TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / af5c85fc1087d045641e3daa0634e75d367e4ae4 / . / library / ssl_tls.c
blob: 3875e9994d392af0e5e5803926b324ec94d15047 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
45#include <string.h>
46#include <stdlib.h>
47#include <time.h>
48
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame^]49#if defined _MSC_VER && !defined strcasecmp
50#define strcasecmp _stricmp
51#endif
52
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53/*
54 * Key material generation
55 */
56static int tls1_prf( unsigned char *secret, int slen, char *label,
57 unsigned char *random, int rlen,
58 unsigned char *dstbuf, int dlen )
59{
60 int nb, hs;
61 int i, j, k;
62 unsigned char *S1, *S2;
63 unsigned char tmp[128];
64 unsigned char h_i[20];
65
66 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]67 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68
69 hs = ( slen + 1 ) / 2;
70 S1 = secret;
71 S2 = secret + slen - hs;
72
73 nb = strlen( label );
74 memcpy( tmp + 20, label, nb );
75 memcpy( tmp + 20 + nb, random, rlen );
76 nb += rlen;
77
78 /*
79 * First compute P_md5(secret,label+random)[0..dlen]
80 */
81 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
82
83 for( i = 0; i < dlen; i += 16 )
84 {
85 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
86 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
87
88 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
89
90 for( j = 0; j < k; j++ )
91 dstbuf[i + j] = h_i[j];
92 }
93
94 /*
95 * XOR out with P_sha1(secret,label+random)[0..dlen]
96 */
97 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
98
99 for( i = 0; i < dlen; i += 20 )
100 {
101 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
102 sha1_hmac( S2, hs, tmp, 20, tmp );
103
104 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
105
106 for( j = 0; j < k; j++ )
107 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
108 }
109
110 memset( tmp, 0, sizeof( tmp ) );
111 memset( h_i, 0, sizeof( h_i ) );
112
113 return( 0 );
114}
115
116int ssl_derive_keys( ssl_context *ssl )
117{
118 int i;
119 md5_context md5;
120 sha1_context sha1;
121 unsigned char tmp[64];
122 unsigned char padding[16];
123 unsigned char sha1sum[20];
124 unsigned char keyblk[256];
125 unsigned char *key1;
126 unsigned char *key2;
127
128 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
129
130 /*
131 * SSLv3:
132 * master =
133 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
134 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
135 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
136 *
137 * TLSv1:
138 * master = PRF( premaster, "master secret", randbytes )[0..47]
139 */
140 if( ssl->resume == 0 )
141 {
142 int len = ssl->pmslen;
143
144 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
145
146 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
147 {
148 for( i = 0; i < 3; i++ )
149 {
150 memset( padding, 'A' + i, 1 + i );
151
152 sha1_starts( &sha1 );
153 sha1_update( &sha1, padding, 1 + i );
154 sha1_update( &sha1, ssl->premaster, len );
155 sha1_update( &sha1, ssl->randbytes, 64 );
156 sha1_finish( &sha1, sha1sum );
157
158 md5_starts( &md5 );
159 md5_update( &md5, ssl->premaster, len );
160 md5_update( &md5, sha1sum, 20 );
161 md5_finish( &md5, ssl->session->master + i * 16 );
162 }
163 }
164 else
165 tls1_prf( ssl->premaster, len, "master secret",
166 ssl->randbytes, 64, ssl->session->master, 48 );
167
168 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
169 }
170 else
171 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
172
173 /*
174 * Swap the client and server random values.
175 */
176 memcpy( tmp, ssl->randbytes, 64 );
177 memcpy( ssl->randbytes, tmp + 32, 32 );
178 memcpy( ssl->randbytes + 32, tmp, 32 );
179 memset( tmp, 0, sizeof( tmp ) );
180
181 /*
182 * SSLv3:
183 * key block =
184 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
185 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
186 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
187 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
188 * ...
189 *
190 * TLSv1:
191 * key block = PRF( master, "key expansion", randbytes )
192 */
193 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
194 {
195 for( i = 0; i < 16; i++ )
196 {
197 memset( padding, 'A' + i, 1 + i );
198
199 sha1_starts( &sha1 );
200 sha1_update( &sha1, padding, 1 + i );
201 sha1_update( &sha1, ssl->session->master, 48 );
202 sha1_update( &sha1, ssl->randbytes, 64 );
203 sha1_finish( &sha1, sha1sum );
204
205 md5_starts( &md5 );
206 md5_update( &md5, ssl->session->master, 48 );
207 md5_update( &md5, sha1sum, 20 );
208 md5_finish( &md5, keyblk + i * 16 );
209 }
210
211 memset( &md5, 0, sizeof( md5 ) );
212 memset( &sha1, 0, sizeof( sha1 ) );
213
214 memset( padding, 0, sizeof( padding ) );
215 memset( sha1sum, 0, sizeof( sha1sum ) );
216 }
217 else
218 tls1_prf( ssl->session->master, 48, "key expansion",
219 ssl->randbytes, 64, keyblk, 256 );
220
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]221 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]222 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
223 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
224 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
225
226 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
227
228 /*
229 * Determine the appropriate key, IV and MAC length.
230 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]231 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]232 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]233#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234 case SSL_RSA_RC4_128_MD5:
235 ssl->keylen = 16; ssl->minlen = 16;
236 ssl->ivlen = 0; ssl->maclen = 16;
237 break;
238
239 case SSL_RSA_RC4_128_SHA:
240 ssl->keylen = 16; ssl->minlen = 20;
241 ssl->ivlen = 0; ssl->maclen = 20;
242 break;
243#endif
244
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]245#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]246 case SSL_RSA_DES_168_SHA:
247 case SSL_EDH_RSA_DES_168_SHA:
248 ssl->keylen = 24; ssl->minlen = 24;
249 ssl->ivlen = 8; ssl->maclen = 20;
250 break;
251#endif
252
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]253#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]254 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]255 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]256 ssl->keylen = 16; ssl->minlen = 32;
257 ssl->ivlen = 16; ssl->maclen = 20;
258 break;
259
260 case SSL_RSA_AES_256_SHA:
261 case SSL_EDH_RSA_AES_256_SHA:
262 ssl->keylen = 32; ssl->minlen = 32;
263 ssl->ivlen = 16; ssl->maclen = 20;
264 break;
265#endif
266
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]267#if defined(POLARSSL_CAMELLIA_C)
268 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]269 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]270 ssl->keylen = 16; ssl->minlen = 32;
271 ssl->ivlen = 16; ssl->maclen = 20;
272 break;
273
274 case SSL_RSA_CAMELLIA_256_SHA:
275 case SSL_EDH_RSA_CAMELLIA_256_SHA:
276 ssl->keylen = 32; ssl->minlen = 32;
277 ssl->ivlen = 16; ssl->maclen = 20;
278 break;
279#endif
280
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]281 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]282 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
283 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]284 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]285 }
286
287 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
288 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
289
290 /*
291 * Finally setup the cipher contexts, IVs and MAC secrets.
