PolarSSL v1.3.1
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #include "polarssl/config.h"
35 
36 #if defined(POLARSSL_SSL_TLS_C)
37 
38 #include "polarssl/debug.h"
39 #include "polarssl/ssl.h"
40 
41 #if defined(POLARSSL_MEMORY_C)
42 #include "polarssl/memory.h"
43 #else
44 #define polarssl_malloc malloc
45 #define polarssl_free free
46 #endif
47 
48 #include <stdlib.h>
49 
50 #if defined _MSC_VER && !defined strcasecmp
51 #define strcasecmp _stricmp
52 #endif
53 
54 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
55 /*
56  * Convert max_fragment_length codes to length.
57  * RFC 6066 says:
58  * enum{
59  * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
60  * } MaxFragmentLength;
61  * and we add 0 -> extension unused
62  */
63 static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
64 {
65  SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
66  512, /* SSL_MAX_FRAG_LEN_512 */
67  1024, /* SSL_MAX_FRAG_LEN_1024 */
68  2048, /* SSL_MAX_FRAG_LEN_2048 */
69  4096, /* SSL_MAX_FRAG_LEN_4096 */
70 };
71 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
72 
73 static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
74 {
75  ssl_session_free( dst );
76  memcpy( dst, src, sizeof( ssl_session ) );
77 
78 #if defined(POLARSSL_X509_CRT_PARSE_C)
79  if( src->peer_cert != NULL )
80  {
81  int ret;
82 
83  dst->peer_cert = (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
84  if( dst->peer_cert == NULL )
86 
87  x509_crt_init( dst->peer_cert );
88 
89  if( ( ret = x509_crt_parse( dst->peer_cert, src->peer_cert->raw.p,
90  src->peer_cert->raw.len ) != 0 ) )
91  {
92  polarssl_free( dst->peer_cert );
93  dst->peer_cert = NULL;
94  return( ret );
95  }
96  }
97 #endif /* POLARSSL_X509_CRT_PARSE_C */
98 
99 #if defined(POLARSSL_SSL_SESSION_TICKETS)
100  if( src->ticket != NULL )
101  {
102  dst->ticket = (unsigned char *) polarssl_malloc( src->ticket_len );
103  if( dst->ticket == NULL )
105 
106  memcpy( dst->ticket, src->ticket, src->ticket_len );
107  }
108 #endif /* POLARSSL_SSL_SESSION_TICKETS */
109 
110  return( 0 );
111 }
112 
113 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
114 int (*ssl_hw_record_init)(ssl_context *ssl,
115  const unsigned char *key_enc, const unsigned char *key_dec,
116  size_t keylen,
117  const unsigned char *iv_enc, const unsigned char *iv_dec,
118  size_t ivlen,
119  const unsigned char *mac_enc, const unsigned char *mac_dec,
120  size_t maclen) = NULL;
121 int (*ssl_hw_record_activate)(ssl_context *ssl, int direction) = NULL;
122 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
123 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
124 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
125 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
126 #endif
127 
128 /*
129  * Key material generation
130  */
131 #if defined(POLARSSL_SSL_PROTO_SSL3)
132 static int ssl3_prf( const unsigned char *secret, size_t slen,
133  const char *label,
134  const unsigned char *random, size_t rlen,
135  unsigned char *dstbuf, size_t dlen )
136 {
137  size_t i;
140  unsigned char padding[16];
141  unsigned char sha1sum[20];
142  ((void)label);
143 
144  /*
145  * SSLv3:
146  * block =
147  * MD5( secret + SHA1( 'A' + secret + random ) ) +
148  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
149  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
150  * ...
151  */
152  for( i = 0; i < dlen / 16; i++ )
153  {
154  memset( padding, (unsigned char) ('A' + i), 1 + i );
155 
156  sha1_starts( &sha1 );
157  sha1_update( &sha1, padding, 1 + i );
158  sha1_update( &sha1, secret, slen );
159  sha1_update( &sha1, random, rlen );
160  sha1_finish( &sha1, sha1sum );
161 
162  md5_starts( &md5 );
163  md5_update( &md5, secret, slen );
164  md5_update( &md5, sha1sum, 20 );
165  md5_finish( &md5, dstbuf + i * 16 );
166  }
167 
168  memset( &md5, 0, sizeof( md5 ) );
169  memset( &sha1, 0, sizeof( sha1 ) );
170 
171  memset( padding, 0, sizeof( padding ) );
172  memset( sha1sum, 0, sizeof( sha1sum ) );
173 
174  return( 0 );
175 }
176 #endif /* POLARSSL_SSL_PROTO_SSL3 */
177 
178 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
179 static int tls1_prf( const unsigned char *secret, size_t slen,
180  const char *label,
181  const unsigned char *random, size_t rlen,
182  unsigned char *dstbuf, size_t dlen )
183 {
184  size_t nb, hs;
185  size_t i, j, k;
186  const unsigned char *S1, *S2;
187  unsigned char tmp[128];
188  unsigned char h_i[20];
189 
190  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
192 
193  hs = ( slen + 1 ) / 2;
194  S1 = secret;
195  S2 = secret + slen - hs;
196 
197  nb = strlen( label );
198  memcpy( tmp + 20, label, nb );
199  memcpy( tmp + 20 + nb, random, rlen );
200  nb += rlen;
201 
202  /*
203  * First compute P_md5(secret,label+random)[0..dlen]
204  */
205  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
206 
207  for( i = 0; i < dlen; i += 16 )
208  {
209  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
210  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
211 
212  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
213 
214  for( j = 0; j < k; j++ )
215  dstbuf[i + j] = h_i[j];
216  }
217 
218  /*
219  * XOR out with P_sha1(secret,label+random)[0..dlen]
220  */
221  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
222 
223  for( i = 0; i < dlen; i += 20 )
224  {
225  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
226  sha1_hmac( S2, hs, tmp, 20, tmp );
227 
228  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
229 
230  for( j = 0; j < k; j++ )
231  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
232  }
233 
234  memset( tmp, 0, sizeof( tmp ) );
235  memset( h_i, 0, sizeof( h_i ) );
236 
237  return( 0 );
238 }
239 #endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
240 
241 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
242 #if defined(POLARSSL_SHA256_C)
243 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
244  const char *label,
245  const unsigned char *random, size_t rlen,
246  unsigned char *dstbuf, size_t dlen )
247 {
248  size_t nb;
249  size_t i, j, k;
250  unsigned char tmp[128];
251  unsigned char h_i[32];
252 
253  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
255 
256  nb = strlen( label );
257  memcpy( tmp + 32, label, nb );
258  memcpy( tmp + 32 + nb, random, rlen );
259  nb += rlen;
260 
261  /*
262  * Compute P_<hash>(secret, label + random)[0..dlen]
263  */
264  sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
265 
266  for( i = 0; i < dlen; i += 32 )
267  {
268  sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
269  sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
270 
271  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
272 
273  for( j = 0; j < k; j++ )
274  dstbuf[i + j] = h_i[j];
275  }
276 
277  memset( tmp, 0, sizeof( tmp ) );
278  memset( h_i, 0, sizeof( h_i ) );
279 
280  return( 0 );
281 }
282 #endif /* POLARSSL_SHA256_C */
283 
284 #if defined(POLARSSL_SHA512_C)
285 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
286  const char *label,
287  const unsigned char *random, size_t rlen,
288  unsigned char *dstbuf, size_t dlen )
289 {
290  size_t nb;
291  size_t i, j, k;
292  unsigned char tmp[128];
293  unsigned char h_i[48];
294 
295  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
297 
298  nb = strlen( label );
299  memcpy( tmp + 48, label, nb );
300  memcpy( tmp + 48 + nb, random, rlen );
301  nb += rlen;
302 
303  /*
304  * Compute P_<hash>(secret, label + random)[0..dlen]
305  */
306  sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
307 
308  for( i = 0; i < dlen; i += 48 )
309  {
310  sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
311  sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
312 
313  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
314 
315  for( j = 0; j < k; j++ )
316  dstbuf[i + j] = h_i[j];
317  }
318 
319  memset( tmp, 0, sizeof( tmp ) );
320  memset( h_i, 0, sizeof( h_i ) );
321 
322  return( 0 );
323 }
324 #endif /* POLARSSL_SHA512_C */
325 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
326 
327 static void ssl_update_checksum_start(ssl_context *, const unsigned char *, size_t);
328 
329 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
330  defined(POLARSSL_SSL_PROTO_TLS1_1)
331 static void ssl_update_checksum_md5sha1(ssl_context *, const unsigned char *, size_t);
332 #endif
333 
334 #if defined(POLARSSL_SSL_PROTO_SSL3)
335 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
336 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
337 #endif
338 
339 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
340 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
341 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
342 #endif
343 
344 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
345 #if defined(POLARSSL_SHA256_C)
346 static void ssl_update_checksum_sha256(ssl_context *, const unsigned char *, size_t);
347 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
348 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
349 #endif
350 
351 #if defined(POLARSSL_SHA512_C)
352 static void ssl_update_checksum_sha384(ssl_context *, const unsigned char *, size_t);
353 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
354 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
355 #endif
356 #endif
357 
358 int ssl_derive_keys( ssl_context *ssl )
359 {
360  int ret = 0;
361  unsigned char tmp[64];
362  unsigned char keyblk[256];
363  unsigned char *key1;
364  unsigned char *key2;
365  unsigned char *mac_enc;
366  unsigned char *mac_dec;
367  size_t iv_copy_len;
368  const cipher_info_t *cipher_info;
369  const md_info_t *md_info;
370 
371  ssl_session *session = ssl->session_negotiate;
372  ssl_transform *transform = ssl->transform_negotiate;
373  ssl_handshake_params *handshake = ssl->handshake;
374 
375  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
376 
377  cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
378  if( cipher_info == NULL )
379  {
380  SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
381  transform->ciphersuite_info->cipher ) );
383  }
384 
385  md_info = md_info_from_type( transform->ciphersuite_info->mac );
386  if( md_info == NULL )
387  {
388  SSL_DEBUG_MSG( 1, ( "md info for %d not found",
389  transform->ciphersuite_info->mac ) );
391  }
392 
393  /*
394  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
395  */
396 #if defined(POLARSSL_SSL_PROTO_SSL3)
397  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
398  {
399  handshake->tls_prf = ssl3_prf;
400  handshake->calc_verify = ssl_calc_verify_ssl;
401  handshake->calc_finished = ssl_calc_finished_ssl;
402  }
403  else
404 #endif
405 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
406  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
407  {
408  handshake->tls_prf = tls1_prf;
409  handshake->calc_verify = ssl_calc_verify_tls;
410  handshake->calc_finished = ssl_calc_finished_tls;
411  }
412  else
413 #endif
414 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
415 #if defined(POLARSSL_SHA512_C)
416  if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
417  transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
418  {
419  handshake->tls_prf = tls_prf_sha384;
420  handshake->calc_verify = ssl_calc_verify_tls_sha384;
421  handshake->calc_finished = ssl_calc_finished_tls_sha384;
422  }
423  else
424 #endif
425 #if defined(POLARSSL_SHA256_C)
426  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
427  {
428  handshake->tls_prf = tls_prf_sha256;
429  handshake->calc_verify = ssl_calc_verify_tls_sha256;
430  handshake->calc_finished = ssl_calc_finished_tls_sha256;
431  }
432  else
433 #endif
434 #endif
435  {
436  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
438  }
439 
440  /*
441  * SSLv3:
442  * master =
443  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
444  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
445  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
446  *
447  * TLSv1+:
448  * master = PRF( premaster, "master secret", randbytes )[0..47]
449  */
450  if( handshake->resume == 0 )
451  {
452  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
453  handshake->pmslen );
454 
455  handshake->tls_prf( handshake->premaster, handshake->pmslen,
456  "master secret",
457  handshake->randbytes, 64, session->master, 48 );
458 
459  memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
460  }
461  else
462  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
463 
464  /*
465  * Swap the client and server random values.
466  */
467  memcpy( tmp, handshake->randbytes, 64 );
468  memcpy( handshake->randbytes, tmp + 32, 32 );
469  memcpy( handshake->randbytes + 32, tmp, 32 );
470  memset( tmp, 0, sizeof( tmp ) );
471 
472  /*
473  * SSLv3:
474  * key block =
475  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
476  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
477  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
478  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
479  * ...
480  *
481  * TLSv1:
482  * key block = PRF( master, "key expansion", randbytes )
483  */
484  handshake->tls_prf( session->master, 48, "key expansion",
485  handshake->randbytes, 64, keyblk, 256 );
486 
487  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
488  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
489  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
490  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
491  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
492 
493  memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
494 
495  /*
496  * Determine the appropriate key, IV and MAC length.
497  */
498 
499  if( cipher_info->mode == POLARSSL_MODE_GCM )
500  {
501  transform->keylen = cipher_info->key_length;
502  transform->keylen /= 8;
503  transform->minlen = 1;
504  transform->ivlen = 12;
505  transform->fixed_ivlen = 4;
506  transform->maclen = 0;
507  }
508  else
509  {
510  if( md_info->type != POLARSSL_MD_NONE )
511  {
512  int ret;
513 
514  if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 )
515  {
516  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
517  return( ret );
518  }
519 
520  if( ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
521  {
522  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
523  return( ret );
524  }
525 
526  transform->maclen = md_get_size( md_info );
527 
528 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
529  /*
530  * If HMAC is to be truncated, we shall keep the leftmost bytes,
531  * (rfc 6066 page 13 or rfc 2104 section 4),
532  * so we only need to adjust the length here.
