TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 96d42da8fe83ea6b1812fc5c5b09cd19efaf2395 / . / library / ssl_tls.c
blob: 64012e54f8240d13db8369e7ed6ea8ada10f78f0 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]4 * Copyright (C) 2006-2012, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]44#include "polarssl/sha2.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46#include <stdlib.h>
47#include <time.h>
48
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]49#if defined _MSC_VER && !defined strcasecmp
50#define strcasecmp _stricmp
51#endif
52
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53/*
54 * Key material generation
55 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]56static int tls1_prf( unsigned char *secret, size_t slen, char *label,
57 unsigned char *random, size_t rlen,
58 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]59{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]60 size_t nb, hs;
61 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62 unsigned char *S1, *S2;
63 unsigned char tmp[128];
64 unsigned char h_i[20];
65
66 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]67 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68
69 hs = ( slen + 1 ) / 2;
70 S1 = secret;
71 S2 = secret + slen - hs;
72
73 nb = strlen( label );
74 memcpy( tmp + 20, label, nb );
75 memcpy( tmp + 20 + nb, random, rlen );
76 nb += rlen;
77
78 /*
79 * First compute P_md5(secret,label+random)[0..dlen]
80 */
81 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
82
83 for( i = 0; i < dlen; i += 16 )
84 {
85 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
86 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
87
88 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
89
90 for( j = 0; j < k; j++ )
91 dstbuf[i + j] = h_i[j];
92 }
93
94 /*
95 * XOR out with P_sha1(secret,label+random)[0..dlen]
96 */
97 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
98
99 for( i = 0; i < dlen; i += 20 )
100 {
101 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
102 sha1_hmac( S2, hs, tmp, 20, tmp );
103
104 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
105
106 for( j = 0; j < k; j++ )
107 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
108 }
109
110 memset( tmp, 0, sizeof( tmp ) );
111 memset( h_i, 0, sizeof( h_i ) );
112
113 return( 0 );
114}
115
116int ssl_derive_keys( ssl_context *ssl )
117{
118 int i;
119 md5_context md5;
120 sha1_context sha1;
121 unsigned char tmp[64];
122 unsigned char padding[16];
123 unsigned char sha1sum[20];
124 unsigned char keyblk[256];
125 unsigned char *key1;
126 unsigned char *key2;
127
128 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
129
130 /*
131 * SSLv3:
132 * master =
133 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
134 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
135 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
136 *
137 * TLSv1:
138 * master = PRF( premaster, "master secret", randbytes )[0..47]
139 */
140 if( ssl->resume == 0 )
141 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]142 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]143
144 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
145
146 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
147 {
148 for( i = 0; i < 3; i++ )
149 {
150 memset( padding, 'A' + i, 1 + i );
151
152 sha1_starts( &sha1 );
153 sha1_update( &sha1, padding, 1 + i );
154 sha1_update( &sha1, ssl->premaster, len );
155 sha1_update( &sha1, ssl->randbytes, 64 );
156 sha1_finish( &sha1, sha1sum );
157
158 md5_starts( &md5 );
159 md5_update( &md5, ssl->premaster, len );
160 md5_update( &md5, sha1sum, 20 );
161 md5_finish( &md5, ssl->session->master + i * 16 );
162 }
163 }
164 else
165 tls1_prf( ssl->premaster, len, "master secret",
166 ssl->randbytes, 64, ssl->session->master, 48 );
167
168 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
169 }
170 else
171 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
172
173 /*
174 * Swap the client and server random values.
175 */
176 memcpy( tmp, ssl->randbytes, 64 );
177 memcpy( ssl->randbytes, tmp + 32, 32 );
178 memcpy( ssl->randbytes + 32, tmp, 32 );
179 memset( tmp, 0, sizeof( tmp ) );
180
181 /*
182 * SSLv3:
183 * key block =
184 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
185 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
186 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
187 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
188 * ...
189 *
190 * TLSv1:
191 * key block = PRF( master, "key expansion", randbytes )
192 */
193 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
194 {
195 for( i = 0; i < 16; i++ )
196 {
197 memset( padding, 'A' + i, 1 + i );
198
199 sha1_starts( &sha1 );
200 sha1_update( &sha1, padding, 1 + i );
201 sha1_update( &sha1, ssl->session->master, 48 );
202 sha1_update( &sha1, ssl->randbytes, 64 );
203 sha1_finish( &sha1, sha1sum );
204
205 md5_starts( &md5 );
206 md5_update( &md5, ssl->session->master, 48 );
207 md5_update( &md5, sha1sum, 20 );
208 md5_finish( &md5, keyblk + i * 16 );
209 }
210
211 memset( &md5, 0, sizeof( md5 ) );
212 memset( &sha1, 0, sizeof( sha1 ) );
213
214 memset( padding, 0, sizeof( padding ) );
215 memset( sha1sum, 0, sizeof( sha1sum ) );
216 }
217 else
218 tls1_prf( ssl->session->master, 48, "key expansion",
219 ssl->randbytes, 64, keyblk, 256 );
220
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]221 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]222 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
223 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
224 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
225
226 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
227
228 /*
229 * Determine the appropriate key, IV and MAC length.
230 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]231 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]232 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]233#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234 case SSL_RSA_RC4_128_MD5:
235 ssl->keylen = 16; ssl->minlen = 16;
236 ssl->ivlen = 0; ssl->maclen = 16;
237 break;
238
239 case SSL_RSA_RC4_128_SHA:
240 ssl->keylen = 16; ssl->minlen = 20;
241 ssl->ivlen = 0; ssl->maclen = 20;
242 break;
243#endif
244
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]245#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]246 case SSL_RSA_DES_168_SHA:
247 case SSL_EDH_RSA_DES_168_SHA:
248 ssl->keylen = 24; ssl->minlen = 24;
249 ssl->ivlen = 8; ssl->maclen = 20;
250 break;
251#endif
252
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]253#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]254 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]255 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]256 ssl->keylen = 16; ssl->minlen = 32;
257 ssl->ivlen = 16; ssl->maclen = 20;
258 break;
259
260 case SSL_RSA_AES_256_SHA:
261 case SSL_EDH_RSA_AES_256_SHA:
262 ssl->keylen = 32; ssl->minlen = 32;
263 ssl->ivlen = 16; ssl->maclen = 20;
264 break;
265#endif
266
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]267#if defined(POLARSSL_CAMELLIA_C)
268 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]269 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]270 ssl->keylen = 16; ssl->minlen = 32;
271 ssl->ivlen = 16; ssl->maclen = 20;
272 break;
273
274 case SSL_RSA_CAMELLIA_256_SHA:
275 case SSL_EDH_RSA_CAMELLIA_256_SHA:
276 ssl->keylen = 32; ssl->minlen = 32;
277 ssl->ivlen = 16; ssl->maclen = 20;
278 break;
279#endif
280
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]281#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
282#if defined(POLARSSL_CIPHER_NULL_CIPHER)
283 case SSL_RSA_NULL_MD5:
284 ssl->keylen = 0; ssl->minlen = 0;
285 ssl->ivlen = 0; ssl->maclen = 16;
286 break;
287
288 case SSL_RSA_NULL_SHA:
289 ssl->keylen = 0; ssl->minlen = 0;
290 ssl->ivlen = 0; ssl->maclen = 20;
291 break;
292
293 case SSL_RSA_NULL_SHA256:
294 ssl->keylen = 0; ssl->minlen = 0;
295 ssl->ivlen = 0; ssl->maclen = 32;
296 break;
297#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
298
299#if defined(POLARSSL_DES_C)
300 case SSL_RSA_DES_SHA:
301 case SSL_EDH_RSA_DES_SHA:
302 ssl->keylen = 8; ssl->minlen = 8;
303 ssl->ivlen = 8; ssl->maclen = 20;
304 break;
305#endif
306#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
307
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]309 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
310 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]311 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312 }
313
314 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
315 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
316
317 /*
318 * Finally setup the cipher contexts, IVs and MAC secrets.
