TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 186751d9dd28082d4b19e69a2c15fd432d366133 / . / library / ssl_tls.c
blob: fab20046adea419c5e108ff11ceedeea48b993f5 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]46#if defined(POLARSSL_GCM_C)
47#include "polarssl/gcm.h"
48#endif
49
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50#include <stdlib.h>
51#include <time.h>
52
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]53#if defined _MSC_VER && !defined strcasecmp
54#define strcasecmp _stricmp
55#endif
56
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]57#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58int (*ssl_hw_record_init)(ssl_context *ssl,
59 const unsigned char *key_enc, const unsigned char *key_dec,
60 const unsigned char *iv_enc, const unsigned char *iv_dec,
61 const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
62int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
63int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
64int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
65int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
66#endif
67
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68/*
69 * Key material generation
70 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]71static int tls1_prf( unsigned char *secret, size_t slen, char *label,
72 unsigned char *random, size_t rlen,
73 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]74{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]75 size_t nb, hs;
76 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77 unsigned char *S1, *S2;
78 unsigned char tmp[128];
79 unsigned char h_i[20];
80
81 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]82 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]83
84 hs = ( slen + 1 ) / 2;
85 S1 = secret;
86 S2 = secret + slen - hs;
87
88 nb = strlen( label );
89 memcpy( tmp + 20, label, nb );
90 memcpy( tmp + 20 + nb, random, rlen );
91 nb += rlen;
92
93 /*
94 * First compute P_md5(secret,label+random)[0..dlen]
95 */
96 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
97
98 for( i = 0; i < dlen; i += 16 )
99 {
100 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
101 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
102
103 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
104
105 for( j = 0; j < k; j++ )
106 dstbuf[i + j] = h_i[j];
107 }
108
109 /*
110 * XOR out with P_sha1(secret,label+random)[0..dlen]
111 */
112 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
113
114 for( i = 0; i < dlen; i += 20 )
115 {
116 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
117 sha1_hmac( S2, hs, tmp, 20, tmp );
118
119 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
120
121 for( j = 0; j < k; j++ )
122 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
123 }
124
125 memset( tmp, 0, sizeof( tmp ) );
126 memset( h_i, 0, sizeof( h_i ) );
127
128 return( 0 );
129}
130
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]131static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
132 unsigned char *random, size_t rlen,
133 unsigned char *dstbuf, size_t dlen )
134{
135 size_t nb;
136 size_t i, j, k;
137 unsigned char tmp[128];
138 unsigned char h_i[32];
139
140 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
141 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
142
143 nb = strlen( label );
144 memcpy( tmp + 32, label, nb );
145 memcpy( tmp + 32 + nb, random, rlen );
146 nb += rlen;
147
148 /*
149 * Compute P_<hash>(secret, label + random)[0..dlen]
150 */
151 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
152
153 for( i = 0; i < dlen; i += 32 )
154 {
155 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
156 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
157
158 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
159
160 for( j = 0; j < k; j++ )
161 dstbuf[i + j] = h_i[j];
162 }
163
164 memset( tmp, 0, sizeof( tmp ) );
165 memset( h_i, 0, sizeof( h_i ) );
166
167 return( 0 );
168}
169
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]170static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
171 unsigned char *random, size_t rlen,
172 unsigned char *dstbuf, size_t dlen )
173{
174 size_t nb;
175 size_t i, j, k;
176 unsigned char tmp[128];
177 unsigned char h_i[48];
178
179 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
180 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
181
182 nb = strlen( label );
183 memcpy( tmp + 48, label, nb );
184 memcpy( tmp + 48 + nb, random, rlen );
185 nb += rlen;
186
187 /*
188 * Compute P_<hash>(secret, label + random)[0..dlen]
189 */
190 sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
191
192 for( i = 0; i < dlen; i += 48 )
193 {
194 sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
195 sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
196
197 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
198
199 for( j = 0; j < k; j++ )
200 dstbuf[i + j] = h_i[j];
201 }
202
203 memset( tmp, 0, sizeof( tmp ) );
204 memset( h_i, 0, sizeof( h_i ) );
205
206 return( 0 );
207}
208
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]209static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
210static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
211static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
212static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
213
214static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
215static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
216static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
217static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
218
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]219static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
220static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
221static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
222static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224int ssl_derive_keys( ssl_context *ssl )
225{
226 int i;
227 md5_context md5;
228 sha1_context sha1;
229 unsigned char tmp[64];
230 unsigned char padding[16];
231 unsigned char sha1sum[20];
232 unsigned char keyblk[256];
233 unsigned char *key1;
234 unsigned char *key2;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]235 unsigned int iv_copy_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236
237 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
238
239 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]240 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]241 */
242 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]243 {
244 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]245 ssl->calc_verify = ssl_calc_verify_ssl;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]246 ssl->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]247 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]248 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]249 {
250 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]251 ssl->calc_verify = ssl_calc_verify_tls;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]252 ssl->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]253 }
254 else if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
255 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
256 {
257 ssl->tls_prf = tls_prf_sha384;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]258 ssl->calc_verify = ssl_calc_verify_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]259 ssl->calc_finished = ssl_calc_finished_tls_sha384;
260 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]261 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]262 {
263 ssl->tls_prf = tls_prf_sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]264 ssl->calc_verify = ssl_calc_verify_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]265 ssl->calc_finished = ssl_calc_finished_tls_sha256;
266 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]267
268 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]269 * SSLv3:
270 * master =
271 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
272 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
273 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
274 *
275 * TLSv1:
276 * master = PRF( premaster, "master secret", randbytes )[0..47]
277 */
278 if( ssl->resume == 0 )
279 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]280 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281
282 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
283
284 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
285 {
286 for( i = 0; i < 3; i++ )
287 {
288 memset( padding, 'A' + i, 1 + i );
289
290 sha1_starts( &sha1 );
291 sha1_update( &sha1, padding, 1 + i );
292 sha1_update( &sha1, ssl->premaster, len );
293 sha1_update( &sha1, ssl->randbytes, 64 );
294 sha1_finish( &sha1, sha1sum );
295
296 md5_starts( &md5 );
297 md5_update( &md5, ssl->premaster, len );
298 md5_update( &md5, sha1sum, 20 );
299 md5_finish( &md5, ssl->session->master + i * 16 );
300 }
301 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]302 else
303 ssl->tls_prf( ssl->premaster, len, "master secret",
304 ssl->randbytes, 64, ssl->session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]305
306 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
307 }
308 else
309 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
310
311 /*
312 * Swap the client and server random values.
313 */
314 memcpy( tmp, ssl->randbytes, 64 );
315 memcpy( ssl->randbytes, tmp + 32, 32 );
316 memcpy( ssl->randbytes + 32, tmp, 32 );
317 memset( tmp, 0, sizeof( tmp ) );
318
319 /*
320 * SSLv3:
321 * key block =
322 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
323 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
324 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
325 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
326 * ...
327 *
328 * TLSv1:
329 * key block = PRF( master, "key expansion", randbytes )
330 */
331 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
332 {
333 for( i = 0; i < 16; i++ )
334 {
335 memset( padding, 'A' + i, 1 + i );
336
337 sha1_starts( &sha1 );
338 sha1_update( &sha1, padding, 1 + i );
339 sha1_update( &sha1, ssl->session->master, 48 );
340 sha1_update( &sha1, ssl->randbytes, 64 );
341 sha1_finish( &sha1, sha1sum );
342
343 md5_starts( &md5 );
344 md5_update( &md5, ssl->session->master, 48 );
345 md5_update( &md5, sha1sum, 20 );
346 md5_finish( &md5, keyblk + i * 16 );
347 }
348
349 memset( &md5, 0, sizeof( md5 ) );
350 memset( &sha1, 0, sizeof( sha1 ) );
351
352 memset( padding, 0, sizeof( padding ) );
353 memset( sha1sum, 0, sizeof( sha1sum ) );
354 }
355 else
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]356 ssl->tls_prf( ssl->session->master, 48, "key expansion",
357 ssl->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]359 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
361 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
362 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
363
364 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
365
366 /*
367 * Determine the appropriate key, IV and MAC length.
