PolarSSL v1.3.3
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #include "polarssl/config.h"
35 
36 #if defined(POLARSSL_SSL_TLS_C)
37 
38 #include "polarssl/debug.h"
39 #include "polarssl/ssl.h"
40 
41 #if defined(POLARSSL_MEMORY_C)
42 #include "polarssl/memory.h"
43 #else
44 #define polarssl_malloc malloc
45 #define polarssl_free free
46 #endif
47 
48 #include <stdlib.h>
49 
50 #if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
51  !defined(EFI32)
52 #define strcasecmp _stricmp
53 #endif
54 
55 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
56 /*
57  * Convert max_fragment_length codes to length.
58  * RFC 6066 says:
59  * enum{
60  * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
61  * } MaxFragmentLength;
62  * and we add 0 -> extension unused
63  */
64 static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
65 {
66  SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
67  512, /* SSL_MAX_FRAG_LEN_512 */
68  1024, /* SSL_MAX_FRAG_LEN_1024 */
69  2048, /* SSL_MAX_FRAG_LEN_2048 */
70  4096, /* SSL_MAX_FRAG_LEN_4096 */
71 };
72 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
73 
74 static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
75 {
76  ssl_session_free( dst );
77  memcpy( dst, src, sizeof( ssl_session ) );
78 
79 #if defined(POLARSSL_X509_CRT_PARSE_C)
80  if( src->peer_cert != NULL )
81  {
82  int ret;
83 
84  dst->peer_cert = (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
85  if( dst->peer_cert == NULL )
87 
88  x509_crt_init( dst->peer_cert );
89 
90  if( ( ret = x509_crt_parse( dst->peer_cert, src->peer_cert->raw.p,
91  src->peer_cert->raw.len ) != 0 ) )
92  {
93  polarssl_free( dst->peer_cert );
94  dst->peer_cert = NULL;
95  return( ret );
96  }
97  }
98 #endif /* POLARSSL_X509_CRT_PARSE_C */
99 
100 #if defined(POLARSSL_SSL_SESSION_TICKETS)
101  if( src->ticket != NULL )
102  {
103  dst->ticket = (unsigned char *) polarssl_malloc( src->ticket_len );
104  if( dst->ticket == NULL )
106 
107  memcpy( dst->ticket, src->ticket, src->ticket_len );
108  }
109 #endif /* POLARSSL_SSL_SESSION_TICKETS */
110 
111  return( 0 );
112 }
113 
114 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
115 int (*ssl_hw_record_init)(ssl_context *ssl,
116  const unsigned char *key_enc, const unsigned char *key_dec,
117  size_t keylen,
118  const unsigned char *iv_enc, const unsigned char *iv_dec,
119  size_t ivlen,
120  const unsigned char *mac_enc, const unsigned char *mac_dec,
121  size_t maclen) = NULL;
122 int (*ssl_hw_record_activate)(ssl_context *ssl, int direction) = NULL;
123 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
124 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
125 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
126 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
127 #endif
128 
129 /*
130  * Key material generation
131  */
132 #if defined(POLARSSL_SSL_PROTO_SSL3)
133 static int ssl3_prf( const unsigned char *secret, size_t slen,
134  const char *label,
135  const unsigned char *random, size_t rlen,
136  unsigned char *dstbuf, size_t dlen )
137 {
138  size_t i;
141  unsigned char padding[16];
142  unsigned char sha1sum[20];
143  ((void)label);
144 
145  /*
146  * SSLv3:
147  * block =
148  * MD5( secret + SHA1( 'A' + secret + random ) ) +
149  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
150  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
151  * ...
152  */
153  for( i = 0; i < dlen / 16; i++ )
154  {
155  memset( padding, (unsigned char) ('A' + i), 1 + i );
156 
157  sha1_starts( &sha1 );
158  sha1_update( &sha1, padding, 1 + i );
159  sha1_update( &sha1, secret, slen );
160  sha1_update( &sha1, random, rlen );
161  sha1_finish( &sha1, sha1sum );
162 
163  md5_starts( &md5 );
164  md5_update( &md5, secret, slen );
165  md5_update( &md5, sha1sum, 20 );
166  md5_finish( &md5, dstbuf + i * 16 );
167  }
168 
169  memset( &md5, 0, sizeof( md5 ) );
170  memset( &sha1, 0, sizeof( sha1 ) );
171 
172  memset( padding, 0, sizeof( padding ) );
173  memset( sha1sum, 0, sizeof( sha1sum ) );
174 
175  return( 0 );
176 }
177 #endif /* POLARSSL_SSL_PROTO_SSL3 */
178 
179 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
180 static int tls1_prf( const unsigned char *secret, size_t slen,
181  const char *label,
182  const unsigned char *random, size_t rlen,
183  unsigned char *dstbuf, size_t dlen )
184 {
185  size_t nb, hs;
186  size_t i, j, k;
187  const unsigned char *S1, *S2;
188  unsigned char tmp[128];
189  unsigned char h_i[20];
190 
191  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
193 
194  hs = ( slen + 1 ) / 2;
195  S1 = secret;
196  S2 = secret + slen - hs;
197 
198  nb = strlen( label );
199  memcpy( tmp + 20, label, nb );
200  memcpy( tmp + 20 + nb, random, rlen );
201  nb += rlen;
202 
203  /*
204  * First compute P_md5(secret,label+random)[0..dlen]
205  */
206  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
207 
208  for( i = 0; i < dlen; i += 16 )
209  {
210  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
211  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
212 
213  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
214 
215  for( j = 0; j < k; j++ )
216  dstbuf[i + j] = h_i[j];
217  }
218 
219  /*
220  * XOR out with P_sha1(secret,label+random)[0..dlen]
221  */
222  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
223 
224  for( i = 0; i < dlen; i += 20 )
225  {
226  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
227  sha1_hmac( S2, hs, tmp, 20, tmp );
228 
229  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
230 
231  for( j = 0; j < k; j++ )
232  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
233  }
234 
235  memset( tmp, 0, sizeof( tmp ) );
236  memset( h_i, 0, sizeof( h_i ) );
237 
238  return( 0 );
239 }
240 #endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
241 
242 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
243 #if defined(POLARSSL_SHA256_C)
244 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
245  const char *label,
246  const unsigned char *random, size_t rlen,
247  unsigned char *dstbuf, size_t dlen )
248 {
249  size_t nb;
250  size_t i, j, k;
251  unsigned char tmp[128];
252  unsigned char h_i[32];
253 
254  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
256 
257  nb = strlen( label );
258  memcpy( tmp + 32, label, nb );
259  memcpy( tmp + 32 + nb, random, rlen );
260  nb += rlen;
261 
262  /*
263  * Compute P_<hash>(secret, label + random)[0..dlen]
264  */
265  sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
266 
267  for( i = 0; i < dlen; i += 32 )
268  {
269  sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
270  sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
271 
272  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
273 
274  for( j = 0; j < k; j++ )
275  dstbuf[i + j] = h_i[j];
276  }
277 
278  memset( tmp, 0, sizeof( tmp ) );
279  memset( h_i, 0, sizeof( h_i ) );
280 
281  return( 0 );
282 }
283 #endif /* POLARSSL_SHA256_C */
284 
285 #if defined(POLARSSL_SHA512_C)
286 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
287  const char *label,
288  const unsigned char *random, size_t rlen,
289  unsigned char *dstbuf, size_t dlen )
290 {
291  size_t nb;
292  size_t i, j, k;
293  unsigned char tmp[128];
294  unsigned char h_i[48];
295 
296  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
298 
299  nb = strlen( label );
300  memcpy( tmp + 48, label, nb );
301  memcpy( tmp + 48 + nb, random, rlen );
302  nb += rlen;
303 
304  /*
305  * Compute P_<hash>(secret, label + random)[0..dlen]
306  */
307  sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
308 
309  for( i = 0; i < dlen; i += 48 )
310  {
311  sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
312  sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
313 
314  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
315 
316  for( j = 0; j < k; j++ )
317  dstbuf[i + j] = h_i[j];
318  }
319 
320  memset( tmp, 0, sizeof( tmp ) );
321  memset( h_i, 0, sizeof( h_i ) );
322 
323  return( 0 );
324 }
325 #endif /* POLARSSL_SHA512_C */
326 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
327 
328 static void ssl_update_checksum_start(ssl_context *, const unsigned char *, size_t);
329 
330 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
331  defined(POLARSSL_SSL_PROTO_TLS1_1)
332 static void ssl_update_checksum_md5sha1(ssl_context *, const unsigned char *, size_t);
333 #endif
334 
335 #if defined(POLARSSL_SSL_PROTO_SSL3)
336 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
337 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
338 #endif
339 
340 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
341 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
342 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
343 #endif
344 
345 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
346 #if defined(POLARSSL_SHA256_C)
347 static void ssl_update_checksum_sha256(ssl_context *, const unsigned char *, size_t);
348 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
349 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
350 #endif
351 
352 #if defined(POLARSSL_SHA512_C)
353 static void ssl_update_checksum_sha384(ssl_context *, const unsigned char *, size_t);
354 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
355 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
356 #endif
357 #endif
358 
359 int ssl_derive_keys( ssl_context *ssl )
360 {
361  int ret = 0;
362  unsigned char tmp[64];
363  unsigned char keyblk[256];
364  unsigned char *key1;
365  unsigned char *key2;
366  unsigned char *mac_enc;
367  unsigned char *mac_dec;
368  size_t iv_copy_len;
369  const cipher_info_t *cipher_info;
370  const md_info_t *md_info;
371 
372  ssl_session *session = ssl->session_negotiate;
373  ssl_transform *transform = ssl->transform_negotiate;
374  ssl_handshake_params *handshake = ssl->handshake;
375 
376  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
377 
378  cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
379  if( cipher_info == NULL )
380  {
381  SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
382  transform->ciphersuite_info->cipher ) );
384  }
385 
386  md_info = md_info_from_type( transform->ciphersuite_info->mac );
387  if( md_info == NULL )
388  {
389  SSL_DEBUG_MSG( 1, ( "md info for %d not found",
390  transform->ciphersuite_info->mac ) );
392  }
393 
394  /*
395  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
396  */
397 #if defined(POLARSSL_SSL_PROTO_SSL3)
398  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
399  {
400  handshake->tls_prf = ssl3_prf;
401  handshake->calc_verify = ssl_calc_verify_ssl;
402  handshake->calc_finished = ssl_calc_finished_ssl;
403  }
404  else
405 #endif
406 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
407  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
408  {
409  handshake->tls_prf = tls1_prf;
410  handshake->calc_verify = ssl_calc_verify_tls;
411  handshake->calc_finished = ssl_calc_finished_tls;
412  }
413  else
414 #endif
415 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
416 #if defined(POLARSSL_SHA512_C)
417  if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
418  transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
419  {
420  handshake->tls_prf = tls_prf_sha384;
421  handshake->calc_verify = ssl_calc_verify_tls_sha384;
422  handshake->calc_finished = ssl_calc_finished_tls_sha384;
423  }
424  else
425 #endif
426 #if defined(POLARSSL_SHA256_C)
427  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
428  {
429  handshake->tls_prf = tls_prf_sha256;
430  handshake->calc_verify = ssl_calc_verify_tls_sha256;
431  handshake->calc_finished = ssl_calc_finished_tls_sha256;
432  }
433  else
434 #endif
435 #endif
436  {
437  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
439  }
440 
441  /*
442  * SSLv3:
443  * master =
444  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
445  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
446  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
447  *
448  * TLSv1+:
449  * master = PRF( premaster, "master secret", randbytes )[0..47]
450  */
451  if( handshake->resume == 0 )
452  {
453  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
454  handshake->pmslen );
455 
456  handshake->tls_prf( handshake->premaster, handshake->pmslen,
457  "master secret",
458  handshake->randbytes, 64, session->master, 48 );
459 
460  memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
461  }
462  else
463  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
464 
465  /*
466  * Swap the client and server random values.