319 */
320 if( ssl->endpoint == SSL_IS_CLIENT )
321 {
322 key1 = keyblk + ssl->maclen * 2;
323 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
324
325 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
326 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
327
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]328 /*
329 * This is not used in TLS v1.1.
330 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
332 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
333 ssl->ivlen );
334 }
335 else
336 {
337 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
338 key2 = keyblk + ssl->maclen * 2;
339
340 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
341 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
342
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]343 /*
344 * This is not used in TLS v1.1.
345 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
347 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
348 ssl->ivlen );
349 }
350
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]351 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]353#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354 case SSL_RSA_RC4_128_MD5:
355 case SSL_RSA_RC4_128_SHA:
356 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
357 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
358 break;
359#endif
360
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]361#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362 case SSL_RSA_DES_168_SHA:
363 case SSL_EDH_RSA_DES_168_SHA:
364 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
365 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
366 break;
367#endif
368
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]369#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]370 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]371 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]372 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
373 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
374 break;
375
376 case SSL_RSA_AES_256_SHA:
377 case SSL_EDH_RSA_AES_256_SHA:
378 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
379 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
380 break;
381#endif
382
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]383#if defined(POLARSSL_CAMELLIA_C)
384 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]385 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]386 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
387 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
388 break;
389
390 case SSL_RSA_CAMELLIA_256_SHA:
391 case SSL_EDH_RSA_CAMELLIA_256_SHA:
392 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
393 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
394 break;
395#endif
396
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]397#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
398#if defined(POLARSSL_CIPHER_NULL_CIPHER)
399 case SSL_RSA_NULL_MD5:
400 case SSL_RSA_NULL_SHA:
401 case SSL_RSA_NULL_SHA256:
402 break;
403#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
404
405#if defined(POLARSSL_DES_C)
406 case SSL_RSA_DES_SHA:
407 case SSL_EDH_RSA_DES_SHA:
408 des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
409 des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
410 break;
411#endif
412#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
413
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]414 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]415 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]416 }
417
418 memset( keyblk, 0, sizeof( keyblk ) );
419
420 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
421
422 return( 0 );
423}
424
425void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
426{
427 md5_context md5;
428 sha1_context sha1;
429 unsigned char pad_1[48];
430 unsigned char pad_2[48];
431
432 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
433
434 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
435 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
436
437 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
438 {
439 memset( pad_1, 0x36, 48 );
440 memset( pad_2, 0x5C, 48 );
441
442 md5_update( &md5, ssl->session->master, 48 );
443 md5_update( &md5, pad_1, 48 );
444 md5_finish( &md5, hash );
445
446 md5_starts( &md5 );
447 md5_update( &md5, ssl->session->master, 48 );
448 md5_update( &md5, pad_2, 48 );
449 md5_update( &md5, hash, 16 );
450 md5_finish( &md5, hash );
451
452 sha1_update( &sha1, ssl->session->master, 48 );
453 sha1_update( &sha1, pad_1, 40 );
454 sha1_finish( &sha1, hash + 16 );
455
456 sha1_starts( &sha1 );
457 sha1_update( &sha1, ssl->session->master, 48 );
458 sha1_update( &sha1, pad_2, 40 );
459 sha1_update( &sha1, hash + 16, 20 );
460 sha1_finish( &sha1, hash + 16 );
461 }
462 else /* TLSv1 */
463 {
464 md5_finish( &md5, hash );
465 sha1_finish( &sha1, hash + 16 );
466 }
467
468 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
469 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
470
471 return;
472}
473
474/*
475 * SSLv3.0 MAC functions
476 */
477static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]478 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]479 unsigned char *ctr, int type )
480{
481 unsigned char header[11];
482 unsigned char padding[48];
483 md5_context md5;
484
485 memcpy( header, ctr, 8 );
486 header[ 8] = (unsigned char) type;
487 header[ 9] = (unsigned char)( len >> 8 );
488 header[10] = (unsigned char)( len );
489
490 memset( padding, 0x36, 48 );
491 md5_starts( &md5 );
492 md5_update( &md5, secret, 16 );
493 md5_update( &md5, padding, 48 );
494 md5_update( &md5, header, 11 );
495 md5_update( &md5, buf, len );
496 md5_finish( &md5, buf + len );
497
498 memset( padding, 0x5C, 48 );
499 md5_starts( &md5 );
500 md5_update( &md5, secret, 16 );
501 md5_update( &md5, padding, 48 );
502 md5_update( &md5, buf + len, 16 );
503 md5_finish( &md5, buf + len );
504}
505
506static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]507 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 unsigned char *ctr, int type )
509{
510 unsigned char header[11];
511 unsigned char padding[40];
512 sha1_context sha1;
513
514 memcpy( header, ctr, 8 );
515 header[ 8] = (unsigned char) type;
516 header[ 9] = (unsigned char)( len >> 8 );
517 header[10] = (unsigned char)( len );
518
519 memset( padding, 0x36, 40 );
520 sha1_starts( &sha1 );
521 sha1_update( &sha1, secret, 20 );
522 sha1_update( &sha1, padding, 40 );
523 sha1_update( &sha1, header, 11 );
524 sha1_update( &sha1, buf, len );
525 sha1_finish( &sha1, buf + len );
526
527 memset( padding, 0x5C, 40 );
528 sha1_starts( &sha1 );
529 sha1_update( &sha1, secret, 20 );
530 sha1_update( &sha1, padding, 40 );
531 sha1_update( &sha1, buf + len, 20 );
532 sha1_finish( &sha1, buf + len );
533}
534
535/*
536 * Encryption/decryption functions
537 */
538static int ssl_encrypt_buf( ssl_context *ssl )
539{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]540 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
542 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
543
544 /*
545 * Add MAC then encrypt
546 */
547 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
548 {
549 if( ssl->maclen == 16 )
550 ssl_mac_md5( ssl->mac_enc,
551 ssl->out_msg, ssl->out_msglen,
552 ssl->out_ctr, ssl->out_msgtype );
553
554 if( ssl->maclen == 20 )
555 ssl_mac_sha1( ssl->mac_enc,
556 ssl->out_msg, ssl->out_msglen,
557 ssl->out_ctr, ssl->out_msgtype );
558 }
559 else
560 {
561 if( ssl->maclen == 16 )
562 md5_hmac( ssl->mac_enc, 16,
563 ssl->out_ctr, ssl->out_msglen + 13,
564 ssl->out_msg + ssl->out_msglen );
565
566 if( ssl->maclen == 20 )
567 sha1_hmac( ssl->mac_enc, 20,
568 ssl->out_ctr, ssl->out_msglen + 13,
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]569 ssl->out_msg + ssl->out_msglen );
570
571 if( ssl->maclen == 32 )
572 sha2_hmac( ssl->mac_enc, 32,
573 ssl->out_ctr, ssl->out_msglen + 13,
574 ssl->out_msg + ssl->out_msglen, 0);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575 }
576
577 SSL_DEBUG_BUF( 4, "computed mac",
578 ssl->out_msg + ssl->out_msglen, ssl->maclen );
579
580 ssl->out_msglen += ssl->maclen;
581
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]582 for( i = 8; i > 0; i-- )
583 if( ++ssl->out_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]584 break;
585
586 if( ssl->ivlen == 0 )
587 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588 padlen = 0;
589
590 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
591 "including %d bytes of padding",
592 ssl->out_msglen, 0 ) );
593
594 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
595 ssl->out_msg, ssl->out_msglen );
596
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]597#if defined(POLARSSL_ARC4_C)
598 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
599 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
600 {
601 arc4_crypt( (arc4_context *) ssl->ctx_enc,
602 ssl->out_msglen, ssl->out_msg,
603 ssl->out_msg );
604 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]605#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]606#if defined(POLARSSL_CIPHER_NULL_CIPHER)
607 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
608 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
609 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
610 {
611 } else
612#endif
613 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614 }
615 else
