TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b96f154e51ed3aaca328257d74cae0a517ed31e0 / . / library / ssl_tls.c
blob: fa172c295f10a84815bfb57d89c94f9d8607a652 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame^]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame^]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
45#include <string.h>
46#include <stdlib.h>
47#include <time.h>
48
49/*
50 * Key material generation
51 */
52static int tls1_prf( unsigned char *secret, int slen, char *label,
53 unsigned char *random, int rlen,
54 unsigned char *dstbuf, int dlen )
55{
56 int nb, hs;
57 int i, j, k;
58 unsigned char *S1, *S2;
59 unsigned char tmp[128];
60 unsigned char h_i[20];
61
62 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]63 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]64
65 hs = ( slen + 1 ) / 2;
66 S1 = secret;
67 S2 = secret + slen - hs;
68
69 nb = strlen( label );
70 memcpy( tmp + 20, label, nb );
71 memcpy( tmp + 20 + nb, random, rlen );
72 nb += rlen;
73
74 /*
75 * First compute P_md5(secret,label+random)[0..dlen]
76 */
77 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
78
79 for( i = 0; i < dlen; i += 16 )
80 {
81 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
82 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
83
84 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
85
86 for( j = 0; j < k; j++ )
87 dstbuf[i + j] = h_i[j];
88 }
89
90 /*
91 * XOR out with P_sha1(secret,label+random)[0..dlen]
92 */
93 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
94
95 for( i = 0; i < dlen; i += 20 )
96 {
97 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
98 sha1_hmac( S2, hs, tmp, 20, tmp );
99
100 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
101
102 for( j = 0; j < k; j++ )
103 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
104 }
105
106 memset( tmp, 0, sizeof( tmp ) );
107 memset( h_i, 0, sizeof( h_i ) );
108
109 return( 0 );
110}
111
112int ssl_derive_keys( ssl_context *ssl )
113{
114 int i;
115 md5_context md5;
116 sha1_context sha1;
117 unsigned char tmp[64];
118 unsigned char padding[16];
119 unsigned char sha1sum[20];
120 unsigned char keyblk[256];
121 unsigned char *key1;
122 unsigned char *key2;
123
124 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
125
126 /*
127 * SSLv3:
128 * master =
129 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
130 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
131 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
132 *
133 * TLSv1:
134 * master = PRF( premaster, "master secret", randbytes )[0..47]
135 */
136 if( ssl->resume == 0 )
137 {
138 int len = ssl->pmslen;
139
140 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
141
142 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
143 {
144 for( i = 0; i < 3; i++ )
145 {
146 memset( padding, 'A' + i, 1 + i );
147
148 sha1_starts( &sha1 );
149 sha1_update( &sha1, padding, 1 + i );
150 sha1_update( &sha1, ssl->premaster, len );
151 sha1_update( &sha1, ssl->randbytes, 64 );
152 sha1_finish( &sha1, sha1sum );
153
154 md5_starts( &md5 );
155 md5_update( &md5, ssl->premaster, len );
156 md5_update( &md5, sha1sum, 20 );
157 md5_finish( &md5, ssl->session->master + i * 16 );
158 }
159 }
160 else
161 tls1_prf( ssl->premaster, len, "master secret",
162 ssl->randbytes, 64, ssl->session->master, 48 );
163
164 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
165 }
166 else
167 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
168
169 /*
170 * Swap the client and server random values.
171 */
172 memcpy( tmp, ssl->randbytes, 64 );
173 memcpy( ssl->randbytes, tmp + 32, 32 );
174 memcpy( ssl->randbytes + 32, tmp, 32 );
175 memset( tmp, 0, sizeof( tmp ) );
176
177 /*
178 * SSLv3:
179 * key block =
180 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
181 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
182 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
183 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
184 * ...
185 *
186 * TLSv1:
187 * key block = PRF( master, "key expansion", randbytes )
188 */
189 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
190 {
191 for( i = 0; i < 16; i++ )
192 {
193 memset( padding, 'A' + i, 1 + i );
194
195 sha1_starts( &sha1 );
196 sha1_update( &sha1, padding, 1 + i );
197 sha1_update( &sha1, ssl->session->master, 48 );
198 sha1_update( &sha1, ssl->randbytes, 64 );
199 sha1_finish( &sha1, sha1sum );
200
201 md5_starts( &md5 );
202 md5_update( &md5, ssl->session->master, 48 );
203 md5_update( &md5, sha1sum, 20 );
204 md5_finish( &md5, keyblk + i * 16 );
205 }
206
207 memset( &md5, 0, sizeof( md5 ) );
208 memset( &sha1, 0, sizeof( sha1 ) );
209
210 memset( padding, 0, sizeof( padding ) );
211 memset( sha1sum, 0, sizeof( sha1sum ) );
212 }
213 else
214 tls1_prf( ssl->session->master, 48, "key expansion",
215 ssl->randbytes, 64, keyblk, 256 );
216
217 SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) );
218 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
219 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
220 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
221
222 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
223
224 /*
225 * Determine the appropriate key, IV and MAC length.
