TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ca4ab491585b432d7db0266aa6fbcbc6813eda00 / . / library / ssl_tls.c
blob: 9a962b2d1b54071d7655c1102e525d5960b96ea8 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]46#if defined(POLARSSL_GCM_C)
47#include "polarssl/gcm.h"
48#endif
49
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50#include <stdlib.h>
51#include <time.h>
52
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]53#if defined _MSC_VER && !defined strcasecmp
54#define strcasecmp _stricmp
55#endif
56
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]57/*
58 * Key material generation
59 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]60static int tls1_prf( unsigned char *secret, size_t slen, char *label,
61 unsigned char *random, size_t rlen,
62 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]64 size_t nb, hs;
65 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66 unsigned char *S1, *S2;
67 unsigned char tmp[128];
68 unsigned char h_i[20];
69
70 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]71 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
73 hs = ( slen + 1 ) / 2;
74 S1 = secret;
75 S2 = secret + slen - hs;
76
77 nb = strlen( label );
78 memcpy( tmp + 20, label, nb );
79 memcpy( tmp + 20 + nb, random, rlen );
80 nb += rlen;
81
82 /*
83 * First compute P_md5(secret,label+random)[0..dlen]
84 */
85 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
86
87 for( i = 0; i < dlen; i += 16 )
88 {
89 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
90 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
91
92 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
93
94 for( j = 0; j < k; j++ )
95 dstbuf[i + j] = h_i[j];
96 }
97
98 /*
99 * XOR out with P_sha1(secret,label+random)[0..dlen]
100 */
101 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
102
103 for( i = 0; i < dlen; i += 20 )
104 {
105 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
106 sha1_hmac( S2, hs, tmp, 20, tmp );
107
108 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
109
110 for( j = 0; j < k; j++ )
111 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
112 }
113
114 memset( tmp, 0, sizeof( tmp ) );
115 memset( h_i, 0, sizeof( h_i ) );
116
117 return( 0 );
118}
119
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]120static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
121 unsigned char *random, size_t rlen,
122 unsigned char *dstbuf, size_t dlen )
123{
124 size_t nb;
125 size_t i, j, k;
126 unsigned char tmp[128];
127 unsigned char h_i[32];
128
129 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
130 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
131
132 nb = strlen( label );
133 memcpy( tmp + 32, label, nb );
134 memcpy( tmp + 32 + nb, random, rlen );
135 nb += rlen;
136
137 /*
138 * Compute P_<hash>(secret, label + random)[0..dlen]
139 */
140 sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
141
142 for( i = 0; i < dlen; i += 32 )
143 {
144 sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
145 sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
146
147 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
148
149 for( j = 0; j < k; j++ )
150 dstbuf[i + j] = h_i[j];
151 }
152
153 memset( tmp, 0, sizeof( tmp ) );
154 memset( h_i, 0, sizeof( h_i ) );
155
156 return( 0 );
157}
158
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]159static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
160 unsigned char *random, size_t rlen,
161 unsigned char *dstbuf, size_t dlen )
162{
163 size_t nb;
164 size_t i, j, k;
165 unsigned char tmp[128];
166 unsigned char h_i[48];
167
168 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
169 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
170
171 nb = strlen( label );
172 memcpy( tmp + 48, label, nb );
173 memcpy( tmp + 48 + nb, random, rlen );
174 nb += rlen;
175
176 /*
177 * Compute P_<hash>(secret, label + random)[0..dlen]
178 */
179 sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
180
181 for( i = 0; i < dlen; i += 48 )
182 {
183 sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
184 sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
185
186 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
187
188 for( j = 0; j < k; j++ )
189 dstbuf[i + j] = h_i[j];
190 }
191
192 memset( tmp, 0, sizeof( tmp ) );
193 memset( h_i, 0, sizeof( h_i ) );
194
195 return( 0 );
196}
197
198static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
199static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
200static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
201static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]202
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]203int ssl_derive_keys( ssl_context *ssl )
204{
205 int i;
206 md5_context md5;
207 sha1_context sha1;
208 unsigned char tmp[64];
209 unsigned char padding[16];
210 unsigned char sha1sum[20];
211 unsigned char keyblk[256];
212 unsigned char *key1;
213 unsigned char *key2;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]214 unsigned int iv_copy_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215
216 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
217
218 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]219 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]220 */
221 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]222 {
223 ssl->tls_prf = tls1_prf;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]224 ssl->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]225 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]226 else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]227 {
228 ssl->tls_prf = tls1_prf;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]229 ssl->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]230 }
231 else if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
232 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
233 {
234 ssl->tls_prf = tls_prf_sha384;
235 ssl->calc_finished = ssl_calc_finished_tls_sha384;
236 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]237 else
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]238 {
239 ssl->tls_prf = tls_prf_sha256;
240 ssl->calc_finished = ssl_calc_finished_tls_sha256;
241 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]242
243 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244 * SSLv3:
245 * master =
246 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
247 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
248 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
249 *
250 * TLSv1:
251 * master = PRF( premaster, "master secret", randbytes )[0..47]
252 */
253 if( ssl->resume == 0 )
254 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]255 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]256
257 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
258
259 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
260 {
261 for( i = 0; i < 3; i++ )
262 {
263 memset( padding, 'A' + i, 1 + i );
264
265 sha1_starts( &sha1 );
266 sha1_update( &sha1, padding, 1 + i );
267 sha1_update( &sha1, ssl->premaster, len );
268 sha1_update( &sha1, ssl->randbytes, 64 );
269 sha1_finish( &sha1, sha1sum );
270
271 md5_starts( &md5 );
272 md5_update( &md5, ssl->premaster, len );
273 md5_update( &md5, sha1sum, 20 );
274 md5_finish( &md5, ssl->session->master + i * 16 );
275 }
276 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]277 else
278 ssl->tls_prf( ssl->premaster, len, "master secret",
279 ssl->randbytes, 64, ssl->session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280
281 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
282 }
283 else
284 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
285
286 /*
287 * Swap the client and server random values.
288 */
289 memcpy( tmp, ssl->randbytes, 64 );
290 memcpy( ssl->randbytes, tmp + 32, 32 );
291 memcpy( ssl->randbytes + 32, tmp, 32 );
292 memset( tmp, 0, sizeof( tmp ) );
293
294 /*
295 * SSLv3:
296 * key block =
297 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
298 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
299 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
300 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
301 * ...
302 *
303 * TLSv1:
304 * key block = PRF( master, "key expansion", randbytes )
305 */
306 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
307 {
308 for( i = 0; i < 16; i++ )
309 {
310 memset( padding, 'A' + i, 1 + i );
311
312 sha1_starts( &sha1 );
313 sha1_update( &sha1, padding, 1 + i );
314 sha1_update( &sha1, ssl->session->master, 48 );
315 sha1_update( &sha1, ssl->randbytes, 64 );
316 sha1_finish( &sha1, sha1sum );
317
318 md5_starts( &md5 );
319 md5_update( &md5, ssl->session->master, 48 );
320 md5_update( &md5, sha1sum, 20 );
321 md5_finish( &md5, keyblk + i * 16 );
322 }
323
324 memset( &md5, 0, sizeof( md5 ) );
325 memset( &sha1, 0, sizeof( sha1 ) );
326
327 memset( padding, 0, sizeof( padding ) );
328 memset( sha1sum, 0, sizeof( sha1sum ) );
329 }
330 else
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]331 ssl->tls_prf( ssl->session->master, 48, "key expansion",
332 ssl->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]334 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
336 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
337 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
338
339 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
340
341 /*
342 * Determine the appropriate key, IV and MAC length.
