TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0a5970752349f33865b4f141f9f6d2375bd8c92c / . / library / ssl_tls.c
blob: 61920042b96ac442d07dfe8f6266710cf382dd43 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]46#if defined(POLARSSL_GCM_C)
47#include "polarssl/gcm.h"
48#endif
49
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50#include <stdlib.h>
51#include <time.h>
52
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]53#if defined _MSC_VER && !defined strcasecmp
54#define strcasecmp _stricmp
55#endif
56
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]57#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58int (*ssl_hw_record_init)(ssl_context *ssl,
59 const unsigned char *key_enc, const unsigned char *key_dec,
60 const unsigned char *iv_enc, const unsigned char *iv_dec,
61 const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
62int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
63int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
64int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
65int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
66#endif
67
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68/*
69 * Key material generation
70 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]71static int ssl3_prf( unsigned char *secret, size_t slen, char *label,
72 unsigned char *random, size_t rlen,
73 unsigned char *dstbuf, size_t dlen )
74{
75 size_t i;
76 md5_context md5;
77 sha1_context sha1;
78 unsigned char padding[16];
79 unsigned char sha1sum[20];
80 ((void)label);
81
82 /*
83 * SSLv3:
84 * block =
85 * MD5( secret + SHA1( 'A' + secret + random ) ) +
86 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
87 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
88 * ...
89 */
90 for( i = 0; i < dlen / 16; i++ )
91 {
92 memset( padding, 'A' + i, 1 + i );
93
94 sha1_starts( &sha1 );
95 sha1_update( &sha1, padding, 1 + i );
96 sha1_update( &sha1, secret, slen );
97 sha1_update( &sha1, random, rlen );
98 sha1_finish( &sha1, sha1sum );
99
100 md5_starts( &md5 );
101 md5_update( &md5, secret, slen );
102 md5_update( &md5, sha1sum, 20 );
103 md5_finish( &md5, dstbuf + i * 16 );
104 }
105
106 memset( &md5, 0, sizeof( md5 ) );
107 memset( &sha1, 0, sizeof( sha1 ) );
108
109 memset( padding, 0, sizeof( padding ) );
110 memset( sha1sum, 0, sizeof( sha1sum ) );
111
112 return( 0 );
113}
114
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]115static int tls1_prf( unsigned char *secret, size_t slen, char *label,
116 unsigned char *random, size_t rlen,
117 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]118{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]119 size_t nb, hs;
120 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]121 unsigned char *S1, *S2;
122 unsigned char tmp[128];
123 unsigned char h_i[20];
124
125 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]126 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]127
128 hs = ( slen + 1 ) / 2;
129 S1 = secret;
130 S2 = secret + slen - hs;
131
132 nb = strlen( label );
133 memcpy( tmp + 20, label, nb );
134 memcpy( tmp + 20 + nb, random, rlen );
135 nb += rlen;
136
137 /*
138 * First compute P_md5(secret,label+random)[0..dlen]
139 */
140 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
141
142 for( i = 0; i < dlen; i += 16 )
143 {
144 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
145 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
146
147 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
148
149 for( j = 0; j < k; j++ )
150 dstbuf[i + j] = h_i[j];
151 }
152
153 /*
154 * XOR out with P_sha1(secret,label+random)[0..dlen]
155 */
156 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
157
158 for( i = 0; i < dlen; i += 20 )
159 {
160 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
161 sha1_hmac( S2, hs, tmp, 20, tmp );
162
163 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
164
165 for( j = 0; j < k; j++ )
166 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
167 }
168
169 memset( tmp, 0, sizeof( tmp ) );
170 memset( h_i, 0, sizeof( h_i ) );
171
172 return( 0 );
173}
174
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]175static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
176 unsigned char *random, size_t rlen,
177 unsigned char *dstbuf, size_t dlen )
178{
179 size_t nb;
180 size_t i, j, k;
181 unsigned char tmp[128];
182 unsigned char h_i[32];
183
184 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
185 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
186
187 nb = strlen( label );
188 memcpy( tmp + 32, label, nb );
189 memcpy( tmp + 32 + nb, random, rlen );
190 nb += rlen;
191
192 /*
193 * Compute P_<hash>(secret, label + random)[0..dlen]
194 */
195 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
196
197 for( i = 0; i < dlen; i += 32 )
198 {
199 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
200 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
201
202 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
203
204 for( j = 0; j < k; j++ )
205 dstbuf[i + j] = h_i[j];
206 }
207
208 memset( tmp, 0, sizeof( tmp ) );
209 memset( h_i, 0, sizeof( h_i ) );
210
211 return( 0 );
212}
213
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]214static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
215 unsigned char *random, size_t rlen,
216 unsigned char *dstbuf, size_t dlen )
217{
218 size_t nb;
219 size_t i, j, k;
220 unsigned char tmp[128];
221 unsigned char h_i[48];
222
223 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
224 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
225
226 nb = strlen( label );
227 memcpy( tmp + 48, label, nb );
228 memcpy( tmp + 48 + nb, random, rlen );
229 nb += rlen;
230
231 /*
232 * Compute P_<hash>(secret, label + random)[0..dlen]
233 */
234 sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
235
236 for( i = 0; i < dlen; i += 48 )
237 {
238 sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
239 sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
240
241 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
242
243 for( j = 0; j < k; j++ )
244 dstbuf[i + j] = h_i[j];
245 }
246
247 memset( tmp, 0, sizeof( tmp ) );
248 memset( h_i, 0, sizeof( h_i ) );
249
250 return( 0 );
251}
252
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]253static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
254static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
255static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
256static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
257
258static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
259static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
260static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
261static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
262
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]263static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
264static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
265static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
266static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]267
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]268int ssl_derive_keys( ssl_context *ssl )
269{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]270 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]271 unsigned char keyblk[256];
272 unsigned char *key1;
273 unsigned char *key2;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]274 unsigned int iv_copy_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]275 ssl_session *session = ssl->session_negotiate;
276 ssl_transform *transform = ssl->transform_negotiate;
277 ssl_handshake_params *handshake = ssl->handshake;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]278
279 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
280
281 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]282 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]283 */
284 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]285 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]286 handshake->tls_prf = ssl3_prf;
287 handshake->calc_verify = ssl_calc_verify_ssl;
288 handshake->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]289 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]290 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]291 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]292 handshake->tls_prf = tls1_prf;
293 handshake->calc_verify = ssl_calc_verify_tls;
294 handshake->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]295 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]296 else if( session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
297 session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]298 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]299 handshake->tls_prf = tls_prf_sha384;
300 handshake->calc_verify = ssl_calc_verify_tls_sha384;
301 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]302 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]303 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]304 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]305 handshake->tls_prf = tls_prf_sha256;
306 handshake->calc_verify = ssl_calc_verify_tls_sha256;
307 handshake->calc_finished = ssl_calc_finished_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]308 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]309
310 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]311 * SSLv3:
312 * master =
313 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
314 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
315 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]316 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317 * TLSv1:
318 * master = PRF( premaster, "master secret", randbytes )[0..47]
319 */
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]320 if( handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]322 SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
323 handshake->pmslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]324
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]325 handshake->tls_prf( handshake->premaster, handshake->pmslen,
326 "master secret",
327 handshake->randbytes, 64, session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]328
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]329 memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]330 }
331 else
332 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
333
334 /*
335 * Swap the client and server random values.
336 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]337 memcpy( tmp, handshake->randbytes, 64 );
338 memcpy( handshake->randbytes, tmp + 32, 32 );
339 memcpy( handshake->randbytes + 32, tmp, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340 memset( tmp, 0, sizeof( tmp ) );
341
342 /*
343 * SSLv3:
344 * key block =
345 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
346 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
347 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
348 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
349 * ...
350 *
351 * TLSv1:
352 * key block = PRF( master, "key expansion", randbytes )
353 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]354 handshake->tls_prf( session->master, 48, "key expansion",
355 handshake->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]356
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]357 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
358 ssl_get_ciphersuite_name( session->ciphersuite ) ) );
359 SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
360 SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
362
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]363 memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365 /*
366 * Determine the appropriate key, IV and MAC length.
367 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]368 switch( session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]370#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371 case SSL_RSA_RC4_128_MD5:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]372 transform->keylen = 16; transform->minlen = 16;
373 transform->ivlen = 0; transform->maclen = 16;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]374 break;
375
376 case SSL_RSA_RC4_128_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]377 transform->keylen = 16; transform->minlen = 20;
378 transform->ivlen = 0; transform->maclen = 20;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379 break;
380#endif
381
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]382#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]383 case SSL_RSA_DES_168_SHA:
384 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]385 transform->keylen = 24; transform->minlen = 24;
386 transform->ivlen = 8; transform->maclen = 20;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387 break;
388#endif
389
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]390#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]391 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]392 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]393 transform->keylen = 16; transform->minlen = 32;
394 transform->ivlen = 16; transform->maclen = 20;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395 break;
396
397 case SSL_RSA_AES_256_SHA:
398 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]399 transform->keylen = 32; transform->minlen = 32;
400 transform->ivlen = 16; transform->maclen = 20;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]402
403#if defined(POLARSSL_SHA2_C)
404 case SSL_RSA_AES_128_SHA256:
405 case SSL_EDH_RSA_AES_128_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]406 transform->keylen = 16; transform->minlen = 32;
407 transform->ivlen = 16; transform->maclen = 32;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]408 break;
409
410 case SSL_RSA_AES_256_SHA256:
411 case SSL_EDH_RSA_AES_256_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]412 transform->keylen = 32; transform->minlen = 32;
413 transform->ivlen = 16; transform->maclen = 32;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]414 break;
415#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]416#if defined(POLARSSL_GCM_C)
417 case SSL_RSA_AES_128_GCM_SHA256:
418 case SSL_EDH_RSA_AES_128_GCM_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]419 transform->keylen = 16; transform->minlen = 1;
420 transform->ivlen = 12; transform->maclen = 0;
421 transform->fixed_ivlen = 4;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]422 break;
423
424 case SSL_RSA_AES_256_GCM_SHA384:
425 case SSL_EDH_RSA_AES_256_GCM_SHA384:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]426 transform->keylen = 32; transform->minlen = 1;
427 transform->ivlen = 12; transform->maclen = 0;
428 transform->fixed_ivlen = 4;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]429 break;
430#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431#endif
432
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]433#if defined(POLARSSL_CAMELLIA_C)
434 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]435 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]436 transform->keylen = 16; transform->minlen = 32;
437 transform->ivlen = 16; transform->maclen = 20;
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]438 break;
439
440 case SSL_RSA_CAMELLIA_256_SHA:
441 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]442 transform->keylen = 32; transform->minlen = 32;
443 transform->ivlen = 16; transform->maclen = 20;
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]444 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]445
446#if defined(POLARSSL_SHA2_C)
447 case SSL_RSA_CAMELLIA_128_SHA256:
448 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]449 transform->keylen = 16; transform->minlen = 32;
450 transform->ivlen = 16; transform->maclen = 32;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]451 break;
452
453 case SSL_RSA_CAMELLIA_256_SHA256:
454 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]455 transform->keylen = 32; transform->minlen = 32;
456 transform->ivlen = 16; transform->maclen = 32;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]457 break;
458#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]459#endif
460
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]461#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
462#if defined(POLARSSL_CIPHER_NULL_CIPHER)
463 case SSL_RSA_NULL_MD5:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]464 transform->keylen = 0; transform->minlen = 0;
465 transform->ivlen = 0; transform->maclen = 16;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]466 break;
467
468 case SSL_RSA_NULL_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]469 transform->keylen = 0; transform->minlen = 0;
470 transform->ivlen = 0; transform->maclen = 20;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]471 break;
472
473 case SSL_RSA_NULL_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]474 transform->keylen = 0; transform->minlen = 0;
475 transform->ivlen = 0; transform->maclen = 32;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]476 break;
477#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
478
479#if defined(POLARSSL_DES_C)
480 case SSL_RSA_DES_SHA:
481 case SSL_EDH_RSA_DES_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]482 transform->keylen = 8; transform->minlen = 8;
483 transform->ivlen = 8; transform->maclen = 20;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]484 break;
485#endif
486#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
487
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]489 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]490 ssl_get_ciphersuite_name( session->ciphersuite ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]491 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]492 }
493
494 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]495 transform->keylen, transform->minlen, transform->ivlen,
496 transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]497
498 /*
499 * Finally setup the cipher contexts, IVs and MAC secrets.
