Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / ff60ee6c2af5512ff67ad9f4f2dc193133a99016 / . / library / ssl_tls.c
blob: 03975d29b7766c70f3ac45735ddb75a14a14fe29 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 shared functions
3 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]4 * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
5 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]6 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]7 * Joined copyright on original XySSL code with: Christophe Devine
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23/*
24 * The SSL 3.0 specification was drafted by Netscape in 1996,
25 * and became an IETF standard in 1999.
26 *
27 * http://wp.netscape.com/eng/ssl3/
28 * http://www.ietf.org/rfc/rfc2246.txt
29 * http://www.ietf.org/rfc/rfc4346.txt
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_SSL_TLS_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
37#include "polarssl/arc4.h"
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]38#include "polarssl/camellia.h"
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]39#include "polarssl/des.h"
40#include "polarssl/debug.h"
41#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
43#include <string.h>
44#include <stdlib.h>
45#include <time.h>
46
47/*
48 * Key material generation
49 */
50static int tls1_prf( unsigned char *secret, int slen, char *label,
51 unsigned char *random, int rlen,
52 unsigned char *dstbuf, int dlen )
53{
54 int nb, hs;
55 int i, j, k;
56 unsigned char *S1, *S2;
57 unsigned char tmp[128];
58 unsigned char h_i[20];
59
60 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]61 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62
63 hs = ( slen + 1 ) / 2;
64 S1 = secret;
65 S2 = secret + slen - hs;
66
67 nb = strlen( label );
68 memcpy( tmp + 20, label, nb );
69 memcpy( tmp + 20 + nb, random, rlen );
70 nb += rlen;
71
72 /*
73 * First compute P_md5(secret,label+random)[0..dlen]
74 */
75 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
76
77 for( i = 0; i < dlen; i += 16 )
78 {
79 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
80 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
81
82 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
83
84 for( j = 0; j < k; j++ )
85 dstbuf[i + j] = h_i[j];
86 }
87
88 /*
89 * XOR out with P_sha1(secret,label+random)[0..dlen]
90 */
91 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
92
93 for( i = 0; i < dlen; i += 20 )
94 {
95 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
96 sha1_hmac( S2, hs, tmp, 20, tmp );
97
98 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
99
100 for( j = 0; j < k; j++ )
101 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
102 }
103
104 memset( tmp, 0, sizeof( tmp ) );
105 memset( h_i, 0, sizeof( h_i ) );
106
107 return( 0 );
108}
109
110int ssl_derive_keys( ssl_context *ssl )
111{
112 int i;
113 md5_context md5;
114 sha1_context sha1;
115 unsigned char tmp[64];
116 unsigned char padding[16];
117 unsigned char sha1sum[20];
118 unsigned char keyblk[256];
119 unsigned char *key1;
120 unsigned char *key2;
121
122 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
123
124 /*
125 * SSLv3:
126 * master =
127 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
128 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
129 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
130 *
131 * TLSv1:
132 * master = PRF( premaster, "master secret", randbytes )[0..47]
133 */
134 if( ssl->resume == 0 )
135 {
136 int len = ssl->pmslen;
137
138 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
139
140 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
141 {
142 for( i = 0; i < 3; i++ )
143 {
144 memset( padding, 'A' + i, 1 + i );
145
146 sha1_starts( &sha1 );
147 sha1_update( &sha1, padding, 1 + i );
148 sha1_update( &sha1, ssl->premaster, len );
149 sha1_update( &sha1, ssl->randbytes, 64 );
150 sha1_finish( &sha1, sha1sum );
151
152 md5_starts( &md5 );
153 md5_update( &md5, ssl->premaster, len );
154 md5_update( &md5, sha1sum, 20 );
155 md5_finish( &md5, ssl->session->master + i * 16 );
156 }
157 }
158 else
159 tls1_prf( ssl->premaster, len, "master secret",
160 ssl->randbytes, 64, ssl->session->master, 48 );
161
162 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
163 }
164 else
165 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
166
167 /*
168 * Swap the client and server random values.
169 */
170 memcpy( tmp, ssl->randbytes, 64 );
171 memcpy( ssl->randbytes, tmp + 32, 32 );
172 memcpy( ssl->randbytes + 32, tmp, 32 );
173 memset( tmp, 0, sizeof( tmp ) );
174
175 /*
176 * SSLv3:
177 * key block =
178 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
179 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
180 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
181 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
182 * ...
183 *
184 * TLSv1:
185 * key block = PRF( master, "key expansion", randbytes )
186 */
187 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
188 {
189 for( i = 0; i < 16; i++ )
190 {
191 memset( padding, 'A' + i, 1 + i );
192
193 sha1_starts( &sha1 );
194 sha1_update( &sha1, padding, 1 + i );
195 sha1_update( &sha1, ssl->session->master, 48 );
196 sha1_update( &sha1, ssl->randbytes, 64 );
197 sha1_finish( &sha1, sha1sum );
198
199 md5_starts( &md5 );
200 md5_update( &md5, ssl->session->master, 48 );
201 md5_update( &md5, sha1sum, 20 );
202 md5_finish( &md5, keyblk + i * 16 );
203 }
204
205 memset( &md5, 0, sizeof( md5 ) );
206 memset( &sha1, 0, sizeof( sha1 ) );
207
208 memset( padding, 0, sizeof( padding ) );
209 memset( sha1sum, 0, sizeof( sha1sum ) );
210 }
211 else
212 tls1_prf( ssl->session->master, 48, "key expansion",
213 ssl->randbytes, 64, keyblk, 256 );
214
215 SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) );
216 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
217 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
218 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
219
220 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
221
222 /*
223 * Determine the appropriate key, IV and MAC length.