467  */
468  memcpy( tmp, handshake->randbytes, 64 );
469  memcpy( handshake->randbytes, tmp + 32, 32 );
470  memcpy( handshake->randbytes + 32, tmp, 32 );
471  memset( tmp, 0, sizeof( tmp ) );
472 
473  /*
474  * SSLv3:
475  * key block =
476  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
477  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
478  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
479  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
480  * ...
481  *
482  * TLSv1:
483  * key block = PRF( master, "key expansion", randbytes )
484  */
485  handshake->tls_prf( session->master, 48, "key expansion",
486  handshake->randbytes, 64, keyblk, 256 );
487 
488  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
489  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
490  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
491  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
492  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
493 
494  memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
495 
496  /*
497  * Determine the appropriate key, IV and MAC length.
498  */
499 
500  if( cipher_info->mode == POLARSSL_MODE_GCM )
501  {
502  transform->keylen = cipher_info->key_length;
503  transform->keylen /= 8;
504  transform->minlen = 1;
505  transform->ivlen = 12;
506  transform->fixed_ivlen = 4;
507  transform->maclen = 0;
508  }
509  else
510  {
511  if( md_info->type != POLARSSL_MD_NONE )
512  {
513  int ret;
514 
515  if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 )
516  {
517  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
518  return( ret );
519  }
520 
521  if( ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
522  {
523  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
524  return( ret );
525  }
526 
527  transform->maclen = md_get_size( md_info );
528 
529 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
530  /*
531  * If HMAC is to be truncated, we shall keep the leftmost bytes,
532  * (rfc 6066 page 13 or rfc 2104 section 4),
533  * so we only need to adjust the length here.
534  */
535  if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
536  transform->maclen = SSL_TRUNCATED_HMAC_LEN;
537 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
538  }
539 
540  transform->keylen = cipher_info->key_length;
541  transform->keylen /= 8;
542  transform->ivlen = cipher_info->iv_size;
543 
544  transform->minlen = transform->keylen;
545  if( transform->minlen < transform->maclen )
546  {
547  if( cipher_info->mode == POLARSSL_MODE_STREAM )
548  transform->minlen = transform->maclen;
549  else
550  transform->minlen += transform->keylen;
551  }
552  }
553 
554  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
555  transform->keylen, transform->minlen, transform->ivlen,
556  transform->maclen ) );
557 
558  /*
559  * Finally setup the cipher contexts, IVs and MAC secrets.
560  */
561  if( ssl->endpoint == SSL_IS_CLIENT )
562  {
563  key1 = keyblk + transform->maclen * 2;
564  key2 = keyblk + transform->maclen * 2 + transform->keylen;
565 
566  mac_enc = keyblk;
567  mac_dec = keyblk + transform->maclen;
568 
569  /*
570  * This is not used in TLS v1.1.
571  */
572  iv_copy_len = ( transform->fixed_ivlen ) ?
573  transform->fixed_ivlen : transform->ivlen;
574  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
575  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
576  iv_copy_len );
577  }
578  else
579  {
580  key1 = keyblk + transform->maclen * 2 + transform->keylen;
581  key2 = keyblk + transform->maclen * 2;
582 
583  mac_enc = keyblk + transform->maclen;
584  mac_dec = keyblk;
585 
586  /*
587  * This is not used in TLS v1.1.
588  */
589  iv_copy_len = ( transform->fixed_ivlen ) ?
590  transform->fixed_ivlen : transform->ivlen;
591  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
592  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
593  iv_copy_len );
594  }
595 
596 #if defined(POLARSSL_SSL_PROTO_SSL3)
597  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
598  {
599  memcpy( transform->mac_enc, mac_enc, transform->maclen );
600  memcpy( transform->mac_dec, mac_dec, transform->maclen );
601  }
602  else
603 #endif
604 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
605  defined(POLARSSL_SSL_PROTO_TLS1_2)
606  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
607  {
608  md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
609  md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
610  }
611  else
612 #endif
613  {
614  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
616  }
617 
618 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
619  if( ssl_hw_record_init != NULL)
620  {
621  int ret = 0;
622 
623  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
624 
625  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
626  transform->iv_enc, transform->iv_dec,
627  iv_copy_len,
628  mac_enc, mac_dec,
629  transform->maclen ) ) != 0 )
630  {
631  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
633  }
634  }
635 #endif
636 
637  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
638  cipher_info ) ) != 0 )
639  {
640  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
641  return( ret );
642  }
643 
644  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
645  cipher_info ) ) != 0 )
646  {
647  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
648  return( ret );
649  }
650 
651  if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
652  cipher_info->key_length,
653  POLARSSL_ENCRYPT ) ) != 0 )
654  {
655  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
656  return( ret );
657  }
658 
659  if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
660  cipher_info->key_length,
661  POLARSSL_DECRYPT ) ) != 0 )
662  {
663  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
664  return( ret );
665  }
666 
667 #if defined(POLARSSL_CIPHER_MODE_CBC)
668  if( cipher_info->mode == POLARSSL_MODE_CBC )
669  {
670  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
671  POLARSSL_PADDING_NONE ) ) != 0 )
672  {
673  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
674  return( ret );
675  }
676 
677  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
678  POLARSSL_PADDING_NONE ) ) != 0 )
679  {
680  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
681  return( ret );
682  }
683  }
684 #endif /* POLARSSL_CIPHER_MODE_CBC */
685 
686  memset( keyblk, 0, sizeof( keyblk ) );
687 
688 #if defined(POLARSSL_ZLIB_SUPPORT)
689  // Initialize compression
690  //
691  if( session->compression == SSL_COMPRESS_DEFLATE )
692  {
693  if( ssl->compress_buf == NULL )
694  {
695  SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
696  ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
697  if( ssl->compress_buf == NULL )
698  {
699  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
700  SSL_BUFFER_LEN ) );
702  }
703  }
704 
705  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
706 
707  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
708  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
709 
710  if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
711  inflateInit( &transform->ctx_inflate ) != Z_OK )
712  {
713  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
715  }
716  }
717 #endif /* POLARSSL_ZLIB_SUPPORT */
718 
719  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
720 
721  return( 0 );
722 }
723 
724 #if defined(POLARSSL_SSL_PROTO_SSL3)
725 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
726 {
729  unsigned char pad_1[48];
730  unsigned char pad_2[48];
731 
732  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
733 
734  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
735  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
736 
737  memset( pad_1, 0x36, 48 );
738  memset( pad_2, 0x5C, 48 );
739 
740  md5_update( &md5, ssl->session_negotiate->master, 48 );
741  md5_update( &md5, pad_1, 48 );
742  md5_finish( &md5, hash );
743 
744  md5_starts( &md5 );
745  md5_update( &md5, ssl->session_negotiate->master, 48 );
746  md5_update( &md5, pad_2, 48 );
747  md5_update( &md5, hash, 16 );
748  md5_finish( &md5, hash );
749 
750  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
751  sha1_update( &sha1, pad_1, 40 );
752  sha1_finish( &sha1, hash + 16 );
753 
754  sha1_starts( &sha1 );
755  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
756  sha1_update( &sha1, pad_2, 40 );
757  sha1_update( &sha1, hash + 16, 20 );
758  sha1_finish( &sha1, hash + 16 );
759 
760  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
761  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
762 
763  return;
764 }
765 #endif
766 
767 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
768 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
769 {
772 
773  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
774 
775  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
776  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
777 
778  md5_finish( &md5, hash );
779  sha1_finish( &sha1, hash + 16 );
780 
781  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
782  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
783 
784  return;
785 }
786 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
787 
788 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
789 #if defined(POLARSSL_SHA256_C)
790 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
791 {
793 
794  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
795 
796  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
797  sha256_finish( &sha256, hash );
798 
799  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
800  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
801 
802  return;
803 }
804 #endif /* POLARSSL_SHA256_C */
805 
806 #if defined(POLARSSL_SHA512_C)
807 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
808 {
810 
811  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
812 
813  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
814  sha512_finish( &sha512, hash );
815 
816  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
817  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
818 
819  return;
820 }
821 #endif /* POLARSSL_SHA512_C */
822 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
823 
824 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
826 {
827  unsigned char *p = ssl->handshake->premaster;
828  unsigned char *end = p + sizeof( ssl->handshake->premaster );
829 
830  /*
831  * PMS = struct {
832  * opaque other_secret<0..2^16-1>;
833  * opaque psk<0..2^16-1>;
834  * };
835  * with "other_secret" depending on the particular key exchange
836  */
837 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
838  if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
839  {
840  if( end - p < 2 + (int) ssl->psk_len )
842 
843  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
844  *(p++) = (unsigned char)( ssl->psk_len );
845  p += ssl->psk_len;
846  }
847  else
848 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
849 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
850  if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
851  {
852  /*
853  * other_secret already set by the ClientKeyExchange message,
854  * and is 48 bytes long
855  */
856  *p++ = 0;
857  *p++ = 48;
858  p += 48;
859  }
860  else
861 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
862 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
863  if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
864  {
865  int ret;
866  size_t len = ssl->handshake->dhm_ctx.len;
867 
868  if( end - p < 2 + (int) len )
870 
871  *(p++) = (unsigned char)( len >> 8 );
872  *(p++) = (unsigned char)( len );
873  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
874  p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
875  {
876  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
877  return( ret );
878  }
879  p += len;
880 
881  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
882  }
883  else
884 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
