TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f0ba6a479aff489c268b664ae370aa5ab301b23f / . / library / ssl_tls.c
blob: fb46d48f3f84ca2b0699bf42c6fee1df886145fa [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
5 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]6 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The SSL 3.0 specification was drafted by Netscape in 1996,
24 * and became an IETF standard in 1999.
25 *
26 * http://wp.netscape.com/eng/ssl3/
27 * http://www.ietf.org/rfc/rfc2246.txt
28 * http://www.ietf.org/rfc/rfc4346.txt
29 */
30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#include "polarssl/aes.h"
36#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]37#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/des.h"
39#include "polarssl/debug.h"
40#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]41
42#include <string.h>
43#include <stdlib.h>
44#include <time.h>
45
46/*
47 * Key material generation
48 */
49static int tls1_prf( unsigned char *secret, int slen, char *label,
50 unsigned char *random, int rlen,
51 unsigned char *dstbuf, int dlen )
52{
53 int nb, hs;
54 int i, j, k;
55 unsigned char *S1, *S2;
56 unsigned char tmp[128];
57 unsigned char h_i[20];
58
59 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]60 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61
62 hs = ( slen + 1 ) / 2;
63 S1 = secret;
64 S2 = secret + slen - hs;
65
66 nb = strlen( label );
67 memcpy( tmp + 20, label, nb );
68 memcpy( tmp + 20 + nb, random, rlen );
69 nb += rlen;
70
71 /*
72 * First compute P_md5(secret,label+random)[0..dlen]
73 */
74 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
75
76 for( i = 0; i < dlen; i += 16 )
77 {
78 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
79 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
80
81 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
82
83 for( j = 0; j < k; j++ )
84 dstbuf[i + j] = h_i[j];
85 }
86
87 /*
88 * XOR out with P_sha1(secret,label+random)[0..dlen]
89 */
90 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
91
92 for( i = 0; i < dlen; i += 20 )
93 {
94 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
95 sha1_hmac( S2, hs, tmp, 20, tmp );
96
97 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
98
99 for( j = 0; j < k; j++ )
100 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
101 }
102
103 memset( tmp, 0, sizeof( tmp ) );
104 memset( h_i, 0, sizeof( h_i ) );
105
106 return( 0 );
107}
108
109int ssl_derive_keys( ssl_context *ssl )
110{
111 int i;
112 md5_context md5;
113 sha1_context sha1;
114 unsigned char tmp[64];
115 unsigned char padding[16];
116 unsigned char sha1sum[20];
117 unsigned char keyblk[256];
118 unsigned char *key1;
119 unsigned char *key2;
120
121 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
122
123 /*
124 * SSLv3:
125 * master =
126 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
127 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
128 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
129 *
130 * TLSv1:
131 * master = PRF( premaster, "master secret", randbytes )[0..47]
132 */
133 if( ssl->resume == 0 )
134 {
135 int len = ssl->pmslen;
136
137 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
138
139 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
140 {
141 for( i = 0; i < 3; i++ )
142 {
143 memset( padding, 'A' + i, 1 + i );
144
145 sha1_starts( &sha1 );
146 sha1_update( &sha1, padding, 1 + i );
147 sha1_update( &sha1, ssl->premaster, len );
148 sha1_update( &sha1, ssl->randbytes, 64 );
149 sha1_finish( &sha1, sha1sum );
150
151 md5_starts( &md5 );
152 md5_update( &md5, ssl->premaster, len );
153 md5_update( &md5, sha1sum, 20 );
154 md5_finish( &md5, ssl->session->master + i * 16 );
155 }
156 }
157 else
158 tls1_prf( ssl->premaster, len, "master secret",
159 ssl->randbytes, 64, ssl->session->master, 48 );
160
161 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
162 }
163 else
164 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
165
166 /*
167 * Swap the client and server random values.
168 */
169 memcpy( tmp, ssl->randbytes, 64 );
170 memcpy( ssl->randbytes, tmp + 32, 32 );
171 memcpy( ssl->randbytes + 32, tmp, 32 );
172 memset( tmp, 0, sizeof( tmp ) );
173
174 /*
175 * SSLv3:
176 * key block =
177 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
178 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
179 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
180 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
181 * ...
182 *
183 * TLSv1:
184 * key block = PRF( master, "key expansion", randbytes )
185 */
186 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
187 {
188 for( i = 0; i < 16; i++ )
189 {
190 memset( padding, 'A' + i, 1 + i );
191
192 sha1_starts( &sha1 );
193 sha1_update( &sha1, padding, 1 + i );
194 sha1_update( &sha1, ssl->session->master, 48 );
195 sha1_update( &sha1, ssl->randbytes, 64 );
196 sha1_finish( &sha1, sha1sum );
197
198 md5_starts( &md5 );
199 md5_update( &md5, ssl->session->master, 48 );
200 md5_update( &md5, sha1sum, 20 );
201 md5_finish( &md5, keyblk + i * 16 );
202 }
203
204 memset( &md5, 0, sizeof( md5 ) );
205 memset( &sha1, 0, sizeof( sha1 ) );
206
207 memset( padding, 0, sizeof( padding ) );
208 memset( sha1sum, 0, sizeof( sha1sum ) );
209 }
210 else
211 tls1_prf( ssl->session->master, 48, "key expansion",
212 ssl->randbytes, 64, keyblk, 256 );
213
214 SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) );
215 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
216 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
217 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
218
219 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
220
221 /*
222 * Determine the appropriate key, IV and MAC length.
