TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1ace1fdd4c33f550e6ced26a5de2ec542872f629 / . / library / ssl_tls.c
blob: def073b86a79a14df8b90e0b538b3f8b7ce5dbcc [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker785a9ee2009-01-25 14:15:10 +0000[diff] [blame]6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The SSL 3.0 specification was drafted by Netscape in 1996,
24 * and became an IETF standard in 1999.
25 *
26 * http://wp.netscape.com/eng/ssl3/
27 * http://www.ietf.org/rfc/rfc2246.txt
28 * http://www.ietf.org/rfc/rfc4346.txt
29 */
30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#include "polarssl/aes.h"
36#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]37#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/des.h"
39#include "polarssl/debug.h"
40#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]41
42#include <string.h>
43#include <stdlib.h>
44#include <time.h>
45
46/*
47 * Key material generation
48 */
49static int tls1_prf( unsigned char *secret, int slen, char *label,
50 unsigned char *random, int rlen,
51 unsigned char *dstbuf, int dlen )
52{
53 int nb, hs;
54 int i, j, k;
55 unsigned char *S1, *S2;
56 unsigned char tmp[128];
57 unsigned char h_i[20];
58
59 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]60 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61
62 hs = ( slen + 1 ) / 2;
63 S1 = secret;
64 S2 = secret + slen - hs;
65
66 nb = strlen( label );
67 memcpy( tmp + 20, label, nb );
68 memcpy( tmp + 20 + nb, random, rlen );
69 nb += rlen;
70
71 /*
72 * First compute P_md5(secret,label+random)[0..dlen]
73 */
74 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
75
76 for( i = 0; i < dlen; i += 16 )
77 {
78 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
79 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
80
81 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
82
83 for( j = 0; j < k; j++ )
84 dstbuf[i + j] = h_i[j];
85 }
86
87 /*
88 * XOR out with P_sha1(secret,label+random)[0..dlen]
89 */
90 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
91
92 for( i = 0; i < dlen; i += 20 )
93 {
94 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
95 sha1_hmac( S2, hs, tmp, 20, tmp );
96
97 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
98
99 for( j = 0; j < k; j++ )
100 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
101 }
102
103 memset( tmp, 0, sizeof( tmp ) );
104 memset( h_i, 0, sizeof( h_i ) );
105
106 return( 0 );
107}
108
109int ssl_derive_keys( ssl_context *ssl )
110{
111 int i;
112 md5_context md5;
113 sha1_context sha1;
114 unsigned char tmp[64];
115 unsigned char padding[16];
116 unsigned char sha1sum[20];
117 unsigned char keyblk[256];
118 unsigned char *key1;
119 unsigned char *key2;
120
121 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
122
123 /*
124 * SSLv3:
125 * master =
126 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
127 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
128 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
129 *
130 * TLSv1:
131 * master = PRF( premaster, "master secret", randbytes )[0..47]
132 */
133 if( ssl->resume == 0 )
134 {
135 int len = ssl->pmslen;
136
137 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
138
139 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
140 {
141 for( i = 0; i < 3; i++ )
142 {
143 memset( padding, 'A' + i, 1 + i );
144
145 sha1_starts( &sha1 );
146 sha1_update( &sha1, padding, 1 + i );
147 sha1_update( &sha1, ssl->premaster, len );
148 sha1_update( &sha1, ssl->randbytes, 64 );
149 sha1_finish( &sha1, sha1sum );
150
151 md5_starts( &md5 );
152 md5_update( &md5, ssl->premaster, len );
153 md5_update( &md5, sha1sum, 20 );
154 md5_finish( &md5, ssl->session->master + i * 16 );
155 }
156 }
157 else
158 tls1_prf( ssl->premaster, len, "master secret",
159 ssl->randbytes, 64, ssl->session->master, 48 );
160
161 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
162 }
163 else
164 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
165
166 /*
167 * Swap the client and server random values.
168 */
169 memcpy( tmp, ssl->randbytes, 64 );
170 memcpy( ssl->randbytes, tmp + 32, 32 );
171 memcpy( ssl->randbytes + 32, tmp, 32 );
172 memset( tmp, 0, sizeof( tmp ) );
173
174 /*
175 * SSLv3:
176 * key block =
177 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
178 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
179 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
180 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
181 * ...
182 *
183 * TLSv1:
184 * key block = PRF( master, "key expansion", randbytes )
185 */
186 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
187 {
188 for( i = 0; i < 16; i++ )
189 {
190 memset( padding, 'A' + i, 1 + i );
191
192 sha1_starts( &sha1 );
193 sha1_update( &sha1, padding, 1 + i );
194 sha1_update( &sha1, ssl->session->master, 48 );
195 sha1_update( &sha1, ssl->randbytes, 64 );
196 sha1_finish( &sha1, sha1sum );
197
198 md5_starts( &md5 );
199 md5_update( &md5, ssl->session->master, 48 );
200 md5_update( &md5, sha1sum, 20 );
201 md5_finish( &md5, keyblk + i * 16 );
202 }
203
204 memset( &md5, 0, sizeof( md5 ) );
205 memset( &sha1, 0, sizeof( sha1 ) );
206
207 memset( padding, 0, sizeof( padding ) );
208 memset( sha1sum, 0, sizeof( sha1sum ) );
209 }
210 else
211 tls1_prf( ssl->session->master, 48, "key expansion",
212 ssl->randbytes, 64, keyblk, 256 );
213
214 SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) );
215 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
216 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
217 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
218
219 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
220
221 /*
222 * Determine the appropriate key, IV and MAC length.
