PolarSSL v1.2.8
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2012, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #include "polarssl/config.h"
35 
36 #if defined(POLARSSL_SSL_TLS_C)
37 
38 #include "polarssl/aes.h"
39 #include "polarssl/arc4.h"
40 #include "polarssl/camellia.h"
41 #include "polarssl/des.h"
42 #include "polarssl/debug.h"
43 #include "polarssl/ssl.h"
44 #include "polarssl/sha2.h"
45 
46 #if defined(POLARSSL_GCM_C)
47 #include "polarssl/gcm.h"
48 #endif
49 
50 #include <stdlib.h>
51 #include <time.h>
52 
53 #if defined _MSC_VER && !defined strcasecmp
54 #define strcasecmp _stricmp
55 #endif
56 
57 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58 int (*ssl_hw_record_init)(ssl_context *ssl,
59  const unsigned char *key_enc, const unsigned char *key_dec,
60  const unsigned char *iv_enc, const unsigned char *iv_dec,
61  const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
62 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
63 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
64 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
65 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
66 #endif
67 
68 static int ssl_rsa_decrypt( void *ctx, int mode, size_t *olen,
69  const unsigned char *input, unsigned char *output,
70  size_t output_max_len )
71 {
72  return rsa_pkcs1_decrypt( (rsa_context *) ctx, mode, olen, input, output,
73  output_max_len );
74 }
75 
76 static int ssl_rsa_sign( void *ctx,
77  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
78  int mode, int hash_id, unsigned int hashlen,
79  const unsigned char *hash, unsigned char *sig )
80 {
81  return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
82  hashlen, hash, sig );
83 }
84 
85 static size_t ssl_rsa_key_len( void *ctx )
86 {
87  return ( (rsa_context *) ctx )->len;
88 }
89 
90 /*
91  * Key material generation
92  */
93 static int ssl3_prf( unsigned char *secret, size_t slen, char *label,
94  unsigned char *random, size_t rlen,
95  unsigned char *dstbuf, size_t dlen )
96 {
97  size_t i;
100  unsigned char padding[16];
101  unsigned char sha1sum[20];
102  ((void)label);
103 
104  /*
105  * SSLv3:
106  * block =
107  * MD5( secret + SHA1( 'A' + secret + random ) ) +
108  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
109  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
110  * ...
111  */
112  for( i = 0; i < dlen / 16; i++ )
113  {
114  memset( padding, 'A' + i, 1 + i );
115 
116  sha1_starts( &sha1 );
117  sha1_update( &sha1, padding, 1 + i );
118  sha1_update( &sha1, secret, slen );
119  sha1_update( &sha1, random, rlen );
120  sha1_finish( &sha1, sha1sum );
121 
122  md5_starts( &md5 );
123  md5_update( &md5, secret, slen );
124  md5_update( &md5, sha1sum, 20 );
125  md5_finish( &md5, dstbuf + i * 16 );
126  }
127 
128  memset( &md5, 0, sizeof( md5 ) );
129  memset( &sha1, 0, sizeof( sha1 ) );
130 
131  memset( padding, 0, sizeof( padding ) );
132  memset( sha1sum, 0, sizeof( sha1sum ) );
133 
134  return( 0 );
135 }
136 
137 static int tls1_prf( unsigned char *secret, size_t slen, char *label,
138  unsigned char *random, size_t rlen,
139  unsigned char *dstbuf, size_t dlen )
140 {
141  size_t nb, hs;
142  size_t i, j, k;
143  unsigned char *S1, *S2;
144  unsigned char tmp[128];
145  unsigned char h_i[20];
146 
147  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
149 
150  hs = ( slen + 1 ) / 2;
151  S1 = secret;
152  S2 = secret + slen - hs;
153 
154  nb = strlen( label );
155  memcpy( tmp + 20, label, nb );
156  memcpy( tmp + 20 + nb, random, rlen );
157  nb += rlen;
158 
159  /*
160  * First compute P_md5(secret,label+random)[0..dlen]
161  */
162  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
163 
164  for( i = 0; i < dlen; i += 16 )
165  {
166  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
167  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
168 
169  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
170 
171  for( j = 0; j < k; j++ )
172  dstbuf[i + j] = h_i[j];
173  }
174 
175  /*
176  * XOR out with P_sha1(secret,label+random)[0..dlen]
177  */
178  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
179 
180  for( i = 0; i < dlen; i += 20 )
181  {
182  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
183  sha1_hmac( S2, hs, tmp, 20, tmp );
184 
185  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
186 
187  for( j = 0; j < k; j++ )
188  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
189  }
190 
191  memset( tmp, 0, sizeof( tmp ) );
192  memset( h_i, 0, sizeof( h_i ) );
193 
194  return( 0 );
195 }
196 
197 static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
198  unsigned char *random, size_t rlen,
199  unsigned char *dstbuf, size_t dlen )
200 {
201  size_t nb;
202  size_t i, j, k;
203  unsigned char tmp[128];
204  unsigned char h_i[32];
205 
206  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
208 
209  nb = strlen( label );
210  memcpy( tmp + 32, label, nb );
211  memcpy( tmp + 32 + nb, random, rlen );
212  nb += rlen;
213 
214  /*
215  * Compute P_<hash>(secret, label + random)[0..dlen]
216  */
217  sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
218 
219  for( i = 0; i < dlen; i += 32 )
220  {
221  sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
222  sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
223 
224  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
225 
226  for( j = 0; j < k; j++ )
227  dstbuf[i + j] = h_i[j];
228  }
229 
230  memset( tmp, 0, sizeof( tmp ) );
231  memset( h_i, 0, sizeof( h_i ) );
232 
233  return( 0 );
234 }
235 
236 #if defined(POLARSSL_SHA4_C)
237 static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
238  unsigned char *random, size_t rlen,
239  unsigned char *dstbuf, size_t dlen )
240 {
241  size_t nb;
242  size_t i, j, k;
243  unsigned char tmp[128];
244  unsigned char h_i[48];
245 
246  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
248 
249  nb = strlen( label );
250  memcpy( tmp + 48, label, nb );
251  memcpy( tmp + 48 + nb, random, rlen );
252  nb += rlen;
253 
254  /*
255  * Compute P_<hash>(secret, label + random)[0..dlen]
256  */
257  sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
258 
259  for( i = 0; i < dlen; i += 48 )
260  {
261  sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
262  sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
263 
264  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
265 
266  for( j = 0; j < k; j++ )
267  dstbuf[i + j] = h_i[j];
268  }
269 
270  memset( tmp, 0, sizeof( tmp ) );
271  memset( h_i, 0, sizeof( h_i ) );
272 
273  return( 0 );
274 }
275 #endif
276 
277 static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
278 static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
279 static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
280 
281 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
282 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
283 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
284 
285 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
286 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
287 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
288 
289 #if defined(POLARSSL_SHA4_C)
290 static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
291 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
292 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
293 #endif
294 
295 int ssl_derive_keys( ssl_context *ssl )
296 {
297  unsigned char tmp[64];
298  unsigned char keyblk[256];
299  unsigned char *key1;
300  unsigned char *key2;
301  unsigned int iv_copy_len;
302  ssl_session *session = ssl->session_negotiate;
303  ssl_transform *transform = ssl->transform_negotiate;
304  ssl_handshake_params *handshake = ssl->handshake;
305 
306  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
307 
308  /*
309  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
310  */
311  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
312  {
313  handshake->tls_prf = ssl3_prf;
314  handshake->calc_verify = ssl_calc_verify_ssl;
315  handshake->calc_finished = ssl_calc_finished_ssl;
316  }
317  else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
318  {
319  handshake->tls_prf = tls1_prf;
320  handshake->calc_verify = ssl_calc_verify_tls;
321  handshake->calc_finished = ssl_calc_finished_tls;
322  }
323 #if defined(POLARSSL_SHA4_C)
324  else if( session->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
326  {
327  handshake->tls_prf = tls_prf_sha384;
328  handshake->calc_verify = ssl_calc_verify_tls_sha384;
329  handshake->calc_finished = ssl_calc_finished_tls_sha384;
330  }
331 #endif
332  else
333  {
334  handshake->tls_prf = tls_prf_sha256;
335  handshake->calc_verify = ssl_calc_verify_tls_sha256;
336  handshake->calc_finished = ssl_calc_finished_tls_sha256;
337  }
338 
339  /*
340  * SSLv3:
341  * master =
342  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
343  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
344  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
345  *
346  * TLSv1:
347  * master = PRF( premaster, "master secret", randbytes )[0..47]
348  */
349  if( handshake->resume == 0 )
350  {
351  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
352  handshake->pmslen );
353 
354  handshake->tls_prf( handshake->premaster, handshake->pmslen,
355  "master secret",
356  handshake->randbytes, 64, session->master, 48 );
357 
358  memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
359  }
360  else
361  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
362 
363  /*
364  * Swap the client and server random values.
365  */
366  memcpy( tmp, handshake->randbytes, 64 );
367  memcpy( handshake->randbytes, tmp + 32, 32 );
368  memcpy( handshake->randbytes + 32, tmp, 32 );
369  memset( tmp, 0, sizeof( tmp ) );
370 
371  /*
372  * SSLv3:
373  * key block =
374  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
375  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
376  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
377  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
378  * ...
379  *
380  * TLSv1:
381  * key block = PRF( master, "key expansion", randbytes )
382  */
383  handshake->tls_prf( session->master, 48, "key expansion",
384  handshake->randbytes, 64, keyblk, 256 );
385 
386  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
387  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
388  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
389  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
390  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
391 
392  memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
393 
394  /*
395  * Determine the appropriate key, IV and MAC length.
396  */
397  switch( session->ciphersuite )
398  {
399 #if defined(POLARSSL_ARC4_C)
401  transform->keylen = 16; transform->minlen = 16;
402  transform->ivlen = 0; transform->maclen = 16;
403  break;
404 
406  transform->keylen = 16; transform->minlen = 20;
407  transform->ivlen = 0; transform->maclen = 20;
408  break;
409 #endif
410 
411 #if defined(POLARSSL_DES_C)
414  transform->keylen = 24; transform->minlen = 24;
415  transform->ivlen = 8; transform->maclen = 20;
416  break;
417 #endif
418 
419 #if defined(POLARSSL_AES_C)
422  transform->keylen = 16; transform->minlen = 32;
423  transform->ivlen = 16; transform->maclen = 20;
424  break;
425 
428  transform->keylen = 32; transform->minlen = 32;
429  transform->ivlen = 16; transform->maclen = 20;
430  break;
431 
432 #if defined(POLARSSL_SHA2_C)
435  transform->keylen = 16; transform->minlen = 32;
436  transform->ivlen = 16; transform->maclen = 32;
437  break;
438 
441  transform->keylen = 32; transform->minlen = 32;
442  transform->ivlen = 16; transform->maclen = 32;
443  break;
444 #endif
445 #if defined(POLARSSL_GCM_C)
448  transform->keylen = 16; transform->minlen = 1;
449  transform->ivlen = 12; transform->maclen = 0;
450  transform->fixed_ivlen = 4;
451  break;
452 
455  transform->keylen = 32; transform->minlen = 1;
456  transform->ivlen = 12; transform->maclen = 0;
457  transform->fixed_ivlen = 4;
458  break;
459 #endif
460 #endif
461 
462 #if defined(POLARSSL_CAMELLIA_C)
465  transform->keylen = 16; transform->minlen = 32;
466  transform->ivlen = 16; transform->maclen = 20;
467  break;
468 
471  transform->keylen = 32; transform->minlen = 32;
472  transform->ivlen = 16; transform->maclen = 20;
473  break;
474 
475 #if defined(POLARSSL_SHA2_C)
478  transform->keylen = 16; transform->minlen = 32;
479  transform->ivlen = 16; transform->maclen = 32;
480  break;
481 
484  transform->keylen = 32; transform->minlen = 32;
485  transform->ivlen = 16; transform->maclen = 32;
486  break;
487 #endif
488 #endif
489 
490 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
491 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
493  transform->keylen = 0; transform->minlen = 0;
494  transform->ivlen = 0; transform->maclen = 16;
495  break;
496 
498  transform->keylen = 0; transform->minlen = 0;
499  transform->ivlen = 0; transform->maclen = 20;
500  break;
501 
503  transform->keylen = 0; transform->minlen = 0;
504  transform->ivlen = 0; transform->maclen = 32;
505  break;
506 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
507 
508 #if defined(POLARSSL_DES_C)
511  transform->keylen = 8; transform->minlen = 8;
512  transform->ivlen = 8; transform->maclen = 20;
513  break;
514 #endif
515 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
516 
517  default:
518  SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
519  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
521  }
522 
523  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
524  transform->keylen, transform->minlen, transform->ivlen,
525  transform->maclen ) );
526 
527  /*
528  * Finally setup the cipher contexts, IVs and MAC secrets.
