blob: cea90eb778b5793c017226e1e7c8330741322bca [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakker68884e32013-01-07 18:20:04 +01004 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +000034#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000035
Paul Bakker40e46942009-01-03 21:51:57 +000036#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000037
Paul Bakker40e46942009-01-03 21:51:57 +000038#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +000040#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +000041#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000044
Paul Bakkerca4ab492012-04-18 14:23:57 +000045#if defined(POLARSSL_GCM_C)
46#include "polarssl/gcm.h"
47#endif
48
Paul Bakker6e339b52013-07-03 13:37:05 +020049#if defined(POLARSSL_MEMORY_C)
50#include "polarssl/memory.h"
51#else
52#define polarssl_malloc malloc
53#define polarssl_free free
54#endif
55
Paul Bakker5121ce52009-01-03 21:22:43 +000056#include <stdlib.h>
Paul Bakker5121ce52009-01-03 21:22:43 +000057
Paul Bakkeraf5c85f2011-04-18 03:47:52 +000058#if defined _MSC_VER && !defined strcasecmp
59#define strcasecmp _stricmp
60#endif
61
Paul Bakker05ef8352012-05-08 09:17:57 +000062#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
63int (*ssl_hw_record_init)(ssl_context *ssl,
64 const unsigned char *key_enc, const unsigned char *key_dec,
Paul Bakker07eb38b2012-12-19 14:42:06 +010065 size_t keylen,
Paul Bakker05ef8352012-05-08 09:17:57 +000066 const unsigned char *iv_enc, const unsigned char *iv_dec,
Paul Bakker07eb38b2012-12-19 14:42:06 +010067 size_t ivlen,
68 const unsigned char *mac_enc, const unsigned char *mac_dec,
69 size_t maclen) = NULL;
70int (*ssl_hw_record_activate)(ssl_context *ssl, int direction) = NULL;
Paul Bakker05ef8352012-05-08 09:17:57 +000071int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
72int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
73int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
74int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
75#endif
76
Paul Bakkered27a042013-04-18 22:46:23 +020077#if defined(POLARSSL_RSA_C)
Paul Bakkereb2c6582012-09-27 19:15:01 +000078static int ssl_rsa_decrypt( void *ctx, int mode, size_t *olen,
79 const unsigned char *input, unsigned char *output,
80 size_t output_max_len )
81{
82 return rsa_pkcs1_decrypt( (rsa_context *) ctx, mode, olen, input, output,
83 output_max_len );
84}
85
86static int ssl_rsa_sign( void *ctx,
87 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
88 int mode, int hash_id, unsigned int hashlen,
89 const unsigned char *hash, unsigned char *sig )
90{
91 return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
92 hashlen, hash, sig );
93}
94
95static size_t ssl_rsa_key_len( void *ctx )
96{
97 return ( (rsa_context *) ctx )->len;
98}
Paul Bakkered27a042013-04-18 22:46:23 +020099#endif /* POLARSSL_RSA_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +0000100
Paul Bakker5121ce52009-01-03 21:22:43 +0000101/*
102 * Key material generation
103 */
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200104static int ssl3_prf( const unsigned char *secret, size_t slen,
105 const char *label,
106 const unsigned char *random, size_t rlen,
Paul Bakker5f70b252012-09-13 14:23:06 +0000107 unsigned char *dstbuf, size_t dlen )
108{
109 size_t i;
110 md5_context md5;
111 sha1_context sha1;
112 unsigned char padding[16];
113 unsigned char sha1sum[20];
114 ((void)label);
115
116 /*
117 * SSLv3:
118 * block =
119 * MD5( secret + SHA1( 'A' + secret + random ) ) +
120 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
121 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
122 * ...
123 */
124 for( i = 0; i < dlen / 16; i++ )
125 {
126 memset( padding, 'A' + i, 1 + i );
127
128 sha1_starts( &sha1 );
129 sha1_update( &sha1, padding, 1 + i );
130 sha1_update( &sha1, secret, slen );
131 sha1_update( &sha1, random, rlen );
132 sha1_finish( &sha1, sha1sum );
133
134 md5_starts( &md5 );
135 md5_update( &md5, secret, slen );
136 md5_update( &md5, sha1sum, 20 );
137 md5_finish( &md5, dstbuf + i * 16 );
138 }
139
140 memset( &md5, 0, sizeof( md5 ) );
141 memset( &sha1, 0, sizeof( sha1 ) );
142
143 memset( padding, 0, sizeof( padding ) );
144 memset( sha1sum, 0, sizeof( sha1sum ) );
145
146 return( 0 );
147}
148
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200149static int tls1_prf( const unsigned char *secret, size_t slen,
150 const char *label,
151 const unsigned char *random, size_t rlen,
Paul Bakker23986e52011-04-24 08:57:21 +0000152 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000153{
Paul Bakker23986e52011-04-24 08:57:21 +0000154 size_t nb, hs;
155 size_t i, j, k;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200156 const unsigned char *S1, *S2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000157 unsigned char tmp[128];
158 unsigned char h_i[20];
159
160 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000161 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000162
163 hs = ( slen + 1 ) / 2;
164 S1 = secret;
165 S2 = secret + slen - hs;
166
167 nb = strlen( label );
168 memcpy( tmp + 20, label, nb );
169 memcpy( tmp + 20 + nb, random, rlen );
170 nb += rlen;
171
172 /*
173 * First compute P_md5(secret,label+random)[0..dlen]
174 */
175 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
176
177 for( i = 0; i < dlen; i += 16 )
178 {
179 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
180 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
181
182 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
183
184 for( j = 0; j < k; j++ )
185 dstbuf[i + j] = h_i[j];
186 }
187
188 /*
189 * XOR out with P_sha1(secret,label+random)[0..dlen]
190 */
191 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
192
193 for( i = 0; i < dlen; i += 20 )
194 {
195 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
196 sha1_hmac( S2, hs, tmp, 20, tmp );
197
198 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
199
200 for( j = 0; j < k; j++ )
201 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
202 }
203
204 memset( tmp, 0, sizeof( tmp ) );
205 memset( h_i, 0, sizeof( h_i ) );
206
207 return( 0 );
208}
209
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200210static int tls_prf_sha256( const unsigned char *secret, size_t slen,
211 const char *label,
212 const unsigned char *random, size_t rlen,
Paul Bakker1ef83d62012-04-11 12:09:53 +0000213 unsigned char *dstbuf, size_t dlen )
214{
215 size_t nb;
216 size_t i, j, k;
217 unsigned char tmp[128];
218 unsigned char h_i[32];
219
220 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
221 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
222
223 nb = strlen( label );
224 memcpy( tmp + 32, label, nb );
225 memcpy( tmp + 32 + nb, random, rlen );
226 nb += rlen;
227
228 /*
229 * Compute P_<hash>(secret, label + random)[0..dlen]
230 */
Paul Bakker9e36f042013-06-30 14:34:05 +0200231 sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000232
233 for( i = 0; i < dlen; i += 32 )
234 {
Paul Bakker9e36f042013-06-30 14:34:05 +0200235 sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
236 sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000237
238 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
239
240 for( j = 0; j < k; j++ )
241 dstbuf[i + j] = h_i[j];
242 }
243
244 memset( tmp, 0, sizeof( tmp ) );
245 memset( h_i, 0, sizeof( h_i ) );
246
247 return( 0 );
248}
249
Paul Bakker9e36f042013-06-30 14:34:05 +0200250#if defined(POLARSSL_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200251static int tls_prf_sha384( const unsigned char *secret, size_t slen,
252 const char *label,
253 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000254 unsigned char *dstbuf, size_t dlen )
255{
256 size_t nb;
257 size_t i, j, k;
258 unsigned char tmp[128];
259 unsigned char h_i[48];
260
261 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
262 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
263
264 nb = strlen( label );
265 memcpy( tmp + 48, label, nb );
266 memcpy( tmp + 48 + nb, random, rlen );
267 nb += rlen;
268
269 /*
270 * Compute P_<hash>(secret, label + random)[0..dlen]
271 */
Paul Bakker9e36f042013-06-30 14:34:05 +0200272 sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000273
274 for( i = 0; i < dlen; i += 48 )
275 {
Paul Bakker9e36f042013-06-30 14:34:05 +0200276 sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
277 sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000278
279 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
280
281 for( j = 0; j < k; j++ )
282 dstbuf[i + j] = h_i[j];
283 }
284
285 memset( tmp, 0, sizeof( tmp ) );
286 memset( h_i, 0, sizeof( h_i ) );
287
288 return( 0 );
289}
Paul Bakker769075d2012-11-24 11:26:46 +0100290#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000291
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200292static void ssl_update_checksum_start(ssl_context *, const unsigned char *, size_t);
293static void ssl_update_checksum_md5sha1(ssl_context *, const unsigned char *, size_t);
294static void ssl_update_checksum_sha256(ssl_context *, const unsigned char *, size_t);
Paul Bakker380da532012-04-18 16:10:25 +0000295
296static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
297static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
298static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
Paul Bakker380da532012-04-18 16:10:25 +0000299
Paul Bakkerca4ab492012-04-18 14:23:57 +0000300static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
301static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
302static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
Paul Bakker769075d2012-11-24 11:26:46 +0100303
Paul Bakker9e36f042013-06-30 14:34:05 +0200304#if defined(POLARSSL_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200305static void ssl_update_checksum_sha384(ssl_context *, const unsigned char *, size_t);
Paul Bakker769075d2012-11-24 11:26:46 +0100306static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
Paul Bakkerca4ab492012-04-18 14:23:57 +0000307static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker769075d2012-11-24 11:26:46 +0100308#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000309
Paul Bakker5121ce52009-01-03 21:22:43 +0000310int ssl_derive_keys( ssl_context *ssl )
311{
Paul Bakker5121ce52009-01-03 21:22:43 +0000312 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000313 unsigned char keyblk[256];
314 unsigned char *key1;
315 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100316 unsigned char *mac_enc;
317 unsigned char *mac_dec;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000318 unsigned int iv_copy_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100319 const cipher_info_t *cipher_info;
320 const md_info_t *md_info;
321
Paul Bakker48916f92012-09-16 19:57:18 +0000322 ssl_session *session = ssl->session_negotiate;
323 ssl_transform *transform = ssl->transform_negotiate;
324 ssl_handshake_params *handshake = ssl->handshake;
Paul Bakker5121ce52009-01-03 21:22:43 +0000325
326 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
327
Paul Bakker68884e32013-01-07 18:20:04 +0100328 cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
329 if( cipher_info == NULL )
330 {
Paul Bakkerf7abd422013-04-16 13:15:56 +0200331 SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100332 transform->ciphersuite_info->cipher ) );
333 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
334 }
335
336 md_info = md_info_from_type( transform->ciphersuite_info->mac );
337 if( md_info == NULL )
338 {
Paul Bakkerf7abd422013-04-16 13:15:56 +0200339 SSL_DEBUG_MSG( 1, ( "md info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100340 transform->ciphersuite_info->mac ) );
341 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
342 }
343
Paul Bakker5121ce52009-01-03 21:22:43 +0000344 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000345 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000346 */
347 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000348 {
Paul Bakker48916f92012-09-16 19:57:18 +0000349 handshake->tls_prf = ssl3_prf;
350 handshake->calc_verify = ssl_calc_verify_ssl;
351 handshake->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000352 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000353 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000354 {
Paul Bakker48916f92012-09-16 19:57:18 +0000355 handshake->tls_prf = tls1_prf;
356 handshake->calc_verify = ssl_calc_verify_tls;
357 handshake->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000358 }
Paul Bakker9e36f042013-06-30 14:34:05 +0200359#if defined(POLARSSL_SHA512_C)
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100360 else if( transform->ciphersuite_info->mac ==
361 POLARSSL_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000362 {
Paul Bakker48916f92012-09-16 19:57:18 +0000363 handshake->tls_prf = tls_prf_sha384;
364 handshake->calc_verify = ssl_calc_verify_tls_sha384;
365 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000366 }
Paul Bakker769075d2012-11-24 11:26:46 +0100367#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +0000368 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000369 {
Paul Bakker48916f92012-09-16 19:57:18 +0000370 handshake->tls_prf = tls_prf_sha256;
371 handshake->calc_verify = ssl_calc_verify_tls_sha256;
372 handshake->calc_finished = ssl_calc_finished_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000373 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000374
375 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000376 * SSLv3:
377 * master =
378 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
379 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
380 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakkerf7abd422013-04-16 13:15:56 +0200381 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000382 * TLSv1:
383 * master = PRF( premaster, "master secret", randbytes )[0..47]
384 */
Paul Bakker0a597072012-09-25 21:55:46 +0000385 if( handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000386 {
Paul Bakker48916f92012-09-16 19:57:18 +0000387 SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
388 handshake->pmslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000389
Paul Bakker48916f92012-09-16 19:57:18 +0000390 handshake->tls_prf( handshake->premaster, handshake->pmslen,
391 "master secret",
392 handshake->randbytes, 64, session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000393
Paul Bakker48916f92012-09-16 19:57:18 +0000394 memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000395 }
396 else
397 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
398
399 /*
400 * Swap the client and server random values.
401 */
Paul Bakker48916f92012-09-16 19:57:18 +0000402 memcpy( tmp, handshake->randbytes, 64 );
403 memcpy( handshake->randbytes, tmp + 32, 32 );
404 memcpy( handshake->randbytes + 32, tmp, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000405 memset( tmp, 0, sizeof( tmp ) );
406
407 /*
408 * SSLv3:
409 * key block =
410 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
411 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
412 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
413 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
414 * ...
415 *
416 * TLSv1:
417 * key block = PRF( master, "key expansion", randbytes )
418 */
Paul Bakker48916f92012-09-16 19:57:18 +0000419 handshake->tls_prf( session->master, 48, "key expansion",
420 handshake->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000421
Paul Bakker48916f92012-09-16 19:57:18 +0000422 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
423 ssl_get_ciphersuite_name( session->ciphersuite ) ) );
424 SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
425 SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000426 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
427
Paul Bakker48916f92012-09-16 19:57:18 +0000428 memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000429
430 /*
431 * Determine the appropriate key, IV and MAC length.