223 */
224 switch( ssl->session->cipher )
225 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]226#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]227 case SSL_RSA_RC4_128_MD5:
228 ssl->keylen = 16; ssl->minlen = 16;
229 ssl->ivlen = 0; ssl->maclen = 16;
230 break;
231
232 case SSL_RSA_RC4_128_SHA:
233 ssl->keylen = 16; ssl->minlen = 20;
234 ssl->ivlen = 0; ssl->maclen = 20;
235 break;
236#endif
237
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]238#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]239 case SSL_RSA_DES_168_SHA:
240 case SSL_EDH_RSA_DES_168_SHA:
241 ssl->keylen = 24; ssl->minlen = 24;
242 ssl->ivlen = 8; ssl->maclen = 20;
243 break;
244#endif
245
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]246#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]247 case SSL_RSA_AES_128_SHA:
248 ssl->keylen = 16; ssl->minlen = 32;
249 ssl->ivlen = 16; ssl->maclen = 20;
250 break;
251
252 case SSL_RSA_AES_256_SHA:
253 case SSL_EDH_RSA_AES_256_SHA:
254 ssl->keylen = 32; ssl->minlen = 32;
255 ssl->ivlen = 16; ssl->maclen = 20;
256 break;
257#endif
258
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]259#if defined(POLARSSL_CAMELLIA_C)
260 case SSL_RSA_CAMELLIA_128_SHA:
261 ssl->keylen = 16; ssl->minlen = 32;
262 ssl->ivlen = 16; ssl->maclen = 20;
263 break;
264
265 case SSL_RSA_CAMELLIA_256_SHA:
266 case SSL_EDH_RSA_CAMELLIA_256_SHA:
267 ssl->keylen = 32; ssl->minlen = 32;
268 ssl->ivlen = 16; ssl->maclen = 20;
269 break;
270#endif
271
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]272 default:
273 SSL_DEBUG_MSG( 1, ( "cipher %s is not available",
274 ssl_get_cipher( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]275 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]276 }
277
278 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
279 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
280
281 /*
282 * Finally setup the cipher contexts, IVs and MAC secrets.
283 */
284 if( ssl->endpoint == SSL_IS_CLIENT )
285 {
286 key1 = keyblk + ssl->maclen * 2;
287 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
288
289 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
290 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
291
292 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
293 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
294 ssl->ivlen );
295 }
296 else
297 {
298 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
299 key2 = keyblk + ssl->maclen * 2;
300
301 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
302 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
303
304 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
305 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
306 ssl->ivlen );
307 }
308
309 switch( ssl->session->cipher )
310 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]311#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312 case SSL_RSA_RC4_128_MD5:
313 case SSL_RSA_RC4_128_SHA:
314 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
315 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
316 break;
317#endif
318
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]319#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]320 case SSL_RSA_DES_168_SHA:
321 case SSL_EDH_RSA_DES_168_SHA:
322 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
323 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
324 break;
325#endif
326
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]327#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]328 case SSL_RSA_AES_128_SHA:
329 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
330 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
331 break;
332
333 case SSL_RSA_AES_256_SHA:
334 case SSL_EDH_RSA_AES_256_SHA:
335 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
336 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
337 break;
338#endif
339
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]340#if defined(POLARSSL_CAMELLIA_C)
341 case SSL_RSA_CAMELLIA_128_SHA:
342 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
343 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
344 break;
345
346 case SSL_RSA_CAMELLIA_256_SHA:
347 case SSL_EDH_RSA_CAMELLIA_256_SHA:
348 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
349 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
350 break;
351#endif
352
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]354 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355 }
356
357 memset( keyblk, 0, sizeof( keyblk ) );
358
359 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
360
361 return( 0 );
362}
363
364void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
365{
366 md5_context md5;
367 sha1_context sha1;
368 unsigned char pad_1[48];
369 unsigned char pad_2[48];
370
371 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
372
373 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
374 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
375
376 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
377 {
378 memset( pad_1, 0x36, 48 );
379 memset( pad_2, 0x5C, 48 );
380
381 md5_update( &md5, ssl->session->master, 48 );
382 md5_update( &md5, pad_1, 48 );
383 md5_finish( &md5, hash );
384
385 md5_starts( &md5 );
386 md5_update( &md5, ssl->session->master, 48 );
387 md5_update( &md5, pad_2, 48 );
388 md5_update( &md5, hash, 16 );
389 md5_finish( &md5, hash );
390
391 sha1_update( &sha1, ssl->session->master, 48 );
392 sha1_update( &sha1, pad_1, 40 );
393 sha1_finish( &sha1, hash + 16 );
394
395 sha1_starts( &sha1 );
396 sha1_update( &sha1, ssl->session->master, 48 );
397 sha1_update( &sha1, pad_2, 40 );
398 sha1_update( &sha1, hash + 16, 20 );
399 sha1_finish( &sha1, hash + 16 );
400 }
401 else /* TLSv1 */
402 {
403 md5_finish( &md5, hash );
404 sha1_finish( &sha1, hash + 16 );
405 }
406
407 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
408 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
409
410 return;
411}
412
413/*
414 * SSLv3.0 MAC functions
415 */
416static void ssl_mac_md5( unsigned char *secret,
417 unsigned char *buf, int len,
418 unsigned char *ctr, int type )
419{
420 unsigned char header[11];
421 unsigned char padding[48];
422 md5_context md5;
423
424 memcpy( header, ctr, 8 );
425 header[ 8] = (unsigned char) type;
426 header[ 9] = (unsigned char)( len >> 8 );
427 header[10] = (unsigned char)( len );
428
429 memset( padding, 0x36, 48 );
430 md5_starts( &md5 );
431 md5_update( &md5, secret, 16 );
432 md5_update( &md5, padding, 48 );
433 md5_update( &md5, header, 11 );
434 md5_update( &md5, buf, len );
435 md5_finish( &md5, buf + len );
436
437 memset( padding, 0x5C, 48 );
438 md5_starts( &md5 );
439 md5_update( &md5, secret, 16 );
440 md5_update( &md5, padding, 48 );
441 md5_update( &md5, buf + len, 16 );
442 md5_finish( &md5, buf + len );
443}
444
445static void ssl_mac_sha1( unsigned char *secret,
446 unsigned char *buf, int len,
447 unsigned char *ctr, int type )
448{
449 unsigned char header[11];
450 unsigned char padding[40];
451 sha1_context sha1;
452
453 memcpy( header, ctr, 8 );
454 header[ 8] = (unsigned char) type;
455 header[ 9] = (unsigned char)( len >> 8 );
456 header[10] = (unsigned char)( len );
457
458 memset( padding, 0x36, 40 );
459 sha1_starts( &sha1 );