224 */
225 switch( ssl->session->cipher )
226 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]227#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]228 case SSL_RSA_RC4_128_MD5:
229 ssl->keylen = 16; ssl->minlen = 16;
230 ssl->ivlen = 0; ssl->maclen = 16;
231 break;
232
233 case SSL_RSA_RC4_128_SHA:
234 ssl->keylen = 16; ssl->minlen = 20;
235 ssl->ivlen = 0; ssl->maclen = 20;
236 break;
237#endif
238
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]239#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]240 case SSL_RSA_DES_168_SHA:
241 case SSL_EDH_RSA_DES_168_SHA:
242 ssl->keylen = 24; ssl->minlen = 24;
243 ssl->ivlen = 8; ssl->maclen = 20;
244 break;
245#endif
246
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]247#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]248 case SSL_RSA_AES_128_SHA:
249 ssl->keylen = 16; ssl->minlen = 32;
250 ssl->ivlen = 16; ssl->maclen = 20;
251 break;
252
253 case SSL_RSA_AES_256_SHA:
254 case SSL_EDH_RSA_AES_256_SHA:
255 ssl->keylen = 32; ssl->minlen = 32;
256 ssl->ivlen = 16; ssl->maclen = 20;
257 break;
258#endif
259
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]260#if defined(POLARSSL_CAMELLIA_C)
261 case SSL_RSA_CAMELLIA_128_SHA:
262 ssl->keylen = 16; ssl->minlen = 32;
263 ssl->ivlen = 16; ssl->maclen = 20;
264 break;
265
266 case SSL_RSA_CAMELLIA_256_SHA:
267 case SSL_EDH_RSA_CAMELLIA_256_SHA:
268 ssl->keylen = 32; ssl->minlen = 32;
269 ssl->ivlen = 16; ssl->maclen = 20;
270 break;
271#endif
272
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]273 default:
274 SSL_DEBUG_MSG( 1, ( "cipher %s is not available",
275 ssl_get_cipher( ssl ) ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]276 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]277 }
278
279 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
280 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
281
282 /*
283 * Finally setup the cipher contexts, IVs and MAC secrets.
284 */
285 if( ssl->endpoint == SSL_IS_CLIENT )
286 {
287 key1 = keyblk + ssl->maclen * 2;
288 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
289
290 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
291 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
292
293 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
294 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
295 ssl->ivlen );
296 }
297 else
298 {
299 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
300 key2 = keyblk + ssl->maclen * 2;
301
302 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
303 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
304
305 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
306 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
307 ssl->ivlen );
308 }
309
310 switch( ssl->session->cipher )
311 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]312#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313 case SSL_RSA_RC4_128_MD5:
314 case SSL_RSA_RC4_128_SHA:
315 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
316 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
317 break;
318#endif
319
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]320#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321 case SSL_RSA_DES_168_SHA:
322 case SSL_EDH_RSA_DES_168_SHA:
323 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
324 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
325 break;
326#endif
327
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]328#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]329 case SSL_RSA_AES_128_SHA:
330 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
331 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
332 break;
333
334 case SSL_RSA_AES_256_SHA:
335 case SSL_EDH_RSA_AES_256_SHA:
336 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
337 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
338 break;
339#endif
340
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]341#if defined(POLARSSL_CAMELLIA_C)
342 case SSL_RSA_CAMELLIA_128_SHA:
343 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
344 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
345 break;
346
347 case SSL_RSA_CAMELLIA_256_SHA:
348 case SSL_EDH_RSA_CAMELLIA_256_SHA:
349 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
350 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
351 break;
352#endif
353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]355 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]356 }
357
358 memset( keyblk, 0, sizeof( keyblk ) );
359
360 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
361
362 return( 0 );
363}
364
365void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
366{
367 md5_context md5;
368 sha1_context sha1;
369 unsigned char pad_1[48];
370 unsigned char pad_2[48];
371
372 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
373
374 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
375 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
376
377 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
378 {
379 memset( pad_1, 0x36, 48 );
380 memset( pad_2, 0x5C, 48 );
381
382 md5_update( &md5, ssl->session->master, 48 );
383 md5_update( &md5, pad_1, 48 );
384 md5_finish( &md5, hash );
385
386 md5_starts( &md5 );
387 md5_update( &md5, ssl->session->master, 48 );
388 md5_update( &md5, pad_2, 48 );
389 md5_update( &md5, hash, 16 );
390 md5_finish( &md5, hash );
391
392 sha1_update( &sha1, ssl->session->master, 48 );
393 sha1_update( &sha1, pad_1, 40 );
394 sha1_finish( &sha1, hash + 16 );
395
396 sha1_starts( &sha1 );
397 sha1_update( &sha1, ssl->session->master, 48 );
398 sha1_update( &sha1, pad_2, 40 );
399 sha1_update( &sha1, hash + 16, 20 );
400 sha1_finish( &sha1, hash + 16 );
401 }
402 else /* TLSv1 */
403 {
404 md5_finish( &md5, hash );
405 sha1_finish( &sha1, hash + 16 );
406 }
407
408 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
409 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
410
411 return;
412}
413
414/*
415 * SSLv3.0 MAC functions
416 */
417static void ssl_mac_md5( unsigned char *secret,
418 unsigned char *buf, int len,
419 unsigned char *ctr, int type )
420{
421 unsigned char header[11];
422 unsigned char padding[48];
423 md5_context md5;
424
425 memcpy( header, ctr, 8 );
426 header[ 8] = (unsigned char) type;
427 header[ 9] = (unsigned char)( len >> 8 );
428 header[10] = (unsigned char)( len );
429
430 memset( padding, 0x36, 48 );
431 md5_starts( &md5 );
432 md5_update( &md5, secret, 16 );
433 md5_update( &md5, padding, 48 );
434 md5_update( &md5, header, 11 );
435 md5_update( &md5, buf, len );
436 md5_finish( &md5, buf + len );
437
438 memset( padding, 0x5C, 48 );
439 md5_starts( &md5 );
440 md5_update( &md5, secret, 16 );
441 md5_update( &md5, padding, 48 );
442 md5_update( &md5, buf + len, 16 );
443 md5_finish( &md5, buf + len );
444}
445
446static void ssl_mac_sha1( unsigned char *secret,
447 unsigned char *buf, int len,
448 unsigned char *ctr, int type )
449{
450 unsigned char header[11];
451 unsigned char padding[40];
452 sha1_context sha1;
453
454 memcpy( header, ctr, 8 );
455 header[ 8] = (unsigned char) type;
456 header[ 9] = (unsigned char)( len >> 8 );
457 header[10] = (unsigned char)( len );
458
459 memset( padding, 0x36, 40 );
460 sha1_starts( &sha1 );
461 sha1_update( &sha1, secret, 20 );
462 sha1_update( &sha1, padding, 40 );
