	/*
2739	* DTLS has additional fields in the Handshake layer,
2740	* between the length field and the actual payload:
2741	* uint16 message_seq;
2742	* uint24 fragment_offset;
2743	* uint24 fragment_length;
2744	*/
2745	#if defined(MBEDTLS_SSL_PROTO_DTLS)
2746	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2747	{
2748	/* Make room for the additional DTLS fields */
2749	memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
2750	ssl->out_msglen += 8;
2751	len += 8;
2752
2753	/* Write message_seq and update it, except for HelloRequest */
2754	if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST )
2755	{
2756	ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
2757	ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
2758	++( ssl->handshake->out_msg_seq );
2759	}
2760	else
2761	{
2762	ssl->out_msg[4] = 0;
2763	ssl->out_msg[5] = 0;
2764	}
2765
2766	/* We don't fragment, so frag_offset = 0 and frag_len = len */
2767	memset( ssl->out_msg + 6, 0x00, 3 );
2768	memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
2769	}
2770	#endif /* MBEDTLS_SSL_PROTO_DTLS */
2771
2772	if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST )
2773	ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
2774	}
2775
2776	/* Save handshake and CCS messages for resending */
2777	#if defined(MBEDTLS_SSL_PROTO_DTLS)
2778	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2779	ssl->handshake != NULL &&
2780	ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING &&
2781	( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC \|\|
2782	ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) )
2783	{
2784	if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2785	{
2786	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
2787	return( ret );
2788	}
2789	}
2790	#endif
2791
2792	#if defined(MBEDTLS_ZLIB_SUPPORT)
2793	if( ssl->transform_out != NULL &&
2794	ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
2795	{
2796	if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2797	{
2798	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
2799	return( ret );
2800	}
2801
2802	len = ssl->out_msglen;
2803	}
2804	#endif /MBEDTLS_ZLIB_SUPPORT /
2805
2806	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2807	if( mbedtls_ssl_hw_record_write != NULL )
2808	{
2809	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
2810
2811	ret = mbedtls_ssl_hw_record_write( ssl );
2812	if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2813	{
2814	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
2815	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2816	}
2817
2818	if( ret == 0 )
2819	done = 1;
2820	}
2821	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
2822	if( !done )
2823	{
2824	ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2825	mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2826	ssl->conf->transport, ssl->out_hdr + 1 );
2827
2828	ssl->out_len[0] = (unsigned char)( len >> 8 );
2829	ssl->out_len[1] = (unsigned char)( len );
2830
2831	if( ssl->transform_out != NULL )
2832	{
2833	if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
2834	{
2835	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2836	return( ret );
2837	}
2838
2839	len = ssl->out_msglen;
2840	ssl->out_len[0] = (unsigned char)( len >> 8 );
2841	ssl->out_len[1] = (unsigned char)( len );
2842	}
2843
2844	ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen;
2845
2846	MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2847	"version = [%d:%d], msglen = %d",
2848	ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
2849	( ssl->out_len[0] << 8 ) \| ssl->out_len[1] ) );
2850
2851	MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
2852	ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen );
2853	}
2854
2855	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2856	{
2857	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
2858	return( ret );
2859	}
2860
2861	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2862
2863	return( 0 );
2864	}
2865
2866	#if defined(MBEDTLS_SSL_PROTO_DTLS)
2867	/*
2868	* Mark bits in bitmask (used for DTLS HS reassembly)
2869	*/
2870	static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
2871	{
2872	unsigned int start_bits, end_bits;
2873
2874	start_bits = 8 - ( offset % 8 );
2875	if( start_bits != 8 )
2876	{
2877	size_t first_byte_idx = offset / 8;
2878
2879	/* Special case */
2880	if( len <= start_bits )
2881	{
2882	for( ; len != 0; len-- )
2883	mask[first_byte_idx] \|= 1 << ( start_bits - len );
2884
2885	/* Avoid potential issues with offset or len becoming invalid */
2886	return;
2887	}
2888
2889	offset += start_bits; /* Now offset % 8 == 0 */
2890	len -= start_bits;
2891
2892	for( ; start_bits != 0; start_bits-- )
2893	mask[first_byte_idx] \|= 1 << ( start_bits - 1 );
2894	}
2895
2896	end_bits = len % 8;
2897	if( end_bits != 0 )
2898	{
2899	size_t last_byte_idx = ( offset + len ) / 8;
2900
2901	len -= end_bits; /* Now len % 8 == 0 */
2902
2903	for( ; end_bits != 0; end_bits-- )
2904	mask[last_byte_idx] \|= 1 << ( 8 - end_bits );
2905	}
2906
2907	memset( mask + offset / 8, 0xFF, len / 8 );
2908	}
2909
2910	/*
2911	* Check that bitmask is full
2912	*/
2913	static int ssl_bitmask_check( unsigned char *mask, size_t len )
2914	{
2915	size_t i;
2916
2917	for( i = 0; i < len / 8; i++ )
2918	if( mask[i] != 0xFF )
2919	return( -1 );
2920
2921	for( i = 0; i < len % 8; i++ )
2922	if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
2923	return( -1 );
2924
2925	return( 0 );
2926	}
2927
2928	/*
2929	* Reassemble fragmented DTLS handshake messages.
2930	*
2931	* Use a temporary buffer for reassembly, divided in two parts:
2932	* - the first holds the reassembled message (including handshake header),
2933	* - the second holds a bitmask indicating which parts of the message
2934	* (excluding headers) have been received so far.
2935	*/
2936	static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
2937	{
2938	unsigned char msg, bitmask;
2939	size_t frag_len, frag_off;
2940	size_t msg_len = ssl->in_hslen - 12; /* Without headers */
2941
2942	if( ssl->handshake == NULL )
2943	{
2944	MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) );
2945	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2946	}
2947
2948	/*
2949	* For first fragment, check size and allocate buffer
2950	*/
2951	if( ssl->handshake->hs_msg == NULL )
2952	{
2953	size_t alloc_len;
2954
2955	MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
2956	msg_len ) );
2957
2958	if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
2959	{
2960	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
2961	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2962	}
2963
2964	/* The bitmask needs one bit per byte of message excluding header */
2965	alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 );
2966
2967	ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len );
2968	if( ssl->handshake->hs_msg == NULL )
2969	{
2970	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) );
2971	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2972	}
2973
2974	/* Prepare final header: copy msg_type, length and message_seq,
2975	* then add standardised fragment_offset and fragment_length */
2976	memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 );
2977	memset( ssl->handshake->hs_msg + 6, 0, 3 );
2978	memcpy( ssl->handshake->hs_msg + 9,
2979	ssl->handshake->hs_msg + 1, 3 );
2980	}
2981	else
2982	{
2983	/* Make sure msg_type and length are consistent */
2984	if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 )
2985	{
2986	MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) );
2987	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2988	}
2989	}
2990
2991	msg = ssl->handshake->hs_msg + 12;
2992	bitmask = msg + msg_len;
2993
2994	/*
2995	* Check and copy current fragment
2996	*/
2997	frag_off = ( ssl->in_msg[6] << 16 ) \|
2998	( ssl->in_msg[7] << 8 ) \|
2999	ssl->in_msg[8];
3000	frag_len = ( ssl->in_msg[9] << 16 ) \|
3001	( ssl->in_msg[10] << 8 ) \|
3002	ssl->in_msg[11];
3003
3004	if( frag_off + frag_len > msg_len )
3005	{
3006	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d",
3007	frag_off, frag_len, msg_len ) );
3008	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3009	}
3010
3011	if( frag_len + 12 > ssl->in_msglen )
3012	{
3013	MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d",
3014	frag_len, ssl->in_msglen ) );
3015	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3016	}
3017
3018	MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
3019	frag_off, frag_len ) );
3020
3021	memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
3022	ssl_bitmask_set( bitmask, frag_off, frag_len );
3023
3024	/*
3025	* Do we have the complete message by now?
3026	* If yes, finalize it, else ask to read the next record.
3027	*/
3028	if( ssl_bitmask_check( bitmask, msg_len ) != 0 )
3029	{
3030	MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) );
3031	return( MBEDTLS_ERR_SSL_WANT_READ );
3032	}
3033
3034	MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) );
3035
3036	if( frag_len + 12 < ssl->in_msglen )
3037	{
3038	/*
3039	* We'got more handshake messages in the same record.
3040	* This case is not handled now because no know implementation does
3041	* that and it's hard to test, so we prefer to fail cleanly for now.
3042	*/
3043	MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) );
3044	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3045	}
3046
3047	if( ssl->in_left > ssl->next_record_offset )
3048	{
3049	/*
3050	* We've got more data in the buffer after the current record,
3051	* that we don't want to overwrite. Move it before writing the
3052	* reassembled message, and adjust in_left and next_record_offset.
3053	*/
3054	unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset;
3055	unsigned char *new_remain = ssl->in_msg + ssl->in_hslen;
3056	size_t remain_len = ssl->in_left - ssl->next_record_offset;
3057
3058	/* First compute and check new lengths */
3059	ssl->next_record_offset = new_remain - ssl->in_hdr;
3060	ssl->in_left = ssl->next_record_offset + remain_len;
3061
3062	if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
3063	(size_t)( ssl->in_hdr - ssl->in_buf ) )
3064	{
3065	MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
3066	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3067	}
3068
3069	memmove( new_remain, cur_remain, remain_len );
3070	}
3071
3072	memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen );
3073
3074	mbedtls_free( ssl->handshake->hs_msg );
3075	ssl->handshake->hs_msg = NULL;
3076
3077	MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message",
3078	ssl->in_msg, ssl->in_hslen );
3079
3080	return( 0 );
3081	}
3082	#endif /* MBEDTLS_SSL_PROTO_DTLS */
3083
3084	static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
3085	{
3086	if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
3087	{
3088	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
3089	ssl->in_msglen ) );
3090	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3091	}
3092
3093	ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + (
3094	( ssl->in_msg[1] << 16 ) \|
3095	( ssl->in_msg[2] << 8 ) \|
3096	ssl->in_msg[3] );
3097
3098	MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
3099	" %d, type = %d, hslen = %d",
3100	ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
3101
3102	#if defined(MBEDTLS_SSL_PROTO_DTLS)
3103	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3104	{
3105	int ret;
3106	unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) \| ssl->in_msg[5];
3107
3108	/* ssl->handshake is NULL when receiving ClientHello for renego */
3109	if( ssl->handshake != NULL &&
3110	recv_msg_seq != ssl->handshake->in_msg_seq )
3111	{
3112	/* Retransmit only on last message from previous flight, to avoid
3113	* too many retransmissions.
3114	* Besides, No sane server ever retransmits HelloVerifyRequest */
3115	if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
3116	ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
3117	{
3118	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
3119	"message_seq = %d, start_of_flight = %d",
3120	recv_msg_seq,
3121	ssl->handshake->in_flight_start_seq ) );
3122
3123	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3124	{
3125	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
3126	return( ret );
3127	}
3128	}
3129	else
3130	{
3131	MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
3132	"message_seq = %d, expected = %d",
3133	recv_msg_seq,
3134	ssl->handshake->in_msg_seq ) );
3135	}
3136
3137	return( MBEDTLS_ERR_SSL_WANT_READ );
3138	}
3139	/* Wait until message completion to increment in_msg_seq */
3140
3141	/* Reassemble if current message is fragmented or reassembly is
3142	* already in progress */
3143	if( ssl->in_msglen < ssl->in_hslen \|\|
3144	memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 \|\|
3145	memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 \|\|
3146	( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) )
3147	{
3148	MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
3149
3150	if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 )
3151	{
3152	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret );
3153	return( ret );
3154	}
3155	}
3156	}
3157	else
3158	#endif /* MBEDTLS_SSL_PROTO_DTLS */
3159	/* With TLS we don't handle fragmentation (for now) */
3160	if( ssl->in_msglen < ssl->in_hslen )
3161	{
3162	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
3163	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3164	}
3165
3166	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
3167	ssl->handshake != NULL )
3168	{
3169	ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
3170	}
3171
3172	/* Handshake message is complete, increment counter */
3173	#if defined(MBEDTLS_SSL_PROTO_DTLS)
3174	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3175	ssl->handshake != NULL )
3176	{
3177	ssl->handshake->in_msg_seq++;
3178	}
3179	#endif
3180
3181	return( 0 );
3182	}
3183
3184	/*
3185	* DTLS anti-replay: RFC 6347 4.1.2.6
3186	*
3187	* in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
3188	* Bit n is set iff record number in_window_top - n has been seen.
3189	*
3190	* Usually, in_window_top is the last record number seen and the lsb of
3191	* in_window is set. The only exception is the initial state (record number 0
3192	* not seen yet).
3193	*/
3194	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3195	static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
3196	{
3197	ssl->in_window_top = 0;
3198	ssl->in_window = 0;
3199	}
3200
3201	static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
3202	{
3203	return( ( (uint64_t) buf[0] << 40 ) \|
3204	( (uint64_t) buf[1] << 32 ) \|
3205	( (uint64_t) buf[2] << 24 ) \|
3206	( (uint64_t) buf[3] << 16 ) \|
3207	( (uint64_t) buf[4] << 8 ) \|
3208	( (uint64_t) buf[5] ) );
3209	}
3210
3211	/*
3212	* Return 0 if sequence number is acceptable, -1 otherwise
3213	*/
3214	int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
3215	{
3216	uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3217	uint64_t bit;
3218
3219	if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3220	return( 0 );
3221
3222	if( rec_seqnum > ssl->in_window_top )
3223	return( 0 );
3224
3225	bit = ssl->in_window_top - rec_seqnum;
3226
3227	if( bit >= 64 )
3228	return( -1 );
3229
3230	if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3231	return( -1 );
3232
3233	return( 0 );
3234	}
3235
3236	/*
3237	* Update replay window on new validated record
3238	*/
3239	void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
3240	{
3241	uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3242
3243	if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3244	return;
3245
3246	if( rec_seqnum > ssl->in_window_top )
3247	{
3248	/* Update window_top and the contents of the window */
3249	uint64_t shift = rec_seqnum - ssl->in_window_top;
3250
3251	if( shift >= 64 )
3252	ssl->in_window = 1;
3253	else
3254	{
3255	ssl->in_window <<= shift;
3256	ssl->in_window \|= 1;
3257	}
3258
3259	ssl->in_window_top = rec_seqnum;
3260	}
3261	else
3262	{
3263	/* Mark that number as seen in the current window */
3264	uint64_t bit = ssl->in_window_top - rec_seqnum;
3265
3266	if( bit < 64 ) /* Always true, but be extra sure */
3267	ssl->in_window \|= (uint64_t) 1 << bit;
3268	}
3269	}
3270	#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
3271
3272	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3273	/* Forward declaration */
3274	static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
3275
3276	/*
3277	* Without any SSL context, check if a datagram looks like a ClientHello with
3278	* a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
3279	* Both input and output include full DTLS headers.
3280	*
3281	* - if cookie is valid, return 0
3282	* - if ClientHello looks superficially valid but cookie is not,
3283	* fill obuf and set olen, then
3284	* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3285	* - otherwise return a specific error code
3286	*/
3287	static int ssl_check_dtls_clihlo_cookie(
3288	mbedtls_ssl_cookie_write_t *f_cookie_write,
3289	mbedtls_ssl_cookie_check_t *f_cookie_check,
3290	void *p_cookie,
3291	const unsigned char *cli_id, size_t cli_id_len,
3292	const unsigned char *in, size_t in_len,
3293	unsigned char obuf, size_t buf_len, size_t olen )
3294	{
3295	size_t sid_len, cookie_len;
3296	unsigned char *p;
3297
3298	if( f_cookie_write == NULL \|\| f_cookie_check == NULL )
3299	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3300
3301	/*
3302	* Structure of ClientHello with record and handshake headers,
3303	* and expected values. We don't need to check a lot, more checks will be
3304	* done when actually parsing the ClientHello - skipping those checks
3305	* avoids code duplication and does not make cookie forging any easier.