533  */
534  if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
535  transform->maclen = SSL_TRUNCATED_HMAC_LEN;
536 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
537  }
538 
539  transform->keylen = cipher_info->key_length;
540  transform->keylen /= 8;
541  transform->ivlen = cipher_info->iv_size;
542 
543  transform->minlen = transform->keylen;
544  if( transform->minlen < transform->maclen )
545  {
546  if( cipher_info->mode == POLARSSL_MODE_STREAM )
547  transform->minlen = transform->maclen;
548  else
549  transform->minlen += transform->keylen;
550  }
551  }
552 
553  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
554  transform->keylen, transform->minlen, transform->ivlen,
555  transform->maclen ) );
556 
557  /*
558  * Finally setup the cipher contexts, IVs and MAC secrets.
559  */
560  if( ssl->endpoint == SSL_IS_CLIENT )
561  {
562  key1 = keyblk + transform->maclen * 2;
563  key2 = keyblk + transform->maclen * 2 + transform->keylen;
564 
565  mac_enc = keyblk;
566  mac_dec = keyblk + transform->maclen;
567 
568  /*
569  * This is not used in TLS v1.1.
570  */
571  iv_copy_len = ( transform->fixed_ivlen ) ?
572  transform->fixed_ivlen : transform->ivlen;
573  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
574  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
575  iv_copy_len );
576  }
577  else
578  {
579  key1 = keyblk + transform->maclen * 2 + transform->keylen;
580  key2 = keyblk + transform->maclen * 2;
581 
582  mac_enc = keyblk + transform->maclen;
583  mac_dec = keyblk;
584 
585  /*
586  * This is not used in TLS v1.1.
587  */
588  iv_copy_len = ( transform->fixed_ivlen ) ?
589  transform->fixed_ivlen : transform->ivlen;
590  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
591  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
592  iv_copy_len );
593  }
594 
595 #if defined(POLARSSL_SSL_PROTO_SSL3)
596  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
597  {
598  memcpy( transform->mac_enc, mac_enc, transform->maclen );
599  memcpy( transform->mac_dec, mac_dec, transform->maclen );
600  }
601  else
602 #endif
603 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
604  defined(POLARSSL_SSL_PROTO_TLS1_2)
605  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
606  {
607  md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
608  md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
609  }
610  else
611 #endif
612  {
613  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
615  }
616 
617 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
618  if( ssl_hw_record_init != NULL)
619  {
620  int ret = 0;
621 
622  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
623 
624  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
625  transform->iv_enc, transform->iv_dec,
626  iv_copy_len,
627  mac_enc, mac_dec,
628  transform->maclen ) ) != 0 )
629  {
630  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
632  }
633  }
634 #endif
635 
636  switch( cipher_info->type )
637  {
647  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
648  cipher_info ) ) != 0 )
649  {
650  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
651  return( ret );
652  }
653 
654  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
655  cipher_info ) ) != 0 )
656  {
657  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
658  return( ret );
659  }
660 
661  if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
662  cipher_info->key_length,
663  POLARSSL_ENCRYPT ) ) != 0 )
664  {
665  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
666  return( ret );
667  }
668 
669  if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
670  cipher_info->key_length,
671  POLARSSL_DECRYPT ) ) != 0 )
672  {
673  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
674  return( ret );
675  }
676 
677 #if defined(POLARSSL_CIPHER_MODE_CBC)
678  if( cipher_info->mode == POLARSSL_MODE_CBC )
679  {
680  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
681  POLARSSL_PADDING_NONE ) ) != 0 )
682  {
683  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
684  return( ret );
685  }
686 
687  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
688  POLARSSL_PADDING_NONE ) ) != 0 )
689  {
690  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
691  return( ret );
692  }
693  }
694 #endif /* POLARSSL_CIPHER_MODE_CBC */
695  break;
696 
698  break;
699 
700  default:
702  }
703 
704  memset( keyblk, 0, sizeof( keyblk ) );
705 
706 #if defined(POLARSSL_ZLIB_SUPPORT)
707  // Initialize compression
708  //
709  if( session->compression == SSL_COMPRESS_DEFLATE )
710  {
711  if( ssl->compress_buf == NULL )
712  {
713  SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
714  ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
715  if( ssl->compress_buf == NULL )
716  {
717  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
718  SSL_BUFFER_LEN ) );
720  }
721  }
722 
723  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
724 
725  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
726  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
727 
728  if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
729  inflateInit( &transform->ctx_inflate ) != Z_OK )
730  {
731  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
733  }
734  }
735 #endif /* POLARSSL_ZLIB_SUPPORT */
736 
737  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
738 
739  return( 0 );
740 }
741 
742 #if defined(POLARSSL_SSL_PROTO_SSL3)
743 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
744 {
747  unsigned char pad_1[48];
748  unsigned char pad_2[48];
749 
750  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
751 
752  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
753  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
754 
755  memset( pad_1, 0x36, 48 );
756  memset( pad_2, 0x5C, 48 );
757 
758  md5_update( &md5, ssl->session_negotiate->master, 48 );
759  md5_update( &md5, pad_1, 48 );
760  md5_finish( &md5, hash );
761 
762  md5_starts( &md5 );
763  md5_update( &md5, ssl->session_negotiate->master, 48 );
764  md5_update( &md5, pad_2, 48 );
765  md5_update( &md5, hash, 16 );
766  md5_finish( &md5, hash );
767 
768  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
769  sha1_update( &sha1, pad_1, 40 );
770  sha1_finish( &sha1, hash + 16 );
771 
772  sha1_starts( &sha1 );
773  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
774  sha1_update( &sha1, pad_2, 40 );
775  sha1_update( &sha1, hash + 16, 20 );
776  sha1_finish( &sha1, hash + 16 );
777 
778  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
779  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
780 
781  return;
782 }
783 #endif
784 
785 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
786 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
787 {
790 
791  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
792 
793  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
794  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
795 
796  md5_finish( &md5, hash );
797  sha1_finish( &sha1, hash + 16 );
798 
799  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
800  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
801 
802  return;
803 }
804 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
805 
806 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
807 #if defined(POLARSSL_SHA256_C)
808 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
809 {
811 
812  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
813 
814  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
815  sha256_finish( &sha256, hash );
816 
817  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
818  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
819 
820  return;
821 }
822 #endif /* POLARSSL_SHA256_C */
823 
824 #if defined(POLARSSL_SHA512_C)
825 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
826 {
828 
829  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
830 
831  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
832  sha512_finish( &sha512, hash );
833 
834  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
835  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
836 
837  return;
838 }
839 #endif /* POLARSSL_SHA512_C */
840 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
841 
842 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
844 {
845  unsigned char *p = ssl->handshake->premaster;
846  unsigned char *end = p + sizeof( ssl->handshake->premaster );
847 
848  /*
849  * PMS = struct {
850  * opaque other_secret<0..2^16-1>;
851  * opaque psk<0..2^16-1>;
852  * };
853  * with "other_secret" depending on the particular key exchange
854  */
855 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
856  if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
857  {
858  if( end - p < 2 + (int) ssl->psk_len )
860 
861  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
862  *(p++) = (unsigned char)( ssl->psk_len );
863  p += ssl->psk_len;
864  }
865  else
866 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
867 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
868  if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
869  {
870  /*
871  * other_secret already set by the ClientKeyExchange message,
872  * and is 48 bytes long
873  */
874  *p++ = 0;
875  *p++ = 48;
876  p += 48;
877  }
878  else
879 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
880 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
881  if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
882  {
883  int ret;
884  size_t len = ssl->handshake->dhm_ctx.len;
885 
886  if( end - p < 2 + (int) len )
888 
889  *(p++) = (unsigned char)( len >> 8 );
890  *(p++) = (unsigned char)( len );
891  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
892  p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
893  {
894  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
895  return( ret );
896  }
897  p += len;
898 
899  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
900  }
901  else
902 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
903 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
904  if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
905  {
906  int ret;
907  size_t zlen;
908 
909  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
910  p + 2, end - (p + 2),
911  ssl->f_rng, ssl->p_rng ) ) != 0 )
912  {
913  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
914  return( ret );
915  }
916 
917  *(p++) = (unsigned char)( zlen >> 8 );
918  *(p++) = (unsigned char)( zlen );
919  p += zlen;
920 
921  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
922  }
923  else
924 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
925  {
926  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
928  }
929 
930  /* opaque psk<0..2^16-1>; */
931  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
932  *(p++) = (unsigned char)( ssl->psk_len );
933  memcpy( p, ssl->psk, ssl->psk_len );
934  p += ssl->psk_len;
935 
936  ssl->handshake->pmslen = p - ssl->handshake->premaster;
937 
938  return( 0 );
939 }
940 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
941 
942 #if defined(POLARSSL_SSL_PROTO_SSL3)
943 /*
944  * SSLv3.0 MAC functions
945  */
946 static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
947  unsigned char *buf, size_t len,
948  unsigned char *ctr, int type )
949 {
950  unsigned char header[11];
951  unsigned char padding[48];
952  int padlen = 0;
953  int md_size = md_get_size( md_ctx->md_info );
954  int md_type = md_get_type( md_ctx->md_info );
955 
956  if( md_type == POLARSSL_MD_MD5 )
957  padlen = 48;
958  else if( md_type == POLARSSL_MD_SHA1 )
959  padlen = 40;
960  else if( md_type == POLARSSL_MD_SHA256 )
961  padlen = 32;
962 
963  memcpy( header, ctr, 8 );
964  header[ 8] = (unsigned char) type;
965  header[ 9] = (unsigned char)( len >> 8 );
966  header[10] = (unsigned char)( len );
967 
968  memset( padding, 0x36, padlen );
969  md_starts( md_ctx );
970  md_update( md_ctx, secret, md_size );
971  md_update( md_ctx, padding, padlen );
972  md_update( md_ctx, header, 11 );
973  md_update( md_ctx, buf, len );
974  md_finish( md_ctx, buf + len );
975 
976  memset( padding, 0x5C, padlen );
977  md_starts( md_ctx );
978  md_update( md_ctx, secret, md_size );
979  md_update( md_ctx, padding, padlen );
980  md_update( md_ctx, buf + len, md_size );
981  md_finish( md_ctx, buf + len );
982 }
983 #endif /* POLARSSL_SSL_PROTO_SSL3 */
984 
985 /*
986  * Encryption/decryption functions
987  */
988 static int ssl_encrypt_buf( ssl_context *ssl )
989 {
990  size_t i;
991 
992  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
993 
994  /*
995  * Add MAC then encrypt
996  */
997 #if defined(POLARSSL_SSL_PROTO_SSL3)
998  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
999  {
1000  ssl_mac( &ssl->transform_out->md_ctx_enc,
1001  ssl->transform_out->mac_enc,
1002  ssl->out_msg, ssl->out_msglen,
1003  ssl->out_ctr, ssl->out_msgtype );
1004  }
1005  else
1006 #endif
1007 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1008  defined(POLARSSL_SSL_PROTO_TLS1_2)
1009  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1010  {
1011  md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1013  ssl->out_msg, ssl->out_msglen );
1015  ssl->out_msg + ssl->out_msglen );
1017  }
1018  else
1019 #endif
1020  {
1021  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1023  }
1024 
1025  SSL_DEBUG_BUF( 4, "computed mac",
1026  ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
1027 
1028  ssl->out_msglen += ssl->transform_out->maclen;
1029 
1030 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
1032  {
1033  ; /* Nothing to do */
1034  }
1035  else
1036 #endif /* POLARSSL_CIPHER_NULL_CIPHER */
1037 #if defined(POLARSSL_ARC4_C)
1039  {
1040  int ret;
1041  size_t olen = 0;
1042 
1043  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1044  "including %d bytes of padding",
1045  ssl->out_msglen, 0 ) );
1046 
1047  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1048  ssl->out_msg, ssl->out_msglen );
1049 
1050  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1051  {
1052  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1053  return( ret );
1054  }
1055 
1056  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1057  ssl->transform_out->iv_enc,
1058  ssl->transform_out->ivlen ) ) != 0 )
1059  {
1060  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1061  return( ret );
1062  }
1063 
1064  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1065  ssl->out_msg, ssl->out_msglen, ssl->out_msg,
1066  &olen ) ) != 0 )
1067  {
1068  SSL_DEBUG_RET( 1, "cipher_update", ret );
1069  return( ret );
1070  }
1071 
1072  if( ssl->out_msglen != olen )
1073  {
1074  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1075  ssl->out_msglen, olen ) );
1076  // TODO Real error number
1077  return( -1 );
1078  }
1079 
1080  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1081  ssl->out_msg + olen, &olen ) ) != 0 )
1082  {
1083  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1084  return( ret );
1085  }
1086 
1087  if( 0 != olen )
1088  {
1089  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1090  0, olen ) );
1091  // TODO Real error number
1092  return( -1 );
1093  }
1094  }
1095  else