343 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]344 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]346#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347 case SSL_RSA_RC4_128_MD5:
348 ssl->keylen = 16; ssl->minlen = 16;
349 ssl->ivlen = 0; ssl->maclen = 16;
350 break;
351
352 case SSL_RSA_RC4_128_SHA:
353 ssl->keylen = 16; ssl->minlen = 20;
354 ssl->ivlen = 0; ssl->maclen = 20;
355 break;
356#endif
357
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]358#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359 case SSL_RSA_DES_168_SHA:
360 case SSL_EDH_RSA_DES_168_SHA:
361 ssl->keylen = 24; ssl->minlen = 24;
362 ssl->ivlen = 8; ssl->maclen = 20;
363 break;
364#endif
365
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]366#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]368 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 ssl->keylen = 16; ssl->minlen = 32;
370 ssl->ivlen = 16; ssl->maclen = 20;
371 break;
372
373 case SSL_RSA_AES_256_SHA:
374 case SSL_EDH_RSA_AES_256_SHA:
375 ssl->keylen = 32; ssl->minlen = 32;
376 ssl->ivlen = 16; ssl->maclen = 20;
377 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]378
379#if defined(POLARSSL_SHA2_C)
380 case SSL_RSA_AES_128_SHA256:
381 case SSL_EDH_RSA_AES_128_SHA256:
382 ssl->keylen = 16; ssl->minlen = 32;
383 ssl->ivlen = 16; ssl->maclen = 32;
384 break;
385
386 case SSL_RSA_AES_256_SHA256:
387 case SSL_EDH_RSA_AES_256_SHA256:
388 ssl->keylen = 32; ssl->minlen = 32;
389 ssl->ivlen = 16; ssl->maclen = 32;
390 break;
391#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]392#if defined(POLARSSL_GCM_C)
393 case SSL_RSA_AES_128_GCM_SHA256:
394 case SSL_EDH_RSA_AES_128_GCM_SHA256:
395 ssl->keylen = 16; ssl->minlen = 1;
396 ssl->ivlen = 12; ssl->maclen = 0;
397 ssl->fixed_ivlen = 4;
398 break;
399
400 case SSL_RSA_AES_256_GCM_SHA384:
401 case SSL_EDH_RSA_AES_256_GCM_SHA384:
402 ssl->keylen = 32; ssl->minlen = 1;
403 ssl->ivlen = 12; ssl->maclen = 0;
404 ssl->fixed_ivlen = 4;
405 break;
406#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]407#endif
408
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]409#if defined(POLARSSL_CAMELLIA_C)
410 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]411 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]412 ssl->keylen = 16; ssl->minlen = 32;
413 ssl->ivlen = 16; ssl->maclen = 20;
414 break;
415
416 case SSL_RSA_CAMELLIA_256_SHA:
417 case SSL_EDH_RSA_CAMELLIA_256_SHA:
418 ssl->keylen = 32; ssl->minlen = 32;
419 ssl->ivlen = 16; ssl->maclen = 20;
420 break;
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]421
422#if defined(POLARSSL_SHA2_C)
423 case SSL_RSA_CAMELLIA_128_SHA256:
424 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
425 ssl->keylen = 16; ssl->minlen = 32;
426 ssl->ivlen = 16; ssl->maclen = 32;
427 break;
428
429 case SSL_RSA_CAMELLIA_256_SHA256:
430 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
431 ssl->keylen = 32; ssl->minlen = 32;
432 ssl->ivlen = 16; ssl->maclen = 32;
433 break;
434#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]435#endif
436
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]437#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
438#if defined(POLARSSL_CIPHER_NULL_CIPHER)
439 case SSL_RSA_NULL_MD5:
440 ssl->keylen = 0; ssl->minlen = 0;
441 ssl->ivlen = 0; ssl->maclen = 16;
442 break;
443
444 case SSL_RSA_NULL_SHA:
445 ssl->keylen = 0; ssl->minlen = 0;
446 ssl->ivlen = 0; ssl->maclen = 20;
447 break;
448
449 case SSL_RSA_NULL_SHA256:
450 ssl->keylen = 0; ssl->minlen = 0;
451 ssl->ivlen = 0; ssl->maclen = 32;
452 break;
453#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
454
455#if defined(POLARSSL_DES_C)
456 case SSL_RSA_DES_SHA:
457 case SSL_EDH_RSA_DES_SHA:
458 ssl->keylen = 8; ssl->minlen = 8;
459 ssl->ivlen = 8; ssl->maclen = 20;
460 break;
461#endif
462#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
463
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]465 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
466 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]467 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468 }
469
470 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
471 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
472
473 /*
474 * Finally setup the cipher contexts, IVs and MAC secrets.
475 */
476 if( ssl->endpoint == SSL_IS_CLIENT )
477 {
478 key1 = keyblk + ssl->maclen * 2;
479 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
480
481 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
482 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
483
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]484 /*
485 * This is not used in TLS v1.1.
486 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]487 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
488 memcpy( ssl->iv_enc, key2 + ssl->keylen, iv_copy_len );
489 memcpy( ssl->iv_dec, key2 + ssl->keylen + iv_copy_len,
490 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 }
492 else
493 {
494 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
495 key2 = keyblk + ssl->maclen * 2;
496
497 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
498 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
499
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]500 /*
501 * This is not used in TLS v1.1.
502 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]503 iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
504 memcpy( ssl->iv_dec, key1 + ssl->keylen, iv_copy_len );
505 memcpy( ssl->iv_enc, key1 + ssl->keylen + iv_copy_len,
506 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]507 }
508
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]509 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]510 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]511#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512 case SSL_RSA_RC4_128_MD5:
513 case SSL_RSA_RC4_128_SHA:
514 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
515 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
516 break;
517#endif
518
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]519#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]520 case SSL_RSA_DES_168_SHA:
521 case SSL_EDH_RSA_DES_168_SHA:
522 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
523 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
524 break;
525#endif
526
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]527#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]528 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]529 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]530 case SSL_RSA_AES_128_SHA256:
531 case SSL_EDH_RSA_AES_128_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]532 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
533 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
534 break;
535
536 case SSL_RSA_AES_256_SHA:
537 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]538 case SSL_RSA_AES_256_SHA256:
539 case SSL_EDH_RSA_AES_256_SHA256:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]540 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
541 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
542 break;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]543
544#if defined(POLARSSL_GCM_C)
545 case SSL_RSA_AES_128_GCM_SHA256:
546 case SSL_EDH_RSA_AES_128_GCM_SHA256:
547 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 128 );
548 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 128 );
549 break;
550
551 case SSL_RSA_AES_256_GCM_SHA384:
552 case SSL_EDH_RSA_AES_256_GCM_SHA384:
553 gcm_init( (gcm_context *) ssl->ctx_enc, key1, 256 );
554 gcm_init( (gcm_context *) ssl->ctx_dec, key2, 256 );
555 break;
556#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]557#endif
558
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]559#if defined(POLARSSL_CAMELLIA_C)
560 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]561 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]562 case SSL_RSA_CAMELLIA_128_SHA256:
563 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]564 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
565 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
566 break;
567
568 case SSL_RSA_CAMELLIA_256_SHA:
569 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]570 case SSL_RSA_CAMELLIA_256_SHA256:
571 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]572 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
573 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
574 break;
575#endif
576
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]577#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
578#if defined(POLARSSL_CIPHER_NULL_CIPHER)
579 case SSL_RSA_NULL_MD5:
580 case SSL_RSA_NULL_SHA:
581 case SSL_RSA_NULL_SHA256:
582 break;
583#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
584
585#if defined(POLARSSL_DES_C)
586 case SSL_RSA_DES_SHA:
587 case SSL_EDH_RSA_DES_SHA:
588 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
589 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
590 break;
591#endif
592#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
593
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]595 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 }
597
598 memset( keyblk, 0, sizeof( keyblk ) );
599
600 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
601
602 return( 0 );
603}
604
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]605void ssl_calc_verify( ssl_context *ssl, unsigned char hash[48] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]606{
607 md5_context md5;
608 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]609 sha2_context sha2;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]610 sha4_context sha4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]611 unsigned char pad_1[48];
612 unsigned char pad_2[48];
613
614 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
615
616 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
617 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]618 memcpy( &sha2, &ssl->fin_sha2, sizeof( sha2_context ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]619 memcpy( &sha4, &ssl->fin_sha4, sizeof( sha4_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620
621 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
622 {
623 memset( pad_1, 0x36, 48 );
624 memset( pad_2, 0x5C, 48 );
625
626 md5_update( &md5, ssl->session->master, 48 );
627 md5_update( &md5, pad_1, 48 );
628 md5_finish( &md5, hash );
629
630 md5_starts( &md5 );
631 md5_update( &md5, ssl->session->master, 48 );
632 md5_update( &md5, pad_2, 48 );
633 md5_update( &md5, hash, 16 );
634 md5_finish( &md5, hash );
635
636 sha1_update( &sha1, ssl->session->master, 48 );
637 sha1_update( &sha1, pad_1, 40 );
638 sha1_finish( &sha1, hash + 16 );
639
640 sha1_starts( &sha1 );
641 sha1_update( &sha1, ssl->session->master, 48 );
642 sha1_update( &sha1, pad_2, 40 );
643 sha1_update( &sha1, hash + 16, 20 );
644 sha1_finish( &sha1, hash + 16 );
645 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]646 else if( ssl->minor_ver != SSL_MINOR_VERSION_3 ) /* TLSv1 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647 {
648 md5_finish( &md5, hash );
649 sha1_finish( &sha1, hash + 16 );
650 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]651 else if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
652 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
653 {
654 sha4_finish( &sha4, hash );
655 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]656 else