226 */
227 switch( ssl->session->cipher )
228 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]229#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230 case SSL_RSA_RC4_128_MD5:
231 ssl->keylen = 16; ssl->minlen = 16;
232 ssl->ivlen = 0; ssl->maclen = 16;
233 break;
234
235 case SSL_RSA_RC4_128_SHA:
236 ssl->keylen = 16; ssl->minlen = 20;
237 ssl->ivlen = 0; ssl->maclen = 20;
238 break;
239#endif
240
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]241#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]242 case SSL_RSA_DES_168_SHA:
243 case SSL_EDH_RSA_DES_168_SHA:
244 ssl->keylen = 24; ssl->minlen = 24;
245 ssl->ivlen = 8; ssl->maclen = 20;
246 break;
247#endif
248
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]249#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]250 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]251 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]252 ssl->keylen = 16; ssl->minlen = 32;
253 ssl->ivlen = 16; ssl->maclen = 20;
254 break;
255
256 case SSL_RSA_AES_256_SHA:
257 case SSL_EDH_RSA_AES_256_SHA:
258 ssl->keylen = 32; ssl->minlen = 32;
259 ssl->ivlen = 16; ssl->maclen = 20;
260 break;
261#endif
262
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]263#if defined(POLARSSL_CAMELLIA_C)
264 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]265 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]266 ssl->keylen = 16; ssl->minlen = 32;
267 ssl->ivlen = 16; ssl->maclen = 20;
268 break;
269
270 case SSL_RSA_CAMELLIA_256_SHA:
271 case SSL_EDH_RSA_CAMELLIA_256_SHA:
272 ssl->keylen = 32; ssl->minlen = 32;
273 ssl->ivlen = 16; ssl->maclen = 20;
274 break;
275#endif
276
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]277 default:
278 SSL_DEBUG_MSG( 1, ( "cipher %s is not available",
279 ssl_get_cipher( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]280 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281 }
282
283 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
284 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
285
286 /*
287 * Finally setup the cipher contexts, IVs and MAC secrets.
288 */
289 if( ssl->endpoint == SSL_IS_CLIENT )
290 {
291 key1 = keyblk + ssl->maclen * 2;
292 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
293
294 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
295 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
296
297 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
298 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
299 ssl->ivlen );
300 }
301 else
302 {
303 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
304 key2 = keyblk + ssl->maclen * 2;
305
306 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
307 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
308
309 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
310 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
311 ssl->ivlen );
312 }
313
314 switch( ssl->session->cipher )
315 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]316#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317 case SSL_RSA_RC4_128_MD5:
318 case SSL_RSA_RC4_128_SHA:
319 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
320 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
321 break;
322#endif
323
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]324#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325 case SSL_RSA_DES_168_SHA:
326 case SSL_EDH_RSA_DES_168_SHA:
327 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
328 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
329 break;
330#endif
331
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]332#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]334 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
336 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
337 break;
338
339 case SSL_RSA_AES_256_SHA:
340 case SSL_EDH_RSA_AES_256_SHA:
341 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
342 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
343 break;
344#endif
345
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]346#if defined(POLARSSL_CAMELLIA_C)
347 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]348 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]349 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
350 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
351 break;
352
353 case SSL_RSA_CAMELLIA_256_SHA:
354 case SSL_EDH_RSA_CAMELLIA_256_SHA:
355 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
356 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
357 break;
358#endif
359
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]361 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362 }
363
364 memset( keyblk, 0, sizeof( keyblk ) );
365
366 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
367
368 return( 0 );
369}
370
371void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
372{
373 md5_context md5;
374 sha1_context sha1;
375 unsigned char pad_1[48];
376 unsigned char pad_2[48];
377
378 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
379
380 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
381 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
382
383 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
384 {
385 memset( pad_1, 0x36, 48 );
386 memset( pad_2, 0x5C, 48 );
387
388 md5_update( &md5, ssl->session->master, 48 );
389 md5_update( &md5, pad_1, 48 );
390 md5_finish( &md5, hash );
391
392 md5_starts( &md5 );
393 md5_update( &md5, ssl->session->master, 48 );
394 md5_update( &md5, pad_2, 48 );
395 md5_update( &md5, hash, 16 );
396 md5_finish( &md5, hash );
397
398 sha1_update( &sha1, ssl->session->master, 48 );
399 sha1_update( &sha1, pad_1, 40 );
400 sha1_finish( &sha1, hash + 16 );
401
402 sha1_starts( &sha1 );
403 sha1_update( &sha1, ssl->session->master, 48 );
404 sha1_update( &sha1, pad_2, 40 );
405 sha1_update( &sha1, hash + 16, 20 );
406 sha1_finish( &sha1, hash + 16 );
407 }
408 else /* TLSv1 */
409 {
410 md5_finish( &md5, hash );
411 sha1_finish( &sha1, hash + 16 );
412 }
413
414 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
415 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
416
417 return;
418}
419
420/*
421 * SSLv3.0 MAC functions
422 */
423static void ssl_mac_md5( unsigned char *secret,
424 unsigned char *buf, int len,
425 unsigned char *ctr, int type )
426{
427 unsigned char header[11];
428 unsigned char padding[48];
429 md5_context md5;
430
431 memcpy( header, ctr, 8 );
432 header[ 8] = (unsigned char) type;
433 header[ 9] = (unsigned char)( len >> 8 );
434 header[10] = (unsigned char)( len );
435
436 memset( padding, 0x36, 48 );
437 md5_starts( &md5 );
438 md5_update( &md5, secret, 16 );
439 md5_update( &md5, padding, 48 );
440 md5_update( &md5, header, 11 );
441 md5_update( &md5, buf, len );
442 md5_finish( &md5, buf + len );
443
444 memset( padding, 0x5C, 48 );
445 md5_starts( &md5 );
446 md5_update( &md5, secret, 16 );
447 md5_update( &md5, padding, 48 );
448 md5_update( &md5, buf + len, 16 );
449 md5_finish( &md5, buf + len );
450}
451
452static void ssl_mac_sha1( unsigned char *secret,
453 unsigned char *buf, int len,
454 unsigned char *ctr, int type )
455{
456 unsigned char header[11];
457 unsigned char padding[40];
458 sha1_context sha1;
459
460 memcpy( header, ctr, 8 );
461 header[ 8] = (unsigned char) type;
462 header[ 9] = (unsigned char)( len >> 8 );
463 header[10] = (unsigned char)( len );
464
465 memset( padding, 0x36, 40 );
466 sha1_starts( &sha1 );
467 sha1_update( &sha1, secret, 20 );
468 sha1_update( &sha1, padding, 40 );
469 sha1_update( &sha1, header, 11 );
470 sha1_update( &sha1, buf, len );
471 sha1_finish( &sha1, buf + len );
472
473 memset( padding, 0x5C, 40 );
474 sha1_starts( &sha1 );