1096 #endif /* POLARSSL_ARC4_C */
1097 #if defined(POLARSSL_GCM_C)
1100  {
1101  size_t enc_msglen, olen, totlen;
1102  unsigned char *enc_msg;
1103  unsigned char add_data[13];
1105 
1106  enc_msglen = ssl->out_msglen;
1107 
1108  memcpy( add_data, ssl->out_ctr, 8 );
1109  add_data[8] = ssl->out_msgtype;
1110  add_data[9] = ssl->major_ver;
1111  add_data[10] = ssl->minor_ver;
1112  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1113  add_data[12] = ssl->out_msglen & 0xFF;
1114 
1115  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1116  add_data, 13 );
1117 
1118  /*
1119  * Generate IV
1120  */
1121  ret = ssl->f_rng( ssl->p_rng,
1123  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1124  if( ret != 0 )
1125  return( ret );
1126 
1127  memcpy( ssl->out_iv,
1129  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1130 
1131  SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1132  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1133 
1134  /*
1135  * Fix pointer positions and message length with added IV
1136  */
1137  enc_msg = ssl->out_msg;
1138  enc_msglen = ssl->out_msglen;
1139  ssl->out_msglen += ssl->transform_out->ivlen -
1140  ssl->transform_out->fixed_ivlen;
1141 
1142  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1143  "including %d bytes of padding",
1144  ssl->out_msglen, 0 ) );
1145 
1146  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1147  ssl->out_msg, ssl->out_msglen );
1148 
1149  /*
1150  * Encrypt
1151  */
1152  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1153  ssl->transform_out->iv_enc,
1154  ssl->transform_out->ivlen ) ) != 0 ||
1155  ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1156  {
1157  return( ret );
1158  }
1159 
1160  if( ( ret = cipher_update_ad( &ssl->transform_out->cipher_ctx_enc,
1161  add_data, 13 ) ) != 0 )
1162  {
1163  return( ret );
1164  }
1165 
1166  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1167  enc_msg, enc_msglen,
1168  enc_msg, &olen ) ) != 0 )
1169  {
1170  return( ret );
1171  }
1172  totlen = olen;
1173 
1174  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1175  enc_msg + olen, &olen ) ) != 0 )
1176  {
1177  return( ret );
1178  }
1179  totlen += olen;
1180 
1181  if( totlen != enc_msglen )
1182  {
1183  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1184  return( -1 );
1185  }
1186 
1187  /*
1188  * Authenticate
1189  */
1190  ssl->out_msglen += 16;
1191 
1192  if( ( ret = cipher_write_tag( &ssl->transform_out->cipher_ctx_enc,
1193  enc_msg + enc_msglen, 16 ) ) != 0 )
1194  {
1195  return( ret );
1196  }
1197 
1198  SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, 16 );
1199  }
1200  else
1201 #endif /* POLARSSL_GCM_C */
1202 #if defined(POLARSSL_CIPHER_MODE_CBC)
1205  {
1206  int ret;
1207  unsigned char *enc_msg;
1208  size_t enc_msglen, padlen, olen = 0;
1209 
1210  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1211  ssl->transform_out->ivlen;
1212  if( padlen == ssl->transform_out->ivlen )
1213  padlen = 0;
1214 
1215  for( i = 0; i <= padlen; i++ )
1216  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1217 
1218  ssl->out_msglen += padlen + 1;
1219 
1220  enc_msglen = ssl->out_msglen;
1221  enc_msg = ssl->out_msg;
1222 
1223 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1224  /*
1225  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1226  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1227  */
1228  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1229  {
1230  /*
1231  * Generate IV
1232  */
1233  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1234  ssl->transform_out->ivlen );
1235  if( ret != 0 )
1236  return( ret );
1237 
1238  memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1239  ssl->transform_out->ivlen );
1240 
1241  /*
1242  * Fix pointer positions and message length with added IV
1243  */
1244  enc_msg = ssl->out_msg;
1245  enc_msglen = ssl->out_msglen;
1246  ssl->out_msglen += ssl->transform_out->ivlen;
1247  }
1248 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1249 
1250  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1251  "including %d bytes of IV and %d bytes of padding",
1252  ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
1253 
1254  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1255  ssl->out_iv, ssl->out_msglen );
1256 
1257  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1258  {
1259  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1260  return( ret );
1261  }
1262 
1263  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1264  ssl->transform_out->iv_enc,
1265  ssl->transform_out->ivlen ) ) != 0 )
1266  {
1267  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1268  return( ret );
1269  }
1270 
1271  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1272  enc_msg, enc_msglen, enc_msg,
1273  &olen ) ) != 0 )
1274  {
1275  SSL_DEBUG_RET( 1, "cipher_update", ret );
1276  return( ret );
1277  }
1278 
1279  enc_msglen -= olen;
1280 
1281  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1282  enc_msg + olen, &olen ) ) != 0 )
1283  {
1284  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1285  return( ret );
1286  }
1287 
1288  if( enc_msglen != olen )
1289  {
1290  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1291  enc_msglen, olen ) );
1292  // TODO Real error number
1293  return( -1 );
1294  }
1295 
1296 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1297  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1298  {
1299  /*
1300  * Save IV in SSL3 and TLS1
1301  */
1302  memcpy( ssl->transform_out->iv_enc,
1304  ssl->transform_out->ivlen );
1305  }
1306 #endif
1307  }
1308  else
1309 #endif /* POLARSSL_CIPHER_MODE_CBC */
1310  {
1311  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1313  }
1314 
1315  for( i = 8; i > 0; i-- )
1316  if( ++ssl->out_ctr[i - 1] != 0 )
1317  break;
1318 
1319  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1320 
1321  return( 0 );
1322 }
1323 
1324 #define POLARSSL_SSL_MAX_MAC_SIZE 48
1325 
1326 static int ssl_decrypt_buf( ssl_context *ssl )
1327 {
1328  size_t i, padlen = 0, correct = 1;
1329  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1330 
1331  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1332 
1333  if( ssl->in_msglen < ssl->transform_in->minlen )
1334  {
1335  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1336  ssl->in_msglen, ssl->transform_in->minlen ) );
1337  return( POLARSSL_ERR_SSL_INVALID_MAC );
1338  }
1339 
1340 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
1342  {
1343  padlen = 0;
1344  }
1345  else
1346 #endif /* POLARSSL_CIPHER_NULL_CIPHER */
1347 #if defined(POLARSSL_ARC4_C)
1349  {
1350  int ret;
1351  size_t olen = 0;
1352 
1353  padlen = 0;
1354 
1355  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1356  {
1357  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1358  return( ret );
1359  }
1360 
1361  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1362  ssl->transform_in->iv_dec,
1363  ssl->transform_in->ivlen ) ) != 0 )
1364  {
1365  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1366  return( ret );
1367  }
1368 
1369  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1370  ssl->in_msg, ssl->in_msglen, ssl->in_msg,
1371  &olen ) ) != 0 )
1372  {
1373  SSL_DEBUG_RET( 1, "cipher_update", ret );
1374  return( ret );
1375  }
1376 
1377  if( ssl->in_msglen != olen )
1378  {
1379  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1380  // TODO Real error number
1381  return( -1 );
1382  }
1383 
1384  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1385  ssl->in_msg + olen, &olen ) ) != 0 )
1386  {
1387  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1388  return( ret );
1389  }
1390 
1391  if( 0 != olen )
1392  {
1393  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1394  // TODO Real error number
1395  return( -1 );
1396  }
1397  }
1398  else
1399 #endif /* POLARSSL_ARC4_C */
1400 #if defined(POLARSSL_GCM_C)
1403  {
1404  unsigned char *dec_msg;
1405  unsigned char *dec_msg_result;
1406  size_t dec_msglen, olen, totlen;
1407  unsigned char add_data[13];
1409 
1410  padlen = 0;
1411 
1412  dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1413  ssl->transform_in->fixed_ivlen );
1414  dec_msglen -= 16;
1415  dec_msg = ssl->in_msg;
1416  dec_msg_result = ssl->in_msg;
1417  ssl->in_msglen = dec_msglen;
1418 
1419  memcpy( add_data, ssl->in_ctr, 8 );
1420  add_data[8] = ssl->in_msgtype;
1421  add_data[9] = ssl->major_ver;
1422  add_data[10] = ssl->minor_ver;
1423  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1424  add_data[12] = ssl->in_msglen & 0xFF;
1425 
1426  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1427  add_data, 13 );
1428 
1429  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1430  ssl->in_iv,
1431  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1432 
1433  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1434  ssl->transform_in->ivlen );
1435  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1436 
1437  /*
1438  * Decrypt
1439  */
1440  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1441  ssl->transform_in->iv_dec,
1442  ssl->transform_in->ivlen ) ) != 0 ||
1443  ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1444  {
1445  return( ret );
1446  }
1447 
1448  if( ( ret = cipher_update_ad( &ssl->transform_in->cipher_ctx_dec,
1449  add_data, 13 ) ) != 0 )
1450  {
1451  return( ret );
1452  }
1453 
1454  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1455  dec_msg, dec_msglen,
1456  dec_msg_result, &olen ) ) != 0 )
1457  {
1458  return( ret );
1459  }
1460  totlen = olen;
1461 
1462  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1463  dec_msg_result + olen, &olen ) ) != 0 )
1464  {
1465  return( ret );
1466  }
1467  totlen += olen;
1468 
1469  if( totlen != dec_msglen )
1470  {
1471  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1472  return( -1 );
1473  }
1474 
1475  /*
1476  * Authenticate
1477  */
1478  if( ( ret = cipher_check_tag( &ssl->transform_in->cipher_ctx_dec,
1479  dec_msg + dec_msglen, 16 ) ) != 0 )
1480  {
1481  SSL_DEBUG_RET( 1, "cipher_check_tag", ret );
1482  return( POLARSSL_ERR_SSL_INVALID_MAC );
1483  }
1484 
1485  }
1486  else
1487 #endif /* POLARSSL_GCM_C */
1488 #if defined(POLARSSL_CIPHER_MODE_CBC)
1491  {
1492  /*
1493  * Decrypt and check the padding
1494  */
1495  int ret;
1496  unsigned char *dec_msg;
1497  unsigned char *dec_msg_result;
1498  size_t dec_msglen;
1499  size_t minlen = 0;
1500  size_t olen = 0;
1501 
1502  /*
1503  * Check immediate ciphertext sanity
1504  */
1505  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1506  {
1507  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1508  ssl->in_msglen, ssl->transform_in->ivlen ) );
1509  return( POLARSSL_ERR_SSL_INVALID_MAC );
1510  }
1511 
1512 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1513  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1514  minlen += ssl->transform_in->ivlen;
1515 #endif
1516 
1517  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1518  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1519  {
1520  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1521  ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1522  return( POLARSSL_ERR_SSL_INVALID_MAC );
1523  }
1524 
1525  dec_msglen = ssl->in_msglen;
1526  dec_msg = ssl->in_msg;
1527  dec_msg_result = ssl->in_msg;
1528 
1529 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1530  /*
1531  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1532  */
1533  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1534  {
1535  dec_msglen -= ssl->transform_in->ivlen;
1536  ssl->in_msglen -= ssl->transform_in->ivlen;
1537 
1538  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1539  ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1540  }
1541 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1542 
1543  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1544  {
1545  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1546  return( ret );
1547  }
1548 
1549  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1550  ssl->transform_in->iv_dec,
1551  ssl->transform_in->ivlen ) ) != 0 )
1552  {
1553  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1554  return( ret );
1555  }
1556 
1557  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1558  dec_msg, dec_msglen, dec_msg_result,
1559  &olen ) ) != 0 )
1560  {
1561  SSL_DEBUG_RET( 1, "cipher_update", ret );
1562  return( ret );
1563  }
1564 
1565  dec_msglen -= olen;
1566  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1567  dec_msg_result + olen, &olen ) ) != 0 )
1568  {
1569  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1570  return( ret );
1571  }
1572 
1573  if( dec_msglen != olen )
1574  {
1575  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1576  // TODO Real error number
1577  return( -1 );
1578  }
1579 
1580 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1581  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1582  {
1583  /*
1584  * Save IV in SSL3 and TLS1
1585  */
1586  memcpy( ssl->transform_in->iv_dec,
1588  ssl->transform_in->ivlen );
1589  }
1590 #endif
1591 
1592  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1593 
1594  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1595  {
1596 #if defined(POLARSSL_SSL_DEBUG_ALL)
1597  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1598  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1599 #endif
1600  padlen = 0;
1601  correct = 0;
1602  }
1603 
1604 #if defined(POLARSSL_SSL_PROTO_SSL3)
1605  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1606  {
1607  if( padlen > ssl->transform_in->ivlen )
1608  {
1609 #if defined(POLARSSL_SSL_DEBUG_ALL)
1610  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1611  "should be no more than %d",
1612  padlen, ssl->transform_in->ivlen ) );
1613 #endif
1614  correct = 0;
1615  }
1616  }
1617  else
1618 #endif
1619 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1620  defined(POLARSSL_SSL_PROTO_TLS1_2)
1621  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1622  {
1623  /*
1624  * TLSv1+: always check the padding up to the first failure
1625  * and fake check up to 256 bytes of padding
1626  */
1627  size_t pad_count = 0, real_count = 1;
1628  size_t padding_idx = ssl->in_msglen - padlen - 1;
1629 
1630  for( i = 1; i <= 256; i++ )
1631  {
1632  real_count &= ( i <= padlen );
1633  pad_count += real_count *
1634  ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1635  }
1636 
1637  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1638 
1639 #if defined(POLARSSL_SSL_DEBUG_ALL)
1640  if( padlen > 0 && correct == 0)
1641  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1642 #endif
1643  padlen &= correct * 0x1FF;
1644  }
1645  else
1646 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1647  POLARSSL_SSL_PROTO_TLS1_2 */
1648  {
1649  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1651  }
1652  }
1653  else
1654 #endif /* POLARSSL_CIPHER_MODE_CBC */
1655  {
1656  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1658  }
1659 
1660  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1661  ssl->in_msg, ssl->in_msglen );
1662 
1663  /*
1664  * Always compute the MAC (RFC4346, CBCTIME).
