blob: 72cd6d21a8d4382cacfd0f1454ae6b6d827ec625 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 shared functions
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +00004 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +00006 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakkerb96f1542010-07-18 20:36:00 +00007 *
Paul Bakker5121ce52009-01-03 21:22:43 +00008 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The SSL 3.0 specification was drafted by Netscape in 1996,
24 * and became an IETF standard in 1999.
25 *
26 * http://wp.netscape.com/eng/ssl3/
27 * http://www.ietf.org/rfc/rfc2246.txt
28 * http://www.ietf.org/rfc/rfc4346.txt
29 */
30
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020031#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +000032#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020033#else
34#include POLARSSL_CONFIG_FILE
35#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000036
Paul Bakker40e46942009-01-03 21:51:57 +000037#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000038
Paul Bakker0be444a2013-08-27 21:55:01 +020039#include "polarssl/debug.h"
40#include "polarssl/ssl.h"
41
Rich Evans00ab4702015-02-06 13:43:58 +000042#include <string.h>
43
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +020044#if defined(POLARSSL_X509_CRT_PARSE_C) && \
45 defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
46#include "polarssl/oid.h"
47#endif
48
Paul Bakker7dc4c442014-02-01 22:50:26 +010049#if defined(POLARSSL_PLATFORM_C)
50#include "polarssl/platform.h"
Paul Bakker6e339b52013-07-03 13:37:05 +020051#else
Rich Evans00ab4702015-02-06 13:43:58 +000052#include <stdlib.h>
Paul Bakker6e339b52013-07-03 13:37:05 +020053#define polarssl_malloc malloc
54#define polarssl_free free
55#endif
56
Paul Bakker6edcd412013-10-29 15:22:54 +010057#if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
58 !defined(EFI32)
Paul Bakkeraf5c85f2011-04-18 03:47:52 +000059#define strcasecmp _stricmp
60#endif
61
Paul Bakker34617722014-06-13 17:20:13 +020062/* Implementation that should never be optimized out by the compiler */
63static void polarssl_zeroize( void *v, size_t n ) {
64 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
65}
66
Paul Bakker05decb22013-08-15 13:33:48 +020067#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +020068/*
69 * Convert max_fragment_length codes to length.
70 * RFC 6066 says:
71 * enum{
72 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
73 * } MaxFragmentLength;
74 * and we add 0 -> extension unused
75 */
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +020076static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +020077{
78 SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
79 512, /* SSL_MAX_FRAG_LEN_512 */
80 1024, /* SSL_MAX_FRAG_LEN_1024 */
81 2048, /* SSL_MAX_FRAG_LEN_2048 */
82 4096, /* SSL_MAX_FRAG_LEN_4096 */
83};
Paul Bakker05decb22013-08-15 13:33:48 +020084#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +020085
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +020086static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
87{
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +020088 ssl_session_free( dst );
89 memcpy( dst, src, sizeof( ssl_session ) );
90
Paul Bakker7c6b2c32013-09-16 13:49:26 +020091#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +020092 if( src->peer_cert != NULL )
93 {
Paul Bakker2292d1f2013-09-15 17:06:49 +020094 int ret;
95
Mansour Moufidc531b4a2015-02-15 17:35:38 -050096 dst->peer_cert = polarssl_malloc( sizeof(x509_crt) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +020097 if( dst->peer_cert == NULL )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +020098 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
99
Paul Bakkerb6b09562013-09-18 14:17:41 +0200100 x509_crt_init( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200101
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200102 if( ( ret = x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
103 src->peer_cert->raw.len ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200104 {
105 polarssl_free( dst->peer_cert );
106 dst->peer_cert = NULL;
107 return( ret );
108 }
109 }
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200110#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200111
Paul Bakkera503a632013-08-14 13:48:06 +0200112#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200113 if( src->ticket != NULL )
114 {
Mansour Moufidc531b4a2015-02-15 17:35:38 -0500115 dst->ticket = polarssl_malloc( src->ticket_len );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200116 if( dst->ticket == NULL )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200117 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
118
119 memcpy( dst->ticket, src->ticket, src->ticket_len );
120 }
Paul Bakkera503a632013-08-14 13:48:06 +0200121#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200122
123 return( 0 );
124}
125
Paul Bakker05ef8352012-05-08 09:17:57 +0000126#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200127int (*ssl_hw_record_init)( ssl_context *ssl,
Paul Bakker9af723c2014-05-01 13:03:14 +0200128 const unsigned char *key_enc, const unsigned char *key_dec,
129 size_t keylen,
130 const unsigned char *iv_enc, const unsigned char *iv_dec,
131 size_t ivlen,
132 const unsigned char *mac_enc, const unsigned char *mac_dec,
Paul Bakker66d5d072014-06-17 16:39:18 +0200133 size_t maclen ) = NULL;
134int (*ssl_hw_record_activate)( ssl_context *ssl, int direction) = NULL;
135int (*ssl_hw_record_reset)( ssl_context *ssl ) = NULL;
136int (*ssl_hw_record_write)( ssl_context *ssl ) = NULL;
137int (*ssl_hw_record_read)( ssl_context *ssl ) = NULL;
138int (*ssl_hw_record_finish)( ssl_context *ssl ) = NULL;
Paul Bakker9af723c2014-05-01 13:03:14 +0200139#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000140
Paul Bakker5121ce52009-01-03 21:22:43 +0000141/*
142 * Key material generation
143 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200144#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200145static int ssl3_prf( const unsigned char *secret, size_t slen,
146 const char *label,
147 const unsigned char *random, size_t rlen,
Paul Bakker5f70b252012-09-13 14:23:06 +0000148 unsigned char *dstbuf, size_t dlen )
149{
150 size_t i;
151 md5_context md5;
152 sha1_context sha1;
153 unsigned char padding[16];
154 unsigned char sha1sum[20];
155 ((void)label);
156
Paul Bakker5b4af392014-06-26 12:09:34 +0200157 md5_init( &md5 );
158 sha1_init( &sha1 );
159
Paul Bakker5f70b252012-09-13 14:23:06 +0000160 /*
161 * SSLv3:
162 * block =
163 * MD5( secret + SHA1( 'A' + secret + random ) ) +
164 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
165 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
166 * ...
167 */
168 for( i = 0; i < dlen / 16; i++ )
169 {
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200170 memset( padding, (unsigned char) ('A' + i), 1 + i );
Paul Bakker5f70b252012-09-13 14:23:06 +0000171
172 sha1_starts( &sha1 );
173 sha1_update( &sha1, padding, 1 + i );
174 sha1_update( &sha1, secret, slen );
175 sha1_update( &sha1, random, rlen );
176 sha1_finish( &sha1, sha1sum );
177
178 md5_starts( &md5 );
179 md5_update( &md5, secret, slen );
180 md5_update( &md5, sha1sum, 20 );
181 md5_finish( &md5, dstbuf + i * 16 );
182 }
183
Paul Bakker5b4af392014-06-26 12:09:34 +0200184 md5_free( &md5 );
185 sha1_free( &sha1 );
Paul Bakker5f70b252012-09-13 14:23:06 +0000186
Paul Bakker34617722014-06-13 17:20:13 +0200187 polarssl_zeroize( padding, sizeof( padding ) );
188 polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5f70b252012-09-13 14:23:06 +0000189
190 return( 0 );
191}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200192#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000193
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200194#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200195static int tls1_prf( const unsigned char *secret, size_t slen,
196 const char *label,
197 const unsigned char *random, size_t rlen,
Paul Bakker23986e52011-04-24 08:57:21 +0000198 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000199{
Paul Bakker23986e52011-04-24 08:57:21 +0000200 size_t nb, hs;
201 size_t i, j, k;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200202 const unsigned char *S1, *S2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000203 unsigned char tmp[128];
204 unsigned char h_i[20];
205
206 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000207 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000208
209 hs = ( slen + 1 ) / 2;
210 S1 = secret;
211 S2 = secret + slen - hs;
212
213 nb = strlen( label );
214 memcpy( tmp + 20, label, nb );
215 memcpy( tmp + 20 + nb, random, rlen );
216 nb += rlen;
217
218 /*
219 * First compute P_md5(secret,label+random)[0..dlen]
220 */
221 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
222
223 for( i = 0; i < dlen; i += 16 )
224 {
225 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
226 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
227
228 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
229
230 for( j = 0; j < k; j++ )
231 dstbuf[i + j] = h_i[j];
232 }
233
234 /*
235 * XOR out with P_sha1(secret,label+random)[0..dlen]
236 */
237 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
238
239 for( i = 0; i < dlen; i += 20 )
240 {
241 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
242 sha1_hmac( S2, hs, tmp, 20, tmp );
243
244 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
245
246 for( j = 0; j < k; j++ )
247 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
248 }
249
Paul Bakker34617722014-06-13 17:20:13 +0200250 polarssl_zeroize( tmp, sizeof( tmp ) );
251 polarssl_zeroize( h_i, sizeof( h_i ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000252
253 return( 0 );
254}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200255#endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000256
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200257#if defined(POLARSSL_SSL_PROTO_TLS1_2)
258#if defined(POLARSSL_SHA256_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200259static int tls_prf_sha256( const unsigned char *secret, size_t slen,
260 const char *label,
261 const unsigned char *random, size_t rlen,
Paul Bakker1ef83d62012-04-11 12:09:53 +0000262 unsigned char *dstbuf, size_t dlen )
263{
264 size_t nb;
265 size_t i, j, k;
266 unsigned char tmp[128];
267 unsigned char h_i[32];
268
269 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
270 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
271
272 nb = strlen( label );
273 memcpy( tmp + 32, label, nb );
274 memcpy( tmp + 32 + nb, random, rlen );
275 nb += rlen;
276
277 /*
278 * Compute P_<hash>(secret, label + random)[0..dlen]
279 */
Paul Bakker9e36f042013-06-30 14:34:05 +0200280 sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000281
282 for( i = 0; i < dlen; i += 32 )
283 {
Paul Bakker9e36f042013-06-30 14:34:05 +0200284 sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
285 sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000286
287 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
288
289 for( j = 0; j < k; j++ )
290 dstbuf[i + j] = h_i[j];
291 }
292
Paul Bakker34617722014-06-13 17:20:13 +0200293 polarssl_zeroize( tmp, sizeof( tmp ) );
294 polarssl_zeroize( h_i, sizeof( h_i ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000295
296 return( 0 );
297}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200298#endif /* POLARSSL_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000299
Paul Bakker9e36f042013-06-30 14:34:05 +0200300#if defined(POLARSSL_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200301static int tls_prf_sha384( const unsigned char *secret, size_t slen,
302 const char *label,
303 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000304 unsigned char *dstbuf, size_t dlen )
305{
306 size_t nb;
307 size_t i, j, k;
308 unsigned char tmp[128];
309 unsigned char h_i[48];
310
311 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
312 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
313
314 nb = strlen( label );
315 memcpy( tmp + 48, label, nb );
316 memcpy( tmp + 48 + nb, random, rlen );
317 nb += rlen;
318
319 /*
320 * Compute P_<hash>(secret, label + random)[0..dlen]
321 */
Paul Bakker9e36f042013-06-30 14:34:05 +0200322 sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000323
324 for( i = 0; i < dlen; i += 48 )
325 {
Paul Bakker9e36f042013-06-30 14:34:05 +0200326 sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
327 sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000328
329 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
330
331 for( j = 0; j < k; j++ )
332 dstbuf[i + j] = h_i[j];
333 }
334
Paul Bakker34617722014-06-13 17:20:13 +0200335 polarssl_zeroize( tmp, sizeof( tmp ) );
336 polarssl_zeroize( h_i, sizeof( h_i ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000337
338 return( 0 );
339}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200340#endif /* POLARSSL_SHA512_C */
341#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000342
Paul Bakker66d5d072014-06-17 16:39:18 +0200343static void ssl_update_checksum_start( ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200344
345#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
346 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker66d5d072014-06-17 16:39:18 +0200347static void ssl_update_checksum_md5sha1( ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200348#endif
Paul Bakker380da532012-04-18 16:10:25 +0000349
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200350#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker66d5d072014-06-17 16:39:18 +0200351static void ssl_calc_verify_ssl( ssl_context *, unsigned char * );
352static void ssl_calc_finished_ssl( ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200353#endif
354
355#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker66d5d072014-06-17 16:39:18 +0200356static void ssl_calc_verify_tls( ssl_context *, unsigned char * );
357static void ssl_calc_finished_tls( ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200358#endif
359
360#if defined(POLARSSL_SSL_PROTO_TLS1_2)
361#if defined(POLARSSL_SHA256_C)
Paul Bakker66d5d072014-06-17 16:39:18 +0200362static void ssl_update_checksum_sha256( ssl_context *, const unsigned char *, size_t );
363static void ssl_calc_verify_tls_sha256( ssl_context *,unsigned char * );
364static void ssl_calc_finished_tls_sha256( ssl_context *,unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200365#endif
Paul Bakker769075d2012-11-24 11:26:46 +0100366
Paul Bakker9e36f042013-06-30 14:34:05 +0200367#if defined(POLARSSL_SHA512_C)
Paul Bakker66d5d072014-06-17 16:39:18 +0200368static void ssl_update_checksum_sha384( ssl_context *, const unsigned char *, size_t );
369static void ssl_calc_verify_tls_sha384( ssl_context *, unsigned char * );
370static void ssl_calc_finished_tls_sha384( ssl_context *, unsigned char *, int );
Paul Bakker769075d2012-11-24 11:26:46 +0100371#endif
Paul Bakker9af723c2014-05-01 13:03:14 +0200372#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000373
Paul Bakker5121ce52009-01-03 21:22:43 +0000374int ssl_derive_keys( ssl_context *ssl )
375{
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200376 int ret = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000377 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000378 unsigned char keyblk[256];
379 unsigned char *key1;
380 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100381 unsigned char *mac_enc;
382 unsigned char *mac_dec;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200383 size_t iv_copy_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100384 const cipher_info_t *cipher_info;
385 const md_info_t *md_info;
386
Paul Bakker48916f92012-09-16 19:57:18 +0000387 ssl_session *session = ssl->session_negotiate;
388 ssl_transform *transform = ssl->transform_negotiate;
389 ssl_handshake_params *handshake = ssl->handshake;
Paul Bakker5121ce52009-01-03 21:22:43 +0000390
391 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
392
Paul Bakker68884e32013-01-07 18:20:04 +0100393 cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
394 if( cipher_info == NULL )
395 {
Paul Bakkerf7abd422013-04-16 13:15:56 +0200396 SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100397 transform->ciphersuite_info->cipher ) );
398 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
399 }
400
401 md_info = md_info_from_type( transform->ciphersuite_info->mac );
402 if( md_info == NULL )
403 {
Paul Bakkerf7abd422013-04-16 13:15:56 +0200404 SSL_DEBUG_MSG( 1, ( "md info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100405 transform->ciphersuite_info->mac ) );
406 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
407 }
408
Paul Bakker5121ce52009-01-03 21:22:43 +0000409 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000410 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000411 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200412#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000413 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000414 {
Paul Bakker48916f92012-09-16 19:57:18 +0000415 handshake->tls_prf = ssl3_prf;
416 handshake->calc_verify = ssl_calc_verify_ssl;
417 handshake->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000418 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200419 else
420#endif
421#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
422 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000423 {
Paul Bakker48916f92012-09-16 19:57:18 +0000424 handshake->tls_prf = tls1_prf;
425 handshake->calc_verify = ssl_calc_verify_tls;
426 handshake->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000427 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200428 else
429#endif
430#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker9e36f042013-06-30 14:34:05 +0200431#if defined(POLARSSL_SHA512_C)
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200432 if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
433 transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000434 {
Paul Bakker48916f92012-09-16 19:57:18 +0000435 handshake->tls_prf = tls_prf_sha384;
436 handshake->calc_verify = ssl_calc_verify_tls_sha384;
437 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000438 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000439 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200440#endif
441#if defined(POLARSSL_SHA256_C)
442 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000443 {
Paul Bakker48916f92012-09-16 19:57:18 +0000444 handshake->tls_prf = tls_prf_sha256;
445 handshake->calc_verify = ssl_calc_verify_tls_sha256;
446 handshake->calc_finished = ssl_calc_finished_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000447 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200448 else
449#endif
Paul Bakker9af723c2014-05-01 13:03:14 +0200450#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200451 {
452 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200453 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200454 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000455
456 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000457 * SSLv3:
458 * master =
459 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
460 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
461 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakkerf7abd422013-04-16 13:15:56 +0200462 *
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200463 * TLSv1+:
Paul Bakker5121ce52009-01-03 21:22:43 +0000464 * master = PRF( premaster, "master secret", randbytes )[0..47]
465 */
Paul Bakker0a597072012-09-25 21:55:46 +0000466 if( handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000467 {
Paul Bakker48916f92012-09-16 19:57:18 +0000468 SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
469 handshake->pmslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000470
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200471#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
472 if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_ENABLED )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200473 {
474 unsigned char session_hash[48];
475 size_t hash_len;
476
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200477 SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200478
479 ssl->handshake->calc_verify( ssl, session_hash );
480
481#if defined(POLARSSL_SSL_PROTO_TLS1_2)
482 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
483 {
484#if defined(POLARSSL_SHA512_C)
485 if( ssl->transform_negotiate->ciphersuite_info->mac ==
486 POLARSSL_MD_SHA384 )
487 {
488 hash_len = 48;
489 }
490 else
491#endif
492 hash_len = 32;
493 }
494 else
495#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
496 hash_len = 36;
497
498 SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
499
500 handshake->tls_prf( handshake->premaster, handshake->pmslen,
501 "extended master secret",
502 session_hash, hash_len, session->master, 48 );
503
504 }
505 else
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200506#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000507 handshake->tls_prf( handshake->premaster, handshake->pmslen,
508 "master secret",
509 handshake->randbytes, 64, session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000510
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200511
Paul Bakker34617722014-06-13 17:20:13 +0200512 polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000513 }
514 else
515 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
516
517 /*
518 * Swap the client and server random values.
519 */
Paul Bakker48916f92012-09-16 19:57:18 +0000520 memcpy( tmp, handshake->randbytes, 64 );
521 memcpy( handshake->randbytes, tmp + 32, 32 );
522 memcpy( handshake->randbytes + 32, tmp, 32 );
Paul Bakker34617722014-06-13 17:20:13 +0200523 polarssl_zeroize( tmp, sizeof( tmp ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000524
525 /*
526 * SSLv3:
527 * key block =
528 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
529 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
530 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
531 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
532 * ...
533 *
534 * TLSv1:
535 * key block = PRF( master, "key expansion", randbytes )
536 */
Paul Bakker48916f92012-09-16 19:57:18 +0000537 handshake->tls_prf( session->master, 48, "key expansion",
538 handshake->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000539
Paul Bakker48916f92012-09-16 19:57:18 +0000540 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
541 ssl_get_ciphersuite_name( session->ciphersuite ) ) );
542 SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
543 SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000544 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
545
Paul Bakker34617722014-06-13 17:20:13 +0200546 polarssl_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000547
548 /*
549 * Determine the appropriate key, IV and MAC length.
550 */
Paul Bakker68884e32013-01-07 18:20:04 +0100551
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200552 transform->keylen = cipher_info->key_length / 8;
553
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200554 if( cipher_info->mode == POLARSSL_MODE_GCM ||
555 cipher_info->mode == POLARSSL_MODE_CCM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000556 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200557 transform->maclen = 0;
558
Paul Bakker68884e32013-01-07 18:20:04 +0100559 transform->ivlen = 12;
560 transform->fixed_ivlen = 4;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200561
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200562 /* Minimum length is expicit IV + tag */
563 transform->minlen = transform->ivlen - transform->fixed_ivlen
564 + ( transform->ciphersuite_info->flags &
565 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
Paul Bakker68884e32013-01-07 18:20:04 +0100566 }
567 else
568 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200569 int ret;
570
571 /* Initialize HMAC contexts */
572 if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 ||
573 ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100574 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200575 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
576 return( ret );
Paul Bakker68884e32013-01-07 18:20:04 +0100577 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000578
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200579 /* Get MAC length */
580 transform->maclen = md_get_size( md_info );
581
582#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
583 /*
584 * If HMAC is to be truncated, we shall keep the leftmost bytes,
585 * (rfc 6066 page 13 or rfc 2104 section 4),
586 * so we only need to adjust the length here.
587 */
588 if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
589 transform->maclen = SSL_TRUNCATED_HMAC_LEN;
590#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
591
592 /* IV length */
Paul Bakker68884e32013-01-07 18:20:04 +0100593 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000594
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200595 /* Minimum length */
596 if( cipher_info->mode == POLARSSL_MODE_STREAM )
597 transform->minlen = transform->maclen;
598 else
Paul Bakker68884e32013-01-07 18:20:04 +0100599 {
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200600 /*
601 * GenericBlockCipher:
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100602 * 1. if EtM is in use: one block plus MAC
603 * otherwise: * first multiple of blocklen greater than maclen
604 * 2. IV except for SSL3 and TLS 1.0
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200605 */
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100606#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
607 if( session->encrypt_then_mac == SSL_ETM_ENABLED )
608 {
609 transform->minlen = transform->maclen
610 + cipher_info->block_size;
611 }
612 else
613#endif
614 {
615 transform->minlen = transform->maclen
616 + cipher_info->block_size
617 - transform->maclen % cipher_info->block_size;
618 }
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200619
620#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
621 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ||
622 ssl->minor_ver == SSL_MINOR_VERSION_1 )
623 ; /* No need to adjust minlen */
Paul Bakker68884e32013-01-07 18:20:04 +0100624 else
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200625#endif
626#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
627 if( ssl->minor_ver == SSL_MINOR_VERSION_2 ||
628 ssl->minor_ver == SSL_MINOR_VERSION_3 )
629 {
630 transform->minlen += transform->ivlen;
631 }
632 else
633#endif
634 {
635 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
636 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
637 }
Paul Bakker68884e32013-01-07 18:20:04 +0100638 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000639 }
640
641 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000642 transform->keylen, transform->minlen, transform->ivlen,
643 transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000644
645 /*
646 * Finally setup the cipher contexts, IVs and MAC secrets.
