PolarSSL v1.2.5
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2012, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #include "polarssl/config.h"
35 
36 #if defined(POLARSSL_SSL_TLS_C)
37 
38 #include "polarssl/aes.h"
39 #include "polarssl/arc4.h"
40 #include "polarssl/camellia.h"
41 #include "polarssl/des.h"
42 #include "polarssl/debug.h"
43 #include "polarssl/ssl.h"
44 #include "polarssl/sha2.h"
45 
46 #if defined(POLARSSL_GCM_C)
47 #include "polarssl/gcm.h"
48 #endif
49 
50 #include <stdlib.h>
51 #include <time.h>
52 
53 #if defined _MSC_VER && !defined strcasecmp
54 #define strcasecmp _stricmp
55 #endif
56 
57 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58 int (*ssl_hw_record_init)(ssl_context *ssl,
59  const unsigned char *key_enc, const unsigned char *key_dec,
60  const unsigned char *iv_enc, const unsigned char *iv_dec,
61  const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
62 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
63 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
64 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
65 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
66 #endif
67 
68 static int ssl_rsa_decrypt( void *ctx, int mode, size_t *olen,
69  const unsigned char *input, unsigned char *output,
70  size_t output_max_len )
71 {
72  return rsa_pkcs1_decrypt( (rsa_context *) ctx, mode, olen, input, output,
73  output_max_len );
74 }
75 
76 static int ssl_rsa_sign( void *ctx,
77  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
78  int mode, int hash_id, unsigned int hashlen,
79  const unsigned char *hash, unsigned char *sig )
80 {
81  return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
82  hashlen, hash, sig );
83 }
84 
85 static size_t ssl_rsa_key_len( void *ctx )
86 {
87  return ( (rsa_context *) ctx )->len;
88 }
89 
90 /*
91  * Key material generation
92  */
93 static int ssl3_prf( unsigned char *secret, size_t slen, char *label,
94  unsigned char *random, size_t rlen,
95  unsigned char *dstbuf, size_t dlen )
96 {
97  size_t i;
100  unsigned char padding[16];
101  unsigned char sha1sum[20];
102  ((void)label);
103 
104  /*
105  * SSLv3:
106  * block =
107  * MD5( secret + SHA1( 'A' + secret + random ) ) +
108  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
109  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
110  * ...
111  */
112  for( i = 0; i < dlen / 16; i++ )
113  {
114  memset( padding, 'A' + i, 1 + i );
115 
116  sha1_starts( &sha1 );
117  sha1_update( &sha1, padding, 1 + i );
118  sha1_update( &sha1, secret, slen );
119  sha1_update( &sha1, random, rlen );
120  sha1_finish( &sha1, sha1sum );
121 
122  md5_starts( &md5 );
123  md5_update( &md5, secret, slen );
124  md5_update( &md5, sha1sum, 20 );
125  md5_finish( &md5, dstbuf + i * 16 );
126  }
127 
128  memset( &md5, 0, sizeof( md5 ) );
129  memset( &sha1, 0, sizeof( sha1 ) );
130 
131  memset( padding, 0, sizeof( padding ) );
132  memset( sha1sum, 0, sizeof( sha1sum ) );
133 
134  return( 0 );
135 }
136 
137 static int tls1_prf( unsigned char *secret, size_t slen, char *label,
138  unsigned char *random, size_t rlen,
139  unsigned char *dstbuf, size_t dlen )
140 {
141  size_t nb, hs;
142  size_t i, j, k;
143  unsigned char *S1, *S2;
144  unsigned char tmp[128];
145  unsigned char h_i[20];
146 
147  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
149 
150  hs = ( slen + 1 ) / 2;
151  S1 = secret;
152  S2 = secret + slen - hs;
153 
154  nb = strlen( label );
155  memcpy( tmp + 20, label, nb );
156  memcpy( tmp + 20 + nb, random, rlen );
157  nb += rlen;
158 
159  /*
160  * First compute P_md5(secret,label+random)[0..dlen]
161  */
162  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
163 
164  for( i = 0; i < dlen; i += 16 )
165  {
166  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
167  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
168 
169  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
170 
171  for( j = 0; j < k; j++ )
172  dstbuf[i + j] = h_i[j];
173  }
174 
175  /*
176  * XOR out with P_sha1(secret,label+random)[0..dlen]
177  */
178  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
179 
180  for( i = 0; i < dlen; i += 20 )
181  {
182  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
183  sha1_hmac( S2, hs, tmp, 20, tmp );
184 
185  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
186 
187  for( j = 0; j < k; j++ )
188  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
189  }
190 
191  memset( tmp, 0, sizeof( tmp ) );
192  memset( h_i, 0, sizeof( h_i ) );
193 
194  return( 0 );
195 }
196 
197 static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
198  unsigned char *random, size_t rlen,
199  unsigned char *dstbuf, size_t dlen )
200 {
201  size_t nb;
202  size_t i, j, k;
203  unsigned char tmp[128];
204  unsigned char h_i[32];
205 
206  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
208 
209  nb = strlen( label );
210  memcpy( tmp + 32, label, nb );
211  memcpy( tmp + 32 + nb, random, rlen );
212  nb += rlen;
213 
214  /*
215  * Compute P_<hash>(secret, label + random)[0..dlen]
216  */
217  sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
218 
219  for( i = 0; i < dlen; i += 32 )
220  {
221  sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
222  sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
223 
224  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
225 
226  for( j = 0; j < k; j++ )
227  dstbuf[i + j] = h_i[j];
228  }
229 
230  memset( tmp, 0, sizeof( tmp ) );
231  memset( h_i, 0, sizeof( h_i ) );
232 
233  return( 0 );
234 }
235 
236 #if defined(POLARSSL_SHA4_C)
237 static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
238  unsigned char *random, size_t rlen,
239  unsigned char *dstbuf, size_t dlen )
240 {
241  size_t nb;
242  size_t i, j, k;
243  unsigned char tmp[128];
244  unsigned char h_i[48];
245 
246  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
248 
249  nb = strlen( label );
250  memcpy( tmp + 48, label, nb );
251  memcpy( tmp + 48 + nb, random, rlen );
252  nb += rlen;
253 
254  /*
255  * Compute P_<hash>(secret, label + random)[0..dlen]
256  */
257  sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
258 
259  for( i = 0; i < dlen; i += 48 )
260  {
261  sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
262  sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
263 
264  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
265 
266  for( j = 0; j < k; j++ )
267  dstbuf[i + j] = h_i[j];
268  }
269 
270  memset( tmp, 0, sizeof( tmp ) );
271  memset( h_i, 0, sizeof( h_i ) );
272 
273  return( 0 );
274 }
275 #endif
276 
277 static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
278 static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
279 static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
280 
281 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
282 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
283 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
284 
285 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
286 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
287 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
288 
289 #if defined(POLARSSL_SHA4_C)
290 static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
291 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
292 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
293 #endif
294 
295 int ssl_derive_keys( ssl_context *ssl )
296 {
297  unsigned char tmp[64];
298  unsigned char keyblk[256];
299  unsigned char *key1;
300  unsigned char *key2;
301  unsigned int iv_copy_len;
302  ssl_session *session = ssl->session_negotiate;
303  ssl_transform *transform = ssl->transform_negotiate;
304  ssl_handshake_params *handshake = ssl->handshake;
305 
306  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
307 
308  /*
309  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
310  */
311  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
312  {
313  handshake->tls_prf = ssl3_prf;
314  handshake->calc_verify = ssl_calc_verify_ssl;
315  handshake->calc_finished = ssl_calc_finished_ssl;
316  }
317  else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
318  {
319  handshake->tls_prf = tls1_prf;
320  handshake->calc_verify = ssl_calc_verify_tls;
321  handshake->calc_finished = ssl_calc_finished_tls;
322  }
323 #if defined(POLARSSL_SHA4_C)
324  else if( session->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
326  {
327  handshake->tls_prf = tls_prf_sha384;
328  handshake->calc_verify = ssl_calc_verify_tls_sha384;
329  handshake->calc_finished = ssl_calc_finished_tls_sha384;
330  }
331 #endif
332  else
333  {
334  handshake->tls_prf = tls_prf_sha256;
335  handshake->calc_verify = ssl_calc_verify_tls_sha256;
336  handshake->calc_finished = ssl_calc_finished_tls_sha256;
337  }
338 
339  /*
340  * SSLv3:
341  * master =
342  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
343  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
344  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
345  *
346  * TLSv1:
347  * master = PRF( premaster, "master secret", randbytes )[0..47]
348  */
349  if( handshake->resume == 0 )
350  {
351  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
352  handshake->pmslen );
353 
354  handshake->tls_prf( handshake->premaster, handshake->pmslen,
355  "master secret",
356  handshake->randbytes, 64, session->master, 48 );
357 
358  memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
359  }
360  else
361  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
362 
363  /*
364  * Swap the client and server random values.
365  */
366  memcpy( tmp, handshake->randbytes, 64 );
367  memcpy( handshake->randbytes, tmp + 32, 32 );
368  memcpy( handshake->randbytes + 32, tmp, 32 );
369  memset( tmp, 0, sizeof( tmp ) );
370 
371  /*
372  * SSLv3:
373  * key block =
374  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
375  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
376  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
377  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
378  * ...
379  *
380  * TLSv1:
381  * key block = PRF( master, "key expansion", randbytes )
382  */
383  handshake->tls_prf( session->master, 48, "key expansion",
384  handshake->randbytes, 64, keyblk, 256 );
385 
386  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
387  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
388  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
389  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
390  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
391 
392  memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
393 
394  /*
395  * Determine the appropriate key, IV and MAC length.
396  */
397  switch( session->ciphersuite )
398  {
399 #if defined(POLARSSL_ARC4_C)
401  transform->keylen = 16; transform->minlen = 16;
402  transform->ivlen = 0; transform->maclen = 16;
403  break;
404 
406  transform->keylen = 16; transform->minlen = 20;
407  transform->ivlen = 0; transform->maclen = 20;
408  break;
409 #endif
410 
411 #if defined(POLARSSL_DES_C)
414  transform->keylen = 24; transform->minlen = 24;
415  transform->ivlen = 8; transform->maclen = 20;
416  break;
417 #endif
418 
419 #if defined(POLARSSL_AES_C)
422  transform->keylen = 16; transform->minlen = 32;
423  transform->ivlen = 16; transform->maclen = 20;
424  break;
425 
428  transform->keylen = 32; transform->minlen = 32;
429  transform->ivlen = 16; transform->maclen = 20;
430  break;
431 
432 #if defined(POLARSSL_SHA2_C)
435  transform->keylen = 16; transform->minlen = 32;
436  transform->ivlen = 16; transform->maclen = 32;
437  break;
438 
441  transform->keylen = 32; transform->minlen = 32;
442  transform->ivlen = 16; transform->maclen = 32;
443  break;
444 #endif
445 #if defined(POLARSSL_GCM_C)
448  transform->keylen = 16; transform->minlen = 1;
449  transform->ivlen = 12; transform->maclen = 0;
450  transform->fixed_ivlen = 4;
451  break;
452 
455  transform->keylen = 32; transform->minlen = 1;
456  transform->ivlen = 12; transform->maclen = 0;
457  transform->fixed_ivlen = 4;
458  break;
459 #endif
460 #endif
461 
462 #if defined(POLARSSL_CAMELLIA_C)
465  transform->keylen = 16; transform->minlen = 32;
466  transform->ivlen = 16; transform->maclen = 20;
467  break;
468 
471  transform->keylen = 32; transform->minlen = 32;
472  transform->ivlen = 16; transform->maclen = 20;
473  break;
474 
475 #if defined(POLARSSL_SHA2_C)
478  transform->keylen = 16; transform->minlen = 32;
479  transform->ivlen = 16; transform->maclen = 32;
480  break;
481 
484  transform->keylen = 32; transform->minlen = 32;
485  transform->ivlen = 16; transform->maclen = 32;
486  break;
487 #endif
488 #endif
489 
490 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
491 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
493  transform->keylen = 0; transform->minlen = 0;
494  transform->ivlen = 0; transform->maclen = 16;
495  break;
496 
498  transform->keylen = 0; transform->minlen = 0;
499  transform->ivlen = 0; transform->maclen = 20;
500  break;
501 
503  transform->keylen = 0; transform->minlen = 0;
504  transform->ivlen = 0; transform->maclen = 32;
505  break;
506 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
507 
508 #if defined(POLARSSL_DES_C)
511  transform->keylen = 8; transform->minlen = 8;
512  transform->ivlen = 8; transform->maclen = 20;
513  break;
514 #endif
515 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
516 
517  default:
518  SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
519  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
521  }
522 
523  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
524  transform->keylen, transform->minlen, transform->ivlen,
525  transform->maclen ) );
526 
527  /*
528  * Finally setup the cipher contexts, IVs and MAC secrets.
