TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5f70b25c9bbe01cd9d7c074eeafc0b7653dc5e77 / . / library / ssl_tls.c
blob: 905f7cf03c4159a38ab339d68a2bc60c51d09a59 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]46#if defined(POLARSSL_GCM_C)
47#include "polarssl/gcm.h"
48#endif
49
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50#include <stdlib.h>
51#include <time.h>
52
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]53#if defined _MSC_VER && !defined strcasecmp
54#define strcasecmp _stricmp
55#endif
56
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]57#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58int (*ssl_hw_record_init)(ssl_context *ssl,
59 const unsigned char *key_enc, const unsigned char *key_dec,
60 const unsigned char *iv_enc, const unsigned char *iv_dec,
61 const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
62int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
63int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
64int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
65int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
66#endif
67
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68/*
69 * Key material generation
70 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]71static int ssl3_prf( unsigned char *secret, size_t slen, char *label,
72 unsigned char *random, size_t rlen,
73 unsigned char *dstbuf, size_t dlen )
74{
75 size_t i;
76 md5_context md5;
77 sha1_context sha1;
78 unsigned char padding[16];
79 unsigned char sha1sum[20];
80 ((void)label);
81
82 /*
83 * SSLv3:
84 * block =
85 * MD5( secret + SHA1( 'A' + secret + random ) ) +
86 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
87 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
88 * ...
89 */
90 for( i = 0; i < dlen / 16; i++ )
91 {
92 memset( padding, 'A' + i, 1 + i );
93
94 sha1_starts( &sha1 );
95 sha1_update( &sha1, padding, 1 + i );
96 sha1_update( &sha1, secret, slen );
97 sha1_update( &sha1, random, rlen );
98 sha1_finish( &sha1, sha1sum );
99
100 md5_starts( &md5 );
101 md5_update( &md5, secret, slen );
102 md5_update( &md5, sha1sum, 20 );
103 md5_finish( &md5, dstbuf + i * 16 );
104 }
105
106 memset( &md5, 0, sizeof( md5 ) );
107 memset( &sha1, 0, sizeof( sha1 ) );
108
109 memset( padding, 0, sizeof( padding ) );
110 memset( sha1sum, 0, sizeof( sha1sum ) );
111
112 return( 0 );
113}
114
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]115static int tls1_prf( unsigned char *secret, size_t slen, char *label,
116 unsigned char *random, size_t rlen,
117 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]118{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]119 size_t nb, hs;
120 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]121 unsigned char *S1, *S2;
122 unsigned char tmp[128];
123 unsigned char h_i[20];
124
125 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]126 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]127
128 hs = ( slen + 1 ) / 2;
129 S1 = secret;
130 S2 = secret + slen - hs;
131
132 nb = strlen( label );
133 memcpy( tmp + 20, label, nb );
134 memcpy( tmp + 20 + nb, random, rlen );
135 nb += rlen;
136
137 /*
138 * First compute P_md5(secret,label+random)[0..dlen]
139 */
140 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
141
142 for( i = 0; i < dlen; i += 16 )
143 {
144 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
145 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
146
147 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
148
149 for( j = 0; j < k; j++ )
150 dstbuf[i + j] = h_i[j];
151 }
152
153 /*
154 * XOR out with P_sha1(secret,label+random)[0..dlen]
155 */
156 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
157
158 for( i = 0; i < dlen; i += 20 )
159 {
160 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
161 sha1_hmac( S2, hs, tmp, 20, tmp );
162
163 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
164
165 for( j = 0; j < k; j++ )
166 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
167 }
168
169 memset( tmp, 0, sizeof( tmp ) );
170 memset( h_i, 0, sizeof( h_i ) );
171
172 return( 0 );
173}
174
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]175static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
176 unsigned char *random, size_t rlen,
177 unsigned char *dstbuf, size_t dlen )
178{
179 size_t nb;
180 size_t i, j, k;
181 unsigned char tmp[128];
182 unsigned char h_i[32];
183
184 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
185 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
186
187 nb = strlen( label );
188 memcpy( tmp + 32, label, nb );
189 memcpy( tmp + 32 + nb, random, rlen );
190 nb += rlen;
191
192 /*
193 * Compute P_<hash>(secret, label + random)[0..dlen]
194 */
195 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
196
197 for( i = 0; i < dlen; i += 32 )
198 {
199 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
200 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
201
202 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
203
204 for( j = 0; j < k; j++ )
205 dstbuf[i + j] = h_i[j];
206 }
207
208 memset( tmp, 0, sizeof( tmp ) );
209 memset( h_i, 0, sizeof( h_i ) );
210
211 return( 0 );
212}
213
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]214static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
215 unsigned char *random, size_t rlen,
216 unsigned char *dstbuf, size_t dlen )
217{
218 size_t nb;
219 size_t i, j, k;
220 unsigned char tmp[128];
221 unsigned char h_i[48];
222
223 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
224 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
225
226 nb = strlen( label );
227 memcpy( tmp + 48, label, nb );
228 memcpy( tmp + 48 + nb, random, rlen );
229 nb += rlen;
230
231 /*
232 * Compute P_<hash>(secret, label + random)[0..dlen]
233 */
234 sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
235
236 for( i = 0; i < dlen; i += 48 )
237 {
238 sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
239 sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
240
241 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
242
243 for( j = 0; j < k; j++ )
244 dstbuf[i + j] = h_i[j];
245 }
246
247 memset( tmp, 0, sizeof( tmp ) );
248 memset( h_i, 0, sizeof( h_i ) );
249
250 return( 0 );
251}
252
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]253static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
254static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
255static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
256static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
257
258static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
259static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
260static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
261static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
262
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]263static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
264static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
265static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
266static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]267
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]268int ssl_derive_keys( ssl_context *ssl )
269{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]270 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]271 unsigned char keyblk[256];
272 unsigned char *key1;
273 unsigned char *key2;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]274 unsigned int iv_copy_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]275
276 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
277
278 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]279 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]280 */
281 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]282 {
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]283 ssl->tls_prf = ssl3_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]284 ssl->calc_verify = ssl_calc_verify_ssl;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]285 ssl->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]286 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]287 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]288 {
289 ssl->tls_prf = tls1_prf;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]290 ssl->calc_verify = ssl_calc_verify_tls;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]291 ssl->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]292 }
293 else if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
294 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
295 {
296 ssl->tls_prf = tls_prf_sha384;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]297 ssl->calc_verify = ssl_calc_verify_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]298 ssl->calc_finished = ssl_calc_finished_tls_sha384;
299 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]300 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]301 {
302 ssl->tls_prf = tls_prf_sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]303 ssl->calc_verify = ssl_calc_verify_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]304 ssl->calc_finished = ssl_calc_finished_tls_sha256;
305 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]306
307 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308 * SSLv3:
309 * master =
310 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
311 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
312 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]313 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]314 * TLSv1:
315 * master = PRF( premaster, "master secret", randbytes )[0..47]
316 */
317 if( ssl->resume == 0 )
318 {
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]319 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, ssl->pmslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]320
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]321 ssl->tls_prf( ssl->premaster, ssl->pmslen, "master secret",
322 ssl->randbytes, 64, ssl->session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323
324 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
325 }
326 else
327 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
328
329 /*
330 * Swap the client and server random values.
331 */
332 memcpy( tmp, ssl->randbytes, 64 );
333 memcpy( ssl->randbytes, tmp + 32, 32 );
334 memcpy( ssl->randbytes + 32, tmp, 32 );
335 memset( tmp, 0, sizeof( tmp ) );
336
337 /*
338 * SSLv3:
339 * key block =
340 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
341 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
342 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
343 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
344 * ...
345 *
346 * TLSv1:
347 * key block = PRF( master, "key expansion", randbytes )
348 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]349 ssl->tls_prf( ssl->session->master, 48, "key expansion",
350 ssl->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]352 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
354 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
355 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
356
357 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
358
359 /*
360 * Determine the appropriate key, IV and MAC length.
361 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]362 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]364#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365 case SSL_RSA_RC4_128_MD5:
366 ssl->keylen = 16; ssl->minlen = 16;
367 ssl->ivlen = 0; ssl->maclen = 16;
368 break;
369
370 case SSL_RSA_RC4_128_SHA:
371 ssl->keylen = 16; ssl->minlen = 20;
372 ssl->ivlen = 0; ssl->maclen = 20;
373 break;
374#endif
375
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]376#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]377 case SSL_RSA_DES_168_SHA:
378 case SSL_EDH_RSA_DES_168_SHA:
379 ssl->keylen = 24; ssl->minlen = 24;
380 ssl->ivlen = 8; ssl->maclen = 20;
381 break;
382#endif
383
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]384#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]385 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]386 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387 ssl->keylen = 16; ssl->minlen = 32;
388 ssl->ivlen = 16; ssl->maclen = 20;
389 break;
390
391 case SSL_RSA_AES_256_SHA:
392 case SSL_EDH_RSA_AES_256_SHA:
393 ssl->keylen = 32; ssl->minlen = 32;
394 ssl->ivlen = 16; ssl->maclen = 20;
395 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]396
397#if defined(POLARSSL_SHA2_C)
398 case SSL_RSA_AES_128_SHA256:
399 case SSL_EDH_RSA_AES_128_SHA256:
400 ssl->keylen = 16; ssl->minlen = 32;
401 ssl->ivlen = 16; ssl->maclen = 32;
402 break;
403
404 case SSL_RSA_AES_256_SHA256:
405 case SSL_EDH_RSA_AES_256_SHA256:
406 ssl->keylen = 32; ssl->minlen = 32;
407 ssl->ivlen = 16; ssl->maclen = 32;
408 break;
409#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]410#if defined(POLARSSL_GCM_C)
411 case SSL_RSA_AES_128_GCM_SHA256:
412 case SSL_EDH_RSA_AES_128_GCM_SHA256:
413 ssl->keylen = 16; ssl->minlen = 1;
414 ssl->ivlen = 12; ssl->maclen = 0;
415 ssl->fixed_ivlen = 4;
416 break;
417
418 case SSL_RSA_AES_256_GCM_SHA384:
419 case SSL_EDH_RSA_AES_256_GCM_SHA384:
420 ssl->keylen = 32; ssl->minlen = 1;
421 ssl->ivlen = 12; ssl->maclen = 0;
422 ssl->fixed_ivlen = 4;
423 break;
424#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]425#endif
426
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]427#if defined(POLARSSL_CAMELLIA_C)
428 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]429 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]430 ssl->keylen = 16; ssl->minlen = 32;
431 ssl->ivlen = 16; ssl->maclen = 20;
432 break;
433
434 case SSL_RSA_CAMELLIA_256_SHA:
435 case SSL_EDH_RSA_CAMELLIA_256_SHA:
436 ssl->keylen = 32; ssl->minlen = 32;
437 ssl->ivlen = 16; ssl->maclen = 20;
438 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]439
440#if defined(POLARSSL_SHA2_C)
441 case SSL_RSA_CAMELLIA_128_SHA256:
442 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
443 ssl->keylen = 16; ssl->minlen = 32;
444 ssl->ivlen = 16; ssl->maclen = 32;
445 break;
446
447 case SSL_RSA_CAMELLIA_256_SHA256:
448 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
449 ssl->keylen = 32; ssl->minlen = 32;
450 ssl->ivlen = 16; ssl->maclen = 32;
451 break;
452#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]453#endif
454
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]455#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
456#if defined(POLARSSL_CIPHER_NULL_CIPHER)
457 case SSL_RSA_NULL_MD5:
458 ssl->keylen = 0; ssl->minlen = 0;
459 ssl->ivlen = 0; ssl->maclen = 16;
460 break;
461
462 case SSL_RSA_NULL_SHA:
463 ssl->keylen = 0; ssl->minlen = 0;
464 ssl->ivlen = 0; ssl->maclen = 20;
465 break;
466
467 case SSL_RSA_NULL_SHA256:
468 ssl->keylen = 0; ssl->minlen = 0;
469 ssl->ivlen = 0; ssl->maclen = 32;
470 break;
471#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
472
473#if defined(POLARSSL_DES_C)
474 case SSL_RSA_DES_SHA:
475 case SSL_EDH_RSA_DES_SHA:
476 ssl->keylen = 8; ssl->minlen = 8;
477 ssl->ivlen = 8; ssl->maclen = 20;
478 break;
479#endif
480#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
481
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]483 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
484 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]485 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]486 }
487
488 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
489 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
490
491 /*
492 * Finally setup the cipher contexts, IVs and MAC secrets.
