blob: c56ae0d325423dda166f55ffc3050b1cd214a944 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +01004 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +000034#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000035
Paul Bakker40e46942009-01-03 21:51:57 +000036#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000037
Paul Bakker40e46942009-01-03 21:51:57 +000038#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000040#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +000041#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +000044#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000045
Paul Bakkerca4ab492012-04-18 14:23:57 +000046#if defined(POLARSSL_GCM_C)
47#include "polarssl/gcm.h"
48#endif
49
Paul Bakker5121ce52009-01-03 21:22:43 +000050#include <stdlib.h>
51#include <time.h>
52
Paul Bakkeraf5c85f2011-04-18 03:47:52 +000053#if defined _MSC_VER && !defined strcasecmp
54#define strcasecmp _stricmp
55#endif
56
Paul Bakker05ef8352012-05-08 09:17:57 +000057#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58int (*ssl_hw_record_init)(ssl_context *ssl,
59 const unsigned char *key_enc, const unsigned char *key_dec,
Paul Bakker07eb38b2012-12-19 14:42:06 +010060 size_t keylen,
Paul Bakker05ef8352012-05-08 09:17:57 +000061 const unsigned char *iv_enc, const unsigned char *iv_dec,
Paul Bakker07eb38b2012-12-19 14:42:06 +010062 size_t ivlen,
63 const unsigned char *mac_enc, const unsigned char *mac_dec,
64 size_t maclen) = NULL;
65int (*ssl_hw_record_activate)(ssl_context *ssl, int direction) = NULL;
Paul Bakker05ef8352012-05-08 09:17:57 +000066int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
67int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
68int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
69int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
70#endif
71
Paul Bakkered27a042013-04-18 22:46:23 +020072#if defined(POLARSSL_RSA_C)
Paul Bakkereb2c6582012-09-27 19:15:01 +000073static int ssl_rsa_decrypt( void *ctx, int mode, size_t *olen,
74 const unsigned char *input, unsigned char *output,
75 size_t output_max_len )
76{
77 return rsa_pkcs1_decrypt( (rsa_context *) ctx, mode, olen, input, output,
78 output_max_len );
79}
80
81static int ssl_rsa_sign( void *ctx,
82 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
83 int mode, int hash_id, unsigned int hashlen,
84 const unsigned char *hash, unsigned char *sig )
85{
86 return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
87 hashlen, hash, sig );
88}
89
90static size_t ssl_rsa_key_len( void *ctx )
91{
92 return ( (rsa_context *) ctx )->len;
93}
Paul Bakkered27a042013-04-18 22:46:23 +020094#endif /* POLARSSL_RSA_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +000095
Paul Bakker5121ce52009-01-03 21:22:43 +000096/*
97 * Key material generation
98 */
Paul Bakker5f70b252012-09-13 14:23:06 +000099static int ssl3_prf( unsigned char *secret, size_t slen, char *label,
100 unsigned char *random, size_t rlen,
101 unsigned char *dstbuf, size_t dlen )
102{
103 size_t i;
104 md5_context md5;
105 sha1_context sha1;
106 unsigned char padding[16];
107 unsigned char sha1sum[20];
108 ((void)label);
109
110 /*
111 * SSLv3:
112 * block =
113 * MD5( secret + SHA1( 'A' + secret + random ) ) +
114 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
115 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
116 * ...
117 */
118 for( i = 0; i < dlen / 16; i++ )
119 {
120 memset( padding, 'A' + i, 1 + i );
121
122 sha1_starts( &sha1 );
123 sha1_update( &sha1, padding, 1 + i );
124 sha1_update( &sha1, secret, slen );
125 sha1_update( &sha1, random, rlen );
126 sha1_finish( &sha1, sha1sum );
127
128 md5_starts( &md5 );
129 md5_update( &md5, secret, slen );
130 md5_update( &md5, sha1sum, 20 );
131 md5_finish( &md5, dstbuf + i * 16 );
132 }
133
134 memset( &md5, 0, sizeof( md5 ) );
135 memset( &sha1, 0, sizeof( sha1 ) );
136
137 memset( padding, 0, sizeof( padding ) );
138 memset( sha1sum, 0, sizeof( sha1sum ) );
139
140 return( 0 );
141}
142
Paul Bakker23986e52011-04-24 08:57:21 +0000143static int tls1_prf( unsigned char *secret, size_t slen, char *label,
144 unsigned char *random, size_t rlen,
145 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000146{
Paul Bakker23986e52011-04-24 08:57:21 +0000147 size_t nb, hs;
148 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000149 unsigned char *S1, *S2;
150 unsigned char tmp[128];
151 unsigned char h_i[20];
152
153 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000154 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000155
156 hs = ( slen + 1 ) / 2;
157 S1 = secret;
158 S2 = secret + slen - hs;
159
160 nb = strlen( label );
161 memcpy( tmp + 20, label, nb );
162 memcpy( tmp + 20 + nb, random, rlen );
163 nb += rlen;
164
165 /*
166 * First compute P_md5(secret,label+random)[0..dlen]
167 */
168 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
169
170 for( i = 0; i < dlen; i += 16 )
171 {
172 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
173 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
174
175 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
176
177 for( j = 0; j < k; j++ )
178 dstbuf[i + j] = h_i[j];
179 }
180
181 /*
182 * XOR out with P_sha1(secret,label+random)[0..dlen]
183 */
184 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
185
186 for( i = 0; i < dlen; i += 20 )
187 {
188 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
189 sha1_hmac( S2, hs, tmp, 20, tmp );
190
191 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
192
193 for( j = 0; j < k; j++ )
194 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
195 }
196
197 memset( tmp, 0, sizeof( tmp ) );
198 memset( h_i, 0, sizeof( h_i ) );
199
200 return( 0 );
201}
202
Paul Bakker1ef83d62012-04-11 12:09:53 +0000203static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
204 unsigned char *random, size_t rlen,
205 unsigned char *dstbuf, size_t dlen )
206{
207 size_t nb;
208 size_t i, j, k;
209 unsigned char tmp[128];
210 unsigned char h_i[32];
211
212 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
213 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
214
215 nb = strlen( label );
216 memcpy( tmp + 32, label, nb );
217 memcpy( tmp + 32 + nb, random, rlen );
218 nb += rlen;
219
220 /*
221 * Compute P_<hash>(secret, label + random)[0..dlen]
222 */
223 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
224
225 for( i = 0; i < dlen; i += 32 )
226 {
227 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
228 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
229
230 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
231
232 for( j = 0; j < k; j++ )
233 dstbuf[i + j] = h_i[j];
234 }
235
236 memset( tmp, 0, sizeof( tmp ) );
237 memset( h_i, 0, sizeof( h_i ) );
238
239 return( 0 );
240}
241
Paul Bakker769075d2012-11-24 11:26:46 +0100242#if defined(POLARSSL_SHA4_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +0000243static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
244 unsigned char *random, size_t rlen,
245 unsigned char *dstbuf, size_t dlen )
246{
247 size_t nb;
248 size_t i, j, k;
249 unsigned char tmp[128];
250 unsigned char h_i[48];
251
252 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
253 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
254
255 nb = strlen( label );
256 memcpy( tmp + 48, label, nb );
257 memcpy( tmp + 48 + nb, random, rlen );
258 nb += rlen;
259
260 /*
261 * Compute P_<hash>(secret, label + random)[0..dlen]
262 */
263 sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
264
265 for( i = 0; i < dlen; i += 48 )
266 {
267 sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
268 sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
269
270 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
271
272 for( j = 0; j < k; j++ )
273 dstbuf[i + j] = h_i[j];
274 }
275
276 memset( tmp, 0, sizeof( tmp ) );
277 memset( h_i, 0, sizeof( h_i ) );
278
279 return( 0 );
280}
Paul Bakker769075d2012-11-24 11:26:46 +0100281#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000282
Paul Bakker380da532012-04-18 16:10:25 +0000283static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
284static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
285static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
Paul Bakker380da532012-04-18 16:10:25 +0000286
287static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
288static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
289static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
Paul Bakker380da532012-04-18 16:10:25 +0000290
Paul Bakkerca4ab492012-04-18 14:23:57 +0000291static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
292static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
293static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
Paul Bakker769075d2012-11-24 11:26:46 +0100294
295#if defined(POLARSSL_SHA4_C)
296static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
297static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
Paul Bakkerca4ab492012-04-18 14:23:57 +0000298static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker769075d2012-11-24 11:26:46 +0100299#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000300
Paul Bakker5121ce52009-01-03 21:22:43 +0000301int ssl_derive_keys( ssl_context *ssl )
302{
Paul Bakker5121ce52009-01-03 21:22:43 +0000303 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000304 unsigned char keyblk[256];
305 unsigned char *key1;
306 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100307 unsigned char *mac_enc;
308 unsigned char *mac_dec;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000309 unsigned int iv_copy_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100310 const cipher_info_t *cipher_info;
311 const md_info_t *md_info;
312
Paul Bakker48916f92012-09-16 19:57:18 +0000313 ssl_session *session = ssl->session_negotiate;
314 ssl_transform *transform = ssl->transform_negotiate;
315 ssl_handshake_params *handshake = ssl->handshake;
Paul Bakker5121ce52009-01-03 21:22:43 +0000316
317 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
318
Paul Bakker68884e32013-01-07 18:20:04 +0100319 cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
320 if( cipher_info == NULL )
321 {
Paul Bakkerf7abd422013-04-16 13:15:56 +0200322 SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100323 transform->ciphersuite_info->cipher ) );
324 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
325 }
326
327 md_info = md_info_from_type( transform->ciphersuite_info->mac );
328 if( md_info == NULL )
329 {
Paul Bakkerf7abd422013-04-16 13:15:56 +0200330 SSL_DEBUG_MSG( 1, ( "md info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100331 transform->ciphersuite_info->mac ) );
332 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
333 }
334
Paul Bakker5121ce52009-01-03 21:22:43 +0000335 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000336 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000337 */
338 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000339 {
Paul Bakker48916f92012-09-16 19:57:18 +0000340 handshake->tls_prf = ssl3_prf;
341 handshake->calc_verify = ssl_calc_verify_ssl;
342 handshake->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000343 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000344 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000345 {
Paul Bakker48916f92012-09-16 19:57:18 +0000346 handshake->tls_prf = tls1_prf;
347 handshake->calc_verify = ssl_calc_verify_tls;
348 handshake->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000349 }
Paul Bakker769075d2012-11-24 11:26:46 +0100350#if defined(POLARSSL_SHA4_C)
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100351 else if( transform->ciphersuite_info->mac ==
352 POLARSSL_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000353 {
Paul Bakker48916f92012-09-16 19:57:18 +0000354 handshake->tls_prf = tls_prf_sha384;
355 handshake->calc_verify = ssl_calc_verify_tls_sha384;
356 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000357 }
Paul Bakker769075d2012-11-24 11:26:46 +0100358#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000359 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000360 {
Paul Bakker48916f92012-09-16 19:57:18 +0000361 handshake->tls_prf = tls_prf_sha256;
362 handshake->calc_verify = ssl_calc_verify_tls_sha256;
363 handshake->calc_finished = ssl_calc_finished_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000364 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000365
366 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000367 * SSLv3:
368 * master =
369 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
370 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
371 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakkerf7abd422013-04-16 13:15:56 +0200372 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000373 * TLSv1:
374 * master = PRF( premaster, "master secret", randbytes )[0..47]
375 */
Paul Bakker0a597072012-09-25 21:55:46 +0000376 if( handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000377 {
Paul Bakker48916f92012-09-16 19:57:18 +0000378 SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
379 handshake->pmslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000380
Paul Bakker48916f92012-09-16 19:57:18 +0000381 handshake->tls_prf( handshake->premaster, handshake->pmslen,
382 "master secret",
383 handshake->randbytes, 64, session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000384
Paul Bakker48916f92012-09-16 19:57:18 +0000385 memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000386 }
387 else
388 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
389
390 /*
391 * Swap the client and server random values.
392 */
Paul Bakker48916f92012-09-16 19:57:18 +0000393 memcpy( tmp, handshake->randbytes, 64 );
394 memcpy( handshake->randbytes, tmp + 32, 32 );
395 memcpy( handshake->randbytes + 32, tmp, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000396 memset( tmp, 0, sizeof( tmp ) );
397
398 /*
399 * SSLv3:
400 * key block =
401 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
402 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
403 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
404 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
405 * ...
406 *
407 * TLSv1:
408 * key block = PRF( master, "key expansion", randbytes )
409 */
Paul Bakker48916f92012-09-16 19:57:18 +0000410 handshake->tls_prf( session->master, 48, "key expansion",
411 handshake->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000412
Paul Bakker48916f92012-09-16 19:57:18 +0000413 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
414 ssl_get_ciphersuite_name( session->ciphersuite ) ) );
415 SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
416 SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000417 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
418
Paul Bakker48916f92012-09-16 19:57:18 +0000419 memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000420
421 /*
422 * Determine the appropriate key, IV and MAC length.
423 */
Paul Bakker68884e32013-01-07 18:20:04 +0100424
425 if( cipher_info->mode == POLARSSL_MODE_GCM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000426 {
Paul Bakker68884e32013-01-07 18:20:04 +0100427 transform->keylen = cipher_info->key_length;
428 transform->keylen /= 8;
429 transform->minlen = 1;
430 transform->ivlen = 12;
431 transform->fixed_ivlen = 4;
432 transform->maclen = 0;
433 }
434 else
435 {
436 if( md_info->type != POLARSSL_MD_NONE )
437 {
438 md_init_ctx( &transform->md_ctx_enc, md_info );
439 md_init_ctx( &transform->md_ctx_dec, md_info );
Paul Bakker5121ce52009-01-03 21:22:43 +0000440
Paul Bakker68884e32013-01-07 18:20:04 +0100441 transform->maclen = md_get_size( md_info );
442 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000443
Paul Bakker68884e32013-01-07 18:20:04 +0100444 transform->keylen = cipher_info->key_length;
445 transform->keylen /= 8;
446 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000447
Paul Bakker68884e32013-01-07 18:20:04 +0100448 transform->minlen = transform->keylen;
449 if( transform->minlen < transform->maclen )
450 {
451 if( cipher_info->mode == POLARSSL_MODE_STREAM )
452 transform->minlen = transform->maclen;
453 else
454 transform->minlen += transform->keylen;
455 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000456 }
457
458 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000459 transform->keylen, transform->minlen, transform->ivlen,
460 transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000461
462 /*
463 * Finally setup the cipher contexts, IVs and MAC secrets.