616 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]617 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]618 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]619
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
621 if( padlen == ssl->ivlen )
622 padlen = 0;
623
624 for( i = 0; i <= padlen; i++ )
625 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
626
627 ssl->out_msglen += padlen + 1;
628
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]629 enc_msglen = ssl->out_msglen;
630 enc_msg = ssl->out_msg;
631
632 /*
633 * Prepend per-record IV for block cipher in TLS v1.1 as per
634 * Method 1 (6.2.3.2. in RFC4346)
635 */
636 if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
637 {
638 /*
639 * Generate IV
640 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]641 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
642 if( ret != 0 )
643 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]644
645 /*
646 * Shift message for ivlen bytes and prepend IV
647 */
648 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
649 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
650
651 /*
652 * Fix pointer positions and message length with added IV
653 */
654 enc_msg = ssl->out_msg + ssl->ivlen;
655 enc_msglen = ssl->out_msglen;
656 ssl->out_msglen += ssl->ivlen;
657 }
658
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]660 "including %d bytes of IV and %d bytes of padding",
661 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
664 ssl->out_msg, ssl->out_msglen );
665
666 switch( ssl->ivlen )
667 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]668#if defined(POLARSSL_DES_C)
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]669 case 8:
670#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
671 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
672 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
673 {
674 des_crypt_cbc( (des_context *) ssl->ctx_enc,
675 DES_ENCRYPT, enc_msglen,
676 ssl->iv_enc, enc_msg, enc_msg );
677 }
678 else
679#endif
680 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
681 DES_ENCRYPT, enc_msglen,
682 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]683 break;
684#endif
685
686 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]687#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]688 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
689 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
690 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
691 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
692 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]693 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]694 AES_ENCRYPT, enc_msglen,
695 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]696 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]697 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]698#endif
699
700#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]701 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
702 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
703 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
704 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
705 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]706 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]707 CAMELLIA_ENCRYPT, enc_msglen,
708 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]709 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]710 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711#endif
712
713 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]714 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]715 }
716 }
717
718 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
719
720 return( 0 );
721}
722
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]723/*
724 * TODO: Use digest version when integrated!
725 */
726#define POLARSSL_SSL_MAX_MAC_SIZE 32
727
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728static int ssl_decrypt_buf( ssl_context *ssl )
729{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]730 size_t i, padlen;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]731 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732
733 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
734
735 if( ssl->in_msglen < ssl->minlen )
736 {
737 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
738 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]739 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]740 }
741
742 if( ssl->ivlen == 0 )
743 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]744#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745 padlen = 0;
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]746 if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 ||
747 ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
748 {
749 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]750 ssl->in_msglen, ssl->in_msg,
751 ssl->in_msg );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]752 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753#endif
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]754#if defined(POLARSSL_CIPHER_NULL_CIPHER)
755 if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 ||
756 ssl->session->ciphersuite == SSL_RSA_NULL_SHA ||
757 ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
758 {
759 } else
760#endif
761 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762 }
763 else
764 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]765 unsigned char *dec_msg;
766 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]767 size_t dec_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]768
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]769 /*
770 * Decrypt and check the padding
771 */
772 if( ssl->in_msglen % ssl->ivlen != 0 )
773 {
774 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
775 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]776 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]777 }
778
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]779 dec_msglen = ssl->in_msglen;
780 dec_msg = ssl->in_msg;
781 dec_msg_result = ssl->in_msg;
782
783 /*
784 * Initialize for prepended IV for block cipher in TLS v1.1
785 */
786 if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
787 {
788 dec_msg += ssl->ivlen;
789 dec_msglen -= ssl->ivlen;
790 ssl->in_msglen -= ssl->ivlen;
791
792 for( i = 0; i < ssl->ivlen; i++ )
793 ssl->iv_dec[i] = ssl->in_msg[i];
794 }
795
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]796 switch( ssl->ivlen )
797 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]798#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]799 case 8:
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]800#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
801 if( ssl->session->ciphersuite == SSL_RSA_DES_SHA ||
802 ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
803 {
804 des_crypt_cbc( (des_context *) ssl->ctx_dec,
805 DES_DECRYPT, dec_msglen,
806 ssl->iv_dec, dec_msg, dec_msg_result );
807 }
808 else
809#endif
810 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
811 DES_DECRYPT, dec_msglen,
812 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]813 break;
814#endif
815
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]817#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]818 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
819 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
820 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
821 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
822 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]823 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]824 AES_DECRYPT, dec_msglen,
825 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]826 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]827 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]828#endif
829
830#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]831 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
832 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
833 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
834 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
835 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]836 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]837 CAMELLIA_DECRYPT, dec_msglen,
838 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]839 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]840 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841#endif
842
843 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]844 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]845 }
846
847 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
848
849 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
850 {
851 if( padlen > ssl->ivlen )
852 {
853 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
854 "should be no more than %d",
855 padlen, ssl->ivlen ) );
856 padlen = 0;
857 }
858 }
859 else
860 {
861 /*
862 * TLSv1: always check the padding
863 */
864 for( i = 1; i <= padlen; i++ )
865 {
866 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
867 {
868 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
869 "%02x, but is %02x", padlen - 1,
870 ssl->in_msg[ssl->in_msglen - i] ) );
871 padlen = 0;
872 }
873 }
874 }
875 }
876
877 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
878 ssl->in_msg, ssl->in_msglen );
879
880 /*
881 * Always compute the MAC (RFC4346, CBCTIME).