223 */
224 switch( ssl->session->cipher )
225 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]226#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]227 case SSL_RSA_RC4_128_MD5:
228 ssl->keylen = 16; ssl->minlen = 16;
229 ssl->ivlen = 0; ssl->maclen = 16;
230 break;
231
232 case SSL_RSA_RC4_128_SHA:
233 ssl->keylen = 16; ssl->minlen = 20;
234 ssl->ivlen = 0; ssl->maclen = 20;
235 break;
236#endif
237
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]238#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]239 case SSL_RSA_DES_168_SHA:
240 case SSL_EDH_RSA_DES_168_SHA:
241 ssl->keylen = 24; ssl->minlen = 24;
242 ssl->ivlen = 8; ssl->maclen = 20;
243 break;
244#endif
245
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]246#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]247 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]248 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]249 ssl->keylen = 16; ssl->minlen = 32;
250 ssl->ivlen = 16; ssl->maclen = 20;
251 break;
252
253 case SSL_RSA_AES_256_SHA:
254 case SSL_EDH_RSA_AES_256_SHA:
255 ssl->keylen = 32; ssl->minlen = 32;
256 ssl->ivlen = 16; ssl->maclen = 20;
257 break;
258#endif
259
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]260#if defined(POLARSSL_CAMELLIA_C)
261 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]262 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]263 ssl->keylen = 16; ssl->minlen = 32;
264 ssl->ivlen = 16; ssl->maclen = 20;
265 break;
266
267 case SSL_RSA_CAMELLIA_256_SHA:
268 case SSL_EDH_RSA_CAMELLIA_256_SHA:
269 ssl->keylen = 32; ssl->minlen = 32;
270 ssl->ivlen = 16; ssl->maclen = 20;
271 break;
272#endif
273
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]274 default:
275 SSL_DEBUG_MSG( 1, ( "cipher %s is not available",
276 ssl_get_cipher( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]277 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]278 }
279
280 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
281 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
282
283 /*
284 * Finally setup the cipher contexts, IVs and MAC secrets.
285 */
286 if( ssl->endpoint == SSL_IS_CLIENT )
287 {
288 key1 = keyblk + ssl->maclen * 2;
289 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
290
291 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
292 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
293
294 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
295 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
296 ssl->ivlen );
297 }
298 else
299 {
300 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
301 key2 = keyblk + ssl->maclen * 2;
302
303 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
304 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
305
306 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
307 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
308 ssl->ivlen );
309 }
310
311 switch( ssl->session->cipher )
312 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]313#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]314 case SSL_RSA_RC4_128_MD5:
315 case SSL_RSA_RC4_128_SHA:
316 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
317 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
318 break;
319#endif
320
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]321#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322 case SSL_RSA_DES_168_SHA:
323 case SSL_EDH_RSA_DES_168_SHA:
324 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
325 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
326 break;
327#endif
328
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]329#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]330 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]331 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
333 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
334 break;
335
336 case SSL_RSA_AES_256_SHA:
337 case SSL_EDH_RSA_AES_256_SHA:
338 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
339 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
340 break;
341#endif
342
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]343#if defined(POLARSSL_CAMELLIA_C)
344 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]345 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]346 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
347 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
348 break;
349
350 case SSL_RSA_CAMELLIA_256_SHA:
351 case SSL_EDH_RSA_CAMELLIA_256_SHA:
352 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
353 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
354 break;
355#endif
356
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]357 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]358 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359 }
360
361 memset( keyblk, 0, sizeof( keyblk ) );
362
363 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
364
365 return( 0 );
366}
367
368void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
369{
370 md5_context md5;
371 sha1_context sha1;
372 unsigned char pad_1[48];
373 unsigned char pad_2[48];
374
375 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
376
377 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
378 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
379
380 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
381 {
382 memset( pad_1, 0x36, 48 );
383 memset( pad_2, 0x5C, 48 );
384
385 md5_update( &md5, ssl->session->master, 48 );
386 md5_update( &md5, pad_1, 48 );
387 md5_finish( &md5, hash );
388
389 md5_starts( &md5 );
390 md5_update( &md5, ssl->session->master, 48 );
391 md5_update( &md5, pad_2, 48 );
392 md5_update( &md5, hash, 16 );
393 md5_finish( &md5, hash );
394
395 sha1_update( &sha1, ssl->session->master, 48 );
396 sha1_update( &sha1, pad_1, 40 );
397 sha1_finish( &sha1, hash + 16 );
398
399 sha1_starts( &sha1 );
400 sha1_update( &sha1, ssl->session->master, 48 );
401 sha1_update( &sha1, pad_2, 40 );
402 sha1_update( &sha1, hash + 16, 20 );
403 sha1_finish( &sha1, hash + 16 );
404 }
405 else /* TLSv1 */
406 {
407 md5_finish( &md5, hash );
408 sha1_finish( &sha1, hash + 16 );
409 }
410
411 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
412 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
413
414 return;
415}
416
417/*
418 * SSLv3.0 MAC functions
419 */
420static void ssl_mac_md5( unsigned char *secret,
421 unsigned char *buf, int len,
422 unsigned char *ctr, int type )
423{
424 unsigned char header[11];
425 unsigned char padding[48];
426 md5_context md5;
427
428 memcpy( header, ctr, 8 );
429 header[ 8] = (unsigned char) type;
430 header[ 9] = (unsigned char)( len >> 8 );
431 header[10] = (unsigned char)( len );
432
433 memset( padding, 0x36, 48 );
434 md5_starts( &md5 );
435 md5_update( &md5, secret, 16 );
436 md5_update( &md5, padding, 48 );
437 md5_update( &md5, header, 11 );
438 md5_update( &md5, buf, len );
439 md5_finish( &md5, buf + len );
440
441 memset( padding, 0x5C, 48 );
442 md5_starts( &md5 );
443 md5_update( &md5, secret, 16 );
444 md5_update( &md5, padding, 48 );
445 md5_update( &md5, buf + len, 16 );
446 md5_finish( &md5, buf + len );
447}
448
449static void ssl_mac_sha1( unsigned char *secret,
450 unsigned char *buf, int len,
451 unsigned char *ctr, int type )
452{
453 unsigned char header[11];
454 unsigned char padding[40];
455 sha1_context sha1;
456
457 memcpy( header, ctr, 8 );
458 header[ 8] = (unsigned char) type;
459 header[ 9] = (unsigned char)( len >> 8 );
460 header[10] = (unsigned char)( len );
461
462 memset( padding, 0x36, 40 );
463 sha1_starts( &sha1 );
464 sha1_update( &sha1, secret, 20 );
465 sha1_update( &sha1, padding, 40 );
466 sha1_update( &sha1, header, 11 );
467 sha1_update( &sha1, buf, len );
468 sha1_finish( &sha1, buf + len );
469
