blob: 7cf968d928ce72059065ad0388ad534142904296 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 shared functions
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +00004 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +00006 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakkerb96f1542010-07-18 20:36:00 +00007 *
Paul Bakker5121ce52009-01-03 21:22:43 +00008 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The SSL 3.0 specification was drafted by Netscape in 1996,
24 * and became an IETF standard in 1999.
25 *
26 * http://wp.netscape.com/eng/ssl3/
27 * http://www.ietf.org/rfc/rfc2246.txt
28 * http://www.ietf.org/rfc/rfc4346.txt
29 */
30
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020031#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +000032#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020033#else
34#include POLARSSL_CONFIG_FILE
35#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000036
Paul Bakker40e46942009-01-03 21:51:57 +000037#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000038
Paul Bakker0be444a2013-08-27 21:55:01 +020039#include "polarssl/debug.h"
40#include "polarssl/ssl.h"
41
Rich Evans00ab4702015-02-06 13:43:58 +000042#include <string.h>
43
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +020044#if defined(POLARSSL_X509_CRT_PARSE_C) && \
45 defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
46#include "polarssl/oid.h"
47#endif
48
Paul Bakker7dc4c442014-02-01 22:50:26 +010049#if defined(POLARSSL_PLATFORM_C)
50#include "polarssl/platform.h"
Paul Bakker6e339b52013-07-03 13:37:05 +020051#else
Rich Evans00ab4702015-02-06 13:43:58 +000052#include <stdlib.h>
Paul Bakker6e339b52013-07-03 13:37:05 +020053#define polarssl_malloc malloc
54#define polarssl_free free
55#endif
56
Paul Bakker6edcd412013-10-29 15:22:54 +010057#if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
58 !defined(EFI32)
Paul Bakkeraf5c85f2011-04-18 03:47:52 +000059#define strcasecmp _stricmp
60#endif
61
Paul Bakker34617722014-06-13 17:20:13 +020062/* Implementation that should never be optimized out by the compiler */
63static void polarssl_zeroize( void *v, size_t n ) {
64 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
65}
66
Paul Bakker05decb22013-08-15 13:33:48 +020067#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +020068/*
69 * Convert max_fragment_length codes to length.
70 * RFC 6066 says:
71 * enum{
72 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
73 * } MaxFragmentLength;
74 * and we add 0 -> extension unused
75 */
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +020076static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +020077{
78 SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
79 512, /* SSL_MAX_FRAG_LEN_512 */
80 1024, /* SSL_MAX_FRAG_LEN_1024 */
81 2048, /* SSL_MAX_FRAG_LEN_2048 */
82 4096, /* SSL_MAX_FRAG_LEN_4096 */
83};
Paul Bakker05decb22013-08-15 13:33:48 +020084#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +020085
Simon Butcher149950d2016-10-15 22:08:08 +010086#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +020087static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
88{
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +020089 ssl_session_free( dst );
90 memcpy( dst, src, sizeof( ssl_session ) );
91
Paul Bakker7c6b2c32013-09-16 13:49:26 +020092#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +020093 if( src->peer_cert != NULL )
94 {
Paul Bakker2292d1f2013-09-15 17:06:49 +020095 int ret;
96
Mansour Moufidc531b4a2015-02-15 17:35:38 -050097 dst->peer_cert = polarssl_malloc( sizeof(x509_crt) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +020098 if( dst->peer_cert == NULL )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +020099 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
100
Paul Bakkerb6b09562013-09-18 14:17:41 +0200101 x509_crt_init( dst->peer_cert );
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200102
Manuel Pégourié-Gonnard4d2a8eb2014-06-13 20:33:27 +0200103 if( ( ret = x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
104 src->peer_cert->raw.len ) ) != 0 )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200105 {
106 polarssl_free( dst->peer_cert );
107 dst->peer_cert = NULL;
108 return( ret );
109 }
110 }
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200111#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200112
Paul Bakkera503a632013-08-14 13:48:06 +0200113#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200114 if( src->ticket != NULL )
115 {
Mansour Moufidc531b4a2015-02-15 17:35:38 -0500116 dst->ticket = polarssl_malloc( src->ticket_len );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200117 if( dst->ticket == NULL )
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200118 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
119
120 memcpy( dst->ticket, src->ticket, src->ticket_len );
121 }
Paul Bakkera503a632013-08-14 13:48:06 +0200122#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200123
124 return( 0 );
125}
Simon Butcher149950d2016-10-15 22:08:08 +0100126#endif /* POLARSSL_SSL_CLI_C */
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +0200127
Paul Bakker05ef8352012-05-08 09:17:57 +0000128#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200129int (*ssl_hw_record_init)( ssl_context *ssl,
Paul Bakker9af723c2014-05-01 13:03:14 +0200130 const unsigned char *key_enc, const unsigned char *key_dec,
131 size_t keylen,
132 const unsigned char *iv_enc, const unsigned char *iv_dec,
133 size_t ivlen,
134 const unsigned char *mac_enc, const unsigned char *mac_dec,
Paul Bakker66d5d072014-06-17 16:39:18 +0200135 size_t maclen ) = NULL;
136int (*ssl_hw_record_activate)( ssl_context *ssl, int direction) = NULL;
137int (*ssl_hw_record_reset)( ssl_context *ssl ) = NULL;
138int (*ssl_hw_record_write)( ssl_context *ssl ) = NULL;
139int (*ssl_hw_record_read)( ssl_context *ssl ) = NULL;
140int (*ssl_hw_record_finish)( ssl_context *ssl ) = NULL;
Paul Bakker9af723c2014-05-01 13:03:14 +0200141#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000142
Paul Bakker5121ce52009-01-03 21:22:43 +0000143/*
144 * Key material generation
145 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200146#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200147static int ssl3_prf( const unsigned char *secret, size_t slen,
148 const char *label,
149 const unsigned char *random, size_t rlen,
Paul Bakker5f70b252012-09-13 14:23:06 +0000150 unsigned char *dstbuf, size_t dlen )
151{
152 size_t i;
153 md5_context md5;
154 sha1_context sha1;
155 unsigned char padding[16];
156 unsigned char sha1sum[20];
157 ((void)label);
158
Paul Bakker5b4af392014-06-26 12:09:34 +0200159 md5_init( &md5 );
160 sha1_init( &sha1 );
161
Paul Bakker5f70b252012-09-13 14:23:06 +0000162 /*
163 * SSLv3:
164 * block =
165 * MD5( secret + SHA1( 'A' + secret + random ) ) +
166 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
167 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
168 * ...
169 */
170 for( i = 0; i < dlen / 16; i++ )
171 {
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200172 memset( padding, (unsigned char) ('A' + i), 1 + i );
Paul Bakker5f70b252012-09-13 14:23:06 +0000173
174 sha1_starts( &sha1 );
175 sha1_update( &sha1, padding, 1 + i );
176 sha1_update( &sha1, secret, slen );
177 sha1_update( &sha1, random, rlen );
178 sha1_finish( &sha1, sha1sum );
179
180 md5_starts( &md5 );
181 md5_update( &md5, secret, slen );
182 md5_update( &md5, sha1sum, 20 );
183 md5_finish( &md5, dstbuf + i * 16 );
184 }
185
Paul Bakker5b4af392014-06-26 12:09:34 +0200186 md5_free( &md5 );
187 sha1_free( &sha1 );
Paul Bakker5f70b252012-09-13 14:23:06 +0000188
Paul Bakker34617722014-06-13 17:20:13 +0200189 polarssl_zeroize( padding, sizeof( padding ) );
190 polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5f70b252012-09-13 14:23:06 +0000191
192 return( 0 );
193}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200194#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +0000195
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200196#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200197static int tls1_prf( const unsigned char *secret, size_t slen,
198 const char *label,
199 const unsigned char *random, size_t rlen,
Paul Bakker23986e52011-04-24 08:57:21 +0000200 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000201{
Paul Bakker23986e52011-04-24 08:57:21 +0000202 size_t nb, hs;
203 size_t i, j, k;
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200204 const unsigned char *S1, *S2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000205 unsigned char tmp[128];
206 unsigned char h_i[20];
207
208 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000209 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000210
211 hs = ( slen + 1 ) / 2;
212 S1 = secret;
213 S2 = secret + slen - hs;
214
215 nb = strlen( label );
216 memcpy( tmp + 20, label, nb );
217 memcpy( tmp + 20 + nb, random, rlen );
218 nb += rlen;
219
220 /*
221 * First compute P_md5(secret,label+random)[0..dlen]
222 */
223 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
224
225 for( i = 0; i < dlen; i += 16 )
226 {
227 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
228 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
229
230 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
231
232 for( j = 0; j < k; j++ )
233 dstbuf[i + j] = h_i[j];
234 }
235
236 /*
237 * XOR out with P_sha1(secret,label+random)[0..dlen]
238 */
239 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
240
241 for( i = 0; i < dlen; i += 20 )
242 {
243 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
244 sha1_hmac( S2, hs, tmp, 20, tmp );
245
246 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
247
248 for( j = 0; j < k; j++ )
249 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
250 }
251
Paul Bakker34617722014-06-13 17:20:13 +0200252 polarssl_zeroize( tmp, sizeof( tmp ) );
253 polarssl_zeroize( h_i, sizeof( h_i ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000254
255 return( 0 );
256}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200257#endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000258
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200259#if defined(POLARSSL_SSL_PROTO_TLS1_2)
260#if defined(POLARSSL_SHA256_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200261static int tls_prf_sha256( const unsigned char *secret, size_t slen,
262 const char *label,
263 const unsigned char *random, size_t rlen,
Paul Bakker1ef83d62012-04-11 12:09:53 +0000264 unsigned char *dstbuf, size_t dlen )
265{
266 size_t nb;
267 size_t i, j, k;
268 unsigned char tmp[128];
269 unsigned char h_i[32];
270
271 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
272 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
273
274 nb = strlen( label );
275 memcpy( tmp + 32, label, nb );
276 memcpy( tmp + 32 + nb, random, rlen );
277 nb += rlen;
278
279 /*
280 * Compute P_<hash>(secret, label + random)[0..dlen]
281 */
Paul Bakker9e36f042013-06-30 14:34:05 +0200282 sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000283
284 for( i = 0; i < dlen; i += 32 )
285 {
Paul Bakker9e36f042013-06-30 14:34:05 +0200286 sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
287 sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000288
289 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
290
291 for( j = 0; j < k; j++ )
292 dstbuf[i + j] = h_i[j];
293 }
294
Paul Bakker34617722014-06-13 17:20:13 +0200295 polarssl_zeroize( tmp, sizeof( tmp ) );
296 polarssl_zeroize( h_i, sizeof( h_i ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000297
298 return( 0 );
299}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200300#endif /* POLARSSL_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000301
Paul Bakker9e36f042013-06-30 14:34:05 +0200302#if defined(POLARSSL_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200303static int tls_prf_sha384( const unsigned char *secret, size_t slen,
304 const char *label,
305 const unsigned char *random, size_t rlen,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000306 unsigned char *dstbuf, size_t dlen )
307{
308 size_t nb;
309 size_t i, j, k;
310 unsigned char tmp[128];
311 unsigned char h_i[48];
312
313 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
314 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
315
316 nb = strlen( label );
317 memcpy( tmp + 48, label, nb );
318 memcpy( tmp + 48 + nb, random, rlen );
319 nb += rlen;
320
321 /*
322 * Compute P_<hash>(secret, label + random)[0..dlen]
323 */
Paul Bakker9e36f042013-06-30 14:34:05 +0200324 sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000325
326 for( i = 0; i < dlen; i += 48 )
327 {
Paul Bakker9e36f042013-06-30 14:34:05 +0200328 sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
329 sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000330
331 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
332
333 for( j = 0; j < k; j++ )
334 dstbuf[i + j] = h_i[j];
335 }
336
Paul Bakker34617722014-06-13 17:20:13 +0200337 polarssl_zeroize( tmp, sizeof( tmp ) );
338 polarssl_zeroize( h_i, sizeof( h_i ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +0000339
340 return( 0 );
341}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200342#endif /* POLARSSL_SHA512_C */
343#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +0000344
Paul Bakker66d5d072014-06-17 16:39:18 +0200345static void ssl_update_checksum_start( ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200346
347#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
348 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker66d5d072014-06-17 16:39:18 +0200349static void ssl_update_checksum_md5sha1( ssl_context *, const unsigned char *, size_t );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200350#endif
Paul Bakker380da532012-04-18 16:10:25 +0000351
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200352#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker66d5d072014-06-17 16:39:18 +0200353static void ssl_calc_verify_ssl( ssl_context *, unsigned char * );
354static void ssl_calc_finished_ssl( ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200355#endif
356
357#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker66d5d072014-06-17 16:39:18 +0200358static void ssl_calc_verify_tls( ssl_context *, unsigned char * );
359static void ssl_calc_finished_tls( ssl_context *, unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200360#endif
361
362#if defined(POLARSSL_SSL_PROTO_TLS1_2)
363#if defined(POLARSSL_SHA256_C)
Paul Bakker66d5d072014-06-17 16:39:18 +0200364static void ssl_update_checksum_sha256( ssl_context *, const unsigned char *, size_t );
365static void ssl_calc_verify_tls_sha256( ssl_context *,unsigned char * );
366static void ssl_calc_finished_tls_sha256( ssl_context *,unsigned char *, int );
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200367#endif
Paul Bakker769075d2012-11-24 11:26:46 +0100368
Paul Bakker9e36f042013-06-30 14:34:05 +0200369#if defined(POLARSSL_SHA512_C)
Paul Bakker66d5d072014-06-17 16:39:18 +0200370static void ssl_update_checksum_sha384( ssl_context *, const unsigned char *, size_t );
371static void ssl_calc_verify_tls_sha384( ssl_context *, unsigned char * );
372static void ssl_calc_finished_tls_sha384( ssl_context *, unsigned char *, int );
Paul Bakker769075d2012-11-24 11:26:46 +0100373#endif
Paul Bakker9af723c2014-05-01 13:03:14 +0200374#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker1ef83d62012-04-11 12:09:53 +0000375
Paul Bakker5121ce52009-01-03 21:22:43 +0000376int ssl_derive_keys( ssl_context *ssl )
377{
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200378 int ret = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000379 unsigned char tmp[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000380 unsigned char keyblk[256];
381 unsigned char *key1;
382 unsigned char *key2;
Paul Bakker68884e32013-01-07 18:20:04 +0100383 unsigned char *mac_enc;
384 unsigned char *mac_dec;
Paul Bakkerb9cfaa02013-10-11 18:58:55 +0200385 size_t iv_copy_len;
Paul Bakker68884e32013-01-07 18:20:04 +0100386 const cipher_info_t *cipher_info;
387 const md_info_t *md_info;
388
Paul Bakker48916f92012-09-16 19:57:18 +0000389 ssl_session *session = ssl->session_negotiate;
390 ssl_transform *transform = ssl->transform_negotiate;
391 ssl_handshake_params *handshake = ssl->handshake;
Paul Bakker5121ce52009-01-03 21:22:43 +0000392
393 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
394
Paul Bakker68884e32013-01-07 18:20:04 +0100395 cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
396 if( cipher_info == NULL )
397 {
Paul Bakkerf7abd422013-04-16 13:15:56 +0200398 SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100399 transform->ciphersuite_info->cipher ) );
400 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
401 }
402
403 md_info = md_info_from_type( transform->ciphersuite_info->mac );
404 if( md_info == NULL )
405 {
Paul Bakkerf7abd422013-04-16 13:15:56 +0200406 SSL_DEBUG_MSG( 1, ( "md info for %d not found",
Paul Bakker68884e32013-01-07 18:20:04 +0100407 transform->ciphersuite_info->mac ) );
408 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
409 }
410
Paul Bakker5121ce52009-01-03 21:22:43 +0000411 /*
Paul Bakkerca4ab492012-04-18 14:23:57 +0000412 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
Paul Bakker1ef83d62012-04-11 12:09:53 +0000413 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200414#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker1ef83d62012-04-11 12:09:53 +0000415 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000416 {
Paul Bakker48916f92012-09-16 19:57:18 +0000417 handshake->tls_prf = ssl3_prf;
418 handshake->calc_verify = ssl_calc_verify_ssl;
419 handshake->calc_finished = ssl_calc_finished_ssl;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000420 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200421 else
422#endif
423#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
424 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000425 {
Paul Bakker48916f92012-09-16 19:57:18 +0000426 handshake->tls_prf = tls1_prf;
427 handshake->calc_verify = ssl_calc_verify_tls;
428 handshake->calc_finished = ssl_calc_finished_tls;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000429 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200430 else
431#endif
432#if defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker9e36f042013-06-30 14:34:05 +0200433#if defined(POLARSSL_SHA512_C)
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200434 if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
435 transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000436 {
Paul Bakker48916f92012-09-16 19:57:18 +0000437 handshake->tls_prf = tls_prf_sha384;
438 handshake->calc_verify = ssl_calc_verify_tls_sha384;
439 handshake->calc_finished = ssl_calc_finished_tls_sha384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000440 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000441 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200442#endif
443#if defined(POLARSSL_SHA256_C)
444 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000445 {
Paul Bakker48916f92012-09-16 19:57:18 +0000446 handshake->tls_prf = tls_prf_sha256;
447 handshake->calc_verify = ssl_calc_verify_tls_sha256;
448 handshake->calc_finished = ssl_calc_finished_tls_sha256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000449 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200450 else
451#endif
Paul Bakker9af723c2014-05-01 13:03:14 +0200452#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200453 {
454 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200455 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200456 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000457
458 /*
Paul Bakker5121ce52009-01-03 21:22:43 +0000459 * SSLv3:
460 * master =
461 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
462 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
463 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
Paul Bakkerf7abd422013-04-16 13:15:56 +0200464 *
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200465 * TLSv1+:
Paul Bakker5121ce52009-01-03 21:22:43 +0000466 * master = PRF( premaster, "master secret", randbytes )[0..47]
467 */
Paul Bakker0a597072012-09-25 21:55:46 +0000468 if( handshake->resume == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000469 {
Paul Bakker48916f92012-09-16 19:57:18 +0000470 SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
471 handshake->pmslen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000472
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200473#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
474 if( ssl->handshake->extended_ms == SSL_EXTENDED_MS_ENABLED )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200475 {
476 unsigned char session_hash[48];
477 size_t hash_len;
478
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200479 SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200480
481 ssl->handshake->calc_verify( ssl, session_hash );
482
483#if defined(POLARSSL_SSL_PROTO_TLS1_2)
484 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
485 {
486#if defined(POLARSSL_SHA512_C)
487 if( ssl->transform_negotiate->ciphersuite_info->mac ==
488 POLARSSL_MD_SHA384 )
489 {
490 hash_len = 48;
491 }
492 else
493#endif
494 hash_len = 32;
495 }
496 else
497#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
498 hash_len = 36;
499
500 SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
501
502 handshake->tls_prf( handshake->premaster, handshake->pmslen,
503 "extended master secret",
504 session_hash, hash_len, session->master, 48 );
505
506 }
507 else
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200508#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000509 handshake->tls_prf( handshake->premaster, handshake->pmslen,
510 "master secret",
511 handshake->randbytes, 64, session->master, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000512
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200513
Paul Bakker34617722014-06-13 17:20:13 +0200514 polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000515 }
516 else
517 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
518
519 /*
520 * Swap the client and server random values.
521 */
Paul Bakker48916f92012-09-16 19:57:18 +0000522 memcpy( tmp, handshake->randbytes, 64 );
523 memcpy( handshake->randbytes, tmp + 32, 32 );
524 memcpy( handshake->randbytes + 32, tmp, 32 );
Paul Bakker34617722014-06-13 17:20:13 +0200525 polarssl_zeroize( tmp, sizeof( tmp ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000526
527 /*
528 * SSLv3:
529 * key block =
530 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
531 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
532 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
533 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
534 * ...
535 *
536 * TLSv1:
537 * key block = PRF( master, "key expansion", randbytes )
538 */
Paul Bakker48916f92012-09-16 19:57:18 +0000539 handshake->tls_prf( session->master, 48, "key expansion",
540 handshake->randbytes, 64, keyblk, 256 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000541
Paul Bakker48916f92012-09-16 19:57:18 +0000542 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
543 ssl_get_ciphersuite_name( session->ciphersuite ) ) );
544 SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
545 SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000546 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
547
Paul Bakker34617722014-06-13 17:20:13 +0200548 polarssl_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000549
550 /*
551 * Determine the appropriate key, IV and MAC length.
552 */
Paul Bakker68884e32013-01-07 18:20:04 +0100553
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200554 transform->keylen = cipher_info->key_length / 8;
555
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +0200556 if( cipher_info->mode == POLARSSL_MODE_GCM ||
557 cipher_info->mode == POLARSSL_MODE_CCM )
Paul Bakker5121ce52009-01-03 21:22:43 +0000558 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200559 transform->maclen = 0;
560
Paul Bakker68884e32013-01-07 18:20:04 +0100561 transform->ivlen = 12;
562 transform->fixed_ivlen = 4;
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200563
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200564 /* Minimum length is expicit IV + tag */
565 transform->minlen = transform->ivlen - transform->fixed_ivlen
566 + ( transform->ciphersuite_info->flags &
567 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
Paul Bakker68884e32013-01-07 18:20:04 +0100568 }
569 else
570 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200571 /* Initialize HMAC contexts */
572 if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 ||
573 ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
Paul Bakker68884e32013-01-07 18:20:04 +0100574 {
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200575 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
576 return( ret );
Paul Bakker68884e32013-01-07 18:20:04 +0100577 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000578
Manuel Pégourié-Gonnarde800cd82014-06-18 15:34:40 +0200579 /* Get MAC length */
580 transform->maclen = md_get_size( md_info );
581
582#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
583 /*
584 * If HMAC is to be truncated, we shall keep the leftmost bytes,
585 * (rfc 6066 page 13 or rfc 2104 section 4),
586 * so we only need to adjust the length here.
587 */
588 if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
589 transform->maclen = SSL_TRUNCATED_HMAC_LEN;
590#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
591
592 /* IV length */
Paul Bakker68884e32013-01-07 18:20:04 +0100593 transform->ivlen = cipher_info->iv_size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000594
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200595 /* Minimum length */
596 if( cipher_info->mode == POLARSSL_MODE_STREAM )
597 transform->minlen = transform->maclen;
598 else
Paul Bakker68884e32013-01-07 18:20:04 +0100599 {
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200600 /*
601 * GenericBlockCipher:
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100602 * 1. if EtM is in use: one block plus MAC
603 * otherwise: * first multiple of blocklen greater than maclen
604 * 2. IV except for SSL3 and TLS 1.0
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200605 */
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100606#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
607 if( session->encrypt_then_mac == SSL_ETM_ENABLED )
608 {
609 transform->minlen = transform->maclen
610 + cipher_info->block_size;
611 }
612 else
613#endif
614 {
615 transform->minlen = transform->maclen
616 + cipher_info->block_size
617 - transform->maclen % cipher_info->block_size;
618 }
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200619
620#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
621 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ||
622 ssl->minor_ver == SSL_MINOR_VERSION_1 )
623 ; /* No need to adjust minlen */
Paul Bakker68884e32013-01-07 18:20:04 +0100624 else
Manuel Pégourié-Gonnardeaa76f72014-06-18 16:06:02 +0200625#endif
626#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
627 if( ssl->minor_ver == SSL_MINOR_VERSION_2 ||
628 ssl->minor_ver == SSL_MINOR_VERSION_3 )
629 {
630 transform->minlen += transform->ivlen;
631 }
632 else
633#endif
634 {
635 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
636 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
637 }
Paul Bakker68884e32013-01-07 18:20:04 +0100638 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000639 }
640
641 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
Paul Bakker48916f92012-09-16 19:57:18 +0000642 transform->keylen, transform->minlen, transform->ivlen,
643 transform->maclen ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000644
645 /*
646 * Finally setup the cipher contexts, IVs and MAC secrets.
647 */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100648#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000649 if( ssl->endpoint == SSL_IS_CLIENT )
650 {
Paul Bakker48916f92012-09-16 19:57:18 +0000651 key1 = keyblk + transform->maclen * 2;
652 key2 = keyblk + transform->maclen * 2 + transform->keylen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000653
Paul Bakker68884e32013-01-07 18:20:04 +0100654 mac_enc = keyblk;
655 mac_dec = keyblk + transform->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000656
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000657 /*
658 * This is not used in TLS v1.1.
659 */
Paul Bakker48916f92012-09-16 19:57:18 +0000660 iv_copy_len = ( transform->fixed_ivlen ) ?