529  */
530  if( ssl->endpoint == SSL_IS_CLIENT )
531  {
532  key1 = keyblk + transform->maclen * 2;
533  key2 = keyblk + transform->maclen * 2 + transform->keylen;
534 
535  memcpy( transform->mac_enc, keyblk, transform->maclen );
536  memcpy( transform->mac_dec, keyblk + transform->maclen,
537  transform->maclen );
538 
539  /*
540  * This is not used in TLS v1.1.
541  */
542  iv_copy_len = ( transform->fixed_ivlen ) ?
543  transform->fixed_ivlen : transform->ivlen;
544  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
545  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
546  iv_copy_len );
547  }
548  else
549  {
550  key1 = keyblk + transform->maclen * 2 + transform->keylen;
551  key2 = keyblk + transform->maclen * 2;
552 
553  memcpy( transform->mac_dec, keyblk, transform->maclen );
554  memcpy( transform->mac_enc, keyblk + transform->maclen,
555  transform->maclen );
556 
557  /*
558  * This is not used in TLS v1.1.
559  */
560  iv_copy_len = ( transform->fixed_ivlen ) ?
561  transform->fixed_ivlen : transform->ivlen;
562  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
563  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
564  iv_copy_len );
565  }
566 
567 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
568  if( ssl_hw_record_init != NULL)
569  {
570  int ret = 0;
571 
572  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
573 
574  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->iv_enc,
575  transform->iv_dec, transform->mac_enc,
576  transform->mac_dec ) ) != 0 )
577  {
578  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
580  }
581  }
582 #endif
583 
584  switch( session->ciphersuite )
585  {
586 #if defined(POLARSSL_ARC4_C)
589  arc4_setup( (arc4_context *) transform->ctx_enc, key1,
590  transform->keylen );
591  arc4_setup( (arc4_context *) transform->ctx_dec, key2,
592  transform->keylen );
593  break;
594 #endif
595 
596 #if defined(POLARSSL_DES_C)
599  des3_set3key_enc( (des3_context *) transform->ctx_enc, key1 );
600  des3_set3key_dec( (des3_context *) transform->ctx_dec, key2 );
601  break;
602 #endif
603 
604 #if defined(POLARSSL_AES_C)
609  aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 128 );
610  aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 128 );
611  break;
612 
617  aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 256 );
618  aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 256 );
619  break;
620 
621 #if defined(POLARSSL_GCM_C)
624  gcm_init( (gcm_context *) transform->ctx_enc, key1, 128 );
625  gcm_init( (gcm_context *) transform->ctx_dec, key2, 128 );
626  break;
627 
630  gcm_init( (gcm_context *) transform->ctx_enc, key1, 256 );
631  gcm_init( (gcm_context *) transform->ctx_dec, key2, 256 );
632  break;
633 #endif
634 #endif
635 
636 #if defined(POLARSSL_CAMELLIA_C)
641  camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 128 );
642  camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 128 );
643  break;
644 
649  camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 256 );
650  camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 256 );
651  break;
652 #endif
653 
654 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
655 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
659  break;
660 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
661 
662 #if defined(POLARSSL_DES_C)
665  des_setkey_enc( (des_context *) transform->ctx_enc, key1 );
666  des_setkey_dec( (des_context *) transform->ctx_dec, key2 );
667  break;
668 #endif
669 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
670 
671  default:
673  }
674 
675  memset( keyblk, 0, sizeof( keyblk ) );
676 
677 #if defined(POLARSSL_ZLIB_SUPPORT)
678  // Initialize compression
679  //
680  if( session->compression == SSL_COMPRESS_DEFLATE )
681  {
682  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
683 
684  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
685  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
686 
687  if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
688  inflateInit( &transform->ctx_inflate ) != Z_OK )
689  {
690  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
692  }
693  }
694 #endif /* POLARSSL_ZLIB_SUPPORT */
695 
696  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
697 
698  return( 0 );
699 }
700 
701 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
702 {
705  unsigned char pad_1[48];
706  unsigned char pad_2[48];
707 
708  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
709 
710  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
711  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
712 
713  memset( pad_1, 0x36, 48 );
714  memset( pad_2, 0x5C, 48 );
715 
716  md5_update( &md5, ssl->session_negotiate->master, 48 );
717  md5_update( &md5, pad_1, 48 );
718  md5_finish( &md5, hash );
719 
720  md5_starts( &md5 );
721  md5_update( &md5, ssl->session_negotiate->master, 48 );
722  md5_update( &md5, pad_2, 48 );
723  md5_update( &md5, hash, 16 );
724  md5_finish( &md5, hash );
725 
726  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
727  sha1_update( &sha1, pad_1, 40 );
728  sha1_finish( &sha1, hash + 16 );
729 
730  sha1_starts( &sha1 );
731  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
732  sha1_update( &sha1, pad_2, 40 );
733  sha1_update( &sha1, hash + 16, 20 );
734  sha1_finish( &sha1, hash + 16 );
735 
736  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
737  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
738 
739  return;
740 }
741 
742 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
743 {
746 
747  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
748 
749  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
750  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
751 
752  md5_finish( &md5, hash );
753  sha1_finish( &sha1, hash + 16 );
754 
755  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
756  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
757 
758  return;
759 }
760 
761 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
762 {
764 
765  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
766 
767  memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
768  sha2_finish( &sha2, hash );
769 
770  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
771  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
772 
773  return;
774 }
775 
776 #if defined(POLARSSL_SHA4_C)
777 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
778 {
780 
781  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
782 
783  memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
784  sha4_finish( &sha4, hash );
785 
786  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
787  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
788 
789  return;
790 }
791 #endif
792 
793 /*
794  * SSLv3.0 MAC functions
795  */
796 static void ssl_mac_md5( unsigned char *secret,
797  unsigned char *buf, size_t len,
798  unsigned char *ctr, int type )
799 {
800  unsigned char header[11];
801  unsigned char padding[48];
803 
804  memcpy( header, ctr, 8 );
805  header[ 8] = (unsigned char) type;
806  header[ 9] = (unsigned char)( len >> 8 );
807  header[10] = (unsigned char)( len );
808 
809  memset( padding, 0x36, 48 );
810  md5_starts( &md5 );
811  md5_update( &md5, secret, 16 );
812  md5_update( &md5, padding, 48 );
813  md5_update( &md5, header, 11 );
814  md5_update( &md5, buf, len );
815  md5_finish( &md5, buf + len );
816 
817  memset( padding, 0x5C, 48 );
818  md5_starts( &md5 );
819  md5_update( &md5, secret, 16 );
820  md5_update( &md5, padding, 48 );
821  md5_update( &md5, buf + len, 16 );
822  md5_finish( &md5, buf + len );
823 }
824 
825 static void ssl_mac_sha1( unsigned char *secret,
826  unsigned char *buf, size_t len,
827  unsigned char *ctr, int type )
828 {
829  unsigned char header[11];
830  unsigned char padding[40];
832 
833  memcpy( header, ctr, 8 );
834  header[ 8] = (unsigned char) type;
835  header[ 9] = (unsigned char)( len >> 8 );
836  header[10] = (unsigned char)( len );
837 
838  memset( padding, 0x36, 40 );
839  sha1_starts( &sha1 );
840  sha1_update( &sha1, secret, 20 );
841  sha1_update( &sha1, padding, 40 );
842  sha1_update( &sha1, header, 11 );
843  sha1_update( &sha1, buf, len );
844  sha1_finish( &sha1, buf + len );
845 
846  memset( padding, 0x5C, 40 );
847  sha1_starts( &sha1 );
848  sha1_update( &sha1, secret, 20 );
849  sha1_update( &sha1, padding, 40 );
850  sha1_update( &sha1, buf + len, 20 );
851  sha1_finish( &sha1, buf + len );
852 }
853 
854 static void ssl_mac_sha2( unsigned char *secret,
855  unsigned char *buf, size_t len,
856  unsigned char *ctr, int type )
857 {
858  unsigned char header[11];
859  unsigned char padding[32];
861 
862  memcpy( header, ctr, 8 );
863  header[ 8] = (unsigned char) type;
864  header[ 9] = (unsigned char)( len >> 8 );
865  header[10] = (unsigned char)( len );
866 
867  memset( padding, 0x36, 32 );
868  sha2_starts( &sha2, 0 );
869  sha2_update( &sha2, secret, 32 );
870  sha2_update( &sha2, padding, 32 );
871  sha2_update( &sha2, header, 11 );
872  sha2_update( &sha2, buf, len );
873  sha2_finish( &sha2, buf + len );
874 
875  memset( padding, 0x5C, 32 );
876  sha2_starts( &sha2, 0 );
877  sha2_update( &sha2, secret, 32 );
878  sha2_update( &sha2, padding, 32 );
879  sha2_update( &sha2, buf + len, 32 );
880  sha2_finish( &sha2, buf + len );
881 }
882 
883 /*
884  * Encryption/decryption functions
885  */
886 static int ssl_encrypt_buf( ssl_context *ssl )
887 {
888  size_t i, padlen;
889 
890  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
891 
892  /*
893  * Add MAC then encrypt
894  */
895  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
896  {
897  if( ssl->transform_out->maclen == 16 )
898  ssl_mac_md5( ssl->transform_out->mac_enc,
899  ssl->out_msg, ssl->out_msglen,
900  ssl->out_ctr, ssl->out_msgtype );
901  else if( ssl->transform_out->maclen == 20 )
902  ssl_mac_sha1( ssl->transform_out->mac_enc,
903  ssl->out_msg, ssl->out_msglen,
904  ssl->out_ctr, ssl->out_msgtype );
905  else if( ssl->transform_out->maclen == 32 )
906  ssl_mac_sha2( ssl->transform_out->mac_enc,
907  ssl->out_msg, ssl->out_msglen,
908  ssl->out_ctr, ssl->out_msgtype );
909  else if( ssl->transform_out->maclen != 0 )
910  {
911  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
912  ssl->transform_out->maclen ) );
914  }
915  }
916  else
917  {
918  if( ssl->transform_out->maclen == 16 )
919  {
920  md5_context ctx;
921  md5_hmac_starts( &ctx, ssl->transform_out->mac_enc, 16 );
922  md5_hmac_update( &ctx, ssl->out_ctr, 13 );
923  md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
924  md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
925  memset( &ctx, 0, sizeof(md5_context));
926  }
927  else if( ssl->transform_out->maclen == 20 )
928  {
929  sha1_context ctx;
930  sha1_hmac_starts( &ctx, ssl->transform_out->mac_enc, 20 );
931  sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
932  sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
933  sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
934  memset( &ctx, 0, sizeof(sha1_context));
935  }
936  else if( ssl->transform_out->maclen == 32 )
937  {
938  sha2_context ctx;
939  sha2_hmac_starts( &ctx, ssl->transform_out->mac_enc, 32, 0 );
940  sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
941  sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
942  sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
943  memset( &ctx, 0, sizeof(sha2_context));
944  }
945  else if( ssl->transform_out->maclen != 0 )
946  {
947  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
948  ssl->transform_out->maclen ) );
950  }
951  }
952 
953  SSL_DEBUG_BUF( 4, "computed mac",