3306	*
3307	* 0-0 ContentType type; copied, must be handshake
3308	* 1-2 ProtocolVersion version; copied
3309	* 3-4 uint16 epoch; copied, must be 0
3310	* 5-10 uint48 sequence_number; copied
3311	* 11-12 uint16 length; (ignored)
3312	*
3313	* 13-13 HandshakeType msg_type; (ignored)
3314	* 14-16 uint24 length; (ignored)
3315	* 17-18 uint16 message_seq; copied
3316	* 19-21 uint24 fragment_offset; copied, must be 0
3317	* 22-24 uint24 fragment_length; (ignored)
3318	*
3319	* 25-26 ProtocolVersion client_version; (ignored)
3320	* 27-58 Random random; (ignored)
3321	* 59-xx SessionID session_id; 1 byte len + sid_len content
3322	* 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3323	* ...
3324	*
3325	* Minimum length is 61 bytes.
3326	*/
3327	if( in_len < 61 \|\|
3328	in[0] != MBEDTLS_SSL_MSG_HANDSHAKE \|\|
3329	in[3] != 0 \|\| in[4] != 0 \|\|
3330	in[19] != 0 \|\| in[20] != 0 \|\| in[21] != 0 )
3331	{
3332	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3333	}
3334
3335	sid_len = in[59];
3336	if( sid_len > in_len - 61 )
3337	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3338
3339	cookie_len = in[60 + sid_len];
3340	if( cookie_len > in_len - 60 )
3341	return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
3342
3343	if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
3344	cli_id, cli_id_len ) == 0 )
3345	{
3346	/* Valid cookie */
3347	return( 0 );
3348	}
3349
3350	/*
3351	* If we get here, we've got an invalid cookie, let's prepare HVR.
3352	*
3353	* 0-0 ContentType type; copied
3354	* 1-2 ProtocolVersion version; copied
3355	* 3-4 uint16 epoch; copied
3356	* 5-10 uint48 sequence_number; copied
3357	* 11-12 uint16 length; olen - 13
3358	*
3359	* 13-13 HandshakeType msg_type; hello_verify_request
3360	* 14-16 uint24 length; olen - 25
3361	* 17-18 uint16 message_seq; copied
3362	* 19-21 uint24 fragment_offset; copied
3363	* 22-24 uint24 fragment_length; olen - 25
3364	*
3365	* 25-26 ProtocolVersion server_version; 0xfe 0xff
3366	* 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3367	*
3368	* Minimum length is 28.
3369	*/
3370	if( buf_len < 28 )
3371	return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3372
3373	/* Copy most fields and adapt others */
3374	memcpy( obuf, in, 25 );
3375	obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3376	obuf[25] = 0xfe;
3377	obuf[26] = 0xff;
3378
3379	/* Generate and write actual cookie */
3380	p = obuf + 28;
3381	if( f_cookie_write( p_cookie,
3382	&p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
3383	{
3384	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3385	}
3386
3387	*olen = p - obuf;
3388
3389	/* Go back and fill length fields */
3390	obuf[27] = (unsigned char)( *olen - 28 );
3391
3392	obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
3393	obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
3394	obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
3395
3396	obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
3397	obuf[12] = (unsigned char)( ( *olen - 13 ) );
3398
3399	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3400	}
3401
3402	/*
3403	* Handle possible client reconnect with the same UDP quadruplet
3404	* (RFC 6347 Section 4.2.8).
3405	*
3406	* Called by ssl_parse_record_header() in case we receive an epoch 0 record
3407	* that looks like a ClientHello.
3408	*
3409	* - if the input looks like a ClientHello without cookies,
3410	* send back HelloVerifyRequest, then
3411	* return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3412	* - if the input looks like a ClientHello with a valid cookie,
3413	* reset the session of the current context, and
3414	* return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
3415	* - if anything goes wrong, return a specific error code
3416	*
3417	* mbedtls_ssl_read_record() will ignore the record if anything else than
3418	* MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
3419	* cannot not return 0.
3420	*/
3421	static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3422	{
3423	int ret;
3424	size_t len;
3425
3426	ret = ssl_check_dtls_clihlo_cookie(
3427	ssl->conf->f_cookie_write,
3428	ssl->conf->f_cookie_check,
3429	ssl->conf->p_cookie,
3430	ssl->cli_id, ssl->cli_id_len,
3431	ssl->in_buf, ssl->in_left,
3432	ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
3433
3434	MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
3435
3436	if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
3437	{
3438	/* Dont check write errors as we can't do anything here.
3439	* If the error is permanent we'll catch it later,
3440	* if it's not, then hopefully it'll work next time. */
3441	(void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3442
3443	return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3444	}
3445
3446	if( ret == 0 )
3447	{
3448	/* Got a valid cookie, partially reset context */
3449	if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
3450	{
3451	MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3452	return( ret );
3453	}
3454
3455	return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
3456	}
3457
3458	return( ret );
3459	}
3460	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3461
3462	/*
3463	* ContentType type;
3464	* ProtocolVersion version;
3465	* uint16 epoch; // DTLS only
3466	* uint48 sequence_number; // DTLS only
3467	* uint16 length;
3468	*
3469	* Return 0 if header looks sane (and, for DTLS, the record is expected)
3470	* MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
3471	* MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3472	*
3473	* With DTLS, mbedtls_ssl_read_record() will:
3474	* 1. proceed with the record if this function returns 0
3475	* 2. drop only the current record if this function returns UNEXPECTED_RECORD
3476	* 3. return CLIENT_RECONNECT if this function return that value
3477	* 4. drop the whole datagram if this function returns anything else.
3478	* Point 2 is needed when the peer is resending, and we have already received
3479	* the first record from a datagram but are still waiting for the others.
3480	*/
3481	static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
3482	{
3483	int ret;
3484	int major_ver, minor_ver;
3485
3486	MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
3487
3488	ssl->in_msgtype = ssl->in_hdr[0];
3489	ssl->in_msglen = ( ssl->in_len[0] << 8 ) \| ssl->in_len[1];
3490	mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
3491
3492	MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
3493	"version = [%d:%d], msglen = %d",
3494	ssl->in_msgtype,
3495	major_ver, minor_ver, ssl->in_msglen ) );
3496
3497	/* Check record type */
3498	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
3499	ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
3500	ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3501	ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3502	{
3503	MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3504
3505	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
3506	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3507	MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
3508	{
3509	return( ret );
3510	}
3511
3512	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3513	}
3514
3515	/* Check version */
3516	if( major_ver != ssl->major_ver )
3517	{
3518	MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3519	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3520	}
3521
3522	if( minor_ver > ssl->conf->max_minor_ver )
3523	{
3524	MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3525	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3526	}
3527
3528	/* Check length against the size of our buffer */
3529	if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
3530	- (size_t)( ssl->in_msg - ssl->in_buf ) )
3531	{
3532	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3533	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3534	}
3535
3536	/* Check length against bounds of the current transform and version */
3537	if( ssl->transform_in == NULL )
3538	{
3539	if( ssl->in_msglen < 1 \|\|
3540	ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
3541	{
3542	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3543	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3544	}
3545	}
3546	else
3547	{
3548	if( ssl->in_msglen < ssl->transform_in->minlen )
3549	{
3550	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3551	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3552	}
3553
3554	#if defined(MBEDTLS_SSL_PROTO_SSL3)
3555	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
3556	ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
3557	{
3558	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3559	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3560	}
3561	#endif
3562	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
3563	defined(MBEDTLS_SSL_PROTO_TLS1_2)
3564	/*
3565	* TLS encrypted messages can have up to 256 bytes of padding
3566	*/
3567	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
3568	ssl->in_msglen > ssl->transform_in->minlen +
3569	MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
3570	{
3571	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3572	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3573	}
3574	#endif
3575	}
3576
3577	/*
3578	* DTLS-related tests done last, because most of them may result in
3579	* silently dropping the record (but not the whole datagram), and we only
3580	* want to consider that after ensuring that the "basic" fields (type,
3581	* version, length) are sane.
3582	*/
3583	#if defined(MBEDTLS_SSL_PROTO_DTLS)
3584	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3585	{
3586	unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) \| ssl->in_ctr[1];
3587
3588	/* Drop unexpected ChangeCipherSpec messages */
3589	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3590	ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
3591	ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
3592	{
3593	MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
3594	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3595	}
3596
3597	/* Drop unexpected ApplicationData records,
3598	* except at the beginning of renegotiations */
3599	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
3600	ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
3601	#if defined(MBEDTLS_SSL_RENEGOTIATION)
3602	&& ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
3603	ssl->state == MBEDTLS_SSL_SERVER_HELLO )
3604	#endif
3605	)
3606	{
3607	MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
3608	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3609	}
3610
3611	/* Check epoch (and sequence number) with DTLS */
3612	if( rec_epoch != ssl->in_epoch )
3613	{
3614	MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
3615	"expected %d, received %d",
3616	ssl->in_epoch, rec_epoch ) );
3617
3618	#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3619	/*
3620	* Check for an epoch 0 ClientHello. We can't use in_msg here to
3621	* access the first byte of record content (handshake type), as we
3622	* have an active transform (possibly iv_len != 0), so use the
3623	* fact that the record header len is 13 instead.
3624	*/
3625	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3626	ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3627	rec_epoch == 0 &&
3628	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3629	ssl->in_left > 13 &&
3630	ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3631	{
3632	MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3633	"from the same port" ) );
3634	return( ssl_handle_possible_reconnect( ssl ) );
3635	}
3636	else
3637	#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3638	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3639	}
3640
3641	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3642	/* Replay detection only works for the current epoch */
3643	if( rec_epoch == ssl->in_epoch &&
3644	mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
3645	{
3646	MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3647	return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3648	}
3649	#endif
3650	}
3651	#endif /* MBEDTLS_SSL_PROTO_DTLS */
3652
3653	return( 0 );
3654	}
3655
3656	/*
3657	* If applicable, decrypt (and decompress) record content
3658	*/
3659	static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
3660	{
3661	int ret, done = 0;
3662
3663	MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
3664	ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
3665
3666	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3667	if( mbedtls_ssl_hw_record_read != NULL )
3668	{
3669	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
3670
3671	ret = mbedtls_ssl_hw_record_read( ssl );
3672	if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
3673	{
3674	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
3675	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3676	}
3677
3678	if( ret == 0 )
3679	done = 1;
3680	}
3681	#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
3682	if( !done && ssl->transform_in != NULL )
3683	{
3684	if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
3685	{
3686	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
3687	return( ret );
3688	}
3689
3690	MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
3691	ssl->in_msg, ssl->in_msglen );
3692
3693	if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
3694	{
3695	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3696	return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3697	}
3698	}
3699
3700	#if defined(MBEDTLS_ZLIB_SUPPORT)
3701	if( ssl->transform_in != NULL &&
3702	ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
3703	{
3704	if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
3705	{
3706	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
3707	return( ret );
3708	}
3709
3710	// TODO: what's the purpose of these lines? is in_len used?
3711	ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
3712	ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
3713	}
3714	#endif /* MBEDTLS_ZLIB_SUPPORT */
3715
3716	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3717	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3718	{
3719	mbedtls_ssl_dtls_replay_update( ssl );
3720	}
3721	#endif
3722
3723	return( 0 );
3724	}
3725
3726	static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
3727
3728	/*
3729	* Read a record.
3730	*
3731	* Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3732	* RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3733	*
3734	*/
3735	int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
3736	{
3737	int ret;
3738
3739	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
3740
3741	if( ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen )
3742	{
3743	/*
3744	* Get next Handshake message in the current record
3745	*/
3746	ssl->in_msglen -= ssl->in_hslen;
3747
3748	memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
3749	ssl->in_msglen );
3750
3751	MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
3752	ssl->in_msg, ssl->in_msglen );
3753
3754	if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
3755	return( ret );
3756
3757	return( 0 );
3758	}
3759
3760	ssl->in_hslen = 0;
3761
3762	/*
3763	* Read the record header and parse it
3764	*/
3765	read_record_header:
3766	if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
3767	{
3768	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
3769	return( ret );
3770	}
3771
3772	if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
3773	{
3774	#if defined(MBEDTLS_SSL_PROTO_DTLS)
3775	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3776	ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
3777	{
3778	if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
3779	{
3780	/* Skip unexpected record (but not whole datagram) */
3781	ssl->next_record_offset = ssl->in_msglen
3782	+ mbedtls_ssl_hdr_len( ssl );
3783
3784	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
3785	"(header)" ) );
3786	}
3787	else
3788	{
3789	/* Skip invalid record and the rest of the datagram */
3790	ssl->next_record_offset = 0;
3791	ssl->in_left = 0;
3792
3793	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
3794	"(header)" ) );
3795	}
3796
3797	/* Get next record */
3798	goto read_record_header;
3799	}
3800	#endif
3801	return( ret );
3802	}
3803
3804	/*
3805	* Read and optionally decrypt the message contents
3806	*/
3807	if( ( ret = mbedtls_ssl_fetch_input( ssl,
3808	mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
3809	{
3810	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
3811	return( ret );
3812	}
3813
3814	/* Done reading this record, get ready for the next one */
3815	#if defined(MBEDTLS_SSL_PROTO_DTLS)
3816	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3817	ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
3818	else
3819	#endif
3820	ssl->in_left = 0;
3821
3822	if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
3823	{
3824	#if defined(MBEDTLS_SSL_PROTO_DTLS)
3825	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3826	{
3827	/* Silently discard invalid records */
3828	if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD \|\|
3829	ret == MBEDTLS_ERR_SSL_INVALID_MAC )
3830	{
3831	/* Except when waiting for Finished as a bad mac here
3832	* probably means something went wrong in the handshake
3833	* (eg wrong psk used, mitm downgrade attempt, etc.) */
3834	if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED \|\|
3835	ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
3836	{
3837	#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
3838	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
3839	{
3840	mbedtls_ssl_send_alert_message( ssl,
3841	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3842	MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
3843	}
3844	#endif
3845	return( ret );
3846	}
3847
3848	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
3849	if( ssl->conf->badmac_limit != 0 &&
3850	++ssl->badmac_seen >= ssl->conf->badmac_limit )
3851	{
3852	MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
3853	return( MBEDTLS_ERR_SSL_INVALID_MAC );
3854	}
3855	#endif
3856
3857	MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
3858	goto read_record_header;
3859	}
3860
3861	return( ret );
3862	}
3863	else
3864	#endif
3865	{
3866	/* Error out (and send alert) on invalid records */
3867	#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
3868	if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
3869	{
3870	mbedtls_ssl_send_alert_message( ssl,
3871	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3872	MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
3873	}
3874	#endif
3875	return( ret );
3876	}
3877	}
3878
3879	/*
3880	* When we sent the last flight of the handshake, we MUST respond to a
3881	* retransmit of the peer's previous flight with a retransmit. (In
3882	* practice, only the Finished message will make it, other messages
3883	* including CCS use the old transform so they're dropped as invalid.)
3884	*
3885	* If the record we received is not a handshake message, however, it
3886	* means the peer received our last flight so we can clean up
3887	* handshake info.
3888	*
3889	* This check needs to be done before prepare_handshake() due to an edge
3890	* case: if the client immediately requests renegotiation, this
3891	* finishes the current handshake first, avoiding the new ClientHello
3892	* being mistaken for an ancient message in the current handshake.