661 transform->fixed_ivlen : transform->ivlen;
662 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
663 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000664 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000665 }
666 else
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100667#endif /* POLARSSL_SSL_CLI_C */
668#if defined(POLARSSL_SSL_SRV_C)
669 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +0000670 {
Paul Bakker48916f92012-09-16 19:57:18 +0000671 key1 = keyblk + transform->maclen * 2 + transform->keylen;
672 key2 = keyblk + transform->maclen * 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000673
Paul Bakker68884e32013-01-07 18:20:04 +0100674 mac_enc = keyblk + transform->maclen;
675 mac_dec = keyblk;
Paul Bakker5121ce52009-01-03 21:22:43 +0000676
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000677 /*
678 * This is not used in TLS v1.1.
679 */
Paul Bakker48916f92012-09-16 19:57:18 +0000680 iv_copy_len = ( transform->fixed_ivlen ) ?
681 transform->fixed_ivlen : transform->ivlen;
682 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
683 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
Paul Bakkerca4ab492012-04-18 14:23:57 +0000684 iv_copy_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000685 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +0100686 else
687#endif /* POLARSSL_SSL_SRV_C */
688 {
689 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
690 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
691 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000692
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200693#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker68884e32013-01-07 18:20:04 +0100694 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
695 {
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +0100696 if( transform->maclen > sizeof transform->mac_enc )
697 {
698 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200699 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7cfdcb82014-01-18 18:22:55 +0100700 }
701
Paul Bakker68884e32013-01-07 18:20:04 +0100702 memcpy( transform->mac_enc, mac_enc, transform->maclen );
703 memcpy( transform->mac_dec, mac_dec, transform->maclen );
704 }
705 else
Paul Bakker9af723c2014-05-01 13:03:14 +0200706#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200707#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
708 defined(POLARSSL_SSL_PROTO_TLS1_2)
709 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
Paul Bakker68884e32013-01-07 18:20:04 +0100710 {
711 md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
712 md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
713 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200714 else
715#endif
Paul Bakker577e0062013-08-28 11:57:20 +0200716 {
717 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +0200718 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200719 }
Paul Bakker68884e32013-01-07 18:20:04 +0100720
Paul Bakker05ef8352012-05-08 09:17:57 +0000721#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +0200722 if( ssl_hw_record_init != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +0000723 {
724 int ret = 0;
725
726 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
727
Paul Bakker07eb38b2012-12-19 14:42:06 +0100728 if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
729 transform->iv_enc, transform->iv_dec,
730 iv_copy_len,
Paul Bakker68884e32013-01-07 18:20:04 +0100731 mac_enc, mac_dec,
Paul Bakker07eb38b2012-12-19 14:42:06 +0100732 transform->maclen ) ) != 0 )
Paul Bakker05ef8352012-05-08 09:17:57 +0000733 {
734 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200735 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +0000736 }
737 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200738#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +0000739
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200740 if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
741 cipher_info ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000742 {
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200743 SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
744 return( ret );
745 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200746
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200747 if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
748 cipher_info ) ) != 0 )
749 {
750 SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
751 return( ret );
752 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200753
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200754 if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
755 cipher_info->key_length,
756 POLARSSL_ENCRYPT ) ) != 0 )
757 {
758 SSL_DEBUG_RET( 1, "cipher_setkey", ret );
759 return( ret );
760 }
Paul Bakkerea6ad3f2013-09-02 14:57:01 +0200761
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200762 if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
763 cipher_info->key_length,
764 POLARSSL_DECRYPT ) ) != 0 )
765 {
766 SSL_DEBUG_RET( 1, "cipher_setkey", ret );
767 return( ret );
768 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +0200769
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200770#if defined(POLARSSL_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200771 if( cipher_info->mode == POLARSSL_MODE_CBC )
772 {
773 if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
774 POLARSSL_PADDING_NONE ) ) != 0 )
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +0200775 {
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200776 SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
777 return( ret );
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +0200778 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200779
780 if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
781 POLARSSL_PADDING_NONE ) ) != 0 )
782 {
783 SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
784 return( ret );
785 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000786 }
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +0200787#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000788
Paul Bakker34617722014-06-13 17:20:13 +0200789 polarssl_zeroize( keyblk, sizeof( keyblk ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000790
Paul Bakker2770fbd2012-07-03 13:30:23 +0000791#if defined(POLARSSL_ZLIB_SUPPORT)
792 // Initialize compression
793 //
Paul Bakker48916f92012-09-16 19:57:18 +0000794 if( session->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000795 {
Paul Bakker16770332013-10-11 09:59:44 +0200796 if( ssl->compress_buf == NULL )
797 {
798 SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
799 ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
800 if( ssl->compress_buf == NULL )
801 {
802 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
803 SSL_BUFFER_LEN ) );
804 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
805 }
806 }
807
Paul Bakker2770fbd2012-07-03 13:30:23 +0000808 SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
809
Paul Bakker48916f92012-09-16 19:57:18 +0000810 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
811 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +0000812
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200813 if( deflateInit( &transform->ctx_deflate,
814 Z_DEFAULT_COMPRESSION ) != Z_OK ||
Paul Bakker48916f92012-09-16 19:57:18 +0000815 inflateInit( &transform->ctx_inflate ) != Z_OK )
Paul Bakker2770fbd2012-07-03 13:30:23 +0000816 {
817 SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
818 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
819 }
820 }
821#endif /* POLARSSL_ZLIB_SUPPORT */
822
Paul Bakker5121ce52009-01-03 21:22:43 +0000823 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
824
825 return( 0 );
826}
827
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200828#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker380da532012-04-18 16:10:25 +0000829void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000830{
831 md5_context md5;
832 sha1_context sha1;
833 unsigned char pad_1[48];
834 unsigned char pad_2[48];
835
Paul Bakker380da532012-04-18 16:10:25 +0000836 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000837
Paul Bakker48916f92012-09-16 19:57:18 +0000838 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
839 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000840
Paul Bakker380da532012-04-18 16:10:25 +0000841 memset( pad_1, 0x36, 48 );
842 memset( pad_2, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000843
Paul Bakker48916f92012-09-16 19:57:18 +0000844 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000845 md5_update( &md5, pad_1, 48 );
846 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000847
Paul Bakker380da532012-04-18 16:10:25 +0000848 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +0000849 md5_update( &md5, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000850 md5_update( &md5, pad_2, 48 );
851 md5_update( &md5, hash, 16 );
852 md5_finish( &md5, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000853
Paul Bakker48916f92012-09-16 19:57:18 +0000854 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000855 sha1_update( &sha1, pad_1, 40 );
856 sha1_finish( &sha1, hash + 16 );
857
858 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +0000859 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
Paul Bakker380da532012-04-18 16:10:25 +0000860 sha1_update( &sha1, pad_2, 40 );
861 sha1_update( &sha1, hash + 16, 20 );
862 sha1_finish( &sha1, hash + 16 );
863
864 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
865 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
866
Paul Bakker5b4af392014-06-26 12:09:34 +0200867 md5_free( &md5 );
868 sha1_free( &sha1 );
869
Paul Bakker380da532012-04-18 16:10:25 +0000870 return;
871}
Paul Bakker9af723c2014-05-01 13:03:14 +0200872#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker380da532012-04-18 16:10:25 +0000873
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200874#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker380da532012-04-18 16:10:25 +0000875void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
876{
877 md5_context md5;
878 sha1_context sha1;
879
880 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
881
Paul Bakker48916f92012-09-16 19:57:18 +0000882 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
883 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker380da532012-04-18 16:10:25 +0000884
Paul Bakker48916f92012-09-16 19:57:18 +0000885 md5_finish( &md5, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000886 sha1_finish( &sha1, hash + 16 );
887
888 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
889 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
890
Paul Bakker5b4af392014-06-26 12:09:34 +0200891 md5_free( &md5 );
892 sha1_free( &sha1 );
893
Paul Bakker380da532012-04-18 16:10:25 +0000894 return;
895}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200896#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker380da532012-04-18 16:10:25 +0000897
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200898#if defined(POLARSSL_SSL_PROTO_TLS1_2)
899#if defined(POLARSSL_SHA256_C)
Paul Bakker380da532012-04-18 16:10:25 +0000900void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
901{
Paul Bakker9e36f042013-06-30 14:34:05 +0200902 sha256_context sha256;
Paul Bakker380da532012-04-18 16:10:25 +0000903
904 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
905
Paul Bakker9e36f042013-06-30 14:34:05 +0200906 memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
907 sha256_finish( &sha256, hash );
Paul Bakker380da532012-04-18 16:10:25 +0000908
909 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
910 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
911
Paul Bakker5b4af392014-06-26 12:09:34 +0200912 sha256_free( &sha256 );
913
Paul Bakker380da532012-04-18 16:10:25 +0000914 return;
915}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200916#endif /* POLARSSL_SHA256_C */
Paul Bakker380da532012-04-18 16:10:25 +0000917
Paul Bakker9e36f042013-06-30 14:34:05 +0200918#if defined(POLARSSL_SHA512_C)
Paul Bakker380da532012-04-18 16:10:25 +0000919void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
920{
Paul Bakker9e36f042013-06-30 14:34:05 +0200921 sha512_context sha512;
Paul Bakker380da532012-04-18 16:10:25 +0000922
923 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
924
Paul Bakker9e36f042013-06-30 14:34:05 +0200925 memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
926 sha512_finish( &sha512, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000927
Paul Bakkerca4ab492012-04-18 14:23:57 +0000928 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000929 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
930
Paul Bakker5b4af392014-06-26 12:09:34 +0200931 sha512_free( &sha512 );
932
Paul Bakker5121ce52009-01-03 21:22:43 +0000933 return;
934}
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200935#endif /* POLARSSL_SHA512_C */
936#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000937
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +0200938#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200939int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex )
940{
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200941 unsigned char *p = ssl->handshake->premaster;
942 unsigned char *end = p + sizeof( ssl->handshake->premaster );
943
944 /*
945 * PMS = struct {
946 * opaque other_secret<0..2^16-1>;
947 * opaque psk<0..2^16-1>;
948 * };
949 * with "other_secret" depending on the particular key exchange
950 */
951#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
952 if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
953 {
Manuel Pégourié-Gonnard5ca36402015-10-21 12:35:29 +0200954 if( end - p < 2 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200955 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
956
957 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
958 *(p++) = (unsigned char)( ssl->psk_len );
Manuel Pégourié-Gonnard5ca36402015-10-21 12:35:29 +0200959
960 if( end < p || (size_t)( end - p ) < ssl->psk_len )
961 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
962
963 memset( p, 0, ssl->psk_len );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200964 p += ssl->psk_len;
965 }
966 else
967#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200968#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
969 if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
970 {
971 /*
972 * other_secret already set by the ClientKeyExchange message,
973 * and is 48 bytes long
974 */
975 *p++ = 0;
976 *p++ = 48;
977 p += 48;
978 }
979 else
980#endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200981#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
982 if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
983 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +0200984 int ret;
Manuel Pégourié-Gonnarddd0c0f32014-06-23 18:07:11 +0200985 size_t len = end - ( p + 2 );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200986
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200987 /* Write length only when we know the actual value */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200988 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200989 p + 2, &len,
990 ssl->f_rng, ssl->p_rng ) ) != 0 )
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200991 {
992 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
993 return( ret );
994 }
Manuel Pégourié-Gonnard8df68632014-06-23 17:56:08 +0200995 *(p++) = (unsigned char)( len >> 8 );
996 *(p++) = (unsigned char)( len );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200997 p += len;
998
999 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1000 }
1001 else
1002#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
1003#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1004 if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
1005 {
Manuel Pégourié-Gonnard1b62c7f2013-10-14 14:02:19 +02001006 int ret;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001007 size_t zlen;
1008
1009 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
Paul Bakker66d5d072014-06-17 16:39:18 +02001010 p + 2, end - ( p + 2 ),
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001011 ssl->f_rng, ssl->p_rng ) ) != 0 )
1012 {
1013 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
1014 return( ret );
1015 }
1016
1017 *(p++) = (unsigned char)( zlen >> 8 );
1018 *(p++) = (unsigned char)( zlen );
1019 p += zlen;
1020
1021 SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
1022 }
1023 else
1024#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1025 {
1026 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001027 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001028 }
1029
1030 /* opaque psk<0..2^16-1>; */
Manuel Pégourié-Gonnard5ca36402015-10-21 12:35:29 +02001031 if( end - p < 2 )
1032 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01001033
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001034 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
1035 *(p++) = (unsigned char)( ssl->psk_len );
Manuel Pégourié-Gonnard5ca36402015-10-21 12:35:29 +02001036
1037 if( end < p || (size_t)( end - p ) < ssl->psk_len )
1038 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1039
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001040 memcpy( p, ssl->psk, ssl->psk_len );
1041 p += ssl->psk_len;
1042
1043 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1044
1045 return( 0 );
1046}
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02001047#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02001048
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001049#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00001050/*
1051 * SSLv3.0 MAC functions
1052 */
Paul Bakker68884e32013-01-07 18:20:04 +01001053static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
1054 unsigned char *buf, size_t len,
1055 unsigned char *ctr, int type )
Paul Bakker5121ce52009-01-03 21:22:43 +00001056{
1057 unsigned char header[11];
1058 unsigned char padding[48];
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001059 int padlen;
Paul Bakker68884e32013-01-07 18:20:04 +01001060 int md_size = md_get_size( md_ctx->md_info );
1061 int md_type = md_get_type( md_ctx->md_info );
1062
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001063 /* Only MD5 and SHA-1 supported */
Paul Bakker68884e32013-01-07 18:20:04 +01001064 if( md_type == POLARSSL_MD_MD5 )
1065 padlen = 48;
Manuel Pégourié-Gonnard8d4ad072014-07-13 14:43:28 +02001066 else
Paul Bakker68884e32013-01-07 18:20:04 +01001067 padlen = 40;
Paul Bakker5121ce52009-01-03 21:22:43 +00001068
1069 memcpy( header, ctr, 8 );
1070 header[ 8] = (unsigned char) type;
1071 header[ 9] = (unsigned char)( len >> 8 );
1072 header[10] = (unsigned char)( len );
1073
Paul Bakker68884e32013-01-07 18:20:04 +01001074 memset( padding, 0x36, padlen );
1075 md_starts( md_ctx );
1076 md_update( md_ctx, secret, md_size );
1077 md_update( md_ctx, padding, padlen );
1078 md_update( md_ctx, header, 11 );
1079 md_update( md_ctx, buf, len );
1080 md_finish( md_ctx, buf + len );
Paul Bakker5121ce52009-01-03 21:22:43 +00001081
Paul Bakker68884e32013-01-07 18:20:04 +01001082 memset( padding, 0x5C, padlen );
1083 md_starts( md_ctx );
1084 md_update( md_ctx, secret, md_size );
1085 md_update( md_ctx, padding, padlen );
1086 md_update( md_ctx, buf + len, md_size );
1087 md_finish( md_ctx, buf + len );
Paul Bakker5f70b252012-09-13 14:23:06 +00001088}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001089#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5f70b252012-09-13 14:23:06 +00001090
Manuel Pégourié-Gonnard8e4b3372014-11-17 15:06:13 +01001091#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1092 ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1093 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1094#define POLARSSL_SOME_MODES_USE_MAC
1095#endif
1096
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001097/*
Paul Bakker5121ce52009-01-03 21:22:43 +00001098 * Encryption/decryption functions
Paul Bakkerf7abd422013-04-16 13:15:56 +02001099 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001100static int ssl_encrypt_buf( ssl_context *ssl )
1101{
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001102 size_t i;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001103 cipher_mode_t mode;
1104 int auth_done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001105
1106 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
1107
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001108 if( ssl->session_out == NULL || ssl->transform_out == NULL )
1109 {
1110 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1111 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1112 }
1113
1114 mode = cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
1115
Manuel Pégourié-Gonnard60346be2014-11-21 11:38:37 +01001116 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1117 ssl->out_msg, ssl->out_msglen );
1118
Paul Bakker5121ce52009-01-03 21:22:43 +00001119 /*
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001120 * Add MAC before if needed
Paul Bakker5121ce52009-01-03 21:22:43 +00001121 */
Manuel Pégourié-Gonnard8e4b3372014-11-17 15:06:13 +01001122#if defined(POLARSSL_SOME_MODES_USE_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001123 if( mode == POLARSSL_MODE_STREAM ||
1124 ( mode == POLARSSL_MODE_CBC
1125#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
1126 && ssl->session_out->encrypt_then_mac == SSL_ETM_DISABLED
1127#endif
1128 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00001129 {
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001130#if defined(POLARSSL_SSL_PROTO_SSL3)
1131 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1132 {
1133 ssl_mac( &ssl->transform_out->md_ctx_enc,
1134 ssl->transform_out->mac_enc,
1135 ssl->out_msg, ssl->out_msglen,
1136 ssl->out_ctr, ssl->out_msgtype );
1137 }
1138 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001139#endif
1140#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001141 defined(POLARSSL_SSL_PROTO_TLS1_2)
1142 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1143 {
1144 md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1145 md_hmac_update( &ssl->transform_out->md_ctx_enc,
1146 ssl->out_msg, ssl->out_msglen );
1147 md_hmac_finish( &ssl->transform_out->md_ctx_enc,
1148 ssl->out_msg + ssl->out_msglen );
1149 md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1150 }
1151 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001152#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001153 {
1154 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001155 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001156 }
1157
1158 SSL_DEBUG_BUF( 4, "computed mac",
1159 ssl->out_msg + ssl->out_msglen,
1160 ssl->transform_out->maclen );
1161
1162 ssl->out_msglen += ssl->transform_out->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001163 auth_done++;
Paul Bakker577e0062013-08-28 11:57:20 +02001164 }
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001165#endif /* AEAD not the only option */
Paul Bakker5121ce52009-01-03 21:22:43 +00001166
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001167 /*
1168 * Encrypt
1169 */
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001170#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
Manuel Pégourié-Gonnard5efd7722014-05-14 12:52:22 +02001171 if( mode == POLARSSL_MODE_STREAM )
Paul Bakker5121ce52009-01-03 21:22:43 +00001172 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001173 int ret;
1174 size_t olen = 0;
1175
Paul Bakker5121ce52009-01-03 21:22:43 +00001176 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1177 "including %d bytes of padding",
1178 ssl->out_msglen, 0 ) );
1179
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001180 if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
Paul Bakker45125bc2013-09-04 16:47:11 +02001181 ssl->transform_out->iv_enc,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001182 ssl->transform_out->ivlen,
1183 ssl->out_msg, ssl->out_msglen,
1184 ssl->out_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001185 {
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001186 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001187 return( ret );
1188 }
1189
1190 if( ssl->out_msglen != olen )
1191 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001192 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnarda8a25ae2013-10-27 13:48:15 +01001193 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001194 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001195 }
Paul Bakker68884e32013-01-07 18:20:04 +01001196 else
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001197#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001198#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1199 if( mode == POLARSSL_MODE_GCM ||
1200 mode == POLARSSL_MODE_CCM )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001201 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001202 int ret;
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001203 size_t enc_msglen, olen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001204 unsigned char *enc_msg;
1205 unsigned char add_data[13];
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001206 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
1207 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001208
Paul Bakkerca4ab492012-04-18 14:23:57 +00001209 memcpy( add_data, ssl->out_ctr, 8 );
1210 add_data[8] = ssl->out_msgtype;
1211 add_data[9] = ssl->major_ver;
1212 add_data[10] = ssl->minor_ver;
1213 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1214 add_data[12] = ssl->out_msglen & 0xFF;
1215
1216 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1217 add_data, 13 );
1218
Paul Bakker68884e32013-01-07 18:20:04 +01001219 /*
1220 * Generate IV
1221 */
Manuel Pégourié-Gonnardd056ce02014-10-29 22:29:20 +01001222 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
1223 {
1224 /* Reminder if we ever add an AEAD mode with a different size */
1225 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1226 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1227 }
1228
1229 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1230 ssl->out_ctr, 8 );
1231 memcpy( ssl->out_iv, ssl->out_ctr, 8 );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001232
Manuel Pégourié-Gonnard226d5da2013-09-05 13:19:22 +02001233 SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001234 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
Manuel Pégourié-Gonnard226d5da2013-09-05 13:19:22 +02001235
Paul Bakker68884e32013-01-07 18:20:04 +01001236 /*
1237 * Fix pointer positions and message length with added IV
1238 */
1239 enc_msg = ssl->out_msg;
1240 enc_msglen = ssl->out_msglen;
1241 ssl->out_msglen += ssl->transform_out->ivlen -
1242 ssl->transform_out->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001243
Paul Bakker68884e32013-01-07 18:20:04 +01001244 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1245 "including %d bytes of padding",
1246 ssl->out_msglen, 0 ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001247
Paul Bakker68884e32013-01-07 18:20:04 +01001248 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001249 * Encrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001250 */
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001251 if( ( ret = cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
1252 ssl->transform_out->iv_enc,
1253 ssl->transform_out->ivlen,
1254 add_data, 13,
1255 enc_msg, enc_msglen,
1256 enc_msg, &olen,
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001257 enc_msg + enc_msglen, taglen ) ) != 0 )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001258 {
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001259 SSL_DEBUG_RET( 1, "cipher_auth_encrypt", ret );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001260 return( ret );
1261 }
1262
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001263 if( olen != enc_msglen )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001264 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001265 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001266 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001267 }
1268
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001269 ssl->out_msglen += taglen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001270 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001271
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001272 SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
Paul Bakkerca4ab492012-04-18 14:23:57 +00001273 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001274 else
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001275#endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001276#if defined(POLARSSL_CIPHER_MODE_CBC) && \
1277 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
Manuel Pégourié-Gonnard5efd7722014-05-14 12:52:22 +02001278 if( mode == POLARSSL_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +00001279 {
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001280 int ret;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001281 unsigned char *enc_msg;
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001282 size_t enc_msglen, padlen, olen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001283
Paul Bakker48916f92012-09-16 19:57:18 +00001284 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1285 ssl->transform_out->ivlen;
1286 if( padlen == ssl->transform_out->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001287 padlen = 0;
1288
1289 for( i = 0; i <= padlen; i++ )