500 */
501 if( ssl->endpoint == SSL_IS_CLIENT )
502 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]503 key1 = keyblk + transform->maclen * 2;
504 key2 = keyblk + transform->maclen * 2 + transform->keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]506 memcpy( transform->mac_enc, keyblk, transform->maclen );
507 memcpy( transform->mac_dec, keyblk + transform->maclen,
508 transform->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]509
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]510 /*
511 * This is not used in TLS v1.1.
512 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]513 iv_copy_len = ( transform->fixed_ivlen ) ?
514 transform->fixed_ivlen : transform->ivlen;
515 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
516 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]517 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518 }
519 else
520 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]521 key1 = keyblk + transform->maclen * 2 + transform->keylen;
522 key2 = keyblk + transform->maclen * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]524 memcpy( transform->mac_dec, keyblk, transform->maclen );
525 memcpy( transform->mac_enc, keyblk + transform->maclen,
526 transform->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]527
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]528 /*
529 * This is not used in TLS v1.1.
530 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]531 iv_copy_len = ( transform->fixed_ivlen ) ?
532 transform->fixed_ivlen : transform->ivlen;
533 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
534 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]535 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]536 }
537
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]538#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
539 if( ssl_hw_record_init != NULL)
540 {
541 int ret = 0;
542
543 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
544
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]545 if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->iv_enc,
546 transform->iv_dec, transform->mac_enc,
547 transform->mac_dec ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]548 {
549 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
550 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
551 }
552 }
553#endif
554
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]555 switch( session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]557#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558 case SSL_RSA_RC4_128_MD5:
559 case SSL_RSA_RC4_128_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]560 arc4_setup( (arc4_context *) transform->ctx_enc, key1,
561 transform->keylen );
562 arc4_setup( (arc4_context *) transform->ctx_dec, key2,
563 transform->keylen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564 break;
565#endif
566
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]567#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568 case SSL_RSA_DES_168_SHA:
569 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]570 des3_set3key_enc( (des3_context *) transform->ctx_enc, key1 );
571 des3_set3key_dec( (des3_context *) transform->ctx_dec, key2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 break;
573#endif
574
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]575#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]577 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]578 case SSL_RSA_AES_128_SHA256:
579 case SSL_EDH_RSA_AES_128_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]580 aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 128 );
581 aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 128 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582 break;
583
584 case SSL_RSA_AES_256_SHA:
585 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]586 case SSL_RSA_AES_256_SHA256:
587 case SSL_EDH_RSA_AES_256_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]588 aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 256 );
589 aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590 break;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]591
592#if defined(POLARSSL_GCM_C)
593 case SSL_RSA_AES_128_GCM_SHA256:
594 case SSL_EDH_RSA_AES_128_GCM_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]595 gcm_init( (gcm_context *) transform->ctx_enc, key1, 128 );
596 gcm_init( (gcm_context *) transform->ctx_dec, key2, 128 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]597 break;
598
599 case SSL_RSA_AES_256_GCM_SHA384:
600 case SSL_EDH_RSA_AES_256_GCM_SHA384:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]601 gcm_init( (gcm_context *) transform->ctx_enc, key1, 256 );
602 gcm_init( (gcm_context *) transform->ctx_dec, key2, 256 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]603 break;
604#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]605#endif
606
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]607#if defined(POLARSSL_CAMELLIA_C)
608 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]609 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]610 case SSL_RSA_CAMELLIA_128_SHA256:
611 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]612 camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 128 );
613 camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 128 );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]614 break;
615
616 case SSL_RSA_CAMELLIA_256_SHA:
617 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]618 case SSL_RSA_CAMELLIA_256_SHA256:
619 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]620 camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 256 );
621 camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 256 );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]622 break;
623#endif
624
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]625#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
626#if defined(POLARSSL_CIPHER_NULL_CIPHER)
627 case SSL_RSA_NULL_MD5:
628 case SSL_RSA_NULL_SHA:
629 case SSL_RSA_NULL_SHA256:
630 break;
631#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
632
633#if defined(POLARSSL_DES_C)
634 case SSL_RSA_DES_SHA:
635 case SSL_EDH_RSA_DES_SHA:
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]636 des_setkey_enc( (des_context *) transform->ctx_enc, key1 );
637 des_setkey_dec( (des_context *) transform->ctx_dec, key2 );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]638 break;
639#endif
640#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
641
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]643 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]644 }
645
646 memset( keyblk, 0, sizeof( keyblk ) );
647
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]648#if defined(POLARSSL_ZLIB_SUPPORT)
649 // Initialize compression
650 //
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]651 if( session->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]652 {
653 SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
654
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]655 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
656 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]657
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]658 if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
659 inflateInit( &transform->ctx_inflate ) != Z_OK )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]660 {
661 SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
662 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
663 }
664 }
665#endif /* POLARSSL_ZLIB_SUPPORT */
666
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
668
669 return( 0 );
670}
671
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]672void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673{
674 md5_context md5;
675 sha1_context sha1;
676 unsigned char pad_1[48];
677 unsigned char pad_2[48];
678
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]679 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]681 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
682 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]683
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]684 memset( pad_1, 0x36, 48 );
685 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]686
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]687 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]688 md5_update( &md5, pad_1, 48 );
689 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]691 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]692 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]693 md5_update( &md5, pad_2, 48 );
694 md5_update( &md5, hash, 16 );
695 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]696
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]697 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]698 sha1_update( &sha1, pad_1, 40 );
699 sha1_finish( &sha1, hash + 16 );
700
701 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]702 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]703 sha1_update( &sha1, pad_2, 40 );
704 sha1_update( &sha1, hash + 16, 20 );
705 sha1_finish( &sha1, hash + 16 );
706
707 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
708 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
709
710 return;
711}
712
713void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
714{
715 md5_context md5;
716 sha1_context sha1;
717
718 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
719
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]720 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
721 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]722
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]723 md5_finish( &md5, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]724 sha1_finish( &sha1, hash + 16 );
725
726 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
727 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
728
729 return;
730}
731
732void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
733{
734 sha2_context sha2;
735
736 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
737
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]738 memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]739 sha2_finish( &sha2, hash );
740
741 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
742 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
743
744 return;
745}
746
747void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
748{
749 sha4_context sha4;
750
751 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
752
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]753 memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]754 sha4_finish( &sha4, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]755
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]756 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]757 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
758
759 return;
760}
761
762/*
763 * SSLv3.0 MAC functions
764 */
765static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]766 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767 unsigned char *ctr, int type )
768{
769 unsigned char header[11];
770 unsigned char padding[48];
771 md5_context md5;
772
773 memcpy( header, ctr, 8 );
774 header[ 8] = (unsigned char) type;
775 header[ 9] = (unsigned char)( len >> 8 );
776 header[10] = (unsigned char)( len );
777
778 memset( padding, 0x36, 48 );
779 md5_starts( &md5 );
780 md5_update( &md5, secret, 16 );
781 md5_update( &md5, padding, 48 );
782 md5_update( &md5, header, 11 );
783 md5_update( &md5, buf, len );
784 md5_finish( &md5, buf + len );
785
786 memset( padding, 0x5C, 48 );
787 md5_starts( &md5 );
788 md5_update( &md5, secret, 16 );
789 md5_update( &md5, padding, 48 );
790 md5_update( &md5, buf + len, 16 );
791 md5_finish( &md5, buf + len );
792}
793
794static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]795 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]796 unsigned char *ctr, int type )
797{
798 unsigned char header[11];
799 unsigned char padding[40];
800 sha1_context sha1;
801
802 memcpy( header, ctr, 8 );
803 header[ 8] = (unsigned char) type;
804 header[ 9] = (unsigned char)( len >> 8 );
805 header[10] = (unsigned char)( len );
806
807 memset( padding, 0x36, 40 );
808 sha1_starts( &sha1 );
809 sha1_update( &sha1, secret, 20 );
810 sha1_update( &sha1, padding, 40 );
811 sha1_update( &sha1, header, 11 );
812 sha1_update( &sha1, buf, len );
813 sha1_finish( &sha1, buf + len );
814
815 memset( padding, 0x5C, 40 );
816 sha1_starts( &sha1 );
817 sha1_update( &sha1, secret, 20 );
818 sha1_update( &sha1, padding, 40 );
819 sha1_update( &sha1, buf + len, 20 );
820 sha1_finish( &sha1, buf + len );
821}
822
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]823static void ssl_mac_sha2( unsigned char *secret,
824 unsigned char *buf, size_t len,
825 unsigned char *ctr, int type )
826{
827 unsigned char header[11];
828 unsigned char padding[32];
829 sha2_context sha2;
830
831 memcpy( header, ctr, 8 );
832 header[ 8] = (unsigned char) type;
833 header[ 9] = (unsigned char)( len >> 8 );
834 header[10] = (unsigned char)( len );
835
836 memset( padding, 0x36, 32 );
837 sha2_starts( &sha2, 0 );
838 sha2_update( &sha2, secret, 32 );
839 sha2_update( &sha2, padding, 32 );
840 sha2_update( &sha2, header, 11 );
841 sha2_update( &sha2, buf, len );
842 sha2_finish( &sha2, buf + len );
843
844 memset( padding, 0x5C, 32 );
845 sha2_starts( &sha2, 0 );
846 sha2_update( &sha2, secret, 32 );
847 sha2_update( &sha2, padding, 32 );
848 sha2_update( &sha2, buf + len, 32 );
849 sha2_finish( &sha2, buf + len );
850}
851
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852/*
853 * Encryption/decryption functions
854 */
855static int ssl_encrypt_buf( ssl_context *ssl )
856{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]857 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]858
859 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
860
861 /*
862 * Add MAC then encrypt
863 */
864 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
865 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]866 if( ssl->transform_out->maclen == 16 )
867 ssl_mac_md5( ssl->transform_out->mac_enc,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868 ssl->out_msg, ssl->out_msglen,
869 ssl->out_ctr, ssl->out_msgtype );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]870 else if( ssl->transform_out->maclen == 20 )
871 ssl_mac_sha1( ssl->transform_out->mac_enc,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]872 ssl->out_msg, ssl->out_msglen,
