TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 8308e68d53263b981cb6a42edf75f8e161b9df1d / . / library / ssl_tls.c
blob: 88c6e55def4256ba8a1a3f6e5d1aafbb95dd6721 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]46#if defined(POLARSSL_GCM_C)
47#include "polarssl/gcm.h"
48#endif
49
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50#include <stdlib.h>
51#include <time.h>
52
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]53#if defined _MSC_VER && !defined strcasecmp
54#define strcasecmp _stricmp
55#endif
56
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]57/*
58 * Key material generation
59 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]60static int tls1_prf( unsigned char *secret, size_t slen, char *label,
61 unsigned char *random, size_t rlen,
62 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]64 size_t nb, hs;
65 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66 unsigned char *S1, *S2;
67 unsigned char tmp[128];
68 unsigned char h_i[20];
69
70 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]71 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
73 hs = ( slen + 1 ) / 2;
74 S1 = secret;
75 S2 = secret + slen - hs;
76
77 nb = strlen( label );
78 memcpy( tmp + 20, label, nb );
79 memcpy( tmp + 20 + nb, random, rlen );
80 nb += rlen;
81
82 /*
83 * First compute P_md5(secret,label+random)[0..dlen]
84 */
85 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
86
87 for( i = 0; i < dlen; i += 16 )
88 {
89 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
90 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
91
92 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
93
94 for( j = 0; j < k; j++ )
95 dstbuf[i + j] = h_i[j];
96 }
97
98 /*
99 * XOR out with P_sha1(secret,label+random)[0..dlen]
100 */
101 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
102
103 for( i = 0; i < dlen; i += 20 )
104 {
105 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
106 sha1_hmac( S2, hs, tmp, 20, tmp );
107
108 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
109
110 for( j = 0; j < k; j++ )
111 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
112 }
113
114 memset( tmp, 0, sizeof( tmp ) );
115 memset( h_i, 0, sizeof( h_i ) );
116
117 return( 0 );
118}
119
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]120static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
121 unsigned char *random, size_t rlen,
122 unsigned char *dstbuf, size_t dlen )
123{
124 size_t nb;
125 size_t i, j, k;
126 unsigned char tmp[128];
127 unsigned char h_i[32];
128
129 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
130 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
131
132 nb = strlen( label );
133 memcpy( tmp + 32, label, nb );
134 memcpy( tmp + 32 + nb, random, rlen );
135 nb += rlen;
136
137 /*
138 * Compute P_<hash>(secret, label + random)[0..dlen]
139 */
140 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
141
142 for( i = 0; i < dlen; i += 32 )
143 {
144 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
145 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
146
147 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
148
149 for( j = 0; j < k; j++ )
150 dstbuf[i + j] = h_i[j];
151 }
152
153 memset( tmp, 0, sizeof( tmp ) );
154 memset( h_i, 0, sizeof( h_i ) );
155
156 return( 0 );
157}
158
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]159static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
160 unsigned char *random, size_t rlen,
161 unsigned char *dstbuf, size_t dlen )
162{
163 size_t nb;
164 size_t i, j, k;
165 unsigned char tmp[128];
166 unsigned char h_i[48];
167
168 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
169 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
170
171 nb = strlen( label );
172 memcpy( tmp + 48, label, nb );
173 memcpy( tmp + 48 + nb, random, rlen );
174 nb += rlen;
175
176 /*
177 * Compute P_<hash>(secret, label + random)[0..dlen]
178 */
179 sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
180
181 for( i = 0; i < dlen; i += 48 )
182 {
183 sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
184 sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
185
186 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
187
188 for( j = 0; j < k; j++ )
189 dstbuf[i + j] = h_i[j];
190 }
191
192 memset( tmp, 0, sizeof( tmp ) );
193 memset( h_i, 0, sizeof( h_i ) );
194
195 return( 0 );
196}
197
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]198static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
199static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
200static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
201static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
202
203static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
204static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
205static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
206static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
207
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]208static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
209static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
210static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
211static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]212
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]213int ssl_derive_keys( ssl_context *ssl )
214{
215 int i;
216 md5_context md5;
217 sha1_context sha1;
218 unsigned char tmp[64];
219 unsigned char padding[16];
220 unsigned char sha1sum[20];
221 unsigned char keyblk[256];
222 unsigned char *key1;
223 unsigned char *key2;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]224 unsigned int iv_copy_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]225
226 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
227
228 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]229 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]230 */
231 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]232 {
233 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]234 ssl->calc_verify = ssl_calc_verify_ssl;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]235 ssl->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]236 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]237 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]238 {
239 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]240 ssl->calc_verify = ssl_calc_verify_tls;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]241 ssl->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]242 }
243 else if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
244 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
245 {
246 ssl->tls_prf = tls_prf_sha384;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]247 ssl->calc_verify = ssl_calc_verify_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]248 ssl->calc_finished = ssl_calc_finished_tls_sha384;
249 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]250 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]251 {
252 ssl->tls_prf = tls_prf_sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]253 ssl->calc_verify = ssl_calc_verify_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]254 ssl->calc_finished = ssl_calc_finished_tls_sha256;
255 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]256
257 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]258 * SSLv3:
259 * master =
260 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
261 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
262 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
263 *
264 * TLSv1:
265 * master = PRF( premaster, "master secret", randbytes )[0..47]
266 */
267 if( ssl->resume == 0 )
268 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]269 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]270
271 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
272
273 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
274 {
275 for( i = 0; i < 3; i++ )
276 {
277 memset( padding, 'A' + i, 1 + i );
278
279 sha1_starts( &sha1 );
280 sha1_update( &sha1, padding, 1 + i );
281 sha1_update( &sha1, ssl->premaster, len );
282 sha1_update( &sha1, ssl->randbytes, 64 );
283 sha1_finish( &sha1, sha1sum );
284
285 md5_starts( &md5 );
286 md5_update( &md5, ssl->premaster, len );
287 md5_update( &md5, sha1sum, 20 );
288 md5_finish( &md5, ssl->session->master + i * 16 );
289 }
290 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]291 else
292 ssl->tls_prf( ssl->premaster, len, "master secret",
293 ssl->randbytes, 64, ssl->session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]294
295 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
296 }
297 else
298 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
299
300 /*
301 * Swap the client and server random values.
302 */
303 memcpy( tmp, ssl->randbytes, 64 );
304 memcpy( ssl->randbytes, tmp + 32, 32 );
305 memcpy( ssl->randbytes + 32, tmp, 32 );
306 memset( tmp, 0, sizeof( tmp ) );
307
308 /*
309 * SSLv3:
310 * key block =
311 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
312 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
313 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
314 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
315 * ...
316 *
317 * TLSv1:
318 * key block = PRF( master, "key expansion", randbytes )
319 */
320 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
321 {
322 for( i = 0; i < 16; i++ )
323 {
324 memset( padding, 'A' + i, 1 + i );
325
326 sha1_starts( &sha1 );
327 sha1_update( &sha1, padding, 1 + i );
328 sha1_update( &sha1, ssl->session->master, 48 );
329 sha1_update( &sha1, ssl->randbytes, 64 );
330 sha1_finish( &sha1, sha1sum );
331
332 md5_starts( &md5 );
333 md5_update( &md5, ssl->session->master, 48 );
334 md5_update( &md5, sha1sum, 20 );
335 md5_finish( &md5, keyblk + i * 16 );
336 }
337
338 memset( &md5, 0, sizeof( md5 ) );
339 memset( &sha1, 0, sizeof( sha1 ) );
340
341 memset( padding, 0, sizeof( padding ) );
342 memset( sha1sum, 0, sizeof( sha1sum ) );
343 }
344 else
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]345 ssl->tls_prf( ssl->session->master, 48, "key expansion",
346 ssl->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]348 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
350 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
351 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
352
353 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
354
355 /*
356 * Determine the appropriate key, IV and MAC length.
