diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index e76b2366f771..6d76609e3ee1 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1,23 +1,23 @@ /* -* TLS 1.3 client-side functions -* -* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved -* SPDX-License-Identifier: Apache-2.0 -* -* Licensed under the Apache License, Version 2.0 (the "License"); you may -* not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -* -* This file is part of mbed TLS (https://tls.mbed.org) -*/ + * TLS 1.3 client-side functions + * + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -54,232 +54,233 @@ #endif -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) /* TODO: Code for MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED missing */ -static int check_ecdh_params(const mbedtls_ssl_context *ssl) +static int check_ecdh_params( const mbedtls_ssl_context *ssl ) { - const mbedtls_ecp_curve_info *curve_info; + const mbedtls_ecp_curve_info *curve_info; - curve_info = mbedtls_ecp_curve_info_from_grp_id(ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id); - if (curve_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id ); + if( curve_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", curve_info->name)); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); #if defined(MBEDTLS_ECP_C) - if (mbedtls_ssl_check_curve(ssl, ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id) != 0) + if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id ) != 0 ) #else - if (ssl->handshake->ecdh_ctx.grp.nbits < 163 || - ssl->handshake->ecdh_ctx.grp.nbits > 521) + if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || + ssl->handshake->ecdh_ctx.grp.nbits > 521 ) #endif - return(-1); + return( -1 ); - MBEDTLS_SSL_DEBUG_ECP(3, "ECDH: Qp", &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].Qp); + MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].Qp ); - return(0); + return( 0 ); } #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_ZERO_RTT) -static int mbedtls_ssl_write_end_of_early_data(mbedtls_ssl_context *ssl) +static int mbedtls_ssl_write_end_of_early_data( mbedtls_ssl_context *ssl ) { - int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData")); + int ret; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write EndOfEarlyData" ) ); - ssl->out_msglen = mbedtls_ssl_hs_hdr_len(ssl); /* length of the handshake message header */; - /* We will add the additional byte for the ContentType later */; - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_END_OF_EARLY_DATA; + ssl->out_msglen = mbedtls_ssl_hs_hdr_len( ssl ); /* length of the handshake message header */; + /* We will add the additional byte for the ContentType later */; + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_END_OF_EARLY_DATA; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_send_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_send_flight_completed( ssl ); #endif - if ((ret = mbedtls_ssl_write_record(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret); - return(ret); - } + if( ( ret = mbedtls_ssl_write_record( ssl )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); + return( ret ); + } - if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret); - return(ret); - } + if( ( ret = mbedtls_ssl_flush_output( ssl )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); + return( ret ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write EndOfEarlyData" ) ); - return(0); + return( 0 ); } #endif /* MBEDTLS_ZERO_RTT */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -static void ssl_write_hostname_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = buf; - size_t hostname_len; - - *olen = 0; + unsigned char *p = buf; + size_t hostname_len; + + *olen = 0; + + if( ssl->hostname == NULL ) + return; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", + ssl->hostname ) ); + + hostname_len = strlen( ssl->hostname ); + + if( end < p || (size_t)( end - p ) < hostname_len + 9 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return; + } + + /* + * struct { + * NameType name_type; + * select ( name_type ) { + * case host_name: HostName; + * } name; + * } ServerName; + * + * enum { + * host_name( 0 ), ( 255 ) + * } NameType; + * + * opaque HostName<1..2^16-1>; + * + * struct { + * ServerName server_name_list<1..2^16-1> + * } ServerNameList; + */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); - if (ssl->hostname == NULL) - return; + *p++ = ( unsigned char )( ( ( hostname_len + 5 ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ( hostname_len + 5 )) & 0xFF ); - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding server name extension: %s", - ssl->hostname)); + *p++ = ( unsigned char )( ( ( hostname_len + 3 ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ( hostname_len + 3 )) & 0xFF ); - hostname_len = strlen(ssl->hostname); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); + *p++ = ( unsigned char )( ( hostname_len >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( hostname_len ) & 0xFF ); - if (end < p || (size_t)(end - p) < hostname_len + 9) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return; - } + memcpy( p, ssl->hostname, hostname_len ); - /* - * struct { - * NameType name_type; - * select (name_type) { - * case host_name: HostName; - * } name; - * } ServerName; - * - * enum { - * host_name(0), (255) - * } NameType; - * - * opaque HostName<1..2^16-1>; - * - * struct { - * ServerName server_name_list<1..2^16-1> - * } ServerNameList; - */ - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SERVERNAME >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SERVERNAME) & 0xFF); - - *p++ = (unsigned char)(((hostname_len + 5) >> 8) & 0xFF); - *p++ = (unsigned char)(((hostname_len + 5)) & 0xFF); - - *p++ = (unsigned char)(((hostname_len + 3) >> 8) & 0xFF); - *p++ = (unsigned char)(((hostname_len + 3)) & 0xFF); - - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) & 0xFF); - *p++ = (unsigned char)((hostname_len >> 8) & 0xFF); - *p++ = (unsigned char)((hostname_len) & 0xFF); - - memcpy(p, ssl->hostname, hostname_len); - - *olen = hostname_len + 9; + *olen = hostname_len + 9; } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ /* - * ssl_write_supported_versions_ext(): + * ssl_write_supported_versions_ext( ): * * struct { * ProtocolVersion versions<2..254>; * } SupportedVersions; */ -static void ssl_write_supported_versions_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +static void ssl_write_supported_versions_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = buf; + unsigned char *p = buf; - *olen = 0; + *olen = 0; - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported version extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported version extension" ) ); - if (end < p || (size_t)(end - p) < 7) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return; - } + if( end < p || (size_t)( end - p ) < 7 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return; + } - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS) & 0xFF); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ) & 0xFF ); - // total length - *p++ = 0x00; - *p++ = 3; + /* total length */ + *p++ = 0x00; + *p++ = 3; - // length of next field - *p++ = 0x2; + /* length of next field */ + *p++ = 0x2; - /* This implementation only supports a single TLS version, and only - * advertises a single value. - */ - mbedtls_ssl_write_version(ssl->conf->max_major_ver, ssl->conf->max_minor_ver, - ssl->conf->transport, p); + /* This implementation only supports a single TLS version, and only + * advertises a single value. + */ + mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, + ssl->conf->transport, p ); - MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%d:%d]", ssl->conf->max_major_ver, ssl->conf->max_minor_ver)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%d:%d]", ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); - *olen = 7; + *olen = 7; } #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /* - * ssl_write_max_fragment_length_ext(): + * ssl_write_max_fragment_length_ext( ): * * enum{ - * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) + * 2^9( 1 ), 2^10( 2 ), 2^11( 3 ), 2^12( 4 ), ( 255 ) * } MaxFragmentLength; * */ -static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, - unsigned char *buf, - size_t buflen, - size_t *olen) +static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { - unsigned char *p = buf; - const unsigned char* end = buf + buflen; + unsigned char *p = buf; + const unsigned char* end = buf + buflen; - *olen = 0; + *olen = 0; - if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { - return 0; - } + if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) + { + return 0; + } - if (end < p || (size_t)(end - p) < 5) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } + if( end < p || (size_t)( end - p ) < 5 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding max_fragment_length extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH) & 0xFF); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); - *p++ = 0x00; - *p++ = 1; + *p++ = 0x00; + *p++ = 1; - *p++ = ssl->conf->mfl_code; - MBEDTLS_SSL_DEBUG_MSG(3, ("Maximum fragment length = %d", ssl->conf->mfl_code)); + *p++ = ssl->conf->mfl_code; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Maximum fragment length = %d", ssl->conf->mfl_code ) ); - *olen = 5; - return 0; + *olen = 5; + return 0; } #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_ALPN) /* - * ssl_write_alpn_ext() structure: + * ssl_write_alpn_ext( ) structure: * * opaque ProtocolName<1..2^8-1>; * @@ -288,1466 +289,1498 @@ static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, * } ProtocolNameList; * */ -static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl, - unsigned char *buf, - size_t buflen, - size_t *olen) +static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { - unsigned char *p = buf; - const unsigned char* end = buf + buflen; - size_t alpnlen = 0; - const char **cur; - - *olen = 0; - - if (ssl->conf->alpn_list == NULL) - { - return 0; - } - - for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) - alpnlen += (unsigned char)(strlen(*cur) & 0xFF) + 1; - - if (end < p || (size_t)(end - p) < 6 + alpnlen) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } - - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension")); + unsigned char *p = buf; + const unsigned char* end = buf + buflen; + size_t alpnlen = 0; + const char **cur; + + *olen = 0; + + if( ssl->conf->alpn_list == NULL ) + { + return 0; + } + + for ( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) + alpnlen += ( unsigned char )( strlen( *cur ) & 0xFF ) + 1; + + if( end < p || (size_t)( end - p ) < 6 + alpnlen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); + + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); + + /* + * opaque ProtocolName<1..2^8-1>; + * + * struct { + * ProtocolName protocol_name_list<2..2^16-1> + * } ProtocolNameList; + */ - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ALPN >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ALPN) & 0xFF); + /* Skip writing extension and list length for now */ + p += 4; - /* - * opaque ProtocolName<1..2^8-1>; - * - * struct { - * ProtocolName protocol_name_list<2..2^16-1> - * } ProtocolNameList; - */ + for ( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) + { + *p = ( unsigned char )( strlen( *cur ) & 0xFF ); + memcpy( p + 1, *cur, *p ); + p += 1 + *p; + } - /* Skip writing extension and list length for now */ - p += 4; + *olen = p - buf; - for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) - { - *p = (unsigned char)(strlen(*cur) & 0xFF); - memcpy(p + 1, *cur, *p); - p += 1 + *p; - } + /* List length = olen - 2 ( ext_type ) - 2 ( ext_len ) - 2 ( list_len ) */ + buf[4] = ( unsigned char )( ( ( *olen - 6 ) >> 8 ) & 0xFF ); + buf[5] = ( unsigned char )( ( *olen - 6 ) & 0xFF ); - *olen = p - buf; + /* Extension length = olen - 2 ( ext_type ) - 2 ( ext_len ) */ + buf[2] = ( unsigned char )( ( ( *olen - 4 ) >> 8 ) & 0xFF ); + buf[3] = ( unsigned char )( ( *olen - 4 ) & 0xFF ); - /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ - buf[4] = (unsigned char)(((*olen - 6) >> 8) & 0xFF); - buf[5] = (unsigned char)((*olen - 6) & 0xFF); - - /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ - buf[2] = (unsigned char)(((*olen - 4) >> 8) & 0xFF); - buf[3] = (unsigned char)((*olen - 4) & 0xFF); - - return 0; + return 0; } #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) /* - * ssl_write_psk_key_exchange_modes_ext() structure: + * ssl_write_psk_key_exchange_modes_ext( ) structure: * - * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode; + * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode; * * struct { * PskKeyExchangeMode ke_modes<1..255>; * } PskKeyExchangeModes; */ -static int ssl_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +static int ssl_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = (unsigned char *) buf; - *olen = 0; - - // Check whether we have any PSK credentials configured. - //if (ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || - // ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0) - //{ - // MBEDTLS_SSL_DEBUG_MSG(3, ("No key for use with the pre_shared_key extension available.")); - // return(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED); - //} - - // max length of this extension is 7 bytes - if ((size_t)(end - p) < (7)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Not enough buffer")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } - - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding psk_key_exchange_modes extension")); - - // Extension Type - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES) & 0xFF); - - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) { - - // Extension Length - *p++ = 0; - *p++ = 3; - - // 1 byte length field for array of PskKeyExchangeMode - *p++ = 2; - *p++ = KEY_EXCHANGE_MODE_PSK_KE; - *p++ = KEY_EXCHANGE_MODE_PSK_DHE_KE; - *olen = 7; - - MBEDTLS_SSL_DEBUG_MSG(5, ("Adding %d and %d psk_key_exchange_modes", KEY_EXCHANGE_MODE_PSK_KE, KEY_EXCHANGE_MODE_PSK_DHE_KE)); - } - else { - // Extension Length - *p++ = 0; - *p++ = 2; - - // 1 byte length field for array of PskKeyExchangeMode - *p++ = 1; - *p++= ssl->conf->key_exchange_modes; - *olen = 6; - - MBEDTLS_SSL_DEBUG_MSG(5, ("Adding %d psk_key_exchange_mode", ssl->conf->key_exchange_modes)); - } - - return (0); + unsigned char *p = ( unsigned char * ) buf; + *olen = 0; + + /* Check whether we have any PSK credentials configured. */ + /*if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || */ + /* ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) */ + /*{ */ + /* MBEDTLS_SSL_DEBUG_MSG( 3, ( "No key for use with the pre_shared_key extension available." ) ); */ + /* return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); */ + /*} */ + + /* max length of this extension is 7 bytes */ + if( (size_t)( end - p ) < ( 7 )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Not enough buffer" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding psk_key_exchange_modes extension" ) ); + + /* Extension Type */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES ) & 0xFF ); + + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) { + + /* Extension Length */ + *p++ = 0; + *p++ = 3; + + /* 1 byte length field for array of PskKeyExchangeMode */ + *p++ = 2; + *p++ = KEY_EXCHANGE_MODE_PSK_KE; + *p++ = KEY_EXCHANGE_MODE_PSK_DHE_KE; + *olen = 7; + + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Adding %d and %d psk_key_exchange_modes", KEY_EXCHANGE_MODE_PSK_KE, KEY_EXCHANGE_MODE_PSK_DHE_KE ) ); + } + else + { + /* Extension Length */ + *p++ = 0; + *p++ = 2; + + /* 1 byte length field for array of PskKeyExchangeMode */ + *p++ = 1; + *p++= ssl->conf->key_exchange_modes; + *olen = 6; + + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Adding %d psk_key_exchange_mode", ssl->conf->key_exchange_modes ) ); + } + + return ( 0 ); } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ /* -* ssl_write_pre_shared_key_ext() structure: -* -* struct { -* opaque identity<1..2^16-1>; -* uint32 obfuscated_ticket_age; -* } PskIdentity; -* -* opaque PskBinderEntry<32..255>; -* -* struct { -* select (Handshake.msg_type) { -* -* case client_hello: -* PskIdentity identities<7..2^16-1>; -* PskBinderEntry binders<33..2^16-1>; -* -* case server_hello: -* uint16 selected_identity; -* }; -* -* } PreSharedKeyExtension; -* -* -* dummy_run = 0 --> initial run -* dummy_run == 1 --> second run -*/ + * ssl_write_pre_shared_key_ext( ) structure: + * + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * select ( Handshake.msg_type ) { + * + * case client_hello: + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * + * case server_hello: + * uint16 selected_identity; + * }; + * + * } PreSharedKeyExtension; + * + * + * dummy_run = 0 --> initial run + * dummy_run == 1 --> second run + */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) -/* ssl_create_binder(): - -0 -| -v -PSK -> HKDF-Extract -| -v -Early Secret -| -| -+------> Derive-Secret(., -| "ext binder" | -| "res binder", -| "") -| = binder_key -| -+-----> Derive-Secret(., "c e traffic", -| ClientHello) -| = client_early_traffic_secret +/* ssl_create_binder( ): + + 0 + | + v + PSK -> HKDF-Extract + | + v + Early Secret + | + | + +------> Derive-Secret( ., + | "ext binder" | + | "res binder", + | "" ) + | = binder_key + | + +-----> Derive-Secret( ., "c e traffic", + | ClientHello ) + | = client_early_traffic_secret */ -int ssl_create_binder(mbedtls_ssl_context *ssl, unsigned char *psk, size_t psk_len, const mbedtls_md_info_t *md, const mbedtls_ssl_ciphersuite_t *suite_info, unsigned char *buffer, size_t blen, unsigned char *result) { - int ret = 0; - int hash_length; - unsigned char salt[MBEDTLS_MD_MAX_SIZE]; - unsigned char padbuf[MBEDTLS_MD_MAX_SIZE]; - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; - unsigned char binder_key[MBEDTLS_MD_MAX_SIZE]; - unsigned char finished_key[MBEDTLS_MD_MAX_SIZE]; +int ssl_create_binder( mbedtls_ssl_context *ssl, unsigned char *psk, size_t psk_len, const mbedtls_md_info_t *md, const mbedtls_ssl_ciphersuite_t *suite_info, unsigned char *buffer, size_t blen, unsigned char *result ) { + int ret = 0; + int hash_length; + unsigned char salt[MBEDTLS_MD_MAX_SIZE]; + unsigned char padbuf[MBEDTLS_MD_MAX_SIZE]; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; + unsigned char binder_key[MBEDTLS_MD_MAX_SIZE]; + unsigned char finished_key[MBEDTLS_MD_MAX_SIZE]; #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; + mbedtls_sha256_context sha256; #endif #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; + mbedtls_sha512_context sha512; #endif - hash_length = mbedtls_hash_size_for_ciphersuite(suite_info); + hash_length = mbedtls_hash_size_for_ciphersuite( suite_info ); - if (hash_length == -1) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite == -1, ssl_create_binder failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( hash_length == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite == -1, ssl_create_binder failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - /* + /* - Compute Early Secret with HKDF-Extract(0, PSK) + Compute Early Secret with HKDF-Extract( 0, PSK ) - */ - memset(salt, 0x0, hash_length); - ret = mbedtls_hkdf_extract(md, salt, hash_length, psk, psk_len, ssl->handshake->early_secret); + */ + memset( salt, 0x0, hash_length ); + ret = mbedtls_hkdf_extract( md, salt, hash_length, psk, psk_len, ssl->handshake->early_secret ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hkdf_extract() with early_secret", ret); - return ret; - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hkdf_extract( ) with early_secret", ret ); + return ret; + } - MBEDTLS_SSL_DEBUG_MSG(5, ("HKDF Extract -- early_secret")); - MBEDTLS_SSL_DEBUG_BUF(5, "Salt", salt, hash_length); - MBEDTLS_SSL_DEBUG_BUF(5, "Input", psk, psk_len); - MBEDTLS_SSL_DEBUG_BUF(5, "Output", ssl->handshake->early_secret, hash_length); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "HKDF Extract -- early_secret" ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Salt", salt, hash_length ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Input", psk, psk_len ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Output", ssl->handshake->early_secret, hash_length ); - /* + /* - Compute binder_key with Derive-Secret(early_secret, "ext binder" | "res binder","") + Compute binder_key with Derive-Secret( early_secret, "ext binder" | "res binder","" ) - */ + */ - /* Create hash of empty message first. - * TBD: replace by constant. - * - * For SHA256 the constant is - * e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - * - * For SHA384 the constant is - * 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b - */ + /* Create hash of empty message first. + * TBD: replace by constant. + * + * For SHA256 the constant is + * e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + * + * For SHA384 the constant is + * 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b + */ - if (suite_info->mac == MBEDTLS_MD_SHA256) { + if( suite_info->mac == MBEDTLS_MD_SHA256 ) + { #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256((const unsigned char *)"", 0, hash, 0); + mbedtls_sha256( ( const unsigned char * )"", 0, hash, 0 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } - else if (suite_info->mac == MBEDTLS_MD_SHA384) { + } + else if( suite_info->mac == MBEDTLS_MD_SHA384 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512( (const unsigned char *)"", 0, hash, 1 /* for SHA384 */); + mbedtls_sha512( ( const unsigned char * )"", 0, hash, 1 /* for SHA384 */ ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } - - if (ssl->conf->resumption_mode == 1) { - ret = Derive_Secret(ssl, mbedtls_md_get_type(md), - ssl->handshake->early_secret, hash_length, - (const unsigned char *)"res binder", strlen("res binder"), - hash, hash_length, binder_key, hash_length); - MBEDTLS_SSL_DEBUG_MSG(5, ("Derive Early Secret with 'res binder'")); - } - else - { - ret = Derive_Secret(ssl, mbedtls_md_get_type(md), - ssl->handshake->early_secret, hash_length, - (const unsigned char *)"ext binder", strlen("ext binder"), - hash, hash_length, binder_key, hash_length); - MBEDTLS_SSL_DEBUG_MSG(5, ("Derive Early Secret with 'ext binder'")); - } - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret() with binder_key: Error", ret); - return ret; - } - - if (suite_info->mac == MBEDTLS_MD_SHA256) { + } + + if( ssl->conf->resumption_mode == 1 ) + { + ret = Derive_Secret( ssl, mbedtls_md_get_type( md ), + ssl->handshake->early_secret, hash_length, + ( const unsigned char * )"res binder", strlen( "res binder" ), + hash, hash_length, binder_key, hash_length ); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Derive Early Secret with 'res binder'" ) ); + } + else + { + ret = Derive_Secret( ssl, mbedtls_md_get_type( md ), + ssl->handshake->early_secret, hash_length, + ( const unsigned char * )"ext binder", strlen( "ext binder" ), + hash, hash_length, binder_key, hash_length ); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Derive Early Secret with 'ext binder'" ) ); + } + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret( ) with binder_key: Error", ret ); + return ret; + } + + if( suite_info->mac == MBEDTLS_MD_SHA256 ) + { #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_init(&sha256); - mbedtls_sha256_starts(&sha256, 0 /* = use SHA256 */); - // TBD: Should we clone the hash? - // mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); - MBEDTLS_SSL_DEBUG_BUF(5, "finished sha256 state", (unsigned char *)sha256.state, sizeof(sha256.state)); - mbedtls_sha256_update(&sha256, buffer, blen); - MBEDTLS_SSL_DEBUG_BUF(5, "input buffer for psk binder", buffer, blen); - mbedtls_sha256_finish(&sha256, padbuf); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash for psk binder", padbuf, 32); + mbedtls_sha256_init( &sha256 ); + mbedtls_sha256_starts( &sha256, 0 /* = use SHA256 */ ); + /* TBD: Should we clone the hash? */ + /* mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); */ + MBEDTLS_SSL_DEBUG_BUF( 5, "finished sha256 state", ( unsigned char * )sha256.state, sizeof( sha256.state ) ); + mbedtls_sha256_update( &sha256, buffer, blen ); + MBEDTLS_SSL_DEBUG_BUF( 5, "input buffer for psk binder", buffer, blen ); + mbedtls_sha256_finish( &sha256, padbuf ); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash for psk binder", padbuf, 32 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } - else if (suite_info->mac == MBEDTLS_MD_SHA384) { + } + else if( suite_info->mac == MBEDTLS_MD_SHA384 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 1 /* = use SHA384 */); - mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - MBEDTLS_SSL_DEBUG_BUF(4, "finished sha384 state", (unsigned char *)sha512.state, 48); - mbedtls_sha512_update(&sha512, buffer, blen); - mbedtls_sha512_finish(&sha512, padbuf); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash for psk binder", padbuf, 48); - } - else if (suite_info->mac == MBEDTLS_MD_SHA512) { - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 0 /* = use SHA512 */); - mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - MBEDTLS_SSL_DEBUG_BUF(4, "finished sha512 state", (unsigned char *)sha512.state, 64); - mbedtls_sha512_update(&sha512, buffer, blen); - mbedtls_sha512_finish(&sha512, padbuf); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash for psk binder", padbuf, 64); - } - else { + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 1 /* = use SHA384 */ ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha384 state", ( unsigned char * )sha512.state, 48 ); + mbedtls_sha512_update( &sha512, buffer, blen ); + mbedtls_sha512_finish( &sha512, padbuf ); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash for psk binder", padbuf, 48 ); + } + else if( suite_info->mac == MBEDTLS_MD_SHA512 ) + { + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 0 /* = use SHA512 */ ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", ( unsigned char * )sha512.state, 64 ); + mbedtls_sha512_update( &sha512, buffer, blen ); + mbedtls_sha512_finish( &sha512, padbuf ); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash for psk binder", padbuf, 64 ); + } + else + { #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } + } + + /* + * finished_key = + * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length ) + * + * The binding_value is computed in the same way as the Finished message + * but with the BaseKey being the binder_key. + */ - /* - * finished_key = - * HKDF-Expand-Label(BaseKey, "finished", "", Hash.length) - * - * The binding_value is computed in the same way as the Finished message - * but with the BaseKey being the binder_key. - */ + ret = hkdfExpandLabel( suite_info->mac, binder_key, hash_length, ( const unsigned char * )"finished", strlen( "finished" ), ( const unsigned char * )"", 0, hash_length, finished_key, hash_length ); - ret = hkdfExpandLabel(suite_info->mac, binder_key, hash_length, (const unsigned char *)"finished", strlen("finished"), (const unsigned char *)"", 0, hash_length, finished_key, hash_length); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "Creating the finished_key failed", ret ); + return ( ret ); + } - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "Creating the finished_key failed", ret); - return (ret); - } + MBEDTLS_SSL_DEBUG_BUF( 3, "finished_key", finished_key, hash_length ); - MBEDTLS_SSL_DEBUG_BUF(3, "finished_key", finished_key, hash_length); + /* compute mac and write it into the buffer */ + ret = mbedtls_md_hmac( md, finished_key, hash_length, padbuf, hash_length, result ); - // compute mac and write it into the buffer - ret = mbedtls_md_hmac(md, finished_key, hash_length, padbuf, hash_length, result); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac", ret ); + return ( ret ); + } - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_hmac", ret); - return (ret); - } - - MBEDTLS_SSL_DEBUG_MSG(3, ("verify_data of psk binder")); - MBEDTLS_SSL_DEBUG_BUF(3, "Input", padbuf, hash_length); - MBEDTLS_SSL_DEBUG_BUF(3, "Key", finished_key, hash_length); - MBEDTLS_SSL_DEBUG_BUF(3, "Output", result, hash_length); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "verify_data of psk binder" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Input", padbuf, hash_length ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Key", finished_key, hash_length ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Output", result, hash_length ); #if defined(MBEDTLS_SHA256_C) - if (suite_info->mac == MBEDTLS_MD_SHA256) { - mbedtls_sha256_free(&sha256); - } - else + if( suite_info->mac == MBEDTLS_MD_SHA256 ) + { + mbedtls_sha256_free( &sha256 ); + } + else #endif #if defined(MBEDTLS_SHA512_C) - if (suite_info->mac == MBEDTLS_MD_SHA384) { - mbedtls_sha512_free(&sha512); - } - else + if( suite_info->mac == MBEDTLS_MD_SHA384 ) + { + mbedtls_sha512_free( &sha512 ); + } + else #endif - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - mbedtls_platform_zeroize(finished_key, hash_length); + mbedtls_platform_zeroize( finished_key, hash_length ); - return ret; + return ret; } -int ssl_write_pre_shared_key_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, unsigned char* end, size_t* olen, int dummy_run) +int ssl_write_pre_shared_key_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, unsigned char* end, size_t* olen, int dummy_run ) { - unsigned char *p = (unsigned char *) buf, *truncated_clienthello_end, *truncated_clienthello_start = ssl->out_msg; - size_t ext_length = 0; - uint32_t obfuscated_ticket_age=0; - const mbedtls_ssl_ciphersuite_t *suite_info; - int hash_len=-1, ret; - const int *ciphersuites; + unsigned char *p = ( unsigned char * ) buf, *truncated_clienthello_end, *truncated_clienthello_start = ssl->out_msg; + size_t ext_length = 0; + uint32_t obfuscated_ticket_age=0; + const mbedtls_ssl_ciphersuite_t *suite_info; + int hash_len=-1, ret; + const int *ciphersuites; #if defined(MBEDTLS_HAVE_TIME) - time_t now; + time_t now; #endif - *olen = 0; + *olen = 0; - if (!(ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("The psk_key_exchange_modes extension has not been added.")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( !( ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "The psk_key_exchange_modes extension has not been added." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - // Check whether we have any PSK credentials configured. - if (ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || - ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("No externally configured PSK available.")); + /* Check whether we have any PSK credentials configured. */ + if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || + ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "No externally configured PSK available." ) ); - return(0); - } + return( 0 ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding pre_shared_key extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding pre_shared_key extension" ) ); - /* - * Ciphersuite list - */ - ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; + /* + * Ciphersuite list + */ + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; - for (int i = 0; ciphersuites[i] != 0; i++) - { - suite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]); + for ( int i = 0; ciphersuites[i] != 0; i++ ) + { + suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); - if (suite_info == NULL) - continue; + if( suite_info == NULL ) + continue; - hash_len = mbedtls_hash_size_for_ciphersuite(suite_info); + hash_len = mbedtls_hash_size_for_ciphersuite( suite_info ); - if (hash_len == -1) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite in ssl_write_pre_shared_key_ext failed: Unknown hash function")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( hash_len == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite in ssl_write_pre_shared_key_ext failed: Unknown hash function" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - // In this implementation we only add one pre-shared-key extension. - ssl->session_negotiate->ciphersuite = ciphersuites[i]; - ssl->transform_negotiate->ciphersuite_info = suite_info; + /* In this implementation we only add one pre-shared-key extension. */ + ssl->session_negotiate->ciphersuite = ciphersuites[i]; + ssl->transform_negotiate->ciphersuite_info = suite_info; #if defined(MBEDTLS_ZERO_RTT) - /* Even if we include a key_share extension in the ClientHello - * message it will not be used at this stage for the key derivation. - */ - if (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON) { - ssl->session_negotiate->key_exchange = KEY_EXCHANGE_MODE_PSK_KE; - } + /* Even if we include a key_share extension in the ClientHello + * message it will not be used at this stage for the key derivation. + */ + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + { + ssl->session_negotiate->key_exchange = KEY_EXCHANGE_MODE_PSK_KE; + } #endif - break; - } - if (hash_len == -1) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite in ssl_write_pre_shared_key_ext failed: Unknown hash function")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - - /* - * The length (excluding the extension header) includes: - * - * - 2 bytes for total length of identities - * - 2 bytes for length of first identity value - * - identity value (of length len; min(len)>=1) - * - 4 bytes for obfuscated_ticket_age - * ... - * - 2 bytes for total length of psk binders - * - 1 byte for length of first psk binder value - * - 32 bytes (with SHA256), or 48 bytes (with SHA384) for psk binder value - * ... - * - * Note: Currently we assume we have only one PSK credential configured per server. - */ - ext_length = 2 + 2 + ssl->conf->psk_identity_len + 4 + 2 + 1 + hash_len; - - // ext_length + Extension Type (2 bytes) + Extension Length (2 bytes) - if (end < p || (size_t)(end - p) < (ext_length + 4)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too short")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } - - if (dummy_run == 0) { - memset(p, 0, ext_length); - } - else { - // Extension Type - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_PRE_SHARED_KEY >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_PRE_SHARED_KEY) & 0xFF); - - // Extension Length - *p++ = (unsigned char)((ext_length >> 8) & 0xFF); - *p++ = (unsigned char)(ext_length & 0xFF); - - // 2 bytes length field for array of PskIdentity - *p++ = (unsigned char)(((ssl->conf->psk_identity_len + 4 + 2) >> 8) & 0xFF); - *p++ = (unsigned char)((ssl->conf->psk_identity_len + 4 + 2) & 0xFF); - - // 2 bytes length field for psk_identity - *p++ = (unsigned char)(((ssl->conf->psk_identity_len) >> 8) & 0xFF); - *p++ = (unsigned char)((ssl->conf->psk_identity_len) & 0xFF); - - // actual psk_identity - memcpy(p, ssl->conf->psk_identity, ssl->conf->psk_identity_len); - - p += ssl->conf->psk_identity_len; - - // Calculate obfuscated_ticket_age - // (but not for externally configured PSKs) - if (ssl->conf->ticket_age_add > 0) { + break; + } + if( hash_len == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite in ssl_write_pre_shared_key_ext failed: Unknown hash function" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + /* + * The length ( excluding the extension header ) includes: + * + * - 2 bytes for total length of identities + * - 2 bytes for length of first identity value + * - identity value ( of length len; min( len )>=1 ) + * - 4 bytes for obfuscated_ticket_age + * ... + * - 2 bytes for total length of psk binders + * - 1 byte for length of first psk binder value + * - 32 bytes ( with SHA256 ), or 48 bytes ( with SHA384 ) for psk binder value + * ... + * + * Note: Currently we assume we have only one PSK credential configured per server. + */ + ext_length = 2 + 2 + ssl->conf->psk_identity_len + 4 + 2 + 1 + hash_len; + + /* ext_length + Extension Type ( 2 bytes ) + Extension Length ( 2 bytes ) */ + if( end < p || (size_t)( end - p ) < ( ext_length + 4 )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too short" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } + + if( dummy_run == 0 ) + { + memset( p, 0, ext_length ); + } + else + { + /* Extension Type */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_PRE_SHARED_KEY >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) & 0xFF ); + + /* Extension Length */ + *p++ = ( unsigned char )( ( ext_length >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ext_length & 0xFF ); + + /* 2 bytes length field for array of PskIdentity */ + *p++ = ( unsigned char )( ( ( ssl->conf->psk_identity_len + 4 + 2 ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ssl->conf->psk_identity_len + 4 + 2 ) & 0xFF ); + + /* 2 bytes length field for psk_identity */ + *p++ = ( unsigned char )( ( ( ssl->conf->psk_identity_len ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ssl->conf->psk_identity_len ) & 0xFF ); + + /* actual psk_identity */ + memcpy( p, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); + + p += ssl->conf->psk_identity_len; + + /* Calculate obfuscated_ticket_age */ + /* ( but not for externally configured PSKs ) */ + if( ssl->conf->ticket_age_add > 0 ) + { #if defined(MBEDTLS_HAVE_TIME) - now = time(NULL); + now = time( NULL ); - if (!(ssl->conf->ticket_received <= now && now - ssl->conf->ticket_received < 7 * 86400 * 1000)) { - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket expired")); - // TBD: We would have to fall back to another PSK - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( !( ssl->conf->ticket_received <= now && now - ssl->conf->ticket_received < 7 * 86400 * 1000 )) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket expired" ) ); + /* TBD: We would have to fall back to another PSK */ + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - obfuscated_ticket_age = (uint32_t)(now - ssl->conf->ticket_received) + ssl->conf->ticket_age_add; - MBEDTLS_SSL_DEBUG_MSG(5, ("obfuscated_ticket_age: %u", obfuscated_ticket_age)); + obfuscated_ticket_age = ( uint32_t )( now - ssl->conf->ticket_received ) + ssl->conf->ticket_age_add; + MBEDTLS_SSL_DEBUG_MSG( 5, ( "obfuscated_ticket_age: %u", obfuscated_ticket_age ) ); #endif /* MBEDTLS_HAVE_TIME */ - } + } - // add obfuscated ticket age - *p++ = (obfuscated_ticket_age >> 24) & 0xFF; - *p++ = (obfuscated_ticket_age >> 16) & 0xFF; - *p++ = (obfuscated_ticket_age >> 8) & 0xFF; - *p++ = (obfuscated_ticket_age) & 0xFF; -// p += 4; + /* add obfuscated ticket age */ + *p++ = ( obfuscated_ticket_age >> 24 ) & 0xFF; + *p++ = ( obfuscated_ticket_age >> 16 ) & 0xFF; + *p++ = ( obfuscated_ticket_age >> 8 ) & 0xFF; + *p++ = ( obfuscated_ticket_age ) & 0xFF; +/* p += 4; */ - /* Store this pointer since we need it to compute the psk binder */ - truncated_clienthello_end = p; + /* Store this pointer since we need it to compute the psk binder */ + truncated_clienthello_end = p; - /* Add PSK binder for included identity */ + /* Add PSK binder for included identity */ - // 2 bytes length field for array of psk binders - *p++ = (unsigned char)(((hash_len + 1) >> 8) & 0xFF); - *p++ = (unsigned char)((hash_len + 1) & 0xFF); + /* 2 bytes length field for array of psk binders */ + *p++ = ( unsigned char )( ( ( hash_len + 1 ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( hash_len + 1 ) & 0xFF ); - // 1 bytes length field for next psk binder - *p++ = (unsigned char)((hash_len) & 0xFF); + /* 1 bytes length field for next psk binder */ + *p++ = ( unsigned char )( ( hash_len ) & 0xFF ); - MBEDTLS_SSL_DEBUG_BUF(3, "ssl_calc_binder computed over ", truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start); + MBEDTLS_SSL_DEBUG_BUF( 3, "ssl_calc_binder computed over ", truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start ); - ret = ssl_create_binder(ssl, ssl->conf->psk, ssl->conf->psk_len, mbedtls_md_info_from_type(suite_info->mac), - suite_info, truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start, p); + ret = ssl_create_binder( ssl, ssl->conf->psk, ssl->conf->psk_len, mbedtls_md_info_from_type( suite_info->mac ), + suite_info, truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start, p ); - if (ret != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "create_binder in ssl_write_pre_shared_key_ext failed: %d", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - } - *olen = ext_length + 4; - return 0; + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "create_binder in ssl_write_pre_shared_key_ext failed: %d", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + } + *olen = ext_length + 4; + return 0; } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ -static int ssl_write_cookie_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +static int ssl_write_cookie_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = buf; + unsigned char *p = buf; - *olen = 0; + *olen = 0; - if (ssl->handshake->verify_cookie == NULL) { - MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension")); - return 0; - } + if( ssl->handshake->verify_cookie == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) ); + return 0; + } - MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", - ssl->handshake->verify_cookie, - ssl->handshake->verify_cookie_len); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", + ssl->handshake->verify_cookie, + ssl->handshake->verify_cookie_len ); - if( end < p || - (size_t)( end - p ) < ( ssl->handshake->verify_cookie_len + 4 ) ) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } + if( end < p || + (size_t)( end - p ) < ( ssl->handshake->verify_cookie_len + 4 ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) ); - // Extension Type - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_COOKIE >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_COOKIE) & 0xFF); + /* Extension Type */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_COOKIE >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_COOKIE ) & 0xFF ); - // Extension Length - *p++ = (unsigned char)((ssl->handshake->verify_cookie_len >> 8) & 0xFF); - *p++ = (unsigned char)(ssl->handshake->verify_cookie_len & 0xFF); + /* Extension Length */ + *p++ = ( unsigned char )( ( ssl->handshake->verify_cookie_len >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ssl->handshake->verify_cookie_len & 0xFF ); - // Copy Cookie - memcpy(p, ssl->handshake->verify_cookie, ssl->handshake->verify_cookie_len); + /* Copy Cookie */ + memcpy( p, ssl->handshake->verify_cookie, ssl->handshake->verify_cookie_len ); - *olen = ssl->handshake->verify_cookie_len + 4; + *olen = ssl->handshake->verify_cookie_len + 4; - return 0; + return 0; } #if defined(MBEDTLS_ECDH_C) /* -Supported Groups Extension + Supported Groups Extension -In versions of TLS prior to TLS 1.3, this extension was named -'elliptic_curves' and only contained elliptic curve groups. + In versions of TLS prior to TLS 1.3, this extension was named + 'elliptic_curves' and only contained elliptic curve groups. */ -static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = buf; - unsigned char *elliptic_curve_list = p + 6; - size_t elliptic_curve_len = 0; - const mbedtls_ecp_curve_info *info; + unsigned char *p = buf; + unsigned char *elliptic_curve_list = p + 6; + size_t elliptic_curve_len = 0; + const mbedtls_ecp_curve_info *info; #if defined(MBEDTLS_ECP_C) - const mbedtls_ecp_group_id *grp_id; + const mbedtls_ecp_group_id *grp_id; #else - ((void)ssl); + ( (void)ssl ); #endif - *olen = 0; + *olen = 0; #if defined(MBEDTLS_ECP_C) - for (grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++) - { -// info = mbedtls_ecp_curve_info_from_grp_id(*grp_id); + for ( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) + { +/* info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); */ #else - for (info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++) + for ( info = mbedtls_ecp_curve_list( ); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) { #endif - elliptic_curve_len += 2; + elliptic_curve_len += 2; } - if (elliptic_curve_len == 0) { - /* If we have no curves configured then we are in trouble. */ - MBEDTLS_SSL_DEBUG_MSG(1, ("No curves configured.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + if( elliptic_curve_len == 0 ) + { + /* If we have no curves configured then we are in trouble. */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "No curves configured." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - if (end < p || (size_t)(end - p) < 6 + elliptic_curve_len) + if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; } - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported_groups extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_groups extension" ) ); elliptic_curve_len = 0; #if defined(MBEDTLS_ECP_C) - for (grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++) + for ( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) { - info = mbedtls_ecp_curve_info_from_grp_id(*grp_id); + info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - if (info == NULL) return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + if( info == NULL ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #else - for (info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++) - { + for ( info = mbedtls_ecp_curve_list( ); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) + { #endif elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; - MBEDTLS_SSL_DEBUG_MSG(5, ("Named Curve: %s (%x)", mbedtls_ecp_curve_info_from_tls_id(info->tls_id)->name, info->tls_id)); - } + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Named Curve: %s ( %x )", mbedtls_ecp_curve_info_from_tls_id( info->tls_id )->name, info->tls_id ) ); + } - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_GROUPS >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_GROUPS) & 0xFF); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SUPPORTED_GROUPS >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SUPPORTED_GROUPS ) & 0xFF ); - *p++ = (unsigned char)(((elliptic_curve_len + 2) >> 8) & 0xFF); - *p++ = (unsigned char)(((elliptic_curve_len + 2)) & 0xFF); + *p++ = ( unsigned char )( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ( elliptic_curve_len + 2 )) & 0xFF ); - *p++ = (unsigned char)(((elliptic_curve_len) >> 8) & 0xFF); - *p++ = (unsigned char)(((elliptic_curve_len)) & 0xFF); + *p++ = ( unsigned char )( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ( elliptic_curve_len )) & 0xFF ); - MBEDTLS_SSL_DEBUG_BUF(3, "Supported groups extension", buf + 4, elliptic_curve_len + 2); + MBEDTLS_SSL_DEBUG_BUF( 3, "Supported groups extension", buf + 4, elliptic_curve_len + 2 ); - *olen = 6 + elliptic_curve_len; - return 0; -} + *olen = 6 + elliptic_curve_len; + return 0; + } #endif /* defined(MBEDTLS_ECDH_C) */ /* -Key Shares Extension + Key Shares Extension -enum { - // Elliptic Curve Groups (ECDHE) - obsolete_RESERVED(1..22), - secp256r1(23), secp384r1(24), secp521r1(25), - obsolete_RESERVED(26..28), - x25519(29), x448(30), + enum { + obsolete_RESERVED( 1..22 ), + secp256r1( 23 ), secp384r1( 24 ), secp521r1( 25 ), + obsolete_RESERVED( 26..28 ), + x25519( 29 ), x448( 30 ), - // Finite Field Groups (DHE) - ffdhe2048(256), ffdhe3072(257), ffdhe4096(258), - ffdhe6144(259), ffdhe8192(260), + ffdhe2048( 256 ), ffdhe3072( 257 ), ffdhe4096( 258 ), + ffdhe6144( 259 ), ffdhe8192( 260 ), - // Reserved Code Points - ffdhe_private_use(0x01FC..0x01FF), - ecdhe_private_use(0xFE00..0xFEFF), - obsolete_RESERVED(0xFF01..0xFF02), - (0xFFFF) -} NamedGroup; + ffdhe_private_use( 0x01FC..0x01FF ), + ecdhe_private_use( 0xFE00..0xFEFF ), + obsolete_RESERVED( 0xFF01..0xFF02 ), + ( 0xFFFF ) + } NamedGroup; -struct { + struct { NamedGroup group; opaque key_exchange<1..2^16-1>; -} KeyShareEntry; - -struct { - select (role) { - case client: - KeyShareEntry client_shares<0..2^16-1>; - case server: - KeyShareEntry server_share; + } KeyShareEntry; + + struct { + select ( role ) { + case client: + KeyShareEntry client_shares<0..2^16-1>; + case server: + KeyShareEntry server_share; } -} KeyShare; + } KeyShare; */ -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) -static int ssl_write_key_shares_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) -{ - unsigned char* p; - unsigned char *header = buf; // Pointer where the header has to go. - size_t len; - int ret; - int nr; - //const int *ciphersuites; + static int ssl_write_key_shares_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) + { + unsigned char* p; + unsigned char *header = buf; /* Pointer where the header has to go. */ + size_t len; + int ret; + int nr; + /*const int *ciphersuites; */ - /* TODO: Add bounds checks! Only then remove the next line. */ - ((void) end); + /* TODO: Add bounds checks! Only then remove the next line. */ + ((void) end); #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) - { + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { p = buf + 2; - } - else + } + else #endif /* MBEDTLS_CTLS */ - { + { p = buf + 4; - } + } - const mbedtls_ecp_curve_info *info = NULL; - const mbedtls_ecp_group_id *grp_id; - // int max_size = 0; - //const mbedtls_ssl_ciphersuite_t *suite_info; + const mbedtls_ecp_curve_info *info = NULL; + const mbedtls_ecp_group_id *grp_id; + /* int max_size = 0; */ + /*const mbedtls_ssl_ciphersuite_t *suite_info; */ - *olen = 0; + *olen = 0; - if (ssl->conf->curve_list == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, key share extension: empty curve list")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ssl->conf->curve_list == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, key share extension: empty curve list" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding key share extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding key share extension" ) ); - if (ssl->session_negotiate == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("ssl->session_negotiate == NULL")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ssl->session_negotiate == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ssl->session_negotiate == NULL" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - /* - * Ciphersuite list - * - ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; + /* + * Ciphersuite list + * + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; - for (int i = 0; ciphersuites[i] != 0; i++) - { - suite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]); + for ( int i = 0; ciphersuites[i] != 0; i++ ) + { + suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); - if (suite_info == NULL) - continue; + if( suite_info == NULL ) + continue; - if (suite_info->hash == MBEDTLS_MD_SHA256) max_size = 128; - else if (suite_info->hash == MBEDTLS_MD_SHA384) max_size = 384; - } + if( suite_info->hash == MBEDTLS_MD_SHA256 ) max_size = 128; + else if( suite_info->hash == MBEDTLS_MD_SHA384 ) max_size = 384; + } - MBEDTLS_SSL_DEBUG_MSG(3, ("Ciphersuites require a key length of max %d bits", max_size)); - */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ciphersuites require a key length of max %d bits", max_size ) ); + */ - /* The key_shares_curve_list provides us information about what we are expected to - * send, either based on the info provided by the app or by info offered by the server - * using the HRR. - */ - nr = 0; + /* The key_shares_curve_list provides us information about what we are expected to + * send, either based on the info provided by the app or by info offered by the server + * using the HRR. + */ + nr = 0; - for (grp_id = ssl->handshake->key_shares_curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++) { + for ( grp_id = ssl->handshake->key_shares_curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) { - info = mbedtls_ecp_curve_info_from_grp_id(*grp_id); + info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); /* Check whether the key share matches the selected ciphersuite - * in terms of key length. - * - * Hence, AES-128 should go with a group bit size of 192 and 224 bits. - * - * TBD: Do we need this check? - - switch (max_size) { - case 128: if (info->bit_size != 256 && info->bit_size!=192 && info->bit_size!= 224) continue; - break; - case 384: if (info->bit_size != 384) continue; - break; - } + * in terms of key length. + * + * Hence, AES-128 should go with a group bit size of 192 and 224 bits. + * + * TBD: Do we need this check? + + switch ( max_size ) { + case 128: if( info->bit_size != 256 && info->bit_size!=192 && info->bit_size!= 224 ) continue; + break; + case 384: if( info->bit_size != 384 ) continue; + break; + } */ - MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", info->name)); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", info->name ) ); - if ((ret = mbedtls_ecp_group_load(&ssl->handshake->ecdh_ctx[nr].grp, info->grp_id)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret); - return(ret); + if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx[nr].grp, info->grp_id )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); + return( ret ); } - if ((ret = mbedtls_ecdh_make_params(&ssl->handshake->ecdh_ctx[nr], &len, - p+2, MBEDTLS_SSL_MAX_CONTENT_LEN - *olen, - ssl->conf->f_rng, ssl->conf->p_rng)) != 0) + if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx[nr], &len, + p+2, MBEDTLS_SSL_MAX_CONTENT_LEN - *olen, + ssl->conf->f_rng, ssl->conf->p_rng )) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); + return( ret ); } - // Write length of the key_exchange entry - *p++ = (unsigned char)(((len) >> 8) & 0xFF); - *p++ = (unsigned char)(((len)) & 0xFF); + /* Write length of the key_exchange entry */ + *p++ = ( unsigned char )( ( ( len ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ( len )) & 0xFF ); p += len; *olen += len + 2; - MBEDTLS_SSL_DEBUG_ECP(3, "ECDHE: Q ", &ssl->handshake->ecdh_ctx[nr].Q); + MBEDTLS_SSL_DEBUG_ECP( 3, "ECDHE: Q ", &ssl->handshake->ecdh_ctx[nr].Q ); nr++; - if (nr == MBEDTLS_SSL_MAX_KEY_SHARES) { - MBEDTLS_SSL_DEBUG_MSG(4, ("Reached maximum number of KeyShareEntries: %d", nr)); - break; + if( nr == MBEDTLS_SSL_MAX_KEY_SHARES ) + { + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reached maximum number of KeyShareEntries: %d", nr ) ); + break; } - } + } - // Write extension header - *header++ = (unsigned char)((MBEDTLS_TLS_EXT_KEY_SHARES >> 8) & 0xFF); - *header++ = (unsigned char)((MBEDTLS_TLS_EXT_KEY_SHARES) & 0xFF); + /* Write extension header */ + *header++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_KEY_SHARES >> 8 ) & 0xFF ); + *header++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_KEY_SHARES ) & 0xFF ); #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) { - *olen += 2; // 2 bytes for fixed header - } else + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + *olen += 2; /* 2 bytes for fixed header */ + } else #endif /* MBEDTLS_CTLS */ - { - // Write total extension length - *header++ = (unsigned char)((*olen >> 8) & 0xFF); - *header++ = (unsigned char)(*olen & 0xFF); + { + /* Write total extension length */ + *header++ = ( unsigned char )( ( *olen >> 8 ) & 0xFF ); + *header++ = ( unsigned char )( *olen & 0xFF ); - *olen += 4; // 4 bytes for fixed header - } + *olen += 4; /* 4 bytes for fixed header */ + } - return 0; -} + return 0; + } #endif /* MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C */ /* Main entry point; orchestrates the other functions */ -static int ssl_client_hello_process(mbedtls_ssl_context* ssl); - -static int ssl_client_hello_prepare(mbedtls_ssl_context* ssl); -static int ssl_client_hello_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen); - -static int ssl_client_hello_process(mbedtls_ssl_context* ssl) -{ - int ret = 0; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello")); - - if (ssl->handshake->state_local.cli_hello_out.preparation_done == 0) - { - MBEDTLS_SSL_PROC_CHK(ssl_client_hello_prepare(ssl)); + static int ssl_client_hello_process( mbedtls_ssl_context* ssl ); + + static int ssl_client_hello_prepare( mbedtls_ssl_context* ssl ); + static int ssl_client_hello_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ); + + static int ssl_client_hello_process( mbedtls_ssl_context* ssl ) + { + int ret = 0; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); + + if( ssl->handshake->state_local.cli_hello_out.preparation_done == 0 ) + { + MBEDTLS_SSL_PROC_CHK( ssl_client_hello_prepare( ssl ) ); ssl->handshake->state_local.cli_hello_out.preparation_done = 1; - } + } - /* Make sure we can write a new message. */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_flush_output(ssl)); + /* Make sure we can write a new message. */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); - /* Prepare ClientHello message in output buffer. */ - MBEDTLS_SSL_PROC_CHK(ssl_client_hello_write(ssl, ssl->out_msg, - MBEDTLS_SSL_MAX_CONTENT_LEN, - &ssl->out_msglen)); + /* Prepare ClientHello message in output buffer. */ + MBEDTLS_SSL_PROC_CHK( ssl_client_hello_write( ssl, ssl->out_msg, + MBEDTLS_SSL_MAX_CONTENT_LEN, + &ssl->out_msglen ) ); - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; - MBEDTLS_SSL_DEBUG_BUF(3, "ClientHello", ssl->out_msg, ssl->out_msglen); + MBEDTLS_SSL_DEBUG_BUF( 3, "ClientHello", ssl->out_msg, ssl->out_msglen ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_send_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_send_flight_completed( ssl ); #endif - /* Dispatch message */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl)); - - /* NOTE: With the new messaging layer, the postprocessing - * step might come after the dispatching step if the - * latter doesn't send the message immediately. - * At the moment, we must do the postprocessing - * prior to the dispatching because if the latter - * returns WANT_WRITE, we want the handshake state - * to be updated in order to not enter - * this function again on retry. - * - * Further, once the two calls can be re-ordered, the two - * calls can be consolidated. - */ - -cleanup: - - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello")); - return(ret); -} - -static int ssl_client_hello_prepare(mbedtls_ssl_context* ssl) -{ - int ret; - size_t rand_bytes_len; - - if (ssl->conf->f_rng == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); - return(MBEDTLS_ERR_SSL_NO_RNG); - } + /* Dispatch message */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl ) ); + + /* NOTE: With the new messaging layer, the postprocessing + * step might come after the dispatching step if the + * latter doesn't send the message immediately. + * At the moment, we must do the postprocessing + * prior to the dispatching because if the latter + * returns WANT_WRITE, we want the handshake state + * to be updated in order to not enter + * this function again on retry. + * + * Further, once the two calls can be re-ordered, the two + * calls can be consolidated. + */ + + cleanup: + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); + return( ret ); + } + + static int ssl_client_hello_prepare( mbedtls_ssl_context* ssl ) + { + int ret; + size_t rand_bytes_len; + + if( ssl->conf->f_rng == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) ); + return( MBEDTLS_ERR_SSL_NO_RNG ); + } #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) { + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { rand_bytes_len = MBEDTLS_CTLS_RANDOM_MAX_LENGTH; - } - else + } + else #endif /* MBEDTLS_CTLS */ - { + { rand_bytes_len = 32; - } + } - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->handshake->randbytes, rand_bytes_len)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_generate_random", ret); - return(ret); - } + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->handshake->randbytes, rand_bytes_len )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); + return( ret ); + } #if defined(MBEDTLS_COMPATIBILITY_MODE) - // Determine whether session id has not been created already - if (ssl->session_negotiate->id_len == 0) { - - // Creating a session id with 32 byte length - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id, 32)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret); - return(ret); + /* Determine whether session id has not been created already */ + if( ssl->session_negotiate->id_len == 0 ) + { + + /* Creating a session id with 32 byte length */ + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "creating session id failed", ret ); + return( ret ); } - } + } - ssl->session_negotiate->id_len = 32; + ssl->session_negotiate->id_len = 32; #endif /* MBEDTLS_COMPATIBILITY_MODE */ - return(0); -} - -static int ssl_client_hello_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen) -{ - int ret; - - // Extensions - - /* extension_start - * Used during extension writing where the - * buffer pointer to the beginning of the - * extension list must be kept to write - * the total extension list size in the end. - */ - unsigned char* extension_start; - size_t cur_ext_len; /* Size of the current extension */ - size_t total_ext_len; /* Size of list of extensions */ - - // Length information - size_t const tls_hs_hdr_len = 4; - size_t rand_bytes_len; - size_t version_len; - - // Buffer management - unsigned char* start = buf; - unsigned char* end = buf + buflen; - - // Ciphersuite-related variables - const int* ciphersuites; - const mbedtls_ssl_ciphersuite_t* ciphersuite_info; - size_t i; /* used to iterate through ciphersuite list */ - /* ciphersuite_start points to the start of the ciphersuite list, i.e. to the length field*/ - unsigned char* ciphersuite_start; - size_t ciphersuite_count; - - // Keeping track of the included extensions - ssl->handshake->extensions_present = NO_EXTENSION; + return( 0 ); + } + + static int ssl_client_hello_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ) + { + int ret; + + /* Extensions */ + + /* extension_start + * Used during extension writing where the + * buffer pointer to the beginning of the + * extension list must be kept to write + * the total extension list size in the end. + */ + unsigned char* extension_start; + size_t cur_ext_len; /* Size of the current extension */ + size_t total_ext_len; /* Size of list of extensions */ + + /* Length information */ + size_t const tls_hs_hdr_len = 4; + size_t rand_bytes_len; + size_t version_len; + + /* Buffer management */ + unsigned char* start = buf; + unsigned char* end = buf + buflen; + + /* Ciphersuite-related variables */ + const int* ciphersuites; + const mbedtls_ssl_ciphersuite_t* ciphersuite_info; + size_t i; /* used to iterate through ciphersuite list */ + /* ciphersuite_start points to the start of the ciphersuite list, i.e. to the length field*/ + unsigned char* ciphersuite_start; + size_t ciphersuite_count; + + /* Keeping track of the included extensions */ + ssl->handshake->extensions_present = NO_EXTENSION; #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) { + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { rand_bytes_len = MBEDTLS_CTLS_RANDOM_MAX_LENGTH; - } - else + } + else #endif /* MBEDTLS_CTLS */ - { + { rand_bytes_len = 32; - } - - /* NOTE: - * Even for DTLS 1.3, we are writing a TLS handshake header here. - * The actual DTLS 1.3 handshake header is inserted in - * the record writing routine mbedtls_ssl_write_record(). - * - * For cTLS the length, and the version field - * are elided. The random bytes are shorter. - */ + } + + /* NOTE: + * Even for DTLS 1.3, we are writing a TLS handshake header here. + * The actual DTLS 1.3 handshake header is inserted in + * the record writing routine mbedtls_ssl_write_record( ). + * + * For cTLS the length, and the version field + * are elided. The random bytes are shorter. + */ #if defined(MBEDTLS_CTLS) - // With cTLS the version field is elided. - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) - { + /* With cTLS the version field is elided. */ + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { version_len = 0; - } - else + } + else #endif /* MBEDTLS_CTLS */ - { + { version_len = 2; - } - - if (buflen < tls_hs_hdr_len + version_len + rand_bytes_len) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small to hold ClientHello")); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - } - - buf += tls_hs_hdr_len; - buflen -= tls_hs_hdr_len; - - if (ssl->conf->max_major_ver == 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("configured max major version is invalid, " - "consider using mbedtls_ssl_config_defaults()")); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } - - ssl->major_ver = ssl->conf->min_major_ver; - ssl->minor_ver = ssl->conf->min_minor_ver; - - /* For TLS 1.3 we use the legacy version number {0x03, 0x03} - * instead of the true version number. - * - * For DTLS 1.3 we use the legacy version number - * {254,253}. - * - * In cTLS the version number is elided. - */ + } + + if( buflen < tls_hs_hdr_len + version_len + rand_bytes_len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + + buf += tls_hs_hdr_len; + buflen -= tls_hs_hdr_len; + + if( ssl->conf->max_major_ver == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " + "consider using mbedtls_ssl_config_defaults( )" ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + + ssl->major_ver = ssl->conf->min_major_ver; + ssl->minor_ver = ssl->conf->min_minor_ver; + + /* For TLS 1.3 we use the legacy version number {0x03, 0x03} + * instead of the true version number. + * + * For DTLS 1.3 we use the legacy version number + * {254,253}. + * + * In cTLS the version number is elided. + */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { + { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - *buf++ = 0xfe; // 254 - *buf++ = 0xfd; // 253 + *buf++ = 0xfe; /* 254 */ + *buf++ = 0xfd; /* 253 */ } else #else { - *buf++ = 0x03; - *buf++ = 0x03; + *buf++ = 0x03; + *buf++ = 0x03; } #endif /* MBEDTLS_SSL_PROTO_DTLS */ buflen -= version_len; - } - - // Write random bytes - memcpy(buf, ssl->handshake->randbytes, rand_bytes_len); - MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf, rand_bytes_len); - - buf += rand_bytes_len; - buflen -= rand_bytes_len; - - /* Versions of TLS before TLS 1.3 supported a - * "session resumption" feature which has been merged with pre-shared - * keys in this version. A client which has a - * cached session ID set by a pre-TLS 1.3 server SHOULD set this - * field to that value. In compatibility mode, - * this field MUST be non-empty, so a client not offering a - * pre-TLS 1.3 session MUST generate a new 32-byte value. This value - * need not be random but SHOULD be unpredictable to avoid - * implementations fixating on a specific value (also known as - * ossification). Otherwise, it MUST be set as a zero-length vector - * (i.e., a zero-valued single byte length field). - */ + } + + /* Write random bytes */ + memcpy( buf, ssl->handshake->randbytes, rand_bytes_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf, rand_bytes_len ); + + buf += rand_bytes_len; + buflen -= rand_bytes_len; + + /* Versions of TLS before TLS 1.3 supported a + * "session resumption" feature which has been merged with pre-shared + * keys in this version. A client which has a + * cached session ID set by a pre-TLS 1.3 server SHOULD set this + * field to that value. In compatibility mode, + * this field MUST be non-empty, so a client not offering a + * pre-TLS 1.3 session MUST generate a new 32-byte value. This value + * need not be random but SHOULD be unpredictable to avoid + * implementations fixating on a specific value ( also known as + * ossification ). Otherwise, it MUST be set as a zero-length vector + * ( i.e., a zero-valued single byte length field ). + */ #if defined(MBEDTLS_COMPATIBILITY_MODE) - if (buflen < (ssl->session_negotiate->id_len + 1)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small to hold ClientHello")); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - } + if( buflen < ( ssl->session_negotiate->id_len + 1 )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } - *buff++ = (unsigned char)ssl->session_negotiate->id_len; // write session id length - memcpy(buf, ssl->session_negotiate->id, ssl->session_negotiate->id_len); // write session id + *buff++ = ( unsigned char )ssl->session_negotiate->id_len; /* write session id length */ + memcpy( buf, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); /* write session id */ - buf += ssl->session_negotiate->id_len; - buflen -= ssl->session_negotiate->id_len; + buf += ssl->session_negotiate->id_len; + buflen -= ssl->session_negotiate->id_len; - MBEDTLS_SSL_DEBUG_MSG(3, ("session id len.: %d", ssl->session_negotiate->id_len)); - MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "session id len.: %d", ssl->session_negotiate->id_len ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len ); #else #if defined(MBEDTLS_CTLS) - // For cTLS we are not using a session id - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + /* For cTLS we are not using a session id */ + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - if (buflen < 1) + { + if( buflen < 1 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small to hold ClientHello")); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } - *buf++ = 0; // session id length set to zero + *buf++ = 0; /* session id length set to zero */ buflen -= 1; - } + } #endif /* MBEDTLS_COMPATIBILITY_MODE */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* - * DTLS cookie - */ + /* + * DTLS cookie + */ - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { /* For DTLS 1.3 we don't put the cookie in the ClientHello header * but rather into an extension. - */ - MBEDTLS_SSL_DEBUG_MSG(3, ("DTLS 1.3: no cookie in header")); + */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "DTLS 1.3: no cookie in header" ) ); - if (buflen < 1) + if( buflen < 1 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small to hold ClientHello")); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } - *buf++ = 0; // Cookie length set to zero + *buf++ = 0; /* Cookie length set to zero */ buflen -= 1; - } + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - /* - * Ciphersuite list - * - * This is a list of the symmetric cipher options supported by - * the client, specifically the record protection algorithm - * (including secret key length) and a hash to be used with - * HKDF, in descending order of client preference. - */ - ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; - - if (buflen < 2 /* for ciphersuite list length */) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small to hold ClientHello")); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - } - - /* Skip writing ciphersuite length for now */ - ciphersuite_count = 0; - ciphersuite_start = buf; - buf += 2; - buflen -= 2; - - for (i = 0; ciphersuites[i] != 0; i++) - { - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]); - - if (ciphersuite_info == NULL) - continue; - - if (ciphersuite_info->min_minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 || - ciphersuite_info->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_4) - continue; - - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %04x, %s", - ciphersuites[i], ciphersuite_info->name)); + /* + * Ciphersuite list + * + * This is a list of the symmetric cipher options supported by + * the client, specifically the record protection algorithm + * ( including secret key length ) and a hash to be used with + * HKDF, in descending order of client preference. + */ + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; + + if( buflen < 2 /* for ciphersuite list length */ ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + + /* Skip writing ciphersuite length for now */ + ciphersuite_count = 0; + ciphersuite_start = buf; + buf += 2; + buflen -= 2; + + for ( i = 0; ciphersuites[i] != 0; i++ ) + { + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); + + if( ciphersuite_info == NULL ) + continue; + + if( ciphersuite_info->min_minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 || + ciphersuite_info->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 ) + continue; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s", + ciphersuites[i], ciphersuite_info->name ) ); ciphersuite_count++; - if (buflen < 2 /* for ciphersuite list length */) + if( buflen < 2 /* for ciphersuite list length */ ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small to hold ClientHello")); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } - *buf++ = (unsigned char)(ciphersuites[i] >> 8); - *buf++ = (unsigned char)(ciphersuites[i]); + *buf++ = ( unsigned char )( ciphersuites[i] >> 8 ); + *buf++ = ( unsigned char )( ciphersuites[i] ); buflen -= 2; #if defined(MBEDTLS_ZERO_RTT) - // For ZeroRTT we only add a single ciphersuite. + /* For ZeroRTT we only add a single ciphersuite. */ break; #endif /* MBEDTLS_ZERO_RTT */ - } + } - /* write ciphersuite length now */ - *ciphersuite_start++ = (unsigned char)(ciphersuite_count*2 >> 8); - *ciphersuite_start++ = (unsigned char)(ciphersuite_count*2); + /* write ciphersuite length now */ + *ciphersuite_start++ = ( unsigned char )( ciphersuite_count*2 >> 8 ); + *ciphersuite_start++ = ( unsigned char )( ciphersuite_count*2 ); - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, got %d ciphersuites", ciphersuite_count)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", ciphersuite_count ) ); - /* For every TLS 1.3 ClientHello, this vector MUST contain exactly - * one byte set to zero, which corresponds to the 'null' compression - * method in prior versions of TLS. - * - * For cTLS this field is elided. - */ + /* For every TLS 1.3 ClientHello, this vector MUST contain exactly + * one byte set to zero, which corresponds to the 'null' compression + * method in prior versions of TLS. + * + * For cTLS this field is elided. + */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - if (buflen < 2 /* for ciphersuite list length */) + { + if( buflen < 2 /* for ciphersuite list length */ ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small to hold ClientHello")); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } *buf++ = 1; *buf++ = MBEDTLS_SSL_COMPRESS_NULL; buflen -= 2; - } - - // First write extensions, then the total length - extension_start = buf; - total_ext_len = 0; - buf += 2; - - /* Supported Versions Extension is mandatory with TLS 1.3. - * - * For cTLS we only need to provide it if there is more than one version - * and currently there is only one. - */ + } + + /* First write extensions, then the total length */ + extension_start = buf; + total_ext_len = 0; + buf += 2; + + /* Supported Versions Extension is mandatory with TLS 1.3. + * + * For cTLS we only need to provide it if there is more than one version + * and currently there is only one. + */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - ssl_write_supported_versions_ext(ssl, buf, end, &cur_ext_len); + { + ssl_write_supported_versions_ext( ssl, buf, end, &cur_ext_len ); total_ext_len += cur_ext_len; buf += cur_ext_len; - } + } - /* For TLS / DTLS 1.3 we need to support the use of cookies - * (if the server provided them) */ - ssl_write_cookie_ext(ssl, buf, end, &cur_ext_len); - total_ext_len += cur_ext_len; - buf += cur_ext_len; + /* For TLS / DTLS 1.3 we need to support the use of cookies + * ( if the server provided them ) */ + ssl_write_cookie_ext( ssl, buf, end, &cur_ext_len ); + total_ext_len += cur_ext_len; + buf += cur_ext_len; #if defined(MBEDTLS_SSL_ALPN) - ssl_write_alpn_ext(ssl, buf, end, &cur_ext_len); - total_ext_len += cur_ext_len; - buf += cur_ext_len; + ssl_write_alpn_ext( ssl, buf, end, &cur_ext_len ); + total_ext_len += cur_ext_len; + buf += cur_ext_len; #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - ssl_write_max_fragment_length_ext(ssl, buf, end, &cur_ext_len); - total_ext_len += cur_ext_len; - buf += cur_ext_len; + ssl_write_max_fragment_length_ext( ssl, buf, end, &cur_ext_len ); + total_ext_len += cur_ext_len; + buf += cur_ext_len; #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_ZERO_RTT) - ssl_write_early_data_ext(ssl, buf, end, &cur_ext_len); - total_ext_len += cur_ext_len; - buf += cur_ext_len; + ssl_write_early_data_ext( ssl, buf, end, &cur_ext_len ); + total_ext_len += cur_ext_len; + buf += cur_ext_len; #endif /* MBEDTLS_ZERO_RTT */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - // For PSK-based ciphersuites we don't really need the SNI extension - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { - ssl_write_hostname_ext(ssl, buf, end, &cur_ext_len); + /* For PSK-based ciphersuites we don't really need the SNI extension */ + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) { + ssl_write_hostname_ext( ssl, buf, end, &cur_ext_len ); total_ext_len += cur_ext_len; buf += cur_ext_len; - } + } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_CID) - ssl_write_cid_ext(ssl, buf, end, &cur_ext_len); - total_ext_len += cur_ext_len; - buf += cur_ext_len; + ssl_write_cid_ext( ssl, buf, end, &cur_ext_len ); + total_ext_len += cur_ext_len; + buf += cur_ext_len; #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - /* For PSK-based ciphersuites we need the pre-shared-key extension - * and the psk_key_exchange_modes extension. - * - * The pre_shared_key_ext extension MUST be the last extension in the ClientHello. - * Servers MUST check that it is the last extension and otherwise fail the handshake - * with an "illegal_parameter" alert. - */ - - /* Add the psk_key_exchange_modes extension. - */ - if (ssl->conf->key_exchange_modes != KEY_EXCHANGE_MODE_ECDHE_ECDSA) { - ret = ssl_write_psk_key_exchange_modes_ext(ssl, buf, end, &cur_ext_len); + /* For PSK-based ciphersuites we need the pre-shared-key extension + * and the psk_key_exchange_modes extension. + * + * The pre_shared_key_ext extension MUST be the last extension in the ClientHello. + * Servers MUST check that it is the last extension and otherwise fail the handshake + * with an "illegal_parameter" alert. + */ + + /* Add the psk_key_exchange_modes extension. + */ + if( ssl->conf->key_exchange_modes != KEY_EXCHANGE_MODE_ECDHE_ECDSA ) + { + ret = ssl_write_psk_key_exchange_modes_ext( ssl, buf, end, &cur_ext_len ); total_ext_len += cur_ext_len; buf += cur_ext_len; - if (ret == 0) ssl->handshake->extensions_present += PSK_KEY_EXCHANGE_MODES_EXTENSION; - } + if( ret == 0 ) ssl->handshake->extensions_present += PSK_KEY_EXCHANGE_MODES_EXTENSION; + } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) - /* The supported_groups and the key_share extensions are - * REQUIRED for ECDHE ciphersuites. - */ - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || + /* The supported_groups and the key_share extensions are + * REQUIRED for ECDHE ciphersuites. + */ + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) { - ret = ssl_write_supported_groups_ext(ssl, buf, end, &cur_ext_len); + ret = ssl_write_supported_groups_ext( ssl, buf, end, &cur_ext_len ); total_ext_len += cur_ext_len; buf += cur_ext_len; - if (ret == 0) ssl->handshake->extensions_present += SUPPORTED_GROUPS_EXTENSION; - } + if( ret == 0 ) ssl->handshake->extensions_present += SUPPORTED_GROUPS_EXTENSION; + } - /* The supported_signature_algorithms extension is REQUIRED for - * certificate authenticated ciphersuites. - */ + /* The supported_signature_algorithms extension is REQUIRED for + * certificate authenticated ciphersuites. + */ - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { - ret = ssl_write_signature_algorithms_ext(ssl, buf, end, &cur_ext_len); + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) { + ret = ssl_write_signature_algorithms_ext( ssl, buf, end, &cur_ext_len ); total_ext_len += cur_ext_len; buf += cur_ext_len; - if (ret == 0) ssl->handshake->extensions_present += SIGNATURE_ALGORITHM_EXTENSION; - } - /* We need to send the key shares under three conditions: - * 1) A certificate-based ciphersuite is being offered. In this case - * supported_groups and supported_signature extensions have been successfully added. - * 2) A PSK-based ciphersuite with ECDHE is offered. In this case the - * psk_key_exchange_modes has been added as the last extension. - * 3) Or, in case all ciphers are supported (which includes #1 and #2 from above) - */ - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || + if( ret == 0 ) ssl->handshake->extensions_present += SIGNATURE_ALGORITHM_EXTENSION; + } + /* We need to send the key shares under three conditions: + * 1 ) A certificate-based ciphersuite is being offered. In this case + * supported_groups and supported_signature extensions have been successfully added. + * 2 ) A PSK-based ciphersuite with ECDHE is offered. In this case the + * psk_key_exchange_modes has been added as the last extension. + * 3 ) Or, in case all ciphers are supported ( which includes #1 and #2 from above ) + */ + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { - // We are using a PSK-based key exchange with DHE - ret = ssl_write_key_shares_ext(ssl, buf, end, &cur_ext_len); + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) { + /* We are using a PSK-based key exchange with DHE */ + ret = ssl_write_key_shares_ext( ssl, buf, end, &cur_ext_len ); total_ext_len += cur_ext_len; buf += cur_ext_len; - if (ret == 0) ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; - } - else if (ssl->handshake->extensions_present & SUPPORTED_GROUPS_EXTENSION && ssl->handshake->extensions_present & SIGNATURE_ALGORITHM_EXTENSION) { - // We are using a certificate-based key exchange - ret = ssl_write_key_shares_ext(ssl, buf, end, &cur_ext_len); + if( ret == 0 ) ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; + } + else if( ssl->handshake->extensions_present & SUPPORTED_GROUPS_EXTENSION && ssl->handshake->extensions_present & SIGNATURE_ALGORITHM_EXTENSION ) + { + /* We are using a certificate-based key exchange */ + ret = ssl_write_key_shares_ext( ssl, buf, end, &cur_ext_len ); total_ext_len += cur_ext_len; buf += cur_ext_len; - if (ret == 0) ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; - } + if( ret == 0 ) ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; + } #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) { /* We need to save the pointer to the pre-shared key extension * because it has to be updated later. */ ssl->handshake->ptr_to_psk_ext = buf; - ret = ssl_write_pre_shared_key_ext(ssl, buf, end, &cur_ext_len,0 ); + ret = ssl_write_pre_shared_key_ext( ssl, buf, end, &cur_ext_len,0 ); total_ext_len += cur_ext_len; buf += cur_ext_len; - if (ret == 0) ssl->handshake->extensions_present += PRE_SHARED_KEY_EXTENSION; - } + if( ret == 0 ) ssl->handshake->extensions_present += PRE_SHARED_KEY_EXTENSION; + } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %d", - total_ext_len)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", + total_ext_len ) ); - MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", extension_start, total_ext_len); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", extension_start, total_ext_len ); - // Write extension length - *extension_start++ = (unsigned char)((total_ext_len >> 8) & 0xFF); - *extension_start++ = (unsigned char)((total_ext_len) & 0xFF); - buflen -= 2 + total_ext_len; + /* Write extension length */ + *extension_start++ = ( unsigned char )( ( total_ext_len >> 8 ) & 0xFF ); + *extension_start++ = ( unsigned char )( ( total_ext_len ) & 0xFF ); + buflen -= 2 + total_ext_len; - *olen = buf - start; - return(0); -} + *olen = buf - start; + return( 0 ); + } -static int ssl_parse_supported_version_ext(mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t len) -{ + static int ssl_parse_supported_version_ext( mbedtls_ssl_context* ssl, + const unsigned char* buf, + size_t len ) + { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - if (len != 2 && buf[0] != 254 && buf[1] != 253) { - MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + if( len != 2 && buf[0] != 254 && buf[1] != 253 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - } - else + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - if (len != 2 && buf[0] != 0x3 && buf[1] != 0x3) { - MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + { + if( len != 2 && buf[0] != 0x3 && buf[1] != 0x3 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - } + } - return(0); -} + return( 0 ); + } #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) -{ - /* - * server should use the extension only if we did, - * and if so the server's value should match ours (and len is always 1) - */ - if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || + static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) + { + /* + * server should use the extension only if we did, + * and if so the server's value should match ours ( and len is always 1 ) + */ + if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || len != 1 || - buf[0] != ssl->conf->mfl_code) - { - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + buf[0] != ssl->conf->mfl_code ) + { + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } - return(0); -} + return( 0 ); + } #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ @@ -1762,7 +1795,7 @@ static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, * opaque PskBinderEntry<32..255>; * * struct { - * select (Handshake.msg_type) { + * select ( Handshake.msg_type ) { * case client_hello: * PskIdentity identities<7..2^16-1>; * PskBinderEntry binders<33..2^16-1>; @@ -1774,192 +1807,194 @@ static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, * */ -static int ssl_parse_server_psk_identity_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) -{ - int ret = 0; - size_t selected_identity; - - if (ssl->conf->f_psk == NULL && - (ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || - ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key")); - return(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED); - } - - if (len != (size_t)2) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad psk_identity extension in server hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } - - selected_identity = (buf[0] << 8) | buf[1]; - - if (selected_identity > 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown identity")); - - if ((ret = mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY)) != 0) + static int ssl_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) + { + int ret = 0; + size_t selected_identity; + + if( ssl->conf->f_psk == NULL && + ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || + ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); + return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); + } + + if( len != (size_t)2 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk_identity extension in server hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } + + selected_identity = ( buf[0] << 8 ) | buf[1]; + + if( selected_identity > 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown identity" ) ); + + if( ( ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY )) != 0 ) { - return(ret); + return( ret ); } - return(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY); - } + return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); + } -// buf += 2; - ssl->handshake->extensions_present += PRE_SHARED_KEY_EXTENSION; - return(0); -} +/* buf += 2; */ + ssl->handshake->extensions_present += PRE_SHARED_KEY_EXTENSION; + return( 0 ); + } #endif -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) /* TODO: Code for MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED missing */ /* -ssl_parse_key_shares_ext() verifies whether the information in the extension -is correct and stores the provided key shares. + ssl_parse_key_shares_ext( ) verifies whether the information in the extension + is correct and stores the provided key shares. */ -/* The ssl_parse_key_shares_ext() function is used -* by the client to parse a KeyShare extension in -* a ServerHello message. -* -* The server only provides a single KeyShareEntry. -*/ -static int ssl_parse_key_shares_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) { - - int ret = 0; - unsigned char *end = (unsigned char*)buf + len; - unsigned char *start = (unsigned char*)buf; - int named_group; - int i; - const mbedtls_ecp_curve_info *curve_info; - int match_found = 0; - mbedtls_ecp_group_id gid; - - // Is there a key share available at the server config? - /* if (ssl->conf->keyshare_ctx == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no key share context")); - - if ((ret = mbedtls_ssl_send_fatal_handshake_failure(ssl)) != 0) - return(ret); - - return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; - } - */ - - // read named group - named_group = (buf[0] << 8) | buf[1]; - - /* We need to find out which key share the server had selected from - * those sent out. - */ - - for( i=0; - ssl->handshake->key_shares_curve_list[i] != MBEDTLS_ECP_DP_NONE; - i++ ) { +/* The ssl_parse_key_shares_ext( ) function is used + * by the client to parse a KeyShare extension in + * a ServerHello message. + * + * The server only provides a single KeyShareEntry. + */ + static int ssl_parse_key_shares_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { + + int ret = 0; + unsigned char *end = ( unsigned char* )buf + len; + unsigned char *start = ( unsigned char* )buf; + int named_group; + int i; + const mbedtls_ecp_curve_info *curve_info; + int match_found = 0; + mbedtls_ecp_group_id gid; + + /* Is there a key share available at the server config? */ + /* if( ssl->conf->keyshare_ctx == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no key share context" ) ); + + if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl )) != 0 ) + return( ret ); + + return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; + } + */ + + /* read named group */ + named_group = ( buf[0] << 8 ) | buf[1]; + + /* We need to find out which key share the server had selected from + * those sent out. + */ + + for( i=0; + ssl->handshake->key_shares_curve_list[i] != MBEDTLS_ECP_DP_NONE; + i++ ) { gid = ssl->handshake->key_shares_curve_list[i]; - curve_info = mbedtls_ecp_curve_info_from_grp_id(gid); + curve_info = mbedtls_ecp_curve_info_from_grp_id( gid ); /* If we find a match then we need to read the key share - * provided by the server and store it alongside the - * respective key share structure. - */ - if (curve_info->tls_id == named_group) { - match_found = 1; - - break; + * provided by the server and store it alongside the + * respective key share structure. + */ + if( curve_info->tls_id == named_group ) + { + match_found = 1; + + break; } - } + } - if (match_found == 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE")); + if( match_found == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; - } - - /* We store the server-selected key share at a given place - * in our array of ECDH parameters. - */ - ssl->handshake->ecdh_ctx_selected = i; - - if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx[i], - (const unsigned char **)&start, end)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret); - return(ret); - } - - if (check_ecdh_params(ssl) != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("check_ecdh_params() failed!")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE); - } - - ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; - return ret; -} + } + + /* We store the server-selected key share at a given place + * in our array of ECDH parameters. + */ + ssl->handshake->ecdh_ctx_selected = i; + + if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx[i], + ( const unsigned char ** )&start, end )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); + return( ret ); + } + + if( check_ecdh_params( ssl ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "check_ecdh_params( ) failed!" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + } + + ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; + return ret; + } #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_SSL_ALPN) -static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len) -{ - size_t list_len, name_len; - const char **p; - - /* If we didn't send it, the server shouldn't send it */ - if (ssl->conf->alpn_list == NULL) - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - - /* - * opaque ProtocolName<1..2^8-1>; - * - * struct { - * ProtocolName protocol_name_list<2..2^16-1> - * } ProtocolNameList; - * - * the "ProtocolNameList" MUST contain exactly one "ProtocolName" - */ - - /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ - if (len < 4) - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - - list_len = (buf[0] << 8) | buf[1]; - if (list_len != len - 2) - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - - name_len = buf[2]; - if (name_len != list_len - 1) - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - - /* Check that the server chosen protocol was in our list and save it */ - for (p = ssl->conf->alpn_list; *p != NULL; p++) - { - if (name_len == strlen(*p) && - memcmp(buf + 3, *p, name_len) == 0) + static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ) + { + size_t list_len, name_len; + const char **p; + + /* If we didn't send it, the server shouldn't send it */ + if( ssl->conf->alpn_list == NULL ) + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + + /* + * opaque ProtocolName<1..2^8-1>; + * + * struct { + * ProtocolName protocol_name_list<2..2^16-1> + * } ProtocolNameList; + * + * the "ProtocolNameList" MUST contain exactly one "ProtocolName" + */ + + /* Min length is 2 ( list_len ) + 1 ( name_len ) + 1 ( name ) */ + if( len < 4 ) + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + + list_len = ( buf[0] << 8 ) | buf[1]; + if( list_len != len - 2 ) + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + + name_len = buf[2]; + if( name_len != list_len - 1 ) + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + + /* Check that the server chosen protocol was in our list and save it */ + for ( p = ssl->conf->alpn_list; *p != NULL; p++ ) + { + if( name_len == strlen( *p ) && + memcmp( buf + 3, *p, name_len ) == 0 ) { - ssl->alpn_chosen = *p; - return(0); + ssl->alpn_chosen = *p; + return( 0 ); } - } + } - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); -} + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } #endif /* MBEDTLS_SSL_ALPN */ /* @@ -1968,12 +2003,12 @@ static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, * */ - /* - * Overview - */ + /* + * Overview + */ - /* Main entry point; orchestrates the other functions */ -static int ssl_certificate_request_process(mbedtls_ssl_context* ssl); + /* Main entry point; orchestrates the other functions */ + static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ); /* Coordination: * Deals with the ambiguity of not knowing if a CertificateRequest @@ -1984,147 +2019,148 @@ static int ssl_certificate_request_process(mbedtls_ssl_context* ssl); */ #define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0 #define SSL_CERTIFICATE_REQUEST_SKIP 1 -static int ssl_certificate_request_coordinate(mbedtls_ssl_context* ssl); + static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_request_parse(mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen); + static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, + unsigned char const* buf, + size_t buflen ); #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_certificate_request_postprocess(mbedtls_ssl_context* ssl); + static int ssl_certificate_request_postprocess( mbedtls_ssl_context* ssl ); /* * Implementation */ - /* Main entry point; orchestrates the other functions */ -static int ssl_certificate_request_process(mbedtls_ssl_context* ssl) -{ - int ret = 0; + /* Main entry point; orchestrates the other functions */ + static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ) + { + int ret = 0; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); - /* Coordination step - * - Fetch record - * - Make sure it's either a CertificateRequest or a ServerHelloDone - */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_request_coordinate(ssl)); + /* Coordination step + * - Fetch record + * - Make sure it's either a CertificateRequest or a ServerHelloDone + */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_coordinate( ssl ) ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) - { + if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST ) + { /* Parsing step */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_request_parse(ssl, ssl->in_msg, - ssl->in_hslen)); - } - else + MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_parse( ssl, ssl->in_msg, + ssl->in_hslen ) ); + } + else #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - if (ret == SSL_CERTIFICATE_REQUEST_SKIP) + if( ret == SSL_CERTIFICATE_REQUEST_SKIP ) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); } else { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_request_postprocess(ssl)); + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_postprocess( ssl ) ); - MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request", - ssl->client_auth ? "a" : "no")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", + ssl->client_auth ? "a" : "no" ) ); -cleanup: + cleanup: - /* In the MPS one would close the read-port here to - * ensure there's no overlap of reading and writing. */ + /* In the MPS one would close the read-port here to + * ensure there's no overlap of reading and writing. */ - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request")); - return(ret); -} + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); + return( ret ); + } -static int ssl_certificate_request_coordinate(mbedtls_ssl_context* ssl) -{ - int ret; + static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ) + { + int ret; - if (ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("<= skip parse certificate request")); - return(SSL_CERTIFICATE_REQUEST_SKIP); - } + if( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || + ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= skip parse certificate request" ) ); + return( SSL_CERTIFICATE_REQUEST_SKIP ); + } #if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - ((void)ret); - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + ( (void)ret ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #else - if (ssl->keep_current_message == 0) { - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) + if( ssl->keep_current_message == 0 ) + { + if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); + return( ret ); } - } + } - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - return(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); - } + if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } - if (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST) - { - return(SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST); - } + if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) + { + return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST ); + } - ssl->keep_current_message = 1; - return(SSL_CERTIFICATE_REQUEST_SKIP); -#endif /* (MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) */ -} + ssl->keep_current_message = 1; + return( SSL_CERTIFICATE_REQUEST_SKIP ); +#endif /* ( MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ + } #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_request_parse(mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen) -{ + static int ssl_certificate_request_parse( mbedtls_ssl_context* ssl, + const unsigned char* buf, + size_t buflen ) + { - int ret; - const unsigned char* p; - unsigned char* ext; - size_t ext_len = 0, total_len; - int context_len = 0; + int ret; + const unsigned char* p; + unsigned char* ext; + size_t ext_len = 0, total_len; + int context_len = 0; - /* TODO: Add bounds checks! Only then remove the next line. */ - ((void) buflen); + /* TODO: Add bounds checks! Only then remove the next line. */ + ((void) buflen); - /* - * - * struct { - * opaque certificate_request_context<0..2^8-1>; - * Extension extensions<2..2^16-1>; - * } CertificateRequest; - * - */ + /* + * + * struct { + * opaque certificate_request_context<0..2^8-1>; + * Extension extensions<2..2^16-1>; + * } CertificateRequest; + * + */ - p = buf; + p = buf; - // Determine total message length - total_len = (p[2] << 8) | p[3]; + /* Determine total message length */ + total_len = ( p[2] << 8 ) | p[3]; - p += mbedtls_ssl_hs_hdr_len(ssl); + p += mbedtls_ssl_hs_hdr_len( ssl ); #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { + { /* - * Parse certificate_request_context - */ + * Parse certificate_request_context + */ context_len = p[0]; - // skip context_len + /* skip context_len */ p++; /* Fixed length fields are: @@ -2134,104 +2170,107 @@ static int ssl_certificate_request_parse(mbedtls_ssl_context* ssl, * 3 bytes */ - if (total_len < (size_t)(3 + context_len)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST); + if( total_len < (size_t)( 3 + context_len ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); } - // store context (if necessary) - if (context_len > 0) { - MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context", p, context_len); - - ssl->handshake->certificate_request_context = mbedtls_calloc(context_len, 1); - if (ssl->handshake->certificate_request_context == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return (MBEDTLS_ERR_SSL_ALLOC_FAILED); - } - memcpy(ssl->handshake->certificate_request_context, p, context_len); - - // jump over certificate_request_context - p += context_len; + /* store context ( if necessary ) */ + if( context_len > 0 ) + { + MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context", p, context_len ); + + ssl->handshake->certificate_request_context = mbedtls_calloc( context_len, 1 ); + if( ssl->handshake->certificate_request_context == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return ( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + memcpy( ssl->handshake->certificate_request_context, p, context_len ); + + /* jump over certificate_request_context */ + p += context_len; } - } + } - /* - * Parse extensions - */ - ext_len = (p[0] << 8) | (p[1]); + /* + * Parse extensions + */ + ext_len = ( p[0] << 8 ) | ( p[1] ); - // At least one extension needs to be present, namely signature_algorithms ext. - if (ext_len < 4) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST); - } + /* At least one extension needs to be present, namely signature_algorithms ext. */ + if( ext_len < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); + } - // skip total extension length - p += 2; + /* skip total extension length */ + p += 2; - ext = (unsigned char*)p; // jump to extensions - while (ext_len) - { + ext = ( unsigned char* )p; /* jump to extensions */ + while ( ext_len ) + { - unsigned int ext_id = ((ext[0] << 8) | (ext[1])); - unsigned int ext_size = ((ext[2] << 8) | (ext[3])); + unsigned int ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) ); + unsigned int ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) ); - if (ext_size + 4 > ext_len) + if( ext_size + 4 > ext_len ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); } - switch (ext_id) + switch ( ext_id ) { - case MBEDTLS_TLS_EXT_SIG_ALG: - MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); + case MBEDTLS_TLS_EXT_SIG_ALG: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); - if ((ret = ssl_parse_signature_algorithms_ext(ssl, ext + 4, (size_t)ext_size)) != 0) + if( ( ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, (size_t)ext_size )) != 0 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("ssl_parse_signature_algorithms_ext")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ssl_parse_signature_algorithms_ext" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( ret ); } break; - default: - MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %d (ignoring)", - ext_id)); + default: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d ( ignoring )", + ext_id ) ); } ext_len -= 4 + ext_size; ext += 4 + ext_size; - if (ext_len > 0 && ext_len < 4) + if( ext_len > 0 && ext_len < 4 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); } - } + } - ssl->client_auth = 1; - return(0); -} -#endif /* (MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) */ + ssl->client_auth = 1; + return( 0 ); + } +#endif /* ( MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ -static int ssl_certificate_request_postprocess(mbedtls_ssl_context* ssl) -{ + static int ssl_certificate_request_postprocess( mbedtls_ssl_context* ssl ) + { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE); - return(0); -} + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE ); + return( 0 ); + } /* * @@ -2242,162 +2281,165 @@ static int ssl_certificate_request_postprocess(mbedtls_ssl_context* ssl) * the cryptographic context. */ - /* - * Overview - */ + /* + * Overview + */ - /* Main entry point; orchestrates the other functions */ -static int ssl_encrypted_extensions_process(mbedtls_ssl_context* ssl); + /* Main entry point; orchestrates the other functions */ + static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ); -static int ssl_encrypted_extensions_prepare(mbedtls_ssl_context* ssl); -static int ssl_encrypted_extensions_parse(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen); -static int ssl_encrypted_extensions_postprocess(mbedtls_ssl_context* ssl); + static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ); + static int ssl_encrypted_extensions_parse( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen ); + static int ssl_encrypted_extensions_postprocess( mbedtls_ssl_context* ssl ); -static int ssl_encrypted_extensions_process(mbedtls_ssl_context* ssl) -{ - int ret; + static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ) + { + int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) ); - MBEDTLS_SSL_PROC_CHK(ssl_encrypted_extensions_prepare(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_prepare( ssl ) ); - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); + if( ( ret = mbedtls_ssl_read_record( ssl )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); goto cleanup; - } + } - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad encrypted extensions")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); + if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad encrypted extensions" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; goto cleanup; - } + } - if (ssl->in_msg[0] != MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad encrypted extensions")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); + if( ssl->in_msg[0] != MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad encrypted extensions" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); ret = MBEDTLS_ERR_SSL_BAD_HS_ENCRYPTED_EXTENSIONS; goto cleanup; - } + } - MBEDTLS_SSL_PROC_CHK(ssl_encrypted_extensions_parse(ssl, ssl->in_msg, ssl->in_hslen)); + MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_parse( ssl, ssl->in_msg, ssl->in_hslen ) ); - MBEDTLS_SSL_PROC_CHK(ssl_encrypted_extensions_postprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_postprocess( ssl ) ); cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions")); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) ); + return( ret ); -} + } -static int ssl_encrypted_extensions_prepare(mbedtls_ssl_context* ssl) { + static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ) { - int ret; - KeySet traffic_keys; + int ret; + KeySet traffic_keys; - if (ssl->transform_in == NULL) { - ret = mbedtls_ssl_key_derivation(ssl, &traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_key_derivation", ret); - return (ret); + if( ssl->transform_in == NULL ) + { + ret = mbedtls_ssl_key_derivation( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_key_derivation", ret ); + return ( ret ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) traffic_keys.epoch = 2; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ret = mbedtls_set_traffic_key(ssl, &traffic_keys, ssl->transform_negotiate, 0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); + ret = mbedtls_set_traffic_key( ssl, &traffic_keys, ssl->transform_negotiate, 0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); } - } + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value (2) is used for messages - * protected using keys derived from the handshake_traffic_secret - */ - ssl->in_epoch = 2; - ssl->out_epoch = 2; + /* epoch value ( 2 ) is used for messages + * protected using keys derived from the handshake_traffic_secret + */ + ssl->in_epoch = 2; + ssl->out_epoch = 2; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - return 0; -} + return 0; + } -static int ssl_encrypted_extensions_parse(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen) -{ - int ret=0; - size_t ext_len; - unsigned char *ext; + static int ssl_encrypted_extensions_parse( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen ) + { + int ret=0; + size_t ext_len; + unsigned char *ext; - /* TODO: Add bounds checks! Only then remove the next line. */ - ((void) buflen); + /* TODO: Add bounds checks! Only then remove the next line. */ + ((void) buflen); - // skip handshake header - buf += mbedtls_ssl_hs_hdr_len(ssl); + /* skip handshake header */ + buf += mbedtls_ssl_hs_hdr_len( ssl ); - ext_len = ((buf[0] << 8) | (buf[1])); + ext_len = ( ( buf[0] << 8 ) | ( buf[1] ) ); - buf += 2; // skip extension length - ext = buf; + buf += 2; /* skip extension length */ + ext = buf; - /* Checking for an extension length that is too short */ - if (ext_len > 0UL && ext_len < 4UL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Extension length too short - bad encrypted extensions message")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + /* Checking for an extension length that is too short */ + if( ext_len > 0UL && ext_len < 4UL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Extension length too short - bad encrypted extensions message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } - /* Checking for an extension length that is not aligned with the rest of the message */ - if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 2 + ext_len) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Extension length misaligned - bad encrypted extensions message")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + /* Checking for an extension length that is not aligned with the rest of the message */ + if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 2 + ext_len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Extension length misaligned - bad encrypted extensions message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("encrypted extensions, total extension length: %d", ext_len)); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "encrypted extensions, total extension length: %d", ext_len ) ); - MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions extensions", ext, ext_len); + MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions extensions", ext, ext_len ); - while (ext_len) - { - unsigned int ext_id = ((ext[0] << 8) - | (ext[1])); - unsigned int ext_size = ((ext[2] << 8) - | (ext[3])); + while ( ext_len ) + { + unsigned int ext_id = ( ( ext[0] << 8 ) + | ( ext[1] ) ); + unsigned int ext_size = ( ( ext[2] << 8 ) + | ( ext[3] ) ); - if (ext_size + 4 > ext_len) + if( ext_size + 4 > ext_len ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad encrypted extensions message")); - return(MBEDTLS_ERR_SSL_BAD_HS_ENCRYPTED_EXTENSIONS); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad encrypted extensions message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_ENCRYPTED_EXTENSIONS ); } /* TBD: The client MUST check EncryptedExtensions for the - * presence of any forbidden extensions and if any are found MUST abort - * the handshake with an "illegal_parameter" alert. - */ + * presence of any forbidden extensions and if any are found MUST abort + * the handshake with an "illegal_parameter" alert. + */ - switch (ext_id) + switch ( ext_id ) { #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: - MBEDTLS_SSL_DEBUG_MSG(3, ("found max_fragment_length extension")); + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); - if ((ret = ssl_parse_max_fragment_length_ext(ssl, - ext + 4, ext_size)) != 0) + if( ( ret = ssl_parse_max_fragment_length_ext( ssl, + ext + 4, ext_size )) != 0 ) { - return(ret); + return( ret ); } break; @@ -2405,68 +2447,69 @@ static int ssl_encrypted_extensions_parse(mbedtls_ssl_context* ssl, #if defined(MBEDTLS_SSL_ALPN) - case MBEDTLS_TLS_EXT_ALPN: - MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); + case MBEDTLS_TLS_EXT_ALPN: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); - if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, (size_t)ext_size)) != 0) + if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, (size_t)ext_size )) != 0 ) { - return(ret); + return( ret ); } break; #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - case MBEDTLS_TLS_EXT_SERVERNAME: - MBEDTLS_SSL_DEBUG_MSG(3, ("found server_name extension")); + case MBEDTLS_TLS_EXT_SERVERNAME: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found server_name extension" ) ); - // The server_name extension is an empty extension + /* The server_name extension is an empty extension */ break; #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - default: - MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %d (ignoring)", ext_id)); + default: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d ( ignoring )", ext_id ) ); } ext_len -= 4 + ext_size; ext += 4 + ext_size; - if (ext_len > 0 && ext_len < 4) + if( ext_len > 0 && ext_len < 4 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad encrypted extensions message")); - return(MBEDTLS_ERR_SSL_BAD_HS_ENCRYPTED_EXTENSIONS); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad encrypted extensions message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_ENCRYPTED_EXTENSIONS ); } - } + } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extension")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extension" ) ); - return ret; -} + return ret; + } -static int ssl_encrypted_extensions_postprocess(mbedtls_ssl_context* ssl) { + static int ssl_encrypted_extensions_postprocess( mbedtls_ssl_context* ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_ZERO_RTT) - if (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); - } - else + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); + } + else #endif /* MBEDTLS_ZERO_RTT */ - { + { #if defined(MBEDTLS_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_CERTIFICATE_REQUEST); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_CERTIFICATE_REQUEST ); #else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); #endif /* MBEDTLS_COMPATIBILITY_MODE */ - } + } - return 0; -} + return 0; + } /* @@ -2475,12 +2518,12 @@ static int ssl_encrypted_extensions_postprocess(mbedtls_ssl_context* ssl) { * */ - /* - * Overview - */ + /* + * Overview + */ - /* Main entry point; orchestrates the other functions */ -static int ssl_server_hello_process(mbedtls_ssl_context* ssl); + /* Main entry point; orchestrates the other functions */ + static int ssl_server_hello_process( mbedtls_ssl_context* ssl ); /* Fetch and preprocess * Returns a negative value on failure, and otherwise @@ -2489,171 +2532,172 @@ static int ssl_server_hello_process(mbedtls_ssl_context* ssl); * to indicate which message is expected and to be parsed next. */ #define SSL_SERVER_HELLO_COORDINATE_HELLO 0 #define SSL_SERVER_HELLO_COORDINATE_HRR 1 -static int ssl_server_hello_coordinate(mbedtls_ssl_context* ssl); + static int ssl_server_hello_coordinate( mbedtls_ssl_context* ssl ); /* Parse ServerHello */ -static int ssl_server_hello_parse(mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen); + static int ssl_server_hello_parse( mbedtls_ssl_context* ssl, + const unsigned char* buf, + size_t buflen ); -static int ssl_server_hello_postprocess(mbedtls_ssl_context* ssl); + static int ssl_server_hello_postprocess( mbedtls_ssl_context* ssl ); -static int ssl_hrr_parse(mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen); + static int ssl_hrr_parse( mbedtls_ssl_context* ssl, + const unsigned char* buf, + size_t buflen ); -static int ssl_hrr_postprocess(mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen); + static int ssl_hrr_postprocess( mbedtls_ssl_context* ssl, + const unsigned char* buf, + size_t buflen ); /* * Implementation */ -static int ssl_server_hello_process(mbedtls_ssl_context* ssl) -{ - int ret = 0; - int msg_expect; - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello")); - - /* Coordination step - * - Fetch record - * - Make sure it's either a ServerHello or a HRR. - * - Switch processing routine in case of HRR - */ - - MBEDTLS_SSL_PROC_CHK(ssl_server_hello_coordinate(ssl)); - msg_expect = ret; - - /* Parsing step - * We know what message to expect by now and call - * the respective parsing function. - */ - - if (msg_expect == SSL_SERVER_HELLO_COORDINATE_HELLO) - { - MBEDTLS_SSL_PROC_CHK(ssl_server_hello_parse(ssl, ssl->in_msg, - ssl->in_hslen)); - } - else - { - MBEDTLS_SSL_PROC_CHK(ssl_hrr_parse(ssl, ssl->in_msg, ssl->in_hslen)); - } - - /* Post-processing step */ - if (msg_expect == SSL_SERVER_HELLO_COORDINATE_HELLO) - { - MBEDTLS_SSL_PROC_CHK(ssl_server_hello_postprocess(ssl)); - } - else - { - MBEDTLS_SSL_PROC_CHK(ssl_hrr_postprocess(ssl, ssl->in_msg, ssl->in_hslen)); - } - -cleanup: - - /* In the MPS one would close the read-port here to - * ensure there's no overlap of reading and writing. */ - - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); - return(ret); -} - -static int ssl_server_hello_coordinate(mbedtls_ssl_context* ssl) -{ - int ret; - // SHA-256 of "HelloRetryRequest" stored in magic_hrr_string to distinguish HRR from regular ServerHello - const char magic_hrr_string[32] = { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33 ,0x9C }; - - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) - { + static int ssl_server_hello_process( mbedtls_ssl_context* ssl ) + { + int ret = 0; + int msg_expect; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); + + /* Coordination step + * - Fetch record + * - Make sure it's either a ServerHello or a HRR. + * - Switch processing routine in case of HRR + */ + + MBEDTLS_SSL_PROC_CHK( ssl_server_hello_coordinate( ssl ) ); + msg_expect = ret; + + /* Parsing step + * We know what message to expect by now and call + * the respective parsing function. + */ + + if( msg_expect == SSL_SERVER_HELLO_COORDINATE_HELLO ) + { + MBEDTLS_SSL_PROC_CHK( ssl_server_hello_parse( ssl, ssl->in_msg, + ssl->in_hslen ) ); + } + else + { + MBEDTLS_SSL_PROC_CHK( ssl_hrr_parse( ssl, ssl->in_msg, ssl->in_hslen ) ); + } + + /* Post-processing step */ + if( msg_expect == SSL_SERVER_HELLO_COORDINATE_HELLO ) + { + MBEDTLS_SSL_PROC_CHK( ssl_server_hello_postprocess( ssl ) ); + } + else + { + MBEDTLS_SSL_PROC_CHK( ssl_hrr_postprocess( ssl, ssl->in_msg, ssl->in_hslen ) ); + } + + cleanup: + + /* In the MPS one would close the read-port here to + * ensure there's no overlap of reading and writing. */ + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); + return( ret ); + } + + static int ssl_server_hello_coordinate( mbedtls_ssl_context* ssl ) + { + int ret; + /* SHA-256 of "HelloRetryRequest" stored in magic_hrr_string to distinguish HRR from regular ServerHello */ + const char magic_hrr_string[32] = { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33 ,0x9C }; + + if( ( ret = mbedtls_ssl_read_record( ssl )) != 0 ) + { /* No alert on a read error. */ - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - return(ret); - } - - /* TBD: If we do an HRR, keep track of the number - * of ClientHello's we sent, and fail if it - * exceeds the configured threshold. */ - - if ((ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) && (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected message")); - - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - return(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); - } - - /* Check whether this message is a HelloRetryRequest (HRR) message. - * - * ServerHello and HRR are only distinguished by Random set to the - * special value of the SHA-256 of "HelloRetryRequest". - * - * struct { - * ProtocolVersion legacy_version = 0x0303; - * Random random; - * opaque legacy_session_id_echo<0..32>; - * CipherSuite cipher_suite; - * uint8 legacy_compression_method = 0; - * Extension extensions<6..2 ^ 16 - 1>; - * } ServerHello; - * - */ - if (memcmp(&ssl->in_msg[0] + mbedtls_ssl_hs_hdr_len(ssl) + 2, &magic_hrr_string[0], 32) == 0) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message")); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); + return( ret ); + } + + /* TBD: If we do an HRR, keep track of the number + * of ClientHello's we sent, and fail if it + * exceeds the configured threshold. */ + + if( ( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) && ( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected message" ) ); + + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } + + /* Check whether this message is a HelloRetryRequest ( HRR ) message. + * + * ServerHello and HRR are only distinguished by Random set to the + * special value of the SHA-256 of "HelloRetryRequest". + * + * struct { + * ProtocolVersion legacy_version = 0x0303; + * Random random; + * opaque legacy_session_id_echo<0..32>; + * CipherSuite cipher_suite; + * uint8 legacy_compression_method = 0; + * Extension extensions<6..2 ^ 16 - 1>; + * } ServerHello; + * + */ + if( memcmp( &ssl->in_msg[0] + mbedtls_ssl_hs_hdr_len( ssl ) + 2, &magic_hrr_string[0], 32 ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) ); ret = SSL_SERVER_HELLO_COORDINATE_HRR; - } - else - { + } + else + { /* - TBD: When we made it through a cookie exchange we need to delete the state again. + TBD: When we made it through a cookie exchange we need to delete the state again. - mbedtls_free(ssl->handshake->verify_cookie); - ssl->handshake->verify_cookie = NULL; - ssl->handshake->verify_cookie_len = 0; + mbedtls_free( ssl->handshake->verify_cookie ); + ssl->handshake->verify_cookie = NULL; + ssl->handshake->verify_cookie_len = 0; */ ret = SSL_SERVER_HELLO_COORDINATE_HELLO; - } + } - return(ret); -} + return( ret ); + } -static int ssl_server_hello_parse(mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen) -{ + static int ssl_server_hello_parse( mbedtls_ssl_context* ssl, + const unsigned char* buf, + size_t buflen ) + { - int ret; // return value - int i; // scratch value - const unsigned char* msg_end = buf + buflen; // pointer to the end of the buffer for length checks + int ret; /* return value */ + int i; /* scratch value */ + const unsigned char* msg_end = buf + buflen; /* pointer to the end of the buffer for length checks */ - size_t ext_len; // stores length of all extensions - unsigned int ext_id; // id of an extension - const unsigned char* ext; // pointer to an individual extension - unsigned int ext_size; // size of an individual extension + size_t ext_len; /* stores length of all extensions */ + unsigned int ext_id; /* id of an extension */ + const unsigned char* ext; /* pointer to an individual extension */ + unsigned int ext_size; /* size of an individual extension */ - const mbedtls_ssl_ciphersuite_t* suite_info; // pointer to ciphersuite + const mbedtls_ssl_ciphersuite_t* suite_info; /* pointer to ciphersuite */ - // Check for minimal length + /* Check for minimal length */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) - { - // TBD: Add message header figure here. - // 18 = 16 (random bytes) + 1 (ciphersuite) + 1 (version) + - if (buflen < 18 + mbedtls_ssl_hs_hdr_len(ssl)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message - min size not reached")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + /* TBD: Add message header figure here. */ + /* 18 = 16 ( random bytes ) + 1 ( ciphersuite ) + 1 ( version ) + */ + if( buflen < 18 + mbedtls_ssl_hs_hdr_len( ssl )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message - min size not reached" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - } - else + } + else #endif /* MBEDTLS_CTLS */ - { + { /* struct { * ProtocolVersion legacy_version = 0x0303; * Random random; @@ -2664,367 +2708,375 @@ static int ssl_server_hello_parse(mbedtls_ssl_context* ssl, * } ServerHello; * * - * 38 = 32 (random bytes) + 2 (ciphersuite) + 2 (version) + - * 1 (legacy_compression_method) + 1 (minimum for legacy_session_id_echo) + * 38 = 32 ( random bytes ) + 2 ( ciphersuite ) + 2 ( version ) + + * 1 ( legacy_compression_method ) + 1 ( minimum for legacy_session_id_echo ) */ - if ((buflen < 38 + mbedtls_ssl_hs_hdr_len(ssl)) || - buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message - min size not reached")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + if( ( buflen < 38 + mbedtls_ssl_hs_hdr_len( ssl )) || + buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message - min size not reached" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - } + } - MBEDTLS_SSL_DEBUG_BUF(5, "server hello", buf, buflen); + MBEDTLS_SSL_DEBUG_BUF( 5, "server hello", buf, buflen ); - // skip header - buf += mbedtls_ssl_hs_hdr_len(ssl); + /* skip header */ + buf += mbedtls_ssl_hs_hdr_len( ssl ); #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf + 0, 2); - mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver, - ssl->conf->transport, buf + 0); + { + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); + mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, + ssl->conf->transport, buf + 0 ); /* The version field in the ServerHello must contain 0x303 */ - if (buf[0] != 0x03 || buf[1] != 0x03) + if( buf[0] != 0x03 || buf[1] != 0x03 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS.")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); - return(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION); + return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); } - // skip version + /* skip version */ buf += 2; - } + } - // Internally we use the correct 1.3 version - ssl->major_ver = 0x03; - ssl->minor_ver = 0x04; + /* Internally we use the correct 1.3 version */ + ssl->major_ver = 0x03; + ssl->minor_ver = 0x04; - // store server-provided random values + /* store server-provided random values */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) - { - memcpy(ssl->handshake->randbytes + 16, buf, 16); - MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 16); + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + memcpy( ssl->handshake->randbytes + 16, buf, 16 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 16 ); - // skip random bytes + /* skip random bytes */ buf += 16; - } - else + } + else #endif /* MBEDTLS_CTLS */ - { - memcpy(ssl->handshake->randbytes + 32, buf, 32); - MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32); + { + memcpy( ssl->handshake->randbytes + 32, buf, 32 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); - // skip random bytes + /* skip random bytes */ buf += 32; - } + } #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { + { #if defined(MBEDTLS_COMPATIBILITY_MODE) - // legacy_session_id_echo - if (ssl->session_negotiate->id_len != buf[0]) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Mismatch of session id length")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + /* legacy_session_id_echo */ + if( ssl->session_negotiate->id_len != buf[0] ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Mismatch of session id length" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - buf++; // skip session id length + buf++; /* skip session id length */ - if (memcmp(ssl->session_negotiate->id, &buf[0], ssl->session_negotiate->id_len) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Mismatch of session id")); - MBEDTLS_SSL_DEBUG_BUF(3, "- expected session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len); - MBEDTLS_SSL_DEBUG_BUF(3, "- received session id", &buf[0], ssl->session_negotiate->id_len); + if( memcmp( ssl->session_negotiate->id, &buf[0], ssl->session_negotiate->id_len ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Mismatch of session id" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "- expected session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "- received session id", &buf[0], ssl->session_negotiate->id_len ); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - buf += ssl->session_negotiate->id_len; // skip session id + buf += ssl->session_negotiate->id_len; /* skip session id */ - MBEDTLS_SSL_DEBUG_MSG(3, ("session id length (%d)", ssl->session_negotiate->id_len)); - MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "session id length ( %d )", ssl->session_negotiate->id_len ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len ); #else - // Length of the session id must be zero - if (*buf == 0) { - buf++; // skip session id length + /* Length of the session id must be zero */ + if( *buf == 0 ) + { + buf++; /* skip session id length */ } - else { - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + else + { + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } #endif /* MBEDTLS_COMPATIBILITY_MODE */ - } + } #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) - { - // read server-selected ciphersuite, which follows random bytes - i = (buf[0] << 8) | buf[1]; + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + /* read server-selected ciphersuite, which follows random bytes */ + i = ( buf[0] << 8 ) | buf[1]; - // skip ciphersuite + /* skip ciphersuite */ buf += 2; - } - else + } + else #endif /* MBEDTLS_CTLS*/ - { - // read server-selected ciphersuite, which follows random bytes - i = (buf[0] << 8) | buf[1]; + { + /* read server-selected ciphersuite, which follows random bytes */ + i = ( buf[0] << 8 ) | buf[1]; - // skip ciphersuite + /* skip ciphersuite */ buf += 2; - } + } - // TBD: Check whether we have offered this ciphersuite - // Via the force_ciphersuite version we may have instructed the client - // to use a difference ciphersuite. + /* TBD: Check whether we have offered this ciphersuite */ + /* Via the force_ciphersuite version we may have instructed the client */ + /* to use a difference ciphersuite. */ - // Configure ciphersuites - ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i); + /* Configure ciphersuites */ + ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); - if (ssl->transform_negotiate->ciphersuite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %04x not found", i)); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + if( ssl->transform_negotiate->ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - mbedtls_ssl_optimize_checksum(ssl, ssl->transform_negotiate->ciphersuite_info); + mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); - ssl->session_negotiate->ciphersuite = i; + ssl->session_negotiate->ciphersuite = i; - suite_info = mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); - if (suite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); + if( suite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: (%04x) - %s", i, suite_info->name)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s", i, suite_info->name ) ); #if defined(MBEDTLS_HAVE_TIME) - ssl->session_negotiate->start = time(NULL); + ssl->session_negotiate->start = time( NULL ); #endif /* MBEDTLS_HAVE_TIME */ - i = 0; - while (1) - { - if (ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0) + i = 0; + while ( 1 ) + { + if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - if (ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == - ssl->session_negotiate->ciphersuite) + if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == + ssl->session_negotiate->ciphersuite ) { - break; + break; } - } + } #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - // Ensure that compression method is set to zero - if (buf[0] != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + { + /* Ensure that compression method is set to zero */ + if( buf[0] != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - // skip compression + /* skip compression */ buf++; - } + } - // Are we reading beyond the message buffer? - if ((buf + 2) > msg_end) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + /* Are we reading beyond the message buffer? */ + if( ( buf + 2 ) > msg_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } - ext_len = ((buf[0] << 8) | (buf[1])); - buf += 2; // skip extension length + ext_len = ( ( buf[0] << 8 ) | ( buf[1] ) ); + buf += 2; /* skip extension length */ - // Are we reading beyond the message buffer? - if ((buf + ext_len) > msg_end) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + /* Are we reading beyond the message buffer? */ + if( ( buf + ext_len ) > msg_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } - ext = buf; + ext = buf; - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %d", ext_len)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); - MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", ext, ext_len); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", ext, ext_len ); - while (ext_len) - { - ext_id = ((ext[0] << 8) | (ext[1])); - ext_size = ((ext[2] << 8) | (ext[3])); + while ( ext_len ) + { + ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) ); + ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) ); - if (ext_size + 4 > ext_len) + if( ext_size + 4 > ext_len ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - switch (ext_id) + switch ( ext_id ) { #if defined(MBEDTLS_CID) - case MBEDTLS_TLS_EXT_CID: - MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); - if (ssl->conf->cid == MBEDTLS_CID_CONF_DISABLED) - break; - - ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size); - if (ret != 0) - return(ret); + case MBEDTLS_TLS_EXT_CID: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) ); + if( ssl->conf->cid == MBEDTLS_CID_CONF_DISABLED ) + break; + + ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); break; #endif /* MBEDTLS_CID */ - case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: - MBEDTLS_SSL_DEBUG_MSG(3, ("found supported_versions extension")); + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_versions extension" ) ); - ret = ssl_parse_supported_version_ext(ssl, ext + 4, ext_size); - if (ret != 0) - return(ret); + ret = ssl_parse_supported_version_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); break; #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: - MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension")); - if ((ret = ssl_parse_server_psk_identity_ext(ssl, ext + 4, (size_t)ext_size)) != 0) + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); + if( ( ret = ssl_parse_server_psk_identity_ext( ssl, ext + 4, (size_t)ext_size )) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_server_psk_identity_ext"), ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_server_psk_identity_ext" ), ret ); + return( ret ); } break; #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) - case MBEDTLS_TLS_EXT_KEY_SHARES: - MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension")); + case MBEDTLS_TLS_EXT_KEY_SHARES: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) ); - if ((ret = ssl_parse_key_shares_ext(ssl, ext + 4, (size_t)ext_size)) != 0) + if( ( ret = ssl_parse_key_shares_ext( ssl, ext + 4, (size_t)ext_size )) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_key_shares_ext", ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_key_shares_ext", ret ); + return( ret ); } break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ - default: - MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %d (ignoring)", ext_id)); + default: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d ( ignoring )", ext_id ) ); } ext_len -= 4 + ext_size; ext += 4 + ext_size; - if (ext_len > 0 && ext_len < 4) + if( ext_len > 0 && ext_len < 4 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - } - - return(0); -} - - -static int ssl_server_hello_postprocess(mbedtls_ssl_context* ssl) -{ - /* We need to set the key exchange algorithm based on the - * following rules: - * - * 1) IF PRE_SHARED_KEY extension was received - * THEN set MBEDTLS_KEY_EXCHANGE_PSK - * 2) IF PRE_SHARED_KEY extension && KEY_SHARE was received - * THEN set MBEDTLS_KEY_EXCHANGE_ECDHE_PSK - * 3) IF KEY_SHARES extension was received && SIG_ALG extension received - * THEN set MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA - * ELSE unknown key exchange mechanism. - */ - - if (ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION) - { - if (ssl->handshake->extensions_present & KEY_SHARE_EXTENSION) - ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_PSK; + } + + return( 0 ); + } + + + static int ssl_server_hello_postprocess( mbedtls_ssl_context* ssl ) + { + /* We need to set the key exchange algorithm based on the + * following rules: + * + * 1 ) IF PRE_SHARED_KEY extension was received + * THEN set MBEDTLS_KEY_EXCHANGE_PSK + * 2 ) IF PRE_SHARED_KEY extension && KEY_SHARE was received + * THEN set MBEDTLS_KEY_EXCHANGE_ECDHE_PSK + * 3 ) IF KEY_SHARES extension was received && SIG_ALG extension received + * THEN set MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA + * ELSE unknown key exchange mechanism. + */ + + if( ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION ) + { + if( ssl->handshake->extensions_present & KEY_SHARE_EXTENSION ) + ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_PSK; else - ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_PSK; - } - else if (ssl->handshake->extensions_present & KEY_SHARE_EXTENSION) + ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_PSK; + } + else if( ssl->handshake->extensions_present & KEY_SHARE_EXTENSION ) ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA; - else - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange.")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } #if defined(MBEDTLS_CID) - // Server does not want to use CID -> recover resources - if (ssl->session_negotiate->cid == MBEDTLS_CID_DISABLED && - ssl->in_cid_len > 0) { - free(ssl->in_cid); + /* Server does not want to use CID -> recover resources */ + if( ssl->session_negotiate->cid == MBEDTLS_CID_DISABLED && + ssl->in_cid_len > 0 ) { + free( ssl->in_cid ); ssl->in_cid_len = 0; - } + } #endif /* MBEDTLS_CID */ - return(0); -} + return( 0 ); + } -static int ssl_hrr_parse(mbedtls_ssl_context* ssl, - const unsigned char* buf, size_t buflen) -{ - int ret; // return value - int i; // scratch value - int found = 0; - const unsigned char* msg_end = buf + buflen; // pointer to the end of the buffer for length checks + static int ssl_hrr_parse( mbedtls_ssl_context* ssl, + const unsigned char* buf, size_t buflen ) + { + int ret; /* return value */ + int i; /* scratch value */ + int found = 0; + const unsigned char* msg_end = buf + buflen; /* pointer to the end of the buffer for length checks */ - size_t ext_len; // stores length of all extensions - unsigned int ext_id; // id of an extension - const unsigned char* ext; // pointer to an individual extension - unsigned int ext_size; // size of an individual extension + size_t ext_len; /* stores length of all extensions */ + unsigned int ext_id; /* id of an extension */ + const unsigned char* ext; /* pointer to an individual extension */ + unsigned int ext_size; /* size of an individual extension */ - const mbedtls_ssl_ciphersuite_t* suite_info; // pointer to ciphersuite + const mbedtls_ssl_ciphersuite_t* suite_info; /* pointer to ciphersuite */ #if defined(MBEDTLS_ECDH_C) - /* Variables for parsing the key_share */ - const mbedtls_ecp_group_id* grp_id; - const mbedtls_ecp_curve_info* info, * curve = NULL; - int tls_id; + /* Variables for parsing the key_share */ + const mbedtls_ecp_group_id* grp_id; + const mbedtls_ecp_curve_info* info, * curve = NULL; + int tls_id; #endif /* MBEDTLS_ECDH_C */ - // Check for minimal length + /* Check for minimal length */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) - { - // TBD: Add message header figure here. - // 18 = 16 (random bytes) + 1 (ciphersuite) + 1 (version) + - if (buflen < 18 + mbedtls_ssl_hs_hdr_len(ssl)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request - min size not reached")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + /* TBD: Add message header figure here. */ + /* 18 = 16 ( random bytes ) + 1 ( ciphersuite ) + 1 ( version ) + */ + if( buflen < 18 + mbedtls_ssl_hs_hdr_len( ssl )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request - min size not reached" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } - } - else + } + else #endif /* MBEDTLS_CTLS */ - { + { /* struct { * ProtocolVersion legacy_version = 0x0303; * Random random; @@ -3035,266 +3087,274 @@ static int ssl_hrr_parse(mbedtls_ssl_context* ssl, * } ServerHello; * * - * 38 = 32 (random bytes) + 2 (ciphersuite) + 2 (version) + - * 1 (legacy_compression_method) + 1 (minimum for legacy_session_id_echo) + * 38 = 32 ( random bytes ) + 2 ( ciphersuite ) + 2 ( version ) + + * 1 ( legacy_compression_method ) + 1 ( minimum for legacy_session_id_echo ) */ - if ((buflen < 38 + mbedtls_ssl_hs_hdr_len(ssl)) || - buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) + if( ( buflen < 38 + mbedtls_ssl_hs_hdr_len( ssl )) || + buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request message - min size not reached")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message - min size not reached" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } - } + } - MBEDTLS_SSL_DEBUG_BUF(5, "hello retry request", buf, buflen); + MBEDTLS_SSL_DEBUG_BUF( 5, "hello retry request", buf, buflen ); - // skip header - buf += mbedtls_ssl_hs_hdr_len(ssl); + /* skip header */ + buf += mbedtls_ssl_hs_hdr_len( ssl ); #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - MBEDTLS_SSL_DEBUG_BUF(3, "hello retry request, version", buf + 0, 2); - mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver, - ssl->conf->transport, buf + 0); + { + MBEDTLS_SSL_DEBUG_BUF( 3, "hello retry request, version", buf + 0, 2 ); + mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, + ssl->conf->transport, buf + 0 ); /* The version field must contain 0x303 */ - if (buf[0] != 0x03 || buf[1] != 0x03) + if( buf[0] != 0x03 || buf[1] != 0x03 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS.")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); - return(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION); + return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); } - // skip version + /* skip version */ buf += 2; - } + } - // Internally we use the correct 1.3 version - ssl->major_ver = 0x03; - ssl->minor_ver = 0x04; + /* Internally we use the correct 1.3 version */ + ssl->major_ver = 0x03; + ssl->minor_ver = 0x04; - // store server-provided random values + /* store server-provided random values */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) - { - memcpy(ssl->handshake->randbytes + 16, buf, 16); - MBEDTLS_SSL_DEBUG_BUF(3, "hello retry request, random bytes", buf + 2, 16); + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + memcpy( ssl->handshake->randbytes + 16, buf, 16 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "hello retry request, random bytes", buf + 2, 16 ); - // skip random bytes + /* skip random bytes */ buf += 16; - } - else + } + else #endif /* MBEDTLS_CTLS */ - { - memcpy(ssl->handshake->randbytes + 32, buf, 32); - MBEDTLS_SSL_DEBUG_BUF(3, "hello retry request, random bytes", buf + 2, 32); + { + memcpy( ssl->handshake->randbytes + 32, buf, 32 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "hello retry request, random bytes", buf + 2, 32 ); - // skip random bytes + /* skip random bytes */ buf += 32; - } + } #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { + { #if defined(MBEDTLS_COMPATIBILITY_MODE) - // legacy_session_id_echo - if (ssl->session_negotiate->id_len != buf[0]) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Mismatch of session id length")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + /* legacy_session_id_echo */ + if( ssl->session_negotiate->id_len != buf[0] ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Mismatch of session id length" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } - buf++; // skip session id length + buf++; /* skip session id length */ - if (memcmp(ssl->session_negotiate->id, &buf[0], ssl->session_negotiate->id_len) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Mismatch of session id")); - MBEDTLS_SSL_DEBUG_BUF(3, "- expected session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len); - MBEDTLS_SSL_DEBUG_BUF(3, "- received session id", &buf[0], ssl->session_negotiate->id_len); + if( memcmp( ssl->session_negotiate->id, &buf[0], ssl->session_negotiate->id_len ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Mismatch of session id" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "- expected session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "- received session id", &buf[0], ssl->session_negotiate->id_len ); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } - buf += ssl->session_negotiate->id_len; // skip session id + buf += ssl->session_negotiate->id_len; /* skip session id */ - MBEDTLS_SSL_DEBUG_MSG(3, ("session id length (%d)", ssl->session_negotiate->id_len)); - MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "session id length ( %d )", ssl->session_negotiate->id_len ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len ); #else - // Length of the session id must be zero - if (*buf == 0) { - buf++; // skip session id length + /* Length of the session id must be zero */ + if( *buf == 0 ) + { + buf++; /* skip session id length */ } - else { - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + else + { + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } #endif /* MBEDTLS_COMPATIBILITY_MODE */ - } + } #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) - { - // read server-selected ciphersuite, which follows random bytes - i = (buf[0] << 8) | buf[1]; + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + /* read server-selected ciphersuite, which follows random bytes */ + i = ( buf[0] << 8 ) | buf[1]; - // skip ciphersuite + /* skip ciphersuite */ buf += 2; - } - else + } + else #endif /* MBEDTLS_CTLS*/ - { - // read server-selected ciphersuite, which follows random bytes - i = (buf[0] << 8) | buf[1]; + { + /* read server-selected ciphersuite, which follows random bytes */ + i = ( buf[0] << 8 ) | buf[1]; - // skip ciphersuite + /* skip ciphersuite */ buf += 2; - } + } - // TBD: Check whether we have offered this ciphersuite - // Via the force_ciphersuite version we may have instructed the client - // to use a difference ciphersuite. + /* TBD: Check whether we have offered this ciphersuite */ + /* Via the force_ciphersuite version we may have instructed the client */ + /* to use a difference ciphersuite. */ - // Configure ciphersuites - ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i); + /* Configure ciphersuites */ + ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); - if (ssl->transform_negotiate->ciphersuite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %04x not found", i)); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + if( ssl->transform_negotiate->ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - mbedtls_ssl_optimize_checksum(ssl, ssl->transform_negotiate->ciphersuite_info); + mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); - ssl->session_negotiate->ciphersuite = i; + ssl->session_negotiate->ciphersuite = i; - suite_info = mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); - if (suite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); - } + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); + if( suite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("hello retry request, chosen ciphersuite: (%04x) - %s", i, suite_info->name)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello retry request, chosen ciphersuite: ( %04x ) - %s", i, suite_info->name ) ); #if defined(MBEDTLS_HAVE_TIME) - ssl->session_negotiate->start = time(NULL); + ssl->session_negotiate->start = time( NULL ); #endif /* MBEDTLS_HAVE_TIME */ - i = 0; - while (1) - { - if (ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0) + i = 0; + while ( 1 ) + { + if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } - if (ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == - ssl->session_negotiate->ciphersuite) + if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == + ssl->session_negotiate->ciphersuite ) { - break; + break; } - } + } #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - // Ensure that compression method is set to zero - if (buf[0] != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + { + /* Ensure that compression method is set to zero */ + if( buf[0] != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } - // skip compression + /* skip compression */ buf++; - } + } - // Are we reading beyond the message buffer? - if ((buf + 2) > msg_end) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); - } + /* Are we reading beyond the message buffer? */ + if( ( buf + 2 ) > msg_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); + } - ext_len = ((buf[0] << 8) | (buf[1])); - buf += 2; // skip extension length + ext_len = ( ( buf[0] << 8 ) | ( buf[1] ) ); + buf += 2; /* skip extension length */ - // Are we reading beyond the message buffer? - if ((buf + ext_len) > msg_end) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); - } + /* Are we reading beyond the message buffer? */ + if( ( buf + ext_len ) > msg_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); + } - ext = buf; + ext = buf; - MBEDTLS_SSL_DEBUG_MSG(3, ("hello retry request, total extension length: %d", ext_len)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello retry request, total extension length: %d", ext_len ) ); - MBEDTLS_SSL_DEBUG_BUF(3, "extensions", ext, ext_len); + MBEDTLS_SSL_DEBUG_BUF( 3, "extensions", ext, ext_len ); - while (ext_len) - { - ext_id = ((ext[0] << 8) | (ext[1])); - ext_size = ((ext[2] << 8) | (ext[3])); + while ( ext_len ) + { + ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) ); + ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) ); - if (ext_size + 4 > ext_len) + if( ext_size + 4 > ext_len ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } - switch (ext_id) + switch ( ext_id ) { #if defined(MBEDTLS_SSL_COOKIE_C) - case MBEDTLS_TLS_EXT_COOKIE: + case MBEDTLS_TLS_EXT_COOKIE: - MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", ext + 4, ext_size); + MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", ext + 4, ext_size ); - mbedtls_free(ssl->handshake->verify_cookie); + mbedtls_free( ssl->handshake->verify_cookie ); - ssl->handshake->verify_cookie = mbedtls_calloc(1, ext_size); - if (ssl->handshake->verify_cookie == NULL) + ssl->handshake->verify_cookie = mbedtls_calloc( 1, ext_size ); + if( ssl->handshake->verify_cookie == NULL ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", ext_size)); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed ( %d bytes )", ext_size ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); } - memcpy(ssl->handshake->verify_cookie, ext + 4, ext_size); - ssl->handshake->verify_cookie_len = (unsigned char)ext_size; + memcpy( ssl->handshake->verify_cookie, ext + 4, ext_size ); + ssl->handshake->verify_cookie_len = ( unsigned char )ext_size; break; #endif /* MBEDTLS_SSL_COOKIE_C */ - case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: - MBEDTLS_SSL_DEBUG_MSG(3, ("found supported_versions extension")); + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_versions extension" ) ); - ret = ssl_parse_supported_version_ext(ssl, ext + 4, ext_size); - if (ret != 0) - return(ret); + ret = ssl_parse_supported_version_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); break; #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) - case MBEDTLS_TLS_EXT_KEY_SHARES: + case MBEDTLS_TLS_EXT_KEY_SHARES: - MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", ext + 4, ext_size); + MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", ext + 4, ext_size ); - // Read selected_group - tls_id = ((ext[4] << 8) | (ext[5])); - MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group (%d)", tls_id)); + /* Read selected_group */ + tls_id = ( ( ext[4] << 8 ) | ( ext[5] ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", tls_id ) ); - info = mbedtls_ecp_curve_info_from_tls_id(tls_id); + info = mbedtls_ecp_curve_info_from_tls_id( tls_id ); - if (info != NULL) { - MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group by name (%s)", info->name)); + if( info != NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group by name ( %s )", info->name ) ); } /* * Upon receipt of this extension in a HelloRetryRequest, the client @@ -3305,28 +3365,30 @@ static int ssl_hrr_parse(mbedtls_ssl_context* ssl, * The supported_group was based on the info in ssl->conf->curve_list. */ - for (grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++) { - /* In the initial ClientHello we transmitted the key shares based on - * key_shares_curve_list. - */ - info = mbedtls_ecp_curve_info_from_grp_id(*grp_id); + for ( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) { + /* In the initial ClientHello we transmitted the key shares based on + * key_shares_curve_list. + */ + info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - if (info == NULL) return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + if( info == NULL ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - if (info->tls_id == tls_id) { - // We found a match - found = 1; - break; - } + if( info->tls_id == tls_id ) + { + /* We found a match */ + found = 1; + break; + } } /* If the server provided a key share that was not sent in the ClientHello * then the client MUST abort the handshake with an "illegal_parameter" alert. */ - if (found == 0) { - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - MBEDTLS_SSL_DEBUG_MSG(1, ("bad HRR (server provided key share that was not sent in ClientHello)")); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + if( found == 0 ) + { + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad HRR ( server provided key share that was not sent in ClientHello )" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } /* @@ -3335,27 +3397,29 @@ static int ssl_hrr_parse(mbedtls_ssl_context* ssl, * "key_share" extension in the original ClientHello. */ found = 0; - for (grp_id = ssl->conf->key_shares_curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++) { + for ( grp_id = ssl->conf->key_shares_curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) { - info = mbedtls_ecp_curve_info_from_grp_id(*grp_id); + info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - if (info == NULL) return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + if( info == NULL ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - if (info->tls_id == tls_id) { - // We found a match - found = 1; - break; - } + if( info->tls_id == tls_id ) + { + /* We found a match */ + found = 1; + break; + } } /* If the server sent an HRR message with a key share already * provided in the ClientHello then the client MUST abort the * handshake with an "illegal_parameter" alert. */ - if (found == 1) { - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); - MBEDTLS_SSL_DEBUG_MSG(1, ("bad HRR (server sent HRR with a key share already provided in ClientHello)")); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + if( found == 1 ) + { + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad HRR ( server sent HRR with a key share already provided in ClientHello )" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } /* Modify key_shares_curve_list for next ClientHello @@ -3363,270 +3427,277 @@ static int ssl_hrr_parse(mbedtls_ssl_context* ssl, * ClientHello we only send the key share expected * by the server. */ - curve = mbedtls_ecp_curve_info_from_tls_id(tls_id); + curve = mbedtls_ecp_curve_info_from_tls_id( tls_id ); - if (curve == NULL) return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + if( curve == NULL ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); ssl->handshake->key_shares_curve_list[0] = curve->grp_id; ssl->handshake->key_shares_curve_list[1] = MBEDTLS_ECP_DP_NONE; break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ - default: - MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %d (ignoring)", ext_id)); + default: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d ( ignoring )", ext_id ) ); } - // Jump to next extension + /* Jump to next extension */ ext_len -= 4 + ext_size; ext += 4 + ext_size; - if (ext_len > 0 && ext_len < 4) + if( ext_len > 0 && ext_len < 4 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad hello retry request message")); - return(MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello retry request message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_HELLO_RETRY_REQUEST ); } - } - - return(0); -} - -static int ssl_hrr_postprocess(mbedtls_ssl_context* ssl, - const unsigned char* orig_buf, - size_t orig_msg_len) -{ - unsigned char transcript[MBEDTLS_MD_MAX_SIZE + 4]; // used to store the ClientHello1 msg - int hash_length; - - ssl->handshake->hello_retry_requests_received++; - - MBEDTLS_SSL_DEBUG_MSG(5, ("--- Update Checksum (ssl_prepare_handshake_record, stateless transcript hash for HRR)")); - - /* A special handling of the transcript hash is needed. We skipped - * updating the transcript hash when the HRR message was received. - * - * 1. The current transcript hash was computed over the first ClientHello. - * We need to compute a final hash of ClientHello1 and then put it - * into the following structure: - * - * Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN) = - * Hash(message_hash || // Handshake Type - * 00 00 Hash.length || // Handshake message length - * Hash(ClientHello1) || // Hash of ClientHello1 - * HelloRetryRequest ... MN) - * - * 2. Then, we need to reset the transcript and put the hash of the above- - * computed value. - * - */ - - transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH; - transcript[1] = 0; - transcript[2] = 0; - - hash_length = mbedtls_hash_size_for_ciphersuite(ssl->transform_negotiate->ciphersuite_info); - - if (hash_length == -1) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite == -1")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - - transcript[3] = (uint8_t)hash_length; - - /* #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; - #endif - - #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; - #endif - */ - if (ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA256) { + } + + return( 0 ); + } + + static int ssl_hrr_postprocess( mbedtls_ssl_context* ssl, + const unsigned char* orig_buf, + size_t orig_msg_len ) + { + unsigned char transcript[MBEDTLS_MD_MAX_SIZE + 4]; /* used to store the ClientHello1 msg */ + int hash_length; + + ssl->handshake->hello_retry_requests_received++; + + MBEDTLS_SSL_DEBUG_MSG( 5, ( "--- Update Checksum ( ssl_prepare_handshake_record, stateless transcript hash for HRR )" ) ); + + /* A special handling of the transcript hash is needed. We skipped + * updating the transcript hash when the HRR message was received. + * + * 1. The current transcript hash was computed over the first ClientHello. + * We need to compute a final hash of ClientHello1 and then put it + * into the following structure: + * + * Transcript-Hash( ClientHello1, HelloRetryRequest, ... MN ) = + * Hash( message_hash || + * 00 00 Hash.length || + * Hash( ClientHello1 ) || + * HelloRetryRequest ... MN ) + * + * 2. Then, we need to reset the transcript and put the hash of the above- + * computed value. + * + */ + + transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH; + transcript[1] = 0; + transcript[2] = 0; + + hash_length = mbedtls_hash_size_for_ciphersuite( ssl->transform_negotiate->ciphersuite_info ); + + if( hash_length == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite == -1" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + transcript[3] = ( uint8_t )hash_length; + + /* #if defined(MBEDTLS_SHA256_C) + mbedtls_sha256_context sha256; + #endif + + #if defined(MBEDTLS_SHA512_C) + mbedtls_sha512_context sha512; + #endif + */ + if( ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA256 ) + { #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_finish(&ssl->handshake->fin_sha256, &transcript[4]); - MBEDTLS_SSL_DEBUG_BUF(5, "Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN)", &transcript[0], 32 + 4); + mbedtls_sha256_finish( &ssl->handshake->fin_sha256, &transcript[4] ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Transcript-Hash( ClientHello1, HelloRetryRequest, ... MN )", &transcript[0], 32 + 4 ); - // reset transcript - mbedtls_sha256_init(&ssl->handshake->fin_sha256); - mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0 /* = use SHA256 */); - //mbedtls_sha256_update(&ssl->handshake->fin_sha256, &transcript[0], hash_length + 4); + /* reset transcript */ + mbedtls_sha256_init( &ssl->handshake->fin_sha256 ); + mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 /* = use SHA256 */ ); + /*mbedtls_sha256_update( &ssl->handshake->fin_sha256, &transcript[0], hash_length + 4 ); */ #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA256_C */ - } - else if (ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { + } + else if( ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_finish(&ssl->handshake->fin_sha512, &transcript[4]); - MBEDTLS_SSL_DEBUG_BUF(5, "Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN)", &transcript[0], 48 + 4); + mbedtls_sha512_finish( &ssl->handshake->fin_sha512, &transcript[4] ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Transcript-Hash( ClientHello1, HelloRetryRequest, ... MN )", &transcript[0], 48 + 4 ); - // reset transcript - mbedtls_sha512_init(&ssl->handshake->fin_sha512); - mbedtls_sha512_starts(&ssl->handshake->fin_sha512, 1 /* = use SHA384 */); - //mbedtls_sha256_update(&ssl->handshake->fin_sha512, &transcript[0], hash_length + 4); + /* reset transcript */ + mbedtls_sha512_init( &ssl->handshake->fin_sha512 ); + mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 /* = use SHA384 */ ); + /*mbedtls_sha256_update( &ssl->handshake->fin_sha512, &transcript[0], hash_length + 4 ); */ #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA512_C */ - } - else if (ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA512) { + } + else if( ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA512 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_finish(&ssl->handshake->fin_sha512, &transcript[4]); - MBEDTLS_SSL_DEBUG_BUF(5, "Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN)", &transcript[0], 64 + 4); - - // reset transcript - mbedtls_sha512_init(&ssl->handshake->fin_sha512); - mbedtls_sha512_starts(&ssl->handshake->fin_sha512, 0 /* = use SHA512 */); - //mbedtls_sha256_update(&ssl->handshake->fin_sha512, &transcript[0], hash_length + 4); - } - else { + mbedtls_sha512_finish( &ssl->handshake->fin_sha512, &transcript[4] ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Transcript-Hash( ClientHello1, HelloRetryRequest, ... MN )", &transcript[0], 64 + 4 ); + + /* reset transcript */ + mbedtls_sha512_init( &ssl->handshake->fin_sha512 ); + mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 0 /* = use SHA512 */ ); + /*mbedtls_sha256_update( &ssl->handshake->fin_sha512, &transcript[0], hash_length + 4 ); */ + } + else + { #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA512_C */ - } + } - // hash modified transcript for ClientHello1 - ssl->handshake->update_checksum(ssl, &transcript[0], hash_length + 4); - // Add transcript for HRR - ssl->handshake->update_checksum(ssl, orig_buf, orig_msg_len); + /* hash modified transcript for ClientHello1 */ + ssl->handshake->update_checksum( ssl, &transcript[0], hash_length + 4 ); + /* Add transcript for HRR */ + ssl->handshake->update_checksum( ssl, orig_buf, orig_msg_len ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - mbedtls_ssl_recv_flight_completed(ssl); + mbedtls_ssl_recv_flight_completed( ssl ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - return(0); -} + return( 0 ); + } #if !defined(foobar) -static void mbedtls_patch_pointers(mbedtls_ssl_context* ssl) -{ - ((void)ssl); -} + static void mbedtls_patch_pointers( mbedtls_ssl_context* ssl ) + { + ( (void)ssl ); + } #else -static void mbedtls_patch_pointers(mbedtls_ssl_context* ssl) -{ - /* In case we negotiated the use of CIDs then we need to - * adjust the pointers to various header fields. If we - * did not negotiate the use of a CID or our peer requested - * us not to add a CID value to the record header then the - * out_cid_len or in_cid_len will be zero. - */ + static void mbedtls_patch_pointers( mbedtls_ssl_context* ssl ) + { + /* In case we negotiated the use of CIDs then we need to + * adjust the pointers to various header fields. If we + * did not negotiate the use of a CID or our peer requested + * us not to add a CID value to the record header then the + * out_cid_len or in_cid_len will be zero. + */ #if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_CID) - size_t out_cid_len = ssl->out_cid_len; - size_t in_cid_len = ssl->in_cid_len; + size_t out_cid_len = ssl->out_cid_len; + size_t in_cid_len = ssl->in_cid_len; #else - size_t out_cid_len = 0; - size_t in_cid_len = 0; + size_t out_cid_len = 0; + size_t in_cid_len = 0; #endif /* MBEDTLS_CID */ - if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) && - (out_cid_len > 0)) - { + if( ( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) && + ( out_cid_len > 0 )) + { ssl->out_hdr = ssl->out_buf; ssl->out_ctr = ssl->out_buf + 1 + out_cid_len; - ssl->out_len = ssl->out_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_negotiate) - 2; - ssl->out_iv = ssl->out_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_negotiate); - /* ssl->out_msg = ssl->out_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT) + ssl->transform_negotiate->ivlen - - ssl->transform_negotiate->fixed_ivlen; */ + ssl->out_len = ssl->out_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_negotiate ) - 2; + ssl->out_iv = ssl->out_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_negotiate ); + /* ssl->out_msg = ssl->out_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT ) + ssl->transform_negotiate->ivlen - + ssl->transform_negotiate->fixed_ivlen; */ ssl->out_msg = ssl->out_iv; - } + } - if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) && - (in_cid_len > 0)) - { + if( ( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) && + ( in_cid_len > 0 )) + { ssl->in_hdr = ssl->in_buf; ssl->in_ctr = ssl->in_buf + 1 + in_cid_len; - ssl->in_len = ssl->in_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_negotiate) - 2; - ssl->in_iv = ssl->in_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_negotiate); - /* ssl->in_msg = ssl->in_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT) + ssl->transform_negotiate->ivlen - - ssl->transform_negotiate->fixed_ivlen; */ + ssl->in_len = ssl->in_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_negotiate ) - 2; + ssl->in_iv = ssl->in_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_negotiate ); + /* ssl->in_msg = ssl->in_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT ) + ssl->transform_negotiate->ivlen - + ssl->transform_negotiate->fixed_ivlen; */ ssl->in_msg = ssl->in_iv; - } - else + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - ((void)ssl); - } -} + { + ( (void)ssl ); + } + } #endif /* foobar */ /* -* TLS and DTLS 1.3 State Maschine -- client side -*/ -int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl) -{ - int ret = 0; + * TLS and DTLS 1.3 State Maschine -- client side + */ + int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) + { + int ret = 0; - if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("Handshake completed but ssl->handshake is NULL.\n")); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } - MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %d", ssl->state)); + if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "Handshake completed but ssl->handshake is NULL.\n" ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); - if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) - return(ret); + if( ( ret = mbedtls_ssl_flush_output( ssl )) != 0 ) + return( ret ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) - { - if ((ret = mbedtls_ssl_resend(ssl)) != 0) - return(ret); - } + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) + { + if( ( ret = mbedtls_ssl_resend( ssl )) != 0 ) + return( ret ); + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - switch (ssl->state) - { - case MBEDTLS_SSL_HELLO_REQUEST: - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); - // Reset hello_retry_requests_receive since we have not seen an HRR msg yet. - ssl->handshake->hello_retry_requests_received = 0; + switch ( ssl->state ) + { + case MBEDTLS_SSL_HELLO_REQUEST: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); + /* Reset hello_retry_requests_receive since we have not seen an HRR msg yet. */ + ssl->handshake->hello_retry_requests_received = 0; #if defined(MBEDTLS_COMPATIBILITY_MODE) - // Reset session id - memset(ssl->session_negotiate->id, 0, 32); - ssl->session_negotiate->id_len = 0; + /* Reset session id */ + memset( ssl->session_negotiate->id, 0, 32 ); + ssl->session_negotiate->id_len = 0; #endif /* MBEDTLS_COMPATIBILITY_MODE */ #if defined(MBEDTLS_ECP_C) - // We need to initialize the handshake->key_shares_curve_list. - if (ssl->handshake->key_shares_curve_list == NULL) { - // We need to allocate one additional key share for the delimiter. - ssl->handshake->key_shares_curve_list = mbedtls_calloc(1, sizeof(mbedtls_ecp_group_id*) * (MBEDTLS_SSL_MAX_KEY_SHARES+1)); - if (ssl->conf->key_shares_curve_list == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + /* We need to initialize the handshake->key_shares_curve_list. */ + if( ssl->handshake->key_shares_curve_list == NULL ) + { + /* We need to allocate one additional key share for the delimiter. */ + ssl->handshake->key_shares_curve_list = mbedtls_calloc( 1, sizeof( mbedtls_ecp_group_id* ) * ( MBEDTLS_SSL_MAX_KEY_SHARES+1 ) ); + if( ssl->conf->key_shares_curve_list == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - memcpy(ssl->handshake->key_shares_curve_list, ssl->conf->key_shares_curve_list, sizeof(mbedtls_ecp_group_id*) * (MBEDTLS_SSL_MAX_KEY_SHARES+1)); + memcpy( ssl->handshake->key_shares_curve_list, ssl->conf->key_shares_curve_list, sizeof( mbedtls_ecp_group_id* ) * ( MBEDTLS_SSL_MAX_KEY_SHARES+1 ) ); - // We need to put a delimiter to the end of the key shares curve list + /* We need to put a delimiter to the end of the key shares curve list */ ssl->handshake->key_shares_curve_list[MBEDTLS_SSL_MAX_KEY_SHARES] = MBEDTLS_ECP_DP_NONE; - } + } #endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - // nothing sent or received so far - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - mbedtls_ack_clear_all(ssl, MBEDTLS_SSL_ACK_RECORDS_SENT); - mbedtls_ack_clear_all(ssl, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); - } + /* nothing sent or received so far */ + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + mbedtls_ack_clear_all( ssl, MBEDTLS_SSL_ACK_RECORDS_SENT ); + mbedtls_ack_clear_all( ssl, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - break; + break; - /* ----- WRITE CLIENT HELLO ----*/ + /* ----- WRITE CLIENT HELLO ----*/ - case MBEDTLS_SSL_CLIENT_HELLO: - // Reset pointers to buffers + case MBEDTLS_SSL_CLIENT_HELLO: + /* Reset pointers to buffers */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { ssl->out_hdr = ssl->out_buf; ssl->out_ctr = ssl->out_buf + 3; ssl->out_len = ssl->out_buf + 11; @@ -3638,422 +3709,446 @@ int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl) ssl->in_len = ssl->in_buf + 11; ssl->in_iv = ssl->in_buf + 13; ssl->in_msg = ssl->in_buf + 13; - } + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value (0) is used with unencrypted messages */ - ssl->in_epoch = 0; - ssl->out_epoch = 0; + /* epoch value ( 0 ) is used with unencrypted messages */ + ssl->in_epoch = 0; + ssl->out_epoch = 0; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ret = ssl_client_hello_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_client_hello", ret); - return (ret); - } + ret = ssl_client_hello_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_client_hello", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, MBEDTLS_SSL_ACK_RECORDS_SENT); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, MBEDTLS_SSL_ACK_RECORDS_SENT ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_ZERO_RTT) - if (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON) { + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + { #if defined(MBEDTLS_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO ); #else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_EARLY_APP_DATA); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); #endif /* MBEDTLS_COMPATIBILITY_MODE */ - } - else + } + else #endif /* MBEDTLS_ZERO_RTT */ - { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); - } + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_send_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_send_flight_completed( ssl ); #endif - break; + break; #if defined(MBEDTLS_ZERO_RTT) - /* ----- WRITE CHANGE CIPHER SPEC ----*/ + /* ----- WRITE CHANGE CIPHER SPEC ----*/ #if defined(MBEDTLS_COMPATIBILITY_MODE) - case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: + case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: - ret = mbedtls_ssl_write_change_cipher_spec(ssl); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_EARLY_APP_DATA); + ret = mbedtls_ssl_write_change_cipher_spec( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); - break; + break; #endif /* MBEDTLS_COMPATIBILITY_MODE */ - /* ----- WRITE EARLY DATA ----*/ + /* ----- WRITE EARLY DATA ----*/ - case MBEDTLS_SSL_EARLY_APP_DATA: + case MBEDTLS_SSL_EARLY_APP_DATA: - ret = mbedtls_ssl_early_data_key_derivation(ssl, &traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_key_derivation", ret); - return (ret); - } + ret = mbedtls_ssl_early_data_key_derivation( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_key_derivation", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - traffic_keys.epoch = 1; + traffic_keys.epoch = 1; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ret = mbedtls_set_traffic_key(ssl, &traffic_keys, ssl->transform_negotiate,0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); - } + ret = mbedtls_set_traffic_key( ssl, &traffic_keys, ssl->transform_negotiate,0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value(1) is used for messages protected using keys derived - * from early_traffic_secret. - */ - ssl->in_epoch = 1; - ssl->out_epoch = 1; + /* epoch value( 1 ) is used for messages protected using keys derived + * from early_traffic_secret. + */ + ssl->in_epoch = 1; + ssl->out_epoch = 1; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - // TBD: Add bounds check here. - memcpy(ssl->out_msg, ssl->conf->early_data_buf, ssl->conf->early_data_len); - ssl->out_msglen = ssl->conf->early_data_len; - ssl->out_msg[ssl->out_msglen] = MBEDTLS_SSL_MSG_APPLICATION_DATA; - ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; - ssl->out_msglen++; + /* TBD: Add bounds check here. */ + memcpy( ssl->out_msg, ssl->conf->early_data_buf, ssl->conf->early_data_len ); + ssl->out_msglen = ssl->conf->early_data_len; + ssl->out_msg[ssl->out_msglen] = MBEDTLS_SSL_MSG_APPLICATION_DATA; + ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; + ssl->out_msglen++; - MBEDTLS_SSL_DEBUG_BUF(3, "Early Data", ssl->out_msg, ssl->out_msglen); + MBEDTLS_SSL_DEBUG_BUF( 3, "Early Data", ssl->out_msg, ssl->out_msglen ); - ret = mbedtls_ssl_write_record(ssl); -// ret = mbedtls_ssl_write(ssl, buf, strlen(buf)); + ret = mbedtls_ssl_write_record( ssl ); +/* ret = mbedtls_ssl_write( ssl, buf, strlen( buf ) ); */ - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_real", ret); - return (ret); - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_real", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_send_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_send_flight_completed( ssl ); #endif - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); - break; + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); + break; #endif /* MBEDTLS_ZERO_RTT */ - /* ----- READ SERVER HELLO ----*/ + /* ----- READ SERVER HELLO ----*/ - case MBEDTLS_SSL_SERVER_HELLO: - /* In this state the client is expecting a ServerHello - * message but the server could also return a HelloRetryRequest. - * - * Reset extensions we have seen so far. - */ - ssl->handshake->extensions_present = NO_EXTENSION; - ret = ssl_server_hello_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_server_hello", ret); - return (ret); - } + case MBEDTLS_SSL_SERVER_HELLO: + /* In this state the client is expecting a ServerHello + * message but the server could also return a HelloRetryRequest. + * + * Reset extensions we have seen so far. + */ + ssl->handshake->extensions_present = NO_EXTENSION; + ret = ssl_server_hello_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_server_hello", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_clear_all(ssl, MBEDTLS_SSL_ACK_RECORDS_SENT); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_clear_all( ssl, MBEDTLS_SSL_ACK_RECORDS_SENT ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if (ssl->handshake->hello_retry_requests_received > 0) { - // If we received the HRR msg then we send another ClientHello + if( ssl->handshake->hello_retry_requests_received > 0 ) + { + /* If we received the HRR msg then we send another ClientHello */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_HELLO_RETRY_REQUEST, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_HELLO_RETRY_REQUEST, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_COMPATIBILITY_MODE) /* If not offering early data, the client sends a dummy - * change_cipher_spec record immediately before its - * second flight. This may either be before its second - * ClientHello or before its encrypted handshake flight. - */ - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO); + * change_cipher_spec record immediately before its + * second flight. This may either be before its second + * ClientHello or before its encrypted handshake flight. + */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO ); #else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO ); #endif /* MBEDTLS_COMPATIBILITY_MODE */ - } else { - // Otherwise we continue with the handshake + } + else + { + /* Otherwise we continue with the handshake */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_SERVER_HELLO, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_SERVER_HELLO, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_patch_pointers(ssl); + mbedtls_patch_pointers( ssl ); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); - } - break; + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); + } + break; - /* ----- WRITE CHANGE_CIPHER_SPEC ----*/ + /* ----- WRITE CHANGE_CIPHER_SPEC ----*/ #if defined(MBEDTLS_COMPATIBILITY_MODE) - case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: + case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: - ret = mbedtls_ssl_write_change_cipher_spec(ssl); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO); + ret = mbedtls_ssl_write_change_cipher_spec( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO ); - break; + break; #endif /* MBEDTLS_COMPATIBILITY_MODE */ - /* ----- WRITE 2nd CLIENT HELLO ----*/ - case MBEDTLS_SSL_SECOND_CLIENT_HELLO: - ret = ssl_client_hello_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_client_hello", ret); - return (ret); - } - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SECOND_SERVER_HELLO); + /* ----- WRITE 2nd CLIENT HELLO ----*/ + case MBEDTLS_SSL_SECOND_CLIENT_HELLO: + ret = ssl_client_hello_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_client_hello", ret ); + return ( ret ); + } + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SECOND_SERVER_HELLO ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, MBEDTLS_SSL_ACK_RECORDS_SENT); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, MBEDTLS_SSL_ACK_RECORDS_SENT ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_send_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_send_flight_completed( ssl ); #endif - break; + break; - /* ----- READ 2nd SERVER HELLO ----*/ + /* ----- READ 2nd SERVER HELLO ----*/ - case MBEDTLS_SSL_SECOND_SERVER_HELLO: - /* In this state the client is expecting a ServerHello - * message and not the HRR anymore. - */ - // reset extensions we have seen so far - ssl->handshake->extensions_present = NO_EXTENSION; - ret = ssl_server_hello_process(ssl); + case MBEDTLS_SSL_SECOND_SERVER_HELLO: + /* In this state the client is expecting a ServerHello + * message and not the HRR anymore. + */ + /* reset extensions we have seen so far */ + ssl->handshake->extensions_present = NO_EXTENSION; + ret = ssl_server_hello_process( ssl ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_server_hello", ret); - return (ret); - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_server_hello", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_clear_all(ssl, MBEDTLS_SSL_ACK_RECORDS_SENT); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_clear_all( ssl, MBEDTLS_SSL_ACK_RECORDS_SENT ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - // if we received a second HRR we abort - if (ssl->handshake->hello_retry_requests_received == 2) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HelloRetryRequests received from server; I give up.")); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - return (MBEDTLS_ERR_SSL_BAD_HS_TOO_MANY_HRR); - } - mbedtls_patch_pointers(ssl); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); - break; + /* if we received a second HRR we abort */ + if( ssl->handshake->hello_retry_requests_received == 2 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HelloRetryRequests received from server; I give up." ) ); + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); + return ( MBEDTLS_ERR_SSL_BAD_HS_TOO_MANY_HRR ); + } + mbedtls_patch_pointers( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); + break; - /* ----- READ ENCRYPTED EXTENSIONS ----*/ + /* ----- READ ENCRYPTED EXTENSIONS ----*/ - case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: + case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: - ret = ssl_encrypted_extensions_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_encrypted_extensions", ret); - return (ret); - } + ret = ssl_encrypted_extensions_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_encrypted_extensions", ret ); + return ( ret ); + } - break; + break; - /* ----- WRITE CHANGE CIPHER SPEC ----*/ + /* ----- WRITE CHANGE CIPHER SPEC ----*/ #if defined(MBEDTLS_COMPATIBILITY_MODE) - case MBEDTLS_SSL_CLIENT_CCS_BEFORE_CERTIFICATE_REQUEST: + case MBEDTLS_SSL_CLIENT_CCS_BEFORE_CERTIFICATE_REQUEST: - ret = mbedtls_ssl_write_change_cipher_spec(ssl); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); + ret = mbedtls_ssl_write_change_cipher_spec( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); - break; + break; #endif /* MBEDTLS_COMPATIBILITY_MODE */ - /* ----- READ CERTIFICATE REQUEST ----*/ + /* ----- READ CERTIFICATE REQUEST ----*/ - case MBEDTLS_SSL_CERTIFICATE_REQUEST: - ret = ssl_certificate_request_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_certificate_request_process", ret); - return (ret); - } + case MBEDTLS_SSL_CERTIFICATE_REQUEST: + ret = ssl_certificate_request_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_certificate_request_process", ret ); + return ( ret ); + } - break; + break; - /* ----- READ SERVER CERTIFICATE ----*/ + /* ----- READ SERVER CERTIFICATE ----*/ - case MBEDTLS_SSL_SERVER_CERTIFICATE: - ret = ssl_read_certificate_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_read_certificate_process", ret); - return (ret); - } - break; + case MBEDTLS_SSL_SERVER_CERTIFICATE: + ret = ssl_read_certificate_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_read_certificate_process", ret ); + return ( ret ); + } + break; - /* ----- READ CERTIFICATE VERIFY ----*/ + /* ----- READ CERTIFICATE VERIFY ----*/ - case MBEDTLS_SSL_CERTIFICATE_VERIFY: - ret = ssl_read_certificate_verify_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_read_certificate_verify_process", ret); - return (ret); - } + case MBEDTLS_SSL_CERTIFICATE_VERIFY: + ret = ssl_read_certificate_verify_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_read_certificate_verify_process", ret ); + return ( ret ); + } - break; + break; - /* ----- READ FINISHED ----*/ + /* ----- READ FINISHED ----*/ - case MBEDTLS_SSL_SERVER_FINISHED: + case MBEDTLS_SSL_SERVER_FINISHED: - ret = ssl_finished_in_process(ssl); + ret = ssl_finished_in_process( ssl ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_finished_in_process", ret); - return (ret); - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_finished_in_process", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_FINISHED, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_FINISHED, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_ZERO_RTT) - if (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_EARLY_DATA); - } - else + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_DATA ); + } + else #endif /* MBEDTLS_ZERO_RTT */ - { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); - } - break; + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); + } + break; #if defined(MBEDTLS_ZERO_RTT) - /* ----- WRITE END-OF-EARLY-DATA ----*/ + /* ----- WRITE END-OF-EARLY-DATA ----*/ - case MBEDTLS_SSL_EARLY_DATA: - ret = mbedtls_ssl_early_data_key_derivation(ssl, &traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_key_derivation", ret); - return (ret); - } + case MBEDTLS_SSL_EARLY_DATA: + ret = mbedtls_ssl_early_data_key_derivation( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_key_derivation", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - traffic_keys.epoch = 1; + traffic_keys.epoch = 1; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ret = mbedtls_set_traffic_key(ssl, &traffic_keys, ssl->transform_negotiate,0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); - } + ret = mbedtls_set_traffic_key( ssl, &traffic_keys, ssl->transform_negotiate,0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value (1) is used for messages protected using keys derived - * from early_traffic_secret. - */ - ssl->in_epoch = 1; - ssl->out_epoch = 1; + /* epoch value ( 1 ) is used for messages protected using keys derived + * from early_traffic_secret. + */ + ssl->in_epoch = 1; + ssl->out_epoch = 1; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ret = mbedtls_ssl_write_end_of_early_data(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_end_of_early_data", ret); - return (ret); - } + ret = mbedtls_ssl_write_end_of_early_data( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_end_of_early_data", ret ); + return ( ret ); + } - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); - break; + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + break; #endif /* MBEDTLS_ZERO_RTT */ - /* ----- WRITE CERTIFICATE ----*/ + /* ----- WRITE CERTIFICATE ----*/ - case MBEDTLS_SSL_CLIENT_CERTIFICATE: + case MBEDTLS_SSL_CLIENT_CERTIFICATE: - ret = ssl_write_certificate_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_certificate", ret); - return (ret); - } - break; + ret = ssl_write_certificate_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_certificate", ret ); + return ( ret ); + } + break; - /* ----- WRITE CLIENT CERTIFICATE VERIFY ----*/ + /* ----- WRITE CLIENT CERTIFICATE VERIFY ----*/ - case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: - ret = ssl_certificate_verify_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_certificate_verify_process", ret); - return (ret); - } - break; + case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: + ret = ssl_certificate_verify_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_certificate_verify_process", ret ); + return ( ret ); + } + break; - /* ----- WRITE CHANGE CIPHER SPEC ----*/ + /* ----- WRITE CHANGE CIPHER SPEC ----*/ #if defined(MBEDTLS_COMPATIBILITY_MODE) - case MBEDTLS_SSL_CLIENT_CCS_BEFORE_FINISHED: + case MBEDTLS_SSL_CLIENT_CCS_BEFORE_FINISHED: - if (ssl->transform_out == NULL) - ret = mbedtls_ssl_write_change_cipher_spec(ssl); + if( ssl->transform_out == NULL ) + ret = mbedtls_ssl_write_change_cipher_spec( ssl ); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); - break; + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + break; #endif /* MBEDTLS_COMPATIBILITY_MODE */ - /* ----- WRITE CLIENT FINISHED ----*/ + /* ----- WRITE CLIENT FINISHED ----*/ - case MBEDTLS_SSL_CLIENT_FINISHED: - ret = ssl_finished_out_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_finished_out_process", ret); - return (ret); - } - break; + case MBEDTLS_SSL_CLIENT_FINISHED: + ret = ssl_finished_out_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_finished_out_process", ret ); + return ( ret ); + } + break; #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* ----- READ ACK ----*/ + /* ----- READ ACK ----*/ - case MBEDTLS_SSL_HANDSHAKE_FINISH_ACK: - /* The server needs to reply with an ACK message after parsing - * the Finish message from the client. - */ -// ret = mbedtls_ssl_parse_ack(ssl); -// if (ret != 0) { -// MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_parse_ack", ret); -// return (ret); -// } + case MBEDTLS_SSL_HANDSHAKE_FINISH_ACK: + /* The server needs to reply with an ACK message after parsing + * the Finish message from the client. + */ +/* ret = mbedtls_ssl_parse_ack( ssl ); */ +/* if( ret != 0 ) { */ +/* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_parse_ack", ret ); */ +/* return ( ret ); */ +/* } */ - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_clear_all(ssl, MBEDTLS_SSL_ACK_RECORDS_SENT); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_clear_all( ssl, MBEDTLS_SSL_ACK_RECORDS_SENT ); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS); - break; + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS ); + break; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - case MBEDTLS_SSL_FLUSH_BUFFERS: - MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); - break; + case MBEDTLS_SSL_FLUSH_BUFFERS: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); + break; - case MBEDTLS_SSL_HANDSHAKE_WRAPUP: - mbedtls_ssl_handshake_wrapup(ssl); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); - break; + case MBEDTLS_SSL_HANDSHAKE_WRAPUP: + mbedtls_ssl_handshake_wrapup( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); + break; - default: - MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - return(ret); -} + return( ret ); + } #endif /* MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 68649e8085e3..60117ed2308d 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1,11 +1,11 @@ /* * Handshake-related functions shared between the TLS/DTLS client - * and server (ssl_tls13_client.c and ssl_tls13_server.c). + * and server ( ssl_tls13_client.c and ssl_tls13_server.c). * - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright ( C ) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * - * Licensed under the Apache License, Version 2.0 (the "License"); you may + * Licensed under the Apache License, Version 2.0 ( the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * @@ -17,7 +17,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of mbed TLS ( https://tls.mbed.org) */ @@ -29,7 +29,7 @@ #if defined(MBEDTLS_SSL_TLS_C) -#if defined (MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -45,7 +45,7 @@ #include "mbedtls/hkdf.h" #include -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) #include "mbedtls/oid.h" #endif @@ -59,486 +59,509 @@ #endif /* MBEDTLS_PLATFORM_C */ #if defined(MBEDTLS_SHA256_C) -static int ssl_calc_verify_tls_sha256(mbedtls_ssl_context*, unsigned char*, int); -static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context*, unsigned char*, int); + static int ssl_calc_verify_tls_sha256( mbedtls_ssl_context*, unsigned char*, int ); +static int ssl_calc_finished_tls_sha256( mbedtls_ssl_context*, unsigned char*, int ); #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) -static int ssl_calc_verify_tls_sha384(mbedtls_ssl_context*, unsigned char*, int); -static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context*, unsigned char*, int); +static int ssl_calc_verify_tls_sha384( mbedtls_ssl_context*, unsigned char*, int ); +static int ssl_calc_finished_tls_sha384( mbedtls_ssl_context*, unsigned char*, int ); #endif /* MBEDTLS_SHA512_C */ #if defined(MBEDTLS_CTLS) -static enum varint_length_enum set_varint_length(uint32_t input, uint32_t* output) +static enum varint_length_enum set_varint_length( uint32_t input, uint32_t* output ) { - if (input <= 127) { - *output = input; - return VARINT_LENGTH_1_BYTE; - } - else if (input <= 16383) { - *output = input; - *output |= MBEDTLS_VARINT_HDR_1; - *output &= ~(MBEDTLS_VARINT_HDR_2); - return VARINT_LENGTH_2_BYTE; - } - else if (input <= 4194303) { - *output = input; - *output |= MBEDTLS_VARINT_HDR_1; - *output |= MBEDTLS_VARINT_HDR_2; - return VARINT_LENGTH_3_BYTE; - } + if( input <= 127 ) + { + *output = input; + return VARINT_LENGTH_1_BYTE; + } + else if( input <= 16383 ) + { + *output = input; + *output |= MBEDTLS_VARINT_HDR_1; + *output &= ~( MBEDTLS_VARINT_HDR_2 ); + return VARINT_LENGTH_2_BYTE; + } + else if( input <= 4194303 ) + { + *output = input; + *output |= MBEDTLS_VARINT_HDR_1; + *output |= MBEDTLS_VARINT_HDR_2; + return VARINT_LENGTH_3_BYTE; + } - return VARINT_LENGTH_FAILURE; + return VARINT_LENGTH_FAILURE; } -static uint8_t get_varint_length(const uint8_t input) +static uint8_t get_varint_length( const uint8_t input ) { - // Is bit 8 set? - if (input & MBEDTLS_VARINT_HDR_1) - { - // Is bit 7 set? - if (input & MBEDTLS_VARINT_HDR_2) - { - // length = 3 bytes - return (3); - } - else - { - // length = 2 bytes - return (2); - } - } - else - { - // length = 1 bytes - return (1); - } + /* Is bit 8 set? */ + if( input & MBEDTLS_VARINT_HDR_1 ) + { + /* Is bit 7 set? */ + if( input & MBEDTLS_VARINT_HDR_2 ) + { + /* length = 3 bytes */ + return ( 3 ); + } + else + { + /* length = 2 bytes */ + return ( 2 ); + } + } + else + { + /* length = 1 bytes */ + return ( 1 ); + } } -static uint32_t get_varint_value(const uint32_t input) +static uint32_t get_varint_value( const uint32_t input ) { - uint32_t output; + uint32_t output; - // Is bit 8 set? - if (input & MBEDTLS_VARINT_HDR_1) - { - // Is bit 7 set? - if (input & MBEDTLS_VARINT_HDR_2) - { - // length = 3 bytes - output = input & ~(MBEDTLS_VARINT_HDR_1); - output = output & ~(MBEDTLS_VARINT_HDR_2); - return (output); - } - else - { - // length = 2 bytes - output = input & ~(MBEDTLS_VARINT_HDR_1); - return (output); - } - } - else - { - // length = 1 bytes - return (input); - } + /* Is bit 8 set? */ + if( input & MBEDTLS_VARINT_HDR_1 ) + { + /* Is bit 7 set? */ + if( input & MBEDTLS_VARINT_HDR_2 ) + { + /* length = 3 bytes */ + output = input & ~( MBEDTLS_VARINT_HDR_1 ); + output = output & ~( MBEDTLS_VARINT_HDR_2 ); + return ( output ); + } + else + { + /* length = 2 bytes */ + output = input & ~( MBEDTLS_VARINT_HDR_1 ); + return ( output ); + } + } + else + { + /* length = 1 bytes */ + return ( input ); + } } #endif /* MBEDTLS_CTLS */ #if defined(MBEDTLS_SHA256_C) static int ssl_calc_finished_tls_sha256( - mbedtls_ssl_context* ssl, unsigned char* buf, int from) + mbedtls_ssl_context* ssl, unsigned char* buf, int from ) { - int ret; - mbedtls_sha256_context sha256; - unsigned char padbuf[32]; - unsigned char* finished_key; - const mbedtls_md_info_t* md; + int ret; + mbedtls_sha256_context sha256; + unsigned char padbuf[32]; + unsigned char* finished_key; + const mbedtls_md_info_t* md; - md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); + md = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ); - if (md == NULL) { - MBEDTLS_SSL_DEBUG_MSG(2, ("mbedtls_md_info_from_type failed")); - return (MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( md == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "mbedtls_md_info_from_type failed" ) ); + return ( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - mbedtls_sha256_init(&sha256); + mbedtls_sha256_init( &sha256 ); - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha256")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); - mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); + mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); - /* - #if !defined(MBEDTLS_SHA256_ALT) - MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *) - sha256.state, sizeof( sha256.state ) ); - #endif // !MBEDTLS_SHA256_ALT - */ + /* + #if !defined(MBEDTLS_SHA256_ALT) + MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", ( unsigned char * ) + sha256.state, sizeof( sha256.state ) ); + #endif + */ - mbedtls_sha256_finish(&sha256, padbuf); - - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash", padbuf, 32); - - /* TLS 1.3 Finished message - * - * struct { - * opaque verify_data[Hash.length]; - * } Finished; - * - * verify_data = - * HMAC(finished_key, Hash( - * Handshake Context + - * Certificate* + - * CertificateVerify*) - * ) - * - * * Only included if present. - */ + mbedtls_sha256_finish( &sha256, padbuf ); + + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash", padbuf, 32 ); + /* TLS 1.3 Finished message + * + * struct { + * opaque verify_data[Hash.length]; + * } Finished; + * + * verify_data = + * HMAC( finished_key, Hash( + * Handshake Context + + * Certificate* + + * CertificateVerify* ) + * ) + * + * * Only included if present. + */ - /* - * finished_key = - * HKDF-Expand-Label(BaseKey, "finished", "", Hash.length) - * - * The binding_value is computed in the same way as the Finished message - * but with the BaseKey being the binder_key. - */ - // create client finished_key - ret = hkdfExpandLabel(MBEDTLS_MD_SHA256, ssl->handshake->client_handshake_traffic_secret, 32, (const unsigned char*)"finished", strlen("finished"), (const unsigned char*)"", 0, 32, ssl->handshake->client_finished_key, 32); + /* + * finished_key = + * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length ) + * + * The binding_value is computed in the same way as the Finished message + * but with the BaseKey being the binder_key. + */ - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "Creating the client_finished_key failed", ret); - return (ret); - } + /* create client finished_key */ + ret = hkdfExpandLabel( MBEDTLS_MD_SHA256, ssl->handshake->client_handshake_traffic_secret, 32, ( const unsigned char* )"finished", strlen( "finished" ), ( const unsigned char* )"", 0, 32, ssl->handshake->client_finished_key, 32 ); - MBEDTLS_SSL_DEBUG_BUF(3, "client_finished_key", ssl->handshake->client_finished_key, 32); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "Creating the client_finished_key failed", ret ); + return ( ret ); + } - // create server finished_key - ret = hkdfExpandLabel(MBEDTLS_MD_SHA256, ssl->handshake->server_handshake_traffic_secret, 32, (const unsigned char*)"finished", strlen("finished"), (const unsigned char*)"", 0, 32, ssl->handshake->server_finished_key, 32); + MBEDTLS_SSL_DEBUG_BUF( 3, "client_finished_key", ssl->handshake->client_finished_key, 32 ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "Creating the server_finished_key failed", ret); - return (ret); - } + /* create server finished_key */ + ret = hkdfExpandLabel( MBEDTLS_MD_SHA256, ssl->handshake->server_handshake_traffic_secret, 32, ( const unsigned char* )"finished", strlen( "finished" ), ( const unsigned char* )"", 0, 32, ssl->handshake->server_finished_key, 32 ); - MBEDTLS_SSL_DEBUG_BUF(3, "server_finished_key", ssl->handshake->server_finished_key, 32); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "Creating the server_finished_key failed", ret ); + return ( ret ); + } - if (from == MBEDTLS_SSL_IS_CLIENT) { - /* In this case the server is receiving a finished message - * sent by the client. It therefore needs to use the client_finished_key. - */ - MBEDTLS_SSL_DEBUG_MSG(3, ("Using client_finished_key to compute mac (for creating finished message)")); - finished_key = ssl->handshake->client_finished_key; - } - else { - /* If the server is sending a finished message then it needs to use - * the server_finished_key. - */ - MBEDTLS_SSL_DEBUG_MSG(3, ("Using server_finished_key to compute mac (for verification procedure)")); - finished_key = ssl->handshake->server_finished_key; - } + MBEDTLS_SSL_DEBUG_BUF( 3, "server_finished_key", ssl->handshake->server_finished_key, 32 ); - // compute mac and write it into the buffer - ret = mbedtls_md_hmac(md, finished_key, 32, padbuf, 32, buf); + if( from == MBEDTLS_SSL_IS_CLIENT ) + { + /* In this case the server is receiving a finished message + * sent by the client. It therefore needs to use the client_finished_key. + */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using client_finished_key to compute mac ( for creating finished message )" ) ); + finished_key = ssl->handshake->client_finished_key; + } + else + { + /* If the server is sending a finished message then it needs to use + * the server_finished_key. + */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using server_finished_key to compute mac ( for verification procedure )" ) ); + finished_key = ssl->handshake->server_finished_key; + } - ssl->handshake->state_local.finished_out.digest_len = 32; + /* compute mac and write it into the buffer */ + ret = mbedtls_md_hmac( md, finished_key, 32, padbuf, 32, buf ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_hmac", ret); - return (ret); - } + ssl->handshake->state_local.finished_out.digest_len = 32; - MBEDTLS_SSL_DEBUG_MSG(3, ("verify_data of Finished message")); - MBEDTLS_SSL_DEBUG_BUF(3, "Input", padbuf, 32); - MBEDTLS_SSL_DEBUG_BUF(3, "Key", finished_key, 32); - MBEDTLS_SSL_DEBUG_BUF(3, "Output", buf, 32); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac", ret ); + return ( ret ); + } - mbedtls_sha256_free(&sha256); - mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "verify_data of Finished message" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Input", padbuf, 32 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Key", finished_key, 32 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Output", buf, 32 ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); - return (0); + mbedtls_sha256_free( &sha256 ); + mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); + return ( 0 ); } #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) static int ssl_calc_finished_tls_sha384( - mbedtls_ssl_context* ssl, unsigned char* buf, int from) + mbedtls_ssl_context* ssl, unsigned char* buf, int from ) { - mbedtls_sha512_context sha512; - int ret; - unsigned char padbuf[48]; - unsigned char* finished_key; - const mbedtls_md_info_t* md; + mbedtls_sha512_context sha512; + int ret; + unsigned char padbuf[48]; + unsigned char* finished_key; + const mbedtls_md_info_t* md; - md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA384); + md = mbedtls_md_info_from_type( MBEDTLS_MD_SHA384 ); - if (md == NULL) { - MBEDTLS_SSL_DEBUG_MSG(2, ("mbedtls_md_info_from_type failed")); - return (MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( md == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "mbedtls_md_info_from_type failed" ) ); + return ( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 1 /* = use SHA384 */); - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha384")); - - mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - - /* TLS 1.3 Finished message - * - * struct { - * opaque verify_data[Hash.length]; - * } Finished; - * - * verify_data = - * HMAC(finished_key, Hash( - * Handshake Context + - * Certificate* + - * CertificateVerify* - * ) - * ) - * - * * Only included if present. - */ + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 1 /* = use SHA384 */ ); - /*#if !defined(MBEDTLS_SHA512_ALT) - MBEDTLS_SSL_DEBUG_BUF(4, "finished sha512 state", (unsigned char *) - sha512.state, sizeof(sha512.state)); - #endif - */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); - mbedtls_sha512_finish(&sha512, padbuf); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash", padbuf, 48); + /* TLS 1.3 Finished message + * + * struct { + * opaque verify_data[Hash.length]; + * } Finished; + * + * verify_data = + * HMAC( finished_key, Hash( + * Handshake Context + + * Certificate* + + * CertificateVerify* + * ) + * ) + * + * * Only included if present. + */ - // create client finished_key - ret = hkdfExpandLabel(MBEDTLS_MD_SHA384, ssl->handshake->client_handshake_traffic_secret, 48, (const unsigned char*)"finished", strlen("finished"), (const unsigned char*)"", 0, 48, ssl->handshake->client_finished_key, 48); + /*#if !defined(MBEDTLS_SHA512_ALT) + MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", ( unsigned char * ) + sha512.state, sizeof( sha512.state ) ); + #endif + */ - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "Creating the client_finished_key failed", ret); - return (ret); - } + mbedtls_sha512_finish( &sha512, padbuf ); - MBEDTLS_SSL_DEBUG_BUF(3, "client_finished_key", ssl->handshake->client_finished_key, 48); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash", padbuf, 48 ); - // create server finished_key - ret = hkdfExpandLabel(MBEDTLS_MD_SHA384, ssl->handshake->server_handshake_traffic_secret, 48, (const unsigned char*)"finished", strlen("finished"), (const unsigned char*)"", 0, 48, ssl->handshake->server_finished_key, 48); + /* create client finished_key */ + ret = hkdfExpandLabel( MBEDTLS_MD_SHA384, ssl->handshake->client_handshake_traffic_secret, 48, ( const unsigned char* )"finished", strlen( "finished" ), ( const unsigned char* )"", 0, 48, ssl->handshake->client_finished_key, 48 ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "Creating the server_finished_key failed", ret); - return (ret); - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "Creating the client_finished_key failed", ret ); + return ( ret ); + } - MBEDTLS_SSL_DEBUG_BUF(3, "server_finished_key", ssl->handshake->server_finished_key, 48); + MBEDTLS_SSL_DEBUG_BUF( 3, "client_finished_key", ssl->handshake->client_finished_key, 48 ); + /* create server finished_key */ + ret = hkdfExpandLabel( MBEDTLS_MD_SHA384, ssl->handshake->server_handshake_traffic_secret, 48, ( const unsigned char* )"finished", strlen( "finished" ), ( const unsigned char* )"", 0, 48, ssl->handshake->server_finished_key, 48 ); - if (from == MBEDTLS_SSL_IS_CLIENT) { - /* In this case the server is receiving a finished message - * sent by the client. It therefore needs to use the client_finished_key. - */ - MBEDTLS_SSL_DEBUG_MSG(2, ("Using client_finished_key to compute mac (for creating finished message)")); - finished_key = ssl->handshake->client_finished_key; - } - else { - /* If the server is sending a finished message then it needs to use - * the server_finished_key. - */ - MBEDTLS_SSL_DEBUG_MSG(2, ("Using server_finished_key to compute mac (for verification procedure)")); - finished_key = ssl->handshake->server_finished_key; - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "Creating the server_finished_key failed", ret ); + return ( ret ); + } - // compute mac and write it into the buffer - ret = mbedtls_md_hmac(md, finished_key, 48, padbuf, 48, buf); + MBEDTLS_SSL_DEBUG_BUF( 3, "server_finished_key", ssl->handshake->server_finished_key, 48 ); - ssl->handshake->state_local.finished_out.digest_len = 48; - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_md_hmac", ret); - return (ret); - } + if( from == MBEDTLS_SSL_IS_CLIENT ) + { + /* In this case the server is receiving a finished message + * sent by the client. It therefore needs to use the client_finished_key. + */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "Using client_finished_key to compute mac ( for creating finished message )" ) ); + finished_key = ssl->handshake->client_finished_key; + } + else + { + /* If the server is sending a finished message then it needs to use + * the server_finished_key. + */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "Using server_finished_key to compute mac ( for verification procedure )" ) ); + finished_key = ssl->handshake->server_finished_key; + } + + /* compute mac and write it into the buffer */ + ret = mbedtls_md_hmac( md, finished_key, 48, padbuf, 48, buf ); - MBEDTLS_SSL_DEBUG_MSG(2, ("verify_data of Finished message")); - MBEDTLS_SSL_DEBUG_BUF(3, "Input", padbuf, 48); - MBEDTLS_SSL_DEBUG_BUF(3, "Key", finished_key, 48); - MBEDTLS_SSL_DEBUG_BUF(3, "Output", buf, 48); + ssl->handshake->state_local.finished_out.digest_len = 48; - mbedtls_sha512_free(&sha512); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_md_hmac", ret ); + return ( ret ); + } + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "verify_data of Finished message" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Input", padbuf, 48 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Key", finished_key, 48 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Output", buf, 48 ); + + mbedtls_sha512_free( &sha512 ); - mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); + mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); - return(0); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); + return( 0 ); } #endif /* MBEDTLS_SHA512_C */ #if defined(MBEDTLS_CID) -void ssl_write_cid_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +void ssl_write_cid_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = buf; - int ret; -// const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; + unsigned char *p = buf; + int ret; +/* const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; */ - *olen = 0; + *olen = 0; - if (ssl->conf->cid == MBEDTLS_CID_CONF_DISABLED) { - ssl->session_negotiate->cid = MBEDTLS_CID_DISABLED; - MBEDTLS_SSL_DEBUG_MSG(3, ("CID disabled.")); - return; - } + if( ssl->conf->cid == MBEDTLS_CID_CONF_DISABLED ) + { + ssl->session_negotiate->cid = MBEDTLS_CID_DISABLED; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID disabled." ) ); + return; + } - if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("CID can only be used with DTLS.")); - return; - } + if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID can only be used with DTLS." ) ); + return; + } - MBEDTLS_SSL_DEBUG_MSG(3, ("adding cid extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding cid extension" ) ); - if (end < p || (size_t)(end - p) < (3 + MBEDTLS_CID_MAX_SIZE)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return; - } + if( end < p || (size_t)( end - p ) < ( 3 + MBEDTLS_CID_MAX_SIZE ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return; + } - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_CID >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_CID) & 0xFF); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_CID ) & 0xFF ); - if (ssl->conf->cid == MBEDTLS_CID_CONF_ZERO_LENGTH) { + if( ssl->conf->cid == MBEDTLS_CID_CONF_ZERO_LENGTH ) + { - *p++ = (unsigned char)((1 >> 8) & 0xFF); - *p++ = (unsigned char)(1 & 0xFF); + *p++ = ( unsigned char )( ( 1 >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( 1 & 0xFF ); - // 1 byte length field set to zero - *p++ = 0; - *olen = 5; - ssl->out_cid_len = 0; - MBEDTLS_SSL_DEBUG_MSG(3, ("We don't want the peer to send CID in a packet.")); - return; - } + /* 1 byte length field set to zero */ + *p++ = 0; + *olen = 5; + ssl->out_cid_len = 0; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "We don't want the peer to send CID in a packet." ) ); + return; + } - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { - ssl->session_negotiate->cid = MBEDTLS_CID_ENABLED; - } - ssl->in_cid_len = MBEDTLS_CID_MAX_SIZE; + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + ssl->session_negotiate->cid = MBEDTLS_CID_ENABLED; + } + ssl->in_cid_len = MBEDTLS_CID_MAX_SIZE; - *p++ = (unsigned char)(((ssl->in_cid_len + 1) >> 8) & 0xFF); - *p++ = (unsigned char)(((ssl->in_cid_len + 1)) & 0xFF); + *p++ = ( unsigned char )( ( ( ssl->in_cid_len + 1 ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ( ssl->in_cid_len + 1 ) ) & 0xFF ); - // Length field set to MBEDTLS_CID_MAX_SIZE - *p++ = MBEDTLS_CID_MAX_SIZE; + /* Length field set to MBEDTLS_CID_MAX_SIZE */ + *p++ = MBEDTLS_CID_MAX_SIZE; - // allocate CID value - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->in_cid, MBEDTLS_CID_MAX_SIZE)) != 0) { - MBEDTLS_SSL_DEBUG_MSG(3, ("CID allocation failed.")); - return; - } + /* allocate CID value */ + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->in_cid, MBEDTLS_CID_MAX_SIZE ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID allocation failed." ) ); + return; + } - memcpy(p, ssl->in_cid, MBEDTLS_CID_MAX_SIZE); - MBEDTLS_SSL_DEBUG_BUF(3, "CID (incoming)", p, MBEDTLS_CID_MAX_SIZE); - p += MBEDTLS_CID_MAX_SIZE; + memcpy( p, ssl->in_cid, MBEDTLS_CID_MAX_SIZE ); + MBEDTLS_SSL_DEBUG_BUF( 3, "CID ( incoming )", p, MBEDTLS_CID_MAX_SIZE ); + p += MBEDTLS_CID_MAX_SIZE; - *olen = 5 + MBEDTLS_CID_MAX_SIZE; + *olen = 5 + MBEDTLS_CID_MAX_SIZE; } -int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) +int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - const unsigned char *p = buf; - uint8_t len_inner = 0; + const unsigned char *p = buf; + uint8_t len_inner = 0; - if (ssl->conf->cid == MBEDTLS_CID_CONF_DISABLED) { - ssl->session_negotiate->cid = MBEDTLS_CID_DISABLED; - MBEDTLS_SSL_DEBUG_MSG(3, ("CID disabled.")); - return(0); - } + if( ssl->conf->cid == MBEDTLS_CID_CONF_DISABLED ) + { + ssl->session_negotiate->cid = MBEDTLS_CID_DISABLED; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID disabled." ) ); + return( 0 ); + } - // Read length of the CID - if (len > 1) len_inner = *p; + /* Read length of the CID */ + if( len > 1 ) len_inner = *p; - if (len_inner == 0) { - MBEDTLS_SSL_DEBUG_MSG(5, ("No CID value will be placed in outgoing records.")); - ssl->out_cid_len = 0; - memset(ssl->out_cid, '\0', MBEDTLS_CID_MAX_SIZE); - return (0); - } + if( len_inner == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 5, ( "No CID value will be placed in outgoing records." ) ); + ssl->out_cid_len = 0; + memset( ssl->out_cid, '\0', MBEDTLS_CID_MAX_SIZE ); + return ( 0 ); + } - // Check for correct length and whether have enough space for the CID value - if ((len_inner != (len - 1)) && (len_inner < MBEDTLS_CID_MAX_SIZE)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Incorrect CID extension length")); + /* Check for correct length and whether have enough space for the CID value */ + if( ( len_inner != ( len - 1 ) ) && ( len_inner < MBEDTLS_CID_MAX_SIZE ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Incorrect CID extension length" ) ); #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); #endif /* MBEDTLS_SSL_SRV_C */ - } + } - // skip the length field to read the cid value - p++; + /* skip the length field to read the cid value */ + p++; - // The other end provided us with the CID value it - // would like us to use for packet sent to it. + /* The other end provided us with the CID value it */ + /* would like us to use for packet sent to it. */ - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { - ssl->session_negotiate->cid = MBEDTLS_CID_CONF_ENABLED; - } - ssl->out_cid_len = len_inner; - memcpy(ssl->out_cid, p, len_inner); + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + ssl->session_negotiate->cid = MBEDTLS_CID_CONF_ENABLED; + } + ssl->out_cid_len = len_inner; + memcpy( ssl->out_cid, p, len_inner ); - MBEDTLS_SSL_DEBUG_BUF(5, "CID (outgoing)", p, len_inner); + MBEDTLS_SSL_DEBUG_BUF( 5, "CID ( outgoing )", p, len_inner ); - return(0); + return( 0 ); } #endif /* MBEDTLS_CID */ #if defined(MBEDTLS_COMPATIBILITY_MODE) -int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl) - { - int ret; +int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) +{ + int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write change cipher spec")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); - ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; - ssl->out_msglen = 1; - ssl->out_msg[0] = 1; + ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; + ssl->out_msglen = 1; + ssl->out_msg[0] = 1; - MBEDTLS_SSL_DEBUG_BUF(3, "CCS", ssl->out_msg, ssl->out_msglen); + MBEDTLS_SSL_DEBUG_BUF( 3, "CCS", ssl->out_msg, ssl->out_msglen ); - if ((ret = mbedtls_ssl_write_record(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret); - return(ret); - } + if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); + return( ret ); + } -/* if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) +/* if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); + return( ret ); } */ - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); - return(0); - } + return( 0 ); +} #endif /* MBEDTLS_COMPATIBILITY_MODE */ @@ -549,613 +572,634 @@ int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl) * ACK Message Handling * ***********************/ -void mbedtls_ack_clear_all(mbedtls_ssl_context* ssl, int mode) +void mbedtls_ack_clear_all( mbedtls_ssl_context* ssl, int mode ) { - if (mode == MBEDTLS_SSL_ACK_RECORDS_SENT) - memset(ssl->record_numbers_sent, 0x0, sizeof(ssl->record_numbers_sent)); - else - memset(ssl->record_numbers_received, 0x0, sizeof(ssl->record_numbers_received)); + if( mode == MBEDTLS_SSL_ACK_RECORDS_SENT ) + memset( ssl->record_numbers_sent, 0x0, sizeof( ssl->record_numbers_sent ) ); + else + memset( ssl->record_numbers_received, 0x0, sizeof( ssl->record_numbers_received ) ); } -int mbedtls_ack_add_record(mbedtls_ssl_context* ssl, uint8_t record, int mode) +int mbedtls_ack_add_record( mbedtls_ssl_context* ssl, uint8_t record, int mode ) { - int i = 0; - uint8_t* p; - - if (mode == MBEDTLS_SSL_ACK_RECORDS_SENT) p = &ssl->record_numbers_sent[0]; - else p = &ssl->record_numbers_received[0]; - - do { - if (p[i] == 0) - { - p[i] = record; - break; - } - else i++; - } while (i <= 7); - - // something went terribly wrong - if (p[i] != record) - return (MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - - return(0); + int i = 0; + uint8_t* p; + + if( mode == MBEDTLS_SSL_ACK_RECORDS_SENT ) p = &ssl->record_numbers_sent[0]; + else p = &ssl->record_numbers_received[0]; + + do { + if( p[i] == 0 ) + { + p[i] = record; + break; + } + else i++; + } while ( i <= 7 ); + + /* something went terribly wrong */ + if( p[i] != record ) + return ( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + + return( 0 ); } -int mbedtls_ssl_parse_ack(mbedtls_ssl_context *ssl) +int mbedtls_ssl_parse_ack( mbedtls_ssl_context *ssl ) { - int ret = 0; - uint8_t record_numbers[8]; + int ret = 0; + uint8_t record_numbers[8]; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse ack")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse ack" ) ); - if (ssl->in_msglen != 8 || ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad ack message")); - return(MBEDTLS_ERR_SSL_BAD_ACK); - } + if( ssl->in_msglen != 8 || ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad ack message" ) ); + return( MBEDTLS_ERR_SSL_BAD_ACK ); + } - mbedtls_ssl_safer_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), - record_numbers, sizeof(record_numbers)); + mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), + record_numbers, sizeof( record_numbers ) ); - // Determine whether we received every message or not. - // TBD: Do ack processing here + /* Determine whether we received every message or not. */ + /* TBD: Do ack processing here */ - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_recv_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_recv_flight_completed( ssl ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse ack")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse ack" ) ); - return(ret); + return( ret ); } -int mbedtls_ssl_write_ack(mbedtls_ssl_context *ssl) +int mbedtls_ssl_write_ack( mbedtls_ssl_context *ssl ) { - int ret; - int size; + int ret; + int size; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write Ack msg")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write Ack msg" ) ); - // Do we have space for the fixed length part of the ticket - if (MBEDTLS_SSL_MAX_CONTENT_LEN < 1) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_ack: not enough space", ret); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - } - size = sizeof(ssl->record_numbers_received); + /* Do we have space for the fixed length part of the ticket */ + if( MBEDTLS_SSL_MAX_CONTENT_LEN < 1 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_ack: not enough space", ret ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + size = sizeof( ssl->record_numbers_received ); - /* Length = 8 bytes for record_numbers + 1 byte for content length */ - ssl->out_msglen = 1+size; - ssl->out_msgtype = MBEDTLS_SSL_MSG_ACK; - memcpy(ssl->out_msg, ssl->record_numbers_received, size); - ssl->out_msg[size] = MBEDTLS_SSL_MSG_ACK; + /* Length = 8 bytes for record_numbers + 1 byte for content length */ + ssl->out_msglen = 1+size; + ssl->out_msgtype = MBEDTLS_SSL_MSG_ACK; + memcpy( ssl->out_msg, ssl->record_numbers_received, size ); + ssl->out_msg[size] = MBEDTLS_SSL_MSG_ACK; - if ((ret = mbedtls_ssl_write_record(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret); - return(ret); - } + if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); + return( ret ); + } - if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret); - return(ret); - } + if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); + return( ret ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write Ack msg")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write Ack msg" ) ); - return(0); + return( 0 ); } #endif /* MBEDTLS_SSL_PROTO_DTLS */ /* -* ssl_write_signature_algorithms_ext() -* -* enum { -* .... -* // ECDSA algorithms -* ecdsa_secp256r1_sha256(0x0403), -* ecdsa_secp384r1_sha384(0x0503), -* ecdsa_secp521r1_sha512(0x0603), -* .... -* } SignatureScheme; -* -* struct { -* SignatureScheme supported_signature_algorithms<2..2^16-2>; -* } SignatureSchemeList; -* -* Only if we handle at least one key exchange that needs signatures. -*/ + * ssl_write_signature_algorithms_ext( ) + * + * enum { + * .... + * ecdsa_secp256r1_sha256( 0x0403 ), + * ecdsa_secp384r1_sha384( 0x0503 ), + * ecdsa_secp521r1_sha512( 0x0603 ), + * .... + * } SignatureScheme; + * + * struct { + * SignatureScheme supported_signature_algorithms<2..2^16-2>; + * } SignatureSchemeList; + * + * Only if we handle at least one key exchange that needs signatures. + */ #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) -int ssl_write_signature_algorithms_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = buf; - size_t sig_alg_len = 0; - const int *md; - unsigned char *sig_alg_list = buf + 6; + unsigned char *p = buf; + size_t sig_alg_len = 0; + const int *md; + unsigned char *sig_alg_list = buf + 6; - *olen = 0; + *olen = 0; - MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) ); - /* - * Determine length of the signature scheme list - */ - for (md = ssl->conf->signature_schemes; *md != SIGNATURE_NONE; md++) - { - sig_alg_len += 2; - } + /* + * Determine length of the signature scheme list + */ + for ( md = ssl->conf->signature_schemes; *md != SIGNATURE_NONE; md++ ) + { + sig_alg_len += 2; + } - if (end < p || (size_t)(end - p) < sig_alg_len + 6) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } + if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } - /* - * Write signature schemes - */ + /* + * Write signature schemes + */ - for (md = ssl->conf->signature_schemes; *md != SIGNATURE_NONE; md++) - { - *sig_alg_list++ = (unsigned char)((*md >> 8) & 0xFF); - *sig_alg_list++ = (unsigned char)((*md) & 0xFF); - MBEDTLS_SSL_DEBUG_MSG(3, ("signature scheme [%x]", *md)); - } + for ( md = ssl->conf->signature_schemes; *md != SIGNATURE_NONE; md++ ) + { + *sig_alg_list++ = ( unsigned char )( ( *md >> 8 ) & 0xFF ); + *sig_alg_list++ = ( unsigned char )( ( *md ) & 0xFF ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *md ) ); + } - /* - * Write extension header - */ + /* + * Write extension header + */ - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SIG_ALG >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SIG_ALG) & 0xFF); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); - *p++ = (unsigned char)(((sig_alg_len + 2) >> 8) & 0xFF); - *p++ = (unsigned char)(((sig_alg_len + 2)) & 0xFF); + *p++ = ( unsigned char )( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( ( sig_alg_len + 2 ) ) & 0xFF ); - *p++ = (unsigned char)((sig_alg_len >> 8) & 0xFF); - *p++ = (unsigned char)((sig_alg_len) & 0xFF); + *p++ = ( unsigned char )( ( sig_alg_len >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( sig_alg_len ) & 0xFF ); - *olen = 6 + sig_alg_len; + *olen = 6 + sig_alg_len; - return 0; + return 0; } -int ssl_parse_signature_algorithms_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) +int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - size_t sig_alg_list_size; - const unsigned char *p; - const unsigned char *end = buf + len; - const int *md_cur; - int offered_signature_scheme; - - sig_alg_list_size = ((buf[0] << 8) | (buf[1])); - if (sig_alg_list_size + 2 != len || - sig_alg_list_size % 2 != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad signature_algorithms extension")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + size_t sig_alg_list_size; + const unsigned char *p; + const unsigned char *end = buf + len; + const int *md_cur; + int offered_signature_scheme; + + sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); + if( sig_alg_list_size + 2 != len || + sig_alg_list_size % 2 != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad signature_algorithms extension" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - for (md_cur = ssl->conf->signature_schemes; *md_cur != SIGNATURE_NONE; md_cur++) { - for (p = buf + 2; p < end; p += 2) { - offered_signature_scheme = (p[0] << 8) | p[1]; + for ( md_cur = ssl->conf->signature_schemes; *md_cur != SIGNATURE_NONE; md_cur++ ) { + for ( p = buf + 2; p < end; p += 2 ) { + offered_signature_scheme = ( p[0] << 8 ) | p[1]; - if (*md_cur == offered_signature_scheme) { - ssl->handshake->signature_scheme = offered_signature_scheme; - goto have_sig_alg; - } - } - } + if( *md_cur == offered_signature_scheme ) + { + ssl->handshake->signature_scheme = offered_signature_scheme; + goto have_sig_alg; + } + } + } - MBEDTLS_SSL_DEBUG_MSG(3, ("no signature_algorithm in common")); - return(0); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) ); + return( 0 ); have_sig_alg: - MBEDTLS_SSL_DEBUG_MSG(3, ("signature_algorithm ext: %d", ssl->handshake->signature_scheme)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature_algorithm ext: %d", ssl->handshake->signature_scheme ) ); - return(0); + return( 0 ); } #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -/* mbedtls_ssl_derive_traffic_keys() generates keys necessary for +/* mbedtls_ssl_derive_traffic_keys( ) generates keys necessary for * protecting the handshake messages, as described in Section 7 of * TLS 1.3. */ -int mbedtls_ssl_derive_traffic_keys(mbedtls_ssl_context *ssl, KeySet *traffic_keys) +int mbedtls_ssl_derive_traffic_keys( mbedtls_ssl_context *ssl, KeySet *traffic_keys ) { - int ret = 0; - const mbedtls_cipher_info_t *cipher_info; - const mbedtls_md_info_t *md_info; - mbedtls_ssl_transform *transform = ssl->transform_negotiate; - mbedtls_ssl_handshake_params *handshake = ssl->handshake; + int ret = 0; + const mbedtls_cipher_info_t *cipher_info; + const mbedtls_md_info_t *md_info; + mbedtls_ssl_transform *transform = ssl->transform_negotiate; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; const mbedtls_ssl_ciphersuite_t *suite_info; - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; + mbedtls_sha256_context sha256; #endif #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; + mbedtls_sha512_context sha512; #endif - MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive traffic keys")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive traffic keys" ) ); - cipher_info = mbedtls_cipher_info_from_type(transform->ciphersuite_info->cipher); - if (cipher_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %d not found", - transform->ciphersuite_info->cipher)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); + if( cipher_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", + transform->ciphersuite_info->cipher ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - md_info = mbedtls_md_info_from_type(transform->ciphersuite_info->mac); - if (md_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %d not found", - transform->ciphersuite_info->mac)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); + if( md_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", + transform->ciphersuite_info->mac ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - suite_info = mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); - if (suite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_ciphersuite_from_id in mbedtls_ssl_derive_traffic_keys failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); + if( suite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_ciphersuite_from_id in mbedtls_ssl_derive_traffic_keys failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 32) { + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 32 ) + { #if defined(MBEDTLS_SHA256_C) - handshake->calc_verify = ssl_calc_verify_tls_sha256; - handshake->calc_finished = ssl_calc_finished_tls_sha256; + handshake->calc_verify = ssl_calc_verify_tls_sha256; + handshake->calc_finished = ssl_calc_finished_tls_sha256; #else - MBEDTLS_SSL_DEBUG_MSG(1, ("MBEDTLS_SHA256_C not set but ciphersuite with SHA256 negotiated")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "MBEDTLS_SHA256_C not set but ciphersuite with SHA256 negotiated" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA256_C */ - } + } - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 48) { + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 48 ) + { #if defined(MBEDTLS_SHA512_C) - handshake->calc_verify = ssl_calc_verify_tls_sha384; - handshake->calc_finished = ssl_calc_finished_tls_sha384; + handshake->calc_verify = ssl_calc_verify_tls_sha384; + handshake->calc_finished = ssl_calc_finished_tls_sha384; #else - MBEDTLS_SSL_DEBUG_MSG(1, ("MBEDTLS_SHA512_C not set but ciphersuite with SHA384 negotiated")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "MBEDTLS_SHA512_C not set but ciphersuite with SHA384 negotiated" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA512_C */ - } + } - if ((mbedtls_hash_size_for_ciphersuite(suite_info) != 32) && (mbedtls_hash_size_for_ciphersuite(suite_info) != 48) ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown hash function negotiated.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ( mbedtls_hash_size_for_ciphersuite( suite_info ) != 32 ) && ( mbedtls_hash_size_for_ciphersuite( suite_info ) != 48 ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown hash function negotiated." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } #if defined(MBEDTLS_SHA256_C) - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 32) { - mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); - mbedtls_sha256_finish(&sha256, hash); - } - else + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 32 ) + { + mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); + mbedtls_sha256_finish( &sha256, hash ); + } + else #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 48) { - mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - mbedtls_sha512_finish(&sha512, hash); - } - else + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 48 ) + { + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + mbedtls_sha512_finish( &sha512, hash ); + } + else #endif /* MBEDTLS_SHA512_C */ - { - MBEDTLS_SSL_DEBUG_MSG(2, ("Unsupported hash function in mbedtls_ssl_derive_traffic_keys")); - return (MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - - MBEDTLS_SSL_DEBUG_BUF(3, "rolling hash", hash, mbedtls_hash_size_for_ciphersuite(suite_info)); - - /* - * - * Handshake Secret - * | - * +-----> Derive-Secret(., "c hs traffic", - * | ClientHello...ServerHello) - * | = client_handshake_traffic_secret - * | - * +-----> Derive-Secret(., "s hs traffic", - * | ClientHello...ServerHello) - * | = server_handshake_traffic_secret - * - */ + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "Unsupported hash function in mbedtls_ssl_derive_traffic_keys" ) ); + return ( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + MBEDTLS_SSL_DEBUG_BUF( 3, "rolling hash", hash, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - /* - * Compute client_handshake_traffic_secret with - * Derive-Secret(., "c hs traffic", ClientHello...ServerHello) - */ - - ret = Derive_Secret(ssl, mbedtls_md_get_type(md_info), - (const unsigned char*) ssl->handshake->handshake_secret, (int) mbedtls_hash_size_for_ciphersuite(suite_info), - (const unsigned char*) "c hs traffic", strlen("c hs traffic"), - (const unsigned char *) hash, (int) mbedtls_hash_size_for_ciphersuite(suite_info), - (unsigned char *) ssl->handshake->client_handshake_traffic_secret, (int) mbedtls_hash_size_for_ciphersuite(suite_info)); - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret() with client_handshake_traffic_secret: Error", ret); - return ret; - } + /* + * + * Handshake Secret + * | + * +-----> Derive-Secret( ., "c hs traffic", + * | ClientHello...ServerHello ) + * | = client_handshake_traffic_secret + * | + * +-----> Derive-Secret( ., "s hs traffic", + * | ClientHello...ServerHello ) + * | = server_handshake_traffic_secret + * + */ - MBEDTLS_SSL_DEBUG_MSG(5, ("HKDF Expand: label=[TLS 1.3, c hs traffic], requested length %d", mbedtls_hash_size_for_ciphersuite(suite_info))); - MBEDTLS_SSL_DEBUG_BUF(5, "Secret: ", ssl->handshake->handshake_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); - MBEDTLS_SSL_DEBUG_BUF(5, "Hash:", hash, mbedtls_hash_size_for_ciphersuite(suite_info)); - MBEDTLS_SSL_DEBUG_BUF(5, "client_handshake_traffic_secret", ssl->handshake->client_handshake_traffic_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); - /* - * Compute server_handshake_traffic_secret with - * Derive-Secret(., "s hs traffic", ClientHello...ServerHello) - */ - - ret = Derive_Secret(ssl, mbedtls_md_get_type(md_info), - ssl->handshake->handshake_secret, mbedtls_hash_size_for_ciphersuite(suite_info), - (const unsigned char*) "s hs traffic", strlen("s hs traffic"), - hash, mbedtls_hash_size_for_ciphersuite(suite_info), - ssl->handshake->server_handshake_traffic_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret() with server_handshake_traffic_secret: Error", ret); - return ret; - } + /* + * Compute client_handshake_traffic_secret with + * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello ) + */ - MBEDTLS_SSL_DEBUG_MSG(5, ("HKDF Expand: label=[TLS 1.3, s hs traffic], requested length %d", mbedtls_hash_size_for_ciphersuite(suite_info))); - MBEDTLS_SSL_DEBUG_BUF(5, "Secret: ", ssl->handshake->handshake_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); - MBEDTLS_SSL_DEBUG_BUF(5, "Hash:", hash, mbedtls_hash_size_for_ciphersuite(suite_info)); - MBEDTLS_SSL_DEBUG_BUF(5, "server_handshake_traffic_secret", ssl->handshake->server_handshake_traffic_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); - - /* - * Compute exporter_secret with - * DeriveSecret(Master Secret, "exp master", ClientHello...Server Finished) - */ - - ret = Derive_Secret(ssl, mbedtls_md_get_type(md_info), - ssl->handshake->master_secret, mbedtls_hash_size_for_ciphersuite(suite_info), - (const unsigned char*)"exp master", strlen("exp master"), - hash, mbedtls_hash_size_for_ciphersuite(suite_info), - ssl->handshake->exporter_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret() with exporter_secret: Error", ret); - return ret; - } + ret = Derive_Secret( ssl, mbedtls_md_get_type( md_info ), + ( const unsigned char* ) ssl->handshake->handshake_secret, ( int ) mbedtls_hash_size_for_ciphersuite( suite_info ), + ( const unsigned char* ) "c hs traffic", strlen( "c hs traffic" ), + ( const unsigned char * ) hash, ( int ) mbedtls_hash_size_for_ciphersuite( suite_info ), + ( unsigned char * ) ssl->handshake->client_handshake_traffic_secret, ( int ) mbedtls_hash_size_for_ciphersuite( suite_info ) ); - MBEDTLS_SSL_DEBUG_BUF(5, "exporter_secret", ssl->handshake->exporter_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret( ) with client_handshake_traffic_secret: Error", ret ); + return ret; + } - /* - * Compute keys to protect the handshake messages utilizing MakeTrafficKey - */ + MBEDTLS_SSL_DEBUG_MSG( 5, ( "HKDF Expand: label=[TLS 1.3, c hs traffic], requested length %d", mbedtls_hash_size_for_ciphersuite( suite_info ) ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Secret: ", ssl->handshake->handshake_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Hash:", hash, mbedtls_hash_size_for_ciphersuite( suite_info ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake_traffic_secret", ssl->handshake->client_handshake_traffic_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - /* Settings for GCM, CCM, and CCM_8 */ - transform->maclen = 0; - transform->fixed_ivlen = 4; - transform->ivlen = cipher_info->iv_size; - transform->keylen = cipher_info->key_bitlen / 8; + /* + * Compute server_handshake_traffic_secret with + * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello ) + */ - /* Minimum length for an encrypted handshake message is - * - Handshake header - * - 1 byte for handshake type appended to the end of the message - * - Authentication tag (which depends on the mode of operation) - */ - if (transform->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8) transform->minlen = 8; - else transform->minlen = 16; + ret = Derive_Secret( ssl, mbedtls_md_get_type( md_info ), + ssl->handshake->handshake_secret, mbedtls_hash_size_for_ciphersuite( suite_info ), + ( const unsigned char* ) "s hs traffic", strlen( "s hs traffic" ), + hash, mbedtls_hash_size_for_ciphersuite( suite_info ), + ssl->handshake->server_handshake_traffic_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - // TBD: Temporarily changed to test encrypted alert messages - // transform->minlen += mbedtls_ssl_hs_hdr_len(ssl); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret( ) with server_handshake_traffic_secret: Error", ret ); + return ret; + } - transform->minlen += 1; + MBEDTLS_SSL_DEBUG_MSG( 5, ( "HKDF Expand: label=[TLS 1.3, s hs traffic], requested length %d", mbedtls_hash_size_for_ciphersuite( suite_info ) ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Secret: ", ssl->handshake->handshake_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Hash:", hash, mbedtls_hash_size_for_ciphersuite( suite_info ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "server_handshake_traffic_secret", ssl->handshake->server_handshake_traffic_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - MBEDTLS_SSL_DEBUG_MSG(3, ("-->>Calling makeTrafficKeys() with the following parameters:")); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Hash Algorithm: %s", mbedtls_md_get_name(md_info))); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Handshake Traffic Secret Length: %d bytes", mbedtls_hash_size_for_ciphersuite(suite_info))); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Key Length: %d bytes", transform->keylen)); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- IV Length: %d bytes", transform->ivlen)); + /* + * Compute exporter_secret with + * DeriveSecret( Master Secret, "exp master", ClientHello...Server Finished ) + */ - if ((ret = makeTrafficKeys(mbedtls_md_get_type(md_info), - ssl->handshake->client_handshake_traffic_secret, - ssl->handshake->server_handshake_traffic_secret, - mbedtls_hash_size_for_ciphersuite(suite_info), - transform->keylen, transform->ivlen, traffic_keys)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "makeTrafficKeys failed", ret); - return(ret); - } + ret = Derive_Secret( ssl, mbedtls_md_get_type( md_info ), + ssl->handshake->master_secret, mbedtls_hash_size_for_ciphersuite( suite_info ), + ( const unsigned char* )"exp master", strlen( "exp master" ), + hash, mbedtls_hash_size_for_ciphersuite( suite_info ), + ssl->handshake->exporter_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - /* TEST - if ((ret = makeTrafficKeys(mbedtls_md_get_type(md_info), - ssl->handshake->server_handshake_traffic_secret, - ssl->handshake->client_handshake_traffic_secret, - mbedtls_hash_size_for_ciphersuite(suite_info), - transform->keylen, transform->ivlen, traffic_keys)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "makeTrafficKeys failed", ret); - return(ret); - } -*/ - MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive traffic keys")); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret( ) with exporter_secret: Error", ret ); + return ret; + } + + MBEDTLS_SSL_DEBUG_BUF( 5, "exporter_secret", ssl->handshake->exporter_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); + + /* + * Compute keys to protect the handshake messages utilizing MakeTrafficKey + */ - return(0); + /* Settings for GCM, CCM, and CCM_8 */ + transform->maclen = 0; + transform->fixed_ivlen = 4; + transform->ivlen = cipher_info->iv_size; + transform->keylen = cipher_info->key_bitlen / 8; + + /* Minimum length for an encrypted handshake message is + * - Handshake header + * - 1 byte for handshake type appended to the end of the message + * - Authentication tag ( which depends on the mode of operation ) + */ + if( transform->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8 ) transform->minlen = 8; + else transform->minlen = 16; + + /* TBD: Temporarily changed to test encrypted alert messages */ + /* transform->minlen += mbedtls_ssl_hs_hdr_len( ssl ); */ + + transform->minlen += 1; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-->>Calling makeTrafficKeys( ) with the following parameters:" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Hash Algorithm: %s", mbedtls_md_get_name( md_info ) ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Handshake Traffic Secret Length: %d bytes", mbedtls_hash_size_for_ciphersuite( suite_info ) ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Key Length: %d bytes", transform->keylen ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- IV Length: %d bytes", transform->ivlen ) ); + + if( ( ret = makeTrafficKeys( mbedtls_md_get_type( md_info ), + ssl->handshake->client_handshake_traffic_secret, + ssl->handshake->server_handshake_traffic_secret, + mbedtls_hash_size_for_ciphersuite( suite_info ), + transform->keylen, transform->ivlen, traffic_keys ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "makeTrafficKeys failed", ret ); + return( ret ); + } + + /* TEST + if( ( ret = makeTrafficKeys( mbedtls_md_get_type( md_info ), + ssl->handshake->server_handshake_traffic_secret, + ssl->handshake->client_handshake_traffic_secret, + mbedtls_hash_size_for_ciphersuite( suite_info ), + transform->keylen, transform->ivlen, traffic_keys ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "makeTrafficKeys failed", ret ); + return( ret ); + } + */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive traffic keys" ) ); + + return( 0 ); } -int incrementSequenceNumber(unsigned char *sequenceNumber, unsigned char *nonce, size_t ivlen) { +int incrementSequenceNumber( unsigned char *sequenceNumber, unsigned char *nonce, size_t ivlen ) { - if (ivlen == 0) return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + if( ivlen == 0 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - for (size_t i = ivlen - 1; i > ivlen - 8; i--) { - sequenceNumber[i]++; - nonce[i] ^= (sequenceNumber[i] - 1) ^ sequenceNumber[i]; - if (sequenceNumber[i] != 0) { - return (0); - } - } + for ( size_t i = ivlen - 1; i > ivlen - 8; i-- ) { + sequenceNumber[i]++; + nonce[i] ^= ( sequenceNumber[i] - 1 ) ^ sequenceNumber[i]; + if( sequenceNumber[i] != 0 ) + { + return ( 0 ); + } + } - return(MBEDTLS_ERR_SSL_COUNTER_WRAPPING); + return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); } #if defined(MBEDTLS_SHA256_C) -static int ssl_calc_verify_tls_sha256(mbedtls_ssl_context *ssl, unsigned char hash[32], int from) +static int ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32], int from ) { - mbedtls_sha256_context sha256; - unsigned char handshake_hash[32]; - unsigned char *verify_buffer; - unsigned char *context_string; - size_t context_string_len; - - mbedtls_sha256_init(&sha256); - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256")); - - mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); - mbedtls_sha256_finish(&sha256, handshake_hash); - - MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", handshake_hash, 32); - - /* - * The digital signature is then computed using the signing key over the concatenation of: - * - 64 bytes of octet 32 - * - The context string (which is either "TLS 1.3, client CertificateVerify" or "TLS 1.3, server CertificateVerify") - * - A single 0 byte which servers as the separator - * - The content to be signed, which is Hash(Handshake Context + Certificate) + Hash(resumption_context) - * - */ - - if (from == MBEDTLS_SSL_IS_CLIENT) { - context_string_len = strlen("TLS 1.3, client CertificateVerify"); - context_string = mbedtls_calloc(context_string_len,1); - - if (context_string == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("malloc failed in ssl_calc_verify_tls_sha256()")); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } - memcpy(context_string, "TLS 1.3, client CertificateVerify", context_string_len); - } else { // from == MBEDTLS_SSL_IS_SERVER - context_string_len = strlen("TLS 1.3, server CertificateVerify"); - context_string = mbedtls_calloc(context_string_len,1); - if (context_string == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("malloc failed in ssl_calc_verify_tls_sha256()")); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } - memcpy(context_string, "TLS 1.3, server CertificateVerify", context_string_len); - } + mbedtls_sha256_context sha256; + unsigned char handshake_hash[32]; + unsigned char *verify_buffer; + unsigned char *context_string; + size_t context_string_len; - verify_buffer = mbedtls_calloc(64 + context_string_len + 1 + 32 + 32,1); + mbedtls_sha256_init( &sha256 ); - if (verify_buffer == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("malloc failed in ssl_calc_verify_tls_sha256()")); - mbedtls_free(context_string); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) ); + + mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); + mbedtls_sha256_finish( &sha256, handshake_hash ); + + MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", handshake_hash, 32 ); + + /* + * The digital signature is then computed using the signing key over the concatenation of: + * - 64 bytes of octet 32 + * - The context string ( which is either "TLS 1.3, client CertificateVerify" or "TLS 1.3, server CertificateVerify" ) + * - A single 0 byte which servers as the separator + * - The content to be signed, which is Hash( Handshake Context + Certificate ) + Hash( resumption_context ) + * + */ + + if( from == MBEDTLS_SSL_IS_CLIENT ) + { + context_string_len = strlen( "TLS 1.3, client CertificateVerify" ); + context_string = mbedtls_calloc( context_string_len,1 ); + + if( context_string == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc failed in ssl_calc_verify_tls_sha256( )" ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + memcpy( context_string, "TLS 1.3, client CertificateVerify", context_string_len ); + } + else /* from == MBEDTLS_SSL_IS_SERVER */ + { + context_string_len = strlen( "TLS 1.3, server CertificateVerify" ); + context_string = mbedtls_calloc( context_string_len,1 ); + if( context_string == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc failed in ssl_calc_verify_tls_sha256( )" ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + memcpy( context_string, "TLS 1.3, server CertificateVerify", context_string_len ); + } + + verify_buffer = mbedtls_calloc( 64 + context_string_len + 1 + 32 + 32,1 ); + + if( verify_buffer == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc failed in ssl_calc_verify_tls_sha256( )" ) ); + mbedtls_free( context_string ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } - memset(verify_buffer, 32, 64); - memcpy(verify_buffer + 64, context_string, context_string_len); - verify_buffer[64 + context_string_len] = 0x0; - memcpy(verify_buffer + 64 + context_string_len + 1, handshake_hash, 32); + memset( verify_buffer, 32, 64 ); + memcpy( verify_buffer + 64, context_string, context_string_len ); + verify_buffer[64 + context_string_len] = 0x0; + memcpy( verify_buffer + 64 + context_string_len + 1, handshake_hash, 32 ); - MBEDTLS_SSL_DEBUG_BUF(3, "verify buffer", verify_buffer, 64 + context_string_len + 1 + 32); + MBEDTLS_SSL_DEBUG_BUF( 3, "verify buffer", verify_buffer, 64 + context_string_len + 1 + 32 ); - mbedtls_sha256(verify_buffer, 64 + context_string_len + 1 + 32, hash, 0 /* for SHA-256 instead of SHA-224 */); + mbedtls_sha256( verify_buffer, 64 + context_string_len + 1 + 32, hash, 0 /* for SHA-256 instead of SHA-224 */ ); - MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", hash, 32); + MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", hash, 32 ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); - mbedtls_sha256_free(&sha256); - mbedtls_free(verify_buffer); - mbedtls_free(context_string); + mbedtls_sha256_free( &sha256 ); + mbedtls_free( verify_buffer ); + mbedtls_free( context_string ); - return 0; + return 0; } #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) -static int ssl_calc_verify_tls_sha384(mbedtls_ssl_context *ssl, unsigned char hash[48], int from) +static int ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48], int from ) { - mbedtls_sha512_context sha384; - unsigned char handshake_hash[48]; - unsigned char *verify_buffer; - unsigned char *context_string; - size_t context_string_len; + mbedtls_sha512_context sha384; + unsigned char handshake_hash[48]; + unsigned char *verify_buffer; + unsigned char *context_string; + size_t context_string_len; - mbedtls_sha512_init(&sha384); - mbedtls_sha512_starts(&sha384, 1 /* = use SHA384 */); + mbedtls_sha512_init( &sha384 ); + mbedtls_sha512_starts( &sha384, 1 /* = use SHA384 */ ); - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); - mbedtls_sha512_clone(&sha384, &ssl->handshake->fin_sha512); - mbedtls_sha512_finish(&sha384, handshake_hash); + mbedtls_sha512_clone( &sha384, &ssl->handshake->fin_sha512 ); + mbedtls_sha512_finish( &sha384, handshake_hash ); - MBEDTLS_SSL_DEBUG_BUF(3, "handshake hash", handshake_hash, 48); + MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", handshake_hash, 48 ); - /* - * The digital signature is then computed using the signing key over the concatenation of: - * - 64 bytes of octet 32 - * - The context string (which is either "TLS 1.3, client CertificateVerify" or "TLS 1.3, server CertificateVerify") - * - A single 0 byte which servers as the separator - * - The content to be signed, which is Hash(Handshake Context + Certificate) + Hash(resumption_context) - * - */ + /* + * The digital signature is then computed using the signing key over the concatenation of: + * - 64 bytes of octet 32 + * - The context string ( which is either "TLS 1.3, client CertificateVerify" or "TLS 1.3, server CertificateVerify" ) + * - A single 0 byte which servers as the separator + * - The content to be signed, which is Hash( Handshake Context + Certificate ) + Hash( resumption_context ) + * + */ - if (from == MBEDTLS_SSL_IS_CLIENT) { - context_string_len = strlen("TLS 1.3, client CertificateVerify"); - context_string = mbedtls_calloc(context_string_len, 1); + if( from == MBEDTLS_SSL_IS_CLIENT ) + { + context_string_len = strlen( "TLS 1.3, client CertificateVerify" ); + context_string = mbedtls_calloc( context_string_len, 1 ); - if (context_string == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("malloc failed in ssl_calc_verify_tls_sha384()")); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } - memcpy(context_string, "TLS 1.3, client CertificateVerify", context_string_len); - } - else { // from == MBEDTLS_SSL_IS_SERVER - context_string_len = strlen("TLS 1.3, server CertificateVerify"); - context_string = mbedtls_calloc(context_string_len, 1); - if (context_string == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("malloc failed in ssl_calc_verify_tls_sha384()")); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } - memcpy(context_string, "TLS 1.3, server CertificateVerify", context_string_len); - } + if( context_string == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc failed in ssl_calc_verify_tls_sha384( )" ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + memcpy( context_string, "TLS 1.3, client CertificateVerify", context_string_len ); + } + else + { /* from == MBEDTLS_SSL_IS_SERVER */ + context_string_len = strlen( "TLS 1.3, server CertificateVerify" ); + context_string = mbedtls_calloc( context_string_len, 1 ); + if( context_string == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc failed in ssl_calc_verify_tls_sha384( )" ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + memcpy( context_string, "TLS 1.3, server CertificateVerify", context_string_len ); + } - verify_buffer = mbedtls_calloc(64 + context_string_len + 1 + 48 + 48, 1); + verify_buffer = mbedtls_calloc( 64 + context_string_len + 1 + 48 + 48, 1 ); - if (verify_buffer == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("malloc failed in ssl_calc_verify_tls_sha384()")); - mbedtls_free(context_string); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } + if( verify_buffer == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc failed in ssl_calc_verify_tls_sha384( )" ) ); + mbedtls_free( context_string ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } - memset(verify_buffer, 32, 64); - memcpy(verify_buffer + 64, context_string, context_string_len); - verify_buffer[64 + context_string_len] = 0x0; - memcpy(verify_buffer + 64 + context_string_len + 1, handshake_hash, 48); + memset( verify_buffer, 32, 64 ); + memcpy( verify_buffer + 64, context_string, context_string_len ); + verify_buffer[64 + context_string_len] = 0x0; + memcpy( verify_buffer + 64 + context_string_len + 1, handshake_hash, 48 ); - MBEDTLS_SSL_DEBUG_BUF(3, "verify buffer", verify_buffer, 64 + context_string_len + 1 + 48); + MBEDTLS_SSL_DEBUG_BUF( 3, "verify buffer", verify_buffer, 64 + context_string_len + 1 + 48 ); - mbedtls_sha512(verify_buffer, 64 + context_string_len + 1 + 48, hash, 1 /* for SHA-384 */); + mbedtls_sha512( verify_buffer, 64 + context_string_len + 1 + 48, hash, 1 /* for SHA-384 */ ); - MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", hash, 48); + MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", hash, 48 ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); - mbedtls_sha512_free(&sha384); - mbedtls_free(verify_buffer); - mbedtls_free(context_string); + mbedtls_sha512_free( &sha384 ); + mbedtls_free( verify_buffer ); + mbedtls_free( context_string ); - return 0; + return 0; } #endif /* MBEDTLS_SHA512_C */ -/* mbedtls_ssl_derive_master_secret() +/* mbedtls_ssl_derive_master_secret( ) * * Generates the keys based on the TLS 1.3 key hierachy: * @@ -1165,285 +1209,298 @@ static int ssl_calc_verify_tls_sha384(mbedtls_ssl_context *ssl, unsigned char ha * PSK -> HKDF-Extract = Early Secret * | * v - * Derive-Secret(., "derived", "") + * Derive-Secret( ., "derived", "" ) * | * v - * (EC)DHE -> HKDF-Extract = Handshake Secret + * ( EC )DHE -> HKDF-Extract = Handshake Secret * | * v - * Derive-Secret(., "derived", "") + * Derive-Secret( ., "derived", "" ) * | * v * 0 -> HKDF-Extract = Master Secret * */ -int mbedtls_ssl_derive_master_secret(mbedtls_ssl_context *ssl) { +int mbedtls_ssl_derive_master_secret( mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) - unsigned char salt[32]; - unsigned char ECDHE[32]; - unsigned char null_ikm[32]; - unsigned char intermediary_secret[32]; -#else // MBEDTLS_SHA512_C - unsigned char salt[64]; - unsigned char ECDHE[66]; - unsigned char null_ikm[64]; - unsigned char intermediary_secret[64]; + unsigned char salt[32]; + unsigned char ECDHE[32]; + unsigned char null_ikm[32]; + unsigned char intermediary_secret[32]; +#else /* MBEDTLS_SHA512_C */ + unsigned char salt[64]; + unsigned char ECDHE[66]; + unsigned char null_ikm[64]; + unsigned char intermediary_secret[64]; #endif #if defined(MBEDTLS_SHA256_C) - // SHA256 hash of "" string of length 0. - static const unsigned char NULL_HASH_SHA256[32] = + /* SHA256 hash of "" string of length 0. */ + static const unsigned char NULL_HASH_SHA256[32] = { 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 }; #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) - // SHA384 hash of "" string of length 0. - static const unsigned char NULL_HASH_SHA384[48] = + /* SHA384 hash of "" string of length 0. */ + static const unsigned char NULL_HASH_SHA384[48] = { 0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38, 0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a, 0x21, 0xfd, 0xb7, 0x11, 0x14, 0xbe, 0x07, 0x43, 0x4c, 0x0c, 0xc7, 0xbf, 0x63, 0xf6, 0xe1, 0xda, 0x27, 0x4e, 0xde, 0xbf, 0xe7, 0x6f, 0x65, 0xfb, 0xd5, 0x1a, 0xd2, 0xf1, 0x48, 0x98, 0xb9, 0x5b }; #endif /* MBEDTLS_SHA512_C */ - size_t ECDHE_len; - int ret = 0; - const mbedtls_md_info_t *md; - const mbedtls_ssl_ciphersuite_t *suite_info; - unsigned char *psk; - size_t psk_len; - unsigned char *padbuf; - unsigned int psk_allocated = 0; - int hash_size; + size_t ECDHE_len; + int ret = 0; + const mbedtls_md_info_t *md; + const mbedtls_ssl_ciphersuite_t *suite_info; + unsigned char *psk; + size_t psk_len; + unsigned char *padbuf; + unsigned int psk_allocated = 0; + int hash_size; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - psk = ssl->conf->psk; - psk_len = ssl->conf->psk_len; + psk = ssl->conf->psk; + psk_len = ssl->conf->psk_len; #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ - if (ssl->transform_in == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("transform_in == NULL, mbedtls_ssl_derive_master_secret failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ssl->transform_in == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "transform_in == NULL, mbedtls_ssl_derive_master_secret failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - if (ssl->session_negotiate == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("session_negotiate == NULL, mbedtls_ssl_derive_master_secret failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ssl->session_negotiate == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "session_negotiate == NULL, mbedtls_ssl_derive_master_secret failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - md = mbedtls_md_info_from_type(ssl->transform_in->ciphersuite_info->mac); - if (md == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("md == NULL, mbedtls_ssl_derive_master_secret failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + md = mbedtls_md_info_from_type( ssl->transform_in->ciphersuite_info->mac ); + if( md == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "md == NULL, mbedtls_ssl_derive_master_secret failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - suite_info = mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); - if (suite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("suite_info == NULL, mbedtls_ssl_derive_master_secret failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); + if( suite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "suite_info == NULL, mbedtls_ssl_derive_master_secret failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - /* Determine hash size */ - hash_size = mbedtls_hash_size_for_ciphersuite(suite_info); - if (hash_size == -1) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite() failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + /* Determine hash size */ + hash_size = mbedtls_hash_size_for_ciphersuite( suite_info ); + if( hash_size == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite( ) failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - /* If the psk callback was called, use its result */ - if ((ssl->handshake->psk != NULL) && - (ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK)) - { - psk = ssl->handshake->psk; - psk_len = ssl->handshake->psk_len; - } + /* If the psk callback was called, use its result */ + if( ( ssl->handshake->psk != NULL ) && + ( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || + ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) ) + { + psk = ssl->handshake->psk; + psk_len = ssl->handshake->psk_len; + } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - if (ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { - - /* If we are not using a PSK-based ciphersuite then the - * psk identity is set to a 0 vector. - */ - - psk = mbedtls_calloc(hash_size,1); - if (psk == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("malloc for psk == NULL, mbedtls_ssl_derive_master_secret failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - psk_allocated = 1; - memset(psk, 0x0, hash_size); - psk_len = hash_size; - } + if( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) + { + + /* If we are not using a PSK-based ciphersuite then the + * psk identity is set to a 0 vector. + */ + + psk = mbedtls_calloc( hash_size,1 ); + if( psk == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc for psk == NULL, mbedtls_ssl_derive_master_secret failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + psk_allocated = 1; + memset( psk, 0x0, hash_size ); + psk_len = hash_size; + } #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - /* We point the padbuf variable to the appropriate constant */ - if (hash_size == 32) { + /* We point the padbuf variable to the appropriate constant */ + if( hash_size == 32 ) + { #if defined(MBEDTLS_SHA256_C) - padbuf = (unsigned char*) NULL_HASH_SHA256; + padbuf = ( unsigned char* ) NULL_HASH_SHA256; #else - MBEDTLS_SSL_DEBUG_MSG(1, ("MBEDTLS_SHA256_C not set but ciphersuite with SHA256 negotiated")); - if (psk_allocated == 1) mbedtls_free(psk); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "MBEDTLS_SHA256_C not set but ciphersuite with SHA256 negotiated" ) ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA256_C */ - } else - if (hash_size == 48) { + } else + if( hash_size == 48 ) + { #if defined(MBEDTLS_SHA512_C) - padbuf = (unsigned char*) NULL_HASH_SHA384; + padbuf = ( unsigned char* ) NULL_HASH_SHA384; #else - MBEDTLS_SSL_DEBUG_MSG(1, ("MBEDTLS_SHA512_C not set but ciphersuite with SHA384 negotiated")); - if (psk_allocated == 1) mbedtls_free(psk); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "MBEDTLS_SHA512_C not set but ciphersuite with SHA384 negotiated" ) ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA512_C */ } else { - MBEDTLS_SSL_DEBUG_MSG(1, ("unknown ciphersuite hash size, mbedtls_ssl_derive_master_secret failed")); - if (psk_allocated == 1) mbedtls_free(psk); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown ciphersuite hash size, mbedtls_ssl_derive_master_secret failed" ) ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - /* - * Compute Early Secret with HKDF-Extract(0, PSK) - */ + /* + * Compute Early Secret with HKDF-Extract( 0, PSK ) + */ - memset(salt, 0x0, hash_size); - ret = mbedtls_hkdf_extract(md, salt, hash_size, psk, psk_len, ssl->handshake->early_secret); + memset( salt, 0x0, hash_size ); + ret = mbedtls_hkdf_extract( md, salt, hash_size, psk, psk_len, ssl->handshake->early_secret ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hkdf_extract() with early_secret", ret); - if (psk_allocated == 1) mbedtls_free(psk); - return ret; - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hkdf_extract( ) with early_secret", ret ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return ret; + } - MBEDTLS_SSL_DEBUG_MSG(5, ("HKDF Extract -- early_secret")); - MBEDTLS_SSL_DEBUG_BUF(5, "Salt", salt, hash_size); - MBEDTLS_SSL_DEBUG_BUF(5, "Input", psk, psk_len); - MBEDTLS_SSL_DEBUG_BUF(5, "Output", ssl->handshake->early_secret, hash_size); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "HKDF Extract -- early_secret" ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Salt", salt, hash_size ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Input", psk, psk_len ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Output", ssl->handshake->early_secret, hash_size ); - /* - * Derive-Secret(., "derived", "") - */ + /* + * Derive-Secret( ., "derived", "" ) + */ /* - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 32) { -#if defined(MBEDTLS_SHA256_C) - mbedtls_sha256((const unsigned char*) "", 0, padbuf, 0); // / 0 = use SHA256 -#else - MBEDTLS_SSL_DEBUG_MSG(1, ("MBEDTLS_SHA256_C not set but ciphersuite with SHA256 negotiated")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); -#endif - } + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 32 ) { + #if defined(MBEDTLS_SHA256_C) + mbedtls_sha256( ( const unsigned char* ) "", 0, padbuf, 0 ); + #else + MBEDTLS_SSL_DEBUG_MSG( 1, ( "MBEDTLS_SHA256_C not set but ciphersuite with SHA256 negotiated" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + #endif + } - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 48) { -#if defined(MBEDTLS_SHA512_C) - mbedtls_sha512((const unsigned char*) "", 0, padbuf, 1 ); // 1 = use SHA384 -#else - MBEDTLS_SSL_DEBUG_MSG(1, ("MBEDTLS_SHA512_C not set but ciphersuite with SHA384 negotiated")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); -#endif - } + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 48 ) { + #if defined(MBEDTLS_SHA512_C) + mbedtls_sha512( ( const unsigned char* ) "", 0, padbuf, 1 ); + #else + MBEDTLS_SSL_DEBUG_MSG( 1, ( "MBEDTLS_SHA512_C not set but ciphersuite with SHA384 negotiated" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + #endif + } */ - ret = Derive_Secret(ssl, ssl->transform_in->ciphersuite_info->mac, - ssl->handshake->early_secret, hash_size, - (const unsigned char*)"derived", strlen("derived"), - padbuf, hash_size, - intermediary_secret, hash_size); + ret = Derive_Secret( ssl, ssl->transform_in->ciphersuite_info->mac, + ssl->handshake->early_secret, hash_size, + ( const unsigned char* )"derived", strlen( "derived" ), + padbuf, hash_size, + intermediary_secret, hash_size ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive-Secret(., 'derived', ''): Error", ret); - if (psk_allocated == 1) mbedtls_free(psk); - return ret; - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive-Secret( ., 'derived', '' ): Error", ret ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return ret; + } - /* - * Compute Handshake Secret with HKDF-Extract(Intermediary Secret, ECDHE) - */ + /* + * Compute Handshake Secret with HKDF-Extract( Intermediary Secret, ECDHE ) + */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) - if ((ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) || - (ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA)){ - - if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected], - &ECDHE_len, - ECDHE, - sizeof(ECDHE), - ssl->conf->f_rng, ssl->conf->p_rng)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); - if (psk_allocated == 1) mbedtls_free(psk); - return(ret); - } - - MBEDTLS_SSL_DEBUG_MPI(3, "ECDHE:", &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].z); + if( ( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) || + ( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) ){ + + if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected], + &ECDHE_len, + ECDHE, + sizeof( ECDHE ), + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return( ret ); + } - } else + MBEDTLS_SSL_DEBUG_MPI( 3, "ECDHE:", &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].z ); + + } else #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if (ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { - memset(ECDHE, 0x0, hash_size); - MBEDTLS_SSL_DEBUG_BUF(3, "ECDHE", ECDHE, hash_size); - ECDHE_len=hash_size; + if( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) + { + memset( ECDHE, 0x0, hash_size ); + MBEDTLS_SSL_DEBUG_BUF( 3, "ECDHE", ECDHE, hash_size ); + ECDHE_len=hash_size; } else #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported key exchange -- mbedtls_ssl_derive_master_secret failed.")); - if (psk_allocated == 1) mbedtls_free(psk); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported key exchange -- mbedtls_ssl_derive_master_secret failed." ) ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - ret = mbedtls_hkdf_extract(md, intermediary_secret, hash_size, - ECDHE, ECDHE_len, ssl->handshake->handshake_secret); + ret = mbedtls_hkdf_extract( md, intermediary_secret, hash_size, + ECDHE, ECDHE_len, ssl->handshake->handshake_secret ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hkdf_extract() with handshake_secret: Error", ret); - if (psk_allocated == 1) mbedtls_free(psk); - return ret; - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hkdf_extract( ) with handshake_secret: Error", ret ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return ret; + } - MBEDTLS_SSL_DEBUG_MSG(5, ("HKDF Extract -- handshake_secret")); - MBEDTLS_SSL_DEBUG_BUF(5, "Salt", intermediary_secret, hash_size); - MBEDTLS_SSL_DEBUG_BUF(5, "Input (ECDHE)", ECDHE, hash_size); - MBEDTLS_SSL_DEBUG_BUF(5, "Output", ssl->handshake->handshake_secret, hash_size); - - /* - * Derive-Secret(., "derived", "") - */ - - ret = Derive_Secret(ssl, ssl->transform_in->ciphersuite_info->mac, - ssl->handshake->handshake_secret, hash_size, - (const unsigned char*)"derived", strlen("derived"), - padbuf, hash_size, - intermediary_secret, hash_size); - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive-Secret(., 'derived', ''): Error", ret); - if (psk_allocated == 1) mbedtls_free(psk); - return ret; - } + MBEDTLS_SSL_DEBUG_MSG( 5, ( "HKDF Extract -- handshake_secret" ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Salt", intermediary_secret, hash_size ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Input ( ECDHE )", ECDHE, hash_size ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Output", ssl->handshake->handshake_secret, hash_size ); - /* - * Compute Master Secret with HKDF-Extract(Intermediary Secret, 0) - */ + /* + * Derive-Secret( ., "derived", "" ) + */ - memset(null_ikm, 0x0, hash_size); + ret = Derive_Secret( ssl, ssl->transform_in->ciphersuite_info->mac, + ssl->handshake->handshake_secret, hash_size, + ( const unsigned char* )"derived", strlen( "derived" ), + padbuf, hash_size, + intermediary_secret, hash_size ); - ret = mbedtls_hkdf_extract(md, intermediary_secret, hash_size, - null_ikm, hash_size, ssl->handshake->master_secret); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive-Secret( ., 'derived', '' ): Error", ret ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return ret; + } - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hkdf_extract() with master_secret: Error %d.", ret); - if (psk_allocated == 1) mbedtls_free(psk); - return ret; - } + /* + * Compute Master Secret with HKDF-Extract( Intermediary Secret, 0 ) + */ - MBEDTLS_SSL_DEBUG_MSG(5, ("HKDF Extract -- master_secret")); - MBEDTLS_SSL_DEBUG_BUF(5, "Salt", intermediary_secret, hash_size); - MBEDTLS_SSL_DEBUG_BUF(5, "Input", null_ikm, hash_size); - MBEDTLS_SSL_DEBUG_BUF(5, "Output", ssl->handshake->master_secret, hash_size); + memset( null_ikm, 0x0, hash_size ); - if (psk_allocated == 1) mbedtls_free(psk); - return(0); + ret = mbedtls_hkdf_extract( md, intermediary_secret, hash_size, + null_ikm, hash_size, ssl->handshake->master_secret ); + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hkdf_extract( ) with master_secret: Error %d.", ret ); + if( psk_allocated == 1 ) mbedtls_free( psk ); + return ret; + } + + MBEDTLS_SSL_DEBUG_MSG( 5, ( "HKDF Extract -- master_secret" ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Salt", intermediary_secret, hash_size ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Input", null_ikm, hash_size ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Output", ssl->handshake->master_secret, hash_size ); + + if( psk_allocated == 1 ) mbedtls_free( psk ); + return( 0 ); } @@ -1454,12 +1511,12 @@ int mbedtls_ssl_derive_master_secret(mbedtls_ssl_context *ssl) { * */ - /* - * Overview - */ +/* + * Overview + */ - /* Main entry point: orchestrates the other functions. */ -int ssl_certificate_verify_process(mbedtls_ssl_context* ssl); +/* Main entry point: orchestrates the other functions. */ +int ssl_certificate_verify_process( mbedtls_ssl_context* ssl ); /* Coordinate: Check whether a certificate verify message should be sent. * Returns a negative value on failure, and otherwise @@ -1469,237 +1526,240 @@ int ssl_certificate_verify_process(mbedtls_ssl_context* ssl); */ #define SSL_CERTIFICATE_VERIFY_SKIP 0 #define SSL_CERTIFICATE_VERIFY_SEND 1 -static int ssl_certificate_verify_coordinate(mbedtls_ssl_context* ssl); +static int ssl_certificate_verify_coordinate( mbedtls_ssl_context* ssl ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_verify_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen); +static int ssl_certificate_verify_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ); #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_certificate_verify_postprocess(mbedtls_ssl_context* ssl); +static int ssl_certificate_verify_postprocess( mbedtls_ssl_context* ssl ); /* * Implementation */ -int ssl_certificate_verify_process(mbedtls_ssl_context* ssl) +int ssl_certificate_verify_process( mbedtls_ssl_context* ssl ) { - int ret = 0; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); + int ret = 0; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); - /* Coordination step: Check if we need to send a CertificateVerify */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_verify_coordinate(ssl)); + /* Coordination step: Check if we need to send a CertificateVerify */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_verify_coordinate( ssl ) ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - if (ret == SSL_CERTIFICATE_VERIFY_SEND) - { - /* Make sure we can write a new message. */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_flush_output(ssl)); - - /* Prepare CertificateVerify message in output buffer. */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_verify_write(ssl, ssl->out_msg, - MBEDTLS_SSL_MAX_CONTENT_LEN, - &ssl->out_msglen)); - - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; - - /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_verify_postprocess(ssl)); - - /* Dispatch message */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl)); - - /* NOTE: With the new messaging layer, the postprocessing - * step might come after the dispatching step if the - * latter doesn't send the message immediately. - * At the moment, we must do the postprocessing - * prior to the dispatching because if the latter - * returns WANT_WRITE, we want the handshake state - * to be updated in order to not enter - * this function again on retry. - * - * Further, once the two calls can be re-ordered, the two - * calls to ssl_certificate_verify_postprocess() can be - * consolidated. */ - } - else + if( ret == SSL_CERTIFICATE_VERIFY_SEND ) + { + /* Make sure we can write a new message. */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); + + /* Prepare CertificateVerify message in output buffer. */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_verify_write( ssl, ssl->out_msg, + MBEDTLS_SSL_MAX_CONTENT_LEN, + &ssl->out_msglen ) ); + + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; + + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_verify_postprocess( ssl ) ); + + /* Dispatch message */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl ) ); + + /* NOTE: With the new messaging layer, the postprocessing + * step might come after the dispatching step if the + * latter doesn't send the message immediately. + * At the moment, we must do the postprocessing + * prior to the dispatching because if the latter + * returns WANT_WRITE, we want the handshake state + * to be updated in order to not enter + * this function again on retry. + * + * Further, once the two calls can be re-ordered, the two + * calls to ssl_certificate_verify_postprocess( ) can be + * consolidated. */ + } + else #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - if (ret == SSL_CERTIFICATE_VERIFY_SKIP) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); - - /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_verify_postprocess(ssl)); - } - else - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ret == SSL_CERTIFICATE_VERIFY_SKIP ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); + + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_verify_postprocess( ssl ) ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify")); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); + return( ret ); } -static int ssl_certificate_verify_coordinate(mbedtls_ssl_context* ssl) +static int ssl_certificate_verify_coordinate( mbedtls_ssl_context* ssl ) { - int have_own_cert = 1; + int have_own_cert = 1; - if (ssl->session_negotiate->key_exchange != MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); - return(SSL_CERTIFICATE_VERIFY_SKIP); - } + if( ssl->session_negotiate->key_exchange != MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); + return( SSL_CERTIFICATE_VERIFY_SKIP ); + } #if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #else - if (mbedtls_ssl_own_cert(ssl) == NULL) have_own_cert = 0; - - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { - if (ssl->client_auth == 0 || have_own_cert == 0 || ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); - return(0); - } - } + if( mbedtls_ssl_own_cert( ssl ) == NULL ) have_own_cert = 0; - if (have_own_cert == 0 && ssl->client_auth == 1 && ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no certificate")); - return(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED); - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + if( ssl->client_auth == 0 || have_own_cert == 0 || ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); + return( 0 ); + } + } - /* - * Check whether the signature scheme corresponds to the key we are using - */ - if (mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl)) != MBEDTLS_SSL_SIG_ECDSA) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate Verify: Only ECDSA signature algorithm is currently supported.")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); - } + if( have_own_cert == 0 && ssl->client_auth == 1 && ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate" ) ); + return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); + } - /* - * Check whether the signature scheme corresponds to the hash algorithm of the negotiated ciphersuite - * TBD: Double-check whether this is really a good approach. + /* + * Check whether the signature scheme corresponds to the key we are using + */ + if( mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ) != MBEDTLS_SSL_SIG_ECDSA ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Only ECDSA signature algorithm is currently supported." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + } - if ((ssl->handshake->signature_scheme == SIGNATURE_ECDSA_SECP256r1_SHA256) && (ciphersuite_info->hash != MBEDTLS_MD_SHA256)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate Verify: SIGNATURE_ECDSA_SECP256r1_SHA256 only matches with MBEDTLS_MD_SHA256.")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); - } - else if ((ssl->handshake->signature_scheme == SIGNATURE_ECDSA_SECP384r1_SHA384) && (ciphersuite_info->hash != MBEDTLS_MD_SHA384)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate Verify: SIGNATURE_ECDSA_SECP384r1_SHA384 only matches with MBEDTLS_MD_SHA384.")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); - } - else if ((ssl->handshake->signature_scheme == SIGNATURE_ECDSA_SECP521r1_SHA512) && (ciphersuite_info->hash != MBEDTLS_MD_SHA512)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate Verify: SIGNATURE_ECDSA_SECP521r1_SHA512 only matches with MBEDTLS_MD_SHA512.")