529  */
530  if( ssl->endpoint == SSL_IS_CLIENT )
531  {
532  key1 = keyblk + transform->maclen * 2;
533  key2 = keyblk + transform->maclen * 2 + transform->keylen;
534 
535  memcpy( transform->mac_enc, keyblk, transform->maclen );
536  memcpy( transform->mac_dec, keyblk + transform->maclen,
537  transform->maclen );
538 
539  /*
540  * This is not used in TLS v1.1.
541  */
542  iv_copy_len = ( transform->fixed_ivlen ) ?
543  transform->fixed_ivlen : transform->ivlen;
544  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
545  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
546  iv_copy_len );
547  }
548  else
549  {
550  key1 = keyblk + transform->maclen * 2 + transform->keylen;
551  key2 = keyblk + transform->maclen * 2;
552 
553  memcpy( transform->mac_dec, keyblk, transform->maclen );
554  memcpy( transform->mac_enc, keyblk + transform->maclen,
555  transform->maclen );
556 
557  /*
558  * This is not used in TLS v1.1.
559  */
560  iv_copy_len = ( transform->fixed_ivlen ) ?
561  transform->fixed_ivlen : transform->ivlen;
562  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
563  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
564  iv_copy_len );
565  }
566 
567 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
568  if( ssl_hw_record_init != NULL)
569  {
570  int ret = 0;
571 
572  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
573 
574  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->iv_enc,
575  transform->iv_dec, transform->mac_enc,
576  transform->mac_dec ) ) != 0 )
577  {
578  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
580  }
581  }
582 #endif
583 
584  switch( session->ciphersuite )
585  {
586 #if defined(POLARSSL_ARC4_C)
589  arc4_setup( (arc4_context *) transform->ctx_enc, key1,
590  transform->keylen );
591  arc4_setup( (arc4_context *) transform->ctx_dec, key2,
592  transform->keylen );
593  break;
594 #endif
595 
596 #if defined(POLARSSL_DES_C)
599  des3_set3key_enc( (des3_context *) transform->ctx_enc, key1 );
600  des3_set3key_dec( (des3_context *) transform->ctx_dec, key2 );
601  break;
602 #endif
603 
604 #if defined(POLARSSL_AES_C)
609  aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 128 );
610  aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 128 );
611  break;
612 
617  aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 256 );
618  aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 256 );
619  break;
620 
621 #if defined(POLARSSL_GCM_C)
624  gcm_init( (gcm_context *) transform->ctx_enc, key1, 128 );
625  gcm_init( (gcm_context *) transform->ctx_dec, key2, 128 );
626  break;
627 
630  gcm_init( (gcm_context *) transform->ctx_enc, key1, 256 );
631  gcm_init( (gcm_context *) transform->ctx_dec, key2, 256 );
632  break;
633 #endif
634 #endif
635 
636 #if defined(POLARSSL_CAMELLIA_C)
641  camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 128 );
642  camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 128 );
643  break;
644 
649  camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 256 );
650  camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 256 );
651  break;
652 #endif
653 
654 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
655 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
659  break;
660 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
661 
662 #if defined(POLARSSL_DES_C)
665  des_setkey_enc( (des_context *) transform->ctx_enc, key1 );
666  des_setkey_dec( (des_context *) transform->ctx_dec, key2 );
667  break;
668 #endif
669 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
670 
671  default:
673  }
674 
675  memset( keyblk, 0, sizeof( keyblk ) );
676 
677 #if defined(POLARSSL_ZLIB_SUPPORT)
678  // Initialize compression
679  //
680  if( session->compression == SSL_COMPRESS_DEFLATE )
681  {
682  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
683 
684  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
685  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
686 
687  if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
688  inflateInit( &transform->ctx_inflate ) != Z_OK )
689  {
690  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
692  }
693  }
694 #endif /* POLARSSL_ZLIB_SUPPORT */
695 
696  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
697 
698  return( 0 );
699 }
700 
701 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
702 {
705  unsigned char pad_1[48];
706  unsigned char pad_2[48];
707 
708  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
709 
710  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
711  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
712 
713  memset( pad_1, 0x36, 48 );
714  memset( pad_2, 0x5C, 48 );
715 
716  md5_update( &md5, ssl->session_negotiate->master, 48 );
717  md5_update( &md5, pad_1, 48 );
718  md5_finish( &md5, hash );
719 
720  md5_starts( &md5 );
721  md5_update( &md5, ssl->session_negotiate->master, 48 );
722  md5_update( &md5, pad_2, 48 );
723  md5_update( &md5, hash, 16 );
724  md5_finish( &md5, hash );
725 
726  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
727  sha1_update( &sha1, pad_1, 40 );
728  sha1_finish( &sha1, hash + 16 );
729 
730  sha1_starts( &sha1 );
731  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
732  sha1_update( &sha1, pad_2, 40 );
733  sha1_update( &sha1, hash + 16, 20 );
734  sha1_finish( &sha1, hash + 16 );
735 
736  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
737  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
738 
739  return;
740 }
741 
742 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
743 {
746 
747  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
748 
749  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
750  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
751 
752  md5_finish( &md5, hash );
753  sha1_finish( &sha1, hash + 16 );
754 
755  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
756  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
757 
758  return;
759 }
760 
761 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
762 {
764 
765  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
766 
767  memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
768  sha2_finish( &sha2, hash );
769 
770  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
771  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
772 
773  return;
774 }
775 
776 #if defined(POLARSSL_SHA4_C)
777 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
778 {
780 
781  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
782 
783  memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
784  sha4_finish( &sha4, hash );
785 
786  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
787  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
788 
789  return;
790 }
791 #endif
792 
793 /*
794  * SSLv3.0 MAC functions
795  */
796 static void ssl_mac_md5( unsigned char *secret,
797  unsigned char *buf, size_t len,
798  unsigned char *ctr, int type )
799 {
800  unsigned char header[11];
801  unsigned char padding[48];
803 
804  memcpy( header, ctr, 8 );
805  header[ 8] = (unsigned char) type;
806  header[ 9] = (unsigned char)( len >> 8 );
807  header[10] = (unsigned char)( len );
808 
809  memset( padding, 0x36, 48 );
810  md5_starts( &md5 );
811  md5_update( &md5, secret, 16 );
812  md5_update( &md5, padding, 48 );
813  md5_update( &md5, header, 11 );
814  md5_update( &md5, buf, len );
815  md5_finish( &md5, buf + len );
816 
817  memset( padding, 0x5C, 48 );
818  md5_starts( &md5 );
819  md5_update( &md5, secret, 16 );
820  md5_update( &md5, padding, 48 );
821  md5_update( &md5, buf + len, 16 );
822  md5_finish( &md5, buf + len );
823 }
824 
825 static void ssl_mac_sha1( unsigned char *secret,
826  unsigned char *buf, size_t len,
827  unsigned char *ctr, int type )
828 {
829  unsigned char header[11];
830  unsigned char padding[40];
832 
833  memcpy( header, ctr, 8 );
834  header[ 8] = (unsigned char) type;
835  header[ 9] = (unsigned char)( len >> 8 );
836  header[10] = (unsigned char)( len );
837 
838  memset( padding, 0x36, 40 );
839  sha1_starts( &sha1 );
840  sha1_update( &sha1, secret, 20 );
841  sha1_update( &sha1, padding, 40 );
842  sha1_update( &sha1, header, 11 );
843  sha1_update( &sha1, buf, len );
844  sha1_finish( &sha1, buf + len );
845 
846  memset( padding, 0x5C, 40 );
847  sha1_starts( &sha1 );
848  sha1_update( &sha1, secret, 20 );
849  sha1_update( &sha1, padding, 40 );
850  sha1_update( &sha1, buf + len, 20 );
851  sha1_finish( &sha1, buf + len );
852 }
853 
854 static void ssl_mac_sha2( unsigned char *secret,
855  unsigned char *buf, size_t len,
856  unsigned char *ctr, int type )
857 {
858  unsigned char header[11];
859  unsigned char padding[32];
861 
862  memcpy( header, ctr, 8 );
863  header[ 8] = (unsigned char) type;
864  header[ 9] = (unsigned char)( len >> 8 );
865  header[10] = (unsigned char)( len );
866 
867  memset( padding, 0x36, 32 );
868  sha2_starts( &sha2, 0 );
869  sha2_update( &sha2, secret, 32 );
870  sha2_update( &sha2, padding, 32 );
871  sha2_update( &sha2, header, 11 );
872  sha2_update( &sha2, buf, len );
873  sha2_finish( &sha2, buf + len );
874 
875  memset( padding, 0x5C, 32 );
876  sha2_starts( &sha2, 0 );
877  sha2_update( &sha2, secret, 32 );
878  sha2_update( &sha2, padding, 32 );
879  sha2_update( &sha2, buf + len, 32 );
880  sha2_finish( &sha2, buf + len );
881 }
882 
883 /*
884  * Encryption/decryption functions
885  */
886 static int ssl_encrypt_buf( ssl_context *ssl )
887 {
888  size_t i, padlen;
889 
890  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
891 
892  /*
893  * Add MAC then encrypt
894  */
895  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
896  {
897  if( ssl->transform_out->maclen == 16 )
898  ssl_mac_md5( ssl->transform_out->mac_enc,
899  ssl->out_msg, ssl->out_msglen,
900  ssl->out_ctr, ssl->out_msgtype );
901  else if( ssl->transform_out->maclen == 20 )
902  ssl_mac_sha1( ssl->transform_out->mac_enc,
903  ssl->out_msg, ssl->out_msglen,
904  ssl->out_ctr, ssl->out_msgtype );
905  else if( ssl->transform_out->maclen == 32 )
906  ssl_mac_sha2( ssl->transform_out->mac_enc,
907  ssl->out_msg, ssl->out_msglen,
908  ssl->out_ctr, ssl->out_msgtype );
909  else if( ssl->transform_out->maclen != 0 )
910  {
911  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
912  ssl->transform_out->maclen ) );
914  }
915  }
916  else
917  {
918  if( ssl->transform_out->maclen == 16 )
919  {
920  md5_context ctx;
921  md5_hmac_starts( &ctx, ssl->transform_out->mac_enc, 16 );
922  md5_hmac_update( &ctx, ssl->out_ctr, 13 );
923  md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
924  md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
925  memset( &ctx, 0, sizeof(md5_context));
926  }
927  else if( ssl->transform_out->maclen == 20 )
928  {
929  sha1_context ctx;
930  sha1_hmac_starts( &ctx, ssl->transform_out->mac_enc, 20 );
931  sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
932  sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
933  sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
934  memset( &ctx, 0, sizeof(sha1_context));
935  }
936  else if( ssl->transform_out->maclen == 32 )
937  {
938  sha2_context ctx;
939  sha2_hmac_starts( &ctx, ssl->transform_out->mac_enc, 32, 0 );
940  sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
941  sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
942  sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
943  memset( &ctx, 0, sizeof(sha2_context));
944  }
945  else if( ssl->transform_out->maclen != 0 )
946  {
947  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
948  ssl->transform_out->maclen ) );
950  }
951  }
952 
953  SSL_DEBUG_BUF( 4, "computed mac",
954  ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
