TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e471cd14bd8f36733424fca97d2442a9c135387c / . / library / ssl_tls.c
blob: 8ee2d0800dcdb1ca9804bff83fddcc8afc15e4bb [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45#include <stdlib.h>
46#include <time.h>
47
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]48#if defined _MSC_VER && !defined strcasecmp
49#define strcasecmp _stricmp
50#endif
51
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]52/*
53 * Key material generation
54 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]55static int tls1_prf( unsigned char *secret, size_t slen, char *label,
56 unsigned char *random, size_t rlen,
57 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]59 size_t nb, hs;
60 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61 unsigned char *S1, *S2;
62 unsigned char tmp[128];
63 unsigned char h_i[20];
64
65 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]66 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67
68 hs = ( slen + 1 ) / 2;
69 S1 = secret;
70 S2 = secret + slen - hs;
71
72 nb = strlen( label );
73 memcpy( tmp + 20, label, nb );
74 memcpy( tmp + 20 + nb, random, rlen );
75 nb += rlen;
76
77 /*
78 * First compute P_md5(secret,label+random)[0..dlen]
79 */
80 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
81
82 for( i = 0; i < dlen; i += 16 )
83 {
84 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
85 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
86
87 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
88
89 for( j = 0; j < k; j++ )
90 dstbuf[i + j] = h_i[j];
91 }
92
93 /*
94 * XOR out with P_sha1(secret,label+random)[0..dlen]
95 */
96 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
97
98 for( i = 0; i < dlen; i += 20 )
99 {
100 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
101 sha1_hmac( S2, hs, tmp, 20, tmp );
102
103 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
104
105 for( j = 0; j < k; j++ )
106 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
107 }
108
109 memset( tmp, 0, sizeof( tmp ) );
110 memset( h_i, 0, sizeof( h_i ) );
111
112 return( 0 );
113}
114
115int ssl_derive_keys( ssl_context *ssl )
116{
117 int i;
118 md5_context md5;
119 sha1_context sha1;
120 unsigned char tmp[64];
121 unsigned char padding[16];
122 unsigned char sha1sum[20];
123 unsigned char keyblk[256];
124 unsigned char *key1;
125 unsigned char *key2;
126
127 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
128
129 /*
130 * SSLv3:
131 * master =
132 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
133 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
134 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
135 *
136 * TLSv1:
137 * master = PRF( premaster, "master secret", randbytes )[0..47]
138 */
139 if( ssl->resume == 0 )
140 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]141 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]142
143 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
144
145 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
146 {
147 for( i = 0; i < 3; i++ )
148 {
149 memset( padding, 'A' + i, 1 + i );
150
151 sha1_starts( &sha1 );
152 sha1_update( &sha1, padding, 1 + i );
153 sha1_update( &sha1, ssl->premaster, len );
154 sha1_update( &sha1, ssl->randbytes, 64 );
155 sha1_finish( &sha1, sha1sum );
156
157 md5_starts( &md5 );
158 md5_update( &md5, ssl->premaster, len );
159 md5_update( &md5, sha1sum, 20 );
160 md5_finish( &md5, ssl->session->master + i * 16 );
161 }
162 }
163 else
164 tls1_prf( ssl->premaster, len, "master secret",
165 ssl->randbytes, 64, ssl->session->master, 48 );
166
167 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
168 }
169 else
170 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
171
172 /*
173 * Swap the client and server random values.
174 */
175 memcpy( tmp, ssl->randbytes, 64 );
176 memcpy( ssl->randbytes, tmp + 32, 32 );
177 memcpy( ssl->randbytes + 32, tmp, 32 );
178 memset( tmp, 0, sizeof( tmp ) );
179
180 /*
181 * SSLv3:
182 * key block =
183 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
184 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
185 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
186 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
187 * ...
188 *
189 * TLSv1:
190 * key block = PRF( master, "key expansion", randbytes )
191 */
192 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
193 {
194 for( i = 0; i < 16; i++ )
195 {
196 memset( padding, 'A' + i, 1 + i );
197
198 sha1_starts( &sha1 );
199 sha1_update( &sha1, padding, 1 + i );
200 sha1_update( &sha1, ssl->session->master, 48 );
201 sha1_update( &sha1, ssl->randbytes, 64 );
202 sha1_finish( &sha1, sha1sum );
203
204 md5_starts( &md5 );
205 md5_update( &md5, ssl->session->master, 48 );
206 md5_update( &md5, sha1sum, 20 );
207 md5_finish( &md5, keyblk + i * 16 );
208 }
209
210 memset( &md5, 0, sizeof( md5 ) );
211 memset( &sha1, 0, sizeof( sha1 ) );
212
213 memset( padding, 0, sizeof( padding ) );
214 memset( sha1sum, 0, sizeof( sha1sum ) );
215 }
216 else
217 tls1_prf( ssl->session->master, 48, "key expansion",
218 ssl->randbytes, 64, keyblk, 256 );
219
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]220 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]221 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
222 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
223 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
224
225 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
226
227 /*
228 * Determine the appropriate key, IV and MAC length.
229 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]230 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]231 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]232#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]233 case SSL_RSA_RC4_128_MD5:
234 ssl->keylen = 16; ssl->minlen = 16;
235 ssl->ivlen = 0; ssl->maclen = 16;
236 break;
237
238 case SSL_RSA_RC4_128_SHA:
239 ssl->keylen = 16; ssl->minlen = 20;
240 ssl->ivlen = 0; ssl->maclen = 20;
241 break;
242#endif
243
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]244#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]245 case SSL_RSA_DES_168_SHA:
246 case SSL_EDH_RSA_DES_168_SHA:
247 ssl->keylen = 24; ssl->minlen = 24;
248 ssl->ivlen = 8; ssl->maclen = 20;
249 break;
250#endif
251
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]252#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]253 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]254 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]255 ssl->keylen = 16; ssl->minlen = 32;
256 ssl->ivlen = 16; ssl->maclen = 20;
257 break;
258
259 case SSL_RSA_AES_256_SHA:
260 case SSL_EDH_RSA_AES_256_SHA:
261 ssl->keylen = 32; ssl->minlen = 32;
262 ssl->ivlen = 16; ssl->maclen = 20;
263 break;
264#endif
265
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]266#if defined(POLARSSL_CAMELLIA_C)
267 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]268 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]269 ssl->keylen = 16; ssl->minlen = 32;
270 ssl->ivlen = 16; ssl->maclen = 20;
271 break;
272
273 case SSL_RSA_CAMELLIA_256_SHA:
274 case SSL_EDH_RSA_CAMELLIA_256_SHA:
275 ssl->keylen = 32; ssl->minlen = 32;
276 ssl->ivlen = 16; ssl->maclen = 20;
277 break;
278#endif
279
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]281 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
282 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]283 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]284 }
285
286 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
287 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
288
289 /*
290 * Finally setup the cipher contexts, IVs and MAC secrets.