493 */
494 if( ssl->endpoint == SSL_IS_CLIENT )
495 {
496 key1 = keyblk + ssl->maclen * 2;
497 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
498
499 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
500 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
501
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]502 /*
503 * This is not used in TLS v1.1.
504 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]505 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
506 memcpy( ssl->iv_enc, key2 + ssl->keylen, iv_copy_len );
507 memcpy( ssl->iv_dec, key2 + ssl->keylen + iv_copy_len,
508 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]509 }
510 else
511 {
512 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
513 key2 = keyblk + ssl->maclen * 2;
514
515 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
516 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
517
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]518 /*
519 * This is not used in TLS v1.1.
520 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]521 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
522 memcpy( ssl->iv_dec, key1 + ssl->keylen, iv_copy_len );
523 memcpy( ssl->iv_enc, key1 + ssl->keylen + iv_copy_len,
524 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]525 }
526
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]527#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
528 if( ssl_hw_record_init != NULL)
529 {
530 int ret = 0;
531
532 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
533
534 if( ( ret = ssl_hw_record_init( ssl, key1, key2, ssl->iv_enc,
535 ssl->iv_dec, ssl->mac_enc,
536 ssl->mac_dec ) ) != 0 )
537 {
538 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
539 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
540 }
541 }
542#endif
543
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]544 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]545 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]546#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547 case SSL_RSA_RC4_128_MD5:
548 case SSL_RSA_RC4_128_SHA:
549 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
550 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
551 break;
552#endif
553
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]554#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]555 case SSL_RSA_DES_168_SHA:
556 case SSL_EDH_RSA_DES_168_SHA:
557 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
558 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
559 break;
560#endif
561
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]562#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]564 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]565 case SSL_RSA_AES_128_SHA256:
566 case SSL_EDH_RSA_AES_128_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
568 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
569 break;
570
571 case SSL_RSA_AES_256_SHA:
572 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]573 case SSL_RSA_AES_256_SHA256:
574 case SSL_EDH_RSA_AES_256_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
576 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
577 break;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]578
579#if defined(POLARSSL_GCM_C)
580 case SSL_RSA_AES_128_GCM_SHA256:
581 case SSL_EDH_RSA_AES_128_GCM_SHA256:
582 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 128 );
583 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 128 );
584 break;
585
586 case SSL_RSA_AES_256_GCM_SHA384:
587 case SSL_EDH_RSA_AES_256_GCM_SHA384:
588 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 256 );
589 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 256 );
590 break;
591#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592#endif
593
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]594#if defined(POLARSSL_CAMELLIA_C)
595 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]596 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]597 case SSL_RSA_CAMELLIA_128_SHA256:
598 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]599 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
600 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
601 break;
602
603 case SSL_RSA_CAMELLIA_256_SHA:
604 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]605 case SSL_RSA_CAMELLIA_256_SHA256:
606 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]607 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
608 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
609 break;
610#endif
611
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]612#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
613#if defined(POLARSSL_CIPHER_NULL_CIPHER)
614 case SSL_RSA_NULL_MD5:
615 case SSL_RSA_NULL_SHA:
616 case SSL_RSA_NULL_SHA256:
617 break;
618#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
619
620#if defined(POLARSSL_DES_C)
621 case SSL_RSA_DES_SHA:
622 case SSL_EDH_RSA_DES_SHA:
623 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
624 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
625 break;
626#endif
627#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
628
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]630 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]631 }
632
633 memset( keyblk, 0, sizeof( keyblk ) );
634
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]635#if defined(POLARSSL_ZLIB_SUPPORT)
636 // Initialize compression
637 //
638 if( ssl->session->compression == SSL_COMPRESS_DEFLATE )
639 {
640 SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
641
642 memset( &ssl->ctx_deflate, 0, sizeof( ssl->ctx_deflate ) );
643 memset( &ssl->ctx_inflate, 0, sizeof( ssl->ctx_inflate ) );
644
645 if( deflateInit( &ssl->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
646 inflateInit( &ssl->ctx_inflate ) != Z_OK )
647 {
648 SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
649 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
650 }
651 }
652#endif /* POLARSSL_ZLIB_SUPPORT */
653
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]654 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
655
656 return( 0 );
657}
658
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]659void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660{
661 md5_context md5;
662 sha1_context sha1;
663 unsigned char pad_1[48];
664 unsigned char pad_2[48];
665
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]666 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]668 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
669 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
670 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]672 memset( pad_1, 0x36, 48 );
673 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]675 md5_update( &md5, ssl->session->master, 48 );
676 md5_update( &md5, pad_1, 48 );
677 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]678
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]679 md5_starts( &md5 );
680 md5_update( &md5, ssl->session->master, 48 );
681 md5_update( &md5, pad_2, 48 );
682 md5_update( &md5, hash, 16 );
683 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]685 sha1_update( &sha1, ssl->session->master, 48 );
686 sha1_update( &sha1, pad_1, 40 );
687 sha1_finish( &sha1, hash + 16 );
688
689 sha1_starts( &sha1 );
690 sha1_update( &sha1, ssl->session->master, 48 );
691 sha1_update( &sha1, pad_2, 40 );
692 sha1_update( &sha1, hash + 16, 20 );
693 sha1_finish( &sha1, hash + 16 );
694
695 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
696 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
697
698 return;
699}
700
701void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
702{
703 md5_context md5;
704 sha1_context sha1;
705
706 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
707
708 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
709 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
710 sizeof( sha1_context ) );
711
712 md5_finish( &md5, hash );
713 sha1_finish( &sha1, hash + 16 );
714
715 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
716 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
717
718 return;
719}
720
721void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
722{
723 sha2_context sha2;
724
725 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
726
727 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
728 sha2_finish( &sha2, hash );
729
730 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
731 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
732
733 return;
734}
735
736void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
737{
738 sha4_context sha4;
739
740 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
741
742 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
743 sha4_finish( &sha4, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]744
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]745 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]746 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
747
748 return;
749}
750
751/*
752 * SSLv3.0 MAC functions
753 */
754static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]755 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]756 unsigned char *ctr, int type )
757{
758 unsigned char header[11];
759 unsigned char padding[48];
760 md5_context md5;
761
762 memcpy( header, ctr, 8 );
763 header[ 8] = (unsigned char) type;
764 header[ 9] = (unsigned char)( len >> 8 );
765 header[10] = (unsigned char)( len );
766
767 memset( padding, 0x36, 48 );
768 md5_starts( &md5 );
769 md5_update( &md5, secret, 16 );
770 md5_update( &md5, padding, 48 );
771 md5_update( &md5, header, 11 );
772 md5_update( &md5, buf, len );
773 md5_finish( &md5, buf + len );
774
775 memset( padding, 0x5C, 48 );
776 md5_starts( &md5 );
777 md5_update( &md5, secret, 16 );
778 md5_update( &md5, padding, 48 );
779 md5_update( &md5, buf + len, 16 );
780 md5_finish( &md5, buf + len );
781}
782
783static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]784 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]785 unsigned char *ctr, int type )
786{
787 unsigned char header[11];
788 unsigned char padding[40];
789 sha1_context sha1;
790
791 memcpy( header, ctr, 8 );
792 header[ 8] = (unsigned char) type;
793 header[ 9] = (unsigned char)( len >> 8 );
794 header[10] = (unsigned char)( len );
795
796 memset( padding, 0x36, 40 );
797 sha1_starts( &sha1 );
798 sha1_update( &sha1, secret, 20 );
799 sha1_update( &sha1, padding, 40 );
800 sha1_update( &sha1, header, 11 );
801 sha1_update( &sha1, buf, len );
802 sha1_finish( &sha1, buf + len );
803
804 memset( padding, 0x5C, 40 );
805 sha1_starts( &sha1 );
806 sha1_update( &sha1, secret, 20 );
807 sha1_update( &sha1, padding, 40 );
808 sha1_update( &sha1, buf + len, 20 );
809 sha1_finish( &sha1, buf + len );
810}
811
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]812static void ssl_mac_sha2( unsigned char *secret,
813 unsigned char *buf, size_t len,
814 unsigned char *ctr, int type )
815{
816 unsigned char header[11];
817 unsigned char padding[32];
818 sha2_context sha2;
819
820 memcpy( header, ctr, 8 );
821 header[ 8] = (unsigned char) type;
822 header[ 9] = (unsigned char)( len >> 8 );
823 header[10] = (unsigned char)( len );
824
825 memset( padding, 0x36, 32 );
826 sha2_starts( &sha2, 0 );
827 sha2_update( &sha2, secret, 32 );