357 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]358 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]360#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361 case SSL_RSA_RC4_128_MD5:
362 ssl->keylen = 16; ssl->minlen = 16;
363 ssl->ivlen = 0; ssl->maclen = 16;
364 break;
365
366 case SSL_RSA_RC4_128_SHA:
367 ssl->keylen = 16; ssl->minlen = 20;
368 ssl->ivlen = 0; ssl->maclen = 20;
369 break;
370#endif
371
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]372#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373 case SSL_RSA_DES_168_SHA:
374 case SSL_EDH_RSA_DES_168_SHA:
375 ssl->keylen = 24; ssl->minlen = 24;
376 ssl->ivlen = 8; ssl->maclen = 20;
377 break;
378#endif
379
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]380#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]381 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]382 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]383 ssl->keylen = 16; ssl->minlen = 32;
384 ssl->ivlen = 16; ssl->maclen = 20;
385 break;
386
387 case SSL_RSA_AES_256_SHA:
388 case SSL_EDH_RSA_AES_256_SHA:
389 ssl->keylen = 32; ssl->minlen = 32;
390 ssl->ivlen = 16; ssl->maclen = 20;
391 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]392
393#if defined(POLARSSL_SHA2_C)
394 case SSL_RSA_AES_128_SHA256:
395 case SSL_EDH_RSA_AES_128_SHA256:
396 ssl->keylen = 16; ssl->minlen = 32;
397 ssl->ivlen = 16; ssl->maclen = 32;
398 break;
399
400 case SSL_RSA_AES_256_SHA256:
401 case SSL_EDH_RSA_AES_256_SHA256:
402 ssl->keylen = 32; ssl->minlen = 32;
403 ssl->ivlen = 16; ssl->maclen = 32;
404 break;
405#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]406#if defined(POLARSSL_GCM_C)
407 case SSL_RSA_AES_128_GCM_SHA256:
408 case SSL_EDH_RSA_AES_128_GCM_SHA256:
409 ssl->keylen = 16; ssl->minlen = 1;
410 ssl->ivlen = 12; ssl->maclen = 0;
411 ssl->fixed_ivlen = 4;
412 break;
413
414 case SSL_RSA_AES_256_GCM_SHA384:
415 case SSL_EDH_RSA_AES_256_GCM_SHA384:
416 ssl->keylen = 32; ssl->minlen = 1;
417 ssl->ivlen = 12; ssl->maclen = 0;
418 ssl->fixed_ivlen = 4;
419 break;
420#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421#endif
422
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]423#if defined(POLARSSL_CAMELLIA_C)
424 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]425 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]426 ssl->keylen = 16; ssl->minlen = 32;
427 ssl->ivlen = 16; ssl->maclen = 20;
428 break;
429
430 case SSL_RSA_CAMELLIA_256_SHA:
431 case SSL_EDH_RSA_CAMELLIA_256_SHA:
432 ssl->keylen = 32; ssl->minlen = 32;
433 ssl->ivlen = 16; ssl->maclen = 20;
434 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]435
436#if defined(POLARSSL_SHA2_C)
437 case SSL_RSA_CAMELLIA_128_SHA256:
438 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
439 ssl->keylen = 16; ssl->minlen = 32;
440 ssl->ivlen = 16; ssl->maclen = 32;
441 break;
442
443 case SSL_RSA_CAMELLIA_256_SHA256:
444 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
445 ssl->keylen = 32; ssl->minlen = 32;
446 ssl->ivlen = 16; ssl->maclen = 32;
447 break;
448#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]449#endif
450
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]451#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
452#if defined(POLARSSL_CIPHER_NULL_CIPHER)
453 case SSL_RSA_NULL_MD5:
454 ssl->keylen = 0; ssl->minlen = 0;
455 ssl->ivlen = 0; ssl->maclen = 16;
456 break;
457
458 case SSL_RSA_NULL_SHA:
459 ssl->keylen = 0; ssl->minlen = 0;
460 ssl->ivlen = 0; ssl->maclen = 20;
461 break;
462
463 case SSL_RSA_NULL_SHA256:
464 ssl->keylen = 0; ssl->minlen = 0;
465 ssl->ivlen = 0; ssl->maclen = 32;
466 break;
467#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
468
469#if defined(POLARSSL_DES_C)
470 case SSL_RSA_DES_SHA:
471 case SSL_EDH_RSA_DES_SHA:
472 ssl->keylen = 8; ssl->minlen = 8;
473 ssl->ivlen = 8; ssl->maclen = 20;
474 break;
475#endif
476#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
477
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]479 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
480 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]481 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482 }
483
484 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
485 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
486
487 /*
488 * Finally setup the cipher contexts, IVs and MAC secrets.
489 */
490 if( ssl->endpoint == SSL_IS_CLIENT )
491 {
492 key1 = keyblk + ssl->maclen * 2;
493 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
494
495 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
496 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
497
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]498 /*
499 * This is not used in TLS v1.1.
500 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]501 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
502 memcpy( ssl->iv_enc, key2 + ssl->keylen, iv_copy_len );
503 memcpy( ssl->iv_dec, key2 + ssl->keylen + iv_copy_len,
504 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505 }
506 else
507 {
508 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
509 key2 = keyblk + ssl->maclen * 2;
510
511 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
512 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
513
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]514 /*
515 * This is not used in TLS v1.1.
516 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]517 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
518 memcpy( ssl->iv_dec, key1 + ssl->keylen, iv_copy_len );
519 memcpy( ssl->iv_enc, key1 + ssl->keylen + iv_copy_len,
520 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521 }
522
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]523 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]525#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]526 case SSL_RSA_RC4_128_MD5:
527 case SSL_RSA_RC4_128_SHA:
528 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
529 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
530 break;
531#endif
532
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]533#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]534 case SSL_RSA_DES_168_SHA:
535 case SSL_EDH_RSA_DES_168_SHA:
536 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
537 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
538 break;
539#endif
540
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]541#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]542 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]543 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]544 case SSL_RSA_AES_128_SHA256:
545 case SSL_EDH_RSA_AES_128_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]546 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
547 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
548 break;
549
550 case SSL_RSA_AES_256_SHA:
551 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]552 case SSL_RSA_AES_256_SHA256:
553 case SSL_EDH_RSA_AES_256_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
555 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
556 break;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]557
558#if defined(POLARSSL_GCM_C)
559 case SSL_RSA_AES_128_GCM_SHA256:
560 case SSL_EDH_RSA_AES_128_GCM_SHA256:
561 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 128 );
562 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 128 );
563 break;
564
565 case SSL_RSA_AES_256_GCM_SHA384:
566 case SSL_EDH_RSA_AES_256_GCM_SHA384:
567 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 256 );
568 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 256 );
569 break;
570#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571#endif
572
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]573#if defined(POLARSSL_CAMELLIA_C)
574 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]575 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]576 case SSL_RSA_CAMELLIA_128_SHA256:
577 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]578 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
579 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
580 break;
581
582 case SSL_RSA_CAMELLIA_256_SHA:
583 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]584 case SSL_RSA_CAMELLIA_256_SHA256:
585 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]586 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
587 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
588 break;
589#endif
590
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]591#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
592#if defined(POLARSSL_CIPHER_NULL_CIPHER)
593 case SSL_RSA_NULL_MD5:
594 case SSL_RSA_NULL_SHA:
595 case SSL_RSA_NULL_SHA256:
596 break;
597#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
598
599#if defined(POLARSSL_DES_C)
600 case SSL_RSA_DES_SHA:
601 case SSL_EDH_RSA_DES_SHA:
602 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
603 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
604 break;
605#endif
606#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
607
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]609 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]610 }
611
612 memset( keyblk, 0, sizeof( keyblk ) );
613
614 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
615
616 return( 0 );
617}
618
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]619void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620{
621 md5_context md5;
622 sha1_context sha1;
623 unsigned char pad_1[48];
624 unsigned char pad_2[48];
625
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]626 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]628 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
629 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
630 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]631
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]632 memset( pad_1, 0x36, 48 );
633 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]635 md5_update( &md5, ssl->session->master, 48 );
636 md5_update( &md5, pad_1, 48 );
637 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]638
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]639 md5_starts( &md5 );
640 md5_update( &md5, ssl->session->master, 48 );
641 md5_update( &md5, pad_2, 48 );
642 md5_update( &md5, hash, 16 );
643 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]644
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]645 sha1_update( &sha1, ssl->session->master, 48 );
646 sha1_update( &sha1, pad_1, 40 );
647 sha1_finish( &sha1, hash + 16 );
648
649 sha1_starts( &sha1 );
650 sha1_update( &sha1, ssl->session->master, 48 );
651 sha1_update( &sha1, pad_2, 40 );
652 sha1_update( &sha1, hash + 16, 20 );
653 sha1_finish( &sha1, hash + 16 );
654
655 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
656 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
657
658 return;
659}
660
661void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
662{
663 md5_context md5;
664 sha1_context sha1;
665
666 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
667
668 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
669 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
670 sizeof( sha1_context ) );
671
672 md5_finish( &md5, hash );
673 sha1_finish( &sha1, hash + 16 );
674
675 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
676 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
677
678 return;
679}
680
681void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
682{
683 sha2_context sha2;
684
685 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
686
687 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
