TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/archive/polarssl-1.1 / . / library / ssl_tls.c
blob: b3b82b075504d005db184eec07c1f1b335ebd607 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/aes.h"
39#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]40#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/des.h"
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45#include <stdlib.h>
46#include <time.h>
47
Paul Bakkeraf5c85f2011-04-18 03:47:52 +0000[diff] [blame]48#if defined _MSC_VER && !defined strcasecmp
49#define strcasecmp _stricmp
50#endif
51
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]52/*
53 * Key material generation
54 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]55static int tls1_prf( unsigned char *secret, size_t slen, char *label,
56 unsigned char *random, size_t rlen,
57 unsigned char *dstbuf, size_t dlen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]59 size_t nb, hs;
60 size_t i, j, k;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61 unsigned char *S1, *S2;
62 unsigned char tmp[128];
63 unsigned char h_i[20];
64
65 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]66 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67
68 hs = ( slen + 1 ) / 2;
69 S1 = secret;
70 S2 = secret + slen - hs;
71
72 nb = strlen( label );
73 memcpy( tmp + 20, label, nb );
74 memcpy( tmp + 20 + nb, random, rlen );
75 nb += rlen;
76
77 /*
78 * First compute P_md5(secret,label+random)[0..dlen]
79 */
80 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
81
82 for( i = 0; i < dlen; i += 16 )
83 {
84 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
85 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
86
87 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
88
89 for( j = 0; j < k; j++ )
90 dstbuf[i + j] = h_i[j];
91 }
92
93 /*
94 * XOR out with P_sha1(secret,label+random)[0..dlen]
95 */
96 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
97
98 for( i = 0; i < dlen; i += 20 )
99 {
100 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
101 sha1_hmac( S2, hs, tmp, 20, tmp );
102
103 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
104
105 for( j = 0; j < k; j++ )
106 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
107 }
108
109 memset( tmp, 0, sizeof( tmp ) );
110 memset( h_i, 0, sizeof( h_i ) );
111
112 return( 0 );
113}
114
115int ssl_derive_keys( ssl_context *ssl )
116{
117 int i;
118 md5_context md5;
119 sha1_context sha1;
120 unsigned char tmp[64];
121 unsigned char padding[16];
122 unsigned char sha1sum[20];
123 unsigned char keyblk[256];
124 unsigned char *key1;
125 unsigned char *key2;
126
127 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
128
129 /*
130 * SSLv3:
131 * master =
132 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
133 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
134 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
135 *
136 * TLSv1:
137 * master = PRF( premaster, "master secret", randbytes )[0..47]
138 */
139 if( ssl->resume == 0 )
140 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]141 size_t len = ssl->pmslen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]142
143 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
144
145 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
146 {
147 for( i = 0; i < 3; i++ )
148 {
149 memset( padding, 'A' + i, 1 + i );
150
151 sha1_starts( &sha1 );
152 sha1_update( &sha1, padding, 1 + i );
153 sha1_update( &sha1, ssl->premaster, len );
154 sha1_update( &sha1, ssl->randbytes, 64 );
155 sha1_finish( &sha1, sha1sum );
156
157 md5_starts( &md5 );
158 md5_update( &md5, ssl->premaster, len );
159 md5_update( &md5, sha1sum, 20 );
160 md5_finish( &md5, ssl->session->master + i * 16 );
161 }
162 }
163 else
164 tls1_prf( ssl->premaster, len, "master secret",
165 ssl->randbytes, 64, ssl->session->master, 48 );
166
167 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
168 }
169 else
170 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
171
172 /*
173 * Swap the client and server random values.
174 */
175 memcpy( tmp, ssl->randbytes, 64 );
176 memcpy( ssl->randbytes, tmp + 32, 32 );
177 memcpy( ssl->randbytes + 32, tmp, 32 );
178 memset( tmp, 0, sizeof( tmp ) );
179
180 /*
181 * SSLv3:
182 * key block =
183 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
184 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
185 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
186 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
187 * ...
188 *
189 * TLSv1:
190 * key block = PRF( master, "key expansion", randbytes )
191 */
192 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
193 {
194 for( i = 0; i < 16; i++ )
195 {
196 memset( padding, 'A' + i, 1 + i );
197
198 sha1_starts( &sha1 );
199 sha1_update( &sha1, padding, 1 + i );
200 sha1_update( &sha1, ssl->session->master, 48 );
201 sha1_update( &sha1, ssl->randbytes, 64 );
202 sha1_finish( &sha1, sha1sum );
203
204 md5_starts( &md5 );
205 md5_update( &md5, ssl->session->master, 48 );
206 md5_update( &md5, sha1sum, 20 );
207 md5_finish( &md5, keyblk + i * 16 );
208 }
209
210 memset( &md5, 0, sizeof( md5 ) );
211 memset( &sha1, 0, sizeof( sha1 ) );
212
213 memset( padding, 0, sizeof( padding ) );
214 memset( sha1sum, 0, sizeof( sha1sum ) );
215 }
216 else
217 tls1_prf( ssl->session->master, 48, "key expansion",
218 ssl->randbytes, 64, keyblk, 256 );
219
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]220 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]221 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
222 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
223 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
224
225 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
226
227 /*
228 * Determine the appropriate key, IV and MAC length.
229 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]230 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]231 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]232#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]233 case SSL_RSA_RC4_128_MD5:
234 ssl->keylen = 16; ssl->minlen = 16;
235 ssl->ivlen = 0; ssl->maclen = 16;
236 break;
237
238 case SSL_RSA_RC4_128_SHA:
239 ssl->keylen = 16; ssl->minlen = 20;
240 ssl->ivlen = 0; ssl->maclen = 20;
241 break;
242#endif
243
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]244#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]245 case SSL_RSA_DES_168_SHA:
246 case SSL_EDH_RSA_DES_168_SHA:
247 ssl->keylen = 24; ssl->minlen = 24;
248 ssl->ivlen = 8; ssl->maclen = 20;
249 break;
250#endif
251
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]252#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]253 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]254 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]255 ssl->keylen = 16; ssl->minlen = 32;
256 ssl->ivlen = 16; ssl->maclen = 20;
257 break;
258
259 case SSL_RSA_AES_256_SHA:
260 case SSL_EDH_RSA_AES_256_SHA:
261 ssl->keylen = 32; ssl->minlen = 32;
262 ssl->ivlen = 16; ssl->maclen = 20;
263 break;
264#endif
265
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]266#if defined(POLARSSL_CAMELLIA_C)
267 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]268 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]269 ssl->keylen = 16; ssl->minlen = 32;
270 ssl->ivlen = 16; ssl->maclen = 20;
271 break;
272
273 case SSL_RSA_CAMELLIA_256_SHA:
274 case SSL_EDH_RSA_CAMELLIA_256_SHA:
275 ssl->keylen = 32; ssl->minlen = 32;
276 ssl->ivlen = 16; ssl->maclen = 20;
277 break;
278#endif
279
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280 default:
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]281 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
282 ssl_get_ciphersuite( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]283 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]284 }
285
286 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
287 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
288
289 /*
290 * Finally setup the cipher contexts, IVs and MAC secrets.
291 */
292 if( ssl->endpoint == SSL_IS_CLIENT )
293 {
294 key1 = keyblk + ssl->maclen * 2;
295 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
296
297 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
298 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
299
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]300 /*
301 * This is not used in TLS v1.1.