460 sha1_update( &sha1, secret, 20 );
461 sha1_update( &sha1, padding, 40 );
462 sha1_update( &sha1, header, 11 );
463 sha1_update( &sha1, buf, len );
464 sha1_finish( &sha1, buf + len );
465
466 memset( padding, 0x5C, 40 );
467 sha1_starts( &sha1 );
468 sha1_update( &sha1, secret, 20 );
469 sha1_update( &sha1, padding, 40 );
470 sha1_update( &sha1, buf + len, 20 );
471 sha1_finish( &sha1, buf + len );
472}
473
474/*
475 * Encryption/decryption functions
476 */
477static int ssl_encrypt_buf( ssl_context *ssl )
478{
479 int i, padlen;
480
481 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
482
483 /*
484 * Add MAC then encrypt
485 */
486 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
487 {
488 if( ssl->maclen == 16 )
489 ssl_mac_md5( ssl->mac_enc,
490 ssl->out_msg, ssl->out_msglen,
491 ssl->out_ctr, ssl->out_msgtype );
492
493 if( ssl->maclen == 20 )
494 ssl_mac_sha1( ssl->mac_enc,
495 ssl->out_msg, ssl->out_msglen,
496 ssl->out_ctr, ssl->out_msgtype );
497 }
498 else
499 {
500 if( ssl->maclen == 16 )
501 md5_hmac( ssl->mac_enc, 16,
502 ssl->out_ctr, ssl->out_msglen + 13,
503 ssl->out_msg + ssl->out_msglen );
504
505 if( ssl->maclen == 20 )
506 sha1_hmac( ssl->mac_enc, 20,
507 ssl->out_ctr, ssl->out_msglen + 13,
508 ssl->out_msg + ssl->out_msglen );
509 }
510
511 SSL_DEBUG_BUF( 4, "computed mac",
512 ssl->out_msg + ssl->out_msglen, ssl->maclen );
513
514 ssl->out_msglen += ssl->maclen;
515
516 for( i = 7; i >= 0; i-- )
517 if( ++ssl->out_ctr[i] != 0 )
518 break;
519
520 if( ssl->ivlen == 0 )
521 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]522#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523 padlen = 0;
524
525 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
526 "including %d bytes of padding",
527 ssl->out_msglen, 0 ) );
528
529 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
530 ssl->out_msg, ssl->out_msglen );
531
532 arc4_crypt( (arc4_context *) ssl->ctx_enc,
533 ssl->out_msg, ssl->out_msglen );
534#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]535 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]536#endif
537 }
538 else
539 {
540 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
541 if( padlen == ssl->ivlen )
542 padlen = 0;
543
544 for( i = 0; i <= padlen; i++ )
545 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
546
547 ssl->out_msglen += padlen + 1;
548
549 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
550 "including %d bytes of padding",
551 ssl->out_msglen, padlen + 1 ) );
552
553 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
554 ssl->out_msg, ssl->out_msglen );
555
556 switch( ssl->ivlen )
557 {
558 case 8:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]559#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
561 DES_ENCRYPT, ssl->out_msglen,
562 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
563 break;
564#endif
565
566 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]567#if defined(POLARSSL_AES_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]568 if ( ssl->session->cipher == SSL_RSA_AES_128_SHA ||
569 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
570 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA)
571 {
572 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
573 AES_ENCRYPT, ssl->out_msglen,
574 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
575 break;
576 }
577#endif
578
579#if defined(POLARSSL_CAMELLIA_C)
580 if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
581 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
582 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
583 {
584 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
585 CAMELLIA_ENCRYPT, ssl->out_msglen,
586 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
587 break;
588 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589#endif
590
591 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]592 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]593 }
594 }
595
596 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
597
598 return( 0 );
599}
600
601static int ssl_decrypt_buf( ssl_context *ssl )
602{
603 int i, padlen;
604 unsigned char tmp[20];
605
606 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
607
608 if( ssl->in_msglen < ssl->minlen )
609 {
610 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
611 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]612 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 }
614
615 if( ssl->ivlen == 0 )
616 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]617#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618 padlen = 0;
619 arc4_crypt( (arc4_context *) ssl->ctx_dec,
620 ssl->in_msg, ssl->in_msglen );
621#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]622 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623#endif
624 }
625 else
626 {
627 /*
628 * Decrypt and check the padding
629 */
630 if( ssl->in_msglen % ssl->ivlen != 0 )
631 {
632 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
633 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]634 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]635 }
636
637 switch( ssl->ivlen )
638 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]639#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640 case 8:
641 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
642 DES_DECRYPT, ssl->in_msglen,
643 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
644 break;
645#endif
646
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]648#if defined(POLARSSL_AES_C)
649 if ( ssl->session->cipher == SSL_RSA_AES_128_SHA ||
650 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
651 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA)
652 {
653 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
654 AES_DECRYPT, ssl->in_msglen,
655 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
656 break;
657 }
658#endif
659
660#if defined(POLARSSL_CAMELLIA_C)
661 if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
662 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
663 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
664 {
665 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
666 CAMELLIA_DECRYPT, ssl->in_msglen,
667 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
668 break;
669 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]670#endif
671
672 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]673 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674 }
675
676 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
677
678 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
679 {
680 if( padlen > ssl->ivlen )
681 {
682 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
683 "should be no more than %d",
684 padlen, ssl->ivlen ) );
685 padlen = 0;
686 }
687 }
688 else
689 {
690 /*
691 * TLSv1: always check the padding
692 */
693 for( i = 1; i <= padlen; i++ )
694 {
695 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
696 {
697 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
698 "%02x, but is %02x", padlen - 1,
699 ssl->in_msg[ssl->in_msglen - i] ) );
700 padlen = 0;
701 }
702 }
703 }
704 }
705
706 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
707 ssl->in_msg, ssl->in_msglen );
708
709 /*
710 * Always compute the MAC (RFC4346, CBCTIME).