882 */
Paul Bakker452d5322012-04-05 12:07:34 +0000[diff] [blame]883 if( ssl->in_msglen <= ssl->maclen + padlen )
884 {
885 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
886 ssl->in_msglen, ssl->maclen, padlen ) );
887 return( POLARSSL_ERR_SSL_INVALID_MAC );
888 }
889
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]890 ssl->in_msglen -= ( ssl->maclen + padlen );
891
892 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
893 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
894
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]895 memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]896
897 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
898 {
899 if( ssl->maclen == 16 )
900 ssl_mac_md5( ssl->mac_dec,
901 ssl->in_msg, ssl->in_msglen,
902 ssl->in_ctr, ssl->in_msgtype );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]903 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]904 ssl_mac_sha1( ssl->mac_dec,
905 ssl->in_msg, ssl->in_msglen,
906 ssl->in_ctr, ssl->in_msgtype );
907 }
908 else
909 {
910 if( ssl->maclen == 16 )
911 md5_hmac( ssl->mac_dec, 16,
912 ssl->in_ctr, ssl->in_msglen + 13,
913 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]914 else if( ssl->maclen == 20 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]915 sha1_hmac( ssl->mac_dec, 20,
916 ssl->in_ctr, ssl->in_msglen + 13,
917 ssl->in_msg + ssl->in_msglen );
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]918 else if( ssl->maclen == 32 )
919 sha2_hmac( ssl->mac_dec, 32,
920 ssl->in_ctr, ssl->in_msglen + 13,
921 ssl->in_msg + ssl->in_msglen, 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]922 }
923
924 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
925 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
926 ssl->maclen );
927
928 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
929 ssl->maclen ) != 0 )
930 {
931 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]932 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]933 }
934
935 /*
936 * Finally check the padding length; bad padding
937 * will produce the same error as an invalid MAC.
938 */
939 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]940 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]941
942 if( ssl->in_msglen == 0 )
943 {
944 ssl->nb_zero++;
945
946 /*
947 * Three or more empty messages may be a DoS attack
948 * (excessive CPU consumption).
949 */
950 if( ssl->nb_zero > 3 )
951 {
952 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
953 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]954 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955 }
956 }
957 else
958 ssl->nb_zero = 0;
959
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]960 for( i = 8; i > 0; i-- )
961 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]962 break;
963
964 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
965
966 return( 0 );
967}
968
969/*
970 * Fill the input message buffer
971 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]972int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]973{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]974 int ret;
975 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]976
977 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
978
979 while( ssl->in_left < nb_want )
980 {
981 len = nb_want - ssl->in_left;
982 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
983
984 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
985 ssl->in_left, nb_want ) );
986 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
987
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]988 if( ret == 0 )
989 return( POLARSSL_ERR_SSL_CONN_EOF );
990
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]991 if( ret < 0 )
992 return( ret );
993
994 ssl->in_left += ret;
995 }
996
997 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
998
999 return( 0 );
1000}
1001
1002/*
1003 * Flush any data not yet written
1004 */
1005int ssl_flush_output( ssl_context *ssl )
1006{
1007 int ret;
1008 unsigned char *buf;
1009
1010 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1011
1012 while( ssl->out_left > 0 )
1013 {
1014 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1015 5 + ssl->out_msglen, ssl->out_left ) );
1016
1017 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1018 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1019 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1020
1021 if( ret <= 0 )
1022 return( ret );
1023
1024 ssl->out_left -= ret;
1025 }
1026
1027 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1028
1029 return( 0 );
1030}
1031
1032/*
1033 * Record layer functions
1034 */
1035int ssl_write_record( ssl_context *ssl )
1036{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1037 int ret;
1038 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039
1040 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1041
1042 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1043 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1044 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1045 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1046 ssl->out_hdr[4] = (unsigned char)( len );
1047
1048 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1049 {
1050 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1051 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1052 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1053
1054 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
1055 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
1056 }
1057
1058 if( ssl->do_crypt != 0 )
1059 {
1060 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1061 {
1062 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1063 return( ret );
1064 }
1065
1066 len = ssl->out_msglen;
1067 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1068 ssl->out_hdr[4] = (unsigned char)( len );
1069 }
1070
1071 ssl->out_left = 5 + ssl->out_msglen;
1072
1073 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1074 "version = [%d:%d], msglen = %d",
1075 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1076 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1077
1078 SSL_DEBUG_BUF( 4, "output record sent to network",
1079 ssl->out_hdr, 5 + ssl->out_msglen );
1080
1081 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1082 {
1083 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1084 return( ret );
1085 }
1086
1087 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1088
1089 return( 0 );
1090}
1091
1092int ssl_read_record( ssl_context *ssl )
1093{
1094 int ret;
1095
1096 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1097
1098 if( ssl->in_hslen != 0 &&
1099 ssl->in_hslen < ssl->in_msglen )
1100 {
1101 /*
1102 * Get next Handshake message in the current record
1103 */
1104 ssl->in_msglen -= ssl->in_hslen;
1105
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1106 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107 ssl->in_msglen );
1108
1109 ssl->in_hslen = 4;
1110 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1111
1112 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1113 " %d, type = %d, hslen = %d",
1114 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1115
1116 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1117 {
1118 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1119 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1120 }
1121
1122 if( ssl->in_msglen < ssl->in_hslen )
1123 {
1124 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1125 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1126 }
1127
1128 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1129 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1130
1131 return( 0 );
1132 }
1133
1134 ssl->in_hslen = 0;
1135
1136 /*
1137 * Read the record header and validate it
1138 */
1139 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1140 {
1141 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1142 return( ret );
1143 }
1144
1145 ssl->in_msgtype = ssl->in_hdr[0];
1146 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1147
1148 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1149 "version = [%d:%d], msglen = %d",
1150 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1151 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1152
1153 if( ssl->in_hdr[1] != ssl->major_ver )
1154 {
1155 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1156 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1157 }
1158
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1159 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1160 {
1161 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1162 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1163 }
1164
1165 /*
1166 * Make sure the message length is acceptable
1167 */
1168 if( ssl->do_crypt == 0 )
1169 {
1170 if( ssl->in_msglen < 1 ||
1171 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1172 {
1173 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1174 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1175 }
1176 }
1177 else
1178 {
1179 if( ssl->in_msglen < ssl->minlen )
1180 {
1181 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1182 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1183 }
1184
1185 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1186 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1187 {
1188 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1189 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1190 }
1191
1192 /*
1193 * TLS encrypted messages can have up to 256 bytes of padding
1194 */
1195 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
1196 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1197 {
1198 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1199 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1200 }
1201 }
1202
1203 /*
1204 * Read and optionally decrypt the message contents
1205 */
1206 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1207 {
1208 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1209 return( ret );
1210 }
1211
1212 SSL_DEBUG_BUF( 4, "input record from network",
1213 ssl->in_hdr, 5 + ssl->in_msglen );
1214
1215 if( ssl->do_crypt != 0 )
1216 {
1217 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1218 {
1219 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1220 return( ret );
1221 }
1222
1223 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1224 ssl->in_msg, ssl->in_msglen );
1225
1226 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1227 {
1228 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1229 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1230 }
1231 }
1232
1233 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1234 {
1235 ssl->in_hslen = 4;
1236 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1237
1238 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1239 " %d, type = %d, hslen = %d",
1240 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1241
1242 /*
1243 * Additional checks to validate the handshake header
1244 */
1245 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1246 {
1247 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1248 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1249 }
1250
1251 if( ssl->in_msglen < ssl->in_hslen )
1252 {
1253 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1254 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1255 }
1256
1257 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1258 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1259 }
1260
1261 if( ssl->in_msgtype == SSL_MSG_ALERT )
1262 {
1263 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1264 ssl->in_msg[0], ssl->in_msg[1] ) );
1265
1266 /*
1267 * Ignore non-fatal alerts, except close_notify
1268 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1269 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1270 {
1271 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1272 /**
1273 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1274 * error identifier.