302 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]303 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
304 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
305 ssl->ivlen );
306 }
307 else
308 {
309 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
310 key2 = keyblk + ssl->maclen * 2;
311
312 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
313 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
314
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]315 /*
316 * This is not used in TLS v1.1.
317 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
319 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
320 ssl->ivlen );
321 }
322
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]323 switch( ssl->session->ciphersuite )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]324 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]325#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326 case SSL_RSA_RC4_128_MD5:
327 case SSL_RSA_RC4_128_SHA:
328 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
329 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
330 break;
331#endif
332
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]333#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]334 case SSL_RSA_DES_168_SHA:
335 case SSL_EDH_RSA_DES_168_SHA:
336 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
337 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
338 break;
339#endif
340
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]341#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342 case SSL_RSA_AES_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]343 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]344 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
345 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
346 break;
347
348 case SSL_RSA_AES_256_SHA:
349 case SSL_EDH_RSA_AES_256_SHA:
350 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
351 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
352 break;
353#endif
354
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]355#if defined(POLARSSL_CAMELLIA_C)
356 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]357 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]358 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
359 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
360 break;
361
362 case SSL_RSA_CAMELLIA_256_SHA:
363 case SSL_EDH_RSA_CAMELLIA_256_SHA:
364 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
365 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
366 break;
367#endif
368
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]370 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371 }
372
373 memset( keyblk, 0, sizeof( keyblk ) );
374
375 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
376
377 return( 0 );
378}
379
380void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
381{
382 md5_context md5;
383 sha1_context sha1;
384 unsigned char pad_1[48];
385 unsigned char pad_2[48];
386
387 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
388
389 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
390 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
391
392 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
393 {
394 memset( pad_1, 0x36, 48 );
395 memset( pad_2, 0x5C, 48 );
396
397 md5_update( &md5, ssl->session->master, 48 );
398 md5_update( &md5, pad_1, 48 );
399 md5_finish( &md5, hash );
400
401 md5_starts( &md5 );
402 md5_update( &md5, ssl->session->master, 48 );
403 md5_update( &md5, pad_2, 48 );
404 md5_update( &md5, hash, 16 );
405 md5_finish( &md5, hash );
406
407 sha1_update( &sha1, ssl->session->master, 48 );
408 sha1_update( &sha1, pad_1, 40 );
409 sha1_finish( &sha1, hash + 16 );
410
411 sha1_starts( &sha1 );
412 sha1_update( &sha1, ssl->session->master, 48 );
413 sha1_update( &sha1, pad_2, 40 );
414 sha1_update( &sha1, hash + 16, 20 );
415 sha1_finish( &sha1, hash + 16 );
416 }
417 else /* TLSv1 */
418 {
419 md5_finish( &md5, hash );
420 sha1_finish( &sha1, hash + 16 );
421 }
422
423 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
424 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
425
426 return;
427}
428
429/*
430 * SSLv3.0 MAC functions
431 */
432static void ssl_mac_md5( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]433 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434 unsigned char *ctr, int type )
435{
436 unsigned char header[11];
437 unsigned char padding[48];
438 md5_context md5;
439
440 memcpy( header, ctr, 8 );
441 header[ 8] = (unsigned char) type;
442 header[ 9] = (unsigned char)( len >> 8 );
443 header[10] = (unsigned char)( len );
444
445 memset( padding, 0x36, 48 );
446 md5_starts( &md5 );
447 md5_update( &md5, secret, 16 );
448 md5_update( &md5, padding, 48 );
449 md5_update( &md5, header, 11 );
450 md5_update( &md5, buf, len );
451 md5_finish( &md5, buf + len );
452
453 memset( padding, 0x5C, 48 );
454 md5_starts( &md5 );
455 md5_update( &md5, secret, 16 );
456 md5_update( &md5, padding, 48 );
457 md5_update( &md5, buf + len, 16 );
458 md5_finish( &md5, buf + len );
459}
460
461static void ssl_mac_sha1( unsigned char *secret,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]462 unsigned char *buf, size_t len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463 unsigned char *ctr, int type )
464{
465 unsigned char header[11];
466 unsigned char padding[40];
467 sha1_context sha1;
468
469 memcpy( header, ctr, 8 );
470 header[ 8] = (unsigned char) type;
471 header[ 9] = (unsigned char)( len >> 8 );
472 header[10] = (unsigned char)( len );
473
474 memset( padding, 0x36, 40 );
475 sha1_starts( &sha1 );
476 sha1_update( &sha1, secret, 20 );
477 sha1_update( &sha1, padding, 40 );
478 sha1_update( &sha1, header, 11 );
479 sha1_update( &sha1, buf, len );
480 sha1_finish( &sha1, buf + len );
481
482 memset( padding, 0x5C, 40 );
483 sha1_starts( &sha1 );
484 sha1_update( &sha1, secret, 20 );
485 sha1_update( &sha1, padding, 40 );
486 sha1_update( &sha1, buf + len, 20 );
487 sha1_finish( &sha1, buf + len );
488}
489
490/*
491 * Encryption/decryption functions
492 */
493static int ssl_encrypt_buf( ssl_context *ssl )
494{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]495 size_t i, padlen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]496
497 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
498
499 /*
500 * Add MAC then encrypt
501 */
502 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
503 {
504 if( ssl->maclen == 16 )
505 ssl_mac_md5( ssl->mac_enc,
506 ssl->out_msg, ssl->out_msglen,
507 ssl->out_ctr, ssl->out_msgtype );
508
509 if( ssl->maclen == 20 )
510 ssl_mac_sha1( ssl->mac_enc,
511 ssl->out_msg, ssl->out_msglen,
512 ssl->out_ctr, ssl->out_msgtype );
513 }
514 else
515 {
516 if( ssl->maclen == 16 )
517 md5_hmac( ssl->mac_enc, 16,
518 ssl->out_ctr, ssl->out_msglen + 13,
519 ssl->out_msg + ssl->out_msglen );
520
521 if( ssl->maclen == 20 )
522 sha1_hmac( ssl->mac_enc, 20,
523 ssl->out_ctr, ssl->out_msglen + 13,
524 ssl->out_msg + ssl->out_msglen );
525 }
526
527 SSL_DEBUG_BUF( 4, "computed mac",
528 ssl->out_msg + ssl->out_msglen, ssl->maclen );
529
530 ssl->out_msglen += ssl->maclen;
531
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]532 for( i = 8; i > 0; i-- )
533 if( ++ssl->out_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]534 break;
535
536 if( ssl->ivlen == 0 )
537 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]538#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]539 padlen = 0;
540
541 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
542 "including %d bytes of padding",
543 ssl->out_msglen, 0 ) );
544
545 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
546 ssl->out_msg, ssl->out_msglen );
547
548 arc4_crypt( (arc4_context *) ssl->ctx_enc,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]549 ssl->out_msglen, ssl->out_msg,
550 ssl->out_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]552 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553#endif
554 }
555 else
556 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]557 unsigned char *enc_msg;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]558 size_t enc_msglen;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]559
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
561 if( padlen == ssl->ivlen )
562 padlen = 0;
563
564 for( i = 0; i <= padlen; i++ )
565 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
566
567 ssl->out_msglen += padlen + 1;
568
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]569 enc_msglen = ssl->out_msglen;
570 enc_msg = ssl->out_msg;
571
572 /*
573 * Prepend per-record IV for block cipher in TLS v1.1 as per
574 * Method 1 (6.2.3.2. in RFC4346)
575 */
576 if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
577 {
578 /*
579 * Generate IV
580 */
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]581 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
582 if( ret != 0 )
583 return( ret );
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]584
585 /*
586 * Shift message for ivlen bytes and prepend IV
587 */
588 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
589 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
590
591 /*
592 * Fix pointer positions and message length with added IV
593 */
594 enc_msg = ssl->out_msg + ssl->ivlen;
595 enc_msglen = ssl->out_msglen;
596 ssl->out_msglen += ssl->ivlen;