647 */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100648#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000649 if( ssl->endpoint == SSL_IS_CLIENT )
650 {
Paul Bakker48916f92012-09-16 19:57:18 +0000651 key1 = keyblk + transform->maclen * 2;
652 key2 = keyblk + transform->maclen * 2 + transform->keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000653
Paul Bakker68884e32013-01-07 18:20:04 +0100654 mac_enc = keyblk;
655 mac_dec = keyblk + transform->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000656
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000657 /*
658 * This is not used in TLS v1.1.
659 */
Paul Bakker48916f92012-09-16 19:57:18 +0000660 iv_copy_len = ( transform->fixed_ivlen ) ?
661 transform->fixed_ivlen : transform->ivlen;
662 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
663 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000664 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000665 }
666 else
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100667#endif /* POLARSSL_SSL_CLI_C */
668#if defined(POLARSSL_SSL_SRV_C)
669 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000670 {
Paul Bakker48916f92012-09-16 19:57:18 +0000671 key1 = keyblk + transform->maclen * 2 + transform->keylen;
672 key2 = keyblk + transform->maclen * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000673
Paul Bakker68884e32013-01-07 18:20:04 +0100674 mac_enc = keyblk + transform->maclen;
675 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000676
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000677 /*
678 * This is not used in TLS v1.1.
679 */
Paul Bakker48916f92012-09-16 19:57:18 +0000680 iv_copy_len = ( transform->fixed_ivlen ) ?
681 transform->fixed_ivlen : transform->ivlen;
682 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
683 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000684 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000685 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100686 else
687#endif /* POLARSSL_SSL_SRV_C */
688 {
689 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
690 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
691 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000692
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200693#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker68884e32013-01-07 18:20:04 +0100694 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
695 {
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +0100696 if( transform->maclen > sizeof transform->mac_enc )
697 {
698 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200699 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +0100700 }
701
Paul Bakker68884e32013-01-07 18:20:04 +0100702 memcpy( transform->mac_enc, mac_enc, transform->maclen );
703 memcpy( transform->mac_dec, mac_dec, transform->maclen );
704 }
705 else
Paul Bakker9af723c2014-05-01 13:03:14 +0200706#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200707#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
708 defined(POLARSSL_SSL_PROTO_TLS1_2)
709 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
Paul Bakker68884e32013-01-07 18:20:04 +0100710 {
711 md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
712 md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
713 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200714 else
715#endif
Paul Bakker577e0062013-08-28 11:57:20 +0200716 {
717 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200718 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200719 }
Paul Bakker68884e32013-01-07 18:20:04 +0100720
Paul Bakker05ef8352012-05-08 09:17:57 +0000721#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200722 if( ssl_hw_record_init != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000723 {
724 int ret = 0;
725
726 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
727
Paul Bakker07eb38b2012-12-19 14:42:06 +0100728 if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
729 transform->iv_enc, transform->iv_dec,
730 iv_copy_len,
Paul Bakker68884e32013-01-07 18:20:04 +0100731 mac_enc, mac_dec,
Paul Bakker07eb38b2012-12-19 14:42:06 +0100732 transform->maclen ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000733 {
734 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200735 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000736 }
737 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200738#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000739
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200740 if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
741 cipher_info ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000742 {
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200743 SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
744 return( ret );
745 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200746
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200747 if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
748 cipher_info ) ) != 0 )
749 {
750 SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
751 return( ret );
752 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200753
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200754 if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
755 cipher_info->key_length,
756 POLARSSL_ENCRYPT ) ) != 0 )
757 {
758 SSL_DEBUG_RET( 1, "cipher_setkey", ret );
759 return( ret );
760 }
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200761
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200762 if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
763 cipher_info->key_length,
764 POLARSSL_DECRYPT ) ) != 0 )
765 {
766 SSL_DEBUG_RET( 1, "cipher_setkey", ret );
767 return( ret );
768 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200769
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200770#if defined(POLARSSL_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200771 if( cipher_info->mode == POLARSSL_MODE_CBC )
772 {
773 if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
774 POLARSSL_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +0200775 {
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200776 SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
777 return( ret );
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +0200778 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200779
780 if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
781 POLARSSL_PADDING_NONE ) ) != 0 )
782 {
783 SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
784 return( ret );
785 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000786 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200787#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000788
Paul Bakker34617722014-06-13 17:20:13 +0200789 polarssl_zeroize( keyblk, sizeof( keyblk ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000790
Paul Bakker2770fbd2012-07-03 13:30:23 +0000791#if defined(POLARSSL_ZLIB_SUPPORT)
792 // Initialize compression
793 //
Paul Bakker48916f92012-09-16 19:57:18 +0000794 if( session->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000795 {
Paul Bakker16770332013-10-11 09:59:44 +0200796 if( ssl->compress_buf == NULL )
797 {
798 SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
799 ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
800 if( ssl->compress_buf == NULL )
801 {
802 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
803 SSL_BUFFER_LEN ) );
804 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
805 }
806 }
807
Paul Bakker2770fbd2012-07-03 13:30:23 +0000808 SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
809
Paul Bakker48916f92012-09-16 19:57:18 +0000810 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
811 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000812
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200813 if( deflateInit( &transform->ctx_deflate,
814 Z_DEFAULT_COMPRESSION ) != Z_OK ||
Paul Bakker48916f92012-09-16 19:57:18 +0000815 inflateInit( &transform->ctx_inflate ) != Z_OK )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000816 {
817 SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
818 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
819 }
820 }
821#endif /* POLARSSL_ZLIB_SUPPORT */
822
Paul Bakker5121ce52009-01-03 21:22:43 +0000823 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
824
825 return( 0 );
826}
827
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200828#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker380da532012-04-18 16:10:25 +0000829void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000830{
831 md5_context md5;
832 sha1_context sha1;
833 unsigned char pad_1[48];
834 unsigned char pad_2[48];
835
Paul Bakker380da532012-04-18 16:10:25 +0000836 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000837
Paul Bakker48916f92012-09-16 19:57:18 +0000838 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
839 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000840
Paul Bakker380da532012-04-18 16:10:25 +0000841 memset( pad_1, 0x36, 48 );
842 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000843
Paul Bakker48916f92012-09-16 19:57:18 +0000844 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000845 md5_update( &md5, pad_1, 48 );
846 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000847
Paul Bakker380da532012-04-18 16:10:25 +0000848 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +0000849 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000850 md5_update( &md5, pad_2, 48 );
851 md5_update( &md5, hash, 16 );
852 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000853
Paul Bakker48916f92012-09-16 19:57:18 +0000854 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000855 sha1_update( &sha1, pad_1, 40 );
856 sha1_finish( &sha1, hash + 16 );
857
858 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +0000859 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000860 sha1_update( &sha1, pad_2, 40 );
861 sha1_update( &sha1, hash + 16, 20 );
862 sha1_finish( &sha1, hash + 16 );
863
864 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
865 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
866
Paul Bakker5b4af392014-06-26 12:09:34 +0200867 md5_free( &md5 );
868 sha1_free( &sha1 );
869
Paul Bakker380da532012-04-18 16:10:25 +0000870 return;
871}
Paul Bakker9af723c2014-05-01 13:03:14 +0200872#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker380da532012-04-18 16:10:25 +0000873
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200874#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker380da532012-04-18 16:10:25 +0000875void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
876{
877 md5_context md5;
878 sha1_context sha1;
879
880 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
881
Paul Bakker48916f92012-09-16 19:57:18 +0000882 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
883 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000884
Paul Bakker48916f92012-09-16 19:57:18 +0000885 md5_finish( &md5, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000886 sha1_finish( &sha1, hash + 16 );
887
888 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
889 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
890
Paul Bakker5b4af392014-06-26 12:09:34 +0200891 md5_free( &md5 );
892 sha1_free( &sha1 );
893
Paul Bakker380da532012-04-18 16:10:25 +0000894 return;
895}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200896#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker380da532012-04-18 16:10:25 +0000897
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200898#if defined(POLARSSL_SSL_PROTO_TLS1_2)
899#if defined(POLARSSL_SHA256_C)
Paul Bakker380da532012-04-18 16:10:25 +0000900void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
901{
Paul Bakker9e36f042013-06-30 14:34:05 +0200902 sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000903
904 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
905
Paul Bakker9e36f042013-06-30 14:34:05 +0200906 memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
907 sha256_finish( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000908
909 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
910 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
911
Paul Bakker5b4af392014-06-26 12:09:34 +0200912 sha256_free( &sha256 );
913
Paul Bakker380da532012-04-18 16:10:25 +0000914 return;
915}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200916#endif /* POLARSSL_SHA256_C */
Paul Bakker380da532012-04-18 16:10:25 +0000917
Paul Bakker9e36f042013-06-30 14:34:05 +0200918#if defined(POLARSSL_SHA512_C)
Paul Bakker380da532012-04-18 16:10:25 +0000919void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
920{
Paul Bakker9e36f042013-06-30 14:34:05 +0200921 sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +0000922
923 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
924
Paul Bakker9e36f042013-06-30 14:34:05 +0200925 memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
926 sha512_finish( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000927
Paul Bakkerca4ab492012-04-18 14:23:57 +0000928 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000929 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
930
Paul Bakker5b4af392014-06-26 12:09:34 +0200931 sha512_free( &sha512 );
932
Paul Bakker5121ce52009-01-03 21:22:43 +0000933 return;
934}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200935#endif /* POLARSSL_SHA512_C */
936#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000937
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +0200938#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200939int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex )
940{
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200941 unsigned char *p = ssl->handshake->premaster;
942 unsigned char *end = p + sizeof( ssl->handshake->premaster );
943
944 /*
945 * PMS = struct {
946 * opaque other_secret<0..2^16-1>;
947 * opaque psk<0..2^16-1>;
948 * };
949 * with "other_secret" depending on the particular key exchange
950 */
951#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
952 if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
953 {
954 if( end - p < 2 + (int) ssl->psk_len )
955 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
956
957 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
958 *(p++) = (unsigned char)( ssl->psk_len );
959 p += ssl->psk_len;
960 }
961 else
962#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200963#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
964 if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
965 {
966 /*
967 * other_secret already set by the ClientKeyExchange message,
968 * and is 48 bytes long
969 */
970 *p++ = 0;
971 *p++ = 48;
972 p += 48;
973 }
974 else
975#endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200976#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
977 if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
978 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200979 int ret;
Manuel Pégourié-Gonnarddd0c0f32014-06-23 18:07:11 +0200980 size_t len = end - ( p + 2 );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200981
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200982 /* Write length only when we know the actual value */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200983 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200984 p + 2, &len,
985 ssl->f_rng, ssl->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200986 {
987 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
988 return( ret );
989 }
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200990 *(p++) = (unsigned char)( len >> 8 );
991 *(p++) = (unsigned char)( len );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200992 p += len;
993
994 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
995 }
996 else
997#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
998#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
999 if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1000 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02001001 int ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001002 size_t zlen;
1003
1004 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
Paul Bakker66d5d072014-06-17 16:39:18 +02001005 p + 2, end - ( p + 2 ),
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001006 ssl->f_rng, ssl->p_rng ) ) != 0 )
1007 {
1008 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
1009 return( ret );
1010 }
1011
1012 *(p++) = (unsigned char)( zlen >> 8 );
1013 *(p++) = (unsigned char)( zlen );
1014 p += zlen;
1015
1016 SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
1017 }
1018 else
1019#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1020 {
1021 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001022 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001023 }
1024
1025 /* opaque psk<0..2^16-1>; */
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01001026 if( end - p < 2 + (int) ssl->psk_len )
1027 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1028
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001029 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
1030 *(p++) = (unsigned char)( ssl->psk_len );
1031 memcpy( p, ssl->psk, ssl->psk_len );
1032 p += ssl->psk_len;
1033
1034 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1035
1036 return( 0 );
1037}
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02001038#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001039
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001040#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00001041/*
1042 * SSLv3.0 MAC functions
1043 */
Paul Bakker68884e32013-01-07 18:20:04 +01001044static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
1045 unsigned char *buf, size_t len,
1046 unsigned char *ctr, int type )
Paul Bakker5121ce52009-01-03 21:22:43 +00001047{
1048 unsigned char header[11];
1049 unsigned char padding[48];
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001050 int padlen;
Paul Bakker68884e32013-01-07 18:20:04 +01001051 int md_size = md_get_size( md_ctx->md_info );
1052 int md_type = md_get_type( md_ctx->md_info );
1053
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001054 /* Only MD5 and SHA-1 supported */
Paul Bakker68884e32013-01-07 18:20:04 +01001055 if( md_type == POLARSSL_MD_MD5 )
1056 padlen = 48;
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001057 else
Paul Bakker68884e32013-01-07 18:20:04 +01001058 padlen = 40;
Paul Bakker5121ce52009-01-03 21:22:43 +00001059
1060 memcpy( header, ctr, 8 );
1061 header[ 8] = (unsigned char) type;
1062 header[ 9] = (unsigned char)( len >> 8 );
1063 header[10] = (unsigned char)( len );
1064
Paul Bakker68884e32013-01-07 18:20:04 +01001065 memset( padding, 0x36, padlen );
1066 md_starts( md_ctx );
1067 md_update( md_ctx, secret, md_size );
1068 md_update( md_ctx, padding, padlen );
1069 md_update( md_ctx, header, 11 );
1070 md_update( md_ctx, buf, len );
1071 md_finish( md_ctx, buf + len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001072
Paul Bakker68884e32013-01-07 18:20:04 +01001073 memset( padding, 0x5C, padlen );
1074 md_starts( md_ctx );
1075 md_update( md_ctx, secret, md_size );
1076 md_update( md_ctx, padding, padlen );
1077 md_update( md_ctx, buf + len, md_size );
1078 md_finish( md_ctx, buf + len );
Paul Bakker5f70b252012-09-13 14:23:06 +00001079}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001080#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +00001081
Manuel Pégourié-Gonnard8e4b3372014-11-17 15:06:13 +01001082#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1083 ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1084 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1085#define POLARSSL_SOME_MODES_USE_MAC
1086#endif
1087
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001088/*
Paul Bakker5121ce52009-01-03 21:22:43 +00001089 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +02001090 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001091static int ssl_encrypt_buf( ssl_context *ssl )
1092{
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001093 size_t i;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001094 cipher_mode_t mode;
1095 int auth_done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001096
1097 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
1098
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001099 if( ssl->session_out == NULL || ssl->transform_out == NULL )
1100 {
1101 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1102 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1103 }
1104
1105 mode = cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
1106
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +01001107 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1108 ssl->out_msg, ssl->out_msglen );
1109
Paul Bakker5121ce52009-01-03 21:22:43 +00001110 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001111 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +00001112 */
Manuel Pégourié-Gonnard8e4b3372014-11-17 15:06:13 +01001113#if defined(POLARSSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001114 if( mode == POLARSSL_MODE_STREAM ||
1115 ( mode == POLARSSL_MODE_CBC
1116#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
1117 && ssl->session_out->encrypt_then_mac == SSL_ETM_DISABLED
1118#endif
1119 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00001120 {
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001121#if defined(POLARSSL_SSL_PROTO_SSL3)
1122 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1123 {
1124 ssl_mac( &ssl->transform_out->md_ctx_enc,
1125 ssl->transform_out->mac_enc,
1126 ssl->out_msg, ssl->out_msglen,
1127 ssl->out_ctr, ssl->out_msgtype );
1128 }
1129 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001130#endif
1131#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001132 defined(POLARSSL_SSL_PROTO_TLS1_2)
1133 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1134 {
1135 md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1136 md_hmac_update( &ssl->transform_out->md_ctx_enc,
1137 ssl->out_msg, ssl->out_msglen );
1138 md_hmac_finish( &ssl->transform_out->md_ctx_enc,
1139 ssl->out_msg + ssl->out_msglen );
1140 md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1141 }
1142 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001143#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001144 {
1145 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001146 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001147 }
1148
1149 SSL_DEBUG_BUF( 4, "computed mac",
1150 ssl->out_msg + ssl->out_msglen,
1151 ssl->transform_out->maclen );
1152
1153 ssl->out_msglen += ssl->transform_out->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001154 auth_done++;
Paul Bakker577e0062013-08-28 11:57:20 +02001155 }
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001156#endif /* AEAD not the only option */
Paul Bakker5121ce52009-01-03 21:22:43 +00001157
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001158 /*
1159 * Encrypt
1160 */
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001161#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
Manuel Pégourié-Gonnard5efd7722014-05-14 12:52:22 +02001162 if( mode == POLARSSL_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +00001163 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001164 int ret;
1165 size_t olen = 0;
1166
Paul Bakker5121ce52009-01-03 21:22:43 +00001167 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1168 "including %d bytes of padding",
1169 ssl->out_msglen, 0 ) );
1170
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001171 if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
Paul Bakker45125bc2013-09-04 16:47:11 +02001172 ssl->transform_out->iv_enc,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001173 ssl->transform_out->ivlen,
1174 ssl->out_msg, ssl->out_msglen,
1175 ssl->out_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001176 {
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001177 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001178 return( ret );
1179 }
1180
1181 if( ssl->out_msglen != olen )
1182 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001183 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnarda8a25ae2013-10-27 13:48:15 +01001184 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001185 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001186 }
Paul Bakker68884e32013-01-07 18:20:04 +01001187 else
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001188#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001189#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1190 if( mode == POLARSSL_MODE_GCM ||
1191 mode == POLARSSL_MODE_CCM )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001192 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001193 int ret;
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001194 size_t enc_msglen, olen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001195 unsigned char *enc_msg;
1196 unsigned char add_data[13];
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001197 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
1198 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001199
Paul Bakkerca4ab492012-04-18 14:23:57 +00001200 memcpy( add_data, ssl->out_ctr, 8 );
1201 add_data[8] = ssl->out_msgtype;
1202 add_data[9] = ssl->major_ver;
1203 add_data[10] = ssl->minor_ver;
1204 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1205 add_data[12] = ssl->out_msglen & 0xFF;
1206
1207 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1208 add_data, 13 );
1209
Paul Bakker68884e32013-01-07 18:20:04 +01001210 /*
1211 * Generate IV
1212 */
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +01001213#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
Paul Bakker68884e32013-01-07 18:20:04 +01001214 ret = ssl->f_rng( ssl->p_rng,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001215 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1216 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
Paul Bakker68884e32013-01-07 18:20:04 +01001217 if( ret != 0 )
1218 return( ret );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001219
Paul Bakker68884e32013-01-07 18:20:04 +01001220 memcpy( ssl->out_iv,
1221 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1222 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +01001223#else
1224 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
1225 {
1226 /* Reminder if we ever add an AEAD mode with a different size */
1227 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1228 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1229 }
1230
1231 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1232 ssl->out_ctr, 8 );
1233 memcpy( ssl->out_iv, ssl->out_ctr, 8 );
1234#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00001235
Manuel Pégourié-Gonnard226d5da2013-09-05 13:19:22 +02001236 SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001237 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
Manuel Pégourié-Gonnard226d5da2013-09-05 13:19:22 +02001238
Paul Bakker68884e32013-01-07 18:20:04 +01001239 /*
1240 * Fix pointer positions and message length with added IV
1241 */
1242 enc_msg = ssl->out_msg;
1243 enc_msglen = ssl->out_msglen;
1244 ssl->out_msglen += ssl->transform_out->ivlen -
1245 ssl->transform_out->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001246
Paul Bakker68884e32013-01-07 18:20:04 +01001247 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1248 "including %d bytes of padding",
1249 ssl->out_msglen, 0 ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001250
Paul Bakker68884e32013-01-07 18:20:04 +01001251 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001252 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001253 */
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001254 if( ( ret = cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
1255 ssl->transform_out->iv_enc,
1256 ssl->transform_out->ivlen,
1257 add_data, 13,
1258 enc_msg, enc_msglen,
1259 enc_msg, &olen,
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001260 enc_msg + enc_msglen, taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001261 {
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001262 SSL_DEBUG_RET( 1, "cipher_auth_encrypt", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001263 return( ret );
1264 }
1265
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001266 if( olen != enc_msglen )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001267 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001268 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001269 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001270 }
1271
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001272 ssl->out_msglen += taglen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001273 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001274
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001275 SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001276 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001277 else
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001278#endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001279#if defined(POLARSSL_CIPHER_MODE_CBC) && \
1280 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
Manuel Pégourié-Gonnard5efd7722014-05-14 12:52:22 +02001281 if( mode == POLARSSL_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +00001282 {
