File Coverage

inc/matrixssl-3-9-3-open/matrixssl/sslEncode.c

Criterion	Covered	Total	%
statement	967	2372	40.7
branch	513	1464	35.0
condition			n/a
subroutine			n/a
pod			n/a
total	1480	3836	38.5

line	stmt	bran	code
1			/**
2			* @file sslEncode.c
3			* @version 950bba4 (HEAD -> master)
4			*
5			* Secure Sockets Layer protocol message encoding portion of MatrixSSL.
6			*/
7			/*
8			* Copyright (c) 2013-2017 INSIDE Secure Corporation
9			* Copyright (c) PeerSec Networks, 2002-2011
10			* All Rights Reserved
11			*
12			* The latest version of this code is available at http://www.matrixssl.org
13			*
14			* This software is open source; you can redistribute it and/or modify
15			* it under the terms of the GNU General Public License as published by
16			* the Free Software Foundation; either version 2 of the License, or
17			* (at your option) any later version.
18			*
19			* This General Public License does NOT permit incorporating this software
20			* into proprietary programs. If you are unable to comply with the GPL, a
21			* commercial license for this software may be purchased from INSIDE at
22			* http://www.insidesecure.com/
23			*
24			* This program is distributed in WITHOUT ANY WARRANTY; without even the
25			* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
26			* See the GNU General Public License for more details.
27			*
28			* You should have received a copy of the GNU General Public License
29			* along with this program; if not, write to the Free Software
30			* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31			* http://www.gnu.org/copyleft/gpl.html
32			*/
33			/******************************************************************************/
34
35			#include "matrixsslImpl.h"
36
37			/******************************************************************************/
38
39			# ifndef USE_ONLY_PSK_CIPHER_SUITE
40			static int32 writeCertificate(ssl_t ssl, sslBuf_t out, int32 notEmpty);
41			# if defined(USE_OCSP) && defined(USE_SERVER_SIDE_SSL)
42			static int32 writeCertificateStatus(ssl_t ssl, sslBuf_t out);
43			# endif
44			# endif
45			static int32 writeChangeCipherSpec(ssl_t ssl, sslBuf_t out);
46			static int32 writeFinished(ssl_t ssl, sslBuf_t out);
47			static int32 writeAlert(ssl_t *ssl, unsigned char level,
48			unsigned char description, sslBuf_t out, uint32 requiredLen);
49			static int32_t writeRecordHeader(ssl_t *ssl, uint8_t type, uint8_t hsType,
50			psSize_t messageSize, uint8_t padLen,
51			unsigned char **encryptStart,
52			const unsigned char end, unsigned char *c);
53			# ifdef USE_DTLS
54			# ifdef USE_SERVER_SIDE_SSL
55			static int32 writeHelloVerifyRequest(ssl_t ssl, sslBuf_t out);
56			# endif
57			# endif /* USE_DTLS */
58
59			static int32 encryptRecord(ssl_t *ssl, int32 type, int32 hsMsgType,
60			int32 messageSize, int32 padLen, unsigned char *pt,
61			sslBuf_t out, unsigned char *c);
62
63			# ifdef USE_CLIENT_SIDE_SSL
64			static int32 writeClientKeyExchange(ssl_t ssl, sslBuf_t out);
65			# endif /* USE_CLIENT_SIDE_SSL */
66
67			# ifndef USE_ONLY_PSK_CIPHER_SUITE
68			# if defined(USE_SERVER_SIDE_SSL) && defined(USE_CLIENT_AUTH)
69			static int32 writeCertificateRequest(ssl_t ssl, sslBuf_t out, int32 certLen,
70			int32 certCount);
71			static int32 writeMultiRecordCertRequest(ssl_t ssl, sslBuf_t out,
72			int32 certLen, int32 certCount, int32 sigHashLen);
73			# endif
74			# if defined(USE_CLIENT_SIDE_SSL) && defined(USE_CLIENT_AUTH)
75			static int32 writeCertificateVerify(ssl_t ssl, sslBuf_t out);
76			static int32 nowDoCvPka(ssl_t ssl, psBuf_t out);
77			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
78			static int32_t handleAsyncCvSigOp(ssl_t ssl, pkaAfter_t pka, unsigned char *hash);
79			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
80			# endif
81			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
82
83			# ifdef USE_SERVER_SIDE_SSL
84			static int32 writeServerHello(ssl_t ssl, sslBuf_t out);
85			static int32 writeServerHelloDone(ssl_t ssl, sslBuf_t out);
86			# ifdef USE_PSK_CIPHER_SUITE
87			static int32 writePskServerKeyExchange(ssl_t ssl, sslBuf_t out);
88			# endif /* USE_PSK_CIPHER_SUITE */
89			# ifdef USE_DHE_CIPHER_SUITE
90			static int32 writeServerKeyExchange(ssl_t ssl, sslBuf_t out, uint32 pLen,
91			unsigned char p, uint32 gLen, unsigned char g);
92			# endif /* USE_DHE_CIPHER_SUITE */
93			# ifdef USE_STATELESS_SESSION_TICKETS /* Already inside a USE_SERVER_SIDE block */
94			static int32 writeNewSessionTicket(ssl_t ssl, sslBuf_t out);
95			# endif
96			# endif /* USE_SERVER_SIDE_SSL */
97
98			static int32 secureWriteAdditions(ssl_t *ssl, int32 numRecs);
99			static int32 encryptFlight(ssl_t ssl, unsigned char *end);
100
101			# ifdef USE_ZLIB_COMPRESSION
102			# define MAX_ZLIB_COMPRESSED_OH 128/* Only FINISHED message supported */
103			# endif
104			/******************************************************************************/
105			/*
106			This works for both in-situ and external buf
107
108			buf in Start of allocated buffer (header bytes beyond are overwritten)
109			out Start of encrypted data on function success
110
111			size in Total size of the allocated buffer
112
113			ptBuf in Pointer to front of the plain text data to be encrypted
114
115			len in Length of incoming plain text
116			out Length of encypted text on function success
117			out Length of required 'size' on SSL_FULL
118			*/
119	4125		int32 matrixSslEncode(ssl_t ssl, unsigned char buf, uint32 size,
120			unsigned char ptBuf, uint32 len)
121			{
122			unsigned char c, end, *encryptStart;
123			uint8_t padLen;
124			psSize_t messageSize;
125			int32_t rc;
126			psBuf_t tmpout;
127
128			/* If we've had a protocol error, don't allow further use of the session
129			Also, don't allow a application data record to be encoded unless the
130			handshake is complete.
131			*/
132	4125	50	if (ssl->flags & SSL_FLAGS_ERROR \|\| ssl->hsState != SSL_HS_DONE \|\|
		50
		100
133	4125		ssl->flags & SSL_FLAGS_CLOSED)
134			{
135			psTraceInfo("Bad SSL state for matrixSslEncode call attempt: ");
136			psTraceIntInfo(" flags %d,", ssl->flags);
137			psTraceIntInfo(" state %d\n", ssl->hsState);
138	1		return MATRIXSSL_ERROR;
139			}
140
141	4124		c = buf;
142	4124		end = buf + size;
143
144			# ifdef USE_BEAST_WORKAROUND
145	4124	50	if (ssl->bFlags & BFLAG_STOP_BEAST)
146			{
147	0		messageSize = ssl->recordHeadLen + 1; /* single byte is the fix */
148	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_APPLICATION_DATA, 0,
149			&messageSize, &padLen, &encryptStart, end, &c)) < 0)
150			{
151	0	0	if (rc == SSL_FULL)
152			{
153	0		*len = messageSize;
154			}
155	0		return rc;
156			}
157	0	0	psAssert(encryptStart == buf + ssl->recordHeadLen);
158	0		c += 1;
159	0		*len -= 1;
160
161	0		tmpout.buf = tmpout.start = tmpout.end = buf;
162	0		tmpout.size = size;
163	0	0	if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_APPLICATION_DATA, 0,
164			messageSize, padLen, ptBuf, &tmpout, &c)) < 0)
165			{
166	0		return rc;
167			}
168	0		ptBuf += 1;
169	0		tmpout.end = tmpout.end + (c - buf);
170
171			}
172			# endif
173			/*
174			writeRecordHeader will determine SSL_FULL cases. The expected
175			messageSize to writeRecored header is the plain text length plus the
176			record header length
177			*/
178	4124		messageSize = ssl->recordHeadLen + *len;
179
180	4124	50	if (messageSize > SSL_MAX_BUF_SIZE)
181			{
182			psTraceIntInfo("Message too large for matrixSslEncode: %d\n",
183			messageSize);
184	0		return PS_MEM_FAIL;
185			}
186	4124	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_APPLICATION_DATA, 0,
187			&messageSize, &padLen, &encryptStart, end, &c)) < 0)
188			{
189	0	0	if (rc == SSL_FULL)
190			{
191	0		*len = messageSize;
192			}
193	0		return rc;
194			}
195
196	4124		c += *len;
197			# ifdef USE_BEAST_WORKAROUND
198	4124	50	if (ssl->bFlags & BFLAG_STOP_BEAST)
199			{
200			/* The tmpout buf already contains the single byte record and has
201			updated pointers for current location. Disable at this time */
202	0		ssl->bFlags &= ~BFLAG_STOP_BEAST;
203			}
204			else
205			{
206	4124		tmpout.buf = tmpout.start = tmpout.end = buf;
207	4124		tmpout.size = size;
208			}
209			# else
210			tmpout.buf = tmpout.start = tmpout.end = buf;
211			tmpout.size = size;
212			# endif
213
214	4124	50	if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_APPLICATION_DATA, 0,
215			messageSize, padLen, ptBuf, &tmpout, &c)) < 0)
216			{
217	0		return rc;
218			}
219	4124		*len = (int32) (c - buf);
220
221			# ifdef SSL_REHANDSHAKES_ENABLED
222	4124		ssl->rehandshakeBytes += *len;
223	4124	50	if (ssl->rehandshakeBytes >= BYTES_BEFORE_RH_CREDIT)
224			{
225	0	0	if (ssl->rehandshakeCount < 0x8000)
226			{
227			/* Don't increment if disabled (-1) */
228	0	0	if (ssl->rehandshakeCount >= 0)
229			{
230	0		ssl->rehandshakeCount++;
231			}
232			}
233	0		ssl->rehandshakeBytes = 0;
234			}
235			# endif /* SSL_REHANDSHAKES_ENABLED */
236	4125		return *len;
237			}
238
239			/******************************************************************************/
240			/*
241			A helper function for matrixSslGetWritebuf to determine the correct
242			destination size before allocating an output buffer.
243			*/
244	4125		int32 matrixSslGetEncodedSize(ssl_t *ssl, uint32 len)
245			{
246	4125		len += ssl->recordHeadLen;
247	4125	50	if (ssl->flags & SSL_FLAGS_WRITE_SECURE)
248			{
249	4125		len += ssl->enMacSize;
250			# ifdef USE_TLS_1_1
251			/*
252			If a block cipher is being used TLS 1.1 requires the use
253			of an explicit IV. This is an extra random block of data
254			prepended to the plaintext before encryption. Account for
255			that extra length here.
256			*/
257	4125	50	if ((ssl->flags & SSL_FLAGS_WRITE_SECURE) &&
		50
258	4125	100	(ssl->flags & SSL_FLAGS_TLS_1_1) && (ssl->enBlockSize > 1))
259			{
260	1		len += ssl->enBlockSize;
261			}
262	4125	100	if (ssl->flags & SSL_FLAGS_AEAD_W)
263			{
264	4124	50	len += AEAD_TAG_LEN(ssl) + AEAD_NONCE_LEN(ssl);
		50
265			}
266			# endif /* USE_TLS_1_1 */
267
268			# ifdef USE_BEAST_WORKAROUND
269	4125	50	if (ssl->bFlags & BFLAG_STOP_BEAST)
270			{
271			/* Original message less one */
272	0	0	len += psPadLenPwr2(len - 1 - ssl->recordHeadLen, ssl->enBlockSize);
273			/* The single byte record overhead */
274	0		len += ssl->recordHeadLen + ssl->enMacSize;
275	0	0	len += psPadLenPwr2(1 + ssl->enMacSize, ssl->enBlockSize);
276			}
277			else
278			{
279	4125	100	len += psPadLenPwr2(len - ssl->recordHeadLen, ssl->enBlockSize);
280			}
281			# else
282			len += psPadLenPwr2(len - ssl->recordHeadLen, ssl->enBlockSize);
283			# endif
284			}
285	4125		return len;
286			}
287
288			# ifndef USE_ONLY_PSK_CIPHER_SUITE
289			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
290			/* Second parameter includes handshake header length */
291	0		static int32 addCertFragOverhead(ssl_t *ssl, int32 totalCertLen)
292			{
293	0		int32 oh = 0;
294
295			/* For each additional record, we'll need a record header and
296			secureWriteAdditions. Borrowing ssl->fragIndex and ssl->fragTotal */
297	0		ssl->fragTotal = totalCertLen;
298	0		ssl->fragIndex = 0;
299	0	0	while (ssl->fragTotal > 0)
300			{
301	0	0	if (ssl->fragIndex == 0)
302			{
303			/* First one is accounted for below as normal */
304	0		ssl->fragTotal -= ssl->maxPtFrag;
305	0		ssl->fragIndex++;
306			}
307			else
308			{
309			/* Remember this stage is simply for SSL_FULL test
310			so just incr totalCertLen to add overhead */
311	0		oh += secureWriteAdditions(ssl, 1);
312	0		oh += ssl->recordHeadLen;
313	0	0	if (ssl->fragTotal > (uint32) ssl->maxPtFrag)
314			{
315	0		ssl->fragTotal -= ssl->maxPtFrag;
316			}
317			else
318			{
319	0		ssl->fragTotal = 0;
320			}
321			}
322			}
323	0		return oh;
324			}
325			# endif /* SERVER \|\| CLIENT_AUTH */
326			# endif /* ! ONLY_PSK */
327
328			# ifdef USE_ECC
329			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
330			# ifndef USE_ONLY_PSK_CIPHER_SUITE
331			/* ECDSA signature is two DER INTEGER values. Either integer could result
332			in the high bit being set which is interpreted as a negative number
333			unless proceeded by a 0x0 byte. MatrixSSL predicts one of the two will
334			be negative when creating the empty buffer spot where the signature
335			will be written. If this guess isn't correct, this function is called
336			to correct the buffer size */
337	0		static int accountForEcdsaSizeChange(ssl_t ssl, pkaAfter_t pka, int real,
338			unsigned char sig, psBuf_t out, int hsMsg)
339			{
340			flightEncode_t *flightMsg;
341			unsigned char whereToMoveFrom, whereToMoveTo, *msgLenLoc;
342			int howMuchToMove, howFarToMove, msgLen, addOrSub;
343			int sigSizeChange, newPadLen;
344
345	0	0	if (real > pka->user)
346			{
347			/* ECDSA SIGNATURE IS LONGER THAN DEFAULT */
348	0		addOrSub = 1;
349			/* Push outbuf backwards */
350	0		sigSizeChange = real - pka->user;
351			}
352			else
353			{
354			/* ECDSA SIGNATURE IS SHORTER THAN DEFAULT */
355	0		addOrSub = 0;
356			/* Pull outbuf forward */
357	0		sigSizeChange = pka->user - real;
358			}
359			# ifdef USE_DTLS
360			if (ssl->flags & SSL_FLAGS_DTLS)
361			{
362			/* Needed somewhere to store the size change for DTLS retransmits */
363			ssl->ecdsaSizeChange = real - pka->user;
364			}
365			# endif
366	0	0	if (sigSizeChange > 12)
367			{
368			/* Sanity */
369			psTraceIntInfo("ECDSA sig length change too big: %d\n", sigSizeChange);
370	0		return MATRIXSSL_ERROR;
371			}
372			/* Get the flightEncode for this message early because the
373			distance to shift things could depend on the padding bytes in
374			addition to the basic ECDSA mismatch if we are rehandshaking */
375	0		flightMsg = ssl->flightEncode;
376	0	0	while (flightMsg != NULL && flightMsg->hsMsg != hsMsg)
		0
377			{
378	0		flightMsg = flightMsg->next;
379			}
380	0	0	if (flightMsg == NULL)
381			{
382	0		return MATRIXSSL_ERROR;
383			}
384
385	0	0	if ((ssl->flags & SSL_FLAGS_WRITE_SECURE) && (ssl->enBlockSize > 1))
		0
386			{
387			/* rehandshaking with block cipher */
388	0		msgLen = (flightMsg->messageSize - ssl->recordHeadLen) -
389	0		flightMsg->padLen;
390	0	0	if (addOrSub)
391			{
392	0		msgLen += sigSizeChange;
393			}
394			else
395			{
396	0		msgLen -= sigSizeChange;
397			}
398	0	0	newPadLen = psPadLenPwr2(msgLen, ssl->enBlockSize);
399	0		flightMsg->padLen = newPadLen;
400	0		msgLen += newPadLen + ssl->recordHeadLen;
401
402	0	0	if (flightMsg->messageSize >= msgLen)
403			{
404	0		howFarToMove = flightMsg->messageSize - msgLen;
405			}
406			else
407			{
408	0		howFarToMove = msgLen - flightMsg->messageSize;
409			}
410			}
411			else
412			{
413	0		howFarToMove = sigSizeChange;
414			}
415
416	0		howMuchToMove = out->end - (pka->outbuf + pka->user);
417	0	0	psAssert(howMuchToMove > 0);
418	0		whereToMoveFrom = pka->outbuf + pka->user;
419
420	0	0	if (addOrSub)
421			{
422	0		whereToMoveTo = whereToMoveFrom + howFarToMove;
423			/* enough room to push into? Extra two bytes should already
424			have been accounted for but this is still nice for sanity */
425	0	0	if (((out->start + out->size) - out->end) < howFarToMove)
426			{
427	0		return MATRIXSSL_ERROR;
428			}
429			}
430			else
431			{
432	0		whereToMoveTo = whereToMoveFrom - howFarToMove;
433			}
434	0		memmove(whereToMoveTo, whereToMoveFrom, howMuchToMove);
435	0	0	if (addOrSub)
436			{
437	0		out->end += howFarToMove;
438	0		flightMsg->len += sigSizeChange;
439	0		flightMsg->messageSize += howFarToMove;
440			}
441			else
442			{
443	0		out->end -= howFarToMove;
444	0		flightMsg->len -= sigSizeChange;
445	0		flightMsg->messageSize -= howFarToMove;
446			}
447			/* Now put in ECDSA sig */
448	0		memcpy(pka->outbuf, sig, real);
449
450			/* Now update the record message length - We can use the
451			flightEncode entry to help us find the handshake header
452			start. The record header len is only 2 bytes behind here...
453			subtract nonce for AEAD */
454	0		msgLenLoc = flightMsg->start - 2;
455	0		msgLen = flightMsg->messageSize - ssl->recordHeadLen;
456
457	0	0	if ((ssl->flags & SSL_FLAGS_WRITE_SECURE) &&
		0
458	0		(ssl->flags & SSL_FLAGS_AEAD_W))
459			{
460	0	0	msgLenLoc -= AEAD_NONCE_LEN(ssl);
461			}
462
463	0		msgLenLoc[0] = msgLen >> 8;
464	0		msgLenLoc[1] = msgLen;
465
466			/* Now update the handshake header length with same techique. */
467	0		msgLenLoc = flightMsg->start + 1; /* Skip hsType byte */
468	0		msgLen = flightMsg->len - ssl->hshakeHeadLen;
469			# ifdef USE_TLS_1_1
470			/* Account for explicit IV in TLS_1_1 and above. */
471	0	0	if ((ssl->flags & SSL_FLAGS_WRITE_SECURE) &&
		0
472	0	0	(ssl->flags & SSL_FLAGS_TLS_1_1) && (ssl->enBlockSize > 1))
473			{
474	0		msgLen -= ssl->enBlockSize;
475	0		msgLenLoc += ssl->enBlockSize;
476			}
477			# endif
478
479			# ifdef USE_DTLS
480			if (ssl->flags & SSL_FLAGS_DTLS)
481			{
482			/* Will also be a fragment length to update in handshake header.
483			Only supporting if there is no fragmentation here. The magic
484			5 is skipping over the 3 byte length iteself, 2 byte sequence
485			and 3 byte offset */
486			if (memcmp(msgLenLoc, msgLenLoc + 8, 3) != 0)
487			{
488			psTraceInfo("ERROR: ECDSA SKE DTLS fragmentation unsupported\n");
489			return MATRIXSSL_ERROR;
490			}
491			}
492			# endif
493
494	0		msgLenLoc[0] = msgLen >> 16;
495	0		msgLenLoc[1] = msgLen >> 8;
496	0		msgLenLoc[2] = msgLen;
497
498			# ifdef USE_DTLS
499			if (ssl->flags & SSL_FLAGS_DTLS)
500			{
501			/* Update the fragLen as well. Sanity test was performed above */
502			msgLenLoc[8] = msgLen >> 16;
503			msgLenLoc[9] = msgLen >> 8;
504			msgLenLoc[10] = msgLen;
505			}
506			# endif
507
508			/* All messages that follow in the flight have to be updated now */
509	0		flightMsg = flightMsg->next;
510	0	0	while (flightMsg != NULL)
511			{
512	0	0	if (addOrSub)
513			{
514	0		flightMsg->start += howFarToMove;
515	0	0	if (flightMsg->seqDelay)
516			{
517	0		flightMsg->seqDelay += howFarToMove;
518			}
519			}
520			else
521			{
522	0		flightMsg->start -= howFarToMove;
523	0	0	if (flightMsg->seqDelay)
524			{
525	0		flightMsg->seqDelay -= howFarToMove;
526			}
527			}
528	0	0	if (flightMsg->hsMsg == SSL_HS_FINISHED)
529			{
530			/* The finished message has set aside a pointer as well */
531	0	0	if (addOrSub)
532			{
533	0		ssl->delayHsHash += howFarToMove;
534			}
535			else
536			{
537	0		ssl->delayHsHash -= howFarToMove;
538			}
539			}
540	0		flightMsg = flightMsg->next;
541			}
542	0		return PS_SUCCESS;
543			}
544			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
545			# endif /* USE_SERVER_SIDE_SSL \|\| USE_CLIENT_AUTH */
546			# endif /* USE_ECC */
547
548			# ifdef USE_SERVER_SIDE_SSL
549			/* The ServerKeyExchange delayed PKA op */
550	1146		static int32 nowDoSkePka(ssl_t ssl, psBuf_t out)
551			{
552	1146		int32_t rc = PS_SUCCESS;
553
554			# ifndef USE_ONLY_PSK_CIPHER_SUITE
555			pkaAfter_t *pka;
556			# if defined(USE_ECC_CIPHER_SUITE) \|\| defined(USE_RSA_CIPHER_SUITE)
557	1146		psPool_t *pkiPool = NULL;
558			# endif /* USE_ECC_CIPHER_SUITE \|\| USE_RSA_CIPHER_SUITE */
559
560			# ifdef USE_DTLS
561			if (ssl->flags & SSL_FLAGS_DTLS)
562			{
563			if (ssl->retransmit)
564			{
565			/* Was already copied out in writeServerKeyExchange */
566			/* Would not expect to see this because pkaAfter.type should
567			never be set */
568			return PS_SUCCESS;
569			}
570			}
571			# endif /* USE_DTLS */
572
573			/* Always first one. clearPkaAfter will move 1 to 0 if needed */
574	1146		pka = &ssl->pkaAfter[0];
575
576			# ifdef USE_RSA_CIPHER_SUITE
577	1146	50	if (pka->type == PKA_AFTER_RSA_SIG_GEN_ELEMENT \|\|
		0
578	0		pka->type == PKA_AFTER_RSA_SIG_GEN)
579			{
580
581			# ifdef USE_TLS_1_2
582	1146	50	if (ssl->flags & SSL_FLAGS_TLS_1_2)
583			{
584	1146	50	if ((rc = privRsaEncryptSignedElement(pkiPool,
585	1146		&ssl->keys->privKey.key.rsa,
586	2292		pka->inbuf, pka->inlen, pka->outbuf,
587	1146		ssl->keys->privKey.keysize, pka->data)) < 0)
588			{
589	0	0	if (rc != PS_PENDING)
590			{
591			psTraceIntInfo("Unable to sign SKE digital element %d\n",
592			rc);
593	0		return MATRIXSSL_ERROR;
594			}
595			/* If the result is going directly inline to the output
596			buffer we unflag 'type' so this function isn't called
597			again on the way back around. Also, we can safely
598			free inbuf because it has been copied out */
599	0		psFree(pka->inbuf, ssl->hsPool); pka->inbuf = NULL;
600	0		pka->type = 0;
601	0		return PS_PENDING;
602			}
603			}
604			else
605			{
606	0	0	if ((rc = psRsaEncryptPriv(pkiPool, &ssl->keys->privKey.key.rsa, pka->inbuf,
607	0		pka->inlen, pka->outbuf, ssl->keys->privKey.keysize,
608			pka->data)) < 0)
609			{
610	0	0	if (rc != PS_PENDING)
611			{
612			psTraceInfo("Unable to sign SERVER_KEY_EXCHANGE message\n");
613	0		return MATRIXSSL_ERROR;
614			}
615			/* If the result is going directly inline to the output
616			buffer we unflag 'type' so this function isn't called
617			again on the way back around. Also, we can safely free
618			inbuf becuase it has been copied out */
619	0		psFree(pka->inbuf, ssl->hsPool); pka->inbuf = NULL;
620	0		pka->type = 0;
621	0		return PS_PENDING;
622			}
623			}
624			# else /* !USE_TLS_1_2 */
625			if ((rc = psRsaEncryptPriv(pkiPool, &ssl->keys->privKey.key.rsa, pka->inbuf,
626			pka->inlen, pka->outbuf, ssl->keys->privKey.keysize,
627			pka->data)) < 0)
628			{
629			if (rc != PS_PENDING)
630			{
631			psTraceInfo("Unable to sign SERVER_KEY_EXCHANGE message\n");
632			return MATRIXSSL_ERROR;
633			}
634			/* If the result is going directly inline to the output
635			buffer we unflag 'type' so this function isn't called
636			again on the way back around */
637			psFree(pka->inbuf, ssl->hsPool); pka->inbuf = NULL;
638			pka->type = 0;
639			return PS_PENDING;
640			}
641			# endif /* USE_TLS_1_2 */
642
643
644			# ifdef USE_DTLS
645			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 0))
646			{
647			/* Using existing ckeMsg and ckeSize that clients are using but
648			this should be totally fine on the server side because it is
649			freed at FINISHED parse */
650			ssl->ckeSize = ssl->keys->privKey.keysize;
651			if ((ssl->ckeMsg = psMalloc(ssl->hsPool, ssl->ckeSize)) == NULL)
652			{
653			psTraceInfo("Memory allocation error ckeMsg\n");
654			return PS_MEM_FAIL;
655			}
656			memcpy(ssl->ckeMsg, pka->outbuf, ssl->ckeSize);
657			}
658			# endif /* USE_DTLS */
659
660	1146		clearPkaAfter(ssl); /* Blocking success case */
661			}
662			# endif /* USE_RSA_CIPHER_SUITE */
663
664			# ifdef USE_ECC_CIPHER_SUITE
665	1146	50	if (pka->type == PKA_AFTER_ECDSA_SIG_GEN)
666			{
667
668			int32_t err;
669			psSize_t len;
670			/* New temp location for ECDSA sig which can be one len byte different
671			than what we originally calculated (pka->user is holding) */
672			unsigned char *tmpEcdsa;
673
674			/* Only need to allocate 1 larger because 1 has already been added
675			at creation */
676	0	0	if ((tmpEcdsa = psMalloc(ssl->hsPool, pka->user + 1)) == NULL)
677			{
678	0		return PS_MEM_FAIL;
679			}
680
681	0		len = pka->user + 1;
682
683			# ifdef USE_DTLS
684			ssl->ecdsaSizeChange = 0;
685			# endif
686	0	0	if ((err = psEccDsaSign(pkiPool, &ssl->keys->privKey.key.ecc,
687	0		pka->inbuf, pka->inlen, tmpEcdsa, &len, 1, pka->data)) != 0)
688			{
689			/* DO NOT close pool (unless failed). It is kept around in
690			pkaCmdInfo for result until finished and is closed there */
691	0	0	if (err != PS_PENDING)
692			{
693	0		psFree(tmpEcdsa, ssl->hsPool);
694	0		return MATRIXSSL_ERROR;
695			}
696
697			/* ASYNC: tmpEcdsa is not saved as output location so correct to
698			free here */
699	0		psFree(tmpEcdsa, ssl->hsPool);
700	0		return PS_PENDING;
701			}
702	0	0	if (len != pka->user)
703			{
704			/* Confirmed ECDSA is not default size */
705	0	0	if (accountForEcdsaSizeChange(ssl, pka, len, tmpEcdsa, out,
706			SSL_HS_SERVER_KEY_EXCHANGE) < 0)
707			{
708	0		clearPkaAfter(ssl);
709	0		psFree(tmpEcdsa, ssl->hsPool);
710	0		return MATRIXSSL_ERROR;
711			}
712			}
713			else
714			{
715	0		memcpy(pka->outbuf, tmpEcdsa, pka->user);
716			}
717	0		psFree(tmpEcdsa, ssl->hsPool);
718
719			# ifdef USE_DTLS
720			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 0))
721			{
722			/* ECC signatures have random bytes so need to save aside for
723			retransmit cases. Using existing ckeMsg and ckeSize that
724			clients are using but this should be totally fine on the
725			server side because it is freed at FINISHED parse */
726			ssl->ckeSize = len;
727			if ((ssl->ckeMsg = psMalloc(ssl->hsPool, ssl->ckeSize)) == NULL)
728			{
729			psTraceInfo("Memory allocation error ckeMsg\n");
730			return PS_MEM_FAIL;
731			}
732			memcpy(ssl->ckeMsg, pka->outbuf, ssl->ckeSize);
733			}
734			# endif /* USE_DTLS */
735
736	0		clearPkaAfter(ssl);
737			}
738			# endif /* USE_ECC_CIPHER_SUITE */
739			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
740	1146		return rc;
741			}
742			# endif /* USE_SERVER_SIDE_SSL */
743
744
745			# ifdef USE_CLIENT_SIDE_SSL
746
747			/*********/
748			/* A test feature to allow clients to reuse the CKE RSA encryption output
749			for each connection to remove the CPU overhead of pubkey operation when
750			testing against high performance servers. The same premaster must be
751			used each time as well though. */
752			/* #define REUSE_CKE */
753			# ifdef REUSE_CKE
754			# pragma message("!! DO NOT USE REUSE_CKE IN PRODUCTION !!")
755			static char g_reusePremaster[SSL_HS_RSA_PREMASTER_SIZE] = { 0 };
756			static int16 g_reusePreLen = 0;
757			static char g_reuseRSAEncrypt[512] = { 0 }; /* Encrypted pre-master */
758			static int16 g_reuseRSALen = 0;
759			static psRsaKey_t g_reuseRSAKey;
760			# endif
761			/*********/
762
763			/* The ClientKeyExchange delayed PKA ops */
764	1058		static int32 nowDoCkePka(ssl_t *ssl)
765			{
766	1058		int32 rc = PS_FAIL;
767			pkaAfter_t *pka;
768
769			# ifdef REQUIRE_DH_PARAMS
770	1058		uint8_t cleared = 0;
771			# endif
772
773			# ifdef USE_DTLS
774			if (ssl->flags & SSL_FLAGS_DTLS)
775			{
776			if (ssl->retransmit)
777			{
778			/* Was already copied out in writeClientKeyExchange */
779			/* In fact, would not expect to hit this because pkaAfter.type
780			should never be set to re-enter this routine */
781			psAssert(0);
782			return PS_SUCCESS;
783			}
784			}
785			# endif /* USE_DTLS */
786
787			/* Always the first one. clearPkaAfter will move 1 to 0 if needed */
788	1058		pka = &ssl->pkaAfter[0];
789
790			/* The flags logic is used for the cipher type and then the pkaAfter.type
791			value is validated */
792			# ifdef USE_DHE_CIPHER_SUITE
793	1058	100	if (ssl->flags & SSL_FLAGS_DHE_KEY_EXCH)
794			{
795
796			# ifdef USE_ECC_CIPHER_SUITE
797	1057	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
798			{
799			/* ECDHE suite */
800	1057	50	psAssert(pka->outbuf == ssl->sec.premaster);
801	1057	50	if (pka->type == PKA_AFTER_ECDH_SECRET_GEN)
802			{
803	1057	50	if ((rc = psEccGenSharedSecret(ssl->sec.eccDhKeyPool,
804	1057		ssl->sec.eccKeyPriv, ssl->sec.eccKeyPub,
805			ssl->sec.premaster, &ssl->sec.premasterSize,
806			pka->data)) < 0)
807			{
808	0	0	if (rc != PS_PENDING)
809			{
810	0		psFree(ssl->sec.premaster, ssl->hsPool);
811	0		ssl->sec.premaster = NULL;
812	0		return MATRIXSSL_ERROR;
813			}
814	0		pka->type = PKA_AFTER_ECDH_SECRET_GEN_DONE; /* Bypass next*/
815	0		return rc;
816			}
817			}
818	1057		clearPkaAfter(ssl);
819	1057		psEccDeleteKey(&ssl->sec.eccKeyPub);
820	1057		psEccDeleteKey(&ssl->sec.eccKeyPriv);
821			}
822			else
823			{
824			# endif /* USE_ECC_CIPHER_SUITE */
825
826			# ifdef REQUIRE_DH_PARAMS
827
828	0	0	psAssert(pka->outbuf == ssl->sec.premaster);
829	0	0	psAssert(pka->type == PKA_AFTER_DH_KEY_GEN);
830
831	0	0	if ((rc = psDhGenSharedSecret(ssl->sec.dhKeyPool,
832	0		ssl->sec.dhKeyPriv, ssl->sec.dhKeyPub, ssl->sec.dhP,
833	0		ssl->sec.dhPLen, ssl->sec.premaster,
834			&ssl->sec.premasterSize, pka->data)) < 0)
835			{
836
837	0	0	if (rc != PS_PENDING)
838			{
839	0		return MATRIXSSL_ERROR;
840			}
841	0		return rc;
842			}
843
844			# ifdef USE_PSK_CIPHER_SUITE
845			/* DHE PSK ciphers make dual use of the pkaAfter storage */
846	0	0	if (!(ssl->flags & SSL_FLAGS_PSK_CIPHER))
847			{
848	0	0	if (cleared == 0)
849			{
850	0		clearPkaAfter(ssl); cleared = 1;
851			}
852			}
853			# else
854			if (cleared == 0)
855			{
856			clearPkaAfter(ssl); cleared = 1;
857			}
858			# endif
859
860	0		psFree(ssl->sec.dhP, ssl->hsPool);
861	0		ssl->sec.dhP = NULL; ssl->sec.dhPLen = 0;
862	0		psDhClearKey(ssl->sec.dhKeyPub);
863	0		psFree(ssl->sec.dhKeyPub, ssl->hsPool);
864	0		ssl->sec.dhKeyPub = NULL;
865	0		psDhClearKey(ssl->sec.dhKeyPriv);
866	0		psFree(ssl->sec.dhKeyPriv, ssl->sec.dhKeyPool);
867	0		ssl->sec.dhKeyPriv = NULL;
868
869			# ifdef USE_PSK_CIPHER_SUITE
870	0	0	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
871			{
872
873			unsigned char *pskKey;
874			uint8_t pskIdLen;
875
876			/* RFC4279: The premaster secret is formed as follows.
877			First, perform the Diffie-Hellman computation in the same way
878			as for other Diffie-Hellman-based ciphersuites. Let Z be the
879			value produced by this computation. Concatenate a uint16
880			containing the length of Z (in octets), Z itself, a uint16
881			containing the length of the PSK (in octets), and the PSK itself.
882
883			The pskId is held in the pkaAfter inbuf */
884	0		matrixSslPskGetKey(ssl, pka->inbuf, pka->inlen, &pskKey,
885			&pskIdLen);
886	0	0	if (pskKey == NULL)
887			{
888	0		psFree(ssl->sec.premaster, ssl->hsPool);
889	0		ssl->sec.premaster = NULL;
890	0		return MATRIXSSL_ERROR;
891			}
892			/* Need to prepend a psSize_t length to the premaster key. */
893	0		memmove(&ssl->sec.premaster[2], ssl->sec.premaster,
894	0		ssl->sec.premasterSize);
895	0		ssl->sec.premaster[0] = (ssl->sec.premasterSize & 0xFF00) >> 8;
896	0		ssl->sec.premaster[1] = (ssl->sec.premasterSize & 0xFF);
897			/* Next, uint8_t length of PSK and key itself */
898	0		ssl->sec.premaster[ssl->sec.premasterSize + 2] = 0;
899	0		ssl->sec.premaster[ssl->sec.premasterSize + 3] =
900			(pskIdLen & 0xFF);
901	0		memcpy(&ssl->sec.premaster[ssl->sec.premasterSize + 4], pskKey,
902			pskIdLen);
903			/* Lastly, adjust the premasterSize */
904	0		ssl->sec.premasterSize += pskIdLen + 4;
905			}
906	0	0	if (cleared == 0)
907			{
908	1057		clearPkaAfter(ssl); cleared = 1; /* Standard and PSK DHE */
909			}
910			# else
911			if (cleared == 0)
912			{
913			clearPkaAfter(ssl); cleared = 1; /* Standard DHE, PSK disabled*/
914			}
915			# endif /* PSK */
916
917			# endif /* REQUIRE_DH_PARAMS */
918
919			# ifdef USE_ECC_CIPHER_SUITE
920			}
921			# endif /* USE_ECC_CIPHER_SUITE */
922
923			}
924			else
925			{
926			# endif /* USE_DHE_CIPHER_SUITE */
927
928			/* Else case for non-DHE, which still could mean ECDH static or
929			standard RSA */
930			# ifdef USE_ECC_CIPHER_SUITE
931	1	50	if (ssl->cipher->type == CS_ECDH_ECDSA \|\|
		50
932	1		ssl->cipher->type == CS_ECDH_RSA)
933			{
934
935			/* This case is unique becuase it has two PKA ops for a single CKE
936			message. The key generation is done and then secret is
937			generated. The 'type' will change after the first one */
938
939	0	0	if (pka->type == PKA_AFTER_ECDH_KEY_GEN)
940			{
941	0	0	if (psEccNewKey(pka->pool, &ssl->sec.eccKeyPriv,
942	0		ssl->sec.cert->publicKey.key.ecc.curve) < 0)
943			{
944	0		return PS_MEM_FAIL;
945			}
946	0	0	if ((rc = matrixSslGenEphemeralEcKey(ssl->keys,
947			ssl->sec.eccKeyPriv,
948	0		ssl->sec.cert->publicKey.key.ecc.curve,
949			pka->data)) < 0)
950			{
951
952	0	0	if (rc == PS_PENDING)
953			{
954	0		return rc;
955			}
956	0		psEccDeleteKey(&ssl->sec.eccKeyPriv);
957			psTraceInfo("GenEphemeralEcc failed\n");
958	0		ssl->err = SSL_ALERT_INTERNAL_ERROR;
959	0		return MATRIXSSL_ERROR;
960			}
961
962			/* key len must be valid */
963	0	0	if (psEccX963ExportKey(ssl->hsPool, ssl->sec.eccKeyPriv,
964	0		pka->outbuf, &pka->user) < 0)
965			{
966			psTraceInfo("psEccX963ExportKey in CKE failed\n");
967	0		return MATRIXSSL_ERROR;
968			}
969			/* Does written len equal stated len? */
970	0	0	psAssert(pka->user == (int32) * (pka->outbuf - 1));
971
972			# ifdef USE_DTLS
973			/* Save aside for retransmits */
974			if (ssl->flags & SSL_FLAGS_DTLS)
975			{
976			ssl->ckeSize = pka->user + 1; /* The size is wrote first */
977			ssl->ckeMsg = psMalloc(ssl->hsPool, ssl->ckeSize);
978			if (ssl->ckeMsg == NULL)
979			{
980			return SSL_MEM_ERROR;
981			}
982			ssl->ckeMsg[0] = pka->user & 0xFF;
983			memcpy(ssl->ckeMsg + 1, pka->outbuf, ssl->ckeSize - 1);
984			}
985			# endif /* USE_DTLS */
986
987			/* NOTE: Do not clearPkaAfter. We will just use the current
988			context since there is no special state data required
989			for this next EccGenSharedSecret call. We don't clear
990			because the certificateVerify info might be sitting in the
991			second pkaAfter slot */
992			/* Set for the next operation now using same pkaAfter slot */
993	0		pka->type = PKA_AFTER_ECDH_SECRET_GEN;
994			}
995
996			/* Second PKA operation */
997	0	0	if (pka->type == PKA_AFTER_ECDH_SECRET_GEN)
998			{
999
1000	0	0	if ((rc = psEccGenSharedSecret(pka->pool,
1001	0		ssl->sec.eccKeyPriv, &ssl->sec.cert->publicKey.key.ecc,
1002			ssl->sec.premaster, &ssl->sec.premasterSize,
1003			pka->data)) < 0)
1004			{
1005	0	0	if (rc == PS_PENDING)
1006			{
1007	0		pka->type = PKA_AFTER_ECDH_SECRET_GEN_DONE; /* Bypass */
1008	0		return rc;
1009			}
1010	0		psFree(ssl->sec.premaster, ssl->hsPool);
1011	0		ssl->sec.premaster = NULL;
1012	0		return MATRIXSSL_ERROR;
1013			}
1014			}
1015			/* Successfully completed both PKA operations and key write */
1016	0		psEccDeleteKey(&ssl->sec.eccKeyPriv);
1017	0		clearPkaAfter(ssl);
1018
1019			}
1020			else
1021			{
1022			# endif /* USE_ECC_CIPHER_SUITE */
1023
1024			# ifdef USE_RSA_CIPHER_SUITE
1025			/* Standard RSA suite entry point */
1026	1	50	psAssert(pka->type == PKA_AFTER_RSA_ENCRYPT);
1027
1028			# ifdef REUSE_CKE
1029			if (g_reusePreLen)
1030			{
1031			if (psRsaCmpPubKey(&g_reuseRSAKey, &ssl->sec.cert->publicKey.key.rsa) == 0)
1032			{
1033			memcpy(ssl->sec.premaster, g_reusePremaster, g_reusePreLen);
1034			memcpy(pka->outbuf, g_reuseRSAEncrypt, g_reuseRSALen);
1035			}
1036			else
1037			{
1038			memzero_s(g_reusePremaster, g_reusePreLen);
1039			g_reusePreLen = 0;
1040			memzero_s(g_reuseRSAEncrypt, g_reuseRSALen);
1041			g_reuseRSALen = 0;
1042			psRsaClearKey(&g_reuseRSAKey);
1043			}
1044			}
1045			else
1046			{
1047			# endif
1048			/* pkaAfter.user is buffer len */
1049	1	50	if ((rc = psRsaEncryptPub(pka->pool,
1050	1		&ssl->sec.cert->publicKey.key.rsa,
1051	2		ssl->sec.premaster, ssl->sec.premasterSize, pka->outbuf,
1052	1		pka->user, pka->data)) < 0)
1053			{
1054	0	0	if (rc == PS_PENDING)
1055			{
1056			/* For these ClientKeyExchange paths, we do want to come
1057			back through nowDoCkePka for a double pass so each
1058			case can manage its own pkaAfter and to make sure
1059			psX509FreeCert and sslCreateKeys() are hit below. */
1060	0		return rc;
1061			}
1062			psTraceIntInfo("psRsaEncryptPub in CKE failed %d\n", rc);
1063	0		return MATRIXSSL_ERROR;
1064			}
1065			# ifdef REUSE_CKE
1066			}
1067			if (g_reusePreLen == 0)
1068			{
1069			printf("REUSE_CKE ENABLED!! NOT FOR PRODUCTION USE\n");
1070			g_reusePreLen = ssl->sec.premasterSize;
1071			g_reuseRSALen = psRsaSize(&ssl->sec.cert->publicKey.key.rsa);
1072			memcpy(g_reusePremaster, ssl->sec.premaster, g_reusePreLen);
1073			memcpy(g_reuseRSAEncrypt, pka->outbuf, g_reuseRSALen);
1074			/* TODO this key is allocated once and leaked */
1075			if (psRsaCopyKey(&g_reuseRSAKey, &ssl->sec.cert->publicKey.key.rsa) < 0)
1076			{
1077			return MATRIXSSL_ERROR;
1078			}
1079			}
1080			# endif
1081			/* RSA closed the pool on second pass */
1082			/* CHANGE NOTE: This comment looks specific to async and this
1083			pool is not being closed in clearPkaAfter if set to NULL here
1084			on the normal case. So commenting this line out for now */
1085			/* pka->pool = NULL; */
1086			# ifdef USE_DTLS
1087			/* This was first pass for DH ckex so set it aside */
1088
1089			if (ssl->flags & SSL_FLAGS_DTLS)
1090			{
1091
1092			ssl->ckeMsg = psMalloc(ssl->hsPool, pka->user);
1093			if (ssl->ckeMsg == NULL)
1094			{
1095			return SSL_MEM_ERROR;
1096			}
1097			ssl->ckeSize = pka->user;
1098			memcpy(ssl->ckeMsg, pka->outbuf, pka->user);
1099			}
1100			# endif /* USE_DTLS */
1101	1		clearPkaAfter(ssl);
1102			# else /* RSA is the 'default' so if that didn't get hit there is a problem */
1103			psTraceInfo("There is no handler for writeClientKeyExchange. ERROR\n");
1104			return MATRIXSSL_ERROR;
1105			# endif /* USE_RSA_CIPHER_SUITE */
1106
1107
1108			# ifdef USE_ECC_CIPHER_SUITE
1109			}
1110			# endif /* USE_ECC_CIPHER_SUITE */
1111
1112			# ifdef USE_DHE_CIPHER_SUITE
1113			}
1114			# endif /* USE_DHE_CIPHER_SUITE */
1115
1116			/*
1117			Now that we've got the premaster secret, derive the various symmetric
1118			keys using it and the client and server random values.