432 */
Paul Bakker68884e32013-01-07 18:20:04 +0100433
434 if( cipher_info->mode == POLARSSL_MODE_GCM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000435 {
Paul Bakker68884e32013-01-07 18:20:04 +0100436 transform->keylen = cipher_info->key_length;
437 transform->keylen /= 8;
438 transform->minlen = 1;
439 transform->ivlen = 12;
440 transform->fixed_ivlen = 4;
441 transform->maclen = 0;
442 }
443 else
444 {
445 if( md_info->type != POLARSSL_MD_NONE )
446 {
447 md_init_ctx( &transform->md_ctx_enc, md_info );
448 md_init_ctx( &transform->md_ctx_dec, md_info );
Paul Bakker5121ce52009-01-03 21:22:43 +0000449
Paul Bakker68884e32013-01-07 18:20:04 +0100450 transform->maclen = md_get_size( md_info );
451 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000452
Paul Bakker68884e32013-01-07 18:20:04 +0100453 transform->keylen = cipher_info->key_length;
454 transform->keylen /= 8;
455 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000456
Paul Bakker68884e32013-01-07 18:20:04 +0100457 transform->minlen = transform->keylen;
458 if( transform->minlen < transform->maclen )
459 {
460 if( cipher_info->mode == POLARSSL_MODE_STREAM )
461 transform->minlen = transform->maclen;
462 else
463 transform->minlen += transform->keylen;
464 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000465 }
466
467 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000468 transform->keylen, transform->minlen, transform->ivlen,
469 transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000470
471 /*
472 * Finally setup the cipher contexts, IVs and MAC secrets.
473 */
474 if( ssl->endpoint == SSL_IS_CLIENT )
475 {
Paul Bakker48916f92012-09-16 19:57:18 +0000476 key1 = keyblk + transform->maclen * 2;
477 key2 = keyblk + transform->maclen * 2 + transform->keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000478
Paul Bakker68884e32013-01-07 18:20:04 +0100479 mac_enc = keyblk;
480 mac_dec = keyblk + transform->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000481
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000482 /*
483 * This is not used in TLS v1.1.
484 */
Paul Bakker48916f92012-09-16 19:57:18 +0000485 iv_copy_len = ( transform->fixed_ivlen ) ?
486 transform->fixed_ivlen : transform->ivlen;
487 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
488 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000489 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000490 }
491 else
492 {
Paul Bakker48916f92012-09-16 19:57:18 +0000493 key1 = keyblk + transform->maclen * 2 + transform->keylen;
494 key2 = keyblk + transform->maclen * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000495
Paul Bakker68884e32013-01-07 18:20:04 +0100496 mac_enc = keyblk + transform->maclen;
497 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000498
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000499 /*
500 * This is not used in TLS v1.1.
501 */
Paul Bakker48916f92012-09-16 19:57:18 +0000502 iv_copy_len = ( transform->fixed_ivlen ) ?
503 transform->fixed_ivlen : transform->ivlen;
504 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
505 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000506 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000507 }
508
Paul Bakker68884e32013-01-07 18:20:04 +0100509 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
510 {
511 memcpy( transform->mac_enc, mac_enc, transform->maclen );
512 memcpy( transform->mac_dec, mac_dec, transform->maclen );
513 }
514 else
515 {
516 md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
517 md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
518 }
519
Paul Bakker05ef8352012-05-08 09:17:57 +0000520#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
521 if( ssl_hw_record_init != NULL)
522 {
523 int ret = 0;
524
525 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
526
Paul Bakker07eb38b2012-12-19 14:42:06 +0100527 if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
528 transform->iv_enc, transform->iv_dec,
529 iv_copy_len,
Paul Bakker68884e32013-01-07 18:20:04 +0100530 mac_enc, mac_dec,
Paul Bakker07eb38b2012-12-19 14:42:06 +0100531 transform->maclen ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000532 {
533 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
534 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
535 }
536 }
537#endif
538
Paul Bakker68884e32013-01-07 18:20:04 +0100539 switch( cipher_info->type )
Paul Bakker5121ce52009-01-03 21:22:43 +0000540 {
Paul Bakker40e46942009-01-03 21:51:57 +0000541#if defined(POLARSSL_ARC4_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100542 case POLARSSL_CIPHER_ARC4_128:
Paul Bakker48916f92012-09-16 19:57:18 +0000543 arc4_setup( (arc4_context *) transform->ctx_enc, key1,
544 transform->keylen );
545 arc4_setup( (arc4_context *) transform->ctx_dec, key2,
546 transform->keylen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000547 break;
548#endif
549
Paul Bakker40e46942009-01-03 21:51:57 +0000550#if defined(POLARSSL_DES_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100551 case POLARSSL_CIPHER_DES_EDE3_CBC:
552 des3_set3key_enc( (des3_context *) transform->ctx_enc, key1 );
553 des3_set3key_dec( (des3_context *) transform->ctx_dec, key2 );
554 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000555#endif
556
Paul Bakker40e46942009-01-03 21:51:57 +0000557#if defined(POLARSSL_AES_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100558 case POLARSSL_CIPHER_AES_128_CBC:
559 case POLARSSL_CIPHER_AES_256_CBC:
560 aes_setkey_enc( (aes_context*) transform->ctx_enc, key1,
561 cipher_info->key_length );
562 aes_setkey_dec( (aes_context*) transform->ctx_dec, key2,
563 cipher_info->key_length );
Paul Bakker5121ce52009-01-03 21:22:43 +0000564 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000565#endif
566
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000567#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100568 case POLARSSL_CIPHER_CAMELLIA_128_CBC:
569 case POLARSSL_CIPHER_CAMELLIA_256_CBC:
570 camellia_setkey_enc( (camellia_context*) transform->ctx_enc, key1,
571 cipher_info->key_length );
572 camellia_setkey_dec( (camellia_context*) transform->ctx_dec, key2,
573 cipher_info->key_length );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000574 break;
575#endif
576
Paul Bakkerfab5c822012-02-06 16:45:10 +0000577#if defined(POLARSSL_DES_C)
Paul Bakker68884e32013-01-07 18:20:04 +0100578 case POLARSSL_CIPHER_DES_CBC:
Paul Bakker48916f92012-09-16 19:57:18 +0000579 des_setkey_enc( (des_context *) transform->ctx_enc, key1 );
580 des_setkey_dec( (des_context *) transform->ctx_dec, key2 );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000581 break;
582#endif
Paul Bakker68884e32013-01-07 18:20:04 +0100583
584#if defined(POLARSSL_GCM_C)
585 case POLARSSL_CIPHER_AES_128_GCM:
586 case POLARSSL_CIPHER_AES_256_GCM:
587 gcm_init( (gcm_context *) transform->ctx_enc, key1,
588 cipher_info->key_length );
589 gcm_init( (gcm_context *) transform->ctx_dec, key2,
590 cipher_info->key_length );
591 break;
592#endif
593
594 case POLARSSL_CIPHER_NULL:
595 break;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000596
Paul Bakker5121ce52009-01-03 21:22:43 +0000597 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000598 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000599 }
600
601 memset( keyblk, 0, sizeof( keyblk ) );
602
Paul Bakker2770fbd2012-07-03 13:30:23 +0000603#if defined(POLARSSL_ZLIB_SUPPORT)
604 // Initialize compression
605 //
Paul Bakker48916f92012-09-16 19:57:18 +0000606 if( session->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000607 {
608 SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
609
Paul Bakker48916f92012-09-16 19:57:18 +0000610 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
611 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000612
Paul Bakker48916f92012-09-16 19:57:18 +0000613 if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
614 inflateInit( &transform->ctx_inflate ) != Z_OK )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000615 {
616 SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
617 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
618 }
619 }
620#endif /* POLARSSL_ZLIB_SUPPORT */
621
Paul Bakker5121ce52009-01-03 21:22:43 +0000622 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
623
624 return( 0 );
625}
626
Paul Bakker380da532012-04-18 16:10:25 +0000627void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000628{
629 md5_context md5;
630 sha1_context sha1;
631 unsigned char pad_1[48];
632 unsigned char pad_2[48];
633
Paul Bakker380da532012-04-18 16:10:25 +0000634 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000635
Paul Bakker48916f92012-09-16 19:57:18 +0000636 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
637 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000638
Paul Bakker380da532012-04-18 16:10:25 +0000639 memset( pad_1, 0x36, 48 );
640 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000641
Paul Bakker48916f92012-09-16 19:57:18 +0000642 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000643 md5_update( &md5, pad_1, 48 );
644 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000645
Paul Bakker380da532012-04-18 16:10:25 +0000646 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +0000647 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000648 md5_update( &md5, pad_2, 48 );
649 md5_update( &md5, hash, 16 );
650 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000651
Paul Bakker48916f92012-09-16 19:57:18 +0000652 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000653 sha1_update( &sha1, pad_1, 40 );
654 sha1_finish( &sha1, hash + 16 );
655
656 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +0000657 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000658 sha1_update( &sha1, pad_2, 40 );
659 sha1_update( &sha1, hash + 16, 20 );
660 sha1_finish( &sha1, hash + 16 );
661
662 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
663 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
664
665 return;
666}
667
668void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
669{
670 md5_context md5;
671 sha1_context sha1;
672
673 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
674
Paul Bakker48916f92012-09-16 19:57:18 +0000675 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
676 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000677
Paul Bakker48916f92012-09-16 19:57:18 +0000678 md5_finish( &md5, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000679 sha1_finish( &sha1, hash + 16 );
680
681 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
682 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
683
684 return;
685}
686
687void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
688{
Paul Bakker9e36f042013-06-30 14:34:05 +0200689 sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000690
691 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
692
Paul Bakker9e36f042013-06-30 14:34:05 +0200693 memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
694 sha256_finish( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000695
696 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
697 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
698
699 return;
700}
701
Paul Bakker9e36f042013-06-30 14:34:05 +0200702#if defined(POLARSSL_SHA512_C)
Paul Bakker380da532012-04-18 16:10:25 +0000703void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
704{
Paul Bakker9e36f042013-06-30 14:34:05 +0200705 sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +0000706
707 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
708
Paul Bakker9e36f042013-06-30 14:34:05 +0200709 memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
710 sha512_finish( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000711
Paul Bakkerca4ab492012-04-18 14:23:57 +0000712 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000713 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
714
715 return;
716}
Paul Bakker769075d2012-11-24 11:26:46 +0100717#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000718
719/*
720 * SSLv3.0 MAC functions
721 */
Paul Bakker68884e32013-01-07 18:20:04 +0100722static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
723 unsigned char *buf, size_t len,
724 unsigned char *ctr, int type )
Paul Bakker5121ce52009-01-03 21:22:43 +0000725{
726 unsigned char header[11];
727 unsigned char padding[48];
Paul Bakker68884e32013-01-07 18:20:04 +0100728 int padlen = 0;
729 int md_size = md_get_size( md_ctx->md_info );
730 int md_type = md_get_type( md_ctx->md_info );
731
732 if( md_type == POLARSSL_MD_MD5 )
733 padlen = 48;
734 else if( md_type == POLARSSL_MD_SHA1 )
735 padlen = 40;
736 else if( md_type == POLARSSL_MD_SHA256 )
737 padlen = 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000738
739 memcpy( header, ctr, 8 );
740 header[ 8] = (unsigned char) type;
741 header[ 9] = (unsigned char)( len >> 8 );
742 header[10] = (unsigned char)( len );
743
Paul Bakker68884e32013-01-07 18:20:04 +0100744 memset( padding, 0x36, padlen );
745 md_starts( md_ctx );
746 md_update( md_ctx, secret, md_size );
747 md_update( md_ctx, padding, padlen );
748 md_update( md_ctx, header, 11 );
749 md_update( md_ctx, buf, len );
750 md_finish( md_ctx, buf + len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000751
Paul Bakker68884e32013-01-07 18:20:04 +0100752 memset( padding, 0x5C, padlen );
753 md_starts( md_ctx );
754 md_update( md_ctx, secret, md_size );
755 md_update( md_ctx, padding, padlen );
756 md_update( md_ctx, buf + len, md_size );
757 md_finish( md_ctx, buf + len );
Paul Bakker5f70b252012-09-13 14:23:06 +0000758}
759
Paul Bakker5121ce52009-01-03 21:22:43 +0000760/*
761 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +0200762 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000763static int ssl_encrypt_buf( ssl_context *ssl )
764{
Paul Bakker23986e52011-04-24 08:57:21 +0000765 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000766
767 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
768
769 /*
770 * Add MAC then encrypt
771 */
772 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
773 {
Paul Bakker68884e32013-01-07 18:20:04 +0100774 ssl_mac( &ssl->transform_out->md_ctx_enc,
775 ssl->transform_out->mac_enc,
776 ssl->out_msg, ssl->out_msglen,
777 ssl->out_ctr, ssl->out_msgtype );
Paul Bakker5121ce52009-01-03 21:22:43 +0000778 }
779 else
780 {
Paul Bakker68884e32013-01-07 18:20:04 +0100781 md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
782 md_hmac_update( &ssl->transform_out->md_ctx_enc,
783 ssl->out_msg, ssl->out_msglen );
784 md_hmac_finish( &ssl->transform_out->md_ctx_enc,
785 ssl->out_msg + ssl->out_msglen );
786 md_hmac_reset( &ssl->transform_out->md_ctx_enc );
Paul Bakker5121ce52009-01-03 21:22:43 +0000787 }
788
789 SSL_DEBUG_BUF( 4, "computed mac",
Paul Bakker48916f92012-09-16 19:57:18 +0000790 ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000791
Paul Bakker48916f92012-09-16 19:57:18 +0000792 ssl->out_msglen += ssl->transform_out->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000793
Paul Bakker68884e32013-01-07 18:20:04 +0100794#if defined(POLARSSL_CIPHER_NULL_CIPHER)
795 if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_NULL )
796 {
797 padlen = 0;
798 }
799 else
800#endif /* POLARSSL_CIPHER_NULL_CIPHER */
801#if defined(POLARSSL_ARC4_C)
802 if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000803 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000804 padlen = 0;
805
806 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
807 "including %d bytes of padding",
808 ssl->out_msglen, 0 ) );
809
810 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
811 ssl->out_msg, ssl->out_msglen );
812
Paul Bakker68884e32013-01-07 18:20:04 +0100813 arc4_crypt( (arc4_context *) ssl->transform_out->ctx_enc,
814 ssl->out_msglen, ssl->out_msg,
815 ssl->out_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000816 }
Paul Bakker68884e32013-01-07 18:20:04 +0100817 else
818#endif /* POLARSSL_ARC4_C */
819#if defined(POLARSSL_GCM_C)
820 if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_128_GCM ||
821 ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_256_GCM )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000822 {
823 size_t enc_msglen;
824 unsigned char *enc_msg;
825 unsigned char add_data[13];
826 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
827
828 padlen = 0;
829 enc_msglen = ssl->out_msglen;
830
831 memcpy( add_data, ssl->out_ctr, 8 );
832 add_data[8] = ssl->out_msgtype;