657 {
658 sha2_finish( &sha2, hash );
659 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]661 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
663
664 return;
665}
666
667/*
668 * SSLv3.0 MAC functions
669 */
670static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]671 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672 unsigned char *ctr, int type )
673{
674 unsigned char header[11];
675 unsigned char padding[48];
676 md5_context md5;
677
678 memcpy( header, ctr, 8 );
679 header[ 8] = (unsigned char) type;
680 header[ 9] = (unsigned char)( len >> 8 );
681 header[10] = (unsigned char)( len );
682
683 memset( padding, 0x36, 48 );
684 md5_starts( &md5 );
685 md5_update( &md5, secret, 16 );
686 md5_update( &md5, padding, 48 );
687 md5_update( &md5, header, 11 );
688 md5_update( &md5, buf, len );
689 md5_finish( &md5, buf + len );
690
691 memset( padding, 0x5C, 48 );
692 md5_starts( &md5 );
693 md5_update( &md5, secret, 16 );
694 md5_update( &md5, padding, 48 );
695 md5_update( &md5, buf + len, 16 );
696 md5_finish( &md5, buf + len );
697}
698
699static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]700 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701 unsigned char *ctr, int type )
702{
703 unsigned char header[11];
704 unsigned char padding[40];
705 sha1_context sha1;
706
707 memcpy( header, ctr, 8 );
708 header[ 8] = (unsigned char) type;
709 header[ 9] = (unsigned char)( len >> 8 );
710 header[10] = (unsigned char)( len );
711
712 memset( padding, 0x36, 40 );
713 sha1_starts( &sha1 );
714 sha1_update( &sha1, secret, 20 );
715 sha1_update( &sha1, padding, 40 );
716 sha1_update( &sha1, header, 11 );
717 sha1_update( &sha1, buf, len );
718 sha1_finish( &sha1, buf + len );
719
720 memset( padding, 0x5C, 40 );
721 sha1_starts( &sha1 );
722 sha1_update( &sha1, secret, 20 );
723 sha1_update( &sha1, padding, 40 );
724 sha1_update( &sha1, buf + len, 20 );
725 sha1_finish( &sha1, buf + len );
726}
727
728/*
729 * Encryption/decryption functions
730 */
731static int ssl_encrypt_buf( ssl_context *ssl )
732{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]733 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734
735 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
736
737 /*
738 * Add MAC then encrypt
739 */
740 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
741 {
742 if( ssl->maclen == 16 )
743 ssl_mac_md5( ssl->mac_enc,
744 ssl->out_msg, ssl->out_msglen,
745 ssl->out_ctr, ssl->out_msgtype );
746
747 if( ssl->maclen == 20 )
748 ssl_mac_sha1( ssl->mac_enc,
749 ssl->out_msg, ssl->out_msglen,
750 ssl->out_ctr, ssl->out_msgtype );
751 }
752 else
753 {
754 if( ssl->maclen == 16 )
755 md5_hmac( ssl->mac_enc, 16,
756 ssl->out_ctr, ssl->out_msglen + 13,
757 ssl->out_msg + ssl->out_msglen );
758
759 if( ssl->maclen == 20 )
760 sha1_hmac( ssl->mac_enc, 20,
761 ssl->out_ctr, ssl->out_msglen + 13,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]762 ssl->out_msg + ssl->out_msglen );
763
764 if( ssl->maclen == 32 )
765 sha2_hmac( ssl->mac_enc, 32,
766 ssl->out_ctr, ssl->out_msglen + 13,
767 ssl->out_msg + ssl->out_msglen, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]768 }
769
770 SSL_DEBUG_BUF( 4, "computed mac",
771 ssl->out_msg + ssl->out_msglen, ssl->maclen );
772
773 ssl->out_msglen += ssl->maclen;
774
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775 if( ssl->ivlen == 0 )
776 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]777 padlen = 0;
778
779 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
780 "including %d bytes of padding",
781 ssl->out_msglen, 0 ) );
782
783 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
784 ssl->out_msg, ssl->out_msglen );
785
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]786#if defined(POLARSSL_ARC4_C)
787 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
788 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
789 {
790 arc4_crypt( (arc4_context *) ssl->ctx_enc,
791 ssl->out_msglen, ssl->out_msg,
792 ssl->out_msg );
793 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]794#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]795#if defined(POLARSSL_CIPHER_NULL_CIPHER)
796 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
797 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
798 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
799 {
800 } else
801#endif
802 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]803 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]804 else if( ssl->ivlen == 12 )
805 {
806 size_t enc_msglen;
807 unsigned char *enc_msg;
808 unsigned char add_data[13];
809 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
810
811 padlen = 0;
812 enc_msglen = ssl->out_msglen;
813
814 memcpy( add_data, ssl->out_ctr, 8 );
815 add_data[8] = ssl->out_msgtype;
816 add_data[9] = ssl->major_ver;
817 add_data[10] = ssl->minor_ver;
818 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
819 add_data[12] = ssl->out_msglen & 0xFF;
820
821 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
822 add_data, 13 );
823
824#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
825
826 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
827 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
828 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
829 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
830 {
831 /*
832 * Generate IV
833 */
834 ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc + ssl->fixed_ivlen,
835 ssl->ivlen - ssl->fixed_ivlen );
836 if( ret != 0 )
837 return( ret );
838
839 /*
840 * Shift message for ivlen bytes and prepend IV
841 */
842 memmove( ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen,
843 ssl->out_msg, ssl->out_msglen );
844 memcpy( ssl->out_msg, ssl->iv_enc + ssl->fixed_ivlen,
845 ssl->ivlen - ssl->fixed_ivlen );
846
847 /*
848 * Fix pointer positions and message length with added IV
849 */
850 enc_msg = ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen;
851 enc_msglen = ssl->out_msglen;
852 ssl->out_msglen += ssl->ivlen - ssl->fixed_ivlen;
853
854 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
855 "including %d bytes of padding",
856 ssl->out_msglen, 0 ) );
857
858 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
859 ssl->out_msg, ssl->out_msglen );
860
861 /*
862 * Adjust for tag
863 */
864 ssl->out_msglen += 16;
865
866 gcm_crypt_and_tag( (gcm_context *) ssl->ctx_enc,
867 GCM_ENCRYPT, enc_msglen,
868 ssl->iv_enc, ssl->ivlen,
869 add_data, 13,
870 enc_msg, enc_msg,
871 16, enc_msg + enc_msglen );
872
873 SSL_DEBUG_BUF( 4, "after encrypt: tag",
874 enc_msg + enc_msglen, 16 );
875
876 } else
877#endif
878 return( ret );
879 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]880 else
881 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]882 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]883 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]884
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]885 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
886 if( padlen == ssl->ivlen )
887 padlen = 0;
888
889 for( i = 0; i <= padlen; i++ )
890 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
891
892 ssl->out_msglen += padlen + 1;
893
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]894 enc_msglen = ssl->out_msglen;
895 enc_msg = ssl->out_msg;
896
897 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]898 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
899 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]900 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]901 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]902 {
903 /*
904 * Generate IV
905 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]906 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
907 if( ret != 0 )
908 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]909
910 /*
911 * Shift message for ivlen bytes and prepend IV
912 */
913 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
914 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
915
916 /*
917 * Fix pointer positions and message length with added IV
918 */
919 enc_msg = ssl->out_msg + ssl->ivlen;
920 enc_msglen = ssl->out_msglen;
921 ssl->out_msglen += ssl->ivlen;
922 }
923
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]924 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]925 "including %d bytes of IV and %d bytes of padding",
926 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]927
928 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
929 ssl->out_msg, ssl->out_msglen );
930
931 switch( ssl->ivlen )
932 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]933#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]934 case 8:
935#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
936 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
937 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
938 {
939 des_crypt_cbc( (des_context *) ssl->ctx_enc,
940 DES_ENCRYPT, enc_msglen,
941 ssl->iv_enc, enc_msg, enc_msg );
942 }
943 else
944#endif
945 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
946 DES_ENCRYPT, enc_msglen,
947 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]948 break;
949#endif
950
951 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]952#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]953 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
954 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
955 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]956 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
957 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
958 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
959 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
960 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]961 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]962 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]963 AES_ENCRYPT, enc_msglen,
964 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]965 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]966 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]967#endif
968
969#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]970 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
971 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
972 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]973 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
974 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
975 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
976 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
977 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]978 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]979 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]980 CAMELLIA_ENCRYPT, enc_msglen,
981 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]982 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]983 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]984#endif
985
986 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]987 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]988 }
989 }
990
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]991 for( i = 8; i > 0; i-- )
992 if( ++ssl->out_ctr[i - 1] != 0 )
993 break;
994
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]995 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
996
997 return( 0 );
998}
999
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1000/*
1001 * TODO: Use digest version when integrated!