3893	*/
3894	#if defined(MBEDTLS_SSL_PROTO_DTLS)
3895	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3896	ssl->handshake != NULL &&
3897	ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
3898	{
3899	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3900	ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
3901	{
3902	MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) );
3903
3904	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3905	{
3906	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
3907	return( ret );
3908	}
3909
3910	return( MBEDTLS_ERR_SSL_WANT_READ );
3911	}
3912	else
3913	{
3914	ssl_handshake_wrapup_free_hs_transform( ssl );
3915	}
3916	}
3917	#endif
3918
3919	/*
3920	* Handle particular types of records
3921	*/
3922	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
3923	{
3924	if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 )
3925	return( ret );
3926	}
3927
3928	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
3929	{
3930	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
3931	ssl->in_msg[0], ssl->in_msg[1] ) );
3932
3933	/*
3934	* Ignore non-fatal alerts, except close_notify and no_renegotiation
3935	*/
3936	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
3937	{
3938	MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
3939	ssl->in_msg[1] ) );
3940	return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
3941	}
3942
3943	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
3944	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
3945	{
3946	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
3947	return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
3948	}
3949
3950	#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
3951	if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
3952	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
3953	{
3954	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
3955	/* Will be handled when trying to parse ServerHello */
3956	return( 0 );
3957	}
3958	#endif
3959
3960	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
3961	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
3962	ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3963	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
3964	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
3965	{
3966	MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
3967	/* Will be handled in mbedtls_ssl_parse_certificate() */
3968	return( 0 );
3969	}
3970	#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
3971
3972	/* Silently ignore: fetch new message */
3973	goto read_record_header;
3974	}
3975
3976	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
3977
3978	return( 0 );
3979	}
3980
3981	int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
3982	{
3983	int ret;
3984
3985	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
3986	MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3987	MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
3988	{
3989	return( ret );
3990	}
3991
3992	return( 0 );
3993	}
3994
3995	int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
3996	unsigned char level,
3997	unsigned char message )
3998	{
3999	int ret;
4000
4001	if( ssl == NULL \|\| ssl->conf == NULL )
4002	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4003
4004	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
4005
4006	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
4007	ssl->out_msglen = 2;
4008	ssl->out_msg[0] = level;
4009	ssl->out_msg[1] = message;
4010
4011	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
4012	{
4013	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
4014	return( ret );
4015	}
4016
4017	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
4018
4019	return( 0 );
4020	}
4021
4022	/*
4023	* Handshake functions
4024	*/
4025	#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
4026	!defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
4027	!defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
4028	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
4029	!defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
4030	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
4031	!defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
4032	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
4033	{
4034	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
4035
4036	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
4037
4038	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
4039	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
4040	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
4041	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4042	{
4043	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
4044	ssl->state++;
4045	return( 0 );
4046	}
4047
4048	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4049	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4050	}
4051
4052	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
4053	{
4054	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
4055
4056	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
4057
4058	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
4059	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
4060	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
4061	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4062	{
4063	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
4064	ssl->state++;
4065	return( 0 );
4066	}
4067
4068	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4069	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4070	}
4071	#else
4072	int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
4073	{
4074	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4075	size_t i, n;
4076	const mbedtls_x509_crt *crt;
4077	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
4078
4079	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
4080
4081	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
4082	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
4083	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
4084	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4085	{
4086	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
4087	ssl->state++;
4088	return( 0 );
4089	}
4090
4091	#if defined(MBEDTLS_SSL_CLI_C)
4092	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
4093	{
4094	if( ssl->client_auth == 0 )
4095	{
4096	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
4097	ssl->state++;
4098	return( 0 );
4099	}
4100
4101	#if defined(MBEDTLS_SSL_PROTO_SSL3)
4102	/*
4103	* If using SSLv3 and got no cert, send an Alert message
4104	* (otherwise an empty Certificate message will be sent).
4105	*/
4106	if( mbedtls_ssl_own_cert( ssl ) == NULL &&
4107	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
4108	{
4109	ssl->out_msglen = 2;
4110	ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
4111	ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
4112	ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
4113
4114	MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
4115	goto write_msg;
4116	}
4117	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
4118	}
4119	#endif /* MBEDTLS_SSL_CLI_C */
4120	#if defined(MBEDTLS_SSL_SRV_C)
4121	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
4122	{
4123	if( mbedtls_ssl_own_cert( ssl ) == NULL )
4124	{
4125	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
4126	return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
4127	}
4128	}
4129	#endif
4130
4131	MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
4132
4133	/*
4134	* 0 . 0 handshake type
4135	* 1 . 3 handshake length
4136	* 4 . 6 length of all certs
4137	* 7 . 9 length of cert. 1
4138	* 10 . n-1 peer certificate
4139	* n . n+2 length of cert. 2
4140	* n+3 . ... upper level cert, etc.
4141	*/
4142	i = 7;
4143	crt = mbedtls_ssl_own_cert( ssl );
4144
4145	while( crt != NULL )
4146	{
4147	n = crt->raw.len;
4148	if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
4149	{
4150	MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
4151	i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
4152	return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
4153	}
4154
4155	ssl->out_msg[i ] = (unsigned char)( n >> 16 );
4156	ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
4157	ssl->out_msg[i + 2] = (unsigned char)( n );
4158
4159	i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
4160	i += n; crt = crt->next;
4161	}
4162
4163	ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
4164	ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
4165	ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
4166
4167	ssl->out_msglen = i;
4168	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4169	ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
4170
4171	#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
4172	write_msg:
4173	#endif
4174
4175	ssl->state++;
4176
4177	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
4178	{
4179	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
4180	return( ret );
4181	}
4182
4183	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
4184
4185	return( ret );
4186	}
4187
4188	int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
4189	{
4190	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4191	size_t i, n;
4192	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
4193	int authmode = ssl->conf->authmode;
4194
4195	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
4196
4197	if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK \|\|
4198	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK \|\|
4199	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK \|\|
4200	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4201	{
4202	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
4203	ssl->state++;
4204	return( 0 );
4205	}
4206
4207	#if defined(MBEDTLS_SSL_SRV_C)
4208	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4209	ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
4210	{
4211	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
4212	ssl->state++;
4213	return( 0 );
4214	}
4215
4216	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4217	if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
4218	authmode = ssl->handshake->sni_authmode;
4219	#endif
4220
4221	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4222	authmode == MBEDTLS_SSL_VERIFY_NONE )
4223	{
4224	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
4225	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
4226	ssl->state++;
4227	return( 0 );
4228	}
4229	#endif
4230
4231	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
4232	{
4233	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
4234	return( ret );
4235	}
4236
4237	ssl->state++;
4238
4239	#if defined(MBEDTLS_SSL_SRV_C)
4240	#if defined(MBEDTLS_SSL_PROTO_SSL3)
4241	/*
4242	* Check if the client sent an empty certificate
4243	*/
4244	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4245	ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
4246	{
4247	if( ssl->in_msglen == 2 &&
4248	ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
4249	ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4250	ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
4251	{
4252	MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
4253
4254	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
4255	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
4256	return( 0 );
4257	else
4258	return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
4259	}
4260	}
4261	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
4262
4263	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
4264	defined(MBEDTLS_SSL_PROTO_TLS1_2)
4265	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4266	ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
4267	{
4268	if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
4269	ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
4270	ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
4271	memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
4272	{
4273	MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
4274
4275	ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
4276	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
4277	return( 0 );
4278	else
4279	return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
4280	}
4281	}
4282	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\| \
4283	MBEDTLS_SSL_PROTO_TLS1_2 */
4284	#endif /* MBEDTLS_SSL_SRV_C */
4285
4286	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
4287	{
4288	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4289	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
4290	}
4291
4292	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE \|\|
4293	ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
4294	{
4295	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4296	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
4297	}
4298
4299	i = mbedtls_ssl_hs_hdr_len( ssl );
4300
4301	/*
4302	* Same message structure as in mbedtls_ssl_write_certificate()
4303	*/
4304	n = ( ssl->in_msg[i+1] << 8 ) \| ssl->in_msg[i+2];
4305
4306	if( ssl->in_msg[i] != 0 \|\|
4307	ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
4308	{
4309	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4310	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
4311	}
4312
4313	/* In case we tried to reuse a session but it failed */
4314	if( ssl->session_negotiate->peer_cert != NULL )
4315	{
4316	mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
4317	mbedtls_free( ssl->session_negotiate->peer_cert );
4318	}
4319
4320	if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
4321	sizeof( mbedtls_x509_crt ) ) ) == NULL )
4322	{
4323	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
4324	sizeof( mbedtls_x509_crt ) ) );
4325	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
4326	}
4327
4328	mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
4329
4330	i += 3;
4331
4332	while( i < ssl->in_hslen )
4333	{
4334	if( ssl->in_msg[i] != 0 )
4335	{
4336	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4337	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
4338	}
4339
4340	n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
4341	\| (unsigned int) ssl->in_msg[i + 2];
4342	i += 3;
4343
4344	if( n < 128 \|\| i + n > ssl->in_hslen )
4345	{
4346	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4347	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
4348	}
4349
4350	ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
4351	ssl->in_msg + i, n );
4352	if( ret != 0 )
4353	{
4354	MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
4355	return( ret );
4356	}
4357
4358	i += n;
4359	}
4360
4361	MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
4362
4363	/*
4364	* On client, make sure the server cert doesn't change during renego to
4365	* avoid "triple handshake" attack: https://secure-resumption.com/
4366	*/
4367	#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
4368	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4369	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
4370	{
4371	if( ssl->session->peer_cert == NULL )
4372	{
4373	MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
4374	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
4375	}
4376
4377	if( ssl->session->peer_cert->raw.len !=
4378	ssl->session_negotiate->peer_cert->raw.len \|\|
4379	memcmp( ssl->session->peer_cert->raw.p,
4380	ssl->session_negotiate->peer_cert->raw.p,
4381	ssl->session->peer_cert->raw.len ) != 0 )
4382	{
4383	MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
4384	return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
4385	}
4386	}
4387	#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
4388
4389	if( authmode != MBEDTLS_SSL_VERIFY_NONE )
4390	{
4391	mbedtls_x509_crt *ca_chain;
4392	mbedtls_x509_crl *ca_crl;
4393
4394	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4395	if( ssl->handshake->sni_ca_chain != NULL )
4396	{
4397	ca_chain = ssl->handshake->sni_ca_chain;
4398	ca_crl = ssl->handshake->sni_ca_crl;
4399	}
4400	else
4401	#endif
4402	{
4403	ca_chain = ssl->conf->ca_chain;
4404	ca_crl = ssl->conf->ca_crl;
4405	}
4406
4407	if( ca_chain == NULL )
4408	{
4409	MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
4410	return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED );
4411	}
4412
4413	/*
4414	* Main check: verify certificate
4415	*/
4416	ret = mbedtls_x509_crt_verify_with_profile(
4417	ssl->session_negotiate->peer_cert,
4418	ca_chain, ca_crl,
4419	ssl->conf->cert_profile,
4420	ssl->hostname,
4421	&ssl->session_negotiate->verify_result,
4422	ssl->conf->f_vrfy, ssl->conf->p_vrfy );
4423
4424	if( ret != 0 )
4425	{
4426	MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
4427	}
4428
4429	/*
4430	* Secondary checks: always done, but change 'ret' only if it was 0
4431	*/
4432
4433	#if defined(MBEDTLS_ECP_C)
4434	{
4435	const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
4436
4437	/* If certificate uses an EC key, make sure the curve is OK */
4438	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
4439	mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
4440	{
4441	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
4442	if( ret == 0 )
4443	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
4444	}
4445	}
4446	#endif /* MBEDTLS_ECP_C */
4447
4448	if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
4449	ciphersuite_info,
4450	! ssl->conf->endpoint,
4451	&ssl->session_negotiate->verify_result ) != 0 )
4452	{
4453	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
4454	if( ret == 0 )
4455	ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
4456	}
4457
4458	if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
4459	ret = 0;
4460	}
4461
4462	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
4463
4464	return( ret );
4465	}
4466	#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
4467	!MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
4468	!MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
4469	!MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
4470	!MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
4471	!MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
4472	!MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
4473
4474	int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
4475	{
4476	int ret;
4477
4478	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
4479
4480	ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4481	ssl->out_msglen = 1;
4482	ssl->out_msg[0] = 1;
4483
4484	ssl->state++;
4485
4486	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
4487	{
4488	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
4489	return( ret );
4490	}
4491
4492	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
4493
4494	return( 0 );
4495	}
4496
4497	int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
4498	{
4499	int ret;
4500
4501	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
4502
4503	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
4504	{
4505	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
4506	return( ret );
4507	}
4508
4509	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
4510	{
4511	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
4512	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
4513	}
4514
4515	if( ssl->in_msglen != 1 \|\| ssl->in_msg[0] != 1 )
4516	{
4517	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
4518	return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
4519	}
4520
4521	/*
4522	* Switch to our negotiated transform and session parameters for inbound
4523	* data.
