Lines Matching defs:ssl
14 #include "mbedtls/ssl.h"
48 int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
52 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
56 mbedtls_free(ssl->cli_id);
58 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
62 memcpy(ssl->cli_id, info, ilen);
63 ssl->cli_id_len = ilen;
107 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
112 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
114 if (len != 1 + ssl->verify_data_len ||
115 buf[0] != ssl->verify_data_len ||
116 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
117 ssl->verify_data_len) != 0) {
119 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
128 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
133 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
181 static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
191 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
199 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
205 if (ssl->handshake->curves_tls_id != NULL) {
207 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
221 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
226 ssl->handshake->curves_tls_id = curves_tls_id;
246 static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
255 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
267 ssl->handshake->ecdh_ctx.point_format = p[0];
271 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
290 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
297 if (ssl->handshake->psa_pake_ctx_is_ok != 1)
299 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
308 &ssl->handshake->psa_pake_ctx, buf, len,
310 psa_destroy_key(ssl->handshake->psa_pake_password);
311 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
315 ssl,
322 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
325 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
332 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
340 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
346 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
351 ssl->session_negotiate->mfl_code = buf[0];
359 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
366 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
368 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
381 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
391 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
397 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
398 /* Leave ssl->handshake->cid_in_use in its default
406 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
411 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
412 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
413 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
424 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
430 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
437 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
438 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
447 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
453 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
460 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
461 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
470 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
479 if (ssl->conf->f_ticket_parse == NULL ||
480 ssl->conf->f_ticket_write == NULL) {
485 ssl->handshake->new_session_ticket = 1;
494 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
503 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
522 session.id_len = ssl->session_negotiate->id_len;
523 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
525 mbedtls_ssl_session_free(ssl->session_negotiate);
526 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
533 ssl->handshake->resume = 1;
536 ssl->handshake->new_session_ticket = 0;
544 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
556 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
557 (ssl->conf->dtls_srtp_profile_list == NULL) ||
558 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
580 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
585 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
594 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
614 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
615 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
616 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
623 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
633 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
639 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
641 ssl->dtls_srtp_info.mki_len = mki_length;
643 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
645 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
646 ssl->dtls_srtp_info.mki_len);
687 static int ssl_pick_cert(mbedtls_ssl_context *ssl,
703 if (ssl->handshake->sni_key_cert != NULL) {
704 list = ssl->handshake->sni_key_cert;
707 list = ssl->conf->key_cert;
734 key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
735 ssl->conf->f_async_decrypt_start != NULL ||
768 ssl->handshake->curves_tls_id) != 0) {
778 /* Do not update ssl->handshake->key_cert unless there is a match */
780 ssl->handshake->key_cert = cur;
782 ssl->handshake->key_cert->cert);
795 static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
813 if (suite_info->min_tls_version > ssl->tls_version ||
814 suite_info->max_tls_version < ssl->tls_version) {
821 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
832 (ssl->handshake->curves_tls_id == NULL ||
833 ssl->handshake->curves_tls_id[0] == 0)) {
844 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
858 if (ssl_pick_cert(ssl, suite_info) != 0) {
871 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
887 static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
924 * flag ssl->keep_current_message is raised.
928 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
930 if (!renegotiating && !ssl->keep_current_message) {
931 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
938 buf = ssl->in_hdr;
940 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
960 MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
968 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
970 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
974 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
979 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
980 sizeof(ssl->cur_out_ctr) - 2);
983 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
985 ssl->next_record_offset = 0;
986 ssl->in_left = 0;
991 mbedtls_ssl_dtls_replay_update(ssl);
996 msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
999 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1001 msg_len = ssl->in_hslen;
1005 if (ssl->keep_current_message) {
1006 ssl->keep_current_message = 0;
1013 if ((ret = mbedtls_ssl_fetch_input(ssl,
1014 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1021 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1022 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1025 ssl->in_left = 0;
1029 buf = ssl->in_msg;
1033 ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1047 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1072 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1075 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1082 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1088 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1090 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
1091 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1094 ssl->handshake->in_msg_seq));
1098 ssl->handshake->in_msg_seq++;
1102 unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
1103 ssl->handshake->out_msg_seq = cli_msg_seq;
1104 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1112 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1113 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1114 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
1127 buf += mbedtls_ssl_hs_hdr_len(ssl);
1128 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
1161 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1162 ssl->conf->transport);
1163 ssl->session_negotiate->tls_version = ssl->tls_version;
1164 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1166 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1168 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1178 memcpy(ssl->handshake->randbytes, buf + 2, 32);