833 add_data[9] = ssl->major_ver;
834 add_data[10] = ssl->minor_ver;
835 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
836 add_data[12] = ssl->out_msglen & 0xFF;
837
838 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
839 add_data, 13 );
840
Paul Bakker68884e32013-01-07 18:20:04 +0100841 /*
842 * Generate IV
843 */
844 ret = ssl->f_rng( ssl->p_rng,
Paul Bakker48916f92012-09-16 19:57:18 +0000845 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
Paul Bakker68884e32013-01-07 18:20:04 +0100846 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
847 if( ret != 0 )
848 return( ret );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000849
Paul Bakker68884e32013-01-07 18:20:04 +0100850 memcpy( ssl->out_iv,
851 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
852 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000853
Paul Bakker68884e32013-01-07 18:20:04 +0100854 /*
855 * Fix pointer positions and message length with added IV
856 */
857 enc_msg = ssl->out_msg;
858 enc_msglen = ssl->out_msglen;
859 ssl->out_msglen += ssl->transform_out->ivlen -
860 ssl->transform_out->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000861
Paul Bakker68884e32013-01-07 18:20:04 +0100862 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
863 "including %d bytes of padding",
864 ssl->out_msglen, 0 ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000865
Paul Bakker68884e32013-01-07 18:20:04 +0100866 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
867 ssl->out_msg, ssl->out_msglen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000868
Paul Bakker68884e32013-01-07 18:20:04 +0100869 /*
870 * Adjust for tag
871 */
872 ssl->out_msglen += 16;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000873
Paul Bakker68884e32013-01-07 18:20:04 +0100874 gcm_crypt_and_tag( (gcm_context *) ssl->transform_out->ctx_enc,
875 GCM_ENCRYPT, enc_msglen,
876 ssl->transform_out->iv_enc, ssl->transform_out->ivlen,
877 add_data, 13,
878 enc_msg, enc_msg,
879 16, enc_msg + enc_msglen );
880
881 SSL_DEBUG_BUF( 4, "after encrypt: tag",
882 enc_msg + enc_msglen, 16 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000883 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000884 else
Paul Bakker68884e32013-01-07 18:20:04 +0100885#endif /* POLARSSL_GCM_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000886 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000887 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000888 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000889
Paul Bakker48916f92012-09-16 19:57:18 +0000890 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
891 ssl->transform_out->ivlen;
892 if( padlen == ssl->transform_out->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000893 padlen = 0;
894
895 for( i = 0; i <= padlen; i++ )
896 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
897
898 ssl->out_msglen += padlen + 1;
899
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000900 enc_msglen = ssl->out_msglen;
901 enc_msg = ssl->out_msg;
902
903 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000904 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
905 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000906 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000907 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000908 {
909 /*
910 * Generate IV
911 */
Paul Bakker48916f92012-09-16 19:57:18 +0000912 int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
913 ssl->transform_out->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +0000914 if( ret != 0 )
915 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000916
Paul Bakker92be97b2013-01-02 17:30:03 +0100917 memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +0000918 ssl->transform_out->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000919
920 /*
921 * Fix pointer positions and message length with added IV
922 */
Paul Bakker92be97b2013-01-02 17:30:03 +0100923 enc_msg = ssl->out_msg;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000924 enc_msglen = ssl->out_msglen;
Paul Bakker48916f92012-09-16 19:57:18 +0000925 ssl->out_msglen += ssl->transform_out->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000926 }
927
Paul Bakker5121ce52009-01-03 21:22:43 +0000928 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000929 "including %d bytes of IV and %d bytes of padding",
Paul Bakker48916f92012-09-16 19:57:18 +0000930 ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000931
932 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
Paul Bakker92be97b2013-01-02 17:30:03 +0100933 ssl->out_iv, ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000934
Paul Bakker68884e32013-01-07 18:20:04 +0100935 switch( ssl->transform_out->ciphersuite_info->cipher )
Paul Bakker5121ce52009-01-03 21:22:43 +0000936 {
Paul Bakker68884e32013-01-07 18:20:04 +0100937 case POLARSSL_CIPHER_DES_CBC:
938 des_crypt_cbc( (des_context *) ssl->transform_out->ctx_enc,
939 DES_ENCRYPT, enc_msglen,
940 ssl->transform_out->iv_enc, enc_msg, enc_msg );
941 break;
942
943 case POLARSSL_CIPHER_DES_EDE3_CBC:
944 des3_crypt_cbc( (des3_context *) ssl->transform_out->ctx_enc,
945 DES_ENCRYPT, enc_msglen,
946 ssl->transform_out->iv_enc, enc_msg, enc_msg );
947 break;
948
949 case POLARSSL_CIPHER_AES_128_CBC:
950 case POLARSSL_CIPHER_AES_256_CBC:
951 aes_crypt_cbc( (aes_context *) ssl->transform_out->ctx_enc,
952 AES_ENCRYPT, enc_msglen,
953 ssl->transform_out->iv_enc, enc_msg, enc_msg );
954 break;
955
956 case POLARSSL_CIPHER_CAMELLIA_128_CBC:
957 case POLARSSL_CIPHER_CAMELLIA_256_CBC:
958 camellia_crypt_cbc( (camellia_context *) ssl->transform_out->ctx_enc,
959 CAMELLIA_ENCRYPT, enc_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +0000960 ssl->transform_out->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000961 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000962
963 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000964 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000965 }
966 }
967
Paul Bakkerca4ab492012-04-18 14:23:57 +0000968 for( i = 8; i > 0; i-- )
969 if( ++ssl->out_ctr[i - 1] != 0 )
970 break;
971
Paul Bakker5121ce52009-01-03 21:22:43 +0000972 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
973
974 return( 0 );
975}
976
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100977#define POLARSSL_SSL_MAX_MAC_SIZE 48
Paul Bakkerfab5c822012-02-06 16:45:10 +0000978
Paul Bakker5121ce52009-01-03 21:22:43 +0000979static int ssl_decrypt_buf( ssl_context *ssl )
980{
Paul Bakker45829992013-01-03 14:52:21 +0100981 size_t i, padlen = 0, correct = 1;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000982 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000983
984 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
985
Paul Bakker48916f92012-09-16 19:57:18 +0000986 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000987 {
988 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
Paul Bakker48916f92012-09-16 19:57:18 +0000989 ssl->in_msglen, ssl->transform_in->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000990 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000991 }
992
Paul Bakker68884e32013-01-07 18:20:04 +0100993#if defined(POLARSSL_CIPHER_NULL_CIPHER)
994 if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000995 {
Paul Bakker68884e32013-01-07 18:20:04 +0100996 padlen = 0;
997 }
998 else
999#endif /* POLARSSL_CIPHER_NULL_CIPHER */
Paul Bakker40e46942009-01-03 21:51:57 +00001000#if defined(POLARSSL_ARC4_C)
Paul Bakker68884e32013-01-07 18:20:04 +01001001 if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
1002 {
1003 padlen = 0;
1004
1005 arc4_crypt( (arc4_context *) ssl->transform_in->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +00001006 ssl->in_msglen, ssl->in_msg,
1007 ssl->in_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +00001008 }
Paul Bakker68884e32013-01-07 18:20:04 +01001009 else
1010#endif /* POLARSSL_ARC4_C */
1011#if defined(POLARSSL_GCM_C)
1012 if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_128_GCM ||
1013 ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_256_GCM )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001014 {
1015 unsigned char *dec_msg;
1016 unsigned char *dec_msg_result;
1017 size_t dec_msglen;
1018 unsigned char add_data[13];
1019 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1020
Paul Bakker68884e32013-01-07 18:20:04 +01001021 padlen = 0;
1022
1023 dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1024 ssl->transform_in->fixed_ivlen );
1025 dec_msglen -= 16;
1026 dec_msg = ssl->in_msg;
1027 dec_msg_result = ssl->in_msg;
1028 ssl->in_msglen = dec_msglen;
1029
1030 memcpy( add_data, ssl->in_ctr, 8 );
1031 add_data[8] = ssl->in_msgtype;
1032 add_data[9] = ssl->major_ver;
1033 add_data[10] = ssl->minor_ver;
1034 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1035 add_data[12] = ssl->in_msglen & 0xFF;
1036
1037 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1038 add_data, 13 );
1039
1040 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1041 ssl->in_iv,
1042 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1043
1044 SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1045 ssl->transform_in->ivlen );
1046 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1047
1048 ret = gcm_auth_decrypt( (gcm_context *) ssl->transform_in->ctx_dec,
1049 dec_msglen,
1050 ssl->transform_in->iv_dec,
1051 ssl->transform_in->ivlen,
1052 add_data, 13,
1053 dec_msg + dec_msglen, 16,
1054 dec_msg, dec_msg_result );
1055
1056 if( ret != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001057 {
Paul Bakker68884e32013-01-07 18:20:04 +01001058 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1059 -ret ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001060
Paul Bakker68884e32013-01-07 18:20:04 +01001061 return( POLARSSL_ERR_SSL_INVALID_MAC );
1062 }
Paul Bakkerca4ab492012-04-18 14:23:57 +00001063 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001064 else
Paul Bakker68884e32013-01-07 18:20:04 +01001065#endif /* POLARSSL_GCM_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00001066 {
Paul Bakker45829992013-01-03 14:52:21 +01001067 /*
1068 * Decrypt and check the padding
1069 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001070 unsigned char *dec_msg;
1071 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +00001072 size_t dec_msglen;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001073 size_t minlen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001074
Paul Bakker5121ce52009-01-03 21:22:43 +00001075 /*
Paul Bakker45829992013-01-03 14:52:21 +01001076 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +00001077 */
Paul Bakker48916f92012-09-16 19:57:18 +00001078 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001079 {
1080 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
Paul Bakker48916f92012-09-16 19:57:18 +00001081 ssl->in_msglen, ssl->transform_in->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001082 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001083 }
1084
Paul Bakker45829992013-01-03 14:52:21 +01001085 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1086 minlen += ssl->transform_in->ivlen;
1087
1088 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1089 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1090 {
1091 SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1092 ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1093 return( POLARSSL_ERR_SSL_INVALID_MAC );
1094 }
1095
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001096 dec_msglen = ssl->in_msglen;
1097 dec_msg = ssl->in_msg;
1098 dec_msg_result = ssl->in_msg;
1099
1100 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +00001101 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001102 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00001103 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001104 {
Paul Bakker48916f92012-09-16 19:57:18 +00001105 dec_msglen -= ssl->transform_in->ivlen;
1106 ssl->in_msglen -= ssl->transform_in->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001107
Paul Bakker48916f92012-09-16 19:57:18 +00001108 for( i = 0; i < ssl->transform_in->ivlen; i++ )
Paul Bakker92be97b2013-01-02 17:30:03 +01001109 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001110 }
1111
Paul Bakker68884e32013-01-07 18:20:04 +01001112 switch( ssl->transform_in->ciphersuite_info->cipher )
Paul Bakker5121ce52009-01-03 21:22:43 +00001113 {
Paul Bakker68884e32013-01-07 18:20:04 +01001114 case POLARSSL_CIPHER_DES_CBC:
1115 des_crypt_cbc( (des_context *) ssl->transform_in->ctx_dec,
1116 DES_DECRYPT, dec_msglen,
1117 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +00001118 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00001119
Paul Bakker68884e32013-01-07 18:20:04 +01001120 case POLARSSL_CIPHER_DES_EDE3_CBC:
1121 des3_crypt_cbc( (des3_context *) ssl->transform_in->ctx_dec,
1122 DES_DECRYPT, dec_msglen,
1123 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1124 break;
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +00001125
Paul Bakker68884e32013-01-07 18:20:04 +01001126 case POLARSSL_CIPHER_AES_128_CBC:
1127 case POLARSSL_CIPHER_AES_256_CBC:
1128 aes_crypt_cbc( (aes_context *) ssl->transform_in->ctx_dec,
1129 AES_DECRYPT, dec_msglen,
1130 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1131 break;
1132
1133 case POLARSSL_CIPHER_CAMELLIA_128_CBC:
1134 case POLARSSL_CIPHER_CAMELLIA_256_CBC:
1135 camellia_crypt_cbc( (camellia_context *) ssl->transform_in->ctx_dec,
1136 CAMELLIA_DECRYPT, dec_msglen,
1137 ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1138 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00001139
1140 default:
Paul Bakker40e46942009-01-03 21:51:57 +00001141 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001142 }
1143
1144 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
Paul Bakker45829992013-01-03 14:52:21 +01001145
1146 if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1147 {
Paul Bakkerd66f0702013-01-31 16:57:45 +01001148#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker45829992013-01-03 14:52:21 +01001149 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1150 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001151#endif
Paul Bakker45829992013-01-03 14:52:21 +01001152 padlen = 0;
Paul Bakker45829992013-01-03 14:52:21 +01001153 correct = 0;
1154 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001155
1156 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1157 {
Paul Bakker48916f92012-09-16 19:57:18 +00001158 if( padlen > ssl->transform_in->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001159 {
Paul Bakkerd66f0702013-01-31 16:57:45 +01001160#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker5121ce52009-01-03 21:22:43 +00001161 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1162 "should be no more than %d",
Paul Bakker48916f92012-09-16 19:57:18 +00001163 padlen, ssl->transform_in->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001164#endif
Paul Bakker45829992013-01-03 14:52:21 +01001165 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001166 }
1167 }
1168 else
1169 {
1170 /*
Paul Bakker45829992013-01-03 14:52:21 +01001171 * TLSv1+: always check the padding up to the first failure
1172 * and fake check up to 256 bytes of padding
Paul Bakker5121ce52009-01-03 21:22:43 +00001173 */
Paul Bakkere47b34b2013-02-27 14:48:00 +01001174 size_t pad_count = 0, fake_pad_count = 0;
1175 size_t padding_idx = ssl->in_msglen - padlen - 1;
1176
Paul Bakker5121ce52009-01-03 21:22:43 +00001177 for( i = 1; i <= padlen; i++ )
Paul Bakkere47b34b2013-02-27 14:48:00 +01001178 pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1179
1180 for( ; i <= 256; i++ )
1181 fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1182
1183 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1184 correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
1185
Paul Bakkerd66f0702013-01-31 16:57:45 +01001186#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker45829992013-01-03 14:52:21 +01001187 if( padlen > 0 && correct == 0)
1188 SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001189#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +01001190 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +00001191 }
1192 }
1193
1194 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1195 ssl->in_msg, ssl->in_msglen );
1196
1197 /*
1198 * Always compute the MAC (RFC4346, CBCTIME).
