TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0a9251870ac0b902bc8ece6c1111c2802855346e / . / library / ssl_tls.c
blob: 98a2187a96b177395a9174652e9b67df20cfcaab [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46#include <stdlib.h>
47#include <time.h>
48
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]49#if defined _MSC_VER && !defined strcasecmp
50#define strcasecmp _stricmp
51#endif
52
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53/*
54 * Key material generation
55 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]56static int tls1_prf( unsigned char *secret, size_t slen, char *label,
57 unsigned char *random, size_t rlen,
58 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]59{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]60 size_t nb, hs;
61 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62 unsigned char *S1, *S2;
63 unsigned char tmp[128];
64 unsigned char h_i[20];
65
66 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]67 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68
69 hs = ( slen + 1 ) / 2;
70 S1 = secret;
71 S2 = secret + slen - hs;
72
73 nb = strlen( label );
74 memcpy( tmp + 20, label, nb );
75 memcpy( tmp + 20 + nb, random, rlen );
76 nb += rlen;
77
78 /*
79 * First compute P_md5(secret,label+random)[0..dlen]
80 */
81 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
82
83 for( i = 0; i < dlen; i += 16 )
84 {
85 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
86 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
87
88 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
89
90 for( j = 0; j < k; j++ )
91 dstbuf[i + j] = h_i[j];
92 }
93
94 /*
95 * XOR out with P_sha1(secret,label+random)[0..dlen]
96 */
97 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
98
99 for( i = 0; i < dlen; i += 20 )
100 {
101 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
102 sha1_hmac( S2, hs, tmp, 20, tmp );
103
104 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
105
106 for( j = 0; j < k; j++ )
107 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
108 }
109
110 memset( tmp, 0, sizeof( tmp ) );
111 memset( h_i, 0, sizeof( h_i ) );
112
113 return( 0 );
114}
115
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]116static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
117 unsigned char *random, size_t rlen,
118 unsigned char *dstbuf, size_t dlen )
119{
120 size_t nb;
121 size_t i, j, k;
122 unsigned char tmp[128];
123 unsigned char h_i[32];
124
125 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
126 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
127
128 nb = strlen( label );
129 memcpy( tmp + 32, label, nb );
130 memcpy( tmp + 32 + nb, random, rlen );
131 nb += rlen;
132
133 /*
134 * Compute P_<hash>(secret, label + random)[0..dlen]
135 */
136 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
137
138 for( i = 0; i < dlen; i += 32 )
139 {
140 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
141 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
142
143 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
144
145 for( j = 0; j < k; j++ )
146 dstbuf[i + j] = h_i[j];
147 }
148
149 memset( tmp, 0, sizeof( tmp ) );
150 memset( h_i, 0, sizeof( h_i ) );
151
152 return( 0 );
153}
154
155static void ssl_calc_finished_ssl (ssl_context *,unsigned char *,int);
156static void ssl_calc_finished_tls (ssl_context *,unsigned char *,int);
157static void ssl_calc_finished_tls1_2(ssl_context *,unsigned char *,int);
158
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]159int ssl_derive_keys( ssl_context *ssl )
160{
161 int i;
162 md5_context md5;
163 sha1_context sha1;
164 unsigned char tmp[64];
165 unsigned char padding[16];
166 unsigned char sha1sum[20];
167 unsigned char keyblk[256];
168 unsigned char *key1;
169 unsigned char *key2;
170
171 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
172
173 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]174 * Set appropriate PRF function.
175 */
176 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
177 ssl->tls_prf = tls1_prf;
178 else
179 ssl->tls_prf = tls_prf_sha256;
180
181 /*
182 * Set appropriate SSL / TLS / TLS1.2 functions
183 */
184 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
185 ssl->calc_finished = ssl_calc_finished_ssl;
186 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
187 ssl->calc_finished = ssl_calc_finished_tls;
188 else
189 ssl->calc_finished = ssl_calc_finished_tls1_2;
190
191 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]192 * SSLv3:
193 * master =
194 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
195 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
196 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
197 *
198 * TLSv1:
199 * master = PRF( premaster, "master secret", randbytes )[0..47]
200 */
201 if( ssl->resume == 0 )
202 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]203 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204
205 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
206
207 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
208 {
209 for( i = 0; i < 3; i++ )
210 {
211 memset( padding, 'A' + i, 1 + i );
212
213 sha1_starts( &sha1 );
214 sha1_update( &sha1, padding, 1 + i );
215 sha1_update( &sha1, ssl->premaster, len );
216 sha1_update( &sha1, ssl->randbytes, 64 );
217 sha1_finish( &sha1, sha1sum );
218
219 md5_starts( &md5 );
220 md5_update( &md5, ssl->premaster, len );
221 md5_update( &md5, sha1sum, 20 );
222 md5_finish( &md5, ssl->session->master + i * 16 );
223 }
224 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]225 else
226 ssl->tls_prf( ssl->premaster, len, "master secret",
227 ssl->randbytes, 64, ssl->session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]228
229 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
230 }
231 else
232 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
233
234 /*
235 * Swap the client and server random values.
236 */
237 memcpy( tmp, ssl->randbytes, 64 );
238 memcpy( ssl->randbytes, tmp + 32, 32 );
239 memcpy( ssl->randbytes + 32, tmp, 32 );
240 memset( tmp, 0, sizeof( tmp ) );
241
242 /*
243 * SSLv3:
244 * key block =
245 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
246 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
247 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
248 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
249 * ...
250 *
251 * TLSv1:
252 * key block = PRF( master, "key expansion", randbytes )
253 */
254 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
255 {
256 for( i = 0; i < 16; i++ )
257 {
258 memset( padding, 'A' + i, 1 + i );
259
260 sha1_starts( &sha1 );
261 sha1_update( &sha1, padding, 1 + i );
262 sha1_update( &sha1, ssl->session->master, 48 );
263 sha1_update( &sha1, ssl->randbytes, 64 );
264 sha1_finish( &sha1, sha1sum );
265
266 md5_starts( &md5 );
267 md5_update( &md5, ssl->session->master, 48 );
268 md5_update( &md5, sha1sum, 20 );
269 md5_finish( &md5, keyblk + i * 16 );
270 }
271
272 memset( &md5, 0, sizeof( md5 ) );
273 memset( &sha1, 0, sizeof( sha1 ) );
274
275 memset( padding, 0, sizeof( padding ) );
276 memset( sha1sum, 0, sizeof( sha1sum ) );
277 }
278 else
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]279 ssl->tls_prf( ssl->session->master, 48, "key expansion",
280 ssl->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]282 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]283 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
284 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
285 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
286
287 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
288
289 /*
290 * Determine the appropriate key, IV and MAC length.