955 
956  ssl->out_msglen += ssl->transform_out->maclen;
957 
958  if( ssl->transform_out->ivlen == 0 )
959  {
960  padlen = 0;
961 
962  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
963  "including %d bytes of padding",
964  ssl->out_msglen, 0 ) );
965 
966  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
967  ssl->out_msg, ssl->out_msglen );
968 
969 #if defined(POLARSSL_ARC4_C)
972  {
974  ssl->out_msglen, ssl->out_msg,
975  ssl->out_msg );
976  } else
977 #endif
978 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
982  {
983  } else
984 #endif
986  }
987  else if( ssl->transform_out->ivlen == 12 )
988  {
989  size_t enc_msglen;
990  unsigned char *enc_msg;
991  unsigned char add_data[13];
993 
994  padlen = 0;
995  enc_msglen = ssl->out_msglen;
996 
997  memcpy( add_data, ssl->out_ctr, 8 );
998  add_data[8] = ssl->out_msgtype;
999  add_data[9] = ssl->major_ver;
1000  add_data[10] = ssl->minor_ver;
1001  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1002  add_data[12] = ssl->out_msglen & 0xFF;
1003 
1004  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1005  add_data, 13 );
1006 
1007 #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1008 
1013  {
1014  /*
1015  * Generate IV
1016  */
1017  ret = ssl->f_rng( ssl->p_rng,
1019  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1020  if( ret != 0 )
1021  return( ret );
1022 
1023  /*
1024  * Shift message for ivlen bytes and prepend IV
1025  */
1026  memmove( ssl->out_msg + ssl->transform_out->ivlen -
1027  ssl->transform_out->fixed_ivlen,
1028  ssl->out_msg, ssl->out_msglen );
1029  memcpy( ssl->out_msg,
1031  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1032 
1033  /*
1034  * Fix pointer positions and message length with added IV
1035  */
1036  enc_msg = ssl->out_msg + ssl->transform_out->ivlen -
1037  ssl->transform_out->fixed_ivlen;
1038  enc_msglen = ssl->out_msglen;
1039  ssl->out_msglen += ssl->transform_out->ivlen -
1040  ssl->transform_out->fixed_ivlen;
1041 
1042  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1043  "including %d bytes of padding",
1044  ssl->out_msglen, 0 ) );
1045 
1046  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1047  ssl->out_msg, ssl->out_msglen );
1048 
1049  /*
1050  * Adjust for tag
1051  */
1052  ssl->out_msglen += 16;
1053 
1055  GCM_ENCRYPT, enc_msglen,
1056  ssl->transform_out->iv_enc, ssl->transform_out->ivlen,
1057  add_data, 13,
1058  enc_msg, enc_msg,
1059  16, enc_msg + enc_msglen );
1060 
1061  SSL_DEBUG_BUF( 4, "after encrypt: tag",
1062  enc_msg + enc_msglen, 16 );
1063 
1064  } else
1065 #endif
1066  return( ret );
1067  }
1068  else
1069  {
1070  unsigned char *enc_msg;
1071  size_t enc_msglen;
1072 
1073  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1074  ssl->transform_out->ivlen;
1075  if( padlen == ssl->transform_out->ivlen )
1076  padlen = 0;
1077 
1078  for( i = 0; i <= padlen; i++ )
1079  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1080 
1081  ssl->out_msglen += padlen + 1;
1082 
1083  enc_msglen = ssl->out_msglen;
1084  enc_msg = ssl->out_msg;
1085 
1086  /*
1087  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1088  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1089  */
1090  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1091  {
1092  /*
1093  * Generate IV
1094  */
1095  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1096  ssl->transform_out->ivlen );
1097  if( ret != 0 )
1098  return( ret );
1099 
1100  /*
1101  * Shift message for ivlen bytes and prepend IV
1102  */
1103  memmove( ssl->out_msg + ssl->transform_out->ivlen, ssl->out_msg,
1104  ssl->out_msglen );
1105  memcpy( ssl->out_msg, ssl->transform_out->iv_enc,
1106  ssl->transform_out->ivlen );
1107 
1108  /*
1109  * Fix pointer positions and message length with added IV
1110  */
1111  enc_msg = ssl->out_msg + ssl->transform_out->ivlen;
1112  enc_msglen = ssl->out_msglen;
1113  ssl->out_msglen += ssl->transform_out->ivlen;
1114  }
1115 
1116  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1117  "including %d bytes of IV and %d bytes of padding",
1118  ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
1119 
1120  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1121  ssl->out_msg, ssl->out_msglen );
1122 
1123  switch( ssl->transform_out->ivlen )
1124  {
1125 #if defined(POLARSSL_DES_C)
1126  case 8:
1127 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1130  {
1132  DES_ENCRYPT, enc_msglen,
1133  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1134  }
1135  else
1136 #endif
1138  DES_ENCRYPT, enc_msglen,
1139  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1140  break;
1141 #endif
1142 
1143  case 16:
1144 #if defined(POLARSSL_AES_C)
1153  {
1155  AES_ENCRYPT, enc_msglen,
1156  ssl->transform_out->iv_enc, enc_msg, enc_msg);
1157  break;
1158  }
1159 #endif
1160 
1161 #if defined(POLARSSL_CAMELLIA_C)
1170  {
1172  CAMELLIA_ENCRYPT, enc_msglen,
1173  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1174  break;
1175  }
1176 #endif
1177 
1178  default:
1180  }
1181  }
1182 
1183  for( i = 8; i > 0; i-- )
1184  if( ++ssl->out_ctr[i - 1] != 0 )
1185  break;
1186 
1187  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1188 
1189  return( 0 );
1190 }
1191 
1192 /*
1193  * TODO: Use digest version when integrated!
1194  */
1195 #define POLARSSL_SSL_MAX_MAC_SIZE 32
1196 
1197 static int ssl_decrypt_buf( ssl_context *ssl )
1198 {
1199  size_t i, padlen = 0, correct = 1;
1200  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1201 
1202  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1203 
1204  if( ssl->in_msglen < ssl->transform_in->minlen )
1205  {
1206  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1207  ssl->in_msglen, ssl->transform_in->minlen ) );
1208  return( POLARSSL_ERR_SSL_INVALID_MAC );
1209  }
1210 
1211  if( ssl->transform_in->ivlen == 0 )
1212  {
1213 #if defined(POLARSSL_ARC4_C)
1216  {
1218  ssl->in_msglen, ssl->in_msg,
1219  ssl->in_msg );
1220  } else
1221 #endif
1222 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
1226  {
1227  } else
1228 #endif
1230  }
1231  else if( ssl->transform_in->ivlen == 12 )
1232  {
1233  unsigned char *dec_msg;
1234  unsigned char *dec_msg_result;
1235  size_t dec_msglen;
1236  unsigned char add_data[13];
1238 
1239 #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1244  {
1245  dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1246  ssl->transform_in->fixed_ivlen );
1247  dec_msglen -= 16;
1248  dec_msg = ssl->in_msg + ( ssl->transform_in->ivlen -
1249  ssl->transform_in->fixed_ivlen );
1250  dec_msg_result = ssl->in_msg;
1251  ssl->in_msglen = dec_msglen;
1252 
1253  memcpy( add_data, ssl->in_ctr, 8 );
1254  add_data[8] = ssl->in_msgtype;
1255  add_data[9] = ssl->major_ver;
1256  add_data[10] = ssl->minor_ver;
1257  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1258  add_data[12] = ssl->in_msglen & 0xFF;
1259 
1260  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1261  add_data, 13 );
1262 
1263  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1264  ssl->in_msg,
1265  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1266 
1267  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1268  ssl->transform_in->ivlen );
1269  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1270 
1271  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1272  ssl->in_msg,
1273  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1274 
1276  dec_msglen,
1277  ssl->transform_in->iv_dec,
1278  ssl->transform_in->ivlen,
1279  add_data, 13,
1280  dec_msg + dec_msglen, 16,
1281  dec_msg, dec_msg_result );
1282 
1283  if( ret != 0 )
1284  {
1285  SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1286  -ret ) );
1287 
1288  return( POLARSSL_ERR_SSL_INVALID_MAC );
1289  }
1290  } else
1291 #endif
1292  return( ret );
1293  }
1294  else
1295  {
1296  /*
1297  * Decrypt and check the padding
1298  */
1299  unsigned char *dec_msg;
1300  unsigned char *dec_msg_result;
1301  size_t dec_msglen;
1302  size_t minlen = 0;
1303 
1304  /*
1305  * Check immediate ciphertext sanity
1306  */
1307  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1308  {
1309  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1310  ssl->in_msglen, ssl->transform_in->ivlen ) );
1311  return( POLARSSL_ERR_SSL_INVALID_MAC );
1312  }
1313 
1314  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1315  minlen += ssl->transform_in->ivlen;
1316 
1317  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1318  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1319  {
1320  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1321  ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1322  return( POLARSSL_ERR_SSL_INVALID_MAC );
1323  }
1324 
1325  dec_msglen = ssl->in_msglen;
1326  dec_msg = ssl->in_msg;
1327  dec_msg_result = ssl->in_msg;
1328 
1329  /*
1330  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1331  */
1332  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1333  {
1334  dec_msg += ssl->transform_in->ivlen;
1335  dec_msglen -= ssl->transform_in->ivlen;
1336  ssl->in_msglen -= ssl->transform_in->ivlen;
1337 
1338  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1339  ssl->transform_in->iv_dec[i] = ssl->in_msg[i];
1340  }
1341 
1342  switch( ssl->transform_in->ivlen )
1343  {
1344 #if defined(POLARSSL_DES_C)
1345  case 8:
1346 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1349  {
1351  DES_DECRYPT, dec_msglen,
1352  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1353  }
1354  else
1355 #endif
1357  DES_DECRYPT, dec_msglen,
1358  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1359  break;
1360 #endif
1361 
1362  case 16:
1363 #if defined(POLARSSL_AES_C)
1372  {
1374  AES_DECRYPT, dec_msglen,
1375  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1376  break;
1377  }
1378 #endif
1379 
1380 #if defined(POLARSSL_CAMELLIA_C)
1389  {
1391  CAMELLIA_DECRYPT, dec_msglen,
1392  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1393  break;
1394  }
1395 #endif
1396 
1397  default:
1399  }
1400 
1401  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1402 
1403  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1404  {
1405 #if defined(POLARSSL_SSL_DEBUG_ALL)
1406  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1407  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1408 #endif
1409  padlen = 0;
1410  correct = 0;
1411  }
1412 
1413  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1414  {
1415  if( padlen > ssl->transform_in->ivlen )
1416  {
1417 #if defined(POLARSSL_SSL_DEBUG_ALL)
1418  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1419  "should be no more than %d",
1420  padlen, ssl->transform_in->ivlen ) );
1421 #endif
1422  correct = 0;
1423  }
1424  }
1425  else
1426  {
1427  /*
1428  * TLSv1+: always check the padding up to the first failure
1429  * and fake check up to 256 bytes of padding
1430  */
1431  size_t pad_count = 0, fake_pad_count = 0;
1432  size_t padding_idx = ssl->in_msglen - padlen - 1;
1433 
1434  for( i = 1; i <= padlen; i++ )
1435  pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1436 
1437  for( ; i <= 256; i++ )
1438  fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1439 
1440  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1441  correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
1442 
1443 #if defined(POLARSSL_SSL_DEBUG_ALL)
1444  if( padlen > 0 && correct == 0)
1445  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1446 #endif
1447  padlen &= correct * 0x1FF;
1448  }
1449  }
1450 
1451  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1452  ssl->in_msg, ssl->in_msglen );
1453 
1454  /*
1455  * Always compute the MAC (RFC4346, CBCTIME).