885 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
886  if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
887  {
888  int ret;
889  size_t zlen;
890 
891  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
892  p + 2, end - (p + 2),
893  ssl->f_rng, ssl->p_rng ) ) != 0 )
894  {
895  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
896  return( ret );
897  }
898 
899  *(p++) = (unsigned char)( zlen >> 8 );
900  *(p++) = (unsigned char)( zlen );
901  p += zlen;
902 
903  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
904  }
905  else
906 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
907  {
908  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
910  }
911 
912  /* opaque psk<0..2^16-1>; */
913  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
914  *(p++) = (unsigned char)( ssl->psk_len );
915  memcpy( p, ssl->psk, ssl->psk_len );
916  p += ssl->psk_len;
917 
918  ssl->handshake->pmslen = p - ssl->handshake->premaster;
919 
920  return( 0 );
921 }
922 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
923 
924 #if defined(POLARSSL_SSL_PROTO_SSL3)
925 /*
926  * SSLv3.0 MAC functions
927  */
928 static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
929  unsigned char *buf, size_t len,
930  unsigned char *ctr, int type )
931 {
932  unsigned char header[11];
933  unsigned char padding[48];
934  int padlen = 0;
935  int md_size = md_get_size( md_ctx->md_info );
936  int md_type = md_get_type( md_ctx->md_info );
937 
938  if( md_type == POLARSSL_MD_MD5 )
939  padlen = 48;
940  else if( md_type == POLARSSL_MD_SHA1 )
941  padlen = 40;
942  else if( md_type == POLARSSL_MD_SHA256 )
943  padlen = 32;
944  else if( md_type == POLARSSL_MD_SHA384 )
945  padlen = 16;
946 
947  memcpy( header, ctr, 8 );
948  header[ 8] = (unsigned char) type;
949  header[ 9] = (unsigned char)( len >> 8 );
950  header[10] = (unsigned char)( len );
951 
952  memset( padding, 0x36, padlen );
953  md_starts( md_ctx );
954  md_update( md_ctx, secret, md_size );
955  md_update( md_ctx, padding, padlen );
956  md_update( md_ctx, header, 11 );
957  md_update( md_ctx, buf, len );
958  md_finish( md_ctx, buf + len );
959 
960  memset( padding, 0x5C, padlen );
961  md_starts( md_ctx );
962  md_update( md_ctx, secret, md_size );
963  md_update( md_ctx, padding, padlen );
964  md_update( md_ctx, buf + len, md_size );
965  md_finish( md_ctx, buf + len );
966 }
967 #endif /* POLARSSL_SSL_PROTO_SSL3 */
968 
969 /*
970  * Encryption/decryption functions
971  */
972 static int ssl_encrypt_buf( ssl_context *ssl )
973 {
974  size_t i;
975 
976  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
977 
978  /*
979  * Add MAC before encrypt, except for GCM
980  */
981 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
982  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
983  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
986  {
987 #if defined(POLARSSL_SSL_PROTO_SSL3)
988  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
989  {
990  ssl_mac( &ssl->transform_out->md_ctx_enc,
991  ssl->transform_out->mac_enc,
992  ssl->out_msg, ssl->out_msglen,
993  ssl->out_ctr, ssl->out_msgtype );
994  }
995  else
996 #endif
997 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
998  defined(POLARSSL_SSL_PROTO_TLS1_2)
999  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1000  {
1001  md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1003  ssl->out_msg, ssl->out_msglen );
1005  ssl->out_msg + ssl->out_msglen );
1007  }
1008  else
1009 #endif
1010  {
1011  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1013  }
1014 
1015  SSL_DEBUG_BUF( 4, "computed mac",
1016  ssl->out_msg + ssl->out_msglen,
1017  ssl->transform_out->maclen );
1018 
1019  ssl->out_msglen += ssl->transform_out->maclen;
1020  }
1021 #endif /* GCM not the only option */
1022 
1023  /*
1024  * Encrypt
1025  */
1026 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1029  {
1030  int ret;
1031  size_t olen = 0;
1032 
1033  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1034  "including %d bytes of padding",
1035  ssl->out_msglen, 0 ) );
1036 
1037  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1038  ssl->out_msg, ssl->out_msglen );
1039 
1040  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1041  {
1042  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1043  return( ret );
1044  }
1045 
1046  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1047  ssl->transform_out->iv_enc,
1048  ssl->transform_out->ivlen ) ) != 0 )
1049  {
1050  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1051  return( ret );
1052  }
1053 
1054  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1055  ssl->out_msg, ssl->out_msglen, ssl->out_msg,
1056  &olen ) ) != 0 )
1057  {
1058  SSL_DEBUG_RET( 1, "cipher_update", ret );
1059  return( ret );
1060  }
1061 
1062  if( ssl->out_msglen != olen )
1063  {
1064  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1065  ssl->out_msglen, olen ) );
1067  }
1068 
1069  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1070  ssl->out_msg + olen, &olen ) ) != 0 )
1071  {
1072  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1073  return( ret );
1074  }
1075 
1076  if( 0 != olen )
1077  {
1078  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1079  0, olen ) );
1081  }
1082  }
1083  else
1084 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1085 #if defined(POLARSSL_GCM_C)
1088  {
1089  size_t enc_msglen, olen, totlen;
1090  unsigned char *enc_msg;
1091  unsigned char add_data[13];
1093 
1094  enc_msglen = ssl->out_msglen;
1095 
1096  memcpy( add_data, ssl->out_ctr, 8 );
1097  add_data[8] = ssl->out_msgtype;
1098  add_data[9] = ssl->major_ver;
1099  add_data[10] = ssl->minor_ver;
1100  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1101  add_data[12] = ssl->out_msglen & 0xFF;
1102 
1103  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1104  add_data, 13 );
1105 
1106  /*
1107  * Generate IV
1108  */
1109  ret = ssl->f_rng( ssl->p_rng,
1111  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1112  if( ret != 0 )
1113  return( ret );
1114 
1115  memcpy( ssl->out_iv,
1117  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1118 
1119  SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1120  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1121 
1122  /*
1123  * Fix pointer positions and message length with added IV
1124  */
1125  enc_msg = ssl->out_msg;
1126  enc_msglen = ssl->out_msglen;
1127  ssl->out_msglen += ssl->transform_out->ivlen -
1128  ssl->transform_out->fixed_ivlen;
1129 
1130  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1131  "including %d bytes of padding",
1132  ssl->out_msglen, 0 ) );
1133 
1134  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1135  ssl->out_msg, ssl->out_msglen );
1136 
1137  /*
1138  * Encrypt
1139  */
1140  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1141  ssl->transform_out->iv_enc,
1142  ssl->transform_out->ivlen ) ) != 0 ||
1143  ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1144  {
1145  return( ret );
1146  }
1147 
1148  if( ( ret = cipher_update_ad( &ssl->transform_out->cipher_ctx_enc,
1149  add_data, 13 ) ) != 0 )
1150  {
1151  return( ret );
1152  }
1153 
1154  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1155  enc_msg, enc_msglen,
1156  enc_msg, &olen ) ) != 0 )
1157  {
1158  return( ret );
1159  }
1160  totlen = olen;
1161 
1162  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1163  enc_msg + olen, &olen ) ) != 0 )
1164  {
1165  return( ret );
1166  }
1167  totlen += olen;
1168 
1169  if( totlen != enc_msglen )
1170  {
1171  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1172  return( -1 );
1173  }
1174 
1175  /*
1176  * Authenticate
1177  */
1178  ssl->out_msglen += 16;
1179 
1180  if( ( ret = cipher_write_tag( &ssl->transform_out->cipher_ctx_enc,
1181  enc_msg + enc_msglen, 16 ) ) != 0 )
1182  {
1183  return( ret );
1184  }
1185 
1186  SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, 16 );
1187  }
1188  else
1189 #endif /* POLARSSL_GCM_C */
1190 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1191  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1194  {
1195  int ret;
1196  unsigned char *enc_msg;
1197  size_t enc_msglen, padlen, olen = 0;
1198 
1199  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1200  ssl->transform_out->ivlen;
1201  if( padlen == ssl->transform_out->ivlen )
1202  padlen = 0;
1203 
1204  for( i = 0; i <= padlen; i++ )
1205  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1206 
1207  ssl->out_msglen += padlen + 1;
1208 
1209  enc_msglen = ssl->out_msglen;
1210  enc_msg = ssl->out_msg;
1211 
1212 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1213  /*
1214  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1215  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1216  */
1217  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1218  {
1219  /*
1220  * Generate IV
1221  */
1222  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1223  ssl->transform_out->ivlen );
1224  if( ret != 0 )
1225  return( ret );
1226 
1227  memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1228  ssl->transform_out->ivlen );
1229 
1230  /*
1231  * Fix pointer positions and message length with added IV
1232  */
1233  enc_msg = ssl->out_msg;
1234  enc_msglen = ssl->out_msglen;
1235  ssl->out_msglen += ssl->transform_out->ivlen;
1236  }
1237 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1238 
1239  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1240  "including %d bytes of IV and %d bytes of padding",
1241  ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
1242 
1243  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1244  ssl->out_iv, ssl->out_msglen );
1245 
1246  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1247  {
1248  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1249  return( ret );
1250  }
1251 
1252  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1253  ssl->transform_out->iv_enc,
1254  ssl->transform_out->ivlen ) ) != 0 )
1255  {
1256  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1257  return( ret );
1258  }
1259 
1260  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1261  enc_msg, enc_msglen, enc_msg,
1262  &olen ) ) != 0 )
1263  {
1264  SSL_DEBUG_RET( 1, "cipher_update", ret );
1265  return( ret );
1266  }
1267 
1268  enc_msglen -= olen;
1269 
1270  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1271  enc_msg + olen, &olen ) ) != 0 )
1272  {
1273  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1274  return( ret );
1275  }
1276 
1277  if( enc_msglen != olen )
1278  {
1279  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1280  enc_msglen, olen ) );
1282  }
1283 
1284 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1285  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1286  {
1287  /*
1288  * Save IV in SSL3 and TLS1
1289  */
1290  memcpy( ssl->transform_out->iv_enc,
1292  ssl->transform_out->ivlen );
1293  }
1294 #endif
1295  }
1296  else
1297 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1298  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1299  {
1300  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1302  }
1303 
1304  for( i = 8; i > 0; i-- )
1305  if( ++ssl->out_ctr[i - 1] != 0 )
1306  break;
1307 
1308  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1309 
1310  return( 0 );
1311 }
1312 
1313 #define POLARSSL_SSL_MAX_MAC_SIZE 48
1314 
1315 static int ssl_decrypt_buf( ssl_context *ssl )
1316 {
1317  size_t i;
1318 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1319  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1320  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1321  size_t padlen = 0, correct = 1;
1322 #endif
1323 
1324  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1325 
1326  if( ssl->in_msglen < ssl->transform_in->minlen )
1327  {
1328  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1329  ssl->in_msglen, ssl->transform_in->minlen ) );
1330  return( POLARSSL_ERR_SSL_INVALID_MAC );