1199 */
Paul Bakker48916f92012-09-16 19:57:18 +00001200 ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001201
1202 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1203 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1204
Paul Bakker45829992013-01-03 14:52:21 +01001205 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001206
1207 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1208 {
Paul Bakker68884e32013-01-07 18:20:04 +01001209 ssl_mac( &ssl->transform_in->md_ctx_dec,
1210 ssl->transform_in->mac_dec,
1211 ssl->in_msg, ssl->in_msglen,
1212 ssl->in_ctr, ssl->in_msgtype );
Paul Bakker5121ce52009-01-03 21:22:43 +00001213 }
1214 else
1215 {
Paul Bakker45829992013-01-03 14:52:21 +01001216 /*
1217 * Process MAC and always update for padlen afterwards to make
1218 * total time independent of padlen
Paul Bakkere47b34b2013-02-27 14:48:00 +01001219 *
1220 * extra_run compensates MAC check for padlen
1221 *
1222 * Known timing attacks:
1223 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1224 *
1225 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1226 * correctly. (We round down instead of up, so -56 is the correct
1227 * value for our calculations instead of -55)
Paul Bakker45829992013-01-03 14:52:21 +01001228 */
Paul Bakkere47b34b2013-02-27 14:48:00 +01001229 int j, extra_run = 0;
1230 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1231 ( 13 + ssl->in_msglen + 8 ) / 64;
1232
1233 extra_run &= correct * 0xFF;
1234
Paul Bakker68884e32013-01-07 18:20:04 +01001235 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1236 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
1237 ssl->in_msglen );
1238 md_hmac_finish( &ssl->transform_in->md_ctx_dec,
1239 ssl->in_msg + ssl->in_msglen );
1240 for( j = 0; j < extra_run; j++ )
1241 md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
Paul Bakkere47b34b2013-02-27 14:48:00 +01001242
Paul Bakker68884e32013-01-07 18:20:04 +01001243 md_hmac_reset( &ssl->transform_in->md_ctx_dec );
Paul Bakker5121ce52009-01-03 21:22:43 +00001244 }
1245
Paul Bakker48916f92012-09-16 19:57:18 +00001246 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001247 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +00001248 ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001249
1250 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
Paul Bakker48916f92012-09-16 19:57:18 +00001251 ssl->transform_in->maclen ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001252 {
Paul Bakkere47b34b2013-02-27 14:48:00 +01001253#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker5121ce52009-01-03 21:22:43 +00001254 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +01001255#endif
Paul Bakker45829992013-01-03 14:52:21 +01001256 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001257 }
1258
1259 /*
Paul Bakker45829992013-01-03 14:52:21 +01001260 * Finally check the correct flag
Paul Bakker5121ce52009-01-03 21:22:43 +00001261 */
Paul Bakker45829992013-01-03 14:52:21 +01001262 if( correct == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +00001263 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001264
1265 if( ssl->in_msglen == 0 )
1266 {
1267 ssl->nb_zero++;
1268
1269 /*
1270 * Three or more empty messages may be a DoS attack
1271 * (excessive CPU consumption).
1272 */
1273 if( ssl->nb_zero > 3 )
1274 {
1275 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1276 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001277 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001278 }
1279 }
1280 else
1281 ssl->nb_zero = 0;
Paul Bakkerf7abd422013-04-16 13:15:56 +02001282
Paul Bakker23986e52011-04-24 08:57:21 +00001283 for( i = 8; i > 0; i-- )
1284 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001285 break;
1286
1287 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1288
1289 return( 0 );
1290}
1291
Paul Bakker2770fbd2012-07-03 13:30:23 +00001292#if defined(POLARSSL_ZLIB_SUPPORT)
1293/*
1294 * Compression/decompression functions
1295 */
1296static int ssl_compress_buf( ssl_context *ssl )
1297{
1298 int ret;
1299 unsigned char *msg_post = ssl->out_msg;
1300 size_t len_pre = ssl->out_msglen;
1301 unsigned char *msg_pre;
1302
1303 SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1304
Paul Bakkerabf2f8f2013-06-30 14:57:46 +02001305 if( len_pre == 0 )
1306 return( 0 );
1307
Paul Bakker6e339b52013-07-03 13:37:05 +02001308 msg_pre = (unsigned char*) polarssl_malloc( len_pre );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001309 if( msg_pre == NULL )
1310 {
1311 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1312 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1313 }
1314
1315 memcpy( msg_pre, ssl->out_msg, len_pre );
1316
1317 SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1318 ssl->out_msglen ) );
1319
1320 SSL_DEBUG_BUF( 4, "before compression: output payload",
1321 ssl->out_msg, ssl->out_msglen );
1322
Paul Bakker48916f92012-09-16 19:57:18 +00001323 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1324 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1325 ssl->transform_out->ctx_deflate.next_out = msg_post;
1326 ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001327
Paul Bakker48916f92012-09-16 19:57:18 +00001328 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001329 if( ret != Z_OK )
1330 {
1331 SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1332 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1333 }
1334
Paul Bakker48916f92012-09-16 19:57:18 +00001335 ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001336
Paul Bakker6e339b52013-07-03 13:37:05 +02001337 polarssl_free( msg_pre );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001338
1339 SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1340 ssl->out_msglen ) );
1341
1342 SSL_DEBUG_BUF( 4, "after compression: output payload",
1343 ssl->out_msg, ssl->out_msglen );
1344
1345 SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1346
1347 return( 0 );
1348}
1349
1350static int ssl_decompress_buf( ssl_context *ssl )
1351{
1352 int ret;
1353 unsigned char *msg_post = ssl->in_msg;
1354 size_t len_pre = ssl->in_msglen;
1355 unsigned char *msg_pre;
1356
1357 SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1358
Paul Bakkerabf2f8f2013-06-30 14:57:46 +02001359 if( len_pre == 0 )
1360 return( 0 );
1361
Paul Bakker6e339b52013-07-03 13:37:05 +02001362 msg_pre = (unsigned char*) polarssl_malloc( len_pre );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001363 if( msg_pre == NULL )
1364 {
1365 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1366 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
1367 }
1368
1369 memcpy( msg_pre, ssl->in_msg, len_pre );
1370
1371 SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1372 ssl->in_msglen ) );
1373
1374 SSL_DEBUG_BUF( 4, "before decompression: input payload",
1375 ssl->in_msg, ssl->in_msglen );
1376
Paul Bakker48916f92012-09-16 19:57:18 +00001377 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1378 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1379 ssl->transform_in->ctx_inflate.next_out = msg_post;
1380 ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001381
Paul Bakker48916f92012-09-16 19:57:18 +00001382 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001383 if( ret != Z_OK )
1384 {
1385 SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1386 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1387 }
1388
Paul Bakker48916f92012-09-16 19:57:18 +00001389 ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001390
Paul Bakker6e339b52013-07-03 13:37:05 +02001391 polarssl_free( msg_pre );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001392
1393 SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1394 ssl->in_msglen ) );
1395
1396 SSL_DEBUG_BUF( 4, "after decompression: input payload",
1397 ssl->in_msg, ssl->in_msglen );
1398
1399 SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1400
1401 return( 0 );
1402}
1403#endif /* POLARSSL_ZLIB_SUPPORT */
1404
Paul Bakker5121ce52009-01-03 21:22:43 +00001405/*
1406 * Fill the input message buffer
1407 */
Paul Bakker23986e52011-04-24 08:57:21 +00001408int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +00001409{
Paul Bakker23986e52011-04-24 08:57:21 +00001410 int ret;
1411 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +00001412
1413 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1414
1415 while( ssl->in_left < nb_want )
1416 {
1417 len = nb_want - ssl->in_left;
1418 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1419
1420 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1421 ssl->in_left, nb_want ) );
1422 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1423
Paul Bakker831a7552011-05-18 13:32:51 +00001424 if( ret == 0 )
1425 return( POLARSSL_ERR_SSL_CONN_EOF );
1426
Paul Bakker5121ce52009-01-03 21:22:43 +00001427 if( ret < 0 )
1428 return( ret );
1429
1430 ssl->in_left += ret;
1431 }
1432
1433 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1434
1435 return( 0 );
1436}
1437
1438/*
1439 * Flush any data not yet written
1440 */
1441int ssl_flush_output( ssl_context *ssl )
1442{
1443 int ret;
1444 unsigned char *buf;
1445
1446 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1447
1448 while( ssl->out_left > 0 )
1449 {
1450 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1451 5 + ssl->out_msglen, ssl->out_left ) );
1452
Paul Bakker5bd42292012-12-19 14:40:42 +01001453 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
Paul Bakker5121ce52009-01-03 21:22:43 +00001454 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +00001455
Paul Bakker5121ce52009-01-03 21:22:43 +00001456 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1457
1458 if( ret <= 0 )
1459 return( ret );
1460
1461 ssl->out_left -= ret;
1462 }
1463
1464 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1465
1466 return( 0 );
1467}
1468
1469/*
1470 * Record layer functions
1471 */
1472int ssl_write_record( ssl_context *ssl )
1473{
Paul Bakker05ef8352012-05-08 09:17:57 +00001474 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +00001475 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +00001476
1477 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1478
Paul Bakker5121ce52009-01-03 21:22:43 +00001479 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1480 {
1481 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1482 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1483 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1484
Paul Bakker48916f92012-09-16 19:57:18 +00001485 ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001486 }
1487
Paul Bakker2770fbd2012-07-03 13:30:23 +00001488#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00001489 if( ssl->transform_out != NULL &&
1490 ssl->session_out->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00001491 {
1492 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1493 {
1494 SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1495 return( ret );
1496 }
1497
1498 len = ssl->out_msglen;
1499 }
1500#endif /*POLARSSL_ZLIB_SUPPORT */
1501
Paul Bakker05ef8352012-05-08 09:17:57 +00001502#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1503 if( ssl_hw_record_write != NULL)
Paul Bakker5121ce52009-01-03 21:22:43 +00001504 {
Paul Bakker05ef8352012-05-08 09:17:57 +00001505 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001506
Paul Bakker05ef8352012-05-08 09:17:57 +00001507 ret = ssl_hw_record_write( ssl );
1508 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1509 {
1510 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1511 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1512 }
Paul Bakkerc7878112012-12-19 14:41:14 +01001513
1514 if( ret == 0 )
1515 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00001516 }
1517#endif
1518 if( !done )
1519 {
1520 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1521 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1522 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +00001523 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1524 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +00001525
Paul Bakker48916f92012-09-16 19:57:18 +00001526 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00001527 {
1528 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1529 {
1530 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1531 return( ret );
1532 }
1533
1534 len = ssl->out_msglen;
1535 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1536 ssl->out_hdr[4] = (unsigned char)( len );
1537 }
1538
1539 ssl->out_left = 5 + ssl->out_msglen;
1540
1541 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1542 "version = [%d:%d], msglen = %d",
1543 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1544 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1545
1546 SSL_DEBUG_BUF( 4, "output record sent to network",
Paul Bakker5bd42292012-12-19 14:40:42 +01001547 ssl->out_hdr, 5 + ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001548 }
1549
Paul Bakker5121ce52009-01-03 21:22:43 +00001550 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1551 {
1552 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1553 return( ret );
1554 }
1555
1556 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1557
1558 return( 0 );
1559}
1560
1561int ssl_read_record( ssl_context *ssl )
1562{
Paul Bakker05ef8352012-05-08 09:17:57 +00001563 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001564
1565 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1566
Paul Bakker68884e32013-01-07 18:20:04 +01001567 SSL_DEBUG_BUF( 4, "input record from network",
1568 ssl->in_hdr, 5 + ssl->in_msglen );
1569
Paul Bakker5121ce52009-01-03 21:22:43 +00001570 if( ssl->in_hslen != 0 &&
1571 ssl->in_hslen < ssl->in_msglen )
1572 {
1573 /*
1574 * Get next Handshake message in the current record
1575 */
1576 ssl->in_msglen -= ssl->in_hslen;
1577
Paul Bakker8934a982011-08-05 11:11:53 +00001578 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker48916f92012-09-16 19:57:18 +00001579 ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001580
1581 ssl->in_hslen = 4;
1582 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1583
1584 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1585 " %d, type = %d, hslen = %d",
1586 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1587
1588 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1589 {
1590 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001591 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001592 }
1593
1594 if( ssl->in_msglen < ssl->in_hslen )
1595 {
1596 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001597 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001598 }
1599
Paul Bakker48916f92012-09-16 19:57:18 +00001600 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001601
1602 return( 0 );
1603 }
1604
1605 ssl->in_hslen = 0;
1606
1607 /*
1608 * Read the record header and validate it
1609 */
1610 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1611 {
1612 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1613 return( ret );
1614 }
1615
1616 ssl->in_msgtype = ssl->in_hdr[0];
1617 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1618
1619 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1620 "version = [%d:%d], msglen = %d",
1621 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1622 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1623
1624 if( ssl->in_hdr[1] != ssl->major_ver )
1625 {
1626 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001627 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001628 }
1629
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001630 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +00001631 {
1632 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001633 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001634 }
1635
1636 /*
1637 * Make sure the message length is acceptable
1638 */
Paul Bakker48916f92012-09-16 19:57:18 +00001639 if( ssl->transform_in == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001640 {
1641 if( ssl->in_msglen < 1 ||
1642 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1643 {
1644 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001645 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001646 }
1647 }
1648 else
1649 {
Paul Bakker48916f92012-09-16 19:57:18 +00001650 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001651 {
1652 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001653 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001654 }
1655
1656 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
Paul Bakker48916f92012-09-16 19:57:18 +00001657 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +00001658 {
1659 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001660 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001661 }
1662
1663 /*
1664 * TLS encrypted messages can have up to 256 bytes of padding
1665 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00001666 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker48916f92012-09-16 19:57:18 +00001667 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001668 {
1669 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001670 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001671 }
1672 }
1673
1674 /*
1675 * Read and optionally decrypt the message contents
1676 */
1677 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1678 {
1679 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1680 return( ret );
1681 }
1682
1683 SSL_DEBUG_BUF( 4, "input record from network",
1684 ssl->in_hdr, 5 + ssl->in_msglen );
1685
Paul Bakker05ef8352012-05-08 09:17:57 +00001686#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1687 if( ssl_hw_record_read != NULL)
1688 {
1689 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1690
1691 ret = ssl_hw_record_read( ssl );
1692 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1693 {
1694 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1695 return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1696 }
Paul Bakkerc7878112012-12-19 14:41:14 +01001697
1698 if( ret == 0 )
1699 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00001700 }
1701#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001702 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001703 {
1704 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1705 {
Paul Bakker40865c82013-01-31 17:13:13 +01001706#if defined(POLARSSL_SSL_ALERT_MESSAGES)
1707 if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
1708 {
1709 ssl_send_alert_message( ssl,
1710 SSL_ALERT_LEVEL_FATAL,
1711 SSL_ALERT_MSG_BAD_RECORD_MAC );
1712 }
1713#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001714 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1715 return( ret );
1716 }
1717
1718 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1719 ssl->in_msg, ssl->in_msglen );
1720
1721 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1722 {
1723 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001724 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001725 }
1726 }
1727
Paul Bakker2770fbd2012-07-03 13:30:23 +00001728#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00001729 if( ssl->transform_in != NULL &&
1730 ssl->session_in->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00001731 {
1732 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
1733 {
1734 SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
1735 return( ret );
1736 }
1737
1738 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1739 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1740 }
1741#endif /* POLARSSL_ZLIB_SUPPORT */
1742
Paul Bakker0a925182012-04-16 06:46:41 +00001743 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1744 ssl->in_msgtype != SSL_MSG_ALERT &&
1745 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1746 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1747 {
1748 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1749
Paul Bakker48916f92012-09-16 19:57:18 +00001750 if( ( ret = ssl_send_alert_message( ssl,
1751 SSL_ALERT_LEVEL_FATAL,
1752 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +00001753 {
1754 return( ret );
1755 }
1756
1757 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1758 }
1759
Paul Bakker5121ce52009-01-03 21:22:43 +00001760 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1761 {
1762 ssl->in_hslen = 4;
1763 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1764
1765 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1766 " %d, type = %d, hslen = %d",
1767 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1768
1769 /*
1770 * Additional checks to validate the handshake header
1771 */
1772 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1773 {
1774 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001775 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001776 }
1777
1778 if( ssl->in_msglen < ssl->in_hslen )
1779 {
1780 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001781 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00001782 }
1783
Paul Bakker48916f92012-09-16 19:57:18 +00001784 if( ssl->state != SSL_HANDSHAKE_OVER )
1785 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001786 }
1787
1788 if( ssl->in_msgtype == SSL_MSG_ALERT )
1789 {
1790 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1791 ssl->in_msg[0], ssl->in_msg[1] ) );
1792
1793 /*
1794 * Ignore non-fatal alerts, except close_notify
1795 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001796 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001797 {
Paul Bakker2770fbd2012-07-03 13:30:23 +00001798 SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
1799 ssl->in_msg[1] ) );
Paul Bakker9d781402011-05-09 16:17:09 +00001800 /**
1801 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1802 * error identifier.