475 sha1_update( &sha1, secret, 20 );
476 sha1_update( &sha1, padding, 40 );
477 sha1_update( &sha1, buf + len, 20 );
478 sha1_finish( &sha1, buf + len );
479}
480
481/*
482 * Encryption/decryption functions
483 */
484static int ssl_encrypt_buf( ssl_context *ssl )
485{
486 int i, padlen;
487
488 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
489
490 /*
491 * Add MAC then encrypt
492 */
493 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
494 {
495 if( ssl->maclen == 16 )
496 ssl_mac_md5( ssl->mac_enc,
497 ssl->out_msg, ssl->out_msglen,
498 ssl->out_ctr, ssl->out_msgtype );
499
500 if( ssl->maclen == 20 )
501 ssl_mac_sha1( ssl->mac_enc,
502 ssl->out_msg, ssl->out_msglen,
503 ssl->out_ctr, ssl->out_msgtype );
504 }
505 else
506 {
507 if( ssl->maclen == 16 )
508 md5_hmac( ssl->mac_enc, 16,
509 ssl->out_ctr, ssl->out_msglen + 13,
510 ssl->out_msg + ssl->out_msglen );
511
512 if( ssl->maclen == 20 )
513 sha1_hmac( ssl->mac_enc, 20,
514 ssl->out_ctr, ssl->out_msglen + 13,
515 ssl->out_msg + ssl->out_msglen );
516 }
517
518 SSL_DEBUG_BUF( 4, "computed mac",
519 ssl->out_msg + ssl->out_msglen, ssl->maclen );
520
521 ssl->out_msglen += ssl->maclen;
522
523 for( i = 7; i >= 0; i-- )
524 if( ++ssl->out_ctr[i] != 0 )
525 break;
526
527 if( ssl->ivlen == 0 )
528 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]529#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530 padlen = 0;
531
532 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
533 "including %d bytes of padding",
534 ssl->out_msglen, 0 ) );
535
536 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
537 ssl->out_msg, ssl->out_msglen );
538
539 arc4_crypt( (arc4_context *) ssl->ctx_enc,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]540 ssl->out_msglen, ssl->out_msg,
541 ssl->out_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]542#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]543 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544#endif
545 }
546 else
547 {
548 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
549 if( padlen == ssl->ivlen )
550 padlen = 0;
551
552 for( i = 0; i <= padlen; i++ )
553 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
554
555 ssl->out_msglen += padlen + 1;
556
557 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
558 "including %d bytes of padding",
559 ssl->out_msglen, padlen + 1 ) );
560
561 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
562 ssl->out_msg, ssl->out_msglen );
563
564 switch( ssl->ivlen )
565 {
566 case 8:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]567#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
569 DES_ENCRYPT, ssl->out_msglen,
570 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
571 break;
572#endif
573
574 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]575#if defined(POLARSSL_AES_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]576 if ( ssl->session->cipher == SSL_RSA_AES_128_SHA ||
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]577 ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA ||
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]578 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
579 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA)
580 {
581 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
582 AES_ENCRYPT, ssl->out_msglen,
583 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
584 break;
585 }
586#endif
587
588#if defined(POLARSSL_CAMELLIA_C)
589 if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]590 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA ||
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]591 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
592 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
593 {
594 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
595 CAMELLIA_ENCRYPT, ssl->out_msglen,
596 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
597 break;
598 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599#endif
600
601 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]602 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]603 }
604 }
605
606 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
607
608 return( 0 );
609}
610
611static int ssl_decrypt_buf( ssl_context *ssl )
612{
613 int i, padlen;
614 unsigned char tmp[20];
615
616 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
617
618 if( ssl->in_msglen < ssl->minlen )
619 {
620 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
621 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]622 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623 }
624
625 if( ssl->ivlen == 0 )
626 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]627#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]628 padlen = 0;
629 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]630 ssl->in_msglen, ssl->in_msg,
631 ssl->in_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]633 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634#endif
635 }
636 else
637 {
638 /*
639 * Decrypt and check the padding
640 */
641 if( ssl->in_msglen % ssl->ivlen != 0 )
642 {
643 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
644 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]645 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646 }
647
648 switch( ssl->ivlen )
649 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]650#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651 case 8:
652 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
653 DES_DECRYPT, ssl->in_msglen,
654 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
655 break;
656#endif
657
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]659#if defined(POLARSSL_AES_C)
660 if ( ssl->session->cipher == SSL_RSA_AES_128_SHA ||
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]661 ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA ||
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]662 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
663 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA)
664 {
665 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
666 AES_DECRYPT, ssl->in_msglen,
667 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
668 break;
669 }
670#endif
671
672#if defined(POLARSSL_CAMELLIA_C)
673 if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]674 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA ||
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]675 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
676 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
677 {
678 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
679 CAMELLIA_DECRYPT, ssl->in_msglen,
680 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
681 break;
682 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]683#endif
684
685 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]686 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 }
688
689 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
690
691 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
692 {
693 if( padlen > ssl->ivlen )
694 {
695 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
696 "should be no more than %d",
697 padlen, ssl->ivlen ) );
698 padlen = 0;
699 }
700 }
701 else
702 {
703 /*
704 * TLSv1: always check the padding
705 */
706 for( i = 1; i <= padlen; i++ )
707 {
708 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
709 {
710 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
711 "%02x, but is %02x", padlen - 1,
712 ssl->in_msg[ssl->in_msglen - i] ) );
713 padlen = 0;
714 }
715 }
716 }
717 }
718
719 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
720 ssl->in_msg, ssl->in_msglen );
721
722 /*
723 * Always compute the MAC (RFC4346, CBCTIME).