711 */
712 ssl->in_msglen -= ( ssl->maclen + padlen );
713
714 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
715 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
716
717 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
718
719 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
720 {
721 if( ssl->maclen == 16 )
722 ssl_mac_md5( ssl->mac_dec,
723 ssl->in_msg, ssl->in_msglen,
724 ssl->in_ctr, ssl->in_msgtype );
725 else
726 ssl_mac_sha1( ssl->mac_dec,
727 ssl->in_msg, ssl->in_msglen,
728 ssl->in_ctr, ssl->in_msgtype );
729 }
730 else
731 {
732 if( ssl->maclen == 16 )
733 md5_hmac( ssl->mac_dec, 16,
734 ssl->in_ctr, ssl->in_msglen + 13,
735 ssl->in_msg + ssl->in_msglen );
736 else
737 sha1_hmac( ssl->mac_dec, 20,
738 ssl->in_ctr, ssl->in_msglen + 13,
739 ssl->in_msg + ssl->in_msglen );
740 }
741
742 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
743 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
744 ssl->maclen );
745
746 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
747 ssl->maclen ) != 0 )
748 {
749 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]750 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]751 }
752
753 /*
754 * Finally check the padding length; bad padding
755 * will produce the same error as an invalid MAC.
756 */
757 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]758 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]759
760 if( ssl->in_msglen == 0 )
761 {
762 ssl->nb_zero++;
763
764 /*
765 * Three or more empty messages may be a DoS attack
766 * (excessive CPU consumption).
767 */
768 if( ssl->nb_zero > 3 )
769 {
770 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
771 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]772 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 }
774 }
775 else
776 ssl->nb_zero = 0;
777
778 for( i = 7; i >= 0; i-- )
779 if( ++ssl->in_ctr[i] != 0 )
780 break;
781
782 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
783
784 return( 0 );
785}
786
787/*
788 * Fill the input message buffer
789 */
790int ssl_fetch_input( ssl_context *ssl, int nb_want )
791{
792 int ret, len;
793
794 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
795
796 while( ssl->in_left < nb_want )
797 {
798 len = nb_want - ssl->in_left;
799 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
800
801 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
802 ssl->in_left, nb_want ) );
803 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
804
805 if( ret < 0 )
806 return( ret );
807
808 ssl->in_left += ret;
809 }
810
811 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
812
813 return( 0 );
814}
815
816/*
817 * Flush any data not yet written
818 */
819int ssl_flush_output( ssl_context *ssl )
820{
821 int ret;
822 unsigned char *buf;
823
824 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
825
826 while( ssl->out_left > 0 )
827 {
828 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
829 5 + ssl->out_msglen, ssl->out_left ) );
830
831 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
832 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
833 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
834
835 if( ret <= 0 )
836 return( ret );
837
838 ssl->out_left -= ret;
839 }
840
841 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
842
843 return( 0 );
844}
845
846/*
847 * Record layer functions
848 */
849int ssl_write_record( ssl_context *ssl )
850{
851 int ret, len = ssl->out_msglen;
852
853 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
854
855 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
856 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
857 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
858 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
859 ssl->out_hdr[4] = (unsigned char)( len );
860
861 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
862 {
863 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
864 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
865 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
866
867 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
868 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
869 }
870
871 if( ssl->do_crypt != 0 )
872 {
873 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
874 {
875 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
876 return( ret );
877 }
878
879 len = ssl->out_msglen;
880 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
881 ssl->out_hdr[4] = (unsigned char)( len );
882 }
883
884 ssl->out_left = 5 + ssl->out_msglen;
885
886 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
887 "version = [%d:%d], msglen = %d",
888 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
889 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
890
891 SSL_DEBUG_BUF( 4, "output record sent to network",
892 ssl->out_hdr, 5 + ssl->out_msglen );
893
894 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
895 {
896 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
897 return( ret );
898 }
899
900 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
901
902 return( 0 );
903}
904
905int ssl_read_record( ssl_context *ssl )
906{
907 int ret;
908
909 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
910
911 if( ssl->in_hslen != 0 &&
912 ssl->in_hslen < ssl->in_msglen )
913 {
914 /*
915 * Get next Handshake message in the current record
916 */
917 ssl->in_msglen -= ssl->in_hslen;
918
919 memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
920 ssl->in_msglen );
921
922 ssl->in_hslen = 4;
923 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
924
925 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
926 " %d, type = %d, hslen = %d",
927 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
928
929 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
930 {
931 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]932 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]933 }
934
935 if( ssl->in_msglen < ssl->in_hslen )
936 {
937 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]938 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]939 }
940
941 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
942 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
943
944 return( 0 );
945 }
946
947 ssl->in_hslen = 0;
948
949 /*
950 * Read the record header and validate it
951 */
952 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
953 {
954 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
955 return( ret );
956 }
957
958 ssl->in_msgtype = ssl->in_hdr[0];
959 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
960
961 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
962 "version = [%d:%d], msglen = %d",
963 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
964 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
965
966 if( ssl->in_hdr[1] != ssl->major_ver )
967 {
968 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]969 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]970 }
971
972 if( ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
973 ssl->in_hdr[2] != SSL_MINOR_VERSION_1 )
974 {
975 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]976 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]977 }
978
979 /*
980 * Make sure the message length is acceptable
981 */
982 if( ssl->do_crypt == 0 )
983 {
984 if( ssl->in_msglen < 1 ||
985 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
986 {
987 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]988 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]989 }
990 }
991 else
992 {
993 if( ssl->in_msglen < ssl->minlen )
994 {
995 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]996 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]997 }
998
999 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1000 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1001 {
1002 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1003 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1004 }
1005
1006 /*
1007 * TLS encrypted messages can have up to 256 bytes of padding
1008 */
1009 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
1010 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1011 {
1012 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1013 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014 }
1015 }
1016
1017 /*
1018 * Read and optionally decrypt the message contents
1019 */
1020 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1021 {
1022 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1023 return( ret );
1024 }
1025
1026 SSL_DEBUG_BUF( 4, "input record from network",
1027 ssl->in_hdr, 5 + ssl->in_msglen );
1028
1029 if( ssl->do_crypt != 0 )
1030 {
1031 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1032 {
1033 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1034 return( ret );
1035 }
1036
1037 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1038 ssl->in_msg, ssl->in_msglen );
1039
1040 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1041 {
1042 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1043 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044 }
1045 }
1046
1047 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1048 {
1049 ssl->in_hslen = 4;
1050 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1051
1052 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1053 " %d, type = %d, hslen = %d",
1054 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1055
1056 /*
1057 * Additional checks to validate the handshake header
1058 */
1059 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1060 {
1061 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1062 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 }
1064
1065 if( ssl->in_msglen < ssl->in_hslen )
1066 {
1067 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1068 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069 }
1070
1071 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1072 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1073 }
1074
1075 if( ssl->in_msgtype == SSL_MSG_ALERT )
1076 {
1077 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1078 ssl->in_msg[0], ssl->in_msg[1] ) );
1079
1080 /*
1081 * Ignore non-fatal alerts, except close_notify
1082 */
1083 if( ssl->in_msg[0] == SSL_ALERT_FATAL )
1084 {
1085 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1086 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE | ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1087 }
1088
1089 if( ssl->in_msg[0] == SSL_ALERT_WARNING &&
1090 ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY )
1091 {
1092 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1093 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1094 }
1095 }
1096
1097 ssl->in_left = 0;
1098
1099 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1100
1101 return( 0 );
1102}
1103
1104/*
1105 * Handshake functions
1106 */
1107int ssl_write_certificate( ssl_context *ssl )
1108{
1109 int ret, i, n;
1110 x509_cert *crt;
1111
1112 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1113
1114 if( ssl->endpoint == SSL_IS_CLIENT )
1115 {
1116 if( ssl->client_auth == 0 )
1117 {
1118 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1119 ssl->state++;
1120 return( 0 );
1121 }
1122
1123 /*
1124 * If using SSLv3 and got no cert, send an Alert message
1125 * (otherwise an empty Certificate message will be sent).