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001283 int ret;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001284 unsigned char *enc_msg;
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001285 size_t enc_msglen, padlen, olen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001286
Paul Bakker48916f92012-09-16 19:57:18 +00001287 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1288 ssl->transform_out->ivlen;
1289 if( padlen == ssl->transform_out->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001290 padlen = 0;
1291
1292 for( i = 0; i <= padlen; i++ )
1293 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1294
1295 ssl->out_msglen += padlen + 1;
1296
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001297 enc_msglen = ssl->out_msglen;
1298 enc_msg = ssl->out_msg;
1299
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001300#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001301 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +00001302 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1303 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001304 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00001305 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001306 {
1307 /*
1308 * Generate IV
1309 */
Paul Bakker48916f92012-09-16 19:57:18 +00001310 int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1311 ssl->transform_out->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +00001312 if( ret != 0 )
1313 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001314
Paul Bakker92be97b2013-01-02 17:30:03 +01001315 memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +00001316 ssl->transform_out->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001317
1318 /*
1319 * Fix pointer positions and message length with added IV
1320 */
Paul Bakker92be97b2013-01-02 17:30:03 +01001321 enc_msg = ssl->out_msg;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001322 enc_msglen = ssl->out_msglen;
Paul Bakker48916f92012-09-16 19:57:18 +00001323 ssl->out_msglen += ssl->transform_out->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001324 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001325#endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001326
Paul Bakker5121ce52009-01-03 21:22:43 +00001327 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001328 "including %d bytes of IV and %d bytes of padding",
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001329 ssl->out_msglen, ssl->transform_out->ivlen,
1330 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001331
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001332 if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
Paul Bakker45125bc2013-09-04 16:47:11 +02001333 ssl->transform_out->iv_enc,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001334 ssl->transform_out->ivlen,
1335 enc_msg, enc_msglen,
1336 enc_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001337 {
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001338 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +02001339 return( ret );
1340 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001341
Paul Bakkercca5b812013-08-31 17:40:26 +02001342 if( enc_msglen != olen )
1343 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001344 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnarda8a25ae2013-10-27 13:48:15 +01001345 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +02001346 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001347
1348#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
Paul Bakkercca5b812013-08-31 17:40:26 +02001349 if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1350 {
1351 /*
1352 * Save IV in SSL3 and TLS1
1353 */
1354 memcpy( ssl->transform_out->iv_enc,
1355 ssl->transform_out->cipher_ctx_enc.iv,
1356 ssl->transform_out->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001357 }
Paul Bakkercca5b812013-08-31 17:40:26 +02001358#endif
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001359
1360#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001361 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001362 {
1363 /*
1364 * MAC(MAC_write_key, seq_num +
1365 * TLSCipherText.type +
1366 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01001367 * length_of( (IV +) ENC(...) ) +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001368 * IV + // except for TLS 1.0
1369 * ENC(content + padding + padding_length));
1370 */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001371 unsigned char pseudo_hdr[13];
1372
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001373 SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1374
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001375 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
1376 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01001377 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
1378 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
1379
1380 SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001381
1382 md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
1383 md_hmac_update( &ssl->transform_out->md_ctx_enc,
1384 ssl->out_iv, ssl->out_msglen );
1385 md_hmac_finish( &ssl->transform_out->md_ctx_enc,
1386 ssl->out_iv + ssl->out_msglen );
1387 md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1388
1389 ssl->out_msglen += ssl->transform_out->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001390 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001391 }
1392#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001393 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001394 else
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001395#endif /* POLARSSL_CIPHER_MODE_CBC &&
1396 ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001397 {
1398 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001399 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001400 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001401
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001402 /* Make extra sure authentication was performed, exactly once */
1403 if( auth_done != 1 )
1404 {
1405 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1406 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1407 }
1408
Paul Bakkerca4ab492012-04-18 14:23:57 +00001409 for( i = 8; i > 0; i-- )
1410 if( ++ssl->out_ctr[i - 1] != 0 )
1411 break;
1412
Manuel Pégourié-Gonnard83cdffc2014-03-10 21:20:29 +01001413 /* The loops goes to its end iff the counter is wrapping */
1414 if( i == 0 )
1415 {
1416 SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
1417 return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
1418 }
1419
Paul Bakker5121ce52009-01-03 21:22:43 +00001420 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1421
1422 return( 0 );
1423}
1424
Paul Bakkerb7149bc2013-03-20 15:30:09 +01001425#define POLARSSL_SSL_MAX_MAC_SIZE 48
Paul Bakkerfab5c822012-02-06 16:45:10 +00001426
Paul Bakker5121ce52009-01-03 21:22:43 +00001427static int ssl_decrypt_buf( ssl_context *ssl )
1428{
Paul Bakker1e5369c2013-12-19 16:40:57 +01001429 size_t i;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001430 cipher_mode_t mode;
1431 int auth_done = 0;
Manuel Pégourié-Gonnard8e4b3372014-11-17 15:06:13 +01001432#if defined(POLARSSL_SOME_MODES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +01001433 size_t padlen = 0, correct = 1;
1434#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001435
1436 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1437
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001438 if( ssl->session_in == NULL || ssl->transform_in == NULL )
1439 {
1440 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1441 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1442 }
1443
1444 mode = cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
1445
Paul Bakker48916f92012-09-16 19:57:18 +00001446 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001447 {
1448 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
Paul Bakker48916f92012-09-16 19:57:18 +00001449 ssl->in_msglen, ssl->transform_in->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001450 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001451 }
1452
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001453#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
Manuel Pégourié-Gonnard5efd7722014-05-14 12:52:22 +02001454 if( mode == POLARSSL_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +01001455 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001456 int ret;
1457 size_t olen = 0;
1458
Paul Bakker68884e32013-01-07 18:20:04 +01001459 padlen = 0;
1460
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001461 if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
Paul Bakker45125bc2013-09-04 16:47:11 +02001462 ssl->transform_in->iv_dec,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001463 ssl->transform_in->ivlen,
1464 ssl->in_msg, ssl->in_msglen,
1465 ssl->in_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001466 {
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001467 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001468 return( ret );
1469 }
1470
1471 if( ssl->in_msglen != olen )
1472 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001473 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnarda8a25ae2013-10-27 13:48:15 +01001474 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001475 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001476 }
Paul Bakker68884e32013-01-07 18:20:04 +01001477 else
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001478#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001479#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1480 if( mode == POLARSSL_MODE_GCM ||
1481 mode == POLARSSL_MODE_CCM )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001482 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001483 int ret;
1484 size_t dec_msglen, olen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001485 unsigned char *dec_msg;
1486 unsigned char *dec_msg_result;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001487 unsigned char add_data[13];
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001488 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
1489 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +02001490 unsigned char explicit_iv_len = ssl->transform_in->ivlen -
1491 ssl->transform_in->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001492
Manuel Pégourié-Gonnard06d75192015-02-11 14:54:11 +00001493 if( ssl->in_msglen < (size_t) explicit_iv_len + taglen )
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +02001494 {
1495 SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1496 "+ taglen (%d)", ssl->in_msglen,
1497 explicit_iv_len, taglen ) );
1498 return( POLARSSL_ERR_SSL_INVALID_MAC );
1499 }
1500 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
1501
Paul Bakker68884e32013-01-07 18:20:04 +01001502 dec_msg = ssl->in_msg;
1503 dec_msg_result = ssl->in_msg;
1504 ssl->in_msglen = dec_msglen;
1505
1506 memcpy( add_data, ssl->in_ctr, 8 );
1507 add_data[8] = ssl->in_msgtype;
1508 add_data[9] = ssl->major_ver;
1509 add_data[10] = ssl->minor_ver;
1510 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1511 add_data[12] = ssl->in_msglen & 0xFF;
1512
1513 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1514 add_data, 13 );
1515
1516 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1517 ssl->in_iv,
1518 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1519
1520 SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1521 ssl->transform_in->ivlen );
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001522 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
Paul Bakker68884e32013-01-07 18:20:04 +01001523
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001524 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001525 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001526 */
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001527 if( ( ret = cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
1528 ssl->transform_in->iv_dec,
1529 ssl->transform_in->ivlen,
1530 add_data, 13,
1531 dec_msg, dec_msglen,
1532 dec_msg_result, &olen,
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001533 dec_msg + dec_msglen, taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001534 {
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001535 SSL_DEBUG_RET( 1, "cipher_auth_decrypt", ret );
1536
1537 if( ret == POLARSSL_ERR_CIPHER_AUTH_FAILED )
1538 return( POLARSSL_ERR_SSL_INVALID_MAC );
1539
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001540 return( ret );
1541 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001542 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001543
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001544 if( olen != dec_msglen )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001545 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001546 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001547 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001548 }
Paul Bakkerca4ab492012-04-18 14:23:57 +00001549 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001550 else
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001551#endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001552#if defined(POLARSSL_CIPHER_MODE_CBC) && \
1553 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
Manuel Pégourié-Gonnard5efd7722014-05-14 12:52:22 +02001554 if( mode == POLARSSL_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +00001555 {
Paul Bakker45829992013-01-03 14:52:21 +01001556 /*
1557 * Decrypt and check the padding
1558 */
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001559 int ret;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001560 unsigned char *dec_msg;
1561 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +00001562 size_t dec_msglen;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001563 size_t minlen = 0;
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001564 size_t olen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001565
Paul Bakker5121ce52009-01-03 21:22:43 +00001566 /*
Paul Bakker45829992013-01-03 14:52:21 +01001567 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +00001568 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001569#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker45829992013-01-03 14:52:21 +01001570 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1571 minlen += ssl->transform_in->ivlen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001572#endif
Paul Bakker45829992013-01-03 14:52:21 +01001573
1574 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1575 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1576 {
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001577 SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1578 "+ 1 ) ( + expl IV )", ssl->in_msglen,
1579 ssl->transform_in->ivlen,
1580 ssl->transform_in->maclen ) );
Paul Bakker45829992013-01-03 14:52:21 +01001581 return( POLARSSL_ERR_SSL_INVALID_MAC );
1582 }
1583
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001584 dec_msglen = ssl->in_msglen;
1585 dec_msg = ssl->in_msg;
1586 dec_msg_result = ssl->in_msg;
1587
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001588 /*
1589 * Authenticate before decrypt if enabled
1590 */
1591#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001592 if( ssl->session_in->encrypt_then_mac == SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001593 {
1594 unsigned char computed_mac[POLARSSL_SSL_MAX_MAC_SIZE];
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01001595 unsigned char pseudo_hdr[13];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001596
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001597 SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1598
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001599 dec_msglen -= ssl->transform_in->maclen;
1600 ssl->in_msglen -= ssl->transform_in->maclen;
1601
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01001602 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
1603 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
1604 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
1605 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
1606
1607 SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
1608
1609 md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001610 md_hmac_update( &ssl->transform_in->md_ctx_dec,
1611 ssl->in_iv, ssl->in_msglen );
1612 md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
1613 md_hmac_reset( &ssl->transform_in->md_ctx_dec );
1614
1615 SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
1616 ssl->transform_in->maclen );
1617 SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
1618 ssl->transform_in->maclen );
1619
1620 if( safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
1621 ssl->transform_in->maclen ) != 0 )
1622 {
1623 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1624
1625 return( POLARSSL_ERR_SSL_INVALID_MAC );
1626 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001627 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001628 }
1629#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
1630
1631 /*
1632 * Check length sanity
1633 */
1634 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1635 {
1636 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1637 ssl->in_msglen, ssl->transform_in->ivlen ) );
1638 return( POLARSSL_ERR_SSL_INVALID_MAC );
1639 }
1640
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001641#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001642 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +00001643 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001644 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00001645 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001646 {
Paul Bakker48916f92012-09-16 19:57:18 +00001647 dec_msglen -= ssl->transform_in->ivlen;
1648 ssl->in_msglen -= ssl->transform_in->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001649
Paul Bakker48916f92012-09-16 19:57:18 +00001650 for( i = 0; i < ssl->transform_in->ivlen; i++ )
Paul Bakker92be97b2013-01-02 17:30:03 +01001651 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001652 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001653#endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001654
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001655 if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
Paul Bakker45125bc2013-09-04 16:47:11 +02001656 ssl->transform_in->iv_dec,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001657 ssl->transform_in->ivlen,
1658 dec_msg, dec_msglen,
1659 dec_msg_result, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001660 {
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001661 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +02001662 return( ret );
1663 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001664
Paul Bakkercca5b812013-08-31 17:40:26 +02001665 if( dec_msglen != olen )
1666 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001667 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnarda8a25ae2013-10-27 13:48:15 +01001668 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +02001669 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001670
1671#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
Paul Bakkercca5b812013-08-31 17:40:26 +02001672 if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1673 {
1674 /*
1675 * Save IV in SSL3 and TLS1
1676 */
1677 memcpy( ssl->transform_in->iv_dec,
1678 ssl->transform_in->cipher_ctx_dec.iv,
1679 ssl->transform_in->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001680 }
Paul Bakkercca5b812013-08-31 17:40:26 +02001681#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001682
1683 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
Paul Bakker45829992013-01-03 14:52:21 +01001684
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001685 if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001686 auth_done == 0 )
Paul Bakker45829992013-01-03 14:52:21 +01001687 {
Paul Bakkerd66f0702013-01-31 16:57:45 +01001688#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker45829992013-01-03 14:52:21 +01001689 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1690 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001691#endif
Paul Bakker45829992013-01-03 14:52:21 +01001692 padlen = 0;
Paul Bakker45829992013-01-03 14:52:21 +01001693 correct = 0;
1694 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001695
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001696#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00001697 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1698 {
Paul Bakker48916f92012-09-16 19:57:18 +00001699 if( padlen > ssl->transform_in->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001700 {
Paul Bakkerd66f0702013-01-31 16:57:45 +01001701#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker5121ce52009-01-03 21:22:43 +00001702 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1703 "should be no more than %d",
Paul Bakker48916f92012-09-16 19:57:18 +00001704 padlen, ssl->transform_in->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001705#endif
Paul Bakker45829992013-01-03 14:52:21 +01001706 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001707 }
1708 }
1709 else
Paul Bakker9af723c2014-05-01 13:03:14 +02001710#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001711#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1712 defined(POLARSSL_SSL_PROTO_TLS1_2)
1713 if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001714 {
1715 /*
Paul Bakker45829992013-01-03 14:52:21 +01001716 * TLSv1+: always check the padding up to the first failure
1717 * and fake check up to 256 bytes of padding
Paul Bakker5121ce52009-01-03 21:22:43 +00001718 */
Paul Bakkerca9c87e2013-09-25 18:52:37 +02001719 size_t pad_count = 0, real_count = 1;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001720 size_t padding_idx = ssl->in_msglen - padlen - 1;
1721
Paul Bakker956c9e02013-12-19 14:42:28 +01001722 /*
1723 * Padding is guaranteed to be incorrect if:
Paul Bakker91c61bc2014-03-26 14:06:55 +01001724 * 1. padlen >= ssl->in_msglen
Paul Bakker956c9e02013-12-19 14:42:28 +01001725 *
Paul Bakker61885c72014-04-25 12:59:03 +02001726 * 2. padding_idx >= SSL_MAX_CONTENT_LEN +
1727 * ssl->transform_in->maclen
Paul Bakker956c9e02013-12-19 14:42:28 +01001728 *
1729 * In both cases we reset padding_idx to a safe value (0) to
1730 * prevent out-of-buffer reads.
1731 */
Paul Bakker91c61bc2014-03-26 14:06:55 +01001732 correct &= ( ssl->in_msglen >= padlen + 1 );
Paul Bakker61885c72014-04-25 12:59:03 +02001733 correct &= ( padding_idx < SSL_MAX_CONTENT_LEN +
1734 ssl->transform_in->maclen );
Paul Bakker956c9e02013-12-19 14:42:28 +01001735
1736 padding_idx *= correct;
1737
Paul Bakkerca9c87e2013-09-25 18:52:37 +02001738 for( i = 1; i <= 256; i++ )
1739 {
1740 real_count &= ( i <= padlen );
1741 pad_count += real_count *
1742 ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1743 }
Paul Bakkere47b34b2013-02-27 14:48:00 +01001744
1745 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
Paul Bakkere47b34b2013-02-27 14:48:00 +01001746
Paul Bakkerd66f0702013-01-31 16:57:45 +01001747#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker66d5d072014-06-17 16:39:18 +02001748 if( padlen > 0 && correct == 0 )
Paul Bakker45829992013-01-03 14:52:21 +01001749 SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001750#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +01001751 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +00001752 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001753 else
1754#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1755 POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02001756 {
1757 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001758 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02001759 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001760
1761 ssl->in_msglen -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +00001762 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001763 else
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001764#endif /* POLARSSL_CIPHER_MODE_CBC &&
1765 ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001766 {
1767 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001768 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001769 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001770
1771 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1772 ssl->in_msg, ssl->in_msglen );
1773
1774 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001775 * Authenticate if not done yet.
1776 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +00001777 */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001778#if defined(POLARSSL_SOME_MODES_USE_MAC)
1779 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001780 {
Paul Bakker1e5369c2013-12-19 16:40:57 +01001781 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1782
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001783 ssl->in_msglen -= ssl->transform_in->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +00001784
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001785 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1786 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001787
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001788 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001789
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001790#if defined(POLARSSL_SSL_PROTO_SSL3)
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001791 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1792 {
1793 ssl_mac( &ssl->transform_in->md_ctx_dec,
1794 ssl->transform_in->mac_dec,
1795 ssl->in_msg, ssl->in_msglen,
1796 ssl->in_ctr, ssl->in_msgtype );
1797 }
1798 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001799#endif /* POLARSSL_SSL_PROTO_SSL3 */
1800#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001801 defined(POLARSSL_SSL_PROTO_TLS1_2)
1802 if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1803 {
1804 /*
1805 * Process MAC and always update for padlen afterwards to make
1806 * total time independent of padlen
1807 *
Paul Bakker9af723c2014-05-01 13:03:14 +02001808 * extra_run compensates MAC check for padlen
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001809 *
1810 * Known timing attacks:
1811 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1812 *
1813 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1814 * correctly. (We round down instead of up, so -56 is the correct
1815 * value for our calculations instead of -55)
1816 */
1817 size_t j, extra_run = 0;
1818 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1819 ( 13 + ssl->in_msglen + 8 ) / 64;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001820
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001821 extra_run &= correct * 0xFF;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001822
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001823 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1824 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
1825 ssl->in_msglen );
1826 md_hmac_finish( &ssl->transform_in->md_ctx_dec,
1827 ssl->in_msg + ssl->in_msglen );
1828 for( j = 0; j < extra_run; j++ )
1829 md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
Paul Bakkere47b34b2013-02-27 14:48:00 +01001830
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001831 md_hmac_reset( &ssl->transform_in->md_ctx_dec );
1832 }
1833 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001834#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001835 POLARSSL_SSL_PROTO_TLS1_2 */
1836 {
1837 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001838 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001839 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001840
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001841 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1842 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1843 ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001844
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01001845 if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001846 ssl->transform_in->maclen ) != 0 )
1847 {
Paul Bakkere47b34b2013-02-27 14:48:00 +01001848#if defined(POLARSSL_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001849 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +01001850#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001851 correct = 0;
1852 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001853 auth_done++;
Paul Bakker5121ce52009-01-03 21:22:43 +00001854
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001855 /*
1856 * Finally check the correct flag
1857 */
1858 if( correct == 0 )
1859 return( POLARSSL_ERR_SSL_INVALID_MAC );
1860 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001861#endif /* POLARSSL_SOME_MODES_USE_MAC */
1862
1863 /* Make extra sure authentication was performed, exactly once */
1864 if( auth_done != 1 )
1865 {
1866 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1867 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1868 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001869
1870 if( ssl->in_msglen == 0 )
1871 {
1872 ssl->nb_zero++;
1873
1874 /*
1875 * Three or more empty messages may be a DoS attack
1876 * (excessive CPU consumption).