1290 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1291
1292 ssl->out_msglen += padlen + 1;
1293
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001294 enc_msglen = ssl->out_msglen;
1295 enc_msg = ssl->out_msg;
1296
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001297#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001298 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +00001299 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1300 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001301 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00001302 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001303 {
1304 /*
1305 * Generate IV
1306 */
Manuel Pégourié-Gonnarda67fd792015-08-27 12:02:40 +02001307 ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +00001308 ssl->transform_out->ivlen );
Paul Bakkera3d195c2011-11-27 21:07:34 +00001309 if( ret != 0 )
1310 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001311
Paul Bakker92be97b2013-01-02 17:30:03 +01001312 memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
Paul Bakker48916f92012-09-16 19:57:18 +00001313 ssl->transform_out->ivlen );
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001314
1315 /*
1316 * Fix pointer positions and message length with added IV
1317 */
Paul Bakker92be97b2013-01-02 17:30:03 +01001318 enc_msg = ssl->out_msg;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001319 enc_msglen = ssl->out_msglen;
Paul Bakker48916f92012-09-16 19:57:18 +00001320 ssl->out_msglen += ssl->transform_out->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001321 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001322#endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001323
Paul Bakker5121ce52009-01-03 21:22:43 +00001324 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001325 "including %d bytes of IV and %d bytes of padding",
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001326 ssl->out_msglen, ssl->transform_out->ivlen,
1327 padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001328
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001329 if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
Paul Bakker45125bc2013-09-04 16:47:11 +02001330 ssl->transform_out->iv_enc,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001331 ssl->transform_out->ivlen,
1332 enc_msg, enc_msglen,
1333 enc_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001334 {
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001335 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +02001336 return( ret );
1337 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001338
Paul Bakkercca5b812013-08-31 17:40:26 +02001339 if( enc_msglen != olen )
1340 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001341 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnarda8a25ae2013-10-27 13:48:15 +01001342 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +02001343 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001344
1345#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
Paul Bakkercca5b812013-08-31 17:40:26 +02001346 if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1347 {
1348 /*
1349 * Save IV in SSL3 and TLS1
1350 */
1351 memcpy( ssl->transform_out->iv_enc,
1352 ssl->transform_out->cipher_ctx_enc.iv,
1353 ssl->transform_out->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001354 }
Paul Bakkercca5b812013-08-31 17:40:26 +02001355#endif
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001356
1357#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001358 if( auth_done == 0 )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001359 {
1360 /*
1361 * MAC(MAC_write_key, seq_num +
1362 * TLSCipherText.type +
1363 * TLSCipherText.version +
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01001364 * length_of( (IV +) ENC(...) ) +
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001365 * IV + // except for TLS 1.0
1366 * ENC(content + padding + padding_length));
1367 */
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001368 unsigned char pseudo_hdr[13];
1369
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001370 SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1371
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001372 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
1373 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01001374 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
1375 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
1376
1377 SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001378
1379 md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
1380 md_hmac_update( &ssl->transform_out->md_ctx_enc,
1381 ssl->out_iv, ssl->out_msglen );
1382 md_hmac_finish( &ssl->transform_out->md_ctx_enc,
1383 ssl->out_iv + ssl->out_msglen );
1384 md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1385
1386 ssl->out_msglen += ssl->transform_out->maclen;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001387 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001388 }
1389#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001390 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001391 else
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001392#endif /* POLARSSL_CIPHER_MODE_CBC &&
1393 ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001394 {
1395 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001396 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001397 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001398
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001399 /* Make extra sure authentication was performed, exactly once */
1400 if( auth_done != 1 )
1401 {
1402 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1403 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1404 }
1405
Paul Bakkerca4ab492012-04-18 14:23:57 +00001406 for( i = 8; i > 0; i-- )
1407 if( ++ssl->out_ctr[i - 1] != 0 )
1408 break;
1409
Manuel Pégourié-Gonnard83cdffc2014-03-10 21:20:29 +01001410 /* The loops goes to its end iff the counter is wrapping */
1411 if( i == 0 )
1412 {
1413 SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
1414 return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
1415 }
1416
Paul Bakker5121ce52009-01-03 21:22:43 +00001417 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1418
1419 return( 0 );
1420}
1421
Paul Bakkerb7149bc2013-03-20 15:30:09 +01001422#define POLARSSL_SSL_MAX_MAC_SIZE 48
Paul Bakkerfab5c822012-02-06 16:45:10 +00001423
Paul Bakker5121ce52009-01-03 21:22:43 +00001424static int ssl_decrypt_buf( ssl_context *ssl )
1425{
Paul Bakker1e5369c2013-12-19 16:40:57 +01001426 size_t i;
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001427 cipher_mode_t mode;
1428 int auth_done = 0;
Manuel Pégourié-Gonnard8e4b3372014-11-17 15:06:13 +01001429#if defined(POLARSSL_SOME_MODES_USE_MAC)
Paul Bakker1e5369c2013-12-19 16:40:57 +01001430 size_t padlen = 0, correct = 1;
1431#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001432
1433 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1434
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001435 if( ssl->session_in == NULL || ssl->transform_in == NULL )
1436 {
1437 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1438 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1439 }
1440
1441 mode = cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
1442
Paul Bakker48916f92012-09-16 19:57:18 +00001443 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001444 {
1445 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
Paul Bakker48916f92012-09-16 19:57:18 +00001446 ssl->in_msglen, ssl->transform_in->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001447 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001448 }
1449
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001450#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
Manuel Pégourié-Gonnard5efd7722014-05-14 12:52:22 +02001451 if( mode == POLARSSL_MODE_STREAM )
Paul Bakker68884e32013-01-07 18:20:04 +01001452 {
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001453 int ret;
1454 size_t olen = 0;
1455
Paul Bakker68884e32013-01-07 18:20:04 +01001456 padlen = 0;
1457
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001458 if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
Paul Bakker45125bc2013-09-04 16:47:11 +02001459 ssl->transform_in->iv_dec,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001460 ssl->transform_in->ivlen,
1461 ssl->in_msg, ssl->in_msglen,
1462 ssl->in_msg, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001463 {
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001464 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001465 return( ret );
1466 }
1467
1468 if( ssl->in_msglen != olen )
1469 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001470 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnarda8a25ae2013-10-27 13:48:15 +01001471 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakkerea6ad3f2013-09-02 14:57:01 +02001472 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001473 }
Paul Bakker68884e32013-01-07 18:20:04 +01001474 else
Manuel Pégourié-Gonnard88665912013-10-25 18:42:44 +02001475#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001476#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1477 if( mode == POLARSSL_MODE_GCM ||
1478 mode == POLARSSL_MODE_CCM )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001479 {
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001480 int ret;
1481 size_t dec_msglen, olen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001482 unsigned char *dec_msg;
1483 unsigned char *dec_msg_result;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001484 unsigned char add_data[13];
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001485 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
1486 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
Simon Ba697bf52016-11-10 13:19:42 +00001487 size_t explicit_iv_len = ssl->transform_in->ivlen -
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +02001488 ssl->transform_in->fixed_ivlen;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001489
Manuel Pégourié-Gonnard06d75192015-02-11 14:54:11 +00001490 if( ssl->in_msglen < (size_t) explicit_iv_len + taglen )
Manuel Pégourié-Gonnard0bcc4e12014-06-17 10:54:17 +02001491 {
1492 SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1493 "+ taglen (%d)", ssl->in_msglen,
1494 explicit_iv_len, taglen ) );
1495 return( POLARSSL_ERR_SSL_INVALID_MAC );
1496 }
1497 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
1498
Paul Bakker68884e32013-01-07 18:20:04 +01001499 dec_msg = ssl->in_msg;
1500 dec_msg_result = ssl->in_msg;
1501 ssl->in_msglen = dec_msglen;
1502
1503 memcpy( add_data, ssl->in_ctr, 8 );
1504 add_data[8] = ssl->in_msgtype;
1505 add_data[9] = ssl->major_ver;
1506 add_data[10] = ssl->minor_ver;
1507 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1508 add_data[12] = ssl->in_msglen & 0xFF;
1509
1510 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1511 add_data, 13 );
1512
1513 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1514 ssl->in_iv,
1515 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1516
1517 SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1518 ssl->transform_in->ivlen );
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001519 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
Paul Bakker68884e32013-01-07 18:20:04 +01001520
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001521 /*
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001522 * Decrypt and authenticate
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001523 */
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001524 if( ( ret = cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
1525 ssl->transform_in->iv_dec,
1526 ssl->transform_in->ivlen,
1527 add_data, 13,
1528 dec_msg, dec_msglen,
1529 dec_msg_result, &olen,
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001530 dec_msg + dec_msglen, taglen ) ) != 0 )
Paul Bakkerca4ab492012-04-18 14:23:57 +00001531 {
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001532 SSL_DEBUG_RET( 1, "cipher_auth_decrypt", ret );
1533
1534 if( ret == POLARSSL_ERR_CIPHER_AUTH_FAILED )
1535 return( POLARSSL_ERR_SSL_INVALID_MAC );
1536
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001537 return( ret );
1538 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001539 auth_done++;
Paul Bakkerca4ab492012-04-18 14:23:57 +00001540
Manuel Pégourié-Gonnardde7bb442014-05-13 12:41:10 +02001541 if( olen != dec_msglen )
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001542 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001543 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001544 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardd13a4092013-09-05 16:10:41 +02001545 }
Paul Bakkerca4ab492012-04-18 14:23:57 +00001546 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001547 else
Manuel Pégourié-Gonnard2e5ee322014-05-14 13:09:22 +02001548#endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001549#if defined(POLARSSL_CIPHER_MODE_CBC) && \
1550 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
Manuel Pégourié-Gonnard5efd7722014-05-14 12:52:22 +02001551 if( mode == POLARSSL_MODE_CBC )
Paul Bakker5121ce52009-01-03 21:22:43 +00001552 {
Paul Bakker45829992013-01-03 14:52:21 +01001553 /*
1554 * Decrypt and check the padding
1555 */
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001556 int ret;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001557 unsigned char *dec_msg;
1558 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +00001559 size_t dec_msglen;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001560 size_t minlen = 0;
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001561 size_t olen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001562
Paul Bakker5121ce52009-01-03 21:22:43 +00001563 /*
Paul Bakker45829992013-01-03 14:52:21 +01001564 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +00001565 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001566#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker45829992013-01-03 14:52:21 +01001567 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1568 minlen += ssl->transform_in->ivlen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001569#endif
Paul Bakker45829992013-01-03 14:52:21 +01001570
1571 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1572 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1573 {
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001574 SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1575 "+ 1 ) ( + expl IV )", ssl->in_msglen,
1576 ssl->transform_in->ivlen,
1577 ssl->transform_in->maclen ) );
Paul Bakker45829992013-01-03 14:52:21 +01001578 return( POLARSSL_ERR_SSL_INVALID_MAC );
1579 }
1580
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001581 dec_msglen = ssl->in_msglen;
1582 dec_msg = ssl->in_msg;
1583 dec_msg_result = ssl->in_msg;
1584
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001585 /*
1586 * Authenticate before decrypt if enabled
1587 */
1588#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001589 if( ssl->session_in->encrypt_then_mac == SSL_ETM_ENABLED )
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001590 {
1591 unsigned char computed_mac[POLARSSL_SSL_MAX_MAC_SIZE];
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01001592 unsigned char pseudo_hdr[13];
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001593
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001594 SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1595
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001596 dec_msglen -= ssl->transform_in->maclen;
1597 ssl->in_msglen -= ssl->transform_in->maclen;
1598
Manuel Pégourié-Gonnard08558e52014-11-04 14:40:21 +01001599 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
1600 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
1601 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
1602 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
1603
1604 SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
1605
1606 md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001607 md_hmac_update( &ssl->transform_in->md_ctx_dec,
1608 ssl->in_iv, ssl->in_msglen );
1609 md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac );
1610 md_hmac_reset( &ssl->transform_in->md_ctx_dec );
1611
1612 SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
1613 ssl->transform_in->maclen );
1614 SSL_DEBUG_BUF( 4, "computed mac", computed_mac,
1615 ssl->transform_in->maclen );
1616
1617 if( safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac,
1618 ssl->transform_in->maclen ) != 0 )
1619 {
1620 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1621
1622 return( POLARSSL_ERR_SSL_INVALID_MAC );
1623 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001624 auth_done++;
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001625 }
1626#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
1627
1628 /*
1629 * Check length sanity
1630 */
1631 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1632 {
1633 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1634 ssl->in_msglen, ssl->transform_in->ivlen ) );
1635 return( POLARSSL_ERR_SSL_INVALID_MAC );
1636 }
1637
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001638#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001639 /*
Paul Bakker1ef83d62012-04-11 12:09:53 +00001640 * Initialize for prepended IV for block cipher in TLS v1.1 and up
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001641 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00001642 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001643 {
Paul Bakker48916f92012-09-16 19:57:18 +00001644 dec_msglen -= ssl->transform_in->ivlen;
1645 ssl->in_msglen -= ssl->transform_in->ivlen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001646
Paul Bakker48916f92012-09-16 19:57:18 +00001647 for( i = 0; i < ssl->transform_in->ivlen; i++ )
Paul Bakker92be97b2013-01-02 17:30:03 +01001648 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001649 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001650#endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00001651
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001652 if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
Paul Bakker45125bc2013-09-04 16:47:11 +02001653 ssl->transform_in->iv_dec,
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001654 ssl->transform_in->ivlen,
1655 dec_msg, dec_msglen,
1656 dec_msg_result, &olen ) ) != 0 )
Paul Bakker45125bc2013-09-04 16:47:11 +02001657 {
Manuel Pégourié-Gonnard8764d272014-05-13 11:52:02 +02001658 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
Paul Bakkercca5b812013-08-31 17:40:26 +02001659 return( ret );
1660 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001661
Paul Bakkercca5b812013-08-31 17:40:26 +02001662 if( dec_msglen != olen )
1663 {
Manuel Pégourié-Gonnard77921982014-05-28 10:23:31 +02001664 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnarda8a25ae2013-10-27 13:48:15 +01001665 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakkercca5b812013-08-31 17:40:26 +02001666 }
Paul Bakkerda02a7f2013-08-31 17:25:14 +02001667
1668#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
Paul Bakkercca5b812013-08-31 17:40:26 +02001669 if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1670 {
1671 /*
1672 * Save IV in SSL3 and TLS1
1673 */
1674 memcpy( ssl->transform_in->iv_dec,
1675 ssl->transform_in->cipher_ctx_dec.iv,
1676 ssl->transform_in->ivlen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001677 }
Paul Bakkercca5b812013-08-31 17:40:26 +02001678#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001679
1680 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
Paul Bakker45829992013-01-03 14:52:21 +01001681
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001682 if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001683 auth_done == 0 )
Paul Bakker45829992013-01-03 14:52:21 +01001684 {
Paul Bakkerd66f0702013-01-31 16:57:45 +01001685#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker45829992013-01-03 14:52:21 +01001686 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1687 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001688#endif
Paul Bakker45829992013-01-03 14:52:21 +01001689 padlen = 0;
Paul Bakker45829992013-01-03 14:52:21 +01001690 correct = 0;
1691 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001692
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001693#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00001694 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1695 {
Paul Bakker48916f92012-09-16 19:57:18 +00001696 if( padlen > ssl->transform_in->ivlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00001697 {
Paul Bakkerd66f0702013-01-31 16:57:45 +01001698#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker5121ce52009-01-03 21:22:43 +00001699 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1700 "should be no more than %d",
Paul Bakker48916f92012-09-16 19:57:18 +00001701 padlen, ssl->transform_in->ivlen ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001702#endif
Paul Bakker45829992013-01-03 14:52:21 +01001703 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00001704 }
1705 }
1706 else
Paul Bakker9af723c2014-05-01 13:03:14 +02001707#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001708#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1709 defined(POLARSSL_SSL_PROTO_TLS1_2)
1710 if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001711 {
1712 /*
Paul Bakker45829992013-01-03 14:52:21 +01001713 * TLSv1+: always check the padding up to the first failure
1714 * and fake check up to 256 bytes of padding
Paul Bakker5121ce52009-01-03 21:22:43 +00001715 */
Paul Bakkerca9c87e2013-09-25 18:52:37 +02001716 size_t pad_count = 0, real_count = 1;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001717 size_t padding_idx = ssl->in_msglen - padlen - 1;
1718
Paul Bakker956c9e02013-12-19 14:42:28 +01001719 /*
1720 * Padding is guaranteed to be incorrect if:
Paul Bakker91c61bc2014-03-26 14:06:55 +01001721 * 1. padlen >= ssl->in_msglen
Paul Bakker956c9e02013-12-19 14:42:28 +01001722 *
Paul Bakker61885c72014-04-25 12:59:03 +02001723 * 2. padding_idx >= SSL_MAX_CONTENT_LEN +
1724 * ssl->transform_in->maclen
Paul Bakker956c9e02013-12-19 14:42:28 +01001725 *
1726 * In both cases we reset padding_idx to a safe value (0) to
1727 * prevent out-of-buffer reads.
1728 */
Paul Bakker91c61bc2014-03-26 14:06:55 +01001729 correct &= ( ssl->in_msglen >= padlen + 1 );
Paul Bakker61885c72014-04-25 12:59:03 +02001730 correct &= ( padding_idx < SSL_MAX_CONTENT_LEN +
1731 ssl->transform_in->maclen );
Paul Bakker956c9e02013-12-19 14:42:28 +01001732
1733 padding_idx *= correct;
1734
Paul Bakkerca9c87e2013-09-25 18:52:37 +02001735 for( i = 1; i <= 256; i++ )
1736 {
1737 real_count &= ( i <= padlen );
1738 pad_count += real_count *
1739 ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1740 }
Paul Bakkere47b34b2013-02-27 14:48:00 +01001741
1742 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
Paul Bakkere47b34b2013-02-27 14:48:00 +01001743
Paul Bakkerd66f0702013-01-31 16:57:45 +01001744#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker66d5d072014-06-17 16:39:18 +02001745 if( padlen > 0 && correct == 0 )
Paul Bakker45829992013-01-03 14:52:21 +01001746 SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakkerd66f0702013-01-31 16:57:45 +01001747#endif
Paul Bakkere47b34b2013-02-27 14:48:00 +01001748 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +00001749 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001750 else
1751#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1752 POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02001753 {
1754 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001755 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02001756 }
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001757
1758 ssl->in_msglen -= padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +00001759 }
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001760 else
Manuel Pégourié-Gonnard126a66f2013-10-25 18:33:32 +02001761#endif /* POLARSSL_CIPHER_MODE_CBC &&
1762 ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001763 {
1764 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001765 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +02001766 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001767
1768 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1769 ssl->in_msg, ssl->in_msglen );
1770
1771 /*
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001772 * Authenticate if not done yet.
1773 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
Paul Bakker5121ce52009-01-03 21:22:43 +00001774 */
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001775#if defined(POLARSSL_SOME_MODES_USE_MAC)
1776 if( auth_done == 0 )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001777 {
Paul Bakker1e5369c2013-12-19 16:40:57 +01001778 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1779
Manuel Pégourié-Gonnard313d7962014-10-29 12:07:57 +01001780 ssl->in_msglen -= ssl->transform_in->maclen;
Paul Bakker5121ce52009-01-03 21:22:43 +00001781
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001782 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1783 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001784
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001785 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001786
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001787#if defined(POLARSSL_SSL_PROTO_SSL3)
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001788 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1789 {
1790 ssl_mac( &ssl->transform_in->md_ctx_dec,
1791 ssl->transform_in->mac_dec,
1792 ssl->in_msg, ssl->in_msglen,
1793 ssl->in_ctr, ssl->in_msgtype );
1794 }
1795 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001796#endif /* POLARSSL_SSL_PROTO_SSL3 */
1797#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001798 defined(POLARSSL_SSL_PROTO_TLS1_2)
1799 if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1800 {
1801 /*
1802 * Process MAC and always update for padlen afterwards to make
1803 * total time independent of padlen
1804 *
Paul Bakker9af723c2014-05-01 13:03:14 +02001805 * extra_run compensates MAC check for padlen
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001806 *
1807 * Known timing attacks:
1808 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1809 *
1810 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1811 * correctly. (We round down instead of up, so -56 is the correct
1812 * value for our calculations instead of -55)
1813 */
1814 size_t j, extra_run = 0;
1815 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1816 ( 13 + ssl->in_msglen + 8 ) / 64;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001817
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001818 extra_run &= correct * 0xFF;
Paul Bakkere47b34b2013-02-27 14:48:00 +01001819
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001820 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1821 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
1822 ssl->in_msglen );
1823 md_hmac_finish( &ssl->transform_in->md_ctx_dec,
1824 ssl->in_msg + ssl->in_msglen );
Manuel Pégourié-Gonnard7d1e95c2015-04-29 01:35:48 +02001825 /* Call md_process at least once due to cache attacks */
1826 for( j = 0; j < extra_run + 1; j++ )
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001827 md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
Paul Bakkere47b34b2013-02-27 14:48:00 +01001828
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001829 md_hmac_reset( &ssl->transform_in->md_ctx_dec );
1830 }
1831 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001832#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001833 POLARSSL_SSL_PROTO_TLS1_2 */
1834 {
1835 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02001836 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001837 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001838
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001839 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1840 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1841 ssl->transform_in->maclen );
Paul Bakker5121ce52009-01-03 21:22:43 +00001842
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01001843 if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001844 ssl->transform_in->maclen ) != 0 )
1845 {
Paul Bakkere47b34b2013-02-27 14:48:00 +01001846#if defined(POLARSSL_SSL_DEBUG_ALL)
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001847 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakkere47b34b2013-02-27 14:48:00 +01001848#endif
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001849 correct = 0;
1850 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001851 auth_done++;
Paul Bakker5121ce52009-01-03 21:22:43 +00001852
Manuel Pégourié-Gonnard71096242013-10-25 19:31:25 +02001853 /*
1854 * Finally check the correct flag
1855 */
1856 if( correct == 0 )
1857 return( POLARSSL_ERR_SSL_INVALID_MAC );
1858 }
Manuel Pégourié-Gonnard352143f2015-01-13 10:59:51 +01001859#endif /* POLARSSL_SOME_MODES_USE_MAC */
1860
1861 /* Make extra sure authentication was performed, exactly once */
1862 if( auth_done != 1 )
1863 {
1864 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1865 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1866 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001867
1868 if( ssl->in_msglen == 0 )
1869 {
1870 ssl->nb_zero++;
1871
1872 /*
1873 * Three or more empty messages may be a DoS attack
1874 * (excessive CPU consumption).