1126 */
1127 if( ssl->own_cert == NULL &&
1128 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1129 {
1130 ssl->out_msglen = 2;
1131 ssl->out_msgtype = SSL_MSG_ALERT;
1132 ssl->out_msg[0] = SSL_ALERT_WARNING;
1133 ssl->out_msg[1] = SSL_ALERT_NO_CERTIFICATE;
1134
1135 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1136 goto write_msg;
1137 }
1138 }
1139 else /* SSL_IS_SERVER */
1140 {
1141 if( ssl->own_cert == NULL )
1142 {
1143 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1144 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145 }
1146 }
1147
1148 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1149
1150 /*
1151 * 0 . 0 handshake type
1152 * 1 . 3 handshake length
1153 * 4 . 6 length of all certs
1154 * 7 . 9 length of cert. 1
1155 * 10 . n-1 peer certificate
1156 * n . n+2 length of cert. 2
1157 * n+3 . ... upper level cert, etc.
1158 */
1159 i = 7;
1160 crt = ssl->own_cert;
1161
1162 while( crt != NULL && crt->next != NULL )
1163 {
1164 n = crt->raw.len;
1165 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1166 {
1167 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1168 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1169 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1170 }
1171
1172 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1173 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1174 ssl->out_msg[i + 2] = (unsigned char)( n );
1175
1176 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1177 i += n; crt = crt->next;
1178 }
1179
1180 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1181 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1182 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1183
1184 ssl->out_msglen = i;
1185 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1186 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1187
1188write_msg:
1189
1190 ssl->state++;
1191
1192 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1193 {
1194 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1195 return( ret );
1196 }
1197
1198 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1199
1200 return( 0 );
1201}
1202
1203int ssl_parse_certificate( ssl_context *ssl )
1204{
1205 int ret, i, n;
1206
1207 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1208
1209 if( ssl->endpoint == SSL_IS_SERVER &&
1210 ssl->authmode == SSL_VERIFY_NONE )
1211 {
1212 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1213 ssl->state++;
1214 return( 0 );
1215 }
1216
1217 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1218 {
1219 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1220 return( ret );
1221 }
1222
1223 ssl->state++;
1224
1225 /*
1226 * Check if the client sent an empty certificate
1227 */
1228 if( ssl->endpoint == SSL_IS_SERVER &&
1229 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1230 {
1231 if( ssl->in_msglen == 2 &&
1232 ssl->in_msgtype == SSL_MSG_ALERT &&
1233 ssl->in_msg[0] == SSL_ALERT_WARNING &&
1234 ssl->in_msg[1] == SSL_ALERT_NO_CERTIFICATE )
1235 {
1236 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1237
1238 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1239 return( 0 );
1240 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1241 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1242 }
1243 }
1244
1245 if( ssl->endpoint == SSL_IS_SERVER &&
1246 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1247 {
1248 if( ssl->in_hslen == 7 &&
1249 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1250 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1251 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1252 {
1253 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1254
1255 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1256 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1257 else
1258 return( 0 );
1259 }
1260 }
1261
1262 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1263 {
1264 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1265 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1266 }
1267
1268 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1269 {
1270 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1271 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272 }
1273
1274 /*
1275 * Same message structure as in ssl_write_certificate()
1276 */
1277 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1278
1279 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1280 {
1281 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1282 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1283 }
1284
1285 if( ( ssl->peer_cert = (x509_cert *) malloc(
1286 sizeof( x509_cert ) ) ) == NULL )
1287 {
1288 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1289 sizeof( x509_cert ) ) );
1290 return( 1 );
1291 }
1292
1293 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1294
1295 i = 7;
1296
1297 while( i < ssl->in_hslen )
1298 {
1299 if( ssl->in_msg[i] != 0 )
1300 {
1301 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1302 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303 }
1304
1305 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1306 | (unsigned int) ssl->in_msg[i + 2];
1307 i += 3;
1308
1309 if( n < 128 || i + n > ssl->in_hslen )
1310 {
1311 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1312 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313 }
1314
1315 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
1316 if( ret != 0 )