292 */
293 if( ssl->endpoint == SSL_IS_CLIENT )
294 {
295 key1 = keyblk + ssl->maclen * 2;
296 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
297
298 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
299 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
300
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]301 /*
302 * This is not used in TLS v1.1.
303 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]304 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
305 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
306 ssl->ivlen );
307 }
308 else
309 {
310 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
311 key2 = keyblk + ssl->maclen * 2;
312
313 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
314 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
315
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]316 /*
317 * This is not used in TLS v1.1.
318 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
320 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
321 ssl->ivlen );
322 }
323
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]324 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]326#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]327 case SSL_RSA_RC4_128_MD5:
328 case SSL_RSA_RC4_128_SHA:
329 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
330 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
331 break;
332#endif
333
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]334#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335 case SSL_RSA_DES_168_SHA:
336 case SSL_EDH_RSA_DES_168_SHA:
337 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
338 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
339 break;
340#endif
341
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]342#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]344 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
346 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
347 break;
348
349 case SSL_RSA_AES_256_SHA:
350 case SSL_EDH_RSA_AES_256_SHA:
351 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
352 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
353 break;
354#endif
355
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]356#if defined(POLARSSL_CAMELLIA_C)
357 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]358 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]359 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
360 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
361 break;
362
363 case SSL_RSA_CAMELLIA_256_SHA:
364 case SSL_EDH_RSA_CAMELLIA_256_SHA:
365 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
366 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
367 break;
368#endif
369
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]370 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]371 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]372 }
373
374 memset( keyblk, 0, sizeof( keyblk ) );
375
376 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
377
378 return( 0 );
379}
380
381void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
382{
383 md5_context md5;
384 sha1_context sha1;
385 unsigned char pad_1[48];
386 unsigned char pad_2[48];
387
388 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
389
390 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
391 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
392
393 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
394 {
395 memset( pad_1, 0x36, 48 );
396 memset( pad_2, 0x5C, 48 );
397
398 md5_update( &md5, ssl->session->master, 48 );
399 md5_update( &md5, pad_1, 48 );
400 md5_finish( &md5, hash );
401
402 md5_starts( &md5 );
403 md5_update( &md5, ssl->session->master, 48 );
404 md5_update( &md5, pad_2, 48 );
405 md5_update( &md5, hash, 16 );
406 md5_finish( &md5, hash );
407
408 sha1_update( &sha1, ssl->session->master, 48 );
409 sha1_update( &sha1, pad_1, 40 );
410 sha1_finish( &sha1, hash + 16 );
411
412 sha1_starts( &sha1 );
413 sha1_update( &sha1, ssl->session->master, 48 );
414 sha1_update( &sha1, pad_2, 40 );
415 sha1_update( &sha1, hash + 16, 20 );
416 sha1_finish( &sha1, hash + 16 );
417 }
418 else /* TLSv1 */
419 {
420 md5_finish( &md5, hash );
421 sha1_finish( &sha1, hash + 16 );
422 }
423
424 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
425 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
426
427 return;
428}
429
430/*
431 * SSLv3.0 MAC functions
432 */
433static void ssl_mac_md5( unsigned char *secret,
434 unsigned char *buf, int len,
435 unsigned char *ctr, int type )
436{
437 unsigned char header[11];
438 unsigned char padding[48];
439 md5_context md5;
440
441 memcpy( header, ctr, 8 );
442 header[ 8] = (unsigned char) type;
443 header[ 9] = (unsigned char)( len >> 8 );
444 header[10] = (unsigned char)( len );
445
446 memset( padding, 0x36, 48 );
447 md5_starts( &md5 );
448 md5_update( &md5, secret, 16 );
449 md5_update( &md5, padding, 48 );
450 md5_update( &md5, header, 11 );
451 md5_update( &md5, buf, len );
452 md5_finish( &md5, buf + len );
453
454 memset( padding, 0x5C, 48 );
455 md5_starts( &md5 );
456 md5_update( &md5, secret, 16 );
457 md5_update( &md5, padding, 48 );
458 md5_update( &md5, buf + len, 16 );
459 md5_finish( &md5, buf + len );
460}
461
462static void ssl_mac_sha1( unsigned char *secret,
463 unsigned char *buf, int len,
464 unsigned char *ctr, int type )
465{
466 unsigned char header[11];
467 unsigned char padding[40];
468 sha1_context sha1;
469
470 memcpy( header, ctr, 8 );
471 header[ 8] = (unsigned char) type;
472 header[ 9] = (unsigned char)( len >> 8 );
473 header[10] = (unsigned char)( len );
474
475 memset( padding, 0x36, 40 );
476 sha1_starts( &sha1 );
477 sha1_update( &sha1, secret, 20 );
478 sha1_update( &sha1, padding, 40 );
479 sha1_update( &sha1, header, 11 );
480 sha1_update( &sha1, buf, len );
481 sha1_finish( &sha1, buf + len );
482
483 memset( padding, 0x5C, 40 );
484 sha1_starts( &sha1 );
485 sha1_update( &sha1, secret, 20 );
486 sha1_update( &sha1, padding, 40 );
487 sha1_update( &sha1, buf + len, 20 );
488 sha1_finish( &sha1, buf + len );
489}
490
491/*
492 * Encryption/decryption functions
493 */
494static int ssl_encrypt_buf( ssl_context *ssl )
495{
496 int i, padlen;
497
498 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
499
500 /*
501 * Add MAC then encrypt
502 */
503 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
504 {
505 if( ssl->maclen == 16 )
506 ssl_mac_md5( ssl->mac_enc,
507 ssl->out_msg, ssl->out_msglen,
508 ssl->out_ctr, ssl->out_msgtype );
509
510 if( ssl->maclen == 20 )
511 ssl_mac_sha1( ssl->mac_enc,
512 ssl->out_msg, ssl->out_msglen,
513 ssl->out_ctr, ssl->out_msgtype );
514 }
515 else
516 {
517 if( ssl->maclen == 16 )
518 md5_hmac( ssl->mac_enc, 16,
519 ssl->out_ctr, ssl->out_msglen + 13,
520 ssl->out_msg + ssl->out_msglen );
521
522 if( ssl->maclen == 20 )
523 sha1_hmac( ssl->mac_enc, 20,
524 ssl->out_ctr, ssl->out_msglen + 13,
525 ssl->out_msg + ssl->out_msglen );
526 }
527
528 SSL_DEBUG_BUF( 4, "computed mac",
529 ssl->out_msg + ssl->out_msglen, ssl->maclen );
530
531 ssl->out_msglen += ssl->maclen;
532
533 for( i = 7; i >= 0; i-- )
534 if( ++ssl->out_ctr[i] != 0 )
535 break;
536
537 if( ssl->ivlen == 0 )
538 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]539#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]540 padlen = 0;
541
542 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
543 "including %d bytes of padding",
544 ssl->out_msglen, 0 ) );
545
546 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