1275 */
1276 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1277 }
1278
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1279 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1280 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1281 {
1282 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1283 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1284 }
1285 }
1286
1287 ssl->in_left = 0;
1288
1289 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1290
1291 return( 0 );
1292}
1293
1294/*
1295 * Handshake functions
1296 */
1297int ssl_write_certificate( ssl_context *ssl )
1298{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1299 int ret;
1300 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1301 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302
1303 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1304
1305 if( ssl->endpoint == SSL_IS_CLIENT )
1306 {
1307 if( ssl->client_auth == 0 )
1308 {
1309 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1310 ssl->state++;
1311 return( 0 );
1312 }
1313
1314 /*
1315 * If using SSLv3 and got no cert, send an Alert message
1316 * (otherwise an empty Certificate message will be sent).
1317 */
1318 if( ssl->own_cert == NULL &&
1319 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1320 {
1321 ssl->out_msglen = 2;
1322 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1323 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1324 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325
1326 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1327 goto write_msg;
1328 }
1329 }
1330 else /* SSL_IS_SERVER */
1331 {
1332 if( ssl->own_cert == NULL )
1333 {
1334 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1335 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336 }
1337 }
1338
1339 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1340
1341 /*
1342 * 0 . 0 handshake type
1343 * 1 . 3 handshake length
1344 * 4 . 6 length of all certs
1345 * 7 . 9 length of cert. 1
1346 * 10 . n-1 peer certificate
1347 * n . n+2 length of cert. 2
1348 * n+3 . ... upper level cert, etc.
1349 */
1350 i = 7;
1351 crt = ssl->own_cert;
1352
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1353 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1354 {
1355 n = crt->raw.len;
1356 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1357 {
1358 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1359 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1360 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1361 }
1362
1363 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1364 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1365 ssl->out_msg[i + 2] = (unsigned char)( n );
1366
1367 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1368 i += n; crt = crt->next;
1369 }
1370
1371 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1372 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1373 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1374
1375 ssl->out_msglen = i;
1376 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1377 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1378
1379write_msg:
1380
1381 ssl->state++;
1382
1383 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1384 {
1385 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1386 return( ret );
1387 }
1388
1389 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1390
1391 return( 0 );
1392}
1393
1394int ssl_parse_certificate( ssl_context *ssl )
1395{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1396 int ret;
1397 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1398
1399 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1400
1401 if( ssl->endpoint == SSL_IS_SERVER &&
1402 ssl->authmode == SSL_VERIFY_NONE )
1403 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1404 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1405 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1406 ssl->state++;
1407 return( 0 );
1408 }
1409
1410 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1411 {
1412 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1413 return( ret );
1414 }
1415
1416 ssl->state++;
1417
1418 /*
1419 * Check if the client sent an empty certificate
1420 */
1421 if( ssl->endpoint == SSL_IS_SERVER &&
1422 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1423 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1424 if( ssl->in_msglen == 2 &&
1425 ssl->in_msgtype == SSL_MSG_ALERT &&
1426 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1427 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1428 {
1429 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1430
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1431 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1432 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1433 return( 0 );
1434 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1435 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1436 }
1437 }
1438
1439 if( ssl->endpoint == SSL_IS_SERVER &&
1440 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1441 {
1442 if( ssl->in_hslen == 7 &&
1443 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1444 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1445 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1446 {
1447 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1448
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1449 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1451 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1452 else
1453 return( 0 );
1454 }
1455 }
1456
1457 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1458 {
1459 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1460 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1461 }
1462
1463 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1464 {
1465 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1466 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1467 }
1468
1469 /*
1470 * Same message structure as in ssl_write_certificate()
1471 */
1472 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1473
1474 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1475 {
1476 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1477 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1478 }
1479
1480 if( ( ssl->peer_cert = (x509_cert *) malloc(
1481 sizeof( x509_cert ) ) ) == NULL )
1482 {
1483 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1484 sizeof( x509_cert ) ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1485 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1486 }
1487
1488 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1489
1490 i = 7;
1491
1492 while( i < ssl->in_hslen )
1493 {
1494 if( ssl->in_msg[i] != 0 )
1495 {
1496 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1497 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1498 }
1499
1500 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1501 | (unsigned int) ssl->in_msg[i + 2];
1502 i += 3;
1503
1504 if( n < 128 || i + n > ssl->in_hslen )
1505 {
1506 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1507 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1508 }
1509
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1510 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1511 if( ret != 0 )
1512 {
1513 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1514 return( ret );
1515 }
1516
1517 i += n;
1518 }
1519
1520 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1521
1522 if( ssl->authmode != SSL_VERIFY_NONE )
1523 {
1524 if( ssl->ca_chain == NULL )
1525 {
1526 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1527 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1528 }
1529
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1530 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1531 ssl->peer_cn, &ssl->verify_result,
1532 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1533
1534 if( ret != 0 )
1535 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1536
1537 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1538 ret = 0;
1539 }
1540
1541 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1542
1543 return( ret );
1544}
1545
1546int ssl_write_change_cipher_spec( ssl_context *ssl )
1547{