597 }
598
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]600 "including %d bytes of IV and %d bytes of padding",
601 ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]602
603 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
604 ssl->out_msg, ssl->out_msglen );
605
606 switch( ssl->ivlen )
607 {
608 case 8:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]609#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]610 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]611 DES_ENCRYPT, enc_msglen,
612 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 break;
614#endif
615
616 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]617#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]618 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
619 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
620 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
621 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
622 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]623 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]624 AES_ENCRYPT, enc_msglen,
625 ssl->iv_enc, enc_msg, enc_msg);
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]626 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]627 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]628#endif
629
630#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]631 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
632 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
633 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
634 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
635 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]636 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]637 CAMELLIA_ENCRYPT, enc_msglen,
638 ssl->iv_enc, enc_msg, enc_msg );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]639 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]640 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641#endif
642
643 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]644 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]645 }
646 }
647
648 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
649
650 return( 0 );
651}
652
653static int ssl_decrypt_buf( ssl_context *ssl )
654{
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]655 size_t i, padlen = 0, correct = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656 unsigned char tmp[20];
657
658 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
659
660 if( ssl->in_msglen < ssl->minlen )
661 {
662 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
663 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]664 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665 }
666
667 if( ssl->ivlen == 0 )
668 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]669#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]670 padlen = 0;
671 arc4_crypt( (arc4_context *) ssl->ctx_dec,
Paul Bakkerbaad6502010-03-21 15:42:15 +0000[diff] [blame]672 ssl->in_msglen, ssl->in_msg,
673 ssl->in_msg );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]675 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]676#endif
677 }
678 else
679 {
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]680 /*
681 * Decrypt and check the padding
682 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]683 unsigned char *dec_msg;
684 unsigned char *dec_msg_result;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]685 size_t dec_msglen;
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]686 size_t minlen = 0;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]687
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]688 /*
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]689 * Check immediate ciphertext sanity
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690 */
691 if( ssl->in_msglen % ssl->ivlen != 0 )
692 {
693 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
694 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]695 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]696 }
697
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]698 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
699 minlen += ssl->ivlen;
700
701 if( ssl->in_msglen < minlen + ssl->ivlen ||
702 ssl->in_msglen < minlen + ssl->maclen + 1 )
703 {
704 SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
705 ssl->in_msglen, ssl->ivlen, ssl->maclen ) );
706 return( POLARSSL_ERR_SSL_INVALID_MAC );
707 }
708
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]709 dec_msglen = ssl->in_msglen;
710 dec_msg = ssl->in_msg;
711 dec_msg_result = ssl->in_msg;
712
713 /*
714 * Initialize for prepended IV for block cipher in TLS v1.1
715 */
716 if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
717 {
718 dec_msg += ssl->ivlen;
719 dec_msglen -= ssl->ivlen;
720 ssl->in_msglen -= ssl->ivlen;
721
722 for( i = 0; i < ssl->ivlen; i++ )
723 ssl->iv_dec[i] = ssl->in_msg[i];
724 }
725
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726 switch( ssl->ivlen )
727 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]728#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]729 case 8:
730 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]731 DES_DECRYPT, dec_msglen,
732 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]733 break;
734#endif
735
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]736 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]737#if defined(POLARSSL_AES_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]738 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
739 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
740 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
741 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
742 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]743 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]744 AES_DECRYPT, dec_msglen,
745 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]746 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]747 }
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]748#endif
749
750#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]751 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
752 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
753 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
754 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
755 {
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]756 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]757 CAMELLIA_DECRYPT, dec_msglen,
758 ssl->iv_dec, dec_msg, dec_msg_result );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]759 break;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]760 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]761#endif
762
763 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]764 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]765 }
766
767 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]768
769 if( ssl->in_msglen < ssl->maclen + padlen )
770 {
Paul Bakker48b7cb82013-03-11 15:59:03 +0100[diff] [blame]771#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]772 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
773 ssl->in_msglen, ssl->maclen, padlen ) );
Paul Bakker48b7cb82013-03-11 15:59:03 +0100[diff] [blame]774#endif
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]775 padlen = 0;
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]776 correct = 0;
777 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778
779 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
780 {
781 if( padlen > ssl->ivlen )
782 {
Paul Bakker48b7cb82013-03-11 15:59:03 +0100[diff] [blame]783#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]784 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
785 "should be no more than %d",
786 padlen, ssl->ivlen ) );
Paul Bakker48b7cb82013-03-11 15:59:03 +0100[diff] [blame]787#endif
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]788 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]789 }
790 }
791 else
792 {
793 /*
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]794 * TLSv1+: always check the padding up to the first failure
795 * and fake check up to 256 bytes of padding
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]796 */
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]797 size_t pad_count = 0, fake_pad_count = 0;
798 size_t padding_idx = ssl->in_msglen - padlen - 1;
799
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]800 for( i = 1; i <= padlen; i++ )
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]801 pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
802
803 for( ; i <= 256; i++ )
804 fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
805
806 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
807 correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
808
Paul Bakker48b7cb82013-03-11 15:59:03 +0100[diff] [blame]809#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]810 if( padlen > 0 && correct == 0)
811 SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
Paul Bakker48b7cb82013-03-11 15:59:03 +0100[diff] [blame]812#endif
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]813 padlen &= correct * 0x1FF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814 }
815 }
816
817 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
818 ssl->in_msg, ssl->in_msglen );
819
820 /*
821 * Always compute the MAC (RFC4346, CBCTIME).