547 ssl->out_msg, ssl->out_msglen );
548
549 arc4_crypt( (arc4_context *) ssl->ctx_enc,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]550 ssl->out_msglen, ssl->out_msg,
551 ssl->out_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]553 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554#endif
555 }
556 else
557 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]558 unsigned char *enc_msg;
559 int enc_msglen;
560
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
562 if( padlen == ssl->ivlen )
563 padlen = 0;
564
565 for( i = 0; i <= padlen; i++ )
566 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
567
568 ssl->out_msglen += padlen + 1;
569
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]570 enc_msglen = ssl->out_msglen;
571 enc_msg = ssl->out_msg;
572
573 /*
574 * Prepend per-record IV for block cipher in TLS v1.1 as per
575 * Method 1 (6.2.3.2. in RFC4346)
576 */
577 if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
578 {
579 /*
580 * Generate IV
581 */
582 for( i = 0; i < ssl->ivlen; i++ )
583 ssl->iv_enc[i] = ssl->f_rng( ssl->p_rng );
584
585 /*
586 * Shift message for ivlen bytes and prepend IV
587 */
588 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
589 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
590
591 /*
592 * Fix pointer positions and message length with added IV
593 */
594 enc_msg = ssl->out_msg + ssl->ivlen;
595 enc_msglen = ssl->out_msglen;
596 ssl->out_msglen += ssl->ivlen;
597 }
598
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]600 "including %d bytes of IV and %d bytes of padding",
601 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]602
603 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
604 ssl->out_msg, ssl->out_msglen );
605
606 switch( ssl->ivlen )
607 {
608 case 8:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]609#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]610 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]611 DES_ENCRYPT, enc_msglen,
612 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 break;
614#endif
615
616 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]617#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]618 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
619 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
620 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
621 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]622 {
623 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]624 AES_ENCRYPT, enc_msglen,
625 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]626 break;
627 }
628#endif
629
630#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]631 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
632 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
633 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
634 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]635 {
636 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]637 CAMELLIA_ENCRYPT, enc_msglen,
638 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]639 break;
640 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641#endif
642
643 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]644 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]645 }
646 }
647
648 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
649
650 return( 0 );
651}
652
653static int ssl_decrypt_buf( ssl_context *ssl )
654{
655 int i, padlen;
656 unsigned char tmp[20];
657
658 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
659
660 if( ssl->in_msglen < ssl->minlen )
661 {
662 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
663 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]664 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665 }
666
667 if( ssl->ivlen == 0 )
668 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]669#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]670 padlen = 0;
671 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]672 ssl->in_msglen, ssl->in_msg,
673 ssl->in_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]675 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]676#endif
677 }
678 else
679 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]680 unsigned char *dec_msg;
681 unsigned char *dec_msg_result;
682 int dec_msglen;
683
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684 /*
685 * Decrypt and check the padding
686 */
687 if( ssl->in_msglen % ssl->ivlen != 0 )
688 {
689 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
690 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]691 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692 }
693
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]694 dec_msglen = ssl->in_msglen;
695 dec_msg = ssl->in_msg;
696 dec_msg_result = ssl->in_msg;
697
698 /*
699 * Initialize for prepended IV for block cipher in TLS v1.1
700 */
701 if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
702 {
703 dec_msg += ssl->ivlen;
704 dec_msglen -= ssl->ivlen;
705 ssl->in_msglen -= ssl->ivlen;
706
707 for( i = 0; i < ssl->ivlen; i++ )
708 ssl->iv_dec[i] = ssl->in_msg[i];
709 }
710
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711 switch( ssl->ivlen )
712 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]713#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]714 case 8:
715 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]716 DES_DECRYPT, dec_msglen,
717 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]718 break;
719#endif
720
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]721 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]722#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]723 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
724 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
725 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
726 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]727 {
728 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]729 AES_DECRYPT, dec_msglen,
730 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]731 break;
732 }
733#endif
734
735#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]736 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
737 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
738 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
739 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]740 {
741 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]742 CAMELLIA_DECRYPT, dec_msglen,
743 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]744 break;
745 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]746#endif
747
748 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]749 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750 }
751
752 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
753
754 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
755 {
756 if( padlen > ssl->ivlen )
757 {
758 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
759 "should be no more than %d",
760 padlen, ssl->ivlen ) );
761 padlen = 0;
762 }
763 }
764 else
765 {
766 /*
767 * TLSv1: always check the padding
768 */
769 for( i = 1; i <= padlen; i++ )
770 {
771 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
772 {
773 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
774 "%02x, but is %02x", padlen - 1,
775 ssl->in_msg[ssl->in_msglen - i] ) );
776 padlen = 0;
777 }
778 }
779 }
780 }
781
782 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
783 ssl->in_msg, ssl->in_msglen );
784
785 /*
786 * Always compute the MAC (RFC4346, CBCTIME).