291 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]292 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]293 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]294#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]295 case SSL_RSA_RC4_128_MD5:
296 ssl->keylen = 16; ssl->minlen = 16;
297 ssl->ivlen = 0; ssl->maclen = 16;
298 break;
299
300 case SSL_RSA_RC4_128_SHA:
301 ssl->keylen = 16; ssl->minlen = 20;
302 ssl->ivlen = 0; ssl->maclen = 20;
303 break;
304#endif
305
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]306#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]307 case SSL_RSA_DES_168_SHA:
308 case SSL_EDH_RSA_DES_168_SHA:
309 ssl->keylen = 24; ssl->minlen = 24;
310 ssl->ivlen = 8; ssl->maclen = 20;
311 break;
312#endif
313
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]314#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]316 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317 ssl->keylen = 16; ssl->minlen = 32;
318 ssl->ivlen = 16; ssl->maclen = 20;
319 break;
320
321 case SSL_RSA_AES_256_SHA:
322 case SSL_EDH_RSA_AES_256_SHA:
323 ssl->keylen = 32; ssl->minlen = 32;
324 ssl->ivlen = 16; ssl->maclen = 20;
325 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]326
327#if defined(POLARSSL_SHA2_C)
328 case SSL_RSA_AES_128_SHA256:
329 case SSL_EDH_RSA_AES_128_SHA256:
330 ssl->keylen = 16; ssl->minlen = 32;
331 ssl->ivlen = 16; ssl->maclen = 32;
332 break;
333
334 case SSL_RSA_AES_256_SHA256:
335 case SSL_EDH_RSA_AES_256_SHA256:
336 ssl->keylen = 32; ssl->minlen = 32;
337 ssl->ivlen = 16; ssl->maclen = 32;
338 break;
339#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#endif
341
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]342#if defined(POLARSSL_CAMELLIA_C)
343 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]344 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]345 ssl->keylen = 16; ssl->minlen = 32;
346 ssl->ivlen = 16; ssl->maclen = 20;
347 break;
348
349 case SSL_RSA_CAMELLIA_256_SHA:
350 case SSL_EDH_RSA_CAMELLIA_256_SHA:
351 ssl->keylen = 32; ssl->minlen = 32;
352 ssl->ivlen = 16; ssl->maclen = 20;
353 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]354
355#if defined(POLARSSL_SHA2_C)
356 case SSL_RSA_CAMELLIA_128_SHA256:
357 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
358 ssl->keylen = 16; ssl->minlen = 32;
359 ssl->ivlen = 16; ssl->maclen = 32;
360 break;
361
362 case SSL_RSA_CAMELLIA_256_SHA256:
363 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
364 ssl->keylen = 32; ssl->minlen = 32;
365 ssl->ivlen = 16; ssl->maclen = 32;
366 break;
367#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]368#endif
369
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]370#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
371#if defined(POLARSSL_CIPHER_NULL_CIPHER)
372 case SSL_RSA_NULL_MD5:
373 ssl->keylen = 0; ssl->minlen = 0;
374 ssl->ivlen = 0; ssl->maclen = 16;
375 break;
376
377 case SSL_RSA_NULL_SHA:
378 ssl->keylen = 0; ssl->minlen = 0;
379 ssl->ivlen = 0; ssl->maclen = 20;
380 break;
381
382 case SSL_RSA_NULL_SHA256:
383 ssl->keylen = 0; ssl->minlen = 0;
384 ssl->ivlen = 0; ssl->maclen = 32;
385 break;
386#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
387
388#if defined(POLARSSL_DES_C)
389 case SSL_RSA_DES_SHA:
390 case SSL_EDH_RSA_DES_SHA:
391 ssl->keylen = 8; ssl->minlen = 8;
392 ssl->ivlen = 8; ssl->maclen = 20;
393 break;
394#endif
395#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
396
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]398 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
399 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]400 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401 }
402
403 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
404 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
405
406 /*
407 * Finally setup the cipher contexts, IVs and MAC secrets.
408 */
409 if( ssl->endpoint == SSL_IS_CLIENT )
410 {
411 key1 = keyblk + ssl->maclen * 2;
412 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
413
414 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
415 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
416
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]417 /*
418 * This is not used in TLS v1.1.
419 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]420 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
421 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
422 ssl->ivlen );
423 }
424 else
425 {
426 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
427 key2 = keyblk + ssl->maclen * 2;
428
429 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
430 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
431
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]432 /*
433 * This is not used in TLS v1.1.
434 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]435 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
436 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
437 ssl->ivlen );
438 }
439
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]440 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]441 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]442#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 case SSL_RSA_RC4_128_MD5:
444 case SSL_RSA_RC4_128_SHA:
445 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
446 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
447 break;
448#endif
449
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]450#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 case SSL_RSA_DES_168_SHA:
452 case SSL_EDH_RSA_DES_168_SHA:
453 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
454 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
455 break;
456#endif
457
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]458#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]460 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]461#if defined(POLARSSL_SHA2_C)
462 case SSL_RSA_AES_128_SHA256:
463 case SSL_EDH_RSA_AES_128_SHA256:
464#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
466 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
467 break;
468
469 case SSL_RSA_AES_256_SHA:
470 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]471#if defined(POLARSSL_SHA2_C)
472 case SSL_RSA_AES_256_SHA256:
473 case SSL_EDH_RSA_AES_256_SHA256:
474#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
476 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
477 break;
478#endif
479
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]480#if defined(POLARSSL_CAMELLIA_C)
481 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]482 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]483#if defined(POLARSSL_SHA2_C)
484 case SSL_RSA_CAMELLIA_128_SHA256:
485 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
486#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]487 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
488 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
489 break;
490
491 case SSL_RSA_CAMELLIA_256_SHA:
492 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]493#if defined(POLARSSL_SHA2_C)
494 case SSL_RSA_CAMELLIA_256_SHA256:
495 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
496#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]497 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
498 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
499 break;
500#endif
501
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]502#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
503#if defined(POLARSSL_CIPHER_NULL_CIPHER)
504 case SSL_RSA_NULL_MD5:
505 case SSL_RSA_NULL_SHA:
506 case SSL_RSA_NULL_SHA256:
507 break;
508#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
509
510#if defined(POLARSSL_DES_C)
511 case SSL_RSA_DES_SHA:
512 case SSL_EDH_RSA_DES_SHA:
513 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
514 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
515 break;
516#endif
517#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
518
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]519 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]520 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521 }
522
523 memset( keyblk, 0, sizeof( keyblk ) );
524
525 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
526
527 return( 0 );
528}
529
530void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
531{
532 md5_context md5;
533 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]534 sha2_context sha2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]535 unsigned char pad_1[48];
536 unsigned char pad_2[48];
537
538 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
539
540 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
541 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]542 memcpy( &sha2, &ssl->fin_sha2, sizeof( sha2_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]543
544 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
545 {
546 memset( pad_1, 0x36, 48 );
547 memset( pad_2, 0x5C, 48 );
548
549 md5_update( &md5, ssl->session->master, 48 );
550 md5_update( &md5, pad_1, 48 );
551 md5_finish( &md5, hash );
552
553 md5_starts( &md5 );
554 md5_update( &md5, ssl->session->master, 48 );
555 md5_update( &md5, pad_2, 48 );
556 md5_update( &md5, hash, 16 );
557 md5_finish( &md5, hash );
558
559 sha1_update( &sha1, ssl->session->master, 48 );
560 sha1_update( &sha1, pad_1, 40 );
561 sha1_finish( &sha1, hash + 16 );
562
563 sha1_starts( &sha1 );
564 sha1_update( &sha1, ssl->session->master, 48 );
565 sha1_update( &sha1, pad_2, 40 );
566 sha1_update( &sha1, hash + 16, 20 );
567 sha1_finish( &sha1, hash + 16 );
568 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]569 else if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) /* TLSv1 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570 {
571 md5_finish( &md5, hash );
572 sha1_finish( &sha1, hash + 16 );
573 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]574 else
575 {
576 sha2_finish( &sha2, hash );
577 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]578
579 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
580 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
581
582 return;
583}
584
585/*
586 * SSLv3.0 MAC functions
587 */
588static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]589 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590 unsigned char *ctr, int type )
591{
592 unsigned char header[11];
593 unsigned char padding[48];
594 md5_context md5;
595
596 memcpy( header, ctr, 8 );
597 header[ 8] = (unsigned char) type;
598 header[ 9] = (unsigned char)( len >> 8 );
599 header[10] = (unsigned char)( len );
600
601 memset( padding, 0x36, 48 );
602 md5_starts( &md5 );
603 md5_update( &md5, secret, 16 );
604 md5_update( &md5, padding, 48 );
605 md5_update( &md5, header, 11 );
606 md5_update( &md5, buf, len );
607 md5_finish( &md5, buf + len );
608
609 memset( padding, 0x5C, 48 );
610 md5_starts( &md5 );
611 md5_update( &md5, secret, 16 );
612 md5_update( &md5, padding, 48 );
613 md5_update( &md5, buf + len, 16 );
614 md5_finish( &md5, buf + len );
615}
616
617static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]618 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]619 unsigned char *ctr, int type )
620{
621 unsigned char header[11];
622 unsigned char padding[40];
623 sha1_context sha1;
624
625 memcpy( header, ctr, 8 );
626 header[ 8] = (unsigned char) type;
627 header[ 9] = (unsigned char)( len >> 8 );
628 header[10] = (unsigned char)( len );
629
630 memset( padding, 0x36, 40 );
631 sha1_starts( &sha1 );
632 sha1_update( &sha1, secret, 20 );
633 sha1_update( &sha1, padding, 40 );
634 sha1_update( &sha1, header, 11 );
635 sha1_update( &sha1, buf, len );
636 sha1_finish( &sha1, buf + len );
637
638 memset( padding, 0x5C, 40 );
639 sha1_starts( &sha1 );
640 sha1_update( &sha1, secret, 20 );
641 sha1_update( &sha1, padding, 40 );
642 sha1_update( &sha1, buf + len, 20 );
643 sha1_finish( &sha1, buf + len );
644}
645
646/*
647 * Encryption/decryption functions
648 */
649static int ssl_encrypt_buf( ssl_context *ssl )
650{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]651 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]652
653 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
654
655 /*
656 * Add MAC then encrypt
657 */
658 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
659 {
660 if( ssl->maclen == 16 )
661 ssl_mac_md5( ssl->mac_enc,
662 ssl->out_msg, ssl->out_msglen,
663 ssl->out_ctr, ssl->out_msgtype );
664
665 if( ssl->maclen == 20 )
666 ssl_mac_sha1( ssl->mac_enc,