464 */
465 if( ssl->endpoint == SSL_IS_CLIENT )
466 {
Paul Bakker48916f92012-09-16 19:57:18 +0000467 key1 = keyblk + transform->maclen * 2;
468 key2 = keyblk + transform->maclen * 2 + transform->keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000469
Paul Bakker68884e32013-01-07 18:20:04 +0100470 mac_enc = keyblk;
471 mac_dec = keyblk + transform->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000472
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000473 /*
474 * This is not used in TLS v1.1.
475 */
Paul Bakker48916f92012-09-16 19:57:18 +0000476 iv_copy_len = ( transform->fixed_ivlen ) ?
477 transform->fixed_ivlen : transform->ivlen;
478 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
479 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000480 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000481 }
482 else
483 {
Paul Bakker48916f92012-09-16 19:57:18 +0000484 key1 = keyblk + transform->maclen * 2 + transform->keylen;
485 key2 = keyblk + transform->maclen * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000486
Paul Bakker68884e32013-01-07 18:20:04 +0100487 mac_enc = keyblk + transform->maclen;
488 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000489
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000490 /*
491 * This is not used in TLS v1.1.
492 */
Paul Bakker48916f92012-09-16 19:57:18 +0000493 iv_copy_len = ( transform->fixed_ivlen ) ?
494 transform->fixed_ivlen : transform->ivlen;
495 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
496 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000497 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000498 }
499
Paul Bakker68884e32013-01-07 18:20:04 +0100500 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
501 {
502 memcpy( transform->mac_enc, mac_enc, transform->maclen );
503 memcpy( transform->mac_dec, mac_dec, transform->maclen );
504 }
505 else
506 {
507 md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
508 md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
509 }
510
Paul Bakker05ef8352012-05-08 09:17:57 +0000511#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
512 if( ssl_hw_record_init != NULL)
513 {
514 int ret = 0;
515
516 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
517
Paul Bakker07eb38b2012-12-19 14:42:06 +0100518 if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
519 transform->iv_enc, transform->iv_dec,
520 iv_copy_len,
Paul Bakker68884e32013-01-07 18:20:04 +0100521 mac_enc, mac_dec,
Paul Bakker07eb38b2012-12-19 14:42:06 +0100522 transform->maclen ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000523 {
524 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
525 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
526 }
527 }
528#endif
529
Paul Bakker68884e32013-01-07 18:20:04 +0100530 switch( cipher_info->type )
Paul Bakker5121ce52009-01-03 21:22:43 +0000531 {
Paul Bakker40e46942009-01-03 21:51:57 +0000532#if defined(POLARSSL_ARC4_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100533 case POLARSSL_CIPHER_ARC4_128:
Paul Bakker48916f92012-09-16 19:57:18 +0000534 arc4_setup( (arc4_context *) transform->ctx_enc, key1,
535 transform->keylen );
536 arc4_setup( (arc4_context *) transform->ctx_dec, key2,
537 transform->keylen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000538 break;
539#endif
540
Paul Bakker40e46942009-01-03 21:51:57 +0000541#if defined(POLARSSL_DES_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100542 case POLARSSL_CIPHER_DES_EDE3_CBC:
543 des3_set3key_enc( (des3_context *) transform->ctx_enc, key1 );
544 des3_set3key_dec( (des3_context *) transform->ctx_dec, key2 );
545 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000546#endif
547
Paul Bakker40e46942009-01-03 21:51:57 +0000548#if defined(POLARSSL_AES_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100549 case POLARSSL_CIPHER_AES_128_CBC:
550 case POLARSSL_CIPHER_AES_256_CBC:
551 aes_setkey_enc( (aes_context*) transform->ctx_enc, key1,
552 cipher_info->key_length );
553 aes_setkey_dec( (aes_context*) transform->ctx_dec, key2,
554 cipher_info->key_length );
Paul Bakker5121ce52009-01-03 21:22:43 +0000555 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000556#endif
557
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000558#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100559 case POLARSSL_CIPHER_CAMELLIA_128_CBC:
560 case POLARSSL_CIPHER_CAMELLIA_256_CBC:
561 camellia_setkey_enc( (camellia_context*) transform->ctx_enc, key1,
562 cipher_info->key_length );
563 camellia_setkey_dec( (camellia_context*) transform->ctx_dec, key2,
564 cipher_info->key_length );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000565 break;
566#endif
567
Paul Bakkerfab5c822012-02-06 16:45:10 +0000568#if defined(POLARSSL_DES_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100569 case POLARSSL_CIPHER_DES_CBC:
Paul Bakker48916f92012-09-16 19:57:18 +0000570 des_setkey_enc( (des_context *) transform->ctx_enc, key1 );
571 des_setkey_dec( (des_context *) transform->ctx_dec, key2 );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000572 break;
573#endif
Paul Bakker68884e32013-01-07 18:20:04 +0100574
575#if defined(POLARSSL_GCM_C)
576 case POLARSSL_CIPHER_AES_128_GCM:
577 case POLARSSL_CIPHER_AES_256_GCM:
578 gcm_init( (gcm_context *) transform->ctx_enc, key1,
579 cipher_info->key_length );
580 gcm_init( (gcm_context *) transform->ctx_dec, key2,
581 cipher_info->key_length );
582 break;
583#endif
584
585 case POLARSSL_CIPHER_NULL:
586 break;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000587
Paul Bakker5121ce52009-01-03 21:22:43 +0000588 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000589 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000590 }
591
592 memset( keyblk, 0, sizeof( keyblk ) );
593
Paul Bakker2770fbd2012-07-03 13:30:23 +0000594#if defined(POLARSSL_ZLIB_SUPPORT)
595 // Initialize compression
596 //
Paul Bakker48916f92012-09-16 19:57:18 +0000597 if( session->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000598 {
599 SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
600
Paul Bakker48916f92012-09-16 19:57:18 +0000601 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
602 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000603
Paul Bakker48916f92012-09-16 19:57:18 +0000604 if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
605 inflateInit( &transform->ctx_inflate ) != Z_OK )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000606 {
607 SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
608 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
609 }
610 }
611#endif /* POLARSSL_ZLIB_SUPPORT */
612
Paul Bakker5121ce52009-01-03 21:22:43 +0000613 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
614
615 return( 0 );
616}
617
Paul Bakker380da532012-04-18 16:10:25 +0000618void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000619{
620 md5_context md5;
621 sha1_context sha1;
622 unsigned char pad_1[48];
623 unsigned char pad_2[48];
624
Paul Bakker380da532012-04-18 16:10:25 +0000625 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000626
Paul Bakker48916f92012-09-16 19:57:18 +0000627 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
628 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000629
Paul Bakker380da532012-04-18 16:10:25 +0000630 memset( pad_1, 0x36, 48 );
631 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000632
Paul Bakker48916f92012-09-16 19:57:18 +0000633 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000634 md5_update( &md5, pad_1, 48 );
635 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000636
Paul Bakker380da532012-04-18 16:10:25 +0000637 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +0000638 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000639 md5_update( &md5, pad_2, 48 );
640 md5_update( &md5, hash, 16 );
641 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000642
Paul Bakker48916f92012-09-16 19:57:18 +0000643 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000644 sha1_update( &sha1, pad_1, 40 );
645 sha1_finish( &sha1, hash + 16 );
646
647 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +0000648 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000649 sha1_update( &sha1, pad_2, 40 );
650 sha1_update( &sha1, hash + 16, 20 );
651 sha1_finish( &sha1, hash + 16 );
652
653 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
654 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
655
656 return;
657}
658
659void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
660{
661 md5_context md5;
662 sha1_context sha1;
663
664 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
665
Paul Bakker48916f92012-09-16 19:57:18 +0000666 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
667 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000668
Paul Bakker48916f92012-09-16 19:57:18 +0000669 md5_finish( &md5, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000670 sha1_finish( &sha1, hash + 16 );
671
672 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
673 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
674
675 return;
676}
677
678void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
679{
680 sha2_context sha2;
681
682 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
683
Paul Bakker48916f92012-09-16 19:57:18 +0000684 memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000685 sha2_finish( &sha2, hash );
686
687 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
688 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
689
690 return;
691}
692
Paul Bakker769075d2012-11-24 11:26:46 +0100693#if defined(POLARSSL_SHA4_C)
Paul Bakker380da532012-04-18 16:10:25 +0000694void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
695{
696 sha4_context sha4;
697
698 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
699
Paul Bakker48916f92012-09-16 19:57:18 +0000700 memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000701 sha4_finish( &sha4, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000702
Paul Bakkerca4ab492012-04-18 14:23:57 +0000703 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000704 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
705
706 return;
707}
Paul Bakker769075d2012-11-24 11:26:46 +0100708#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000709
710/*
711 * SSLv3.0 MAC functions
712 */
Paul Bakker68884e32013-01-07 18:20:04 +0100713static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
714 unsigned char *buf, size_t len,
715 unsigned char *ctr, int type )
Paul Bakker5121ce52009-01-03 21:22:43 +0000716{
717 unsigned char header[11];
718 unsigned char padding[48];
Paul Bakker68884e32013-01-07 18:20:04 +0100719 int padlen = 0;
720 int md_size = md_get_size( md_ctx->md_info );
721 int md_type = md_get_type( md_ctx->md_info );
722
723 if( md_type == POLARSSL_MD_MD5 )
724 padlen = 48;
725 else if( md_type == POLARSSL_MD_SHA1 )
726 padlen = 40;
727 else if( md_type == POLARSSL_MD_SHA256 )
728 padlen = 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000729
730 memcpy( header, ctr, 8 );
731 header[ 8] = (unsigned char) type;
732 header[ 9] = (unsigned char)( len >> 8 );
733 header[10] = (unsigned char)( len );
734
Paul Bakker68884e32013-01-07 18:20:04 +0100735 memset( padding, 0x36, padlen );
736 md_starts( md_ctx );
737 md_update( md_ctx, secret, md_size );
738 md_update( md_ctx, padding, padlen );
739 md_update( md_ctx, header, 11 );
740 md_update( md_ctx, buf, len );
741 md_finish( md_ctx, buf + len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000742
Paul Bakker68884e32013-01-07 18:20:04 +0100743 memset( padding, 0x5C, padlen );
744 md_starts( md_ctx );
745 md_update( md_ctx, secret, md_size );
746 md_update( md_ctx, padding, padlen );
747 md_update( md_ctx, buf + len, md_size );
748 md_finish( md_ctx, buf + len );
Paul Bakker5f70b252012-09-13 14:23:06 +0000749}
750
Paul Bakker5121ce52009-01-03 21:22:43 +0000751/*
752 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +0200753 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000754static int ssl_encrypt_buf( ssl_context *ssl )
755{
Paul Bakker23986e52011-04-24 08:57:21 +0000756 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000757
758 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
759
760 /*
761 * Add MAC then encrypt
762 */
763 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
764 {
Paul Bakker68884e32013-01-07 18:20:04 +0100765 ssl_mac( &ssl->transform_out->md_ctx_enc,
766 ssl->transform_out->mac_enc,
767 ssl->out_msg, ssl->out_msglen,
768 ssl->out_ctr, ssl->out_msgtype );
Paul Bakker5121ce52009-01-03 21:22:43 +0000769 }
770 else
771 {
Paul Bakker68884e32013-01-07 18:20:04 +0100772 md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
773 md_hmac_update( &ssl->transform_out->md_ctx_enc,
774 ssl->out_msg, ssl->out_msglen );
775 md_hmac_finish( &ssl->transform_out->md_ctx_enc,
776 ssl->out_msg + ssl->out_msglen );
777 md_hmac_reset( &ssl->transform_out->md_ctx_enc );
Paul Bakker5121ce52009-01-03 21:22:43 +0000778 }
779
780 SSL_DEBUG_BUF( 4, "computed mac",
Paul Bakker48916f92012-09-16 19:57:18 +0000781 ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000782
Paul Bakker48916f92012-09-16 19:57:18 +0000783 ssl->out_msglen += ssl->transform_out->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000784
Paul Bakker68884e32013-01-07 18:20:04 +0100785#if defined(POLARSSL_CIPHER_NULL_CIPHER)
786 if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_NULL )
787 {
788 padlen = 0;
789 }
790 else
791#endif /* POLARSSL_CIPHER_NULL_CIPHER */
792#if defined(POLARSSL_ARC4_C)
793 if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000794 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000795 padlen = 0;
796
797 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
798 "including %d bytes of padding",
799 ssl->out_msglen, 0 ) );
800
801 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
802 ssl->out_msg, ssl->out_msglen );
803
Paul Bakker68884e32013-01-07 18:20:04 +0100804 arc4_crypt( (arc4_context *) ssl->transform_out->ctx_enc,
805 ssl->out_msglen, ssl->out_msg,
806 ssl->out_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000807 }
Paul Bakker68884e32013-01-07 18:20:04 +0100808 else
809#endif /* POLARSSL_ARC4_C */
810#if defined(POLARSSL_GCM_C)
811 if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_128_GCM ||
812 ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_256_GCM )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000813 {
814 size_t enc_msglen;
815 unsigned char *enc_msg;
816 unsigned char add_data[13];
817 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
818
819 padlen = 0;
820 enc_msglen = ssl->out_msglen;
821
822 memcpy( add_data, ssl->out_ctr, 8 );
823 add_data[8] = ssl->out_msgtype;
824 add_data[9] = ssl->major_ver;
825 add_data[10] = ssl->minor_ver;
826 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
827 add_data[12] = ssl->out_msglen & 0xFF;
828
829 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
830 add_data, 13 );
831
Paul Bakker68884e32013-01-07 18:20:04 +0100832 /*
833 * Generate IV
834 */
835 ret = ssl->f_rng( ssl->p_rng,
Paul Bakker48916f92012-09-16 19:57:18 +0000836 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
Paul Bakker68884e32013-01-07 18:20:04 +0100837 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
838 if( ret != 0 )
839 return( ret );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000840
Paul Bakker68884e32013-01-07 18:20:04 +0100841 memcpy( ssl->out_iv,
842 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
843 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000844