724 */
725 ssl->in_msglen -= ( ssl->maclen + padlen );
726
727 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
728 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
729
730 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
731
732 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
733 {
734 if( ssl->maclen == 16 )
735 ssl_mac_md5( ssl->mac_dec,
736 ssl->in_msg, ssl->in_msglen,
737 ssl->in_ctr, ssl->in_msgtype );
738 else
739 ssl_mac_sha1( ssl->mac_dec,
740 ssl->in_msg, ssl->in_msglen,
741 ssl->in_ctr, ssl->in_msgtype );
742 }
743 else
744 {
745 if( ssl->maclen == 16 )
746 md5_hmac( ssl->mac_dec, 16,
747 ssl->in_ctr, ssl->in_msglen + 13,
748 ssl->in_msg + ssl->in_msglen );
749 else
750 sha1_hmac( ssl->mac_dec, 20,
751 ssl->in_ctr, ssl->in_msglen + 13,
752 ssl->in_msg + ssl->in_msglen );
753 }
754
755 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
756 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
757 ssl->maclen );
758
759 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
760 ssl->maclen ) != 0 )
761 {
762 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]763 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764 }
765
766 /*
767 * Finally check the padding length; bad padding
768 * will produce the same error as an invalid MAC.
769 */
770 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]771 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]772
773 if( ssl->in_msglen == 0 )
774 {
775 ssl->nb_zero++;
776
777 /*
778 * Three or more empty messages may be a DoS attack
779 * (excessive CPU consumption).
780 */
781 if( ssl->nb_zero > 3 )
782 {
783 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
784 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]785 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]786 }
787 }
788 else
789 ssl->nb_zero = 0;
790
791 for( i = 7; i >= 0; i-- )
792 if( ++ssl->in_ctr[i] != 0 )
793 break;
794
795 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
796
797 return( 0 );
798}
799
800/*
801 * Fill the input message buffer
802 */
803int ssl_fetch_input( ssl_context *ssl, int nb_want )
804{
805 int ret, len;
806
807 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
808
809 while( ssl->in_left < nb_want )
810 {
811 len = nb_want - ssl->in_left;
812 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
813
814 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
815 ssl->in_left, nb_want ) );
816 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
817
818 if( ret < 0 )
819 return( ret );
820
821 ssl->in_left += ret;
822 }
823
824 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
825
826 return( 0 );
827}
828
829/*
830 * Flush any data not yet written
831 */
832int ssl_flush_output( ssl_context *ssl )
833{
834 int ret;
835 unsigned char *buf;
836
837 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
838
839 while( ssl->out_left > 0 )
840 {
841 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
842 5 + ssl->out_msglen, ssl->out_left ) );
843
844 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
845 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
846 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
847
848 if( ret <= 0 )
849 return( ret );
850
851 ssl->out_left -= ret;
852 }
853
854 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
855
856 return( 0 );
857}
858
859/*
860 * Record layer functions
861 */
862int ssl_write_record( ssl_context *ssl )
863{
864 int ret, len = ssl->out_msglen;
865
866 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
867
868 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
869 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
870 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
871 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
872 ssl->out_hdr[4] = (unsigned char)( len );
873
874 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
875 {
876 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
877 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
878 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
879
880 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
881 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
882 }
883
884 if( ssl->do_crypt != 0 )
885 {
886 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
887 {
888 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
889 return( ret );
890 }
891
892 len = ssl->out_msglen;
893 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
894 ssl->out_hdr[4] = (unsigned char)( len );
895 }
896
897 ssl->out_left = 5 + ssl->out_msglen;
898
899 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
900 "version = [%d:%d], msglen = %d",
901 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
902 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
903
904 SSL_DEBUG_BUF( 4, "output record sent to network",
905 ssl->out_hdr, 5 + ssl->out_msglen );
906
907 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
908 {
909 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
910 return( ret );
911 }
912
913 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
914
915 return( 0 );
916}
917
918int ssl_read_record( ssl_context *ssl )
919{
920 int ret;
921
922 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
923
924 if( ssl->in_hslen != 0 &&
925 ssl->in_hslen < ssl->in_msglen )
926 {
927 /*
928 * Get next Handshake message in the current record
929 */
930 ssl->in_msglen -= ssl->in_hslen;
931
932 memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
933 ssl->in_msglen );
934
935 ssl->in_hslen = 4;
936 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
937
938 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
939 " %d, type = %d, hslen = %d",
940 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
941
942 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
943 {
944 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]945 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]946 }
947
948 if( ssl->in_msglen < ssl->in_hslen )
949 {
950 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]951 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]952 }
953
954 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
955 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
956
957 return( 0 );
958 }
959
960 ssl->in_hslen = 0;
961
962 /*
963 * Read the record header and validate it
964 */
965 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
966 {
967 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
968 return( ret );
969 }
970
971 ssl->in_msgtype = ssl->in_hdr[0];
972 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
973
974 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
975 "version = [%d:%d], msglen = %d",
976 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
977 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
978
979 if( ssl->in_hdr[1] != ssl->major_ver )
980 {
981 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]982 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]983 }
984
985 if( ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
986 ssl->in_hdr[2] != SSL_MINOR_VERSION_1 )
987 {
988 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]989 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990 }
991
992 /*
993 * Make sure the message length is acceptable
994 */
995 if( ssl->do_crypt == 0 )
996 {
997 if( ssl->in_msglen < 1 ||
998 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
999 {
1000 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1001 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1002 }
1003 }
1004 else
1005 {
1006 if( ssl->in_msglen < ssl->minlen )
1007 {
1008 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1009 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1010 }
1011
1012 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1013 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1014 {
1015 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1016 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1017 }
1018
1019 /*
1020 * TLS encrypted messages can have up to 256 bytes of padding
1021 */
1022 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
1023 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1024 {
1025 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1026 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027 }
1028 }
1029
1030 /*
1031 * Read and optionally decrypt the message contents
1032 */
1033 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1034 {
1035 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1036 return( ret );
1037 }
1038
1039 SSL_DEBUG_BUF( 4, "input record from network",
1040 ssl->in_hdr, 5 + ssl->in_msglen );
1041
1042 if( ssl->do_crypt != 0 )
1043 {
1044 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1045 {
1046 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1047 return( ret );
1048 }
1049
1050 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1051 ssl->in_msg, ssl->in_msglen );
1052
1053 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1054 {
1055 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1056 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1057 }
1058 }
1059
1060 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1061 {
1062 ssl->in_hslen = 4;
1063 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1064
1065 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1066 " %d, type = %d, hslen = %d",
1067 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1068
1069 /*
1070 * Additional checks to validate the handshake header
1071 */
1072 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1073 {
1074 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1075 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076 }
1077
1078 if( ssl->in_msglen < ssl->in_hslen )
1079 {
1080 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1081 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082 }
1083
1084 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1085 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1086 }
1087
1088 if( ssl->in_msgtype == SSL_MSG_ALERT )
1089 {
1090 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1091 ssl->in_msg[0], ssl->in_msg[1] ) );
1092
1093 /*
1094 * Ignore non-fatal alerts, except close_notify
1095 */
1096 if( ssl->in_msg[0] == SSL_ALERT_FATAL )
1097 {
1098 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1099 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE | ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100 }
1101
1102 if( ssl->in_msg[0] == SSL_ALERT_WARNING &&
1103 ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY )
1104 {
1105 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1106 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107 }
1108 }
1109
1110 ssl->in_left = 0;
1111
1112 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1113
1114 return( 0 );
1115}
1116
1117/*
1118 * Handshake functions
1119 */
1120int ssl_write_certificate( ssl_context *ssl )
1121{
1122 int ret, i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1123 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1124
1125 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1126
1127 if( ssl->endpoint == SSL_IS_CLIENT )
1128 {
1129 if( ssl->client_auth == 0 )
1130 {
1131 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1132 ssl->state++;
1133 return( 0 );
1134 }
1135
1136 /*
1137 * If using SSLv3 and got no cert, send an Alert message
1138 * (otherwise an empty Certificate message will be sent).