1119
1120			However, if extended_master_secret is being used we must delay the
1121			master secret creation until the CKE handshake message has been added
1122			to the rolling handshake hash. Key generation will be done in encryptRecord
1123			*/
1124	1058	50	if (ssl->extFlags.extended_master_secret == 0)
1125			{
1126	0	0	if ((rc = sslCreateKeys(ssl)) < 0)
1127			{
1128	0		return rc;
1129			}
1130			}
1131
1132			# ifdef USE_DTLS
1133			/* Can't free cert in DTLS in case of retransmit */
1134			if (ssl->flags & SSL_FLAGS_DTLS)
1135			{
1136			return rc;
1137			}
1138			# endif
1139
1140			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1141			/* This used to be freed in writeFinished but had to stay around longer
1142			for key material in PKA after ops */
1143	1058	50	if (!(ssl->bFlags & BFLAG_KEEP_PEER_CERTS))
1144			{
1145	1058	50	if (ssl->sec.cert)
1146			{
1147	1058		psX509FreeCert(ssl->sec.cert);
1148	1058		ssl->sec.cert = NULL;
1149			}
1150			}
1151			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
1152
1153	1058		return rc;
1154			}
1155			# endif /* USE_CLIENT_SIDE_SSL */
1156
1157			/******************************************************************************/
1158			/*
1159			We indicate to the caller through return codes in sslDecode when we need
1160			to write internal data to the remote host. The caller will call this
1161			function to generate a message appropriate to our state.
1162			*/
1163	3360		int32 sslEncodeResponse(ssl_t ssl, psBuf_t out, uint32 *requiredLen)
1164			{
1165	3360		int32 messageSize = 0;
1166	3360		int32 rc = MATRIXSSL_ERROR;
1167			uint32 alertReqLen;
1168
1169			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
1170			int32 i;
1171			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1172			psX509Cert_t *cert;
1173			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
1174			# endif /* USE_SERVER_SIDE_SSL */
1175
1176			# if defined(USE_SERVER_SIDE_SSL)
1177			int32 extSize;
1178			int32 stotalCertLen;
1179			# endif
1180
1181			# ifdef USE_CLIENT_SIDE_SSL
1182			int32 ckeSize;
1183			# ifdef USE_CLIENT_AUTH
1184			int32 ctotalCertLen;
1185			# endif
1186			# endif /* USE_CLIENT_SIDE_SSL */
1187
1188			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1189			# if defined(USE_SERVER_SIDE_SSL) && defined(USE_CLIENT_AUTH)
1190			psX509Cert_t *CAcert;
1191	3360		int32 certCount = 0, certReqLen = 0, CAcertLen = 0;
1192			# endif /* USE_SERVER_SIDE_SSL && USE_CLIENT_AUTH */
1193			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
1194			# if defined(USE_SERVER_SIDE_SSL) && defined(USE_DHE_CIPHER_SUITE)
1195			int32 srvKeyExLen;
1196			# endif /* USE_SERVER_SIDE_SSL && USE_DHE_CIPHER_SUITE */
1197
1198			# ifdef USE_DTLS
1199			sslSessOpts_t options;
1200			memset(&options, 0x0, sizeof(sslSessOpts_t));
1201			# endif
1202
1203			/*
1204			We may be trying to encode an alert response if there is an error marked
1205			on the connection.
1206			*/
1207	3360	100	if (ssl->err != SSL_ALERT_NONE)
1208			{
1209	90		rc = writeAlert(ssl, SSL_ALERT_LEVEL_FATAL, (unsigned char) ssl->err,
1210			out, requiredLen);
1211	90	50	if (rc == MATRIXSSL_ERROR)
1212			{
1213			/* We'll be returning an error code from this call so the typical
1214			alert SEND_RESPONSE handler will not be hit to set this error
1215			flag for us. We do it ourself to prevent further session use
1216			and the result of this error will be that the connection is
1217			silently closed rather than this alert making it out */
1218	0		ssl->flags \|= SSL_FLAGS_ERROR;
1219			}
1220			# ifdef USE_SERVER_SIDE_SSL
1221			/*
1222			Writing a fatal alert on this session. Let's remove this client from
1223			the session table as a precaution. Additionally, if this alert is
1224			happening mid-handshake the master secret might not even be valid
1225			*/
1226	90	50	if (ssl->flags & SSL_FLAGS_SERVER)
1227			{
1228	0		matrixClearSession(ssl, 1);
1229			}
1230			# endif /* USE_SERVER_SIDE_SSL */
1231	90		return rc;
1232			}
1233
1234			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
1235			if (ssl->hwflags & SSL_HWFLAGS_PENDING_PKA_W &&
1236			ssl->extCvSigOpPending)
1237			{
1238			psAssert(ssl->extCvSigOpInUse);
1239			/* Case of delayed PKA operation in a flight WRITE */
1240			ssl->hwflags &= ~SSL_HWFLAGS_PENDING_PKA_W;
1241			goto resumeFlightEncryption;
1242			}
1243			# endif
1244
1245			# ifdef USE_DTLS
1246			if (ssl->flags & SSL_FLAGS_DTLS)
1247			{
1248			/* This function takes care of writing out entire flights so we know
1249			to capture the current MSN and Epoch as the resends so that a
1250			resend of this flight will contain the identical MSN and Epoch
1251			for each resent message. */
1252			ssl->resendMsn = ssl->msn;
1253			ssl->resendEpoch[0] = ssl->epoch[0];
1254			ssl->resendEpoch[1] = ssl->epoch[1];
1255			}
1256			# endif /* USE_DTLS */
1257
1258			/*
1259			We encode a set of response messages based on our current state
1260			We have to pre-verify the size of the outgoing buffer against
1261			all the messages to make the routine transactional. If the first
1262			write succeeds and the second fails because of size, we cannot
1263			rollback the state of the cipher and MAC.
1264			*/
1265	3270		switch (ssl->hsState)
1266			{
1267			/*
1268			If we're waiting for the ClientKeyExchange message, then we need to
1269			send the messages that would prompt that result on the client
1270			*/
1271			# ifdef USE_SERVER_SIDE_SSL
1272			case SSL_HS_CLIENT_KEY_EXCHANGE:
1273			# ifdef USE_CLIENT_AUTH
1274			/*
1275			This message is also suitable for the client authentication case
1276			where the server is in the CERTIFICATE state.
1277			*/
1278			case SSL_HS_CERTIFICATE:
1279			/*
1280			Account for the certificateRequest message if client auth is on.
1281			First two bytes are the certificate_types member (rsa_sign (1) and
1282			ecdsa_sign (64) are supported). Remainder of length is the
1283			list of BER encoded distinguished names this server is
1284			willing to accept children certificates of. If there
1285			are no valid CAs to work with, client auth can't be done.
1286			*/
1287			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1288	1151	50	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
1289			{
1290	0		CAcert = ssl->keys->CAcerts;
1291	0		certCount = certReqLen = CAcertLen = 0;
1292			# ifdef USE_TLS_1_2
1293	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
1294			{
1295			/* TLS 1.2 has a SigAndHashAlgorithm member in certRequest */
1296	0		certReqLen += 2;
1297			# ifdef USE_ECC
1298			# ifdef USE_SHA384
1299	0		certReqLen += 6;
1300			# else
1301			certReqLen += 4;
1302			# endif /* USE_SHA */
1303			# endif /* USE_ECC */
1304			# ifdef USE_RSA
1305			# ifdef USE_SHA384
1306	0		certReqLen += 6;
1307			# else
1308			certReqLen += 4;
1309			# endif /* USE_SHA */
1310			# endif /* USE_RSA */
1311			}
1312			# endif /* USE_TLS_1_2 */
1313
1314	0	0	if (CAcert)
1315			{
1316	0		certReqLen += 4 + ssl->recordHeadLen + ssl->hshakeHeadLen;
1317			# ifdef USE_ECC
1318	0		certReqLen += 1; /* Add on ECDSA_SIGN support */
1319			# endif /* USE_ECC */
1320	0	0	while (CAcert)
1321			{
1322	0		certReqLen += 2; /* 2 bytes for specifying each cert len */
1323	0		CAcertLen += CAcert->subject.dnencLen;
1324	0		CAcert = CAcert->next;
1325	0		certCount++;
1326			}
1327			# ifdef USE_DTLS
1328			/* if (ssl->flags & SSL_FLAGS_DTLS) { */
1329			/* if (certReqLen + CAcertLen > ssl->pmtu) { */
1330			/* / * Decrease the CA count or contact support if a */
1331			/* needed requirement * / */
1332			/* psTraceDtls("ERROR: No fragmentation support for "); */
1333			/* psTraceDtls("CERTIFICATE_REQUEST message/n"); */
1334			/* return MATRIXSSL_ERROR; */
1335			/* } */
1336			/* } */
1337			# endif
1338			}
1339			else
1340			{
1341			# ifdef SERVER_CAN_SEND_EMPTY_CERT_REQUEST
1342	0		certReqLen += 4 + ssl->recordHeadLen + ssl->hshakeHeadLen;
1343			# ifdef USE_ECC
1344	0		certReqLen += 1; /* Add on ECDSA_SIGN support */
1345			# endif /* USE_ECC */
1346			# else
1347			psTraceInfo("No server CAs loaded for client authentication\n");
1348			return MATRIXSSL_ERROR;
1349			# endif
1350			}
1351			}
1352			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
1353			# endif /* USE_CLIENT_AUTH */
1354
1355			# ifdef USE_DHE_CIPHER_SUITE
1356	1151		srvKeyExLen = 0;
1357	1151	100	if (ssl->flags & SSL_FLAGS_DHE_KEY_EXCH)
1358			{
1359			# ifdef USE_ECC_CIPHER_SUITE
1360	1150	50	if (!(ssl->flags & SSL_FLAGS_ECC_CIPHER))
1361			{
1362			# endif /* USE_ECC_CIPHER_SUITE */
1363			# ifdef REQUIRE_DH_PARAMS
1364			/*
1365			Extract p and g parameters from key to session context. Going
1366			to send these in the SERVER_KEY_EXCHANGE message. This is
1367			wrapped in a test of whether or not the values have already
1368			been extracted because an SSL_FULL scenario below will cause
1369			this code to be executed again with a larger buffer.
1370			*/
1371	0	0	if (ssl->sec.dhPLen == 0 && ssl->sec.dhP == NULL)
		0
1372			{
1373	0	0	if (psDhExportParameters(ssl->hsPool, &ssl->keys->dhParams,
1374			&ssl->sec.dhP, &ssl->sec.dhPLen,
1375			&ssl->sec.dhG, &ssl->sec.dhGLen) < 0)
1376			{
1377	0		return MATRIXSSL_ERROR;
1378			}
1379			}
1380			# endif
1381			# ifdef USE_ECC_CIPHER_SUITE
1382			}
1383			# endif /* USE_ECC_CIPHER_SUITE */
1384			# ifdef USE_ANON_DH_CIPHER_SUITE
1385	1150	50	if (ssl->flags & SSL_FLAGS_ANON_CIPHER)
1386			{
1387			/*
1388			If we are an anonymous cipher, we don't send the certificate.
1389			The messages are simply SERVER_HELLO, SERVER_KEY_EXCHANGE,
1390			and SERVER_HELLO_DONE
1391			*/
1392	0		stotalCertLen = 0;
1393
1394	0		srvKeyExLen = ssl->sec.dhPLen + 2 + ssl->sec.dhGLen + 2 +
1395	0		ssl->sec.dhKeyPriv->size + 2;
1396
1397			# ifdef USE_PSK_CIPHER_SUITE
1398	0	0	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
1399			{
1400			/*
1401			* struct {
1402			* select (KeyExchangeAlgorithm) {
1403			* case diffie_hellman_psk: * NEW *
1404			* opaque psk_identity_hint<0..2^16-1>;
1405			* ServerDHParams params;
1406			* };
1407			* } ServerKeyExchange;
1408			*/
1409			if (SSL_PSK_MAX_HINT_SIZE > 0)
1410			{
1411	0		srvKeyExLen += SSL_PSK_MAX_HINT_SIZE + 2;
1412			}
1413			}
1414			# endif /* USE_PSK_CIPHER_SUITE */
1415
1416	0		messageSize =
1417	0		3 * ssl->recordHeadLen +
1418	0		3 * ssl->hshakeHeadLen +
1419	0		38 + SSL_MAX_SESSION_ID_SIZE + /* server hello */
1420			srvKeyExLen; /* server key exchange */
1421
1422	0		messageSize += secureWriteAdditions(ssl, 3);
1423			}
1424			else
1425			{
1426			# endif /* USE_ANON_DH_CIPHER_SUITE */
1427
1428			# ifdef USE_ECC_CIPHER_SUITE
1429	1150	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
1430			{
1431	1150	50	if (ssl->flags & SSL_FLAGS_DHE_WITH_RSA)
1432			{
1433			/*
1434			Magic 7: 1byte ECCurveType named, 2bytes NamedCurve id
1435			1 byte pub key len, 2 byte privkeysize len,
1436			1 byte 0x04 inside the eccKey itself
1437			*/
1438	1150		srvKeyExLen = (ssl->sec.eccKeyPriv->curve->size * 2) + 7 +
1439	1150		ssl->keys->privKey.keysize;
1440			}
1441	0	0	else if (ssl->flags & SSL_FLAGS_DHE_WITH_DSA)
1442			{
1443			/* ExportKey plus signature */
1444	0		srvKeyExLen = (ssl->sec.eccKeyPriv->curve->size * 2) + 7 +
1445	0		6 + /* 6 = 2 ASN_SEQ, 4 ASN_BIG */
1446	0		ssl->keys->privKey.keysize;
1447	0	0	if (ssl->keys->privKey.keysize >= 128)
1448			{
1449	0		srvKeyExLen += 1; /* Extra len byte in ASN.1 sig */
1450			}
1451			/* NEGATIVE ECDSA - For purposes of SSL_FULL we
1452			add 2 extra bytes to account for the two possible
1453			0x0 bytes in signature */
1454	0		srvKeyExLen += 2;
1455			}
1456			# ifdef USE_TLS_1_2
1457	1150	50	if (ssl->flags & SSL_FLAGS_TLS_1_2)
1458			{
1459	1150		srvKeyExLen += 2; /* hashSigAlg */
1460			}
1461			# endif /* USE_TLS_1_2 */
1462			}
1463			else
1464			{
1465			# endif /* USE_ECC_CIPHER_SUITE */
1466			# ifdef REQUIRE_DH_PARAMS
1467			/*
1468			The AUTH versions of the DHE cipher suites include a
1469			signature value in the SERVER_KEY_EXCHANGE message.
1470			Account for that length here. Also, the CERTIFICATE
1471			message is sent in this flight as well for normal
1472			authentication.
1473			*/
1474	0		srvKeyExLen = ssl->sec.dhPLen + 2 + ssl->sec.dhGLen + 2 +
1475	0		ssl->sec.dhKeyPriv->size + 2 +
1476	0		ssl->keys->privKey.keysize + 2;
1477			# ifdef USE_TLS_1_2
1478	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
1479			{
1480	0		srvKeyExLen += 2; /* hashSigAlg */
1481			}
1482			# endif /* USE_TLS_1_2 */
1483
1484			# endif /* REQUIRE_DH_PARAMS */
1485			# ifdef USE_ECC_CIPHER_SUITE
1486			}
1487			# endif /* USE_ECC_CIPHER_SUITE */
1488	1150		stotalCertLen = i = 0;
1489			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1490	1150		cert = ssl->keys->cert;
1491	2300	100	for (i = 0; cert != NULL; i++)
1492			{
1493	1150		stotalCertLen += cert->binLen;
1494	1150		cert = cert->next;
1495			}
1496			/* Are we going to have to fragment the CERTIFICATE message? */
1497	1150	50	if ((stotalCertLen + 3 + (i * 3) + ssl->hshakeHeadLen) >
1498	1150		ssl->maxPtFrag)
1499			{
1500	0		stotalCertLen += addCertFragOverhead(ssl,
1501	0		stotalCertLen + 3 + (i * 3) + ssl->hshakeHeadLen);
1502			}
1503			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
1504	1150		messageSize =
1505	2300		4 * ssl->recordHeadLen +
1506	1150		4 * ssl->hshakeHeadLen +
1507			38 + SSL_MAX_SESSION_ID_SIZE + /* server hello */
1508			srvKeyExLen + /* server key exchange */
1509	1150		3 + (i * 3) + stotalCertLen; /* certificate */
1510			# ifdef USE_CLIENT_AUTH
1511			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1512	1150	50	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
1513			{
1514			/* Are we going to have to fragment the
1515			CERTIFICATE_REQUEST message? */
1516	0	0	if (certReqLen + CAcertLen > ssl->maxPtFrag)
1517			{
1518	0		certReqLen += addCertFragOverhead(ssl,
1519			certReqLen + CAcertLen);
1520			}
1521			/* Account for the CertificateRequest message */
1522	0		messageSize += certReqLen + CAcertLen;
1523	0		messageSize += secureWriteAdditions(ssl, 1);
1524			}
1525			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
1526			# endif /* USE_CLIENT_AUTH */
1527	1150		messageSize += secureWriteAdditions(ssl, 4);
1528			# ifdef USE_ANON_DH_CIPHER_SUITE
1529			}
1530			# endif /* USE_ANON_DH_CIPHER_SUITE */
1531			}
1532			else
1533			{
1534			# endif /* USE_DHE_CIPHER_SUITE */
1535			/*
1536			This is the entry point for a server encoding the first flight
1537			of a non-DH, non-client-auth handshake.
1538			*/
1539	1		stotalCertLen = 0;
1540			# ifdef USE_PSK_CIPHER_SUITE
1541	1	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
1542			{
1543			/*
1544			Omit the CERTIFICATE message but (possibly) including the
1545			SERVER_KEY_EXCHANGE.
1546			*/
1547	0		messageSize =
1548	0		2 * ssl->recordHeadLen +
1549	0		2 * ssl->hshakeHeadLen +
1550	0		38 + SSL_MAX_SESSION_ID_SIZE; /* server hello */
1551			if (SSL_PSK_MAX_HINT_SIZE > 0)
1552			{
1553	0		messageSize += 2 + SSL_PSK_MAX_HINT_SIZE + /* SKE */
1554	0		ssl->recordHeadLen + ssl->hshakeHeadLen;
1555			}
1556			else
1557			{
1558			/*
1559			Assuming 3 messages below when only two are going to exist
1560			*/
1561			messageSize -= secureWriteAdditions(ssl, 1);
1562			}
1563			}
1564			else
1565			{
1566			# endif
1567			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1568	1		cert = ssl->keys->cert;
1569	2	100	for (i = 0; cert != NULL; i++)
1570			{
1571	1	50	psAssert(cert->unparsedBin != NULL);
1572	1		stotalCertLen += cert->binLen;
1573	1		cert = cert->next;
1574			}
1575			/* Are we going to have to fragment the CERTIFICATE message? */
1576	1	50	if ((stotalCertLen + 3 + (i * 3) + ssl->hshakeHeadLen) >
1577	1		ssl->maxPtFrag)
1578			{
1579	0		stotalCertLen += addCertFragOverhead(ssl,
1580	0		stotalCertLen + 3 + (i * 3) + ssl->hshakeHeadLen);
1581			}
1582	1		messageSize =
1583	2		3 * ssl->recordHeadLen +
1584	1		3 * ssl->hshakeHeadLen +
1585			38 + SSL_MAX_SESSION_ID_SIZE + /* server hello */
1586	1		3 + (i * 3) + stotalCertLen; /* certificate */
1587			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
1588			# ifdef USE_PSK_CIPHER_SUITE
1589			}
1590			# endif /* USE_PSK_CIPHER_SUITE */
1591
1592			# ifdef USE_CLIENT_AUTH
1593			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1594	1	50	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
1595			{
1596			/* Are we going to have to fragment the CERTIFICATE_REQUEST
1597			message? This is the SSL fragment level */
1598	0	0	if (certReqLen + CAcertLen > ssl->maxPtFrag)
1599			{
1600	0		certReqLen += addCertFragOverhead(ssl,
1601			certReqLen + CAcertLen);
1602			}
1603	0		messageSize += certReqLen + CAcertLen; /* certificate request */
1604	0		messageSize += secureWriteAdditions(ssl, 1);
1605			# ifdef USE_DTLS
1606			if (ssl->flags & SSL_FLAGS_DTLS)
1607			{
1608			/* DTLS pmtu CERTIFICATE_REQUEST */
1609			messageSize += (MAX_FRAGMENTS - 1) *
1610			(ssl->recordHeadLen + ssl->hshakeHeadLen);
1611			if (ssl->flags & SSL_FLAGS_WRITE_SECURE)
1612			{
1613			messageSize += secureWriteAdditions(ssl,
1614			MAX_FRAGMENTS - 1);
1615			}
1616			}
1617			# endif /* USE_DTLS */
1618			}
1619			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
1620			# endif /* USE_CLIENT_AUTH */
1621
1622	1		messageSize += secureWriteAdditions(ssl, 3);
1623
1624			# ifdef USE_DHE_CIPHER_SUITE
1625			}
1626			# endif /* USE_DHE_CIPHER_SUITE */
1627
1628			# ifdef USE_DTLS
1629			if (ssl->flags & SSL_FLAGS_DTLS)
1630			{
1631			/*
1632			If DTLS, make sure the max fragment overhead is accounted for
1633			on any flight containing the CERTIFICATE message. If
1634			SSL_FULL is hit mid-flight creation, the updates that happen
1635			on the handshake hash on that first pass will really mess us up
1636			*/
1637			messageSize += (MAX_FRAGMENTS - 1) *
1638			(ssl->recordHeadLen + ssl->hshakeHeadLen);
1639			if (ssl->flags & SSL_FLAGS_WRITE_SECURE)
1640			{
1641			messageSize += secureWriteAdditions(ssl, MAX_FRAGMENTS - 1);
1642			}
1643			}
1644			# endif /* USE_DTLS */
1645
1646			/*
1647			Add extensions
1648			*/
1649	1151		extSize = 0; /* Two byte total length for all extensions */
1650	1151	50	if (ssl->maxPtFrag < SSL_MAX_PLAINTEXT_LEN)
1651			{
1652	0		extSize = 2;
1653	0		messageSize += 5; /* 2 type, 2 length, 1 value */
1654			}
1655
1656	1151	50	if (ssl->extFlags.truncated_hmac)
1657			{
1658	0		extSize = 2;
1659	0		messageSize += 4; /* 2 type, 2 length, 0 value */
1660			}
1661
1662	1151	50	if (ssl->extFlags.extended_master_secret)
1663			{
1664	1151		extSize = 2;
1665	1151		messageSize += 4; /* 2 type, 2 length, 0 value */
1666			}
1667
1668			# ifdef USE_OCSP
1669			/* If we are sending the OCSP status_request extension, we are also
1670			sending the CERTIFICATE_STATUS handshake message */
1671	1151	50	if (ssl->extFlags.status_request)
1672			{
1673	0		extSize = 2;
1674	0		messageSize += 4; /* 2 type, 2 length, 0 value */
1675
1676			/* And the handshake message oh. 1 type, 3 len, x OCSPResponse
1677			The status_request flag will only have been set if a
1678			ssl->keys->OCSPResponseBuf was present during extension parse */
1679	0		messageSize += ssl->hshakeHeadLen + ssl->recordHeadLen + 4 +
1680	0		ssl->keys->OCSPResponseBufLen;
1681	0		messageSize += secureWriteAdditions(ssl, 1);
1682			}
1683			# endif
1684
1685			#ifdef USE_SCT
1686	1151	50	if (ssl->extFlags.signed_certificate_timestamp) {
1687	0		extSize = 2;
1688	0		messageSize += 2 + 2 + 2 + ssl->keys->SCTResponseBufLen; /* 2 type, 2 length, data */
1689			}
1690			#endif
1691
1692			# ifdef USE_STATELESS_SESSION_TICKETS
1693	1151	50	if (ssl->sid &&
		0
1694	0		ssl->sid->sessionTicketState == SESS_TICKET_STATE_RECVD_EXT)
1695			{
1696	0		extSize = 2;
1697	0		messageSize += 4; /* 2 type, 2 length, 0 value */
1698			}
1699			# endif
1700	1151	50	if (ssl->extFlags.sni)
1701			{
1702	0		extSize = 2;
1703	0		messageSize += 4;
1704			}
1705
1706			# ifdef USE_ALPN
1707	1151	50	if (ssl->alpnLen)
1708			{
1709	0		extSize = 2;
1710	0		messageSize += 6 + 1 + ssl->alpnLen; /* 6 type/len + 1 len + data */
1711			}
1712			# endif
1713
1714			# ifdef ENABLE_SECURE_REHANDSHAKES
1715			/*
1716			The RenegotiationInfo extension lengths are well known
1717			*/
1718	1151	50	if (ssl->secureRenegotiationFlag == PS_TRUE &&
		100
1719	1151		ssl->myVerifyDataLen == 0)
1720			{
1721	1142		extSize = 2;
1722	1142		messageSize += 5; /* ff 01 00 01 00 */
1723			}
1724	9	50	else if (ssl->secureRenegotiationFlag == PS_TRUE &&
		50
1725	9		ssl->myVerifyDataLen > 0)
1726			{
1727	9		extSize = 2;
1728	9		messageSize += 5 + ssl->myVerifyDataLen +
1729	9		ssl->peerVerifyDataLen; /* 2 for total len, 5 for type+len */
1730			}
1731			# endif /* ENABLE_SECURE_REHANDSHAKES */
1732
1733			# ifdef USE_ECC_CIPHER_SUITE
1734			/*
1735			Server Hello ECC extension
1736			*/
1737	1151	100	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
1738			{
1739	1150		extSize = 2;
1740			/* EXT_ELLIPTIC_POINTS - hardcoded to 'uncompressed' support */
1741	1150		messageSize += 6; /* 00 0B 00 02 01 00 */
1742			}
1743			# endif /* USE_ECC_CIPHER_SUITE */
1744			/*
1745			Done with extensions. If had some, add the two byte total length
1746			*/
1747	1151		messageSize += extSize;
1748
1749	1151	100	if ((out->buf + out->size) - out->end < messageSize)
1750			{
1751	4		*requiredLen = messageSize;
1752	4		return SSL_FULL;
1753			}
1754			/*
1755			Message size complete. Begin the flight write
1756			*/
1757	1147		rc = writeServerHello(ssl, out);
1758
1759			# ifdef USE_DHE_CIPHER_SUITE
1760	1147	100	if (ssl->flags & SSL_FLAGS_DHE_KEY_EXCH)
1761			{
1762			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1763	1146	50	if (ssl->flags & SSL_FLAGS_DHE_WITH_RSA \|\|
		0
1764	0		ssl->flags & SSL_FLAGS_DHE_WITH_DSA)
1765			{
1766	1146	50	if (rc == MATRIXSSL_SUCCESS)
1767			{
1768	1146		rc = writeCertificate(ssl, out, 1);
1769			}
1770			# ifdef USE_OCSP
1771	1146	50	if (rc == MATRIXSSL_SUCCESS)
1772			{
1773	1146		rc = writeCertificateStatus(ssl, out);
1774			}
1775			# endif
1776			}
1777			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
1778	1146	50	if (rc == MATRIXSSL_SUCCESS)
1779			{
1780			# ifdef USE_ECC_CIPHER_SUITE
1781	1146	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
1782			{
1783	1146		rc = writeServerKeyExchange(ssl, out, 0, NULL, 0, NULL);
1784			}
1785			else
1786			{
1787			# endif /* USE_ECC_CIPHER_SUITE */
1788			# ifdef REQUIRE_DH_PARAMS
1789	1146		rc = writeServerKeyExchange(ssl, out, ssl->sec.dhPLen,
1790	0		ssl->sec.dhP, ssl->sec.dhGLen, ssl->sec.dhG);
1791			# endif /* REQUIRE_DH_PARAMS */
1792			# ifdef USE_ECC_CIPHER_SUITE
1793			}
1794			# endif /* USE_ECC_CIPHER_SUITE */
1795			}
1796			}
1797			else
1798			{
1799			# endif /* USE_DHE_CIPHER_SUITE */
1800			# ifdef USE_PSK_CIPHER_SUITE
1801	1	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
1802			{
1803	0	0	if (rc == MATRIXSSL_SUCCESS)
1804			{
1805	0		rc = writePskServerKeyExchange(ssl, out);
1806			}
1807			}
1808			else
1809			{
1810			# endif /* USE_PSK_CIPHER_SUITE */
1811			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1812	1	50	if (rc == MATRIXSSL_SUCCESS)
1813			{
1814	1		rc = writeCertificate(ssl, out, 1);
1815			}
1816			# ifdef USE_OCSP
1817	1	50	if (rc == MATRIXSSL_SUCCESS)
1818			{
1819	1		rc = writeCertificateStatus(ssl, out);
1820			}
1821			# endif
1822			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
1823			# ifdef USE_PSK_CIPHER_SUITE
1824			}
1825			# endif /* USE_PSK_CIPHER_SUITE */
1826			# ifdef USE_DHE_CIPHER_SUITE
1827			}
1828			# endif /* USE_DHE_CIPHER_SUITE */
1829
1830			# ifndef USE_ONLY_PSK_CIPHER_SUITE
1831			# ifdef USE_CLIENT_AUTH
1832	1147	50	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
1833			{
1834	0	0	if (rc == MATRIXSSL_SUCCESS)
1835			{
1836	0		rc = writeCertificateRequest(ssl, out, CAcertLen, certCount);
1837			}
1838			}
1839			# endif /* USE_CLIENT_AUTH */
1840			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
1841
1842	1147	50	if (rc == MATRIXSSL_SUCCESS)
1843			{
1844	1147		rc = writeServerHelloDone(ssl, out);
1845			}
1846	1147	50	if (rc == SSL_FULL)
1847			{
1848			psTraceInfo("Bad flight messageSize calculation");
1849	0		ssl->err = SSL_ALERT_INTERNAL_ERROR;
1850	0		out->end = out->start;
1851	0		alertReqLen = out->size;
1852			/* Going recursive */
1853	0		return sslEncodeResponse(ssl, out, &alertReqLen);
1854			}
1855	1147		break;
1856
1857			# ifdef USE_DTLS
1858			/*
1859			Got a cookie-less CLIENT_HELLO, need a HELLO_VERIFY_REQUEST message
1860			*/
1861			case SSL_HS_CLIENT_HELLO:
1862			messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
1863			DTLS_COOKIE_SIZE + 3;
1864			messageSize += secureWriteAdditions(ssl, 1);
1865
1866			if ((out->buf + out->size) - out->end < messageSize)
1867			{
1868			*requiredLen = messageSize;
1869			return SSL_FULL;
1870			}
1871			rc = writeHelloVerifyRequest(ssl, out);
1872			break;
1873			# endif /* USE_DTLS */
1874			# endif /* USE_SERVER_SIDE_SSL */
1875
1876			/*
1877			If we're not waiting for any message from client, then we need to
1878			send our finished message
1879			*/
1880			case SSL_HS_DONE:
1881	2118		messageSize = 2 * ssl->recordHeadLen +
1882	1059		ssl->hshakeHeadLen +
1883			1 + /* change cipher spec */
1884			MD5_HASH_SIZE + SHA1_HASH_SIZE; /* finished */
1885			/*
1886			Account for possible overhead in CCS message with secureWriteAdditions
1887			then always account for the encryption overhead on FINISHED message.
1888			Correct to use ssl->cipher values for mac and block since those will
1889			be the ones used when encrypting FINISHED
1890			*/
1891	1059		messageSize += secureWriteAdditions(ssl, 1);
1892	1059		messageSize += ssl->cipher->macSize + ssl->cipher->blockSize;
1893
1894			# if defined(USE_STATELESS_SESSION_TICKETS) && defined(USE_SERVER_SIDE_SSL)
1895	1059	100	if (ssl->flags & SSL_FLAGS_SERVER)
1896			{
1897	1057	50	if (ssl->sid &&
		0
1898	0		(ssl->sid->sessionTicketState == SESS_TICKET_STATE_RECVD_EXT))
1899			{
1900	0		messageSize += ssl->recordHeadLen +
1901	0		ssl->hshakeHeadLen + matrixSessionTicketLen() + 6;
1902			}
1903			}
1904			# endif
1905
1906			# ifdef USE_TLS
1907			/*
1908			Account for the smaller finished message size for TLS.
1909			*/
1910	1059	50	if (ssl->flags & SSL_FLAGS_TLS)
1911			{
1912	1059		messageSize += TLS_HS_FINISHED_SIZE -
1913			(MD5_HASH_SIZE + SHA1_HASH_SIZE);
1914			}
1915			# endif /* USE_TLS */
1916			# ifdef USE_TLS_1_1
1917			/*
1918			Adds explict IV overhead to the FINISHED message
1919			*/
1920	1059	50	if (ssl->flags & SSL_FLAGS_TLS_1_1)
1921			{
1922	1059	100	if (ssl->flags & SSL_FLAGS_AEAD_W)
1923			{
1924			/* The magic 1 back into messageSize is because the
1925			macSize + blockSize above ends up subtracting one on AEAD */
1926	7	50	messageSize += AEAD_TAG_LEN(ssl) + AEAD_NONCE_LEN(ssl) + 1;
		50
1927			}
1928			else
1929			{
1930	1052		messageSize += ssl->cipher->blockSize;
1931			}
1932			}
1933			# endif /* USE_TLS_1_1 */
1934
1935			# ifdef USE_ZLIB_COMPRESSION
1936			/* Lastly, add the zlib overhead for the FINISHED message */
1937			if (ssl->compression)
1938			{
1939			messageSize += MAX_ZLIB_COMPRESSED_OH;
1940			}
1941			# endif
1942	1059	50	if ((out->buf + out->size) - out->end < messageSize)
1943			{
1944	0		*requiredLen = messageSize;
1945	0		return SSL_FULL;
1946			}
1947	1059		rc = MATRIXSSL_SUCCESS;
1948
1949			# if defined(USE_STATELESS_SESSION_TICKETS) && defined(USE_SERVER_SIDE_SSL)
1950	1059	100	if (ssl->flags & SSL_FLAGS_SERVER)
1951			{
1952	1057	50	if (ssl->sid &&
		0
1953	0		(ssl->sid->sessionTicketState == SESS_TICKET_STATE_RECVD_EXT))
1954			{
1955	0		rc = writeNewSessionTicket(ssl, out);
1956			}
1957			}
1958			# endif
1959	1059	50	if (rc == MATRIXSSL_SUCCESS)
1960			{
1961	1059		rc = writeChangeCipherSpec(ssl, out);
1962			}
1963	1059	50	if (rc == MATRIXSSL_SUCCESS)
1964			{
1965	1059		rc = writeFinished(ssl, out);
1966			}
1967
1968	1059	50	if (rc == SSL_FULL)
1969			{
1970			psTraceInfo("Bad flight messageSize calculation");
1971	0		ssl->err = SSL_ALERT_INTERNAL_ERROR;
1972	0		out->end = out->start;
1973	0		alertReqLen = out->size;
1974			/* Going recursive */
1975	0		return sslEncodeResponse(ssl, out, &alertReqLen);
1976			}
1977	1059		break;
1978			/*
1979			If we're expecting a Finished message, as a server we're doing
1980			session resumption. As a client, we're completing a normal
1981			handshake
1982			*/
1983			case SSL_HS_FINISHED:
1984			# ifdef USE_SERVER_SIDE_SSL
1985	1060	100	if (ssl->flags & SSL_FLAGS_SERVER)
1986			{
1987	2		messageSize =
1988	4		3 * ssl->recordHeadLen +
1989	2		2 * ssl->hshakeHeadLen +
1990			38 + SSL_MAX_SESSION_ID_SIZE + /* server hello */
1991			1 + /* change cipher spec */
1992			MD5_HASH_SIZE + SHA1_HASH_SIZE; /* finished */
1993			/*
1994			Account for possible overhead with secureWriteAdditions
1995			then always account for the encrypted FINISHED message. Correct
1996			to use the ssl->cipher values for mac and block since those will
1997			always be the values used to encrypt the FINISHED message
1998			*/
1999	2		messageSize += secureWriteAdditions(ssl, 2);
2000	2		messageSize += ssl->cipher->macSize + ssl->cipher->blockSize;
2001			# ifdef ENABLE_SECURE_REHANDSHAKES
2002			/*
2003			The RenegotiationInfo extension lengths are well known
2004			*/
2005	2	50	if (ssl->secureRenegotiationFlag == PS_TRUE &&
		50
2006	2		ssl->myVerifyDataLen == 0)
2007			{
2008	0		messageSize += 7; /* 00 05 ff 01 00 01 00 */
2009			}
2010	2	50	else if (ssl->secureRenegotiationFlag == PS_TRUE &&
		50
2011	2		ssl->myVerifyDataLen > 0)
2012			{
2013	2		messageSize += 2 + 5 + ssl->myVerifyDataLen +
2014	2		ssl->peerVerifyDataLen; /* 2 for tot len, 5 for type+len */
2015			}
2016			# endif /* ENABLE_SECURE_REHANDSHAKES */
2017
2018			# ifdef USE_ECC_CIPHER_SUITE
2019	2	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
2020			{
2021			# ifndef ENABLE_SECURE_REHANDSHAKES
2022			messageSize += 2; /* ext 2 byte len has not been included */
2023			# endif /* ENABLE_SECURE_REHANDSHAKES */
2024			/* EXT_ELLIPTIC_POINTS - hardcoded to 'uncompressed' support */
2025	2		messageSize += 6; /* 00 0B 00 02 01 00 */
2026			}
2027			# endif /* USE_ECC_CIPHER_SUITE */
2028
2029			# ifdef USE_TLS
2030			/*
2031			Account for the smaller finished message size for TLS.
2032			The MD5+SHA1 is SSLv3. TLS is 12 bytes.
2033			*/
2034	2	50	if (ssl->flags & SSL_FLAGS_TLS)
2035			{
2036	2		messageSize += TLS_HS_FINISHED_SIZE -
2037			(MD5_HASH_SIZE + SHA1_HASH_SIZE);
2038			}
2039			# endif /* USE_TLS */
2040			# ifdef USE_TLS_1_1
2041			/*
2042			Adds explict IV overhead to the FINISHED message. Always added
2043			because FINISHED is never accounted for in secureWriteAdditions
2044			*/
2045	2	50	if (ssl->flags & SSL_FLAGS_TLS_1_1)
2046			{
2047	2	50	if (ssl->cipher->flags &
2048			(CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_CCM))
2049			{
2050			/* The magic 1 back into messageSize is because the
2051			blockSize -1 above ends up subtracting one on AEAD */
2052	2	50	messageSize += AEAD_TAG_LEN(ssl) + TLS_EXPLICIT_NONCE_LEN + 1;
2053			}
2054	0	0	else if (ssl->cipher->flags & CRYPTO_FLAGS_CHACHA)
2055			{
2056	0	0	messageSize += AEAD_TAG_LEN(ssl) + 1;
2057			}
2058			else
2059			{
2060	0		messageSize += ssl->cipher->blockSize; /* explicitIV */
2061			}
2062			}
2063			# endif /* USE_TLS_1_1 */
2064
2065			# ifdef USE_ZLIB_COMPRESSION
2066			/* Lastly, add the zlib overhead for the FINISHED message */
2067			if (ssl->compression)
2068			{
2069			messageSize += MAX_ZLIB_COMPRESSED_OH;
2070			}
2071			# endif
2072	2	50	if ((out->buf + out->size) - out->end < messageSize)
2073			{
2074	0		*requiredLen = messageSize;
2075	0		return SSL_FULL;
2076			}
2077	2		rc = writeServerHello(ssl, out);
2078	2	50	if (rc == MATRIXSSL_SUCCESS)
2079			{
2080	2		rc = writeChangeCipherSpec(ssl, out);
2081			}
2082	2	50	if (rc == MATRIXSSL_SUCCESS)
2083			{
2084	2		rc = writeFinished(ssl, out);
2085			}
2086			}
2087			# endif /* USE_SERVER_SIDE_SSL */
2088			# ifdef USE_CLIENT_SIDE_SSL
2089			/*
2090			Encode entry point for client side final flight encodes.
2091			First task here is to find out size of ClientKeyExchange message
2092			*/
2093	1060	100	if (!(ssl->flags & SSL_FLAGS_SERVER))
2094			{
2095	1058		ckeSize = 0;
2096			# ifdef USE_DHE_CIPHER_SUITE
2097	1058	100	if (ssl->flags & SSL_FLAGS_DHE_KEY_EXCH)
2098			{
2099			# ifdef USE_DTLS
2100			if (ssl->flags & SSL_FLAGS_DTLS && ssl->retransmit == 1)
2101			{
2102			ckeSize = ssl->ckeSize; /* Keys have been freed */
2103			}
2104			else
2105			{
2106			# endif /* USE_DTLS */
2107			# ifdef USE_ECC_CIPHER_SUITE
2108	1057	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
2109			{
2110	1057		ckeSize = (ssl->sec.eccKeyPriv->curve->size * 2) + 2;
2111			}
2112			else
2113			{
2114			# endif /* USE_ECC_CIPHER_SUITE */
2115			# ifdef REQUIRE_DH_PARAMS
2116	0		ckeSize = ssl->sec.dhKeyPriv->size;
2117			# endif /* REQUIRE_DH_PARAMS */
2118			# ifdef USE_ECC_CIPHER_SUITE
2119			}
2120			# endif /* USE_ECC_CIPHER_SUITE */
2121			# ifdef USE_DTLS
2122			}
2123			# endif /* USE_DTLS */
2124			# ifdef USE_PSK_CIPHER_SUITE
2125			/*
2126			This is the DHE_PSK suite case.
2127			PSK suites add the key identity with psSize_t size
2128			*/
2129	1057	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
2130			{
2131	1057		ckeSize += SSL_PSK_MAX_ID_SIZE + 2;
2132			}
2133			# endif /* USE_PSK_CIPHER_SUITE */
2134			}
2135			else
2136			{
2137			# endif /* USE_DHE_CIPHER_SUITE */
2138			# ifdef USE_PSK_CIPHER_SUITE
2139			/*
2140			This is the basic PSK case
2141			PSK suites add the key identity with psSize_t size
2142			*/
2143	1	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
2144			{
2145	0		ckeSize += SSL_PSK_MAX_ID_SIZE + 2;
2146			}
2147			else
2148			{
2149			# endif /* USE_PSK_CIPHER_SUITE */
2150			# ifndef USE_ONLY_PSK_CIPHER_SUITE
2151			# ifdef USE_ECC_CIPHER_SUITE
2152	1	50	if (ssl->cipher->type == CS_ECDH_ECDSA \|\|
		50
2153	1		ssl->cipher->type == CS_ECDH_RSA)
2154			{
2155	0		ckeSize = (ssl->sec.cert->publicKey.key.ecc.curve->size
2156	0		* 2) + 2;
2157			}
2158			else
2159			{
2160			# endif /* USE_ECC_CIPHER_SUITE */
2161			/*
2162			Normal RSA auth cipher suite case
2163			*/
2164	1	50	if (ssl->sec.cert == NULL)
2165			{
2166	0		ssl->flags \|= SSL_FLAGS_ERROR;
2167	0		return MATRIXSSL_ERROR;
2168			}
2169	1		ckeSize = ssl->sec.cert->publicKey.keysize;
2170
2171			# ifdef USE_ECC_CIPHER_SUITE
2172			}
2173			# endif /* USE_ECC_CIPHER_SUITE */
2174			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
2175			# ifdef USE_PSK_CIPHER_SUITE
2176			}
2177			# endif /* USE_PSK_CIPHER_SUITE */
2178			# ifdef USE_DHE_CIPHER_SUITE
2179			}
2180			# endif /* USE_DHE_CIPHER_SUITE */
2181
2182	1058		messageSize = 0;
2183
2184	1058	50	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
2185			{
2186			/*
2187			Client authentication requires the client to send a CERTIFICATE
2188			and CERTIFICATE_VERIFY message. Account for the length. It
2189			is possible the client didn't have a match for the requested cert.