1185 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1188 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1195 ssl->session_negotiate->id_len = sess_len;
1196 memset(ssl->session_negotiate->id, 0,
1197 sizeof(ssl->session_negotiate->id));
1198 memcpy(ssl->session_negotiate->id, buf + 35,
1199 ssl->session_negotiate->id_len);
1205 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1211 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1220 if (ssl->conf->f_cookie_check != NULL
1222 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1225 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1227 ssl->cli_id, ssl->cli_id_len) != 0) {
1229 ssl->handshake->cookie_verify_result = 1;
1232 ssl->handshake->cookie_verify_result = 0;
1261 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1283 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1298 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1307 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1323 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1332 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1340 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1354 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1364 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1379 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1387 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1389 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1402 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1413 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1424 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1435 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1446 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1457 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1468 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1480 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1503 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1532 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1535 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1540 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1548 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1549 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1554 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1555 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1559 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1560 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1561 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1564 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1565 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1573 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1581 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1586 ssl->handshake->sni_name = NULL;
1587 ssl->handshake->sni_name_len = 0;
1597 ciphersuites = ssl->conf->ciphersuite_list;
1600 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1609 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1628 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1643 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1648 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1656 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1657 ssl->handshake->ciphersuite_info = ciphersuite_info;
1659 ssl->state++;
1662 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1663 mbedtls_ssl_recv_flight_completed(ssl);
1673 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1688 static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1694 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1700 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
1704 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1706 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1720 ext_len = (size_t) ssl->own_cid_len + 1;
1724 *p++ = (uint8_t) ssl->own_cid_len;
1725 memcpy(p, ssl->own_cid, ssl->own_cid_len);
1727 *olen = ssl->own_cid_len + 5;
1732 static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1746 ssl->session_negotiate->ciphersuite);
1748 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
1752 ssl->session_negotiate->encrypt_then_mac,
1756 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
1760 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
1778 static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1784 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
1803 static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1809 if (ssl->handshake->new_session_ticket == 0) {
1826 static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1832 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
1843 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1845 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
1846 *p++ = ssl->verify_data_len * 2 & 0xFF;
1848 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
1849 p += ssl->verify_data_len;
1850 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
1851 p += ssl->verify_data_len;
1864 static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1870 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
1883 *p++ = ssl->session_negotiate->mfl_code;
1892 static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1897 ((void) ssl);
1899 if ((ssl->handshake->cli_exts &
1923 static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1929 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1935 if (ssl->handshake->ciphersuite_info->key_exchange !=
1951 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
1955 psa_destroy_key(ssl->handshake->psa_pake_password);
1956 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1961 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
1963 ssl->conf->f_rng, ssl->conf->p_rng);
1978 static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1984 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1988 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1989 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
1995 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
1996 mki_len = ssl->dtls_srtp_info.mki_len;
2025 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2034 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
2042 static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
2045 unsigned char *p = ssl->out_msg + 4;
2059 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2064 if (ssl->conf->f_cookie_write == NULL) {
2072 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2073 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2074 ssl->cli_id, ssl->cli_id_len)) != 0) {
2083 ssl->out_msglen = (size_t) (p - ssl->out_msg);
2084 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2085 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2087 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2089 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2095 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2096 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2108 static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
2112 mbedtls_ssl_session * const session = ssl->session_negotiate;
2116 if (ssl->handshake->resume == 1) {
2122 if (ssl->conf->f_get_cache == NULL) {
2126 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
2133 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2152 ssl->handshake->resume = 1;
2160 static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
2172 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2173 ssl->handshake->cookie_verify_result != 0) {
2177 return ssl_write_hello_verify_request(ssl);
2188 buf = ssl->out_msg;
2191 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2205 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2212 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
2225 if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2238 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2244 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
2248 ssl_handle_id_based_session_resumption(ssl);
2250 if (ssl->handshake->resume == 0) {
2255 ssl->state++;
2258 ssl->session_negotiate->start = mbedtls_time(NULL);
2262 if (ssl->handshake->new_session_ticket != 0) {
2263 ssl->session_negotiate->id_len = n = 0;