688 sha2_finish( &sha2, hash );
689
690 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
691 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
692
693 return;
694}
695
696void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
697{
698 sha4_context sha4;
699
700 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
701
702 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
703 sha4_finish( &sha4, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]704
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]705 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]706 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
707
708 return;
709}
710
711/*
712 * SSLv3.0 MAC functions
713 */
714static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]715 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716 unsigned char *ctr, int type )
717{
718 unsigned char header[11];
719 unsigned char padding[48];
720 md5_context md5;
721
722 memcpy( header, ctr, 8 );
723 header[ 8] = (unsigned char) type;
724 header[ 9] = (unsigned char)( len >> 8 );
725 header[10] = (unsigned char)( len );
726
727 memset( padding, 0x36, 48 );
728 md5_starts( &md5 );
729 md5_update( &md5, secret, 16 );
730 md5_update( &md5, padding, 48 );
731 md5_update( &md5, header, 11 );
732 md5_update( &md5, buf, len );
733 md5_finish( &md5, buf + len );
734
735 memset( padding, 0x5C, 48 );
736 md5_starts( &md5 );
737 md5_update( &md5, secret, 16 );
738 md5_update( &md5, padding, 48 );
739 md5_update( &md5, buf + len, 16 );
740 md5_finish( &md5, buf + len );
741}
742
743static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]744 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745 unsigned char *ctr, int type )
746{
747 unsigned char header[11];
748 unsigned char padding[40];
749 sha1_context sha1;
750
751 memcpy( header, ctr, 8 );
752 header[ 8] = (unsigned char) type;
753 header[ 9] = (unsigned char)( len >> 8 );
754 header[10] = (unsigned char)( len );
755
756 memset( padding, 0x36, 40 );
757 sha1_starts( &sha1 );
758 sha1_update( &sha1, secret, 20 );
759 sha1_update( &sha1, padding, 40 );
760 sha1_update( &sha1, header, 11 );
761 sha1_update( &sha1, buf, len );
762 sha1_finish( &sha1, buf + len );
763
764 memset( padding, 0x5C, 40 );
765 sha1_starts( &sha1 );
766 sha1_update( &sha1, secret, 20 );
767 sha1_update( &sha1, padding, 40 );
768 sha1_update( &sha1, buf + len, 20 );
769 sha1_finish( &sha1, buf + len );
770}
771
772/*
773 * Encryption/decryption functions
774 */
775static int ssl_encrypt_buf( ssl_context *ssl )
776{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]777 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778
779 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
780
781 /*
782 * Add MAC then encrypt
783 */
784 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
785 {
786 if( ssl->maclen == 16 )
787 ssl_mac_md5( ssl->mac_enc,
788 ssl->out_msg, ssl->out_msglen,
789 ssl->out_ctr, ssl->out_msgtype );
790
791 if( ssl->maclen == 20 )
792 ssl_mac_sha1( ssl->mac_enc,
793 ssl->out_msg, ssl->out_msglen,
794 ssl->out_ctr, ssl->out_msgtype );
795 }
796 else
797 {
798 if( ssl->maclen == 16 )
799 md5_hmac( ssl->mac_enc, 16,
800 ssl->out_ctr, ssl->out_msglen + 13,
801 ssl->out_msg + ssl->out_msglen );
802
803 if( ssl->maclen == 20 )
804 sha1_hmac( ssl->mac_enc, 20,
805 ssl->out_ctr, ssl->out_msglen + 13,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]806 ssl->out_msg + ssl->out_msglen );
807
808 if( ssl->maclen == 32 )
809 sha2_hmac( ssl->mac_enc, 32,
810 ssl->out_ctr, ssl->out_msglen + 13,
811 ssl->out_msg + ssl->out_msglen, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812 }
813
814 SSL_DEBUG_BUF( 4, "computed mac",
815 ssl->out_msg + ssl->out_msglen, ssl->maclen );
816
817 ssl->out_msglen += ssl->maclen;
818
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819 if( ssl->ivlen == 0 )
820 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]821 padlen = 0;
822
823 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
824 "including %d bytes of padding",
825 ssl->out_msglen, 0 ) );
826
827 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
828 ssl->out_msg, ssl->out_msglen );
829
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]830#if defined(POLARSSL_ARC4_C)
831 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
832 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
833 {
834 arc4_crypt( (arc4_context *) ssl->ctx_enc,
835 ssl->out_msglen, ssl->out_msg,
836 ssl->out_msg );
837 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]839#if defined(POLARSSL_CIPHER_NULL_CIPHER)
840 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
841 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
842 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
843 {
844 } else
845#endif
846 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]848 else if( ssl->ivlen == 12 )
849 {
850 size_t enc_msglen;
851 unsigned char *enc_msg;
852 unsigned char add_data[13];
853 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
854
855 padlen = 0;
856 enc_msglen = ssl->out_msglen;
857
858 memcpy( add_data, ssl->out_ctr, 8 );
859 add_data[8] = ssl->out_msgtype;
860 add_data[9] = ssl->major_ver;
861 add_data[10] = ssl->minor_ver;
862 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
863 add_data[12] = ssl->out_msglen & 0xFF;
864
865 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
866 add_data, 13 );
867
868#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
869
870 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
871 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
872 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
873 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
874 {
875 /*
876 * Generate IV
877 */
878 ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc + ssl->fixed_ivlen,
879 ssl->ivlen - ssl->fixed_ivlen );
880 if( ret != 0 )
881 return( ret );
882
883 /*
884 * Shift message for ivlen bytes and prepend IV
885 */
886 memmove( ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen,
887 ssl->out_msg, ssl->out_msglen );
888 memcpy( ssl->out_msg, ssl->iv_enc + ssl->fixed_ivlen,
889 ssl->ivlen - ssl->fixed_ivlen );
890
891 /*
892 * Fix pointer positions and message length with added IV
893 */
894 enc_msg = ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen;
895 enc_msglen = ssl->out_msglen;
896 ssl->out_msglen += ssl->ivlen - ssl->fixed_ivlen;
897
898 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
899 "including %d bytes of padding",
900 ssl->out_msglen, 0 ) );
901
902 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
903 ssl->out_msg, ssl->out_msglen );
904
905 /*
906 * Adjust for tag
907 */
908 ssl->out_msglen += 16;
909
910 gcm_crypt_and_tag( (gcm_context *) ssl->ctx_enc,
911 GCM_ENCRYPT, enc_msglen,
912 ssl->iv_enc, ssl->ivlen,
913 add_data, 13,
914 enc_msg, enc_msg,
915 16, enc_msg + enc_msglen );
916
917 SSL_DEBUG_BUF( 4, "after encrypt: tag",
918 enc_msg + enc_msglen, 16 );
919
920 } else
921#endif
922 return( ret );
923 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]924 else
925 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]926 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]927 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]928
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
930 if( padlen == ssl->ivlen )
931 padlen = 0;
932
933 for( i = 0; i <= padlen; i++ )
934 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
935
936 ssl->out_msglen += padlen + 1;
937
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]938 enc_msglen = ssl->out_msglen;
939 enc_msg = ssl->out_msg;
940
941 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]942 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
943 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]944 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]945 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]946 {
947 /*
948 * Generate IV
949 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]950 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
951 if( ret != 0 )
952 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]953
954 /*
955 * Shift message for ivlen bytes and prepend IV
956 */
957 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
958 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
959
960 /*
961 * Fix pointer positions and message length with added IV
962 */
963 enc_msg = ssl->out_msg + ssl->ivlen;
964 enc_msglen = ssl->out_msglen;
965 ssl->out_msglen += ssl->ivlen;
966 }
967
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]969 "including %d bytes of IV and %d bytes of padding",
970 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971
972 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
973 ssl->out_msg, ssl->out_msglen );
974
975 switch( ssl->ivlen )
976 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]977#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]978 case 8:
979#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
980 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
981 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
982 {
983 des_crypt_cbc( (des_context *) ssl->ctx_enc,
984 DES_ENCRYPT, enc_msglen,
985 ssl->iv_enc, enc_msg, enc_msg );
986 }
987 else
988#endif
989 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
990 DES_ENCRYPT, enc_msglen,
991 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992 break;
993#endif
994
995 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]996#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]997 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
998 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
999 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1000 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1001 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1002 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1003 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1004 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1005 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1006 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1007 AES_ENCRYPT, enc_msglen,
1008 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1009 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1010 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1011#endif
1012
1013#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1014 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1015 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1016 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1017 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1018 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1019 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1020 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1021 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1022 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1023 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1024 CAMELLIA_ENCRYPT, enc_msglen,
1025 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1026 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1027 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028#endif
1029
1030 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1031 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1032 }
1033 }
1034
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1035 for( i = 8; i > 0; i-- )
1036 if( ++ssl->out_ctr[i - 1] != 0 )
1037 break;
1038
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1040
1041 return( 0 );
1042}
1043
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1044/*
1045 * TODO: Use digest version when integrated!