Paul Bakker68884e32013-01-07 18:20:04 +0100845 /*
846 * Fix pointer positions and message length with added IV
847 */
848 enc_msg = ssl->out_msg;
849 enc_msglen = ssl->out_msglen;
850 ssl->out_msglen += ssl->transform_out->ivlen -
851 ssl->transform_out->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000852
Paul Bakker68884e32013-01-07 18:20:04 +0100853 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
854 "including %d bytes of padding",
855 ssl->out_msglen, 0 ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000856
Paul Bakker68884e32013-01-07 18:20:04 +0100857 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
858 ssl->out_msg, ssl->out_msglen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000859
Paul Bakker68884e32013-01-07 18:20:04 +0100860 /*
861 * Adjust for tag
862 */
863 ssl->out_msglen += 16;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000864
Paul Bakker68884e32013-01-07 18:20:04 +0100865 gcm_crypt_and_tag( (gcm_context *) ssl->transform_out->ctx_enc,
866 GCM_ENCRYPT, enc_msglen,
867 ssl->transform_out->iv_enc, ssl->transform_out->ivlen,
868 add_data, 13,
869 enc_msg, enc_msg,
870 16, enc_msg + enc_msglen );
871
872 SSL_DEBUG_BUF( 4, "after encrypt: tag",
873 enc_msg + enc_msglen, 16 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000874 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000875 else
Paul Bakker68884e32013-01-07 18:20:04 +0100876#endif /* POLARSSL_GCM_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000877 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000878 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000879 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000880
Paul Bakker48916f92012-09-16 19:57:18 +0000881 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
882 ssl->transform_out->ivlen;
883 if( padlen == ssl->transform_out->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000884 padlen = 0;
885
886 for( i = 0; i <= padlen; i++ )
887 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
888
889 ssl->out_msglen += padlen + 1;
890
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000891 enc_msglen = ssl->out_msglen;
892 enc_msg = ssl->out_msg;
893
894 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000895 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
896 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000897 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000898 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000899 {
900 /*
901 * Generate IV
902 */
Paul Bakker48916f92012-09-16 19:57:18 +0000903 int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
904 ssl->transform_out->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +0000905 if( ret != 0 )
906 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000907
Paul Bakker92be97b2013-01-02 17:30:03 +0100908 memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +0000909 ssl->transform_out->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000910
911 /*
912 * Fix pointer positions and message length with added IV
913 */
Paul Bakker92be97b2013-01-02 17:30:03 +0100914 enc_msg = ssl->out_msg;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000915 enc_msglen = ssl->out_msglen;
Paul Bakker48916f92012-09-16 19:57:18 +0000916 ssl->out_msglen += ssl->transform_out->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000917 }
918
Paul Bakker5121ce52009-01-03 21:22:43 +0000919 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000920 "including %d bytes of IV and %d bytes of padding",
Paul Bakker48916f92012-09-16 19:57:18 +0000921 ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000922
923 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Paul Bakker92be97b2013-01-02 17:30:03 +0100924 ssl->out_iv, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000925
Paul Bakker68884e32013-01-07 18:20:04 +0100926 switch( ssl->transform_out->ciphersuite_info->cipher )
Paul Bakker5121ce52009-01-03 21:22:43 +0000927 {
Paul Bakker68884e32013-01-07 18:20:04 +0100928 case POLARSSL_CIPHER_DES_CBC:
929 des_crypt_cbc( (des_context *) ssl->transform_out->ctx_enc,
930 DES_ENCRYPT, enc_msglen,
931 ssl->transform_out->iv_enc, enc_msg, enc_msg );
932 break;
933
934 case POLARSSL_CIPHER_DES_EDE3_CBC:
935 des3_crypt_cbc( (des3_context *) ssl->transform_out->ctx_enc,
936 DES_ENCRYPT, enc_msglen,
937 ssl->transform_out->iv_enc, enc_msg, enc_msg );
938 break;
939
940 case POLARSSL_CIPHER_AES_128_CBC:
941 case POLARSSL_CIPHER_AES_256_CBC:
942 aes_crypt_cbc( (aes_context *) ssl->transform_out->ctx_enc,
943 AES_ENCRYPT, enc_msglen,
944 ssl->transform_out->iv_enc, enc_msg, enc_msg );
945 break;
946
947 case POLARSSL_CIPHER_CAMELLIA_128_CBC:
948 case POLARSSL_CIPHER_CAMELLIA_256_CBC:
949 camellia_crypt_cbc( (camellia_context *) ssl->transform_out->ctx_enc,
950 CAMELLIA_ENCRYPT, enc_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000951 ssl->transform_out->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000952 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000953
954 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000955 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000956 }
957 }
958
Paul Bakkerca4ab492012-04-18 14:23:57 +0000959 for( i = 8; i > 0; i-- )
960 if( ++ssl->out_ctr[i - 1] != 0 )
961 break;
962
Paul Bakker5121ce52009-01-03 21:22:43 +0000963 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
964
965 return( 0 );
966}
967
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100968#define POLARSSL_SSL_MAX_MAC_SIZE 48
Paul Bakkerfab5c822012-02-06 16:45:10 +0000969
Paul Bakker5121ce52009-01-03 21:22:43 +0000970static int ssl_decrypt_buf( ssl_context *ssl )
971{
Paul Bakker45829992013-01-03 14:52:21 +0100972 size_t i, padlen = 0, correct = 1;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000973 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000974
975 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
976
Paul Bakker48916f92012-09-16 19:57:18 +0000977 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000978 {
979 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
Paul Bakker48916f92012-09-16 19:57:18 +0000980 ssl->in_msglen, ssl->transform_in->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000981 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000982 }
983
Paul Bakker68884e32013-01-07 18:20:04 +0100984#if defined(POLARSSL_CIPHER_NULL_CIPHER)
985 if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000986 {
Paul Bakker68884e32013-01-07 18:20:04 +0100987 padlen = 0;
988 }
989 else
990#endif /* POLARSSL_CIPHER_NULL_CIPHER */
Paul Bakker40e46942009-01-03 21:51:57 +0000991#if defined(POLARSSL_ARC4_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100992 if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
993 {
994 padlen = 0;
995
996 arc4_crypt( (arc4_context *) ssl->transform_in->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000997 ssl->in_msglen, ssl->in_msg,
998 ssl->in_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000999 }
Paul Bakker68884e32013-01-07 18:20:04 +01001000 else
1001#endif /* POLARSSL_ARC4_C */
1002#if defined(POLARSSL_GCM_C)
1003 if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_128_GCM ||
1004 ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_256_GCM )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001005 {
1006 unsigned char *dec_msg;
1007 unsigned char *dec_msg_result;
1008 size_t dec_msglen;
1009 unsigned char add_data[13];
1010 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1011
Paul Bakker68884e32013-01-07 18:20:04 +01001012 padlen = 0;
1013
1014 dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1015 ssl->transform_in->fixed_ivlen );
1016 dec_msglen -= 16;
1017 dec_msg = ssl->in_msg;
1018 dec_msg_result = ssl->in_msg;
1019 ssl->in_msglen = dec_msglen;
1020
1021 memcpy( add_data, ssl->in_ctr, 8 );
1022 add_data[8] = ssl->in_msgtype;
1023 add_data[9] = ssl->major_ver;
1024 add_data[10] = ssl->minor_ver;
1025 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1026 add_data[12] = ssl->in_msglen & 0xFF;
1027
1028 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1029 add_data, 13 );
1030
1031 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1032 ssl->in_iv,
1033 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1034
1035 SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1036 ssl->transform_in->ivlen );
1037 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1038
1039 ret = gcm_auth_decrypt( (gcm_context *) ssl->transform_in->ctx_dec,
1040 dec_msglen,
1041 ssl->transform_in->iv_dec,
1042 ssl->transform_in->ivlen,
1043 add_data, 13,
1044 dec_msg + dec_msglen, 16,
1045 dec_msg, dec_msg_result );
1046
1047 if( ret != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001048 {
Paul Bakker68884e32013-01-07 18:20:04 +01001049 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1050 -ret ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001051
Paul Bakker68884e32013-01-07 18:20:04 +01001052 return( POLARSSL_ERR_SSL_INVALID_MAC );
1053 }
Paul Bakkerca4ab492012-04-18 14:23:57 +00001054 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001055 else
Paul Bakker68884e32013-01-07 18:20:04 +01001056#endif /* POLARSSL_GCM_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00001057 {
Paul Bakker45829992013-01-03 14:52:21 +01001058 /*
1059 * Decrypt and check the padding
1060 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001061 unsigned char *dec_msg;
1062 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +00001063 size_t dec_msglen;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001064 size_t minlen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001065
Paul Bakker5121ce52009-01-03 21:22:43 +00001066 /*
Paul Bakker45829992013-01-03 14:52:21 +01001067 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +00001068 */
Paul Bakker48916f92012-09-16 19:57:18 +00001069 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001070 {
1071 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Paul Bakker48916f92012-09-16 19:57:18 +00001072 ssl->in_msglen, ssl->transform_in->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001073 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001074 }
1075
Paul Bakker45829992013-01-03 14:52:21 +01001076 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1077 minlen += ssl->transform_in->ivlen;
1078
1079 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1080 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1081 {
1082 SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1083 ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1084 return( POLARSSL_ERR_SSL_INVALID_MAC );
1085 }
1086
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001087 dec_msglen = ssl->in_msglen;
1088 dec_msg = ssl->in_msg;
1089 dec_msg_result = ssl->in_msg;
1090
1091 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +00001092 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001093 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00001094 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001095 {
Paul Bakker48916f92012-09-16 19:57:18 +00001096 dec_msglen -= ssl->transform_in->ivlen;
1097 ssl->in_msglen -= ssl->transform_in->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001098
Paul Bakker48916f92012-09-16 19:57:18 +00001099 for( i = 0; i < ssl->transform_in->ivlen; i++ )
Paul Bakker92be97b2013-01-02 17:30:03 +01001100 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001101 }
1102
Paul Bakker68884e32013-01-07 18:20:04 +01001103 switch( ssl->transform_in->ciphersuite_info->cipher )
Paul Bakker5121ce52009-01-03 21:22:43 +00001104 {
Paul Bakker68884e32013-01-07 18:20:04 +01001105 case POLARSSL_CIPHER_DES_CBC:
1106 des_crypt_cbc( (des_context *) ssl->transform_in->ctx_dec,
1107 DES_DECRYPT, dec_msglen,
1108 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +00001109 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00001110
Paul Bakker68884e32013-01-07 18:20:04 +01001111 case POLARSSL_CIPHER_DES_EDE3_CBC:
1112 des3_crypt_cbc( (des3_context *) ssl->transform_in->ctx_dec,
1113 DES_DECRYPT, dec_msglen,
1114 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1115 break;
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +00001116
Paul Bakker68884e32013-01-07 18:20:04 +01001117 case POLARSSL_CIPHER_AES_128_CBC:
1118 case POLARSSL_CIPHER_AES_256_CBC:
1119 aes_crypt_cbc( (aes_context *) ssl->transform_in->ctx_dec,
1120 AES_DECRYPT, dec_msglen,
1121 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1122 break;
1123
1124 case POLARSSL_CIPHER_CAMELLIA_128_CBC:
1125 case POLARSSL_CIPHER_CAMELLIA_256_CBC:
1126 camellia_crypt_cbc( (camellia_context *) ssl->transform_in->ctx_dec,
1127 CAMELLIA_DECRYPT, dec_msglen,
1128 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1129 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00001130
1131 default:
Paul Bakker40e46942009-01-03 21:51:57 +00001132 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001133 }
1134
1135 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
Paul Bakker45829992013-01-03 14:52:21 +01001136
1137 if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1138 {
Paul Bakkerd66f0702013-01-31 16:57:45 +01001139#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker45829992013-01-03 14:52:21 +01001140 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1141 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001142#endif
Paul Bakker45829992013-01-03 14:52:21 +01001143 padlen = 0;
Paul Bakker45829992013-01-03 14:52:21 +01001144 correct = 0;
1145 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001146
1147 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1148 {
Paul Bakker48916f92012-09-16 19:57:18 +00001149 if( padlen > ssl->transform_in->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001150 {
Paul Bakkerd66f0702013-01-31 16:57:45 +01001151#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker5121ce52009-01-03 21:22:43 +00001152 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1153 "should be no more than %d",
Paul Bakker48916f92012-09-16 19:57:18 +00001154 padlen, ssl->transform_in->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001155#endif
Paul Bakker45829992013-01-03 14:52:21 +01001156 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001157 }
1158 }
1159 else
1160 {
1161 /*
Paul Bakker45829992013-01-03 14:52:21 +01001162 * TLSv1+: always check the padding up to the first failure
1163 * and fake check up to 256 bytes of padding
Paul Bakker5121ce52009-01-03 21:22:43 +00001164 */
Paul Bakkere47b34b2013-02-27 14:48:00 +01001165 size_t pad_count = 0, fake_pad_count = 0;
1166 size_t padding_idx = ssl->in_msglen - padlen - 1;
1167
Paul Bakker5121ce52009-01-03 21:22:43 +00001168 for( i = 1; i <= padlen; i++ )
Paul Bakkere47b34b2013-02-27 14:48:00 +01001169 pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1170
1171 for( ; i <= 256; i++ )
1172 fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1173
1174 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1175 correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
1176
Paul Bakkerd66f0702013-01-31 16:57:45 +01001177#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker45829992013-01-03 14:52:21 +01001178 if( padlen > 0 && correct == 0)
1179 SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001180#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +01001181 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +00001182 }
1183 }
1184
1185 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1186 ssl->in_msg, ssl->in_msglen );
1187
1188 /*
1189 * Always compute the MAC (RFC4346, CBCTIME).
