TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2770fbd651918f64881339e162edbbd261624a59 / . / library / ssl_tls.c
blob: a458e6287840290e65d647702eef279e449350ed [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]46#if defined(POLARSSL_GCM_C)
47#include "polarssl/gcm.h"
48#endif
49
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50#include <stdlib.h>
51#include <time.h>
52
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]53#if defined _MSC_VER && !defined strcasecmp
54#define strcasecmp _stricmp
55#endif
56
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]57#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58int (*ssl_hw_record_init)(ssl_context *ssl,
59 const unsigned char *key_enc, const unsigned char *key_dec,
60 const unsigned char *iv_enc, const unsigned char *iv_dec,
61 const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
62int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
63int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
64int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
65int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
66#endif
67
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68/*
69 * Key material generation
70 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]71static int tls1_prf( unsigned char *secret, size_t slen, char *label,
72 unsigned char *random, size_t rlen,
73 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]74{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]75 size_t nb, hs;
76 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77 unsigned char *S1, *S2;
78 unsigned char tmp[128];
79 unsigned char h_i[20];
80
81 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]82 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]83
84 hs = ( slen + 1 ) / 2;
85 S1 = secret;
86 S2 = secret + slen - hs;
87
88 nb = strlen( label );
89 memcpy( tmp + 20, label, nb );
90 memcpy( tmp + 20 + nb, random, rlen );
91 nb += rlen;
92
93 /*
94 * First compute P_md5(secret,label+random)[0..dlen]
95 */
96 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
97
98 for( i = 0; i < dlen; i += 16 )
99 {
100 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
101 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
102
103 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
104
105 for( j = 0; j < k; j++ )
106 dstbuf[i + j] = h_i[j];
107 }
108
109 /*
110 * XOR out with P_sha1(secret,label+random)[0..dlen]
111 */
112 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
113
114 for( i = 0; i < dlen; i += 20 )
115 {
116 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
117 sha1_hmac( S2, hs, tmp, 20, tmp );
118
119 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
120
121 for( j = 0; j < k; j++ )
122 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
123 }
124
125 memset( tmp, 0, sizeof( tmp ) );
126 memset( h_i, 0, sizeof( h_i ) );
127
128 return( 0 );
129}
130
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]131static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
132 unsigned char *random, size_t rlen,
133 unsigned char *dstbuf, size_t dlen )
134{
135 size_t nb;
136 size_t i, j, k;
137 unsigned char tmp[128];
138 unsigned char h_i[32];
139
140 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
141 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
142
143 nb = strlen( label );
144 memcpy( tmp + 32, label, nb );
145 memcpy( tmp + 32 + nb, random, rlen );
146 nb += rlen;
147
148 /*
149 * Compute P_<hash>(secret, label + random)[0..dlen]
150 */
151 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
152
153 for( i = 0; i < dlen; i += 32 )
154 {
155 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
156 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
157
158 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
159
160 for( j = 0; j < k; j++ )
161 dstbuf[i + j] = h_i[j];
162 }
163
164 memset( tmp, 0, sizeof( tmp ) );
165 memset( h_i, 0, sizeof( h_i ) );
166
167 return( 0 );
168}
169
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]170static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
171 unsigned char *random, size_t rlen,
172 unsigned char *dstbuf, size_t dlen )
173{
174 size_t nb;
175 size_t i, j, k;
176 unsigned char tmp[128];
177 unsigned char h_i[48];
178
179 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
180 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
181
182 nb = strlen( label );
183 memcpy( tmp + 48, label, nb );
184 memcpy( tmp + 48 + nb, random, rlen );
185 nb += rlen;
186
187 /*
188 * Compute P_<hash>(secret, label + random)[0..dlen]
189 */
190 sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
191
192 for( i = 0; i < dlen; i += 48 )
193 {
194 sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
195 sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
196
197 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
198
199 for( j = 0; j < k; j++ )
200 dstbuf[i + j] = h_i[j];
201 }
202
203 memset( tmp, 0, sizeof( tmp ) );
204 memset( h_i, 0, sizeof( h_i ) );
205
206 return( 0 );
207}
208
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]209static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
210static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
211static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
212static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
213
214static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
215static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
216static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
217static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
218
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]219static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
220static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
221static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
222static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224int ssl_derive_keys( ssl_context *ssl )
225{
226 int i;
227 md5_context md5;
228 sha1_context sha1;
229 unsigned char tmp[64];
230 unsigned char padding[16];
231 unsigned char sha1sum[20];
232 unsigned char keyblk[256];
233 unsigned char *key1;
234 unsigned char *key2;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]235 unsigned int iv_copy_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236
237 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
238
239 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]240 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]241 */
242 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]243 {
244 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]245 ssl->calc_verify = ssl_calc_verify_ssl;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]246 ssl->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]247 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]248 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]249 {
250 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]251 ssl->calc_verify = ssl_calc_verify_tls;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]252 ssl->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]253 }
254 else if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
255 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
256 {
257 ssl->tls_prf = tls_prf_sha384;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]258 ssl->calc_verify = ssl_calc_verify_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]259 ssl->calc_finished = ssl_calc_finished_tls_sha384;
260 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]261 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]262 {
263 ssl->tls_prf = tls_prf_sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]264 ssl->calc_verify = ssl_calc_verify_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]265 ssl->calc_finished = ssl_calc_finished_tls_sha256;
266 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]267
268 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]269 * SSLv3:
270 * master =
271 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
272 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
273 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
274 *
275 * TLSv1:
276 * master = PRF( premaster, "master secret", randbytes )[0..47]
277 */
278 if( ssl->resume == 0 )
279 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]280 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281
282 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
283
284 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
285 {
286 for( i = 0; i < 3; i++ )
287 {
288 memset( padding, 'A' + i, 1 + i );
289
290 sha1_starts( &sha1 );
291 sha1_update( &sha1, padding, 1 + i );
292 sha1_update( &sha1, ssl->premaster, len );
293 sha1_update( &sha1, ssl->randbytes, 64 );
294 sha1_finish( &sha1, sha1sum );
295
296 md5_starts( &md5 );
297 md5_update( &md5, ssl->premaster, len );
298 md5_update( &md5, sha1sum, 20 );
299 md5_finish( &md5, ssl->session->master + i * 16 );
300 }
301 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]302 else
303 ssl->tls_prf( ssl->premaster, len, "master secret",
304 ssl->randbytes, 64, ssl->session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]305
306 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
307 }
308 else
309 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
310
311 /*
312 * Swap the client and server random values.
313 */
314 memcpy( tmp, ssl->randbytes, 64 );
315 memcpy( ssl->randbytes, tmp + 32, 32 );
316 memcpy( ssl->randbytes + 32, tmp, 32 );
317 memset( tmp, 0, sizeof( tmp ) );
318
319 /*
320 * SSLv3:
321 * key block =
322 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
323 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
324 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
325 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
326 * ...
327 *
328 * TLSv1:
329 * key block = PRF( master, "key expansion", randbytes )
330 */
331 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
332 {
333 for( i = 0; i < 16; i++ )
334 {
335 memset( padding, 'A' + i, 1 + i );
336
337 sha1_starts( &sha1 );
338 sha1_update( &sha1, padding, 1 + i );
339 sha1_update( &sha1, ssl->session->master, 48 );
340 sha1_update( &sha1, ssl->randbytes, 64 );
341 sha1_finish( &sha1, sha1sum );
342
343 md5_starts( &md5 );
344 md5_update( &md5, ssl->session->master, 48 );
345 md5_update( &md5, sha1sum, 20 );
346 md5_finish( &md5, keyblk + i * 16 );
347 }
348
349 memset( &md5, 0, sizeof( md5 ) );
350 memset( &sha1, 0, sizeof( sha1 ) );
351
352 memset( padding, 0, sizeof( padding ) );
353 memset( sha1sum, 0, sizeof( sha1sum ) );
354 }
355 else
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]356 ssl->tls_prf( ssl->session->master, 48, "key expansion",
357 ssl->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]359 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
361 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
362 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
363
364 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
365
366 /*
367 * Determine the appropriate key, IV and MAC length.