1046 */
1047#define POLARSSL_SSL_MAX_MAC_SIZE 32
1048
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049static int ssl_decrypt_buf( ssl_context *ssl )
1050{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1051 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1052 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053
1054 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1055
1056 if( ssl->in_msglen < ssl->minlen )
1057 {
1058 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1059 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1060 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1061 }
1062
1063 if( ssl->ivlen == 0 )
1064 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1065#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1067 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
1068 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
1069 {
1070 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]1071 ssl->in_msglen, ssl->in_msg,
1072 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1073 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1075#if defined(POLARSSL_CIPHER_NULL_CIPHER)
1076 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
1077 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
1078 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
1079 {
1080 } else
1081#endif
1082 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1084 else if( ssl->ivlen == 12 )
1085 {
1086 unsigned char *dec_msg;
1087 unsigned char *dec_msg_result;
1088 size_t dec_msglen;
1089 unsigned char add_data[13];
1090 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1091
1092 padlen = 0;
1093
1094#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1095 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
1096 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
1097 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
1098 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
1099 {
1100 dec_msglen = ssl->in_msglen - ( ssl->ivlen - ssl->fixed_ivlen );
1101 dec_msglen -= 16;
1102 dec_msg = ssl->in_msg + ( ssl->ivlen - ssl->fixed_ivlen );
1103 dec_msg_result = ssl->in_msg;
1104 ssl->in_msglen = dec_msglen;
1105
1106 memcpy( add_data, ssl->in_ctr, 8 );
1107 add_data[8] = ssl->in_msgtype;
1108 add_data[9] = ssl->major_ver;
1109 add_data[10] = ssl->minor_ver;
1110 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1111 add_data[12] = ssl->in_msglen & 0xFF;
1112
1113 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1114 add_data, 13 );
1115
1116 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1117 ssl->ivlen - ssl->fixed_ivlen );
1118
1119 SSL_DEBUG_BUF( 4, "IV used", ssl->iv_dec, ssl->ivlen );
1120 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1121
1122 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1123 ssl->ivlen - ssl->fixed_ivlen );
1124
1125 ret = gcm_auth_decrypt( (gcm_context *) ssl->ctx_dec,
1126 dec_msglen,
1127 ssl->iv_dec, ssl->ivlen,
1128 add_data, 13,
1129 dec_msg + dec_msglen, 16,
1130 dec_msg, dec_msg_result );
1131
1132 if( ret != 0 )
1133 {
1134 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1135 -ret ) );
1136
1137 return( POLARSSL_ERR_SSL_INVALID_MAC );
1138 }
1139 } else
1140#endif
1141 return( ret );
1142 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1143 else
1144 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1145 unsigned char *dec_msg;
1146 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1147 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1148
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1149 /*
1150 * Decrypt and check the padding
1151 */
1152 if( ssl->in_msglen % ssl->ivlen != 0 )
1153 {
1154 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1155 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1156 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1157 }
1158
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1159 dec_msglen = ssl->in_msglen;
1160 dec_msg = ssl->in_msg;
1161 dec_msg_result = ssl->in_msg;
1162
1163 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1164 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1165 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1166 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1167 {
1168 dec_msg += ssl->ivlen;
1169 dec_msglen -= ssl->ivlen;
1170 ssl->in_msglen -= ssl->ivlen;
1171
1172 for( i = 0; i < ssl->ivlen; i++ )
1173 ssl->iv_dec[i] = ssl->in_msg[i];
1174 }
1175
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1176 switch( ssl->ivlen )
1177 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1178#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1179 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1180#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1181 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1182 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1183 {
1184 des_crypt_cbc( (des_context *) ssl->ctx_dec,
1185 DES_DECRYPT, dec_msglen,
1186 ssl->iv_dec, dec_msg, dec_msg_result );
1187 }
1188 else
1189#endif
1190 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
1191 DES_DECRYPT, dec_msglen,
1192 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1193 break;
1194#endif
1195
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1196 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1197#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1198 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1199 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1200 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1201 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1202 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1203 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1204 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1205 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1206 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1207 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1208 AES_DECRYPT, dec_msglen,
1209 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1210 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1211 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1212#endif
1213
1214#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1215 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1216 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1217 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1218 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1219 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1220 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1221 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1222 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1223 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1224 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1225 CAMELLIA_DECRYPT, dec_msglen,
1226 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1227 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1228 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1229#endif
1230
1231 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1232 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1233 }
1234
1235 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1236
1237 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1238 {
1239 if( padlen > ssl->ivlen )
1240 {
1241 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1242 "should be no more than %d",
1243 padlen, ssl->ivlen ) );
1244 padlen = 0;
1245 }
1246 }
1247 else
1248 {
1249 /*
1250 * TLSv1: always check the padding
1251 */
1252 for( i = 1; i <= padlen; i++ )
1253 {
1254 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1255 {
1256 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
1257 "%02x, but is %02x", padlen - 1,
1258 ssl->in_msg[ssl->in_msglen - i] ) );
1259 padlen = 0;
1260 }
1261 }
1262 }
1263 }
1264
1265 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1266 ssl->in_msg, ssl->in_msglen );
1267
1268 /*
1269 * Always compute the MAC (RFC4346, CBCTIME).
1270 */
Paul Bakkerf34cf852012-04-10 07:48:40 +0000[diff] [blame]1271 if( ssl->in_msglen < ssl->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1272 {
1273 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1274 ssl->in_msglen, ssl->maclen, padlen ) );
1275 return( POLARSSL_ERR_SSL_INVALID_MAC );
1276 }
1277
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1278 ssl->in_msglen -= ( ssl->maclen + padlen );
1279
1280 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1281 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1282
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1283 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1284
1285 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1286 {
1287 if( ssl->maclen == 16 )
1288 ssl_mac_md5( ssl->mac_dec,
1289 ssl->in_msg, ssl->in_msglen,
1290 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1291 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1292 ssl_mac_sha1( ssl->mac_dec,
1293 ssl->in_msg, ssl->in_msglen,
1294 ssl->in_ctr, ssl->in_msgtype );
1295 }
1296 else
1297 {
1298 if( ssl->maclen == 16 )
1299 md5_hmac( ssl->mac_dec, 16,
1300 ssl->in_ctr, ssl->in_msglen + 13,
1301 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1302 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303 sha1_hmac( ssl->mac_dec, 20,
1304 ssl->in_ctr, ssl->in_msglen + 13,
1305 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1306 else if( ssl->maclen == 32 )
1307 sha2_hmac( ssl->mac_dec, 32,
1308 ssl->in_ctr, ssl->in_msglen + 13,
1309 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1310 }
1311
1312 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
1313 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1314 ssl->maclen );
1315
1316 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1317 ssl->maclen ) != 0 )
1318 {
1319 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1320 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321 }
1322
1323 /*
1324 * Finally check the padding length; bad padding
1325 * will produce the same error as an invalid MAC.
1326 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1327 if( ssl->ivlen != 0 && ssl->ivlen != 12 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1328 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329
1330 if( ssl->in_msglen == 0 )
1331 {
1332 ssl->nb_zero++;
1333
1334 /*
1335 * Three or more empty messages may be a DoS attack
1336 * (excessive CPU consumption).
1337 */
1338 if( ssl->nb_zero > 3 )
1339 {
1340 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1341 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1342 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343 }
1344 }
1345 else
1346 ssl->nb_zero = 0;
1347
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1348 for( i = 8; i > 0; i-- )
1349 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350 break;
1351
1352 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1353
1354 return( 0 );
1355}
1356
1357/*
1358 * Fill the input message buffer
1359 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1360int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1361{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1362 int ret;
1363 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1364
1365 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1366
1367 while( ssl->in_left < nb_want )
1368 {
1369 len = nb_want - ssl->in_left;
1370 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1371
1372 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1373 ssl->in_left, nb_want ) );
1374 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1375
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1376 if( ret == 0 )
1377 return( POLARSSL_ERR_SSL_CONN_EOF );
1378
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1379 if( ret < 0 )
1380 return( ret );
1381
1382 ssl->in_left += ret;
1383 }
1384
1385 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1386
1387 return( 0 );
1388}
1389
1390/*
1391 * Flush any data not yet written
1392 */
1393int ssl_flush_output( ssl_context *ssl )
1394{
1395 int ret;
1396 unsigned char *buf;
1397
1398 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1399
1400 while( ssl->out_left > 0 )
1401 {
1402 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1403 5 + ssl->out_msglen, ssl->out_left ) );
1404
1405 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1406 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1407 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1408
1409 if( ret <= 0 )
1410 return( ret );
1411
1412 ssl->out_left -= ret;
1413 }
1414
1415 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1416
1417 return( 0 );
1418}
1419
1420/*
1421 * Record layer functions
1422 */
1423int ssl_write_record( ssl_context *ssl )
1424{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1425 int ret;
1426 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427
1428 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1429
1430 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1431 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1432 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1433 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1434 ssl->out_hdr[4] = (unsigned char)( len );
1435
1436 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1437 {
1438 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1439 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1440 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1441
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1442 ssl->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1443 }
1444
1445 if( ssl->do_crypt != 0 )
1446 {
1447 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1448 {
1449 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1450 return( ret );
1451 }
1452
1453 len = ssl->out_msglen;
1454 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1455 ssl->out_hdr[4] = (unsigned char)( len );
1456 }
1457
1458 ssl->out_left = 5 + ssl->out_msglen;
1459
1460 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1461 "version = [%d:%d], msglen = %d",
1462 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1463 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1464
1465 SSL_DEBUG_BUF( 4, "output record sent to network",
1466 ssl->out_hdr, 5 + ssl->out_msglen );
1467
1468 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1469 {
1470 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1471 return( ret );
1472 }
1473
1474 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1475
1476 return( 0 );
1477}
1478
1479int ssl_read_record( ssl_context *ssl )
1480{
1481 int ret;
1482
1483 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1484
1485 if( ssl->in_hslen != 0 &&
1486 ssl->in_hslen < ssl->in_msglen )