1331  }
1332 
1333 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1336  {
1337  int ret;
1338  size_t olen = 0;
1339 
1340  padlen = 0;
1341 
1342  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1343  {
1344  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1345  return( ret );
1346  }
1347 
1348  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1349  ssl->transform_in->iv_dec,
1350  ssl->transform_in->ivlen ) ) != 0 )
1351  {
1352  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1353  return( ret );
1354  }
1355 
1356  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1357  ssl->in_msg, ssl->in_msglen, ssl->in_msg,
1358  &olen ) ) != 0 )
1359  {
1360  SSL_DEBUG_RET( 1, "cipher_update", ret );
1361  return( ret );
1362  }
1363 
1364  if( ssl->in_msglen != olen )
1365  {
1366  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1368  }
1369 
1370  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1371  ssl->in_msg + olen, &olen ) ) != 0 )
1372  {
1373  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1374  return( ret );
1375  }
1376 
1377  if( 0 != olen )
1378  {
1379  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1381  }
1382  }
1383  else
1384 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1385 #if defined(POLARSSL_GCM_C)
1388  {
1389  unsigned char *dec_msg;
1390  unsigned char *dec_msg_result;
1391  size_t dec_msglen, olen, totlen;
1392  unsigned char add_data[13];
1394 
1395  dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1396  ssl->transform_in->fixed_ivlen );
1397  dec_msglen -= 16;
1398  dec_msg = ssl->in_msg;
1399  dec_msg_result = ssl->in_msg;
1400  ssl->in_msglen = dec_msglen;
1401 
1402  memcpy( add_data, ssl->in_ctr, 8 );
1403  add_data[8] = ssl->in_msgtype;
1404  add_data[9] = ssl->major_ver;
1405  add_data[10] = ssl->minor_ver;
1406  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1407  add_data[12] = ssl->in_msglen & 0xFF;
1408 
1409  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1410  add_data, 13 );
1411 
1412  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1413  ssl->in_iv,
1414  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1415 
1416  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1417  ssl->transform_in->ivlen );
1418  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1419 
1420  /*
1421  * Decrypt
1422  */
1423  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1424  ssl->transform_in->iv_dec,
1425  ssl->transform_in->ivlen ) ) != 0 ||
1426  ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1427  {
1428  return( ret );
1429  }
1430 
1431  if( ( ret = cipher_update_ad( &ssl->transform_in->cipher_ctx_dec,
1432  add_data, 13 ) ) != 0 )
1433  {
1434  return( ret );
1435  }
1436 
1437  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1438  dec_msg, dec_msglen,
1439  dec_msg_result, &olen ) ) != 0 )
1440  {
1441  return( ret );
1442  }
1443  totlen = olen;
1444 
1445  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1446  dec_msg_result + olen, &olen ) ) != 0 )
1447  {
1448  return( ret );
1449  }
1450  totlen += olen;
1451 
1452  if( totlen != dec_msglen )
1453  {
1454  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1455  return( -1 );
1456  }
1457 
1458  /*
1459  * Authenticate
1460  */
1461  if( ( ret = cipher_check_tag( &ssl->transform_in->cipher_ctx_dec,
1462  dec_msg + dec_msglen, 16 ) ) != 0 )
1463  {
1464  SSL_DEBUG_RET( 1, "cipher_check_tag", ret );
1465  return( POLARSSL_ERR_SSL_INVALID_MAC );
1466  }
1467 
1468  }
1469  else
1470 #endif /* POLARSSL_GCM_C */
1471 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1472  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1475  {
1476  /*
1477  * Decrypt and check the padding
1478  */
1479  int ret;
1480  unsigned char *dec_msg;
1481  unsigned char *dec_msg_result;
1482  size_t dec_msglen;
1483  size_t minlen = 0;
1484  size_t olen = 0;
1485 
1486  /*
1487  * Check immediate ciphertext sanity
1488  */
1489  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1490  {
1491  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1492  ssl->in_msglen, ssl->transform_in->ivlen ) );
1493  return( POLARSSL_ERR_SSL_INVALID_MAC );
1494  }
1495 
1496 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1497  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1498  minlen += ssl->transform_in->ivlen;
1499 #endif
1500 
1501  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1502  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1503  {
1504  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1505  ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1506  return( POLARSSL_ERR_SSL_INVALID_MAC );
1507  }
1508 
1509  dec_msglen = ssl->in_msglen;
1510  dec_msg = ssl->in_msg;
1511  dec_msg_result = ssl->in_msg;
1512 
1513 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1514  /*
1515  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1516  */
1517  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1518  {
1519  dec_msglen -= ssl->transform_in->ivlen;
1520  ssl->in_msglen -= ssl->transform_in->ivlen;
1521 
1522  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1523  ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1524  }
1525 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1526 
1527  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1528  {
1529  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1530  return( ret );
1531  }
1532 
1533  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1534  ssl->transform_in->iv_dec,
1535  ssl->transform_in->ivlen ) ) != 0 )
1536  {
1537  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1538  return( ret );
1539  }
1540 
1541  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1542  dec_msg, dec_msglen, dec_msg_result,
1543  &olen ) ) != 0 )
1544  {
1545  SSL_DEBUG_RET( 1, "cipher_update", ret );
1546  return( ret );
1547  }
1548 
1549  dec_msglen -= olen;
1550  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1551  dec_msg_result + olen, &olen ) ) != 0 )
1552  {
1553  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1554  return( ret );
1555  }
1556 
1557  if( dec_msglen != olen )
1558  {
1559  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1561  }
1562 
1563 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1564  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1565  {
1566  /*
1567  * Save IV in SSL3 and TLS1
1568  */
1569  memcpy( ssl->transform_in->iv_dec,
1571  ssl->transform_in->ivlen );
1572  }
1573 #endif
1574 
1575  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1576 
1577  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1578  {
1579 #if defined(POLARSSL_SSL_DEBUG_ALL)
1580  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1581  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1582 #endif
1583  padlen = 0;
1584  correct = 0;
1585  }
1586 
1587 #if defined(POLARSSL_SSL_PROTO_SSL3)
1588  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1589  {
1590  if( padlen > ssl->transform_in->ivlen )
1591  {
1592 #if defined(POLARSSL_SSL_DEBUG_ALL)
1593  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1594  "should be no more than %d",
1595  padlen, ssl->transform_in->ivlen ) );
1596 #endif
1597  correct = 0;
1598  }
1599  }
1600  else
1601 #endif
1602 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1603  defined(POLARSSL_SSL_PROTO_TLS1_2)
1604  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1605  {
1606  /*
1607  * TLSv1+: always check the padding up to the first failure
1608  * and fake check up to 256 bytes of padding
1609  */
1610  size_t pad_count = 0, real_count = 1;
1611  size_t padding_idx = ssl->in_msglen - padlen - 1;
1612 
1613  /*
1614  * Padding is guaranteed to be incorrect if:
1615  * 1. padlen - 1 > ssl->in_msglen
1616  *
1617  * 2. ssl->in_msglen + padlen >
1618  * SSL_MAX_CONTENT_LEN + 256 (max padding)
1619  *
1620  * In both cases we reset padding_idx to a safe value (0) to
1621  * prevent out-of-buffer reads.
1622  */
1623  correct &= ( ssl->in_msglen >= padlen - 1 );
1624  correct &= ( ssl->in_msglen + padlen <= SSL_MAX_CONTENT_LEN + 256 );
1625 
1626  padding_idx *= correct;
1627 
1628  for( i = 1; i <= 256; i++ )
1629  {
1630  real_count &= ( i <= padlen );
1631  pad_count += real_count *
1632  ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1633  }
1634 
1635  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1636 
1637 #if defined(POLARSSL_SSL_DEBUG_ALL)
1638  if( padlen > 0 && correct == 0)
1639  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1640 #endif
1641  padlen &= correct * 0x1FF;
1642  }
1643  else
1644 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1645  POLARSSL_SSL_PROTO_TLS1_2 */
1646  {
1647  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1649  }
1650  }
1651  else
1652 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1653  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1654  {
1655  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1657  }
1658 
1659  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1660  ssl->in_msg, ssl->in_msglen );
1661 
1662  /*
1663  * Always compute the MAC (RFC4346, CBCTIME), except for GCM of course
1664  */
1665 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1666  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1667  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1670  {
1671  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1672 
1673  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1674 
1675  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1676  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1677 
1678  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1679 
1680 #if defined(POLARSSL_SSL_PROTO_SSL3)
1681  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1682  {
1683  ssl_mac( &ssl->transform_in->md_ctx_dec,
1684  ssl->transform_in->mac_dec,
1685  ssl->in_msg, ssl->in_msglen,
1686  ssl->in_ctr, ssl->in_msgtype );
1687  }
1688  else
1689 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1690 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1691  defined(POLARSSL_SSL_PROTO_TLS1_2)
1692  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1693  {
1694  /*
1695  * Process MAC and always update for padlen afterwards to make
1696  * total time independent of padlen
1697  *
1698  * extra_run compensates MAC check for padlen
1699  *
1700  * Known timing attacks:
1701  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1702  *
1703  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1704  * correctly. (We round down instead of up, so -56 is the correct
1705  * value for our calculations instead of -55)
1706  */
1707  size_t j, extra_run = 0;
1708  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1709  ( 13 + ssl->in_msglen + 8 ) / 64;
1710 
1711  extra_run &= correct * 0xFF;
1712 
1713  md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1715  ssl->in_msglen );
1717  ssl->in_msg + ssl->in_msglen );
1718  for( j = 0; j < extra_run; j++ )
1719  md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1720 
1722  }
1723  else
1724 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1725  POLARSSL_SSL_PROTO_TLS1_2 */
1726  {
1727  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1729  }
1730 
1731  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1732  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1733  ssl->transform_in->maclen );
1734 
1735  if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1736  ssl->transform_in->maclen ) != 0 )
1737  {
1738 #if defined(POLARSSL_SSL_DEBUG_ALL)
1739  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1740 #endif
1741  correct = 0;
1742  }
1743 
1744  /*
1745  * Finally check the correct flag
1746  */
1747  if( correct == 0 )
1748  return( POLARSSL_ERR_SSL_INVALID_MAC );
1749  }
1750 #endif /* GCM not the only option */
1751 
1752  if( ssl->in_msglen == 0 )
1753  {
1754  ssl->nb_zero++;
1755 
1756  /*
1757  * Three or more empty messages may be a DoS attack
1758  * (excessive CPU consumption).