368 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]369 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]370 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]371#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]372 case SSL_RSA_RC4_128_MD5:
373 ssl->keylen = 16; ssl->minlen = 16;
374 ssl->ivlen = 0; ssl->maclen = 16;
375 break;
376
377 case SSL_RSA_RC4_128_SHA:
378 ssl->keylen = 16; ssl->minlen = 20;
379 ssl->ivlen = 0; ssl->maclen = 20;
380 break;
381#endif
382
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]383#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384 case SSL_RSA_DES_168_SHA:
385 case SSL_EDH_RSA_DES_168_SHA:
386 ssl->keylen = 24; ssl->minlen = 24;
387 ssl->ivlen = 8; ssl->maclen = 20;
388 break;
389#endif
390
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]391#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]393 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394 ssl->keylen = 16; ssl->minlen = 32;
395 ssl->ivlen = 16; ssl->maclen = 20;
396 break;
397
398 case SSL_RSA_AES_256_SHA:
399 case SSL_EDH_RSA_AES_256_SHA:
400 ssl->keylen = 32; ssl->minlen = 32;
401 ssl->ivlen = 16; ssl->maclen = 20;
402 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]403
404#if defined(POLARSSL_SHA2_C)
405 case SSL_RSA_AES_128_SHA256:
406 case SSL_EDH_RSA_AES_128_SHA256:
407 ssl->keylen = 16; ssl->minlen = 32;
408 ssl->ivlen = 16; ssl->maclen = 32;
409 break;
410
411 case SSL_RSA_AES_256_SHA256:
412 case SSL_EDH_RSA_AES_256_SHA256:
413 ssl->keylen = 32; ssl->minlen = 32;
414 ssl->ivlen = 16; ssl->maclen = 32;
415 break;
416#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]417#if defined(POLARSSL_GCM_C)
418 case SSL_RSA_AES_128_GCM_SHA256:
419 case SSL_EDH_RSA_AES_128_GCM_SHA256:
420 ssl->keylen = 16; ssl->minlen = 1;
421 ssl->ivlen = 12; ssl->maclen = 0;
422 ssl->fixed_ivlen = 4;
423 break;
424
425 case SSL_RSA_AES_256_GCM_SHA384:
426 case SSL_EDH_RSA_AES_256_GCM_SHA384:
427 ssl->keylen = 32; ssl->minlen = 1;
428 ssl->ivlen = 12; ssl->maclen = 0;
429 ssl->fixed_ivlen = 4;
430 break;
431#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]432#endif
433
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]434#if defined(POLARSSL_CAMELLIA_C)
435 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]436 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]437 ssl->keylen = 16; ssl->minlen = 32;
438 ssl->ivlen = 16; ssl->maclen = 20;
439 break;
440
441 case SSL_RSA_CAMELLIA_256_SHA:
442 case SSL_EDH_RSA_CAMELLIA_256_SHA:
443 ssl->keylen = 32; ssl->minlen = 32;
444 ssl->ivlen = 16; ssl->maclen = 20;
445 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]446
447#if defined(POLARSSL_SHA2_C)
448 case SSL_RSA_CAMELLIA_128_SHA256:
449 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
450 ssl->keylen = 16; ssl->minlen = 32;
451 ssl->ivlen = 16; ssl->maclen = 32;
452 break;
453
454 case SSL_RSA_CAMELLIA_256_SHA256:
455 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
456 ssl->keylen = 32; ssl->minlen = 32;
457 ssl->ivlen = 16; ssl->maclen = 32;
458 break;
459#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]460#endif
461
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]462#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
463#if defined(POLARSSL_CIPHER_NULL_CIPHER)
464 case SSL_RSA_NULL_MD5:
465 ssl->keylen = 0; ssl->minlen = 0;
466 ssl->ivlen = 0; ssl->maclen = 16;
467 break;
468
469 case SSL_RSA_NULL_SHA:
470 ssl->keylen = 0; ssl->minlen = 0;
471 ssl->ivlen = 0; ssl->maclen = 20;
472 break;
473
474 case SSL_RSA_NULL_SHA256:
475 ssl->keylen = 0; ssl->minlen = 0;
476 ssl->ivlen = 0; ssl->maclen = 32;
477 break;
478#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
479
480#if defined(POLARSSL_DES_C)
481 case SSL_RSA_DES_SHA:
482 case SSL_EDH_RSA_DES_SHA:
483 ssl->keylen = 8; ssl->minlen = 8;
484 ssl->ivlen = 8; ssl->maclen = 20;
485 break;
486#endif
487#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
488
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]490 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
491 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]492 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493 }
494
495 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
496 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
497
498 /*
499 * Finally setup the cipher contexts, IVs and MAC secrets.
500 */
501 if( ssl->endpoint == SSL_IS_CLIENT )
502 {
503 key1 = keyblk + ssl->maclen * 2;
504 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
505
506 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
507 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
508
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]509 /*
510 * This is not used in TLS v1.1.
511 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]512 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
513 memcpy( ssl->iv_enc, key2 + ssl->keylen, iv_copy_len );
514 memcpy( ssl->iv_dec, key2 + ssl->keylen + iv_copy_len,
515 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516 }
517 else
518 {
519 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
520 key2 = keyblk + ssl->maclen * 2;
521
522 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
523 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
524
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]525 /*
526 * This is not used in TLS v1.1.
527 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]528 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
529 memcpy( ssl->iv_dec, key1 + ssl->keylen, iv_copy_len );
530 memcpy( ssl->iv_enc, key1 + ssl->keylen + iv_copy_len,
531 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]532 }
533
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]534#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
535 if( ssl_hw_record_init != NULL)
536 {
537 int ret = 0;
538
539 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
540
541 if( ( ret = ssl_hw_record_init( ssl, key1, key2, ssl->iv_enc,
542 ssl->iv_dec, ssl->mac_enc,
543 ssl->mac_dec ) ) != 0 )
544 {
545 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
546 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
547 }
548 }
549#endif
550
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]551 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]553#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554 case SSL_RSA_RC4_128_MD5:
555 case SSL_RSA_RC4_128_SHA:
556 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
557 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
558 break;
559#endif
560
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]561#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562 case SSL_RSA_DES_168_SHA:
563 case SSL_EDH_RSA_DES_168_SHA:
564 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
565 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
566 break;
567#endif
568
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]569#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]571 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]572 case SSL_RSA_AES_128_SHA256:
573 case SSL_EDH_RSA_AES_128_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
575 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
576 break;
577
578 case SSL_RSA_AES_256_SHA:
579 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]580 case SSL_RSA_AES_256_SHA256:
581 case SSL_EDH_RSA_AES_256_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
583 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
584 break;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]585
586#if defined(POLARSSL_GCM_C)
587 case SSL_RSA_AES_128_GCM_SHA256:
588 case SSL_EDH_RSA_AES_128_GCM_SHA256:
589 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 128 );
590 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 128 );
591 break;
592
593 case SSL_RSA_AES_256_GCM_SHA384:
594 case SSL_EDH_RSA_AES_256_GCM_SHA384:
595 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 256 );
596 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 256 );
597 break;
598#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599#endif
600
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]601#if defined(POLARSSL_CAMELLIA_C)
602 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]603 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]604 case SSL_RSA_CAMELLIA_128_SHA256:
605 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]606 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
607 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
608 break;
609
610 case SSL_RSA_CAMELLIA_256_SHA:
611 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]612 case SSL_RSA_CAMELLIA_256_SHA256:
613 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]614 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
615 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
616 break;
617#endif
618
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]619#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
620#if defined(POLARSSL_CIPHER_NULL_CIPHER)
621 case SSL_RSA_NULL_MD5:
622 case SSL_RSA_NULL_SHA:
623 case SSL_RSA_NULL_SHA256:
624 break;
625#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
626
627#if defined(POLARSSL_DES_C)
628 case SSL_RSA_DES_SHA:
629 case SSL_EDH_RSA_DES_SHA:
630 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
631 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
632 break;
633#endif
634#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
635
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]637 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]638 }
639
640 memset( keyblk, 0, sizeof( keyblk ) );
641
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]642#if defined(POLARSSL_ZLIB_SUPPORT)
643 // Initialize compression
644 //
645 if( ssl->session->compression == SSL_COMPRESS_DEFLATE )
646 {
647 SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
648
649 memset( &ssl->ctx_deflate, 0, sizeof( ssl->ctx_deflate ) );
650 memset( &ssl->ctx_inflate, 0, sizeof( ssl->ctx_inflate ) );
651
652 if( deflateInit( &ssl->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
653 inflateInit( &ssl->ctx_inflate ) != Z_OK )
654 {
655 SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
656 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
657 }
658 }
659#endif /* POLARSSL_ZLIB_SUPPORT */
660
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
662
663 return( 0 );
664}
665
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]666void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667{
668 md5_context md5;
669 sha1_context sha1;
670 unsigned char pad_1[48];
671 unsigned char pad_2[48];
672
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]673 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]675 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
676 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
677 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]678
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]679 memset( pad_1, 0x36, 48 );
680 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]682 md5_update( &md5, ssl->session->master, 48 );
683 md5_update( &md5, pad_1, 48 );
684 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]686 md5_starts( &md5 );
687 md5_update( &md5, ssl->session->master, 48 );
688 md5_update( &md5, pad_2, 48 );
689 md5_update( &md5, hash, 16 );
690 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]692 sha1_update( &sha1, ssl->session->master, 48 );
693 sha1_update( &sha1, pad_1, 40 );
694 sha1_finish( &sha1, hash + 16 );
695
696 sha1_starts( &sha1 );
697 sha1_update( &sha1, ssl->session->master, 48 );
698 sha1_update( &sha1, pad_2, 40 );
699 sha1_update( &sha1, hash + 16, 20 );
700 sha1_finish( &sha1, hash + 16 );
701
702 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
703 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
704
705 return;
706}
707
708void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
709{
710 md5_context md5;
711 sha1_context sha1;
712
713 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
714
715 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
716 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
717 sizeof( sha1_context ) );
718
719 md5_finish( &md5, hash );
720 sha1_finish( &sha1, hash + 16 );
721
722 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
723 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
724
725 return;
726}
727
728void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
729{
730 sha2_context sha2;
731
732 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
733
734 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
735 sha2_finish( &sha2, hash );
736
737 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
738 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
739
740 return;
741}
742
743void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
744{
745 sha4_context sha4;
746
747 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
748
749 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
750 sha4_finish( &sha4, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]751
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]752 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
754
755 return;
756}
757
758/*
759 * SSLv3.0 MAC functions
760 */
761static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]762 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]763 unsigned char *ctr, int type )
764{
765 unsigned char header[11];
766 unsigned char padding[48];
767 md5_context md5;
768
769 memcpy( header, ctr, 8 );
770 header[ 8] = (unsigned char) type;
771 header[ 9] = (unsigned char)( len >> 8 );
772 header[10] = (unsigned char)( len );
773
774 memset( padding, 0x36, 48 );
775 md5_starts( &md5 );
776 md5_update( &md5, secret, 16 );
777 md5_update( &md5, padding, 48 );
778 md5_update( &md5, header, 11 );
779 md5_update( &md5, buf, len );
780 md5_finish( &md5, buf + len );
781
782 memset( padding, 0x5C, 48 );
783 md5_starts( &md5 );
784 md5_update( &md5, secret, 16 );
785 md5_update( &md5, padding, 48 );
786 md5_update( &md5, buf + len, 16 );
787 md5_finish( &md5, buf + len );
788}
789
790static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]791 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]792 unsigned char *ctr, int type )
793{
794 unsigned char header[11];
795 unsigned char padding[40];
796 sha1_context sha1;
797
798 memcpy( header, ctr, 8 );
799 header[ 8] = (unsigned char) type;
800 header[ 9] = (unsigned char)( len >> 8 );
801 header[10] = (unsigned char)( len );
802
803 memset( padding, 0x36, 40 );
804 sha1_starts( &sha1 );
805 sha1_update( &sha1, secret, 20 );
806 sha1_update( &sha1, padding, 40 );
807 sha1_update( &sha1, header, 11 );
808 sha1_update( &sha1, buf, len );
809 sha1_finish( &sha1, buf + len );
810
811 memset( padding, 0x5C, 40 );
812 sha1_starts( &sha1 );
813 sha1_update( &sha1, secret, 20 );
814 sha1_update( &sha1, padding, 40 );
815 sha1_update( &sha1, buf + len, 20 );
816 sha1_finish( &sha1, buf + len );
817}
818
819/*
820 * Encryption/decryption functions
821 */
822static int ssl_encrypt_buf( ssl_context *ssl )
823{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]824 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825
826 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
827
828 /*
829 * Add MAC then encrypt
830 */
831 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
832 {
833 if( ssl->maclen == 16 )
834 ssl_mac_md5( ssl->mac_enc,
835 ssl->out_msg, ssl->out_msglen,
836 ssl->out_ctr, ssl->out_msgtype );
837
838 if( ssl->maclen == 20 )
839 ssl_mac_sha1( ssl->mac_enc,
840 ssl->out_msg, ssl->out_msglen,
841 ssl->out_ctr, ssl->out_msgtype );
842 }
843 else
844 {
845 if( ssl->maclen == 16 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]846 {
847 md5_context ctx;
848 md5_hmac_starts( &ctx, ssl->mac_enc, 16 );
849 md5_hmac_update( &ctx, ssl->out_ctr, 13 );
850 md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
851 md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
852 memset( &ctx, 0, sizeof(md5_context));
853 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]854
855 if( ssl->maclen == 20 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]856 {
857 sha1_context ctx;
858 sha1_hmac_starts( &ctx, ssl->mac_enc, 20 );
859 sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
860 sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
861 sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
862 memset( &ctx, 0, sizeof(sha1_context));
863 }
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]864
865 if( ssl->maclen == 32 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]866 {