2190			Send an empty certificate message in that case (or alert for SSLv3)
2191			*/
2192			# ifndef USE_ONLY_PSK_CIPHER_SUITE
2193			# ifdef USE_CLIENT_AUTH
2194	0	0	if (ssl->sec.certMatch > 0)
2195			{
2196			/*
2197			Account for the certificate and certificateVerify messages
2198			*/
2199	0		cert = ssl->keys->cert;
2200	0		ctotalCertLen = 0;
2201	0	0	for (i = 0; cert != NULL; i++)
2202			{
2203	0		ctotalCertLen += cert->binLen;
2204	0		cert = cert->next;
2205			}
2206			/* Are we going to have to fragment the CERT message? */
2207	0	0	if ((ctotalCertLen + 3 + (i * 3) + ssl->hshakeHeadLen) >
2208	0		ssl->maxPtFrag)
2209			{
2210	0		ctotalCertLen += addCertFragOverhead(ssl,
2211	0		ctotalCertLen + 3 + (i * 3) + ssl->hshakeHeadLen);
2212			}
2213	0		messageSize += (2 * ssl->recordHeadLen) + 3 + (i * 3) +
2214	0		(2 * ssl->hshakeHeadLen) + ctotalCertLen +
2215	0		2 + ssl->keys->privKey.keysize;
2216
2217			# ifdef USE_ECC
2218			/* Overhead ASN.1 in psEccSignHash */
2219	0	0	if (ssl->keys->cert->pubKeyAlgorithm == OID_ECDSA_KEY_ALG)
2220			{
2221			/* NEGATIVE ECDSA - For purposes of SSL_FULL we
2222			add 2 extra bytes to account for the two 0x0
2223			bytes in signature */
2224	0		messageSize += 6 + 2;
2225	0	0	if (ssl->keys->privKey.keysize >= 128)
2226			{
2227	0		messageSize += 1; /* Extra len byte in ASN.1 sig */
2228			}
2229			}
2230			# endif /* USE_ECC */
2231			}
2232			else
2233			{
2234			# endif /* USE_CLIENT_AUTH */
2235			/*
2236			SSLv3 sends a no_certificate warning alert for no match
2237			*/
2238	0	0	if (ssl->majVer == SSL3_MAJ_VER
2239	0	0	&& ssl->minVer == SSL3_MIN_VER)
2240			{
2241	0		messageSize += 2 + ssl->recordHeadLen;
2242			}
2243			else
2244			{
2245			/*
2246			TLS just sends an empty certificate message
2247			*/
2248	0		messageSize += 3 + ssl->recordHeadLen +
2249	0		ssl->hshakeHeadLen;
2250			}
2251			# ifdef USE_CLIENT_AUTH
2252			}
2253			# endif /* USE_CLIENT_AUTH */
2254			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
2255			}
2256			/*
2257			Account for the header and message size for all records. The
2258			finished message will always be encrypted, so account for one
2259			largest possible MAC size and block size. The finished message is
2260			not accounted for in the writeSecureAddition calls below since it
2261			is accounted for here.
2262			*/
2263	1058		messageSize +=
2264	2116		3 * ssl->recordHeadLen +
2265	2116		2 * ssl->hshakeHeadLen + /* change cipher has no hsHead */
2266			ckeSize + /* client key exchange */
2267			1 + /* change cipher spec */
2268	1058		MD5_HASH_SIZE + SHA1_HASH_SIZE + /* SSLv3 finished payload */
2269	2116		ssl->cipher->macSize +
2270	1058		ssl->cipher->blockSize; /* finished overhead */
2271			# ifdef USE_TLS
2272			/*
2273			Must add the 2 bytes key size length to the client key exchange
2274			message. Also, at this time we can account for the smaller finished
2275			message size for TLS. The MD5+SHA1 is SSLv3. TLS is 12 bytes.
2276			*/
2277	1058	50	if (ssl->flags & SSL_FLAGS_TLS)
2278			{
2279	1058		messageSize += 2 - MD5_HASH_SIZE - SHA1_HASH_SIZE +
2280			TLS_HS_FINISHED_SIZE;
2281			}
2282			# endif /* USE_TLS */
2283	1058	50	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
2284			{
2285			/*
2286			Secure write for ClientKeyExchange, ChangeCipherSpec,
2287			Certificate, and CertificateVerify. Don't account for
2288			Certificate and/or CertificateVerify message if no auth cert.
2289			This will also cover the NO_CERTIFICATE alert sent in
2290			replacement of the NULL certificate message in SSLv3.
2291			*/
2292	0	0	if (ssl->sec.certMatch > 0)
2293			{
2294			# ifdef USE_TLS_1_2
2295	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
2296			{
2297	0		messageSize += 2; /* hashSigAlg in CertificateVerify */
2298			}
2299			# endif
2300	0		messageSize += secureWriteAdditions(ssl, 4);
2301			}
2302			else
2303			{
2304	0		messageSize += secureWriteAdditions(ssl, 3);
2305			}
2306			}
2307			else
2308			{
2309	1058		messageSize += secureWriteAdditions(ssl, 2);
2310			}
2311
2312			# ifdef USE_DTLS
2313			if (ssl->flags & SSL_FLAGS_DTLS)
2314			{
2315			/*
2316			If DTLS, make sure the max fragment overhead is accounted for
2317			on any flight containing the CERTIFICATE message. If
2318			SSL_FULL is hit mid-flight creation, the updates that happen
2319			on the handshake hash on that first pass will really mess us up
2320			*/
2321			messageSize += (MAX_FRAGMENTS - 1) *
2322			(ssl->recordHeadLen + ssl->hshakeHeadLen);
2323			if (ssl->flags & SSL_FLAGS_WRITE_SECURE)
2324			{
2325			messageSize += secureWriteAdditions(ssl, MAX_FRAGMENTS - 1);
2326			}
2327			}
2328			# endif /* USE_DTLS */
2329			# ifdef USE_TLS_1_1
2330			/*
2331			Adds explict IV overhead to the FINISHED message. Always added
2332			because FINISHED is never accounted for in secureWriteAdditions
2333			*/
2334	1058	50	if (ssl->flags & SSL_FLAGS_TLS_1_1)
2335			{
2336	1058	100	if (ssl->cipher->flags &
2337			(CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_CCM))
2338			{
2339			/* The magic 1 back into messageSize is because the
2340			blockSize -1 above ends up subtracting one on AEAD */
2341	1057	50	messageSize += AEAD_TAG_LEN(ssl) + TLS_EXPLICIT_NONCE_LEN + 1;
2342			}
2343	1	50	else if (ssl->cipher->flags & CRYPTO_FLAGS_CHACHA)
2344			{
2345	0	0	messageSize += AEAD_TAG_LEN(ssl) + 1;
2346			}
2347			else
2348			{
2349	1		messageSize += ssl->cipher->blockSize; /* explicitIV */
2350			}
2351			}
2352			# endif /* USE_TLS_1_1 */
2353			# ifdef USE_ZLIB_COMPRESSION
2354			/* Lastly, add the zlib overhead for the FINISHED message */
2355			if (ssl->compression)
2356			{
2357			messageSize += MAX_ZLIB_COMPRESSED_OH;
2358			}
2359			# endif
2360			/*
2361			The actual buffer size test to hold this flight
2362			*/
2363	1058	50	if ((out->buf + out->size) - out->end < messageSize)
2364			{
2365	0		*requiredLen = messageSize;
2366	0		return SSL_FULL;
2367			}
2368	1058		rc = MATRIXSSL_SUCCESS;
2369
2370			# ifndef USE_ONLY_PSK_CIPHER_SUITE
2371	1058	50	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
2372			{
2373			/*
2374			The TLS RFC is fairly clear that an empty certificate message
2375			be sent if there is no certificate match. SSLv3 tends to lean
2376			toward a NO_CERTIFIATE warning alert message
2377			*/
2378	0	0	if (ssl->sec.certMatch == 0 && ssl->majVer == SSL3_MAJ_VER
		0
2379	0	0	&& ssl->minVer == SSL3_MIN_VER)
2380			{
2381	0		rc = writeAlert(ssl, SSL_ALERT_LEVEL_WARNING,
2382			SSL_ALERT_NO_CERTIFICATE, out, requiredLen);
2383			}
2384			else
2385			{
2386	0		rc = writeCertificate(ssl, out, ssl->sec.certMatch);
2387			}
2388			}
2389			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
2390
2391	1058	50	if (rc == MATRIXSSL_SUCCESS)
2392			{
2393	1058		rc = writeClientKeyExchange(ssl, out);
2394			}
2395			# ifndef USE_ONLY_PSK_CIPHER_SUITE
2396			# ifdef USE_CLIENT_AUTH
2397	1058	50	if (ssl->flags & SSL_FLAGS_CLIENT_AUTH)
2398			{
2399	0	0	if (rc == MATRIXSSL_SUCCESS && ssl->sec.certMatch > 0)
		0
2400			{
2401	0		rc = writeCertificateVerify(ssl, out);
2402			}
2403			}
2404			# endif /* USE_CLIENT_AUTH */
2405			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
2406
2407	1058	50	if (rc == MATRIXSSL_SUCCESS)
2408			{
2409	1058		rc = writeChangeCipherSpec(ssl, out);
2410			}
2411	1058	50	if (rc == MATRIXSSL_SUCCESS)
2412			{
2413	1058		rc = writeFinished(ssl, out);
2414			}
2415			}
2416			# endif /* USE_CLIENT_SIDE_SSL */
2417	1060	50	if (rc == SSL_FULL)
2418			{
2419			psTraceInfo("Bad flight messageSize calculation");
2420	0		ssl->err = SSL_ALERT_INTERNAL_ERROR;
2421	0		out->end = out->start;
2422	0		alertReqLen = out->size;
2423			/* Going recursive */
2424	0		return sslEncodeResponse(ssl, out, &alertReqLen);
2425			}
2426	1060		break;
2427			# ifdef USE_DTLS
2428			/*
2429			If we a client being invoked from here in the HS_SERVER_HELLO state,
2430			we are being asked for a CLIENT_HELLO with a cookie. It's already
2431			been parsed out of the server HELLO_VERIFY_REQUEST message, so
2432			we can simply call matrixSslEncodeClientHello again and essentially
2433			start over again.
2434			*/
2435			case SSL_HS_SERVER_HELLO:
2436			rc = matrixSslEncodeClientHello(ssl, out, ssl->cipherSpec,
2437			ssl->cipherSpecLen, requiredLen, NULL, &options);
2438			break;
2439			# endif /* USE_DTLS */
2440			}
2441
2442	3266	50	if (rc < MATRIXSSL_SUCCESS && rc != SSL_FULL)
		0
2443			{
2444			/* Indication one of the message creations failed and setting the flag to
2445			prevent other API calls from working. We want to send a fatal
2446			internal error alert in this case. Make sure to write to front of
2447			buffer since we can't trust the data in there due to the creation
2448			failure. */
2449			psTraceIntInfo("ERROR: Handshake flight creation failed %d\n", rc);
2450	0	0	if (rc == PS_UNSUPPORTED_FAIL)
2451			{
2452			/* Single out this particular error as a handshake failure
2453			because there are combinations of cipher negotiations where
2454			we don't know until handshake creation that we can't support.
2455			For example, the server key material test will be bypassed
2456			if an SNI callback is registered. We won't know until SKE
2457			creation that we can't support the requested cipher. This is
2458			a user error so don't report an INTERNAL_ERROR */
2459	0		ssl->err = SSL_ALERT_HANDSHAKE_FAILURE;
2460			}
2461			else
2462			{
2463	0		ssl->err = SSL_ALERT_INTERNAL_ERROR;
2464			}
2465	0		out->end = out->start;
2466	0		alertReqLen = out->size;
2467			/* Going recursive */
2468	0		return sslEncodeResponse(ssl, out, &alertReqLen);
2469			}
2470
2471			# if defined(USE_HARDWARE_CRYPTO_RECORD) \|\| defined(USE_HARDWARE_CRYPTO_PKA) \|\| defined(USE_EXT_CERTIFICATE_VERIFY_SIGNING)
2472			resumeFlightEncryption:
2473			# endif
2474
2475			# ifdef USE_SERVER_SIDE_SSL
2476			/* Post-flight write PKA operation. Support is for the signature
2477			generation during ServerKeyExchange write. */
2478	3266	100	if (ssl->flags & SSL_FLAGS_SERVER)
2479			{
2480	2206	100	if (ssl->pkaAfter[0].type > 0)
2481			{
2482	1146	50	if ((rc = nowDoSkePka(ssl, out)) < 0)
2483			{
2484	0		return rc;
2485			}
2486			}
2487			}
2488			# endif
2489
2490			# ifdef USE_CLIENT_SIDE_SSL
2491			/* Post-flight write PKA operation. */
2492	3266	100	if (!(ssl->flags & SSL_FLAGS_SERVER))
2493			{
2494			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
2495			/* Handle delayed CertificateVerify write. */
2496			if (ssl->extCvSigOpInUse &&
2497			(ssl->pkaAfter[0].type == PKA_AFTER_RSA_SIG_GEN_ELEMENT \|\|
2498			ssl->pkaAfter[0].type == PKA_AFTER_ECDSA_SIG_GEN))
2499			{
2500			/* Ensure that the signature is now ready. No point in
2501			continuing if it is not. */
2502			if (ssl->extCvSigOpPending &&
2503			ssl->extCvSigLen == 0)
2504			{
2505			psTraceInfo("sslEncodeResponse called too soon; " \
2506			"CertificateVerify signature has not been set " \
2507			"with matrixSslSetCvSignature().\n");
2508			return PS_PENDING;
2509			}
2510			}
2511			else
2512			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
2513			/* Handle delayed ClientKeyExchange write. */
2514	1060	100	if (ssl->pkaAfter[0].type > 0)
2515			{
2516	1058	50	if ((rc = nowDoCkePka(ssl)) < 0)
2517			{
2518	0		return rc;
2519			}
2520			}
2521			}
2522			# endif
2523
2524			/* Encrypt Flight */
2525	3266	50	if (ssl->flightEncode)
2526			{
2527	3266	50	if ((rc = encryptFlight(ssl, &out->end)) < 0)
2528			{
2529	0		return rc;
2530			}
2531			}
2532
2533	3360		return rc;
2534			}
2535
2536	25580		void clearFlightList(ssl_t *ssl)
2537			{
2538			flightEncode_t msg, next;
2539
2540	25580		msg = ssl->flightEncode;
2541	25580	50	while (msg)
2542			{
2543	0		next = msg->next;
2544	0		psFree(msg, ssl->flightPool);
2545	0		msg = next;
2546			}
2547	25580		ssl->flightEncode = NULL;
2548	25580		}
2549
2550	3266		static int32 encryptFlight(ssl_t ssl, unsigned char *end)
2551			{
2552			flightEncode_t msg, remove;
2553			sslBuf_t out;
2554
2555			# if defined(USE_CLIENT_SIDE_SSL) && defined(USE_CLIENT_AUTH)
2556			sslBuf_t cvFlight;
2557			# endif
2558			unsigned char c, origEnd;
2559			int32 rc;
2560
2561			/* NEGATIVE ECDSA - save the end of the flight buffer */
2562	3266		origEnd = *end;
2563			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
2564			if (!ssl->extCvSigOpPending)
2565			{
2566			ssl->extCvOrigFlightEnd = origEnd;
2567			}
2568			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
2569			/* PS_VARIABLE_SET_BUT_UNUSED(origEnd); */
2570
2571	3266		msg = ssl->flightEncode;
2572	13151	100	while (msg)
2573			{
2574	9885		c = msg->start + msg->len;
2575			# ifdef USE_DTLS
2576			if (ssl->flags & SSL_FLAGS_DTLS)
2577			{
2578			if (msg->hsMsg == SSL_HS_FINISHED)
2579			{
2580			/* Epoch is incremented and the sequence numbers are reset for
2581			this message */
2582			incrTwoByte(ssl, ssl->epoch, 1);
2583			zeroSixByte(ssl->rsn);
2584			}
2585			psTraceIntDtls("RSN %d, ", ssl->rsn[5]);
2586			psTraceIntDtls("MSN %d, ", ssl->msn);
2587			psTraceIntDtls("Epoch %d\n", ssl->epoch[1]);
2588			*msg->seqDelay = ssl->epoch[0]; msg->seqDelay++;
2589			*msg->seqDelay = ssl->epoch[1]; msg->seqDelay++;
2590			*msg->seqDelay = ssl->rsn[0]; msg->seqDelay++;
2591			*msg->seqDelay = ssl->rsn[1]; msg->seqDelay++;
2592			*msg->seqDelay = ssl->rsn[2]; msg->seqDelay++;
2593			*msg->seqDelay = ssl->rsn[3]; msg->seqDelay++;
2594			*msg->seqDelay = ssl->rsn[4]; msg->seqDelay++;
2595			*msg->seqDelay = ssl->rsn[5]; msg->seqDelay++;
2596			msg->seqDelay++;
2597			msg->seqDelay++; /* Last two incremements skipped recLen */
2598			}
2599			# endif
2600	9885	100	if (msg->hsMsg == SSL_HS_FINISHED)
2601			{
2602			/* If it was just a ChangeCipherSpec message that was encoded we can
2603			activate the write cipher */
2604	2119	50	if ((rc = sslActivateWriteCipher(ssl)) < 0)
2605			{
2606			psTraceInfo("Error Activating Write Cipher\n");
2607	0		clearFlightList(ssl);
2608	0		return rc;
2609			}
2610
2611			/* The finished message had to hold off snapshoting the handshake
2612			hash because those updates are done in the encryptRecord call
2613			below for each message. THAT was done because of a possible
2614			delay in a PKA op */
2615	2119		rc = sslSnapshotHSHash(ssl, ssl->delayHsHash,
2616	2119		ssl->flags & SSL_FLAGS_SERVER);
2617	2119	50	if (rc <= 0)
2618			{
2619			psTraceIntInfo("Error snapshotting HS hash flight %d\n", rc);
2620	0		clearFlightList(ssl);
2621	0		return rc;
2622			}
2623
2624			# ifdef ENABLE_SECURE_REHANDSHAKES
2625			/* The rehandshake verify data is the previous handshake msg hash */
2626			# ifdef USE_DTLS
2627			if (ssl->flags & SSL_FLAGS_DTLS)
2628			{
2629			if (ssl->myVerifyDataLen > 0)
2630			{
2631			memcpy(ssl->omyVerifyData, ssl->myVerifyData,
2632			ssl->myVerifyDataLen);
2633			ssl->omyVerifyDataLen = ssl->myVerifyDataLen;
2634			}
2635			}
2636			# endif /* USE_DTLS */
2637	2119		memcpy(ssl->myVerifyData, ssl->delayHsHash, rc);
2638	2119		ssl->myVerifyDataLen = rc;
2639			# endif /* ENABLE_SECURE_REHANDSHAKES */
2640			} /* End SSL_HS_FINISHED processing */
2641
2642	9885	100	if (ssl->flags & SSL_FLAGS_NONCE_W
2643			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
2644			&& !ssl->extCvSigOpPending
2645			# endif
2646			)
2647			{
2648	2157		out.start = out.buf = out.end = msg->start - ssl->recordHeadLen -
2649			TLS_EXPLICIT_NONCE_LEN;
2650			# ifdef USE_DTLS
2651			if (ssl->flags & SSL_FLAGS_DTLS)
2652			{
2653			/* nonce */
2654			*msg->seqDelay = ssl->epoch[0]; msg->seqDelay++;
2655			*msg->seqDelay = ssl->epoch[1]; msg->seqDelay++;
2656			*msg->seqDelay = ssl->rsn[0]; msg->seqDelay++;
2657			*msg->seqDelay = ssl->rsn[1]; msg->seqDelay++;
2658			*msg->seqDelay = ssl->rsn[2]; msg->seqDelay++;
2659			*msg->seqDelay = ssl->rsn[3]; msg->seqDelay++;
2660			*msg->seqDelay = ssl->rsn[4]; msg->seqDelay++;
2661			*msg->seqDelay = ssl->rsn[5]; msg->seqDelay++;
2662			}
2663			else
2664			{
2665			# endif
2666	2157		*msg->seqDelay = ssl->sec.seq[0]; msg->seqDelay++;
2667	2157		*msg->seqDelay = ssl->sec.seq[1]; msg->seqDelay++;
2668	2157		*msg->seqDelay = ssl->sec.seq[2]; msg->seqDelay++;
2669	2157		*msg->seqDelay = ssl->sec.seq[3]; msg->seqDelay++;
2670	2157		*msg->seqDelay = ssl->sec.seq[4]; msg->seqDelay++;
2671	2157		*msg->seqDelay = ssl->sec.seq[5]; msg->seqDelay++;
2672	2157		*msg->seqDelay = ssl->sec.seq[6]; msg->seqDelay++;
2673	2157		*msg->seqDelay = ssl->sec.seq[7];
2674			# ifdef USE_DTLS
2675			}
2676			# endif
2677			}
2678			else
2679			{
2680	7728		out.start = out.buf = out.end = msg->start - ssl->recordHeadLen;
2681			}
2682
2683			# ifndef USE_ONLY_PSK_CIPHER_SUITE
2684			# if defined(USE_CLIENT_SIDE_SSL) && defined(USE_CLIENT_AUTH)
2685	9885	50	if (msg->hsMsg == SSL_HS_CERTIFICATE_VERIFY)
2686			{
2687			/* This delayed PKA op has to be done mid flight encode because
2688			the contents of the signature is the hash of the handshake
2689			messages. */
2690			/* NEGATIVE ECDSA - Need psBuf_t to work in */
2691	0		cvFlight.start = cvFlight.buf = out.start;
2692			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
2693			if (ssl->extCvSigOpInUse)
2694			{
2695			cvFlight.end = ssl->extCvOrigFlightEnd;
2696			}
2697			else
2698			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
2699	0		cvFlight.end = origEnd;
2700	0		cvFlight.size = ssl->insize - (cvFlight.end - cvFlight.buf);
2701
2702	0		rc = nowDoCvPka(ssl, &cvFlight);
2703			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
2704			if (rc == PS_PENDING)
2705			{
2706			psAssert(ssl->extCvSigOpInUse);
2707			psAssert(ssl->extCvHash != NULL);
2708			psAssert(ssl->extCvHashLen >= 20);
2709			/* Now it's up to the caller of the library to provide
2710			the signature and then retry. */
2711			return rc;
2712			}
2713			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
2714	0	0	if (rc < 0)
2715	0		return rc;
2716
2717			/* NEGATIVE ECDSA - account for message may have changed size */
2718	0		c = msg->start + msg->len;
2719	0	0	if (ssl->flags & SSL_FLAGS_AEAD_W)
2720			{
2721	0		out.start = out.buf = out.end
2722	0	0	= (msg->start - ssl->recordHeadLen) - AEAD_NONCE_LEN(ssl);
2723			}
2724			else
2725			{
2726	0		out.start = out.buf = out.end = msg->start - ssl->recordHeadLen;
2727			}
2728			}
2729			# endif /* Client */
2730			# endif /* !PSK_ONLY */
2731
2732			# ifdef USE_DTLS
2733			if (ssl->flags & SSL_FLAGS_DTLS && msg->fragCount > 0)
2734			{
2735			# ifndef USE_ONLY_PSK_CIPHER_SUITE
2736			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
2737			rc = dtlsEncryptFragRecord(ssl, msg, &out, &c);
2738			# endif /* SERVER \|\| CLIENT_AUTH */
2739			# endif /* PSK_ONLY */
2740			}
2741			else
2742			{
2743			rc = encryptRecord(ssl, msg->type, msg->hsMsg, msg->messageSize,
2744			msg->padLen, msg->start, &out, &c);
2745			}
2746			# else
2747	9885		rc = encryptRecord(ssl, msg->type, msg->hsMsg, msg->messageSize, msg->padLen,
2748			msg->start, &out, &c);
2749			# endif /* DTLS */
2750
2751	9885		*end = c;
2752	9885	50	if (rc == PS_PENDING)
2753			{
2754			/* Eat this message from flight encode, moving next to the front */
2755			/* Save how far along we are to be picked up next time */
2756	0		*end = msg->start + msg->messageSize - ssl->recordHeadLen;
2757	0	0	if (ssl->flags & SSL_FLAGS_AEAD_W)
2758			{
2759	0	0	*end -= AEAD_NONCE_LEN(ssl);
2760			}
2761	0		ssl->flightEncode = msg->next;
2762	0		psFree(msg, ssl->flightPool);
2763	0		return rc;
2764			}
2765	9885	50	if (rc < 0)
2766			{
2767			psTraceIntInfo("Error encrypting record from flight %d\n", rc);
2768	0		clearFlightList(ssl);
2769	0		return rc;
2770			}
2771	9885		remove = msg;
2772	9885		ssl->flightEncode = msg = msg->next;
2773	9885		psFree(remove, ssl->flightPool);
2774			}
2775	3266		clearFlightList(ssl);
2776	3266		return PS_SUCCESS;
2777			}
2778
2779			/* One message flight requires 2 PKA "after" operations so need to store both */
2780	2204		pkaAfter_t getPkaAfter(ssl_t ssl)
2781			{
2782	2204	50	if (ssl->pkaAfter[0].type == 0)
2783			{
2784	2204		return &ssl->pkaAfter[0];
2785			}
2786	0	0	else if (ssl->pkaAfter[1].type == 0)
2787			{
2788	0		return &ssl->pkaAfter[1];
2789			}
2790			else
2791			{
2792	0		return NULL;
2793			}
2794			}
2795
2796	0		pkaAfter_t getPkaAfterCv(ssl_t ssl)
2797			{
2798			int i;
2799
2800			/* First look for the pkaAfter that was used previously by
2801			writeCertificateVerify. Reuse if found. */
2802	0	0	for (i = 0; i < 2; i++)
2803			{
2804	0	0	if (ssl->pkaAfter[i].type == PKA_AFTER_RSA_SIG_GEN_ELEMENT
2805	0	0	\|\| ssl->pkaAfter[i].type == PKA_AFTER_ECDSA_SIG_GEN
2806	0	0	\|\| ssl->pkaAfter[i].type == PKA_AFTER_RSA_SIG_GEN)
2807			{
2808	0		return &ssl->pkaAfter[i];
2809			}
2810			}
2811			/* Reusable pkaAfter not found, use a clean one. */
2812	0		return getPkaAfter(ssl);
2813			}
2814
2815	22314		void freePkaAfter(ssl_t *ssl)
2816			{
2817			/* Just call clear twice */
2818	22314		clearPkaAfter(ssl);
2819	22314		clearPkaAfter(ssl);
2820	22314		}
2821
2822
2823			/* Clear pkaAfter[0] and move pkaAfter[1] to [0]. Will be zeroed if no [1] */
2824	46832		void clearPkaAfter(ssl_t *ssl)
2825			{
2826	46832	100	if (ssl->pkaAfter[0].inbuf)
2827			{
2828			/* If it was a TMP_PKI pool with PENDING, it will have been saved
2829			aside in the pkaAfter.pool. Otherwise, it's in handshake pool */
2830	1146	50	if (ssl->pkaAfter[0].pool)
2831			{
2832	0		psFree(ssl->pkaAfter[0].inbuf, ssl->pkaAfter[0].pool);
2833			}
2834			else
2835			{
2836	1146		psFree(ssl->pkaAfter[0].inbuf, ssl->hsPool);
2837			}
2838	1146		ssl->pkaAfter[0].inbuf = NULL;
2839			}
2840	46832		if (ssl->pkaAfter[0].pool)
2841			{
2842			}
2843	46832		ssl->pkaAfter[0].type = 0;
2844	46832		ssl->pkaAfter[0].outbuf = NULL;
2845	46832		ssl->pkaAfter[0].data = NULL;
2846	46832		ssl->pkaAfter[0].inlen = 0;
2847	46832		ssl->pkaAfter[0].user = 0;
2848
2849	46832	50	if (ssl->pkaAfter[1].type != 0)
2850			{
2851	0		ssl->pkaAfter[0].type = ssl->pkaAfter[1].type;
2852	0		ssl->pkaAfter[0].outbuf = ssl->pkaAfter[1].outbuf;
2853	0		ssl->pkaAfter[0].data = ssl->pkaAfter[1].data;
2854	0		ssl->pkaAfter[0].inlen = ssl->pkaAfter[1].inlen;
2855	0		ssl->pkaAfter[0].user = ssl->pkaAfter[1].user;
2856
2857	0		ssl->pkaAfter[1].type = 0;
2858	0		ssl->pkaAfter[1].outbuf = NULL;
2859	0		ssl->pkaAfter[1].data = NULL;
2860	0		ssl->pkaAfter[1].inlen = 0;
2861	0		ssl->pkaAfter[1].user = 0;
2862			}
2863	46832		}
2864
2865			/******************************************************************************/
2866			/*
2867			Message size must account for any additional length a secure-write
2868			would add to the message. It would be too late to check length in
2869			the writeRecordHeader() call since some of the handshake hashing could
2870			have already taken place and we can't rewind those hashes.
2871			*/
2872	3270		static int32 secureWriteAdditions(ssl_t *ssl, int32 numRecs)
2873			{
2874	3270		int32 add = 0;
2875
2876			/*
2877			There is a slim chance for a false FULL message due to the fact that
2878			the maximum padding is being calculated rather than the actual number.
2879			Caller must simply grow buffer and try again. Not subtracting 1 for
2880			the padding overhead to support NULL ciphers that will have 0 enBlockSize
2881			*/
2882	3270	100	if (ssl->flags & SSL_FLAGS_WRITE_SECURE)
2883			{
2884	46		add += (numRecs * ssl->enMacSize) + /* handshake msg hash */
2885	23		(numRecs * (ssl->enBlockSize)); /* padding */
2886			# ifdef USE_TLS_1_1
2887			/*
2888			Checks here for TLS1.1 with block cipher for explict IV additions.
2889			*/
2890	23	50	if ((ssl->flags & SSL_FLAGS_TLS_1_1) && (ssl->enBlockSize > 1))
		50
2891			{
2892	0		add += (numRecs * ssl->enBlockSize); /* explicitIV */
2893			}
2894			# endif /* USE_TLS_1_1 */
2895	23	50	if (ssl->flags & SSL_FLAGS_AEAD_W)
2896			{
2897	23	50	add += (numRecs * (AEAD_TAG_LEN(ssl) + AEAD_NONCE_LEN(ssl)));
		50
2898			}
2899			}
2900	3270		return add;
2901			}
2902
2903			/******************************************************************************/
2904			/*
2905			Write out a closure alert message (the only user initiated alert message)
2906			The user would call this when about to initate a socket close
2907			NOTICE: This is the internal function, there is a similarly named public
2908			API called matrixSslEncodeClosureAlert
2909			*/
2910	1		int32 sslEncodeClosureAlert(ssl_t ssl, sslBuf_t out, uint32 *reqLen)
2911			{
2912			/*
2913			If we've had a protocol error, don't allow further use of the session
2914			*/
2915	1	50	if (ssl->flags & SSL_FLAGS_ERROR)
2916			{
2917	0		return MATRIXSSL_ERROR;
2918			}
2919	1		return writeAlert(ssl, SSL_ALERT_LEVEL_WARNING, SSL_ALERT_CLOSE_NOTIFY,
2920			out, reqLen);
2921			}
2922
2923			/******************************************************************************/
2924			/*
2925			Generic record header construction for alerts, handshake messages, and
2926			change cipher spec. Determines message length for encryption and
2927			writes out to buffer up to the real message data.
2928
2929			The FINISHED message is given special treatment here to move through the
2930			encrypted stages because the postponed flight encoding mechanism will
2931			not have moved to the SECURE_WRITE state until the CHANGE_CIPHER_SPEC
2932			has been encoded. This means we have to look at the hsType and the
2933			ssl->cipher profile to see what is needed.
2934
2935			Incoming messageSize is the plaintext message length plus the header
2936			lengths.
2937			*/
2938	25263		static int32_t writeRecordHeader(ssl_t *ssl, uint8_t type, uint8_t hsType,
2939			psSize_t messageSize, uint8_t padLen,
2940			unsigned char *encryptStart, const unsigned char end,
2941			unsigned char **c)
2942			{
2943			int32 messageData, msn;
2944
2945	25263		messageData = *messageSize - ssl->recordHeadLen;
2946	25263	100	if (type == SSL_RECORD_TYPE_HANDSHAKE)
2947			{
2948	18929		messageData -= ssl->hshakeHeadLen;
2949			}
2950	25263	50	if (type == SSL_RECORD_TYPE_HANDSHAKE_FIRST_FRAG)
2951			{
2952	0		messageData -= ssl->hshakeHeadLen;
2953	0		*messageSize = ssl->maxPtFrag + ssl->recordHeadLen;
2954	0		type = SSL_RECORD_TYPE_HANDSHAKE;
2955			}
2956
2957			# ifdef USE_TLS_1_1
2958			/*
2959			If a block cipher is being used TLS 1.1 requires the use
2960			of an explicit IV. This is an extra random block of data
2961			prepended to the plaintext before encryption. Account for
2962			that extra length here. */
2963	25263	100	if (hsType == SSL_HS_FINISHED && (ssl->flags & SSL_FLAGS_TLS_1_1))
		50
2964			{
2965	2121	100	if (ssl->cipher->blockSize > 1)
2966			{
2967	2		*messageSize += ssl->cipher->blockSize;
2968			}
2969			}
2970	23144	100	else if ((ssl->flags & SSL_FLAGS_WRITE_SECURE) &&
		50
2971	4172	100	(ssl->flags & SSL_FLAGS_TLS_1_1) && (ssl->enBlockSize > 1))
2972			{
2973	1		*messageSize += ssl->enBlockSize;
2974			}
2975			# endif /* USE_TLS_1_1 */
2976
2977			/* This is to catch the FINISHED write for the postponed encode */
2978	25263	100	if (hsType == SSL_HS_FINISHED)
2979			{
2980	2119	100	if (ssl->cipher->flags &
2981			(CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_CCM))
2982			{
2983	2117	50	*messageSize += AEAD_TAG_LEN(ssl) + TLS_EXPLICIT_NONCE_LEN;
2984			}
2985	2	50	else if (ssl->cipher->flags & CRYPTO_FLAGS_CHACHA)
2986			{
2987	2119	0	*messageSize += AEAD_TAG_LEN(ssl);
2988			}
2989			}
2990	23144	100	else if (ssl->flags & SSL_FLAGS_AEAD_W)
2991			{
2992	4171	50	*messageSize += (AEAD_TAG_LEN(ssl) + AEAD_NONCE_LEN(ssl));
		50
2993			}
2994			/*
2995			If this session is already in a secure-write state, determine padding.
2996			Again, the FINISHED message is explicitly checked due to the delay
2997			of the ActivateWriteCipher for flight encodings. In this case, cipher
2998			sizes are taken from ssl->cipher rather than the active values
2999			*/
3000	25263		*padLen = 0;
3001	25263	100	if (hsType == SSL_HS_FINISHED)
3002			{
3003	2119	100	if (ssl->cipher->macSize > 0)
3004			{
3005	2	50	if (ssl->extFlags.truncated_hmac)
3006			{
3007	0		*messageSize += 10;
3008			}
3009			else
3010			{
3011	2		*messageSize += ssl->cipher->macSize;
3012			}
3013			}
3014	2119	100	padLen = psPadLenPwr2(messageSize - ssl->recordHeadLen,
3015			ssl->cipher->blockSize);
3016	2119		messageSize += padLen;
3017			}
3018	23144	100	else if ((ssl->flags & SSL_FLAGS_WRITE_SECURE) &&
		100
3019	4172		!(ssl->flags & SSL_FLAGS_AEAD_W))
3020			{
3021	1		*messageSize += ssl->enMacSize;
3022	1	50	padLen = psPadLenPwr2(messageSize - ssl->recordHeadLen,
3023			ssl->enBlockSize);
3024	1		messageSize += padLen;
3025			}
3026
3027	25263	50	if (end - c < messageSize)
3028			{
3029			/*
3030			Callers other than sslEncodeResponse do not necessarily check for
3031			FULL before calling. We do it here for them.
3032			*/
3033	0		return SSL_FULL;
3034			}
3035
3036			# ifdef USE_DTLS
3037			/*
3038			This routine does not deal with DTLS fragmented messages, but it was
3039			necessary to call for all the length computations to happen in here.
3040			*/
3041			if (ssl->flags & SSL_FLAGS_DTLS)
3042			{
3043			if (*messageSize > ssl->pmtu)
3044			{
3045			psTraceIntDtls("Datagram size %d ", ssl->pmtu);
3046			psTraceIntDtls("too small for message: %d\n", *messageSize);
3047			return DTLS_MUST_FRAG;
3048			}
3049			}
3050			# endif /* USE_DTLS */
3051
3052	25263		*c += psWriteRecordInfo(ssl, (unsigned char) type,
3053	50526		messageSize - ssl->recordHeadLen, c, hsType);
3054
3055			/*
3056			All data written after this point is to be encrypted (if secure-write)
3057			*/
3058	25263		encryptStart = c;
3059	25263		msn = 0;
3060
3061			# ifdef USE_TLS_1_1
3062			/*
3063			Explicit IV notes taken from TLS 1.1 ietf draft.
3064
3065			Generate a cryptographically strong random number R of
3066			length CipherSpec.block_length and prepend it to the plaintext
3067			prior to encryption. In this case either:
3068
3069			The CBC residue from the previous record may be used
3070			as the mask. This preserves maximum code compatibility
3071			with TLS 1.0 and SSL 3. It also has the advantage that
3072			it does not require the ability to quickly reset the IV,
3073			which is known to be a problem on some systems.
3074
3075			The data (R \|\| data) is fed into the encryption process.
3076			The first cipher block containing E(mask XOR R) is placed
3077			in the IV field. The first block of content contains
3078			E(IV XOR data)
3079			*/
3080
3081	25263	100	if (hsType == SSL_HS_FINISHED)
3082			{
3083	2119	50	if ((ssl->flags & SSL_FLAGS_TLS_1_1) && (ssl->cipher->blockSize > 1))
		100
3084			{
3085	2		if (psGetPrngLocked(*c, ssl->cipher->blockSize,
3086			ssl->userPtr) < 0)
3087			{
3088			psTraceInfo("WARNING: psGetPrngLocked failed\n");
3089			}
3090	2119		*c += ssl->cipher->blockSize;
3091			}
3092			}
3093	23144	100	else if ((ssl->flags & SSL_FLAGS_WRITE_SECURE) &&
		50
3094	4172	100	(ssl->flags & SSL_FLAGS_TLS_1_1) &&
3095	4172		(ssl->enBlockSize > 1))
3096			{
3097	1		if (psGetPrngLocked(*c, ssl->enBlockSize, ssl->userPtr) < 0)
3098			{
3099			psTraceInfo("WARNING: psGetPrngLocked failed\n");
3100			}
3101	1		*c += ssl->enBlockSize;
3102			}
3103			# endif /* USE_TLS_1_1 */
3104
3105			/*
3106			Handshake records have another header layer to write here
3107			*/
3108	25263	100	if (type == SSL_RECORD_TYPE_HANDSHAKE)
3109			{
3110			# ifdef USE_DTLS
3111			if (ssl->flags & SSL_FLAGS_DTLS)
3112			{
3113			/*
3114			A message sequence number is unique for each handshake message. It
3115			is not incremented on a resend; that is the record sequence number.