667 ssl->out_msg, ssl->out_msglen,
668 ssl->out_ctr, ssl->out_msgtype );
669 }
670 else
671 {
672 if( ssl->maclen == 16 )
673 md5_hmac( ssl->mac_enc, 16,
674 ssl->out_ctr, ssl->out_msglen + 13,
675 ssl->out_msg + ssl->out_msglen );
676
677 if( ssl->maclen == 20 )
678 sha1_hmac( ssl->mac_enc, 20,
679 ssl->out_ctr, ssl->out_msglen + 13,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]680 ssl->out_msg + ssl->out_msglen );
681
682 if( ssl->maclen == 32 )
683 sha2_hmac( ssl->mac_enc, 32,
684 ssl->out_ctr, ssl->out_msglen + 13,
685 ssl->out_msg + ssl->out_msglen, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]686 }
687
688 SSL_DEBUG_BUF( 4, "computed mac",
689 ssl->out_msg + ssl->out_msglen, ssl->maclen );
690
691 ssl->out_msglen += ssl->maclen;
692
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]693 for( i = 8; i > 0; i-- )
694 if( ++ssl->out_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695 break;
696
697 if( ssl->ivlen == 0 )
698 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699 padlen = 0;
700
701 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
702 "including %d bytes of padding",
703 ssl->out_msglen, 0 ) );
704
705 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
706 ssl->out_msg, ssl->out_msglen );
707
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]708#if defined(POLARSSL_ARC4_C)
709 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
710 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
711 {
712 arc4_crypt( (arc4_context *) ssl->ctx_enc,
713 ssl->out_msglen, ssl->out_msg,
714 ssl->out_msg );
715 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]717#if defined(POLARSSL_CIPHER_NULL_CIPHER)
718 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
719 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
720 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
721 {
722 } else
723#endif
724 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725 }
726 else
727 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]728 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]729 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]730
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]731 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
732 if( padlen == ssl->ivlen )
733 padlen = 0;
734
735 for( i = 0; i <= padlen; i++ )
736 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
737
738 ssl->out_msglen += padlen + 1;
739
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]740 enc_msglen = ssl->out_msglen;
741 enc_msg = ssl->out_msg;
742
743 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]744 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
745 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]746 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]747 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]748 {
749 /*
750 * Generate IV
751 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]752 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
753 if( ret != 0 )
754 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]755
756 /*
757 * Shift message for ivlen bytes and prepend IV
758 */
759 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
760 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
761
762 /*
763 * Fix pointer positions and message length with added IV
764 */
765 enc_msg = ssl->out_msg + ssl->ivlen;
766 enc_msglen = ssl->out_msglen;
767 ssl->out_msglen += ssl->ivlen;
768 }
769
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]771 "including %d bytes of IV and %d bytes of padding",
772 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773
774 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
775 ssl->out_msg, ssl->out_msglen );
776
777 switch( ssl->ivlen )
778 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]779#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]780 case 8:
781#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
782 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
783 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
784 {
785 des_crypt_cbc( (des_context *) ssl->ctx_enc,
786 DES_ENCRYPT, enc_msglen,
787 ssl->iv_enc, enc_msg, enc_msg );
788 }
789 else
790#endif
791 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
792 DES_ENCRYPT, enc_msglen,
793 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]794 break;
795#endif
796
797 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]798#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]799 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
800 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
801 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]802 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
803 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
804 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
805 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
806 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]807 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]808 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]809 AES_ENCRYPT, enc_msglen,
810 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]811 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]812 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]813#endif
814
815#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]816 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
817 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
818 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]819 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
820 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
821 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
822 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
823 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]824 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]825 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]826 CAMELLIA_ENCRYPT, enc_msglen,
827 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]828 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]829 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]830#endif
831
832 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]833 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834 }
835 }
836
837 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
838
839 return( 0 );
840}
841
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]842/*
843 * TODO: Use digest version when integrated!
844 */
845#define POLARSSL_SSL_MAX_MAC_SIZE 32
846
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847static int ssl_decrypt_buf( ssl_context *ssl )
848{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]849 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]850 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]851
852 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
853
854 if( ssl->in_msglen < ssl->minlen )
855 {
856 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
857 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]858 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]859 }
860
861 if( ssl->ivlen == 0 )
862 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]863#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]865 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
866 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
867 {
868 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]869 ssl->in_msglen, ssl->in_msg,
870 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]871 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]872#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]873#if defined(POLARSSL_CIPHER_NULL_CIPHER)
874 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
875 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
876 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
877 {
878 } else
879#endif
880 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]881 }
882 else
883 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]884 unsigned char *dec_msg;
885 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]886 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]887
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]888 /*
889 * Decrypt and check the padding
890 */
891 if( ssl->in_msglen % ssl->ivlen != 0 )
892 {
893 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
894 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]895 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]896 }
897
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]898 dec_msglen = ssl->in_msglen;
899 dec_msg = ssl->in_msg;
900 dec_msg_result = ssl->in_msg;
901
902 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]903 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]904 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]905 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]906 {
907 dec_msg += ssl->ivlen;
908 dec_msglen -= ssl->ivlen;
909 ssl->in_msglen -= ssl->ivlen;
910
911 for( i = 0; i < ssl->ivlen; i++ )
912 ssl->iv_dec[i] = ssl->in_msg[i];
913 }
914
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]915 switch( ssl->ivlen )
916 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]917#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]918 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]919#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
920 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
921 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
922 {
923 des_crypt_cbc( (des_context *) ssl->ctx_dec,
924 DES_DECRYPT, dec_msglen,
925 ssl->iv_dec, dec_msg, dec_msg_result );
926 }
927 else
928#endif
929 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
930 DES_DECRYPT, dec_msglen,
931 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]932 break;
933#endif
934
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]935 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]936#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]937 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
938 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
939 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]940 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
941 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
942 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
943 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
944 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]945 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]946 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]947 AES_DECRYPT, dec_msglen,
948 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]949 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]950 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]951#endif
952
953#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]954 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
955 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
956 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]957 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
958 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
959 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
960 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
961 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]962 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]963 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]964 CAMELLIA_DECRYPT, dec_msglen,
965 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]966 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]967 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968#endif
969
970 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]971 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]972 }
973
974 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
975
976 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
977 {
978 if( padlen > ssl->ivlen )
979 {
980 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
981 "should be no more than %d",
982 padlen, ssl->ivlen ) );
983 padlen = 0;
984 }
985 }
986 else
987 {
988 /*
989 * TLSv1: always check the padding
990 */
991 for( i = 1; i <= padlen; i++ )
992 {
993 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
994 {
995 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
996 "%02x, but is %02x", padlen - 1,
997 ssl->in_msg[ssl->in_msglen - i] ) );
998 padlen = 0;
999 }
1000 }
1001 }
1002 }
1003
1004 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1005 ssl->in_msg, ssl->in_msglen );
1006
1007 /*
1008 * Always compute the MAC (RFC4346, CBCTIME).