1803 */
Paul Bakker2770fbd2012-07-03 13:30:23 +00001804 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001805 }
1806
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001807 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1808 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +00001809 {
1810 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001811 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00001812 }
1813 }
1814
1815 ssl->in_left = 0;
1816
1817 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1818
1819 return( 0 );
1820}
1821
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001822int ssl_send_fatal_handshake_failure( ssl_context *ssl )
1823{
1824 int ret;
1825
1826 if( ( ret = ssl_send_alert_message( ssl,
1827 SSL_ALERT_LEVEL_FATAL,
1828 SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
1829 {
1830 return( ret );
1831 }
1832
1833 return( 0 );
1834}
1835
Paul Bakker0a925182012-04-16 06:46:41 +00001836int ssl_send_alert_message( ssl_context *ssl,
1837 unsigned char level,
1838 unsigned char message )
1839{
1840 int ret;
1841
1842 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1843
1844 ssl->out_msgtype = SSL_MSG_ALERT;
1845 ssl->out_msglen = 2;
1846 ssl->out_msg[0] = level;
1847 ssl->out_msg[1] = message;
1848
1849 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1850 {
1851 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1852 return( ret );
1853 }
1854
1855 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1856
1857 return( 0 );
1858}
1859
Paul Bakker5121ce52009-01-03 21:22:43 +00001860/*
1861 * Handshake functions
1862 */
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001863#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
1864 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
1865 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00001866int ssl_write_certificate( ssl_context *ssl )
1867{
Paul Bakkered27a042013-04-18 22:46:23 +02001868 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001869 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001870
1871 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1872
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001873 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1874 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02001875 {
1876 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1877 ssl->state++;
1878 return( 0 );
1879 }
1880
Paul Bakker48f7a5d2013-04-19 14:30:58 +02001881 return( ret );
1882}
1883
1884int ssl_parse_certificate( ssl_context *ssl )
1885{
1886 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1887 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1888
1889 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1890
1891 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1892 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1893 {
1894 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1895 ssl->state++;
1896 return( 0 );
1897 }
1898
1899 return( ret );
1900}
1901#else
1902int ssl_write_certificate( ssl_context *ssl )
1903{
1904 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1905 size_t i, n;
1906 const x509_cert *crt;
1907 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
1908
1909 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1910
1911 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
1912 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
1913 {
1914 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1915 ssl->state++;
1916 return( 0 );
1917 }
1918
Paul Bakker5121ce52009-01-03 21:22:43 +00001919 if( ssl->endpoint == SSL_IS_CLIENT )
1920 {
1921 if( ssl->client_auth == 0 )
1922 {
1923 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1924 ssl->state++;
1925 return( 0 );
1926 }
1927
1928 /*
1929 * If using SSLv3 and got no cert, send an Alert message
1930 * (otherwise an empty Certificate message will be sent).
1931 */
1932 if( ssl->own_cert == NULL &&
1933 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1934 {
1935 ssl->out_msglen = 2;
1936 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001937 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1938 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +00001939
1940 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1941 goto write_msg;
1942 }
1943 }
1944 else /* SSL_IS_SERVER */
1945 {
1946 if( ssl->own_cert == NULL )
1947 {
1948 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001949 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00001950 }
1951 }
1952
1953 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1954
1955 /*
1956 * 0 . 0 handshake type
1957 * 1 . 3 handshake length
1958 * 4 . 6 length of all certs
1959 * 7 . 9 length of cert. 1
1960 * 10 . n-1 peer certificate
1961 * n . n+2 length of cert. 2
1962 * n+3 . ... upper level cert, etc.
1963 */
1964 i = 7;
1965 crt = ssl->own_cert;
1966
Paul Bakker29087132010-03-21 21:03:34 +00001967 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00001968 {
1969 n = crt->raw.len;
1970 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1971 {
1972 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1973 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001974 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001975 }
1976
1977 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1978 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1979 ssl->out_msg[i + 2] = (unsigned char)( n );
1980
1981 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1982 i += n; crt = crt->next;
1983 }
1984
1985 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1986 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1987 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1988
1989 ssl->out_msglen = i;
1990 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1991 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1992
1993write_msg:
1994
1995 ssl->state++;
1996
1997 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1998 {
1999 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2000 return( ret );
2001 }
2002
2003 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2004
Paul Bakkered27a042013-04-18 22:46:23 +02002005 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002006}
2007
2008int ssl_parse_certificate( ssl_context *ssl )
2009{
Paul Bakkered27a042013-04-18 22:46:23 +02002010 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker23986e52011-04-24 08:57:21 +00002011 size_t i, n;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002012 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002013
2014 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2015
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002016 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2017 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002018 {
2019 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2020 ssl->state++;
2021 return( 0 );
2022 }
2023
Paul Bakker5121ce52009-01-03 21:22:43 +00002024 if( ssl->endpoint == SSL_IS_SERVER &&
2025 ssl->authmode == SSL_VERIFY_NONE )
2026 {
Paul Bakkercdf07e92011-01-30 17:05:13 +00002027 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +00002028 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2029 ssl->state++;
2030 return( 0 );
2031 }
2032
2033 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2034 {
2035 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2036 return( ret );
2037 }
2038
2039 ssl->state++;
2040
2041 /*
2042 * Check if the client sent an empty certificate
2043 */
2044 if( ssl->endpoint == SSL_IS_SERVER &&
2045 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2046 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002047 if( ssl->in_msglen == 2 &&
2048 ssl->in_msgtype == SSL_MSG_ALERT &&
2049 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2050 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +00002051 {
2052 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2053
Paul Bakkercdf07e92011-01-30 17:05:13 +00002054 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002055 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2056 return( 0 );
2057 else
Paul Bakker40e46942009-01-03 21:51:57 +00002058 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002059 }
2060 }
2061
2062 if( ssl->endpoint == SSL_IS_SERVER &&
2063 ssl->minor_ver != SSL_MINOR_VERSION_0 )
2064 {
2065 if( ssl->in_hslen == 7 &&
2066 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2067 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2068 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2069 {
2070 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2071
Paul Bakkercdf07e92011-01-30 17:05:13 +00002072 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002073 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +00002074 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002075 else
2076 return( 0 );
2077 }
2078 }
2079
2080 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2081 {
2082 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002083 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002084 }
2085
2086 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2087 {
2088 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002089 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002090 }
2091
2092 /*
2093 * Same message structure as in ssl_write_certificate()
2094 */
2095 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2096
2097 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2098 {
2099 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002100 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002101 }
2102
Paul Bakker6e339b52013-07-03 13:37:05 +02002103 if( ( ssl->session_negotiate->peer_cert = (x509_cert *) polarssl_malloc(
Paul Bakker5121ce52009-01-03 21:22:43 +00002104 sizeof( x509_cert ) ) ) == NULL )
2105 {
2106 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2107 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +00002108 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002109 }
2110
Paul Bakker48916f92012-09-16 19:57:18 +00002111 memset( ssl->session_negotiate->peer_cert, 0, sizeof( x509_cert ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002112
2113 i = 7;
2114
2115 while( i < ssl->in_hslen )
2116 {
2117 if( ssl->in_msg[i] != 0 )
2118 {
2119 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002120 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002121 }
2122
2123 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2124 | (unsigned int) ssl->in_msg[i + 2];
2125 i += 3;
2126
2127 if( n < 128 || i + n > ssl->in_hslen )
2128 {
2129 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002130 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002131 }
2132
Paul Bakker89ecb2d2013-06-24 19:06:15 +02002133 ret = x509parse_crt_der( ssl->session_negotiate->peer_cert,
2134 ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00002135 if( ret != 0 )
2136 {
2137 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2138 return( ret );
2139 }
2140
2141 i += n;
2142 }
2143
Paul Bakker48916f92012-09-16 19:57:18 +00002144 SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +00002145
2146 if( ssl->authmode != SSL_VERIFY_NONE )
2147 {
2148 if( ssl->ca_chain == NULL )
2149 {
2150 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002151 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002152 }
2153
Paul Bakker48916f92012-09-16 19:57:18 +00002154 ret = x509parse_verify( ssl->session_negotiate->peer_cert,
2155 ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +00002156 ssl->peer_cn, &ssl->verify_result,
2157 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +00002158
2159 if( ret != 0 )
2160 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2161
2162 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2163 ret = 0;
2164 }
2165
2166 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2167
2168 return( ret );
2169}
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002170#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2171 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2172 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002173
2174int ssl_write_change_cipher_spec( ssl_context *ssl )
2175{
2176 int ret;
2177
2178 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2179
2180 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2181 ssl->out_msglen = 1;
2182 ssl->out_msg[0] = 1;
2183
Paul Bakker5121ce52009-01-03 21:22:43 +00002184 ssl->state++;
2185
2186 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2187 {
2188 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2189 return( ret );
2190 }
2191
2192 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2193
2194 return( 0 );
2195}
2196
2197int ssl_parse_change_cipher_spec( ssl_context *ssl )
2198{
2199 int ret;
2200
2201 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2202
Paul Bakker5121ce52009-01-03 21:22:43 +00002203 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2204 {
2205 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2206 return( ret );
2207 }
2208
2209 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2210 {
2211 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002212 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002213 }
2214
2215 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2216 {
2217 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002218 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +00002219 }
2220
2221 ssl->state++;
2222
2223 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2224
2225 return( 0 );
2226}
2227
Paul Bakker41c83d32013-03-20 14:39:14 +01002228void ssl_optimize_checksum( ssl_context *ssl,
2229 const ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +00002230{
Paul Bakker9e36f042013-06-30 14:34:05 +02002231#if !defined(POLARSSL_SHA512_C)
Paul Bakker769075d2012-11-24 11:26:46 +01002232 ((void) ciphersuite);
2233#endif
2234
Paul Bakker380da532012-04-18 16:10:25 +00002235 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakker48916f92012-09-16 19:57:18 +00002236 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
Paul Bakker9e36f042013-06-30 14:34:05 +02002237#if defined(POLARSSL_SHA512_C)
Paul Bakkerb7149bc2013-03-20 15:30:09 +01002238 else if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
Paul Bakker380da532012-04-18 16:10:25 +00002239 {
Paul Bakker48916f92012-09-16 19:57:18 +00002240 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
Paul Bakker380da532012-04-18 16:10:25 +00002241 }
Paul Bakker769075d2012-11-24 11:26:46 +01002242#endif
Paul Bakker380da532012-04-18 16:10:25 +00002243 else
Paul Bakker48916f92012-09-16 19:57:18 +00002244 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakker380da532012-04-18 16:10:25 +00002245}
Paul Bakkerf7abd422013-04-16 13:15:56 +02002246
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002247static void ssl_update_checksum_start( ssl_context *ssl,
2248 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002249{
Paul Bakker48916f92012-09-16 19:57:18 +00002250 md5_update( &ssl->handshake->fin_md5 , buf, len );
2251 sha1_update( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker9e36f042013-06-30 14:34:05 +02002252 sha256_update( &ssl->handshake->fin_sha256, buf, len );
2253#if defined(POLARSSL_SHA512_C)
2254 sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01002255#endif
Paul Bakker380da532012-04-18 16:10:25 +00002256}
2257
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002258static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2259 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002260{
Paul Bakker48916f92012-09-16 19:57:18 +00002261 md5_update( &ssl->handshake->fin_md5 , buf, len );
2262 sha1_update( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00002263}
2264
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002265static void ssl_update_checksum_sha256( ssl_context *ssl,