867 sha2_context ctx;
868 sha2_hmac_starts( &ctx, ssl->mac_enc, 32, 0 );
869 sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
870 sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
871 sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
872 memset( &ctx, 0, sizeof(sha2_context));
873 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]874 }
875
876 SSL_DEBUG_BUF( 4, "computed mac",
877 ssl->out_msg + ssl->out_msglen, ssl->maclen );
878
879 ssl->out_msglen += ssl->maclen;
880
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]881 if( ssl->ivlen == 0 )
882 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883 padlen = 0;
884
885 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
886 "including %d bytes of padding",
887 ssl->out_msglen, 0 ) );
888
889 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
890 ssl->out_msg, ssl->out_msglen );
891
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]892#if defined(POLARSSL_ARC4_C)
893 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
894 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
895 {
896 arc4_crypt( (arc4_context *) ssl->ctx_enc,
897 ssl->out_msglen, ssl->out_msg,
898 ssl->out_msg );
899 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]900#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]901#if defined(POLARSSL_CIPHER_NULL_CIPHER)
902 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
903 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
904 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
905 {
906 } else
907#endif
908 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]909 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]910 else if( ssl->ivlen == 12 )
911 {
912 size_t enc_msglen;
913 unsigned char *enc_msg;
914 unsigned char add_data[13];
915 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
916
917 padlen = 0;
918 enc_msglen = ssl->out_msglen;
919
920 memcpy( add_data, ssl->out_ctr, 8 );
921 add_data[8] = ssl->out_msgtype;
922 add_data[9] = ssl->major_ver;
923 add_data[10] = ssl->minor_ver;
924 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
925 add_data[12] = ssl->out_msglen & 0xFF;
926
927 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
928 add_data, 13 );
929
930#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
931
932 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
933 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
934 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
935 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
936 {
937 /*
938 * Generate IV
939 */
940 ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc + ssl->fixed_ivlen,
941 ssl->ivlen - ssl->fixed_ivlen );
942 if( ret != 0 )
943 return( ret );
944
945 /*
946 * Shift message for ivlen bytes and prepend IV
947 */
948 memmove( ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen,
949 ssl->out_msg, ssl->out_msglen );
950 memcpy( ssl->out_msg, ssl->iv_enc + ssl->fixed_ivlen,
951 ssl->ivlen - ssl->fixed_ivlen );
952
953 /*
954 * Fix pointer positions and message length with added IV
955 */
956 enc_msg = ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen;
957 enc_msglen = ssl->out_msglen;
958 ssl->out_msglen += ssl->ivlen - ssl->fixed_ivlen;
959
960 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
961 "including %d bytes of padding",
962 ssl->out_msglen, 0 ) );
963
964 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
965 ssl->out_msg, ssl->out_msglen );
966
967 /*
968 * Adjust for tag
969 */
970 ssl->out_msglen += 16;
971
972 gcm_crypt_and_tag( (gcm_context *) ssl->ctx_enc,
973 GCM_ENCRYPT, enc_msglen,
974 ssl->iv_enc, ssl->ivlen,
975 add_data, 13,
976 enc_msg, enc_msg,
977 16, enc_msg + enc_msglen );
978
979 SSL_DEBUG_BUF( 4, "after encrypt: tag",
980 enc_msg + enc_msglen, 16 );
981
982 } else
983#endif
984 return( ret );
985 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]986 else
987 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]988 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]989 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]990
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]991 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
992 if( padlen == ssl->ivlen )
993 padlen = 0;
994
995 for( i = 0; i <= padlen; i++ )
996 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
997
998 ssl->out_msglen += padlen + 1;
999
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1000 enc_msglen = ssl->out_msglen;
1001 enc_msg = ssl->out_msg;
1002
1003 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1004 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1005 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1006 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1007 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1008 {
1009 /*
1010 * Generate IV
1011 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1012 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
1013 if( ret != 0 )
1014 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1015
1016 /*
1017 * Shift message for ivlen bytes and prepend IV
1018 */
1019 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
1020 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
1021
1022 /*
1023 * Fix pointer positions and message length with added IV
1024 */
1025 enc_msg = ssl->out_msg + ssl->ivlen;
1026 enc_msglen = ssl->out_msglen;
1027 ssl->out_msglen += ssl->ivlen;
1028 }
1029
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1031 "including %d bytes of IV and %d bytes of padding",
1032 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1033
1034 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1035 ssl->out_msg, ssl->out_msglen );
1036
1037 switch( ssl->ivlen )
1038 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1039#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1040 case 8:
1041#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1042 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1043 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1044 {
1045 des_crypt_cbc( (des_context *) ssl->ctx_enc,
1046 DES_ENCRYPT, enc_msglen,
1047 ssl->iv_enc, enc_msg, enc_msg );
1048 }
1049 else
1050#endif
1051 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
1052 DES_ENCRYPT, enc_msglen,
1053 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1054 break;
1055#endif
1056
1057 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1058#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1059 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1060 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1061 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1062 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1063 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1064 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1065 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1066 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1067 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1068 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1069 AES_ENCRYPT, enc_msglen,
1070 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1071 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1072 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1073#endif
1074
1075#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1076 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1077 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1078 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1079 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1080 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1081 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1082 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1083 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1084 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1085 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1086 CAMELLIA_ENCRYPT, enc_msglen,
1087 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1088 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1089 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1090#endif
1091
1092 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1093 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1094 }
1095 }
1096
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1097 for( i = 8; i > 0; i-- )
1098 if( ++ssl->out_ctr[i - 1] != 0 )
1099 break;
1100
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1102
1103 return( 0 );
1104}
1105
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1106/*
1107 * TODO: Use digest version when integrated!
1108 */
1109#define POLARSSL_SSL_MAX_MAC_SIZE 32
1110
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111static int ssl_decrypt_buf( ssl_context *ssl )
1112{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1113 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1114 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1115
1116 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1117
1118 if( ssl->in_msglen < ssl->minlen )
1119 {
1120 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1121 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1122 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1123 }
1124
1125 if( ssl->ivlen == 0 )
1126 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1127#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1128 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1129 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
1130 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
1131 {
1132 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]1133 ssl->in_msglen, ssl->in_msg,
1134 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1135 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1137#if defined(POLARSSL_CIPHER_NULL_CIPHER)
1138 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
1139 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
1140 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
1141 {
1142 } else
1143#endif
1144 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1146 else if( ssl->ivlen == 12 )
1147 {
1148 unsigned char *dec_msg;
1149 unsigned char *dec_msg_result;
1150 size_t dec_msglen;
1151 unsigned char add_data[13];
1152 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1153
1154 padlen = 0;
1155
1156#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1157 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
1158 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
1159 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
1160 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
1161 {
1162 dec_msglen = ssl->in_msglen - ( ssl->ivlen - ssl->fixed_ivlen );
1163 dec_msglen -= 16;
1164 dec_msg = ssl->in_msg + ( ssl->ivlen - ssl->fixed_ivlen );
1165 dec_msg_result = ssl->in_msg;
1166 ssl->in_msglen = dec_msglen;
1167
1168 memcpy( add_data, ssl->in_ctr, 8 );
1169 add_data[8] = ssl->in_msgtype;
1170 add_data[9] = ssl->major_ver;
1171 add_data[10] = ssl->minor_ver;
1172 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1173 add_data[12] = ssl->in_msglen & 0xFF;
1174
1175 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1176 add_data, 13 );
1177
1178 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1179 ssl->ivlen - ssl->fixed_ivlen );
1180
1181 SSL_DEBUG_BUF( 4, "IV used", ssl->iv_dec, ssl->ivlen );
1182 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1183
1184 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1185 ssl->ivlen - ssl->fixed_ivlen );
1186
1187 ret = gcm_auth_decrypt( (gcm_context *) ssl->ctx_dec,
1188 dec_msglen,
1189 ssl->iv_dec, ssl->ivlen,
1190 add_data, 13,
1191 dec_msg + dec_msglen, 16,
1192 dec_msg, dec_msg_result );
1193
1194 if( ret != 0 )
1195 {
1196 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1197 -ret ) );
1198
1199 return( POLARSSL_ERR_SSL_INVALID_MAC );
1200 }
1201 } else
1202#endif
1203 return( ret );
1204 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1205 else
1206 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1207 unsigned char *dec_msg;
1208 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1209 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1210
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1211 /*
1212 * Decrypt and check the padding
1213 */
1214 if( ssl->in_msglen % ssl->ivlen != 0 )
1215 {
1216 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1217 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1218 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1219 }
1220
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1221 dec_msglen = ssl->in_msglen;
1222 dec_msg = ssl->in_msg;
1223 dec_msg_result = ssl->in_msg;
1224
1225 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1226 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1227 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1228 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1229 {
1230 dec_msg += ssl->ivlen;
1231 dec_msglen -= ssl->ivlen;
1232 ssl->in_msglen -= ssl->ivlen;
1233
1234 for( i = 0; i < ssl->ivlen; i++ )
1235 ssl->iv_dec[i] = ssl->in_msg[i];
1236 }
1237
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238 switch( ssl->ivlen )
1239 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1240#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1241 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1242#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1243 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1244 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1245 {
1246 des_crypt_cbc( (des_context *) ssl->ctx_dec,
1247 DES_DECRYPT, dec_msglen,
1248 ssl->iv_dec, dec_msg, dec_msg_result );
1249 }
1250 else
1251#endif
1252 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
1253 DES_DECRYPT, dec_msglen,
1254 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1255 break;
1256#endif
1257
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1259#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1260 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1261 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1262 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1263 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1264 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1265 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1266 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1267 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1268 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1269 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1270 AES_DECRYPT, dec_msglen,
1271 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1272 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1273 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1274#endif
1275
1276#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1277 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1278 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1279 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1280 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1281 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1282 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1283 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1284 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1285 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1286 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1287 CAMELLIA_DECRYPT, dec_msglen,
1288 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1289 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1290 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1291#endif
1292
1293 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1294 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1295 }
1296
1297 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1298
1299 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1300 {
1301 if( padlen > ssl->ivlen )
1302 {
1303 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1304 "should be no more than %d",
1305 padlen, ssl->ivlen ) );
1306 padlen = 0;
1307 }
1308 }
1309 else
1310 {
1311 /*
1312 * TLSv1: always check the padding
1313 */
1314 for( i = 1; i <= padlen; i++ )
1315 {
1316 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1317 {
1318 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
1319 "%02x, but is %02x", padlen - 1,
1320 ssl->in_msg[ssl->in_msglen - i] ) );
1321 padlen = 0;
1322 }
1323 }
1324 }
1325 }
1326
1327 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1328 ssl->in_msg, ssl->in_msglen );
1329
1330 /*
1331 * Always compute the MAC (RFC4346, CBCTIME).