954  ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
955 
956  ssl->out_msglen += ssl->transform_out->maclen;
957 
958  if( ssl->transform_out->ivlen == 0 )
959  {
960  padlen = 0;
961 
962  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
963  "including %d bytes of padding",
964  ssl->out_msglen, 0 ) );
965 
966  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
967  ssl->out_msg, ssl->out_msglen );
968 
969 #if defined(POLARSSL_ARC4_C)
972  {
974  ssl->out_msglen, ssl->out_msg,
975  ssl->out_msg );
976  } else
977 #endif
978 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
982  {
983  } else
984 #endif
986  }
987  else if( ssl->transform_out->ivlen == 12 )
988  {
989  size_t enc_msglen;
990  unsigned char *enc_msg;
991  unsigned char add_data[13];
993 
994  padlen = 0;
995  enc_msglen = ssl->out_msglen;
996 
997  memcpy( add_data, ssl->out_ctr, 8 );
998  add_data[8] = ssl->out_msgtype;
999  add_data[9] = ssl->major_ver;
1000  add_data[10] = ssl->minor_ver;
1001  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1002  add_data[12] = ssl->out_msglen & 0xFF;
1003 
1004  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1005  add_data, 13 );
1006 
1007 #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1008 
1013  {
1014  /*
1015  * Generate IV
1016  */
1017  ret = ssl->f_rng( ssl->p_rng,
1019  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1020  if( ret != 0 )
1021  return( ret );
1022 
1023  /*
1024  * Shift message for ivlen bytes and prepend IV
1025  */
1026  memmove( ssl->out_msg + ssl->transform_out->ivlen -
1027  ssl->transform_out->fixed_ivlen,
1028  ssl->out_msg, ssl->out_msglen );
1029  memcpy( ssl->out_msg,
1031  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1032 
1033  /*
1034  * Fix pointer positions and message length with added IV
1035  */
1036  enc_msg = ssl->out_msg + ssl->transform_out->ivlen -
1037  ssl->transform_out->fixed_ivlen;
1038  enc_msglen = ssl->out_msglen;
1039  ssl->out_msglen += ssl->transform_out->ivlen -
1040  ssl->transform_out->fixed_ivlen;
1041 
1042  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1043  "including %d bytes of padding",
1044  ssl->out_msglen, 0 ) );
1045 
1046  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1047  ssl->out_msg, ssl->out_msglen );
1048 
1049  /*
1050  * Adjust for tag
1051  */
1052  ssl->out_msglen += 16;
1053 
1055  GCM_ENCRYPT, enc_msglen,
1056  ssl->transform_out->iv_enc, ssl->transform_out->ivlen,
1057  add_data, 13,
1058  enc_msg, enc_msg,
1059  16, enc_msg + enc_msglen );
1060 
1061  SSL_DEBUG_BUF( 4, "after encrypt: tag",
1062  enc_msg + enc_msglen, 16 );
1063 
1064  } else
1065 #endif
1066  return( ret );
1067  }
1068  else
1069  {
1070  unsigned char *enc_msg;
1071  size_t enc_msglen;
1072 
1073  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1074  ssl->transform_out->ivlen;
1075  if( padlen == ssl->transform_out->ivlen )
1076  padlen = 0;
1077 
1078  for( i = 0; i <= padlen; i++ )
1079  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1080 
1081  ssl->out_msglen += padlen + 1;
1082 
1083  enc_msglen = ssl->out_msglen;
1084  enc_msg = ssl->out_msg;
1085 
1086  /*
1087  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1088  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1089  */
1090  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1091  {
1092  /*
1093  * Generate IV
1094  */
1095  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1096  ssl->transform_out->ivlen );
1097  if( ret != 0 )
1098  return( ret );
1099 
1100  /*
1101  * Shift message for ivlen bytes and prepend IV
1102  */
1103  memmove( ssl->out_msg + ssl->transform_out->ivlen, ssl->out_msg,
1104  ssl->out_msglen );
1105  memcpy( ssl->out_msg, ssl->transform_out->iv_enc,
1106  ssl->transform_out->ivlen );
1107 
1108  /*
1109  * Fix pointer positions and message length with added IV
1110  */
1111  enc_msg = ssl->out_msg + ssl->transform_out->ivlen;
1112  enc_msglen = ssl->out_msglen;
1113  ssl->out_msglen += ssl->transform_out->ivlen;
1114  }
1115 
1116  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1117  "including %d bytes of IV and %d bytes of padding",
1118  ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
1119 
1120  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1121  ssl->out_msg, ssl->out_msglen );
1122 
1123  switch( ssl->transform_out->ivlen )
1124  {
1125 #if defined(POLARSSL_DES_C)
1126  case 8:
1127 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1130  {
1132  DES_ENCRYPT, enc_msglen,
1133  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1134  }
1135  else
1136 #endif
1138  DES_ENCRYPT, enc_msglen,
1139  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1140  break;
1141 #endif
1142 
1143  case 16:
1144 #if defined(POLARSSL_AES_C)
1153  {
1155  AES_ENCRYPT, enc_msglen,
1156  ssl->transform_out->iv_enc, enc_msg, enc_msg);
1157  break;
1158  }
1159 #endif
1160 
1161 #if defined(POLARSSL_CAMELLIA_C)
1170  {
1172  CAMELLIA_ENCRYPT, enc_msglen,
1173  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1174  break;
1175  }
1176 #endif
1177 
1178  default:
1180  }
1181  }
1182 
1183  for( i = 8; i > 0; i-- )
1184  if( ++ssl->out_ctr[i - 1] != 0 )
1185  break;
1186 
1187  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1188 
1189  return( 0 );
1190 }
1191 
1192 /*
1193  * TODO: Use digest version when integrated!
1194  */
1195 #define POLARSSL_SSL_MAX_MAC_SIZE 32
1196 
1197 static int ssl_decrypt_buf( ssl_context *ssl )
1198 {
1199  size_t i, padlen = 0, correct = 1;
1200  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1201 
1202  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1203 
1204  if( ssl->in_msglen < ssl->transform_in->minlen )
1205  {
1206  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1207  ssl->in_msglen, ssl->transform_in->minlen ) );
1208  return( POLARSSL_ERR_SSL_INVALID_MAC );
1209  }
1210 
1211  if( ssl->transform_in->ivlen == 0 )
1212  {
1213 #if defined(POLARSSL_ARC4_C)
1216  {
1218  ssl->in_msglen, ssl->in_msg,
1219  ssl->in_msg );
1220  } else
1221 #endif
1222 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
1226  {
1227  } else
1228 #endif
1230  }
1231  else if( ssl->transform_in->ivlen == 12 )
1232  {
1233  unsigned char *dec_msg;
1234  unsigned char *dec_msg_result;
1235  size_t dec_msglen;
1236  unsigned char add_data[13];
1238 
1239 #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1244  {
1245  dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1246  ssl->transform_in->fixed_ivlen );
1247  dec_msglen -= 16;
1248  dec_msg = ssl->in_msg + ( ssl->transform_in->ivlen -
1249  ssl->transform_in->fixed_ivlen );
1250  dec_msg_result = ssl->in_msg;
1251  ssl->in_msglen = dec_msglen;
1252 
1253  memcpy( add_data, ssl->in_ctr, 8 );
1254  add_data[8] = ssl->in_msgtype;
1255  add_data[9] = ssl->major_ver;
1256  add_data[10] = ssl->minor_ver;
1257  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1258  add_data[12] = ssl->in_msglen & 0xFF;
1259 
1260  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1261  add_data, 13 );
1262 
1263  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1264  ssl->in_msg,
1265  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1266 
1267  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1268  ssl->transform_in->ivlen );
1269  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1270 
1271  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1272  ssl->in_msg,
1273  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1274 
1276  dec_msglen,
1277  ssl->transform_in->iv_dec,
1278  ssl->transform_in->ivlen,
1279  add_data, 13,
1280  dec_msg + dec_msglen, 16,
1281  dec_msg, dec_msg_result );
1282 
1283  if( ret != 0 )
1284  {
1285  SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1286  -ret ) );
1287 
1288  return( POLARSSL_ERR_SSL_INVALID_MAC );
1289  }
1290  } else
1291 #endif
1292  return( ret );
1293  }
1294  else
1295  {
1296  /*
1297  * Decrypt and check the padding
1298  */
1299  unsigned char *dec_msg;
1300  unsigned char *dec_msg_result;
1301  size_t dec_msglen;
1302  size_t minlen = 0, fake_padlen;
1303 
1304  /*
1305  * Check immediate ciphertext sanity
1306  */
1307  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1308  {
1309  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1310  ssl->in_msglen, ssl->transform_in->ivlen ) );
1311  return( POLARSSL_ERR_SSL_INVALID_MAC );
1312  }
1313 
1314  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1315  minlen += ssl->transform_in->ivlen;
1316 
1317  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1318  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1319  {
1320  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1321  ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1322  return( POLARSSL_ERR_SSL_INVALID_MAC );
1323  }
1324 
1325  dec_msglen = ssl->in_msglen;
1326  dec_msg = ssl->in_msg;
1327  dec_msg_result = ssl->in_msg;
1328 
1329  /*
1330  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1331  */
1332  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1333  {
1334  dec_msg += ssl->transform_in->ivlen;
1335  dec_msglen -= ssl->transform_in->ivlen;
1336  ssl->in_msglen -= ssl->transform_in->ivlen;
1337 
1338  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1339  ssl->transform_in->iv_dec[i] = ssl->in_msg[i];
1340  }
1341 
1342  switch( ssl->transform_in->ivlen )
1343  {
1344 #if defined(POLARSSL_DES_C)
1345  case 8:
1346 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1349  {
1351  DES_DECRYPT, dec_msglen,
1352  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1353  }
1354  else
1355 #endif
1357  DES_DECRYPT, dec_msglen,
1358  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1359  break;
1360 #endif
1361 
1362  case 16:
1363 #if defined(POLARSSL_AES_C)
1372  {
1374  AES_DECRYPT, dec_msglen,
1375  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1376  break;
1377  }
1378 #endif
1379 
1380 #if defined(POLARSSL_CAMELLIA_C)
1389  {
1391  CAMELLIA_DECRYPT, dec_msglen,
1392  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1393  break;
1394  }
1395 #endif
1396 
1397  default:
1399  }
1400 
1401  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1402  fake_padlen = 256 - padlen;
1403 
1404  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1405  {
1406 #if defined(POLARSSL_SSL_DEBUG_ALL)
1407  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1408  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1409 #endif
1410  padlen = 0;
1411  fake_padlen = 256;
1412  correct = 0;
1413  }
1414 
1415  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1416  {
1417  if( padlen > ssl->transform_in->ivlen )
1418  {
1419 #if defined(POLARSSL_SSL_DEBUG_ALL)
1420  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1421  "should be no more than %d",
1422  padlen, ssl->transform_in->ivlen ) );
1423 #endif
1424  correct = 0;
1425  }
1426  }
1427  else
1428  {
1429  /*
1430  * TLSv1+: always check the padding up to the first failure
1431  * and fake check up to 256 bytes of padding
1432  */
1433  for( i = 1; i <= padlen; i++ )
1434  {
1435  if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1436  {
1437  correct = 0;
1438  fake_padlen = 256 - i;
1439  padlen = 0;
1440  }
1441  }
1442  for( i = 1; i <= fake_padlen; i++ )
1443  {
1444  if( ssl->in_msg[i + 1] != fake_padlen - 1 )
1445  minlen = 0;
1446  else
1447  minlen = 1;
1448  }
1449 #if defined(POLARSSL_SSL_DEBUG_ALL)
1450  if( padlen > 0 && correct == 0)
1451  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1452 #endif
1453  }
1454  }
1455 
1456  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1457  ssl->in_msg, ssl->in_msglen );
1458 
1459  /*
1460  * Always compute the MAC (RFC4346, CBCTIME).