463 sha1_update( &sha1, header, 11 );
464 sha1_update( &sha1, buf, len );
465 sha1_finish( &sha1, buf + len );
466
467 memset( padding, 0x5C, 40 );
468 sha1_starts( &sha1 );
469 sha1_update( &sha1, secret, 20 );
470 sha1_update( &sha1, padding, 40 );
471 sha1_update( &sha1, buf + len, 20 );
472 sha1_finish( &sha1, buf + len );
473}
474
475/*
476 * Encryption/decryption functions
477 */
478static int ssl_encrypt_buf( ssl_context *ssl )
479{
480 int i, padlen;
481
482 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
483
484 /*
485 * Add MAC then encrypt
486 */
487 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
488 {
489 if( ssl->maclen == 16 )
490 ssl_mac_md5( ssl->mac_enc,
491 ssl->out_msg, ssl->out_msglen,
492 ssl->out_ctr, ssl->out_msgtype );
493
494 if( ssl->maclen == 20 )
495 ssl_mac_sha1( ssl->mac_enc,
496 ssl->out_msg, ssl->out_msglen,
497 ssl->out_ctr, ssl->out_msgtype );
498 }
499 else
500 {
501 if( ssl->maclen == 16 )
502 md5_hmac( ssl->mac_enc, 16,
503 ssl->out_ctr, ssl->out_msglen + 13,
504 ssl->out_msg + ssl->out_msglen );
505
506 if( ssl->maclen == 20 )
507 sha1_hmac( ssl->mac_enc, 20,
508 ssl->out_ctr, ssl->out_msglen + 13,
509 ssl->out_msg + ssl->out_msglen );
510 }
511
512 SSL_DEBUG_BUF( 4, "computed mac",
513 ssl->out_msg + ssl->out_msglen, ssl->maclen );
514
515 ssl->out_msglen += ssl->maclen;
516
517 for( i = 7; i >= 0; i-- )
518 if( ++ssl->out_ctr[i] != 0 )
519 break;
520
521 if( ssl->ivlen == 0 )
522 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]523#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524 padlen = 0;
525
526 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
527 "including %d bytes of padding",
528 ssl->out_msglen, 0 ) );
529
530 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
531 ssl->out_msg, ssl->out_msglen );
532
533 arc4_crypt( (arc4_context *) ssl->ctx_enc,
534 ssl->out_msg, ssl->out_msglen );
535#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]536 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]537#endif
538 }
539 else
540 {
541 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
542 if( padlen == ssl->ivlen )
543 padlen = 0;
544
545 for( i = 0; i <= padlen; i++ )
546 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
547
548 ssl->out_msglen += padlen + 1;
549
550 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
551 "including %d bytes of padding",
552 ssl->out_msglen, padlen + 1 ) );
553
554 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
555 ssl->out_msg, ssl->out_msglen );
556
557 switch( ssl->ivlen )
558 {
559 case 8:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]560#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
562 DES_ENCRYPT, ssl->out_msglen,
563 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
564 break;
565#endif
566
567 case 16:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]568#if defined(POLARSSL_AES_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]569 if ( ssl->session->cipher == SSL_RSA_AES_128_SHA ||
570 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
571 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA)
572 {
573 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
574 AES_ENCRYPT, ssl->out_msglen,
575 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
576 break;
577 }
578#endif
579
580#if defined(POLARSSL_CAMELLIA_C)
581 if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
582 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
583 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
584 {
585 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
586 CAMELLIA_ENCRYPT, ssl->out_msglen,
587 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
588 break;
589 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590#endif
591
592 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]593 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 }
595 }
596
597 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
598
599 return( 0 );
600}
601
602static int ssl_decrypt_buf( ssl_context *ssl )
603{
604 int i, padlen;
605 unsigned char tmp[20];
606
607 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
608
609 if( ssl->in_msglen < ssl->minlen )
610 {
611 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
612 ssl->in_msglen, ssl->minlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]613 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614 }
615
616 if( ssl->ivlen == 0 )
617 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]618#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]619 padlen = 0;
620 arc4_crypt( (arc4_context *) ssl->ctx_dec,
621 ssl->in_msg, ssl->in_msglen );
622#else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]623 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624#endif
625 }
626 else
627 {
628 /*
629 * Decrypt and check the padding
630 */
631 if( ssl->in_msglen % ssl->ivlen != 0 )
632 {
633 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
634 ssl->in_msglen, ssl->ivlen ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]635 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 }
637
638 switch( ssl->ivlen )
639 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]640#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641 case 8:
642 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
643 DES_DECRYPT, ssl->in_msglen,
644 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
645 break;
646#endif
647
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648 case 16:
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]649#if defined(POLARSSL_AES_C)
650 if ( ssl->session->cipher == SSL_RSA_AES_128_SHA ||
651 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
652 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA)
653 {
654 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
655 AES_DECRYPT, ssl->in_msglen,
656 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
657 break;
658 }
659#endif
660
661#if defined(POLARSSL_CAMELLIA_C)
662 if ( ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
663 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
664 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
665 {
666 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
667 CAMELLIA_DECRYPT, ssl->in_msglen,
668 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
669 break;
670 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671#endif
672
673 default:
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]674 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675 }
676
677 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
678
679 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
680 {
681 if( padlen > ssl->ivlen )
682 {
683 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
684 "should be no more than %d",
685 padlen, ssl->ivlen ) );
686 padlen = 0;
687 }
688 }
689 else
690 {
691 /*
692 * TLSv1: always check the padding
693 */
694 for( i = 1; i <= padlen; i++ )
695 {
696 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
697 {
698 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
699 "%02x, but is %02x", padlen - 1,
700 ssl->in_msg[ssl->in_msglen - i] ) );
701 padlen = 0;
702 }
703 }
704 }
705 }
706
707 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
708 ssl->in_msg, ssl->in_msglen );
709
710 /*
711 * Always compute the MAC (RFC4346, CBCTIME).