828 sha2_update( &sha2, padding, 32 );
829 sha2_update( &sha2, header, 11 );
830 sha2_update( &sha2, buf, len );
831 sha2_finish( &sha2, buf + len );
832
833 memset( padding, 0x5C, 32 );
834 sha2_starts( &sha2, 0 );
835 sha2_update( &sha2, secret, 32 );
836 sha2_update( &sha2, padding, 32 );
837 sha2_update( &sha2, buf + len, 32 );
838 sha2_finish( &sha2, buf + len );
839}
840
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841/*
842 * Encryption/decryption functions
843 */
844static int ssl_encrypt_buf( ssl_context *ssl )
845{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]846 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847
848 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
849
850 /*
851 * Add MAC then encrypt
852 */
853 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
854 {
855 if( ssl->maclen == 16 )
856 ssl_mac_md5( ssl->mac_enc,
857 ssl->out_msg, ssl->out_msglen,
858 ssl->out_ctr, ssl->out_msgtype );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]859 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860 ssl_mac_sha1( ssl->mac_enc,
861 ssl->out_msg, ssl->out_msglen,
862 ssl->out_ctr, ssl->out_msgtype );
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]863 else if( ssl->maclen == 32 )
864 ssl_mac_sha2( ssl->mac_enc,
865 ssl->out_msg, ssl->out_msglen,
866 ssl->out_ctr, ssl->out_msgtype );
867 else if( ssl->maclen != 0 )
868 {
869 SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d", ssl->maclen ) );
870 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
871 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]872 }
873 else
874 {
875 if( ssl->maclen == 16 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]876 {
877 md5_context ctx;
878 md5_hmac_starts( &ctx, ssl->mac_enc, 16 );
879 md5_hmac_update( &ctx, ssl->out_ctr, 13 );
880 md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
881 md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
882 memset( &ctx, 0, sizeof(md5_context));
883 }
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]884 else if( ssl->maclen == 20 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]885 {
886 sha1_context ctx;
887 sha1_hmac_starts( &ctx, ssl->mac_enc, 20 );
888 sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
889 sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
890 sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
891 memset( &ctx, 0, sizeof(sha1_context));
892 }
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]893 else if( ssl->maclen == 32 )
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]894 {
895 sha2_context ctx;
896 sha2_hmac_starts( &ctx, ssl->mac_enc, 32, 0 );
897 sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
898 sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
899 sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
900 memset( &ctx, 0, sizeof(sha2_context));
901 }
Paul Bakker5f70b252012-09-13 14:23:06 +0000[diff] [blame^]902 else if( ssl->maclen != 0 )
903 {
904 SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d", ssl->maclen ) );
905 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
906 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]907 }
908
909 SSL_DEBUG_BUF( 4, "computed mac",
910 ssl->out_msg + ssl->out_msglen, ssl->maclen );
911
912 ssl->out_msglen += ssl->maclen;
913
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]914 if( ssl->ivlen == 0 )
915 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]916 padlen = 0;
917
918 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
919 "including %d bytes of padding",
920 ssl->out_msglen, 0 ) );
921
922 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
923 ssl->out_msg, ssl->out_msglen );
924
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]925#if defined(POLARSSL_ARC4_C)
926 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
927 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
928 {
929 arc4_crypt( (arc4_context *) ssl->ctx_enc,
930 ssl->out_msglen, ssl->out_msg,
931 ssl->out_msg );
932 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]933#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]934#if defined(POLARSSL_CIPHER_NULL_CIPHER)
935 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
936 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
937 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
938 {
939 } else
940#endif
941 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]942 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]943 else if( ssl->ivlen == 12 )
944 {
945 size_t enc_msglen;
946 unsigned char *enc_msg;
947 unsigned char add_data[13];
948 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
949
950 padlen = 0;
951 enc_msglen = ssl->out_msglen;
952
953 memcpy( add_data, ssl->out_ctr, 8 );
954 add_data[8] = ssl->out_msgtype;
955 add_data[9] = ssl->major_ver;
956 add_data[10] = ssl->minor_ver;
957 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
958 add_data[12] = ssl->out_msglen & 0xFF;
959
960 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
961 add_data, 13 );
962
963#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
964
965 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
966 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
967 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
968 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
969 {
970 /*
971 * Generate IV
972 */
973 ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc + ssl->fixed_ivlen,
974 ssl->ivlen - ssl->fixed_ivlen );
975 if( ret != 0 )
976 return( ret );
977
978 /*
979 * Shift message for ivlen bytes and prepend IV
980 */
981 memmove( ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen,
982 ssl->out_msg, ssl->out_msglen );
983 memcpy( ssl->out_msg, ssl->iv_enc + ssl->fixed_ivlen,
984 ssl->ivlen - ssl->fixed_ivlen );
985
986 /*
987 * Fix pointer positions and message length with added IV
988 */
989 enc_msg = ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen;
990 enc_msglen = ssl->out_msglen;
991 ssl->out_msglen += ssl->ivlen - ssl->fixed_ivlen;
992
993 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
994 "including %d bytes of padding",
995 ssl->out_msglen, 0 ) );
996
997 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
998 ssl->out_msg, ssl->out_msglen );
999
1000 /*
1001 * Adjust for tag
1002 */
1003 ssl->out_msglen += 16;
1004
1005 gcm_crypt_and_tag( (gcm_context *) ssl->ctx_enc,
1006 GCM_ENCRYPT, enc_msglen,
1007 ssl->iv_enc, ssl->ivlen,
1008 add_data, 13,
1009 enc_msg, enc_msg,
1010 16, enc_msg + enc_msglen );
1011
1012 SSL_DEBUG_BUF( 4, "after encrypt: tag",
1013 enc_msg + enc_msglen, 16 );
1014
1015 } else
1016#endif
1017 return( ret );
1018 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1019 else
1020 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1021 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1022 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1023
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
1025 if( padlen == ssl->ivlen )
1026 padlen = 0;
1027
1028 for( i = 0; i <= padlen; i++ )
1029 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1030
1031 ssl->out_msglen += padlen + 1;
1032
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1033 enc_msglen = ssl->out_msglen;
1034 enc_msg = ssl->out_msg;
1035
1036 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1037 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1038 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1039 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1040 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1041 {
1042 /*
1043 * Generate IV
1044 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1045 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
1046 if( ret != 0 )
1047 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1048
1049 /*
1050 * Shift message for ivlen bytes and prepend IV
1051 */
1052 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
1053 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
1054
1055 /*
1056 * Fix pointer positions and message length with added IV
1057 */
1058 enc_msg = ssl->out_msg + ssl->ivlen;
1059 enc_msglen = ssl->out_msglen;
1060 ssl->out_msglen += ssl->ivlen;
1061 }
1062
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1064 "including %d bytes of IV and %d bytes of padding",
1065 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066
1067 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1068 ssl->out_msg, ssl->out_msglen );
1069
1070 switch( ssl->ivlen )
1071 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1072#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1073 case 8:
1074#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1075 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1076 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1077 {
1078 des_crypt_cbc( (des_context *) ssl->ctx_enc,
1079 DES_ENCRYPT, enc_msglen,
1080 ssl->iv_enc, enc_msg, enc_msg );
1081 }
1082 else
1083#endif
1084 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
1085 DES_ENCRYPT, enc_msglen,
1086 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1087 break;
1088#endif
1089
1090 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1091#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1092 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1093 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1094 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1095 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1096 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1097 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1098 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1099 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1100 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1101 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1102 AES_ENCRYPT, enc_msglen,
1103 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1104 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1105 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1106#endif
1107
1108#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1109 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1110 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1111 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1112 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1113 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1114 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1115 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1116 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1117 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1118 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1119 CAMELLIA_ENCRYPT, enc_msglen,
1120 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1121 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1122 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1123#endif
1124
1125 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1126 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1127 }
1128 }
1129
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1130 for( i = 8; i > 0; i-- )
1131 if( ++ssl->out_ctr[i - 1] != 0 )
1132 break;
1133
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1135
1136 return( 0 );
1137}
1138
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1139/*
1140 * TODO: Use digest version when integrated!