470 memset( padding, 0x5C, 40 );
471 sha1_starts( &sha1 );
472 sha1_update( &sha1, secret, 20 );
473 sha1_update( &sha1, padding, 40 );
474 sha1_update( &sha1, buf + len, 20 );
475 sha1_finish( &sha1, buf + len );
476}
477
478/*
479 * Encryption/decryption functions
480 */
481static int ssl_encrypt_buf( ssl_context *ssl )
482{
483 int i, padlen;
484
485 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
486
487 /*
488 * Add MAC then encrypt
489 */
490 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
491 {
492 if( ssl->maclen == 16 )
493 ssl_mac_md5( ssl->mac_enc,
494 ssl->out_msg, ssl->out_msglen,
495 ssl->out_ctr, ssl->out_msgtype );
496
497 if( ssl->maclen == 20 )
498 ssl_mac_sha1( ssl->mac_enc,
499 ssl->out_msg, ssl->out_msglen,
500 ssl->out_ctr, ssl->out_msgtype );
501 }
502 else
503 {
504 if( ssl->maclen == 16 )
505 md5_hmac( ssl->mac_enc, 16,
506 ssl->out_ctr, ssl->out_msglen + 13,
507 ssl->out_msg + ssl->out_msglen );
508
509 if( ssl->maclen == 20 )
510 sha1_hmac( ssl->mac_enc, 20,
511 ssl->out_ctr, ssl->out_msglen + 13,
512 ssl->out_msg + ssl->out_msglen );
513 }
514
515 SSL_DEBUG_BUF( 4, "computed mac",
516 ssl->out_msg + ssl->out_msglen, ssl->maclen );
517
518 ssl->out_msglen += ssl->maclen;
519
520 for( i = 7; i >= 0; i-- )
521 if( ++ssl->out_ctr[i] != 0 )
522 break;
523
524 if( ssl->ivlen == 0 )
525 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]526#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]527 padlen = 0;
528
529 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
530 "including %d bytes of padding",
531 ssl->out_msglen, 0 ) );
532
533 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
534 ssl->out_msg, ssl->out_msglen );
535
536 arc4_crypt( (arc4_context *) ssl->ctx_enc,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]537 ssl->out_msglen, ssl->out_msg,
538 ssl->out_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]539#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]540 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541#endif
542 }
543 else
544 {
545 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
546 if( padlen == ssl->ivlen )
547 padlen = 0;
548
549 for( i = 0; i <= padlen; i++ )
550 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
551
552 ssl->out_msglen += padlen + 1;
553
554 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
555 "including %d bytes of padding",
556 ssl->out_msglen, padlen + 1 ) );
557
558 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
559 ssl->out_msg, ssl->out_msglen );
560
561 switch( ssl->ivlen )
562 {
563 case 8:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]564#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
566 DES_ENCRYPT, ssl->out_msglen,
567 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
568 break;
569#endif
570
571 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]572#if defined(POLARSSL_AES_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]573 if ( ssl->session->cipher == SSL_RSA_AES_128_SHA ||
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]574 ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA ||
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]575 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
576 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA)
577 {
578 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
579 AES_ENCRYPT, ssl->out_msglen,
580 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
581 break;
582 }
583#endif
584
585#if defined(POLARSSL_CAMELLIA_C)
586 if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]587 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA ||
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]588 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
589 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
590 {
591 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
592 CAMELLIA_ENCRYPT, ssl->out_msglen,
593 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
594 break;
595 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596#endif
597
598 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]599 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600 }
601 }
602
603 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
604
605 return( 0 );
606}
607
608static int ssl_decrypt_buf( ssl_context *ssl )
609{
610 int i, padlen;
611 unsigned char tmp[20];
612
613 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
614
615 if( ssl->in_msglen < ssl->minlen )
616 {
617 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
618 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]619 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620 }
621
622 if( ssl->ivlen == 0 )
623 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]624#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625 padlen = 0;
626 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]627 ssl->in_msglen, ssl->in_msg,
628 ssl->in_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]630 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]631#endif
632 }
633 else
634 {
635 /*
636 * Decrypt and check the padding
637 */
638 if( ssl->in_msglen % ssl->ivlen != 0 )
639 {
640 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
641 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]642 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]643 }
644
645 switch( ssl->ivlen )
646 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]647#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648 case 8:
649 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
650 DES_DECRYPT, ssl->in_msglen,
651 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
652 break;
653#endif
654
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]656#if defined(POLARSSL_AES_C)
657 if ( ssl->session->cipher == SSL_RSA_AES_128_SHA ||
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]658 ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA ||
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]659 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
660 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA)
661 {
662 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
663 AES_DECRYPT, ssl->in_msglen,
664 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
665 break;
666 }
667#endif
668
669#if defined(POLARSSL_CAMELLIA_C)
670 if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]671 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA ||
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]672 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
673 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
674 {
675 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
676 CAMELLIA_DECRYPT, ssl->in_msglen,
677 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
678 break;
679 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680#endif
681
682 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]683 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684 }
685
686 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
687
688 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
689 {
690 if( padlen > ssl->ivlen )
691 {
692 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
693 "should be no more than %d",
694 padlen, ssl->ivlen ) );
695 padlen = 0;
696 }
697 }
698 else
699 {
700 /*
701 * TLSv1: always check the padding
702 */
703 for( i = 1; i <= padlen; i++ )
704 {
705 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
706 {
707 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
708 "%02x, but is %02x", padlen - 1,
709 ssl->in_msg[ssl->in_msglen - i] ) );
710 padlen = 0;
711 }
712 }
713 }
714 }
715
716 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
717 ssl->in_msg, ssl->in_msglen );
718
719 /*
720 * Always compute the MAC (RFC4346, CBCTIME).