3116			*/
3117			msn = ssl->msn;
3118			ssl->msn++;
3119			/* These aren't useful anymore because of the seqDelay mechanism */
3120			/* psTraceIntDtls("RSN %d, ", ssl->rsn[5]); */
3121			/* psTraceIntDtls("MSN %d, ", msn); */
3122			/* psTraceIntDtls("Epoch %d\n", ssl->epoch[1]); */
3123			}
3124			# endif /* USE_DTLS */
3125	18929		*c += psWriteHandshakeHeader(ssl, (unsigned char) hsType, messageData,
3126			msn, 0, messageData, *c);
3127			}
3128
3129	25263		return PS_SUCCESS;
3130			}
3131
3132
3133			# ifdef USE_ZLIB_COMPRESSION
3134			static int32 encryptCompressedRecord(ssl_t *ssl, int32 type, int32 messageSize,
3135			unsigned char pt, sslBuf_t out, unsigned char **c)
3136			{
3137			unsigned char encryptStart, dataToMacAndEncrypt;
3138			int32 rc, ptLen, divLen, modLen, dataToMacAndEncryptLen;
3139			int32 zret, ztmp;
3140			int32 padLen;
3141
3142
3143			encryptStart = out->end + ssl->recordHeadLen;
3144			if (ssl->flags & SSL_FLAGS_AEAD_W)
3145			{
3146			encryptStart += AEAD_NONCE_LEN(ssl); /* Move past the plaintext nonce */
3147			ssl->outRecType = (unsigned char) type;
3148			}
3149			ptLen = *c - encryptStart;
3150
3151			# ifdef USE_TLS_1_1
3152			if ((ssl->flags & SSL_FLAGS_TLS_1_1) && (ssl->enBlockSize > 1))
3153			{
3154			/* Do not compress IV */
3155			if (type == SSL_RECORD_TYPE_APPLICATION_DATA)
3156			{
3157			/* FUTURE: Application data is passed in with real pt from user but
3158			with the length of the explict IV added already. Can just
3159			encrypt IV in-siture now since the rest of the encypts will be
3160			coming from zlibBuffer */
3161			rc = ssl->encrypt(ssl, encryptStart, encryptStart,
3162			ssl->enBlockSize);
3163			if (rc < 0)
3164			{
3165			psTraceIntInfo("Error encrypting IV: %d\n", rc);
3166			return MATRIXSSL_ERROR;
3167			}
3168			ptLen -= ssl->enBlockSize;
3169			encryptStart += ssl->enBlockSize;
3170			}
3171			else
3172			{
3173			/* Handshake messages have been passed in with plaintext that
3174			begins with the explicit IV and size included. Can just
3175			encrypt IV in-situ now since the rest of the encypts will be
3176			coming from zlibBuffer */
3177			rc = ssl->encrypt(ssl, pt, pt, ssl->enBlockSize);
3178			if (rc < 0)
3179			{
3180			psTraceIntInfo("Error encrypting IV: %d\n", rc);
3181			return MATRIXSSL_ERROR;
3182			}
3183			pt += ssl->enBlockSize;
3184			ptLen -= ssl->enBlockSize;
3185			encryptStart += ssl->enBlockSize;
3186			}
3187			}
3188			# endif
3189
3190			/* Compression is done only on the data itself so the prior work that
3191			was just put into message size calcuations and padding length will
3192			need to be done again after deflate */
3193			ssl->zlibBuffer = psMalloc(ssl->bufferPool, ptLen + MAX_ZLIB_COMPRESSED_OH);
3194			memset(ssl->zlibBuffer, 0, ptLen + MAX_ZLIB_COMPRESSED_OH);
3195			if (ssl->zlibBuffer == NULL)
3196			{
3197			psTraceInfo("Error allocating compression buffer\n");
3198			return MATRIXSSL_ERROR;
3199			}
3200			dataToMacAndEncrypt = ssl->zlibBuffer;
3201			dataToMacAndEncryptLen = ssl->deflate.total_out; /* tmp for later */
3202			/* psTraceBytes("pre deflate", pt, ptLen); */
3203			ssl->deflate.avail_out = ptLen + MAX_ZLIB_COMPRESSED_OH;
3204			ssl->deflate.next_out = dataToMacAndEncrypt;
3205			ssl->deflate.avail_in = ztmp = ptLen;
3206			ssl->deflate.next_in = pt;
3207
3208			/* FUTURE: Deflate would need to be in a smarter loop if large amounts
3209			of data are ever passed through here */
3210			if ((zret = deflate(&ssl->deflate, Z_SYNC_FLUSH)) != Z_OK)
3211			{
3212			psTraceIntInfo("ZLIB deflate error %d\n", zret);
3213			psFree(ssl->zlibBuffer, ssl->bufferPool); ssl->zlibBuffer = NULL;
3214			return MATRIXSSL_ERROR;
3215			}
3216			if (ssl->deflate.avail_in != 0)
3217			{
3218			psTraceIntInfo("ZLIB didn't deflate %d bytes in single pass\n", ptLen);
3219			psFree(ssl->zlibBuffer, ssl->bufferPool); ssl->zlibBuffer = NULL;
3220			deflateEnd(&ssl->deflate);
3221			return MATRIXSSL_ERROR;
3222			}
3223
3224			dataToMacAndEncryptLen = ssl->deflate.total_out - dataToMacAndEncryptLen;
3225			/* psTraceBytes("post deflate", dataToMacAndEncrypt,
3226			dataToMacAndEncryptLen); */
3227			if (dataToMacAndEncryptLen > ztmp)
3228			{
3229			/* Case where compression grew the data. Push out end */
3230			*c += dataToMacAndEncryptLen - ztmp;
3231			}
3232			else
3233			{
3234			/* Compression did good job to shrink. Pull back in */
3235			*c -= ztmp - dataToMacAndEncryptLen;
3236			}
3237
3238			/* Can now calculate new padding length */
3239			padLen = psPadLenPwr2(dataToMacAndEncryptLen + ssl->enMacSize,
3240			ssl->enBlockSize);
3241
3242			/* Now see how this has changed the data lengths */
3243			ztmp = dataToMacAndEncryptLen + ssl->recordHeadLen + ssl->enMacSize + padLen;
3244
3245			# ifdef USE_TLS_1_1
3246			if ((ssl->flags & SSL_FLAGS_TLS_1_1) && (ssl->enBlockSize > 1))
3247			{
3248			ztmp += ssl->enBlockSize;
3249			}
3250			# endif
3251
3252			if (ssl->flags & SSL_FLAGS_AEAD_W)
3253			{
3254			psAssert(padLen == 0);
3255			/* This += works fine because padLen will be zero because enBlockSize
3256			and enMacSize are 0 */
3257			ztmp += AEAD_TAG_LEN(ssl) + AEAD_NONCE_LEN(ssl);
3258
3259			}
3260
3261			/* Possible the length hasn't changed if compression didn't do much */
3262			if (messageSize != ztmp)
3263			{
3264			messageSize = ztmp;
3265			ztmp -= ssl->recordHeadLen;
3266			out->end[3] = (ztmp & 0xFF00) >> 8;
3267			out->end[4] = ztmp & 0xFF;
3268			}
3269
3270			if (type == SSL_RECORD_TYPE_HANDSHAKE)
3271			{
3272			sslUpdateHSHash(ssl, pt, ptLen);
3273			}
3274
3275			if (ssl->generateMac)
3276			{
3277			*c += ssl->generateMac(ssl, (unsigned char) type,
3278			dataToMacAndEncrypt, dataToMacAndEncryptLen, *c);
3279			}
3280
3281			c += sslWritePad(c, (unsigned char) padLen);
3282
3283			if (ssl->flags & SSL_FLAGS_AEAD_W)
3284			{
3285			c += AEAD_TAG_LEN(ssl); / c is tracking end of record here and the
3286			tag has not yet been accounted for */
3287			}
3288
3289			/* Will always be non-insitu since the compressed data is in zlibBuffer.
3290			Requres two encrypts, one for plaintext and one for the
3291			any < blockSize remainder of the plaintext and the mac and pad */
3292			if (ssl->cipher->blockSize > 1)
3293			{
3294			divLen = dataToMacAndEncryptLen & ~(ssl->cipher->blockSize - 1);
3295			modLen = dataToMacAndEncryptLen & (ssl->cipher->blockSize - 1);
3296			}
3297			else
3298			{
3299			if (ssl->flags & SSL_FLAGS_AEAD_W)
3300			{
3301			divLen = dataToMacAndEncryptLen + AEAD_TAG_LEN(ssl);
3302			modLen = 0;
3303			}
3304			else
3305			{
3306			divLen = dataToMacAndEncryptLen;
3307			modLen = 0;
3308			}
3309			}
3310			if (divLen > 0)
3311			{
3312			rc = ssl->encrypt(ssl, dataToMacAndEncrypt, encryptStart,
3313			divLen);
3314			if (rc < 0)
3315			{
3316			psFree(ssl->zlibBuffer, ssl->bufferPool); ssl->zlibBuffer = NULL;
3317			deflateEnd(&ssl->deflate);
3318			psTraceIntInfo("Error encrypting 2: %d\n", rc);
3319			return MATRIXSSL_ERROR;
3320			}
3321			}
3322			if (modLen > 0)
3323			{
3324			memcpy(encryptStart + divLen, dataToMacAndEncrypt + divLen,
3325			modLen);
3326			}
3327			rc = ssl->encrypt(ssl, encryptStart + divLen,
3328			encryptStart + divLen, modLen + ssl->enMacSize + padLen);
3329
3330			if (rc < 0 \|\| (*c - out->end != messageSize))
3331			{
3332			psFree(ssl->zlibBuffer, ssl->bufferPool); ssl->zlibBuffer = NULL;
3333			deflateEnd(&ssl->deflate);
3334			psTraceIntInfo("Error encrypting 3: %d\n", rc);
3335			return MATRIXSSL_ERROR;
3336			}
3337			psFree(ssl->zlibBuffer, ssl->bufferPool); ssl->zlibBuffer = NULL;
3338			/* Will not need the context any longer since FINISHED is the only
3339			supported message */
3340			deflateEnd(&ssl->deflate);
3341
3342			# ifdef USE_DTLS
3343			/*
3344			Waited to increment record sequence number until completely finished
3345			with the encoding because the HMAC in DTLS uses the rsn of current record
3346			*/
3347			if (ssl->flags & SSL_FLAGS_DTLS)
3348			{
3349			dtlsIncrRsn(ssl);
3350			}
3351			# endif /* USE_DTLS */
3352
3353			return MATRIXSSL_SUCCESS;
3354			}
3355			# endif /* USE_ZLIB_COMPRESSION */
3356
3357
3358			/******************************************************************************/
3359			/*
3360			Flights are encypted after they are fully written so this function
3361			just moves the buffer forward to account for the encryption overhead that
3362			will be filled in later
3363			*/
3364	9885		static int32 postponeEncryptRecord(ssl_t *ssl, int32 type, int32 hsMsg,
3365			int32 messageSize, int32 padLen, unsigned char *pt,
3366			sslBuf_t out, unsigned char *c)
3367			{
3368			flightEncode_t flight, prev;
3369			unsigned char *encryptStart;
3370			int32 ptLen;
3371
3372	9885	50	if ((flight = psMalloc(ssl->flightPool, sizeof(flightEncode_t))) == NULL)
3373			{
3374	0		return PS_MEM_FAIL;
3375			}
3376	9885		memset(flight, 0x0, sizeof(flightEncode_t));
3377	9885	100	if (ssl->flightEncode == NULL)
3378			{
3379	3266		ssl->flightEncode = flight;
3380			}
3381			else
3382			{
3383	6619		prev = ssl->flightEncode;
3384	11118	100	while (prev->next)
3385			{
3386	4499		prev = prev->next;
3387			}
3388	6619		prev->next = flight;
3389			}
3390	9885		encryptStart = out->end + ssl->recordHeadLen;
3391
3392	9885	100	if (hsMsg == SSL_HS_FINISHED)
3393			{
3394	2119	100	if (ssl->cipher->flags & (CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_CCM))
3395			{
3396	2119		encryptStart += TLS_EXPLICIT_NONCE_LEN;
3397			}
3398			}
3399	7766	100	else if (ssl->flags & SSL_FLAGS_AEAD_W)
3400			{
3401	40	50	encryptStart += AEAD_NONCE_LEN(ssl); /* Move past the plaintext nonce */
3402			}
3403
3404	9885		ptLen = (int32) (*c - encryptStart);
3405
3406	9885		flight->start = pt;
3407	9885		flight->len = ptLen;
3408	9885		flight->type = type;
3409	9885		flight->padLen = padLen;
3410	9885		flight->messageSize = messageSize;
3411	9885		flight->hsMsg = hsMsg;
3412	9885		flight->seqDelay = ssl->seqDelay;
3413
3414	9885	100	if (hsMsg == SSL_HS_FINISHED)
3415			{
3416	2119	100	if (!(ssl->cipher->flags &
3417			(CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_CHACHA \| CRYPTO_FLAGS_CCM)))
3418			{
3419	2	50	if (ssl->extFlags.truncated_hmac)
3420			{
3421	0		*c += 10;
3422			}
3423			else
3424			{
3425	2		*c += ssl->cipher->macSize;
3426			}
3427			}
3428			else
3429			{
3430	2119		*c += ssl->cipher->macSize;
3431			}
3432			}
3433			else
3434			{
3435	7766		*c += ssl->enMacSize;
3436			}
3437	9885		*c += padLen;
3438
3439	9885	100	if (hsMsg == SSL_HS_FINISHED)
3440			{
3441	2119	100	if (ssl->cipher->flags &
3442			(CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_CHACHA \| CRYPTO_FLAGS_CCM))
3443			{
3444	2119	50	*c += AEAD_TAG_LEN(ssl);
3445			}
3446			}
3447	7766	100	else if (ssl->flags & SSL_FLAGS_AEAD_W)
3448			{
3449	40	50	c += AEAD_TAG_LEN(ssl); / c is tracking end of record here and the
3450			tag has not yet been accounted for */
3451			}
3452
3453			# ifdef USE_TLS_1_1
3454			# endif /* USE_TLS_1_1 */
3455
3456	9885	50	if (*c - out->end != messageSize)
3457			{
3458			psTraceIntInfo("postponeEncryptRecord length test failed: wanted %d ",
3459			messageSize);
3460			psTraceIntInfo("but generated %d\n", (int32) (*c - out->end));
3461	0		return MATRIXSSL_ERROR;
3462			}
3463	9885		return MATRIXSSL_SUCCESS;
3464			}
3465
3466			/******************************************************************************/
3467			/*
3468			Encrypt the message using the current cipher. This call is used in
3469			conjunction with the writeRecordHeader() function above to finish writing
3470			an SSL record. Updates handshake hash if necessary, generates message
3471			MAC, writes the padding, and does the encryption.
3472
3473			messageSize is the final size, with header, mac and padding of the output
3474			messageSize - 5 = ssl.recLen
3475			* c - encryptStart = plaintext length
3476			*/
3477	25263		static int32 encryptRecord(ssl_t *ssl, int32 type, int32 hsMsgType,
3478			int32 messageSize, int32 padLen, unsigned char *pt,
3479			sslBuf_t out, unsigned char *c)
3480			{
3481			unsigned char *encryptStart;
3482			int32 rc, ptLen, divLen, modLen;
3483
3484			# ifdef USE_ZLIB_COMPRESSION
3485			/* In the current implementation, MatrixSSL will only internally handle
3486			the compression and decompression of the FINISHED message. Application
3487			data will be compressed and decompressed by the caller.
3488			Re-handshakes are not supported and this would have been caught
3489			earlier in the state machine so if the record type is HANDSHAKE we
3490			can be sure this is the FINISHED message
3491
3492			This should allow compatibility with SSL implementations that support
3493			ZLIB compression */
3494			if (ssl->flags & SSL_FLAGS_WRITE_SECURE && ssl->compression &&
3495			type == SSL_RECORD_TYPE_HANDSHAKE)
3496			{
3497			return encryptCompressedRecord(ssl, type, messageSize, pt, out, c);
3498			}
3499			# endif
3500
3501	25263		encryptStart = out->end + ssl->recordHeadLen;
3502
3503	25263	100	if (ssl->flags & SSL_FLAGS_AEAD_W)
3504			{
3505	6288	50	encryptStart += AEAD_NONCE_LEN(ssl); /* Move past the plaintext nonce */
3506	6288		ssl->outRecType = (unsigned char) type;
3507			}
3508
3509	25263		ptLen = (int32) (*c - encryptStart);
3510			# ifdef USE_TLS
3511			# ifdef USE_TLS_1_1
3512	25263	100	if ((ssl->flags & SSL_FLAGS_WRITE_SECURE) &&
		50
3513	6291	100	(ssl->flags & SSL_FLAGS_TLS_1_1) && (ssl->enBlockSize > 1))
3514			{
3515			/*
3516			Don't add the random bytes into the hash of the message. Makes
3517			things very easy on the other side to simply discard the randoms
3518			*/
3519	3	100	if (type == SSL_RECORD_TYPE_HANDSHAKE)
3520			{
3521	2		sslUpdateHSHash(ssl, pt + ssl->enBlockSize,
3522	2		ptLen - ssl->enBlockSize);
3523	2	50	if (hsMsgType == SSL_HS_CLIENT_KEY_EXCHANGE &&
		0
3524	0		ssl->extFlags.extended_master_secret == 1)
3525			{
3526	0	0	if (tlsExtendedDeriveKeys(ssl) < 0)
3527			{
3528	0		return MATRIXSSL_ERROR;
3529			}
3530			}
3531			}
3532	6	100	if (type == SSL_RECORD_TYPE_APPLICATION_DATA)
3533			{
3534			/* Application data is passed in with real pt from user but
3535			with the length of the explict IV added already */
3536	1		*c += ssl->generateMac(ssl, (unsigned char) type,
3537	1		pt, ptLen - ssl->enBlockSize, *c);
3538			/* While we are in here, let's see if this is an in-situ case */
3539	1	50	if (encryptStart + ssl->enBlockSize == pt)
3540			{
3541	0		pt = encryptStart;
3542			}
3543			else
3544			{
3545			/* Not in-situ. Encrypt the explict IV now */
3546	1	50	if ((rc = ssl->encrypt(ssl, encryptStart,
3547	1		encryptStart, ssl->enBlockSize)) < 0)
3548			{
3549			psTraceIntInfo("Error encrypting explicit IV: %d\n", rc);
3550	0		return MATRIXSSL_ERROR;
3551			}
3552	1		encryptStart += ssl->enBlockSize;
3553	1		ptLen -= ssl->enBlockSize;
3554			}
3555			}
3556			else
3557			{
3558			/* Handshake messages have been passed in with plaintext that
3559			begins with the explicit IV and size included */
3560	2		*c += ssl->generateMac(ssl, (unsigned char) type,
3561	4		pt + ssl->enBlockSize, ptLen - ssl->enBlockSize, *c);
3562			}
3563			}
3564			else
3565			{
3566			# endif /* USE_TLS_1_1 */
3567	25260	100	if (type == SSL_RECORD_TYPE_HANDSHAKE)
3568			{
3569	18927	50	if ((rc = sslUpdateHSHash(ssl, pt, ptLen)) < 0)
3570			{
3571	0		return rc;
3572			}
3573			/* Explicit state test for peforming the extended master secret
3574			calculation. The sslUpdateHsHash immediately above has just
3575			ran the ClientKeyExchange message through the hash so now
3576			we can snapshot and create the key block */
3577	18927	100	if (hsMsgType == SSL_HS_CLIENT_KEY_EXCHANGE &&
		50
3578	1058		ssl->extFlags.extended_master_secret == 1)
3579			{
3580	1058	50	if (tlsExtendedDeriveKeys(ssl) < 0)
3581			{
3582	0		return MATRIXSSL_ERROR;
3583			}
3584			}
3585			}
3586	25260	100	if (ssl->generateMac)
3587			{
3588	18972		c += ssl->generateMac(ssl, (unsigned char) type, pt, ptLen, c);
3589			}
3590			# ifdef USE_TLS_1_1
3591			}
3592			# endif /* USE_TLS_1_1 */
3593			# else /* USE_TLS */
3594			if (type == SSL_RECORD_TYPE_HANDSHAKE)
3595			{
3596			sslUpdateHSHash(ssl, pt, ptLen);
3597			}
3598			*c += ssl->generateMac(ssl, (unsigned char) type, pt,
3599			ptLen, *c);
3600			# endif /* USE_TLS */
3601
3602	25263		c += sslWritePad(c, (unsigned char) padLen);
3603
3604	25263	100	if (ssl->flags & SSL_FLAGS_AEAD_W)
3605			{
3606	6288	50	c += AEAD_TAG_LEN(ssl); / c is tracking end of record here and the
3607			tag has not yet been accounted for */
3608			}
3609
3610	25263	100	if (pt == encryptStart)
3611			{
3612			/* In-situ encode */
3613	21139	50	if ((rc = ssl->encrypt(ssl, pt, encryptStart,
3614	21139	50	(uint32) (*c - encryptStart))) < 0 \|\|
3615	21139		*c - out->end != messageSize)
3616			{
3617			psTraceIntInfo("Error encrypting 1: %d\n", rc);
3618			psTraceIntInfo("messageSize is %d\n", messageSize);
3619			psTraceIntInfo("pointer diff %d\n", *c - out->end);
3620			psTraceIntInfo("cipher suite %d\n", ssl->cipher->ident);
3621	0		return MATRIXSSL_ERROR;
3622			}
3623			}
3624			else
3625			{
3626			/*
3627			Non-insitu requres two encrypts, one for plaintext and one for the
3628			any < blockSize remainder of the plaintext and the mac and pad
3629			*/
3630	4124	50	if (ssl->flags & SSL_FLAGS_WRITE_SECURE)
3631			{
3632	4124	100	if (ssl->cipher->blockSize > 1)
3633			{
3634	1		divLen = ptLen & ~(ssl->cipher->blockSize - 1);
3635	1		modLen = ptLen & (ssl->cipher->blockSize - 1);
3636			}
3637			else
3638			{
3639	4123	50	if (ssl->flags & SSL_FLAGS_AEAD_W)
3640			{
3641	4123	50	divLen = ptLen + AEAD_TAG_LEN(ssl);
3642	4123		modLen = 0;
3643			}
3644			else
3645			{
3646	0		divLen = ptLen;
3647	0		modLen = 0;
3648			}
3649			}
3650	4124	50	if (divLen > 0)
3651			{
3652	4124		rc = ssl->encrypt(ssl, pt, encryptStart, divLen);
3653	4124	50	if (rc < 0)
3654			{
3655			psTraceIntInfo("Error encrypting 2: %d\n", rc);
3656	0		return MATRIXSSL_ERROR;
3657			}
3658			}
3659	4124	100	if (modLen > 0)
3660			{
3661	1		memcpy(encryptStart + divLen, pt + divLen, modLen);
3662			}
3663	4124		rc = ssl->encrypt(ssl, encryptStart + divLen,
3664	4124		encryptStart + divLen, modLen + ssl->enMacSize + padLen);
3665			}
3666			else
3667			{
3668	0		rc = ssl->encrypt(ssl, pt, encryptStart,
3669	0		(uint32) (*c - encryptStart));
3670			}
3671	4124	50	if (rc < 0 \|\| (*c - out->end != messageSize))
		50
3672			{
3673			psTraceIntInfo("Error encrypting 3: %d\n", rc);
3674	0		return MATRIXSSL_ERROR;
3675			}
3676			}
3677			# ifdef USE_DTLS
3678			/*
3679			Waited to increment record sequence number until completely finished
3680			with the encoding because the HMAC in DTLS uses the rsn of current record
3681			*/
3682			if (ssl->flags & SSL_FLAGS_DTLS)
3683			{
3684			dtlsIncrRsn(ssl);
3685			}
3686			# endif /* USE_DTLS */
3687
3688	25263	50	if (*c - out->end != messageSize)
3689			{
3690			psTraceInfo("encryptRecord length sanity test failed\n");
3691	0		return MATRIXSSL_ERROR;
3692			}
3693	25263		return MATRIXSSL_SUCCESS;
3694			}
3695
3696			# ifdef USE_SERVER_SIDE_SSL
3697			/******************************************************************************/
3698			/*
3699			Write out the ServerHello message
3700			*/
3701	1149		static int32 writeServerHello(ssl_t ssl, sslBuf_t out)
3702			{
3703			unsigned char c, end, *encryptStart;
3704			psSize_t messageSize;
3705			uint8_t padLen;
3706	1149		int32 t, rc, extLen = 0;
3707
3708			psTraceHs("<<< Server creating SERVER_HELLO message\n");
3709	1149		c = out->end;
3710	1149		end = out->buf + out->size;
3711			/*
3712			Calculate the size of the message up front, and verify we have room
3713			We assume there will be a sessionId in the message, and make adjustments
3714			below if there is no sessionId.
3715			*/
3716	2298		messageSize =
3717	1149		ssl->recordHeadLen +
3718	1149		ssl->hshakeHeadLen +
3719			38 + SSL_MAX_SESSION_ID_SIZE;
3720
3721			# ifdef ENABLE_SECURE_REHANDSHAKES
3722			# ifdef USE_DTLS
3723			/*
3724			Can run into a problem if doing a new resumed handshake because the flight
3725			is SERVER_HELLO, CCS, and FINISHED which will populate myVerifyData
3726			which will confuse the resend logic here that we are doing a rehandshake.
3727			If peerVerifyData isn't available and we're doing a retransmit we know
3728			this is the problematic case so forget we have a myVerifyData
3729			*/
3730			if (ssl->flags & SSL_FLAGS_DTLS)
3731			{
3732			if ((ssl->secureRenegotiationFlag == PS_TRUE) && (ssl->retransmit == 1)
3733			&& (ssl->myVerifyDataLen > 0) && (ssl->peerVerifyDataLen == 0))
3734			{
3735			ssl->myVerifyDataLen = 0;
3736			}
3737			}
3738			# endif
3739			/*
3740			The RenegotiationInfo extension lengths are well known
3741			*/
3742	1149	50	if (ssl->secureRenegotiationFlag == PS_TRUE && ssl->myVerifyDataLen == 0)
		100
3743			{
3744	1142		extLen = 7; /* 00 05 ff 01 00 01 00 */
3745			}
3746	7	50	else if (ssl->secureRenegotiationFlag == PS_TRUE &&
		50
3747	7		ssl->myVerifyDataLen > 0)
3748			{
3749	7		extLen = 2 + 5 + ssl->myVerifyDataLen + ssl->peerVerifyDataLen;
3750			}
3751			# endif /* ENABLE_SECURE_REHANDSHAKES */
3752
3753			# ifdef USE_ECC_CIPHER_SUITE
3754	1149	100	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
3755			{
3756	1148	50	if (extLen == 0)
3757			{
3758	0		extLen = 2; /* if first extension, add two byte total len */
3759			}
3760			/* EXT_ELLIPTIC_POINTS - hardcoded to 'uncompressed' support */
3761	1148		extLen += 6; /* 00 0B 00 02 01 00 */
3762			}
3763			# endif /* USE_ECC_CIPHER_SUITE */
3764
3765	1149	50	if (ssl->maxPtFrag < SSL_MAX_PLAINTEXT_LEN)
3766			{
3767	0	0	if (extLen == 0)
3768			{
3769	0		extLen = 2;
3770			}
3771	0		extLen += 5;
3772			}
3773
3774	1149	50	if (ssl->extFlags.truncated_hmac)
3775			{
3776	0	0	if (extLen == 0)
3777			{
3778	0		extLen = 2;
3779			}
3780	0		extLen += 4;
3781			}
3782
3783	1149	50	if (ssl->extFlags.extended_master_secret)
3784			{
3785	1149	50	if (extLen == 0)
3786			{
3787	0		extLen = 2;
3788			}
3789	1149		extLen += 4;
3790			}
3791
3792			# ifdef USE_STATELESS_SESSION_TICKETS
3793	1149	50	if (ssl->sid && ssl->sid->sessionTicketState == SESS_TICKET_STATE_RECVD_EXT)
		0
3794			{
3795	0	0	if (extLen == 0)
3796			{
3797	0		extLen = 2;
3798			}
3799	0		extLen += 4;
3800			}
3801			# endif
3802
3803	1149	50	if (ssl->extFlags.sni)
3804			{
3805	0	0	if (extLen == 0)
3806			{
3807	0		extLen = 2;
3808			}
3809	0		extLen += 4;
3810			}
3811			# ifdef USE_OCSP
3812	1149	50	if (ssl->extFlags.status_request)
3813			{
3814	0	0	if (extLen == 0)
3815			{
3816	0		extLen = 2;
3817			}
3818	0		extLen += 4;
3819			}
3820			# endif
3821
3822			# ifdef USE_SCT
3823	1149	50	if (ssl->extFlags.signed_certificate_timestamp) {
3824	0	0	if (extLen == 0) {
3825	0		extLen = 2;
3826			}
3827	0		extLen += 2 + 2 + 2 + ssl->keys->SCTResponseBufLen; /* 2 type, 2 len, data */
3828			}
3829			# endif
3830
3831			# ifdef USE_ALPN
3832	1149	50	if (ssl->alpnLen)
3833			{
3834	0	0	if (extLen == 0)
3835			{
3836	0		extLen = 2;
3837			}
3838	0		extLen += 6 + 1 + ssl->alpnLen; /* 6 type/len + 1 len + data */
3839			}
3840			# endif
3841
3842	1149		messageSize += extLen;
3843	1149		t = 1;
3844			# ifdef USE_DTLS
3845			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 1))
3846			{
3847			/*
3848			All retransmits must generate identical handshake messages as the
3849			original. This is to ensure both sides are running the same material
3850			through the handshake hash
3851			*/
3852			t = 0;
3853			}
3854			# endif /* USE_DTLS */
3855
3856	1149	50	if (t)
3857			{
3858			/** @security RFC says to set the first 4 bytes to time, but best common practice is
3859			to use full 32 bytes of random. This is forward looking to TLS 1.3, and also works
3860			better for embedded platforms and FIPS secret key material.
3861			@see https://www.ietf.org/mail-archive/web/tls/current/msg09861.html */
3862			# ifdef SEND_HELLO_RANDOM_TIME
3863			/* First 4 bytes of the serverRandom are the unix time to prevent replay
3864			attacks, the rest are random */
3865			t = psGetTime(NULL, ssl->userPtr);
3866			ssl->sec.serverRandom[0] = (unsigned char) ((t & 0xFF000000) >> 24);
3867			ssl->sec.serverRandom[1] = (unsigned char) ((t & 0xFF0000) >> 16);
3868			ssl->sec.serverRandom[2] = (unsigned char) ((t & 0xFF00) >> 8);
3869			ssl->sec.serverRandom[3] = (unsigned char) (t & 0xFF);
3870			if (psGetPrngLocked(ssl->sec.serverRandom + 4,
3871			SSL_HS_RANDOM_SIZE - 4, ssl->userPtr) < 0)
3872			{
3873			return MATRIXSSL_ERROR;
3874			}
3875			# else
3876	1149	50	if (psGetPrngLocked(ssl->sec.serverRandom,
3877			SSL_HS_RANDOM_SIZE, ssl->userPtr) < 0)
3878			{
3879	0		return MATRIXSSL_ERROR;
3880			}
3881			# endif
3882			}
3883
3884			/*
3885			We register session here because at this point the serverRandom value is
3886			populated. If we are able to register the session, the sessionID and
3887			sessionIdLen fields will be non-NULL, otherwise the session couldn't
3888			be registered.
3889			*/
3890	1149	100	if (!(ssl->flags & SSL_FLAGS_RESUMED))
3891			{
3892	1147		matrixRegisterSession(ssl);
3893			}
3894	1149		messageSize -= (SSL_MAX_SESSION_ID_SIZE - ssl->sessionIdLen);
3895
3896	1149	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
3897			SSL_HS_SERVER_HELLO, &messageSize, &padLen, &encryptStart,
3898			end, &c)) < 0)
3899			{
3900	0		return rc;
3901			}
3902			/*
3903			First two fields in the ServerHello message are the major and minor
3904			SSL protocol versions we agree to talk with
3905			*/
3906	1149		*c = ssl->majVer; c++;
3907	1149		*c = ssl->minVer; c++;
3908
3909			/*
3910			The next 32 bytes are the server's random value, to be combined with
3911			the client random and premaster for key generation later
3912			*/
3913	1149		memcpy(c, ssl->sec.serverRandom, SSL_HS_RANDOM_SIZE);
3914	1149		c += SSL_HS_RANDOM_SIZE;
3915			/*
3916			The next data is a single byte containing the session ID length,
3917			and up to 32 bytes containing the session id.
3918			First register the session, which will give us a session id and length
3919			if not all session slots in the table are used
3920			*/
3921	1149		*c = (unsigned char) ssl->sessionIdLen; c++;
3922	1149	50	if (ssl->sessionIdLen > 0)
3923			{
3924	1149		memcpy(c, ssl->sessionId, ssl->sessionIdLen);
3925	1149		c += ssl->sessionIdLen;
3926			}
3927			/*
3928			Two byte cipher suite we've chosen based on the list sent by the client
3929			and what we support.
3930			One byte compression method (always zero)
3931			*/
3932	1149		*c = (ssl->cipher->ident & 0xFF00) >> 8; c++;
3933	1149		*c = ssl->cipher->ident & 0xFF; c++;
3934			# ifdef USE_ZLIB_COMPRESSION
3935			if (ssl->compression)
3936			{
3937			*c = 1; c++;
3938			}
3939			else
3940			{
3941			*c = 0; c++;
3942			}
3943			# else
3944	1149		*c = 0; c++;
3945			# endif
3946
3947	1149	50	if (extLen != 0)
3948			{
3949	1149		extLen -= 2; /* Don't add self to total extension len */
3950	1149		*c = (extLen & 0xFF00) >> 8; c++;
3951	1149		*c = extLen & 0xFF; c++;
3952
3953	1149	50	if (ssl->maxPtFrag < SSL_MAX_PLAINTEXT_LEN)
3954			{
3955	0		*c = 0x0; c++;
3956	0		*c = 0x1; c++;
3957	0		*c = 0x0; c++;
3958	0		*c = 0x1; c++;
3959
3960	0	0	if (ssl->maxPtFrag == 0x200)
3961			{
3962	0		*c = 0x1; c++;
3963			}
3964	0	0	if (ssl->maxPtFrag == 0x400)
3965			{
3966	0		*c = 0x2; c++;
3967			}
3968	0	0	if (ssl->maxPtFrag == 0x800)
3969			{
3970	0		*c = 0x3; c++;
3971			}
3972	0	0	if (ssl->maxPtFrag == 0x1000)
3973			{
3974	0		*c = 0x4; c++;
3975			}
3976			}
3977	1149	50	if (ssl->extFlags.truncated_hmac)
3978			{
3979	0		*c = (EXT_TRUNCATED_HMAC & 0xFF00) >> 8; c++;
3980	0		*c = EXT_TRUNCATED_HMAC & 0xFF; c++;
3981	0		*c = 0; c++;
3982	0		*c = 0; c++;
3983			}
3984	1149	50	if (ssl->extFlags.extended_master_secret)
3985			{
3986	1149		*c = (EXT_EXTENDED_MASTER_SECRET & 0xFF00) >> 8; c++;
3987	1149		*c = EXT_EXTENDED_MASTER_SECRET & 0xFF; c++;
3988	1149		*c = 0; c++;
3989	1149		*c = 0; c++;
3990			}
3991
3992			# ifdef USE_STATELESS_SESSION_TICKETS
3993	1149	50	if (ssl->sid &&
		0
3994	0		ssl->sid->sessionTicketState == SESS_TICKET_STATE_RECVD_EXT)
3995			{
3996			/* This empty extension is ALWAYS an indication to the client that
3997			a NewSessionTicket handshake message will be sent */
3998	0		*c = (EXT_SESSION_TICKET & 0xFF00) >> 8; c++;
3999	0		*c = EXT_SESSION_TICKET & 0xFF; c++;
4000	0		*c = 0; c++;
4001	0		*c = 0; c++;
4002			}
4003			# endif
4004
4005	1149	50	if (ssl->extFlags.sni)
4006			{
4007	0		*c = (EXT_SNI & 0xFF00) >> 8; c++;
4008	0		*c = EXT_SNI & 0xFF; c++;
4009	0		*c = 0; c++;
4010	0		*c = 0; c++;
4011			}
4012			# ifdef USE_OCSP
4013	1149	50	if (ssl->extFlags.status_request)
4014			{
4015	0		*c = (EXT_STATUS_REQUEST & 0xFF00) >> 8; c++;
4016	0		*c = EXT_STATUS_REQUEST & 0xFF; c++;
4017	0		*c = 0; c++;
4018	0		*c = 0; c++;
4019			}
4020			# endif
4021
4022			# ifdef USE_SCT
4023	1149	50	if (ssl->extFlags.signed_certificate_timestamp)
4024			{
4025	0		*c = (EXT_SIGNED_CERTIFICATE_TIMESTAMP & 0xFF00) >> 8; c++;
4026	0		*c = EXT_SIGNED_CERTIFICATE_TIMESTAMP & 0xFF; c++;
4027	0		*c = ((ssl->keys->SCTResponseBufLen + 2) & 0xFF00) >> 8; c++;
4028	0		*c = (ssl->keys->SCTResponseBufLen + 2) & 0xFF; c++;
4029	0		*c = (ssl->keys->SCTResponseBufLen & 0xFF00) >> 8; c++;
4030	0		*c = ssl->keys->SCTResponseBufLen & 0xFF; c++;
4031	0		memcpy(c, ssl->keys->SCTResponseBuf, ssl->keys->SCTResponseBufLen);
4032	0		c += ssl->keys->SCTResponseBufLen;
4033			}
4034			# endif
4035
4036			# ifdef USE_ALPN
4037	1149	50	if (ssl->alpnLen)
4038			{
4039	0		*c = (EXT_ALPN & 0xFF00) >> 8; c++;
4040	0		*c = EXT_ALPN & 0xFF; c++;
4041			/* Total ext len can be hardcoded +3 because only one proto reply */
4042	0		*c = ((ssl->alpnLen + 3) & 0xFF00) >> 8; c++;
4043	0		*c = (ssl->alpnLen + 3) & 0xFF; c++;
4044			/* Can only ever be a reply of one proto so explict len +1 works */
4045	0		*c = ((ssl->alpnLen + 1) & 0xFF00) >> 8; c++;
4046	0		*c = (ssl->alpnLen + 1) & 0xFF; c++;
4047	0		*c = ssl->alpnLen; c++;
4048	0		memcpy(c, ssl->alpn, ssl->alpnLen);
4049	0		c += ssl->alpnLen;
4050	0		psFree(ssl->alpn, ssl->sPool); ssl->alpn = NULL; /* app must store if needed */
4051	0		ssl->alpnLen = 0;
4052			}
4053			# endif
4054
4055			# ifdef ENABLE_SECURE_REHANDSHAKES
4056	1149	50	if (ssl->secureRenegotiationFlag == PS_TRUE)
4057			{
4058			/* RenegotiationInfo*/
4059	1149		*c = (EXT_RENEGOTIATION_INFO & 0xFF00) >> 8; c++;
4060	1149		*c = EXT_RENEGOTIATION_INFO & 0xFF; c++;
4061	1149	100	if (ssl->myVerifyDataLen == 0)
4062			{
4063	1142		*c = 0; c++;
4064	1142		*c = 1; c++;
4065	1142		*c = 0; c++;
4066			}
4067			else
4068			{
4069	7		*c = ((ssl->myVerifyDataLen + ssl->peerVerifyDataLen + 1) & 0xFF00) >> 8;
4070	7		c++;
4071	7		*c = (ssl->myVerifyDataLen + ssl->peerVerifyDataLen + 1) & 0xFF;
4072	7		c++;
4073	7		*c = (ssl->myVerifyDataLen + ssl->peerVerifyDataLen) & 0xFF; c++;
4074	7		memcpy(c, ssl->peerVerifyData, ssl->peerVerifyDataLen);
4075	7		c += ssl->peerVerifyDataLen;
4076	7		memcpy(c, ssl->myVerifyData, ssl->myVerifyDataLen);
4077	7		c += ssl->myVerifyDataLen;
4078			}
4079			}
4080			# endif /* ENABLE_SECURE_REHANDSHAKES */
4081
4082			# ifdef USE_ECC_CIPHER_SUITE
4083	1149	100	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
4084			{
4085	1148		*c = (EXT_ELLIPTIC_POINTS & 0xFF00) >> 8; c++;
4086	1148		*c = EXT_ELLIPTIC_POINTS & 0xFF; c++;
4087	1148		*c = 0x00; c++;
4088	1148		*c = 0x02; c++;
4089	1148		*c = 0x01; c++;
4090	1148		*c = 0x00; c++;
4091			}
4092			# endif /* USE_ECC_CIPHER_SUITE */
4093			}
4094
4095	1149	50	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4096			SSL_HS_SERVER_HELLO, messageSize, padLen, encryptStart, out, &c))
4097			< 0)
4098			{
4099	0		return rc;
4100			}
4101			/*
4102			If we're resuming a session, we now have the clientRandom, master and
4103			serverRandom, so we can derive keys which we'll be using shortly.
4104			*/
4105	1149	100	if (ssl->flags & SSL_FLAGS_RESUMED)
4106			{
4107	2	50	if ((rc = sslCreateKeys(ssl)) < 0)
4108			{
4109	0		return rc;
4110			}
4111			}
4112	1149		out->end = c;
4113
4114			# ifdef USE_MATRIXSSL_STATS
4115			matrixsslUpdateStat(ssl, SH_SENT_STAT, 1);
4116			# endif
4117	1149		return MATRIXSSL_SUCCESS;
4118			}
4119
4120			/******************************************************************************/
4121			/*
4122			ServerHelloDone message is a blank handshake message
4123			*/
4124	1147		static int32 writeServerHelloDone(ssl_t ssl, sslBuf_t out)
4125			{
4126			unsigned char c, end, *encryptStart;
4127			uint8_t padLen;
4128			psSize_t messageSize;
4129			int32_t rc;
4130
4131			psTraceHs("<<< Server creating SERVER_HELLO_DONE message\n");
4132	1147		c = out->end;
4133	1147		end = out->buf + out->size;
4134	2294		messageSize =
4135	1147		ssl->recordHeadLen +
4136	1147		ssl->hshakeHeadLen;
4137
4138	1147	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4139			SSL_HS_SERVER_HELLO_DONE, &messageSize, &padLen,
4140			&encryptStart, end, &c)) < 0)
4141			{
4142	0		return rc;
4143			}
4144
4145	1147	50	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4146			SSL_HS_SERVER_HELLO_DONE, messageSize, padLen, encryptStart, out,
4147			&c)) < 0)
4148			{
4149	0		return rc;
4150			}
4151	1147		out->end = c;
4152	1147		return MATRIXSSL_SUCCESS;
4153			}
4154			# ifdef USE_PSK_CIPHER_SUITE
4155			/******************************************************************************/
4156			/*
4157			The PSK cipher version of ServerKeyExchange. Was able to single this
4158			message out with a dedicated write simply due to the flight
4159			logic of DH ciphers. The ClientKeyExchange message for PSK was rolled
4160			into the generic function, for example.