1002 */
1003#define POLARSSL_SSL_MAX_MAC_SIZE 32
1004
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005static int ssl_decrypt_buf( ssl_context *ssl )
1006{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1007 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1008 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1009
1010 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1011
1012 if( ssl->in_msglen < ssl->minlen )
1013 {
1014 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1015 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1016 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1017 }
1018
1019 if( ssl->ivlen == 0 )
1020 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1021#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1022 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1023 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
1024 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
1025 {
1026 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]1027 ssl->in_msglen, ssl->in_msg,
1028 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1029 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1031#if defined(POLARSSL_CIPHER_NULL_CIPHER)
1032 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
1033 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
1034 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
1035 {
1036 } else
1037#endif
1038 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039 }
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]1040 else if( ssl->ivlen == 12 )
1041 {
1042 unsigned char *dec_msg;
1043 unsigned char *dec_msg_result;
1044 size_t dec_msglen;
1045 unsigned char add_data[13];
1046 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1047
1048 padlen = 0;
1049
1050#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1051 if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 ||
1052 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
1053 ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
1054 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
1055 {
1056 dec_msglen = ssl->in_msglen - ( ssl->ivlen - ssl->fixed_ivlen );
1057 dec_msglen -= 16;
1058 dec_msg = ssl->in_msg + ( ssl->ivlen - ssl->fixed_ivlen );
1059 dec_msg_result = ssl->in_msg;
1060 ssl->in_msglen = dec_msglen;
1061
1062 memcpy( add_data, ssl->in_ctr, 8 );
1063 add_data[8] = ssl->in_msgtype;
1064 add_data[9] = ssl->major_ver;
1065 add_data[10] = ssl->minor_ver;
1066 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1067 add_data[12] = ssl->in_msglen & 0xFF;
1068
1069 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1070 add_data, 13 );
1071
1072 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1073 ssl->ivlen - ssl->fixed_ivlen );
1074
1075 SSL_DEBUG_BUF( 4, "IV used", ssl->iv_dec, ssl->ivlen );
1076 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1077
1078 memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1079 ssl->ivlen - ssl->fixed_ivlen );
1080
1081 ret = gcm_auth_decrypt( (gcm_context *) ssl->ctx_dec,
1082 dec_msglen,
1083 ssl->iv_dec, ssl->ivlen,
1084 add_data, 13,
1085 dec_msg + dec_msglen, 16,
1086 dec_msg, dec_msg_result );
1087
1088 if( ret != 0 )
1089 {
1090 SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1091 -ret ) );
1092
1093 return( POLARSSL_ERR_SSL_INVALID_MAC );
1094 }
1095 } else
1096#endif
1097 return( ret );
1098 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1099 else
1100 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1101 unsigned char *dec_msg;
1102 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1103 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1104
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1105 /*
1106 * Decrypt and check the padding
1107 */
1108 if( ssl->in_msglen % ssl->ivlen != 0 )
1109 {
1110 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1111 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1112 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1113 }
1114
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1115 dec_msglen = ssl->in_msglen;
1116 dec_msg = ssl->in_msg;
1117 dec_msg_result = ssl->in_msg;
1118
1119 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1120 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1121 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1122 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1123 {
1124 dec_msg += ssl->ivlen;
1125 dec_msglen -= ssl->ivlen;
1126 ssl->in_msglen -= ssl->ivlen;
1127
1128 for( i = 0; i < ssl->ivlen; i++ )
1129 ssl->iv_dec[i] = ssl->in_msg[i];
1130 }
1131
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1132 switch( ssl->ivlen )
1133 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1134#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1135 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1136#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1137 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
1138 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1139 {
1140 des_crypt_cbc( (des_context *) ssl->ctx_dec,
1141 DES_DECRYPT, dec_msglen,
1142 ssl->iv_dec, dec_msg, dec_msg_result );
1143 }
1144 else
1145#endif
1146 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
1147 DES_DECRYPT, dec_msglen,
1148 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1149 break;
1150#endif
1151
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1152 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1153#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1154 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
1155 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
1156 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1157 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
1158 ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 ||
1159 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 ||
1160 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 ||
1161 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1162 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1163 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1164 AES_DECRYPT, dec_msglen,
1165 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1166 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1167 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1168#endif
1169
1170#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1171 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
1172 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
1173 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]1174 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
1175 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 ||
1176 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
1177 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 ||
1178 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1179 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1180 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1181 CAMELLIA_DECRYPT, dec_msglen,
1182 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1183 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1184 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1185#endif
1186
1187 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1188 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1189 }
1190
1191 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1192
1193 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1194 {
1195 if( padlen > ssl->ivlen )
1196 {
1197 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1198 "should be no more than %d",
1199 padlen, ssl->ivlen ) );
1200 padlen = 0;
1201 }
1202 }
1203 else
1204 {
1205 /*
1206 * TLSv1: always check the padding
1207 */
1208 for( i = 1; i <= padlen; i++ )
1209 {
1210 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1211 {
1212 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
1213 "%02x, but is %02x", padlen - 1,
1214 ssl->in_msg[ssl->in_msglen - i] ) );
1215 padlen = 0;
1216 }
1217 }
1218 }
1219 }
1220
1221 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1222 ssl->in_msg, ssl->in_msglen );
1223
1224 /*
1225 * Always compute the MAC (RFC4346, CBCTIME).
1226 */
Paul Bakkerf34cf852012-04-10 07:48:40 +0000[diff] [blame]1227 if( ssl->in_msglen < ssl->maclen + padlen )
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]1228 {
1229 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1230 ssl->in_msglen, ssl->maclen, padlen ) );
1231 return( POLARSSL_ERR_SSL_INVALID_MAC );
1232 }
1233
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1234 ssl->in_msglen -= ( ssl->maclen + padlen );
1235
1236 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1237 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1238
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1239 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1240
1241 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1242 {
1243 if( ssl->maclen == 16 )
1244 ssl_mac_md5( ssl->mac_dec,
1245 ssl->in_msg, ssl->in_msglen,
1246 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1247 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1248 ssl_mac_sha1( ssl->mac_dec,
1249 ssl->in_msg, ssl->in_msglen,
1250 ssl->in_ctr, ssl->in_msgtype );
1251 }
1252 else
1253 {
1254 if( ssl->maclen == 16 )
1255 md5_hmac( ssl->mac_dec, 16,
1256 ssl->in_ctr, ssl->in_msglen + 13,
1257 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1258 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1259 sha1_hmac( ssl->mac_dec, 20,
1260 ssl->in_ctr, ssl->in_msglen + 13,
1261 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]1262 else if( ssl->maclen == 32 )
1263 sha2_hmac( ssl->mac_dec, 32,
1264 ssl->in_ctr, ssl->in_msglen + 13,
1265 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1266 }
1267
1268 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
1269 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1270 ssl->maclen );
1271
1272 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1273 ssl->maclen ) != 0 )
1274 {
1275 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1276 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1277 }
1278
1279 /*
1280 * Finally check the padding length; bad padding
1281 * will produce the same error as an invalid MAC.
1282 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]1283 if( ssl->ivlen != 0 && ssl->ivlen != 12 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1284 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1285
1286 if( ssl->in_msglen == 0 )
1287 {
1288 ssl->nb_zero++;
1289
1290 /*
1291 * Three or more empty messages may be a DoS attack
1292 * (excessive CPU consumption).
1293 */
1294 if( ssl->nb_zero > 3 )
1295 {
1296 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1297 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1298 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299 }
1300 }
1301 else
1302 ssl->nb_zero = 0;
1303
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1304 for( i = 8; i > 0; i-- )
1305 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1306 break;
1307
1308 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1309
1310 return( 0 );
1311}
1312
1313/*
1314 * Fill the input message buffer
1315 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1316int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1317{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1318 int ret;
1319 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320
1321 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1322
1323 while( ssl->in_left < nb_want )
1324 {
1325 len = nb_want - ssl->in_left;
1326 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1327
1328 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1329 ssl->in_left, nb_want ) );
1330 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1331
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]1332 if( ret == 0 )
1333 return( POLARSSL_ERR_SSL_CONN_EOF );
1334
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1335 if( ret < 0 )
1336 return( ret );
1337
1338 ssl->in_left += ret;
1339 }
1340
1341 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1342
1343 return( 0 );
1344}
1345
1346/*
1347 * Flush any data not yet written
1348 */
1349int ssl_flush_output( ssl_context *ssl )
1350{
1351 int ret;
1352 unsigned char *buf;
1353
1354 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1355
1356 while( ssl->out_left > 0 )
1357 {
1358 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1359 5 + ssl->out_msglen, ssl->out_left ) );
1360
1361 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1362 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1363 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1364
1365 if( ret <= 0 )
1366 return( ret );
1367
1368 ssl->out_left -= ret;
1369 }
1370
1371 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1372
1373 return( 0 );
1374}
1375
1376/*
1377 * Record layer functions
1378 */
1379int ssl_write_record( ssl_context *ssl )
1380{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1381 int ret;
1382 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1383
1384 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1385
1386 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1387 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1388 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1389 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1390 ssl->out_hdr[4] = (unsigned char)( len );
1391
1392 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1393 {
1394 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1395 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1396 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1397
1398 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
1399 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1400 sha2_update( &ssl->fin_sha2, ssl->out_msg, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]1401 sha4_update( &ssl->fin_sha4, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1402 }
1403
1404 if( ssl->do_crypt != 0 )
1405 {
1406 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1407 {
1408 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1409 return( ret );
1410 }
1411
1412 len = ssl->out_msglen;
1413 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1414 ssl->out_hdr[4] = (unsigned char)( len );