4524	*/
4525	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
4526	ssl->transform_in = ssl->transform_negotiate;
4527	ssl->session_in = ssl->session_negotiate;
4528
4529	#if defined(MBEDTLS_SSL_PROTO_DTLS)
4530	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4531	{
4532	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4533	ssl_dtls_replay_reset( ssl );
4534	#endif
4535
4536	/* Increment epoch */
4537	if( ++ssl->in_epoch == 0 )
4538	{
4539	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
4540	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
4541	}
4542	}
4543	else
4544	#endif /* MBEDTLS_SSL_PROTO_DTLS */
4545	memset( ssl->in_ctr, 0, 8 );
4546
4547	/*
4548	* Set the in_msg pointer to the correct location based on IV length
4549	*/
4550	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
4551	{
4552	ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
4553	ssl->transform_negotiate->fixed_ivlen;
4554	}
4555	else
4556	ssl->in_msg = ssl->in_iv;
4557
4558	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4559	if( mbedtls_ssl_hw_record_activate != NULL )
4560	{
4561	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
4562	{
4563	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
4564	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
4565	}
4566	}
4567	#endif
4568
4569	ssl->state++;
4570
4571	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
4572
4573	return( 0 );
4574	}
4575
4576	void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
4577	const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
4578	{
4579	((void) ciphersuite_info);
4580
4581	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
4582	defined(MBEDTLS_SSL_PROTO_TLS1_1)
4583	if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
4584	ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
4585	else
4586	#endif
4587	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4588	#if defined(MBEDTLS_SHA512_C)
4589	if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
4590	ssl->handshake->update_checksum = ssl_update_checksum_sha384;
4591	else
4592	#endif
4593	#if defined(MBEDTLS_SHA256_C)
4594	if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
4595	ssl->handshake->update_checksum = ssl_update_checksum_sha256;
4596	else
4597	#endif
4598	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4599	{
4600	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4601	return;
4602	}
4603	}
4604
4605	void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
4606	{
4607	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
4608	defined(MBEDTLS_SSL_PROTO_TLS1_1)
4609	mbedtls_md5_starts( &ssl->handshake->fin_md5 );
4610	mbedtls_sha1_starts( &ssl->handshake->fin_sha1 );
4611	#endif
4612	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4613	#if defined(MBEDTLS_SHA256_C)
4614	mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
4615	#endif
4616	#if defined(MBEDTLS_SHA512_C)
4617	mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
4618	#endif
4619	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4620	}
4621
4622	static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
4623	const unsigned char *buf, size_t len )
4624	{
4625	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
4626	defined(MBEDTLS_SSL_PROTO_TLS1_1)
4627	mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len );
4628	mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len );
4629	#endif
4630	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4631	#if defined(MBEDTLS_SHA256_C)
4632	mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
4633	#endif
4634	#if defined(MBEDTLS_SHA512_C)
4635	mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
4636	#endif
4637	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4638	}
4639
4640	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
4641	defined(MBEDTLS_SSL_PROTO_TLS1_1)
4642	static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
4643	const unsigned char *buf, size_t len )
4644	{
4645	mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len );
4646	mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len );
4647	}
4648	#endif
4649
4650	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4651	#if defined(MBEDTLS_SHA256_C)
4652	static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
4653	const unsigned char *buf, size_t len )
4654	{
4655	mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
4656	}
4657	#endif
4658
4659	#if defined(MBEDTLS_SHA512_C)
4660	static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
4661	const unsigned char *buf, size_t len )
4662	{
4663	mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
4664	}
4665	#endif
4666	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4667
4668	#if defined(MBEDTLS_SSL_PROTO_SSL3)
4669	static void ssl_calc_finished_ssl(
4670	mbedtls_ssl_context ssl, unsigned char buf, int from )
4671	{
4672	const char *sender;
4673	mbedtls_md5_context md5;
4674	mbedtls_sha1_context sha1;
4675
4676	unsigned char padbuf[48];
4677	unsigned char md5sum[16];
4678	unsigned char sha1sum[20];
4679
4680	mbedtls_ssl_session *session = ssl->session_negotiate;
4681	if( !session )
4682	session = ssl->session;
4683
4684	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
4685
4686	mbedtls_md5_init( &md5 );
4687	mbedtls_sha1_init( &sha1 );
4688
4689	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
4690	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
4691
4692	/*
4693	* SSLv3:
4694	* hash =
4695	* MD5( master + pad2 +
4696	* MD5( handshake + sender + master + pad1 ) )
4697	* + SHA1( master + pad2 +
4698	* SHA1( handshake + sender + master + pad1 ) )
4699	*/
4700
4701	#if !defined(MBEDTLS_MD5_ALT)
4702	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
4703	md5.state, sizeof( md5.state ) );
4704	#endif
4705
4706	#if !defined(MBEDTLS_SHA1_ALT)
4707	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
4708	sha1.state, sizeof( sha1.state ) );
4709	#endif
4710
4711	sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
4712	: "SRVR";
4713
4714	memset( padbuf, 0x36, 48 );
4715
4716	mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 );
4717	mbedtls_md5_update( &md5, session->master, 48 );
4718	mbedtls_md5_update( &md5, padbuf, 48 );
4719	mbedtls_md5_finish( &md5, md5sum );
4720
4721	mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 );
4722	mbedtls_sha1_update( &sha1, session->master, 48 );
4723	mbedtls_sha1_update( &sha1, padbuf, 40 );
4724	mbedtls_sha1_finish( &sha1, sha1sum );
4725
4726	memset( padbuf, 0x5C, 48 );
4727
4728	mbedtls_md5_starts( &md5 );
4729	mbedtls_md5_update( &md5, session->master, 48 );
4730	mbedtls_md5_update( &md5, padbuf, 48 );
4731	mbedtls_md5_update( &md5, md5sum, 16 );
4732	mbedtls_md5_finish( &md5, buf );
4733
4734	mbedtls_sha1_starts( &sha1 );
4735	mbedtls_sha1_update( &sha1, session->master, 48 );
4736	mbedtls_sha1_update( &sha1, padbuf , 40 );
4737	mbedtls_sha1_update( &sha1, sha1sum, 20 );
4738	mbedtls_sha1_finish( &sha1, buf + 16 );
4739
4740	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
4741
4742	mbedtls_md5_free( &md5 );
4743	mbedtls_sha1_free( &sha1 );
4744
4745	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
4746	mbedtls_zeroize( md5sum, sizeof( md5sum ) );
4747	mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
4748
4749	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
4750	}
4751	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
4752
4753	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1)
4754	static void ssl_calc_finished_tls(
4755	mbedtls_ssl_context ssl, unsigned char buf, int from )
4756	{
4757	int len = 12;
4758	const char *sender;
4759	mbedtls_md5_context md5;
4760	mbedtls_sha1_context sha1;
4761	unsigned char padbuf[36];
4762
4763	mbedtls_ssl_session *session = ssl->session_negotiate;
4764	if( !session )
4765	session = ssl->session;
4766
4767	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
4768
4769	mbedtls_md5_init( &md5 );
4770	mbedtls_sha1_init( &sha1 );
4771
4772	mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
4773	mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
4774
4775	/*
4776	* TLSv1:
4777	* hash = PRF( master, finished_label,
4778	* MD5( handshake ) + SHA1( handshake ) )[0..11]
4779	*/
4780
4781	#if !defined(MBEDTLS_MD5_ALT)
4782	MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
4783	md5.state, sizeof( md5.state ) );
4784	#endif
4785
4786	#if !defined(MBEDTLS_SHA1_ALT)
4787	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
4788	sha1.state, sizeof( sha1.state ) );
4789	#endif
4790
4791	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
4792	? "client finished"
4793	: "server finished";
4794
4795	mbedtls_md5_finish( &md5, padbuf );
4796	mbedtls_sha1_finish( &sha1, padbuf + 16 );
4797
4798	ssl->handshake->tls_prf( session->master, 48, sender,
4799	padbuf, 36, buf, len );
4800
4801	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
4802
4803	mbedtls_md5_free( &md5 );
4804	mbedtls_sha1_free( &sha1 );
4805
4806	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
4807
4808	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
4809	}
4810	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 */
4811
4812	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4813	#if defined(MBEDTLS_SHA256_C)
4814	static void ssl_calc_finished_tls_sha256(
4815	mbedtls_ssl_context ssl, unsigned char buf, int from )
4816	{
4817	int len = 12;
4818	const char *sender;
4819	mbedtls_sha256_context sha256;
4820	unsigned char padbuf[32];
4821
4822	mbedtls_ssl_session *session = ssl->session_negotiate;
4823	if( !session )
4824	session = ssl->session;
4825
4826	mbedtls_sha256_init( &sha256 );
4827
4828	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
4829
4830	mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
4831
4832	/*
4833	* TLSv1.2:
4834	* hash = PRF( master, finished_label,
4835	* Hash( handshake ) )[0.11]
4836	*/
4837
4838	#if !defined(MBEDTLS_SHA256_ALT)
4839	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
4840	sha256.state, sizeof( sha256.state ) );
4841	#endif
4842
4843	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
4844	? "client finished"
4845	: "server finished";
4846
4847	mbedtls_sha256_finish( &sha256, padbuf );
4848
4849	ssl->handshake->tls_prf( session->master, 48, sender,
4850	padbuf, 32, buf, len );
4851
4852	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
4853
4854	mbedtls_sha256_free( &sha256 );
4855
4856	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
4857
4858	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
4859	}
4860	#endif /* MBEDTLS_SHA256_C */
4861
4862	#if defined(MBEDTLS_SHA512_C)
4863	static void ssl_calc_finished_tls_sha384(
4864	mbedtls_ssl_context ssl, unsigned char buf, int from )
4865	{
4866	int len = 12;
4867	const char *sender;
4868	mbedtls_sha512_context sha512;
4869	unsigned char padbuf[48];
4870
4871	mbedtls_ssl_session *session = ssl->session_negotiate;
4872	if( !session )
4873	session = ssl->session;
4874
4875	mbedtls_sha512_init( &sha512 );
4876
4877	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
4878
4879	mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
4880
4881	/*
4882	* TLSv1.2:
4883	* hash = PRF( master, finished_label,
4884	* Hash( handshake ) )[0.11]
4885	*/
4886
4887	#if !defined(MBEDTLS_SHA512_ALT)
4888	MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
4889	sha512.state, sizeof( sha512.state ) );
4890	#endif
4891
4892	sender = ( from == MBEDTLS_SSL_IS_CLIENT )
4893	? "client finished"
4894	: "server finished";
4895
4896	mbedtls_sha512_finish( &sha512, padbuf );
4897
4898	ssl->handshake->tls_prf( session->master, 48, sender,
4899	padbuf, 48, buf, len );
4900
4901	MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
4902
4903	mbedtls_sha512_free( &sha512 );
4904
4905	mbedtls_zeroize( padbuf, sizeof( padbuf ) );
4906
4907	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
4908	}
4909	#endif /* MBEDTLS_SHA512_C */
4910	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4911
4912	static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
4913	{
4914	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
4915
4916	/*
4917	* Free our handshake params
4918	*/
4919	mbedtls_ssl_handshake_free( ssl->handshake );
4920	mbedtls_free( ssl->handshake );
4921	ssl->handshake = NULL;
4922
4923	/*
4924	* Free the previous transform and swith in the current one
4925	*/
4926	if( ssl->transform )
4927	{
4928	mbedtls_ssl_transform_free( ssl->transform );
4929	mbedtls_free( ssl->transform );
4930	}
4931	ssl->transform = ssl->transform_negotiate;
4932	ssl->transform_negotiate = NULL;
4933
4934	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
4935	}
4936
4937	void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
4938	{
4939	int resume = ssl->handshake->resume;
4940
4941	MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
4942
4943	#if defined(MBEDTLS_SSL_RENEGOTIATION)
4944	if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
4945	{
4946	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
4947	ssl->renego_records_seen = 0;
4948	}
4949	#endif
4950
4951	/*
4952	* Free the previous session and switch in the current one
4953	*/
4954	if( ssl->session )
4955	{
4956	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4957	/* RFC 7366 3.1: keep the EtM state */
4958	ssl->session_negotiate->encrypt_then_mac =
4959	ssl->session->encrypt_then_mac;
4960	#endif
4961
4962	mbedtls_ssl_session_free( ssl->session );
4963	mbedtls_free( ssl->session );
4964	}
4965	ssl->session = ssl->session_negotiate;
4966	ssl->session_negotiate = NULL;
4967
4968	/*
4969	* Add cache entry
4970	*/
4971	if( ssl->conf->f_set_cache != NULL &&
4972	ssl->session->id_len != 0 &&
4973	resume == 0 )
4974	{
4975	if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
4976	MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
4977	}
4978
4979	#if defined(MBEDTLS_SSL_PROTO_DTLS)
4980	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4981	ssl->handshake->flight != NULL )
4982	{
4983	/* Cancel handshake timer */
4984	ssl_set_timer( ssl, 0 );
4985
4986	/* Keep last flight around in case we need to resend it:
4987	* we need the handshake and transform structures for that */
4988	MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
4989	}
4990	else
4991	#endif
4992	ssl_handshake_wrapup_free_hs_transform( ssl );
4993
4994	ssl->state++;
4995
4996	MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
4997	}
4998
4999	int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
5000	{
5001	int ret, hash_len;
5002
5003	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
5004
5005	/*
5006	* Set the out_msg pointer to the correct location based on IV length
5007	*/
5008	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
5009	{
5010	ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
5011	ssl->transform_negotiate->fixed_ivlen;
5012	}
5013	else
5014	ssl->out_msg = ssl->out_iv;
5015
5016	ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
5017
5018	// TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
5019	hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
5020
5021	#if defined(MBEDTLS_SSL_RENEGOTIATION)
5022	ssl->verify_data_len = hash_len;
5023	memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
5024	#endif
5025
5026	ssl->out_msglen = 4 + hash_len;
5027	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5028	ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
5029
5030	/*
5031	* In case of session resuming, invert the client and server
5032	* ChangeCipherSpec messages order.
5033	*/
5034	if( ssl->handshake->resume != 0 )
5035	{
5036	#if defined(MBEDTLS_SSL_CLI_C)
5037	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5038	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
5039	#endif
5040	#if defined(MBEDTLS_SSL_SRV_C)
5041	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
5042	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
5043	#endif
5044	}
5045	else
5046	ssl->state++;
5047
5048	/*
5049	* Switch to our negotiated transform and session parameters for outbound
5050	* data.
5051	*/
5052	MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
5053
5054	#if defined(MBEDTLS_SSL_PROTO_DTLS)
5055	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5056	{
5057	unsigned char i;
5058
5059	/* Remember current epoch settings for resending */
5060	ssl->handshake->alt_transform_out = ssl->transform_out;
5061	memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 );
5062
5063	/* Set sequence_number to zero */
5064	memset( ssl->out_ctr + 2, 0, 6 );
5065
5066	/* Increment epoch */
5067	for( i = 2; i > 0; i-- )
5068	if( ++ssl->out_ctr[i - 1] != 0 )
5069	break;
5070
5071	/* The loop goes to its end iff the counter is wrapping */
5072	if( i == 0 )
5073	{
5074	MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
5075	return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
5076	}
5077	}
5078	else
5079	#endif /* MBEDTLS_SSL_PROTO_DTLS */
5080	memset( ssl->out_ctr, 0, 8 );
5081
5082	ssl->transform_out = ssl->transform_negotiate;
5083	ssl->session_out = ssl->session_negotiate;
5084
5085	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
5086	if( mbedtls_ssl_hw_record_activate != NULL )
5087	{
5088	if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
5089	{
5090	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
5091	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
5092	}
5093	}
5094	#endif
5095
5096	#if defined(MBEDTLS_SSL_PROTO_DTLS)
5097	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5098	mbedtls_ssl_send_flight_completed( ssl );
5099	#endif
5100
5101	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
5102	{
5103	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
5104	return( ret );
5105	}
5106
5107	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
5108
5109	return( 0 );
5110	}
5111
5112	#if defined(MBEDTLS_SSL_PROTO_SSL3)
5113	#define SSL_MAX_HASH_LEN 36
5114	#else
5115	#define SSL_MAX_HASH_LEN 12
5116	#endif
5117
5118	int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
5119	{
5120	int ret;
5121	unsigned int hash_len;
5122	unsigned char buf[SSL_MAX_HASH_LEN];
5123
5124	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
5125
5126	ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
5127
5128	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
5129	{
5130	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5131	return( ret );
5132	}
5133
5134	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
5135	{
5136	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
5137	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5138	}
5139
5140	/* There is currently no ciphersuite using another length with TLS 1.2 */
5141	#if defined(MBEDTLS_SSL_PROTO_SSL3)
5142	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
5143	hash_len = 36;
5144	else
5145	#endif
5146	hash_len = 12;
5147
5148	if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED \|\|
5149	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
5150	{
5151	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
5152	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
5153	}
5154
5155	if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
5156	buf, hash_len ) != 0 )
5157	{
5158	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
5159	return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
5160	}
5161
5162	#if defined(MBEDTLS_SSL_RENEGOTIATION)
5163	ssl->verify_data_len = hash_len;
5164	memcpy( ssl->peer_verify_data, buf, hash_len );
5165	#endif
5166
5167	if( ssl->handshake->resume != 0 )
5168	{
5169	#if defined(MBEDTLS_SSL_CLI_C)
5170	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5171	ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
5172	#endif
5173	#if defined(MBEDTLS_SSL_SRV_C)
5174	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
5175	ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
5176	#endif
5177	}
5178	else
5179	ssl->state++;
5180
5181	#if defined(MBEDTLS_SSL_PROTO_DTLS)
5182	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5183	mbedtls_ssl_recv_flight_completed( ssl );
5184	#endif
5185
5186	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
5187
5188	return( 0 );
5189	}
5190
5191	static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
5192	{
5193	memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
5194
5195	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
5196	defined(MBEDTLS_SSL_PROTO_TLS1_1)
5197	mbedtls_md5_init( &handshake->fin_md5 );
5198	mbedtls_sha1_init( &handshake->fin_sha1 );
5199	mbedtls_md5_starts( &handshake->fin_md5 );
5200	mbedtls_sha1_starts( &handshake->fin_sha1 );
5201	#endif
5202	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5203	#if defined(MBEDTLS_SHA256_C)
5204	mbedtls_sha256_init( &handshake->fin_sha256 );
5205	mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
5206	#endif
5207	#if defined(MBEDTLS_SHA512_C)
5208	mbedtls_sha512_init( &handshake->fin_sha512 );
5209	mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
5210	#endif
5211	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5212
5213	handshake->update_checksum = ssl_update_checksum_start;
5214	handshake->sig_alg = MBEDTLS_SSL_HASH_SHA1;
5215
5216	#if defined(MBEDTLS_DHM_C)
5217	mbedtls_dhm_init( &handshake->dhm_ctx );
5218	#endif
5219	#if defined(MBEDTLS_ECDH_C)
5220	mbedtls_ecdh_init( &handshake->ecdh_ctx );
5221	#endif
5222	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
5223	mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
5224	#if defined(MBEDTLS_SSL_CLI_C)
5225	handshake->ecjpake_cache = NULL;
5226	handshake->ecjpake_cache_len = 0;
5227	#endif
5228	#endif
5229
5230	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5231	handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
5232	#endif
5233	}
5234
5235	static void ssl_transform_init( mbedtls_ssl_transform *transform )
5236	{
5237	memset( transform, 0, sizeof(mbedtls_ssl_transform) );
5238
5239	mbedtls_cipher_init( &transform->cipher_ctx_enc );
5240	mbedtls_cipher_init( &transform->cipher_ctx_dec );
5241
5242	mbedtls_md_init( &transform->md_ctx_enc );
5243	mbedtls_md_init( &transform->md_ctx_dec );
5244	}
5245
5246	void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
5247	{
5248	memset( session, 0, sizeof(mbedtls_ssl_session) );
5249	}
5250
5251	static int ssl_handshake_init( mbedtls_ssl_context *ssl )
5252	{
5253	/* Clear old handshake information if present */
5254	if( ssl->transform_negotiate )
5255	mbedtls_ssl_transform_free( ssl->transform_negotiate );
5256	if( ssl->session_negotiate )
5257	mbedtls_ssl_session_free( ssl->session_negotiate );
5258	if( ssl->handshake )
5259	mbedtls_ssl_handshake_free( ssl->handshake );
5260
5261	/*
5262	* Either the pointers are now NULL or cleared properly and can be freed.