368 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]369 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]370 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]371#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]372 case SSL_RSA_RC4_128_MD5:
373 ssl->keylen = 16; ssl->minlen = 16;
374 ssl->ivlen = 0; ssl->maclen = 16;
375 break;
376
377 case SSL_RSA_RC4_128_SHA:
378 ssl->keylen = 16; ssl->minlen = 20;
379 ssl->ivlen = 0; ssl->maclen = 20;
380 break;
381#endif
382
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]383#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384 case SSL_RSA_DES_168_SHA:
385 case SSL_EDH_RSA_DES_168_SHA:
386 ssl->keylen = 24; ssl->minlen = 24;
387 ssl->ivlen = 8; ssl->maclen = 20;
388 break;
389#endif
390
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]391#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]393 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394 ssl->keylen = 16; ssl->minlen = 32;
395 ssl->ivlen = 16; ssl->maclen = 20;
396 break;
397
398 case SSL_RSA_AES_256_SHA:
399 case SSL_EDH_RSA_AES_256_SHA:
400 ssl->keylen = 32; ssl->minlen = 32;
401 ssl->ivlen = 16; ssl->maclen = 20;
402 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]403
404#if defined(POLARSSL_SHA2_C)
405 case SSL_RSA_AES_128_SHA256:
406 case SSL_EDH_RSA_AES_128_SHA256:
407 ssl->keylen = 16; ssl->minlen = 32;
408 ssl->ivlen = 16; ssl->maclen = 32;
409 break;
410
411 case SSL_RSA_AES_256_SHA256:
412 case SSL_EDH_RSA_AES_256_SHA256:
413 ssl->keylen = 32; ssl->minlen = 32;
414 ssl->ivlen = 16; ssl->maclen = 32;
415 break;
416#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]417#if defined(POLARSSL_GCM_C)
418 case SSL_RSA_AES_128_GCM_SHA256:
419 case SSL_EDH_RSA_AES_128_GCM_SHA256:
420 ssl->keylen = 16; ssl->minlen = 1;
421 ssl->ivlen = 12; ssl->maclen = 0;
422 ssl->fixed_ivlen = 4;
423 break;
424
425 case SSL_RSA_AES_256_GCM_SHA384:
426 case SSL_EDH_RSA_AES_256_GCM_SHA384:
427 ssl->keylen = 32; ssl->minlen = 1;
428 ssl->ivlen = 12; ssl->maclen = 0;
429 ssl->fixed_ivlen = 4;
430 break;
431#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]432#endif
433
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]434#if defined(POLARSSL_CAMELLIA_C)
435 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]436 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]437 ssl->keylen = 16; ssl->minlen = 32;
438 ssl->ivlen = 16; ssl->maclen = 20;
439 break;
440
441 case SSL_RSA_CAMELLIA_256_SHA:
442 case SSL_EDH_RSA_CAMELLIA_256_SHA:
443 ssl->keylen = 32; ssl->minlen = 32;
444 ssl->ivlen = 16; ssl->maclen = 20;
445 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]446
447#if defined(POLARSSL_SHA2_C)
448 case SSL_RSA_CAMELLIA_128_SHA256:
449 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
450 ssl->keylen = 16; ssl->minlen = 32;
451 ssl->ivlen = 16; ssl->maclen = 32;
452 break;
453
454 case SSL_RSA_CAMELLIA_256_SHA256:
455 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
456 ssl->keylen = 32; ssl->minlen = 32;
457 ssl->ivlen = 16; ssl->maclen = 32;
458 break;
459#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]460#endif
461
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]462#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
463#if defined(POLARSSL_CIPHER_NULL_CIPHER)
464 case SSL_RSA_NULL_MD5:
465 ssl->keylen = 0; ssl->minlen = 0;
466 ssl->ivlen = 0; ssl->maclen = 16;
467 break;
468
469 case SSL_RSA_NULL_SHA:
470 ssl->keylen = 0; ssl->minlen = 0;
471 ssl->ivlen = 0; ssl->maclen = 20;
472 break;
473
474 case SSL_RSA_NULL_SHA256:
475 ssl->keylen = 0; ssl->minlen = 0;
476 ssl->ivlen = 0; ssl->maclen = 32;
477 break;
478#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
479
480#if defined(POLARSSL_DES_C)
481 case SSL_RSA_DES_SHA:
482 case SSL_EDH_RSA_DES_SHA:
483 ssl->keylen = 8; ssl->minlen = 8;
484 ssl->ivlen = 8; ssl->maclen = 20;
485 break;
486#endif
487#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
488
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]490 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
491 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]492 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493 }
494
495 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
496 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
497
498 /*
499 * Finally setup the cipher contexts, IVs and MAC secrets.
500 */
501 if( ssl->endpoint == SSL_IS_CLIENT )
502 {
503 key1 = keyblk + ssl->maclen * 2;
504 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
505
506 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
507 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
508
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]509 /*
510 * This is not used in TLS v1.1.
511 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]512 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
513 memcpy( ssl->iv_enc, key2 + ssl->keylen, iv_copy_len );
514 memcpy( ssl->iv_dec, key2 + ssl->keylen + iv_copy_len,
515 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516 }
517 else
518 {
519 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
520 key2 = keyblk + ssl->maclen * 2;
521
522 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
523 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
524
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]525 /*
526 * This is not used in TLS v1.1.
527 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]528 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
529 memcpy( ssl->iv_dec, key1 + ssl->keylen, iv_copy_len );
530 memcpy( ssl->iv_enc, key1 + ssl->keylen + iv_copy_len,
531 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]532 }
533
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]534#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
535 if( ssl_hw_record_init != NULL)
536 {
537 int ret = 0;
538
539 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
540
541 if( ( ret = ssl_hw_record_init( ssl, key1, key2, ssl->iv_enc,
542 ssl->iv_dec, ssl->mac_enc,
543 ssl->mac_dec ) ) != 0 )
544 {
545 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
546 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
547 }
548 }
549#endif
550
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]551 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]553#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554 case SSL_RSA_RC4_128_MD5:
555 case SSL_RSA_RC4_128_SHA:
556 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
557 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
558 break;
559#endif
560
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]561#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562 case SSL_RSA_DES_168_SHA:
563 case SSL_EDH_RSA_DES_168_SHA:
564 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
565 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
566 break;
567#endif
568
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]569#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]571 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]572 case SSL_RSA_AES_128_SHA256:
573 case SSL_EDH_RSA_AES_128_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
575 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
576 break;
577
578 case SSL_RSA_AES_256_SHA:
579 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]580 case SSL_RSA_AES_256_SHA256:
581 case SSL_EDH_RSA_AES_256_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
583 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
584 break;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]585
586#if defined(POLARSSL_GCM_C)
587 case SSL_RSA_AES_128_GCM_SHA256:
588 case SSL_EDH_RSA_AES_128_GCM_SHA256:
589 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 128 );
590 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 128 );
591 break;
592
593 case SSL_RSA_AES_256_GCM_SHA384:
594 case SSL_EDH_RSA_AES_256_GCM_SHA384:
595 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 256 );
596 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 256 );
597 break;
598#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599#endif
600
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]601#if defined(POLARSSL_CAMELLIA_C)
602 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]603 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]604 case SSL_RSA_CAMELLIA_128_SHA256:
605 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]606 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
607 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
608 break;
609
610 case SSL_RSA_CAMELLIA_256_SHA:
611 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]612 case SSL_RSA_CAMELLIA_256_SHA256:
613 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]614 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
615 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
616 break;
617#endif
618
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]619#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
620#if defined(POLARSSL_CIPHER_NULL_CIPHER)
621 case SSL_RSA_NULL_MD5:
622 case SSL_RSA_NULL_SHA:
623 case SSL_RSA_NULL_SHA256:
624 break;
625#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
626
627#if defined(POLARSSL_DES_C)
628 case SSL_RSA_DES_SHA:
629 case SSL_EDH_RSA_DES_SHA:
630 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
631 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
632 break;
633#endif
634#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
635
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]637 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]638 }
639
640 memset( keyblk, 0, sizeof( keyblk ) );
641
642 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
643
644 return( 0 );
645}
646
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]647void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648{
649 md5_context md5;
650 sha1_context sha1;
651 unsigned char pad_1[48];
652 unsigned char pad_2[48];
653
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]654 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]656 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
657 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
658 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]660 memset( pad_1, 0x36, 48 );
661 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]663 md5_update( &md5, ssl->session->master, 48 );
664 md5_update( &md5, pad_1, 48 );
665 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]667 md5_starts( &md5 );
668 md5_update( &md5, ssl->session->master, 48 );
669 md5_update( &md5, pad_2, 48 );
670 md5_update( &md5, hash, 16 );
671 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]673 sha1_update( &sha1, ssl->session->master, 48 );
674 sha1_update( &sha1, pad_1, 40 );
675 sha1_finish( &sha1, hash + 16 );
676
677 sha1_starts( &sha1 );
678 sha1_update( &sha1, ssl->session->master, 48 );
679 sha1_update( &sha1, pad_2, 40 );
680 sha1_update( &sha1, hash + 16, 20 );
681 sha1_finish( &sha1, hash + 16 );
682
683 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
684 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
685
686 return;
687}
688
689void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
690{
691 md5_context md5;
692 sha1_context sha1;
693
694 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
695
696 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
697 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
698 sizeof( sha1_context ) );
699
700 md5_finish( &md5, hash );
701 sha1_finish( &sha1, hash + 16 );
702
703 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
704 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
705
706 return;
707}
708
709void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
710{
711 sha2_context sha2;
712
713 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
714
715 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
716 sha2_finish( &sha2, hash );
717
718 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
719 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
720
721 return;
722}
723
724void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
725{
726 sha4_context sha4;
727
728 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
729