822 */
823 ssl->in_msglen -= ( ssl->maclen + padlen );
824
825 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
826 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
827
828 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
829
830 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
831 {
832 if( ssl->maclen == 16 )
833 ssl_mac_md5( ssl->mac_dec,
834 ssl->in_msg, ssl->in_msglen,
835 ssl->in_ctr, ssl->in_msgtype );
836 else
837 ssl_mac_sha1( ssl->mac_dec,
838 ssl->in_msg, ssl->in_msglen,
839 ssl->in_ctr, ssl->in_msgtype );
840 }
841 else
842 {
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]843 /*
844 * Process MAC and always update for padlen afterwards to make
845 * total time independent of padlen
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]846 *
847 * extra_run compensates MAC check for padlen
848 *
849 * Known timing attacks:
850 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
851 *
852 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
853 * correctly. (We round down instead of up, so -56 is the correct
854 * value for our calculations instead of -55)
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]855 */
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]856 int j, extra_run = 0;
857 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
858 ( 13 + ssl->in_msglen + 8 ) / 64;
859
860 extra_run &= correct * 0xFF;
861
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862 if( ssl->maclen == 16 )
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]863 {
864 md5_context ctx;
865 md5_hmac_starts( &ctx, ssl->mac_dec, 16 );
866 md5_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
867 md5_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
868
869 for( j = 0; j < extra_run; j++ )
870 md5_process( &ctx, ssl->in_msg );
871 }
872 else if( ssl->maclen == 20 )
873 {
874 sha1_context ctx;
875 sha1_hmac_starts( &ctx, ssl->mac_dec, 20 );
876 sha1_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
877 sha1_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
878
879 for( j = 0; j < extra_run; j++ )
880 sha1_process( &ctx, ssl->in_msg );
881 }
882 else if( ssl->maclen != 0 )
883 {
884 SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
885 ssl->maclen ) );
886 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
887 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]888 }
889
890 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
891 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
892 ssl->maclen );
893
894 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
895 ssl->maclen ) != 0 )
896 {
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]897#if defined(POLARSSL_SSL_DEBUG_ALL)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]898 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker0a971b52013-03-11 16:08:06 +0100[diff] [blame]899#endif
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]900 correct = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]901 }
902
903 /*
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]904 * Finally check the correct flag
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]905 */
Paul Bakker6a229c12013-03-11 15:56:17 +0100[diff] [blame]906 if( correct == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]907 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]908
909 if( ssl->in_msglen == 0 )
910 {
911 ssl->nb_zero++;
912
913 /*
914 * Three or more empty messages may be a DoS attack
915 * (excessive CPU consumption).
916 */
917 if( ssl->nb_zero > 3 )
918 {
919 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
920 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]921 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]922 }
923 }
924 else
925 ssl->nb_zero = 0;
926
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]927 for( i = 8; i > 0; i-- )
928 if( ++ssl->in_ctr[i - 1] != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929 break;
930
931 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
932
933 return( 0 );
934}
935
936/*
937 * Fill the input message buffer
938 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]939int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]940{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]941 int ret;
942 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]943
944 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
945
946 while( ssl->in_left < nb_want )
947 {
948 len = nb_want - ssl->in_left;
949 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
950
951 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
952 ssl->in_left, nb_want ) );
953 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
954
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]955 if( ret == 0 )
956 return( POLARSSL_ERR_SSL_CONN_EOF );
957
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]958 if( ret < 0 )
959 return( ret );
960
961 ssl->in_left += ret;
962 }
963
964 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
965
966 return( 0 );
967}
968
969/*
970 * Flush any data not yet written
971 */
972int ssl_flush_output( ssl_context *ssl )
973{
974 int ret;
975 unsigned char *buf;
976
977 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
978
979 while( ssl->out_left > 0 )
980 {
981 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
982 5 + ssl->out_msglen, ssl->out_left ) );
983
984 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
985 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
986 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
987
988 if( ret <= 0 )
989 return( ret );
990
991 ssl->out_left -= ret;
992 }
993
994 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
995
996 return( 0 );
997}
998
999/*
1000 * Record layer functions
1001 */
1002int ssl_write_record( ssl_context *ssl )
1003{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1004 int ret;
1005 size_t len = ssl->out_msglen;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1006
1007 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1008
1009 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1010 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1011 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1012 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1013 ssl->out_hdr[4] = (unsigned char)( len );
1014
1015 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1016 {
1017 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1018 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1019 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1020
1021 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
1022 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
1023 }
1024
1025 if( ssl->do_crypt != 0 )
1026 {
1027 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1028 {
1029 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1030 return( ret );
1031 }
1032
1033 len = ssl->out_msglen;
1034 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1035 ssl->out_hdr[4] = (unsigned char)( len );
1036 }
1037
1038 ssl->out_left = 5 + ssl->out_msglen;
1039
1040 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1041 "version = [%d:%d], msglen = %d",
1042 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1043 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1044
1045 SSL_DEBUG_BUF( 4, "output record sent to network",
1046 ssl->out_hdr, 5 + ssl->out_msglen );
1047
1048 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1049 {
1050 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1051 return( ret );
1052 }
1053
1054 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1055
1056 return( 0 );
1057}
1058
1059int ssl_read_record( ssl_context *ssl )
1060{
1061 int ret;
1062
1063 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1064
1065 if( ssl->in_hslen != 0 &&
1066 ssl->in_hslen < ssl->in_msglen )
1067 {
1068 /*
1069 * Get next Handshake message in the current record
1070 */
1071 ssl->in_msglen -= ssl->in_hslen;
1072
Paul Bakker8934a982011-08-05 11:11:53 +0000[diff] [blame]1073 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074 ssl->in_msglen );
1075
1076 ssl->in_hslen = 4;
1077 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1078
1079 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1080 " %d, type = %d, hslen = %d",
1081 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1082
1083 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1084 {
1085 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1086 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1087 }
1088
1089 if( ssl->in_msglen < ssl->in_hslen )
1090 {
1091 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1092 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1093 }
1094
1095 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1096 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1097
1098 return( 0 );
1099 }
1100
1101 ssl->in_hslen = 0;
1102
1103 /*
1104 * Read the record header and validate it
1105 */
1106 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1107 {
1108 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1109 return( ret );
1110 }
1111
1112 ssl->in_msgtype = ssl->in_hdr[0];
1113 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1114
1115 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1116 "version = [%d:%d], msglen = %d",
1117 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1118 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1119
1120 if( ssl->in_hdr[1] != ssl->major_ver )
1121 {
1122 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1123 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1124 }
1125
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1126 if( ssl->in_hdr[2] > ssl->max_minor_ver )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1127 {
1128 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1129 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1130 }
1131
1132 /*
1133 * Make sure the message length is acceptable
1134 */
1135 if( ssl->do_crypt == 0 )
1136 {
1137 if( ssl->in_msglen < 1 ||
1138 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1139 {
1140 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1141 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1142 }
1143 }
1144 else
1145 {
1146 if( ssl->in_msglen < ssl->minlen )
1147 {
1148 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1149 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1150 }
1151
1152 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1153 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1154 {
1155 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1156 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1157 }
1158
1159 /*
1160 * TLS encrypted messages can have up to 256 bytes of padding
1161 */
Paul Bakker8648f042013-09-11 13:16:28 +0200[diff] [blame]1162 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1163 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1164 {
1165 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1166 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1167 }
1168 }
1169
1170 /*
1171 * Read and optionally decrypt the message contents
1172 */
1173 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1174 {
1175 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1176 return( ret );
1177 }
1178
1179 SSL_DEBUG_BUF( 4, "input record from network",
1180 ssl->in_hdr, 5 + ssl->in_msglen );
1181
1182 if( ssl->do_crypt != 0 )
1183 {
1184 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1185 {
1186 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1187 return( ret );
1188 }
1189
1190 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1191 ssl->in_msg, ssl->in_msglen );
1192
1193 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1194 {
1195 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1196 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1197 }
1198 }
1199
1200 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1201 {
1202 ssl->in_hslen = 4;
1203 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1204
1205 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1206 " %d, type = %d, hslen = %d",
1207 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1208
1209 /*
1210 * Additional checks to validate the handshake header
1211 */
1212 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1213 {
1214 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1215 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1216 }
1217
1218 if( ssl->in_msglen < ssl->in_hslen )
1219 {
1220 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1221 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1222 }
1223
1224 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1225 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1226 }
1227
1228 if( ssl->in_msgtype == SSL_MSG_ALERT )
1229 {
1230 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1231 ssl->in_msg[0], ssl->in_msg[1] ) );
1232
1233 /*
1234 * Ignore non-fatal alerts, except close_notify
1235 */
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1236 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1237 {
1238 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1239 /**
1240 * Subtract from error code as ssl->in_msg[1] is 7-bit positive
1241 * error identifier.