1487 {
1488 /*
1489 * Get next Handshake message in the current record
1490 */
1491 ssl->in_msglen -= ssl->in_hslen;
1492
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1493 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1494 ssl->in_msglen );
1495
1496 ssl->in_hslen = 4;
1497 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1498
1499 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1500 " %d, type = %d, hslen = %d",
1501 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1502
1503 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1504 {
1505 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1506 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1507 }
1508
1509 if( ssl->in_msglen < ssl->in_hslen )
1510 {
1511 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1512 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1513 }
1514
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1515 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1516
1517 return( 0 );
1518 }
1519
1520 ssl->in_hslen = 0;
1521
1522 /*
1523 * Read the record header and validate it
1524 */
1525 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1526 {
1527 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1528 return( ret );
1529 }
1530
1531 ssl->in_msgtype = ssl->in_hdr[0];
1532 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1533
1534 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1535 "version = [%d:%d], msglen = %d",
1536 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1537 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1538
1539 if( ssl->in_hdr[1] != ssl->major_ver )
1540 {
1541 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1542 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1543 }
1544
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1545 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1546 {
1547 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1548 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1549 }
1550
1551 /*
1552 * Make sure the message length is acceptable
1553 */
1554 if( ssl->do_crypt == 0 )
1555 {
1556 if( ssl->in_msglen < 1 ||
1557 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1558 {
1559 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1560 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1561 }
1562 }
1563 else
1564 {
1565 if( ssl->in_msglen < ssl->minlen )
1566 {
1567 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1568 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1569 }
1570
1571 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1572 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1573 {
1574 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1575 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1576 }
1577
1578 /*
1579 * TLS encrypted messages can have up to 256 bytes of padding
1580 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1581 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1582 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1583 {
1584 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1585 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1586 }
1587 }
1588
1589 /*
1590 * Read and optionally decrypt the message contents
1591 */
1592 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1593 {
1594 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1595 return( ret );
1596 }
1597
1598 SSL_DEBUG_BUF( 4, "input record from network",
1599 ssl->in_hdr, 5 + ssl->in_msglen );
1600
1601 if( ssl->do_crypt != 0 )
1602 {
1603 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1604 {
1605 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1606 return( ret );
1607 }
1608
1609 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1610 ssl->in_msg, ssl->in_msglen );
1611
1612 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1613 {
1614 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1615 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1616 }
1617 }
1618
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1619 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1620 ssl->in_msgtype != SSL_MSG_ALERT &&
1621 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1622 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1623 {
1624 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1625
1626 if( ( ret = ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1627 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
1628 {
1629 return( ret );
1630 }
1631
1632 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1633 }
1634
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1635 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1636 {
1637 ssl->in_hslen = 4;
1638 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1639
1640 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1641 " %d, type = %d, hslen = %d",
1642 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1643
1644 /*
1645 * Additional checks to validate the handshake header
1646 */
1647 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1648 {
1649 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1650 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1651 }
1652
1653 if( ssl->in_msglen < ssl->in_hslen )
1654 {
1655 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1656 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1657 }
1658
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1659 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1660 }
1661
1662 if( ssl->in_msgtype == SSL_MSG_ALERT )
1663 {
1664 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1665 ssl->in_msg[0], ssl->in_msg[1] ) );
1666
1667 /*
1668 * Ignore non-fatal alerts, except close_notify
1669 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1670 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1671 {
1672 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1673 /**
1674 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1675 * error identifier.
1676 */
1677 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678 }
1679
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1680 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1681 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1682 {
1683 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1684 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1685 }
1686 }
1687
1688 ssl->in_left = 0;
1689
1690 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1691
1692 return( 0 );
1693}
1694
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1695int ssl_send_alert_message( ssl_context *ssl,
1696 unsigned char level,
1697 unsigned char message )
1698{
1699 int ret;
1700
1701 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1702
1703 ssl->out_msgtype = SSL_MSG_ALERT;
1704 ssl->out_msglen = 2;
1705 ssl->out_msg[0] = level;
1706 ssl->out_msg[1] = message;
1707
1708 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1709 {
1710 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1711 return( ret );
1712 }
1713
1714 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1715
1716 return( 0 );
1717}
1718
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719/*
1720 * Handshake functions
1721 */
1722int ssl_write_certificate( ssl_context *ssl )
1723{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1724 int ret;
1725 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1726 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1727
1728 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1729
1730 if( ssl->endpoint == SSL_IS_CLIENT )
1731 {
1732 if( ssl->client_auth == 0 )
1733 {
1734 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1735 ssl->state++;
1736 return( 0 );
1737 }
1738
1739 /*
1740 * If using SSLv3 and got no cert, send an Alert message
1741 * (otherwise an empty Certificate message will be sent).
1742 */
1743 if( ssl->own_cert == NULL &&
1744 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1745 {
1746 ssl->out_msglen = 2;
1747 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1748 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1749 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1750
1751 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1752 goto write_msg;
1753 }
1754 }
1755 else /* SSL_IS_SERVER */
1756 {
1757 if( ssl->own_cert == NULL )
1758 {
1759 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1760 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1761 }
1762 }
1763
1764 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1765
1766 /*
1767 * 0 . 0 handshake type
1768 * 1 . 3 handshake length
1769 * 4 . 6 length of all certs
1770 * 7 . 9 length of cert. 1
1771 * 10 . n-1 peer certificate
1772 * n . n+2 length of cert. 2
1773 * n+3 . ... upper level cert, etc.
1774 */
1775 i = 7;
1776 crt = ssl->own_cert;
1777
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1778 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1779 {
1780 n = crt->raw.len;
1781 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1782 {
1783 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1784 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1785 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786 }
1787
1788 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1789 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1790 ssl->out_msg[i + 2] = (unsigned char)( n );
1791
1792 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1793 i += n; crt = crt->next;
1794 }
1795
1796 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1797 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1798 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1799
1800 ssl->out_msglen = i;
1801 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1802 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1803
1804write_msg:
1805
1806 ssl->state++;
1807
1808 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1809 {
1810 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1811 return( ret );
1812 }
1813
1814 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1815
1816 return( 0 );
1817}
1818
1819int ssl_parse_certificate( ssl_context *ssl )
1820{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1821 int ret;
1822 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823
1824 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1825
1826 if( ssl->endpoint == SSL_IS_SERVER &&
1827 ssl->authmode == SSL_VERIFY_NONE )
1828 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1829 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1830 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1831 ssl->state++;
1832 return( 0 );
1833 }
1834
1835 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1836 {
1837 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1838 return( ret );
1839 }
1840
1841 ssl->state++;
1842
1843 /*
1844 * Check if the client sent an empty certificate
1845 */
1846 if( ssl->endpoint == SSL_IS_SERVER &&
1847 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1848 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1849 if( ssl->in_msglen == 2 &&
1850 ssl->in_msgtype == SSL_MSG_ALERT &&
1851 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1852 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853 {
1854 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1855
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1856 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1858 return( 0 );
1859 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1860 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1861 }
1862 }
1863
1864 if( ssl->endpoint == SSL_IS_SERVER &&
1865 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1866 {
1867 if( ssl->in_hslen == 7 &&
1868 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1869 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1870 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1871 {
1872 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1873
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1874 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1875 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1876 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1877 else
1878 return( 0 );
1879 }
1880 }
1881
1882 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1883 {
1884 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1885 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886 }
1887
1888 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1889 {
1890 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1891 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1892 }
1893
1894 /*
1895 * Same message structure as in ssl_write_certificate()
1896 */
1897 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1898
1899 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1900 {
1901 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1902 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903 }
1904
1905 if( ( ssl->peer_cert = (x509_cert *) malloc(
1906 sizeof( x509_cert ) ) ) == NULL )
1907 {
1908 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1909 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1910 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1911 }
1912
1913 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1914
1915 i = 7;
1916
1917 while( i < ssl->in_hslen )
1918 {
1919 if( ssl->in_msg[i] != 0 )
1920 {
1921 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1922 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923 }
1924
1925 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1926 | (unsigned int) ssl->in_msg[i + 2];
1927 i += 3;
1928
1929 if( n < 128 || i + n > ssl->in_hslen )
1930 {
1931 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1932 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933 }
1934
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1935 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1936 if( ret != 0 )
1937 {
1938 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1939 return( ret );
1940 }
1941
1942 i += n;
1943 }
1944
1945 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1946
1947 if( ssl->authmode != SSL_VERIFY_NONE )
1948 {
1949 if( ssl->ca_chain == NULL )
1950 {
1951 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1952 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 }
1954
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1955 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1956 ssl->peer_cn, &ssl->verify_result,
1957 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1958
1959 if( ret != 0 )
1960 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1961
1962 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1963 ret = 0;
1964 }
1965
1966 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1967