721 */
722 ssl->in_msglen -= ( ssl->maclen + padlen );
723
724 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
725 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
726
727 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
728
729 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
730 {
731 if( ssl->maclen == 16 )
732 ssl_mac_md5( ssl->mac_dec,
733 ssl->in_msg, ssl->in_msglen,
734 ssl->in_ctr, ssl->in_msgtype );
735 else
736 ssl_mac_sha1( ssl->mac_dec,
737 ssl->in_msg, ssl->in_msglen,
738 ssl->in_ctr, ssl->in_msgtype );
739 }
740 else
741 {
742 if( ssl->maclen == 16 )
743 md5_hmac( ssl->mac_dec, 16,
744 ssl->in_ctr, ssl->in_msglen + 13,
745 ssl->in_msg + ssl->in_msglen );
746 else
747 sha1_hmac( ssl->mac_dec, 20,
748 ssl->in_ctr, ssl->in_msglen + 13,
749 ssl->in_msg + ssl->in_msglen );
750 }
751
752 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
753 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
754 ssl->maclen );
755
756 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
757 ssl->maclen ) != 0 )
758 {
759 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]760 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]761 }
762
763 /*
764 * Finally check the padding length; bad padding
765 * will produce the same error as an invalid MAC.
766 */
767 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]768 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]769
770 if( ssl->in_msglen == 0 )
771 {
772 ssl->nb_zero++;
773
774 /*
775 * Three or more empty messages may be a DoS attack
776 * (excessive CPU consumption).
777 */
778 if( ssl->nb_zero > 3 )
779 {
780 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
781 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]782 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]783 }
784 }
785 else
786 ssl->nb_zero = 0;
787
788 for( i = 7; i >= 0; i-- )
789 if( ++ssl->in_ctr[i] != 0 )
790 break;
791
792 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
793
794 return( 0 );
795}
796
797/*
798 * Fill the input message buffer
799 */
800int ssl_fetch_input( ssl_context *ssl, int nb_want )
801{
802 int ret, len;
803
804 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
805
806 while( ssl->in_left < nb_want )
807 {
808 len = nb_want - ssl->in_left;
809 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
810
811 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
812 ssl->in_left, nb_want ) );
813 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
814
815 if( ret < 0 )
816 return( ret );
817
818 ssl->in_left += ret;
819 }
820
821 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
822
823 return( 0 );
824}
825
826/*
827 * Flush any data not yet written
828 */
829int ssl_flush_output( ssl_context *ssl )
830{
831 int ret;
832 unsigned char *buf;
833
834 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
835
836 while( ssl->out_left > 0 )
837 {
838 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
839 5 + ssl->out_msglen, ssl->out_left ) );
840
841 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
842 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
843 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
844
845 if( ret <= 0 )
846 return( ret );
847
848 ssl->out_left -= ret;
849 }
850
851 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
852
853 return( 0 );
854}
855
856/*
857 * Record layer functions
858 */
859int ssl_write_record( ssl_context *ssl )
860{
861 int ret, len = ssl->out_msglen;
862
863 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
864
865 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
866 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
867 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
868 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
869 ssl->out_hdr[4] = (unsigned char)( len );
870
871 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
872 {
873 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
874 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
875 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
876
877 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
878 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
879 }
880
881 if( ssl->do_crypt != 0 )
882 {
883 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
884 {
885 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
886 return( ret );
887 }
888
889 len = ssl->out_msglen;
890 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
891 ssl->out_hdr[4] = (unsigned char)( len );
892 }
893
894 ssl->out_left = 5 + ssl->out_msglen;
895
896 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
897 "version = [%d:%d], msglen = %d",
898 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
899 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
900
901 SSL_DEBUG_BUF( 4, "output record sent to network",
902 ssl->out_hdr, 5 + ssl->out_msglen );
903
904 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
905 {
906 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
907 return( ret );
908 }
909
910 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
911
912 return( 0 );
913}
914
915int ssl_read_record( ssl_context *ssl )
916{
917 int ret;
918
919 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
920
921 if( ssl->in_hslen != 0 &&
922 ssl->in_hslen < ssl->in_msglen )
923 {
924 /*
925 * Get next Handshake message in the current record
926 */
927 ssl->in_msglen -= ssl->in_hslen;
928
929 memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
930 ssl->in_msglen );
931
932 ssl->in_hslen = 4;
933 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
934
935 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
936 " %d, type = %d, hslen = %d",
937 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
938
939 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
940 {
941 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]942 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]943 }
944
945 if( ssl->in_msglen < ssl->in_hslen )
946 {
947 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]948 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]949 }
950
951 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
952 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
953
954 return( 0 );
955 }
956
957 ssl->in_hslen = 0;
958
959 /*
960 * Read the record header and validate it
961 */
962 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
963 {
964 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
965 return( ret );
966 }
967
968 ssl->in_msgtype = ssl->in_hdr[0];
969 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
970
971 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
972 "version = [%d:%d], msglen = %d",
973 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
974 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
975
976 if( ssl->in_hdr[1] != ssl->major_ver )
977 {
978 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]979 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980 }
981
982 if( ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
983 ssl->in_hdr[2] != SSL_MINOR_VERSION_1 )
984 {
985 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]986 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]987 }
988
989 /*
990 * Make sure the message length is acceptable
991 */
992 if( ssl->do_crypt == 0 )
993 {
994 if( ssl->in_msglen < 1 ||
995 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
996 {