1190 */
Paul Bakker48916f92012-09-16 19:57:18 +00001191 ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001192
1193 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1194 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1195
Paul Bakker45829992013-01-03 14:52:21 +01001196 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001197
1198 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1199 {
Paul Bakker68884e32013-01-07 18:20:04 +01001200 ssl_mac( &ssl->transform_in->md_ctx_dec,
1201 ssl->transform_in->mac_dec,
1202 ssl->in_msg, ssl->in_msglen,
1203 ssl->in_ctr, ssl->in_msgtype );
Paul Bakker5121ce52009-01-03 21:22:43 +00001204 }
1205 else
1206 {
Paul Bakker45829992013-01-03 14:52:21 +01001207 /*
1208 * Process MAC and always update for padlen afterwards to make
1209 * total time independent of padlen
Paul Bakkere47b34b2013-02-27 14:48:00 +01001210 *
1211 * extra_run compensates MAC check for padlen
1212 *
1213 * Known timing attacks:
1214 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1215 *
1216 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1217 * correctly. (We round down instead of up, so -56 is the correct
1218 * value for our calculations instead of -55)
Paul Bakker45829992013-01-03 14:52:21 +01001219 */
Paul Bakkere47b34b2013-02-27 14:48:00 +01001220 int j, extra_run = 0;
1221 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1222 ( 13 + ssl->in_msglen + 8 ) / 64;
1223
1224 extra_run &= correct * 0xFF;
1225
Paul Bakker68884e32013-01-07 18:20:04 +01001226 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1227 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
1228 ssl->in_msglen );
1229 md_hmac_finish( &ssl->transform_in->md_ctx_dec,
1230 ssl->in_msg + ssl->in_msglen );
1231 for( j = 0; j < extra_run; j++ )
1232 md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
Paul Bakkere47b34b2013-02-27 14:48:00 +01001233
Paul Bakker68884e32013-01-07 18:20:04 +01001234 md_hmac_reset( &ssl->transform_in->md_ctx_dec );
Paul Bakker5121ce52009-01-03 21:22:43 +00001235 }
1236
Paul Bakker48916f92012-09-16 19:57:18 +00001237 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001238 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +00001239 ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001240
1241 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +00001242 ssl->transform_in->maclen ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001243 {
Paul Bakkere47b34b2013-02-27 14:48:00 +01001244#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker5121ce52009-01-03 21:22:43 +00001245 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +01001246#endif
Paul Bakker45829992013-01-03 14:52:21 +01001247 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001248 }
1249
1250 /*
Paul Bakker45829992013-01-03 14:52:21 +01001251 * Finally check the correct flag
Paul Bakker5121ce52009-01-03 21:22:43 +00001252 */
Paul Bakker45829992013-01-03 14:52:21 +01001253 if( correct == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +00001254 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001255
1256 if( ssl->in_msglen == 0 )
1257 {
1258 ssl->nb_zero++;
1259
1260 /*
1261 * Three or more empty messages may be a DoS attack
1262 * (excessive CPU consumption).
1263 */
1264 if( ssl->nb_zero > 3 )
1265 {
1266 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1267 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001268 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001269 }
1270 }
1271 else
1272 ssl->nb_zero = 0;
Paul Bakkerf7abd422013-04-16 13:15:56 +02001273
Paul Bakker23986e52011-04-24 08:57:21 +00001274 for( i = 8; i > 0; i-- )
1275 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001276 break;
1277
1278 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1279
1280 return( 0 );
1281}
1282
Paul Bakker2770fbd2012-07-03 13:30:23 +00001283#if defined(POLARSSL_ZLIB_SUPPORT)
1284/*
1285 * Compression/decompression functions
1286 */
1287static int ssl_compress_buf( ssl_context *ssl )
1288{
1289 int ret;
1290 unsigned char *msg_post = ssl->out_msg;
1291 size_t len_pre = ssl->out_msglen;
1292 unsigned char *msg_pre;
1293
1294 SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1295
1296 msg_pre = (unsigned char*) malloc( len_pre );
1297 if( msg_pre == NULL )
1298 {
1299 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1300 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1301 }
1302
1303 memcpy( msg_pre, ssl->out_msg, len_pre );
1304
1305 SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1306 ssl->out_msglen ) );
1307
1308 SSL_DEBUG_BUF( 4, "before compression: output payload",
1309 ssl->out_msg, ssl->out_msglen );
1310
Paul Bakker48916f92012-09-16 19:57:18 +00001311 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1312 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1313 ssl->transform_out->ctx_deflate.next_out = msg_post;
1314 ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001315
Paul Bakker48916f92012-09-16 19:57:18 +00001316 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001317 if( ret != Z_OK )
1318 {
1319 SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1320 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1321 }
1322
Paul Bakker48916f92012-09-16 19:57:18 +00001323 ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001324
1325 free( msg_pre );
1326
1327 SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1328 ssl->out_msglen ) );
1329
1330 SSL_DEBUG_BUF( 4, "after compression: output payload",
1331 ssl->out_msg, ssl->out_msglen );
1332
1333 SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1334
1335 return( 0 );
1336}
1337
1338static int ssl_decompress_buf( ssl_context *ssl )
1339{
1340 int ret;
1341 unsigned char *msg_post = ssl->in_msg;
1342 size_t len_pre = ssl->in_msglen;
1343 unsigned char *msg_pre;
1344
1345 SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1346
1347 msg_pre = (unsigned char*) malloc( len_pre );
1348 if( msg_pre == NULL )
1349 {
1350 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1351 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1352 }
1353
1354 memcpy( msg_pre, ssl->in_msg, len_pre );
1355
1356 SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1357 ssl->in_msglen ) );
1358
1359 SSL_DEBUG_BUF( 4, "before decompression: input payload",
1360 ssl->in_msg, ssl->in_msglen );
1361
Paul Bakker48916f92012-09-16 19:57:18 +00001362 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1363 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1364 ssl->transform_in->ctx_inflate.next_out = msg_post;
1365 ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001366
Paul Bakker48916f92012-09-16 19:57:18 +00001367 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001368 if( ret != Z_OK )
1369 {
1370 SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1371 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1372 }
1373
Paul Bakker48916f92012-09-16 19:57:18 +00001374 ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001375
1376 free( msg_pre );
1377
1378 SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1379 ssl->in_msglen ) );
1380
1381 SSL_DEBUG_BUF( 4, "after decompression: input payload",
1382 ssl->in_msg, ssl->in_msglen );
1383
1384 SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1385
1386 return( 0 );
1387}
1388#endif /* POLARSSL_ZLIB_SUPPORT */
1389
Paul Bakker5121ce52009-01-03 21:22:43 +00001390/*
1391 * Fill the input message buffer
1392 */
Paul Bakker23986e52011-04-24 08:57:21 +00001393int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +00001394{
Paul Bakker23986e52011-04-24 08:57:21 +00001395 int ret;
1396 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +00001397
1398 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1399
1400 while( ssl->in_left < nb_want )
1401 {
1402 len = nb_want - ssl->in_left;
1403 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1404
1405 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1406 ssl->in_left, nb_want ) );
1407 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1408
Paul Bakker831a7552011-05-18 13:32:51 +00001409 if( ret == 0 )
1410 return( POLARSSL_ERR_SSL_CONN_EOF );
1411
Paul Bakker5121ce52009-01-03 21:22:43 +00001412 if( ret < 0 )
1413 return( ret );
1414
1415 ssl->in_left += ret;
1416 }
1417
1418 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1419
1420 return( 0 );
1421}
1422
1423/*
1424 * Flush any data not yet written
1425 */
1426int ssl_flush_output( ssl_context *ssl )
1427{
1428 int ret;
1429 unsigned char *buf;
1430
1431 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1432
1433 while( ssl->out_left > 0 )
1434 {
1435 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1436 5 + ssl->out_msglen, ssl->out_left ) );
1437
Paul Bakker5bd42292012-12-19 14:40:42 +01001438 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
Paul Bakker5121ce52009-01-03 21:22:43 +00001439 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +00001440
Paul Bakker5121ce52009-01-03 21:22:43 +00001441 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1442
1443 if( ret <= 0 )
1444 return( ret );
1445
1446 ssl->out_left -= ret;
1447 }
1448
1449 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1450
1451 return( 0 );
1452}
1453
1454/*
1455 * Record layer functions
1456 */
1457int ssl_write_record( ssl_context *ssl )
1458{
Paul Bakker05ef8352012-05-08 09:17:57 +00001459 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +00001460 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +00001461
1462 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1463
Paul Bakker5121ce52009-01-03 21:22:43 +00001464 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1465 {
1466 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1467 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1468 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1469
Paul Bakker48916f92012-09-16 19:57:18 +00001470 ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001471 }
1472
Paul Bakker2770fbd2012-07-03 13:30:23 +00001473#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00001474 if( ssl->transform_out != NULL &&
1475 ssl->session_out->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00001476 {
1477 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1478 {
1479 SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1480 return( ret );
1481 }
1482
1483 len = ssl->out_msglen;
1484 }
1485#endif /*POLARSSL_ZLIB_SUPPORT */
1486
Paul Bakker05ef8352012-05-08 09:17:57 +00001487#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1488 if( ssl_hw_record_write != NULL)
Paul Bakker5121ce52009-01-03 21:22:43 +00001489 {
Paul Bakker05ef8352012-05-08 09:17:57 +00001490 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001491
Paul Bakker05ef8352012-05-08 09:17:57 +00001492 ret = ssl_hw_record_write( ssl );
1493 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1494 {
1495 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1496 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1497 }
Paul Bakkerc7878112012-12-19 14:41:14 +01001498
1499 if( ret == 0 )
1500 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00001501 }
1502#endif
1503 if( !done )
1504 {
1505 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1506 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1507 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +00001508 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1509 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +00001510
Paul Bakker48916f92012-09-16 19:57:18 +00001511 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00001512 {
1513 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1514 {
1515 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1516 return( ret );
1517 }
1518
1519 len = ssl->out_msglen;
1520 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1521 ssl->out_hdr[4] = (unsigned char)( len );
1522 }
1523
1524 ssl->out_left = 5 + ssl->out_msglen;
1525
1526 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1527 "version = [%d:%d], msglen = %d",
1528 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1529 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1530
1531 SSL_DEBUG_BUF( 4, "output record sent to network",
Paul Bakker5bd42292012-12-19 14:40:42 +01001532 ssl->out_hdr, 5 + ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001533 }
1534
Paul Bakker5121ce52009-01-03 21:22:43 +00001535 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1536 {
1537 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1538 return( ret );
1539 }
1540
1541 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1542
1543 return( 0 );
1544}
1545
1546int ssl_read_record( ssl_context *ssl )
1547{
Paul Bakker05ef8352012-05-08 09:17:57 +00001548 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001549
1550 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1551
Paul Bakker68884e32013-01-07 18:20:04 +01001552 SSL_DEBUG_BUF( 4, "input record from network",
1553 ssl->in_hdr, 5 + ssl->in_msglen );
1554
Paul Bakker5121ce52009-01-03 21:22:43 +00001555 if( ssl->in_hslen != 0 &&
1556 ssl->in_hslen < ssl->in_msglen )
1557 {
1558 /*
1559 * Get next Handshake message in the current record
1560 */
1561 ssl->in_msglen -= ssl->in_hslen;
1562
Paul Bakker8934a982011-08-05 11:11:53 +00001563 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker48916f92012-09-16 19:57:18 +00001564 ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001565
1566 ssl->in_hslen = 4;
1567 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1568
1569 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1570 " %d, type = %d, hslen = %d",
1571 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1572
1573 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1574 {
1575 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001576 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001577 }
1578
1579 if( ssl->in_msglen < ssl->in_hslen )
1580 {
1581 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001582 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001583 }
1584
Paul Bakker48916f92012-09-16 19:57:18 +00001585 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001586
1587 return( 0 );
1588 }
1589
1590 ssl->in_hslen = 0;
1591
1592 /*
1593 * Read the record header and validate it
1594 */
1595 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1596 {
1597 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1598 return( ret );
1599 }
1600
1601 ssl->in_msgtype = ssl->in_hdr[0];
1602 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1603
1604 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1605 "version = [%d:%d], msglen = %d",
1606 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1607 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1608
1609 if( ssl->in_hdr[1] != ssl->major_ver )
1610 {
1611 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001612 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001613 }
1614
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001615 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +00001616 {
1617 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001618 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001619 }
1620
1621 /*
1622 * Make sure the message length is acceptable
1623 */
Paul Bakker48916f92012-09-16 19:57:18 +00001624 if( ssl->transform_in == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001625 {
1626 if( ssl->in_msglen < 1 ||
1627 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1628 {
1629 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001630 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001631 }
1632 }
1633 else
1634 {
Paul Bakker48916f92012-09-16 19:57:18 +00001635 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001636 {
1637 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001638 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001639 }
1640
1641 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
Paul Bakker48916f92012-09-16 19:57:18 +00001642 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +00001643 {
1644 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001645 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001646 }
1647
1648 /*
1649 * TLS encrypted messages can have up to 256 bytes of padding
1650 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00001651 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker48916f92012-09-16 19:57:18 +00001652 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001653 {
1654 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001655 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001656 }
1657 }
1658
1659 /*
1660 * Read and optionally decrypt the message contents
1661 */
1662 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1663 {
1664 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1665 return( ret );
1666 }
1667
1668 SSL_DEBUG_BUF( 4, "input record from network",
1669 ssl->in_hdr, 5 + ssl->in_msglen );
1670
Paul Bakker05ef8352012-05-08 09:17:57 +00001671#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1672 if( ssl_hw_record_read != NULL)
1673 {
1674 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1675
1676 ret = ssl_hw_record_read( ssl );
1677 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1678 {
1679 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1680 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1681 }
Paul Bakkerc7878112012-12-19 14:41:14 +01001682
1683 if( ret == 0 )
1684 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00001685 }
1686#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001687 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001688 {
1689 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1690 {
Paul Bakker40865c82013-01-31 17:13:13 +01001691#if defined(POLARSSL_SSL_ALERT_MESSAGES)
1692 if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
1693 {
1694 ssl_send_alert_message( ssl,
1695 SSL_ALERT_LEVEL_FATAL,
1696 SSL_ALERT_MSG_BAD_RECORD_MAC );
1697 }
1698#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001699 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1700 return( ret );
1701 }
1702
1703 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1704 ssl->in_msg, ssl->in_msglen );
1705
1706 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1707 {
1708 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001709 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001710 }
1711 }
1712
Paul Bakker2770fbd2012-07-03 13:30:23 +00001713#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00001714 if( ssl->transform_in != NULL &&
1715 ssl->session_in->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00001716 {
1717 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
1718 {
1719 SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
1720 return( ret );
1721 }
1722
1723 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1724 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1725 }
1726#endif /* POLARSSL_ZLIB_SUPPORT */
1727
Paul Bakker0a925182012-04-16 06:46:41 +00001728 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1729 ssl->in_msgtype != SSL_MSG_ALERT &&
1730 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1731 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1732 {
1733 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1734
Paul Bakker48916f92012-09-16 19:57:18 +00001735 if( ( ret = ssl_send_alert_message( ssl,
1736 SSL_ALERT_LEVEL_FATAL,
1737 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +00001738 {
1739 return( ret );
1740 }
1741
1742 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1743 }
1744
Paul Bakker5121ce52009-01-03 21:22:43 +00001745 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1746 {
1747 ssl->in_hslen = 4;
1748 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1749
1750 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1751 " %d, type = %d, hslen = %d",
1752 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1753
1754 /*
1755 * Additional checks to validate the handshake header
1756 */
1757 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1758 {
1759 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001760 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001761 }
1762
1763 if( ssl->in_msglen < ssl->in_hslen )
1764 {
1765 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001766 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001767 }
1768
Paul Bakker48916f92012-09-16 19:57:18 +00001769 if( ssl->state != SSL_HANDSHAKE_OVER )
1770 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001771 }
1772
1773 if( ssl->in_msgtype == SSL_MSG_ALERT )
1774 {
1775 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1776 ssl->in_msg[0], ssl->in_msg[1] ) );
1777
1778 /*
1779 * Ignore non-fatal alerts, except close_notify
1780 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001781 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001782 {
Paul Bakker2770fbd2012-07-03 13:30:23 +00001783 SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
1784 ssl->in_msg[1] ) );
Paul Bakker9d781402011-05-09 16:17:09 +00001785 /**
1786 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1787 * error identifier.