2266 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002267{
Paul Bakker9e36f042013-06-30 14:34:05 +02002268 sha256_update( &ssl->handshake->fin_sha256, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00002269}
2270
Paul Bakker9e36f042013-06-30 14:34:05 +02002271#if defined(POLARSSL_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002272static void ssl_update_checksum_sha384( ssl_context *ssl,
2273 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002274{
Paul Bakker9e36f042013-06-30 14:34:05 +02002275 sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00002276}
Paul Bakker769075d2012-11-24 11:26:46 +01002277#endif
Paul Bakker380da532012-04-18 16:10:25 +00002278
Paul Bakker1ef83d62012-04-11 12:09:53 +00002279static void ssl_calc_finished_ssl(
2280 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00002281{
Paul Bakker3c2122f2013-06-24 19:03:14 +02002282 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002283 md5_context md5;
2284 sha1_context sha1;
2285
Paul Bakker5121ce52009-01-03 21:22:43 +00002286 unsigned char padbuf[48];
2287 unsigned char md5sum[16];
2288 unsigned char sha1sum[20];
2289
Paul Bakker48916f92012-09-16 19:57:18 +00002290 ssl_session *session = ssl->session_negotiate;
2291 if( !session )
2292 session = ssl->session;
2293
Paul Bakker1ef83d62012-04-11 12:09:53 +00002294 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2295
Paul Bakker48916f92012-09-16 19:57:18 +00002296 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2297 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002298
2299 /*
2300 * SSLv3:
2301 * hash =
2302 * MD5( master + pad2 +
2303 * MD5( handshake + sender + master + pad1 ) )
2304 * + SHA1( master + pad2 +
2305 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00002306 */
2307
Paul Bakker90995b52013-06-24 19:20:35 +02002308#if !defined(POLARSSL_MD5_ALT)
Paul Bakker5121ce52009-01-03 21:22:43 +00002309 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002310 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002311#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002312
Paul Bakker90995b52013-06-24 19:20:35 +02002313#if !defined(POLARSSL_SHA1_ALT)
Paul Bakker5121ce52009-01-03 21:22:43 +00002314 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002315 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002316#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002317
Paul Bakker3c2122f2013-06-24 19:03:14 +02002318 sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2319 : "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +00002320
Paul Bakker1ef83d62012-04-11 12:09:53 +00002321 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002322
Paul Bakker3c2122f2013-06-24 19:03:14 +02002323 md5_update( &md5, (const unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +00002324 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002325 md5_update( &md5, padbuf, 48 );
2326 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00002327
Paul Bakker3c2122f2013-06-24 19:03:14 +02002328 sha1_update( &sha1, (const unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +00002329 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002330 sha1_update( &sha1, padbuf, 40 );
2331 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00002332
Paul Bakker1ef83d62012-04-11 12:09:53 +00002333 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002334
Paul Bakker1ef83d62012-04-11 12:09:53 +00002335 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +00002336 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002337 md5_update( &md5, padbuf, 48 );
2338 md5_update( &md5, md5sum, 16 );
2339 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00002340
Paul Bakker1ef83d62012-04-11 12:09:53 +00002341 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +00002342 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002343 sha1_update( &sha1, padbuf , 40 );
2344 sha1_update( &sha1, sha1sum, 20 );
2345 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002346
Paul Bakker1ef83d62012-04-11 12:09:53 +00002347 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002348
Paul Bakker1ef83d62012-04-11 12:09:53 +00002349 memset( &md5, 0, sizeof( md5_context ) );
2350 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002351
2352 memset( padbuf, 0, sizeof( padbuf ) );
2353 memset( md5sum, 0, sizeof( md5sum ) );
2354 memset( sha1sum, 0, sizeof( sha1sum ) );
2355
2356 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2357}
2358
Paul Bakker1ef83d62012-04-11 12:09:53 +00002359static void ssl_calc_finished_tls(
2360 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00002361{
Paul Bakker1ef83d62012-04-11 12:09:53 +00002362 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002363 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002364 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +00002365 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002366 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +00002367
Paul Bakker48916f92012-09-16 19:57:18 +00002368 ssl_session *session = ssl->session_negotiate;
2369 if( !session )
2370 session = ssl->session;
2371
Paul Bakker1ef83d62012-04-11 12:09:53 +00002372 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002373
Paul Bakker48916f92012-09-16 19:57:18 +00002374 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2375 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002376
Paul Bakker1ef83d62012-04-11 12:09:53 +00002377 /*
2378 * TLSv1:
2379 * hash = PRF( master, finished_label,
2380 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2381 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002382
Paul Bakker90995b52013-06-24 19:20:35 +02002383#if !defined(POLARSSL_MD5_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002384 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2385 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002386#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002387
Paul Bakker90995b52013-06-24 19:20:35 +02002388#if !defined(POLARSSL_SHA1_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002389 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2390 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002391#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002392
2393 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02002394 ? "client finished"
2395 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00002396
2397 md5_finish( &md5, padbuf );
2398 sha1_finish( &sha1, padbuf + 16 );
2399
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002400 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002401 padbuf, 36, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002402
2403 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2404
2405 memset( &md5, 0, sizeof( md5_context ) );
2406 memset( &sha1, 0, sizeof( sha1_context ) );
2407
2408 memset( padbuf, 0, sizeof( padbuf ) );
2409
2410 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2411}
2412
Paul Bakkerca4ab492012-04-18 14:23:57 +00002413static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +00002414 ssl_context *ssl, unsigned char *buf, int from )
2415{
2416 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002417 const char *sender;
Paul Bakker9e36f042013-06-30 14:34:05 +02002418 sha256_context sha256;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002419 unsigned char padbuf[32];
2420
Paul Bakker48916f92012-09-16 19:57:18 +00002421 ssl_session *session = ssl->session_negotiate;
2422 if( !session )
2423 session = ssl->session;
2424
Paul Bakker380da532012-04-18 16:10:25 +00002425 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002426
Paul Bakker9e36f042013-06-30 14:34:05 +02002427 memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002428
2429 /*
2430 * TLSv1.2:
2431 * hash = PRF( master, finished_label,
2432 * Hash( handshake ) )[0.11]
2433 */
2434
Paul Bakker9e36f042013-06-30 14:34:05 +02002435#if !defined(POLARSSL_SHA256_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00002436 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Paul Bakker9e36f042013-06-30 14:34:05 +02002437 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002438#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00002439
2440 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02002441 ? "client finished"
2442 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00002443
Paul Bakker9e36f042013-06-30 14:34:05 +02002444 sha256_finish( &sha256, padbuf );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002445
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002446 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002447 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002448
2449 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2450
Paul Bakker9e36f042013-06-30 14:34:05 +02002451 memset( &sha256, 0, sizeof( sha256_context ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002452
2453 memset( padbuf, 0, sizeof( padbuf ) );
2454
2455 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2456}
2457
Paul Bakker9e36f042013-06-30 14:34:05 +02002458#if defined(POLARSSL_SHA512_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00002459static void ssl_calc_finished_tls_sha384(
2460 ssl_context *ssl, unsigned char *buf, int from )
2461{
2462 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02002463 const char *sender;
Paul Bakker9e36f042013-06-30 14:34:05 +02002464 sha512_context sha512;
Paul Bakkerca4ab492012-04-18 14:23:57 +00002465 unsigned char padbuf[48];
2466
Paul Bakker48916f92012-09-16 19:57:18 +00002467 ssl_session *session = ssl->session_negotiate;
2468 if( !session )
2469 session = ssl->session;
2470
Paul Bakker380da532012-04-18 16:10:25 +00002471 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002472
Paul Bakker9e36f042013-06-30 14:34:05 +02002473 memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002474
2475 /*
2476 * TLSv1.2:
2477 * hash = PRF( master, finished_label,
2478 * Hash( handshake ) )[0.11]
2479 */
2480
Paul Bakker9e36f042013-06-30 14:34:05 +02002481#if !defined(POLARSSL_SHA512_ALT)
2482 SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
2483 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02002484#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002485
2486 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02002487 ? "client finished"
2488 : "server finished";
Paul Bakkerca4ab492012-04-18 14:23:57 +00002489
Paul Bakker9e36f042013-06-30 14:34:05 +02002490 sha512_finish( &sha512, padbuf );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002491
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002492 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00002493 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002494
2495 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2496
Paul Bakker9e36f042013-06-30 14:34:05 +02002497 memset( &sha512, 0, sizeof( sha512_context ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00002498
2499 memset( padbuf, 0, sizeof( padbuf ) );
2500
2501 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2502}
Paul Bakker769075d2012-11-24 11:26:46 +01002503#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00002504
Paul Bakker48916f92012-09-16 19:57:18 +00002505void ssl_handshake_wrapup( ssl_context *ssl )
2506{
2507 SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
2508
2509 /*
2510 * Free our handshake params
2511 */
2512 ssl_handshake_free( ssl->handshake );
Paul Bakker6e339b52013-07-03 13:37:05 +02002513 polarssl_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +00002514 ssl->handshake = NULL;
2515
2516 /*
2517 * Switch in our now active transform context
2518 */
2519 if( ssl->transform )
2520 {
2521 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02002522 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00002523 }
2524 ssl->transform = ssl->transform_negotiate;
2525 ssl->transform_negotiate = NULL;
2526
Paul Bakker0a597072012-09-25 21:55:46 +00002527 if( ssl->session )
2528 {
2529 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02002530 polarssl_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +00002531 }
2532 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00002533 ssl->session_negotiate = NULL;
2534
Paul Bakker0a597072012-09-25 21:55:46 +00002535 /*
2536 * Add cache entry
2537 */
2538 if( ssl->f_set_cache != NULL )
2539 if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
2540 SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
2541
Paul Bakker48916f92012-09-16 19:57:18 +00002542 ssl->state++;
2543
2544 SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
2545}
2546
Paul Bakker1ef83d62012-04-11 12:09:53 +00002547int ssl_write_finished( ssl_context *ssl )
2548{
2549 int ret, hash_len;
2550
2551 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2552
Paul Bakker92be97b2013-01-02 17:30:03 +01002553 /*
2554 * Set the out_msg pointer to the correct location based on IV length
2555 */
2556 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
2557 {
2558 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
2559 ssl->transform_negotiate->fixed_ivlen;
2560 }
2561 else
2562 ssl->out_msg = ssl->out_iv;
2563
Paul Bakker48916f92012-09-16 19:57:18 +00002564 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002565
2566 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +00002567 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2568
Paul Bakker48916f92012-09-16 19:57:18 +00002569 ssl->verify_data_len = hash_len;
2570 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
2571
Paul Bakker5121ce52009-01-03 21:22:43 +00002572 ssl->out_msglen = 4 + hash_len;
2573 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2574 ssl->out_msg[0] = SSL_HS_FINISHED;
2575
2576 /*
2577 * In case of session resuming, invert the client and server
2578 * ChangeCipherSpec messages order.
2579 */
Paul Bakker0a597072012-09-25 21:55:46 +00002580 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002581 {
2582 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker48916f92012-09-16 19:57:18 +00002583 ssl->state = SSL_HANDSHAKE_WRAPUP;
Paul Bakker5121ce52009-01-03 21:22:43 +00002584 else
2585 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2586 }
2587 else
2588 ssl->state++;
2589
Paul Bakker48916f92012-09-16 19:57:18 +00002590 /*
2591 * Switch to our negotiated transform and session parameters for outbound data.
2592 */
2593 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
2594 ssl->transform_out = ssl->transform_negotiate;
2595 ssl->session_out = ssl->session_negotiate;
2596 memset( ssl->out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002597
Paul Bakker07eb38b2012-12-19 14:42:06 +01002598#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2599 if( ssl_hw_record_activate != NULL)
2600 {
2601 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
2602 {
2603 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
2604 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2605 }
2606 }
2607#endif
2608
Paul Bakker5121ce52009-01-03 21:22:43 +00002609 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2610 {
2611 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2612 return( ret );
2613 }
2614
2615 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2616
2617 return( 0 );
2618}
2619
2620int ssl_parse_finished( ssl_context *ssl )
2621{
Paul Bakker23986e52011-04-24 08:57:21 +00002622 int ret;
2623 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00002624 unsigned char buf[36];
2625
2626 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2627
Paul Bakker48916f92012-09-16 19:57:18 +00002628 ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002629
Paul Bakker48916f92012-09-16 19:57:18 +00002630 /*
2631 * Switch to our negotiated transform and session parameters for inbound data.