1456  */
1457  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1458 
1459  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1460  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1461 
1462  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1463 
1464  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1465  {
1466  if( ssl->transform_in->maclen == 16 )
1467  ssl_mac_md5( ssl->transform_in->mac_dec,
1468  ssl->in_msg, ssl->in_msglen,
1469  ssl->in_ctr, ssl->in_msgtype );
1470  else if( ssl->transform_in->maclen == 20 )
1471  ssl_mac_sha1( ssl->transform_in->mac_dec,
1472  ssl->in_msg, ssl->in_msglen,
1473  ssl->in_ctr, ssl->in_msgtype );
1474  else if( ssl->transform_in->maclen == 32 )
1475  ssl_mac_sha2( ssl->transform_in->mac_dec,
1476  ssl->in_msg, ssl->in_msglen,
1477  ssl->in_ctr, ssl->in_msgtype );
1478  else if( ssl->transform_in->maclen != 0 )
1479  {
1480  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1481  ssl->transform_in->maclen ) );
1483  }
1484  }
1485  else
1486  {
1487  /*
1488  * Process MAC and always update for padlen afterwards to make
1489  * total time independent of padlen
1490  *
1491  * extra_run compensates MAC check for padlen
1492  *
1493  * Known timing attacks:
1494  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1495  *
1496  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1497  * correctly. (We round down instead of up, so -56 is the correct
1498  * value for our calculations instead of -55)
1499  */
1500  int j, extra_run = 0;
1501  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1502  ( 13 + ssl->in_msglen + 8 ) / 64;
1503 
1504  extra_run &= correct * 0xFF;
1505 
1506  if( ssl->transform_in->maclen == 16 )
1507  {
1508  md5_context ctx;
1509  md5_hmac_starts( &ctx, ssl->transform_in->mac_dec, 16 );
1510  md5_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1511  md5_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1512 
1513  for( j = 0; j < extra_run; j++ )
1514  md5_process( &ctx, ssl->in_msg );
1515  }
1516  else if( ssl->transform_in->maclen == 20 )
1517  {
1518  sha1_context ctx;
1519  sha1_hmac_starts( &ctx, ssl->transform_in->mac_dec, 20 );
1520  sha1_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1521  sha1_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1522 
1523  for( j = 0; j < extra_run; j++ )
1524  sha1_process( &ctx, ssl->in_msg );
1525  }
1526  else if( ssl->transform_in->maclen == 32 )
1527  {
1528  sha2_context ctx;
1529  sha2_hmac_starts( &ctx, ssl->transform_in->mac_dec, 32, 0 );
1530  sha2_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1531  sha2_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1532 
1533  for( j = 0; j < extra_run; j++ )
1534  sha2_process( &ctx, ssl->in_msg );
1535  }
1536  else if( ssl->transform_in->maclen != 0 )
1537  {
1538  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1539  ssl->transform_in->maclen ) );
1541  }
1542  }
1543 
1544  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1545  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1546  ssl->transform_in->maclen );
1547 
1548  if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1549  ssl->transform_in->maclen ) != 0 )
1550  {
1551 #if defined(POLARSSL_SSL_DEBUG_ALL)
1552  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1553 #endif
1554  correct = 0;
1555  }
1556 
1557  /*
1558  * Finally check the correct flag
1559  */
1560  if( correct == 0 )
1561  return( POLARSSL_ERR_SSL_INVALID_MAC );
1562 
1563  if( ssl->in_msglen == 0 )
1564  {
1565  ssl->nb_zero++;
1566 
1567  /*
1568  * Three or more empty messages may be a DoS attack
1569  * (excessive CPU consumption).
1570  */
1571  if( ssl->nb_zero > 3 )
1572  {
1573  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1574  "messages, possible DoS attack" ) );
1575  return( POLARSSL_ERR_SSL_INVALID_MAC );
1576  }
1577  }
1578  else
1579  ssl->nb_zero = 0;
1580 
1581  for( i = 8; i > 0; i-- )
1582  if( ++ssl->in_ctr[i - 1] != 0 )
1583  break;
1584 
1585  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1586 
1587  return( 0 );
1588 }
1589 
1590 #if defined(POLARSSL_ZLIB_SUPPORT)
1591 /*
1592  * Compression/decompression functions
1593  */
1594 static int ssl_compress_buf( ssl_context *ssl )
1595 {
1596  int ret;
1597  unsigned char *msg_post = ssl->out_msg;
1598  size_t len_pre = ssl->out_msglen;
1599  unsigned char *msg_pre;
1600 
1601  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1602 
1603  msg_pre = (unsigned char*) malloc( len_pre );
1604  if( msg_pre == NULL )
1605  {
1606  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1608  }
1609 
1610  memcpy( msg_pre, ssl->out_msg, len_pre );
1611 
1612  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1613  ssl->out_msglen ) );
1614 
1615  SSL_DEBUG_BUF( 4, "before compression: output payload",
1616  ssl->out_msg, ssl->out_msglen );
1617 
1618  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1619  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1620  ssl->transform_out->ctx_deflate.next_out = msg_post;
1621  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1622 
1623  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1624  if( ret != Z_OK )
1625  {
1626  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1628  }
1629 
1630  ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
1631 
1632  free( msg_pre );
1633 
1634  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1635  ssl->out_msglen ) );
1636 
1637  SSL_DEBUG_BUF( 4, "after compression: output payload",
1638  ssl->out_msg, ssl->out_msglen );
1639 
1640  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1641 
1642  return( 0 );
1643 }
1644 
1645 static int ssl_decompress_buf( ssl_context *ssl )
1646 {
1647  int ret;
1648  unsigned char *msg_post = ssl->in_msg;
1649  size_t len_pre = ssl->in_msglen;
1650  unsigned char *msg_pre;
1651 
1652  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1653 
1654  msg_pre = (unsigned char*) malloc( len_pre );
1655  if( msg_pre == NULL )
1656  {
1657  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1659  }
1660 
1661  memcpy( msg_pre, ssl->in_msg, len_pre );
1662 
1663  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1664  ssl->in_msglen ) );
1665 
1666  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1667  ssl->in_msg, ssl->in_msglen );
1668 
1669  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1670  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1671  ssl->transform_in->ctx_inflate.next_out = msg_post;
1672  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1673 
1674  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1675  if( ret != Z_OK )
1676  {
1677  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1679  }
1680 
1681  ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
1682 
1683  free( msg_pre );
1684 
1685  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1686  ssl->in_msglen ) );
1687 
1688  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1689  ssl->in_msg, ssl->in_msglen );
1690 
1691  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1692 
1693  return( 0 );
1694 }
1695 #endif /* POLARSSL_ZLIB_SUPPORT */
1696 
1697 /*
1698  * Fill the input message buffer
1699  */
1700 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1701 {
1702  int ret;
1703  size_t len;
1704 
1705  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1706 
1707  while( ssl->in_left < nb_want )
1708  {
1709  len = nb_want - ssl->in_left;
1710  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1711 
1712  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1713  ssl->in_left, nb_want ) );
1714  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1715 
1716  if( ret == 0 )
1717  return( POLARSSL_ERR_SSL_CONN_EOF );
1718 
1719  if( ret < 0 )
1720  return( ret );
1721 
1722  ssl->in_left += ret;
1723  }
1724 
1725  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1726 
1727  return( 0 );
1728 }
1729 
1730 /*
1731  * Flush any data not yet written
1732  */
1733 int ssl_flush_output( ssl_context *ssl )
1734 {
1735  int ret;
1736  unsigned char *buf;
1737 
1738  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1739 
1740  while( ssl->out_left > 0 )
1741  {
1742  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1743  5 + ssl->out_msglen, ssl->out_left ) );
1744 
1745  if( ssl->out_msglen < ssl->out_left )
1746  {
1747  size_t header_left = ssl->out_left - ssl->out_msglen;
1748 
1749  buf = ssl->out_hdr + 5 - header_left;
1750  ret = ssl->f_send( ssl->p_send, buf, header_left );
1751 
1752  SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1753 
1754  if( ret <= 0 )
1755  return( ret );
1756 
1757  ssl->out_left -= ret;
1758  }
1759 
1760  buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
1761  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1762 
1763  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1764 
1765  if( ret <= 0 )
1766  return( ret );
1767 
1768  ssl->out_left -= ret;
1769  }
1770 
1771  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1772 
1773  return( 0 );
1774 }
1775 
1776 /*
1777  * Record layer functions
1778  */
1779 int ssl_write_record( ssl_context *ssl )
1780 {
1781  int ret, done = 0;
1782  size_t len = ssl->out_msglen;
1783 
1784  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1785 
1786  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1787  {
1788  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1789  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1790  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1791 
1792  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1793  }
1794 
1795 #if defined(POLARSSL_ZLIB_SUPPORT)
1796  if( ssl->transform_out != NULL &&
1798  {
1799  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1800  {
1801  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1802  return( ret );
1803  }
1804 
1805  len = ssl->out_msglen;
1806  }
1807 #endif /*POLARSSL_ZLIB_SUPPORT */
1808 
1809 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1810  if( ssl_hw_record_write != NULL)
1811  {
1812  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1813 
1814  ret = ssl_hw_record_write( ssl );
1815  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1816  {
1817  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1819  }
1820  done = 1;
1821  }
1822 #endif
1823  if( !done )
1824  {
1825  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1826  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1827  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1828  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1829  ssl->out_hdr[4] = (unsigned char)( len );
1830 
1831  if( ssl->transform_out != NULL )
1832  {
1833  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1834  {
1835  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1836  return( ret );
1837  }
1838 
1839  len = ssl->out_msglen;
1840  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1841  ssl->out_hdr[4] = (unsigned char)( len );
1842  }
1843 
1844  ssl->out_left = 5 + ssl->out_msglen;
1845 
1846  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1847  "version = [%d:%d], msglen = %d",
1848  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1849  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1850 
1851  SSL_DEBUG_BUF( 4, "output record header sent to network",
1852  ssl->out_hdr, 5 );
1853  SSL_DEBUG_BUF( 4, "output record sent to network",
1854  ssl->out_hdr + 32, ssl->out_msglen );
1855  }
1856 
1857  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1858  {
1859  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1860  return( ret );
1861  }
1862 
1863  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1864 
1865  return( 0 );
1866 }
1867 
1868 int ssl_read_record( ssl_context *ssl )
1869 {
1870  int ret, done = 0;
1871 
1872  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1873 
1874  if( ssl->in_hslen != 0 &&
1875  ssl->in_hslen < ssl->in_msglen )
1876  {
1877  /*
1878  * Get next Handshake message in the current record
1879  */
1880  ssl->in_msglen -= ssl->in_hslen;
1881 
1882  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
1883  ssl->in_msglen );
1884 
1885  ssl->in_hslen = 4;
1886  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1887 
1888  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1889  " %d, type = %d, hslen = %d",
1890  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1891 
1892  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1893  {
1894  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1896  }
1897 
1898  if( ssl->in_msglen < ssl->in_hslen )
1899  {
1900  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1902  }
1903 
1904  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
1905 
1906  return( 0 );
1907  }
1908 
1909  ssl->in_hslen = 0;
1910 
1911  /*
1912  * Read the record header and validate it
1913  */
1914  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1915  {
1916  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1917  return( ret );
1918  }
1919 
1920  ssl->in_msgtype = ssl->in_hdr[0];
1921  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1922 
1923  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1924  "version = [%d:%d], msglen = %d",
1925  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1926  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1927 
1928  if( ssl->in_hdr[1] != ssl->major_ver )
1929  {
1930  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
1932  }
1933 
1934  if( ssl->in_hdr[2] > ssl->max_minor_ver )
1935  {
1936  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
1938  }
1939 
1940  /*
1941  * Make sure the message length is acceptable