1665  */
1666  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1667 
1668  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1669  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1670 
1671  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1672 
1673 #if defined(POLARSSL_SSL_PROTO_SSL3)
1674  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1675  {
1676  ssl_mac( &ssl->transform_in->md_ctx_dec,
1677  ssl->transform_in->mac_dec,
1678  ssl->in_msg, ssl->in_msglen,
1679  ssl->in_ctr, ssl->in_msgtype );
1680  }
1681  else
1682 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1683 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1684  defined(POLARSSL_SSL_PROTO_TLS1_2)
1685  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1686  {
1687  /*
1688  * Process MAC and always update for padlen afterwards to make
1689  * total time independent of padlen
1690  *
1691  * extra_run compensates MAC check for padlen
1692  *
1693  * Known timing attacks:
1694  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1695  *
1696  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1697  * correctly. (We round down instead of up, so -56 is the correct
1698  * value for our calculations instead of -55)
1699  */
1700  size_t j, extra_run = 0;
1701  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1702  ( 13 + ssl->in_msglen + 8 ) / 64;
1703 
1704  extra_run &= correct * 0xFF;
1705 
1706  md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1708  ssl->in_msglen );
1710  ssl->in_msg + ssl->in_msglen );
1711  for( j = 0; j < extra_run; j++ )
1712  md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1713 
1715  }
1716  else
1717 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1718  POLARSSL_SSL_PROTO_TLS1_2 */
1719  {
1720  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1722  }
1723 
1724  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1725  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1726  ssl->transform_in->maclen );
1727 
1728  if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1729  ssl->transform_in->maclen ) != 0 )
1730  {
1731 #if defined(POLARSSL_SSL_DEBUG_ALL)
1732  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1733 #endif
1734  correct = 0;
1735  }
1736 
1737  /*
1738  * Finally check the correct flag
1739  */
1740  if( correct == 0 )
1741  return( POLARSSL_ERR_SSL_INVALID_MAC );
1742 
1743  if( ssl->in_msglen == 0 )
1744  {
1745  ssl->nb_zero++;
1746 
1747  /*
1748  * Three or more empty messages may be a DoS attack
1749  * (excessive CPU consumption).
1750  */
1751  if( ssl->nb_zero > 3 )
1752  {
1753  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1754  "messages, possible DoS attack" ) );
1755  return( POLARSSL_ERR_SSL_INVALID_MAC );
1756  }
1757  }
1758  else
1759  ssl->nb_zero = 0;
1760 
1761  for( i = 8; i > 0; i-- )
1762  if( ++ssl->in_ctr[i - 1] != 0 )
1763  break;
1764 
1765  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1766 
1767  return( 0 );
1768 }
1769 
1770 #if defined(POLARSSL_ZLIB_SUPPORT)
1771 /*
1772  * Compression/decompression functions
1773  */
1774 static int ssl_compress_buf( ssl_context *ssl )
1775 {
1776  int ret;
1777  unsigned char *msg_post = ssl->out_msg;
1778  size_t len_pre = ssl->out_msglen;
1779  unsigned char *msg_pre = ssl->compress_buf;
1780 
1781  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1782 
1783  if( len_pre == 0 )
1784  return( 0 );
1785 
1786  memcpy( msg_pre, ssl->out_msg, len_pre );
1787 
1788  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1789  ssl->out_msglen ) );
1790 
1791  SSL_DEBUG_BUF( 4, "before compression: output payload",
1792  ssl->out_msg, ssl->out_msglen );
1793 
1794  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1795  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1796  ssl->transform_out->ctx_deflate.next_out = msg_post;
1797  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1798 
1799  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1800  if( ret != Z_OK )
1801  {
1802  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1804  }
1805 
1806  ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
1807 
1808  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1809  ssl->out_msglen ) );
1810 
1811  SSL_DEBUG_BUF( 4, "after compression: output payload",
1812  ssl->out_msg, ssl->out_msglen );
1813 
1814  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1815 
1816  return( 0 );
1817 }
1818 
1819 static int ssl_decompress_buf( ssl_context *ssl )
1820 {
1821  int ret;
1822  unsigned char *msg_post = ssl->in_msg;
1823  size_t len_pre = ssl->in_msglen;
1824  unsigned char *msg_pre = ssl->compress_buf;
1825 
1826  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1827 
1828  if( len_pre == 0 )
1829  return( 0 );
1830 
1831  memcpy( msg_pre, ssl->in_msg, len_pre );
1832 
1833  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1834  ssl->in_msglen ) );
1835 
1836  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1837  ssl->in_msg, ssl->in_msglen );
1838 
1839  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1840  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1841  ssl->transform_in->ctx_inflate.next_out = msg_post;
1842  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1843 
1844  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1845  if( ret != Z_OK )
1846  {
1847  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1849  }
1850 
1851  ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
1852 
1853  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1854  ssl->in_msglen ) );
1855 
1856  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1857  ssl->in_msg, ssl->in_msglen );
1858 
1859  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1860 
1861  return( 0 );
1862 }
1863 #endif /* POLARSSL_ZLIB_SUPPORT */
1864 
1865 /*
1866  * Fill the input message buffer
1867  */
1868 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1869 {
1870  int ret;
1871  size_t len;
1872 
1873  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1874 
1875  while( ssl->in_left < nb_want )
1876  {
1877  len = nb_want - ssl->in_left;
1878  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1879 
1880  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1881  ssl->in_left, nb_want ) );
1882  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1883 
1884  if( ret == 0 )
1885  return( POLARSSL_ERR_SSL_CONN_EOF );
1886 
1887  if( ret < 0 )
1888  return( ret );
1889 
1890  ssl->in_left += ret;
1891  }
1892 
1893  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1894 
1895  return( 0 );
1896 }
1897 
1898 /*
1899  * Flush any data not yet written
1900  */
1901 int ssl_flush_output( ssl_context *ssl )
1902 {
1903  int ret;
1904  unsigned char *buf;
1905 
1906  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1907 
1908  while( ssl->out_left > 0 )
1909  {
1910  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1911  5 + ssl->out_msglen, ssl->out_left ) );
1912 
1913  buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1914  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1915 
1916  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1917 
1918  if( ret <= 0 )
1919  return( ret );
1920 
1921  ssl->out_left -= ret;
1922  }
1923 
1924  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1925 
1926  return( 0 );
1927 }
1928 
1929 /*
1930  * Record layer functions
1931  */
1932 int ssl_write_record( ssl_context *ssl )
1933 {
1934  int ret, done = 0;
1935  size_t len = ssl->out_msglen;
1936 
1937  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1938 
1939  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1940  {
1941  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1942  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1943  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1944 
1945  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1946  }
1947 
1948 #if defined(POLARSSL_ZLIB_SUPPORT)
1949  if( ssl->transform_out != NULL &&
1951  {
1952  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1953  {
1954  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1955  return( ret );
1956  }
1957 
1958  len = ssl->out_msglen;
1959  }
1960 #endif /*POLARSSL_ZLIB_SUPPORT */
1961 
1962 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1963  if( ssl_hw_record_write != NULL)
1964  {
1965  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1966 
1967  ret = ssl_hw_record_write( ssl );
1968  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1969  {
1970  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1972  }
1973 
1974  if( ret == 0 )
1975  done = 1;
1976  }
1977 #endif
1978  if( !done )
1979  {
1980  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1981  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1982  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1983  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1984  ssl->out_hdr[4] = (unsigned char)( len );
1985 
1986  if( ssl->transform_out != NULL )
1987  {
1988  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1989  {
1990  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1991  return( ret );
1992  }
1993 
1994  len = ssl->out_msglen;
1995  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1996  ssl->out_hdr[4] = (unsigned char)( len );
1997  }
1998 
1999  ssl->out_left = 5 + ssl->out_msglen;
2000 
2001  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2002  "version = [%d:%d], msglen = %d",
2003  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
2004  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
2005 
2006  SSL_DEBUG_BUF( 4, "output record sent to network",
2007  ssl->out_hdr, 5 + ssl->out_msglen );
2008  }
2009 
2010  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2011  {
2012  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2013  return( ret );
2014  }
2015 
2016  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2017 
2018  return( 0 );
2019 }
2020 
2021 int ssl_read_record( ssl_context *ssl )
2022 {
2023  int ret, done = 0;
2024 
2025  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
2026 
2027  SSL_DEBUG_BUF( 4, "input record from network",
2028  ssl->in_hdr, 5 + ssl->in_msglen );
2029 
2030  if( ssl->in_hslen != 0 &&
2031  ssl->in_hslen < ssl->in_msglen )
2032  {
2033  /*
2034  * Get next Handshake message in the current record
2035  */
2036  ssl->in_msglen -= ssl->in_hslen;
2037 
2038  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
2039  ssl->in_msglen );
2040 
2041  ssl->in_hslen = 4;
2042  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2043 
2044  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2045  " %d, type = %d, hslen = %d",
2046  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2047 
2048  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2049  {
2050  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2052  }
2053 
2054  if( ssl->in_msglen < ssl->in_hslen )
2055  {
2056  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2058  }
2059 
2060  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2061 
2062  return( 0 );
2063  }
2064 
2065  ssl->in_hslen = 0;
2066 
2067  /*
2068  * Read the record header and validate it
2069  */
2070  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2071  {
2072  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2073  return( ret );
2074  }
2075 
2076  ssl->in_msgtype = ssl->in_hdr[0];
2077  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2078 
2079  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2080  "version = [%d:%d], msglen = %d",
2081  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2082  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2083 
2084  if( ssl->in_hdr[1] != ssl->major_ver )
2085  {
2086  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
2088  }
2089 
2090  if( ssl->in_hdr[2] > ssl->max_minor_ver )
2091  {
2092  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
2094  }
2095 
2096  /*
2097  * Make sure the message length is acceptable
2098  */
2099  if( ssl->transform_in == NULL )
2100  {
2101  if( ssl->in_msglen < 1 ||
2103  {
2104  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2106  }
2107  }
2108  else
2109  {
2110  if( ssl->in_msglen < ssl->transform_in->minlen )
2111  {
2112  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2114  }
2115 
2116 #if defined(POLARSSL_SSL_PROTO_SSL3)
2117  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2119  {
2120  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2122  }
2123 #endif
2124 
2125 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2126  defined(POLARSSL_SSL_PROTO_TLS1_2)
2127  /*
2128  * TLS encrypted messages can have up to 256 bytes of padding
2129  */
2130  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2131  ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
2132  {
2133  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2135  }
2136 #endif
2137  }
2138 
2139  /*
2140  * Read and optionally decrypt the message contents
2141  */
2142  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2143  {
2144  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2145  return( ret );
2146  }
2147 
2148  SSL_DEBUG_BUF( 4, "input record from network",
2149  ssl->in_hdr, 5 + ssl->in_msglen );
2150 
2151 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2152  if( ssl_hw_record_read != NULL)
2153  {
2154  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2155 
2156  ret = ssl_hw_record_read( ssl );
2157  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2158  {
2159  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2161  }
2162 
2163  if( ret == 0 )
2164  done = 1;
2165  }
2166 #endif
2167  if( !done && ssl->transform_in != NULL )
2168  {
2169  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2170  {
2171 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2172  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2173  {
2177  }
2178 #endif
2179  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2180  return( ret );
2181  }
2182 
2183  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2184  ssl->in_msg, ssl->in_msglen );
2185 
2186  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2187  {
2188  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2190  }
2191  }
2192 
2193 #if defined(POLARSSL_ZLIB_SUPPORT)
2194  if( ssl->transform_in != NULL &&
2196  {
2197  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2198  {
2199  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2200  return( ret );
2201  }
2202 
2203  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2204  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2205  }
2206 #endif /* POLARSSL_ZLIB_SUPPORT */
2207 
2208  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2209  ssl->in_msgtype != SSL_MSG_ALERT &&
2212  {
2213  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2214 
2215  if( ( ret = ssl_send_alert_message( ssl,
2218  {
2219  return( ret );
2220  }
2221 
2223  }
2224 
2225  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2226  {
2227  ssl->in_hslen = 4;
2228  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2229 
2230  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2231  " %d, type = %d, hslen = %d",
2232  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2233 
2234  /*
2235  * Additional checks to validate the handshake header
2236  */
2237  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2238  {
2239  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2241  }
2242 
2243  if( ssl->in_msglen < ssl->in_hslen )
2244  {
2245  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2247  }
2248 
2249  if( ssl->state != SSL_HANDSHAKE_OVER )
2250  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2251  }
2252 
2253  if( ssl->in_msgtype == SSL_MSG_ALERT )
2254  {
2255  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2256  ssl->in_msg[0], ssl->in_msg[1] ) );
2257 
2258  /*
2259  * Ignore non-fatal alerts, except close_notify
2260  */
2261  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2262  {
2263  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2264  ssl->in_msg[1] ) );
2270  }
2271 
2272  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2273  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2274  {
2275  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2277  }
2278  }
2279 
2280  ssl->in_left = 0;
2281 
2282  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2283 
2284  return( 0 );
2285 }
2286 
2288 {
2289  int ret;
2290 
2291  if( ( ret = ssl_send_alert_message( ssl,
2294  {
2295  return( ret );
2296  }
2297 
2298  return( 0 );
2299 }
2300 
2302  unsigned char level,
2303  unsigned char message )
2304 {
2305  int ret;
2306 
2307  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2308 
2309  ssl->out_msgtype = SSL_MSG_ALERT;
2310  ssl->out_msglen = 2;
2311  ssl->out_msg[0] = level;
2312  ssl->out_msg[1] = message;
2313 
2314  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2315  {
2316  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2317  return( ret );
2318  }
2319 
2320  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2321 
2322  return( 0 );
2323 }
2324 
2325 /*
2326  * Handshake functions
2327  */
2328 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2329  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2330  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2331  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2333 {
2335  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2336 
2337  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2338 
2339  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2340  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2341  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2342  {
2343  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2344  ssl->state++;
2345  return( 0 );
2346  }
2347 
2348  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2349  return( ret );
2350 }
2351 
2353 {
2355  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2356 
2357  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2358 
2359  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2360  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2361  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2362  {
2363  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2364  ssl->state++;
2365  return( 0 );
2366  }
2367 
2368  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2369  return( ret );
2370 }
2371 #else
2373 {
2375  size_t i, n;
2376  const x509_crt *crt;
2377  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2378 
2379  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2380 
2381  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2382  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2383  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2384  {
2385  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2386  ssl->state++;
2387  return( 0 );
2388  }
2389 
2390  if( ssl->endpoint == SSL_IS_CLIENT )
2391  {
2392  if( ssl->client_auth == 0 )
2393  {
2394  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2395  ssl->state++;
2396  return( 0 );
2397  }
2398 
2399 #if defined(POLARSSL_SSL_PROTO_SSL3)
2400  /*
2401  * If using SSLv3 and got no cert, send an Alert message
2402  * (otherwise an empty Certificate message will be sent).