730 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
731 sha4_finish( &sha4, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]733 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
735
736 return;
737}
738
739/*
740 * SSLv3.0 MAC functions
741 */
742static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]743 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]744 unsigned char *ctr, int type )
745{
746 unsigned char header[11];
747 unsigned char padding[48];
748 md5_context md5;
749
750 memcpy( header, ctr, 8 );
751 header[ 8] = (unsigned char) type;
752 header[ 9] = (unsigned char)( len >> 8 );
753 header[10] = (unsigned char)( len );
754
755 memset( padding, 0x36, 48 );
756 md5_starts( &md5 );
757 md5_update( &md5, secret, 16 );
758 md5_update( &md5, padding, 48 );
759 md5_update( &md5, header, 11 );
760 md5_update( &md5, buf, len );
761 md5_finish( &md5, buf + len );
762
763 memset( padding, 0x5C, 48 );
764 md5_starts( &md5 );
765 md5_update( &md5, secret, 16 );
766 md5_update( &md5, padding, 48 );
767 md5_update( &md5, buf + len, 16 );
768 md5_finish( &md5, buf + len );
769}
770
771static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]772 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 unsigned char *ctr, int type )
774{
775 unsigned char header[11];
776 unsigned char padding[40];
777 sha1_context sha1;
778
779 memcpy( header, ctr, 8 );
780 header[ 8] = (unsigned char) type;
781 header[ 9] = (unsigned char)( len >> 8 );
782 header[10] = (unsigned char)( len );
783
784 memset( padding, 0x36, 40 );
785 sha1_starts( &sha1 );
786 sha1_update( &sha1, secret, 20 );
787 sha1_update( &sha1, padding, 40 );
788 sha1_update( &sha1, header, 11 );
789 sha1_update( &sha1, buf, len );
790 sha1_finish( &sha1, buf + len );
791
792 memset( padding, 0x5C, 40 );
793 sha1_starts( &sha1 );
794 sha1_update( &sha1, secret, 20 );
795 sha1_update( &sha1, padding, 40 );
796 sha1_update( &sha1, buf + len, 20 );
797 sha1_finish( &sha1, buf + len );
798}
799
800/*
801 * Encryption/decryption functions
802 */
803static int ssl_encrypt_buf( ssl_context *ssl )
804{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]805 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806
807 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
808
809 /*
810 * Add MAC then encrypt
811 */
812 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
813 {
814 if( ssl->maclen == 16 )
815 ssl_mac_md5( ssl->mac_enc,
816 ssl->out_msg, ssl->out_msglen,
817 ssl->out_ctr, ssl->out_msgtype );
818
819 if( ssl->maclen == 20 )
820 ssl_mac_sha1( ssl->mac_enc,
821 ssl->out_msg, ssl->out_msglen,
822 ssl->out_ctr, ssl->out_msgtype );
823 }
824 else
825 {
826 if( ssl->maclen == 16 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame^]827 {
828 md5_context ctx;
829 md5_hmac_starts( &ctx, ssl->mac_enc, 16 );
830 md5_hmac_update( &ctx, ssl->out_ctr, 13 );
831 md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
832 md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
833 memset( &ctx, 0, sizeof(md5_context));
834 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835
836 if( ssl->maclen == 20 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame^]837 {
838 sha1_context ctx;
839 sha1_hmac_starts( &ctx, ssl->mac_enc, 20 );
840 sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
841 sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
842 sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
843 memset( &ctx, 0, sizeof(sha1_context));
844 }
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]845
846 if( ssl->maclen == 32 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame^]847 {
848 sha2_context ctx;
849 sha2_hmac_starts( &ctx, ssl->mac_enc, 32, 0 );
850 sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
851 sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
852 sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
853 memset( &ctx, 0, sizeof(sha2_context));
854 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]855 }
856
857 SSL_DEBUG_BUF( 4, "computed mac",
858 ssl->out_msg + ssl->out_msglen, ssl->maclen );
859
860 ssl->out_msglen += ssl->maclen;
861
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862 if( ssl->ivlen == 0 )
863 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864 padlen = 0;
865
866 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
867 "including %d bytes of padding",
868 ssl->out_msglen, 0 ) );
869
870 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
871 ssl->out_msg, ssl->out_msglen );
872
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]873#if defined(POLARSSL_ARC4_C)
874 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
875 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
876 {
877 arc4_crypt( (arc4_context *) ssl->ctx_enc,
878 ssl->out_msglen, ssl->out_msg,
879 ssl->out_msg );
880 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]881#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]882#if defined(POLARSSL_CIPHER_NULL_CIPHER)
883 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
884 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
885 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
886 {
887 } else
888#endif
889 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]890 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]891 else if( ssl->ivlen == 12 )
892 {
893 size_t enc_msglen;
894 unsigned char *enc_msg;
895 unsigned char add_data[13];
896 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
897
898 padlen = 0;
899 enc_msglen = ssl->out_msglen;
900
901 memcpy( add_data, ssl->out_ctr, 8 );
902 add_data[8] = ssl->out_msgtype;
903 add_data[9] = ssl->major_ver;
904 add_data[10] = ssl->minor_ver;
905 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
906 add_data[12] = ssl->out_msglen & 0xFF;
907
908 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
909 add_data, 13 );
910
911#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
912
913 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
914 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
915 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
916 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
917 {
918 /*
919 * Generate IV
920 */
921 ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc + ssl->fixed_ivlen,
922 ssl->ivlen - ssl->fixed_ivlen );
923 if( ret != 0 )
924 return( ret );
925
926 /*
927 * Shift message for ivlen bytes and prepend IV
928 */
929 memmove( ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen,
930 ssl->out_msg, ssl->out_msglen );
931 memcpy( ssl->out_msg, ssl->iv_enc + ssl->fixed_ivlen,
932 ssl->ivlen - ssl->fixed_ivlen );
933
934 /*
935 * Fix pointer positions and message length with added IV
936 */
937 enc_msg = ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen;
938 enc_msglen = ssl->out_msglen;
939 ssl->out_msglen += ssl->ivlen - ssl->fixed_ivlen;
940
941 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
942 "including %d bytes of padding",
943 ssl->out_msglen, 0 ) );
944
945 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
946 ssl->out_msg, ssl->out_msglen );
947
948 /*
949 * Adjust for tag
950 */
951 ssl->out_msglen += 16;
952
953 gcm_crypt_and_tag( (gcm_context *) ssl->ctx_enc,
954 GCM_ENCRYPT, enc_msglen,
955 ssl->iv_enc, ssl->ivlen,
956 add_data, 13,
957 enc_msg, enc_msg,
958 16, enc_msg + enc_msglen );
959
960 SSL_DEBUG_BUF( 4, "after encrypt: tag",
961 enc_msg + enc_msglen, 16 );
962
963 } else
964#endif
965 return( ret );
966 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]967 else
968 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]969 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]970 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]971
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]972 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
973 if( padlen == ssl->ivlen )
974 padlen = 0;
975
976 for( i = 0; i <= padlen; i++ )
977 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
978
979 ssl->out_msglen += padlen + 1;
980
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]981 enc_msglen = ssl->out_msglen;
982 enc_msg = ssl->out_msg;
983
984 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]985 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
986 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]987 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]988 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]989 {
990 /*
991 * Generate IV
992 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]993 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
994 if( ret != 0 )
995 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]996
997 /*
998 * Shift message for ivlen bytes and prepend IV
999 */
1000 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
1001 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
1002
1003 /*
1004 * Fix pointer positions and message length with added IV
1005 */
1006 enc_msg = ssl->out_msg + ssl->ivlen;
1007 enc_msglen = ssl->out_msglen;
1008 ssl->out_msglen += ssl->ivlen;
1009 }
1010
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1012 "including %d bytes of IV and %d bytes of padding",
1013 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014
1015 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1016 ssl->out_msg, ssl->out_msglen );
1017
1018 switch( ssl->ivlen )
1019 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1020#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1021 case 8:
1022#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1023 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1024 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1025 {
1026 des_crypt_cbc( (des_context *) ssl->ctx_enc,
1027 DES_ENCRYPT, enc_msglen,
1028 ssl->iv_enc, enc_msg, enc_msg );
1029 }
1030 else
1031#endif
1032 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
1033 DES_ENCRYPT, enc_msglen,
1034 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035 break;
1036#endif
1037
1038 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1039#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1040 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1041 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1042 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1043 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1044 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1045 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1046 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1047 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1048 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1049 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1050 AES_ENCRYPT, enc_msglen,
1051 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1052 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1053 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1054#endif
1055
1056#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1057 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1058 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1059 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1060 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1061 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1062 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1063 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1064 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1065 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1066 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1067 CAMELLIA_ENCRYPT, enc_msglen,
1068 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1069 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1070 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1071#endif
1072
1073 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1074 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075 }
1076 }
1077
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1078 for( i = 8; i > 0; i-- )
1079 if( ++ssl->out_ctr[i - 1] != 0 )
1080 break;
1081
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1083
1084 return( 0 );
1085}
1086
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1087/*
1088 * TODO: Use digest version when integrated!