1942  */
1943  if( ssl->transform_in == NULL )
1944  {
1945  if( ssl->in_msglen < 1 ||
1947  {
1948  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1950  }
1951  }
1952  else
1953  {
1954  if( ssl->in_msglen < ssl->transform_in->minlen )
1955  {
1956  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1958  }
1959 
1960  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1962  {
1963  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1965  }
1966 
1967  /*
1968  * TLS encrypted messages can have up to 256 bytes of padding
1969  */
1970  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
1971  ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
1972  {
1973  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1975  }
1976  }
1977 
1978  /*
1979  * Read and optionally decrypt the message contents
1980  */
1981  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1982  {
1983  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1984  return( ret );
1985  }
1986 
1987  SSL_DEBUG_BUF( 4, "input record from network",
1988  ssl->in_hdr, 5 + ssl->in_msglen );
1989 
1990 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1991  if( ssl_hw_record_read != NULL)
1992  {
1993  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1994 
1995  ret = ssl_hw_record_read( ssl );
1996  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1997  {
1998  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2000  }
2001  done = 1;
2002  }
2003 #endif
2004  if( !done && ssl->transform_in != NULL )
2005  {
2006  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2007  {
2008 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2009  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2010  {
2014  }
2015 #endif
2016  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2017  return( ret );
2018  }
2019 
2020  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2021  ssl->in_msg, ssl->in_msglen );
2022 
2023  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2024  {
2025  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2027  }
2028  }
2029 
2030 #if defined(POLARSSL_ZLIB_SUPPORT)
2031  if( ssl->transform_in != NULL &&
2033  {
2034  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2035  {
2036  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2037  return( ret );
2038  }
2039 
2040  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2041  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2042  }
2043 #endif /* POLARSSL_ZLIB_SUPPORT */
2044 
2045  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2046  ssl->in_msgtype != SSL_MSG_ALERT &&
2049  {
2050  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2051 
2052  if( ( ret = ssl_send_alert_message( ssl,
2055  {
2056  return( ret );
2057  }
2058 
2060  }
2061 
2062  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2063  {
2064  ssl->in_hslen = 4;
2065  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2066 
2067  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2068  " %d, type = %d, hslen = %d",
2069  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2070 
2071  /*
2072  * Additional checks to validate the handshake header
2073  */
2074  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2075  {
2076  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2078  }
2079 
2080  if( ssl->in_msglen < ssl->in_hslen )
2081  {
2082  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2084  }
2085 
2086  if( ssl->state != SSL_HANDSHAKE_OVER )
2087  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2088  }
2089 
2090  if( ssl->in_msgtype == SSL_MSG_ALERT )
2091  {
2092  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2093  ssl->in_msg[0], ssl->in_msg[1] ) );
2094 
2095  /*
2096  * Ignore non-fatal alerts, except close_notify
2097  */
2098  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2099  {
2100  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2101  ssl->in_msg[1] ) );
2107  }
2108 
2109  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2110  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2111  {
2112  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2114  }
2115  }
2116 
2117  ssl->in_left = 0;
2118 
2119  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2120 
2121  return( 0 );
2122 }
2123 
2125 {
2126  int ret;
2127 
2128  if( ( ret = ssl_send_alert_message( ssl,
2131  {
2132  return( ret );
2133  }
2134 
2135  return( 0 );
2136 }
2137 
2139  unsigned char level,
2140  unsigned char message )
2141 {
2142  int ret;
2143 
2144  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2145 
2146  ssl->out_msgtype = SSL_MSG_ALERT;
2147  ssl->out_msglen = 2;
2148  ssl->out_msg[0] = level;
2149  ssl->out_msg[1] = message;
2150 
2151  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2152  {
2153  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2154  return( ret );
2155  }
2156 
2157  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2158 
2159  return( 0 );
2160 }
2161 
2162 /*
2163  * Handshake functions
2164  */
2166 {
2167  int ret;
2168  size_t i, n;
2169  const x509_cert *crt;
2170 
2171  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2172 
2173  if( ssl->endpoint == SSL_IS_CLIENT )
2174  {
2175  if( ssl->client_auth == 0 )
2176  {
2177  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2178  ssl->state++;
2179  return( 0 );
2180  }
2181 
2182  /*
2183  * If using SSLv3 and got no cert, send an Alert message
2184  * (otherwise an empty Certificate message will be sent).
2185  */
2186  if( ssl->own_cert == NULL &&
2187  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2188  {
2189  ssl->out_msglen = 2;
2190  ssl->out_msgtype = SSL_MSG_ALERT;
2191  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2192  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2193 
2194  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2195  goto write_msg;
2196  }
2197  }
2198  else /* SSL_IS_SERVER */
2199  {
2200  if( ssl->own_cert == NULL )
2201  {
2202  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2204  }
2205  }
2206 
2207  SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
2208 
2209  /*
2210  * 0 . 0 handshake type
2211  * 1 . 3 handshake length
2212  * 4 . 6 length of all certs
2213  * 7 . 9 length of cert. 1
2214  * 10 . n-1 peer certificate
2215  * n . n+2 length of cert. 2
2216  * n+3 . ... upper level cert, etc.
2217  */
2218  i = 7;
2219  crt = ssl->own_cert;
2220 
2221  while( crt != NULL )
2222  {
2223  n = crt->raw.len;
2224  if( i + 3 + n > SSL_MAX_CONTENT_LEN )
2225  {
2226  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2227  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2229  }
2230 
2231  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2232  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2233  ssl->out_msg[i + 2] = (unsigned char)( n );
2234 
2235  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2236  i += n; crt = crt->next;
2237  }
2238 
2239  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2240  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2241  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2242 
2243  ssl->out_msglen = i;
2245  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2246 
2247 write_msg:
2248 
2249  ssl->state++;
2250 
2251  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2252  {
2253  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2254  return( ret );
2255  }
2256 
2257  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2258 
2259  return( 0 );
2260 }
2261 
2263 {
2264  int ret;
2265  size_t i, n;
2266 
2267  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2268 
2269  if( ssl->endpoint == SSL_IS_SERVER &&
2270  ssl->authmode == SSL_VERIFY_NONE )
2271  {
2273  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2274  ssl->state++;
2275  return( 0 );
2276  }
2277 
2278  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2279  {
2280  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2281  return( ret );
2282  }
2283 
2284  ssl->state++;
2285 
2286  /*
2287  * Check if the client sent an empty certificate
2288  */
2289  if( ssl->endpoint == SSL_IS_SERVER &&
2290  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2291  {
2292  if( ssl->in_msglen == 2 &&
2293  ssl->in_msgtype == SSL_MSG_ALERT &&
2294  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2295  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2296  {
2297  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2298 
2300  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2301  return( 0 );
2302  else
2304  }
2305  }
2306 
2307  if( ssl->endpoint == SSL_IS_SERVER &&
2308  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2309  {
2310  if( ssl->in_hslen == 7 &&
2311  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2312  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2313  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2314  {
2315  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2316 
2318  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2320  else
2321  return( 0 );
2322  }
2323  }
2324 
2325  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2326  {
2327  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2329  }
2330 
2331  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2332  {
2333  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2335  }
2336 
2337  /*
2338  * Same message structure as in ssl_write_certificate()
2339  */
2340  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2341 
2342  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2343  {
2344  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2346  }
2347 
2348  if( ( ssl->session_negotiate->peer_cert = (x509_cert *) malloc(
2349  sizeof( x509_cert ) ) ) == NULL )
2350  {
2351  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2352  sizeof( x509_cert ) ) );
2354  }
2355 
2356  memset( ssl->session_negotiate->peer_cert, 0, sizeof( x509_cert ) );
2357 
2358  i = 7;
2359 
2360  while( i < ssl->in_hslen )
2361  {
2362  if( ssl->in_msg[i] != 0 )
2363  {
2364  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2366  }
2367 
2368  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2369  | (unsigned int) ssl->in_msg[i + 2];
2370  i += 3;
2371 
2372  if( n < 128 || i + n > ssl->in_hslen )
2373  {
2374  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2376  }
2377 
2379  ssl->in_msg + i, n );
2380  if( ret != 0 )
2381  {
2382  SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2383  return( ret );
2384  }
2385 
2386  i += n;
2387  }
2388 
2389  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2390 
2391  if( ssl->authmode != SSL_VERIFY_NONE )
2392  {
2393  if( ssl->ca_chain == NULL )
2394  {
2395  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2397  }
2398 
2400  ssl->ca_chain, ssl->ca_crl,
2401  ssl->peer_cn, &ssl->verify_result,
2402  ssl->f_vrfy, ssl->p_vrfy );
2403 
2404  if( ret != 0 )
2405  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2406 
2407  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2408  ret = 0;
2409  }
2410 
2411  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2412 
2413  return( ret );
2414 }
2415 
2417 {
2418  int ret;
2419 
2420  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2421 
2423  ssl->out_msglen = 1;
2424  ssl->out_msg[0] = 1;
2425 
2426  ssl->state++;
2427 
2428  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2429  {
2430  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2431  return( ret );
2432  }
2433 
2434  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2435 
2436  return( 0 );
2437 }
2438 
2440 {
2441  int ret;
2442 
2443  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2444 
2445  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2446  {
2447  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2448  return( ret );
2449  }
2450 
2452  {
2453  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2455  }
2456 
2457  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2458  {
2459  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2461  }
2462 
2463  ssl->state++;
2464 
2465  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2466 
2467  return( 0 );
2468 }
2469 
2470 void ssl_optimize_checksum( ssl_context *ssl, int ciphersuite )
2471 {
2472 #if !defined(POLARSSL_SHA4_C)
2473  ((void) ciphersuite);
2474 #endif
2475 
2476  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2477  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2478 #if defined(POLARSSL_SHA4_C)
2479  else if ( ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
2480  ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
2481  {
2482  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2483  }
2484 #endif
2485  else
2486  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2487 }
2488 
2489 static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2490  size_t len )
2491 {
2492  md5_update( &ssl->handshake->fin_md5 , buf, len );
2493  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2494  sha2_update( &ssl->handshake->fin_sha2, buf, len );
2495 #if defined(POLARSSL_SHA4_C)
2496  sha4_update( &ssl->handshake->fin_sha4, buf, len );
2497 #endif
2498 }
2499 
2500 static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2501  size_t len )
2502 {
2503  md5_update( &ssl->handshake->fin_md5 , buf, len );
2504  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2505 }
2506 
2507 static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2508  size_t len )
2509 {
2510  sha2_update( &ssl->handshake->fin_sha2, buf, len );
2511 }
2512 
2513 #if defined(POLARSSL_SHA4_C)