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); - } - */ + /* + * Check whether the signature scheme corresponds to the hash algorithm of the negotiated ciphersuite + * TBD: Double-check whether this is really a good approach. + + if( ( ssl->handshake->signature_scheme == SIGNATURE_ECDSA_SECP256r1_SHA256 ) && ( ciphersuite_info->hash != MBEDTLS_MD_SHA256 ) ) { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: SIGNATURE_ECDSA_SECP256r1_SHA256 only matches with MBEDTLS_MD_SHA256." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + } + else if( ( ssl->handshake->signature_scheme == SIGNATURE_ECDSA_SECP384r1_SHA384 ) && ( ciphersuite_info->hash != MBEDTLS_MD_SHA384 ) ) { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: SIGNATURE_ECDSA_SECP384r1_SHA384 only matches with MBEDTLS_MD_SHA384." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + } + else if( ( ssl->handshake->signature_scheme == SIGNATURE_ECDSA_SECP521r1_SHA512 ) && ( ciphersuite_info->hash != MBEDTLS_MD_SHA512 ) ) { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: SIGNATURE_ECDSA_SECP521r1_SHA512 only matches with MBEDTLS_MD_SHA512." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + } + */ - return(SSL_CERTIFICATE_VERIFY_SEND); + return( SSL_CERTIFICATE_VERIFY_SEND ); #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ } #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_verify_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen) +static int ssl_certificate_verify_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ) { - int ret; - const mbedtls_ssl_ciphersuite_t* ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; - size_t n = 0, offset = 0; + int ret; + const mbedtls_ssl_ciphersuite_t* ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; + size_t n = 0, offset = 0; - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; - unsigned char* hash_start = hash; - unsigned int hashlen; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; + unsigned char* hash_start = hash; + unsigned int hashlen; - /* TODO: Add bounds checks! Only then remove the next line. */ - ((void) buflen); + /* TODO: Add bounds checks! Only then remove the next line. */ + ((void) buflen); - /* - * Make a signature of the handshake transcript - */ - ret = ssl->handshake->calc_verify(ssl, hash, ssl->conf->endpoint); + /* + * Make a signature of the handshake transcript + */ + ret = ssl->handshake->calc_verify( ssl, hash, ssl->conf->endpoint ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret); - return(ret); - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "calc_verify", ret ); + return( ret ); + } - /* - * struct { - * SignatureScheme algorithm; - * opaque signature<0..2^16-1>; - * } CertificateVerify; - */ + /* + * struct { + * SignatureScheme algorithm; + * opaque signature<0..2^16-1>; + * } CertificateVerify; + */ - /* The algorithm used for computing the hash above must - * correspond to the algorithm indicated in the signature_scheme below. - * - * TBD: ssl->handshake->signature_scheme should already contain the correct value - * based on the parsing of the ClientHello / transmission of the ServerHello - * message. - */ + /* The algorithm used for computing the hash above must + * correspond to the algorithm indicated in the signature_scheme below. + * + * TBD: ssl->handshake->signature_scheme should already contain the correct value + * based on the parsing of the ClientHello / transmission of the ServerHello + * message. + */ - switch (ciphersuite_info->mac) { + switch ( ciphersuite_info->mac ) { case MBEDTLS_MD_SHA256: ssl->handshake->signature_scheme = SIGNATURE_ECDSA_SECP256r1_SHA256; break; case MBEDTLS_MD_SHA384: ssl->handshake->signature_scheme = SIGNATURE_ECDSA_SECP384r1_SHA384; break; case MBEDTLS_MD_SHA512: ssl->handshake->signature_scheme = SIGNATURE_ECDSA_SECP521r1_SHA512; break; - default: MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate Verify: Unknown hash algorithm.")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); - } + default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown hash algorithm." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + } - buf[4] = (unsigned char)((ssl->handshake->signature_scheme >> 8) & 0xFF); - buf[5] = (unsigned char)((ssl->handshake->signature_scheme) & 0xFF); + buf[4] = ( unsigned char )( ( ssl->handshake->signature_scheme >> 8 ) & 0xFF ); + buf[5] = ( unsigned char )( ( ssl->handshake->signature_scheme ) & 0xFF ); - /* Info from ssl->transform_negotiate->ciphersuite_info->mac will be used instead */ - hashlen = 0; - offset = 2; + /* Info from ssl->transform_negotiate->ciphersuite_info->mac will be used instead */ + hashlen = 0; + offset = 2; - if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl), ciphersuite_info->mac, hash_start, hashlen, - buf + 6 + offset, &n, - ssl->conf->f_rng, ssl->conf->p_rng)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); - return(ret); - } + if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), ciphersuite_info->mac, hash_start, hashlen, + buf + 6 + offset, &n, + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); + return( ret ); + } - buf[4 + offset] = (unsigned char)(n >> 8); - buf[5 + offset] = (unsigned char)(n); + buf[4 + offset] = ( unsigned char )( n >> 8 ); + buf[5 + offset] = ( unsigned char )( n ); - *olen = 6 + n + offset; + *olen = 6 + n + offset; - return(ret); + return( ret ); } #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_certificate_verify_postprocess(mbedtls_ssl_context* ssl) +static int ssl_certificate_verify_postprocess( mbedtls_ssl_context* ssl ) { - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, MBEDTLS_SSL_ACK_RECORDS_SENT); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, MBEDTLS_SSL_ACK_RECORDS_SENT ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_FINISHED); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_FINISHED ); #else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); #endif /* MBEDTLS_COMPATIBILITY_MODE */ - } - else { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); - } - return(0); + } + else + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); + } + return( 0 ); } /* @@ -1708,12 +1768,12 @@ static int ssl_certificate_verify_postprocess(mbedtls_ssl_context* ssl) * */ - /* - * Overview - */ +/* + * Overview + */ - /* Main entry point; orchestrates the other functions */ -int ssl_read_certificate_verify_process(mbedtls_ssl_context* ssl); +/* Main entry point; orchestrates the other functions */ +int ssl_read_certificate_verify_process( mbedtls_ssl_context* ssl ); /* Coordinate: Check whether a certificate verify message is expected. * Returns a negative value on failure, and otherwise @@ -1723,7 +1783,7 @@ int ssl_read_certificate_verify_process(mbedtls_ssl_context* ssl); */ #define SSL_CERTIFICATE_VERIFY_SKIP 0 #define SSL_CERTIFICATE_VERIFY_READ 1 -static int ssl_read_certificate_verify_coordinate(mbedtls_ssl_context* ssl); +static int ssl_read_certificate_verify_coordinate( mbedtls_ssl_context* ssl ); #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* Parse and validate CertificateVerify message @@ -1732,71 +1792,71 @@ static int ssl_read_certificate_verify_coordinate(mbedtls_ssl_context* ssl); * hold the transcript given the selected hash algorithm. * No bounds-checking is done inside the function. */ -static int ssl_read_certificate_verify_parse(mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen, - unsigned char const* hash, - size_t hashlen); +static int ssl_read_certificate_verify_parse( mbedtls_ssl_context* ssl, + unsigned char const* buf, + size_t buflen, + unsigned char const* hash, + size_t hashlen ); #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ /* Update handshake state machine */ -static int ssl_read_certificate_verify_postprocess(mbedtls_ssl_context* ssl); +static int ssl_read_certificate_verify_postprocess( mbedtls_ssl_context* ssl ); /* * Implementation */ -int ssl_read_certificate_verify_process(mbedtls_ssl_context* ssl) +int ssl_read_certificate_verify_process( mbedtls_ssl_context* ssl ) { int ret; unsigned char hash[MBEDTLS_MD_MAX_SIZE]; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); /* Coordination step */ - MBEDTLS_SSL_PROC_CHK(ssl_read_certificate_verify_coordinate(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_verify_coordinate( ssl ) ); #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) - if (ret == SSL_CERTIFICATE_VERIFY_READ) + if( ret == SSL_CERTIFICATE_VERIFY_READ ) { /* Need to calculate the hash of the transcript first * before reading the message since otherwise it gets *included in the transcript */ - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - ssl->handshake->calc_verify(ssl, hash, MBEDTLS_SSL_IS_CLIENT); + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + ssl->handshake->calc_verify( ssl, hash, MBEDTLS_SSL_IS_CLIENT ); else - ssl->handshake->calc_verify(ssl, hash, MBEDTLS_SSL_IS_SERVER); + ssl->handshake->calc_verify( ssl, hash, MBEDTLS_SSL_IS_SERVER ); /* Read message */ - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) + if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record_layer"), ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); + return( ret ); } - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || - ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) + if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || + ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } /* Process the message contents */ - MBEDTLS_SSL_PROC_CHK(ssl_read_certificate_verify_parse(ssl, ssl->in_msg, - ssl->in_hslen, (unsigned char const*) &hash, MBEDTLS_MD_MAX_SIZE)); + MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_verify_parse( ssl, ssl->in_msg, + ssl->in_hslen, ( unsigned char const* ) &hash, MBEDTLS_MD_MAX_SIZE ) ); } else #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ - if (ret == SSL_CERTIFICATE_VERIFY_SKIP) + if( ret == SSL_CERTIFICATE_VERIFY_SKIP ) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); } else { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } /* Update state machine and handshake checksum state. @@ -1805,39 +1865,40 @@ int ssl_read_certificate_verify_process(mbedtls_ssl_context* ssl) * done manually here because we couldn't have it done automatically * when reading the message. */ - MBEDTLS_SSL_PROC_CHK(ssl_read_certificate_verify_postprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_verify_postprocess( ssl ) ); cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); + return( ret ); } -static int ssl_read_certificate_verify_coordinate(mbedtls_ssl_context* ssl) +static int ssl_read_certificate_verify_coordinate( mbedtls_ssl_context* ssl ) { - if (ssl->session_negotiate->key_exchange != MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { - return(SSL_CERTIFICATE_VERIFY_SKIP); + if( ssl->session_negotiate->key_exchange != MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) + { + return( SSL_CERTIFICATE_VERIFY_SKIP ); } #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #else - if (ssl->session_negotiate->peer_cert == NULL) - return(SSL_CERTIFICATE_VERIFY_SKIP); + if( ssl->session_negotiate->peer_cert == NULL ) + return( SSL_CERTIFICATE_VERIFY_SKIP ); - return(SSL_CERTIFICATE_VERIFY_READ); + return( SSL_CERTIFICATE_VERIFY_READ ); #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ } #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) -static int ssl_read_certificate_verify_parse(mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen, - unsigned char const* hash, - size_t hashlen) +static int ssl_read_certificate_verify_parse( mbedtls_ssl_context* ssl, + unsigned char const* buf, + size_t buflen, + unsigned char const* hash, + size_t hashlen ) { int ret; int signature_scheme; @@ -1848,14 +1909,14 @@ static int ssl_read_certificate_verify_parse(mbedtls_ssl_context* ssl, /* TODO: Why don't we use `hashlen` here? Look at this. */ ((void) hashlen); - if (buflen < mbedtls_ssl_hs_hdr_len(ssl)) + if( buflen < mbedtls_ssl_hs_hdr_len( ssl ) ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - buflen -= mbedtls_ssl_hs_hdr_len(ssl); - buf += mbedtls_ssl_hs_hdr_len(ssl); + buflen -= mbedtls_ssl_hs_hdr_len( ssl ); + buf += mbedtls_ssl_hs_hdr_len( ssl ); /* * struct { @@ -1865,103 +1926,103 @@ static int ssl_read_certificate_verify_parse(mbedtls_ssl_context* ssl, * */ - if (buflen < 2) + if( buflen < 2 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - signature_scheme = (buf[0] << 8) | buf[1]; - - // We currently only support ECDSA-based signatures - switch (signature_scheme) { - case SIGNATURE_ECDSA_SECP256r1_SHA256: - md_alg = MBEDTLS_MD_SHA256; - pk_alg = MBEDTLS_PK_ECDSA; - break; - case SIGNATURE_ECDSA_SECP384r1_SHA384: - md_alg = MBEDTLS_MD_SHA384; - pk_alg = MBEDTLS_PK_ECDSA; - break; - case SIGNATURE_ECDSA_SECP521r1_SHA512: - md_alg = MBEDTLS_MD_SHA512; - pk_alg = MBEDTLS_PK_ECDSA; - break; - default: - MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate Verify: Unknown signature algorithm.")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); + signature_scheme = ( buf[0] << 8 ) | buf[1]; + + /* We currently only support ECDSA-based signatures */ + switch ( signature_scheme ) { + case SIGNATURE_ECDSA_SECP256r1_SHA256: + md_alg = MBEDTLS_MD_SHA256; + pk_alg = MBEDTLS_PK_ECDSA; + break; + case SIGNATURE_ECDSA_SECP384r1_SHA384: + md_alg = MBEDTLS_MD_SHA384; + pk_alg = MBEDTLS_PK_ECDSA; + break; + case SIGNATURE_ECDSA_SECP521r1_SHA512: + md_alg = MBEDTLS_MD_SHA512; + pk_alg = MBEDTLS_PK_ECDSA; + break; + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate Verify: Signature algorithm (%04x)", signature_scheme)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )", signature_scheme ) ); buflen -= 2; buf += 2; /* - * Signature - */ + * Signature + */ /* - * Check the certificate's key type matches the signature alg - */ - if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, pk_alg)) + * Check the certificate's key type matches the signature alg + */ + if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - if (buflen < 2) + if( buflen < 2 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - sig_len = (buf[0] << 8) | buf[1]; + sig_len = ( buf[0] << 8 ) | buf[1]; buf += 2; buflen -= 2; - if (buflen != sig_len) + if( buflen != sig_len ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - // hashlen set to 0 so that hash len is used from md_alg - if ((ret = mbedtls_pk_verify(&ssl->session_negotiate->peer_cert->pk, - md_alg, hash, 0, - buf, sig_len)) != 0) + /* hashlen set to 0 so that hash len is used from md_alg */ + if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, + md_alg, hash, 0, + buf, sig_len ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); + return( ret ); } - return(0); + return( 0 ); } #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -static int ssl_read_certificate_verify_postprocess(mbedtls_ssl_context* ssl) +static int ssl_read_certificate_verify_postprocess( mbedtls_ssl_context* ssl ) { #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); } else #endif /* MBEDTLS_SSL_SRV_C */ { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); } - return(0); + return( 0 ); } @@ -1972,17 +2033,17 @@ static int ssl_read_certificate_verify_postprocess(mbedtls_ssl_context* ssl) * */ - /* - * Overview - */ +/* + * Overview + */ - /* Main state-handling entry point; orchestrates the other functions. */ -int ssl_write_certificate_process(mbedtls_ssl_context* ssl); +/* Main state-handling entry point; orchestrates the other functions. */ +int ssl_write_certificate_process( mbedtls_ssl_context* ssl ); /* Check if a certificate should be written, and if yes, * if it is available. - * Returns a negative error code on failure (such as no certificate - * being available on the server), and otherwise + * Returns a negative error code on failure ( such as no certificate + * being available on the server ), and otherwise * SSL_WRITE_CERTIFICATE_AVAILABLE or * SSL_WRITE_CERTIFICATE_SKIP * indicating that a Certificate message should be written based @@ -1991,101 +2052,101 @@ int ssl_write_certificate_process(mbedtls_ssl_context* ssl); #define SSL_WRITE_CERTIFICATE_AVAILABLE 0 #define SSL_WRITE_CERTIFICATE_SKIP 1 -static int ssl_write_certificate_coordinate(mbedtls_ssl_context* ssl); +static int ssl_write_certificate_coordinate( mbedtls_ssl_context* ssl ); #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* Write certificate message based on the configured certificate */ -static int ssl_write_certificate_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen); +static int ssl_write_certificate_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ); #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ /* Update the state after handling the outgoing certificate message. */ -static int ssl_write_certificate_postprocess(mbedtls_ssl_context* ssl); +static int ssl_write_certificate_postprocess( mbedtls_ssl_context* ssl ); /* * Implementation */ -int ssl_write_certificate_process(mbedtls_ssl_context* ssl) +int ssl_write_certificate_process( mbedtls_ssl_context* ssl ) { int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); /* Coordination: Check if we need to send a certificate. */ - MBEDTLS_SSL_PROC_CHK(ssl_write_certificate_coordinate(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_write_certificate_coordinate( ssl ) ); #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) - if (ret == SSL_WRITE_CERTIFICATE_AVAILABLE) + if( ret == SSL_WRITE_CERTIFICATE_AVAILABLE ) { /* Make sure we can write a new message. */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_flush_output(ssl)); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); /* Write certificate to message buffer. */ - MBEDTLS_SSL_PROC_CHK(ssl_write_certificate_write(ssl, ssl->out_msg, - MBEDTLS_SSL_MAX_CONTENT_LEN, - &ssl->out_msglen)); + MBEDTLS_SSL_PROC_CHK( ssl_write_certificate_write( ssl, ssl->out_msg, + MBEDTLS_SSL_MAX_CONTENT_LEN, + &ssl->out_msglen ) ); ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; /* Dispatch message */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl)); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl ) ); /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_write_certificate_postprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_write_certificate_postprocess( ssl ) ); } else #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ - if (ret == SSL_WRITE_CERTIFICATE_SKIP) + if( ret == SSL_WRITE_CERTIFICATE_SKIP ) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_write_certificate_postprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_write_certificate_postprocess( ssl ) ); } else { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); + return( ret ); } -static int ssl_write_certificate_coordinate(mbedtls_ssl_context* ssl) +static int ssl_write_certificate_coordinate( mbedtls_ssl_context* ssl ) { int have_own_cert = 1; #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - // Pre-configuration + /* Pre-configuration */ ssl->transform_out = ssl->transform_negotiate; ssl->session_out = ssl->session_negotiate; - memset(ssl->transform_out->sequence_number_enc, 0x0, 12); /* Set sequence number to zero */ + memset( ssl->transform_out->sequence_number_enc, 0x0, 12 ); /* Set sequence number to zero */ } #endif /* MBEDTLS_SSL_CLI_C */ /* For PSK and ECDHE-PSK ciphersuites there is no certificate to exchange. */ - if (ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) + if( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || + ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); - return(SSL_WRITE_CERTIFICATE_SKIP); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); + return( SSL_WRITE_CERTIFICATE_SKIP ); } #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #else #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { /* The client MUST send a Certificate message if and only * if the server has requested client authentication via a @@ -2094,34 +2155,35 @@ static int ssl_write_certificate_coordinate(mbedtls_ssl_context* ssl) * client_auth indicates whether the server had requested * client authentication. */ - if (ssl->client_auth == 0) + if( ssl->client_auth == 0 ) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); - return(SSL_WRITE_CERTIFICATE_SKIP); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); + return( SSL_WRITE_CERTIFICATE_SKIP ); } } #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - if (have_own_cert == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no certificate to send")); - return(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED); + if( have_own_cert == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); + return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ); } } #endif /* MBEDTLS_SSL_SRV_C */ - return(SSL_WRITE_CERTIFICATE_AVAILABLE); + return( SSL_WRITE_CERTIFICATE_AVAILABLE ); #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ } #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) -static int ssl_write_certificate_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen) +static int ssl_write_certificate_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ) { size_t i, n, total_len; const mbedtls_x509_crt* crt; @@ -2131,7 +2193,7 @@ static int ssl_write_certificate_write(mbedtls_ssl_context* ssl, ((void) buflen); /* - * Handshake Header is 4 (before adding DTLS-specific fields, which is done later) + * Handshake Header is 4 ( before adding DTLS-specific fields, which is done later ) * Certificate Request Context: 1 byte * Length of CertificateEntry: 3 bytes * Length of cert. 1: 2 bytes @@ -2141,7 +2203,7 @@ static int ssl_write_certificate_write(mbedtls_ssl_context* ssl, */ i = 4; - // empty certificate_request_context with length 0 + /* empty certificate_request_context with length 0 */ buf[i] = 0; /* Skip length of certificate_request_context and * the length of CertificateEntry @@ -2152,12 +2214,13 @@ static int ssl_write_certificate_write(mbedtls_ssl_context* ssl, /* If the server requests client authentication but no suitable * certificate is available, the client MUST send a * Certificate message containing no certificates - * (i.e., with the "certificate_list" field having length 0). + * ( i.e., with the "certificate_list" field having length 0 ). * * authmode indicates whether the client configuration required authentication. */ - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ((mbedtls_ssl_own_cert(ssl) == NULL) || ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE)) { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write empty client certificate")); + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ( ( mbedtls_ssl_own_cert( ssl ) == NULL ) || ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write empty client certificate" ) ); buf[i] = 0; buf[i + 1] = 0; buf[i + 2] = 0; @@ -2168,26 +2231,26 @@ static int ssl_write_certificate_write(mbedtls_ssl_context* ssl, #endif /* MBEDTLS_SSL_CLI_C */ start = &buf[i]; - crt = mbedtls_ssl_own_cert(ssl); - MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl)); + crt = mbedtls_ssl_own_cert( ssl ); + MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); i += 3; - while (crt != NULL) + while ( crt != NULL ) { n = crt->raw.len; - if (n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i) + if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %d > %d", - i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN)); - return(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d", + i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) ); + return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE ); } - buf[i] = (unsigned char)(n >> 16); - buf[i + 1] = (unsigned char)(n >> 8); - buf[i + 2] = (unsigned char)(n); + buf[i] = ( unsigned char )( n >> 16 ); + buf[i + 1] = ( unsigned char )( n >> 8 ); + buf[i + 2] = ( unsigned char )( n ); - i += 3; memcpy(buf + i, crt->raw.p, n); + i += 3; memcpy( buf + i, crt->raw.p, n ); i += n; crt = crt->next; /* Currently, we don't have any certificate extensions defined. @@ -2198,54 +2261,54 @@ static int ssl_write_certificate_write(mbedtls_ssl_context* ssl, i += 2; } total_len = &buf[i] - start - 3; - *start++ = (unsigned char)((total_len) >> 16); - *start++ = (unsigned char)((total_len) >> 8); - *start++ = (unsigned char)((total_len)); + *start++ = ( unsigned char )( ( total_len ) >> 16 ); + *start++ = ( unsigned char )( ( total_len ) >> 8 ); + *start++ = ( unsigned char )( ( total_len ) ); #if defined(MBEDTLS_SSL_CLI_C) - empty_cert: +empty_cert: #endif /* MBEDTLS_SSL_CLI_C */ * olen = i; - return(0); + return( 0 ); } #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ /* Update the state after handling the outgoing certificate message. */ -static int ssl_write_certificate_postprocess(mbedtls_ssl_context* ssl) +static int ssl_write_certificate_postprocess( mbedtls_ssl_context* ssl ) { #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_clear_all(ssl, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_clear_all( ssl, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_CERTIFICATE, MBEDTLS_SSL_ACK_RECORDS_SENT); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_CERTIFICATE, MBEDTLS_SSL_ACK_RECORDS_SENT ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY ); - return(0); + return( 0 ); } else #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY); - return(0); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); + return( 0 ); } #endif /* MBEDTLS_SSL_SRV_C */ - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } @@ -2256,12 +2319,12 @@ static int ssl_write_certificate_postprocess(mbedtls_ssl_context* ssl) * */ - /* - * Overview - */ +/* + * Overview + */ - /* Main state-handling entry point; orchestrates the other functions. */ -int ssl_read_certificate_process(mbedtls_ssl_context* ssl); +/* Main state-handling entry point; orchestrates the other functions. */ +int ssl_read_certificate_process( mbedtls_ssl_context* ssl ); /* Coordination: Check if a certificate is expected. * Returns a negative error code on failure, and otherwise @@ -2271,735 +2334,746 @@ int ssl_read_certificate_process(mbedtls_ssl_context* ssl); */ #define SSL_CERTIFICATE_EXPECTED 0 #define SSL_CERTIFICATE_SKIP 1 -static int ssl_read_certificate_coordinate(mbedtls_ssl_context* ssl); +static int ssl_read_certificate_coordinate( mbedtls_ssl_context* ssl ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) /* Parse certificate chain send by the peer. */ -static int ssl_read_certificate_parse(mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen); +static int ssl_read_certificate_parse( mbedtls_ssl_context* ssl, + unsigned char const* buf, + size_t buflen ); /* Validate certificate chain sent by the peer. */ -static int ssl_read_certificate_validate(mbedtls_ssl_context* ssl); +static int ssl_read_certificate_validate( mbedtls_ssl_context* ssl ); #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ /* Update the state after handling the incoming certificate message. */ -static int ssl_read_certificate_postprocess(mbedtls_ssl_context* ssl); +static int ssl_read_certificate_postprocess( mbedtls_ssl_context* ssl ); /* * Implementation */ -int ssl_read_certificate_process(mbedtls_ssl_context* ssl) +int ssl_read_certificate_process( mbedtls_ssl_context* ssl ) { - int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); + int ret; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); - /* Coordination: - * Check if we expect a certificate, and if yes, - * check if a non-empty certificate has been sent. */ - MBEDTLS_SSL_PROC_CHK(ssl_read_certificate_coordinate(ssl)); + /* Coordination: + * Check if we expect a certificate, and if yes, + * check if a non-empty certificate has been sent. */ + MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_coordinate( ssl ) ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - if (ret == SSL_CERTIFICATE_EXPECTED) - { - /* Reading step */ - if (ssl->keep_current_message == 0) { - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) - { - /* mbedtls_ssl_read_record may have sent an alert already. We - let it decide whether to alert. */ - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - goto cleanup; - } - } - else { - ssl->keep_current_message = 0; - } - - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || - ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; - goto cleanup; - } - else - { - /* Parse the certificate chain sent by the peer. */ - MBEDTLS_SSL_PROC_CHK(ssl_read_certificate_parse(ssl, ssl->in_msg, - ssl->in_hslen)); - } - - /* Validate the certificate chain and set the verification results. */ - MBEDTLS_SSL_PROC_CHK(ssl_read_certificate_validate(ssl)); - } - else -#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - if (ret == SSL_CERTIFICATE_SKIP) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); - } - else - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - - /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_read_certificate_postprocess(ssl)); + if( ret == SSL_CERTIFICATE_EXPECTED ) + { + /* Reading step */ + if( ssl->keep_current_message == 0 ) + { + if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) + { + /* mbedtls_ssl_read_record may have sent an alert already. We + let it decide whether to alert. */ + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); + goto cleanup; + } + } + else + { + ssl->keep_current_message = 0; + } + + if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || + ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); + ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + goto cleanup; + } + else + { + /* Parse the certificate chain sent by the peer. */ + MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_parse( ssl, ssl->in_msg, + ssl->in_hslen ) ); + } + + /* Validate the certificate chain and set the verification results. */ + MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_validate( ssl ) ); + } + else +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ + if( ret == SSL_CERTIFICATE_SKIP ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_read_certificate_postprocess( ssl ) ); cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); + return( ret ); } -static int ssl_read_certificate_coordinate(mbedtls_ssl_context* ssl) +static int ssl_read_certificate_coordinate( mbedtls_ssl_context* ssl ) { - int authmode = ssl->conf->authmode; + int authmode = ssl->conf->authmode; - if (ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) - { - return(SSL_CERTIFICATE_SKIP); - } + if( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || + ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + { + return( SSL_CERTIFICATE_SKIP ); + } #if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - ((void)authmode); - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + ( (void)authmode ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #else #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { - /* If SNI was used, overwrite authentication mode - * from the configuration. */ + /* If SNI was used, overwrite authentication mode + * from the configuration. */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) - authmode = ssl->handshake->sni_authmode; + if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) + authmode = ssl->handshake->sni_authmode; #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - if (authmode == MBEDTLS_SSL_VERIFY_NONE) - { - /* NOTE: Is it intentional that we set verify_result - * to SKIP_VERIFY on server-side only? */ - ssl->session_negotiate->verify_result = - MBEDTLS_X509_BADCERT_SKIP_VERIFY; - return(SSL_CERTIFICATE_SKIP); - } - } + if( authmode == MBEDTLS_SSL_VERIFY_NONE ) + { + /* NOTE: Is it intentional that we set verify_result + * to SKIP_VERIFY on server-side only? */ + ssl->session_negotiate->verify_result = + MBEDTLS_X509_BADCERT_SKIP_VERIFY; + return( SSL_CERTIFICATE_SKIP ); + } + } #endif /* MBEDTLS_SSL_SRV_C */ - return(SSL_CERTIFICATE_EXPECTED); + return( SSL_CERTIFICATE_EXPECTED ); #endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ } #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) /* Write certificate message based on the configured certificate */ -static int ssl_read_certificate_parse(mbedtls_ssl_context* ssl, - unsigned char const* buf, - size_t buflen) +static int ssl_read_certificate_parse( mbedtls_ssl_context* ssl, + unsigned char const* buf, + size_t buflen ) { - int ret; - size_t i, n, certificate_request_context_len; - int authmode = ssl->conf->authmode; + int ret; + size_t i, n, certificate_request_context_len; + int authmode = ssl->conf->authmode; #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { - // read certificate request context length - certificate_request_context_len = (size_t) * (buf + mbedtls_ssl_hs_hdr_len(ssl)); - - // verify message length - if (buflen < 3 + certificate_request_context_len + 1 + mbedtls_ssl_hs_hdr_len(ssl)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE); - } - - // check whether we got an empty certificate message - if (memcmp(buf + 1 + certificate_request_context_len + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("client has no certificate - empty certificate message received")); - - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) - return(0); - else - return(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE); - } - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + /* read certificate request context length */ + certificate_request_context_len = (size_t) * ( buf + mbedtls_ssl_hs_hdr_len( ssl ) ); + + /* verify message length */ + if( buflen < 3 + certificate_request_context_len + 1 + mbedtls_ssl_hs_hdr_len( ssl ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); + } + + /* check whether we got an empty certificate message */ + if( memcmp( buf + 1 + certificate_request_context_len + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "client has no certificate - empty certificate message received" ) ); + + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; + if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) + return( 0 ); + else + return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + } + } #endif /* MBEDTLS_SSL_SRV_C */ - if (buflen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE); - } + if( buflen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); + } - i = mbedtls_ssl_hs_hdr_len(ssl); + i = mbedtls_ssl_hs_hdr_len( ssl ); - // length information of certificate_request_context - certificate_request_context_len = buf[i + 1]; + /* length information of certificate_request_context */ + certificate_request_context_len = buf[i + 1]; - // skip certificate_request_context - i += certificate_request_context_len + 1; + /* skip certificate_request_context */ + i += certificate_request_context_len + 1; - n = (buf[i + 1] << 8) | buf[i + 2]; + n = ( buf[i + 1] << 8 ) | buf[i + 2]; - if (buf[i] != 0 || - buflen != (n + 3 + certificate_request_context_len + 1 + mbedtls_ssl_hs_hdr_len(ssl))) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE); - } + if( buf[i] != 0 || + buflen != ( n + 3 + certificate_request_context_len + 1 + mbedtls_ssl_hs_hdr_len( ssl ) ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); + } - /* In case we tried to reuse a session but it failed */ - if (ssl->session_negotiate->peer_cert != NULL) - { - mbedtls_x509_crt_free(ssl->session_negotiate->peer_cert); - mbedtls_free(ssl->session_negotiate->peer_cert); - } + /* In case we tried to reuse a session but it failed */ + if( ssl->session_negotiate->peer_cert != NULL ) + { + mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); + mbedtls_free( ssl->session_negotiate->peer_cert ); + } - if ((ssl->session_negotiate->peer_cert = mbedtls_calloc(1, - sizeof(mbedtls_x509_crt))) == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed", - sizeof(mbedtls_x509_crt))); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } + if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1, + sizeof( mbedtls_x509_crt ) ) ) == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %d bytes ) failed", + sizeof( mbedtls_x509_crt ) ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } - mbedtls_x509_crt_init(ssl->session_negotiate->peer_cert); + mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); - i += 3; + i += 3; - while (i < buflen) - { - if (buf[i] != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE); - } - - n = ((unsigned int)buf[i + 1] << 8) - | (unsigned int)buf[i + 2]; - i += 3; - - if (n < 128 || i + n > buflen) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE); - } - - ret = mbedtls_x509_crt_parse_der(ssl->session_negotiate->peer_cert, - buf + i, n); - - switch (ret) - { - case 0: /*ok*/ - case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: - /* Ignore certificate with an unknown algorithm: maybe a - prior certificate was already trusted. */ - break; - - case MBEDTLS_ERR_X509_ALLOC_FAILED: - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); - MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); - return(ret); - - case MBEDTLS_ERR_X509_UNKNOWN_VERSION: - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); - MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); - return(ret); - - default: - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT); - MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); - return(ret); - } - - i += n; - - // length information of certificate extensions - n = (buf[i] << 8) | buf[i + 1]; - - // we ignore the certificate extension right now - i += 2 + n; - } - - MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", ssl->session_negotiate->peer_cert); - - return(0); + while ( i < buflen ) + { + if( buf[i] != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); + } + + n = ( (unsigned int)buf[i + 1] << 8 ) + | (unsigned int)buf[i + 2]; + i += 3; + + if( n < 128 || i + n > buflen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); + } + + ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, + buf + i, n ); + + switch ( ret ) + { + case 0: /*ok*/ + case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: + /* Ignore certificate with an unknown algorithm: maybe a + prior certificate was already trusted. */ + break; + + case MBEDTLS_ERR_X509_ALLOC_FAILED: + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); + return( ret ); + + case MBEDTLS_ERR_X509_UNKNOWN_VERSION: + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT ); + MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); + return( ret ); + + default: + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT ); + MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); + return( ret ); + } + + i += n; + + /* length information of certificate extensions */ + n = ( buf[i] << 8 ) | buf[i + 1]; + + /* we ignore the certificate extension right now */ + i += 2 + n; + } + + MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); + + return( 0 ); } #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_read_certificate_validate(mbedtls_ssl_context* ssl) +static int ssl_read_certificate_validate( mbedtls_ssl_context* ssl ) { - int ret = 0; - int authmode = ssl->conf->authmode; - mbedtls_x509_crt* ca_chain; - mbedtls_x509_crl* ca_crl; + int ret = 0; + int authmode = ssl->conf->authmode; + mbedtls_x509_crt* ca_chain; + mbedtls_x509_crl* ca_crl; - /* If SNI was used, overwrite authentication mode - * from the configuration. */ + /* If SNI was used, overwrite authentication mode + * from the configuration. */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) - authmode = ssl->handshake->sni_authmode; + if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) + authmode = ssl->handshake->sni_authmode; #endif - /* - * If the client hasn't sent a certificate (i.e. it sent - * an empty certificate chain), this is reflected in the peer CRT - * structure being unset. - * Check for that and handle it depending on the - * server's authentication mode. - */ + /* + * If the client hasn't sent a certificate ( i.e. it sent + * an empty certificate chain ), this is reflected in the peer CRT + * structure being unset. + * Check for that and handle it depending on the + * server's authentication mode. + */ #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - ssl->session_negotiate->peer_cert == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("client has no certificate")); - - /* The client was asked for a certificate but didn't send - one. The client should know what's going on, so we - don't send an alert. */ - - /* Note that for authmode == VERIFY_NONE we don't end up in this - * routine in the first place, because ssl_read_certificate_coordinate - * will return CERTIFICATE_SKIP. */ - ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) - return(0); - else - return(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE); - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + ssl->session_negotiate->peer_cert == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "client has no certificate" ) ); + + /* The client was asked for a certificate but didn't send + one. The client should know what's going on, so we + don't send an alert. */ + + /* Note that for authmode == VERIFY_NONE we don't end up in this + * routine in the first place, because ssl_read_certificate_coordinate + * will return CERTIFICATE_SKIP. */ + ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; + if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) + return( 0 ); + else + return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + } #endif /* MBEDTLS_SSL_SRV_C */ - if (authmode == MBEDTLS_SSL_VERIFY_NONE) - { - /* NOTE: This happens on client-side only, with the - * server-side case of VERIFY_NONE being handled earlier - * and leading to `ssl->verify_result` being set to - * MBEDTLS_X509_BADCERT_SKIP_VERIFY -- - * is this difference intentional? */ - return(0); - } + if( authmode == MBEDTLS_SSL_VERIFY_NONE ) + { + /* NOTE: This happens on client-side only, with the + * server-side case of VERIFY_NONE being handled earlier + * and leading to `ssl->verify_result` being set to + * MBEDTLS_X509_BADCERT_SKIP_VERIFY -- + * is this difference intentional? */ + return( 0 ); + } #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->sni_ca_chain != NULL) - { - ca_chain = ssl->handshake->sni_ca_chain; - ca_crl = ssl->handshake->sni_ca_crl; - } - else + if( ssl->handshake->sni_ca_chain != NULL ) + { + ca_chain = ssl->handshake->sni_ca_chain; + ca_crl = ssl->handshake->sni_ca_crl; + } + else #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - { - ca_chain = ssl->conf->ca_chain; - ca_crl = ssl->conf->ca_crl; - } + { + ca_chain = ssl->conf->ca_chain; + ca_crl = ssl->conf->ca_crl; + } - /* - * Main check: verify certificate - */ - ret = mbedtls_x509_crt_verify_with_profile( - ssl->session_negotiate->peer_cert, - ca_chain, ca_crl, - ssl->conf->cert_profile, - ssl->hostname, - &ssl->session_negotiate->verify_result, - ssl->conf->f_vrfy, ssl->conf->p_vrfy); - - if (ret != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); - } + /* + * Main check: verify certificate + */ + ret = mbedtls_x509_crt_verify_with_profile( + ssl->session_negotiate->peer_cert, + ca_chain, ca_crl, + ssl->conf->cert_profile, + ssl->hostname, + &ssl->session_negotiate->verify_result, + ssl->conf->f_vrfy, ssl->conf->p_vrfy ); + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); + } - /* - * Secondary checks: always done, but change 'ret' only if it was 0 - */ + /* + * Secondary checks: always done, but change 'ret' only if it was 0 + */ #if defined(MBEDTLS_ECP_C) - { - const mbedtls_pk_context* pk = &ssl->session_negotiate->peer_cert->pk; - - /* If certificate uses an EC key, make sure the curve is OK */ - if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY) && - mbedtls_ssl_check_curve(ssl, mbedtls_pk_ec(*pk)->grp.id) != 0) - { - ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; - - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); - if (ret == 0) - ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; - } - } + { + const mbedtls_pk_context* pk = &ssl->session_negotiate->peer_cert->pk; + + /* If certificate uses an EC key, make sure the curve is OK */ + if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && + mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 ) + { + ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) ); + if( ret == 0 ) + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; + } + } #endif /* MBEDTLS_ECP_C */ - if (mbedtls_ssl_check_cert_usage(ssl->session_negotiate->peer_cert, - ssl->session_negotiate->key_exchange,// ciphersuite_info, - !ssl->conf->endpoint, - &ssl->session_negotiate->verify_result) != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); - if (ret == 0) - ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; - } + if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, + ssl->session_negotiate->key_exchange,/* ciphersuite_info, */ + !ssl->conf->endpoint, + &ssl->session_negotiate->verify_result ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) ); + if( ret == 0 ) + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; + } - /* mbedtls_x509_crt_verify_with_profile is supposed to report a - * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, - * with details encoded in the verification flags. All other kinds - * of error codes, including those from the user provided f_vrfy - * functions, are treated as fatal and lead to a failure of - * ssl_parse_certificate even if verification was optional. */ - if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && - (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || - ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE)) - { - ret = 0; - } + /* mbedtls_x509_crt_verify_with_profile is supposed to report a + * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, + * with details encoded in the verification flags. All other kinds + * of error codes, including those from the user provided f_vrfy + * functions, are treated as fatal and lead to a failure of + * ssl_parse_certificate even if verification was optional. */ + if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && + ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || + ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) ) + { + ret = 0; + } - if (ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); - ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; - } + if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); + ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; + } - if (ret != 0) - { - /* The certificate may have been rejected for several reasons. - Pick one and send the corresponding alert. Which alert to send - may be a subject of debate in some cases. */ - if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED); - else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA); - else - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN); - } + if( ret != 0 ) + { + /* The certificate may have been rejected for several reasons. + Pick one and send the corresponding alert. Which alert to send + may be a subject of debate in some cases. */ + if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED ); + else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA ); + else + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN ); + } #if defined(MBEDTLS_DEBUG_C) - if (ssl->session_negotiate->verify_result != 0) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %x", - ssl->session_negotiate->verify_result)); - } - else - { - MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); - } + if( ssl->session_negotiate->verify_result != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x", + ssl->session_negotiate->verify_result ) ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); + } #endif /* MBEDTLS_DEBUG_C */ - return(ret); + return( ret ); } #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_read_certificate_postprocess(mbedtls_ssl_context* ssl) +static int ssl_read_certificate_postprocess( mbedtls_ssl_context* ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_CERTIFICATE, MBEDTLS_SSL_ACK_RECORDS_RECEIVED); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_CERTIFICATE, MBEDTLS_SSL_ACK_RECORDS_RECEIVED ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY); - - /* - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_parse_certificate", ret); - switch (ret) { - case MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_BAD_CERT); - break; - case MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); - break; - case MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_CERT_REQUIRED); - break; - case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA); - break; - default: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); - } - return (ret); - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY ); + + /* + if( ret != 0 ) { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_parse_certificate", ret ); + switch ( ret ) { + case MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_BAD_CERT ); + break; + case MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); + break; + case MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_CERT_REQUIRED ); + break; + case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA ); + break; + default: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT ); + } + return ( ret ); + } */ } else #endif /* MBEDTLS_SSL_SRV_C */ { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY ); } - return(0); + return( 0 ); } /* Generate resumption_master_secret for use with the ticket exchange. */ -int mbedtls_ssl_generate_resumption_master_secret(mbedtls_ssl_context *ssl) { - int ret = 0; +int mbedtls_ssl_generate_resumption_master_secret( mbedtls_ssl_context *ssl ) { + int ret = 0; #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - const mbedtls_md_info_t *md_info; - const mbedtls_ssl_ciphersuite_t *suite_info; - mbedtls_ssl_transform *transform = ssl->transform_negotiate; - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; + const mbedtls_md_info_t *md_info; + const mbedtls_ssl_ciphersuite_t *suite_info; + mbedtls_ssl_transform *transform = ssl->transform_negotiate; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; + mbedtls_sha256_context sha256; #endif #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; + mbedtls_sha512_context sha512; #endif - md_info = mbedtls_md_info_from_type(transform->ciphersuite_info->mac); - if (md_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %d not found", - transform->ciphersuite_info->mac)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); + if( md_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", + transform->ciphersuite_info->mac ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - suite_info = mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); - if (suite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_ciphersuite_from_id in mbedtls_ssl_derive_traffic_keys failed")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); + if( suite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_ciphersuite_from_id in mbedtls_ssl_derive_traffic_keys failed" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } #if defined(MBEDTLS_SHA256_C) - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 32) { - mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); - mbedtls_sha256_finish(&sha256, hash); - } - else + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 32 ) + { + mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); + mbedtls_sha256_finish( &sha256, hash ); + } + else #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 48) { - mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - mbedtls_sha512_finish(&sha512, hash); - } - else + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 48 ) + { + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + mbedtls_sha512_finish( &sha512, hash ); + } + else #endif /* MBEDTLS_SHA512_C */ - { - MBEDTLS_SSL_DEBUG_MSG(2, ("Unsupported hash function in mbedtls_ssl_derive_traffic_keys")); - return (MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - - /* - * Compute resumption_master_secret with - * DeriveSecret(Master Secret, "res master", ClientHello...client Finished - */ + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "Unsupported hash function in mbedtls_ssl_derive_traffic_keys" ) ); + return ( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - ret = Derive_Secret(ssl, mbedtls_md_get_type(md_info), - ssl->handshake->master_secret, mbedtls_hash_size_for_ciphersuite(suite_info), - (const unsigned char*)"res master", strlen("res master"), - hash, mbedtls_hash_size_for_ciphersuite(suite_info), - ssl->session_negotiate->resumption_master_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); + /* + * Compute resumption_master_secret with + * DeriveSecret( Master Secret, "res master", ClientHello...client Finished + */ - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret() with resumption_master_secret: Error", ret); - return ret; - } + ret = Derive_Secret( ssl, mbedtls_md_get_type( md_info ), + ssl->handshake->master_secret, mbedtls_hash_size_for_ciphersuite( suite_info ), + ( const unsigned char* )"res master", strlen( "res master" ), + hash, mbedtls_hash_size_for_ciphersuite( suite_info ), + ssl->session_negotiate->resumption_master_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret( ) with resumption_master_secret: Error", ret ); + return ret; + } - MBEDTLS_SSL_DEBUG_BUF(5, "resumption_master_secret", ssl->session_negotiate->resumption_master_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); + MBEDTLS_SSL_DEBUG_BUF( 5, "resumption_master_secret", ssl->session_negotiate->resumption_master_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ - return ret; + return ret; } /* Generate application traffic keys since any records following a 1-RTT Finished message * MUST be encrypted under the application traffic key. */ -int mbedtls_ssl_generate_application_traffic_keys(mbedtls_ssl_context *ssl, KeySet *traffic_keys) { - int ret; - const mbedtls_md_info_t *md_info; - const mbedtls_ssl_ciphersuite_t *suite_info; - const mbedtls_cipher_info_t *cipher_info; - mbedtls_ssl_transform *transform = ssl->transform_negotiate; +int mbedtls_ssl_generate_application_traffic_keys( mbedtls_ssl_context *ssl, KeySet *traffic_keys ) { + int ret; + const mbedtls_md_info_t *md_info; + const mbedtls_ssl_ciphersuite_t *suite_info; + const mbedtls_cipher_info_t *cipher_info; + mbedtls_ssl_transform *transform = ssl->transform_negotiate; - unsigned char padbuf[MBEDTLS_MD_MAX_SIZE]; + unsigned char padbuf[MBEDTLS_MD_MAX_SIZE]; #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; + mbedtls_sha256_context sha256; #endif #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; + mbedtls_sha512_context sha512; #endif - MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive application traffic keys")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) ); - cipher_info = mbedtls_cipher_info_from_type(transform->ciphersuite_info->cipher); - if (cipher_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %d not found", - transform->ciphersuite_info->cipher)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); + if( cipher_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", + transform->ciphersuite_info->cipher ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - md_info = mbedtls_md_info_from_type(transform->ciphersuite_info->mac); - if (md_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %d not found", - transform->ciphersuite_info->mac)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); + if( md_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", + transform->ciphersuite_info->mac ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - suite_info = mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); - if (suite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_ciphersuite_from_id in mbedtls_ssl_derive_traffic_keys failed")); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO); - } + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); + if( suite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_ciphersuite_from_id in mbedtls_ssl_derive_traffic_keys failed" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); + } - /* - * Determine the appropriate key, IV and MAC length. - */ + /* + * Determine the appropriate key, IV and MAC length. + */ - /* Settings for GCM, CCM, and CCM_8 */ - transform->maclen = 0; - transform->fixed_ivlen = 4; - transform->ivlen = cipher_info->iv_size; - transform->keylen = cipher_info->key_bitlen / 8; + /* Settings for GCM, CCM, and CCM_8 */ + transform->maclen = 0; + transform->fixed_ivlen = 4; + transform->ivlen = cipher_info->iv_size; + transform->keylen = cipher_info->key_bitlen / 8; - /* Minimum length for an encrypted handshake message is - * - Handshake header - * - 1 byte for handshake type appended to the end of the message - * - Authentication tag (which depends on the mode of operation) - */ - if (transform->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8) transform->minlen = 8; - else transform->minlen = 16; + /* Minimum length for an encrypted handshake message is + * - Handshake header + * - 1 byte for handshake type appended to the end of the message + * - Authentication tag ( which depends on the mode of operation ) + */ + if( transform->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8 ) transform->minlen = 8; + else transform->minlen = 16; - // TBD: Temporarily changed to test encrypted alert messages -// transform->minlen += mbedtls_ssl_hs_hdr_len(ssl); + /* TBD: Temporarily changed to test encrypted alert messages */ +/* transform->minlen += mbedtls_ssl_hs_hdr_len( ssl ); */ - transform->minlen += 1; + transform->minlen += 1; - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 32) { + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 32 ) + { #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_init(&sha256); - mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); - mbedtls_sha256_finish(&sha256, padbuf); + mbedtls_sha256_init( &sha256 ); + mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); + mbedtls_sha256_finish( &sha256, padbuf ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("MBEDTLS_SHA256_C not set but ciphersuite with SHA256 negotiated")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "MBEDTLS_SHA256_C not set but ciphersuite with SHA256 negotiated" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } + } - if (mbedtls_hash_size_for_ciphersuite(suite_info) == 48) { + if( mbedtls_hash_size_for_ciphersuite( suite_info ) == 48 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 1 /* = use SHA384 */); - mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - mbedtls_sha512_finish(&sha512, padbuf); + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 1 /* = use SHA384 */ ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + mbedtls_sha512_finish( &sha512, padbuf ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("MBEDTLS_SHA512_C not set but ciphersuite with SHA384 negotiated")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "MBEDTLS_SHA512_C not set but ciphersuite with SHA384 negotiated" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } + } - /* Generate client_application_traffic_secret_0 - * - * Master Secret - * | - * +-----> Derive-Secret(., "c ap traffic", - * | ClientHello...server Finished) - * | = client_application_traffic_secret_0 - */ - - ret = Derive_Secret(ssl, mbedtls_md_get_type(md_info), - ssl->handshake->master_secret, mbedtls_hash_size_for_ciphersuite(suite_info), - (const unsigned char*)"c ap traffic", strlen("c ap traffic"), - padbuf, mbedtls_hash_size_for_ciphersuite(suite_info), - ssl->handshake->client_traffic_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret() with client_traffic_secret_0: Error", ret); - return ret; - } + /* Generate client_application_traffic_secret_0 + * + * Master Secret + * | + * +-----> Derive-Secret( ., "c ap traffic", + * | ClientHello...server Finished ) + * | = client_application_traffic_secret_0 + */ - /* Generate server_application_traffic_secret_0 - * - * Master Secret - * | - * +---------> Derive-Secret(., "s ap traffic", - * | ClientHello...Server Finished) - * | = server_application_traffic_secret_0 - */ + ret = Derive_Secret( ssl, mbedtls_md_get_type( md_info ), + ssl->handshake->master_secret, mbedtls_hash_size_for_ciphersuite( suite_info ), + ( const unsigned char* )"c ap traffic", strlen( "c ap traffic" ), + padbuf, mbedtls_hash_size_for_ciphersuite( suite_info ), + ssl->handshake->client_traffic_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - ret = Derive_Secret(ssl, mbedtls_md_get_type(md_info), - ssl->handshake->master_secret, mbedtls_hash_size_for_ciphersuite(suite_info), - (const unsigned char*)"s ap traffic", strlen("s ap traffic"), - padbuf, mbedtls_hash_size_for_ciphersuite(suite_info), - ssl->handshake->server_traffic_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret( ) with client_traffic_secret_0: Error", ret ); + return ret; + } - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret() with server_traffic_secret_0: Error", ret); - return ret; - } + /* Generate server_application_traffic_secret_0 + * + * Master Secret + * | + * +---------> Derive-Secret( ., "s ap traffic", + * | ClientHello...Server Finished ) + * | = server_application_traffic_secret_0 + */ - /* Generate application traffic keys since any records following a 1-RTT Finished message - * MUST be encrypted under the application traffic key. - */ + ret = Derive_Secret( ssl, mbedtls_md_get_type( md_info ), + ssl->handshake->master_secret, mbedtls_hash_size_for_ciphersuite( suite_info ), + ( const unsigned char* )"s ap traffic", strlen( "s ap traffic" ), + padbuf, mbedtls_hash_size_for_ciphersuite( suite_info ), + ssl->handshake->server_traffic_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - MBEDTLS_SSL_DEBUG_MSG(3, ("-->>Calling makeTrafficKeys() with the following parameters:")); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Hash Algorithm: %s", mbedtls_md_get_name(md_info))); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Handshake Traffic Secret Length: %d bytes", mbedtls_hash_size_for_ciphersuite(suite_info))); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Key Length: %d bytes", transform->keylen)); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- IV Length: %d bytes", transform->ivlen)); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret( ) with server_traffic_secret_0: Error", ret ); + return ret; + } - if ((ret = makeTrafficKeys(mbedtls_md_get_type(md_info), - ssl->handshake->client_traffic_secret, - ssl->handshake->server_traffic_secret, - mbedtls_hash_size_for_ciphersuite(suite_info), transform->keylen, transform->ivlen, traffic_keys)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "makeTrafficKeys failed", ret); - return(ret); - } + /* Generate application traffic keys since any records following a 1-RTT Finished message + * MUST be encrypted under the application traffic key. + */ - MBEDTLS_SSL_DEBUG_BUF(3, "Record Type = Application Data, clientWriteKey:", traffic_keys->clientWriteKey, transform->keylen); - MBEDTLS_SSL_DEBUG_BUF(3, "Record Type = Application Data, serverWriteKey:", traffic_keys->serverWriteKey, transform->keylen); - MBEDTLS_SSL_DEBUG_BUF(3, "Record Type = Application Data, clientWriteIV:", traffic_keys->clientWriteIV, transform->ivlen); - MBEDTLS_SSL_DEBUG_BUF(3, "Record Type = Application Data, serverWriteIV:", traffic_keys->serverWriteIV, transform->ivlen); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-->>Calling makeTrafficKeys( ) with the following parameters:" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Hash Algorithm: %s", mbedtls_md_get_name( md_info ) ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Handshake Traffic Secret Length: %d bytes", mbedtls_hash_size_for_ciphersuite( suite_info ) ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Key Length: %d bytes", transform->keylen ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- IV Length: %d bytes", transform->ivlen ) ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive application traffic keys")); + if( ( ret = makeTrafficKeys( mbedtls_md_get_type( md_info ), + ssl->handshake->client_traffic_secret, + ssl->handshake->server_traffic_secret, + mbedtls_hash_size_for_ciphersuite( suite_info ), transform->keylen, transform->ivlen, traffic_keys ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "makeTrafficKeys failed", ret ); + return( ret ); + } - return(0); + MBEDTLS_SSL_DEBUG_BUF( 3, "Record Type = Application Data, clientWriteKey:", traffic_keys->clientWriteKey, transform->keylen ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Record Type = Application Data, serverWriteKey:", traffic_keys->serverWriteKey, transform->keylen ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Record Type = Application Data, clientWriteIV:", traffic_keys->clientWriteIV, transform->ivlen ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Record Type = Application Data, serverWriteIV:", traffic_keys->serverWriteIV, transform->ivlen ); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) ); + + return( 0 ); } -/* mbedtls_set_traffic_key() activates keys and IVs for +/* mbedtls_set_traffic_key( ) activates keys and IVs for * the negotiated ciphersuite for use with encryption/decryption. * The sequence numbers are also set to zero. * @@ -3007,410 +3081,421 @@ int mbedtls_ssl_generate_application_traffic_keys(mbedtls_ssl_context *ssl, KeyS * - Do not backup keys -- use 1 * - Backup keys -- use 0 */ -int mbedtls_set_traffic_key(mbedtls_ssl_context *ssl, KeySet *traffic_keys, mbedtls_ssl_transform *transform, int mode) { - mbedtls_cipher_info_t const *cipher_info; - int ret; - unsigned char *key1; - unsigned char *key2; - size_t out_cid_len; - size_t in_cid_len; +int mbedtls_set_traffic_key( mbedtls_ssl_context *ssl, KeySet *traffic_keys, mbedtls_ssl_transform *transform, int mode ) { + mbedtls_cipher_info_t const *cipher_info; + int ret; + unsigned char *key1; + unsigned char *key2; + size_t out_cid_len; + size_t in_cid_len; #if defined(MBEDTLS_SSL_PROTO_DTLS) - unsigned char *temp; + unsigned char *temp; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if (transform == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("transform == NULL")); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + if( transform == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "transform == NULL" ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - if (traffic_keys == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("traffic_keys == NULL")); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + if( traffic_keys == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "traffic_keys == NULL" ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - if (transform->ciphersuite_info == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("transform->ciphersuite_info == NULL")); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + if( transform->ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "transform->ciphersuite_info == NULL" ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - cipher_info = mbedtls_cipher_info_from_type(transform->ciphersuite_info->cipher); - if (cipher_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %d not found", - transform->ciphersuite_info->cipher)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); + if( cipher_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", + transform->ciphersuite_info->cipher ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, - cipher_info)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); - return(ret); - } + if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, + cipher_info ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); + return( ret ); + } - if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, - cipher_info)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); - return(ret); - } + if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, + cipher_info ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); + return( ret ); + } - if (mode == 0) { - // Copy current traffic_key structure to previous - transform->traffic_keys_previous.clientWriteIV = transform->traffic_keys.clientWriteIV; - transform->traffic_keys_previous.clientWriteKey = transform->traffic_keys.clientWriteKey; + if( mode == 0 ) + { + /* Copy current traffic_key structure to previous */ + transform->traffic_keys_previous.clientWriteIV = transform->traffic_keys.clientWriteIV; + transform->traffic_keys_previous.clientWriteKey = transform->traffic_keys.clientWriteKey; #if defined(MBEDTLS_SSL_PROTO_DTLS) - transform->traffic_keys_previous.epoch = transform->traffic_keys.epoch; + transform->traffic_keys_previous.epoch = transform->traffic_keys.epoch; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - transform->traffic_keys_previous.ivLen = transform->traffic_keys.ivLen; - transform->traffic_keys_previous.keyLen = transform->traffic_keys.keyLen; - transform->traffic_keys_previous.serverWriteIV = transform->traffic_keys.serverWriteIV; - transform->traffic_keys_previous.serverWriteKey = transform->traffic_keys.serverWriteKey; - memcpy(transform->traffic_keys_previous.iv, transform->traffic_keys.iv, transform->ivlen); + transform->traffic_keys_previous.ivLen = transform->traffic_keys.ivLen; + transform->traffic_keys_previous.keyLen = transform->traffic_keys.keyLen; + transform->traffic_keys_previous.serverWriteIV = transform->traffic_keys.serverWriteIV; + transform->traffic_keys_previous.serverWriteKey = transform->traffic_keys.serverWriteKey; + memcpy( transform->traffic_keys_previous.iv, transform->traffic_keys.iv, transform->ivlen ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - transform->traffic_keys_previous.client_sn_key = transform->traffic_keys.client_sn_key; - transform->traffic_keys_previous.server_sn_key = transform->traffic_keys.server_sn_key; + transform->traffic_keys_previous.client_sn_key = transform->traffic_keys.client_sn_key; + transform->traffic_keys_previous.server_sn_key = transform->traffic_keys.server_sn_key; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - // Store current traffic_key structure - transform->traffic_keys.clientWriteIV = traffic_keys->clientWriteIV; - transform->traffic_keys.clientWriteKey = traffic_keys->clientWriteKey; + /* Store current traffic_key structure */ + transform->traffic_keys.clientWriteIV = traffic_keys->clientWriteIV; + transform->traffic_keys.clientWriteKey = traffic_keys->clientWriteKey; #if defined(MBEDTLS_SSL_PROTO_DTLS) - transform->traffic_keys.epoch = traffic_keys->epoch; + transform->traffic_keys.epoch = traffic_keys->epoch; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - transform->traffic_keys.ivLen = traffic_keys->ivLen; - transform->traffic_keys.keyLen = traffic_keys->keyLen; - transform->traffic_keys.serverWriteIV = traffic_keys->serverWriteIV; - transform->traffic_keys.serverWriteKey = traffic_keys->serverWriteKey; + transform->traffic_keys.ivLen = traffic_keys->ivLen; + transform->traffic_keys.keyLen = traffic_keys->keyLen; + transform->traffic_keys.serverWriteIV = traffic_keys->serverWriteIV; + transform->traffic_keys.serverWriteKey = traffic_keys->serverWriteKey; #if defined(MBEDTLS_SSL_PROTO_DTLS) - transform->traffic_keys.client_sn_key = traffic_keys->client_sn_key; - transform->traffic_keys.server_sn_key = traffic_keys->server_sn_key; + transform->traffic_keys.client_sn_key = traffic_keys->client_sn_key; + transform->traffic_keys.server_sn_key = traffic_keys->server_sn_key; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - } + } #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { - key1 = traffic_keys->serverWriteKey; // encryption key for the server - key2 = traffic_keys->clientWriteKey; // decryption key for the server + key1 = traffic_keys->serverWriteKey; /* encryption key for the server */ + key2 = traffic_keys->clientWriteKey; /* decryption key for the server */ - transform->iv_enc = traffic_keys->serverWriteIV; - transform->iv_dec = traffic_keys->clientWriteIV; - // Restore the most recent nonce - if (mode == 1) { - memcpy(transform->iv_dec, transform->traffic_keys_previous.clientWriteIV, transform->ivlen); - } + transform->iv_enc = traffic_keys->serverWriteIV; + transform->iv_dec = traffic_keys->clientWriteIV; + /* Restore the most recent nonce */ + if( mode == 1 ) + { + memcpy( transform->iv_dec, transform->traffic_keys_previous.clientWriteIV, transform->ivlen ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* Reverse the keys for server */ - temp = transform->traffic_keys.client_sn_key; - transform->traffic_keys.client_sn_key = transform->traffic_keys.server_sn_key; - transform->traffic_keys.server_sn_key = temp; + /* Reverse the keys for server */ + temp = transform->traffic_keys.client_sn_key; + transform->traffic_keys.client_sn_key = transform->traffic_keys.server_sn_key; + transform->traffic_keys.server_sn_key = temp; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - } + } #endif /* MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { - key1 = traffic_keys->clientWriteKey; // encryption key for the client - key2 = traffic_keys->serverWriteKey; // decryption key for the client + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + key1 = traffic_keys->clientWriteKey; /* encryption key for the client */ + key2 = traffic_keys->serverWriteKey; /* decryption key for the client */ - transform->iv_enc = traffic_keys->clientWriteIV; - transform->iv_dec = traffic_keys->serverWriteIV; - // Restore the most recent nonce - if (mode == 1) { - memcpy(transform->iv_dec, transform->traffic_keys_previous.serverWriteIV, transform->ivlen); - } + transform->iv_enc = traffic_keys->clientWriteIV; + transform->iv_dec = traffic_keys->serverWriteIV; + /* Restore the most recent nonce */ + if( mode == 1 ) + { + memcpy( transform->iv_dec, transform->traffic_keys_previous.serverWriteIV, transform->ivlen ); + } - } + } #endif /* MBEDTLS_SSL_CLI_C */ - if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1, - cipher_info->key_bitlen, - MBEDTLS_ENCRYPT)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); - return(ret); - } + if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, + cipher_info->key_bitlen, + MBEDTLS_ENCRYPT ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); + return( ret ); + } - if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2, - cipher_info->key_bitlen, - MBEDTLS_DECRYPT)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); - return(ret); - } + if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, + cipher_info->key_bitlen, + MBEDTLS_DECRYPT ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); + return( ret ); + } -// memset(ssl->transform_in->sequence_number_dec, 0x0, 12); -// memset(ssl->transform_out->sequence_number_enc, 0x0, 12); - memset(transform->sequence_number_dec, 0x0, 12); - memset(transform->sequence_number_enc, 0x0, 12); +/* memset( ssl->transform_in->sequence_number_dec, 0x0, 12 ); */ +/* memset( ssl->transform_out->sequence_number_enc, 0x0, 12 ); */ + memset( transform->sequence_number_dec, 0x0, 12 ); + memset( transform->sequence_number_enc, 0x0, 12 ); - /* In case we negotiated the use of CIDs then we need to - * adjust the pointers to various header fields. If we - * did not negotiate the use of a CID or our peer requested - * us not to add a CID value to the record header then the - * out_cid_len or in_cid_len will be zero. - */ + /* In case we negotiated the use of CIDs then we need to + * adjust the pointers to various header fields. If we + * did not negotiate the use of a CID or our peer requested + * us not to add a CID value to the record header then the + * out_cid_len or in_cid_len will be zero. + */ #if defined(MBEDTLS_CID) && defined(MBEDTLS_SSL_PROTO_DTLS) - out_cid_len = ssl->out_cid_len; + out_cid_len = ssl->out_cid_len; #else - out_cid_len = 0; + out_cid_len = 0; #endif /* MBEDTLS_CID && MBEDTLS_SSL_PROTO_DTLS */ - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - ssl->out_hdr = ssl->out_buf; - ssl->out_ctr = ssl->out_buf + 1 + out_cid_len; - ssl->out_len = ssl->out_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, transform) - 2; - ssl->out_iv = ssl->out_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, transform); - /* ssl->out_msg = ssl->out_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT) + ssl->transform_negotiate->ivlen - - ssl->transform_negotiate->fixed_ivlen; */ - ssl->out_msg = ssl->out_iv; - } + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl->out_hdr = ssl->out_buf; + ssl->out_ctr = ssl->out_buf + 1 + out_cid_len; + ssl->out_len = ssl->out_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, transform ) - 2; + ssl->out_iv = ssl->out_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, transform ); + /* ssl->out_msg = ssl->out_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT ) + ssl->transform_negotiate->ivlen - + ssl->transform_negotiate->fixed_ivlen; */ + ssl->out_msg = ssl->out_iv; + } #if defined(MBEDTLS_CID) && defined(MBEDTLS_SSL_PROTO_DTLS) - in_cid_len = ssl->in_cid_len; + in_cid_len = ssl->in_cid_len; #else - in_cid_len = 0; + in_cid_len = 0; #endif /* MBEDTLS_CID && MBEDTLS_SSL_PROTO_DTLS */ - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - ssl->in_hdr = ssl->in_buf; - ssl->in_ctr = ssl->in_buf + 1 + in_cid_len; - ssl->in_len = ssl->in_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, transform) - 2; - ssl->in_iv = ssl->in_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, transform); - /* ssl->in_msg = ssl->in_buf + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT) + ssl->transform_negotiate->ivlen - - ssl->transform_negotiate->fixed_ivlen; */ - ssl->in_msg = ssl->in_iv; - } + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl->in_hdr = ssl->in_buf; + ssl->in_ctr = ssl->in_buf + 1 + in_cid_len; + ssl->in_len = ssl->in_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, transform ) - 2; + ssl->in_iv = ssl->in_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, transform ); + /* ssl->in_msg = ssl->in_buf + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT ) + ssl->transform_negotiate->ivlen - + ssl->transform_negotiate->fixed_ivlen; */ + ssl->in_msg = ssl->in_iv; + } - return (0); + return ( 0 ); } #if defined(MBEDTLS_ZERO_RTT) /* Early Data Key Derivation for TLS 1.3 -* -* Three tasks: -* - Switch transform -* - Generate client_early_traffic_secret -* - Generate traffic key material -*/ -int mbedtls_ssl_early_data_key_derivation(mbedtls_ssl_context *ssl, KeySet *traffic_keys) + * + * Three tasks: + * - Switch transform + * - Generate client_early_traffic_secret + * - Generate traffic key material + */ +int mbedtls_ssl_early_data_key_derivation( mbedtls_ssl_context *ssl, KeySet *traffic_keys ) { - int ret; - int hash_length; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - const mbedtls_cipher_info_t *cipher_info; - const mbedtls_md_info_t *md; - unsigned char padbuf[MBEDTLS_MD_MAX_SIZE]; - mbedtls_ssl_transform *transform; + int ret; + int hash_length; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + const mbedtls_cipher_info_t *cipher_info; + const mbedtls_md_info_t *md; + unsigned char padbuf[MBEDTLS_MD_MAX_SIZE]; + mbedtls_ssl_transform *transform; #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; + mbedtls_sha256_context sha256; #endif #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; + mbedtls_sha512_context sha512; #endif - MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_early_data_key_derivation")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_early_data_key_derivation" ) ); - // sanity checks - if (ssl->transform_negotiate == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("transform_negotiate == NULL, mbedtls_ssl_early_data_key_derivation failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + /* sanity checks */ + if( ssl->transform_negotiate == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "transform_negotiate == NULL, mbedtls_ssl_early_data_key_derivation failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - if (ssl->transform_negotiate->ciphersuite_info == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("transform_negotiate->ciphersuite_info == NULL, mbedtls_ssl_early_data_key_derivation failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ssl->transform_negotiate->ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "transform_negotiate->ciphersuite_info == NULL, mbedtls_ssl_early_data_key_derivation failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - if (ssl->session_negotiate == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("session_negotiate == NULL, mbedtls_ssl_early_data_key_derivation failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ssl->session_negotiate == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "session_negotiate == NULL, mbedtls_ssl_early_data_key_derivation failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for inbound data")); - ssl->transform_in = ssl->transform_negotiate; - ssl->session_in = ssl->session_negotiate; - transform = ssl->transform_negotiate; - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); + ssl->transform_in = ssl->transform_negotiate; + ssl->session_in = ssl->session_negotiate; + transform = ssl->transform_negotiate; + } #endif #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data")); - ssl->transform_out = ssl->transform_negotiate; - ssl->session_out = ssl->session_negotiate; - transform = ssl->transform_negotiate; - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); + ssl->transform_out = ssl->transform_negotiate; + ssl->session_out = ssl->session_negotiate; + transform = ssl->transform_negotiate; + } #endif - ciphersuite_info = transform->ciphersuite_info; - if (ciphersuite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite_info == NULL")); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + ciphersuite_info = transform->ciphersuite_info; + if( ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite_info == NULL" ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher); - if (cipher_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %d not found", - ciphersuite_info->cipher)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); - } + cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); + if( cipher_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", + ciphersuite_info->cipher ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } - md = mbedtls_md_info_from_type(transform->ciphersuite_info->hash); - if (md == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("md == NULL, mbedtls_ssl_early_data_key_derivation failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + md = mbedtls_md_info_from_type( transform->ciphersuite_info->hash ); + if( md == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "md == NULL, mbedtls_ssl_early_data_key_derivation failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - hash_length = mbedtls_hash_size_for_ciphersuite(ciphersuite_info); + hash_length = mbedtls_hash_size_for_ciphersuite( ciphersuite_info ); - if (hash_length == -1) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite == -1, mbedtls_ssl_early_data_key_derivation failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( hash_length == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite == -1, mbedtls_ssl_early_data_key_derivation failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { - memset(transform->sequence_number_dec, 0x0, 12); /* Set sequence number to zero */ - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + memset( transform->sequence_number_dec, 0x0, 12 ); /* Set sequence number to zero */ + } #endif #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { - memset(transform->sequence_number_enc, 0x0, 12); /* Set sequence number to zero */ - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + memset( transform->sequence_number_enc, 0x0, 12 ); /* Set sequence number to zero */ + } #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - ssl_dtls_replay_reset(ssl); - } + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl_dtls_replay_reset( ssl ); + } #endif /* MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_SSL_DTLS_ANTI_REPLAY */ - if (ciphersuite_info->hash == MBEDTLS_MD_SHA256) - { + if( ciphersuite_info->hash == MBEDTLS_MD_SHA256 ) + { #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_init(&sha256); - mbedtls_sha256_starts(&sha256, 0 /* = use SHA256 */); - mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); - MBEDTLS_SSL_DEBUG_BUF(5, "finished sha256 state", (unsigned char *)sha256.state, sizeof(sha256.state)); - mbedtls_sha256_finish(&sha256, padbuf); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash", padbuf, 32); + mbedtls_sha256_init( &sha256 ); + mbedtls_sha256_starts( &sha256, 0 /* = use SHA256 */ ); + mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); + MBEDTLS_SSL_DEBUG_BUF( 5, "finished sha256 state", ( unsigned char * )sha256.state, sizeof( sha256.state ) ); + mbedtls_sha256_finish( &sha256, padbuf ); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash", padbuf, 32 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } - else if (ciphersuite_info->hash == MBEDTLS_MD_SHA384) - { + } + else if( ciphersuite_info->hash == MBEDTLS_MD_SHA384 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 1 /* = use SHA384 */); - mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - MBEDTLS_SSL_DEBUG_BUF(4, "finished sha384 state", (unsigned char *)sha512.state, 48); - mbedtls_sha512_finish(&sha512, padbuf); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash", padbuf, 48); + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 1 /* = use SHA384 */ ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha384 state", ( unsigned char * )sha512.state, 48 ); + mbedtls_sha512_finish( &sha512, padbuf ); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash", padbuf, 48 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } - else if (ciphersuite_info->hash == MBEDTLS_MD_SHA512) - { + } + else if( ciphersuite_info->hash == MBEDTLS_MD_SHA512 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 0 /* = use SHA512 */); - mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - MBEDTLS_SSL_DEBUG_BUF(4, "finished sha512 state", (unsigned char *)sha512.state, 64); - mbedtls_sha512_finish(&sha512, padbuf); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash for psk binder", padbuf, 64); - } - else - { + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 0 /* = use SHA512 */ ); + mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); + MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", ( unsigned char * )sha512.state, 64 ); + mbedtls_sha512_finish( &sha512, padbuf ); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash for psk binder", padbuf, 64 ); + } + else + { #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif - } + } - /* Create client_early_traffic_secret */ - ret = Derive_Secret(ssl, mbedtls_md_get_type(md), - ssl->handshake->early_secret, hash_length, - (const unsigned char*)"c e traffic", strlen("c e traffic"), - padbuf, hash_length, ssl->handshake->client_early_traffic_secret, hash_length); + /* Create client_early_traffic_secret */ + ret = Derive_Secret( ssl, mbedtls_md_get_type( md ), + ssl->handshake->early_secret, hash_length, + ( const unsigned char* )"c e traffic", strlen( "c e traffic" ), + padbuf, hash_length, ssl->handshake->client_early_traffic_secret, hash_length ); - MBEDTLS_SSL_DEBUG_BUF(5, "early_secret", ssl->handshake->early_secret, hash_length); - MBEDTLS_SSL_DEBUG_BUF(5, "client_early_traffic_secret", ssl->handshake->client_early_traffic_secret, hash_length); + MBEDTLS_SSL_DEBUG_BUF( 5, "early_secret", ssl->handshake->early_secret, hash_length ); + MBEDTLS_SSL_DEBUG_BUF( 5, "client_early_traffic_secret", ssl->handshake->client_early_traffic_secret, hash_length ); - MBEDTLS_SSL_DEBUG_MSG(5, ("Derive_Secret with 'c e traffic'")); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Derive_Secret with 'c e traffic'" ) ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret", ret); - return(ret); - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret", ret ); + return( ret ); + } - /* Creating the Traffic Keys */ + /* Creating the Traffic Keys */ - /* Settings for GCM, CCM, and CCM_8 */ - transform->maclen = 0; - transform->fixed_ivlen = 4; - transform->ivlen = cipher_info->iv_size; - transform->keylen = cipher_info->key_bitlen / 8; + /* Settings for GCM, CCM, and CCM_8 */ + transform->maclen = 0; + transform->fixed_ivlen = 4; + transform->ivlen = cipher_info->iv_size; + transform->keylen = cipher_info->key_bitlen / 8; - /* Minimum length for an encrypted handshake message is - * - Handshake header - * - 1 byte for handshake type appended to the end of the message - * - Authentication tag (which depends on the mode of operation) - */ - if (transform->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8) transform->minlen = 8; - else transform->minlen = 16; + /* Minimum length for an encrypted handshake message is + * - Handshake header + * - 1 byte for handshake type appended to the end of the message + * - Authentication tag ( which depends on the mode of operation ) + */ + if( transform->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8 ) transform->minlen = 8; + else transform->minlen = 16; - // TBD: Temporarily changed to test encrypted alert messages - // transform->minlen += mbedtls_ssl_hs_hdr_len(ssl); + /* TBD: Temporarily changed to test encrypted alert messages */ + /* transform->minlen += mbedtls_ssl_hs_hdr_len( ssl ); */ - transform->minlen += 1; + transform->minlen += 1; - MBEDTLS_SSL_DEBUG_MSG(3, ("-->>Calling makeTrafficKeys() with the following parameters:")); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Hash Algorithm: %s", mbedtls_md_get_name(md))); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Early Traffic Secret Length: %d bytes", mbedtls_hash_size_for_ciphersuite(ciphersuite_info))); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- Key Length: %d bytes", transform->keylen)); - MBEDTLS_SSL_DEBUG_MSG(3, ("-- IV Length: %d bytes", transform->ivlen)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-->>Calling makeTrafficKeys( ) with the following parameters:" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Hash Algorithm: %s", mbedtls_md_get_name( md ) ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Early Traffic Secret Length: %d bytes", mbedtls_hash_size_for_ciphersuite( ciphersuite_info ) ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- Key Length: %d bytes", transform->keylen ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "-- IV Length: %d bytes", transform->ivlen ) ); - if ((ret = makeTrafficKeys(mbedtls_md_get_type(md), - ssl->handshake->client_early_traffic_secret, - ssl->handshake->client_early_traffic_secret, - mbedtls_hash_size_for_ciphersuite(ciphersuite_info), - transform->keylen, transform->ivlen, traffic_keys)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "makeTrafficKeys failed", ret); - return(ret); - } + if( ( ret = makeTrafficKeys( mbedtls_md_get_type( md ), + ssl->handshake->client_early_traffic_secret, + ssl->handshake->client_early_traffic_secret, + mbedtls_hash_size_for_ciphersuite( ciphersuite_info ), + transform->keylen, transform->ivlen, traffic_keys ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "makeTrafficKeys failed", ret ); + return( ret ); + } - MBEDTLS_SSL_DEBUG_BUF(3, "[TLS 1.3, ] + handshake key expansion, clientWriteKey:", traffic_keys->clientWriteKey, transform->keylen); - MBEDTLS_SSL_DEBUG_BUF(3, "[TLS 1.3, ] + handshake key expansion, serverWriteKey:", traffic_keys->serverWriteKey, transform->keylen); - MBEDTLS_SSL_DEBUG_BUF(3, "[TLS 1.3, ] + handshake key expansion, clientWriteIV:", traffic_keys->clientWriteIV, transform->ivlen); - MBEDTLS_SSL_DEBUG_BUF(3, "[TLS 1.3, ] + handshake key expansion, serverWriteIV:", traffic_keys->serverWriteIV, transform->ivlen); + MBEDTLS_SSL_DEBUG_BUF( 3, "[TLS 1.3, ] + handshake key expansion, clientWriteKey:", traffic_keys->clientWriteKey, transform->keylen ); + MBEDTLS_SSL_DEBUG_BUF( 3, "[TLS 1.3, ] + handshake key expansion, serverWriteKey:", traffic_keys->serverWriteKey, transform->keylen ); + MBEDTLS_SSL_DEBUG_BUF( 3, "[TLS 1.3, ] + handshake key expansion, clientWriteIV:", traffic_keys->clientWriteIV, transform->ivlen ); + MBEDTLS_SSL_DEBUG_BUF( 3, "[TLS 1.3, ] + handshake key expansion, serverWriteIV:", traffic_keys->serverWriteIV, transform->ivlen ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_early_data_key_derivation")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_early_data_key_derivation" ) ); - return(0); + return( 0 ); } #endif /* MBEDTLS_ZERO_RTT */ @@ -3421,57 +3506,57 @@ int mbedtls_ssl_early_data_key_derivation(mbedtls_ssl_context *ssl, KeySet *traf * - Generate master key * - Generate handshake traffic keys */ -int mbedtls_ssl_key_derivation(mbedtls_ssl_context *ssl, KeySet *traffic_keys) +int mbedtls_ssl_key_derivation( mbedtls_ssl_context *ssl, KeySet *traffic_keys ) { - int ret; + int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_key_derivation")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_key_derivation" ) ); - MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for inbound data")); - ssl->transform_in = ssl->transform_negotiate; - ssl->session_in = ssl->session_negotiate; - memset(ssl->transform_in->sequence_number_dec, 0x0, 12); /* Set sequence number to zero */ - memset(ssl->in_ctr, 0, 8); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); + ssl->transform_in = ssl->transform_negotiate; + ssl->session_in = ssl->session_negotiate; + memset( ssl->transform_in->sequence_number_dec, 0x0, 12 ); /* Set sequence number to zero */ + memset( ssl->in_ctr, 0, 8 ); #if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - ssl_dtls_replay_reset(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + ssl_dtls_replay_reset( ssl ); #endif /* MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_SSL_DTLS_ANTI_REPLAY */ - /* Creating the Master Secret (TLS 1.3) */ - if ((ret = mbedtls_ssl_derive_master_secret(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_master_secret", ret); - return(ret); - } + /* Creating the Master Secret ( TLS 1.3 ) */ + if( ( ret = mbedtls_ssl_derive_master_secret( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_master_secret", ret ); + return( ret ); + } - /* Creating the Traffic Keys (TLS 1.3) */ - if ((ret = mbedtls_ssl_derive_traffic_keys(ssl, traffic_keys)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_traffic_keys", ret); - return(ret); - } + /* Creating the Traffic Keys ( TLS 1.3 ) */ + if( ( ret = mbedtls_ssl_derive_traffic_keys( ssl, traffic_keys ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_traffic_keys", ret ); + return( ret ); + } - /* - * Set the in_msg pointer to the correct location based on IV length - * For TLS 1.3 the record layer header has changed and hence we need to accomodate for it. - */ - ssl->in_msg = ssl->in_iv; + /* + * Set the in_msg pointer to the correct location based on IV length + * For TLS 1.3 the record layer header has changed and hence we need to accomodate for it. + */ + ssl->in_msg = ssl->in_iv; #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) - if (mbedtls_ssl_hw_record_activate != NULL) - { - if ((ret = mbedtls_ssl_hw_record_activate(ssl, MBEDTLS_SSL_CHANNEL_INBOUND)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_activate", ret); - return(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); - } - } + if( mbedtls_ssl_hw_record_activate != NULL ) + { + if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ - MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_key_derivation")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_key_derivation" ) ); - return(0); + return( 0 ); } @@ -3495,14 +3580,15 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) ssl->session_negotiate = NULL; - /* With DTLS 1.3 we keep the handshake and transform structures alive. */ + /* With DTLS 1.3 we keep the handshake and transform structures alive. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform")); - } + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) ); + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); } /* @@ -3511,19 +3597,19 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) * */ - /* - * Overview - */ +/* + * Overview + */ - /* Main entry point: orchestrates the other functions */ -int ssl_finished_out_process(mbedtls_ssl_context* ssl); +/* Main entry point: orchestrates the other functions */ +int ssl_finished_out_process( mbedtls_ssl_context* ssl ); -static int ssl_finished_out_prepare(mbedtls_ssl_context* ssl); -static int ssl_finished_out_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen); -static int ssl_finished_out_postprocess(mbedtls_ssl_context* ssl); +static int ssl_finished_out_prepare( mbedtls_ssl_context* ssl ); +static int ssl_finished_out_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ); +static int ssl_finished_out_postprocess( mbedtls_ssl_context* ssl ); /* @@ -3531,218 +3617,224 @@ static int ssl_finished_out_postprocess(mbedtls_ssl_context* ssl); */ -int ssl_finished_out_process(mbedtls_ssl_context* ssl) +int ssl_finished_out_process( mbedtls_ssl_context* ssl ) { - int ret; + int ret; KeySet traffic_keys; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); - memset((void*)&traffic_keys, 0, sizeof(KeySet)); + memset( ( void* )&traffic_keys, 0, sizeof( KeySet ) ); ssl->handshake->state_local.finished_out.traffic_keys = &traffic_keys; - if (!ssl->handshake->state_local.finished_out.preparation_done) - { - MBEDTLS_SSL_PROC_CHK(ssl_finished_out_prepare(ssl)); - ssl->handshake->state_local.finished_out.preparation_done = 1; - } + if( !ssl->handshake->state_local.finished_out.preparation_done ) + { + MBEDTLS_SSL_PROC_CHK( ssl_finished_out_prepare( ssl ) ); + ssl->handshake->state_local.finished_out.preparation_done = 1; + } - /* Make sure we can write a new message. */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_flush_output(ssl)); + /* Make sure we can write a new message. */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); - MBEDTLS_SSL_PROC_CHK(ssl_finished_out_write(ssl, ssl->out_msg, - MBEDTLS_SSL_MAX_CONTENT_LEN, - &ssl->out_msglen)); - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; + MBEDTLS_SSL_PROC_CHK( ssl_finished_out_write( ssl, ssl->out_msg, + MBEDTLS_SSL_MAX_CONTENT_LEN, + &ssl->out_msglen ) ); + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl)); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl ) ); - MBEDTLS_SSL_PROC_CHK(ssl_finished_out_postprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_finished_out_postprocess( ssl ) ); cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished")); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); + return( ret ); } -static int ssl_finished_out_prepare(mbedtls_ssl_context* ssl) +static int ssl_finished_out_prepare( mbedtls_ssl_context* ssl ) { - int ret; + int ret; KeySet* traffic_keys=ssl->handshake->state_local.finished_out.traffic_keys; #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { #if defined(MBEDTLS_ZERO_RTT) - if (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON) - { - ssl->transform_out = ssl->transform_negotiate; - ssl->session_out = ssl->session_negotiate; - memset(ssl->transform_out->sequence_number_enc, 0x0, 12); /* Set sequence number to zero */ - - ret = mbedtls_ssl_key_derivation(ssl, traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_key_derivation", ret); - return (ret); - } + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + { + ssl->transform_out = ssl->transform_negotiate; + ssl->session_out = ssl->session_negotiate; + memset( ssl->transform_out->sequence_number_enc, 0x0, 12 ); /* Set sequence number to zero */ + + ret = mbedtls_ssl_key_derivation( ssl, traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_key_derivation", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - traffic_keys.epoch = 2; + traffic_keys.epoch = 2; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ret = mbedtls_set_traffic_key(ssl, traffic_keys, ssl->transform_out, 0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); - } + ret = mbedtls_set_traffic_key( ssl, traffic_keys, ssl->transform_out, 0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value (2) is used for messages protected using keys derived - * from the handshake_traffic_secret. - */ - ssl->in_epoch = 2; - ssl->out_epoch = 2; + /* epoch value ( 2 ) is used for messages protected using keys derived + * from the handshake_traffic_secret. + */ + ssl->in_epoch = 2; + ssl->out_epoch = 2; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - } + } #endif /* MBEDTLS_ZERO_RTT */ - ret = mbedtls_ssl_generate_application_traffic_keys(ssl, traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_generate_application_traffic_keys", ret); - return (ret); - } + ret = mbedtls_ssl_generate_application_traffic_keys( ssl, traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_generate_application_traffic_keys", ret ); + return ( ret ); + } - } + } #endif /* MBEDTLS_SSL_CLI_C */ - /* - * Set the out_msg pointer to the correct location based on IV length - */ + /* + * Set the out_msg pointer to the correct location based on IV length + */ #if !defined(MBEDTLS_SSL_PROTO_DTLS) - ssl->out_msg = ssl->out_iv; + ssl->out_msg = ssl->out_iv; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - /* Compute transcript of handshake up to now. */ + /* Compute transcript of handshake up to now. */ - ret = ssl->handshake->calc_finished(ssl, ssl->handshake->state_local.finished_out.digest, ssl->conf->endpoint); + ret = ssl->handshake->calc_finished( ssl, ssl->handshake->state_local.finished_out.digest, ssl->conf->endpoint ); - ssl->handshake->calc_finished(ssl, - ssl->handshake->state_local.finished_out.digest, - ssl->conf->endpoint); + ssl->handshake->calc_finished( ssl, + ssl->handshake->state_local.finished_out.digest, + ssl->conf->endpoint ); #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) - if (mbedtls_ssl_hw_record_activate != NULL) - { - if ((ret = mbedtls_ssl_hw_record_activate(ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_activate", ret); - return(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); - } - } + if( mbedtls_ssl_hw_record_activate != NULL ) + { + if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_send_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_send_flight_completed( ssl ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - return(0); + return( 0 ); } -static int ssl_finished_out_postprocess(mbedtls_ssl_context* ssl) +static int ssl_finished_out_postprocess( mbedtls_ssl_context* ssl ) { - int ret; + int ret; KeySet* traffic_keys = ssl->handshake->state_local.finished_out.traffic_keys; #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ack_add_record(ssl, MBEDTLS_SSL_HS_FINISHED, MBEDTLS_SSL_ACK_RECORDS_SENT); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ack_add_record( ssl, MBEDTLS_SSL_HS_FINISHED, MBEDTLS_SSL_ACK_RECORDS_SENT ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - /* Compute resumption_master_secret */ + /* Compute resumption_master_secret */ - ret = mbedtls_ssl_generate_resumption_master_secret(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_generate_resumption_master_secret ", ret); - return (ret); - } + ret = mbedtls_ssl_generate_resumption_master_secret( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_generate_resumption_master_secret ", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - traffic_keys.epoch = 3; + traffic_keys.epoch = 3; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ret = mbedtls_set_traffic_key(ssl, traffic_keys, ssl->transform_negotiate, 0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); - } + ret = mbedtls_set_traffic_key( ssl, traffic_keys, ssl->transform_negotiate, 0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value (3) is used for payloads protected using keys - * derived from the initial traffic_secret_0. - */ - ssl->in_epoch = 3; - ssl->out_epoch = 3; + /* epoch value ( 3 ) is used for payloads protected using keys + * derived from the initial traffic_secret_0. + */ + ssl->in_epoch = 3; + ssl->out_epoch = 3; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_FINISH_ACK); - else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_FINISH_ACK ); + else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS ); - } + } #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { #if defined(MBEDTLS_ZERO_RTT) - if (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_EARLY_DATA); - } - else + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_DATA ); + } + else #endif /* MBEDTLS_ZERO_RTT */ - { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); - } + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); + } - } + } #endif /* MBEDTLS_SSL_SRV_C */ - return(0); + return( 0 ); } -static int ssl_finished_out_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen) +static int ssl_finished_out_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ) { - size_t const tls_hs_hdr_len = 4; + size_t const tls_hs_hdr_len = 4; - /* Note: Even if DTLS is used, the current message writing functions - * write TLS headers, and it is only at sending time that the actual - * DTLS header is generated. That's why we unconditionally shift by - * 4 bytes here as opposed to mbedtls_ssl_hs_hdr_len( ssl ). */ + /* Note: Even if DTLS is used, the current message writing functions + * write TLS headers, and it is only at sending time that the actual + * DTLS header is generated. That's why we unconditionally shift by + * 4 bytes here as opposed to mbedtls_ssl_hs_hdr_len( ssl ). */ - if (buflen < tls_hs_hdr_len - + ssl->handshake->state_local.finished_out.digest_len) - { - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - } + if( buflen < tls_hs_hdr_len + + ssl->handshake->state_local.finished_out.digest_len ) + { + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } - memcpy(buf + tls_hs_hdr_len, - ssl->handshake->state_local.finished_out.digest, - ssl->handshake->state_local.finished_out.digest_len); + memcpy( buf + tls_hs_hdr_len, + ssl->handshake->state_local.finished_out.digest, + ssl->handshake->state_local.finished_out.digest_len ); - *olen = tls_hs_hdr_len + ssl->handshake->state_local.finished_out.digest_len; + *olen = tls_hs_hdr_len + ssl->handshake->state_local.finished_out.digest_len; - return(0); + return( 0 ); } /* @@ -3751,182 +3843,184 @@ static int ssl_finished_out_write(mbedtls_ssl_context* ssl, * */ - /* - * Overview - */ +/* + * Overview + */ - /* Main entry point: orchestrates the other functions */ -int ssl_finished_in_process(mbedtls_ssl_context* ssl); +/* Main entry point: orchestrates the other functions */ +int ssl_finished_in_process( mbedtls_ssl_context* ssl ); -static int ssl_finished_in_preprocess(mbedtls_ssl_context* ssl); -static int ssl_finished_in_postprocess(mbedtls_ssl_context* ssl); -static int ssl_finished_in_parse(mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen); +static int ssl_finished_in_preprocess( mbedtls_ssl_context* ssl ); +static int ssl_finished_in_postprocess( mbedtls_ssl_context* ssl ); +static int ssl_finished_in_parse( mbedtls_ssl_context* ssl, + const unsigned char* buf, + size_t buflen ); /* * Implementation */ -int ssl_finished_in_process(mbedtls_ssl_context* ssl) +int ssl_finished_in_process( mbedtls_ssl_context* ssl ) { int ret = 0; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); /* Preprocessing step: Compute handshake digest */ - MBEDTLS_SSL_PROC_CHK(ssl_finished_in_preprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_finished_in_preprocess( ssl ) ); /* Fetching step */ - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) + if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); goto cleanup; } - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || - ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) + if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || + ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; goto cleanup; } /* Parsing step */ - MBEDTLS_SSL_PROC_CHK(ssl_finished_in_parse(ssl, - ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), - ssl->in_hslen - mbedtls_ssl_hs_hdr_len(ssl))); + MBEDTLS_SSL_PROC_CHK( ssl_finished_in_parse( ssl, + ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), + ssl->in_hslen - mbedtls_ssl_hs_hdr_len( ssl ) ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_recv_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_recv_flight_completed( ssl ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ /* Postprocessing step: Update state machine */ - MBEDTLS_SSL_PROC_CHK(ssl_finished_in_postprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_finished_in_postprocess( ssl ) ); cleanup: /* In the MPS one would close the read-port here to * ensure there's no overlap of reading and writing. */ - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished")); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); + return( ret ); } -static int ssl_finished_in_preprocess(mbedtls_ssl_context* ssl) +static int ssl_finished_in_preprocess( mbedtls_ssl_context* ssl ) { unsigned int hash_len; const mbedtls_ssl_ciphersuite_t* suite_info; - suite_info = mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); - if (suite_info == NULL) + if( suite_info == NULL ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_ciphersuite_from_id in ssl_finished_in_preprocess failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_ciphersuite_from_id in ssl_finished_in_preprocess failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - hash_len = mbedtls_hash_size_for_ciphersuite(suite_info); + hash_len = mbedtls_hash_size_for_ciphersuite( suite_info ); - if (hash_len == 0) + if( hash_len == 0 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite in ssl_finished_in_preprocess failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite in ssl_finished_in_preprocess failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } ssl->handshake->state_local.finished_in.digest_len = hash_len; - ssl->handshake->calc_finished(ssl, - ssl->handshake->state_local.finished_in.digest, - ssl->conf->endpoint ^ 1); + ssl->handshake->calc_finished( ssl, + ssl->handshake->state_local.finished_in.digest, + ssl->conf->endpoint ^ 1 ); - return(0); + return( 0 ); } -static int ssl_finished_in_parse(mbedtls_ssl_context* ssl, - const unsigned char* buf, - size_t buflen) +static int ssl_finished_in_parse( mbedtls_ssl_context* ssl, + const unsigned char* buf, + size_t buflen ) { /* Structural validation */ - if (buflen != ssl->handshake->state_local.finished_in.digest_len) + if( buflen != ssl->handshake->state_local.finished_in.digest_len ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_FINISHED); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); } - MBEDTLS_SSL_DEBUG_MSG(5, ("Verify finished message")); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Verify finished message" ) ); - MBEDTLS_SSL_DEBUG_BUF(5, "Hash (self-computed):", - ssl->handshake->state_local.finished_in.digest, ssl->handshake->state_local.finished_in.digest_len); - MBEDTLS_SSL_DEBUG_BUF(5, "Hash (received message):", buf, ssl->handshake->state_local.finished_in.digest_len); + MBEDTLS_SSL_DEBUG_BUF( 5, "Hash ( self-computed ):", + ssl->handshake->state_local.finished_in.digest, ssl->handshake->state_local.finished_in.digest_len ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Hash ( received message ):", buf, ssl->handshake->state_local.finished_in.digest_len ); /* Semantic validation */ - if (mbedtls_ssl_safer_memcmp(buf, - ssl->handshake->state_local.finished_in.digest, - ssl->handshake->state_local.finished_in.digest_len) != 0) + if( mbedtls_ssl_safer_memcmp( buf, + ssl->handshake->state_local.finished_in.digest, + ssl->handshake->state_local.finished_in.digest_len ) != 0 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); - SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); - return(MBEDTLS_ERR_SSL_BAD_HS_FINISHED); + SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); } - return(0); + return( 0 ); } -static int ssl_finished_in_postprocess(mbedtls_ssl_context* ssl) +static int ssl_finished_in_postprocess( mbedtls_ssl_context* ssl ) { /* Update logic state machine */ #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { } #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { } #endif /* MBEDTLS_SSL_SRV_C */ - return(0); + return( 0 ); } #if defined(MBEDTLS_CID) -void mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, unsigned int cid) +void mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, unsigned int cid ) { - if (cid == MBEDTLS_CID_CONF_DISABLED || cid == MBEDTLS_CID_CONF_ENABLED || - cid == MBEDTLS_CID_CONF_ZERO_LENGTH) - conf->cid = cid; + if( cid == MBEDTLS_CID_CONF_DISABLED || cid == MBEDTLS_CID_CONF_ENABLED || + cid == MBEDTLS_CID_CONF_ZERO_LENGTH ) + conf->cid = cid; } #endif #if defined(MBEDTLS_ZERO_RTT) -void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf, int early_data, char *buffer, unsigned int len, int(*early_data_callback)(mbedtls_ssl_context *, - unsigned char *, size_t)) +void mbedtls_ssl_conf_early_data( mbedtls_ssl_config *conf, int early_data, char *buffer, unsigned int len, int( *early_data_callback )( mbedtls_ssl_context *, + unsigned char *, size_t ) ) { - if (conf != NULL) { - conf->early_data = early_data; - if (buffer != NULL && len >0 && early_data==MBEDTLS_SSL_EARLY_DATA_ENABLED) { - conf->early_data_buf = buffer; - conf->early_data_len = len; - conf->early_data_callback = early_data_callback; - } - } + if( conf != NULL ) + { + conf->early_data = early_data; + if( buffer != NULL && len >0 && early_data==MBEDTLS_SSL_EARLY_DATA_ENABLED ) + { + conf->early_data_buf = buffer; + conf->early_data_len = len; + conf->early_data_callback = early_data_callback; + } + } } #endif /* MBEDTLS_ZERO_RTT */ #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) -/* The ssl_parse_new_session_ticket() function is used by the +/* The ssl_parse_new_session_ticket( ) function is used by the * client to parse the NewSessionTicket message, which contains * the ticket and meta-data provided by the server in a post- * handshake message. @@ -3934,185 +4028,189 @@ void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf, int early_data, char * The code is located in ssl_tls.c since the function is called * mbedtls_ssl_read. It is a post-handshake message. */ -int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl) +int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) { - int ret; - uint32_t lifetime, ticket_age_add; - uint8_t ticket_nonce_len; - size_t ticket_len, ext_len; - unsigned char *ticket; - const unsigned char *msg, *extensions; - const mbedtls_ssl_ciphersuite_t *suite_info; - unsigned int msg_len; + int ret; + uint32_t lifetime, ticket_age_add; + uint8_t ticket_nonce_len; + size_t ticket_len, ext_len; + unsigned char *ticket; + const unsigned char *msg, *extensions; + const mbedtls_ssl_ciphersuite_t *suite_info; + unsigned int msg_len; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); - msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); - msg_len = (ssl->in_msg[2] << 8) | ssl->in_msg[3]; + msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); + msg_len = ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3]; - if (msg_len+ mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_msglen) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); - return(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET); - } + if( msg_len+ mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_msglen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); + } - /* Ticket lifetime */ - lifetime = (msg[0] << 24) | (msg[1] << 16) | - (msg[2] << 8) | (msg[3]); + /* Ticket lifetime */ + lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | + ( msg[2] << 8 ) | ( msg[3] ); - ssl->session->ticket_lifetime = lifetime; - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket->lifetime: %d", lifetime)); + ssl->session->ticket_lifetime = lifetime; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->lifetime: %d", lifetime ) ); - /* Ticket Age Add */ - ticket_age_add = (msg[4] << 24) | (msg[5] << 16) | - (msg[6] << 8) | (msg[7]); + /* Ticket Age Add */ + ticket_age_add = ( msg[4] << 24 ) | ( msg[5] << 16 ) | + ( msg[6] << 8 ) | ( msg[7] ); - ssl->session->ticket_age_add = ticket_age_add; + ssl->session->ticket_age_add = ticket_age_add; - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket->age_add: %u", ticket_age_add)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->age_add: %u", ticket_age_add ) ); - /* Ticket Nonce */ - ticket_nonce_len = msg[8]; + /* Ticket Nonce */ + ticket_nonce_len = msg[8]; - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket->nonce_length: %d", ticket_nonce_len)); - MBEDTLS_SSL_DEBUG_BUF(3, "ticket->nonce:", (unsigned char*)&msg[9], ticket_nonce_len); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->nonce_length: %d", ticket_nonce_len ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "ticket->nonce:", ( unsigned char* )&msg[9], ticket_nonce_len ); - /* Check if we previously received a ticket already. If we did, then we should - * re-use already allocated nonce-space. - */ - if (ssl->session->ticket_nonce != NULL || ssl->session->ticket_nonce_len > 0) { - mbedtls_free(ssl->session->ticket_nonce); - ssl->session->ticket_nonce = NULL; - ssl->session->ticket_nonce_len = 0; - } + /* Check if we previously received a ticket already. If we did, then we should + * re-use already allocated nonce-space. + */ + if( ssl->session->ticket_nonce != NULL || ssl->session->ticket_nonce_len > 0 ) + { + mbedtls_free( ssl->session->ticket_nonce ); + ssl->session->ticket_nonce = NULL; + ssl->session->ticket_nonce_len = 0; + } - if ((ssl->session->ticket_nonce = mbedtls_calloc(1, ticket_nonce_len)) == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("ticket_nonce alloc failed")); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } + if( ( ssl->session->ticket_nonce = mbedtls_calloc( 1, ticket_nonce_len ) ) == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket_nonce alloc failed" ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } - memcpy(ssl->session->ticket_nonce, &msg[9], ticket_nonce_len); + memcpy( ssl->session->ticket_nonce, &msg[9], ticket_nonce_len ); - ssl->session->ticket_nonce_len = ticket_nonce_len; + ssl->session->ticket_nonce_len = ticket_nonce_len; - /* Ticket Length */ - /* Check whether access to the ticket nonce length moves - * out of the bounds of the buffer. - */ - if (&msg[10 + ticket_nonce_len] > (msg + msg_len)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Bad NewSessionTicket message: ticket nonce length field incorect")); - return(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET); - } - ticket_len = (msg[9+ ticket_nonce_len] << 8) | (msg[10+ ticket_nonce_len]); + /* Ticket Length */ + /* Check whether access to the ticket nonce length moves + * out of the bounds of the buffer. + */ + if( &msg[10 + ticket_nonce_len] > ( msg + msg_len ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad NewSessionTicket message: ticket nonce length field incorect" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); + } + ticket_len = ( msg[9+ ticket_nonce_len] << 8 ) | ( msg[10+ ticket_nonce_len] ); - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket->length: %d", ticket_len)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->length: %d", ticket_len ) ); - /* Ticket Extension Length */ - /* Check whether access to the ticket length moves out - * of the bounds of the buffer. - */ - if (&msg[12 + ticket_nonce_len + ticket_len] > (msg + msg_len)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Bad NewSessionTicket message: ticket nonce length field incorect")); - return(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET); - } - ext_len = (msg[11+ ticket_nonce_len +ticket_len] << 8) | (msg[12+ ticket_nonce_len + ticket_len]); + /* Ticket Extension Length */ + /* Check whether access to the ticket length moves out + * of the bounds of the buffer. + */ + if( &msg[12 + ticket_nonce_len + ticket_len] > ( msg + msg_len ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad NewSessionTicket message: ticket nonce length field incorect" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); + } + ext_len = ( msg[11+ ticket_nonce_len +ticket_len] << 8 ) | ( msg[12+ ticket_nonce_len + ticket_len] ); - // Check whether the length field is correct - if ((ticket_len + ticket_nonce_len + ext_len + 13 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_msglen) - && ticket_len >0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Bad NewSessionTicket message: ticket length field incorect")); - return(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET); - } + /* Check whether the length field is correct */ + if( ( ticket_len + ticket_nonce_len + ext_len + 13 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_msglen ) + && ticket_len >0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad NewSessionTicket message: ticket length field incorect" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); + } - /* Check if we previously received a ticket already. */ - if (ssl->session->ticket != NULL || ssl->session->ticket_len > 0) { - mbedtls_free(ssl->session->ticket); - ssl->session->ticket = NULL; - ssl->session->ticket_len = 0; - } + /* Check if we previously received a ticket already. */ + if( ssl->session->ticket != NULL || ssl->session->ticket_len > 0 ) + { + mbedtls_free( ssl->session->ticket ); + ssl->session->ticket = NULL; + ssl->session->ticket_len = 0; + } - if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed")); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } + if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } - memcpy(ticket, msg + 11 + ticket_nonce_len, ticket_len); - ssl->session->ticket = ticket; - ssl->session->ticket_len = ticket_len; + memcpy( ticket, msg + 11 + ticket_nonce_len, ticket_len ); + ssl->session->ticket = ticket; + ssl->session->ticket_len = ticket_len; - MBEDTLS_SSL_DEBUG_BUF(3, "ticket", ticket, ticket_len); + MBEDTLS_SSL_DEBUG_BUF( 3, "ticket", ticket, ticket_len ); - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket->extension length: %d", ext_len)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->extension length: %d", ext_len ) ); - // We are not storing any extensions at the moment - if (ext_len > 0) { - extensions = &msg[13 + ticket_nonce_len + ticket_len]; - MBEDTLS_SSL_DEBUG_BUF(3, "ticket->extension", extensions, ext_len); - } + /* We are not storing any extensions at the moment */ + if( ext_len > 0 ) + { + extensions = &msg[13 + ticket_nonce_len + ticket_len]; + MBEDTLS_SSL_DEBUG_BUF( 3, "ticket->extension", extensions, ext_len ); + } - /* Compute PSK based on received nonce and resumption_master_secret - * in the following style: - * - * HKDF-Expand-Label(resumption_master_secret, - * "resumption", ticket_nonce, Hash.length) - */ + /* Compute PSK based on received nonce and resumption_master_secret + * in the following style: + * + * HKDF-Expand-Label( resumption_master_secret, + * "resumption", ticket_nonce, Hash.length ) + */ - suite_info = mbedtls_ssl_ciphersuite_from_id(ssl->session->ciphersuite); + suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session->ciphersuite ); - if (suite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("suite_info == NULL, ssl_parse_new_session_ticket failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( suite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "suite_info == NULL, ssl_parse_new_session_ticket failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret", ssl->session->resumption_master_secret, mbedtls_hash_size_for_ciphersuite(suite_info)); + MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret", ssl->session->resumption_master_secret, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - ret = hkdfExpandLabel(suite_info->mac, ssl->session->resumption_master_secret, mbedtls_hash_size_for_ciphersuite(suite_info), (const unsigned char *)"resumption", strlen("resumption"), ssl->session->ticket_nonce, ssl->session->ticket_nonce_len, mbedtls_hash_size_for_ciphersuite(suite_info), ssl->session->key, mbedtls_hash_size_for_ciphersuite(suite_info)); + ret = hkdfExpandLabel( suite_info->mac, ssl->session->resumption_master_secret, mbedtls_hash_size_for_ciphersuite( suite_info ), ( const unsigned char * )"resumption", strlen( "resumption" ), ssl->session->ticket_nonce, ssl->session->ticket_nonce_len, mbedtls_hash_size_for_ciphersuite( suite_info ), ssl->session->key, mbedtls_hash_size_for_ciphersuite( suite_info ) ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "Creating the ticket-resumed PSK failed", ret); - return (ret); - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "Creating the ticket-resumed PSK failed", ret ); + return ( ret ); + } - MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK", ssl->session->key, mbedtls_hash_size_for_ciphersuite(suite_info)); - MBEDTLS_SSL_DEBUG_MSG(3, ("Key_len: %d", mbedtls_hash_size_for_ciphersuite(suite_info))); + MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK", ssl->session->key, mbedtls_hash_size_for_ciphersuite( suite_info ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Key_len: %d", mbedtls_hash_size_for_ciphersuite( suite_info ) ) ); #if defined(MBEDTLS_HAVE_TIME) - // Store ticket creation time - ssl->session->ticket_received = time(NULL); + /* Store ticket creation time */ + ssl->session->ticket_received = time( NULL ); #endif - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); - return(0); + return( 0 ); } -/* mbedtls_ssl_conf_ticket_meta() allows to set a 32-bit value that is +/* mbedtls_ssl_conf_ticket_meta( ) allows to set a 32-bit value that is * used to obscure the age of the ticket. For externally configured PSKs * this value is zero. Additionally, the time when the ticket was * received will be set. */ #if defined(MBEDTLS_HAVE_TIME) -int mbedtls_ssl_conf_ticket_meta(mbedtls_ssl_config *conf, - const uint32_t ticket_age_add, - const time_t ticket_received) +int mbedtls_ssl_conf_ticket_meta( mbedtls_ssl_config *conf, + const uint32_t ticket_age_add, + const time_t ticket_received ) #else -int mbedtls_ssl_conf_ticket_meta(mbedtls_ssl_config *conf, - const uint32_t ticket_age_add) +int mbedtls_ssl_conf_ticket_meta( mbedtls_ssl_config *conf, + const uint32_t ticket_age_add ) #endif /* MBEDTLS_HAVE_TIME */ { - conf->ticket_age_add = ticket_age_add; + conf->ticket_age_add = ticket_age_add; #if defined(MBEDTLS_HAVE_TIME) - conf->ticket_received = ticket_received; + conf->ticket_received = ticket_received; #endif /* MBEDTLS_HAVE_TIME */ - return 0; + return 0; } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ @@ -4123,152 +4221,157 @@ int mbedtls_ssl_conf_ticket_meta(mbedtls_ssl_config *conf, #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) /* -* Init ticket structure -*/ + * Init ticket structure + */ -void mbedtls_ssl_init_client_ticket(mbedtls_ssl_ticket *ticket) +void mbedtls_ssl_init_client_ticket( mbedtls_ssl_ticket *ticket ) { - if (ticket == NULL) - return; + if( ticket == NULL ) + return; - ticket->ticket = NULL; - memset(ticket->key,0,sizeof(ticket->key)); + ticket->ticket = NULL; + memset( ticket->key,0,sizeof( ticket->key ) ); } /* -* Free an ticket structure -*/ -void mbedtls_ssl_del_client_ticket(mbedtls_ssl_ticket *ticket) + * Free an ticket structure + */ +void mbedtls_ssl_del_client_ticket( mbedtls_ssl_ticket *ticket ) { - if (ticket == NULL) - return; + if( ticket == NULL ) + return; - if (ticket->ticket != NULL) - { - mbedtls_platform_zeroize(ticket->ticket, ticket->ticket_len); - mbedtls_free(ticket->ticket); - } + if( ticket->ticket != NULL ) + { + mbedtls_platform_zeroize( ticket->ticket, ticket->ticket_len ); + mbedtls_free( ticket->ticket ); + } - mbedtls_platform_zeroize(ticket->key, sizeof(ticket->key)); + mbedtls_platform_zeroize( ticket->key, sizeof( ticket->key ) ); } -int mbedtls_ssl_conf_client_ticket(const mbedtls_ssl_context *ssl, mbedtls_ssl_ticket *ticket) { +int mbedtls_ssl_conf_client_ticket( const mbedtls_ssl_context *ssl, mbedtls_ssl_ticket *ticket ) { - int ret; - mbedtls_ssl_config *conf = (mbedtls_ssl_config *) ssl->conf; + int ret; + mbedtls_ssl_config *conf = ( mbedtls_ssl_config * ) ssl->conf; - // basic consistency checks - if (conf == NULL) return -1; - if (ticket == NULL) return -1; - if (ticket->key_len == 0) return -1; - if (ticket->ticket_len == 0) return -1; - if (ticket->ticket == NULL) return -1; + /* basic consistency checks */ + if( conf == NULL ) return -1; + if( ticket == NULL ) return -1; + if( ticket->key_len == 0 ) return -1; + if( ticket->ticket_len == 0 ) return -1; + if( ticket->ticket == NULL ) return -1; - /* We don't request another ticket from the server. - * TBD: This function could be moved to an application-visible API call. - */ - mbedtls_ssl_conf_session_tickets(conf, 0); + /* We don't request another ticket from the server. + * TBD: This function could be moved to an application-visible API call. + */ + mbedtls_ssl_conf_session_tickets( conf, 0 ); - // Set the psk and psk_identity - ret = mbedtls_ssl_conf_psk(conf, ticket->key, ticket->key_len, - (const unsigned char *)ticket->ticket, - ticket->ticket_len); + /* Set the psk and psk_identity */ + ret = mbedtls_ssl_conf_psk( conf, ticket->key, ticket->key_len, + ( const unsigned char * )ticket->ticket, + ticket->ticket_len ); - if (ret != 0) return -1; + if( ret != 0 ) return -1; - /* Set the key exchange mode to PSK - * TBD: Ideally, the application developer should have the option - * to decide between plain PSK-KE and PSK-KE-DH - */ - ret = mbedtls_ssl_conf_ke(conf, 0); + /* Set the key exchange mode to PSK + * TBD: Ideally, the application developer should have the option + * to decide between plain PSK-KE and PSK-KE-DH + */ + ret = mbedtls_ssl_conf_ke( conf, 0 ); - if (ret != 0) return -1; + if( ret != 0 ) return -1; /* We set the ticket_age_add and the time we received the ticket */ #if defined(MBEDTLS_HAVE_TIME) - ret = mbedtls_ssl_conf_ticket_meta(conf, ticket->ticket_age_add, ticket->start); + ret = mbedtls_ssl_conf_ticket_meta( conf, ticket->ticket_age_add, ticket->start ); #else - ret = mbedtls_ssl_conf_ticket_meta(conf, ticket->ticket_age_add); + ret = mbedtls_ssl_conf_ticket_meta( conf, ticket->ticket_age_add ); #endif /* MBEDTLS_HAVE_TIME */ - if (ret != 0) return -1; + if( ret != 0 ) return -1; - return 0; + return 0; } -int mbedtls_ssl_get_client_ticket(const mbedtls_ssl_context *ssl, mbedtls_ssl_ticket *ticket) +int mbedtls_ssl_get_client_ticket( const mbedtls_ssl_context *ssl, mbedtls_ssl_ticket *ticket ) { - const mbedtls_ssl_ciphersuite_t *cur; - int hash_size; - - if (ssl->session == NULL) return -1; - - // Check whether we got a ticket already - if (ssl->session->ticket != NULL) { - - // store ticket - ticket->ticket_len = ssl->session->ticket_len; - if (ticket->ticket_len == 0) return -1; - ticket->ticket = mbedtls_calloc(ticket->ticket_len,1); - if (ticket->ticket == NULL) return -1; - memcpy(ticket->ticket, ssl->session->ticket, ticket->ticket_len); - - // store ticket lifetime - ticket->ticket_lifetime = ssl->session->ticket_lifetime; - - // store psk key and key length - cur = mbedtls_ssl_ciphersuite_from_id(ssl->session->ciphersuite); - if (cur == NULL) { - mbedtls_free(ticket->ticket); - return -1; - } - - hash_size=mbedtls_hash_size_for_ciphersuite(cur); - - if (hash_size < 0) { - mbedtls_free(ticket->ticket); - return -1; - } - else { - ticket->key_len = hash_size; - } - memcpy(ticket->key, ssl->session->key, ticket->key_len); - ssl->session->key_len = ticket->key_len; - - // store ticket_age_add - ticket->ticket_age_add = ssl->session->ticket_age_add; + const mbedtls_ssl_ciphersuite_t *cur; + int hash_size; -#if defined(MBEDTLS_HAVE_TIME) - // store time we received the ticket - ticket->start = ssl->session->ticket_received; + if( ssl->session == NULL ) return -1; + + /* Check whether we got a ticket already */ + if( ssl->session->ticket != NULL ) + { + + /* store ticket */ + ticket->ticket_len = ssl->session->ticket_len; + if( ticket->ticket_len == 0 ) return -1; + ticket->ticket = mbedtls_calloc( ticket->ticket_len,1 ); + if( ticket->ticket == NULL ) return -1; + memcpy( ticket->ticket, ssl->session->ticket, ticket->ticket_len ); + + /* store ticket lifetime */ + ticket->ticket_lifetime = ssl->session->ticket_lifetime; + + /* store psk key and key length */ + cur = mbedtls_ssl_ciphersuite_from_id( ssl->session->ciphersuite ); + if( cur == NULL ) + { + mbedtls_free( ticket->ticket ); + return -1; + } + + hash_size=mbedtls_hash_size_for_ciphersuite( cur ); + + if( hash_size < 0 ) + { + mbedtls_free( ticket->ticket ); + return -1; + } + else + { + ticket->key_len = hash_size; + } + memcpy( ticket->key, ssl->session->key, ticket->key_len ); + ssl->session->key_len = ticket->key_len; + + /* store ticket_age_add */ + ticket->ticket_age_add = ssl->session->ticket_age_add; + +#if defined(MBEDTLS_HAVE_TIME) + /* store time we received the ticket */ + ticket->start = ssl->session->ticket_received; #endif /* MBEDTLS_HAVE_TIME */ - return 0; - } - else { - // no ticket available - return 1; - } + return 0; + } + else + { + /* no ticket available */ + return 1; + } } -void mbedtls_ssl_conf_client_ticket_enable(mbedtls_ssl_context *ssl) +void mbedtls_ssl_conf_client_ticket_enable( mbedtls_ssl_context *ssl ) { - mbedtls_ssl_config *conf; - if (ssl == NULL) return; - conf = (mbedtls_ssl_config *) ssl->conf; - if (conf == NULL) return; - conf->resumption_mode = 1; // enable resumption mode + mbedtls_ssl_config *conf; + if( ssl == NULL ) return; + conf = ( mbedtls_ssl_config * ) ssl->conf; + if( conf == NULL ) return; + conf->resumption_mode = 1; /* enable resumption mode */ } -void mbedtls_ssl_conf_client_ticket_disable(mbedtls_ssl_context *ssl) +void mbedtls_ssl_conf_client_ticket_disable( mbedtls_ssl_context *ssl ) { - mbedtls_ssl_config *conf; + mbedtls_ssl_config *conf; - if (ssl == NULL) return; - conf = (mbedtls_ssl_config *) ssl->conf; - if (conf == NULL) return; - conf->resumption_mode = 0; // set full exchange + if( ssl == NULL ) return; + conf = ( mbedtls_ssl_config * ) ssl->conf; + if( conf == NULL ) return; + conf->resumption_mode = 0; /* set full exchange */ } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ @@ -4278,84 +4381,84 @@ void mbedtls_ssl_conf_client_ticket_disable(mbedtls_ssl_context *ssl) /* Early Data Extension -* -* struct {} Empty; -* -* struct { -* select (Handshake.msg_type) { -* case new_session_ticket: uint32 max_early_data_size; -* case client_hello: Empty; -* case encrypted_extensions: Empty; -* }; -* } EarlyDataIndication; -*/ + * + * struct {} Empty; + * + * struct { + * select ( Handshake.msg_type ) { + * case new_session_ticket: uint32 max_early_data_size; + * case client_hello: Empty; + * case encrypted_extensions: Empty; + * }; + * } EarlyDataIndication; + */ #if defined(MBEDTLS_ZERO_RTT) -int ssl_write_early_data_ext(mbedtls_ssl_context *ssl, - unsigned char *buf, - size_t buflen, - size_t *olen) +int ssl_write_early_data_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { - unsigned char *p = buf; - const unsigned char* end = buf + buflen; + unsigned char *p = buf; + const unsigned char* end = buf + buflen; #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { - if (ssl->conf->key_exchange_modes != KEY_EXCHANGE_MODE_PSK_KE || - ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_DISABLED) { + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + if( ssl->conf->key_exchange_modes != KEY_EXCHANGE_MODE_PSK_KE || + ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_DISABLED ) { - MBEDTLS_SSL_DEBUG_MSG(2, ("skip write early_data extension")); - ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF; - return(0); - } - } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write early_data extension" ) ); + ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF; + return( 0 ); + } + } #endif /* MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || - ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_DISABLED) { + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || + ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_DISABLED ) { -// MBEDTLS_SSL_DEBUG_MSG(5, ("<= skip write early_data extension")); - ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF; - return(0); - } - } +/* MBEDTLS_SSL_DEBUG_MSG( 5, ( "<= skip write early_data extension" ) ); */ + ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF; + return( 0 ); + } + } #endif /* MBEDTLS_SSL_CLI_C */ - if ((size_t)(end - p) < 4) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } + if( (size_t)( end - p ) < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } #if defined(MBEDTLS_SSL_CLI_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding early_data extension")); - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding early_data extension" ) ); + } #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding early_data extension")); - } + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding early_data extension" ) ); + } #endif /* MBEDTLS_SSL_SRV_C */ - ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; + ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; - // Write extension header - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_EARLY_DATA >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_EARLY_DATA) & 0xFF); + /* Write extension header */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_EARLY_DATA >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_EARLY_DATA ) & 0xFF ); - // Write total extension length - *p++ = 0; - *p++ = 0; + /* Write total extension length */ + *p++ = 0; + *p++ = 0; - *olen = 4; - return 0; + *olen = 4; + return 0; } #endif /* MBEDTLS_ZERO_RTT */ diff --git a/library/ssl_tls13_messaging.c b/library/ssl_tls13_messaging.c index 64ab02b4d94e..326d8c07f39c 100644 --- a/library/ssl_tls13_messaging.c +++ b/library/ssl_tls13_messaging.c @@ -1,10 +1,10 @@ /* * Messaging layer for use with TLS/DTLS 1.3 * - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright ( C ) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * - * Licensed under the Apache License, Version 2.0 (the "License"); you may + * Licensed under the Apache License, Version 2.0 ( the "License" ); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * @@ -16,7 +16,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of mbed TLS ( https://tls.mbed.org ) */ /* This code will be merged into MPS: @@ -31,7 +31,7 @@ #if defined(MBEDTLS_SSL_TLS_C) -#if defined (MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -46,7 +46,7 @@ #include "mbedtls/hkdf.h" #include -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) #include "mbedtls/oid.h" #endif @@ -60,25 +60,25 @@ #endif /* MBEDTLS_PLATFORM_C */ - /* Once ssl->out_hdr as the address of the beginning of the - * next outgoing record is set, deduce the other pointers. - * - * Note: For TLS, we save the implicit record sequence number - * (entering MAC computation) in the 8 bytes before ssl->out_hdr, - * and the caller has to make sure there's space for this. - */ +/* Once ssl->out_hdr as the address of the beginning of the + * next outgoing record is set, deduce the other pointers. + * + * Note: For TLS, we save the implicit record sequence number + * ( entering MAC computation ) in the 8 bytes before ssl->out_hdr, + * and the caller has to make sure there's space for this. + */ -void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context* ssl, - mbedtls_ssl_transform* transform) +void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context* ssl, + mbedtls_ssl_transform* transform ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { ssl->out_ctr = ssl->out_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ssl->out_cid = ssl->out_ctr + 8; ssl->out_len = ssl->out_cid; - if (transform != NULL) + if( transform != NULL ) ssl->out_len += transform->out_cid_len; #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ ssl->out_len = ssl->out_ctr + 8; @@ -97,8 +97,8 @@ void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context* ssl, } /* Adjust out_msg to make space for explicit IV, if used. */ - if (transform != NULL && - ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2) + if( transform != NULL && + ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) { ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen; } @@ -110,11 +110,11 @@ void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context* ssl, * next incoming record is set, deduce the other pointers. * * Note: For TLS, we save the implicit record sequence number - * (entering MAC computation) in the 8 bytes before ssl->in_hdr, + * ( entering MAC computation ) in the 8 bytes before ssl->in_hdr, * and the caller has to make sure there's space for this. */ -void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context* ssl) +void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context* ssl ) { /* This function sets the pointers to match the case * of unprotected TLS/DTLS records, with both ssl->in_iv @@ -127,12 +127,12 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context* ssl) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* This sets the header pointers to match records * without CID. When we receive a record containing * a CID, the fields are shifted accordingly in - * ssl_parse_record_header(). */ + * ssl_parse_record_header( ). */ ssl->in_ctr = ssl->in_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ssl->in_cid = ssl->in_ctr + 8; @@ -159,15 +159,15 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context* ssl) - /* - * Setup an SSL context - */ +/* + * Setup an SSL context + */ -void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context* ssl) +void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context* ssl ) { /* Set the incoming and outgoing record pointers. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { ssl->out_hdr = ssl->out_buf; ssl->in_hdr = ssl->in_buf; @@ -180,8 +180,8 @@ void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context* ssl) } /* Derive other internal pointers. */ - mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */); - mbedtls_ssl_update_in_pointers(ssl); + mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ ); + mbedtls_ssl_update_in_pointers( ssl ); } @@ -189,9 +189,9 @@ void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context* ssl) /* * SSL get accessors */ -size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context* ssl) +size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context* ssl ) { - return(ssl->in_offt == NULL ? 0 : ssl->in_msglen); + return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); } @@ -214,21 +214,21 @@ static int ssl_check_timer( mbedtls_ssl_context *ssl ) /* Length of the "epoch" field in the record header */ -static inline size_t ssl_ep_len(const mbedtls_ssl_context* ssl) +static inline size_t ssl_ep_len( const mbedtls_ssl_context* ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - return(2); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + return( 2 ); #else - ((void)ssl); + ( ( void )ssl ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ - return(0); + return( 0 ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* +/* * Double the retransmit timeout value, within the allowed range, * returning -1 if the maximum value has already been reached. */ @@ -250,7 +250,7 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) ssl->handshake->retransmit_timeout = new_timeout; MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", - ssl->handshake->retransmit_timeout ) ); + ssl->handshake->retransmit_timeout ) ); return( 0 ); } @@ -259,7 +259,7 @@ static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) { ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", - ssl->handshake->retransmit_timeout ) ); + ssl->handshake->retransmit_timeout ) ); } #endif /* MBEDTLS_SSL_PROTO_DTLS */ @@ -283,100 +283,100 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ); - MBEDTLS_SSL_DEBUG_BUF( 4, "plaintext (before encryption)", - ssl->out_msg, ssl->out_msglen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "plaintext ( before encryption )", + ssl->out_msg, ssl->out_msglen ); /* * Encrypt */ #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) - if (mode == MBEDTLS_MODE_GCM || - mode == MBEDTLS_MODE_CCM || mode == MBEDTLS_MODE_CCM_8) - { - int ret; - size_t enc_msglen, olen; - unsigned char* enc_msg; - unsigned char add_data[5]; - size_t add_data_len; - unsigned char taglen; - - // Currently there is only one cipher with a short authentication tag defined - if (ssl->transform_out->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8) - taglen = 8; - else taglen = 16; + if( mode == MBEDTLS_MODE_GCM || + mode == MBEDTLS_MODE_CCM || mode == MBEDTLS_MODE_CCM_8 ) + { + int ret; + size_t enc_msglen, olen; + unsigned char* enc_msg; + unsigned char add_data[5]; + size_t add_data_len; + unsigned char taglen; + + /* Currently there is only one cipher with a short authentication tag defined */ + if( ssl->transform_out->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8 ) + taglen = 8; + else taglen = 16; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - /* TBD: We need to adjust the additional data calculation for CID use */ + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + /* TBD: We need to adjust the additional data calculation for CID use */ - /* Adding the (fake) content type to additional data */ - add_data[0] = 23; + /* Adding the ( fake ) content type to additional data */ + add_data[0] = 23; - /* Adding the version to additional data */ - add_data[1] = 0xfe; - add_data[2] = 0xfd; + /* Adding the version to additional data */ + add_data[1] = 0xfe; + add_data[2] = 0xfd; - /* Adding the length to additional data */ - add_data[3] = ((ssl->out_msglen + taglen) >> 8) & 0xFF; - add_data[4] = (ssl->out_msglen + taglen) & 0xFF; + /* Adding the length to additional data */ + add_data[3] = ( ( ssl->out_msglen + taglen ) >> 8 ) & 0xFF; + add_data[4] = ( ssl->out_msglen + taglen ) & 0xFF; - add_data_len = 5; - } - else + add_data_len = 5; + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - /* Adding the content type to additional data */ - add_data[0] = ssl->out_hdr[0]; + { + /* Adding the content type to additional data */ + add_data[0] = ssl->out_hdr[0]; - /* Adding the version to additional data */ - add_data[1] = ssl->out_hdr[1]; - add_data[2] = ssl->out_hdr[2]; + /* Adding the version to additional data */ + add_data[1] = ssl->out_hdr[1]; + add_data[2] = ssl->out_hdr[2]; - /* Adding the length to additional data */ - add_data[3] = ((ssl->out_msglen + taglen) >> 8) & 0xFF; - add_data[4] = (ssl->out_msglen + taglen) & 0xFF; + /* Adding the length to additional data */ + add_data[3] = ( ( ssl->out_msglen + taglen ) >> 8 ) & 0xFF; + add_data[4] = ( ssl->out_msglen + taglen ) & 0xFF; - add_data_len = 5; - } + add_data_len = 5; + } - enc_msg = ssl->out_msg; - enc_msglen = ssl->out_msglen; - // We adjust the message length since the authentication tag also consumes space. - ssl->out_msglen += taglen; + enc_msg = ssl->out_msg; + enc_msglen = ssl->out_msglen; + /* We adjust the message length since the authentication tag also consumes space. */ + ssl->out_msglen += taglen; - MBEDTLS_SSL_DEBUG_MSG(4, ("msglen (%d)", ssl->out_msglen)); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "msglen ( %d )", ssl->out_msglen ) ); - MBEDTLS_SSL_DEBUG_BUF(4, "Nonce (before)", ssl->transform_out->iv_enc, ssl->transform_out->ivlen); + MBEDTLS_SSL_DEBUG_BUF( 4, "Nonce ( before )", ssl->transform_out->iv_enc, ssl->transform_out->ivlen ); - MBEDTLS_SSL_DEBUG_BUF(4, "Sequence Number (before):", ssl->transform_out->sequence_number_enc, 12); + MBEDTLS_SSL_DEBUG_BUF( 4, "Sequence Number ( before ):", ssl->transform_out->sequence_number_enc, 12 ); - MBEDTLS_SSL_DEBUG_BUF(4, "Additional data used", add_data, add_data_len); + MBEDTLS_SSL_DEBUG_BUF( 4, "Additional data used", add_data, add_data_len ); - MBEDTLS_SSL_DEBUG_BUF(4, "Plaintext message:", enc_msg, enc_msglen); + MBEDTLS_SSL_DEBUG_BUF( 4, "Plaintext message:", enc_msg, enc_msglen ); - if ((ret = mbedtls_cipher_auth_encrypt(&ssl->transform_out->cipher_ctx_enc, - ssl->transform_out->iv_enc, - ssl->transform_out->ivlen, - add_data, add_data_len, - enc_msg, enc_msglen, - enc_msg, &olen, - enc_msg + enc_msglen, taglen)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_encrypt", ret); - return(ret); - } + if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc, + ssl->transform_out->iv_enc, + ssl->transform_out->ivlen, + add_data, add_data_len, + enc_msg, enc_msglen, + enc_msg, &olen, + enc_msg + enc_msglen, taglen ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); + return( ret ); + } - if (olen != enc_msglen) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( olen != enc_msglen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - //ssl->out_msglen += taglen; - auth_done++; + /* ssl->out_msglen += taglen; */ + auth_done++; - /* The size of the sequence number varies with DTLS 1.2 and DTLS 1.3, + /* The size of the sequence number varies with DTLS 1.2 and DTLS 1.3, * as well as been encrypted and plaintext payloads. * * Cases for the sequence numbers and epochs: @@ -384,58 +384,59 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) * - DTLS 1.2 ciphertext: 48 bit seqnr + 16 bit epoch * - DTLS 1.3 plaintext: 48 bit seqnr + 16 bit epoch * - DTLS 1.3 ciphertext: 16 bit or 8 bit seqnr + 2 bit epoch - * (encrypted seqnr) + * ( encrypted seqnr ) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - // For DTLS 1.3 and encrypted payloads only - if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) && - (ssl->transform_out != NULL)) - { - // TBD: Need to optimize this code section - - unsigned char mask[16]; - mbedtls_aes_context aes_ctx; - mbedtls_aes_init(&aes_ctx); - - /* For a working sequence number encryption solution we need 16 or more bytes - * of encrypted payload. We do a sanity check for the message length. - */ - if (enc_msglen + taglen < 16) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Sequence number encryption failed - msg payload too short.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - - /* Need to adjust to the key size and algorithm */ - mbedtls_aes_setkey_enc(&aes_ctx, ssl->transform_out->traffic_keys.client_sn_key, 128); - - /* Mask = AES-ECB(sn_key, Ciphertext[0..15]) */ - mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT, ssl->out_msg, mask); - - /* The encrypted sequence number is computed by XORing the leading bytes - * of the Mask with the sequence number. - */ - ssl->out_ctr[0] ^= mask[0]; - ssl->out_ctr[1] ^= mask[1]; - - mbedtls_aes_free(&aes_ctx); - } + /* For DTLS 1.3 and encrypted payloads only */ + if( ( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) && + ( ssl->transform_out != NULL ) ) + { + /* TBD: Need to optimize this code section */ + + unsigned char mask[16]; + mbedtls_aes_context aes_ctx; + mbedtls_aes_init( &aes_ctx ); + + /* For a working sequence number encryption solution we need 16 or more bytes + * of encrypted payload. We do a sanity check for the message length. + */ + if( enc_msglen + taglen < 16 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Sequence number encryption failed - msg payload too short." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* Need to adjust to the key size and algorithm */ + mbedtls_aes_setkey_enc( &aes_ctx, ssl->transform_out->traffic_keys.client_sn_key, 128 ); + + /* Mask = AES-ECB( sn_key, Ciphertext[0..15] ) */ + mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, ssl->out_msg, mask ); + + /* The encrypted sequence number is computed by XORing the leading bytes + * of the Mask with the sequence number. + */ + ssl->out_ctr[0] ^= mask[0]; + ssl->out_ctr[1] ^= mask[1]; + + mbedtls_aes_free( &aes_ctx ); + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if ((ret = incrementSequenceNumber(&ssl->transform_out->sequence_number_enc[0], ssl->transform_out->iv_enc, ssl->transform_out->ivlen)) != 0) { + if( ( ret = incrementSequenceNumber( &ssl->transform_out->sequence_number_enc[0], ssl->transform_out->iv_enc, ssl->transform_out->ivlen ) ) != 0 ) + { - MBEDTLS_SSL_DEBUG_RET(1, "Error in sequence number processing", ret); - return(ret); - } + MBEDTLS_SSL_DEBUG_RET( 1, "Error in sequence number processing", ret ); + return( ret ); + } - MBEDTLS_SSL_DEBUG_BUF(4, "Nonce (after)", ssl->transform_out->iv_enc, ssl->transform_out->ivlen); - MBEDTLS_SSL_DEBUG_BUF(4, "Sequence Number (after):", ssl->transform_out->sequence_number_enc, 12); + MBEDTLS_SSL_DEBUG_BUF( 4, "Nonce ( after )", ssl->transform_out->iv_enc, ssl->transform_out->ivlen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Sequence Number ( after ):", ssl->transform_out->sequence_number_enc, 12 ); - MBEDTLS_SSL_DEBUG_BUF(4, "Encrypted message (with tag): ", enc_msg, ssl->out_msglen); - MBEDTLS_SSL_DEBUG_BUF(4, "Tag", enc_msg + enc_msglen, taglen); - MBEDTLS_SSL_DEBUG_BUF(4, "Encrypted message (without tag): ", enc_msg, ssl->out_msglen - taglen); - } else + MBEDTLS_SSL_DEBUG_BUF( 4, "Encrypted message ( with tag ): ", enc_msg, ssl->out_msglen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Tag", enc_msg + enc_msglen, taglen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Encrypted message ( without tag ): ", enc_msg, ssl->out_msglen - taglen ); + } else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); @@ -473,145 +474,145 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) if( ssl->in_msglen < ssl->transform_in->minlen ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)", - ssl->in_msglen, ssl->transform_in->minlen ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen ( %d ) < minlen ( %d )", + ssl->in_msglen, ssl->transform_in->minlen ) ); return( MBEDTLS_ERR_SSL_INVALID_MAC ); } #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) - if (mode == MBEDTLS_MODE_GCM || - mode == MBEDTLS_MODE_CCM || - mode == MBEDTLS_MODE_CCM_8) - { - int ret; - size_t dec_msglen, olen; - unsigned char* dec_msg; - unsigned char* dec_msg_result; - unsigned char taglen; - unsigned char add_data[5]; - size_t add_data_len; - - // Currently there is only one cipher with a short authentication tag defined - if (ssl->transform_in->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8) - taglen = 8; - else taglen = 16; + if( mode == MBEDTLS_MODE_GCM || + mode == MBEDTLS_MODE_CCM || + mode == MBEDTLS_MODE_CCM_8 ) + { + int ret; + size_t dec_msglen, olen; + unsigned char* dec_msg; + unsigned char* dec_msg_result; + unsigned char taglen; + unsigned char add_data[5]; + size_t add_data_len; + + /* Currently there is only one cipher with a short authentication tag defined */ + if( ssl->transform_in->ciphersuite_info->cipher == MBEDTLS_CIPHER_AES_128_CCM_8 ) + taglen = 8; + else taglen = 16; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - /* Adding the content type to additional data */ - add_data[0] = 0x17; + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + /* Adding the content type to additional data */ + add_data[0] = 0x17; - /* Adding the version to additional data */ - add_data[1] = 0xfe; - add_data[2] = 0xfd; + /* Adding the version to additional data */ + add_data[1] = 0xfe; + add_data[2] = 0xfd; - /* Adding the length to additional data */ - add_data[3] = ssl->in_hdr[3]; - add_data[4] = ssl->in_hdr[4]; + /* Adding the length to additional data */ + add_data[3] = ssl->in_hdr[3]; + add_data[4] = ssl->in_hdr[4]; - add_data_len = 5; + add_data_len = 5; - dec_msglen = ssl->in_msglen - taglen; - dec_msg = ssl->in_msg; - dec_msg_result = ssl->in_msg; // We write the result into the input buffer - ssl->in_msglen = dec_msglen; // We adjust the message length since the authentication tag also consumes space. + dec_msglen = ssl->in_msglen - taglen; + dec_msg = ssl->in_msg; + dec_msg_result = ssl->in_msg; /* We write the result into the input buffer */ + ssl->in_msglen = dec_msglen; /* We adjust the message length since the authentication tag also consumes space. */ - MBEDTLS_SSL_DEBUG_MSG(4, ("msglen (%d)", ssl->in_msglen)); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "msglen ( %d )", ssl->in_msglen ) ); - MBEDTLS_SSL_DEBUG_BUF(4, "Nonce (before)", ssl->transform_in->iv_dec, ssl->transform_in->ivlen); + MBEDTLS_SSL_DEBUG_BUF( 4, "Nonce ( before )", ssl->transform_in->iv_dec, ssl->transform_in->ivlen ); - MBEDTLS_SSL_DEBUG_BUF(4, "Sequence Number (before):", ssl->transform_in->sequence_number_dec, 12); + MBEDTLS_SSL_DEBUG_BUF( 4, "Sequence Number ( before ):", ssl->transform_in->sequence_number_dec, 12 ); - MBEDTLS_SSL_DEBUG_BUF(4, "Additional data used", add_data, add_data_len); + MBEDTLS_SSL_DEBUG_BUF( 4, "Additional data used", add_data, add_data_len ); - MBEDTLS_SSL_DEBUG_BUF(4, "Encrypted message (with tag):", dec_msg, dec_msglen + taglen); - MBEDTLS_SSL_DEBUG_BUF(4, "Tag", dec_msg + dec_msglen, taglen); - MBEDTLS_SSL_DEBUG_BUF(4, "Encrypted message (without tag):", dec_msg, dec_msglen); - } - else + MBEDTLS_SSL_DEBUG_BUF( 4, "Encrypted message ( with tag ):", dec_msg, dec_msglen + taglen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Tag", dec_msg + dec_msglen, taglen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Encrypted message ( without tag ):", dec_msg, dec_msglen ); + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - /* Adding the content type to additional data */ - add_data[0] = ssl->in_hdr[0]; + { + /* Adding the content type to additional data */ + add_data[0] = ssl->in_hdr[0]; - /* Adding the version to additional data */ - add_data[1] = ssl->in_hdr[1]; - add_data[2] = ssl->in_hdr[2]; + /* Adding the version to additional data */ + add_data[1] = ssl->in_hdr[1]; + add_data[2] = ssl->in_hdr[2]; - /* Adding the length to additional data */ - add_data[3] = ssl->in_hdr[3]; - add_data[4] = ssl->in_hdr[4]; + /* Adding the length to additional data */ + add_data[3] = ssl->in_hdr[3]; + add_data[4] = ssl->in_hdr[4]; - add_data_len = 5; + add_data_len = 5; - dec_msglen = ssl->in_msglen - taglen; - dec_msg = ssl->in_msg; - dec_msg_result = ssl->in_msg; // We write the result into the input buffer - ssl->in_msglen = dec_msglen; // We adjust the message length since the authentication tag also consumes space. + dec_msglen = ssl->in_msglen - taglen; + dec_msg = ssl->in_msg; + dec_msg_result = ssl->in_msg; /* We write the result into the input buffer */ + ssl->in_msglen = dec_msglen; /* We adjust the message length since the authentication tag also consumes space. */ - MBEDTLS_SSL_DEBUG_MSG(4, ("msglen (%d)", ssl->in_msglen)); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "msglen ( %d )", ssl->in_msglen ) ); - MBEDTLS_SSL_DEBUG_BUF(4, "Nonce (before)", ssl->transform_in->iv_dec, ssl->transform_in->ivlen); + MBEDTLS_SSL_DEBUG_BUF( 4, "Nonce ( before )", ssl->transform_in->iv_dec, ssl->transform_in->ivlen ); - MBEDTLS_SSL_DEBUG_BUF(4, "Sequence Number (before):", ssl->transform_in->sequence_number_dec, 12); + MBEDTLS_SSL_DEBUG_BUF( 4, "Sequence Number ( before ):", ssl->transform_in->sequence_number_dec, 12 ); - MBEDTLS_SSL_DEBUG_BUF(4, "Additional data used", add_data, add_data_len); + MBEDTLS_SSL_DEBUG_BUF( 4, "Additional data used", add_data, add_data_len ); - MBEDTLS_SSL_DEBUG_BUF(4, "Encrypted message (with tag):", dec_msg, dec_msglen + taglen); - MBEDTLS_SSL_DEBUG_BUF(4, "Tag", dec_msg + dec_msglen, taglen); - MBEDTLS_SSL_DEBUG_BUF(4, "Encrypted message (without tag):", dec_msg, dec_msglen); - } + MBEDTLS_SSL_DEBUG_BUF( 4, "Encrypted message ( with tag ):", dec_msg, dec_msglen + taglen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Tag", dec_msg + dec_msglen, taglen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Encrypted message ( without tag ):", dec_msg, dec_msglen ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_CID) - // For DTLS 1.3 and encrypted payloads we need to decrypt the sequence number - if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) && - (ssl->transform_out != NULL)) - { - // TBD: Need to optimize this code section - // Need to find out whether this section is only executed when the CID extension has been agreed. - - unsigned char mask[16]; - mbedtls_aes_context aes_ctx; - mbedtls_aes_init(&aes_ctx); - - /* For a working sequence number encryption solution we need 16 or more bytes - * of encrypted payload. We do a sanity check for the message length. - */ - if (dec_msglen + taglen < 16) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Sequence number encryption failed - msg payload too short.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - /* Need to adjust to the key size and algorithm */ - mbedtls_aes_setkey_enc(&aes_ctx, ssl->transform_out->traffic_keys.server_sn_key, 128); - - /* Mask = AES-ECB(sn_key, Ciphertext[0..15]) */ - mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT, dec_msg, mask); - - /* Decrypt the sequence number using XOR with the leading bytes - * of the Mask. - */ - ssl->in_ctr[0] ^= mask[0]; - ssl->in_ctr[1] ^= mask[1]; - - mbedtls_aes_free(&aes_ctx); + /* For DTLS 1.3 and encrypted payloads we need to decrypt the sequence number */ + if( ( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) && + ( ssl->transform_out != NULL ) ) + { + /* TBD: Need to optimize this code section */ + /* Need to find out whether this section is only executed when the CID extension has been agreed. */ + + unsigned char mask[16]; + mbedtls_aes_context aes_ctx; + mbedtls_aes_init( &aes_ctx ); + + /* For a working sequence number encryption solution we need 16 or more bytes + * of encrypted payload. We do a sanity check for the message length. + */ + if( dec_msglen + taglen < 16 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Sequence number encryption failed - msg payload too short." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + /* Need to adjust to the key size and algorithm */ + mbedtls_aes_setkey_enc( &aes_ctx, ssl->transform_out->traffic_keys.server_sn_key, 128 ); + + /* Mask = AES-ECB( sn_key, Ciphertext[0..15] ) */ + mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, dec_msg, mask ); + + /* Decrypt the sequence number using XOR with the leading bytes + * of the Mask. + */ + ssl->in_ctr[0] ^= mask[0]; + ssl->in_ctr[1] ^= mask[1]; + + mbedtls_aes_free( &aes_ctx ); } #endif /* MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_CID */ /* * Decrypt and authenticate */ - if ((ret = mbedtls_cipher_auth_decrypt(&ssl->transform_in->cipher_ctx_dec, - ssl->transform_in->iv_dec, - ssl->transform_in->ivlen, - add_data, add_data_len, - dec_msg, dec_msglen, - dec_msg_result, &olen, - dec_msg + dec_msglen, taglen)) != 0) + if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec, + ssl->transform_in->iv_dec, + ssl->transform_in->ivlen, + add_data, add_data_len, + dec_msg, dec_msglen, + dec_msg_result, &olen, + dec_msg + dec_msglen, taglen ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "Error in mbedtls_cipher_auth_decrypt()", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "Error in mbedtls_cipher_auth_decrypt( )", ret ); if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) return( MBEDTLS_ERR_SSL_INVALID_MAC ); @@ -620,20 +621,21 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) } auth_done++; - if ((ret = incrementSequenceNumber(&ssl->transform_in->sequence_number_dec[0], ssl->transform_in->iv_dec, ssl->transform_in->ivlen)) != 0) { + if( ( ret = incrementSequenceNumber( &ssl->transform_in->sequence_number_dec[0], ssl->transform_in->iv_dec, ssl->transform_in->ivlen ) ) != 0 ) + { - MBEDTLS_SSL_DEBUG_RET(1, "Error in sequence number processing", ret); - return(ret); - } + MBEDTLS_SSL_DEBUG_RET( 1, "Error in sequence number processing", ret ); + return( ret ); + } - MBEDTLS_SSL_DEBUG_BUF(4, "Nonce (after)", ssl->transform_in->iv_dec, ssl->transform_in->ivlen); - MBEDTLS_SSL_DEBUG_BUF(4, "Sequence Number (after):", ssl->transform_in->sequence_number_dec, 12); + MBEDTLS_SSL_DEBUG_BUF( 4, "Nonce ( after )", ssl->transform_in->iv_dec, ssl->transform_in->ivlen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "Sequence Number ( after ):", ssl->transform_in->sequence_number_dec, 12 ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - // always copy the most recent IV used for incoming data. - memcpy(ssl->transform_in->traffic_keys_previous.iv, ssl->transform_in->iv_dec, ssl->transform_in->ivlen); + /* Always copy the most recent IV used for incoming data. */ + memcpy( ssl->transform_in->traffic_keys_previous.iv, ssl->transform_in->iv_dec, ssl->transform_in->ivlen ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ @@ -642,8 +644,8 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - /* This is now the structure of the resulting decrypted message: - * struct { + /* This is now the structure of the resulting decrypted message: + * struct { * opaque content[TLSPlaintext.length]; * ContentType type; * uint8 zeros[length_of_padding]; @@ -670,12 +672,12 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) /* * Three or more empty messages may be a DoS attack - * (excessive CPU consumption). + * ( excessive CPU consumption ). */ if( ssl->nb_zero > 3 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " - "messages, possible DoS attack" ) ); + "messages, possible DoS attack" ) ); return( MBEDTLS_ERR_SSL_INVALID_MAC ); } } @@ -712,12 +714,12 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) * Fill the input message buffer by appending data to it. * The amount of data already fetched is in ssl->in_left. * - * If we return 0, is it guaranteed that (at least) nb_want bytes are - * available (from this read and/or a previous one). Otherwise, an error code - * is returned (possibly EOF or WANT_READ). + * If we return 0, is it guaranteed that ( at least ) nb_want bytes are + * available ( from this read and/or a previous one ). Otherwise, an error code + * is returned ( possibly EOF or WANT_READ ). * - * With stream transport (TLS) on success ssl->in_left == nb_want, but - * with datagram transport (DTLS) on success ssl->in_left >= nb_want, + * With stream transport ( TLS ) on success ssl->in_left == nb_want, but + * with datagram transport ( DTLS ) on success ssl->in_left >= nb_want, * since we always read a whole datagram at once. * * For DTLS, it is up to the caller to set ssl->next_record_offset when @@ -732,12 +734,12 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " - "or mbedtls_ssl_set_bio()" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio( ) " + "or mbedtls_ssl_set_bio( )" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) ) + if( nb_want > MBEDTLS_SSL_BUFFER_LEN - ( size_t )( ssl->in_hdr - ssl->in_buf ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -752,15 +754,15 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use " - "mbedtls_ssl_set_timer_cb() for DTLS" ) ); + "mbedtls_ssl_set_timer_cb( ) for DTLS" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } /* * The point is, we need to always read a full datagram at once, so we * sometimes read more then requested, and handle the additional data. - * It could be the rest of the current record (while fetching the - * header) and/or some other records in the same datagram. + * It could be the rest of the current record ( while fetching the + * header ) and/or some other records in the same datagram. */ /* @@ -779,7 +781,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->in_left != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d", - ssl->next_record_offset ) ); + ssl->next_record_offset ) ); memmove( ssl->in_hdr, ssl->in_hdr + ssl->next_record_offset, ssl->in_left ); @@ -789,12 +791,12 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) } MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", - ssl->in_left, nb_want ) ); + ssl->in_left, nb_want ) ); /* * Done if we already have enough data. */ - if( nb_want <= ssl->in_left) + if( nb_want <= ssl->in_left ) { MBEDTLS_SSL_DEBUG_MSG( 5, ( "<= fetch input" ) ); return( 0 ); @@ -831,11 +833,11 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->f_recv_timeout != NULL ) ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, - timeout ); + timeout ); else ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); - MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); + MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv( _timeout )", ret ); if( ret == 0 ) return( MBEDTLS_ERR_SSL_CONN_EOF ); @@ -873,7 +875,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) #endif /* MBEDTLS_SSL_PROTO_DTLS */ { MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", - ssl->in_left, nb_want ) ); + ssl->in_left, nb_want ) ); while( ssl->in_left < nb_want ) { @@ -898,7 +900,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", ssl->in_left, nb_want ) ); - MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); + MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv( _timeout )", ret ); if( ret == 0 ) return( MBEDTLS_ERR_SSL_CONN_EOF ); @@ -927,8 +929,8 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( ssl->f_send == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " - "or mbedtls_ssl_set_bio()" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio( ) " + "or mbedtls_ssl_set_bio( )" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -942,38 +944,39 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) while( ssl->out_left > 0 ) { - buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_out) + - ssl->out_msglen - ssl->out_left; + buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_out ) + + ssl->out_msglen - ssl->out_left; ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); if( ret <= 0 ) return( ret ); - else { - MBEDTLS_SSL_DEBUG_BUF(4, "SENT TO THE NETWORK", - ssl->out_hdr, mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_out) + ssl->out_msglen); + else + { + MBEDTLS_SSL_DEBUG_BUF( 4, "SENT TO THE NETWORK", + ssl->out_hdr, mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_out ) + ssl->out_msglen ); - MBEDTLS_SSL_DEBUG_MSG(2, ("message length: %d, out_left: %d", - mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_out) + ssl->out_msglen, ssl->out_left)); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d", + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_out ) + ssl->out_msglen, ssl->out_left ) ); - MBEDTLS_SSL_DEBUG_RET(2, "ssl->f_send", ret); - } + MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); + } ssl->out_left -= ret; } - /* Increment record layer sequence number */ - for (i = 8; i > ssl_ep_len(ssl); i--) - if (++ssl->out_ctr[i - 1] != 0) - break; + /* Increment record layer sequence number */ + for ( i = 8; i > ssl_ep_len( ssl ); i-- ) + if( ++ssl->out_ctr[i - 1] != 0 ) + break; - /* The loop goes to its end iff the sequence number is wrapping */ - if (i == ssl_ep_len(ssl)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("outgoing message counter / sequence number would wrap")); - return(MBEDTLS_ERR_SSL_COUNTER_WRAPPING); - } + /* The loop goes to its end iff the sequence number is wrapping */ + if( i == ssl_ep_len( ssl ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter / sequence number would wrap" ) ); + return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); + } - MBEDTLS_SSL_DEBUG_MSG( 5, ( "<= flush output" ) ); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "<= flush output" ) ); return( 0 ); } @@ -993,7 +996,7 @@ static int ssl_flight_append( mbedtls_ssl_context *ssl ) if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", - sizeof( mbedtls_ssl_flight_item ) ) ); + sizeof( mbedtls_ssl_flight_item ) ) ); return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); } @@ -1078,7 +1081,7 @@ static void ssl_swap_epochs( mbedtls_ssl_context *ssl ) ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) { ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen - - ssl->transform_out->fixed_ivlen; + ssl->transform_out->fixed_ivlen; } else ssl->out_msg = ssl->out_iv; @@ -1203,406 +1206,416 @@ void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) * Write current record. * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg. */ -int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl) +int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) { - int ret, done = 0; - size_t dummy_length; - size_t len = ssl->out_msglen; + int ret, done = 0; + size_t dummy_length; + size_t len = ssl->out_msglen; - MBEDTLS_SSL_DEBUG_MSG(5, ("=> write record")); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "=> write record" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->handshake != NULL && - ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) - { - ; /* Skip special handshake treatment when resending */ - } - else + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->handshake != NULL && + ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) + { + ; /* Skip special handshake treatment when resending */ + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - if ((ssl->out_msg != NULL) && (ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE)) { - - if (ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST && - ssl->handshake == NULL && ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - - /* - * TLS / DTLS 1.3 Handshake Message - * + { + if( ( ssl->out_msg != NULL ) && ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) ) + { + + if( ssl->out_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST && + ssl->handshake == NULL && ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* + * TLS / DTLS 1.3 Handshake Message + * * struct { - * HandshakeType msg_type; // handshake type - * uint24 length; // bytes in message - * uint16 message_seq; // DTLS only - * uint24 fragment_offset; // DTLS only - * uint24 fragment_length; // DTLS-required field - * select(HandshakeType) { + * HandshakeType msg_type; // handshake type + * uint24 length; // bytes in message + * uint16 message_seq; // DTLS only + * uint24 fragment_offset; // DTLS only + * uint24 fragment_length; // DTLS-required field + * select( HandshakeType ) { * case client_hello: ClientHello; - * case server_hello: ServerHello; - * case end_of_early_data: EndOfEarlyData; - * case encrypted_extensions: EncryptedExtensions; - * case certificate_request: CertificateRequest; - * case certificate: Certificate; - * case certificate_verify: CertificateVerify; - * case finished: Finished; - * case new_session_ticket: NewSessionTicket; - * case key_update: KeyUpdate; - * } body; - * } Handshake; - * - */ - /* Add handshake message length */ - ssl->out_msg[1] = (unsigned char)((len - 4) >> 16); - ssl->out_msg[2] = (unsigned char)((len - 4) >> 8); - ssl->out_msg[3] = (unsigned char)((len - 4)); - - if (ssl->transform_out != NULL) { - // We add the ContentType to the end of the payload - // and fake the one visible from the outside. - ssl->out_msg[len] = MBEDTLS_SSL_MSG_HANDSHAKE; - len += 1; - ssl->out_msglen += 1; - } + * case server_hello: ServerHello; + * case end_of_early_data: EndOfEarlyData; + * case encrypted_extensions: EncryptedExtensions; + * case certificate_request: CertificateRequest; + * case certificate: Certificate; + * case certificate_verify: CertificateVerify; + * case finished: Finished; + * case new_session_ticket: NewSessionTicket; + * case key_update: KeyUpdate; + * } body; + * } Handshake; + * + */ + /* Add handshake message length */ + ssl->out_msg[1] = ( unsigned char )( ( len - 4 ) >> 16 ); + ssl->out_msg[2] = ( unsigned char )( ( len - 4 ) >> 8 ); + ssl->out_msg[3] = ( unsigned char )( ( len - 4 ) ); + + if( ssl->transform_out != NULL ) + { + /* We add the ContentType to the end of the payload + and fake the one visible from the outside. */ + ssl->out_msg[len] = MBEDTLS_SSL_MSG_HANDSHAKE; + len += 1; + ssl->out_msglen += 1; + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* - * DTLS has additional fields in the Handshake layer, - * between the length field and the actual payload: - * uint16 message_seq; - * uint24 fragment_offset; - * uint24 fragment_length; - */ - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - /* Make room for the additional DTLS fields */ - memmove(ssl->out_msg + mbedtls_ssl_hs_hdr_len(ssl), ssl->out_msg + 4, len - 4); - ssl->out_msglen += 8; + /* + * DTLS has additional fields in the Handshake layer, + * between the length field and the actual payload: + * uint16 message_seq; + * uint24 fragment_offset; + * uint24 fragment_length; + */ + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + /* Make room for the additional DTLS fields */ + memmove( ssl->out_msg + mbedtls_ssl_hs_hdr_len( ssl ), ssl->out_msg + 4, len - 4 ); + ssl->out_msglen += 8; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - // Advancing also the pointer to the pre_shared_key extension (if used) - if ((ssl->handshake != NULL) && (ssl->handshake->pre_shared_key_pointer != NULL)) { - ssl->handshake->pre_shared_key_pointer += 8; - } + /* Advancing also the pointer to the pre_shared_key extension (if used) */ + if( ( ssl->handshake != NULL ) && ( ssl->handshake->pre_shared_key_pointer != NULL ) ) + { + ssl->handshake->pre_shared_key_pointer += 8; + } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ - len += 8; - - /* Write message_seq and update it */ - if (ssl->out_msg[0] == MBEDTLS_SSL_HS_NEW_SESSION_TICKET) { - /* TBD: Here we just fake the sequence number field. - * In the future we need to store the sequence number in the - * session state (instead of the handshake state). - */ - // ssl->out_msg[4] = 5; - // ssl->out_msg[5] = 0; - // Add Handshake sequence number - ssl->out_msg[4] = (ssl->handshake->out_msg_seq >> 8) & 0xFF; - ssl->out_msg[5] = (ssl->handshake->out_msg_seq) & 0xFF; - ++(ssl->handshake->out_msg_seq); - } - else - { - // Add Handshake sequence number - ssl->out_msg[4] = (ssl->handshake->out_msg_seq >> 8) & 0xFF; - ssl->out_msg[5] = (ssl->handshake->out_msg_seq) & 0xFF; - ++(ssl->handshake->out_msg_seq); - } - - /* We don't fragment, so frag_offset = 0 and frag_len = len */ - memset(ssl->out_msg + 6, 0x00, 3); - - /* Copying the length field back into the shifted area */ - memcpy(ssl->out_msg + 9, ssl->out_msg + 1, 3); - } + len += 8; + + /* Write message_seq and update it */ + if( ssl->out_msg[0] == MBEDTLS_SSL_HS_NEW_SESSION_TICKET ) + { + /* TBD: Here we just fake the sequence number field. + * In the future we need to store the sequence number in the + * session state ( instead of the handshake state ). + */ + /* Add Handshake sequence number */ + ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; + ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; + ++( ssl->handshake->out_msg_seq ); + } + else + { + /* Add Handshake sequence number */ + ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; + ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; + ++( ssl->handshake->out_msg_seq ); + } + + /* We don't fragment, so frag_offset = 0 and frag_len = len */ + memset( ssl->out_msg + 6, 0x00, 3 ); + + /* Copying the length field back into the shifted area */ + memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - /* We need to patch the psk binder by - * re-running the function to get the correct length information for the extension. - * But: we only do that when in ClientHello state and when using a PSK mode - */ - if ((ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) - && - (ssl->state == MBEDTLS_SSL_CLIENT_HELLO) - && - (ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION) - && - (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE || - ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE)) { - - ssl_write_pre_shared_key_ext(ssl, ssl->handshake->ptr_to_psk_ext, &ssl->out_msg[len], &dummy_length, 1); - } + /* We need to patch the psk binder by + * re-running the function to get the correct length information for the extension. + * But: we only do that when in ClientHello state and when using a PSK mode + */ + if( ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + && + ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ) + && + ( ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION ) + && + ( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL || + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE || + ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE ) ) { + + ssl_write_pre_shared_key_ext( ssl, ssl->handshake->ptr_to_psk_ext, &ssl->out_msg[len], &dummy_length, 1 ); + } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ - // For post-handshake messages we do not need to update the hash anymore - if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) { - - // if (ssl->transform_out != NULL && ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { - if (ssl->transform_out != NULL) { - /* If we append the handshake type to the message then we - * don't include it in the handshake hash. */ - - MBEDTLS_SSL_DEBUG_MSG(5, ("--- Update Checksum (mbedtls_ssl_write_record-1)")); - - ssl->handshake->update_checksum(ssl, ssl->out_msg, len - 1); - } - else - { - MBEDTLS_SSL_DEBUG_MSG(5, ("--- Update Checksum (mbedtls_ssl_write_record)")); - ssl->handshake->update_checksum(ssl, ssl->out_msg, len); - } - } - } - } + /* For post-handshake messages we do not need to update the hash anymore */ + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + { + if( ssl->transform_out != NULL ) + { + /* If we append the handshake type to the message then we + * don't include it in the handshake hash. */ + + MBEDTLS_SSL_DEBUG_MSG( 5, ( "--- Update Checksum ( mbedtls_ssl_write_record-1 )" ) ); - /* Save handshake and CCS messages for resending */ + ssl->handshake->update_checksum( ssl, ssl->out_msg, len - 1 ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 5, ( "--- Update Checksum ( mbedtls_ssl_write_record )" ) ); + ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); + } + } + } + } + + /* Save handshake and CCS messages for resending */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->handshake != NULL && - ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && - (ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || - ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE)) - { - if ((ret = ssl_flight_append(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_flight_append", ret); - return(ret); - } - } + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->handshake != NULL && + ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && + ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || + ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) ) + { + if( ( ret = ssl_flight_append( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); + return( ret ); + } + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) - if (mbedtls_ssl_hw_record_write != NULL) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("going for mbedtls_ssl_hw_record_write()")); - - ret = mbedtls_ssl_hw_record_write(ssl); - if (ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_write", ret); - return(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); - } - - if (ret == 0) - done = 1; - } + if( mbedtls_ssl_hw_record_write != NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write( )" ) ); + + ret = mbedtls_ssl_hw_record_write( ssl ); + if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + if( ret == 0 ) + done = 1; + } #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ - if (!done) - { + if( !done ) + { #if defined(MBEDTLS_SSL_PROTO_DTLS) - size_t i=0; - - /* - * - * --- DTLS 1.3 Record Layer Header --- - * - * struct { - * ContentType type; - * ProtocolVersion legacy_record_version; - * uint16 epoch = 0 // DTLS field - * uint48 sequence_number; // DTLS field - * uint16 length; - * opaque fragment[DTLSPlaintext.length]; - * } DTLSPlaintext; - - * struct { - * opaque content[DTLSPlaintext.length]; - * ContentType type; - * uint8 zeros[length_of_padding]; - * } DTLSInnerPlaintext; - * - * struct { - * opaque unified_hdr[variable]; - * opaque encrypted_record[length]; - * } DTLSCiphertext; - * - * 0 1 2 3 4 5 6 7 - * +-+-+-+-+-+-+-+-+ - * |0|0|1|C|S|L|E E| - * +-+-+-+-+-+-+-+-+ - * | Connection ID | Legend: - * | (if any, | - * / length as / C - CID present - * | negotiated) | S - Sequence number length - * +-+-+-+-+-+-+-+-+ L - Length present - * | 8 or 16 bit | E - Epoch - * |Sequence Number| - * +-+-+-+-+-+-+-+-+ - * | 16 bit Length | - * | (if present) | - * +-+-+-+-+-+-+-+-+ - * - */ - - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - - if (ssl->transform_out == NULL) { - /* Plaintext DTLS payload */ - - /* Set ContentType */ - ssl->out_hdr[0] = ssl->out_msgtype; - - /* Write version */ - mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver, - ssl->conf->transport, ssl->out_hdr + 1); - - /* Write epoch */ - ssl->out_buf[3] = (char)(ssl->out_epoch >> 8) & 0xFF; - ssl->out_buf[4] = (char)(ssl->out_epoch) & 0xFF; - - /* Write sequence number */ - // TBD - - /* Write Length */ - ssl->out_len[0] = (unsigned char)(len >> 8); - ssl->out_len[1] = (unsigned char)(len); - - } - else { - /* Encrypted DTLS payload */ - - /* Set flags in unified header */ - ssl->out_hdr[0] = MBEDTLS_SSL_UNIFIED_HDR_PREAMBLE_3; + size_t i=0; + + /* + * + * --- DTLS 1.3 Record Layer Header --- + * + * struct { + * ContentType type; + * ProtocolVersion legacy_record_version; + * uint16 epoch = 0 // DTLS field + * uint48 sequence_number; // DTLS field + * uint16 length; + * opaque fragment[DTLSPlaintext.length]; + * } DTLSPlaintext; + + * struct { + * opaque content[DTLSPlaintext.length]; + * ContentType type; + * uint8 zeros[length_of_padding]; + * } DTLSInnerPlaintext; + * + * struct { + * opaque unified_hdr[variable]; + * opaque encrypted_record[length]; + * } DTLSCiphertext; + * + * 0 1 2 3 4 5 6 7 + * +-+-+-+-+-+-+-+-+ + * |0|0|1|C|S|L|E E| + * +-+-+-+-+-+-+-+-+ + * | Connection ID | Legend: + * | ( if any, | + * / length as / C - CID present + * | negotiated ) | S - Sequence number length + * +-+-+-+-+-+-+-+-+ L - Length present + * | 8 or 16 bit | E - Epoch + * |Sequence Number| + * +-+-+-+-+-+-+-+-+ + * | 16 bit Length | + * | ( if present ) | + * +-+-+-+-+-+-+-+-+ + * + */ + + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + + if( ssl->transform_out == NULL ) + { + /* Plaintext DTLS payload */ + + /* Set ContentType */ + ssl->out_hdr[0] = ssl->out_msgtype; + + /* Write version */ + mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, + ssl->conf->transport, ssl->out_hdr + 1 ); + + /* Write epoch */ + ssl->out_buf[3] = ( char )( ssl->out_epoch >> 8 ) & 0xFF; + ssl->out_buf[4] = ( char )( ssl->out_epoch ) & 0xFF; + + /* Write sequence number */ + /* TBD */ + + /* Write Length */ + ssl->out_len[0] = ( unsigned char )( len >> 8 ); + ssl->out_len[1] = ( unsigned char )( len ); + + } + else + { + /* Encrypted DTLS payload */ + + /* Set flags in unified header */ + ssl->out_hdr[0] = MBEDTLS_SSL_UNIFIED_HDR_PREAMBLE_3; #if defined(MBEDTLS_CID) - if (ssl->out_cid_len > 0) { + if( ssl->out_cid_len > 0 ) + { - ssl->out_hdr[0] = ssl->out_hdr[0] | MBEDTLS_SSL_UNIFIED_HDR_CID; + ssl->out_hdr[0] = ssl->out_hdr[0] | MBEDTLS_SSL_UNIFIED_HDR_CID; - // Write the CID of the outgoing datagram - memcpy(&ssl->out_hdr[1], ssl->out_cid, ssl->out_cid_len); - i += ssl->out_cid_len; - } + /* Write the CID of the outgoing datagram */ + memcpy( &ssl->out_hdr[1], ssl->out_cid, ssl->out_cid_len ); + i += ssl->out_cid_len; + } #endif /* MBEDTLS_CID */ - /* Write epoch */ - switch (ssl->out_epoch % 4) { + /* Write epoch */ + switch ( ssl->out_epoch % 4 ) { - case 0: /* clear epoch 1 and 2 */ - ssl->out_hdr[0] &= ~(MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1); - ssl->out_hdr[0] &= ~(MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2); - break; + case 0: /* clear epoch 1 and 2 */ + ssl->out_hdr[0] &= ~( MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1 ); + ssl->out_hdr[0] &= ~( MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2 ); + break; - case 1: /* Set epoch 1 and clear epoch 2 */ - ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1; - ssl->out_hdr[0] &= ~(MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2); - break; + case 1: /* Set epoch 1 and clear epoch 2 */ + ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1; + ssl->out_hdr[0] &= ~( MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2 ); + break; - case 2: /* Clear epoch 1 and set epoch 2 */ - ssl->out_hdr[0] &= ~(MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1); - ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2; - break; + case 2: /* Clear epoch 1 and set epoch 2 */ + ssl->out_hdr[0] &= ~( MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1 ); + ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2; + break; - case 3: /* Set epoch 1 and 2 */ - ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1; - ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2; - } + case 3: /* Set epoch 1 and 2 */ + ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1; + ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2; + } - /* Write 16 bit sequence number */ - ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_SNR; + /* Write 16 bit sequence number */ + ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_SNR; - // Change pointer for where to store the sequence number fields - ssl->out_ctr = &ssl->out_hdr[1 + i]; + /* Change pointer for where to store the sequence number fields */ + ssl->out_ctr = &ssl->out_hdr[1 + i]; - /* Write 16 bit length */ - ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_LEN; - ssl->out_hdr[3 + i] = (unsigned char)(len >> 8); - ssl->out_hdr[4 + i] = (unsigned char)(len); + /* Write 16 bit length */ + ssl->out_hdr[0] |= MBEDTLS_SSL_UNIFIED_HDR_LEN; + ssl->out_hdr[3 + i] = ( unsigned char )( len >> 8 ); + ssl->out_hdr[4 + i] = ( unsigned char )( len ); - /* Change pointer to length field */ - ssl->out_len = &ssl->out_hdr[3 + i]; + /* Change pointer to length field */ + ssl->out_len = &ssl->out_hdr[3 + i]; - /* Change pointer to message contents */ - ssl->out_msg = &ssl->out_hdr[3 + i + 2]; - } - } - else + /* Change pointer to message contents */ + ssl->out_msg = &ssl->out_hdr[3 + i + 2]; + } + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - - /* - * - * --- TLS 1.3 Record Layer Header --- - * - * struct { - * ContentType type; - * ProtocolVersion record_version = { 3, 1 }; - * uint16 length; - * opaque fragment[TLSPlaintext.length]; - * } TLSPlaintext; - */ - - /* Set ContentType */ - if (ssl->transform_out != NULL) { - /* In case of TLS 1.3 for encrypted payloads we claim that we are - * sending application data but in reality we are using - * an encrypted handshake message. - */ - ssl->out_hdr[0] = MBEDTLS_SSL_MSG_APPLICATION_DATA; - } - else { - ssl->out_hdr[0] = ssl->out_msgtype; - } - - /* TLS 1.3 re-uses the version {3, 4} in the ClientHello, Serverhello, - * etc. but the record layer uses {3, 3} (or {3,1} for compatibility reasons, - * and hence we need to patch it. - */ - mbedtls_ssl_write_version(3, 3, ssl->conf->transport, ssl->out_hdr + 1); - - /* Write Length */ - ssl->out_len[0] = (unsigned char)(len >> 8); - ssl->out_len[1] = (unsigned char)(len); - } - - if (ssl->transform_out != NULL) - { - if ((ret = ssl_encrypt_buf(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret); - return(ret); - } - - len = ssl->out_msglen; - ssl->out_len[0] = (unsigned char)(len >> 8); - ssl->out_len[1] = (unsigned char)(len); - } - - /* Calculate the number of bytes we have to put on the wire */ - ssl->out_left = mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_out) + ssl->out_msglen; - - if (ssl->transform_out != NULL) { - MBEDTLS_SSL_DEBUG_MSG(3, ("output record: msgtype = %d, " - "version = [%d:%d], msglen = %d", - ssl->out_msgtype, ssl->major_ver, ssl->minor_ver, - (ssl->out_len[0] << 8) | ssl->out_len[1])); - } - else { - MBEDTLS_SSL_DEBUG_MSG(3, ("output record: msgtype = %d, " - "version = [%d:%d], msglen = %d", - ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], - (ssl->out_len[0] << 8) | ssl->out_len[1])); - } - } + { - if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flush_output", ret); - return(ret); - } + /* + * + * --- TLS 1.3 Record Layer Header --- + * + * struct { + * ContentType type; + * ProtocolVersion record_version = { 3, 1 }; + * uint16 length; + * opaque fragment[TLSPlaintext.length]; + * } TLSPlaintext; + */ + + /* Set ContentType */ + if( ssl->transform_out != NULL ) + { + /* In case of TLS 1.3 for encrypted payloads we claim that we are + * sending application data but in reality we are using + * an encrypted handshake message. + */ + ssl->out_hdr[0] = MBEDTLS_SSL_MSG_APPLICATION_DATA; + } + else + { + ssl->out_hdr[0] = ssl->out_msgtype; + } + + /* TLS 1.3 re-uses the version {3, 4} in the ClientHello, Serverhello, + * etc. but the record layer uses {3, 3} ( or {3,1} for compatibility reasons, + * and hence we need to patch it. + */ + mbedtls_ssl_write_version( 3, 3, ssl->conf->transport, ssl->out_hdr + 1 ); - MBEDTLS_SSL_DEBUG_MSG(5, ("<= write record")); + /* Write Length */ + ssl->out_len[0] = ( unsigned char )( len >> 8 ); + ssl->out_len[1] = ( unsigned char )( len ); + } - return(0); + if( ssl->transform_out != NULL ) + { + if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); + return( ret ); + } + + len = ssl->out_msglen; + ssl->out_len[0] = ( unsigned char )( len >> 8 ); + ssl->out_len[1] = ( unsigned char )( len ); + } + + /* Calculate the number of bytes we have to put on the wire */ + ssl->out_left = mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, ssl->transform_out ) + ssl->out_msglen; + + if( ssl->transform_out != NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " + "version = [%d:%d], msglen = %d", + ssl->out_msgtype, ssl->major_ver, ssl->minor_ver, + ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " + "version = [%d:%d], msglen = %d", + ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], + ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) ); + } + } + + if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_MSG( 5, ( "<= write record" ) ); + + return( 0 ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) /* - * Mark bits in bitmask (used for DTLS HS reassembly) + * Mark bits in bitmask ( used for DTLS HS reassembly ) */ static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) { @@ -1666,9 +1679,9 @@ static int ssl_bitmask_check( unsigned char *mask, size_t len ) * Reassemble fragmented DTLS handshake messages. * * Use a temporary buffer for reassembly, divided in two parts: - * - the first holds the reassembled message (including handshake header), + * - the first holds the reassembled message ( including handshake header ), * - the second holds a bitmask indicating which parts of the message - * (excluding headers) have been received so far. + * ( excluding headers ) have been received so far. */ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) { @@ -1678,7 +1691,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) if( ssl->handshake == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake ( for now )" ) ); return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } @@ -1690,7 +1703,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) size_t alloc_len; MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d", - msg_len ) ); + msg_len ) ); if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN ) { @@ -1704,7 +1717,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len ); if( ssl->handshake->hs_msg == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed ( %d bytes )", alloc_len ) ); return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); } @@ -1732,28 +1745,28 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) * Check and copy current fragment */ frag_off = ( ssl->in_msg[6] << 16 ) | - ( ssl->in_msg[7] << 8 ) | - ssl->in_msg[8]; + ( ssl->in_msg[7] << 8 ) | + ssl->in_msg[8]; frag_len = ( ssl->in_msg[9] << 16 ) | - ( ssl->in_msg[10] << 8 ) | - ssl->in_msg[11]; + ( ssl->in_msg[10] << 8 ) | + ssl->in_msg[11]; if( frag_off + frag_len > msg_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d", - frag_off, frag_len, msg_len ) ); + frag_off, frag_len, msg_len ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } if( frag_len + 12 > ssl->in_msglen ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d", - frag_len, ssl->in_msglen ) ); + frag_len, ssl->in_msglen ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d", - frag_off, frag_len ) ); + frag_off, frag_len ) ); memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); ssl_bitmask_set( bitmask, frag_off, frag_len ); @@ -1797,7 +1810,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) ssl->in_left = ssl->next_record_offset + remain_len; if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN - - (size_t)( ssl->in_hdr - ssl->in_buf ) ) + ( size_t )( ssl->in_hdr - ssl->in_buf ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) ); return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); @@ -1812,7 +1825,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) ssl->handshake->hs_msg = NULL; MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message", - ssl->in_msg, ssl->in_hslen ); + ssl->in_msg, ssl->in_hslen ); return( 0 ); } @@ -1825,18 +1838,18 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d", - ssl->in_msglen ) ); + ssl->in_msglen ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ( - ( ssl->in_msg[1] << 16 ) | - ( ssl->in_msg[2] << 8 ) | - ssl->in_msg[3] ); + ( ssl->in_msg[1] << 16 ) | + ( ssl->in_msg[2] << 8 ) | + ssl->in_msg[3] ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" - " %d, type = %d, hslen = %d", - ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); + " %d, type = %d, hslen = %d", + ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) @@ -1855,9 +1868,9 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " - "message_seq = %d, start_of_flight = %d", - recv_msg_seq, - ssl->handshake->in_flight_start_seq ) ); + "message_seq = %d, start_of_flight = %d", + recv_msg_seq, + ssl->handshake->in_flight_start_seq ) ); if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) { @@ -1868,9 +1881,9 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) else { MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " - "message_seq = %d, expected = %d", - recv_msg_seq, - ssl->handshake->in_msg_seq ) ); + "message_seq = %d, expected = %d", + recv_msg_seq, + ssl->handshake->in_msg_seq ) ); } return( MBEDTLS_ERR_SSL_WANT_READ ); @@ -1895,29 +1908,30 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - /* With TLS we don't handle fragmentation (for now) */ - if( ssl->in_msglen < ssl->in_hslen ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); - return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); - } + /* With TLS we don't handle fragmentation ( for now ) */ + if( ssl->in_msglen < ssl->in_hslen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && ssl->handshake != NULL ) { - /* - * If the server responds with the HRR message then a special handling - * with the modified transcript hash is necessary. We compute this hash later. - */ - if ((ssl->in_msg[0] == MBEDTLS_SSL_HS_SERVER_HELLO) && - (memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl) + 2, &magic_hrr_string[0], 32) == 0)) + /* + * If the server responds with the HRR message then a special handling + * with the modified transcript hash is necessary. We compute this hash later. + */ + if( ( ssl->in_msg[0] == MBEDTLS_SSL_HS_SERVER_HELLO ) && + ( memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ) + 2, &magic_hrr_string[0], 32 ) == 0 ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 5, ( "--- Special HRR Checksum Processing" ) ); + } + else { - MBEDTLS_SSL_DEBUG_MSG(5, ("--- Special HRR Checksum Processing")); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "--- Update Checksum ( ssl_prepare_handshake_record )" ) ); + ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); } - else { - MBEDTLS_SSL_DEBUG_MSG(5, ("--- Update Checksum (ssl_prepare_handshake_record)")); - ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen); - } } /* Handshake message is complete, increment counter */ @@ -1935,12 +1949,12 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) /* * DTLS anti-replay: RFC 6347 4.1.2.6 * - * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). + * in_window is a field of bits numbered from 0 ( lsb ) to 63 ( msb ). * Bit n is set iff record number in_window_top - n has been seen. * * Usually, in_window_top is the last record number seen and the lsb of - * in_window is set. The only exception is the initial state (record number 0 - * not seen yet). + * in_window is set. The only exception is the initial state ( record number 0 + * not seen yet ). */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) @@ -1951,12 +1965,12 @@ static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) { - return( ( (uint64_t) buf[0] << 40 ) | - ( (uint64_t) buf[1] << 32 ) | - ( (uint64_t) buf[2] << 24 ) | - ( (uint64_t) buf[3] << 16 ) | - ( (uint64_t) buf[4] << 8 ) | - ( (uint64_t) buf[5] ) ); + return( ( ( uint64_t ) buf[0] << 40 ) | + ( ( uint64_t ) buf[1] << 32 ) | + ( ( uint64_t ) buf[2] << 24 ) | + ( ( uint64_t ) buf[3] << 16 ) | + ( ( uint64_t ) buf[4] << 8 ) | + ( ( uint64_t ) buf[5] ) ); } /* @@ -1978,7 +1992,7 @@ int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) if( bit >= 64 ) return( -1 ); - if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) + if( ( ssl->in_window & ( ( uint64_t ) 1 << bit ) ) != 0 ) return( -1 ); return( 0 ); @@ -2015,7 +2029,7 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) uint64_t bit = ssl->in_window_top - rec_seqnum; if( bit < 64 ) /* Always true, but be extra sure */ - ssl->in_window |= (uint64_t) 1 << bit; + ssl->in_window |= ( uint64_t ) 1 << bit; } } #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ @@ -2036,12 +2050,12 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); * - otherwise return a specific error code */ static int ssl_check_dtls_clihlo_cookie( - mbedtls_ssl_cookie_write_t *f_cookie_write, - mbedtls_ssl_cookie_check_t *f_cookie_check, - void *p_cookie, - const unsigned char *cli_id, size_t cli_id_len, - const unsigned char *in, size_t in_len, - unsigned char *obuf, size_t buf_len, size_t *olen ) + mbedtls_ssl_cookie_write_t *f_cookie_write, + mbedtls_ssl_cookie_check_t *f_cookie_check, + void *p_cookie, + const unsigned char *cli_id, size_t cli_id_len, + const unsigned char *in, size_t in_len, + unsigned char *obuf, size_t buf_len, size_t *olen ) { size_t sid_len, cookie_len; unsigned char *p; @@ -2059,16 +2073,16 @@ static int ssl_check_dtls_clihlo_cookie( * 1-2 ProtocolVersion version; copied * 3-4 uint16 epoch; copied, must be 0 * 5-10 uint48 sequence_number; copied - * 11-12 uint16 length; (ignored) + * 11-12 uint16 length; ( ignored ) * - * 13-13 HandshakeType msg_type; (ignored) - * 14-16 uint24 length; (ignored) + * 13-13 HandshakeType msg_type; ( ignored ) + * 14-16 uint24 length; ( ignored ) * 17-18 uint16 message_seq; copied * 19-21 uint24 fragment_offset; copied, must be 0 - * 22-24 uint24 fragment_length; (ignored) + * 22-24 uint24 fragment_length; ( ignored ) * - * 25-26 ProtocolVersion client_version; (ignored) - * 27-58 Random random; (ignored) + * 25-26 ProtocolVersion client_version; ( ignored ) + * 27-58 Random random; ( ignored ) * 59-xx SessionID session_id; 1 byte len + sid_len content * 60+ opaque cookie<0..2^8-1>; 1 byte len + content * ... @@ -2138,23 +2152,23 @@ static int ssl_check_dtls_clihlo_cookie( *olen = p - obuf; /* Go back and fill length fields */ - obuf[27] = (unsigned char)( *olen - 28 ); + obuf[27] = ( unsigned char )( *olen - 28 ); - obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); - obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); - obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); + obuf[14] = obuf[22] = ( unsigned char )( ( *olen - 25 ) >> 16 ); + obuf[15] = obuf[23] = ( unsigned char )( ( *olen - 25 ) >> 8 ); + obuf[16] = obuf[24] = ( unsigned char )( ( *olen - 25 ) ); - obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); - obuf[12] = (unsigned char)( ( *olen - 13 ) ); + obuf[11] = ( unsigned char )( ( *olen - 13 ) >> 8 ); + obuf[12] = ( unsigned char )( ( *olen - 13 ) ); return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); } /* * Handle possible client reconnect with the same UDP quadruplet - * (RFC 6347 Section 4.2.8). + * ( RFC 6347 Section 4.2.8 ). * - * Called by ssl_parse_record_header() in case we receive an epoch 0 record + * Called by ssl_parse_record_header( ) in case we receive an epoch 0 record * that looks like a ClientHello. * * - if the input looks like a ClientHello without cookies, @@ -2165,7 +2179,7 @@ static int ssl_check_dtls_clihlo_cookie( * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT * - if anything goes wrong, return a specific error code * - * mbedtls_ssl_read_record() will ignore the record if anything else than + * mbedtls_ssl_read_record( ) will ignore the record if anything else than * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function * cannot not return 0. */ @@ -2175,12 +2189,12 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) size_t len; ret = ssl_check_dtls_clihlo_cookie( - ssl->conf->f_cookie_write, - ssl->conf->f_cookie_check, - ssl->conf->p_cookie, - ssl->cli_id, ssl->cli_id_len, - ssl->in_buf, ssl->in_left, - ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len ); + ssl->conf->f_cookie_write, + ssl->conf->f_cookie_check, + ssl->conf->p_cookie, + ssl->cli_id, ssl->cli_id_len, + ssl->in_buf, ssl->in_left, + ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len ); MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); @@ -2189,7 +2203,7 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) /* Dont check write errors as we can't do anything here. * If the error is permanent we'll catch it later, * if it's not, then hopefully it'll work next time. */ - (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); + ( void ) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); } @@ -2217,184 +2231,191 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) * uint48 sequence_number; // DTLS only * uint16 length; */ -static int ssl_parse_record_header(mbedtls_ssl_context* ssl) +static int ssl_parse_record_header( mbedtls_ssl_context* ssl ) { - int ret; - int major_ver, minor_ver; + int ret; + int major_ver, minor_ver; #if defined(MBEDTLS_SSL_PROTO_DTLS) - int ptr_to_len; + int ptr_to_len; - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->transform_in != NULL) { - /* For DTLS 1.3 we need to process the variable length - * header incrementally. */ + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->transform_in != NULL ) { + /* For DTLS 1.3 we need to process the variable length + * header incrementally. */ - MBEDTLS_SSL_DEBUG_BUF(4, "input DTLS 1.3 unified header", ssl->in_hdr, 1); + MBEDTLS_SSL_DEBUG_BUF( 4, "input DTLS 1.3 unified header", ssl->in_hdr, 1 ); - } - else + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - MBEDTLS_SSL_DEBUG_BUF(4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in)); + { + MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in ) ); - ssl->in_msgtype = ssl->in_hdr[0]; - ssl->in_msglen = (ssl->in_len[0] << 8) | ssl->in_len[1]; - mbedtls_ssl_read_version(&major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1); + ssl->in_msgtype = ssl->in_hdr[0]; + ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; + mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); - MBEDTLS_SSL_DEBUG_MSG(3, ("input record: msgtype = %d, " - "version = [%d:%d], msglen = %d", - ssl->in_msgtype, - major_ver, minor_ver, ssl->in_msglen)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " + "version = [%d:%d], msglen = %d", + ssl->in_msgtype, + major_ver, minor_ver, ssl->in_msglen ) ); - /* Check record type */ - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && - ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT && + /* Check record type */ + if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && + ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT && #if defined(MBEDTLS_COMPATIBILITY_MODE) - ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && + ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && #endif /* MBEDTLS_COMPATIBILITY_MODE */ - ssl->in_msgtype != MBEDTLS_SSL_MSG_ACK && - ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("unknown record type")); - - if ((ret = mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE)) != 0) - { - return(ret); - } - - return(MBEDTLS_ERR_SSL_INVALID_RECORD); - } - } + ssl->in_msgtype != MBEDTLS_SSL_MSG_ACK && + ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); + + if( ( ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 ) + { + return( ret ); + } + + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->transform_in != NULL) { + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->transform_in != NULL ) { - /* For DTLS 1.3 we need to determine how long the header of the - * received packet actually is. */ + /* For DTLS 1.3 we need to determine how long the header of the + * received packet actually is. */ - size_t fetch_len = 1; + size_t fetch_len = 1; - /* Check header for correctness. */ - if ((ssl->in_hdr[0] & (MBEDTLS_SSL_UNIFIED_HDR_PREAMBLE_1 | MBEDTLS_SSL_UNIFIED_HDR_PREAMBLE_1 | MBEDTLS_SSL_UNIFIED_HDR_PREAMBLE_3)) != 4) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Unified header contains invalid preamble.")); - return(MBEDTLS_ERR_SSL_INVALID_RECORD); - } + /* Check header for correctness. */ + if( ( ssl->in_hdr[0] & ( MBEDTLS_SSL_UNIFIED_HDR_PREAMBLE_1 | MBEDTLS_SSL_UNIFIED_HDR_PREAMBLE_1 | MBEDTLS_SSL_UNIFIED_HDR_PREAMBLE_3 ) ) != 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unified header contains invalid preamble." ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } - /* Store message type */ -// ssl->in_msgtype = MBEDTLS_SSL_MSG_TLS_CID; (in DTLS 1.3 we shouldn't be using this message type) - ssl->in_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; + /* Store message type */ +/* ssl->in_msgtype = MBEDTLS_SSL_MSG_TLS_CID; ( in DTLS 1.3 we shouldn't be using this message type ) */ + ssl->in_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; #if defined(MBEDTLS_CID) - if (ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_CID) { - /* Datagram contains a CID */ - fetch_len += ssl->in_cid_len; - } + if( ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_CID ) + { + /* Datagram contains a CID */ + fetch_len += ssl->in_cid_len; + } #endif /* MBEDTLS_CID */ - if (ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_SNR) { - /* Datagram contains a sequence number of 2 bytes length */ - fetch_len += 2; - } - else { - /* Datagram contains a sequence number of 1 byte length */ - fetch_len++; - } - - if (ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_LEN) { - /* Datagram contains a length field */ - ptr_to_len = fetch_len; - fetch_len += 2; - } - else { - MBEDTLS_SSL_DEBUG_MSG(1, ("no length information in the DTLS 1.3 header")); - return(MBEDTLS_ERR_SSL_INVALID_RECORD); - } - - /* Read the entire header */ - if (ssl->in_left < fetch_len) { - /* TBD (Experimental): Fetch the rest of the header, if - * we do not have enough data in the input buffer yet. - */ - if ((ret = mbedtls_ssl_fetch_input(ssl, fetch_len)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); - return(ret); - } - } - /* Retrieve message length info */ - ssl->in_msglen = (ssl->in_hdr[ptr_to_len] << 8) | ssl->in_hdr[ptr_to_len + 1]; + if( ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_SNR ) + { + /* Datagram contains a sequence number of 2 bytes length */ + fetch_len += 2; + } + else + { + /* Datagram contains a sequence number of 1 byte length */ + fetch_len++; + } - } - else + if( ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_LEN ) + { + /* Datagram contains a length field */ + ptr_to_len = fetch_len; + fetch_len += 2; + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no length information in the DTLS 1.3 header" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + + /* Read the entire header */ + if( ssl->in_left < fetch_len ) + { + /* TBD ( Experimental ): Fetch the rest of the header, if + * we do not have enough data in the input buffer yet. + */ + if( ( ret = mbedtls_ssl_fetch_input( ssl, fetch_len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); + return( ret ); + } + } + /* Retrieve message length info */ + ssl->in_msglen = ( ssl->in_hdr[ptr_to_len] << 8 ) | ssl->in_hdr[ptr_to_len + 1]; + + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - /* Check version */ - if (major_ver != ssl->major_ver) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("major version mismatch")); - return(MBEDTLS_ERR_SSL_INVALID_RECORD); - } - - if (minor_ver > ssl->conf->max_minor_ver) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("minor version mismatch")); - return(MBEDTLS_ERR_SSL_INVALID_RECORD); - } - } - /* Check epoch with DTLS */ + { + /* Check version */ + if( major_ver != ssl->major_ver ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + + if( minor_ver > ssl->conf->max_minor_ver ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } + } + /* Check epoch with DTLS */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - unsigned int rec_epoch = 0; - - if (ssl->transform_in != NULL) - { - if (ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1) - rec_epoch += 1; - - if (ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2) - rec_epoch += 2; - } - else - { - rec_epoch = (ssl->in_ctr[0] << 8) | ssl->in_ctr[1]; - } - - if (rec_epoch != ssl->in_epoch) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("record from another epoch: " - "expected %d, received %d", - ssl->in_epoch, rec_epoch)); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + unsigned int rec_epoch = 0; + + if( ssl->transform_in != NULL ) + { + if( ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_EPOCH_1 ) + rec_epoch += 1; + + if( ssl->in_hdr[0] & MBEDTLS_SSL_UNIFIED_HDR_EPOCH_2 ) + rec_epoch += 2; + } + else + { + rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; + } + + if( rec_epoch != ssl->in_epoch ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " + "expected %d, received %d", + ssl->in_epoch, rec_epoch ) ); #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) - /* - * Check for an epoch 0 ClientHello. We can't use in_msg here to - * access the first byte of record content (handshake type), as we - * have an active transform (possibly iv_len != 0), so use the - * fact that the record header len is 13 instead. - */ - if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && - ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && - rec_epoch == 0 && - ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && - ssl->in_left > 13 && - ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("possible client reconnect " - "from the same port")); - return(ssl_handle_possible_reconnect(ssl)); - } - else + /* + * Check for an epoch 0 ClientHello. We can't use in_msg here to + * access the first byte of record content ( handshake type ), as we + * have an active transform ( possibly iv_len != 0 ), so use the + * fact that the record header len is 13 instead. + */ + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && + rec_epoch == 0 && + ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && + ssl->in_left > 13 && + ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " + "from the same port" ) ); + return( ssl_handle_possible_reconnect( ssl ) ); + } + else #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ - { - /* TBD: Check return statement for DTLS 1.3 */ - return(MBEDTLS_ERR_SSL_INVALID_RECORD); - } + { + /* TBD: Check return statement for DTLS 1.3 */ + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) @@ -2407,15 +2428,15 @@ static int ssl_parse_record_header(mbedtls_ssl_context* ssl) } #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ - /* We store the epoch value received from the other side */ - ssl->rec_epoch = rec_epoch; + /* We store the epoch value received from the other side */ + ssl->rec_epoch = rec_epoch; - } + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ /* Check length against the size of our buffer */ if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN - - (size_t)( ssl->in_msg - ssl->in_buf ) ) + - ( size_t )( ssl->in_msg - ssl->in_buf ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); @@ -2434,9 +2455,9 @@ static int ssl_parse_record_header(mbedtls_ssl_context* ssl) else { #if !defined(MBEDTLS_COMPATIBILITY_MODE) - /* In compatibility mode we will receive - * Change Cipher Spec messages, which are - * ssl->in_msglen = 1 in length. */ + /* In compatibility mode we will receive + * Change Cipher Spec messages, which are + * ssl->in_msglen = 1 in length. */ if( ssl->in_msglen < ssl->transform_in->minlen ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); @@ -2444,16 +2465,16 @@ static int ssl_parse_record_header(mbedtls_ssl_context* ssl) } #endif /* !MBEDTLS_COMPATIBILITY_MODE */ - /* + /* * TLS encrypted messages can have up to 256 bytes of padding */ - if( + if( #if defined(MBEDTLS_COMPATIBILITY_MODE) - ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && + ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && #endif /* MBEDTLS_COMPATIBILITY_MODE */ - ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && + ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && ssl->in_msglen > ssl->transform_in->minlen + - MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) + MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); @@ -2464,85 +2485,87 @@ static int ssl_parse_record_header(mbedtls_ssl_context* ssl) } /* - * If applicable, decrypt (and decompress) record content + * If applicable, decrypt ( and decompress ) record content */ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) { int ret, done = 0; MBEDTLS_SSL_DEBUG_BUF( 4, "RECEIVED FROM NETWORK", - ssl->in_hdr, mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in) + ssl->in_msglen); + ssl->in_hdr, mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in ) + ssl->in_msglen ); #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) - if (mbedtls_ssl_hw_record_read != NULL) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("going for mbedtls_ssl_hw_record_read()")); - - ret = mbedtls_ssl_hw_record_read(ssl); - if (ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_read", ret); - return(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); - } - - if (ret == 0) - done = 1; - } + if( mbedtls_ssl_hw_record_read != NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read( )" ) ); + + ret = mbedtls_ssl_hw_record_read( ssl ); + if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + if( ret == 0 ) + done = 1; + } #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ - if (!done && ssl->transform_in != NULL) - { + if( !done && ssl->transform_in != NULL ) + { #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* If we received an old record (based on the epoch value) - * then we need to change the keys. */ - if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) && - (ssl->rec_epoch != ssl->in_epoch) && - (ssl->transform_in->traffic_keys_previous.epoch == ssl->rec_epoch)) - { - ret = mbedtls_set_traffic_key(ssl, &ssl->transform_in->traffic_keys_previous, ssl->transform_in,1); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); - } - } + /* If we received an old record ( based on the epoch value ) + * then we need to change the keys. */ + if( ( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) && + ( ssl->rec_epoch != ssl->in_epoch ) && + ( ssl->transform_in->traffic_keys_previous.epoch == ssl->rec_epoch ) ) + { + ret = mbedtls_set_traffic_key( ssl, &ssl->transform_in->traffic_keys_previous, ssl->transform_in,1 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return( ret ); + } + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_COMPATIBILITY_MODE) - if (ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) - return(0); + if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) + return( 0 ); #endif /* MBEDTLS_COMPATIBILITY_MODE */ - if ((ret = ssl_decrypt_buf(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret); - return(ret); - } + if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); + return( ret ); + } - MBEDTLS_SSL_DEBUG_BUF(4, "input payload after decrypt", - ssl->in_msg, ssl->in_msglen); + MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", + ssl->in_msg, ssl->in_msglen ); - if (ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad message length")); - return(MBEDTLS_ERR_SSL_INVALID_RECORD); - } + if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); + return( MBEDTLS_ERR_SSL_INVALID_RECORD ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* We re-set the key. */ - - if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) && - (ssl->rec_epoch != ssl->in_epoch) && - (ssl->transform_in->traffic_keys_previous.epoch == ssl->rec_epoch)) - { - ret = mbedtls_set_traffic_key(ssl, &ssl->transform_in->traffic_keys, ssl->transform_in,1); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); - } - } + /* We re-set the key. */ + + if( ( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) && + ( ssl->rec_epoch != ssl->in_epoch ) && + ( ssl->transform_in->traffic_keys_previous.epoch == ssl->rec_epoch ) ) + { + ret = mbedtls_set_traffic_key( ssl, &ssl->transform_in->traffic_keys, ssl->transform_in,1 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return( ret ); + } + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - } + } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) @@ -2558,17 +2581,17 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ); /* - * Read a record. (TLS 1.3 only) + * Read a record. ( TLS 1.3 only ) * - * Silently ignore non-fatal alert (and for DTLS, invalid records as well, - * RFC 6347 4.1.2.7) and continue reading until a valid record is found. + * Silently ignore non-fatal alert ( and for DTLS, invalid records as well, + * RFC 6347 4.1.2.7 ) and continue reading until a valid record is found. * */ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) { int ret; - int fetch_len; + int fetch_len; MBEDTLS_SSL_DEBUG_MSG( 5, ( "=> read record" ) ); @@ -2583,7 +2606,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) ssl->in_msglen ); MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", - ssl->in_msg, ssl->in_msglen ); + ssl->in_msg, ssl->in_msglen ); if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 ) return( ret ); @@ -2596,10 +2619,10 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) /* * Read the record header and parse it */ - fetch_len = mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in); + fetch_len = mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in ); read_record_header: - if( ( ret = mbedtls_ssl_fetch_input( ssl, fetch_len) ) != 0 ) + if( ( ret = mbedtls_ssl_fetch_input( ssl, fetch_len ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); return( ret ); @@ -2617,7 +2640,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) ssl->next_record_offset = 0; ssl->in_left = 0; - MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (header)" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record ( header )" ) ); goto read_record_header; } #endif /* MBEDTLS_SSL_PROTO_DTLS */ @@ -2627,7 +2650,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) /* * Read message contents */ - if( ( ret = mbedtls_ssl_fetch_input( ssl, fetch_len + ssl->in_msglen ) ) != 0 ) + if( ( ret = mbedtls_ssl_fetch_input( ssl, fetch_len + ssl->in_msglen ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); return( ret ); @@ -2637,14 +2660,14 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in); + ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in ); else #endif /* MBEDTLS_SSL_PROTO_DTLS */ ssl->in_left = 0; - /* - * optionally decrypt message - */ + /* + * optionally decrypt message + */ if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) { @@ -2657,7 +2680,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) { /* Except when waiting for Finished as a bad mac here * probably means something went wrong in the handshake - * (eg wrong psk used, mitm downgrade attempt, etc.) */ + * ( eg wrong psk used, mitm downgrade attempt, etc. ) */ if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) { @@ -2665,8 +2688,8 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) { mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); } #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */ return( ret ); @@ -2681,7 +2704,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ - MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record ( mac )" ) ); goto read_record_header; } @@ -2690,13 +2713,13 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_SSL_PROTO_DTLS */ { - /* Error out (and send alert) on invalid records */ + /* Error out ( and send alert ) on invalid records */ #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) { mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); } #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */ return( ret ); @@ -2712,173 +2735,176 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) return( ret ); } - /* In TLS / DTLS 1.3 most of the messages are encrypted and appear to be - * application data payloads with the true message type hidden inside. - */ - if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA || ssl->in_msgtype == MBEDTLS_SSL_MSG_TLS_CID) - { - /* The structure of the payload should be as follows: - * struct { - * opaque content[TLSPlaintext.length]; - * ContentType type; - * uint8 zeros[length_of_padding]; - * } TLSInnerPlaintext; - * - * We will check whether the ContentType is indeed a - * handshake message. - * - * We will walk backwards in the decrypted message - * to scan over eventually available padding bytes. - * - * A similiar structure is used for DTLS 1.3, namely - * - * struct { + /* In TLS / DTLS 1.3 most of the messages are encrypted and appear to be + * application data payloads with the true message type hidden inside. + */ + if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA || ssl->in_msgtype == MBEDTLS_SSL_MSG_TLS_CID ) + { + /* The structure of the payload should be as follows: + * struct { + * opaque content[TLSPlaintext.length]; + * ContentType type; + * uint8 zeros[length_of_padding]; + * } TLSInnerPlaintext; + * + * We will check whether the ContentType is indeed a + * handshake message. + * + * We will walk backwards in the decrypted message + * to scan over eventually available padding bytes. + * + * A similiar structure is used for DTLS 1.3, namely + * + * struct { * opaque content[DTLSPlaintext.length]; * ContentType type; * uint8 zeros[length_of_padding]; * } DTLSInnerPlaintext; - * - */ - - // Set handshake message to an invalid type - ssl->in_msgtype = 0; - - for (int i = ssl->in_msglen; i > 0; i--) - { - switch (ssl->in_msg[i - 1]) - { - case 0: - // This is padding. - break; - - case MBEDTLS_SSL_MSG_HANDSHAKE: - // We received an encrypted handshake message - ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - // skip the ContentType and padding - ssl->in_msglen = i - 1; - //ssl->in_hslen = ((ssl->in_msg[1] << 16) | (ssl->in_msg[2] << 8) | (ssl->in_msg[3])) + mbedtls_ssl_hs_hdr_len(ssl); - - if ((ret = ssl_prepare_handshake_record(ssl)) != 0) return(ret); - - break; - case MBEDTLS_SSL_MSG_APPLICATION_DATA: - // We received application data - ssl->in_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; - // skip the ContentType and padding - ssl->in_msglen = i - 1; - break; - case MBEDTLS_SSL_MSG_ALERT: - // We received an alert - ssl->in_msgtype = MBEDTLS_SSL_MSG_ALERT; - // skip the ContentType and padding - ssl->in_msglen = i - 1; - break; + * + */ + + /* Set handshake message to an invalid type */ + ssl->in_msgtype = 0; + + for ( int i = ssl->in_msglen; i > 0; i-- ) + { + switch ( ssl->in_msg[i - 1] ) + { + case 0: + /* This is padding. */ + break; + + case MBEDTLS_SSL_MSG_HANDSHAKE: + /* We received an encrypted handshake message */ + ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + /* Skip the ContentType and padding */ + ssl->in_msglen = i - 1; + /* ssl->in_hslen = ( ( ssl->in_msg[1] << 16 ) | ( ssl->in_msg[2] << 8 ) | ( ssl->in_msg[3] ) ) + mbedtls_ssl_hs_hdr_len( ssl ); */ + + if( ( ret = ssl_prepare_handshake_record( ssl ) ) != 0 ) return( ret ); + + break; + case MBEDTLS_SSL_MSG_APPLICATION_DATA: + /* We received application data */ + ssl->in_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; + /* Skip the ContentType and padding */ + ssl->in_msglen = i - 1; + break; + case MBEDTLS_SSL_MSG_ALERT: + /* We received an alert */ + ssl->in_msgtype = MBEDTLS_SSL_MSG_ALERT; + /* Skip the ContentType and padding */ + ssl->in_msglen = i - 1; + break; #if defined(MBEDTLS_SSL_PROTO_DTLS) - case MBEDTLS_SSL_MSG_ACK: - // We received an ack - ssl->in_msgtype = MBEDTLS_SSL_MSG_ACK; - // skip the ContentType and padding - ssl->in_msglen = i - 1; + case MBEDTLS_SSL_MSG_ACK: + /* We received an ACK */ + ssl->in_msgtype = MBEDTLS_SSL_MSG_ACK; + /* Skip the ContentType and padding */ + ssl->in_msglen = i - 1; - if ((ret = mbedtls_ssl_parse_ack(ssl)) != 0) - return(ret); + if( ( ret = mbedtls_ssl_parse_ack( ssl ) ) != 0 ) + return( ret ); - break; + break; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - default: - MBEDTLS_SSL_DEBUG_MSG(1, ("unknown message")); + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown message" ) ); - mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); + mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); - return(MBEDTLS_ERR_SSL_BAD_HS_UNKNOWN_MSG); - } + return( MBEDTLS_ERR_SSL_BAD_HS_UNKNOWN_MSG ); + } - if (ssl->in_msgtype != 0) { - // we found an appropriate type - break; - } - } - } + if( ssl->in_msgtype != 0 ) + { + /* we found an appropriate type. */ + break; + } + } + } - if (ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("got an alert message, type: [%d:%d]", - ssl->in_msg[0], ssl->in_msg[1])); - - /* - * Ignore non-fatal alerts, except close_notify and no_renegotiation - */ - if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("is a fatal alert message (msg %d)", - ssl->in_msg[1])); - return(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE); - } - - if (ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && - ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("is a close notify message")); - return(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY); - } - - /* Silently ignore: fetch new message */ - goto read_record_header; - } + if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]", + ssl->in_msg[0], ssl->in_msg[1] ) ); + + /* + * Ignore non-fatal alerts, except close_notify and no_renegotiation + */ + if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message ( msg %d )", + ssl->in_msg[1] ) ); + return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); + } + + if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && + ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); + return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); + } + + /* Silently ignore: fetch new message */ + goto read_record_header; + } #if defined(MBEDTLS_COMPATIBILITY_MODE) - /* We ignore incoming ChangeCipherSpec messages */ - if (ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("Received ChangeCipherSpec message")); - - if (ssl->in_msglen != 1) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad CCS message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC); - } - - MBEDTLS_SSL_DEBUG_MSG(3, ("CCS, message len.: %d", ssl->in_msglen)); - - /* - if ((ret = mbedtls_ssl_fetch_input(ssl, mbedtls_ssl_hdr_len(ssl) + ssl->in_msglen)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC); - } - */ - - // Message payload is 1-byte long; check whether it is set to '1' - if (ssl->in_msg[0] == 1) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring CCS.")); - - /* Done reading this record, get ready for the next one */ + /* We ignore incoming ChangeCipherSpec messages */ + if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Received ChangeCipherSpec message" ) ); + + if( ssl->in_msglen != 1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad CCS message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); + } + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "CCS, message len.: %d", ssl->in_msglen ) ); + + /* + if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); + } + */ + + /* Message payload is 1-byte long; check whether it is set to '1' */ + if( ssl->in_msg[0] == 1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ignoring CCS." ) ); + + /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - ssl->next_record_offset = mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN) + ssl->in_msglen; - } - else + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl->next_record_offset = mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN ) + ssl->in_msglen; + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - ssl->in_left = 0; - } - - /* Silently ignore: fetch new message */ - goto read_record_header; - } - else - { - if ((ret = mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE)) != 0) - { - return(ret); - } - return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); - } - } + { + ssl->in_left = 0; + } + + /* Silently ignore: fetch new message */ + goto read_record_header; + } + else + { + if( ( ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 ) + { + return( ret ); + } + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } + } #endif /* MBEDTLS_COMPATIBILITY_MODE */ MBEDTLS_SSL_DEBUG_MSG( 5, ( "<= read record" ) ); @@ -2891,8 +2917,8 @@ int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) int ret; if( ( ret = mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 ) + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 ) { return( ret ); } @@ -2901,8 +2927,8 @@ int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) } int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, - unsigned char level, - unsigned char message ) + unsigned char level, + unsigned char message ) { int ret; @@ -2912,20 +2938,22 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; - ssl->out_msg[0] = level; - ssl->out_msg[1] = message; - - // TBD: We need to check what alert messages are sent encrypted. - // Particularly for alerts that are send after cleaning the - // handshake will potentially transmitted in cleartext. - if (ssl->transform != NULL || ssl->transform_out!=NULL) { - // If we encrypt then we add the content type and optionally padding - ssl->out_msglen = 3; // 3 includes the content type as well - // we use no padding - ssl->out_msg[2] = MBEDTLS_SSL_MSG_ALERT; - } else { - ssl->out_msglen = 2; - } + ssl->out_msg[0] = level; + ssl->out_msg[1] = message; + + /* TBD: We need to check what alert messages are sent encrypted. + Particularly for alerts that are send after cleaning the + handshake will potentially transmitted in cleartext. */ + if( ssl->transform != NULL || ssl->transform_out!=NULL ) + { + /* If we encrypt then we add the content type and optionally padding. */ + ssl->out_msglen = 3; // 3 includes the content type as well + /* We use no padding. */ + ssl->out_msg[2] = MBEDTLS_SSL_MSG_ALERT; + } else + { + ssl->out_msglen = 2; + } if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) { @@ -2947,24 +2975,24 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl, int direct mbedtls_ssl_transform *transform = ssl->transform_out; - if( transform == NULL && direction == MBEDTLS_SSL_DIRECTION_IN) - return( (int) mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, transform) ); + if( transform == NULL && direction == MBEDTLS_SSL_DIRECTION_IN ) + return( ( int ) mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, transform ) ); - if (transform == NULL && direction == MBEDTLS_SSL_DIRECTION_OUT) - return((int)mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, transform)); + if( transform == NULL && direction == MBEDTLS_SSL_DIRECTION_OUT ) + return( ( int )mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, transform ) ); switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) { case MBEDTLS_MODE_GCM: case MBEDTLS_MODE_CCM: - case MBEDTLS_MODE_CCM_8: + case MBEDTLS_MODE_CCM_8: case MBEDTLS_MODE_STREAM: transform_expansion = transform->minlen; break; case MBEDTLS_MODE_CBC: transform_expansion = transform->maclen - + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); + + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); break; default: @@ -2972,10 +3000,10 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl, int direct return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - if (direction == MBEDTLS_SSL_DIRECTION_IN) - return( (int)( mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, transform) + transform_expansion ) ); - else - return((int)(mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_OUT, transform) + transform_expansion)); + if( direction == MBEDTLS_SSL_DIRECTION_IN ) + return( ( int )( mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, transform ) + transform_expansion ) ); + else + return( ( int )( mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_OUT, transform ) + transform_expansion ) ); } @@ -3023,34 +3051,34 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } } - if (ssl->in_offt == NULL) - { - /* Start timer if not already running */ - if (ssl->f_get_timer != NULL && - ssl->f_get_timer(ssl->p_timer) == -1) - { - mbedtls_ssl_set_timer(ssl, ssl->conf->read_timeout); - } + if( ssl->in_offt == NULL ) + { + /* Start timer if not already running */ + if( ssl->f_get_timer != NULL && + ssl->f_get_timer( ssl->p_timer ) == -1 ) + { + mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout ); + } - if (!record_read) - { - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) - { - if (ret == MBEDTLS_ERR_SSL_CONN_EOF) - return(0); + if( !record_read ) + { + if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) + { + if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) + return( 0 ); - if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) - return(ret); + if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ) + return( ret ); - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - return(ret); - } - } + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); + return( ret ); + } + } - /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ + /* Fatal and closure alerts handled by mbedtls_ssl_read_record( ) */ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); @@ -3058,63 +3086,65 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - /* Post-Handshake messages, like the NewSessionTicket message, appear after the finished - * message was sent */ - if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) { - MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message")); + /* Post-Handshake messages, like the NewSessionTicket message, appear after the finished + * message was sent */ + if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "received post-handshake message" ) ); #if defined(MBEDTLS_SSL_CLI_C) - if ((ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) && - (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl)) && - (ssl->in_msg[0] == MBEDTLS_SSL_HS_NEW_SESSION_TICKET)) { - MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received")); - - if ((ret = ssl_parse_new_session_ticket(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_new_session_ticket", ret); - return(ret); - } - } + if( ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) && + ( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) && + ( ssl->in_msg[0] == MBEDTLS_SSL_HS_NEW_SESSION_TICKET ) ) { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket received" ) ); + + if( ( ret = ssl_parse_new_session_ticket( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_new_session_ticket", ret ); + return( ret ); + } + } #endif /* MBEDTLS_SSL_CLI_C */ - } else + } else #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->in_msgtype == MBEDTLS_SSL_MSG_ACK) - { - // We will not pass the Ack msg to the application - ssl->in_offt = NULL; - ssl->in_msglen = 0; - MBEDTLS_SSL_DEBUG_MSG(2, ("<= read")); - return(MBEDTLS_ERR_SSL_WANT_READ); - } - else + if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ACK ) + { + /* We will not pass the Ack msg to the application. */ + ssl->in_offt = NULL; + ssl->in_msglen = 0; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); + return( MBEDTLS_ERR_SSL_WANT_READ ); + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); - } - + if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } - if ((ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) && - (ssl->in_msg[0] == MBEDTLS_SSL_HS_NEW_SESSION_TICKET)) - { - // We will not pass a NewSessionTicket to the application - ssl->in_offt = NULL; - ssl->in_msglen = 0; - n = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET; - MBEDTLS_SSL_DEBUG_MSG(2, ("<= read")); - /* For a post-handshake message we may need to return - * an ACK message - */ - // TBD. - return (int) n; + if( ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) && + ( ssl->in_msg[0] == MBEDTLS_SSL_HS_NEW_SESSION_TICKET ) ) + { + /* We will not pass a NewSessionTicket to the application. */ + ssl->in_offt = NULL; + ssl->in_msglen = 0; + n = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); + + /* For a post-handshake message we may need to return + * an ACK message + */ + /* TBD. */ + return( ( int ) n ); - } - else { - ssl->in_offt = ssl->in_msg; - } + } + else + { + ssl->in_offt = ssl->in_msg; + } } @@ -3133,7 +3163,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); - return( (int) n ); + return( ( int ) n ); } /* @@ -3153,9 +3183,9 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " - "maximum fragment length: %d > %d", - len, max_len ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the ( negotiated ) " + "maximum fragment length: %d > %d", + len, max_len ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } else @@ -3177,10 +3207,10 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; memcpy( ssl->out_msg, buf, len ); - /* Adding content type at the end of the data*/ - ssl->out_msg[len] = MBEDTLS_SSL_MSG_APPLICATION_DATA; - ssl->out_msglen = len + 1; - len++; + /* Adding content type at the end of the data*/ + ssl->out_msg[len] = MBEDTLS_SSL_MSG_APPLICATION_DATA; + ssl->out_msglen = len + 1; + len++; if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) { @@ -3189,13 +3219,13 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, } } - return( (int) len ); + return( ( int ) len ); } /* - * Write application data (public-facing wrapper) + * Write application data ( public-facing wrapper ) */ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { @@ -3208,18 +3238,18 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ #if defined(MBEDTLS_ZERO_RTT) - if ((ssl->handshake!= NULL) && (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_OFF)) + if( ( ssl->handshake!= NULL ) && ( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_OFF ) ) #endif/* MBEDTLS_ZERO_RTT */ - { - if (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) - { - if ((ret = mbedtls_ssl_handshake(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); - return(ret); - } - } - } + { + if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) + { + if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); + return( ret ); + } + } + } ret = ssl_write_real( ssl, buf, len ); @@ -3246,8 +3276,8 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { if( ( ret = mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_WARNING, - MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) + MBEDTLS_SSL_ALERT_LEVEL_WARNING, + MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); return( ret ); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 49161f64357c..5b91fe2d3d3e 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1,10 +1,10 @@ /* * TLSv1.3 server-side functions * -* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved +* Copyright ( C ) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * -* Licensed under the Apache License, Version 2.0 (the "License"); you may +* Licensed under the Apache License, Version 2.0 ( the "License" ); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * @@ -16,7 +16,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * -* This file is part of mbed TLS (https://tls.mbed.org) +* This file is part of mbed TLS ( https://tls.mbed.org ) */ @@ -27,7 +27,7 @@ #endif -#if defined (MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_SRV_C) @@ -62,1526 +62,1510 @@ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -static int ssl_write_sni_server_ext(mbedtls_ssl_context *ssl, - unsigned char *buf, - size_t buflen, - size_t *olen) +static int ssl_write_sni_server_ext( + mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t buflen, + size_t *olen ) { - unsigned char *p = buf; + unsigned char *p = buf; - MBEDTLS_SSL_DEBUG_MSG(3, ("adding server_name extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding server_name extension" ) ); - if (buflen < 4) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } + if( buflen < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } - // Write extension header - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SERVERNAME >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SERVERNAME) & 0xFF); + /* Write extension header */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); - // Write total extension length - *p++ = 0; - *p++ = 0; + /* Write total extension length */ + *p++ = 0; + *p++ = 0; - *olen = 4; + *olen = 4; - return 0; + return 0; } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ /* -Key Shares Extension - -enum { -// Elliptic Curve Groups (ECDHE) -obsolete_RESERVED(1..22), -secp256r1(23), secp384r1(24), secp521r1(25), -obsolete_RESERVED(26..28), -x25519(29), x448(30), - -// Finite Field Groups (DHE) -ffdhe2048(256), ffdhe3072(257), ffdhe4096(258), -ffdhe6144(259), ffdhe8192(260), - -// Reserved Code Points -ffdhe_private_use(0x01FC..0x01FF), -ecdhe_private_use(0xFE00..0xFEFF), -obsolete_RESERVED(0xFF01..0xFF02), -(0xFFFF) -} NamedGroup; - -struct { -NamedGroup group; -opaque key_exchange<1..2^16-1>; -} KeyShareEntry; - -struct { -select (role) { -case client: -KeyShareEntry client_shares<0..2^16-1>; -case server: -KeyShareEntry server_share; -} -} KeyShare; + Key Shares Extension + + enum { + obsolete_RESERVED( 1..22 ), + secp256r1( 23 ), secp384r1( 24 ), secp521r1( 25 ), + obsolete_RESERVED( 26..28 ), + x25519( 29 ), x448( 30 ), + + ffdhe2048( 256 ), ffdhe3072( 257 ), ffdhe4096( 258 ), + ffdhe6144( 259 ), ffdhe8192( 260 ), + + ffdhe_private_use( 0x01FC..0x01FF ), + ecdhe_private_use( 0xFE00..0xFEFF ), + obsolete_RESERVED( 0xFF01..0xFF02 ), + ( 0xFFFF ) + } NamedGroup; + + struct { + NamedGroup group; + opaque key_exchange<1..2^16-1>; + } KeyShareEntry; + + struct { + select ( role ) { + case client: + KeyShareEntry client_shares<0..2^16-1>; + case server: + KeyShareEntry server_share; + } + } KeyShare; */ -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) -static int ssl_write_key_shares_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +static int ssl_write_key_shares_ext( + mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = buf + 4; - unsigned char *header = buf; // Pointer where the header has to go. - size_t len; - int ret; + unsigned char *p = buf + 4; + unsigned char *header = buf; /* Pointer where the header has to go. */ + size_t len; + int ret; - const mbedtls_ecp_curve_info *info = NULL; - // const mbedtls_ecp_group_id *grp_id; + const mbedtls_ecp_curve_info *info = NULL; + /* const mbedtls_ecp_group_id *grp_id; */ - *olen = 0; + *olen = 0; - // TBD: Can we say something about the smallest number of bytes needed for the ecdhe parameters - if (end < p || (end - p) < 4) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } + /* TBD: Can we say something about the smallest number of bytes needed for the ecdhe parameters */ + if( end < p || ( end - p ) < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } - if (ssl->conf->curve_list == NULL) - { - /* This should never happen since we previously checked the - * server-supported curves against the client-provided curves. - * We should have returned a HelloRetryRequest instead. - */ - MBEDTLS_SSL_DEBUG_MSG(3, ("server key share extension: empty curve list")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ssl->conf->curve_list == NULL ) + { + /* This should never happen since we previously checked the + * server-supported curves against the client-provided curves. + * We should have returned a HelloRetryRequest instead. + */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server key share extension: empty curve list" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding key share extension" ) ); - /* Fetching the agreed curve. */ - info = mbedtls_ecp_curve_info_from_grp_id(ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id); + /* Fetching the agreed curve. */ + info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id ); - if (info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("server key share extension: fetching agreed curve failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", info->name)); + if( info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server key share extension: fetching agreed curve failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", info->name ) ); - if ((ret = mbedtls_ecp_group_load(&ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp, info->grp_id)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret); - return(ret); - } + if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp, info->grp_id )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); + return( ret ); + } - if ((ret = mbedtls_ecdh_make_params(&ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected], &len, - p, end-buf, - ssl->conf->f_rng, ssl->conf->p_rng)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret); - return(ret); - } + if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected], &len, + p, end-buf, + ssl->conf->f_rng, ssl->conf->p_rng )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); + return( ret ); + } - p += len; + p += len; - MBEDTLS_SSL_DEBUG_ECP(3, "ECDHE: Q ", &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].Q); + MBEDTLS_SSL_DEBUG_ECP( 3, "ECDHE: Q ", &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].Q ); - // Write extension header - *header++ = (unsigned char)((MBEDTLS_TLS_EXT_KEY_SHARES >> 8) & 0xFF); - *header++ = (unsigned char)((MBEDTLS_TLS_EXT_KEY_SHARES) & 0xFF); + /* Write extension header */ + *header++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_KEY_SHARES >> 8 ) & 0xFF ); + *header++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_KEY_SHARES ) & 0xFF ); - // Write total extension length - *header++ = (unsigned char)(((len) >> 8) & 0xFF); - *header++ = (unsigned char)(((len)) & 0xFF); + /* Write total extension length */ + *header++ = ( unsigned char )( ( ( len ) >> 8 ) & 0xFF ); + *header++ = ( unsigned char )( ( ( len )) & 0xFF ); - *olen = len + 4; // 4 bytes for fixed header + length of key share + *olen = len + 4; /* 4 bytes for fixed header + length of key share */ - return 0; + return 0; } #endif /* MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_ZERO_RTT) -static int mbedtls_ssl_parse_end_of_early_data(mbedtls_ssl_context *ssl) +static int mbedtls_ssl_parse_end_of_early_data( mbedtls_ssl_context *ssl ) { - int ret; + int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse end_of_early_data")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse end_of_early_data" ) ); - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - return(ret); - } + if( ( ret = mbedtls_ssl_read_record( ssl )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); + return( ret ); + } - if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || - ssl->in_msg[0] != MBEDTLS_SSL_HS_END_OF_EARLY_DATA) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad end_of_early_data message")); - return(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); - } + if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || + ssl->in_msg[0] != MBEDTLS_SSL_HS_END_OF_EARLY_DATA ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad end_of_early_data message" ) ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse end_of_early_data")); - return(0); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse end_of_early_data" ) ); + return( 0 ); } #endif /* MBEDTLS_ZERO_RTT */ -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) /* TODO: Code for MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED missing */ -static int check_ecdh_params(const mbedtls_ssl_context *ssl) +static int check_ecdh_params( const mbedtls_ssl_context *ssl ) { - const mbedtls_ecp_curve_info *curve_info; + const mbedtls_ecp_curve_info *curve_info; - curve_info = mbedtls_ecp_curve_info_from_grp_id(ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id); - if (curve_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id ); + if( curve_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", curve_info->name)); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); #if defined(MBEDTLS_ECP_C) - if (mbedtls_ssl_check_curve(ssl, ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id) != 0) + if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id ) != 0 ) #else - if (ssl->handshake->ecdh_ctx.grp.nbits < 163 || - ssl->handshake->ecdh_ctx.grp.nbits > 521) + if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || + ssl->handshake->ecdh_ctx.grp.nbits > 521 ) #endif /* MBEDTLS_ECP_C */ - return(-1); + return( -1 ); - MBEDTLS_SSL_DEBUG_ECP(3, "ECDH: Qp", &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].Qp); + MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].Qp ); - return(0); + return( 0 ); } -#endif /* MBEDTLS_ECDH_C || (MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C || ( MBEDTLS_ECDSA_C */ -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) /* -ssl_parse_supported_groups_ext() processes the received -supported groups extension and copies the client provided -groups into ssl->handshake->curves. + ssl_parse_supported_groups_ext( ) processes the received + supported groups extension and copies the client provided + groups into ssl->handshake->curves. -Possible response values are: -- MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS -- MBEDTLS_ERR_SSL_ALLOC_FAILED + Possible response values are: + - MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS + - MBEDTLS_ERR_SSL_ALLOC_FAILED */ -int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len) { - - size_t list_size, our_size; - const unsigned char *p; - const mbedtls_ecp_curve_info *curve_info, **curves; - - MBEDTLS_SSL_DEBUG_BUF(3, "Received supported groups", buf, len); - - list_size = ((buf[0] << 8) | (buf[1])); - if (list_size + 2 != len || - list_size % 2 != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad supported groups extension")); - return(MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS); - } +int ssl_parse_supported_groups_ext( + mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ) { + + size_t list_size, our_size; + const unsigned char *p; + const mbedtls_ecp_curve_info *curve_info, **curves; + + MBEDTLS_SSL_DEBUG_BUF( 3, "Received supported groups", buf, len ); + + list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); + if( list_size + 2 != len || + list_size % 2 != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad supported groups extension" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS ); + } - /* Should never happen unless client duplicates the extension */ - /* if (ssl->handshake->curves != NULL) + /* Should never happen unless client duplicates the extension */ + /* if( ssl->handshake->curves != NULL ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad supported groups extension")); - return(MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS); - } - */ - /* Don't allow our peer to make us allocate too much memory, - * and leave room for a final 0 */ - our_size = list_size / 2 + 1; - if (our_size > MBEDTLS_ECP_DP_MAX) - our_size = MBEDTLS_ECP_DP_MAX; - - if ((curves = mbedtls_calloc(our_size, sizeof(*curves))) == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_calloc failed")); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad supported groups extension" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS ); + } + */ + /* Don't allow our peer to make us allocate too much memory, + * and leave room for a final 0 */ + our_size = list_size / 2 + 1; + if( our_size > MBEDTLS_ECP_DP_MAX ) + our_size = MBEDTLS_ECP_DP_MAX; + + if( ( curves = mbedtls_calloc( our_size, sizeof( *curves )) ) == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_calloc failed" ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } - ssl->handshake->curves = curves; + ssl->handshake->curves = curves; - p = buf + 2; - while (list_size > 0 && our_size > 1) - { - curve_info = mbedtls_ecp_curve_info_from_tls_id((p[0] << 8) | p[1]); + p = buf + 2; + while ( list_size > 0 && our_size > 1 ) + { + curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); - /* - mbedtls_ecp_curve_info_from_tls_id() uses the mbedtls_ecp_curve_info - data structure (defined in ecp.c), which only includes the list of - curves implemented. Hence, we only add curves that are also supported - and implemented by the server. - */ + /* + mbedtls_ecp_curve_info_from_tls_id( ) uses the mbedtls_ecp_curve_info + data structure ( defined in ecp.c ), which only includes the list of + curves implemented. Hence, we only add curves that are also supported + and implemented by the server. + */ - if (curve_info != NULL) - { - *curves++ = curve_info; - our_size--; - } + if( curve_info != NULL ) + { + *curves++ = curve_info; + our_size--; + } - list_size -= 2; - p += 2; - } + list_size -= 2; + p += 2; + } - return(0); + return( 0 ); } -#endif /* MBEDTLS_ECDH_C || (MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_ECDH_C || ( MBEDTLS_ECDSA_C */ -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) /* TODO: Code for MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED missing */ /* -ssl_parse_key_shares_ext() verifies whether the information in the extension -is correct and stores the provided key shares. Whether this is an acceptable -key share depends on the selected ciphersuite. + ssl_parse_key_shares_ext( ) verifies whether the information in the extension + is correct and stores the provided key shares. Whether this is an acceptable + key share depends on the selected ciphersuite. -Possible return values are: + Possible return values are: + - 0: Successful processing of the client provided key share extension. + - MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE: The key share provided by the client + does not match a group supported by the server. A HelloRetryRequest will + be needed. -0: Successful processing of the client provided key share extension. - -MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE: The key share provided by the client -does not match a group supported by the server. A HelloRetryRequest will -be needed. - -MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE: Problem encountered with the key -share provided by the client. + MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE: Problem encountered with the key + share provided by the client. */ -static int ssl_parse_key_shares_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) { +static int ssl_parse_key_shares_ext( + mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - int ret = 0, final_ret = 0, extensions_available = 1; - unsigned char *end = (unsigned char*)buf + len; - unsigned char *start = (unsigned char*)buf; - unsigned char *old; + int ret = 0, final_ret = 0, extensions_available = 1; + unsigned char *end = ( unsigned char* )buf + len; + unsigned char *start = ( unsigned char* )buf; + unsigned char *old; #if !defined(MBEDTLS_CTLS) - size_t n; - unsigned int ks_entry_size; + size_t n; + unsigned int ks_entry_size; #endif /* MBEDTLS_CTLS */ - int match_found = 0; + int match_found = 0; - const mbedtls_ecp_group_id *gid; + const mbedtls_ecp_group_id *gid; - // Is there a key share available at the server config? - /* if (ssl->conf->keyshare_ctx == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no key share context")); + /* Is there a key share available at the server config? */ + /* if( ssl->conf->keyshare_ctx == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no key share context" ) ); - if ((ret = mbedtls_ssl_send_fatal_handshake_failure(ssl)) != 0) - return(ret); + if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl )) != 0 ) + return( ret ); - return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; - } - */ + return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; + } + */ - // With CTLS there is only one key share + /* With CTLS there is only one key share */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - - /* Pick the first KeyShareEntry */ - n = (buf[0] << 8) | buf[1]; - - if (n + 2 > len) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad key share extension in client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE); - } - start += 2; - - /* We try to find a suitable key share entry and copy it to the - * handshake context. Later, we have to find out whether we can do - * something with the provided key share or whether we have to - * dismiss it and send a HelloRetryRequest message. */ - } + { + + /* Pick the first KeyShareEntry */ + n = ( buf[0] << 8 ) | buf[1]; + + if( n + 2 > len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad key share extension in client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE ); + } + start += 2; + + /* We try to find a suitable key share entry and copy it to the + * handshake context. Later, we have to find out whether we can do + * something with the provided key share or whether we have to + * dismiss it and send a HelloRetryRequest message. */ + } - /* - * Ephemeral ECDH parameters: - * - * struct { - * NamedGroup group; // 2 bytes - * opaque key_exchange<1..2^16-1>; - * } KeyShareEntry; - */ - // Jump over extension length field to the first KeyShareEntry by advancing buf+2 - old = start; - while (extensions_available) { - - if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected], - (const unsigned char **)&start, end)) != 0) - { - /* For some reason we didn't recognize the key share. We jump - * to the next one - */ + /* + * Ephemeral ECDH parameters: + * + * struct { + * NamedGroup group; + * opaque key_exchange<1..2^16-1>; + * } KeyShareEntry; + */ + /* Jump over extension length field to the first KeyShareEntry by advancing buf+2 */ + old = start; + while ( extensions_available ) { + + if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected], + ( const unsigned char ** )&start, end )) != 0 ) + { + /* For some reason we didn't recognize the key share. We jump + * to the next one + */ - MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params failed "), ret); - final_ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE; - goto skip_parsing_key_share_entry; - } + MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params failed " ), ret ); + final_ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE; + goto skip_parsing_key_share_entry; + } - // Does the provided key share match any of our supported groups - for (gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++) { - // Currently we only support a single key share - // Hence, we do not need a loop - if (ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id == *gid) { - match_found = 1; + /* Does the provided key share match any of our supported groups */ + for ( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) { + /* Currently we only support a single key share */ + /* Hence, we do not need a loop */ + if( ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id == *gid ) + { + match_found = 1; - ret = check_ecdh_params(ssl); + ret = check_ecdh_params( ssl ); - if (ret != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, ("check_ecdh_params: %d"), ret); - final_ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE; - goto skip_parsing_key_share_entry; - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "check_ecdh_params: %d" ), ret ); + final_ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE; + goto skip_parsing_key_share_entry; + } - break; - } - } - - if (match_found == 0) { - // A HelloRetryRequest is needed - MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE")); - final_ret = MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE; - } - else { - // The key share matched our supported groups - MBEDTLS_SSL_DEBUG_MSG(2, ("Key share matched our supported group: %s", mbedtls_ecp_curve_info_from_grp_id(ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id)->name)); - final_ret = 0; - goto finish_key_share_parsing; - } - skip_parsing_key_share_entry: + break; + } + } + + if( match_found == 0 ) + { + /* A HelloRetryRequest is needed */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); + final_ret = MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE; + } + else { + /* The key share matched our supported groups */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "Key share matched our supported group: %s", mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx[ssl->handshake->ecdh_ctx_selected].grp.id )->name ) ); + final_ret = 0; + goto finish_key_share_parsing; + } + skip_parsing_key_share_entry: #if !defined(MBEDTLS_CTLS) - // we jump to the next key share entry, if there is one - ks_entry_size = ((old[2] << 8) | (old[3])); - // skip named group id + length field + key share entry length - start = old + (ks_entry_size + 4); - old = start; - if (start >= end) { - // we reached the end - final_ret = MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE; - extensions_available = 0; - } + /* we jump to the next key share entry, if there is one */ + ks_entry_size = ( ( old[2] << 8 ) | ( old[3] ) ); + /* skip named group id + length field + key share entry length */ + start = old + ( ks_entry_size + 4 ); + old = start; + if( start >= end ) + { + /* we reached the end */ + final_ret = MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE; + extensions_available = 0; + } #else - ((void) buf); + ((void) buf); #endif /* MBEDTLS_CTLS */ - } + } finish_key_share_parsing: - if (final_ret == 0) { - // we found a key share we like - return (0); - } - else { - ((void) buf); - return (final_ret); + if( final_ret == 0 ) + { + /* we found a key share we like */ + return ( 0 ); + } + else { + ((void) buf); + return ( final_ret ); } } #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) -int mbedtls_ssl_parse_new_session_ticket_server(mbedtls_ssl_context *ssl, - unsigned char *buf, - size_t len, mbedtls_ssl_ticket *ticket) +int mbedtls_ssl_parse_new_session_ticket_server( + mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t len, mbedtls_ssl_ticket *ticket ) { - int ret; - unsigned char *ticket_buffer; + int ret; + unsigned char *ticket_buffer; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); - if (ssl->conf->f_ticket_parse == NULL || - ssl->conf->f_ticket_write == NULL) - { - return(0); - } - - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %d", len)); - - if (len == 0) return(0); - - /* We create a copy of the encrypted ticket since decrypting - * it into the same buffer will wipe-out the original content. - * We do, however, need the original buffer for computing the - * psk binder value. - */ - ticket_buffer = mbedtls_calloc(len,1); - if (ticket_buffer == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return (MBEDTLS_ERR_SSL_ALLOC_FAILED); - } else memcpy(ticket_buffer, buf, len); - - if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, ticket, - ticket_buffer, len)) != 0) - { - mbedtls_platform_zeroize(&ticket, sizeof(mbedtls_ssl_ticket)); - mbedtls_free(ticket_buffer); - if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); - else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); - else - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret); + if( ssl->conf->f_ticket_parse == NULL || + ssl->conf->f_ticket_write == NULL ) + { + return( 0 ); + } - return(ret); - } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); + + if( len == 0 ) return( 0 ); + + /* We create a copy of the encrypted ticket since decrypting + * it into the same buffer will wipe-out the original content. + * We do, however, need the original buffer for computing the + * psk binder value. + */ + ticket_buffer = mbedtls_calloc( len,1 ); + if( ticket_buffer == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return ( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } else memcpy( ticket_buffer, buf, len ); + + if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, ticket, + ticket_buffer, len )) != 0 ) + { + mbedtls_platform_zeroize( &ticket, sizeof( mbedtls_ssl_ticket ) ); + mbedtls_free( ticket_buffer ); + if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); + else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); + else + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); + + return( ret ); + } - // We delete the temporary buffer - mbedtls_free(ticket_buffer); + /* We delete the temporary buffer */ + mbedtls_free( ticket_buffer ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); - return(0); + return( 0 ); } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ -/* ssl_calc_binder(): +/* -0 -| -v -PSK -> HKDF-Extract -| -v -Early Secret -| -| -+------> Derive-Secret(., -| "ext binder" | -| "res binder", -| "") -| = binder_key + ssl_calc_binder( ): + + 0 + | + v + PSK -> HKDF-Extract + | + v + Early Secret + | + | + +------> Derive-Secret( ., + | "ext binder" | + | "res binder", + | "" ) + | = binder_key */ -static int ssl_calc_binder(mbedtls_ssl_context *ssl, unsigned char *psk, size_t psk_len, const mbedtls_md_info_t *md, const mbedtls_ssl_ciphersuite_t *suite_info, unsigned char *buffer, size_t blen, unsigned char *computed_binder) { - int ret = 0; - int hash_length; - - /* TBD: With dynamic memory allocations or a different hash function API - * we could make a more efficient memory allocation. - * Currently, we always allocate 64 bytes (512 bits) even if we only need - * 48 bytes (384 bits) as needed by a SHA384 hash function. - */ - unsigned char salt[MBEDTLS_MD_MAX_SIZE]; - unsigned char padbuf[MBEDTLS_MD_MAX_SIZE]; - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; -// unsigned char early_secret[MBEDTLS_MD_MAX_SIZE]; - unsigned char binder_key[MBEDTLS_MD_MAX_SIZE]; - unsigned char finished_key[MBEDTLS_MD_MAX_SIZE]; +static int ssl_calc_binder( mbedtls_ssl_context *ssl, unsigned char *psk, size_t psk_len, const mbedtls_md_info_t *md, const mbedtls_ssl_ciphersuite_t *suite_info, unsigned char *buffer, size_t blen, unsigned char *computed_binder ) { + int ret = 0; + int hash_length; + + /* TBD: With dynamic memory allocations or a different hash function API + * we could make a more efficient memory allocation. + * Currently, we always allocate 64 bytes ( 512 bits ) even if we only need + * 48 bytes ( 384 bits ) as needed by a SHA384 hash function. + */ + unsigned char salt[MBEDTLS_MD_MAX_SIZE]; + unsigned char padbuf[MBEDTLS_MD_MAX_SIZE]; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; +/* unsigned char early_secret[MBEDTLS_MD_MAX_SIZE]; */ + unsigned char binder_key[MBEDTLS_MD_MAX_SIZE]; + unsigned char finished_key[MBEDTLS_MD_MAX_SIZE]; #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; + mbedtls_sha256_context sha256; #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; + mbedtls_sha512_context sha512; #endif /* MBEDTLS_SHA512_C */ - hash_length = mbedtls_hash_size_for_ciphersuite(suite_info); + hash_length = mbedtls_hash_size_for_ciphersuite( suite_info ); - if (hash_length == -1) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite == -1, ssl_calc_binder failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( hash_length == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite == -1, ssl_calc_binder failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - /* + /* - Compute Early Secret with HKDF-Extract(0, PSK) + Compute Early Secret with HKDF-Extract( 0, PSK ) - */ - memset(salt, 0x0, hash_length); - ret = mbedtls_hkdf_extract(md, salt, hash_length, psk, psk_len, ssl->handshake->early_secret); + */ + memset( salt, 0x0, hash_length ); + ret = mbedtls_hkdf_extract( md, salt, hash_length, psk, psk_len, ssl->handshake->early_secret ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hkdf_extract() with early_secret", ret); - return ret; - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hkdf_extract( ) with early_secret", ret ); + return ret; + } - MBEDTLS_SSL_DEBUG_MSG(5, ("HKDF Extract -- early_secret")); - MBEDTLS_SSL_DEBUG_BUF(5, "Salt", salt, hash_length); - MBEDTLS_SSL_DEBUG_BUF(5, "Input", psk, psk_len); - MBEDTLS_SSL_DEBUG_BUF(5, "Output", ssl->handshake->early_secret, hash_length); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "HKDF Extract -- early_secret" ) ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Salt", salt, hash_length ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Input", psk, psk_len ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Output", ssl->handshake->early_secret, hash_length ); - /* + /* - Compute binder_key with Derive-Secret(early_secret, "ext binder" | "res binder","") + Compute binder_key with Derive-Secret( early_secret, "ext binder" | "res binder","" ) - */ + */ - /* Create hash of empty message first. - * TBD: replace by constant. - * - * For SHA256 the constant is - * e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - * - * For SHA384 the constant is - * 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b - */ + /* Create hash of empty message first. + * TBD: replace by constant. + * + * For SHA256 the constant is + * e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + * + * For SHA384 the constant is + * 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b + */ - if (suite_info->mac == MBEDTLS_MD_SHA256) { + if( suite_info->mac == MBEDTLS_MD_SHA256 ) + { #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256((const unsigned char*)"", 0, hash, 0); + mbedtls_sha256( ( const unsigned char* )"", 0, hash, 0 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA256_C */ - } - else if (suite_info->mac == MBEDTLS_MD_SHA384) { + } + else if( suite_info->mac == MBEDTLS_MD_SHA384 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512((const unsigned char*)"", 0, hash, 1 /* for SHA384 */); + mbedtls_sha512( ( const unsigned char* )"", 0, hash, 1 /* for SHA384 */ ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA512_C */ - } + } #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_NEW_SESSION_TICKET) -if ((ssl->handshake->resume == 1) || (ssl->conf->resumption_mode == 1)) { - ret = Derive_Secret(ssl, mbedtls_md_get_type(md), - ssl->handshake->early_secret, hash_length, - (const unsigned char*)"res binder", strlen("res binder"), - hash, hash_length, binder_key, hash_length); - MBEDTLS_SSL_DEBUG_MSG(5, ("Derive Early Secret with 'res binder'")); - } - else + if( ( ssl->handshake->resume == 1 ) || ( ssl->conf->resumption_mode == 1 ) ) + { + ret = Derive_Secret( ssl, mbedtls_md_get_type( md ), + ssl->handshake->early_secret, hash_length, + ( const unsigned char* )"res binder", strlen( "res binder" ), + hash, hash_length, binder_key, hash_length ); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Derive Early Secret with 'res binder'" ) ); + } + else #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_NEW_SESSION_TICKET */ - { - ret = Derive_Secret(ssl, mbedtls_md_get_type(md), - ssl->handshake->early_secret, hash_length, - (const unsigned char*)"ext binder", strlen("ext binder"), - hash, hash_length, binder_key, hash_length); - MBEDTLS_SSL_DEBUG_MSG(5, ("Derive Early Secret with 'ext binder'")); - } + { + ret = Derive_Secret( ssl, mbedtls_md_get_type( md ), + ssl->handshake->early_secret, hash_length, + ( const unsigned char* )"ext binder", strlen( "ext binder" ), + hash, hash_length, binder_key, hash_length ); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "Derive Early Secret with 'ext binder'" ) ); + } - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Derive_Secret() with binder_key: Error", ret); - return ret; - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Derive_Secret( ) with binder_key: Error", ret ); + return ret; + } - if (suite_info->mac == MBEDTLS_MD_SHA256) { + if( suite_info->mac == MBEDTLS_MD_SHA256 ) + { #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_init(&sha256); - mbedtls_sha256_starts(&sha256, 0 /* = use SHA256 */ ); - //mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256); - MBEDTLS_SSL_DEBUG_BUF(4, "finished sha256 state", (unsigned char *)sha256.state, sizeof(sha256.state)); - mbedtls_sha256_update(&sha256, buffer, blen); - MBEDTLS_SSL_DEBUG_BUF(5, "input buffer for psk binder", buffer, blen); - mbedtls_sha256_finish(&sha256, padbuf); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash for psk binder", padbuf, 32); + mbedtls_sha256_init( &sha256 ); + mbedtls_sha256_starts( &sha256, 0 /* = use SHA256 */ ); + /*mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); */ + MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha256 state", ( unsigned char * )sha256.state, sizeof( sha256.state ) ); + mbedtls_sha256_update( &sha256, buffer, blen ); + MBEDTLS_SSL_DEBUG_BUF( 5, "input buffer for psk binder", buffer, blen ); + mbedtls_sha256_finish( &sha256, padbuf ); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash for psk binder", padbuf, 32 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA256_C */ - } - else if (suite_info->mac == MBEDTLS_MD_SHA384) { + } + else if( suite_info->mac == MBEDTLS_MD_SHA384 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 1 /* = use SHA384 */); - //mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha512); - MBEDTLS_SSL_DEBUG_BUF(4, "finished sha384 state ", (unsigned char *)sha512.state, 48); - mbedtls_sha512_update(&sha512, buffer, blen); - mbedtls_sha512_finish(&sha512, padbuf); - MBEDTLS_SSL_DEBUG_BUF(5, "handshake hash for psk binder", padbuf, 48); + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 1 /* = use SHA384 */ ); + /*mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); */ + MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha384 state ", ( unsigned char * )sha512.state, 48 ); + mbedtls_sha512_update( &sha512, buffer, blen ); + mbedtls_sha512_finish( &sha512, padbuf ); + MBEDTLS_SSL_DEBUG_BUF( 5, "handshake hash for psk binder", padbuf, 48 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA512_C */ - } + } - /* - * finished_key = - * HKDF-Expand-Label(BaseKey, "finished", "", Hash.length) - * - * The binding_value is computed in the same way as the Finished message - * but with the BaseKey being the binder_key. - */ - - ret = hkdfExpandLabel(suite_info->mac, binder_key, hash_length, (const unsigned char*)"finished", strlen("finished"), (const unsigned char*)"", 0, hash_length, finished_key, hash_length); - - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "Creating the finished_key failed", ret); - return (ret); - } + /* + * finished_key = + * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length ) + * + * The binding_value is computed in the same way as the Finished message + * but with the BaseKey being the binder_key. + */ - MBEDTLS_SSL_DEBUG_BUF(3, "finished_key", finished_key, hash_length); + ret = hkdfExpandLabel( suite_info->mac, binder_key, hash_length, ( const unsigned char* )"finished", strlen( "finished" ), ( const unsigned char* )"", 0, hash_length, finished_key, hash_length ); - // compute mac and write it into the buffer - ret = mbedtls_md_hmac(md, finished_key, hash_length, padbuf, hash_length, computed_binder); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "Creating the finished_key failed", ret ); + return ( ret ); + } - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_hmac", ret); - return (ret); - } + MBEDTLS_SSL_DEBUG_BUF( 3, "finished_key", finished_key, hash_length ); + + /* compute mac and write it into the buffer */ + ret = mbedtls_md_hmac( md, finished_key, hash_length, padbuf, hash_length, computed_binder ); + + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac", ret ); + return ( ret ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("verify_data of psk