2403  */
2404  if( ssl_own_cert( ssl ) == NULL &&
2405  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2406  {
2407  ssl->out_msglen = 2;
2408  ssl->out_msgtype = SSL_MSG_ALERT;
2409  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2410  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2411 
2412  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2413  goto write_msg;
2414  }
2415 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2416  }
2417  else /* SSL_IS_SERVER */
2418  {
2419  if( ssl_own_cert( ssl ) == NULL )
2420  {
2421  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2423  }
2424  }
2425 
2426  SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
2427 
2428  /*
2429  * 0 . 0 handshake type
2430  * 1 . 3 handshake length
2431  * 4 . 6 length of all certs
2432  * 7 . 9 length of cert. 1
2433  * 10 . n-1 peer certificate
2434  * n . n+2 length of cert. 2
2435  * n+3 . ... upper level cert, etc.
2436  */
2437  i = 7;
2438  crt = ssl_own_cert( ssl );
2439 
2440  while( crt != NULL )
2441  {
2442  n = crt->raw.len;
2443  if( i + 3 + n > SSL_MAX_CONTENT_LEN )
2444  {
2445  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2446  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2448  }
2449 
2450  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2451  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2452  ssl->out_msg[i + 2] = (unsigned char)( n );
2453 
2454  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2455  i += n; crt = crt->next;
2456  }
2457 
2458  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2459  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2460  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2461 
2462  ssl->out_msglen = i;
2464  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2465 
2466 #if defined(POLARSSL_SSL_PROTO_SSL3)
2467 write_msg:
2468 #endif
2469 
2470  ssl->state++;
2471 
2472  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2473  {
2474  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2475  return( ret );
2476  }
2477 
2478  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2479 
2480  return( ret );
2481 }
2482 
2484 {
2486  size_t i, n;
2487  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2488 
2489  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2490 
2491  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2492  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2493  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2494  {
2495  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2496  ssl->state++;
2497  return( 0 );
2498  }
2499 
2500  if( ssl->endpoint == SSL_IS_SERVER &&
2501  ssl->authmode == SSL_VERIFY_NONE )
2502  {
2504  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2505  ssl->state++;
2506  return( 0 );
2507  }
2508 
2509  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2510  {
2511  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2512  return( ret );
2513  }
2514 
2515  ssl->state++;
2516 
2517 #if defined(POLARSSL_SSL_PROTO_SSL3)
2518  /*
2519  * Check if the client sent an empty certificate
2520  */
2521  if( ssl->endpoint == SSL_IS_SERVER &&
2522  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2523  {
2524  if( ssl->in_msglen == 2 &&
2525  ssl->in_msgtype == SSL_MSG_ALERT &&
2526  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2527  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2528  {
2529  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2530 
2532  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2533  return( 0 );
2534  else
2536  }
2537  }
2538 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2539 
2540 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2541  defined(POLARSSL_SSL_PROTO_TLS1_2)
2542  if( ssl->endpoint == SSL_IS_SERVER &&
2543  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2544  {
2545  if( ssl->in_hslen == 7 &&
2546  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2547  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2548  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2549  {
2550  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2551 
2553  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2555  else
2556  return( 0 );
2557  }
2558  }
2559 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2560  POLARSSL_SSL_PROTO_TLS1_2 */
2561 
2562  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2563  {
2564  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2566  }
2567 
2568  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2569  {
2570  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2572  }
2573 
2574  /*
2575  * Same message structure as in ssl_write_certificate()
2576  */
2577  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2578 
2579  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2580  {
2581  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2583  }
2584 
2585  /* In case we tried to reuse a session but it failed */
2586  if( ssl->session_negotiate->peer_cert != NULL )
2587  {
2590  }
2591 
2593  sizeof( x509_crt ) ) ) == NULL )
2594  {
2595  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2596  sizeof( x509_crt ) ) );
2598  }
2599 
2601 
2602  i = 7;
2603 
2604  while( i < ssl->in_hslen )
2605  {
2606  if( ssl->in_msg[i] != 0 )
2607  {
2608  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2610  }
2611 
2612  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2613  | (unsigned int) ssl->in_msg[i + 2];
2614  i += 3;
2615 
2616  if( n < 128 || i + n > ssl->in_hslen )
2617  {
2618  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2620  }
2621 
2623  ssl->in_msg + i, n );
2624  if( ret != 0 )
2625  {
2626  SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
2627  return( ret );
2628  }
2629 
2630  i += n;
2631  }
2632 
2633  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2634 
2635  if( ssl->authmode != SSL_VERIFY_NONE )
2636  {
2637  if( ssl->ca_chain == NULL )
2638  {
2639  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2641  }
2642 
2644  ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2646  ssl->f_vrfy, ssl->p_vrfy );
2647 
2648  if( ret != 0 )
2649  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2650 
2651  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2652  ret = 0;
2653  }
2654 
2655  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2656 
2657  return( ret );
2658 }
2659 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2660  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2661  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2662 
2664 {
2665  int ret;
2666 
2667  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2668 
2670  ssl->out_msglen = 1;
2671  ssl->out_msg[0] = 1;
2672 
2673  ssl->state++;
2674 
2675  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2676  {
2677  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2678  return( ret );
2679  }
2680 
2681  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2682 
2683  return( 0 );
2684 }
2685 
2687 {
2688  int ret;
2689 
2690  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2691 
2692  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2693  {
2694  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2695  return( ret );
2696  }
2697 
2699  {
2700  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2702  }
2703 
2704  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2705  {
2706  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2708  }
2709 
2710  ssl->state++;
2711 
2712  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2713 
2714  return( 0 );
2715 }
2716 
2718  const ssl_ciphersuite_t *ciphersuite_info )
2719 {
2720  ((void) ciphersuite_info);
2721 
2722 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2723  defined(POLARSSL_SSL_PROTO_TLS1_1)
2724  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2725  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2726  else
2727 #endif
2728 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2729 #if defined(POLARSSL_SHA512_C)
2730  if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2731  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2732  else
2733 #endif
2734 #if defined(POLARSSL_SHA256_C)
2735  if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
2736  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2737  else
2738 #endif
2739 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2740  /* Should never happen */
2741  return;
2742 }
2743 
2744 static void ssl_update_checksum_start( ssl_context *ssl,
2745  const unsigned char *buf, size_t len )
2746 {
2747 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2748  defined(POLARSSL_SSL_PROTO_TLS1_1)
2749  md5_update( &ssl->handshake->fin_md5 , buf, len );
2750  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2751 #endif
2752 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2753 #if defined(POLARSSL_SHA256_C)
2754  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2755 #endif
2756 #if defined(POLARSSL_SHA512_C)
2757  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2758 #endif
2759 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2760 }
2761 
2762 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2763  defined(POLARSSL_SSL_PROTO_TLS1_1)
2764 static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2765  const unsigned char *buf, size_t len )
2766 {
2767  md5_update( &ssl->handshake->fin_md5 , buf, len );
2768  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2769 }
2770 #endif
2771 
2772 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2773 #if defined(POLARSSL_SHA256_C)
2774 static void ssl_update_checksum_sha256( ssl_context *ssl,
2775  const unsigned char *buf, size_t len )
2776 {
2777  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2778 }
2779 #endif
2780 
2781 #if defined(POLARSSL_SHA512_C)
2782 static void ssl_update_checksum_sha384( ssl_context *ssl,
2783  const unsigned char *buf, size_t len )
2784 {
2785  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2786 }
2787 #endif
2788 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2789 
2790 #if defined(POLARSSL_SSL_PROTO_SSL3)
2791 static void ssl_calc_finished_ssl(
2792  ssl_context *ssl, unsigned char *buf, int from )
2793 {
2794  const char *sender;
2795  md5_context md5;
2797 
2798  unsigned char padbuf[48];
2799  unsigned char md5sum[16];
2800  unsigned char sha1sum[20];
2801 
2802  ssl_session *session = ssl->session_negotiate;
2803  if( !session )
2804  session = ssl->session;
2805 
2806  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2807 
2808  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2809  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2810 
2811  /*
2812  * SSLv3:
2813  * hash =
2814  * MD5( master + pad2 +
2815  * MD5( handshake + sender + master + pad1 ) )
2816  * + SHA1( master + pad2 +
2817  * SHA1( handshake + sender + master + pad1 ) )
2818  */
2819 
2820 #if !defined(POLARSSL_MD5_ALT)
2821  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2822  md5.state, sizeof( md5.state ) );
2823 #endif
2824 
2825 #if !defined(POLARSSL_SHA1_ALT)
2826  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2827  sha1.state, sizeof( sha1.state ) );
2828 #endif
2829 
2830  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2831  : "SRVR";
2832 
2833  memset( padbuf, 0x36, 48 );
2834 
2835  md5_update( &md5, (const unsigned char *) sender, 4 );
2836  md5_update( &md5, session->master, 48 );
2837  md5_update( &md5, padbuf, 48 );
2838  md5_finish( &md5, md5sum );
2839 
2840  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2841  sha1_update( &sha1, session->master, 48 );
2842  sha1_update( &sha1, padbuf, 40 );
2843  sha1_finish( &sha1, sha1sum );
2844 
2845  memset( padbuf, 0x5C, 48 );
2846 
2847  md5_starts( &md5 );
2848  md5_update( &md5, session->master, 48 );
2849  md5_update( &md5, padbuf, 48 );
2850  md5_update( &md5, md5sum, 16 );
2851  md5_finish( &md5, buf );
2852 
2853  sha1_starts( &sha1 );
2854  sha1_update( &sha1, session->master, 48 );
2855  sha1_update( &sha1, padbuf , 40 );
2856  sha1_update( &sha1, sha1sum, 20 );
2857  sha1_finish( &sha1, buf + 16 );
2858 
2859  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2860 
2861  memset( &md5, 0, sizeof( md5_context ) );
2862  memset( &sha1, 0, sizeof( sha1_context ) );
2863 
2864  memset( padbuf, 0, sizeof( padbuf ) );
2865  memset( md5sum, 0, sizeof( md5sum ) );
2866  memset( sha1sum, 0, sizeof( sha1sum ) );
2867 
2868  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2869 }
2870 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2871 
2872 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
2873 static void ssl_calc_finished_tls(
2874  ssl_context *ssl, unsigned char *buf, int from )
2875 {
2876  int len = 12;