1877 */
1878 if( ssl->nb_zero > 3 )
1879 {
1880 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1881 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001882 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001883 }
1884 }
1885 else
1886 ssl->nb_zero = 0;
Paul Bakkerf7abd422013-04-16 13:15:56 +02001887
Paul Bakker23986e52011-04-24 08:57:21 +00001888 for( i = 8; i > 0; i-- )
1889 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001890 break;
1891
Manuel Pégourié-Gonnard83cdffc2014-03-10 21:20:29 +01001892 /* The loops goes to its end iff the counter is wrapping */
1893 if( i == 0 )
1894 {
1895 SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
1896 return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
1897 }
1898
Paul Bakker5121ce52009-01-03 21:22:43 +00001899 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1900
1901 return( 0 );
1902}
1903
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001904#undef MAC_NONE
1905#undef MAC_PLAINTEXT
1906#undef MAC_CIPHERTEXT
1907
Paul Bakker2770fbd2012-07-03 13:30:23 +00001908#if defined(POLARSSL_ZLIB_SUPPORT)
1909/*
1910 * Compression/decompression functions
1911 */
1912static int ssl_compress_buf( ssl_context *ssl )
1913{
1914 int ret;
1915 unsigned char *msg_post = ssl->out_msg;
1916 size_t len_pre = ssl->out_msglen;
Paul Bakker16770332013-10-11 09:59:44 +02001917 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001918
1919 SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1920
Paul Bakkerabf2f8f2013-06-30 14:57:46 +02001921 if( len_pre == 0 )
1922 return( 0 );
1923
Paul Bakker2770fbd2012-07-03 13:30:23 +00001924 memcpy( msg_pre, ssl->out_msg, len_pre );
1925
1926 SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1927 ssl->out_msglen ) );
1928
1929 SSL_DEBUG_BUF( 4, "before compression: output payload",
1930 ssl->out_msg, ssl->out_msglen );
1931
Paul Bakker48916f92012-09-16 19:57:18 +00001932 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1933 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1934 ssl->transform_out->ctx_deflate.next_out = msg_post;
1935 ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001936
Paul Bakker48916f92012-09-16 19:57:18 +00001937 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001938 if( ret != Z_OK )
1939 {
1940 SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1941 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1942 }
1943
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001944 ssl->out_msglen = SSL_BUFFER_LEN -
1945 ssl->transform_out->ctx_deflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001946
Paul Bakker2770fbd2012-07-03 13:30:23 +00001947 SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1948 ssl->out_msglen ) );
1949
1950 SSL_DEBUG_BUF( 4, "after compression: output payload",
1951 ssl->out_msg, ssl->out_msglen );
1952
1953 SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1954
1955 return( 0 );
1956}
1957
1958static int ssl_decompress_buf( ssl_context *ssl )
1959{
1960 int ret;
1961 unsigned char *msg_post = ssl->in_msg;
1962 size_t len_pre = ssl->in_msglen;
Paul Bakker16770332013-10-11 09:59:44 +02001963 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001964
1965 SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1966
Paul Bakkerabf2f8f2013-06-30 14:57:46 +02001967 if( len_pre == 0 )
1968 return( 0 );
1969
Paul Bakker2770fbd2012-07-03 13:30:23 +00001970 memcpy( msg_pre, ssl->in_msg, len_pre );
1971
1972 SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1973 ssl->in_msglen ) );
1974
1975 SSL_DEBUG_BUF( 4, "before decompression: input payload",
1976 ssl->in_msg, ssl->in_msglen );
1977
Paul Bakker48916f92012-09-16 19:57:18 +00001978 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1979 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1980 ssl->transform_in->ctx_inflate.next_out = msg_post;
1981 ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001982
Paul Bakker48916f92012-09-16 19:57:18 +00001983 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001984 if( ret != Z_OK )
1985 {
1986 SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1987 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1988 }
1989
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001990 ssl->in_msglen = SSL_MAX_CONTENT_LEN -
1991 ssl->transform_in->ctx_inflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001992
Paul Bakker2770fbd2012-07-03 13:30:23 +00001993 SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1994 ssl->in_msglen ) );
1995
1996 SSL_DEBUG_BUF( 4, "after decompression: input payload",
1997 ssl->in_msg, ssl->in_msglen );
1998
1999 SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
2000
2001 return( 0 );
2002}
2003#endif /* POLARSSL_ZLIB_SUPPORT */
2004
Paul Bakker5121ce52009-01-03 21:22:43 +00002005/*
2006 * Fill the input message buffer
2007 */
Paul Bakker23986e52011-04-24 08:57:21 +00002008int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +00002009{
Paul Bakker23986e52011-04-24 08:57:21 +00002010 int ret;
2011 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +00002012
2013 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
2014
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002015 if( nb_want > SSL_BUFFER_LEN - 8 )
2016 {
2017 SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2018 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2019 }
2020
Paul Bakker5121ce52009-01-03 21:22:43 +00002021 while( ssl->in_left < nb_want )
2022 {
2023 len = nb_want - ssl->in_left;
2024 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
2025
2026 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2027 ssl->in_left, nb_want ) );
2028 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
2029
Paul Bakker831a7552011-05-18 13:32:51 +00002030 if( ret == 0 )
2031 return( POLARSSL_ERR_SSL_CONN_EOF );
2032
Paul Bakker5121ce52009-01-03 21:22:43 +00002033 if( ret < 0 )
2034 return( ret );
2035
2036 ssl->in_left += ret;
2037 }
2038
2039 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2040
2041 return( 0 );
2042}
2043
2044/*
2045 * Flush any data not yet written
2046 */
2047int ssl_flush_output( ssl_context *ssl )
2048{
2049 int ret;
2050 unsigned char *buf;
2051
2052 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
2053
2054 while( ssl->out_left > 0 )
2055 {
2056 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
2057 5 + ssl->out_msglen, ssl->out_left ) );
2058
Paul Bakker5bd42292012-12-19 14:40:42 +01002059 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
Paul Bakker5121ce52009-01-03 21:22:43 +00002060 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +00002061
Paul Bakker5121ce52009-01-03 21:22:43 +00002062 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
2063
2064 if( ret <= 0 )
2065 return( ret );
2066
2067 ssl->out_left -= ret;
2068 }
2069
2070 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2071
2072 return( 0 );
2073}
2074
2075/*
2076 * Record layer functions
2077 */
2078int ssl_write_record( ssl_context *ssl )
2079{
Paul Bakker05ef8352012-05-08 09:17:57 +00002080 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +00002081 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +00002082
2083 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
2084
Paul Bakker5121ce52009-01-03 21:22:43 +00002085 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
2086 {
2087 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
2088 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
2089 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
2090
Manuel Pégourié-Gonnardf3dc2f62013-10-29 18:17:41 +01002091 if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
2092 ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +00002093 }
2094
Paul Bakker2770fbd2012-07-03 13:30:23 +00002095#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00002096 if( ssl->transform_out != NULL &&
2097 ssl->session_out->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002098 {
2099 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2100 {
2101 SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
2102 return( ret );
2103 }
2104
2105 len = ssl->out_msglen;
2106 }
2107#endif /*POLARSSL_ZLIB_SUPPORT */
2108
Paul Bakker05ef8352012-05-08 09:17:57 +00002109#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02002110 if( ssl_hw_record_write != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002111 {
Paul Bakker05ef8352012-05-08 09:17:57 +00002112 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002113
Paul Bakker05ef8352012-05-08 09:17:57 +00002114 ret = ssl_hw_record_write( ssl );
2115 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2116 {
2117 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
Paul Bakkerd8bb8262014-06-17 14:06:49 +02002118 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +00002119 }
Paul Bakkerc7878112012-12-19 14:41:14 +01002120
2121 if( ret == 0 )
2122 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00002123 }
Paul Bakker9af723c2014-05-01 13:03:14 +02002124#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +00002125 if( !done )
2126 {
2127 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2128 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
2129 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +00002130 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
2131 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +00002132
Paul Bakker48916f92012-09-16 19:57:18 +00002133 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00002134 {
2135 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
2136 {
2137 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2138 return( ret );
2139 }
2140
2141 len = ssl->out_msglen;
2142 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
2143 ssl->out_hdr[4] = (unsigned char)( len );
2144 }
2145
2146 ssl->out_left = 5 + ssl->out_msglen;
2147
2148 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2149 "version = [%d:%d], msglen = %d",
2150 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
2151 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
2152
2153 SSL_DEBUG_BUF( 4, "output record sent to network",
Paul Bakker5bd42292012-12-19 14:40:42 +01002154 ssl->out_hdr, 5 + ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002155 }
2156
Paul Bakker5121ce52009-01-03 21:22:43 +00002157 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2158 {
2159 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2160 return( ret );
2161 }
2162
2163 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2164
2165 return( 0 );
2166}
2167
2168int ssl_read_record( ssl_context *ssl )
2169{
Paul Bakker05ef8352012-05-08 09:17:57 +00002170 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00002171
2172 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
2173
2174 if( ssl->in_hslen != 0 &&
2175 ssl->in_hslen < ssl->in_msglen )
2176 {
2177 /*
2178 * Get next Handshake message in the current record
2179 */
2180 ssl->in_msglen -= ssl->in_hslen;
2181
Paul Bakker8934a982011-08-05 11:11:53 +00002182 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker48916f92012-09-16 19:57:18 +00002183 ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002184
2185 ssl->in_hslen = 4;
2186 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2187
2188 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2189 " %d, type = %d, hslen = %d",
2190 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2191
2192 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2193 {
2194 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002195 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002196 }
2197
2198 if( ssl->in_msglen < ssl->in_hslen )
2199 {
2200 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002201 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002202 }
2203
Paul Bakker4224bc02014-04-08 14:36:50 +02002204 if( ssl->state != SSL_HANDSHAKE_OVER )
2205 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002206
2207 return( 0 );
2208 }
2209
2210 ssl->in_hslen = 0;
2211
2212 /*
2213 * Read the record header and validate it
2214 */
2215 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2216 {
2217 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2218 return( ret );
2219 }
2220
2221 ssl->in_msgtype = ssl->in_hdr[0];
2222 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2223
2224 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2225 "version = [%d:%d], msglen = %d",
2226 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2227 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2228
2229 if( ssl->in_hdr[1] != ssl->major_ver )
2230 {
2231 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002232 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002233 }
2234
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002235 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +00002236 {
2237 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002238 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002239 }
2240
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002241 /* Sanity check (outer boundaries) */
2242 if( ssl->in_msglen < 1 || ssl->in_msglen > SSL_BUFFER_LEN - 13 )
2243 {
2244 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2245 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2246 }
2247
Paul Bakker5121ce52009-01-03 21:22:43 +00002248 /*
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002249 * Make sure the message length is acceptable for the current transform
2250 * and protocol version.
Paul Bakker5121ce52009-01-03 21:22:43 +00002251 */
Paul Bakker48916f92012-09-16 19:57:18 +00002252 if( ssl->transform_in == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002253 {
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002254 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +00002255 {
2256 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002257 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002258 }
2259 }
2260 else
2261 {
Paul Bakker48916f92012-09-16 19:57:18 +00002262 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00002263 {
2264 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002265 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002266 }
2267
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002268#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00002269 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
Paul Bakker48916f92012-09-16 19:57:18 +00002270 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +00002271 {
2272 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002273 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002274 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002275#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002276
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002277#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2278 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker5121ce52009-01-03 21:22:43 +00002279 /*
2280 * TLS encrypted messages can have up to 256 bytes of padding
2281 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002282 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02002283 ssl->in_msglen > ssl->transform_in->minlen +
2284 SSL_MAX_CONTENT_LEN + 256 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002285 {
2286 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002287 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002288 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002289#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002290 }
2291
2292 /*
2293 * Read and optionally decrypt the message contents
2294 */
2295 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2296 {
2297 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2298 return( ret );
2299 }
2300
2301 SSL_DEBUG_BUF( 4, "input record from network",
2302 ssl->in_hdr, 5 + ssl->in_msglen );
2303
Paul Bakker05ef8352012-05-08 09:17:57 +00002304#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02002305 if( ssl_hw_record_read != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00002306 {
2307 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2308
2309 ret = ssl_hw_record_read( ssl );
2310 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2311 {
2312 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
Paul Bakkerd8bb8262014-06-17 14:06:49 +02002313 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +00002314 }
Paul Bakkerc7878112012-12-19 14:41:14 +01002315
2316 if( ret == 0 )
2317 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00002318 }
Paul Bakker9af723c2014-05-01 13:03:14 +02002319#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
Paul Bakker48916f92012-09-16 19:57:18 +00002320 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002321 {
2322 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2323 {
Paul Bakker40865c82013-01-31 17:13:13 +01002324#if defined(POLARSSL_SSL_ALERT_MESSAGES)
2325 if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2326 {
2327 ssl_send_alert_message( ssl,
2328 SSL_ALERT_LEVEL_FATAL,
2329 SSL_ALERT_MSG_BAD_RECORD_MAC );
2330 }
2331#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002332 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2333 return( ret );
2334 }
2335
2336 SSL_DEBUG_BUF( 4, "input payload after decrypt",
2337 ssl->in_msg, ssl->in_msglen );
2338
2339 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2340 {
2341 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002342 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002343 }
2344 }
2345
Paul Bakker2770fbd2012-07-03 13:30:23 +00002346#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00002347 if( ssl->transform_in != NULL &&
2348 ssl->session_in->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002349 {
2350 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2351 {
2352 SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2353 return( ret );
2354 }
2355
2356 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2357 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2358 }
2359#endif /* POLARSSL_ZLIB_SUPPORT */
2360
Paul Bakker0a925182012-04-16 06:46:41 +00002361 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2362 ssl->in_msgtype != SSL_MSG_ALERT &&
2363 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
2364 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2365 {
2366 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2367
Paul Bakker48916f92012-09-16 19:57:18 +00002368 if( ( ret = ssl_send_alert_message( ssl,
2369 SSL_ALERT_LEVEL_FATAL,
2370 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +00002371 {
2372 return( ret );
2373 }
2374
2375 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2376 }
2377
Paul Bakker5121ce52009-01-03 21:22:43 +00002378 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2379 {
2380 ssl->in_hslen = 4;
2381 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2382
2383 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2384 " %d, type = %d, hslen = %d",
2385 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2386
2387 /*
2388 * Additional checks to validate the handshake header
2389 */
2390 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2391 {
2392 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002393 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002394 }
2395
2396 if( ssl->in_msglen < ssl->in_hslen )
2397 {
2398 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002399 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002400 }
2401
Paul Bakker48916f92012-09-16 19:57:18 +00002402 if( ssl->state != SSL_HANDSHAKE_OVER )
2403 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002404 }
2405
2406 if( ssl->in_msgtype == SSL_MSG_ALERT )
2407 {
2408 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2409 ssl->in_msg[0], ssl->in_msg[1] ) );
2410
2411 /*
2412 * Ignore non-fatal alerts, except close_notify
2413 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002414 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002415 {
Paul Bakker2770fbd2012-07-03 13:30:23 +00002416 SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2417 ssl->in_msg[1] ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002418 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002419 }
2420
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002421 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2422 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +00002423 {
2424 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002425 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002426 }
2427 }
2428
2429 ssl->in_left = 0;
2430
2431 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2432
2433 return( 0 );
2434}
2435
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00002436int ssl_send_fatal_handshake_failure( ssl_context *ssl )
2437{
2438 int ret;
2439
2440 if( ( ret = ssl_send_alert_message( ssl,
2441 SSL_ALERT_LEVEL_FATAL,
2442 SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
2443 {
2444 return( ret );
2445 }
2446
2447 return( 0 );
2448}
2449
Paul Bakker0a925182012-04-16 06:46:41 +00002450int ssl_send_alert_message( ssl_context *ssl,
2451 unsigned char level,
2452 unsigned char message )
2453{
2454 int ret;
2455
2456 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2457
2458 ssl->out_msgtype = SSL_MSG_ALERT;
2459 ssl->out_msglen = 2;
2460 ssl->out_msg[0] = level;
2461 ssl->out_msg[1] = message;
2462
2463 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2464 {
2465 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2466 return( ret );
2467 }
2468
2469 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2470
2471 return( 0 );
2472}
2473
Paul Bakker5121ce52009-01-03 21:22:43 +00002474/*
2475 * Handshake functions
2476 */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002477#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2478 !defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
2479 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2480 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2481 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
2482 !defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2483 !defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00002484int ssl_write_certificate( ssl_context *ssl )
2485{
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002486 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002487
2488 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2489
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002490 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002491 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2492 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002493 {
2494 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2495 ssl->state++;
2496 return( 0 );
2497 }
2498
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002499 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2500 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002501}
2502
2503int ssl_parse_certificate( ssl_context *ssl )
2504{
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002505 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2506
2507 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2508
2509 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002510 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2511 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002512 {
2513 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2514 ssl->state++;
2515 return( 0 );
2516 }
2517
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002518 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2519 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002520}
2521#else
2522int ssl_write_certificate( ssl_context *ssl )
2523{
2524 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2525 size_t i, n;
Paul Bakkerc559c7a2013-09-18 14:13:26 +02002526 const x509_crt *crt;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002527 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2528
2529 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2530
2531 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002532 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2533 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002534 {
2535 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2536 ssl->state++;
2537 return( 0 );
2538 }
2539
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002540#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00002541 if( ssl->endpoint == SSL_IS_CLIENT )
2542 {
2543 if( ssl->client_auth == 0 )
2544 {
2545 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2546 ssl->state++;
2547 return( 0 );
2548 }
2549
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002550#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00002551 /*
2552 * If using SSLv3 and got no cert, send an Alert message
2553 * (otherwise an empty Certificate message will be sent).
2554 */
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002555 if( ssl_own_cert( ssl ) == NULL &&
Paul Bakker5121ce52009-01-03 21:22:43 +00002556 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2557 {
2558 ssl->out_msglen = 2;
2559 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002560 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2561 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +00002562
2563 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2564 goto write_msg;
2565 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002566#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002567 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002568#endif /* POLARSSL_SSL_CLI_C */
2569#if defined(POLARSSL_SSL_SRV_C)
2570 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00002571 {
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002572 if( ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002573 {
2574 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002575 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002576 }
2577 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002578#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002579
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002580 SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002581
2582 /*
2583 * 0 . 0 handshake type
2584 * 1 . 3 handshake length
2585 * 4 . 6 length of all certs
2586 * 7 . 9 length of cert. 1
2587 * 10 . n-1 peer certificate
2588 * n . n+2 length of cert. 2
2589 * n+3 . ... upper level cert, etc.