1141 */
1142#define POLARSSL_SSL_MAX_MAC_SIZE 32
1143
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1144static int ssl_decrypt_buf( ssl_context *ssl )
1145{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1146 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1147 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1148
1149 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1150
1151 if( ssl->in_msglen < ssl->minlen )
1152 {
1153 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1154 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1155 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1156 }
1157
1158 if( ssl->ivlen == 0 )
1159 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1160#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1161 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1162 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
1163 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
1164 {
1165 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]1166 ssl->in_msglen, ssl->in_msg,
1167 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1168 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1169#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1170#if defined(POLARSSL_CIPHER_NULL_CIPHER)
1171 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
1172 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
1173 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
1174 {
1175 } else
1176#endif
1177 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1178 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1179 else if( ssl->ivlen == 12 )
1180 {
1181 unsigned char *dec_msg;
1182 unsigned char *dec_msg_result;
1183 size_t dec_msglen;
1184 unsigned char add_data[13];
1185 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1186
1187 padlen = 0;
1188
1189#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1190 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
1191 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
1192 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
1193 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
1194 {
1195 dec_msglen = ssl->in_msglen - ( ssl->ivlen - ssl->fixed_ivlen );
1196 dec_msglen -= 16;
1197 dec_msg = ssl->in_msg + ( ssl->ivlen - ssl->fixed_ivlen );
1198 dec_msg_result = ssl->in_msg;
1199 ssl->in_msglen = dec_msglen;
1200
1201 memcpy( add_data, ssl->in_ctr, 8 );
1202 add_data[8] = ssl->in_msgtype;
1203 add_data[9] = ssl->major_ver;
1204 add_data[10] = ssl->minor_ver;
1205 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1206 add_data[12] = ssl->in_msglen & 0xFF;
1207
1208 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1209 add_data, 13 );
1210
1211 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1212 ssl->ivlen - ssl->fixed_ivlen );
1213
1214 SSL_DEBUG_BUF( 4, "IV used", ssl->iv_dec, ssl->ivlen );
1215 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1216
1217 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1218 ssl->ivlen - ssl->fixed_ivlen );
1219
1220 ret = gcm_auth_decrypt( (gcm_context *) ssl->ctx_dec,
1221 dec_msglen,
1222 ssl->iv_dec, ssl->ivlen,
1223 add_data, 13,
1224 dec_msg + dec_msglen, 16,
1225 dec_msg, dec_msg_result );
1226
1227 if( ret != 0 )
1228 {
1229 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1230 -ret ) );
1231
1232 return( POLARSSL_ERR_SSL_INVALID_MAC );
1233 }
1234 } else
1235#endif
1236 return( ret );
1237 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238 else
1239 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1240 unsigned char *dec_msg;
1241 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1242 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1243
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244 /*
1245 * Decrypt and check the padding
1246 */
1247 if( ssl->in_msglen % ssl->ivlen != 0 )
1248 {
1249 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1250 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1251 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252 }
1253
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1254 dec_msglen = ssl->in_msglen;
1255 dec_msg = ssl->in_msg;
1256 dec_msg_result = ssl->in_msg;
1257
1258 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1259 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1260 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1261 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1262 {
1263 dec_msg += ssl->ivlen;
1264 dec_msglen -= ssl->ivlen;
1265 ssl->in_msglen -= ssl->ivlen;
1266
1267 for( i = 0; i < ssl->ivlen; i++ )
1268 ssl->iv_dec[i] = ssl->in_msg[i];
1269 }
1270
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1271 switch( ssl->ivlen )
1272 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1273#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1274 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1275#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1276 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1277 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1278 {
1279 des_crypt_cbc( (des_context *) ssl->ctx_dec,
1280 DES_DECRYPT, dec_msglen,
1281 ssl->iv_dec, dec_msg, dec_msg_result );
1282 }
1283 else
1284#endif
1285 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
1286 DES_DECRYPT, dec_msglen,
1287 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1288 break;
1289#endif
1290
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1291 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1292#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1293 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1294 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1295 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1296 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1297 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1298 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1299 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1300 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1301 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1302 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1303 AES_DECRYPT, dec_msglen,
1304 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1305 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1306 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1307#endif
1308
1309#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1310 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1311 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1312 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1313 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1314 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1315 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1316 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1317 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1318 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1319 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1320 CAMELLIA_DECRYPT, dec_msglen,
1321 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1322 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1323 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1324#endif
1325
1326 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1327 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328 }
1329
1330 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1331
1332 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1333 {
1334 if( padlen > ssl->ivlen )
1335 {
1336 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1337 "should be no more than %d",
1338 padlen, ssl->ivlen ) );
1339 padlen = 0;
1340 }
1341 }
1342 else
1343 {
1344 /*
1345 * TLSv1: always check the padding
1346 */
1347 for( i = 1; i <= padlen; i++ )
1348 {
1349 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1350 {
1351 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
1352 "%02x, but is %02x", padlen - 1,
1353 ssl->in_msg[ssl->in_msglen - i] ) );
1354 padlen = 0;
1355 }
1356 }
1357 }
1358 }
1359
1360 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1361 ssl->in_msg, ssl->in_msglen );
1362
1363 /*
1364 * Always compute the MAC (RFC4346, CBCTIME).
1365 */
Paul Bakkerf34cf852012-04-10 07:48:40 +0000[diff] [blame]1366 if( ssl->in_msglen < ssl->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1367 {
1368 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1369 ssl->in_msglen, ssl->maclen, padlen ) );
1370 return( POLARSSL_ERR_SSL_INVALID_MAC );
1371 }
1372
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373 ssl->in_msglen -= ( ssl->maclen + padlen );
1374
1375 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1376 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1377
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1378 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1379
1380 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1381 {
1382 if( ssl->maclen == 16 )
1383 ssl_mac_md5( ssl->mac_dec,
1384 ssl->in_msg, ssl->in_msglen,
1385 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1386 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1387 ssl_mac_sha1( ssl->mac_dec,
1388 ssl->in_msg, ssl->in_msglen,
1389 ssl->in_ctr, ssl->in_msgtype );
1390 }
1391 else
1392 {
1393 if( ssl->maclen == 16 )
1394 md5_hmac( ssl->mac_dec, 16,
1395 ssl->in_ctr, ssl->in_msglen + 13,
1396 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1397 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1398 sha1_hmac( ssl->mac_dec, 20,
1399 ssl->in_ctr, ssl->in_msglen + 13,
1400 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1401 else if( ssl->maclen == 32 )
1402 sha2_hmac( ssl->mac_dec, 32,
1403 ssl->in_ctr, ssl->in_msglen + 13,
1404 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1405 }
1406
1407 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
1408 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1409 ssl->maclen );
1410
1411 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1412 ssl->maclen ) != 0 )
1413 {
1414 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1415 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1416 }
1417
1418 /*
1419 * Finally check the padding length; bad padding
1420 * will produce the same error as an invalid MAC.
1421 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]1422 if( ssl->ivlen != 0 && ssl->ivlen != 12 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1423 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1424
1425 if( ssl->in_msglen == 0 )
1426 {
1427 ssl->nb_zero++;
1428
1429 /*
1430 * Three or more empty messages may be a DoS attack
1431 * (excessive CPU consumption).
1432 */
1433 if( ssl->nb_zero > 3 )
1434 {
1435 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1436 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1437 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1438 }
1439 }
1440 else
1441 ssl->nb_zero = 0;
1442
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1443 for( i = 8; i > 0; i-- )
1444 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1445 break;
1446
1447 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1448
1449 return( 0 );
1450}
1451
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1452#if defined(POLARSSL_ZLIB_SUPPORT)
1453/*
1454 * Compression/decompression functions
1455 */
1456static int ssl_compress_buf( ssl_context *ssl )
1457{
1458 int ret;
1459 unsigned char *msg_post = ssl->out_msg;
1460 size_t len_pre = ssl->out_msglen;
1461 unsigned char *msg_pre;
1462
1463 SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1464
1465 msg_pre = (unsigned char*) malloc( len_pre );
1466 if( msg_pre == NULL )
1467 {
1468 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1469 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1470 }
1471
1472 memcpy( msg_pre, ssl->out_msg, len_pre );
1473
1474 SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1475 ssl->out_msglen ) );
1476
1477 SSL_DEBUG_BUF( 4, "before compression: output payload",
1478 ssl->out_msg, ssl->out_msglen );
1479
1480 ssl->ctx_deflate.next_in = msg_pre;
1481 ssl->ctx_deflate.avail_in = len_pre;
1482 ssl->ctx_deflate.next_out = msg_post;
1483 ssl->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1484
1485 ret = deflate( &ssl->ctx_deflate, Z_SYNC_FLUSH );
1486 if( ret != Z_OK )
1487 {
1488 SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1489 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1490 }
1491
1492 ssl->out_msglen = SSL_BUFFER_LEN - ssl->ctx_deflate.avail_out;
1493
1494 free( msg_pre );
1495
1496 SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1497 ssl->out_msglen ) );
1498
1499 SSL_DEBUG_BUF( 4, "after compression: output payload",
1500 ssl->out_msg, ssl->out_msglen );
1501
1502 SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1503
1504 return( 0 );
1505}
1506
1507static int ssl_decompress_buf( ssl_context *ssl )
1508{
1509 int ret;
1510 unsigned char *msg_post = ssl->in_msg;
1511 size_t len_pre = ssl->in_msglen;
1512 unsigned char *msg_pre;
1513
1514 SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1515
1516 msg_pre = (unsigned char*) malloc( len_pre );
1517 if( msg_pre == NULL )
1518 {
1519 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1520 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1521 }
1522
1523 memcpy( msg_pre, ssl->in_msg, len_pre );
1524
1525 SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1526 ssl->in_msglen ) );
1527
1528 SSL_DEBUG_BUF( 4, "before decompression: input payload",
1529 ssl->in_msg, ssl->in_msglen );
1530
1531 ssl->ctx_inflate.next_in = msg_pre;
1532 ssl->ctx_inflate.avail_in = len_pre;
1533 ssl->ctx_inflate.next_out = msg_post;
1534 ssl->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1535
1536 ret = inflate( &ssl->ctx_inflate, Z_SYNC_FLUSH );
1537 if( ret != Z_OK )
1538 {
1539 SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1540 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1541 }
1542
1543 ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->ctx_inflate.avail_out;
1544
1545 free( msg_pre );
1546
1547 SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1548 ssl->in_msglen ) );
1549
1550 SSL_DEBUG_BUF( 4, "after decompression: input payload",
1551 ssl->in_msg, ssl->in_msglen );
1552
1553 SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1554
1555 return( 0 );
1556}
1557#endif /* POLARSSL_ZLIB_SUPPORT */
1558
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1559/*
1560 * Fill the input message buffer
1561 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1562int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1563{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1564 int ret;
1565 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1566
1567 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1568
1569 while( ssl->in_left < nb_want )
1570 {
1571 len = nb_want - ssl->in_left;
1572 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1573
1574 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1575 ssl->in_left, nb_want ) );