873 ssl->out_ctr, ssl->out_msgtype );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]874 else if( ssl->transform_out->maclen == 32 )
875 ssl_mac_sha2( ssl->transform_out->mac_enc,
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]876 ssl->out_msg, ssl->out_msglen,
877 ssl->out_ctr, ssl->out_msgtype );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]878 else if( ssl->transform_out->maclen != 0 )
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]879 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]880 SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
881 ssl->transform_out->maclen ) );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]882 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
883 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]884 }
885 else
886 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]887 if( ssl->transform_out->maclen == 16 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]888 {
889 md5_context ctx;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]890 md5_hmac_starts( &ctx, ssl->transform_out->mac_enc, 16 );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]891 md5_hmac_update( &ctx, ssl->out_ctr, 13 );
892 md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
893 md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
894 memset( &ctx, 0, sizeof(md5_context));
895 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]896 else if( ssl->transform_out->maclen == 20 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]897 {
898 sha1_context ctx;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]899 sha1_hmac_starts( &ctx, ssl->transform_out->mac_enc, 20 );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]900 sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
901 sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
902 sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
903 memset( &ctx, 0, sizeof(sha1_context));
904 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]905 else if( ssl->transform_out->maclen == 32 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]906 {
907 sha2_context ctx;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]908 sha2_hmac_starts( &ctx, ssl->transform_out->mac_enc, 32, 0 );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]909 sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
910 sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
911 sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
912 memset( &ctx, 0, sizeof(sha2_context));
913 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]914 else if( ssl->transform_out->maclen != 0 )
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]915 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]916 SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
917 ssl->transform_out->maclen ) );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame]918 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
919 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]920 }
921
922 SSL_DEBUG_BUF( 4, "computed mac",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]923 ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]924
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]925 ssl->out_msglen += ssl->transform_out->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]926
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]927 if( ssl->transform_out->ivlen == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]928 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929 padlen = 0;
930
931 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
932 "including %d bytes of padding",
933 ssl->out_msglen, 0 ) );
934
935 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
936 ssl->out_msg, ssl->out_msglen );
937
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]938#if defined(POLARSSL_ARC4_C)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]939 if( ssl->session_out->ciphersuite == SSL_RSA_RC4_128_MD5 ||
940 ssl->session_out->ciphersuite == SSL_RSA_RC4_128_SHA )
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]941 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]942 arc4_crypt( (arc4_context *) ssl->transform_out->ctx_enc,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]943 ssl->out_msglen, ssl->out_msg,
944 ssl->out_msg );
945 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]946#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]947#if defined(POLARSSL_CIPHER_NULL_CIPHER)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]948 if( ssl->session_out->ciphersuite == SSL_RSA_NULL_MD5 ||
949 ssl->session_out->ciphersuite == SSL_RSA_NULL_SHA ||
950 ssl->session_out->ciphersuite == SSL_RSA_NULL_SHA256 )
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]951 {
952 } else
953#endif
954 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]956 else if( ssl->transform_out->ivlen == 12 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]957 {
958 size_t enc_msglen;
959 unsigned char *enc_msg;
960 unsigned char add_data[13];
961 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
962
963 padlen = 0;
964 enc_msglen = ssl->out_msglen;
965
966 memcpy( add_data, ssl->out_ctr, 8 );
967 add_data[8] = ssl->out_msgtype;
968 add_data[9] = ssl->major_ver;
969 add_data[10] = ssl->minor_ver;
970 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
971 add_data[12] = ssl->out_msglen & 0xFF;
972
973 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
974 add_data, 13 );
975
976#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
977
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]978 if( ssl->session_out->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
979 ssl->session_out->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
980 ssl->session_out->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
981 ssl->session_out->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]982 {
983 /*
984 * Generate IV
985 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]986 ret = ssl->f_rng( ssl->p_rng,
987 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
988 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]989 if( ret != 0 )
990 return( ret );
991
992 /*
993 * Shift message for ivlen bytes and prepend IV
994 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]995 memmove( ssl->out_msg + ssl->transform_out->ivlen -
996 ssl->transform_out->fixed_ivlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]997 ssl->out_msg, ssl->out_msglen );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]998 memcpy( ssl->out_msg,
999 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1000 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1001
1002 /*
1003 * Fix pointer positions and message length with added IV
1004 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1005 enc_msg = ssl->out_msg + ssl->transform_out->ivlen -
1006 ssl->transform_out->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1007 enc_msglen = ssl->out_msglen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1008 ssl->out_msglen += ssl->transform_out->ivlen -
1009 ssl->transform_out->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1010
1011 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1012 "including %d bytes of padding",
1013 ssl->out_msglen, 0 ) );
1014
1015 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1016 ssl->out_msg, ssl->out_msglen );
1017
1018 /*
1019 * Adjust for tag
1020 */
1021 ssl->out_msglen += 16;
1022
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1023 gcm_crypt_and_tag( (gcm_context *) ssl->transform_out->ctx_enc,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1024 GCM_ENCRYPT, enc_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1025 ssl->transform_out->iv_enc, ssl->transform_out->ivlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1026 add_data, 13,
1027 enc_msg, enc_msg,
1028 16, enc_msg + enc_msglen );
1029
1030 SSL_DEBUG_BUF( 4, "after encrypt: tag",
1031 enc_msg + enc_msglen, 16 );
1032
1033 } else
1034#endif
1035 return( ret );
1036 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1037 else
1038 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1039 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1040 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1041
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1042 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1043 ssl->transform_out->ivlen;
1044 if( padlen == ssl->transform_out->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045 padlen = 0;
1046
1047 for( i = 0; i <= padlen; i++ )
1048 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1049
1050 ssl->out_msglen += padlen + 1;
1051
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1052 enc_msglen = ssl->out_msglen;
1053 enc_msg = ssl->out_msg;
1054
1055 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1056 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1057 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1058 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1059 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1060 {
1061 /*
1062 * Generate IV
1063 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1064 int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1065 ssl->transform_out->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1066 if( ret != 0 )
1067 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1068
1069 /*
1070 * Shift message for ivlen bytes and prepend IV
1071 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1072 memmove( ssl->out_msg + ssl->transform_out->ivlen, ssl->out_msg,
1073 ssl->out_msglen );
1074 memcpy( ssl->out_msg, ssl->transform_out->iv_enc,
1075 ssl->transform_out->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1076
1077 /*
1078 * Fix pointer positions and message length with added IV
1079 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1080 enc_msg = ssl->out_msg + ssl->transform_out->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1081 enc_msglen = ssl->out_msglen;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1082 ssl->out_msglen += ssl->transform_out->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1083 }
1084
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1085 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1086 "including %d bytes of IV and %d bytes of padding",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1087 ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1088
1089 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1090 ssl->out_msg, ssl->out_msglen );
1091
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1092 switch( ssl->transform_out->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1093 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1094#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1095 case 8:
1096#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1097 if( ssl->session_out->ciphersuite == SSL_RSA_DES_SHA ||
1098 ssl->session_out->ciphersuite == SSL_EDH_RSA_DES_SHA )
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1099 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1100 des_crypt_cbc( (des_context *) ssl->transform_out->ctx_enc,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1101 DES_ENCRYPT, enc_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1102 ssl->transform_out->iv_enc, enc_msg, enc_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1103 }
1104 else
1105#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1106 des3_crypt_cbc( (des3_context *) ssl->transform_out->ctx_enc,
1107 DES_ENCRYPT, enc_msglen,
1108 ssl->transform_out->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109 break;
1110#endif
1111
1112 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1113#if defined(POLARSSL_AES_C)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1114 if ( ssl->session_out->ciphersuite == SSL_RSA_AES_128_SHA ||
1115 ssl->session_out->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1116 ssl->session_out->ciphersuite == SSL_RSA_AES_256_SHA ||
1117 ssl->session_out->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1118 ssl->session_out->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1119 ssl->session_out->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1120 ssl->session_out->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1121 ssl->session_out->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1122 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1123 aes_crypt_cbc( (aes_context *) ssl->transform_out->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1124 AES_ENCRYPT, enc_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1125 ssl->transform_out->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1126 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1127 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1128#endif
1129
1130#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1131 if ( ssl->session_out->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1132 ssl->session_out->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1133 ssl->session_out->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
1134 ssl->session_out->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1135 ssl->session_out->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1136 ssl->session_out->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1137 ssl->session_out->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1138 ssl->session_out->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1139 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1140 camellia_crypt_cbc( (camellia_context *) ssl->transform_out->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1141 CAMELLIA_ENCRYPT, enc_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1142 ssl->transform_out->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1143 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1144 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145#endif
1146
1147 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1148 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1149 }
1150 }
1151
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1152 for( i = 8; i > 0; i-- )
1153 if( ++ssl->out_ctr[i - 1] != 0 )
1154 break;
1155
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1156 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1157
1158 return( 0 );
1159}
1160
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1161/*
1162 * TODO: Use digest version when integrated!