2514 static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2515  size_t len )
2516 {
2517  sha4_update( &ssl->handshake->fin_sha4, buf, len );
2518 }
2519 #endif
2520 
2521 static void ssl_calc_finished_ssl(
2522  ssl_context *ssl, unsigned char *buf, int from )
2523 {
2524  const char *sender;
2525  md5_context md5;
2527 
2528  unsigned char padbuf[48];
2529  unsigned char md5sum[16];
2530  unsigned char sha1sum[20];
2531 
2532  ssl_session *session = ssl->session_negotiate;
2533  if( !session )
2534  session = ssl->session;
2535 
2536  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2537 
2538  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2539  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2540 
2541  /*
2542  * SSLv3:
2543  * hash =
2544  * MD5( master + pad2 +
2545  * MD5( handshake + sender + master + pad1 ) )
2546  * + SHA1( master + pad2 +
2547  * SHA1( handshake + sender + master + pad1 ) )
2548  */
2549 
2550 #if !defined(POLARSSL_MD5_ALT)
2551  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2552  md5.state, sizeof( md5.state ) );
2553 #endif
2554 
2555 #if !defined(POLARSSL_SHA1_ALT)
2556  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2557  sha1.state, sizeof( sha1.state ) );
2558 #endif
2559 
2560  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2561  : "SRVR";
2562 
2563  memset( padbuf, 0x36, 48 );
2564 
2565  md5_update( &md5, (const unsigned char *) sender, 4 );
2566  md5_update( &md5, session->master, 48 );
2567  md5_update( &md5, padbuf, 48 );
2568  md5_finish( &md5, md5sum );
2569 
2570  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2571  sha1_update( &sha1, session->master, 48 );
2572  sha1_update( &sha1, padbuf, 40 );
2573  sha1_finish( &sha1, sha1sum );
2574 
2575  memset( padbuf, 0x5C, 48 );
2576 
2577  md5_starts( &md5 );
2578  md5_update( &md5, session->master, 48 );
2579  md5_update( &md5, padbuf, 48 );
2580  md5_update( &md5, md5sum, 16 );
2581  md5_finish( &md5, buf );
2582 
2583  sha1_starts( &sha1 );
2584  sha1_update( &sha1, session->master, 48 );
2585  sha1_update( &sha1, padbuf , 40 );
2586  sha1_update( &sha1, sha1sum, 20 );
2587  sha1_finish( &sha1, buf + 16 );
2588 
2589  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2590 
2591  memset( &md5, 0, sizeof( md5_context ) );
2592  memset( &sha1, 0, sizeof( sha1_context ) );
2593 
2594  memset( padbuf, 0, sizeof( padbuf ) );
2595  memset( md5sum, 0, sizeof( md5sum ) );
2596  memset( sha1sum, 0, sizeof( sha1sum ) );
2597 
2598  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2599 }
2600 
2601 static void ssl_calc_finished_tls(
2602  ssl_context *ssl, unsigned char *buf, int from )
2603 {
2604  int len = 12;
2605  const char *sender;
2606  md5_context md5;
2608  unsigned char padbuf[36];
2609 
2610  ssl_session *session = ssl->session_negotiate;
2611  if( !session )
2612  session = ssl->session;
2613 
2614  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2615 
2616  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2617  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2618 
2619  /*
2620  * TLSv1:
2621  * hash = PRF( master, finished_label,
2622  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2623  */
2624 
2625 #if !defined(POLARSSL_MD5_ALT)
2626  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2627  md5.state, sizeof( md5.state ) );
2628 #endif
2629 
2630 #if !defined(POLARSSL_SHA1_ALT)
2631  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2632  sha1.state, sizeof( sha1.state ) );
2633 #endif
2634 
2635  sender = ( from == SSL_IS_CLIENT )
2636  ? "client finished"
2637  : "server finished";
2638 
2639  md5_finish( &md5, padbuf );
2640  sha1_finish( &sha1, padbuf + 16 );
2641 
2642  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2643  padbuf, 36, buf, len );
2644 
2645  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2646 
2647  memset( &md5, 0, sizeof( md5_context ) );
2648  memset( &sha1, 0, sizeof( sha1_context ) );
2649 
2650  memset( padbuf, 0, sizeof( padbuf ) );
2651 
2652  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2653 }
2654 
2655 static void ssl_calc_finished_tls_sha256(
2656  ssl_context *ssl, unsigned char *buf, int from )
2657 {
2658  int len = 12;
2659  const char *sender;
2661  unsigned char padbuf[32];
2662 
2663  ssl_session *session = ssl->session_negotiate;
2664  if( !session )
2665  session = ssl->session;
2666 
2667  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2668 
2669  memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
2670 
2671  /*
2672  * TLSv1.2:
2673  * hash = PRF( master, finished_label,
2674  * Hash( handshake ) )[0.11]
2675  */
2676 
2677 #if !defined(POLARSSL_SHA2_ALT)
2678  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2679  sha2.state, sizeof( sha2.state ) );
2680 #endif
2681 
2682  sender = ( from == SSL_IS_CLIENT )
2683  ? "client finished"
2684  : "server finished";
2685 
2686  sha2_finish( &sha2, padbuf );
2687 
2688  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2689  padbuf, 32, buf, len );
2690 
2691  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2692 
2693  memset( &sha2, 0, sizeof( sha2_context ) );
2694 
2695  memset( padbuf, 0, sizeof( padbuf ) );
2696 
2697  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2698 }
2699 
2700 #if defined(POLARSSL_SHA4_C)
2701 static void ssl_calc_finished_tls_sha384(
2702  ssl_context *ssl, unsigned char *buf, int from )
2703 {
2704  int len = 12;
2705  const char *sender;
2707  unsigned char padbuf[48];
2708 
2709  ssl_session *session = ssl->session_negotiate;
2710  if( !session )
2711  session = ssl->session;
2712 
2713  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
2714 
2715  memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
2716 
2717  /*
2718  * TLSv1.2:
2719  * hash = PRF( master, finished_label,
2720  * Hash( handshake ) )[0.11]
2721  */
2722 
2723 #if !defined(POLARSSL_SHA4_ALT)
2724  SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2725  sha4.state, sizeof( sha4.state ) );
2726 #endif
2727 
2728  sender = ( from == SSL_IS_CLIENT )
2729  ? "client finished"
2730  : "server finished";
2731 
2732  sha4_finish( &sha4, padbuf );
2733 
2734  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2735  padbuf, 48, buf, len );
2736 
2737  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2738 
2739  memset( &sha4, 0, sizeof( sha4_context ) );
2740 
2741  memset( padbuf, 0, sizeof( padbuf ) );
2742 
2743  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2744 }
2745 #endif
2746 
2747 void ssl_handshake_wrapup( ssl_context *ssl )
2748 {
2749  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
2750 
2751  /*
2752  * Free our handshake params
2753  */
2754  ssl_handshake_free( ssl->handshake );
2755  free( ssl->handshake );
2756  ssl->handshake = NULL;
2757 
2758  /*
2759  * Switch in our now active transform context
2760  */
2761  if( ssl->transform )
2762  {
2763  ssl_transform_free( ssl->transform );
2764  free( ssl->transform );
2765  }
2766  ssl->transform = ssl->transform_negotiate;
2767  ssl->transform_negotiate = NULL;
2768 
2769  if( ssl->session )
2770  {
2771  ssl_session_free( ssl->session );
2772  free( ssl->session );
2773  }
2774  ssl->session = ssl->session_negotiate;
2775  ssl->session_negotiate = NULL;
2776 
2777  /*
2778  * Add cache entry
2779  */
2780  if( ssl->f_set_cache != NULL )
2781  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
2782  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
2783 
2784  ssl->state++;
2785 
2786  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
2787 }
2788 
2789 int ssl_write_finished( ssl_context *ssl )
2790 {
2791  int ret, hash_len;
2792 
2793  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2794 
2795  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2796 
2797  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2798  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2799 
2800  ssl->verify_data_len = hash_len;
2801  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
2802 
2803  ssl->out_msglen = 4 + hash_len;
2805  ssl->out_msg[0] = SSL_HS_FINISHED;
2806 
2807  /*
2808  * In case of session resuming, invert the client and server
2809  * ChangeCipherSpec messages order.
2810  */
2811  if( ssl->handshake->resume != 0 )
2812  {
2813  if( ssl->endpoint == SSL_IS_CLIENT )
2814  ssl->state = SSL_HANDSHAKE_WRAPUP;
2815  else
2817  }
2818  else
2819  ssl->state++;
2820 
2821  /*
2822  * Switch to our negotiated transform and session parameters for outbound data.
2823  */
2824  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
2825  ssl->transform_out = ssl->transform_negotiate;
2826  ssl->session_out = ssl->session_negotiate;
2827  memset( ssl->out_ctr, 0, 8 );
2828 
2829  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2830  {
2831  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2832  return( ret );
2833  }
2834 
2835  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2836 
2837  return( 0 );
2838 }
2839 
2840 int ssl_parse_finished( ssl_context *ssl )
2841 {
2842  int ret;
2843  unsigned int hash_len;
2844  unsigned char buf[36];
2845 
2846  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2847 
2848  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
2849 
2850  /*
2851  * Switch to our negotiated transform and session parameters for inbound data.
2852  */
2853  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
2854  ssl->transform_in = ssl->transform_negotiate;
2855  ssl->session_in = ssl->session_negotiate;
2856  memset( ssl->in_ctr, 0, 8 );
2857 
2858  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2859  {
2860  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2861  return( ret );
2862  }
2863 
2864  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2865  {
2866  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2868  }
2869 
2870  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2871  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2872 
2873  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2874  ssl->in_hslen != 4 + hash_len )
2875  {
2876  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2878  }
2879 
2880  if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2881  {
2882  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2884  }
2885 
2886  ssl->verify_data_len = hash_len;
2887  memcpy( ssl->peer_verify_data, buf, hash_len );
2888 
2889  if( ssl->handshake->resume != 0 )
2890  {
2891  if( ssl->endpoint == SSL_IS_CLIENT )
2893 
2894  if( ssl->endpoint == SSL_IS_SERVER )
2895  ssl->state = SSL_HANDSHAKE_WRAPUP;
2896  }
2897  else
2898  ssl->state++;
2899 
2900  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2901 
2902  return( 0 );
2903 }
2904 
2905 int ssl_handshake_init( ssl_context *ssl )
2906 {
2907  if( ssl->transform_negotiate )
2909  else
2910  ssl->transform_negotiate = malloc( sizeof(ssl_transform) );
2911 
2912  if( ssl->session_negotiate )
2914  else
2915  ssl->session_negotiate = malloc( sizeof(ssl_session) );
2916 
2917  if( ssl->handshake )
2918  ssl_handshake_free( ssl->handshake );
2919  else
2920  ssl->handshake = malloc( sizeof(ssl_handshake_params) );
2921 
2922  if( ssl->handshake == NULL ||
2923  ssl->transform_negotiate == NULL ||
2924  ssl->session_negotiate == NULL )
2925  {
2926  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
2928  }
2929 
2930  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
2931  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
2932  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
2933 
2934  md5_starts( &ssl->handshake->fin_md5 );
2935  sha1_starts( &ssl->handshake->fin_sha1 );
2936  sha2_starts( &ssl->handshake->fin_sha2, 0 );
2937 #if defined(POLARSSL_SHA4_C)
2938  sha4_starts( &ssl->handshake->fin_sha4, 1 );
2939 #endif
2940 
2941  ssl->handshake->update_checksum = ssl_update_checksum_start;
2943 
2944  return( 0 );
2945 }
2946 
2947 /*
2948  * Initialize an SSL context
2949  */
2950 int ssl_init( ssl_context *ssl )
2951 {
2952  int ret;
2953  int len = SSL_BUFFER_LEN;
2954 
2955  memset( ssl, 0, sizeof( ssl_context ) );
2956 
2957  /*
2958  * Sane defaults
2959  */
2960  ssl->rsa_decrypt = ssl_rsa_decrypt;
2961  ssl->rsa_sign = ssl_rsa_sign;
2962  ssl->rsa_key_len = ssl_rsa_key_len;
2963 
2966 
2967  ssl->ciphersuites = malloc( sizeof(int *) * 4 );
2968  ssl_set_ciphersuites( ssl, ssl_default_ciphersuites );
2969 
2970 #if defined(POLARSSL_DHM_C)
2971  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
2973  ( ret = mpi_read_string( &ssl->dhm_G, 16,
2975  {
2976  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2977  return( ret );
2978  }
2979 #endif
2980 
2981  /*
2982  * Prepare base structures
2983  */
2984  ssl->in_ctr = (unsigned char *) malloc( len );
2985  ssl->in_hdr = ssl->in_ctr + 8;
2986  ssl->in_msg = ssl->in_ctr + 13;
2987 
2988  if( ssl->in_ctr == NULL )
2989  {
2990  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2992  }
2993 
2994  ssl->out_ctr = (unsigned char *) malloc( len );
2995  ssl->out_hdr = ssl->out_ctr + 8;
2996  ssl->out_msg = ssl->out_ctr + 40;
2997 
2998  if( ssl->out_ctr == NULL )
2999  {
3000  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3001  free( ssl-> in_ctr );
3003  }
3004 
3005  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3006  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3007 
3008  ssl->hostname = NULL;
3009  ssl->hostname_len = 0;
3010 
3011  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3012  return( ret );
3013 
3014  return( 0 );
3015 }
3016 
3017 /*
3018  * Reset an initialized and used SSL context for re-use while retaining
3019  * all application-set variables, function pointers and data.