1576 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1577
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1578 if( ret == 0 )
1579 return( POLARSSL_ERR_SSL_CONN_EOF );
1580
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1581 if( ret < 0 )
1582 return( ret );
1583
1584 ssl->in_left += ret;
1585 }
1586
1587 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1588
1589 return( 0 );
1590}
1591
1592/*
1593 * Flush any data not yet written
1594 */
1595int ssl_flush_output( ssl_context *ssl )
1596{
1597 int ret;
1598 unsigned char *buf;
1599
1600 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1601
1602 while( ssl->out_left > 0 )
1603 {
1604 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1605 5 + ssl->out_msglen, ssl->out_left ) );
1606
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1607 if( ssl->out_msglen < ssl->out_left )
1608 {
1609 size_t header_left = ssl->out_left - ssl->out_msglen;
1610
1611 buf = ssl->out_hdr + 5 - header_left;
1612 ret = ssl->f_send( ssl->p_send, buf, header_left );
1613
1614 SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1615
1616 if( ret <= 0 )
1617 return( ret );
1618
1619 ssl->out_left -= ret;
1620 }
1621
1622 buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1623 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1624
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1625 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1626
1627 if( ret <= 0 )
1628 return( ret );
1629
1630 ssl->out_left -= ret;
1631 }
1632
1633 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1634
1635 return( 0 );
1636}
1637
1638/*
1639 * Record layer functions
1640 */
1641int ssl_write_record( ssl_context *ssl )
1642{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1643 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1644 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1645
1646 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1647
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1648 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1649 {
1650 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1651 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1652 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1653
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1654 ssl->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1655 }
1656
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1657#if defined(POLARSSL_ZLIB_SUPPORT)
1658 if( ssl->do_crypt != 0 &&
1659 ssl->session->compression == SSL_COMPRESS_DEFLATE )
1660 {
1661 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1662 {
1663 SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1664 return( ret );
1665 }
1666
1667 len = ssl->out_msglen;
1668 }
1669#endif /*POLARSSL_ZLIB_SUPPORT */
1670
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1671#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1672 if( ssl_hw_record_write != NULL)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1673 {
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1674 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1675
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1676 ret = ssl_hw_record_write( ssl );
1677 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1678 {
1679 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1680 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1681 }
1682 done = 1;
1683 }
1684#endif
1685 if( !done )
1686 {
1687 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1688 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1689 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1691 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1692
1693 if( ssl->do_crypt != 0 )
1694 {
1695 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1696 {
1697 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1698 return( ret );
1699 }
1700
1701 len = ssl->out_msglen;
1702 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1703 ssl->out_hdr[4] = (unsigned char)( len );
1704 }
1705
1706 ssl->out_left = 5 + ssl->out_msglen;
1707
1708 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1709 "version = [%d:%d], msglen = %d",
1710 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1711 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1712
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1713 SSL_DEBUG_BUF( 4, "output record header sent to network",
1714 ssl->out_hdr, 5 );
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1715 SSL_DEBUG_BUF( 4, "output record sent to network",
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]1716 ssl->out_hdr + 32, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1717 }
1718
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1720 {
1721 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1722 return( ret );
1723 }
1724
1725 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1726
1727 return( 0 );
1728}
1729
1730int ssl_read_record( ssl_context *ssl )
1731{
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1732 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1733
1734 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1735
1736 if( ssl->in_hslen != 0 &&
1737 ssl->in_hslen < ssl->in_msglen )
1738 {
1739 /*
1740 * Get next Handshake message in the current record
1741 */
1742 ssl->in_msglen -= ssl->in_hslen;
1743
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1744 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1745 ssl->in_msglen );
1746
1747 ssl->in_hslen = 4;
1748 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1749
1750 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1751 " %d, type = %d, hslen = %d",
1752 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1753
1754 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1755 {
1756 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1757 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1758 }
1759
1760 if( ssl->in_msglen < ssl->in_hslen )
1761 {
1762 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1763 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1764 }
1765
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1766 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1767
1768 return( 0 );
1769 }
1770
1771 ssl->in_hslen = 0;
1772
1773 /*
1774 * Read the record header and validate it
1775 */
1776 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1777 {
1778 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1779 return( ret );
1780 }
1781
1782 ssl->in_msgtype = ssl->in_hdr[0];
1783 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1784
1785 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1786 "version = [%d:%d], msglen = %d",
1787 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1788 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1789
1790 if( ssl->in_hdr[1] != ssl->major_ver )
1791 {
1792 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1793 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1794 }
1795
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1796 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797 {
1798 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1799 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1800 }
1801
1802 /*
1803 * Make sure the message length is acceptable
1804 */
1805 if( ssl->do_crypt == 0 )
1806 {
1807 if( ssl->in_msglen < 1 ||
1808 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1809 {
1810 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1811 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812 }
1813 }
1814 else
1815 {
1816 if( ssl->in_msglen < ssl->minlen )
1817 {
1818 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1819 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820 }
1821
1822 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1823 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1824 {
1825 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1826 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1827 }
1828
1829 /*
1830 * TLS encrypted messages can have up to 256 bytes of padding
1831 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1832 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1834 {
1835 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1836 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1837 }
1838 }
1839
1840 /*
1841 * Read and optionally decrypt the message contents
1842 */
1843 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1844 {
1845 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1846 return( ret );
1847 }
1848
1849 SSL_DEBUG_BUF( 4, "input record from network",
1850 ssl->in_hdr, 5 + ssl->in_msglen );
1851
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]1852#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1853 if( ssl_hw_record_read != NULL)
1854 {
1855 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1856
1857 ret = ssl_hw_record_read( ssl );
1858 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1859 {
1860 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1861 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1862 }
1863 done = 1;
1864 }
1865#endif
1866 if( !done && ssl->do_crypt != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867 {
1868 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1869 {
1870 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1871 return( ret );
1872 }
1873
1874 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1875 ssl->in_msg, ssl->in_msglen );
1876
1877 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1878 {
1879 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1880 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881 }
1882 }
1883
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1884#if defined(POLARSSL_ZLIB_SUPPORT)
1885 if( ssl->do_crypt != 0 &&
1886 ssl->session->compression == SSL_COMPRESS_DEFLATE )
1887 {
1888 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
1889 {
1890 SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
1891 return( ret );
1892 }
1893
1894 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1895 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1896 }
1897#endif /* POLARSSL_ZLIB_SUPPORT */
1898
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1899 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1900 ssl->in_msgtype != SSL_MSG_ALERT &&
1901 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1902 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1903 {
1904 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1905
1906 if( ( ret = ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1907 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
1908 {
1909 return( ret );
1910 }
1911
1912 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1913 }
1914
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1916 {
1917 ssl->in_hslen = 4;
1918 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1919
1920 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1921 " %d, type = %d, hslen = %d",
1922 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1923
1924 /*
1925 * Additional checks to validate the handshake header
1926 */
1927 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1928 {
1929 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1930 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1931 }
1932
1933 if( ssl->in_msglen < ssl->in_hslen )
1934 {
1935 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1936 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1937 }
1938
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1939 ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1940 }
1941
1942 if( ssl->in_msgtype == SSL_MSG_ALERT )
1943 {
1944 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1945 ssl->in_msg[0], ssl->in_msg[1] ) );
1946
1947 /*
1948 * Ignore non-fatal alerts, except close_notify
1949 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1950 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951 {
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1952 SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
1953 ssl->in_msg[1] ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1954 /**
1955 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1956 * error identifier.
1957 */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1958 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1959 }
1960
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1961 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1962 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1963 {
1964 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1965 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1966 }
1967 }
1968
1969 ssl->in_left = 0;
1970
1971 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1972
1973 return( 0 );
1974}
1975
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1976int ssl_send_alert_message( ssl_context *ssl,
1977 unsigned char level,
1978 unsigned char message )
1979{
1980 int ret;
1981
1982 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1983
1984 ssl->out_msgtype = SSL_MSG_ALERT;
1985 ssl->out_msglen = 2;
1986 ssl->out_msg[0] = level;
1987 ssl->out_msg[1] = message;
1988
1989 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1990 {
1991 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1992 return( ret );
1993 }
1994
1995 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1996
1997 return( 0 );
1998}
1999
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000/*
2001 * Handshake functions
2002 */
2003int ssl_write_certificate( ssl_context *ssl )
2004{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2005 int ret;
2006 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2007 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2008
2009 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2010
2011 if( ssl->endpoint == SSL_IS_CLIENT )
2012 {
2013 if( ssl->client_auth == 0 )
2014 {
2015 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2016 ssl->state++;
2017 return( 0 );
2018 }
2019
2020 /*
2021 * If using SSLv3 and got no cert, send an Alert message
2022 * (otherwise an empty Certificate message will be sent).
2023 */
2024 if( ssl->own_cert == NULL &&
2025 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2026 {
2027 ssl->out_msglen = 2;
2028 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2029 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2030 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031
2032 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2033 goto write_msg;
2034 }
2035 }
2036 else /* SSL_IS_SERVER */
2037 {
2038 if( ssl->own_cert == NULL )
2039 {
2040 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2041 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2042 }
2043 }
2044
2045 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
2046
2047 /*
2048 * 0 . 0 handshake type
2049 * 1 . 3 handshake length
2050 * 4 . 6 length of all certs
2051 * 7 . 9 length of cert. 1
2052 * 10 . n-1 peer certificate
2053 * n . n+2 length of cert. 2
2054 * n+3 . ... upper level cert, etc.