1317 {
1318 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1319 return( ret );
1320 }
1321
1322 i += n;
1323 }
1324
1325 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1326
1327 if( ssl->authmode != SSL_VERIFY_NONE )
1328 {
1329 if( ssl->ca_chain == NULL )
1330 {
1331 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1332 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 }
1334
1335 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain,
1336 ssl->peer_cn, &ssl->verify_result );
1337
1338 if( ret != 0 )
1339 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1340
1341 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1342 ret = 0;
1343 }
1344
1345 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1346
1347 return( ret );
1348}
1349
1350int ssl_write_change_cipher_spec( ssl_context *ssl )
1351{
1352 int ret;
1353
1354 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1355
1356 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1357 ssl->out_msglen = 1;
1358 ssl->out_msg[0] = 1;
1359
1360 ssl->do_crypt = 0;
1361 ssl->state++;
1362
1363 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1364 {
1365 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1366 return( ret );
1367 }
1368
1369 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1370
1371 return( 0 );
1372}
1373
1374int ssl_parse_change_cipher_spec( ssl_context *ssl )
1375{
1376 int ret;
1377
1378 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1379
1380 ssl->do_crypt = 0;
1381
1382 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1383 {
1384 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1385 return( ret );
1386 }
1387
1388 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1389 {
1390 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1391 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392 }
1393
1394 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1395 {
1396 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1397 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1398 }
1399
1400 ssl->state++;
1401
1402 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1403
1404 return( 0 );
1405}
1406
1407static void ssl_calc_finished(
1408 ssl_context *ssl, unsigned char *buf, int from,
1409 md5_context *md5, sha1_context *sha1 )
1410{
1411 int len = 12;
1412 char *sender;
1413 unsigned char padbuf[48];
1414 unsigned char md5sum[16];
1415 unsigned char sha1sum[20];
1416
1417 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1418
1419 /*
1420 * SSLv3:
1421 * hash =
1422 * MD5( master + pad2 +
1423 * MD5( handshake + sender + master + pad1 ) )
1424 * + SHA1( master + pad2 +
1425 * SHA1( handshake + sender + master + pad1 ) )
1426 *
1427 * TLSv1:
1428 * hash = PRF( master, finished_label,
1429 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1430 */
1431
1432 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1433 md5->state, sizeof( md5->state ) );
1434
1435 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1436 sha1->state, sizeof( sha1->state ) );
1437
1438 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1439 {
1440 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1441 : (char *) "SRVR";
1442
1443 memset( padbuf, 0x36, 48 );
1444
1445 md5_update( md5, (unsigned char *) sender, 4 );
1446 md5_update( md5, ssl->session->master, 48 );
1447 md5_update( md5, padbuf, 48 );
1448 md5_finish( md5, md5sum );
1449
1450 sha1_update( sha1, (unsigned char *) sender, 4 );
1451 sha1_update( sha1, ssl->session->master, 48 );
1452 sha1_update( sha1, padbuf, 40 );
1453 sha1_finish( sha1, sha1sum );
1454
1455 memset( padbuf, 0x5C, 48 );
1456
1457 md5_starts( md5 );
1458 md5_update( md5, ssl->session->master, 48 );
1459 md5_update( md5, padbuf, 48 );
1460 md5_update( md5, md5sum, 16 );
1461 md5_finish( md5, buf );
1462
1463 sha1_starts( sha1 );
1464 sha1_update( sha1, ssl->session->master, 48 );
1465 sha1_update( sha1, padbuf , 40 );
1466 sha1_update( sha1, sha1sum, 20 );
1467 sha1_finish( sha1, buf + 16 );
1468
1469 len += 24;
1470 }
1471 else
1472 {
1473 sender = ( from == SSL_IS_CLIENT )
1474 ? (char *) "client finished"
1475 : (char *) "server finished";
1476
1477 md5_finish( md5, padbuf );
1478 sha1_finish( sha1, padbuf + 16 );
1479
1480 tls1_prf( ssl->session->master, 48, sender,
1481 padbuf, 36, buf, len );
1482 }
1483
1484 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1485
1486 memset( md5, 0, sizeof( md5_context ) );
1487 memset( sha1, 0, sizeof( sha1_context ) );
1488
1489 memset( padbuf, 0, sizeof( padbuf ) );
1490 memset( md5sum, 0, sizeof( md5sum ) );
1491 memset( sha1sum, 0, sizeof( sha1sum ) );
1492
1493 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1494}
1495
1496int ssl_write_finished( ssl_context *ssl )
1497{
1498 int ret, hash_len;
1499 md5_context md5;
1500 sha1_context sha1;
1501
1502 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1503
1504 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1505 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1506
1507 ssl_calc_finished( ssl, ssl->out_msg + 4,
1508 ssl->endpoint, &md5, &sha1 );
1509
1510 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1511
1512 ssl->out_msglen = 4 + hash_len;
1513 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1514 ssl->out_msg[0] = SSL_HS_FINISHED;
1515
1516 /*
1517 * In case of session resuming, invert the client and server
1518 * ChangeCipherSpec messages order.