1875 */
1876 if( ssl->nb_zero > 3 )
1877 {
1878 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1879 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001880 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +00001881 }
1882 }
1883 else
1884 ssl->nb_zero = 0;
Paul Bakkerf7abd422013-04-16 13:15:56 +02001885
Paul Bakker23986e52011-04-24 08:57:21 +00001886 for( i = 8; i > 0; i-- )
1887 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001888 break;
1889
Manuel Pégourié-Gonnard83cdffc2014-03-10 21:20:29 +01001890 /* The loops goes to its end iff the counter is wrapping */
1891 if( i == 0 )
1892 {
1893 SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
1894 return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
1895 }
1896
Paul Bakker5121ce52009-01-03 21:22:43 +00001897 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1898
1899 return( 0 );
1900}
1901
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001902#undef MAC_NONE
1903#undef MAC_PLAINTEXT
1904#undef MAC_CIPHERTEXT
1905
Paul Bakker2770fbd2012-07-03 13:30:23 +00001906#if defined(POLARSSL_ZLIB_SUPPORT)
1907/*
1908 * Compression/decompression functions
1909 */
1910static int ssl_compress_buf( ssl_context *ssl )
1911{
1912 int ret;
1913 unsigned char *msg_post = ssl->out_msg;
1914 size_t len_pre = ssl->out_msglen;
Paul Bakker16770332013-10-11 09:59:44 +02001915 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001916
1917 SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1918
Paul Bakkerabf2f8f2013-06-30 14:57:46 +02001919 if( len_pre == 0 )
1920 return( 0 );
1921
Paul Bakker2770fbd2012-07-03 13:30:23 +00001922 memcpy( msg_pre, ssl->out_msg, len_pre );
1923
1924 SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1925 ssl->out_msglen ) );
1926
1927 SSL_DEBUG_BUF( 4, "before compression: output payload",
1928 ssl->out_msg, ssl->out_msglen );
1929
Paul Bakker48916f92012-09-16 19:57:18 +00001930 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1931 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1932 ssl->transform_out->ctx_deflate.next_out = msg_post;
1933 ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001934
Paul Bakker48916f92012-09-16 19:57:18 +00001935 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001936 if( ret != Z_OK )
1937 {
1938 SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1939 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1940 }
1941
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001942 ssl->out_msglen = SSL_BUFFER_LEN -
1943 ssl->transform_out->ctx_deflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001944
Paul Bakker2770fbd2012-07-03 13:30:23 +00001945 SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1946 ssl->out_msglen ) );
1947
1948 SSL_DEBUG_BUF( 4, "after compression: output payload",
1949 ssl->out_msg, ssl->out_msglen );
1950
1951 SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1952
1953 return( 0 );
1954}
1955
1956static int ssl_decompress_buf( ssl_context *ssl )
1957{
1958 int ret;
1959 unsigned char *msg_post = ssl->in_msg;
1960 size_t len_pre = ssl->in_msglen;
Paul Bakker16770332013-10-11 09:59:44 +02001961 unsigned char *msg_pre = ssl->compress_buf;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001962
1963 SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1964
Paul Bakkerabf2f8f2013-06-30 14:57:46 +02001965 if( len_pre == 0 )
1966 return( 0 );
1967
Paul Bakker2770fbd2012-07-03 13:30:23 +00001968 memcpy( msg_pre, ssl->in_msg, len_pre );
1969
1970 SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1971 ssl->in_msglen ) );
1972
1973 SSL_DEBUG_BUF( 4, "before decompression: input payload",
1974 ssl->in_msg, ssl->in_msglen );
1975
Paul Bakker48916f92012-09-16 19:57:18 +00001976 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1977 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1978 ssl->transform_in->ctx_inflate.next_out = msg_post;
1979 ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001980
Paul Bakker48916f92012-09-16 19:57:18 +00001981 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
Paul Bakker2770fbd2012-07-03 13:30:23 +00001982 if( ret != Z_OK )
1983 {
1984 SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1985 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1986 }
1987
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001988 ssl->in_msglen = SSL_MAX_CONTENT_LEN -
1989 ssl->transform_in->ctx_inflate.avail_out;
Paul Bakker2770fbd2012-07-03 13:30:23 +00001990
Paul Bakker2770fbd2012-07-03 13:30:23 +00001991 SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1992 ssl->in_msglen ) );
1993
1994 SSL_DEBUG_BUF( 4, "after decompression: input payload",
1995 ssl->in_msg, ssl->in_msglen );
1996
1997 SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1998
1999 return( 0 );
2000}
2001#endif /* POLARSSL_ZLIB_SUPPORT */
2002
Paul Bakker5121ce52009-01-03 21:22:43 +00002003/*
2004 * Fill the input message buffer
2005 */
Paul Bakker23986e52011-04-24 08:57:21 +00002006int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +00002007{
Paul Bakker23986e52011-04-24 08:57:21 +00002008 int ret;
2009 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +00002010
2011 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
2012
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002013 if( nb_want > SSL_BUFFER_LEN - 8 )
2014 {
2015 SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2016 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2017 }
2018
Paul Bakker5121ce52009-01-03 21:22:43 +00002019 while( ssl->in_left < nb_want )
2020 {
2021 len = nb_want - ssl->in_left;
2022 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
2023
2024 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2025 ssl->in_left, nb_want ) );
2026 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
2027
Paul Bakker831a7552011-05-18 13:32:51 +00002028 if( ret == 0 )
2029 return( POLARSSL_ERR_SSL_CONN_EOF );
2030
Paul Bakker5121ce52009-01-03 21:22:43 +00002031 if( ret < 0 )
2032 return( ret );
2033
2034 ssl->in_left += ret;
2035 }
2036
2037 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2038
2039 return( 0 );
2040}
2041
2042/*
2043 * Flush any data not yet written
2044 */
2045int ssl_flush_output( ssl_context *ssl )
2046{
2047 int ret;
2048 unsigned char *buf;
2049
2050 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
2051
2052 while( ssl->out_left > 0 )
2053 {
2054 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
2055 5 + ssl->out_msglen, ssl->out_left ) );
2056
Paul Bakker5bd42292012-12-19 14:40:42 +01002057 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
Paul Bakker5121ce52009-01-03 21:22:43 +00002058 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
Paul Bakker186751d2012-05-08 13:16:14 +00002059
Paul Bakker5121ce52009-01-03 21:22:43 +00002060 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
2061
2062 if( ret <= 0 )
2063 return( ret );
2064
2065 ssl->out_left -= ret;
2066 }
2067
2068 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2069
2070 return( 0 );
2071}
2072
2073/*
2074 * Record layer functions
2075 */
2076int ssl_write_record( ssl_context *ssl )
2077{
Paul Bakker05ef8352012-05-08 09:17:57 +00002078 int ret, done = 0;
Paul Bakker23986e52011-04-24 08:57:21 +00002079 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +00002080
2081 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
2082
Paul Bakker5121ce52009-01-03 21:22:43 +00002083 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
2084 {
2085 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
2086 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
2087 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
2088
Manuel Pégourié-Gonnardf3dc2f62013-10-29 18:17:41 +01002089 if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
2090 ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
Paul Bakker5121ce52009-01-03 21:22:43 +00002091 }
2092
Paul Bakker2770fbd2012-07-03 13:30:23 +00002093#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00002094 if( ssl->transform_out != NULL &&
2095 ssl->session_out->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002096 {
2097 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2098 {
2099 SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
2100 return( ret );
2101 }
2102
2103 len = ssl->out_msglen;
2104 }
2105#endif /*POLARSSL_ZLIB_SUPPORT */
2106
Paul Bakker05ef8352012-05-08 09:17:57 +00002107#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02002108 if( ssl_hw_record_write != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002109 {
Paul Bakker05ef8352012-05-08 09:17:57 +00002110 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002111
Paul Bakker05ef8352012-05-08 09:17:57 +00002112 ret = ssl_hw_record_write( ssl );
2113 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2114 {
2115 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
Paul Bakkerd8bb8262014-06-17 14:06:49 +02002116 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +00002117 }
Paul Bakkerc7878112012-12-19 14:41:14 +01002118
2119 if( ret == 0 )
2120 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00002121 }
Paul Bakker9af723c2014-05-01 13:03:14 +02002122#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
Paul Bakker05ef8352012-05-08 09:17:57 +00002123 if( !done )
2124 {
2125 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2126 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
2127 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
Paul Bakker5121ce52009-01-03 21:22:43 +00002128 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
2129 ssl->out_hdr[4] = (unsigned char)( len );
Paul Bakker05ef8352012-05-08 09:17:57 +00002130
Paul Bakker48916f92012-09-16 19:57:18 +00002131 if( ssl->transform_out != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00002132 {
2133 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
2134 {
2135 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2136 return( ret );
2137 }
2138
2139 len = ssl->out_msglen;
2140 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
2141 ssl->out_hdr[4] = (unsigned char)( len );
2142 }
2143
2144 ssl->out_left = 5 + ssl->out_msglen;
2145
2146 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2147 "version = [%d:%d], msglen = %d",
2148 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
2149 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
2150
2151 SSL_DEBUG_BUF( 4, "output record sent to network",
Paul Bakker5bd42292012-12-19 14:40:42 +01002152 ssl->out_hdr, 5 + ssl->out_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002153 }
2154
Paul Bakker5121ce52009-01-03 21:22:43 +00002155 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2156 {
2157 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2158 return( ret );
2159 }
2160
2161 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2162
2163 return( 0 );
2164}
2165
2166int ssl_read_record( ssl_context *ssl )
2167{
Paul Bakker05ef8352012-05-08 09:17:57 +00002168 int ret, done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +00002169
2170 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
2171
2172 if( ssl->in_hslen != 0 &&
2173 ssl->in_hslen < ssl->in_msglen )
2174 {
2175 /*
2176 * Get next Handshake message in the current record
2177 */
2178 ssl->in_msglen -= ssl->in_hslen;
2179
Paul Bakker8934a982011-08-05 11:11:53 +00002180 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker48916f92012-09-16 19:57:18 +00002181 ssl->in_msglen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002182
2183 ssl->in_hslen = 4;
2184 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2185
2186 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2187 " %d, type = %d, hslen = %d",
2188 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2189
2190 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2191 {
2192 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002193 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002194 }
2195
2196 if( ssl->in_msglen < ssl->in_hslen )
2197 {
2198 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002199 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002200 }
2201
Paul Bakker4224bc02014-04-08 14:36:50 +02002202 if( ssl->state != SSL_HANDSHAKE_OVER )
2203 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002204
2205 return( 0 );
2206 }
2207
2208 ssl->in_hslen = 0;
2209
2210 /*
2211 * Read the record header and validate it
2212 */
Manuel Pégourié-Gonnard0aaefce2015-10-27 13:42:11 +01002213read_record_header:
Paul Bakker5121ce52009-01-03 21:22:43 +00002214 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2215 {
2216 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2217 return( ret );
2218 }
2219
2220 ssl->in_msgtype = ssl->in_hdr[0];
2221 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2222
2223 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2224 "version = [%d:%d], msglen = %d",
2225 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2226 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2227
2228 if( ssl->in_hdr[1] != ssl->major_ver )
2229 {
2230 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002231 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002232 }
2233
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002234 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +00002235 {
2236 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002237 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002238 }
2239
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002240 /* Sanity check (outer boundaries) */
2241 if( ssl->in_msglen < 1 || ssl->in_msglen > SSL_BUFFER_LEN - 13 )
2242 {
2243 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2244 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2245 }
2246
Paul Bakker5121ce52009-01-03 21:22:43 +00002247 /*
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002248 * Make sure the message length is acceptable for the current transform
2249 * and protocol version.
Paul Bakker5121ce52009-01-03 21:22:43 +00002250 */
Paul Bakker48916f92012-09-16 19:57:18 +00002251 if( ssl->transform_in == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002252 {
Paul Bakker1a1fbba2014-04-30 14:38:05 +02002253 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +00002254 {
2255 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002256 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002257 }
2258 }
2259 else
2260 {
Paul Bakker48916f92012-09-16 19:57:18 +00002261 if( ssl->in_msglen < ssl->transform_in->minlen )
Paul Bakker5121ce52009-01-03 21:22:43 +00002262 {
2263 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002264 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002265 }
2266
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002267#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00002268 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
Paul Bakker48916f92012-09-16 19:57:18 +00002269 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN )
Paul Bakker5121ce52009-01-03 21:22:43 +00002270 {
2271 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002272 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002273 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002274#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002275
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002276#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2277 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker5121ce52009-01-03 21:22:43 +00002278 /*
2279 * TLS encrypted messages can have up to 256 bytes of padding
2280 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00002281 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02002282 ssl->in_msglen > ssl->transform_in->minlen +
2283 SSL_MAX_CONTENT_LEN + 256 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002284 {
2285 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002286 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002287 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002288#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002289 }
2290
2291 /*
2292 * Read and optionally decrypt the message contents
2293 */
2294 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2295 {
2296 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2297 return( ret );
2298 }
2299
2300 SSL_DEBUG_BUF( 4, "input record from network",
2301 ssl->in_hdr, 5 + ssl->in_msglen );
2302
Paul Bakker05ef8352012-05-08 09:17:57 +00002303#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02002304 if( ssl_hw_record_read != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00002305 {
2306 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2307
2308 ret = ssl_hw_record_read( ssl );
2309 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2310 {
2311 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
Paul Bakkerd8bb8262014-06-17 14:06:49 +02002312 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
Paul Bakker05ef8352012-05-08 09:17:57 +00002313 }
Paul Bakkerc7878112012-12-19 14:41:14 +01002314
2315 if( ret == 0 )
2316 done = 1;
Paul Bakker05ef8352012-05-08 09:17:57 +00002317 }
Paul Bakker9af723c2014-05-01 13:03:14 +02002318#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
Paul Bakker48916f92012-09-16 19:57:18 +00002319 if( !done && ssl->transform_in != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002320 {
2321 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2322 {
Paul Bakker40865c82013-01-31 17:13:13 +01002323#if defined(POLARSSL_SSL_ALERT_MESSAGES)
2324 if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2325 {
2326 ssl_send_alert_message( ssl,
2327 SSL_ALERT_LEVEL_FATAL,
2328 SSL_ALERT_MSG_BAD_RECORD_MAC );
2329 }
2330#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002331 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2332 return( ret );
2333 }
2334
2335 SSL_DEBUG_BUF( 4, "input payload after decrypt",
2336 ssl->in_msg, ssl->in_msglen );
2337
2338 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2339 {
2340 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002341 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002342 }
2343 }
2344
Paul Bakker2770fbd2012-07-03 13:30:23 +00002345#if defined(POLARSSL_ZLIB_SUPPORT)
Paul Bakker48916f92012-09-16 19:57:18 +00002346 if( ssl->transform_in != NULL &&
2347 ssl->session_in->compression == SSL_COMPRESS_DEFLATE )
Paul Bakker2770fbd2012-07-03 13:30:23 +00002348 {
2349 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2350 {
2351 SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2352 return( ret );
2353 }
2354
2355 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2356 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2357 }
2358#endif /* POLARSSL_ZLIB_SUPPORT */
2359
Paul Bakker0a925182012-04-16 06:46:41 +00002360 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2361 ssl->in_msgtype != SSL_MSG_ALERT &&
2362 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
2363 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2364 {
2365 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2366
Paul Bakker48916f92012-09-16 19:57:18 +00002367 if( ( ret = ssl_send_alert_message( ssl,
2368 SSL_ALERT_LEVEL_FATAL,
2369 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
Paul Bakker0a925182012-04-16 06:46:41 +00002370 {
2371 return( ret );
2372 }
2373
2374 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2375 }
2376
Paul Bakker5121ce52009-01-03 21:22:43 +00002377 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2378 {
2379 ssl->in_hslen = 4;
2380 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2381
2382 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2383 " %d, type = %d, hslen = %d",
2384 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2385
2386 /*
2387 * Additional checks to validate the handshake header
2388 */
2389 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2390 {
2391 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002392 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002393 }
2394
2395 if( ssl->in_msglen < ssl->in_hslen )
2396 {
2397 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002398 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +00002399 }
2400
Paul Bakker48916f92012-09-16 19:57:18 +00002401 if( ssl->state != SSL_HANDSHAKE_OVER )
2402 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
Paul Bakker5121ce52009-01-03 21:22:43 +00002403 }
2404
2405 if( ssl->in_msgtype == SSL_MSG_ALERT )
2406 {
2407 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2408 ssl->in_msg[0], ssl->in_msg[1] ) );
2409
2410 /*
Manuel Pégourié-Gonnard0aaefce2015-10-27 13:42:11 +01002411 * Ignore non-fatal alerts, except close_notify and no_renego
Paul Bakker5121ce52009-01-03 21:22:43 +00002412 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002413 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002414 {
Paul Bakker2770fbd2012-07-03 13:30:23 +00002415 SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2416 ssl->in_msg[1] ) );
Paul Bakker2770fbd2012-07-03 13:30:23 +00002417 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002418 }
2419
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002420 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2421 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +00002422 {
2423 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002424 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +00002425 }
Manuel Pégourié-Gonnard0aaefce2015-10-27 13:42:11 +01002426
2427 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2428 ssl->in_msg[1] == SSL_ALERT_MSG_NO_RENEGOTIATION )
2429 {
2430 SSL_DEBUG_MSG( 2, ( "is a no_renegotiation" ) );
2431 /* Will be handled when trying to parse ServerHello */
2432 ssl->in_left = 0;
2433 return( 0 );
2434 }
2435
2436 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2437 ssl->endpoint == SSL_IS_SERVER &&
2438 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2439 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2440 {
2441 SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
2442 /* Will be handled in ssl_parse_certificate() */
2443 ssl->in_left = 0;
2444 return( 0 );
2445 }
2446
2447 /* Silently discard: fetch new message */
2448 goto read_record_header;
Paul Bakker5121ce52009-01-03 21:22:43 +00002449 }
2450
2451 ssl->in_left = 0;
2452
2453 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2454
2455 return( 0 );
2456}
2457
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00002458int ssl_send_fatal_handshake_failure( ssl_context *ssl )
2459{
2460 int ret;
2461
2462 if( ( ret = ssl_send_alert_message( ssl,
2463 SSL_ALERT_LEVEL_FATAL,
2464 SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
2465 {
2466 return( ret );
2467 }
2468
2469 return( 0 );
2470}
2471
Paul Bakker0a925182012-04-16 06:46:41 +00002472int ssl_send_alert_message( ssl_context *ssl,
2473 unsigned char level,
2474 unsigned char message )
2475{
2476 int ret;
2477
2478 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2479
2480 ssl->out_msgtype = SSL_MSG_ALERT;
2481 ssl->out_msglen = 2;
2482 ssl->out_msg[0] = level;
2483 ssl->out_msg[1] = message;
2484
2485 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2486 {
2487 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2488 return( ret );
2489 }
2490
2491 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2492
2493 return( 0 );
2494}
2495
Paul Bakker5121ce52009-01-03 21:22:43 +00002496/*
2497 * Handshake functions
2498 */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002499#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2500 !defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
2501 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2502 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2503 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
2504 !defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2505 !defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Paul Bakker5121ce52009-01-03 21:22:43 +00002506int ssl_write_certificate( ssl_context *ssl )
2507{
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002508 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002509
2510 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2511
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002512 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002513 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2514 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002515 {
2516 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2517 ssl->state++;
2518 return( 0 );
2519 }
2520
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002521 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2522 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002523}
2524
2525int ssl_parse_certificate( ssl_context *ssl )
2526{
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002527 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2528
2529 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2530
2531 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002532 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2533 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002534 {
2535 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2536 ssl->state++;
2537 return( 0 );
2538 }
2539
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002540 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2541 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002542}
2543#else
2544int ssl_write_certificate( ssl_context *ssl )
2545{
2546 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2547 size_t i, n;
Paul Bakkerc559c7a2013-09-18 14:13:26 +02002548 const x509_crt *crt;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002549 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2550
2551 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2552
2553 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002554 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2555 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002556 {
2557 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2558 ssl->state++;
2559 return( 0 );
2560 }
2561
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002562#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00002563 if( ssl->endpoint == SSL_IS_CLIENT )
2564 {
2565 if( ssl->client_auth == 0 )
2566 {
2567 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2568 ssl->state++;
2569 return( 0 );
2570 }
2571
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002572#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00002573 /*
2574 * If using SSLv3 and got no cert, send an Alert message
2575 * (otherwise an empty Certificate message will be sent).
2576 */
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002577 if( ssl_own_cert( ssl ) == NULL &&
Paul Bakker5121ce52009-01-03 21:22:43 +00002578 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2579 {
2580 ssl->out_msglen = 2;
2581 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002582 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2583 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +00002584
2585 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2586 goto write_msg;
2587 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002588#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002589 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002590#endif /* POLARSSL_SSL_CLI_C */
2591#if defined(POLARSSL_SSL_SRV_C)
2592 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00002593 {
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002594 if( ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002595 {
2596 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002597 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002598 }
2599 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002600#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002601
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002602 SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002603
2604 /*
2605 * 0 . 0 handshake type
2606 * 1 . 3 handshake length
2607 * 4 . 6 length of all certs
2608 * 7 . 9 length of cert. 1
2609 * 10 . n-1 peer certificate
2610 * n . n+2 length of cert. 2
2611 * n+3 . ... upper level cert, etc.
2612 */
2613 i = 7;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02002614 crt = ssl_own_cert( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00002615
Paul Bakker29087132010-03-21 21:03:34 +00002616 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002617 {
2618 n = crt->raw.len;
Paul Bakker6992eb72013-12-31 11:35:16 +01002619 if( n > SSL_MAX_CONTENT_LEN - 3 - i )
Paul Bakker5121ce52009-01-03 21:22:43 +00002620 {
2621 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2622 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002623 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002624 }
2625
2626 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2627 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2628 ssl->out_msg[i + 2] = (unsigned char)( n );
2629
2630 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2631 i += n; crt = crt->next;
2632 }
2633
2634 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2635 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2636 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2637
2638 ssl->out_msglen = i;
2639 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2640 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2641
Simon Butcher149950d2016-10-15 22:08:08 +01002642#if defined(POLARSSL_SSL_PROTO_SSL3) && defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00002643write_msg:
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002644#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002645
2646 ssl->state++;
2647
2648 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2649 {
2650 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2651 return( ret );
2652 }
2653
2654 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2655
Paul Bakkered27a042013-04-18 22:46:23 +02002656 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002657}
2658
2659int ssl_parse_certificate( ssl_context *ssl )
2660{
Paul Bakkered27a042013-04-18 22:46:23 +02002661 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker23986e52011-04-24 08:57:21 +00002662 size_t i, n;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002663 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002664
2665 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2666
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002667 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002668 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2669 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002670 {
2671 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2672 ssl->state++;
2673 return( 0 );
2674 }
2675
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002676#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00002677 if( ssl->endpoint == SSL_IS_SERVER &&
Manuel Pégourié-Gonnarddc953e82013-11-25 17:27:39 +01002678 ( ssl->authmode == SSL_VERIFY_NONE ||
2679 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00002680 {
Manuel Pégourié-Gonnard38d1eba2013-08-23 10:44:29 +02002681 ssl->session_negotiate->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +00002682 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2683 ssl->state++;
2684 return( 0 );
2685 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002686#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002687
2688 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2689 {
2690 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2691 return( ret );
2692 }
2693
2694 ssl->state++;
2695
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002696#if defined(POLARSSL_SSL_SRV_C)
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002697#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker5121ce52009-01-03 21:22:43 +00002698 /*
2699 * Check if the client sent an empty certificate
2700 */
2701 if( ssl->endpoint == SSL_IS_SERVER &&
2702 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2703 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +00002704 if( ssl->in_msglen == 2 &&
2705 ssl->in_msgtype == SSL_MSG_ALERT &&
2706 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2707 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +00002708 {
2709 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2710
Manuel Pégourié-Gonnard38d1eba2013-08-23 10:44:29 +02002711 ssl->session_negotiate->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002712 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2713 return( 0 );
2714 else
Paul Bakker40e46942009-01-03 21:51:57 +00002715 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002716 }
2717 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002718#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00002719
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002720#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2721 defined(POLARSSL_SSL_PROTO_TLS1_2)
Paul Bakker5121ce52009-01-03 21:22:43 +00002722 if( ssl->endpoint == SSL_IS_SERVER &&
2723 ssl->minor_ver != SSL_MINOR_VERSION_0 )
2724 {
2725 if( ssl->in_hslen == 7 &&
2726 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2727 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2728 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2729 {
2730 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2731
Manuel Pégourié-Gonnard38d1eba2013-08-23 10:44:29 +02002732 ssl->session_negotiate->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +00002733 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +00002734 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002735 else
2736 return( 0 );
2737 }
2738 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002739#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2740 POLARSSL_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01002741#endif /* POLARSSL_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00002742
2743 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2744 {
2745 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002746 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002747 }
2748
2749 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2750 {
2751 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002752 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002753 }
2754
2755 /*
2756 * Same message structure as in ssl_write_certificate()
2757 */
2758 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2759
2760 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2761 {
2762 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002763 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002764 }
2765
Manuel Pégourié-Gonnardbfb355c2013-09-07 17:27:43 +02002766 /* In case we tried to reuse a session but it failed */
2767 if( ssl->session_negotiate->peer_cert != NULL )
2768 {
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002769 x509_crt_free( ssl->session_negotiate->peer_cert );
Manuel Pégourié-Gonnardbfb355c2013-09-07 17:27:43 +02002770 polarssl_free( ssl->session_negotiate->peer_cert );
2771 }
2772
Mansour Moufidc531b4a2015-02-15 17:35:38 -05002773 if( ( ssl->session_negotiate->peer_cert = polarssl_malloc(
Paul Bakkerc559c7a2013-09-18 14:13:26 +02002774 sizeof( x509_crt ) ) ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00002775 {
2776 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
Paul Bakkerc559c7a2013-09-18 14:13:26 +02002777 sizeof( x509_crt ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +00002778 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002779 }
2780
Paul Bakkerb6b09562013-09-18 14:17:41 +02002781 x509_crt_init( ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +00002782
2783 i = 7;
2784
2785 while( i < ssl->in_hslen )
2786 {
2787 if( ssl->in_msg[i] != 0 )
2788 {
