TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 05ef835b6a97ca85c331c0160278dabd6c92d99b / . / library / ssl_tls.c
blob: bbafcf35c65ede288330b7e34a12d889c4c5d4d4 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]46#if defined(POLARSSL_GCM_C)
47#include "polarssl/gcm.h"
48#endif
49
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50#include <stdlib.h>
51#include <time.h>
52
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]53#if defined _MSC_VER && !defined strcasecmp
54#define strcasecmp _stricmp
55#endif
56
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]57#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58int (*ssl_hw_record_init)(ssl_context *ssl,
59 const unsigned char *key_enc, const unsigned char *key_dec,
60 const unsigned char *iv_enc, const unsigned char *iv_dec,
61 const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
62int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
63int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
64int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
65int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
66#endif
67
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68/*
69 * Key material generation
70 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]71static int tls1_prf( unsigned char *secret, size_t slen, char *label,
72 unsigned char *random, size_t rlen,
73 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]74{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]75 size_t nb, hs;
76 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77 unsigned char *S1, *S2;
78 unsigned char tmp[128];
79 unsigned char h_i[20];
80
81 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]82 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]83
84 hs = ( slen + 1 ) / 2;
85 S1 = secret;
86 S2 = secret + slen - hs;
87
88 nb = strlen( label );
89 memcpy( tmp + 20, label, nb );
90 memcpy( tmp + 20 + nb, random, rlen );
91 nb += rlen;
92
93 /*
94 * First compute P_md5(secret,label+random)[0..dlen]
95 */
96 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
97
98 for( i = 0; i < dlen; i += 16 )
99 {
100 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
101 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
102
103 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
104
105 for( j = 0; j < k; j++ )
106 dstbuf[i + j] = h_i[j];
107 }
108
109 /*
110 * XOR out with P_sha1(secret,label+random)[0..dlen]
111 */
112 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
113
114 for( i = 0; i < dlen; i += 20 )
115 {
116 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
117 sha1_hmac( S2, hs, tmp, 20, tmp );
118
119 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
120
121 for( j = 0; j < k; j++ )
122 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
123 }
124
125 memset( tmp, 0, sizeof( tmp ) );
126 memset( h_i, 0, sizeof( h_i ) );
127
128 return( 0 );
129}
130
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]131static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
132 unsigned char *random, size_t rlen,
133 unsigned char *dstbuf, size_t dlen )
134{
135 size_t nb;
136 size_t i, j, k;
137 unsigned char tmp[128];
138 unsigned char h_i[32];
139
140 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
141 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
142
143 nb = strlen( label );
144 memcpy( tmp + 32, label, nb );
145 memcpy( tmp + 32 + nb, random, rlen );
146 nb += rlen;
147
148 /*
149 * Compute P_<hash>(secret, label + random)[0..dlen]
150 */
151 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
152
153 for( i = 0; i < dlen; i += 32 )
154 {
155 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
156 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
157
158 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
159
160 for( j = 0; j < k; j++ )
161 dstbuf[i + j] = h_i[j];
162 }
163
164 memset( tmp, 0, sizeof( tmp ) );
165 memset( h_i, 0, sizeof( h_i ) );
166
167 return( 0 );
168}
169
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]170static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
171 unsigned char *random, size_t rlen,
172 unsigned char *dstbuf, size_t dlen )
173{
174 size_t nb;
175 size_t i, j, k;
176 unsigned char tmp[128];
177 unsigned char h_i[48];
178
179 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
180 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
181
182 nb = strlen( label );
183 memcpy( tmp + 48, label, nb );
184 memcpy( tmp + 48 + nb, random, rlen );
185 nb += rlen;
186
187 /*
188 * Compute P_<hash>(secret, label + random)[0..dlen]
189 */
190 sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
191
192 for( i = 0; i < dlen; i += 48 )
193 {
194 sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
195 sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
196
197 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
198
199 for( j = 0; j < k; j++ )
200 dstbuf[i + j] = h_i[j];
201 }
202
203 memset( tmp, 0, sizeof( tmp ) );
204 memset( h_i, 0, sizeof( h_i ) );
205
206 return( 0 );
207}
208
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]209static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
210static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
211static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
212static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
213
214static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
215static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
216static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
217static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
218
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]219static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
220static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
221static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
222static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224int ssl_derive_keys( ssl_context *ssl )
225{
226 int i;
227 md5_context md5;
228 sha1_context sha1;
229 unsigned char tmp[64];
230 unsigned char padding[16];
231 unsigned char sha1sum[20];
232 unsigned char keyblk[256];
233 unsigned char *key1;
234 unsigned char *key2;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]235 unsigned int iv_copy_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236
237 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
238
239 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]240 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]241 */
242 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]243 {
244 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]245 ssl->calc_verify = ssl_calc_verify_ssl;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]246 ssl->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]247 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]248 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]249 {
250 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]251 ssl->calc_verify = ssl_calc_verify_tls;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]252 ssl->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]253 }
254 else if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
255 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
256 {
257 ssl->tls_prf = tls_prf_sha384;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]258 ssl->calc_verify = ssl_calc_verify_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]259 ssl->calc_finished = ssl_calc_finished_tls_sha384;
260 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]261 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]262 {
263 ssl->tls_prf = tls_prf_sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]264 ssl->calc_verify = ssl_calc_verify_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]265 ssl->calc_finished = ssl_calc_finished_tls_sha256;
266 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]267
268 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]269 * SSLv3:
270 * master =
271 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
272 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
273 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
274 *
275 * TLSv1:
276 * master = PRF( premaster, "master secret", randbytes )[0..47]
277 */
278 if( ssl->resume == 0 )
279 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]280 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281
282 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
283
284 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
285 {
286 for( i = 0; i < 3; i++ )
287 {
288 memset( padding, 'A' + i, 1 + i );
289
290 sha1_starts( &sha1 );
291 sha1_update( &sha1, padding, 1 + i );
292 sha1_update( &sha1, ssl->premaster, len );
293 sha1_update( &sha1, ssl->randbytes, 64 );
294 sha1_finish( &sha1, sha1sum );
295
296 md5_starts( &md5 );
297 md5_update( &md5, ssl->premaster, len );
298 md5_update( &md5, sha1sum, 20 );
299 md5_finish( &md5, ssl->session->master + i * 16 );
300 }
301 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]302 else
303 ssl->tls_prf( ssl->premaster, len, "master secret",
304 ssl->randbytes, 64, ssl->session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]305
306 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
307 }
308 else
309 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
310
311 /*
312 * Swap the client and server random values.
313 */
314 memcpy( tmp, ssl->randbytes, 64 );
315 memcpy( ssl->randbytes, tmp + 32, 32 );
316 memcpy( ssl->randbytes + 32, tmp, 32 );
317 memset( tmp, 0, sizeof( tmp ) );
318
319 /*
320 * SSLv3:
321 * key block =
322 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
323 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
324 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
325 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
326 * ...
327 *
328 * TLSv1:
329 * key block = PRF( master, "key expansion", randbytes )
330 */
331 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
332 {
333 for( i = 0; i < 16; i++ )
334 {
335 memset( padding, 'A' + i, 1 + i );
336
337 sha1_starts( &sha1 );
338 sha1_update( &sha1, padding, 1 + i );
339 sha1_update( &sha1, ssl->session->master, 48 );
340 sha1_update( &sha1, ssl->randbytes, 64 );
341 sha1_finish( &sha1, sha1sum );
342
343 md5_starts( &md5 );
344 md5_update( &md5, ssl->session->master, 48 );
345 md5_update( &md5, sha1sum, 20 );
346 md5_finish( &md5, keyblk + i * 16 );
347 }
348
349 memset( &md5, 0, sizeof( md5 ) );
350 memset( &sha1, 0, sizeof( sha1 ) );
351
352 memset( padding, 0, sizeof( padding ) );
353 memset( sha1sum, 0, sizeof( sha1sum ) );
354 }
355 else
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]356 ssl->tls_prf( ssl->session->master, 48, "key expansion",
357 ssl->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]359 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
361 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
362 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
363
364 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
365
366 /*
367 * Determine the appropriate key, IV and MAC length.