2590 */
2591 i = 7;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002592 crt = ssl_own_cert( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00002593
Paul Bakker29087132010-03-21 21:03:34 +00002594 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002595 {
2596 n = crt->raw.len;
Paul Bakker6992eb72013-12-31 11:35:16 +01002597 if( n > SSL_MAX_CONTENT_LEN - 3 - i )
Paul Bakker5121ce52009-01-03 21:22:43 +00002598 {
2599 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2600 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002601 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002602 }
2603
2604 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2605 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2606 ssl->out_msg[i + 2] = (unsigned char)( n );
2607
2608 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2609 i += n; crt = crt->next;
2610 }
2611
2612 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2613 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2614 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2615
2616 ssl->out_msglen = i;
2617 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2618 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2619
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002620#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00002621write_msg:
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002622#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002623
2624 ssl->state++;
2625
2626 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2627 {
2628 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2629 return( ret );
2630 }
2631
2632 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2633
Paul Bakkered27a042013-04-18 22:46:23 +02002634 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002635}
2636
2637int ssl_parse_certificate( ssl_context *ssl )
2638{
Paul Bakkered27a042013-04-18 22:46:23 +02002639 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker23986e52011-04-24 08:57:21 +00002640 size_t i, n;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002641 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002642
2643 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2644
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002645 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002646 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2647 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002648 {
2649 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2650 ssl->state++;
2651 return( 0 );
2652 }
2653
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002654#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00002655 if( ssl->endpoint == SSL_IS_SERVER &&
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +01002656 ( ssl->authmode == SSL_VERIFY_NONE ||
2657 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00002658 {
Manuel Pégourié-Gonnard38d1eba2013-08-23 10:44:29 +02002659 ssl->session_negotiate->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +00002660 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2661 ssl->state++;
2662 return( 0 );
2663 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002664#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002665
2666 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2667 {
2668 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2669 return( ret );
2670 }
2671
2672 ssl->state++;
2673
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002674#if defined(POLARSSL_SSL_SRV_C)
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002675#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00002676 /*
2677 * Check if the client sent an empty certificate
2678 */
2679 if( ssl->endpoint == SSL_IS_SERVER &&
2680 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2681 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002682 if( ssl->in_msglen == 2 &&
2683 ssl->in_msgtype == SSL_MSG_ALERT &&
2684 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2685 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +00002686 {
2687 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2688
Manuel Pégourié-Gonnard38d1eba2013-08-23 10:44:29 +02002689 ssl->session_negotiate->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002690 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2691 return( 0 );
2692 else
Paul Bakker40e46942009-01-03 21:51:57 +00002693 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002694 }
2695 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002696#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002697
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002698#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2699 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker5121ce52009-01-03 21:22:43 +00002700 if( ssl->endpoint == SSL_IS_SERVER &&
2701 ssl->minor_ver != SSL_MINOR_VERSION_0 )
2702 {
2703 if( ssl->in_hslen == 7 &&
2704 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2705 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2706 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2707 {
2708 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2709
Manuel Pégourié-Gonnard38d1eba2013-08-23 10:44:29 +02002710 ssl->session_negotiate->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002711 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +00002712 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002713 else
2714 return( 0 );
2715 }
2716 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002717#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2718 POLARSSL_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002719#endif /* POLARSSL_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00002720
2721 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2722 {
2723 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002724 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002725 }
2726
2727 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2728 {
2729 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002730 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002731 }
2732
2733 /*
2734 * Same message structure as in ssl_write_certificate()
2735 */
2736 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2737
2738 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2739 {
2740 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002741 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002742 }
2743
Manuel Pégourié-Gonnardbfb355c2013-09-07 17:27:43 +02002744 /* In case we tried to reuse a session but it failed */
2745 if( ssl->session_negotiate->peer_cert != NULL )
2746 {
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002747 x509_crt_free( ssl->session_negotiate->peer_cert );
Manuel Pégourié-Gonnardbfb355c2013-09-07 17:27:43 +02002748 polarssl_free( ssl->session_negotiate->peer_cert );
2749 }
2750
Mansour Moufidc531b4a2015-02-15 17:35:38 -05002751 if( ( ssl->session_negotiate->peer_cert = polarssl_malloc(
Paul Bakkerc559c7a2013-09-18 14:13:26 +02002752 sizeof( x509_crt ) ) ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002753 {
2754 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
Paul Bakkerc559c7a2013-09-18 14:13:26 +02002755 sizeof( x509_crt ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +00002756 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002757 }
2758
Paul Bakkerb6b09562013-09-18 14:17:41 +02002759 x509_crt_init( ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +00002760
2761 i = 7;
2762
2763 while( i < ssl->in_hslen )
2764 {
2765 if( ssl->in_msg[i] != 0 )
2766 {
2767 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002768 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002769 }
2770
2771 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2772 | (unsigned int) ssl->in_msg[i + 2];
2773 i += 3;
2774
2775 if( n < 128 || i + n > ssl->in_hslen )
2776 {
2777 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002778 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002779 }
2780
Paul Bakkerddf26b42013-09-18 13:46:23 +02002781 ret = x509_crt_parse_der( ssl->session_negotiate->peer_cert,
2782 ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00002783 if( ret != 0 )
2784 {
Paul Bakkerddf26b42013-09-18 13:46:23 +02002785 SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002786 return( ret );
2787 }
2788
2789 i += n;
2790 }
2791
Paul Bakker48916f92012-09-16 19:57:18 +00002792 SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +00002793
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01002794 /*
2795 * On client, make sure the server cert doesn't change during renego to
2796 * avoid "triple handshake" attack: https://secure-resumption.com/
2797 */
Paul Bakkerf6080b82015-01-13 16:18:23 +01002798#if defined(POLARSSL_SSL_RENEGOTIATION) && defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01002799 if( ssl->endpoint == SSL_IS_CLIENT &&
2800 ssl->renegotiation == SSL_RENEGOTIATION )
2801 {
2802 if( ssl->session->peer_cert == NULL )
2803 {
2804 SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
2805 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2806 }
2807
2808 if( ssl->session->peer_cert->raw.len !=
2809 ssl->session_negotiate->peer_cert->raw.len ||
2810 memcmp( ssl->session->peer_cert->raw.p,
2811 ssl->session_negotiate->peer_cert->raw.p,
2812 ssl->session->peer_cert->raw.len ) != 0 )
2813 {
2814 SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
2815 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2816 }
2817 }
Paul Bakkerf6080b82015-01-13 16:18:23 +01002818#endif /* POLARSSL_SSL_RENEGOTIATION && POLARSSL_SSL_CLI_C */
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01002819
Paul Bakker5121ce52009-01-03 21:22:43 +00002820 if( ssl->authmode != SSL_VERIFY_NONE )
2821 {
2822 if( ssl->ca_chain == NULL )
2823 {
2824 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002825 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002826 }
2827
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002828 /*
2829 * Main check: verify certificate
2830 */
Paul Bakkerddf26b42013-09-18 13:46:23 +02002831 ret = x509_crt_verify( ssl->session_negotiate->peer_cert,
2832 ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2833 &ssl->session_negotiate->verify_result,
2834 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +00002835
2836 if( ret != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002837 {
Paul Bakker5121ce52009-01-03 21:22:43 +00002838 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002839 }
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002840
2841 /*
2842 * Secondary checks: always done, but change 'ret' only if it was 0
2843 */
2844
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002845#if defined(POLARSSL_SSL_SET_CURVES)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002846 {
Paul Bakker93389cc2014-04-17 14:44:38 +02002847 pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002848
2849 /* If certificate uses an EC key, make sure the curve is OK */
2850 if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
2851 ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
2852 {
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002853 SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002854 if( ret == 0 )
2855 ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002856 }
2857 }
Paul Bakker9af723c2014-05-01 13:03:14 +02002858#endif /* POLARSSL_SSL_SET_CURVES */
Paul Bakker5121ce52009-01-03 21:22:43 +00002859
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002860 if( ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
2861 ciphersuite_info,
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02002862 ! ssl->endpoint,
2863 &ssl->session_negotiate->verify_result ) != 0 )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002864 {
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002865 SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002866 if( ret == 0 )
2867 ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
2868 }
2869
Paul Bakker5121ce52009-01-03 21:22:43 +00002870 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2871 ret = 0;
2872 }
2873
2874 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2875
2876 return( ret );
2877}
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002878#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED
2879 !POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
2880 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
2881 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2882 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2883 !POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
2884 !POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002885
2886int ssl_write_change_cipher_spec( ssl_context *ssl )
2887{
2888 int ret;
2889
2890 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2891
2892 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2893 ssl->out_msglen = 1;
2894 ssl->out_msg[0] = 1;
2895
Paul Bakker5121ce52009-01-03 21:22:43 +00002896 ssl->state++;
2897
2898 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2899 {
2900 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2901 return( ret );
2902 }
2903
2904 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2905
2906 return( 0 );
2907}
2908
2909int ssl_parse_change_cipher_spec( ssl_context *ssl )
2910{
2911 int ret;
2912
2913 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2914
Paul Bakker5121ce52009-01-03 21:22:43 +00002915 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2916 {
2917 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2918 return( ret );
2919 }
2920
2921 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2922 {
2923 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002924 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002925 }
2926
2927 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2928 {
2929 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002930 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +00002931 }
2932
2933 ssl->state++;
2934
2935 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2936
2937 return( 0 );
2938}
2939
Paul Bakker41c83d32013-03-20 14:39:14 +01002940void ssl_optimize_checksum( ssl_context *ssl,
2941 const ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +00002942{
Paul Bakkerfb08fd22013-08-27 15:06:26 +02002943 ((void) ciphersuite_info);
Paul Bakker769075d2012-11-24 11:26:46 +01002944
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002945#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2946 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker380da532012-04-18 16:10:25 +00002947 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakker48916f92012-09-16 19:57:18 +00002948 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
Paul Bakker380da532012-04-18 16:10:25 +00002949 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002950#endif
2951#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2952#if defined(POLARSSL_SHA512_C)
2953 if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2954 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2955 else
2956#endif
2957#if defined(POLARSSL_SHA256_C)
2958 if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
Paul Bakker48916f92012-09-16 19:57:18 +00002959 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002960 else
2961#endif
2962#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002963 {
2964 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002965 return;
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002966 }
Paul Bakker380da532012-04-18 16:10:25 +00002967}
Paul Bakkerf7abd422013-04-16 13:15:56 +02002968
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002969static void ssl_update_checksum_start( ssl_context *ssl,
2970 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002971{
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002972#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2973 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker48916f92012-09-16 19:57:18 +00002974 md5_update( &ssl->handshake->fin_md5 , buf, len );
2975 sha1_update( &ssl->handshake->fin_sha1, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002976#endif
2977#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2978#if defined(POLARSSL_SHA256_C)
Paul Bakker9e36f042013-06-30 14:34:05 +02002979 sha256_update( &ssl->handshake->fin_sha256, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002980#endif
Paul Bakker9e36f042013-06-30 14:34:05 +02002981#if defined(POLARSSL_SHA512_C)
2982 sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01002983#endif
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002984#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00002985}
2986
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002987#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2988 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002989static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2990 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002991{
Paul Bakker48916f92012-09-16 19:57:18 +00002992 md5_update( &ssl->handshake->fin_md5 , buf, len );
2993 sha1_update( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00002994}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002995#endif
Paul Bakker380da532012-04-18 16:10:25 +00002996
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002997#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2998#if defined(POLARSSL_SHA256_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002999static void ssl_update_checksum_sha256( ssl_context *ssl,
3000 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00003001{
Paul Bakker9e36f042013-06-30 14:34:05 +02003002 sha256_update( &ssl->handshake->fin_sha256, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00003003}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003004#endif
Paul Bakker380da532012-04-18 16:10:25 +00003005
Paul Bakker9e36f042013-06-30 14:34:05 +02003006#if defined(POLARSSL_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003007static void ssl_update_checksum_sha384( ssl_context *ssl,
3008 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00003009{
Paul Bakker9e36f042013-06-30 14:34:05 +02003010 sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00003011}
Paul Bakker769075d2012-11-24 11:26:46 +01003012#endif
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003013#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00003014
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003015#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003016static void ssl_calc_finished_ssl(
3017 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00003018{
Paul Bakker3c2122f2013-06-24 19:03:14 +02003019 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003020 md5_context md5;
3021 sha1_context sha1;
3022
Paul Bakker5121ce52009-01-03 21:22:43 +00003023 unsigned char padbuf[48];
3024 unsigned char md5sum[16];
3025 unsigned char sha1sum[20];
3026
Paul Bakker48916f92012-09-16 19:57:18 +00003027 ssl_session *session = ssl->session_negotiate;
3028 if( !session )
3029 session = ssl->session;
3030
Paul Bakker1ef83d62012-04-11 12:09:53 +00003031 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
3032
Paul Bakker48916f92012-09-16 19:57:18 +00003033 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
3034 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003035
3036 /*
3037 * SSLv3:
3038 * hash =
3039 * MD5( master + pad2 +
3040 * MD5( handshake + sender + master + pad1 ) )
3041 * + SHA1( master + pad2 +
3042 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00003043 */
3044
Paul Bakker90995b52013-06-24 19:20:35 +02003045#if !defined(POLARSSL_MD5_ALT)
Paul Bakker5121ce52009-01-03 21:22:43 +00003046 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003047 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003048#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003049
Paul Bakker90995b52013-06-24 19:20:35 +02003050#if !defined(POLARSSL_SHA1_ALT)
Paul Bakker5121ce52009-01-03 21:22:43 +00003051 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003052 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003053#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003054
Paul Bakker3c2122f2013-06-24 19:03:14 +02003055 sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
3056 : "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +00003057
Paul Bakker1ef83d62012-04-11 12:09:53 +00003058 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003059
Paul Bakker3c2122f2013-06-24 19:03:14 +02003060 md5_update( &md5, (const unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +00003061 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003062 md5_update( &md5, padbuf, 48 );
3063 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00003064
Paul Bakker3c2122f2013-06-24 19:03:14 +02003065 sha1_update( &sha1, (const unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +00003066 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003067 sha1_update( &sha1, padbuf, 40 );
3068 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00003069
Paul Bakker1ef83d62012-04-11 12:09:53 +00003070 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003071
Paul Bakker1ef83d62012-04-11 12:09:53 +00003072 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +00003073 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003074 md5_update( &md5, padbuf, 48 );
3075 md5_update( &md5, md5sum, 16 );
3076 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00003077
Paul Bakker1ef83d62012-04-11 12:09:53 +00003078 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +00003079 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003080 sha1_update( &sha1, padbuf , 40 );
3081 sha1_update( &sha1, sha1sum, 20 );
3082 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003083
Paul Bakker1ef83d62012-04-11 12:09:53 +00003084 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003085
Paul Bakker5b4af392014-06-26 12:09:34 +02003086 md5_free( &md5 );
3087 sha1_free( &sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003088
Paul Bakker34617722014-06-13 17:20:13 +02003089 polarssl_zeroize( padbuf, sizeof( padbuf ) );
3090 polarssl_zeroize( md5sum, sizeof( md5sum ) );
3091 polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003092
3093 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3094}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003095#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00003096
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003097#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003098static void ssl_calc_finished_tls(
3099 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00003100{
Paul Bakker1ef83d62012-04-11 12:09:53 +00003101 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02003102 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003103 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +00003104 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003105 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +00003106
Paul Bakker48916f92012-09-16 19:57:18 +00003107 ssl_session *session = ssl->session_negotiate;
3108 if( !session )
3109 session = ssl->session;
3110
Paul Bakker1ef83d62012-04-11 12:09:53 +00003111 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003112
Paul Bakker48916f92012-09-16 19:57:18 +00003113 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
3114 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003115
Paul Bakker1ef83d62012-04-11 12:09:53 +00003116 /*
3117 * TLSv1:
3118 * hash = PRF( master, finished_label,
3119 * MD5( handshake ) + SHA1( handshake ) )[0..11]
3120 */
Paul Bakker5121ce52009-01-03 21:22:43 +00003121
Paul Bakker90995b52013-06-24 19:20:35 +02003122#if !defined(POLARSSL_MD5_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003123 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
3124 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003125#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00003126
Paul Bakker90995b52013-06-24 19:20:35 +02003127#if !defined(POLARSSL_SHA1_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003128 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
3129 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003130#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00003131
3132 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02003133 ? "client finished"
3134 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00003135
3136 md5_finish( &md5, padbuf );
3137 sha1_finish( &sha1, padbuf + 16 );
3138
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003139 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00003140 padbuf, 36, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003141
3142 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3143
Paul Bakker5b4af392014-06-26 12:09:34 +02003144 md5_free( &md5 );
3145 sha1_free( &sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003146
Paul Bakker34617722014-06-13 17:20:13 +02003147 polarssl_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003148
3149 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3150}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003151#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00003152
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003153#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3154#if defined(POLARSSL_SHA256_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00003155static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +00003156 ssl_context *ssl, unsigned char *buf, int from )
3157{
3158 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02003159 const char *sender;
Paul Bakker9e36f042013-06-30 14:34:05 +02003160 sha256_context sha256;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003161 unsigned char padbuf[32];
3162
Paul Bakker48916f92012-09-16 19:57:18 +00003163 ssl_session *session = ssl->session_negotiate;
3164 if( !session )
3165 session = ssl->session;
3166
Paul Bakker380da532012-04-18 16:10:25 +00003167 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003168
Paul Bakker9e36f042013-06-30 14:34:05 +02003169 memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003170
3171 /*
3172 * TLSv1.2:
3173 * hash = PRF( master, finished_label,
3174 * Hash( handshake ) )[0.11]
3175 */
3176
Paul Bakker9e36f042013-06-30 14:34:05 +02003177#if !defined(POLARSSL_SHA256_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003178 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Paul Bakker9e36f042013-06-30 14:34:05 +02003179 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003180#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00003181
3182 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02003183 ? "client finished"
3184 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00003185
Paul Bakker9e36f042013-06-30 14:34:05 +02003186 sha256_finish( &sha256, padbuf );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003187
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003188 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00003189 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003190
3191 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3192
Paul Bakker5b4af392014-06-26 12:09:34 +02003193 sha256_free( &sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003194
Paul Bakker34617722014-06-13 17:20:13 +02003195 polarssl_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003196
3197 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3198}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003199#endif /* POLARSSL_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +00003200
Paul Bakker9e36f042013-06-30 14:34:05 +02003201#if defined(POLARSSL_SHA512_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00003202static void ssl_calc_finished_tls_sha384(
3203 ssl_context *ssl, unsigned char *buf, int from )
3204{
3205 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02003206 const char *sender;
Paul Bakker9e36f042013-06-30 14:34:05 +02003207 sha512_context sha512;
Paul Bakkerca4ab492012-04-18 14:23:57 +00003208 unsigned char padbuf[48];
3209
Paul Bakker48916f92012-09-16 19:57:18 +00003210 ssl_session *session = ssl->session_negotiate;
3211 if( !session )
3212 session = ssl->session;
3213
Paul Bakker380da532012-04-18 16:10:25 +00003214 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003215
Paul Bakker9e36f042013-06-30 14:34:05 +02003216 memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003217
3218 /*
3219 * TLSv1.2:
3220 * hash = PRF( master, finished_label,
3221 * Hash( handshake ) )[0.11]
3222 */
3223
Paul Bakker9e36f042013-06-30 14:34:05 +02003224#if !defined(POLARSSL_SHA512_ALT)
3225 SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3226 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003227#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00003228
3229 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02003230 ? "client finished"
3231 : "server finished";
Paul Bakkerca4ab492012-04-18 14:23:57 +00003232
Paul Bakker9e36f042013-06-30 14:34:05 +02003233 sha512_finish( &sha512, padbuf );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003234
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003235 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00003236 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003237
3238 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3239
Paul Bakker5b4af392014-06-26 12:09:34 +02003240 sha512_free( &sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003241
Paul Bakker34617722014-06-13 17:20:13 +02003242 polarssl_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003243
3244 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3245}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003246#endif /* POLARSSL_SHA512_C */
3247#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +00003248
Paul Bakker48916f92012-09-16 19:57:18 +00003249void ssl_handshake_wrapup( ssl_context *ssl )
3250{
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02003251 int resume = ssl->handshake->resume;
3252
Paul Bakker48916f92012-09-16 19:57:18 +00003253 SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3254
3255 /*
3256 * Free our handshake params
3257 */
3258 ssl_handshake_free( ssl->handshake );
Paul Bakker6e339b52013-07-03 13:37:05 +02003259 polarssl_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +00003260 ssl->handshake = NULL;
3261
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003262#if defined(POLARSSL_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnardcaed0542013-10-30 12:47:35 +01003263 if( ssl->renegotiation == SSL_RENEGOTIATION )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02003264 {
Manuel Pégourié-Gonnardcaed0542013-10-30 12:47:35 +01003265 ssl->renegotiation = SSL_RENEGOTIATION_DONE;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02003266 ssl->renego_records_seen = 0;
3267 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003268#endif
Manuel Pégourié-Gonnardcaed0542013-10-30 12:47:35 +01003269
Paul Bakker48916f92012-09-16 19:57:18 +00003270 /*
3271 * Switch in our now active transform context
3272 */
3273 if( ssl->transform )
3274 {
3275 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02003276 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00003277 }
3278 ssl->transform = ssl->transform_negotiate;
3279 ssl->transform_negotiate = NULL;
3280
Paul Bakker0a597072012-09-25 21:55:46 +00003281 if( ssl->session )
3282 {
Manuel Pégourié-Gonnard1a034732014-11-04 17:36:18 +01003283#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
3284 /* RFC 7366 3.1: keep the EtM state */
3285 ssl->session_negotiate->encrypt_then_mac =
3286 ssl->session->encrypt_then_mac;
3287#endif
3288
Paul Bakker0a597072012-09-25 21:55:46 +00003289 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02003290 polarssl_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +00003291 }
3292 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00003293 ssl->session_negotiate = NULL;
3294
Paul Bakker0a597072012-09-25 21:55:46 +00003295 /*
3296 * Add cache entry
3297 */
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02003298 if( ssl->f_set_cache != NULL &&
3299 ssl->session->length != 0 &&
3300 resume == 0 )
3301 {
Paul Bakker0a597072012-09-25 21:55:46 +00003302 if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3303 SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02003304 }
Paul Bakker0a597072012-09-25 21:55:46 +00003305
Paul Bakker48916f92012-09-16 19:57:18 +00003306 ssl->state++;
3307
3308 SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3309}
3310
Paul Bakker1ef83d62012-04-11 12:09:53 +00003311int ssl_write_finished( ssl_context *ssl )
3312{
3313 int ret, hash_len;
3314
3315 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3316
Paul Bakker92be97b2013-01-02 17:30:03 +01003317 /*
3318 * Set the out_msg pointer to the correct location based on IV length
3319 */
3320 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3321 {
3322 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3323 ssl->transform_negotiate->fixed_ivlen;
3324 }
3325 else
3326 ssl->out_msg = ssl->out_iv;
3327
Paul Bakker48916f92012-09-16 19:57:18 +00003328 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003329
3330 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +00003331 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3332
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003333#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00003334 ssl->verify_data_len = hash_len;
3335 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003336#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003337
Paul Bakker5121ce52009-01-03 21:22:43 +00003338 ssl->out_msglen = 4 + hash_len;
3339 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
3340 ssl->out_msg[0] = SSL_HS_FINISHED;
3341
3342 /*
3343 * In case of session resuming, invert the client and server
3344 * ChangeCipherSpec messages order.
3345 */
Paul Bakker0a597072012-09-25 21:55:46 +00003346 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003347 {
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003348#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003349 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker48916f92012-09-16 19:57:18 +00003350 ssl->state = SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003351#endif
3352#if defined(POLARSSL_SSL_SRV_C)
3353 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00003354 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003355#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003356 }
3357 else
3358 ssl->state++;
3359
Paul Bakker48916f92012-09-16 19:57:18 +00003360 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02003361 * Switch to our negotiated transform and session parameters for outbound
3362 * data.
Paul Bakker48916f92012-09-16 19:57:18 +00003363 */
3364 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3365 ssl->transform_out = ssl->transform_negotiate;
3366 ssl->session_out = ssl->session_negotiate;
3367 memset( ssl->out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003368
Paul Bakker07eb38b2012-12-19 14:42:06 +01003369#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02003370 if( ssl_hw_record_activate != NULL )
Paul Bakker07eb38b2012-12-19 14:42:06 +01003371 {
3372 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3373 {
3374 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3375 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3376 }
3377 }
3378#endif
3379
Paul Bakker5121ce52009-01-03 21:22:43 +00003380 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3381 {
3382 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3383 return( ret );
3384 }
3385
3386 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3387
3388 return( 0 );
3389}
3390
3391int ssl_parse_finished( ssl_context *ssl )
3392{
Paul Bakker23986e52011-04-24 08:57:21 +00003393 int ret;
3394 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00003395 unsigned char buf[36];
3396
3397 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3398
Paul Bakker48916f92012-09-16 19:57:18 +00003399 ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003400
Paul Bakker48916f92012-09-16 19:57:18 +00003401 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02003402 * Switch to our negotiated transform and session parameters for inbound
3403 * data.