5263	* Now allocate missing structures.
5264	*/
5265	if( ssl->transform_negotiate == NULL )
5266	{
5267	ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
5268	}
5269
5270	if( ssl->session_negotiate == NULL )
5271	{
5272	ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
5273	}
5274
5275	if( ssl->handshake == NULL )
5276	{
5277	ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
5278	}
5279
5280	/* All pointers should exist and can be directly freed without issue */
5281	if( ssl->handshake == NULL \|\|
5282	ssl->transform_negotiate == NULL \|\|
5283	ssl->session_negotiate == NULL )
5284	{
5285	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
5286
5287	mbedtls_free( ssl->handshake );
5288	mbedtls_free( ssl->transform_negotiate );
5289	mbedtls_free( ssl->session_negotiate );
5290
5291	ssl->handshake = NULL;
5292	ssl->transform_negotiate = NULL;
5293	ssl->session_negotiate = NULL;
5294
5295	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5296	}
5297
5298	/* Initialize structures */
5299	mbedtls_ssl_session_init( ssl->session_negotiate );
5300	ssl_transform_init( ssl->transform_negotiate );
5301	ssl_handshake_params_init( ssl->handshake );
5302
5303	#if defined(MBEDTLS_SSL_PROTO_DTLS)
5304	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5305	{
5306	ssl->handshake->alt_transform_out = ssl->transform_out;
5307
5308	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5309	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
5310	else
5311	ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
5312
5313	ssl_set_timer( ssl, 0 );
5314	}
5315	#endif
5316
5317	return( 0 );
5318	}
5319
5320	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5321	/* Dummy cookie callbacks for defaults */
5322	static int ssl_cookie_write_dummy( void *ctx,
5323	unsigned char *p, unsigned char end,
5324	const unsigned char *cli_id, size_t cli_id_len )
5325	{
5326	((void) ctx);
5327	((void) p);
5328	((void) end);
5329	((void) cli_id);
5330	((void) cli_id_len);
5331
5332	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
5333	}
5334
5335	static int ssl_cookie_check_dummy( void *ctx,
5336	const unsigned char *cookie, size_t cookie_len,
5337	const unsigned char *cli_id, size_t cli_id_len )
5338	{
5339	((void) ctx);
5340	((void) cookie);
5341	((void) cookie_len);
5342	((void) cli_id);
5343	((void) cli_id_len);
5344
5345	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
5346	}
5347	#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
5348
5349	/*
5350	* Initialize an SSL context
5351	*/
5352	void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
5353	{
5354	memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
5355	}
5356
5357	/*
5358	* Setup an SSL context
5359	*/
5360	int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
5361	const mbedtls_ssl_config *conf )
5362	{
5363	int ret;
5364	const size_t len = MBEDTLS_SSL_BUFFER_LEN;
5365
5366	ssl->conf = conf;
5367
5368	/*
5369	* Prepare base structures
5370	*/
5371	if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL \|\|
5372	( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
5373	{
5374	MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
5375	mbedtls_free( ssl->in_buf );
5376	ssl->in_buf = NULL;
5377	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5378	}
5379
5380	#if defined(MBEDTLS_SSL_PROTO_DTLS)
5381	if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5382	{
5383	ssl->out_hdr = ssl->out_buf;
5384	ssl->out_ctr = ssl->out_buf + 3;
5385	ssl->out_len = ssl->out_buf + 11;
5386	ssl->out_iv = ssl->out_buf + 13;
5387	ssl->out_msg = ssl->out_buf + 13;
5388
5389	ssl->in_hdr = ssl->in_buf;
5390	ssl->in_ctr = ssl->in_buf + 3;
5391	ssl->in_len = ssl->in_buf + 11;
5392	ssl->in_iv = ssl->in_buf + 13;
5393	ssl->in_msg = ssl->in_buf + 13;
5394	}
5395	else
5396	#endif
5397	{
5398	ssl->out_ctr = ssl->out_buf;
5399	ssl->out_hdr = ssl->out_buf + 8;
5400	ssl->out_len = ssl->out_buf + 11;
5401	ssl->out_iv = ssl->out_buf + 13;
5402	ssl->out_msg = ssl->out_buf + 13;
5403
5404	ssl->in_ctr = ssl->in_buf;
5405	ssl->in_hdr = ssl->in_buf + 8;
5406	ssl->in_len = ssl->in_buf + 11;
5407	ssl->in_iv = ssl->in_buf + 13;
5408	ssl->in_msg = ssl->in_buf + 13;
5409	}
5410
5411	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
5412	return( ret );
5413
5414	return( 0 );
5415	}
5416
5417	/*
5418	* Reset an initialized and used SSL context for re-use while retaining
5419	* all application-set variables, function pointers and data.
5420	*
5421	* If partial is non-zero, keep data in the input buffer and client ID.
5422	* (Use when a DTLS client reconnects from the same port.)
5423	*/
5424	static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
5425	{
5426	int ret;
5427
5428	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
5429
5430	/* Cancel any possibly running timer */
5431	ssl_set_timer( ssl, 0 );
5432
5433	#if defined(MBEDTLS_SSL_RENEGOTIATION)
5434	ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
5435	ssl->renego_records_seen = 0;
5436
5437	ssl->verify_data_len = 0;
5438	memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
5439	memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
5440	#endif
5441	ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
5442
5443	ssl->in_offt = NULL;
5444
5445	ssl->in_msg = ssl->in_buf + 13;
5446	ssl->in_msgtype = 0;
5447	ssl->in_msglen = 0;
5448	if( partial == 0 )
5449	ssl->in_left = 0;
5450	#if defined(MBEDTLS_SSL_PROTO_DTLS)
5451	ssl->next_record_offset = 0;
5452	ssl->in_epoch = 0;
5453	#endif
5454	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5455	ssl_dtls_replay_reset( ssl );
5456	#endif
5457
5458	ssl->in_hslen = 0;
5459	ssl->nb_zero = 0;
5460	ssl->record_read = 0;
5461
5462	ssl->out_msg = ssl->out_buf + 13;
5463	ssl->out_msgtype = 0;
5464	ssl->out_msglen = 0;
5465	ssl->out_left = 0;
5466	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
5467	if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
5468	ssl->split_done = 0;
5469	#endif
5470
5471	ssl->transform_in = NULL;
5472	ssl->transform_out = NULL;
5473
5474	memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
5475	if( partial == 0 )
5476	memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
5477
5478	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
5479	if( mbedtls_ssl_hw_record_reset != NULL )
5480	{
5481	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
5482	if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
5483	{
5484	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
5485	return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
5486	}
5487	}
5488	#endif
5489
5490	if( ssl->transform )
5491	{
5492	mbedtls_ssl_transform_free( ssl->transform );
5493	mbedtls_free( ssl->transform );
5494	ssl->transform = NULL;
5495	}
5496
5497	if( ssl->session )
5498	{
5499	mbedtls_ssl_session_free( ssl->session );
5500	mbedtls_free( ssl->session );
5501	ssl->session = NULL;
5502	}
5503
5504	#if defined(MBEDTLS_SSL_ALPN)
5505	ssl->alpn_chosen = NULL;
5506	#endif
5507
5508	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5509	if( partial == 0 )
5510	{
5511	mbedtls_free( ssl->cli_id );
5512	ssl->cli_id = NULL;
5513	ssl->cli_id_len = 0;
5514	}
5515	#endif
5516
5517	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
5518	return( ret );
5519
5520	return( 0 );
5521	}
5522
5523	/*
5524	* Reset an initialized and used SSL context for re-use while retaining
5525	* all application-set variables, function pointers and data.
5526	*/
5527	int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
5528	{
5529	return( ssl_session_reset_int( ssl, 0 ) );
5530	}
5531
5532	/*
5533	* SSL set accessors
5534	*/
5535	void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
5536	{
5537	conf->endpoint = endpoint;
5538	}
5539
5540	void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
5541	{
5542	conf->transport = transport;
5543	}
5544
5545	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5546	void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
5547	{
5548	conf->anti_replay = mode;
5549	}
5550	#endif
5551
5552	#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
5553	void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
5554	{
5555	conf->badmac_limit = limit;
5556	}
5557	#endif
5558
5559	#if defined(MBEDTLS_SSL_PROTO_DTLS)
5560	void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max )
5561	{
5562	conf->hs_timeout_min = min;
5563	conf->hs_timeout_max = max;
5564	}
5565	#endif
5566
5567	void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
5568	{
5569	conf->authmode = authmode;
5570	}
5571
5572	#if defined(MBEDTLS_X509_CRT_PARSE_C)
5573	void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
5574	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
5575	void *p_vrfy )
5576	{
5577	conf->f_vrfy = f_vrfy;
5578	conf->p_vrfy = p_vrfy;
5579	}
5580	#endif /* MBEDTLS_X509_CRT_PARSE_C */
5581
5582	void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
5583	int (f_rng)(void , unsigned char *, size_t),
5584	void *p_rng )
5585	{
5586	conf->f_rng = f_rng;
5587	conf->p_rng = p_rng;
5588	}
5589
5590	void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
5591	void (f_dbg)(void , int, const char , int, const char ),
5592	void *p_dbg )
5593	{
5594	conf->f_dbg = f_dbg;
5595	conf->p_dbg = p_dbg;
5596	}
5597
5598	void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
5599	void *p_bio,
5600	int (f_send)(void , const unsigned char *, size_t),
5601	int (f_recv)(void , unsigned char *, size_t),
5602	int (f_recv_timeout)(void , unsigned char *, size_t, uint32_t) )
5603	{
5604	ssl->p_bio = p_bio;
5605	ssl->f_send = f_send;
5606	ssl->f_recv = f_recv;
5607	ssl->f_recv_timeout = f_recv_timeout;
5608	}
5609
5610	void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
5611	{
5612	conf->read_timeout = timeout;
5613	}
5614
5615	void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
5616	void *p_timer,
5617	void (f_set_timer)(void , uint32_t int_ms, uint32_t fin_ms),
5618	int (f_get_timer)(void ) )
5619	{
5620	ssl->p_timer = p_timer;
5621	ssl->f_set_timer = f_set_timer;
5622	ssl->f_get_timer = f_get_timer;
5623
5624	/* Make sure we start with no timer running */
5625	ssl_set_timer( ssl, 0 );
5626	}
5627
5628	#if defined(MBEDTLS_SSL_SRV_C)
5629	void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
5630	void *p_cache,
5631	int (f_get_cache)(void , mbedtls_ssl_session *),
5632	int (f_set_cache)(void , const mbedtls_ssl_session *) )
5633	{
5634	conf->p_cache = p_cache;
5635	conf->f_get_cache = f_get_cache;
5636	conf->f_set_cache = f_set_cache;
5637	}
5638	#endif /* MBEDTLS_SSL_SRV_C */
5639
5640	#if defined(MBEDTLS_SSL_CLI_C)
5641	int mbedtls_ssl_set_session( mbedtls_ssl_context ssl, const mbedtls_ssl_session session )
5642	{
5643	int ret;
5644
5645	if( ssl == NULL \|\|
5646	session == NULL \|\|
5647	ssl->session_negotiate == NULL \|\|
5648	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
5649	{
5650	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5651	}
5652
5653	if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
5654	return( ret );
5655
5656	ssl->handshake->resume = 1;
5657
5658	return( 0 );
5659	}
5660	#endif /* MBEDTLS_SSL_CLI_C */
5661
5662	void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
5663	const int *ciphersuites )
5664	{
5665	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
5666	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
5667	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
5668	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
5669	}
5670
5671	void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
5672	const int *ciphersuites,
5673	int major, int minor )
5674	{
5675	if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
5676	return;
5677
5678	if( minor < MBEDTLS_SSL_MINOR_VERSION_0 \|\| minor > MBEDTLS_SSL_MINOR_VERSION_3 )
5679	return;
5680
5681	conf->ciphersuite_list[minor] = ciphersuites;
5682	}
5683
5684	#if defined(MBEDTLS_X509_CRT_PARSE_C)
5685	void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
5686	const mbedtls_x509_crt_profile *profile )
5687	{
5688	conf->cert_profile = profile;
5689	}
5690
5691	/* Append a new keycert entry to a (possibly empty) list */
5692	static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
5693	mbedtls_x509_crt *cert,
5694	mbedtls_pk_context *key )
5695	{
5696	mbedtls_ssl_key_cert *new;
5697
5698	new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
5699	if( new == NULL )
5700	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5701
5702	new->cert = cert;
5703	new->key = key;
5704	new->next = NULL;
5705
5706	/* Update head is the list was null, else add to the end */
5707	if( *head == NULL )
5708	{
5709	*head = new;
5710	}
5711	else
5712	{
5713	mbedtls_ssl_key_cert cur = head;
5714	while( cur->next != NULL )
5715	cur = cur->next;
5716	cur->next = new;
5717	}
5718
5719	return( 0 );
5720	}
5721
5722	int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
5723	mbedtls_x509_crt *own_cert,
5724	mbedtls_pk_context *pk_key )
5725	{
5726	return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
5727	}
5728
5729	void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
5730	mbedtls_x509_crt *ca_chain,
5731	mbedtls_x509_crl *ca_crl )
5732	{
5733	conf->ca_chain = ca_chain;
5734	conf->ca_crl = ca_crl;
5735	}
5736	#endif /* MBEDTLS_X509_CRT_PARSE_C */
5737
5738	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5739	int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
5740	mbedtls_x509_crt *own_cert,
5741	mbedtls_pk_context *pk_key )
5742	{
5743	return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
5744	own_cert, pk_key ) );
5745	}
5746
5747	void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
5748	mbedtls_x509_crt *ca_chain,
5749	mbedtls_x509_crl *ca_crl )
5750	{
5751	ssl->handshake->sni_ca_chain = ca_chain;
5752	ssl->handshake->sni_ca_crl = ca_crl;
5753	}
5754
5755	void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
5756	int authmode )
5757	{
5758	ssl->handshake->sni_authmode = authmode;
5759	}
5760	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
5761
5762	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
5763	/*
5764	* Set EC J-PAKE password for current handshake
5765	*/
5766	int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
5767	const unsigned char *pw,
5768	size_t pw_len )
5769	{
5770	mbedtls_ecjpake_role role;
5771
5772	if( ssl->handshake == NULL && ssl->conf == NULL )
5773	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5774
5775	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
5776	role = MBEDTLS_ECJPAKE_SERVER;
5777	else
5778	role = MBEDTLS_ECJPAKE_CLIENT;
5779
5780	return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
5781	role,
5782	MBEDTLS_MD_SHA256,
5783	MBEDTLS_ECP_DP_SECP256R1,
5784	pw, pw_len ) );
5785	}
5786	#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
5787
5788	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
5789	int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
5790	const unsigned char *psk, size_t psk_len,
5791	const unsigned char *psk_identity, size_t psk_identity_len )
5792	{
5793	if( psk == NULL \|\| psk_identity == NULL )
5794	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5795
5796	if( psk_len > MBEDTLS_PSK_MAX_LEN )
5797	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5798
5799	/* Identity len will be encoded on two bytes */
5800	if( ( psk_identity_len >> 16 ) != 0 \|\|
5801	psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
5802	{
5803	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5804	}
5805
5806	if( conf->psk != NULL \|\| conf->psk_identity != NULL )
5807	{
5808	mbedtls_free( conf->psk );
5809	mbedtls_free( conf->psk_identity );
5810	conf->psk = NULL;
5811	conf->psk_identity = NULL;
5812	}
5813
5814	if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL \|\|
5815	( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
5816	{
5817	mbedtls_free( conf->psk );
5818	mbedtls_free( conf->psk_identity );
5819	conf->psk = NULL;
5820	conf->psk_identity = NULL;
5821	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5822	}
5823
5824	conf->psk_len = psk_len;
5825	conf->psk_identity_len = psk_identity_len;
5826
5827	memcpy( conf->psk, psk, conf->psk_len );
5828	memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
5829
5830	return( 0 );
5831	}
5832
5833	int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
5834	const unsigned char *psk, size_t psk_len )
5835	{
5836	if( psk == NULL \|\| ssl->handshake == NULL )
5837	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5838
5839	if( psk_len > MBEDTLS_PSK_MAX_LEN )
5840	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5841
5842	if( ssl->handshake->psk != NULL )
5843	mbedtls_free( ssl->handshake->psk );
5844
5845	if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
5846	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5847
5848	ssl->handshake->psk_len = psk_len;
5849	memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
5850
5851	return( 0 );
5852	}
5853
5854	void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
5855	int (f_psk)(void , mbedtls_ssl_context , const unsigned char ,
5856	size_t),
5857	void *p_psk )
5858	{
5859	conf->f_psk = f_psk;
5860	conf->p_psk = p_psk;
5861	}
5862	#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
5863
5864	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5865	int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config conf, const char dhm_P, const char *dhm_G )
5866	{
5867	int ret;
5868
5869	if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 \|\|
5870	( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
5871	{
5872	mbedtls_mpi_free( &conf->dhm_P );
5873	mbedtls_mpi_free( &conf->dhm_G );
5874	return( ret );
5875	}
5876
5877	return( 0 );
5878	}
5879
5880	int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config conf, mbedtls_dhm_context dhm_ctx )
5881	{
5882	int ret;
5883
5884	if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 \|\|
5885	( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
5886	{
5887	mbedtls_mpi_free( &conf->dhm_P );
5888	mbedtls_mpi_free( &conf->dhm_G );
5889	return( ret );
5890	}
5891
5892	return( 0 );
5893	}
5894	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
5895
5896	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
5897	/*
5898	* Set the minimum length for Diffie-Hellman parameters
5899	*/
5900	void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
5901	unsigned int bitlen )
5902	{
5903	conf->dhm_min_bitlen = bitlen;
5904	}
5905	#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
5906
5907	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
5908	/*
5909	* Set allowed/preferred hashes for handshake signatures
5910	*/
5911	void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
5912	const int *hashes )
5913	{
5914	conf->sig_hashes = hashes;
5915	}
5916	#endif
5917
5918	#if defined(MBEDTLS_ECP_C)
5919	/*
5920	* Set the allowed elliptic curves
5921	*/
5922	void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
5923	const mbedtls_ecp_group_id *curve_list )
5924	{
5925	conf->curve_list = curve_list;
5926	}
5927	#endif
5928
5929	#if defined(MBEDTLS_X509_CRT_PARSE_C)
5930	int mbedtls_ssl_set_hostname( mbedtls_ssl_context ssl, const char hostname )
5931	{
5932	size_t hostname_len;
5933
5934	if( hostname == NULL )
5935	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5936
5937	hostname_len = strlen( hostname );
5938
5939	if( hostname_len + 1 == 0 )
5940	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5941
5942	if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
5943	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5944
5945	ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
5946
5947	if( ssl->hostname == NULL )
5948	return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5949
5950	memcpy( ssl->hostname, hostname, hostname_len );
5951
5952	ssl->hostname[hostname_len] = '\0';
5953
5954	return( 0 );
5955	}
5956	#endif
5957
5958	#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5959	void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
5960	int (f_sni)(void , mbedtls_ssl_context *,
5961	const unsigned char *, size_t),
5962	void *p_sni )
5963	{
5964	conf->f_sni = f_sni;
5965	conf->p_sni = p_sni;
5966	}
5967	#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
5968
5969	#if defined(MBEDTLS_SSL_ALPN)
5970	int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config conf, const char *protos )
5971	{
5972	size_t cur_len, tot_len;
5973	const char **p;
5974
5975	/*
5976	* "Empty strings MUST NOT be included and byte strings MUST NOT be
5977	* truncated". Check lengths now rather than later.