2877  const char *sender;
2878  md5_context md5;
2880  unsigned char padbuf[36];
2881 
2882  ssl_session *session = ssl->session_negotiate;
2883  if( !session )
2884  session = ssl->session;
2885 
2886  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2887 
2888  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2889  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2890 
2891  /*
2892  * TLSv1:
2893  * hash = PRF( master, finished_label,
2894  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2895  */
2896 
2897 #if !defined(POLARSSL_MD5_ALT)
2898  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2899  md5.state, sizeof( md5.state ) );
2900 #endif
2901 
2902 #if !defined(POLARSSL_SHA1_ALT)
2903  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2904  sha1.state, sizeof( sha1.state ) );
2905 #endif
2906 
2907  sender = ( from == SSL_IS_CLIENT )
2908  ? "client finished"
2909  : "server finished";
2910 
2911  md5_finish( &md5, padbuf );
2912  sha1_finish( &sha1, padbuf + 16 );
2913 
2914  ssl->handshake->tls_prf( session->master, 48, sender,
2915  padbuf, 36, buf, len );
2916 
2917  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2918 
2919  memset( &md5, 0, sizeof( md5_context ) );
2920  memset( &sha1, 0, sizeof( sha1_context ) );
2921 
2922  memset( padbuf, 0, sizeof( padbuf ) );
2923 
2924  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2925 }
2926 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
2927 
2928 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2929 #if defined(POLARSSL_SHA256_C)
2930 static void ssl_calc_finished_tls_sha256(
2931  ssl_context *ssl, unsigned char *buf, int from )
2932 {
2933  int len = 12;
2934  const char *sender;
2936  unsigned char padbuf[32];
2937 
2938  ssl_session *session = ssl->session_negotiate;
2939  if( !session )
2940  session = ssl->session;
2941 
2942  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2943 
2944  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
2945 
2946  /*
2947  * TLSv1.2:
2948  * hash = PRF( master, finished_label,
2949  * Hash( handshake ) )[0.11]
2950  */
2951 
2952 #if !defined(POLARSSL_SHA256_ALT)
2953  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2954  sha256.state, sizeof( sha256.state ) );
2955 #endif
2956 
2957  sender = ( from == SSL_IS_CLIENT )
2958  ? "client finished"
2959  : "server finished";
2960 
2961  sha256_finish( &sha256, padbuf );
2962 
2963  ssl->handshake->tls_prf( session->master, 48, sender,
2964  padbuf, 32, buf, len );
2965 
2966  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2967 
2968  memset( &sha256, 0, sizeof( sha256_context ) );
2969 
2970  memset( padbuf, 0, sizeof( padbuf ) );
2971 
2972  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2973 }
2974 #endif /* POLARSSL_SHA256_C */
2975 
2976 #if defined(POLARSSL_SHA512_C)
2977 static void ssl_calc_finished_tls_sha384(
2978  ssl_context *ssl, unsigned char *buf, int from )
2979 {
2980  int len = 12;
2981  const char *sender;
2983  unsigned char padbuf[48];
2984 
2985  ssl_session *session = ssl->session_negotiate;
2986  if( !session )
2987  session = ssl->session;
2988 
2989  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
2990 
2991  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
2992 
2993  /*
2994  * TLSv1.2:
2995  * hash = PRF( master, finished_label,
2996  * Hash( handshake ) )[0.11]
2997  */
2998 
2999 #if !defined(POLARSSL_SHA512_ALT)
3000  SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3001  sha512.state, sizeof( sha512.state ) );
3002 #endif
3003 
3004  sender = ( from == SSL_IS_CLIENT )
3005  ? "client finished"
3006  : "server finished";
3007 
3008  sha512_finish( &sha512, padbuf );
3009 
3010  ssl->handshake->tls_prf( session->master, 48, sender,
3011  padbuf, 48, buf, len );
3012 
3013  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3014 
3015  memset( &sha512, 0, sizeof( sha512_context ) );
3016 
3017  memset( padbuf, 0, sizeof( padbuf ) );
3018 
3019  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3020 }
3021 #endif /* POLARSSL_SHA512_C */
3022 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3023 
3024 void ssl_handshake_wrapup( ssl_context *ssl )
3025 {
3026  int resume = ssl->handshake->resume;
3027 
3028  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3029 
3030  /*
3031  * Free our handshake params
3032  */
3033  ssl_handshake_free( ssl->handshake );
3034  polarssl_free( ssl->handshake );
3035  ssl->handshake = NULL;
3036 
3037  /*
3038  * Switch in our now active transform context
3039  */
3040  if( ssl->transform )
3041  {
3042  ssl_transform_free( ssl->transform );
3043  polarssl_free( ssl->transform );
3044  }
3045  ssl->transform = ssl->transform_negotiate;
3046  ssl->transform_negotiate = NULL;
3047 
3048  if( ssl->session )
3049  {
3050  ssl_session_free( ssl->session );
3051  polarssl_free( ssl->session );
3052  }
3053  ssl->session = ssl->session_negotiate;
3054  ssl->session_negotiate = NULL;
3055 
3056  /*
3057  * Add cache entry
3058  */
3059  if( ssl->f_set_cache != NULL &&
3060  ssl->session->length != 0 &&
3061  resume == 0 )
3062  {
3063  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3064  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
3065  }
3066 
3067  ssl->state++;
3068 
3069  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3070 }
3071 
3072 int ssl_write_finished( ssl_context *ssl )
3073 {
3074  int ret, hash_len;
3075 
3076  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3077 
3078  /*
3079  * Set the out_msg pointer to the correct location based on IV length
3080  */
3081  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3082  {
3083  ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3085  }
3086  else
3087  ssl->out_msg = ssl->out_iv;
3088 
3089  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
3090 
3091  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3092  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3093 
3094  ssl->verify_data_len = hash_len;
3095  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
3096 
3097  ssl->out_msglen = 4 + hash_len;
3099  ssl->out_msg[0] = SSL_HS_FINISHED;
3100 
3101  /*
3102  * In case of session resuming, invert the client and server
3103  * ChangeCipherSpec messages order.
3104  */
3105  if( ssl->handshake->resume != 0 )
3106  {
3107  if( ssl->endpoint == SSL_IS_CLIENT )
3108  ssl->state = SSL_HANDSHAKE_WRAPUP;
3109  else
3111  }
3112  else
3113  ssl->state++;
3114 
3115  /*
3116  * Switch to our negotiated transform and session parameters for outbound data.
3117  */
3118  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3119  ssl->transform_out = ssl->transform_negotiate;
3120  ssl->session_out = ssl->session_negotiate;
3121  memset( ssl->out_ctr, 0, 8 );
3122 
3123 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3124  if( ssl_hw_record_activate != NULL)
3125  {
3126  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3127  {
3128  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3130  }
3131  }
3132 #endif
3133 
3134  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3135  {
3136  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3137  return( ret );
3138  }
3139 
3140  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3141 
3142  return( 0 );
3143 }
3144 
3145 int ssl_parse_finished( ssl_context *ssl )
3146 {
3147  int ret;
3148  unsigned int hash_len;
3149  unsigned char buf[36];
3150 
3151  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3152 
3153  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
3154 
3155  /*
3156  * Switch to our negotiated transform and session parameters for inbound data.
3157  */
3158  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3159  ssl->transform_in = ssl->transform_negotiate;
3160  ssl->session_in = ssl->session_negotiate;
3161  memset( ssl->in_ctr, 0, 8 );
3162 
3163  /*
3164  * Set the in_msg pointer to the correct location based on IV length
3165  */
3166  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3167  {
3168  ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3170  }
3171  else
3172  ssl->in_msg = ssl->in_iv;
3173 
3174 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3175  if( ssl_hw_record_activate != NULL)
3176  {
3177  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3178  {
3179  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3181  }
3182  }
3183 #endif
3184 
3185  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3186  {
3187  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3188  return( ret );
3189  }
3190 
3191  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3192  {
3193  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3195  }
3196 
3197  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3198  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3199 
3200  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3201  ssl->in_hslen != 4 + hash_len )
3202  {
3203  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3205  }
3206 
3207  if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
3208  {
3209  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3211  }
3212 
3213  ssl->verify_data_len = hash_len;
3214  memcpy( ssl->peer_verify_data, buf, hash_len );
3215 
3216  if( ssl->handshake->resume != 0 )
3217  {
3218  if( ssl->endpoint == SSL_IS_CLIENT )
3220 
3221  if( ssl->endpoint == SSL_IS_SERVER )
3222  ssl->state = SSL_HANDSHAKE_WRAPUP;
3223  }
3224  else
3225  ssl->state++;
3226 
3227  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3228 
3229  return( 0 );
3230 }
3231 
3232 static int ssl_handshake_init( ssl_context *ssl )
3233 {
3234  if( ssl->transform_negotiate )
3236  else
3237  {
3238  ssl->transform_negotiate =
3240  }
3241 
3242  if( ssl->session_negotiate )
3244  else
3245  {
3246  ssl->session_negotiate =
3247  (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
3248  }
3249 
3250  if( ssl->handshake )
3251  ssl_handshake_free( ssl->handshake );
3252  else
3253  {
3254  ssl->handshake = (ssl_handshake_params *)
3256  }
3257 
3258  if( ssl->handshake == NULL ||
3259  ssl->transform_negotiate == NULL ||
3260  ssl->session_negotiate == NULL )
3261  {
3262  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3264  }
3265 
3266  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
3267  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
3268  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
3269 
3270 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3271  defined(POLARSSL_SSL_PROTO_TLS1_1)
3272  md5_starts( &ssl->handshake->fin_md5 );
3273  sha1_starts( &ssl->handshake->fin_sha1 );
3274 #endif
3275 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3276 #if defined(POLARSSL_SHA256_C)
3277  sha256_starts( &ssl->handshake->fin_sha256, 0 );
3278 #endif
3279 #if defined(POLARSSL_SHA512_C)
3280  sha512_starts( &ssl->handshake->fin_sha512, 1 );
3281 #endif
3282 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3283 
3284  ssl->handshake->update_checksum = ssl_update_checksum_start;
3286 
3287 #if defined(POLARSSL_ECDH_C)
3288  ecdh_init( &ssl->handshake->ecdh_ctx );
3289 #endif
3290 
3291  return( 0 );
3292 }
3293 
3294 /*
3295  * Initialize an SSL context
3296  */
3297 int ssl_init( ssl_context *ssl )
3298 {
3299  int ret;
3300  int len = SSL_BUFFER_LEN;
3301 
3302  memset( ssl, 0, sizeof( ssl_context ) );
3303 
3304  /*
3305  * Sane defaults
3306  */
3311 
3313 
3314 #if defined(POLARSSL_DHM_C)
3315  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3317  ( ret = mpi_read_string( &ssl->dhm_G, 16,
3319  {
3320  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3321  return( ret );
3322  }
3323 #endif
3324 
3325  /*
3326  * Prepare base structures
3327  */
3328  ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
3329  ssl->in_hdr = ssl->in_ctr + 8;
3330  ssl->in_iv = ssl->in_ctr + 13;
3331  ssl->in_msg = ssl->in_ctr + 13;
3332 
3333  if( ssl->in_ctr == NULL )
3334  {
3335  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3337  }
3338 
3339  ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
3340  ssl->out_hdr = ssl->out_ctr + 8;
3341  ssl->out_iv = ssl->out_ctr + 13;
3342  ssl->out_msg = ssl->out_ctr + 13;
3343 
3344  if( ssl->out_ctr == NULL )
3345  {
3346  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3347  polarssl_free( ssl-> in_ctr );
3349  }
3350 
3351  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3352  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3353 
3354 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3356 #endif
3357 
3358  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3359  return( ret );
3360 
3361  return( 0 );
3362 }
3363 
3364 /*
3365  * Reset an initialized and used SSL context for re-use while retaining
3366  * all application-set variables, function pointers and data.