binder")); - MBEDTLS_SSL_DEBUG_BUF(3, "Input", padbuf, hash_length); - MBEDTLS_SSL_DEBUG_BUF(3, "Key", finished_key, hash_length); - MBEDTLS_SSL_DEBUG_BUF(3, "Output", computed_binder, hash_length); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "verify_data of psk binder" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Input", padbuf, hash_length ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Key", finished_key, hash_length ); + MBEDTLS_SSL_DEBUG_BUF( 3, "Output", computed_binder, hash_length ); #if defined(MBEDTLS_SHA256_C) - if (suite_info->mac == MBEDTLS_MD_SHA256) { - mbedtls_sha256_free(&sha256); - } - else + if( suite_info->mac == MBEDTLS_MD_SHA256 ) + { + mbedtls_sha256_free( &sha256 ); + } + else #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) - if (suite_info->mac == MBEDTLS_MD_SHA384) { - mbedtls_sha512_free(&sha512); - } - else + if( suite_info->mac == MBEDTLS_MD_SHA384 ) + { + mbedtls_sha512_free( &sha512 ); + } + else #endif /* MBEDTLS_SHA512_C */ { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - mbedtls_platform_zeroize(finished_key, hash_length); + mbedtls_platform_zeroize( finished_key, hash_length ); - return ret; + return ret; } #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) -int ssl_parse_client_psk_identity_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) +int ssl_parse_client_psk_identity_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - int ret = 0; - unsigned char *truncated_clienthello_end, *truncated_clienthello_start = ssl->in_msg; - unsigned int item_array_length, item_length, sum, length_so_far; - unsigned char server_computed_binder[MBEDTLS_MD_MAX_SIZE]; - uint32_t obfuscated_ticket_age; - mbedtls_ssl_ticket ticket; + int ret = 0; + unsigned char *truncated_clienthello_end, *truncated_clienthello_start = ssl->in_msg; + unsigned int item_array_length, item_length, sum, length_so_far; + unsigned char server_computed_binder[MBEDTLS_MD_MAX_SIZE]; + uint32_t obfuscated_ticket_age; + mbedtls_ssl_ticket ticket; #if defined(MBEDTLS_HAVE_TIME) - time_t now; - int64_t diff; + time_t now; + int64_t diff; #endif /* MBEDTLS_HAVE_TIME */ -/* if (ssl->conf->f_psk == NULL && - (ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || - ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0)) +/* if( ssl->conf->f_psk == NULL && + ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || + ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 )) { - MBEDTLS_SSL_DEBUG_MSG(1, ("no pre-shared key configured")); - return(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no pre-shared key configured" ) ); + return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); } */ - // Read length of array of identities - item_array_length = (buf[0] << 8) | buf[1]; - - length_so_far = item_array_length + 2; - buf += 2; - if (length_so_far > len) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad psk_identity extension in client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - sum = 2; - while (sum < item_array_length+2) { - - // Read to psk identity length - item_length = (buf[0] << 8) | buf[1]; - sum = sum + 2 + item_length; - - if (sum > len) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("psk_identity length mismatch")); - - if ((ret = mbedtls_ssl_send_fatal_handshake_failure(ssl)) != 0) - return(ret); - - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - - /* - * Extract pre-shared key identity provided by the client - */ - // jump to identity value itself - buf += 2; - - MBEDTLS_SSL_DEBUG_BUF(3, "received psk identity", buf, item_length); - - if (ssl->conf->f_psk != NULL) - { - if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, buf, item_length) != 0) - ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; - } - else - { - /* Identity is not a big secret since clients send it in the clear, - * but treat it carefully anyway, just in case */ - if (item_length != ssl->conf->psk_identity_len || - mbedtls_ssl_safer_memcmp(ssl->conf->psk_identity, buf, item_length) != 0) - { - ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; - } - else { - // skip obfuscated ticket age - // TBD: Process obfuscated ticket age (zero for externally configured PSKs?!) - buf = buf + item_length + 4; /* 4 for obfuscated ticket age */; - goto psk_parsing_successful; - - } + /* Read length of array of identities */ + item_array_length = ( buf[0] << 8 ) | buf[1]; + + length_so_far = item_array_length + 2; + buf += 2; + if( length_so_far > len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk_identity extension in client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + sum = 2; + while ( sum < item_array_length+2 ) { + + /* Read to psk identity length */ + item_length = ( buf[0] << 8 ) | buf[1]; + sum = sum + 2 + item_length; + + if( sum > len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk_identity length mismatch" ) ); + + if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl )) != 0 ) + return( ret ); + + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + /* + * Extract pre-shared key identity provided by the client + */ + /* jump to identity value itself */ + buf += 2; + + MBEDTLS_SSL_DEBUG_BUF( 3, "received psk identity", buf, item_length ); + + if( ssl->conf->f_psk != NULL ) + { + if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, buf, item_length ) != 0 ) + ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; + } + else + { + /* Identity is not a big secret since clients send it in the clear, + * but treat it carefully anyway, just in case */ + if( item_length != ssl->conf->psk_identity_len || + mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, buf, item_length ) != 0 ) + { + ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; + } + else { + /* skip obfuscated ticket age */ + /* TBD: Process obfuscated ticket age ( zero for externally configured PSKs?! ) */ + buf = buf + item_length + 4; /* 4 for obfuscated ticket age */; + goto psk_parsing_successful; + + } #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - /* Check the ticket cache if previous lookup was unsuccessful */ - if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { - // copy ticket since it acts as the psk_identity - if (ssl->session_negotiate->ticket != NULL) { - mbedtls_free(ssl->session_negotiate->ticket); - } - ssl->session_negotiate->ticket = mbedtls_calloc(1, item_length); - if (ssl->session_negotiate->ticket == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", item_length)); - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); - } - memcpy(ssl->session_negotiate->ticket, buf, item_length); - ssl->session_negotiate->ticket_len = item_length; - - ret = mbedtls_ssl_parse_new_session_ticket_server(ssl, ssl->session_negotiate->ticket, item_length, &ticket); - if (ret == 0) { - // found a match in the ticket cache; everything is OK - ssl->handshake->resume = 1; - - /* We put the resumption_master_secret into the handshake->psk - * - * Note: The key in the ticket is already the final PSK, - * i.e., the HKDF-Expand-Label(resumption_master_secret, "resumption", ticket_nonce, Hash.length) - * function has already been applied. - */ - mbedtls_ssl_set_hs_psk(ssl, ticket.key, ticket.key_len); - MBEDTLS_SSL_DEBUG_BUF(5, "ticket: key", ticket.key, ticket.key_len); - - // obfuscated ticket age follows the identity field, which is item_length long, containing the ticket - memcpy(&obfuscated_ticket_age, buf+item_length, 4); - MBEDTLS_SSL_DEBUG_BUF(5, "ticket: obfuscated_ticket_age", (const unsigned char *) &obfuscated_ticket_age, 4); - /* - * A server MUST validate that the ticket age for the selected PSK identity - * is within a small tolerance of the time since the ticket was issued. - */ + /* Check the ticket cache if previous lookup was unsuccessful */ + if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) + { + /* copy ticket since it acts as the psk_identity */ + if( ssl->session_negotiate->ticket != NULL ) + { + mbedtls_free( ssl->session_negotiate->ticket ); + } + ssl->session_negotiate->ticket = mbedtls_calloc( 1, item_length ); + if( ssl->session_negotiate->ticket == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed ( %d bytes )", item_length ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + memcpy( ssl->session_negotiate->ticket, buf, item_length ); + ssl->session_negotiate->ticket_len = item_length; + + ret = mbedtls_ssl_parse_new_session_ticket_server( ssl, ssl->session_negotiate->ticket, item_length, &ticket ); + if( ret == 0 ) + { + /* found a match in the ticket cache; everything is OK */ + ssl->handshake->resume = 1; + + /* We put the resumption_master_secret into the handshake->psk + * + * Note: The key in the ticket is already the final PSK, + * i.e., the HKDF-Expand-Label( resumption_master_secret, "resumption", ticket_nonce, Hash.length ) + * function has already been applied. + */ + mbedtls_ssl_set_hs_psk( ssl, ticket.key, ticket.key_len ); + MBEDTLS_SSL_DEBUG_BUF( 5, "ticket: key", ticket.key, ticket.key_len ); + + /* obfuscated ticket age follows the identity field, which is item_length long, containing the ticket */ + memcpy( &obfuscated_ticket_age, buf+item_length, 4 ); + MBEDTLS_SSL_DEBUG_BUF( 5, "ticket: obfuscated_ticket_age", ( const unsigned char * ) &obfuscated_ticket_age, 4 ); + /* + * A server MUST validate that the ticket age for the selected PSK identity + * is within a small tolerance of the time since the ticket was issued. + */ #if defined(MBEDTLS_HAVE_TIME) - now = time(NULL); + now = time( NULL ); - /* Check #1: - * Is the time when the ticket was issued later than now? - */ + /* Check #1: + * Is the time when the ticket was issued later than now? + */ - if (now < ticket.start) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket expired: now=%d, ticket.start=%d",now, ticket.start)); - ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; - } + if( now < ticket.start ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket expired: now=%d, ticket.start=%d",now, ticket.start ) ); + ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; + } - /* Check #2: - * Is the ticket expired already? - */ + /* Check #2: + * Is the ticket expired already? + */ - if (now - ticket.start > ticket.ticket_lifetime) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket expired (now - ticket.start=%d, ticket.ticket_lifetime=%d", now - ticket.start, ticket.ticket_lifetime)); - ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; - } + if( now - ticket.start > ticket.ticket_lifetime ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket expired ( now - ticket.start=%d, ticket.ticket_lifetime=%d", now - ticket.start, ticket.ticket_lifetime ) ); + ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; + } - /* Check #3: - * Is the ticket age for the selected PSK identity (computed by subtracting ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) - * within a small tolerance of the time since the ticket was issued? - */ + /* Check #3: + * Is the ticket age for the selected PSK identity ( computed by subtracting ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32 ) + * within a small tolerance of the time since the ticket was issued? + */ - diff = (now - ticket.start) - (obfuscated_ticket_age - ticket.ticket_age_add); + diff = ( now - ticket.start ) - ( obfuscated_ticket_age - ticket.ticket_age_add ); - if (diff > MBEDTLS_SSL_TICKET_AGE_TOLERANCE ) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket age outside tolerance window (diff=%d)", diff)); - ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; - } + if( diff > MBEDTLS_SSL_TICKET_AGE_TOLERANCE ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket age outside tolerance window ( diff=%d )", diff ) ); + ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; + } #if defined(MBEDTLS_ZERO_RTT) - if (ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED) { - if (diff <= MBEDTLS_SSL_EARLY_DATA_MAX_DELAY) { - ssl->session_negotiate->process_early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; - } - else { - ssl->session_negotiate->process_early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; - ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; - } - } + if( ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED ) + { + if( diff <= MBEDTLS_SSL_EARLY_DATA_MAX_DELAY ) + { + ssl->session_negotiate->process_early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; + } + else + { + ssl->session_negotiate->process_early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; + } + } #endif /* MBEDTLS_ZERO_RTT */ #endif /* MBEDTLS_HAVE_TIME */ - // TBD: check ALPN, ciphersuite and SNI as well + /* TBD: check ALPN, ciphersuite and SNI as well */ - /* - * If the check failed, the server SHOULD proceed with the handshake but - * reject 0-RTT, and SHOULD NOT take any other action that assumes that - * this ClientHello is fresh. - */ + /* + * If the check failed, the server SHOULD proceed with the handshake but + * reject 0-RTT, and SHOULD NOT take any other action that assumes that + * this ClientHello is fresh. + */ - // Disable 0-RTT - if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { + /* Disable 0-RTT */ + if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) + { #if defined(MBEDTLS_ZERO_RTT) - if (ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED) { - ssl->session_negotiate->process_early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; - } + if( ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED ) + { + ssl->session_negotiate->process_early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; + } #else - ((void)buf); + ( (void)buf ); #endif /* MBEDTLS_ZERO_RTT */ - } - } - } + } + } + } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ - } - // skip the processed identity field and the obfuscated ticket age field - buf += item_length; - buf += 4; - sum = sum + 4; - } + } + /* skip the processed identity field and the obfuscated ticket age field */ + buf += item_length; + buf += 4; + sum = sum + 4; + } - if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { + if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) + { - MBEDTLS_SSL_DEBUG_MSG(1, ("Neither PSK nor ticket found.")); - if ((ret = mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY)) != 0) - { - return(ret); - } - - return(ret); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Neither PSK nor ticket found." ) ); + if( ( ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY )) != 0 ) + { + return( ret ); + } - if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) - { - MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", buf, item_length); - if ((ret = mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY)) != 0) - { - return(ret); - } + return( ret ); + } - return(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY); - } + if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) + { + MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", buf, item_length ); + if( ( ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY )) != 0 ) + { + return( ret ); + } + + return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); + } - if (length_so_far != sum) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad psk_identity extension in client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( length_so_far != sum ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk_identity extension in client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } psk_parsing_successful: - /* Store this pointer since we need it to compute - * the psk binder. - */ - truncated_clienthello_end = (unsigned char*) buf; + /* Store this pointer since we need it to compute + * the psk binder. + */ + truncated_clienthello_end = ( unsigned char* ) buf; - // read length of psk binder array - item_array_length = (buf[0] << 8) | buf[1]; - length_so_far += item_array_length; - buf += 2; + /* read length of psk binder array */ + item_array_length = ( buf[0] << 8 ) | buf[1]; + length_so_far += item_array_length; + buf += 2; - sum = 0; - while (sum < item_array_length) { + sum = 0; + while ( sum < item_array_length ) { - // Read to psk binder length - item_length = buf[0]; - sum = sum + 1 + item_length; - buf += 1; + /* Read to psk binder length */ + item_length = buf[0]; + sum = sum + 1 + item_length; + buf += 1; - if (sum > item_array_length) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("psk binder length mismatch")); + if( sum > item_array_length ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk binder length mismatch" ) ); - if ((ret = mbedtls_ssl_send_fatal_handshake_failure(ssl)) != 0) - return(ret); + if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl )) != 0 ) + return( ret ); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - MBEDTLS_SSL_DEBUG_BUF(3, "ssl_calc_binder computed over ", truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start); + MBEDTLS_SSL_DEBUG_BUF( 3, "ssl_calc_binder computed over ", truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start ); - if (ssl->handshake->resume == 1) { - // Case 1: We are using the PSK from a ticket - ret = ssl_calc_binder(ssl, ssl->handshake->psk, ssl->handshake->psk_len, - mbedtls_md_info_from_type(ssl->transform_negotiate->ciphersuite_info->mac), ssl->transform_negotiate->ciphersuite_info, - truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start, server_computed_binder); - } - else { - // Case 2: We are using an externally configured PSK - ret = ssl_calc_binder(ssl, ssl->conf->psk, ssl->conf->psk_len, - mbedtls_md_info_from_type(ssl->transform_negotiate->ciphersuite_info->mac), ssl->transform_negotiate->ciphersuite_info, - truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start, server_computed_binder); - } + if( ssl->handshake->resume == 1 ) + { + /* Case 1: We are using the PSK from a ticket */ + ret = ssl_calc_binder( ssl, ssl->handshake->psk, ssl->handshake->psk_len, + mbedtls_md_info_from_type( ssl->transform_negotiate->ciphersuite_info->mac ), ssl->transform_negotiate->ciphersuite_info, + truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start, server_computed_binder ); + } + else { + /* Case 2: We are using an externally configured PSK */ + ret = ssl_calc_binder( ssl, ssl->conf->psk, ssl->conf->psk_len, + mbedtls_md_info_from_type( ssl->transform_negotiate->ciphersuite_info->mac ), ssl->transform_negotiate->ciphersuite_info, + truncated_clienthello_start, truncated_clienthello_end - truncated_clienthello_start, server_computed_binder ); + } - // We do not check for multiple binders - if (ret != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Psk binder calculation failed.")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + /* We do not check for multiple binders */ + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Psk binder calculation failed." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - MBEDTLS_SSL_DEBUG_BUF(3, "psk binder (computed): ", server_computed_binder, item_length); - MBEDTLS_SSL_DEBUG_BUF(3, "psk binder (received): ", buf, item_length); + MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ", server_computed_binder, item_length ); + MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", buf, item_length ); - if (mbedtls_ssl_safer_memcmp(server_computed_binder, buf, item_length) != 0) { + if( mbedtls_ssl_safer_memcmp( server_computed_binder, buf, item_length ) != 0 ) + { - MBEDTLS_SSL_DEBUG_MSG(1, ("Received psk binder does not match computed psk binder.")); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received psk binder does not match computed psk binder." ) ); - if ((ret = mbedtls_ssl_send_fatal_handshake_failure(ssl)) != 0) - return(ret); + if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl )) != 0 ) + return( ret ); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - buf += item_length; + buf += item_length; - return 0; - } + return 0; + } - // no valid psk binder value found - MBEDTLS_SSL_DEBUG_RET(1, "create_binder in ssl_parse_pre_shared_key_ext failed:", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); + /* no valid psk binder value found */ + MBEDTLS_SSL_DEBUG_RET( 1, "create_binder in ssl_parse_pre_shared_key_ext failed:", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED*/ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) /* -* struct { -* select (Handshake.msg_type) { -* case client_hello: -* PskIdentity identities<6..2^16-1>; -* -* case server_hello: -* uint16 selected_identity; -* } -* } PreSharedKeyExtension; -*/ + * struct { + * select ( Handshake.msg_type ) { + * case client_hello: + * PskIdentity identities<6..2^16-1>; + * + * case server_hello: + * uint16 selected_identity; + * } + * } PreSharedKeyExtension; + */ -static int ssl_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +static int ssl_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = (unsigned char*)buf; - size_t selected_identity; - int ret=0; - - *olen = 0; - - // Are we using an external PSK? - if (ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || - ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0) - ret = MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; - - // Are we using resumption? - if (ssl->handshake->resume == 0 && ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("No pre-shared-key available.")); - return(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED); - } + unsigned char *p = ( unsigned char* )buf; + size_t selected_identity; + int ret=0; + + *olen = 0; + + /* Are we using an external PSK? */ + if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || + ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) + ret = MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; + + /* Are we using resumption? */ + if( ssl->handshake->resume == 0 && ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "No pre-shared-key available." ) ); + return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) ); - if (end < p || (end - p) < 6) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } + if( end < p || ( end - p ) < 6 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } - // Extension Type - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_PRE_SHARED_KEY >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_PRE_SHARED_KEY) & 0xFF); + /* Extension Type */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_PRE_SHARED_KEY >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_PRE_SHARED_KEY ) & 0xFF ); - // Extension Length - *p++ = (unsigned char)((2 >> 8) & 0xFF); - *p++ = (unsigned char)(2 & 0xFF); + /* Extension Length */ + *p++ = ( unsigned char )( ( 2 >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( 2 & 0xFF ); - // retrieve selected_identity - selected_identity = 0; + /* retrieve selected_identity */ + selected_identity = 0; - // Write selected_identity - *p++ = (unsigned char)((selected_identity >> 8) & 0xFF); - *p++ = (unsigned char)(selected_identity & 0xFF); + /* Write selected_identity */ + *p++ = ( unsigned char )( ( selected_identity >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( selected_identity & 0xFF ); - *olen = 6; + *olen = 6; - MBEDTLS_SSL_DEBUG_MSG(5, ("sent selected_identity: %d", selected_identity)); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "sent selected_identity: %d", selected_identity ) ); - return 0; + return 0; } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_SSL_COOKIE_C) -int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, - const unsigned char *info, - size_t ilen) +int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, + const unsigned char *info, + size_t ilen ) { - if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - mbedtls_free(ssl->cli_id); + mbedtls_free( ssl->cli_id ); - if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) - return(MBEDTLS_ERR_SSL_ALLOC_FAILED); + if( ( ssl->cli_id = mbedtls_calloc( 1, ilen )) == NULL ) + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - memcpy(ssl->cli_id, info, ilen); - ssl->cli_id_len = ilen; + memcpy( ssl->cli_id, info, ilen ); + ssl->cli_id_len = ilen; - return(0); + return( 0 ); } #endif /* MBEDTLS_SSL_COOKIE_C */ #if defined(MBEDTLS_SSL_COOKIE_C) -void mbedtls_ssl_conf_cookies(mbedtls_ssl_config *conf, - mbedtls_ssl_cookie_write_t *f_cookie_write, - mbedtls_ssl_cookie_check_t *f_cookie_check, - void *p_cookie, - unsigned int rr_config) +void mbedtls_ssl_conf_cookies( mbedtls_ssl_config *conf, + mbedtls_ssl_cookie_write_t *f_cookie_write, + mbedtls_ssl_cookie_check_t *f_cookie_check, + void *p_cookie, + unsigned int rr_config ) { - conf->f_cookie_write = f_cookie_write; - conf->f_cookie_check = f_cookie_check; - conf->p_cookie = p_cookie; - conf->rr_config = rr_config; + conf->f_cookie_write = f_cookie_write; + conf->f_cookie_check = f_cookie_check; + conf->p_cookie = p_cookie; + conf->rr_config = rr_config; } #endif /* MBEDTLS_SSL_COOKIE_C */ #if defined(MBEDTLS_SSL_COOKIE_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) -static int ssl_parse_cookie_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) +static int ssl_parse_cookie_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - int ret = 0; - // size_t servername_list_size , hostname_len; - // const unsigned char *p; - - MBEDTLS_SSL_DEBUG_MSG(3, ("parse cookie extension")); - - if (ssl->conf->f_cookie_check != NULL) - { - MBEDTLS_SSL_DEBUG_BUF(3, "Received cookie", buf, len); - - if (ssl->conf->f_cookie_check(ssl->conf->p_cookie, - buf, len, ssl->cli_id, ssl->cli_id_len) != 0) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed")); - ssl->handshake->verify_cookie_len = 1; - ret = MBEDTLS_ERR_SSL_BAD_HS_COOKIE_EXT; - } - else - { - MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed")); - ssl->handshake->verify_cookie_len = 0; - } - } - else { - // TBD: Check under what cases this is appropriate - MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped")); - } + int ret = 0; + /* size_t servername_list_size , hostname_len; */ + /* const unsigned char *p; */ + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse cookie extension" ) ); + + if( ssl->conf->f_cookie_check != NULL ) + { + MBEDTLS_SSL_DEBUG_BUF( 3, "Received cookie", buf, len ); + + if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, + buf, len, ssl->cli_id, ssl->cli_id_len ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); + ssl->handshake->verify_cookie_len = 1; + ret = MBEDTLS_ERR_SSL_BAD_HS_COOKIE_EXT; + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); + ssl->handshake->verify_cookie_len = 0; + } + } + else { + /* TBD: Check under what cases this is appropriate */ + MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); + } - return(ret); + return( ret ); } #endif /* MBEDTLS_SSL_COOKIE_C && MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -static int ssl_parse_servername_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) +static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - int ret; - size_t servername_list_size, hostname_len; - const unsigned char *p; - - - if (ssl->conf->p_sni == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("No SNI callback configured. Skip SNI parsing.")); - return(0); - } + int ret; + size_t servername_list_size, hostname_len; + const unsigned char *p; - MBEDTLS_SSL_DEBUG_MSG(3, ("Parse ServerName extension")); - servername_list_size = ((buf[0] << 8) | (buf[1])); - if (servername_list_size + 2 != len) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( ssl->conf->p_sni == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "No SNI callback configured. Skip SNI parsing." ) ); + return( 0 ); + } - p = buf + 2; - while (servername_list_size > 0) - { - hostname_len = ((p[1] << 8) | p[2]); - if (hostname_len + 3 > servername_list_size) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Parse ServerName extension" ) ); - if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) - { - ret = ssl->conf->f_sni(ssl->conf->p_sni, - ssl, p + 3, hostname_len); - if (ret != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - return(0); - } + servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); + if( servername_list_size + 2 != len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - servername_list_size -= hostname_len + 3; - p += hostname_len + 3; - } + p = buf + 2; + while ( servername_list_size > 0 ) + { + hostname_len = ( ( p[1] << 8 ) | p[2] ); + if( hostname_len + 3 > servername_list_size ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) + { + ret = ssl->conf->f_sni( ssl->conf->p_sni, + ssl, p + 3, hostname_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + return( 0 ); + } + + servername_list_size -= hostname_len + 3; + p += hostname_len + 3; + } - if (servername_list_size != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( servername_list_size != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - return(0); + return( 0 ); } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_ZERO_RTT) /* -static int ssl_parse_early_data_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) -{ - ((void*)ssl); - ((void*)buf); - return(0); -} + static int ssl_parse_early_data_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) + { + ( ( void* )ssl ); + ( ( void* )buf ); + return( 0 ); + } */ #endif /* MBEDTLS_ZERO_RTT */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) +static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - ssl->session_negotiate->mfl_code = buf[0]; - MBEDTLS_SSL_DEBUG_MSG(3, ("Maximum fragment length = %d", buf[0])); + ssl->session_negotiate->mfl_code = buf[0]; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Maximum fragment length = %d", buf[0] ) ); - return(0); + return( 0 ); } #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) /* -* ssl_parse_key_exchange_modes_ext() structure: -* -* enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode; -* -* struct { -* PskKeyExchangeMode ke_modes<1..255>; -* } PskKeyExchangeModes; -*/ + * ssl_parse_key_exchange_modes_ext( ) structure: + * + * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode; + * + * struct { + * PskKeyExchangeMode ke_modes<1..255>; + * } PskKeyExchangeModes; + */ -static int ssl_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, - size_t len) +static int ssl_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + size_t len ) { - int ret = 0; + int ret = 0; - // Length has to be either 1 or 2 based on the currently defined psk key exchange modes - if (len < 2 || len >3) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad psk key exchange modes extension in client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + /* Length has to be either 1 or 2 based on the currently defined psk key exchange modes */ + if( len < 2 || len >3 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk key exchange modes extension in client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - // We check for the allowed combinations and set the key_exchange_modes variable accordingly - if (buf[0] == 2) { - if ((buf[1] == KEY_EXCHANGE_MODE_PSK_KE || buf[1] == KEY_EXCHANGE_MODE_PSK_DHE_KE) && - (buf[2] == KEY_EXCHANGE_MODE_PSK_KE || buf[2] == KEY_EXCHANGE_MODE_PSK_DHE_KE)) { - ssl->session_negotiate->key_exchange_modes = KEY_EXCHANGE_MODE_PSK_ALL; - } - else ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; - } - else if (buf[0] == 1) { - switch (buf[1]) - { - case 0: - ssl->session_negotiate->key_exchange_modes = KEY_EXCHANGE_MODE_PSK_KE; - break; - case 1: - ssl->session_negotiate->key_exchange_modes = KEY_EXCHANGE_MODE_PSK_DHE_KE; - break; - default: - ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; - } - } - else ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; + /* We check for the allowed combinations and set the key_exchange_modes variable accordingly */ + if( buf[0] == 2 ) + { + if( ( buf[1] == KEY_EXCHANGE_MODE_PSK_KE || buf[1] == KEY_EXCHANGE_MODE_PSK_DHE_KE ) && + ( buf[2] == KEY_EXCHANGE_MODE_PSK_KE || buf[2] == KEY_EXCHANGE_MODE_PSK_DHE_KE )) { + ssl->session_negotiate->key_exchange_modes = KEY_EXCHANGE_MODE_PSK_ALL; + } + else ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; + } + else if( buf[0] == 1 ) + { + switch ( buf[1] ) + { + case 0: + ssl->session_negotiate->key_exchange_modes = KEY_EXCHANGE_MODE_PSK_KE; + break; + case 1: + ssl->session_negotiate->key_exchange_modes = KEY_EXCHANGE_MODE_PSK_DHE_KE; + break; + default: + ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; + } + } + else ret = MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO; - if (ret != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad psk key exchange modes extension in client hello message")); - return(ret); - } + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk key exchange modes extension in client hello message" ) ); + return( ret ); + } - return (0); + return ( 0 ); } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ /* - * ssl_write_supported_version_ext(): - * (as sent by server) + * ssl_write_supported_version_ext( ): + * ( as sent by server ) * * case server_hello: * ProtocolVersion selected_version; */ -static int ssl_write_supported_version_ext(mbedtls_ssl_context *ssl, - unsigned char* buf, - unsigned char* end, - size_t* olen) +static int ssl_write_supported_version_ext( mbedtls_ssl_context *ssl, + unsigned char* buf, + unsigned char* end, + size_t* olen ) { - unsigned char *p = buf; + unsigned char *p = buf; - *olen = 0; + *olen = 0; - MBEDTLS_SSL_DEBUG_MSG(3, ("adding supported version extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding supported version extension" ) ); - if (end < p || (size_t)(end - p) < 6) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; - } + if( end < p || (size_t)( end - p ) < 6 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + } - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS) & 0xFF); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ) & 0xFF ); - // length - *p++ = 0x00; - *p++ = 2; + /* length */ + *p++ = 0x00; + *p++ = 2; - // For TLS 1.3 and for DTLS 1.3 we use 0x0304 - *p++ = 0x03; - *p++ = 0x04; - MBEDTLS_SSL_DEBUG_MSG(3, ("version [%d:%d]", *(p-2), *(p-1))); + /* For TLS 1.3 and for DTLS 1.3 we use 0x0304 */ + *p++ = 0x03; + *p++ = 0x04; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "version [%d:%d]", *( p-2 ), *( p-1 )) ); - *olen = 6; + *olen = 6; - return(0); + return( 0 ); } -static int ssl_parse_supported_versions_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len) +static int ssl_parse_supported_versions_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ) { - size_t list_len; - int major_ver, minor_ver; - - if (len < 3) { - MBEDTLS_SSL_DEBUG_MSG(1, ("ssl_parse_supported_versions_ext: Incorrect length")); - return(MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_VERSIONS_EXT); - } - - while (len > 0) { -// list_len = (buf[0] << 8) | buf[1]; - list_len = buf[0]; + size_t list_len; + int major_ver, minor_ver; - // length has to be at least 2 bytes long - if (list_len < 2) { - MBEDTLS_SSL_DEBUG_MSG(1, ("ssl_parse_supported_versions_ext: Incorrect length")); - return(MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_VERSIONS_EXT); - } - - // skip length field - buf++; - - mbedtls_ssl_read_version(&major_ver, &minor_ver, ssl->conf->transport, buf); + if( len < 3 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ssl_parse_supported_versions_ext: Incorrect length" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_VERSIONS_EXT ); + } - // In this implementation we only support TLS 1.3 and DTLS 1.3. - if (major_ver == (int)0x03 && - minor_ver == (int)0x04) - { - // we found a supported version - goto found_version; - } else - { - // if no match found, check next entry - buf += 2; - len -= 3; - } - } + while ( len > 0 ) { +/* list_len = ( buf[0] << 8 ) | buf[1]; */ + list_len = buf[0]; + + /* length has to be at least 2 bytes long */ + if( list_len < 2 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ssl_parse_supported_versions_ext: Incorrect length" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_VERSIONS_EXT ); + } + + /* skip length field */ + buf++; + + mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, buf ); + + /* In this implementation we only support TLS 1.3 and DTLS 1.3. */ + if( major_ver == ( int )0x03 && + minor_ver == ( int )0x04 ) + { + /* we found a supported version */ + goto found_version; + } else + { + /* if no match found, check next entry */ + buf += 2; + len -= 3; + } + } - // If we got here then we have no version in common - MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS. Supported is [%d:%d]", - ssl->conf->min_major_ver, ssl->conf->min_minor_ver)); + /* If we got here then we have no version in common */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS. Supported is [%d:%d]", + ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); - return(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION); + return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); found_version: - MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version. Supported is [%d:%d]", - major_ver, minor_ver)); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%d:%d]", + major_ver, minor_ver ) ); - // version in common - ssl->major_ver = major_ver; - ssl->minor_ver = minor_ver; - ssl->handshake->max_major_ver = ssl->major_ver; - ssl->handshake->max_minor_ver = ssl->minor_ver; + /* version in common */ + ssl->major_ver = major_ver; + ssl->minor_ver = minor_ver; + ssl->handshake->max_major_ver = ssl->major_ver; + ssl->handshake->max_minor_ver = ssl->minor_ver; - return(0); + return( 0 ); } #if defined(MBEDTLS_SSL_ALPN) -static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len) +static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len ) { - size_t list_len, cur_len, ours_len; - const unsigned char *theirs, *start, *end; - const char **ours; - - /* If ALPN not configured, just ignore the extension */ - if (ssl->conf->alpn_list == NULL) - return(0); - - /* - * opaque ProtocolName<1..2^8-1>; - * - * struct { - * ProtocolName protocol_name_list<2..2^16-1> - * } ProtocolNameList; - */ - - /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ - if (len < 4) - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - - list_len = (buf[0] << 8) | buf[1]; - if (list_len != len - 2) - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - - /* - * Use our order of preference - */ - start = buf + 2; - end = buf + len; - for (ours = ssl->conf->alpn_list; *ours != NULL; ours++) - { - ours_len = strlen(*ours); - for (theirs = start; theirs != end; theirs += cur_len) - { - /* If the list is well formed, we should get equality first */ - if (theirs > end) - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - - cur_len = *theirs++; - - /* Empty strings MUST NOT be included */ - if (cur_len == 0) - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - - if (cur_len == ours_len && - memcmp(theirs, *ours, cur_len) == 0) - { - ssl->alpn_chosen = *ours; - return(0); - } - } - } + size_t list_len, cur_len, ours_len; + const unsigned char *theirs, *start, *end; + const char **ours; + + /* If ALPN not configured, just ignore the extension */ + if( ssl->conf->alpn_list == NULL ) + return( 0 ); + + /* + * opaque ProtocolName<1..2^8-1>; + * + * struct { + * ProtocolName protocol_name_list<2..2^16-1> + * } ProtocolNameList; + */ + + /* Min length is 2 ( list_len ) + 1 ( name_len ) + 1 ( name ) */ + if( len < 4 ) + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + + list_len = ( buf[0] << 8 ) | buf[1]; + if( list_len != len - 2 ) + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + + /* + * Use our order of preference + */ + start = buf + 2; + end = buf + len; + for ( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) + { + ours_len = strlen( *ours ); + for ( theirs = start; theirs != end; theirs += cur_len ) + { + /* If the list is well formed, we should get equality first */ + if( theirs > end ) + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + + cur_len = *theirs++; + + /* Empty strings MUST NOT be included */ + if( cur_len == 0 ) + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + + if( cur_len == ours_len && + memcmp( theirs, *ours, cur_len ) == 0 ) + { + ssl->alpn_chosen = *ours; + return( 0 ); + } + } + } - /* If we get there, no match was found */ - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); + /* If we get there, no match was found */ + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); } #endif /* MBEDTLS_SSL_ALPN */ - -/* -* Check if a given ciphersuite is suitable for use with our config/keys/etc -* Sets ciphersuite_info only if the suite matches. Return code other than 0 -* is only used to indicate a fatal failure. Hence, a return value of zero -* does not indicate whether there is a match or a mismatch. -*/ - -/* We are not using this function anymore. - -static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, - const mbedtls_ssl_ciphersuite_t **ciphersuite_info) -{ - const mbedtls_ssl_ciphersuite_t *suite_info; -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) - const mbedtls_ecp_curve_info *curve_info; -#endif - - suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); - if (suite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("ssl_ciphersuite_match: should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - - MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %s", suite_info->name)); - - if (suite_info->min_minor_ver > ssl->minor_ver || - suite_info->max_minor_ver < ssl->minor_ver) - { - MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version")); - return(0); - } - -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - (suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS)) - return(0); -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) - // Check whether we received a key share from the client - // Currently we assume that only a single key share has been provided by the client. - - curve_info = mbedtls_ecp_curve_info_from_grp_id(ssl->handshake->ecdh_ctx.grp.id); - if (curve_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("No key share available with use with %s", suite_info->name)); - return(0); - } - - // We only support ECC-groups at the moment (and no DHE groups) -#endif - - *ciphersuite_info = suite_info; - return(0); -} -*/ - #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) /* This function creates a NewSessionTicket message in the following format. * The ticket inside the NewSessionTicket is an encrypted container carrying @@ -1598,195 +1582,205 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, * * The following fields are populated in the ticket: * - * - creation time (start) - * - flags (flags) - * - lifetime (ticket_lifetime) - * - age add (ticket_age_add) - * - key (key) - * - key length (key_len) - * - ciphersuite (ciphersuite) - * - certificate of the peer (peer_cert) + * - creation time ( start ) + * - flags ( flags ) + * - lifetime ( ticket_lifetime ) + * - age add ( ticket_age_add ) + * - key ( key ) + * - key length ( key_len ) + * - ciphersuite ( ciphersuite ) + * - certificate of the peer ( peer_cert ) * */ -static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) +static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) { - int ret; - size_t tlen; - size_t ext_len = 0; - mbedtls_ssl_ciphersuite_t *suite_info; - int hash_length; - mbedtls_ssl_ticket ticket; - mbedtls_ssl_ticket_context *ctx = ssl->conf->p_ticket; - - // Check whether the use of session tickets is enabled - if (ssl->conf->session_tickets == 0) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Use of tickets disabled.")); - return (0); - } + int ret; + size_t tlen; + size_t ext_len = 0; + mbedtls_ssl_ciphersuite_t *suite_info; + int hash_length; + mbedtls_ssl_ticket ticket; + mbedtls_ssl_ticket_context *ctx = ssl->conf->p_ticket; + + /* Check whether the use of session tickets is enabled */ + if( ssl->conf->session_tickets == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of tickets disabled." ) ); + return ( 0 ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) ); - // Do we have space for the fixed length part of the ticket - if (MBEDTLS_SSL_MAX_CONTENT_LEN < (16 + MBEDTLS_SSL_TICKET_NONCE_LENGTH) ) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_new_session_ticket: not enough space", ret); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - } + /* Do we have space for the fixed length part of the ticket */ + if( MBEDTLS_SSL_MAX_CONTENT_LEN < ( 16 + MBEDTLS_SSL_TICKET_NONCE_LENGTH ) ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_new_session_ticket: not enough space", ret ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, (unsigned char*) &ticket.ticket_age_add, 4)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "Generating the ticket_age_add failed", ret); - return(ret); - } + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ( unsigned char* ) &ticket.ticket_age_add, 4 )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "Generating the ticket_age_add failed", ret ); + return( ret ); + } - suite_info = (mbedtls_ssl_ciphersuite_t *) ssl->transform_negotiate->ciphersuite_info; - hash_length = mbedtls_hash_size_for_ciphersuite(suite_info); + suite_info = ( mbedtls_ssl_ciphersuite_t * ) ssl->transform_negotiate->ciphersuite_info; + hash_length = mbedtls_hash_size_for_ciphersuite( suite_info ); - if (hash_length == -1) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite == -1, ssl_write_new_session_ticket failed")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( hash_length == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite == -1, ssl_write_new_session_ticket failed" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } #if defined(MBEDTLS_HAVE_TIME) - // Store time when ticket was created. - ticket.start = time(NULL); + /* Store time when ticket was created. */ + ticket.start = time( NULL ); #endif /* MBEDTLS_HAVE_TIME */ - ticket.flags = ctx->flags; - ticket.ticket_lifetime = ctx->ticket_lifetime; - // In this code the psk key length equals the length of the hash - ticket.key_len = hash_length; - ticket.ciphersuite = ssl->transform_negotiate->ciphersuite_info->id; + ticket.flags = ctx->flags; + ticket.ticket_lifetime = ctx->ticket_lifetime; + /* In this code the psk key length equals the length of the hash */ + ticket.key_len = hash_length; + ticket.ciphersuite = ssl->transform_negotiate->ciphersuite_info->id; #if defined(MBEDTLS_X509_CRT_PARSE_C) - // Check whether the client provided a certificate during the exchange - if (ssl->session->peer_cert != NULL) - ticket.peer_cert = ssl->session->peer_cert; - else - ticket.peer_cert = NULL; + /* Check whether the client provided a certificate during the exchange */ + if( ssl->session->peer_cert != NULL ) + ticket.peer_cert = ssl->session->peer_cert; + else + ticket.peer_cert = NULL; #endif /* MBEDTLS_X509_CRT_PARSE_C */ - /* - * HKDF-Expand-Label(resumption_master_secret, - * "resumption", ticket_nonce, Hash.length) - */ + /* + * HKDF-Expand-Label( resumption_master_secret, + * "resumption", ticket_nonce, Hash.length ) + */ - /* Compute nonce (and write it already into the outgoing NewSessionTicket message */ - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, &ssl->out_msg[13], MBEDTLS_SSL_TICKET_NONCE_LENGTH)) != 0) - return(ret); + /* Compute nonce ( and write it already into the outgoing NewSessionTicket message */ + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, &ssl->out_msg[13], MBEDTLS_SSL_TICKET_NONCE_LENGTH )) != 0 ) + return( ret ); - MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret", ssl->session->resumption_master_secret, hash_length); - MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", &ssl->out_msg[13], MBEDTLS_SSL_TICKET_NONCE_LENGTH); + MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret", ssl->session->resumption_master_secret, hash_length ); + MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", &ssl->out_msg[13], MBEDTLS_SSL_TICKET_NONCE_LENGTH ); - ret = hkdfExpandLabel(suite_info->mac, ssl->session->resumption_master_secret, hash_length, (const unsigned char *)"resumption", strlen("resumption"), (const unsigned char *)&ssl->out_msg[13], MBEDTLS_SSL_TICKET_NONCE_LENGTH, hash_length, ticket.key, hash_length); + ret = hkdfExpandLabel( suite_info->mac, ssl->session->resumption_master_secret, hash_length, ( const unsigned char * )"resumption", strlen( "resumption" ), ( const unsigned char * )&ssl->out_msg[13], MBEDTLS_SSL_TICKET_NONCE_LENGTH, hash_length, ticket.key, hash_length ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(2, "Creating the ticket-resumed PSK failed", ret); - return (ret); - } - - MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK", ticket.key, ticket.key_len); - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket->key_len: %d", ticket.key_len)); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 2, "Creating the ticket-resumed PSK failed", ret ); + return ( ret ); + } - /* Ticket */ - if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, - &ticket, - &ssl->out_msg[15+ MBEDTLS_SSL_TICKET_NONCE_LENGTH], - ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, - &tlen, &ticket.ticket_lifetime, &ticket.flags)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ticket->mbedtls_ssl_ticket_write", ret); -// tlen = 0; - return (ret); - } + MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK", ticket.key, ticket.key_len ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->key_len: %d", ticket.key_len ) ); + + /* Ticket */ + if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, + &ticket, + &ssl->out_msg[15+ MBEDTLS_SSL_TICKET_NONCE_LENGTH], + ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, + &tlen, &ticket.ticket_lifetime, &ticket.flags )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ticket->mbedtls_ssl_ticket_write", ret ); +/* tlen = 0; */ + return ( ret ); + } - /* Ticket Lifetime */ - ssl->out_msg[4] = (ticket.ticket_lifetime >> 24) & 0xFF; - ssl->out_msg[5] = (ticket.ticket_lifetime >> 16) & 0xFF; - ssl->out_msg[6] = (ticket.ticket_lifetime >> 8) & 0xFF; - ssl->out_msg[7] = (ticket.ticket_lifetime) & 0xFF; + /* Ticket Lifetime */ + ssl->out_msg[4] = ( ticket.ticket_lifetime >> 24 ) & 0xFF; + ssl->out_msg[5] = ( ticket.ticket_lifetime >> 16 ) & 0xFF; + ssl->out_msg[6] = ( ticket.ticket_lifetime >> 8 ) & 0xFF; + ssl->out_msg[7] = ( ticket.ticket_lifetime ) & 0xFF; - MBEDTLS_SSL_DEBUG_MSG(3, ("ticket->ticket_lifetime: %d", ticket.ticket_lifetime)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket->ticket_lifetime: %d", ticket.ticket_lifetime ) ); - /* Ticket Age Add */ - ssl->out_msg[8] = (ticket.ticket_age_add >> 24) & 0xFF; - ssl->out_msg[9] = (ticket.ticket_age_add >> 16) & 0xFF; - ssl->out_msg[10] = (ticket.ticket_age_add >> 8) & 0xFF; - ssl->out_msg[11] = (ticket.ticket_age_add) & 0xFF; + /* Ticket Age Add */ + ssl->out_msg[8] = ( ticket.ticket_age_add >> 24 ) & 0xFF; + ssl->out_msg[9] = ( ticket.ticket_age_add >> 16 ) & 0xFF; + ssl->out_msg[10] = ( ticket.ticket_age_add >> 8 ) & 0xFF; + ssl->out_msg[11] = ( ticket.ticket_age_add ) & 0xFF; - MBEDTLS_SSL_DEBUG_BUF(3, "ticket->ticket_age_add:", (const unsigned char *)&ticket.ticket_age_add, 4); + MBEDTLS_SSL_DEBUG_BUF( 3, "ticket->ticket_age_add:", ( const unsigned char * )&ticket.ticket_age_add, 4 ); - /* Nonce Length */ - ssl->out_msg[12] = MBEDTLS_SSL_TICKET_NONCE_LENGTH; + /* Nonce Length */ + ssl->out_msg[12] = MBEDTLS_SSL_TICKET_NONCE_LENGTH; - MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket (nonce length): %d", MBEDTLS_SSL_TICKET_NONCE_LENGTH)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket ( nonce length ): %d", MBEDTLS_SSL_TICKET_NONCE_LENGTH ) ); - /* Ticket Length */ - ssl->out_msg[13+ MBEDTLS_SSL_TICKET_NONCE_LENGTH] = (unsigned char)((tlen >> 8) & 0xFF); - ssl->out_msg[14+ MBEDTLS_SSL_TICKET_NONCE_LENGTH] = (unsigned char)((tlen) & 0xFF); + /* Ticket Length */ + ssl->out_msg[13+ MBEDTLS_SSL_TICKET_NONCE_LENGTH] = ( unsigned char )( ( tlen >> 8 ) & 0xFF ); + ssl->out_msg[14+ MBEDTLS_SSL_TICKET_NONCE_LENGTH] = ( unsigned char )( ( tlen ) & 0xFF ); - // no extensions for now -> set length to zero - ssl->out_msg[15+ MBEDTLS_SSL_TICKET_NONCE_LENGTH +tlen] = (ext_len >> 8) & 0xFF; - ssl->out_msg[16+ MBEDTLS_SSL_TICKET_NONCE_LENGTH +tlen] = (ext_len) & 0xFF; + /* no extensions for now -> set length to zero */ + ssl->out_msg[15+ MBEDTLS_SSL_TICKET_NONCE_LENGTH +tlen] = ( ext_len >> 8 ) & 0xFF; + ssl->out_msg[16+ MBEDTLS_SSL_TICKET_NONCE_LENGTH +tlen] = ( ext_len ) & 0xFF; - ssl->out_msglen = 17+ MBEDTLS_SSL_TICKET_NONCE_LENGTH + tlen; + ssl->out_msglen = 17+ MBEDTLS_SSL_TICKET_NONCE_LENGTH + tlen; - MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket (extension_length): %d", ext_len)); -// MBEDTLS_SSL_DEBUG_BUF(3, "NewSessionTicket (extension):", extensions, ext_len); - MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket (ticket length): %d", tlen)); - MBEDTLS_SSL_DEBUG_BUF(3, "NewSessionTicket (ticket dump):", &ssl->out_msg[15 + MBEDTLS_SSL_TICKET_NONCE_LENGTH], tlen); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket ( extension_length ): %d", ext_len ) ); +/* MBEDTLS_SSL_DEBUG_BUF( 3, "NewSessionTicket ( extension ):", extensions, ext_len ); */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket ( ticket length ): %d", tlen ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "NewSessionTicket ( ticket dump ):", &ssl->out_msg[15 + MBEDTLS_SSL_TICKET_NONCE_LENGTH], tlen ); - if ((ret = mbedtls_ssl_write_record(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret); - return(ret); - } + if( ( ret = mbedtls_ssl_write_record( ssl )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); + return( ret ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); - return(0); + return( 0 ); } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ #if defined(MBEDTLS_ZERO_RTT) -/* ssl_parse_early_data() parses application data +/* ssl_parse_early_data( ) parses application data * provided by the client following the ClientHello msg. */ -static int ssl_parse_early_data(mbedtls_ssl_context *ssl) +static int ssl_parse_early_data( mbedtls_ssl_context *ssl ) { - int ret; + int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse early application data ")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse early application data " ) ); - if ((ret = mbedtls_ssl_read_record(ssl)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); - return(ret); - } + if( ( ret = mbedtls_ssl_read_record( ssl )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); + return( ret ); + } - // Check whether there is early data - if (ssl->in_msg != NULL && ssl->in_msglen > 0) { - // Check whether we have enough buffer space - if (ssl->in_msglen <= ssl->conf->early_data_len) { - // copy data to staging area - memcpy(ssl->conf->early_data_buf, ssl->in_msg, ssl->in_msglen); - // execute callback to process application data - ssl->conf->early_data_callback(ssl, (unsigned char *) ssl->conf->early_data_buf, ssl->in_msglen); - } - else { - MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer too small")); - return (MBEDTLS_ERR_SSL_ALLOC_FAILED); - } + /* Check whether there is early data */ + if( ssl->in_msg != NULL && ssl->in_msglen > 0 ) + { + /* Check whether we have enough buffer space */ + if( ssl->in_msglen <= ssl->conf->early_data_len ) + { + /* copy data to staging area */ + memcpy( ssl->conf->early_data_buf, ssl->in_msg, ssl->in_msglen ); + /* execute callback to process application data */ + ssl->conf->early_data_callback( ssl, ( unsigned char * ) ssl->conf->early_data_buf, ssl->in_msglen ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer too small" ) ); + return ( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } - } else { - MBEDTLS_SSL_DEBUG_MSG(1, ("No early data received!")); - return(MBEDTLS_ERR_SSL_BAD_EARLY_DATA); - } + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "No early data received!" ) ); + return( MBEDTLS_ERR_SSL_BAD_EARLY_DATA ); + } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse early application data")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse early application data" ) ); - return 0; + return 0; } #endif /* MBEDTLS_ZERO_RTT */ @@ -1800,1142 +1794,1176 @@ static int ssl_parse_early_data(mbedtls_ssl_context *ssl) /* -ssl_parse_client_hello() processes the first message provided -by the client. + ssl_parse_client_hello( ) processes the first message provided + by the client. -The function may return: + The function may return: -0: Successful processing of the ClientHello + 0: Successful processing of the ClientHello -MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO: Generic parsing failure -with the ClientHello + MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO: Generic parsing failure + with the ClientHello -MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE + MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE -MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN + MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN -MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE: A feature is not available -that prevents further processing. + MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE: A feature is not available + that prevents further processing. -MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION: Version negotiation -problem + MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION: Version negotiation + problem -MBEDTLS_ERR_SSL_INTERNAL_ERROR + MBEDTLS_ERR_SSL_INTERNAL_ERROR -Furthermore, there are various errors in parsing extensions: + Furthermore, there are various errors in parsing extensions: -MBEDTLS_ERR_SSL_BAD_HS_SERVERNAME_EXT -MBEDTLS_ERR_SSL_BAD_HS_PRE_SHARED_KEY_EXT -MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE -MBEDTLS_ERR_SSL_BAD_HS_MAX_FRAGMENT_LENGTH_EXT -MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS -MBEDTLS_ERR_SSL_BAD_HS_ALPN_EXT + MBEDTLS_ERR_SSL_BAD_HS_SERVERNAME_EXT + MBEDTLS_ERR_SSL_BAD_HS_PRE_SHARED_KEY_EXT + MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE + MBEDTLS_ERR_SSL_BAD_HS_MAX_FRAGMENT_LENGTH_EXT + MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS + MBEDTLS_ERR_SSL_BAD_HS_ALPN_EXT -MBEDTLS_ERR_SSL_BAD_HS_MISSING_COOKIE_EXT + MBEDTLS_ERR_SSL_BAD_HS_MISSING_COOKIE_EXT */ - /* - * Overview - */ +/* + * Overview + */ - /* Main entry point from the state machine; orchestrates the otherfunctions. */ -static int ssl_client_hello_process(mbedtls_ssl_context* ssl); -static int ssl_client_hello_fetch(mbedtls_ssl_context* ssl, - unsigned char** buf, - size_t* buflen); -static int ssl_client_hello_parse(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen); +/* Main entry point from the state machine; orchestrates the otherfunctions. */ +static int ssl_client_hello_process( mbedtls_ssl_context* ssl ); +static int ssl_client_hello_fetch( mbedtls_ssl_context* ssl, + unsigned char** buf, + size_t* buflen ); +static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen ); /* Update the handshake state machine */ /* TODO: At the moment, this doesn't update the state machine - why? */ -static int ssl_client_hello_postprocess(mbedtls_ssl_context* ssl, int ret); +static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl, int ret ); /* * Implementation */ -static int ssl_client_hello_process(mbedtls_ssl_context* ssl) +static int ssl_client_hello_process( mbedtls_ssl_context* ssl ) { - int ret; - unsigned char* buf = NULL; - size_t buflen = 0; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello")); + int ret; + unsigned char* buf = NULL; + size_t buflen = 0; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); - MBEDTLS_SSL_PROC_CHK(ssl_client_hello_fetch(ssl, &buf, &buflen)); + MBEDTLS_SSL_PROC_CHK( ssl_client_hello_fetch( ssl, &buf, &buflen ) ); - MBEDTLS_SSL_PROC_CHK(ssl_client_hello_parse(ssl, buf, buflen)); + MBEDTLS_SSL_PROC_CHK( ssl_client_hello_parse( ssl, buf, buflen ) ); - MBEDTLS_SSL_PROC_CHK(ssl_client_hello_postprocess(ssl, ret)); + MBEDTLS_SSL_PROC_CHK( ssl_client_hello_postprocess( ssl, ret ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_recv_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_recv_flight_completed( ssl ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello")); - return(ret); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); + return( ret ); } -static int ssl_client_hello_fetch(mbedtls_ssl_context* ssl, - unsigned char** dst, - size_t* dstlen) +static int ssl_client_hello_fetch( mbedtls_ssl_context* ssl, + unsigned char** dst, + size_t* dstlen ) { - int ret; - unsigned char* buf; - size_t msg_len; + int ret; + unsigned char* buf; + size_t msg_len; #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - read_record_header: +read_record_header: #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ - if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - buf = ssl->in_hdr; + buf = ssl->in_hdr; - MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_negotiate)); + MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_negotiate ) ); - /* - * TLS Client Hello - * - * Record layer: - * 0 . 0 message type - * 1 . 2 protocol version - * 3 . 11 DTLS: epoch + record sequence number - * 3 . 4 message length - */ - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d", buf[0])); - - if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) { + /* + * TLS Client Hello + * + * Record layer: + * 0 . 0 message type + * 1 . 2 protocol version + * 3 . 11 DTLS: epoch + record sequence number + * 3 . 4 message length + */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, message type: %d", buf[0] ) ); + + if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) + { #if defined(MBEDTLS_COMPATIBILITY_MODE) - if (buf[0] == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC) - { + if( buf[0] == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) + { - msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1]; + msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; - if (msg_len != 1) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad CCS message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC); - } + if( msg_len != 1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad CCS message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("CCS, message len.: %d", msg_len)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "CCS, message len.: %d", msg_len ) ); - if ((ret = mbedtls_ssl_fetch_input(ssl, mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN) + msg_len)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC); - } + if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN ) + msg_len )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); + } - if (ssl->in_msg[0] == 1) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Change Cipher Spec message received and ignoring it.")); + if( ssl->in_msg[0] == 1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Change Cipher Spec message received and ignoring it." ) ); - // Done reading this record, get ready for the next one + /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN); - } - else + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN ); + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - ssl->in_left = 0; - } - - return (MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC); - } - else - { - if ((ret = mbedtls_ssl_send_alert_message(ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE)) != 0) - { - return(ret); - } - return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); - } - } - else + { + ssl->in_left = 0; + } + + return ( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); + } + else + { + if( ( ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE )) != 0 ) + { + return( ret ); + } + return ( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } + } + else #endif /* MBEDTLS_COMPATIBILITY_MODE */ - { - MBEDTLS_SSL_DEBUG_MSG(1, ("Spurious message (maybe alert message)")); + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Spurious message ( maybe alert message )" ) ); - return(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); - } - } + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } + } - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d", - (ssl->in_len[0] << 8) | ssl->in_len[1])); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, message len.: %d", + ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); - /* For DTLS if this is the initial handshake, remember the client sequence - * number to use it in our next message (RFC 6347 4.2.1) */ + /* For DTLS if this is the initial handshake, remember the client sequence + * number to use it in our next message ( RFC 6347 4.2.1 ) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - /* Epoch should be 0 for initial handshakes */ - if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + /* Epoch should be 0 for initial handshakes */ + if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - memcpy(ssl->out_ctr + 2, ssl->in_ctr + 2, 6); + memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 ); #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - if (mbedtls_ssl_dtls_replay_check(ssl) != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding")); - ssl->next_record_offset = 0; - ssl->in_left = 0; - goto read_record_header; - } - - /* No MAC to check yet, so we can update right now */ - mbedtls_ssl_dtls_replay_update(ssl); + if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); + ssl->next_record_offset = 0; + ssl->in_left = 0; + goto read_record_header; + } + + /* No MAC to check yet, so we can update right now */ + mbedtls_ssl_dtls_replay_update( ssl ); #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ - } + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1]; + msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; - if (msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - if ((ret = mbedtls_ssl_fetch_input(ssl, mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in) + msg_len)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in ) + msg_len )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - /* Done reading this record, get ready for the next one */ + /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len(ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in); - } - else + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl, MBEDTLS_SSL_DIRECTION_IN, ssl->transform_in ); + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - ssl->in_left = 0; - } - buf = ssl->in_msg; + { + ssl->in_left = 0; + } + buf = ssl->in_msg; - MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len); + MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); - /* - * Handshake layer: - * 0 . 0 handshake type - * 1 . 3 handshake length - * 4 . 5 DTLS only: message seqence number - * 6 . 8 DTLS only: fragment offset - * 9 . 11 DTLS only: fragment length - */ - if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + /* + * Handshake layer: + * 0 . 0 handshake type + * 1 . 3 handshake length + * 4 . 5 DTLS only: message seqence number + * 6 . 8 DTLS only: fragment offset + * 9 . 11 DTLS only: fragment length + */ + if( msg_len < mbedtls_ssl_hs_hdr_len( ssl )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0])); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); - if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %d", - (buf[1] << 16) | (buf[2] << 8) | buf[3])); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", + ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); - /* We don't support fragmentation of ClientHello (yet?) */ - if (buf[1] != 0 || - msg_len != mbedtls_ssl_hs_hdr_len(ssl) + ((buf[2] << 8) | buf[3])) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + /* We don't support fragmentation of ClientHello ( yet? ) */ + if( buf[1] != 0 || + msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - /* - * Copy the client's handshake message_seq on initial handshakes, - * check sequence number on renego. - */ - { - - unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) | - ssl->in_msg[5]; - ssl->handshake->out_msg_seq = cli_msg_seq; - ssl->handshake->in_msg_seq = cli_msg_seq + 1; - } - - /* - * For now we don't support fragmentation, so make sure - * fragment_offset == 0 and fragment_length == length - */ - if (ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || - memcmp(ssl->in_msg + 1, ssl->in_msg + 9, 3) != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported")); - return(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); - } - } + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + /* + * Copy the client's handshake message_seq on initial handshakes, + * check sequence number on renego. + */ + { + + unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | + ssl->in_msg[5]; + ssl->handshake->out_msg_seq = cli_msg_seq; + ssl->handshake->in_msg_seq = cli_msg_seq + 1; + } + + /* + * For now we don't support fragmentation, so make sure + * fragment_offset == 0 and fragment_length == length + */ + if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || + memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - *dst = ssl->in_msg; - *dstlen = msg_len; - return 0; + *dst = ssl->in_msg; + *dstlen = msg_len; + return 0; } -static int ssl_client_hello_parse(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen) +static int ssl_client_hello_parse( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen ) { - int ret, final_ret = 0, got_common_suite; - size_t i, j; - size_t comp_len, sess_len; - size_t orig_msg_len, ciph_len, ext_len, ext_len_psk_ext = 0; - unsigned char *orig_buf, *end = buf + buflen; - unsigned char *ciph_offset; + int ret, final_ret = 0, got_common_suite; + size_t i, j; + size_t comp_len, sess_len; + size_t orig_msg_len, ciph_len, ext_len, ext_len_psk_ext = 0; + unsigned char *orig_buf, *end = buf + buflen; + unsigned char *ciph_offset; #if defined(MBEDTLS_SSL_COOKIE_C) && defined(MBEDTLS_SSL_PROTO_DTLS) - size_t cookie_offset, cookie_len; + size_t cookie_offset, cookie_len; #endif /* MBEDTLS_SSL_COOKIE_C && MBEDTLS_SSL_PROTO_DTLS */ - unsigned char* p, * ext, * ext_psk_ptr = NULL; + unsigned char* p, * ext, * ext_psk_ptr = NULL; #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; + mbedtls_sha256_context sha256; #endif /* MBEDTLS_SHA256_C */ #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; + mbedtls_sha512_context sha512; #endif /* MBEDTLS_SHA512_C */ - const int* ciphersuites; - const mbedtls_ssl_ciphersuite_t* ciphersuite_info; - - ssl->handshake->extensions_present = NO_EXTENSION; - ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_NONE; - - // TBD: Refactor - orig_buf = buf; - orig_msg_len = mbedtls_ssl_hs_hdr_len(ssl) + ((ssl->in_msg[2] << 8) | ssl->in_msg[3]); - - /* - * ClientHello layer: - * 0 . 1 protocol version - * 2 . 33 random bytes (starting with 4 bytes of Unix time) - * 34 . 35 session id length (1 byte) - * 35 . 34+x session id - * 35+x . 35+x DTLS only: cookie length (1 byte) - * 36+x . .. DTLS only: cookie - * .. . .. ciphersuite list length (2 bytes) - * .. . .. ciphersuite list - * .. . .. compression alg. list length (1 byte) - * .. . .. compression alg. list - * .. . .. extensions length (2 bytes, optional) - * .. . .. extensions (optional) - */ - - buf += mbedtls_ssl_hs_hdr_len(ssl); - buflen -= mbedtls_ssl_hs_hdr_len(ssl); - - /* TBD: Needs to be updated due to mandatory extensions - * Minimal length (with everything empty and extensions ommitted) is - * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can - * read at least up to session id length without worrying. - */ - if (buflen < 38) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - - /* - * We ignore the version field in the ClientHello. - * We use the version field in the extension. - */ + const int* ciphersuites; + const mbedtls_ssl_ciphersuite_t* ciphersuite_info; + + ssl->handshake->extensions_present = NO_EXTENSION; + ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_NONE; + + /* TBD: Refactor */ + orig_buf = buf; + orig_msg_len = mbedtls_ssl_hs_hdr_len( ssl ) + ( ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3] ); + + /* + * ClientHello layer: + * 0 . 1 protocol version + * 2 . 33 random bytes ( starting with 4 bytes of Unix time ) + * 34 . 35 session id length ( 1 byte ) + * 35 . 34+x session id + * 35+x . 35+x DTLS only: cookie length ( 1 byte ) + * 36+x . .. DTLS only: cookie + * .. . .. ciphersuite list length ( 2 bytes ) + * .. . .. ciphersuite list + * .. . .. compression alg. list length ( 1 byte ) + * .. . .. compression alg. list + * .. . .. extensions length ( 2 bytes, optional ) + * .. . .. extensions ( optional ) + */ + + buf += mbedtls_ssl_hs_hdr_len( ssl ); + buflen -= mbedtls_ssl_hs_hdr_len( ssl ); + + /* TBD: Needs to be updated due to mandatory extensions + * Minimal length ( with everything empty and extensions ommitted ) is + * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can + * read at least up to session id length without worrying. + */ + if( buflen < 38 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + /* + * We ignore the version field in the ClientHello. + * We use the version field in the extension. + */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) { - buf += 1; // skip version - } else + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + buf += 1; /* skip version */ + } + else #endif /* MBEDTLS_CTLS */ - { - buf += 2; // skip version - } + { + buf += 2; /* skip version */ + } - /* - * Save client random - */ + /* + * Save client random + */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) { - MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf, 16); + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf, 16 ); - memcpy(&ssl->handshake->randbytes[0], buf, 16); - buf += 16; // skip random bytes - } else + memcpy( &ssl->handshake->randbytes[0], buf, 16 ); + buf += 16; /* skip random bytes */ + } + else #endif /* MBEDTLS_CTLS */ - { - MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf, 32); + { + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf, 32 ); - memcpy(&ssl->handshake->randbytes[0], buf, 32); - buf += 32; // skip random bytes - } + memcpy( &ssl->handshake->randbytes[0], buf, 32 ); + buf += 32; /* skip random bytes */ + } #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - /* - * Parse session ID - */ - sess_len = buf[0]; - buf++; // skip session id length - - if (sess_len > 32) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - - ssl->session_negotiate->id_len = sess_len; - - /* Note that this field is echoed even if - * the client�s value corresponded to a cached pre-TLS 1.3 session - * which the server has chosen not to resume. A client which - * receives a legacy_session_id_echo field that does not match what - * it sent in the ClientHello MUST abort the handshake with an - * "illegal_parameter" alert. - */ - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, session id length (%d)", sess_len)); - MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf, sess_len); - - memcpy(&ssl->session_negotiate->id[0], buf, sess_len); // write session id - buf += sess_len; - } + { + /* + * Parse session ID + */ + sess_len = buf[0]; + buf++; /* skip session id length */ + + if( sess_len > 32 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + ssl->session_negotiate->id_len = sess_len; + + /* Note that this field is echoed even if + * the client�s value corresponded to a cached pre-TLS 1.3 session + * which the server has chosen not to resume. A client which + * receives a legacy_session_id_echo field that does not match what + * it sent in the ClientHello MUST abort the handshake with an + * "illegal_parameter" alert. + */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id length ( %d )", sess_len ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf, sess_len ); + + memcpy( &ssl->session_negotiate->id[0], buf, sess_len ); /* write session id */ + buf += sess_len; + } - /* - * Check the cookie length and content - */ + /* + * Check the cookie length and content + */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - cookie_len = buf[0]; + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + cookie_len = buf[0]; - // Length check - if (buf + cookie_len > msg_end) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + /* Length check */ + if( buf + cookie_len > msg_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - buf++; // skip cookie length + buf++; /* skip cookie length */ - MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", - buf, cookie_len); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", + buf, cookie_len ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - if (ssl->conf->f_cookie_check != NULL - ) - { - if (ssl->conf->f_cookie_check(ssl->conf->p_cookie, - buf, cookie_len, - ssl->cli_id, ssl->cli_id_len) != 0) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed")); - ssl->handshake->verify_cookie_len = 1; - } - else - { - MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed")); - ssl->handshake->verify_cookie_len = 0; - } - } - else + if( ssl->conf->f_cookie_check != NULL + ) + { + if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, + buf, cookie_len, + ssl->cli_id, ssl->cli_id_len ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); + ssl->handshake->verify_cookie_len = 1; + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); + ssl->handshake->verify_cookie_len = 0; + } + } + else #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ - { - /* We know we didn't send a cookie, so it should be empty */ - if (cookie_len != 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - - MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped")); - } - - // skip cookie length - buf += cookie_len; - } + { + /* We know we didn't send a cookie, so it should be empty */ + if( cookie_len != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); + } + + /* skip cookie length */ + buf += cookie_len; + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ciph_len = (buf[0] << 8) | (buf[1]); + ciph_len = ( buf[0] << 8 ) | ( buf[1] ); - // Length check - if (buf + ciph_len > end) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + /* Length check */ + if( buf + ciph_len > end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - // store pointer to ciphersuite list - ciph_offset = buf; + /* store pointer to ciphersuite list */ + ciph_offset = buf; - // skip cipher length - buf += 2; + /* skip cipher length */ + buf += 2; - MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist", - buf, ciph_len); + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", + buf, ciph_len ); - // skip ciphersuites for now - buf += ciph_len; + /* skip ciphersuites for now */ + buf += ciph_len; #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ - { - /* - * For TLS 1.3 we are not using compression. - */ - comp_len = buf[0]; - - if (buf + comp_len > end) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - - buf++; // skip compression length - MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression", - buf, comp_len); - - // Determine whether we are indeed using null compression - if ((comp_len != 1) && (buf[1] == 0)) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - - // skip compression - buf++; - } - - /* - * Check the extension length - */ - if (buf+2>end) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - - ext_len = (buf[0] << 8) | (buf[1]); - - if ((ext_len > 0 && ext_len < 4) || - buf + 2 + ext_len > end) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } + { + /* + * For TLS 1.3 we are not using compression. + */ + comp_len = buf[0]; + + if( buf + comp_len > end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + buf++; /* skip compression length */ + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", + buf, comp_len ); + + /* Determine whether we are indeed using null compression */ + if( ( comp_len != 1 ) && ( buf[1] == 0 )) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + /* skip compression */ + buf++; + } - buf += 2; + /* + * Check the extension length + */ + if( buf+2 > end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - ext = buf; - MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len); + ext_len = ( buf[0] << 8 ) | ( buf[1] ); - while (ext_len != 0) - { - unsigned int ext_id = ((ext[0] << 8) - | (ext[1])); - unsigned int ext_size = ((ext[2] << 8) - | (ext[3])); + if( ( ext_len > 0 && ext_len < 4 ) || + buf + 2 + ext_len > end ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } - if (ext_size + 4 > ext_len) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - switch (ext_id) - { + buf += 2; + + ext = buf; + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); + + while ( ext_len != 0 ) + { + unsigned int ext_id = ( ( ext[0] << 8 ) + | ( ext[1] ) ); + unsigned int ext_size = ( ( ext[2] << 8 ) + | ( ext[3] ) ); + + if( ext_size + 4 > ext_len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + switch ( ext_id ) + { #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - case MBEDTLS_TLS_EXT_SERVERNAME: - MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension")); - ret = ssl_parse_servername_ext(ssl, ext + 4, ext_size); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_servername_ext", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_SERVERNAME_EXT); - } - ssl->handshake->extensions_present += SERVERNAME_EXTENSION; - break; + case MBEDTLS_TLS_EXT_SERVERNAME: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); + ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_servername_ext", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_SERVERNAME_EXT ); + } + ssl->handshake->extensions_present += SERVERNAME_EXTENSION; + break; #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_CID) - case MBEDTLS_TLS_EXT_CID: - MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); - if (ssl->conf->cid == MBEDTLS_CID_CONF_DISABLED) - break; - - ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size); - if (ret != 0) - { - final_ret = MBEDTLS_ERR_SSL_BAD_HS_CID_EXT; - } - else if (ret == 0) // cid extension present and processed succesfully - { - ssl->handshake->extensions_present += CID_EXTENSION; - } - break; + case MBEDTLS_TLS_EXT_CID: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) ); + if( ssl->conf->cid == MBEDTLS_CID_CONF_DISABLED ) + break; + + ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + { + final_ret = MBEDTLS_ERR_SSL_BAD_HS_CID_EXT; + } + else if( ret == 0 ) /* cid extension present and processed succesfully */ + { + ssl->handshake->extensions_present += CID_EXTENSION; + } + break; #endif /* MBEDTLS_CID */ #if defined(MBEDTLS_SSL_COOKIE_C) - case MBEDTLS_TLS_EXT_COOKIE: - MBEDTLS_SSL_DEBUG_MSG(3, ("found cookie extension")); - - ret = ssl_parse_cookie_ext(ssl, ext + 4, ext_size); - - // if cookie verification failed then we return a hello retry message - if (ret == MBEDTLS_ERR_SSL_BAD_HS_COOKIE_EXT) - { - final_ret = MBEDTLS_ERR_SSL_BAD_HS_COOKIE_EXT; - } - else if (ret == 0) // cookie extension present and processed succesfully - { - ssl->handshake->extensions_present += COOKIE_EXTENSION; - } - break; + case MBEDTLS_TLS_EXT_COOKIE: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found cookie extension" ) ); + + ret = ssl_parse_cookie_ext( ssl, ext + 4, ext_size ); + + /* if cookie verification failed then we return a hello retry message */ + if( ret == MBEDTLS_ERR_SSL_BAD_HS_COOKIE_EXT ) + { + final_ret = MBEDTLS_ERR_SSL_BAD_HS_COOKIE_EXT; + } + else if( ret == 0 ) /* cookie extension present and processed succesfully */ + { + ssl->handshake->extensions_present += COOKIE_EXTENSION; + } + break; #endif /* MBEDTLS_SSL_COOKIE_C */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: - MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension")); - /* Delay processing of the PSK identity once we have - * found out which algorithms to use. We keep a pointer - * to the buffer and the size for later processing. - */ - ext_len_psk_ext = ext_size; - ext_psk_ptr = ext + 4; - - ssl->handshake->extensions_present += PRE_SHARED_KEY_EXTENSION; - break; + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); + /* Delay processing of the PSK identity once we have + * found out which algorithms to use. We keep a pointer + * to the buffer and the size for later processing. + */ + ext_len_psk_ext = ext_size; + ext_psk_ptr = ext + 4; + + ssl->handshake->extensions_present += PRE_SHARED_KEY_EXTENSION; + break; #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ #if defined(MBEDTLS_ZERO_RTT) - case MBEDTLS_TLS_EXT_EARLY_DATA: - MBEDTLS_SSL_DEBUG_MSG(3, ("found early_data extension")); - - /* There is nothing really to process with this extension. - - ret = ssl_parse_early_data_ext(ssl, ext + 4, ext_size); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_supported_groups_ext", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS); - } - */ - ssl->handshake->extensions_present += EARLY_DATA_EXTENSION; - break; + case MBEDTLS_TLS_EXT_EARLY_DATA: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found early_data extension" ) ); + + /* There is nothing really to process with this extension. + + ret = ssl_parse_early_data_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_supported_groups_ext", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS ); + } + */ + ssl->handshake->extensions_present += EARLY_DATA_EXTENSION; + break; #endif /* MBEDTLS_ZERO_RTT */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) - case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: - MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension")); - - /* Supported Groups Extension - * - * When sent by the client, the "supported_groups" extension - * indicates the named groups which the client supports, - * ordered from most preferred to least preferred. - */ - ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_supported_groups_ext", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS); - } - - ssl->handshake->extensions_present += SUPPORTED_GROUPS_EXTENSION; - break; + case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) ); + + /* Supported Groups Extension + * + * When sent by the client, the "supported_groups" extension + * indicates the named groups which the client supports, + * ordered from most preferred to least preferred. + */ + ret = ssl_parse_supported_groups_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_supported_groups_ext", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_GROUPS ); + } + + ssl->handshake->extensions_present += SUPPORTED_GROUPS_EXTENSION; + break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: - MBEDTLS_SSL_DEBUG_MSG(3, ("found psk key exchange modes extension")); + case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) ); - ret = ssl_parse_key_exchange_modes_ext(ssl, ext + 4, ext_size); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_key_exchange_modes_ext", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_PSK_KEY_EXCHANGE_MODES_EXT); - } + ret = ssl_parse_key_exchange_modes_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_key_exchange_modes_ext", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_PSK_KEY_EXCHANGE_MODES_EXT ); + } - ssl->handshake->extensions_present += PSK_KEY_EXCHANGE_MODES_EXTENSION; - break; + ssl->handshake->extensions_present += PSK_KEY_EXCHANGE_MODES_EXTENSION; + break; #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) - case MBEDTLS_TLS_EXT_KEY_SHARES: - MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension")); - - /* - * Key Share Extension - * - * When sent by the client, the "key_share" extension - * contains the endpoint's cryptographic parameters for - * ECDHE/DHE key establishment methods. - */ - ret = ssl_parse_key_shares_ext(ssl, ext + 4, ext_size); - if (ret == MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE) { - // We parsed the extension incorrectly - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_key_shares_ext", ret); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE); - break; - } - else if (ret == MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE) { - /* We need to send a HelloRetryRequest message - * but we still have to determine the ciphersuite. - * Note: We got the key share - we just didn't like - * the content of it. - */ - final_ret = MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE; - ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; - break; - } - ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; - break; +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) + case MBEDTLS_TLS_EXT_KEY_SHARES: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) ); + + /* + * Key Share Extension + * + * When sent by the client, the "key_share" extension + * contains the endpoint's cryptographic parameters for + * ECDHE/DHE key establishment methods. + */ + ret = ssl_parse_key_shares_ext( ssl, ext + 4, ext_size ); + if( ret == MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE ) + { + /* We parsed the extension incorrectly */ + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_key_shares_ext", ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE ); + break; + } + else if( ret == MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE ) + { + /* We need to send a HelloRetryRequest message + * but we still have to determine the ciphersuite. + * Note: We got the key share - we just didn't like + * the content of it. + */ + final_ret = MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE; + ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; + break; + } + ssl->handshake->extensions_present += KEY_SHARE_EXTENSION; + break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: - MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension")); - - ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_max_fragment_length_ext"), ret); - return(MBEDTLS_ERR_SSL_BAD_HS_MAX_FRAGMENT_LENGTH_EXT); - } - ssl->handshake->extensions_present += MAX_FRAGMENT_LENGTH_EXTENSION; - break; + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); + + ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_max_fragment_length_ext" ), ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_MAX_FRAGMENT_LENGTH_EXT ); + } + ssl->handshake->extensions_present += MAX_FRAGMENT_LENGTH_EXTENSION; + break; #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ - case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: - MBEDTLS_SSL_DEBUG_MSG(3, ("found supported versions extension")); + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) ); - ret = ssl_parse_supported_versions_ext(ssl, ext + 4, ext_size); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_supported_versions_ext"), ret); - return(MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_VERSIONS_EXT); - } - ssl->handshake->extensions_present += SUPPORTED_VERSION_EXTENSION; - break; + ret = ssl_parse_supported_versions_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_supported_versions_ext" ), ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_SUPPORTED_VERSIONS_EXT ); + } + ssl->handshake->extensions_present += SUPPORTED_VERSION_EXTENSION; + break; #if defined(MBEDTLS_SSL_ALPN) - case MBEDTLS_TLS_EXT_ALPN: - MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); - - ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_alpn_ext"), ret); - return(MBEDTLS_ERR_SSL_BAD_HS_ALPN_EXT); - } - ssl->handshake->extensions_present += ALPN_EXTENSION; - break; + case MBEDTLS_TLS_EXT_ALPN: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); + + ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_alpn_ext" ), ret ); + return( MBEDTLS_ERR_SSL_BAD_HS_ALPN_EXT ); + } + ssl->handshake->extensions_present += ALPN_EXTENSION; + break; #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) - case MBEDTLS_TLS_EXT_SIG_ALG: - MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); - - ret = ssl_parse_signature_algorithms_ext(ssl, ext + 4, ext_size); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("ssl_parse_supported_signature_algorithms_server_ext (%d)", ret)); - return(ret); - } - ssl->handshake->extensions_present += SIGNATURE_ALGORITHM_EXTENSION; - break; + case MBEDTLS_TLS_EXT_SIG_ALG: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); + + ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )", ret ) ); + return( ret ); + } + ssl->handshake->extensions_present += SIGNATURE_ALGORITHM_EXTENSION; + break; #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ - default: - MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %d (ignoring)", ext_id)); - } + default: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d ( ignoring )", ext_id ) ); + } - ext_len -= 4 + ext_size; - ext += 4 + ext_size; + ext_len -= 4 + ext_size; + ext += 4 + ext_size; - if (ext_len > 0 && ext_len < 4) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); - return(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO); - } - } + if( ext_len > 0 && ext_len < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + } - /* - * Search for a matching ciphersuite - */ - got_common_suite = 0; - ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; - ciphersuite_info = NULL; + /* + * Search for a matching ciphersuite + */ + got_common_suite = 0; + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; + ciphersuite_info = NULL; #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) - for (j = 0, p = ciph_offset + 2; j < ciph_len; j += 2, p += 2) - { - for (i = 0; ciphersuites[i] != 0; i++) + for ( j = 0, p = ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) + { + for ( i = 0; ciphersuites[i] != 0; i++ ) #else - for (i = 0; ciphersuites[i] != 0; i++) - { - for (j = 0, p = ciph_offset + 2; j < ciph_len; j += 2, p += 2) + for ( i = 0; ciphersuites[i] != 0; i++ ) + { + for ( j = 0, p = ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) #endif /* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE */ { - if (p[0] != ((ciphersuites[i] >> 8) & 0xFF) || - p[1] != ((ciphersuites[i]) & 0xFF)) - continue; + if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || + p[1] != ( ( ciphersuites[i] ) & 0xFF )) + continue; - got_common_suite = 1; - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]); + got_common_suite = 1; + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); - if (ciphersuite_info == NULL) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_ciphersuite_from_id: should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( ciphersuite_info == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_ciphersuite_from_id: should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - goto have_ciphersuite; - /* - if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], - &ciphersuite_info ) ) != 0 ) - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + goto have_ciphersuite; + /* + if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], + &ciphersuite_info ) ) != 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - if( ciphersuite_info != NULL ) - goto have_ciphersuite; - */ + if( ciphersuite_info != NULL ) + goto have_ciphersuite; + */ } - } + } - if (got_common_suite) + if( got_common_suite ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, but none of them usable")); - //mbedtls_ssl_send_fatal_handshake_failure( ssl ); - return(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, but none of them usable" ) ); + /*mbedtls_ssl_send_fatal_handshake_failure( ssl ); */ + return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); } else { - MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common")); - //mbedtls_ssl_send_fatal_handshake_failure( ssl ); - return(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); + /*mbedtls_ssl_send_fatal_handshake_failure( ssl ); */ + return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); } -have_ciphersuite: + have_ciphersuite: - MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name)); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); ssl->session_negotiate->ciphersuite = ciphersuites[i]; ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; - // List all the extensions we have received + /* List all the extensions we have received */ - MBEDTLS_SSL_DEBUG_MSG(3, ("Supported Extensions:")); - MBEDTLS_SSL_DEBUG_MSG(3, ("- KEY_SHARE_EXTENSION (%s)", ((ssl->handshake->extensions_present & KEY_SHARE_EXTENSION) > 0 ) ? "TRUE" : "FALSE")); - MBEDTLS_SSL_DEBUG_MSG(3, ("- PSK_KEY_EXCHANGE_MODES_EXTENSION (%s)", ((ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION) > 0) ? "TRUE" : "FALSE")); - MBEDTLS_SSL_DEBUG_MSG(3, ("- PRE_SHARED_KEY_EXTENSION (%s)", ((ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION) > 0) ? "TRUE" : "FALSE")); - MBEDTLS_SSL_DEBUG_MSG(3, ("- SIGNATURE_ALGORITHM_EXTENSION (%s)", ((ssl->handshake->extensions_present & SIGNATURE_ALGORITHM_EXTENSION) >0) ? "TRUE" : "FALSE")); - MBEDTLS_SSL_DEBUG_MSG(3, ("- SUPPORTED_GROUPS_EXTENSION (%s)", ((ssl->handshake->extensions_present & SUPPORTED_GROUPS_EXTENSION) >0) ? "TRUE" : "FALSE" )); - MBEDTLS_SSL_DEBUG_MSG(3, ("- SUPPORTED_VERSION_EXTENSION (%s)", ((ssl->handshake->extensions_present & SUPPORTED_VERSION_EXTENSION) > 0) ? "TRUE" : "FALSE")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- KEY_SHARE_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & KEY_SHARE_EXTENSION ) > 0 ) ? "TRUE" : "FALSE" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION ) > 0 ) ? "TRUE" : "FALSE" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- PRE_SHARED_KEY_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION ) > 0 ) ? "TRUE" : "FALSE" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & SIGNATURE_ALGORITHM_EXTENSION ) >0 ) ? "TRUE" : "FALSE" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- SUPPORTED_GROUPS_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & SUPPORTED_GROUPS_EXTENSION ) >0 ) ? "TRUE" : "FALSE" ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- SUPPORTED_VERSION_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & SUPPORTED_VERSION_EXTENSION ) > 0 ) ? "TRUE" : "FALSE" ) ); #if defined(MBEDTLS_CID) - MBEDTLS_SSL_DEBUG_MSG(3, ("- CID_EXTENSION (%s)", ((ssl->handshake->extensions_present & CID_EXTENSION) > 0) ? "TRUE" : "FALSE")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- CID_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & CID_EXTENSION ) > 0 ) ? "TRUE" : "FALSE" ) ); #endif /* MBEDTLS_CID */ -#if defined (MBEDTLS_SSL_SERVER_NAME_INDICATION) - MBEDTLS_SSL_DEBUG_MSG(3, ("- SERVERNAME_EXTENSION (%s)", ((ssl->handshake->extensions_present & SERVERNAME_EXTENSION) > 0) ? "TRUE" : "FALSE")); +#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- SERVERNAME_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & SERVERNAME_EXTENSION ) > 0 ) ? "TRUE" : "FALSE" ) ); #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined (MBEDTLS_SSL_ALPN) - MBEDTLS_SSL_DEBUG_MSG(3, ("- ALPN_EXTENSION (%s)", ((ssl->handshake->extensions_present & ALPN_EXTENSION) > 0) ? "TRUE" : "FALSE")); +#if defined ( MBEDTLS_SSL_ALPN ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- ALPN_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & ALPN_EXTENSION ) > 0 ) ? "TRUE" : "FALSE" ) ); #endif /* MBEDTLS_SSL_ALPN */ -#if defined (MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - MBEDTLS_SSL_DEBUG_MSG(3, ("- MAX_FRAGMENT_LENGTH_EXTENSION (%s)", ((ssl->handshake->extensions_present & MAX_FRAGMENT_LENGTH_EXTENSION) > 0) ? "TRUE" : "FALSE")); +#if defined ( MBEDTLS_SSL_MAX_FRAGMENT_LENGTH ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- MAX_FRAGMENT_LENGTH_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & MAX_FRAGMENT_LENGTH_EXTENSION ) > 0 ) ? "TRUE" : "FALSE" ) ); #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ -#if defined (MBEDTLS_SSL_COOKIE_C) - MBEDTLS_SSL_DEBUG_MSG(3, ("- COOKIE_EXTENSION (%s)", ((ssl->handshake->extensions_present & COOKIE_EXTENSION) >0) ? "TRUE" : "FALSE")); +#if defined ( MBEDTLS_SSL_COOKIE_C ) + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- COOKIE_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & COOKIE_EXTENSION ) >0 ) ? "TRUE" : "FALSE" ) ); #endif /* MBEDTLS_SSL_COOKIE_C */ #if defined(MBEDTLS_ZERO_RTT) - MBEDTLS_SSL_DEBUG_MSG(3, ("- EARLY_DATA_EXTENSION (%s)", ((ssl->handshake->extensions_present & EARLY_DATA_EXTENSION) >0) ? "TRUE" : "FALSE")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "- EARLY_DATA_EXTENSION ( %s )", ( ( ssl->handshake->extensions_present & EARLY_DATA_EXTENSION ) >0 ) ? "TRUE" : "FALSE" ) ); #endif /* MBEDTLS_ZERO_RTT*/ /* Determine key exchange algorithm to use. There are three types of key exchanges -* supported in TLS 1.3, namely (EC)DH with ECDSA, (EC)DH with PSK, and plain PSK. -* Additionally, we need to consider the ZeroRTT exchange as well. -*/ + * supported in TLS 1.3, namely ( EC )DH with ECDSA, ( EC )DH with PSK, and plain PSK. + * Additionally, we need to consider the ZeroRTT exchange as well. + */ #if defined(MBEDTLS_ZERO_RTT) /* - * 0) Zero-RTT Exchange / Early Data - * It requires early_data extension, at least key_exchange_modes and the pre_shared_key extension - * It may additionally provide key share, and supported_groups - */ - if (ssl->handshake->extensions_present & EARLY_DATA_EXTENSION) { - - // Pure PSK mode - if ((ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED) && - (ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION) && - (ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION)) { - // Test whether we are allowed to use this mode (server-side check) - if ((ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE) || - (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL) || - (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL)) { - // Test whether we are allowed to use this mode (client-side check) - if ((ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE) || - (ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL)) { - - if ((ret = ssl_parse_client_psk_identity_ext(ssl, ext_psk_ptr, ext_len_psk_ext)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); - return(ret); - } - MBEDTLS_SSL_DEBUG_MSG(3, ("Using a PSK key exchange")); - ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_PSK; - ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; - goto end_client_hello; - } - } - } - // ECDHE-PSK mode - if ((ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED) && - (ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION) && - (ssl->handshake->extensions_present & KEY_SHARE_EXTENSION) && - (ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION)) { - // Test whether we are allowed to use this mode (server-side check) - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { - // Test whether we are allowed to use this mode (client-side check) - if (ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL) { - - if ((ret = ssl_parse_client_psk_identity_ext(ssl, ext_psk_ptr, ext_len_psk_ext)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); - return(ret); - } - - MBEDTLS_SSL_DEBUG_MSG(3, ("Using a ECDHE-PSK key exchange")); - ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_PSK; - ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; - goto end_client_hello; - } - } - } + * 0 ) Zero-RTT Exchange / Early Data + * It requires early_data extension, at least key_exchange_modes and the pre_shared_key extension + * It may additionally provide key share, and supported_groups + */ + if( ssl->handshake->extensions_present & EARLY_DATA_EXTENSION ) + { + + /* Pure PSK mode */ + if( ( ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED ) && + ( ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION ) && + ( ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION )) { + /* Test whether we are allowed to use this mode ( server-side check ) */ + if( ( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE ) || + ( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL ) || + ( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL )) { + /* Test whether we are allowed to use this mode ( client-side check ) */ + if( ( ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE ) || + ( ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL )) { + + if( ( ret = ssl_parse_client_psk_identity_ext( ssl, ext_psk_ptr, ext_len_psk_ext )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); + return( ret ); + } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using a PSK key exchange" ) ); + ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_PSK; + ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; + goto end_client_hello; + } + } + } + /* ECDHE-PSK mode */ + if( ( ssl->conf->early_data == MBEDTLS_SSL_EARLY_DATA_ENABLED ) && + ( ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION ) && + ( ssl->handshake->extensions_present & KEY_SHARE_EXTENSION ) && + ( ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION )) { + /* Test whether we are allowed to use this mode ( server-side check ) */ + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) + { + /* Test whether we are allowed to use this mode ( client-side check ) */ + if( ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL ) + { + + if( ( ret = ssl_parse_client_psk_identity_ext( ssl, ext_psk_ptr, ext_len_psk_ext )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using a ECDHE-PSK key exchange" ) ); + ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_PSK; + ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON; + goto end_client_hello; + } + } + } } #endif /* MBEDTLS_ZERO_RTT*/ /* The order of preference is - * 1) Plain PSK Mode - * 2) (EC)DHE-PSK Mode - * 3) Certificate Mode + * 1 ) Plain PSK Mode + * 2 ) ( EC )DHE-PSK Mode + * 3 ) Certificate Mode * * Currently, the preference order is hard-coded - not configurable. */ /* - * 1) Plain PSK-based key exchange - * Requires key_exchange_modes and the pre_shared_key extension - * - */ - if ((ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION) && (ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION)) { - // Test whether we are allowed to use this mode (server-side check) - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { - // Test whether we are allowed to use this mode (client-side check) - if (ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE || ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL) { - - if ((ret = ssl_parse_client_psk_identity_ext(ssl, ext_psk_ptr, ext_len_psk_ext)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); - return(ret); - } - MBEDTLS_SSL_DEBUG_MSG(3, ("Using a PSK key exchange")); - ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_PSK; - goto end_client_hello; - } - } + * 1 ) Plain PSK-based key exchange + * Requires key_exchange_modes and the pre_shared_key extension + * + */ + if( ( ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION ) && ( ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION ) ) + { + /* Test whether we are allowed to use this mode ( server-side check ) */ + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) + { + /* Test whether we are allowed to use this mode ( client-side check ) */ + if( ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_KE || ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL ) + { + + if( ( ret = ssl_parse_client_psk_identity_ext( ssl, ext_psk_ptr, ext_len_psk_ext ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); + return( ret ); + } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using a PSK key exchange" ) ); + ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_PSK; + goto end_client_hello; + } + } } /* - * 2) (EC)DHE-PSK-based key exchange - * Requires key share, supported_groups, key_exchange_modes and the pre_shared_key extension - * - */ - if ((ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION) && (ssl->handshake->extensions_present & KEY_SHARE_EXTENSION) && (ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION)) { - // Test whether we are allowed to use this mode (server-side check) - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { - // Test whether we are allowed to use this mode (client-side check) - if (ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL) { - - if ((ret = ssl_parse_client_psk_identity_ext(ssl, ext_psk_ptr, ext_len_psk_ext)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); - return(ret); - } - - MBEDTLS_SSL_DEBUG_MSG(3, ("Using a ECDHE-PSK key exchange")); - ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_PSK; - goto end_client_hello; - } - } + * 2 ) ( EC )DHE-PSK-based key exchange + * Requires key share, supported_groups, key_exchange_modes and the pre_shared_key extension + * + */ + if( ( ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION ) && ( ssl->handshake->extensions_present & KEY_SHARE_EXTENSION ) && ( ssl->handshake->extensions_present & PSK_KEY_EXCHANGE_MODES_EXTENSION ) ) + { + /* Test whether we are allowed to use this mode ( server-side check ) */ + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) + { + /* Test whether we are allowed to use this mode ( client-side check ) */ + if( ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_DHE_KE || ssl->session_negotiate->key_exchange_modes == KEY_EXCHANGE_MODE_PSK_ALL ) + { + + if( ( ret = ssl_parse_client_psk_identity_ext( ssl, ext_psk_ptr, ext_len_psk_ext )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using a ECDHE-PSK key exchange" ) ); + ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_PSK; + goto end_client_hello; + } + } } /* - * 3) Certificate-based key exchange - * It requires supported_groups, supported_signature extensions, and key share - * - */ - if ((ssl->handshake->extensions_present & SUPPORTED_GROUPS_EXTENSION) && (ssl->handshake->extensions_present & SIGNATURE_ALGORITHM_EXTENSION) && (ssl->handshake->extensions_present & KEY_SHARE_EXTENSION)) + * 3 ) Certificate-based key exchange + * It requires supported_groups, supported_signature extensions, and key share + * + */ + if( ( ssl->handshake->extensions_present & SUPPORTED_GROUPS_EXTENSION ) && ( ssl->handshake->extensions_present & SIGNATURE_ALGORITHM_EXTENSION ) && ( ssl->handshake->extensions_present & KEY_SHARE_EXTENSION )) { - // Test whether we are allowed to use this mode (server-side check) - if (ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL) { - MBEDTLS_SSL_DEBUG_MSG(3, ("Using a ECDSA-ECDHE key exchange")); - ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA; - goto end_client_hello; - } + /* Test whether we are allowed to use this mode ( server-side check ) */ + if( ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ECDHE_ECDSA || ssl->conf->key_exchange_modes == KEY_EXCHANGE_MODE_ALL ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Using a ECDSA-ECDHE key exchange" ) ); + ssl->session_negotiate->key_exchange = MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA; + goto end_client_hello; + } } /* If we previously determined that an HRR is needed then - * we will send it now. - */ - if (final_ret == MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE) - return(MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE); + * we will send it now. + */ + if( final_ret == MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE ) + return( MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE ); -// if (ssl->session_negotiate->key_exchange == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello message misses mandatory extensions.")); - return(MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT); -// } +/* if( ssl->session_negotiate->key_exchange == 0 ) { */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello message misses mandatory extensions." ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT ); +/* } */ -end_client_hello: + end_client_hello: #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_recv_flight_completed(ssl); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_recv_flight_completed( ssl ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_COOKIE_C) - /* If we failed to see a cookie extension, and we required it through the - * configuration settings (rr_config), then we need to send a HRR msg. - * Conceptually, this is similiar to having received a cookie that failed - * the verification check. - */ - if ((ssl->conf->rr_config == MBEDTLS_SSL_FORCE_RR_CHECK_ON) && - !(ssl->handshake->extensions_present & COOKIE_EXTENSION)) { - MBEDTLS_SSL_DEBUG_MSG(2, ("Cookie extension missing. Need to send a HRR.")); - final_ret = MBEDTLS_ERR_SSL_BAD_HS_MISSING_COOKIE_EXT; + /* If we failed to see a cookie extension, and we required it through the + * configuration settings ( rr_config ), then we need to send a HRR msg. + * Conceptually, this is similiar to having received a cookie that failed + * the verification check. + */ + if( ( ssl->conf->rr_config == MBEDTLS_SSL_FORCE_RR_CHECK_ON ) && + !( ssl->handshake->extensions_present & COOKIE_EXTENSION )) { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "Cookie extension missing. Need to send a HRR." ) ); + final_ret = MBEDTLS_ERR_SSL_BAD_HS_MISSING_COOKIE_EXT; } #endif /* MBEDTLS_SSL_COOKIE_C */ - if (final_ret == MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE || final_ret == MBEDTLS_ERR_SSL_BAD_HS_MISSING_COOKIE_EXT) { - // create stateless transcript hash for HRR + if( final_ret == MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE || final_ret == MBEDTLS_ERR_SSL_BAD_HS_MISSING_COOKIE_EXT ) + { + /* create stateless transcript hash for HRR */ - unsigned char transcript[MBEDTLS_MD_MAX_SIZE + 4]; // used to store the ClientHello1 msg - int hash_length; + unsigned char transcript[MBEDTLS_MD_MAX_SIZE + 4]; /* used to store the ClientHello1 msg */ + int hash_length; - MBEDTLS_SSL_DEBUG_MSG(5, ("--- Checksum (ssl_parse_client_hello, stateless transcript hash for HRR)")); + MBEDTLS_SSL_DEBUG_MSG( 5, ( "--- Checksum ( ssl_parse_client_hello, stateless transcript hash for HRR )" ) ); - /* - * Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN) = - * Hash(message_hash || // Handshake Type - * 00 00 Hash.length || // Handshake message length - * Hash(ClientHello1) || // Hash of ClientHello1 - * HelloRetryRequest ... MN) - * - */ - transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH; - transcript[1] = 0; - transcript[2] = 0; + /* + * Transcript-Hash( ClientHello1, HelloRetryRequest, ... MN ) = + * Hash( message_hash || + * 00 00 Hash.length || + * Hash( ClientHello1 ) || + * HelloRetryRequest ... MN ) + * + */ + transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH; + transcript[1] = 0; + transcript[2] = 0; - hash_length = mbedtls_hash_size_for_ciphersuite(ssl->transform_negotiate->ciphersuite_info); + hash_length = mbedtls_hash_size_for_ciphersuite( ssl->transform_negotiate->ciphersuite_info ); - if (hash_length == -1) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_size_for_ciphersuite == -1")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } + if( hash_length == -1 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_hash_size_for_ciphersuite == -1" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } - transcript[3] = (uint8_t)hash_length; + transcript[3] = ( uint8_t )hash_length; - if (ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA256) { + if( ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA256 ) + { #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_init(&sha256); - mbedtls_sha256_starts(&sha256, 0 /* = use SHA256 */); - mbedtls_sha256_update(&sha256, orig_buf, orig_msg_len); // hash ClientHello message - mbedtls_sha256_finish(&sha256, &transcript[4]); - MBEDTLS_SSL_DEBUG_BUF(5, "Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN)", &transcript[0], 32+4); + mbedtls_sha256_init( &sha256 ); + mbedtls_sha256_starts( &sha256, 0 /* = use SHA256 */ ); + mbedtls_sha256_update( &sha256, orig_buf, orig_msg_len ); /* hash ClientHello message */ + mbedtls_sha256_finish( &sha256, &transcript[4] ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Transcript-Hash( ClientHello1, HelloRetryRequest, ... MN )", &transcript[0], 32+4 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA256_C */ - } - else if (ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { + } + else if( ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 1 /* = use SHA384 */); - mbedtls_sha512_update(&sha512, orig_buf, orig_msg_len); // hash ClientHello message - mbedtls_sha512_finish(&sha512, &transcript[4]); - MBEDTLS_SSL_DEBUG_BUF(5, "Transcript-Hash(ClientHello1, HelloRetryRequest, ... MN)", &transcript[0], 48+4); + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 1 /* = use SHA384 */ ); + mbedtls_sha512_update( &sha512, orig_buf, orig_msg_len ); /* hash ClientHello message */ + mbedtls_sha512_finish( &sha512, &transcript[4] ); + MBEDTLS_SSL_DEBUG_BUF( 5, "Transcript-Hash( ClientHello1, HelloRetryRequest, ... MN )", &transcript[0], 48+4 ); #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA512_C */ - } - else if (ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA512) { + } + else if( ssl->transform_negotiate->ciphersuite_info->mac == MBEDTLS_MD_SHA512 ) + { #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_init(&sha512); - mbedtls_sha512_starts(&sha512, 0 /* = use SHA512 */); - mbedtls_sha512_update(&sha512, orig_buf, orig_msg_len); // hash ClientHello message - mbedtls_sha512_finish(&sha512, &transcript[4]); - MBEDTLS_SSL_DEBUG_BUF(5, "ClientHello hash", &transcript[4], 64); - } - else { + mbedtls_sha512_init( &sha512 ); + mbedtls_sha512_starts( &sha512, 0 /* = use SHA512 */ ); + mbedtls_sha512_update( &sha512, orig_buf, orig_msg_len ); /* hash ClientHello message */ + mbedtls_sha512_finish( &sha512, &transcript[4] ); + MBEDTLS_SSL_DEBUG_BUF( 5, "ClientHello hash", &transcript[4], 64 ); + } + else { #else - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_ssl_derive_master_secret: Unknow hash function.")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_derive_master_secret: Unknow hash function." ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #endif /* MBEDTLS_SHA512_C*/ - } - ssl->handshake->update_checksum(ssl, &transcript[0], hash_length + 4); + } + ssl->handshake->update_checksum( ssl, &transcript[0], hash_length + 4 ); } else { - // create normal transcript hash - MBEDTLS_SSL_DEBUG_MSG(5, ("--- Checksum (ssl_parse_client_hello, normal transcript hash)")); - ssl->handshake->update_checksum(ssl, orig_buf, orig_msg_len); + /* create normal transcript hash */ + MBEDTLS_SSL_DEBUG_MSG( 5, ( "--- Checksum ( ssl_parse_client_hello, normal transcript hash )" ) ); + ssl->handshake->update_checksum( ssl, orig_buf, orig_msg_len ); } - mbedtls_ssl_optimize_checksum(ssl, ssl->transform_negotiate->ciphersuite_info); + mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); - return(final_ret); -} + return( final_ret ); + } -static int ssl_client_hello_postprocess(mbedtls_ssl_context* ssl, int ret) { + static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl, int ret ) { ((void) ssl); ((void) ret); - return (0); -} + return ( 0 ); + } #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, - unsigned char *buf, - size_t *olen) -{ + static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + size_t *olen ) + { unsigned char *p = buf; - if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) + if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { - *olen = 0; - return; + *olen = 0; + return; } - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH) & 0xFF); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); *p++ = 0x00; *p++ = 1; @@ -2943,45 +2971,45 @@ static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, *p++ = ssl->session_negotiate->mfl_code; *olen = 5; -} + } #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ -#if defined(MBEDTLS_SSL_ALPN ) -static void ssl_write_alpn_ext(mbedtls_ssl_context *ssl, - unsigned char *buf, size_t *olen) -{ - if (ssl->alpn_chosen == NULL) +#if defined(MBEDTLS_SSL_ALPN) + static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, size_t *olen ) + { + if( ssl->alpn_chosen == NULL ) { - *olen = 0; - return; + *olen = 0; + return; } - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding alpn extension")); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); /* - * 0 . 1 ext identifier - * 2 . 3 ext length - * 4 . 5 protocol list length - * 6 . 6 protocol name length - * 7 . 7+n protocol name - */ - buf[0] = (unsigned char)((MBEDTLS_TLS_EXT_ALPN >> 8) & 0xFF); - buf[1] = (unsigned char)((MBEDTLS_TLS_EXT_ALPN) & 0xFF); + * 0 . 1 ext identifier + * 2 . 3 ext length + * 4 . 5 protocol list length + * 6 . 6 protocol name length + * 7 . 7+n protocol name + */ + buf[0] = ( unsigned char )( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); + buf[1] = ( unsigned char )( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); - *olen = 7 + strlen(ssl->alpn_chosen); + *olen = 7 + strlen( ssl->alpn_chosen ); - buf[2] = (unsigned char)(((*olen - 4) >> 8) & 0xFF); - buf[3] = (unsigned char)((*olen - 4) & 0xFF); + buf[2] = ( unsigned char )( ( ( *olen - 4 ) >> 8 ) & 0xFF ); + buf[3] = ( unsigned char )( ( *olen - 4 ) & 0xFF ); - buf[4] = (unsigned char)(((*olen - 6) >> 8) & 0xFF); - buf[5] = (unsigned char)((*olen - 6) & 0xFF); + buf[4] = ( unsigned char )( ( ( *olen - 6 ) >> 8 ) & 0xFF ); + buf[5] = ( unsigned char )( ( *olen - 6 ) & 0xFF ); - buf[6] = (unsigned char)((*olen - 7) & 0xFF); + buf[6] = ( unsigned char )( ( *olen - 7 ) & 0xFF ); - memcpy(buf + 7, ssl->alpn_chosen, *olen - 7); -} + memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); + } #endif /* MBEDTLS_SSL_ALPN */ @@ -2995,47 +3023,47 @@ static void ssl_write_alpn_ext(mbedtls_ssl_context *ssl, * the cryptographic context. */ - /* - * Overview - */ + /* + * Overview + */ - /* Main entry point; orchestrates the other functions */ -static int ssl_encrypted_extensions_process(mbedtls_ssl_context* ssl); + /* Main entry point; orchestrates the other functions */ + static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ); -static int ssl_encrypted_extensions_prepare(mbedtls_ssl_context* ssl); -static int ssl_encrypted_extensions_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen); -static int ssl_encrypted_extensions_postprocess(mbedtls_ssl_context* ssl); + static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ); + static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ); + static int ssl_encrypted_extensions_postprocess( mbedtls_ssl_context* ssl ); -static int ssl_encrypted_extensions_process(mbedtls_ssl_context* ssl) -{ + static int ssl_encrypted_extensions_process( mbedtls_ssl_context* ssl ) + { int ret; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extension")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write encrypted extension" ) ); /* Make sure we can write a new message. */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_flush_output(ssl)); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); - MBEDTLS_SSL_PROC_CHK(ssl_encrypted_extensions_prepare(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_prepare( ssl ) ); - MBEDTLS_SSL_PROC_CHK(ssl_encrypted_extensions_write(ssl, ssl->out_msg, - MBEDTLS_SSL_MAX_CONTENT_LEN, - &ssl->out_msglen)); + MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_write( ssl, ssl->out_msg, + MBEDTLS_SSL_MAX_CONTENT_LEN, + &ssl->out_msglen ) ); ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_ENCRYPTED_EXTENSION; - MBEDTLS_SSL_DEBUG_BUF(3, "EncryptedExtensions", ssl->out_msg, ssl->out_msglen); + MBEDTLS_SSL_DEBUG_BUF( 3, "EncryptedExtensions", ssl->out_msg, ssl->out_msglen ); /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_encrypted_extensions_postprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_encrypted_extensions_postprocess( ssl ) ); /* Dispatch message */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl)); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl ) ); /* NOTE: For the new messaging layer, the postprocessing step * might come after the dispatching step if the latter @@ -3046,113 +3074,115 @@ static int ssl_encrypted_extensions_process(mbedtls_ssl_context* ssl) * to be updated in order to not enter * this function again on retry. */ -cleanup: + cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extension")); - return(ret); -} + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write encrypted extension" ) ); + return( ret ); + } -static int ssl_encrypted_extensions_prepare(mbedtls_ssl_context* ssl) -{ + static int ssl_encrypted_extensions_prepare( mbedtls_ssl_context* ssl ) + { int ret; KeySet traffic_keys; - ret = mbedtls_ssl_key_derivation(ssl, &traffic_keys); + ret = mbedtls_ssl_key_derivation( ssl, &traffic_keys ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_key_derivation", ret); - return (ret); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_key_derivation", ret ); + return ( ret ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - /* Remember current sequence number / epoch settings for resending */ - ssl->handshake->alt_transform_out = ssl->transform_out; - memcpy(ssl->handshake->alt_out_ctr, ssl->out_ctr, 8); + /* Remember current sequence number / epoch settings for resending */ + ssl->handshake->alt_transform_out = ssl->transform_out; + memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 ); } #endif ssl->transform_out = ssl->transform_negotiate; ssl->session_out = ssl->session_negotiate; - ret = mbedtls_set_traffic_key(ssl, &traffic_keys, ssl->transform_negotiate, 0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); + ret = mbedtls_set_traffic_key( ssl, &traffic_keys, ssl->transform_negotiate, 0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); } /* - * Set the out_msg pointer to the correct location based on IV length - */ + * Set the out_msg pointer to the correct location based on IV length + */ ssl->out_msg = ssl->out_iv; /* - * Switch to our negotiated transform and session parameters for outbound - * data. - */ - MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data")); + * Switch to our negotiated transform and session parameters for outbound + * data. + */ + MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - /* Remember current sequence number / epoch settings for resending */ - //ssl->handshake->alt_transform_out = ssl->transform_out; - //memcpy(ssl->handshake->alt_out_ctr, ssl->out_ctr, 8); + /* Remember current sequence number / epoch settings for resending */ + /*ssl->handshake->alt_transform_out = ssl->transform_out; */ + /*memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 ); */ - /* Set sequence_number of record layer to zero */ - memset(ssl->out_ctr + 2, 0, 6); + /* Set sequence_number of record layer to zero */ + memset( ssl->out_ctr + 2, 0, 6 ); - /* - unsigned char i; + /* + unsigned char i; - // Increment epoch - for (i = 2; i > 0; i--) - if (++ssl->out_ctr[i - 1] != 0) - break; + /* Increment epoch */ + for ( i = 2; i > 0; i-- ) + if( ++ssl->out_ctr[i - 1] != 0 ) + break; - // The loop goes to its end iff the counter is wrapping - if (i == 0) - { - MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap")); - return(MBEDTLS_ERR_SSL_COUNTER_WRAPPING); - } - */ + /* The loop goes to its end iff the counter is wrapping */ + if( i == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); + return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); + } + */ } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - memset(ssl->out_ctr, 0, 8); + memset( ssl->out_ctr, 0, 8 ); /* Set sequence number used at the handshake header to zero */ - memset(ssl->transform_out->sequence_number_enc, 0x0, 12); + memset( ssl->transform_out->sequence_number_enc, 0x0, 12 ); #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) - if (mbedtls_ssl_hw_record_activate != NULL) + if( mbedtls_ssl_hw_record_activate != NULL ) { - if ((ret = mbedtls_ssl_hw_record_activate(ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_hw_record_activate", ret); - return(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); - } + if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } } #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value (2) is used for messages protected + /* epoch value ( 2 ) is used for messages protected * using keys derived from the handshake_traffic_secret. - */ + */ ssl->in_epoch = 2; ssl->out_epoch = 2; #endif /* MBEDTLS_SSL_PROTO_DTLS */ return 0; -} + } -static int ssl_encrypted_extensions_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen) -{ + static int ssl_encrypted_extensions_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ) + { int ret; size_t n; unsigned char *p, *end; @@ -3162,86 +3192,93 @@ static int ssl_encrypted_extensions_write(mbedtls_ssl_context* ssl, end = buf + buflen; - if (buflen < (4)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); + if( buflen < ( 4 ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } - // Skip HS header + /* Skip HS header */ p = buf + 4; /* - * struct { - * Extension extensions<0..2 ^ 16 - 1>; - * } EncryptedExtensions; - * - */ + * struct { + * Extension extensions<0..2 ^ 16 - 1>; + * } EncryptedExtensions; + * + */ - // Skip extension length; first write extensions, then update length + /* Skip extension length; first write extensions, then update length */ p += 2; #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->extensions_present & SERVERNAME_EXTENSION) { - ret=ssl_write_sni_server_ext(ssl, p, end-p, &n); - if (ret != 0) return(ret); + if( ssl->handshake->extensions_present & SERVERNAME_EXTENSION ) + { + ret=ssl_write_sni_server_ext( ssl, p, end - p, &n ); + if( ret != 0 ) + return( ret ); - p += n; + p += n; } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_SSL_ALPN) - if (ssl->handshake->extensions_present & ALPN_EXTENSION) { - ret=ssl_write_alpn_ext(ssl, p, end-p, &n); - - p += n; + if( ssl->handshake->extensions_present & ALPN_EXTENSION ) + { + ret = ssl_write_alpn_ext( ssl, p, end - p, &n ); + p += n; } #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - if (ssl->handshake->extensions_present & MAX_FRAGMENT_LENGTH_EXTENSION) { - ret=ssl_write_max_fragment_length_ext(ssl, p, end-p, &n); - if (ret != 0) return(ret); + if( ssl->handshake->extensions_present & MAX_FRAGMENT_LENGTH_EXTENSION ) + { + ret=ssl_write_max_fragment_length_ext( ssl, p, end - p, &n ); + if( ret != 0 ) + return( ret ); - p += n; + p += n; } #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_ZERO_RTT) - if (ssl->handshake->extensions_present & EARLY_DATA_EXTENSION) { - ret=ssl_write_early_data_ext(ssl, p, end-p, &n); - if (ret != 0) return(ret); + if( ssl->handshake->extensions_present & EARLY_DATA_EXTENSION ) + { + ret = ssl_write_early_data_ext( ssl, p, end - p, &n ); + if( ret != 0 ) + return( ret ); - p += n; + p += n; } #endif /* MBEDTLS_ZERO_RTT */ *olen = p - buf; - *(buf + 4 ) = (unsigned char)(((*olen - 4 - 2 ) >> 8) & 0xFF); - *(buf + 5) = (unsigned char)((*olen - 4 - 2) & 0xFF); + *( buf + 4 ) = ( unsigned char )( ( ( *olen - 4 - 2 ) >> 8 ) & 0xFF ); + *( buf + 5 ) = ( unsigned char )( ( *olen - 4 - 2 ) & 0xFF ); - return(0); -} + return( 0 ); + } -static int ssl_encrypted_extensions_postprocess(mbedtls_ssl_context* ssl) -{ - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); + static int ssl_encrypted_extensions_postprocess( mbedtls_ssl_context* ssl ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); return 0; -} + } -/* ssl_write_hello_retry_request() to transmit a HelloRetryRequest message -* -* Servers send this message in response to a ClientHello message when -* the server was able to find an acceptable set of algorithms and groups -* that are mutually supported, but the client�s KeyShare did not contain -* an acceptable offer. -* -* We also send this message with DTLS 1.3 to perform a return-routability -* check (and we include a cookie). -*/ -static int ssl_write_hello_retry_request(mbedtls_ssl_context *ssl) -{ +/* ssl_write_hello_retry_request( ) to transmit a HelloRetryRequest message + * + * Servers send this message in response to a ClientHello message when + * the server was able to find an acceptable set of algorithms and groups + * that are mutually supported, but the client�s KeyShare did not contain + * an acceptable offer. + * + * We also send this message with DTLS 1.3 to perform a return-routability + * check ( and we include a cookie ). + */ + static int ssl_write_hello_retry_request( mbedtls_ssl_context *ssl ) + { int ret; unsigned char *p = ssl->out_msg + 4; unsigned char *ext_len_byte; @@ -3253,125 +3290,126 @@ static int ssl_write_hello_retry_request(mbedtls_ssl_context *ssl) const mbedtls_ecp_group_id *gid; const mbedtls_ecp_curve_info **curve = NULL; #endif /* MBEDTLS_ECDH_C */ - //const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + /*const mbedtls_ssl_ciphersuite_t *ciphersuite_info; */ - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) ); /* - * struct { - * ProtocolVersion legacy_version = 0x0303; - * Random random (with magic value); - * opaque legacy_session_id_echo<0..32>; - * CipherSuite cipher_suite; - * uint8 legacy_compression_method = 0; - * Extension extensions<0..2^16-1>; - * } ServerHello; --- aka HelloRetryRequest - */ + * struct { + * ProtocolVersion legacy_version = 0x0303; + * Random random ( with magic value ); + * opaque legacy_session_id_echo<0..32>; + * CipherSuite cipher_suite; + * uint8 legacy_compression_method = 0; + * Extension extensions<0..2^16-1>; + * } ServerHello; --- aka HelloRetryRequest + */ /* For TLS 1.3 we use the legacy version number {0x03, 0x03} - * instead of the true version number. - * - * For DTLS 1.3 we use the legacy version number - * {254,253}. - * - * In cTLS the version number is elided. - */ + * instead of the true version number. + * + * For DTLS 1.3 we use the legacy version number + * {254,253}. + * + * In cTLS the version number is elided. + */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - { - *p++ = 0xfe; // 254 - *p++ = 0xfd; // 253 - MBEDTLS_SSL_DEBUG_BUF(3, "server version", p - 2, 2); - } - else + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + *p++ = 0xfe; /* 254 */ + *p++ = 0xfd; /* 253 */ + MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p - 2, 2 ); + } + else #else - { - *p++ = 0x03; - *p++ = 0x03; - MBEDTLS_SSL_DEBUG_BUF(3, "server version", p - 2, 2); - } + { + *p++ = 0x03; + *p++ = 0x03; + MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p - 2, 2 ); + } #endif /* MBEDTLS_SSL_PROTO_DTLS */ } - if (ssl->transform_negotiate == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("ssl_write_hello_retry_request: ssl->transform_negotiate == NULL")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + if( ssl->transform_negotiate == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "ssl_write_hello_retry_request: ssl->transform_negotiate == NULL" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - //ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; + /*ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; */ - // write magic string (as a replacement for the random value) - memcpy(p, &magic_hrr_string[0], 32); - MBEDTLS_SSL_DEBUG_BUF(3, "random bytes", p, 32); + /* write magic string ( as a replacement for the random value ) */ + memcpy( p, &magic_hrr_string[0], 32 ); + MBEDTLS_SSL_DEBUG_BUF( 3, "random bytes", p, 32 ); p += 32; - // write legacy_session_id_echo - *p++ = (unsigned char) ssl->session_negotiate->id_len; - memcpy(p, &ssl->session_negotiate->id[0], ssl->session_negotiate->id_len); - MBEDTLS_SSL_DEBUG_BUF(3, "session id", p, ssl->session_negotiate->id_len); + /* write legacy_session_id_echo */ + *p++ = ( unsigned char ) ssl->session_negotiate->id_len; + memcpy( p, &ssl->session_negotiate->id[0], ssl->session_negotiate->id_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "session id", p, ssl->session_negotiate->id_len ); p += ssl->session_negotiate->id_len; - // write ciphersuite (2 bytes) - *p++ = (unsigned char)(ssl->session_negotiate->ciphersuite >> 8); - *p++ = (unsigned char)(ssl->session_negotiate->ciphersuite); - MBEDTLS_SSL_DEBUG_BUF(3, "ciphersuite", p-2, 2); + /* write ciphersuite ( 2 bytes ) */ + *p++ = ( unsigned char )( ssl->session_negotiate->ciphersuite >> 8 ); + *p++ = ( unsigned char )( ssl->session_negotiate->ciphersuite ); + MBEDTLS_SSL_DEBUG_BUF( 3, "ciphersuite", p-2, 2 ); - // write legacy_compression_method (0) + /* write legacy_compression_method ( 0 ) */ *p++ = 0x0; - MBEDTLS_SSL_DEBUG_MSG(3, ("legacy compression method: [%d]", *(p-1))); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "legacy compression method: [%d]", *( p-1 )) ); - // write extensions + /* write extensions */ extension_start = p; - // Extension starts with a 2 byte length field; we skip it and write it later + /* Extension starts with a 2 byte length field; we skip it and write it later */ p += 2; #if defined(MBEDTLS_SSL_COOKIE_C) /* Cookie Extension - * - * struct { - * opaque cookie<0..2^16-1>; - * } Cookie; - * - */ + * + * struct { + * opaque cookie<0..2^16-1>; + * } Cookie; + * + */ - // Write extension header - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_COOKIE >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_COOKIE) & 0xFF); + /* Write extension header */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_COOKIE >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_COOKIE ) & 0xFF ); /* Write total extension length - * (Skip it for now till we know the length) - */ + * ( Skip it for now till we know the length ) + */ ext_len_byte = p; p = p + 2; /* If we get here, f_cookie_check is not null */ - if (ssl->conf->f_cookie_write == NULL) + if( ssl->conf->f_cookie_write == NULL ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie, - &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, - ssl->cli_id, ssl->cli_id_len)) != 0) + if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, + &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, + ssl->cli_id, ssl->cli_id_len )) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); + return( ret ); } - ext_length = (p - (ext_len_byte + 2)); + ext_length = ( p - ( ext_len_byte + 2 ) ); - MBEDTLS_SSL_DEBUG_BUF(3, "Cookie", ext_len_byte + 2, ext_length); + MBEDTLS_SSL_DEBUG_BUF( 3, "Cookie", ext_len_byte + 2, ext_length ); - // Write length - *ext_len_byte++ = (unsigned char)((ext_length >> 8) & 0xFF); - *ext_len_byte = (unsigned char)(ext_length & 0xFF); + /* Write length */ + *ext_len_byte++ = ( unsigned char )( ( ext_length >> 8 ) & 0xFF ); + *ext_len_byte = ( unsigned char )( ext_length & 0xFF ); total_ext_len += ext_length + 4 /* 2 bytes for extension_type and 2 bytes for length field */; #endif /* MBEDTLS_SSL_COOKIE_C */ @@ -3379,79 +3417,81 @@ static int ssl_write_hello_retry_request(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_ECDH_C) /* key_share Extension - * - * struct { - * select (Handshake.msg_type) { - * case client_hello: - * KeyShareEntry client_shares<0..2^16-1>; - * - * case hello_retry_request: - * NamedGroup selected_group; - * - * case server_hello: - * KeyShareEntry server_share; - * }; - * } KeyShare; - * - */ + * + * struct { + * select ( Handshake.msg_type ) { + * case client_hello: + * KeyShareEntry client_shares<0..2^16-1>; + * + * case hello_retry_request: + * NamedGroup selected_group; + * + * case server_hello: + * KeyShareEntry server_share; + * }; + * } KeyShare; + * + */ /* For a pure PSK-based ciphersuite there is no key share to declare. * Hence, we focus on ECDHE-EDSA and ECDHE-PSK. */ - if (ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { + if( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + { - // Write extension header - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_KEY_SHARES >> 8) & 0xFF); - *p++ = (unsigned char)((MBEDTLS_TLS_EXT_KEY_SHARES) & 0xFF); + /* Write extension header */ + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_KEY_SHARES >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( MBEDTLS_TLS_EXT_KEY_SHARES ) & 0xFF ); - ext_len_byte = p; + ext_len_byte = p; - // Write length - *p++ = 0; - *p++ = 2; - ext_length = 2; + /* Write length */ + *p++ = 0; + *p++ = 2; + ext_length = 2; - for (gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++) { - for (curve = ssl->handshake->curves; *curve != NULL; curve++) { - if ((*curve)->grp_id == *gid) - goto curve_matching_done; - } - } + for ( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) { + for ( curve = ssl->handshake->curves; *curve != NULL; curve++ ) { + if( ( *curve )->grp_id == *gid ) + goto curve_matching_done; + } + } curve_matching_done: - if (curve == NULL || *curve == NULL) { - // This case should not happen - MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found")); - return(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN); - } + if( curve == NULL || *curve == NULL ) + { + /* This case should not happen */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching named group found" ) ); + return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); + } - // Write selected group - *p++ = (*curve)->tls_id >> 8; - *p++ = (*curve)->tls_id & 0xFF; + /* Write selected group */ + *p++ = ( *curve )->tls_id >> 8; + *p++ = ( *curve )->tls_id & 0xFF; - MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup in HRR: %s", (*curve)->name)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "NamedGroup in HRR: %s", ( *curve )->name ) ); } total_ext_len += ext_length + 4 /* 2 bytes for extension_type and 2 bytes for length field */; #endif /* MBEDTLS_ECDH_C */ - *extension_start++ = (unsigned char)((total_ext_len >> 8) & 0xFF); - *extension_start++ = (unsigned char)((total_ext_len) & 0xFF); + *extension_start++ = ( unsigned char )( ( total_ext_len >> 8 ) & 0xFF ); + *extension_start++ = ( unsigned char )( ( total_ext_len ) & 0xFF ); ssl->out_msglen = p - ssl->out_msg; ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; - if ((ret = mbedtls_ssl_write_record(ssl)) != 0) + if( ( ret = mbedtls_ssl_write_record( ssl )) != 0 ) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_record", ret); - return(ret); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); + return( ret ); } - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) ); - return(0); -} + return( 0 ); + } /* * @@ -3459,55 +3499,55 @@ static int ssl_write_hello_retry_request(mbedtls_ssl_context *ssl) * */ - /* - * Overview - */ + /* + * Overview + */ - /* Main entry point; orchestrates the other functions */ -static int ssl_server_hello_process(mbedtls_ssl_context* ssl); + /* Main entry point; orchestrates the other functions */ + static int ssl_server_hello_process( mbedtls_ssl_context* ssl ); /* ServerHello handling sub-routines */ -static int ssl_server_hello_prepare(mbedtls_ssl_context* ssl); -static int ssl_server_hello_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen); -static int ssl_server_hello_postprocess(mbedtls_ssl_context* ssl); + static int ssl_server_hello_prepare( mbedtls_ssl_context* ssl ); + static int ssl_server_hello_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ); + static int ssl_server_hello_postprocess( mbedtls_ssl_context* ssl ); -static int ssl_server_hello_process(mbedtls_ssl_context* ssl) { + static int ssl_server_hello_process( mbedtls_ssl_context* ssl ) { int ret = 0; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); /* Coordination */ /* Preprocessing */ - /* This might lead to ssl_process_server_hello() being called multiple - * times. The implementation of ssl_process_server_hello_preprocess() + /* This might lead to ssl_process_server_hello( ) being called multiple + * times. The implementation of ssl_process_server_hello_preprocess( ) * must either be safe to be called multiple times, or we need to add - * state to omit this call once we're calling ssl_process_server_hello() + * state to omit this call once we're calling ssl_process_server_hello( ) * multiple times. */ - MBEDTLS_SSL_PROC_CHK(ssl_server_hello_prepare(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_server_hello_prepare( ssl ) ); /* Writing */ /* Make sure we can write a new message. */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_flush_output(ssl)); - MBEDTLS_SSL_PROC_CHK(ssl_server_hello_write(ssl, ssl->out_msg, MBEDTLS_SSL_MAX_CONTENT_LEN, &ssl->out_msglen)); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); + MBEDTLS_SSL_PROC_CHK( ssl_server_hello_write( ssl, ssl->out_msg, MBEDTLS_SSL_MAX_CONTENT_LEN, &ssl->out_msglen ) ); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; /* Postprocess */ - MBEDTLS_SSL_PROC_CHK(ssl_server_hello_postprocess(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_server_hello_postprocess( ssl ) ); /* Dispatch */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl)); + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl ) ); /* NOTE: For the new messaging layer, the postprocessing step * might come after the dispatching step if the latter @@ -3518,44 +3558,45 @@ static int ssl_server_hello_process(mbedtls_ssl_context* ssl) { * to be updated in order to not enter * this function again on retry. */ -cleanup: + cleanup: - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); - return(ret); -} + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); + return( ret ); + } /* IMPORTANT: This function can currently be called multiple times - * in case the call to mbedtls_ssl_flush_output() that - * follows it in ssl_process_server_hello() fails. + * in case the call to mbedtls_ssl_flush_output( ) that + * follows it in ssl_process_server_hello( ) fails. * * Make sure that the preparations in this function * can safely be repeated multiple times, or add logic - * to ssl_process_server_hello() to never call it twice. + * to ssl_process_server_hello( ) to never call it twice. */ -static int ssl_server_hello_prepare(mbedtls_ssl_context* ssl) -{ + static int ssl_server_hello_prepare( mbedtls_ssl_context* ssl ) + { int ret; #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) { + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->handshake->randbytes + 16, 16)) != 0) - return(ret); + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->handshake->randbytes + 16, 16 )) != 0 ) + return( ret ); - MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", ssl->handshake->randbytes + 16, 16); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", ssl->handshake->randbytes + 16, 16 ); } else #endif /* MBEDTLS_CTLS */ { - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->handshake->randbytes + 32, 32)) != 0) - return(ret); + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->handshake->randbytes + 32, 32 )) != 0 ) + return( ret ); - MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", ssl->handshake->randbytes + 32, 32); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", ssl->handshake->randbytes + 32, 32 ); } #if defined(MBEDTLS_HAVE_TIME) - ssl->session_negotiate->start = time(NULL); + ssl->session_negotiate->start = time( NULL ); #endif /* MBEDTLS_HAVE_TIME */ @@ -3563,16 +3604,16 @@ static int ssl_server_hello_prepare(mbedtls_ssl_context* ssl) * */ - return(0); -} + return( 0 ); + } -static int ssl_server_hello_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen) -{ + static int ssl_server_hello_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ) + { int ret=0; - // Extensions + /* Extensions */ /* extension_start * Used during extension writing where the @@ -3585,114 +3626,117 @@ static int ssl_server_hello_write(mbedtls_ssl_context* ssl, size_t total_ext_len; /* Size of list of extensions */ size_t rand_bytes_len; - // Buffer management + /* Buffer management */ unsigned char* start = buf; unsigned char* end = buf + buflen; #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) { - rand_bytes_len = MBEDTLS_CTLS_RANDOM_MAX_LENGTH; + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) + { + rand_bytes_len = MBEDTLS_CTLS_RANDOM_MAX_LENGTH; } else #endif /* MBEDTLS_CTLS */ { - rand_bytes_len = 32; + rand_bytes_len = 32; } /* Ensure we have enough room for ServerHello - * up to but excluding the extensions. */ - if (buflen < (4+32+2+2+1+ssl->session_negotiate->id_len+1+1)) // TBD: FIXME + * up to but excluding the extensions. */ + if( buflen < ( 4+32+2+2+1+ssl->session_negotiate->id_len+1+1 )) /* TBD: FIXME */ { - return(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } /* * TLS 1.3 * 0 . 0 handshake type - * 1 . 3 handshake length + * 1 . 3 handshake length * * cTLS * 0 . 0 handshake type * - * The header is set by ssl_write_record. + * The header is set by ssl_write_record. * For DTLS 1.3 the other fields are adjusted. */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_USE ) { - buf++; // skip handshake type - buflen--; + buf++; /* skip handshake type */ + buflen--; } else #endif /* MBEDTLS_CTLS */ { - buf += 4; // skip handshake type + length - buflen -=4; + buf += 4; /* skip handshake type + length */ + buflen -=4; } /* Version */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) { #endif /* MBEDTLS_CTLS */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - *buf++ = (unsigned char)0xfe; - *buf++ = (unsigned char)0xfd; - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [0xfe:0xfd]")); - } else + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + *buf++ = ( unsigned char ) 0xfe; + *buf++ = ( unsigned char ) 0xfd; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [0xfe:0xfd]" ) ); + } + else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - *buf++ = (unsigned char)0x3; - *buf++ = (unsigned char)0x3; - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [0x3:0x3]")); - } - buflen -= 2; + { + *buf++ = ( unsigned char )0x3; + *buf++ = ( unsigned char )0x3; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [0x3:0x3]" ) ); + } + buflen -= 2; #if defined(MBEDTLS_CTLS) } #endif /* MBEDTLS_CTLS */ - // Write random bytes - memcpy(buf, ssl->handshake->randbytes, rand_bytes_len); - MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf, rand_bytes_len); + /* Write random bytes */ + memcpy( buf, ssl->handshake->randbytes, rand_bytes_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf, rand_bytes_len ); buf += rand_bytes_len; buflen -= rand_bytes_len; #if defined(MBEDTLS_HAVE_TIME) - ssl->session_negotiate->start = time(NULL); + ssl->session_negotiate->start = time( NULL ); #endif /* MBEDTLS_HAVE_TIME */ - // Write legacy session id + /* Write legacy session id */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ { - *buf++ = (unsigned char)ssl->session_negotiate->id_len; - buflen--; - memcpy(buf, &ssl->session_negotiate->id[0], ssl->session_negotiate->id_len); - buf += ssl->session_negotiate->id_len; - MBEDTLS_SSL_DEBUG_MSG(3, ("session id length (%d)", ssl->session_negotiate->id_len)); - MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len); - buflen -= ssl->session_negotiate->id_len; - } - - // write selected ciphersuite (2 bytes) - *buf++ = (unsigned char)(ssl->session_negotiate->ciphersuite >> 8); - *buf++ = (unsigned char)(ssl->session_negotiate->ciphersuite); + *buf++ = ( unsigned char )ssl->session_negotiate->id_len; + buflen--; + memcpy( buf, &ssl->session_negotiate->id[0], ssl->session_negotiate->id_len ); + buf += ssl->session_negotiate->id_len; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "session id length ( %d )", ssl->session_negotiate->id_len ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id, ssl->session_negotiate->id_len ); + buflen -= ssl->session_negotiate->id_len; + } + + /* write selected ciphersuite ( 2 bytes ) */ + *buf++ = ( unsigned char )( ssl->session_negotiate->ciphersuite >> 8 ); + *buf++ = ( unsigned char )( ssl->session_negotiate->ciphersuite ); buflen -= 2; - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s (id=%d)", mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite), ssl->session_negotiate->ciphersuite)); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s ( id=%d )", mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ), ssl->session_negotiate->ciphersuite ) ); #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ { - // write legacy_compression_method (0) - *buf++ = 0x0; - buflen--; + /* write legacy_compression_method ( 0 ) */ + *buf++ = 0x0; + buflen--; } - // First write extensions, then the total length + /* First write extensions, then the total length */ extension_start = buf; total_ext_len = 0; buf += 2; @@ -3701,82 +3745,83 @@ static int ssl_server_hello_write(mbedtls_ssl_context* ssl, /* Only add the pre_shared_key extension if the client provided it in the ClientHello * and if the key exchange supports PSK */ - if (ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION && ( + if( ssl->handshake->extensions_present & PRE_SHARED_KEY_EXTENSION && ( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK)) + ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )) { - ssl_write_server_pre_shared_key_ext(ssl, buf, end, &cur_ext_len); - total_ext_len += cur_ext_len; - buf += cur_ext_len; + ssl_write_server_pre_shared_key_ext( ssl, buf, end, &cur_ext_len ); + total_ext_len += cur_ext_len; + buf += cur_ext_len; } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) /* Only add the key_share extension if the client provided it in the ClientHello * and if the appropriate key exchange mechanism was selected */ - if (ssl->handshake->extensions_present & KEY_SHARE_EXTENSION && ( + if( ssl->handshake->extensions_present & KEY_SHARE_EXTENSION && ( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA)) + ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )) { - if ((ret = ssl_write_key_shares_ext(ssl, buf, end, &cur_ext_len)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_key_shares_ext", ret); - return(ret); - } + if( ( ret = ssl_write_key_shares_ext( ssl, buf, end, &cur_ext_len )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_key_shares_ext", ret ); + return( ret ); + } - total_ext_len += cur_ext_len; - buf += cur_ext_len; + total_ext_len += cur_ext_len; + buf += cur_ext_len; } -#endif /* (MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ +#endif /* ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ /* Add supported_version extension */ - if (ssl->handshake->extensions_present & SUPPORTED_VERSION_EXTENSION) { - - if ((ret = ssl_write_supported_version_ext(ssl, buf, end, &cur_ext_len)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_version_ext", ret); - return(ret); - } + if( ssl->handshake->extensions_present & SUPPORTED_VERSION_EXTENSION ) + { + if( ( ret = ssl_write_supported_version_ext( ssl, buf, end, &cur_ext_len )) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_version_ext", ret ); + return( ret ); + } - total_ext_len += cur_ext_len; - buf += cur_ext_len; + total_ext_len += cur_ext_len; + buf += cur_ext_len; } #if defined(MBEDTLS_CID) - if (ssl->handshake->extensions_present & CID_EXTENSION) { - if ((ret = ssl_write_cid_ext(ssl, buf, end, &cur_ext_len)) != 0) - { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret); - return(ret); - } + if( ssl->handshake->extensions_present & CID_EXTENSION ) + { + if( ( ret = ssl_write_cid_ext( ssl, buf, end, &cur_ext_len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_cid_ext", ret ); + return( ret ); + } - total_ext_len += cur_ext_len; - buf += cur_ext_len; + total_ext_len += cur_ext_len; + buf += cur_ext_len; } #endif /* MBEDTLS_CID */ - MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions", extension_start, total_ext_len); + MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions", extension_start, total_ext_len ); - // Write length information - *extension_start++ = (unsigned char)((total_ext_len >> 8) & 0xFF); - *extension_start++ = (unsigned char)((total_ext_len) & 0xFF); + /* Write length information */ + *extension_start++ = ( unsigned char )( ( total_ext_len >> 8 ) & 0xFF ); + *extension_start++ = ( unsigned char )( ( total_ext_len ) & 0xFF ); buflen -= 2 + total_ext_len; *olen = buf - start; - MBEDTLS_SSL_DEBUG_BUF(3, "server hello", start, *olen); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", start, *olen ); - return(ret); -} + return( ret ); + } -static int ssl_server_hello_postprocess(mbedtls_ssl_context* ssl) -{ +static int ssl_server_hello_postprocess( mbedtls_ssl_context* ssl ) + { int ret = 0; ((void) ssl); return( ret ); -} + } /* @@ -3785,8 +3830,8 @@ static int ssl_server_hello_postprocess(mbedtls_ssl_context* ssl) * */ - /* Main entry point; orchestrates the other functions */ -static int ssl_certificate_request_process(mbedtls_ssl_context* ssl); + /* Main entry point; orchestrates the other functions */ + static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ); /* Coordination: * Check whether a CertificateRequest message should be written. @@ -3798,117 +3843,117 @@ static int ssl_certificate_request_process(mbedtls_ssl_context* ssl); */ #define SSL_CERTIFICATE_REQUEST_SEND 0 #define SSL_CERTIFICATE_REQUEST_SKIP 1 -static int ssl_certificate_request_coordinate(mbedtls_ssl_context* ssl); + static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -static int ssl_certificate_request_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen); + static int ssl_certificate_request_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ); #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -static int ssl_certificate_request_postprocess(mbedtls_ssl_context* ssl); + static int ssl_certificate_request_postprocess( mbedtls_ssl_context* ssl ); /* * Implementation */ -static int ssl_certificate_request_process(mbedtls_ssl_context* ssl) -{ + static int ssl_certificate_request_process( mbedtls_ssl_context* ssl ) + { int ret = 0; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); /* Coordination step: Check if we need to send a CertificateRequest */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_request_coordinate(ssl)); + MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_coordinate( ssl ) ); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - if (ret == SSL_CERTIFICATE_REQUEST_SEND) + if( ret == SSL_CERTIFICATE_REQUEST_SEND ) { - /* Make sure we can write a new message. */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_flush_output(ssl)); - - /* Prepare CertificateRequest message in output buffer. */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_request_write(ssl, ssl->out_msg, - MBEDTLS_SSL_MAX_CONTENT_LEN, - &ssl->out_msglen)); - - ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; - ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; - - /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_request_postprocess(ssl)); - - /* Dispatch message */ - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl)); - - /* NOTE: With the new messaging layer, the postprocessing - * step might come after the dispatching step if the - * latter doesn't send the message immediately. - * At the moment, we must do the postprocessing - * prior to the dispatching because if the latter - * returns WANT_WRITE, we want the handshake state - * to be updated in order to not enter - * this function again on retry. - * - * Further, once the two calls can be re-ordered, the two - * calls to ssl_certificate_request_postprocess() can be - * consolidated. */ + /* Make sure we can write a new message. */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) ); + + /* Prepare CertificateRequest message in output buffer. */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_write( ssl, ssl->out_msg, + MBEDTLS_SSL_MAX_CONTENT_LEN, + &ssl->out_msglen ) ); + + ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; + ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; + + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_postprocess( ssl ) ); + + /* Dispatch message */ + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl ) ); + + /* NOTE: With the new messaging layer, the postprocessing + * step might come after the dispatching step if the + * latter doesn't send the message immediately. + * At the moment, we must do the postprocessing + * prior to the dispatching because if the latter + * returns WANT_WRITE, we want the handshake state + * to be updated in order to not enter + * this function again on retry. + * + * Further, once the two calls can be re-ordered, the two + * calls to ssl_certificate_request_postprocess( ) can be + * consolidated. */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ - if (ret == SSL_CERTIFICATE_REQUEST_SKIP) - { - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); - - /* Update state */ - MBEDTLS_SSL_PROC_CHK(ssl_certificate_request_postprocess(ssl)); - } - else - { - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); - } - -cleanup: - - MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); - return(ret); -} + if( ret == SSL_CERTIFICATE_REQUEST_SKIP ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); + + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_certificate_request_postprocess( ssl ) ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + cleanup: + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); + return( ret ); + } -static int ssl_certificate_request_coordinate(mbedtls_ssl_context* ssl) -{ + static int ssl_certificate_request_coordinate( mbedtls_ssl_context* ssl ) + { int authmode; - if ((ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK)) - return(SSL_CERTIFICATE_REQUEST_SKIP); + if( ( ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || + ssl->session_negotiate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )) + return( SSL_CERTIFICATE_REQUEST_SKIP ); #if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - ((void)authmode); - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return(MBEDTLS_ERR_SSL_INTERNAL_ERROR); + ( (void)authmode ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); #else #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) - authmode = ssl->handshake->sni_authmode; + if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) + authmode = ssl->handshake->sni_authmode; else #endif - authmode = ssl->conf->authmode; + authmode = ssl->conf->authmode; - if (authmode == MBEDTLS_SSL_VERIFY_NONE) - return(SSL_CERTIFICATE_REQUEST_SKIP); + if( authmode == MBEDTLS_SSL_VERIFY_NONE ) + return( SSL_CERTIFICATE_REQUEST_SKIP ); - return(SSL_CERTIFICATE_REQUEST_SEND); + return( SSL_CERTIFICATE_REQUEST_SEND ); #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -} + } -static int ssl_certificate_request_write(mbedtls_ssl_context* ssl, - unsigned char* buf, - size_t buflen, - size_t* olen) -{ + static int ssl_certificate_request_write( mbedtls_ssl_context* ssl, + unsigned char* buf, + size_t buflen, + size_t* olen ) + { int ret; unsigned char* p; unsigned char* end = buf + buflen; @@ -3920,102 +3965,101 @@ static int ssl_certificate_request_write(mbedtls_ssl_context* ssl, * NOTE: * Even for DTLS, we are skipping 4 bytes for the TLS handshake * header. The actual DTLS handshake header is inserted in - * the record writing routine mbedtls_ssl_write_record(). + * the record writing routine mbedtls_ssl_write_record( ). */ p = buf + tls_hs_hdr_len; - if (p + tls_hs_hdr_len + 1 + 2 > end) + if( p + tls_hs_hdr_len + 1 + 2 > end ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); - return (MBEDTLS_ERR_SSL_ALLOC_FAILED); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); + return ( MBEDTLS_ERR_SSL_ALLOC_FAILED ); } /* - * - * struct { - * opaque certificate_request_context<0..2^8-1>; - * Extension extensions<2..2^16-1>; - * } CertificateRequest; - * - */ + * + * struct { + * opaque certificate_request_context<0..2^8-1>; + * Extension extensions<2..2^16-1>; + * } CertificateRequest; + * + */ /* - * Write certificate_request_context - */ + * Write certificate_request_context + */ /* * We use a zero length context for the normal handshake * messages. For post-authentication handshake messages * this request context would be set to a non-zero value. - */ + */ #if defined(MBEDTLS_CTLS) - if (ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE) + if( ssl->handshake->ctls == MBEDTLS_CTLS_DO_NOT_USE ) #endif /* MBEDTLS_CTLS */ { - *p++ = 0x0; + *p++ = 0x0; } /* - * Write extensions - */ + * Write extensions + */ - // The extensions must contain the signature_algorithms. - // Currently we don't use any other extension - ret = ssl_write_signature_algorithms_ext(ssl, p+2, end, olen); - if (ret != 0) return ret; + /* The extensions must contain the signature_algorithms. */ + /* Currently we don't use any other extension */ + ret = ssl_write_signature_algorithms_ext( ssl, p+2, end, olen ); + if( ret != 0 ) return ret; - // length field for all extensions - *p++ = (unsigned char)((*olen >> 8) & 0xFF); - *p++ = (unsigned char)((*olen) & 0xFF); + /* length field for all extensions */ + *p++ = ( unsigned char )( ( *olen >> 8 ) & 0xFF ); + *p++ = ( unsigned char )( ( *olen ) & 0xFF ); p += *olen; *olen = p - buf; - return(ret); -} - + return( ret ); + } -static int ssl_certificate_request_postprocess(mbedtls_ssl_context* ssl) { - // next state - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE); - return(0); +static int ssl_certificate_request_postprocess( mbedtls_ssl_context* ssl ) +{ + /* next state */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE ); + return( 0 ); } - /* -* TLS and DTLS 1.3 State Maschine -- server side -*/ -int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) -{ + * TLS and DTLS 1.3 State Maschine -- server side + */ + int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) + { int ret = 0; KeySet traffic_keys; - if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state)); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); - if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) - return(ret); + if( ( ret = mbedtls_ssl_flush_output( ssl )) != 0 ) + return( ret ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { - if ((ret = mbedtls_ssl_resend(ssl)) != 0) - return(ret); + if( ( ret = mbedtls_ssl_resend( ssl )) != 0 ) + return( ret ); } #endif - switch (ssl->state) + switch ( ssl->state ) { - // start state - case MBEDTLS_SSL_HELLO_REQUEST: + /* start state */ + case MBEDTLS_SSL_HELLO_REQUEST: ssl->handshake->hello_retry_requests_sent = 0; - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value (0) is used with unencrypted messages */ + /* epoch value ( 0 ) is used with unencrypted messages */ ssl->out_epoch = 0; ssl->in_epoch = 0; #endif /* MBEDTLS_SSL_PROTO_DTLS */ @@ -4028,243 +4072,250 @@ int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) /* ----- READ CLIENT HELLO ----*/ - case MBEDTLS_SSL_CLIENT_HELLO: + case MBEDTLS_SSL_CLIENT_HELLO: - // Reset pointers to buffers + /* Reset pointers to buffers */ #if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_CID) - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - ssl->out_hdr = ssl->out_buf; - ssl->out_ctr = ssl->out_buf + 3; - ssl->out_len = ssl->out_buf + 11; - ssl->out_iv = ssl->out_buf + 13; - ssl->out_msg = ssl->out_buf + 13; - - ssl->in_hdr = ssl->in_buf; - ssl->in_ctr = ssl->in_buf + 3; - ssl->in_len = ssl->in_buf + 11; - ssl->in_iv = ssl->in_buf + 13; - ssl->in_msg = ssl->in_buf + 13; + ssl->out_hdr = ssl->out_buf; + ssl->out_ctr = ssl->out_buf + 3; + ssl->out_len = ssl->out_buf + 11; + ssl->out_iv = ssl->out_buf + 13; + ssl->out_msg = ssl->out_buf + 13; + + ssl->in_hdr = ssl->in_buf; + ssl->in_ctr = ssl->in_buf + 3; + ssl->in_len = ssl->in_buf + 11; + ssl->in_iv = ssl->in_buf + 13; + ssl->in_msg = ssl->in_buf + 13; } #endif /* MBEDTLS_CID && MBEDTLS_SSL_PROTO_DTLS */ - ret = ssl_client_hello_process(ssl); + ret = ssl_client_hello_process( ssl ); - //ret = MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE; // for testing purposes - switch (ret) { - case 0: + /*ret = MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE; // for testing purposes */ + switch ( ret ) { + case 0: #if defined(MBEDTLS_SSL_COOKIE_C) && defined(MBEDTLS_SSL_PROTO_DTLS) /* If we use DTLS 1.3 then we may need to send a HRR instead of a ClientHello - * to do a return-routability check. We use the ssl->conf->rr_config - * variable for determining the preference to use the RR-check. - */ - if (ssl->handshake->hello_retry_requests_sent == 0 && - ssl->conf->rr_config == MBEDTLS_SSL_FORCE_RR_CHECK_ON) + * to do a return-routability check. We use the ssl->conf->rr_config + * variable for determining the preference to use the RR-check. + */ + if( ssl->handshake->hello_retry_requests_sent == 0 && + ssl->conf->rr_config == MBEDTLS_SSL_FORCE_RR_CHECK_ON ) { - // Transmit Hello Retry Request - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST); + /* Transmit Hello Retry Request */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST ); } else #endif /* MBEDTLS_SSL_COOKIE_C && MBEDTLS_SSL_PROTO_DTLS */ { #if defined(MBEDTLS_ZERO_RTT) - if (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_EARLY_APP_DATA); - } - else + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_EARLY_APP_DATA ); + } + else #endif /* MBEDTLS_ZERO_RTT */ - { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); - } + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); + } } break; -#if (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) - case MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE: - // Wrong key share --> send HRR - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST); +#if ( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) + case MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE: + /* Wrong key share --> send HRR */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST ); ret = 0; break; - case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE: - // Failed to parse the key share correctly --> send HRR - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST); + case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_SHARE: + /* Failed to parse the key share correctly --> send HRR */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST ); ret = 0; break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ - case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); + case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); break; - case MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN: - mbedtls_ssl_send_fatal_handshake_failure(ssl); + case MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN: + mbedtls_ssl_send_fatal_handshake_failure( ssl ); break; - case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: - mbedtls_ssl_send_fatal_handshake_failure(ssl); + case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: + mbedtls_ssl_send_fatal_handshake_failure( ssl ); break; #if defined(MBEDTLS_SSL_COOKIE_C) - case MBEDTLS_ERR_SSL_BAD_HS_COOKIE_EXT: + case MBEDTLS_ERR_SSL_BAD_HS_COOKIE_EXT: /* Cookie verification failed. This case is conceptually similar - * to MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE with the exception - * that we are definitely going to include a cookie. --> Send HRR - */ - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST); + * to MBEDTLS_ERR_SSL_BAD_HS_WRONG_KEY_SHARE with the exception + * that we are definitely going to include a cookie. --> Send HRR + */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST ); ret = 0; break; - case MBEDTLS_ERR_SSL_BAD_HS_MISSING_COOKIE_EXT: + case MBEDTLS_ERR_SSL_BAD_HS_MISSING_COOKIE_EXT: /* Cookie extension missing. Send HRR - */ - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST); + */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST ); ret = 0; break; #endif /* MBEDTLS_SSL_COOKIE_C */ - case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO: - // We have encountered a problem parsing the ClientHello - // Let us jump back to the initial state - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST); + case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO: + /* We have encountered a problem parsing the ClientHello */ + /* Let us jump back to the initial state */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_REQUEST ); ret = 0; break; - case MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION); - return (MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT); + case MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ); + return ( MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT ); break; - case MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE: - return (MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); + case MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE: + return ( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); break; #if defined(MBEDTLS_COMPATIBILITY_MODE) - case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO_CCS: - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); + case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO_CCS: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); ret = 0; break; #endif /* MBEDTLS_COMPATIBILITY_MODE */ - default: - // Something went wrong and we jump back to initial state - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST); - /* TBD: Should we rather return an error here -- return (ret)? */ + default: + /* Something went wrong and we jump back to initial state */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_REQUEST ); + /* TBD: Should we rather return an error here -- return ( ret )? */ ret = 0; } break; /* ----- WRITE EARLY APP DATA ----*/ #if defined(MBEDTLS_ZERO_RTT) - case MBEDTLS_SSL_EARLY_APP_DATA: + case MBEDTLS_SSL_EARLY_APP_DATA: - ret = mbedtls_ssl_early_data_key_derivation(ssl, &traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_early_data_key_derivation", ret); - return (ret); + ret = mbedtls_ssl_early_data_key_derivation( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_early_data_key_derivation", ret ); + return ( ret ); } - ret = mbedtls_set_traffic_key(ssl, &traffic_keys, ssl->transform_negotiate, 0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); + ret = mbedtls_set_traffic_key( ssl, &traffic_keys, ssl->transform_negotiate, 0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value(1) is used for messages protected using keys derived + /* epoch value( 1 ) is used for messages protected using keys derived * from early_traffic_secret. - */ + */ ssl->in_epoch = 1; ssl->out_epoch = 1; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - ret = ssl_parse_early_data(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_parse_early_data", ret); - return (ret); + ret = ssl_parse_early_data( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_parse_early_data", ret ); + return ( ret ); } - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); break; #endif /* MBEDTLS_ZERO_RTT */ /* ----- WRITE HELLO RETRY REQUEST ----*/ - case MBEDTLS_SSL_HELLO_RETRY_REQUEST: + case MBEDTLS_SSL_HELLO_RETRY_REQUEST: - if (ssl->handshake->hello_retry_requests_sent > 1) + if( ssl->handshake->hello_retry_requests_sent > 1 ) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs")); - return (MBEDTLS_ERR_SSL_BAD_HS_TOO_MANY_HRR); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) ); + return ( MBEDTLS_ERR_SSL_BAD_HS_TOO_MANY_HRR ); } - ret = ssl_write_hello_retry_request(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_hello_retry_request", ret); - return (ret); + ret = ssl_write_hello_retry_request( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hello_retry_request", ret ); + return ( ret ); } ssl->handshake->hello_retry_requests_sent++; #if defined(MBEDTLS_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HRR); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HRR ); #else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); #endif /* MBEDTLS_COMPATIBILITY_MODE */ break; /* ----- WRITE CHANGE CIPHER SPEC ----*/ #if defined(MBEDTLS_COMPATIBILITY_MODE) - case MBEDTLS_SSL_SERVER_CCS_AFTER_HRR: + case MBEDTLS_SSL_SERVER_CCS_AFTER_HRR: - ret = mbedtls_ssl_write_change_cipher_spec(ssl); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO); + ret = mbedtls_ssl_write_change_cipher_spec( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO ); ssl->handshake->ccs_sent++; break; #endif /* MBEDTLS_COMPATIBILITY_MODE */ /* ----- READ 2nd CLIENT HELLO ----*/ - case MBEDTLS_SSL_SECOND_CLIENT_HELLO: + case MBEDTLS_SSL_SECOND_CLIENT_HELLO: - ret = ssl_client_hello_process(ssl); + ret = ssl_client_hello_process( ssl ); - switch (ret) { - case 0: - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); + switch ( ret ) { + case 0: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO ); break; - case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); + case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); break; - case MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN: - mbedtls_ssl_send_fatal_handshake_failure(ssl); + case MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN: + mbedtls_ssl_send_fatal_handshake_failure( ssl ); break; - case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: - mbedtls_ssl_send_fatal_handshake_failure(ssl); + case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: + mbedtls_ssl_send_fatal_handshake_failure( ssl ); break; - case MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT: - mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION); - return (MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT); + case MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT: + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ); + return ( MBEDTLS_ERR_SSL_BAD_HS_MISSING_EXTENSION_EXT ); break; - case MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC: - // Stay in this state - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO); + case MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC: + /* Stay in this state */ + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SECOND_CLIENT_HELLO ); ret = 0; break; - default: - return (ret); + default: + return ( ret ); } break; /* ----- WRITE SERVER HELLO ----*/ - case MBEDTLS_SSL_SERVER_HELLO: - ret = ssl_server_hello_process(ssl); + case MBEDTLS_SSL_SERVER_HELLO: + ret = ssl_server_hello_process( ssl ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_server_hello", ret); - return (ret); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_server_hello", ret ); + return ( ret ); } #if defined(MBEDTLS_COMPATIBILITY_MODE) - if (ssl->handshake->ccs_sent > 1) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO); + if( ssl->handshake->ccs_sent > 1 ) + { + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO ); } else { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); } #else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); #endif /* MBEDTLS_COMPATIBILITY_MODE */ break; @@ -4272,15 +4323,15 @@ int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) /* ----- WRITE CHANGE CIPHER SPEC ----*/ #if defined(MBEDTLS_COMPATIBILITY_MODE) - case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: + case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: /* Only transmit the CCS if we have not done so * earlier already after the HRR. */ - if (ssl->handshake->hello_retry_requests_sent == 0) - ret = mbedtls_ssl_write_change_cipher_spec(ssl); + if( ssl->handshake->hello_retry_requests_sent == 0 ) + ret = mbedtls_ssl_write_change_cipher_spec( ssl ); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS ); #if defined(MBEDTLS_COMPATIBILITY_MODE) ssl->handshake->ccs_sent++; #endif /* MBEDTLS_COMPATIBILITY_MODE */ @@ -4290,197 +4341,216 @@ int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) /* ----- WRITE ENCRYPTED EXTENSIONS ----*/ - case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: + case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: - ret = ssl_encrypted_extensions_process(ssl); + ret = ssl_encrypted_extensions_process( ssl ); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypted_extensions_process", ret); - return (ret); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypted_extensions_process", ret ); + return ( ret ); } break; /* ----- WRITE CERTIFICATE REQUEST ----*/ - case MBEDTLS_SSL_CERTIFICATE_REQUEST: - ret = ssl_certificate_request_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_certificate_request_process", ret); - return (ret); + case MBEDTLS_SSL_CERTIFICATE_REQUEST: + ret = ssl_certificate_request_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_certificate_request_process", ret ); + return ( ret ); } break; /* ----- WRITE SERVER CERTIFICATE ----*/ - case MBEDTLS_SSL_SERVER_CERTIFICATE: - ret = ssl_write_certificate_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_certificate", ret); - return (ret); + case MBEDTLS_SSL_SERVER_CERTIFICATE: + ret = ssl_write_certificate_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_certificate", ret ); + return ( ret ); } break; /* ----- WRITE SERVER CERTIFICATE VERIFY ----*/ - case MBEDTLS_SSL_CERTIFICATE_VERIFY: - ret = ssl_certificate_verify_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_certificate_verify_process", ret); - return (ret); + case MBEDTLS_SSL_CERTIFICATE_VERIFY: + ret = ssl_certificate_verify_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_certificate_verify_process", ret ); + return ( ret ); } break; /* ----- WRITE FINISHED ----*/ - case MBEDTLS_SSL_SERVER_FINISHED: - ret = ssl_finished_out_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_finished_out_process", ret); - return (ret); + case MBEDTLS_SSL_SERVER_FINISHED: + ret = ssl_finished_out_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_finished_out_process", ret ); + return ( ret ); } break; /* ----- READ CLIENT CERTIFICATE ----*/ - case MBEDTLS_SSL_CLIENT_CERTIFICATE: - ret = ssl_read_certificate_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_read_certificate_process", ret); - return (ret); + case MBEDTLS_SSL_CLIENT_CERTIFICATE: + ret = ssl_read_certificate_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_read_certificate_process", ret ); + return ( ret ); } break; /* ----- READ CLIENT CERTIFICATE VERIFY ----*/ - case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: - ret=ssl_read_certificate_verify_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_read_certificate_verify_process", ret); - return (ret); + case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: + ret=ssl_read_certificate_verify_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_read_certificate_verify_process", ret ); + return ( ret ); } break; #if defined(MBEDTLS_ZERO_RTT) - case MBEDTLS_SSL_EARLY_DATA: - ret = mbedtls_ssl_early_data_key_derivation(ssl, &traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_early_data_key_derivation", ret); - return (ret); + case MBEDTLS_SSL_EARLY_DATA: + ret = mbedtls_ssl_early_data_key_derivation( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_early_data_key_derivation", ret ); + return ( ret ); } - ret = mbedtls_set_traffic_key(ssl, &traffic_keys, ssl->transform_negotiate,0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); + ret = mbedtls_set_traffic_key( ssl, &traffic_keys, ssl->transform_negotiate,0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); } - ret = mbedtls_ssl_parse_end_of_early_data(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_parse_end_of_early_data", ret); - return (ret); + ret = mbedtls_ssl_parse_end_of_early_data( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_parse_end_of_early_data", ret ); + return ( ret ); } - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); break; #endif /* MBEDTLS_ZERO_RTT */ /* ----- READ FINISHED ----*/ - case MBEDTLS_SSL_CLIENT_FINISHED: + case MBEDTLS_SSL_CLIENT_FINISHED: #if defined(MBEDTLS_ZERO_RTT) - if (ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON) { - ret = mbedtls_ssl_key_derivation(ssl, &traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_key_derivation", ret); - return (ret); - } - - ret = mbedtls_set_traffic_key(ssl, &traffic_keys, ssl->transform_negotiate,0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); - } + if( ssl->handshake->early_data == MBEDTLS_SSL_EARLY_DATA_ON ) + { + ret = mbedtls_ssl_key_derivation( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_key_derivation", ret ); + return ( ret ); + } + + ret = mbedtls_set_traffic_key( ssl, &traffic_keys, ssl->transform_negotiate,0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); + } } #endif /* MBEDTLS_ZERO_RTT */ - ret = mbedtls_ssl_generate_application_traffic_keys(ssl, &traffic_keys); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_generate_application_traffic_keys", ret); - return (ret); + ret = mbedtls_ssl_generate_application_traffic_keys( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_generate_application_traffic_keys", ret ); + return ( ret ); } - ret = ssl_finished_in_process(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_finished_in_process", ret); - return (ret); + ret = ssl_finished_in_process( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_finished_in_process", ret ); + return ( ret ); } /* Compute resumption_master_secret */ - ret = mbedtls_ssl_generate_resumption_master_secret(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_generate_resumption_master_secret ", ret); - return (ret); + ret = mbedtls_ssl_generate_resumption_master_secret( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_generate_resumption_master_secret ", ret ); + return ( ret ); } - ret = mbedtls_set_traffic_key(ssl, &traffic_keys, ssl->transform_negotiate,0); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_set_traffic_key", ret); - return (ret); + ret = mbedtls_set_traffic_key( ssl, &traffic_keys, ssl->transform_negotiate,0 ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_set_traffic_key", ret ); + return ( ret ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) - /* epoch value (3) is used for payloads protected - * using keys derived from the initial traffic_secret_0. - */ + /* epoch value ( 3 ) is used for payloads protected + * using keys derived from the initial traffic_secret_0. + */ ssl->in_epoch = 3; ssl->out_epoch = 3; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_FINISH_ACK); + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_FINISH_ACK ); else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); break; #if defined(MBEDTLS_SSL_PROTO_DTLS) - case MBEDTLS_SSL_HANDSHAKE_FINISH_ACK: + case MBEDTLS_SSL_HANDSHAKE_FINISH_ACK: /* The server needs to reply with an ACK message after parsing * the Finish message from the client. */ - ret = mbedtls_ssl_write_ack(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_ack", ret); - return (ret); + ret = mbedtls_ssl_write_ack( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_ack", ret ); + return ( ret ); } - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP ); break; #endif /* MBEDTLS_SSL_PROTO_DTLS */ - case MBEDTLS_SSL_HANDSHAKE_WRAPUP: - MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); - mbedtls_ssl_handshake_wrapup(ssl); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + case MBEDTLS_SSL_HANDSHAKE_WRAPUP: + MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); + mbedtls_ssl_handshake_wrapup( ssl ); + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER ); #if defined(MBEDTLS_SSL_NEW_SESSION_TICKET) - ret = ssl_write_new_session_ticket(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_new_session_ticket ", ret); - return (ret); + ret = ssl_write_new_session_ticket( ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_new_session_ticket ", ret ); + return ( ret ); } #endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */ break; - default: - MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); - return(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - return(ret); -} + return( ret ); + } #endif /* MBEDTLS_SSL_SRV_C */