1788 */
Paul Bakker2770fbd2012-07-03 13:30:23 +00001789 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001790 }
1791
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001792 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1793 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +00001794 {
1795 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001796 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00001797 }
1798 }
1799
1800 ssl->in_left = 0;
1801
1802 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1803
1804 return( 0 );
1805}
1806
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001807int ssl_send_fatal_handshake_failure( ssl_context *ssl )
1808{
1809 int ret;
1810
1811 if( ( ret = ssl_send_alert_message( ssl,
1812 SSL_ALERT_LEVEL_FATAL,
1813 SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
1814 {
1815 return( ret );
1816 }
1817
1818 return( 0 );
1819}
1820
Paul Bakker0a925182012-04-16 06:46:41 +00001821int ssl_send_alert_message( ssl_context *ssl,
1822 unsigned char level,
1823 unsigned char message )
1824{
1825 int ret;
1826
1827 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1828
1829 ssl->out_msgtype = SSL_MSG_ALERT;
1830 ssl->out_msglen = 2;
1831 ssl->out_msg[0] = level;
1832 ssl->out_msg[1] = message;
1833
1834 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1835 {
1836 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1837 return( ret );
1838 }
1839
1840 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1841
1842 return( 0 );
1843}
1844
Paul Bakker5121ce52009-01-03 21:22:43 +00001845/*
1846 * Handshake functions
1847 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001848#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1849 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1850 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00001851int ssl_write_certificate( ssl_context *ssl )
1852{
Paul Bakkered27a042013-04-18 22:46:23 +02001853 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001854 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001855
1856 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1857
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001858 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1859 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001860 {
1861 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1862 ssl->state++;
1863 return( 0 );
1864 }
1865
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001866 return( ret );
1867}
1868
1869int ssl_parse_certificate( ssl_context *ssl )
1870{
1871 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1872 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1873
1874 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1875
1876 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1877 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1878 {
1879 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1880 ssl->state++;
1881 return( 0 );
1882 }
1883
1884 return( ret );
1885}
1886#else
1887int ssl_write_certificate( ssl_context *ssl )
1888{
1889 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1890 size_t i, n;
1891 const x509_cert *crt;
1892 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1893
1894 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1895
1896 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1897 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1898 {
1899 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1900 ssl->state++;
1901 return( 0 );
1902 }
1903
Paul Bakker5121ce52009-01-03 21:22:43 +00001904 if( ssl->endpoint == SSL_IS_CLIENT )
1905 {
1906 if( ssl->client_auth == 0 )
1907 {
1908 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1909 ssl->state++;
1910 return( 0 );
1911 }
1912
1913 /*
1914 * If using SSLv3 and got no cert, send an Alert message
1915 * (otherwise an empty Certificate message will be sent).
1916 */
1917 if( ssl->own_cert == NULL &&
1918 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1919 {
1920 ssl->out_msglen = 2;
1921 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001922 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1923 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +00001924
1925 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1926 goto write_msg;
1927 }
1928 }
1929 else /* SSL_IS_SERVER */
1930 {
1931 if( ssl->own_cert == NULL )
1932 {
1933 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001934 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00001935 }
1936 }
1937
1938 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1939
1940 /*
1941 * 0 . 0 handshake type
1942 * 1 . 3 handshake length
1943 * 4 . 6 length of all certs
1944 * 7 . 9 length of cert. 1
1945 * 10 . n-1 peer certificate
1946 * n . n+2 length of cert. 2
1947 * n+3 . ... upper level cert, etc.
1948 */
1949 i = 7;
1950 crt = ssl->own_cert;
1951
Paul Bakker29087132010-03-21 21:03:34 +00001952 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001953 {
1954 n = crt->raw.len;
1955 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1956 {
1957 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1958 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001959 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001960 }
1961
1962 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1963 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1964 ssl->out_msg[i + 2] = (unsigned char)( n );
1965
1966 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1967 i += n; crt = crt->next;
1968 }
1969
1970 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1971 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1972 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1973
1974 ssl->out_msglen = i;
1975 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1976 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1977
1978write_msg:
1979
1980 ssl->state++;
1981
1982 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1983 {
1984 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1985 return( ret );
1986 }
1987
1988 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1989
Paul Bakkered27a042013-04-18 22:46:23 +02001990 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001991}
1992
1993int ssl_parse_certificate( ssl_context *ssl )
1994{
Paul Bakkered27a042013-04-18 22:46:23 +02001995 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker23986e52011-04-24 08:57:21 +00001996 size_t i, n;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001997 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001998
1999 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2000
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002001 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2002 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002003 {
2004 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2005 ssl->state++;
2006 return( 0 );
2007 }
2008
Paul Bakker5121ce52009-01-03 21:22:43 +00002009 if( ssl->endpoint == SSL_IS_SERVER &&
2010 ssl->authmode == SSL_VERIFY_NONE )
2011 {
Paul Bakkercdf07e92011-01-30 17:05:13 +00002012 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +00002013 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2014 ssl->state++;
2015 return( 0 );
2016 }
2017
2018 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2019 {
2020 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2021 return( ret );
2022 }
2023
2024 ssl->state++;
2025
2026 /*
2027 * Check if the client sent an empty certificate
2028 */
2029 if( ssl->endpoint == SSL_IS_SERVER &&
2030 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2031 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002032 if( ssl->in_msglen == 2 &&
2033 ssl->in_msgtype == SSL_MSG_ALERT &&
2034 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2035 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +00002036 {
2037 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2038
Paul Bakkercdf07e92011-01-30 17:05:13 +00002039 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002040 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2041 return( 0 );
2042 else
Paul Bakker40e46942009-01-03 21:51:57 +00002043 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002044 }
2045 }
2046
2047 if( ssl->endpoint == SSL_IS_SERVER &&
2048 ssl->minor_ver != SSL_MINOR_VERSION_0 )
2049 {
2050 if( ssl->in_hslen == 7 &&
2051 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2052 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2053 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2054 {
2055 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2056
Paul Bakkercdf07e92011-01-30 17:05:13 +00002057 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002058 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +00002059 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002060 else
2061 return( 0 );
2062 }
2063 }
2064
2065 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2066 {
2067 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002068 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002069 }
2070
2071 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2072 {
2073 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002074 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002075 }
2076
2077 /*
2078 * Same message structure as in ssl_write_certificate()
2079 */
2080 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2081
2082 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2083 {
2084 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002085 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002086 }
2087
Paul Bakker48916f92012-09-16 19:57:18 +00002088 if( ( ssl->session_negotiate->peer_cert = (x509_cert *) malloc(
Paul Bakker5121ce52009-01-03 21:22:43 +00002089 sizeof( x509_cert ) ) ) == NULL )
2090 {
2091 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2092 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +00002093 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002094 }
2095
Paul Bakker48916f92012-09-16 19:57:18 +00002096 memset( ssl->session_negotiate->peer_cert, 0, sizeof( x509_cert ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002097
2098 i = 7;
2099
2100 while( i < ssl->in_hslen )
2101 {
2102 if( ssl->in_msg[i] != 0 )
2103 {
2104 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002105 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002106 }
2107
2108 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2109 | (unsigned int) ssl->in_msg[i + 2];
2110 i += 3;
2111
2112 if( n < 128 || i + n > ssl->in_hslen )
2113 {
2114 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002115 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002116 }
2117
Paul Bakker89ecb2d2013-06-24 19:06:15 +02002118 ret = x509parse_crt_der( ssl->session_negotiate->peer_cert,
2119 ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00002120 if( ret != 0 )
2121 {
2122 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2123 return( ret );
2124 }
2125
2126 i += n;
2127 }
2128
Paul Bakker48916f92012-09-16 19:57:18 +00002129 SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +00002130
2131 if( ssl->authmode != SSL_VERIFY_NONE )
2132 {
2133 if( ssl->ca_chain == NULL )
2134 {
2135 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002136 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002137 }
2138
Paul Bakker48916f92012-09-16 19:57:18 +00002139 ret = x509parse_verify( ssl->session_negotiate->peer_cert,
2140 ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +00002141 ssl->peer_cn, &ssl->verify_result,
2142 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +00002143
2144 if( ret != 0 )
2145 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2146
2147 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2148 ret = 0;
2149 }
2150
2151 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2152
2153 return( ret );
2154}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002155#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2156 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2157 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002158
2159int ssl_write_change_cipher_spec( ssl_context *ssl )
2160{
2161 int ret;
2162
2163 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2164
2165 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2166 ssl->out_msglen = 1;
2167 ssl->out_msg[0] = 1;
2168
Paul Bakker5121ce52009-01-03 21:22:43 +00002169 ssl->state++;
2170
2171 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2172 {
2173 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2174 return( ret );
2175 }
2176
2177 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2178
2179 return( 0 );
2180}
2181
2182int ssl_parse_change_cipher_spec( ssl_context *ssl )
2183{
2184 int ret;
2185
2186 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2187
Paul Bakker5121ce52009-01-03 21:22:43 +00002188 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2189 {
2190 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2191 return( ret );
2192 }
2193
2194 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2195 {
2196 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002197 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002198 }
2199
2200 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2201 {
2202 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002203 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +00002204 }
2205
2206 ssl->state++;
2207
2208 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2209
2210 return( 0 );
2211}
2212
Paul Bakker41c83d32013-03-20 14:39:14 +01002213void ssl_optimize_checksum( ssl_context *ssl,
2214 const ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +00002215{
Paul Bakker769075d2012-11-24 11:26:46 +01002216#if !defined(POLARSSL_SHA4_C)
2217 ((void) ciphersuite);
2218#endif
2219
Paul Bakker380da532012-04-18 16:10:25 +00002220 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakker48916f92012-09-16 19:57:18 +00002221 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
Paul Bakker769075d2012-11-24 11:26:46 +01002222#if defined(POLARSSL_SHA4_C)
Paul Bakkerb7149bc2013-03-20 15:30:09 +01002223 else if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
Paul Bakker380da532012-04-18 16:10:25 +00002224 {
Paul Bakker48916f92012-09-16 19:57:18 +00002225 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
Paul Bakker380da532012-04-18 16:10:25 +00002226 }
Paul Bakker769075d2012-11-24 11:26:46 +01002227#endif
Paul Bakker380da532012-04-18 16:10:25 +00002228 else
Paul Bakker48916f92012-09-16 19:57:18 +00002229 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakker380da532012-04-18 16:10:25 +00002230}
Paul Bakkerf7abd422013-04-16 13:15:56 +02002231
Paul Bakker380da532012-04-18 16:10:25 +00002232static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2233 size_t len )
2234{
Paul Bakker48916f92012-09-16 19:57:18 +00002235 md5_update( &ssl->handshake->fin_md5 , buf, len );
2236 sha1_update( &ssl->handshake->fin_sha1, buf, len );
2237 sha2_update( &ssl->handshake->fin_sha2, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01002238#if defined(POLARSSL_SHA4_C)
Paul Bakker48916f92012-09-16 19:57:18 +00002239 sha4_update( &ssl->handshake->fin_sha4, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01002240#endif
Paul Bakker380da532012-04-18 16:10:25 +00002241}
2242
2243static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2244 size_t len )