2264 memset(ssl->session_negotiate->id, 0, 32);
2268 ssl->session_negotiate->id_len = n = 32;
2269 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2278 n = ssl->session_negotiate->id_len;
2279 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2281 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2295 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2296 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
2297 p += ssl->session_negotiate->id_len;
2302 ssl->handshake->resume ? "a" : "no"));
2304 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2309 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2316 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
2320 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
2325 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
2330 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
2335 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
2340 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
2348 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2350 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
2356 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
2362 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2371 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
2383 ssl->out_msglen = (size_t) (p - buf);
2384 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2385 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2387 ret = mbedtls_ssl_write_handshake_msg(ssl);
2396 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2399 ssl->handshake->ciphersuite_info;
2405 ssl->state++;
2414 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2418 ssl->handshake->ciphersuite_info;
2422 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2428 ssl->state++;
2431 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
2432 authmode = ssl->handshake->sni_authmode;
2435 authmode = ssl->conf->authmode;
2455 buf = ssl->out_msg;
2491 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2499 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
2502 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
2527 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
2535 if (ssl->handshake->dn_hints != NULL) {
2536 crt = ssl->handshake->dn_hints;
2539 if (ssl->conf->dn_hints != NULL) {
2540 crt = ssl->conf->dn_hints;
2544 if (ssl->handshake->sni_ca_chain != NULL) {
2545 crt = ssl->handshake->sni_ca_chain;
2548 crt = ssl->conf->ca_chain;
2572 ssl->out_msglen = (size_t) (p - buf);
2573 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2574 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2575 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
2577 ret = mbedtls_ssl_write_handshake_msg(ssl);
2589 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2605 pk = mbedtls_ssl_own_key(ssl);
2631 ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
2632 ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
2638 ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2639 ssl->handshake->xxdh_psa_privkey_is_external = 1;
2650 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2651 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
2659 &ssl->handshake->xxdh_psa_privkey);
2667 ssl->handshake->xxdh_psa_privkey_is_external = 0;
2690 &ssl->handshake->xxdh_psa_bits);
2692 ssl->handshake->xxdh_psa_type = key_type;
2698 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2699 psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
2708 &ssl->handshake->xxdh_psa_privkey);
2731 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2735 const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2746 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
2747 mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
2762 static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2765 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2769 * ssl->out_msglen. */
2770 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
2771 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2773 int ret = ssl->conf->f_async_resume(ssl,
2776 ssl->handshake->async_in_progress = 0;
2777 mbedtls_ssl_set_async_operation_data(ssl, NULL);
2789 static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2793 ssl->handshake->ciphersuite_info;
2808 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
2810 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
2814 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
2829 unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2830 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2831 ssl->out_msglen;
2852 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2857 psa_destroy_key(ssl->handshake->psa_pake_password);
2858 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2864 ssl->out_msglen += output_offset;
2869 &ssl->handshake->ecjpake_ctx,
2870 ssl->out_msg + ssl->out_msglen,
2871 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
2872 ssl->conf->f_rng, ssl->conf->p_rng);
2878 ssl->out_msglen += len;
2892 ssl->out_msg[ssl->out_msglen++] = 0x00;
2893 ssl->out_msg[ssl->out_msglen++] = 0x00;
2906 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2920 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2921 &ssl->conf->dhm_P,
2922 &ssl->conf->dhm_G)) != 0) {
2928 &ssl->handshake->dhm_ctx,
2929 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2930 ssl->out_msg + ssl->out_msglen, &len,
2931 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2937 dig_signed = ssl->out_msg + ssl->out_msglen;
2940 ssl->out_msglen += len;
2942 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2943 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2944 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2945 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
2962 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
2963 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
2972 for (curr_tls_id = ssl->handshake->curves_tls_id;
2992 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2993 uint8_t *p = ssl->out_msg + ssl->out_msglen;
3053 - (own_pubkey - ssl->out_msg));
3075 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3082 &ssl->handshake->ecdh_ctx, &len,
3083 ssl->out_msg + ssl->out_msglen,
3084 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3085 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3090 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3095 dig_signed = ssl->out_msg + ssl->out_msglen;
3098 ssl->out_msglen += len;
3115 size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
3132 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
3151 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3184 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3185 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
3188 if (ssl->conf->f_async_sign_start != NULL) {
3189 ret = ssl->conf->f_async_sign_start(ssl,
3190 mbedtls_ssl_own_cert(ssl),
3197 ssl->handshake->async_in_progress = 1;
3198 return ssl_resume_server_key_exchange(ssl, signature_len);
3200 ssl->handshake->async_in_progress = 1;
3209 if (mbedtls_ssl_own_key(ssl) == NULL) {
3214 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3218 * ssl->out_msglen. */
3219 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3221 ssl->out_msg + ssl->out_msglen + 2,
3222 out_buf_len - ssl->out_msglen - 2,
3224 ssl->conf->f_rng,
3225 ssl->conf->p_rng)) != 0) {
3240 static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
3246 ssl->handshake->ciphersuite_info;
3259 ret = ssl_get_ecdh_params_from_cert(ssl);
3270 ssl->state++;
3279 if (ssl->handshake->async_in_progress != 0) {
3281 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3287 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
3291 /* If we're starting to write a new message, set ssl->out_msglen
3298 ssl->out_msglen = 0;
3308 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3309 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
3312 ssl->out_msg + ssl->out_msglen,
3316 ssl->out_msglen += signature_len;
3321 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3322 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3324 ssl->state++;
3326 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3336 static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
3342 ssl->out_msglen = 4;