368 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]369 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]370 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]371#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]372 case SSL_RSA_RC4_128_MD5:
373 ssl->keylen = 16; ssl->minlen = 16;
374 ssl->ivlen = 0; ssl->maclen = 16;
375 break;
376
377 case SSL_RSA_RC4_128_SHA:
378 ssl->keylen = 16; ssl->minlen = 20;
379 ssl->ivlen = 0; ssl->maclen = 20;
380 break;
381#endif
382
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]383#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384 case SSL_RSA_DES_168_SHA:
385 case SSL_EDH_RSA_DES_168_SHA:
386 ssl->keylen = 24; ssl->minlen = 24;
387 ssl->ivlen = 8; ssl->maclen = 20;
388 break;
389#endif
390
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]391#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]393 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394 ssl->keylen = 16; ssl->minlen = 32;
395 ssl->ivlen = 16; ssl->maclen = 20;
396 break;
397
398 case SSL_RSA_AES_256_SHA:
399 case SSL_EDH_RSA_AES_256_SHA:
400 ssl->keylen = 32; ssl->minlen = 32;
401 ssl->ivlen = 16; ssl->maclen = 20;
402 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]403
404#if defined(POLARSSL_SHA2_C)
405 case SSL_RSA_AES_128_SHA256:
406 case SSL_EDH_RSA_AES_128_SHA256:
407 ssl->keylen = 16; ssl->minlen = 32;
408 ssl->ivlen = 16; ssl->maclen = 32;
409 break;
410
411 case SSL_RSA_AES_256_SHA256:
412 case SSL_EDH_RSA_AES_256_SHA256:
413 ssl->keylen = 32; ssl->minlen = 32;
414 ssl->ivlen = 16; ssl->maclen = 32;
415 break;
416#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]417#if defined(POLARSSL_GCM_C)
418 case SSL_RSA_AES_128_GCM_SHA256:
419 case SSL_EDH_RSA_AES_128_GCM_SHA256:
420 ssl->keylen = 16; ssl->minlen = 1;
421 ssl->ivlen = 12; ssl->maclen = 0;
422 ssl->fixed_ivlen = 4;
423 break;
424
425 case SSL_RSA_AES_256_GCM_SHA384:
426 case SSL_EDH_RSA_AES_256_GCM_SHA384:
427 ssl->keylen = 32; ssl->minlen = 1;
428 ssl->ivlen = 12; ssl->maclen = 0;
429 ssl->fixed_ivlen = 4;
430 break;
431#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]432#endif
433
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]434#if defined(POLARSSL_CAMELLIA_C)
435 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]436 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]437 ssl->keylen = 16; ssl->minlen = 32;
438 ssl->ivlen = 16; ssl->maclen = 20;
439 break;
440
441 case SSL_RSA_CAMELLIA_256_SHA:
442 case SSL_EDH_RSA_CAMELLIA_256_SHA:
443 ssl->keylen = 32; ssl->minlen = 32;
444 ssl->ivlen = 16; ssl->maclen = 20;
445 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]446
447#if defined(POLARSSL_SHA2_C)
448 case SSL_RSA_CAMELLIA_128_SHA256:
449 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
450 ssl->keylen = 16; ssl->minlen = 32;
451 ssl->ivlen = 16; ssl->maclen = 32;
452 break;
453
454 case SSL_RSA_CAMELLIA_256_SHA256:
455 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
456 ssl->keylen = 32; ssl->minlen = 32;
457 ssl->ivlen = 16; ssl->maclen = 32;
458 break;
459#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]460#endif
461
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]462#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
463#if defined(POLARSSL_CIPHER_NULL_CIPHER)
464 case SSL_RSA_NULL_MD5:
465 ssl->keylen = 0; ssl->minlen = 0;
466 ssl->ivlen = 0; ssl->maclen = 16;
467 break;
468
469 case SSL_RSA_NULL_SHA:
470 ssl->keylen = 0; ssl->minlen = 0;
471 ssl->ivlen = 0; ssl->maclen = 20;
472 break;
473
474 case SSL_RSA_NULL_SHA256:
475 ssl->keylen = 0; ssl->minlen = 0;
476 ssl->ivlen = 0; ssl->maclen = 32;
477 break;
478#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
479
480#if defined(POLARSSL_DES_C)
481 case SSL_RSA_DES_SHA:
482 case SSL_EDH_RSA_DES_SHA:
483 ssl->keylen = 8; ssl->minlen = 8;
484 ssl->ivlen = 8; ssl->maclen = 20;
485 break;
486#endif
487#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
488
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]490 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
491 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]492 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493 }
494
495 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
496 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
497
498 /*
499 * Finally setup the cipher contexts, IVs and MAC secrets.
500 */
501 if( ssl->endpoint == SSL_IS_CLIENT )
502 {
503 key1 = keyblk + ssl->maclen * 2;
504 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
505
506 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
507 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
508
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]509 /*
510 * This is not used in TLS v1.1.
511 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]512 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
513 memcpy( ssl->iv_enc, key2 + ssl->keylen, iv_copy_len );
514 memcpy( ssl->iv_dec, key2 + ssl->keylen + iv_copy_len,
515 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516 }
517 else
518 {
519 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
520 key2 = keyblk + ssl->maclen * 2;
521
522 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
523 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
524
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]525 /*
526 * This is not used in TLS v1.1.
527 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]528 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
529 memcpy( ssl->iv_dec, key1 + ssl->keylen, iv_copy_len );
530 memcpy( ssl->iv_enc, key1 + ssl->keylen + iv_copy_len,
531 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]532 }
533
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]534#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
535 if( ssl_hw_record_init != NULL)
536 {
537 int ret = 0;
538
539 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
540
541 if( ( ret = ssl_hw_record_init( ssl, key1, key2, ssl->iv_enc,
542 ssl->iv_dec, ssl->mac_enc,
543 ssl->mac_dec ) ) != 0 )
544 {
545 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
546 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
547 }
548 }
549#endif
550
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]551 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]553#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554 case SSL_RSA_RC4_128_MD5:
555 case SSL_RSA_RC4_128_SHA:
556 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
557 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
558 break;
559#endif
560
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]561#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562 case SSL_RSA_DES_168_SHA:
563 case SSL_EDH_RSA_DES_168_SHA:
564 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
565 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
566 break;
567#endif
568
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]569#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]571 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]572 case SSL_RSA_AES_128_SHA256:
573 case SSL_EDH_RSA_AES_128_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
575 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
576 break;
577
578 case SSL_RSA_AES_256_SHA:
579 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]580 case SSL_RSA_AES_256_SHA256:
581 case SSL_EDH_RSA_AES_256_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
583 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
584 break;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]585
586#if defined(POLARSSL_GCM_C)
587 case SSL_RSA_AES_128_GCM_SHA256:
588 case SSL_EDH_RSA_AES_128_GCM_SHA256:
589 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 128 );
590 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 128 );
591 break;
592
593 case SSL_RSA_AES_256_GCM_SHA384:
594 case SSL_EDH_RSA_AES_256_GCM_SHA384:
595 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 256 );
596 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 256 );
597 break;
598#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599#endif
600
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]601#if defined(POLARSSL_CAMELLIA_C)
602 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]603 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]604 case SSL_RSA_CAMELLIA_128_SHA256:
605 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]606 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
607 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
608 break;
609
610 case SSL_RSA_CAMELLIA_256_SHA:
611 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]612 case SSL_RSA_CAMELLIA_256_SHA256:
613 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]614 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
615 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
616 break;
617#endif
618
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]619#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
620#if defined(POLARSSL_CIPHER_NULL_CIPHER)
621 case SSL_RSA_NULL_MD5:
622 case SSL_RSA_NULL_SHA:
623 case SSL_RSA_NULL_SHA256:
624 break;
625#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
626
627#if defined(POLARSSL_DES_C)
628 case SSL_RSA_DES_SHA:
629 case SSL_EDH_RSA_DES_SHA:
630 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
631 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
632 break;
633#endif
634#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
635
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]637 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]638 }
639
640 memset( keyblk, 0, sizeof( keyblk ) );
641
642 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
643
644 return( 0 );
645}
646
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]647void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648{
649 md5_context md5;
650 sha1_context sha1;
651 unsigned char pad_1[48];
652 unsigned char pad_2[48];
653
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]654 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]656 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
657 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
658 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]660 memset( pad_1, 0x36, 48 );
661 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]663 md5_update( &md5, ssl->session->master, 48 );
664 md5_update( &md5, pad_1, 48 );
665 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]667 md5_starts( &md5 );
668 md5_update( &md5, ssl->session->master, 48 );
669 md5_update( &md5, pad_2, 48 );
670 md5_update( &md5, hash, 16 );
671 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]673 sha1_update( &sha1, ssl->session->master, 48 );
674 sha1_update( &sha1, pad_1, 40 );
675 sha1_finish( &sha1, hash + 16 );
676
677 sha1_starts( &sha1 );
678 sha1_update( &sha1, ssl->session->master, 48 );
679 sha1_update( &sha1, pad_2, 40 );
680 sha1_update( &sha1, hash + 16, 20 );
681 sha1_finish( &sha1, hash + 16 );
682
683 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
684 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
685
686 return;
687}
688
689void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
690{
691 md5_context md5;
692 sha1_context sha1;
693
694 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
695
696 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
697 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
698 sizeof( sha1_context ) );
699
700 md5_finish( &md5, hash );
701 sha1_finish( &sha1, hash + 16 );
702
703 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
704 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
705
706 return;
707}
708
709void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
710{
711 sha2_context sha2;