1163 */
1164#define POLARSSL_SSL_MAX_MAC_SIZE 32
1165
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1166static int ssl_decrypt_buf( ssl_context *ssl )
1167{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1168 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1169 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1170
1171 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1172
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1173 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1174 {
1175 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1176 ssl->in_msglen, ssl->transform_in->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1177 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1178 }
1179
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1180 if( ssl->transform_in->ivlen == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1181 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1182#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1183 padlen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1184 if( ssl->session_in->ciphersuite == SSL_RSA_RC4_128_MD5 ||
1185 ssl->session_in->ciphersuite == SSL_RSA_RC4_128_SHA )
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1186 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1187 arc4_crypt( (arc4_context *) ssl->transform_in->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]1188 ssl->in_msglen, ssl->in_msg,
1189 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1190 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1191#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1192#if defined(POLARSSL_CIPHER_NULL_CIPHER)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1193 if( ssl->session_in->ciphersuite == SSL_RSA_NULL_MD5 ||
1194 ssl->session_in->ciphersuite == SSL_RSA_NULL_SHA ||
1195 ssl->session_in->ciphersuite == SSL_RSA_NULL_SHA256 )
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1196 {
1197 } else
1198#endif
1199 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1200 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1201 else if( ssl->transform_in->ivlen == 12 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1202 {
1203 unsigned char *dec_msg;
1204 unsigned char *dec_msg_result;
1205 size_t dec_msglen;
1206 unsigned char add_data[13];
1207 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1208
1209 padlen = 0;
1210
1211#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1212 if( ssl->session_in->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
1213 ssl->session_in->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
1214 ssl->session_in->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
1215 ssl->session_in->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1216 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1217 dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1218 ssl->transform_in->fixed_ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1219 dec_msglen -= 16;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1220 dec_msg = ssl->in_msg + ( ssl->transform_in->ivlen -
1221 ssl->transform_in->fixed_ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1222 dec_msg_result = ssl->in_msg;
1223 ssl->in_msglen = dec_msglen;
1224
1225 memcpy( add_data, ssl->in_ctr, 8 );
1226 add_data[8] = ssl->in_msgtype;
1227 add_data[9] = ssl->major_ver;
1228 add_data[10] = ssl->minor_ver;
1229 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1230 add_data[12] = ssl->in_msglen & 0xFF;
1231
1232 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1233 add_data, 13 );
1234
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1235 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1236 ssl->in_msg,
1237 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1238
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1239 SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1240 ssl->transform_in->ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1241 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1242
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1243 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1244 ssl->in_msg,
1245 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1246
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1247 ret = gcm_auth_decrypt( (gcm_context *) ssl->transform_in->ctx_dec,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1248 dec_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1249 ssl->transform_in->iv_dec,
1250 ssl->transform_in->ivlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1251 add_data, 13,
1252 dec_msg + dec_msglen, 16,
1253 dec_msg, dec_msg_result );
1254
1255 if( ret != 0 )
1256 {
1257 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1258 -ret ) );
1259
1260 return( POLARSSL_ERR_SSL_INVALID_MAC );
1261 }
1262 } else
1263#endif
1264 return( ret );
1265 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1266 else
1267 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1268 unsigned char *dec_msg;
1269 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1270 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1271
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272 /*
1273 * Decrypt and check the padding
1274 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1275 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1276 {
1277 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1278 ssl->in_msglen, ssl->transform_in->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1279 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1280 }
1281
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1282 dec_msglen = ssl->in_msglen;
1283 dec_msg = ssl->in_msg;
1284 dec_msg_result = ssl->in_msg;
1285
1286 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1287 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1288 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1289 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1290 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1291 dec_msg += ssl->transform_in->ivlen;
1292 dec_msglen -= ssl->transform_in->ivlen;
1293 ssl->in_msglen -= ssl->transform_in->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1294
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1295 for( i = 0; i < ssl->transform_in->ivlen; i++ )
1296 ssl->transform_in->iv_dec[i] = ssl->in_msg[i];
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1297 }
1298
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1299 switch( ssl->transform_in->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1300 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1301#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1303#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1304 if( ssl->session_in->ciphersuite == SSL_RSA_DES_SHA ||
1305 ssl->session_in->ciphersuite == SSL_EDH_RSA_DES_SHA )
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1306 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1307 des_crypt_cbc( (des_context *) ssl->transform_in->ctx_dec,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1308 DES_DECRYPT, dec_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1309 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1310 }
1311 else
1312#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1313 des3_crypt_cbc( (des3_context *) ssl->transform_in->ctx_dec,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1314 DES_DECRYPT, dec_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1315 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1316 break;
1317#endif
1318
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1320#if defined(POLARSSL_AES_C)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1321 if ( ssl->session_in->ciphersuite == SSL_RSA_AES_128_SHA ||
1322 ssl->session_in->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1323 ssl->session_in->ciphersuite == SSL_RSA_AES_256_SHA ||
1324 ssl->session_in->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1325 ssl->session_in->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1326 ssl->session_in->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1327 ssl->session_in->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1328 ssl->session_in->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1329 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1330 aes_crypt_cbc( (aes_context *) ssl->transform_in->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1331 AES_DECRYPT, dec_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1332 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1333 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1334 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1335#endif
1336
1337#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1338 if ( ssl->session_in->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1339 ssl->session_in->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1340 ssl->session_in->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
1341 ssl->session_in->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1342 ssl->session_in->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1343 ssl->session_in->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1344 ssl->session_in->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1345 ssl->session_in->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1346 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1347 camellia_crypt_cbc( (camellia_context *) ssl->transform_in->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1348 CAMELLIA_DECRYPT, dec_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1349 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1350 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1351 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352#endif
1353
1354 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1355 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1356 }
1357
1358 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1359
1360 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1361 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1362 if( padlen > ssl->transform_in->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1363 {
1364 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1365 "should be no more than %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1366 padlen, ssl->transform_in->ivlen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1367 padlen = 0;
1368 }
1369 }
1370 else
1371 {
1372 /*
1373 * TLSv1: always check the padding
1374 */
1375 for( i = 1; i <= padlen; i++ )
1376 {
1377 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1378 {
1379 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
1380 "%02x, but is %02x", padlen - 1,
1381 ssl->in_msg[ssl->in_msglen - i] ) );
1382 padlen = 0;
1383 }
1384 }
1385 }
1386 }
1387
1388 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1389 ssl->in_msg, ssl->in_msglen );
1390
1391 /*
1392 * Always compute the MAC (RFC4346, CBCTIME).
1393 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1394 if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1395 {
1396 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1397 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1398 return( POLARSSL_ERR_SSL_INVALID_MAC );
1399 }
1400
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1401 ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1402
1403 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1404 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1405
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1406 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1407
1408 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1409 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1410 if( ssl->transform_in->maclen == 16 )
1411 ssl_mac_md5( ssl->transform_in->mac_dec,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412 ssl->in_msg, ssl->in_msglen,
1413 ssl->in_ctr, ssl->in_msgtype );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1414 else if( ssl->transform_in->maclen == 20 )
1415 ssl_mac_sha1( ssl->transform_in->mac_dec,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1416 ssl->in_msg, ssl->in_msglen,
1417 ssl->in_ctr, ssl->in_msgtype );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1418 else if( ssl->transform_in->maclen == 32 )
1419 ssl_mac_sha2( ssl->transform_in->mac_dec,
1420 ssl->in_msg, ssl->in_msglen,
1421 ssl->in_ctr, ssl->in_msgtype );
1422 else if( ssl->transform_in->maclen != 0 )
1423 {
1424 SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1425 ssl->transform_in->maclen ) );
1426 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
1427 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1428 }
1429 else
1430 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1431 if( ssl->transform_in->maclen == 16 )
1432 md5_hmac( ssl->transform_in->mac_dec, 16,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1433 ssl->in_ctr, ssl->in_msglen + 13,
1434 ssl->in_msg + ssl->in_msglen );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1435 else if( ssl->transform_in->maclen == 20 )
1436 sha1_hmac( ssl->transform_in->mac_dec, 20,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1437 ssl->in_ctr, ssl->in_msglen + 13,
1438 ssl->in_msg + ssl->in_msglen );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1439 else if( ssl->transform_in->maclen == 32 )
1440 sha2_hmac( ssl->transform_in->mac_dec, 32,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1441 ssl->in_ctr, ssl->in_msglen + 13,
1442 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1443 else if( ssl->transform_in->maclen != 0 )
1444 {
1445 SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1446 ssl->transform_in->maclen ) );
1447 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
1448 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1449 }
1450
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1451 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1452 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1453 ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1454
1455 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1456 ssl->transform_in->maclen ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1457 {
1458 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1459 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1460 }
1461
1462 /*
1463 * Finally check the padding length; bad padding
1464 * will produce the same error as an invalid MAC.
1465 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1466 if( ssl->transform_in->ivlen != 0 && ssl->transform_in->ivlen != 12 &&
1467 padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1468 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1469
1470 if( ssl->in_msglen == 0 )
1471 {
1472 ssl->nb_zero++;
1473
1474 /*
1475 * Three or more empty messages may be a DoS attack
1476 * (excessive CPU consumption).
1477 */
1478 if( ssl->nb_zero > 3 )
1479 {
1480 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1481 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1482 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1483 }
1484 }
1485 else
1486 ssl->nb_zero = 0;
1487
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1488 for( i = 8; i > 0; i-- )
1489 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1490 break;
1491
1492 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1493
1494 return( 0 );
1495}
1496
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1497#if defined(POLARSSL_ZLIB_SUPPORT)
1498/*
1499 * Compression/decompression functions
1500 */
1501static int ssl_compress_buf( ssl_context *ssl )
1502{
1503 int ret;
1504 unsigned char *msg_post = ssl->out_msg;
1505 size_t len_pre = ssl->out_msglen;
1506 unsigned char *msg_pre;
1507
1508 SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1509
1510 msg_pre = (unsigned char*) malloc( len_pre );
1511 if( msg_pre == NULL )
1512 {
1513 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1514 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1515 }
1516
1517 memcpy( msg_pre, ssl->out_msg, len_pre );
1518
1519 SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1520 ssl->out_msglen ) );
1521
1522 SSL_DEBUG_BUF( 4, "before compression: output payload",
1523 ssl->out_msg, ssl->out_msglen );
1524
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1525 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1526 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1527 ssl->transform_out->ctx_deflate.next_out = msg_post;
1528 ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1529
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1530 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1531 if( ret != Z_OK )
1532 {
1533 SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1534 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1535 }
1536
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1537 ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1538
1539 free( msg_pre );
1540
1541 SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1542 ssl->out_msglen ) );
1543
1544 SSL_DEBUG_BUF( 4, "after compression: output payload",
1545 ssl->out_msg, ssl->out_msglen );
1546
1547 SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1548
1549 return( 0 );
1550}
1551
1552static int ssl_decompress_buf( ssl_context *ssl )
1553{
1554 int ret;
1555 unsigned char *msg_post = ssl->in_msg;
1556 size_t len_pre = ssl->in_msglen;
1557 unsigned char *msg_pre;
1558
1559 SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1560
1561 msg_pre = (unsigned char*) malloc( len_pre );
1562 if( msg_pre == NULL )
1563 {
1564 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1565 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1566 }
1567
1568 memcpy( msg_pre, ssl->in_msg, len_pre );
1569
1570 SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1571 ssl->in_msglen ) );
1572
1573 SSL_DEBUG_BUF( 4, "before decompression: input payload",
1574 ssl->in_msg, ssl->in_msglen );
1575
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1576 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1577 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1578 ssl->transform_in->ctx_inflate.next_out = msg_post;
1579 ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1580
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1581 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1582 if( ret != Z_OK )
1583 {
1584 SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1585 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1586 }
1587
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1588 ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1589
1590 free( msg_pre );
1591
1592 SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1593 ssl->in_msglen ) );
1594
1595 SSL_DEBUG_BUF( 4, "after decompression: input payload",
1596 ssl->in_msg, ssl->in_msglen );
1597
1598 SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1599
1600 return( 0 );
1601}
1602#endif /* POLARSSL_ZLIB_SUPPORT */
1603
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1604/*
1605 * Fill the input message buffer
1606 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1607int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1608{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1609 int ret;
1610 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1611
1612 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1613
1614 while( ssl->in_left < nb_want )
1615 {
1616 len = nb_want - ssl->in_left;
1617 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1618
1619 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1620 ssl->in_left, nb_want ) );
1621 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1622
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1623 if( ret == 0 )
1624 return( POLARSSL_ERR_SSL_CONN_EOF );
1625
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1626 if( ret < 0 )
1627 return( ret );
1628
1629 ssl->in_left += ret;
1630 }
1631
1632 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1633
1634 return( 0 );
1635}
1636
1637/*
1638 * Flush any data not yet written
1639 */
1640int ssl_flush_output( ssl_context *ssl )
1641{
1642 int ret;
1643 unsigned char *buf;
1644
1645 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1646
1647 while( ssl->out_left > 0 )
1648 {
1649 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1650 5 + ssl->out_msglen, ssl->out_left ) );
1651
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1652 if( ssl->out_msglen < ssl->out_left )
1653 {
1654 size_t header_left = ssl->out_left - ssl->out_msglen;
1655
1656 buf = ssl->out_hdr + 5 - header_left;
1657 ret = ssl->f_send( ssl->p_send, buf, header_left );
1658
1659 SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1660
1661 if( ret <= 0 )
1662 return( ret );
1663
1664 ssl->out_left -= ret;
1665 }
1666