291 */
292 if( ssl->endpoint == SSL_IS_CLIENT )
293 {
294 key1 = keyblk + ssl->maclen * 2;
295 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
296
297 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
298 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
299
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]300 /*
301 * This is not used in TLS v1.1.
302 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]303 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
304 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
305 ssl->ivlen );
306 }
307 else
308 {
309 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
310 key2 = keyblk + ssl->maclen * 2;
311
312 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
313 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
314
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]315 /*
316 * This is not used in TLS v1.1.
317 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
319 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
320 ssl->ivlen );
321 }
322
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]323 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]324 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]325#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326 case SSL_RSA_RC4_128_MD5:
327 case SSL_RSA_RC4_128_SHA:
328 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
329 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
330 break;
331#endif
332
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]333#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]334 case SSL_RSA_DES_168_SHA:
335 case SSL_EDH_RSA_DES_168_SHA:
336 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
337 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
338 break;
339#endif
340
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]341#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]343 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]344 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
345 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
346 break;
347
348 case SSL_RSA_AES_256_SHA:
349 case SSL_EDH_RSA_AES_256_SHA:
350 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
351 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
352 break;
353#endif
354
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]355#if defined(POLARSSL_CAMELLIA_C)
356 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]357 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]358 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
359 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
360 break;
361
362 case SSL_RSA_CAMELLIA_256_SHA:
363 case SSL_EDH_RSA_CAMELLIA_256_SHA:
364 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
365 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
366 break;
367#endif
368
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]370 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371 }
372
373 memset( keyblk, 0, sizeof( keyblk ) );
374
375 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
376
377 return( 0 );
378}
379
380void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
381{
382 md5_context md5;
383 sha1_context sha1;
384 unsigned char pad_1[48];
385 unsigned char pad_2[48];
386
387 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
388
389 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
390 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
391
392 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
393 {
394 memset( pad_1, 0x36, 48 );
395 memset( pad_2, 0x5C, 48 );
396
397 md5_update( &md5, ssl->session->master, 48 );
398 md5_update( &md5, pad_1, 48 );
399 md5_finish( &md5, hash );
400
401 md5_starts( &md5 );
402 md5_update( &md5, ssl->session->master, 48 );
403 md5_update( &md5, pad_2, 48 );
404 md5_update( &md5, hash, 16 );
405 md5_finish( &md5, hash );
406
407 sha1_update( &sha1, ssl->session->master, 48 );
408 sha1_update( &sha1, pad_1, 40 );
409 sha1_finish( &sha1, hash + 16 );
410
411 sha1_starts( &sha1 );
412 sha1_update( &sha1, ssl->session->master, 48 );
413 sha1_update( &sha1, pad_2, 40 );
414 sha1_update( &sha1, hash + 16, 20 );
415 sha1_finish( &sha1, hash + 16 );
416 }
417 else /* TLSv1 */
418 {
419 md5_finish( &md5, hash );
420 sha1_finish( &sha1, hash + 16 );
421 }
422
423 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
424 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
425
426 return;
427}
428
429/*
430 * SSLv3.0 MAC functions
431 */
432static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]433 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434 unsigned char *ctr, int type )
435{
436 unsigned char header[11];
437 unsigned char padding[48];
438 md5_context md5;
439
440 memcpy( header, ctr, 8 );
441 header[ 8] = (unsigned char) type;
442 header[ 9] = (unsigned char)( len >> 8 );
443 header[10] = (unsigned char)( len );
444
445 memset( padding, 0x36, 48 );
446 md5_starts( &md5 );
447 md5_update( &md5, secret, 16 );
448 md5_update( &md5, padding, 48 );
449 md5_update( &md5, header, 11 );
450 md5_update( &md5, buf, len );
451 md5_finish( &md5, buf + len );
452
453 memset( padding, 0x5C, 48 );
454 md5_starts( &md5 );
455 md5_update( &md5, secret, 16 );
456 md5_update( &md5, padding, 48 );
457 md5_update( &md5, buf + len, 16 );
458 md5_finish( &md5, buf + len );
459}
460
461static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]462 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463 unsigned char *ctr, int type )
464{
465 unsigned char header[11];
466 unsigned char padding[40];
467 sha1_context sha1;
468
469 memcpy( header, ctr, 8 );
470 header[ 8] = (unsigned char) type;
471 header[ 9] = (unsigned char)( len >> 8 );
472 header[10] = (unsigned char)( len );
473
474 memset( padding, 0x36, 40 );
475 sha1_starts( &sha1 );
476 sha1_update( &sha1, secret, 20 );
477 sha1_update( &sha1, padding, 40 );
478 sha1_update( &sha1, header, 11 );
479 sha1_update( &sha1, buf, len );
480 sha1_finish( &sha1, buf + len );
481
482 memset( padding, 0x5C, 40 );
483 sha1_starts( &sha1 );
484 sha1_update( &sha1, secret, 20 );
485 sha1_update( &sha1, padding, 40 );
486 sha1_update( &sha1, buf + len, 20 );
487 sha1_finish( &sha1, buf + len );
488}
489
490/*
491 * Encryption/decryption functions
492 */
493static int ssl_encrypt_buf( ssl_context *ssl )
494{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]495 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]496
497 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
498
499 /*
500 * Add MAC then encrypt
501 */
502 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
503 {
504 if( ssl->maclen == 16 )
505 ssl_mac_md5( ssl->mac_enc,
506 ssl->out_msg, ssl->out_msglen,
507 ssl->out_ctr, ssl->out_msgtype );
508
509 if( ssl->maclen == 20 )
510 ssl_mac_sha1( ssl->mac_enc,
511 ssl->out_msg, ssl->out_msglen,
512 ssl->out_ctr, ssl->out_msgtype );
513 }
514 else
515 {
516 if( ssl->maclen == 16 )
517 md5_hmac( ssl->mac_enc, 16,
518 ssl->out_ctr, ssl->out_msglen + 13,
519 ssl->out_msg + ssl->out_msglen );
520
521 if( ssl->maclen == 20 )
522 sha1_hmac( ssl->mac_enc, 20,
523 ssl->out_ctr, ssl->out_msglen + 13,
524 ssl->out_msg + ssl->out_msglen );
525 }
526
527 SSL_DEBUG_BUF( 4, "computed mac",
528 ssl->out_msg + ssl->out_msglen, ssl->maclen );
529
530 ssl->out_msglen += ssl->maclen;
531
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]532 for( i = 8; i > 0; i-- )
533 if( ++ssl->out_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]534 break;
535
536 if( ssl->ivlen == 0 )
537 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]538#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]539 padlen = 0;
540
541 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
542 "including %d bytes of padding",
543 ssl->out_msglen, 0 ) );
544
545 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
546 ssl->out_msg, ssl->out_msglen );
547
548 arc4_crypt( (arc4_context *) ssl->ctx_enc,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]549 ssl->out_msglen, ssl->out_msg,