1519 */
1520 if( ssl->resume != 0 )
1521 {
1522 if( ssl->endpoint == SSL_IS_CLIENT )
1523 ssl->state = SSL_HANDSHAKE_OVER;
1524 else
1525 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1526 }
1527 else
1528 ssl->state++;
1529
1530 ssl->do_crypt = 1;
1531
1532 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1533 {
1534 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1535 return( ret );
1536 }
1537
1538 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1539
1540 return( 0 );
1541}
1542
1543int ssl_parse_finished( ssl_context *ssl )
1544{
1545 int ret, hash_len;
1546 md5_context md5;
1547 sha1_context sha1;
1548 unsigned char buf[36];
1549
1550 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1551
1552 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1553 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1554
1555 ssl->do_crypt = 1;
1556
1557 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1558 {
1559 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1560 return( ret );
1561 }
1562
1563 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1564 {
1565 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1566 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1567 }
1568
1569 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1570
1571 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1572 ssl->in_hslen != 4 + hash_len )
1573 {
1574 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1575 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1576 }
1577
1578 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1579
1580 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1581 {
1582 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1583 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1584 }
1585
1586 if( ssl->resume != 0 )
1587 {
1588 if( ssl->endpoint == SSL_IS_CLIENT )
1589 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1590
1591 if( ssl->endpoint == SSL_IS_SERVER )
1592 ssl->state = SSL_HANDSHAKE_OVER;
1593 }
1594 else
1595 ssl->state++;
1596
1597 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1598
1599 return( 0 );
1600}
1601
1602/*
1603 * Initialize an SSL context
1604 */
1605int ssl_init( ssl_context *ssl )
1606{
1607 int len = SSL_BUFFER_LEN;
1608
1609 memset( ssl, 0, sizeof( ssl_context ) );
1610
1611 ssl->in_ctr = (unsigned char *) malloc( len );
1612 ssl->in_hdr = ssl->in_ctr + 8;
1613 ssl->in_msg = ssl->in_ctr + 13;
1614
1615 if( ssl->in_ctr == NULL )
1616 {
1617 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1618 return( 1 );
1619 }
1620
1621 ssl->out_ctr = (unsigned char *) malloc( len );
1622 ssl->out_hdr = ssl->out_ctr + 8;
1623 ssl->out_msg = ssl->out_ctr + 13;
1624
1625 if( ssl->out_ctr == NULL )
1626 {
1627 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1628 free( ssl-> in_ctr );
1629 return( 1 );
1630 }
1631
1632 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1633 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1634
1635 ssl->hostname = NULL;
1636 ssl->hostname_len = 0;
1637
1638 md5_starts( &ssl->fin_md5 );
1639 sha1_starts( &ssl->fin_sha1 );
1640
1641 return( 0 );
1642}
1643
1644/*
1645 * SSL set accessors
1646 */
1647void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1648{
1649 ssl->endpoint = endpoint;
1650}
1651
1652void ssl_set_authmode( ssl_context *ssl, int authmode )
1653{
1654 ssl->authmode = authmode;
1655}
1656
1657void ssl_set_rng( ssl_context *ssl,
1658 int (*f_rng)(void *),
1659 void *p_rng )
1660{
1661 ssl->f_rng = f_rng;
1662 ssl->p_rng = p_rng;
1663}
1664
1665void ssl_set_dbg( ssl_context *ssl,
1666 void (*f_dbg)(void *, int, char *),
1667 void *p_dbg )
1668{
1669 ssl->f_dbg = f_dbg;
1670 ssl->p_dbg = p_dbg;
1671}
1672
1673void ssl_set_bio( ssl_context *ssl,
1674 int (*f_recv)(void *, unsigned char *, int), void *p_recv,
1675 int (*f_send)(void *, unsigned char *, int), void *p_send )
1676{
1677 ssl->f_recv = f_recv;
1678 ssl->f_send = f_send;
1679 ssl->p_recv = p_recv;
1680 ssl->p_send = p_send;
1681}
1682
1683void ssl_set_scb( ssl_context *ssl,
1684 int (*s_get)(ssl_context *),
1685 int (*s_set)(ssl_context *) )
1686{
1687 ssl->s_get = s_get;
1688 ssl->s_set = s_set;
1689}
1690
1691void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1692 ssl_session *session )
1693{
1694 ssl->resume = resume;
1695 ssl->timeout = timeout;
1696 ssl->session = session;
1697}
1698
1699void ssl_set_ciphers( ssl_context *ssl, int *ciphers )
1700{
1701 ssl->ciphers = ciphers;
1702}
1703
1704void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
1705 char *peer_cn )
1706{
1707 ssl->ca_chain = ca_chain;
1708 ssl->peer_cn = peer_cn;
1709}
1710
1711void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1712 rsa_context *rsa_key )
1713{
1714 ssl->own_cert = own_cert;
1715 ssl->rsa_key = rsa_key;
1716}
1717
1718int ssl_set_dh_param( ssl_context *ssl, char *dhm_P, char *dhm_G )
1719{
1720 int ret;
1721
1722 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1723 {
1724 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1725 return( ret );
1726 }
1727
1728 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1729 {
1730 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1731 return( ret );
1732 }
1733
1734 return( 0 );
1735}
1736
1737int ssl_set_hostname( ssl_context *ssl, char *hostname )
1738{
1739 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1740 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1741
1742 ssl->hostname_len = strlen( hostname );
1743 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len );
1744
1745 memcpy( ssl->hostname, (unsigned char *) hostname,
1746 ssl->hostname_len );
1747
1748 return( 0 );
1749}
1750
1751/*
1752 * SSL get accessors
1753 */
1754int ssl_get_bytes_avail( ssl_context *ssl )
1755{
1756 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
1757}
1758
1759int ssl_get_verify_result( ssl_context *ssl )
1760{
1761 return( ssl->verify_result );
1762}
1763
1764char *ssl_get_cipher( ssl_context *ssl )
1765{
1766 switch( ssl->session->cipher )
1767 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1768#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1769 case SSL_RSA_RC4_128_MD5:
1770 return( "SSL_RSA_RC4_128_MD5" );
1771
1772 case SSL_RSA_RC4_128_SHA:
1773 return( "SSL_RSA_RC4_128_SHA" );
1774#endif
1775
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1776#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1777 case SSL_RSA_DES_168_SHA:
1778 return( "SSL_RSA_DES_168_SHA" );
1779
1780 case SSL_EDH_RSA_DES_168_SHA:
1781 return( "SSL_EDH_RSA_DES_168_SHA" );
1782#endif
1783
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1784#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1785 case SSL_RSA_AES_128_SHA:
1786 return( "SSL_RSA_AES_128_SHA" );
1787
1788 case SSL_RSA_AES_256_SHA:
1789 return( "SSL_RSA_AES_256_SHA" );
1790
1791 case SSL_EDH_RSA_AES_256_SHA:
1792 return( "SSL_EDH_RSA_AES_256_SHA" );
1793#endif
1794
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1795#if defined(POLARSSL_CAMELLIA_C)