1242 */
1243 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244 }
1245
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1246 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1247 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1248 {
1249 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1250 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251 }
1252 }
1253
1254 ssl->in_left = 0;
1255
1256 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1257
1258 return( 0 );
1259}
1260
1261/*
1262 * Handshake functions
1263 */
1264int ssl_write_certificate( ssl_context *ssl )
1265{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1266 int ret;
1267 size_t i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1268 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269
1270 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1271
1272 if( ssl->endpoint == SSL_IS_CLIENT )
1273 {
1274 if( ssl->client_auth == 0 )
1275 {
1276 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1277 ssl->state++;
1278 return( 0 );
1279 }
1280
1281 /*
1282 * If using SSLv3 and got no cert, send an Alert message
1283 * (otherwise an empty Certificate message will be sent).
1284 */
1285 if( ssl->own_cert == NULL &&
1286 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1287 {
1288 ssl->out_msglen = 2;
1289 ssl->out_msgtype = SSL_MSG_ALERT;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1290 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1291 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1292
1293 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1294 goto write_msg;
1295 }
1296 }
1297 else /* SSL_IS_SERVER */
1298 {
1299 if( ssl->own_cert == NULL )
1300 {
1301 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1302 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303 }
1304 }
1305
1306 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1307
1308 /*
1309 * 0 . 0 handshake type
1310 * 1 . 3 handshake length
1311 * 4 . 6 length of all certs
1312 * 7 . 9 length of cert. 1
1313 * 10 . n-1 peer certificate
1314 * n . n+2 length of cert. 2
1315 * n+3 . ... upper level cert, etc.
1316 */
1317 i = 7;
1318 crt = ssl->own_cert;
1319
Paul Bakker29087132010-03-21 21:03:34 +0000[diff] [blame]1320 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321 {
1322 n = crt->raw.len;
1323 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1324 {
1325 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1326 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1327 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328 }
1329
1330 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1331 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1332 ssl->out_msg[i + 2] = (unsigned char)( n );
1333
1334 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1335 i += n; crt = crt->next;
1336 }
1337
1338 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1339 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1340 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1341
1342 ssl->out_msglen = i;
1343 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1344 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1345
1346write_msg:
1347
1348 ssl->state++;
1349
1350 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1351 {
1352 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1353 return( ret );
1354 }
1355
1356 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1357
1358 return( 0 );
1359}
1360
1361int ssl_parse_certificate( ssl_context *ssl )
1362{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1363 int ret;
1364 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1365
1366 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1367
1368 if( ssl->endpoint == SSL_IS_SERVER &&
1369 ssl->authmode == SSL_VERIFY_NONE )
1370 {
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1371 ssl->verify_result = BADCERT_SKIP_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1372 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1373 ssl->state++;
1374 return( 0 );
1375 }
1376
1377 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1378 {
1379 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1380 return( ret );
1381 }
1382
1383 ssl->state++;
1384
1385 /*
1386 * Check if the client sent an empty certificate
1387 */
1388 if( ssl->endpoint == SSL_IS_SERVER &&
1389 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1390 {
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]1391 if( ssl->in_msglen == 2 &&
1392 ssl->in_msgtype == SSL_MSG_ALERT &&
1393 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1394 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1395 {
1396 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1397
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1398 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1399 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1400 return( 0 );
1401 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1402 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1403 }
1404 }
1405
1406 if( ssl->endpoint == SSL_IS_SERVER &&
1407 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1408 {
1409 if( ssl->in_hslen == 7 &&
1410 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1411 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1412 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1413 {
1414 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1415
Paul Bakkercdf07e92011-01-30 17:05:13 +0000[diff] [blame]1416 ssl->verify_result = BADCERT_MISSING;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1417 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1418 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1419 else
1420 return( 0 );
1421 }
1422 }
1423
1424 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1425 {
1426 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1427 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1428 }
1429
1430 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1431 {
1432 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1433 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1434 }
1435
1436 /*
1437 * Same message structure as in ssl_write_certificate()
1438 */
1439 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1440
1441 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1442 {
1443 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1444 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1445 }
1446
Paul Bakkerdf177ba2013-09-11 11:45:41 +0200[diff] [blame]1447 /* In case we tried to reuse a session but it failed */
1448 if( ssl->peer_cert != NULL )
1449 {
1450 x509_free( ssl->peer_cert );
1451 free( ssl->peer_cert );
1452 }
1453
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1454 if( ( ssl->peer_cert = (x509_cert *) malloc(
1455 sizeof( x509_cert ) ) ) == NULL )
1456 {
1457 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1458 sizeof( x509_cert ) ) );
Paul Bakker732e1a82011-12-11 16:35:09 +0000[diff] [blame]1459 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1460 }
1461
1462 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1463
1464 i = 7;
1465
1466 while( i < ssl->in_hslen )
1467 {
1468 if( ssl->in_msg[i] != 0 )
1469 {
1470 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1471 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1472 }
1473
1474 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1475 | (unsigned int) ssl->in_msg[i + 2];
1476 i += 3;
1477
1478 if( n < 128 || i + n > ssl->in_hslen )
1479 {
1480 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1481 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1482 }
1483
Paul Bakkerb5df3bf2013-06-19 12:08:47 +0200[diff] [blame]1484 ret = x509parse_crt_der( ssl->peer_cert, ssl->in_msg + i, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1485 if( ret != 0 )
1486 {
1487 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1488 return( ret );
1489 }
1490
1491 i += n;
1492 }
1493
1494 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1495
1496 if( ssl->authmode != SSL_VERIFY_NONE )
1497 {
1498 if( ssl->ca_chain == NULL )
1499 {
1500 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1501 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1502 }
1503
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1504 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1505 ssl->peer_cn, &ssl->verify_result,
1506 ssl->f_vrfy, ssl->p_vrfy );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1507
1508 if( ret != 0 )
1509 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1510