550 ssl->out_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]552 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553#endif
554 }
555 else
556 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]557 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]558 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]559
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
561 if( padlen == ssl->ivlen )
562 padlen = 0;
563
564 for( i = 0; i <= padlen; i++ )
565 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
566
567 ssl->out_msglen += padlen + 1;
568
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]569 enc_msglen = ssl->out_msglen;
570 enc_msg = ssl->out_msg;
571
572 /*
573 * Prepend per-record IV for block cipher in TLS v1.1 as per
574 * Method 1 (6.2.3.2. in RFC4346)
575 */
576 if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
577 {
578 /*
579 * Generate IV
580 */
581 for( i = 0; i < ssl->ivlen; i++ )
582 ssl->iv_enc[i] = ssl->f_rng( ssl->p_rng );
583
584 /*
585 * Shift message for ivlen bytes and prepend IV
586 */
587 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
588 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
589
590 /*
591 * Fix pointer positions and message length with added IV
592 */
593 enc_msg = ssl->out_msg + ssl->ivlen;
594 enc_msglen = ssl->out_msglen;
595 ssl->out_msglen += ssl->ivlen;
596 }
597
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]599 "including %d bytes of IV and %d bytes of padding",
600 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601
602 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
603 ssl->out_msg, ssl->out_msglen );
604
605 switch( ssl->ivlen )
606 {
607 case 8:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]608#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]609 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]610 DES_ENCRYPT, enc_msglen,
611 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612 break;
613#endif
614
615 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]616#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]617 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
618 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
619 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
620 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
621 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]622 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]623 AES_ENCRYPT, enc_msglen,
624 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]625 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]626 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]627#endif
628
629#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]630 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
631 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
632 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
633 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
634 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]635 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]636 CAMELLIA_ENCRYPT, enc_msglen,
637 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]638 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]639 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640#endif
641
642 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]643 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]644 }
645 }
646
647 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
648
649 return( 0 );
650}
651
652static int ssl_decrypt_buf( ssl_context *ssl )
653{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]654 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655 unsigned char tmp[20];
656
657 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
658
659 if( ssl->in_msglen < ssl->minlen )
660 {
661 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
662 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]663 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664 }
665
666 if( ssl->ivlen == 0 )
667 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]668#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 padlen = 0;
670 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]671 ssl->in_msglen, ssl->in_msg,
672 ssl->in_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]674 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675#endif
676 }
677 else
678 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]679 unsigned char *dec_msg;
680 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]681 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]682
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]683 /*
684 * Decrypt and check the padding
685 */
686 if( ssl->in_msglen % ssl->ivlen != 0 )
687 {
688 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
689 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]690 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691 }
692
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]693 dec_msglen = ssl->in_msglen;
694 dec_msg = ssl->in_msg;
695 dec_msg_result = ssl->in_msg;
696
697 /*
698 * Initialize for prepended IV for block cipher in TLS v1.1
699 */
700 if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
701 {
702 dec_msg += ssl->ivlen;
703 dec_msglen -= ssl->ivlen;
704 ssl->in_msglen -= ssl->ivlen;
705
706 for( i = 0; i < ssl->ivlen; i++ )
707 ssl->iv_dec[i] = ssl->in_msg[i];
708 }
709
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 switch( ssl->ivlen )
711 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]712#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]713 case 8:
714 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]715 DES_DECRYPT, dec_msglen,
716 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717 break;
718#endif
719
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]721#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]722 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
723 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
724 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
725 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
726 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]727 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]728 AES_DECRYPT, dec_msglen,
729 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]730 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]731 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]732#endif
733
734#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]735 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
736 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
737 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
738 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
739 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]740 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]741 CAMELLIA_DECRYPT, dec_msglen,
742 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]743 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]744 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745#endif
746
747 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]748 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]749 }
750
751 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
752
753 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
754 {
755 if( padlen > ssl->ivlen )
756 {
757 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
758 "should be no more than %d",
759 padlen, ssl->ivlen ) );
760 padlen = 0;
761 }
762 }
763 else
764 {
765 /*
766 * TLSv1: always check the padding
767 */
768 for( i = 1; i <= padlen; i++ )
769 {
770 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
771 {
772 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
773 "%02x, but is %02x", padlen - 1,
774 ssl->in_msg[ssl->in_msglen - i] ) );
775 padlen = 0;
776 }
777 }
778 }
779 }
780
781 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
782 ssl->in_msg, ssl->in_msglen );
783
784 /*
785 * Always compute the MAC (RFC4346, CBCTIME).