712
713 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
714
715 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
716 sha2_finish( &sha2, hash );
717
718 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
719 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
720
721 return;
722}
723
724void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
725{
726 sha4_context sha4;
727
728 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
729
730 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
731 sha4_finish( &sha4, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]733 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
735
736 return;
737}
738
739/*
740 * SSLv3.0 MAC functions
741 */
742static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]743 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]744 unsigned char *ctr, int type )
745{
746 unsigned char header[11];
747 unsigned char padding[48];
748 md5_context md5;
749
750 memcpy( header, ctr, 8 );
751 header[ 8] = (unsigned char) type;
752 header[ 9] = (unsigned char)( len >> 8 );
753 header[10] = (unsigned char)( len );
754
755 memset( padding, 0x36, 48 );
756 md5_starts( &md5 );
757 md5_update( &md5, secret, 16 );
758 md5_update( &md5, padding, 48 );
759 md5_update( &md5, header, 11 );
760 md5_update( &md5, buf, len );
761 md5_finish( &md5, buf + len );
762
763 memset( padding, 0x5C, 48 );
764 md5_starts( &md5 );
765 md5_update( &md5, secret, 16 );
766 md5_update( &md5, padding, 48 );
767 md5_update( &md5, buf + len, 16 );
768 md5_finish( &md5, buf + len );
769}
770
771static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]772 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 unsigned char *ctr, int type )
774{
775 unsigned char header[11];
776 unsigned char padding[40];
777 sha1_context sha1;
778
779 memcpy( header, ctr, 8 );
780 header[ 8] = (unsigned char) type;
781 header[ 9] = (unsigned char)( len >> 8 );
782 header[10] = (unsigned char)( len );
783
784 memset( padding, 0x36, 40 );
785 sha1_starts( &sha1 );
786 sha1_update( &sha1, secret, 20 );
787 sha1_update( &sha1, padding, 40 );
788 sha1_update( &sha1, header, 11 );
789 sha1_update( &sha1, buf, len );
790 sha1_finish( &sha1, buf + len );
791
792 memset( padding, 0x5C, 40 );
793 sha1_starts( &sha1 );
794 sha1_update( &sha1, secret, 20 );
795 sha1_update( &sha1, padding, 40 );
796 sha1_update( &sha1, buf + len, 20 );
797 sha1_finish( &sha1, buf + len );
798}
799
800/*
801 * Encryption/decryption functions
802 */
803static int ssl_encrypt_buf( ssl_context *ssl )
804{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]805 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806
807 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
808
809 /*
810 * Add MAC then encrypt
811 */
812 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
813 {
814 if( ssl->maclen == 16 )
815 ssl_mac_md5( ssl->mac_enc,
816 ssl->out_msg, ssl->out_msglen,
817 ssl->out_ctr, ssl->out_msgtype );
818
819 if( ssl->maclen == 20 )
820 ssl_mac_sha1( ssl->mac_enc,
821 ssl->out_msg, ssl->out_msglen,
822 ssl->out_ctr, ssl->out_msgtype );
823 }
824 else
825 {
826 if( ssl->maclen == 16 )
827 md5_hmac( ssl->mac_enc, 16,
828 ssl->out_ctr, ssl->out_msglen + 13,
829 ssl->out_msg + ssl->out_msglen );
830
831 if( ssl->maclen == 20 )
832 sha1_hmac( ssl->mac_enc, 20,
833 ssl->out_ctr, ssl->out_msglen + 13,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]834 ssl->out_msg + ssl->out_msglen );
835
836 if( ssl->maclen == 32 )
837 sha2_hmac( ssl->mac_enc, 32,
838 ssl->out_ctr, ssl->out_msglen + 13,
839 ssl->out_msg + ssl->out_msglen, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840 }
841
842 SSL_DEBUG_BUF( 4, "computed mac",
843 ssl->out_msg + ssl->out_msglen, ssl->maclen );
844
845 ssl->out_msglen += ssl->maclen;
846
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847 if( ssl->ivlen == 0 )
848 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]849 padlen = 0;
850
851 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
852 "including %d bytes of padding",
853 ssl->out_msglen, 0 ) );
854
855 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
856 ssl->out_msg, ssl->out_msglen );
857
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]858#if defined(POLARSSL_ARC4_C)
859 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
860 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
861 {
862 arc4_crypt( (arc4_context *) ssl->ctx_enc,
863 ssl->out_msglen, ssl->out_msg,
864 ssl->out_msg );
865 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]867#if defined(POLARSSL_CIPHER_NULL_CIPHER)
868 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
869 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
870 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
871 {
872 } else
873#endif
874 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]876 else if( ssl->ivlen == 12 )
877 {
878 size_t enc_msglen;
879 unsigned char *enc_msg;
880 unsigned char add_data[13];
881 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
882
883 padlen = 0;
884 enc_msglen = ssl->out_msglen;
885
886 memcpy( add_data, ssl->out_ctr, 8 );
887 add_data[8] = ssl->out_msgtype;
888 add_data[9] = ssl->major_ver;
889 add_data[10] = ssl->minor_ver;
890 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
891 add_data[12] = ssl->out_msglen & 0xFF;
892
893 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
894 add_data, 13 );
895
896#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
897
898 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
899 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
900 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
901 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
902 {
903 /*
904 * Generate IV
905 */
906 ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc + ssl->fixed_ivlen,
907 ssl->ivlen - ssl->fixed_ivlen );
908 if( ret != 0 )
909 return( ret );
910
911 /*
912 * Shift message for ivlen bytes and prepend IV
913 */
914 memmove( ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen,
915 ssl->out_msg, ssl->out_msglen );
916 memcpy( ssl->out_msg, ssl->iv_enc + ssl->fixed_ivlen,
917 ssl->ivlen - ssl->fixed_ivlen );
918
919 /*
920 * Fix pointer positions and message length with added IV
921 */
922 enc_msg = ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen;
923 enc_msglen = ssl->out_msglen;
924 ssl->out_msglen += ssl->ivlen - ssl->fixed_ivlen;
925
926 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
927 "including %d bytes of padding",
928 ssl->out_msglen, 0 ) );
929
930 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
931 ssl->out_msg, ssl->out_msglen );
932
933 /*
934 * Adjust for tag
935 */
936 ssl->out_msglen += 16;
937
938 gcm_crypt_and_tag( (gcm_context *) ssl->ctx_enc,
939 GCM_ENCRYPT, enc_msglen,
940 ssl->iv_enc, ssl->ivlen,
941 add_data, 13,
942 enc_msg, enc_msg,
943 16, enc_msg + enc_msglen );
944
945 SSL_DEBUG_BUF( 4, "after encrypt: tag",
946 enc_msg + enc_msglen, 16 );
947
948 } else
949#endif
950 return( ret );
951 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]952 else
953 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]954 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]955 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]956
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
958 if( padlen == ssl->ivlen )
959 padlen = 0;
960
961 for( i = 0; i <= padlen; i++ )
962 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
963
964 ssl->out_msglen += padlen + 1;
965
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]966 enc_msglen = ssl->out_msglen;
967 enc_msg = ssl->out_msg;
968
969 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]970 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
971 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]972 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]973 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]974 {
975 /*
976 * Generate IV
977 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]978 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
979 if( ret != 0 )
980 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]981
982 /*
983 * Shift message for ivlen bytes and prepend IV
984 */
985 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
986 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
987
988 /*
989 * Fix pointer positions and message length with added IV
990 */
991 enc_msg = ssl->out_msg + ssl->ivlen;
992 enc_msglen = ssl->out_msglen;
993 ssl->out_msglen += ssl->ivlen;
994 }
995
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]997 "including %d bytes of IV and %d bytes of padding",
998 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999
1000 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1001 ssl->out_msg, ssl->out_msglen );
1002
1003 switch( ssl->ivlen )
1004 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1005#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1006 case 8:
1007#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1008 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1009 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1010 {
1011 des_crypt_cbc( (des_context *) ssl->ctx_enc,
1012 DES_ENCRYPT, enc_msglen,
1013 ssl->iv_enc, enc_msg, enc_msg );
1014 }
1015 else
1016#endif
1017 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
1018 DES_ENCRYPT, enc_msglen,
1019 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1020 break;
1021#endif
1022
1023 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1024#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1025 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1026 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1027 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1028 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1029 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1030 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1031 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1032 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1033 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1034 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1035 AES_ENCRYPT, enc_msglen,
1036 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1037 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1038 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1039#endif
1040
1041#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1042 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1043 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1044 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1045 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1046 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1047 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1048 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1049 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1050 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1051 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1052 CAMELLIA_ENCRYPT, enc_msglen,
1053 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1054 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1055 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056#endif
1057
1058 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1059 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1060 }
1061 }
1062
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1063 for( i = 8; i > 0; i-- )
1064 if( ++ssl->out_ctr[i - 1] != 0 )
1065 break;
1066
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1067 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1068
1069 return( 0 );
1070}
1071
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1072/*
1073 * TODO: Use digest version when integrated!