1461  */
1462  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1463 
1464  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1465  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1466 
1467  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1468 
1469  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1470  {
1471  if( ssl->transform_in->maclen == 16 )
1472  ssl_mac_md5( ssl->transform_in->mac_dec,
1473  ssl->in_msg, ssl->in_msglen,
1474  ssl->in_ctr, ssl->in_msgtype );
1475  else if( ssl->transform_in->maclen == 20 )
1476  ssl_mac_sha1( ssl->transform_in->mac_dec,
1477  ssl->in_msg, ssl->in_msglen,
1478  ssl->in_ctr, ssl->in_msgtype );
1479  else if( ssl->transform_in->maclen == 32 )
1480  ssl_mac_sha2( ssl->transform_in->mac_dec,
1481  ssl->in_msg, ssl->in_msglen,
1482  ssl->in_ctr, ssl->in_msgtype );
1483  else if( ssl->transform_in->maclen != 0 )
1484  {
1485  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1486  ssl->transform_in->maclen ) );
1488  }
1489  }
1490  else
1491  {
1492  /*
1493  * Process MAC and always update for padlen afterwards to make
1494  * total time independent of padlen
1495  */
1496  if( ssl->transform_in->maclen == 16 )
1497  md5_hmac( ssl->transform_in->mac_dec, 16,
1498  ssl->in_ctr, ssl->in_msglen + 13,
1499  ssl->in_msg + ssl->in_msglen );
1500  else if( ssl->transform_in->maclen == 20 )
1501  sha1_hmac( ssl->transform_in->mac_dec, 20,
1502  ssl->in_ctr, ssl->in_msglen + 13,
1503  ssl->in_msg + ssl->in_msglen );
1504  else if( ssl->transform_in->maclen == 32 )
1505  sha2_hmac( ssl->transform_in->mac_dec, 32,
1506  ssl->in_ctr, ssl->in_msglen + 13,
1507  ssl->in_msg + ssl->in_msglen, 0 );
1508  else if( ssl->transform_in->maclen != 0 )
1509  {
1510  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1511  ssl->transform_in->maclen ) );
1513  }
1514  }
1515 
1516  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1517  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1518  ssl->transform_in->maclen );
1519 
1520  if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1521  ssl->transform_in->maclen ) != 0 )
1522  {
1523  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1524  correct = 0;
1525  }
1526 
1527  /*
1528  * Finally check the correct flag
1529  */
1530  if( correct == 0 )
1531  return( POLARSSL_ERR_SSL_INVALID_MAC );
1532 
1533  if( ssl->in_msglen == 0 )
1534  {
1535  ssl->nb_zero++;
1536 
1537  /*
1538  * Three or more empty messages may be a DoS attack
1539  * (excessive CPU consumption).
1540  */
1541  if( ssl->nb_zero > 3 )
1542  {
1543  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1544  "messages, possible DoS attack" ) );
1545  return( POLARSSL_ERR_SSL_INVALID_MAC );
1546  }
1547  }
1548  else
1549  ssl->nb_zero = 0;
1550 
1551  for( i = 8; i > 0; i-- )
1552  if( ++ssl->in_ctr[i - 1] != 0 )
1553  break;
1554 
1555  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1556 
1557  return( 0 );
1558 }
1559 
1560 #if defined(POLARSSL_ZLIB_SUPPORT)
1561 /*
1562  * Compression/decompression functions
1563  */
1564 static int ssl_compress_buf( ssl_context *ssl )
1565 {
1566  int ret;
1567  unsigned char *msg_post = ssl->out_msg;
1568  size_t len_pre = ssl->out_msglen;
1569  unsigned char *msg_pre;
1570 
1571  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1572 
1573  msg_pre = (unsigned char*) malloc( len_pre );
1574  if( msg_pre == NULL )
1575  {
1576  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1578  }
1579 
1580  memcpy( msg_pre, ssl->out_msg, len_pre );
1581 
1582  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1583  ssl->out_msglen ) );
1584 
1585  SSL_DEBUG_BUF( 4, "before compression: output payload",
1586  ssl->out_msg, ssl->out_msglen );
1587 
1588  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1589  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1590  ssl->transform_out->ctx_deflate.next_out = msg_post;
1591  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1592 
1593  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1594  if( ret != Z_OK )
1595  {
1596  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1598  }
1599 
1600  ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
1601 
1602  free( msg_pre );
1603 
1604  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1605  ssl->out_msglen ) );
1606 
1607  SSL_DEBUG_BUF( 4, "after compression: output payload",
1608  ssl->out_msg, ssl->out_msglen );
1609 
1610  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1611 
1612  return( 0 );
1613 }
1614 
1615 static int ssl_decompress_buf( ssl_context *ssl )
1616 {
1617  int ret;
1618  unsigned char *msg_post = ssl->in_msg;
1619  size_t len_pre = ssl->in_msglen;
1620  unsigned char *msg_pre;
1621 
1622  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1623 
1624  msg_pre = (unsigned char*) malloc( len_pre );
1625  if( msg_pre == NULL )
1626  {
1627  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1629  }
1630 
1631  memcpy( msg_pre, ssl->in_msg, len_pre );
1632 
1633  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1634  ssl->in_msglen ) );
1635 
1636  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1637  ssl->in_msg, ssl->in_msglen );
1638 
1639  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1640  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1641  ssl->transform_in->ctx_inflate.next_out = msg_post;
1642  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1643 
1644  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1645  if( ret != Z_OK )
1646  {
1647  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1649  }
1650 
1651  ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
1652 
1653  free( msg_pre );
1654 
1655  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1656  ssl->in_msglen ) );
1657 
1658  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1659  ssl->in_msg, ssl->in_msglen );
1660 
1661  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1662 
1663  return( 0 );
1664 }
1665 #endif /* POLARSSL_ZLIB_SUPPORT */
1666 
1667 /*
1668  * Fill the input message buffer
1669  */
1670 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1671 {
1672  int ret;
1673  size_t len;
1674 
1675  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1676 
1677  while( ssl->in_left < nb_want )
1678  {
1679  len = nb_want - ssl->in_left;
1680  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1681 
1682  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1683  ssl->in_left, nb_want ) );
1684  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1685 
1686  if( ret == 0 )
1687  return( POLARSSL_ERR_SSL_CONN_EOF );
1688 
1689  if( ret < 0 )
1690  return( ret );
1691 
1692  ssl->in_left += ret;
1693  }
1694 
1695  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1696 
1697  return( 0 );
1698 }
1699 
1700 /*
1701  * Flush any data not yet written
1702  */
1703 int ssl_flush_output( ssl_context *ssl )
1704 {
1705  int ret;
1706  unsigned char *buf;
1707 
1708  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1709 
1710  while( ssl->out_left > 0 )
1711  {
1712  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1713  5 + ssl->out_msglen, ssl->out_left ) );
1714 
1715  if( ssl->out_msglen < ssl->out_left )
1716  {
1717  size_t header_left = ssl->out_left - ssl->out_msglen;
1718 
1719  buf = ssl->out_hdr + 5 - header_left;
1720  ret = ssl->f_send( ssl->p_send, buf, header_left );
1721 
1722  SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1723 
1724  if( ret <= 0 )
1725  return( ret );
1726 
1727  ssl->out_left -= ret;
1728  }
1729 
1730  buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
1731  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1732 
1733  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1734 
1735  if( ret <= 0 )
1736  return( ret );
1737 
1738  ssl->out_left -= ret;
1739  }
1740 
1741  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1742 
1743  return( 0 );
1744 }
1745 
1746 /*
1747  * Record layer functions
1748  */
1749 int ssl_write_record( ssl_context *ssl )
1750 {
1751  int ret, done = 0;
1752  size_t len = ssl->out_msglen;
1753 
1754  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1755 
1756  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1757  {
1758  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1759  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1760  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1761 
1762  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1763  }
1764 
1765 #if defined(POLARSSL_ZLIB_SUPPORT)
1766  if( ssl->transform_out != NULL &&
1768  {
1769  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1770  {
1771  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1772  return( ret );
1773  }
1774 
1775  len = ssl->out_msglen;
1776  }
1777 #endif /*POLARSSL_ZLIB_SUPPORT */
1778 
1779 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1780  if( ssl_hw_record_write != NULL)
1781  {
1782  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1783 
1784  ret = ssl_hw_record_write( ssl );
1785  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1786  {
1787  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1789  }
1790  done = 1;
1791  }
1792 #endif
1793  if( !done )
1794  {
1795  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1796  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1797  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1798  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1799  ssl->out_hdr[4] = (unsigned char)( len );
1800 
1801  if( ssl->transform_out != NULL )
1802  {
1803  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1804  {
1805  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1806  return( ret );
1807  }
1808 
1809  len = ssl->out_msglen;
1810  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1811  ssl->out_hdr[4] = (unsigned char)( len );
1812  }
1813 
1814  ssl->out_left = 5 + ssl->out_msglen;
1815 
1816  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1817  "version = [%d:%d], msglen = %d",
1818  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1819  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1820 
1821  SSL_DEBUG_BUF( 4, "output record header sent to network",
1822  ssl->out_hdr, 5 );
1823  SSL_DEBUG_BUF( 4, "output record sent to network",
1824  ssl->out_hdr + 32, ssl->out_msglen );
1825  }
1826 
1827  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1828  {
1829  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1830  return( ret );
1831  }
1832 
1833  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1834 
1835  return( 0 );
1836 }
1837 
1838 int ssl_read_record( ssl_context *ssl )
1839 {
1840  int ret, done = 0;
1841 
1842  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1843 
1844  if( ssl->in_hslen != 0 &&
1845  ssl->in_hslen < ssl->in_msglen )
1846  {
1847  /*
1848  * Get next Handshake message in the current record
1849  */
1850  ssl->in_msglen -= ssl->in_hslen;
1851 
1852  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
1853  ssl->in_msglen );
1854 
1855  ssl->in_hslen = 4;
1856  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1857 
1858  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1859  " %d, type = %d, hslen = %d",
1860  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1861 
1862  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1863  {
1864  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1866  }
1867 
1868  if( ssl->in_msglen < ssl->in_hslen )
1869  {
1870  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1872  }
1873 
1874  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
1875 
1876  return( 0 );
1877  }
1878 
1879  ssl->in_hslen = 0;
1880 
1881  /*
1882  * Read the record header and validate it
1883  */
1884  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1885  {
1886  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1887  return( ret );
1888  }
1889 
1890  ssl->in_msgtype = ssl->in_hdr[0];
1891  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1892 
1893  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1894  "version = [%d:%d], msglen = %d",
1895  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1896  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1897 
1898  if( ssl->in_hdr[1] != ssl->major_ver )
1899  {
1900  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
1902  }
1903 
1904  if( ssl->in_hdr[2] > ssl->max_minor_ver )
1905  {
1906  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
1908  }
1909 
1910  /*
1911  * Make sure the message length is acceptable
1912  */
1913  if( ssl->transform_in == NULL )
1914  {
1915  if( ssl->in_msglen < 1 ||
1917  {
1918  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1920  }
1921  }
1922  else
1923  {
1924  if( ssl->in_msglen < ssl->transform_in->minlen )
1925  {
1926  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1928  }
1929 
1930  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1932  {
1933  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1935  }
1936 
1937  /*
1938  * TLS encrypted messages can have up to 256 bytes of padding
1939  */
1940  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