997 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]998 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999 }
1000 }
1001 else
1002 {
1003 if( ssl->in_msglen < ssl->minlen )
1004 {
1005 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1006 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007 }
1008
1009 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1010 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1011 {
1012 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1013 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014 }
1015
1016 /*
1017 * TLS encrypted messages can have up to 256 bytes of padding
1018 */
1019 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
1020 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1021 {
1022 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1023 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024 }
1025 }
1026
1027 /*
1028 * Read and optionally decrypt the message contents
1029 */
1030 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1031 {
1032 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1033 return( ret );
1034 }
1035
1036 SSL_DEBUG_BUF( 4, "input record from network",
1037 ssl->in_hdr, 5 + ssl->in_msglen );
1038
1039 if( ssl->do_crypt != 0 )
1040 {
1041 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1042 {
1043 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1044 return( ret );
1045 }
1046
1047 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1048 ssl->in_msg, ssl->in_msglen );
1049
1050 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1051 {
1052 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1053 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1054 }
1055 }
1056
1057 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1058 {
1059 ssl->in_hslen = 4;
1060 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1061
1062 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1063 " %d, type = %d, hslen = %d",
1064 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1065
1066 /*
1067 * Additional checks to validate the handshake header
1068 */
1069 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1070 {
1071 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1072 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1073 }
1074
1075 if( ssl->in_msglen < ssl->in_hslen )
1076 {
1077 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1078 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079 }
1080
1081 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1082 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1083 }
1084
1085 if( ssl->in_msgtype == SSL_MSG_ALERT )
1086 {
1087 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1088 ssl->in_msg[0], ssl->in_msg[1] ) );
1089
1090 /*
1091 * Ignore non-fatal alerts, except close_notify
1092 */
1093 if( ssl->in_msg[0] == SSL_ALERT_FATAL )
1094 {
1095 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1096 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE | ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1097 }
1098
1099 if( ssl->in_msg[0] == SSL_ALERT_WARNING &&
1100 ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY )
1101 {
1102 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1103 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104 }
1105 }
1106
1107 ssl->in_left = 0;
1108
1109 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1110
1111 return( 0 );
1112}
1113
1114/*
1115 * Handshake functions
1116 */
1117int ssl_write_certificate( ssl_context *ssl )
1118{
1119 int ret, i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1120 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1121
1122 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1123
1124 if( ssl->endpoint == SSL_IS_CLIENT )
1125 {
1126 if( ssl->client_auth == 0 )
1127 {
1128 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1129 ssl->state++;
1130 return( 0 );
1131 }
1132
1133 /*
1134 * If using SSLv3 and got no cert, send an Alert message
1135 * (otherwise an empty Certificate message will be sent).
1136 */
1137 if( ssl->own_cert == NULL &&
1138 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1139 {
1140 ssl->out_msglen = 2;
1141 ssl->out_msgtype = SSL_MSG_ALERT;
1142 ssl->out_msg[0] = SSL_ALERT_WARNING;
1143 ssl->out_msg[1] = SSL_ALERT_NO_CERTIFICATE;
1144
1145 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1146 goto write_msg;
1147 }
1148 }
1149 else /* SSL_IS_SERVER */
1150 {
1151 if( ssl->own_cert == NULL )
1152 {
1153 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1154 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1155 }
1156 }
1157
1158 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1159
1160 /*
1161 * 0 . 0 handshake type
1162 * 1 . 3 handshake length
1163 * 4 . 6 length of all certs
1164 * 7 . 9 length of cert. 1
1165 * 10 . n-1 peer certificate
1166 * n . n+2 length of cert. 2
1167 * n+3 . ... upper level cert, etc.
1168 */
1169 i = 7;
1170 crt = ssl->own_cert;
1171
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1172 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1173 {
1174 n = crt->raw.len;
1175 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1176 {
1177 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1178 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1179 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1180 }
1181
1182 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1183 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1184 ssl->out_msg[i + 2] = (unsigned char)( n );
1185
1186 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1187 i += n; crt = crt->next;
1188 }
1189
1190 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1191 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1192 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1193
1194 ssl->out_msglen = i;
1195 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1196 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1197
1198write_msg:
1199
1200 ssl->state++;
1201
1202 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1203 {
1204 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1205 return( ret );
1206 }
1207
1208 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1209
1210 return( 0 );
1211}
1212
1213int ssl_parse_certificate( ssl_context *ssl )
1214{
1215 int ret, i, n;
1216
1217 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1218
1219 if( ssl->endpoint == SSL_IS_SERVER &&
1220 ssl->authmode == SSL_VERIFY_NONE )
1221 {
1222 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1223 ssl->state++;
1224 return( 0 );
1225 }
1226
1227 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1228 {
1229 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1230 return( ret );
1231 }
1232
1233 ssl->state++;
1234
1235 /*
1236 * Check if the client sent an empty certificate
1237 */
1238 if( ssl->endpoint == SSL_IS_SERVER &&
1239 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1240 {
1241 if( ssl->in_msglen == 2 &&
1242 ssl->in_msgtype == SSL_MSG_ALERT &&
1243 ssl->in_msg[0] == SSL_ALERT_WARNING &&
1244 ssl->in_msg[1] == SSL_ALERT_NO_CERTIFICATE )
1245 {
1246 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1247
1248 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1249 return( 0 );
1250 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1251 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252 }
1253 }
1254
1255 if( ssl->endpoint == SSL_IS_SERVER &&
1256 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1257 {
1258 if( ssl->in_hslen == 7 &&