1074 */
1075#define POLARSSL_SSL_MAX_MAC_SIZE 32
1076
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1077static int ssl_decrypt_buf( ssl_context *ssl )
1078{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1079 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1080 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081
1082 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1083
1084 if( ssl->in_msglen < ssl->minlen )
1085 {
1086 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1087 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1088 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 }
1090
1091 if( ssl->ivlen == 0 )
1092 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1093#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1094 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1095 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
1096 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
1097 {
1098 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]1099 ssl->in_msglen, ssl->in_msg,
1100 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1101 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1103#if defined(POLARSSL_CIPHER_NULL_CIPHER)
1104 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
1105 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
1106 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
1107 {
1108 } else
1109#endif
1110 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1112 else if( ssl->ivlen == 12 )
1113 {
1114 unsigned char *dec_msg;
1115 unsigned char *dec_msg_result;
1116 size_t dec_msglen;
1117 unsigned char add_data[13];
1118 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1119
1120 padlen = 0;
1121
1122#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1123 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
1124 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
1125 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
1126 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
1127 {
1128 dec_msglen = ssl->in_msglen - ( ssl->ivlen - ssl->fixed_ivlen );
1129 dec_msglen -= 16;
1130 dec_msg = ssl->in_msg + ( ssl->ivlen - ssl->fixed_ivlen );
1131 dec_msg_result = ssl->in_msg;
1132 ssl->in_msglen = dec_msglen;
1133
1134 memcpy( add_data, ssl->in_ctr, 8 );
1135 add_data[8] = ssl->in_msgtype;
1136 add_data[9] = ssl->major_ver;
1137 add_data[10] = ssl->minor_ver;
1138 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1139 add_data[12] = ssl->in_msglen & 0xFF;
1140
1141 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1142 add_data, 13 );
1143
1144 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1145 ssl->ivlen - ssl->fixed_ivlen );
1146
1147 SSL_DEBUG_BUF( 4, "IV used", ssl->iv_dec, ssl->ivlen );
1148 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1149
1150 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1151 ssl->ivlen - ssl->fixed_ivlen );
1152
1153 ret = gcm_auth_decrypt( (gcm_context *) ssl->ctx_dec,
1154 dec_msglen,
1155 ssl->iv_dec, ssl->ivlen,
1156 add_data, 13,
1157 dec_msg + dec_msglen, 16,
1158 dec_msg, dec_msg_result );
1159
1160 if( ret != 0 )
1161 {
1162 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1163 -ret ) );
1164
1165 return( POLARSSL_ERR_SSL_INVALID_MAC );
1166 }
1167 } else
1168#endif
1169 return( ret );
1170 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1171 else
1172 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1173 unsigned char *dec_msg;
1174 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1175 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1176
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1177 /*
1178 * Decrypt and check the padding
1179 */
1180 if( ssl->in_msglen % ssl->ivlen != 0 )
1181 {
1182 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1183 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1184 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1185 }
1186
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1187 dec_msglen = ssl->in_msglen;
1188 dec_msg = ssl->in_msg;
1189 dec_msg_result = ssl->in_msg;
1190
1191 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1192 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1193 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1194 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1195 {
1196 dec_msg += ssl->ivlen;
1197 dec_msglen -= ssl->ivlen;
1198 ssl->in_msglen -= ssl->ivlen;
1199
1200 for( i = 0; i < ssl->ivlen; i++ )
1201 ssl->iv_dec[i] = ssl->in_msg[i];
1202 }
1203
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1204 switch( ssl->ivlen )
1205 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1206#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1207 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1208#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1209 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1210 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1211 {
1212 des_crypt_cbc( (des_context *) ssl->ctx_dec,
1213 DES_DECRYPT, dec_msglen,
1214 ssl->iv_dec, dec_msg, dec_msg_result );
1215 }
1216 else
1217#endif
1218 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
1219 DES_DECRYPT, dec_msglen,
1220 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1221 break;
1222#endif
1223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1224 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1225#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1226 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1227 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1228 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1229 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1230 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1231 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1232 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1233 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1234 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1235 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1236 AES_DECRYPT, dec_msglen,
1237 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1238 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1239 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1240#endif
1241
1242#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1243 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1244 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1245 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1246 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1247 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1248 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1249 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1250 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1251 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1252 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1253 CAMELLIA_DECRYPT, dec_msglen,
1254 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1255 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1256 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1257#endif
1258
1259 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1260 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1261 }
1262
1263 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1264
1265 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1266 {
1267 if( padlen > ssl->ivlen )
1268 {
1269 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1270 "should be no more than %d",
1271 padlen, ssl->ivlen ) );
1272 padlen = 0;
1273 }
1274 }
1275 else
1276 {
1277 /*
1278 * TLSv1: always check the padding
1279 */
1280 for( i = 1; i <= padlen; i++ )
1281 {
1282 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1283 {
1284 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
1285 "%02x, but is %02x", padlen - 1,
1286 ssl->in_msg[ssl->in_msglen - i] ) );
1287 padlen = 0;
1288 }
1289 }
1290 }
1291 }
1292
1293 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1294 ssl->in_msg, ssl->in_msglen );
1295
1296 /*
1297 * Always compute the MAC (RFC4346, CBCTIME).
1298 */
Paul Bakkerf34cf852012-04-10 07:48:40 +0000[diff] [blame]1299 if( ssl->in_msglen < ssl->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1300 {
1301 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1302 ssl->in_msglen, ssl->maclen, padlen ) );
1303 return( POLARSSL_ERR_SSL_INVALID_MAC );
1304 }
1305
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1306 ssl->in_msglen -= ( ssl->maclen + padlen );
1307
1308 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1309 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1310
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1311 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312
1313 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1314 {
1315 if( ssl->maclen == 16 )
1316 ssl_mac_md5( ssl->mac_dec,
1317 ssl->in_msg, ssl->in_msglen,
1318 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1319 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320 ssl_mac_sha1( ssl->mac_dec,
1321 ssl->in_msg, ssl->in_msglen,
1322 ssl->in_ctr, ssl->in_msgtype );
1323 }
1324 else
1325 {
1326 if( ssl->maclen == 16 )
1327 md5_hmac( ssl->mac_dec, 16,
1328 ssl->in_ctr, ssl->in_msglen + 13,
1329 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1330 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331 sha1_hmac( ssl->mac_dec, 20,
1332 ssl->in_ctr, ssl->in_msglen + 13,
1333 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1334 else if( ssl->maclen == 32 )
1335 sha2_hmac( ssl->mac_dec, 32,
1336 ssl->in_ctr, ssl->in_msglen + 13,
1337 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1338 }
1339
1340 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
1341 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1342 ssl->maclen );
1343
1344 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1345 ssl->maclen ) != 0 )
1346 {
1347 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1348 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1349 }
1350
1351 /*
1352 * Finally check the padding length; bad padding
1353 * will produce the same error as an invalid MAC.
1354 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1355 if( ssl->ivlen != 0 && ssl->ivlen != 12 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1356 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1357
1358 if( ssl->in_msglen == 0 )
1359 {
1360 ssl->nb_zero++;
1361
1362 /*
1363 * Three or more empty messages may be a DoS attack
1364 * (excessive CPU consumption).
1365 */
1366 if( ssl->nb_zero > 3 )
1367 {
1368 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1369 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1370 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1371 }
1372 }
1373 else
1374 ssl->nb_zero = 0;
1375
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1376 for( i = 8; i > 0; i-- )
1377 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1378 break;
1379
1380 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1381
1382 return( 0 );
1383}
1384
1385/*
1386 * Fill the input message buffer
1387 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1388int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1389{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1390 int ret;
1391 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392
1393 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1394
1395 while( ssl->in_left < nb_want )
1396 {
1397 len = nb_want - ssl->in_left;
1398 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1399
1400 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1401 ssl->in_left, nb_want ) );
1402 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1403
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1404 if( ret == 0 )
1405 return( POLARSSL_ERR_SSL_CONN_EOF );
1406
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1407 if( ret < 0 )
1408 return( ret );
1409
1410 ssl->in_left += ret;
1411 }
1412
1413 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1414
1415 return( 0 );
1416}
1417
1418/*
1419 * Flush any data not yet written
1420 */
1421int ssl_flush_output( ssl_context *ssl )
1422{
1423 int ret;
1424 unsigned char *buf;
1425
1426 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1427
1428 while( ssl->out_left > 0 )
1429 {
1430 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1431 5 + ssl->out_msglen, ssl->out_left ) );
1432
1433 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1434 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1435 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1436
1437 if( ret <= 0 )
1438 return( ret );
1439
1440 ssl->out_left -= ret;
1441 }
1442
1443 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1444
1445 return( 0 );
1446}
1447
1448/*
1449 * Record layer functions
1450 */
1451int ssl_write_record( ssl_context *ssl )
1452{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]1453 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1454 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1455
1456 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1457
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1458 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1459 {
1460 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1461 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1462 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1463
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1464 ssl->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1465 }
1466
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]1467#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1468 if( ssl_hw_record_write != NULL)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1469 {
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]1470 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1471
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]1472 ret = ssl_hw_record_write( ssl );
1473 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1474 {
1475 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1476 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1477 }
1478 done = 1;
1479 }
1480#endif
1481 if( !done )
1482 {
1483 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1484 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1485 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1486 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1487 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]1488
1489 if( ssl->do_crypt != 0 )
1490 {
1491 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1492 {
1493 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1494 return( ret );
1495 }
1496
1497 len = ssl->out_msglen;
1498 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1499 ssl->out_hdr[4] = (unsigned char)( len );
1500 }
1501
1502 ssl->out_left = 5 + ssl->out_msglen;
1503
1504 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1505 "version = [%d:%d], msglen = %d",
1506 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1507 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1508
1509 SSL_DEBUG_BUF( 4, "output record sent to network",
1510 ssl->out_hdr, 5 + ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1511 }
1512
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1513 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1514 {