5978	*/
5979	tot_len = 0;
5980	for( p = protos; *p != NULL; p++ )
5981	{
5982	cur_len = strlen( *p );
5983	tot_len += cur_len;
5984
5985	if( cur_len == 0 \|\| cur_len > 255 \|\| tot_len > 65535 )
5986	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5987	}
5988
5989	conf->alpn_list = protos;
5990
5991	return( 0 );
5992	}
5993
5994	const char mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context ssl )
5995	{
5996	return( ssl->alpn_chosen );
5997	}
5998	#endif /* MBEDTLS_SSL_ALPN */
5999
6000	void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
6001	{
6002	conf->max_major_ver = major;
6003	conf->max_minor_ver = minor;
6004	}
6005
6006	void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
6007	{
6008	conf->min_major_ver = major;
6009	conf->min_minor_ver = minor;
6010	}
6011
6012	#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
6013	void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
6014	{
6015	conf->fallback = fallback;
6016	}
6017	#endif
6018
6019	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
6020	void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
6021	{
6022	conf->encrypt_then_mac = etm;
6023	}
6024	#endif
6025
6026	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6027	void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
6028	{
6029	conf->extended_ms = ems;
6030	}
6031	#endif
6032
6033	#if defined(MBEDTLS_ARC4_C)
6034	void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
6035	{
6036	conf->arc4_disabled = arc4;
6037	}
6038	#endif
6039
6040	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
6041	int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
6042	{
6043	if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID \|\|
6044	mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
6045	{
6046	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6047	}
6048
6049	conf->mfl_code = mfl_code;
6050
6051	return( 0 );
6052	}
6053	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
6054
6055	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
6056	void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
6057	{
6058	conf->trunc_hmac = truncate;
6059	}
6060	#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
6061
6062	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
6063	void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
6064	{
6065	conf->cbc_record_splitting = split;
6066	}
6067	#endif
6068
6069	void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
6070	{
6071	conf->allow_legacy_renegotiation = allow_legacy;
6072	}
6073
6074	#if defined(MBEDTLS_SSL_RENEGOTIATION)
6075	void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
6076	{
6077	conf->disable_renegotiation = renegotiation;
6078	}
6079
6080	void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
6081	{
6082	conf->renego_max_records = max_records;
6083	}
6084
6085	void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
6086	const unsigned char period[8] )
6087	{
6088	memcpy( conf->renego_period, period, 8 );
6089	}
6090	#endif /* MBEDTLS_SSL_RENEGOTIATION */
6091
6092	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
6093	#if defined(MBEDTLS_SSL_CLI_C)
6094	void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
6095	{
6096	conf->session_tickets = use_tickets;
6097	}
6098	#endif
6099
6100	#if defined(MBEDTLS_SSL_SRV_C)
6101	void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
6102	mbedtls_ssl_ticket_write_t *f_ticket_write,
6103	mbedtls_ssl_ticket_parse_t *f_ticket_parse,
6104	void *p_ticket )
6105	{
6106	conf->f_ticket_write = f_ticket_write;
6107	conf->f_ticket_parse = f_ticket_parse;
6108	conf->p_ticket = p_ticket;
6109	}
6110	#endif
6111	#endif /* MBEDTLS_SSL_SESSION_TICKETS */
6112
6113	#if defined(MBEDTLS_SSL_EXPORT_KEYS)
6114	void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
6115	mbedtls_ssl_export_keys_t *f_export_keys,
6116	void *p_export_keys )
6117	{
6118	conf->f_export_keys = f_export_keys;
6119	conf->p_export_keys = p_export_keys;
6120	}
6121	#endif
6122
6123	/*
6124	* SSL get accessors
6125	*/
6126	size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
6127	{
6128	return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
6129	}
6130
6131	uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
6132	{
6133	if( ssl->session != NULL )
6134	return( ssl->session->verify_result );
6135
6136	if( ssl->session_negotiate != NULL )
6137	return( ssl->session_negotiate->verify_result );
6138
6139	return( 0xFFFFFFFF );
6140	}
6141
6142	const char mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context ssl )
6143	{
6144	if( ssl == NULL \|\| ssl->session == NULL )
6145	return( NULL );
6146
6147	return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
6148	}
6149
6150	const char mbedtls_ssl_get_version( const mbedtls_ssl_context ssl )
6151	{
6152	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6153	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6154	{
6155	switch( ssl->minor_ver )
6156	{
6157	case MBEDTLS_SSL_MINOR_VERSION_2:
6158	return( "DTLSv1.0" );
6159
6160	case MBEDTLS_SSL_MINOR_VERSION_3:
6161	return( "DTLSv1.2" );
6162
6163	default:
6164	return( "unknown (DTLS)" );
6165	}
6166	}
6167	#endif
6168
6169	switch( ssl->minor_ver )
6170	{
6171	case MBEDTLS_SSL_MINOR_VERSION_0:
6172	return( "SSLv3.0" );
6173
6174	case MBEDTLS_SSL_MINOR_VERSION_1:
6175	return( "TLSv1.0" );
6176
6177	case MBEDTLS_SSL_MINOR_VERSION_2:
6178	return( "TLSv1.1" );
6179
6180	case MBEDTLS_SSL_MINOR_VERSION_3:
6181	return( "TLSv1.2" );
6182
6183	default:
6184	return( "unknown" );
6185	}
6186	}
6187
6188	int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
6189	{
6190	size_t transform_expansion;
6191	const mbedtls_ssl_transform *transform = ssl->transform_out;
6192
6193	#if defined(MBEDTLS_ZLIB_SUPPORT)
6194	if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
6195	return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
6196	#endif
6197
6198	if( transform == NULL )
6199	return( (int) mbedtls_ssl_hdr_len( ssl ) );
6200
6201	switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
6202	{
6203	case MBEDTLS_MODE_GCM:
6204	case MBEDTLS_MODE_CCM:
6205	case MBEDTLS_MODE_STREAM:
6206	transform_expansion = transform->minlen;
6207	break;
6208
6209	case MBEDTLS_MODE_CBC:
6210	transform_expansion = transform->maclen
6211	+ mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc );
6212	break;
6213
6214	default:
6215	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
6216	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
6217	}
6218
6219	return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
6220	}
6221
6222	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
6223	size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
6224	{
6225	size_t max_len;
6226
6227	/*
6228	* Assume mfl_code is correct since it was checked when set
6229	*/
6230	max_len = mfl_code_to_length[ssl->conf->mfl_code];
6231
6232	/*
6233	* Check if a smaller max length was negotiated
6234	*/
6235	if( ssl->session_out != NULL &&
6236	mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
6237	{
6238	max_len = mfl_code_to_length[ssl->session_out->mfl_code];
6239	}
6240
6241	return max_len;
6242	}
6243	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
6244
6245	#if defined(MBEDTLS_X509_CRT_PARSE_C)
6246	const mbedtls_x509_crt mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context ssl )
6247	{
6248	if( ssl == NULL \|\| ssl->session == NULL )
6249	return( NULL );
6250
6251	return( ssl->session->peer_cert );
6252	}
6253	#endif /* MBEDTLS_X509_CRT_PARSE_C */
6254
6255	#if defined(MBEDTLS_SSL_CLI_C)
6256	int mbedtls_ssl_get_session( const mbedtls_ssl_context ssl, mbedtls_ssl_session dst )
6257	{
6258	if( ssl == NULL \|\|
6259	dst == NULL \|\|
6260	ssl->session == NULL \|\|
6261	ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
6262	{
6263	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6264	}
6265
6266	return( ssl_session_copy( dst, ssl->session ) );
6267	}
6268	#endif /* MBEDTLS_SSL_CLI_C */
6269
6270	/*
6271	* Perform a single step of the SSL handshake
6272	*/
6273	int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
6274	{
6275	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6276
6277	if( ssl == NULL \|\| ssl->conf == NULL )
6278	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6279
6280	#if defined(MBEDTLS_SSL_CLI_C)
6281	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
6282	ret = mbedtls_ssl_handshake_client_step( ssl );
6283	#endif
6284	#if defined(MBEDTLS_SSL_SRV_C)
6285	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
6286	ret = mbedtls_ssl_handshake_server_step( ssl );
6287	#endif
6288
6289	return( ret );
6290	}
6291
6292	/*
6293	* Perform the SSL handshake
6294	*/
6295	int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
6296	{
6297	int ret = 0;
6298
6299	if( ssl == NULL \|\| ssl->conf == NULL )
6300	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6301
6302	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
6303
6304	while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
6305	{
6306	ret = mbedtls_ssl_handshake_step( ssl );
6307
6308	if( ret != 0 )
6309	break;
6310	}
6311
6312	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
6313
6314	return( ret );
6315	}
6316
6317	#if defined(MBEDTLS_SSL_RENEGOTIATION)
6318	#if defined(MBEDTLS_SSL_SRV_C)
6319	/*
6320	* Write HelloRequest to request renegotiation on server
6321	*/
6322	static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
6323	{
6324	int ret;
6325
6326	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
6327
6328	ssl->out_msglen = 4;
6329	ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
6330	ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
6331
6332	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
6333	{
6334	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
6335	return( ret );
6336	}
6337
6338	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
6339
6340	return( 0 );
6341	}
6342	#endif /* MBEDTLS_SSL_SRV_C */
6343
6344	/*
6345	* Actually renegotiate current connection, triggered by either:
6346	* - any side: calling mbedtls_ssl_renegotiate(),
6347	* - client: receiving a HelloRequest during mbedtls_ssl_read(),
6348	* - server: receiving any handshake message on server during mbedtls_ssl_read() after
6349	* the initial handshake is completed.
6350	* If the handshake doesn't complete due to waiting for I/O, it will continue
6351	* during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
6352	*/
6353	static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
6354	{
6355	int ret;
6356
6357	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
6358
6359	if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
6360	return( ret );
6361
6362	/* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
6363	* the ServerHello will have message_seq = 1" */
6364	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6365	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
6366	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
6367	{
6368	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
6369	ssl->handshake->out_msg_seq = 1;
6370	else
6371	ssl->handshake->in_msg_seq = 1;
6372	}
6373	#endif
6374
6375	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
6376	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
6377
6378	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
6379	{
6380	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
6381	return( ret );
6382	}
6383
6384	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
6385
6386	return( 0 );
6387	}
6388
6389	/*
6390	* Renegotiate current connection on client,
6391	* or request renegotiation on server
6392	*/
6393	int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
6394	{
6395	int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6396
6397	if( ssl == NULL \|\| ssl->conf == NULL )
6398	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6399
6400	#if defined(MBEDTLS_SSL_SRV_C)
6401	/* On server, just send the request */
6402	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
6403	{
6404	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
6405	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6406
6407	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
6408
6409	/* Did we already try/start sending HelloRequest? */
6410	if( ssl->out_left != 0 )
6411	return( mbedtls_ssl_flush_output( ssl ) );
6412
6413	return( ssl_write_hello_request( ssl ) );
6414	}
6415	#endif /* MBEDTLS_SSL_SRV_C */
6416
6417	#if defined(MBEDTLS_SSL_CLI_C)
6418	/*
6419	* On client, either start the renegotiation process or,
6420	* if already in progress, continue the handshake
6421	*/
6422	if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
6423	{
6424	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
6425	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6426
6427	if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
6428	{
6429	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
6430	return( ret );
6431	}
6432	}
6433	else
6434	{
6435	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
6436	{
6437	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
6438	return( ret );
6439	}
6440	}
6441	#endif /* MBEDTLS_SSL_CLI_C */
6442
6443	return( ret );
6444	}
6445
6446	/*
6447	* Check record counters and renegotiate if they're above the limit.