3343 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3344 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3346 ssl->state++;
3349 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3350 mbedtls_ssl_send_flight_completed(ssl);
3354 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3360 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3361 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3375 static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3397 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3404 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
3416 static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3421 int ret = ssl->conf->f_async_resume(ssl,
3424 ssl->handshake->async_in_progress = 0;
3425 mbedtls_ssl_set_async_operation_data(ssl, NULL);
3433 static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3442 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3448 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3454 if (ssl->handshake->async_in_progress != 0) {
3456 return ssl_resume_decrypt_pms(ssl,
3483 if (ssl->conf->f_async_decrypt_start != NULL) {
3484 ret = ssl->conf->f_async_decrypt_start(ssl,
3485 mbedtls_ssl_own_cert(ssl),
3492 ssl->handshake->async_in_progress = 1;
3493 return ssl_resume_decrypt_pms(ssl,
3498 ssl->handshake->async_in_progress = 1;
3514 ssl->conf->f_rng, ssl->conf->p_rng);
3519 static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3525 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3541 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3552 mbedtls_ssl_write_version(ver, ssl->conf->transport,
3553 ssl->session_negotiate->tls_version);
3572 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3585 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3586 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3590 ssl->handshake->pmslen = 48;
3594 mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
3603 static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3609 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3630 if (ssl->conf->f_psk != NULL) {
3631 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
3637 if (n != ssl->conf->psk_identity_len ||
3638 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
3645 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3657 static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
3663 ciphersuite_info = ssl->handshake->ciphersuite_info;
3672 (ssl->handshake->async_in_progress != 0)) {
3679 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3684 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3685 end = ssl->in_msg + ssl->in_hslen;
3687 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3692 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3699 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3709 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3710 ssl->handshake->premaster,
3712 &ssl->handshake->pmslen,
3713 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3718 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3733 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3791 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3797 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3800 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3801 &ssl->handshake->pmslen,
3802 ssl->handshake->premaster,
3804 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3809 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3819 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3830 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3842 if (ssl->handshake->async_in_progress != 0) {
3849 p += ssl->conf->psk_identity_len + 2;
3852 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3857 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3863 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3874 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3878 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3889 unsigned char *pms = ssl->handshake->premaster;
3890 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
3894 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3896 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3903 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3905 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3921 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3923 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3969 unsigned char *psm = ssl->handshake->premaster;
3971 psm + sizeof(ssl->handshake->premaster);
3999 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4004 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
4010 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
4013 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
4024 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
4034 &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
4036 psa_destroy_key(ssl->handshake->psa_pake_password);
4037 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
4043 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
4050 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4051 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4052 ssl->conf->f_rng, ssl->conf->p_rng);
4065 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4070 ssl->state++;
4079 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4082 ssl->handshake->ciphersuite_info;
4088 ssl->state++;
4097 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4107 ssl->handshake->ciphersuite_info;
4114 ssl->state++;
4119 if (ssl->session_negotiate->peer_cert == NULL) {
4121 ssl->state++;
4125 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4127 ssl->state++;
4133 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4139 ssl->state++;
4142 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4143 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4148 i = mbedtls_ssl_hs_hdr_len(ssl);
4151 peer_pk = &ssl->handshake->peer_pubkey;
4153 if (ssl->session_negotiate->peer_cert == NULL) {
4157 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4166 if (i + 2 > ssl->in_hslen) {
4174 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
4176 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4196 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4213 if (i + 2 > ssl->in_hslen) {
4218 sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
4221 if (i + sig_len != ssl->in_hslen) {
4229 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4238 ssl->in_msg + i, sig_len)) != 0) {
4243 ret = mbedtls_ssl_update_handshake_status(ssl);
4257 static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
4265 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4266 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4280 ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
4282 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4283 ssl->session_negotiate,
4284 ssl->out_msg + 10,
4285 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4291 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4292 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
4293 ssl->out_msglen = 10 + tlen;
4296 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4299 ssl->handshake->new_session_ticket = 0;
4301 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4315 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
4319 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
4321 switch (ssl->state) {
4323 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4330 ret = ssl_parse_client_hello(ssl);
4346 ret = ssl_write_server_hello(ssl);
4350 ret = mbedtls_ssl_write_certificate(ssl);
4354 ret = ssl_write_server_key_exchange(ssl);
4358 ret = ssl_write_certificate_request(ssl);
4362 ret = ssl_write_server_hello_done(ssl);
4373 ret = mbedtls_ssl_parse_certificate(ssl);
4377 ret = ssl_parse_client_key_exchange(ssl);
4381 ret = ssl_parse_certificate_verify(ssl);
4385 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
4389 ret = mbedtls_ssl_parse_finished(ssl);
4399 if (ssl->handshake->new_session_ticket != 0) {
4400 ret = ssl_write_new_session_ticket(ssl);
4403 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
4407 ret = mbedtls_ssl_write_finished(ssl);
4412 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4416 mbedtls_ssl_handshake_wrapup(ssl);
4420 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));