1009 */
Paul Bakkerf34cf852012-04-10 07:48:40 +0000[diff] [blame]1010 if( ssl->in_msglen < ssl->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1011 {
1012 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1013 ssl->in_msglen, ssl->maclen, padlen ) );
1014 return( POLARSSL_ERR_SSL_INVALID_MAC );
1015 }
1016
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1017 ssl->in_msglen -= ( ssl->maclen + padlen );
1018
1019 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1020 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1021
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1022 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1023
1024 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1025 {
1026 if( ssl->maclen == 16 )
1027 ssl_mac_md5( ssl->mac_dec,
1028 ssl->in_msg, ssl->in_msglen,
1029 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1030 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1031 ssl_mac_sha1( ssl->mac_dec,
1032 ssl->in_msg, ssl->in_msglen,
1033 ssl->in_ctr, ssl->in_msgtype );
1034 }
1035 else
1036 {
1037 if( ssl->maclen == 16 )
1038 md5_hmac( ssl->mac_dec, 16,
1039 ssl->in_ctr, ssl->in_msglen + 13,
1040 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1041 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042 sha1_hmac( ssl->mac_dec, 20,
1043 ssl->in_ctr, ssl->in_msglen + 13,
1044 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1045 else if( ssl->maclen == 32 )
1046 sha2_hmac( ssl->mac_dec, 32,
1047 ssl->in_ctr, ssl->in_msglen + 13,
1048 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 }
1050
1051 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
1052 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1053 ssl->maclen );
1054
1055 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1056 ssl->maclen ) != 0 )
1057 {
1058 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1059 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1060 }
1061
1062 /*
1063 * Finally check the padding length; bad padding
1064 * will produce the same error as an invalid MAC.
1065 */
1066 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1067 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1068
1069 if( ssl->in_msglen == 0 )
1070 {
1071 ssl->nb_zero++;
1072
1073 /*
1074 * Three or more empty messages may be a DoS attack
1075 * (excessive CPU consumption).
1076 */
1077 if( ssl->nb_zero > 3 )
1078 {
1079 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1080 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1081 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082 }
1083 }
1084 else
1085 ssl->nb_zero = 0;
1086
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1087 for( i = 8; i > 0; i-- )
1088 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 break;
1090
1091 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1092
1093 return( 0 );
1094}
1095
1096/*
1097 * Fill the input message buffer
1098 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1099int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1101 int ret;
1102 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1103
1104 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1105
1106 while( ssl->in_left < nb_want )
1107 {
1108 len = nb_want - ssl->in_left;
1109 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1110
1111 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1112 ssl->in_left, nb_want ) );
1113 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1114
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1115 if( ret == 0 )
1116 return( POLARSSL_ERR_SSL_CONN_EOF );
1117
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1118 if( ret < 0 )
1119 return( ret );
1120
1121 ssl->in_left += ret;
1122 }
1123
1124 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1125
1126 return( 0 );
1127}
1128
1129/*
1130 * Flush any data not yet written
1131 */
1132int ssl_flush_output( ssl_context *ssl )
1133{
1134 int ret;
1135 unsigned char *buf;
1136
1137 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1138
1139 while( ssl->out_left > 0 )
1140 {
1141 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1142 5 + ssl->out_msglen, ssl->out_left ) );
1143
1144 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1145 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1146 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1147
1148 if( ret <= 0 )
1149 return( ret );
1150
1151 ssl->out_left -= ret;
1152 }
1153
1154 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1155
1156 return( 0 );
1157}
1158
1159/*
1160 * Record layer functions
1161 */
1162int ssl_write_record( ssl_context *ssl )
1163{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1164 int ret;
1165 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1166
1167 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1168
1169 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1170 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1171 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1172 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1173 ssl->out_hdr[4] = (unsigned char)( len );
1174
1175 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1176 {
1177 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1178 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1179 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1180
1181 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
1182 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1183 sha2_update( &ssl->fin_sha2, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1184 }
1185
1186 if( ssl->do_crypt != 0 )
1187 {
1188 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1189 {
1190 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1191 return( ret );
1192 }
1193
1194 len = ssl->out_msglen;
1195 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1196 ssl->out_hdr[4] = (unsigned char)( len );
1197 }
1198
1199 ssl->out_left = 5 + ssl->out_msglen;
1200
1201 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1202 "version = [%d:%d], msglen = %d",
1203 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1204 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1205
1206 SSL_DEBUG_BUF( 4, "output record sent to network",
1207 ssl->out_hdr, 5 + ssl->out_msglen );
1208
1209 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1210 {
1211 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1212 return( ret );
1213 }
1214
1215 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1216
1217 return( 0 );
1218}
1219
1220int ssl_read_record( ssl_context *ssl )
1221{
1222 int ret;
1223
1224 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1225
1226 if( ssl->in_hslen != 0 &&
1227 ssl->in_hslen < ssl->in_msglen )
1228 {
1229 /*
1230 * Get next Handshake message in the current record
1231 */
1232 ssl->in_msglen -= ssl->in_hslen;
1233
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1234 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1235 ssl->in_msglen );
1236
1237 ssl->in_hslen = 4;
1238 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1239
1240 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1241 " %d, type = %d, hslen = %d",
1242 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1243
1244 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1245 {
1246 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1247 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1248 }
1249
1250 if( ssl->in_msglen < ssl->in_hslen )
1251 {
1252 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1253 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1254 }
1255
1256 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1257 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1258 sha2_update( &ssl->fin_sha2, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1259
1260 return( 0 );
1261 }
1262
1263 ssl->in_hslen = 0;
1264
1265 /*
1266 * Read the record header and validate it
1267 */
1268 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1269 {
1270 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1271 return( ret );
1272 }
1273
1274 ssl->in_msgtype = ssl->in_hdr[0];
1275 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1276
1277 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1278 "version = [%d:%d], msglen = %d",
1279 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1280 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1281
1282 if( ssl->in_hdr[1] != ssl->major_ver )
1283 {
1284 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1285 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286 }
1287
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1288 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289 {
1290 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1291 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1292 }
1293
1294 /*
1295 * Make sure the message length is acceptable
1296 */
1297 if( ssl->do_crypt == 0 )
1298 {
1299 if( ssl->in_msglen < 1 ||
1300 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1301 {
1302 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1303 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304 }
1305 }
1306 else
1307 {
1308 if( ssl->in_msglen < ssl->minlen )
1309 {
1310 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1311 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312 }
1313
1314 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1315 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1316 {
1317 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1318 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319 }
1320
1321 /*
1322 * TLS encrypted messages can have up to 256 bytes of padding
1323 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1324 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1326 {
1327 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1328 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329 }
1330 }
1331
1332 /*
1333 * Read and optionally decrypt the message contents
1334 */
1335 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1336 {
1337 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1338 return( ret );
1339 }
1340
1341 SSL_DEBUG_BUF( 4, "input record from network",
1342 ssl->in_hdr, 5 + ssl->in_msglen );
1343
1344 if( ssl->do_crypt != 0 )
1345 {
1346 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1347 {
1348 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1349 return( ret );
1350 }
1351
1352 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1353 ssl->in_msg, ssl->in_msglen );
1354
1355 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1356 {
1357 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1358 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1359 }
1360 }
1361
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame^]1362 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1363 ssl->in_msgtype != SSL_MSG_ALERT &&
1364 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1365 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1366 {
1367 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1368
1369 if( ( ret = ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1370 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
1371 {
1372 return( ret );
1373 }
1374
1375 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1376 }
1377
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1378 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1379 {
1380 ssl->in_hslen = 4;
1381 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1382
1383 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1384 " %d, type = %d, hslen = %d",
1385 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1386
1387 /*
1388 * Additional checks to validate the handshake header
1389 */
1390 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1391 {
1392 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1393 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1394 }
1395
1396 if( ssl->in_msglen < ssl->in_hslen )
1397 {
1398 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1399 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400 }
1401
1402 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1403 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1404 sha2_update( &ssl->fin_sha2, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1405 }
1406
1407 if( ssl->in_msgtype == SSL_MSG_ALERT )
1408 {
1409 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1410 ssl->in_msg[0], ssl->in_msg[1] ) );
1411
1412 /*
1413 * Ignore non-fatal alerts, except close_notify
1414 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1415 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1416 {
1417 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1418 /**
1419 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1420 * error identifier.