1515 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1516 return( ret );
1517 }
1518
1519 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1520
1521 return( 0 );
1522}
1523
1524int ssl_read_record( ssl_context *ssl )
1525{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]1526 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1527
1528 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1529
1530 if( ssl->in_hslen != 0 &&
1531 ssl->in_hslen < ssl->in_msglen )
1532 {
1533 /*
1534 * Get next Handshake message in the current record
1535 */
1536 ssl->in_msglen -= ssl->in_hslen;
1537
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1538 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1539 ssl->in_msglen );
1540
1541 ssl->in_hslen = 4;
1542 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1543
1544 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1545 " %d, type = %d, hslen = %d",
1546 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1547
1548 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1549 {
1550 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1551 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1552 }
1553
1554 if( ssl->in_msglen < ssl->in_hslen )
1555 {
1556 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1557 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1558 }
1559
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1560 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1561
1562 return( 0 );
1563 }
1564
1565 ssl->in_hslen = 0;
1566
1567 /*
1568 * Read the record header and validate it
1569 */
1570 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1571 {
1572 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1573 return( ret );
1574 }
1575
1576 ssl->in_msgtype = ssl->in_hdr[0];
1577 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1578
1579 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1580 "version = [%d:%d], msglen = %d",
1581 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1582 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1583
1584 if( ssl->in_hdr[1] != ssl->major_ver )
1585 {
1586 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1587 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1588 }
1589
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1590 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1591 {
1592 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1593 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1594 }
1595
1596 /*
1597 * Make sure the message length is acceptable
1598 */
1599 if( ssl->do_crypt == 0 )
1600 {
1601 if( ssl->in_msglen < 1 ||
1602 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1603 {
1604 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1605 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1606 }
1607 }
1608 else
1609 {
1610 if( ssl->in_msglen < ssl->minlen )
1611 {
1612 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1613 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1614 }
1615
1616 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1617 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1618 {
1619 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1620 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1621 }
1622
1623 /*
1624 * TLS encrypted messages can have up to 256 bytes of padding
1625 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1626 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1627 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1628 {
1629 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1630 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1631 }
1632 }
1633
1634 /*
1635 * Read and optionally decrypt the message contents
1636 */
1637 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1638 {
1639 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1640 return( ret );
1641 }
1642
1643 SSL_DEBUG_BUF( 4, "input record from network",
1644 ssl->in_hdr, 5 + ssl->in_msglen );
1645
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]1646#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1647 if( ssl_hw_record_read != NULL)
1648 {
1649 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1650
1651 ret = ssl_hw_record_read( ssl );
1652 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1653 {
1654 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1655 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1656 }
1657 done = 1;
1658 }
1659#endif
1660 if( !done && ssl->do_crypt != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1661 {
1662 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1663 {
1664 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1665 return( ret );
1666 }
1667
1668 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1669 ssl->in_msg, ssl->in_msglen );
1670
1671 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1672 {
1673 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1674 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1675 }
1676 }
1677
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1678 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1679 ssl->in_msgtype != SSL_MSG_ALERT &&
1680 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1681 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1682 {
1683 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1684
1685 if( ( ret = ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1686 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
1687 {
1688 return( ret );
1689 }
1690
1691 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1692 }
1693
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1694 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1695 {
1696 ssl->in_hslen = 4;
1697 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1698
1699 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1700 " %d, type = %d, hslen = %d",
1701 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1702
1703 /*
1704 * Additional checks to validate the handshake header
1705 */
1706 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1707 {
1708 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1709 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1710 }
1711
1712 if( ssl->in_msglen < ssl->in_hslen )
1713 {
1714 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1715 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1716 }
1717
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1718 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719 }
1720
1721 if( ssl->in_msgtype == SSL_MSG_ALERT )
1722 {
1723 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1724 ssl->in_msg[0], ssl->in_msg[1] ) );
1725
1726 /*
1727 * Ignore non-fatal alerts, except close_notify
1728 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1729 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1730 {
1731 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1732 /**
1733 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1734 * error identifier.
1735 */
1736 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1737 }
1738
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1739 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1740 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1741 {
1742 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1743 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744 }
1745 }
1746
1747 ssl->in_left = 0;
1748
1749 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1750
1751 return( 0 );
1752}
1753
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1754int ssl_send_alert_message( ssl_context *ssl,
1755 unsigned char level,
1756 unsigned char message )
1757{
1758 int ret;
1759
1760 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1761
1762 ssl->out_msgtype = SSL_MSG_ALERT;
1763 ssl->out_msglen = 2;
1764 ssl->out_msg[0] = level;
1765 ssl->out_msg[1] = message;
1766
1767 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1768 {
1769 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1770 return( ret );
1771 }
1772
1773 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1774
1775 return( 0 );
1776}
1777
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778/*
1779 * Handshake functions
1780 */
1781int ssl_write_certificate( ssl_context *ssl )
1782{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1783 int ret;
1784 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1785 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786
1787 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1788
1789 if( ssl->endpoint == SSL_IS_CLIENT )
1790 {
1791 if( ssl->client_auth == 0 )
1792 {
1793 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1794 ssl->state++;
1795 return( 0 );
1796 }
1797
1798 /*
1799 * If using SSLv3 and got no cert, send an Alert message
1800 * (otherwise an empty Certificate message will be sent).
1801 */
1802 if( ssl->own_cert == NULL &&
1803 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1804 {
1805 ssl->out_msglen = 2;
1806 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1807 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1808 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809
1810 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1811 goto write_msg;
1812 }
1813 }
1814 else /* SSL_IS_SERVER */
1815 {
1816 if( ssl->own_cert == NULL )
1817 {
1818 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1819 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820 }
1821 }
1822
1823 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1824
1825 /*
1826 * 0 . 0 handshake type
1827 * 1 . 3 handshake length
1828 * 4 . 6 length of all certs
1829 * 7 . 9 length of cert. 1
1830 * 10 . n-1 peer certificate
1831 * n . n+2 length of cert. 2
1832 * n+3 . ... upper level cert, etc.
1833 */
1834 i = 7;
1835 crt = ssl->own_cert;
1836
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1837 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838 {
1839 n = crt->raw.len;
1840 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1841 {
1842 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1843 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1844 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845 }
1846
1847 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1848 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1849 ssl->out_msg[i + 2] = (unsigned char)( n );
1850
1851 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1852 i += n; crt = crt->next;
1853 }
1854
1855 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1856 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1857 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1858
1859 ssl->out_msglen = i;
1860 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1861 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1862
1863write_msg:
1864
1865 ssl->state++;
1866
1867 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1868 {
1869 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1870 return( ret );
1871 }
1872
1873 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1874
1875 return( 0 );
1876}
1877
1878int ssl_parse_certificate( ssl_context *ssl )
1879{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1880 int ret;
1881 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882
1883 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1884
1885 if( ssl->endpoint == SSL_IS_SERVER &&
1886 ssl->authmode == SSL_VERIFY_NONE )
1887 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1888 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1890 ssl->state++;
1891 return( 0 );
1892 }
1893
1894 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1895 {
1896 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1897 return( ret );
1898 }
1899
1900 ssl->state++;
1901
1902 /*
1903 * Check if the client sent an empty certificate
1904 */
1905 if( ssl->endpoint == SSL_IS_SERVER &&
1906 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1907 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1908 if( ssl->in_msglen == 2 &&
1909 ssl->in_msgtype == SSL_MSG_ALERT &&
1910 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1911 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912 {
1913 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1914
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1915 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1916 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1917 return( 0 );
1918 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1919 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920 }
1921 }
1922
1923 if( ssl->endpoint == SSL_IS_SERVER &&
1924 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1925 {
1926 if( ssl->in_hslen == 7 &&
1927 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1928 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1929 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1930 {
1931 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1932
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1933 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1934 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1935 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1936 else
1937 return( 0 );
1938 }
1939 }
1940
1941 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1942 {
1943 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1944 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945 }
1946
1947 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1948 {
1949 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1950 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951 }
1952
1953 /*
1954 * Same message structure as in ssl_write_certificate()
1955 */
1956 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1957
1958 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1959 {
1960 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1961 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1962 }
1963
1964 if( ( ssl->peer_cert = (x509_cert *) malloc(
1965 sizeof( x509_cert ) ) ) == NULL )
1966 {
1967 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1968 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1969 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1970 }
1971
1972 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1973
1974 i = 7;
1975
1976 while( i < ssl->in_hslen )
1977 {
1978 if( ssl->in_msg[i] != 0 )
1979 {
1980 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1981 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1982 }
1983
1984 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1985 | (unsigned int) ssl->in_msg[i + 2];
1986 i += 3;
1987
1988 if( n < 128 || i + n > ssl->in_hslen )
1989 {
1990 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1991 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1992 }
1993
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1994 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1995 if( ret != 0 )
1996 {
1997 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1998 return( ret );
1999 }
2000
2001 i += n;
2002 }
2003
2004 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
2005
2006 if( ssl->authmode != SSL_VERIFY_NONE )
2007 {
2008 if( ssl->ca_chain == NULL )
2009 {