1332 */
Paul Bakkerf34cf852012-04-10 07:48:40 +0000[diff] [blame]1333 if( ssl->in_msglen < ssl->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1334 {
1335 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1336 ssl->in_msglen, ssl->maclen, padlen ) );
1337 return( POLARSSL_ERR_SSL_INVALID_MAC );
1338 }
1339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340 ssl->in_msglen -= ( ssl->maclen + padlen );
1341
1342 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1343 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1344
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1345 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346
1347 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1348 {
1349 if( ssl->maclen == 16 )
1350 ssl_mac_md5( ssl->mac_dec,
1351 ssl->in_msg, ssl->in_msglen,
1352 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1353 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1354 ssl_mac_sha1( ssl->mac_dec,
1355 ssl->in_msg, ssl->in_msglen,
1356 ssl->in_ctr, ssl->in_msgtype );
1357 }
1358 else
1359 {
1360 if( ssl->maclen == 16 )
1361 md5_hmac( ssl->mac_dec, 16,
1362 ssl->in_ctr, ssl->in_msglen + 13,
1363 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1364 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1365 sha1_hmac( ssl->mac_dec, 20,
1366 ssl->in_ctr, ssl->in_msglen + 13,
1367 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1368 else if( ssl->maclen == 32 )
1369 sha2_hmac( ssl->mac_dec, 32,
1370 ssl->in_ctr, ssl->in_msglen + 13,
1371 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1372 }
1373
1374 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
1375 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1376 ssl->maclen );
1377
1378 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1379 ssl->maclen ) != 0 )
1380 {
1381 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1382 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1383 }
1384
1385 /*
1386 * Finally check the padding length; bad padding
1387 * will produce the same error as an invalid MAC.
1388 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1389 if( ssl->ivlen != 0 && ssl->ivlen != 12 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1390 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1391
1392 if( ssl->in_msglen == 0 )
1393 {
1394 ssl->nb_zero++;
1395
1396 /*
1397 * Three or more empty messages may be a DoS attack
1398 * (excessive CPU consumption).
1399 */
1400 if( ssl->nb_zero > 3 )
1401 {
1402 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1403 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1404 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1405 }
1406 }
1407 else
1408 ssl->nb_zero = 0;
1409
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1410 for( i = 8; i > 0; i-- )
1411 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412 break;
1413
1414 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1415
1416 return( 0 );
1417}
1418
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]1419#if defined(POLARSSL_ZLIB_SUPPORT)
1420/*
1421 * Compression/decompression functions
1422 */
1423static int ssl_compress_buf( ssl_context *ssl )
1424{
1425 int ret;
1426 unsigned char *msg_post = ssl->out_msg;
1427 size_t len_pre = ssl->out_msglen;
1428 unsigned char *msg_pre;
1429
1430 SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1431
1432 msg_pre = (unsigned char*) malloc( len_pre );
1433 if( msg_pre == NULL )
1434 {
1435 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1436 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1437 }
1438
1439 memcpy( msg_pre, ssl->out_msg, len_pre );
1440
1441 SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1442 ssl->out_msglen ) );
1443
1444 SSL_DEBUG_BUF( 4, "before compression: output payload",
1445 ssl->out_msg, ssl->out_msglen );
1446
1447 ssl->ctx_deflate.next_in = msg_pre;
1448 ssl->ctx_deflate.avail_in = len_pre;
1449 ssl->ctx_deflate.next_out = msg_post;
1450 ssl->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1451
1452 ret = deflate( &ssl->ctx_deflate, Z_SYNC_FLUSH );
1453 if( ret != Z_OK )
1454 {
1455 SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1456 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1457 }
1458
1459 ssl->out_msglen = SSL_BUFFER_LEN - ssl->ctx_deflate.avail_out;
1460
1461 free( msg_pre );
1462
1463 SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1464 ssl->out_msglen ) );
1465
1466 SSL_DEBUG_BUF( 4, "after compression: output payload",
1467 ssl->out_msg, ssl->out_msglen );
1468
1469 SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1470
1471 return( 0 );
1472}
1473
1474static int ssl_decompress_buf( ssl_context *ssl )
1475{
1476 int ret;
1477 unsigned char *msg_post = ssl->in_msg;
1478 size_t len_pre = ssl->in_msglen;
1479 unsigned char *msg_pre;
1480
1481 SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1482
1483 msg_pre = (unsigned char*) malloc( len_pre );
1484 if( msg_pre == NULL )
1485 {
1486 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1487 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1488 }
1489
1490 memcpy( msg_pre, ssl->in_msg, len_pre );
1491
1492 SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1493 ssl->in_msglen ) );
1494
1495 SSL_DEBUG_BUF( 4, "before decompression: input payload",
1496 ssl->in_msg, ssl->in_msglen );
1497
1498 ssl->ctx_inflate.next_in = msg_pre;
1499 ssl->ctx_inflate.avail_in = len_pre;
1500 ssl->ctx_inflate.next_out = msg_post;
1501 ssl->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1502
1503 ret = inflate( &ssl->ctx_inflate, Z_SYNC_FLUSH );
1504 if( ret != Z_OK )
1505 {
1506 SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1507 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1508 }
1509
1510 ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->ctx_inflate.avail_out;
1511
1512 free( msg_pre );
1513
1514 SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1515 ssl->in_msglen ) );
1516
1517 SSL_DEBUG_BUF( 4, "after decompression: input payload",
1518 ssl->in_msg, ssl->in_msglen );
1519
1520 SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1521
1522 return( 0 );
1523}
1524#endif /* POLARSSL_ZLIB_SUPPORT */
1525
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1526/*
1527 * Fill the input message buffer
1528 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1529int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1530{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1531 int ret;
1532 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1533
1534 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1535
1536 while( ssl->in_left < nb_want )
1537 {
1538 len = nb_want - ssl->in_left;
1539 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1540
1541 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1542 ssl->in_left, nb_want ) );
1543 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1544
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1545 if( ret == 0 )
1546 return( POLARSSL_ERR_SSL_CONN_EOF );
1547
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1548 if( ret < 0 )
1549 return( ret );
1550
1551 ssl->in_left += ret;
1552 }
1553
1554 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1555
1556 return( 0 );
1557}
1558
1559/*
1560 * Flush any data not yet written
1561 */
1562int ssl_flush_output( ssl_context *ssl )
1563{
1564 int ret;
1565 unsigned char *buf;
1566
1567 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1568
1569 while( ssl->out_left > 0 )
1570 {
1571 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1572 5 + ssl->out_msglen, ssl->out_left ) );
1573
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1574 if( ssl->out_msglen < ssl->out_left )
1575 {
1576 size_t header_left = ssl->out_left - ssl->out_msglen;
1577
1578 buf = ssl->out_hdr + 5 - header_left;
1579 ret = ssl->f_send( ssl->p_send, buf, header_left );
1580
1581 SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1582
1583 if( ret <= 0 )
1584 return( ret );
1585
1586 ssl->out_left -= ret;
1587 }
1588
1589 buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1590 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1591
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1592 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1593
1594 if( ret <= 0 )
1595 return( ret );
1596
1597 ssl->out_left -= ret;
1598 }
1599
1600 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1601
1602 return( 0 );
1603}
1604
1605/*
1606 * Record layer functions
1607 */
1608int ssl_write_record( ssl_context *ssl )
1609{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1610 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1611 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1612
1613 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1614
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1615 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1616 {
1617 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1618 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1619 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1620
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1621 ssl->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1622 }
1623
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]1624#if defined(POLARSSL_ZLIB_SUPPORT)
1625 if( ssl->do_crypt != 0 &&
1626 ssl->session->compression == SSL_COMPRESS_DEFLATE )
1627 {
1628 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1629 {
1630 SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1631 return( ret );
1632 }
1633
1634 len = ssl->out_msglen;
1635 }
1636#endif /*POLARSSL_ZLIB_SUPPORT */
1637
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1638#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1639 if( ssl_hw_record_write != NULL)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1640 {
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1641 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1642
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1643 ret = ssl_hw_record_write( ssl );
1644 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1645 {
1646 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1647 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1648 }
1649 done = 1;
1650 }
1651#endif
1652 if( !done )
1653 {
1654 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1655 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1656 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1657 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1658 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1659
1660 if( ssl->do_crypt != 0 )
1661 {
1662 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1663 {
1664 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1665 return( ret );
1666 }
1667
1668 len = ssl->out_msglen;
1669 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1670 ssl->out_hdr[4] = (unsigned char)( len );
1671 }
1672
1673 ssl->out_left = 5 + ssl->out_msglen;
1674
1675 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1676 "version = [%d:%d], msglen = %d",