712 */
713 ssl->in_msglen -= ( ssl->maclen + padlen );
714
715 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
716 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
717
718 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
719
720 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
721 {
722 if( ssl->maclen == 16 )
723 ssl_mac_md5( ssl->mac_dec,
724 ssl->in_msg, ssl->in_msglen,
725 ssl->in_ctr, ssl->in_msgtype );
726 else
727 ssl_mac_sha1( ssl->mac_dec,
728 ssl->in_msg, ssl->in_msglen,
729 ssl->in_ctr, ssl->in_msgtype );
730 }
731 else
732 {
733 if( ssl->maclen == 16 )
734 md5_hmac( ssl->mac_dec, 16,
735 ssl->in_ctr, ssl->in_msglen + 13,
736 ssl->in_msg + ssl->in_msglen );
737 else
738 sha1_hmac( ssl->mac_dec, 20,
739 ssl->in_ctr, ssl->in_msglen + 13,
740 ssl->in_msg + ssl->in_msglen );
741 }
742
743 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
744 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
745 ssl->maclen );
746
747 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
748 ssl->maclen ) != 0 )
749 {
750 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]751 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752 }
753
754 /*
755 * Finally check the padding length; bad padding
756 * will produce the same error as an invalid MAC.
757 */
758 if( ssl->ivlen != 0 && padlen == 0 )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]759 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760
761 if( ssl->in_msglen == 0 )
762 {
763 ssl->nb_zero++;
764
765 /*
766 * Three or more empty messages may be a DoS attack
767 * (excessive CPU consumption).
768 */
769 if( ssl->nb_zero > 3 )
770 {
771 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
772 "messages, possible DoS attack" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]773 return( POLARSSL_ERR_SSL_INVALID_MAC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]774 }
775 }
776 else
777 ssl->nb_zero = 0;
778
779 for( i = 7; i >= 0; i-- )
780 if( ++ssl->in_ctr[i] != 0 )
781 break;
782
783 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
784
785 return( 0 );
786}
787
788/*
789 * Fill the input message buffer
790 */
791int ssl_fetch_input( ssl_context *ssl, int nb_want )
792{
793 int ret, len;
794
795 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
796
797 while( ssl->in_left < nb_want )
798 {
799 len = nb_want - ssl->in_left;
800 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
801
802 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
803 ssl->in_left, nb_want ) );
804 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
805
806 if( ret < 0 )
807 return( ret );
808
809 ssl->in_left += ret;
810 }
811
812 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
813
814 return( 0 );
815}
816
817/*
818 * Flush any data not yet written
819 */
820int ssl_flush_output( ssl_context *ssl )
821{
822 int ret;
823 unsigned char *buf;
824
825 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
826
827 while( ssl->out_left > 0 )
828 {
829 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
830 5 + ssl->out_msglen, ssl->out_left ) );
831
832 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
833 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
834 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
835
836 if( ret <= 0 )
837 return( ret );
838
839 ssl->out_left -= ret;
840 }
841
842 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
843
844 return( 0 );
845}
846
847/*
848 * Record layer functions
849 */
850int ssl_write_record( ssl_context *ssl )
851{
852 int ret, len = ssl->out_msglen;
853
854 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
855
856 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
857 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
858 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
859 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
860 ssl->out_hdr[4] = (unsigned char)( len );
861
862 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
863 {
864 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
865 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
866 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
867
868 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
869 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
870 }
871
872 if( ssl->do_crypt != 0 )
873 {
874 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
875 {
876 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
877 return( ret );
878 }
879
880 len = ssl->out_msglen;
881 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
882 ssl->out_hdr[4] = (unsigned char)( len );
883 }
884
885 ssl->out_left = 5 + ssl->out_msglen;
886
887 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
888 "version = [%d:%d], msglen = %d",
889 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
890 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
891
892 SSL_DEBUG_BUF( 4, "output record sent to network",
893 ssl->out_hdr, 5 + ssl->out_msglen );
894
895 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
896 {
897 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
898 return( ret );
899 }
900
901 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
902
903 return( 0 );
904}
905
906int ssl_read_record( ssl_context *ssl )
907{
908 int ret;
909
910 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
911
912 if( ssl->in_hslen != 0 &&
913 ssl->in_hslen < ssl->in_msglen )
914 {
915 /*
916 * Get next Handshake message in the current record
917 */
918 ssl->in_msglen -= ssl->in_hslen;
919
920 memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
921 ssl->in_msglen );
922
923 ssl->in_hslen = 4;
924 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
925
926 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
927 " %d, type = %d, hslen = %d",
928 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
929
930 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
931 {
932 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]933 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]934 }
935
936 if( ssl->in_msglen < ssl->in_hslen )
937 {
938 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]939 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]940 }
941
942 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
943 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
944
945 return( 0 );
946 }
947
948 ssl->in_hslen = 0;
949
950 /*
951 * Read the record header and validate it
952 */
953 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
954 {
955 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
956 return( ret );
957 }
958
959 ssl->in_msgtype = ssl->in_hdr[0];
960 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
961
962 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
963 "version = [%d:%d], msglen = %d",
964 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
965 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
966
967 if( ssl->in_hdr[1] != ssl->major_ver )
968 {
969 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]970 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971 }
972
973 if( ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
974 ssl->in_hdr[2] != SSL_MINOR_VERSION_1 )
975 {
976 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]977 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]978 }
979
980 /*
981 * Make sure the message length is acceptable
982 */
983 if( ssl->do_crypt == 0 )
984 {
985 if( ssl->in_msglen < 1 ||
986 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
987 {
988 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]989 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990 }
991 }
992 else
993 {
994 if( ssl->in_msglen < ssl->minlen )
995 {
996 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]997 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]998 }
999
1000 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1001 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1002 {
1003 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1004 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005 }
1006
1007 /*
1008 * TLS encrypted messages can have up to 256 bytes of padding
1009 */
1010 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
1011 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1012 {
1013 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1014 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1015 }
1016 }
1017
1018 /*
1019 * Read and optionally decrypt the message contents
1020 */
1021 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1022 {
1023 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1024 return( ret );
1025 }
1026
1027 SSL_DEBUG_BUF( 4, "input record from network",
1028 ssl->in_hdr, 5 + ssl->in_msglen );
1029
1030 if( ssl->do_crypt != 0 )
1031 {
1032 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1033 {
1034 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1035 return( ret );
1036 }
1037
1038 SSL_DEBUG_BUF( 4, "input payload after decrypt",
1039 ssl->in_msg, ssl->in_msglen );
1040
1041 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1042 {
1043 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1044 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045 }
1046 }
1047
1048 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1049 {
1050 ssl->in_hslen = 4;
1051 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1052
1053 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1054 " %d, type = %d, hslen = %d",
1055 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1056
1057 /*
1058 * Additional checks to validate the handshake header
1059 */
1060 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1061 {
1062 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1063 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064 }
1065
1066 if( ssl->in_msglen < ssl->in_hslen )
1067 {
1068 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1069 return( POLARSSL_ERR_SSL_INVALID_RECORD );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070 }
1071
1072 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1073 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1074 }
1075
1076 if( ssl->in_msgtype == SSL_MSG_ALERT )
1077 {
1078 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1079 ssl->in_msg[0], ssl->in_msg[1] ) );
1080
1081 /*
1082 * Ignore non-fatal alerts, except close_notify
1083 */
1084 if( ssl->in_msg[0] == SSL_ALERT_FATAL )
1085 {
1086 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1087 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE | ssl->in_msg[1] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1088 }
1089
1090 if( ssl->in_msg[0] == SSL_ALERT_WARNING &&
1091 ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY )
1092 {
1093 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1094 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 }
1096 }
1097
1098 ssl->in_left = 0;
1099
1100 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1101
1102 return( 0 );
1103}
1104
1105/*
1106 * Handshake functions
1107 */
1108int ssl_write_certificate( ssl_context *ssl )
1109{
1110 int ret, i, n;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame^]1111 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1112
1113 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1114
1115 if( ssl->endpoint == SSL_IS_CLIENT )
1116 {
1117 if( ssl->client_auth == 0 )
1118 {
1119 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1120 ssl->state++;
1121 return( 0 );
1122 }
1123
1124 /*
1125 * If using SSLv3 and got no cert, send an Alert message
1126 * (otherwise an empty Certificate message will be sent).