787 */
788 ssl->in_msglen -= ( ssl->maclen + padlen );
789
790 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
791 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
792
793 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
794
795 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
796 {
797 if( ssl->maclen == 16 )
798 ssl_mac_md5( ssl->mac_dec,
799 ssl->in_msg, ssl->in_msglen,
800 ssl->in_ctr, ssl->in_msgtype );
801 else
802 ssl_mac_sha1( ssl->mac_dec,
803 ssl->in_msg, ssl->in_msglen,
804 ssl->in_ctr, ssl->in_msgtype );
805 }
806 else
807 {
808 if( ssl->maclen == 16 )
809 md5_hmac( ssl->mac_dec, 16,
810 ssl->in_ctr, ssl->in_msglen + 13,
811 ssl->in_msg + ssl->in_msglen );
812 else
813 sha1_hmac( ssl->mac_dec, 20,
814 ssl->in_ctr, ssl->in_msglen + 13,
815 ssl->in_msg + ssl->in_msglen );
816 }
817
818 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
819 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
820 ssl->maclen );
821
822 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
823 ssl->maclen ) != 0 )
824 {
825 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]826 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]827 }
828
829 /*
830 * Finally check the padding length; bad padding
831 * will produce the same error as an invalid MAC.
832 */
833 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]834 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835
836 if( ssl->in_msglen == 0 )
837 {
838 ssl->nb_zero++;
839
840 /*
841 * Three or more empty messages may be a DoS attack
842 * (excessive CPU consumption).
843 */
844 if( ssl->nb_zero > 3 )
845 {
846 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
847 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]848 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]849 }
850 }
851 else
852 ssl->nb_zero = 0;
853
854 for( i = 7; i >= 0; i-- )
855 if( ++ssl->in_ctr[i] != 0 )
856 break;
857
858 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
859
860 return( 0 );
861}
862
863/*
864 * Fill the input message buffer
865 */
866int ssl_fetch_input( ssl_context *ssl, int nb_want )
867{
868 int ret, len;
869
870 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
871
872 while( ssl->in_left < nb_want )
873 {
874 len = nb_want - ssl->in_left;
875 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
876
877 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
878 ssl->in_left, nb_want ) );
879 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
880
881 if( ret < 0 )
882 return( ret );
883
884 ssl->in_left += ret;
885 }
886
887 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
888
889 return( 0 );
890}
891
892/*
893 * Flush any data not yet written
894 */
895int ssl_flush_output( ssl_context *ssl )
896{
897 int ret;
898 unsigned char *buf;
899
900 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
901
902 while( ssl->out_left > 0 )
903 {
904 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
905 5 + ssl->out_msglen, ssl->out_left ) );
906
907 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
908 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
909 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
910
911 if( ret <= 0 )
912 return( ret );
913
914 ssl->out_left -= ret;
915 }
916
917 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
918
919 return( 0 );
920}
921
922/*
923 * Record layer functions
924 */
925int ssl_write_record( ssl_context *ssl )
926{
927 int ret, len = ssl->out_msglen;
928
929 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
930
931 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
932 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
933 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
934 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
935 ssl->out_hdr[4] = (unsigned char)( len );
936
937 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
938 {
939 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
940 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
941 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
942
943 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
944 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
945 }
946
947 if( ssl->do_crypt != 0 )
948 {
949 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
950 {
951 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
952 return( ret );
953 }
954
955 len = ssl->out_msglen;
956 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
957 ssl->out_hdr[4] = (unsigned char)( len );
958 }
959
960 ssl->out_left = 5 + ssl->out_msglen;
961
962 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
963 "version = [%d:%d], msglen = %d",
964 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
965 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
966
967 SSL_DEBUG_BUF( 4, "output record sent to network",
968 ssl->out_hdr, 5 + ssl->out_msglen );
969
970 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
971 {
972 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
973 return( ret );
974 }
975
976 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
977
978 return( 0 );
979}
980
981int ssl_read_record( ssl_context *ssl )
982{
983 int ret;
984
985 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
986
987 if( ssl->in_hslen != 0 &&
988 ssl->in_hslen < ssl->in_msglen )
989 {
990 /*
991 * Get next Handshake message in the current record
992 */
993 ssl->in_msglen -= ssl->in_hslen;
994
995 memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
996 ssl->in_msglen );
997
998 ssl->in_hslen = 4;
999 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1000
1001 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1002 " %d, type = %d, hslen = %d",
1003 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1004
1005 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1006 {
1007 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1008 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1009 }
1010
1011 if( ssl->in_msglen < ssl->in_hslen )
1012 {
1013 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1014 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1015 }
1016
1017 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1018 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1019
1020 return( 0 );
1021 }
1022
1023 ssl->in_hslen = 0;
1024
1025 /*
1026 * Read the record header and validate it
1027 */
1028 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1029 {
1030 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1031 return( ret );
1032 }
1033
1034 ssl->in_msgtype = ssl->in_hdr[0];
1035 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1036
1037 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1038 "version = [%d:%d], msglen = %d",
1039 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1040 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1041
1042 if( ssl->in_hdr[1] != ssl->major_ver )
1043 {
1044 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1045 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046 }
1047
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1048 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 {
1050 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1051 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1052 }
1053
1054 /*
1055 * Make sure the message length is acceptable
1056 */
1057 if( ssl->do_crypt == 0 )
1058 {
1059 if( ssl->in_msglen < 1 ||
1060 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1061 {
1062 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1063 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064 }
1065 }
1066 else
1067 {
1068 if( ssl->in_msglen < ssl->minlen )
1069 {