1677 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1678 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1679
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1680 SSL_DEBUG_BUF( 4, "output record header sent to network",
1681 ssl->out_hdr, 5 );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1682 SSL_DEBUG_BUF( 4, "output record sent to network",
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1683 ssl->out_hdr + 32, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1684 }
1685
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1686 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1687 {
1688 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1689 return( ret );
1690 }
1691
1692 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1693
1694 return( 0 );
1695}
1696
1697int ssl_read_record( ssl_context *ssl )
1698{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1699 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700
1701 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1702
1703 if( ssl->in_hslen != 0 &&
1704 ssl->in_hslen < ssl->in_msglen )
1705 {
1706 /*
1707 * Get next Handshake message in the current record
1708 */
1709 ssl->in_msglen -= ssl->in_hslen;
1710
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1711 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1712 ssl->in_msglen );
1713
1714 ssl->in_hslen = 4;
1715 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1716
1717 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1718 " %d, type = %d, hslen = %d",
1719 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1720
1721 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1722 {
1723 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1724 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1725 }
1726
1727 if( ssl->in_msglen < ssl->in_hslen )
1728 {
1729 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1730 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1731 }
1732
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1733 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1734
1735 return( 0 );
1736 }
1737
1738 ssl->in_hslen = 0;
1739
1740 /*
1741 * Read the record header and validate it
1742 */
1743 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1744 {
1745 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1746 return( ret );
1747 }
1748
1749 ssl->in_msgtype = ssl->in_hdr[0];
1750 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1751
1752 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1753 "version = [%d:%d], msglen = %d",
1754 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1755 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1756
1757 if( ssl->in_hdr[1] != ssl->major_ver )
1758 {
1759 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1760 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1761 }
1762
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1763 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1764 {
1765 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1766 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1767 }
1768
1769 /*
1770 * Make sure the message length is acceptable
1771 */
1772 if( ssl->do_crypt == 0 )
1773 {
1774 if( ssl->in_msglen < 1 ||
1775 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1776 {
1777 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1778 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1779 }
1780 }
1781 else
1782 {
1783 if( ssl->in_msglen < ssl->minlen )
1784 {
1785 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1786 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787 }
1788
1789 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1790 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1791 {
1792 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1793 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1794 }
1795
1796 /*
1797 * TLS encrypted messages can have up to 256 bytes of padding
1798 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1799 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1800 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1801 {
1802 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1803 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804 }
1805 }
1806
1807 /*
1808 * Read and optionally decrypt the message contents
1809 */
1810 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1811 {
1812 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1813 return( ret );
1814 }
1815
1816 SSL_DEBUG_BUF( 4, "input record from network",
1817 ssl->in_hdr, 5 + ssl->in_msglen );
1818
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1819#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1820 if( ssl_hw_record_read != NULL)
1821 {
1822 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1823
1824 ret = ssl_hw_record_read( ssl );
1825 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1826 {
1827 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1828 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1829 }
1830 done = 1;
1831 }
1832#endif
1833 if( !done && ssl->do_crypt != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834 {
1835 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1836 {
1837 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1838 return( ret );
1839 }
1840
1841 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1842 ssl->in_msg, ssl->in_msglen );
1843
1844 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1845 {
1846 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1847 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848 }
1849 }
1850
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]1851#if defined(POLARSSL_ZLIB_SUPPORT)
1852 if( ssl->do_crypt != 0 &&
1853 ssl->session->compression == SSL_COMPRESS_DEFLATE )
1854 {
1855 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
1856 {
1857 SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
1858 return( ret );
1859 }
1860
1861 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1862 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1863 }
1864#endif /* POLARSSL_ZLIB_SUPPORT */
1865
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1866 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1867 ssl->in_msgtype != SSL_MSG_ALERT &&
1868 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1869 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1870 {
1871 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1872
1873 if( ( ret = ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1874 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
1875 {
1876 return( ret );
1877 }
1878
1879 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1880 }
1881
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1883 {
1884 ssl->in_hslen = 4;
1885 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1886
1887 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1888 " %d, type = %d, hslen = %d",
1889 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1890
1891 /*
1892 * Additional checks to validate the handshake header
1893 */
1894 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1895 {
1896 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1897 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898 }
1899
1900 if( ssl->in_msglen < ssl->in_hslen )
1901 {
1902 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1903 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904 }
1905
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1906 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1907 }
1908
1909 if( ssl->in_msgtype == SSL_MSG_ALERT )
1910 {
1911 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1912 ssl->in_msg[0], ssl->in_msg[1] ) );
1913
1914 /*
1915 * Ignore non-fatal alerts, except close_notify
1916 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1917 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918 {
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]1919 SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
1920 ssl->in_msg[1] ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1921 /**
1922 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1923 * error identifier.
1924 */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]1925 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1926 }
1927
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1928 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1929 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930 {
1931 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1932 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933 }
1934 }
1935
1936 ssl->in_left = 0;
1937
1938 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1939
1940 return( 0 );
1941}
1942
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1943int ssl_send_alert_message( ssl_context *ssl,
1944 unsigned char level,
1945 unsigned char message )
1946{
1947 int ret;
1948
1949 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1950
1951 ssl->out_msgtype = SSL_MSG_ALERT;
1952 ssl->out_msglen = 2;
1953 ssl->out_msg[0] = level;
1954 ssl->out_msg[1] = message;
1955
1956 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1957 {
1958 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1959 return( ret );
1960 }
1961
1962 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1963
1964 return( 0 );
1965}
1966
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967/*
1968 * Handshake functions
1969 */
1970int ssl_write_certificate( ssl_context *ssl )
1971{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1972 int ret;
1973 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1974 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975
1976 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1977
1978 if( ssl->endpoint == SSL_IS_CLIENT )
1979 {
1980 if( ssl->client_auth == 0 )
1981 {
1982 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1983 ssl->state++;
1984 return( 0 );
1985 }
1986
1987 /*
1988 * If using SSLv3 and got no cert, send an Alert message
1989 * (otherwise an empty Certificate message will be sent).
1990 */
1991 if( ssl->own_cert == NULL &&
1992 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1993 {
1994 ssl->out_msglen = 2;
1995 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1996 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1997 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1998
1999 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2000 goto write_msg;
2001 }
2002 }
2003 else /* SSL_IS_SERVER */
2004 {
2005 if( ssl->own_cert == NULL )
2006 {
2007 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2008 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009 }
2010 }
2011
2012 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
2013
2014 /*
2015 * 0 . 0 handshake type
2016 * 1 . 3 handshake length
2017 * 4 . 6 length of all certs
2018 * 7 . 9 length of cert. 1
2019 * 10 . n-1 peer certificate
2020 * n . n+2 length of cert. 2
2021 * n+3 . ... upper level cert, etc.