1127 */
1128 if( ssl->own_cert == NULL &&
1129 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1130 {
1131 ssl->out_msglen = 2;
1132 ssl->out_msgtype = SSL_MSG_ALERT;
1133 ssl->out_msg[0] = SSL_ALERT_WARNING;
1134 ssl->out_msg[1] = SSL_ALERT_NO_CERTIFICATE;
1135
1136 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1137 goto write_msg;
1138 }
1139 }
1140 else /* SSL_IS_SERVER */
1141 {
1142 if( ssl->own_cert == NULL )
1143 {
1144 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1145 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146 }
1147 }
1148
1149 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1150
1151 /*
1152 * 0 . 0 handshake type
1153 * 1 . 3 handshake length
1154 * 4 . 6 length of all certs
1155 * 7 . 9 length of cert. 1
1156 * 10 . n-1 peer certificate
1157 * n . n+2 length of cert. 2
1158 * n+3 . ... upper level cert, etc.
1159 */
1160 i = 7;
1161 crt = ssl->own_cert;
1162
Paul Bakker1f761152010-02-18 18:16:31 +0000[diff] [blame]1163 while( crt != NULL && crt->version != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1164 {
1165 n = crt->raw.len;
1166 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1167 {
1168 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1169 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1170 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1171 }
1172
1173 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1174 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1175 ssl->out_msg[i + 2] = (unsigned char)( n );
1176
1177 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1178 i += n; crt = crt->next;
1179 }
1180
1181 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1182 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1183 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1184
1185 ssl->out_msglen = i;
1186 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1187 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1188
1189write_msg:
1190
1191 ssl->state++;
1192
1193 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1194 {
1195 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1196 return( ret );
1197 }
1198
1199 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1200
1201 return( 0 );
1202}
1203
1204int ssl_parse_certificate( ssl_context *ssl )
1205{
1206 int ret, i, n;
1207
1208 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1209
1210 if( ssl->endpoint == SSL_IS_SERVER &&
1211 ssl->authmode == SSL_VERIFY_NONE )
1212 {
1213 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1214 ssl->state++;
1215 return( 0 );
1216 }
1217
1218 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1219 {
1220 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1221 return( ret );
1222 }
1223
1224 ssl->state++;
1225
1226 /*
1227 * Check if the client sent an empty certificate
1228 */
1229 if( ssl->endpoint == SSL_IS_SERVER &&
1230 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1231 {
1232 if( ssl->in_msglen == 2 &&
1233 ssl->in_msgtype == SSL_MSG_ALERT &&
1234 ssl->in_msg[0] == SSL_ALERT_WARNING &&
1235 ssl->in_msg[1] == SSL_ALERT_NO_CERTIFICATE )
1236 {
1237 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1238
1239 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1240 return( 0 );
1241 else
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1242 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1243 }
1244 }
1245
1246 if( ssl->endpoint == SSL_IS_SERVER &&
1247 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1248 {
1249 if( ssl->in_hslen == 7 &&
1250 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1251 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1252 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1253 {
1254 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1255
1256 if( ssl->authmode == SSL_VERIFY_REQUIRED )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1257 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 else
1259 return( 0 );
1260 }
1261 }
1262
1263 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1264 {
1265 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1266 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1267 }
1268
1269 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1270 {
1271 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1272 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1273 }
1274
1275 /*
1276 * Same message structure as in ssl_write_certificate()
1277 */
1278 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1279
1280 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1281 {
1282 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1283 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1284 }
1285
1286 if( ( ssl->peer_cert = (x509_cert *) malloc(
1287 sizeof( x509_cert ) ) ) == NULL )
1288 {
1289 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1290 sizeof( x509_cert ) ) );
1291 return( 1 );
1292 }
1293
1294 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1295
1296 i = 7;
1297
1298 while( i < ssl->in_hslen )
1299 {
1300 if( ssl->in_msg[i] != 0 )
1301 {
1302 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1303 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304 }
1305
1306 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1307 | (unsigned int) ssl->in_msg[i + 2];
1308 i += 3;
1309
1310 if( n < 128 || i + n > ssl->in_hslen )
1311 {
1312 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1313 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314 }
1315