2789 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002790 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002791 }
2792
2793 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2794 | (unsigned int) ssl->in_msg[i + 2];
2795 i += 3;
2796
2797 if( n < 128 || i + n > ssl->in_hslen )
2798 {
2799 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002800 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002801 }
2802
Paul Bakkerddf26b42013-09-18 13:46:23 +02002803 ret = x509_crt_parse_der( ssl->session_negotiate->peer_cert,
2804 ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00002805 if( ret != 0 )
2806 {
Paul Bakkerddf26b42013-09-18 13:46:23 +02002807 SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002808 return( ret );
2809 }
2810
2811 i += n;
2812 }
2813
Paul Bakker48916f92012-09-16 19:57:18 +00002814 SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
Paul Bakker5121ce52009-01-03 21:22:43 +00002815
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01002816 /*
2817 * On client, make sure the server cert doesn't change during renego to
2818 * avoid "triple handshake" attack: https://secure-resumption.com/
2819 */
Paul Bakkerf6080b82015-01-13 16:18:23 +01002820#if defined(POLARSSL_SSL_RENEGOTIATION) && defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01002821 if( ssl->endpoint == SSL_IS_CLIENT &&
2822 ssl->renegotiation == SSL_RENEGOTIATION )
2823 {
2824 if( ssl->session->peer_cert == NULL )
2825 {
2826 SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
2827 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2828 }
2829
2830 if( ssl->session->peer_cert->raw.len !=
2831 ssl->session_negotiate->peer_cert->raw.len ||
2832 memcmp( ssl->session->peer_cert->raw.p,
2833 ssl->session_negotiate->peer_cert->raw.p,
2834 ssl->session->peer_cert->raw.len ) != 0 )
2835 {
2836 SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
2837 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2838 }
2839 }
Paul Bakkerf6080b82015-01-13 16:18:23 +01002840#endif /* POLARSSL_SSL_RENEGOTIATION && POLARSSL_SSL_CLI_C */
Manuel Pégourié-Gonnard796c6f32014-03-10 09:34:49 +01002841
Paul Bakker5121ce52009-01-03 21:22:43 +00002842 if( ssl->authmode != SSL_VERIFY_NONE )
2843 {
2844 if( ssl->ca_chain == NULL )
2845 {
2846 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002847 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00002848 }
2849
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002850 /*
2851 * Main check: verify certificate
2852 */
Paul Bakkerddf26b42013-09-18 13:46:23 +02002853 ret = x509_crt_verify( ssl->session_negotiate->peer_cert,
2854 ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2855 &ssl->session_negotiate->verify_result,
2856 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +00002857
2858 if( ret != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002859 {
Paul Bakker5121ce52009-01-03 21:22:43 +00002860 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002861 }
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002862
2863 /*
2864 * Secondary checks: always done, but change 'ret' only if it was 0
2865 */
2866
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002867#if defined(POLARSSL_SSL_SET_CURVES)
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002868 {
Paul Bakker93389cc2014-04-17 14:44:38 +02002869 pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002870
2871 /* If certificate uses an EC key, make sure the curve is OK */
2872 if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
2873 ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
2874 {
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002875 SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002876 if( ret == 0 )
2877 ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002878 }
2879 }
Paul Bakker9af723c2014-05-01 13:03:14 +02002880#endif /* POLARSSL_SSL_SET_CURVES */
Paul Bakker5121ce52009-01-03 21:22:43 +00002881
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002882 if( ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
2883 ciphersuite_info,
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02002884 ! ssl->endpoint,
2885 &ssl->session_negotiate->verify_result ) != 0 )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002886 {
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002887 SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002888 if( ret == 0 )
2889 ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
2890 }
2891
Paul Bakker5121ce52009-01-03 21:22:43 +00002892 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2893 ret = 0;
2894 }
2895
2896 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2897
2898 return( ret );
2899}
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002900#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED
2901 !POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
2902 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
2903 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2904 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2905 !POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
2906 !POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002907
2908int ssl_write_change_cipher_spec( ssl_context *ssl )
2909{
2910 int ret;
2911
2912 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2913
2914 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2915 ssl->out_msglen = 1;
2916 ssl->out_msg[0] = 1;
2917
Paul Bakker5121ce52009-01-03 21:22:43 +00002918 ssl->state++;
2919
2920 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2921 {
2922 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2923 return( ret );
2924 }
2925
2926 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2927
2928 return( 0 );
2929}
2930
2931int ssl_parse_change_cipher_spec( ssl_context *ssl )
2932{
2933 int ret;
2934
2935 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2936
Paul Bakker5121ce52009-01-03 21:22:43 +00002937 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2938 {
2939 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2940 return( ret );
2941 }
2942
2943 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2944 {
2945 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002946 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002947 }
2948
2949 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2950 {
2951 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00002952 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +00002953 }
2954
2955 ssl->state++;
2956
2957 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2958
2959 return( 0 );
2960}
2961
Paul Bakker41c83d32013-03-20 14:39:14 +01002962void ssl_optimize_checksum( ssl_context *ssl,
2963 const ssl_ciphersuite_t *ciphersuite_info )
Paul Bakker380da532012-04-18 16:10:25 +00002964{
Paul Bakkerfb08fd22013-08-27 15:06:26 +02002965 ((void) ciphersuite_info);
Paul Bakker769075d2012-11-24 11:26:46 +01002966
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002967#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2968 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker380da532012-04-18 16:10:25 +00002969 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
Paul Bakker48916f92012-09-16 19:57:18 +00002970 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
Paul Bakker380da532012-04-18 16:10:25 +00002971 else
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002972#endif
2973#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2974#if defined(POLARSSL_SHA512_C)
2975 if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2976 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2977 else
2978#endif
2979#if defined(POLARSSL_SHA256_C)
2980 if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
Paul Bakker48916f92012-09-16 19:57:18 +00002981 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002982 else
2983#endif
2984#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002985 {
2986 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002987 return;
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02002988 }
Paul Bakker380da532012-04-18 16:10:25 +00002989}
Paul Bakkerf7abd422013-04-16 13:15:56 +02002990
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02002991static void ssl_update_checksum_start( ssl_context *ssl,
2992 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00002993{
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002994#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2995 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker48916f92012-09-16 19:57:18 +00002996 md5_update( &ssl->handshake->fin_md5 , buf, len );
2997 sha1_update( &ssl->handshake->fin_sha1, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002998#endif
2999#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3000#if defined(POLARSSL_SHA256_C)
Paul Bakker9e36f042013-06-30 14:34:05 +02003001 sha256_update( &ssl->handshake->fin_sha256, buf, len );
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003002#endif
Paul Bakker9e36f042013-06-30 14:34:05 +02003003#if defined(POLARSSL_SHA512_C)
3004 sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker769075d2012-11-24 11:26:46 +01003005#endif
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003006#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00003007}
3008
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003009#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3010 defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003011static void ssl_update_checksum_md5sha1( ssl_context *ssl,
3012 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00003013{
Paul Bakker48916f92012-09-16 19:57:18 +00003014 md5_update( &ssl->handshake->fin_md5 , buf, len );
3015 sha1_update( &ssl->handshake->fin_sha1, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00003016}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003017#endif
Paul Bakker380da532012-04-18 16:10:25 +00003018
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003019#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3020#if defined(POLARSSL_SHA256_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003021static void ssl_update_checksum_sha256( ssl_context *ssl,
3022 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00003023{
Paul Bakker9e36f042013-06-30 14:34:05 +02003024 sha256_update( &ssl->handshake->fin_sha256, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00003025}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003026#endif
Paul Bakker380da532012-04-18 16:10:25 +00003027
Paul Bakker9e36f042013-06-30 14:34:05 +02003028#if defined(POLARSSL_SHA512_C)
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003029static void ssl_update_checksum_sha384( ssl_context *ssl,
3030 const unsigned char *buf, size_t len )
Paul Bakker380da532012-04-18 16:10:25 +00003031{
Paul Bakker9e36f042013-06-30 14:34:05 +02003032 sha512_update( &ssl->handshake->fin_sha512, buf, len );
Paul Bakker380da532012-04-18 16:10:25 +00003033}
Paul Bakker769075d2012-11-24 11:26:46 +01003034#endif
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003035#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker380da532012-04-18 16:10:25 +00003036
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003037#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003038static void ssl_calc_finished_ssl(
3039 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00003040{
Paul Bakker3c2122f2013-06-24 19:03:14 +02003041 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003042 md5_context md5;
3043 sha1_context sha1;
3044
Paul Bakker5121ce52009-01-03 21:22:43 +00003045 unsigned char padbuf[48];
3046 unsigned char md5sum[16];
3047 unsigned char sha1sum[20];
3048
Paul Bakker48916f92012-09-16 19:57:18 +00003049 ssl_session *session = ssl->session_negotiate;
3050 if( !session )
3051 session = ssl->session;
3052
Paul Bakker1ef83d62012-04-11 12:09:53 +00003053 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
3054
Paul Bakker48916f92012-09-16 19:57:18 +00003055 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
3056 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003057
3058 /*
3059 * SSLv3:
3060 * hash =
3061 * MD5( master + pad2 +
3062 * MD5( handshake + sender + master + pad1 ) )
3063 * + SHA1( master + pad2 +
3064 * SHA1( handshake + sender + master + pad1 ) )
Paul Bakker5121ce52009-01-03 21:22:43 +00003065 */
3066
Paul Bakker90995b52013-06-24 19:20:35 +02003067#if !defined(POLARSSL_MD5_ALT)
Paul Bakker5121ce52009-01-03 21:22:43 +00003068 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003069 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003070#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003071
Paul Bakker90995b52013-06-24 19:20:35 +02003072#if !defined(POLARSSL_SHA1_ALT)
Paul Bakker5121ce52009-01-03 21:22:43 +00003073 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003074 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003075#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003076
Paul Bakker3c2122f2013-06-24 19:03:14 +02003077 sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
3078 : "SRVR";
Paul Bakker5121ce52009-01-03 21:22:43 +00003079
Paul Bakker1ef83d62012-04-11 12:09:53 +00003080 memset( padbuf, 0x36, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003081
Paul Bakker3c2122f2013-06-24 19:03:14 +02003082 md5_update( &md5, (const unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +00003083 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003084 md5_update( &md5, padbuf, 48 );
3085 md5_finish( &md5, md5sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00003086
Paul Bakker3c2122f2013-06-24 19:03:14 +02003087 sha1_update( &sha1, (const unsigned char *) sender, 4 );
Paul Bakker48916f92012-09-16 19:57:18 +00003088 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003089 sha1_update( &sha1, padbuf, 40 );
3090 sha1_finish( &sha1, sha1sum );
Paul Bakker5121ce52009-01-03 21:22:43 +00003091
Paul Bakker1ef83d62012-04-11 12:09:53 +00003092 memset( padbuf, 0x5C, 48 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003093
Paul Bakker1ef83d62012-04-11 12:09:53 +00003094 md5_starts( &md5 );
Paul Bakker48916f92012-09-16 19:57:18 +00003095 md5_update( &md5, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003096 md5_update( &md5, padbuf, 48 );
3097 md5_update( &md5, md5sum, 16 );
3098 md5_finish( &md5, buf );
Paul Bakker5121ce52009-01-03 21:22:43 +00003099
Paul Bakker1ef83d62012-04-11 12:09:53 +00003100 sha1_starts( &sha1 );
Paul Bakker48916f92012-09-16 19:57:18 +00003101 sha1_update( &sha1, session->master, 48 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003102 sha1_update( &sha1, padbuf , 40 );
3103 sha1_update( &sha1, sha1sum, 20 );
3104 sha1_finish( &sha1, buf + 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003105
Paul Bakker1ef83d62012-04-11 12:09:53 +00003106 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003107
Paul Bakker5b4af392014-06-26 12:09:34 +02003108 md5_free( &md5 );
3109 sha1_free( &sha1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003110
Paul Bakker34617722014-06-13 17:20:13 +02003111 polarssl_zeroize( padbuf, sizeof( padbuf ) );
3112 polarssl_zeroize( md5sum, sizeof( md5sum ) );
3113 polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003114
3115 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3116}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003117#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakker5121ce52009-01-03 21:22:43 +00003118
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003119#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003120static void ssl_calc_finished_tls(
3121 ssl_context *ssl, unsigned char *buf, int from )
Paul Bakker5121ce52009-01-03 21:22:43 +00003122{
Paul Bakker1ef83d62012-04-11 12:09:53 +00003123 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02003124 const char *sender;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003125 md5_context md5;
Paul Bakker5121ce52009-01-03 21:22:43 +00003126 sha1_context sha1;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003127 unsigned char padbuf[36];
Paul Bakker5121ce52009-01-03 21:22:43 +00003128
Paul Bakker48916f92012-09-16 19:57:18 +00003129 ssl_session *session = ssl->session_negotiate;
3130 if( !session )
3131 session = ssl->session;
3132
Paul Bakker1ef83d62012-04-11 12:09:53 +00003133 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003134
Paul Bakker48916f92012-09-16 19:57:18 +00003135 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
3136 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003137
Paul Bakker1ef83d62012-04-11 12:09:53 +00003138 /*
3139 * TLSv1:
3140 * hash = PRF( master, finished_label,
3141 * MD5( handshake ) + SHA1( handshake ) )[0..11]
3142 */
Paul Bakker5121ce52009-01-03 21:22:43 +00003143
Paul Bakker90995b52013-06-24 19:20:35 +02003144#if !defined(POLARSSL_MD5_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003145 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
3146 md5.state, sizeof( md5.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003147#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00003148
Paul Bakker90995b52013-06-24 19:20:35 +02003149#if !defined(POLARSSL_SHA1_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003150 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
3151 sha1.state, sizeof( sha1.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003152#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00003153
3154 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02003155 ? "client finished"
3156 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00003157
3158 md5_finish( &md5, padbuf );
3159 sha1_finish( &sha1, padbuf + 16 );
3160
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003161 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00003162 padbuf, 36, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003163
3164 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3165
Paul Bakker5b4af392014-06-26 12:09:34 +02003166 md5_free( &md5 );
3167 sha1_free( &sha1 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003168
Paul Bakker34617722014-06-13 17:20:13 +02003169 polarssl_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003170
3171 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3172}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003173#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
Paul Bakker1ef83d62012-04-11 12:09:53 +00003174
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003175#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3176#if defined(POLARSSL_SHA256_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00003177static void ssl_calc_finished_tls_sha256(
Paul Bakker1ef83d62012-04-11 12:09:53 +00003178 ssl_context *ssl, unsigned char *buf, int from )
3179{
3180 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02003181 const char *sender;
Paul Bakker9e36f042013-06-30 14:34:05 +02003182 sha256_context sha256;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003183 unsigned char padbuf[32];
3184
Paul Bakker48916f92012-09-16 19:57:18 +00003185 ssl_session *session = ssl->session_negotiate;
3186 if( !session )
3187 session = ssl->session;
3188
Paul Bakker380da532012-04-18 16:10:25 +00003189 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003190
Paul Bakker9e36f042013-06-30 14:34:05 +02003191 memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003192
3193 /*
3194 * TLSv1.2:
3195 * hash = PRF( master, finished_label,
3196 * Hash( handshake ) )[0.11]
3197 */
3198
Paul Bakker9e36f042013-06-30 14:34:05 +02003199#if !defined(POLARSSL_SHA256_ALT)
Paul Bakker1ef83d62012-04-11 12:09:53 +00003200 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
Paul Bakker9e36f042013-06-30 14:34:05 +02003201 sha256.state, sizeof( sha256.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003202#endif
Paul Bakker1ef83d62012-04-11 12:09:53 +00003203
3204 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02003205 ? "client finished"
3206 : "server finished";
Paul Bakker1ef83d62012-04-11 12:09:53 +00003207
Paul Bakker9e36f042013-06-30 14:34:05 +02003208 sha256_finish( &sha256, padbuf );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003209
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003210 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00003211 padbuf, 32, buf, len );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003212
3213 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3214
Paul Bakker5b4af392014-06-26 12:09:34 +02003215 sha256_free( &sha256 );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003216
Paul Bakker34617722014-06-13 17:20:13 +02003217 polarssl_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003218
3219 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3220}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003221#endif /* POLARSSL_SHA256_C */
Paul Bakker1ef83d62012-04-11 12:09:53 +00003222
Paul Bakker9e36f042013-06-30 14:34:05 +02003223#if defined(POLARSSL_SHA512_C)
Paul Bakkerca4ab492012-04-18 14:23:57 +00003224static void ssl_calc_finished_tls_sha384(
3225 ssl_context *ssl, unsigned char *buf, int from )
3226{
3227 int len = 12;
Paul Bakker3c2122f2013-06-24 19:03:14 +02003228 const char *sender;
Paul Bakker9e36f042013-06-30 14:34:05 +02003229 sha512_context sha512;
Paul Bakkerca4ab492012-04-18 14:23:57 +00003230 unsigned char padbuf[48];
3231
Paul Bakker48916f92012-09-16 19:57:18 +00003232 ssl_session *session = ssl->session_negotiate;
3233 if( !session )
3234 session = ssl->session;
3235
Paul Bakker380da532012-04-18 16:10:25 +00003236 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003237
Paul Bakker9e36f042013-06-30 14:34:05 +02003238 memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003239
3240 /*
3241 * TLSv1.2:
3242 * hash = PRF( master, finished_label,
3243 * Hash( handshake ) )[0.11]
3244 */
3245
Paul Bakker9e36f042013-06-30 14:34:05 +02003246#if !defined(POLARSSL_SHA512_ALT)
3247 SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3248 sha512.state, sizeof( sha512.state ) );
Paul Bakker90995b52013-06-24 19:20:35 +02003249#endif
Paul Bakkerca4ab492012-04-18 14:23:57 +00003250
3251 sender = ( from == SSL_IS_CLIENT )
Paul Bakker3c2122f2013-06-24 19:03:14 +02003252 ? "client finished"
3253 : "server finished";
Paul Bakkerca4ab492012-04-18 14:23:57 +00003254
Paul Bakker9e36f042013-06-30 14:34:05 +02003255 sha512_finish( &sha512, padbuf );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003256
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003257 ssl->handshake->tls_prf( session->master, 48, sender,
Paul Bakker48916f92012-09-16 19:57:18 +00003258 padbuf, 48, buf, len );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003259
3260 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3261
Paul Bakker5b4af392014-06-26 12:09:34 +02003262 sha512_free( &sha512 );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003263
Paul Bakker34617722014-06-13 17:20:13 +02003264 polarssl_zeroize( padbuf, sizeof( padbuf ) );
Paul Bakkerca4ab492012-04-18 14:23:57 +00003265
3266 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3267}
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003268#endif /* POLARSSL_SHA512_C */
3269#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakkerca4ab492012-04-18 14:23:57 +00003270
Paul Bakker48916f92012-09-16 19:57:18 +00003271void ssl_handshake_wrapup( ssl_context *ssl )
3272{
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02003273 int resume = ssl->handshake->resume;
3274
Paul Bakker48916f92012-09-16 19:57:18 +00003275 SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3276
3277 /*
3278 * Free our handshake params
3279 */
3280 ssl_handshake_free( ssl->handshake );
Paul Bakker6e339b52013-07-03 13:37:05 +02003281 polarssl_free( ssl->handshake );
Paul Bakker48916f92012-09-16 19:57:18 +00003282 ssl->handshake = NULL;
3283
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003284#if defined(POLARSSL_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnardcaed0542013-10-30 12:47:35 +01003285 if( ssl->renegotiation == SSL_RENEGOTIATION )
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02003286 {
Manuel Pégourié-Gonnardcaed0542013-10-30 12:47:35 +01003287 ssl->renegotiation = SSL_RENEGOTIATION_DONE;
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02003288 ssl->renego_records_seen = 0;
3289 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003290#endif
Manuel Pégourié-Gonnardcaed0542013-10-30 12:47:35 +01003291
Paul Bakker48916f92012-09-16 19:57:18 +00003292 /*
3293 * Switch in our now active transform context
3294 */
3295 if( ssl->transform )
3296 {
3297 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02003298 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00003299 }
3300 ssl->transform = ssl->transform_negotiate;
3301 ssl->transform_negotiate = NULL;
3302
Paul Bakker0a597072012-09-25 21:55:46 +00003303 if( ssl->session )
3304 {
Manuel Pégourié-Gonnard1a034732014-11-04 17:36:18 +01003305#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
3306 /* RFC 7366 3.1: keep the EtM state */
3307 ssl->session_negotiate->encrypt_then_mac =
3308 ssl->session->encrypt_then_mac;
3309#endif
3310
Paul Bakker0a597072012-09-25 21:55:46 +00003311 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02003312 polarssl_free( ssl->session );
Paul Bakker0a597072012-09-25 21:55:46 +00003313 }
3314 ssl->session = ssl->session_negotiate;
Paul Bakker48916f92012-09-16 19:57:18 +00003315 ssl->session_negotiate = NULL;
3316
Paul Bakker0a597072012-09-25 21:55:46 +00003317 /*
3318 * Add cache entry
3319 */
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02003320 if( ssl->f_set_cache != NULL &&
3321 ssl->session->length != 0 &&
3322 resume == 0 )
3323 {
Paul Bakker0a597072012-09-25 21:55:46 +00003324 if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3325 SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
Manuel Pégourié-Gonnardc086cce2013-08-02 14:13:02 +02003326 }
Paul Bakker0a597072012-09-25 21:55:46 +00003327
Paul Bakker48916f92012-09-16 19:57:18 +00003328 ssl->state++;
3329
3330 SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3331}
3332
Paul Bakker1ef83d62012-04-11 12:09:53 +00003333int ssl_write_finished( ssl_context *ssl )
3334{
3335 int ret, hash_len;
3336
3337 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3338
Paul Bakker92be97b2013-01-02 17:30:03 +01003339 /*
3340 * Set the out_msg pointer to the correct location based on IV length
3341 */
3342 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3343 {
3344 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3345 ssl->transform_negotiate->fixed_ivlen;
3346 }
3347 else
3348 ssl->out_msg = ssl->out_iv;
3349
Paul Bakker48916f92012-09-16 19:57:18 +00003350 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003351
3352 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +00003353 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3354
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003355#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00003356 ssl->verify_data_len = hash_len;
3357 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003358#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003359
Paul Bakker5121ce52009-01-03 21:22:43 +00003360 ssl->out_msglen = 4 + hash_len;
3361 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
3362 ssl->out_msg[0] = SSL_HS_FINISHED;
3363
3364 /*
3365 * In case of session resuming, invert the client and server
3366 * ChangeCipherSpec messages order.
3367 */
Paul Bakker0a597072012-09-25 21:55:46 +00003368 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003369 {
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003370#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003371 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker48916f92012-09-16 19:57:18 +00003372 ssl->state = SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003373#endif
3374#if defined(POLARSSL_SSL_SRV_C)
3375 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker5121ce52009-01-03 21:22:43 +00003376 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003377#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003378 }
3379 else
3380 ssl->state++;
3381
Paul Bakker48916f92012-09-16 19:57:18 +00003382 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02003383 * Switch to our negotiated transform and session parameters for outbound
3384 * data.
Paul Bakker48916f92012-09-16 19:57:18 +00003385 */
3386 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3387 ssl->transform_out = ssl->transform_negotiate;
3388 ssl->session_out = ssl->session_negotiate;
3389 memset( ssl->out_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003390
Paul Bakker07eb38b2012-12-19 14:42:06 +01003391#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02003392 if( ssl_hw_record_activate != NULL )
Paul Bakker07eb38b2012-12-19 14:42:06 +01003393 {
3394 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3395 {
3396 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3397 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3398 }
3399 }
3400#endif
3401
Paul Bakker5121ce52009-01-03 21:22:43 +00003402 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3403 {
3404 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3405 return( ret );
3406 }
3407
3408 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3409
3410 return( 0 );
3411}
3412
3413int ssl_parse_finished( ssl_context *ssl )
3414{
Paul Bakker23986e52011-04-24 08:57:21 +00003415 int ret;
3416 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +00003417 unsigned char buf[36];
3418
3419 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3420
Paul Bakker48916f92012-09-16 19:57:18 +00003421 ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003422
Paul Bakker48916f92012-09-16 19:57:18 +00003423 /*
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02003424 * Switch to our negotiated transform and session parameters for inbound
3425 * data.
Paul Bakker48916f92012-09-16 19:57:18 +00003426 */
3427 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3428 ssl->transform_in = ssl->transform_negotiate;
3429 ssl->session_in = ssl->session_negotiate;
3430 memset( ssl->in_ctr, 0, 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003431
Paul Bakker92be97b2013-01-02 17:30:03 +01003432 /*
3433 * Set the in_msg pointer to the correct location based on IV length
3434 */
3435 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3436 {
3437 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3438 ssl->transform_negotiate->fixed_ivlen;
3439 }
3440 else
3441 ssl->in_msg = ssl->in_iv;
3442
Paul Bakker07eb38b2012-12-19 14:42:06 +01003443#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02003444 if( ssl_hw_record_activate != NULL )
Paul Bakker07eb38b2012-12-19 14:42:06 +01003445 {
3446 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3447 {
3448 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3449 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3450 }
3451 }
3452#endif
3453
Paul Bakker5121ce52009-01-03 21:22:43 +00003454 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3455 {
3456 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3457 return( ret );
3458 }
3459
3460 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3461 {
3462 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003463 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00003464 }
3465
Paul Bakker1ef83d62012-04-11 12:09:53 +00003466 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
Paul Bakker5121ce52009-01-03 21:22:43 +00003467 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3468
3469 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3470 ssl->in_hslen != 4 + hash_len )
3471 {
3472 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003473 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00003474 }
3475
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01003476 if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003477 {
3478 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00003479 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +00003480 }
3481
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003482#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00003483 ssl->verify_data_len = hash_len;
3484 memcpy( ssl->peer_verify_data, buf, hash_len );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003485#endif
Paul Bakker48916f92012-09-16 19:57:18 +00003486
Paul Bakker0a597072012-09-25 21:55:46 +00003487 if( ssl->handshake->resume != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003488 {
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003489#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003490 if( ssl->endpoint == SSL_IS_CLIENT )
3491 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003492#endif
3493#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00003494 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker48916f92012-09-16 19:57:18 +00003495 ssl->state = SSL_HANDSHAKE_WRAPUP;
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003496#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003497 }
3498 else
3499 ssl->state++;
3500
3501 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3502
3503 return( 0 );
3504}
3505
Paul Bakker968afaa2014-07-09 11:09:24 +02003506static void ssl_handshake_params_init( ssl_handshake_params *handshake )
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003507{
3508 memset( handshake, 0, sizeof( ssl_handshake_params ) );
3509
3510#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3511 defined(POLARSSL_SSL_PROTO_TLS1_1)
3512 md5_init( &handshake->fin_md5 );
3513 sha1_init( &handshake->fin_sha1 );
3514 md5_starts( &handshake->fin_md5 );
3515 sha1_starts( &handshake->fin_sha1 );
3516#endif
3517#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3518#if defined(POLARSSL_SHA256_C)
3519 sha256_init( &handshake->fin_sha256 );
3520 sha256_starts( &handshake->fin_sha256, 0 );
3521#endif
3522#if defined(POLARSSL_SHA512_C)
3523 sha512_init( &handshake->fin_sha512 );
3524 sha512_starts( &handshake->fin_sha512, 1 );
3525#endif
3526#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3527
3528 handshake->update_checksum = ssl_update_checksum_start;
Hanno Beckerc2b9d982017-05-10 16:37:21 +01003529
3530#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
3531 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
3532 ssl_sig_hash_set_init( &handshake->hash_algs );
3533#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003534
3535#if defined(POLARSSL_DHM_C)
3536 dhm_init( &handshake->dhm_ctx );
3537#endif
3538#if defined(POLARSSL_ECDH_C)
3539 ecdh_init( &handshake->ecdh_ctx );
3540#endif
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003541}
3542
3543static void ssl_transform_init( ssl_transform *transform )
3544{
3545 memset( transform, 0, sizeof(ssl_transform) );
Paul Bakker84bbeb52014-07-01 14:53:22 +02003546
3547 cipher_init( &transform->cipher_ctx_enc );
3548 cipher_init( &transform->cipher_ctx_dec );
3549
3550 md_init( &transform->md_ctx_enc );
3551 md_init( &transform->md_ctx_dec );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003552}
3553
3554void ssl_session_init( ssl_session *session )
3555{
3556 memset( session, 0, sizeof(ssl_session) );
3557}
3558
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +02003559static int ssl_handshake_init( ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00003560{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003561 /* Clear old handshake information if present */
Paul Bakker48916f92012-09-16 19:57:18 +00003562 if( ssl->transform_negotiate )
3563 ssl_transform_free( ssl->transform_negotiate );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003564 if( ssl->session_negotiate )
3565 ssl_session_free( ssl->session_negotiate );
3566 if( ssl->handshake )
3567 ssl_handshake_free( ssl->handshake );
3568
3569 /*
3570 * Either the pointers are now NULL or cleared properly and can be freed.