1759  */
1760  if( ssl->nb_zero > 3 )
1761  {
1762  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1763  "messages, possible DoS attack" ) );
1764  return( POLARSSL_ERR_SSL_INVALID_MAC );
1765  }
1766  }
1767  else
1768  ssl->nb_zero = 0;
1769 
1770  for( i = 8; i > 0; i-- )
1771  if( ++ssl->in_ctr[i - 1] != 0 )
1772  break;
1773 
1774  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1775 
1776  return( 0 );
1777 }
1778 
1779 #if defined(POLARSSL_ZLIB_SUPPORT)
1780 /*
1781  * Compression/decompression functions
1782  */
1783 static int ssl_compress_buf( ssl_context *ssl )
1784 {
1785  int ret;
1786  unsigned char *msg_post = ssl->out_msg;
1787  size_t len_pre = ssl->out_msglen;
1788  unsigned char *msg_pre = ssl->compress_buf;
1789 
1790  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1791 
1792  if( len_pre == 0 )
1793  return( 0 );
1794 
1795  memcpy( msg_pre, ssl->out_msg, len_pre );
1796 
1797  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1798  ssl->out_msglen ) );
1799 
1800  SSL_DEBUG_BUF( 4, "before compression: output payload",
1801  ssl->out_msg, ssl->out_msglen );
1802 
1803  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1804  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1805  ssl->transform_out->ctx_deflate.next_out = msg_post;
1806  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1807 
1808  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1809  if( ret != Z_OK )
1810  {
1811  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1813  }
1814 
1815  ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
1816 
1817  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1818  ssl->out_msglen ) );
1819 
1820  SSL_DEBUG_BUF( 4, "after compression: output payload",
1821  ssl->out_msg, ssl->out_msglen );
1822 
1823  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1824 
1825  return( 0 );
1826 }
1827 
1828 static int ssl_decompress_buf( ssl_context *ssl )
1829 {
1830  int ret;
1831  unsigned char *msg_post = ssl->in_msg;
1832  size_t len_pre = ssl->in_msglen;
1833  unsigned char *msg_pre = ssl->compress_buf;
1834 
1835  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1836 
1837  if( len_pre == 0 )
1838  return( 0 );
1839 
1840  memcpy( msg_pre, ssl->in_msg, len_pre );
1841 
1842  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1843  ssl->in_msglen ) );
1844 
1845  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1846  ssl->in_msg, ssl->in_msglen );
1847 
1848  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1849  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1850  ssl->transform_in->ctx_inflate.next_out = msg_post;
1851  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1852 
1853  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1854  if( ret != Z_OK )
1855  {
1856  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1858  }
1859 
1860  ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
1861 
1862  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1863  ssl->in_msglen ) );
1864 
1865  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1866  ssl->in_msg, ssl->in_msglen );
1867 
1868  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1869 
1870  return( 0 );
1871 }
1872 #endif /* POLARSSL_ZLIB_SUPPORT */
1873 
1874 /*
1875  * Fill the input message buffer
1876  */
1877 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1878 {
1879  int ret;
1880  size_t len;
1881 
1882  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1883 
1884  while( ssl->in_left < nb_want )
1885  {
1886  len = nb_want - ssl->in_left;
1887  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1888 
1889  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1890  ssl->in_left, nb_want ) );
1891  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1892 
1893  if( ret == 0 )
1894  return( POLARSSL_ERR_SSL_CONN_EOF );
1895 
1896  if( ret < 0 )
1897  return( ret );
1898 
1899  ssl->in_left += ret;
1900  }
1901 
1902  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1903 
1904  return( 0 );
1905 }
1906 
1907 /*
1908  * Flush any data not yet written
1909  */
1910 int ssl_flush_output( ssl_context *ssl )
1911 {
1912  int ret;
1913  unsigned char *buf;
1914 
1915  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1916 
1917  while( ssl->out_left > 0 )
1918  {
1919  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1920  5 + ssl->out_msglen, ssl->out_left ) );
1921 
1922  buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1923  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1924 
1925  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1926 
1927  if( ret <= 0 )
1928  return( ret );
1929 
1930  ssl->out_left -= ret;
1931  }
1932 
1933  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1934 
1935  return( 0 );
1936 }
1937 
1938 /*
1939  * Record layer functions
1940  */
1941 int ssl_write_record( ssl_context *ssl )
1942 {
1943  int ret, done = 0;
1944  size_t len = ssl->out_msglen;
1945 
1946  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1947 
1948  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1949  {
1950  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1951  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1952  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1953 
1954  if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
1955  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1956  }
1957 
1958 #if defined(POLARSSL_ZLIB_SUPPORT)
1959  if( ssl->transform_out != NULL &&
1961  {
1962  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1963  {
1964  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1965  return( ret );
1966  }
1967 
1968  len = ssl->out_msglen;
1969  }
1970 #endif /*POLARSSL_ZLIB_SUPPORT */
1971 
1972 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1973  if( ssl_hw_record_write != NULL)
1974  {
1975  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1976 
1977  ret = ssl_hw_record_write( ssl );
1978  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1979  {
1980  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1982  }
1983 
1984  if( ret == 0 )
1985  done = 1;
1986  }
1987 #endif
1988  if( !done )
1989  {
1990  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1991  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1992  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1993  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1994  ssl->out_hdr[4] = (unsigned char)( len );
1995 
1996  if( ssl->transform_out != NULL )
1997  {
1998  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1999  {
2000  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2001  return( ret );
2002  }
2003 
2004  len = ssl->out_msglen;
2005  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
2006  ssl->out_hdr[4] = (unsigned char)( len );
2007  }
2008 
2009  ssl->out_left = 5 + ssl->out_msglen;
2010 
2011  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2012  "version = [%d:%d], msglen = %d",
2013  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
2014  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
2015 
2016  SSL_DEBUG_BUF( 4, "output record sent to network",
2017  ssl->out_hdr, 5 + ssl->out_msglen );
2018  }
2019 
2020  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2021  {
2022  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2023  return( ret );
2024  }
2025 
2026  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2027 
2028  return( 0 );
2029 }
2030 
2031 int ssl_read_record( ssl_context *ssl )
2032 {
2033  int ret, done = 0;
2034 
2035  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
2036 
2037  SSL_DEBUG_BUF( 4, "input record from network",
2038  ssl->in_hdr, 5 + ssl->in_msglen );
2039 
2040  if( ssl->in_hslen != 0 &&
2041  ssl->in_hslen < ssl->in_msglen )
2042  {
2043  /*
2044  * Get next Handshake message in the current record
2045  */
2046  ssl->in_msglen -= ssl->in_hslen;
2047 
2048  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
2049  ssl->in_msglen );
2050 
2051  ssl->in_hslen = 4;
2052  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2053 
2054  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2055  " %d, type = %d, hslen = %d",
2056  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2057 
2058  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2059  {
2060  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2062  }
2063 
2064  if( ssl->in_msglen < ssl->in_hslen )
2065  {
2066  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2068  }
2069 
2070  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2071 
2072  return( 0 );
2073  }
2074 
2075  ssl->in_hslen = 0;
2076 
2077  /*
2078  * Read the record header and validate it
2079  */
2080  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2081  {
2082  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2083  return( ret );
2084  }
2085 
2086  ssl->in_msgtype = ssl->in_hdr[0];
2087  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2088 
2089  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2090  "version = [%d:%d], msglen = %d",
2091  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2092  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2093 
2094  if( ssl->in_hdr[1] != ssl->major_ver )
2095  {
2096  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
2098  }
2099 
2100  if( ssl->in_hdr[2] > ssl->max_minor_ver )
2101  {
2102  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
2104  }
2105 
2106  /*
2107  * Make sure the message length is acceptable
2108  */
2109  if( ssl->transform_in == NULL )
2110  {
2111  if( ssl->in_msglen < 1 ||
2113  {
2114  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2116  }
2117  }
2118  else
2119  {
2120  if( ssl->in_msglen < ssl->transform_in->minlen )
2121  {
2122  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2124  }
2125 
2126 #if defined(POLARSSL_SSL_PROTO_SSL3)
2127  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2129  {
2130  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2132  }
2133 #endif
2134 
2135 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2136  defined(POLARSSL_SSL_PROTO_TLS1_2)
2137  /*
2138  * TLS encrypted messages can have up to 256 bytes of padding
2139  */
2140  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2141  ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
2142  {
2143  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2145  }
2146 #endif
2147  }
2148 
2149  /*
2150  * Read and optionally decrypt the message contents
2151  */
2152  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2153  {
2154  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2155  return( ret );
2156  }
2157 
2158  SSL_DEBUG_BUF( 4, "input record from network",
2159  ssl->in_hdr, 5 + ssl->in_msglen );
2160 
2161 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2162  if( ssl_hw_record_read != NULL)
2163  {
2164  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2165 
2166  ret = ssl_hw_record_read( ssl );
2167  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2168  {
2169  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2171  }
2172 
2173  if( ret == 0 )
2174  done = 1;
2175  }
2176 #endif
2177  if( !done && ssl->transform_in != NULL )
2178  {
2179  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2180  {
2181 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2182  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2183  {
2187  }
2188 #endif
2189  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2190  return( ret );
2191  }
2192 
2193  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2194  ssl->in_msg, ssl->in_msglen );
2195 
2196  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2197  {
2198  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2200  }
2201  }
2202 
2203 #if defined(POLARSSL_ZLIB_SUPPORT)
2204  if( ssl->transform_in != NULL &&
2206  {
2207  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2208  {
2209  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2210  return( ret );
2211  }
2212 
2213  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2214  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2215  }
2216 #endif /* POLARSSL_ZLIB_SUPPORT */
2217 
2218  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2219  ssl->in_msgtype != SSL_MSG_ALERT &&