1139 */
1140 if( ssl->own_cert == NULL &&
1141 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1142 {
1143 ssl->out_msglen = 2;
1144 ssl->out_msgtype = SSL_MSG_ALERT;
1145 ssl->out_msg[0] = SSL_ALERT_WARNING;
1146 ssl->out_msg[1] = SSL_ALERT_NO_CERTIFICATE;
1147
1148 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1149 goto write_msg;
1150 }
1151 }
1152 else /* SSL_IS_SERVER */
1153 {
1154 if( ssl->own_cert == NULL )
1155 {
1156 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1157 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1158 }
1159 }
1160
1161 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1162
1163 /*
1164 * 0 . 0 handshake type
1165 * 1 . 3 handshake length
1166 * 4 . 6 length of all certs
1167 * 7 . 9 length of cert. 1
1168 * 10 . n-1 peer certificate
1169 * n . n+2 length of cert. 2
1170 * n+3 . ... upper level cert, etc.
1171 */
1172 i = 7;
1173 crt = ssl->own_cert;
1174
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1175 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1176 {
1177 n = crt->raw.len;
1178 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1179 {
1180 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1181 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1182 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1183 }
1184
1185 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1186 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1187 ssl->out_msg[i + 2] = (unsigned char)( n );
1188
1189 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1190 i += n; crt = crt->next;
1191 }
1192
1193 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1194 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1195 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1196
1197 ssl->out_msglen = i;
1198 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1199 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1200
1201write_msg:
1202
1203 ssl->state++;
1204
1205 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1206 {
1207 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1208 return( ret );
1209 }
1210
1211 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1212
1213 return( 0 );
1214}
1215
1216int ssl_parse_certificate( ssl_context *ssl )
1217{
1218 int ret, i, n;
1219
1220 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1221
1222 if( ssl->endpoint == SSL_IS_SERVER &&
1223 ssl->authmode == SSL_VERIFY_NONE )
1224 {
1225 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1226 ssl->state++;
1227 return( 0 );
1228 }
1229
1230 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1231 {
1232 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1233 return( ret );
1234 }
1235
1236 ssl->state++;
1237
1238 /*
1239 * Check if the client sent an empty certificate
1240 */
1241 if( ssl->endpoint == SSL_IS_SERVER &&
1242 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1243 {
1244 if( ssl->in_msglen == 2 &&
1245 ssl->in_msgtype == SSL_MSG_ALERT &&
1246 ssl->in_msg[0] == SSL_ALERT_WARNING &&
1247 ssl->in_msg[1] == SSL_ALERT_NO_CERTIFICATE )
1248 {
1249 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1250
1251 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1252 return( 0 );
1253 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1254 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1255 }
1256 }
1257
1258 if( ssl->endpoint == SSL_IS_SERVER &&
1259 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1260 {
1261 if( ssl->in_hslen == 7 &&
1262 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1263 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1264 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1265 {
1266 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1267
1268 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1269 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1270 else
1271 return( 0 );
1272 }
1273 }
1274
1275 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1276 {
1277 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1278 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1279 }
1280
1281 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1282 {
1283 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1284 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1285 }
1286
1287 /*
1288 * Same message structure as in ssl_write_certificate()
1289 */
1290 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1291
1292 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1293 {
1294 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1295 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1296 }
1297
1298 if( ( ssl->peer_cert = (x509_cert *) malloc(
1299 sizeof( x509_cert ) ) ) == NULL )
1300 {
1301 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1302 sizeof( x509_cert ) ) );
1303 return( 1 );
1304 }
1305
1306 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1307
1308 i = 7;
1309
1310 while( i < ssl->in_hslen )
1311 {
1312 if( ssl->in_msg[i] != 0 )
1313 {
1314 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1315 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1316 }
1317
1318 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1319 | (unsigned int) ssl->in_msg[i + 2];
1320 i += 3;
1321
1322 if( n < 128 || i + n > ssl->in_hslen )
1323 {
1324 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1325 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326 }
1327
1328 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