3571 * Now allocate missing structures.
3572 */
3573 if( ssl->transform_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003574 {
Mansour Moufid99b92592015-02-15 17:46:32 -05003575 ssl->transform_negotiate = polarssl_malloc( sizeof(ssl_transform) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003576 }
Paul Bakker48916f92012-09-16 19:57:18 +00003577
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003578 if( ssl->session_negotiate == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003579 {
Mansour Moufid99b92592015-02-15 17:46:32 -05003580 ssl->session_negotiate = polarssl_malloc( sizeof(ssl_session) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003581 }
Paul Bakker48916f92012-09-16 19:57:18 +00003582
Paul Bakker82788fb2014-10-20 13:59:19 +02003583 if( ssl->handshake == NULL )
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003584 {
Mansour Moufid99b92592015-02-15 17:46:32 -05003585 ssl->handshake = polarssl_malloc( sizeof(ssl_handshake_params) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003586 }
Paul Bakker48916f92012-09-16 19:57:18 +00003587
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003588 /* All pointers should exist and can be directly freed without issue */
Paul Bakker48916f92012-09-16 19:57:18 +00003589 if( ssl->handshake == NULL ||
3590 ssl->transform_negotiate == NULL ||
3591 ssl->session_negotiate == NULL )
3592 {
3593 SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003594
3595 polarssl_free( ssl->handshake );
3596 polarssl_free( ssl->transform_negotiate );
3597 polarssl_free( ssl->session_negotiate );
3598
3599 ssl->handshake = NULL;
3600 ssl->transform_negotiate = NULL;
3601 ssl->session_negotiate = NULL;
3602
Paul Bakker48916f92012-09-16 19:57:18 +00003603 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3604 }
3605
Paul Bakkeraccaffe2014-06-26 13:37:14 +02003606 /* Initialize structures */
3607 ssl_session_init( ssl->session_negotiate );
3608 ssl_transform_init( ssl->transform_negotiate );
Paul Bakker968afaa2014-07-09 11:09:24 +02003609 ssl_handshake_params_init( ssl->handshake );
3610
3611#if defined(POLARSSL_X509_CRT_PARSE_C)
3612 ssl->handshake->key_cert = ssl->key_cert;
3613#endif
Manuel Pégourié-Gonnarde5e1bb92013-10-30 11:25:30 +01003614
Paul Bakker48916f92012-09-16 19:57:18 +00003615 return( 0 );
3616}
3617
Paul Bakker5121ce52009-01-03 21:22:43 +00003618/*
3619 * Initialize an SSL context
3620 */
3621int ssl_init( ssl_context *ssl )
3622{
Paul Bakker48916f92012-09-16 19:57:18 +00003623 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00003624 int len = SSL_BUFFER_LEN;
3625
3626 memset( ssl, 0, sizeof( ssl_context ) );
3627
Paul Bakker62f2dee2012-09-28 07:31:51 +00003628 /*
3629 * Sane defaults
3630 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003631 ssl->min_major_ver = SSL_MIN_MAJOR_VERSION;
3632 ssl->min_minor_ver = SSL_MIN_MINOR_VERSION;
3633 ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
3634 ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
Paul Bakker1d29fb52012-09-28 13:28:45 +00003635
Paul Bakker8f4ddae2013-04-15 15:09:54 +02003636 ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
Paul Bakker645ce3a2012-10-31 12:32:41 +00003637
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003638#if defined(POLARSSL_SSL_RENEGOTIATION)
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02003639 ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01003640 memset( ssl->renego_period, 0xFF, 7 );
3641 ssl->renego_period[7] = 0x00;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003642#endif
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02003643
Paul Bakker62f2dee2012-09-28 07:31:51 +00003644#if defined(POLARSSL_DHM_C)
3645 if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
Manuel Pégourié-Gonnardf0f399d2015-07-03 17:45:57 +02003646 POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
Paul Bakker62f2dee2012-09-28 07:31:51 +00003647 ( ret = mpi_read_string( &ssl->dhm_G, 16,
Manuel Pégourié-Gonnardf0f399d2015-07-03 17:45:57 +02003648 POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
Paul Bakker62f2dee2012-09-28 07:31:51 +00003649 {
3650 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3651 return( ret );
3652 }
3653#endif
3654
3655 /*
3656 * Prepare base structures
3657 */
Manuel Pégourié-Gonnardf7db5e02015-02-18 10:32:41 +00003658 if( ( ssl->in_ctr = polarssl_malloc( len ) ) == NULL ||
3659 ( ssl->out_ctr = polarssl_malloc( len ) ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003660 {
3661 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker3d6504a2014-03-17 13:41:51 +01003662 polarssl_free( ssl->in_ctr );
3663 ssl->in_ctr = NULL;
Paul Bakker69e095c2011-12-10 21:55:01 +00003664 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +00003665 }
3666
3667 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3668 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3669
Manuel Pégourié-Gonnardf7db5e02015-02-18 10:32:41 +00003670 ssl->in_hdr = ssl->in_ctr + 8;
3671 ssl->in_iv = ssl->in_ctr + 13;
3672 ssl->in_msg = ssl->in_ctr + 13;
3673
3674 ssl->out_hdr = ssl->out_ctr + 8;
3675 ssl->out_iv = ssl->out_ctr + 13;
3676 ssl->out_msg = ssl->out_ctr + 13;
3677
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01003678#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
3679 ssl->encrypt_then_mac = SSL_ETM_ENABLED;
3680#endif
3681
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02003682#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
3683 ssl->extended_ms = SSL_EXTENDED_MS_ENABLED;
3684#endif
3685
Paul Bakker606b4ba2013-08-14 16:52:14 +02003686#if defined(POLARSSL_SSL_SESSION_TICKETS)
3687 ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
3688#endif
3689
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01003690#if defined(POLARSSL_SSL_SET_CURVES)
Manuel Pégourié-Gonnardac719412014-02-04 14:48:50 +01003691 ssl->curve_list = ecp_grp_id_list( );
Gergely Budai987bfb52014-01-19 21:48:42 +01003692#endif
3693
Paul Bakker48916f92012-09-16 19:57:18 +00003694 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3695 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003696
3697 return( 0 );
3698}
3699
3700/*
Paul Bakker7eb013f2011-10-06 12:37:39 +00003701 * Reset an initialized and used SSL context for re-use while retaining
3702 * all application-set variables, function pointers and data.
3703 */
Paul Bakker2770fbd2012-07-03 13:30:23 +00003704int ssl_session_reset( ssl_context *ssl )
Paul Bakker7eb013f2011-10-06 12:37:39 +00003705{
Paul Bakker48916f92012-09-16 19:57:18 +00003706 int ret;
3707
Paul Bakker7eb013f2011-10-06 12:37:39 +00003708 ssl->state = SSL_HELLO_REQUEST;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003709
3710#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00003711 ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003712 ssl->renego_records_seen = 0;
Paul Bakker48916f92012-09-16 19:57:18 +00003713
3714 ssl->verify_data_len = 0;
Manuel Pégourié-Gonnard61860192014-11-04 13:05:42 +01003715 memset( ssl->own_verify_data, 0, SSL_VERIFY_DATA_MAX_LEN );
3716 memset( ssl->peer_verify_data, 0, SSL_VERIFY_DATA_MAX_LEN );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01003717#endif
3718 ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
Paul Bakker48916f92012-09-16 19:57:18 +00003719
Paul Bakker7eb013f2011-10-06 12:37:39 +00003720 ssl->in_offt = NULL;
3721
Paul Bakker92be97b2013-01-02 17:30:03 +01003722 ssl->in_msg = ssl->in_ctr + 13;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003723 ssl->in_msgtype = 0;
3724 ssl->in_msglen = 0;
3725 ssl->in_left = 0;
3726
3727 ssl->in_hslen = 0;
3728 ssl->nb_zero = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02003729 ssl->record_read = 0;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003730
Paul Bakker92be97b2013-01-02 17:30:03 +01003731 ssl->out_msg = ssl->out_ctr + 13;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003732 ssl->out_msgtype = 0;
3733 ssl->out_msglen = 0;
3734 ssl->out_left = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01003735#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01003736 if( ssl->split_done != SSL_CBC_RECORD_SPLITTING_DISABLED )
3737 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01003738#endif
Paul Bakker7eb013f2011-10-06 12:37:39 +00003739
Paul Bakker48916f92012-09-16 19:57:18 +00003740 ssl->transform_in = NULL;
3741 ssl->transform_out = NULL;
Paul Bakker7eb013f2011-10-06 12:37:39 +00003742
3743 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3744 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
Paul Bakker05ef8352012-05-08 09:17:57 +00003745
3746#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
Paul Bakker66d5d072014-06-17 16:39:18 +02003747 if( ssl_hw_record_reset != NULL )
Paul Bakker05ef8352012-05-08 09:17:57 +00003748 {
3749 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
Paul Bakker07eb38b2012-12-19 14:42:06 +01003750 if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
Paul Bakker2770fbd2012-07-03 13:30:23 +00003751 {
3752 SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3753 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3754 }
Paul Bakker05ef8352012-05-08 09:17:57 +00003755 }
3756#endif
Paul Bakker2770fbd2012-07-03 13:30:23 +00003757
Paul Bakker48916f92012-09-16 19:57:18 +00003758 if( ssl->transform )
Paul Bakker2770fbd2012-07-03 13:30:23 +00003759 {
Paul Bakker48916f92012-09-16 19:57:18 +00003760 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02003761 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00003762 ssl->transform = NULL;
Paul Bakker2770fbd2012-07-03 13:30:23 +00003763 }
Paul Bakker48916f92012-09-16 19:57:18 +00003764
Paul Bakkerc0463502013-02-14 11:19:38 +01003765 if( ssl->session )
3766 {
3767 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02003768 polarssl_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01003769 ssl->session = NULL;
3770 }
3771
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02003772#if defined(POLARSSL_SSL_ALPN)
3773 ssl->alpn_chosen = NULL;
3774#endif
3775
Paul Bakker48916f92012-09-16 19:57:18 +00003776 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3777 return( ret );
Paul Bakker2770fbd2012-07-03 13:30:23 +00003778
3779 return( 0 );
Paul Bakker7eb013f2011-10-06 12:37:39 +00003780}
3781
Paul Bakkera503a632013-08-14 13:48:06 +02003782#if defined(POLARSSL_SSL_SESSION_TICKETS)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003783static void ssl_ticket_keys_free( ssl_ticket_keys *tkeys )
3784{
3785 aes_free( &tkeys->enc );
3786 aes_free( &tkeys->dec );
3787
3788 polarssl_zeroize( tkeys, sizeof(ssl_ticket_keys) );
3789}
3790
Paul Bakker7eb013f2011-10-06 12:37:39 +00003791/*
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003792 * Allocate and initialize ticket keys
3793 */
3794static int ssl_ticket_keys_init( ssl_context *ssl )
3795{
3796 int ret;
3797 ssl_ticket_keys *tkeys;
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +02003798 unsigned char buf[16];
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003799
3800 if( ssl->ticket_keys != NULL )
3801 return( 0 );
3802
Mansour Moufidc531b4a2015-02-15 17:35:38 -05003803 tkeys = polarssl_malloc( sizeof(ssl_ticket_keys) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003804 if( tkeys == NULL )
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003805 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3806
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003807 aes_init( &tkeys->enc );
3808 aes_init( &tkeys->dec );
3809
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003810 if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
Paul Bakker6f0636a2013-12-16 15:24:05 +01003811 {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003812 ssl_ticket_keys_free( tkeys );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003813 polarssl_free( tkeys );
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003814 return( ret );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003815 }
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003816
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +02003817 if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3818 ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3819 ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3820 {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003821 ssl_ticket_keys_free( tkeys );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003822 polarssl_free( tkeys );
3823 return( ret );
Manuel Pégourié-Gonnard990c51a2013-08-03 15:37:58 +02003824 }
3825
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +02003826 if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
Paul Bakker6f0636a2013-12-16 15:24:05 +01003827 {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02003828 ssl_ticket_keys_free( tkeys );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003829 polarssl_free( tkeys );
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +02003830 return( ret );
Paul Bakker6f0636a2013-12-16 15:24:05 +01003831 }
Manuel Pégourié-Gonnard56dc9e82013-08-03 17:16:31 +02003832
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003833 ssl->ticket_keys = tkeys;
3834
3835 return( 0 );
3836}
Paul Bakkera503a632013-08-14 13:48:06 +02003837#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02003838
3839/*
Paul Bakker5121ce52009-01-03 21:22:43 +00003840 * SSL set accessors
3841 */
3842void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3843{
3844 ssl->endpoint = endpoint;
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02003845
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003846#if defined(POLARSSL_SSL_SESSION_TICKETS) && \
3847 defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02003848 if( endpoint == SSL_IS_CLIENT )
3849 ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
Paul Bakker606b4ba2013-08-14 16:52:14 +02003850#endif
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +01003851
3852#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
3853 if( endpoint == SSL_IS_SERVER )
3854 ssl->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
3855#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00003856}
3857
3858void ssl_set_authmode( ssl_context *ssl, int authmode )
3859{
3860 ssl->authmode = authmode;
3861}
3862
Paul Bakker7c6b2c32013-09-16 13:49:26 +02003863#if defined(POLARSSL_X509_CRT_PARSE_C)
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003864void ssl_set_verify( ssl_context *ssl,
Paul Bakkerc559c7a2013-09-18 14:13:26 +02003865 int (*f_vrfy)(void *, x509_crt *, int, int *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003866 void *p_vrfy )
3867{
3868 ssl->f_vrfy = f_vrfy;
3869 ssl->p_vrfy = p_vrfy;
3870}
Paul Bakker7c6b2c32013-09-16 13:49:26 +02003871#endif /* POLARSSL_X509_CRT_PARSE_C */
Paul Bakkerb63b0af2011-01-13 17:54:59 +00003872
Paul Bakker5121ce52009-01-03 21:22:43 +00003873void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +00003874 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +00003875 void *p_rng )
3876{
3877 ssl->f_rng = f_rng;
3878 ssl->p_rng = p_rng;
3879}
3880
3881void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +00003882 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +00003883 void *p_dbg )
3884{
3885 ssl->f_dbg = f_dbg;
3886 ssl->p_dbg = p_dbg;
3887}
3888
3889void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +00003890 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +00003891 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +00003892{
3893 ssl->f_recv = f_recv;
3894 ssl->f_send = f_send;
3895 ssl->p_recv = p_recv;
3896 ssl->p_send = p_send;
3897}
3898
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003899#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker0a597072012-09-25 21:55:46 +00003900void ssl_set_session_cache( ssl_context *ssl,
3901 int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3902 int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
Paul Bakker5121ce52009-01-03 21:22:43 +00003903{
Paul Bakker0a597072012-09-25 21:55:46 +00003904 ssl->f_get_cache = f_get_cache;
3905 ssl->p_get_cache = p_get_cache;
3906 ssl->f_set_cache = f_set_cache;
3907 ssl->p_set_cache = p_set_cache;
Paul Bakker5121ce52009-01-03 21:22:43 +00003908}
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003909#endif /* POLARSSL_SSL_SRV_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003910
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003911#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003912int ssl_set_session( ssl_context *ssl, const ssl_session *session )
Paul Bakker5121ce52009-01-03 21:22:43 +00003913{
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003914 int ret;
3915
3916 if( ssl == NULL ||
3917 session == NULL ||
3918 ssl->session_negotiate == NULL ||
3919 ssl->endpoint != SSL_IS_CLIENT )
3920 {
3921 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3922 }
3923
3924 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3925 return( ret );
3926
Paul Bakker0a597072012-09-25 21:55:46 +00003927 ssl->handshake->resume = 1;
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02003928
3929 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00003930}
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01003931#endif /* POLARSSL_SSL_CLI_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00003932
Paul Bakkerb68cad62012-08-23 08:34:18 +00003933void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +00003934{
Paul Bakker8f4ddae2013-04-15 15:09:54 +02003935 ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3936 ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3937 ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3938 ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3939}
3940
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02003941void ssl_set_ciphersuites_for_version( ssl_context *ssl,
3942 const int *ciphersuites,
Paul Bakker8f4ddae2013-04-15 15:09:54 +02003943 int major, int minor )
3944{
3945 if( major != SSL_MAJOR_VERSION_3 )
3946 return;
3947
3948 if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3949 return;
3950
3951 ssl->ciphersuite_list[minor] = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +00003952}
3953
Paul Bakker7c6b2c32013-09-16 13:49:26 +02003954#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003955/* Add a new (empty) key_cert entry an return a pointer to it */
3956static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3957{
3958 ssl_key_cert *key_cert, *last;
3959
Mansour Moufidc531b4a2015-02-15 17:35:38 -05003960 key_cert = polarssl_malloc( sizeof(ssl_key_cert) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02003961 if( key_cert == NULL )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003962 return( NULL );
3963
3964 memset( key_cert, 0, sizeof( ssl_key_cert ) );
3965
3966 /* Append the new key_cert to the (possibly empty) current list */
3967 if( ssl->key_cert == NULL )
Paul Bakker0333b972013-11-04 17:08:28 +01003968 {
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003969 ssl->key_cert = key_cert;
Paul Bakker08b028f2013-11-19 10:42:37 +01003970 if( ssl->handshake != NULL )
3971 ssl->handshake->key_cert = key_cert;
Paul Bakker0333b972013-11-04 17:08:28 +01003972 }
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003973 else
3974 {
3975 last = ssl->key_cert;
3976 while( last->next != NULL )
3977 last = last->next;
3978 last->next = key_cert;
3979 }
3980
Paul Bakkerd8bb8262014-06-17 14:06:49 +02003981 return( key_cert );
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003982}
3983
Paul Bakkerc559c7a2013-09-18 14:13:26 +02003984void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +00003985 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +00003986{
3987 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +00003988 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +00003989 ssl->peer_cn = peer_cn;
3990}
3991
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003992int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
Manuel Pégourié-Gonnardac755232013-08-19 14:10:16 +02003993 pk_context *pk_key )
Paul Bakker5121ce52009-01-03 21:22:43 +00003994{
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02003995 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3996
3997 if( key_cert == NULL )
3998 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3999
4000 key_cert->cert = own_cert;
4001 key_cert->key = pk_key;
4002
Manuel Pégourié-Gonnardf427f882015-03-10 15:35:29 +00004003 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004004}
4005
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +01004006#if ! defined(POLARSSL_DEPRECATED_REMOVED)
Manuel Pégourié-Gonnardac755232013-08-19 14:10:16 +02004007#if defined(POLARSSL_RSA_C)
Paul Bakkerc559c7a2013-09-18 14:13:26 +02004008int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
Manuel Pégourié-Gonnardac755232013-08-19 14:10:16 +02004009 rsa_context *rsa_key )
Paul Bakker43b7e352011-01-18 15:27:19 +00004010{
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004011 int ret;
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004012 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004013
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004014 if( key_cert == NULL )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004015 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
4016
Mansour Moufidc531b4a2015-02-15 17:35:38 -05004017 key_cert->key = polarssl_malloc( sizeof(pk_context) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02004018 if( key_cert->key == NULL )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004019 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004020
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004021 pk_init( key_cert->key );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004022
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004023 ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004024 if( ret != 0 )
4025 return( ret );
4026
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02004027 if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02004028 return( ret );
4029
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004030 key_cert->cert = own_cert;
4031 key_cert->key_own_alloc = 1;
4032
Manuel Pégourié-Gonnardf427f882015-03-10 15:35:29 +00004033 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004034}
Manuel Pégourié-Gonnardac755232013-08-19 14:10:16 +02004035#endif /* POLARSSL_RSA_C */
Paul Bakker5121ce52009-01-03 21:22:43 +00004036
Paul Bakkerc559c7a2013-09-18 14:13:26 +02004037int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
Manuel Pégourié-Gonnard2fb15f62013-08-22 17:54:20 +02004038 void *rsa_key,
4039 rsa_decrypt_func rsa_decrypt,
4040 rsa_sign_func rsa_sign,
4041 rsa_key_len_func rsa_key_len )
Paul Bakker43b7e352011-01-18 15:27:19 +00004042{
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004043 int ret;
4044 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02004045
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004046 if( key_cert == NULL )
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02004047 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
4048
Mansour Moufidc531b4a2015-02-15 17:35:38 -05004049 key_cert->key = polarssl_malloc( sizeof(pk_context) );
Paul Bakkerb9cfaa02013-10-11 18:58:55 +02004050 if( key_cert->key == NULL )
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004051 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02004052
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004053 pk_init( key_cert->key );
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02004054
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02004055 if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
4056 rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
4057 return( ret );
4058
4059 key_cert->cert = own_cert;
4060 key_cert->key_own_alloc = 1;
4061
Manuel Pégourié-Gonnardf427f882015-03-10 15:35:29 +00004062 return( 0 );
Paul Bakker43b7e352011-01-18 15:27:19 +00004063}
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +01004064#endif /* POLARSSL_DEPRECATED_REMOVED */
Paul Bakker7c6b2c32013-09-16 13:49:26 +02004065#endif /* POLARSSL_X509_CRT_PARSE_C */
Paul Bakkereb2c6582012-09-27 19:15:01 +00004066
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02004067#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Paul Bakker6db455e2013-09-18 17:29:31 +02004068int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
4069 const unsigned char *psk_identity, size_t psk_identity_len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02004070{
Paul Bakker6db455e2013-09-18 17:29:31 +02004071 if( psk == NULL || psk_identity == NULL )
4072 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4073
Manuel Pégourié-Gonnard481fcfd2014-07-03 16:12:50 +02004074 if( psk_len > POLARSSL_PSK_MAX_LEN )
Manuel Pégourié-Gonnardb2bf5a12014-03-25 16:28:12 +01004075 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4076
Manuel Pégourié-Gonnard65125542015-08-27 16:37:35 +02004077 /* Identity len will be encoded on two bytes */
4078 if( ( psk_identity_len >> 16 ) != 0 ||
4079 psk_identity_len > SSL_MAX_CONTENT_LEN )
4080 {
4081 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4082 }
4083
Manuel Pégourié-Gonnardf45850c2015-02-18 10:23:52 +00004084 if( ssl->psk != NULL || ssl->psk_identity != NULL )
Paul Bakker6db455e2013-09-18 17:29:31 +02004085 {
4086 polarssl_free( ssl->psk );
4087 polarssl_free( ssl->psk_identity );
Manuel Pégourié-Gonnard9c521762015-10-27 10:54:53 +01004088 ssl->psk = NULL;
4089 ssl->psk_identity = NULL;
Paul Bakker6db455e2013-09-18 17:29:31 +02004090 }
4091
Manuel Pégourié-Gonnardf45850c2015-02-18 10:23:52 +00004092 if( ( ssl->psk = polarssl_malloc( psk_len ) ) == NULL ||
4093 ( ssl->psk_identity = polarssl_malloc( psk_identity_len ) ) == NULL )
Mansour Moufidf81088b2015-02-17 13:10:21 -05004094 {
4095 polarssl_free( ssl->psk );
Manuel Pégourié-Gonnard5aff0292015-09-28 18:09:45 +02004096 polarssl_free( ssl->psk_identity );
Manuel Pégourié-Gonnardf45850c2015-02-18 10:23:52 +00004097 ssl->psk = NULL;
Manuel Pégourié-Gonnard5aff0292015-09-28 18:09:45 +02004098 ssl->psk_identity = NULL;
Mansour Moufidf81088b2015-02-17 13:10:21 -05004099 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
4100 }
Paul Bakker6db455e2013-09-18 17:29:31 +02004101
Manuel Pégourié-Gonnardf45850c2015-02-18 10:23:52 +00004102 ssl->psk_len = psk_len;
4103 ssl->psk_identity_len = psk_identity_len;
4104
Paul Bakker6db455e2013-09-18 17:29:31 +02004105 memcpy( ssl->psk, psk, ssl->psk_len );
4106 memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
Paul Bakker5ad403f2013-09-18 21:21:30 +02004107
4108 return( 0 );
Paul Bakker6db455e2013-09-18 17:29:31 +02004109}
4110
4111void ssl_set_psk_cb( ssl_context *ssl,
4112 int (*f_psk)(void *, ssl_context *, const unsigned char *,
4113 size_t),
4114 void *p_psk )
4115{
4116 ssl->f_psk = f_psk;
4117 ssl->p_psk = p_psk;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02004118}
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02004119#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakker43b7e352011-01-18 15:27:19 +00004120
Paul Bakker48916f92012-09-16 19:57:18 +00004121#if defined(POLARSSL_DHM_C)
Paul Bakkerff60ee62010-03-16 21:09:09 +00004122int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +00004123{
4124 int ret;
4125
Paul Bakker48916f92012-09-16 19:57:18 +00004126 if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004127 {
4128 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
4129 return( ret );
4130 }
4131
Paul Bakker48916f92012-09-16 19:57:18 +00004132 if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004133 {
4134 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
4135 return( ret );
4136 }
4137
4138 return( 0 );
4139}
4140
Paul Bakker1b57b062011-01-06 15:48:19 +00004141int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
4142{
4143 int ret;
4144
Paul Bakker66d5d072014-06-17 16:39:18 +02004145 if( ( ret = mpi_copy( &ssl->dhm_P, &dhm_ctx->P ) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +00004146 {
4147 SSL_DEBUG_RET( 1, "mpi_copy", ret );
4148 return( ret );
4149 }
4150
Paul Bakker66d5d072014-06-17 16:39:18 +02004151 if( ( ret = mpi_copy( &ssl->dhm_G, &dhm_ctx->G ) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +00004152 {
4153 SSL_DEBUG_RET( 1, "mpi_copy", ret );
4154 return( ret );
4155 }
4156
4157 return( 0 );
4158}
Paul Bakker48916f92012-09-16 19:57:18 +00004159#endif /* POLARSSL_DHM_C */
Paul Bakker1b57b062011-01-06 15:48:19 +00004160
Manuel Pégourié-Gonnard7f38ed02014-02-04 15:52:33 +01004161#if defined(POLARSSL_SSL_SET_CURVES)
4162/*
4163 * Set the allowed elliptic curves
4164 */
4165void ssl_set_curves( ssl_context *ssl, const ecp_group_id *curve_list )
4166{
4167 ssl->curve_list = curve_list;
4168}
4169#endif
4170
Paul Bakker0be444a2013-08-27 21:55:01 +02004171#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakkerff60ee62010-03-16 21:09:09 +00004172int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +00004173{
4174 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +00004175 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00004176
4177 ssl->hostname_len = strlen( hostname );
Paul Bakker75c1a6f2013-08-19 14:25:29 +02004178
4179 if( ssl->hostname_len + 1 == 0 )
4180 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4181
Simon Butcherc988f322015-09-29 23:27:20 +01004182 if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN )
4183 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4184
Mansour Moufidc531b4a2015-02-15 17:35:38 -05004185 ssl->hostname = polarssl_malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004186
Paul Bakkerb15b8512012-01-13 13:44:06 +00004187 if( ssl->hostname == NULL )
4188 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
4189
Paul Bakker3c2122f2013-06-24 19:03:14 +02004190 memcpy( ssl->hostname, (const unsigned char *) hostname,
Paul Bakker5121ce52009-01-03 21:22:43 +00004191 ssl->hostname_len );
Paul Bakkerf7abd422013-04-16 13:15:56 +02004192
Paul Bakker40ea7de2009-05-03 10:18:48 +00004193 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +00004194
4195 return( 0 );
4196}
4197
Paul Bakker5701cdc2012-09-27 21:49:42 +00004198void ssl_set_sni( ssl_context *ssl,
4199 int (*f_sni)(void *, ssl_context *,
4200 const unsigned char *, size_t),
4201 void *p_sni )
4202{
4203 ssl->f_sni = f_sni;
4204 ssl->p_sni = p_sni;
4205}
Paul Bakker0be444a2013-08-27 21:55:01 +02004206#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
Paul Bakker5701cdc2012-09-27 21:49:42 +00004207
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004208#if defined(POLARSSL_SSL_ALPN)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004209int ssl_set_alpn_protocols( ssl_context *ssl, const char **protos )
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004210{
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004211 size_t cur_len, tot_len;
4212 const char **p;
4213
4214 /*
4215 * "Empty strings MUST NOT be included and byte strings MUST NOT be
4216 * truncated". Check lengths now rather than later.