786 */
787 ssl->in_msglen -= ( ssl->maclen + padlen );
788
789 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
790 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
791
792 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
793
794 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
795 {
796 if( ssl->maclen == 16 )
797 ssl_mac_md5( ssl->mac_dec,
798 ssl->in_msg, ssl->in_msglen,
799 ssl->in_ctr, ssl->in_msgtype );
800 else
801 ssl_mac_sha1( ssl->mac_dec,
802 ssl->in_msg, ssl->in_msglen,
803 ssl->in_ctr, ssl->in_msgtype );
804 }
805 else
806 {
807 if( ssl->maclen == 16 )
808 md5_hmac( ssl->mac_dec, 16,
809 ssl->in_ctr, ssl->in_msglen + 13,
810 ssl->in_msg + ssl->in_msglen );
811 else
812 sha1_hmac( ssl->mac_dec, 20,
813 ssl->in_ctr, ssl->in_msglen + 13,
814 ssl->in_msg + ssl->in_msglen );
815 }
816
817 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
818 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
819 ssl->maclen );
820
821 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
822 ssl->maclen ) != 0 )
823 {
824 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]825 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]826 }
827
828 /*
829 * Finally check the padding length; bad padding
830 * will produce the same error as an invalid MAC.
831 */
832 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]833 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834
835 if( ssl->in_msglen == 0 )
836 {
837 ssl->nb_zero++;
838
839 /*
840 * Three or more empty messages may be a DoS attack
841 * (excessive CPU consumption).
842 */
843 if( ssl->nb_zero > 3 )
844 {
845 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
846 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]847 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]848 }
849 }
850 else
851 ssl->nb_zero = 0;
852
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]853 for( i = 8; i > 0; i-- )
854 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]855 break;
856
857 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
858
859 return( 0 );
860}
861
862/*
863 * Fill the input message buffer
864 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]865int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]867 int ret;
868 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]869
870 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
871
872 while( ssl->in_left < nb_want )
873 {
874 len = nb_want - ssl->in_left;
875 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
876
877 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
878 ssl->in_left, nb_want ) );
879 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
880
881 if( ret < 0 )
882 return( ret );
883
884 ssl->in_left += ret;
885 }
886
887 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
888
889 return( 0 );
890}
891
892/*
893 * Flush any data not yet written
894 */
895int ssl_flush_output( ssl_context *ssl )
896{
897 int ret;
898 unsigned char *buf;
899
900 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
901
902 while( ssl->out_left > 0 )
903 {
904 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
905 5 + ssl->out_msglen, ssl->out_left ) );
906
907 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
908 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
909 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
910
911 if( ret <= 0 )
912 return( ret );
913
914 ssl->out_left -= ret;
915 }
916
917 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
918
919 return( 0 );
920}
921
922/*
923 * Record layer functions
924 */
925int ssl_write_record( ssl_context *ssl )
926{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]927 int ret;
928 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929
930 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
931
932 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
933 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
934 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
935 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
936 ssl->out_hdr[4] = (unsigned char)( len );
937
938 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
939 {
940 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
941 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
942 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
943
944 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
945 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
946 }
947
948 if( ssl->do_crypt != 0 )
949 {
950 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
951 {
952 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
953 return( ret );
954 }
955
956 len = ssl->out_msglen;
957 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
958 ssl->out_hdr[4] = (unsigned char)( len );
959 }
960
961 ssl->out_left = 5 + ssl->out_msglen;
962
963 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
964 "version = [%d:%d], msglen = %d",
965 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
966 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
967
968 SSL_DEBUG_BUF( 4, "output record sent to network",
969 ssl->out_hdr, 5 + ssl->out_msglen );
970
971 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
972 {
973 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
974 return( ret );
975 }
976
977 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
978
979 return( 0 );
980}
981
982int ssl_read_record( ssl_context *ssl )
983{
984 int ret;
985
986 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
987
988 if( ssl->in_hslen != 0 &&
989 ssl->in_hslen < ssl->in_msglen )
990 {
991 /*
992 * Get next Handshake message in the current record
993 */
994 ssl->in_msglen -= ssl->in_hslen;
995
996 memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
997 ssl->in_msglen );
998
999 ssl->in_hslen = 4;
1000 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1001
1002 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1003 " %d, type = %d, hslen = %d",
1004 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1005
1006 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1007 {
1008 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1009 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1010 }
1011
1012 if( ssl->in_msglen < ssl->in_hslen )
1013 {
1014 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1015 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1016 }
1017
1018 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1019 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1020
1021 return( 0 );
1022 }
1023
1024 ssl->in_hslen = 0;
1025
1026 /*
1027 * Read the record header and validate it
1028 */
1029 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1030 {
1031 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1032 return( ret );
1033 }
1034
1035 ssl->in_msgtype = ssl->in_hdr[0];
1036 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1037
1038 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1039 "version = [%d:%d], msglen = %d",
1040 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1041 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1042
1043 if( ssl->in_hdr[1] != ssl->major_ver )
1044 {
1045 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1046 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1047 }
1048
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1049 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1050 {
1051 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1052 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053 }
1054
1055 /*
1056 * Make sure the message length is acceptable
1057 */
1058 if( ssl->do_crypt == 0 )
1059 {
1060 if( ssl->in_msglen < 1 ||
1061 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1062 {
1063 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1064 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1065 }
1066 }
1067 else
1068 {
1069 if( ssl->in_msglen < ssl->minlen )
1070 {
1071 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1072 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1073 }
1074
1075 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1076 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1077 {
1078 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1079 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1080 }
1081
1082 /*
1083 * TLS encrypted messages can have up to 256 bytes of padding
1084 */
1085 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
1086 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1087 {
1088 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1089 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1090 }
1091 }
1092
1093 /*
1094 * Read and optionally decrypt the message contents
1095 */
1096 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1097 {
1098 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1099 return( ret );
1100 }
1101
1102 SSL_DEBUG_BUF( 4, "input record from network",
1103 ssl->in_hdr, 5 + ssl->in_msglen );
1104
1105 if( ssl->do_crypt != 0 )
1106 {
1107 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1108 {
1109 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1110 return( ret );
1111 }
1112
1113 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1114 ssl->in_msg, ssl->in_msglen );
1115
1116 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1117 {
1118 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1119 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1120 }
1121 }
1122
1123 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1124 {
1125 ssl->in_hslen = 4;
1126 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1127
1128 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1129 " %d, type = %d, hslen = %d",
1130 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1131
1132 /*
1133 * Additional checks to validate the handshake header
1134 */
1135 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1136 {
1137 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1138 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1139 }
1140
1141 if( ssl->in_msglen < ssl->in_hslen )
1142 {
1143 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1144 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145 }
1146
1147 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1148 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1149 }
1150
1151 if( ssl->in_msgtype == SSL_MSG_ALERT )
1152 {
1153 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1154 ssl->in_msg[0], ssl->in_msg[1] ) );
1155
1156 /*
1157 * Ignore non-fatal alerts, except close_notify
1158 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1159 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1160 {
1161 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1162 /**
1163 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1164 * error identifier.