1089 */
1090#define POLARSSL_SSL_MAX_MAC_SIZE 32
1091
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1092static int ssl_decrypt_buf( ssl_context *ssl )
1093{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1094 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1095 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1096
1097 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1098
1099 if( ssl->in_msglen < ssl->minlen )
1100 {
1101 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1102 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1103 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104 }
1105
1106 if( ssl->ivlen == 0 )
1107 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1108#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1110 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
1111 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
1112 {
1113 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]1114 ssl->in_msglen, ssl->in_msg,
1115 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1116 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1117#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1118#if defined(POLARSSL_CIPHER_NULL_CIPHER)
1119 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
1120 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
1121 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
1122 {
1123 } else
1124#endif
1125 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1126 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1127 else if( ssl->ivlen == 12 )
1128 {
1129 unsigned char *dec_msg;
1130 unsigned char *dec_msg_result;
1131 size_t dec_msglen;
1132 unsigned char add_data[13];
1133 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1134
1135 padlen = 0;
1136
1137#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1138 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
1139 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
1140 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
1141 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
1142 {
1143 dec_msglen = ssl->in_msglen - ( ssl->ivlen - ssl->fixed_ivlen );
1144 dec_msglen -= 16;
1145 dec_msg = ssl->in_msg + ( ssl->ivlen - ssl->fixed_ivlen );
1146 dec_msg_result = ssl->in_msg;
1147 ssl->in_msglen = dec_msglen;
1148
1149 memcpy( add_data, ssl->in_ctr, 8 );
1150 add_data[8] = ssl->in_msgtype;
1151 add_data[9] = ssl->major_ver;
1152 add_data[10] = ssl->minor_ver;
1153 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1154 add_data[12] = ssl->in_msglen & 0xFF;
1155
1156 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1157 add_data, 13 );
1158
1159 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1160 ssl->ivlen - ssl->fixed_ivlen );
1161
1162 SSL_DEBUG_BUF( 4, "IV used", ssl->iv_dec, ssl->ivlen );
1163 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1164
1165 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1166 ssl->ivlen - ssl->fixed_ivlen );
1167
1168 ret = gcm_auth_decrypt( (gcm_context *) ssl->ctx_dec,
1169 dec_msglen,
1170 ssl->iv_dec, ssl->ivlen,
1171 add_data, 13,
1172 dec_msg + dec_msglen, 16,
1173 dec_msg, dec_msg_result );
1174
1175 if( ret != 0 )
1176 {
1177 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1178 -ret ) );
1179
1180 return( POLARSSL_ERR_SSL_INVALID_MAC );
1181 }
1182 } else
1183#endif
1184 return( ret );
1185 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1186 else
1187 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1188 unsigned char *dec_msg;
1189 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1190 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1191
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1192 /*
1193 * Decrypt and check the padding
1194 */
1195 if( ssl->in_msglen % ssl->ivlen != 0 )
1196 {
1197 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1198 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1199 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1200 }
1201
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1202 dec_msglen = ssl->in_msglen;
1203 dec_msg = ssl->in_msg;
1204 dec_msg_result = ssl->in_msg;
1205
1206 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1207 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1208 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1209 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1210 {
1211 dec_msg += ssl->ivlen;
1212 dec_msglen -= ssl->ivlen;
1213 ssl->in_msglen -= ssl->ivlen;
1214
1215 for( i = 0; i < ssl->ivlen; i++ )
1216 ssl->iv_dec[i] = ssl->in_msg[i];
1217 }
1218
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1219 switch( ssl->ivlen )
1220 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1221#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1222 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1223#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1224 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1225 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1226 {
1227 des_crypt_cbc( (des_context *) ssl->ctx_dec,
1228 DES_DECRYPT, dec_msglen,
1229 ssl->iv_dec, dec_msg, dec_msg_result );
1230 }
1231 else
1232#endif
1233 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
1234 DES_DECRYPT, dec_msglen,
1235 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1236 break;
1237#endif
1238
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1239 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1240#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1241 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1242 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1243 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1244 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1245 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1246 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1247 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1248 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1249 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1250 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1251 AES_DECRYPT, dec_msglen,
1252 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1253 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1254 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1255#endif
1256
1257#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1258 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1259 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1260 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1261 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1262 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1263 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1264 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1265 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1266 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1267 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1268 CAMELLIA_DECRYPT, dec_msglen,
1269 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1270 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1271 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272#endif
1273
1274 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1275 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1276 }
1277
1278 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1279
1280 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1281 {
1282 if( padlen > ssl->ivlen )
1283 {
1284 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1285 "should be no more than %d",
1286 padlen, ssl->ivlen ) );
1287 padlen = 0;
1288 }
1289 }
1290 else
1291 {
1292 /*
1293 * TLSv1: always check the padding
1294 */
1295 for( i = 1; i <= padlen; i++ )
1296 {
1297 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1298 {
1299 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
1300 "%02x, but is %02x", padlen - 1,
1301 ssl->in_msg[ssl->in_msglen - i] ) );
1302 padlen = 0;
1303 }
1304 }
1305 }
1306 }
1307
1308 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1309 ssl->in_msg, ssl->in_msglen );
1310
1311 /*
1312 * Always compute the MAC (RFC4346, CBCTIME).
1313 */
Paul Bakkerf34cf852012-04-10 07:48:40 +0000[diff] [blame]1314 if( ssl->in_msglen < ssl->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1315 {
1316 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1317 ssl->in_msglen, ssl->maclen, padlen ) );
1318 return( POLARSSL_ERR_SSL_INVALID_MAC );
1319 }
1320
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321 ssl->in_msglen -= ( ssl->maclen + padlen );
1322
1323 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1324 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1325
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1326 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327
1328 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1329 {
1330 if( ssl->maclen == 16 )
1331 ssl_mac_md5( ssl->mac_dec,
1332 ssl->in_msg, ssl->in_msglen,
1333 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1334 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1335 ssl_mac_sha1( ssl->mac_dec,
1336 ssl->in_msg, ssl->in_msglen,
1337 ssl->in_ctr, ssl->in_msgtype );
1338 }
1339 else
1340 {
1341 if( ssl->maclen == 16 )
1342 md5_hmac( ssl->mac_dec, 16,
1343 ssl->in_ctr, ssl->in_msglen + 13,
1344 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1345 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346 sha1_hmac( ssl->mac_dec, 20,
1347 ssl->in_ctr, ssl->in_msglen + 13,
1348 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1349 else if( ssl->maclen == 32 )
1350 sha2_hmac( ssl->mac_dec, 32,
1351 ssl->in_ctr, ssl->in_msglen + 13,
1352 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1353 }
1354
1355 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
1356 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1357 ssl->maclen );
1358
1359 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1360 ssl->maclen ) != 0 )
1361 {
1362 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1363 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1364 }
1365
1366 /*
1367 * Finally check the padding length; bad padding
1368 * will produce the same error as an invalid MAC.
1369 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1370 if( ssl->ivlen != 0 && ssl->ivlen != 12 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1371 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1372
1373 if( ssl->in_msglen == 0 )
1374 {
1375 ssl->nb_zero++;
1376
1377 /*
1378 * Three or more empty messages may be a DoS attack
1379 * (excessive CPU consumption).
1380 */
1381 if( ssl->nb_zero > 3 )
1382 {
1383 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1384 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1385 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1386 }
1387 }
1388 else
1389 ssl->nb_zero = 0;
1390
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1391 for( i = 8; i > 0; i-- )
1392 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1393 break;
1394
1395 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1396
1397 return( 0 );
1398}
1399
1400/*
1401 * Fill the input message buffer
1402 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1403int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1404{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1405 int ret;
1406 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1407
1408 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1409
1410 while( ssl->in_left < nb_want )
1411 {
1412 len = nb_want - ssl->in_left;
1413 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1414
1415 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1416 ssl->in_left, nb_want ) );
1417 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1418
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1419 if( ret == 0 )
1420 return( POLARSSL_ERR_SSL_CONN_EOF );
1421
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1422 if( ret < 0 )
1423 return( ret );
1424
1425 ssl->in_left += ret;
1426 }
1427
1428 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1429
1430 return( 0 );
1431}
1432
1433/*
1434 * Flush any data not yet written
1435 */
1436int ssl_flush_output( ssl_context *ssl )
1437{
1438 int ret;
1439 unsigned char *buf;
1440
1441 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1442
1443 while( ssl->out_left > 0 )
1444 {
1445 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1446 5 + ssl->out_msglen, ssl->out_left ) );
1447
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame^]1448 if( ssl->out_msglen < ssl->out_left )
1449 {
1450 size_t header_left = ssl->out_left - ssl->out_msglen;
1451
1452 buf = ssl->out_hdr + 5 - header_left;
1453 ret = ssl->f_send( ssl->p_send, buf, header_left );
1454
1455 SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1456
1457 if( ret <= 0 )
1458 return( ret );
1459
1460 ssl->out_left -= ret;
1461 }
1462
1463 buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1464 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame^]1465
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1466 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1467
1468 if( ret <= 0 )
1469 return( ret );
1470
1471 ssl->out_left -= ret;
1472 }
1473
1474 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1475
1476 return( 0 );
1477}
1478
1479/*
1480 * Record layer functions
1481 */
1482int ssl_write_record( ssl_context *ssl )
1483{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1484 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1485 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1486
1487 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1488
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1489 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1490 {
1491 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1492 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1493 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1494
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1495 ssl->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1496 }
1497
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1498#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1499 if( ssl_hw_record_write != NULL)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500 {
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1501 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1502
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1503 ret = ssl_hw_record_write( ssl );
1504 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1505 {
1506 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1507 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1508 }
1509 done = 1;
1510 }
1511#endif
1512 if( !done )
1513 {
1514 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1515 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1516 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1517 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1518 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1519
1520 if( ssl->do_crypt != 0 )
1521 {
1522 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1523 {
1524 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1525 return( ret );
1526 }
1527
1528 len = ssl->out_msglen;
1529 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1530 ssl->out_hdr[4] = (unsigned char)( len );
1531 }
1532
1533 ssl->out_left = 5 + ssl->out_msglen;
1534
1535 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1536 "version = [%d:%d], msglen = %d",
1537 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1538 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1539