2055 */
2056 i = 7;
2057 crt = ssl->own_cert;
2058
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]2059 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2060 {
2061 n = crt->raw.len;
2062 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
2063 {
2064 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2065 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2066 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2067 }
2068
2069 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2070 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2071 ssl->out_msg[i + 2] = (unsigned char)( n );
2072
2073 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2074 i += n; crt = crt->next;
2075 }
2076
2077 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2078 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2079 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2080
2081 ssl->out_msglen = i;
2082 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2083 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2084
2085write_msg:
2086
2087 ssl->state++;
2088
2089 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2090 {
2091 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2092 return( ret );
2093 }
2094
2095 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2096
2097 return( 0 );
2098}
2099
2100int ssl_parse_certificate( ssl_context *ssl )
2101{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2102 int ret;
2103 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2104
2105 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2106
2107 if( ssl->endpoint == SSL_IS_SERVER &&
2108 ssl->authmode == SSL_VERIFY_NONE )
2109 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2110 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2111 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2112 ssl->state++;
2113 return( 0 );
2114 }
2115
2116 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2117 {
2118 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2119 return( ret );
2120 }
2121
2122 ssl->state++;
2123
2124 /*
2125 * Check if the client sent an empty certificate
2126 */
2127 if( ssl->endpoint == SSL_IS_SERVER &&
2128 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2129 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2130 if( ssl->in_msglen == 2 &&
2131 ssl->in_msgtype == SSL_MSG_ALERT &&
2132 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2133 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2134 {
2135 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2136
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2137 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2138 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2139 return( 0 );
2140 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2141 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2142 }
2143 }
2144
2145 if( ssl->endpoint == SSL_IS_SERVER &&
2146 ssl->minor_ver != SSL_MINOR_VERSION_0 )
2147 {
2148 if( ssl->in_hslen == 7 &&
2149 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2150 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2151 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2152 {
2153 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2154
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]2155 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2157 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2158 else
2159 return( 0 );
2160 }
2161 }
2162
2163 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2164 {
2165 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2166 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2167 }
2168
2169 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2170 {
2171 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2172 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2173 }
2174
2175 /*
2176 * Same message structure as in ssl_write_certificate()
2177 */
2178 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2179
2180 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2181 {
2182 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2183 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2184 }
2185
2186 if( ( ssl->peer_cert = (x509_cert *) malloc(
2187 sizeof( x509_cert ) ) ) == NULL )
2188 {
2189 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2190 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2191 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2192 }
2193
2194 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2195
2196 i = 7;
2197
2198 while( i < ssl->in_hslen )
2199 {
2200 if( ssl->in_msg[i] != 0 )
2201 {
2202 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2203 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204 }
2205
2206 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2207 | (unsigned int) ssl->in_msg[i + 2];
2208 i += 3;
2209
2210 if( n < 128 || i + n > ssl->in_hslen )
2211 {
2212 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2213 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2214 }
2215
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2216 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2217 if( ret != 0 )
2218 {
2219 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2220 return( ret );
2221 }
2222
2223 i += n;
2224 }
2225
2226 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
2227
2228 if( ssl->authmode != SSL_VERIFY_NONE )
2229 {
2230 if( ssl->ca_chain == NULL )
2231 {
2232 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2233 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2234 }
2235
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2236 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2237 ssl->peer_cn, &ssl->verify_result,
2238 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2239
2240 if( ret != 0 )
2241 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2242
2243 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2244 ret = 0;
2245 }
2246
2247 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2248
2249 return( ret );
2250}
2251
2252int ssl_write_change_cipher_spec( ssl_context *ssl )
2253{
2254 int ret;
2255
2256 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2257
2258 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2259 ssl->out_msglen = 1;
2260 ssl->out_msg[0] = 1;
2261
2262 ssl->do_crypt = 0;
2263 ssl->state++;
2264
2265 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2266 {
2267 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2268 return( ret );
2269 }
2270
2271 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2272
2273 return( 0 );
2274}
2275
2276int ssl_parse_change_cipher_spec( ssl_context *ssl )
2277{
2278 int ret;
2279
2280 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2281
2282 ssl->do_crypt = 0;
2283
2284 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2285 {
2286 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2287 return( ret );
2288 }
2289
2290 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2291 {
2292 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2293 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2294 }
2295
2296 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2297 {
2298 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2299 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2300 }
2301
2302 ssl->state++;
2303
2304 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2305
2306 return( 0 );
2307}
2308
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2309void ssl_kickstart_checksum( ssl_context *ssl, int ciphersuite,
2310 unsigned char *input_buf, size_t len )
2311{
2312 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2313 {
2314 md5_starts( (md5_context *) ssl->ctx_checksum );
2315 sha1_starts( (sha1_context *) ( ssl->ctx_checksum +
2316 sizeof(md5_context) ) );
2317
2318 ssl->update_checksum = ssl_update_checksum_md5sha1;
2319 }
2320 else if ( ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
2321 ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
2322 {
2323 sha4_starts( (sha4_context *) ssl->ctx_checksum, 1 );
2324 ssl->update_checksum = ssl_update_checksum_sha384;
2325 }
2326 else
2327 {
2328 sha2_starts( (sha2_context *) ssl->ctx_checksum, 0 );
2329 ssl->update_checksum = ssl_update_checksum_sha256;
2330 }
2331
2332 if( ssl->endpoint == SSL_IS_CLIENT )
2333 ssl->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2334 ssl->update_checksum( ssl, input_buf, len );
2335}
2336
2337static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2338 size_t len )
2339{
2340 ((void) ssl);
2341 ((void) buf);
2342 ((void) len);
2343}
2344
2345static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2346 size_t len )
2347{
2348 md5_update( (md5_context *) ssl->ctx_checksum, buf, len );
2349 sha1_update( (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2350 buf, len );
2351}
2352
2353static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2354 size_t len )
2355{
2356 sha2_update( (sha2_context *) ssl->ctx_checksum, buf, len );
2357}
2358
2359static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2360 size_t len )
2361{
2362 sha4_update( (sha4_context *) ssl->ctx_checksum, buf, len );
2363}
2364
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2365static void ssl_calc_finished_ssl(
2366 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2367{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2368 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2369 md5_context md5;
2370 sha1_context sha1;
2371
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2372 unsigned char padbuf[48];
2373 unsigned char md5sum[16];
2374 unsigned char sha1sum[20];
2375
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2376 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2377
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2378 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2379 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2380 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2381
2382 /*
2383 * SSLv3:
2384 * hash =
2385 * MD5( master + pad2 +
2386 * MD5( handshake + sender + master + pad1 ) )
2387 * + SHA1( master + pad2 +
2388 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2389 */
2390
2391 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2392 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2393
2394 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2395 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2396
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2397 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2398 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2399
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2400 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2401
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2402 md5_update( &md5, (unsigned char *) sender, 4 );
2403 md5_update( &md5, ssl->session->master, 48 );
2404 md5_update( &md5, padbuf, 48 );
2405 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2406
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2407 sha1_update( &sha1, (unsigned char *) sender, 4 );
2408 sha1_update( &sha1, ssl->session->master, 48 );
2409 sha1_update( &sha1, padbuf, 40 );
2410 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2411
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2412 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2413
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2414 md5_starts( &md5 );
2415 md5_update( &md5, ssl->session->master, 48 );
2416 md5_update( &md5, padbuf, 48 );
2417 md5_update( &md5, md5sum, 16 );
2418 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2419
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2420 sha1_starts( &sha1 );
2421 sha1_update( &sha1, ssl->session->master, 48 );
2422 sha1_update( &sha1, padbuf , 40 );
2423 sha1_update( &sha1, sha1sum, 20 );
2424 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2425
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2426 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2427
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2428 memset( &md5, 0, sizeof( md5_context ) );
2429 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2430
2431 memset( padbuf, 0, sizeof( padbuf ) );
2432 memset( md5sum, 0, sizeof( md5sum ) );
2433 memset( sha1sum, 0, sizeof( sha1sum ) );
2434
2435 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2436}
2437
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2438static void ssl_calc_finished_tls(
2439 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2440{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2441 int len = 12;
2442 char *sender;
2443 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2444 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2445 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2446
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2447 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2448
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2449 memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2450 memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2451 sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2452
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2453 /*
2454 * TLSv1:
2455 * hash = PRF( master, finished_label,
2456 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2457 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2458
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2459 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2460 md5.state, sizeof( md5.state ) );
2461
2462 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2463 sha1.state, sizeof( sha1.state ) );
2464
2465 sender = ( from == SSL_IS_CLIENT )
2466 ? (char *) "client finished"
2467 : (char *) "server finished";
2468
2469 md5_finish( &md5, padbuf );
2470 sha1_finish( &sha1, padbuf + 16 );
2471
2472 ssl->tls_prf( ssl->session->master, 48, sender,
2473 padbuf, 36, buf, len );
2474
2475 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2476
2477 memset( &md5, 0, sizeof( md5_context ) );
2478 memset( &sha1, 0, sizeof( sha1_context ) );
2479
2480 memset( padbuf, 0, sizeof( padbuf ) );
2481
2482 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2483}
2484
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2485static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2486 ssl_context *ssl, unsigned char *buf, int from )
2487{
2488 int len = 12;
2489 char *sender;
2490 sha2_context sha2;
2491 unsigned char padbuf[32];
2492
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2493 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2494
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2495 memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2496
2497 /*
2498 * TLSv1.2:
2499 * hash = PRF( master, finished_label,
2500 * Hash( handshake ) )[0.11]
2501 */
2502
2503 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2504 sha2.state, sizeof( sha2.state ) );
2505
2506 sender = ( from == SSL_IS_CLIENT )
2507 ? (char *) "client finished"
2508 : (char *) "server finished";
2509
2510 sha2_finish( &sha2, padbuf );
2511
2512 ssl->tls_prf( ssl->session->master, 48, sender,
2513 padbuf, 32, buf, len );
2514
2515 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2516
2517 memset( &sha2, 0, sizeof( sha2_context ) );
2518
2519 memset( padbuf, 0, sizeof( padbuf ) );
2520
2521 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2522}
2523
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2524static void ssl_calc_finished_tls_sha384(
2525 ssl_context *ssl, unsigned char *buf, int from )
2526{
2527 int len = 12;
2528 char *sender;
2529 sha4_context sha4;
2530 unsigned char padbuf[48];
2531
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2532 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2533
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2534 memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2535
2536 /*
2537 * TLSv1.2:
2538 * hash = PRF( master, finished_label,
2539 * Hash( handshake ) )[0.11]
2540 */
2541
2542 SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2543 sha4.state, sizeof( sha4.state ) );
2544
2545 sender = ( from == SSL_IS_CLIENT )
2546 ? (char *) "client finished"
2547 : (char *) "server finished";
2548
2549 sha4_finish( &sha4, padbuf );
2550
2551 ssl->tls_prf( ssl->session->master, 48, sender,
2552 padbuf, 48, buf, len );
2553
2554 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2555
2556 memset( &sha4, 0, sizeof( sha4_context ) );
2557
2558 memset( padbuf, 0, sizeof( padbuf ) );
2559
2560 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2561}
2562
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2563int ssl_write_finished( ssl_context *ssl )
2564{
2565 int ret, hash_len;
2566
2567 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2568
2569 ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2570
2571 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2572 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2573
2574 ssl->out_msglen = 4 + hash_len;
2575 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2576 ssl->out_msg[0] = SSL_HS_FINISHED;
2577
2578 /*
2579 * In case of session resuming, invert the client and server
2580 * ChangeCipherSpec messages order.
2581 */
2582 if( ssl->resume != 0 )
2583 {
2584 if( ssl->endpoint == SSL_IS_CLIENT )
2585 ssl->state = SSL_HANDSHAKE_OVER;
2586 else
2587 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2588 }
2589 else
2590 ssl->state++;
2591
2592 ssl->do_crypt = 1;
2593
2594 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2595 {
2596 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2597 return( ret );
2598 }
2599
2600 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2601
2602 return( 0 );
2603}
2604
2605int ssl_parse_finished( ssl_context *ssl )
2606{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2607 int ret;
2608 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2609 unsigned char buf[36];
2610
2611 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2612
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2613 ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2614
2615 ssl->do_crypt = 1;
2616
2617 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2618 {
2619 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2620 return( ret );
2621 }
2622
2623 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2624 {
2625 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2626 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2627 }
2628
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2629 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2630 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2631
2632 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2633 ssl->in_hslen != 4 + hash_len )
2634 {
2635 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2636 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2637 }
2638
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2639 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2640 {
2641 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2642 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2643 }
2644
2645 if( ssl->resume != 0 )
2646 {
2647 if( ssl->endpoint == SSL_IS_CLIENT )
2648 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2649
2650 if( ssl->endpoint == SSL_IS_SERVER )
2651 ssl->state = SSL_HANDSHAKE_OVER;
2652 }
2653 else
2654 ssl->state++;
2655
2656 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2657
2658 return( 0 );
2659}
2660
2661/*
2662 * Initialize an SSL context
2663 */
2664int ssl_init( ssl_context *ssl )
2665{
2666 int len = SSL_BUFFER_LEN;
2667
2668 memset( ssl, 0, sizeof( ssl_context ) );
2669
2670 ssl->in_ctr = (unsigned char *) malloc( len );
2671 ssl->in_hdr = ssl->in_ctr + 8;
2672 ssl->in_msg = ssl->in_ctr + 13;
2673
2674 if( ssl->in_ctr == NULL )
2675 {
2676 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2677 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2678 }
2679
2680 ssl->out_ctr = (unsigned char *) malloc( len );
2681 ssl->out_hdr = ssl->out_ctr + 8;
Paul Bakker186751d2012-05-08 13:16:14 +0000[diff] [blame]2682 ssl->out_msg = ssl->out_ctr + 40;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2683
2684 if( ssl->out_ctr == NULL )
2685 {
2686 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2687 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2688 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2689 }
2690
2691 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2692 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2693
2694 ssl->hostname = NULL;
2695 ssl->hostname_len = 0;
2696
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2697 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2698
2699 return( 0 );
2700}
2701
2702/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2703 * Reset an initialized and used SSL context for re-use while retaining
2704 * all application-set variables, function pointers and data.