1165 */
1166 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1167 }
1168
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1169 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1170 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1171 {
1172 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1173 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1174 }
1175 }
1176
1177 ssl->in_left = 0;
1178
1179 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1180
1181 return( 0 );
1182}
1183
1184/*
1185 * Handshake functions
1186 */
1187int ssl_write_certificate( ssl_context *ssl )
1188{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1189 int ret;
1190 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1191 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1192
1193 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1194
1195 if( ssl->endpoint == SSL_IS_CLIENT )
1196 {
1197 if( ssl->client_auth == 0 )
1198 {
1199 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1200 ssl->state++;
1201 return( 0 );
1202 }
1203
1204 /*
1205 * If using SSLv3 and got no cert, send an Alert message
1206 * (otherwise an empty Certificate message will be sent).
1207 */
1208 if( ssl->own_cert == NULL &&
1209 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1210 {
1211 ssl->out_msglen = 2;
1212 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1213 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1214 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1215
1216 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1217 goto write_msg;
1218 }
1219 }
1220 else /* SSL_IS_SERVER */
1221 {
1222 if( ssl->own_cert == NULL )
1223 {
1224 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1225 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226 }
1227 }
1228
1229 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1230
1231 /*
1232 * 0 . 0 handshake type
1233 * 1 . 3 handshake length
1234 * 4 . 6 length of all certs
1235 * 7 . 9 length of cert. 1
1236 * 10 . n-1 peer certificate
1237 * n . n+2 length of cert. 2
1238 * n+3 . ... upper level cert, etc.
1239 */
1240 i = 7;
1241 crt = ssl->own_cert;
1242
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1243 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244 {
1245 n = crt->raw.len;
1246 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1247 {
1248 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1249 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1250 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251 }
1252
1253 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1254 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1255 ssl->out_msg[i + 2] = (unsigned char)( n );
1256
1257 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1258 i += n; crt = crt->next;
1259 }
1260
1261 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1262 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1263 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1264
1265 ssl->out_msglen = i;
1266 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1267 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1268
1269write_msg:
1270
1271 ssl->state++;
1272
1273 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1274 {
1275 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1276 return( ret );
1277 }
1278
1279 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1280
1281 return( 0 );
1282}
1283
1284int ssl_parse_certificate( ssl_context *ssl )
1285{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1286 int ret;
1287 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1288
1289 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1290
1291 if( ssl->endpoint == SSL_IS_SERVER &&
1292 ssl->authmode == SSL_VERIFY_NONE )
1293 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1294 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1295 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1296 ssl->state++;
1297 return( 0 );
1298 }
1299
1300 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1301 {
1302 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1303 return( ret );
1304 }
1305
1306 ssl->state++;
1307
1308 /*
1309 * Check if the client sent an empty certificate
1310 */
1311 if( ssl->endpoint == SSL_IS_SERVER &&
1312 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1313 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1314 if( ssl->in_msglen == 2 &&
1315 ssl->in_msgtype == SSL_MSG_ALERT &&
1316 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1317 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318 {
1319 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1320
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1321 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1322 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1323 return( 0 );
1324 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1325 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326 }
1327 }
1328
1329 if( ssl->endpoint == SSL_IS_SERVER &&
1330 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1331 {
1332 if( ssl->in_hslen == 7 &&
1333 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1334 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1335 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1336 {
1337 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1338
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1339 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1341 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342 else
1343 return( 0 );
1344 }
1345 }
1346
1347 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1348 {
1349 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1350 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351 }
1352
1353 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1354 {
1355 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1356 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1357 }
1358
1359 /*
1360 * Same message structure as in ssl_write_certificate()
1361 */
1362 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1363
1364 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1365 {
1366 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1367 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1368 }
1369
1370 if( ( ssl->peer_cert = (x509_cert *) malloc(