1415 }
1416
1417 ssl->out_left = 5 + ssl->out_msglen;
1418
1419 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1420 "version = [%d:%d], msglen = %d",
1421 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1422 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1423
1424 SSL_DEBUG_BUF( 4, "output record sent to network",
1425 ssl->out_hdr, 5 + ssl->out_msglen );
1426
1427 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1428 {
1429 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1430 return( ret );
1431 }
1432
1433 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1434
1435 return( 0 );
1436}
1437
1438int ssl_read_record( ssl_context *ssl )
1439{
1440 int ret;
1441
1442 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1443
1444 if( ssl->in_hslen != 0 &&
1445 ssl->in_hslen < ssl->in_msglen )
1446 {
1447 /*
1448 * Get next Handshake message in the current record
1449 */
1450 ssl->in_msglen -= ssl->in_hslen;
1451
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1452 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1453 ssl->in_msglen );
1454
1455 ssl->in_hslen = 4;
1456 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1457
1458 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1459 " %d, type = %d, hslen = %d",
1460 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1461
1462 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1463 {
1464 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1465 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1466 }
1467
1468 if( ssl->in_msglen < ssl->in_hslen )
1469 {
1470 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1471 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1472 }
1473
1474 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1475 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1476 sha2_update( &ssl->fin_sha2, ssl->in_msg, ssl->in_hslen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]1477 sha4_update( &ssl->fin_sha4, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1478
1479 return( 0 );
1480 }
1481
1482 ssl->in_hslen = 0;
1483
1484 /*
1485 * Read the record header and validate it
1486 */
1487 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1488 {
1489 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1490 return( ret );
1491 }
1492
1493 ssl->in_msgtype = ssl->in_hdr[0];
1494 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1495
1496 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1497 "version = [%d:%d], msglen = %d",
1498 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1499 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1500
1501 if( ssl->in_hdr[1] != ssl->major_ver )
1502 {
1503 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1504 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1505 }
1506
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1507 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1508 {
1509 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1510 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1511 }
1512
1513 /*
1514 * Make sure the message length is acceptable
1515 */
1516 if( ssl->do_crypt == 0 )
1517 {
1518 if( ssl->in_msglen < 1 ||
1519 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1520 {
1521 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1522 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1523 }
1524 }
1525 else
1526 {
1527 if( ssl->in_msglen < ssl->minlen )
1528 {
1529 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1530 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1531 }
1532
1533 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1534 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1535 {
1536 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1537 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1538 }
1539
1540 /*
1541 * TLS encrypted messages can have up to 256 bytes of padding
1542 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1543 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1545 {
1546 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1547 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1548 }
1549 }
1550
1551 /*
1552 * Read and optionally decrypt the message contents
1553 */
1554 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1555 {
1556 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1557 return( ret );
1558 }
1559
1560 SSL_DEBUG_BUF( 4, "input record from network",
1561 ssl->in_hdr, 5 + ssl->in_msglen );
1562
1563 if( ssl->do_crypt != 0 )
1564 {
1565 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1566 {
1567 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1568 return( ret );
1569 }
1570
1571 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1572 ssl->in_msg, ssl->in_msglen );
1573
1574 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1575 {
1576 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1577 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1578 }
1579 }
1580
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1581 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1582 ssl->in_msgtype != SSL_MSG_ALERT &&
1583 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1584 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1585 {
1586 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1587
1588 if( ( ret = ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1589 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
1590 {
1591 return( ret );
1592 }
1593
1594 return( POLARSSL_ERR_SSL_INVALID_RECORD );
1595 }
1596
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1597 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1598 {
1599 ssl->in_hslen = 4;
1600 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1601
1602 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1603 " %d, type = %d, hslen = %d",
1604 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1605
1606 /*
1607 * Additional checks to validate the handshake header
1608 */
1609 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1610 {
1611 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1612 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1613 }
1614
1615 if( ssl->in_msglen < ssl->in_hslen )
1616 {
1617 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1618 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1619 }
1620
1621 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1622 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1623 sha2_update( &ssl->fin_sha2, ssl->in_msg, ssl->in_hslen );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]1624 sha4_update( &ssl->fin_sha4, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1625 }
1626
1627 if( ssl->in_msgtype == SSL_MSG_ALERT )
1628 {
1629 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1630 ssl->in_msg[0], ssl->in_msg[1] ) );
1631
1632 /*
1633 * Ignore non-fatal alerts, except close_notify
1634 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1635 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1636 {
1637 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1638 /**
1639 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1640 * error identifier.
1641 */
1642 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1643 }
1644
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1645 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1646 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1647 {
1648 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1649 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1650 }
1651 }
1652
1653 ssl->in_left = 0;
1654
1655 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1656
1657 return( 0 );
1658}
1659
Paul Bakker0a925182012-04-16 06:46:41 +0000[diff] [blame]1660int ssl_send_alert_message( ssl_context *ssl,
1661 unsigned char level,
1662 unsigned char message )
1663{
1664 int ret;
1665
1666 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1667
1668 ssl->out_msgtype = SSL_MSG_ALERT;
1669 ssl->out_msglen = 2;
1670 ssl->out_msg[0] = level;
1671 ssl->out_msg[1] = message;
1672
1673 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1674 {
1675 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1676 return( ret );
1677 }
1678
1679 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1680
1681 return( 0 );
1682}
1683
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1684/*
1685 * Handshake functions
1686 */
1687int ssl_write_certificate( ssl_context *ssl )
1688{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1689 int ret;
1690 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1691 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1692
1693 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1694
1695 if( ssl->endpoint == SSL_IS_CLIENT )
1696 {
1697 if( ssl->client_auth == 0 )
1698 {
1699 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1700 ssl->state++;
1701 return( 0 );
1702 }
1703
1704 /*
1705 * If using SSLv3 and got no cert, send an Alert message
1706 * (otherwise an empty Certificate message will be sent).
1707 */
1708 if( ssl->own_cert == NULL &&
1709 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1710 {
1711 ssl->out_msglen = 2;
1712 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1713 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1714 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1715
1716 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1717 goto write_msg;
1718 }
1719 }
1720 else /* SSL_IS_SERVER */
1721 {
1722 if( ssl->own_cert == NULL )
1723 {
1724 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1725 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1726 }
1727 }
1728
1729 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1730
1731 /*
1732 * 0 . 0 handshake type
1733 * 1 . 3 handshake length
1734 * 4 . 6 length of all certs
1735 * 7 . 9 length of cert. 1
1736 * 10 . n-1 peer certificate
1737 * n . n+2 length of cert. 2
1738 * n+3 . ... upper level cert, etc.
1739 */
1740 i = 7;
1741 crt = ssl->own_cert;
1742
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1743 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744 {
1745 n = crt->raw.len;
1746 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1747 {
1748 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1749 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1750 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1751 }
1752
1753 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1754 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1755 ssl->out_msg[i + 2] = (unsigned char)( n );
1756
1757 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1758 i += n; crt = crt->next;
1759 }
1760
1761 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1762 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1763 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1764
1765 ssl->out_msglen = i;
1766 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1767 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1768
1769write_msg:
1770
1771 ssl->state++;
1772
1773 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1774 {
1775 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1776 return( ret );
1777 }
1778
1779 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1780
1781 return( 0 );
1782}
1783
1784int ssl_parse_certificate( ssl_context *ssl )
1785{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1786 int ret;
1787 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788
1789 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1790
1791 if( ssl->endpoint == SSL_IS_SERVER &&
1792 ssl->authmode == SSL_VERIFY_NONE )
1793 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1794 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1796 ssl->state++;
1797 return( 0 );
1798 }
1799
1800 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1801 {
1802 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1803 return( ret );
1804 }
1805
1806 ssl->state++;
1807
1808 /*
1809 * Check if the client sent an empty certificate
1810 */
1811 if( ssl->endpoint == SSL_IS_SERVER &&
1812 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1813 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1814 if( ssl->in_msglen == 2 &&
1815 ssl->in_msgtype == SSL_MSG_ALERT &&
1816 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1817 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1818 {
1819 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1820
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1821 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1822 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1823 return( 0 );
1824 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1825 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826 }
1827 }
1828
1829 if( ssl->endpoint == SSL_IS_SERVER &&
1830 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1831 {
1832 if( ssl->in_hslen == 7 &&
1833 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1834 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1835 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1836 {
1837 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1838
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1839 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1841 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842 else
1843 return( 0 );
1844 }
1845 }
1846
1847 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1848 {
1849 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1850 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851 }
1852
1853 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1854 {
1855 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1856 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857 }
1858
1859 /*
1860 * Same message structure as in ssl_write_certificate()
1861 */
1862 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1863
1864 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1865 {
1866 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1867 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868 }
1869
1870 if( ( ssl->peer_cert = (x509_cert *) malloc(
1871 sizeof( x509_cert ) ) ) == NULL )
1872 {
1873 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1874 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1875 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876 }