2222  {
2223  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2224 
2225  if( ( ret = ssl_send_alert_message( ssl,
2228  {
2229  return( ret );
2230  }
2231 
2233  }
2234 
2235  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2236  {
2237  ssl->in_hslen = 4;
2238  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2239 
2240  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2241  " %d, type = %d, hslen = %d",
2242  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2243 
2244  /*
2245  * Additional checks to validate the handshake header
2246  */
2247  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2248  {
2249  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2251  }
2252 
2253  if( ssl->in_msglen < ssl->in_hslen )
2254  {
2255  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2257  }
2258 
2259  if( ssl->state != SSL_HANDSHAKE_OVER )
2260  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2261  }
2262 
2263  if( ssl->in_msgtype == SSL_MSG_ALERT )
2264  {
2265  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2266  ssl->in_msg[0], ssl->in_msg[1] ) );
2267 
2268  /*
2269  * Ignore non-fatal alerts, except close_notify
2270  */
2271  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2272  {
2273  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2274  ssl->in_msg[1] ) );
2280  }
2281 
2282  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2283  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2284  {
2285  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2287  }
2288  }
2289 
2290  ssl->in_left = 0;
2291 
2292  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2293 
2294  return( 0 );
2295 }
2296 
2298 {
2299  int ret;
2300 
2301  if( ( ret = ssl_send_alert_message( ssl,
2304  {
2305  return( ret );
2306  }
2307 
2308  return( 0 );
2309 }
2310 
2312  unsigned char level,
2313  unsigned char message )
2314 {
2315  int ret;
2316 
2317  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2318 
2319  ssl->out_msgtype = SSL_MSG_ALERT;
2320  ssl->out_msglen = 2;
2321  ssl->out_msg[0] = level;
2322  ssl->out_msg[1] = message;
2323 
2324  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2325  {
2326  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2327  return( ret );
2328  }
2329 
2330  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2331 
2332  return( 0 );
2333 }
2334 
2335 /*
2336  * Handshake functions
2337  */
2338 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2339  !defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
2340  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2341  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2342  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
2343  !defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2344  !defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2346 {
2348  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2349 
2350  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2351 
2352  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2353  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2354  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2355  {
2356  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2357  ssl->state++;
2358  return( 0 );
2359  }
2360 
2361  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2362  return( ret );
2363 }
2364 
2366 {
2368  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2369 
2370  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2371 
2372  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2373  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2374  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2375  {
2376  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2377  ssl->state++;
2378  return( 0 );
2379  }
2380 
2381  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2382  return( ret );
2383 }
2384 #else
2386 {
2388  size_t i, n;
2389  const x509_crt *crt;
2390  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2391 
2392  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2393 
2394  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2395  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2396  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2397  {
2398  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2399  ssl->state++;
2400  return( 0 );
2401  }
2402 
2403  if( ssl->endpoint == SSL_IS_CLIENT )
2404  {
2405  if( ssl->client_auth == 0 )
2406  {
2407  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2408  ssl->state++;
2409  return( 0 );
2410  }
2411 
2412 #if defined(POLARSSL_SSL_PROTO_SSL3)
2413  /*
2414  * If using SSLv3 and got no cert, send an Alert message
2415  * (otherwise an empty Certificate message will be sent).
2416  */
2417  if( ssl_own_cert( ssl ) == NULL &&
2418  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2419  {
2420  ssl->out_msglen = 2;
2421  ssl->out_msgtype = SSL_MSG_ALERT;
2422  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2423  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2424 
2425  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2426  goto write_msg;
2427  }
2428 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2429  }
2430  else /* SSL_IS_SERVER */
2431  {
2432  if( ssl_own_cert( ssl ) == NULL )
2433  {
2434  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2436  }
2437  }
2438 
2439  SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
2440 
2441  /*
2442  * 0 . 0 handshake type
2443  * 1 . 3 handshake length
2444  * 4 . 6 length of all certs
2445  * 7 . 9 length of cert. 1
2446  * 10 . n-1 peer certificate
2447  * n . n+2 length of cert. 2
2448  * n+3 . ... upper level cert, etc.
2449  */
2450  i = 7;
2451  crt = ssl_own_cert( ssl );
2452 
2453  while( crt != NULL )
2454  {
2455  n = crt->raw.len;
2456  if( n > SSL_MAX_CONTENT_LEN - 3 - i )
2457  {
2458  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2459  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2461  }
2462 
2463  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2464  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2465  ssl->out_msg[i + 2] = (unsigned char)( n );
2466 
2467  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2468  i += n; crt = crt->next;
2469  }
2470 
2471  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2472  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2473  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2474 
2475  ssl->out_msglen = i;
2477  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2478 
2479 #if defined(POLARSSL_SSL_PROTO_SSL3)
2480 write_msg:
2481 #endif
2482 
2483  ssl->state++;
2484 
2485  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2486  {
2487  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2488  return( ret );
2489  }
2490 
2491  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2492 
2493  return( ret );
2494 }
2495 
2497 {
2499  size_t i, n;
2500  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2501 
2502  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2503 
2504  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2505  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2506  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2507  {
2508  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2509  ssl->state++;
2510  return( 0 );
2511  }
2512 
2513  if( ssl->endpoint == SSL_IS_SERVER &&
2514  ( ssl->authmode == SSL_VERIFY_NONE ||
2515  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
2516  {
2518  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2519  ssl->state++;
2520  return( 0 );
2521  }
2522 
2523  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2524  {
2525  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2526  return( ret );
2527  }
2528 
2529  ssl->state++;
2530 
2531 #if defined(POLARSSL_SSL_PROTO_SSL3)
2532  /*
2533  * Check if the client sent an empty certificate
2534  */
2535  if( ssl->endpoint == SSL_IS_SERVER &&
2536  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2537  {
2538  if( ssl->in_msglen == 2 &&
2539  ssl->in_msgtype == SSL_MSG_ALERT &&
2540  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2541  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2542  {
2543  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2544 
2546  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2547  return( 0 );
2548  else
2550  }
2551  }
2552 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2553 
2554 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2555  defined(POLARSSL_SSL_PROTO_TLS1_2)
2556  if( ssl->endpoint == SSL_IS_SERVER &&
2557  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2558  {
2559  if( ssl->in_hslen == 7 &&
2560  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2561  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2562  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2563  {
2564  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2565 
2567  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2569  else
2570  return( 0 );
2571  }
2572  }
2573 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2574  POLARSSL_SSL_PROTO_TLS1_2 */
2575 
2576  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2577  {
2578  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2580  }
2581 
2582  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2583  {
2584  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2586  }
2587 
2588  /*
2589  * Same message structure as in ssl_write_certificate()
2590  */
2591  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2592 
2593  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2594  {
2595  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2597  }
2598 
2599  /* In case we tried to reuse a session but it failed */
2600  if( ssl->session_negotiate->peer_cert != NULL )
2601  {
2604  }
2605 
2607  sizeof( x509_crt ) ) ) == NULL )
2608  {
2609  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2610  sizeof( x509_crt ) ) );
2612  }
2613 
2615 
2616  i = 7;
2617 
2618  while( i < ssl->in_hslen )
2619  {
2620  if( ssl->in_msg[i] != 0 )
2621  {
2622  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2624  }
2625 
2626  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2627  | (unsigned int) ssl->in_msg[i + 2];
2628  i += 3;
2629 
2630  if( n < 128 || i + n > ssl->in_hslen )
2631  {
2632  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2634  }
2635 
2637  ssl->in_msg + i, n );
2638  if( ret != 0 )
2639  {
2640  SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
2641  return( ret );
2642  }
2643 
2644  i += n;
2645  }
2646 
2647  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2648 
2649  if( ssl->authmode != SSL_VERIFY_NONE )
2650  {
2651  if( ssl->ca_chain == NULL )
2652  {
2653  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2655  }
2656 
2658  ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2660  ssl->f_vrfy, ssl->p_vrfy );
2661 
2662  if( ret != 0 )
2663  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2664 
2665  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2666  ret = 0;
2667  }
2668 
2669  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2670 
2671  return( ret );
2672 }
2673 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED
2674  !POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
2675  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
2676  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2677  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2678  !POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
2679  !POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2680 
2682 {
2683  int ret;
2684 
2685  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2686 
2688  ssl->out_msglen = 1;
2689  ssl->out_msg[0] = 1;
2690 
2691  ssl->state++;
2692 
2693  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2694  {
2695  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2696  return( ret );
2697  }
2698 
2699  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2700 
2701  return( 0 );
2702 }
2703 
2705 {
2706  int ret;
2707 
2708  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2709 