1667 buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1668 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1669
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1670 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1671
1672 if( ret <= 0 )
1673 return( ret );
1674
1675 ssl->out_left -= ret;
1676 }
1677
1678 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1679
1680 return( 0 );
1681}
1682
1683/*
1684 * Record layer functions
1685 */
1686int ssl_write_record( ssl_context *ssl )
1687{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1688 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1689 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690
1691 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1692
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1693 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1694 {
1695 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1696 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1697 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1698
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1699 ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700 }
1701
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1702#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1703 if( ssl->transform_out != NULL &&
1704 ssl->session_out->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1705 {
1706 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1707 {
1708 SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1709 return( ret );
1710 }
1711
1712 len = ssl->out_msglen;
1713 }
1714#endif /*POLARSSL_ZLIB_SUPPORT */
1715
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1716#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1717 if( ssl_hw_record_write != NULL)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1718 {
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1719 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1720
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1721 ret = ssl_hw_record_write( ssl );
1722 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1723 {
1724 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1725 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1726 }
1727 done = 1;
1728 }
1729#endif
1730 if( !done )
1731 {
1732 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1733 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1734 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1735 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1736 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1737
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1738 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1739 {
1740 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1741 {
1742 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1743 return( ret );
1744 }
1745
1746 len = ssl->out_msglen;
1747 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1748 ssl->out_hdr[4] = (unsigned char)( len );
1749 }
1750
1751 ssl->out_left = 5 + ssl->out_msglen;
1752
1753 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1754 "version = [%d:%d], msglen = %d",
1755 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1756 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1757
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1758 SSL_DEBUG_BUF( 4, "output record header sent to network",
1759 ssl->out_hdr, 5 );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1760 SSL_DEBUG_BUF( 4, "output record sent to network",
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1761 ssl->out_hdr + 32, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762 }
1763
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1764 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1765 {
1766 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1767 return( ret );
1768 }
1769
1770 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1771
1772 return( 0 );
1773}
1774
1775int ssl_read_record( ssl_context *ssl )
1776{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1777 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778
1779 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1780
1781 if( ssl->in_hslen != 0 &&
1782 ssl->in_hslen < ssl->in_msglen )
1783 {
1784 /*
1785 * Get next Handshake message in the current record
1786 */
1787 ssl->in_msglen -= ssl->in_hslen;
1788
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1789 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1790 ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1791
1792 ssl->in_hslen = 4;
1793 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1794
1795 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1796 " %d, type = %d, hslen = %d",
1797 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1798
1799 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1800 {
1801 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1802 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1803 }
1804
1805 if( ssl->in_msglen < ssl->in_hslen )
1806 {
1807 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1808 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809 }
1810
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1811 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812
1813 return( 0 );
1814 }
1815
1816 ssl->in_hslen = 0;
1817
1818 /*
1819 * Read the record header and validate it
1820 */
1821 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1822 {
1823 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1824 return( ret );
1825 }
1826
1827 ssl->in_msgtype = ssl->in_hdr[0];
1828 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1829
1830 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1831 "version = [%d:%d], msglen = %d",
1832 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1833 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1834
1835 if( ssl->in_hdr[1] != ssl->major_ver )
1836 {
1837 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1838 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839 }
1840
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1841 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842 {
1843 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1844 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845 }
1846
1847 /*
1848 * Make sure the message length is acceptable
1849 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1850 if( ssl->transform_in == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851 {
1852 if( ssl->in_msglen < 1 ||
1853 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1854 {
1855 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1856 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857 }
1858 }
1859 else
1860 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1861 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862 {
1863 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1864 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865 }
1866
1867 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1868 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1869 {
1870 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1871 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872 }
1873
1874 /*
1875 * TLS encrypted messages can have up to 256 bytes of padding
1876 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1877 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1878 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1879 {
1880 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1881 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882 }
1883 }
1884
1885 /*
1886 * Read and optionally decrypt the message contents
1887 */
1888 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1889 {
1890 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1891 return( ret );
1892 }
1893
1894 SSL_DEBUG_BUF( 4, "input record from network",
1895 ssl->in_hdr, 5 + ssl->in_msglen );
1896
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1897#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1898 if( ssl_hw_record_read != NULL)
1899 {
1900 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1901
1902 ret = ssl_hw_record_read( ssl );
1903 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1904 {
1905 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1906 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1907 }
1908 done = 1;
1909 }
1910#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1911 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912 {
1913 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1914 {
1915 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1916 return( ret );
1917 }
1918
1919 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1920 ssl->in_msg, ssl->in_msglen );
1921
1922 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1923 {
1924 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1925 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1926 }
1927 }
1928
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1929#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1930 if( ssl->transform_in != NULL &&
1931 ssl->session_in->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1932 {
1933 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
1934 {
1935 SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
1936 return( ret );
1937 }
1938
1939 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1940 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1941 }
1942#endif /* POLARSSL_ZLIB_SUPPORT */
1943
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1944 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1945 ssl->in_msgtype != SSL_MSG_ALERT &&
1946 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1947 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1948 {
1949 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1950
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1951 if( ( ret = ssl_send_alert_message( ssl,
1952 SSL_ALERT_LEVEL_FATAL,
1953 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1954 {
1955 return( ret );
1956 }
1957
1958 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1959 }
1960
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1961 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1962 {
1963 ssl->in_hslen = 4;
1964 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1965
1966 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1967 " %d, type = %d, hslen = %d",
1968 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1969
1970 /*
1971 * Additional checks to validate the handshake header
1972 */
1973 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1974 {
1975 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1976 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1977 }
1978
1979 if( ssl->in_msglen < ssl->in_hslen )
1980 {
1981 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1982 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1983 }
1984
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1985 if( ssl->state != SSL_HANDSHAKE_OVER )
1986 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1987 }
1988
1989 if( ssl->in_msgtype == SSL_MSG_ALERT )
1990 {
1991 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1992 ssl->in_msg[0], ssl->in_msg[1] ) );
1993
1994 /*
1995 * Ignore non-fatal alerts, except close_notify
1996 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1997 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1998 {
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1999 SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2000 ssl->in_msg[1] ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]2001 /**
2002 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
2003 * error identifier.
2004 */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2005 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2006 }
2007
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2008 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2009 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010 {
2011 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2012 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013 }
2014 }
2015
2016 ssl->in_left = 0;
2017
2018 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2019
2020 return( 0 );
2021}
2022
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2023int ssl_send_fatal_handshake_failure( ssl_context *ssl )
2024{
2025 int ret;
2026
2027 if( ( ret = ssl_send_alert_message( ssl,
2028 SSL_ALERT_LEVEL_FATAL,
2029 SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
2030 {
2031 return( ret );
2032 }
2033
2034 return( 0 );
2035}
2036
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]2037int ssl_send_alert_message( ssl_context *ssl,
2038 unsigned char level,
2039 unsigned char message )
2040{
2041 int ret;
2042
2043 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2044
2045 ssl->out_msgtype = SSL_MSG_ALERT;
2046 ssl->out_msglen = 2;
2047 ssl->out_msg[0] = level;
2048 ssl->out_msg[1] = message;
2049
2050 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2051 {
2052 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2053 return( ret );
2054 }
2055
2056 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2057
2058 return( 0 );
2059}
2060
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2061/*
2062 * Handshake functions
2063 */
2064int ssl_write_certificate( ssl_context *ssl )
2065{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2066 int ret;
2067 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2068 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2069
2070 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2071
2072 if( ssl->endpoint == SSL_IS_CLIENT )
2073 {
2074 if( ssl->client_auth == 0 )
2075 {
2076 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2077 ssl->state++;
2078 return( 0 );
2079 }
2080
2081 /*
2082 * If using SSLv3 and got no cert, send an Alert message
2083 * (otherwise an empty Certificate message will be sent).
2084 */
2085 if( ssl->own_cert == NULL &&
2086 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2087 {
2088 ssl->out_msglen = 2;
2089 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2090 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2091 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2092
2093 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2094 goto write_msg;
2095 }
2096 }
2097 else /* SSL_IS_SERVER */
2098 {
2099 if( ssl->own_cert == NULL )
2100 {
2101 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2102 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2103 }
2104 }
2105
2106 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
2107
2108 /*
2109 * 0 . 0 handshake type
2110 * 1 . 3 handshake length
2111 * 4 . 6 length of all certs
2112 * 7 . 9 length of cert. 1
2113 * 10 . n-1 peer certificate
2114 * n . n+2 length of cert. 2
2115 * n+3 . ... upper level cert, etc.
2116 */
2117 i = 7;
2118 crt = ssl->own_cert;
2119
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]2120 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2121 {
2122 n = crt->raw.len;
2123 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
2124 {
2125 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2126 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2127 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2128 }
2129
2130 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2131 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2132 ssl->out_msg[i + 2] = (unsigned char)( n );
2133
2134 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2135 i += n; crt = crt->next;
2136 }
2137
2138 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2139 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2140 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2141
2142 ssl->out_msglen = i;
2143 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2144 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2145
2146write_msg:
2147
2148 ssl->state++;
2149
2150 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2151 {
2152 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2153 return( ret );
2154 }
2155
2156 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2157
2158 return( 0 );
2159}
2160
2161int ssl_parse_certificate( ssl_context *ssl )
2162{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2163 int ret;
2164 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2165
2166 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2167
2168 if( ssl->endpoint == SSL_IS_SERVER &&
2169 ssl->authmode == SSL_VERIFY_NONE )
2170 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2171 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2172 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2173 ssl->state++;
2174 return( 0 );
2175 }
2176
2177 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2178 {
2179 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2180 return( ret );
2181 }
2182
2183 ssl->state++;
2184
2185 /*
2186 * Check if the client sent an empty certificate
2187 */
2188 if( ssl->endpoint == SSL_IS_SERVER &&
2189 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2190 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2191 if( ssl->in_msglen == 2 &&
2192 ssl->in_msgtype == SSL_MSG_ALERT &&
2193 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2194 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195 {
2196 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2197
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2198 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2199 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2200 return( 0 );
2201 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2202 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2203 }
2204 }
2205
2206 if( ssl->endpoint == SSL_IS_SERVER &&
2207 ssl->minor_ver != SSL_MINOR_VERSION_0 )
2208 {
2209 if( ssl->in_hslen == 7 &&
2210 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2211 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2212 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2213 {
2214 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2215
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2216 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2217 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2218 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2219 else
2220 return( 0 );
2221 }
2222 }
2223
2224 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2225 {
2226 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2227 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2228 }
2229
2230 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2231 {
2232 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2233 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2234 }
2235
2236 /*
2237 * Same message structure as in ssl_write_certificate()
2238 */
2239 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2240
2241 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2242 {
2243 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2244 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2245 }
2246
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2247 if( ( ssl->session_negotiate->peer_cert = (x509_cert *) malloc(
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2248 sizeof( x509_cert ) ) ) == NULL )
2249 {
2250 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2251 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2252 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2253 }
2254
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2255 memset( ssl->session_negotiate->peer_cert, 0, sizeof( x509_cert ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256
2257 i = 7;
2258
2259 while( i < ssl->in_hslen )
2260 {
2261 if( ssl->in_msg[i] != 0 )
2262 {
2263 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2264 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2265 }
2266
2267 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2268 | (unsigned int) ssl->in_msg[i + 2];
2269 i += 3;
2270
2271 if( n < 128 || i + n > ssl->in_hslen )
2272 {
2273 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2274 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2275 }
2276
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2277 ret = x509parse_crt( ssl->session_negotiate->peer_cert, ssl->in_msg + i,
2278 n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2279 if( ret != 0 )
2280 {
2281 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2282 return( ret );
2283 }
2284
2285 i += n;
2286 }
2287
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2288 SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2289
2290 if( ssl->authmode != SSL_VERIFY_NONE )
2291 {
2292 if( ssl->ca_chain == NULL )
2293 {
2294 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2295 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2296 }