1941  ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
1942  {
1943  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1945  }
1946  }
1947 
1948  /*
1949  * Read and optionally decrypt the message contents
1950  */
1951  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1952  {
1953  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1954  return( ret );
1955  }
1956 
1957  SSL_DEBUG_BUF( 4, "input record from network",
1958  ssl->in_hdr, 5 + ssl->in_msglen );
1959 
1960 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1961  if( ssl_hw_record_read != NULL)
1962  {
1963  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1964 
1965  ret = ssl_hw_record_read( ssl );
1966  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1967  {
1968  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1970  }
1971  done = 1;
1972  }
1973 #endif
1974  if( !done && ssl->transform_in != NULL )
1975  {
1976  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1977  {
1978 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
1979  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
1980  {
1984  }
1985 #endif
1986  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1987  return( ret );
1988  }
1989 
1990  SSL_DEBUG_BUF( 4, "input payload after decrypt",
1991  ssl->in_msg, ssl->in_msglen );
1992 
1993  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1994  {
1995  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1997  }
1998  }
1999 
2000 #if defined(POLARSSL_ZLIB_SUPPORT)
2001  if( ssl->transform_in != NULL &&
2003  {
2004  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2005  {
2006  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2007  return( ret );
2008  }
2009 
2010  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2011  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2012  }
2013 #endif /* POLARSSL_ZLIB_SUPPORT */
2014 
2015  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2016  ssl->in_msgtype != SSL_MSG_ALERT &&
2019  {
2020  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2021 
2022  if( ( ret = ssl_send_alert_message( ssl,
2025  {
2026  return( ret );
2027  }
2028 
2030  }
2031 
2032  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2033  {
2034  ssl->in_hslen = 4;
2035  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2036 
2037  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2038  " %d, type = %d, hslen = %d",
2039  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2040 
2041  /*
2042  * Additional checks to validate the handshake header
2043  */
2044  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2045  {
2046  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2048  }
2049 
2050  if( ssl->in_msglen < ssl->in_hslen )
2051  {
2052  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2054  }
2055 
2056  if( ssl->state != SSL_HANDSHAKE_OVER )
2057  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2058  }
2059 
2060  if( ssl->in_msgtype == SSL_MSG_ALERT )
2061  {
2062  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2063  ssl->in_msg[0], ssl->in_msg[1] ) );
2064 
2065  /*
2066  * Ignore non-fatal alerts, except close_notify
2067  */
2068  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2069  {
2070  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2071  ssl->in_msg[1] ) );
2077  }
2078 
2079  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2080  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2081  {
2082  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2084  }
2085  }
2086 
2087  ssl->in_left = 0;
2088 
2089  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2090 
2091  return( 0 );
2092 }
2093 
2095 {
2096  int ret;
2097 
2098  if( ( ret = ssl_send_alert_message( ssl,
2101  {
2102  return( ret );
2103  }
2104 
2105  return( 0 );
2106 }
2107 
2109  unsigned char level,
2110  unsigned char message )
2111 {
2112  int ret;
2113 
2114  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2115 
2116  ssl->out_msgtype = SSL_MSG_ALERT;
2117  ssl->out_msglen = 2;
2118  ssl->out_msg[0] = level;
2119  ssl->out_msg[1] = message;
2120 
2121  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2122  {
2123  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2124  return( ret );
2125  }
2126 
2127  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2128 
2129  return( 0 );
2130 }
2131 
2132 /*
2133  * Handshake functions
2134  */
2136 {
2137  int ret;
2138  size_t i, n;
2139  const x509_cert *crt;
2140 
2141  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2142 
2143  if( ssl->endpoint == SSL_IS_CLIENT )
2144  {
2145  if( ssl->client_auth == 0 )
2146  {
2147  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2148  ssl->state++;
2149  return( 0 );
2150  }
2151 
2152  /*
2153  * If using SSLv3 and got no cert, send an Alert message
2154  * (otherwise an empty Certificate message will be sent).
2155  */
2156  if( ssl->own_cert == NULL &&
2157  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2158  {
2159  ssl->out_msglen = 2;
2160  ssl->out_msgtype = SSL_MSG_ALERT;
2161  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2162  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2163 
2164  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2165  goto write_msg;
2166  }
2167  }
2168  else /* SSL_IS_SERVER */
2169  {
2170  if( ssl->own_cert == NULL )
2171  {
2172  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2174  }
2175  }
2176 
2177  SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
2178 
2179  /*
2180  * 0 . 0 handshake type
2181  * 1 . 3 handshake length
2182  * 4 . 6 length of all certs
2183  * 7 . 9 length of cert. 1
2184  * 10 . n-1 peer certificate
2185  * n . n+2 length of cert. 2
2186  * n+3 . ... upper level cert, etc.
2187  */
2188  i = 7;
2189  crt = ssl->own_cert;
2190 
2191  while( crt != NULL )
2192  {
2193  n = crt->raw.len;
2194  if( i + 3 + n > SSL_MAX_CONTENT_LEN )
2195  {
2196  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2197  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2199  }
2200 
2201  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2202  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2203  ssl->out_msg[i + 2] = (unsigned char)( n );
2204 
2205  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2206  i += n; crt = crt->next;
2207  }
2208 
2209  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2210  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2211  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2212 
2213  ssl->out_msglen = i;
2215  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2216 
2217 write_msg:
2218 
2219  ssl->state++;
2220 
2221  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2222  {
2223  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2224  return( ret );
2225  }
2226 
2227  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2228 
2229  return( 0 );
2230 }
2231 
2233 {
2234  int ret;
2235  size_t i, n;
2236 
2237  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2238 
2239  if( ssl->endpoint == SSL_IS_SERVER &&
2240  ssl->authmode == SSL_VERIFY_NONE )
2241  {
2243  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2244  ssl->state++;
2245  return( 0 );
2246  }
2247 
2248  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2249  {
2250  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2251  return( ret );
2252  }
2253 
2254  ssl->state++;
2255 
2256  /*
2257  * Check if the client sent an empty certificate
2258  */
2259  if( ssl->endpoint == SSL_IS_SERVER &&
2260  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2261  {
2262  if( ssl->in_msglen == 2 &&
2263  ssl->in_msgtype == SSL_MSG_ALERT &&
2264  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2265  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2266  {
2267  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2268 
2270  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2271  return( 0 );
2272  else
2274  }
2275  }
2276 
2277  if( ssl->endpoint == SSL_IS_SERVER &&
2278  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2279  {
2280  if( ssl->in_hslen == 7 &&
2281  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2282  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2283  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2284  {
2285  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2286 
2288  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2290  else
2291  return( 0 );
2292  }
2293  }
2294 
2295  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2296  {
2297  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2299  }
2300 
2301  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2302  {
2303  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2305  }
2306 
2307  /*
2308  * Same message structure as in ssl_write_certificate()
2309  */
2310  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2311 
2312  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2313  {
2314  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2316  }
2317 
2318  if( ( ssl->session_negotiate->peer_cert = (x509_cert *) malloc(
2319  sizeof( x509_cert ) ) ) == NULL )
2320  {
2321  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2322  sizeof( x509_cert ) ) );
2324  }
2325 
2326  memset( ssl->session_negotiate->peer_cert, 0, sizeof( x509_cert ) );
2327 
2328  i = 7;
2329 
2330  while( i < ssl->in_hslen )
2331  {
2332  if( ssl->in_msg[i] != 0 )
2333  {
2334  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2336  }
2337 
2338  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2339  | (unsigned int) ssl->in_msg[i + 2];
2340  i += 3;
2341 
2342  if( n < 128 || i + n > ssl->in_hslen )
2343  {
2344  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2346  }
2347 
2348  ret = x509parse_crt( ssl->session_negotiate->peer_cert, ssl->in_msg + i,
2349  n );
2350  if( ret != 0 )
2351  {
2352  SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2353  return( ret );
2354  }
2355 
2356  i += n;
2357  }
2358 
2359  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2360 
2361  if( ssl->authmode != SSL_VERIFY_NONE )
2362  {
2363  if( ssl->ca_chain == NULL )
2364  {
2365  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2367  }
2368 
2370  ssl->ca_chain, ssl->ca_crl,
2371  ssl->peer_cn, &ssl->verify_result,
2372  ssl->f_vrfy, ssl->p_vrfy );
2373 
2374  if( ret != 0 )
2375  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2376 
2377  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2378  ret = 0;
2379  }
2380 
2381  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2382 
2383  return( ret );
2384 }
2385 
2387 {
2388  int ret;
2389 
2390  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2391 
2393  ssl->out_msglen = 1;
2394  ssl->out_msg[0] = 1;
2395 
2396  ssl->state++;
2397 
2398  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2399  {
2400  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2401  return( ret );
2402  }
2403 
2404  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2405 
2406  return( 0 );
2407 }
2408 
2410 {
2411  int ret;
2412 
2413  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2414 
2415  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2416  {
2417  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2418  return( ret );
2419  }
2420 
2422  {
2423  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2425  }
2426 
2427  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2428  {
2429  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2431  }
2432 
2433  ssl->state++;
2434 
2435  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2436 
2437  return( 0 );
2438 }
2439 
2440 void ssl_optimize_checksum( ssl_context *ssl, int ciphersuite )
2441 {
2442 #if !defined(POLARSSL_SHA4_C)
2443  ((void) ciphersuite);
2444 #endif
2445 
2446  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2447  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2448 #if defined(POLARSSL_SHA4_C)
2449  else if ( ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
2450  ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
2451  {
2452  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2453  }
2454 #endif
2455  else
2456  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2457 }
2458 
2459 static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2460  size_t len )
2461 {
2462  md5_update( &ssl->handshake->fin_md5 , buf, len );
2463  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2464  sha2_update( &ssl->handshake->fin_sha2, buf, len );
2465 #if defined(POLARSSL_SHA4_C)
2466  sha4_update( &ssl->handshake->fin_sha4, buf, len );
2467 #endif
2468 }
2469 
2470 static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2471  size_t len )
2472 {
2473  md5_update( &ssl->handshake->fin_md5 , buf, len );
2474  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2475 }
2476 
2477 static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2478  size_t len )
2479 {
2480  sha2_update( &ssl->handshake->fin_sha2, buf, len );
2481 }
2482 
2483 #if defined(POLARSSL_SHA4_C)
2484 static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2485  size_t len )
2486 {
2487  sha4_update( &ssl->handshake->fin_sha4, buf, len );