1259 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1260 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1261 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1262 {
1263 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1264
1265 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1266 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1267 else
1268 return( 0 );
1269 }
1270 }
1271
1272 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1273 {
1274 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1275 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1276 }
1277
1278 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1279 {
1280 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1281 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1282 }
1283
1284 /*
1285 * Same message structure as in ssl_write_certificate()
1286 */
1287 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1288
1289 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1290 {
1291 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1292 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293 }
1294
1295 if( ( ssl->peer_cert = (x509_cert *) malloc(
1296 sizeof( x509_cert ) ) ) == NULL )
1297 {
1298 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1299 sizeof( x509_cert ) ) );
1300 return( 1 );
1301 }
1302
1303 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1304
1305 i = 7;
1306
1307 while( i < ssl->in_hslen )
1308 {
1309 if( ssl->in_msg[i] != 0 )
1310 {
1311 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1312 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313 }
1314
1315 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1316 | (unsigned int) ssl->in_msg[i + 2];
1317 i += 3;
1318
1319 if( n < 128 || i + n > ssl->in_hslen )
1320 {
1321 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1322 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323 }
1324
1325 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
1326 if( ret != 0 )
1327 {
1328 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1329 return( ret );
1330 }
1331
1332 i += n;
1333 }
1334
1335 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1336
1337 if( ssl->authmode != SSL_VERIFY_NONE )
1338 {
1339 if( ssl->ca_chain == NULL )
1340 {
1341 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1342 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343 }
1344
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1345 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346 ssl->peer_cn, &ssl->verify_result );
1347
1348 if( ret != 0 )
1349 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1350
1351 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1352 ret = 0;
1353 }
1354
1355 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1356
1357 return( ret );
1358}
1359
1360int ssl_write_change_cipher_spec( ssl_context *ssl )
1361{
1362 int ret;
1363
1364 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1365
1366 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1367 ssl->out_msglen = 1;
1368 ssl->out_msg[0] = 1;
1369
1370 ssl->do_crypt = 0;
1371 ssl->state++;
1372
1373 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1374 {
1375 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1376 return( ret );
1377 }
1378
1379 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1380
1381 return( 0 );
1382}
1383
1384int ssl_parse_change_cipher_spec( ssl_context *ssl )
1385{
1386 int ret;
1387
1388 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1389
1390 ssl->do_crypt = 0;
1391
1392 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1393 {
1394 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1395 return( ret );
1396 }
1397
1398 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1399 {
1400 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1401 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1402 }
1403
1404 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1405 {
1406 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1407 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1408 }
1409
1410 ssl->state++;
1411
1412 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1413
1414 return( 0 );
1415}
1416
1417static void ssl_calc_finished(
1418 ssl_context *ssl, unsigned char *buf, int from,
1419 md5_context *md5, sha1_context *sha1 )
1420{
1421 int len = 12;
1422 char *sender;
1423 unsigned char padbuf[48];
1424 unsigned char md5sum[16];
1425 unsigned char sha1sum[20];
1426
1427 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1428
1429 /*
1430 * SSLv3:
1431 * hash =
1432 * MD5( master + pad2 +
1433 * MD5( handshake + sender + master + pad1 ) )
1434 * + SHA1( master + pad2 +
1435 * SHA1( handshake + sender + master + pad1 ) )
1436 *
1437 * TLSv1:
1438 * hash = PRF( master, finished_label,
1439 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1440 */
1441
1442 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1443 md5->state, sizeof( md5->state ) );
1444
1445 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1446 sha1->state, sizeof( sha1->state ) );
1447
1448 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1449 {
1450 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1451 : (char *) "SRVR";
1452
1453 memset( padbuf, 0x36, 48 );
1454
1455 md5_update( md5, (unsigned char *) sender, 4 );
1456 md5_update( md5, ssl->session->master, 48 );
1457 md5_update( md5, padbuf, 48 );
1458 md5_finish( md5, md5sum );
1459
1460 sha1_update( sha1, (unsigned char *) sender, 4 );
1461 sha1_update( sha1, ssl->session->master, 48 );
1462 sha1_update( sha1, padbuf, 40 );
1463 sha1_finish( sha1, sha1sum );
1464
1465 memset( padbuf, 0x5C, 48 );
1466
1467 md5_starts( md5 );
1468 md5_update( md5, ssl->session->master, 48 );
1469 md5_update( md5, padbuf, 48 );
1470 md5_update( md5, md5sum, 16 );
1471 md5_finish( md5, buf );
1472
1473 sha1_starts( sha1 );
1474 sha1_update( sha1, ssl->session->master, 48 );
1475 sha1_update( sha1, padbuf , 40 );
1476 sha1_update( sha1, sha1sum, 20 );
1477 sha1_finish( sha1, buf + 16 );
1478
1479 len += 24;
1480 }
1481 else
1482 {
1483 sender = ( from == SSL_IS_CLIENT )
1484 ? (char *) "client finished"
1485 : (char *) "server finished";
1486
1487 md5_finish( md5, padbuf );
1488 sha1_finish( sha1, padbuf + 16 );
1489
1490 tls1_prf( ssl->session->master, 48, sender,
1491 padbuf, 36, buf, len );
1492 }
1493
1494 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1495
1496 memset( md5, 0, sizeof( md5_context ) );
1497 memset( sha1, 0, sizeof( sha1_context ) );
1498
1499 memset( padbuf, 0, sizeof( padbuf ) );
1500 memset( md5sum, 0, sizeof( md5sum ) );
1501 memset( sha1sum, 0, sizeof( sha1sum ) );
1502
1503 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1504}
1505
1506int ssl_write_finished( ssl_context *ssl )
1507{
1508 int ret, hash_len;
1509 md5_context md5;
1510 sha1_context sha1;
1511
1512 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1513
1514 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1515 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1516
1517 ssl_calc_finished( ssl, ssl->out_msg + 4,
1518 ssl->endpoint, &md5, &sha1 );
1519
1520 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1521
1522 ssl->out_msglen = 4 + hash_len;
1523 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1524 ssl->out_msg[0] = SSL_HS_FINISHED;
1525
1526 /*
1527 * In case of session resuming, invert the client and server
1528 * ChangeCipherSpec messages order.