1877
1878 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1879
1880 i = 7;
1881
1882 while( i < ssl->in_hslen )
1883 {
1884 if( ssl->in_msg[i] != 0 )
1885 {
1886 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1887 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1888 }
1889
1890 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1891 | (unsigned int) ssl->in_msg[i + 2];
1892 i += 3;
1893
1894 if( n < 128 || i + n > ssl->in_hslen )
1895 {
1896 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1897 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898 }
1899
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1900 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901 if( ret != 0 )
1902 {
1903 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1904 return( ret );
1905 }
1906
1907 i += n;
1908 }
1909
1910 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1911
1912 if( ssl->authmode != SSL_VERIFY_NONE )
1913 {
1914 if( ssl->ca_chain == NULL )
1915 {
1916 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1917 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918 }
1919
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1920 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1921 ssl->peer_cn, &ssl->verify_result,
1922 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923
1924 if( ret != 0 )
1925 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1926
1927 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1928 ret = 0;
1929 }
1930
1931 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1932
1933 return( ret );
1934}
1935
1936int ssl_write_change_cipher_spec( ssl_context *ssl )
1937{
1938 int ret;
1939
1940 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1941
1942 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1943 ssl->out_msglen = 1;
1944 ssl->out_msg[0] = 1;
1945
1946 ssl->do_crypt = 0;
1947 ssl->state++;
1948
1949 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1950 {
1951 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1952 return( ret );
1953 }
1954
1955 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1956
1957 return( 0 );
1958}
1959
1960int ssl_parse_change_cipher_spec( ssl_context *ssl )
1961{
1962 int ret;
1963
1964 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1965
1966 ssl->do_crypt = 0;
1967
1968 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1969 {
1970 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1971 return( ret );
1972 }
1973
1974 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1975 {
1976 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1977 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1978 }
1979
1980 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1981 {
1982 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1983 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1984 }
1985
1986 ssl->state++;
1987
1988 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1989
1990 return( 0 );
1991}
1992
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1993static void ssl_calc_finished_ssl(
1994 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1995{
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1996 char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]1997 md5_context md5;
1998 sha1_context sha1;
1999
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000 unsigned char padbuf[48];
2001 unsigned char md5sum[16];
2002 unsigned char sha1sum[20];
2003
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2004 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2005
2006 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
2007 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2008
2009 /*
2010 * SSLv3:
2011 * hash =
2012 * MD5( master + pad2 +
2013 * MD5( handshake + sender + master + pad1 ) )
2014 * + SHA1( master + pad2 +
2015 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016 */
2017
2018 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2019 md5.state, sizeof( md5.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2020
2021 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2022 sha1.state, sizeof( sha1.state ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2023
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2024 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2025 : (char *) "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2026
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2027 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2029 md5_update( &md5, (unsigned char *) sender, 4 );
2030 md5_update( &md5, ssl->session->master, 48 );
2031 md5_update( &md5, padbuf, 48 );
2032 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2033
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2034 sha1_update( &sha1, (unsigned char *) sender, 4 );
2035 sha1_update( &sha1, ssl->session->master, 48 );
2036 sha1_update( &sha1, padbuf, 40 );
2037 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2039 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2040
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2041 md5_starts( &md5 );
2042 md5_update( &md5, ssl->session->master, 48 );
2043 md5_update( &md5, padbuf, 48 );
2044 md5_update( &md5, md5sum, 16 );
2045 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2047 sha1_starts( &sha1 );
2048 sha1_update( &sha1, ssl->session->master, 48 );
2049 sha1_update( &sha1, padbuf , 40 );
2050 sha1_update( &sha1, sha1sum, 20 );
2051 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2052
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2053 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2054
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2055 memset( &md5, 0, sizeof( md5_context ) );
2056 memset( &sha1, 0, sizeof( sha1_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057
2058 memset( padbuf, 0, sizeof( padbuf ) );
2059 memset( md5sum, 0, sizeof( md5sum ) );
2060 memset( sha1sum, 0, sizeof( sha1sum ) );
2061
2062 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2063}
2064
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2065static void ssl_calc_finished_tls(
2066 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2067{
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2068 int len = 12;
2069 char *sender;
2070 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2071 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2072 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2073
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2074 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2075
2076 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
2077 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
2078
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2079 /*
2080 * TLSv1:
2081 * hash = PRF( master, finished_label,
2082 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2083 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2084
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2085 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2086 md5.state, sizeof( md5.state ) );
2087
2088 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2089 sha1.state, sizeof( sha1.state ) );
2090
2091 sender = ( from == SSL_IS_CLIENT )
2092 ? (char *) "client finished"
2093 : (char *) "server finished";
2094
2095 md5_finish( &md5, padbuf );
2096 sha1_finish( &sha1, padbuf + 16 );
2097
2098 ssl->tls_prf( ssl->session->master, 48, sender,
2099 padbuf, 36, buf, len );
2100
2101 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2102
2103 memset( &md5, 0, sizeof( md5_context ) );
2104 memset( &sha1, 0, sizeof( sha1_context ) );
2105
2106 memset( padbuf, 0, sizeof( padbuf ) );
2107
2108 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2109}
2110
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2111static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2112 ssl_context *ssl, unsigned char *buf, int from )
2113{
2114 int len = 12;
2115 char *sender;
2116 sha2_context sha2;
2117 unsigned char padbuf[32];
2118
2119 SSL_DEBUG_MSG( 2, ( "=> calc finished tls 1.2" ) );
2120
2121 memcpy( &sha2, &ssl->fin_sha2, sizeof( sha2_context ) );
2122
2123 /*
2124 * TLSv1.2:
2125 * hash = PRF( master, finished_label,
2126 * Hash( handshake ) )[0.11]
2127 */
2128
2129 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2130 sha2.state, sizeof( sha2.state ) );
2131
2132 sender = ( from == SSL_IS_CLIENT )
2133 ? (char *) "client finished"
2134 : (char *) "server finished";
2135
2136 sha2_finish( &sha2, padbuf );
2137
2138 ssl->tls_prf( ssl->session->master, 48, sender,
2139 padbuf, 32, buf, len );
2140
2141 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2142
2143 memset( &sha2, 0, sizeof( sha2_context ) );
2144
2145 memset( padbuf, 0, sizeof( padbuf ) );
2146
2147 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2148}
2149
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2150static void ssl_calc_finished_tls_sha384(
2151 ssl_context *ssl, unsigned char *buf, int from )
2152{
2153 int len = 12;
2154 char *sender;
2155 sha4_context sha4;
2156 unsigned char padbuf[48];
2157
2158 SSL_DEBUG_MSG( 2, ( "=> calc finished tls 1.2" ) );
2159
2160 memcpy( &sha4, &ssl->fin_sha4, sizeof( sha4_context ) );
2161
2162 /*
2163 * TLSv1.2:
2164 * hash = PRF( master, finished_label,
2165 * Hash( handshake ) )[0.11]
2166 */
2167
2168 SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2169 sha4.state, sizeof( sha4.state ) );
2170
2171 sender = ( from == SSL_IS_CLIENT )
2172 ? (char *) "client finished"
2173 : (char *) "server finished";
2174
2175 sha4_finish( &sha4, padbuf );
2176
2177 ssl->tls_prf( ssl->session->master, 48, sender,
2178 padbuf, 48, buf, len );
2179
2180 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2181
2182 memset( &sha4, 0, sizeof( sha4_context ) );
2183
2184 memset( padbuf, 0, sizeof( padbuf ) );
2185
2186 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2187}
2188
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2189int ssl_write_finished( ssl_context *ssl )
2190{
2191 int ret, hash_len;
2192
2193 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2194
2195 ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2196
2197 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2199
2200 ssl->out_msglen = 4 + hash_len;
2201 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2202 ssl->out_msg[0] = SSL_HS_FINISHED;
2203
2204 /*
2205 * In case of session resuming, invert the client and server
2206 * ChangeCipherSpec messages order.
2207 */
2208 if( ssl->resume != 0 )
2209 {
2210 if( ssl->endpoint == SSL_IS_CLIENT )
2211 ssl->state = SSL_HANDSHAKE_OVER;
2212 else
2213 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2214 }
2215 else
2216 ssl->state++;
2217
2218 ssl->do_crypt = 1;
2219
2220 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2221 {
2222 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2223 return( ret );
2224 }
2225
2226 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2227
2228 return( 0 );
2229}
2230
2231int ssl_parse_finished( ssl_context *ssl )
2232{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2233 int ret;
2234 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2235 unsigned char buf[36];
2236
2237 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2238
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2239 ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2240
2241 ssl->do_crypt = 1;
2242
2243 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2244 {
2245 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2246 return( ret );
2247 }
2248
2249 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2250 {
2251 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2252 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2253 }
2254
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2255 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2257
2258 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2259 ssl->in_hslen != 4 + hash_len )
2260 {
2261 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2262 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2263 }
2264
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2265 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2266 {
2267 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2268 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2269 }
2270
2271 if( ssl->resume != 0 )
2272 {
2273 if( ssl->endpoint == SSL_IS_CLIENT )
2274 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2275
2276 if( ssl->endpoint == SSL_IS_SERVER )
2277 ssl->state = SSL_HANDSHAKE_OVER;
2278 }
2279 else
2280 ssl->state++;
2281
2282 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2283
2284 return( 0 );
2285}
2286
2287/*
2288 * Initialize an SSL context
2289 */
2290int ssl_init( ssl_context *ssl )
2291{
2292 int len = SSL_BUFFER_LEN;
2293
2294 memset( ssl, 0, sizeof( ssl_context ) );
2295
2296 ssl->in_ctr = (unsigned char *) malloc( len );
2297 ssl->in_hdr = ssl->in_ctr + 8;
2298 ssl->in_msg = ssl->in_ctr + 13;
2299
2300 if( ssl->in_ctr == NULL )
2301 {
2302 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2303 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2304 }
2305
2306 ssl->out_ctr = (unsigned char *) malloc( len );
2307 ssl->out_hdr = ssl->out_ctr + 8;
2308 ssl->out_msg = ssl->out_ctr + 13;
2309
2310 if( ssl->out_ctr == NULL )
2311 {
2312 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2313 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2314 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2315 }
2316
2317 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2318 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2319
2320 ssl->hostname = NULL;
2321 ssl->hostname_len = 0;
2322
2323 md5_starts( &ssl->fin_md5 );
2324 sha1_starts( &ssl->fin_sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2325 sha2_starts( &ssl->fin_sha2, 0 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2326 sha4_starts( &ssl->fin_sha4, 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2327
2328 return( 0 );
2329}
2330
2331/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2332 * Reset an initialized and used SSL context for re-use while retaining
2333 * all application-set variables, function pointers and data.