2297
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2298 ret = x509parse_verify( ssl->session_negotiate->peer_cert,
2299 ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2300 ssl->peer_cn, &ssl->verify_result,
2301 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2302
2303 if( ret != 0 )
2304 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2305
2306 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2307 ret = 0;
2308 }
2309
2310 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2311
2312 return( ret );
2313}
2314
2315int ssl_write_change_cipher_spec( ssl_context *ssl )
2316{
2317 int ret;
2318
2319 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2320
2321 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2322 ssl->out_msglen = 1;
2323 ssl->out_msg[0] = 1;
2324
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2325 ssl->state++;
2326
2327 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2328 {
2329 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2330 return( ret );
2331 }
2332
2333 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2334
2335 return( 0 );
2336}
2337
2338int ssl_parse_change_cipher_spec( ssl_context *ssl )
2339{
2340 int ret;
2341
2342 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2343
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2344 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2345 {
2346 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2347 return( ret );
2348 }
2349
2350 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2351 {
2352 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2353 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2354 }
2355
2356 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2357 {
2358 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2359 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2360 }
2361
2362 ssl->state++;
2363
2364 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2365
2366 return( 0 );
2367}
2368
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2369void ssl_optimize_checksum( ssl_context *ssl, int ciphersuite )
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2370{
2371 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2372 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2373 else if ( ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
2374 ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
2375 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2376 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2377 }
2378 else
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2379 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2380}
2381
2382static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2383 size_t len )
2384{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2385 md5_update( &ssl->handshake->fin_md5 , buf, len );
2386 sha1_update( &ssl->handshake->fin_sha1, buf, len );
2387 sha2_update( &ssl->handshake->fin_sha2, buf, len );
2388 sha4_update( &ssl->handshake->fin_sha4, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2389}
2390
2391static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2392 size_t len )
2393{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2394 md5_update( &ssl->handshake->fin_md5 , buf, len );
2395 sha1_update( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2396}
2397
2398static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2399 size_t len )
2400{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2401 sha2_update( &ssl->handshake->fin_sha2, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2402}
2403
2404static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2405 size_t len )
2406{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2407 sha4_update( &ssl->handshake->fin_sha4, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2408}
2409
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2410static void ssl_calc_finished_ssl(
2411 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2412{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2413 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2414 md5_context md5;
2415 sha1_context sha1;
2416
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2417 unsigned char padbuf[48];
2418 unsigned char md5sum[16];
2419 unsigned char sha1sum[20];
2420
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2421 ssl_session *session = ssl->session_negotiate;
2422 if( !session )
2423 session = ssl->session;
2424
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2425 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2426
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2427 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2428 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2429
2430 /*
2431 * SSLv3:
2432 * hash =
2433 * MD5( master + pad2 +
2434 * MD5( handshake + sender + master + pad1 ) )
2435 * + SHA1( master + pad2 +
2436 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2437 */
2438
2439 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2440 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2441
2442 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2443 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2444
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2445 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2446 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2447
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2448 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2449
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2450 md5_update( &md5, (unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2451 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2452 md5_update( &md5, padbuf, 48 );
2453 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2454
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2455 sha1_update( &sha1, (unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2456 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2457 sha1_update( &sha1, padbuf, 40 );
2458 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2459
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2460 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2461
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2462 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2463 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2464 md5_update( &md5, padbuf, 48 );
2465 md5_update( &md5, md5sum, 16 );
2466 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2467
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2468 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2469 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2470 sha1_update( &sha1, padbuf , 40 );
2471 sha1_update( &sha1, sha1sum, 20 );
2472 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2473
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2474 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2475
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2476 memset( &md5, 0, sizeof( md5_context ) );
2477 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2478
2479 memset( padbuf, 0, sizeof( padbuf ) );
2480 memset( md5sum, 0, sizeof( md5sum ) );
2481 memset( sha1sum, 0, sizeof( sha1sum ) );
2482
2483 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2484}
2485
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2486static void ssl_calc_finished_tls(
2487 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2488{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2489 int len = 12;
2490 char *sender;
2491 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2492 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2493 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2494
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2495 ssl_session *session = ssl->session_negotiate;
2496 if( !session )
2497 session = ssl->session;
2498
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2499 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2500
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2501 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2502 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2503
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2504 /*
2505 * TLSv1:
2506 * hash = PRF( master, finished_label,
2507 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2508 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2509
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2510 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2511 md5.state, sizeof( md5.state ) );
2512
2513 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2514 sha1.state, sizeof( sha1.state ) );
2515
2516 sender = ( from == SSL_IS_CLIENT )
2517 ? (char *) "client finished"
2518 : (char *) "server finished";
2519
2520 md5_finish( &md5, padbuf );
2521 sha1_finish( &sha1, padbuf + 16 );
2522
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2523 ssl->handshake->tls_prf( session->master, 48, sender,
2524 padbuf, 36, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2525
2526 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2527
2528 memset( &md5, 0, sizeof( md5_context ) );
2529 memset( &sha1, 0, sizeof( sha1_context ) );
2530
2531 memset( padbuf, 0, sizeof( padbuf ) );
2532
2533 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2534}
2535
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2536static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2537 ssl_context *ssl, unsigned char *buf, int from )
2538{
2539 int len = 12;
2540 char *sender;
2541 sha2_context sha2;
2542 unsigned char padbuf[32];
2543
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2544 ssl_session *session = ssl->session_negotiate;
2545 if( !session )
2546 session = ssl->session;
2547
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2548 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2549
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2550 memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2551
2552 /*
2553 * TLSv1.2:
2554 * hash = PRF( master, finished_label,
2555 * Hash( handshake ) )[0.11]
2556 */
2557
2558 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2559 sha2.state, sizeof( sha2.state ) );
2560
2561 sender = ( from == SSL_IS_CLIENT )
2562 ? (char *) "client finished"
2563 : (char *) "server finished";
2564
2565 sha2_finish( &sha2, padbuf );
2566
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2567 ssl->handshake->tls_prf( session->master, 48, sender,
2568 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2569
2570 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2571
2572 memset( &sha2, 0, sizeof( sha2_context ) );
2573
2574 memset( padbuf, 0, sizeof( padbuf ) );
2575
2576 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2577}
2578
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2579static void ssl_calc_finished_tls_sha384(
2580 ssl_context *ssl, unsigned char *buf, int from )
2581{
2582 int len = 12;
2583 char *sender;
2584 sha4_context sha4;
2585 unsigned char padbuf[48];
2586
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2587 ssl_session *session = ssl->session_negotiate;
2588 if( !session )
2589 session = ssl->session;
2590
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2591 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2592
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2593 memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2594
2595 /*
2596 * TLSv1.2:
2597 * hash = PRF( master, finished_label,
2598 * Hash( handshake ) )[0.11]
2599 */
2600
2601 SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2602 sha4.state, sizeof( sha4.state ) );
2603
2604 sender = ( from == SSL_IS_CLIENT )
2605 ? (char *) "client finished"
2606 : (char *) "server finished";
2607
2608 sha4_finish( &sha4, padbuf );
2609
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2610 ssl->handshake->tls_prf( session->master, 48, sender,
2611 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2612
2613 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2614
2615 memset( &sha4, 0, sizeof( sha4_context ) );
2616
2617 memset( padbuf, 0, sizeof( padbuf ) );
2618
2619 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2620}
2621
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2622void ssl_handshake_wrapup( ssl_context *ssl )
2623{
2624 SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
2625
2626 /*
2627 * Free our handshake params
2628 */
2629 ssl_handshake_free( ssl->handshake );
2630 free( ssl->handshake );
2631 ssl->handshake = NULL;
2632
2633 /*
2634 * Switch in our now active transform context
2635 */
2636 if( ssl->transform )
2637 {
2638 ssl_transform_free( ssl->transform );
2639 free( ssl->transform );
2640 }
2641 ssl->transform = ssl->transform_negotiate;
2642 ssl->transform_negotiate = NULL;
2643
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]2644 if( ssl->session )
2645 {
2646 ssl_session_free( ssl->session );
2647 free( ssl->session );
2648 }
2649 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2650 ssl->session_negotiate = NULL;
2651
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]2652 /*
2653 * Add cache entry
2654 */
2655 if( ssl->f_set_cache != NULL )
2656 if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
2657 SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
2658
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2659 ssl->state++;
2660
2661 SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
2662}
2663
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2664int ssl_write_finished( ssl_context *ssl )
2665{
2666 int ret, hash_len;
2667
2668 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2669
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2670 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2671
2672 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2673 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2674
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2675 ssl->verify_data_len = hash_len;
2676 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
2677
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2678 ssl->out_msglen = 4 + hash_len;
2679 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2680 ssl->out_msg[0] = SSL_HS_FINISHED;
2681
2682 /*
2683 * In case of session resuming, invert the client and server
2684 * ChangeCipherSpec messages order.
2685 */
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]2686 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2687 {
2688 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2689 ssl->state = SSL_HANDSHAKE_WRAPUP;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2690 else
2691 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2692 }
2693 else
2694 ssl->state++;
2695
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2696 /*
2697 * Switch to our negotiated transform and session parameters for outbound data.
2698 */
2699 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
2700 ssl->transform_out = ssl->transform_negotiate;
2701 ssl->session_out = ssl->session_negotiate;
2702 memset( ssl->out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2703
2704 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2705 {
2706 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2707 return( ret );
2708 }
2709
2710 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2711
2712 return( 0 );
2713}
2714
2715int ssl_parse_finished( ssl_context *ssl )
2716{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2717 int ret;
2718 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2719 unsigned char buf[36];
2720
2721 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2722
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2723 ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2724
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2725 /*
2726 * Switch to our negotiated transform and session parameters for inbound data.
2727 */
2728 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
2729 ssl->transform_in = ssl->transform_negotiate;
2730 ssl->session_in = ssl->session_negotiate;
2731 memset( ssl->in_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2732
2733 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2734 {
2735 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2736 return( ret );
2737 }
2738
2739 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2740 {
2741 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2742 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2743 }
2744
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2745 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2746 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2747
2748 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2749 ssl->in_hslen != 4 + hash_len )
2750 {
2751 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2752 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2753 }
2754
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2755 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2756 {
2757 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2758 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2759 }
2760
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2761 ssl->verify_data_len = hash_len;
2762 memcpy( ssl->peer_verify_data, buf, hash_len );
2763
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]2764 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2765 {
2766 if( ssl->endpoint == SSL_IS_CLIENT )
2767 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2768
2769 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2770 ssl->state = SSL_HANDSHAKE_WRAPUP;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2771 }
2772 else
2773 ssl->state++;
2774
2775 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2776
2777 return( 0 );
2778}
2779
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2780int ssl_handshake_init( ssl_context *ssl )
2781{
2782 if( ssl->transform_negotiate )
2783 ssl_transform_free( ssl->transform_negotiate );
2784 else
2785 ssl->transform_negotiate = malloc( sizeof(ssl_transform) );
2786
2787 if( ssl->session_negotiate )
2788 ssl_session_free( ssl->session_negotiate );
2789 else
2790 ssl->session_negotiate = malloc( sizeof(ssl_session) );
2791
2792 if( ssl->handshake )
2793 ssl_handshake_free( ssl->handshake );
2794 else
2795 ssl->handshake = malloc( sizeof(ssl_handshake_params) );
2796
2797 if( ssl->handshake == NULL ||
2798 ssl->transform_negotiate == NULL ||
2799 ssl->session_negotiate == NULL )
2800 {
2801 SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
2802 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2803 }
2804
2805 memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
2806 memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
2807 memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
2808
2809 md5_starts( &ssl->handshake->fin_md5 );
2810 sha1_starts( &ssl->handshake->fin_sha1 );
2811 sha2_starts( &ssl->handshake->fin_sha2, 0 );
2812 sha4_starts( &ssl->handshake->fin_sha4, 1 );
2813
2814 ssl->handshake->update_checksum = ssl_update_checksum_start;
2815
2816 return( 0 );
2817}
2818
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2819/*
2820 * Initialize an SSL context
2821 */
2822int ssl_init( ssl_context *ssl )
2823{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2824 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2825 int len = SSL_BUFFER_LEN;
2826
2827 memset( ssl, 0, sizeof( ssl_context ) );
2828
2829 ssl->in_ctr = (unsigned char *) malloc( len );
2830 ssl->in_hdr = ssl->in_ctr + 8;
2831 ssl->in_msg = ssl->in_ctr + 13;
2832
2833 if( ssl->in_ctr == NULL )
2834 {
2835 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2836 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2837 }
2838
2839 ssl->out_ctr = (unsigned char *) malloc( len );
2840 ssl->out_hdr = ssl->out_ctr + 8;
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]2841 ssl->out_msg = ssl->out_ctr + 40;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2842
2843 if( ssl->out_ctr == NULL )
2844 {
2845 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2846 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2847 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2848 }
2849
2850 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2851 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2852
2853 ssl->hostname = NULL;
2854 ssl->hostname_len = 0;
2855
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2856 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
2857 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2858
2859 return( 0 );
2860}
2861
2862/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2863 * Reset an initialized and used SSL context for re-use while retaining
2864 * all application-set variables, function pointers and data.