1511 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1512 ret = 0;
1513 }
1514
1515 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1516
1517 return( ret );
1518}
1519
1520int ssl_write_change_cipher_spec( ssl_context *ssl )
1521{
1522 int ret;
1523
1524 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1525
1526 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1527 ssl->out_msglen = 1;
1528 ssl->out_msg[0] = 1;
1529
1530 ssl->do_crypt = 0;
1531 ssl->state++;
1532
1533 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1534 {
1535 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1536 return( ret );
1537 }
1538
1539 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1540
1541 return( 0 );
1542}
1543
1544int ssl_parse_change_cipher_spec( ssl_context *ssl )
1545{
1546 int ret;
1547
1548 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1549
1550 ssl->do_crypt = 0;
1551
1552 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1553 {
1554 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1555 return( ret );
1556 }
1557
1558 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1559 {
1560 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1561 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1562 }
1563
1564 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1565 {
1566 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1567 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1568 }
1569
1570 ssl->state++;
1571
1572 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1573
1574 return( 0 );
1575}
1576
1577static void ssl_calc_finished(
1578 ssl_context *ssl, unsigned char *buf, int from,
1579 md5_context *md5, sha1_context *sha1 )
1580{
1581 int len = 12;
1582 char *sender;
1583 unsigned char padbuf[48];
1584 unsigned char md5sum[16];
1585 unsigned char sha1sum[20];
1586
1587 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1588
1589 /*
1590 * SSLv3:
1591 * hash =
1592 * MD5( master + pad2 +
1593 * MD5( handshake + sender + master + pad1 ) )
1594 * + SHA1( master + pad2 +
1595 * SHA1( handshake + sender + master + pad1 ) )
1596 *
1597 * TLSv1:
1598 * hash = PRF( master, finished_label,
1599 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1600 */
1601
1602 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1603 md5->state, sizeof( md5->state ) );
1604
1605 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1606 sha1->state, sizeof( sha1->state ) );
1607
1608 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1609 {
1610 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1611 : (char *) "SRVR";
1612
1613 memset( padbuf, 0x36, 48 );
1614
1615 md5_update( md5, (unsigned char *) sender, 4 );
1616 md5_update( md5, ssl->session->master, 48 );
1617 md5_update( md5, padbuf, 48 );
1618 md5_finish( md5, md5sum );
1619
1620 sha1_update( sha1, (unsigned char *) sender, 4 );
1621 sha1_update( sha1, ssl->session->master, 48 );
1622 sha1_update( sha1, padbuf, 40 );
1623 sha1_finish( sha1, sha1sum );
1624
1625 memset( padbuf, 0x5C, 48 );
1626
1627 md5_starts( md5 );
1628 md5_update( md5, ssl->session->master, 48 );
1629 md5_update( md5, padbuf, 48 );
1630 md5_update( md5, md5sum, 16 );
1631 md5_finish( md5, buf );
1632
1633 sha1_starts( sha1 );
1634 sha1_update( sha1, ssl->session->master, 48 );
1635 sha1_update( sha1, padbuf , 40 );
1636 sha1_update( sha1, sha1sum, 20 );
1637 sha1_finish( sha1, buf + 16 );
1638
1639 len += 24;
1640 }
1641 else
1642 {
1643 sender = ( from == SSL_IS_CLIENT )
1644 ? (char *) "client finished"
1645 : (char *) "server finished";
1646
1647 md5_finish( md5, padbuf );
1648 sha1_finish( sha1, padbuf + 16 );
1649
1650 tls1_prf( ssl->session->master, 48, sender,
1651 padbuf, 36, buf, len );
1652 }
1653
1654 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1655
1656 memset( md5, 0, sizeof( md5_context ) );
1657 memset( sha1, 0, sizeof( sha1_context ) );
1658
1659 memset( padbuf, 0, sizeof( padbuf ) );
1660 memset( md5sum, 0, sizeof( md5sum ) );
1661 memset( sha1sum, 0, sizeof( sha1sum ) );
1662
1663 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1664}
1665
1666int ssl_write_finished( ssl_context *ssl )
1667{
1668 int ret, hash_len;
1669 md5_context md5;
1670 sha1_context sha1;
1671
1672 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1673
1674 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1675 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1676
1677 ssl_calc_finished( ssl, ssl->out_msg + 4,
1678 ssl->endpoint, &md5, &sha1 );
1679
1680 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1681
1682 ssl->out_msglen = 4 + hash_len;
1683 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1684 ssl->out_msg[0] = SSL_HS_FINISHED;
1685
1686 /*
1687 * In case of session resuming, invert the client and server
1688 * ChangeCipherSpec messages order.
1689 */
1690 if( ssl->resume != 0 )
1691 {
1692 if( ssl->endpoint == SSL_IS_CLIENT )
1693 ssl->state = SSL_HANDSHAKE_OVER;
1694 else
1695 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1696 }
1697 else
1698 ssl->state++;
1699
1700 ssl->do_crypt = 1;
1701
1702 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1703 {
1704 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1705 return( ret );
1706 }
1707
1708 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1709
1710 return( 0 );
1711}
1712
1713int ssl_parse_finished( ssl_context *ssl )
1714{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1715 int ret;
1716 unsigned int hash_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1717 unsigned char buf[36];
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1718 md5_context md5;
1719 sha1_context sha1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1720
1721 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1722
1723 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1724 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1725
1726 ssl->do_crypt = 1;
1727
1728 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1729 {
1730 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1731 return( ret );
1732 }
1733
1734 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1735 {
1736 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1737 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1738 }
1739
1740 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1741
1742 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1743 ssl->in_hslen != 4 + hash_len )
1744 {
1745 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1746 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747 }
1748
1749 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1750
1751 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1752 {
1753 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1754 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1755 }
1756
1757 if( ssl->resume != 0 )
1758 {
1759 if( ssl->endpoint == SSL_IS_CLIENT )
1760 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1761
1762 if( ssl->endpoint == SSL_IS_SERVER )
1763 ssl->state = SSL_HANDSHAKE_OVER;
1764 }
1765 else
1766 ssl->state++;
1767
1768 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1769
1770 return( 0 );
1771}
1772
1773/*
1774 * Initialize an SSL context
1775 */
1776int ssl_init( ssl_context *ssl )
1777{
1778 int len = SSL_BUFFER_LEN;
1779
1780 memset( ssl, 0, sizeof( ssl_context ) );
1781
1782 ssl->in_ctr = (unsigned char *) malloc( len );
1783 ssl->in_hdr = ssl->in_ctr + 8;
1784 ssl->in_msg = ssl->in_ctr + 13;
1785
1786 if( ssl->in_ctr == NULL )
1787 {
1788 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
Paul Bakker732e1a82011-12-11 16:35:09 +0000[diff] [blame]1789 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790 }
1791
1792 ssl->out_ctr = (unsigned char *) malloc( len );
1793 ssl->out_hdr = ssl->out_ctr + 8;
1794 ssl->out_msg = ssl->out_ctr + 13;
1795
1796 if( ssl->out_ctr == NULL )
1797 {
1798 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1799 free( ssl-> in_ctr );
Paul Bakker732e1a82011-12-11 16:35:09 +0000[diff] [blame]1800 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1801 }
1802
1803 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1804 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1805
1806 ssl->hostname = NULL;
1807 ssl->hostname_len = 0;
1808
1809 md5_starts( &ssl->fin_md5 );
1810 sha1_starts( &ssl->fin_sha1 );
1811
1812 return( 0 );
1813}
1814
1815/*
Paul Bakker7eb013f2011-10-06 12:37:39 +0000[diff] [blame]1816 * Reset an initialized and used SSL context for re-use while retaining
1817 * all application-set variables, function pointers and data.