2488 }
2489 #endif
2490 
2491 static void ssl_calc_finished_ssl(
2492  ssl_context *ssl, unsigned char *buf, int from )
2493 {
2494  char *sender;
2495  md5_context md5;
2497 
2498  unsigned char padbuf[48];
2499  unsigned char md5sum[16];
2500  unsigned char sha1sum[20];
2501 
2502  ssl_session *session = ssl->session_negotiate;
2503  if( !session )
2504  session = ssl->session;
2505 
2506  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2507 
2508  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2509  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2510 
2511  /*
2512  * SSLv3:
2513  * hash =
2514  * MD5( master + pad2 +
2515  * MD5( handshake + sender + master + pad1 ) )
2516  * + SHA1( master + pad2 +
2517  * SHA1( handshake + sender + master + pad1 ) )
2518  */
2519 
2520  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2521  md5.state, sizeof( md5.state ) );
2522 
2523  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2524  sha1.state, sizeof( sha1.state ) );
2525 
2526  sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2527  : (char *) "SRVR";
2528 
2529  memset( padbuf, 0x36, 48 );
2530 
2531  md5_update( &md5, (unsigned char *) sender, 4 );
2532  md5_update( &md5, session->master, 48 );
2533  md5_update( &md5, padbuf, 48 );
2534  md5_finish( &md5, md5sum );
2535 
2536  sha1_update( &sha1, (unsigned char *) sender, 4 );
2537  sha1_update( &sha1, session->master, 48 );
2538  sha1_update( &sha1, padbuf, 40 );
2539  sha1_finish( &sha1, sha1sum );
2540 
2541  memset( padbuf, 0x5C, 48 );
2542 
2543  md5_starts( &md5 );
2544  md5_update( &md5, session->master, 48 );
2545  md5_update( &md5, padbuf, 48 );
2546  md5_update( &md5, md5sum, 16 );
2547  md5_finish( &md5, buf );
2548 
2549  sha1_starts( &sha1 );
2550  sha1_update( &sha1, session->master, 48 );
2551  sha1_update( &sha1, padbuf , 40 );
2552  sha1_update( &sha1, sha1sum, 20 );
2553  sha1_finish( &sha1, buf + 16 );
2554 
2555  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2556 
2557  memset( &md5, 0, sizeof( md5_context ) );
2558  memset( &sha1, 0, sizeof( sha1_context ) );
2559 
2560  memset( padbuf, 0, sizeof( padbuf ) );
2561  memset( md5sum, 0, sizeof( md5sum ) );
2562  memset( sha1sum, 0, sizeof( sha1sum ) );
2563 
2564  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2565 }
2566 
2567 static void ssl_calc_finished_tls(
2568  ssl_context *ssl, unsigned char *buf, int from )
2569 {
2570  int len = 12;
2571  char *sender;
2572  md5_context md5;
2574  unsigned char padbuf[36];
2575 
2576  ssl_session *session = ssl->session_negotiate;
2577  if( !session )
2578  session = ssl->session;
2579 
2580  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2581 
2582  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2583  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2584 
2585  /*
2586  * TLSv1:
2587  * hash = PRF( master, finished_label,
2588  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2589  */
2590 
2591  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2592  md5.state, sizeof( md5.state ) );
2593 
2594  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2595  sha1.state, sizeof( sha1.state ) );
2596 
2597  sender = ( from == SSL_IS_CLIENT )
2598  ? (char *) "client finished"
2599  : (char *) "server finished";
2600 
2601  md5_finish( &md5, padbuf );
2602  sha1_finish( &sha1, padbuf + 16 );
2603 
2604  ssl->handshake->tls_prf( session->master, 48, sender,
2605  padbuf, 36, buf, len );
2606 
2607  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2608 
2609  memset( &md5, 0, sizeof( md5_context ) );
2610  memset( &sha1, 0, sizeof( sha1_context ) );
2611 
2612  memset( padbuf, 0, sizeof( padbuf ) );
2613 
2614  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2615 }
2616 
2617 static void ssl_calc_finished_tls_sha256(
2618  ssl_context *ssl, unsigned char *buf, int from )
2619 {
2620  int len = 12;
2621  char *sender;
2623  unsigned char padbuf[32];
2624 
2625  ssl_session *session = ssl->session_negotiate;
2626  if( !session )
2627  session = ssl->session;
2628 
2629  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2630 
2631  memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
2632 
2633  /*
2634  * TLSv1.2:
2635  * hash = PRF( master, finished_label,
2636  * Hash( handshake ) )[0.11]
2637  */
2638 
2639  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2640  sha2.state, sizeof( sha2.state ) );
2641 
2642  sender = ( from == SSL_IS_CLIENT )
2643  ? (char *) "client finished"
2644  : (char *) "server finished";
2645 
2646  sha2_finish( &sha2, padbuf );
2647 
2648  ssl->handshake->tls_prf( session->master, 48, sender,
2649  padbuf, 32, buf, len );
2650 
2651  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2652 
2653  memset( &sha2, 0, sizeof( sha2_context ) );
2654 
2655  memset( padbuf, 0, sizeof( padbuf ) );
2656 
2657  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2658 }
2659 
2660 #if defined(POLARSSL_SHA4_C)
2661 static void ssl_calc_finished_tls_sha384(
2662  ssl_context *ssl, unsigned char *buf, int from )
2663 {
2664  int len = 12;
2665  char *sender;
2667  unsigned char padbuf[48];
2668 
2669  ssl_session *session = ssl->session_negotiate;
2670  if( !session )
2671  session = ssl->session;
2672 
2673  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
2674 
2675  memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
2676 
2677  /*
2678  * TLSv1.2:
2679  * hash = PRF( master, finished_label,
2680  * Hash( handshake ) )[0.11]
2681  */
2682 
2683  SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2684  sha4.state, sizeof( sha4.state ) );
2685 
2686  sender = ( from == SSL_IS_CLIENT )
2687  ? (char *) "client finished"
2688  : (char *) "server finished";
2689 
2690  sha4_finish( &sha4, padbuf );
2691 
2692  ssl->handshake->tls_prf( session->master, 48, sender,
2693  padbuf, 48, buf, len );
2694 
2695  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2696 
2697  memset( &sha4, 0, sizeof( sha4_context ) );
2698 
2699  memset( padbuf, 0, sizeof( padbuf ) );
2700 
2701  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2702 }
2703 #endif
2704 
2705 void ssl_handshake_wrapup( ssl_context *ssl )
2706 {
2707  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
2708 
2709  /*
2710  * Free our handshake params
2711  */
2712  ssl_handshake_free( ssl->handshake );
2713  free( ssl->handshake );
2714  ssl->handshake = NULL;
2715 
2716  /*
2717  * Switch in our now active transform context
2718  */
2719  if( ssl->transform )
2720  {
2721  ssl_transform_free( ssl->transform );
2722  free( ssl->transform );
2723  }
2724  ssl->transform = ssl->transform_negotiate;
2725  ssl->transform_negotiate = NULL;
2726 
2727  if( ssl->session )
2728  {
2729  ssl_session_free( ssl->session );
2730  free( ssl->session );
2731  }
2732  ssl->session = ssl->session_negotiate;
2733  ssl->session_negotiate = NULL;
2734 
2735  /*
2736  * Add cache entry
2737  */
2738  if( ssl->f_set_cache != NULL )
2739  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
2740  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
2741 
2742  ssl->state++;
2743 
2744  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
2745 }
2746 
2747 int ssl_write_finished( ssl_context *ssl )
2748 {
2749  int ret, hash_len;
2750 
2751  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2752 
2753  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2754 
2755  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2756  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2757 
2758  ssl->verify_data_len = hash_len;
2759  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
2760 
2761  ssl->out_msglen = 4 + hash_len;
2763  ssl->out_msg[0] = SSL_HS_FINISHED;
2764 
2765  /*
2766  * In case of session resuming, invert the client and server
2767  * ChangeCipherSpec messages order.
2768  */
2769  if( ssl->handshake->resume != 0 )
2770  {
2771  if( ssl->endpoint == SSL_IS_CLIENT )
2772  ssl->state = SSL_HANDSHAKE_WRAPUP;
2773  else
2775  }
2776  else
2777  ssl->state++;
2778 
2779  /*
2780  * Switch to our negotiated transform and session parameters for outbound data.
2781  */
2782  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
2783  ssl->transform_out = ssl->transform_negotiate;
2784  ssl->session_out = ssl->session_negotiate;
2785  memset( ssl->out_ctr, 0, 8 );
2786 
2787  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2788  {
2789  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2790  return( ret );
2791  }
2792 
2793  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2794 
2795  return( 0 );
2796 }
2797 
2798 int ssl_parse_finished( ssl_context *ssl )
2799 {
2800  int ret;
2801  unsigned int hash_len;
2802  unsigned char buf[36];
2803 
2804  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2805 
2806  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
2807 
2808  /*
2809  * Switch to our negotiated transform and session parameters for inbound data.
2810  */
2811  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
2812  ssl->transform_in = ssl->transform_negotiate;
2813  ssl->session_in = ssl->session_negotiate;
2814  memset( ssl->in_ctr, 0, 8 );
2815 
2816  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2817  {
2818  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2819  return( ret );
2820  }
2821 
2822  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2823  {
2824  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2826  }
2827 
2828  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2829  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2830 
2831  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2832  ssl->in_hslen != 4 + hash_len )
2833  {
2834  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2836  }
2837 
2838  if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2839  {
2840  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2842  }
2843 
2844  ssl->verify_data_len = hash_len;
2845  memcpy( ssl->peer_verify_data, buf, hash_len );
2846 
2847  if( ssl->handshake->resume != 0 )
2848  {
2849  if( ssl->endpoint == SSL_IS_CLIENT )
2851 
2852  if( ssl->endpoint == SSL_IS_SERVER )
2853  ssl->state = SSL_HANDSHAKE_WRAPUP;
2854  }
2855  else
2856  ssl->state++;
2857 
2858  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2859 
2860  return( 0 );
2861 }
2862 
2863 int ssl_handshake_init( ssl_context *ssl )
2864 {
2865  if( ssl->transform_negotiate )
2867  else
2868  ssl->transform_negotiate = malloc( sizeof(ssl_transform) );
2869 
2870  if( ssl->session_negotiate )
2872  else
2873  ssl->session_negotiate = malloc( sizeof(ssl_session) );
2874 
2875  if( ssl->handshake )
2876  ssl_handshake_free( ssl->handshake );
2877  else
2878  ssl->handshake = malloc( sizeof(ssl_handshake_params) );
2879 
2880  if( ssl->handshake == NULL ||
2881  ssl->transform_negotiate == NULL ||
2882  ssl->session_negotiate == NULL )
2883  {
2884  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
2886  }
2887 
2888  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
2889  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
2890  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
2891 
2892  md5_starts( &ssl->handshake->fin_md5 );
2893  sha1_starts( &ssl->handshake->fin_sha1 );
2894  sha2_starts( &ssl->handshake->fin_sha2, 0 );
2895 #if defined(POLARSSL_SHA4_C)
2896  sha4_starts( &ssl->handshake->fin_sha4, 1 );
2897 #endif
2898 
2899  ssl->handshake->update_checksum = ssl_update_checksum_start;
2901 
2902  return( 0 );
2903 }
2904 
2905 /*
2906  * Initialize an SSL context
2907  */
2908 int ssl_init( ssl_context *ssl )
2909 {
2910  int ret;
2911  int len = SSL_BUFFER_LEN;
2912 
2913  memset( ssl, 0, sizeof( ssl_context ) );
2914 
2915  /*
2916  * Sane defaults
2917  */
2918  ssl->rsa_decrypt = ssl_rsa_decrypt;
2919  ssl->rsa_sign = ssl_rsa_sign;
2920  ssl->rsa_key_len = ssl_rsa_key_len;
2921 
2924 
2926 
2927 #if defined(POLARSSL_DHM_C)
2928  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
2930  ( ret = mpi_read_string( &ssl->dhm_G, 16,
2932  {
2933  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2934  return( ret );
2935  }
2936 #endif
2937 
2938  /*
2939  * Prepare base structures
2940  */
2941  ssl->in_ctr = (unsigned char *) malloc( len );
2942  ssl->in_hdr = ssl->in_ctr + 8;
2943  ssl->in_msg = ssl->in_ctr + 13;
2944 
2945  if( ssl->in_ctr == NULL )
2946  {
2947  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2949  }
2950 
2951  ssl->out_ctr = (unsigned char *) malloc( len );
2952  ssl->out_hdr = ssl->out_ctr + 8;
2953  ssl->out_msg = ssl->out_ctr + 40;
2954 
2955  if( ssl->out_ctr == NULL )
2956  {
2957  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2958  free( ssl-> in_ctr );
2960  }
2961 
2962  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2963  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2964 
2965  ssl->hostname = NULL;
2966  ssl->hostname_len = 0;
2967 
2968  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
2969  return( ret );
2970 
2971  return( 0 );
2972 }
2973 
2974 /*
2975  * Reset an initialized and used SSL context for re-use while retaining
2976  * all application-set variables, function pointers and data.