1968 return( ret );
1969}
1970
1971int ssl_write_change_cipher_spec( ssl_context *ssl )
1972{
1973 int ret;
1974
1975 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1976
1977 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1978 ssl->out_msglen = 1;
1979 ssl->out_msg[0] = 1;
1980
1981 ssl->do_crypt = 0;
1982 ssl->state++;
1983
1984 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1985 {
1986 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1987 return( ret );
1988 }
1989
1990 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1991
1992 return( 0 );
1993}
1994
1995int ssl_parse_change_cipher_spec( ssl_context *ssl )
1996{
1997 int ret;
1998
1999 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2000
2001 ssl->do_crypt = 0;
2002
2003 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2004 {
2005 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2006 return( ret );
2007 }
2008
2009 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2010 {
2011 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2012 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013 }
2014
2015 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2016 {
2017 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2018 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019 }
2020
2021 ssl->state++;
2022
2023 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2024
2025 return( 0 );
2026}
2027
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2028void ssl_kickstart_checksum( ssl_context *ssl, int ciphersuite,
2029 unsigned char *input_buf, size_t len )
2030{
2031 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2032 {
2033 md5_starts( (md5_context *) ssl->ctx_checksum );
2034 sha1_starts( (sha1_context *) ( ssl->ctx_checksum +
2035 sizeof(md5_context) ) );
2036
2037 ssl->update_checksum = ssl_update_checksum_md5sha1;
2038 }
2039 else if ( ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
2040 ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
2041 {
2042 sha4_starts( (sha4_context *) ssl->ctx_checksum, 1 );
2043 ssl->update_checksum = ssl_update_checksum_sha384;
2044 }
2045 else
2046 {
2047 sha2_starts( (sha2_context *) ssl->ctx_checksum, 0 );
2048 ssl->update_checksum = ssl_update_checksum_sha256;
2049 }
2050
2051 if( ssl->endpoint == SSL_IS_CLIENT )
2052 ssl->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2053 ssl->update_checksum( ssl, input_buf, len );
2054}
2055
2056static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2057 size_t len )
2058{
2059 ((void) ssl);
2060 ((void) buf);
2061 ((void) len);
2062}
2063
2064static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2065 size_t len )
2066{
2067 md5_update( (md5_context *) ssl->ctx_checksum, buf, len );
2068 sha1_update( (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2069 buf, len );
2070}
2071
2072static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2073 size_t len )
2074{
2075 sha2_update( (sha2_context *) ssl->ctx_checksum, buf, len );
2076}
2077
2078static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2079 size_t len )
2080{
2081 sha4_update( (sha4_context *) ssl->ctx_checksum, buf, len );
2082}
2083
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2084static void ssl_calc_finished_ssl(
2085 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2086{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2087 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2088 md5_context md5;
2089 sha1_context sha1;
2090
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2091 unsigned char padbuf[48];
2092 unsigned char md5sum[16];
2093 unsigned char sha1sum[20];
2094
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2095 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2096
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2097 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2098 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2099 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2100
2101 /*
2102 * SSLv3:
2103 * hash =
2104 * MD5( master + pad2 +
2105 * MD5( handshake + sender + master + pad1 ) )
2106 * + SHA1( master + pad2 +
2107 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108 */
2109
2110 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2111 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2112
2113 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2114 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2115
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2116 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2117 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2118
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2119 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2120
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2121 md5_update( &md5, (unsigned char *) sender, 4 );
2122 md5_update( &md5, ssl->session->master, 48 );
2123 md5_update( &md5, padbuf, 48 );
2124 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2125
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2126 sha1_update( &sha1, (unsigned char *) sender, 4 );
2127 sha1_update( &sha1, ssl->session->master, 48 );
2128 sha1_update( &sha1, padbuf, 40 );
2129 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2130
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2131 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2132
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2133 md5_starts( &md5 );
2134 md5_update( &md5, ssl->session->master, 48 );
2135 md5_update( &md5, padbuf, 48 );
2136 md5_update( &md5, md5sum, 16 );
2137 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2138
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2139 sha1_starts( &sha1 );
2140 sha1_update( &sha1, ssl->session->master, 48 );
2141 sha1_update( &sha1, padbuf , 40 );
2142 sha1_update( &sha1, sha1sum, 20 );
2143 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2144
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2145 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2147 memset( &md5, 0, sizeof( md5_context ) );
2148 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2149
2150 memset( padbuf, 0, sizeof( padbuf ) );
2151 memset( md5sum, 0, sizeof( md5sum ) );
2152 memset( sha1sum, 0, sizeof( sha1sum ) );
2153
2154 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2155}
2156
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2157static void ssl_calc_finished_tls(
2158 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2159{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2160 int len = 12;
2161 char *sender;
2162 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2163 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2164 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2165
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2166 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2167
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2168 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2169 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2170 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2172 /*
2173 * TLSv1:
2174 * hash = PRF( master, finished_label,
2175 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2176 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2177
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2178 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2179 md5.state, sizeof( md5.state ) );
2180
2181 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2182 sha1.state, sizeof( sha1.state ) );
2183
2184 sender = ( from == SSL_IS_CLIENT )
2185 ? (char *) "client finished"
2186 : (char *) "server finished";
2187
2188 md5_finish( &md5, padbuf );
2189 sha1_finish( &sha1, padbuf + 16 );
2190
2191 ssl->tls_prf( ssl->session->master, 48, sender,
2192 padbuf, 36, buf, len );
2193
2194 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2195
2196 memset( &md5, 0, sizeof( md5_context ) );
2197 memset( &sha1, 0, sizeof( sha1_context ) );
2198
2199 memset( padbuf, 0, sizeof( padbuf ) );
2200
2201 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2202}
2203
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2204static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2205 ssl_context *ssl, unsigned char *buf, int from )
2206{
2207 int len = 12;
2208 char *sender;
2209 sha2_context sha2;
2210 unsigned char padbuf[32];
2211
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2212 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2213
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2214 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2215
2216 /*
2217 * TLSv1.2:
2218 * hash = PRF( master, finished_label,
2219 * Hash( handshake ) )[0.11]
2220 */
2221
2222 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2223 sha2.state, sizeof( sha2.state ) );
2224
2225 sender = ( from == SSL_IS_CLIENT )
2226 ? (char *) "client finished"
2227 : (char *) "server finished";
2228
2229 sha2_finish( &sha2, padbuf );
2230
2231 ssl->tls_prf( ssl->session->master, 48, sender,
2232 padbuf, 32, buf, len );
2233
2234 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2235
2236 memset( &sha2, 0, sizeof( sha2_context ) );
2237
2238 memset( padbuf, 0, sizeof( padbuf ) );
2239
2240 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2241}
2242
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2243static void ssl_calc_finished_tls_sha384(
2244 ssl_context *ssl, unsigned char *buf, int from )
2245{
2246 int len = 12;
2247 char *sender;
2248 sha4_context sha4;
2249 unsigned char padbuf[48];
2250
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2251 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2252
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2253 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2254
2255 /*
2256 * TLSv1.2:
2257 * hash = PRF( master, finished_label,
2258 * Hash( handshake ) )[0.11]
2259 */
2260
2261 SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2262 sha4.state, sizeof( sha4.state ) );
2263
2264 sender = ( from == SSL_IS_CLIENT )
2265 ? (char *) "client finished"
2266 : (char *) "server finished";
2267
2268 sha4_finish( &sha4, padbuf );
2269
2270 ssl->tls_prf( ssl->session->master, 48, sender,
2271 padbuf, 48, buf, len );
2272
2273 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2274
2275 memset( &sha4, 0, sizeof( sha4_context ) );
2276
2277 memset( padbuf, 0, sizeof( padbuf ) );
2278
2279 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2280}
2281
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2282int ssl_write_finished( ssl_context *ssl )
2283{
2284 int ret, hash_len;
2285
2286 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2287
2288 ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2289
2290 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2291 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2292
2293 ssl->out_msglen = 4 + hash_len;
2294 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2295 ssl->out_msg[0] = SSL_HS_FINISHED;
2296
2297 /*
2298 * In case of session resuming, invert the client and server
2299 * ChangeCipherSpec messages order.
2300 */
2301 if( ssl->resume != 0 )
2302 {
2303 if( ssl->endpoint == SSL_IS_CLIENT )
2304 ssl->state = SSL_HANDSHAKE_OVER;
2305 else
2306 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2307 }
2308 else
2309 ssl->state++;
2310
2311 ssl->do_crypt = 1;
2312
2313 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2314 {
2315 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2316 return( ret );
2317 }
2318
2319 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2320
2321 return( 0 );
2322}
2323
2324int ssl_parse_finished( ssl_context *ssl )
2325{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2326 int ret;
2327 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2328 unsigned char buf[36];
2329
2330 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2331
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2332 ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2333
2334 ssl->do_crypt = 1;
2335
2336 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2337 {
2338 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2339 return( ret );
2340 }
2341
2342 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2343 {
2344 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2345 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2346 }
2347
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2348 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2349 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2350
2351 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2352 ssl->in_hslen != 4 + hash_len )
2353 {
2354 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2355 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2356 }
2357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2358 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2359 {
2360 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2361 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2362 }
2363
2364 if( ssl->resume != 0 )
2365 {
2366 if( ssl->endpoint == SSL_IS_CLIENT )
2367 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2368
2369 if( ssl->endpoint == SSL_IS_SERVER )
2370 ssl->state = SSL_HANDSHAKE_OVER;
2371 }
2372 else
2373 ssl->state++;
2374
2375 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2376
2377 return( 0 );
2378}
2379
2380/*
2381 * Initialize an SSL context
2382 */
2383int ssl_init( ssl_context *ssl )
2384{
2385 int len = SSL_BUFFER_LEN;
2386
2387 memset( ssl, 0, sizeof( ssl_context ) );
2388
2389 ssl->in_ctr = (unsigned char *) malloc( len );
2390 ssl->in_hdr = ssl->in_ctr + 8;
2391 ssl->in_msg = ssl->in_ctr + 13;
2392
2393 if( ssl->in_ctr == NULL )
2394 {
2395 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2396 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2397 }
2398
2399 ssl->out_ctr = (unsigned char *) malloc( len );
2400 ssl->out_hdr = ssl->out_ctr + 8;
2401 ssl->out_msg = ssl->out_ctr + 13;
2402
2403 if( ssl->out_ctr == NULL )
2404 {
2405 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2406 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2407 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2408 }
2409
2410 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2411 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2412
2413 ssl->hostname = NULL;
2414 ssl->hostname_len = 0;
2415
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2416 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2417
2418 return( 0 );
2419}
2420
2421/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2422 * Reset an initialized and used SSL context for re-use while retaining
2423 * all application-set variables, function pointers and data.