1818 */
1819void ssl_session_reset( ssl_context *ssl )
1820{
1821 ssl->state = SSL_HELLO_REQUEST;
1822
1823 ssl->in_offt = NULL;
1824
1825 ssl->in_msgtype = 0;
1826 ssl->in_msglen = 0;
1827 ssl->in_left = 0;
1828
1829 ssl->in_hslen = 0;
1830 ssl->nb_zero = 0;
1831
1832 ssl->out_msgtype = 0;
1833 ssl->out_msglen = 0;
1834 ssl->out_left = 0;
1835
1836 ssl->do_crypt = 0;
1837 ssl->pmslen = 0;
1838 ssl->keylen = 0;
1839 ssl->minlen = 0;
1840 ssl->ivlen = 0;
1841 ssl->maclen = 0;
1842
1843 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1844 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
1845 memset( ssl->randbytes, 0, 64 );
1846 memset( ssl->premaster, 0, 256 );
1847 memset( ssl->iv_enc, 0, 16 );
1848 memset( ssl->iv_dec, 0, 16 );
1849 memset( ssl->mac_enc, 0, 32 );
1850 memset( ssl->mac_dec, 0, 32 );
1851 memset( ssl->ctx_enc, 0, 128 );
1852 memset( ssl->ctx_dec, 0, 128 );
1853
1854 md5_starts( &ssl->fin_md5 );
1855 sha1_starts( &ssl->fin_sha1 );
1856}
1857
1858/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859 * SSL set accessors
1860 */
1861void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1862{
1863 ssl->endpoint = endpoint;
1864}
1865
1866void ssl_set_authmode( ssl_context *ssl, int authmode )
1867{
1868 ssl->authmode = authmode;
1869}
1870
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]1871void ssl_set_verify( ssl_context *ssl,
1872 int (*f_vrfy)(void *, x509_cert *, int, int),
1873 void *p_vrfy )
1874{
1875 ssl->f_vrfy = f_vrfy;
1876 ssl->p_vrfy = p_vrfy;
1877}
1878
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1879void ssl_set_rng( ssl_context *ssl,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]1880 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881 void *p_rng )
1882{
1883 ssl->f_rng = f_rng;
1884 ssl->p_rng = p_rng;
1885}
1886
1887void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1888 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889 void *p_dbg )
1890{
1891 ssl->f_dbg = f_dbg;
1892 ssl->p_dbg = p_dbg;
1893}
1894
1895void ssl_set_bio( ssl_context *ssl,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1896 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
Paul Bakker39bb4182011-06-21 07:36:43 +0000[diff] [blame]1897 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898{
1899 ssl->f_recv = f_recv;
1900 ssl->f_send = f_send;
1901 ssl->p_recv = p_recv;
1902 ssl->p_send = p_send;
1903}
1904
1905void ssl_set_scb( ssl_context *ssl,
1906 int (*s_get)(ssl_context *),
1907 int (*s_set)(ssl_context *) )
1908{
1909 ssl->s_get = s_get;
1910 ssl->s_set = s_set;
1911}
1912
1913void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1914 ssl_session *session )
1915{
1916 ssl->resume = resume;
1917 ssl->timeout = timeout;
1918 ssl->session = session;
1919}
1920
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1921void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]1923 ssl->ciphersuites = ciphersuites;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1924}
1925
1926void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]1927 x509_crl *ca_crl, const char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928{
1929 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1930 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1931 ssl->peer_cn = peer_cn;
1932}
1933
1934void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1935 rsa_context *rsa_key )
1936{
1937 ssl->own_cert = own_cert;
1938 ssl->rsa_key = rsa_key;
1939}
1940
Paul Bakker43b7e352011-01-18 15:27:19 +0000[diff] [blame]1941#if defined(POLARSSL_PKCS11_C)
1942void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
1943 pkcs11_context *pkcs11_key )
1944{
1945 ssl->own_cert = own_cert;
1946 ssl->pkcs11_key = pkcs11_key;
1947}
1948#endif
1949
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1950int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951{
1952 int ret;
1953
1954 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1955 {
1956 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1957 return( ret );
1958 }
1959
1960 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1961 {
1962 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1963 return( ret );
1964 }
1965
1966 return( 0 );
1967}
1968
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]1969int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
1970{
1971 int ret;
1972
1973 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
1974 {
1975 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1976 return( ret );
1977 }
1978
1979 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
1980 {
1981 SSL_DEBUG_RET( 1, "mpi_copy", ret );
1982 return( ret );
1983 }
1984
1985 return( 0 );
1986}
1987
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1988int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1989{
1990 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1991 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1992
1993 ssl->hostname_len = strlen( hostname );
Paul Bakker3081ba12013-09-11 11:38:34 +0200[diff] [blame]1994
1995 if( ssl->hostname_len + 1 == 0 )
1996 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1997
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1998 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1999
Paul Bakkere2e36d32012-01-23 09:56:51 +0000[diff] [blame]2000 if( ssl->hostname == NULL )
2001 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2002
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2003 memcpy( ssl->hostname, (unsigned char *) hostname,
2004 ssl->hostname_len );
Paul Bakker3081ba12013-09-11 11:38:34 +0200[diff] [blame]2005
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]2006 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007
2008 return( 0 );
2009}
2010
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]2011void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2012{
2013 ssl->max_major_ver = major;
2014 ssl->max_minor_ver = minor;
2015}
2016
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2017/*
2018 * SSL get accessors
2019 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2020size_t ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021{
2022 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2023}
2024
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2025int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2026{
2027 return( ssl->verify_result );
2028}
2029
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2030const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2032 switch( ciphersuite_id )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2033 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2034#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2035 case SSL_RSA_RC4_128_MD5:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2036 return( "SSL-RSA-RC4-128-MD5" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2037
2038 case SSL_RSA_RC4_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2039 return( "SSL-RSA-RC4-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2040#endif
2041
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2042#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2043 case SSL_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2044 return( "SSL-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2045
2046 case SSL_EDH_RSA_DES_168_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2047 return( "SSL-EDH-RSA-DES-168-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2048#endif
2049
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2050#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2051 case SSL_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2052 return( "SSL-RSA-AES-128-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2053
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2054 case SSL_EDH_RSA_AES_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2055 return( "SSL-EDH-RSA-AES-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2056
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057 case SSL_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2058 return( "SSL-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2059
2060 case SSL_EDH_RSA_AES_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2061 return( "SSL-EDH-RSA-AES-256-SHA" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2062#endif
2063
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2064#if defined(POLARSSL_CAMELLIA_C)
2065 case SSL_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2066 return( "SSL-RSA-CAMELLIA-128-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2067
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2068 case SSL_EDH_RSA_CAMELLIA_128_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2069 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2070
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2071 case SSL_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2072 return( "SSL-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2073
2074 case SSL_EDH_RSA_CAMELLIA_256_SHA:
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2075 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2076#endif
2077
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2078 default:
2079 break;
2080 }
2081
2082 return( "unknown" );
2083}
2084
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2085int ssl_get_ciphersuite_id( const char *ciphersuite_name )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2086{
2087#if defined(POLARSSL_ARC4_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2088 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2089 return( SSL_RSA_RC4_128_MD5 );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2090 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2091 return( SSL_RSA_RC4_128_SHA );
2092#endif
2093
2094#if defined(POLARSSL_DES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2095 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2096 return( SSL_RSA_DES_168_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2097 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2098 return( SSL_EDH_RSA_DES_168_SHA );
2099#endif
2100