1371 sizeof( x509_cert ) ) ) == NULL )
1372 {
1373 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1374 sizeof( x509_cert ) ) );
1375 return( 1 );
1376 }
1377
1378 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1379
1380 i = 7;
1381
1382 while( i < ssl->in_hslen )
1383 {
1384 if( ssl->in_msg[i] != 0 )
1385 {
1386 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1387 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1388 }
1389
1390 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1391 | (unsigned int) ssl->in_msg[i + 2];
1392 i += 3;
1393
1394 if( n < 128 || i + n > ssl->in_hslen )
1395 {
1396 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1397 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1398 }
1399
1400 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
1401 if( ret != 0 )
1402 {
1403 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1404 return( ret );
1405 }
1406
1407 i += n;
1408 }
1409
1410 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1411
1412 if( ssl->authmode != SSL_VERIFY_NONE )
1413 {
1414 if( ssl->ca_chain == NULL )
1415 {
1416 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1417 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1418 }
1419
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1420 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1421 ssl->peer_cn, &ssl->verify_result,
1422 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1423
1424 if( ret != 0 )
1425 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1426
1427 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1428 ret = 0;
1429 }
1430
1431 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1432
1433 return( ret );
1434}
1435
1436int ssl_write_change_cipher_spec( ssl_context *ssl )
1437{
1438 int ret;
1439
1440 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1441
1442 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1443 ssl->out_msglen = 1;
1444 ssl->out_msg[0] = 1;
1445
1446 ssl->do_crypt = 0;
1447 ssl->state++;
1448
1449 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1450 {
1451 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1452 return( ret );
1453 }
1454
1455 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1456
1457 return( 0 );
1458}
1459
1460int ssl_parse_change_cipher_spec( ssl_context *ssl )
1461{
1462 int ret;
1463
1464 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1465
1466 ssl->do_crypt = 0;
1467
1468 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1469 {
1470 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1471 return( ret );
1472 }
1473
1474 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1475 {
1476 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1477 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1478 }
1479
1480 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1481 {
1482 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1483 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484 }
1485
1486 ssl->state++;
1487
1488 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1489
1490 return( 0 );
1491}
1492
1493static void ssl_calc_finished(
1494 ssl_context *ssl, unsigned char *buf, int from,
1495 md5_context *md5, sha1_context *sha1 )
1496{
1497 int len = 12;
1498 char *sender;
1499 unsigned char padbuf[48];
1500 unsigned char md5sum[16];
1501 unsigned char sha1sum[20];
1502
1503 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1504
1505 /*
1506 * SSLv3:
1507 * hash =
1508 * MD5( master + pad2 +
1509 * MD5( handshake + sender + master + pad1 ) )
1510 * + SHA1( master + pad2 +
1511 * SHA1( handshake + sender + master + pad1 ) )
1512 *
1513 * TLSv1:
1514 * hash = PRF( master, finished_label,
1515 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1516 */
1517
1518 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1519 md5->state, sizeof( md5->state ) );
1520
1521 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1522 sha1->state, sizeof( sha1->state ) );
1523
1524 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1525 {
1526 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1527 : (char *) "SRVR";
1528
1529 memset( padbuf, 0x36, 48 );
1530
1531 md5_update( md5, (unsigned char *) sender, 4 );
1532 md5_update( md5, ssl->session->master, 48 );
1533 md5_update( md5, padbuf, 48 );
1534 md5_finish( md5, md5sum );
1535
1536 sha1_update( sha1, (unsigned char *) sender, 4 );
1537 sha1_update( sha1, ssl->session->master, 48 );
1538 sha1_update( sha1, padbuf, 40 );
1539 sha1_finish( sha1, sha1sum );
1540
1541 memset( padbuf, 0x5C, 48 );
1542
1543 md5_starts( md5 );
1544 md5_update( md5, ssl->session->master, 48 );
1545 md5_update( md5, padbuf, 48 );
1546 md5_update( md5, md5sum, 16 );
1547 md5_finish( md5, buf );
1548
1549 sha1_starts( sha1 );
1550 sha1_update( sha1, ssl->session->master, 48 );
1551 sha1_update( sha1, padbuf , 40 );
1552 sha1_update( sha1, sha1sum, 20 );
1553 sha1_finish( sha1, buf + 16 );
1554
1555 len += 24;
1556 }
1557 else
1558 {
1559 sender = ( from == SSL_IS_CLIENT )
1560 ? (char *) "client finished"
1561 : (char *) "server finished";
1562
1563 md5_finish( md5, padbuf );
1564 sha1_finish( sha1, padbuf + 16 );
1565
1566 tls1_prf( ssl->session->master, 48, sender,
1567 padbuf, 36, buf, len );
1568 }
1569
1570 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1571
1572 memset( md5, 0, sizeof( md5_context ) );
1573 memset( sha1, 0, sizeof( sha1_context ) );
1574
1575 memset( padbuf, 0, sizeof( padbuf ) );
1576 memset( md5sum, 0, sizeof( md5sum ) );
1577 memset( sha1sum, 0, sizeof( sha1sum ) );
1578
1579 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1580}
1581
1582int ssl_write_finished( ssl_context *ssl )
1583{
1584 int ret, hash_len;
1585 md5_context md5;
1586 sha1_context sha1;
1587
1588 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1589
1590 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1591 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1592
1593 ssl_calc_finished( ssl, ssl->out_msg + 4,
1594 ssl->endpoint, &md5, &sha1 );
1595
1596 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1597
1598 ssl->out_msglen = 4 + hash_len;
1599 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1600 ssl->out_msg[0] = SSL_HS_FINISHED;
1601
1602 /*
1603 * In case of session resuming, invert the client and server
1604 * ChangeCipherSpec messages order.