2010 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2011 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2012 }
2013
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2014 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2015 ssl->peer_cn, &ssl->verify_result,
2016 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2017
2018 if( ret != 0 )
2019 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2020
2021 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2022 ret = 0;
2023 }
2024
2025 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2026
2027 return( ret );
2028}
2029
2030int ssl_write_change_cipher_spec( ssl_context *ssl )
2031{
2032 int ret;
2033
2034 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2035
2036 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2037 ssl->out_msglen = 1;
2038 ssl->out_msg[0] = 1;
2039
2040 ssl->do_crypt = 0;
2041 ssl->state++;
2042
2043 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2044 {
2045 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2046 return( ret );
2047 }
2048
2049 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2050
2051 return( 0 );
2052}
2053
2054int ssl_parse_change_cipher_spec( ssl_context *ssl )
2055{
2056 int ret;
2057
2058 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2059
2060 ssl->do_crypt = 0;
2061
2062 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2063 {
2064 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2065 return( ret );
2066 }
2067
2068 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2069 {
2070 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2071 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2072 }
2073
2074 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2075 {
2076 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2077 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2078 }
2079
2080 ssl->state++;
2081
2082 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2083
2084 return( 0 );
2085}
2086
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2087void ssl_kickstart_checksum( ssl_context *ssl, int ciphersuite,
2088 unsigned char *input_buf, size_t len )
2089{
2090 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2091 {
2092 md5_starts( (md5_context *) ssl->ctx_checksum );
2093 sha1_starts( (sha1_context *) ( ssl->ctx_checksum +
2094 sizeof(md5_context) ) );
2095
2096 ssl->update_checksum = ssl_update_checksum_md5sha1;
2097 }
2098 else if ( ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
2099 ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
2100 {
2101 sha4_starts( (sha4_context *) ssl->ctx_checksum, 1 );
2102 ssl->update_checksum = ssl_update_checksum_sha384;
2103 }
2104 else
2105 {
2106 sha2_starts( (sha2_context *) ssl->ctx_checksum, 0 );
2107 ssl->update_checksum = ssl_update_checksum_sha256;
2108 }
2109
2110 if( ssl->endpoint == SSL_IS_CLIENT )
2111 ssl->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2112 ssl->update_checksum( ssl, input_buf, len );
2113}
2114
2115static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2116 size_t len )
2117{
2118 ((void) ssl);
2119 ((void) buf);
2120 ((void) len);
2121}
2122
2123static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2124 size_t len )
2125{
2126 md5_update( (md5_context *) ssl->ctx_checksum, buf, len );
2127 sha1_update( (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2128 buf, len );
2129}
2130
2131static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2132 size_t len )
2133{
2134 sha2_update( (sha2_context *) ssl->ctx_checksum, buf, len );
2135}
2136
2137static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2138 size_t len )
2139{
2140 sha4_update( (sha4_context *) ssl->ctx_checksum, buf, len );
2141}
2142
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2143static void ssl_calc_finished_ssl(
2144 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2145{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2147 md5_context md5;
2148 sha1_context sha1;
2149
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2150 unsigned char padbuf[48];
2151 unsigned char md5sum[16];
2152 unsigned char sha1sum[20];
2153
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2154 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2155
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2156 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2157 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2158 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2159
2160 /*
2161 * SSLv3:
2162 * hash =
2163 * MD5( master + pad2 +
2164 * MD5( handshake + sender + master + pad1 ) )
2165 * + SHA1( master + pad2 +
2166 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2167 */
2168
2169 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2170 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171
2172 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2173 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2174
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2175 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2176 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2177
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2178 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2180 md5_update( &md5, (unsigned char *) sender, 4 );
2181 md5_update( &md5, ssl->session->master, 48 );
2182 md5_update( &md5, padbuf, 48 );
2183 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2184
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2185 sha1_update( &sha1, (unsigned char *) sender, 4 );
2186 sha1_update( &sha1, ssl->session->master, 48 );
2187 sha1_update( &sha1, padbuf, 40 );
2188 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2189
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2190 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2191
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2192 md5_starts( &md5 );
2193 md5_update( &md5, ssl->session->master, 48 );
2194 md5_update( &md5, padbuf, 48 );
2195 md5_update( &md5, md5sum, 16 );
2196 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2197
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2198 sha1_starts( &sha1 );
2199 sha1_update( &sha1, ssl->session->master, 48 );
2200 sha1_update( &sha1, padbuf , 40 );
2201 sha1_update( &sha1, sha1sum, 20 );
2202 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2203
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2204 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2206 memset( &md5, 0, sizeof( md5_context ) );
2207 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2208
2209 memset( padbuf, 0, sizeof( padbuf ) );
2210 memset( md5sum, 0, sizeof( md5sum ) );
2211 memset( sha1sum, 0, sizeof( sha1sum ) );
2212
2213 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2214}
2215
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2216static void ssl_calc_finished_tls(
2217 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2218{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2219 int len = 12;
2220 char *sender;
2221 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2222 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2223 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2224
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2225 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2226
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2227 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2228 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2229 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2230
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2231 /*
2232 * TLSv1:
2233 * hash = PRF( master, finished_label,
2234 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2235 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2236
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2237 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2238 md5.state, sizeof( md5.state ) );
2239
2240 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2241 sha1.state, sizeof( sha1.state ) );
2242
2243 sender = ( from == SSL_IS_CLIENT )
2244 ? (char *) "client finished"
2245 : (char *) "server finished";
2246
2247 md5_finish( &md5, padbuf );
2248 sha1_finish( &sha1, padbuf + 16 );
2249
2250 ssl->tls_prf( ssl->session->master, 48, sender,
2251 padbuf, 36, buf, len );
2252
2253 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2254
2255 memset( &md5, 0, sizeof( md5_context ) );
2256 memset( &sha1, 0, sizeof( sha1_context ) );
2257
2258 memset( padbuf, 0, sizeof( padbuf ) );
2259
2260 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2261}
2262
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2263static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2264 ssl_context *ssl, unsigned char *buf, int from )
2265{
2266 int len = 12;
2267 char *sender;
2268 sha2_context sha2;
2269 unsigned char padbuf[32];
2270
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2271 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2272
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2273 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2274
2275 /*
2276 * TLSv1.2:
2277 * hash = PRF( master, finished_label,
2278 * Hash( handshake ) )[0.11]
2279 */
2280
2281 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2282 sha2.state, sizeof( sha2.state ) );
2283
2284 sender = ( from == SSL_IS_CLIENT )
2285 ? (char *) "client finished"
2286 : (char *) "server finished";
2287
2288 sha2_finish( &sha2, padbuf );
2289
2290 ssl->tls_prf( ssl->session->master, 48, sender,
2291 padbuf, 32, buf, len );
2292
2293 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2294
2295 memset( &sha2, 0, sizeof( sha2_context ) );
2296
2297 memset( padbuf, 0, sizeof( padbuf ) );
2298
2299 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2300}
2301
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2302static void ssl_calc_finished_tls_sha384(
2303 ssl_context *ssl, unsigned char *buf, int from )
2304{
2305 int len = 12;
2306 char *sender;
2307 sha4_context sha4;
2308 unsigned char padbuf[48];
2309
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2310 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2311
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2312 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2313
2314 /*
2315 * TLSv1.2:
2316 * hash = PRF( master, finished_label,
2317 * Hash( handshake ) )[0.11]
2318 */
2319
2320 SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2321 sha4.state, sizeof( sha4.state ) );
2322
2323 sender = ( from == SSL_IS_CLIENT )
2324 ? (char *) "client finished"
2325 : (char *) "server finished";
2326
2327 sha4_finish( &sha4, padbuf );
2328
2329 ssl->tls_prf( ssl->session->master, 48, sender,
2330 padbuf, 48, buf, len );
2331
2332 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2333
2334 memset( &sha4, 0, sizeof( sha4_context ) );
2335
2336 memset( padbuf, 0, sizeof( padbuf ) );
2337
2338 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2339}
2340
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2341int ssl_write_finished( ssl_context *ssl )
2342{
2343 int ret, hash_len;
2344
2345 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2346
2347 ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2348
2349 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2350 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2351
2352 ssl->out_msglen = 4 + hash_len;
2353 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2354 ssl->out_msg[0] = SSL_HS_FINISHED;
2355
2356 /*
2357 * In case of session resuming, invert the client and server
2358 * ChangeCipherSpec messages order.
2359 */
2360 if( ssl->resume != 0 )
2361 {
2362 if( ssl->endpoint == SSL_IS_CLIENT )
2363 ssl->state = SSL_HANDSHAKE_OVER;
2364 else
2365 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2366 }
2367 else
2368 ssl->state++;
2369
2370 ssl->do_crypt = 1;
2371
2372 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2373 {
2374 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2375 return( ret );
2376 }
2377
2378 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2379
2380 return( 0 );
2381}
2382
2383int ssl_parse_finished( ssl_context *ssl )
2384{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2385 int ret;
2386 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2387 unsigned char buf[36];
2388
2389 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2390
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2391 ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2392
2393 ssl->do_crypt = 1;
2394
2395 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2396 {
2397 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2398 return( ret );
2399 }
2400
2401 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2402 {
2403 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2404 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2405 }
2406
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2407 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2408 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2409
2410 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2411 ssl->in_hslen != 4 + hash_len )
2412 {
2413 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2414 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2415 }
2416
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2417 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2418 {
2419 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2420 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2421 }
2422
2423 if( ssl->resume != 0 )
2424 {
2425 if( ssl->endpoint == SSL_IS_CLIENT )
2426 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2427
2428 if( ssl->endpoint == SSL_IS_SERVER )
2429 ssl->state = SSL_HANDSHAKE_OVER;
2430 }
2431 else
2432 ssl->state++;
2433
2434 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2435
2436 return( 0 );
2437}
2438
2439/*
2440 * Initialize an SSL context
2441 */
2442int ssl_init( ssl_context *ssl )
2443{
2444 int len = SSL_BUFFER_LEN;
2445
2446 memset( ssl, 0, sizeof( ssl_context ) );
2447
2448 ssl->in_ctr = (unsigned char *) malloc( len );
2449 ssl->in_hdr = ssl->in_ctr + 8;
2450 ssl->in_msg = ssl->in_ctr + 13;
2451
2452 if( ssl->in_ctr == NULL )
2453 {
2454 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2455 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2456 }
2457
2458 ssl->out_ctr = (unsigned char *) malloc( len );
2459 ssl->out_hdr = ssl->out_ctr + 8;
2460 ssl->out_msg = ssl->out_ctr + 13;
2461
2462 if( ssl->out_ctr == NULL )
2463 {
2464 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2465 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2466 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2467 }
2468
2469 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2470 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2471
2472 ssl->hostname = NULL;
2473 ssl->hostname_len = 0;
2474
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2475 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2476
2477 return( 0 );
2478}
2479
2480/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2481 * Reset an initialized and used SSL context for re-use while retaining
2482 * all application-set variables, function pointers and data.