1796 case SSL_RSA_CAMELLIA_128_SHA:
1797 return( "SSL_RSA_CAMELLIA_128_SHA" );
1798
1799 case SSL_RSA_CAMELLIA_256_SHA:
1800 return( "SSL_RSA_CAMELLIA_256_SHA" );
1801
1802 case SSL_EDH_RSA_CAMELLIA_256_SHA:
1803 return( "SSL_EDH_RSA_CAMELLIA_256_SHA" );
1804#endif
1805
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1806 default:
1807 break;
1808 }
1809
1810 return( "unknown" );
1811}
1812
1813int ssl_default_ciphers[] =
1814{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1815#if defined(POLARSSL_DHM_C)
1816#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817 SSL_EDH_RSA_AES_256_SHA,
1818#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1819#if defined(POLARSSL_CAMELLIA_C)
1820 SSL_EDH_RSA_CAMELLIA_256_SHA,
1821#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1822#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823 SSL_EDH_RSA_DES_168_SHA,
1824#endif
1825#endif
1826
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1827#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1828 SSL_RSA_AES_128_SHA,
1829 SSL_RSA_AES_256_SHA,
1830#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1831#if defined(POLARSSL_CAMELLIA_C)
1832 SSL_RSA_CAMELLIA_128_SHA,
1833 SSL_RSA_CAMELLIA_256_SHA,
1834#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1835#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836 SSL_RSA_DES_168_SHA,
1837#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1838#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839 SSL_RSA_RC4_128_SHA,
1840 SSL_RSA_RC4_128_MD5,
1841#endif
1842 0
1843};
1844
1845/*
1846 * Perform the SSL handshake
1847 */
1848int ssl_handshake( ssl_context *ssl )
1849{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1850 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851
1852 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
1853
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1854#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855 if( ssl->endpoint == SSL_IS_CLIENT )
1856 ret = ssl_handshake_client( ssl );
1857#endif
1858
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1859#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860 if( ssl->endpoint == SSL_IS_SERVER )
1861 ret = ssl_handshake_server( ssl );
1862#endif
1863
1864 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
1865
1866 return( ret );
1867}
1868
1869/*
1870 * Receive application data decrypted from the SSL layer
1871 */
1872int ssl_read( ssl_context *ssl, unsigned char *buf, int len )
1873{
1874 int ret, n;
1875
1876 SSL_DEBUG_MSG( 2, ( "=> read" ) );
1877
1878 if( ssl->state != SSL_HANDSHAKE_OVER )
1879 {
1880 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1881 {
1882 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1883 return( ret );
1884 }
1885 }
1886
1887 if( ssl->in_offt == NULL )
1888 {
1889 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1890 {
1891 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1892 return( ret );
1893 }
1894
1895 if( ssl->in_msglen == 0 &&
1896 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
1897 {
1898 /*
1899 * OpenSSL sends empty messages to randomize the IV
1900 */
1901 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1902 {
1903 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1904 return( ret );
1905 }
1906 }
1907
1908 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1909 {
1910 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1911 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912 }
1913
1914 ssl->in_offt = ssl->in_msg;
1915 }
1916
1917 n = ( len < ssl->in_msglen )
1918 ? len : ssl->in_msglen;
1919
1920 memcpy( buf, ssl->in_offt, n );
1921 ssl->in_msglen -= n;
1922
1923 if( ssl->in_msglen == 0 )
1924 /* all bytes consumed */
1925 ssl->in_offt = NULL;
1926 else
1927 /* more data available */
1928 ssl->in_offt += n;
1929
1930 SSL_DEBUG_MSG( 2, ( "<= read" ) );
1931
1932 return( n );
1933}
1934
1935/*
1936 * Send application data to be encrypted by the SSL layer
1937 */
1938int ssl_write( ssl_context *ssl, unsigned char *buf, int len )
1939{
1940 int ret, n;
1941
1942 SSL_DEBUG_MSG( 2, ( "=> write" ) );
1943
1944 if( ssl->state != SSL_HANDSHAKE_OVER )
1945 {
1946 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1947 {
1948 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1949 return( ret );
1950 }
1951 }
1952
1953 n = ( len < SSL_MAX_CONTENT_LEN )
1954 ? len : SSL_MAX_CONTENT_LEN;
1955
1956 if( ssl->out_left != 0 )
1957 {
1958 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1959 {
1960 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1961 return( ret );
1962 }
1963 }
1964 else
1965 {
1966 ssl->out_msglen = n;
1967 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
1968 memcpy( ssl->out_msg, buf, n );
1969
1970 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1971 {
1972 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1973 return( ret );
1974 }
1975 }
1976
1977 SSL_DEBUG_MSG( 2, ( "<= write" ) );
1978
1979 return( n );
1980}
1981
1982/*
1983 * Notify the peer that the connection is being closed
1984 */
1985int ssl_close_notify( ssl_context *ssl )
1986{
1987 int ret;
1988
1989 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
1990
1991 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1992 {
1993 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1994 return( ret );
1995 }
1996
1997 if( ssl->state == SSL_HANDSHAKE_OVER )
1998 {
1999 ssl->out_msgtype = SSL_MSG_ALERT;
2000 ssl->out_msglen = 2;
2001 ssl->out_msg[0] = SSL_ALERT_WARNING;
2002 ssl->out_msg[1] = SSL_ALERT_CLOSE_NOTIFY;
2003
2004 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2005 {
2006 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2007 return( ret );
2008 }
2009 }
2010
2011 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2012
2013 return( ret );
2014}
2015
2016/*
2017 * Free an SSL context
2018 */
2019void ssl_free( ssl_context *ssl )
2020{
2021 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2022
2023 if( ssl->peer_cert != NULL )
2024 {
2025 x509_free( ssl->peer_cert );
2026 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2027 free( ssl->peer_cert );
2028 }
2029
2030 if( ssl->out_ctr != NULL )
2031 {
2032 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2033 free( ssl->out_ctr );
2034 }
2035
2036 if( ssl->in_ctr != NULL )
2037 {
2038 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2039 free( ssl->in_ctr );
2040 }
2041
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2042#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2043 dhm_free( &ssl->dhm_ctx );
2044#endif
2045
2046 if ( ssl->hostname != NULL)
2047 {
2048 memset( ssl->hostname, 0, ssl->hostname_len );
2049 free( ssl->hostname );
2050 ssl->hostname_len = 0;
2051 }
2052
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2053 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2054
2055 /* Actually free after last debug message */
2056 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057}
2058
2059#endif