2710  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2711  {
2712  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2713  return( ret );
2714  }
2715 
2717  {
2718  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2720  }
2721 
2722  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2723  {
2724  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2726  }
2727 
2728  ssl->state++;
2729 
2730  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2731 
2732  return( 0 );
2733 }
2734 
2736  const ssl_ciphersuite_t *ciphersuite_info )
2737 {
2738  ((void) ciphersuite_info);
2739 
2740 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2741  defined(POLARSSL_SSL_PROTO_TLS1_1)
2742  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2743  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2744  else
2745 #endif
2746 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2747 #if defined(POLARSSL_SHA512_C)
2748  if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2749  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2750  else
2751 #endif
2752 #if defined(POLARSSL_SHA256_C)
2753  if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
2754  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2755  else
2756 #endif
2757 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2758  /* Should never happen */
2759  return;
2760 }
2761 
2762 static void ssl_update_checksum_start( ssl_context *ssl,
2763  const unsigned char *buf, size_t len )
2764 {
2765 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2766  defined(POLARSSL_SSL_PROTO_TLS1_1)
2767  md5_update( &ssl->handshake->fin_md5 , buf, len );
2768  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2769 #endif
2770 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2771 #if defined(POLARSSL_SHA256_C)
2772  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2773 #endif
2774 #if defined(POLARSSL_SHA512_C)
2775  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2776 #endif
2777 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2778 }
2779 
2780 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2781  defined(POLARSSL_SSL_PROTO_TLS1_1)
2782 static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2783  const unsigned char *buf, size_t len )
2784 {
2785  md5_update( &ssl->handshake->fin_md5 , buf, len );
2786  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2787 }
2788 #endif
2789 
2790 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2791 #if defined(POLARSSL_SHA256_C)
2792 static void ssl_update_checksum_sha256( ssl_context *ssl,
2793  const unsigned char *buf, size_t len )
2794 {
2795  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2796 }
2797 #endif
2798 
2799 #if defined(POLARSSL_SHA512_C)
2800 static void ssl_update_checksum_sha384( ssl_context *ssl,
2801  const unsigned char *buf, size_t len )
2802 {
2803  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2804 }
2805 #endif
2806 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2807 
2808 #if defined(POLARSSL_SSL_PROTO_SSL3)
2809 static void ssl_calc_finished_ssl(
2810  ssl_context *ssl, unsigned char *buf, int from )
2811 {
2812  const char *sender;
2813  md5_context md5;
2815 
2816  unsigned char padbuf[48];
2817  unsigned char md5sum[16];
2818  unsigned char sha1sum[20];
2819 
2820  ssl_session *session = ssl->session_negotiate;
2821  if( !session )
2822  session = ssl->session;
2823 
2824  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2825 
2826  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2827  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2828 
2829  /*
2830  * SSLv3:
2831  * hash =
2832  * MD5( master + pad2 +
2833  * MD5( handshake + sender + master + pad1 ) )
2834  * + SHA1( master + pad2 +
2835  * SHA1( handshake + sender + master + pad1 ) )
2836  */
2837 
2838 #if !defined(POLARSSL_MD5_ALT)
2839  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2840  md5.state, sizeof( md5.state ) );
2841 #endif
2842 
2843 #if !defined(POLARSSL_SHA1_ALT)
2844  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2845  sha1.state, sizeof( sha1.state ) );
2846 #endif
2847 
2848  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2849  : "SRVR";
2850 
2851  memset( padbuf, 0x36, 48 );
2852 
2853  md5_update( &md5, (const unsigned char *) sender, 4 );
2854  md5_update( &md5, session->master, 48 );
2855  md5_update( &md5, padbuf, 48 );
2856  md5_finish( &md5, md5sum );
2857 
2858  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2859  sha1_update( &sha1, session->master, 48 );
2860  sha1_update( &sha1, padbuf, 40 );
2861  sha1_finish( &sha1, sha1sum );
2862 
2863  memset( padbuf, 0x5C, 48 );
2864 
2865  md5_starts( &md5 );
2866  md5_update( &md5, session->master, 48 );
2867  md5_update( &md5, padbuf, 48 );
2868  md5_update( &md5, md5sum, 16 );
2869  md5_finish( &md5, buf );
2870 
2871  sha1_starts( &sha1 );
2872  sha1_update( &sha1, session->master, 48 );
2873  sha1_update( &sha1, padbuf , 40 );
2874  sha1_update( &sha1, sha1sum, 20 );
2875  sha1_finish( &sha1, buf + 16 );
2876 
2877  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2878 
2879  memset( &md5, 0, sizeof( md5_context ) );
2880  memset( &sha1, 0, sizeof( sha1_context ) );
2881 
2882  memset( padbuf, 0, sizeof( padbuf ) );
2883  memset( md5sum, 0, sizeof( md5sum ) );
2884  memset( sha1sum, 0, sizeof( sha1sum ) );
2885 
2886  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2887 }
2888 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2889 
2890 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
2891 static void ssl_calc_finished_tls(
2892  ssl_context *ssl, unsigned char *buf, int from )
2893 {
2894  int len = 12;
2895  const char *sender;
2896  md5_context md5;
2898  unsigned char padbuf[36];
2899 
2900  ssl_session *session = ssl->session_negotiate;
2901  if( !session )
2902  session = ssl->session;
2903 
2904  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2905 
2906  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2907  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2908 
2909  /*
2910  * TLSv1:
2911  * hash = PRF( master, finished_label,
2912  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2913  */
2914 
2915 #if !defined(POLARSSL_MD5_ALT)
2916  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2917  md5.state, sizeof( md5.state ) );
2918 #endif
2919 
2920 #if !defined(POLARSSL_SHA1_ALT)
2921  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2922  sha1.state, sizeof( sha1.state ) );
2923 #endif
2924 
2925  sender = ( from == SSL_IS_CLIENT )
2926  ? "client finished"
2927  : "server finished";
2928 
2929  md5_finish( &md5, padbuf );
2930  sha1_finish( &sha1, padbuf + 16 );
2931 
2932  ssl->handshake->tls_prf( session->master, 48, sender,
2933  padbuf, 36, buf, len );
2934 
2935  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2936 
2937  memset( &md5, 0, sizeof( md5_context ) );
2938  memset( &sha1, 0, sizeof( sha1_context ) );
2939 
2940  memset( padbuf, 0, sizeof( padbuf ) );
2941 
2942  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2943 }
2944 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
2945 
2946 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2947 #if defined(POLARSSL_SHA256_C)
2948 static void ssl_calc_finished_tls_sha256(
2949  ssl_context *ssl, unsigned char *buf, int from )
2950 {
2951  int len = 12;
2952  const char *sender;
2954  unsigned char padbuf[32];
2955 
2956  ssl_session *session = ssl->session_negotiate;
2957  if( !session )
2958  session = ssl->session;
2959 
2960  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2961 
2962  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
2963 
2964  /*
2965  * TLSv1.2:
2966  * hash = PRF( master, finished_label,
2967  * Hash( handshake ) )[0.11]
2968  */
2969 
2970 #if !defined(POLARSSL_SHA256_ALT)
2971  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2972  sha256.state, sizeof( sha256.state ) );
2973 #endif
2974 
2975  sender = ( from == SSL_IS_CLIENT )
2976  ? "client finished"
2977  : "server finished";
2978 
2979  sha256_finish( &sha256, padbuf );
2980 
2981  ssl->handshake->tls_prf( session->master, 48, sender,
2982  padbuf, 32, buf, len );
2983 
2984  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2985 
2986  memset( &sha256, 0, sizeof( sha256_context ) );
2987 
2988  memset( padbuf, 0, sizeof( padbuf ) );
2989 
2990  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2991 }
2992 #endif /* POLARSSL_SHA256_C */
2993 
2994 #if defined(POLARSSL_SHA512_C)
2995 static void ssl_calc_finished_tls_sha384(
2996  ssl_context *ssl, unsigned char *buf, int from )
2997 {
2998  int len = 12;
2999  const char *sender;
3001  unsigned char padbuf[48];
3002 
3003  ssl_session *session = ssl->session_negotiate;
3004  if( !session )
3005  session = ssl->session;
3006 
3007  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
3008 
3009  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
3010 
3011  /*
3012  * TLSv1.2:
3013  * hash = PRF( master, finished_label,
3014  * Hash( handshake ) )[0.11]
3015  */
3016 
3017 #if !defined(POLARSSL_SHA512_ALT)
3018  SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3019  sha512.state, sizeof( sha512.state ) );
3020 #endif
3021 
3022  sender = ( from == SSL_IS_CLIENT )
3023  ? "client finished"
3024  : "server finished";
3025 
3026  sha512_finish( &sha512, padbuf );
3027 
3028  ssl->handshake->tls_prf( session->master, 48, sender,
3029  padbuf, 48, buf, len );
3030 
3031  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3032 
3033  memset( &sha512, 0, sizeof( sha512_context ) );
3034 
3035  memset( padbuf, 0, sizeof( padbuf ) );
3036 
3037  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3038 }
3039 #endif /* POLARSSL_SHA512_C */
3040 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3041 
3042 void ssl_handshake_wrapup( ssl_context *ssl )
3043 {
3044  int resume = ssl->handshake->resume;
3045 
3046  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3047 
3048  /*
3049  * Free our handshake params
3050  */
3051  ssl_handshake_free( ssl->handshake );
3052  polarssl_free( ssl->handshake );
3053  ssl->handshake = NULL;
3054 
3055  if( ssl->renegotiation == SSL_RENEGOTIATION )
3057 
3058  /*
3059  * Switch in our now active transform context
3060  */
3061  if( ssl->transform )
3062  {
3063  ssl_transform_free( ssl->transform );
3064  polarssl_free( ssl->transform );
3065  }
3066  ssl->transform = ssl->transform_negotiate;
3067  ssl->transform_negotiate = NULL;
3068 
3069  if( ssl->session )
3070  {
3071  ssl_session_free( ssl->session );
3072  polarssl_free( ssl->session );
3073  }
3074  ssl->session = ssl->session_negotiate;
3075  ssl->session_negotiate = NULL;
3076 
3077  /*
3078  * Add cache entry
3079  */
3080  if( ssl->f_set_cache != NULL &&
3081  ssl->session->length != 0 &&
3082  resume == 0 )
3083  {
3084  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3085  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
3086  }
3087 
3088  ssl->state++;
3089 
3090  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3091 }
3092 
3093 int ssl_write_finished( ssl_context *ssl )
3094 {
3095  int ret, hash_len;
3096 
3097  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3098 
3099  /*
3100  * Set the out_msg pointer to the correct location based on IV length
3101  */
3102  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3103  {
3104  ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3106  }
3107  else
3108  ssl->out_msg = ssl->out_iv;
3109 
3110  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
3111 
3112  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3113  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3114 
3115  ssl->verify_data_len = hash_len;
3116  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
3117 
3118  ssl->out_msglen = 4 + hash_len;
3120  ssl->out_msg[0] = SSL_HS_FINISHED;
3121 
3122  /*
3123  * In case of session resuming, invert the client and server
3124  * ChangeCipherSpec messages order.
3125  */
3126  if( ssl->handshake->resume != 0 )
3127  {
3128  if( ssl->endpoint == SSL_IS_CLIENT )
3129  ssl->state = SSL_HANDSHAKE_WRAPUP;
3130  else
3132  }
3133  else
3134  ssl->state++;
3135 
3136  /*
3137  * Switch to our negotiated transform and session parameters for outbound data.