1316 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
1317 if( ret != 0 )
1318 {
1319 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1320 return( ret );
1321 }
1322
1323 i += n;
1324 }
1325
1326 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1327
1328 if( ssl->authmode != SSL_VERIFY_NONE )
1329 {
1330 if( ssl->ca_chain == NULL )
1331 {
1332 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1333 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1334 }
1335
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1336 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337 ssl->peer_cn, &ssl->verify_result );
1338
1339 if( ret != 0 )
1340 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1341
1342 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1343 ret = 0;
1344 }
1345
1346 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1347
1348 return( ret );
1349}
1350
1351int ssl_write_change_cipher_spec( ssl_context *ssl )
1352{
1353 int ret;
1354
1355 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1356
1357 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1358 ssl->out_msglen = 1;
1359 ssl->out_msg[0] = 1;
1360
1361 ssl->do_crypt = 0;
1362 ssl->state++;
1363
1364 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1365 {
1366 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1367 return( ret );
1368 }
1369
1370 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1371
1372 return( 0 );
1373}
1374
1375int ssl_parse_change_cipher_spec( ssl_context *ssl )
1376{
1377 int ret;
1378
1379 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1380
1381 ssl->do_crypt = 0;
1382
1383 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1384 {
1385 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1386 return( ret );
1387 }
1388
1389 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1390 {
1391 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1392 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1393 }
1394
1395 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1396 {
1397 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1398 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1399 }
1400
1401 ssl->state++;
1402
1403 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1404
1405 return( 0 );
1406}
1407
1408static void ssl_calc_finished(
1409 ssl_context *ssl, unsigned char *buf, int from,
1410 md5_context *md5, sha1_context *sha1 )
1411{
1412 int len = 12;
1413 char *sender;
1414 unsigned char padbuf[48];
1415 unsigned char md5sum[16];
1416 unsigned char sha1sum[20];
1417
1418 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1419
1420 /*
1421 * SSLv3:
1422 * hash =
1423 * MD5( master + pad2 +
1424 * MD5( handshake + sender + master + pad1 ) )
1425 * + SHA1( master + pad2 +
1426 * SHA1( handshake + sender + master + pad1 ) )
1427 *
1428 * TLSv1:
1429 * hash = PRF( master, finished_label,
1430 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1431 */
1432
1433 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1434 md5->state, sizeof( md5->state ) );
1435
1436 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1437 sha1->state, sizeof( sha1->state ) );
1438
1439 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1440 {
1441 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1442 : (char *) "SRVR";
1443
1444 memset( padbuf, 0x36, 48 );
1445
1446 md5_update( md5, (unsigned char *) sender, 4 );
1447 md5_update( md5, ssl->session->master, 48 );
1448 md5_update( md5, padbuf, 48 );
1449 md5_finish( md5, md5sum );
1450
1451 sha1_update( sha1, (unsigned char *) sender, 4 );
1452 sha1_update( sha1, ssl->session->master, 48 );
1453 sha1_update( sha1, padbuf, 40 );
1454 sha1_finish( sha1, sha1sum );
1455
1456 memset( padbuf, 0x5C, 48 );
1457
1458 md5_starts( md5 );
1459 md5_update( md5, ssl->session->master, 48 );
1460 md5_update( md5, padbuf, 48 );
1461 md5_update( md5, md5sum, 16 );
1462 md5_finish( md5, buf );
1463
1464 sha1_starts( sha1 );
1465 sha1_update( sha1, ssl->session->master, 48 );
1466 sha1_update( sha1, padbuf , 40 );
1467 sha1_update( sha1, sha1sum, 20 );
1468 sha1_finish( sha1, buf + 16 );
1469
1470 len += 24;
1471 }
1472 else
1473 {
1474 sender = ( from == SSL_IS_CLIENT )
1475 ? (char *) "client finished"
1476 : (char *) "server finished";
1477
1478 md5_finish( md5, padbuf );
1479 sha1_finish( sha1, padbuf + 16 );
1480
1481 tls1_prf( ssl->session->master, 48, sender,
1482 padbuf, 36, buf, len );
1483 }
1484
1485 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1486
1487 memset( md5, 0, sizeof( md5_context ) );
1488 memset( sha1, 0, sizeof( sha1_context ) );
1489
1490 memset( padbuf, 0, sizeof( padbuf ) );
1491 memset( md5sum, 0, sizeof( md5sum ) );
1492 memset( sha1sum, 0, sizeof( sha1sum ) );
1493
1494 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1495}
1496
1497int ssl_write_finished( ssl_context *ssl )
1498{
1499 int ret, hash_len;
1500 md5_context md5;
1501 sha1_context sha1;
1502
1503 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1504
1505 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1506 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1507
1508 ssl_calc_finished( ssl, ssl->out_msg + 4,
1509 ssl->endpoint, &md5, &sha1 );
1510
1511 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1512
1513 ssl->out_msglen = 4 + hash_len;
1514 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1515 ssl->out_msg[0] = SSL_HS_FINISHED;
1516
1517 /*
1518 * In case of session resuming, invert the client and server
1519 * ChangeCipherSpec messages order.