1070 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1071 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072 }
1073
1074 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1075 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1076 {
1077 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1078 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079 }
1080
1081 /*
1082 * TLS encrypted messages can have up to 256 bytes of padding
1083 */
1084 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
1085 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1086 {
1087 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1088 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 }
1090 }
1091
1092 /*
1093 * Read and optionally decrypt the message contents
1094 */
1095 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1096 {
1097 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1098 return( ret );
1099 }
1100
1101 SSL_DEBUG_BUF( 4, "input record from network",
1102 ssl->in_hdr, 5 + ssl->in_msglen );
1103
1104 if( ssl->do_crypt != 0 )
1105 {
1106 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1107 {
1108 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1109 return( ret );
1110 }
1111
1112 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1113 ssl->in_msg, ssl->in_msglen );
1114
1115 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1116 {
1117 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1118 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119 }
1120 }
1121
1122 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1123 {
1124 ssl->in_hslen = 4;
1125 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1126
1127 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1128 " %d, type = %d, hslen = %d",
1129 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1130
1131 /*
1132 * Additional checks to validate the handshake header
1133 */
1134 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1135 {
1136 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1137 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1138 }
1139
1140 if( ssl->in_msglen < ssl->in_hslen )
1141 {
1142 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1143 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1144 }
1145
1146 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1147 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1148 }
1149
1150 if( ssl->in_msgtype == SSL_MSG_ALERT )
1151 {
1152 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1153 ssl->in_msg[0], ssl->in_msg[1] ) );
1154
1155 /*
1156 * Ignore non-fatal alerts, except close_notify
1157 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1158 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1159 {
1160 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1161 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE | ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1162 }
1163
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1164 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1165 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1166 {
1167 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1168 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1169 }
1170 }
1171
1172 ssl->in_left = 0;
1173
1174 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1175
1176 return( 0 );
1177}
1178
1179/*
1180 * Handshake functions
1181 */
1182int ssl_write_certificate( ssl_context *ssl )
1183{
1184 int ret, i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1185 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1186
1187 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1188
1189 if( ssl->endpoint == SSL_IS_CLIENT )
1190 {
1191 if( ssl->client_auth == 0 )
1192 {
1193 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1194 ssl->state++;
1195 return( 0 );
1196 }
1197
1198 /*
1199 * If using SSLv3 and got no cert, send an Alert message
1200 * (otherwise an empty Certificate message will be sent).
1201 */
1202 if( ssl->own_cert == NULL &&
1203 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1204 {
1205 ssl->out_msglen = 2;
1206 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1207 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1208 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1209
1210 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1211 goto write_msg;
1212 }
1213 }
1214 else /* SSL_IS_SERVER */
1215 {
1216 if( ssl->own_cert == NULL )
1217 {
1218 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1219 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1220 }
1221 }
1222
1223 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1224
1225 /*
1226 * 0 . 0 handshake type
1227 * 1 . 3 handshake length
1228 * 4 . 6 length of all certs
1229 * 7 . 9 length of cert. 1
1230 * 10 . n-1 peer certificate
1231 * n . n+2 length of cert. 2
1232 * n+3 . ... upper level cert, etc.
1233 */
1234 i = 7;
1235 crt = ssl->own_cert;
1236
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1237 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238 {
1239 n = crt->raw.len;
1240 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1241 {
1242 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1243 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1244 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1245 }
1246
1247 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1248 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1249 ssl->out_msg[i + 2] = (unsigned char)( n );
1250
1251 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1252 i += n; crt = crt->next;
1253 }
1254
1255 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1256 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1257 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1258
1259 ssl->out_msglen = i;
1260 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1261 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1262
1263write_msg:
1264
1265 ssl->state++;
1266
1267 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1268 {
1269 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1270 return( ret );
1271 }
1272
1273 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1274
1275 return( 0 );
1276}
1277
1278int ssl_parse_certificate( ssl_context *ssl )
1279{
1280 int ret, i, n;
1281
1282 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1283
1284 if( ssl->endpoint == SSL_IS_SERVER &&
1285 ssl->authmode == SSL_VERIFY_NONE )
1286 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1287 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1288 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1289 ssl->state++;
1290 return( 0 );
1291 }
1292
1293 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1294 {
1295 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1296 return( ret );
1297 }
1298
1299 ssl->state++;
1300
1301 /*
1302 * Check if the client sent an empty certificate
1303 */
1304 if( ssl->endpoint == SSL_IS_SERVER &&
1305 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1306 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1307 if( ssl->in_msglen == 2 &&
1308 ssl->in_msgtype == SSL_MSG_ALERT &&
1309 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1310 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1311 {
1312 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1313
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1314 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1315 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1316 return( 0 );
1317 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1318 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319 }
1320 }
1321
1322 if( ssl->endpoint == SSL_IS_SERVER &&