1548 int ret;
1549
1550 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1551
1552 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1553 ssl->out_msglen = 1;
1554 ssl->out_msg[0] = 1;
1555
1556 ssl->do_crypt = 0;
1557 ssl->state++;
1558
1559 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1560 {
1561 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1562 return( ret );
1563 }
1564
1565 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1566
1567 return( 0 );
1568}
1569
1570int ssl_parse_change_cipher_spec( ssl_context *ssl )
1571{
1572 int ret;
1573
1574 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1575
1576 ssl->do_crypt = 0;
1577
1578 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1579 {
1580 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1581 return( ret );
1582 }
1583
1584 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1585 {
1586 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1587 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1588 }
1589
1590 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1591 {
1592 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1593 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1594 }
1595
1596 ssl->state++;
1597
1598 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1599
1600 return( 0 );
1601}
1602
1603static void ssl_calc_finished(
1604 ssl_context *ssl, unsigned char *buf, int from,
1605 md5_context *md5, sha1_context *sha1 )
1606{
1607 int len = 12;
1608 char *sender;
1609 unsigned char padbuf[48];
1610 unsigned char md5sum[16];
1611 unsigned char sha1sum[20];
1612
1613 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1614
1615 /*
1616 * SSLv3:
1617 * hash =
1618 * MD5( master + pad2 +
1619 * MD5( handshake + sender + master + pad1 ) )
1620 * + SHA1( master + pad2 +
1621 * SHA1( handshake + sender + master + pad1 ) )
1622 *
1623 * TLSv1:
1624 * hash = PRF( master, finished_label,
1625 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1626 */
1627
1628 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1629 md5->state, sizeof( md5->state ) );
1630
1631 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1632 sha1->state, sizeof( sha1->state ) );
1633
1634 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1635 {
1636 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1637 : (char *) "SRVR";
1638
1639 memset( padbuf, 0x36, 48 );
1640
1641 md5_update( md5, (unsigned char *) sender, 4 );
1642 md5_update( md5, ssl->session->master, 48 );
1643 md5_update( md5, padbuf, 48 );
1644 md5_finish( md5, md5sum );
1645
1646 sha1_update( sha1, (unsigned char *) sender, 4 );
1647 sha1_update( sha1, ssl->session->master, 48 );
1648 sha1_update( sha1, padbuf, 40 );
1649 sha1_finish( sha1, sha1sum );
1650
1651 memset( padbuf, 0x5C, 48 );
1652
1653 md5_starts( md5 );
1654 md5_update( md5, ssl->session->master, 48 );
1655 md5_update( md5, padbuf, 48 );
1656 md5_update( md5, md5sum, 16 );
1657 md5_finish( md5, buf );
1658
1659 sha1_starts( sha1 );
1660 sha1_update( sha1, ssl->session->master, 48 );
1661 sha1_update( sha1, padbuf , 40 );
1662 sha1_update( sha1, sha1sum, 20 );
1663 sha1_finish( sha1, buf + 16 );
1664
1665 len += 24;
1666 }
1667 else
1668 {
1669 sender = ( from == SSL_IS_CLIENT )
1670 ? (char *) "client finished"
1671 : (char *) "server finished";
1672
1673 md5_finish( md5, padbuf );
1674 sha1_finish( sha1, padbuf + 16 );
1675
1676 tls1_prf( ssl->session->master, 48, sender,
1677 padbuf, 36, buf, len );
1678 }
1679
1680 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1681
1682 memset( md5, 0, sizeof( md5_context ) );
1683 memset( sha1, 0, sizeof( sha1_context ) );
1684
1685 memset( padbuf, 0, sizeof( padbuf ) );
1686 memset( md5sum, 0, sizeof( md5sum ) );
1687 memset( sha1sum, 0, sizeof( sha1sum ) );
1688
1689 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1690}
1691
1692int ssl_write_finished( ssl_context *ssl )
1693{
1694 int ret, hash_len;
1695 md5_context md5;
1696 sha1_context sha1;
1697
1698 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1699
1700 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1701 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1702
1703 ssl_calc_finished( ssl, ssl->out_msg + 4,
1704 ssl->endpoint, &md5, &sha1 );
1705
1706 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1707
1708 ssl->out_msglen = 4 + hash_len;
1709 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1710 ssl->out_msg[0] = SSL_HS_FINISHED;
1711
1712 /*
1713 * In case of session resuming, invert the client and server
1714 * ChangeCipherSpec messages order.
1715 */
1716 if( ssl->resume != 0 )
1717 {
1718 if( ssl->endpoint == SSL_IS_CLIENT )
1719 ssl->state = SSL_HANDSHAKE_OVER;
1720 else
1721 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1722 }
1723 else
1724 ssl->state++;
1725
1726 ssl->do_crypt = 1;
1727
1728 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1729 {
1730 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1731 return( ret );
1732 }
1733
1734 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1735
1736 return( 0 );
1737}
1738
1739int ssl_parse_finished( ssl_context *ssl )
1740{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1741 int ret;
1742 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1743 unsigned char buf[36];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1744 md5_context md5;
1745 sha1_context sha1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1746
1747 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1748
1749 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1750 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1751
1752 ssl->do_crypt = 1;
1753
1754 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1755 {
1756 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1757 return( ret );
1758 }
1759
1760 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1761 {
1762 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1763 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1764 }
1765
1766 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1767
1768 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1769 ssl->in_hslen != 4 + hash_len )
1770 {
1771 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1772 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1773 }
1774
1775 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1776
1777 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1778 {
1779 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1780 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1781 }
1782
1783 if( ssl->resume != 0 )
1784 {
1785 if( ssl->endpoint == SSL_IS_CLIENT )
1786 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1787
1788 if( ssl->endpoint == SSL_IS_SERVER )
1789 ssl->state = SSL_HANDSHAKE_OVER;
1790 }
1791 else
1792 ssl->state++;
1793
1794 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1795
1796 return( 0 );
1797}
1798
1799/*
1800 * Initialize an SSL context
1801 */
1802int ssl_init( ssl_context *ssl )
1803{
1804 int len = SSL_BUFFER_LEN;
1805
1806 memset( ssl, 0, sizeof( ssl_context ) );
1807
1808 ssl->in_ctr = (unsigned char *) malloc( len );
1809 ssl->in_hdr = ssl->in_ctr + 8;
1810 ssl->in_msg = ssl->in_ctr + 13;
1811
1812 if( ssl->in_ctr == NULL )
1813 {
1814 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1815 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816 }
1817
1818 ssl->out_ctr = (unsigned char *) malloc( len );
1819 ssl->out_hdr = ssl->out_ctr + 8;
1820 ssl->out_msg = ssl->out_ctr + 13;
1821
1822 if( ssl->out_ctr == NULL )
1823 {
1824 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1825 free( ssl-> in_ctr );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1826 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1827 }
1828
1829 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1830 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1831
1832 ssl->hostname = NULL;
1833 ssl->hostname_len = 0;
1834
1835 md5_starts( &ssl->fin_md5 );
1836 sha1_starts( &ssl->fin_sha1 );
1837
1838 return( 0 );
1839}
1840
1841/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]1842 * Reset an initialized and used SSL context for re-use while retaining
1843 * all application-set variables, function pointers and data.