1421 */
1422 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1423 }
1424
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1425 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1426 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427 {
1428 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1429 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1430 }
1431 }
1432
1433 ssl->in_left = 0;
1434
1435 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1436
1437 return( 0 );
1438}
1439
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame^]1440int ssl_send_alert_message( ssl_context *ssl,
1441 unsigned char level,
1442 unsigned char message )
1443{
1444 int ret;
1445
1446 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1447
1448 ssl->out_msgtype = SSL_MSG_ALERT;
1449 ssl->out_msglen = 2;
1450 ssl->out_msg[0] = level;
1451 ssl->out_msg[1] = message;
1452
1453 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1454 {
1455 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1456 return( ret );
1457 }
1458
1459 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1460
1461 return( 0 );
1462}
1463
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1464/*
1465 * Handshake functions
1466 */
1467int ssl_write_certificate( ssl_context *ssl )
1468{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1469 int ret;
1470 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1471 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1472
1473 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1474
1475 if( ssl->endpoint == SSL_IS_CLIENT )
1476 {
1477 if( ssl->client_auth == 0 )
1478 {
1479 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1480 ssl->state++;
1481 return( 0 );
1482 }
1483
1484 /*
1485 * If using SSLv3 and got no cert, send an Alert message
1486 * (otherwise an empty Certificate message will be sent).
1487 */
1488 if( ssl->own_cert == NULL &&
1489 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1490 {
1491 ssl->out_msglen = 2;
1492 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1493 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1494 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1495
1496 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1497 goto write_msg;
1498 }
1499 }
1500 else /* SSL_IS_SERVER */
1501 {
1502 if( ssl->own_cert == NULL )
1503 {
1504 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1505 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1506 }
1507 }
1508
1509 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1510
1511 /*
1512 * 0 . 0 handshake type
1513 * 1 . 3 handshake length
1514 * 4 . 6 length of all certs
1515 * 7 . 9 length of cert. 1
1516 * 10 . n-1 peer certificate
1517 * n . n+2 length of cert. 2
1518 * n+3 . ... upper level cert, etc.
1519 */
1520 i = 7;
1521 crt = ssl->own_cert;
1522
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1523 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1524 {
1525 n = crt->raw.len;
1526 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1527 {
1528 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1529 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1530 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1531 }
1532
1533 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1534 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1535 ssl->out_msg[i + 2] = (unsigned char)( n );
1536
1537 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1538 i += n; crt = crt->next;
1539 }
1540
1541 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1542 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1543 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1544
1545 ssl->out_msglen = i;
1546 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1547 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1548
1549write_msg:
1550
1551 ssl->state++;
1552
1553 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1554 {
1555 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1556 return( ret );
1557 }
1558
1559 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1560
1561 return( 0 );
1562}
1563
1564int ssl_parse_certificate( ssl_context *ssl )
1565{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1566 int ret;
1567 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1568
1569 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1570
1571 if( ssl->endpoint == SSL_IS_SERVER &&
1572 ssl->authmode == SSL_VERIFY_NONE )
1573 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1574 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1575 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1576 ssl->state++;
1577 return( 0 );
1578 }
1579
1580 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1581 {
1582 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1583 return( ret );
1584 }
1585
1586 ssl->state++;
1587
1588 /*
1589 * Check if the client sent an empty certificate
1590 */
1591 if( ssl->endpoint == SSL_IS_SERVER &&
1592 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1593 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1594 if( ssl->in_msglen == 2 &&
1595 ssl->in_msgtype == SSL_MSG_ALERT &&
1596 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1597 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1598 {
1599 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1600
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1601 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1602 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1603 return( 0 );
1604 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1605 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1606 }
1607 }
1608
1609 if( ssl->endpoint == SSL_IS_SERVER &&
1610 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1611 {
1612 if( ssl->in_hslen == 7 &&
1613 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1614 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1615 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1616 {
1617 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1618
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1619 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1620 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1621 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1622 else
1623 return( 0 );
1624 }
1625 }
1626
1627 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1628 {
1629 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1630 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1631 }
1632
1633 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1634 {
1635 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1636 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1637 }
1638
1639 /*
1640 * Same message structure as in ssl_write_certificate()
1641 */
1642 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1643
1644 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1645 {
1646 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1647 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1648 }
1649
1650 if( ( ssl->peer_cert = (x509_cert *) malloc(
1651 sizeof( x509_cert ) ) ) == NULL )
1652 {
1653 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1654 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1655 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1656 }
1657
1658 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1659
1660 i = 7;
1661
1662 while( i < ssl->in_hslen )
1663 {
1664 if( ssl->in_msg[i] != 0 )
1665 {
1666 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1667 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1668 }
1669
1670 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1671 | (unsigned int) ssl->in_msg[i + 2];
1672 i += 3;
1673
1674 if( n < 128 || i + n > ssl->in_hslen )
1675 {
1676 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1677 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678 }
1679
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1680 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1681 if( ret != 0 )
1682 {
1683 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1684 return( ret );
1685 }
1686
1687 i += n;
1688 }
1689
1690 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1691
1692 if( ssl->authmode != SSL_VERIFY_NONE )
1693 {
1694 if( ssl->ca_chain == NULL )
1695 {
1696 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1697 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1698 }
1699
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1700 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1701 ssl->peer_cn, &ssl->verify_result,
1702 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1703
1704 if( ret != 0 )
1705 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1706
1707 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1708 ret = 0;
1709 }
1710
1711 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1712
1713 return( ret );
1714}
1715
1716int ssl_write_change_cipher_spec( ssl_context *ssl )
1717{
1718 int ret;
1719
1720 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1721
1722 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1723 ssl->out_msglen = 1;
1724 ssl->out_msg[0] = 1;
1725
1726 ssl->do_crypt = 0;
1727 ssl->state++;
1728
1729 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1730 {
1731 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1732 return( ret );
1733 }
1734
1735 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1736
1737 return( 0 );
1738}
1739
1740int ssl_parse_change_cipher_spec( ssl_context *ssl )
1741{
1742 int ret;
1743
1744 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1745
1746 ssl->do_crypt = 0;
1747
1748 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1749 {
1750 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1751 return( ret );
1752 }
1753
1754 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1755 {
1756 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1757 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1758 }
1759