1329 if( ret != 0 )
1330 {
1331 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1332 return( ret );
1333 }
1334
1335 i += n;
1336 }
1337
1338 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1339
1340 if( ssl->authmode != SSL_VERIFY_NONE )
1341 {
1342 if( ssl->ca_chain == NULL )
1343 {
1344 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1345 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346 }
1347
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1348 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1349 ssl->peer_cn, &ssl->verify_result );
1350
1351 if( ret != 0 )
1352 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1353
1354 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1355 ret = 0;
1356 }
1357
1358 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1359
1360 return( ret );
1361}
1362
1363int ssl_write_change_cipher_spec( ssl_context *ssl )
1364{
1365 int ret;
1366
1367 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1368
1369 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1370 ssl->out_msglen = 1;
1371 ssl->out_msg[0] = 1;
1372
1373 ssl->do_crypt = 0;
1374 ssl->state++;
1375
1376 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1377 {
1378 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1379 return( ret );
1380 }
1381
1382 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1383
1384 return( 0 );
1385}
1386
1387int ssl_parse_change_cipher_spec( ssl_context *ssl )
1388{
1389 int ret;
1390
1391 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1392
1393 ssl->do_crypt = 0;
1394
1395 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1396 {
1397 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1398 return( ret );
1399 }
1400
1401 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1402 {
1403 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1404 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1405 }
1406
1407 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1408 {
1409 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1410 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1411 }
1412
1413 ssl->state++;
1414
1415 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1416
1417 return( 0 );
1418}
1419
1420static void ssl_calc_finished(
1421 ssl_context *ssl, unsigned char *buf, int from,
1422 md5_context *md5, sha1_context *sha1 )
1423{
1424 int len = 12;
1425 char *sender;
1426 unsigned char padbuf[48];
1427 unsigned char md5sum[16];
1428 unsigned char sha1sum[20];
1429
1430 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1431
1432 /*
1433 * SSLv3:
1434 * hash =
1435 * MD5( master + pad2 +
1436 * MD5( handshake + sender + master + pad1 ) )
1437 * + SHA1( master + pad2 +
1438 * SHA1( handshake + sender + master + pad1 ) )
1439 *
1440 * TLSv1:
1441 * hash = PRF( master, finished_label,
1442 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1443 */
1444
1445 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1446 md5->state, sizeof( md5->state ) );
1447
1448 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1449 sha1->state, sizeof( sha1->state ) );
1450
1451 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1452 {
1453 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1454 : (char *) "SRVR";
1455
1456 memset( padbuf, 0x36, 48 );
1457
1458 md5_update( md5, (unsigned char *) sender, 4 );
1459 md5_update( md5, ssl->session->master, 48 );
1460 md5_update( md5, padbuf, 48 );
1461 md5_finish( md5, md5sum );
1462
1463 sha1_update( sha1, (unsigned char *) sender, 4 );
1464 sha1_update( sha1, ssl->session->master, 48 );
1465 sha1_update( sha1, padbuf, 40 );
1466 sha1_finish( sha1, sha1sum );
1467
1468 memset( padbuf, 0x5C, 48 );
1469
1470 md5_starts( md5 );
1471 md5_update( md5, ssl->session->master, 48 );
1472 md5_update( md5, padbuf, 48 );
1473 md5_update( md5, md5sum, 16 );
1474 md5_finish( md5, buf );
1475
1476 sha1_starts( sha1 );
1477 sha1_update( sha1, ssl->session->master, 48 );
1478 sha1_update( sha1, padbuf , 40 );
1479 sha1_update( sha1, sha1sum, 20 );
1480 sha1_finish( sha1, buf + 16 );
1481
1482 len += 24;
1483 }
1484 else
1485 {
1486 sender = ( from == SSL_IS_CLIENT )
1487 ? (char *) "client finished"
1488 : (char *) "server finished";
1489
1490 md5_finish( md5, padbuf );
1491 sha1_finish( sha1, padbuf + 16 );
1492
1493 tls1_prf( ssl->session->master, 48, sender,
1494 padbuf, 36, buf, len );
1495 }
1496
1497 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1498
1499 memset( md5, 0, sizeof( md5_context ) );
1500 memset( sha1, 0, sizeof( sha1_context ) );
1501
1502 memset( padbuf, 0, sizeof( padbuf ) );
1503 memset( md5sum, 0, sizeof( md5sum ) );
1504 memset( sha1sum, 0, sizeof( sha1sum ) );
1505
1506 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1507}
1508
1509int ssl_write_finished( ssl_context *ssl )
1510{
1511 int ret, hash_len;
1512 md5_context md5;
1513 sha1_context sha1;
1514
1515 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1516
1517 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1518 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1519
1520 ssl_calc_finished( ssl, ssl->out_msg + 4,
1521 ssl->endpoint, &md5, &sha1 );
1522
1523 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1524
1525 ssl->out_msglen = 4 + hash_len;
1526 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1527 ssl->out_msg[0] = SSL_HS_FINISHED;
1528
1529 /*
1530 * In case of session resuming, invert the client and server
1531 * ChangeCipherSpec messages order.