4161			*/
4162	0		static int32 writePskServerKeyExchange(ssl_t ssl, sslBuf_t out)
4163			{
4164			unsigned char c, end, *encryptStart;
4165			unsigned char *hint;
4166			psSize_t messageSize;
4167			uint8_t padLen, hintLen;
4168			int32_t rc;
4169
4170			psTraceHs("<<< Server creating SERVER_KEY_EXCHANGE message\n");
4171			# ifdef USE_DHE_CIPHER_SUITE
4172			/*
4173			This test prevents a second ServerKeyExchange from being written if a
4174			PSK_DHE cipher was choosen. This is an ugly side-effect of the many
4175			combinations of cipher suites being supported in the 'flight' based
4176			state machine model
4177			*/
4178	0	0	if (ssl->flags & SSL_FLAGS_DHE_KEY_EXCH)
4179			{
4180	0		return MATRIXSSL_SUCCESS;
4181			}
4182			# endif /* USE_DHE_CIPHER_SUITE */
4183
4184	0	0	if (matrixPskGetHint(ssl, &hint, &hintLen) < 0)
4185			{
4186	0		return MATRIXSSL_ERROR;
4187			}
4188	0	0	if (hint == NULL \|\| hintLen == 0)
		0
4189			{
4190	0		return MATRIXSSL_SUCCESS;
4191			}
4192
4193	0		c = out->end;
4194	0		end = out->buf + out->size;
4195
4196	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen + hintLen + 2;
4197
4198	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4199			SSL_HS_SERVER_KEY_EXCHANGE, &messageSize, &padLen,
4200			&encryptStart, end, &c)) < 0)
4201			{
4202	0		return rc;
4203			}
4204
4205	0		*c = 0; c++;
4206	0		*c = (hintLen & 0xFF); c++;
4207	0		memcpy(c, hint, hintLen);
4208	0		c += hintLen;
4209
4210	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4211			SSL_HS_SERVER_KEY_EXCHANGE, messageSize, padLen, encryptStart,
4212			out, &c)) < 0)
4213			{
4214	0		return rc;
4215			}
4216	0		out->end = c;
4217	0		return MATRIXSSL_SUCCESS;
4218			}
4219			# endif /* USE_PSK_CIPHER_SUITE */
4220
4221			# ifdef USE_STATELESS_SESSION_TICKETS /* Already inside a USE_SERVER_SIDE block */
4222	0		static int32 writeNewSessionTicket(ssl_t ssl, sslBuf_t out)
4223			{
4224			unsigned char c, end, *encryptStart;
4225			uint8_t padLen;
4226			psSize_t messageSize;
4227			int32_t rc;
4228
4229			psTraceHs("<<< Server creating NEW_SESSION_TICKET message\n");
4230	0		c = out->end;
4231	0		end = out->buf + out->size;
4232
4233			/* magic 6 is 4 bytes lifetime hint and 2 bytes len */
4234	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
4235	0		matrixSessionTicketLen() + 6;
4236
4237	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4238			SSL_HS_NEW_SESSION_TICKET, &messageSize, &padLen,
4239			&encryptStart, end, &c)) < 0)
4240			{
4241	0		return rc;
4242			}
4243
4244	0		rc = (int32) (end - c);
4245	0	0	if (matrixCreateSessionTicket(ssl, c, &rc) < 0)
4246			{
4247			psTraceInfo("Error generating session ticket\n");
4248	0		return MATRIXSSL_ERROR;
4249			}
4250	0		c += rc;
4251
4252	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4253			SSL_HS_NEW_SESSION_TICKET, messageSize, padLen, encryptStart, out,
4254			&c)) < 0)
4255			{
4256	0		return rc;
4257			}
4258	0		out->end = c;
4259
4260	0		ssl->sid->sessionTicketState = SESS_TICKET_STATE_USING_TICKET;
4261
4262	0		return PS_SUCCESS;
4263			}
4264			# endif /* USE_STATELESS_SESSION_TICKETS */
4265
4266			# ifdef USE_DHE_CIPHER_SUITE /* Already inside a USE_SERVER_SIDE block */
4267			/******************************************************************************/
4268			/*
4269			Write out the ServerKeyExchange message.
4270			*/
4271	1146		static int32 writeServerKeyExchange(ssl_t ssl, sslBuf_t out, uint32 pLen,
4272			unsigned char p, uint32 gLen, unsigned char g)
4273			{
4274			unsigned char c, end, *encryptStart;
4275			uint8_t padLen;
4276	1146		psSize_t messageSize = 0;
4277			int32_t rc;
4278
4279			# ifndef USE_ONLY_PSK_CIPHER_SUITE
4280			psSize_t hashSize;
4281			unsigned char hsMsgHash, sigStart;
4282			psDigestContext_t digestCtx;
4283			pkaAfter_t *pkaAfter;
4284	1146		void *pkiData = ssl->userPtr;
4285			# endif
4286
4287			# if defined(USE_PSK_CIPHER_SUITE) && defined(USE_ANON_DH_CIPHER_SUITE)
4288			unsigned char *hint;
4289			uint8_t hintLen;
4290			# endif /* USE_PSK_CIPHER_SUITE && USE_ANON_DH_CIPHER_SUITE */
4291			# ifdef USE_ECC_CIPHER_SUITE
4292			psSize_t eccPubKeyLen;
4293			# endif /* USE_ECC_CIPHER_SUITE */
4294
4295			psTraceHs("<<< Server creating SERVER_KEY_EXCHANGE message\n");
4296	1146		c = out->end;
4297	1146		end = out->buf + out->size;
4298
4299			/*
4300			Calculate the size of the message up front, and verify we have room
4301			*/
4302			# ifdef USE_ANON_DH_CIPHER_SUITE
4303	1146	50	if (ssl->flags & SSL_FLAGS_ANON_CIPHER)
4304			{
4305	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
4306	0		6 + pLen + gLen + ssl->sec.dhKeyPriv->size;
4307			# ifdef USE_TLS_1_2
4308	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
4309			{
4310	0		messageSize -= 2; /* hashSigAlg not going to be needed */
4311			}
4312			# endif
4313
4314			# ifdef USE_PSK_CIPHER_SUITE
4315	0	0	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
4316			{
4317	0	0	if (matrixPskGetHint(ssl, &hint, &hintLen) < 0)
4318			{
4319	0		return MATRIXSSL_ERROR;
4320			}
4321			/*
4322			* RFC4279: In the absence of an application profile specification
4323			* specifying otherwise, servers SHOULD NOT provide an identity hint
4324			* and clients MUST ignore the identity hint field. Applications that
4325			* do use this field MUST specify its contents, how the value is
4326			* chosen by the TLS server, and what the TLS client is expected to do
4327			* with the value.
4328			* @note Unlike pure PSK cipher which will omit the ServerKeyExchange
4329			* message if the hint is NULL, the DHE_PSK exchange simply puts
4330			* two zero bytes in this case, since the message must still be sent
4331			* to exchange the DHE public key.
4332			*/
4333	0		messageSize += 2; /* length of hint (even if zero) */
4334	0	0	if (hintLen != 0 && hint != NULL)
		0
4335			{
4336	0		messageSize += hintLen;
4337			}
4338			}
4339			# endif /* USE_PSK_CIPHER_SUITE */
4340			}
4341			else
4342			{
4343			# endif /* USE_ANON_DH_CIPHER_SUITE */
4344			# ifdef USE_ECC_CIPHER_SUITE
4345	1146	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
4346			{
4347			/* ExportKey portion */
4348	1146		eccPubKeyLen = (ssl->sec.eccKeyPriv->curve->size * 2) + 1;
4349
4350	1146	50	if (ssl->flags & SSL_FLAGS_DHE_WITH_RSA)
4351			{
4352	1146		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
4353	1146		eccPubKeyLen + 4 + ssl->keys->privKey.keysize + 2;
4354			}
4355	0	0	else if (ssl->flags & SSL_FLAGS_DHE_WITH_DSA)
4356			{
4357	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen + 6 +
4358			eccPubKeyLen;
4359			/* NEGATIVE ECDSA - Adding ONE spot for a 0x0 byte in the
4360			ECDSA signature. This will allow us to be right ~50% of
4361			the time and not require any manual manipulation
4362
4363			However, if this is a 521 curve there is no chance
4364			the final byte could be negative if the full 66
4365			bytes are needed because there can only be a single
4366			low bit for that sig size. So subtract that byte
4367			back out to stay around the 50% no-move goal */
4368	0	0	if (ssl->keys->privKey.keysize != 132)
4369			{
4370	0		messageSize += 1;
4371			}
4372	0		messageSize += ssl->keys->privKey.keysize;
4373			/* Signature portion */
4374	0		messageSize += 6; /* 6 = 2 ASN_SEQ, 4 ASN_BIG */
4375			/* BIG EC KEY. The sig is 2 bytes len, 1 byte SEQ,
4376			1 byte length (+1 OPTIONAL byte if length is >=128),
4377			1 byte INT, 1 byte rLen, r, 1 byte INT, 1 byte sLen, s.
4378			So the +4 here are the 2 INT and 2 rLen/sLen bytes on
4379			top of the keysize */
4380	0	0	if (ssl->keys->privKey.keysize + 4 >= 128)
4381			{
4382	1146		messageSize++; /* Extra byte for 'long' asn.1 encode */
4383			}
4384			# ifdef USE_DTLS
4385			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 1))
4386			{
4387			/* We already know if this signature got resized */
4388			messageSize += ssl->ecdsaSizeChange;
4389			}
4390			# endif
4391			}
4392			}
4393			else
4394			{
4395			# endif /* USE_ECC_CIPHER_SUITE */
4396			# ifdef REQUIRE_DH_PARAMS
4397	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
4398	0		8 + pLen + gLen + ssl->sec.dhKeyPriv->size +
4399	0		ssl->keys->privKey.keysize;
4400			# endif /* REQUIRE_DH_PARAMS */
4401			# ifdef USE_ECC_CIPHER_SUITE
4402			}
4403			# endif /* USE_ECC_CIPHER_SUITE */
4404			# ifdef USE_ANON_DH_CIPHER_SUITE
4405			}
4406			# endif /* USE_ANON_DH_CIPHER_SUITE */
4407
4408	1146	50	if (messageSize == 0)
4409			{
4410			/* This api was called without DHE, PSK and ECC enabled */
4411	0		return MATRIXSSL_ERROR;
4412			}
4413			# ifdef USE_TLS_1_2
4414	1146	50	if (ssl->flags & SSL_FLAGS_TLS_1_2)
4415			{
4416	1146		messageSize += 2; /* hashSigAlg */
4417			}
4418			# endif
4419	1146	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4420			SSL_HS_SERVER_KEY_EXCHANGE, &messageSize, &padLen,
4421			&encryptStart, end, &c)) < 0)
4422			{
4423	0		return rc;
4424			}
4425			# ifndef USE_ONLY_PSK_CIPHER_SUITE
4426	1146		sigStart = c;
4427			# endif
4428
4429			# if defined(USE_PSK_CIPHER_SUITE) && defined(USE_ANON_DH_CIPHER_SUITE)
4430			/* PSK suites have a leading PSK identity hint (may be zero length) */
4431	1146	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
4432			{
4433	0		*c = 0; c++;
4434	0		*c = (hintLen & 0xFF); c++;
4435	0	0	if (hintLen != 0 && hint != NULL)
		0
4436			{
4437	0		memcpy(c, hint, hintLen);
4438	0		c += hintLen;
4439			}
4440			}
4441			# endif /* USE_PSK_CIPHER_SUITE && USE_ANON_DH_CIPHER_SUITE */
4442
4443			# ifdef USE_ECC_CIPHER_SUITE
4444	1146	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
4445			{
4446			/*
4447			1 byte - ECCurveType (NamedCurve enum is 3)
4448			2 byte - NamedCurve id
4449			*/
4450	1146		c = 3; c++; / NamedCurve enum */
4451	1146		*c = (ssl->sec.eccKeyPriv->curve->curveId & 0xFF00) >> 8; c++;
4452	1146		*c = (ssl->sec.eccKeyPriv->curve->curveId & 0xFF); c++;
4453	1146		*c = eccPubKeyLen & 0xFF; c++;
4454	1146	50	if (psEccX963ExportKey(ssl->hsPool, ssl->sec.eccKeyPriv, c,
4455			&eccPubKeyLen) != 0)
4456			{
4457	0		return MATRIXSSL_ERROR;
4458			}
4459	1146		c += eccPubKeyLen;
4460
4461			}
4462			else
4463			{
4464			# endif
4465			# ifdef REQUIRE_DH_PARAMS
4466			/*
4467			The message itself;
4468			2 bytes p len, p, 2 bytes g len, g, 2 bytes pubKeyLen, pubKey
4469
4470			Size tests have all ready been taken care of a level up from this
4471			*/
4472	0		*c = (pLen & 0xFF00) >> 8; c++;
4473	0		*c = pLen & 0xFF; c++;
4474	0		memcpy(c, p, pLen);
4475	0		c += pLen;
4476	0		*c = (gLen & 0xFF00) >> 8; c++;
4477	0		*c = gLen & 0xFF; c++;
4478	0		memcpy(c, g, gLen);
4479	0		c += gLen;
4480	0		*c = (ssl->sec.dhKeyPriv->size & 0xFF00) >> 8; c++;
4481	0		*c = ssl->sec.dhKeyPriv->size & 0xFF; c++;
4482			{
4483	0		psSize_t dhLen = end - c;
4484	0	0	if (psDhExportPubKey(ssl->hsPool, ssl->sec.dhKeyPriv, c, &dhLen) < 0)
4485			{
4486	0		return MATRIXSSL_ERROR;
4487			}
4488	0	0	psAssert(dhLen == ssl->sec.dhKeyPriv->size);
4489			}
4490	0		c += ssl->sec.dhKeyPriv->size;
4491			# endif /* REQUIRE_DH_PARAMS */
4492			# ifdef USE_ECC_CIPHER_SUITE
4493			}
4494			# endif /* USE_ECC_CIPHER_SUITE */
4495
4496			/* RFC 5246 - 7.4.3. Server Key Exchange Message
4497			In addition, the hash and signature algorithms MUST be compatible
4498			with the key in the server's end-entity certificate. RSA keys MAY be
4499			used with any permitted hash algorithm, subject to restrictions in
4500			the certificate, if any. */
4501
4502			# ifdef USE_RSA_CIPHER_SUITE
4503			/*
4504			RSA authentication requires an additional signature portion to the message
4505			*/
4506	1146	50	if (ssl->flags & SSL_FLAGS_DHE_WITH_RSA)
4507			{
4508			# ifndef USE_ONLY_PSK_CIPHER_SUITE
4509			/* Saved aside for pkaAfter_t */
4510	1146	50	if ((hsMsgHash = psMalloc(ssl->hsPool, SHA384_HASH_SIZE)) == NULL)
4511			{
4512	0		return PS_MEM_FAIL;
4513			}
4514			# endif
4515			# ifdef USE_TLS_1_2
4516	1146	50	if (ssl->flags & SSL_FLAGS_TLS_1_2)
4517			{
4518			/* Using the algorithm from the certificate */
4519	1146	50	if (ssl->keys->cert->sigAlgorithm == OID_SHA256_RSA_SIG)
4520			{
4521	1146		hashSize = SHA256_HASH_SIZE;
4522	1146		psSha256PreInit(&digestCtx.sha256);
4523	1146		psSha256Init(&digestCtx.sha256);
4524	1146		psSha256Update(&digestCtx.sha256, ssl->sec.clientRandom,
4525			SSL_HS_RANDOM_SIZE);
4526	1146		psSha256Update(&digestCtx.sha256, ssl->sec.serverRandom,
4527			SSL_HS_RANDOM_SIZE);
4528	1146		psSha256Update(&digestCtx.sha256, sigStart,
4529	1146		(uint32) (c - sigStart));
4530	1146		psSha256Final(&digestCtx.sha256, hsMsgHash);
4531	1146		*c++ = 0x4;
4532	1146		*c++ = 0x1;
4533			# ifdef USE_SHA384
4534			}
4535	0	0	else if (ssl->keys->cert->sigAlgorithm == OID_SHA384_RSA_SIG)
4536			{
4537	0		hashSize = SHA384_HASH_SIZE;
4538	0		psSha384PreInit(&digestCtx.sha384);
4539	0		psSha384Init(&digestCtx.sha384);
4540	0		psSha384Update(&digestCtx.sha384, ssl->sec.clientRandom,
4541			SSL_HS_RANDOM_SIZE);
4542	0		psSha384Update(&digestCtx.sha384, ssl->sec.serverRandom,
4543			SSL_HS_RANDOM_SIZE);
4544	0		psSha384Update(&digestCtx.sha384, sigStart,
4545	0		(uint32) (c - sigStart));
4546	0		psSha384Final(&digestCtx.sha384, hsMsgHash);
4547	0		*c++ = 0x5;
4548	0		*c++ = 0x1;
4549			# endif /* USE_SHA384 */
4550			/* If MD5, just send a SHA1. Don't want to contribute to any
4551			longevity of MD5 */
4552			# ifdef USE_SHA1
4553			}
4554	0	0	else if (ssl->keys->cert->sigAlgorithm == OID_SHA1_RSA_SIG \|\|
		0
4555	0		ssl->keys->cert->sigAlgorithm == OID_MD5_RSA_SIG)
4556			{
4557	0		hashSize = SHA1_HASH_SIZE;
4558	0		psSha1PreInit(&digestCtx.sha1);
4559	0		psSha1Init(&digestCtx.sha1);
4560	0		psSha1Update(&digestCtx.sha1, ssl->sec.clientRandom,
4561			SSL_HS_RANDOM_SIZE);
4562	0		psSha1Update(&digestCtx.sha1, ssl->sec.serverRandom,
4563			SSL_HS_RANDOM_SIZE);
4564	0		psSha1Update(&digestCtx.sha1, sigStart, (uint32) (c - sigStart));
4565	0		psSha1Final(&digestCtx.sha1, hsMsgHash);
4566	0		*c++ = 0x2;
4567	0		*c++ = 0x1;
4568			# endif
4569			}
4570			else
4571			{
4572			psTraceIntInfo("Unavailable sigAlgorithm for SKE write: %d\n",
4573			ssl->keys->cert->sigAlgorithm);
4574	0		psFree(hsMsgHash, ssl->hsPool);
4575	1146		return PS_UNSUPPORTED_FAIL;
4576			}
4577			}
4578			else
4579			{
4580			# ifdef USE_MD5SHA1
4581	0		hashSize = MD5SHA1_HASHLEN;
4582	0		psMd5Sha1PreInit(&digestCtx.md5sha1);
4583	0		psMd5Sha1Init(&digestCtx.md5sha1);
4584	0		psMd5Sha1Update(&digestCtx.md5sha1, ssl->sec.clientRandom,
4585			SSL_HS_RANDOM_SIZE);
4586	0		psMd5Sha1Update(&digestCtx.md5sha1, ssl->sec.serverRandom,
4587			SSL_HS_RANDOM_SIZE);
4588	0		psMd5Sha1Update(&digestCtx.md5sha1, sigStart, (uint32) (c - sigStart));
4589	0		psMd5Sha1Final(&digestCtx.md5sha1, hsMsgHash);
4590			# else
4591			psTraceIntInfo("Unavailable sigAlgorithm for SKE write: %d\n",
4592			ssl->keys->cert->sigAlgorithm);
4593			psFree(hsMsgHash, ssl->hsPool);
4594			return PS_UNSUPPORTED_FAIL;
4595			# endif /* USE_MD5SHA1 */
4596			}
4597			# else /* USE_TLS_1_2 */
4598			# ifdef USE_MD5SHA1
4599			hashSize = MD5SHA1_HASHLEN;
4600			psMd5Sha1PreInit(&digestCtx.md5sha1);
4601			psMd5Sha1Init(&digestCtx.md5sha1);
4602			psMd5Sha1Update(&digestCtx.md5sha1, ssl->sec.clientRandom,
4603			SSL_HS_RANDOM_SIZE);
4604			psMd5Sha1Update(&digestCtx.md5sha1, ssl->sec.serverRandom,
4605			SSL_HS_RANDOM_SIZE);
4606			psMd5Sha1Update(&digestCtx.md5sha1, sigStart, (uint32) (c - sigStart));
4607			psMd5Sha1Final(&digestCtx.md5sha1, hsMsgHash);
4608			# else
4609			psTraceIntInfo("Unavailable sigAlgorithm for SKE write: %d\n",
4610			ssl->keys->cert->sigAlgorithm);
4611			psFree(hsMsgHash, ssl->hsPool);
4612			return PS_UNSUPPORTED_FAIL;
4613			# endif /* USE_MD5SHA1 */
4614			# endif /* USE_TLS_1_2 */
4615
4616	1146		*c = (ssl->keys->privKey.keysize & 0xFF00) >> 8; c++;
4617	1146		*c = ssl->keys->privKey.keysize & 0xFF; c++;
4618
4619			# ifdef USE_DTLS
4620			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 1))
4621			{
4622			/* It is not optimal to have run through the above digest updates
4623			again on a retransmit just to free the hash here but the
4624			saved message is ONLY the signature portion done in nowDoSke
4625			so the few hashSigAlg bytes and keysize done above during the
4626			hash are important to rewrite */
4627			psFree(hsMsgHash, ssl->hsPool);
4628			memcpy(c, ssl->ckeMsg, ssl->ckeSize);
4629			c += ssl->ckeSize;
4630			}
4631			else /* closed below */
4632			{
4633			# endif /* USE_DTLS */
4634	1146		pkaAfter = getPkaAfter(ssl);
4635			# ifdef USE_TLS_1_2
4636	1146	50	if (ssl->flags & SSL_FLAGS_TLS_1_2)
4637			{
4638	1146		pkaAfter->type = PKA_AFTER_RSA_SIG_GEN_ELEMENT;
4639			}
4640			else
4641			{
4642	0		pkaAfter->type = PKA_AFTER_RSA_SIG_GEN;
4643			}
4644			# else /* !USE_TLS_1_2 */
4645			pkaAfter->type = PKA_AFTER_RSA_SIG_GEN;
4646			# endif /* USE_TLS_1_2 */
4647
4648	1146		pkaAfter->inbuf = hsMsgHash;
4649	1146		pkaAfter->outbuf = c;
4650	1146		pkaAfter->data = pkiData;
4651	1146		pkaAfter->inlen = hashSize;
4652	1146		c += ssl->keys->privKey.keysize;
4653			# ifdef USE_DTLS
4654			}
4655			# endif /* USE_DTLS */
4656			}
4657			# endif /* USE_RSA_CIPHER_SUITE */
4658
4659			# ifdef USE_ECC_CIPHER_SUITE
4660	1146	50	if (ssl->flags & SSL_FLAGS_DHE_WITH_DSA)
4661			{
4662			# ifndef USE_ONLY_PSK_CIPHER_SUITE
4663			/* Saved aside for pkaAfter_t */
4664	0	0	if ((hsMsgHash = psMalloc(ssl->hsPool, SHA384_HASH_SIZE)) == NULL)
4665			{
4666	0		return PS_MEM_FAIL;
4667			}
4668			# endif
4669			# ifdef USE_TLS_1_2
4670	0	0	if ((ssl->flags & SSL_FLAGS_TLS_1_2) &&
		0
4671	0		(ssl->keys->cert->sigAlgorithm == OID_SHA256_ECDSA_SIG))
4672			{
4673	0		hashSize = SHA256_HASH_SIZE;
4674	0		psSha256PreInit(&digestCtx.sha256);
4675	0		psSha256Init(&digestCtx.sha256);
4676	0		psSha256Update(&digestCtx.sha256, ssl->sec.clientRandom,
4677			SSL_HS_RANDOM_SIZE);
4678	0		psSha256Update(&digestCtx.sha256, ssl->sec.serverRandom,
4679			SSL_HS_RANDOM_SIZE);
4680	0		psSha256Update(&digestCtx.sha256, sigStart, (int32) (c - sigStart));
4681	0		psSha256Final(&digestCtx.sha256, hsMsgHash);
4682	0		c++ = 0x4; / SHA256 */
4683	0		c++ = 0x3; / ECDSA */
4684			# ifdef USE_SHA384
4685			}
4686	0	0	else if ((ssl->flags & SSL_FLAGS_TLS_1_2) &&
		0
4687	0		(ssl->keys->cert->sigAlgorithm == OID_SHA384_ECDSA_SIG))
4688			{
4689	0		hashSize = SHA384_HASH_SIZE;
4690	0		psSha384PreInit(&digestCtx.sha384);
4691	0		psSha384Init(&digestCtx.sha384);
4692	0		psSha384Update(&digestCtx.sha384, ssl->sec.clientRandom,
4693			SSL_HS_RANDOM_SIZE);
4694	0		psSha384Update(&digestCtx.sha384, ssl->sec.serverRandom,
4695			SSL_HS_RANDOM_SIZE);
4696	0		psSha384Update(&digestCtx.sha384, sigStart, (int32) (c - sigStart));
4697	0		psSha384Final(&digestCtx.sha384, hsMsgHash);
4698	0		c++ = 0x5; / SHA384 */
4699	0		c++ = 0x3; / ECDSA */
4700			# endif
4701			# ifdef USE_SHA1
4702			}
4703	0	0	else if (ssl->minVer < TLS_1_2_MIN_VER \|\|
		0
4704			# ifdef USE_DTLS
4705			/* DTLS 1.0 is same at TLS 1.1 */
4706			ssl->minVer == DTLS_MIN_VER \|\|
4707			# endif
4708	0	0	((ssl->flags & SSL_FLAGS_TLS_1_2) &&
4709	0		(ssl->keys->cert->sigAlgorithm == OID_SHA1_ECDSA_SIG)))
4710			{
4711	0		hashSize = SHA1_HASH_SIZE;
4712	0		psSha1PreInit(&digestCtx.sha1);
4713	0		psSha1Init(&digestCtx.sha1);
4714	0		psSha1Update(&digestCtx.sha1, ssl->sec.clientRandom,
4715			SSL_HS_RANDOM_SIZE);
4716	0		psSha1Update(&digestCtx.sha1, ssl->sec.serverRandom,
4717			SSL_HS_RANDOM_SIZE);
4718	0		psSha1Update(&digestCtx.sha1, sigStart, (int32) (c - sigStart));
4719	0		psSha1Final(&digestCtx.sha1, hsMsgHash);
4720	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
4721			{
4722	0		c++ = 0x2; / SHA1 */
4723	0		c++ = 0x3; / ECDSA */
4724			}
4725			# endif
4726			}
4727			else
4728			{
4729	0		psFree(hsMsgHash, ssl->hsPool);
4730	0		return PS_UNSUPPORTED_FAIL;
4731			}
4732			# else
4733			hashSize = SHA1_HASH_SIZE;
4734			psSha1PreInit(&digestCtx.sha1);
4735			psSha1Init(&digestCtx.sha1);
4736			psSha1Update(&digestCtx.sha1, ssl->sec.clientRandom,
4737			SSL_HS_RANDOM_SIZE);
4738			psSha1Update(&digestCtx.sha1, ssl->sec.serverRandom,
4739			SSL_HS_RANDOM_SIZE);
4740			psSha1Update(&digestCtx.sha1, sigStart, (int32) (c - sigStart));
4741			psSha1Final(&digestCtx.sha1, hsMsgHash);
4742			# endif
4743
4744			# ifdef USE_DTLS
4745			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 1))
4746			{
4747			/* It is not optimal to have run through the above digest updates
4748			again on a retransmit just to free the hash here but the
4749			saved message is ONLY the signature portion done in nowDoSke
4750			so the few hashSigAlg bytes and keysize done above during the
4751			hash are important to rewrite */
4752			psFree(hsMsgHash, ssl->hsPool);
4753			memcpy(c, ssl->ckeMsg, ssl->ckeSize);
4754			c += ssl->ckeSize;
4755			}
4756			else /* closed below */
4757			{
4758			# endif /* USE_DTLS */
4759
4760	0	0	if ((pkaAfter = getPkaAfter(ssl)) == NULL)
4761			{
4762			psTraceInfo("getPkaAfter error\n");
4763	0		return PS_PLATFORM_FAIL;
4764			}
4765	0		pkaAfter->inbuf = hsMsgHash;
4766	0		pkaAfter->outbuf = c;
4767	0		pkaAfter->data = pkiData;
4768	0		pkaAfter->inlen = hashSize;
4769	0		pkaAfter->type = PKA_AFTER_ECDSA_SIG_GEN;
4770	0		rc = ssl->keys->privKey.keysize + 8;
4771			/* NEGATIVE ECDSA - Adding spot for ONE 0x0 byte in ECDSA so we'll
4772			be right 50% of the time... 521 curve doesn't need */
4773	0	0	if (ssl->keys->privKey.keysize != 132)
4774			{
4775	0		rc += 1;
4776			}
4777			/* Above we added in the 8 bytes of overhead (2 sigLen, 1 SEQ,
4778			1 len (possibly 2!), 1 INT, 1 rLen, 1 INT, 1 sLen) and now
4779			subtract the first 3 bytes to see if the 1 len needs to be 2 */
4780	0	0	if (rc - 3 >= 128)
4781			{
4782	0		rc++;
4783			}
4784	0		pkaAfter->user = rc; /* outlen for later */
4785	0		c += rc;
4786			# ifdef USE_DTLS
4787			}
4788			# endif /* USE_DTLS */
4789			}
4790			# endif /* USE_ECC_CIPHER_SUITE */
4791
4792	1146	50	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4793			SSL_HS_SERVER_KEY_EXCHANGE, messageSize, padLen, encryptStart, out,
4794			&c)) < 0)
4795			{
4796	0		return rc;
4797			}
4798	1146		out->end = c;
4799	1146		return MATRIXSSL_SUCCESS;
4800			}
4801			# endif /* USE_DHE_CIPHER_SUITE */
4802
4803			/******************************************************************************/
4804			/*
4805			Server initiated rehandshake public API call.
4806			*/
4807	0		int32 matrixSslEncodeHelloRequest(ssl_t ssl, sslBuf_t out,
4808			uint32 *requiredLen)
4809			{
4810			unsigned char c, end, *encryptStart;
4811			uint8_t padLen;
4812			psSize_t messageSize;
4813			int32_t rc;
4814
4815	0		*requiredLen = 0;
4816			psTraceHs("<<< Server creating HELLO_REQUEST message\n");
4817	0	0	if (ssl->flags & SSL_FLAGS_ERROR \|\| ssl->flags & SSL_FLAGS_CLOSED)
		0
4818			{
4819			psTraceInfo("SSL flag error in matrixSslEncodeHelloRequest\n");
4820	0		return MATRIXSSL_ERROR;
4821			}
4822	0	0	if (!(ssl->flags & SSL_FLAGS_SERVER) \|\| (ssl->hsState != SSL_HS_DONE))
		0
4823			{
4824			psTraceInfo("SSL state error in matrixSslEncodeHelloRequest\n");
4825	0		return MATRIXSSL_ERROR;
4826			}
4827
4828	0		c = out->end;
4829	0		end = out->buf + out->size;
4830	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen;
4831	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4832			SSL_HS_HELLO_REQUEST, &messageSize, &padLen,
4833			&encryptStart, end, &c)) < 0)
4834			{
4835	0		*requiredLen = messageSize;
4836	0		return rc;
4837			}
4838
4839	0	0	if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, 0, messageSize,
4840			padLen, encryptStart, out, &c)) < 0)
4841			{
4842	0		return rc;
4843			}
4844	0		out->end = c;
4845
4846	0		return MATRIXSSL_SUCCESS;
4847			}
4848			# else /* USE_SERVER_SIDE_SSL */
4849			int32 matrixSslEncodeHelloRequest(ssl_t ssl, sslBuf_t out,
4850			uint32 *requiredLen)
4851			{
4852			psTraceInfo("Library not built with USE_SERVER_SIDE_SSL\n");
4853			return PS_UNSUPPORTED_FAIL;
4854			}
4855			# endif /* USE_SERVER_SIDE_SSL */
4856
4857
4858			# ifndef USE_ONLY_PSK_CIPHER_SUITE
4859			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
4860			/*
4861			A fragmented write of the CERTIFICATE handhshake message. This is the
4862			only handshake message that supports fragmentation because it is the only
4863			message where the 512byte plaintext max of the max_fragment extension can
4864			be exceeded.
4865			*/
4866	0		static int32 writeMultiRecordCertificate(ssl_t ssl, sslBuf_t out,
4867			int32 notEmpty, int32 totalClen, int32 lsize)
4868			{
4869			psX509Cert_t cert, future;
4870			unsigned char c, end, *encryptStart;
4871			uint8_t padLen;
4872			psSize_t messageSize;
4873			uint32_t certLen;
4874			int32_t rc;
4875	0		int32 midWrite, midSizeWrite, countDown, firstOne = 1;
4876
4877	0		c = out->end;
4878	0		end = out->buf + out->size;
4879
4880	0		midSizeWrite = midWrite = certLen = 0;
4881	0		cert = NULL;
4882
4883	0	0	while (totalClen > 0)
4884			{
4885	0	0	if (firstOne)
4886			{
4887	0		firstOne = 0;
4888	0		countDown = ssl->maxPtFrag;
4889	0		messageSize = totalClen + lsize + ssl->recordHeadLen + ssl->hshakeHeadLen;
4890	0	0	if ((rc = writeRecordHeader(ssl,
4891			SSL_RECORD_TYPE_HANDSHAKE_FIRST_FRAG, SSL_HS_CERTIFICATE,
4892			&messageSize, &padLen, &encryptStart, end, &c)) < 0)
4893			{
4894	0		return rc;
4895			}
4896			/* Write out the certs */
4897	0		*c = (unsigned char) (((totalClen + (lsize - 3)) & 0xFF0000) >> 16);
4898	0		c++;
4899	0		*c = ((totalClen + (lsize - 3)) & 0xFF00) >> 8; c++;
4900	0		*c = ((totalClen + (lsize - 3)) & 0xFF); c++;
4901	0		countDown -= ssl->hshakeHeadLen + 3;
4902
4903	0	0	if (notEmpty)
4904			{
4905	0		cert = ssl->keys->cert;
4906	0	0	while (cert)
4907			{
4908	0	0	psAssert(cert->unparsedBin != NULL);
4909	0		certLen = cert->binLen;
4910	0		midWrite = 0;
4911	0	0	if (certLen > 0)
4912			{
4913	0	0	if (countDown <= 3)
4914			{
4915			/* Fragment falls right on cert len write. Has
4916			to be at least one byte or countDown would have
4917			been 0 and got us out of here already*/
4918	0		*c = (unsigned char) ((certLen & 0xFF0000) >> 16);
4919	0		c++; countDown--;
4920	0		midSizeWrite = 2;
4921	0	0	if (countDown != 0)
4922			{
4923	0		*c = (certLen & 0xFF00) >> 8; c++; countDown--;
4924	0		midSizeWrite = 1;
4925	0	0	if (countDown != 0)
4926			{
4927	0		*c = (certLen & 0xFF); c++; countDown--;
4928	0		midSizeWrite = 0;
4929			}
4930			}
4931	0		break;
4932			}
4933			else
4934			{
4935	0		*c = (unsigned char) ((certLen & 0xFF0000) >> 16);
4936	0		c++;
4937	0		*c = (certLen & 0xFF00) >> 8; c++;
4938	0		*c = (certLen & 0xFF); c++;
4939	0		countDown -= 3;
4940			}
4941	0		midWrite = min(certLen, countDown);
4942	0		memcpy(c, cert->unparsedBin, midWrite);
4943	0		certLen -= midWrite;
4944	0		c += midWrite;
4945	0		totalClen -= midWrite;
4946	0		countDown -= midWrite;
4947	0	0	if (countDown == 0)
4948			{
4949	0		break;
4950			}
4951			}
4952	0		cert = cert->next;
4953			}
4954			}
4955	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
4956			SSL_HS_CERTIFICATE, messageSize, padLen, encryptStart, out,
4957			&c)) < 0)
4958			{
4959	0		return rc;
4960			}
4961	0		out->end = c;
4962			}
4963			else
4964			{
4965			/* Not-first fragments */
4966	0	0	if (!cert)
4967			{
4968	0		return PS_FAIL;
4969			}
4970	0	0	if (midSizeWrite > 0)
4971			{
4972	0		messageSize = midSizeWrite;
4973			}
4974			else
4975			{
4976	0		messageSize = 0;
4977			}
4978	0	0	if ((certLen + messageSize) > ssl->maxPtFrag)
4979			{
4980	0		messageSize += ssl->maxPtFrag;
4981			}
4982			else
4983			{
4984	0		messageSize += certLen;
4985	0	0	if (cert->next != NULL)
4986			{
4987	0		future = cert->next;
4988	0	0	while (future != NULL)
4989			{
4990	0	0	if (messageSize + future->binLen + 3 >
4991	0		(uint32) ssl->maxPtFrag)
4992			{
4993	0		messageSize = ssl->maxPtFrag;
4994	0		future = NULL;
4995			}
4996			else
4997			{
4998	0		messageSize += 3 + future->binLen;
4999	0		future = future->next;
5000			}
5001
5002			}
5003			}
5004			}
5005
5006	0		countDown = messageSize;
5007	0		messageSize += ssl->recordHeadLen;
5008			/* Second, etc... */
5009	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE_FRAG,
5010			SSL_HS_CERTIFICATE, &messageSize, &padLen, &encryptStart,
5011			end, &c)) < 0)
5012			{
5013	0		return rc;
5014			}
5015
5016	0	0	if (midSizeWrite > 0)
5017			{
5018	0	0	if (midSizeWrite == 2)
5019			{
5020	0		*c = (certLen & 0xFF00) >> 8; c++;
5021	0		*c = (certLen & 0xFF); c++;
5022	0		countDown -= 2;
5023			}
5024			else
5025			{
5026	0		*c = (certLen & 0xFF); c++;
5027	0		countDown -= 1;
5028			}
5029	0		midSizeWrite = 0;
5030			}
5031
5032	0	0	if (countDown < certLen)
5033			{
5034	0		memcpy(c, cert->unparsedBin + midWrite, countDown);
5035	0		certLen -= countDown;
5036	0		c += countDown;
5037	0		totalClen -= countDown;
5038	0		midWrite += countDown;
5039	0		countDown = 0;
5040			}
5041			else
5042			{
5043	0		memcpy(c, cert->unparsedBin + midWrite, certLen);
5044	0		c += certLen;
5045	0		totalClen -= certLen;
5046	0		countDown -= certLen;
5047	0		certLen -= certLen;
5048			}
5049
5050	0	0	while (countDown > 0)
5051			{
5052	0		cert = cert->next;
5053	0	0	if (!cert)
5054			{
5055	0		return PS_FAIL;
5056			}
5057	0		certLen = cert->binLen;
5058	0		midWrite = 0;
5059	0	0	if (countDown <= 3)
5060			{
5061			/* Fragment falls right on cert len write */
5062	0		*c = (unsigned char) ((certLen & 0xFF0000) >> 16);
5063	0		c++; countDown--;
5064	0		midSizeWrite = 2;
5065	0	0	if (countDown != 0)
5066			{
5067	0		*c = (certLen & 0xFF00) >> 8; c++; countDown--;
5068	0		midSizeWrite = 1;
5069	0	0	if (countDown != 0)
5070			{
5071	0		*c = (certLen & 0xFF); c++; countDown--;
5072	0		midSizeWrite = 0;
5073			}
5074			}
5075	0		break;
5076			}
5077			else
5078			{
5079	0		*c = (unsigned char) ((certLen & 0xFF0000) >> 16);
5080	0		c++;
5081	0		*c = (certLen & 0xFF00) >> 8; c++;
5082	0		*c = (certLen & 0xFF); c++;
5083	0		countDown -= 3;
5084			}
5085	0		midWrite = min(certLen, countDown);
5086	0		memcpy(c, cert->unparsedBin, midWrite);
5087	0		certLen -= midWrite;
5088	0		c += midWrite;
5089	0		totalClen -= midWrite;
5090	0		countDown -= midWrite;
5091	0	0	if (countDown == 0)
5092			{
5093	0		break;
5094			}
5095
5096			}
5097	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
5098			SSL_HS_CERTIFICATE, messageSize, padLen, encryptStart, out,
5099			&c)) < 0)
5100			{
5101	0		return rc;
5102			}
5103	0		out->end = c;
5104			}
5105			}
5106
5107	0		out->end = c;
5108	0		return MATRIXSSL_SUCCESS;
5109			}
5110			# endif /* USE_SERVER_SIDE_SSL \|\| USE_CLIENT_AUTH */
5111
5112
5113			# if defined(USE_OCSP) && defined(USE_SERVER_SIDE_SSL)
5114	1147		static int32 writeCertificateStatus(ssl_t ssl, sslBuf_t out)
5115			{
5116			unsigned char c, end, *encryptStart;
5117			uint8_t padLen;
5118			int32 rc;
5119			psSize_t messageSize, ocspLen;
5120
5121
5122			/* Easier to exclude this message internally rather than futher muddy the
5123			numerous #ifdef and ssl_t tests in the caller */
5124	1147	50	if (ssl->extFlags.status_request == 0)
5125			{
5126	1147		return MATRIXSSL_SUCCESS;
5127			}
5128
5129			psTraceHs("<<< Server creating CERTIFICATE_STATUS message\n");
5130
5131	0		c = out->end;
5132	0		end = out->buf + out->size;
5133
5134	0		ocspLen = ssl->keys->OCSPResponseBufLen;
5135	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen + 4 + ocspLen;
5136
5137	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
5138			SSL_HS_CERTIFICATE_STATUS, &messageSize, &padLen, &encryptStart,
5139			end, &c)) < 0)
5140			{
5141	0		return rc;
5142			}
5143			/* struct {
5144			CertificateStatusType status_type;
5145			select (status_type) {
5146			case ocsp: OCSPResponse;
5147			} response;
5148			} CertificateStatus; */
5149	0		*c = 0x1; c++;
5150			/* ocspLen is 16 bit value. */
5151	0		*c = 0; c++;
5152	0		*c = (ocspLen & 0xFF00) >> 8; c++;
5153	0		*c = (ocspLen & 0xFF); c++;
5154	0		memcpy(c, ssl->keys->OCSPResponseBuf, ocspLen);
5155	0		c += ocspLen;
5156
5157	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
5158			SSL_HS_CERTIFICATE_STATUS, messageSize, padLen, encryptStart, out,
5159			&c)) < 0)
5160			{
5161	0		return rc;
5162			}
5163	0		out->end = c;
5164	1147		return MATRIXSSL_SUCCESS;
5165
5166			}
5167			# endif /* OCSP && SERVER_SIDE_SSL */
5168
5169			/******************************************************************************/
5170			/*
5171			Write a Certificate message.
5172			The encoding of the message is as follows:
5173			3 byte length of certificate data (network byte order)
5174			If there is no certificate,
5175			3 bytes of 0
5176			If there is one certificate,
5177			3 byte length of certificate + 3
5178			3 byte length of certificate
5179			certificate data
5180			For more than one certificate:
5181			3 byte length of all certificate data
5182			3 byte length of first certificate
5183			first certificate data
5184			3 byte length of second certificate
5185			second certificate data
5186			Certificate data is the base64 section of an X.509 certificate file
5187			in PEM format decoded to binary. No additional interpretation is required.