1323 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1324 {
1325 if( ssl->in_hslen == 7 &&
1326 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1327 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1328 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1329 {
1330 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1331
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1332 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1334 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1335 else
1336 return( 0 );
1337 }
1338 }
1339
1340 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1341 {
1342 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1343 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344 }
1345
1346 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1347 {
1348 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1349 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350 }
1351
1352 /*
1353 * Same message structure as in ssl_write_certificate()
1354 */
1355 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1356
1357 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1358 {
1359 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1360 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1361 }
1362
1363 if( ( ssl->peer_cert = (x509_cert *) malloc(
1364 sizeof( x509_cert ) ) ) == NULL )
1365 {
1366 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1367 sizeof( x509_cert ) ) );
1368 return( 1 );
1369 }
1370
1371 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1372
1373 i = 7;
1374
1375 while( i < ssl->in_hslen )
1376 {
1377 if( ssl->in_msg[i] != 0 )
1378 {
1379 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1380 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1381 }
1382
1383 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1384 | (unsigned int) ssl->in_msg[i + 2];
1385 i += 3;
1386
1387 if( n < 128 || i + n > ssl->in_hslen )
1388 {
1389 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1390 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1391 }
1392
1393 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
1394 if( ret != 0 )
1395 {
1396 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1397 return( ret );
1398 }
1399
1400 i += n;
1401 }
1402
1403 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1404
1405 if( ssl->authmode != SSL_VERIFY_NONE )
1406 {
1407 if( ssl->ca_chain == NULL )
1408 {
1409 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1410 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1411 }
1412
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1413 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1414 ssl->peer_cn, &ssl->verify_result,
1415 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1416
1417 if( ret != 0 )
1418 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1419
1420 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1421 ret = 0;
1422 }
1423
1424 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1425
1426 return( ret );
1427}
1428
1429int ssl_write_change_cipher_spec( ssl_context *ssl )
1430{
1431 int ret;
1432
1433 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1434
1435 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1436 ssl->out_msglen = 1;
1437 ssl->out_msg[0] = 1;
1438
1439 ssl->do_crypt = 0;
1440 ssl->state++;
1441
1442 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1443 {
1444 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1445 return( ret );
1446 }
1447
1448 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1449
1450 return( 0 );
1451}
1452
1453int ssl_parse_change_cipher_spec( ssl_context *ssl )
1454{
1455 int ret;
1456
1457 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1458
1459 ssl->do_crypt = 0;
1460
1461 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1462 {
1463 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1464 return( ret );
1465 }
1466
1467 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1468 {
1469 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1470 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1471 }
1472
1473 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1474 {
1475 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1476 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1477 }
1478
1479 ssl->state++;
1480
1481 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1482
1483 return( 0 );
1484}
1485
1486static void ssl_calc_finished(
1487 ssl_context *ssl, unsigned char *buf, int from,
1488 md5_context *md5, sha1_context *sha1 )
1489{
1490 int len = 12;
1491 char *sender;
1492 unsigned char padbuf[48];
1493 unsigned char md5sum[16];
1494 unsigned char sha1sum[20];
1495
1496 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1497
1498 /*
1499 * SSLv3:
1500 * hash =
1501 * MD5( master + pad2 +
1502 * MD5( handshake + sender + master + pad1 ) )
1503 * + SHA1( master + pad2 +
1504 * SHA1( handshake + sender + master + pad1 ) )
1505 *
1506 * TLSv1:
1507 * hash = PRF( master, finished_label,
1508 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1509 */
1510
1511 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1512 md5->state, sizeof( md5->state ) );
1513
1514 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1515 sha1->state, sizeof( sha1->state ) );
1516
1517 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1518 {
1519 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1520 : (char *) "SRVR";
1521
1522 memset( padbuf, 0x36, 48 );
1523
1524 md5_update( md5, (unsigned char *) sender, 4 );
1525 md5_update( md5, ssl->session->master, 48 );
1526 md5_update( md5, padbuf, 48 );
1527 md5_finish( md5, md5sum );
1528
1529 sha1_update( sha1, (unsigned char *) sender, 4 );
1530 sha1_update( sha1, ssl->session->master, 48 );
1531 sha1_update( sha1, padbuf, 40 );
1532 sha1_finish( sha1, sha1sum );
1533
1534 memset( padbuf, 0x5C, 48 );
1535
1536 md5_starts( md5 );
1537 md5_update( md5, ssl->session->master, 48 );
1538 md5_update( md5, padbuf, 48 );
1539 md5_update( md5, md5sum, 16 );
1540 md5_finish( md5, buf );
1541
1542 sha1_starts( sha1 );
1543 sha1_update( sha1, ssl->session->master, 48 );
1544 sha1_update( sha1, padbuf , 40 );
1545 sha1_update( sha1, sha1sum, 20 );
1546 sha1_finish( sha1, buf + 16 );
1547
1548 len += 24;
1549 }
1550 else
1551 {
1552 sender = ( from == SSL_IS_CLIENT )
1553 ? (char *) "client finished"
1554 : (char *) "server finished";
1555
1556 md5_finish( md5, padbuf );
1557 sha1_finish( sha1, padbuf + 16 );
1558
1559 tls1_prf( ssl->session->master, 48, sender,
1560 padbuf, 36, buf, len );
1561 }
1562
1563 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1564
1565 memset( md5, 0, sizeof( md5_context ) );
1566 memset( sha1, 0, sizeof( sha1_context ) );
1567
1568 memset( padbuf, 0, sizeof( padbuf ) );
1569 memset( md5sum, 0, sizeof( md5sum ) );
1570 memset( sha1sum, 0, sizeof( sha1sum ) );
1571
1572 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1573}
1574
1575int ssl_write_finished( ssl_context *ssl )
1576{
1577 int ret, hash_len;
1578 md5_context md5;
1579 sha1_context sha1;
1580
1581 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1582
1583 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1584 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1585
1586 ssl_calc_finished( ssl, ssl->out_msg + 4,
1587 ssl->endpoint, &md5, &sha1 );
1588
1589 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1590
1591 ssl->out_msglen = 4 + hash_len;
1592 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1593 ssl->out_msg[0] = SSL_HS_FINISHED;
1594
1595 /*
1596 * In case of session resuming, invert the client and server
1597 * ChangeCipherSpec messages order.