1532 */
1533 if( ssl->resume != 0 )
1534 {
1535 if( ssl->endpoint == SSL_IS_CLIENT )
1536 ssl->state = SSL_HANDSHAKE_OVER;
1537 else
1538 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1539 }
1540 else
1541 ssl->state++;
1542
1543 ssl->do_crypt = 1;
1544
1545 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1546 {
1547 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1548 return( ret );
1549 }
1550
1551 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1552
1553 return( 0 );
1554}
1555
1556int ssl_parse_finished( ssl_context *ssl )
1557{
1558 int ret, hash_len;
1559 md5_context md5;
1560 sha1_context sha1;
1561 unsigned char buf[36];
1562
1563 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1564
1565 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1566 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1567
1568 ssl->do_crypt = 1;
1569
1570 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1571 {
1572 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1573 return( ret );
1574 }
1575
1576 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1577 {
1578 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1579 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1580 }
1581
1582 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1583
1584 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1585 ssl->in_hslen != 4 + hash_len )
1586 {
1587 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1588 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1589 }
1590
1591 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1592
1593 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1594 {
1595 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1596 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1597 }
1598
1599 if( ssl->resume != 0 )
1600 {
1601 if( ssl->endpoint == SSL_IS_CLIENT )
1602 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1603
1604 if( ssl->endpoint == SSL_IS_SERVER )
1605 ssl->state = SSL_HANDSHAKE_OVER;
1606 }
1607 else
1608 ssl->state++;
1609
1610 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1611
1612 return( 0 );
1613}
1614
1615/*
1616 * Initialize an SSL context
1617 */
1618int ssl_init( ssl_context *ssl )
1619{
1620 int len = SSL_BUFFER_LEN;
1621
1622 memset( ssl, 0, sizeof( ssl_context ) );
1623
1624 ssl->in_ctr = (unsigned char *) malloc( len );
1625 ssl->in_hdr = ssl->in_ctr + 8;
1626 ssl->in_msg = ssl->in_ctr + 13;
1627
1628 if( ssl->in_ctr == NULL )
1629 {
1630 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1631 return( 1 );
1632 }
1633
1634 ssl->out_ctr = (unsigned char *) malloc( len );
1635 ssl->out_hdr = ssl->out_ctr + 8;
1636 ssl->out_msg = ssl->out_ctr + 13;
1637
1638 if( ssl->out_ctr == NULL )
1639 {
1640 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1641 free( ssl-> in_ctr );
1642 return( 1 );
1643 }
1644
1645 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1646 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1647
1648 ssl->hostname = NULL;
1649 ssl->hostname_len = 0;
1650
1651 md5_starts( &ssl->fin_md5 );
1652 sha1_starts( &ssl->fin_sha1 );
1653
1654 return( 0 );
1655}
1656
1657/*
1658 * SSL set accessors
1659 */
1660void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1661{
1662 ssl->endpoint = endpoint;
1663}
1664
1665void ssl_set_authmode( ssl_context *ssl, int authmode )
1666{
1667 ssl->authmode = authmode;
1668}
1669
1670void ssl_set_rng( ssl_context *ssl,
1671 int (*f_rng)(void *),
1672 void *p_rng )
1673{
1674 ssl->f_rng = f_rng;
1675 ssl->p_rng = p_rng;
1676}
1677
1678void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1679 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1680 void *p_dbg )
1681{
1682 ssl->f_dbg = f_dbg;
1683 ssl->p_dbg = p_dbg;
1684}
1685
1686void ssl_set_bio( ssl_context *ssl,
1687 int (*f_recv)(void *, unsigned char *, int), void *p_recv,
1688 int (*f_send)(void *, unsigned char *, int), void *p_send )
1689{
1690 ssl->f_recv = f_recv;
1691 ssl->f_send = f_send;
1692 ssl->p_recv = p_recv;
1693 ssl->p_send = p_send;
1694}
1695
1696void ssl_set_scb( ssl_context *ssl,
1697 int (*s_get)(ssl_context *),
1698 int (*s_set)(ssl_context *) )
1699{
1700 ssl->s_get = s_get;
1701 ssl->s_set = s_set;
1702}
1703
1704void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1705 ssl_session *session )
1706{
1707 ssl->resume = resume;
1708 ssl->timeout = timeout;
1709 ssl->session = session;
1710}
1711
1712void ssl_set_ciphers( ssl_context *ssl, int *ciphers )
1713{
1714 ssl->ciphers = ciphers;
1715}
1716
1717void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]1718 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719{
1720 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1721 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1722 ssl->peer_cn = peer_cn;
1723}
1724
1725void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1726 rsa_context *rsa_key )
1727{
1728 ssl->own_cert = own_cert;
1729 ssl->rsa_key = rsa_key;
1730}
1731
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1732int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1733{
1734 int ret;
1735
1736 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1737 {
1738 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1739 return( ret );
1740 }
1741
1742 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1743 {
1744 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1745 return( ret );
1746 }
1747
1748 return( 0 );
1749}
1750
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1751int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752{
1753 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1754 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1755
1756 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1757 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1758
1759 memcpy( ssl->hostname, (unsigned char *) hostname,
1760 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1761
1762 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1763
1764 return( 0 );
1765}
1766
1767/*
1768 * SSL get accessors
1769 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1770int ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1771{
1772 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
1773}
1774
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1775int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1776{
1777 return( ssl->verify_result );
1778}
1779
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1780const char *ssl_get_cipher( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1781{
1782 switch( ssl->session->cipher )
1783 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1784#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1785 case SSL_RSA_RC4_128_MD5:
1786 return( "SSL_RSA_RC4_128_MD5" );
1787
1788 case SSL_RSA_RC4_128_SHA:
1789 return( "SSL_RSA_RC4_128_SHA" );
1790#endif
1791
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1792#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1793 case SSL_RSA_DES_168_SHA:
1794 return( "SSL_RSA_DES_168_SHA" );
1795
1796 case SSL_EDH_RSA_DES_168_SHA:
1797 return( "SSL_EDH_RSA_DES_168_SHA" );
1798#endif
1799
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1800#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1801 case SSL_RSA_AES_128_SHA:
1802 return( "SSL_RSA_AES_128_SHA" );
1803
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1804 case SSL_EDH_RSA_AES_128_SHA:
1805 return( "SSL_EDH_RSA_AES_128_SHA" );
1806
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1807 case SSL_RSA_AES_256_SHA:
1808 return( "SSL_RSA_AES_256_SHA" );
1809
1810 case SSL_EDH_RSA_AES_256_SHA:
1811 return( "SSL_EDH_RSA_AES_256_SHA" );
1812#endif
1813