5188			*/
5189	1147		static int32 writeCertificate(ssl_t ssl, sslBuf_t out, int32 notEmpty)
5190			{
5191			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
5192			psX509Cert_t *cert;
5193			uint32 certLen;
5194			# endif /* USE_SERVER_SIDE_SSL \|\| USE_CLIENT_AUTH */
5195
5196			unsigned char c, end, *encryptStart;
5197			uint8_t padLen;
5198			int32 totalCertLen, lsize, i, rc;
5199			psSize_t messageSize;
5200
5201			psTraceStrHs("<<< %s creating CERTIFICATE message\n",
5202			(ssl->flags & SSL_FLAGS_SERVER) ? "Server" : "Client");
5203
5204			# ifdef USE_PSK_CIPHER_SUITE
5205			/*
5206			Easier to exclude this message internally rather than futher muddy the
5207			numerous #ifdef and ssl->flags tests for DH, CLIENT_AUTH, and PSK states.
5208			A PSK or DHE_PSK cipher will never send this message
5209			*/
5210	1147	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
5211			{
5212	0		return MATRIXSSL_SUCCESS;
5213			}
5214			# endif /* USE_PSK_CIPHER_SUITE */
5215
5216	1147		c = out->end;
5217	1147		end = out->buf + out->size;
5218
5219			/*
5220			Determine total length of certs
5221			*/
5222	1147		totalCertLen = i = 0;
5223	1147	50	if (notEmpty)
5224			{
5225			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
5226	1147		cert = ssl->keys->cert;
5227	2294	100	for (; cert != NULL; i++)
5228			{
5229	1147	50	psAssert(cert->unparsedBin != NULL);
5230	1147		totalCertLen += cert->binLen;
5231	1147		cert = cert->next;
5232			}
5233			# else
5234			return PS_DISABLED_FEATURE_FAIL;
5235			# endif /* USE_SERVER_SIDE_SSL \|\| USE_CLIENT_AUTH */
5236			}
5237
5238			/*
5239			Account for the 3 bytes of certChain len for each cert and get messageSize
5240			*/
5241	1147		lsize = 3 + (i * 3);
5242
5243			/* TODO DTLS: Make sure this maxPtFrag is consistent with the fragment
5244			extension and is not interfering with DTLS notions of fragmentation */
5245	1147	50	if ((totalCertLen + lsize + ssl->hshakeHeadLen) > ssl->maxPtFrag)
5246			{
5247			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
5248	0		return writeMultiRecordCertificate(ssl, out, notEmpty,
5249			totalCertLen, lsize);
5250			# endif /* USE_SERVER_SIDE_SSL \|\| USE_CLIENT_AUTH */
5251			}
5252			else
5253			{
5254	2294		messageSize =
5255	1147		ssl->recordHeadLen +
5256	1147		ssl->hshakeHeadLen +
5257			lsize + totalCertLen;
5258
5259	1147	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
5260			SSL_HS_CERTIFICATE, &messageSize, &padLen, &encryptStart,
5261			end, &c)) < 0)
5262			{
5263			# ifdef USE_DTLS
5264			if (ssl->flags & SSL_FLAGS_DTLS)
5265			{
5266			/*
5267			Is this the fragment case?
5268			*/
5269			if (rc == DTLS_MUST_FRAG)
5270			{
5271			rc = dtlsWriteCertificate(ssl, totalCertLen, lsize, c);
5272			if (rc < 0)
5273			{
5274			return rc;
5275			}
5276			c += rc;
5277			out->end = c;
5278			return MATRIXSSL_SUCCESS;
5279			}
5280			}
5281			# endif /* USE_DTLS */
5282	0		return rc;
5283			}
5284
5285			/*
5286			Write out the certs
5287			*/
5288	1147		*c = (unsigned char) (((totalCertLen + (lsize - 3)) & 0xFF0000) >> 16);
5289	1147		c++;
5290	1147		*c = ((totalCertLen + (lsize - 3)) & 0xFF00) >> 8; c++;
5291	1147		*c = ((totalCertLen + (lsize - 3)) & 0xFF); c++;
5292
5293			# if defined(USE_SERVER_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
5294	1147	50	if (notEmpty)
5295			{
5296	1147		cert = ssl->keys->cert;
5297	2294	100	while (cert)
5298			{
5299	1147	50	psAssert(cert->unparsedBin != NULL);
5300	1147		certLen = cert->binLen;
5301	1147	50	if (certLen > 0)
5302			{
5303	1147		*c = (unsigned char) ((certLen & 0xFF0000) >> 16); c++;
5304	1147		*c = (certLen & 0xFF00) >> 8; c++;
5305	1147		*c = (certLen & 0xFF); c++;
5306	1147		memcpy(c, cert->unparsedBin, certLen);
5307	1147		c += certLen;
5308			}
5309	1147		cert = cert->next;
5310			}
5311			}
5312			# endif /* USE_SERVER_SIDE_SSL \|\| USE_CLIENT_AUTH */
5313
5314	1147	50	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
5315			SSL_HS_CERTIFICATE, messageSize, padLen, encryptStart, out,
5316			&c)) < 0)
5317			{
5318	0		return rc;
5319			}
5320	1147		out->end = c;
5321			}
5322	1147		return MATRIXSSL_SUCCESS;
5323			}
5324			# endif /* USE_ONLY_PSK_CIPHER_SUITE */
5325
5326			/******************************************************************************/
5327			/*
5328			Write the ChangeCipherSpec message. It has its own message type
5329			and contains just one byte of value one. It is not a handshake
5330			message, so it isn't included in the handshake hash.
5331			*/
5332	2119		static int32_t writeChangeCipherSpec(ssl_t ssl, sslBuf_t out)
5333			{
5334			unsigned char c, end, *encryptStart;
5335			uint8_t padLen;
5336			psSize_t messageSize;
5337			int32_t rc;
5338
5339			psTraceStrHs("<<< %s creating CHANGE_CIPHER_SPEC message\n",
5340			(ssl->flags & SSL_FLAGS_SERVER) ? "Server" : "Client");
5341
5342	2119		c = out->end;
5343	2119		end = out->buf + out->size;
5344	2119		messageSize = ssl->recordHeadLen + 1;
5345
5346	2119	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC, 0,
5347			&messageSize, &padLen, &encryptStart, end, &c)) < 0)
5348			{
5349	0		return rc;
5350			}
5351	2119		*c = 1; c++;
5352
5353	2119	50	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC,
5354			0, messageSize, padLen, encryptStart, out, &c)) < 0)
5355			{
5356	0		return rc;
5357			}
5358	2119		out->end = c;
5359
5360	2119		return MATRIXSSL_SUCCESS;
5361			}
5362
5363	2119		static int32 postponeSnapshotHSHash(ssl_t ssl, unsigned char c, int32 sender)
5364			{
5365	2119		ssl->delayHsHash = c;
5366			# ifdef USE_TLS
5367	2119	50	if (ssl->flags & SSL_FLAGS_TLS)
5368			{
5369	2119		return TLS_HS_FINISHED_SIZE;
5370			}
5371			else
5372			{
5373			# endif /* USE_TLS */
5374	0		return MD5_HASH_SIZE + SHA1_HASH_SIZE;
5375			# ifdef USE_TLS
5376			}
5377			# endif /* USE_TLS */
5378
5379			}
5380
5381			/******************************************************************************/
5382			/*
5383			Write the Finished message
5384			The message contains the 36 bytes, the 16 byte MD5 and 20 byte SHA1 hash
5385			of all the handshake messages so far (excluding this one!)
5386			*/
5387	2119		static int32 writeFinished(ssl_t ssl, sslBuf_t out)
5388			{
5389			unsigned char c, end, *encryptStart;
5390			uint8_t padLen;
5391			psSize_t messageSize, verifyLen;
5392			int32_t rc;
5393
5394			psTraceStrHs("<<< %s creating FINISHED message\n",
5395			(ssl->flags & SSL_FLAGS_SERVER) ? "Server" : "Client");
5396
5397	2119		c = out->end;
5398	2119		end = out->buf + out->size;
5399
5400	2119		verifyLen = MD5_HASH_SIZE + SHA1_HASH_SIZE;
5401			# ifdef USE_TLS
5402	2119	50	if (ssl->flags & SSL_FLAGS_TLS)
5403			{
5404	2119		verifyLen = TLS_HS_FINISHED_SIZE;
5405			}
5406			# endif /* USE_TLS */
5407	2119		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen + verifyLen;
5408
5409	2119	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE, SSL_HS_FINISHED,
5410			&messageSize, &padLen, &encryptStart, end, &c)) < 0)
5411			{
5412	0		return rc;
5413			}
5414			/*
5415			Output the hash of messages we've been collecting so far into the buffer
5416			*/
5417	2119		c += postponeSnapshotHSHash(ssl, c, ssl->flags & SSL_FLAGS_SERVER);
5418
5419	2119	50	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
5420			SSL_HS_FINISHED, messageSize, padLen, encryptStart, out, &c)) < 0)
5421			{
5422	0		return rc;
5423			}
5424	2119		out->end = c;
5425
5426
5427			# ifdef USE_DTLS
5428			if (ssl->flags & SSL_FLAGS_DTLS)
5429			{
5430			/*
5431			Can't free the sec.cert buffer or close the handshake pool if
5432			using DTLS as we may be coming back around through this flight on
5433			a retransmit. These frees are only taken care of once DTLS is
5434			positive the handshake has completed.
5435			*/
5436			return MATRIXSSL_SUCCESS;
5437			}
5438			# endif /* USE_DTLS */
5439
5440			# ifndef USE_ONLY_PSK_CIPHER_SUITE
5441			# if defined(USE_CLIENT_SIDE_SSL) \|\| defined(USE_CLIENT_AUTH)
5442			/* In client cases, there will be an outstanding PKA operation that
5443			could require the key from the cert so we can't free it yet */
5444	2119	100	if (ssl->pkaAfter[0].type == 0)
5445			{
5446	1061	50	if (!(ssl->bFlags & BFLAG_KEEP_PEER_CERTS))
5447			{
5448	1061	50	if (ssl->sec.cert)
5449			{
5450	0		psX509FreeCert(ssl->sec.cert);
5451	0		ssl->sec.cert = NULL;
5452			}
5453			}
5454			}
5455			# endif /* USE_CLIENT_SIDE_SSL \|\| USE_CLIENT_AUTH */
5456			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
5457	2119		return MATRIXSSL_SUCCESS;
5458			}
5459
5460			/******************************************************************************/
5461			/*
5462			Write an Alert message
5463			The message contains two bytes: AlertLevel and AlertDescription
5464			*/
5465	91		static int32 writeAlert(ssl_t *ssl, unsigned char level,
5466			unsigned char description, sslBuf_t *out,
5467			uint32 *requiredLen)
5468			{
5469			unsigned char c, end, *encryptStart;
5470			uint8_t padLen;
5471			psSize_t messageSize;
5472			int32_t rc;
5473
5474			# ifdef USE_SSL_HANDSHAKE_MSG_TRACE
5475			if (ssl->flags & SSL_FLAGS_SERVER)
5476			{
5477			psTraceHs("<<< Server");
5478			}
5479			else
5480			{
5481			psTraceHs("<<< Client");
5482			}
5483			if (description == SSL_ALERT_CLOSE_NOTIFY)
5484			{
5485			psTraceHs(" creating ALERT (CLOSE_NOTIFY) message\n");
5486			}
5487			else
5488			{
5489			psTraceHs(" creating ALERT message\n");
5490			}
5491			# endif
5492			psTraceIntInfo("Creating alert %d\n", description);
5493	91		c = out->end;
5494	91		end = out->buf + out->size;
5495	91		messageSize = 2 + ssl->recordHeadLen;
5496
5497			/* Force the alert to WARNING if the spec says the alert MUST be that */
5498	91	50	if (description == (unsigned char) SSL_ALERT_NO_RENEGOTIATION)
5499			{
5500	0		level = (unsigned char) SSL_ALERT_LEVEL_WARNING;
5501	0		ssl->err = SSL_ALERT_NONE;
5502			}
5503
5504	91	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_ALERT, 0, &messageSize,
5505			&padLen, &encryptStart, end, &c)) < 0)
5506			{
5507	0		*requiredLen = messageSize;
5508	0		return rc;
5509			}
5510	91		*c = level; c++;
5511	91		*c = description; c++;
5512
5513	91	50	if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_ALERT, 0, messageSize,
5514			padLen, encryptStart, out, &c)) < 0)
5515			{
5516	0		*requiredLen = messageSize;
5517	0		return rc;
5518			}
5519	91		out->end = c;
5520			# ifdef USE_MATRIXSSL_STATS
5521			matrixsslUpdateStat(ssl, ALERT_SENT_STAT, (int32) (description));
5522			# endif
5523	91		return MATRIXSSL_SUCCESS;
5524			}
5525
5526			#ifdef USE_CLIENT_SIDE_SSL
5527			# ifdef USE_TRUSTED_CA_INDICATION
5528			static int32_t trustedCAindicationExtLen(psX509Cert_t *certs)
5529			{
5530			psX509Cert_t *next;
5531			int32_t len;
5532
5533			len = 0;
5534			/* Using the cert_sha1_hash identifier_type */
5535			next = certs;
5536			while (next)
5537			{
5538			len += 21; /* 1 id_type, 20 hash */
5539			next = next->next;
5540			}
5541			return len;
5542			}
5543
5544			static void writeTrustedCAindication(psX509Cert_t certs, unsigned char *pp)
5545			{
5546			psX509Cert_t *next;
5547			int32_t len;
5548			unsigned char p = pp;
5549
5550			len = trustedCAindicationExtLen(certs);
5551			*p = (len & 0xFF00) >> 8; p++;
5552			*p = len & 0xFF; p++;
5553
5554			next = certs;
5555			while (next)
5556			{
5557			p = 0x3; p++; / cert_sha1_hash */
5558			memcpy(p, next->sha1CertHash, 20);
5559			p += 20;
5560			next = next->next;
5561			}
5562			psAssert((p - *pp) == (len + 2));
5563			*pp = p;
5564			}
5565			# endif /* USE_TRUSTED_CA_INDICATION */
5566
5567			/******************************************************************************/
5568			/*
5569			Write out the ClientHello message to a buffer
5570			*/
5571	11164		int32_t matrixSslEncodeClientHello(ssl_t ssl, sslBuf_t out,
5572			const psCipher16_t cipherSpecs[], uint8_t cipherSpecLen,
5573			uint32 requiredLen, tlsExtension_t userExt, sslSessOpts_t *options)
5574			{
5575			unsigned char c, end, *encryptStart;
5576			uint8_t padLen;
5577			int32 rc, t;
5578			psSize_t messageSize, cipherLen, cookieLen, addRenegotiationScsv;
5579			tlsExtension_t *ext;
5580			uint32 extLen;
5581			const sslCipherSpec_t *cipherDetails;
5582			short i, useTicket;
5583			# ifdef USE_TLS_1_2
5584			psSize_t sigHashLen, sigHashFlags;
5585			unsigned char sigHash[18]; /* 2b len + 2b * 8 sig hash combos */
5586			# endif
5587			# ifdef USE_ECC_CIPHER_SUITE
5588			unsigned char eccCurveList[32];
5589			uint8_t curveListLen;
5590			# endif /* USE_ECC_CIPHER_SUITE */
5591			# ifdef USE_DTLS
5592			unsigned char *extStart = NULL;
5593			int cipherCount;
5594			# endif
5595
5596			psTraceHs("<<< Client creating CLIENT_HELLO message\n");
5597	11164		*requiredLen = 0;
5598	11164	50	if (out == NULL \|\| out->buf == NULL \|\| ssl == NULL \|\| options == NULL)
		50
		50
		50
5599			{
5600	0		return PS_ARG_FAIL;
5601			}
5602	11164	100	if (cipherSpecLen > 0 && (cipherSpecs == NULL \|\| cipherSpecs[0] == 0))
		50
		50
5603			{
5604	0		return PS_ARG_FAIL;
5605			}
5606	11164	50	if (ssl->flags & SSL_FLAGS_ERROR \|\| ssl->flags & SSL_FLAGS_CLOSED)
		50
5607			{
5608			psTraceInfo("SSL flag error in matrixSslEncodeClientHello\n");
5609	0		return MATRIXSSL_ERROR;
5610			}
5611	11164	50	if (ssl->flags & SSL_FLAGS_SERVER \|\| (ssl->hsState != SSL_HS_SERVER_HELLO &&
		100
		50
5612	0	0	ssl->hsState != SSL_HS_DONE &&
5613	0		ssl->hsState != SSL_HS_HELLO_REQUEST ))
5614			{
5615			psTraceInfo("SSL state error in matrixSslEncodeClientHello\n");
5616	0		return MATRIXSSL_ERROR;
5617			}
5618
5619	11164		sslInitHSHash(ssl);
5620
5621	11164		cookieLen = 0;
5622			# ifdef USE_DTLS
5623			if (ssl->flags & SSL_FLAGS_DTLS)
5624			{
5625			/* TODO DTLS make sure a block cipher suite is being used */
5626			if (ssl->haveCookie)
5627			{
5628			cookieLen = ssl->cookieLen + 1; /* account for length byte */
5629			}
5630			else
5631			{
5632			cookieLen = 1; /* Always send the length (0) even if no cookie */
5633			}
5634			/* save for next time called for VERIFY_REQUEST response */
5635			ssl->cipherSpecLen = min(8, cipherSpecLen); /* 8 is arbitrary limit */
5636			for (cipherCount = 0; cipherCount < ssl->cipherSpecLen; cipherCount++)
5637			{
5638			ssl->cipherSpec[cipherCount] = cipherSpecs[cipherCount];
5639			}
5640			}
5641			# endif
5642			/* If no resumption, clear the RESUMED flag in case the caller is
5643			attempting to bypass matrixSslEncodeRehandshake. */
5644	11164	100	if (ssl->sessionIdLen <= 0)
5645			{
5646	11162		ssl->flags &= ~SSL_FLAGS_RESUMED;
5647			}
5648
5649	11164	100	if (cipherSpecLen == 0 \|\| cipherSpecs == NULL \|\| cipherSpecs[0] == 0)
		50
		50
5650			{
5651	11162	50	if ((cipherLen = sslGetCipherSpecListLen(ssl)) == 2)
5652			{
5653			psTraceInfo("No cipher suites enabled (or no key material)\n");
5654	0		return MATRIXSSL_ERROR;
5655			}
5656			}
5657			else
5658			{
5659			/* If ciphers are specified it is two bytes length and two bytes data */
5660	2		cipherLen = 2;
5661	3	100	for (i = 0; i < cipherSpecLen; i++)
5662			{
5663	2	100	if ((cipherDetails = sslGetCipherSpec(ssl, cipherSpecs[i]))
5664			== NULL)
5665			{
5666			psTraceIntInfo("Cipher suite not supported: %d\n",
5667			cipherSpecs[i]);
5668	1		return PS_UNSUPPORTED_FAIL;
5669			}
5670	1		cipherLen += 2;
5671			}
5672			}
5673
5674	11163		addRenegotiationScsv = 0;
5675			# ifdef ENABLE_SECURE_REHANDSHAKES
5676			/* Initial CLIENT_HELLO will use the SCSV mechanism for greatest compat */
5677	11163	100	if (ssl->myVerifyDataLen == 0)
5678			{
5679	11156		cipherLen += 2; /* signalling cipher id 0x00FF */
5680	11156		addRenegotiationScsv = 1;
5681			}
5682			# endif
5683	11163	50	if (options->fallbackScsv)
5684			{
5685	0	0	if (ssl->minVer == TLS_HIGHEST_MINOR)
5686			{
5687			/** If a client sets ClientHello.client_version to its highest
5688			supported protocol version, it MUST NOT include TLS_FALLBACK_SCSV.
5689			@see https://tools.ietf.org/html/rfc7507#section-4 */
5690			psTraceInfo("Cannot set fallbackScsv if using maximum supported TLS version.\n");
5691	0		return MATRIXSSL_ERROR;
5692			}
5693	0	0	if (ssl->sessionIdLen > 0)
5694			{
5695			/** when a client intends to resume a session and sets ClientHello.client_version
5696			to the protocol version negotiated for that session, it MUST NOT include
5697			TLS_FALLBACK_SCSV.
5698			@see https://tools.ietf.org/html/rfc7507#section-4 */
5699			psTraceInfo("Cannot set fallbackScsv if attempting to resume a connection.\n");
5700	0		return MATRIXSSL_ERROR;
5701			}
5702	0		cipherLen += 2; /* signalling cipher id 0x5600 */
5703	0		ssl->extFlags.req_fallback_scsv = 1;
5704			}
5705			else
5706			{
5707			/** If a client sends a ClientHello.client_version containing a lower
5708			value than the latest (highest-valued) version supported by the
5709			client, it SHOULD include the TLS_FALLBACK_SCSV.
5710			@see https://tools.ietf.org/html/rfc7507#section-4
5711			We warn because this is a SHOULD not a MUST.
5712			@security The only reason (outside testing) that we should propose a TLS version
5713			lower than what we support is if we had already tried to negotiate the highest
5714			version but the server did not support it. In that case, the fallbackScsv
5715			option should have been specified to mitigate version rollback attacks.
5716			*/
5717	11163		if (ssl->minVer < TLS_HIGHEST_MINOR)
5718			{
5719			psTraceInfo("Warning, if this is a fallback connection, set fallbackScsv?\n");
5720			}
5721			}
5722
5723			/* Calculate the size of the message up front, and write header */
5724	22326		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
5725	11163		5 + SSL_HS_RANDOM_SIZE + ssl->sessionIdLen + cipherLen + cookieLen;
5726
5727			# ifdef USE_ZLIB_COMPRESSION
5728			messageSize += 1;
5729			# endif
5730
5731			/* Extension lengths */
5732	11163		extLen = 0;
5733
5734			/* Max Fragment extension request */
5735	11163		ssl->maxPtFrag = SSL_MAX_PLAINTEXT_LEN;
5736	11163	50	if (ssl->minVer > 0 && (options->maxFragLen > 0) &&
		50
		0
5737	0		(options->maxFragLen < SSL_MAX_PLAINTEXT_LEN))
5738			{
5739	0	0	if (options->maxFragLen == 0x200 \|\|
		0
5740	0	0	options->maxFragLen == 0x400 \|\|
5741	0	0	options->maxFragLen == 0x800 \|\|
5742	0		options->maxFragLen == 0x1000)
5743			{
5744	0		extLen = 2 + 5; /* 2 for total ext len + 5 for ourselves */
5745	0		ssl->maxPtFrag = options->maxFragLen;
5746			/* Also indicate that we're requesting a different plaintext size */
5747	0		ssl->maxPtFrag \|= 0x10000;
5748			}
5749			else
5750			{
5751			psTraceInfo("Unsupported maxFragLen value to session options\n");
5752	0		return PS_ARG_FAIL;
5753			}
5754			}
5755
5756	11163	50	if (options->truncHmac)
5757			{
5758	0	0	if (extLen == 0)
5759			{
5760	0		extLen = 2; /* First extension found so total len */
5761			}
5762	0		extLen += 4; /* empty "extension_data" */
5763			}
5764
5765	11163	50	if (options->extendedMasterSecret >= 0)
5766			{
5767	11163	50	if (extLen == 0)
5768			{
5769	11163		extLen = 2; /* First extension found so total len */
5770			}
5771	11163		extLen += 4; /* empty extension */
5772			}
5773
5774			# ifdef USE_TRUSTED_CA_INDICATION
5775			if (options->trustedCAindication)
5776			{
5777			if (extLen == 0)
5778			{
5779			extLen = 2; /* First extension found so total len */
5780			}
5781			/* Magic 4 is extension id and length as usual */
5782			extLen += trustedCAindicationExtLen(ssl->keys->CAcerts) + 4;
5783			}
5784			# endif
5785
5786			# ifdef ENABLE_SECURE_REHANDSHAKES
5787			/* Subsequent CLIENT_HELLOs must use a populated RenegotiationInfo extension */
5788	11163	100	if (ssl->myVerifyDataLen != 0)
5789			{
5790	7	50	if (extLen == 0)
5791			{
5792	0		extLen = 2; /* First extension found so total len */
5793			}
5794	7		extLen += ssl->myVerifyDataLen + 5; /* 5 type/len/len */
5795			}
5796			# endif /* ENABLE_SECURE_REHANDSHAKES */
5797
5798			# ifdef USE_ECC_CIPHER_SUITE
5799	11163		curveListLen = 0;
5800	11163	100	if (eccSuitesSupported(ssl, cipherSpecs, cipherSpecLen))
5801			{
5802			/* Getting the curve list from crypto directly */
5803	11162		curveListLen = sizeof(eccCurveList);
5804	11162	100	if (options->ecFlags)
5805			{
5806	6		userSuppliedEccList(eccCurveList, &curveListLen, options->ecFlags);
5807			}
5808			else
5809			{
5810			/* Use all that are enabled */
5811	11156		psGetEccCurveIdList(eccCurveList, &curveListLen);
5812			}
5813	11162	50	if (curveListLen > 0)
5814			{
5815	11162	50	if (extLen == 0)
5816			{
5817	0		extLen = 2; /* First extension found so total len */
5818			}
5819			/* EXT_ELLIPTIC_CURVE */
5820	11162		extLen += curveListLen + 6; /* 2 id, 2 for ext len, 2 len */
5821			/* EXT_ELLIPTIC_POINTS - hardcoded to 'uncompressed' support */
5822	11162		extLen += 6; /* 00 0B 00 02 01 00 */
5823			}
5824			}
5825			# endif /* USE_ECC_CIPHER_SUITE */
5826
5827	11163		useTicket = 0;
5828			# ifdef USE_STATELESS_SESSION_TICKETS
5829	11163	50	if (options && options->ticketResumption == 1)
		50
5830			{
5831	0		useTicket = 1;
5832			}
5833	11163	50	if (useTicket && ssl->sid)
		0
5834			{
5835	0	0	if (extLen == 0)
5836			{
5837	0		extLen = 2; /* First extension found so total len */
5838			}
5839	0		extLen += 4; /* 2 type, 2 length */
5840	0	0	if (ssl->sid->sessionTicketLen > 0 &&
		0
5841	0		ssl->sid->sessionTicketState == SESS_TICKET_STATE_USING_TICKET)
5842			{
5843	0		extLen += ssl->sid->sessionTicketLen;
5844			}
5845			}
5846			# endif
5847
5848			# ifdef USE_OCSP
5849	11163	50	if (options && options->OCSPstapling == 1)
		50
5850			{
5851	0	0	if (extLen == 0)
5852			{
5853	0		extLen = 2; /* First extension found so total len */
5854			}
5855			/* Currently only supporting an empty status_request extension */
5856	0		extLen += 9;
5857			}
5858			# endif
5859
5860			# ifdef USE_TLS_1_2
5861			/*
5862			TLS 1.2 clients must add the SignatureAndHashAlgorithm extension,
5863			(although not sending them implies SHA-1, and it's unused for
5864			non-certificate based ciphers like PSK).
5865			Sending all the algorithms that are enabled at compile time.
5866			Always sends SHA256 since it must be enabled for TLS 1.2
5867
5868			enum {
5869			none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
5870			sha512(6), (255)
5871			} HashAlgorithm;
5872			enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } SigAlgorithm;
5873			*/
5874
5875			# define ADD_SIG_HASH(A, B) \
5876			{ \
5877			sigHashFlags \|= HASH_SIG_MASK(A, B); \
5878			sigHash[sigHashLen] = A; \
5879			sigHash[sigHashLen + 1] = B; \
5880			sigHashLen += 2; \
5881			}
5882	11163		sigHashFlags = 0;
5883	11163		sigHashLen = 2; /* Length of buffer, Start with 2b len */
5884
5885			# ifdef USE_ECC
5886			/* Always support SHA256 */
5887	11163		ADD_SIG_HASH(HASH_SIG_SHA256, HASH_SIG_ECDSA);
5888
5889			# ifdef USE_SHA512
5890	11163		ADD_SIG_HASH(HASH_SIG_SHA512, HASH_SIG_ECDSA);
5891			# endif
5892			# ifdef USE_SHA384
5893	11163		ADD_SIG_HASH(HASH_SIG_SHA384, HASH_SIG_ECDSA);
5894			# endif
5895			# ifdef USE_SHA1
5896	11163		ADD_SIG_HASH(HASH_SIG_SHA1, HASH_SIG_ECDSA);
5897			# endif
5898			# endif /* USE_ECC */
5899
5900			# ifdef USE_RSA
5901			/* Always support SHA256 */
5902	11163		ADD_SIG_HASH(HASH_SIG_SHA256, HASH_SIG_RSA);
5903
5904			# ifdef USE_SHA512
5905	11163		ADD_SIG_HASH(HASH_SIG_SHA512, HASH_SIG_RSA);
5906			# endif
5907			# ifdef USE_SHA384
5908	11163		ADD_SIG_HASH(HASH_SIG_SHA384, HASH_SIG_RSA);
5909			# endif
5910			# ifdef USE_SHA1
5911	11163		ADD_SIG_HASH(HASH_SIG_SHA1, HASH_SIG_RSA);
5912			# endif
5913			# endif /* USE_RSA */
5914
5915			# ifdef USE_ONLY_PSK_CIPHER_SUITE
5916			/* Have to pass something */
5917			ADD_SIG_HASH(HASH_SIG_SHA1, HASH_SIG_RSA);
5918			# endif
5919
5920			# undef ADD_SIG_HASH
5921
5922			/* First two bytes is the byte count of remaining data */
5923			/* Note that in PSK mode, there will be no supported sig alg hashes */
5924	11163		sigHash[0] = 0x0;
5925	11163		sigHash[1] = sigHashLen - 2; /* 2 b len*/
5926
5927	11163	50	if (extLen == 0)
5928			{
5929	0		extLen = 2; /* First extension found so total len */
5930			}
5931	11163		extLen += 2 + 2 + sigHashLen; /* 2 ext type, 2 ext length */
5932
5933			/* On the client side, the value is set to the algorithms offered */
5934	11163		ssl->hashSigAlg = sigHashFlags;
5935
5936			# endif /* USE_TLS_1_2 */
5937
5938			/* Add any user-provided extensions */
5939	11163		ext = userExt;
5940	11163	50	if (ext && extLen == 0)
		0
5941			{
5942	0		extLen = 2; /* Start with the initial len */
5943			}
5944	11163	50	while (ext)
5945			{
5946	0		extLen += ext->extLen + 4; /* +4 for type and length of each */
5947	0		ext = ext->next;
5948			}
5949
5950			# ifdef USE_DTLS
5951			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->helloExtLen > 0))
5952			{
5953			/* Override all the extension calculations and just grab what was
5954			sent the first time. Can't rebuild because there is no good line
5955			between the extensions we add and the extensions the user adds and
5956			no user extensions will have been passed in here on a retransmit */
5957			extLen = ssl->helloExtLen;
5958			}
5959			# endif
5960	11163		messageSize += extLen;
5961
5962	11163		c = out->end;
5963	11163		end = out->buf + out->size;
5964
5965	11163	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
5966			SSL_HS_CLIENT_HELLO, &messageSize, &padLen, &encryptStart,
5967			end, &c)) < 0)
5968			{
5969	0		*requiredLen = messageSize;
5970	0		return rc;
5971			}
5972
5973	11163		t = 1;
5974			# ifdef USE_DTLS
5975			/*
5976			Test if this is DTLS response to the HelloVerify server message.
5977			If so, we use the exact same one (+cookie) as before to prove to the
5978			server we are legit. The only thing that should change in this message
5979			is the client random so we make sure to use the original one
5980
5981			struct {
5982			ProtocolVersion client_version;
5983			Random random;
5984			SessionID session_id;
5985			opaque cookie<0..32>; // New field
5986			CipherSuite cipher_suites<2..2^16-1>;
5987			CompressionMethod compression_methods<1..2^8-1>;
5988			} ClientHello;
5989			*/
5990			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->haveCookie))
5991			{
5992			t = 0;
5993			}
5994			/* Also test for retransmit */
5995			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 1))
5996			{
5997			t = 0;
5998			}
5999			# endif
6000
6001	11163	50	if (t)
6002			{
6003			/** @security RFC says to set the first 4 bytes to time, but best common practice is
6004			to use full 32 bytes of random. This is forward looking to TLS 1.3, and also works
6005			better for embedded platforms and FIPS secret key material.
6006			@see https://www.ietf.org/mail-archive/web/tls/current/msg09861.html */
6007			# ifdef SEND_HELLO_RANDOM_TIME
6008			/* First 4 bytes of the serverRandom are the unix time to prevent
6009			replay attacks, the rest are random */
6010			t = psGetTime(NULL, ssl->userPtr);
6011			ssl->sec.clientRandom[0] = (unsigned char) ((t & 0xFF000000) >> 24);
6012			ssl->sec.clientRandom[1] = (unsigned char) ((t & 0xFF0000) >> 16);
6013			ssl->sec.clientRandom[2] = (unsigned char) ((t & 0xFF00) >> 8);
6014			ssl->sec.clientRandom[3] = (unsigned char) (t & 0xFF);
6015			if ((rc = psGetPrngLocked(ssl->sec.clientRandom + 4,
6016			SSL_HS_RANDOM_SIZE - 4, ssl->userPtr)) < PS_SUCCESS)
6017			{
6018			return rc;
6019			}
6020			# else
6021	11163	50	if ((rc = psGetPrngLocked(ssl->sec.clientRandom,
6022			SSL_HS_RANDOM_SIZE, ssl->userPtr)) < PS_SUCCESS)
6023			{
6024	0		return rc;
6025			}
6026			# endif
6027			}
6028			/*
6029			First two fields in the ClientHello message are the maximum major
6030			and minor SSL protocol versions we support.
6031			*/
6032	11163		*c = ssl->majVer; c++;
6033	11163		*c = ssl->minVer; c++;
6034
6035			/*
6036			The next 32 bytes are the server's random value, to be combined with
6037			the client random and premaster for key generation later
6038			*/
6039	11163		memcpy(c, ssl->sec.clientRandom, SSL_HS_RANDOM_SIZE);
6040	11163		c += SSL_HS_RANDOM_SIZE;
6041			/*
6042			The next data is a single byte containing the session ID length,
6043			and up to 32 bytes containing the session id.
6044			If we are asking to resume a session, then the sessionId would have
6045			been set at session creation time.
6046			*/
6047	11163		*c = (unsigned char) ssl->sessionIdLen; c++;
6048	11163	100	if (ssl->sessionIdLen > 0)
6049			{
6050	2		memcpy(c, ssl->sessionId, ssl->sessionIdLen);
6051	2		c += ssl->sessionIdLen;
6052			# ifdef USE_MATRIXSSL_STATS
6053			matrixsslUpdateStat(ssl, RESUMPTIONS_STAT, 1);
6054			# endif
6055			}
6056			# ifdef USE_DTLS
6057			if (ssl->flags & SSL_FLAGS_DTLS)
6058			{
6059			if (ssl->haveCookie)
6060			{
6061			*c = (unsigned char) ssl->cookieLen; c++;
6062			memcpy(c, ssl->cookie, ssl->cookieLen);
6063			c += ssl->cookieLen;
6064			}
6065			else
6066			{
6067			/* This condition is an empty cookie client hello. Still must
6068			send a zero length specifier. */
6069			*c = 0; c++;
6070			}
6071			}
6072			# endif
6073			/*
6074			Write out the length and ciphers we support
6075			Client can request a single specific cipher in the cipherSpec param
6076			*/
6077	11163	100	if (cipherSpecLen == 0 \|\| cipherSpecs == NULL \|\| cipherSpecs[0] == 0)
		50
		50
6078			{
6079	11162	50	if ((rc = sslGetCipherSpecList(ssl, c, (int32) (end - c), addRenegotiationScsv)) < 0)
6080			{
6081	0		return SSL_FULL;
6082			}
6083	11162		c += rc;
6084			}
6085			else
6086			{
6087	1	50	if ((int32) (end - c) < cipherLen)
6088			{
6089	0		return SSL_FULL;
6090			}
6091	1		cipherLen -= 2; /* don't include yourself */
6092	1		*c = (cipherLen & 0xFF00) >> 8; c++;
6093	1		*c = cipherLen & 0xFF; c++;
6094			/* Safe to include all cipher suites in the list because they were
6095			checked above */
6096	2	100	for (i = 0; i < cipherSpecLen; i++)
6097			{
6098	1		*c = (cipherSpecs[i] & 0xFF00) >> 8; c++;
6099	1		*c = cipherSpecs[i] & 0xFF; c++;
6100			}
6101			# ifdef ENABLE_SECURE_REHANDSHAKES
6102	1	50	if (addRenegotiationScsv == 1)
6103			{
6104	0		ssl->extFlags.req_renegotiation_info = 1;
6105	0		*c = ((TLS_EMPTY_RENEGOTIATION_INFO_SCSV & 0xFF00) >> 8); c++;
6106	0		*c = TLS_EMPTY_RENEGOTIATION_INFO_SCSV & 0xFF; c++;
6107			}
6108			# endif
6109	1	50	if (ssl->extFlags.req_fallback_scsv)
6110			{
6111	0		*c = (TLS_FALLBACK_SCSV >> 8) & 0xFF; c++;
6112	0		*c = TLS_FALLBACK_SCSV & 0xFF; c++;
6113			}
6114			}
6115			/*
6116			Compression. Length byte and 0 for 'none' and possibly 1 for zlib
6117			*/
6118			# ifdef USE_ZLIB_COMPRESSION
6119			*c = 2; c++;
6120			*c = 0; c++;
6121			*c = 1; c++;
6122			# else
6123	11163		*c = 1; c++;
6124	11163		*c = 0; c++;
6125			# endif
6126
6127			# ifdef USE_DTLS
6128			if (ssl->flags & SSL_FLAGS_DTLS)
6129			{
6130			/* Need to save aside (or recall) extensions because the resend
6131			path doesn't go back to the user to rebuild them. */
6132			extStart = c;
6133			}
6134			# endif
6135			/*
6136			Extensions
6137			*/
6138	11163	50	if (extLen > 0)
6139			{
6140	11163		extLen -= 2; /* Don't include yourself in the length */
6141	11163		c = (extLen & 0xFF00) >> 8; c++; / Total list length */
6142	11163		*c = extLen & 0xFF; c++;
6143
6144			/* User-provided extensions. Do them first in case something
6145			like a ServerNameIndication is here that will influence a
6146			later extension such as the sigHashAlgs */
6147	11163	50	if (userExt)
6148			{
6149	0		ext = userExt;
6150	0	0	while (ext)
6151			{
6152	0		switch (ext->extType)
6153			{
6154			case EXT_SNI:
6155	0		ssl->extFlags.req_sni = 1;
6156	0		break;
6157			case EXT_ALPN:
6158	0		ssl->extFlags.req_alpn = 1;
6159			# ifdef USE_ALPN
6160	0		if (ssl->extCb == NULL)
6161			{
6162			psTraceInfo("WARNING: Providing ALPN extension without "
6163			"registering extension callback to receive server reply\n");
6164			}
6165			# endif
6166	0		break;
6167			default:
6168	0		break;
6169			}
6170	0		*c = (ext->extType & 0xFF00) >> 8; c++;
6171	0		*c = ext->extType & 0xFF; c++;
6172
6173	0		*c = (ext->extLen & 0xFF00) >> 8; c++;
6174	0		*c = ext->extLen & 0xFF; c++;
6175	0	0	if (ext->extLen == 1 && ext->extData == NULL)
		0
6176			{
6177	0		memset(c, 0x0, 1);
6178			}
6179			else
6180			{
6181	0		memcpy(c, ext->extData, ext->extLen);
6182			}
6183	0		c += ext->extLen;
6184	0		ext = ext->next;
6185			}
6186			}
6187
6188			/* Max fragment extension */
6189	11163	50	if (ssl->maxPtFrag & 0x10000)
6190			{
6191	0		ssl->extFlags.req_max_fragment_len = 1;
6192	0		*c = 0x00; c++;
6193	0		*c = 0x01; c++;
6194	0		*c = 0x00; c++;
6195	0		*c = 0x01; c++;
6196	0	0	if (options->maxFragLen == 0x200)
6197			{
6198	0		*c = 0x01; c++;
6199			}
6200	0	0	else if (options->maxFragLen == 0x400)
6201			{
6202	0		*c = 0x02; c++;
6203			}
6204	0	0	else if (options->maxFragLen == 0x800)
6205			{
6206	0		*c = 0x03; c++;
6207			}
6208	0	0	else if (options->maxFragLen == 0x1000)
6209			{
6210	0		*c = 0x04; c++;
6211			}
6212			}
6213			# ifdef ENABLE_SECURE_REHANDSHAKES
6214			/*
6215			Populated RenegotiationInfo extension
6216			*/
6217	11163	100	if (ssl->myVerifyDataLen > 0)
6218			{
6219	7		ssl->extFlags.req_renegotiation_info = 1;
6220	7		*c = (EXT_RENEGOTIATION_INFO & 0xFF00) >> 8; c++;
6221	7		*c = EXT_RENEGOTIATION_INFO & 0xFF; c++;
6222	7		*c = ((ssl->myVerifyDataLen + 1) & 0xFF00) >> 8; c++;
6223	7		*c = (ssl->myVerifyDataLen + 1) & 0xFF; c++;
6224	7		*c = ssl->myVerifyDataLen & 0xFF; c++;
6225	7		memcpy(c, ssl->myVerifyData, ssl->myVerifyDataLen);
6226	7		c += ssl->myVerifyDataLen;
6227			}
6228			# endif /* ENABLE_SECURE_REHANDSHAKES */
6229
6230			# ifdef USE_ECC_CIPHER_SUITE
6231	11163	100	if (curveListLen > 0)
6232			{
6233	11162		ssl->extFlags.req_elliptic_curve = 1;
6234	11162		*c = (EXT_ELLIPTIC_CURVE & 0xFF00) >> 8; c++;
6235	11162		*c = EXT_ELLIPTIC_CURVE & 0xFF; c++;
6236	11162		*c = ((curveListLen + 2) & 0xFF00) >> 8; c++;
6237	11162		*c = (curveListLen + 2) & 0xFF; c++;
6238	11162		c = 0; c++; / High byte always zero */
6239	11162		*c = curveListLen & 0xFF; c++;
6240	11162		memcpy(c, eccCurveList, curveListLen);
6241	11162		c += curveListLen;
6242
6243	11162		ssl->extFlags.req_elliptic_points = 1;
6244	11162		*c = (EXT_ELLIPTIC_POINTS & 0xFF00) >> 8; c++;
6245	11162		*c = EXT_ELLIPTIC_POINTS & 0xFF; c++;
6246	11162		*c = 0x00; c++;
6247	11162		*c = 0x02; c++;
6248	11162		*c = 0x01; c++;
6249	11162		*c = 0x00; c++;
6250			}
6251			# endif /* USE_ECC_CIPHER_SUITE */
6252
6253			# ifdef USE_TLS_1_2
6254			/* Will always exist in some form if TLS 1.2 is enabled */
6255	11163		ssl->extFlags.req_signature_algorithms = 1;
6256	11163		*c = (EXT_SIGNATURE_ALGORITHMS & 0xFF00) >> 8; c++;
6257	11163		*c = EXT_SIGNATURE_ALGORITHMS & 0xFF; c++;
6258	11163		*c = (sigHashLen & 0xFF00) >> 8; c++;
6259	11163		*c = sigHashLen & 0xFF; c++;
6260	11163		memcpy(c, sigHash, sigHashLen);
6261	11163		c += sigHashLen;
6262			# endif
6263
6264			# ifdef USE_STATELESS_SESSION_TICKETS
6265			/* If ticket exists and is marked "USING" then it can be used */
6266	11163	50	if (useTicket && ssl->sid)
		0
6267			{
6268	0	0	if (ssl->sid->sessionTicketLen == 0 \|\|
		0
6269	0		ssl->sid->sessionTicketState != SESS_TICKET_STATE_USING_TICKET)
6270			{
6271
6272	0		ssl->extFlags.req_session_ticket = 1;
6273	0		*c = (EXT_SESSION_TICKET & 0xFF00) >> 8; c++;
6274	0		*c = EXT_SESSION_TICKET & 0xFF; c++;
6275	0		*c = 0x00; c++;
6276	0		*c = 0x00; c++;
6277	0		ssl->sid->sessionTicketState = SESS_TICKET_STATE_SENT_EMPTY;
6278			}
6279			else
6280			{
6281	0		ssl->extFlags.req_session_ticket = 1;
6282	0		*c = (EXT_SESSION_TICKET & 0xFF00) >> 8; c++;
6283	0		*c = EXT_SESSION_TICKET & 0xFF; c++;
6284	0		*c = (ssl->sid->sessionTicketLen & 0xFF00) >> 8; c++;
6285	0		*c = ssl->sid->sessionTicketLen & 0xFF; c++;
6286	0		memcpy(c, ssl->sid->sessionTicket, ssl->sid->sessionTicketLen);
6287	0		c += ssl->sid->sessionTicketLen;
6288	0		ssl->sid->sessionTicketState = SESS_TICKET_STATE_SENT_TICKET;
6289			# ifdef USE_MATRIXSSL_STATS
6290			matrixsslUpdateStat(ssl, RESUMPTIONS_STAT, 1);
6291			# endif
6292			}
6293			}
6294			# endif /* USE_STATELESS_SESSION_TICKETS */
6295
6296			# ifdef USE_OCSP
6297	11163	50	if (options->OCSPstapling)
6298			{
6299	0		ssl->extFlags.req_status_request = 1;
6300	0		*c = (EXT_STATUS_REQUEST & 0xFF00) >> 8; c++;
6301	0		*c = EXT_STATUS_REQUEST & 0xFF; c++;
6302	0		*c = 0x00; c++;
6303	0		*c = 0x05; c++;
6304	0		*c = 0x01; c++;
6305	0		*c = 0x00; c++;
6306	0		*c = 0x00; c++;
6307	0		*c = 0x00; c++;
6308	0		*c = 0x00; c++;
6309			}
6310			# endif
6311
6312			# ifdef USE_TRUSTED_CA_INDICATION
6313			if (options->trustedCAindication)
6314			{
6315			*c = (EXT_TRUSTED_CA_KEYS & 0xFF00) >> 8; c++;
6316			*c = EXT_TRUSTED_CA_KEYS & 0xFF; c++;
6317			writeTrustedCAindication(ssl->keys->CAcerts, &c);
6318			}
6319			# endif
6320	11163	50	if (options->truncHmac)
6321			{
6322	0		ssl->extFlags.req_truncated_hmac = 1;
6323	0		*c = (EXT_TRUNCATED_HMAC & 0xFF00) >> 8; c++;
6324	0		*c = EXT_TRUNCATED_HMAC & 0xFF; c++;
6325	0		*c = 0x00; c++;
6326	0		*c = 0x00; c++;
6327			}
6328
6329	11163	50	if (options->extendedMasterSecret >= 0)
6330			{
6331	11163	100	if (options->extendedMasterSecret > 0)
6332			{
6333			/* User is REQUIRING the server to support it */
6334	7		ssl->extFlags.require_extended_master_secret = 1;
6335			}
6336	11163		ssl->extFlags.req_extended_master_secret = 1;
6337	11163		*c = (EXT_EXTENDED_MASTER_SECRET & 0xFF00) >> 8; c++;
6338	11163		*c = EXT_EXTENDED_MASTER_SECRET & 0xFF; c++;
6339	11163		*c = 0x00; c++;
6340	11163		*c = 0x00; c++;
6341			}
6342
6343			}
6344
6345			# ifdef USE_DTLS
6346			if ((ssl->flags & SSL_FLAGS_DTLS) && (extLen > 0))
6347			{
6348			if (ssl->helloExtLen == 0)
6349			{
6350			ssl->helloExtLen = (int32) (c - extStart);
6351			ssl->helloExt = psMalloc(ssl->hsPool, ssl->helloExtLen);
6352			if (ssl->helloExt == NULL)
6353			{
6354			return SSL_MEM_ERROR;
6355			}
6356			memcpy(ssl->helloExt, extStart, ssl->helloExtLen);
6357			}
6358			else
6359			{
6360			/* Forget the extensions we wrote above and use the saved ones */
6361			c = extStart;
6362			memcpy(c, ssl->helloExt, ssl->helloExtLen);
6363			c += ssl->helloExtLen;
6364			}
6365			}
6366			# endif /* USE_DTLS */
6367
6368	11163	50	if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, 0, messageSize,
6369			padLen, encryptStart, out, &c)) < 0)
6370			{
6371	0		return rc;
6372			}
6373	11163		out->end = c;