Paul Bakker48916f92012-09-16 19:57:18 +00003404 */
3405 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3406 ssl->transform_in = ssl->transform_negotiate;
3407 ssl->session_in = ssl->session_negotiate;
3408 memset( ssl->in_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003409
Paul Bakker92be97b2013-01-02 17:30:03 +01003410 /*
3411 * Set the in_msg pointer to the correct location based on IV length
3412 */
3413 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3414 {
3415 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3416 ssl->transform_negotiate->fixed_ivlen;
3417 }
3418 else
3419 ssl->in_msg = ssl->in_iv;
3420
Paul Bakker07eb38b2012-12-19 14:42:06 +01003421#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02003422 if( ssl_hw_record_activate != NULL )
Paul Bakker07eb38b2012-12-19 14:42:06 +01003423 {
3424 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3425 {
3426 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3427 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3428 }
3429 }
3430#endif
3431
Paul Bakker5121ce52009-01-03 21:22:43 +00003432 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3433 {
3434 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3435 return( ret );
3436 }
3437
3438 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3439 {
3440 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003441 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00003442 }
3443
Paul Bakker1ef83d62012-04-11 12:09:53 +00003444 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +00003445 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3446
3447 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3448 ssl->in_hslen != 4 + hash_len )
3449 {
3450 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003451 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00003452 }
3453
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01003454 if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003455 {
3456 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003457 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00003458 }
3459
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003460#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00003461 ssl->verify_data_len = hash_len;
3462 memcpy( ssl->peer_verify_data, buf, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003463#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003464
Paul Bakker0a597072012-09-25 21:55:46 +00003465 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003466 {
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003467#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003468 if( ssl->endpoint == SSL_IS_CLIENT )
3469 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003470#endif
3471#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003472 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker48916f92012-09-16 19:57:18 +00003473 ssl->state = SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003474#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003475 }
3476 else
3477 ssl->state++;
3478
3479 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3480
3481 return( 0 );
3482}
3483
Paul Bakker968afaa2014-07-09 11:09:24 +02003484static void ssl_handshake_params_init( ssl_handshake_params *handshake )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003485{
3486 memset( handshake, 0, sizeof( ssl_handshake_params ) );
3487
3488#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3489 defined(POLARSSL_SSL_PROTO_TLS1_1)
3490 md5_init( &handshake->fin_md5 );
3491 sha1_init( &handshake->fin_sha1 );
3492 md5_starts( &handshake->fin_md5 );
3493 sha1_starts( &handshake->fin_sha1 );
3494#endif
3495#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3496#if defined(POLARSSL_SHA256_C)
3497 sha256_init( &handshake->fin_sha256 );
3498 sha256_starts( &handshake->fin_sha256, 0 );
3499#endif
3500#if defined(POLARSSL_SHA512_C)
3501 sha512_init( &handshake->fin_sha512 );
3502 sha512_starts( &handshake->fin_sha512, 1 );
3503#endif
3504#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3505
3506 handshake->update_checksum = ssl_update_checksum_start;
3507 handshake->sig_alg = SSL_HASH_SHA1;
3508
3509#if defined(POLARSSL_DHM_C)
3510 dhm_init( &handshake->dhm_ctx );
3511#endif
3512#if defined(POLARSSL_ECDH_C)
3513 ecdh_init( &handshake->ecdh_ctx );
3514#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003515}
3516
3517static void ssl_transform_init( ssl_transform *transform )
3518{
3519 memset( transform, 0, sizeof(ssl_transform) );
Paul Bakker84bbeb52014-07-01 14:53:22 +02003520
3521 cipher_init( &transform->cipher_ctx_enc );
3522 cipher_init( &transform->cipher_ctx_dec );
3523
3524 md_init( &transform->md_ctx_enc );
3525 md_init( &transform->md_ctx_dec );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003526}
3527
3528void ssl_session_init( ssl_session *session )
3529{
3530 memset( session, 0, sizeof(ssl_session) );
3531}
3532
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003533static int ssl_handshake_init( ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00003534{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003535 /* Clear old handshake information if present */
Paul Bakker48916f92012-09-16 19:57:18 +00003536 if( ssl->transform_negotiate )
3537 ssl_transform_free( ssl->transform_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003538 if( ssl->session_negotiate )
3539 ssl_session_free( ssl->session_negotiate );
3540 if( ssl->handshake )
3541 ssl_handshake_free( ssl->handshake );
3542
3543 /*
3544 * Either the pointers are now NULL or cleared properly and can be freed.
3545 * Now allocate missing structures.
3546 */
3547 if( ssl->transform_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003548 {
Mansour Moufid99b92592015-02-15 17:46:32 -05003549 ssl->transform_negotiate = polarssl_malloc( sizeof(ssl_transform) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003550 }
Paul Bakker48916f92012-09-16 19:57:18 +00003551
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003552 if( ssl->session_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003553 {
Mansour Moufid99b92592015-02-15 17:46:32 -05003554 ssl->session_negotiate = polarssl_malloc( sizeof(ssl_session) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003555 }
Paul Bakker48916f92012-09-16 19:57:18 +00003556
Paul Bakker82788fb2014-10-20 13:59:19 +02003557 if( ssl->handshake == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003558 {
Mansour Moufid99b92592015-02-15 17:46:32 -05003559 ssl->handshake = polarssl_malloc( sizeof(ssl_handshake_params) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003560 }
Paul Bakker48916f92012-09-16 19:57:18 +00003561
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003562 /* All pointers should exist and can be directly freed without issue */
Paul Bakker48916f92012-09-16 19:57:18 +00003563 if( ssl->handshake == NULL ||
3564 ssl->transform_negotiate == NULL ||
3565 ssl->session_negotiate == NULL )
3566 {
3567 SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003568
3569 polarssl_free( ssl->handshake );
3570 polarssl_free( ssl->transform_negotiate );
3571 polarssl_free( ssl->session_negotiate );
3572
3573 ssl->handshake = NULL;
3574 ssl->transform_negotiate = NULL;
3575 ssl->session_negotiate = NULL;
3576
Paul Bakker48916f92012-09-16 19:57:18 +00003577 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3578 }
3579
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003580 /* Initialize structures */
3581 ssl_session_init( ssl->session_negotiate );
3582 ssl_transform_init( ssl->transform_negotiate );
Paul Bakker968afaa2014-07-09 11:09:24 +02003583 ssl_handshake_params_init( ssl->handshake );
3584
3585#if defined(POLARSSL_X509_CRT_PARSE_C)
3586 ssl->handshake->key_cert = ssl->key_cert;
3587#endif
Manuel Pégourié-Gonnarde5e1bb92013-10-30 11:25:30 +01003588
Paul Bakker48916f92012-09-16 19:57:18 +00003589 return( 0 );
3590}
3591
Paul Bakker5121ce52009-01-03 21:22:43 +00003592/*
3593 * Initialize an SSL context
3594 */
3595int ssl_init( ssl_context *ssl )
3596{
Paul Bakker48916f92012-09-16 19:57:18 +00003597 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00003598 int len = SSL_BUFFER_LEN;
3599
3600 memset( ssl, 0, sizeof( ssl_context ) );
3601
Paul Bakker62f2dee2012-09-28 07:31:51 +00003602 /*
3603 * Sane defaults
3604 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003605 ssl->min_major_ver = SSL_MIN_MAJOR_VERSION;
3606 ssl->min_minor_ver = SSL_MIN_MINOR_VERSION;
3607 ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
3608 ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +00003609
Paul Bakker8f4ddae2013-04-15 15:09:54 +02003610 ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
Paul Bakker645ce3a2012-10-31 12:32:41 +00003611
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003612#if defined(POLARSSL_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02003613 ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01003614 memset( ssl->renego_period, 0xFF, 7 );
3615 ssl->renego_period[7] = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003616#endif
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02003617
Paul Bakker62f2dee2012-09-28 07:31:51 +00003618#if defined(POLARSSL_DHM_C)
3619 if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3620 POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
3621 ( ret = mpi_read_string( &ssl->dhm_G, 16,
3622 POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
3623 {
3624 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3625 return( ret );
3626 }
3627#endif
3628
3629 /*
3630 * Prepare base structures
3631 */
Manuel Pégourié-Gonnardf7db5e02015-02-18 10:32:41 +00003632 if( ( ssl->in_ctr = polarssl_malloc( len ) ) == NULL ||
3633 ( ssl->out_ctr = polarssl_malloc( len ) ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003634 {
3635 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker3d6504a2014-03-17 13:41:51 +01003636 polarssl_free( ssl->in_ctr );
3637 ssl->in_ctr = NULL;
Paul Bakker69e095c2011-12-10 21:55:01 +00003638 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00003639 }
3640
3641 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3642 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3643
Manuel Pégourié-Gonnardf7db5e02015-02-18 10:32:41 +00003644 ssl->in_hdr = ssl->in_ctr + 8;
3645 ssl->in_iv = ssl->in_ctr + 13;
3646 ssl->in_msg = ssl->in_ctr + 13;
3647
3648 ssl->out_hdr = ssl->out_ctr + 8;
3649 ssl->out_iv = ssl->out_ctr + 13;
3650 ssl->out_msg = ssl->out_ctr + 13;
3651
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01003652#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
3653 ssl->encrypt_then_mac = SSL_ETM_ENABLED;
3654#endif
3655
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02003656#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
3657 ssl->extended_ms = SSL_EXTENDED_MS_ENABLED;
3658#endif
3659
Paul Bakker606b4ba2013-08-14 16:52:14 +02003660#if defined(POLARSSL_SSL_SESSION_TICKETS)
3661 ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
3662#endif
3663
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003664#if defined(POLARSSL_SSL_SET_CURVES)
Manuel Pégourié-Gonnardac719412014-02-04 14:48:50 +01003665 ssl->curve_list = ecp_grp_id_list( );
Gergely Budai987bfb52014-01-19 21:48:42 +01003666#endif
3667
Paul Bakker48916f92012-09-16 19:57:18 +00003668 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3669 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003670
3671 return( 0 );
3672}
3673
3674/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00003675 * Reset an initialized and used SSL context for re-use while retaining
3676 * all application-set variables, function pointers and data.
3677 */
Paul Bakker2770fbd2012-07-03 13:30:23 +00003678int ssl_session_reset( ssl_context *ssl )
Paul Bakker7eb013f2011-10-06 12:37:39 +00003679{
Paul Bakker48916f92012-09-16 19:57:18 +00003680 int ret;
3681
Paul Bakker7eb013f2011-10-06 12:37:39 +00003682 ssl->state = SSL_HELLO_REQUEST;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003683
3684#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00003685 ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003686 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +00003687
3688 ssl->verify_data_len = 0;
Manuel Pégourié-Gonnard61860192014-11-04 13:05:42 +01003689 memset( ssl->own_verify_data, 0, SSL_VERIFY_DATA_MAX_LEN );
3690 memset( ssl->peer_verify_data, 0, SSL_VERIFY_DATA_MAX_LEN );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003691#endif
3692 ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +00003693
Paul Bakker7eb013f2011-10-06 12:37:39 +00003694 ssl->in_offt = NULL;
3695
Paul Bakker92be97b2013-01-02 17:30:03 +01003696 ssl->in_msg = ssl->in_ctr + 13;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003697 ssl->in_msgtype = 0;
3698 ssl->in_msglen = 0;
3699 ssl->in_left = 0;
3700
3701 ssl->in_hslen = 0;
3702 ssl->nb_zero = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003703 ssl->record_read = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003704
Paul Bakker92be97b2013-01-02 17:30:03 +01003705 ssl->out_msg = ssl->out_ctr + 13;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003706 ssl->out_msgtype = 0;
3707 ssl->out_msglen = 0;
3708 ssl->out_left = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01003709#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01003710 if( ssl->split_done != SSL_CBC_RECORD_SPLITTING_DISABLED )
3711 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01003712#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +00003713
Paul Bakker48916f92012-09-16 19:57:18 +00003714 ssl->transform_in = NULL;
3715 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003716
3717 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3718 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
Paul Bakker05ef8352012-05-08 09:17:57 +00003719
3720#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02003721 if( ssl_hw_record_reset != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00003722 {
3723 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
Paul Bakker07eb38b2012-12-19 14:42:06 +01003724 if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
Paul Bakker2770fbd2012-07-03 13:30:23 +00003725 {
3726 SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3727 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3728 }
Paul Bakker05ef8352012-05-08 09:17:57 +00003729 }
3730#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +00003731
Paul Bakker48916f92012-09-16 19:57:18 +00003732 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +00003733 {
Paul Bakker48916f92012-09-16 19:57:18 +00003734 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02003735 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00003736 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +00003737 }
Paul Bakker48916f92012-09-16 19:57:18 +00003738
Paul Bakkerc0463502013-02-14 11:19:38 +01003739 if( ssl->session )
3740 {
3741 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02003742 polarssl_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01003743 ssl->session = NULL;
3744 }
3745
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02003746#if defined(POLARSSL_SSL_ALPN)
3747 ssl->alpn_chosen = NULL;
3748#endif
3749
Paul Bakker48916f92012-09-16 19:57:18 +00003750 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3751 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00003752
3753 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +00003754}
3755
Paul Bakkera503a632013-08-14 13:48:06 +02003756#if defined(POLARSSL_SSL_SESSION_TICKETS)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003757static void ssl_ticket_keys_free( ssl_ticket_keys *tkeys )
3758{
3759 aes_free( &tkeys->enc );
3760 aes_free( &tkeys->dec );
3761
3762 polarssl_zeroize( tkeys, sizeof(ssl_ticket_keys) );
3763}
3764
Paul Bakker7eb013f2011-10-06 12:37:39 +00003765/*
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003766 * Allocate and initialize ticket keys
3767 */
3768static int ssl_ticket_keys_init( ssl_context *ssl )
3769{
3770 int ret;
3771 ssl_ticket_keys *tkeys;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +02003772 unsigned char buf[16];
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003773
3774 if( ssl->ticket_keys != NULL )
3775 return( 0 );
3776
Mansour Moufidc531b4a2015-02-15 17:35:38 -05003777 tkeys = polarssl_malloc( sizeof(ssl_ticket_keys) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003778 if( tkeys == NULL )
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003779 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3780
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003781 aes_init( &tkeys->enc );
3782 aes_init( &tkeys->dec );
3783
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003784 if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
Paul Bakker6f0636a2013-12-16 15:24:05 +01003785 {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003786 ssl_ticket_keys_free( tkeys );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003787 polarssl_free( tkeys );
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003788 return( ret );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003789 }
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003790
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +02003791 if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3792 ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3793 ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3794 {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003795 ssl_ticket_keys_free( tkeys );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003796 polarssl_free( tkeys );
3797 return( ret );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +02003798 }
3799
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +02003800 if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
Paul Bakker6f0636a2013-12-16 15:24:05 +01003801 {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003802 ssl_ticket_keys_free( tkeys );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003803 polarssl_free( tkeys );
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +02003804 return( ret );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003805 }
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +02003806
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003807 ssl->ticket_keys = tkeys;
3808
3809 return( 0 );
3810}
Paul Bakkera503a632013-08-14 13:48:06 +02003811#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003812
3813/*
Paul Bakker5121ce52009-01-03 21:22:43 +00003814 * SSL set accessors
3815 */
3816void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3817{
3818 ssl->endpoint = endpoint;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02003819
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003820#if defined(POLARSSL_SSL_SESSION_TICKETS) && \
3821 defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02003822 if( endpoint == SSL_IS_CLIENT )
3823 ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
Paul Bakker606b4ba2013-08-14 16:52:14 +02003824#endif
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +01003825
3826#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
3827 if( endpoint == SSL_IS_SERVER )
3828 ssl->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
3829#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003830}
3831
3832void ssl_set_authmode( ssl_context *ssl, int authmode )
3833{
3834 ssl->authmode = authmode;
3835}
3836
Paul Bakker7c6b2c32013-09-16 13:49:26 +02003837#if defined(POLARSSL_X509_CRT_PARSE_C)
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003838void ssl_set_verify( ssl_context *ssl,
Paul Bakkerc559c7a2013-09-18 14:13:26 +02003839 int (*f_vrfy)(void *, x509_crt *, int, int *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003840 void *p_vrfy )
3841{
3842 ssl->f_vrfy = f_vrfy;
3843 ssl->p_vrfy = p_vrfy;
3844}
Paul Bakker7c6b2c32013-09-16 13:49:26 +02003845#endif /* POLARSSL_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003846
Paul Bakker5121ce52009-01-03 21:22:43 +00003847void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +00003848 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +00003849 void *p_rng )
3850{
3851 ssl->f_rng = f_rng;
3852 ssl->p_rng = p_rng;
3853}
3854
3855void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +00003856 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +00003857 void *p_dbg )
3858{
3859 ssl->f_dbg = f_dbg;
3860 ssl->p_dbg = p_dbg;
3861}
3862
3863void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +00003864 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +00003865 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +00003866{
3867 ssl->f_recv = f_recv;
3868 ssl->f_send = f_send;
3869 ssl->p_recv = p_recv;
3870 ssl->p_send = p_send;
3871}
3872
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003873#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker0a597072012-09-25 21:55:46 +00003874void ssl_set_session_cache( ssl_context *ssl,
3875 int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3876 int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
Paul Bakker5121ce52009-01-03 21:22:43 +00003877{
Paul Bakker0a597072012-09-25 21:55:46 +00003878 ssl->f_get_cache = f_get_cache;
3879 ssl->p_get_cache = p_get_cache;
3880 ssl->f_set_cache = f_set_cache;
3881 ssl->p_set_cache = p_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00003882}
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003883#endif /* POLARSSL_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003884
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003885#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003886int ssl_set_session( ssl_context *ssl, const ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +00003887{
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003888 int ret;
3889
3890 if( ssl == NULL ||
3891 session == NULL ||
3892 ssl->session_negotiate == NULL ||
3893 ssl->endpoint != SSL_IS_CLIENT )
3894 {
3895 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3896 }
3897
3898 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3899 return( ret );
3900
Paul Bakker0a597072012-09-25 21:55:46 +00003901 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003902
3903 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003904}
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003905#endif /* POLARSSL_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003906
Paul Bakkerb68cad62012-08-23 08:34:18 +00003907void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +00003908{
Paul Bakker8f4ddae2013-04-15 15:09:54 +02003909 ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3910 ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3911 ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3912 ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3913}
3914
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02003915void ssl_set_ciphersuites_for_version( ssl_context *ssl,
3916 const int *ciphersuites,
Paul Bakker8f4ddae2013-04-15 15:09:54 +02003917 int major, int minor )
3918{
3919 if( major != SSL_MAJOR_VERSION_3 )
3920 return;
3921
3922 if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3923 return;
3924
3925 ssl->ciphersuite_list[minor] = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00003926}
3927
Paul Bakker7c6b2c32013-09-16 13:49:26 +02003928#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003929/* Add a new (empty) key_cert entry an return a pointer to it */
3930static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3931{
3932 ssl_key_cert *key_cert, *last;
3933
Mansour Moufidc531b4a2015-02-15 17:35:38 -05003934 key_cert = polarssl_malloc( sizeof(ssl_key_cert) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003935 if( key_cert == NULL )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003936 return( NULL );
3937
3938 memset( key_cert, 0, sizeof( ssl_key_cert ) );
3939
3940 /* Append the new key_cert to the (possibly empty) current list */
3941 if( ssl->key_cert == NULL )
Paul Bakker0333b972013-11-04 17:08:28 +01003942 {
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003943 ssl->key_cert = key_cert;
Paul Bakker08b028f2013-11-19 10:42:37 +01003944 if( ssl->handshake != NULL )
3945 ssl->handshake->key_cert = key_cert;
Paul Bakker0333b972013-11-04 17:08:28 +01003946 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003947 else
3948 {
3949 last = ssl->key_cert;
3950 while( last->next != NULL )
3951 last = last->next;
3952 last->next = key_cert;
3953 }
3954
Paul Bakkerd8bb8262014-06-17 14:06:49 +02003955 return( key_cert );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003956}
3957
Paul Bakkerc559c7a2013-09-18 14:13:26 +02003958void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +00003959 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +00003960{
3961 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +00003962 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +00003963 ssl->peer_cn = peer_cn;
3964}
3965
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003966int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
Manuel Pégourié-Gonnardac755232013-08-19 14:10:16 +02003967 pk_context *pk_key )
Paul Bakker5121ce52009-01-03 21:22:43 +00003968{
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003969 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3970
3971 if( key_cert == NULL )
3972 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3973
3974 key_cert->cert = own_cert;
3975 key_cert->key = pk_key;
3976
Manuel Pégourié-Gonnardf427f882015-03-10 15:35:29 +00003977 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003978}
3979
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +01003980#if ! defined(POLARSSL_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnardac755232013-08-19 14:10:16 +02003981#if defined(POLARSSL_RSA_C)
Paul Bakkerc559c7a2013-09-18 14:13:26 +02003982int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
Manuel Pégourié-Gonnardac755232013-08-19 14:10:16 +02003983 rsa_context *rsa_key )
Paul Bakker43b7e352011-01-18 15:27:19 +00003984{
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02003985 int ret;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003986 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02003987
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003988 if( key_cert == NULL )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02003989 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3990
Mansour Moufidc531b4a2015-02-15 17:35:38 -05003991 key_cert->key = polarssl_malloc( sizeof(pk_context) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003992 if( key_cert->key == NULL )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003993 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02003994
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003995 pk_init( key_cert->key );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02003996
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003997 ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02003998 if( ret != 0 )
3999 return( ret );
4000
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02004001 if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004002 return( ret );
4003
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004004 key_cert->cert = own_cert;
4005 key_cert->key_own_alloc = 1;
4006
Manuel Pégourié-Gonnardf427f882015-03-10 15:35:29 +00004007 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004008}
Manuel Pégourié-Gonnardac755232013-08-19 14:10:16 +02004009#endif /* POLARSSL_RSA_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00004010
Paul Bakkerc559c7a2013-09-18 14:13:26 +02004011int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
Manuel Pégourié-Gonnard2fb15f62013-08-22 17:54:20 +02004012 void *rsa_key,
4013 rsa_decrypt_func rsa_decrypt,
4014 rsa_sign_func rsa_sign,
4015 rsa_key_len_func rsa_key_len )
Paul Bakker43b7e352011-01-18 15:27:19 +00004016{
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004017 int ret;
4018 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02004019
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004020 if( key_cert == NULL )
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02004021 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
4022
Mansour Moufidc531b4a2015-02-15 17:35:38 -05004023 key_cert->key = polarssl_malloc( sizeof(pk_context) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02004024 if( key_cert->key == NULL )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004025 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02004026
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004027 pk_init( key_cert->key );
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02004028
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004029 if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
4030 rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
4031 return( ret );
4032
4033 key_cert->cert = own_cert;
4034 key_cert->key_own_alloc = 1;
4035
Manuel Pégourié-Gonnardf427f882015-03-10 15:35:29 +00004036 return( 0 );
Paul Bakker43b7e352011-01-18 15:27:19 +00004037}
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +01004038#endif /* POLARSSL_DEPRECATED_REMOVED */
Paul Bakker7c6b2c32013-09-16 13:49:26 +02004039#endif /* POLARSSL_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00004040
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02004041#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Paul Bakker6db455e2013-09-18 17:29:31 +02004042int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
4043 const unsigned char *psk_identity, size_t psk_identity_len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02004044{
Paul Bakker6db455e2013-09-18 17:29:31 +02004045 if( psk == NULL || psk_identity == NULL )
4046 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4047
Manuel Pégourié-Gonnard481fcfd2014-07-03 16:12:50 +02004048 if( psk_len > POLARSSL_PSK_MAX_LEN )
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01004049 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4050
Manuel Pégourié-Gonnardf45850c2015-02-18 10:23:52 +00004051 if( ssl->psk != NULL || ssl->psk_identity != NULL )
Paul Bakker6db455e2013-09-18 17:29:31 +02004052 {
4053 polarssl_free( ssl->psk );
4054 polarssl_free( ssl->psk_identity );
4055 }
4056
Manuel Pégourié-Gonnardf45850c2015-02-18 10:23:52 +00004057 if( ( ssl->psk = polarssl_malloc( psk_len ) ) == NULL ||
4058 ( ssl->psk_identity = polarssl_malloc( psk_identity_len ) ) == NULL )
Mansour Moufidf81088b2015-02-17 13:10:21 -05004059 {
4060 polarssl_free( ssl->psk );
Manuel Pégourié-Gonnardf45850c2015-02-18 10:23:52 +00004061 ssl->psk = NULL;
Mansour Moufidf81088b2015-02-17 13:10:21 -05004062 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
4063 }
Paul Bakker6db455e2013-09-18 17:29:31 +02004064
Manuel Pégourié-Gonnardf45850c2015-02-18 10:23:52 +00004065 ssl->psk_len = psk_len;
4066 ssl->psk_identity_len = psk_identity_len;
4067
Paul Bakker6db455e2013-09-18 17:29:31 +02004068 memcpy( ssl->psk, psk, ssl->psk_len );
4069 memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
Paul Bakker5ad403f2013-09-18 21:21:30 +02004070
4071 return( 0 );
Paul Bakker6db455e2013-09-18 17:29:31 +02004072}
4073
4074void ssl_set_psk_cb( ssl_context *ssl,
4075 int (*f_psk)(void *, ssl_context *, const unsigned char *,
4076 size_t),
4077 void *p_psk )
4078{
4079 ssl->f_psk = f_psk;
4080 ssl->p_psk = p_psk;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02004081}
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02004082#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +00004083
Paul Bakker48916f92012-09-16 19:57:18 +00004084#if defined(POLARSSL_DHM_C)
Paul Bakkerff60ee62010-03-16 21:09:09 +00004085int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +00004086{
4087 int ret;
4088
Paul Bakker48916f92012-09-16 19:57:18 +00004089 if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004090 {
4091 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
4092 return( ret );
4093 }
4094
Paul Bakker48916f92012-09-16 19:57:18 +00004095 if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004096 {
4097 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
4098 return( ret );
4099 }
4100
4101 return( 0 );
4102}
4103
Paul Bakker1b57b062011-01-06 15:48:19 +00004104int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
4105{
4106 int ret;
4107
Paul Bakker66d5d072014-06-17 16:39:18 +02004108 if( ( ret = mpi_copy( &ssl->dhm_P, &dhm_ctx->P ) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +00004109 {
4110 SSL_DEBUG_RET( 1, "mpi_copy", ret );
4111 return( ret );
4112 }
4113
Paul Bakker66d5d072014-06-17 16:39:18 +02004114 if( ( ret = mpi_copy( &ssl->dhm_G, &dhm_ctx->G ) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +00004115 {
4116 SSL_DEBUG_RET( 1, "mpi_copy", ret );
4117 return( ret );
4118 }
4119
4120 return( 0 );
4121}
Paul Bakker48916f92012-09-16 19:57:18 +00004122#endif /* POLARSSL_DHM_C */
Paul Bakker1b57b062011-01-06 15:48:19 +00004123
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01004124#if defined(POLARSSL_SSL_SET_CURVES)
4125/*
4126 * Set the allowed elliptic curves
4127 */
4128void ssl_set_curves( ssl_context *ssl, const ecp_group_id *curve_list )
4129{
4130 ssl->curve_list = curve_list;
4131}
4132#endif
4133
Paul Bakker0be444a2013-08-27 21:55:01 +02004134#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakkerff60ee62010-03-16 21:09:09 +00004135int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +00004136{
4137 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +00004138 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00004139
4140 ssl->hostname_len = strlen( hostname );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02004141
4142 if( ssl->hostname_len + 1 == 0 )
4143 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4144
Mansour Moufidc531b4a2015-02-15 17:35:38 -05004145 ssl->hostname = polarssl_malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004146
Paul Bakkerb15b8512012-01-13 13:44:06 +00004147 if( ssl->hostname == NULL )
4148 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
4149
Paul Bakker3c2122f2013-06-24 19:03:14 +02004150 memcpy( ssl->hostname, (const unsigned char *) hostname,
Paul Bakker5121ce52009-01-03 21:22:43 +00004151 ssl->hostname_len );
Paul Bakkerf7abd422013-04-16 13:15:56 +02004152
Paul Bakker40ea7de2009-05-03 10:18:48 +00004153 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +00004154
4155 return( 0 );
4156}
4157
Paul Bakker5701cdc2012-09-27 21:49:42 +00004158void ssl_set_sni( ssl_context *ssl,
4159 int (*f_sni)(void *, ssl_context *,
4160 const unsigned char *, size_t),
4161 void *p_sni )
4162{
4163 ssl->f_sni = f_sni;
4164 ssl->p_sni = p_sni;
4165}
Paul Bakker0be444a2013-08-27 21:55:01 +02004166#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00004167
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004168#if defined(POLARSSL_SSL_ALPN)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004169int ssl_set_alpn_protocols( ssl_context *ssl, const char **protos )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004170{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004171 size_t cur_len, tot_len;
4172 const char **p;
4173
4174 /*
4175 * "Empty strings MUST NOT be included and byte strings MUST NOT be
4176 * truncated". Check lengths now rather than later.