2865 */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2866int ssl_session_reset( ssl_context *ssl )
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2867{
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2868 int ret;
2869
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2870 ssl->state = SSL_HELLO_REQUEST;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2871 ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
2872 ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
2873
2874 ssl->verify_data_len = 0;
2875 memset( ssl->own_verify_data, 0, 36 );
2876 memset( ssl->peer_verify_data, 0, 36 );
2877
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2878 ssl->in_offt = NULL;
2879
2880 ssl->in_msgtype = 0;
2881 ssl->in_msglen = 0;
2882 ssl->in_left = 0;
2883
2884 ssl->in_hslen = 0;
2885 ssl->nb_zero = 0;
2886
2887 ssl->out_msgtype = 0;
2888 ssl->out_msglen = 0;
2889 ssl->out_left = 0;
2890
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2891 ssl->transform_in = NULL;
2892 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2893
2894 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2895 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2896
2897#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2898 if( ssl_hw_record_reset != NULL)
2899 {
2900 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2901 if( ssl_hw_record_reset( ssl ) != 0 )
2902 {
2903 SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
2904 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2905 }
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2906 }
2907#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2908
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2909 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2910 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2911 ssl_transform_free( ssl->transform );
2912 free( ssl->transform );
2913 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2914 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2915
2916 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
2917 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2918
2919 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2920}
2921
2922/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2923 * SSL set accessors
2924 */
2925void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2926{
2927 ssl->endpoint = endpoint;
2928}
2929
2930void ssl_set_authmode( ssl_context *ssl, int authmode )
2931{
2932 ssl->authmode = authmode;
2933}
2934
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2935void ssl_set_verify( ssl_context *ssl,
2936 int (*f_vrfy)(void *, x509_cert *, int, int),
2937 void *p_vrfy )
2938{
2939 ssl->f_vrfy = f_vrfy;
2940 ssl->p_vrfy = p_vrfy;
2941}
2942
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2943void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2944 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2945 void *p_rng )
2946{
2947 ssl->f_rng = f_rng;
2948 ssl->p_rng = p_rng;
2949}
2950
2951void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2952 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2953 void *p_dbg )
2954{
2955 ssl->f_dbg = f_dbg;
2956 ssl->p_dbg = p_dbg;
2957}
2958
2959void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2960 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2961 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2962{
2963 ssl->f_recv = f_recv;
2964 ssl->f_send = f_send;
2965 ssl->p_recv = p_recv;
2966 ssl->p_send = p_send;
2967}
2968
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]2969void ssl_set_session_cache( ssl_context *ssl,
2970 int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
2971 int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2972{
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]2973 ssl->f_get_cache = f_get_cache;
2974 ssl->p_get_cache = p_get_cache;
2975 ssl->f_set_cache = f_set_cache;
2976 ssl->p_set_cache = p_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2977}
2978
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]2979void ssl_set_session( ssl_context *ssl, const ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2980{
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]2981 memcpy( ssl->session_negotiate, session, sizeof(ssl_session) );
2982 ssl->handshake->resume = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2983}
2984
Paul Bakkerb68cad62012-08-23 08:34:18 +0000[diff] [blame]2985void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2986{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2987 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2988}
2989
2990void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2991 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2992{
2993 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2994 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2995 ssl->peer_cn = peer_cn;
2996}
2997
2998void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2999 rsa_context *rsa_key )
3000{
3001 ssl->own_cert = own_cert;
3002 ssl->rsa_key = rsa_key;
3003}
3004
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]3005#if defined(POLARSSL_PKCS11_C)
3006void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
3007 pkcs11_context *pkcs11_key )
3008{
3009 ssl->own_cert = own_cert;
3010 ssl->pkcs11_key = pkcs11_key;
3011}
3012#endif
3013
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3014#if defined(POLARSSL_DHM_C)
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3015int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3016{
3017 int ret;
3018
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3019 if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3020 {
3021 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3022 return( ret );
3023 }
3024
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3025 if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3026 {
3027 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3028 return( ret );
3029 }
3030
3031 return( 0 );
3032}
3033
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]3034int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3035{
3036 int ret;
3037
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3038 if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]3039 {
3040 SSL_DEBUG_RET( 1, "mpi_copy", ret );
3041 return( ret );
3042 }
3043
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3044 if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]3045 {
3046 SSL_DEBUG_RET( 1, "mpi_copy", ret );
3047 return( ret );
3048 }
3049
3050 return( 0 );
3051}
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3052#endif /* POLARSSL_DHM_C */
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]3053
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3054int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3055{
3056 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3057 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3058
3059 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3060 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3061
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]3062 if( ssl->hostname == NULL )
3063 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3064
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3065 memcpy( ssl->hostname, (unsigned char *) hostname,
3066 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3067
3068 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3069
3070 return( 0 );
3071}
3072
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]3073void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3074{
3075 ssl->max_major_ver = major;
3076 ssl->max_minor_ver = minor;
3077}
3078
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3079void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3080{
3081 ssl->disable_renegotiation = renegotiation;
3082}
3083
3084void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3085{
3086 ssl->allow_legacy_renegotiation = allow_legacy;
3087}
3088
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3089/*
3090 * SSL get accessors
3091 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3092size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3093{
3094 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3095}
3096
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3097int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3098{
3099 return( ssl->verify_result );
3100}
3101
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3102const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3103{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3104 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3105 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3106#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3107 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3108 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3109
3110 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3111 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3112#endif
3113
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3114#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3115 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3116 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3117
3118 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3119 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3120#endif
3121
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3122#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3123 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3124 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3125
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]3126 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3127 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]3128
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3129 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3130 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3131
3132 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3133 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3134
3135#if defined(POLARSSL_SHA2_C)
3136 case SSL_RSA_AES_128_SHA256:
3137 return( "SSL-RSA-AES-128-SHA256" );
3138
3139 case SSL_EDH_RSA_AES_128_SHA256:
3140 return( "SSL-EDH-RSA-AES-128-SHA256" );
3141
3142 case SSL_RSA_AES_256_SHA256:
3143 return( "SSL-RSA-AES-256-SHA256" );
3144
3145 case SSL_EDH_RSA_AES_256_SHA256:
3146 return( "SSL-EDH-RSA-AES-256-SHA256" );
3147#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3148
3149#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3150 case SSL_RSA_AES_128_GCM_SHA256:
3151 return( "SSL-RSA-AES-128-GCM-SHA256" );
3152
3153 case SSL_EDH_RSA_AES_128_GCM_SHA256:
3154 return( "SSL-EDH-RSA-AES-128-GCM-SHA256" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3155#endif
3156
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3157#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3158 case SSL_RSA_AES_256_GCM_SHA384:
3159 return( "SSL-RSA-AES-256-GCM-SHA384" );
3160
3161 case SSL_EDH_RSA_AES_256_GCM_SHA384:
3162 return( "SSL-EDH-RSA-AES-256-GCM-SHA384" );
3163#endif
3164#endif /* POLARSSL_AES_C */
3165
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3166#if defined(POLARSSL_CAMELLIA_C)
3167 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3168 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3169
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]3170 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3171 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]3172
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3173 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3174 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3175
3176 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3177 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3178
3179#if defined(POLARSSL_SHA2_C)
3180 case SSL_RSA_CAMELLIA_128_SHA256:
3181 return( "SSL-RSA-CAMELLIA-128-SHA256" );
3182
3183 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
3184 return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
3185
3186 case SSL_RSA_CAMELLIA_256_SHA256:
3187 return( "SSL-RSA-CAMELLIA-256-SHA256" );
3188
3189 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
3190 return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
3191#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3192#endif
3193
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]3194#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3195#if defined(POLARSSL_CIPHER_NULL_CIPHER)
3196 case SSL_RSA_NULL_MD5:
3197 return( "SSL-RSA-NULL-MD5" );
3198 case SSL_RSA_NULL_SHA:
3199 return( "SSL-RSA-NULL-SHA" );
3200 case SSL_RSA_NULL_SHA256:
3201 return( "SSL-RSA-NULL-SHA256" );
3202#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3203
3204#if defined(POLARSSL_DES_C)
3205 case SSL_RSA_DES_SHA:
3206 return( "SSL-RSA-DES-SHA" );
3207 case SSL_EDH_RSA_DES_SHA:
3208 return( "SSL-EDH-RSA-DES-SHA" );
3209#endif
3210#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3211
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3212 default:
3213 break;
3214 }
3215
3216 return( "unknown" );
3217}
3218
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3219int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3220{
3221#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3222 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3223 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3224 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3225 return( SSL_RSA_RC4_128_SHA );
3226#endif
3227
3228#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3229 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3230 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3231 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3232 return( SSL_EDH_RSA_DES_168_SHA );
3233#endif
3234
3235#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3236 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3237 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3238 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3239 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3240 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3241 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3242 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3243 return( SSL_EDH_RSA_AES_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3244
3245#if defined(POLARSSL_SHA2_C)
3246 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
3247 return( SSL_RSA_AES_128_SHA256 );
3248 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
3249 return( SSL_EDH_RSA_AES_128_SHA256 );
3250 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
3251 return( SSL_RSA_AES_256_SHA256 );
3252 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
3253 return( SSL_EDH_RSA_AES_256_SHA256 );
3254#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3255
3256#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3257 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-GCM-SHA256"))
3258 return( SSL_RSA_AES_128_GCM_SHA256 );
3259 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-GCM-SHA256"))
3260 return( SSL_EDH_RSA_AES_128_GCM_SHA256 );
3261#endif
3262
3263#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3264 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-GCM-SHA384"))
3265 return( SSL_RSA_AES_256_GCM_SHA384 );
3266 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-GCM-SHA384"))
3267 return( SSL_EDH_RSA_AES_256_GCM_SHA384 );
3268#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3269#endif
3270
3271#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3272 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3273 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3274 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3275 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3276 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3277 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3278 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3279 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3280
3281#if defined(POLARSSL_SHA2_C)
3282 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
3283 return( SSL_RSA_CAMELLIA_128_SHA256 );
3284 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