2483 */
2484void ssl_session_reset( ssl_context *ssl )
2485{
2486 ssl->state = SSL_HELLO_REQUEST;
2487
2488 ssl->in_offt = NULL;
2489
2490 ssl->in_msgtype = 0;
2491 ssl->in_msglen = 0;
2492 ssl->in_left = 0;
2493
2494 ssl->in_hslen = 0;
2495 ssl->nb_zero = 0;
2496
2497 ssl->out_msgtype = 0;
2498 ssl->out_msglen = 0;
2499 ssl->out_left = 0;
2500
2501 ssl->do_crypt = 0;
2502 ssl->pmslen = 0;
2503 ssl->keylen = 0;
2504 ssl->minlen = 0;
2505 ssl->ivlen = 0;
2506 ssl->maclen = 0;
2507
2508 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2509 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2510 memset( ssl->randbytes, 0, 64 );
2511 memset( ssl->premaster, 0, 256 );
2512 memset( ssl->iv_enc, 0, 16 );
2513 memset( ssl->iv_dec, 0, 16 );
2514 memset( ssl->mac_enc, 0, 32 );
2515 memset( ssl->mac_dec, 0, 32 );
2516 memset( ssl->ctx_enc, 0, 128 );
2517 memset( ssl->ctx_dec, 0, 128 );
2518
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2519 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]2520
2521#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2522 if( ssl_hw_record_reset != NULL)
2523 {
2524 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
2525 ssl_hw_record_reset( ssl );
2526 }
2527#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2528}
2529
2530/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2531 * SSL set accessors
2532 */
2533void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2534{
2535 ssl->endpoint = endpoint;
2536}
2537
2538void ssl_set_authmode( ssl_context *ssl, int authmode )
2539{
2540 ssl->authmode = authmode;
2541}
2542
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2543void ssl_set_verify( ssl_context *ssl,
2544 int (*f_vrfy)(void *, x509_cert *, int, int),
2545 void *p_vrfy )
2546{
2547 ssl->f_vrfy = f_vrfy;
2548 ssl->p_vrfy = p_vrfy;
2549}
2550
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2551void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2552 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2553 void *p_rng )
2554{
2555 ssl->f_rng = f_rng;
2556 ssl->p_rng = p_rng;
2557}
2558
2559void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2560 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2561 void *p_dbg )
2562{
2563 ssl->f_dbg = f_dbg;
2564 ssl->p_dbg = p_dbg;
2565}
2566
2567void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2568 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2569 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2570{
2571 ssl->f_recv = f_recv;
2572 ssl->f_send = f_send;
2573 ssl->p_recv = p_recv;
2574 ssl->p_send = p_send;
2575}
2576
2577void ssl_set_scb( ssl_context *ssl,
2578 int (*s_get)(ssl_context *),
2579 int (*s_set)(ssl_context *) )
2580{
2581 ssl->s_get = s_get;
2582 ssl->s_set = s_set;
2583}
2584
2585void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2586 ssl_session *session )
2587{
2588 ssl->resume = resume;
2589 ssl->timeout = timeout;
2590 ssl->session = session;
2591}
2592
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2593void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2594{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2595 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2596}
2597
2598void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2599 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2600{
2601 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2602 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2603 ssl->peer_cn = peer_cn;
2604}
2605
2606void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2607 rsa_context *rsa_key )
2608{
2609 ssl->own_cert = own_cert;
2610 ssl->rsa_key = rsa_key;
2611}
2612
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]2613#if defined(POLARSSL_PKCS11_C)
2614void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
2615 pkcs11_context *pkcs11_key )
2616{
2617 ssl->own_cert = own_cert;
2618 ssl->pkcs11_key = pkcs11_key;
2619}
2620#endif
2621
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2622int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2623{
2624 int ret;
2625
2626 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2627 {
2628 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2629 return( ret );
2630 }
2631
2632 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2633 {
2634 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2635 return( ret );
2636 }
2637
2638 return( 0 );
2639}
2640
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2641int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
2642{
2643 int ret;
2644
2645 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2646 {
2647 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2648 return( ret );
2649 }
2650
2651 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2652 {
2653 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2654 return( ret );
2655 }
2656
2657 return( 0 );
2658}
2659
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2660int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2661{
2662 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2663 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2664
2665 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2666 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2667
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2668 if( ssl->hostname == NULL )
2669 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2670
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2671 memcpy( ssl->hostname, (unsigned char *) hostname,
2672 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2673
2674 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2675
2676 return( 0 );
2677}
2678
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2679void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2680{
2681 ssl->max_major_ver = major;
2682 ssl->max_minor_ver = minor;
2683}
2684
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2685/*
2686 * SSL get accessors
2687 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2688size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2689{
2690 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2691}
2692
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2693int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2694{
2695 return( ssl->verify_result );
2696}
2697
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2698const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2699{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2700 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2701 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2702#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2703 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2704 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2705
2706 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2707 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2708#endif
2709
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2710#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2711 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2712 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2713
2714 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2715 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2716#endif
2717
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2718#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2719 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2720 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2721
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2722 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2723 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2724
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2725 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2726 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2727
2728 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2729 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2730
2731#if defined(POLARSSL_SHA2_C)
2732 case SSL_RSA_AES_128_SHA256:
2733 return( "SSL-RSA-AES-128-SHA256" );
2734
2735 case SSL_EDH_RSA_AES_128_SHA256:
2736 return( "SSL-EDH-RSA-AES-128-SHA256" );
2737
2738 case SSL_RSA_AES_256_SHA256:
2739 return( "SSL-RSA-AES-256-SHA256" );
2740
2741 case SSL_EDH_RSA_AES_256_SHA256:
2742 return( "SSL-EDH-RSA-AES-256-SHA256" );
2743#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2744
2745#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2746 case SSL_RSA_AES_128_GCM_SHA256:
2747 return( "SSL-RSA-AES-128-GCM-SHA256" );
2748
2749 case SSL_EDH_RSA_AES_128_GCM_SHA256:
2750 return( "SSL-EDH-RSA-AES-128-GCM-SHA256" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2751#endif
2752
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2753#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2754 case SSL_RSA_AES_256_GCM_SHA384:
2755 return( "SSL-RSA-AES-256-GCM-SHA384" );
2756
2757 case SSL_EDH_RSA_AES_256_GCM_SHA384:
2758 return( "SSL-EDH-RSA-AES-256-GCM-SHA384" );
2759#endif
2760#endif /* POLARSSL_AES_C */
2761
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2762#if defined(POLARSSL_CAMELLIA_C)
2763 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2764 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2765
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2766 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2767 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2768
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2769 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2770 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2771
2772 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2773 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2774
2775#if defined(POLARSSL_SHA2_C)
2776 case SSL_RSA_CAMELLIA_128_SHA256:
2777 return( "SSL-RSA-CAMELLIA-128-SHA256" );
2778
2779 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
2780 return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
2781
2782 case SSL_RSA_CAMELLIA_256_SHA256:
2783 return( "SSL-RSA-CAMELLIA-256-SHA256" );
2784
2785 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
2786 return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
2787#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2788#endif
2789
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2790#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2791#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2792 case SSL_RSA_NULL_MD5:
2793 return( "SSL-RSA-NULL-MD5" );
2794 case SSL_RSA_NULL_SHA:
2795 return( "SSL-RSA-NULL-SHA" );
2796 case SSL_RSA_NULL_SHA256:
2797 return( "SSL-RSA-NULL-SHA256" );
2798#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2799
2800#if defined(POLARSSL_DES_C)
2801 case SSL_RSA_DES_SHA:
2802 return( "SSL-RSA-DES-SHA" );
2803 case SSL_EDH_RSA_DES_SHA:
2804 return( "SSL-EDH-RSA-DES-SHA" );
2805#endif
2806#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2807
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2808 default:
2809 break;
2810 }
2811
2812 return( "unknown" );
2813}
2814
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2815int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2816{
2817#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2818 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2819 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2820 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2821 return( SSL_RSA_RC4_128_SHA );
2822#endif
2823
2824#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2825 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2826 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2827 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2828 return( SSL_EDH_RSA_DES_168_SHA );
2829#endif
2830
2831#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2832 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2833 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2834 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2835 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2836 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2837 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2838 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2839 return( SSL_EDH_RSA_AES_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2840
2841#if defined(POLARSSL_SHA2_C)
2842 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
2843 return( SSL_RSA_AES_128_SHA256 );
2844 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
2845 return( SSL_EDH_RSA_AES_128_SHA256 );
2846 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
2847 return( SSL_RSA_AES_256_SHA256 );
2848 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
2849 return( SSL_EDH_RSA_AES_256_SHA256 );
2850#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2851
2852#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2853 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-GCM-SHA256"))
2854 return( SSL_RSA_AES_128_GCM_SHA256 );
2855 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-GCM-SHA256"))
2856 return( SSL_EDH_RSA_AES_128_GCM_SHA256 );
2857#endif
2858
2859#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2860 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-GCM-SHA384"))
2861 return( SSL_RSA_AES_256_GCM_SHA384 );