2022 */
2023 i = 7;
2024 crt = ssl->own_cert;
2025
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]2026 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2027 {
2028 n = crt->raw.len;
2029 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
2030 {
2031 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2032 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2033 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2034 }
2035
2036 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2037 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2038 ssl->out_msg[i + 2] = (unsigned char)( n );
2039
2040 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2041 i += n; crt = crt->next;
2042 }
2043
2044 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2045 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2046 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2047
2048 ssl->out_msglen = i;
2049 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2050 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2051
2052write_msg:
2053
2054 ssl->state++;
2055
2056 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2057 {
2058 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2059 return( ret );
2060 }
2061
2062 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2063
2064 return( 0 );
2065}
2066
2067int ssl_parse_certificate( ssl_context *ssl )
2068{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2069 int ret;
2070 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2071
2072 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2073
2074 if( ssl->endpoint == SSL_IS_SERVER &&
2075 ssl->authmode == SSL_VERIFY_NONE )
2076 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2077 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2078 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2079 ssl->state++;
2080 return( 0 );
2081 }
2082
2083 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2084 {
2085 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2086 return( ret );
2087 }
2088
2089 ssl->state++;
2090
2091 /*
2092 * Check if the client sent an empty certificate
2093 */
2094 if( ssl->endpoint == SSL_IS_SERVER &&
2095 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2096 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2097 if( ssl->in_msglen == 2 &&
2098 ssl->in_msgtype == SSL_MSG_ALERT &&
2099 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2100 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2101 {
2102 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2103
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2104 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2105 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2106 return( 0 );
2107 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2108 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2109 }
2110 }
2111
2112 if( ssl->endpoint == SSL_IS_SERVER &&
2113 ssl->minor_ver != SSL_MINOR_VERSION_0 )
2114 {
2115 if( ssl->in_hslen == 7 &&
2116 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2117 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2118 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2119 {
2120 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2121
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2122 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2123 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2124 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2125 else
2126 return( 0 );
2127 }
2128 }
2129
2130 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2131 {
2132 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2133 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2134 }
2135
2136 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2137 {
2138 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2139 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2140 }
2141
2142 /*
2143 * Same message structure as in ssl_write_certificate()
2144 */
2145 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2146
2147 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2148 {
2149 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2150 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2151 }
2152
2153 if( ( ssl->peer_cert = (x509_cert *) malloc(
2154 sizeof( x509_cert ) ) ) == NULL )
2155 {
2156 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2157 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2158 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2159 }
2160
2161 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2162
2163 i = 7;
2164
2165 while( i < ssl->in_hslen )
2166 {
2167 if( ssl->in_msg[i] != 0 )
2168 {
2169 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2170 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171 }
2172
2173 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2174 | (unsigned int) ssl->in_msg[i + 2];
2175 i += 3;
2176
2177 if( n < 128 || i + n > ssl->in_hslen )
2178 {
2179 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2180 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2181 }
2182
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2183 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2184 if( ret != 0 )
2185 {
2186 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2187 return( ret );
2188 }
2189
2190 i += n;
2191 }
2192
2193 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
2194
2195 if( ssl->authmode != SSL_VERIFY_NONE )
2196 {
2197 if( ssl->ca_chain == NULL )
2198 {
2199 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2200 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2201 }
2202
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2203 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2204 ssl->peer_cn, &ssl->verify_result,
2205 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2206
2207 if( ret != 0 )
2208 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2209
2210 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2211 ret = 0;
2212 }
2213
2214 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2215
2216 return( ret );
2217}
2218
2219int ssl_write_change_cipher_spec( ssl_context *ssl )
2220{
2221 int ret;
2222
2223 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2224
2225 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2226 ssl->out_msglen = 1;
2227 ssl->out_msg[0] = 1;
2228
2229 ssl->do_crypt = 0;
2230 ssl->state++;
2231
2232 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2233 {
2234 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2235 return( ret );
2236 }
2237
2238 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2239
2240 return( 0 );
2241}
2242
2243int ssl_parse_change_cipher_spec( ssl_context *ssl )
2244{
2245 int ret;
2246
2247 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2248
2249 ssl->do_crypt = 0;
2250
2251 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2252 {
2253 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2254 return( ret );
2255 }
2256
2257 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2258 {
2259 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2260 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2261 }
2262
2263 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2264 {
2265 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2266 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2267 }
2268
2269 ssl->state++;
2270
2271 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2272
2273 return( 0 );
2274}
2275
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2276void ssl_kickstart_checksum( ssl_context *ssl, int ciphersuite,
2277 unsigned char *input_buf, size_t len )
2278{
2279 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2280 {
2281 md5_starts( (md5_context *) ssl->ctx_checksum );
2282 sha1_starts( (sha1_context *) ( ssl->ctx_checksum +
2283 sizeof(md5_context) ) );
2284
2285 ssl->update_checksum = ssl_update_checksum_md5sha1;
2286 }
2287 else if ( ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
2288 ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
2289 {
2290 sha4_starts( (sha4_context *) ssl->ctx_checksum, 1 );
2291 ssl->update_checksum = ssl_update_checksum_sha384;
2292 }
2293 else
2294 {
2295 sha2_starts( (sha2_context *) ssl->ctx_checksum, 0 );
2296 ssl->update_checksum = ssl_update_checksum_sha256;
2297 }
2298
2299 if( ssl->endpoint == SSL_IS_CLIENT )
2300 ssl->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2301 ssl->update_checksum( ssl, input_buf, len );
2302}
2303
2304static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2305 size_t len )
2306{
2307 ((void) ssl);
2308 ((void) buf);
2309 ((void) len);
2310}
2311
2312static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2313 size_t len )
2314{
2315 md5_update( (md5_context *) ssl->ctx_checksum, buf, len );
2316 sha1_update( (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2317 buf, len );
2318}
2319
2320static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2321 size_t len )
2322{
2323 sha2_update( (sha2_context *) ssl->ctx_checksum, buf, len );
2324}
2325
2326static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2327 size_t len )
2328{
2329 sha4_update( (sha4_context *) ssl->ctx_checksum, buf, len );
2330}
2331
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2332static void ssl_calc_finished_ssl(
2333 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2334{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2335 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2336 md5_context md5;
2337 sha1_context sha1;
2338
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2339 unsigned char padbuf[48];
2340 unsigned char md5sum[16];
2341 unsigned char sha1sum[20];
2342
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2343 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2344
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2345 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2346 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2347 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2348
2349 /*
2350 * SSLv3:
2351 * hash =
2352 * MD5( master + pad2 +
2353 * MD5( handshake + sender + master + pad1 ) )
2354 * + SHA1( master + pad2 +
2355 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2356 */
2357
2358 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2359 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2360
2361 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2362 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2363
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2364 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2365 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2366
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2367 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2368
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2369 md5_update( &md5, (unsigned char *) sender, 4 );
2370 md5_update( &md5, ssl->session->master, 48 );
2371 md5_update( &md5, padbuf, 48 );
2372 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2373
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2374 sha1_update( &sha1, (unsigned char *) sender, 4 );
2375 sha1_update( &sha1, ssl->session->master, 48 );
2376 sha1_update( &sha1, padbuf, 40 );
2377 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2378
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2379 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2380
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2381 md5_starts( &md5 );
2382 md5_update( &md5, ssl->session->master, 48 );
2383 md5_update( &md5, padbuf, 48 );
2384 md5_update( &md5, md5sum, 16 );
2385 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2386
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2387 sha1_starts( &sha1 );
2388 sha1_update( &sha1, ssl->session->master, 48 );
2389 sha1_update( &sha1, padbuf , 40 );
2390 sha1_update( &sha1, sha1sum, 20 );
2391 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2392
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2393 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2394
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2395 memset( &md5, 0, sizeof( md5_context ) );
2396 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2397
2398 memset( padbuf, 0, sizeof( padbuf ) );
2399 memset( md5sum, 0, sizeof( md5sum ) );
2400 memset( sha1sum, 0, sizeof( sha1sum ) );
2401
2402 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2403}
2404
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2405static void ssl_calc_finished_tls(
2406 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2407{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2408 int len = 12;
2409 char *sender;
2410 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2411 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2412 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2413
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2414 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2415
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2416 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2417 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2418 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2419
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2420 /*
2421 * TLSv1:
2422 * hash = PRF( master, finished_label,
2423 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2424 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2425
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2426 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2427 md5.state, sizeof( md5.state ) );
2428
2429 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2430 sha1.state, sizeof( sha1.state ) );
2431
2432 sender = ( from == SSL_IS_CLIENT )
2433 ? (char *) "client finished"
2434 : (char *) "server finished";
2435
2436 md5_finish( &md5, padbuf );
2437 sha1_finish( &sha1, padbuf + 16 );
2438
2439 ssl->tls_prf( ssl->session->master, 48, sender,
2440 padbuf, 36, buf, len );
2441
2442 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2443
2444 memset( &md5, 0, sizeof( md5_context ) );
2445 memset( &sha1, 0, sizeof( sha1_context ) );
2446
2447 memset( padbuf, 0, sizeof( padbuf ) );
2448
2449 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2450}
2451
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2452static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2453 ssl_context *ssl, unsigned char *buf, int from )
2454{
2455 int len = 12;
2456 char *sender;
2457 sha2_context sha2;
2458 unsigned char padbuf[32];
2459
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2460 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2461
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2462 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2463
2464 /*
2465 * TLSv1.2:
2466 * hash = PRF( master, finished_label,
2467 * Hash( handshake ) )[0.11]
2468 */
2469
2470 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2471 sha2.state, sizeof( sha2.state ) );
2472
2473 sender = ( from == SSL_IS_CLIENT )
2474 ? (char *) "client finished"
2475 : (char *) "server finished";
2476
2477 sha2_finish( &sha2, padbuf );
2478
2479 ssl->tls_prf( ssl->session->master, 48, sender,
2480 padbuf, 32, buf, len );
2481
2482 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2483
2484 memset( &sha2, 0, sizeof( sha2_context ) );
2485
2486 memset( padbuf, 0, sizeof( padbuf ) );
2487
2488 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2489}
2490
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2491static void ssl_calc_finished_tls_sha384(
2492 ssl_context *ssl, unsigned char *buf, int from )
2493{
2494 int len = 12;
2495 char *sender;
2496 sha4_context sha4;
2497 unsigned char padbuf[48];
2498
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2499 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2500
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2501 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2502
2503 /*
2504 * TLSv1.2:
2505 * hash = PRF( master, finished_label,
2506 * Hash( handshake ) )[0.11]
2507 */
2508
2509 SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2510 sha4.state, sizeof( sha4.state ) );
2511
2512 sender = ( from == SSL_IS_CLIENT )
2513 ? (char *) "client finished"
2514 : (char *) "server finished";
2515
2516 sha4_finish( &sha4, padbuf );
2517
2518 ssl->tls_prf( ssl->session->master, 48, sender,
2519 padbuf, 48, buf, len );
2520
2521 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2522
2523 memset( &sha4, 0, sizeof( sha4_context ) );
2524
2525 memset( padbuf, 0, sizeof( padbuf ) );
2526
2527 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2528}
2529
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2530int ssl_write_finished( ssl_context *ssl )
2531{
2532 int ret, hash_len;
2533
2534 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2535
2536 ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2537
2538 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2539 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2540
2541 ssl->out_msglen = 4 + hash_len;
2542 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2543 ssl->out_msg[0] = SSL_HS_FINISHED;
2544
2545 /*
2546 * In case of session resuming, invert the client and server
2547 * ChangeCipherSpec messages order.
2548 */
2549 if( ssl->resume != 0 )
2550 {
2551 if( ssl->endpoint == SSL_IS_CLIENT )
2552 ssl->state = SSL_HANDSHAKE_OVER;
2553 else
2554 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2555 }
2556 else
2557 ssl->state++;
2558
2559 ssl->do_crypt = 1;
2560
2561 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2562 {
2563 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2564 return( ret );
2565 }
2566
2567 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2568
2569 return( 0 );
2570}
2571
2572int ssl_parse_finished( ssl_context *ssl )
2573{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2574 int ret;
2575 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2576 unsigned char buf[36];
2577
2578 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2579
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2580 ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2581
2582 ssl->do_crypt = 1;
2583
2584 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2585 {
2586 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2587 return( ret );
2588 }
2589
2590 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2591 {
2592 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2593 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2594 }
2595
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2596 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2597 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2598
2599 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2600 ssl->in_hslen != 4 + hash_len )
2601 {
2602 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2603 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2604 }
2605
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2606 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2607 {
2608 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2609 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2610 }
2611
2612 if( ssl->resume != 0 )
2613 {
2614 if( ssl->endpoint == SSL_IS_CLIENT )
2615 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2616
2617 if( ssl->endpoint == SSL_IS_SERVER )
2618 ssl->state = SSL_HANDSHAKE_OVER;
2619 }
2620 else
2621 ssl->state++;
2622
2623 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2624
2625 return( 0 );
2626}
2627
2628/*
2629 * Initialize an SSL context
2630 */
2631int ssl_init( ssl_context *ssl )
2632{
2633 int len = SSL_BUFFER_LEN;
2634
2635 memset( ssl, 0, sizeof( ssl_context ) );
2636
2637 ssl->in_ctr = (unsigned char *) malloc( len );
2638 ssl->in_hdr = ssl->in_ctr + 8;
2639 ssl->in_msg = ssl->in_ctr + 13;
2640
2641 if( ssl->in_ctr == NULL )
2642 {
2643 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2644 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2645 }
2646
2647 ssl->out_ctr = (unsigned char *) malloc( len );
2648 ssl->out_hdr = ssl->out_ctr + 8;
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]2649 ssl->out_msg = ssl->out_ctr + 40;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2650
2651 if( ssl->out_ctr == NULL )
2652 {
2653 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2654 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2655 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2656 }
2657
2658 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2659 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2660
2661 ssl->hostname = NULL;
2662 ssl->hostname_len = 0;
2663
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2664 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2665
2666 return( 0 );
2667}
2668
2669/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2670 * Reset an initialized and used SSL context for re-use while retaining
2671 * all application-set variables, function pointers and data.