1605 */
1606 if( ssl->resume != 0 )
1607 {
1608 if( ssl->endpoint == SSL_IS_CLIENT )
1609 ssl->state = SSL_HANDSHAKE_OVER;
1610 else
1611 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1612 }
1613 else
1614 ssl->state++;
1615
1616 ssl->do_crypt = 1;
1617
1618 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1619 {
1620 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1621 return( ret );
1622 }
1623
1624 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1625
1626 return( 0 );
1627}
1628
1629int ssl_parse_finished( ssl_context *ssl )
1630{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1631 int ret;
1632 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1633 unsigned char buf[36];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1634 md5_context md5;
1635 sha1_context sha1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1636
1637 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1638
1639 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1640 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1641
1642 ssl->do_crypt = 1;
1643
1644 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1645 {
1646 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1647 return( ret );
1648 }
1649
1650 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1651 {
1652 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1653 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1654 }
1655
1656 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1657
1658 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1659 ssl->in_hslen != 4 + hash_len )
1660 {
1661 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1662 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1663 }
1664
1665 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1666
1667 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1668 {
1669 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1670 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1671 }
1672
1673 if( ssl->resume != 0 )
1674 {
1675 if( ssl->endpoint == SSL_IS_CLIENT )
1676 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1677
1678 if( ssl->endpoint == SSL_IS_SERVER )
1679 ssl->state = SSL_HANDSHAKE_OVER;
1680 }
1681 else
1682 ssl->state++;
1683
1684 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1685
1686 return( 0 );
1687}
1688
1689/*
1690 * Initialize an SSL context
1691 */
1692int ssl_init( ssl_context *ssl )
1693{
1694 int len = SSL_BUFFER_LEN;
1695
1696 memset( ssl, 0, sizeof( ssl_context ) );
1697
1698 ssl->in_ctr = (unsigned char *) malloc( len );
1699 ssl->in_hdr = ssl->in_ctr + 8;
1700 ssl->in_msg = ssl->in_ctr + 13;
1701
1702 if( ssl->in_ctr == NULL )
1703 {
1704 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1705 return( 1 );
1706 }
1707
1708 ssl->out_ctr = (unsigned char *) malloc( len );
1709 ssl->out_hdr = ssl->out_ctr + 8;
1710 ssl->out_msg = ssl->out_ctr + 13;
1711
1712 if( ssl->out_ctr == NULL )
1713 {
1714 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1715 free( ssl-> in_ctr );
1716 return( 1 );
1717 }
1718
1719 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1720 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1721
1722 ssl->hostname = NULL;
1723 ssl->hostname_len = 0;
1724
1725 md5_starts( &ssl->fin_md5 );
1726 sha1_starts( &ssl->fin_sha1 );
1727
1728 return( 0 );
1729}
1730
1731/*
1732 * SSL set accessors
1733 */
1734void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1735{
1736 ssl->endpoint = endpoint;
1737}
1738
1739void ssl_set_authmode( ssl_context *ssl, int authmode )
1740{
1741 ssl->authmode = authmode;
1742}
1743
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1744void ssl_set_verify( ssl_context *ssl,
1745 int (*f_vrfy)(void *, x509_cert *, int, int),
1746 void *p_vrfy )
1747{
1748 ssl->f_vrfy = f_vrfy;
1749 ssl->p_vrfy = p_vrfy;
1750}
1751
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752void ssl_set_rng( ssl_context *ssl,
1753 int (*f_rng)(void *),
1754 void *p_rng )
1755{
1756 ssl->f_rng = f_rng;
1757 ssl->p_rng = p_rng;
1758}
1759
1760void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1761 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762 void *p_dbg )
1763{
1764 ssl->f_dbg = f_dbg;
1765 ssl->p_dbg = p_dbg;
1766}
1767
1768void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1769 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
1770 int (*f_send)(void *, unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1771{
1772 ssl->f_recv = f_recv;
1773 ssl->f_send = f_send;
1774 ssl->p_recv = p_recv;
1775 ssl->p_send = p_send;
1776}
1777
1778void ssl_set_scb( ssl_context *ssl,
1779 int (*s_get)(ssl_context *),
1780 int (*s_set)(ssl_context *) )
1781{
1782 ssl->s_get = s_get;
1783 ssl->s_set = s_set;
1784}
1785
1786void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1787 ssl_session *session )
1788{
1789 ssl->resume = resume;
1790 ssl->timeout = timeout;
1791 ssl->session = session;
1792}
1793
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1794void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1796 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797}
1798
1799void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]1800 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1801{
1802 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1803 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804 ssl->peer_cn = peer_cn;
1805}
1806
1807void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1808 rsa_context *rsa_key )
1809{
1810 ssl->own_cert = own_cert;
1811 ssl->rsa_key = rsa_key;
1812}
1813
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1814#if defined(POLARSSL_PKCS11_C)
1815void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
1816 pkcs11_context *pkcs11_key )
1817{
1818 ssl->own_cert = own_cert;
1819 ssl->pkcs11_key = pkcs11_key;
1820}
1821#endif
1822
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1823int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1824{
1825 int ret;
1826
1827 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1828 {
1829 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1830 return( ret );
1831 }
1832
1833 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1834 {
1835 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1836 return( ret );
1837 }
1838
1839 return( 0 );
1840}
1841
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]1842int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
1843{
1844 int ret;
1845
1846 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
1847 {
1848 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1849 return( ret );
1850 }
1851
1852 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
1853 {
1854 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1855 return( ret );
1856 }
1857
1858 return( 0 );
1859}
1860
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1861int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862{
1863 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1864 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865
1866 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1867 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868
1869 memcpy( ssl->hostname, (unsigned char *) hostname,
1870 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1871
1872 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1873
1874 return( 0 );
1875}
1876
1877/*
1878 * SSL get accessors
1879 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1880size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881{
1882 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
1883}
1884
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1885int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886{
1887 return( ssl->verify_result );
1888}
1889
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1890const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1891{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1892 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1894#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1895 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1896 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897
1898 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1899 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900#endif
1901
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1902#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1904 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1905
1906 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1907 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908#endif
1909
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1910#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1911 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1912 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1913
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1914 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1915 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1916
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1917 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1918 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1919
1920 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1921 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922#endif
1923
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1924#if defined(POLARSSL_CAMELLIA_C)
1925 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1926 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1927
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1928 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1929 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1930
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1931 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1932 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1933
1934 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1935 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1936#endif
1937
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938 default:
1939 break;
1940 }
1941
1942 return( "unknown" );