1844 */
1845void ssl_session_reset( ssl_context *ssl )
1846{
1847 ssl->state = SSL_HELLO_REQUEST;
1848
1849 ssl->in_offt = NULL;
1850
1851 ssl->in_msgtype = 0;
1852 ssl->in_msglen = 0;
1853 ssl->in_left = 0;
1854
1855 ssl->in_hslen = 0;
1856 ssl->nb_zero = 0;
1857
1858 ssl->out_msgtype = 0;
1859 ssl->out_msglen = 0;
1860 ssl->out_left = 0;
1861
1862 ssl->do_crypt = 0;
1863 ssl->pmslen = 0;
1864 ssl->keylen = 0;
1865 ssl->minlen = 0;
1866 ssl->ivlen = 0;
1867 ssl->maclen = 0;
1868
1869 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1870 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
1871 memset( ssl->randbytes, 0, 64 );
1872 memset( ssl->premaster, 0, 256 );
1873 memset( ssl->iv_enc, 0, 16 );
1874 memset( ssl->iv_dec, 0, 16 );
1875 memset( ssl->mac_enc, 0, 32 );
1876 memset( ssl->mac_dec, 0, 32 );
1877 memset( ssl->ctx_enc, 0, 128 );
1878 memset( ssl->ctx_dec, 0, 128 );
1879
1880 md5_starts( &ssl->fin_md5 );
1881 sha1_starts( &ssl->fin_sha1 );
1882}
1883
1884/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885 * SSL set accessors
1886 */
1887void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1888{
1889 ssl->endpoint = endpoint;
1890}
1891
1892void ssl_set_authmode( ssl_context *ssl, int authmode )
1893{
1894 ssl->authmode = authmode;
1895}
1896
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1897void ssl_set_verify( ssl_context *ssl,
1898 int (*f_vrfy)(void *, x509_cert *, int, int),
1899 void *p_vrfy )
1900{
1901 ssl->f_vrfy = f_vrfy;
1902 ssl->p_vrfy = p_vrfy;
1903}
1904
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1905void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1906 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1907 void *p_rng )
1908{
1909 ssl->f_rng = f_rng;
1910 ssl->p_rng = p_rng;
1911}
1912
1913void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1914 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915 void *p_dbg )
1916{
1917 ssl->f_dbg = f_dbg;
1918 ssl->p_dbg = p_dbg;
1919}
1920
1921void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1922 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]1923 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1924{
1925 ssl->f_recv = f_recv;
1926 ssl->f_send = f_send;
1927 ssl->p_recv = p_recv;
1928 ssl->p_send = p_send;
1929}
1930
1931void ssl_set_scb( ssl_context *ssl,
1932 int (*s_get)(ssl_context *),
1933 int (*s_set)(ssl_context *) )
1934{
1935 ssl->s_get = s_get;
1936 ssl->s_set = s_set;
1937}
1938
1939void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1940 ssl_session *session )
1941{
1942 ssl->resume = resume;
1943 ssl->timeout = timeout;
1944 ssl->session = session;
1945}
1946
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1947void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1948{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1949 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1950}
1951
1952void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]1953 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1954{
1955 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1956 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1957 ssl->peer_cn = peer_cn;
1958}
1959
1960void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1961 rsa_context *rsa_key )
1962{
1963 ssl->own_cert = own_cert;
1964 ssl->rsa_key = rsa_key;
1965}
1966
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1967#if defined(POLARSSL_PKCS11_C)
1968void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
1969 pkcs11_context *pkcs11_key )
1970{
1971 ssl->own_cert = own_cert;
1972 ssl->pkcs11_key = pkcs11_key;
1973}
1974#endif
1975
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1976int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1977{
1978 int ret;
1979
1980 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1981 {
1982 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1983 return( ret );
1984 }
1985
1986 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1987 {
1988 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1989 return( ret );
1990 }
1991
1992 return( 0 );
1993}
1994
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]1995int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
1996{
1997 int ret;
1998
1999 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2000 {
2001 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2002 return( ret );
2003 }
2004
2005 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2006 {
2007 SSL_DEBUG_RET( 1, "mpi_copy", ret );
2008 return( ret );
2009 }
2010
2011 return( 0 );
2012}
2013
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2014int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2015{
2016 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2017 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018
2019 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2020 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]2022 if( ssl->hostname == NULL )
2023 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2024
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025 memcpy( ssl->hostname, (unsigned char *) hostname,
2026 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2027
2028 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029
2030 return( 0 );
2031}
2032
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2033void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2034{
2035 ssl->max_major_ver = major;
2036 ssl->max_minor_ver = minor;
2037}
2038
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2039/*
2040 * SSL get accessors
2041 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2042size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2043{
2044 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2045}
2046
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2047int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2048{
2049 return( ssl->verify_result );
2050}
2051
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2052const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2053{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2054 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2055 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2056#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2058 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2059
2060 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2061 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2062#endif
2063
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2064#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2065 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2066 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2067
2068 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2069 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2070#endif
2071
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2072#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2073 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2074 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2075
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2076 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2077 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2078
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2079 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2080 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2081
2082 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2083 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2084#endif
2085
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2086#if defined(POLARSSL_CAMELLIA_C)
2087 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2088 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2089
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2090 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2091 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2092
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2093 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2094 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2095
2096 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2097 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2098#endif
2099
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2100#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2101#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2102 case SSL_RSA_NULL_MD5:
2103 return( "SSL-RSA-NULL-MD5" );
2104 case SSL_RSA_NULL_SHA:
2105 return( "SSL-RSA-NULL-SHA" );
2106 case SSL_RSA_NULL_SHA256:
2107 return( "SSL-RSA-NULL-SHA256" );
2108#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2109
2110#if defined(POLARSSL_DES_C)
2111 case SSL_RSA_DES_SHA:
2112 return( "SSL-RSA-DES-SHA" );
2113 case SSL_EDH_RSA_DES_SHA:
2114 return( "SSL-EDH-RSA-DES-SHA" );
2115#endif
2116#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2117
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2118 default:
2119 break;
2120 }
2121
2122 return( "unknown" );
2123}
2124
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2125int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2126{
2127#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2128 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2129 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2130 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2131 return( SSL_RSA_RC4_128_SHA );
2132#endif
2133
2134#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2135 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2136 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2137 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2138 return( SSL_EDH_RSA_DES_168_SHA );
2139#endif
2140
2141#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2142 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2143 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2144 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2145 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2146 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2147 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2148 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2149 return( SSL_EDH_RSA_AES_256_SHA );
2150#endif
2151