4217 */
4218 tot_len = 0;
4219 for( p = protos; *p != NULL; p++ )
4220 {
4221 cur_len = strlen( *p );
4222 tot_len += cur_len;
4223
4224 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
4225 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4226 }
4227
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004228 ssl->alpn_list = protos;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02004229
4230 return( 0 );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004231}
4232
4233const char *ssl_get_alpn_protocol( const ssl_context *ssl )
4234{
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004235 return( ssl->alpn_chosen );
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02004236}
4237#endif /* POLARSSL_SSL_ALPN */
4238
Paul Bakker490ecc82011-10-06 13:04:09 +00004239void ssl_set_max_version( ssl_context *ssl, int major, int minor )
4240{
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004241 if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
4242 minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
4243 {
4244 ssl->max_major_ver = major;
4245 ssl->max_minor_ver = minor;
4246 }
Paul Bakker490ecc82011-10-06 13:04:09 +00004247}
4248
Paul Bakker1d29fb52012-09-28 13:28:45 +00004249void ssl_set_min_version( ssl_context *ssl, int major, int minor )
4250{
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004251 if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
4252 minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
4253 {
4254 ssl->min_major_ver = major;
4255 ssl->min_minor_ver = minor;
4256 }
Paul Bakker1d29fb52012-09-28 13:28:45 +00004257}
4258
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02004259#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
4260void ssl_set_fallback( ssl_context *ssl, char fallback )
4261{
4262 ssl->fallback = fallback;
4263}
4264#endif
4265
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01004266#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
4267void ssl_set_encrypt_then_mac( ssl_context *ssl, char etm )
4268{
4269 ssl->encrypt_then_mac = etm;
4270}
4271#endif
4272
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02004273#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
4274void ssl_set_extended_master_secret( ssl_context *ssl, char ems )
4275{
4276 ssl->extended_ms = ems;
4277}
4278#endif
4279
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01004280void ssl_set_arc4_support( ssl_context *ssl, char arc4 )
4281{
4282 ssl->arc4_disabled = arc4;
4283}
4284
Paul Bakker05decb22013-08-15 13:33:48 +02004285#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004286int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
4287{
Paul Bakker77e257e2013-12-16 15:29:52 +01004288 if( mfl_code >= SSL_MAX_FRAG_LEN_INVALID ||
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +02004289 mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004290 {
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +02004291 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004292 }
4293
4294 ssl->mfl_code = mfl_code;
4295
4296 return( 0 );
4297}
Paul Bakker05decb22013-08-15 13:33:48 +02004298#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnard8b464592013-07-16 12:45:26 +02004299
Paul Bakker1f2bc622013-08-15 13:45:55 +02004300#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
Paul Bakker8c1ede62013-07-19 14:14:37 +02004301int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02004302{
Paul Bakker8c1ede62013-07-19 14:14:37 +02004303 ssl->trunc_hmac = truncate;
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02004304
4305 return( 0 );
4306}
Paul Bakker1f2bc622013-08-15 13:45:55 +02004307#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnarde980a992013-07-19 11:08:52 +02004308
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01004309#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
4310void ssl_set_cbc_record_splitting( ssl_context *ssl, char split )
4311{
4312 ssl->split_done = split;
4313}
4314#endif
4315
Paul Bakker48916f92012-09-16 19:57:18 +00004316void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
4317{
4318 ssl->allow_legacy_renegotiation = allow_legacy;
4319}
4320
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004321#if defined(POLARSSL_SSL_RENEGOTIATION)
4322void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
4323{
4324 ssl->disable_renegotiation = renegotiation;
4325}
4326
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004327void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records )
4328{
4329 ssl->renego_max_records = max_records;
4330}
4331
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004332void ssl_set_renegotiation_period( ssl_context *ssl,
4333 const unsigned char period[8] )
4334{
4335 memcpy( ssl->renego_period, period, 8 );
4336}
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004337#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00004338
Paul Bakkera503a632013-08-14 13:48:06 +02004339#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004340int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
4341{
4342 ssl->session_tickets = use_tickets;
4343
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004344#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02004345 if( ssl->endpoint == SSL_IS_CLIENT )
4346 return( 0 );
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004347#endif
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02004348
Manuel Pégourié-Gonnard2457fa02014-11-21 09:23:11 +01004349 if( use_tickets == SSL_SESSION_TICKETS_DISABLED )
4350 return( 0 );
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02004351
4352 if( ssl->f_rng == NULL )
4353 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4354
4355 return( ssl_ticket_keys_init( ssl ) );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004356}
Paul Bakker606b4ba2013-08-14 16:52:14 +02004357
4358void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
4359{
4360 ssl->ticket_lifetime = lifetime;
4361}
Paul Bakkera503a632013-08-14 13:48:06 +02004362#endif /* POLARSSL_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02004363
Paul Bakker5121ce52009-01-03 21:22:43 +00004364/*
4365 * SSL get accessors
4366 */
4367size_t ssl_get_bytes_avail( const ssl_context *ssl )
4368{
4369 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4370}
4371
Paul Bakkerff60ee62010-03-16 21:09:09 +00004372int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004373{
Manuel Pégourié-Gonnarde89163c2015-01-23 14:30:57 +00004374 if( ssl->session != NULL )
4375 return( ssl->session->verify_result );
4376
4377 if( ssl->session_negotiate != NULL )
4378 return( ssl->session_negotiate->verify_result );
4379
4380 return( -1 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004381}
4382
Paul Bakkere3166ce2011-01-27 17:40:50 +00004383const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +00004384{
Paul Bakker926c8e42013-03-06 10:23:34 +01004385 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004386 return( NULL );
Paul Bakker926c8e42013-03-06 10:23:34 +01004387
Paul Bakkere3166ce2011-01-27 17:40:50 +00004388 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +00004389}
4390
Paul Bakker43ca69c2011-01-15 17:35:19 +00004391const char *ssl_get_version( const ssl_context *ssl )
4392{
4393 switch( ssl->minor_ver )
4394 {
4395 case SSL_MINOR_VERSION_0:
4396 return( "SSLv3.0" );
4397
4398 case SSL_MINOR_VERSION_1:
4399 return( "TLSv1.0" );
4400
4401 case SSL_MINOR_VERSION_2:
4402 return( "TLSv1.1" );
4403
Paul Bakker1ef83d62012-04-11 12:09:53 +00004404 case SSL_MINOR_VERSION_3:
4405 return( "TLSv1.2" );
4406
Paul Bakker43ca69c2011-01-15 17:35:19 +00004407 default:
4408 break;
4409 }
4410 return( "unknown" );
4411}
4412
Paul Bakker7c6b2c32013-09-16 13:49:26 +02004413#if defined(POLARSSL_X509_CRT_PARSE_C)
Paul Bakkerc559c7a2013-09-18 14:13:26 +02004414const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
Paul Bakkerb0550d92012-10-30 07:51:03 +00004415{
4416 if( ssl == NULL || ssl->session == NULL )
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004417 return( NULL );
Paul Bakkerb0550d92012-10-30 07:51:03 +00004418
Paul Bakkerd8bb8262014-06-17 14:06:49 +02004419 return( ssl->session->peer_cert );
Paul Bakkerb0550d92012-10-30 07:51:03 +00004420}
Paul Bakker7c6b2c32013-09-16 13:49:26 +02004421#endif /* POLARSSL_X509_CRT_PARSE_C */
Paul Bakkerb0550d92012-10-30 07:51:03 +00004422
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004423#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004424int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
4425{
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004426 if( ssl == NULL ||
4427 dst == NULL ||
4428 ssl->session == NULL ||
4429 ssl->endpoint != SSL_IS_CLIENT )
4430 {
4431 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4432 }
4433
Manuel Pégourié-Gonnard06650f62013-08-02 15:34:52 +02004434 return( ssl_session_copy( dst, ssl->session ) );
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004435}
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004436#endif /* POLARSSL_SSL_CLI_C */
Manuel Pégourié-Gonnard74718032013-07-30 12:41:56 +02004437
Paul Bakker5121ce52009-01-03 21:22:43 +00004438/*
Paul Bakker1961b702013-01-25 14:49:24 +01004439 * Perform a single step of the SSL handshake
Paul Bakker5121ce52009-01-03 21:22:43 +00004440 */
Paul Bakker1961b702013-01-25 14:49:24 +01004441int ssl_handshake_step( ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00004442{
Paul Bakker40e46942009-01-03 21:51:57 +00004443 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +00004444
Paul Bakker40e46942009-01-03 21:51:57 +00004445#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00004446 if( ssl->endpoint == SSL_IS_CLIENT )
Paul Bakker1961b702013-01-25 14:49:24 +01004447 ret = ssl_handshake_client_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00004448#endif
Paul Bakker40e46942009-01-03 21:51:57 +00004449#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00004450 if( ssl->endpoint == SSL_IS_SERVER )
Paul Bakker1961b702013-01-25 14:49:24 +01004451 ret = ssl_handshake_server_step( ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +00004452#endif
4453
Paul Bakker1961b702013-01-25 14:49:24 +01004454 return( ret );
4455}
4456
4457/*
4458 * Perform the SSL handshake
4459 */
4460int ssl_handshake( ssl_context *ssl )
4461{
4462 int ret = 0;
4463
4464 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
4465
4466 while( ssl->state != SSL_HANDSHAKE_OVER )
4467 {
4468 ret = ssl_handshake_step( ssl );
4469
4470 if( ret != 0 )
4471 break;
4472 }
4473
Paul Bakker5121ce52009-01-03 21:22:43 +00004474 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
4475
4476 return( ret );
4477}
4478
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004479#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004480#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +00004481/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004482 * Write HelloRequest to request renegotiation on server
Paul Bakker48916f92012-09-16 19:57:18 +00004483 */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004484static int ssl_write_hello_request( ssl_context *ssl )
4485{
4486 int ret;
4487
4488 SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
4489
4490 ssl->out_msglen = 4;
4491 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
4492 ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
4493
4494 if( ( ret = ssl_write_record( ssl ) ) != 0 )
4495 {
4496 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4497 return( ret );
4498 }
4499
4500 SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4501
4502 return( 0 );
4503}
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004504#endif /* POLARSSL_SSL_SRV_C */
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004505
4506/*
4507 * Actually renegotiate current connection, triggered by either:
Manuel Pégourié-Gonnard55e4ff22014-08-19 11:16:35 +02004508 * - any side: calling ssl_renegotiate(),
4509 * - client: receiving a HelloRequest during ssl_read(),
4510 * - server: receiving any handshake message on server during ssl_read() after
4511 * the initial handshake is completed.
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004512 * If the handshake doesn't complete due to waiting for I/O, it will continue
4513 * during the next calls to ssl_renegotiate() or ssl_read() respectively.
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004514 */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004515static int ssl_start_renegotiation( ssl_context *ssl )
Paul Bakker48916f92012-09-16 19:57:18 +00004516{
4517 int ret;
4518
4519 SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4520
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004521 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4522 return( ret );
Paul Bakker48916f92012-09-16 19:57:18 +00004523
4524 ssl->state = SSL_HELLO_REQUEST;
4525 ssl->renegotiation = SSL_RENEGOTIATION;
4526
Paul Bakker48916f92012-09-16 19:57:18 +00004527 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4528 {
4529 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4530 return( ret );
4531 }
4532
4533 SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4534
4535 return( 0 );
4536}
4537
4538/*
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004539 * Renegotiate current connection on client,
4540 * or request renegotiation on server
4541 */
4542int ssl_renegotiate( ssl_context *ssl )
4543{
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004544 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004545
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004546#if defined(POLARSSL_SSL_SRV_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004547 /* On server, just send the request */
4548 if( ssl->endpoint == SSL_IS_SERVER )
4549 {
4550 if( ssl->state != SSL_HANDSHAKE_OVER )
4551 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4552
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02004553 ssl->renegotiation = SSL_RENEGOTIATION_PENDING;
4554
4555 /* Did we already try/start sending HelloRequest? */
4556 if( ssl->out_left != 0 )
4557 return( ssl_flush_output( ssl ) );
4558
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004559 return( ssl_write_hello_request( ssl ) );
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004560 }
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004561#endif /* POLARSSL_SSL_SRV_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004562
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004563#if defined(POLARSSL_SSL_CLI_C)
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004564 /*
4565 * On client, either start the renegotiation process or,
4566 * if already in progress, continue the handshake
4567 */
4568 if( ssl->renegotiation != SSL_RENEGOTIATION )
4569 {
4570 if( ssl->state != SSL_HANDSHAKE_OVER )
4571 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4572
4573 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4574 {
4575 SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4576 return( ret );
4577 }
4578 }
4579 else
4580 {
4581 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4582 {
4583 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4584 return( ret );
4585 }
4586 }
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004587#endif /* POLARSSL_SSL_CLI_C */
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004588
Paul Bakker37ce0ff2013-10-31 14:32:04 +01004589 return( ret );
Manuel Pégourié-Gonnard214eed32013-10-30 13:06:54 +01004590}
4591
4592/*
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004593 * Check record counters and renegotiate if they're above the limit.
4594 */
4595static int ssl_check_ctr_renegotiate( ssl_context *ssl )
4596{
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004597 if( ssl->state != SSL_HANDSHAKE_OVER ||
4598 ssl->renegotiation == SSL_RENEGOTIATION_PENDING ||
4599 ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED )
4600 {
4601 return( 0 );
4602 }
4603
4604 // TODO: adapt for DTLS
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004605 if( memcmp( ssl->in_ctr, ssl->renego_period, 8 ) <= 0 &&
4606 memcmp( ssl->out_ctr, ssl->renego_period, 8 ) <= 0 )
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004607 {
4608 return( 0 );
4609 }
4610
Manuel Pégourié-Gonnard837f0fe2014-11-05 13:58:53 +01004611 SSL_DEBUG_MSG( 0, ( "record counter limit reached: renegotiate" ) );
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004612 return( ssl_renegotiate( ssl ) );
4613}
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004614#endif /* POLARSSL_SSL_RENEGOTIATION */
Paul Bakker5121ce52009-01-03 21:22:43 +00004615
4616/*
4617 * Receive application data decrypted from the SSL layer
4618 */
Paul Bakker23986e52011-04-24 08:57:21 +00004619int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00004620{
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004621 int ret, record_read = 0;
Paul Bakker23986e52011-04-24 08:57:21 +00004622 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +00004623
4624 SSL_DEBUG_MSG( 2, ( "=> read" ) );
4625
Manuel Pégourié-Gonnardb4458052014-11-04 21:04:22 +01004626#if defined(POLARSSL_SSL_RENEGOTIATION)
4627 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
4628 {
4629 SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
4630 return( ret );
4631 }
4632#endif
4633
Paul Bakker5121ce52009-01-03 21:22:43 +00004634 if( ssl->state != SSL_HANDSHAKE_OVER )
4635 {
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004636 ret = ssl_handshake( ssl );
4637 if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
4638 {
4639 record_read = 1;
4640 }
4641 else if( ret != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004642 {
4643 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4644 return( ret );
4645 }
4646 }
4647
4648 if( ssl->in_offt == NULL )
4649 {
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004650 if( ! record_read )
Paul Bakker5121ce52009-01-03 21:22:43 +00004651 {
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004652 if( ( ret = ssl_read_record( ssl ) ) != 0 )
4653 {
4654 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4655 return( 0 );
Paul Bakker831a7552011-05-18 13:32:51 +00004656
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004657 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4658 return( ret );
4659 }
Paul Bakker5121ce52009-01-03 21:22:43 +00004660 }
4661
4662 if( ssl->in_msglen == 0 &&
4663 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
4664 {
4665 /*
4666 * OpenSSL sends empty messages to randomize the IV
4667 */
4668 if( ( ret = ssl_read_record( ssl ) ) != 0 )
4669 {
Paul Bakker831a7552011-05-18 13:32:51 +00004670 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4671 return( 0 );
4672
Paul Bakker5121ce52009-01-03 21:22:43 +00004673 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4674 return( ret );
4675 }
4676 }
4677
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004678#if defined(POLARSSL_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00004679 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4680 {
4681 SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4682
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004683#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker48916f92012-09-16 19:57:18 +00004684 if( ssl->endpoint == SSL_IS_CLIENT &&
4685 ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4686 ssl->in_hslen != 4 ) )
4687 {
4688 SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4689 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
4690 }
Manuel Pégourié-Gonnardd16d1cb2014-11-20 18:15:05 +01004691#endif
Paul Bakker48916f92012-09-16 19:57:18 +00004692
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00004693 if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
4694 ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02004695 ssl->allow_legacy_renegotiation ==
4696 SSL_LEGACY_NO_RENEGOTIATION ) )
Paul Bakker48916f92012-09-16 19:57:18 +00004697 {
4698 SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4699
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004700#if defined(POLARSSL_SSL_PROTO_SSL3)
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00004701 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
Paul Bakker48916f92012-09-16 19:57:18 +00004702 {
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00004703 /*
4704 * SSLv3 does not have a "no_renegotiation" alert
4705 */
4706 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4707 return( ret );
4708 }
4709 else
Paul Bakker9af723c2014-05-01 13:03:14 +02004710#endif /* POLARSSL_SSL_PROTO_SSL3 */
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004711#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4712 defined(POLARSSL_SSL_PROTO_TLS1_2)
4713 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00004714 {
4715 if( ( ret = ssl_send_alert_message( ssl,
4716 SSL_ALERT_LEVEL_WARNING,
4717 SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
4718 {
4719 return( ret );
4720 }
Paul Bakker48916f92012-09-16 19:57:18 +00004721 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02004722 else
Paul Bakker9af723c2014-05-01 13:03:14 +02004723#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 ||
4724 POLARSSL_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02004725 {
4726 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Manuel Pégourié-Gonnard61edffe2014-04-11 17:07:31 +02004727 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02004728 }
Paul Bakker48916f92012-09-16 19:57:18 +00004729 }
4730 else
4731 {
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004732 ret = ssl_start_renegotiation( ssl );
4733 if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
4734 {
4735 record_read = 1;
4736 }
4737 else if( ret != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00004738 {
Manuel Pégourié-Gonnard9c1e1892013-10-30 16:41:21 +01004739 SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
Paul Bakker48916f92012-09-16 19:57:18 +00004740 return( ret );
4741 }
Paul Bakker48916f92012-09-16 19:57:18 +00004742 }
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +02004743
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02004744 /* If a non-handshake record was read during renego, fallthrough,
4745 * else tell the user they should call ssl_read() again */
4746 if( ! record_read )
4747 return( POLARSSL_ERR_NET_WANT_READ );
Paul Bakker48916f92012-09-16 19:57:18 +00004748 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +01004749 else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4750 {
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02004751 ssl->renego_records_seen++;
4752
4753 if( ssl->renego_max_records >= 0 &&
4754 ssl->renego_records_seen > ssl->renego_max_records )
4755 {
4756 SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4757 "but not honored by client" ) );
4758 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
4759 }
Manuel Pégourié-Gonnard6d8404d2013-10-30 16:41:45 +01004760 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01004761#endif /* POLARSSL_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnardf26a1e82014-08-19 12:28:50 +02004762
4763 /* Fatal and closure alerts handled by ssl_read_record() */
4764 if( ssl->in_msgtype == SSL_MSG_ALERT )
4765 {
4766 SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
4767 return( POLARSSL_ERR_NET_WANT_READ );
4768 }
4769
4770 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
Paul Bakker5121ce52009-01-03 21:22:43 +00004771 {
4772 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +00004773 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00004774 }
4775
4776 ssl->in_offt = ssl->in_msg;
4777 }
4778
4779 n = ( len < ssl->in_msglen )
4780 ? len : ssl->in_msglen;
4781
4782 memcpy( buf, ssl->in_offt, n );
4783 ssl->in_msglen -= n;
4784
4785 if( ssl->in_msglen == 0 )
4786 /* all bytes consumed */
4787 ssl->in_offt = NULL;
4788 else
4789 /* more data available */
4790 ssl->in_offt += n;
4791
4792 SSL_DEBUG_MSG( 2, ( "<= read" ) );
4793
Paul Bakker23986e52011-04-24 08:57:21 +00004794 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00004795}
4796
4797/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02004798 * Send application data to be encrypted by the SSL layer,
4799 * taking care of max fragment length and buffer size
Paul Bakker5121ce52009-01-03 21:22:43 +00004800 */
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02004801static int ssl_write_real( ssl_context *ssl,
4802 const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +00004803{
Paul Bakker23986e52011-04-24 08:57:21 +00004804 int ret;
4805 size_t n;
Paul Bakker05decb22013-08-15 13:33:48 +02004806 unsigned int max_len = SSL_MAX_CONTENT_LEN;
Paul Bakker5121ce52009-01-03 21:22:43 +00004807
Paul Bakker05decb22013-08-15 13:33:48 +02004808#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +02004809 /*
4810 * Assume mfl_code is correct since it was checked when set
4811 */
4812 max_len = mfl_code_to_length[ssl->mfl_code];
4813
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02004814 /*
Paul Bakker05decb22013-08-15 13:33:48 +02004815 * Check if a smaller max length was negotiated
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02004816 */
4817 if( ssl->session_out != NULL &&
4818 mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4819 {
4820 max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4821 }
Paul Bakker05decb22013-08-15 13:33:48 +02004822#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarded4af8b2013-07-18 14:07:09 +02004823
Manuel Pégourié-Gonnard581e6b62013-07-18 12:32:27 +02004824 n = ( len < max_len) ? len : max_len;
Paul Bakker887bd502011-06-08 13:10:54 +00004825
Paul Bakker5121ce52009-01-03 21:22:43 +00004826 if( ssl->out_left != 0 )
4827 {
4828 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4829 {
4830 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4831 return( ret );
4832 }
4833 }
Paul Bakker887bd502011-06-08 13:10:54 +00004834 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +00004835 {
Paul Bakker887bd502011-06-08 13:10:54 +00004836 ssl->out_msglen = n;
4837 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
4838 memcpy( ssl->out_msg, buf, n );
4839
4840 if( ( ret = ssl_write_record( ssl ) ) != 0 )
4841 {
4842 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4843 return( ret );
4844 }
Paul Bakker5121ce52009-01-03 21:22:43 +00004845 }
4846
Paul Bakker23986e52011-04-24 08:57:21 +00004847 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +00004848}
4849
4850/*
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004851 * Write application data, doing 1/n-1 splitting if necessary.