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1814#if defined(POLARSSL_CAMELLIA_C)
1815 case SSL_RSA_CAMELLIA_128_SHA:
1816 return( "SSL_RSA_CAMELLIA_128_SHA" );
1817
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1818 case SSL_EDH_RSA_CAMELLIA_128_SHA:
1819 return( "SSL_EDH_RSA_CAMELLIA_128_SHA" );
1820
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1821 case SSL_RSA_CAMELLIA_256_SHA:
1822 return( "SSL_RSA_CAMELLIA_256_SHA" );
1823
1824 case SSL_EDH_RSA_CAMELLIA_256_SHA:
1825 return( "SSL_EDH_RSA_CAMELLIA_256_SHA" );
1826#endif
1827
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1828 default:
1829 break;
1830 }
1831
1832 return( "unknown" );
1833}
1834
1835int ssl_default_ciphers[] =
1836{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1837#if defined(POLARSSL_DHM_C)
1838#if defined(POLARSSL_AES_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1839 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840 SSL_EDH_RSA_AES_256_SHA,
1841#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1842#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1843 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1844 SSL_EDH_RSA_CAMELLIA_256_SHA,
1845#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1846#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1847 SSL_EDH_RSA_DES_168_SHA,
1848#endif
1849#endif
1850
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1851#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852 SSL_RSA_AES_256_SHA,
1853#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1854#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1855 SSL_RSA_CAMELLIA_256_SHA,
1856#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]1857#if defined(POLARSSL_AES_C)
1858 SSL_RSA_AES_128_SHA,
1859#endif
1860#if defined(POLARSSL_CAMELLIA_C)
1861 SSL_RSA_CAMELLIA_128_SHA,
1862#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1863#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864 SSL_RSA_DES_168_SHA,
1865#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1866#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867 SSL_RSA_RC4_128_SHA,
1868 SSL_RSA_RC4_128_MD5,
1869#endif
1870 0
1871};
1872
1873/*
1874 * Perform the SSL handshake
1875 */
1876int ssl_handshake( ssl_context *ssl )
1877{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1878 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1879
1880 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
1881
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1882#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1883 if( ssl->endpoint == SSL_IS_CLIENT )
1884 ret = ssl_handshake_client( ssl );
1885#endif
1886
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1887#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1888 if( ssl->endpoint == SSL_IS_SERVER )
1889 ret = ssl_handshake_server( ssl );
1890#endif
1891
1892 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
1893
1894 return( ret );
1895}
1896
1897/*
1898 * Receive application data decrypted from the SSL layer
1899 */
1900int ssl_read( ssl_context *ssl, unsigned char *buf, int len )
1901{
1902 int ret, n;
1903
1904 SSL_DEBUG_MSG( 2, ( "=> read" ) );
1905
1906 if( ssl->state != SSL_HANDSHAKE_OVER )
1907 {
1908 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1909 {
1910 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1911 return( ret );
1912 }
1913 }
1914
1915 if( ssl->in_offt == NULL )
1916 {
1917 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1918 {
1919 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1920 return( ret );
1921 }
1922
1923 if( ssl->in_msglen == 0 &&
1924 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
1925 {
1926 /*
1927 * OpenSSL sends empty messages to randomize the IV
1928 */
1929 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1930 {
1931 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1932 return( ret );
1933 }
1934 }
1935
1936 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1937 {
1938 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1939 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1940 }
1941
1942 ssl->in_offt = ssl->in_msg;
1943 }
1944
1945 n = ( len < ssl->in_msglen )
1946 ? len : ssl->in_msglen;
1947
1948 memcpy( buf, ssl->in_offt, n );
1949 ssl->in_msglen -= n;
1950
1951 if( ssl->in_msglen == 0 )
1952 /* all bytes consumed */
1953 ssl->in_offt = NULL;
1954 else
1955 /* more data available */
1956 ssl->in_offt += n;
1957
1958 SSL_DEBUG_MSG( 2, ( "<= read" ) );
1959
1960 return( n );
1961}
1962
1963/*
1964 * Send application data to be encrypted by the SSL layer
1965 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1966int ssl_write( ssl_context *ssl, const unsigned char *buf, int len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967{
1968 int ret, n;
1969
1970 SSL_DEBUG_MSG( 2, ( "=> write" ) );
1971
1972 if( ssl->state != SSL_HANDSHAKE_OVER )
1973 {
1974 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1975 {
1976 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1977 return( ret );
1978 }
1979 }
1980
1981 n = ( len < SSL_MAX_CONTENT_LEN )
1982 ? len : SSL_MAX_CONTENT_LEN;
1983
1984 if( ssl->out_left != 0 )
1985 {
1986 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1987 {
1988 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1989 return( ret );
1990 }
1991 }
1992 else
1993 {
1994 ssl->out_msglen = n;
1995 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
1996 memcpy( ssl->out_msg, buf, n );
1997
1998 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1999 {
2000 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2001 return( ret );
2002 }
2003 }
2004
2005 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2006
2007 return( n );
2008}
2009
2010/*
2011 * Notify the peer that the connection is being closed
2012 */
2013int ssl_close_notify( ssl_context *ssl )
2014{
2015 int ret;
2016
2017 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
2018
2019 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2020 {
2021 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2022 return( ret );
2023 }
2024
2025 if( ssl->state == SSL_HANDSHAKE_OVER )
2026 {
2027 ssl->out_msgtype = SSL_MSG_ALERT;
2028 ssl->out_msglen = 2;
2029 ssl->out_msg[0] = SSL_ALERT_WARNING;
2030 ssl->out_msg[1] = SSL_ALERT_CLOSE_NOTIFY;
2031
2032 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2033 {
2034 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2035 return( ret );
2036 }
2037 }
2038
2039 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2040
2041 return( ret );
2042}
2043
2044/*
2045 * Free an SSL context
2046 */
2047void ssl_free( ssl_context *ssl )
2048{
2049 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2050
2051 if( ssl->peer_cert != NULL )
2052 {
2053 x509_free( ssl->peer_cert );
2054 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2055 free( ssl->peer_cert );
2056 }
2057
2058 if( ssl->out_ctr != NULL )
2059 {
2060 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2061 free( ssl->out_ctr );
2062 }
2063
2064 if( ssl->in_ctr != NULL )
2065 {
2066 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2067 free( ssl->in_ctr );
2068 }
2069
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2070#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2071 dhm_free( &ssl->dhm_ctx );
2072#endif
2073
2074 if ( ssl->hostname != NULL)
2075 {
2076 memset( ssl->hostname, 0, ssl->hostname_len );
2077 free( ssl->hostname );
2078 ssl->hostname_len = 0;
2079 }
2080
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2081 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2082
2083 /* Actually free after last debug message */
2084 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2085}
2086
2087#endif