3367  */
3368 int ssl_session_reset( ssl_context *ssl )
3369 {
3370  int ret;
3371 
3372  ssl->state = SSL_HELLO_REQUEST;
3375 
3376  ssl->verify_data_len = 0;
3377  memset( ssl->own_verify_data, 0, 36 );
3378  memset( ssl->peer_verify_data, 0, 36 );
3379 
3380  ssl->in_offt = NULL;
3381 
3382  ssl->in_msg = ssl->in_ctr + 13;
3383  ssl->in_msgtype = 0;
3384  ssl->in_msglen = 0;
3385  ssl->in_left = 0;
3386 
3387  ssl->in_hslen = 0;
3388  ssl->nb_zero = 0;
3389  ssl->record_read = 0;
3390 
3391  ssl->out_msg = ssl->out_ctr + 13;
3392  ssl->out_msgtype = 0;
3393  ssl->out_msglen = 0;
3394  ssl->out_left = 0;
3395 
3396  ssl->transform_in = NULL;
3397  ssl->transform_out = NULL;
3398 
3399  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3400  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3401 
3402 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3403  if( ssl_hw_record_reset != NULL)
3404  {
3405  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3406  if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
3407  {
3408  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3410  }
3411  }
3412 #endif
3413 
3414  if( ssl->transform )
3415  {
3416  ssl_transform_free( ssl->transform );
3417  polarssl_free( ssl->transform );
3418  ssl->transform = NULL;
3419  }
3420 
3421  if( ssl->session )
3422  {
3423  ssl_session_free( ssl->session );
3424  polarssl_free( ssl->session );
3425  ssl->session = NULL;
3426  }
3427 
3428  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3429  return( ret );
3430 
3431  return( 0 );
3432 }
3433 
3434 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3435 /*
3436  * Allocate and initialize ticket keys
3437  */
3438 static int ssl_ticket_keys_init( ssl_context *ssl )
3439 {
3440  int ret;
3441  ssl_ticket_keys *tkeys;
3442  unsigned char buf[16];
3443 
3444  if( ssl->ticket_keys != NULL )
3445  return( 0 );
3446 
3447  tkeys = (ssl_ticket_keys *) polarssl_malloc( sizeof(ssl_ticket_keys) );
3448  if( tkeys == NULL )
3450 
3451  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
3452  return( ret );
3453 
3454  if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3455  ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3456  ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3457  {
3458  return( ret );
3459  }
3460 
3461  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
3462  return( ret );
3463 
3464  ssl->ticket_keys = tkeys;
3465 
3466  return( 0 );
3467 }
3468 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3469 
3470 /*
3471  * SSL set accessors
3472  */
3473 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3474 {
3475  ssl->endpoint = endpoint;
3476 
3477 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3478  if( endpoint == SSL_IS_CLIENT )
3480 #endif
3481 }
3482 
3483 void ssl_set_authmode( ssl_context *ssl, int authmode )
3484 {
3485  ssl->authmode = authmode;
3486 }
3487 
3488 #if defined(POLARSSL_X509_CRT_PARSE_C)
3489 void ssl_set_verify( ssl_context *ssl,
3490  int (*f_vrfy)(void *, x509_crt *, int, int *),
3491  void *p_vrfy )
3492 {
3493  ssl->f_vrfy = f_vrfy;
3494  ssl->p_vrfy = p_vrfy;
3495 }
3496 #endif /* POLARSSL_X509_CRT_PARSE_C */
3497 
3498 void ssl_set_rng( ssl_context *ssl,
3499  int (*f_rng)(void *, unsigned char *, size_t),
3500  void *p_rng )
3501 {
3502  ssl->f_rng = f_rng;
3503  ssl->p_rng = p_rng;
3504 }
3505 
3506 void ssl_set_dbg( ssl_context *ssl,
3507  void (*f_dbg)(void *, int, const char *),
3508  void *p_dbg )
3509 {
3510  ssl->f_dbg = f_dbg;
3511  ssl->p_dbg = p_dbg;
3512 }
3513 
3514 void ssl_set_bio( ssl_context *ssl,
3515  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3516  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3517 {
3518  ssl->f_recv = f_recv;
3519  ssl->f_send = f_send;
3520  ssl->p_recv = p_recv;
3521  ssl->p_send = p_send;
3522 }
3523 
3525  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3526  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3527 {
3528  ssl->f_get_cache = f_get_cache;
3529  ssl->p_get_cache = p_get_cache;
3530  ssl->f_set_cache = f_set_cache;
3531  ssl->p_set_cache = p_set_cache;
3532 }
3533 
3534 int ssl_set_session( ssl_context *ssl, const ssl_session *session )
3535 {
3536  int ret;
3537 
3538  if( ssl == NULL ||
3539  session == NULL ||
3540  ssl->session_negotiate == NULL ||
3541  ssl->endpoint != SSL_IS_CLIENT )
3542  {
3544  }
3545 
3546  if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3547  return( ret );
3548 
3549  ssl->handshake->resume = 1;
3550 
3551  return( 0 );
3552 }
3553 
3554 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3555 {
3556  ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3557  ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3558  ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3559  ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3560 }
3561 
3562 void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
3563  int major, int minor )
3564 {
3565  if( major != SSL_MAJOR_VERSION_3 )
3566  return;
3567 
3568  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3569  return;
3570 
3571  ssl->ciphersuite_list[minor] = ciphersuites;
3572 }
3573 
3574 #if defined(POLARSSL_X509_CRT_PARSE_C)
3575 /* Add a new (empty) key_cert entry an return a pointer to it */
3576 static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3577 {
3578  ssl_key_cert *key_cert, *last;
3579 
3580  key_cert = (ssl_key_cert *) polarssl_malloc( sizeof(ssl_key_cert) );
3581  if( key_cert == NULL )
3582  return( NULL );
3583 
3584  memset( key_cert, 0, sizeof( ssl_key_cert ) );
3585 
3586  /* Append the new key_cert to the (possibly empty) current list */
3587  if( ssl->key_cert == NULL )
3588  ssl->key_cert = key_cert;
3589  else
3590  {
3591  last = ssl->key_cert;
3592  while( last->next != NULL )
3593  last = last->next;
3594  last->next = key_cert;
3595  }
3596 
3597  return key_cert;
3598 }
3599 
3600 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
3601  x509_crl *ca_crl, const char *peer_cn )
3602 {
3603  ssl->ca_chain = ca_chain;
3604  ssl->ca_crl = ca_crl;
3605  ssl->peer_cn = peer_cn;
3606 }
3607 
3608 int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
3609  pk_context *pk_key )
3610 {
3611  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3612 
3613  if( key_cert == NULL )
3615 
3616  key_cert->cert = own_cert;
3617  key_cert->key = pk_key;
3618 
3619  return( 0 );
3620 }
3621 
3622 #if defined(POLARSSL_RSA_C)
3623 int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
3624  rsa_context *rsa_key )
3625 {
3626  int ret;
3627  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3628 
3629  if( key_cert == NULL )
3631 
3632  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3633  if( key_cert->key == NULL )
3635 
3636  pk_init( key_cert->key );
3637 
3638  ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
3639  if( ret != 0 )
3640  return( ret );
3641 
3642  if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
3643  return( ret );
3644 
3645  key_cert->cert = own_cert;
3646  key_cert->key_own_alloc = 1;
3647 
3648  return( 0 );
3649 }
3650 #endif /* POLARSSL_RSA_C */
3651 
3652 int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
3653  void *rsa_key,
3654  rsa_decrypt_func rsa_decrypt,
3655  rsa_sign_func rsa_sign,
3656  rsa_key_len_func rsa_key_len )
3657 {
3658  int ret;
3659  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3660 
3661  if( key_cert == NULL )
3663 
3664  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3665  if( key_cert->key == NULL )
3667 
3668  pk_init( key_cert->key );
3669 
3670  if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
3671  rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
3672  return( ret );
3673 
3674  key_cert->cert = own_cert;
3675  key_cert->key_own_alloc = 1;
3676 
3677  return( 0 );
3678 }
3679 #endif /* POLARSSL_X509_CRT_PARSE_C */
3680 
3681 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
3682 int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3683  const unsigned char *psk_identity, size_t psk_identity_len )
3684 {
3685  if( psk == NULL || psk_identity == NULL )
3687 
3688  if( ssl->psk != NULL )
3689  {
3690  polarssl_free( ssl->psk );
3691  polarssl_free( ssl->psk_identity );
3692  }
3693 
3694  ssl->psk_len = psk_len;
3695  ssl->psk_identity_len = psk_identity_len;
3696 
3697  ssl->psk = (unsigned char *) polarssl_malloc( ssl->psk_len );
3698  ssl->psk_identity = (unsigned char *) polarssl_malloc( ssl->psk_identity_len );
3699 
3700  if( ssl->psk == NULL || ssl->psk_identity == NULL )
3702 
3703  memcpy( ssl->psk, psk, ssl->psk_len );
3704  memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
3705 
3706  return( 0 );
3707 }
3708 
3709 void ssl_set_psk_cb( ssl_context *ssl,
3710  int (*f_psk)(void *, ssl_context *, const unsigned char *,
3711  size_t),
3712  void *p_psk )
3713 {
3714  ssl->f_psk = f_psk;
3715  ssl->p_psk = p_psk;
3716 }
3717 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
3718 
3719 #if defined(POLARSSL_DHM_C)
3720 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3721 {
3722  int ret;
3723 
3724  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3725  {
3726  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3727  return( ret );
3728  }
3729 
3730  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3731  {
3732  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3733  return( ret );
3734  }
3735 
3736  return( 0 );
3737 }
3738 
3739 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3740 {
3741  int ret;
3742 
3743  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3744  {
3745  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3746  return( ret );
3747  }
3748 
3749  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3750  {
3751  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3752  return( ret );
3753  }
3754 
3755  return( 0 );
3756 }
3757 #endif /* POLARSSL_DHM_C */
3758 
3759 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
3760 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3761 {
3762  if( hostname == NULL )
3764 
3765  ssl->hostname_len = strlen( hostname );
3766 
3767  if( ssl->hostname_len + 1 == 0 )
3769 
3770  ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
3771 
3772  if( ssl->hostname == NULL )
3774 
3775  memcpy( ssl->hostname, (const unsigned char *) hostname,
3776  ssl->hostname_len );
3777 
3778  ssl->hostname[ssl->hostname_len] = '\0';
3779 
3780  return( 0 );
3781 }
3782 
3783 void ssl_set_sni( ssl_context *ssl,
3784  int (*f_sni)(void *, ssl_context *,
3785  const unsigned char *, size_t),
3786  void *p_sni )
3787 {
3788  ssl->f_sni = f_sni;
3789  ssl->p_sni = p_sni;
3790 }
3791 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
3792 
3793 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3794 {
3795  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3796  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3797  {
3798  ssl->max_major_ver = major;
3799  ssl->max_minor_ver = minor;
3800  }
3801 }
3802 
3803 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3804 {
3805  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3806  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3807  {
3808  ssl->min_major_ver = major;
3809  ssl->min_minor_ver = minor;
3810  }
3811 }
3812 
3813 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
3814 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
3815 {
3816  if( mfl_code >= sizeof( mfl_code_to_length ) ||
3817  mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
3818  {
3820  }
3821 
3822  ssl->mfl_code = mfl_code;
3823 
3824  return( 0 );
3825 }
3826 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
3827 
3828 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
3829 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
3830 {
3831  if( ssl->endpoint != SSL_IS_CLIENT )
3833 
3834  ssl->trunc_hmac = truncate;
3835 
3836  return( 0 );
3837 }
3838 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
3839 
3840 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3841 {
3842  ssl->disable_renegotiation = renegotiation;
3843 }
3844 
3845 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3846 {
3847  ssl->allow_legacy_renegotiation = allow_legacy;
3848 }
3849 
3850 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3851 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
3852 {
3853  ssl->session_tickets = use_tickets;
3854 
3855  if( ssl->endpoint == SSL_IS_CLIENT )
3856  return( 0 );
3857 
3858  if( ssl->f_rng == NULL )
3860 
3861  return( ssl_ticket_keys_init( ssl ) );
3862 }
3863 
3864 void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
3865 {
3866  ssl->ticket_lifetime = lifetime;
3867 }
3868 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3869 
3870 /*
3871  * SSL get accessors
3872  */
3873 size_t ssl_get_bytes_avail( const ssl_context *ssl )
3874 {
3875  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3876 }
3877 
3878 int ssl_get_verify_result( const ssl_context *ssl )
3879 {
3880  return( ssl->session->verify_result );
3881 }
3882 
3883 const char *ssl_get_ciphersuite( const ssl_context *ssl )
3884 {
3885  if( ssl == NULL || ssl->session == NULL )
3886  return NULL;
3887 
3889 }
3890 
3891 const char *ssl_get_version( const ssl_context *ssl )
3892 {
3893  switch( ssl->minor_ver )
3894  {
3895  case SSL_MINOR_VERSION_0:
3896  return( "SSLv3.0" );
3897 
3898  case SSL_MINOR_VERSION_1:
3899  return( "TLSv1.0" );
3900 
3901  case SSL_MINOR_VERSION_2:
3902  return( "TLSv1.1" );
3903 
3904  case SSL_MINOR_VERSION_3:
3905  return( "TLSv1.2" );
3906 
3907  default:
3908  break;
3909  }
3910  return( "unknown" );
3911 }
3912 
3913 #if defined(POLARSSL_X509_CRT_PARSE_C)
3914 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
3915 {