2672 */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]2673int ssl_session_reset( ssl_context *ssl )
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2674{
2675 ssl->state = SSL_HELLO_REQUEST;
2676
2677 ssl->in_offt = NULL;
2678
2679 ssl->in_msgtype = 0;
2680 ssl->in_msglen = 0;
2681 ssl->in_left = 0;
2682
2683 ssl->in_hslen = 0;
2684 ssl->nb_zero = 0;
2685
2686 ssl->out_msgtype = 0;
2687 ssl->out_msglen = 0;
2688 ssl->out_left = 0;
2689
2690 ssl->do_crypt = 0;
2691 ssl->pmslen = 0;
2692 ssl->keylen = 0;
2693 ssl->minlen = 0;
2694 ssl->ivlen = 0;
2695 ssl->maclen = 0;
2696
2697 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2698 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2699 memset( ssl->randbytes, 0, 64 );
2700 memset( ssl->premaster, 0, 256 );
2701 memset( ssl->iv_enc, 0, 16 );
2702 memset( ssl->iv_dec, 0, 16 );
2703 memset( ssl->mac_enc, 0, 32 );
2704 memset( ssl->mac_dec, 0, 32 );
2705 memset( ssl->ctx_enc, 0, 128 );
2706 memset( ssl->ctx_dec, 0, 128 );
2707
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2708 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2709
2710#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2711 if( ssl_hw_record_reset != NULL)
2712 {
2713 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]2714 if( ssl_hw_record_reset( ssl ) != 0 )
2715 {
2716 SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
2717 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2718 }
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2719 }
2720#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]2721
2722#if defined(POLARSSL_ZLIB_SUPPORT)
2723 // Reset compression state
2724 //
2725 if( ssl->session->compression == SSL_COMPRESS_DEFLATE )
2726 {
2727 ssl->ctx_deflate.next_in = Z_NULL;
2728 ssl->ctx_deflate.next_out = Z_NULL;
2729 ssl->ctx_deflate.avail_in = 0;
2730 ssl->ctx_deflate.avail_out = 0;
2731
2732 ssl->ctx_inflate.next_in = Z_NULL;
2733 ssl->ctx_inflate.next_out = Z_NULL;
2734 ssl->ctx_inflate.avail_in = 0;
2735 ssl->ctx_inflate.avail_out = 0;
2736
2737 if( deflateReset( &ssl->ctx_deflate ) != Z_OK ||
2738 inflateReset( &ssl->ctx_inflate ) != Z_OK )
2739 {
2740 SSL_DEBUG_MSG( 1, ( "Failed to reset compression" ) );
2741 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
2742 }
2743 }
2744#endif /* POLARSSL_ZLIB_SUPPORT */
2745
2746 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2747}
2748
2749/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2750 * SSL set accessors
2751 */
2752void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2753{
2754 ssl->endpoint = endpoint;
2755}
2756
2757void ssl_set_authmode( ssl_context *ssl, int authmode )
2758{
2759 ssl->authmode = authmode;
2760}
2761
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2762void ssl_set_verify( ssl_context *ssl,
2763 int (*f_vrfy)(void *, x509_cert *, int, int),
2764 void *p_vrfy )
2765{
2766 ssl->f_vrfy = f_vrfy;
2767 ssl->p_vrfy = p_vrfy;
2768}
2769
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2770void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2771 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2772 void *p_rng )
2773{
2774 ssl->f_rng = f_rng;
2775 ssl->p_rng = p_rng;
2776}
2777
2778void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2779 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2780 void *p_dbg )
2781{
2782 ssl->f_dbg = f_dbg;
2783 ssl->p_dbg = p_dbg;
2784}
2785
2786void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2787 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2788 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2789{
2790 ssl->f_recv = f_recv;
2791 ssl->f_send = f_send;
2792 ssl->p_recv = p_recv;
2793 ssl->p_send = p_send;
2794}
2795
2796void ssl_set_scb( ssl_context *ssl,
2797 int (*s_get)(ssl_context *),
2798 int (*s_set)(ssl_context *) )
2799{
2800 ssl->s_get = s_get;
2801 ssl->s_set = s_set;
2802}
2803
2804void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2805 ssl_session *session )
2806{
2807 ssl->resume = resume;
2808 ssl->timeout = timeout;
2809 ssl->session = session;
2810}
2811
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2812void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2813{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2814 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2815}
2816
2817void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2818 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2819{
2820 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2821 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2822 ssl->peer_cn = peer_cn;
2823}
2824
2825void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2826 rsa_context *rsa_key )
2827{
2828 ssl->own_cert = own_cert;
2829 ssl->rsa_key = rsa_key;
2830}
2831
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]2832#if defined(POLARSSL_PKCS11_C)
2833void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
2834 pkcs11_context *pkcs11_key )
2835{
2836 ssl->own_cert = own_cert;
2837 ssl->pkcs11_key = pkcs11_key;
2838}
2839#endif
2840
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2841int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2842{
2843 int ret;
2844
2845 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2846 {
2847 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2848 return( ret );
2849 }
2850
2851 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2852 {
2853 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2854 return( ret );
2855 }
2856
2857 return( 0 );
2858}
2859
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2860int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
2861{
2862 int ret;
2863
2864 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2865 {
2866 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2867 return( ret );
2868 }
2869
2870 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2871 {
2872 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2873 return( ret );
2874 }
2875
2876 return( 0 );
2877}
2878
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2879int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2880{
2881 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2882 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2883
2884 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2885 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2886
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2887 if( ssl->hostname == NULL )
2888 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2889
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2890 memcpy( ssl->hostname, (unsigned char *) hostname,
2891 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2892
2893 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2894
2895 return( 0 );
2896}
2897
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2898void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2899{
2900 ssl->max_major_ver = major;
2901 ssl->max_minor_ver = minor;
2902}
2903
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2904/*
2905 * SSL get accessors
2906 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2907size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2908{
2909 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2910}
2911
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2912int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2913{
2914 return( ssl->verify_result );
2915}
2916
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2917const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2918{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2919 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2920 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2921#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2922 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2923 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2924
2925 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2926 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2927#endif
2928
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2929#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2930 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2931 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2932
2933 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2934 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2935#endif
2936
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2937#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2938 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2939 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2940
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2941 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2942 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2943
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2944 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2945 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2946
2947 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2948 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2949
2950#if defined(POLARSSL_SHA2_C)
2951 case SSL_RSA_AES_128_SHA256:
2952 return( "SSL-RSA-AES-128-SHA256" );
2953
2954 case SSL_EDH_RSA_AES_128_SHA256:
2955 return( "SSL-EDH-RSA-AES-128-SHA256" );
2956
2957 case SSL_RSA_AES_256_SHA256:
2958 return( "SSL-RSA-AES-256-SHA256" );
2959
2960 case SSL_EDH_RSA_AES_256_SHA256:
2961 return( "SSL-EDH-RSA-AES-256-SHA256" );
2962#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2963
2964#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2965 case SSL_RSA_AES_128_GCM_SHA256:
2966 return( "SSL-RSA-AES-128-GCM-SHA256" );
2967
2968 case SSL_EDH_RSA_AES_128_GCM_SHA256:
2969 return( "SSL-EDH-RSA-AES-128-GCM-SHA256" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2970#endif
2971
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2972#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2973 case SSL_RSA_AES_256_GCM_SHA384:
2974 return( "SSL-RSA-AES-256-GCM-SHA384" );
2975
2976 case SSL_EDH_RSA_AES_256_GCM_SHA384:
2977 return( "SSL-EDH-RSA-AES-256-GCM-SHA384" );
2978#endif
2979#endif /* POLARSSL_AES_C */
2980
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2981#if defined(POLARSSL_CAMELLIA_C)
2982 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2983 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2984
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2985 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2986 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2987
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2988 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2989 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2990
2991 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2992 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2993
2994#if defined(POLARSSL_SHA2_C)
2995 case SSL_RSA_CAMELLIA_128_SHA256:
2996 return( "SSL-RSA-CAMELLIA-128-SHA256" );
2997
2998 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
2999 return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
3000
3001 case SSL_RSA_CAMELLIA_256_SHA256:
3002 return( "SSL-RSA-CAMELLIA-256-SHA256" );
3003
3004 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
3005 return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
3006#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3007#endif
3008
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]3009#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3010#if defined(POLARSSL_CIPHER_NULL_CIPHER)
3011 case SSL_RSA_NULL_MD5:
3012 return( "SSL-RSA-NULL-MD5" );
3013 case SSL_RSA_NULL_SHA:
3014 return( "SSL-RSA-NULL-SHA" );
3015 case SSL_RSA_NULL_SHA256:
3016 return( "SSL-RSA-NULL-SHA256" );
3017#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3018
3019#if defined(POLARSSL_DES_C)
3020 case SSL_RSA_DES_SHA:
3021 return( "SSL-RSA-DES-SHA" );
3022 case SSL_EDH_RSA_DES_SHA:
3023 return( "SSL-EDH-RSA-DES-SHA" );
3024#endif
3025#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3026
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3027 default:
3028 break;
3029 }
3030
3031 return( "unknown" );
3032}
3033
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3034int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3035{
3036#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3037 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3038 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3039 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3040 return( SSL_RSA_RC4_128_SHA );
3041#endif
3042
3043#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3044 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3045 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3046 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3047 return( SSL_EDH_RSA_DES_168_SHA );
3048#endif
3049
3050#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3051 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3052 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3053 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3054 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3055 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3056 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3057 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3058 return( SSL_EDH_RSA_AES_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3059
3060#if defined(POLARSSL_SHA2_C)
3061 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
3062 return( SSL_RSA_AES_128_SHA256 );
3063 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
3064 return( SSL_EDH_RSA_AES_128_SHA256 );
3065 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
3066 return( SSL_RSA_AES_256_SHA256 );
3067 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
3068 return( SSL_EDH_RSA_AES_256_SHA256 );
3069#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3070