2424 */
2425void ssl_session_reset( ssl_context *ssl )
2426{
2427 ssl->state = SSL_HELLO_REQUEST;
2428
2429 ssl->in_offt = NULL;
2430
2431 ssl->in_msgtype = 0;
2432 ssl->in_msglen = 0;
2433 ssl->in_left = 0;
2434
2435 ssl->in_hslen = 0;
2436 ssl->nb_zero = 0;
2437
2438 ssl->out_msgtype = 0;
2439 ssl->out_msglen = 0;
2440 ssl->out_left = 0;
2441
2442 ssl->do_crypt = 0;
2443 ssl->pmslen = 0;
2444 ssl->keylen = 0;
2445 ssl->minlen = 0;
2446 ssl->ivlen = 0;
2447 ssl->maclen = 0;
2448
2449 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2450 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2451 memset( ssl->randbytes, 0, 64 );
2452 memset( ssl->premaster, 0, 256 );
2453 memset( ssl->iv_enc, 0, 16 );
2454 memset( ssl->iv_dec, 0, 16 );
2455 memset( ssl->mac_enc, 0, 32 );
2456 memset( ssl->mac_dec, 0, 32 );
2457 memset( ssl->ctx_enc, 0, 128 );
2458 memset( ssl->ctx_dec, 0, 128 );
2459
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2460 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2461}
2462
2463/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2464 * SSL set accessors
2465 */
2466void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2467{
2468 ssl->endpoint = endpoint;
2469}
2470
2471void ssl_set_authmode( ssl_context *ssl, int authmode )
2472{
2473 ssl->authmode = authmode;
2474}
2475
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2476void ssl_set_verify( ssl_context *ssl,
2477 int (*f_vrfy)(void *, x509_cert *, int, int),
2478 void *p_vrfy )
2479{
2480 ssl->f_vrfy = f_vrfy;
2481 ssl->p_vrfy = p_vrfy;
2482}
2483
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2484void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2485 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2486 void *p_rng )
2487{
2488 ssl->f_rng = f_rng;
2489 ssl->p_rng = p_rng;
2490}
2491
2492void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2493 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2494 void *p_dbg )
2495{
2496 ssl->f_dbg = f_dbg;
2497 ssl->p_dbg = p_dbg;
2498}
2499
2500void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2501 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2502 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2503{
2504 ssl->f_recv = f_recv;
2505 ssl->f_send = f_send;
2506 ssl->p_recv = p_recv;
2507 ssl->p_send = p_send;
2508}
2509
2510void ssl_set_scb( ssl_context *ssl,
2511 int (*s_get)(ssl_context *),
2512 int (*s_set)(ssl_context *) )
2513{
2514 ssl->s_get = s_get;
2515 ssl->s_set = s_set;
2516}
2517
2518void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2519 ssl_session *session )
2520{
2521 ssl->resume = resume;
2522 ssl->timeout = timeout;
2523 ssl->session = session;
2524}
2525
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2526void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2527{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2528 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2529}
2530
2531void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2532 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2533{
2534 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2535 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2536 ssl->peer_cn = peer_cn;
2537}
2538
2539void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2540 rsa_context *rsa_key )
2541{
2542 ssl->own_cert = own_cert;
2543 ssl->rsa_key = rsa_key;
2544}
2545
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]2546#if defined(POLARSSL_PKCS11_C)
2547void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
2548 pkcs11_context *pkcs11_key )
2549{
2550 ssl->own_cert = own_cert;
2551 ssl->pkcs11_key = pkcs11_key;
2552}
2553#endif
2554
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2555int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2556{
2557 int ret;
2558
2559 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2560 {
2561 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2562 return( ret );
2563 }
2564
2565 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2566 {
2567 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2568 return( ret );
2569 }
2570
2571 return( 0 );
2572}
2573
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2574int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
2575{
2576 int ret;
2577
2578 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2579 {
2580 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2581 return( ret );
2582 }
2583
2584 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2585 {
2586 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2587 return( ret );
2588 }
2589
2590 return( 0 );
2591}
2592
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2593int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2594{
2595 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2596 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2597
2598 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2599 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2600
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2601 if( ssl->hostname == NULL )
2602 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2603
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2604 memcpy( ssl->hostname, (unsigned char *) hostname,
2605 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2606
2607 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2608
2609 return( 0 );
2610}
2611
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2612void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2613{
2614 ssl->max_major_ver = major;
2615 ssl->max_minor_ver = minor;
2616}
2617
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2618/*
2619 * SSL get accessors
2620 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2621size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2622{
2623 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2624}
2625
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2626int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2627{
2628 return( ssl->verify_result );
2629}
2630
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2631const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2632{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2633 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2634 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2635#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2636 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2637 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2638
2639 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2640 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2641#endif
2642
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2643#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2644 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2645 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2646
2647 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2648 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2649#endif
2650
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2651#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2652 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2653 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2654
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2655 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2656 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2657
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2658 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2659 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2660
2661 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2662 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2663
2664#if defined(POLARSSL_SHA2_C)
2665 case SSL_RSA_AES_128_SHA256:
2666 return( "SSL-RSA-AES-128-SHA256" );
2667
2668 case SSL_EDH_RSA_AES_128_SHA256:
2669 return( "SSL-EDH-RSA-AES-128-SHA256" );
2670
2671 case SSL_RSA_AES_256_SHA256:
2672 return( "SSL-RSA-AES-256-SHA256" );
2673
2674 case SSL_EDH_RSA_AES_256_SHA256:
2675 return( "SSL-EDH-RSA-AES-256-SHA256" );
2676#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2677
2678#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2679 case SSL_RSA_AES_128_GCM_SHA256:
2680 return( "SSL-RSA-AES-128-GCM-SHA256" );
2681
2682 case SSL_EDH_RSA_AES_128_GCM_SHA256:
2683 return( "SSL-EDH-RSA-AES-128-GCM-SHA256" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2684#endif
2685
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2686#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2687 case SSL_RSA_AES_256_GCM_SHA384:
2688 return( "SSL-RSA-AES-256-GCM-SHA384" );
2689
2690 case SSL_EDH_RSA_AES_256_GCM_SHA384:
2691 return( "SSL-EDH-RSA-AES-256-GCM-SHA384" );
2692#endif
2693#endif /* POLARSSL_AES_C */
2694
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2695#if defined(POLARSSL_CAMELLIA_C)
2696 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2697 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2698
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2699 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2700 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2701
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2702 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2703 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2704
2705 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2706 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2707
2708#if defined(POLARSSL_SHA2_C)
2709 case SSL_RSA_CAMELLIA_128_SHA256:
2710 return( "SSL-RSA-CAMELLIA-128-SHA256" );
2711
2712 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
2713 return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
2714
2715 case SSL_RSA_CAMELLIA_256_SHA256:
2716 return( "SSL-RSA-CAMELLIA-256-SHA256" );
2717
2718 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
2719 return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
2720#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2721#endif
2722
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2723#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2724#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2725 case SSL_RSA_NULL_MD5:
2726 return( "SSL-RSA-NULL-MD5" );
2727 case SSL_RSA_NULL_SHA:
2728 return( "SSL-RSA-NULL-SHA" );
2729 case SSL_RSA_NULL_SHA256:
2730 return( "SSL-RSA-NULL-SHA256" );
2731#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2732
2733#if defined(POLARSSL_DES_C)
2734 case SSL_RSA_DES_SHA:
2735 return( "SSL-RSA-DES-SHA" );
2736 case SSL_EDH_RSA_DES_SHA:
2737 return( "SSL-EDH-RSA-DES-SHA" );
2738#endif
2739#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2740
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2741 default:
2742 break;
2743 }
2744
2745 return( "unknown" );
2746}
2747
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2748int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2749{
2750#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2751 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2752 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2753 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2754 return( SSL_RSA_RC4_128_SHA );
2755#endif
2756
2757#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2758 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2759 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2760 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2761 return( SSL_EDH_RSA_DES_168_SHA );
2762#endif
2763
2764#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2765 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2766 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2767 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2768 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2769 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2770 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2771 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2772 return( SSL_EDH_RSA_AES_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2773
2774#if defined(POLARSSL_SHA2_C)
2775 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
2776 return( SSL_RSA_AES_128_SHA256 );
2777 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
2778 return( SSL_EDH_RSA_AES_128_SHA256 );
2779 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
2780 return( SSL_RSA_AES_256_SHA256 );
2781 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
2782 return( SSL_EDH_RSA_AES_256_SHA256 );
2783#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2784
2785#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2786 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-GCM-SHA256"))
2787 return( SSL_RSA_AES_128_GCM_SHA256 );
2788 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-GCM-SHA256"))
2789 return( SSL_EDH_RSA_AES_128_GCM_SHA256 );
2790#endif
2791
2792#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2793 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-GCM-SHA384"))
2794 return( SSL_RSA_AES_256_GCM_SHA384 );