1943}
1944
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1945int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1946{
1947#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1948 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1949 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1950 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1951 return( SSL_RSA_RC4_128_SHA );
1952#endif
1953
1954#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1955 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1956 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1957 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1958 return( SSL_EDH_RSA_DES_168_SHA );
1959#endif
1960
1961#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1962 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1963 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1964 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1965 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1966 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1967 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1968 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1969 return( SSL_EDH_RSA_AES_256_SHA );
1970#endif
1971
1972#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1973 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1974 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1975 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1976 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1977 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1978 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1979 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1980 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
1981#endif
1982
1983 return( 0 );
1984}
1985
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1986const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1987{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1988 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1989}
1990
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]1991const char *ssl_get_version( const ssl_context *ssl )
1992{
1993 switch( ssl->minor_ver )
1994 {
1995 case SSL_MINOR_VERSION_0:
1996 return( "SSLv3.0" );
1997
1998 case SSL_MINOR_VERSION_1:
1999 return( "TLSv1.0" );
2000
2001 case SSL_MINOR_VERSION_2:
2002 return( "TLSv1.1" );
2003
2004 default:
2005 break;
2006 }
2007 return( "unknown" );
2008}
2009
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2010int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2011{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2012#if defined(POLARSSL_DHM_C)
2013#if defined(POLARSSL_AES_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2014 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2015 SSL_EDH_RSA_AES_256_SHA,
2016#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2017#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2018 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2019 SSL_EDH_RSA_CAMELLIA_256_SHA,
2020#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2021#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2022 SSL_EDH_RSA_DES_168_SHA,
2023#endif
2024#endif
2025
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2026#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2027 SSL_RSA_AES_256_SHA,
2028#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2029#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2030 SSL_RSA_CAMELLIA_256_SHA,
2031#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2032#if defined(POLARSSL_AES_C)
2033 SSL_RSA_AES_128_SHA,
2034#endif
2035#if defined(POLARSSL_CAMELLIA_C)
2036 SSL_RSA_CAMELLIA_128_SHA,
2037#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2038#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2039 SSL_RSA_DES_168_SHA,
2040#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2041#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2042 SSL_RSA_RC4_128_SHA,
2043 SSL_RSA_RC4_128_MD5,
2044#endif
2045 0
2046};
2047
2048/*
2049 * Perform the SSL handshake
2050 */
2051int ssl_handshake( ssl_context *ssl )
2052{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2053 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2054
2055 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
2056
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2057#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2058 if( ssl->endpoint == SSL_IS_CLIENT )
2059 ret = ssl_handshake_client( ssl );
2060#endif
2061
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2062#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2063 if( ssl->endpoint == SSL_IS_SERVER )
2064 ret = ssl_handshake_server( ssl );
2065#endif
2066
2067 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
2068
2069 return( ret );
2070}
2071
2072/*
2073 * Receive application data decrypted from the SSL layer
2074 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2075int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2076{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2077 int ret;
2078 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2079
2080 SSL_DEBUG_MSG( 2, ( "=> read" ) );
2081
2082 if( ssl->state != SSL_HANDSHAKE_OVER )
2083 {
2084 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2085 {
2086 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2087 return( ret );
2088 }
2089 }
2090
2091 if( ssl->in_offt == NULL )
2092 {
2093 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2094 {
2095 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2096 return( ret );
2097 }
2098
2099 if( ssl->in_msglen == 0 &&
2100 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
2101 {
2102 /*
2103 * OpenSSL sends empty messages to randomize the IV
2104 */
2105 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2106 {
2107 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2108 return( ret );
2109 }
2110 }
2111
2112 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2113 {
2114 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2115 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2116 }
2117
2118 ssl->in_offt = ssl->in_msg;
2119 }
2120
2121 n = ( len < ssl->in_msglen )
2122 ? len : ssl->in_msglen;
2123
2124 memcpy( buf, ssl->in_offt, n );
2125 ssl->in_msglen -= n;
2126
2127 if( ssl->in_msglen == 0 )
2128 /* all bytes consumed */
2129 ssl->in_offt = NULL;
2130 else
2131 /* more data available */
2132 ssl->in_offt += n;
2133
2134 SSL_DEBUG_MSG( 2, ( "<= read" ) );
2135
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2136 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2137}
2138
2139/*
2140 * Send application data to be encrypted by the SSL layer
2141 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2142int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2143{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2144 int ret;
2145 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146
2147 SSL_DEBUG_MSG( 2, ( "=> write" ) );
2148
2149 if( ssl->state != SSL_HANDSHAKE_OVER )
2150 {
2151 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2152 {
2153 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2154 return( ret );
2155 }
2156 }
2157
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2158 if( ssl->out_left != 0 )
2159 {
2160 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2161 {
2162 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2163 return( ret );
2164 }
2165 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2166
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]2167 n = ( len < SSL_MAX_CONTENT_LEN )
2168 ? len : SSL_MAX_CONTENT_LEN;
2169
2170 ssl->out_msglen = n;
2171 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
2172 memcpy( ssl->out_msg, buf, n );
2173
2174 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2175 {
2176 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2177 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2178 }
2179
2180 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2181
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2182 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2183}
2184
2185/*
2186 * Notify the peer that the connection is being closed
2187 */
2188int ssl_close_notify( ssl_context *ssl )
2189{
2190 int ret;
2191
2192 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
2193
2194 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2195 {
2196 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2197 return( ret );
2198 }
2199
2200 if( ssl->state == SSL_HANDSHAKE_OVER )
2201 {
2202 ssl->out_msgtype = SSL_MSG_ALERT;
2203 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2204 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2205 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2206
2207 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2208 {
2209 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2210 return( ret );
2211 }
2212 }
2213
2214 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2215
2216 return( ret );
2217}
2218
2219/*
2220 * Free an SSL context
2221 */
2222void ssl_free( ssl_context *ssl )
2223{
2224 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2225
2226 if( ssl->peer_cert != NULL )
2227 {
2228 x509_free( ssl->peer_cert );
2229 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2230 free( ssl->peer_cert );
2231 }
2232
2233 if( ssl->out_ctr != NULL )
2234 {
2235 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2236 free( ssl->out_ctr );
2237 }
2238
2239 if( ssl->in_ctr != NULL )
2240 {
2241 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2242 free( ssl->in_ctr );
2243 }
2244
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2245#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2246 dhm_free( &ssl->dhm_ctx );
2247#endif
2248
2249 if ( ssl->hostname != NULL)
2250 {
2251 memset( ssl->hostname, 0, ssl->hostname_len );
2252 free( ssl->hostname );
2253 ssl->hostname_len = 0;
2254 }
2255
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2257
2258 /* Actually free after last debug message */
2259 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260}
2261
2262#endif