2245{
Paul Bakker48916f92012-09-16 19:57:18 +00002246 md5_update( &ssl->handshake->fin_md5 , buf, len );
2247 sha1_update( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00002248}
2249
2250static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2251 size_t len )
2252{
Paul Bakker48916f92012-09-16 19:57:18 +00002253 sha2_update( &ssl->handshake->fin_sha2, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00002254}
2255
Paul Bakker769075d2012-11-24 11:26:46 +01002256#if defined(POLARSSL_SHA4_C)
Paul Bakker380da532012-04-18 16:10:25 +00002257static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2258 size_t len )
2259{
Paul Bakker48916f92012-09-16 19:57:18 +00002260 sha4_update( &ssl->handshake->fin_sha4, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00002261}
Paul Bakker769075d2012-11-24 11:26:46 +01002262#endif
Paul Bakker380da532012-04-18 16:10:25 +00002263
Paul Bakker1ef83d62012-04-11 12:09:53 +00002264static void ssl_calc_finished_ssl(
2265 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00002266{
Paul Bakker3c2122f2013-06-24 19:03:14 +02002267 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002268 md5_context md5;
2269 sha1_context sha1;
2270
Paul Bakker5121ce52009-01-03 21:22:43 +00002271 unsigned char padbuf[48];
2272 unsigned char md5sum[16];
2273 unsigned char sha1sum[20];
2274
Paul Bakker48916f92012-09-16 19:57:18 +00002275 ssl_session *session = ssl->session_negotiate;
2276 if( !session )
2277 session = ssl->session;
2278
Paul Bakker1ef83d62012-04-11 12:09:53 +00002279 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2280
Paul Bakker48916f92012-09-16 19:57:18 +00002281 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2282 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002283
2284 /*
2285 * SSLv3:
2286 * hash =
2287 * MD5( master + pad2 +
2288 * MD5( handshake + sender + master + pad1 ) )
2289 * + SHA1( master + pad2 +
2290 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00002291 */
2292
Paul Bakker90995b52013-06-24 19:20:35 +02002293#if !defined(POLARSSL_MD5_ALT)
Paul Bakker5121ce52009-01-03 21:22:43 +00002294 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002295 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002296#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002297
Paul Bakker90995b52013-06-24 19:20:35 +02002298#if !defined(POLARSSL_SHA1_ALT)
Paul Bakker5121ce52009-01-03 21:22:43 +00002299 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002300 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002301#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002302
Paul Bakker3c2122f2013-06-24 19:03:14 +02002303 sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2304 : "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +00002305
Paul Bakker1ef83d62012-04-11 12:09:53 +00002306 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002307
Paul Bakker3c2122f2013-06-24 19:03:14 +02002308 md5_update( &md5, (const unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +00002309 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002310 md5_update( &md5, padbuf, 48 );
2311 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00002312
Paul Bakker3c2122f2013-06-24 19:03:14 +02002313 sha1_update( &sha1, (const unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +00002314 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002315 sha1_update( &sha1, padbuf, 40 );
2316 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00002317
Paul Bakker1ef83d62012-04-11 12:09:53 +00002318 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002319
Paul Bakker1ef83d62012-04-11 12:09:53 +00002320 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +00002321 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002322 md5_update( &md5, padbuf, 48 );
2323 md5_update( &md5, md5sum, 16 );
2324 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00002325
Paul Bakker1ef83d62012-04-11 12:09:53 +00002326 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +00002327 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002328 sha1_update( &sha1, padbuf , 40 );
2329 sha1_update( &sha1, sha1sum, 20 );
2330 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002331
Paul Bakker1ef83d62012-04-11 12:09:53 +00002332 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002333
Paul Bakker1ef83d62012-04-11 12:09:53 +00002334 memset( &md5, 0, sizeof( md5_context ) );
2335 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002336
2337 memset( padbuf, 0, sizeof( padbuf ) );
2338 memset( md5sum, 0, sizeof( md5sum ) );
2339 memset( sha1sum, 0, sizeof( sha1sum ) );
2340
2341 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2342}
2343
Paul Bakker1ef83d62012-04-11 12:09:53 +00002344static void ssl_calc_finished_tls(
2345 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00002346{
Paul Bakker1ef83d62012-04-11 12:09:53 +00002347 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002348 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002349 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +00002350 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002351 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +00002352
Paul Bakker48916f92012-09-16 19:57:18 +00002353 ssl_session *session = ssl->session_negotiate;
2354 if( !session )
2355 session = ssl->session;
2356
Paul Bakker1ef83d62012-04-11 12:09:53 +00002357 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002358
Paul Bakker48916f92012-09-16 19:57:18 +00002359 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2360 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002361
Paul Bakker1ef83d62012-04-11 12:09:53 +00002362 /*
2363 * TLSv1:
2364 * hash = PRF( master, finished_label,
2365 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2366 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002367
Paul Bakker90995b52013-06-24 19:20:35 +02002368#if !defined(POLARSSL_MD5_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002369 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2370 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002371#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002372
Paul Bakker90995b52013-06-24 19:20:35 +02002373#if !defined(POLARSSL_SHA1_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002374 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2375 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002376#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002377
2378 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02002379 ? "client finished"
2380 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00002381
2382 md5_finish( &md5, padbuf );
2383 sha1_finish( &sha1, padbuf + 16 );
2384
Paul Bakker3c2122f2013-06-24 19:03:14 +02002385 ssl->handshake->tls_prf( session->master, 48, (char *) sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002386 padbuf, 36, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002387
2388 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2389
2390 memset( &md5, 0, sizeof( md5_context ) );
2391 memset( &sha1, 0, sizeof( sha1_context ) );
2392
2393 memset( padbuf, 0, sizeof( padbuf ) );
2394
2395 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2396}
2397
Paul Bakkerca4ab492012-04-18 14:23:57 +00002398static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +00002399 ssl_context *ssl, unsigned char *buf, int from )
2400{
2401 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002402 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002403 sha2_context sha2;
2404 unsigned char padbuf[32];
2405
Paul Bakker48916f92012-09-16 19:57:18 +00002406 ssl_session *session = ssl->session_negotiate;
2407 if( !session )
2408 session = ssl->session;
2409
Paul Bakker380da532012-04-18 16:10:25 +00002410 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002411
Paul Bakker48916f92012-09-16 19:57:18 +00002412 memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002413
2414 /*
2415 * TLSv1.2:
2416 * hash = PRF( master, finished_label,
2417 * Hash( handshake ) )[0.11]
2418 */
2419
Paul Bakker90995b52013-06-24 19:20:35 +02002420#if !defined(POLARSSL_SHA2_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002421 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2422 sha2.state, sizeof( sha2.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002423#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002424
2425 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02002426 ? "client finished"
2427 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00002428
2429 sha2_finish( &sha2, padbuf );
2430
Paul Bakker3c2122f2013-06-24 19:03:14 +02002431 ssl->handshake->tls_prf( session->master, 48, (char *) sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002432 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002433
2434 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2435
2436 memset( &sha2, 0, sizeof( sha2_context ) );
2437
2438 memset( padbuf, 0, sizeof( padbuf ) );
2439
2440 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2441}
2442
Paul Bakker769075d2012-11-24 11:26:46 +01002443#if defined(POLARSSL_SHA4_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00002444static void ssl_calc_finished_tls_sha384(
2445 ssl_context *ssl, unsigned char *buf, int from )
2446{
2447 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002448 const char *sender;
Paul Bakkerca4ab492012-04-18 14:23:57 +00002449 sha4_context sha4;
2450 unsigned char padbuf[48];
2451
Paul Bakker48916f92012-09-16 19:57:18 +00002452 ssl_session *session = ssl->session_negotiate;
2453 if( !session )
2454 session = ssl->session;
2455
Paul Bakker380da532012-04-18 16:10:25 +00002456 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002457
Paul Bakker48916f92012-09-16 19:57:18 +00002458 memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002459
2460 /*
2461 * TLSv1.2:
2462 * hash = PRF( master, finished_label,
2463 * Hash( handshake ) )[0.11]
2464 */
2465
Paul Bakker90995b52013-06-24 19:20:35 +02002466#if !defined(POLARSSL_SHA4_ALT)
Paul Bakkerca4ab492012-04-18 14:23:57 +00002467 SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2468 sha4.state, sizeof( sha4.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002469#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002470
2471 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02002472 ? "client finished"
2473 : "server finished";
Paul Bakkerca4ab492012-04-18 14:23:57 +00002474
2475 sha4_finish( &sha4, padbuf );
2476
Paul Bakker3c2122f2013-06-24 19:03:14 +02002477 ssl->handshake->tls_prf( session->master, 48, (char *) sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002478 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002479
2480 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2481
2482 memset( &sha4, 0, sizeof( sha4_context ) );
2483
2484 memset( padbuf, 0, sizeof( padbuf ) );
2485
2486 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2487}
Paul Bakker769075d2012-11-24 11:26:46 +01002488#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002489
Paul Bakker48916f92012-09-16 19:57:18 +00002490void ssl_handshake_wrapup( ssl_context *ssl )
2491{
2492 SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
2493
2494 /*
2495 * Free our handshake params
2496 */
2497 ssl_handshake_free( ssl->handshake );
2498 free( ssl->handshake );
2499 ssl->handshake = NULL;
2500
2501 /*
2502 * Switch in our now active transform context
2503 */
2504 if( ssl->transform )
2505 {
2506 ssl_transform_free( ssl->transform );
2507 free( ssl->transform );
2508 }
2509 ssl->transform = ssl->transform_negotiate;
2510 ssl->transform_negotiate = NULL;
2511
Paul Bakker0a597072012-09-25 21:55:46 +00002512 if( ssl->session )
2513 {
2514 ssl_session_free( ssl->session );
2515 free( ssl->session );
2516 }
2517 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002518 ssl->session_negotiate = NULL;
2519
Paul Bakker0a597072012-09-25 21:55:46 +00002520 /*
2521 * Add cache entry
2522 */
2523 if( ssl->f_set_cache != NULL )
2524 if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
2525 SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
2526
Paul Bakker48916f92012-09-16 19:57:18 +00002527 ssl->state++;
2528
2529 SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
2530}
2531
Paul Bakker1ef83d62012-04-11 12:09:53 +00002532int ssl_write_finished( ssl_context *ssl )
2533{
2534 int ret, hash_len;
2535
2536 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2537
Paul Bakker92be97b2013-01-02 17:30:03 +01002538 /*
2539 * Set the out_msg pointer to the correct location based on IV length
2540 */
2541 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
2542 {
2543 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
2544 ssl->transform_negotiate->fixed_ivlen;
2545 }
2546 else
2547 ssl->out_msg = ssl->out_iv;
2548
Paul Bakker48916f92012-09-16 19:57:18 +00002549 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002550
2551 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +00002552 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2553
Paul Bakker48916f92012-09-16 19:57:18 +00002554 ssl->verify_data_len = hash_len;
2555 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
2556
Paul Bakker5121ce52009-01-03 21:22:43 +00002557 ssl->out_msglen = 4 + hash_len;
2558 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2559 ssl->out_msg[0] = SSL_HS_FINISHED;
2560
2561 /*
2562 * In case of session resuming, invert the client and server
2563 * ChangeCipherSpec messages order.
2564 */
Paul Bakker0a597072012-09-25 21:55:46 +00002565 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002566 {
2567 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker48916f92012-09-16 19:57:18 +00002568 ssl->state = SSL_HANDSHAKE_WRAPUP;
Paul Bakker5121ce52009-01-03 21:22:43 +00002569 else
2570 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2571 }
2572 else
2573 ssl->state++;
2574
Paul Bakker48916f92012-09-16 19:57:18 +00002575 /*
2576 * Switch to our negotiated transform and session parameters for outbound data.
2577 */
2578 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
2579 ssl->transform_out = ssl->transform_negotiate;
2580 ssl->session_out = ssl->session_negotiate;
2581 memset( ssl->out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002582
Paul Bakker07eb38b2012-12-19 14:42:06 +01002583#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2584 if( ssl_hw_record_activate != NULL)
2585 {
2586 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
2587 {
2588 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
2589 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2590 }
2591 }
2592#endif
2593
Paul Bakker5121ce52009-01-03 21:22:43 +00002594 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2595 {
2596 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2597 return( ret );
2598 }
2599
2600 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2601
2602 return( 0 );
2603}
2604
2605int ssl_parse_finished( ssl_context *ssl )
2606{
Paul Bakker23986e52011-04-24 08:57:21 +00002607 int ret;
2608 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00002609 unsigned char buf[36];
2610
2611 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2612
Paul Bakker48916f92012-09-16 19:57:18 +00002613 ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002614
Paul Bakker48916f92012-09-16 19:57:18 +00002615 /*
2616 * Switch to our negotiated transform and session parameters for inbound data.