1760 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1761 {
1762 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1763 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1764 }
1765
1766 ssl->state++;
1767
1768 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1769
1770 return( 0 );
1771}
1772
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1773static void ssl_calc_finished_ssl(
1774 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1775{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1776 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1777 md5_context md5;
1778 sha1_context sha1;
1779
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1780 unsigned char padbuf[48];
1781 unsigned char md5sum[16];
1782 unsigned char sha1sum[20];
1783
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1784 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
1785
1786 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1787 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788
1789 /*
1790 * SSLv3:
1791 * hash =
1792 * MD5( master + pad2 +
1793 * MD5( handshake + sender + master + pad1 ) )
1794 * + SHA1( master + pad2 +
1795 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1796 */
1797
1798 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1799 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1800
1801 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1802 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1803
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1804 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1805 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1806
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1807 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1808
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1809 md5_update( &md5, (unsigned char *) sender, 4 );
1810 md5_update( &md5, ssl->session->master, 48 );
1811 md5_update( &md5, padbuf, 48 );
1812 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1814 sha1_update( &sha1, (unsigned char *) sender, 4 );
1815 sha1_update( &sha1, ssl->session->master, 48 );
1816 sha1_update( &sha1, padbuf, 40 );
1817 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1818
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1819 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1821 md5_starts( &md5 );
1822 md5_update( &md5, ssl->session->master, 48 );
1823 md5_update( &md5, padbuf, 48 );
1824 md5_update( &md5, md5sum, 16 );
1825 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1827 sha1_starts( &sha1 );
1828 sha1_update( &sha1, ssl->session->master, 48 );
1829 sha1_update( &sha1, padbuf , 40 );
1830 sha1_update( &sha1, sha1sum, 20 );
1831 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1833 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1835 memset( &md5, 0, sizeof( md5_context ) );
1836 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1837
1838 memset( padbuf, 0, sizeof( padbuf ) );
1839 memset( md5sum, 0, sizeof( md5sum ) );
1840 memset( sha1sum, 0, sizeof( sha1sum ) );
1841
1842 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1843}
1844
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1845static void ssl_calc_finished_tls(
1846 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1847{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1848 int len = 12;
1849 char *sender;
1850 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1852 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1854 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855
1856 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1857 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1858
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1859 /*
1860 * TLSv1:
1861 * hash = PRF( master, finished_label,
1862 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1863 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1865 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1866 md5.state, sizeof( md5.state ) );
1867
1868 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1869 sha1.state, sizeof( sha1.state ) );
1870
1871 sender = ( from == SSL_IS_CLIENT )
1872 ? (char *) "client finished"
1873 : (char *) "server finished";
1874
1875 md5_finish( &md5, padbuf );
1876 sha1_finish( &sha1, padbuf + 16 );
1877
1878 ssl->tls_prf( ssl->session->master, 48, sender,
1879 padbuf, 36, buf, len );
1880
1881 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1882
1883 memset( &md5, 0, sizeof( md5_context ) );
1884 memset( &sha1, 0, sizeof( sha1_context ) );
1885
1886 memset( padbuf, 0, sizeof( padbuf ) );
1887
1888 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1889}
1890
1891static void ssl_calc_finished_tls1_2(
1892 ssl_context *ssl, unsigned char *buf, int from )
1893{
1894 int len = 12;
1895 char *sender;
1896 sha2_context sha2;
1897 unsigned char padbuf[32];
1898
1899 SSL_DEBUG_MSG( 2, ( "=> calc finished tls 1.2" ) );
1900
1901 memcpy( &sha2, &ssl->fin_sha2, sizeof( sha2_context ) );
1902
1903 /*
1904 * TLSv1.2:
1905 * hash = PRF( master, finished_label,
1906 * Hash( handshake ) )[0.11]
1907 */
1908
1909 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
1910 sha2.state, sizeof( sha2.state ) );
1911
1912 sender = ( from == SSL_IS_CLIENT )
1913 ? (char *) "client finished"
1914 : (char *) "server finished";
1915
1916 sha2_finish( &sha2, padbuf );
1917
1918 ssl->tls_prf( ssl->session->master, 48, sender,
1919 padbuf, 32, buf, len );
1920
1921 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1922
1923 memset( &sha2, 0, sizeof( sha2_context ) );
1924
1925 memset( padbuf, 0, sizeof( padbuf ) );
1926
1927 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1928}
1929
1930int ssl_write_finished( ssl_context *ssl )
1931{
1932 int ret, hash_len;
1933
1934 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1935
1936 ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
1937
1938 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1939 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1940
1941 ssl->out_msglen = 4 + hash_len;
1942 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1943 ssl->out_msg[0] = SSL_HS_FINISHED;
1944
1945 /*
1946 * In case of session resuming, invert the client and server
1947 * ChangeCipherSpec messages order.
1948 */
1949 if( ssl->resume != 0 )
1950 {
1951 if( ssl->endpoint == SSL_IS_CLIENT )
1952 ssl->state = SSL_HANDSHAKE_OVER;
1953 else
1954 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1955 }
1956 else
1957 ssl->state++;
1958
1959 ssl->do_crypt = 1;
1960
1961 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1962 {
1963 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1964 return( ret );
1965 }
1966
1967 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1968
1969 return( 0 );
1970}
1971
1972int ssl_parse_finished( ssl_context *ssl )
1973{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1974 int ret;
1975 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1976 unsigned char buf[36];
1977
1978 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1979
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1980 ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1981
1982 ssl->do_crypt = 1;
1983
1984 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1985 {
1986 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1987 return( ret );
1988 }
1989
1990 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1991 {
1992 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1993 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1994 }
1995
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1996 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1997 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1998
1999 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2000 ssl->in_hslen != 4 + hash_len )
2001 {
2002 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2003 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2004 }
2005
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2006 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2007 {
2008 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2009 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010 }
2011
2012 if( ssl->resume != 0 )
2013 {
2014 if( ssl->endpoint == SSL_IS_CLIENT )
2015 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2016
2017 if( ssl->endpoint == SSL_IS_SERVER )
2018 ssl->state = SSL_HANDSHAKE_OVER;
2019 }
2020 else
2021 ssl->state++;
2022
2023 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2024
2025 return( 0 );
2026}
2027
2028/*
2029 * Initialize an SSL context
2030 */
2031int ssl_init( ssl_context *ssl )
2032{
2033 int len = SSL_BUFFER_LEN;
2034
2035 memset( ssl, 0, sizeof( ssl_context ) );
2036
2037 ssl->in_ctr = (unsigned char *) malloc( len );
2038 ssl->in_hdr = ssl->in_ctr + 8;
2039 ssl->in_msg = ssl->in_ctr + 13;
2040
2041 if( ssl->in_ctr == NULL )
2042 {
2043 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2044 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2045 }
2046
2047 ssl->out_ctr = (unsigned char *) malloc( len );
2048 ssl->out_hdr = ssl->out_ctr + 8;
2049 ssl->out_msg = ssl->out_ctr + 13;
2050
2051 if( ssl->out_ctr == NULL )
2052 {
2053 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2054 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2055 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2056 }
2057
2058 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2059 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2060
2061 ssl->hostname = NULL;
2062 ssl->hostname_len = 0;
2063
2064 md5_starts( &ssl->fin_md5 );
2065 sha1_starts( &ssl->fin_sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2066 sha2_starts( &ssl->fin_sha2, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2067
2068 return( 0 );
2069}
2070
2071/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2072 * Reset an initialized and used SSL context for re-use while retaining
2073 * all application-set variables, function pointers and data.