6448	*/
6449	static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
6450	{
6451	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER \|\|
6452	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING \|\|
6453	ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
6454	{
6455	return( 0 );
6456	}
6457
6458	if( memcmp( ssl->in_ctr, ssl->conf->renego_period, 8 ) <= 0 &&
6459	memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 )
6460	{
6461	return( 0 );
6462	}
6463
6464	MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
6465	return( mbedtls_ssl_renegotiate( ssl ) );
6466	}
6467	#endif /* MBEDTLS_SSL_RENEGOTIATION */
6468
6469	/*
6470	* Receive application data decrypted from the SSL layer
6471	*/
6472	int mbedtls_ssl_read( mbedtls_ssl_context ssl, unsigned char buf, size_t len )
6473	{
6474	int ret, record_read = 0;
6475	size_t n;
6476
6477	if( ssl == NULL \|\| ssl->conf == NULL )
6478	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6479
6480	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
6481
6482	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6483	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6484	{
6485	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
6486	return( ret );
6487
6488	if( ssl->handshake != NULL &&
6489	ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
6490	{
6491	if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
6492	return( ret );
6493	}
6494	}
6495	#endif
6496
6497	#if defined(MBEDTLS_SSL_RENEGOTIATION)
6498	if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
6499	{
6500	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
6501	return( ret );
6502	}
6503	#endif
6504
6505	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
6506	{
6507	ret = mbedtls_ssl_handshake( ssl );
6508	if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
6509	{
6510	record_read = 1;
6511	}
6512	else if( ret != 0 )
6513	{
6514	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
6515	return( ret );
6516	}
6517	}
6518
6519	if( ssl->in_offt == NULL )
6520	{
6521	/* Start timer if not already running */
6522	if( ssl->f_get_timer != NULL &&
6523	ssl->f_get_timer( ssl->p_timer ) == -1 )
6524	{
6525	ssl_set_timer( ssl, ssl->conf->read_timeout );
6526	}
6527
6528	if( ! record_read )
6529	{
6530	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
6531	{
6532	if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
6533	return( 0 );
6534
6535	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
6536	return( ret );
6537	}
6538	}
6539
6540	if( ssl->in_msglen == 0 &&
6541	ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
6542	{
6543	/*
6544	* OpenSSL sends empty messages to randomize the IV
6545	*/
6546	if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
6547	{
6548	if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
6549	return( 0 );
6550
6551	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
6552	return( ret );
6553	}
6554	}
6555
6556	#if defined(MBEDTLS_SSL_RENEGOTIATION)
6557	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
6558	{
6559	MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
6560
6561	#if defined(MBEDTLS_SSL_CLI_C)
6562	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
6563	( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST \|\|
6564	ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
6565	{
6566	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
6567
6568	/* With DTLS, drop the packet (probably from last handshake) */
6569	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6570	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6571	return( MBEDTLS_ERR_SSL_WANT_READ );
6572	#endif
6573	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
6574	}
6575
6576	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
6577	ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
6578	{
6579	MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
6580
6581	/* With DTLS, drop the packet (probably from last handshake) */
6582	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6583	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6584	return( MBEDTLS_ERR_SSL_WANT_READ );
6585	#endif
6586	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
6587	}
6588	#endif
6589
6590	if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED \|\|
6591	( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
6592	ssl->conf->allow_legacy_renegotiation ==
6593	MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) )
6594	{
6595	MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
6596
6597	#if defined(MBEDTLS_SSL_PROTO_SSL3)
6598	if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
6599	{
6600	/*
6601	* SSLv3 does not have a "no_renegotiation" alert
6602	*/
6603	if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
6604	return( ret );
6605	}
6606	else
6607	#endif /* MBEDTLS_SSL_PROTO_SSL3 */
6608	#if defined(MBEDTLS_SSL_PROTO_TLS1) \|\| defined(MBEDTLS_SSL_PROTO_TLS1_1) \|\| \
6609	defined(MBEDTLS_SSL_PROTO_TLS1_2)
6610	if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
6611	{
6612	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
6613	MBEDTLS_SSL_ALERT_LEVEL_WARNING,
6614	MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
6615	{
6616	return( ret );
6617	}
6618	}
6619	else
6620	#endif /* MBEDTLS_SSL_PROTO_TLS1 \|\| MBEDTLS_SSL_PROTO_TLS1_1 \|\|
6621	MBEDTLS_SSL_PROTO_TLS1_2 */
6622	{
6623	MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
6624	return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
6625	}
6626	}
6627	else
6628	{
6629	/* DTLS clients need to know renego is server-initiated */
6630	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6631	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
6632	ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
6633	{
6634	ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
6635	}
6636	#endif
6637	ret = ssl_start_renegotiation( ssl );
6638	if( ret == MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
6639	{
6640	record_read = 1;
6641	}
6642	else if( ret != 0 )
6643	{
6644	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
6645	return( ret );
6646	}
6647	}
6648
6649	/* If a non-handshake record was read during renego, fallthrough,
6650	* else tell the user they should call mbedtls_ssl_read() again */
6651	if( ! record_read )
6652	return( MBEDTLS_ERR_SSL_WANT_READ );
6653	}
6654	else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
6655	{
6656
6657	if( ssl->conf->renego_max_records >= 0 )
6658	{
6659	if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
6660	{
6661	MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
6662	"but not honored by client" ) );
6663	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
6664	}
6665	}
6666	}
6667	#endif /* MBEDTLS_SSL_RENEGOTIATION */
6668
6669	/* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
6670	if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
6671	{
6672	MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
6673	return( MBEDTLS_ERR_SSL_WANT_READ );
6674	}
6675
6676	if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
6677	{
6678	MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
6679	return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
6680	}
6681
6682	ssl->in_offt = ssl->in_msg;
6683
6684	/* We're going to return something now, cancel timer,
6685	* except if handshake (renegotiation) is in progress */
6686	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
6687	ssl_set_timer( ssl, 0 );
6688
6689	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6690	/* If we requested renego but received AppData, resend HelloRequest.
6691	* Do it now, after setting in_offt, to avoid taking this branch
6692	* again if ssl_write_hello_request() returns WANT_WRITE */
6693	#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
6694	if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
6695	ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
6696	{
6697	if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
6698	{
6699	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
6700	return( ret );
6701	}
6702	}
6703	#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
6704	#endif
6705	}
6706
6707	n = ( len < ssl->in_msglen )
6708	? len : ssl->in_msglen;
6709
6710	memcpy( buf, ssl->in_offt, n );
6711	ssl->in_msglen -= n;
6712
6713	if( ssl->in_msglen == 0 )
6714	/* all bytes consumed */
6715	ssl->in_offt = NULL;
6716	else
6717	/* more data available */
6718	ssl->in_offt += n;
6719
6720	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
6721
6722	return( (int) n );
6723	}
6724
6725	/*
6726	* Send application data to be encrypted by the SSL layer,
6727	* taking care of max fragment length and buffer size
6728	*/
6729	static int ssl_write_real( mbedtls_ssl_context *ssl,
6730	const unsigned char *buf, size_t len )
6731	{
6732	int ret;
6733	#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
6734	size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
6735
6736	if( len > max_len )
6737	{
6738	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6739	if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6740	{
6741	MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
6742	"maximum fragment length: %d > %d",
6743	len, max_len ) );
6744	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6745	}
6746	else
6747	#endif
6748	len = max_len;
6749	}
6750	#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
6751
6752	if( ssl->out_left != 0 )
6753	{
6754	if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
6755	{
6756	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
6757	return( ret );
6758	}
6759	}
6760	else
6761	{
6762	ssl->out_msglen = len;
6763	ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
6764	memcpy( ssl->out_msg, buf, len );
6765
6766	if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
6767	{
6768	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
6769	return( ret );
6770	}
6771	}
6772
6773	return( (int) len );
6774	}
6775
6776	/*
6777	* Write application data, doing 1/n-1 splitting if necessary.
6778	*
6779	* With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
6780	* then the caller will call us again with the same arguments, so
6781	* remember wether we already did the split or not.
6782	*/
6783	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
6784	static int ssl_write_split( mbedtls_ssl_context *ssl,
6785	const unsigned char *buf, size_t len )
6786	{
6787	int ret;
6788
6789	if( ssl->conf->cbc_record_splitting ==
6790	MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED \|\|
6791	len <= 1 \|\|
6792	ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 \|\|
6793	mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
6794	!= MBEDTLS_MODE_CBC )
6795	{
6796	return( ssl_write_real( ssl, buf, len ) );
6797	}
6798
6799	if( ssl->split_done == 0 )
6800	{
6801	if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
6802	return( ret );
6803	ssl->split_done = 1;
6804	}
6805
6806	if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
6807	return( ret );
6808	ssl->split_done = 0;
6809
6810	return( ret + 1 );
6811	}
6812	#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
6813
6814	/*
6815	* Write application data (public-facing wrapper)
6816	*/
6817	int mbedtls_ssl_write( mbedtls_ssl_context ssl, const unsigned char buf, size_t len )
6818	{
6819	int ret;
6820
6821	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
6822
6823	if( ssl == NULL \|\| ssl->conf == NULL )
6824	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6825
6826	#if defined(MBEDTLS_SSL_RENEGOTIATION)
6827	if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
6828	{
6829	MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
6830	return( ret );
6831	}
6832	#endif
6833
6834	if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
6835	{
6836	if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
6837	{
6838	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
6839	return( ret );
6840	}
6841	}
6842
6843	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
6844	ret = ssl_write_split( ssl, buf, len );
6845	#else
6846	ret = ssl_write_real( ssl, buf, len );
6847	#endif
6848
6849	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
6850
6851	return( ret );
6852	}
6853
6854	/*
6855	* Notify the peer that the connection is being closed
6856	*/
6857	int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
6858	{
6859	int ret;
6860
6861	if( ssl == NULL \|\| ssl->conf == NULL )
6862	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6863
6864	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
6865
6866	if( ssl->out_left != 0 )
6867	return( mbedtls_ssl_flush_output( ssl ) );
6868
6869	if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
6870	{
6871	if( ( ret = mbedtls_ssl_send_alert_message( ssl,
6872	MBEDTLS_SSL_ALERT_LEVEL_WARNING,
6873	MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
6874	{
6875	MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
6876	return( ret );
6877	}
6878	}
6879
6880	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
6881
6882	return( 0 );
6883	}
6884
6885	void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
6886	{
6887	if( transform == NULL )
6888	return;
6889
6890	#if defined(MBEDTLS_ZLIB_SUPPORT)
6891	deflateEnd( &transform->ctx_deflate );
6892	inflateEnd( &transform->ctx_inflate );
6893	#endif
6894
6895	mbedtls_cipher_free( &transform->cipher_ctx_enc );
6896	mbedtls_cipher_free( &transform->cipher_ctx_dec );
6897
6898	mbedtls_md_free( &transform->md_ctx_enc );
6899	mbedtls_md_free( &transform->md_ctx_dec );
6900
6901	mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
6902	}
6903
6904	#if defined(MBEDTLS_X509_CRT_PARSE_C)
6905	static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
6906	{
6907	mbedtls_ssl_key_cert cur = key_cert, next;
6908
6909	while( cur != NULL )
6910	{
6911	next = cur->next;
6912	mbedtls_free( cur );
6913	cur = next;
6914	}
6915	}
6916	#endif /* MBEDTLS_X509_CRT_PARSE_C */
6917
6918	void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
6919	{
6920	if( handshake == NULL )
6921	return;
6922
6923	#if defined(MBEDTLS_SSL_PROTO_SSL3) \|\| defined(MBEDTLS_SSL_PROTO_TLS1) \|\| \
6924	defined(MBEDTLS_SSL_PROTO_TLS1_1)
6925	mbedtls_md5_free( &handshake->fin_md5 );
6926	mbedtls_sha1_free( &handshake->fin_sha1 );
6927	#endif
6928	#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6929	#if defined(MBEDTLS_SHA256_C)
6930	mbedtls_sha256_free( &handshake->fin_sha256 );
6931	#endif
6932	#if defined(MBEDTLS_SHA512_C)
6933	mbedtls_sha512_free( &handshake->fin_sha512 );
6934	#endif
6935	#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6936
6937	#if defined(MBEDTLS_DHM_C)
6938	mbedtls_dhm_free( &handshake->dhm_ctx );
6939	#endif
6940	#if defined(MBEDTLS_ECDH_C)
6941	mbedtls_ecdh_free( &handshake->ecdh_ctx );
6942	#endif
6943	#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
6944	mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
6945	#if defined(MBEDTLS_SSL_CLI_C)
6946	mbedtls_free( handshake->ecjpake_cache );
6947	handshake->ecjpake_cache = NULL;
6948	handshake->ecjpake_cache_len = 0;
6949	#endif
6950	#endif
6951
6952	#if defined(MBEDTLS_ECDH_C) \|\| defined(MBEDTLS_ECDSA_C)
6953	/* explicit void pointer cast for buggy MS compiler */
6954	mbedtls_free( (void *) handshake->curves );
6955	#endif
6956
6957	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
6958	if( handshake->psk != NULL )
6959	{
6960	mbedtls_zeroize( handshake->psk, handshake->psk_len );
6961	mbedtls_free( handshake->psk );
6962	}
6963	#endif
6964
6965	#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
6966	defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
6967	/*
6968	* Free only the linked list wrapper, not the keys themselves
6969	* since the belong to the SNI callback
6970	*/
6971	if( handshake->sni_key_cert != NULL )
6972	{
6973	mbedtls_ssl_key_cert cur = handshake->sni_key_cert, next;
6974
6975	while( cur != NULL )
6976	{
6977	next = cur->next;
6978	mbedtls_free( cur );
6979	cur = next;
6980	}
6981	}
6982	#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
6983
6984	#if defined(MBEDTLS_SSL_PROTO_DTLS)
6985	mbedtls_free( handshake->verify_cookie );
6986	mbedtls_free( handshake->hs_msg );
6987	ssl_flight_free( handshake->flight );
6988	#endif
6989
6990	mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) );
6991	}
6992
6993	void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
6994	{
6995	if( session == NULL )
6996	return;
6997
6998	#if defined(MBEDTLS_X509_CRT_PARSE_C)
6999	if( session->peer_cert != NULL )
7000	{
7001	mbedtls_x509_crt_free( session->peer_cert );
7002	mbedtls_free( session->peer_cert );
7003	}
7004	#endif
7005
7006	#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
7007	mbedtls_free( session->ticket );
7008	#endif
7009
7010	mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) );
7011	}
7012
7013	/*
7014	* Free an SSL context
7015	*/
7016	void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
7017	{
7018	if( ssl == NULL )
7019	return;
7020
7021	MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