2977  */
2978 int ssl_session_reset( ssl_context *ssl )
2979 {
2980  int ret;
2981 
2982  ssl->state = SSL_HELLO_REQUEST;
2985 
2986  ssl->verify_data_len = 0;
2987  memset( ssl->own_verify_data, 0, 36 );
2988  memset( ssl->peer_verify_data, 0, 36 );
2989 
2990  ssl->in_offt = NULL;
2991 
2992  ssl->in_msgtype = 0;
2993  ssl->in_msglen = 0;
2994  ssl->in_left = 0;
2995 
2996  ssl->in_hslen = 0;
2997  ssl->nb_zero = 0;
2998 
2999  ssl->out_msgtype = 0;
3000  ssl->out_msglen = 0;
3001  ssl->out_left = 0;
3002 
3003  ssl->transform_in = NULL;
3004  ssl->transform_out = NULL;
3005 
3006  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3007  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3008 
3009 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3010  if( ssl_hw_record_reset != NULL)
3011  {
3012  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3013  if( ssl_hw_record_reset( ssl ) != 0 )
3014  {
3015  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3017  }
3018  }
3019 #endif
3020 
3021  if( ssl->transform )
3022  {
3023  ssl_transform_free( ssl->transform );
3024  free( ssl->transform );
3025  ssl->transform = NULL;
3026  }
3027 
3028  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3029  return( ret );
3030 
3031  return( 0 );
3032 }
3033 
3034 /*
3035  * SSL set accessors
3036  */
3037 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3038 {
3039  ssl->endpoint = endpoint;
3040 }
3041 
3042 void ssl_set_authmode( ssl_context *ssl, int authmode )
3043 {
3044  ssl->authmode = authmode;
3045 }
3046 
3047 void ssl_set_verify( ssl_context *ssl,
3048  int (*f_vrfy)(void *, x509_cert *, int, int *),
3049  void *p_vrfy )
3050 {
3051  ssl->f_vrfy = f_vrfy;
3052  ssl->p_vrfy = p_vrfy;
3053 }
3054 
3055 void ssl_set_rng( ssl_context *ssl,
3056  int (*f_rng)(void *, unsigned char *, size_t),
3057  void *p_rng )
3058 {
3059  ssl->f_rng = f_rng;
3060  ssl->p_rng = p_rng;
3061 }
3062 
3063 void ssl_set_dbg( ssl_context *ssl,
3064  void (*f_dbg)(void *, int, const char *),
3065  void *p_dbg )
3066 {
3067  ssl->f_dbg = f_dbg;
3068  ssl->p_dbg = p_dbg;
3069 }
3070 
3071 void ssl_set_bio( ssl_context *ssl,
3072  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3073  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3074 {
3075  ssl->f_recv = f_recv;
3076  ssl->f_send = f_send;
3077  ssl->p_recv = p_recv;
3078  ssl->p_send = p_send;
3079 }
3080 
3082  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3083  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3084 {
3085  ssl->f_get_cache = f_get_cache;
3086  ssl->p_get_cache = p_get_cache;
3087  ssl->f_set_cache = f_set_cache;
3088  ssl->p_set_cache = p_set_cache;
3089 }
3090 
3091 void ssl_set_session( ssl_context *ssl, const ssl_session *session )
3092 {
3093  memcpy( ssl->session_negotiate, session, sizeof(ssl_session) );
3094  ssl->handshake->resume = 1;
3095 }
3096 
3097 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3098 {
3099  ssl->ciphersuites = ciphersuites;
3100 }
3101 
3102 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
3103  x509_crl *ca_crl, const char *peer_cn )
3104 {
3105  ssl->ca_chain = ca_chain;
3106  ssl->ca_crl = ca_crl;
3107  ssl->peer_cn = peer_cn;
3108 }
3109 
3110 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
3111  rsa_context *rsa_key )
3112 {
3113  ssl->own_cert = own_cert;
3114  ssl->rsa_key = rsa_key;
3115 }
3116 
3117 void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
3118  void *rsa_key,
3119  rsa_decrypt_func rsa_decrypt,
3120  rsa_sign_func rsa_sign,
3121  rsa_key_len_func rsa_key_len )
3122 {
3123  ssl->own_cert = own_cert;
3124  ssl->rsa_key = rsa_key;
3125  ssl->rsa_decrypt = rsa_decrypt;
3126  ssl->rsa_sign = rsa_sign;
3127  ssl->rsa_key_len = rsa_key_len;
3128 }
3129 
3130 
3131 #if defined(POLARSSL_DHM_C)
3132 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3133 {
3134  int ret;
3135 
3136  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3137  {
3138  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3139  return( ret );
3140  }
3141 
3142  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3143  {
3144  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3145  return( ret );
3146  }
3147 
3148  return( 0 );
3149 }
3150 
3151 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3152 {
3153  int ret;
3154 
3155  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3156  {
3157  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3158  return( ret );
3159  }
3160 
3161  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3162  {
3163  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3164  return( ret );
3165  }
3166 
3167  return( 0 );
3168 }
3169 #endif /* POLARSSL_DHM_C */
3170 
3171 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3172 {
3173  if( hostname == NULL )
3175 
3176  ssl->hostname_len = strlen( hostname );
3177  ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
3178 
3179  if( ssl->hostname == NULL )
3181 
3182  memcpy( ssl->hostname, (unsigned char *) hostname,
3183  ssl->hostname_len );
3184 
3185  ssl->hostname[ssl->hostname_len] = '\0';
3186 
3187  return( 0 );
3188 }
3189 
3190 void ssl_set_sni( ssl_context *ssl,
3191  int (*f_sni)(void *, ssl_context *,
3192  const unsigned char *, size_t),
3193  void *p_sni )
3194 {
3195  ssl->f_sni = f_sni;
3196  ssl->p_sni = p_sni;
3197 }
3198 
3199 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3200 {
3201  ssl->max_major_ver = major;
3202  ssl->max_minor_ver = minor;
3203 }
3204 
3205 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3206 {
3207  ssl->min_major_ver = major;
3208  ssl->min_minor_ver = minor;
3209 }
3210 
3211 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3212 {
3213  ssl->disable_renegotiation = renegotiation;
3214 }
3215 
3216 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3217 {
3218  ssl->allow_legacy_renegotiation = allow_legacy;
3219 }
3220 
3221 /*
3222  * SSL get accessors
3223  */
3224 size_t ssl_get_bytes_avail( const ssl_context *ssl )
3225 {
3226  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3227 }
3228 
3229 int ssl_get_verify_result( const ssl_context *ssl )
3230 {
3231  return( ssl->verify_result );
3232 }
3233 
3234 const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
3235 {
3236  switch( ciphersuite_id )
3237  {
3238 #if defined(POLARSSL_ARC4_C)
3240  return( "TLS-RSA-WITH-RC4-128-MD5" );
3241 
3243  return( "TLS-RSA-WITH-RC4-128-SHA" );
3244 #endif
3245 
3246 #if defined(POLARSSL_DES_C)
3248  return( "TLS-RSA-WITH-3DES-EDE-CBC-SHA" );
3249 
3251  return( "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA" );
3252 #endif
3253 
3254 #if defined(POLARSSL_AES_C)
3256  return( "TLS-RSA-WITH-AES-128-CBC-SHA" );
3257 
3259  return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA" );
3260 
3262  return( "TLS-RSA-WITH-AES-256-CBC-SHA" );
3263 
3265  return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA" );
3266 
3267 #if defined(POLARSSL_SHA2_C)
3269  return( "TLS-RSA-WITH-AES-128-CBC-SHA256" );
3270 
3272  return( "TLS-RSA-WITH-AES-256-CBC-SHA256" );
3273 
3275  return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256" );
3276 
3278  return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" );
3279 #endif
3280 
3281 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3283  return( "TLS-RSA-WITH-AES-128-GCM-SHA256" );
3284 
3286  return( "TLS-RSA-WITH-AES-256-GCM-SHA384" );
3287 #endif
3288 
3289 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3291  return( "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" );
3292 
3294  return( "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" );
3295 #endif
3296 #endif /* POLARSSL_AES_C */
3297 
3298 #if defined(POLARSSL_CAMELLIA_C)
3300  return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" );
3301 
3303  return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA" );
3304 
3306  return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA" );
3307 
3309  return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA" );
3310 
3311 #if defined(POLARSSL_SHA2_C)
3313  return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
3314 
3316  return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
3317 
3319  return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
3320 
3322  return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
3323 #endif
3324 #endif
3325 
3326 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3327 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
3328  case TLS_RSA_WITH_NULL_MD5:
3329  return( "TLS-RSA-WITH-NULL-MD5" );
3330  case TLS_RSA_WITH_NULL_SHA:
3331  return( "TLS-RSA-WITH-NULL-SHA" );
3333  return( "TLS-RSA-WITH-NULL-SHA256" );
3334 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3335 
3336 #if defined(POLARSSL_DES_C)
3338  return( "TLS-RSA-WITH-DES-CBC-SHA" );
3340  return( "TLS-DHE-RSA-WITH-DES-CBC-SHA" );
3341 #endif
3342 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3343 
3344  default:
3345  break;
3346  }
3347 
3348  return( "unknown" );
3349 }
3350 
3351 int ssl_get_ciphersuite_id( const char *ciphersuite_name )
3352 {
3353 #if defined(POLARSSL_ARC4_C)
3354  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-MD5"))
3355  return( TLS_RSA_WITH_RC4_128_MD5 );
3356  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-SHA"))
3357  return( TLS_RSA_WITH_RC4_128_SHA );
3358 #endif
3359 
3360 #if defined(POLARSSL_DES_C)
3361  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-3DES-EDE-CBC-SHA"))
3363  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"))
3365 #endif
3366 
3367 #if defined(POLARSSL_AES_C)
3368  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA"))
3369  return( TLS_RSA_WITH_AES_128_CBC_SHA );
3370  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"))
3372  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA"))
3373  return( TLS_RSA_WITH_AES_256_CBC_SHA );
3374  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"))
3376 
3377 #if defined(POLARSSL_SHA2_C)
3378  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA256"))
3380  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA256"))
3382  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"))
3384  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"))
3386 #endif
3387 
3388 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3389  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-GCM-SHA256"))
3391  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-GCM-SHA384"))
3393 #endif
3394 
3395 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3396  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"))
3398  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"))
3400 #endif
3401 #endif
3402 
3403 #if defined(POLARSSL_CAMELLIA_C)
3404  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"))
3406  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"))
3408  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"))
3410  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"))
3412 
3413 #if defined(POLARSSL_SHA2_C)
3414  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
3416  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
3418  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