3020  */
3021 int ssl_session_reset( ssl_context *ssl )
3022 {
3023  int ret;
3024 
3025  ssl->state = SSL_HELLO_REQUEST;
3028 
3029  ssl->verify_data_len = 0;
3030  memset( ssl->own_verify_data, 0, 36 );
3031  memset( ssl->peer_verify_data, 0, 36 );
3032 
3033  ssl->in_offt = NULL;
3034 
3035  ssl->in_msgtype = 0;
3036  ssl->in_msglen = 0;
3037  ssl->in_left = 0;
3038 
3039  ssl->in_hslen = 0;
3040  ssl->nb_zero = 0;
3041 
3042  ssl->out_msgtype = 0;
3043  ssl->out_msglen = 0;
3044  ssl->out_left = 0;
3045 
3046  ssl->transform_in = NULL;
3047  ssl->transform_out = NULL;
3048 
3049  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3050  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3051 
3052 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3053  if( ssl_hw_record_reset != NULL)
3054  {
3055  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3056  if( ssl_hw_record_reset( ssl ) != 0 )
3057  {
3058  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3060  }
3061  }
3062 #endif
3063 
3064  if( ssl->transform )
3065  {
3066  ssl_transform_free( ssl->transform );
3067  free( ssl->transform );
3068  ssl->transform = NULL;
3069  }
3070 
3071  if( ssl->session )
3072  {
3073  ssl_session_free( ssl->session );
3074  free( ssl->session );
3075  ssl->session = NULL;
3076  }
3077 
3078  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3079  return( ret );
3080 
3081  return( 0 );
3082 }
3083 
3084 /*
3085  * SSL set accessors
3086  */
3087 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3088 {
3089  ssl->endpoint = endpoint;
3090 }
3091 
3092 void ssl_set_authmode( ssl_context *ssl, int authmode )
3093 {
3094  ssl->authmode = authmode;
3095 }
3096 
3097 void ssl_set_verify( ssl_context *ssl,
3098  int (*f_vrfy)(void *, x509_cert *, int, int *),
3099  void *p_vrfy )
3100 {
3101  ssl->f_vrfy = f_vrfy;
3102  ssl->p_vrfy = p_vrfy;
3103 }
3104 
3105 void ssl_set_rng( ssl_context *ssl,
3106  int (*f_rng)(void *, unsigned char *, size_t),
3107  void *p_rng )
3108 {
3109  ssl->f_rng = f_rng;
3110  ssl->p_rng = p_rng;
3111 }
3112 
3113 void ssl_set_dbg( ssl_context *ssl,
3114  void (*f_dbg)(void *, int, const char *),
3115  void *p_dbg )
3116 {
3117  ssl->f_dbg = f_dbg;
3118  ssl->p_dbg = p_dbg;
3119 }
3120 
3121 void ssl_set_bio( ssl_context *ssl,
3122  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3123  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3124 {
3125  ssl->f_recv = f_recv;
3126  ssl->f_send = f_send;
3127  ssl->p_recv = p_recv;
3128  ssl->p_send = p_send;
3129 }
3130 
3132  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3133  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3134 {
3135  ssl->f_get_cache = f_get_cache;
3136  ssl->p_get_cache = p_get_cache;
3137  ssl->f_set_cache = f_set_cache;
3138  ssl->p_set_cache = p_set_cache;
3139 }
3140 
3141 void ssl_set_session( ssl_context *ssl, const ssl_session *session )
3142 {
3143  memcpy( ssl->session_negotiate, session, sizeof(ssl_session) );
3144  ssl->handshake->resume = 1;
3145 }
3146 
3147 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3148 {
3149  ssl->ciphersuites[SSL_MINOR_VERSION_0] = ciphersuites;
3150  ssl->ciphersuites[SSL_MINOR_VERSION_1] = ciphersuites;
3151  ssl->ciphersuites[SSL_MINOR_VERSION_2] = ciphersuites;
3152  ssl->ciphersuites[SSL_MINOR_VERSION_3] = ciphersuites;
3153 }
3154 
3155 void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
3156  int major, int minor )
3157 {
3158  if( major != SSL_MAJOR_VERSION_3 )
3159  return;
3160 
3161  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3162  return;
3163 
3164  ssl->ciphersuites[minor] = ciphersuites;
3165 }
3166 
3167 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
3168  x509_crl *ca_crl, const char *peer_cn )
3169 {
3170  ssl->ca_chain = ca_chain;
3171  ssl->ca_crl = ca_crl;
3172  ssl->peer_cn = peer_cn;
3173 }
3174 
3175 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
3176  rsa_context *rsa_key )
3177 {
3178  ssl->own_cert = own_cert;
3179  ssl->rsa_key = rsa_key;
3180 }
3181 
3182 void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
3183  void *rsa_key,
3184  rsa_decrypt_func rsa_decrypt,
3185  rsa_sign_func rsa_sign,
3186  rsa_key_len_func rsa_key_len )
3187 {
3188  ssl->own_cert = own_cert;
3189  ssl->rsa_key = rsa_key;
3190  ssl->rsa_decrypt = rsa_decrypt;
3191  ssl->rsa_sign = rsa_sign;
3192  ssl->rsa_key_len = rsa_key_len;
3193 }
3194 
3195 
3196 #if defined(POLARSSL_DHM_C)
3197 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3198 {
3199  int ret;
3200 
3201  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3202  {
3203  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3204  return( ret );
3205  }
3206 
3207  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3208  {
3209  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3210  return( ret );
3211  }
3212 
3213  return( 0 );
3214 }
3215 
3216 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3217 {
3218  int ret;
3219 
3220  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3221  {
3222  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3223  return( ret );
3224  }
3225 
3226  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3227  {
3228  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3229  return( ret );
3230  }
3231 
3232  return( 0 );
3233 }
3234 #endif /* POLARSSL_DHM_C */
3235 
3236 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3237 {
3238  if( hostname == NULL )
3240 
3241  ssl->hostname_len = strlen( hostname );
3242  ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
3243 
3244  if( ssl->hostname == NULL )
3246 
3247  memcpy( ssl->hostname, (const unsigned char *) hostname,
3248  ssl->hostname_len );
3249 
3250  ssl->hostname[ssl->hostname_len] = '\0';
3251 
3252  return( 0 );
3253 }
3254 
3255 void ssl_set_sni( ssl_context *ssl,
3256  int (*f_sni)(void *, ssl_context *,
3257  const unsigned char *, size_t),
3258  void *p_sni )
3259 {
3260  ssl->f_sni = f_sni;
3261  ssl->p_sni = p_sni;
3262 }
3263 
3264 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3265 {
3266  ssl->max_major_ver = major;
3267  ssl->max_minor_ver = minor;
3268 }
3269 
3270 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3271 {
3272  ssl->min_major_ver = major;
3273  ssl->min_minor_ver = minor;
3274 }
3275 
3276 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3277 {
3278  ssl->disable_renegotiation = renegotiation;
3279 }
3280 
3281 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3282 {
3283  ssl->allow_legacy_renegotiation = allow_legacy;
3284 }
3285 
3286 /*
3287  * SSL get accessors
3288  */
3289 size_t ssl_get_bytes_avail( const ssl_context *ssl )
3290 {
3291  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3292 }
3293 
3294 int ssl_get_verify_result( const ssl_context *ssl )
3295 {
3296  return( ssl->verify_result );
3297 }
3298 
3299 const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
3300 {
3301  switch( ciphersuite_id )
3302  {
3303 #if defined(POLARSSL_ARC4_C)
3305  return( "TLS-RSA-WITH-RC4-128-MD5" );
3306 
3308  return( "TLS-RSA-WITH-RC4-128-SHA" );
3309 #endif
3310 
3311 #if defined(POLARSSL_DES_C)
3313  return( "TLS-RSA-WITH-3DES-EDE-CBC-SHA" );
3314 
3316  return( "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA" );
3317 #endif
3318 
3319 #if defined(POLARSSL_AES_C)
3321  return( "TLS-RSA-WITH-AES-128-CBC-SHA" );
3322 
3324  return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA" );
3325 
3327  return( "TLS-RSA-WITH-AES-256-CBC-SHA" );
3328 
3330  return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA" );
3331 
3332 #if defined(POLARSSL_SHA2_C)
3334  return( "TLS-RSA-WITH-AES-128-CBC-SHA256" );
3335 
3337  return( "TLS-RSA-WITH-AES-256-CBC-SHA256" );
3338 
3340  return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256" );
3341 
3343  return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" );
3344 #endif
3345 
3346 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3348  return( "TLS-RSA-WITH-AES-128-GCM-SHA256" );
3349 
3351  return( "TLS-RSA-WITH-AES-256-GCM-SHA384" );
3352 #endif
3353 
3354 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3356  return( "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" );
3357 
3359  return( "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" );
3360 #endif
3361 #endif /* POLARSSL_AES_C */
3362 
3363 #if defined(POLARSSL_CAMELLIA_C)
3365  return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" );
3366 
3368  return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA" );
3369 
3371  return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA" );
3372 
3374  return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA" );
3375 
3376 #if defined(POLARSSL_SHA2_C)
3378  return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
3379 
3381  return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
3382 
3384  return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
3385 
3387  return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
3388 #endif
3389 #endif
3390 
3391 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3392 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
3393  case TLS_RSA_WITH_NULL_MD5:
3394  return( "TLS-RSA-WITH-NULL-MD5" );
3395  case TLS_RSA_WITH_NULL_SHA:
3396  return( "TLS-RSA-WITH-NULL-SHA" );
3398  return( "TLS-RSA-WITH-NULL-SHA256" );
3399 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3400 
3401 #if defined(POLARSSL_DES_C)
3403  return( "TLS-RSA-WITH-DES-CBC-SHA" );
3405  return( "TLS-DHE-RSA-WITH-DES-CBC-SHA" );
3406 #endif
3407 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3408 
3409  default:
3410  break;
3411  }
3412 
3413  return( "unknown" );
3414 }
3415 
3416 int ssl_get_ciphersuite_id( const char *ciphersuite_name )
3417 {
3418 #if defined(POLARSSL_ARC4_C)
3419  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-MD5"))
3420  return( TLS_RSA_WITH_RC4_128_MD5 );
3421  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-SHA"))
3422  return( TLS_RSA_WITH_RC4_128_SHA );
3423 #endif
3424 
3425 #if defined(POLARSSL_DES_C)
3426  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-3DES-EDE-CBC-SHA"))
3428  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"))
3430 #endif
3431 
3432 #if defined(POLARSSL_AES_C)
3433  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA"))
3434  return( TLS_RSA_WITH_AES_128_CBC_SHA );
3435  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"))
3437  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA"))
3438  return( TLS_RSA_WITH_AES_256_CBC_SHA );
3439  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"))
3441 
3442 #if defined(POLARSSL_SHA2_C)
3443  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA256"))
3445  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA256"))
3447  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"))
3449  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"))
3451 #endif
3452 
3453 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3454  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-GCM-SHA256"))
3456  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-GCM-SHA384"))
3458 #endif
3459 
3460 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3461  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"))
3463  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"))
3465 #endif
3466 #endif
3467 
3468 #if defined(POLARSSL_CAMELLIA_C)
3469  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"))
3471  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"))
3473  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"))
3475  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"))
3477 
3478 #if defined(POLARSSL_SHA2_C)