2617 */
2618 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
2619 ssl->transform_in = ssl->transform_negotiate;
2620 ssl->session_in = ssl->session_negotiate;
2621 memset( ssl->in_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002622
Paul Bakker92be97b2013-01-02 17:30:03 +01002623 /*
2624 * Set the in_msg pointer to the correct location based on IV length
2625 */
2626 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
2627 {
2628 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
2629 ssl->transform_negotiate->fixed_ivlen;
2630 }
2631 else
2632 ssl->in_msg = ssl->in_iv;
2633
Paul Bakker07eb38b2012-12-19 14:42:06 +01002634#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2635 if( ssl_hw_record_activate != NULL)
2636 {
2637 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
2638 {
2639 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
2640 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2641 }
2642 }
2643#endif
2644
Paul Bakker5121ce52009-01-03 21:22:43 +00002645 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2646 {
2647 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2648 return( ret );
2649 }
2650
2651 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2652 {
2653 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002654 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002655 }
2656
Paul Bakker1ef83d62012-04-11 12:09:53 +00002657 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +00002658 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2659
2660 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2661 ssl->in_hslen != 4 + hash_len )
2662 {
2663 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002664 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002665 }
2666
Paul Bakker5121ce52009-01-03 21:22:43 +00002667 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2668 {
2669 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002670 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002671 }
2672
Paul Bakker48916f92012-09-16 19:57:18 +00002673 ssl->verify_data_len = hash_len;
2674 memcpy( ssl->peer_verify_data, buf, hash_len );
2675
Paul Bakker0a597072012-09-25 21:55:46 +00002676 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002677 {
2678 if( ssl->endpoint == SSL_IS_CLIENT )
2679 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2680
2681 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker48916f92012-09-16 19:57:18 +00002682 ssl->state = SSL_HANDSHAKE_WRAPUP;
Paul Bakker5121ce52009-01-03 21:22:43 +00002683 }
2684 else
2685 ssl->state++;
2686
2687 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2688
2689 return( 0 );
2690}
2691
Paul Bakker48916f92012-09-16 19:57:18 +00002692int ssl_handshake_init( ssl_context *ssl )
2693{
2694 if( ssl->transform_negotiate )
2695 ssl_transform_free( ssl->transform_negotiate );
2696 else
2697 ssl->transform_negotiate = malloc( sizeof(ssl_transform) );
2698
2699 if( ssl->session_negotiate )
2700 ssl_session_free( ssl->session_negotiate );
2701 else
2702 ssl->session_negotiate = malloc( sizeof(ssl_session) );
2703
2704 if( ssl->handshake )
2705 ssl_handshake_free( ssl->handshake );
2706 else
2707 ssl->handshake = malloc( sizeof(ssl_handshake_params) );
2708
2709 if( ssl->handshake == NULL ||
2710 ssl->transform_negotiate == NULL ||
2711 ssl->session_negotiate == NULL )
2712 {
2713 SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
2714 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2715 }
2716
2717 memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
2718 memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
2719 memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
2720
2721 md5_starts( &ssl->handshake->fin_md5 );
2722 sha1_starts( &ssl->handshake->fin_sha1 );
2723 sha2_starts( &ssl->handshake->fin_sha2, 0 );
Paul Bakker769075d2012-11-24 11:26:46 +01002724#if defined(POLARSSL_SHA4_C)
Paul Bakker48916f92012-09-16 19:57:18 +00002725 sha4_starts( &ssl->handshake->fin_sha4, 1 );
Paul Bakker769075d2012-11-24 11:26:46 +01002726#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002727
2728 ssl->handshake->update_checksum = ssl_update_checksum_start;
Paul Bakker23f36802012-09-28 14:15:14 +00002729 ssl->handshake->sig_alg = SSL_HASH_SHA1;
Paul Bakkerf7abd422013-04-16 13:15:56 +02002730
Paul Bakker48916f92012-09-16 19:57:18 +00002731 return( 0 );
2732}
2733
Paul Bakker5121ce52009-01-03 21:22:43 +00002734/*
2735 * Initialize an SSL context
2736 */
2737int ssl_init( ssl_context *ssl )
2738{
Paul Bakker48916f92012-09-16 19:57:18 +00002739 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00002740 int len = SSL_BUFFER_LEN;
2741
2742 memset( ssl, 0, sizeof( ssl_context ) );
2743
Paul Bakker62f2dee2012-09-28 07:31:51 +00002744 /*
2745 * Sane defaults
2746 */
Paul Bakkered27a042013-04-18 22:46:23 +02002747#if defined(POLARSSL_RSA_C)
Paul Bakkereb2c6582012-09-27 19:15:01 +00002748 ssl->rsa_decrypt = ssl_rsa_decrypt;
2749 ssl->rsa_sign = ssl_rsa_sign;
2750 ssl->rsa_key_len = ssl_rsa_key_len;
Paul Bakkered27a042013-04-18 22:46:23 +02002751#endif
Paul Bakkereb2c6582012-09-27 19:15:01 +00002752
Paul Bakker1d29fb52012-09-28 13:28:45 +00002753 ssl->min_major_ver = SSL_MAJOR_VERSION_3;
2754 ssl->min_minor_ver = SSL_MINOR_VERSION_0;
2755
Paul Bakker8f4ddae2013-04-15 15:09:54 +02002756 ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
Paul Bakker645ce3a2012-10-31 12:32:41 +00002757
Paul Bakker62f2dee2012-09-28 07:31:51 +00002758#if defined(POLARSSL_DHM_C)
2759 if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
2760 POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
2761 ( ret = mpi_read_string( &ssl->dhm_G, 16,
2762 POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
2763 {
2764 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2765 return( ret );
2766 }
2767#endif
2768
2769 /*
2770 * Prepare base structures
2771 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002772 ssl->in_ctr = (unsigned char *) malloc( len );
2773 ssl->in_hdr = ssl->in_ctr + 8;
Paul Bakker92be97b2013-01-02 17:30:03 +01002774 ssl->in_iv = ssl->in_ctr + 13;
Paul Bakker5121ce52009-01-03 21:22:43 +00002775 ssl->in_msg = ssl->in_ctr + 13;
2776
2777 if( ssl->in_ctr == NULL )
2778 {
2779 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +00002780 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002781 }
2782
2783 ssl->out_ctr = (unsigned char *) malloc( len );
2784 ssl->out_hdr = ssl->out_ctr + 8;
Paul Bakker92be97b2013-01-02 17:30:03 +01002785 ssl->out_iv = ssl->out_ctr + 13;
Paul Bakker5bd42292012-12-19 14:40:42 +01002786 ssl->out_msg = ssl->out_ctr + 13;
Paul Bakker5121ce52009-01-03 21:22:43 +00002787
2788 if( ssl->out_ctr == NULL )
2789 {
2790 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2791 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +00002792 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002793 }
2794
2795 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2796 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2797
2798 ssl->hostname = NULL;
2799 ssl->hostname_len = 0;
2800
Paul Bakker48916f92012-09-16 19:57:18 +00002801 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
2802 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002803
2804 return( 0 );
2805}
2806
2807/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00002808 * Reset an initialized and used SSL context for re-use while retaining
2809 * all application-set variables, function pointers and data.
2810 */
Paul Bakker2770fbd2012-07-03 13:30:23 +00002811int ssl_session_reset( ssl_context *ssl )
Paul Bakker7eb013f2011-10-06 12:37:39 +00002812{
Paul Bakker48916f92012-09-16 19:57:18 +00002813 int ret;
2814
Paul Bakker7eb013f2011-10-06 12:37:39 +00002815 ssl->state = SSL_HELLO_REQUEST;
Paul Bakker48916f92012-09-16 19:57:18 +00002816 ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
2817 ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
2818
2819 ssl->verify_data_len = 0;
2820 memset( ssl->own_verify_data, 0, 36 );
2821 memset( ssl->peer_verify_data, 0, 36 );
2822
Paul Bakker7eb013f2011-10-06 12:37:39 +00002823 ssl->in_offt = NULL;
2824
Paul Bakker92be97b2013-01-02 17:30:03 +01002825 ssl->in_msg = ssl->in_ctr + 13;
Paul Bakker7eb013f2011-10-06 12:37:39 +00002826 ssl->in_msgtype = 0;
2827 ssl->in_msglen = 0;
2828 ssl->in_left = 0;
2829
2830 ssl->in_hslen = 0;
2831 ssl->nb_zero = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002832 ssl->record_read = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00002833
Paul Bakker92be97b2013-01-02 17:30:03 +01002834 ssl->out_msg = ssl->out_ctr + 13;
Paul Bakker7eb013f2011-10-06 12:37:39 +00002835 ssl->out_msgtype = 0;
2836 ssl->out_msglen = 0;
2837 ssl->out_left = 0;
2838
Paul Bakker48916f92012-09-16 19:57:18 +00002839 ssl->transform_in = NULL;
2840 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +00002841
2842 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2843 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
Paul Bakker05ef8352012-05-08 09:17:57 +00002844
2845#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2846 if( ssl_hw_record_reset != NULL)
2847 {
2848 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
Paul Bakker07eb38b2012-12-19 14:42:06 +01002849 if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002850 {
2851 SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
2852 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2853 }
Paul Bakker05ef8352012-05-08 09:17:57 +00002854 }
2855#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +00002856
Paul Bakker48916f92012-09-16 19:57:18 +00002857 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002858 {
Paul Bakker48916f92012-09-16 19:57:18 +00002859 ssl_transform_free( ssl->transform );
2860 free( ssl->transform );
2861 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002862 }
Paul Bakker48916f92012-09-16 19:57:18 +00002863
Paul Bakkerc0463502013-02-14 11:19:38 +01002864 if( ssl->session )
2865 {
2866 ssl_session_free( ssl->session );
2867 free( ssl->session );
2868 ssl->session = NULL;
2869 }
2870
Paul Bakker48916f92012-09-16 19:57:18 +00002871 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
2872 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002873
2874 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +00002875}
2876
2877/*
Paul Bakker5121ce52009-01-03 21:22:43 +00002878 * SSL set accessors
2879 */
2880void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2881{
2882 ssl->endpoint = endpoint;
2883}
2884
2885void ssl_set_authmode( ssl_context *ssl, int authmode )
2886{
2887 ssl->authmode = authmode;
2888}
2889
Paul Bakkered27a042013-04-18 22:46:23 +02002890#if defined(POLARSSL_X509_PARSE_C)
Paul Bakkerb63b0af2011-01-13 17:54:59 +00002891void ssl_set_verify( ssl_context *ssl,
Paul Bakker915275b2012-09-28 07:10:55 +00002892 int (*f_vrfy)(void *, x509_cert *, int, int *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +00002893 void *p_vrfy )
2894{
2895 ssl->f_vrfy = f_vrfy;
2896 ssl->p_vrfy = p_vrfy;
2897}
Paul Bakkered27a042013-04-18 22:46:23 +02002898#endif /* POLARSSL_X509_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00002899
Paul Bakker5121ce52009-01-03 21:22:43 +00002900void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +00002901 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +00002902 void *p_rng )
2903{
2904 ssl->f_rng = f_rng;
2905 ssl->p_rng = p_rng;
2906}
2907
2908void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +00002909 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +00002910 void *p_dbg )
2911{
2912 ssl->f_dbg = f_dbg;
2913 ssl->p_dbg = p_dbg;
2914}
2915
2916void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +00002917 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +00002918 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +00002919{
2920 ssl->f_recv = f_recv;
2921 ssl->f_send = f_send;
2922 ssl->p_recv = p_recv;
2923 ssl->p_send = p_send;
2924}
2925
Paul Bakker0a597072012-09-25 21:55:46 +00002926void ssl_set_session_cache( ssl_context *ssl,
2927 int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
2928 int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
Paul Bakker5121ce52009-01-03 21:22:43 +00002929{
Paul Bakker0a597072012-09-25 21:55:46 +00002930 ssl->f_get_cache = f_get_cache;
2931 ssl->p_get_cache = p_get_cache;
2932 ssl->f_set_cache = f_set_cache;
2933 ssl->p_set_cache = p_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00002934}
2935
Paul Bakker0a597072012-09-25 21:55:46 +00002936void ssl_set_session( ssl_context *ssl, const ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +00002937{
Paul Bakker0a597072012-09-25 21:55:46 +00002938 memcpy( ssl->session_negotiate, session, sizeof(ssl_session) );
2939 ssl->handshake->resume = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +00002940}
2941
Paul Bakkerb68cad62012-08-23 08:34:18 +00002942void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +00002943{
Paul Bakker8f4ddae2013-04-15 15:09:54 +02002944 ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
2945 ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
2946 ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
2947 ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
2948}
2949
2950void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
2951 int major, int minor )
2952{
2953 if( major != SSL_MAJOR_VERSION_3 )
2954 return;
2955
2956 if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
2957 return;
2958
2959 ssl->ciphersuite_list[minor] = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00002960}
2961
Paul Bakkered27a042013-04-18 22:46:23 +02002962#if defined(POLARSSL_X509_PARSE_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00002963void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +00002964 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +00002965{
2966 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +00002967 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +00002968 ssl->peer_cn = peer_cn;
2969}
2970
2971void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2972 rsa_context *rsa_key )
2973{
2974 ssl->own_cert = own_cert;
2975 ssl->rsa_key = rsa_key;
2976}
2977
Paul Bakkereb2c6582012-09-27 19:15:01 +00002978void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
2979 void *rsa_key,
2980 rsa_decrypt_func rsa_decrypt,
2981 rsa_sign_func rsa_sign,
2982 rsa_key_len_func rsa_key_len )
Paul Bakker43b7e352011-01-18 15:27:19 +00002983{
2984 ssl->own_cert = own_cert;
Paul Bakkereb2c6582012-09-27 19:15:01 +00002985 ssl->rsa_key = rsa_key;
2986 ssl->rsa_decrypt = rsa_decrypt;
2987 ssl->rsa_sign = rsa_sign;
2988 ssl->rsa_key_len = rsa_key_len;
Paul Bakker43b7e352011-01-18 15:27:19 +00002989}
Paul Bakkered27a042013-04-18 22:46:23 +02002990#endif /* POLARSSL_X509_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00002991
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002992#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
2993void ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
2994 const unsigned char *psk_identity, size_t psk_identity_len )
2995{
2996 ssl->psk = psk;
2997 ssl->psk_len = psk_len;
2998 ssl->psk_identity = psk_identity;
2999 ssl->psk_identity_len = psk_identity_len;
3000}
3001#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +00003002
Paul Bakker48916f92012-09-16 19:57:18 +00003003#if defined(POLARSSL_DHM_C)
Paul Bakkerff60ee62010-03-16 21:09:09 +00003004int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +00003005{
3006 int ret;
3007
Paul Bakker48916f92012-09-16 19:57:18 +00003008 if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003009 {
3010 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3011 return( ret );
3012 }
3013
Paul Bakker48916f92012-09-16 19:57:18 +00003014 if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003015 {
3016 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3017 return( ret );
3018 }
3019
3020 return( 0 );
3021}
3022