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame^]1540 SSL_DEBUG_BUF( 4, "output record header sent to network",
1541 ssl->out_hdr, 5 );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1542 SSL_DEBUG_BUF( 4, "output record sent to network",
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame^]1543 ssl->out_hdr + 32, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544 }
1545
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1546 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1547 {
1548 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1549 return( ret );
1550 }
1551
1552 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1553
1554 return( 0 );
1555}
1556
1557int ssl_read_record( ssl_context *ssl )
1558{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1559 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1560
1561 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1562
1563 if( ssl->in_hslen != 0 &&
1564 ssl->in_hslen < ssl->in_msglen )
1565 {
1566 /*
1567 * Get next Handshake message in the current record
1568 */
1569 ssl->in_msglen -= ssl->in_hslen;
1570
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1571 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1572 ssl->in_msglen );
1573
1574 ssl->in_hslen = 4;
1575 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1576
1577 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1578 " %d, type = %d, hslen = %d",
1579 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1580
1581 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1582 {
1583 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1584 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1585 }
1586
1587 if( ssl->in_msglen < ssl->in_hslen )
1588 {
1589 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1590 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1591 }
1592
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1593 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1594
1595 return( 0 );
1596 }
1597
1598 ssl->in_hslen = 0;
1599
1600 /*
1601 * Read the record header and validate it
1602 */
1603 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1604 {
1605 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1606 return( ret );
1607 }
1608
1609 ssl->in_msgtype = ssl->in_hdr[0];
1610 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1611
1612 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1613 "version = [%d:%d], msglen = %d",
1614 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1615 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1616
1617 if( ssl->in_hdr[1] != ssl->major_ver )
1618 {
1619 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1620 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1621 }
1622
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1623 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1624 {
1625 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1626 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1627 }
1628
1629 /*
1630 * Make sure the message length is acceptable
1631 */
1632 if( ssl->do_crypt == 0 )
1633 {
1634 if( ssl->in_msglen < 1 ||
1635 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1636 {
1637 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1638 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1639 }
1640 }
1641 else
1642 {
1643 if( ssl->in_msglen < ssl->minlen )
1644 {
1645 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1646 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1647 }
1648
1649 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1650 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1651 {
1652 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1653 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1654 }
1655
1656 /*
1657 * TLS encrypted messages can have up to 256 bytes of padding
1658 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1659 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1660 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1661 {
1662 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1663 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1664 }
1665 }
1666
1667 /*
1668 * Read and optionally decrypt the message contents
1669 */
1670 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1671 {
1672 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1673 return( ret );
1674 }
1675
1676 SSL_DEBUG_BUF( 4, "input record from network",
1677 ssl->in_hdr, 5 + ssl->in_msglen );
1678
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1679#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1680 if( ssl_hw_record_read != NULL)
1681 {
1682 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1683
1684 ret = ssl_hw_record_read( ssl );
1685 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1686 {
1687 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1688 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1689 }
1690 done = 1;
1691 }
1692#endif
1693 if( !done && ssl->do_crypt != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1694 {
1695 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1696 {
1697 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1698 return( ret );
1699 }
1700
1701 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1702 ssl->in_msg, ssl->in_msglen );
1703
1704 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1705 {
1706 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1707 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1708 }
1709 }
1710
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1711 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1712 ssl->in_msgtype != SSL_MSG_ALERT &&
1713 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1714 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1715 {
1716 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1717
1718 if( ( ret = ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1719 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
1720 {
1721 return( ret );
1722 }
1723
1724 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1725 }
1726
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1727 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1728 {
1729 ssl->in_hslen = 4;
1730 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1731
1732 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1733 " %d, type = %d, hslen = %d",
1734 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1735
1736 /*
1737 * Additional checks to validate the handshake header
1738 */
1739 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1740 {
1741 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1742 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1743 }
1744
1745 if( ssl->in_msglen < ssl->in_hslen )
1746 {
1747 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1748 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1749 }
1750
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1751 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752 }
1753
1754 if( ssl->in_msgtype == SSL_MSG_ALERT )
1755 {
1756 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1757 ssl->in_msg[0], ssl->in_msg[1] ) );
1758
1759 /*
1760 * Ignore non-fatal alerts, except close_notify
1761 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1762 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1763 {
1764 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1765 /**
1766 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1767 * error identifier.
1768 */
1769 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1770 }
1771
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1772 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1773 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1774 {
1775 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1776 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1777 }
1778 }
1779
1780 ssl->in_left = 0;
1781
1782 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1783
1784 return( 0 );
1785}
1786
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1787int ssl_send_alert_message( ssl_context *ssl,
1788 unsigned char level,
1789 unsigned char message )
1790{
1791 int ret;
1792
1793 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1794
1795 ssl->out_msgtype = SSL_MSG_ALERT;
1796 ssl->out_msglen = 2;
1797 ssl->out_msg[0] = level;
1798 ssl->out_msg[1] = message;
1799
1800 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1801 {
1802 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1803 return( ret );
1804 }
1805
1806 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1807
1808 return( 0 );
1809}
1810
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811/*
1812 * Handshake functions
1813 */
1814int ssl_write_certificate( ssl_context *ssl )
1815{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1816 int ret;
1817 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1818 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819
1820 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1821
1822 if( ssl->endpoint == SSL_IS_CLIENT )
1823 {
1824 if( ssl->client_auth == 0 )
1825 {
1826 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1827 ssl->state++;
1828 return( 0 );
1829 }
1830
1831 /*
1832 * If using SSLv3 and got no cert, send an Alert message
1833 * (otherwise an empty Certificate message will be sent).
1834 */
1835 if( ssl->own_cert == NULL &&
1836 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1837 {
1838 ssl->out_msglen = 2;
1839 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1840 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1841 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842
1843 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1844 goto write_msg;
1845 }
1846 }
1847 else /* SSL_IS_SERVER */
1848 {
1849 if( ssl->own_cert == NULL )
1850 {
1851 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1852 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853 }
1854 }
1855
1856 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1857
1858 /*
1859 * 0 . 0 handshake type
1860 * 1 . 3 handshake length
1861 * 4 . 6 length of all certs
1862 * 7 . 9 length of cert. 1
1863 * 10 . n-1 peer certificate
1864 * n . n+2 length of cert. 2
1865 * n+3 . ... upper level cert, etc.
1866 */
1867 i = 7;
1868 crt = ssl->own_cert;
1869
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1870 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1871 {
1872 n = crt->raw.len;
1873 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1874 {
1875 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1876 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1877 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878 }
1879
1880 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1881 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1882 ssl->out_msg[i + 2] = (unsigned char)( n );
1883
1884 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1885 i += n; crt = crt->next;
1886 }
1887
1888 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1889 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1890 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1891
1892 ssl->out_msglen = i;
1893 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1894 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1895
1896write_msg:
1897
1898 ssl->state++;
1899
1900 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1901 {
1902 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1903 return( ret );
1904 }
1905
1906 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1907
1908 return( 0 );
1909}
1910
1911int ssl_parse_certificate( ssl_context *ssl )
1912{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1913 int ret;
1914 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915
1916 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1917
1918 if( ssl->endpoint == SSL_IS_SERVER &&
1919 ssl->authmode == SSL_VERIFY_NONE )
1920 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1921 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1923 ssl->state++;
1924 return( 0 );
1925 }
1926
1927 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1928 {
1929 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1930 return( ret );
1931 }
1932
1933 ssl->state++;
1934
1935 /*
1936 * Check if the client sent an empty certificate
1937 */
1938 if( ssl->endpoint == SSL_IS_SERVER &&
1939 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1940 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1941 if( ssl->in_msglen == 2 &&
1942 ssl->in_msgtype == SSL_MSG_ALERT &&
1943 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1944 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945 {
1946 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1947
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1948 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1949 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1950 return( 0 );
1951 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1952 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 }
1954 }
1955
1956 if( ssl->endpoint == SSL_IS_SERVER &&
1957 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1958 {
1959 if( ssl->in_hslen == 7 &&
1960 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1961 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1962 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1963 {
1964 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1965
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1966 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1968 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1969 else
1970 return( 0 );
1971 }
1972 }
1973
1974 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1975 {
1976 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1977 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1978 }
1979
1980 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1981 {
1982 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1983 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1984 }
1985
1986 /*
1987 * Same message structure as in ssl_write_certificate()
1988 */
1989 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1990
1991 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1992 {
1993 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1994 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1995 }
1996
1997 if( ( ssl->peer_cert = (x509_cert *) malloc(
1998 sizeof( x509_cert ) ) ) == NULL )
1999 {
2000 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2001 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2002 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2003 }
2004
2005 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2006
2007 i = 7;
2008
2009 while( i < ssl->in_hslen )
2010 {
2011 if( ssl->in_msg[i] != 0 )
2012 {
2013 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2014 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2015 }
2016
2017 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2018 | (unsigned int) ssl->in_msg[i + 2];
2019 i += 3;
2020
2021 if( n < 128 || i + n > ssl->in_hslen )
2022 {
2023 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2024 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025 }
2026
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2027 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028 if( ret != 0 )
2029 {
2030 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2031 return( ret );
2032 }
2033
2034 i += n;
2035 }
2036
2037 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
2038
2039 if( ssl->authmode != SSL_VERIFY_NONE )
2040 {
2041 if( ssl->ca_chain == NULL )
2042 {
2043 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2044 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2045 }
2046
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2047 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2048 ssl->peer_cn, &ssl->verify_result,
2049 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2050
2051 if( ret != 0 )
2052 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2053
2054 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2055 ret = 0;
2056 }
2057
2058 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2059
2060 return( ret );
2061}
2062
2063int ssl_write_change_cipher_spec( ssl_context *ssl )
2064{
2065 int ret;
2066
2067 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2068
2069 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2070 ssl->out_msglen = 1;
2071 ssl->out_msg[0] = 1;
2072
2073 ssl->do_crypt = 0;
2074 ssl->state++;
2075
2076 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2077 {
2078 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2079 return( ret );
2080 }
2081
2082 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2083
2084 return( 0 );
2085}
2086
2087int ssl_parse_change_cipher_spec( ssl_context *ssl )
2088{
2089 int ret;
2090
2091 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2092
2093 ssl->do_crypt = 0;
2094
2095 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2096 {
2097 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2098 return( ret );
2099 }
2100
2101 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2102 {
2103 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2104 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2105 }
2106
2107 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2108 {
2109 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2110 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2111 }
2112
2113 ssl->state++;
2114
2115 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2116
2117 return( 0 );
2118}
2119
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2120void ssl_kickstart_checksum( ssl_context *ssl, int ciphersuite,
2121 unsigned char *input_buf, size_t len )
2122{
2123 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2124 {
2125 md5_starts( (md5_context *) ssl->ctx_checksum );
2126 sha1_starts( (sha1_context *) ( ssl->ctx_checksum +
2127 sizeof(md5_context) ) );
2128
2129 ssl->update_checksum = ssl_update_checksum_md5sha1;
2130 }
2131 else if ( ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
2132 ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
2133 {
2134 sha4_starts( (sha4_context *) ssl->ctx_checksum, 1 );
2135 ssl->update_checksum = ssl_update_checksum_sha384;
2136 }
2137 else
2138 {
2139 sha2_starts( (sha2_context *) ssl->ctx_checksum, 0 );
2140 ssl->update_checksum = ssl_update_checksum_sha256;
2141 }
2142
2143 if( ssl->endpoint == SSL_IS_CLIENT )
2144 ssl->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2145 ssl->update_checksum( ssl, input_buf, len );
2146}
2147
2148static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2149 size_t len )
2150{
2151 ((void) ssl);
2152 ((void) buf);
2153 ((void) len);
2154}
2155
2156static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2157 size_t len )
2158{
2159 md5_update( (md5_context *) ssl->ctx_checksum, buf, len );
2160 sha1_update( (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2161 buf, len );
2162}
2163
2164static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2165 size_t len )
2166{
2167 sha2_update( (sha2_context *) ssl->ctx_checksum, buf, len );
2168}
2169
2170static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2171 size_t len )
2172{
2173 sha4_update( (sha4_context *) ssl->ctx_checksum, buf, len );
2174}
2175
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2176static void ssl_calc_finished_ssl(
2177 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2178{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2180 md5_context md5;
2181 sha1_context sha1;
2182
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2183 unsigned char padbuf[48];
2184 unsigned char md5sum[16];
2185 unsigned char sha1sum[20];
2186
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2187 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2188
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2189 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2190 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2191 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2192
2193 /*
2194 * SSLv3:
2195 * hash =
2196 * MD5( master + pad2 +
2197 * MD5( handshake + sender + master + pad1 ) )
2198 * + SHA1( master + pad2 +
2199 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2200 */
2201
2202 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2203 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204
2205 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2206 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2207
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2208 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2209 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2210
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2211 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2212
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2213 md5_update( &md5, (unsigned char *) sender, 4 );
2214 md5_update( &md5, ssl->session->master, 48 );
2215 md5_update( &md5, padbuf, 48 );
2216 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2217
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2218 sha1_update( &sha1, (unsigned char *) sender, 4 );
2219 sha1_update( &sha1, ssl->session->master, 48 );
2220 sha1_update( &sha1, padbuf, 40 );
2221 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2222
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2223 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2224
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2225 md5_starts( &md5 );
2226 md5_update( &md5, ssl->session->master, 48 );
2227 md5_update( &md5, padbuf, 48 );
2228 md5_update( &md5, md5sum, 16 );
2229 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2230
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2231 sha1_starts( &sha1 );
2232 sha1_update( &sha1, ssl->session->master, 48 );
2233 sha1_update( &sha1, padbuf , 40 );
2234 sha1_update( &sha1, sha1sum, 20 );
2235 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2236
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2237 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2238
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2239 memset( &md5, 0, sizeof( md5_context ) );
2240 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2241
2242 memset( padbuf, 0, sizeof( padbuf ) );
2243 memset( md5sum, 0, sizeof( md5sum ) );
2244 memset( sha1sum, 0, sizeof( sha1sum ) );
2245
2246 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2247}
2248
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2249static void ssl_calc_finished_tls(
2250 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2251{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2252 int len = 12;
2253 char *sender;
2254 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2255 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2256 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2258 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2259
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2260 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2261 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2262 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2263
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2264 /*
2265 * TLSv1:
2266 * hash = PRF( master, finished_label,
2267 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2268 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2269
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2270 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2271 md5.state, sizeof( md5.state ) );
2272
2273 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2274 sha1.state, sizeof( sha1.state ) );
2275
2276 sender = ( from == SSL_IS_CLIENT )
2277 ? (char *) "client finished"
2278 : (char *) "server finished";
2279
2280 md5_finish( &md5, padbuf );
2281 sha1_finish( &sha1, padbuf + 16 );
2282
2283 ssl->tls_prf( ssl->session->master, 48, sender,
2284 padbuf, 36, buf, len );
2285
2286 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2287
2288 memset( &md5, 0, sizeof( md5_context ) );
2289 memset( &sha1, 0, sizeof( sha1_context ) );
2290
2291 memset( padbuf, 0, sizeof( padbuf ) );
2292
2293 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2294}
2295
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2296static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2297 ssl_context *ssl, unsigned char *buf, int from )
2298{
2299 int len = 12;
2300 char *sender;
2301 sha2_context sha2;
2302 unsigned char padbuf[32];
2303
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2304 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2305
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2306 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2307
2308 /*
2309 * TLSv1.2:
2310 * hash = PRF( master, finished_label,
2311 * Hash( handshake ) )[0.11]
2312 */
2313
2314 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2315 sha2.state, sizeof( sha2.state ) );
2316
2317 sender = ( from == SSL_IS_CLIENT )
2318 ? (char *) "client finished"
2319 : (char *) "server finished";
2320
2321 sha2_finish( &sha2, padbuf );
2322
2323 ssl->tls_prf( ssl->session->master, 48, sender,
2324 padbuf, 32, buf, len );
2325
2326 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2327
2328 memset( &sha2, 0, sizeof( sha2_context ) );
2329
2330 memset( padbuf, 0, sizeof( padbuf ) );
2331
2332 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2333}
2334
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2335static void ssl_calc_finished_tls_sha384(
2336 ssl_context *ssl, unsigned char *buf, int from )
2337{
2338 int len = 12;
2339 char *sender;
2340 sha4_context sha4;
2341 unsigned char padbuf[48];
2342
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2343 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2344
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2345 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2346
2347 /*
2348 * TLSv1.2:
2349 * hash = PRF( master, finished_label,
2350 * Hash( handshake ) )[0.11]
2351 */
2352
2353 SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2354 sha4.state, sizeof( sha4.state ) );
2355
2356 sender = ( from == SSL_IS_CLIENT )
2357 ? (char *) "client finished"
2358 : (char *) "server finished";
2359
2360 sha4_finish( &sha4, padbuf );
2361
2362 ssl->tls_prf( ssl->session->master, 48, sender,
2363 padbuf, 48, buf, len );
2364
2365 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2366
2367 memset( &sha4, 0, sizeof( sha4_context ) );
2368
2369 memset( padbuf, 0, sizeof( padbuf ) );
2370
2371 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2372}
2373
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2374int ssl_write_finished( ssl_context *ssl )
2375{
2376 int ret, hash_len;
2377
2378 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2379
2380 ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2381
2382 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2383 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2384
2385 ssl->out_msglen = 4 + hash_len;
2386 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2387 ssl->out_msg[0] = SSL_HS_FINISHED;
2388
2389 /*
2390 * In case of session resuming, invert the client and server
2391 * ChangeCipherSpec messages order.
2392 */
2393 if( ssl->resume != 0 )
2394 {
2395 if( ssl->endpoint == SSL_IS_CLIENT )
2396 ssl->state = SSL_HANDSHAKE_OVER;
2397 else
2398 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2399 }
2400 else
2401 ssl->state++;
2402
2403 ssl->do_crypt = 1;
2404
2405 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2406 {
2407 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2408 return( ret );
2409 }
2410
2411 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2412
2413 return( 0 );
2414}
2415
2416int ssl_parse_finished( ssl_context *ssl )
2417{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2418 int ret;
2419 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2420 unsigned char buf[36];
2421
2422 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2423
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2424 ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2425
2426 ssl->do_crypt = 1;
2427
2428 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2429 {
2430 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2431 return( ret );
2432 }
2433
2434 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2435 {
2436 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2437 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2438 }
2439
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2440 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2441 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2442
2443 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2444 ssl->in_hslen != 4 + hash_len )
2445 {
2446 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2447 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2448 }
2449
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2450 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2451 {
2452 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2453 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2454 }
2455
2456 if( ssl->resume != 0 )
2457 {
2458 if( ssl->endpoint == SSL_IS_CLIENT )
2459 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2460
2461 if( ssl->endpoint == SSL_IS_SERVER )
2462 ssl->state = SSL_HANDSHAKE_OVER;
2463 }
2464 else
2465 ssl->state++;
2466
2467 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2468
2469 return( 0 );
2470}
2471
2472/*
2473 * Initialize an SSL context
2474 */
2475int ssl_init( ssl_context *ssl )
2476{
2477 int len = SSL_BUFFER_LEN;
2478
2479 memset( ssl, 0, sizeof( ssl_context ) );
2480
2481 ssl->in_ctr = (unsigned char *) malloc( len );
2482 ssl->in_hdr = ssl->in_ctr + 8;
2483 ssl->in_msg = ssl->in_ctr + 13;
2484
2485 if( ssl->in_ctr == NULL )
2486 {
2487 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2488 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2489 }
2490
2491 ssl->out_ctr = (unsigned char *) malloc( len );
2492 ssl->out_hdr = ssl->out_ctr + 8;
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame^]2493 ssl->out_msg = ssl->out_ctr + 40;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2494
2495 if( ssl->out_ctr == NULL )
2496 {
2497 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2498 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2499 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2500 }
2501
2502 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2503 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2504
2505 ssl->hostname = NULL;
2506 ssl->hostname_len = 0;
2507
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2508 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2509
2510 return( 0 );
2511}
2512
2513/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2514 * Reset an initialized and used SSL context for re-use while retaining
2515 * all application-set variables, function pointers and data.
2516 */
2517void ssl_session_reset( ssl_context *ssl )
2518{
2519 ssl->state = SSL_HELLO_REQUEST;
2520
2521 ssl->in_offt = NULL;
2522
2523 ssl->in_msgtype = 0;
2524 ssl->in_msglen = 0;
2525 ssl->in_left = 0;
2526
2527 ssl->in_hslen = 0;
2528 ssl->nb_zero = 0;
2529
2530 ssl->out_msgtype = 0;
2531 ssl->out_msglen = 0;
2532 ssl->out_left = 0;
2533
2534 ssl->do_crypt = 0;
2535 ssl->pmslen = 0;
2536 ssl->keylen = 0;
2537 ssl->minlen = 0;
2538 ssl->ivlen = 0;
2539 ssl->maclen = 0;
2540
2541 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2542 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2543 memset( ssl->randbytes, 0, 64 );
2544 memset( ssl->premaster, 0, 256 );
2545 memset( ssl->iv_enc, 0, 16 );
2546 memset( ssl->iv_dec, 0, 16 );
2547 memset( ssl->mac_enc, 0, 32 );
2548 memset( ssl->mac_dec, 0, 32 );
2549 memset( ssl->ctx_enc, 0, 128 );
2550 memset( ssl->ctx_dec, 0, 128 );
2551
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2552 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2553
2554#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2555 if( ssl_hw_record_reset != NULL)
2556 {
2557 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
2558 ssl_hw_record_reset( ssl );
2559 }
2560#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2561}
2562
2563/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2564 * SSL set accessors
2565 */
2566void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2567{
2568 ssl->endpoint = endpoint;
2569}
2570
2571void ssl_set_authmode( ssl_context *ssl, int authmode )
2572{
2573 ssl->authmode = authmode;
2574}
2575
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2576void ssl_set_verify( ssl_context *ssl,
2577 int (*f_vrfy)(void *, x509_cert *, int, int),
2578 void *p_vrfy )
2579{
2580 ssl->f_vrfy = f_vrfy;
2581 ssl->p_vrfy = p_vrfy;
2582}
2583
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2584void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2585 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2586 void *p_rng )
2587{
2588 ssl->f_rng = f_rng;
2589 ssl->p_rng = p_rng;
2590}
2591
2592void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2593 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2594 void *p_dbg )
2595{
2596 ssl->f_dbg = f_dbg;
2597 ssl->p_dbg = p_dbg;
2598}
2599
2600void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2601 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2602 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2603{
2604 ssl->f_recv = f_recv;
2605 ssl->f_send = f_send;
2606 ssl->p_recv = p_recv;
2607 ssl->p_send = p_send;
2608}
2609
2610void ssl_set_scb( ssl_context *ssl,
2611 int (*s_get)(ssl_context *),
2612 int (*s_set)(ssl_context *) )
2613{
2614 ssl->s_get = s_get;
2615 ssl->s_set = s_set;
2616}
2617
2618void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2619 ssl_session *session )
2620{
2621 ssl->resume = resume;
2622 ssl->timeout = timeout;
2623 ssl->session = session;
2624}
2625
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2626void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2627{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2628 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2629}
2630
2631void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2632 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2633{
2634 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2635 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2636 ssl->peer_cn = peer_cn;
2637}
2638
2639void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2640 rsa_context *rsa_key )
2641{
2642 ssl->own_cert = own_cert;
2643 ssl->rsa_key = rsa_key;
2644}
2645
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]2646#if defined(POLARSSL_PKCS11_C)
2647void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
2648 pkcs11_context *pkcs11_key )
2649{
2650 ssl->own_cert = own_cert;
2651 ssl->pkcs11_key = pkcs11_key;
2652}
2653#endif
2654
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2655int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2656{
2657 int ret;
2658
2659 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2660 {
2661 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2662 return( ret );
2663 }
2664
2665 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2666 {
2667 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2668 return( ret );
2669 }
2670
2671 return( 0 );
2672}
2673
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2674int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
2675{
2676 int ret;
2677
2678 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2679 {
2680 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2681 return( ret );
2682 }
2683
2684 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2685 {
2686 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2687 return( ret );
2688 }
2689
2690 return( 0 );
2691}
2692
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2693int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2694{
2695 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2696 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2697
2698 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2699 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2700
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2701 if( ssl->hostname == NULL )
2702 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2703
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2704 memcpy( ssl->hostname, (unsigned char *) hostname,
2705 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2706
2707 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2708
2709 return( 0 );
2710}
2711
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2712void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2713{
2714 ssl->max_major_ver = major;
2715 ssl->max_minor_ver = minor;
2716}
2717
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2718/*
2719 * SSL get accessors
2720 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2721size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2722{
2723 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2724}
2725
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2726int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2727{
2728 return( ssl->verify_result );
2729}
2730
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2731const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2732{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2733 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2734 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2735#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2736 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2737 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2738
2739 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2740 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2741#endif
2742
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2743#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2744 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2745 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2746
2747 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2748 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2749#endif
2750
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2751#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2752 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2753 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2754
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2755 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2756 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2757
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2758 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2759 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2760
2761 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2762 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2763
2764#if defined(POLARSSL_SHA2_C)
2765 case SSL_RSA_AES_128_SHA256:
2766 return( "SSL-RSA-AES-128-SHA256" );
2767
2768 case SSL_EDH_RSA_AES_128_SHA256:
2769 return( "SSL-EDH-RSA-AES-128-SHA256" );
2770
2771 case SSL_RSA_AES_256_SHA256:
2772 return( "SSL-RSA-AES-256-SHA256" );
2773
2774 case SSL_EDH_RSA_AES_256_SHA256:
2775 return( "SSL-EDH-RSA-AES-256-SHA256" );
2776#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2777
2778#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2779 case SSL_RSA_AES_128_GCM_SHA256:
2780 return( "SSL-RSA-AES-128-GCM-SHA256" );
2781
2782 case SSL_EDH_RSA_AES_128_GCM_SHA256:
2783 return( "SSL-EDH-RSA-AES-128-GCM-SHA256" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2784#endif
2785
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2786#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2787 case SSL_RSA_AES_256_GCM_SHA384:
2788 return( "SSL-RSA-AES-256-GCM-SHA384" );
2789
2790 case SSL_EDH_RSA_AES_256_GCM_SHA384:
2791 return( "SSL-EDH-RSA-AES-256-GCM-SHA384" );
2792#endif
2793#endif /* POLARSSL_AES_C */
2794
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2795#if defined(POLARSSL_CAMELLIA_C)
2796 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2797 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2798
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2799 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2800 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2801
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2802 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2803 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2804
2805 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2806 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2807
2808#if defined(POLARSSL_SHA2_C)
2809 case SSL_RSA_CAMELLIA_128_SHA256:
2810 return( "SSL-RSA-CAMELLIA-128-SHA256" );
2811
2812 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
2813 return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
2814
2815 case SSL_RSA_CAMELLIA_256_SHA256:
2816 return( "SSL-RSA-CAMELLIA-256-SHA256" );
2817
2818 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
2819 return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
2820#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2821#endif
2822
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2823#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2824#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2825 case SSL_RSA_NULL_MD5:
2826 return( "SSL-RSA-NULL-MD5" );
2827 case SSL_RSA_NULL_SHA:
2828 return( "SSL-RSA-NULL-SHA" );
2829 case SSL_RSA_NULL_SHA256:
2830 return( "SSL-RSA-NULL-SHA256" );
2831#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2832
2833#if defined(POLARSSL_DES_C)
2834 case SSL_RSA_DES_SHA:
2835 return( "SSL-RSA-DES-SHA" );
2836 case SSL_EDH_RSA_DES_SHA:
2837 return( "SSL-EDH-RSA-DES-SHA" );
2838#endif
2839#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2840
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2841 default:
2842 break;
2843 }
2844
2845 return( "unknown" );
2846}
2847
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2848int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2849{
2850#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2851 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2852 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2853 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2854 return( SSL_RSA_RC4_128_SHA );
2855#endif
2856
2857#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2858 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2859 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2860 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2861 return( SSL_EDH_RSA_DES_168_SHA );
2862#endif
2863
2864#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2865 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2866 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2867 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2868 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2869 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2870 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2871 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2872 return( SSL_EDH_RSA_AES_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2873
2874#if defined(POLARSSL_SHA2_C)
2875 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
2876 return( SSL_RSA_AES_128_SHA256 );
2877 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
2878 return( SSL_EDH_RSA_AES_128_SHA256 );
2879 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
2880 return( SSL_RSA_AES_256_SHA256 );
2881 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
2882 return( SSL_EDH_RSA_AES_256_SHA256 );
2883#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2884
2885#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2886 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-GCM-SHA256"))
2887 return( SSL_RSA_AES_128_GCM_SHA256 );
2888 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-GCM-SHA256"))
2889 return( SSL_EDH_RSA_AES_128_GCM_SHA256 );
2890#endif
2891
2892#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2893 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-GCM-SHA384"))
2894 return( SSL_RSA_AES_256_GCM_SHA384 );
2895 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-GCM-SHA384"))
2896 return( SSL_EDH_RSA_AES_256_GCM_SHA384 );
2897#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2898#endif
2899
2900#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2901 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2902 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2903 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2904 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2905 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2906 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2907 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2908 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2909
2910#if defined(POLARSSL_SHA2_C)
2911 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
2912 return( SSL_RSA_CAMELLIA_128_SHA256 );
2913 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
2914 return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
2915 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
2916 return( SSL_RSA_CAMELLIA_256_SHA256 );
2917 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
2918 return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
2919#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2920#endif
2921
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2922#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2923#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2924 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
2925 return( SSL_RSA_NULL_MD5 );
2926 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
2927 return( SSL_RSA_NULL_SHA );
2928 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
2929 return( SSL_RSA_NULL_SHA256 );
2930#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2931
2932#if defined(POLARSSL_DES_C)
2933 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
2934 return( SSL_RSA_DES_SHA );
2935 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
2936 return( SSL_EDH_RSA_DES_SHA );
2937#endif
2938#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2939
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2940 return( 0 );
2941}
2942
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2943const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2944{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2945 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2946}
2947
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2948const char *ssl_get_version( const ssl_context *ssl )
2949{
2950 switch( ssl->minor_ver )
2951 {
2952 case SSL_MINOR_VERSION_0:
2953 return( "SSLv3.0" );
2954
2955 case SSL_MINOR_VERSION_1:
2956 return( "TLSv1.0" );
2957
2958 case SSL_MINOR_VERSION_2:
2959 return( "TLSv1.1" );
2960
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2961 case SSL_MINOR_VERSION_3:
2962 return( "TLSv1.2" );
2963
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2964 default:
2965 break;
2966 }
2967 return( "unknown" );
2968}
2969
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2970int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2971{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2972#if defined(POLARSSL_DHM_C)
2973#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2974#if defined(POLARSSL_SHA2_C)
2975 SSL_EDH_RSA_AES_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2976#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2977#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2978 SSL_EDH_RSA_AES_256_GCM_SHA384,
2979#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2980 SSL_EDH_RSA_AES_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2981#if defined(POLARSSL_SHA2_C)
2982 SSL_EDH_RSA_AES_128_SHA256,
2983#endif
2984#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2985 SSL_EDH_RSA_AES_128_GCM_SHA256,
2986#endif
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2987 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2988#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2989#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2990#if defined(POLARSSL_SHA2_C)
2991 SSL_EDH_RSA_CAMELLIA_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2992#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2993 SSL_EDH_RSA_CAMELLIA_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2994#if defined(POLARSSL_SHA2_C)
2995 SSL_EDH_RSA_CAMELLIA_128_SHA256,
2996#endif /* POLARSSL_SHA2_C */
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2997 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2998#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2999#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3000 SSL_EDH_RSA_DES_168_SHA,
3001#endif
3002#endif
3003
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3004#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3005#if defined(POLARSSL_SHA2_C)
3006 SSL_RSA_AES_256_SHA256,
3007#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3008#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3009 SSL_RSA_AES_256_GCM_SHA384,
3010#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3011 SSL_RSA_AES_256_SHA,
3012#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3013#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3014#if defined(POLARSSL_SHA2_C)
3015 SSL_RSA_CAMELLIA_256_SHA256,
3016#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3017 SSL_RSA_CAMELLIA_256_SHA,
3018#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3019#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3020#if defined(POLARSSL_SHA2_C)
3021 SSL_RSA_AES_128_SHA256,
3022#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3023#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3024 SSL_RSA_AES_128_GCM_SHA256,
3025#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3026 SSL_RSA_AES_128_SHA,
3027#endif
3028#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3029#if defined(POLARSSL_SHA2_C)
3030 SSL_RSA_CAMELLIA_128_SHA256,
3031#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3032 SSL_RSA_CAMELLIA_128_SHA,
3033#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3034#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3035 SSL_RSA_DES_168_SHA,
3036#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3037#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3038 SSL_RSA_RC4_128_SHA,
3039 SSL_RSA_RC4_128_MD5,
3040#endif
3041 0
3042};
3043
3044/*
3045 * Perform the SSL handshake
3046 */
3047int ssl_handshake( ssl_context *ssl )
3048{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3049 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3050
3051 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3052
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3053#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3054 if( ssl->endpoint == SSL_IS_CLIENT )
3055 ret = ssl_handshake_client( ssl );
3056#endif
3057
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3058#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3059 if( ssl->endpoint == SSL_IS_SERVER )
3060 ret = ssl_handshake_server( ssl );
3061#endif
3062
3063 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3064
3065 return( ret );
3066}
3067
3068/*
3069 * Receive application data decrypted from the SSL layer
3070 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3071int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3072{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3073 int ret;
3074 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3075
3076 SSL_DEBUG_MSG( 2, ( "=> read" ) );
3077
3078 if( ssl->state != SSL_HANDSHAKE_OVER )
3079 {
3080 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3081 {
3082 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3083 return( ret );
3084 }
3085 }
3086
3087 if( ssl->in_offt == NULL )
3088 {
3089 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3090 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3091 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3092 return( 0 );
3093
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3094 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3095 return( ret );
3096 }
3097
3098 if( ssl->in_msglen == 0 &&
3099 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3100 {
3101 /*
3102 * OpenSSL sends empty messages to randomize the IV
3103 */
3104 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3105 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3106 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3107 return( 0 );
3108
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3109 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3110 return( ret );
3111 }
3112 }
3113
3114 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3115 {
3116 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3117 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3118 }
3119
3120 ssl->in_offt = ssl->in_msg;
3121 }
3122
3123 n = ( len < ssl->in_msglen )
3124 ? len : ssl->in_msglen;
3125
3126 memcpy( buf, ssl->in_offt, n );
3127 ssl->in_msglen -= n;
3128
3129 if( ssl->in_msglen == 0 )
3130 /* all bytes consumed */
3131 ssl->in_offt = NULL;
3132 else
3133 /* more data available */
3134 ssl->in_offt += n;
3135
3136 SSL_DEBUG_MSG( 2, ( "<= read" ) );
3137
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3138 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3139}
3140
3141/*
3142 * Send application data to be encrypted by the SSL layer
3143 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3144int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3145{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3146 int ret;
3147 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3148
3149 SSL_DEBUG_MSG( 2, ( "=> write" ) );
3150
3151 if( ssl->state != SSL_HANDSHAKE_OVER )
3152 {
3153 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3154 {
3155 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3156 return( ret );
3157 }
3158 }
3159
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3160 n = ( len < SSL_MAX_CONTENT_LEN )
3161 ? len : SSL_MAX_CONTENT_LEN;
3162
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3163 if( ssl->out_left != 0 )
3164 {
3165 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3166 {
3167 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3168 return( ret );
3169 }
3170 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3171 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]3172 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3173 ssl->out_msglen = n;
3174 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3175 memcpy( ssl->out_msg, buf, n );
3176
3177 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3178 {
3179 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3180 return( ret );
3181 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3182 }
3183
3184 SSL_DEBUG_MSG( 2, ( "<= write" ) );
3185
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3186 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3187}
3188
3189/*
3190 * Notify the peer that the connection is being closed
3191 */
3192int ssl_close_notify( ssl_context *ssl )
3193{
3194 int ret;
3195
3196 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3197
3198 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3199 {
3200 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3201 return( ret );
3202 }
3203
3204 if( ssl->state == SSL_HANDSHAKE_OVER )
3205 {
3206 ssl->out_msgtype = SSL_MSG_ALERT;
3207 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]3208 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
3209 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3210
3211 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3212 {
3213 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3214 return( ret );
3215 }
3216 }
3217
3218 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3219
3220 return( ret );
3221}
3222
3223/*
3224 * Free an SSL context
3225 */
3226void ssl_free( ssl_context *ssl )
3227{
3228 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3229
3230 if( ssl->peer_cert != NULL )
3231 {
3232 x509_free( ssl->peer_cert );
3233 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
3234 free( ssl->peer_cert );
3235 }
3236
3237 if( ssl->out_ctr != NULL )
3238 {
3239 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3240 free( ssl->out_ctr );
3241 }
3242
3243 if( ssl->in_ctr != NULL )
3244 {
3245 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3246 free( ssl->in_ctr );
3247 }
3248
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3249#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3250 dhm_free( &ssl->dhm_ctx );
3251#endif
3252
3253 if ( ssl->hostname != NULL)
3254 {
3255 memset( ssl->hostname, 0, ssl->hostname_len );
3256 free( ssl->hostname );
3257 ssl->hostname_len = 0;
3258 }
3259
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3260#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3261 if( ssl_hw_record_finish != NULL )
3262 {
3263 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3264 ssl_hw_record_finish( ssl );
3265 }
3266#endif
3267
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3268 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]3269
3270 /* Actually free after last debug message */
3271 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3272}
3273
3274#endif