4177 */
4178 tot_len = 0;
4179 for( p = protos; *p != NULL; p++ )
4180 {
4181 cur_len = strlen( *p );
4182 tot_len += cur_len;
4183
4184 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
4185 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4186 }
4187
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004188 ssl->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004189
4190 return( 0 );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004191}
4192
4193const char *ssl_get_alpn_protocol( const ssl_context *ssl )
4194{
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004195 return( ssl->alpn_chosen );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004196}
4197#endif /* POLARSSL_SSL_ALPN */
4198
Paul Bakker490ecc82011-10-06 13:04:09 +00004199void ssl_set_max_version( ssl_context *ssl, int major, int minor )
4200{
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004201 if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
4202 minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
4203 {
4204 ssl->max_major_ver = major;
4205 ssl->max_minor_ver = minor;
4206 }
Paul Bakker490ecc82011-10-06 13:04:09 +00004207}
4208
Paul Bakker1d29fb52012-09-28 13:28:45 +00004209void ssl_set_min_version( ssl_context *ssl, int major, int minor )
4210{
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004211 if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
4212 minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
4213 {
4214 ssl->min_major_ver = major;
4215 ssl->min_minor_ver = minor;
4216 }
Paul Bakker1d29fb52012-09-28 13:28:45 +00004217}
4218
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02004219#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
4220void ssl_set_fallback( ssl_context *ssl, char fallback )
4221{
4222 ssl->fallback = fallback;
4223}
4224#endif
4225
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01004226#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
4227void ssl_set_encrypt_then_mac( ssl_context *ssl, char etm )
4228{
4229 ssl->encrypt_then_mac = etm;
4230}
4231#endif
4232
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02004233#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
4234void ssl_set_extended_master_secret( ssl_context *ssl, char ems )
4235{
4236 ssl->extended_ms = ems;
4237}
4238#endif
4239
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01004240void ssl_set_arc4_support( ssl_context *ssl, char arc4 )
4241{
4242 ssl->arc4_disabled = arc4;
4243}
4244
Paul Bakker05decb22013-08-15 13:33:48 +02004245#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004246int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
4247{
Paul Bakker77e257e2013-12-16 15:29:52 +01004248 if( mfl_code >= SSL_MAX_FRAG_LEN_INVALID ||
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +02004249 mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004250 {
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +02004251 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004252 }
4253
4254 ssl->mfl_code = mfl_code;
4255
4256 return( 0 );
4257}
Paul Bakker05decb22013-08-15 13:33:48 +02004258#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004259
Paul Bakker1f2bc622013-08-15 13:45:55 +02004260#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Paul Bakker8c1ede62013-07-19 14:14:37 +02004261int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02004262{
Paul Bakker8c1ede62013-07-19 14:14:37 +02004263 ssl->trunc_hmac = truncate;
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02004264
4265 return( 0 );
4266}
Paul Bakker1f2bc622013-08-15 13:45:55 +02004267#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02004268
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01004269#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
4270void ssl_set_cbc_record_splitting( ssl_context *ssl, char split )
4271{
4272 ssl->split_done = split;
4273}
4274#endif
4275
Paul Bakker48916f92012-09-16 19:57:18 +00004276void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
4277{
4278 ssl->allow_legacy_renegotiation = allow_legacy;
4279}
4280
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004281#if defined(POLARSSL_SSL_RENEGOTIATION)
4282void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
4283{
4284 ssl->disable_renegotiation = renegotiation;
4285}
4286
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004287void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records )
4288{
4289 ssl->renego_max_records = max_records;
4290}
4291
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004292void ssl_set_renegotiation_period( ssl_context *ssl,
4293 const unsigned char period[8] )
4294{
4295 memcpy( ssl->renego_period, period, 8 );
4296}
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004297#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00004298
Paul Bakkera503a632013-08-14 13:48:06 +02004299#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004300int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
4301{
4302 ssl->session_tickets = use_tickets;
4303
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004304#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02004305 if( ssl->endpoint == SSL_IS_CLIENT )
4306 return( 0 );
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004307#endif
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02004308
Manuel Pégourié-Gonnard2457fa02014-11-21 09:23:11 +01004309 if( use_tickets == SSL_SESSION_TICKETS_DISABLED )
4310 return( 0 );
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02004311
4312 if( ssl->f_rng == NULL )
4313 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4314
4315 return( ssl_ticket_keys_init( ssl ) );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004316}
Paul Bakker606b4ba2013-08-14 16:52:14 +02004317
4318void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
4319{
4320 ssl->ticket_lifetime = lifetime;
4321}
Paul Bakkera503a632013-08-14 13:48:06 +02004322#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004323
Paul Bakker5121ce52009-01-03 21:22:43 +00004324/*
4325 * SSL get accessors
4326 */
4327size_t ssl_get_bytes_avail( const ssl_context *ssl )
4328{
4329 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4330}
4331
Paul Bakkerff60ee62010-03-16 21:09:09 +00004332int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004333{
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00004334 if( ssl->session != NULL )
4335 return( ssl->session->verify_result );
4336
4337 if( ssl->session_negotiate != NULL )
4338 return( ssl->session_negotiate->verify_result );
4339
4340 return( -1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004341}
4342
Paul Bakkere3166ce2011-01-27 17:40:50 +00004343const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +00004344{
Paul Bakker926c8e42013-03-06 10:23:34 +01004345 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004346 return( NULL );
Paul Bakker926c8e42013-03-06 10:23:34 +01004347
Paul Bakkere3166ce2011-01-27 17:40:50 +00004348 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +00004349}
4350
Paul Bakker43ca69c2011-01-15 17:35:19 +00004351const char *ssl_get_version( const ssl_context *ssl )
4352{
4353 switch( ssl->minor_ver )
4354 {
4355 case SSL_MINOR_VERSION_0:
4356 return( "SSLv3.0" );
4357
4358 case SSL_MINOR_VERSION_1:
4359 return( "TLSv1.0" );
4360
4361 case SSL_MINOR_VERSION_2:
4362 return( "TLSv1.1" );
4363
Paul Bakker1ef83d62012-04-11 12:09:53 +00004364 case SSL_MINOR_VERSION_3:
4365 return( "TLSv1.2" );
4366
Paul Bakker43ca69c2011-01-15 17:35:19 +00004367 default:
4368 break;
4369 }
4370 return( "unknown" );
4371}
4372
Paul Bakker7c6b2c32013-09-16 13:49:26 +02004373#if defined(POLARSSL_X509_CRT_PARSE_C)
Paul Bakkerc559c7a2013-09-18 14:13:26 +02004374const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
Paul Bakkerb0550d92012-10-30 07:51:03 +00004375{
4376 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004377 return( NULL );
Paul Bakkerb0550d92012-10-30 07:51:03 +00004378
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004379 return( ssl->session->peer_cert );
Paul Bakkerb0550d92012-10-30 07:51:03 +00004380}
Paul Bakker7c6b2c32013-09-16 13:49:26 +02004381#endif /* POLARSSL_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00004382
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004383#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004384int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
4385{
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004386 if( ssl == NULL ||
4387 dst == NULL ||
4388 ssl->session == NULL ||
4389 ssl->endpoint != SSL_IS_CLIENT )
4390 {
4391 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4392 }
4393
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02004394 return( ssl_session_copy( dst, ssl->session ) );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004395}
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004396#endif /* POLARSSL_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004397
Paul Bakker5121ce52009-01-03 21:22:43 +00004398/*
Paul Bakker1961b702013-01-25 14:49:24 +01004399 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00004400 */
Paul Bakker1961b702013-01-25 14:49:24 +01004401int ssl_handshake_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004402{
Paul Bakker40e46942009-01-03 21:51:57 +00004403 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +00004404
Paul Bakker40e46942009-01-03 21:51:57 +00004405#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00004406 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker1961b702013-01-25 14:49:24 +01004407 ret = ssl_handshake_client_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00004408#endif
Paul Bakker40e46942009-01-03 21:51:57 +00004409#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00004410 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker1961b702013-01-25 14:49:24 +01004411 ret = ssl_handshake_server_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00004412#endif
4413
Paul Bakker1961b702013-01-25 14:49:24 +01004414 return( ret );
4415}
4416
4417/*
4418 * Perform the SSL handshake
4419 */
4420int ssl_handshake( ssl_context *ssl )
4421{
4422 int ret = 0;
4423
4424 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
4425
4426 while( ssl->state != SSL_HANDSHAKE_OVER )
4427 {
4428 ret = ssl_handshake_step( ssl );
4429
4430 if( ret != 0 )
4431 break;
4432 }
4433
Paul Bakker5121ce52009-01-03 21:22:43 +00004434 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
4435
4436 return( ret );
4437}
4438
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004439#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004440#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00004441/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004442 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +00004443 */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004444static int ssl_write_hello_request( ssl_context *ssl )
4445{
4446 int ret;
4447
4448 SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
4449
4450 ssl->out_msglen = 4;
4451 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
4452 ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
4453
4454 if( ( ret = ssl_write_record( ssl ) ) != 0 )
4455 {
4456 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4457 return( ret );
4458 }
4459
4460 SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4461
4462 return( 0 );
4463}
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004464#endif /* POLARSSL_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004465
4466/*
4467 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +02004468 * - any side: calling ssl_renegotiate(),
4469 * - client: receiving a HelloRequest during ssl_read(),
4470 * - server: receiving any handshake message on server during ssl_read() after
4471 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004472 * If the handshake doesn't complete due to waiting for I/O, it will continue
4473 * during the next calls to ssl_renegotiate() or ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004474 */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004475static int ssl_start_renegotiation( ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00004476{
4477 int ret;
4478
4479 SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4480
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004481 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4482 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00004483
4484 ssl->state = SSL_HELLO_REQUEST;
4485 ssl->renegotiation = SSL_RENEGOTIATION;
4486
Paul Bakker48916f92012-09-16 19:57:18 +00004487 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4488 {
4489 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4490 return( ret );
4491 }
4492
4493 SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4494
4495 return( 0 );
4496}
4497
4498/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004499 * Renegotiate current connection on client,
4500 * or request renegotiation on server
4501 */
4502int ssl_renegotiate( ssl_context *ssl )
4503{
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004504 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004505
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004506#if defined(POLARSSL_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004507 /* On server, just send the request */
4508 if( ssl->endpoint == SSL_IS_SERVER )
4509 {
4510 if( ssl->state != SSL_HANDSHAKE_OVER )
4511 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4512
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02004513 ssl->renegotiation = SSL_RENEGOTIATION_PENDING;
4514
4515 /* Did we already try/start sending HelloRequest? */
4516 if( ssl->out_left != 0 )
4517 return( ssl_flush_output( ssl ) );
4518
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004519 return( ssl_write_hello_request( ssl ) );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004520 }
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004521#endif /* POLARSSL_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004522
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004523#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004524 /*
4525 * On client, either start the renegotiation process or,
4526 * if already in progress, continue the handshake
4527 */
4528 if( ssl->renegotiation != SSL_RENEGOTIATION )
4529 {
4530 if( ssl->state != SSL_HANDSHAKE_OVER )
4531 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4532
4533 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4534 {
4535 SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4536 return( ret );
4537 }
4538 }
4539 else
4540 {
4541 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4542 {
4543 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4544 return( ret );
4545 }
4546 }
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004547#endif /* POLARSSL_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004548
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004549 return( ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004550}
4551
4552/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004553 * Check record counters and renegotiate if they're above the limit.
4554 */
4555static int ssl_check_ctr_renegotiate( ssl_context *ssl )
4556{
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004557 if( ssl->state != SSL_HANDSHAKE_OVER ||
4558 ssl->renegotiation == SSL_RENEGOTIATION_PENDING ||
4559 ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED )
4560 {
4561 return( 0 );
4562 }
4563
4564 // TODO: adapt for DTLS
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004565 if( memcmp( ssl->in_ctr, ssl->renego_period, 8 ) <= 0 &&
4566 memcmp( ssl->out_ctr, ssl->renego_period, 8 ) <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004567 {
4568 return( 0 );
4569 }
4570
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004571 SSL_DEBUG_MSG( 0, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004572 return( ssl_renegotiate( ssl ) );
4573}
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004574#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00004575
4576/*
4577 * Receive application data decrypted from the SSL layer
4578 */
Paul Bakker23986e52011-04-24 08:57:21 +00004579int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00004580{
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004581 int ret, record_read = 0;
Paul Bakker23986e52011-04-24 08:57:21 +00004582 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +00004583
4584 SSL_DEBUG_MSG( 2, ( "=> read" ) );
4585
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004586#if defined(POLARSSL_SSL_RENEGOTIATION)
4587 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
4588 {
4589 SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
4590 return( ret );
4591 }
4592#endif
4593
Paul Bakker5121ce52009-01-03 21:22:43 +00004594 if( ssl->state != SSL_HANDSHAKE_OVER )
4595 {
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004596 ret = ssl_handshake( ssl );
4597 if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
4598 {
4599 record_read = 1;
4600 }
4601 else if( ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004602 {
4603 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4604 return( ret );
4605 }
4606 }
4607
4608 if( ssl->in_offt == NULL )
4609 {
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004610 if( ! record_read )
Paul Bakker5121ce52009-01-03 21:22:43 +00004611 {
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004612 if( ( ret = ssl_read_record( ssl ) ) != 0 )
4613 {
4614 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4615 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +00004616
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004617 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4618 return( ret );
4619 }
Paul Bakker5121ce52009-01-03 21:22:43 +00004620 }
4621
4622 if( ssl->in_msglen == 0 &&
4623 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
4624 {
4625 /*
4626 * OpenSSL sends empty messages to randomize the IV
4627 */
4628 if( ( ret = ssl_read_record( ssl ) ) != 0 )
4629 {
Paul Bakker831a7552011-05-18 13:32:51 +00004630 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4631 return( 0 );
4632
Paul Bakker5121ce52009-01-03 21:22:43 +00004633 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4634 return( ret );
4635 }
4636 }
4637
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004638#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00004639 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4640 {
4641 SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4642
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004643#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker48916f92012-09-16 19:57:18 +00004644 if( ssl->endpoint == SSL_IS_CLIENT &&
4645 ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4646 ssl->in_hslen != 4 ) )
4647 {
4648 SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4649 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
4650 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004651#endif
Paul Bakker48916f92012-09-16 19:57:18 +00004652
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00004653 if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
4654 ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02004655 ssl->allow_legacy_renegotiation ==
4656 SSL_LEGACY_NO_RENEGOTIATION ) )
Paul Bakker48916f92012-09-16 19:57:18 +00004657 {
4658 SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4659
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004660#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00004661 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +00004662 {
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00004663 /*
4664 * SSLv3 does not have a "no_renegotiation" alert
4665 */
4666 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4667 return( ret );
4668 }
4669 else
Paul Bakker9af723c2014-05-01 13:03:14 +02004670#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004671#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4672 defined(POLARSSL_SSL_PROTO_TLS1_2)
4673 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00004674 {
4675 if( ( ret = ssl_send_alert_message( ssl,
4676 SSL_ALERT_LEVEL_WARNING,
4677 SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
4678 {
4679 return( ret );
4680 }
Paul Bakker48916f92012-09-16 19:57:18 +00004681 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004682 else
Paul Bakker9af723c2014-05-01 13:03:14 +02004683#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 ||
4684 POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02004685 {
4686 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02004687 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02004688 }
Paul Bakker48916f92012-09-16 19:57:18 +00004689 }
4690 else
4691 {
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004692 ret = ssl_start_renegotiation( ssl );
4693 if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
4694 {
4695 record_read = 1;
4696 }
4697 else if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00004698 {
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004699 SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
Paul Bakker48916f92012-09-16 19:57:18 +00004700 return( ret );
4701 }
Paul Bakker48916f92012-09-16 19:57:18 +00004702 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +02004703
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004704 /* If a non-handshake record was read during renego, fallthrough,
4705 * else tell the user they should call ssl_read() again */
4706 if( ! record_read )
4707 return( POLARSSL_ERR_NET_WANT_READ );
Paul Bakker48916f92012-09-16 19:57:18 +00004708 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +01004709 else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4710 {
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004711 ssl->renego_records_seen++;
4712
4713 if( ssl->renego_max_records >= 0 &&
4714 ssl->renego_records_seen > ssl->renego_max_records )
4715 {
4716 SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4717 "but not honored by client" ) );
4718 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
4719 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +01004720 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004721#endif /* POLARSSL_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +02004722
4723 /* Fatal and closure alerts handled by ssl_read_record() */
4724 if( ssl->in_msgtype == SSL_MSG_ALERT )
4725 {
4726 SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
4727 return( POLARSSL_ERR_NET_WANT_READ );
4728 }
4729
4730 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +00004731 {
4732 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00004733 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00004734 }
4735
4736 ssl->in_offt = ssl->in_msg;
4737 }
4738
4739 n = ( len < ssl->in_msglen )
4740 ? len : ssl->in_msglen;
4741
4742 memcpy( buf, ssl->in_offt, n );
4743 ssl->in_msglen -= n;
4744
4745 if( ssl->in_msglen == 0 )
4746 /* all bytes consumed */
4747 ssl->in_offt = NULL;
4748 else
4749 /* more data available */
4750 ssl->in_offt += n;
4751
4752 SSL_DEBUG_MSG( 2, ( "<= read" ) );
4753
Paul Bakker23986e52011-04-24 08:57:21 +00004754 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00004755}
4756
4757/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02004758 * Send application data to be encrypted by the SSL layer,
4759 * taking care of max fragment length and buffer size
Paul Bakker5121ce52009-01-03 21:22:43 +00004760 */
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02004761static int ssl_write_real( ssl_context *ssl,
4762 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00004763{
Paul Bakker23986e52011-04-24 08:57:21 +00004764 int ret;
4765 size_t n;
Paul Bakker05decb22013-08-15 13:33:48 +02004766 unsigned int max_len = SSL_MAX_CONTENT_LEN;
Paul Bakker5121ce52009-01-03 21:22:43 +00004767
Paul Bakker05decb22013-08-15 13:33:48 +02004768#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +02004769 /*
4770 * Assume mfl_code is correct since it was checked when set
4771 */
4772 max_len = mfl_code_to_length[ssl->mfl_code];
4773
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02004774 /*
Paul Bakker05decb22013-08-15 13:33:48 +02004775 * Check if a smaller max length was negotiated
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02004776 */
4777 if( ssl->session_out != NULL &&
4778 mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4779 {
4780 max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4781 }
Paul Bakker05decb22013-08-15 13:33:48 +02004782#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02004783
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +02004784 n = ( len < max_len) ? len : max_len;
Paul Bakker887bd502011-06-08 13:10:54 +00004785
Paul Bakker5121ce52009-01-03 21:22:43 +00004786 if( ssl->out_left != 0 )
4787 {
4788 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4789 {
4790 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4791 return( ret );
4792 }
4793 }
Paul Bakker887bd502011-06-08 13:10:54 +00004794 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +00004795 {
Paul Bakker887bd502011-06-08 13:10:54 +00004796 ssl->out_msglen = n;
4797 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
4798 memcpy( ssl->out_msg, buf, n );
4799
4800 if( ( ret = ssl_write_record( ssl ) ) != 0 )
4801 {
4802 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4803 return( ret );
4804 }
Paul Bakker5121ce52009-01-03 21:22:43 +00004805 }
4806
Paul Bakker23986e52011-04-24 08:57:21 +00004807 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00004808}
4809
4810/*
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004811 * Write application data, doing 1/n-1 splitting if necessary.