Paul Bakker1b57b062011-01-06 15:48:19 +00003023int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3024{
3025 int ret;
3026
Paul Bakker48916f92012-09-16 19:57:18 +00003027 if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +00003028 {
3029 SSL_DEBUG_RET( 1, "mpi_copy", ret );
3030 return( ret );
3031 }
3032
Paul Bakker48916f92012-09-16 19:57:18 +00003033 if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +00003034 {
3035 SSL_DEBUG_RET( 1, "mpi_copy", ret );
3036 return( ret );
3037 }
3038
3039 return( 0 );
3040}
Paul Bakker48916f92012-09-16 19:57:18 +00003041#endif /* POLARSSL_DHM_C */
Paul Bakker1b57b062011-01-06 15:48:19 +00003042
Paul Bakkerff60ee62010-03-16 21:09:09 +00003043int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +00003044{
3045 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +00003046 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00003047
3048 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +00003049 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003050
Paul Bakkerb15b8512012-01-13 13:44:06 +00003051 if( ssl->hostname == NULL )
3052 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3053
Paul Bakker3c2122f2013-06-24 19:03:14 +02003054 memcpy( ssl->hostname, (const unsigned char *) hostname,
Paul Bakker5121ce52009-01-03 21:22:43 +00003055 ssl->hostname_len );
Paul Bakkerf7abd422013-04-16 13:15:56 +02003056
Paul Bakker40ea7de2009-05-03 10:18:48 +00003057 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +00003058
3059 return( 0 );
3060}
3061
Paul Bakker5701cdc2012-09-27 21:49:42 +00003062void ssl_set_sni( ssl_context *ssl,
3063 int (*f_sni)(void *, ssl_context *,
3064 const unsigned char *, size_t),
3065 void *p_sni )
3066{
3067 ssl->f_sni = f_sni;
3068 ssl->p_sni = p_sni;
3069}
3070
Paul Bakker490ecc82011-10-06 13:04:09 +00003071void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3072{
3073 ssl->max_major_ver = major;
3074 ssl->max_minor_ver = minor;
3075}
3076
Paul Bakker1d29fb52012-09-28 13:28:45 +00003077void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3078{
3079 ssl->min_major_ver = major;
3080 ssl->min_minor_ver = minor;
3081}
3082
Paul Bakker48916f92012-09-16 19:57:18 +00003083void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3084{
3085 ssl->disable_renegotiation = renegotiation;
3086}
3087
3088void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3089{
3090 ssl->allow_legacy_renegotiation = allow_legacy;
3091}
3092
Paul Bakker5121ce52009-01-03 21:22:43 +00003093/*
3094 * SSL get accessors
3095 */
Paul Bakker23986e52011-04-24 08:57:21 +00003096size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003097{
3098 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3099}
3100
Paul Bakkerff60ee62010-03-16 21:09:09 +00003101int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003102{
3103 return( ssl->verify_result );
3104}
3105
Paul Bakkere3166ce2011-01-27 17:40:50 +00003106const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +00003107{
Paul Bakker926c8e42013-03-06 10:23:34 +01003108 if( ssl == NULL || ssl->session == NULL )
3109 return NULL;
3110
Paul Bakkere3166ce2011-01-27 17:40:50 +00003111 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +00003112}
3113
Paul Bakker43ca69c2011-01-15 17:35:19 +00003114const char *ssl_get_version( const ssl_context *ssl )
3115{
3116 switch( ssl->minor_ver )
3117 {
3118 case SSL_MINOR_VERSION_0:
3119 return( "SSLv3.0" );
3120
3121 case SSL_MINOR_VERSION_1:
3122 return( "TLSv1.0" );
3123
3124 case SSL_MINOR_VERSION_2:
3125 return( "TLSv1.1" );
3126
Paul Bakker1ef83d62012-04-11 12:09:53 +00003127 case SSL_MINOR_VERSION_3:
3128 return( "TLSv1.2" );
3129
Paul Bakker43ca69c2011-01-15 17:35:19 +00003130 default:
3131 break;
3132 }
3133 return( "unknown" );
3134}
3135
Paul Bakkered27a042013-04-18 22:46:23 +02003136#if defined(POLARSSL_X509_PARSE_C)
Paul Bakkerb0550d92012-10-30 07:51:03 +00003137const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
3138{
3139 if( ssl == NULL || ssl->session == NULL )
3140 return NULL;
3141
3142 return ssl->session->peer_cert;
3143}
Paul Bakkered27a042013-04-18 22:46:23 +02003144#endif /* POLARSSL_X509_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00003145
Paul Bakker5121ce52009-01-03 21:22:43 +00003146/*
Paul Bakker1961b702013-01-25 14:49:24 +01003147 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00003148 */
Paul Bakker1961b702013-01-25 14:49:24 +01003149int ssl_handshake_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003150{
Paul Bakker40e46942009-01-03 21:51:57 +00003151 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +00003152
Paul Bakker40e46942009-01-03 21:51:57 +00003153#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003154 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker1961b702013-01-25 14:49:24 +01003155 ret = ssl_handshake_client_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00003156#endif
3157
Paul Bakker40e46942009-01-03 21:51:57 +00003158#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003159 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker1961b702013-01-25 14:49:24 +01003160 ret = ssl_handshake_server_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00003161#endif
3162
Paul Bakker1961b702013-01-25 14:49:24 +01003163 return( ret );
3164}
3165
3166/*
3167 * Perform the SSL handshake
3168 */
3169int ssl_handshake( ssl_context *ssl )
3170{
3171 int ret = 0;
3172
3173 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3174
3175 while( ssl->state != SSL_HANDSHAKE_OVER )
3176 {
3177 ret = ssl_handshake_step( ssl );
3178
3179 if( ret != 0 )
3180 break;
3181 }
3182
Paul Bakker5121ce52009-01-03 21:22:43 +00003183 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3184
3185 return( ret );
3186}
3187
3188/*
Paul Bakker48916f92012-09-16 19:57:18 +00003189 * Renegotiate current connection
3190 */
3191int ssl_renegotiate( ssl_context *ssl )
3192{
3193 int ret;
3194
3195 SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
3196
3197 if( ssl->state != SSL_HANDSHAKE_OVER )
3198 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3199
3200 ssl->state = SSL_HELLO_REQUEST;
3201 ssl->renegotiation = SSL_RENEGOTIATION;
3202
3203 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3204 return( ret );
3205
3206 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3207 {
3208 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3209 return( ret );
3210 }
3211
3212 SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
3213
3214 return( 0 );
3215}
3216
3217/*
Paul Bakker5121ce52009-01-03 21:22:43 +00003218 * Receive application data decrypted from the SSL layer
3219 */
Paul Bakker23986e52011-04-24 08:57:21 +00003220int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00003221{
Paul Bakker23986e52011-04-24 08:57:21 +00003222 int ret;
3223 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +00003224
3225 SSL_DEBUG_MSG( 2, ( "=> read" ) );
3226
3227 if( ssl->state != SSL_HANDSHAKE_OVER )
3228 {
3229 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3230 {
3231 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3232 return( ret );
3233 }
3234 }
3235
3236 if( ssl->in_offt == NULL )
3237 {
3238 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3239 {
Paul Bakker831a7552011-05-18 13:32:51 +00003240 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3241 return( 0 );
3242
Paul Bakker5121ce52009-01-03 21:22:43 +00003243 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3244 return( ret );
3245 }
3246
3247 if( ssl->in_msglen == 0 &&
3248 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3249 {
3250 /*
3251 * OpenSSL sends empty messages to randomize the IV
3252 */
3253 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3254 {
Paul Bakker831a7552011-05-18 13:32:51 +00003255 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3256 return( 0 );
3257
Paul Bakker5121ce52009-01-03 21:22:43 +00003258 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3259 return( ret );
3260 }
3261 }
3262
Paul Bakker48916f92012-09-16 19:57:18 +00003263 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
3264 {
3265 SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
3266
3267 if( ssl->endpoint == SSL_IS_CLIENT &&
3268 ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
3269 ssl->in_hslen != 4 ) )
3270 {
3271 SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
3272 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
3273 }
3274
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00003275 if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
3276 ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
3277 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) )
Paul Bakker48916f92012-09-16 19:57:18 +00003278 {
3279 SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
3280
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00003281 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +00003282 {
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00003283 /*
3284 * SSLv3 does not have a "no_renegotiation" alert
3285 */
3286 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
3287 return( ret );
3288 }
3289 else
3290 {
3291 if( ( ret = ssl_send_alert_message( ssl,
3292 SSL_ALERT_LEVEL_WARNING,
3293 SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
3294 {
3295 return( ret );
3296 }
Paul Bakker48916f92012-09-16 19:57:18 +00003297 }
3298 }
3299 else
3300 {
3301 if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
3302 {
3303 SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
3304 return( ret );
3305 }
3306
3307 return( POLARSSL_ERR_NET_WANT_READ );
3308 }
3309 }
3310 else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +00003311 {
3312 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003313 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00003314 }
3315
3316 ssl->in_offt = ssl->in_msg;
3317 }
3318
3319 n = ( len < ssl->in_msglen )
3320 ? len : ssl->in_msglen;
3321
3322 memcpy( buf, ssl->in_offt, n );
3323 ssl->in_msglen -= n;
3324
3325 if( ssl->in_msglen == 0 )
3326 /* all bytes consumed */
3327 ssl->in_offt = NULL;
3328 else
3329 /* more data available */
3330 ssl->in_offt += n;
3331
3332 SSL_DEBUG_MSG( 2, ( "<= read" ) );
3333
Paul Bakker23986e52011-04-24 08:57:21 +00003334 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00003335}
3336
3337/*
3338 * Send application data to be encrypted by the SSL layer
3339 */
Paul Bakker23986e52011-04-24 08:57:21 +00003340int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00003341{
Paul Bakker23986e52011-04-24 08:57:21 +00003342 int ret;
3343 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +00003344
3345 SSL_DEBUG_MSG( 2, ( "=> write" ) );
3346
3347 if( ssl->state != SSL_HANDSHAKE_OVER )
3348 {
3349 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3350 {
3351 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3352 return( ret );
3353 }
3354 }
3355
Paul Bakker887bd502011-06-08 13:10:54 +00003356 n = ( len < SSL_MAX_CONTENT_LEN )
3357 ? len : SSL_MAX_CONTENT_LEN;
3358
Paul Bakker5121ce52009-01-03 21:22:43 +00003359 if( ssl->out_left != 0 )
3360 {
3361 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3362 {
3363 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3364 return( ret );
3365 }
3366 }
Paul Bakker887bd502011-06-08 13:10:54 +00003367 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +00003368 {
Paul Bakker887bd502011-06-08 13:10:54 +00003369 ssl->out_msglen = n;
3370 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3371 memcpy( ssl->out_msg, buf, n );
3372
3373 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3374 {
3375 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3376 return( ret );
3377 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003378 }
3379
3380 SSL_DEBUG_MSG( 2, ( "<= write" ) );
3381
Paul Bakker23986e52011-04-24 08:57:21 +00003382 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00003383}
3384
3385/*
3386 * Notify the peer that the connection is being closed
3387 */
3388int ssl_close_notify( ssl_context *ssl )
3389{
3390 int ret;
3391
3392 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3393
3394 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3395 {
3396 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3397 return( ret );
3398 }
3399
3400 if( ssl->state == SSL_HANDSHAKE_OVER )
3401 {
Paul Bakker48916f92012-09-16 19:57:18 +00003402 if( ( ret = ssl_send_alert_message( ssl,
3403 SSL_ALERT_LEVEL_WARNING,
3404 SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003405 {
Paul Bakker5121ce52009-01-03 21:22:43 +00003406 return( ret );
3407 }
3408 }
3409
3410 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3411
3412 return( ret );
3413}
3414
Paul Bakker48916f92012-09-16 19:57:18 +00003415void ssl_transform_free( ssl_transform *transform )
3416{
3417#if defined(POLARSSL_ZLIB_SUPPORT)
3418 deflateEnd( &transform->ctx_deflate );
3419 inflateEnd( &transform->ctx_inflate );
3420#endif
3421
3422 memset( transform, 0, sizeof( ssl_transform ) );
3423}
3424
3425void ssl_handshake_free( ssl_handshake_params *handshake )
3426{
3427#if defined(POLARSSL_DHM_C)
3428 dhm_free( &handshake->dhm_ctx );
3429#endif
3430 memset( handshake, 0, sizeof( ssl_handshake_params ) );
3431}
3432
3433void ssl_session_free( ssl_session *session )
3434{
Paul Bakkered27a042013-04-18 22:46:23 +02003435#if defined(POLARSSL_X509_PARSE_C)
Paul Bakker0a597072012-09-25 21:55:46 +00003436 if( session->peer_cert != NULL )
Paul Bakker48916f92012-09-16 19:57:18 +00003437 {
Paul Bakker0a597072012-09-25 21:55:46 +00003438 x509_free( session->peer_cert );
3439 free( session->peer_cert );
Paul Bakker48916f92012-09-16 19:57:18 +00003440 }
Paul Bakkered27a042013-04-18 22:46:23 +02003441#endif
Paul Bakker0a597072012-09-25 21:55:46 +00003442
3443 memset( session, 0, sizeof( ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +00003444}
3445
Paul Bakker5121ce52009-01-03 21:22:43 +00003446/*
3447 * Free an SSL context
3448 */
3449void ssl_free( ssl_context *ssl )
3450{
3451 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3452
Paul Bakker5121ce52009-01-03 21:22:43 +00003453 if( ssl->out_ctr != NULL )
3454 {
3455 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3456 free( ssl->out_ctr );
3457 }
3458
3459 if( ssl->in_ctr != NULL )
3460 {
3461 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3462 free( ssl->in_ctr );
3463 }
3464
Paul Bakker40e46942009-01-03 21:51:57 +00003465#if defined(POLARSSL_DHM_C)
Paul Bakker48916f92012-09-16 19:57:18 +00003466 mpi_free( &ssl->dhm_P );
3467 mpi_free( &ssl->dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +00003468#endif
3469
Paul Bakker48916f92012-09-16 19:57:18 +00003470 if( ssl->transform )
3471 {
3472 ssl_transform_free( ssl->transform );
3473 free( ssl->transform );
3474 }
3475
3476 if( ssl->handshake )
3477 {
3478 ssl_handshake_free( ssl->handshake );
3479 ssl_transform_free( ssl->transform_negotiate );
3480 ssl_session_free( ssl->session_negotiate );
3481
3482 free( ssl->handshake );
3483 free( ssl->transform_negotiate );
3484 free( ssl->session_negotiate );
3485 }
3486
Paul Bakkerc0463502013-02-14 11:19:38 +01003487 if( ssl->session )
3488 {
3489 ssl_session_free( ssl->session );
3490 free( ssl->session );
3491 }
3492
Paul Bakker5121ce52009-01-03 21:22:43 +00003493 if ( ssl->hostname != NULL)
3494 {
3495 memset( ssl->hostname, 0, ssl->hostname_len );
3496 free( ssl->hostname );
3497 ssl->hostname_len = 0;
3498 }
3499
Paul Bakker05ef8352012-05-08 09:17:57 +00003500#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3501 if( ssl_hw_record_finish != NULL )
3502 {
3503 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3504 ssl_hw_record_finish( ssl );
3505 }
3506#endif
3507
Paul Bakker5121ce52009-01-03 21:22:43 +00003508 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +00003509
Paul Bakker86f04f42013-02-14 11:20:09 +01003510 /* Actually clear after last debug message */
Paul Bakker2da561c2009-02-05 18:00:28 +00003511 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003512}
3513
3514#endif