2795 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-GCM-SHA384"))
2796 return( SSL_EDH_RSA_AES_256_GCM_SHA384 );
2797#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2798#endif
2799
2800#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2801 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2802 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2803 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2804 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2805 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2806 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2807 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2808 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2809
2810#if defined(POLARSSL_SHA2_C)
2811 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
2812 return( SSL_RSA_CAMELLIA_128_SHA256 );
2813 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
2814 return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
2815 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
2816 return( SSL_RSA_CAMELLIA_256_SHA256 );
2817 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
2818 return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
2819#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2820#endif
2821
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2822#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2823#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2824 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
2825 return( SSL_RSA_NULL_MD5 );
2826 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
2827 return( SSL_RSA_NULL_SHA );
2828 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
2829 return( SSL_RSA_NULL_SHA256 );
2830#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2831
2832#if defined(POLARSSL_DES_C)
2833 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
2834 return( SSL_RSA_DES_SHA );
2835 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
2836 return( SSL_EDH_RSA_DES_SHA );
2837#endif
2838#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2839
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2840 return( 0 );
2841}
2842
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2843const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2844{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2845 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2846}
2847
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2848const char *ssl_get_version( const ssl_context *ssl )
2849{
2850 switch( ssl->minor_ver )
2851 {
2852 case SSL_MINOR_VERSION_0:
2853 return( "SSLv3.0" );
2854
2855 case SSL_MINOR_VERSION_1:
2856 return( "TLSv1.0" );
2857
2858 case SSL_MINOR_VERSION_2:
2859 return( "TLSv1.1" );
2860
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2861 case SSL_MINOR_VERSION_3:
2862 return( "TLSv1.2" );
2863
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2864 default:
2865 break;
2866 }
2867 return( "unknown" );
2868}
2869
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2870int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2871{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2872#if defined(POLARSSL_DHM_C)
2873#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2874#if defined(POLARSSL_SHA2_C)
2875 SSL_EDH_RSA_AES_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2876#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2877#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2878 SSL_EDH_RSA_AES_256_GCM_SHA384,
2879#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2880 SSL_EDH_RSA_AES_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2881#if defined(POLARSSL_SHA2_C)
2882 SSL_EDH_RSA_AES_128_SHA256,
2883#endif
2884#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2885 SSL_EDH_RSA_AES_128_GCM_SHA256,
2886#endif
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2887 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2888#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2889#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2890#if defined(POLARSSL_SHA2_C)
2891 SSL_EDH_RSA_CAMELLIA_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2892#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2893 SSL_EDH_RSA_CAMELLIA_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2894#if defined(POLARSSL_SHA2_C)
2895 SSL_EDH_RSA_CAMELLIA_128_SHA256,
2896#endif /* POLARSSL_SHA2_C */
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2897 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2898#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2899#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2900 SSL_EDH_RSA_DES_168_SHA,
2901#endif
2902#endif
2903
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2904#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2905#if defined(POLARSSL_SHA2_C)
2906 SSL_RSA_AES_256_SHA256,
2907#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2908#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2909 SSL_RSA_AES_256_GCM_SHA384,
2910#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2911 SSL_RSA_AES_256_SHA,
2912#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2913#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2914#if defined(POLARSSL_SHA2_C)
2915 SSL_RSA_CAMELLIA_256_SHA256,
2916#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2917 SSL_RSA_CAMELLIA_256_SHA,
2918#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2919#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2920#if defined(POLARSSL_SHA2_C)
2921 SSL_RSA_AES_128_SHA256,
2922#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2923#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2924 SSL_RSA_AES_128_GCM_SHA256,
2925#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2926 SSL_RSA_AES_128_SHA,
2927#endif
2928#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2929#if defined(POLARSSL_SHA2_C)
2930 SSL_RSA_CAMELLIA_128_SHA256,
2931#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2932 SSL_RSA_CAMELLIA_128_SHA,
2933#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2934#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2935 SSL_RSA_DES_168_SHA,
2936#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2937#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2938 SSL_RSA_RC4_128_SHA,
2939 SSL_RSA_RC4_128_MD5,
2940#endif
2941 0
2942};
2943
2944/*
2945 * Perform the SSL handshake
2946 */
2947int ssl_handshake( ssl_context *ssl )
2948{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2949 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2950
2951 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
2952
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2953#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2954 if( ssl->endpoint == SSL_IS_CLIENT )
2955 ret = ssl_handshake_client( ssl );
2956#endif
2957
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2958#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2959 if( ssl->endpoint == SSL_IS_SERVER )
2960 ret = ssl_handshake_server( ssl );
2961#endif
2962
2963 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
2964
2965 return( ret );
2966}
2967
2968/*
2969 * Receive application data decrypted from the SSL layer
2970 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2971int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2972{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2973 int ret;
2974 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2975
2976 SSL_DEBUG_MSG( 2, ( "=> read" ) );
2977
2978 if( ssl->state != SSL_HANDSHAKE_OVER )
2979 {
2980 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2981 {
2982 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2983 return( ret );
2984 }
2985 }
2986
2987 if( ssl->in_offt == NULL )
2988 {
2989 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2990 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2991 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2992 return( 0 );
2993
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2994 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2995 return( ret );
2996 }
2997
2998 if( ssl->in_msglen == 0 &&
2999 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3000 {
3001 /*
3002 * OpenSSL sends empty messages to randomize the IV
3003 */
3004 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3005 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3006 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3007 return( 0 );
3008
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3009 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3010 return( ret );
3011 }
3012 }
3013
3014 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3015 {
3016 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3017 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3018 }
3019
3020 ssl->in_offt = ssl->in_msg;
3021 }
3022
3023 n = ( len < ssl->in_msglen )
3024 ? len : ssl->in_msglen;
3025
3026 memcpy( buf, ssl->in_offt, n );
3027 ssl->in_msglen -= n;
3028
3029 if( ssl->in_msglen == 0 )
3030 /* all bytes consumed */
3031 ssl->in_offt = NULL;
3032 else
3033 /* more data available */
3034 ssl->in_offt += n;
3035
3036 SSL_DEBUG_MSG( 2, ( "<= read" ) );
3037
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3038 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3039}
3040
3041/*
3042 * Send application data to be encrypted by the SSL layer
3043 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3044int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3045{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3046 int ret;
3047 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3048
3049 SSL_DEBUG_MSG( 2, ( "=> write" ) );
3050
3051 if( ssl->state != SSL_HANDSHAKE_OVER )
3052 {
3053 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3054 {
3055 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3056 return( ret );
3057 }
3058 }
3059
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3060 n = ( len < SSL_MAX_CONTENT_LEN )
3061 ? len : SSL_MAX_CONTENT_LEN;
3062
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3063 if( ssl->out_left != 0 )
3064 {
3065 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3066 {
3067 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3068 return( ret );
3069 }
3070 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3071 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]3072 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3073 ssl->out_msglen = n;
3074 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3075 memcpy( ssl->out_msg, buf, n );
3076
3077 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3078 {
3079 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3080 return( ret );
3081 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3082 }
3083
3084 SSL_DEBUG_MSG( 2, ( "<= write" ) );
3085
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3086 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3087}
3088
3089/*
3090 * Notify the peer that the connection is being closed
3091 */
3092int ssl_close_notify( ssl_context *ssl )
3093{
3094 int ret;
3095
3096 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3097
3098 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3099 {
3100 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3101 return( ret );
3102 }
3103
3104 if( ssl->state == SSL_HANDSHAKE_OVER )
3105 {
3106 ssl->out_msgtype = SSL_MSG_ALERT;
3107 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]3108 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
3109 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3110
3111 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3112 {
3113 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3114 return( ret );
3115 }
3116 }
3117
3118 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3119
3120 return( ret );
3121}
3122
3123/*
3124 * Free an SSL context
3125 */
3126void ssl_free( ssl_context *ssl )
3127{
3128 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3129
3130 if( ssl->peer_cert != NULL )
3131 {
3132 x509_free( ssl->peer_cert );
3133 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
3134 free( ssl->peer_cert );
3135 }
3136
3137 if( ssl->out_ctr != NULL )
3138 {
3139 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3140 free( ssl->out_ctr );
3141 }
3142
3143 if( ssl->in_ctr != NULL )
3144 {
3145 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3146 free( ssl->in_ctr );
3147 }
3148
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3149#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3150 dhm_free( &ssl->dhm_ctx );
3151#endif
3152
3153 if ( ssl->hostname != NULL)
3154 {
3155 memset( ssl->hostname, 0, ssl->hostname_len );
3156 free( ssl->hostname );
3157 ssl->hostname_len = 0;
3158 }
3159
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3160 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]3161
3162 /* Actually free after last debug message */
3163 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3164}
3165
3166#endif