3285 return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
3286 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
3287 return( SSL_RSA_CAMELLIA_256_SHA256 );
3288 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
3289 return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
3290#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3291#endif
3292
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]3293#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3294#if defined(POLARSSL_CIPHER_NULL_CIPHER)
3295 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
3296 return( SSL_RSA_NULL_MD5 );
3297 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
3298 return( SSL_RSA_NULL_SHA );
3299 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
3300 return( SSL_RSA_NULL_SHA256 );
3301#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3302
3303#if defined(POLARSSL_DES_C)
3304 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
3305 return( SSL_RSA_DES_SHA );
3306 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
3307 return( SSL_EDH_RSA_DES_SHA );
3308#endif
3309#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3310
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3311 return( 0 );
3312}
3313
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3314const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3315{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3316 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3317}
3318
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]3319const char *ssl_get_version( const ssl_context *ssl )
3320{
3321 switch( ssl->minor_ver )
3322 {
3323 case SSL_MINOR_VERSION_0:
3324 return( "SSLv3.0" );
3325
3326 case SSL_MINOR_VERSION_1:
3327 return( "TLSv1.0" );
3328
3329 case SSL_MINOR_VERSION_2:
3330 return( "TLSv1.1" );
3331
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3332 case SSL_MINOR_VERSION_3:
3333 return( "TLSv1.2" );
3334
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]3335 default:
3336 break;
3337 }
3338 return( "unknown" );
3339}
3340
Paul Bakkerb68cad62012-08-23 08:34:18 +0000[diff] [blame]3341const int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3342{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3343#if defined(POLARSSL_DHM_C)
3344#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3345#if defined(POLARSSL_SHA2_C)
3346 SSL_EDH_RSA_AES_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3347#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3348#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3349 SSL_EDH_RSA_AES_256_GCM_SHA384,
3350#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3351 SSL_EDH_RSA_AES_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3352#if defined(POLARSSL_SHA2_C)
3353 SSL_EDH_RSA_AES_128_SHA256,
3354#endif
3355#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3356 SSL_EDH_RSA_AES_128_GCM_SHA256,
3357#endif
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3358 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3359#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3360#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3361#if defined(POLARSSL_SHA2_C)
3362 SSL_EDH_RSA_CAMELLIA_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3363#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3364 SSL_EDH_RSA_CAMELLIA_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3365#if defined(POLARSSL_SHA2_C)
3366 SSL_EDH_RSA_CAMELLIA_128_SHA256,
3367#endif /* POLARSSL_SHA2_C */
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3368 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3369#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3370#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3371 SSL_EDH_RSA_DES_168_SHA,
3372#endif
3373#endif
3374
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3375#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3376#if defined(POLARSSL_SHA2_C)
3377 SSL_RSA_AES_256_SHA256,
3378#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3379#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3380 SSL_RSA_AES_256_GCM_SHA384,
3381#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3382 SSL_RSA_AES_256_SHA,
3383#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3384#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3385#if defined(POLARSSL_SHA2_C)
3386 SSL_RSA_CAMELLIA_256_SHA256,
3387#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3388 SSL_RSA_CAMELLIA_256_SHA,
3389#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3390#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3391#if defined(POLARSSL_SHA2_C)
3392 SSL_RSA_AES_128_SHA256,
3393#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3394#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3395 SSL_RSA_AES_128_GCM_SHA256,
3396#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3397 SSL_RSA_AES_128_SHA,
3398#endif
3399#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3400#if defined(POLARSSL_SHA2_C)
3401 SSL_RSA_CAMELLIA_128_SHA256,
3402#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3403 SSL_RSA_CAMELLIA_128_SHA,
3404#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3405#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3406 SSL_RSA_DES_168_SHA,
3407#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3408#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3409 SSL_RSA_RC4_128_SHA,
3410 SSL_RSA_RC4_128_MD5,
3411#endif
3412 0
3413};
3414
3415/*
3416 * Perform the SSL handshake
3417 */
3418int ssl_handshake( ssl_context *ssl )
3419{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3420 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3421
3422 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3423
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3424#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3425 if( ssl->endpoint == SSL_IS_CLIENT )
3426 ret = ssl_handshake_client( ssl );
3427#endif
3428
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3429#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3430 if( ssl->endpoint == SSL_IS_SERVER )
3431 ret = ssl_handshake_server( ssl );
3432#endif
3433
3434 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3435
3436 return( ret );
3437}
3438
3439/*
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3440 * Renegotiate current connection
3441 */
3442int ssl_renegotiate( ssl_context *ssl )
3443{
3444 int ret;
3445
3446 SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
3447
3448 if( ssl->state != SSL_HANDSHAKE_OVER )
3449 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3450
3451 ssl->state = SSL_HELLO_REQUEST;
3452 ssl->renegotiation = SSL_RENEGOTIATION;
3453
3454 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3455 return( ret );
3456
3457 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3458 {
3459 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3460 return( ret );
3461 }
3462
3463 SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
3464
3465 return( 0 );
3466}
3467
3468/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3469 * Receive application data decrypted from the SSL layer
3470 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3471int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3472{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3473 int ret;
3474 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3475
3476 SSL_DEBUG_MSG( 2, ( "=> read" ) );
3477
3478 if( ssl->state != SSL_HANDSHAKE_OVER )
3479 {
3480 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3481 {
3482 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3483 return( ret );
3484 }
3485 }
3486
3487 if( ssl->in_offt == NULL )
3488 {
3489 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3490 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3491 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3492 return( 0 );
3493
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3494 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3495 return( ret );
3496 }
3497
3498 if( ssl->in_msglen == 0 &&
3499 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3500 {
3501 /*
3502 * OpenSSL sends empty messages to randomize the IV
3503 */
3504 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3505 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3506 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3507 return( 0 );
3508
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3509 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3510 return( ret );
3511 }
3512 }
3513
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3514 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
3515 {
3516 SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
3517
3518 if( ssl->endpoint == SSL_IS_CLIENT &&
3519 ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
3520 ssl->in_hslen != 4 ) )
3521 {
3522 SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
3523 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
3524 }
3525
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]3526 if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
3527 ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
3528 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3529 {
3530 SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
3531
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]3532 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3533 {
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]3534 /*
3535 * SSLv3 does not have a "no_renegotiation" alert
3536 */
3537 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
3538 return( ret );
3539 }
3540 else
3541 {
3542 if( ( ret = ssl_send_alert_message( ssl,
3543 SSL_ALERT_LEVEL_WARNING,
3544 SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
3545 {
3546 return( ret );
3547 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3548 }
3549 }
3550 else
3551 {
3552 if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
3553 {
3554 SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
3555 return( ret );
3556 }
3557
3558 return( POLARSSL_ERR_NET_WANT_READ );
3559 }
3560 }
3561 else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3562 {
3563 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3564 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3565 }
3566
3567 ssl->in_offt = ssl->in_msg;
3568 }
3569
3570 n = ( len < ssl->in_msglen )
3571 ? len : ssl->in_msglen;
3572
3573 memcpy( buf, ssl->in_offt, n );
3574 ssl->in_msglen -= n;
3575
3576 if( ssl->in_msglen == 0 )
3577 /* all bytes consumed */
3578 ssl->in_offt = NULL;
3579 else
3580 /* more data available */
3581 ssl->in_offt += n;
3582
3583 SSL_DEBUG_MSG( 2, ( "<= read" ) );
3584
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3585 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3586}
3587
3588/*
3589 * Send application data to be encrypted by the SSL layer
3590 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3591int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3592{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3593 int ret;
3594 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3595
3596 SSL_DEBUG_MSG( 2, ( "=> write" ) );
3597
3598 if( ssl->state != SSL_HANDSHAKE_OVER )
3599 {
3600 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3601 {
3602 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3603 return( ret );
3604 }
3605 }
3606
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3607 n = ( len < SSL_MAX_CONTENT_LEN )
3608 ? len : SSL_MAX_CONTENT_LEN;
3609
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3610 if( ssl->out_left != 0 )
3611 {
3612 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3613 {
3614 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3615 return( ret );
3616 }
3617 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3618 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]3619 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3620 ssl->out_msglen = n;
3621 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3622 memcpy( ssl->out_msg, buf, n );
3623
3624 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3625 {
3626 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3627 return( ret );
3628 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3629 }
3630
3631 SSL_DEBUG_MSG( 2, ( "<= write" ) );
3632
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3633 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3634}
3635
3636/*
3637 * Notify the peer that the connection is being closed
3638 */
3639int ssl_close_notify( ssl_context *ssl )
3640{
3641 int ret;
3642
3643 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3644
3645 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3646 {
3647 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3648 return( ret );
3649 }
3650
3651 if( ssl->state == SSL_HANDSHAKE_OVER )
3652 {
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3653 if( ( ret = ssl_send_alert_message( ssl,
3654 SSL_ALERT_LEVEL_WARNING,
3655 SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3656 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3657 return( ret );
3658 }
3659 }
3660
3661 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3662
3663 return( ret );
3664}
3665
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3666void ssl_transform_free( ssl_transform *transform )
3667{
3668#if defined(POLARSSL_ZLIB_SUPPORT)
3669 deflateEnd( &transform->ctx_deflate );
3670 inflateEnd( &transform->ctx_inflate );
3671#endif
3672
3673 memset( transform, 0, sizeof( ssl_transform ) );
3674}
3675
3676void ssl_handshake_free( ssl_handshake_params *handshake )
3677{
3678#if defined(POLARSSL_DHM_C)
3679 dhm_free( &handshake->dhm_ctx );
3680#endif
3681 memset( handshake, 0, sizeof( ssl_handshake_params ) );
3682}
3683
3684void ssl_session_free( ssl_session *session )
3685{
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]3686 if( session->peer_cert != NULL )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3687 {
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]3688 x509_free( session->peer_cert );
3689 free( session->peer_cert );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3690 }
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame^]3691
3692 memset( session, 0, sizeof( ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3693}
3694
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3695/*
3696 * Free an SSL context
3697 */
3698void ssl_free( ssl_context *ssl )
3699{
3700 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3701
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3702 if( ssl->out_ctr != NULL )
3703 {
3704 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3705 free( ssl->out_ctr );
3706 }
3707
3708 if( ssl->in_ctr != NULL )
3709 {
3710 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3711 free( ssl->in_ctr );
3712 }
3713
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3714#if defined(POLARSSL_DHM_C)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3715 mpi_free( &ssl->dhm_P );
3716 mpi_free( &ssl->dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3717#endif
3718
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3719 if( ssl->transform )
3720 {
3721 ssl_transform_free( ssl->transform );
3722 free( ssl->transform );
3723 }
3724
3725 if( ssl->handshake )
3726 {
3727 ssl_handshake_free( ssl->handshake );
3728 ssl_transform_free( ssl->transform_negotiate );
3729 ssl_session_free( ssl->session_negotiate );
3730
3731 free( ssl->handshake );
3732 free( ssl->transform_negotiate );
3733 free( ssl->session_negotiate );
3734 }
3735
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3736 if ( ssl->hostname != NULL)
3737 {
3738 memset( ssl->hostname, 0, ssl->hostname_len );
3739 free( ssl->hostname );
3740 ssl->hostname_len = 0;
3741 }
3742
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3743#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3744 if( ssl_hw_record_finish != NULL )
3745 {
3746 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3747 ssl_hw_record_finish( ssl );
3748 }
3749#endif
3750
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3751 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]3752
3753 /* Actually free after last debug message */
3754 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3755}
3756
3757#endif