2074 */
2075void ssl_session_reset( ssl_context *ssl )
2076{
2077 ssl->state = SSL_HELLO_REQUEST;
2078
2079 ssl->in_offt = NULL;
2080
2081 ssl->in_msgtype = 0;
2082 ssl->in_msglen = 0;
2083 ssl->in_left = 0;
2084
2085 ssl->in_hslen = 0;
2086 ssl->nb_zero = 0;
2087
2088 ssl->out_msgtype = 0;
2089 ssl->out_msglen = 0;
2090 ssl->out_left = 0;
2091
2092 ssl->do_crypt = 0;
2093 ssl->pmslen = 0;
2094 ssl->keylen = 0;
2095 ssl->minlen = 0;
2096 ssl->ivlen = 0;
2097 ssl->maclen = 0;
2098
2099 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2100 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2101 memset( ssl->randbytes, 0, 64 );
2102 memset( ssl->premaster, 0, 256 );
2103 memset( ssl->iv_enc, 0, 16 );
2104 memset( ssl->iv_dec, 0, 16 );
2105 memset( ssl->mac_enc, 0, 32 );
2106 memset( ssl->mac_dec, 0, 32 );
2107 memset( ssl->ctx_enc, 0, 128 );
2108 memset( ssl->ctx_dec, 0, 128 );
2109
2110 md5_starts( &ssl->fin_md5 );
2111 sha1_starts( &ssl->fin_sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2112 sha2_starts( &ssl->fin_sha2, 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2113}
2114
2115/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2116 * SSL set accessors
2117 */
2118void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2119{
2120 ssl->endpoint = endpoint;
2121}
2122
2123void ssl_set_authmode( ssl_context *ssl, int authmode )
2124{
2125 ssl->authmode = authmode;
2126}
2127
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2128void ssl_set_verify( ssl_context *ssl,
2129 int (*f_vrfy)(void *, x509_cert *, int, int),
2130 void *p_vrfy )
2131{
2132 ssl->f_vrfy = f_vrfy;
2133 ssl->p_vrfy = p_vrfy;
2134}
2135
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2136void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2137 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2138 void *p_rng )
2139{
2140 ssl->f_rng = f_rng;
2141 ssl->p_rng = p_rng;
2142}
2143
2144void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2145 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146 void *p_dbg )
2147{
2148 ssl->f_dbg = f_dbg;
2149 ssl->p_dbg = p_dbg;
2150}
2151
2152void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2153 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2154 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2155{
2156 ssl->f_recv = f_recv;
2157 ssl->f_send = f_send;
2158 ssl->p_recv = p_recv;
2159 ssl->p_send = p_send;
2160}
2161
2162void ssl_set_scb( ssl_context *ssl,
2163 int (*s_get)(ssl_context *),
2164 int (*s_set)(ssl_context *) )
2165{
2166 ssl->s_get = s_get;
2167 ssl->s_set = s_set;
2168}
2169
2170void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2171 ssl_session *session )
2172{
2173 ssl->resume = resume;
2174 ssl->timeout = timeout;
2175 ssl->session = session;
2176}
2177
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2178void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2180 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2181}
2182
2183void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2184 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2185{
2186 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2187 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2188 ssl->peer_cn = peer_cn;
2189}
2190
2191void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2192 rsa_context *rsa_key )
2193{
2194 ssl->own_cert = own_cert;
2195 ssl->rsa_key = rsa_key;
2196}
2197
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]2198#if defined(POLARSSL_PKCS11_C)
2199void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
2200 pkcs11_context *pkcs11_key )
2201{
2202 ssl->own_cert = own_cert;
2203 ssl->pkcs11_key = pkcs11_key;
2204}
2205#endif
2206
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2207int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2208{
2209 int ret;
2210
2211 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2212 {
2213 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2214 return( ret );
2215 }
2216
2217 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2218 {
2219 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2220 return( ret );
2221 }
2222
2223 return( 0 );
2224}
2225
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2226int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
2227{
2228 int ret;
2229
2230 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2231 {
2232 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2233 return( ret );
2234 }
2235
2236 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2237 {
2238 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2239 return( ret );
2240 }
2241
2242 return( 0 );
2243}
2244
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2245int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2246{
2247 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2248 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2249
2250 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2251 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2252
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2253 if( ssl->hostname == NULL )
2254 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2255
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256 memcpy( ssl->hostname, (unsigned char *) hostname,
2257 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2258
2259 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260
2261 return( 0 );
2262}
2263
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2264void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2265{
2266 ssl->max_major_ver = major;
2267 ssl->max_minor_ver = minor;
2268}
2269
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2270/*
2271 * SSL get accessors
2272 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2273size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2274{
2275 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2276}
2277
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2278int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2279{
2280 return( ssl->verify_result );
2281}
2282
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2283const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2284{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2285 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2286 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2287#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2288 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2289 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2290
2291 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2292 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2293#endif
2294
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2295#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2296 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2297 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2298
2299 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2300 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2301#endif
2302
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2303#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2304 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2305 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2306
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2307 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2308 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2309
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2310 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2311 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2312
2313 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2314 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2315
2316#if defined(POLARSSL_SHA2_C)
2317 case SSL_RSA_AES_128_SHA256:
2318 return( "SSL-RSA-AES-128-SHA256" );
2319
2320 case SSL_EDH_RSA_AES_128_SHA256:
2321 return( "SSL-EDH-RSA-AES-128-SHA256" );
2322
2323 case SSL_RSA_AES_256_SHA256:
2324 return( "SSL-RSA-AES-256-SHA256" );
2325
2326 case SSL_EDH_RSA_AES_256_SHA256:
2327 return( "SSL-EDH-RSA-AES-256-SHA256" );
2328#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2329#endif
2330
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2331#if defined(POLARSSL_CAMELLIA_C)
2332 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2333 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2334
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2335 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2336 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2337
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2338 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2339 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2340
2341 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2342 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2343
2344#if defined(POLARSSL_SHA2_C)
2345 case SSL_RSA_CAMELLIA_128_SHA256:
2346 return( "SSL-RSA-CAMELLIA-128-SHA256" );
2347
2348 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
2349 return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
2350
2351 case SSL_RSA_CAMELLIA_256_SHA256:
2352 return( "SSL-RSA-CAMELLIA-256-SHA256" );
2353
2354 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
2355 return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
2356#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2357#endif
2358
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2359#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2360#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2361 case SSL_RSA_NULL_MD5:
2362 return( "SSL-RSA-NULL-MD5" );
2363 case SSL_RSA_NULL_SHA:
2364 return( "SSL-RSA-NULL-SHA" );
2365 case SSL_RSA_NULL_SHA256:
2366 return( "SSL-RSA-NULL-SHA256" );
2367#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2368
2369#if defined(POLARSSL_DES_C)
2370 case SSL_RSA_DES_SHA:
2371 return( "SSL-RSA-DES-SHA" );
2372 case SSL_EDH_RSA_DES_SHA:
2373 return( "SSL-EDH-RSA-DES-SHA" );
2374#endif
2375#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2376
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2377 default:
2378 break;
2379 }
2380
2381 return( "unknown" );
2382}
2383
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2384int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2385{
2386#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2387 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2388 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2389 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2390 return( SSL_RSA_RC4_128_SHA );
2391#endif
2392
2393#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2394 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2395 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2396 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2397 return( SSL_EDH_RSA_DES_168_SHA );
2398#endif
2399
2400#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2401 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2402 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2403 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2404 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2405 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2406 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2407 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2408 return( SSL_EDH_RSA_AES_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2409
2410#if defined(POLARSSL_SHA2_C)
2411 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
2412 return( SSL_RSA_AES_128_SHA256 );
2413 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
2414 return( SSL_EDH_RSA_AES_128_SHA256 );
2415 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
2416 return( SSL_RSA_AES_256_SHA256 );
2417 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
2418 return( SSL_EDH_RSA_AES_256_SHA256 );
2419#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2420#endif
2421
2422#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2423 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2424 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2425 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2426 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2427 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2428 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2429 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2430 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2431
2432#if defined(POLARSSL_SHA2_C)
2433 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
2434 return( SSL_RSA_CAMELLIA_128_SHA256 );
2435 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
2436 return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
2437 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
2438 return( SSL_RSA_CAMELLIA_256_SHA256 );
2439 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
2440 return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
2441#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2442#endif
2443
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2444#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2445#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2446 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
2447 return( SSL_RSA_NULL_MD5 );
2448 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
2449 return( SSL_RSA_NULL_SHA );
2450 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
2451 return( SSL_RSA_NULL_SHA256 );
2452#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2453
2454#if defined(POLARSSL_DES_C)
2455 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
2456 return( SSL_RSA_DES_SHA );
2457 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
2458 return( SSL_EDH_RSA_DES_SHA );
2459#endif
2460#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2461
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2462 return( 0 );
2463}
2464
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2465const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2466{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2467 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2468}
2469
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2470const char *ssl_get_version( const ssl_context *ssl )
2471{
2472 switch( ssl->minor_ver )
2473 {
2474 case SSL_MINOR_VERSION_0:
2475 return( "SSLv3.0" );
2476
2477 case SSL_MINOR_VERSION_1:
2478 return( "TLSv1.0" );
2479
2480 case SSL_MINOR_VERSION_2:
2481 return( "TLSv1.1" );
2482
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2483 case SSL_MINOR_VERSION_3:
2484 return( "TLSv1.2" );
2485
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2486 default:
2487 break;
2488 }
2489 return( "unknown" );
2490}
2491
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2492int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2493{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2494#if defined(POLARSSL_DHM_C)
2495#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2496#if defined(POLARSSL_SHA2_C)
2497 SSL_EDH_RSA_AES_256_SHA256,
2498 SSL_EDH_RSA_AES_128_SHA256,
2499#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2500 SSL_EDH_RSA_AES_256_SHA,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2501 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2502#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2503#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2504#if defined(POLARSSL_SHA2_C)
2505 SSL_EDH_RSA_CAMELLIA_256_SHA256,
2506 SSL_EDH_RSA_CAMELLIA_128_SHA256,
2507#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2508 SSL_EDH_RSA_CAMELLIA_256_SHA,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2509 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2510#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2511#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2512 SSL_EDH_RSA_DES_168_SHA,
2513#endif
2514#endif
2515
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2516#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2517#if defined(POLARSSL_SHA2_C)
2518 SSL_RSA_AES_256_SHA256,
2519#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2520 SSL_RSA_AES_256_SHA,
2521#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2522#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2523#if defined(POLARSSL_SHA2_C)
2524 SSL_RSA_CAMELLIA_256_SHA256,
2525#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2526 SSL_RSA_CAMELLIA_256_SHA,
2527#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2528#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2529#if defined(POLARSSL_SHA2_C)
2530 SSL_RSA_AES_128_SHA256,
2531#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2532 SSL_RSA_AES_128_SHA,
2533#endif
2534#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2535#if defined(POLARSSL_SHA2_C)
2536 SSL_RSA_CAMELLIA_128_SHA256,
2537#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2538 SSL_RSA_CAMELLIA_128_SHA,
2539#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2540#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2541 SSL_RSA_DES_168_SHA,
2542#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2543#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2544 SSL_RSA_RC4_128_SHA,
2545 SSL_RSA_RC4_128_MD5,
2546#endif
2547 0
2548};
2549
2550/*
2551 * Perform the SSL handshake
2552 */
2553int ssl_handshake( ssl_context *ssl )
2554{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2555 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2556
2557 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
2558
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2559#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2560 if( ssl->endpoint == SSL_IS_CLIENT )
2561 ret = ssl_handshake_client( ssl );
2562#endif
2563
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2564#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2565 if( ssl->endpoint == SSL_IS_SERVER )
2566 ret = ssl_handshake_server( ssl );
2567#endif
2568
2569 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
2570
2571 return( ret );
2572}
2573
2574/*
2575 * Receive application data decrypted from the SSL layer
2576 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2577int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2578{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2579 int ret;
2580 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2581
2582 SSL_DEBUG_MSG( 2, ( "=> read" ) );
2583
2584 if( ssl->state != SSL_HANDSHAKE_OVER )
2585 {
2586 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2587 {
2588 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2589 return( ret );
2590 }
2591 }
2592
2593 if( ssl->in_offt == NULL )
2594 {
2595 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2596 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2597 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2598 return( 0 );
2599
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2600 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2601 return( ret );
2602 }
2603
2604 if( ssl->in_msglen == 0 &&
2605 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
2606 {
2607 /*
2608 * OpenSSL sends empty messages to randomize the IV
2609 */
2610 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2611 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2612 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2613 return( 0 );
2614
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2615 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2616 return( ret );
2617 }
2618 }
2619
2620 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2621 {
2622 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2623 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2624 }
2625
2626 ssl->in_offt = ssl->in_msg;
2627 }
2628
2629 n = ( len < ssl->in_msglen )
2630 ? len : ssl->in_msglen;
2631
2632 memcpy( buf, ssl->in_offt, n );
2633 ssl->in_msglen -= n;
2634
2635 if( ssl->in_msglen == 0 )
2636 /* all bytes consumed */
2637 ssl->in_offt = NULL;
2638 else
2639 /* more data available */
2640 ssl->in_offt += n;
2641
2642 SSL_DEBUG_MSG( 2, ( "<= read" ) );
2643
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2644 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2645}
2646
2647/*
2648 * Send application data to be encrypted by the SSL layer
2649 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2650int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2651{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2652 int ret;
2653 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2654
2655 SSL_DEBUG_MSG( 2, ( "=> write" ) );
2656
2657 if( ssl->state != SSL_HANDSHAKE_OVER )
2658 {
2659 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2660 {
2661 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2662 return( ret );
2663 }
2664 }
2665
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2666 n = ( len < SSL_MAX_CONTENT_LEN )
2667 ? len : SSL_MAX_CONTENT_LEN;
2668
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2669 if( ssl->out_left != 0 )
2670 {
2671 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2672 {
2673 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2674 return( ret );
2675 }
2676 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2677 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]2678 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2679 ssl->out_msglen = n;
2680 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
2681 memcpy( ssl->out_msg, buf, n );
2682
2683 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2684 {
2685 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2686 return( ret );
2687 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2688 }
2689
2690 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2691
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2692 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2693}
2694
2695/*
2696 * Notify the peer that the connection is being closed
2697 */
2698int ssl_close_notify( ssl_context *ssl )
2699{
2700 int ret;
2701
2702 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
2703
2704 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2705 {
2706 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2707 return( ret );
2708 }
2709
2710 if( ssl->state == SSL_HANDSHAKE_OVER )
2711 {
2712 ssl->out_msgtype = SSL_MSG_ALERT;
2713 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2714 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2715 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2716
2717 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2718 {
2719 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2720 return( ret );
2721 }
2722 }
2723
2724 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2725
2726 return( ret );
2727}
2728
2729/*
2730 * Free an SSL context
2731 */
2732void ssl_free( ssl_context *ssl )
2733{
2734 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2735
2736 if( ssl->peer_cert != NULL )
2737 {
2738 x509_free( ssl->peer_cert );
2739 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2740 free( ssl->peer_cert );
2741 }
2742
2743 if( ssl->out_ctr != NULL )
2744 {
2745 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2746 free( ssl->out_ctr );
2747 }
2748
2749 if( ssl->in_ctr != NULL )
2750 {
2751 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2752 free( ssl->in_ctr );
2753 }
2754
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2755#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2756 dhm_free( &ssl->dhm_ctx );
2757#endif
2758
2759 if ( ssl->hostname != NULL)
2760 {
2761 memset( ssl->hostname, 0, ssl->hostname_len );
2762 free( ssl->hostname );
2763 ssl->hostname_len = 0;
2764 }
2765
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2766 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2767
2768 /* Actually free after last debug message */
2769 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2770}
2771
2772#endif