2334 */
2335void ssl_session_reset( ssl_context *ssl )
2336{
2337 ssl->state = SSL_HELLO_REQUEST;
2338
2339 ssl->in_offt = NULL;
2340
2341 ssl->in_msgtype = 0;
2342 ssl->in_msglen = 0;
2343 ssl->in_left = 0;
2344
2345 ssl->in_hslen = 0;
2346 ssl->nb_zero = 0;
2347
2348 ssl->out_msgtype = 0;
2349 ssl->out_msglen = 0;
2350 ssl->out_left = 0;
2351
2352 ssl->do_crypt = 0;
2353 ssl->pmslen = 0;
2354 ssl->keylen = 0;
2355 ssl->minlen = 0;
2356 ssl->ivlen = 0;
2357 ssl->maclen = 0;
2358
2359 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2360 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2361 memset( ssl->randbytes, 0, 64 );
2362 memset( ssl->premaster, 0, 256 );
2363 memset( ssl->iv_enc, 0, 16 );
2364 memset( ssl->iv_dec, 0, 16 );
2365 memset( ssl->mac_enc, 0, 32 );
2366 memset( ssl->mac_dec, 0, 32 );
2367 memset( ssl->ctx_enc, 0, 128 );
2368 memset( ssl->ctx_dec, 0, 128 );
2369
2370 md5_starts( &ssl->fin_md5 );
2371 sha1_starts( &ssl->fin_sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2372 sha2_starts( &ssl->fin_sha2, 0 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2373 sha4_starts( &ssl->fin_sha4, 1 );
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]2374}
2375
2376/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2377 * SSL set accessors
2378 */
2379void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2380{
2381 ssl->endpoint = endpoint;
2382}
2383
2384void ssl_set_authmode( ssl_context *ssl, int authmode )
2385{
2386 ssl->authmode = authmode;
2387}
2388
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]2389void ssl_set_verify( ssl_context *ssl,
2390 int (*f_vrfy)(void *, x509_cert *, int, int),
2391 void *p_vrfy )
2392{
2393 ssl->f_vrfy = f_vrfy;
2394 ssl->p_vrfy = p_vrfy;
2395}
2396
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2397void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2398 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2399 void *p_rng )
2400{
2401 ssl->f_rng = f_rng;
2402 ssl->p_rng = p_rng;
2403}
2404
2405void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2406 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2407 void *p_dbg )
2408{
2409 ssl->f_dbg = f_dbg;
2410 ssl->p_dbg = p_dbg;
2411}
2412
2413void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2414 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]2415 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2416{
2417 ssl->f_recv = f_recv;
2418 ssl->f_send = f_send;
2419 ssl->p_recv = p_recv;
2420 ssl->p_send = p_send;
2421}
2422
2423void ssl_set_scb( ssl_context *ssl,
2424 int (*s_get)(ssl_context *),
2425 int (*s_set)(ssl_context *) )
2426{
2427 ssl->s_get = s_get;
2428 ssl->s_set = s_set;
2429}
2430
2431void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2432 ssl_session *session )
2433{
2434 ssl->resume = resume;
2435 ssl->timeout = timeout;
2436 ssl->session = session;
2437}
2438
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2439void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2440{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2441 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2442}
2443
2444void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]2445 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2446{
2447 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2448 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2449 ssl->peer_cn = peer_cn;
2450}
2451
2452void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
2453 rsa_context *rsa_key )
2454{
2455 ssl->own_cert = own_cert;
2456 ssl->rsa_key = rsa_key;
2457}
2458
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]2459#if defined(POLARSSL_PKCS11_C)
2460void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
2461 pkcs11_context *pkcs11_key )
2462{
2463 ssl->own_cert = own_cert;
2464 ssl->pkcs11_key = pkcs11_key;
2465}
2466#endif
2467
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2468int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2469{
2470 int ret;
2471
2472 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2473 {
2474 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2475 return( ret );
2476 }
2477
2478 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2479 {
2480 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2481 return( ret );
2482 }
2483
2484 return( 0 );
2485}
2486
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2487int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
2488{
2489 int ret;
2490
2491 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2492 {
2493 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2494 return( ret );
2495 }
2496
2497 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2498 {
2499 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2500 return( ret );
2501 }
2502
2503 return( 0 );
2504}
2505
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2506int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2507{
2508 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2509 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510
2511 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2512 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2513
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2514 if( ssl->hostname == NULL )
2515 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2516
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2517 memcpy( ssl->hostname, (unsigned char *) hostname,
2518 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2519
2520 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2521
2522 return( 0 );
2523}
2524
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2525void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2526{
2527 ssl->max_major_ver = major;
2528 ssl->max_minor_ver = minor;
2529}
2530
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2531/*
2532 * SSL get accessors
2533 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2534size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2535{
2536 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2537}
2538
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2539int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2540{
2541 return( ssl->verify_result );
2542}
2543
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2544const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2545{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2546 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2547 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2548#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2549 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2550 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2551
2552 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2553 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2554#endif
2555
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2556#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2557 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2558 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2559
2560 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2561 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2562#endif
2563
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2564#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2565 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2566 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2567
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2568 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2569 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2570
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2571 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2572 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2573
2574 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2575 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2576
2577#if defined(POLARSSL_SHA2_C)
2578 case SSL_RSA_AES_128_SHA256:
2579 return( "SSL-RSA-AES-128-SHA256" );
2580
2581 case SSL_EDH_RSA_AES_128_SHA256:
2582 return( "SSL-EDH-RSA-AES-128-SHA256" );
2583
2584 case SSL_RSA_AES_256_SHA256:
2585 return( "SSL-RSA-AES-256-SHA256" );
2586
2587 case SSL_EDH_RSA_AES_256_SHA256:
2588 return( "SSL-EDH-RSA-AES-256-SHA256" );
2589#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2590
2591#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2592 case SSL_RSA_AES_128_GCM_SHA256:
2593 return( "SSL-RSA-AES-128-GCM-SHA256" );
2594
2595 case SSL_EDH_RSA_AES_128_GCM_SHA256:
2596 return( "SSL-EDH-RSA-AES-128-GCM-SHA256" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2597#endif
2598
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2599#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2600 case SSL_RSA_AES_256_GCM_SHA384:
2601 return( "SSL-RSA-AES-256-GCM-SHA384" );
2602
2603 case SSL_EDH_RSA_AES_256_GCM_SHA384:
2604 return( "SSL-EDH-RSA-AES-256-GCM-SHA384" );
2605#endif
2606#endif /* POLARSSL_AES_C */
2607
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2608#if defined(POLARSSL_CAMELLIA_C)
2609 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2610 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2611
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2612 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2613 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2614
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2615 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2616 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2617
2618 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2619 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2620
2621#if defined(POLARSSL_SHA2_C)
2622 case SSL_RSA_CAMELLIA_128_SHA256:
2623 return( "SSL-RSA-CAMELLIA-128-SHA256" );
2624
2625 case SSL_EDH_RSA_CAMELLIA_128_SHA256:
2626 return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
2627
2628 case SSL_RSA_CAMELLIA_256_SHA256:
2629 return( "SSL-RSA-CAMELLIA-256-SHA256" );
2630
2631 case SSL_EDH_RSA_CAMELLIA_256_SHA256:
2632 return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
2633#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2634#endif
2635
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2636#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2637#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2638 case SSL_RSA_NULL_MD5:
2639 return( "SSL-RSA-NULL-MD5" );
2640 case SSL_RSA_NULL_SHA:
2641 return( "SSL-RSA-NULL-SHA" );
2642 case SSL_RSA_NULL_SHA256:
2643 return( "SSL-RSA-NULL-SHA256" );
2644#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2645
2646#if defined(POLARSSL_DES_C)
2647 case SSL_RSA_DES_SHA:
2648 return( "SSL-RSA-DES-SHA" );
2649 case SSL_EDH_RSA_DES_SHA:
2650 return( "SSL-EDH-RSA-DES-SHA" );
2651#endif
2652#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2653
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2654 default:
2655 break;
2656 }
2657
2658 return( "unknown" );
2659}
2660
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2661int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2662{
2663#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2664 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2665 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2666 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2667 return( SSL_RSA_RC4_128_SHA );
2668#endif
2669
2670#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2671 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2672 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2673 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2674 return( SSL_EDH_RSA_DES_168_SHA );
2675#endif
2676
2677#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2678 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2679 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2680 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2681 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2682 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2683 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2684 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2685 return( SSL_EDH_RSA_AES_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2686
2687#if defined(POLARSSL_SHA2_C)
2688 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
2689 return( SSL_RSA_AES_128_SHA256 );
2690 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
2691 return( SSL_EDH_RSA_AES_128_SHA256 );
2692 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
2693 return( SSL_RSA_AES_256_SHA256 );
2694 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
2695 return( SSL_EDH_RSA_AES_256_SHA256 );
2696#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2697
2698#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2699 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-GCM-SHA256"))
2700 return( SSL_RSA_AES_128_GCM_SHA256 );
2701 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-GCM-SHA256"))
2702 return( SSL_EDH_RSA_AES_128_GCM_SHA256 );
2703#endif
2704
2705#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2706 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-GCM-SHA384"))
2707 return( SSL_RSA_AES_256_GCM_SHA384 );