1529 */
1530 if( ssl->resume != 0 )
1531 {
1532 if( ssl->endpoint == SSL_IS_CLIENT )
1533 ssl->state = SSL_HANDSHAKE_OVER;
1534 else
1535 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1536 }
1537 else
1538 ssl->state++;
1539
1540 ssl->do_crypt = 1;
1541
1542 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1543 {
1544 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1545 return( ret );
1546 }
1547
1548 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1549
1550 return( 0 );
1551}
1552
1553int ssl_parse_finished( ssl_context *ssl )
1554{
1555 int ret, hash_len;
1556 md5_context md5;
1557 sha1_context sha1;
1558 unsigned char buf[36];
1559
1560 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1561
1562 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1563 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1564
1565 ssl->do_crypt = 1;
1566
1567 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1568 {
1569 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1570 return( ret );
1571 }
1572
1573 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1574 {
1575 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1576 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1577 }
1578
1579 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1580
1581 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1582 ssl->in_hslen != 4 + hash_len )
1583 {
1584 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1585 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1586 }
1587
1588 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1589
1590 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1591 {
1592 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1593 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1594 }
1595
1596 if( ssl->resume != 0 )
1597 {
1598 if( ssl->endpoint == SSL_IS_CLIENT )
1599 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1600
1601 if( ssl->endpoint == SSL_IS_SERVER )
1602 ssl->state = SSL_HANDSHAKE_OVER;
1603 }
1604 else
1605 ssl->state++;
1606
1607 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1608
1609 return( 0 );
1610}
1611
1612/*
1613 * Initialize an SSL context
1614 */
1615int ssl_init( ssl_context *ssl )
1616{
1617 int len = SSL_BUFFER_LEN;
1618
1619 memset( ssl, 0, sizeof( ssl_context ) );
1620
1621 ssl->in_ctr = (unsigned char *) malloc( len );
1622 ssl->in_hdr = ssl->in_ctr + 8;
1623 ssl->in_msg = ssl->in_ctr + 13;
1624
1625 if( ssl->in_ctr == NULL )
1626 {
1627 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1628 return( 1 );
1629 }
1630
1631 ssl->out_ctr = (unsigned char *) malloc( len );
1632 ssl->out_hdr = ssl->out_ctr + 8;
1633 ssl->out_msg = ssl->out_ctr + 13;
1634
1635 if( ssl->out_ctr == NULL )
1636 {
1637 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1638 free( ssl-> in_ctr );
1639 return( 1 );
1640 }
1641
1642 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1643 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1644
1645 ssl->hostname = NULL;
1646 ssl->hostname_len = 0;
1647
1648 md5_starts( &ssl->fin_md5 );
1649 sha1_starts( &ssl->fin_sha1 );
1650
1651 return( 0 );
1652}
1653
1654/*
1655 * SSL set accessors
1656 */
1657void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1658{
1659 ssl->endpoint = endpoint;
1660}
1661
1662void ssl_set_authmode( ssl_context *ssl, int authmode )
1663{
1664 ssl->authmode = authmode;
1665}
1666
1667void ssl_set_rng( ssl_context *ssl,
1668 int (*f_rng)(void *),
1669 void *p_rng )
1670{
1671 ssl->f_rng = f_rng;
1672 ssl->p_rng = p_rng;
1673}
1674
1675void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1676 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1677 void *p_dbg )
1678{
1679 ssl->f_dbg = f_dbg;
1680 ssl->p_dbg = p_dbg;
1681}
1682
1683void ssl_set_bio( ssl_context *ssl,
1684 int (*f_recv)(void *, unsigned char *, int), void *p_recv,
1685 int (*f_send)(void *, unsigned char *, int), void *p_send )
1686{
1687 ssl->f_recv = f_recv;
1688 ssl->f_send = f_send;
1689 ssl->p_recv = p_recv;
1690 ssl->p_send = p_send;
1691}
1692
1693void ssl_set_scb( ssl_context *ssl,
1694 int (*s_get)(ssl_context *),
1695 int (*s_set)(ssl_context *) )
1696{
1697 ssl->s_get = s_get;
1698 ssl->s_set = s_set;
1699}
1700
1701void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1702 ssl_session *session )
1703{
1704 ssl->resume = resume;
1705 ssl->timeout = timeout;
1706 ssl->session = session;
1707}
1708
1709void ssl_set_ciphers( ssl_context *ssl, int *ciphers )
1710{
1711 ssl->ciphers = ciphers;
1712}
1713
1714void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]1715 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1716{
1717 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1718 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719 ssl->peer_cn = peer_cn;
1720}
1721
1722void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1723 rsa_context *rsa_key )
1724{
1725 ssl->own_cert = own_cert;
1726 ssl->rsa_key = rsa_key;
1727}
1728
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1729int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1730{
1731 int ret;
1732
1733 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1734 {
1735 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1736 return( ret );
1737 }
1738
1739 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1740 {
1741 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1742 return( ret );
1743 }
1744
1745 return( 0 );
1746}
1747
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1748int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1749{
1750 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1751 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752
1753 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1754 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1755
1756 memcpy( ssl->hostname, (unsigned char *) hostname,
1757 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1758
1759 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1760
1761 return( 0 );
1762}
1763
1764/*
1765 * SSL get accessors
1766 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1767int ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768{
1769 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
1770}
1771
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1772int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1773{
1774 return( ssl->verify_result );
1775}
1776
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1777const char *ssl_get_cipher( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778{
1779 switch( ssl->session->cipher )
1780 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1781#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1782 case SSL_RSA_RC4_128_MD5:
1783 return( "SSL_RSA_RC4_128_MD5" );
1784
1785 case SSL_RSA_RC4_128_SHA:
1786 return( "SSL_RSA_RC4_128_SHA" );
1787#endif
1788
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1789#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790 case SSL_RSA_DES_168_SHA:
1791 return( "SSL_RSA_DES_168_SHA" );
1792
1793 case SSL_EDH_RSA_DES_168_SHA:
1794 return( "SSL_EDH_RSA_DES_168_SHA" );
1795#endif
1796
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1797#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798 case SSL_RSA_AES_128_SHA:
1799 return( "SSL_RSA_AES_128_SHA" );
1800
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1801 case SSL_EDH_RSA_AES_128_SHA:
1802 return( "SSL_EDH_RSA_AES_128_SHA" );
1803
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804 case SSL_RSA_AES_256_SHA:
1805 return( "SSL_RSA_AES_256_SHA" );
1806
1807 case SSL_EDH_RSA_AES_256_SHA:
1808 return( "SSL_EDH_RSA_AES_256_SHA" );
1809#endif
1810