2705 */
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2706int ssl_session_reset( ssl_context *ssl )
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2707{
2708 ssl->state = SSL_HELLO_REQUEST;
2709
2710 ssl->in_offt = NULL;
2711
2712 ssl->in_msgtype = 0;
2713 ssl->in_msglen = 0;
2714 ssl->in_left = 0;
2715
2716 ssl->in_hslen = 0;
2717 ssl->nb_zero = 0;
2718
2719 ssl->out_msgtype = 0;
2720 ssl->out_msglen = 0;
2721 ssl->out_left = 0;
2722
2723 ssl->do_crypt = 0;
2724 ssl->pmslen = 0;
2725 ssl->keylen = 0;
2726 ssl->minlen = 0;
2727 ssl->ivlen = 0;
2728 ssl->maclen = 0;
2729
2730 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2731 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2732 memset( ssl->randbytes, 0, 64 );
2733 memset( ssl->premaster, 0, 256 );
2734 memset( ssl->iv_enc, 0, 16 );
2735 memset( ssl->iv_dec, 0, 16 );
2736 memset( ssl->mac_enc, 0, 32 );
2737 memset( ssl->mac_dec, 0, 32 );
2738 memset( ssl->ctx_enc, 0, 128 );
2739 memset( ssl->ctx_dec, 0, 128 );
2740
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]2741 ssl->update_checksum = ssl_update_checksum_start;
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2742
2743#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2744 if( ssl_hw_record_reset != NULL)
2745 {
2746 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2747 if( ssl_hw_record_reset( ssl ) != 0 )
2748 {
2749 SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
2750 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2751 }
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]2752 }
2753#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]2754
2755#if defined(POLARSSL_ZLIB_SUPPORT)
2756 // Reset compression state
2757 //
2758 if( ssl->session->compression == SSL_COMPRESS_DEFLATE )
2759 {
2760 ssl->ctx_deflate.next_in = Z_NULL;
2761 ssl->ctx_deflate.next_out = Z_NULL;
2762 ssl->ctx_deflate.avail_in = 0;
2763 ssl->ctx_deflate.avail_out = 0;
2764
2765 ssl->ctx_inflate.next_in = Z_NULL;
2766 ssl->ctx_inflate.next_out = Z_NULL;
2767 ssl->ctx_inflate.avail_in = 0;
2768 ssl->ctx_inflate.avail_out = 0;
2769
2770 if( deflateReset( &ssl->ctx_deflate ) != Z_OK ||
2771 inflateReset( &ssl->ctx_inflate ) != Z_OK )
2772 {
2773 SSL_DEBUG_MSG( 1, ( "Failed to reset compression" ) );
2774 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
2775 }
2776 }
2777#endif /* POLARSSL_ZLIB_SUPPORT */
2778
2779 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2780}
2781
2782/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2783 * SSL set accessors
2784 */
2785void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2786{
2787 ssl->endpoint = endpoint;
2788}
2789
2790void ssl_set_authmode( ssl_context *ssl, int authmode )
2791{
2792 ssl->authmode = authmode;
2793}
2794
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2795void ssl_set_verify( ssl_context *ssl,
2796 int (*f_vrfy)(void *, x509_cert *, int, int),
2797 void *p_vrfy )
2798{
2799 ssl->f_vrfy = f_vrfy;
2800 ssl->p_vrfy = p_vrfy;
2801}
2802
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2803void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2804 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2805 void *p_rng )
2806{
2807 ssl->f_rng = f_rng;
2808 ssl->p_rng = p_rng;
2809}
2810
2811void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2812 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2813 void *p_dbg )
2814{
2815 ssl->f_dbg = f_dbg;
2816 ssl->p_dbg = p_dbg;
2817}
2818
2819void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2820 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2821 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2822{
2823 ssl->f_recv = f_recv;
2824 ssl->f_send = f_send;
2825 ssl->p_recv = p_recv;
2826 ssl->p_send = p_send;
2827}
2828
2829void ssl_set_scb( ssl_context *ssl,
2830 int (*s_get)(ssl_context *),
2831 int (*s_set)(ssl_context *) )
2832{
2833 ssl->s_get = s_get;
2834 ssl->s_set = s_set;
2835}
2836
2837void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2838 ssl_session *session )
2839{
2840 ssl->resume = resume;
2841 ssl->timeout = timeout;
2842 ssl->session = session;
2843}
2844
Paul Bakkerb68cad62012-08-23 08:34:18 +0000[diff] [blame]2845void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2846{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2847 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2848}
2849
2850void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2851 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2852{
2853 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2854 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2855 ssl->peer_cn = peer_cn;
2856}
2857
2858void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2859 rsa_context *rsa_key )
2860{
2861 ssl->own_cert = own_cert;
2862 ssl->rsa_key = rsa_key;
2863}
2864
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]2865#if defined(POLARSSL_PKCS11_C)
2866void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
2867 pkcs11_context *pkcs11_key )
2868{
2869 ssl->own_cert = own_cert;
2870 ssl->pkcs11_key = pkcs11_key;
2871}
2872#endif
2873
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2874int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2875{
2876 int ret;
2877
2878 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2879 {
2880 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2881 return( ret );
2882 }
2883
2884 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2885 {
2886 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2887 return( ret );
2888 }
2889
2890 return( 0 );
2891}
2892
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2893int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
2894{
2895 int ret;
2896
2897 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2898 {
2899 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2900 return( ret );
2901 }
2902
2903 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2904 {
2905 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2906 return( ret );
2907 }
2908
2909 return( 0 );
2910}
2911
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2912int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2913{
2914 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2915 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2916
2917 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2918 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2919
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2920 if( ssl->hostname == NULL )
2921 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2922
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2923 memcpy( ssl->hostname, (unsigned char *) hostname,
2924 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2925
2926 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2927
2928 return( 0 );
2929}
2930
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2931void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2932{
2933 ssl->max_major_ver = major;
2934 ssl->max_minor_ver = minor;
2935}
2936
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2937/*
2938 * SSL get accessors
2939 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2940size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2941{
2942 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2943}
2944
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2945int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2946{
2947 return( ssl->verify_result );
2948}
2949
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2950const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2951{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2952 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2953 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2954#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2955 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2956 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2957
2958 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2959 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2960#endif
2961
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2962#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2963 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2964 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2965
2966 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2967 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2968#endif
2969
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2970#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2971 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2972 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2973
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2974 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2975 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2976
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2977 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2978 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2979
2980 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2981 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2982
2983#if defined(POLARSSL_SHA2_C)
2984 case SSL_RSA_AES_128_SHA256:
2985 return( "SSL-RSA-AES-128-SHA256" );
2986
2987 case SSL_EDH_RSA_AES_128_SHA256:
2988 return( "SSL-EDH-RSA-AES-128-SHA256" );
2989
2990 case SSL_RSA_AES_256_SHA256:
2991 return( "SSL-RSA-AES-256-SHA256" );
2992
2993 case SSL_EDH_RSA_AES_256_SHA256:
2994 return( "SSL-EDH-RSA-AES-256-SHA256" );
2995#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2996
2997#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2998 case SSL_RSA_AES_128_GCM_SHA256:
2999 return( "SSL-RSA-AES-128-GCM-SHA256" );
3000
3001 case SSL_EDH_RSA_AES_128_GCM_SHA256:
3002 return( "SSL-EDH-RSA-AES-128-GCM-SHA256" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3003#endif
3004
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3005#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3006 case SSL_RSA_AES_256_GCM_SHA384:
3007 return( "SSL-RSA-AES-256-GCM-SHA384" );
3008
3009 case SSL_EDH_RSA_AES_256_GCM_SHA384:
3010 return( "SSL-EDH-RSA-AES-256-GCM-SHA384" );
3011#endif
3012#endif /* POLARSSL_AES_C */
3013
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3014#if defined(POLARSSL_CAMELLIA_C)
3015 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3016 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3017
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]3018 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3019 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]3020
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3021 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3022 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3023
3024 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3025 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3026
3027#if defined(POLARSSL_SHA2_C)
3028 case SSL_RSA_CAMELLIA_128_SHA256:
3029 return( "SSL-RSA-CAMELLIA-128-SHA256" );
3030
3031 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
3032 return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
3033
3034 case SSL_RSA_CAMELLIA_256_SHA256:
3035 return( "SSL-RSA-CAMELLIA-256-SHA256" );
3036
3037 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
3038 return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
3039#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3040#endif
3041
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]3042#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3043#if defined(POLARSSL_CIPHER_NULL_CIPHER)
3044 case SSL_RSA_NULL_MD5:
3045 return( "SSL-RSA-NULL-MD5" );
3046 case SSL_RSA_NULL_SHA:
3047 return( "SSL-RSA-NULL-SHA" );
3048 case SSL_RSA_NULL_SHA256:
3049 return( "SSL-RSA-NULL-SHA256" );
3050#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3051
3052#if defined(POLARSSL_DES_C)
3053 case SSL_RSA_DES_SHA:
3054 return( "SSL-RSA-DES-SHA" );
3055 case SSL_EDH_RSA_DES_SHA:
3056 return( "SSL-EDH-RSA-DES-SHA" );
3057#endif
3058#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3059
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3060 default:
3061 break;
3062 }
3063
3064 return( "unknown" );
3065}
3066
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3067int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3068{
3069#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3070 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3071 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3072 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3073 return( SSL_RSA_RC4_128_SHA );
3074#endif
3075
3076#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3077 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3078 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3079 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3080 return( SSL_EDH_RSA_DES_168_SHA );
3081#endif
3082
3083#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3084 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3085 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3086 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3087 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3088 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3089 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3090 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3091 return( SSL_EDH_RSA_AES_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3092
3093#if defined(POLARSSL_SHA2_C)
3094 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
3095 return( SSL_RSA_AES_128_SHA256 );
3096 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
3097 return( SSL_EDH_RSA_AES_128_SHA256 );
3098 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
3099 return( SSL_RSA_AES_256_SHA256 );
3100 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
3101 return( SSL_EDH_RSA_AES_256_SHA256 );
3102#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3103