3420  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
3422 #endif
3423 #endif
3424 
3425 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3426 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
3427  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-MD5"))
3428  return( TLS_RSA_WITH_NULL_MD5 );
3429  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA"))
3430  return( TLS_RSA_WITH_NULL_SHA );
3431  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA256"))
3432  return( TLS_RSA_WITH_NULL_SHA256 );
3433 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3434 
3435 #if defined(POLARSSL_DES_C)
3436  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-DES-CBC-SHA"))
3437  return( TLS_RSA_WITH_DES_CBC_SHA );
3438  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-DES-CBC-SHA"))
3439  return( TLS_DHE_RSA_WITH_DES_CBC_SHA );
3440 #endif
3441 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3442 
3443  return( 0 );
3444 }
3445 
3446 const char *ssl_get_ciphersuite( const ssl_context *ssl )
3447 {
3449 }
3450 
3451 const char *ssl_get_version( const ssl_context *ssl )
3452 {
3453  switch( ssl->minor_ver )
3454  {
3455  case SSL_MINOR_VERSION_0:
3456  return( "SSLv3.0" );
3457 
3458  case SSL_MINOR_VERSION_1:
3459  return( "TLSv1.0" );
3460 
3461  case SSL_MINOR_VERSION_2:
3462  return( "TLSv1.1" );
3463 
3464  case SSL_MINOR_VERSION_3:
3465  return( "TLSv1.2" );
3466 
3467  default:
3468  break;
3469  }
3470  return( "unknown" );
3471 }
3472 
3473 const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
3474 {
3475  if( ssl == NULL || ssl->session == NULL )
3476  return NULL;
3477 
3478  return ssl->session->peer_cert;
3479 }
3480 
3481 const int ssl_default_ciphersuites[] =
3482 {
3483 #if defined(POLARSSL_DHM_C)
3484 #if defined(POLARSSL_AES_C)
3485 #if defined(POLARSSL_SHA2_C)
3487 #endif /* POLARSSL_SHA2_C */
3488 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3490 #endif
3492 #if defined(POLARSSL_SHA2_C)
3494 #endif
3495 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3497 #endif
3499 #endif
3500 #if defined(POLARSSL_CAMELLIA_C)
3501 #if defined(POLARSSL_SHA2_C)
3503 #endif /* POLARSSL_SHA2_C */
3505 #if defined(POLARSSL_SHA2_C)
3507 #endif /* POLARSSL_SHA2_C */
3509 #endif
3510 #if defined(POLARSSL_DES_C)
3512 #endif
3513 #endif
3514 
3515 #if defined(POLARSSL_AES_C)
3516 #if defined(POLARSSL_SHA2_C)
3518 #endif /* POLARSSL_SHA2_C */
3519 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3521 #endif /* POLARSSL_SHA2_C */
3523 #endif
3524 #if defined(POLARSSL_CAMELLIA_C)
3525 #if defined(POLARSSL_SHA2_C)
3527 #endif /* POLARSSL_SHA2_C */
3529 #endif
3530 #if defined(POLARSSL_AES_C)
3531 #if defined(POLARSSL_SHA2_C)
3533 #endif /* POLARSSL_SHA2_C */
3534 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3536 #endif /* POLARSSL_SHA2_C */
3538 #endif
3539 #if defined(POLARSSL_CAMELLIA_C)
3540 #if defined(POLARSSL_SHA2_C)
3542 #endif /* POLARSSL_SHA2_C */
3544 #endif
3545 #if defined(POLARSSL_DES_C)
3547 #endif
3548 #if defined(POLARSSL_ARC4_C)
3551 #endif
3552  0
3553 };
3554 
3555 /*
3556  * Perform a single step of the SSL handshake
3557  */
3558 int ssl_handshake_step( ssl_context *ssl )
3559 {
3561 
3562 #if defined(POLARSSL_SSL_CLI_C)
3563  if( ssl->endpoint == SSL_IS_CLIENT )
3564  ret = ssl_handshake_client_step( ssl );
3565 #endif
3566 
3567 #if defined(POLARSSL_SSL_SRV_C)
3568  if( ssl->endpoint == SSL_IS_SERVER )
3569  ret = ssl_handshake_server_step( ssl );
3570 #endif
3571 
3572  return( ret );
3573 }
3574 
3575 /*
3576  * Perform the SSL handshake
3577  */
3578 int ssl_handshake( ssl_context *ssl )
3579 {
3580  int ret = 0;
3581 
3582  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3583 
3584  while( ssl->state != SSL_HANDSHAKE_OVER )
3585  {
3586  ret = ssl_handshake_step( ssl );
3587 
3588  if( ret != 0 )
3589  break;
3590  }
3591 
3592  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3593 
3594  return( ret );
3595 }
3596 
3597 /*
3598  * Renegotiate current connection
3599  */
3600 int ssl_renegotiate( ssl_context *ssl )
3601 {
3602  int ret;
3603 
3604  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
3605 
3606  if( ssl->state != SSL_HANDSHAKE_OVER )
3608 
3609  ssl->state = SSL_HELLO_REQUEST;
3611 
3612  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3613  return( ret );
3614 
3615  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3616  {
3617  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3618  return( ret );
3619  }
3620 
3621  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
3622 
3623  return( 0 );
3624 }
3625 
3626 /*
3627  * Receive application data decrypted from the SSL layer
3628  */
3629 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
3630 {
3631  int ret;
3632  size_t n;
3633 
3634  SSL_DEBUG_MSG( 2, ( "=> read" ) );
3635 
3636  if( ssl->state != SSL_HANDSHAKE_OVER )
3637  {
3638  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3639  {
3640  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3641  return( ret );
3642  }
3643  }
3644 
3645  if( ssl->in_offt == NULL )
3646  {
3647  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3648  {
3649  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3650  return( 0 );
3651 
3652  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3653  return( ret );
3654  }
3655 
3656  if( ssl->in_msglen == 0 &&
3658  {
3659  /*
3660  * OpenSSL sends empty messages to randomize the IV
3661  */
3662  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3663  {
3664  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3665  return( 0 );
3666 
3667  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3668  return( ret );
3669  }
3670  }
3671 
3672  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
3673  {
3674  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
3675 
3676  if( ssl->endpoint == SSL_IS_CLIENT &&
3677  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
3678  ssl->in_hslen != 4 ) )
3679  {
3680  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
3682  }
3683 
3687  {
3688  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
3689 
3690  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
3691  {
3692  /*
3693  * SSLv3 does not have a "no_renegotiation" alert
3694  */
3695  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
3696  return( ret );
3697  }
3698  else
3699  {
3700  if( ( ret = ssl_send_alert_message( ssl,
3703  {
3704  return( ret );
3705  }
3706  }
3707  }
3708  else
3709  {
3710  if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
3711  {
3712  SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
3713  return( ret );
3714  }
3715 
3716  return( POLARSSL_ERR_NET_WANT_READ );
3717  }
3718  }
3719  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3720  {
3721  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
3723  }
3724 
3725  ssl->in_offt = ssl->in_msg;
3726  }
3727 
3728  n = ( len < ssl->in_msglen )
3729  ? len : ssl->in_msglen;
3730 
3731  memcpy( buf, ssl->in_offt, n );
3732  ssl->in_msglen -= n;
3733 
3734  if( ssl->in_msglen == 0 )
3735  /* all bytes consumed */
3736  ssl->in_offt = NULL;
3737  else
3738  /* more data available */
3739  ssl->in_offt += n;
3740 
3741  SSL_DEBUG_MSG( 2, ( "<= read" ) );
3742 
3743  return( (int) n );
3744 }
3745 
3746 /*
3747  * Send application data to be encrypted by the SSL layer
3748  */
3749 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
3750 {
3751  int ret;
3752  size_t n;
3753 
3754  SSL_DEBUG_MSG( 2, ( "=> write" ) );
3755 
3756  if( ssl->state != SSL_HANDSHAKE_OVER )
3757  {
3758  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3759  {
3760  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3761  return( ret );
3762  }
3763  }
3764 
3765  n = ( len < SSL_MAX_CONTENT_LEN )
3766  ? len : SSL_MAX_CONTENT_LEN;
3767 
3768  if( ssl->out_left != 0 )
3769  {
3770  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3771  {
3772  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3773  return( ret );
3774  }
3775  }
3776  else
3777  {
3778  ssl->out_msglen = n;
3780  memcpy( ssl->out_msg, buf, n );
3781 
3782  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3783  {
3784  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3785  return( ret );
3786  }
3787  }
3788 
3789  SSL_DEBUG_MSG( 2, ( "<= write" ) );
3790 
3791  return( (int) n );
3792 }
3793 
3794 /*
3795  * Notify the peer that the connection is being closed
3796  */
3797 int ssl_close_notify( ssl_context *ssl )
3798 {
3799  int ret;
3800 
3801  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3802 
3803  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3804  {
3805  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3806  return( ret );
3807  }
3808 
3809  if( ssl->state == SSL_HANDSHAKE_OVER )
3810  {
3811  if( ( ret = ssl_send_alert_message( ssl,
3813  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
3814  {
3815  return( ret );
3816  }
3817  }
3818 
3819  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3820 
3821  return( ret );
3822 }
3823 
3824 void ssl_transform_free( ssl_transform *transform )
3825 {
3826 #if defined(POLARSSL_ZLIB_SUPPORT)
3827  deflateEnd( &transform->ctx_deflate );
3828  inflateEnd( &transform->ctx_inflate );
3829 #endif
3830 
3831  memset( transform, 0, sizeof( ssl_transform ) );
3832 }
3833 
3834 void ssl_handshake_free( ssl_handshake_params *handshake )
3835 {
3836 #if defined(POLARSSL_DHM_C)
3837  dhm_free( &handshake->dhm_ctx );
3838 #endif
3839  memset( handshake, 0, sizeof( ssl_handshake_params ) );
3840 }
3841 
3842 void ssl_session_free( ssl_session *session )
3843 {
3844  if( session->peer_cert != NULL )
3845  {
3846  x509_free( session->peer_cert );
3847  free( session->peer_cert );
3848  }
3849 
3850  memset( session, 0, sizeof( ssl_session ) );
3851 }
3852 
3853 /*
3854  * Free an SSL context
3855  */
3856 void ssl_free( ssl_context *ssl )
3857 {
3858  SSL_DEBUG_MSG( 2, ( "=> free" ) );
3859 
3860  if( ssl->out_ctr != NULL )
3861  {
3862  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3863  free( ssl->out_ctr );
3864  }
3865 
3866  if( ssl->in_ctr != NULL )
3867  {
3868  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3869  free( ssl->in_ctr );
3870  }
3871 
3872 #if defined(POLARSSL_DHM_C)
3873  mpi_free( &ssl->dhm_P );
3874  mpi_free( &ssl->dhm_G );
3875 #endif
3876 
3877  if( ssl->transform )
3878  {
3879  ssl_transform_free( ssl->transform );
3880  free( ssl->transform );
3881  }
3882 
3883  if( ssl->handshake )
3884  {
3885  ssl_handshake_free( ssl->handshake );
3888 
3889  free( ssl->handshake );
3890  free( ssl->transform_negotiate );
3891  free( ssl->session_negotiate );
3892  }
3893 
3894  if ( ssl->hostname != NULL)
3895  {
3896  memset( ssl->hostname, 0, ssl->hostname_len );
3897  free( ssl->hostname );
3898  ssl->hostname_len = 0;
3899  }
3900 
3901 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3902  if( ssl_hw_record_finish != NULL )
3903  {
3904  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3905  ssl_hw_record_finish( ssl );
3906  }
3907 #endif
3908 
3909  SSL_DEBUG_MSG( 2, ( "<= free" ) );
3910 
3911  /* Actually free after last debug message */
3912  memset( ssl, 0, sizeof( ssl_context ) );
3913 }
3914 
3915 #endif