4852 *
4853 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01004854 * then the caller will call us again with the same arguments, so
4855 * remember wether we already did the split or not.
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004856 */
4857#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02004858static int ssl_write_split( ssl_context *ssl,
4859 const unsigned char *buf, size_t len )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004860{
4861 int ret;
4862
Manuel Pégourié-Gonnardcfa477e2015-01-07 14:50:54 +01004863 if( ssl->split_done == SSL_CBC_RECORD_SPLITTING_DISABLED ||
4864 len <= 1 ||
4865 ssl->minor_ver > SSL_MINOR_VERSION_1 ||
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004866 cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
4867 != POLARSSL_MODE_CBC )
4868 {
4869 return( ssl_write_real( ssl, buf, len ) );
4870 }
4871
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01004872 if( ssl->split_done == 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004873 {
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01004874 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004875 return( ret );
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01004876 ssl->split_done = 1;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004877 }
4878
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01004879 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
4880 return( ret );
4881 ssl->split_done = 0;
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01004882
4883 return( ret + 1 );
4884}
4885#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
4886
4887/*
Manuel Pégourié-Gonnarda2fce212015-04-15 19:09:03 +02004888 * Write application data (public-facing wrapper)
4889 */
4890int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4891{
4892 int ret;
4893
4894 SSL_DEBUG_MSG( 2, ( "=> write" ) );
4895
4896#if defined(POLARSSL_SSL_RENEGOTIATION)
4897 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
4898 {
4899 SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
4900 return( ret );
4901 }
4902#endif
4903
4904 if( ssl->state != SSL_HANDSHAKE_OVER )
4905 {
4906 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4907 {
4908 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4909 return( ret );
4910 }
4911 }
4912
4913#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
4914 ret = ssl_write_split( ssl, buf, len );
4915#else
4916 ret = ssl_write_real( ssl, buf, len );
4917#endif
4918
4919 SSL_DEBUG_MSG( 2, ( "<= write" ) );
4920
4921 return( ret );
4922}
4923
4924/*
Paul Bakker5121ce52009-01-03 21:22:43 +00004925 * Notify the peer that the connection is being closed
4926 */
4927int ssl_close_notify( ssl_context *ssl )
4928{
4929 int ret;
4930
4931 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4932
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +02004933 if( ssl->out_left != 0 )
4934 return( ssl_flush_output( ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00004935
4936 if( ssl->state == SSL_HANDSHAKE_OVER )
4937 {
Paul Bakker48916f92012-09-16 19:57:18 +00004938 if( ( ret = ssl_send_alert_message( ssl,
4939 SSL_ALERT_LEVEL_WARNING,
4940 SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00004941 {
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +02004942 SSL_DEBUG_RET( 1, "ssl_send_alert_message", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00004943 return( ret );
4944 }
4945 }
4946
4947 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4948
Manuel Pégourié-Gonnarda13500f2014-08-19 16:14:04 +02004949 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00004950}
4951
Paul Bakker48916f92012-09-16 19:57:18 +00004952void ssl_transform_free( ssl_transform *transform )
4953{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004954 if( transform == NULL )
4955 return;
4956
Paul Bakker48916f92012-09-16 19:57:18 +00004957#if defined(POLARSSL_ZLIB_SUPPORT)
4958 deflateEnd( &transform->ctx_deflate );
4959 inflateEnd( &transform->ctx_inflate );
4960#endif
4961
Paul Bakker84bbeb52014-07-01 14:53:22 +02004962 cipher_free( &transform->cipher_ctx_enc );
4963 cipher_free( &transform->cipher_ctx_dec );
Manuel Pégourié-Gonnardf71e5872013-09-23 17:12:43 +02004964
Paul Bakker84bbeb52014-07-01 14:53:22 +02004965 md_free( &transform->md_ctx_enc );
4966 md_free( &transform->md_ctx_dec );
Paul Bakker61d113b2013-07-04 11:51:43 +02004967
Paul Bakker34617722014-06-13 17:20:13 +02004968 polarssl_zeroize( transform, sizeof( ssl_transform ) );
Paul Bakker48916f92012-09-16 19:57:18 +00004969}
4970
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02004971#if defined(POLARSSL_X509_CRT_PARSE_C)
4972static void ssl_key_cert_free( ssl_key_cert *key_cert )
4973{
4974 ssl_key_cert *cur = key_cert, *next;
4975
4976 while( cur != NULL )
4977 {
4978 next = cur->next;
4979
4980 if( cur->key_own_alloc )
4981 {
4982 pk_free( cur->key );
4983 polarssl_free( cur->key );
4984 }
4985 polarssl_free( cur );
4986
4987 cur = next;
4988 }
4989}
4990#endif /* POLARSSL_X509_CRT_PARSE_C */
4991
Paul Bakker48916f92012-09-16 19:57:18 +00004992void ssl_handshake_free( ssl_handshake_params *handshake )
4993{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02004994 if( handshake == NULL )
4995 return;
4996
Paul Bakker48916f92012-09-16 19:57:18 +00004997#if defined(POLARSSL_DHM_C)
4998 dhm_free( &handshake->dhm_ctx );
4999#endif
Paul Bakker61d113b2013-07-04 11:51:43 +02005000#if defined(POLARSSL_ECDH_C)
5001 ecdh_free( &handshake->ecdh_ctx );
5002#endif
5003
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02005004#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
Paul Bakker9af723c2014-05-01 13:03:14 +02005005 /* explicit void pointer cast for buggy MS compiler */
5006 polarssl_free( (void *) handshake->curves );
Manuel Pégourié-Gonnardd09453c2013-09-23 19:11:32 +02005007#endif
5008
Manuel Pégourié-Gonnard83724542013-09-24 22:30:56 +02005009#if defined(POLARSSL_X509_CRT_PARSE_C) && \
5010 defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
5011 /*
5012 * Free only the linked list wrapper, not the keys themselves
5013 * since the belong to the SNI callback
5014 */
5015 if( handshake->sni_key_cert != NULL )
5016 {
5017 ssl_key_cert *cur = handshake->sni_key_cert, *next;
5018
5019 while( cur != NULL )
5020 {
5021 next = cur->next;
5022 polarssl_free( cur );
5023 cur = next;
5024 }
5025 }
Paul Bakker9af723c2014-05-01 13:03:14 +02005026#endif /* POLARSSL_X509_CRT_PARSE_C && POLARSSL_SSL_SERVER_NAME_INDICATION */
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005027
Paul Bakker34617722014-06-13 17:20:13 +02005028 polarssl_zeroize( handshake, sizeof( ssl_handshake_params ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005029}
5030
5031void ssl_session_free( ssl_session *session )
5032{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005033 if( session == NULL )
5034 return;
5035
Paul Bakker7c6b2c32013-09-16 13:49:26 +02005036#if defined(POLARSSL_X509_CRT_PARSE_C)
Paul Bakker0a597072012-09-25 21:55:46 +00005037 if( session->peer_cert != NULL )
Paul Bakker48916f92012-09-16 19:57:18 +00005038 {
Paul Bakker7c6b2c32013-09-16 13:49:26 +02005039 x509_crt_free( session->peer_cert );
Paul Bakker6e339b52013-07-03 13:37:05 +02005040 polarssl_free( session->peer_cert );
Paul Bakker48916f92012-09-16 19:57:18 +00005041 }
Paul Bakkered27a042013-04-18 22:46:23 +02005042#endif
Paul Bakker0a597072012-09-25 21:55:46 +00005043
Paul Bakkera503a632013-08-14 13:48:06 +02005044#if defined(POLARSSL_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02005045 polarssl_free( session->ticket );
Paul Bakkera503a632013-08-14 13:48:06 +02005046#endif
Manuel Pégourié-Gonnard75d44012013-08-02 14:44:04 +02005047
Paul Bakker34617722014-06-13 17:20:13 +02005048 polarssl_zeroize( session, sizeof( ssl_session ) );
Paul Bakker48916f92012-09-16 19:57:18 +00005049}
5050
Paul Bakker5121ce52009-01-03 21:22:43 +00005051/*
5052 * Free an SSL context
5053 */
5054void ssl_free( ssl_context *ssl )
5055{
Paul Bakkeraccaffe2014-06-26 13:37:14 +02005056 if( ssl == NULL )
5057 return;
5058
Paul Bakker5121ce52009-01-03 21:22:43 +00005059 SSL_DEBUG_MSG( 2, ( "=> free" ) );
5060
Paul Bakker5121ce52009-01-03 21:22:43 +00005061 if( ssl->out_ctr != NULL )
5062 {
Paul Bakker34617722014-06-13 17:20:13 +02005063 polarssl_zeroize( ssl->out_ctr, SSL_BUFFER_LEN );
Paul Bakker6e339b52013-07-03 13:37:05 +02005064 polarssl_free( ssl->out_ctr );
Paul Bakker5121ce52009-01-03 21:22:43 +00005065 }
5066
5067 if( ssl->in_ctr != NULL )
5068 {
Paul Bakker34617722014-06-13 17:20:13 +02005069 polarssl_zeroize( ssl->in_ctr, SSL_BUFFER_LEN );
Paul Bakker6e339b52013-07-03 13:37:05 +02005070 polarssl_free( ssl->in_ctr );
Paul Bakker5121ce52009-01-03 21:22:43 +00005071 }
5072
Paul Bakker16770332013-10-11 09:59:44 +02005073#if defined(POLARSSL_ZLIB_SUPPORT)
5074 if( ssl->compress_buf != NULL )
5075 {
Paul Bakker34617722014-06-13 17:20:13 +02005076 polarssl_zeroize( ssl->compress_buf, SSL_BUFFER_LEN );
Paul Bakker16770332013-10-11 09:59:44 +02005077 polarssl_free( ssl->compress_buf );
5078 }
5079#endif
5080
Paul Bakker40e46942009-01-03 21:51:57 +00005081#if defined(POLARSSL_DHM_C)
Paul Bakker48916f92012-09-16 19:57:18 +00005082 mpi_free( &ssl->dhm_P );
5083 mpi_free( &ssl->dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +00005084#endif
5085
Paul Bakker48916f92012-09-16 19:57:18 +00005086 if( ssl->transform )
5087 {
5088 ssl_transform_free( ssl->transform );
Paul Bakker6e339b52013-07-03 13:37:05 +02005089 polarssl_free( ssl->transform );
Paul Bakker48916f92012-09-16 19:57:18 +00005090 }
5091
5092 if( ssl->handshake )
5093 {
5094 ssl_handshake_free( ssl->handshake );
5095 ssl_transform_free( ssl->transform_negotiate );
5096 ssl_session_free( ssl->session_negotiate );
5097
Paul Bakker6e339b52013-07-03 13:37:05 +02005098 polarssl_free( ssl->handshake );
5099 polarssl_free( ssl->transform_negotiate );
5100 polarssl_free( ssl->session_negotiate );
Paul Bakker48916f92012-09-16 19:57:18 +00005101 }
5102
Paul Bakkerc0463502013-02-14 11:19:38 +01005103 if( ssl->session )
5104 {
5105 ssl_session_free( ssl->session );
Paul Bakker6e339b52013-07-03 13:37:05 +02005106 polarssl_free( ssl->session );
Paul Bakkerc0463502013-02-14 11:19:38 +01005107 }
5108
Paul Bakkera503a632013-08-14 13:48:06 +02005109#if defined(POLARSSL_SSL_SESSION_TICKETS)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +02005110 if( ssl->ticket_keys )
5111 {
5112 ssl_ticket_keys_free( ssl->ticket_keys );
5113 polarssl_free( ssl->ticket_keys );
5114 }
Paul Bakkera503a632013-08-14 13:48:06 +02005115#endif
Manuel Pégourié-Gonnard779e4292013-08-03 13:50:48 +02005116
Paul Bakker0be444a2013-08-27 21:55:01 +02005117#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
Paul Bakker66d5d072014-06-17 16:39:18 +02005118 if( ssl->hostname != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00005119 {
Paul Bakker34617722014-06-13 17:20:13 +02005120 polarssl_zeroize( ssl->hostname, ssl->hostname_len );
Paul Bakker6e339b52013-07-03 13:37:05 +02005121 polarssl_free( ssl->hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +00005122 ssl->hostname_len = 0;
5123 }
Paul Bakker0be444a2013-08-27 21:55:01 +02005124#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00005125
Manuel Pégourié-Gonnard8a3c64d2013-10-14 19:54:10 +02005126#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
Paul Bakker6db455e2013-09-18 17:29:31 +02005127 if( ssl->psk != NULL )
5128 {
Paul Bakker34617722014-06-13 17:20:13 +02005129 polarssl_zeroize( ssl->psk, ssl->psk_len );
5130 polarssl_zeroize( ssl->psk_identity, ssl->psk_identity_len );
Paul Bakker6db455e2013-09-18 17:29:31 +02005131 polarssl_free( ssl->psk );
5132 polarssl_free( ssl->psk_identity );
5133 ssl->psk_len = 0;
5134 ssl->psk_identity_len = 0;
5135 }
5136#endif
5137
Manuel Pégourié-Gonnard834ea852013-09-23 14:46:13 +02005138#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard705fcca2013-09-23 20:04:20 +02005139 ssl_key_cert_free( ssl->key_cert );
5140#endif
Manuel Pégourié-Gonnard070cc7f2013-08-21 15:09:31 +02005141
Paul Bakker05ef8352012-05-08 09:17:57 +00005142#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
5143 if( ssl_hw_record_finish != NULL )
5144 {
5145 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
5146 ssl_hw_record_finish( ssl );
5147 }
5148#endif
5149
Paul Bakker5121ce52009-01-03 21:22:43 +00005150 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +00005151
Paul Bakker86f04f42013-02-14 11:20:09 +01005152 /* Actually clear after last debug message */
Paul Bakker34617722014-06-13 17:20:13 +02005153 polarssl_zeroize( ssl, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00005154}
5155
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005156#if defined(POLARSSL_PK_C)
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005157/*
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005158 * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02005159 */
5160unsigned char ssl_sig_from_pk( pk_context *pk )
5161{
5162#if defined(POLARSSL_RSA_C)
5163 if( pk_can_do( pk, POLARSSL_PK_RSA ) )
5164 return( SSL_SIG_RSA );
5165#endif
5166#if defined(POLARSSL_ECDSA_C)
5167 if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
5168 return( SSL_SIG_ECDSA );
5169#endif
5170 return( SSL_SIG_ANON );
5171}
5172
Hanno Beckerc2b9d982017-05-10 16:37:21 +01005173unsigned char ssl_sig_from_pk_alg( pk_type_t type )
5174{
5175 switch( type ) {
5176 case POLARSSL_PK_RSA:
5177 return( SSL_SIG_RSA );
5178 case POLARSSL_PK_ECDSA:
5179 case POLARSSL_PK_ECKEY:
5180 return( SSL_SIG_ECDSA );
5181 default:
5182 return( SSL_SIG_ANON );
5183 }
5184}
5185
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005186pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
5187{
5188 switch( sig )
5189 {
5190#if defined(POLARSSL_RSA_C)
5191 case SSL_SIG_RSA:
5192 return( POLARSSL_PK_RSA );
5193#endif
5194#if defined(POLARSSL_ECDSA_C)
5195 case SSL_SIG_ECDSA:
5196 return( POLARSSL_PK_ECDSA );
5197#endif
5198 default:
5199 return( POLARSSL_PK_NONE );
5200 }
5201}
Paul Bakker9af723c2014-05-01 13:03:14 +02005202#endif /* POLARSSL_PK_C */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005203
Hanno Beckerc2b9d982017-05-10 16:37:21 +01005204#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
5205 defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
5206
5207/* Find an entry in a signature-hash set matching a given hash algorithm. */
5208md_type_t ssl_sig_hash_set_find( ssl_sig_hash_set_t *set,
5209 pk_type_t sig_alg )
5210{
5211 switch( sig_alg )
5212 {
5213 case POLARSSL_PK_RSA:
5214 return( set->rsa );
5215 case POLARSSL_PK_ECDSA:
5216 return( set->ecdsa );
5217 default:
5218 return( POLARSSL_MD_NONE );
5219 }
5220}
5221
5222/* Add a signature-hash-pair to a signature-hash set */
5223void ssl_sig_hash_set_add( ssl_sig_hash_set_t *set,
5224 pk_type_t sig_alg,
5225 md_type_t md_alg )
5226{
5227 switch( sig_alg )
5228 {
5229 case POLARSSL_PK_RSA:
5230 if( set->rsa == POLARSSL_MD_NONE )
5231 set->rsa = md_alg;
5232 break;
5233
5234 case POLARSSL_PK_ECDSA:
5235 if( set->ecdsa == POLARSSL_MD_NONE )
5236 set->ecdsa = md_alg;
5237 break;
5238
5239 default:
5240 break;
5241 }
5242}
5243
5244/* Allow exactly one hash algorithm for each signature. */
5245void ssl_sig_hash_set_const_hash( ssl_sig_hash_set_t *set,
5246 md_type_t md_alg )
5247{
5248 set->rsa = md_alg;
5249 set->ecdsa = md_alg;
5250}
5251
5252#endif /* POLARSSL_SSL_PROTO_TLS1_2) &&
5253 POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
5254
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02005255/*
5256 * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
5257 */
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02005258md_type_t ssl_md_alg_from_hash( unsigned char hash )
5259{
5260 switch( hash )
5261 {
5262#if defined(POLARSSL_MD5_C)
5263 case SSL_HASH_MD5:
5264 return( POLARSSL_MD_MD5 );
5265#endif
5266#if defined(POLARSSL_SHA1_C)
5267 case SSL_HASH_SHA1:
5268 return( POLARSSL_MD_SHA1 );
5269#endif
5270#if defined(POLARSSL_SHA256_C)
5271 case SSL_HASH_SHA224:
5272 return( POLARSSL_MD_SHA224 );
5273 case SSL_HASH_SHA256:
5274 return( POLARSSL_MD_SHA256 );
5275#endif
5276#if defined(POLARSSL_SHA512_C)
5277 case SSL_HASH_SHA384:
5278 return( POLARSSL_MD_SHA384 );
5279 case SSL_HASH_SHA512:
5280 return( POLARSSL_MD_SHA512 );
5281#endif
5282 default:
5283 return( POLARSSL_MD_NONE );
5284 }
5285}
5286
Hanno Beckerc2b9d982017-05-10 16:37:21 +01005287/*
5288 * Convert from POLARSSL_MD_XXX to SSL_HASH_XXX
5289 */
5290unsigned char ssl_hash_from_md_alg( md_type_t md )
5291{
5292 switch( md )
5293 {
5294#if defined(POLARSSL_MD5_C)
5295 case POLARSSL_MD_MD5:
5296 return( SSL_HASH_MD5 );
5297#endif
5298#if defined(POLARSSL_SHA1_C)
5299 case POLARSSL_MD_SHA1:
5300 return( SSL_HASH_SHA1 );
5301#endif
5302#if defined(POLARSSL_SHA256_C)
5303 case POLARSSL_MD_SHA224:
5304 return( SSL_HASH_SHA224 );
5305 case POLARSSL_MD_SHA256:
5306 return( SSL_HASH_SHA256 );
5307#endif
5308#if defined(POLARSSL_SHA512_C)
5309 case POLARSSL_MD_SHA384:
5310 return( SSL_HASH_SHA384 );
5311 case POLARSSL_MD_SHA512:
5312 return( SSL_HASH_SHA512 );
5313#endif
5314 default:
5315 return( SSL_HASH_NONE );
5316 }
5317}
5318
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01005319#if defined(POLARSSL_SSL_SET_CURVES)
5320/*
5321 * Check is a curve proposed by the peer is in our list.
5322 * Return 1 if we're willing to use it, 0 otherwise.
5323 */
5324int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
5325{
5326 const ecp_group_id *gid;
5327
5328 for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
5329 if( *gid == grp_id )
5330 return( 1 );
5331
5332 return( 0 );
5333}
Paul Bakker9af723c2014-05-01 13:03:14 +02005334#endif /* POLARSSL_SSL_SET_CURVES */
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005335
Hanno Beckerc2b9d982017-05-10 16:37:21 +01005336#if defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
5337/*
5338 * Check if a hash proposed by the peer is in our list.
5339 * Return 0 if we're willing to use it, -1 otherwise.
5340 */
5341int ssl_check_sig_hash( md_type_t md )
5342{
5343 const int *cur;
5344
5345 for( cur = md_list(); *cur != POLARSSL_MD_NONE; cur++ )
5346 {
5347#if !defined(POLARSSL_SSL_ENABLE_MD5_SIGNATURES)
5348 /* Skip MD5 */
5349 if( *cur == POLARSSL_MD_MD5 )
5350 continue;
5351#endif
5352 if( *cur == (int) md )
5353 return( 0 );
5354 }
5355
5356 return( -1 );
5357}
5358#endif /* POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
5359
Paul Bakkerd6ad8e92014-04-09 17:24:14 +02005360#if defined(POLARSSL_X509_CRT_PARSE_C)
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005361int ssl_check_cert_usage( const x509_crt *cert,
5362 const ssl_ciphersuite_t *ciphersuite,
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005363 int cert_endpoint,
5364 int *flags )
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005365{
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005366 int ret = 0;
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005367#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
5368 int usage = 0;
5369#endif
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005370#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
5371 const char *ext_oid;
5372 size_t ext_len;
5373#endif
5374
5375#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
5376 !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
5377 ((void) cert);
5378 ((void) cert_endpoint);
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005379 ((void) flags);
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005380#endif
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005381
5382#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
5383 if( cert_endpoint == SSL_IS_SERVER )
5384 {
5385 /* Server part of the key exchange */
5386 switch( ciphersuite->key_exchange )
5387 {
5388 case POLARSSL_KEY_EXCHANGE_RSA:
5389 case POLARSSL_KEY_EXCHANGE_RSA_PSK:
5390 usage = KU_KEY_ENCIPHERMENT;
5391 break;
5392
5393 case POLARSSL_KEY_EXCHANGE_DHE_RSA:
5394 case POLARSSL_KEY_EXCHANGE_ECDHE_RSA:
5395 case POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA:
5396 usage = KU_DIGITAL_SIGNATURE;
5397 break;
5398
5399 case POLARSSL_KEY_EXCHANGE_ECDH_RSA:
5400 case POLARSSL_KEY_EXCHANGE_ECDH_ECDSA:
5401 usage = KU_KEY_AGREEMENT;
5402 break;
5403
5404 /* Don't use default: we want warnings when adding new values */
5405 case POLARSSL_KEY_EXCHANGE_NONE:
5406 case POLARSSL_KEY_EXCHANGE_PSK:
5407 case POLARSSL_KEY_EXCHANGE_DHE_PSK:
5408 case POLARSSL_KEY_EXCHANGE_ECDHE_PSK:
5409 usage = 0;
5410 }
5411 }
5412 else
5413 {
5414 /* Client auth: we only implement rsa_sign and ecdsa_sign for now */
5415 usage = KU_DIGITAL_SIGNATURE;
5416 }
5417
5418 if( x509_crt_check_key_usage( cert, usage ) != 0 )
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005419 {
5420 *flags |= BADCERT_KEY_USAGE;
5421 ret = -1;
5422 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005423#else
5424 ((void) ciphersuite);
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005425#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
5426
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005427#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
5428 if( cert_endpoint == SSL_IS_SERVER )
5429 {
5430 ext_oid = OID_SERVER_AUTH;
5431 ext_len = OID_SIZE( OID_SERVER_AUTH );
5432 }
5433 else
5434 {
5435 ext_oid = OID_CLIENT_AUTH;
5436 ext_len = OID_SIZE( OID_CLIENT_AUTH );
5437 }
5438
5439 if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005440 {
5441 *flags |= BADCERT_EXT_KEY_USAGE;
5442 ret = -1;
5443 }
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02005444#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
5445
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +02005446 return( ret );
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02005447}
Paul Bakkerd6ad8e92014-04-09 17:24:14 +02005448#endif /* POLARSSL_X509_CRT_PARSE_C */
Manuel Pégourié-Gonnard3a306b92014-04-29 15:11:17 +02005449
5450#endif /* POLARSSL_SSL_TLS_C */