2152#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2153 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2154 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2155 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2156 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2157 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2158 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2159 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2160 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
2161#endif
2162
Paul Bakkerfab5c822012-02-06 16:45:10 +0000[diff] [blame]2163#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2164#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2165 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
2166 return( SSL_RSA_NULL_MD5 );
2167 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
2168 return( SSL_RSA_NULL_SHA );
2169 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
2170 return( SSL_RSA_NULL_SHA256 );
2171#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2172
2173#if defined(POLARSSL_DES_C)
2174 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
2175 return( SSL_RSA_DES_SHA );
2176 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
2177 return( SSL_EDH_RSA_DES_SHA );
2178#endif
2179#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2180
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2181 return( 0 );
2182}
2183
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2184const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2185{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2186 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2187}
2188
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2189const char *ssl_get_version( const ssl_context *ssl )
2190{
2191 switch( ssl->minor_ver )
2192 {
2193 case SSL_MINOR_VERSION_0:
2194 return( "SSLv3.0" );
2195
2196 case SSL_MINOR_VERSION_1:
2197 return( "TLSv1.0" );
2198
2199 case SSL_MINOR_VERSION_2:
2200 return( "TLSv1.1" );
2201
2202 default:
2203 break;
2204 }
2205 return( "unknown" );
2206}
2207
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2208int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2209{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2210#if defined(POLARSSL_DHM_C)
2211#if defined(POLARSSL_AES_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2212 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2213 SSL_EDH_RSA_AES_256_SHA,
2214#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2215#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2216 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2217 SSL_EDH_RSA_CAMELLIA_256_SHA,
2218#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2219#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2220 SSL_EDH_RSA_DES_168_SHA,
2221#endif
2222#endif
2223
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2224#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2225 SSL_RSA_AES_256_SHA,
2226#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2227#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2228 SSL_RSA_CAMELLIA_256_SHA,
2229#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2230#if defined(POLARSSL_AES_C)
2231 SSL_RSA_AES_128_SHA,
2232#endif
2233#if defined(POLARSSL_CAMELLIA_C)
2234 SSL_RSA_CAMELLIA_128_SHA,
2235#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2236#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2237 SSL_RSA_DES_168_SHA,
2238#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2239#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2240 SSL_RSA_RC4_128_SHA,
2241 SSL_RSA_RC4_128_MD5,
2242#endif
2243 0
2244};
2245
2246/*
2247 * Perform the SSL handshake
2248 */
2249int ssl_handshake( ssl_context *ssl )
2250{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2251 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2252
2253 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
2254
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2255#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256 if( ssl->endpoint == SSL_IS_CLIENT )
2257 ret = ssl_handshake_client( ssl );
2258#endif
2259
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2260#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2261 if( ssl->endpoint == SSL_IS_SERVER )
2262 ret = ssl_handshake_server( ssl );
2263#endif
2264
2265 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
2266
2267 return( ret );
2268}
2269
2270/*
2271 * Receive application data decrypted from the SSL layer
2272 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2273int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2274{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2275 int ret;
2276 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2277
2278 SSL_DEBUG_MSG( 2, ( "=> read" ) );
2279
2280 if( ssl->state != SSL_HANDSHAKE_OVER )
2281 {
2282 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2283 {
2284 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2285 return( ret );
2286 }
2287 }
2288
2289 if( ssl->in_offt == NULL )
2290 {
2291 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2292 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2293 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2294 return( 0 );
2295
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2296 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2297 return( ret );
2298 }
2299
2300 if( ssl->in_msglen == 0 &&
2301 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
2302 {
2303 /*
2304 * OpenSSL sends empty messages to randomize the IV
2305 */
2306 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2307 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2308 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2309 return( 0 );
2310
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2311 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2312 return( ret );
2313 }
2314 }
2315
2316 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2317 {
2318 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2319 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2320 }
2321
2322 ssl->in_offt = ssl->in_msg;
2323 }
2324
2325 n = ( len < ssl->in_msglen )
2326 ? len : ssl->in_msglen;
2327
2328 memcpy( buf, ssl->in_offt, n );
2329 ssl->in_msglen -= n;
2330
2331 if( ssl->in_msglen == 0 )
2332 /* all bytes consumed */
2333 ssl->in_offt = NULL;
2334 else
2335 /* more data available */
2336 ssl->in_offt += n;
2337
2338 SSL_DEBUG_MSG( 2, ( "<= read" ) );
2339
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2340 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2341}
2342
2343/*
2344 * Send application data to be encrypted by the SSL layer
2345 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2346int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2347{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2348 int ret;
2349 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2350
2351 SSL_DEBUG_MSG( 2, ( "=> write" ) );
2352
2353 if( ssl->state != SSL_HANDSHAKE_OVER )
2354 {
2355 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2356 {
2357 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2358 return( ret );
2359 }
2360 }
2361
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2362 n = ( len < SSL_MAX_CONTENT_LEN )
2363 ? len : SSL_MAX_CONTENT_LEN;
2364
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2365 if( ssl->out_left != 0 )
2366 {
2367 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2368 {
2369 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2370 return( ret );
2371 }
2372 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2373 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]2374 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2375 ssl->out_msglen = n;
2376 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
2377 memcpy( ssl->out_msg, buf, n );
2378
2379 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2380 {
2381 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2382 return( ret );
2383 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2384 }
2385
2386 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2387
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2388 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2389}
2390
2391/*
2392 * Notify the peer that the connection is being closed
2393 */
2394int ssl_close_notify( ssl_context *ssl )
2395{
2396 int ret;
2397
2398 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
2399
2400 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2401 {
2402 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2403 return( ret );
2404 }
2405
2406 if( ssl->state == SSL_HANDSHAKE_OVER )
2407 {
2408 ssl->out_msgtype = SSL_MSG_ALERT;
2409 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2410 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2411 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2412
2413 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2414 {
2415 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2416 return( ret );
2417 }
2418 }
2419
2420 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2421
2422 return( ret );
2423}
2424
2425/*
2426 * Free an SSL context
2427 */
2428void ssl_free( ssl_context *ssl )
2429{
2430 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2431
2432 if( ssl->peer_cert != NULL )
2433 {
2434 x509_free( ssl->peer_cert );
2435 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2436 free( ssl->peer_cert );
2437 }
2438
2439 if( ssl->out_ctr != NULL )
2440 {
2441 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2442 free( ssl->out_ctr );
2443 }
2444
2445 if( ssl->in_ctr != NULL )
2446 {
2447 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2448 free( ssl->in_ctr );
2449 }
2450
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2451#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2452 dhm_free( &ssl->dhm_ctx );
2453#endif
2454
2455 if ( ssl->hostname != NULL)
2456 {
2457 memset( ssl->hostname, 0, ssl->hostname_len );
2458 free( ssl->hostname );
2459 ssl->hostname_len = 0;
2460 }
2461
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2462 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2463
2464 /* Actually free after last debug message */
2465 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2466}
2467
2468#endif