7022
7023	if( ssl->out_buf != NULL )
7024	{
7025	mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
7026	mbedtls_free( ssl->out_buf );
7027	}
7028
7029	if( ssl->in_buf != NULL )
7030	{
7031	mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
7032	mbedtls_free( ssl->in_buf );
7033	}
7034
7035	#if defined(MBEDTLS_ZLIB_SUPPORT)
7036	if( ssl->compress_buf != NULL )
7037	{
7038	mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
7039	mbedtls_free( ssl->compress_buf );
7040	}
7041	#endif
7042
7043	if( ssl->transform )
7044	{
7045	mbedtls_ssl_transform_free( ssl->transform );
7046	mbedtls_free( ssl->transform );
7047	}
7048
7049	if( ssl->handshake )
7050	{
7051	mbedtls_ssl_handshake_free( ssl->handshake );
7052	mbedtls_ssl_transform_free( ssl->transform_negotiate );
7053	mbedtls_ssl_session_free( ssl->session_negotiate );
7054
7055	mbedtls_free( ssl->handshake );
7056	mbedtls_free( ssl->transform_negotiate );
7057	mbedtls_free( ssl->session_negotiate );
7058	}
7059
7060	if( ssl->session )
7061	{
7062	mbedtls_ssl_session_free( ssl->session );
7063	mbedtls_free( ssl->session );
7064	}
7065
7066	#if defined(MBEDTLS_X509_CRT_PARSE_C)
7067	if( ssl->hostname != NULL )
7068	{
7069	mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
7070	mbedtls_free( ssl->hostname );
7071	}
7072	#endif
7073
7074	#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
7075	if( mbedtls_ssl_hw_record_finish != NULL )
7076	{
7077	MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
7078	mbedtls_ssl_hw_record_finish( ssl );
7079	}
7080	#endif
7081
7082	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
7083	mbedtls_free( ssl->cli_id );
7084	#endif
7085
7086	MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
7087
7088	/* Actually clear after last debug message */
7089	mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
7090	}
7091
7092	/*
7093	* Initialze mbedtls_ssl_config
7094	*/
7095	void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
7096	{
7097	memset( conf, 0, sizeof( mbedtls_ssl_config ) );
7098	}
7099
7100	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7101	static int ssl_preset_default_hashes[] = {
7102	#if defined(MBEDTLS_SHA512_C)
7103	MBEDTLS_MD_SHA512,
7104	MBEDTLS_MD_SHA384,
7105	#endif
7106	#if defined(MBEDTLS_SHA256_C)
7107	MBEDTLS_MD_SHA256,
7108	MBEDTLS_MD_SHA224,
7109	#endif
7110	#if defined(MBEDTLS_SHA1_C)
7111	MBEDTLS_MD_SHA1,
7112	#endif
7113	MBEDTLS_MD_NONE
7114	};
7115	#endif
7116
7117	static int ssl_preset_suiteb_ciphersuites[] = {
7118	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
7119	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
7120	0
7121	};
7122
7123	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7124	static int ssl_preset_suiteb_hashes[] = {
7125	MBEDTLS_MD_SHA256,
7126	MBEDTLS_MD_SHA384,
7127	MBEDTLS_MD_NONE
7128	};
7129	#endif
7130
7131	#if defined(MBEDTLS_ECP_C)
7132	static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
7133	MBEDTLS_ECP_DP_SECP256R1,
7134	MBEDTLS_ECP_DP_SECP384R1,
7135	MBEDTLS_ECP_DP_NONE
7136	};
7137	#endif
7138
7139	/*
7140	* Load default in mbedtls_ssl_config
7141	*/
7142	int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
7143	int endpoint, int transport, int preset )
7144	{
7145	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
7146	int ret;
7147	#endif
7148
7149	/* Use the functions here so that they are covered in tests,
7150	* but otherwise access member directly for efficiency */
7151	mbedtls_ssl_conf_endpoint( conf, endpoint );
7152	mbedtls_ssl_conf_transport( conf, transport );
7153
7154	/*
7155	* Things that are common to all presets
7156	*/
7157	#if defined(MBEDTLS_SSL_CLI_C)
7158	if( endpoint == MBEDTLS_SSL_IS_CLIENT )
7159	{
7160	conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
7161	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
7162	conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
7163	#endif
7164	}
7165	#endif
7166
7167	#if defined(MBEDTLS_ARC4_C)
7168	conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
7169	#endif
7170
7171	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
7172	conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
7173	#endif
7174
7175	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7176	conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
7177	#endif
7178
7179	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
7180	conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
7181	#endif
7182
7183	#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
7184	conf->f_cookie_write = ssl_cookie_write_dummy;
7185	conf->f_cookie_check = ssl_cookie_check_dummy;
7186	#endif
7187
7188	#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
7189	conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
7190	#endif
7191
7192	#if defined(MBEDTLS_SSL_PROTO_DTLS)
7193	conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
7194	conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
7195	#endif
7196
7197	#if defined(MBEDTLS_SSL_RENEGOTIATION)
7198	conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
7199	memset( conf->renego_period, 0xFF, 7 );
7200	conf->renego_period[7] = 0x00;
7201	#endif
7202
7203	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
7204	if( endpoint == MBEDTLS_SSL_IS_SERVER )
7205	{
7206	if( ( ret = mbedtls_ssl_conf_dh_param( conf,
7207	MBEDTLS_DHM_RFC5114_MODP_2048_P,
7208	MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
7209	{
7210	return( ret );
7211	}
7212	}
7213	#endif
7214
7215	/*
7216	* Preset-specific defaults
7217	*/
7218	switch( preset )
7219	{
7220	/*
7221	* NSA Suite B
7222	*/
7223	case MBEDTLS_SSL_PRESET_SUITEB:
7224	conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
7225	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
7226	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
7227	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
7228
7229	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
7230	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
7231	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
7232	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
7233	ssl_preset_suiteb_ciphersuites;
7234
7235	#if defined(MBEDTLS_X509_CRT_PARSE_C)
7236	conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
7237	#endif
7238
7239	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7240	conf->sig_hashes = ssl_preset_suiteb_hashes;
7241	#endif
7242
7243	#if defined(MBEDTLS_ECP_C)
7244	conf->curve_list = ssl_preset_suiteb_curves;
7245	#endif
7246	break;
7247
7248	/*
7249	* Default
7250	*/
7251	default:
7252	conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
7253	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
7254	conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
7255	conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
7256
7257	#if defined(MBEDTLS_SSL_PROTO_DTLS)
7258	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7259	conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
7260	#endif
7261
7262	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
7263	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
7264	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
7265	conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
7266	mbedtls_ssl_list_ciphersuites();
7267
7268	#if defined(MBEDTLS_X509_CRT_PARSE_C)
7269	conf->cert_profile = &mbedtls_x509_crt_profile_default;
7270	#endif
7271
7272	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7273	conf->sig_hashes = ssl_preset_default_hashes;
7274	#endif
7275
7276	#if defined(MBEDTLS_ECP_C)
7277	conf->curve_list = mbedtls_ecp_grp_id_list();
7278	#endif
7279
7280	#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
7281	conf->dhm_min_bitlen = 1024;
7282	#endif
7283	}
7284
7285	return( 0 );
7286	}
7287
7288	/*
7289	* Free mbedtls_ssl_config
7290	*/
7291	void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
7292	{
7293	#if defined(MBEDTLS_DHM_C)
7294	mbedtls_mpi_free( &conf->dhm_P );
7295	mbedtls_mpi_free( &conf->dhm_G );
7296	#endif
7297
7298	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
7299	if( conf->psk != NULL )
7300	{
7301	mbedtls_zeroize( conf->psk, conf->psk_len );
7302	mbedtls_zeroize( conf->psk_identity, conf->psk_identity_len );
7303	mbedtls_free( conf->psk );
7304	mbedtls_free( conf->psk_identity );
7305	conf->psk_len = 0;
7306	conf->psk_identity_len = 0;
7307	}
7308	#endif
7309
7310	#if defined(MBEDTLS_X509_CRT_PARSE_C)
7311	ssl_key_cert_free( conf->key_cert );
7312	#endif
7313
7314	mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) );
7315	}
7316
7317	#if defined(MBEDTLS_PK_C) && \
7318	( defined(MBEDTLS_RSA_C) \|\| defined(MBEDTLS_ECDSA_C) )
7319	/*
7320	* Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
7321	*/
7322	unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
7323	{
7324	#if defined(MBEDTLS_RSA_C)
7325	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
7326	return( MBEDTLS_SSL_SIG_RSA );
7327	#endif
7328	#if defined(MBEDTLS_ECDSA_C)
7329	if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
7330	return( MBEDTLS_SSL_SIG_ECDSA );
7331	#endif
7332	return( MBEDTLS_SSL_SIG_ANON );
7333	}
7334
7335	mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
7336	{
7337	switch( sig )
7338	{
7339	#if defined(MBEDTLS_RSA_C)
7340	case MBEDTLS_SSL_SIG_RSA:
7341	return( MBEDTLS_PK_RSA );
7342	#endif
7343	#if defined(MBEDTLS_ECDSA_C)
7344	case MBEDTLS_SSL_SIG_ECDSA:
7345	return( MBEDTLS_PK_ECDSA );
7346	#endif
7347	default:
7348	return( MBEDTLS_PK_NONE );
7349	}
7350	}
7351	#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C \|\| MBEDTLS_ECDSA_C ) */
7352
7353	/*
7354	* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
7355	*/
7356	mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
7357	{
7358	switch( hash )
7359	{
7360	#if defined(MBEDTLS_MD5_C)
7361	case MBEDTLS_SSL_HASH_MD5:
7362	return( MBEDTLS_MD_MD5 );
7363	#endif
7364	#if defined(MBEDTLS_SHA1_C)
7365	case MBEDTLS_SSL_HASH_SHA1:
7366	return( MBEDTLS_MD_SHA1 );
7367	#endif
7368	#if defined(MBEDTLS_SHA256_C)
7369	case MBEDTLS_SSL_HASH_SHA224:
7370	return( MBEDTLS_MD_SHA224 );
7371	case MBEDTLS_SSL_HASH_SHA256:
7372	return( MBEDTLS_MD_SHA256 );
7373	#endif
7374	#if defined(MBEDTLS_SHA512_C)
7375	case MBEDTLS_SSL_HASH_SHA384:
7376	return( MBEDTLS_MD_SHA384 );
7377	case MBEDTLS_SSL_HASH_SHA512:
7378	return( MBEDTLS_MD_SHA512 );
7379	#endif
7380	default:
7381	return( MBEDTLS_MD_NONE );
7382	}
7383	}
7384
7385	/*
7386	* Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
7387	*/
7388	unsigned char mbedtls_ssl_hash_from_md_alg( int md )
7389	{
7390	switch( md )
7391	{
7392	#if defined(MBEDTLS_MD5_C)
7393	case MBEDTLS_MD_MD5:
7394	return( MBEDTLS_SSL_HASH_MD5 );
7395	#endif
7396	#if defined(MBEDTLS_SHA1_C)
7397	case MBEDTLS_MD_SHA1:
7398	return( MBEDTLS_SSL_HASH_SHA1 );
7399	#endif
7400	#if defined(MBEDTLS_SHA256_C)
7401	case MBEDTLS_MD_SHA224:
7402	return( MBEDTLS_SSL_HASH_SHA224 );
7403	case MBEDTLS_MD_SHA256:
7404	return( MBEDTLS_SSL_HASH_SHA256 );
7405	#endif
7406	#if defined(MBEDTLS_SHA512_C)
7407	case MBEDTLS_MD_SHA384:
7408	return( MBEDTLS_SSL_HASH_SHA384 );
7409	case MBEDTLS_MD_SHA512:
7410	return( MBEDTLS_SSL_HASH_SHA512 );
7411	#endif
7412	default:
7413	return( MBEDTLS_SSL_HASH_NONE );
7414	}
7415	}
7416
7417	#if defined(MBEDTLS_ECP_C)
7418	/*
7419	* Check if a curve proposed by the peer is in our list.
7420	* Return 0 if we're willing to use it, -1 otherwise.
7421	*/
7422	int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
7423	{
7424	const mbedtls_ecp_group_id *gid;
7425
7426	if( ssl->conf->curve_list == NULL )
7427	return( -1 );
7428
7429	for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
7430	if( *gid == grp_id )
7431	return( 0 );
7432
7433	return( -1 );
7434	}
7435	#endif /* MBEDTLS_ECP_C */
7436
7437	#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7438	/*
7439	* Check if a hash proposed by the peer is in our list.
7440	* Return 0 if we're willing to use it, -1 otherwise.
7441	*/
7442	int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
7443	mbedtls_md_type_t md )
7444	{
7445	const int *cur;
7446
7447	if( ssl->conf->sig_hashes == NULL )
7448	return( -1 );
7449
7450	for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
7451	if( *cur == (int) md )
7452	return( 0 );
7453
7454	return( -1 );
7455	}
7456	#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
7457
7458	#if defined(MBEDTLS_X509_CRT_PARSE_C)
7459	int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
7460	const mbedtls_ssl_ciphersuite_t *ciphersuite,
7461	int cert_endpoint,
7462	uint32_t *flags )
7463	{
7464	int ret = 0;
7465	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
7466	int usage = 0;
7467	#endif
7468	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
7469	const char *ext_oid;
7470	size_t ext_len;
7471	#endif
7472
7473	#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
7474	!defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
7475	((void) cert);
7476	((void) cert_endpoint);
7477	((void) flags);
7478	#endif
7479
7480	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
7481	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
7482	{
7483	/* Server part of the key exchange */
7484	switch( ciphersuite->key_exchange )
7485	{
7486	case MBEDTLS_KEY_EXCHANGE_RSA:
7487	case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
7488	usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
7489	break;
7490
7491	case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
7492	case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
7493	case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
7494	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
7495	break;
7496
7497	case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
7498	case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
7499	usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
7500	break;
7501
7502	/* Don't use default: we want warnings when adding new values */
7503	case MBEDTLS_KEY_EXCHANGE_NONE:
7504	case MBEDTLS_KEY_EXCHANGE_PSK:
7505	case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
7506	case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
7507	case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
7508	usage = 0;
7509	}
7510	}
7511	else
7512	{
7513	/* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
7514	usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
7515	}
7516
7517	if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
7518	{
7519	*flags \|= MBEDTLS_X509_BADCERT_KEY_USAGE;
7520	ret = -1;
7521	}
7522	#else
7523	((void) ciphersuite);
7524	#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
7525
7526	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
7527	if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
7528	{
7529	ext_oid = MBEDTLS_OID_SERVER_AUTH;
7530	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
7531	}
7532	else
7533	{
7534	ext_oid = MBEDTLS_OID_CLIENT_AUTH;
7535	ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
7536	}
7537
7538	if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
7539	{
7540	*flags \|= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
7541	ret = -1;
7542	}
7543	#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
7544
7545	return( ret );
7546	}
7547	#endif /* MBEDTLS_X509_CRT_PARSE_C */
7548
7549	/*
7550	* Convert version numbers to/from wire format
7551	* and, for DTLS, to/from TLS equivalent.
7552	*
7553	* For TLS this is the identity.
7554	* For DTLS, use one complement (v -> 255 - v, and then map as follows:
7555	* 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
7556	* 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
7557	*/
7558	void mbedtls_ssl_write_version( int major, int minor, int transport,
7559	unsigned char ver[2] )
7560	{
7561	#if defined(MBEDTLS_SSL_PROTO_DTLS)
7562	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7563	{
7564	if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
7565	--minor; /* DTLS 1.0 stored as TLS 1.1 internally */
7566
7567	ver[0] = (unsigned char)( 255 - ( major - 2 ) );
7568	ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
7569	}
7570	else
7571	#else
7572	((void) transport);
7573	#endif
7574	{
7575	ver[0] = (unsigned char) major;
7576	ver[1] = (unsigned char) minor;
7577	}
7578	}
7579
7580	void mbedtls_ssl_read_version( int major, int minor, int transport,
7581	const unsigned char ver[2] )
7582	{
7583	#if defined(MBEDTLS_SSL_PROTO_DTLS)
7584	if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7585	{
7586	*major = 255 - ver[0] + 2;
7587	*minor = 255 - ver[1] + 1;
7588
7589	if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
7590	++minor; / DTLS 1.0 stored as TLS 1.1 internally */
7591	}
7592	else
7593	#else
7594	((void) transport);
7595	#endif
7596	{
7597	*major = ver[0];
7598	*minor = ver[1];
7599	}
7600	}
7601
7602	#endif /* MBEDTLS_SSL_TLS_C */

Note: See TracBrowser for help on using the repository browser.

This Trac instance is not used for development anymore!

Context Navigation

source: ps/trunk/build/premake/premake5/contrib/mbedtls/library/ssl_tls.c

Download in other formats: