TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1ef83d66dd5a94a1b1985fd3e1706367e587e892 / . / library / ssl_tls.c
blob: b5c89a9be65fb6b5fa4c9f601338b289e582e8b7 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46#include <stdlib.h>
47#include <time.h>
48
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]49#if defined _MSC_VER && !defined strcasecmp
50#define strcasecmp _stricmp
51#endif
52
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53/*
54 * Key material generation
55 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]56static int tls1_prf( unsigned char *secret, size_t slen, char *label,
57 unsigned char *random, size_t rlen,
58 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]59{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]60 size_t nb, hs;
61 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62 unsigned char *S1, *S2;
63 unsigned char tmp[128];
64 unsigned char h_i[20];
65
66 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]67 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68
69 hs = ( slen + 1 ) / 2;
70 S1 = secret;
71 S2 = secret + slen - hs;
72
73 nb = strlen( label );
74 memcpy( tmp + 20, label, nb );
75 memcpy( tmp + 20 + nb, random, rlen );
76 nb += rlen;
77
78 /*
79 * First compute P_md5(secret,label+random)[0..dlen]
80 */
81 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
82
83 for( i = 0; i < dlen; i += 16 )
84 {
85 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
86 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
87
88 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
89
90 for( j = 0; j < k; j++ )
91 dstbuf[i + j] = h_i[j];
92 }
93
94 /*
95 * XOR out with P_sha1(secret,label+random)[0..dlen]
96 */
97 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
98
99 for( i = 0; i < dlen; i += 20 )
100 {
101 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
102 sha1_hmac( S2, hs, tmp, 20, tmp );
103
104 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
105
106 for( j = 0; j < k; j++ )
107 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
108 }
109
110 memset( tmp, 0, sizeof( tmp ) );
111 memset( h_i, 0, sizeof( h_i ) );
112
113 return( 0 );
114}
115
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]116static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
117 unsigned char *random, size_t rlen,
118 unsigned char *dstbuf, size_t dlen )
119{
120 size_t nb;
121 size_t i, j, k;
122 unsigned char tmp[128];
123 unsigned char h_i[32];
124
125 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
126 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
127
128 nb = strlen( label );
129 memcpy( tmp + 32, label, nb );
130 memcpy( tmp + 32 + nb, random, rlen );
131 nb += rlen;
132
133 /*
134 * Compute P_<hash>(secret, label + random)[0..dlen]
135 */
136 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
137
138 for( i = 0; i < dlen; i += 32 )
139 {
140 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
141 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
142
143 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
144
145 for( j = 0; j < k; j++ )
146 dstbuf[i + j] = h_i[j];
147 }
148
149 memset( tmp, 0, sizeof( tmp ) );
150 memset( h_i, 0, sizeof( h_i ) );
151
152 return( 0 );
153}
154
155static void ssl_calc_finished_ssl (ssl_context *,unsigned char *,int);
156static void ssl_calc_finished_tls (ssl_context *,unsigned char *,int);
157static void ssl_calc_finished_tls1_2(ssl_context *,unsigned char *,int);
158
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]159int ssl_derive_keys( ssl_context *ssl )
160{
161 int i;
162 md5_context md5;
163 sha1_context sha1;
164 unsigned char tmp[64];
165 unsigned char padding[16];
166 unsigned char sha1sum[20];
167 unsigned char keyblk[256];
168 unsigned char *key1;
169 unsigned char *key2;
170
171 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
172
173 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]174 * Set appropriate PRF function.
175 */
176 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
177 ssl->tls_prf = tls1_prf;
178 else
179 ssl->tls_prf = tls_prf_sha256;
180
181 /*
182 * Set appropriate SSL / TLS / TLS1.2 functions
183 */
184 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
185 ssl->calc_finished = ssl_calc_finished_ssl;
186 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
187 ssl->calc_finished = ssl_calc_finished_tls;
188 else
189 ssl->calc_finished = ssl_calc_finished_tls1_2;
190
191 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]192 * SSLv3:
193 * master =
194 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
195 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
196 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
197 *
198 * TLSv1:
199 * master = PRF( premaster, "master secret", randbytes )[0..47]
200 */
201 if( ssl->resume == 0 )
202 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]203 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204
205 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
206
207 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
208 {
209 for( i = 0; i < 3; i++ )
210 {
211 memset( padding, 'A' + i, 1 + i );
212
213 sha1_starts( &sha1 );
214 sha1_update( &sha1, padding, 1 + i );
215 sha1_update( &sha1, ssl->premaster, len );
216 sha1_update( &sha1, ssl->randbytes, 64 );
217 sha1_finish( &sha1, sha1sum );
218
219 md5_starts( &md5 );
220 md5_update( &md5, ssl->premaster, len );
221 md5_update( &md5, sha1sum, 20 );
222 md5_finish( &md5, ssl->session->master + i * 16 );
223 }
224 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]225 else
226 ssl->tls_prf( ssl->premaster, len, "master secret",
227 ssl->randbytes, 64, ssl->session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]228
229 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
230 }
231 else
232 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
233
234 /*
235 * Swap the client and server random values.
236 */
237 memcpy( tmp, ssl->randbytes, 64 );
238 memcpy( ssl->randbytes, tmp + 32, 32 );
239 memcpy( ssl->randbytes + 32, tmp, 32 );
240 memset( tmp, 0, sizeof( tmp ) );
241
242 /*
243 * SSLv3:
244 * key block =
245 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
246 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
247 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
248 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
249 * ...
250 *
251 * TLSv1:
252 * key block = PRF( master, "key expansion", randbytes )
253 */
254 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
255 {
256 for( i = 0; i < 16; i++ )
257 {
258 memset( padding, 'A' + i, 1 + i );
259
260 sha1_starts( &sha1 );
261 sha1_update( &sha1, padding, 1 + i );
262 sha1_update( &sha1, ssl->session->master, 48 );
263 sha1_update( &sha1, ssl->randbytes, 64 );
264 sha1_finish( &sha1, sha1sum );
265
266 md5_starts( &md5 );
267 md5_update( &md5, ssl->session->master, 48 );
268 md5_update( &md5, sha1sum, 20 );
269 md5_finish( &md5, keyblk + i * 16 );
270 }
271
272 memset( &md5, 0, sizeof( md5 ) );
273 memset( &sha1, 0, sizeof( sha1 ) );
274
275 memset( padding, 0, sizeof( padding ) );
276 memset( sha1sum, 0, sizeof( sha1sum ) );
277 }
278 else
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]279 ssl->tls_prf( ssl->session->master, 48, "key expansion",
280 ssl->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]282 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]283 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
284 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
285 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
286
287 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
288
289 /*
290 * Determine the appropriate key, IV and MAC length.
291 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]292 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]293 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]294#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]295 case SSL_RSA_RC4_128_MD5:
296 ssl->keylen = 16; ssl->minlen = 16;
297 ssl->ivlen = 0; ssl->maclen = 16;
298 break;
299
300 case SSL_RSA_RC4_128_SHA:
301 ssl->keylen = 16; ssl->minlen = 20;
302 ssl->ivlen = 0; ssl->maclen = 20;
303 break;
304#endif
305
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]306#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]307 case SSL_RSA_DES_168_SHA:
308 case SSL_EDH_RSA_DES_168_SHA:
309 ssl->keylen = 24; ssl->minlen = 24;
310 ssl->ivlen = 8; ssl->maclen = 20;
311 break;
312#endif
313
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]314#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]316 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317 ssl->keylen = 16; ssl->minlen = 32;
318 ssl->ivlen = 16; ssl->maclen = 20;
319 break;
320
321 case SSL_RSA_AES_256_SHA:
322 case SSL_EDH_RSA_AES_256_SHA:
323 ssl->keylen = 32; ssl->minlen = 32;
324 ssl->ivlen = 16; ssl->maclen = 20;
325 break;
326#endif
327
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]328#if defined(POLARSSL_CAMELLIA_C)
329 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]330 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]331 ssl->keylen = 16; ssl->minlen = 32;
332 ssl->ivlen = 16; ssl->maclen = 20;
333 break;
334
335 case SSL_RSA_CAMELLIA_256_SHA:
336 case SSL_EDH_RSA_CAMELLIA_256_SHA:
337 ssl->keylen = 32; ssl->minlen = 32;
338 ssl->ivlen = 16; ssl->maclen = 20;
339 break;
340#endif
341
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]342#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
343#if defined(POLARSSL_CIPHER_NULL_CIPHER)
344 case SSL_RSA_NULL_MD5:
345 ssl->keylen = 0; ssl->minlen = 0;
346 ssl->ivlen = 0; ssl->maclen = 16;
347 break;
348
349 case SSL_RSA_NULL_SHA:
350 ssl->keylen = 0; ssl->minlen = 0;
351 ssl->ivlen = 0; ssl->maclen = 20;
352 break;
353
354 case SSL_RSA_NULL_SHA256:
355 ssl->keylen = 0; ssl->minlen = 0;
356 ssl->ivlen = 0; ssl->maclen = 32;
357 break;
358#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
359
360#if defined(POLARSSL_DES_C)
361 case SSL_RSA_DES_SHA:
362 case SSL_EDH_RSA_DES_SHA:
363 ssl->keylen = 8; ssl->minlen = 8;
364 ssl->ivlen = 8; ssl->maclen = 20;
365 break;
366#endif
367#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
368
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]370 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
371 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]372 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373 }
374
375 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
376 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
377
378 /*
379 * Finally setup the cipher contexts, IVs and MAC secrets.
380 */
381 if( ssl->endpoint == SSL_IS_CLIENT )
382 {
383 key1 = keyblk + ssl->maclen * 2;
384 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
385
386 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
387 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
388
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]389 /*
390 * This is not used in TLS v1.1.
391 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
393 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
394 ssl->ivlen );
395 }
396 else
397 {
398 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
399 key2 = keyblk + ssl->maclen * 2;
400
401 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
402 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
403
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]404 /*
405 * This is not used in TLS v1.1.
406 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]407 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
408 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
409 ssl->ivlen );
410 }
411
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]412 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]413 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]414#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415 case SSL_RSA_RC4_128_MD5:
416 case SSL_RSA_RC4_128_SHA:
417 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
418 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
419 break;
420#endif
421
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]422#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423 case SSL_RSA_DES_168_SHA:
424 case SSL_EDH_RSA_DES_168_SHA:
425 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
426 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
427 break;
428#endif
429
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]430#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]432 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]433 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
434 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
435 break;
436
437 case SSL_RSA_AES_256_SHA:
438 case SSL_EDH_RSA_AES_256_SHA:
439 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
440 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
441 break;
442#endif
443
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]444#if defined(POLARSSL_CAMELLIA_C)
445 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]446 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]447 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
448 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
449 break;
450
451 case SSL_RSA_CAMELLIA_256_SHA:
452 case SSL_EDH_RSA_CAMELLIA_256_SHA:
453 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
454 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
455 break;
456#endif
457
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]458#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
459#if defined(POLARSSL_CIPHER_NULL_CIPHER)
460 case SSL_RSA_NULL_MD5:
461 case SSL_RSA_NULL_SHA:
462 case SSL_RSA_NULL_SHA256:
463 break;
464#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
465
466#if defined(POLARSSL_DES_C)
467 case SSL_RSA_DES_SHA:
468 case SSL_EDH_RSA_DES_SHA:
469 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
470 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
471 break;
472#endif
473#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
474
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]476 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 }
478
479 memset( keyblk, 0, sizeof( keyblk ) );
480
481 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
482
483 return( 0 );
484}
485
486void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
487{
488 md5_context md5;
489 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]490 sha2_context sha2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 unsigned char pad_1[48];
492 unsigned char pad_2[48];
493
494 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
495
496 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
497 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]498 memcpy( &sha2, &ssl->fin_sha2, sizeof( sha2_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]499
500 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
501 {
502 memset( pad_1, 0x36, 48 );
503 memset( pad_2, 0x5C, 48 );
504
505 md5_update( &md5, ssl->session->master, 48 );
506 md5_update( &md5, pad_1, 48 );
507 md5_finish( &md5, hash );
508
509 md5_starts( &md5 );
510 md5_update( &md5, ssl->session->master, 48 );
511 md5_update( &md5, pad_2, 48 );
512 md5_update( &md5, hash, 16 );
513 md5_finish( &md5, hash );
514
515 sha1_update( &sha1, ssl->session->master, 48 );
516 sha1_update( &sha1, pad_1, 40 );
517 sha1_finish( &sha1, hash + 16 );
518
519 sha1_starts( &sha1 );
520 sha1_update( &sha1, ssl->session->master, 48 );
521 sha1_update( &sha1, pad_2, 40 );
522 sha1_update( &sha1, hash + 16, 20 );
523 sha1_finish( &sha1, hash + 16 );
524 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]525 else if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) /* TLSv1 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]526 {
527 md5_finish( &md5, hash );
528 sha1_finish( &sha1, hash + 16 );
529 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]530 else
531 {
532 sha2_finish( &sha2, hash );
533 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]534
535 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
536 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
537
538 return;
539}
540
541/*
542 * SSLv3.0 MAC functions
543 */
544static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]545 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]546 unsigned char *ctr, int type )
547{
548 unsigned char header[11];
549 unsigned char padding[48];
550 md5_context md5;
551
552 memcpy( header, ctr, 8 );
553 header[ 8] = (unsigned char) type;
554 header[ 9] = (unsigned char)( len >> 8 );
555 header[10] = (unsigned char)( len );
556
557 memset( padding, 0x36, 48 );
558 md5_starts( &md5 );
559 md5_update( &md5, secret, 16 );
560 md5_update( &md5, padding, 48 );
561 md5_update( &md5, header, 11 );
562 md5_update( &md5, buf, len );
563 md5_finish( &md5, buf + len );
564
565 memset( padding, 0x5C, 48 );
566 md5_starts( &md5 );
567 md5_update( &md5, secret, 16 );
568 md5_update( &md5, padding, 48 );
569 md5_update( &md5, buf + len, 16 );
570 md5_finish( &md5, buf + len );
571}
572
573static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]574 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575 unsigned char *ctr, int type )
576{
577 unsigned char header[11];
578 unsigned char padding[40];
579 sha1_context sha1;
580
581 memcpy( header, ctr, 8 );
582 header[ 8] = (unsigned char) type;
583 header[ 9] = (unsigned char)( len >> 8 );
584 header[10] = (unsigned char)( len );
585
586 memset( padding, 0x36, 40 );
587 sha1_starts( &sha1 );
588 sha1_update( &sha1, secret, 20 );
589 sha1_update( &sha1, padding, 40 );
590 sha1_update( &sha1, header, 11 );
591 sha1_update( &sha1, buf, len );
592 sha1_finish( &sha1, buf + len );
593
594 memset( padding, 0x5C, 40 );
595 sha1_starts( &sha1 );
596 sha1_update( &sha1, secret, 20 );
597 sha1_update( &sha1, padding, 40 );
598 sha1_update( &sha1, buf + len, 20 );
599 sha1_finish( &sha1, buf + len );
600}
601
602/*
603 * Encryption/decryption functions
604 */
605static int ssl_encrypt_buf( ssl_context *ssl )
606{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]607 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608
609 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
610
611 /*
612 * Add MAC then encrypt
613 */
614 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
615 {
616 if( ssl->maclen == 16 )
617 ssl_mac_md5( ssl->mac_enc,
618 ssl->out_msg, ssl->out_msglen,
619 ssl->out_ctr, ssl->out_msgtype );
620
621 if( ssl->maclen == 20 )
622 ssl_mac_sha1( ssl->mac_enc,
623 ssl->out_msg, ssl->out_msglen,
624 ssl->out_ctr, ssl->out_msgtype );
625 }
626 else
627 {
628 if( ssl->maclen == 16 )
629 md5_hmac( ssl->mac_enc, 16,
630 ssl->out_ctr, ssl->out_msglen + 13,
631 ssl->out_msg + ssl->out_msglen );
632
633 if( ssl->maclen == 20 )
634 sha1_hmac( ssl->mac_enc, 20,
635 ssl->out_ctr, ssl->out_msglen + 13,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]636 ssl->out_msg + ssl->out_msglen );
637
638 if( ssl->maclen == 32 )
639 sha2_hmac( ssl->mac_enc, 32,
640 ssl->out_ctr, ssl->out_msglen + 13,
641 ssl->out_msg + ssl->out_msglen, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642 }
643
644 SSL_DEBUG_BUF( 4, "computed mac",
645 ssl->out_msg + ssl->out_msglen, ssl->maclen );
646
647 ssl->out_msglen += ssl->maclen;
648
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]649 for( i = 8; i > 0; i-- )
650 if( ++ssl->out_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651 break;
652
653 if( ssl->ivlen == 0 )
654 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655 padlen = 0;
656
657 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
658 "including %d bytes of padding",
659 ssl->out_msglen, 0 ) );
660
661 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
662 ssl->out_msg, ssl->out_msglen );
663
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]664#if defined(POLARSSL_ARC4_C)
665 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
666 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
667 {
668 arc4_crypt( (arc4_context *) ssl->ctx_enc,
669 ssl->out_msglen, ssl->out_msg,
670 ssl->out_msg );
671 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]673#if defined(POLARSSL_CIPHER_NULL_CIPHER)
674 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
675 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
676 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
677 {
678 } else
679#endif
680 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681 }
682 else
683 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]684 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]685 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]686
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
688 if( padlen == ssl->ivlen )
689 padlen = 0;
690
691 for( i = 0; i <= padlen; i++ )
692 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
693
694 ssl->out_msglen += padlen + 1;
695
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]696 enc_msglen = ssl->out_msglen;
697 enc_msg = ssl->out_msg;
698
699 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]700 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
701 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]702 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]703 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]704 {
705 /*
706 * Generate IV
707 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]708 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
709 if( ret != 0 )
710 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]711
712 /*
713 * Shift message for ivlen bytes and prepend IV
714 */
715 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
716 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
717
718 /*
719 * Fix pointer positions and message length with added IV
720 */
721 enc_msg = ssl->out_msg + ssl->ivlen;
722 enc_msglen = ssl->out_msglen;
723 ssl->out_msglen += ssl->ivlen;
724 }
725
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]727 "including %d bytes of IV and %d bytes of padding",
728 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]729
730 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
731 ssl->out_msg, ssl->out_msglen );
732
733 switch( ssl->ivlen )
734 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]735#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]736 case 8:
737#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
738 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
739 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
740 {
741 des_crypt_cbc( (des_context *) ssl->ctx_enc,
742 DES_ENCRYPT, enc_msglen,
743 ssl->iv_enc, enc_msg, enc_msg );
744 }
745 else
746#endif
747 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
748 DES_ENCRYPT, enc_msglen,
749 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750 break;
751#endif
752
753 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]754#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]755 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
756 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
757 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
758 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
759 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]760 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]761 AES_ENCRYPT, enc_msglen,
762 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]763 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]764 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]765#endif
766
767#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]768 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
769 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
770 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
771 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
772 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]773 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]774 CAMELLIA_ENCRYPT, enc_msglen,
775 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]776 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]777 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778#endif
779
780 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]781 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]782 }
783 }
784
785 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
786
787 return( 0 );
788}
789
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]790/*
791 * TODO: Use digest version when integrated!
792 */
793#define POLARSSL_SSL_MAX_MAC_SIZE 32
794
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]795static int ssl_decrypt_buf( ssl_context *ssl )
796{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]797 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]798 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]799
800 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
801
802 if( ssl->in_msglen < ssl->minlen )
803 {
804 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
805 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]806 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]807 }
808
809 if( ssl->ivlen == 0 )
810 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]811#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]813 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
814 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
815 {
816 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]817 ssl->in_msglen, ssl->in_msg,
818 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]819 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]820#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]821#if defined(POLARSSL_CIPHER_NULL_CIPHER)
822 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
823 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
824 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
825 {
826 } else
827#endif
828 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]829 }
830 else
831 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]832 unsigned char *dec_msg;
833 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]834 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]835
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836 /*
837 * Decrypt and check the padding
838 */
839 if( ssl->in_msglen % ssl->ivlen != 0 )
840 {
841 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
842 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]843 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]844 }
845
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]846 dec_msglen = ssl->in_msglen;
847 dec_msg = ssl->in_msg;
848 dec_msg_result = ssl->in_msg;
849
850 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]851 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]852 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]853 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]854 {
855 dec_msg += ssl->ivlen;
856 dec_msglen -= ssl->ivlen;
857 ssl->in_msglen -= ssl->ivlen;
858
859 for( i = 0; i < ssl->ivlen; i++ )
860 ssl->iv_dec[i] = ssl->in_msg[i];
861 }
862
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863 switch( ssl->ivlen )
864 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]865#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]867#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
868 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
869 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
870 {
871 des_crypt_cbc( (des_context *) ssl->ctx_dec,
872 DES_DECRYPT, dec_msglen,
873 ssl->iv_dec, dec_msg, dec_msg_result );
874 }
875 else
876#endif
877 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
878 DES_DECRYPT, dec_msglen,
879 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]880 break;
881#endif
882
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]884#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]885 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
886 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
887 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
888 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
889 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]890 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]891 AES_DECRYPT, dec_msglen,
892 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]893 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]894 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]895#endif
896
897#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]898 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
899 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
900 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
901 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
902 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]903 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]904 CAMELLIA_DECRYPT, dec_msglen,
905 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]906 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]907 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]908#endif
909
910 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]911 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]912 }
913
914 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
915
916 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
917 {
918 if( padlen > ssl->ivlen )
919 {
920 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
921 "should be no more than %d",
922 padlen, ssl->ivlen ) );
923 padlen = 0;
924 }
925 }
926 else
927 {
928 /*
929 * TLSv1: always check the padding
930 */
931 for( i = 1; i <= padlen; i++ )
932 {
933 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
934 {
935 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
936 "%02x, but is %02x", padlen - 1,
937 ssl->in_msg[ssl->in_msglen - i] ) );
938 padlen = 0;
939 }
940 }
941 }
942 }
943
944 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
945 ssl->in_msg, ssl->in_msglen );
946
947 /*
948 * Always compute the MAC (RFC4346, CBCTIME).
949 */
Paul Bakkerf34cf852012-04-10 07:48:40 +0000[diff] [blame]950 if( ssl->in_msglen < ssl->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]951 {
952 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
953 ssl->in_msglen, ssl->maclen, padlen ) );
954 return( POLARSSL_ERR_SSL_INVALID_MAC );
955 }
956
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957 ssl->in_msglen -= ( ssl->maclen + padlen );
958
959 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
960 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
961
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]962 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]963
964 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
965 {
966 if( ssl->maclen == 16 )
967 ssl_mac_md5( ssl->mac_dec,
968 ssl->in_msg, ssl->in_msglen,
969 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]970 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971 ssl_mac_sha1( ssl->mac_dec,
972 ssl->in_msg, ssl->in_msglen,
973 ssl->in_ctr, ssl->in_msgtype );
974 }
975 else
976 {
977 if( ssl->maclen == 16 )
978 md5_hmac( ssl->mac_dec, 16,
979 ssl->in_ctr, ssl->in_msglen + 13,
980 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]981 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 sha1_hmac( ssl->mac_dec, 20,
983 ssl->in_ctr, ssl->in_msglen + 13,
984 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]985 else if( ssl->maclen == 32 )
986 sha2_hmac( ssl->mac_dec, 32,
987 ssl->in_ctr, ssl->in_msglen + 13,
988 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]989 }
990
991 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
992 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
993 ssl->maclen );
994
995 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
996 ssl->maclen ) != 0 )
997 {
998 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]999 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000 }
1001
1002 /*
1003 * Finally check the padding length; bad padding
1004 * will produce the same error as an invalid MAC.
1005 */
1006 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1007 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1008
1009 if( ssl->in_msglen == 0 )
1010 {
1011 ssl->nb_zero++;
1012
1013 /*
1014 * Three or more empty messages may be a DoS attack
1015 * (excessive CPU consumption).
1016 */
1017 if( ssl->nb_zero > 3 )
1018 {
1019 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1020 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1021 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1022 }
1023 }
1024 else
1025 ssl->nb_zero = 0;
1026
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1027 for( i = 8; i > 0; i-- )
1028 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1029 break;
1030
1031 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1032
1033 return( 0 );
1034}
1035
1036/*
1037 * Fill the input message buffer
1038 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1039int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1040{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1041 int ret;
1042 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1043
1044 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1045
1046 while( ssl->in_left < nb_want )
1047 {
1048 len = nb_want - ssl->in_left;
1049 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1050
1051 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1052 ssl->in_left, nb_want ) );
1053 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1054
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1055 if( ret == 0 )
1056 return( POLARSSL_ERR_SSL_CONN_EOF );
1057
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058 if( ret < 0 )
1059 return( ret );
1060
1061 ssl->in_left += ret;
1062 }
1063
1064 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1065
1066 return( 0 );
1067}
1068
1069/*
1070 * Flush any data not yet written
1071 */
1072int ssl_flush_output( ssl_context *ssl )
1073{
1074 int ret;
1075 unsigned char *buf;
1076
1077 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1078
1079 while( ssl->out_left > 0 )
1080 {
1081 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1082 5 + ssl->out_msglen, ssl->out_left ) );
1083
1084 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1085 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1086 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1087
1088 if( ret <= 0 )
1089 return( ret );
1090
1091 ssl->out_left -= ret;
1092 }
1093
1094 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1095
1096 return( 0 );
1097}
1098
1099/*
1100 * Record layer functions
1101 */
1102int ssl_write_record( ssl_context *ssl )
1103{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1104 int ret;
1105 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1106
1107 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1108
1109 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1110 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1111 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1112 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1113 ssl->out_hdr[4] = (unsigned char)( len );
1114
1115 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1116 {
1117 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1118 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1119 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1120
1121 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
1122 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1123 sha2_update( &ssl->fin_sha2, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1124 }
1125
1126 if( ssl->do_crypt != 0 )
1127 {
1128 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1129 {
1130 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1131 return( ret );
1132 }
1133
1134 len = ssl->out_msglen;
1135 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1136 ssl->out_hdr[4] = (unsigned char)( len );
1137 }
1138
1139 ssl->out_left = 5 + ssl->out_msglen;
1140
1141 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1142 "version = [%d:%d], msglen = %d",
1143 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1144 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1145
1146 SSL_DEBUG_BUF( 4, "output record sent to network",
1147 ssl->out_hdr, 5 + ssl->out_msglen );
1148
1149 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1150 {
1151 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1152 return( ret );
1153 }
1154
1155 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1156
1157 return( 0 );
1158}
1159
1160int ssl_read_record( ssl_context *ssl )
1161{
1162 int ret;
1163
1164 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1165
1166 if( ssl->in_hslen != 0 &&
1167 ssl->in_hslen < ssl->in_msglen )
1168 {
1169 /*
1170 * Get next Handshake message in the current record
1171 */
1172 ssl->in_msglen -= ssl->in_hslen;
1173
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1174 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1175 ssl->in_msglen );
1176
1177 ssl->in_hslen = 4;
1178 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1179
1180 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1181 " %d, type = %d, hslen = %d",
1182 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1183
1184 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1185 {
1186 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1187 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1188 }
1189
1190 if( ssl->in_msglen < ssl->in_hslen )
1191 {
1192 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1193 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1194 }
1195
1196 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1197 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1198 sha2_update( &ssl->fin_sha2, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1199
1200 return( 0 );
1201 }
1202
1203 ssl->in_hslen = 0;
1204
1205 /*
1206 * Read the record header and validate it
1207 */
1208 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1209 {
1210 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1211 return( ret );
1212 }
1213
1214 ssl->in_msgtype = ssl->in_hdr[0];
1215 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1216
1217 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1218 "version = [%d:%d], msglen = %d",
1219 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1220 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1221
1222 if( ssl->in_hdr[1] != ssl->major_ver )
1223 {
1224 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1225 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226 }
1227
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1228 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1229 {
1230 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1231 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1232 }
1233
1234 /*
1235 * Make sure the message length is acceptable
1236 */
1237 if( ssl->do_crypt == 0 )
1238 {
1239 if( ssl->in_msglen < 1 ||
1240 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1241 {
1242 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1243 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244 }
1245 }
1246 else
1247 {
1248 if( ssl->in_msglen < ssl->minlen )
1249 {
1250 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1251 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252 }
1253
1254 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1255 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1256 {
1257 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1258 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1259 }
1260
1261 /*
1262 * TLS encrypted messages can have up to 256 bytes of padding
1263 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1264 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1265 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1266 {
1267 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1268 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269 }
1270 }
1271
1272 /*
1273 * Read and optionally decrypt the message contents
1274 */
1275 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1276 {
1277 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1278 return( ret );
1279 }
1280
1281 SSL_DEBUG_BUF( 4, "input record from network",
1282 ssl->in_hdr, 5 + ssl->in_msglen );
1283
1284 if( ssl->do_crypt != 0 )
1285 {
1286 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1287 {
1288 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1289 return( ret );
1290 }
1291
1292 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1293 ssl->in_msg, ssl->in_msglen );
1294
1295 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1296 {
1297 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1298 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299 }
1300 }
1301
1302 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1303 {
1304 ssl->in_hslen = 4;
1305 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1306
1307 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1308 " %d, type = %d, hslen = %d",
1309 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1310
1311 /*
1312 * Additional checks to validate the handshake header
1313 */
1314 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1315 {
1316 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1317 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318 }
1319
1320 if( ssl->in_msglen < ssl->in_hslen )
1321 {
1322 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1323 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1324 }
1325
1326 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1327 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1328 sha2_update( &ssl->fin_sha2, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329 }
1330
1331 if( ssl->in_msgtype == SSL_MSG_ALERT )
1332 {
1333 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1334 ssl->in_msg[0], ssl->in_msg[1] ) );
1335
1336 /*
1337 * Ignore non-fatal alerts, except close_notify
1338 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1339 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340 {
1341 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1342 /**
1343 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1344 * error identifier.
1345 */
1346 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347 }
1348
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1349 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1350 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351 {
1352 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1353 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1354 }
1355 }
1356
1357 ssl->in_left = 0;
1358
1359 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1360
1361 return( 0 );
1362}
1363
1364/*
1365 * Handshake functions
1366 */
1367int ssl_write_certificate( ssl_context *ssl )
1368{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1369 int ret;
1370 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1371 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1372
1373 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1374
1375 if( ssl->endpoint == SSL_IS_CLIENT )
1376 {
1377 if( ssl->client_auth == 0 )
1378 {
1379 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1380 ssl->state++;
1381 return( 0 );
1382 }
1383
1384 /*
1385 * If using SSLv3 and got no cert, send an Alert message
1386 * (otherwise an empty Certificate message will be sent).
1387 */
1388 if( ssl->own_cert == NULL &&
1389 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1390 {
1391 ssl->out_msglen = 2;
1392 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1393 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1394 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1395
1396 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1397 goto write_msg;
1398 }
1399 }
1400 else /* SSL_IS_SERVER */
1401 {
1402 if( ssl->own_cert == NULL )
1403 {
1404 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1405 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1406 }
1407 }
1408
1409 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1410
1411 /*
1412 * 0 . 0 handshake type
1413 * 1 . 3 handshake length
1414 * 4 . 6 length of all certs
1415 * 7 . 9 length of cert. 1
1416 * 10 . n-1 peer certificate
1417 * n . n+2 length of cert. 2
1418 * n+3 . ... upper level cert, etc.
1419 */
1420 i = 7;
1421 crt = ssl->own_cert;
1422
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1423 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1424 {
1425 n = crt->raw.len;
1426 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1427 {
1428 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1429 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1430 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1431 }
1432
1433 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1434 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1435 ssl->out_msg[i + 2] = (unsigned char)( n );
1436
1437 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1438 i += n; crt = crt->next;
1439 }
1440
1441 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1442 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1443 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1444
1445 ssl->out_msglen = i;
1446 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1447 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1448
1449write_msg:
1450
1451 ssl->state++;
1452
1453 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1454 {
1455 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1456 return( ret );
1457 }
1458
1459 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1460
1461 return( 0 );
1462}
1463
1464int ssl_parse_certificate( ssl_context *ssl )
1465{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1466 int ret;
1467 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1468
1469 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1470
1471 if( ssl->endpoint == SSL_IS_SERVER &&
1472 ssl->authmode == SSL_VERIFY_NONE )
1473 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1474 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1475 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1476 ssl->state++;
1477 return( 0 );
1478 }
1479
1480 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1481 {
1482 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1483 return( ret );
1484 }
1485
1486 ssl->state++;
1487
1488 /*
1489 * Check if the client sent an empty certificate
1490 */
1491 if( ssl->endpoint == SSL_IS_SERVER &&
1492 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1493 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1494 if( ssl->in_msglen == 2 &&
1495 ssl->in_msgtype == SSL_MSG_ALERT &&
1496 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1497 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1498 {
1499 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1500
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1501 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1502 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1503 return( 0 );
1504 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1505 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1506 }
1507 }
1508
1509 if( ssl->endpoint == SSL_IS_SERVER &&
1510 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1511 {
1512 if( ssl->in_hslen == 7 &&
1513 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1514 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1515 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1516 {
1517 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1518
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1519 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1520 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1521 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522 else
1523 return( 0 );
1524 }
1525 }
1526
1527 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1528 {
1529 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1530 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1531 }
1532
1533 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1534 {
1535 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1536 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1537 }
1538
1539 /*
1540 * Same message structure as in ssl_write_certificate()
1541 */
1542 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1543
1544 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1545 {
1546 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1547 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1548 }
1549
1550 if( ( ssl->peer_cert = (x509_cert *) malloc(
1551 sizeof( x509_cert ) ) ) == NULL )
1552 {
1553 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1554 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1555 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1556 }
1557
1558 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1559
1560 i = 7;
1561
1562 while( i < ssl->in_hslen )
1563 {
1564 if( ssl->in_msg[i] != 0 )
1565 {
1566 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1567 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1568 }
1569
1570 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1571 | (unsigned int) ssl->in_msg[i + 2];
1572 i += 3;
1573
1574 if( n < 128 || i + n > ssl->in_hslen )
1575 {
1576 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1577 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1578 }
1579
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1580 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1581 if( ret != 0 )
1582 {
1583 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1584 return( ret );
1585 }
1586
1587 i += n;
1588 }
1589
1590 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1591
1592 if( ssl->authmode != SSL_VERIFY_NONE )
1593 {
1594 if( ssl->ca_chain == NULL )
1595 {
1596 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1597 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1598 }
1599
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1600 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1601 ssl->peer_cn, &ssl->verify_result,
1602 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1603
1604 if( ret != 0 )
1605 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1606
1607 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1608 ret = 0;
1609 }
1610
1611 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1612
1613 return( ret );
1614}
1615
1616int ssl_write_change_cipher_spec( ssl_context *ssl )
1617{
1618 int ret;
1619
1620 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1621
1622 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1623 ssl->out_msglen = 1;
1624 ssl->out_msg[0] = 1;
1625
1626 ssl->do_crypt = 0;
1627 ssl->state++;
1628
1629 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1630 {
1631 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1632 return( ret );
1633 }
1634
1635 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1636
1637 return( 0 );
1638}
1639
1640int ssl_parse_change_cipher_spec( ssl_context *ssl )
1641{
1642 int ret;
1643
1644 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1645
1646 ssl->do_crypt = 0;
1647
1648 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1649 {
1650 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1651 return( ret );
1652 }
1653
1654 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1655 {
1656 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1657 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1658 }
1659
1660 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1661 {
1662 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1663 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1664 }
1665
1666 ssl->state++;
1667
1668 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1669
1670 return( 0 );
1671}
1672
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1673static void ssl_calc_finished_ssl(
1674 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1675{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1676 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1677 md5_context md5;
1678 sha1_context sha1;
1679
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1680 unsigned char padbuf[48];
1681 unsigned char md5sum[16];
1682 unsigned char sha1sum[20];
1683
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1684 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
1685
1686 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1687 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1688
1689 /*
1690 * SSLv3:
1691 * hash =
1692 * MD5( master + pad2 +
1693 * MD5( handshake + sender + master + pad1 ) )
1694 * + SHA1( master + pad2 +
1695 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696 */
1697
1698 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1699 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700
1701 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1702 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1703
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1704 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1705 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1706
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1707 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1708
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1709 md5_update( &md5, (unsigned char *) sender, 4 );
1710 md5_update( &md5, ssl->session->master, 48 );
1711 md5_update( &md5, padbuf, 48 );
1712 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1713
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1714 sha1_update( &sha1, (unsigned char *) sender, 4 );
1715 sha1_update( &sha1, ssl->session->master, 48 );
1716 sha1_update( &sha1, padbuf, 40 );
1717 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1718
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1719 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1720
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1721 md5_starts( &md5 );
1722 md5_update( &md5, ssl->session->master, 48 );
1723 md5_update( &md5, padbuf, 48 );
1724 md5_update( &md5, md5sum, 16 );
1725 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1726
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1727 sha1_starts( &sha1 );
1728 sha1_update( &sha1, ssl->session->master, 48 );
1729 sha1_update( &sha1, padbuf , 40 );
1730 sha1_update( &sha1, sha1sum, 20 );
1731 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1732
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1733 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1734
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1735 memset( &md5, 0, sizeof( md5_context ) );
1736 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1737
1738 memset( padbuf, 0, sizeof( padbuf ) );
1739 memset( md5sum, 0, sizeof( md5sum ) );
1740 memset( sha1sum, 0, sizeof( sha1sum ) );
1741
1742 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1743}
1744
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1745static void ssl_calc_finished_tls(
1746 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1748 int len = 12;
1749 char *sender;
1750 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1751 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1752 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1753
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1754 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1755
1756 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1757 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1758
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1759 /*
1760 * TLSv1:
1761 * hash = PRF( master, finished_label,
1762 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1763 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1764
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1765 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1766 md5.state, sizeof( md5.state ) );
1767
1768 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1769 sha1.state, sizeof( sha1.state ) );
1770
1771 sender = ( from == SSL_IS_CLIENT )
1772 ? (char *) "client finished"
1773 : (char *) "server finished";
1774
1775 md5_finish( &md5, padbuf );
1776 sha1_finish( &sha1, padbuf + 16 );
1777
1778 ssl->tls_prf( ssl->session->master, 48, sender,
1779 padbuf, 36, buf, len );
1780
1781 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1782
1783 memset( &md5, 0, sizeof( md5_context ) );
1784 memset( &sha1, 0, sizeof( sha1_context ) );
1785
1786 memset( padbuf, 0, sizeof( padbuf ) );
1787
1788 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1789}
1790
1791static void ssl_calc_finished_tls1_2(
1792 ssl_context *ssl, unsigned char *buf, int from )
1793{
1794 int len = 12;
1795 char *sender;
1796 sha2_context sha2;
1797 unsigned char padbuf[32];
1798
1799 SSL_DEBUG_MSG( 2, ( "=> calc finished tls 1.2" ) );
1800
1801 memcpy( &sha2, &ssl->fin_sha2, sizeof( sha2_context ) );
1802
1803 /*
1804 * TLSv1.2:
1805 * hash = PRF( master, finished_label,
1806 * Hash( handshake ) )[0.11]
1807 */
1808
1809 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
1810 sha2.state, sizeof( sha2.state ) );
1811
1812 sender = ( from == SSL_IS_CLIENT )
1813 ? (char *) "client finished"
1814 : (char *) "server finished";
1815
1816 sha2_finish( &sha2, padbuf );
1817
1818 ssl->tls_prf( ssl->session->master, 48, sender,
1819 padbuf, 32, buf, len );
1820
1821 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1822
1823 memset( &sha2, 0, sizeof( sha2_context ) );
1824
1825 memset( padbuf, 0, sizeof( padbuf ) );
1826
1827 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1828}
1829
1830int ssl_write_finished( ssl_context *ssl )
1831{
1832 int ret, hash_len;
1833
1834 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1835
1836 ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
1837
1838 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1840
1841 ssl->out_msglen = 4 + hash_len;
1842 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1843 ssl->out_msg[0] = SSL_HS_FINISHED;
1844
1845 /*
1846 * In case of session resuming, invert the client and server
1847 * ChangeCipherSpec messages order.
1848 */
1849 if( ssl->resume != 0 )
1850 {
1851 if( ssl->endpoint == SSL_IS_CLIENT )
1852 ssl->state = SSL_HANDSHAKE_OVER;
1853 else
1854 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1855 }
1856 else
1857 ssl->state++;
1858
1859 ssl->do_crypt = 1;
1860
1861 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1862 {
1863 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1864 return( ret );
1865 }
1866
1867 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1868
1869 return( 0 );
1870}
1871
1872int ssl_parse_finished( ssl_context *ssl )
1873{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1874 int ret;
1875 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876 unsigned char buf[36];
1877
1878 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1879
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1880 ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881
1882 ssl->do_crypt = 1;
1883
1884 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1885 {
1886 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1887 return( ret );
1888 }
1889
1890 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1891 {
1892 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1893 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1894 }
1895
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1896 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1898
1899 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1900 ssl->in_hslen != 4 + hash_len )
1901 {
1902 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1903 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904 }
1905
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1906 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1907 {
1908 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1909 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1910 }
1911
1912 if( ssl->resume != 0 )
1913 {
1914 if( ssl->endpoint == SSL_IS_CLIENT )
1915 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1916
1917 if( ssl->endpoint == SSL_IS_SERVER )
1918 ssl->state = SSL_HANDSHAKE_OVER;
1919 }
1920 else
1921 ssl->state++;
1922
1923 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1924
1925 return( 0 );
1926}
1927
1928/*
1929 * Initialize an SSL context
1930 */
1931int ssl_init( ssl_context *ssl )
1932{
1933 int len = SSL_BUFFER_LEN;
1934
1935 memset( ssl, 0, sizeof( ssl_context ) );
1936
1937 ssl->in_ctr = (unsigned char *) malloc( len );
1938 ssl->in_hdr = ssl->in_ctr + 8;
1939 ssl->in_msg = ssl->in_ctr + 13;
1940
1941 if( ssl->in_ctr == NULL )
1942 {
1943 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1944 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945 }
1946
1947 ssl->out_ctr = (unsigned char *) malloc( len );
1948 ssl->out_hdr = ssl->out_ctr + 8;
1949 ssl->out_msg = ssl->out_ctr + 13;
1950
1951 if( ssl->out_ctr == NULL )
1952 {
1953 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1954 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1955 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1956 }
1957
1958 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1959 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1960
1961 ssl->hostname = NULL;
1962 ssl->hostname_len = 0;
1963
1964 md5_starts( &ssl->fin_md5 );
1965 sha1_starts( &ssl->fin_sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]1966 sha2_starts( &ssl->fin_sha2, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967
1968 return( 0 );
1969}
1970
1971/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]1972 * Reset an initialized and used SSL context for re-use while retaining
1973 * all application-set variables, function pointers and data.
1974 */
1975void ssl_session_reset( ssl_context *ssl )
1976{
1977 ssl->state = SSL_HELLO_REQUEST;
1978
1979 ssl->in_offt = NULL;
1980
1981 ssl->in_msgtype = 0;
1982 ssl->in_msglen = 0;
1983 ssl->in_left = 0;
1984
1985 ssl->in_hslen = 0;
1986 ssl->nb_zero = 0;
1987
1988 ssl->out_msgtype = 0;
1989 ssl->out_msglen = 0;
1990 ssl->out_left = 0;
1991
1992 ssl->do_crypt = 0;
1993 ssl->pmslen = 0;
1994 ssl->keylen = 0;
1995 ssl->minlen = 0;
1996 ssl->ivlen = 0;
1997 ssl->maclen = 0;
1998
1999 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2000 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2001 memset( ssl->randbytes, 0, 64 );
2002 memset( ssl->premaster, 0, 256 );
2003 memset( ssl->iv_enc, 0, 16 );
2004 memset( ssl->iv_dec, 0, 16 );
2005 memset( ssl->mac_enc, 0, 32 );
2006 memset( ssl->mac_dec, 0, 32 );
2007 memset( ssl->ctx_enc, 0, 128 );
2008 memset( ssl->ctx_dec, 0, 128 );
2009
2010 md5_starts( &ssl->fin_md5 );
2011 sha1_starts( &ssl->fin_sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]2012 sha2_starts( &ssl->fin_sha2, 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2013}
2014
2015/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016 * SSL set accessors
2017 */
2018void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2019{
2020 ssl->endpoint = endpoint;
2021}
2022
2023void ssl_set_authmode( ssl_context *ssl, int authmode )
2024{
2025 ssl->authmode = authmode;
2026}
2027
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2028void ssl_set_verify( ssl_context *ssl,
2029 int (*f_vrfy)(void *, x509_cert *, int, int),
2030 void *p_vrfy )
2031{
2032 ssl->f_vrfy = f_vrfy;
2033 ssl->p_vrfy = p_vrfy;
2034}
2035
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2036void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2037 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038 void *p_rng )
2039{
2040 ssl->f_rng = f_rng;
2041 ssl->p_rng = p_rng;
2042}
2043
2044void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2045 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046 void *p_dbg )
2047{
2048 ssl->f_dbg = f_dbg;
2049 ssl->p_dbg = p_dbg;
2050}
2051
2052void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2053 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2054 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2055{
2056 ssl->f_recv = f_recv;
2057 ssl->f_send = f_send;
2058 ssl->p_recv = p_recv;
2059 ssl->p_send = p_send;
2060}
2061
2062void ssl_set_scb( ssl_context *ssl,
2063 int (*s_get)(ssl_context *),
2064 int (*s_set)(ssl_context *) )
2065{
2066 ssl->s_get = s_get;
2067 ssl->s_set = s_set;
2068}
2069
2070void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2071 ssl_session *session )
2072{
2073 ssl->resume = resume;
2074 ssl->timeout = timeout;
2075 ssl->session = session;
2076}
2077
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2078void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2079{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2080 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2081}
2082
2083void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2084 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2085{
2086 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2087 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2088 ssl->peer_cn = peer_cn;
2089}
2090
2091void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2092 rsa_context *rsa_key )
2093{
2094 ssl->own_cert = own_cert;
2095 ssl->rsa_key = rsa_key;
2096}
2097
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]2098#if defined(POLARSSL_PKCS11_C)
2099void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
2100 pkcs11_context *pkcs11_key )
2101{
2102 ssl->own_cert = own_cert;
2103 ssl->pkcs11_key = pkcs11_key;
2104}
2105#endif
2106
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2107int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108{
2109 int ret;
2110
2111 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2112 {
2113 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2114 return( ret );
2115 }
2116
2117 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2118 {
2119 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2120 return( ret );
2121 }
2122
2123 return( 0 );
2124}
2125
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2126int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
2127{
2128 int ret;
2129
2130 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2131 {
2132 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2133 return( ret );
2134 }
2135
2136 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2137 {
2138 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2139 return( ret );
2140 }
2141
2142 return( 0 );
2143}
2144
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2145int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146{
2147 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2148 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2149
2150 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2151 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2152
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2153 if( ssl->hostname == NULL )
2154 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2155
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156 memcpy( ssl->hostname, (unsigned char *) hostname,
2157 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2158
2159 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2160
2161 return( 0 );
2162}
2163
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2164void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2165{
2166 ssl->max_major_ver = major;
2167 ssl->max_minor_ver = minor;
2168}
2169
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2170/*
2171 * SSL get accessors
2172 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2173size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2174{
2175 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2176}
2177
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2178int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179{
2180 return( ssl->verify_result );
2181}
2182
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2183const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2184{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2185 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2186 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2187#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2188 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2189 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2190
2191 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2192 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2193#endif
2194
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2195#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2196 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2197 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198
2199 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2200 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2201#endif
2202
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2203#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2205 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2206
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2207 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2208 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2209
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2210 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2211 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2212
2213 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2214 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2215#endif
2216
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2217#if defined(POLARSSL_CAMELLIA_C)
2218 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2219 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2220
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2221 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2222 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2223
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2224 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2225 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2226
2227 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2228 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2229#endif
2230
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2231#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2232#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2233 case SSL_RSA_NULL_MD5:
2234 return( "SSL-RSA-NULL-MD5" );
2235 case SSL_RSA_NULL_SHA:
2236 return( "SSL-RSA-NULL-SHA" );
2237 case SSL_RSA_NULL_SHA256:
2238 return( "SSL-RSA-NULL-SHA256" );
2239#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2240
2241#if defined(POLARSSL_DES_C)
2242 case SSL_RSA_DES_SHA:
2243 return( "SSL-RSA-DES-SHA" );
2244 case SSL_EDH_RSA_DES_SHA:
2245 return( "SSL-EDH-RSA-DES-SHA" );
2246#endif
2247#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2248
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2249 default:
2250 break;
2251 }
2252
2253 return( "unknown" );
2254}
2255
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2256int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2257{
2258#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2259 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2260 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2261 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2262 return( SSL_RSA_RC4_128_SHA );
2263#endif
2264
2265#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2266 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2267 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2268 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2269 return( SSL_EDH_RSA_DES_168_SHA );
2270#endif
2271
2272#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2273 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2274 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2275 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2276 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2277 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2278 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2279 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2280 return( SSL_EDH_RSA_AES_256_SHA );
2281#endif
2282
2283#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2284 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2285 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2286 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2287 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2288 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2289 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2290 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2291 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
2292#endif
2293
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2294#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2295#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2296 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
2297 return( SSL_RSA_NULL_MD5 );
2298 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
2299 return( SSL_RSA_NULL_SHA );
2300 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
2301 return( SSL_RSA_NULL_SHA256 );
2302#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2303
2304#if defined(POLARSSL_DES_C)
2305 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
2306 return( SSL_RSA_DES_SHA );
2307 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
2308 return( SSL_EDH_RSA_DES_SHA );
2309#endif
2310#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2311
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2312 return( 0 );
2313}
2314
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2315const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2316{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2317 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2318}
2319
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2320const char *ssl_get_version( const ssl_context *ssl )
2321{
2322 switch( ssl->minor_ver )
2323 {
2324 case SSL_MINOR_VERSION_0:
2325 return( "SSLv3.0" );
2326
2327 case SSL_MINOR_VERSION_1:
2328 return( "TLSv1.0" );
2329
2330 case SSL_MINOR_VERSION_2:
2331 return( "TLSv1.1" );
2332
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame^]2333 case SSL_MINOR_VERSION_3:
2334 return( "TLSv1.2" );
2335
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2336 default:
2337 break;
2338 }
2339 return( "unknown" );
2340}
2341
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2342int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2343{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2344#if defined(POLARSSL_DHM_C)
2345#if defined(POLARSSL_AES_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2346 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2347 SSL_EDH_RSA_AES_256_SHA,
2348#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2349#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2350 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2351 SSL_EDH_RSA_CAMELLIA_256_SHA,
2352#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2353#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2354 SSL_EDH_RSA_DES_168_SHA,
2355#endif
2356#endif
2357
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2358#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2359 SSL_RSA_AES_256_SHA,
2360#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2361#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2362 SSL_RSA_CAMELLIA_256_SHA,
2363#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2364#if defined(POLARSSL_AES_C)
2365 SSL_RSA_AES_128_SHA,
2366#endif
2367#if defined(POLARSSL_CAMELLIA_C)
2368 SSL_RSA_CAMELLIA_128_SHA,
2369#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2370#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2371 SSL_RSA_DES_168_SHA,
2372#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2373#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2374 SSL_RSA_RC4_128_SHA,
2375 SSL_RSA_RC4_128_MD5,
2376#endif
2377 0
2378};
2379
2380/*
2381 * Perform the SSL handshake
2382 */
2383int ssl_handshake( ssl_context *ssl )
2384{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2385 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2386
2387 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
2388
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2389#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2390 if( ssl->endpoint == SSL_IS_CLIENT )
2391 ret = ssl_handshake_client( ssl );
2392#endif
2393
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2394#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2395 if( ssl->endpoint == SSL_IS_SERVER )
2396 ret = ssl_handshake_server( ssl );
2397#endif
2398
2399 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
2400
2401 return( ret );
2402}
2403
2404/*
2405 * Receive application data decrypted from the SSL layer
2406 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2407int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2408{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2409 int ret;
2410 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2411
2412 SSL_DEBUG_MSG( 2, ( "=> read" ) );
2413
2414 if( ssl->state != SSL_HANDSHAKE_OVER )
2415 {
2416 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2417 {
2418 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2419 return( ret );
2420 }
2421 }
2422
2423 if( ssl->in_offt == NULL )
2424 {
2425 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2426 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2427 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2428 return( 0 );
2429
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2430 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2431 return( ret );
2432 }
2433
2434 if( ssl->in_msglen == 0 &&
2435 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
2436 {
2437 /*
2438 * OpenSSL sends empty messages to randomize the IV
2439 */
2440 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2441 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2442 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2443 return( 0 );
2444
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2445 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2446 return( ret );
2447 }
2448 }
2449
2450 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2451 {
2452 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2453 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2454 }
2455
2456 ssl->in_offt = ssl->in_msg;
2457 }
2458
2459 n = ( len < ssl->in_msglen )
2460 ? len : ssl->in_msglen;
2461
2462 memcpy( buf, ssl->in_offt, n );
2463 ssl->in_msglen -= n;
2464
2465 if( ssl->in_msglen == 0 )
2466 /* all bytes consumed */
2467 ssl->in_offt = NULL;
2468 else
2469 /* more data available */
2470 ssl->in_offt += n;
2471
2472 SSL_DEBUG_MSG( 2, ( "<= read" ) );
2473
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2474 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2475}
2476
2477/*
2478 * Send application data to be encrypted by the SSL layer
2479 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2480int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2481{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2482 int ret;
2483 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2484
2485 SSL_DEBUG_MSG( 2, ( "=> write" ) );
2486
2487 if( ssl->state != SSL_HANDSHAKE_OVER )
2488 {
2489 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2490 {
2491 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2492 return( ret );
2493 }
2494 }
2495
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2496 n = ( len < SSL_MAX_CONTENT_LEN )
2497 ? len : SSL_MAX_CONTENT_LEN;
2498
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2499 if( ssl->out_left != 0 )
2500 {
2501 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2502 {
2503 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2504 return( ret );
2505 }
2506 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2507 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]2508 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2509 ssl->out_msglen = n;
2510 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
2511 memcpy( ssl->out_msg, buf, n );
2512
2513 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2514 {
2515 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2516 return( ret );
2517 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2518 }
2519
2520 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2521
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2522 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2523}
2524
2525/*
2526 * Notify the peer that the connection is being closed
2527 */
2528int ssl_close_notify( ssl_context *ssl )
2529{
2530 int ret;
2531
2532 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
2533
2534 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2535 {
2536 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2537 return( ret );
2538 }
2539
2540 if( ssl->state == SSL_HANDSHAKE_OVER )
2541 {
2542 ssl->out_msgtype = SSL_MSG_ALERT;
2543 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2544 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2545 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2546
2547 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2548 {
2549 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2550 return( ret );
2551 }
2552 }
2553
2554 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2555
2556 return( ret );
2557}
2558
2559/*
2560 * Free an SSL context
2561 */
2562void ssl_free( ssl_context *ssl )
2563{
2564 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2565
2566 if( ssl->peer_cert != NULL )
2567 {
2568 x509_free( ssl->peer_cert );
2569 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2570 free( ssl->peer_cert );
2571 }
2572
2573 if( ssl->out_ctr != NULL )
2574 {
2575 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2576 free( ssl->out_ctr );
2577 }
2578
2579 if( ssl->in_ctr != NULL )
2580 {
2581 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2582 free( ssl->in_ctr );
2583 }
2584
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2585#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2586 dhm_free( &ssl->dhm_ctx );
2587#endif
2588
2589 if ( ssl->hostname != NULL)
2590 {
2591 memset( ssl->hostname, 0, ssl->hostname_len );
2592 free( ssl->hostname );
2593 ssl->hostname_len = 0;
2594 }
2595
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2596 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2597
2598 /* Actually free after last debug message */
2599 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2600}
2601
2602#endif