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1811#if defined(POLARSSL_CAMELLIA_C)
1812 case SSL_RSA_CAMELLIA_128_SHA:
1813 return( "SSL_RSA_CAMELLIA_128_SHA" );
1814
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1815 case SSL_EDH_RSA_CAMELLIA_128_SHA:
1816 return( "SSL_EDH_RSA_CAMELLIA_128_SHA" );
1817
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1818 case SSL_RSA_CAMELLIA_256_SHA:
1819 return( "SSL_RSA_CAMELLIA_256_SHA" );
1820
1821 case SSL_EDH_RSA_CAMELLIA_256_SHA:
1822 return( "SSL_EDH_RSA_CAMELLIA_256_SHA" );
1823#endif
1824
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1825 default:
1826 break;
1827 }
1828
1829 return( "unknown" );
1830}
1831
1832int ssl_default_ciphers[] =
1833{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1834#if defined(POLARSSL_DHM_C)
1835#if defined(POLARSSL_AES_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1836 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1837 SSL_EDH_RSA_AES_256_SHA,
1838#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1839#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1840 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1841 SSL_EDH_RSA_CAMELLIA_256_SHA,
1842#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1843#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1844 SSL_EDH_RSA_DES_168_SHA,
1845#endif
1846#endif
1847
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1848#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849 SSL_RSA_AES_256_SHA,
1850#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1851#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1852 SSL_RSA_CAMELLIA_256_SHA,
1853#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]1854#if defined(POLARSSL_AES_C)
1855 SSL_RSA_AES_128_SHA,
1856#endif
1857#if defined(POLARSSL_CAMELLIA_C)
1858 SSL_RSA_CAMELLIA_128_SHA,
1859#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1860#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1861 SSL_RSA_DES_168_SHA,
1862#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1863#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864 SSL_RSA_RC4_128_SHA,
1865 SSL_RSA_RC4_128_MD5,
1866#endif
1867 0
1868};
1869
1870/*
1871 * Perform the SSL handshake
1872 */
1873int ssl_handshake( ssl_context *ssl )
1874{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1875 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876
1877 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
1878
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1879#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1880 if( ssl->endpoint == SSL_IS_CLIENT )
1881 ret = ssl_handshake_client( ssl );
1882#endif
1883
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1884#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885 if( ssl->endpoint == SSL_IS_SERVER )
1886 ret = ssl_handshake_server( ssl );
1887#endif
1888
1889 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
1890
1891 return( ret );
1892}
1893
1894/*
1895 * Receive application data decrypted from the SSL layer
1896 */
1897int ssl_read( ssl_context *ssl, unsigned char *buf, int len )
1898{
1899 int ret, n;
1900
1901 SSL_DEBUG_MSG( 2, ( "=> read" ) );
1902
1903 if( ssl->state != SSL_HANDSHAKE_OVER )
1904 {
1905 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1906 {
1907 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1908 return( ret );
1909 }
1910 }
1911
1912 if( ssl->in_offt == NULL )
1913 {
1914 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1915 {
1916 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1917 return( ret );
1918 }
1919
1920 if( ssl->in_msglen == 0 &&
1921 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
1922 {
1923 /*
1924 * OpenSSL sends empty messages to randomize the IV
1925 */
1926 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1927 {
1928 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1929 return( ret );
1930 }
1931 }
1932
1933 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1934 {
1935 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1936 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1937 }
1938
1939 ssl->in_offt = ssl->in_msg;
1940 }
1941
1942 n = ( len < ssl->in_msglen )
1943 ? len : ssl->in_msglen;
1944
1945 memcpy( buf, ssl->in_offt, n );
1946 ssl->in_msglen -= n;
1947
1948 if( ssl->in_msglen == 0 )
1949 /* all bytes consumed */
1950 ssl->in_offt = NULL;
1951 else
1952 /* more data available */
1953 ssl->in_offt += n;
1954
1955 SSL_DEBUG_MSG( 2, ( "<= read" ) );
1956
1957 return( n );
1958}
1959
1960/*
1961 * Send application data to be encrypted by the SSL layer
1962 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1963int ssl_write( ssl_context *ssl, const unsigned char *buf, int len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964{
1965 int ret, n;
1966
1967 SSL_DEBUG_MSG( 2, ( "=> write" ) );
1968
1969 if( ssl->state != SSL_HANDSHAKE_OVER )
1970 {
1971 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1972 {
1973 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1974 return( ret );
1975 }
1976 }
1977
1978 n = ( len < SSL_MAX_CONTENT_LEN )
1979 ? len : SSL_MAX_CONTENT_LEN;
1980
1981 if( ssl->out_left != 0 )
1982 {
1983 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1984 {
1985 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1986 return( ret );
1987 }
1988 }
1989 else
1990 {
1991 ssl->out_msglen = n;
1992 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
1993 memcpy( ssl->out_msg, buf, n );
1994
1995 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1996 {
1997 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1998 return( ret );
1999 }
2000 }
2001
2002 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2003
2004 return( n );
2005}
2006
2007/*
2008 * Notify the peer that the connection is being closed
2009 */
2010int ssl_close_notify( ssl_context *ssl )
2011{
2012 int ret;
2013
2014 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
2015
2016 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2017 {
2018 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2019 return( ret );
2020 }
2021
2022 if( ssl->state == SSL_HANDSHAKE_OVER )
2023 {
2024 ssl->out_msgtype = SSL_MSG_ALERT;
2025 ssl->out_msglen = 2;
2026 ssl->out_msg[0] = SSL_ALERT_WARNING;
2027 ssl->out_msg[1] = SSL_ALERT_CLOSE_NOTIFY;
2028
2029 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2030 {
2031 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2032 return( ret );
2033 }
2034 }
2035
2036 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2037
2038 return( ret );
2039}
2040
2041/*
2042 * Free an SSL context
2043 */
2044void ssl_free( ssl_context *ssl )
2045{
2046 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2047
2048 if( ssl->peer_cert != NULL )
2049 {
2050 x509_free( ssl->peer_cert );
2051 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2052 free( ssl->peer_cert );
2053 }
2054
2055 if( ssl->out_ctr != NULL )
2056 {
2057 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2058 free( ssl->out_ctr );
2059 }
2060
2061 if( ssl->in_ctr != NULL )
2062 {
2063 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2064 free( ssl->in_ctr );
2065 }
2066
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2067#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2068 dhm_free( &ssl->dhm_ctx );
2069#endif
2070
2071 if ( ssl->hostname != NULL)
2072 {
2073 memset( ssl->hostname, 0, ssl->hostname_len );
2074 free( ssl->hostname );
2075 ssl->hostname_len = 0;
2076 }
2077
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2078 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2079
2080 /* Actually free after last debug message */
2081 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2082}
2083
2084#endif