3916  if( ssl == NULL || ssl->session == NULL )
3917  return NULL;
3918 
3919  return ssl->session->peer_cert;
3920 }
3921 #endif /* POLARSSL_X509_CRT_PARSE_C */
3922 
3923 int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
3924 {
3925  if( ssl == NULL ||
3926  dst == NULL ||
3927  ssl->session == NULL ||
3928  ssl->endpoint != SSL_IS_CLIENT )
3929  {
3931  }
3932 
3933  return( ssl_session_copy( dst, ssl->session ) );
3934 }
3935 
3936 /*
3937  * Perform a single step of the SSL handshake
3938  */
3939 int ssl_handshake_step( ssl_context *ssl )
3940 {
3942 
3943 #if defined(POLARSSL_SSL_CLI_C)
3944  if( ssl->endpoint == SSL_IS_CLIENT )
3945  ret = ssl_handshake_client_step( ssl );
3946 #endif
3947 
3948 #if defined(POLARSSL_SSL_SRV_C)
3949  if( ssl->endpoint == SSL_IS_SERVER )
3950  ret = ssl_handshake_server_step( ssl );
3951 #endif
3952 
3953  return( ret );
3954 }
3955 
3956 /*
3957  * Perform the SSL handshake
3958  */
3959 int ssl_handshake( ssl_context *ssl )
3960 {
3961  int ret = 0;
3962 
3963  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3964 
3965 #if defined(POLARSSL_X509_CRT_PARSE_C)
3966  ssl->handshake->key_cert = ssl->key_cert;
3967 #endif
3968 
3969  while( ssl->state != SSL_HANDSHAKE_OVER )
3970  {
3971  ret = ssl_handshake_step( ssl );
3972 
3973  if( ret != 0 )
3974  break;
3975  }
3976 
3977  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3978 
3979  return( ret );
3980 }
3981 
3982 /*
3983  * Renegotiate current connection
3984  */
3985 int ssl_renegotiate( ssl_context *ssl )
3986 {
3987  int ret;
3988 
3989  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
3990 
3991  if( ssl->state != SSL_HANDSHAKE_OVER )
3993 
3994  ssl->state = SSL_HELLO_REQUEST;
3996 
3997  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3998  return( ret );
3999 
4000  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4001  {
4002  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4003  return( ret );
4004  }
4005 
4006  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4007 
4008  return( 0 );
4009 }
4010 
4011 /*
4012  * Receive application data decrypted from the SSL layer
4013  */
4014 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
4015 {
4016  int ret;
4017  size_t n;
4018 
4019  SSL_DEBUG_MSG( 2, ( "=> read" ) );
4020 
4021  if( ssl->state != SSL_HANDSHAKE_OVER )
4022  {
4023  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4024  {
4025  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4026  return( ret );
4027  }
4028  }
4029 
4030  if( ssl->in_offt == NULL )
4031  {
4032  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4033  {
4034  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4035  return( 0 );
4036 
4037  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4038  return( ret );
4039  }
4040 
4041  if( ssl->in_msglen == 0 &&
4043  {
4044  /*
4045  * OpenSSL sends empty messages to randomize the IV
4046  */
4047  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4048  {
4049  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4050  return( 0 );
4051 
4052  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4053  return( ret );
4054  }
4055  }
4056 
4057  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4058  {
4059  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4060 
4061  if( ssl->endpoint == SSL_IS_CLIENT &&
4062  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4063  ssl->in_hslen != 4 ) )
4064  {
4065  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4067  }
4068 
4072  {
4073  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4074 
4075 #if defined(POLARSSL_SSL_PROTO_SSL3)
4076  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
4077  {
4078  /*
4079  * SSLv3 does not have a "no_renegotiation" alert
4080  */
4081  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4082  return( ret );
4083  }
4084  else
4085 #endif
4086 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4087  defined(POLARSSL_SSL_PROTO_TLS1_2)
4088  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
4089  {
4090  if( ( ret = ssl_send_alert_message( ssl,
4093  {
4094  return( ret );
4095  }
4096  }
4097  else
4098 #endif
4099  {
4100  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4102  }
4103  }
4104  else
4105  {
4106  if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
4107  {
4108  SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
4109  return( ret );
4110  }
4111 
4112  return( POLARSSL_ERR_NET_WANT_READ );
4113  }
4114  }
4115  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
4116  {
4117  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
4119  }
4120 
4121  ssl->in_offt = ssl->in_msg;
4122  }
4123 
4124  n = ( len < ssl->in_msglen )
4125  ? len : ssl->in_msglen;
4126 
4127  memcpy( buf, ssl->in_offt, n );
4128  ssl->in_msglen -= n;
4129 
4130  if( ssl->in_msglen == 0 )
4131  /* all bytes consumed */
4132  ssl->in_offt = NULL;
4133  else
4134  /* more data available */
4135  ssl->in_offt += n;
4136 
4137  SSL_DEBUG_MSG( 2, ( "<= read" ) );
4138 
4139  return( (int) n );
4140 }
4141 
4142 /*
4143  * Send application data to be encrypted by the SSL layer
4144  */
4145 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4146 {
4147  int ret;
4148  size_t n;
4149  unsigned int max_len = SSL_MAX_CONTENT_LEN;
4150 
4151  SSL_DEBUG_MSG( 2, ( "=> write" ) );
4152 
4153  if( ssl->state != SSL_HANDSHAKE_OVER )
4154  {
4155  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4156  {
4157  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4158  return( ret );
4159  }
4160  }
4161 
4162 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4163  /*
4164  * Assume mfl_code is correct since it was checked when set
4165  */
4166  max_len = mfl_code_to_length[ssl->mfl_code];
4167 
4168  /*
4169  * Check if a smaller max length was negotiated
4170  */
4171  if( ssl->session_out != NULL &&
4172  mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4173  {
4174  max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4175  }
4176 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4177 
4178  n = ( len < max_len) ? len : max_len;
4179 
4180  if( ssl->out_left != 0 )
4181  {
4182  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4183  {
4184  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4185  return( ret );
4186  }
4187  }
4188  else
4189  {
4190  ssl->out_msglen = n;
4192  memcpy( ssl->out_msg, buf, n );
4193 
4194  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4195  {
4196  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4197  return( ret );
4198  }
4199  }
4200 
4201  SSL_DEBUG_MSG( 2, ( "<= write" ) );
4202 
4203  return( (int) n );
4204 }
4205 
4206 /*
4207  * Notify the peer that the connection is being closed
4208  */
4209 int ssl_close_notify( ssl_context *ssl )
4210 {
4211  int ret;
4212 
4213  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4214 
4215  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4216  {
4217  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4218  return( ret );
4219  }
4220 
4221  if( ssl->state == SSL_HANDSHAKE_OVER )
4222  {
4223  if( ( ret = ssl_send_alert_message( ssl,
4225  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4226  {
4227  return( ret );
4228  }
4229  }
4230 
4231  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4232 
4233  return( ret );
4234 }
4235 
4236 void ssl_transform_free( ssl_transform *transform )
4237 {
4238 #if defined(POLARSSL_ZLIB_SUPPORT)
4239  deflateEnd( &transform->ctx_deflate );
4240  inflateEnd( &transform->ctx_inflate );
4241 #endif
4242 
4243  cipher_free_ctx( &transform->cipher_ctx_enc );
4244  cipher_free_ctx( &transform->cipher_ctx_dec );
4245 
4246  md_free_ctx( &transform->md_ctx_enc );
4247  md_free_ctx( &transform->md_ctx_dec );
4248 
4249  memset( transform, 0, sizeof( ssl_transform ) );
4250 }
4251 
4252 #if defined(POLARSSL_X509_CRT_PARSE_C)
4253 static void ssl_key_cert_free( ssl_key_cert *key_cert )
4254 {
4255  ssl_key_cert *cur = key_cert, *next;
4256 
4257  while( cur != NULL )
4258  {
4259  next = cur->next;
4260 
4261  if( cur->key_own_alloc )
4262  {
4263  pk_free( cur->key );
4264  polarssl_free( cur->key );
4265  }
4266  polarssl_free( cur );
4267 
4268  cur = next;
4269  }
4270 }
4271 #endif /* POLARSSL_X509_CRT_PARSE_C */
4272 
4273 void ssl_handshake_free( ssl_handshake_params *handshake )
4274 {
4275 #if defined(POLARSSL_DHM_C)
4276  dhm_free( &handshake->dhm_ctx );
4277 #endif
4278 #if defined(POLARSSL_ECDH_C)
4279  ecdh_free( &handshake->ecdh_ctx );
4280 #endif
4281 
4282 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
4283  /* explicit void pointer cast for buggy MS compiler */
4284  polarssl_free( (void *) handshake->curves );
4285 #endif
4286 
4287 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
4288  defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4289  /*
4290  * Free only the linked list wrapper, not the keys themselves
4291  * since the belong to the SNI callback
4292  */
4293  if( handshake->sni_key_cert != NULL )
4294  {
4295  ssl_key_cert *cur = handshake->sni_key_cert, *next;
4296 
4297  while( cur != NULL )
4298  {
4299  next = cur->next;
4300  polarssl_free( cur );
4301  cur = next;
4302  }
4303  }
4304 #endif
4305 
4306  memset( handshake, 0, sizeof( ssl_handshake_params ) );
4307 }
4308 
4309 void ssl_session_free( ssl_session *session )
4310 {
4311 #if defined(POLARSSL_X509_CRT_PARSE_C)
4312  if( session->peer_cert != NULL )
4313  {
4314  x509_crt_free( session->peer_cert );
4315  polarssl_free( session->peer_cert );
4316  }
4317 #endif
4318 
4319 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4320  polarssl_free( session->ticket );
4321 #endif
4322 
4323  memset( session, 0, sizeof( ssl_session ) );
4324 }
4325 
4326 /*
4327  * Free an SSL context
4328  */
4329 void ssl_free( ssl_context *ssl )
4330 {
4331  SSL_DEBUG_MSG( 2, ( "=> free" ) );
4332 
4333  if( ssl->out_ctr != NULL )
4334  {
4335  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
4336  polarssl_free( ssl->out_ctr );
4337  }
4338 
4339  if( ssl->in_ctr != NULL )
4340  {
4341  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
4342  polarssl_free( ssl->in_ctr );
4343  }
4344 
4345 #if defined(POLARSSL_ZLIB_SUPPORT)
4346  if( ssl->compress_buf != NULL )
4347  {
4348  memset( ssl->compress_buf, 0, SSL_BUFFER_LEN );
4349  polarssl_free( ssl->compress_buf );
4350  }
4351 #endif
4352 
4353 #if defined(POLARSSL_DHM_C)
4354  mpi_free( &ssl->dhm_P );
4355  mpi_free( &ssl->dhm_G );
4356 #endif
4357 
4358  if( ssl->transform )
4359  {
4360  ssl_transform_free( ssl->transform );
4361  polarssl_free( ssl->transform );
4362  }
4363 
4364  if( ssl->handshake )
4365  {
4366  ssl_handshake_free( ssl->handshake );
4369 
4370  polarssl_free( ssl->handshake );
4373  }
4374 
4375  if( ssl->session )
4376  {
4377  ssl_session_free( ssl->session );
4378  polarssl_free( ssl->session );
4379  }
4380 
4381 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4382  polarssl_free( ssl->ticket_keys );
4383 #endif
4384 
4385 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4386  if ( ssl->hostname != NULL )
4387  {
4388  memset( ssl->hostname, 0, ssl->hostname_len );
4389  polarssl_free( ssl->hostname );
4390  ssl->hostname_len = 0;
4391  }
4392 #endif
4393 
4394 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
4395  if( ssl->psk != NULL )
4396  {
4397  memset( ssl->psk, 0, ssl->psk_len );
4398  memset( ssl->psk_identity, 0, ssl->psk_identity_len );
4399  polarssl_free( ssl->psk );
4400  polarssl_free( ssl->psk_identity );
4401  ssl->psk_len = 0;
4402  ssl->psk_identity_len = 0;
4403  }
4404 #endif
4405 
4406 #if defined(POLARSSL_X509_CRT_PARSE_C)
4407  ssl_key_cert_free( ssl->key_cert );
4408 #endif
4409 
4410 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4411  if( ssl_hw_record_finish != NULL )
4412  {
4413  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4414  ssl_hw_record_finish( ssl );
4415  }
4416 #endif
4417 
4418  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4419 
4420  /* Actually clear after last debug message */
4421  memset( ssl, 0, sizeof( ssl_context ) );
4422 }
4423 
4424 #if defined(POLARSSL_PK_C)
4425 /*
4426  * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
4427  */
4428 unsigned char ssl_sig_from_pk( pk_context *pk )
4429 {
4430 #if defined(POLARSSL_RSA_C)
4431  if( pk_can_do( pk, POLARSSL_PK_RSA ) )
4432  return( SSL_SIG_RSA );
4433 #endif
4434 #if defined(POLARSSL_ECDSA_C)
4435  if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
4436  return( SSL_SIG_ECDSA );
4437 #endif
4438  return( SSL_SIG_ANON );
4439 }
4440 
4441 pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
4442 {
4443  switch( sig )
4444  {
4445 #if defined(POLARSSL_RSA_C)
4446  case SSL_SIG_RSA:
4447  return( POLARSSL_PK_RSA );
4448 #endif
4449 #if defined(POLARSSL_ECDSA_C)
4450  case SSL_SIG_ECDSA:
4451  return( POLARSSL_PK_ECDSA );
4452 #endif
4453  default:
4454  return( POLARSSL_PK_NONE );
4455  }
4456 }
4457 #endif
4458 
4459 /*
4460  * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
4461  */
4462 md_type_t ssl_md_alg_from_hash( unsigned char hash )
4463 {
4464  switch( hash )
4465  {
4466 #if defined(POLARSSL_MD5_C)
4467  case SSL_HASH_MD5:
4468  return( POLARSSL_MD_MD5 );
4469 #endif
4470 #if defined(POLARSSL_SHA1_C)
4471  case SSL_HASH_SHA1:
4472  return( POLARSSL_MD_SHA1 );
4473 #endif
4474 #if defined(POLARSSL_SHA256_C)
4475  case SSL_HASH_SHA224:
4476  return( POLARSSL_MD_SHA224 );
4477  case SSL_HASH_SHA256:
4478  return( POLARSSL_MD_SHA256 );
4479 #endif
4480 #if defined(POLARSSL_SHA512_C)
4481  case SSL_HASH_SHA384:
4482  return( POLARSSL_MD_SHA384 );
4483  case SSL_HASH_SHA512:
4484  return( POLARSSL_MD_SHA512 );
4485 #endif
4486  default:
4487  return( POLARSSL_MD_NONE );
4488  }
4489 }
4490 
4491 #endif