2632 */
2633 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
2634 ssl->transform_in = ssl->transform_negotiate;
2635 ssl->session_in = ssl->session_negotiate;
2636 memset( ssl->in_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002637
Paul Bakker92be97b2013-01-02 17:30:03 +01002638 /*
2639 * Set the in_msg pointer to the correct location based on IV length
2640 */
2641 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
2642 {
2643 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
2644 ssl->transform_negotiate->fixed_ivlen;
2645 }
2646 else
2647 ssl->in_msg = ssl->in_iv;
2648
Paul Bakker07eb38b2012-12-19 14:42:06 +01002649#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2650 if( ssl_hw_record_activate != NULL)
2651 {
2652 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
2653 {
2654 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
2655 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2656 }
2657 }
2658#endif
2659
Paul Bakker5121ce52009-01-03 21:22:43 +00002660 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2661 {
2662 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2663 return( ret );
2664 }
2665
2666 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2667 {
2668 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002669 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002670 }
2671
Paul Bakker1ef83d62012-04-11 12:09:53 +00002672 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +00002673 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2674
2675 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2676 ssl->in_hslen != 4 + hash_len )
2677 {
2678 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002679 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002680 }
2681
Paul Bakker5121ce52009-01-03 21:22:43 +00002682 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2683 {
2684 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002685 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002686 }
2687
Paul Bakker48916f92012-09-16 19:57:18 +00002688 ssl->verify_data_len = hash_len;
2689 memcpy( ssl->peer_verify_data, buf, hash_len );
2690
Paul Bakker0a597072012-09-25 21:55:46 +00002691 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002692 {
2693 if( ssl->endpoint == SSL_IS_CLIENT )
2694 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2695
2696 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker48916f92012-09-16 19:57:18 +00002697 ssl->state = SSL_HANDSHAKE_WRAPUP;
Paul Bakker5121ce52009-01-03 21:22:43 +00002698 }
2699 else
2700 ssl->state++;
2701
2702 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2703
2704 return( 0 );
2705}
2706
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002707static int ssl_handshake_init( ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00002708{
2709 if( ssl->transform_negotiate )
2710 ssl_transform_free( ssl->transform_negotiate );
2711 else
Paul Bakker6e339b52013-07-03 13:37:05 +02002712 ssl->transform_negotiate = polarssl_malloc( sizeof(ssl_transform) );
Paul Bakker48916f92012-09-16 19:57:18 +00002713
2714 if( ssl->session_negotiate )
2715 ssl_session_free( ssl->session_negotiate );
2716 else
Paul Bakker6e339b52013-07-03 13:37:05 +02002717 ssl->session_negotiate = polarssl_malloc( sizeof(ssl_session) );
Paul Bakker48916f92012-09-16 19:57:18 +00002718
2719 if( ssl->handshake )
2720 ssl_handshake_free( ssl->handshake );
2721 else
Paul Bakker6e339b52013-07-03 13:37:05 +02002722 ssl->handshake = polarssl_malloc( sizeof(ssl_handshake_params) );
Paul Bakker48916f92012-09-16 19:57:18 +00002723
2724 if( ssl->handshake == NULL ||
2725 ssl->transform_negotiate == NULL ||
2726 ssl->session_negotiate == NULL )
2727 {
2728 SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
2729 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2730 }
2731
2732 memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
2733 memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
2734 memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
2735
2736 md5_starts( &ssl->handshake->fin_md5 );
2737 sha1_starts( &ssl->handshake->fin_sha1 );
Paul Bakker9e36f042013-06-30 14:34:05 +02002738 sha256_starts( &ssl->handshake->fin_sha256, 0 );
2739#if defined(POLARSSL_SHA512_C)
2740 sha512_starts( &ssl->handshake->fin_sha512, 1 );
Paul Bakker769075d2012-11-24 11:26:46 +01002741#endif
Paul Bakker48916f92012-09-16 19:57:18 +00002742
2743 ssl->handshake->update_checksum = ssl_update_checksum_start;
Paul Bakker23f36802012-09-28 14:15:14 +00002744 ssl->handshake->sig_alg = SSL_HASH_SHA1;
Paul Bakkerf7abd422013-04-16 13:15:56 +02002745
Paul Bakker48916f92012-09-16 19:57:18 +00002746 return( 0 );
2747}
2748
Paul Bakker5121ce52009-01-03 21:22:43 +00002749/*
2750 * Initialize an SSL context
2751 */
2752int ssl_init( ssl_context *ssl )
2753{
Paul Bakker48916f92012-09-16 19:57:18 +00002754 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00002755 int len = SSL_BUFFER_LEN;
2756
2757 memset( ssl, 0, sizeof( ssl_context ) );
2758
Paul Bakker62f2dee2012-09-28 07:31:51 +00002759 /*
2760 * Sane defaults
2761 */
Paul Bakkered27a042013-04-18 22:46:23 +02002762#if defined(POLARSSL_RSA_C)
Paul Bakkereb2c6582012-09-27 19:15:01 +00002763 ssl->rsa_decrypt = ssl_rsa_decrypt;
2764 ssl->rsa_sign = ssl_rsa_sign;
2765 ssl->rsa_key_len = ssl_rsa_key_len;
Paul Bakkered27a042013-04-18 22:46:23 +02002766#endif
Paul Bakkereb2c6582012-09-27 19:15:01 +00002767
Paul Bakker1d29fb52012-09-28 13:28:45 +00002768 ssl->min_major_ver = SSL_MAJOR_VERSION_3;
2769 ssl->min_minor_ver = SSL_MINOR_VERSION_0;
Paul Bakker2fbefde2013-06-29 16:01:15 +02002770 ssl->max_major_ver = SSL_MAJOR_VERSION_3;
2771 ssl->max_minor_ver = SSL_MINOR_VERSION_3;
Paul Bakker1d29fb52012-09-28 13:28:45 +00002772
Paul Bakker8f4ddae2013-04-15 15:09:54 +02002773 ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
Paul Bakker645ce3a2012-10-31 12:32:41 +00002774
Paul Bakker62f2dee2012-09-28 07:31:51 +00002775#if defined(POLARSSL_DHM_C)
2776 if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
2777 POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
2778 ( ret = mpi_read_string( &ssl->dhm_G, 16,
2779 POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
2780 {
2781 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2782 return( ret );
2783 }
2784#endif
2785
2786 /*
2787 * Prepare base structures
2788 */
Paul Bakker6e339b52013-07-03 13:37:05 +02002789 ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
Paul Bakker5121ce52009-01-03 21:22:43 +00002790 ssl->in_hdr = ssl->in_ctr + 8;
Paul Bakker92be97b2013-01-02 17:30:03 +01002791 ssl->in_iv = ssl->in_ctr + 13;
Paul Bakker5121ce52009-01-03 21:22:43 +00002792 ssl->in_msg = ssl->in_ctr + 13;
2793
2794 if( ssl->in_ctr == NULL )
2795 {
2796 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +00002797 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002798 }
2799
Paul Bakker6e339b52013-07-03 13:37:05 +02002800 ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
Paul Bakker5121ce52009-01-03 21:22:43 +00002801 ssl->out_hdr = ssl->out_ctr + 8;
Paul Bakker92be97b2013-01-02 17:30:03 +01002802 ssl->out_iv = ssl->out_ctr + 13;
Paul Bakker5bd42292012-12-19 14:40:42 +01002803 ssl->out_msg = ssl->out_ctr + 13;
Paul Bakker5121ce52009-01-03 21:22:43 +00002804
2805 if( ssl->out_ctr == NULL )
2806 {
2807 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker6e339b52013-07-03 13:37:05 +02002808 polarssl_free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +00002809 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002810 }
2811
2812 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2813 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2814
2815 ssl->hostname = NULL;
2816 ssl->hostname_len = 0;
2817
Paul Bakker48916f92012-09-16 19:57:18 +00002818 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
2819 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002820
2821 return( 0 );
2822}
2823
2824/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00002825 * Reset an initialized and used SSL context for re-use while retaining
2826 * all application-set variables, function pointers and data.
2827 */
Paul Bakker2770fbd2012-07-03 13:30:23 +00002828int ssl_session_reset( ssl_context *ssl )
Paul Bakker7eb013f2011-10-06 12:37:39 +00002829{
Paul Bakker48916f92012-09-16 19:57:18 +00002830 int ret;
2831
Paul Bakker7eb013f2011-10-06 12:37:39 +00002832 ssl->state = SSL_HELLO_REQUEST;
Paul Bakker48916f92012-09-16 19:57:18 +00002833 ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
2834 ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
2835
2836 ssl->verify_data_len = 0;
2837 memset( ssl->own_verify_data, 0, 36 );
2838 memset( ssl->peer_verify_data, 0, 36 );
2839
Paul Bakker7eb013f2011-10-06 12:37:39 +00002840 ssl->in_offt = NULL;
2841
Paul Bakker92be97b2013-01-02 17:30:03 +01002842 ssl->in_msg = ssl->in_ctr + 13;
Paul Bakker7eb013f2011-10-06 12:37:39 +00002843 ssl->in_msgtype = 0;
2844 ssl->in_msglen = 0;
2845 ssl->in_left = 0;
2846
2847 ssl->in_hslen = 0;
2848 ssl->nb_zero = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002849 ssl->record_read = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00002850
Paul Bakker92be97b2013-01-02 17:30:03 +01002851 ssl->out_msg = ssl->out_ctr + 13;
Paul Bakker7eb013f2011-10-06 12:37:39 +00002852 ssl->out_msgtype = 0;
2853 ssl->out_msglen = 0;
2854 ssl->out_left = 0;
2855
Paul Bakker48916f92012-09-16 19:57:18 +00002856 ssl->transform_in = NULL;
2857 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +00002858
2859 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2860 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
Paul Bakker05ef8352012-05-08 09:17:57 +00002861
2862#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2863 if( ssl_hw_record_reset != NULL)
2864 {
2865 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
Paul Bakker07eb38b2012-12-19 14:42:06 +01002866 if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002867 {
2868 SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
2869 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2870 }
Paul Bakker05ef8352012-05-08 09:17:57 +00002871 }
2872#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +00002873
Paul Bakker48916f92012-09-16 19:57:18 +00002874 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002875 {
Paul Bakker48916f92012-09-16 19:57:18 +00002876 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02002877 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00002878 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +00002879 }
Paul Bakker48916f92012-09-16 19:57:18 +00002880
Paul Bakkerc0463502013-02-14 11:19:38 +01002881 if( ssl->session )
2882 {
2883 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02002884 polarssl_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01002885 ssl->session = NULL;
2886 }
2887
Paul Bakker48916f92012-09-16 19:57:18 +00002888 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
2889 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002890
2891 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +00002892}
2893
2894/*
Paul Bakker5121ce52009-01-03 21:22:43 +00002895 * SSL set accessors
2896 */
2897void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2898{
2899 ssl->endpoint = endpoint;
2900}
2901
2902void ssl_set_authmode( ssl_context *ssl, int authmode )
2903{
2904 ssl->authmode = authmode;
2905}
2906
Paul Bakkered27a042013-04-18 22:46:23 +02002907#if defined(POLARSSL_X509_PARSE_C)
Paul Bakkerb63b0af2011-01-13 17:54:59 +00002908void ssl_set_verify( ssl_context *ssl,
Paul Bakker915275b2012-09-28 07:10:55 +00002909 int (*f_vrfy)(void *, x509_cert *, int, int *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +00002910 void *p_vrfy )
2911{
2912 ssl->f_vrfy = f_vrfy;
2913 ssl->p_vrfy = p_vrfy;
2914}
Paul Bakkered27a042013-04-18 22:46:23 +02002915#endif /* POLARSSL_X509_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00002916
Paul Bakker5121ce52009-01-03 21:22:43 +00002917void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +00002918 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +00002919 void *p_rng )
2920{
2921 ssl->f_rng = f_rng;
2922 ssl->p_rng = p_rng;
2923}
2924
2925void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +00002926 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +00002927 void *p_dbg )
2928{
2929 ssl->f_dbg = f_dbg;
2930 ssl->p_dbg = p_dbg;
2931}
2932
2933void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +00002934 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +00002935 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +00002936{
2937 ssl->f_recv = f_recv;
2938 ssl->f_send = f_send;
2939 ssl->p_recv = p_recv;
2940 ssl->p_send = p_send;
2941}
2942
Paul Bakker0a597072012-09-25 21:55:46 +00002943void ssl_set_session_cache( ssl_context *ssl,
2944 int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
2945 int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
Paul Bakker5121ce52009-01-03 21:22:43 +00002946{
Paul Bakker0a597072012-09-25 21:55:46 +00002947 ssl->f_get_cache = f_get_cache;
2948 ssl->p_get_cache = p_get_cache;
2949 ssl->f_set_cache = f_set_cache;
2950 ssl->p_set_cache = p_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00002951}
2952
Paul Bakker0a597072012-09-25 21:55:46 +00002953void ssl_set_session( ssl_context *ssl, const ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +00002954{
Paul Bakker0a597072012-09-25 21:55:46 +00002955 memcpy( ssl->session_negotiate, session, sizeof(ssl_session) );
2956 ssl->handshake->resume = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +00002957}
2958
Paul Bakkerb68cad62012-08-23 08:34:18 +00002959void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +00002960{
Paul Bakker8f4ddae2013-04-15 15:09:54 +02002961 ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
2962 ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
2963 ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
2964 ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
2965}
2966
2967void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
2968 int major, int minor )
2969{
2970 if( major != SSL_MAJOR_VERSION_3 )
2971 return;
2972
2973 if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
2974 return;
2975
2976 ssl->ciphersuite_list[minor] = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00002977}
2978
Paul Bakkered27a042013-04-18 22:46:23 +02002979#if defined(POLARSSL_X509_PARSE_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00002980void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +00002981 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +00002982{
2983 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +00002984 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +00002985 ssl->peer_cn = peer_cn;
2986}
2987
2988void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2989 rsa_context *rsa_key )
2990{
2991 ssl->own_cert = own_cert;
2992 ssl->rsa_key = rsa_key;
2993}
2994
Paul Bakkereb2c6582012-09-27 19:15:01 +00002995void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
2996 void *rsa_key,
2997 rsa_decrypt_func rsa_decrypt,
2998 rsa_sign_func rsa_sign,
2999 rsa_key_len_func rsa_key_len )
Paul Bakker43b7e352011-01-18 15:27:19 +00003000{
3001 ssl->own_cert = own_cert;
Paul Bakkereb2c6582012-09-27 19:15:01 +00003002 ssl->rsa_key = rsa_key;
3003 ssl->rsa_decrypt = rsa_decrypt;
3004 ssl->rsa_sign = rsa_sign;
3005 ssl->rsa_key_len = rsa_key_len;
Paul Bakker43b7e352011-01-18 15:27:19 +00003006}
Paul Bakkered27a042013-04-18 22:46:23 +02003007#endif /* POLARSSL_X509_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00003008
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003009#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
3010void ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3011 const unsigned char *psk_identity, size_t psk_identity_len )
3012{
3013 ssl->psk = psk;
3014 ssl->psk_len = psk_len;
3015 ssl->psk_identity = psk_identity;
3016 ssl->psk_identity_len = psk_identity_len;
3017}
3018#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +00003019
Paul Bakker48916f92012-09-16 19:57:18 +00003020#if defined(POLARSSL_DHM_C)
Paul Bakkerff60ee62010-03-16 21:09:09 +00003021int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +00003022{
3023 int ret;
3024
Paul Bakker48916f92012-09-16 19:57:18 +00003025 if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003026 {
3027 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3028 return( ret );
3029 }
3030
Paul Bakker48916f92012-09-16 19:57:18 +00003031 if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003032 {
3033 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3034 return( ret );