1520 */
1521 if( ssl->resume != 0 )
1522 {
1523 if( ssl->endpoint == SSL_IS_CLIENT )
1524 ssl->state = SSL_HANDSHAKE_OVER;
1525 else
1526 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1527 }
1528 else
1529 ssl->state++;
1530
1531 ssl->do_crypt = 1;
1532
1533 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1534 {
1535 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1536 return( ret );
1537 }
1538
1539 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1540
1541 return( 0 );
1542}
1543
1544int ssl_parse_finished( ssl_context *ssl )
1545{
1546 int ret, hash_len;
1547 md5_context md5;
1548 sha1_context sha1;
1549 unsigned char buf[36];
1550
1551 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1552
1553 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1554 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1555
1556 ssl->do_crypt = 1;
1557
1558 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1559 {
1560 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1561 return( ret );
1562 }
1563
1564 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1565 {
1566 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1567 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1568 }
1569
1570 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1571
1572 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1573 ssl->in_hslen != 4 + hash_len )
1574 {
1575 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1576 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1577 }
1578
1579 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1580
1581 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1582 {
1583 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1584 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1585 }
1586
1587 if( ssl->resume != 0 )
1588 {
1589 if( ssl->endpoint == SSL_IS_CLIENT )
1590 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1591
1592 if( ssl->endpoint == SSL_IS_SERVER )
1593 ssl->state = SSL_HANDSHAKE_OVER;
1594 }
1595 else
1596 ssl->state++;
1597
1598 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1599
1600 return( 0 );
1601}
1602
1603/*
1604 * Initialize an SSL context
1605 */
1606int ssl_init( ssl_context *ssl )
1607{
1608 int len = SSL_BUFFER_LEN;
1609
1610 memset( ssl, 0, sizeof( ssl_context ) );
1611
1612 ssl->in_ctr = (unsigned char *) malloc( len );
1613 ssl->in_hdr = ssl->in_ctr + 8;
1614 ssl->in_msg = ssl->in_ctr + 13;
1615
1616 if( ssl->in_ctr == NULL )
1617 {
1618 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1619 return( 1 );
1620 }
1621
1622 ssl->out_ctr = (unsigned char *) malloc( len );
1623 ssl->out_hdr = ssl->out_ctr + 8;
1624 ssl->out_msg = ssl->out_ctr + 13;
1625
1626 if( ssl->out_ctr == NULL )
1627 {
1628 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1629 free( ssl-> in_ctr );
1630 return( 1 );
1631 }
1632
1633 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1634 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1635
1636 ssl->hostname = NULL;
1637 ssl->hostname_len = 0;
1638
1639 md5_starts( &ssl->fin_md5 );
1640 sha1_starts( &ssl->fin_sha1 );
1641
1642 return( 0 );
1643}
1644
1645/*
1646 * SSL set accessors
1647 */
1648void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1649{
1650 ssl->endpoint = endpoint;
1651}
1652
1653void ssl_set_authmode( ssl_context *ssl, int authmode )
1654{
1655 ssl->authmode = authmode;
1656}
1657
1658void ssl_set_rng( ssl_context *ssl,
1659 int (*f_rng)(void *),
1660 void *p_rng )
1661{
1662 ssl->f_rng = f_rng;
1663 ssl->p_rng = p_rng;
1664}
1665
1666void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame^]1667 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1668 void *p_dbg )
1669{
1670 ssl->f_dbg = f_dbg;
1671 ssl->p_dbg = p_dbg;
1672}
1673
1674void ssl_set_bio( ssl_context *ssl,
1675 int (*f_recv)(void *, unsigned char *, int), void *p_recv,
1676 int (*f_send)(void *, unsigned char *, int), void *p_send )
1677{
1678 ssl->f_recv = f_recv;
1679 ssl->f_send = f_send;
1680 ssl->p_recv = p_recv;
1681 ssl->p_send = p_send;
1682}
1683
1684void ssl_set_scb( ssl_context *ssl,
1685 int (*s_get)(ssl_context *),
1686 int (*s_set)(ssl_context *) )
1687{
1688 ssl->s_get = s_get;
1689 ssl->s_set = s_set;
1690}
1691
1692void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1693 ssl_session *session )
1694{
1695 ssl->resume = resume;
1696 ssl->timeout = timeout;
1697 ssl->session = session;
1698}
1699
1700void ssl_set_ciphers( ssl_context *ssl, int *ciphers )
1701{
1702 ssl->ciphers = ciphers;
1703}
1704
1705void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1706 x509_crl *ca_crl, char *peer_cn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1707{
1708 ssl->ca_chain = ca_chain;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1709 ssl->ca_crl = ca_crl;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1710 ssl->peer_cn = peer_cn;
1711}
1712
1713void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1714 rsa_context *rsa_key )
1715{
1716 ssl->own_cert = own_cert;
1717 ssl->rsa_key = rsa_key;
1718}
1719
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame^]1720int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1721{
1722 int ret;
1723
1724 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1725 {
1726 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1727 return( ret );
1728 }
1729
1730 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1731 {
1732 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1733 return( ret );
1734 }
1735
1736 return( 0 );
1737}
1738
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame^]1739int ssl_set_hostname( ssl_context *ssl, const char *hostname )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1740{
1741 if( hostname == NULL )
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1742 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1743
1744 ssl->hostname_len = strlen( hostname );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1745 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1746
1747 memcpy( ssl->hostname, (unsigned char *) hostname,
1748 ssl->hostname_len );
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]1749
1750 ssl->hostname[ssl->hostname_len] = '\0';
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1751
1752 return( 0 );
1753}
1754
1755/*
1756 * SSL get accessors
1757 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame^]1758int ssl_get_bytes_avail( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1759{
1760 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
1761}
1762
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame^]1763int ssl_get_verify_result( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1764{
1765 return( ssl->verify_result );
1766}
1767
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame^]1768const char *ssl_get_cipher( const ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1769{
1770 switch( ssl->session->cipher )
1771 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1772#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1773 case SSL_RSA_RC4_128_MD5:
1774 return( "SSL_RSA_RC4_128_MD5" );
1775
1776 case SSL_RSA_RC4_128_SHA:
1777 return( "SSL_RSA_RC4_128_SHA" );
1778#endif
1779
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1780#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1781 case SSL_RSA_DES_168_SHA:
1782 return( "SSL_RSA_DES_168_SHA" );
1783
1784 case SSL_EDH_RSA_DES_168_SHA:
1785 return( "SSL_EDH_RSA_DES_168_SHA" );
1786#endif
1787
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1788#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1789 case SSL_RSA_AES_128_SHA:
1790 return( "SSL_RSA_AES_128_SHA" );