2862 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-GCM-SHA384"))
2863 return( SSL_EDH_RSA_AES_256_GCM_SHA384 );
2864#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2865#endif
2866
2867#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2868 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2869 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2870 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2871 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2872 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2873 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2874 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2875 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2876
2877#if defined(POLARSSL_SHA2_C)
2878 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
2879 return( SSL_RSA_CAMELLIA_128_SHA256 );
2880 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
2881 return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
2882 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
2883 return( SSL_RSA_CAMELLIA_256_SHA256 );
2884 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
2885 return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
2886#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2887#endif
2888
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2889#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2890#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2891 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
2892 return( SSL_RSA_NULL_MD5 );
2893 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
2894 return( SSL_RSA_NULL_SHA );
2895 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
2896 return( SSL_RSA_NULL_SHA256 );
2897#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2898
2899#if defined(POLARSSL_DES_C)
2900 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
2901 return( SSL_RSA_DES_SHA );
2902 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
2903 return( SSL_EDH_RSA_DES_SHA );
2904#endif
2905#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2906
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2907 return( 0 );
2908}
2909
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2910const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2911{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2912 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2913}
2914
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2915const char *ssl_get_version( const ssl_context *ssl )
2916{
2917 switch( ssl->minor_ver )
2918 {
2919 case SSL_MINOR_VERSION_0:
2920 return( "SSLv3.0" );
2921
2922 case SSL_MINOR_VERSION_1:
2923 return( "TLSv1.0" );
2924
2925 case SSL_MINOR_VERSION_2:
2926 return( "TLSv1.1" );
2927
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2928 case SSL_MINOR_VERSION_3:
2929 return( "TLSv1.2" );
2930
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2931 default:
2932 break;
2933 }
2934 return( "unknown" );
2935}
2936
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2937int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2938{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2939#if defined(POLARSSL_DHM_C)
2940#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2941#if defined(POLARSSL_SHA2_C)
2942 SSL_EDH_RSA_AES_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2943#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2944#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2945 SSL_EDH_RSA_AES_256_GCM_SHA384,
2946#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2947 SSL_EDH_RSA_AES_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2948#if defined(POLARSSL_SHA2_C)
2949 SSL_EDH_RSA_AES_128_SHA256,
2950#endif
2951#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2952 SSL_EDH_RSA_AES_128_GCM_SHA256,
2953#endif
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2954 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2955#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2956#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2957#if defined(POLARSSL_SHA2_C)
2958 SSL_EDH_RSA_CAMELLIA_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2959#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2960 SSL_EDH_RSA_CAMELLIA_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2961#if defined(POLARSSL_SHA2_C)
2962 SSL_EDH_RSA_CAMELLIA_128_SHA256,
2963#endif /* POLARSSL_SHA2_C */
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2964 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2965#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2966#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2967 SSL_EDH_RSA_DES_168_SHA,
2968#endif
2969#endif
2970
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2971#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2972#if defined(POLARSSL_SHA2_C)
2973 SSL_RSA_AES_256_SHA256,
2974#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2975#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2976 SSL_RSA_AES_256_GCM_SHA384,
2977#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2978 SSL_RSA_AES_256_SHA,
2979#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2980#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2981#if defined(POLARSSL_SHA2_C)
2982 SSL_RSA_CAMELLIA_256_SHA256,
2983#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2984 SSL_RSA_CAMELLIA_256_SHA,
2985#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2986#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2987#if defined(POLARSSL_SHA2_C)
2988 SSL_RSA_AES_128_SHA256,
2989#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2990#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2991 SSL_RSA_AES_128_GCM_SHA256,
2992#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2993 SSL_RSA_AES_128_SHA,
2994#endif
2995#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2996#if defined(POLARSSL_SHA2_C)
2997 SSL_RSA_CAMELLIA_128_SHA256,
2998#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2999 SSL_RSA_CAMELLIA_128_SHA,
3000#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3001#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3002 SSL_RSA_DES_168_SHA,
3003#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3004#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3005 SSL_RSA_RC4_128_SHA,
3006 SSL_RSA_RC4_128_MD5,
3007#endif
3008 0
3009};
3010
3011/*
3012 * Perform the SSL handshake
3013 */
3014int ssl_handshake( ssl_context *ssl )
3015{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3016 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3017
3018 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3019
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3020#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3021 if( ssl->endpoint == SSL_IS_CLIENT )
3022 ret = ssl_handshake_client( ssl );
3023#endif
3024
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3025#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3026 if( ssl->endpoint == SSL_IS_SERVER )
3027 ret = ssl_handshake_server( ssl );
3028#endif
3029
3030 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3031
3032 return( ret );
3033}
3034
3035/*
3036 * Receive application data decrypted from the SSL layer
3037 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3038int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3039{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3040 int ret;
3041 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3042
3043 SSL_DEBUG_MSG( 2, ( "=> read" ) );
3044
3045 if( ssl->state != SSL_HANDSHAKE_OVER )
3046 {
3047 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3048 {
3049 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3050 return( ret );
3051 }
3052 }
3053
3054 if( ssl->in_offt == NULL )
3055 {
3056 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3057 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3058 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3059 return( 0 );
3060
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3061 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3062 return( ret );
3063 }
3064
3065 if( ssl->in_msglen == 0 &&
3066 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3067 {
3068 /*
3069 * OpenSSL sends empty messages to randomize the IV
3070 */
3071 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3072 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3073 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3074 return( 0 );
3075
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3076 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3077 return( ret );
3078 }
3079 }
3080
3081 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3082 {
3083 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3084 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3085 }
3086
3087 ssl->in_offt = ssl->in_msg;
3088 }
3089
3090 n = ( len < ssl->in_msglen )
3091 ? len : ssl->in_msglen;
3092
3093 memcpy( buf, ssl->in_offt, n );
3094 ssl->in_msglen -= n;
3095
3096 if( ssl->in_msglen == 0 )
3097 /* all bytes consumed */
3098 ssl->in_offt = NULL;
3099 else
3100 /* more data available */
3101 ssl->in_offt += n;
3102
3103 SSL_DEBUG_MSG( 2, ( "<= read" ) );
3104
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3105 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3106}
3107
3108/*
3109 * Send application data to be encrypted by the SSL layer
3110 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3111int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3112{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3113 int ret;
3114 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3115
3116 SSL_DEBUG_MSG( 2, ( "=> write" ) );
3117
3118 if( ssl->state != SSL_HANDSHAKE_OVER )
3119 {
3120 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3121 {
3122 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3123 return( ret );
3124 }
3125 }
3126
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3127 n = ( len < SSL_MAX_CONTENT_LEN )
3128 ? len : SSL_MAX_CONTENT_LEN;
3129
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3130 if( ssl->out_left != 0 )
3131 {
3132 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3133 {
3134 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3135 return( ret );
3136 }
3137 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3138 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]3139 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3140 ssl->out_msglen = n;
3141 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3142 memcpy( ssl->out_msg, buf, n );
3143
3144 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3145 {
3146 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3147 return( ret );
3148 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3149 }
3150
3151 SSL_DEBUG_MSG( 2, ( "<= write" ) );
3152
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3153 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3154}
3155
3156/*
3157 * Notify the peer that the connection is being closed
3158 */
3159int ssl_close_notify( ssl_context *ssl )
3160{
3161 int ret;
3162
3163 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3164
3165 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3166 {
3167 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3168 return( ret );
3169 }
3170
3171 if( ssl->state == SSL_HANDSHAKE_OVER )
3172 {
3173 ssl->out_msgtype = SSL_MSG_ALERT;
3174 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]3175 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
3176 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3177
3178 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3179 {
3180 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3181 return( ret );
3182 }
3183 }
3184
3185 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3186
3187 return( ret );
3188}
3189
3190/*
3191 * Free an SSL context
3192 */
3193void ssl_free( ssl_context *ssl )
3194{
3195 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3196
3197 if( ssl->peer_cert != NULL )
3198 {
3199 x509_free( ssl->peer_cert );
3200 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
3201 free( ssl->peer_cert );
3202 }
3203
3204 if( ssl->out_ctr != NULL )
3205 {
3206 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3207 free( ssl->out_ctr );
3208 }
3209
3210 if( ssl->in_ctr != NULL )
3211 {
3212 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3213 free( ssl->in_ctr );
3214 }
3215
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3216#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3217 dhm_free( &ssl->dhm_ctx );
3218#endif
3219
3220 if ( ssl->hostname != NULL)
3221 {
3222 memset( ssl->hostname, 0, ssl->hostname_len );
3223 free( ssl->hostname );
3224 ssl->hostname_len = 0;
3225 }
3226
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame^]3227#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3228 if( ssl_hw_record_finish != NULL )
3229 {
3230 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3231 ssl_hw_record_finish( ssl );
3232 }
3233#endif
3234
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3235 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]3236
3237 /* Actually free after last debug message */
3238 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3239}
3240
3241#endif