1598 */
1599 if( ssl->resume != 0 )
1600 {
1601 if( ssl->endpoint == SSL_IS_CLIENT )
1602 ssl->state = SSL_HANDSHAKE_OVER;
1603 else
1604 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1605 }
1606 else
1607 ssl->state++;
1608
1609 ssl->do_crypt = 1;
1610
1611 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1612 {
1613 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1614 return( ret );
1615 }
1616
1617 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1618
1619 return( 0 );
1620}
1621
1622int ssl_parse_finished( ssl_context *ssl )
1623{
1624 int ret, hash_len;
1625 md5_context md5;
1626 sha1_context sha1;
1627 unsigned char buf[36];
1628
1629 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1630
1631 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1632 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1633
1634 ssl->do_crypt = 1;
1635
1636 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1637 {
1638 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1639 return( ret );
1640 }
1641
1642 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1643 {
1644 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1645 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1646 }
1647
1648 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1649
1650 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1651 ssl->in_hslen != 4 + hash_len )
1652 {
1653 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1654 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1655 }
1656
1657 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1658
1659 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1660 {
1661 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1662 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1663 }
1664
1665 if( ssl->resume != 0 )
1666 {
1667 if( ssl->endpoint == SSL_IS_CLIENT )
1668 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1669
1670 if( ssl->endpoint == SSL_IS_SERVER )
1671 ssl->state = SSL_HANDSHAKE_OVER;
1672 }
1673 else
1674 ssl->state++;
1675
1676 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1677
1678 return( 0 );
1679}
1680
1681/*
1682 * Initialize an SSL context
1683 */
1684int ssl_init( ssl_context *ssl )
1685{
1686 int len = SSL_BUFFER_LEN;
1687
1688 memset( ssl, 0, sizeof( ssl_context ) );
1689
1690 ssl->in_ctr = (unsigned char *) malloc( len );
1691 ssl->in_hdr = ssl->in_ctr + 8;
1692 ssl->in_msg = ssl->in_ctr + 13;
1693
1694 if( ssl->in_ctr == NULL )
1695 {
1696 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1697 return( 1 );
1698 }
1699
1700 ssl->out_ctr = (unsigned char *) malloc( len );
1701 ssl->out_hdr = ssl->out_ctr + 8;
1702 ssl->out_msg = ssl->out_ctr + 13;
1703
1704 if( ssl->out_ctr == NULL )
1705 {
1706 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1707 free( ssl-> in_ctr );
1708 return( 1 );
1709 }
1710
1711 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1712 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1713
1714 ssl->hostname = NULL;
1715 ssl->hostname_len = 0;
1716
1717 md5_starts( &ssl->fin_md5 );
1718 sha1_starts( &ssl->fin_sha1 );
1719
1720 return( 0 );
1721}
1722
1723/*
1724 * SSL set accessors
1725 */
1726void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1727{
1728 ssl->endpoint = endpoint;
1729}
1730
1731void ssl_set_authmode( ssl_context *ssl, int authmode )
1732{
1733 ssl->authmode = authmode;
1734}
1735
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1736void ssl_set_verify( ssl_context *ssl,
1737 int (*f_vrfy)(void *, x509_cert *, int, int),
1738 void *p_vrfy )
1739{
1740 ssl->f_vrfy = f_vrfy;
1741 ssl->p_vrfy = p_vrfy;
1742}
1743
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744void ssl_set_rng( ssl_context *ssl,
1745 int (*f_rng)(void *),
1746 void *p_rng )
1747{
1748 ssl->f_rng = f_rng;
1749 ssl->p_rng = p_rng;
1750}
1751
1752void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1753 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1754 void *p_dbg )
1755{
1756 ssl->f_dbg = f_dbg;
1757 ssl->p_dbg = p_dbg;
1758}
1759
1760void ssl_set_bio( ssl_context *ssl,
1761 int (*f_recv)(void *, unsigned char *, int), void *p_recv,
1762 int (*f_send)(void *, unsigned char *, int), void *p_send )
1763{
1764 ssl->f_recv = f_recv;
1765 ssl->f_send = f_send;
1766 ssl->p_recv = p_recv;
1767 ssl->p_send = p_send;
1768}
1769
1770void ssl_set_scb( ssl_context *ssl,
1771 int (*s_get)(ssl_context *),
1772 int (*s_set)(ssl_context *) )
1773{
1774 ssl->s_get = s_get;
1775 ssl->s_set = s_set;
1776}
1777
1778void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1779 ssl_session *session )
1780{
1781 ssl->resume = resume;
1782 ssl->timeout = timeout;
1783 ssl->session = session;
1784}
1785
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1786void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1788 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1789}
1790
1791void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]1792 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1793{
1794 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1795 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1796 ssl->peer_cn = peer_cn;
1797}
1798
1799void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1800 rsa_context *rsa_key )
1801{
1802 ssl->own_cert = own_cert;
1803 ssl->rsa_key = rsa_key;
1804}
1805
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1806#if defined(POLARSSL_PKCS11_C)
1807void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
1808 pkcs11_context *pkcs11_key )
1809{
1810 ssl->own_cert = own_cert;
1811 ssl->pkcs11_key = pkcs11_key;
1812}
1813#endif
1814
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1815int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816{
1817 int ret;
1818
1819 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1820 {
1821 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1822 return( ret );
1823 }
1824
1825 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1826 {
1827 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1828 return( ret );
1829 }
1830
1831 return( 0 );
1832}
1833
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]1834int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
1835{
1836 int ret;
1837
1838 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
1839 {
1840 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1841 return( ret );
1842 }
1843
1844 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
1845 {
1846 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1847 return( ret );
1848 }
1849
1850 return( 0 );
1851}
1852
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1853int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1854{
1855 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1856 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857
1858 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1859 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860
1861 memcpy( ssl->hostname, (unsigned char *) hostname,
1862 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1863
1864 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865
1866 return( 0 );
1867}
1868
1869/*
1870 * SSL get accessors
1871 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1872int ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1873{
1874 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
1875}
1876
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1877int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878{
1879 return( ssl->verify_result );
1880}
1881
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1882const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1883{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1884 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1886#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1887 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1888 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889
1890 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1891 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1892#endif
1893
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1894#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1895 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1896 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897
1898 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1899 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900#endif
1901
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1902#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1904 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1905
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1906 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1907 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1908
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1910 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1911
1912 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1913 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914#endif
1915
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1916#if defined(POLARSSL_CAMELLIA_C)
1917 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1918 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1919
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1920 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1921 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]1922
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1923 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1924 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1925
1926 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1927 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1928#endif
1929
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930 default:
1931 break;
1932 }
1933
1934 return( "unknown" );
1935}
1936
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1937int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1938{
1939#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1940 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1941 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1942 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1943 return( SSL_RSA_RC4_128_SHA );
1944#endif
1945
1946#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1947 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1948 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1949 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1950 return( SSL_EDH_RSA_DES_168_SHA );
1951#endif
1952
1953#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1954 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1955 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1956 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1957 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1958 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1959 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1960 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1961 return( SSL_EDH_RSA_AES_256_SHA );
1962#endif
1963
1964#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1965 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1966 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1967 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1968 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1969 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1970 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1971 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1972 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
1973#endif
1974
1975 return( 0 );
1976}
1977
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1978const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1979{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1980 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]1981}
1982
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]1983const char *ssl_get_version( const ssl_context *ssl )
1984{
1985 switch( ssl->minor_ver )
1986 {
1987 case SSL_MINOR_VERSION_0:
1988 return( "SSLv3.0" );
1989
1990 case SSL_MINOR_VERSION_1:
1991 return( "TLSv1.0" );
1992
1993 case SSL_MINOR_VERSION_2:
1994 return( "TLSv1.1" );
1995
1996 default:
1997 break;
1998 }
1999 return( "unknown" );
2000}
2001
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2002int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2003{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2004#if defined(POLARSSL_DHM_C)
2005#if defined(POLARSSL_AES_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2006 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007 SSL_EDH_RSA_AES_256_SHA,
2008#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2009#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2010 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2011 SSL_EDH_RSA_CAMELLIA_256_SHA,
2012#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2013#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014 SSL_EDH_RSA_DES_168_SHA,
2015#endif
2016#endif
2017
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2018#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019 SSL_RSA_AES_256_SHA,
2020#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2021#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2022 SSL_RSA_CAMELLIA_256_SHA,
2023#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2024#if defined(POLARSSL_AES_C)
2025 SSL_RSA_AES_128_SHA,
2026#endif
2027#if defined(POLARSSL_CAMELLIA_C)
2028 SSL_RSA_CAMELLIA_128_SHA,
2029#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2030#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031 SSL_RSA_DES_168_SHA,
2032#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2033#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2034 SSL_RSA_RC4_128_SHA,
2035 SSL_RSA_RC4_128_MD5,
2036#endif
2037 0
2038};
2039
2040/*
2041 * Perform the SSL handshake
2042 */
2043int ssl_handshake( ssl_context *ssl )
2044{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2045 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046
2047 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
2048
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2049#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2050 if( ssl->endpoint == SSL_IS_CLIENT )
2051 ret = ssl_handshake_client( ssl );
2052#endif
2053
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2054#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2055 if( ssl->endpoint == SSL_IS_SERVER )
2056 ret = ssl_handshake_server( ssl );
2057#endif
2058
2059 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
2060
2061 return( ret );
2062}
2063
2064/*
2065 * Receive application data decrypted from the SSL layer
2066 */
2067int ssl_read( ssl_context *ssl, unsigned char *buf, int len )
2068{
2069 int ret, n;
2070
2071 SSL_DEBUG_MSG( 2, ( "=> read" ) );
2072
2073 if( ssl->state != SSL_HANDSHAKE_OVER )
2074 {
2075 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2076 {
2077 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2078 return( ret );
2079 }
2080 }
2081
2082 if( ssl->in_offt == NULL )
2083 {
2084 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2085 {
2086 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2087 return( ret );
2088 }
2089
2090 if( ssl->in_msglen == 0 &&
2091 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
2092 {
2093 /*
2094 * OpenSSL sends empty messages to randomize the IV
2095 */
2096 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2097 {
2098 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2099 return( ret );
2100 }
2101 }
2102
2103 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2104 {
2105 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2106 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2107 }
2108
2109 ssl->in_offt = ssl->in_msg;
2110 }
2111
2112 n = ( len < ssl->in_msglen )
2113 ? len : ssl->in_msglen;
2114
2115 memcpy( buf, ssl->in_offt, n );
2116 ssl->in_msglen -= n;
2117
2118 if( ssl->in_msglen == 0 )
2119 /* all bytes consumed */
2120 ssl->in_offt = NULL;
2121 else
2122 /* more data available */
2123 ssl->in_offt += n;
2124
2125 SSL_DEBUG_MSG( 2, ( "<= read" ) );
2126
2127 return( n );
2128}
2129
2130/*
2131 * Send application data to be encrypted by the SSL layer
2132 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2133int ssl_write( ssl_context *ssl, const unsigned char *buf, int len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2134{
2135 int ret, n;
2136
2137 SSL_DEBUG_MSG( 2, ( "=> write" ) );
2138
2139 if( ssl->state != SSL_HANDSHAKE_OVER )
2140 {
2141 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2142 {
2143 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2144 return( ret );
2145 }
2146 }
2147
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2148 if( ssl->out_left != 0 )
2149 {
2150 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2151 {
2152 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2153 return( ret );
2154 }
2155 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]2157 n = ( len < SSL_MAX_CONTENT_LEN )
2158 ? len : SSL_MAX_CONTENT_LEN;
2159
2160 ssl->out_msglen = n;
2161 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
2162 memcpy( ssl->out_msg, buf, n );
2163
2164 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2165 {
2166 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2167 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2168 }
2169
2170 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2171
2172 return( n );
2173}
2174
2175/*
2176 * Notify the peer that the connection is being closed
2177 */
2178int ssl_close_notify( ssl_context *ssl )
2179{
2180 int ret;
2181
2182 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
2183
2184 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2185 {
2186 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2187 return( ret );
2188 }
2189
2190 if( ssl->state == SSL_HANDSHAKE_OVER )
2191 {
2192 ssl->out_msgtype = SSL_MSG_ALERT;
2193 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2194 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2195 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2196
2197 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2198 {
2199 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2200 return( ret );
2201 }
2202 }
2203
2204 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2205
2206 return( ret );
2207}
2208
2209/*
2210 * Free an SSL context
2211 */
2212void ssl_free( ssl_context *ssl )
2213{
2214 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2215
2216 if( ssl->peer_cert != NULL )
2217 {
2218 x509_free( ssl->peer_cert );
2219 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2220 free( ssl->peer_cert );
2221 }
2222
2223 if( ssl->out_ctr != NULL )
2224 {
2225 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2226 free( ssl->out_ctr );
2227 }
2228
2229 if( ssl->in_ctr != NULL )
2230 {
2231 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2232 free( ssl->in_ctr );
2233 }
2234
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2235#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2236 dhm_free( &ssl->dhm_ctx );
2237#endif
2238
2239 if ( ssl->hostname != NULL)
2240 {
2241 memset( ssl->hostname, 0, ssl->hostname_len );
2242 free( ssl->hostname );
2243 ssl->hostname_len = 0;
2244 }
2245
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2246 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2247
2248 /* Actually free after last debug message */
2249 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2250}
2251
2252#endif