1791
1792 case SSL_RSA_AES_256_SHA:
1793 return( "SSL_RSA_AES_256_SHA" );
1794
1795 case SSL_EDH_RSA_AES_256_SHA:
1796 return( "SSL_EDH_RSA_AES_256_SHA" );
1797#endif
1798
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1799#if defined(POLARSSL_CAMELLIA_C)
1800 case SSL_RSA_CAMELLIA_128_SHA:
1801 return( "SSL_RSA_CAMELLIA_128_SHA" );
1802
1803 case SSL_RSA_CAMELLIA_256_SHA:
1804 return( "SSL_RSA_CAMELLIA_256_SHA" );
1805
1806 case SSL_EDH_RSA_CAMELLIA_256_SHA:
1807 return( "SSL_EDH_RSA_CAMELLIA_256_SHA" );
1808#endif
1809
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1810 default:
1811 break;
1812 }
1813
1814 return( "unknown" );
1815}
1816
1817int ssl_default_ciphers[] =
1818{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1819#if defined(POLARSSL_DHM_C)
1820#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1821 SSL_EDH_RSA_AES_256_SHA,
1822#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1823#if defined(POLARSSL_CAMELLIA_C)
1824 SSL_EDH_RSA_CAMELLIA_256_SHA,
1825#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1826#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1827 SSL_EDH_RSA_DES_168_SHA,
1828#endif
1829#endif
1830
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1831#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832 SSL_RSA_AES_256_SHA,
1833#endif
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1834#if defined(POLARSSL_CAMELLIA_C)
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]1835 SSL_RSA_CAMELLIA_256_SHA,
1836#endif
Paul Bakkeref75f252009-03-28 18:43:23 +0000[diff] [blame]1837#if defined(POLARSSL_AES_C)
1838 SSL_RSA_AES_128_SHA,
1839#endif
1840#if defined(POLARSSL_CAMELLIA_C)
1841 SSL_RSA_CAMELLIA_128_SHA,
1842#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1843#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1844 SSL_RSA_DES_168_SHA,
1845#endif
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1846#if defined(POLARSSL_ARC4_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1847 SSL_RSA_RC4_128_SHA,
1848 SSL_RSA_RC4_128_MD5,
1849#endif
1850 0
1851};
1852
1853/*
1854 * Perform the SSL handshake
1855 */
1856int ssl_handshake( ssl_context *ssl )
1857{
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1858 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859
1860 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
1861
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1862#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1863 if( ssl->endpoint == SSL_IS_CLIENT )
1864 ret = ssl_handshake_client( ssl );
1865#endif
1866
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1867#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868 if( ssl->endpoint == SSL_IS_SERVER )
1869 ret = ssl_handshake_server( ssl );
1870#endif
1871
1872 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
1873
1874 return( ret );
1875}
1876
1877/*
1878 * Receive application data decrypted from the SSL layer
1879 */
1880int ssl_read( ssl_context *ssl, unsigned char *buf, int len )
1881{
1882 int ret, n;
1883
1884 SSL_DEBUG_MSG( 2, ( "=> read" ) );
1885
1886 if( ssl->state != SSL_HANDSHAKE_OVER )
1887 {
1888 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1889 {
1890 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1891 return( ret );
1892 }
1893 }
1894
1895 if( ssl->in_offt == NULL )
1896 {
1897 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1898 {
1899 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1900 return( ret );
1901 }
1902
1903 if( ssl->in_msglen == 0 &&
1904 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
1905 {
1906 /*
1907 * OpenSSL sends empty messages to randomize the IV
1908 */
1909 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1910 {
1911 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1912 return( ret );
1913 }
1914 }
1915
1916 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1917 {
1918 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1919 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920 }
1921
1922 ssl->in_offt = ssl->in_msg;
1923 }
1924
1925 n = ( len < ssl->in_msglen )
1926 ? len : ssl->in_msglen;
1927
1928 memcpy( buf, ssl->in_offt, n );
1929 ssl->in_msglen -= n;
1930
1931 if( ssl->in_msglen == 0 )
1932 /* all bytes consumed */
1933 ssl->in_offt = NULL;
1934 else
1935 /* more data available */
1936 ssl->in_offt += n;
1937
1938 SSL_DEBUG_MSG( 2, ( "<= read" ) );
1939
1940 return( n );
1941}
1942
1943/*
1944 * Send application data to be encrypted by the SSL layer
1945 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame^]1946int ssl_write( ssl_context *ssl, const unsigned char *buf, int len )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1947{
1948 int ret, n;
1949
1950 SSL_DEBUG_MSG( 2, ( "=> write" ) );
1951
1952 if( ssl->state != SSL_HANDSHAKE_OVER )
1953 {
1954 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1955 {
1956 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1957 return( ret );
1958 }
1959 }
1960
1961 n = ( len < SSL_MAX_CONTENT_LEN )
1962 ? len : SSL_MAX_CONTENT_LEN;
1963
1964 if( ssl->out_left != 0 )
1965 {
1966 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1967 {
1968 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1969 return( ret );
1970 }
1971 }
1972 else
1973 {
1974 ssl->out_msglen = n;
1975 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
1976 memcpy( ssl->out_msg, buf, n );
1977
1978 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1979 {
1980 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1981 return( ret );
1982 }
1983 }
1984
1985 SSL_DEBUG_MSG( 2, ( "<= write" ) );
1986
1987 return( n );
1988}
1989
1990/*
1991 * Notify the peer that the connection is being closed
1992 */
1993int ssl_close_notify( ssl_context *ssl )
1994{
1995 int ret;
1996
1997 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
1998
1999 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2000 {
2001 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2002 return( ret );
2003 }
2004
2005 if( ssl->state == SSL_HANDSHAKE_OVER )
2006 {
2007 ssl->out_msgtype = SSL_MSG_ALERT;
2008 ssl->out_msglen = 2;
2009 ssl->out_msg[0] = SSL_ALERT_WARNING;
2010 ssl->out_msg[1] = SSL_ALERT_CLOSE_NOTIFY;
2011
2012 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2013 {
2014 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2015 return( ret );
2016 }
2017 }
2018
2019 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
2020
2021 return( ret );
2022}
2023
2024/*
2025 * Free an SSL context
2026 */
2027void ssl_free( ssl_context *ssl )
2028{
2029 SSL_DEBUG_MSG( 2, ( "=> free" ) );
2030
2031 if( ssl->peer_cert != NULL )
2032 {
2033 x509_free( ssl->peer_cert );
2034 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2035 free( ssl->peer_cert );
2036 }
2037
2038 if( ssl->out_ctr != NULL )
2039 {
2040 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2041 free( ssl->out_ctr );
2042 }
2043
2044 if( ssl->in_ctr != NULL )
2045 {
2046 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2047 free( ssl->in_ctr );
2048 }
2049
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2050#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2051 dhm_free( &ssl->dhm_ctx );
2052#endif
2053
2054 if ( ssl->hostname != NULL)
2055 {
2056 memset( ssl->hostname, 0, ssl->hostname_len );
2057 free( ssl->hostname );
2058 ssl->hostname_len = 0;
2059 }
2060
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2061 SSL_DEBUG_MSG( 2, ( "<= free" ) );
Paul Bakker2da561c2009-02-05 18:00:28 +0000[diff] [blame]2062
2063 /* Actually free after last debug message */
2064 memset( ssl, 0, sizeof( ssl_context ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2065}
2066
2067#endif