6374
6375			/*
6376			Could be a rehandshake so clean up old context if necessary.
6377			Always explicitly set state to beginning.
6378			*/
6379	11163	100	if (ssl->hsState == SSL_HS_DONE)
6380			{
6381	7		sslResetContext(ssl);
6382			}
6383
6384			/*
6385			Could be a rehandshake on a previous connection that used client auth.
6386			Reset our local client auth state as the server is always the one
6387			responsible for initiating it.
6388			*/
6389	11163		ssl->flags &= ~SSL_FLAGS_CLIENT_AUTH;
6390	11163		ssl->hsState = SSL_HS_SERVER_HELLO;
6391
6392			# ifdef USE_MATRIXSSL_STATS
6393			matrixsslUpdateStat(ssl, CH_SENT_STAT, 1);
6394			# endif
6395	11164		return MATRIXSSL_SUCCESS;
6396
6397			}
6398
6399			/******************************************************************************/
6400			/*
6401			Write a ClientKeyExchange message.
6402			*/
6403	1058		static int32 writeClientKeyExchange(ssl_t ssl, sslBuf_t out)
6404			{
6405			unsigned char c, end, *encryptStart;
6406			uint8_t padLen;
6407			psSize_t keyLen, messageSize, explicitLen;
6408			int32_t rc;
6409			pkaAfter_t *pkaAfter;
6410
6411			# ifdef USE_PSK_CIPHER_SUITE
6412			unsigned char pskId, pskKey;
6413			uint8_t pskIdLen;
6414			# endif /* USE_PSK_CIPHER_SUITE */
6415	1058		void *pkiData = ssl->userPtr;
6416			# ifndef USE_ONLY_PSK_CIPHER_SUITE
6417			# if defined(USE_ECC_CIPHER_SUITE) \|\| defined(USE_RSA_CIPHER_SUITE)
6418	1058		psPool_t *pkiPool = NULL;
6419			# endif /* USE_ECC_CIPHER_SUITE \|\| USE_RSA_CIPHER_SUITE */
6420			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
6421
6422			psTraceHs("<<< Client creating CLIENT_KEY_EXCHANGE message\n");
6423
6424	1058		c = out->end;
6425	1058		end = out->buf + out->size;
6426	1058		messageSize = keyLen = 0;
6427
6428	1058	50	if ((pkaAfter = getPkaAfter(ssl)) == NULL)
6429			{
6430	0		return PS_PLATFORM_FAIL;
6431			}
6432
6433			# ifdef USE_PSK_CIPHER_SUITE
6434	1058	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
6435			{
6436			/* Get the key id to send in the clientKeyExchange message. */
6437	0	0	if (matrixSslPskGetKeyId(ssl, &pskId, &pskIdLen,
6438	0		ssl->sec.hint, ssl->sec.hintLen) < 0)
6439			{
6440	0		psFree(ssl->sec.hint, ssl->hsPool); ssl->sec.hint = NULL;
6441	0		return MATRIXSSL_ERROR;
6442			}
6443			# ifdef USE_DTLS
6444			/* Need to save for retransmit? */
6445			if (!(ssl->flags & SSL_FLAGS_DTLS))
6446			{
6447			psFree(ssl->sec.hint, ssl->hsPool); ssl->sec.hint = NULL;
6448			}
6449			# else
6450	0		psFree(ssl->sec.hint, ssl->hsPool); ssl->sec.hint = NULL;
6451			# endif
6452
6453			}
6454			# endif /* USE_PSK_CIPHER_SUITE */
6455
6456			/*
6457			Determine messageSize for the record header
6458			*/
6459			# ifdef USE_DHE_CIPHER_SUITE
6460	1058	100	if (ssl->flags & SSL_FLAGS_DHE_KEY_EXCH)
6461			{
6462			# ifdef USE_DTLS
6463			if (ssl->flags & SSL_FLAGS_DTLS && ssl->retransmit == 1)
6464			{
6465			keyLen = ssl->ckeSize;
6466			}
6467			else
6468			{
6469			# endif
6470			# ifdef USE_ECC_CIPHER_SUITE
6471	1057	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
6472			{
6473	1057		keyLen = (ssl->sec.eccKeyPriv->curve->size * 2) + 2;
6474			}
6475			else
6476			{
6477			# endif /* USE_ECC_CIPHER_SUITE */
6478			# ifdef REQUIRE_DH_PARAMS
6479	0		keyLen += ssl->sec.dhKeyPriv->size;
6480			# endif /* REQUIRE_DH_PARAMS */
6481			# ifdef USE_ECC_CIPHER_SUITE
6482			}
6483			# endif /* USE_ECC_CIPHER_SUITE */
6484			# ifdef USE_DTLS
6485			}
6486			# endif
6487			# ifdef USE_PSK_CIPHER_SUITE
6488			/*
6489			Leave keyLen as the native DH or RSA key to keep the write
6490			logic untouched below. Just directly increment the messageSize
6491			for the PSK id information
6492			*/
6493			/* DHE_PSK suites */
6494	1057	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
6495			{
6496	1057		messageSize += pskIdLen + 2;
6497			}
6498			# endif /* USE_PSK_CIPHER_SUITE */
6499			}
6500			else
6501			{
6502			# endif /* USE_DHE_CIPHER_SUITE */
6503			# ifdef USE_PSK_CIPHER_SUITE
6504			/* basic PSK suites */
6505	1	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
6506			{
6507	0		messageSize += pskIdLen; /* don't need the +2 */
6508			}
6509			else
6510			{
6511			# endif /* USE_PSK_CIPHER_SUITE */
6512			# ifndef USE_ONLY_PSK_CIPHER_SUITE
6513			# ifdef USE_ECC_CIPHER_SUITE
6514	1	50	if (ssl->cipher->type == CS_ECDH_ECDSA \|\|
		50
6515	1		ssl->cipher->type == CS_ECDH_RSA)
6516			{
6517	0		keyLen = (ssl->sec.cert->publicKey.key.ecc.curve->size * 2) + 2;
6518			}
6519			else
6520			{
6521			# endif /* USE_ECC_CIPHER_SUITE */
6522			/* Standard RSA auth suites */
6523	1		keyLen = ssl->sec.cert->publicKey.keysize;
6524			# ifdef USE_ECC_CIPHER_SUITE
6525			}
6526			# endif /* USE_ECC_CIPHER_SUITE */
6527			# endif /* !USE_PSK_CIPHER_SUITE */
6528			# ifdef USE_PSK_CIPHER_SUITE
6529			}
6530			# endif /* USE_PSK_CIPHER_SUITE */
6531			# ifdef USE_DHE_CIPHER_SUITE
6532			}
6533			# endif /* USE_DHE_CIPHER_SUITE */
6534
6535	1058		messageSize += ssl->recordHeadLen + ssl->hshakeHeadLen + keyLen;
6536	1058		explicitLen = 0;
6537			# ifdef USE_TLS
6538			/* Must always add the key size length to the message */
6539	1058	50	if (ssl->flags & SSL_FLAGS_TLS)
6540			{
6541	1058		messageSize += 2;
6542	1058		explicitLen = 1;
6543			}
6544			# endif /* USE_TLS */
6545
6546			# ifdef USE_DHE_CIPHER_SUITE
6547			/* DHE must include the explicit key size regardless of protocol */
6548	1058	100	if (ssl->flags & SSL_FLAGS_DHE_KEY_EXCH)
6549			{
6550	1057	50	if (explicitLen == 0)
6551			{
6552	0		messageSize += 2;
6553	0		explicitLen = 1;
6554			}
6555			}
6556			# endif /* USE_DHE_CIPHER_SUITE */
6557
6558			# ifdef USE_PSK_CIPHER_SUITE
6559			/* Standard PSK suite in SSLv3 will not have accounted for +2 yet */
6560	1058	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
6561			{
6562	0	0	if (explicitLen == 0)
6563			{
6564	0		messageSize += 2;
6565	0		explicitLen = 1;
6566			}
6567			}
6568			# endif
6569
6570			# ifdef USE_ECC_CIPHER_SUITE
6571	1058	100	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
6572			{
6573	1057	50	if (explicitLen == 1)
6574			{
6575	1057		messageSize -= 2; /* For some reason, ECC CKE doesn't use 2 len */
6576	1057		explicitLen = 0;
6577			}
6578			}
6579			# endif /* USE_ECC_CIPHER_SUITE */
6580
6581	1058	50	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
6582			SSL_HS_CLIENT_KEY_EXCHANGE, &messageSize, &padLen,
6583			&encryptStart, end, &c)) < 0)
6584			{
6585	0		return rc;
6586			}
6587
6588			/*
6589			ClientKeyExchange message contains the encrypted premaster secret.
6590			The base premaster is the original SSL protocol version we asked for
6591			followed by 46 bytes of random data.
6592			These 48 bytes are padded to the current RSA key length and encrypted
6593			with the RSA key.
6594			*/
6595	1058	100	if (explicitLen == 1)
6596			{
6597			# ifdef USE_PSK_CIPHER_SUITE
6598	1	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
6599			{
6600			/* pskIdLen is uint8_t. */
6601	0		*c = 0; c++;
6602	0		*c = (pskIdLen & 0xFF); c++;
6603			/*
6604			The cke message begins with the ID of the desired key
6605			*/
6606	0		memcpy(c, pskId, pskIdLen);
6607	0		c += pskIdLen;
6608			}
6609			# endif /* USE_PSK_CIPHER_SUITE */
6610			/*
6611			Add the two bytes of key length
6612			*/
6613	1	50	if (keyLen > 0)
6614			{
6615	1		*c = (keyLen & 0xFF00) >> 8; c++;
6616	1		*c = (keyLen & 0xFF); c++;
6617			}
6618			}
6619
6620			# ifdef USE_DTLS
6621			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 1))
6622			{
6623			/*
6624			Retransmit case. Must use the cached encrypted msg from
6625			the first flight to keep handshake hash same
6626			*/
6627			memcpy(c, ssl->ckeMsg, ssl->ckeSize);
6628			c += ssl->ckeSize;
6629			}
6630			else
6631			{
6632			# endif /* USE_DTLS */
6633
6634			# ifdef USE_DHE_CIPHER_SUITE
6635	1058	100	if (ssl->flags & SSL_FLAGS_DHE_KEY_EXCH)
6636			{
6637			/* For DHE, the clientKeyExchange message is simply the public
6638			key for this client. No public/private encryption here
6639			because there is no authentication (so not necessary or
6640			meaningful to activate public cipher). Just check ECDHE or DHE */
6641			# ifdef USE_ECC_CIPHER_SUITE
6642	1057	50	if (ssl->flags & SSL_FLAGS_ECC_CIPHER)
6643			{
6644	1057		keyLen--;
6645	1057		*c = keyLen & 0xFF; c++;
6646	1057	50	if (psEccX963ExportKey(ssl->hsPool, ssl->sec.eccKeyPriv, c,
6647			&keyLen) < 0)
6648			{
6649	0		return MATRIXSSL_ERROR;
6650			}
6651	1057	50	psAssert(keyLen == (uint32) * (c - 1));
6652			# ifdef USE_DTLS
6653			if (ssl->flags & SSL_FLAGS_DTLS)
6654			{
6655			/* Set aside retransmit for this case here since there is
6656			nothing happening in nowDoCke related to the handshake
6657			message output */
6658			ssl->ckeSize = keyLen + 1;
6659			ssl->ckeMsg = psMalloc(ssl->hsPool, ssl->ckeSize);
6660			if (ssl->ckeMsg == NULL)
6661			{
6662			return SSL_MEM_ERROR;
6663			}
6664			memcpy(ssl->ckeMsg, c - 1, ssl->ckeSize);
6665			}
6666			# endif
6667	1057		c += keyLen;
6668			/*
6669			Generate premaster and free ECC key material
6670			*/
6671	1057		ssl->sec.premasterSize = ssl->sec.eccKeyPriv->curve->size;
6672	1057		ssl->sec.premaster = psMalloc(ssl->hsPool, ssl->sec.premasterSize);
6673	1057	50	if (ssl->sec.premaster == NULL)
6674			{
6675	0		return SSL_MEM_ERROR;
6676			}
6677
6678			/* Schedule EC secret generation */
6679	1057		pkaAfter->type = PKA_AFTER_ECDH_SECRET_GEN;
6680	1057		pkaAfter->inbuf = NULL;
6681	1057		pkaAfter->inlen = 0;
6682	1057		pkaAfter->outbuf = ssl->sec.premaster;
6683	1057		pkaAfter->data = pkiData;
6684
6685			}
6686			else
6687			{
6688			# endif /* USE_ECC_CIPHER_SUITE */
6689			# ifdef REQUIRE_DH_PARAMS
6690			{
6691	0		psSize_t dhLen = end - c;
6692			/* Write out the public key part of our private key */
6693	0	0	if (psDhExportPubKey(ssl->hsPool, ssl->sec.dhKeyPriv, c, &dhLen) < 0)
6694			{
6695	0		return MATRIXSSL_ERROR;
6696			}
6697	0	0	psAssert(dhLen == keyLen);
6698			}
6699			# ifdef USE_DTLS
6700			if (ssl->flags & SSL_FLAGS_DTLS)
6701			{
6702			/* Set aside retransmit for this case here since there is
6703			nothing happening in nowDoCke related to the handshake
6704			message output */
6705			ssl->ckeSize = keyLen;
6706			ssl->ckeMsg = psMalloc(ssl->hsPool, ssl->ckeSize);
6707			if (ssl->ckeMsg == NULL)
6708			{
6709			return SSL_MEM_ERROR;
6710			}
6711			memcpy(ssl->ckeMsg, c, ssl->ckeSize);
6712			}
6713			# endif
6714	0		c += keyLen;
6715
6716			/* Schedule DH secret gen.*/
6717	0		pkaAfter->type = PKA_AFTER_DH_KEY_GEN;
6718	0		pkaAfter->inbuf = NULL;
6719	0		pkaAfter->inlen = 0;
6720			# ifdef USE_PSK_CIPHER_SUITE
6721			/* Borrowing the inbuf and inlen params to hold pskId information */
6722	0	0	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
6723			{
6724	0		pkaAfter->inlen = pskIdLen;
6725	0	0	if ((pkaAfter->inbuf = psMalloc(ssl->hsPool, pskIdLen)) == NULL)
6726			{
6727	0		return PS_MEM_FAIL;
6728			}
6729	0		memcpy(pkaAfter->inbuf, pskId, pskIdLen);
6730			}
6731			# endif
6732	0		pkaAfter->outbuf = ssl->sec.premaster;
6733	0		pkaAfter->user = ssl->sec.premasterSize;
6734	1057		pkaAfter->data = pkiData;
6735
6736			# endif /* REQUIRE_DH_PARAMS */
6737			# ifdef USE_ECC_CIPHER_SUITE
6738			}
6739			# endif /* USE_ECC_CIPHER_SUITE */
6740
6741			}
6742			else
6743			{
6744			# endif /* USE_DHE_CIPHER_SUITE */
6745			# ifdef USE_PSK_CIPHER_SUITE
6746			/*
6747			Create the premaster for basic PSK suites
6748			*/
6749	1	50	if (ssl->flags & SSL_FLAGS_PSK_CIPHER)
6750			{
6751			/*
6752			RFC4279: The premaster secret is formed as follows: if the PSK is
6753			N octets long, concatenate a uint16 with the value N, N zero octets,
6754			a second uint16 with the value N, and the PSK itself.
6755			@note pskIdLen will contain the length of pskKey after this call.
6756			*/
6757	0		matrixSslPskGetKey(ssl, pskId, pskIdLen, &pskKey, &pskIdLen);
6758	0	0	if (pskKey == NULL)
6759			{
6760	0		return MATRIXSSL_ERROR;
6761			}
6762	0		ssl->sec.premasterSize = (pskIdLen * 2) + 4;
6763	0		ssl->sec.premaster = psMalloc(ssl->hsPool, ssl->sec.premasterSize);
6764	0	0	if (ssl->sec.premaster == NULL)
6765			{
6766	0		return SSL_MEM_ERROR;
6767			}
6768	0		memset(ssl->sec.premaster, 0, ssl->sec.premasterSize);
6769	0		ssl->sec.premaster[0] = 0;
6770	0		ssl->sec.premaster[1] = (pskIdLen & 0xFF);
6771			/* memset to 0 handled middle portion */
6772	0		ssl->sec.premaster[2 + pskIdLen] = 0;
6773	0		ssl->sec.premaster[3 + pskIdLen] = (pskIdLen & 0xFF);
6774	0		memcpy(&ssl->sec.premaster[4 + pskIdLen], pskKey, pskIdLen);
6775			/* Now that we've got the premaster secret, derive the various
6776			symmetrics. Correct this is only a PSK requirement here because
6777			there is no pkaAfter to call it later
6778
6779			However, if extended_master_secret is being used we must delay
6780			the master secret creation until the CKE handshake message has
6781			been added to the rolling handshake hash. Key generation will
6782			be done in encryptRecord */
6783	0	0	if (ssl->extFlags.extended_master_secret == 0)
6784			{
6785	0	0	if ((rc = sslCreateKeys(ssl)) < 0)
6786			{
6787	0		return rc;
6788			}
6789			}
6790
6791			}
6792			else
6793			{
6794			# endif /* USE_PSK_CIPHER_SUITE */
6795			# ifndef USE_ONLY_PSK_CIPHER_SUITE
6796			/* Non-DHE cases below */
6797			# ifdef USE_ECC_CIPHER_SUITE
6798	1	50	if (ssl->cipher->type == CS_ECDH_ECDSA \|\|
		50
6799	1		ssl->cipher->type == CS_ECDH_RSA)
6800			{
6801
6802			/* Write key len */
6803	0		keyLen--;
6804	0		*c = keyLen & 0xFF; c++;
6805
6806			/* Tricky case where a key generation, public key write, and
6807			then secret generation are needed. Schedule the key gen.
6808			The combination of the cipher suite type and the pkaAfter
6809			type will be used to locate this case */
6810	0		pkaAfter->type = PKA_AFTER_ECDH_KEY_GEN;
6811	0		pkaAfter->outbuf = c; /* Where the public key will be written */
6812	0		pkaAfter->pool = pkiPool;
6813	0		pkaAfter->data = pkiData;
6814	0		pkaAfter->user = keyLen;
6815
6816	0		c += keyLen;
6817
6818			/* Allocate premaster and free ECC key material */
6819
6820	0		ssl->sec.premasterSize =
6821	0		ssl->sec.cert->publicKey.key.ecc.curve->size;
6822	0		ssl->sec.premaster = psMalloc(ssl->hsPool,
6823			ssl->sec.premasterSize);
6824	0	0	if (ssl->sec.premaster == NULL)
6825			{
6826	0		return SSL_MEM_ERROR;
6827			}
6828
6829			}
6830			else
6831			{
6832			# endif /* USE_ECC_CIPHER_SUITE */
6833			# ifdef USE_RSA_CIPHER_SUITE
6834			/*
6835			Standard RSA suite
6836			*/
6837	1		ssl->sec.premasterSize = SSL_HS_RSA_PREMASTER_SIZE;
6838	1		ssl->sec.premaster = psMalloc(ssl->hsPool,
6839			SSL_HS_RSA_PREMASTER_SIZE);
6840	1	50	if (ssl->sec.premaster == NULL)
6841			{
6842	0		return SSL_MEM_ERROR;
6843			}
6844
6845	1		ssl->sec.premaster[0] = ssl->reqMajVer;
6846	1		ssl->sec.premaster[1] = ssl->reqMinVer;
6847	1	50	if (psGetPrngLocked(ssl->sec.premaster + 2,
6848			SSL_HS_RSA_PREMASTER_SIZE - 2, ssl->userPtr) < 0)
6849			{
6850	0		return MATRIXSSL_ERROR;
6851			}
6852
6853			/* Shedule RSA encryption. Put tmp pool under control of After */
6854	1		pkaAfter->type = PKA_AFTER_RSA_ENCRYPT;
6855	1		pkaAfter->outbuf = c;
6856	1		pkaAfter->data = pkiData;
6857	1		pkaAfter->pool = pkiPool;
6858	1		pkaAfter->user = keyLen; /* Available space */
6859
6860	1		c += keyLen;
6861			# else /* RSA is the 'default' so if that didn't get hit there is a problem */
6862			psTraceInfo("There is no handler for writeClientKeyExchange. ERROR\n");
6863			return MATRIXSSL_ERROR;
6864			# endif /* USE_RSA_CIPHER_SUITE */
6865			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
6866
6867			# ifdef USE_ECC_CIPHER_SUITE
6868			}
6869			# endif /* USE_ECC_CIPHER_SUITE */
6870			# ifdef USE_PSK_CIPHER_SUITE
6871			}
6872			# endif /* USE_PSK_CIPHER_SUITE */
6873			# ifdef USE_DHE_CIPHER_SUITE
6874			}
6875			# endif /* USE_DHE_CIPHER_SUITE */
6876
6877			# ifdef USE_DTLS
6878			}
6879			# endif /* USE_DTLS */
6880
6881	1058	50	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
6882			SSL_HS_CLIENT_KEY_EXCHANGE, messageSize, padLen, encryptStart, out,
6883			&c)) < 0)
6884			{
6885	0		return rc;
6886			}
6887
6888	1058		out->end = c;
6889	1058		return MATRIXSSL_SUCCESS;
6890			}
6891
6892			# ifndef USE_ONLY_PSK_CIPHER_SUITE
6893			# ifdef USE_CLIENT_AUTH
6894			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
6895			/** Handle the asynchronous signature operation for CertificateVerify.
6896
6897			Precondition: ssl->extCvSigOp == 1
6898			(i.e. the run-time switch that enables this feature must be on.)
6899			*/
6900			static int32_t handleAsyncCvSigOp(ssl_t ssl, pkaAfter_t pka, unsigned char *hash)
6901			{
6902			/*
6903			Case 1: First entry (for this connection).
6904			Setup state variables to request the external signature from the client
6905			application. Prepare to hand over the hash to sign to the client
6906			via the matrixSslGetHSMessagesHash function.
6907			The PS_PENDING return value gets passed down all the way to the client.
6908			*/
6909			if (!ssl->extCvSigOpPending &&
6910			ssl->extCvSigLen == 0)
6911			{
6912			unsigned char *hash_tbs;
6913			size_t hash_tbs_len;
6914
6915			ssl->extCvSigOpPending = 1;
6916
6917			if (pka->type != PKA_AFTER_ECDSA_SIG_GEN)
6918			{
6919			pka->type = PKA_AFTER_RSA_SIG_GEN_ELEMENT;
6920			ssl->extCvSigAlg = PS_RSA;
6921			}
6922			else
6923			{
6924			ssl->extCvSigAlg = PS_ECC;
6925			}
6926
6927			if (ssl->flags & SSL_FLAGS_TLS_1_2 \|\| ssl->extCvSigAlg == PS_RSA)
6928			{
6929			hash_tbs = hash;
6930			hash_tbs_len = pka->inlen;
6931			}
6932			else
6933			{
6934			/*
6935			TLS <1.2 uses the combined MD5-SHA1 handshake hash.
6936			But the ECDSA signature in CertificateVerify is computed
6937			only over the SHA-1 part (RFC 4492).
6938			*/
6939			hash_tbs = hash + MD5_HASH_SIZE;
6940			hash_tbs_len = SHA1_HASH_SIZE;
6941			}
6942
6943			ssl->extCvHash = psMalloc(NULL, hash_tbs_len);
6944			if (ssl->extCvHash == NULL)
6945			{
6946			return MATRIXSSL_ERROR;
6947			}
6948
6949			memcpy(ssl->extCvHash,
6950			hash_tbs,
6951			hash_tbs_len);
6952			ssl->extCvHashLen = hash_tbs_len;
6953			ssl->hwflags \|= SSL_HWFLAGS_PENDING_PKA_W;
6954			return PS_PENDING;
6955			}
6956			/*
6957			Case 2. Previously asked for external signing.
6958			But the signature is not ready yet.
6959			*/
6960			if (ssl->extCvSigOpPending &&
6961			ssl->extCvSigLen == 0)
6962			{
6963			return PS_PENDING;
6964			}
6965			/*
6966			Case 3. Previously asked for external signing.
6967			And now the signature is ready.
6968			*/
6969			if (ssl->extCvSigOpPending &&
6970			ssl->extCvSigLen > 0)
6971			{
6972			if (ssl->extCvSigAlg == PS_RSA)
6973			{
6974			memcpy(pka->outbuf,
6975			ssl->extCvSig,
6976			ssl->extCvSigLen);
6977			psFree(ssl->extCvHash, NULL);
6978			psFree(ssl->extCvSig, NULL);
6979			}
6980			/*
6981			For ECDSA, postpone do the memcpy and the psFrees
6982			to nowDoCvPka(). This is because we may need to adjust
6983			the output stream first with accountForEcdsaSizeChange.
6984			*/
6985			ssl->extCvSigOpPending = 0;
6986			/*
6987			Continue the flight encoding.
6988			*/
6989			return PS_SUCCESS;
6990			}
6991
6992			return MATRIXSSL_ERROR;
6993			}
6994			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
6995
6996	0		static int32 getSnapshotHSHash(ssl_t *ssl,
6997			unsigned char msgHash[SHA512_HASH_SIZE],
6998			pkaAfter_t *pka)
6999			{
7000			/* Does a smart default hash automatically for us */
7001	0	0	if (sslSnapshotHSHash(ssl, msgHash, -1) <= 0)
7002			{
7003			psTraceInfo("Internal error: handshake hash failed\n");
7004	0		return MATRIXSSL_ERROR;
7005			}
7006			# ifdef USE_TLS_1_2
7007			/* Tweak if needed */
7008	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7009			{
7010	0		switch (pka->inlen)
7011			{
7012			# ifdef USE_SHA1
7013			case SHA1_HASH_SIZE:
7014	0		sslSha1SnapshotHSHash(ssl, msgHash);
7015	0		break;
7016			# endif
7017			# ifdef USE_SHA384
7018			case SHA384_HASH_SIZE:
7019	0		sslSha384SnapshotHSHash(ssl, msgHash);
7020	0		break;
7021			# endif
7022			# ifdef USE_SHA512
7023			case SHA512_HASH_SIZE:
7024	0		sslSha512SnapshotHSHash(ssl, msgHash);
7025	0		break;
7026			# endif
7027			default:
7028	0		break;
7029			}
7030			}
7031			# endif /* USE_TLS_1_2 */
7032
7033	0		return PS_SUCCESS;
7034			}
7035
7036			# ifdef USE_ECC
7037	0		static int nowDoCvPkaInnerECDSA(ssl_t ssl, pkaAfter_t pka,
7038			unsigned char msgHash[SHA512_HASH_SIZE], psBuf_t *out)
7039			{
7040	0		psPool_t *pkiPool = NULL;
7041
7042	0		int32_t rc = PS_SUCCESS;
7043			unsigned char *tmpEcdsa;
7044			psSize_t len, hashTbsLen;
7045			unsigned char *hashTbs;
7046
7047			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
7048			if (ssl->extCvSigOpInUse)
7049			{
7050			/*
7051			PS_SUCCESS: the externally computed signature is ready;
7052			continue execution of this function, but skip signature
7053			generation code.
7054			PS_PENDING or error: hand over to the caller.
7055			*/
7056			rc = handleAsyncCvSigOp(ssl, pka, msgHash);
7057			if (rc == PS_SUCCESS)
7058			{
7059			len = ssl->extCvSigLen;
7060			}
7061			else
7062			{
7063			return rc;
7064			}
7065			}
7066			else
7067			{
7068			/*
7069			External signing not enabled for this connection;
7070			compute the signature internally as usual.
7071			*/
7072			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
7073
7074			/* Only need to allocate 1 larger because 1 has already been added */
7075	0	0	if ((tmpEcdsa = psMalloc(ssl->hsPool, pka->user + 1)) == NULL)
7076			{
7077	0		return PS_MEM_FAIL;
7078			}
7079
7080			# ifdef USE_TLS_1_2
7081	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7082			{
7083			/*
7084			TLS 1.2 defined and used.
7085			*/
7086	0		hashTbs = msgHash;
7087	0		hashTbsLen = pka->inlen;
7088			}
7089			else
7090			{
7091			/*
7092			TLS 1.2 defined but not used.
7093
7094			TLS <1.2 uses the combined MD5-SHA1 handshake hash.
7095			But the ECDSA signature in CertificateVerify is computed
7096			only over the SHA-1 part (RFC 4492).
7097
7098			We need to skip over the first 16 bytes of MD5 that
7099			the SSL hash stores
7100			*/
7101	0		hashTbs = msgHash + MD5_HASH_SIZE;
7102	0		hashTbsLen = SHA1_HASH_SIZE;
7103			}
7104			# else /* USE_TLS_1_2 */
7105			/*
7106			TLS 1.2 not defined (and thus, not used). See comment above.
7107			*/
7108			hashTbs = msgHash + MD5_HASH_SIZE;
7109			hashTbsLen = SHA1_HASH_SIZE;
7110			# endif /* USE_TLS_1_2 */
7111
7112			# ifdef USE_DTLS
7113			ssl->ecdsaSizeChange = 0;
7114			# endif
7115
7116			/*
7117			NEGATIVE ECDSA: write the signature into a temp buffer (tmpEcdsa)
7118			instead of writing it directly into the output stream (pka->outbuf).
7119			Length of outbuf is increased by 1.
7120			*/
7121	0		len = pka->user + 1;
7122	0		rc = psEccDsaSign(pkiPool, &ssl->keys->privKey.key.ecc,
7123			hashTbs, hashTbsLen, tmpEcdsa, &len, 1, pka->data);
7124	0	0	if (rc != PS_SUCCESS)
7125			{
7126	0		goto out;
7127			}
7128			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
7129			} /* closing brace for: if (ssl->extCvSigOpInUse) { ... } else { */
7130			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
7131
7132			/*
7133			Now the ECDSA signature is ready (in tmpEcdsa or ssl->extCvSig)
7134			and len contains the actual length of the signature.
7135			We estimated the signature size earlier in writeCertificateVerify.
7136			Check whether our guess was correct.
7137			*/
7138
7139	0	0	if (len == pka->user)
7140			{
7141			/*
7142			Case 1: ECDSA signature is of expected size.
7143			Just copy the signature into the output buffer.
7144			*/
7145			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
7146			if (ssl->extCvSigOpInUse)
7147			{
7148			memcpy(pka->outbuf, ssl->extCvSig, pka->user);
7149			}
7150			else
7151			{
7152			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
7153	0		memcpy(pka->outbuf, tmpEcdsa, pka->user);
7154			}
7155			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
7156			}
7157			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
7158			else
7159			{
7160			unsigned char *sig_buf;
7161
7162			/*
7163			Case 2: ECDSA signature has unexpected size.
7164			Ask accountForEcdsaSizeChange to fix up the output buffer
7165			and to copy the signature to the correct spot.
7166			*/
7167			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
7168			if (ssl->extCvSigOpInUse)
7169			{
7170			sig_buf = ssl->extCvSig;
7171			}
7172			else
7173			{
7174			sig_buf = tmpEcdsa;
7175			}
7176			# else
7177	0		sig_buf = tmpEcdsa;
7178			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
7179
7180	0		rc = accountForEcdsaSizeChange(ssl, pka, len, sig_buf,
7181			out, SSL_HS_CERTIFICATE_VERIFY);
7182	0	0	if (rc < 0)
7183			{
7184	0		goto out;
7185			}
7186			} /* endif (len == pka->user) */
7187
7188			# ifdef USE_DTLS
7189			if (ssl->flags & SSL_FLAGS_DTLS)
7190			{
7191			int32_t saveSize;
7192
7193			saveSize = len;
7194
7195			ssl->certVerifyMsgLen = saveSize;
7196			ssl->certVerifyMsg = psMalloc(ssl->hsPool, saveSize);
7197			if (ssl->certVerifyMsg == NULL)
7198			{
7199			rc = SSL_MEM_ERROR;
7200			goto out;
7201			}
7202			memcpy(ssl->certVerifyMsg, pka->outbuf, saveSize);
7203			}
7204			# endif /* USE_DTLS */
7205
7206			out:
7207
7208			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
7209			if (ssl->extCvSigOpInUse)
7210			{
7211			psFree(ssl->extCvHash, NULL);
7212			psFree(ssl->extCvSig, NULL);
7213			}
7214			else
7215			{
7216			psFree(tmpEcdsa, ssl->hsPool);
7217			}
7218			# else
7219	0		psFree(tmpEcdsa, ssl->hsPool);
7220			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
7221
7222	0		clearPkaAfter(ssl);
7223
7224	0		return rc;
7225			}
7226			# endif /* USE_ECC */
7227
7228			# ifdef USE_RSA
7229	0		static int nowDoCvPkaInnerRSA(ssl_t ssl, pkaAfter_t pka,
7230			unsigned char msgHash[SHA512_HASH_SIZE], psBuf_t *out)
7231			{
7232	0		psPool_t *pkiPool = NULL;
7233
7234			int32_t rc;
7235			int32_t using_tls_1_2;
7236
7237			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
7238			if (ssl->extCvSigOpInUse)
7239			{
7240			rc = handleAsyncCvSigOp(ssl, pka, msgHash);
7241			/*
7242			PS_SUCCESS: the externally computed signature is ready;
7243			continue execution of this function, but skip signature
7244			generation code.
7245			PS_PENDING or error: hand over to the caller.
7246			*/
7247			if (rc != PS_SUCCESS)
7248			{
7249			return rc;
7250			}
7251			}
7252			else
7253			{
7254			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
7255
7256			# ifdef USE_TLS_1_2
7257	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7258			{
7259			/* RFC: "The hash and signature algorithms used in the
7260			signature MUST be one of those present in the
7261			supported_signature_algorithms field of the
7262			CertificateRequest message. In addition, the hash and
7263			signature algorithms MUST be compatible with the key in the
7264			client's end-entity certificate.
7265
7266			We've done the above tests in the parse of the
7267			CertificateRequest message and wouldn't be here if our
7268			certs didn't match the sigAlgs. However, we do have
7269			to test for both sig algorithm types here to find the
7270			hash strength because the sig alg might not match the
7271			pubkey alg. This was also already confirmed in
7272			CertRequest parse so wouldn't be here if not allowed */
7273	0		using_tls_1_2 = 1; /* TLS 1.2 defined and used. */
7274			}
7275			else
7276			{
7277	0		using_tls_1_2 = 0; /* TLS 1.2 defined but not used. */
7278			}
7279			# else /* ! USE_TLS_1_2 */
7280			use_tls_1_2 = 0; /* TLS 1.2 not defined and thus not used. */
7281			# endif /* USE_TLS_1_2 */
7282
7283	0	0	psAssert(using_tls_1_2 == 0 \|\| using_tls_1_2 == 1);
		0
7284
7285			# ifdef USE_TLS_1_2
7286			/*
7287			In TLS 1.2, the RSASSA-PKCS1-v1_5 signature scheme must
7288			be used. In this scheme, the signed element is not the raw hash
7289			but a DER-encoded DigestInfo struct. Only privRsaEncryptSignedElement
7290			can handle this case.