3035 }
3036
3037 return( 0 );
3038}
3039
Paul Bakker1b57b062011-01-06 15:48:19 +00003040int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3041{
3042 int ret;
3043
Paul Bakker48916f92012-09-16 19:57:18 +00003044 if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +00003045 {
3046 SSL_DEBUG_RET( 1, "mpi_copy", ret );
3047 return( ret );
3048 }
3049
Paul Bakker48916f92012-09-16 19:57:18 +00003050 if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +00003051 {
3052 SSL_DEBUG_RET( 1, "mpi_copy", ret );
3053 return( ret );
3054 }
3055
3056 return( 0 );
3057}
Paul Bakker48916f92012-09-16 19:57:18 +00003058#endif /* POLARSSL_DHM_C */
Paul Bakker1b57b062011-01-06 15:48:19 +00003059
Paul Bakkerff60ee62010-03-16 21:09:09 +00003060int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +00003061{
3062 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +00003063 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00003064
3065 ssl->hostname_len = strlen( hostname );
Paul Bakker6e339b52013-07-03 13:37:05 +02003066 ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003067
Paul Bakkerb15b8512012-01-13 13:44:06 +00003068 if( ssl->hostname == NULL )
3069 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3070
Paul Bakker3c2122f2013-06-24 19:03:14 +02003071 memcpy( ssl->hostname, (const unsigned char *) hostname,
Paul Bakker5121ce52009-01-03 21:22:43 +00003072 ssl->hostname_len );
Paul Bakkerf7abd422013-04-16 13:15:56 +02003073
Paul Bakker40ea7de2009-05-03 10:18:48 +00003074 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +00003075
3076 return( 0 );
3077}
3078
Paul Bakker5701cdc2012-09-27 21:49:42 +00003079void ssl_set_sni( ssl_context *ssl,
3080 int (*f_sni)(void *, ssl_context *,
3081 const unsigned char *, size_t),
3082 void *p_sni )
3083{
3084 ssl->f_sni = f_sni;
3085 ssl->p_sni = p_sni;
3086}
3087
Paul Bakker490ecc82011-10-06 13:04:09 +00003088void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3089{
3090 ssl->max_major_ver = major;
3091 ssl->max_minor_ver = minor;
3092}
3093
Paul Bakker1d29fb52012-09-28 13:28:45 +00003094void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3095{
3096 ssl->min_major_ver = major;
3097 ssl->min_minor_ver = minor;
3098}
3099
Paul Bakker48916f92012-09-16 19:57:18 +00003100void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3101{
3102 ssl->disable_renegotiation = renegotiation;
3103}
3104
3105void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3106{
3107 ssl->allow_legacy_renegotiation = allow_legacy;
3108}
3109
Paul Bakker5121ce52009-01-03 21:22:43 +00003110/*
3111 * SSL get accessors
3112 */
Paul Bakker23986e52011-04-24 08:57:21 +00003113size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003114{
3115 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3116}
3117
Paul Bakkerff60ee62010-03-16 21:09:09 +00003118int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003119{
3120 return( ssl->verify_result );
3121}
3122
Paul Bakkere3166ce2011-01-27 17:40:50 +00003123const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +00003124{
Paul Bakker926c8e42013-03-06 10:23:34 +01003125 if( ssl == NULL || ssl->session == NULL )
3126 return NULL;
3127
Paul Bakkere3166ce2011-01-27 17:40:50 +00003128 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +00003129}
3130
Paul Bakker43ca69c2011-01-15 17:35:19 +00003131const char *ssl_get_version( const ssl_context *ssl )
3132{
3133 switch( ssl->minor_ver )
3134 {
3135 case SSL_MINOR_VERSION_0:
3136 return( "SSLv3.0" );
3137
3138 case SSL_MINOR_VERSION_1:
3139 return( "TLSv1.0" );
3140
3141 case SSL_MINOR_VERSION_2:
3142 return( "TLSv1.1" );
3143
Paul Bakker1ef83d62012-04-11 12:09:53 +00003144 case SSL_MINOR_VERSION_3:
3145 return( "TLSv1.2" );
3146
Paul Bakker43ca69c2011-01-15 17:35:19 +00003147 default:
3148 break;
3149 }
3150 return( "unknown" );
3151}
3152
Paul Bakkered27a042013-04-18 22:46:23 +02003153#if defined(POLARSSL_X509_PARSE_C)
Paul Bakkerb0550d92012-10-30 07:51:03 +00003154const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
3155{
3156 if( ssl == NULL || ssl->session == NULL )
3157 return NULL;
3158
3159 return ssl->session->peer_cert;
3160}
Paul Bakkered27a042013-04-18 22:46:23 +02003161#endif /* POLARSSL_X509_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00003162
Paul Bakker5121ce52009-01-03 21:22:43 +00003163/*
Paul Bakker1961b702013-01-25 14:49:24 +01003164 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00003165 */
Paul Bakker1961b702013-01-25 14:49:24 +01003166int ssl_handshake_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003167{
Paul Bakker40e46942009-01-03 21:51:57 +00003168 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +00003169
Paul Bakker40e46942009-01-03 21:51:57 +00003170#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003171 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker1961b702013-01-25 14:49:24 +01003172 ret = ssl_handshake_client_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00003173#endif
3174
Paul Bakker40e46942009-01-03 21:51:57 +00003175#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003176 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker1961b702013-01-25 14:49:24 +01003177 ret = ssl_handshake_server_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00003178#endif
3179
Paul Bakker1961b702013-01-25 14:49:24 +01003180 return( ret );
3181}
3182
3183/*
3184 * Perform the SSL handshake
3185 */
3186int ssl_handshake( ssl_context *ssl )
3187{
3188 int ret = 0;
3189
3190 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3191
3192 while( ssl->state != SSL_HANDSHAKE_OVER )
3193 {
3194 ret = ssl_handshake_step( ssl );
3195
3196 if( ret != 0 )
3197 break;
3198 }
3199
Paul Bakker5121ce52009-01-03 21:22:43 +00003200 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3201
3202 return( ret );
3203}
3204
3205/*
Paul Bakker48916f92012-09-16 19:57:18 +00003206 * Renegotiate current connection
3207 */
3208int ssl_renegotiate( ssl_context *ssl )
3209{
3210 int ret;
3211
3212 SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
3213
3214 if( ssl->state != SSL_HANDSHAKE_OVER )
3215 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3216
3217 ssl->state = SSL_HELLO_REQUEST;
3218 ssl->renegotiation = SSL_RENEGOTIATION;
3219
3220 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3221 return( ret );
3222
3223 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3224 {
3225 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3226 return( ret );
3227 }
3228
3229 SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
3230
3231 return( 0 );
3232}
3233
3234/*
Paul Bakker5121ce52009-01-03 21:22:43 +00003235 * Receive application data decrypted from the SSL layer
3236 */
Paul Bakker23986e52011-04-24 08:57:21 +00003237int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00003238{
Paul Bakker23986e52011-04-24 08:57:21 +00003239 int ret;
3240 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +00003241
3242 SSL_DEBUG_MSG( 2, ( "=> read" ) );
3243
3244 if( ssl->state != SSL_HANDSHAKE_OVER )
3245 {
3246 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3247 {
3248 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3249 return( ret );
3250 }
3251 }
3252
3253 if( ssl->in_offt == NULL )
3254 {
3255 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3256 {
Paul Bakker831a7552011-05-18 13:32:51 +00003257 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3258 return( 0 );
3259
Paul Bakker5121ce52009-01-03 21:22:43 +00003260 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3261 return( ret );
3262 }
3263
3264 if( ssl->in_msglen == 0 &&
3265 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3266 {
3267 /*
3268 * OpenSSL sends empty messages to randomize the IV
3269 */
3270 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3271 {
Paul Bakker831a7552011-05-18 13:32:51 +00003272 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3273 return( 0 );
3274
Paul Bakker5121ce52009-01-03 21:22:43 +00003275 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3276 return( ret );
3277 }
3278 }
3279
Paul Bakker48916f92012-09-16 19:57:18 +00003280 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
3281 {
3282 SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
3283
3284 if( ssl->endpoint == SSL_IS_CLIENT &&
3285 ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
3286 ssl->in_hslen != 4 ) )
3287 {
3288 SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
3289 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
3290 }
3291
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00003292 if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
3293 ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
3294 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) )
Paul Bakker48916f92012-09-16 19:57:18 +00003295 {
3296 SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
3297
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00003298 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +00003299 {
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00003300 /*
3301 * SSLv3 does not have a "no_renegotiation" alert
3302 */
3303 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
3304 return( ret );
3305 }
3306 else
3307 {
3308 if( ( ret = ssl_send_alert_message( ssl,
3309 SSL_ALERT_LEVEL_WARNING,
3310 SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
3311 {
3312 return( ret );
3313 }
Paul Bakker48916f92012-09-16 19:57:18 +00003314 }
3315 }
3316 else
3317 {
3318 if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
3319 {
3320 SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
3321 return( ret );
3322 }
3323
3324 return( POLARSSL_ERR_NET_WANT_READ );
3325 }
3326 }
3327 else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +00003328 {
3329 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003330 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00003331 }
3332
3333 ssl->in_offt = ssl->in_msg;
3334 }
3335
3336 n = ( len < ssl->in_msglen )
3337 ? len : ssl->in_msglen;
3338
3339 memcpy( buf, ssl->in_offt, n );
3340 ssl->in_msglen -= n;
3341
3342 if( ssl->in_msglen == 0 )
3343 /* all bytes consumed */
3344 ssl->in_offt = NULL;
3345 else
3346 /* more data available */
3347 ssl->in_offt += n;
3348
3349 SSL_DEBUG_MSG( 2, ( "<= read" ) );
3350
Paul Bakker23986e52011-04-24 08:57:21 +00003351 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00003352}
3353
3354/*
3355 * Send application data to be encrypted by the SSL layer
3356 */
Paul Bakker23986e52011-04-24 08:57:21 +00003357int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00003358{
Paul Bakker23986e52011-04-24 08:57:21 +00003359 int ret;
3360 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +00003361
3362 SSL_DEBUG_MSG( 2, ( "=> write" ) );
3363
3364 if( ssl->state != SSL_HANDSHAKE_OVER )
3365 {
3366 if( ( ret = ssl_handshake( ssl ) ) != 0 )
3367 {
3368 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3369 return( ret );
3370 }
3371 }
3372
Paul Bakker887bd502011-06-08 13:10:54 +00003373 n = ( len < SSL_MAX_CONTENT_LEN )
3374 ? len : SSL_MAX_CONTENT_LEN;
3375
Paul Bakker5121ce52009-01-03 21:22:43 +00003376 if( ssl->out_left != 0 )
3377 {
3378 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3379 {
3380 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3381 return( ret );
3382 }
3383 }
Paul Bakker887bd502011-06-08 13:10:54 +00003384 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +00003385 {
Paul Bakker887bd502011-06-08 13:10:54 +00003386 ssl->out_msglen = n;
3387 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3388 memcpy( ssl->out_msg, buf, n );
3389
3390 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3391 {
3392 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3393 return( ret );
3394 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003395 }
3396
3397 SSL_DEBUG_MSG( 2, ( "<= write" ) );
3398
Paul Bakker23986e52011-04-24 08:57:21 +00003399 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00003400}
3401
3402/*
3403 * Notify the peer that the connection is being closed
3404 */
3405int ssl_close_notify( ssl_context *ssl )
3406{
3407 int ret;
3408
3409 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3410
3411 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3412 {
3413 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3414 return( ret );
3415 }
3416
3417 if( ssl->state == SSL_HANDSHAKE_OVER )
3418 {
Paul Bakker48916f92012-09-16 19:57:18 +00003419 if( ( ret = ssl_send_alert_message( ssl,
3420 SSL_ALERT_LEVEL_WARNING,
3421 SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003422 {
Paul Bakker5121ce52009-01-03 21:22:43 +00003423 return( ret );
3424 }
3425 }
3426
3427 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3428
3429 return( ret );
3430}
3431
Paul Bakker48916f92012-09-16 19:57:18 +00003432void ssl_transform_free( ssl_transform *transform )
3433{
3434#if defined(POLARSSL_ZLIB_SUPPORT)
3435 deflateEnd( &transform->ctx_deflate );
3436 inflateEnd( &transform->ctx_inflate );
3437#endif
3438
3439 memset( transform, 0, sizeof( ssl_transform ) );
3440}
3441
3442void ssl_handshake_free( ssl_handshake_params *handshake )
3443{
3444#if defined(POLARSSL_DHM_C)
3445 dhm_free( &handshake->dhm_ctx );
3446#endif
3447 memset( handshake, 0, sizeof( ssl_handshake_params ) );
3448}
3449
3450void ssl_session_free( ssl_session *session )
3451{
Paul Bakkered27a042013-04-18 22:46:23 +02003452#if defined(POLARSSL_X509_PARSE_C)
Paul Bakker0a597072012-09-25 21:55:46 +00003453 if( session->peer_cert != NULL )
Paul Bakker48916f92012-09-16 19:57:18 +00003454 {
Paul Bakker0a597072012-09-25 21:55:46 +00003455 x509_free( session->peer_cert );
Paul Bakker6e339b52013-07-03 13:37:05 +02003456 polarssl_free( session->peer_cert );
Paul Bakker48916f92012-09-16 19:57:18 +00003457 }
Paul Bakkered27a042013-04-18 22:46:23 +02003458#endif
Paul Bakker0a597072012-09-25 21:55:46 +00003459
3460 memset( session, 0, sizeof( ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +00003461}
3462
Paul Bakker5121ce52009-01-03 21:22:43 +00003463/*
3464 * Free an SSL context
3465 */
3466void ssl_free( ssl_context *ssl )
3467{
3468 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3469
Paul Bakker5121ce52009-01-03 21:22:43 +00003470 if( ssl->out_ctr != NULL )
3471 {
3472 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
Paul Bakker6e339b52013-07-03 13:37:05 +02003473 polarssl_free( ssl->out_ctr );
Paul Bakker5121ce52009-01-03 21:22:43 +00003474 }
3475
3476 if( ssl->in_ctr != NULL )
3477 {
3478 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
Paul Bakker6e339b52013-07-03 13:37:05 +02003479 polarssl_free( ssl->in_ctr );
Paul Bakker5121ce52009-01-03 21:22:43 +00003480 }
3481
Paul Bakker40e46942009-01-03 21:51:57 +00003482#if defined(POLARSSL_DHM_C)
Paul Bakker48916f92012-09-16 19:57:18 +00003483 mpi_free( &ssl->dhm_P );
3484 mpi_free( &ssl->dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +00003485#endif
3486
Paul Bakker48916f92012-09-16 19:57:18 +00003487 if( ssl->transform )
3488 {
3489 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02003490 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00003491 }
3492
3493 if( ssl->handshake )
3494 {
3495 ssl_handshake_free( ssl->handshake );
3496 ssl_transform_free( ssl->transform_negotiate );
3497 ssl_session_free( ssl->session_negotiate );
3498
Paul Bakker6e339b52013-07-03 13:37:05 +02003499 polarssl_free( ssl->handshake );
3500 polarssl_free( ssl->transform_negotiate );
3501 polarssl_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00003502 }
3503
Paul Bakkerc0463502013-02-14 11:19:38 +01003504 if( ssl->session )
3505 {
3506 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02003507 polarssl_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01003508 }
3509
Paul Bakker5121ce52009-01-03 21:22:43 +00003510 if ( ssl->hostname != NULL)
3511 {
3512 memset( ssl->hostname, 0, ssl->hostname_len );
Paul Bakker6e339b52013-07-03 13:37:05 +02003513 polarssl_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +00003514 ssl->hostname_len = 0;
3515 }
3516
Paul Bakker05ef8352012-05-08 09:17:57 +00003517#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3518 if( ssl_hw_record_finish != NULL )
3519 {
3520 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3521 ssl_hw_record_finish( ssl );
3522 }
3523#endif
3524
Paul Bakker5121ce52009-01-03 21:22:43 +00003525 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +00003526
Paul Bakker86f04f42013-02-14 11:20:09 +01003527 /* Actually clear after last debug message */
Paul Bakker2da561c2009-02-05 18:00:28 +00003528 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003529}
3530
3531#endif