3071#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3072 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-GCM-SHA256"))
3073 return( SSL_RSA_AES_128_GCM_SHA256 );
3074 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-GCM-SHA256"))
3075 return( SSL_EDH_RSA_AES_128_GCM_SHA256 );
3076#endif
3077
3078#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3079 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-GCM-SHA384"))
3080 return( SSL_RSA_AES_256_GCM_SHA384 );
3081 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-GCM-SHA384"))
3082 return( SSL_EDH_RSA_AES_256_GCM_SHA384 );
3083#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3084#endif
3085
3086#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3087 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3088 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3089 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3090 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3091 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3092 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3093 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3094 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3095
3096#if defined(POLARSSL_SHA2_C)
3097 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
3098 return( SSL_RSA_CAMELLIA_128_SHA256 );
3099 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
3100 return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
3101 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
3102 return( SSL_RSA_CAMELLIA_256_SHA256 );
3103 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
3104 return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
3105#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3106#endif
3107
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]3108#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3109#if defined(POLARSSL_CIPHER_NULL_CIPHER)
3110 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
3111 return( SSL_RSA_NULL_MD5 );
3112 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
3113 return( SSL_RSA_NULL_SHA );
3114 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
3115 return( SSL_RSA_NULL_SHA256 );
3116#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3117
3118#if defined(POLARSSL_DES_C)
3119 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
3120 return( SSL_RSA_DES_SHA );
3121 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
3122 return( SSL_EDH_RSA_DES_SHA );
3123#endif
3124#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3125
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3126 return( 0 );
3127}
3128
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3129const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3130{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3131 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3132}
3133
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]3134const char *ssl_get_version( const ssl_context *ssl )
3135{
3136 switch( ssl->minor_ver )
3137 {
3138 case SSL_MINOR_VERSION_0:
3139 return( "SSLv3.0" );
3140
3141 case SSL_MINOR_VERSION_1:
3142 return( "TLSv1.0" );
3143
3144 case SSL_MINOR_VERSION_2:
3145 return( "TLSv1.1" );
3146
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3147 case SSL_MINOR_VERSION_3:
3148 return( "TLSv1.2" );
3149
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]3150 default:
3151 break;
3152 }
3153 return( "unknown" );
3154}
3155
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3156int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3157{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3158#if defined(POLARSSL_DHM_C)
3159#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3160#if defined(POLARSSL_SHA2_C)
3161 SSL_EDH_RSA_AES_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3162#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3163#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3164 SSL_EDH_RSA_AES_256_GCM_SHA384,
3165#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3166 SSL_EDH_RSA_AES_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3167#if defined(POLARSSL_SHA2_C)
3168 SSL_EDH_RSA_AES_128_SHA256,
3169#endif
3170#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3171 SSL_EDH_RSA_AES_128_GCM_SHA256,
3172#endif
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3173 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3174#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3175#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3176#if defined(POLARSSL_SHA2_C)
3177 SSL_EDH_RSA_CAMELLIA_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3178#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3179 SSL_EDH_RSA_CAMELLIA_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3180#if defined(POLARSSL_SHA2_C)
3181 SSL_EDH_RSA_CAMELLIA_128_SHA256,
3182#endif /* POLARSSL_SHA2_C */
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3183 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3184#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3185#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3186 SSL_EDH_RSA_DES_168_SHA,
3187#endif
3188#endif
3189
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3190#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3191#if defined(POLARSSL_SHA2_C)
3192 SSL_RSA_AES_256_SHA256,
3193#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3194#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3195 SSL_RSA_AES_256_GCM_SHA384,
3196#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3197 SSL_RSA_AES_256_SHA,
3198#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3199#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3200#if defined(POLARSSL_SHA2_C)
3201 SSL_RSA_CAMELLIA_256_SHA256,
3202#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3203 SSL_RSA_CAMELLIA_256_SHA,
3204#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3205#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3206#if defined(POLARSSL_SHA2_C)
3207 SSL_RSA_AES_128_SHA256,
3208#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3209#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3210 SSL_RSA_AES_128_GCM_SHA256,
3211#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3212 SSL_RSA_AES_128_SHA,
3213#endif
3214#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3215#if defined(POLARSSL_SHA2_C)
3216 SSL_RSA_CAMELLIA_128_SHA256,
3217#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3218 SSL_RSA_CAMELLIA_128_SHA,
3219#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3220#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3221 SSL_RSA_DES_168_SHA,
3222#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3223#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3224 SSL_RSA_RC4_128_SHA,
3225 SSL_RSA_RC4_128_MD5,
3226#endif
3227 0
3228};
3229
3230/*
3231 * Perform the SSL handshake
3232 */
3233int ssl_handshake( ssl_context *ssl )
3234{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3235 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3236
3237 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3238
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3239#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3240 if( ssl->endpoint == SSL_IS_CLIENT )
3241 ret = ssl_handshake_client( ssl );
3242#endif
3243
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3244#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3245 if( ssl->endpoint == SSL_IS_SERVER )
3246 ret = ssl_handshake_server( ssl );
3247#endif
3248
3249 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3250
3251 return( ret );
3252}
3253
3254/*
3255 * Receive application data decrypted from the SSL layer
3256 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3257int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3258{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3259 int ret;
3260 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3261
3262 SSL_DEBUG_MSG( 2, ( "=> read" ) );
3263
3264 if( ssl->state != SSL_HANDSHAKE_OVER )
3265 {
3266 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3267 {
3268 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3269 return( ret );
3270 }
3271 }
3272
3273 if( ssl->in_offt == NULL )
3274 {
3275 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3276 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3277 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3278 return( 0 );
3279
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3280 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3281 return( ret );
3282 }
3283
3284 if( ssl->in_msglen == 0 &&
3285 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3286 {
3287 /*
3288 * OpenSSL sends empty messages to randomize the IV
3289 */
3290 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3291 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3292 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3293 return( 0 );
3294
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3295 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3296 return( ret );
3297 }
3298 }
3299
3300 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3301 {
3302 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3303 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3304 }
3305
3306 ssl->in_offt = ssl->in_msg;
3307 }
3308
3309 n = ( len < ssl->in_msglen )
3310 ? len : ssl->in_msglen;
3311
3312 memcpy( buf, ssl->in_offt, n );
3313 ssl->in_msglen -= n;
3314
3315 if( ssl->in_msglen == 0 )
3316 /* all bytes consumed */
3317 ssl->in_offt = NULL;
3318 else
3319 /* more data available */
3320 ssl->in_offt += n;
3321
3322 SSL_DEBUG_MSG( 2, ( "<= read" ) );
3323
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3324 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3325}
3326
3327/*
3328 * Send application data to be encrypted by the SSL layer
3329 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3330int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3331{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3332 int ret;
3333 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3334
3335 SSL_DEBUG_MSG( 2, ( "=> write" ) );
3336
3337 if( ssl->state != SSL_HANDSHAKE_OVER )
3338 {
3339 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3340 {
3341 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3342 return( ret );
3343 }
3344 }
3345
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3346 n = ( len < SSL_MAX_CONTENT_LEN )
3347 ? len : SSL_MAX_CONTENT_LEN;
3348
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3349 if( ssl->out_left != 0 )
3350 {
3351 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3352 {
3353 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3354 return( ret );
3355 }
3356 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3357 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]3358 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3359 ssl->out_msglen = n;
3360 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3361 memcpy( ssl->out_msg, buf, n );
3362
3363 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3364 {
3365 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3366 return( ret );
3367 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3368 }
3369
3370 SSL_DEBUG_MSG( 2, ( "<= write" ) );
3371
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3372 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3373}
3374
3375/*
3376 * Notify the peer that the connection is being closed
3377 */
3378int ssl_close_notify( ssl_context *ssl )
3379{
3380 int ret;
3381
3382 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3383
3384 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3385 {
3386 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3387 return( ret );
3388 }
3389
3390 if( ssl->state == SSL_HANDSHAKE_OVER )
3391 {
3392 ssl->out_msgtype = SSL_MSG_ALERT;
3393 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]3394 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
3395 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3396
3397 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3398 {
3399 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3400 return( ret );
3401 }
3402 }
3403
3404 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3405
3406 return( ret );
3407}
3408
3409/*
3410 * Free an SSL context
3411 */
3412void ssl_free( ssl_context *ssl )
3413{
3414 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3415
3416 if( ssl->peer_cert != NULL )
3417 {
3418 x509_free( ssl->peer_cert );
3419 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
3420 free( ssl->peer_cert );
3421 }
3422
3423 if( ssl->out_ctr != NULL )
3424 {
3425 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3426 free( ssl->out_ctr );
3427 }
3428
3429 if( ssl->in_ctr != NULL )
3430 {
3431 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3432 free( ssl->in_ctr );
3433 }
3434
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3435#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3436 dhm_free( &ssl->dhm_ctx );
3437#endif
3438
3439 if ( ssl->hostname != NULL)
3440 {
3441 memset( ssl->hostname, 0, ssl->hostname_len );
3442 free( ssl->hostname );
3443 ssl->hostname_len = 0;
3444 }
3445
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3446#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3447 if( ssl_hw_record_finish != NULL )
3448 {
3449 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3450 ssl_hw_record_finish( ssl );
3451 }
3452#endif
3453
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame^]3454#if defined(POLARSSL_ZLIB_SUPPORT)
3455 deflateEnd( &ssl->ctx_deflate );
3456 inflateEnd( &ssl->ctx_inflate );
3457#endif
3458
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3459 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]3460
3461 /* Actually free after last debug message */
3462 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3463}
3464
3465#endif