7291			*/
7292	0	0	if (using_tls_1_2)
7293			{
7294	0		rc = privRsaEncryptSignedElement(pkiPool, &ssl->keys->privKey.key.rsa,
7295	0		msgHash, pka->inlen, pka->outbuf,
7296	0		ssl->keys->privKey.keysize, pka->data);
7297			}
7298			# endif /* USE_TLS_1_2 */
7299
7300	0	0	if (!using_tls_1_2)
7301			{
7302	0		rc = psRsaEncryptPriv(pkiPool, &ssl->keys->privKey.key.rsa, msgHash,
7303	0		pka->inlen, pka->outbuf, ssl->keys->privKey.keysize,
7304			pka->data);
7305			}
7306
7307	0	0	if (rc < 0)
7308			{
7309	0		rc = MATRIXSSL_ERROR;
7310	0		goto out;
7311			}
7312			# ifdef USE_EXT_CERTIFICATE_VERIFY_SIGNING
7313			} /* Closing brace for: if (ssl->extCvSigOpInUse) { } ... else { .. */
7314			# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
7315
7316			# ifdef USE_DTLS
7317			if (ssl->flags & SSL_FLAGS_DTLS)
7318			{
7319			int32_t saveSize;
7320
7321			saveSize = ssl->keys->privKey.keysize;
7322
7323			ssl->certVerifyMsgLen = saveSize;
7324			ssl->certVerifyMsg = psMalloc(ssl->hsPool, saveSize);
7325			if (ssl->certVerifyMsg == NULL)
7326			{
7327			rc = SSL_MEM_ERROR;
7328			goto out;
7329			}
7330			memcpy(ssl->certVerifyMsg, pka->outbuf, saveSize);
7331			}
7332			# endif /* USE_DTLS */
7333
7334			out:
7335	0		clearPkaAfter(ssl);
7336
7337	0		return PS_SUCCESS;
7338			}
7339			# endif /* USE_RSA */
7340
7341			/******************************************************************************/
7342			/* Postponed CERTIFICATE_VERIFY PKA operation */
7343	0		static int32 nowDoCvPka(ssl_t ssl, psBuf_t out)
7344			{
7345			pkaAfter_t *pka;
7346			unsigned char msgHash[SHA512_HASH_SIZE];
7347			int32_t rc;
7348
7349	0		pka = &ssl->pkaAfter[0];
7350
7351			# ifdef USE_DTLS
7352			if (ssl->flags & SSL_FLAGS_DTLS)
7353			{
7354			if (ssl->retransmit)
7355			{
7356			/* This call is not gated on pkaAfter.type so we test for
7357			retransmits manaully. The retransmit will have already been
7358			written in writeCertifiateVerify if true */
7359			return PS_SUCCESS;
7360			}
7361			}
7362			# endif /* USE_DTLS */
7363
7364			/*
7365			Compute the handshake_messages hash.
7366			*/
7367	0	0	if (getSnapshotHSHash(ssl, msgHash, pka) < 0)
7368			{
7369	0		return MATRIXSSL_ERROR;
7370			}
7371
7372			/*
7373			Sign it.
7374			*/
7375	0		switch (pka->type)
7376			{
7377			# ifdef USE_ECC
7378			case PKA_AFTER_ECDSA_SIG_GEN:
7379	0		rc = nowDoCvPkaInnerECDSA(ssl, pka, msgHash, out);
7380	0		break;
7381			# endif /* USE_ECC */
7382			# ifdef USE_RSA
7383			case PKA_AFTER_RSA_SIG_GEN:
7384			case PKA_AFTER_RSA_SIG_GEN_ELEMENT:
7385	0		rc = nowDoCvPkaInnerRSA(ssl, pka, msgHash, out);
7386	0		break;
7387			default:
7388			psTraceInfo("Unsupported algorithm type in nowDoCvPka\n");
7389	0		return MATRIXSSL_ERROR;
7390			# endif /* USE_RSA */
7391			}
7392
7393			# if !defined(USE_ECC) && !defined(USE_RSA)
7394			psTraceInfo("Error: no algorithm support for CertificateVerify signature\n");
7395			return MATRIXSSL_ERROR;
7396			# endif /* !USE_ECC && !USE_RSA */
7397
7398	0	0	if (rc < 0)
7399			{
7400	0		return rc; /* PS_PENDING or error. */
7401
7402			}
7403	0		return PS_SUCCESS;
7404			}
7405
7406			/******************************************************************************/
7407			/*
7408			Write the CertificateVerify message (client auth only)
7409			The message contains the signed hash of the handshake messages.
7410
7411			The PKA operation is delayed
7412			*/
7413	0		static int32 writeCertificateVerify(ssl_t ssl, sslBuf_t out)
7414			{
7415			unsigned char c, end, *encryptStart;
7416			uint8_t padLen;
7417			psSize_t messageSize, hashSize;
7418			int32_t rc;
7419			pkaAfter_t *pkaAfter;
7420	0		void *pkiData = ssl->userPtr;
7421
7422			psTraceHs("<<< Client creating CERTIFICATE_VERIFY message\n");
7423	0		c = out->end;
7424	0		end = out->buf + out->size;
7425
7426	0	0	if ((pkaAfter = getPkaAfterCv(ssl)) == NULL)
7427			{
7428			psTraceInfo("getPkaAfter error for certVerify\n");
7429	0		return MATRIXSSL_ERROR;
7430			}
7431
7432	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
7433	0		2 + ssl->keys->privKey.keysize;
7434
7435			# ifdef USE_ECC
7436			/* Additional ASN.1 overhead from psEccSignHash */
7437	0	0	if (ssl->keys->cert->pubKeyAlgorithm == OID_ECDSA_KEY_ALG)
7438			{
7439	0		messageSize += 6;
7440			/* NEGATIVE ECDSA - Adding ONE spot for a 0x0 byte in the
7441			ECDSA signature. This will allow us to be right ~50% of
7442			the time and not require any manual manipulation
7443
7444			However, if this is a 521 curve there is no chance
7445			the final byte could be negative if the full 66
7446			bytes are needed because there can only be a single
7447			low bit for that sig size. So subtract that byte
7448			back out to stay around the 50% no-move goal */
7449	0	0	if (ssl->keys->privKey.keysize != 132)
7450			{
7451	0		messageSize += 1;
7452			}
7453			/* BIG EC KEY. The sig is 2 bytes len, 1 byte SEQ,
7454			1 byte length (+1 OPTIONAL byte if length is >=128),
7455			1 byte INT, 1 byte rLen, r, 1 byte INT, 1 byte sLen, s.
7456			So the +4 here are the 2 INT and 2 rLen/sLen bytes on
7457			top of the keysize */
7458	0	0	if (ssl->keys->privKey.keysize + 4 >= 128)
7459			{
7460	0		messageSize++; /* Extra byte for 'long' asn.1 encode */
7461			}
7462			# ifdef USE_DTLS
7463			if ((ssl->flags & SSL_FLAGS_DTLS) && (ssl->retransmit == 1))
7464			{
7465			/* We already know if this signature got resized */
7466			messageSize += ssl->ecdsaSizeChange;
7467			}
7468			# endif
7469			}
7470			# endif /* USE_ECC */
7471
7472			# ifdef USE_TLS_1_2
7473			/* RFC: "This is the concatenation of all the
7474			Handshake structures (as defined in Section 7.4) exchanged thus
7475			far. Note that this requires both sides to either buffer the
7476			messages or compute running hashes for all potential hash
7477			algorithms up to the time of the CertificateVerify computation.
7478			Servers can minimize this computation cost by offering a
7479			restricted set of digest algorithms in the CertificateRequest
7480			message."
7481
7482			We're certainly not going to buffer the messages so the
7483			handshake hash update and snapshot functions have to keep the
7484			running total. Not a huge deal for the updating but
7485			the current snapshot framework didn't support this so there
7486			are one-off algorithm specific snapshots where needed. */
7487	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7488			{
7489	0		messageSize += 2; /* hashSigAlg */
7490			}
7491			# endif
7492	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
7493			SSL_HS_CERTIFICATE_VERIFY, &messageSize, &padLen,
7494			&encryptStart, end, &c)) < 0)
7495			{
7496	0		return rc;
7497			}
7498
7499			/*
7500			Correct to be looking at the child-most cert here because that is the
7501			one associated with the private key.
7502			*/
7503			# ifdef USE_ECC
7504	0	0	if (ssl->keys->cert->pubKeyAlgorithm == OID_ECDSA_KEY_ALG)
7505			{
7506	0		hashSize = MD5_HASH_SIZE + SHA1_HASH_SIZE;
7507			# ifdef USE_TLS_1_2
7508	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7509			{
7510			/* RFC: "The hash and signature algorithms used in the
7511			signature MUST be one of those present in the
7512			supported_signature_algorithms field of the
7513			CertificateRequest message. In addition, the hash and
7514			signature algorithms MUST be compatible with the key in the
7515			client's end-entity certificate."
7516
7517			We've done the above tests in the parse of the
7518			CertificateRequest message and wouldn't be here if our
7519			certs didn't match the sigAlgs. However, we do have
7520			to test for both sig algorithm types here to find the
7521			hash strength because the sig alg might not match the
7522			pubkey alg. This was also already confirmed in
7523			CertRequest parse so wouldn't be here if not allowed */
7524	0	0	if ((ssl->keys->cert->sigAlgorithm == OID_SHA1_ECDSA_SIG) \|\|
		0
7525	0		(ssl->keys->cert->sigAlgorithm == OID_SHA1_RSA_SIG))
7526			{
7527	0		c = 0x2; c++; / SHA1 */
7528	0		c = 0x3; c++; / ECDSA */
7529	0		hashSize = SHA1_HASH_SIZE;
7530			}
7531	0	0	else if ((ssl->keys->cert->sigAlgorithm ==
7532	0	0	OID_SHA256_ECDSA_SIG) \|\| (ssl->keys->cert->sigAlgorithm
7533			== OID_SHA256_RSA_SIG))
7534			{
7535	0		c = 0x4; c++; / SHA256 */
7536	0		c = 0x3; c++; / ECDSA */
7537	0		hashSize = SHA256_HASH_SIZE;
7538			# ifdef USE_SHA384
7539			}
7540	0	0	else if ((ssl->keys->cert->sigAlgorithm ==
7541	0	0	OID_SHA384_ECDSA_SIG) \|\| (ssl->keys->cert->sigAlgorithm
7542			== OID_SHA384_RSA_SIG))
7543			{
7544	0		c = 0x5; c++; / SHA384 */
7545	0		c = 0x3; c++; / ECDSA */
7546	0		hashSize = SHA384_HASH_SIZE;
7547			# endif
7548			# ifdef USE_SHA512
7549			}
7550	0	0	else if ((ssl->keys->cert->sigAlgorithm ==
7551	0	0	OID_SHA512_ECDSA_SIG) \|\| (ssl->keys->cert->sigAlgorithm
7552			== OID_SHA512_RSA_SIG))
7553			{
7554	0		c = 0x6; c++; / SHA512 */
7555	0		c = 0x3; c++; / ECDSA */
7556	0		hashSize = SHA512_HASH_SIZE;
7557			# endif
7558			}
7559			else
7560			{
7561			psTraceInfo("Need more hash support for certVerify\n");
7562	0		return MATRIXSSL_ERROR;
7563			}
7564			}
7565			# endif /* USE_TLS_1_2 */
7566
7567
7568			# ifdef USE_DTLS
7569			if (ssl->flags & SSL_FLAGS_DTLS && ssl->retransmit)
7570			{
7571			memcpy(c, ssl->certVerifyMsg, ssl->certVerifyMsgLen);
7572			c += ssl->certVerifyMsgLen;
7573			}
7574			else
7575			{
7576			# endif
7577
7578	0		pkaAfter->inlen = hashSize;
7579	0		pkaAfter->type = PKA_AFTER_ECDSA_SIG_GEN;
7580	0		pkaAfter->data = pkiData;
7581	0		pkaAfter->outbuf = c;
7582	0		rc = ssl->keys->privKey.keysize + 8;
7583			/* NEGATIVE ECDSA - Adding spot for ONE 0x0 byte in ECDSA so we'll
7584			be right 50% of the time. 521 curve doesn't need */
7585	0	0	if (ssl->keys->privKey.keysize != 132)
7586			{
7587	0		rc += 1;
7588			}
7589			/* Above we added in the 8 bytes of overhead (2 sigLen, 1 SEQ,
7590			1 len (possibly 2!), 1 INT, 1 rLen, 1 INT, 1 sLen) and now
7591			subtract the first 3 bytes to see if the 1 len needs to be 2 */
7592	0	0	if (rc - 3 >= 128)
7593			{
7594	0		rc++;
7595			}
7596	0		pkaAfter->user = rc;
7597	0		c += rc;
7598			# ifdef USE_DTLS
7599			}
7600			# endif
7601			}
7602			else
7603			{
7604			# endif /* USE_ECC */
7605
7606			# ifdef USE_RSA
7607	0		hashSize = MD5_HASH_SIZE + SHA1_HASH_SIZE;
7608			# ifdef USE_TLS_1_2
7609	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7610			{
7611			/* RFC: "The hash and signature algorithms used in the
7612			signature MUST be one of those present in the
7613			supported_signature_algorithms field of the
7614			CertificateRequest message. In addition, the hash and
7615			signature algorithms MUST be compatible with the key in the
7616			client's end-entity certificate.
7617
7618			We've done the above tests in the parse of the
7619			CertificateRequest message and wouldn't be here if our
7620			certs didn't match the sigAlgs. However, we do have
7621			to test for both sig algorithm types here to find the
7622			hash strength because the sig alg might not match the
7623			pubkey alg. This was also already confirmed in
7624			CertRequest parse so wouldn't be here if not allowed */
7625	0	0	if (ssl->keys->cert->sigAlgorithm == OID_SHA1_RSA_SIG \|\|
		0
7626	0	0	ssl->keys->cert->sigAlgorithm == OID_MD5_RSA_SIG \|\|
7627	0		ssl->keys->cert->sigAlgorithm == OID_SHA1_ECDSA_SIG)
7628			{
7629	0		c = 0x2; c++; / SHA1 */
7630	0		c = 0x1; c++; / RSA */
7631	0		hashSize = SHA1_HASH_SIZE;
7632			}
7633	0	0	else if (ssl->keys->cert->sigAlgorithm == OID_SHA256_RSA_SIG \|\|
		0
7634	0		ssl->keys->cert->sigAlgorithm == OID_SHA256_ECDSA_SIG)
7635			{
7636	0		c = 0x4; c++; / SHA256 */
7637	0		c = 0x1; c++; / RSA */
7638			/* Normal handshake hash uses SHA256 and has been done above */
7639	0		hashSize = SHA256_HASH_SIZE;
7640			# ifdef USE_SHA384
7641			}
7642	0	0	else if (ssl->keys->cert->sigAlgorithm == OID_SHA384_RSA_SIG \|\|
		0
7643	0		ssl->keys->cert->sigAlgorithm == OID_SHA384_ECDSA_SIG)
7644			{
7645	0		c = 0x5; c++; / SHA384 */
7646	0		c = 0x1; c++; / RSA */
7647	0		hashSize = SHA384_HASH_SIZE;
7648			# endif /* USE_SHA384 */
7649			# ifdef USE_SHA512
7650			}
7651	0	0	else if (ssl->keys->cert->sigAlgorithm == OID_SHA512_RSA_SIG \|\|
		0
7652	0		ssl->keys->cert->sigAlgorithm == OID_SHA512_ECDSA_SIG)
7653			{
7654	0		c = 0x6; c++; / SHA512 */
7655	0		c = 0x1; c++; / RSA */
7656	0		hashSize = SHA512_HASH_SIZE;
7657			# endif /* USE_SHA512 */
7658			# ifdef USE_PKCS1_PSS
7659			}
7660	0	0	else if (ssl->keys->cert->sigAlgorithm == OID_RSASSA_PSS)
7661			{
7662	0	0	if (ssl->keys->cert->pssHash == PKCS1_SHA1_ID \|\|
		0
7663	0		ssl->keys->cert->pssHash == PKCS1_MD5_ID)
7664			{
7665	0		*c = 0x2; c++;
7666	0		hashSize = SHA1_HASH_SIZE;
7667			}
7668	0	0	else if (ssl->keys->cert->pssHash == PKCS1_SHA256_ID)
7669			{
7670	0		*c = 0x4; c++;
7671	0		hashSize = SHA256_HASH_SIZE;
7672			# ifdef USE_SHA384
7673			}
7674	0	0	else if (ssl->keys->cert->pssHash == PKCS1_SHA384_ID)
7675			{
7676	0		*c = 0x5; c++;
7677	0		hashSize = SHA384_HASH_SIZE;
7678			# endif
7679			# ifdef USE_SHA512
7680			}
7681	0	0	else if (ssl->keys->cert->pssHash == PKCS1_SHA512_ID)
7682			{
7683	0		*c = 0x6; c++;
7684	0		hashSize = SHA512_HASH_SIZE;
7685			# endif
7686			}
7687			else
7688			{
7689			psTraceInfo("Need additional hash support for certVerify\n");
7690	0		return MATRIXSSL_ERROR;
7691			}
7692	0		c = 0x1; c++; / RSA */
7693			# endif
7694			}
7695			else
7696			{
7697			psTraceInfo("Need additional hash support for certVerify\n");
7698	0		return MATRIXSSL_ERROR;
7699			}
7700
7701	0		pkaAfter->type = PKA_AFTER_RSA_SIG_GEN_ELEMENT; /* this one */
7702			}
7703			else
7704			{
7705	0		pkaAfter->type = PKA_AFTER_RSA_SIG_GEN;
7706			}
7707			# else /* ! USE_TLS_1_2 */
7708			pkaAfter->type = PKA_AFTER_RSA_SIG_GEN;
7709			# endif /* USE_TLS_1_2 */
7710
7711	0		*c = (ssl->keys->privKey.keysize & 0xFF00) >> 8; c++;
7712	0		*c = (ssl->keys->privKey.keysize & 0xFF); c++;
7713
7714			# ifdef USE_DTLS
7715			if (ssl->flags & SSL_FLAGS_DTLS && ssl->retransmit)
7716			{
7717			pkaAfter->type = 0; /* reset so AFTER logic doesn't trigger */
7718			memcpy(c, ssl->certVerifyMsg, ssl->certVerifyMsgLen);
7719			c += ssl->certVerifyMsgLen;
7720			}
7721			else
7722			{
7723			# endif
7724	0		pkaAfter->data = pkiData;
7725	0		pkaAfter->inlen = hashSize;
7726	0		pkaAfter->outbuf = c;
7727	0		c += ssl->keys->privKey.keysize;
7728			# ifdef USE_DTLS
7729			}
7730			# endif
7731
7732			# else /* RSA is the 'default' so if that didn't get hit there is a problem */
7733			psTraceInfo("There is no handler for writeCertificateVerify. ERROR\n");
7734			return MATRIXSSL_ERROR;
7735			# endif /* USE_RSA */
7736			# ifdef USE_ECC
7737			} /* Closing sigAlgorithm test */
7738			# endif /* USE_ECC */
7739
7740	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
7741			SSL_HS_CERTIFICATE_VERIFY, messageSize, padLen, encryptStart, out,
7742			&c)) < 0)
7743			{
7744	0		return rc;
7745			}
7746	0		out->end = c;
7747
7748	0		return MATRIXSSL_SUCCESS;
7749			}
7750			# endif /* USE_CLIENT_AUTH */
7751			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
7752
7753			#else /* USE_CLIENT_SIDE_SSL */
7754			/******************************************************************************/
7755			/*
7756			Stub out this function rather than ifdef it out in the public header
7757			*/
7758			int32_t matrixSslEncodeClientHello(ssl_t ssl, sslBuf_t out,
7759			const psCipher16_t cipherSpec[], uint8_t cipherSpecLen,
7760			uint32 requiredLen, tlsExtension_t userExt,
7761			sslSessOpts_t *options)
7762			{
7763			psTraceInfo("Library not built with USE_CLIENT_SIDE_SSL\n");
7764			return PS_UNSUPPORTED_FAIL;
7765			}
7766			#endif /* USE_CLIENT_SIDE_SSL */
7767
7768			# ifndef USE_ONLY_PSK_CIPHER_SUITE
7769			# if defined(USE_SERVER_SIDE_SSL) && defined(USE_CLIENT_AUTH)
7770			/******************************************************************************/
7771			/*
7772			Write the CertificateRequest message (client auth only)
7773			The message contains the list of CAs the server is willing to accept
7774			children certificates of from the client.
7775			*/
7776	0		static int32 writeCertificateRequest(ssl_t ssl, sslBuf_t out, int32 certLen,
7777			int32 certCount)
7778			{
7779			unsigned char c, end, *encryptStart;
7780			psX509Cert_t *cert;
7781			uint8_t padLen;
7782	0		psSize_t messageSize, sigHashLen = 0;
7783			int32_t rc;
7784
7785			psTraceHs("<<< Server creating CERTIFICATE_REQUEST message\n");
7786	0		c = out->end;
7787	0		end = out->buf + out->size;
7788
7789	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
7790			4 + (certCount * 2) + certLen;
7791			# ifdef USE_ECC
7792	0		messageSize += 1; /* Adding ECDSA_SIGN type */
7793			# endif /* USE_ECC */
7794
7795			# ifdef USE_TLS_1_2
7796	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7797			{
7798			/* TLS 1.2 has a SignatureAndHashAlgorithm type after CertType */
7799	0		sigHashLen = 2;
7800			# ifdef USE_ECC
7801			# ifdef USE_SHA384
7802	0		sigHashLen += 6;
7803			# else
7804			sigHashLen += 4;
7805			# endif /* USE_SHA */
7806			# endif /* USE_ECC */
7807			# ifdef USE_RSA
7808			# ifdef USE_SHA384
7809	0		sigHashLen += 6;
7810			# else
7811			sigHashLen += 4;
7812			# endif /* USE_SHA */
7813			# endif /* USE_RSA */
7814	0		messageSize += sigHashLen;
7815			}
7816			# endif /* TLS_1_2 */
7817
7818	0	0	if ((messageSize - ssl->recordHeadLen) > ssl->maxPtFrag)
7819			{
7820	0		return writeMultiRecordCertRequest(ssl, out, certLen, certCount,
7821			sigHashLen);
7822			}
7823
7824	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
7825			SSL_HS_CERTIFICATE_REQUEST, &messageSize, &padLen,
7826			&encryptStart, end, &c)) < 0)
7827			{
7828			# ifdef USE_DTLS
7829			if (ssl->flags & SSL_FLAGS_DTLS)
7830			{
7831			/*
7832			Is this the fragment case?
7833			*/
7834			if (rc == DTLS_MUST_FRAG)
7835			{
7836			# ifdef USE_CLIENT_AUTH
7837			rc = dtlsWriteCertificateRequest(ssl->hsPool, ssl,
7838			certLen, certCount, sigHashLen, c);
7839			if (rc < 0)
7840			{
7841			return rc;
7842			}
7843			c += rc;
7844			# endif /* USE_CLIENT_AUTH */
7845			out->end = c;
7846			return MATRIXSSL_SUCCESS;
7847			}
7848			}
7849			# endif /* USE_DTLS */
7850	0		return rc;
7851			}
7852
7853			# ifdef USE_ECC
7854	0		*c++ = 2;
7855	0		*c++ = ECDSA_SIGN;
7856			# else
7857			*c++ = 1;
7858			# endif
7859	0		*c++ = RSA_SIGN;
7860			# ifdef USE_TLS_1_2
7861	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7862			{
7863			/* RFC: "The interaction of the certificate_types and
7864			supported_signature_algorithms fields is somewhat complicated.
7865			certificate_types has been present in TLS since SSLv3, but was
7866			somewhat underspecified. Much of its functionality is superseded
7867			by supported_signature_algorithms."
7868
7869			The spec says the cert must support the hash/sig algorithm but
7870			it's a bit confusing what this means for the hash portion.
7871			Just going to use SHA1, SHA256, and SHA384 support.
7872
7873			We're just sending the raw list of all sig algorithms that are
7874			compiled into the library. It might be smart to look through the
7875			individual CA files here only send the pub key operations that
7876			they use but the CA info is sent explicitly anyway so the client
7877			can confirm they have a proper match.
7878
7879			If a new algorithm is added here it will require additions to
7880			messageSize directly above in this function and in the flight
7881			calculation in sslEncodeResponse */
7882	0		*c++ = 0x0;
7883	0		*c++ = sigHashLen - 2;
7884			# ifdef USE_ECC
7885			# ifdef USE_SHA384
7886	0		c++ = 0x5; / SHA384 */
7887	0		c++ = 0x3; / ECDSA */
7888	0		c++ = 0x4; / SHA256 */
7889	0		c++ = 0x3; / ECDSA */
7890	0		c++ = 0x2; / SHA1 */
7891	0		c++ = 0x3; / ECDSA */
7892			# else
7893			c++ = 0x4; / SHA256 */
7894			c++ = 0x3; / ECDSA */
7895			c++ = 0x2; / SHA1 */
7896			c++ = 0x3; / ECDSA */
7897			# endif
7898			# endif
7899
7900			# ifdef USE_RSA
7901			# ifdef USE_SHA384
7902	0		c++ = 0x5; / SHA384 */
7903	0		c++ = 0x1; / RSA */
7904	0		c++ = 0x4; / SHA256 */
7905	0		c++ = 0x1; / RSA */
7906	0		c++ = 0x2; / SHA1 */
7907	0		c++ = 0x1; / RSA */
7908			# else
7909			c++ = 0x4; / SHA256 */
7910			c++ = 0x1; / RSA */
7911			c++ = 0x2; / SHA1 */
7912			c++ = 0x1; / RSA */
7913			# endif
7914			# endif /* USE_RSA */
7915			}
7916			# endif /* TLS_1_2 */
7917
7918	0		cert = ssl->keys->CAcerts;
7919	0	0	if (cert)
7920			{
7921	0		c = ((certLen + (certCount 2)) & 0xFF00) >> 8; c++;
7922	0		c = (certLen + (certCount 2)) & 0xFF; c++;
7923	0	0	while (cert)
7924			{
7925	0	0	if (cert->subject.dnenc == NULL)
7926			{
7927	0		return PS_FAIL;
7928			}
7929	0		*c = (cert->subject.dnencLen & 0xFF00) >> 8; c++;
7930	0		*c = cert->subject.dnencLen & 0xFF; c++;
7931	0		memcpy(c, cert->subject.dnenc, cert->subject.dnencLen);
7932	0		c += cert->subject.dnencLen;
7933	0		cert = cert->next;
7934			}
7935			}
7936			else
7937			{
7938	0		c++ = 0; / Cert len */
7939	0		*c++ = 0;
7940			}
7941	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
7942			SSL_HS_CERTIFICATE_REQUEST, messageSize, padLen, encryptStart, out,
7943			&c)) < 0)
7944			{
7945	0		return rc;
7946			}
7947	0		out->end = c;
7948	0		return MATRIXSSL_SUCCESS;
7949			}
7950
7951
7952
7953	0		static int32 writeMultiRecordCertRequest(ssl_t ssl, sslBuf_t out,
7954			int32 certLen, int32 certCount, int32 sigHashLen)
7955			{
7956	0		psX509Cert_t *cert = NULL;
7957			psX509Cert_t *future;
7958			unsigned char c, end, *encryptStart;
7959			uint8_t padLen;
7960	0		psSize_t messageSize, dnencLen = 0;
7961	0		int32 midWrite, midSizeWrite, countDown, firstOne = 1;
7962			int32_t rc;
7963
7964	0		c = out->end;
7965	0		end = out->buf + out->size;
7966
7967	0		midSizeWrite = midWrite = 0;
7968
7969	0	0	while (certLen > 0)
7970			{
7971	0	0	if (firstOne)
7972			{
7973	0		firstOne = 0;
7974	0		countDown = ssl->maxPtFrag;
7975	0		messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
7976			4 + (certCount * 2) + certLen + sigHashLen;
7977			# ifdef USE_ECC
7978	0		messageSize += 1; /* Adding ECDSA_SIGN type */
7979			# endif /* USE_ECC */
7980	0	0	if ((rc = writeRecordHeader(ssl,
7981			SSL_RECORD_TYPE_HANDSHAKE_FIRST_FRAG,
7982			SSL_HS_CERTIFICATE_REQUEST, &messageSize, &padLen,
7983			&encryptStart, end, &c)) < 0)
7984			{
7985	0		return rc;
7986			}
7987			# ifdef USE_ECC
7988	0		*c++ = 2;
7989	0		*c++ = ECDSA_SIGN;
7990	0		countDown -= 2;
7991			# else
7992			*c++ = 1;
7993			countDown--;
7994			# endif
7995	0		*c++ = RSA_SIGN;
7996	0		countDown--;
7997			# ifdef USE_TLS_1_2
7998	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
7999			{
8000	0		*c++ = 0x0;
8001	0		*c++ = sigHashLen - 2;
8002			# ifdef USE_ECC
8003			# ifdef USE_SHA384
8004	0		c++ = 0x5; / SHA384 */
8005	0		c++ = 0x3; / ECDSA */
8006	0		c++ = 0x4; / SHA256 */
8007	0		c++ = 0x3; / ECDSA */
8008	0		c++ = 0x2; / SHA1 */
8009	0		c++ = 0x3; / ECDSA */
8010			# else
8011			c++ = 0x4; / SHA256 */
8012			c++ = 0x3; / ECDSA */
8013			c++ = 0x2; / SHA1 */
8014			c++ = 0x3; / ECDSA */
8015			# endif
8016			# endif
8017
8018			# ifdef USE_RSA
8019			# ifdef USE_SHA384
8020	0		c++ = 0x5; / SHA384 */
8021	0		c++ = 0x1; / RSA */
8022	0		c++ = 0x4; / SHA256 */
8023	0		c++ = 0x1; / RSA */
8024	0		c++ = 0x2; / SHA1 */
8025	0		c++ = 0x1; / RSA */
8026			# else
8027			c++ = 0x4; / SHA256 */
8028			c++ = 0x1; / RSA */
8029			c++ = 0x2; / SHA1 */
8030			c++ = 0x1; / RSA */
8031			# endif
8032			# endif /* USE_RSA */
8033	0		countDown -= sigHashLen;
8034			}
8035			# endif /* TLS_1_2 */
8036	0		cert = ssl->keys->CAcerts;
8037	0		c = ((certLen + (certCount 2)) & 0xFF00) >> 8; c++;
8038	0		c = (certLen + (certCount 2)) & 0xFF; c++;
8039	0		countDown -= ssl->hshakeHeadLen + 2;
8040	0	0	while (cert)
8041			{
8042	0	0	if (cert->subject.dnenc == NULL)
8043			{
8044	0		return PS_FAIL;
8045			}
8046	0		midWrite = 0;
8047	0		dnencLen = cert->subject.dnencLen;
8048	0	0	if (dnencLen > 0)
8049			{
8050	0	0	if (countDown < 2)
8051			{
8052			/* Fragment falls right on dn len write. Has
8053			to be at least one byte or countDown would have
8054			been 0 and got us out of here already*/
8055	0		*c = (cert->subject.dnencLen & 0xFF00) >> 8; c++;
8056	0		midSizeWrite = 1;
8057	0		break;
8058			}
8059			else
8060			{
8061	0		*c = (cert->subject.dnencLen & 0xFF00) >> 8; c++;
8062	0		*c = cert->subject.dnencLen & 0xFF; c++;
8063	0		countDown -= 2;
8064			}
8065	0		midWrite = min(dnencLen, countDown);
8066	0		memcpy(c, cert->subject.dnenc, midWrite);
8067	0		dnencLen -= midWrite;
8068	0		c += midWrite;
8069	0		certLen -= midWrite;
8070	0		countDown -= midWrite;
8071	0	0	if (countDown == 0)
8072			{
8073	0		break;
8074			}
8075			}
8076	0		cert = cert->next;
8077			}
8078	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
8079			SSL_HS_CERTIFICATE_REQUEST, messageSize, padLen,
8080			encryptStart, out, &c)) < 0)
8081			{
8082	0		return rc;
8083			}
8084	0		out->end = c;
8085			}
8086			else
8087			{
8088	0	0	if (cert == NULL \|\| cert->subject.dnenc == NULL)
		0
8089			{
8090	0		return PS_FAIL;
8091			}
8092			/* Not-first fragments */
8093	0	0	if (midSizeWrite > 0)
8094			{
8095	0		messageSize = midSizeWrite;
8096			}
8097			else
8098			{
8099	0		messageSize = 0;
8100			}
8101	0	0	if ((certLen + messageSize) > ssl->maxPtFrag)
8102			{
8103	0		messageSize += ssl->maxPtFrag;
8104			}
8105			else
8106			{
8107	0		messageSize += dnencLen;
8108	0	0	if (cert->next != NULL)
8109			{
8110	0		future = cert->next;
8111	0	0	while (future != NULL)
8112			{
8113	0	0	if (messageSize + future->subject.dnencLen + 2 >
8114	0		(uint32) ssl->maxPtFrag)
8115			{
8116	0		messageSize = ssl->maxPtFrag;
8117	0		future = NULL;
8118			}
8119			else
8120			{
8121	0		messageSize += 2 + future->subject.dnencLen;
8122	0		future = future->next;
8123			}
8124
8125			}
8126			}
8127			}
8128	0		countDown = messageSize;
8129	0		messageSize += ssl->recordHeadLen;
8130			/* Second, etc... */
8131	0	0	if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE_FRAG,
8132			SSL_HS_CERTIFICATE_REQUEST, &messageSize, &padLen,
8133			&encryptStart, end, &c)) < 0)
8134			{
8135	0		return rc;
8136			}
8137	0	0	if (midSizeWrite > 0)
8138			{
8139	0		*c = (dnencLen & 0xFF); c++;
8140	0		countDown -= 1;
8141			}
8142	0		midSizeWrite = 0;
8143	0	0	if (countDown < dnencLen)
8144			{
8145	0		memcpy(c, cert->subject.dnenc + midWrite, countDown);
8146	0		dnencLen -= countDown;
8147	0		c += countDown;
8148	0		certLen -= countDown;
8149	0		midWrite += countDown;
8150	0		countDown = 0;
8151			}
8152			else
8153			{
8154	0		memcpy(c, cert->subject.dnenc + midWrite, dnencLen);
8155	0		c += dnencLen;
8156	0		certLen -= dnencLen;
8157	0		countDown -= dnencLen;
8158	0		dnencLen -= dnencLen;
8159			}
8160	0	0	while (countDown > 0)
8161			{
8162	0		cert = cert->next;
8163	0	0	if (cert == NULL \|\| cert->subject.dnenc == NULL)
		0
8164			{
8165	0		return PS_FAIL;
8166			}
8167	0		dnencLen = cert->subject.dnencLen;
8168	0		midWrite = 0;
8169	0	0	if (countDown < 2)
8170			{
8171			/* Fragment falls right on cert len write */
8172	0		*c = (unsigned char) ((dnencLen & 0xFF00) >> 8);
8173	0		c++; countDown--;
8174	0		midSizeWrite = 1;
8175	0		break;
8176			}
8177			else
8178			{
8179	0		*c = (unsigned char) ((dnencLen & 0xFF00) >> 8); c++;
8180	0		*c = (dnencLen & 0xFF); c++;
8181	0		countDown -= 2;
8182			}
8183	0		midWrite = min(dnencLen, countDown);
8184	0		memcpy(c, cert->subject.dnenc, midWrite);
8185	0		dnencLen -= midWrite;
8186	0		c += midWrite;
8187	0		certLen -= midWrite;
8188	0		countDown -= midWrite;
8189	0	0	if (countDown == 0)
8190			{
8191	0		break;
8192			}
8193			}
8194	0	0	if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
8195			SSL_HS_CERTIFICATE_REQUEST, messageSize, padLen,
8196			encryptStart, out, &c)) < 0)
8197			{
8198	0		return rc;
8199			}
8200	0		out->end = c;
8201
8202			}
8203
8204			}
8205	0		out->end = c;
8206	0		return MATRIXSSL_SUCCESS;
8207			}
8208			# endif /* USE_SERVER_SIDE && USE_CLIENT_AUTH */
8209			# endif /* !USE_ONLY_PSK_CIPHER_SUITE */
8210
8211			# ifdef USE_DTLS
8212			# ifdef USE_SERVER_SIDE_SSL
8213			/******************************************************************************/
8214			/*
8215			DTLS specific handshake message to verify client existence
8216			*/
8217			static int32 writeHelloVerifyRequest(ssl_t ssl, sslBuf_t out)
8218			{
8219			unsigned char c, end, *encryptStart;
8220			uint8_t padLen;
8221			psSize_t messageSize;
8222			int32_t rc;
8223
8224			psTraceHs("<<< Server creating HELLO_VERIFY_REQUEST message\n");
8225			c = out->end;
8226			end = out->buf + out->size;
8227			/*
8228			The magic 3 bytes consist of the 2 byte TLS version and the 1 byte length
8229			*/
8230			messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
8231			DTLS_COOKIE_SIZE + 3;
8232
8233			/*
8234			Always have to reset msn to zero because we don't know if this is a
8235			resend to a cookie-less CLIENT_HELLO that never receieved our verify
8236			request
8237			*/
8238			ssl->msn = 0;
8239
8240			if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
8241			SSL_HS_HELLO_VERIFY_REQUEST, &messageSize, &padLen,
8242			&encryptStart, end, &c)) < 0)
8243			{
8244			return rc;
8245			}
8246
8247			/*
8248			Message content is version, cookie length, and cookie itself
8249			*/
8250			*c++ = ssl->rec.majVer;
8251			*c++ = ssl->rec.minVer;
8252			*c++ = DTLS_COOKIE_SIZE;
8253			memcpy(c, ssl->srvCookie, DTLS_COOKIE_SIZE);
8254			c += DTLS_COOKIE_SIZE;
8255
8256			if ((rc = postponeEncryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE,
8257			SSL_HS_HELLO_VERIFY_REQUEST, messageSize, padLen, encryptStart,
8258			out, &c)) < 0)
8259			{
8260			return rc;
8261			}
8262			out->end = c;
8263			return MATRIXSSL_SUCCESS;
8264			}
8265			# endif /* USE_SERVER_SIDE_SSL */
8266			# endif /* USE_DTLS */
8267
8268			/******************************************************************************/
8269			/*
8270			Write out a SSLv3 record header.
8271			Assumes 'c' points to a buffer of at least SSL3_HEADER_LEN bytes
8272			1 byte type (SSL_RECORD_TYPE_*)
8273			1 byte major version
8274			1 byte minor version
8275			2 bytes length (network byte order)
8276			Returns the number of bytes written
8277			*/
8278	25263		int32 psWriteRecordInfo(ssl_t *ssl, unsigned char type, int32 len,
8279			unsigned char *c, int32 hsType)
8280			{
8281	25263		int32 explicitNonce = 0;
8282
8283	25263	50	if (type == SSL_RECORD_TYPE_HANDSHAKE_FRAG)
8284			{
8285	0		type = SSL_RECORD_TYPE_HANDSHAKE;
8286			}
8287	25263		*c = type; c++;
8288	25263		*c = ssl->majVer; c++;
8289	25263		*c = ssl->minVer; c++;
8290			# ifdef USE_DTLS
8291			if (ssl->flags & SSL_FLAGS_DTLS)
8292			{
8293			ssl->seqDelay = c;
8294			*c = ssl->epoch[0]; c++;
8295			*c = ssl->epoch[1]; c++;
8296			*c = ssl->rsn[0]; c++;
8297			*c = ssl->rsn[1]; c++;
8298			*c = ssl->rsn[2]; c++;
8299			*c = ssl->rsn[3]; c++;
8300			*c = ssl->rsn[4]; c++;
8301			*c = ssl->rsn[5]; c++;
8302			}
8303			# endif /* USE_DTLS */
8304	25263		*c = (len & 0xFF00) >> 8; c++;
8305	25263		*c = (len & 0xFF);
8306
8307	25263	100	if (hsType == SSL_HS_FINISHED)
8308			{
8309	2119	100	if (ssl->cipher->flags & (CRYPTO_FLAGS_GCM \| CRYPTO_FLAGS_CCM))
8310			{
8311	2119		explicitNonce++;
8312			}
8313			}
8314	23144	100	else if (ssl->flags & SSL_FLAGS_NONCE_W)
8315			{
8316	4171		explicitNonce++;
8317			}
8318	25263	100	if (explicitNonce)
8319			{
8320			# ifdef USE_DTLS
8321			if (ssl->flags & SSL_FLAGS_DTLS)
8322			{
8323			c++;
8324			*c = ssl->epoch[0]; c++;
8325			*c = ssl->epoch[1]; c++;
8326			*c = ssl->rsn[0]; c++;
8327			*c = ssl->rsn[1]; c++;
8328			*c = ssl->rsn[2]; c++;
8329			*c = ssl->rsn[3]; c++;
8330			*c = ssl->rsn[4]; c++;
8331			*c = ssl->rsn[5]; c++;
8332			}
8333			else
8334			{
8335			# endif /* USE_DTLS */
8336	6288		c++;
8337	6288		ssl->seqDelay = c; /* not being incremented in postpone mechanism */
8338	6288		*c = ssl->sec.seq[0]; c++;
8339	6288		*c = ssl->sec.seq[1]; c++;
8340	6288		*c = ssl->sec.seq[2]; c++;
8341	6288		*c = ssl->sec.seq[3]; c++;
8342	6288		*c = ssl->sec.seq[4]; c++;
8343	6288		*c = ssl->sec.seq[5]; c++;
8344	6288		*c = ssl->sec.seq[6]; c++;
8345	6288		*c = ssl->sec.seq[7];
8346			# ifdef USE_DTLS
8347			}
8348			# endif
8349	6288		return ssl->recordHeadLen + TLS_EXPLICIT_NONCE_LEN;
8350			}
8351
8352	18975		return ssl->recordHeadLen;
8353			}
8354
8355			/******************************************************************************/
8356			/*
8357			Write out an ssl handshake message header.
8358			Assumes 'c' points to a buffer of at least ssl->hshakeHeadLen bytes
8359			1 byte type (SSL_HS_*)
8360			3 bytes length (network byte order)
8361			Returns the number of bytes written
8362			*/
8363	18929		int32 psWriteHandshakeHeader(ssl_t *ssl, unsigned char type, int32 len,
8364			int32 seq, int32 fragOffset, int32 fragLen,
8365			unsigned char *c)
8366			{
8367	18929		*c = type; c++;
8368	18929		*c = (unsigned char) ((len & 0xFF0000) >> 16); c++;
8369	18929		*c = (len & 0xFF00) >> 8; c++;
8370			# ifdef USE_DTLS
8371			if (ssl->flags & SSL_FLAGS_DTLS)
8372			{
8373			*c = (len & 0xFF); c++;
8374			*c = (seq & 0xFF00) >> 8; c++;
8375			*c = (seq & 0xFF); c++;
8376			*c = (unsigned char) ((fragOffset & 0xFF0000) >> 16); c++;
8377			*c = (fragOffset & 0xFF00) >> 8; c++;
8378			*c = (fragOffset & 0xFF); c++;
8379			*c = (unsigned char) ((fragLen & 0xFF0000) >> 16); c++;
8380			*c = (fragLen & 0xFF00) >> 8; c++;
8381			*c = (fragLen & 0xFF);
8382			}
8383			else
8384			{
8385			*c = (len & 0xFF);
8386			}
8387			# else
8388	18929		*c = (len & 0xFF);
8389			# endif /* USE_DTLS */
8390
8391	18929		ssl->encState = type;
8392	18929		return ssl->hshakeHeadLen;
8393			}
8394
8395			/******************************************************************************/
8396			/*
8397			Write pad bytes and pad length per the TLS spec. Most block cipher
8398			padding fills each byte with the number of padding bytes, but SSL/TLS
8399			pretends one of these bytes is a pad length, and the remaining bytes are
8400			filled with that length. The end result is that the padding is identical
8401			to standard padding except the values are one less. For SSLv3 we are not
8402			required to have any specific pad values, but they don't hurt.
8403
8404			PadLen Result
8405			0
8406			1 00
8407			2 01 01
8408			3 02 02 02
8409			4 03 03 03 03
8410			5 04 04 04 04 04
8411			6 05 05 05 05 05 05
8412			7 06 06 06 06 06 06 06
8413			8 07 07 07 07 07 07 07 07
8414			9 08 08 08 08 08 08 08 08 08
8415			...
8416			15 ...
8417
8418			We calculate the length of padding required for a record using
8419			psPadLenPwr2()
8420			*/
8421	25263		int32 sslWritePad(unsigned char *p, unsigned char padLen)
8422			{
8423	25263		unsigned char c = padLen;
8424
8425	25297	100	while (c > 0)
8426			{
8427	34		*p++ = padLen - 1;
8428	34		c--;
8429			}
8430	25263		return padLen;
8431			}
8432
8433			/******************************************************************************/
8434