3104#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3105 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-GCM-SHA256"))
3106 return( SSL_RSA_AES_128_GCM_SHA256 );
3107 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-GCM-SHA256"))
3108 return( SSL_EDH_RSA_AES_128_GCM_SHA256 );
3109#endif
3110
3111#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3112 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-GCM-SHA384"))
3113 return( SSL_RSA_AES_256_GCM_SHA384 );
3114 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-GCM-SHA384"))
3115 return( SSL_EDH_RSA_AES_256_GCM_SHA384 );
3116#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3117#endif
3118
3119#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3120 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3121 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3122 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3123 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3124 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3125 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3126 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3127 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3128
3129#if defined(POLARSSL_SHA2_C)
3130 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
3131 return( SSL_RSA_CAMELLIA_128_SHA256 );
3132 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
3133 return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
3134 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
3135 return( SSL_RSA_CAMELLIA_256_SHA256 );
3136 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
3137 return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
3138#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3139#endif
3140
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]3141#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3142#if defined(POLARSSL_CIPHER_NULL_CIPHER)
3143 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
3144 return( SSL_RSA_NULL_MD5 );
3145 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
3146 return( SSL_RSA_NULL_SHA );
3147 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
3148 return( SSL_RSA_NULL_SHA256 );
3149#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3150
3151#if defined(POLARSSL_DES_C)
3152 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
3153 return( SSL_RSA_DES_SHA );
3154 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
3155 return( SSL_EDH_RSA_DES_SHA );
3156#endif
3157#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3158
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3159 return( 0 );
3160}
3161
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3162const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3163{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]3164 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]3165}
3166
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]3167const char *ssl_get_version( const ssl_context *ssl )
3168{
3169 switch( ssl->minor_ver )
3170 {
3171 case SSL_MINOR_VERSION_0:
3172 return( "SSLv3.0" );
3173
3174 case SSL_MINOR_VERSION_1:
3175 return( "TLSv1.0" );
3176
3177 case SSL_MINOR_VERSION_2:
3178 return( "TLSv1.1" );
3179
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3180 case SSL_MINOR_VERSION_3:
3181 return( "TLSv1.2" );
3182
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]3183 default:
3184 break;
3185 }
3186 return( "unknown" );
3187}
3188
Paul Bakkerb68cad62012-08-23 08:34:18 +0000[diff] [blame]3189const int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3190{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3191#if defined(POLARSSL_DHM_C)
3192#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3193#if defined(POLARSSL_SHA2_C)
3194 SSL_EDH_RSA_AES_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3195#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3196#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3197 SSL_EDH_RSA_AES_256_GCM_SHA384,
3198#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3199 SSL_EDH_RSA_AES_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3200#if defined(POLARSSL_SHA2_C)
3201 SSL_EDH_RSA_AES_128_SHA256,
3202#endif
3203#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3204 SSL_EDH_RSA_AES_128_GCM_SHA256,
3205#endif
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3206 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3207#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3208#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3209#if defined(POLARSSL_SHA2_C)
3210 SSL_EDH_RSA_CAMELLIA_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3211#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3212 SSL_EDH_RSA_CAMELLIA_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3213#if defined(POLARSSL_SHA2_C)
3214 SSL_EDH_RSA_CAMELLIA_128_SHA256,
3215#endif /* POLARSSL_SHA2_C */
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3216 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3217#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3218#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3219 SSL_EDH_RSA_DES_168_SHA,
3220#endif
3221#endif
3222
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3223#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3224#if defined(POLARSSL_SHA2_C)
3225 SSL_RSA_AES_256_SHA256,
3226#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3227#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3228 SSL_RSA_AES_256_GCM_SHA384,
3229#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3230 SSL_RSA_AES_256_SHA,
3231#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3232#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3233#if defined(POLARSSL_SHA2_C)
3234 SSL_RSA_CAMELLIA_256_SHA256,
3235#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]3236 SSL_RSA_CAMELLIA_256_SHA,
3237#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3238#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3239#if defined(POLARSSL_SHA2_C)
3240 SSL_RSA_AES_128_SHA256,
3241#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3242#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3243 SSL_RSA_AES_128_GCM_SHA256,
3244#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3245 SSL_RSA_AES_128_SHA,
3246#endif
3247#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]3248#if defined(POLARSSL_SHA2_C)
3249 SSL_RSA_CAMELLIA_128_SHA256,
3250#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]3251 SSL_RSA_CAMELLIA_128_SHA,
3252#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3253#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3254 SSL_RSA_DES_168_SHA,
3255#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3256#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3257 SSL_RSA_RC4_128_SHA,
3258 SSL_RSA_RC4_128_MD5,
3259#endif
3260 0
3261};
3262
3263/*
3264 * Perform the SSL handshake
3265 */
3266int ssl_handshake( ssl_context *ssl )
3267{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3268 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3269
3270 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3271
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3272#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3273 if( ssl->endpoint == SSL_IS_CLIENT )
3274 ret = ssl_handshake_client( ssl );
3275#endif
3276
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3277#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3278 if( ssl->endpoint == SSL_IS_SERVER )
3279 ret = ssl_handshake_server( ssl );
3280#endif
3281
3282 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3283
3284 return( ret );
3285}
3286
3287/*
3288 * Receive application data decrypted from the SSL layer
3289 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3290int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3291{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3292 int ret;
3293 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3294
3295 SSL_DEBUG_MSG( 2, ( "=> read" ) );
3296
3297 if( ssl->state != SSL_HANDSHAKE_OVER )
3298 {
3299 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3300 {
3301 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3302 return( ret );
3303 }
3304 }
3305
3306 if( ssl->in_offt == NULL )
3307 {
3308 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3309 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3310 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3311 return( 0 );
3312
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3313 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3314 return( ret );
3315 }
3316
3317 if( ssl->in_msglen == 0 &&
3318 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3319 {
3320 /*
3321 * OpenSSL sends empty messages to randomize the IV
3322 */
3323 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3324 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]3325 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3326 return( 0 );
3327
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3328 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3329 return( ret );
3330 }
3331 }
3332
3333 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3334 {
3335 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3336 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3337 }
3338
3339 ssl->in_offt = ssl->in_msg;
3340 }
3341
3342 n = ( len < ssl->in_msglen )
3343 ? len : ssl->in_msglen;
3344
3345 memcpy( buf, ssl->in_offt, n );
3346 ssl->in_msglen -= n;
3347
3348 if( ssl->in_msglen == 0 )
3349 /* all bytes consumed */
3350 ssl->in_offt = NULL;
3351 else
3352 /* more data available */
3353 ssl->in_offt += n;
3354
3355 SSL_DEBUG_MSG( 2, ( "<= read" ) );
3356
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3357 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3358}
3359
3360/*
3361 * Send application data to be encrypted by the SSL layer
3362 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3363int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3364{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3365 int ret;
3366 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3367
3368 SSL_DEBUG_MSG( 2, ( "=> write" ) );
3369
3370 if( ssl->state != SSL_HANDSHAKE_OVER )
3371 {
3372 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3373 {
3374 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3375 return( ret );
3376 }
3377 }
3378
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3379 n = ( len < SSL_MAX_CONTENT_LEN )
3380 ? len : SSL_MAX_CONTENT_LEN;
3381
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3382 if( ssl->out_left != 0 )
3383 {
3384 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3385 {
3386 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3387 return( ret );
3388 }
3389 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3390 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]3391 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]3392 ssl->out_msglen = n;
3393 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3394 memcpy( ssl->out_msg, buf, n );
3395
3396 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3397 {
3398 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3399 return( ret );
3400 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3401 }
3402
3403 SSL_DEBUG_MSG( 2, ( "<= write" ) );
3404
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3405 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3406}
3407
3408/*
3409 * Notify the peer that the connection is being closed
3410 */
3411int ssl_close_notify( ssl_context *ssl )
3412{
3413 int ret;
3414
3415 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3416
3417 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3418 {
3419 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3420 return( ret );
3421 }
3422
3423 if( ssl->state == SSL_HANDSHAKE_OVER )
3424 {
3425 ssl->out_msgtype = SSL_MSG_ALERT;
3426 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]3427 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
3428 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3429
3430 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3431 {
3432 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3433 return( ret );
3434 }
3435 }
3436
3437 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3438
3439 return( ret );
3440}
3441
3442/*
3443 * Free an SSL context
3444 */
3445void ssl_free( ssl_context *ssl )
3446{
3447 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3448
3449 if( ssl->peer_cert != NULL )
3450 {
3451 x509_free( ssl->peer_cert );
3452 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
3453 free( ssl->peer_cert );
3454 }
3455
3456 if( ssl->out_ctr != NULL )
3457 {
3458 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3459 free( ssl->out_ctr );
3460 }
3461
3462 if( ssl->in_ctr != NULL )
3463 {
3464 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3465 free( ssl->in_ctr );
3466 }
3467
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3468#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3469 dhm_free( &ssl->dhm_ctx );
3470#endif
3471
3472 if ( ssl->hostname != NULL)
3473 {
3474 memset( ssl->hostname, 0, ssl->hostname_len );
3475 free( ssl->hostname );
3476 ssl->hostname_len = 0;
3477 }
3478
Paul Bakker05ef8352012-05-08 09:17:57 +0000[diff] [blame]3479#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3480 if( ssl_hw_record_finish != NULL )
3481 {
3482 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3483 ssl_hw_record_finish( ssl );
3484 }
3485#endif
3486
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]3487#if defined(POLARSSL_ZLIB_SUPPORT)
3488 deflateEnd( &ssl->ctx_deflate );
3489 inflateEnd( &ssl->ctx_inflate );
3490#endif
3491
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3492 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]3493
3494 /* Actually free after last debug message */
3495 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3496}
3497
3498#endif