3479  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
3481  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
3483  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
3485  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
3487 #endif
3488 #endif
3489 
3490 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3491 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
3492  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-MD5"))
3493  return( TLS_RSA_WITH_NULL_MD5 );
3494  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA"))
3495  return( TLS_RSA_WITH_NULL_SHA );
3496  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA256"))
3497  return( TLS_RSA_WITH_NULL_SHA256 );
3498 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3499 
3500 #if defined(POLARSSL_DES_C)
3501  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-DES-CBC-SHA"))
3502  return( TLS_RSA_WITH_DES_CBC_SHA );
3503  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-DES-CBC-SHA"))
3504  return( TLS_DHE_RSA_WITH_DES_CBC_SHA );
3505 #endif
3506 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3507 
3508  return( 0 );
3509 }
3510 
3511 const char *ssl_get_ciphersuite( const ssl_context *ssl )
3512 {
3513  if( ssl == NULL || ssl->session == NULL )
3514  return NULL;
3515 
3517 }
3518 
3519 const char *ssl_get_version( const ssl_context *ssl )
3520 {
3521  switch( ssl->minor_ver )
3522  {
3523  case SSL_MINOR_VERSION_0:
3524  return( "SSLv3.0" );
3525 
3526  case SSL_MINOR_VERSION_1:
3527  return( "TLSv1.0" );
3528 
3529  case SSL_MINOR_VERSION_2:
3530  return( "TLSv1.1" );
3531 
3532  case SSL_MINOR_VERSION_3:
3533  return( "TLSv1.2" );
3534 
3535  default:
3536  break;
3537  }
3538  return( "unknown" );
3539 }
3540 
3541 const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
3542 {
3543  if( ssl == NULL || ssl->session == NULL )
3544  return NULL;
3545 
3546  return ssl->session->peer_cert;
3547 }
3548 
3549 const int ssl_default_ciphersuites[] =
3550 {
3551 #if defined(POLARSSL_DHM_C)
3552 #if defined(POLARSSL_AES_C)
3553 #if defined(POLARSSL_SHA2_C)
3555 #endif /* POLARSSL_SHA2_C */
3556 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3558 #endif
3560 #if defined(POLARSSL_SHA2_C)
3562 #endif
3563 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3565 #endif
3567 #endif
3568 #if defined(POLARSSL_CAMELLIA_C)
3569 #if defined(POLARSSL_SHA2_C)
3571 #endif /* POLARSSL_SHA2_C */
3573 #if defined(POLARSSL_SHA2_C)
3575 #endif /* POLARSSL_SHA2_C */
3577 #endif
3578 #if defined(POLARSSL_DES_C)
3580 #endif
3581 #endif
3582 
3583 #if defined(POLARSSL_AES_C)
3584 #if defined(POLARSSL_SHA2_C)
3586 #endif /* POLARSSL_SHA2_C */
3587 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3589 #endif /* POLARSSL_SHA2_C */
3591 #endif
3592 #if defined(POLARSSL_CAMELLIA_C)
3593 #if defined(POLARSSL_SHA2_C)
3595 #endif /* POLARSSL_SHA2_C */
3597 #endif
3598 #if defined(POLARSSL_AES_C)
3599 #if defined(POLARSSL_SHA2_C)
3601 #endif /* POLARSSL_SHA2_C */
3602 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3604 #endif /* POLARSSL_SHA2_C */
3606 #endif
3607 #if defined(POLARSSL_CAMELLIA_C)
3608 #if defined(POLARSSL_SHA2_C)
3610 #endif /* POLARSSL_SHA2_C */
3612 #endif
3613 #if defined(POLARSSL_DES_C)
3615 #endif
3616 #if defined(POLARSSL_ARC4_C)
3619 #endif
3620  0
3621 };
3622 
3623 /*
3624  * Perform a single step of the SSL handshake
3625  */
3626 int ssl_handshake_step( ssl_context *ssl )
3627 {
3629 
3630 #if defined(POLARSSL_SSL_CLI_C)
3631  if( ssl->endpoint == SSL_IS_CLIENT )
3632  ret = ssl_handshake_client_step( ssl );
3633 #endif
3634 
3635 #if defined(POLARSSL_SSL_SRV_C)
3636  if( ssl->endpoint == SSL_IS_SERVER )
3637  ret = ssl_handshake_server_step( ssl );
3638 #endif
3639 
3640  return( ret );
3641 }
3642 
3643 /*
3644  * Perform the SSL handshake
3645  */
3646 int ssl_handshake( ssl_context *ssl )
3647 {
3648  int ret = 0;
3649 
3650  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3651 
3652  while( ssl->state != SSL_HANDSHAKE_OVER )
3653  {
3654  ret = ssl_handshake_step( ssl );
3655 
3656  if( ret != 0 )
3657  break;
3658  }
3659 
3660  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3661 
3662  return( ret );
3663 }
3664 
3665 /*
3666  * Renegotiate current connection
3667  */
3668 int ssl_renegotiate( ssl_context *ssl )
3669 {
3670  int ret;
3671 
3672  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
3673 
3674  if( ssl->state != SSL_HANDSHAKE_OVER )
3676 
3677  ssl->state = SSL_HELLO_REQUEST;
3679 
3680  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3681  return( ret );
3682 
3683  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3684  {
3685  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3686  return( ret );
3687  }
3688 
3689  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
3690 
3691  return( 0 );
3692 }
3693 
3694 /*
3695  * Receive application data decrypted from the SSL layer
3696  */
3697 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
3698 {
3699  int ret;
3700  size_t n;
3701 
3702  SSL_DEBUG_MSG( 2, ( "=> read" ) );
3703 
3704  if( ssl->state != SSL_HANDSHAKE_OVER )
3705  {
3706  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3707  {
3708  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3709  return( ret );
3710  }
3711  }
3712 
3713  if( ssl->in_offt == NULL )
3714  {
3715  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3716  {
3717  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3718  return( 0 );
3719 
3720  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3721  return( ret );
3722  }
3723 
3724  if( ssl->in_msglen == 0 &&
3726  {
3727  /*
3728  * OpenSSL sends empty messages to randomize the IV
3729  */
3730  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3731  {
3732  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3733  return( 0 );
3734 
3735  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3736  return( ret );
3737  }
3738  }
3739 
3740  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
3741  {
3742  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
3743 
3744  if( ssl->endpoint == SSL_IS_CLIENT &&
3745  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
3746  ssl->in_hslen != 4 ) )
3747  {
3748  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
3750  }
3751 
3755  {
3756  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
3757 
3758  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
3759  {
3760  /*
3761  * SSLv3 does not have a "no_renegotiation" alert
3762  */
3763  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
3764  return( ret );
3765  }
3766  else
3767  {
3768  if( ( ret = ssl_send_alert_message( ssl,
3771  {
3772  return( ret );
3773  }
3774  }
3775  }
3776  else
3777  {
3778  if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
3779  {
3780  SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
3781  return( ret );
3782  }
3783 
3784  return( POLARSSL_ERR_NET_WANT_READ );
3785  }
3786  }
3787  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3788  {
3789  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
3791  }
3792 
3793  ssl->in_offt = ssl->in_msg;
3794  }
3795 
3796  n = ( len < ssl->in_msglen )
3797  ? len : ssl->in_msglen;
3798 
3799  memcpy( buf, ssl->in_offt, n );
3800  ssl->in_msglen -= n;
3801 
3802  if( ssl->in_msglen == 0 )
3803  /* all bytes consumed */
3804  ssl->in_offt = NULL;
3805  else
3806  /* more data available */
3807  ssl->in_offt += n;
3808 
3809  SSL_DEBUG_MSG( 2, ( "<= read" ) );
3810 
3811  return( (int) n );
3812 }
3813 
3814 /*
3815  * Send application data to be encrypted by the SSL layer
3816  */
3817 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
3818 {
3819  int ret;
3820  size_t n;
3821 
3822  SSL_DEBUG_MSG( 2, ( "=> write" ) );
3823 
3824  if( ssl->state != SSL_HANDSHAKE_OVER )
3825  {
3826  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3827  {
3828  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3829  return( ret );
3830  }
3831  }
3832 
3833  n = ( len < SSL_MAX_CONTENT_LEN )
3834  ? len : SSL_MAX_CONTENT_LEN;
3835 
3836  if( ssl->out_left != 0 )
3837  {
3838  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3839  {
3840  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3841  return( ret );
3842  }
3843  }
3844  else
3845  {
3846  ssl->out_msglen = n;
3848  memcpy( ssl->out_msg, buf, n );
3849 
3850  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3851  {
3852  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3853  return( ret );
3854  }
3855  }
3856 
3857  SSL_DEBUG_MSG( 2, ( "<= write" ) );
3858 
3859  return( (int) n );
3860 }
3861 
3862 /*
3863  * Notify the peer that the connection is being closed
3864  */
3865 int ssl_close_notify( ssl_context *ssl )
3866 {
3867  int ret;
3868 
3869  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3870 
3871  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3872  {
3873  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3874  return( ret );
3875  }
3876 
3877  if( ssl->state == SSL_HANDSHAKE_OVER )
3878  {
3879  if( ( ret = ssl_send_alert_message( ssl,
3881  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
3882  {
3883  return( ret );
3884  }
3885  }
3886 
3887  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3888 
3889  return( ret );
3890 }
3891 
3892 void ssl_transform_free( ssl_transform *transform )
3893 {
3894 #if defined(POLARSSL_ZLIB_SUPPORT)
3895  deflateEnd( &transform->ctx_deflate );
3896  inflateEnd( &transform->ctx_inflate );
3897 #endif
3898 
3899  memset( transform, 0, sizeof( ssl_transform ) );
3900 }
3901 
3902 void ssl_handshake_free( ssl_handshake_params *handshake )
3903 {
3904 #if defined(POLARSSL_DHM_C)
3905  dhm_free( &handshake->dhm_ctx );
3906 #endif
3907  memset( handshake, 0, sizeof( ssl_handshake_params ) );
3908 }
3909 
3910 void ssl_session_free( ssl_session *session )
3911 {
3912  if( session->peer_cert != NULL )
3913  {
3914  x509_free( session->peer_cert );
3915  free( session->peer_cert );
3916  }
3917 
3918  memset( session, 0, sizeof( ssl_session ) );
3919 }
3920 
3921 /*
3922  * Free an SSL context
3923  */
3924 void ssl_free( ssl_context *ssl )
3925 {
3926  SSL_DEBUG_MSG( 2, ( "=> free" ) );
3927 
3928  free( ssl->ciphersuites );
3929 
3930  if( ssl->out_ctr != NULL )
3931  {
3932  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3933  free( ssl->out_ctr );
3934  }
3935 
3936  if( ssl->in_ctr != NULL )
3937  {
3938  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3939  free( ssl->in_ctr );
3940  }
3941 
3942 #if defined(POLARSSL_DHM_C)
3943  mpi_free( &ssl->dhm_P );
3944  mpi_free( &ssl->dhm_G );
3945 #endif
3946 
3947  if( ssl->transform )
3948  {
3949  ssl_transform_free( ssl->transform );
3950  free( ssl->transform );
3951  }
3952 
3953  if( ssl->handshake )
3954  {
3955  ssl_handshake_free( ssl->handshake );
3958 
3959  free( ssl->handshake );
3960  free( ssl->transform_negotiate );
3961  free( ssl->session_negotiate );
3962  }
3963 
3964  if( ssl->session )
3965  {
3966  ssl_session_free( ssl->session );
3967  free( ssl->session );
3968  }
3969 
3970  if ( ssl->hostname != NULL)
3971  {
3972  memset( ssl->hostname, 0, ssl->hostname_len );
3973  free( ssl->hostname );
3974  ssl->hostname_len = 0;
3975  }
3976 
3977 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3978  if( ssl_hw_record_finish != NULL )
3979  {
3980  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3981  ssl_hw_record_finish( ssl );
3982  }
3983 #endif
3984 
3985  SSL_DEBUG_MSG( 2, ( "<= free" ) );
3986 
3987  /* Actually clear after last debug message */
3988  memset( ssl, 0, sizeof( ssl_context ) );
3989 }
3990 
3991 #endif