2708 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-GCM-SHA384"))
2709 return( SSL_EDH_RSA_AES_256_GCM_SHA384 );
2710#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2711#endif
2712
2713#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2714 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2715 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2716 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2717 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2718 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2719 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2720 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2721 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2722
2723#if defined(POLARSSL_SHA2_C)
2724 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
2725 return( SSL_RSA_CAMELLIA_128_SHA256 );
2726 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
2727 return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
2728 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
2729 return( SSL_RSA_CAMELLIA_256_SHA256 );
2730 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
2731 return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
2732#endif
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2733#endif
2734
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2735#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2736#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2737 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
2738 return( SSL_RSA_NULL_MD5 );
2739 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
2740 return( SSL_RSA_NULL_SHA );
2741 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
2742 return( SSL_RSA_NULL_SHA256 );
2743#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2744
2745#if defined(POLARSSL_DES_C)
2746 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
2747 return( SSL_RSA_DES_SHA );
2748 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
2749 return( SSL_EDH_RSA_DES_SHA );
2750#endif
2751#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2752
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2753 return( 0 );
2754}
2755
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2756const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2757{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2758 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2759}
2760
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2761const char *ssl_get_version( const ssl_context *ssl )
2762{
2763 switch( ssl->minor_ver )
2764 {
2765 case SSL_MINOR_VERSION_0:
2766 return( "SSLv3.0" );
2767
2768 case SSL_MINOR_VERSION_1:
2769 return( "TLSv1.0" );
2770
2771 case SSL_MINOR_VERSION_2:
2772 return( "TLSv1.1" );
2773
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2774 case SSL_MINOR_VERSION_3:
2775 return( "TLSv1.2" );
2776
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2777 default:
2778 break;
2779 }
2780 return( "unknown" );
2781}
2782
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2783int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2784{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2785#if defined(POLARSSL_DHM_C)
2786#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2787#if defined(POLARSSL_SHA2_C)
2788 SSL_EDH_RSA_AES_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2789#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2790#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2791 SSL_EDH_RSA_AES_256_GCM_SHA384,
2792#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2793 SSL_EDH_RSA_AES_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2794#if defined(POLARSSL_SHA2_C)
2795 SSL_EDH_RSA_AES_128_SHA256,
2796#endif
2797#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2798 SSL_EDH_RSA_AES_128_GCM_SHA256,
2799#endif
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2800 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2801#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2802#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2803#if defined(POLARSSL_SHA2_C)
2804 SSL_EDH_RSA_CAMELLIA_256_SHA256,
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2805#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2806 SSL_EDH_RSA_CAMELLIA_256_SHA,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2807#if defined(POLARSSL_SHA2_C)
2808 SSL_EDH_RSA_CAMELLIA_128_SHA256,
2809#endif /* POLARSSL_SHA2_C */
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2810 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2811#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2812#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2813 SSL_EDH_RSA_DES_168_SHA,
2814#endif
2815#endif
2816
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2817#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2818#if defined(POLARSSL_SHA2_C)
2819 SSL_RSA_AES_256_SHA256,
2820#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2821#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2822 SSL_RSA_AES_256_GCM_SHA384,
2823#endif /* POLARSSL_SHA2_C */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2824 SSL_RSA_AES_256_SHA,
2825#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2826#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2827#if defined(POLARSSL_SHA2_C)
2828 SSL_RSA_CAMELLIA_256_SHA256,
2829#endif /* POLARSSL_SHA2_C */
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2830 SSL_RSA_CAMELLIA_256_SHA,
2831#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2832#if defined(POLARSSL_AES_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2833#if defined(POLARSSL_SHA2_C)
2834 SSL_RSA_AES_128_SHA256,
2835#endif /* POLARSSL_SHA2_C */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame^]2836#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2837 SSL_RSA_AES_128_GCM_SHA256,
2838#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2839 SSL_RSA_AES_128_SHA,
2840#endif
2841#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker10cd2252012-04-12 21:26:34 +0000[diff] [blame]2842#if defined(POLARSSL_SHA2_C)
2843 SSL_RSA_CAMELLIA_128_SHA256,
2844#endif /* POLARSSL_SHA2_C */
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2845 SSL_RSA_CAMELLIA_128_SHA,
2846#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2847#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2848 SSL_RSA_DES_168_SHA,
2849#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2850#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2851 SSL_RSA_RC4_128_SHA,
2852 SSL_RSA_RC4_128_MD5,
2853#endif
2854 0
2855};
2856
2857/*
2858 * Perform the SSL handshake
2859 */
2860int ssl_handshake( ssl_context *ssl )
2861{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2862 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2863
2864 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
2865
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2866#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2867 if( ssl->endpoint == SSL_IS_CLIENT )
2868 ret = ssl_handshake_client( ssl );
2869#endif
2870
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2871#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2872 if( ssl->endpoint == SSL_IS_SERVER )
2873 ret = ssl_handshake_server( ssl );
2874#endif
2875
2876 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
2877
2878 return( ret );
2879}
2880
2881/*
2882 * Receive application data decrypted from the SSL layer
2883 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2884int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2885{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2886 int ret;
2887 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2888
2889 SSL_DEBUG_MSG( 2, ( "=> read" ) );
2890
2891 if( ssl->state != SSL_HANDSHAKE_OVER )
2892 {
2893 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2894 {
2895 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2896 return( ret );
2897 }
2898 }
2899
2900 if( ssl->in_offt == NULL )
2901 {
2902 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2903 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2904 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2905 return( 0 );
2906
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2907 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2908 return( ret );
2909 }
2910
2911 if( ssl->in_msglen == 0 &&
2912 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
2913 {
2914 /*
2915 * OpenSSL sends empty messages to randomize the IV
2916 */
2917 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2918 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2919 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2920 return( 0 );
2921
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2922 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2923 return( ret );
2924 }
2925 }
2926
2927 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2928 {
2929 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2930 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2931 }
2932
2933 ssl->in_offt = ssl->in_msg;
2934 }
2935
2936 n = ( len < ssl->in_msglen )
2937 ? len : ssl->in_msglen;
2938
2939 memcpy( buf, ssl->in_offt, n );
2940 ssl->in_msglen -= n;
2941
2942 if( ssl->in_msglen == 0 )
2943 /* all bytes consumed */
2944 ssl->in_offt = NULL;
2945 else
2946 /* more data available */
2947 ssl->in_offt += n;
2948
2949 SSL_DEBUG_MSG( 2, ( "<= read" ) );
2950
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2951 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2952}
2953
2954/*
2955 * Send application data to be encrypted by the SSL layer
2956 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2957int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2958{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2959 int ret;
2960 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2961
2962 SSL_DEBUG_MSG( 2, ( "=> write" ) );
2963
2964 if( ssl->state != SSL_HANDSHAKE_OVER )
2965 {
2966 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2967 {
2968 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2969 return( ret );
2970 }
2971 }
2972
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2973 n = ( len < SSL_MAX_CONTENT_LEN )
2974 ? len : SSL_MAX_CONTENT_LEN;
2975
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2976 if( ssl->out_left != 0 )
2977 {
2978 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2979 {
2980 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2981 return( ret );
2982 }
2983 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2984 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]2985 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2986 ssl->out_msglen = n;
2987 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
2988 memcpy( ssl->out_msg, buf, n );
2989
2990 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2991 {
2992 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2993 return( ret );
2994 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2995 }
2996
2997 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2998
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2999 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3000}
3001
3002/*
3003 * Notify the peer that the connection is being closed
3004 */
3005int ssl_close_notify( ssl_context *ssl )
3006{
3007 int ret;
3008
3009 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3010
3011 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3012 {
3013 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3014 return( ret );
3015 }
3016
3017 if( ssl->state == SSL_HANDSHAKE_OVER )
3018 {
3019 ssl->out_msgtype = SSL_MSG_ALERT;
3020 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]3021 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
3022 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3023
3024 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3025 {
3026 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3027 return( ret );
3028 }
3029 }
3030
3031 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3032
3033 return( ret );
3034}
3035
3036/*
3037 * Free an SSL context
3038 */
3039void ssl_free( ssl_context *ssl )
3040{
3041 SSL_DEBUG_MSG( 2, ( "=> free" ) );
3042
3043 if( ssl->peer_cert != NULL )
3044 {
3045 x509_free( ssl->peer_cert );
3046 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
3047 free( ssl->peer_cert );
3048 }
3049
3050 if( ssl->out_ctr != NULL )
3051 {
3052 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3053 free( ssl->out_ctr );
3054 }
3055
3056 if( ssl->in_ctr != NULL )
3057 {
3058 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3059 free( ssl->in_ctr );
3060 }
3061
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3062#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3063 dhm_free( &ssl->dhm_ctx );
3064#endif
3065
3066 if ( ssl->hostname != NULL)
3067 {
3068 memset( ssl->hostname, 0, ssl->hostname_len );
3069 free( ssl->hostname );
3070 ssl->hostname_len = 0;
3071 }
3072
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3073 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]3074
3075 /* Actually free after last debug message */
3076 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3077}
3078
3079#endif