4812 *
4813 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01004814 * then the caller will call us again with the same arguments, so
4815 * remember wether we already did the split or not.
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004816 */
4817#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02004818static int ssl_write_split( ssl_context *ssl,
4819 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004820{
4821 int ret;
4822
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01004823 if( ssl->split_done == SSL_CBC_RECORD_SPLITTING_DISABLED ||
4824 len <= 1 ||
4825 ssl->minor_ver > SSL_MINOR_VERSION_1 ||
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004826 cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
4827 != POLARSSL_MODE_CBC )
4828 {
4829 return( ssl_write_real( ssl, buf, len ) );
4830 }
4831
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01004832 if( ssl->split_done == 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004833 {
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01004834 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004835 return( ret );
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01004836 ssl->split_done = 1;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004837 }
4838
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01004839 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
4840 return( ret );
4841 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004842
4843 return( ret + 1 );
4844}
4845#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
4846
4847/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02004848 * Write application data (public-facing wrapper)
4849 */
4850int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4851{
4852 int ret;
4853
4854 SSL_DEBUG_MSG( 2, ( "=> write" ) );
4855
4856#if defined(POLARSSL_SSL_RENEGOTIATION)
4857 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
4858 {
4859 SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
4860 return( ret );
4861 }
4862#endif
4863
4864 if( ssl->state != SSL_HANDSHAKE_OVER )
4865 {
4866 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4867 {
4868 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4869 return( ret );
4870 }
4871 }
4872
4873#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
4874 ret = ssl_write_split( ssl, buf, len );
4875#else
4876 ret = ssl_write_real( ssl, buf, len );
4877#endif
4878
4879 SSL_DEBUG_MSG( 2, ( "<= write" ) );
4880
4881 return( ret );
4882}
4883
4884/*
Paul Bakker5121ce52009-01-03 21:22:43 +00004885 * Notify the peer that the connection is being closed
4886 */
4887int ssl_close_notify( ssl_context *ssl )
4888{
4889 int ret;
4890
4891 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4892
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +02004893 if( ssl->out_left != 0 )
4894 return( ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00004895
4896 if( ssl->state == SSL_HANDSHAKE_OVER )
4897 {
Paul Bakker48916f92012-09-16 19:57:18 +00004898 if( ( ret = ssl_send_alert_message( ssl,
4899 SSL_ALERT_LEVEL_WARNING,
4900 SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004901 {
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +02004902 SSL_DEBUG_RET( 1, "ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00004903 return( ret );
4904 }
4905 }
4906
4907 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4908
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +02004909 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004910}
4911
Paul Bakker48916f92012-09-16 19:57:18 +00004912void ssl_transform_free( ssl_transform *transform )
4913{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004914 if( transform == NULL )
4915 return;
4916
Paul Bakker48916f92012-09-16 19:57:18 +00004917#if defined(POLARSSL_ZLIB_SUPPORT)
4918 deflateEnd( &transform->ctx_deflate );
4919 inflateEnd( &transform->ctx_inflate );
4920#endif
4921
Paul Bakker84bbeb52014-07-01 14:53:22 +02004922 cipher_free( &transform->cipher_ctx_enc );
4923 cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +02004924
Paul Bakker84bbeb52014-07-01 14:53:22 +02004925 md_free( &transform->md_ctx_enc );
4926 md_free( &transform->md_ctx_dec );
Paul Bakker61d113b2013-07-04 11:51:43 +02004927
Paul Bakker34617722014-06-13 17:20:13 +02004928 polarssl_zeroize( transform, sizeof( ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +00004929}
4930
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02004931#if defined(POLARSSL_X509_CRT_PARSE_C)
4932static void ssl_key_cert_free( ssl_key_cert *key_cert )
4933{
4934 ssl_key_cert *cur = key_cert, *next;
4935
4936 while( cur != NULL )
4937 {
4938 next = cur->next;
4939
4940 if( cur->key_own_alloc )
4941 {
4942 pk_free( cur->key );
4943 polarssl_free( cur->key );
4944 }
4945 polarssl_free( cur );
4946
4947 cur = next;
4948 }
4949}
4950#endif /* POLARSSL_X509_CRT_PARSE_C */
4951
Paul Bakker48916f92012-09-16 19:57:18 +00004952void ssl_handshake_free( ssl_handshake_params *handshake )
4953{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004954 if( handshake == NULL )
4955 return;
4956
Paul Bakker48916f92012-09-16 19:57:18 +00004957#if defined(POLARSSL_DHM_C)
4958 dhm_free( &handshake->dhm_ctx );
4959#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02004960#if defined(POLARSSL_ECDH_C)
4961 ecdh_free( &handshake->ecdh_ctx );
4962#endif
4963
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02004964#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker9af723c2014-05-01 13:03:14 +02004965 /* explicit void pointer cast for buggy MS compiler */
4966 polarssl_free( (void *) handshake->curves );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02004967#endif
4968
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02004969#if defined(POLARSSL_X509_CRT_PARSE_C) && \
4970 defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4971 /*
4972 * Free only the linked list wrapper, not the keys themselves
4973 * since the belong to the SNI callback
4974 */
4975 if( handshake->sni_key_cert != NULL )
4976 {
4977 ssl_key_cert *cur = handshake->sni_key_cert, *next;
4978
4979 while( cur != NULL )
4980 {
4981 next = cur->next;
4982 polarssl_free( cur );
4983 cur = next;
4984 }
4985 }
Paul Bakker9af723c2014-05-01 13:03:14 +02004986#endif /* POLARSSL_X509_CRT_PARSE_C && POLARSSL_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02004987
Paul Bakker34617722014-06-13 17:20:13 +02004988 polarssl_zeroize( handshake, sizeof( ssl_handshake_params ) );
Paul Bakker48916f92012-09-16 19:57:18 +00004989}
4990
4991void ssl_session_free( ssl_session *session )
4992{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004993 if( session == NULL )
4994 return;
4995
Paul Bakker7c6b2c32013-09-16 13:49:26 +02004996#if defined(POLARSSL_X509_CRT_PARSE_C)
Paul Bakker0a597072012-09-25 21:55:46 +00004997 if( session->peer_cert != NULL )
Paul Bakker48916f92012-09-16 19:57:18 +00004998 {
Paul Bakker7c6b2c32013-09-16 13:49:26 +02004999 x509_crt_free( session->peer_cert );
Paul Bakker6e339b52013-07-03 13:37:05 +02005000 polarssl_free( session->peer_cert );
Paul Bakker48916f92012-09-16 19:57:18 +00005001 }
Paul Bakkered27a042013-04-18 22:46:23 +02005002#endif
Paul Bakker0a597072012-09-25 21:55:46 +00005003
Paul Bakkera503a632013-08-14 13:48:06 +02005004#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02005005 polarssl_free( session->ticket );
Paul Bakkera503a632013-08-14 13:48:06 +02005006#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02005007
Paul Bakker34617722014-06-13 17:20:13 +02005008 polarssl_zeroize( session, sizeof( ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005009}
5010
Paul Bakker5121ce52009-01-03 21:22:43 +00005011/*
5012 * Free an SSL context
5013 */
5014void ssl_free( ssl_context *ssl )
5015{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005016 if( ssl == NULL )
5017 return;
5018
Paul Bakker5121ce52009-01-03 21:22:43 +00005019 SSL_DEBUG_MSG( 2, ( "=> free" ) );
5020
Paul Bakker5121ce52009-01-03 21:22:43 +00005021 if( ssl->out_ctr != NULL )
5022 {
Paul Bakker34617722014-06-13 17:20:13 +02005023 polarssl_zeroize( ssl->out_ctr, SSL_BUFFER_LEN );
Paul Bakker6e339b52013-07-03 13:37:05 +02005024 polarssl_free( ssl->out_ctr );
Paul Bakker5121ce52009-01-03 21:22:43 +00005025 }
5026
5027 if( ssl->in_ctr != NULL )
5028 {
Paul Bakker34617722014-06-13 17:20:13 +02005029 polarssl_zeroize( ssl->in_ctr, SSL_BUFFER_LEN );
Paul Bakker6e339b52013-07-03 13:37:05 +02005030 polarssl_free( ssl->in_ctr );
Paul Bakker5121ce52009-01-03 21:22:43 +00005031 }
5032
Paul Bakker16770332013-10-11 09:59:44 +02005033#if defined(POLARSSL_ZLIB_SUPPORT)
5034 if( ssl->compress_buf != NULL )
5035 {
Paul Bakker34617722014-06-13 17:20:13 +02005036 polarssl_zeroize( ssl->compress_buf, SSL_BUFFER_LEN );
Paul Bakker16770332013-10-11 09:59:44 +02005037 polarssl_free( ssl->compress_buf );
5038 }
5039#endif
5040
Paul Bakker40e46942009-01-03 21:51:57 +00005041#if defined(POLARSSL_DHM_C)
Paul Bakker48916f92012-09-16 19:57:18 +00005042 mpi_free( &ssl->dhm_P );
5043 mpi_free( &ssl->dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +00005044#endif
5045
Paul Bakker48916f92012-09-16 19:57:18 +00005046 if( ssl->transform )
5047 {
5048 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02005049 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00005050 }
5051
5052 if( ssl->handshake )
5053 {
5054 ssl_handshake_free( ssl->handshake );
5055 ssl_transform_free( ssl->transform_negotiate );
5056 ssl_session_free( ssl->session_negotiate );
5057
Paul Bakker6e339b52013-07-03 13:37:05 +02005058 polarssl_free( ssl->handshake );
5059 polarssl_free( ssl->transform_negotiate );
5060 polarssl_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00005061 }
5062
Paul Bakkerc0463502013-02-14 11:19:38 +01005063 if( ssl->session )
5064 {
5065 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02005066 polarssl_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01005067 }
5068
Paul Bakkera503a632013-08-14 13:48:06 +02005069#if defined(POLARSSL_SSL_SESSION_TICKETS)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02005070 if( ssl->ticket_keys )
5071 {
5072 ssl_ticket_keys_free( ssl->ticket_keys );
5073 polarssl_free( ssl->ticket_keys );
5074 }
Paul Bakkera503a632013-08-14 13:48:06 +02005075#endif
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02005076
Paul Bakker0be444a2013-08-27 21:55:01 +02005077#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakker66d5d072014-06-17 16:39:18 +02005078 if( ssl->hostname != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00005079 {
Paul Bakker34617722014-06-13 17:20:13 +02005080 polarssl_zeroize( ssl->hostname, ssl->hostname_len );
Paul Bakker6e339b52013-07-03 13:37:05 +02005081 polarssl_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +00005082 ssl->hostname_len = 0;
5083 }
Paul Bakker0be444a2013-08-27 21:55:01 +02005084#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00005085
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02005086#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Paul Bakker6db455e2013-09-18 17:29:31 +02005087 if( ssl->psk != NULL )
5088 {
Paul Bakker34617722014-06-13 17:20:13 +02005089 polarssl_zeroize( ssl->psk, ssl->psk_len );
5090 polarssl_zeroize( ssl->psk_identity, ssl->psk_identity_len );
Paul Bakker6db455e2013-09-18 17:29:31 +02005091 polarssl_free( ssl->psk );
5092 polarssl_free( ssl->psk_identity );
5093 ssl->psk_len = 0;
5094 ssl->psk_identity_len = 0;
5095 }
5096#endif
5097
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02005098#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005099 ssl_key_cert_free( ssl->key_cert );
5100#endif
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02005101
Paul Bakker05ef8352012-05-08 09:17:57 +00005102#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
5103 if( ssl_hw_record_finish != NULL )
5104 {
5105 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
5106 ssl_hw_record_finish( ssl );
5107 }
5108#endif
5109
Paul Bakker5121ce52009-01-03 21:22:43 +00005110 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +00005111
Paul Bakker86f04f42013-02-14 11:20:09 +01005112 /* Actually clear after last debug message */
Paul Bakker34617722014-06-13 17:20:13 +02005113 polarssl_zeroize( ssl, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005114}
5115
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005116#if defined(POLARSSL_PK_C)
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005117/*
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005118 * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005119 */
5120unsigned char ssl_sig_from_pk( pk_context *pk )
5121{
5122#if defined(POLARSSL_RSA_C)
5123 if( pk_can_do( pk, POLARSSL_PK_RSA ) )
5124 return( SSL_SIG_RSA );
5125#endif
5126#if defined(POLARSSL_ECDSA_C)
5127 if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
5128 return( SSL_SIG_ECDSA );
5129#endif
5130 return( SSL_SIG_ANON );
5131}
5132
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005133pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
5134{
5135 switch( sig )
5136 {
5137#if defined(POLARSSL_RSA_C)
5138 case SSL_SIG_RSA:
5139 return( POLARSSL_PK_RSA );
5140#endif
5141#if defined(POLARSSL_ECDSA_C)
5142 case SSL_SIG_ECDSA:
5143 return( POLARSSL_PK_ECDSA );
5144#endif
5145 default:
5146 return( POLARSSL_PK_NONE );
5147 }
5148}
Paul Bakker9af723c2014-05-01 13:03:14 +02005149#endif /* POLARSSL_PK_C */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005150
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005151/*
5152 * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
5153 */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005154md_type_t ssl_md_alg_from_hash( unsigned char hash )
5155{
5156 switch( hash )
5157 {
5158#if defined(POLARSSL_MD5_C)
5159 case SSL_HASH_MD5:
5160 return( POLARSSL_MD_MD5 );
5161#endif
5162#if defined(POLARSSL_SHA1_C)
5163 case SSL_HASH_SHA1:
5164 return( POLARSSL_MD_SHA1 );
5165#endif
5166#if defined(POLARSSL_SHA256_C)
5167 case SSL_HASH_SHA224:
5168 return( POLARSSL_MD_SHA224 );
5169 case SSL_HASH_SHA256:
5170 return( POLARSSL_MD_SHA256 );
5171#endif
5172#if defined(POLARSSL_SHA512_C)
5173 case SSL_HASH_SHA384:
5174 return( POLARSSL_MD_SHA384 );
5175 case SSL_HASH_SHA512:
5176 return( POLARSSL_MD_SHA512 );
5177#endif
5178 default:
5179 return( POLARSSL_MD_NONE );
5180 }
5181}
5182
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005183#if defined(POLARSSL_SSL_SET_CURVES)
5184/*
5185 * Check is a curve proposed by the peer is in our list.
5186 * Return 1 if we're willing to use it, 0 otherwise.
5187 */
5188int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
5189{
5190 const ecp_group_id *gid;
5191
5192 for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
5193 if( *gid == grp_id )
5194 return( 1 );
5195
5196 return( 0 );
5197}
Paul Bakker9af723c2014-05-01 13:03:14 +02005198#endif /* POLARSSL_SSL_SET_CURVES */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005199
Paul Bakkerd6ad8e92014-04-09 17:24:14 +02005200#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005201int ssl_check_cert_usage( const x509_crt *cert,
5202 const ssl_ciphersuite_t *ciphersuite,
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005203 int cert_endpoint,
5204 int *flags )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005205{
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005206 int ret = 0;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005207#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
5208 int usage = 0;
5209#endif
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005210#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
5211 const char *ext_oid;
5212 size_t ext_len;
5213#endif
5214
5215#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
5216 !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
5217 ((void) cert);
5218 ((void) cert_endpoint);
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005219 ((void) flags);
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005220#endif
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005221
5222#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
5223 if( cert_endpoint == SSL_IS_SERVER )
5224 {
5225 /* Server part of the key exchange */
5226 switch( ciphersuite->key_exchange )
5227 {
5228 case POLARSSL_KEY_EXCHANGE_RSA:
5229 case POLARSSL_KEY_EXCHANGE_RSA_PSK:
5230 usage = KU_KEY_ENCIPHERMENT;
5231 break;
5232
5233 case POLARSSL_KEY_EXCHANGE_DHE_RSA:
5234 case POLARSSL_KEY_EXCHANGE_ECDHE_RSA:
5235 case POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA:
5236 usage = KU_DIGITAL_SIGNATURE;
5237 break;
5238
5239 case POLARSSL_KEY_EXCHANGE_ECDH_RSA:
5240 case POLARSSL_KEY_EXCHANGE_ECDH_ECDSA:
5241 usage = KU_KEY_AGREEMENT;
5242 break;
5243
5244 /* Don't use default: we want warnings when adding new values */
5245 case POLARSSL_KEY_EXCHANGE_NONE:
5246 case POLARSSL_KEY_EXCHANGE_PSK:
5247 case POLARSSL_KEY_EXCHANGE_DHE_PSK:
5248 case POLARSSL_KEY_EXCHANGE_ECDHE_PSK:
5249 usage = 0;
5250 }
5251 }
5252 else
5253 {
5254 /* Client auth: we only implement rsa_sign and ecdsa_sign for now */
5255 usage = KU_DIGITAL_SIGNATURE;
5256 }
5257
5258 if( x509_crt_check_key_usage( cert, usage ) != 0 )
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005259 {
5260 *flags |= BADCERT_KEY_USAGE;
5261 ret = -1;
5262 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005263#else
5264 ((void) ciphersuite);
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005265#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
5266
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005267#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
5268 if( cert_endpoint == SSL_IS_SERVER )
5269 {
5270 ext_oid = OID_SERVER_AUTH;
5271 ext_len = OID_SIZE( OID_SERVER_AUTH );
5272 }
5273 else
5274 {
5275 ext_oid = OID_CLIENT_AUTH;
5276 ext_len = OID_SIZE( OID_CLIENT_AUTH );
5277 }
5278
5279 if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005280 {
5281 *flags |= BADCERT_EXT_KEY_USAGE;
5282 ret = -1;
5283 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005284#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
5285
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005286 return( ret );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005287}
Paul Bakkerd6ad8e92014-04-09 17:24:14 +02005288#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard3a306b92014-04-29 15:11:17 +02005289
5290#endif /* POLARSSL_SSL_TLS_C */