2101#if defined(POLARSSL_AES_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2102 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2103 return( SSL_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2104 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2105 return( SSL_EDH_RSA_AES_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2106 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2107 return( SSL_RSA_AES_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2108 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2109 return( SSL_EDH_RSA_AES_256_SHA );
2110#endif
2111
2112#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2113 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2114 return( SSL_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2115 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2116 return( SSL_EDH_RSA_CAMELLIA_128_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2117 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2118 return( SSL_RSA_CAMELLIA_256_SHA );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2119 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2120 return( SSL_EDH_RSA_CAMELLIA_256_SHA );
2121#endif
2122
2123 return( 0 );
2124}
2125
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2126const char *ssl_get_ciphersuite( const ssl_context *ssl )
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2127{
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2128 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
Paul Bakker72f62662011-01-16 21:27:44 +0000[diff] [blame]2129}
2130
Paul Bakker43ca69c2011-01-15 17:35:19 +0000[diff] [blame]2131const char *ssl_get_version( const ssl_context *ssl )
2132{
2133 switch( ssl->minor_ver )
2134 {
2135 case SSL_MINOR_VERSION_0:
2136 return( "SSLv3.0" );
2137
2138 case SSL_MINOR_VERSION_1:
2139 return( "TLSv1.0" );
2140
2141 case SSL_MINOR_VERSION_2:
2142 return( "TLSv1.1" );
2143
2144 default:
2145 break;
2146 }
2147 return( "unknown" );
2148}
2149
Paul Bakkere3166ce2011-01-27 17:40:50 +0000[diff] [blame]2150int ssl_default_ciphersuites[] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2151{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2152#if defined(POLARSSL_DHM_C)
2153#if defined(POLARSSL_AES_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2154 SSL_EDH_RSA_AES_128_SHA,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2155 SSL_EDH_RSA_AES_256_SHA,
2156#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2157#if defined(POLARSSL_CAMELLIA_C)
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame]2158 SSL_EDH_RSA_CAMELLIA_128_SHA,
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2159 SSL_EDH_RSA_CAMELLIA_256_SHA,
2160#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2161#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2162 SSL_EDH_RSA_DES_168_SHA,
2163#endif
2164#endif
2165
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2166#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2167 SSL_RSA_AES_256_SHA,
2168#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2169#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]2170 SSL_RSA_CAMELLIA_256_SHA,
2171#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]2172#if defined(POLARSSL_AES_C)
2173 SSL_RSA_AES_128_SHA,
2174#endif
2175#if defined(POLARSSL_CAMELLIA_C)
2176 SSL_RSA_CAMELLIA_128_SHA,
2177#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2178#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179 SSL_RSA_DES_168_SHA,
2180#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2181#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2182 SSL_RSA_RC4_128_SHA,
2183 SSL_RSA_RC4_128_MD5,
2184#endif
2185 0
2186};
2187
2188/*
2189 * Perform the SSL handshake
2190 */
2191int ssl_handshake( ssl_context *ssl )
2192{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2193 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2194
2195 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
2196
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2197#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198 if( ssl->endpoint == SSL_IS_CLIENT )
2199 ret = ssl_handshake_client( ssl );
2200#endif
2201
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2202#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2203 if( ssl->endpoint == SSL_IS_SERVER )
2204 ret = ssl_handshake_server( ssl );
2205#endif
2206
2207 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
2208
2209 return( ret );
2210}
2211
2212/*
2213 * Receive application data decrypted from the SSL layer
2214 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2215int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2216{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2217 int ret;
2218 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2219
2220 SSL_DEBUG_MSG( 2, ( "=> read" ) );
2221
2222 if( ssl->state != SSL_HANDSHAKE_OVER )
2223 {
2224 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2225 {
2226 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2227 return( ret );
2228 }
2229 }
2230
2231 if( ssl->in_offt == NULL )
2232 {
2233 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2234 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2235 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2236 return( 0 );
2237
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2238 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2239 return( ret );
2240 }
2241
2242 if( ssl->in_msglen == 0 &&
2243 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
2244 {
2245 /*
2246 * OpenSSL sends empty messages to randomize the IV
2247 */
2248 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2249 {
Paul Bakker831a7552011-05-18 13:32:51 +0000[diff] [blame]2250 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
2251 return( 0 );
2252
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2253 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2254 return( ret );
2255 }
2256 }
2257
2258 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2259 {
2260 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2261 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2262 }
2263
2264 ssl->in_offt = ssl->in_msg;
2265 }
2266
2267 n = ( len < ssl->in_msglen )
2268 ? len : ssl->in_msglen;
2269
2270 memcpy( buf, ssl->in_offt, n );
2271 ssl->in_msglen -= n;
2272
2273 if( ssl->in_msglen == 0 )
2274 /* all bytes consumed */
2275 ssl->in_offt = NULL;
2276 else
2277 /* more data available */
2278 ssl->in_offt += n;
2279
2280 SSL_DEBUG_MSG( 2, ( "<= read" ) );
2281
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2282 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2283}
2284
2285/*
2286 * Send application data to be encrypted by the SSL layer
2287 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2288int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2289{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2290 int ret;
2291 size_t n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2292
2293 SSL_DEBUG_MSG( 2, ( "=> write" ) );
2294
2295 if( ssl->state != SSL_HANDSHAKE_OVER )
2296 {
2297 if( ( ret = ssl_handshake( ssl ) ) != 0 )
2298 {
2299 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
2300 return( ret );
2301 }
2302 }
2303
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2304 n = ( len < SSL_MAX_CONTENT_LEN )
2305 ? len : SSL_MAX_CONTENT_LEN;
2306
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2307 if( ssl->out_left != 0 )
2308 {
2309 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2310 {
2311 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2312 return( ret );
2313 }
2314 }
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2315 else
Paul Bakker1fd00bf2011-03-14 20:50:15 +0000[diff] [blame]2316 {
Paul Bakker887bd502011-06-08 13:10:54 +0000[diff] [blame]2317 ssl->out_msglen = n;
2318 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
2319 memcpy( ssl->out_msg, buf, n );
2320
2321 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2322 {
2323 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2324 return( ret );
2325 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2326 }
2327
2328 SSL_DEBUG_MSG( 2, ( "<= write" ) );
2329
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2330 return( (int) n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2331}
2332
2333/*
2334 * Notify the peer that the connection is being closed
2335 */
2336int ssl_close_notify( ssl_context *ssl )
2337{
2338 int ret;
2339
2340 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
2341
2342 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2343 {
2344 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2345 return( ret );
2346 }
2347
2348 if( ssl->state == SSL_HANDSHAKE_OVER )
2349 {
2350 ssl->out_msgtype = SSL_MSG_ALERT;
2351 ssl->out_msglen = 2;
Paul Bakker2e11f7d2010-07-25 14:24:53 +0000[diff] [blame]2352 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2353 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2354
2355 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2356 {
2357 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2358 return( ret );
2359 }
2360 }
2361
2362 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2363
2364 return( ret );
2365}
2366
2367/*
2368 * Free an SSL context
2369 */
2370void ssl_free( ssl_context *ssl )
2371{
2372 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2373
2374 if( ssl->peer_cert != NULL )
2375 {
2376 x509_free( ssl->peer_cert );
2377 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2378 free( ssl->peer_cert );
2379 }
2380
2381 if( ssl->out_ctr != NULL )
2382 {
2383 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2384 free( ssl->out_ctr );
2385 }
2386
2387 if( ssl->in_ctr != NULL )
2388 {
2389 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2390 free( ssl->in_ctr );
2391 }
2392
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2393#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2394 dhm_free( &ssl->dhm_ctx );
2395#endif
2396
2397 if ( ssl->hostname != NULL)
2398 {
2399 memset( ssl->hostname, 0, ssl->hostname_len );
2400 free( ssl->hostname );
2401 ssl->hostname_len = 0;
2402 }
2403
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2404 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2405
Paul Bakker9fa6ea72013-03-11 16:03:35 +0100[diff] [blame]2406 /* Actually clear after last debug message */
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2407 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2408}
2409
2410#endif