3138  */
3139  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3140  ssl->transform_out = ssl->transform_negotiate;
3141  ssl->session_out = ssl->session_negotiate;
3142  memset( ssl->out_ctr, 0, 8 );
3143 
3144 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3145  if( ssl_hw_record_activate != NULL)
3146  {
3147  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3148  {
3149  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3151  }
3152  }
3153 #endif
3154 
3155  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3156  {
3157  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3158  return( ret );
3159  }
3160 
3161  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3162 
3163  return( 0 );
3164 }
3165 
3166 int ssl_parse_finished( ssl_context *ssl )
3167 {
3168  int ret;
3169  unsigned int hash_len;
3170  unsigned char buf[36];
3171 
3172  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3173 
3174  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
3175 
3176  /*
3177  * Switch to our negotiated transform and session parameters for inbound data.
3178  */
3179  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3180  ssl->transform_in = ssl->transform_negotiate;
3181  ssl->session_in = ssl->session_negotiate;
3182  memset( ssl->in_ctr, 0, 8 );
3183 
3184  /*
3185  * Set the in_msg pointer to the correct location based on IV length
3186  */
3187  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3188  {
3189  ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3191  }
3192  else
3193  ssl->in_msg = ssl->in_iv;
3194 
3195 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3196  if( ssl_hw_record_activate != NULL)
3197  {
3198  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3199  {
3200  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3202  }
3203  }
3204 #endif
3205 
3206  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3207  {
3208  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3209  return( ret );
3210  }
3211 
3212  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3213  {
3214  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3216  }
3217 
3218  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3219  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3220 
3221  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3222  ssl->in_hslen != 4 + hash_len )
3223  {
3224  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3226  }
3227 
3228  if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
3229  {
3230  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3232  }
3233 
3234  ssl->verify_data_len = hash_len;
3235  memcpy( ssl->peer_verify_data, buf, hash_len );
3236 
3237  if( ssl->handshake->resume != 0 )
3238  {
3239  if( ssl->endpoint == SSL_IS_CLIENT )
3241 
3242  if( ssl->endpoint == SSL_IS_SERVER )
3243  ssl->state = SSL_HANDSHAKE_WRAPUP;
3244  }
3245  else
3246  ssl->state++;
3247 
3248  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3249 
3250  return( 0 );
3251 }
3252 
3253 static int ssl_handshake_init( ssl_context *ssl )
3254 {
3255  if( ssl->transform_negotiate )
3257  else
3258  {
3259  ssl->transform_negotiate =
3261  }
3262 
3263  if( ssl->session_negotiate )
3265  else
3266  {
3267  ssl->session_negotiate =
3268  (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
3269  }
3270 
3271  if( ssl->handshake )
3272  ssl_handshake_free( ssl->handshake );
3273  else
3274  {
3275  ssl->handshake = (ssl_handshake_params *)
3277  }
3278 
3279  if( ssl->handshake == NULL ||
3280  ssl->transform_negotiate == NULL ||
3281  ssl->session_negotiate == NULL )
3282  {
3283  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3285  }
3286 
3287  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
3288  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
3289  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
3290 
3291 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3292  defined(POLARSSL_SSL_PROTO_TLS1_1)
3293  md5_starts( &ssl->handshake->fin_md5 );
3294  sha1_starts( &ssl->handshake->fin_sha1 );
3295 #endif
3296 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3297 #if defined(POLARSSL_SHA256_C)
3298  sha256_starts( &ssl->handshake->fin_sha256, 0 );
3299 #endif
3300 #if defined(POLARSSL_SHA512_C)
3301  sha512_starts( &ssl->handshake->fin_sha512, 1 );
3302 #endif
3303 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3304 
3305  ssl->handshake->update_checksum = ssl_update_checksum_start;
3307 
3308 #if defined(POLARSSL_ECDH_C)
3309  ecdh_init( &ssl->handshake->ecdh_ctx );
3310 #endif
3311 
3312 #if defined(POLARSSL_X509_CRT_PARSE_C)
3313  ssl->handshake->key_cert = ssl->key_cert;
3314 #endif
3315 
3316  return( 0 );
3317 }
3318 
3319 /*
3320  * Initialize an SSL context
3321  */
3322 int ssl_init( ssl_context *ssl )
3323 {
3324  int ret;
3325  int len = SSL_BUFFER_LEN;
3326 
3327  memset( ssl, 0, sizeof( ssl_context ) );
3328 
3329  /*
3330  * Sane defaults
3331  */
3336 
3338 
3339 #if defined(POLARSSL_DHM_C)
3340  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3342  ( ret = mpi_read_string( &ssl->dhm_G, 16,
3344  {
3345  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3346  return( ret );
3347  }
3348 #endif
3349 
3350  /*
3351  * Prepare base structures
3352  */
3353  ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
3354  ssl->in_hdr = ssl->in_ctr + 8;
3355  ssl->in_iv = ssl->in_ctr + 13;
3356  ssl->in_msg = ssl->in_ctr + 13;
3357 
3358  if( ssl->in_ctr == NULL )
3359  {
3360  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3362  }
3363 
3364  ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
3365  ssl->out_hdr = ssl->out_ctr + 8;
3366  ssl->out_iv = ssl->out_ctr + 13;
3367  ssl->out_msg = ssl->out_ctr + 13;
3368 
3369  if( ssl->out_ctr == NULL )
3370  {
3371  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3372  polarssl_free( ssl-> in_ctr );
3374  }
3375 
3376  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3377  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3378 
3379 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3381 #endif
3382 
3383  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3384  return( ret );
3385 
3386  return( 0 );
3387 }
3388 
3389 /*
3390  * Reset an initialized and used SSL context for re-use while retaining
3391  * all application-set variables, function pointers and data.
3392  */
3393 int ssl_session_reset( ssl_context *ssl )
3394 {
3395  int ret;
3396 
3397  ssl->state = SSL_HELLO_REQUEST;
3400 
3401  ssl->verify_data_len = 0;
3402  memset( ssl->own_verify_data, 0, 36 );
3403  memset( ssl->peer_verify_data, 0, 36 );
3404 
3405  ssl->in_offt = NULL;
3406 
3407  ssl->in_msg = ssl->in_ctr + 13;
3408  ssl->in_msgtype = 0;
3409  ssl->in_msglen = 0;
3410  ssl->in_left = 0;
3411 
3412  ssl->in_hslen = 0;
3413  ssl->nb_zero = 0;
3414  ssl->record_read = 0;
3415 
3416  ssl->out_msg = ssl->out_ctr + 13;
3417  ssl->out_msgtype = 0;
3418  ssl->out_msglen = 0;
3419  ssl->out_left = 0;
3420 
3421  ssl->transform_in = NULL;
3422  ssl->transform_out = NULL;
3423 
3424  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3425  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3426 
3427 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3428  if( ssl_hw_record_reset != NULL)
3429  {
3430  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3431  if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
3432  {
3433  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3435  }
3436  }
3437 #endif
3438 
3439  if( ssl->transform )
3440  {
3441  ssl_transform_free( ssl->transform );
3442  polarssl_free( ssl->transform );
3443  ssl->transform = NULL;
3444  }
3445 
3446  if( ssl->session )
3447  {
3448  ssl_session_free( ssl->session );
3449  polarssl_free( ssl->session );
3450  ssl->session = NULL;
3451  }
3452 
3453  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3454  return( ret );
3455 
3456  return( 0 );
3457 }
3458 
3459 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3460 /*
3461  * Allocate and initialize ticket keys
3462  */
3463 static int ssl_ticket_keys_init( ssl_context *ssl )
3464 {
3465  int ret;
3466  ssl_ticket_keys *tkeys;
3467  unsigned char buf[16];
3468 
3469  if( ssl->ticket_keys != NULL )
3470  return( 0 );
3471 
3472  tkeys = (ssl_ticket_keys *) polarssl_malloc( sizeof(ssl_ticket_keys) );
3473  if( tkeys == NULL )
3475 
3476  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
3477  {
3478  polarssl_free( tkeys );
3479  return( ret );
3480  }
3481 
3482  if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3483  ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3484  ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3485  {
3486  polarssl_free( tkeys );
3487  return( ret );
3488  }
3489 
3490  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
3491  {
3492  polarssl_free( tkeys );
3493  return( ret );
3494  }
3495 
3496  ssl->ticket_keys = tkeys;
3497 
3498  return( 0 );
3499 }
3500 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3501 
3502 /*
3503  * SSL set accessors
3504  */
3505 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3506 {
3507  ssl->endpoint = endpoint;
3508 
3509 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3510  if( endpoint == SSL_IS_CLIENT )
3512 #endif
3513 }
3514 
3515 void ssl_set_authmode( ssl_context *ssl, int authmode )
3516 {
3517  ssl->authmode = authmode;
3518 }
3519 
3520 #if defined(POLARSSL_X509_CRT_PARSE_C)
3521 void ssl_set_verify( ssl_context *ssl,
3522  int (*f_vrfy)(void *, x509_crt *, int, int *),
3523  void *p_vrfy )
3524 {
3525  ssl->f_vrfy = f_vrfy;
3526  ssl->p_vrfy = p_vrfy;
3527 }
3528 #endif /* POLARSSL_X509_CRT_PARSE_C */
3529 
3530 void ssl_set_rng( ssl_context *ssl,
3531  int (*f_rng)(void *, unsigned char *, size_t),
3532  void *p_rng )
3533 {
3534  ssl->f_rng = f_rng;
3535  ssl->p_rng = p_rng;
3536 }
3537 
3538 void ssl_set_dbg( ssl_context *ssl,
3539  void (*f_dbg)(void *, int, const char *),
3540  void *p_dbg )
3541 {
3542  ssl->f_dbg = f_dbg;
3543  ssl->p_dbg = p_dbg;
3544 }
3545 
3546 void ssl_set_bio( ssl_context *ssl,
3547  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3548  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3549 {
3550  ssl->f_recv = f_recv;
3551  ssl->f_send = f_send;
3552  ssl->p_recv = p_recv;
3553  ssl->p_send = p_send;
3554 }
3555 
3557  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3558  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3559 {
3560  ssl->f_get_cache = f_get_cache;
3561  ssl->p_get_cache = p_get_cache;
3562  ssl->f_set_cache = f_set_cache;
3563  ssl->p_set_cache = p_set_cache;
3564 }
3565 
3566 int ssl_set_session( ssl_context *ssl, const ssl_session *session )
3567 {
3568  int ret;
3569 
3570  if( ssl == NULL ||
3571  session == NULL ||
3572  ssl->session_negotiate == NULL ||
3573  ssl->endpoint != SSL_IS_CLIENT )
3574  {
3576  }
3577 
3578  if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3579  return( ret );
3580 
3581  ssl->handshake->resume = 1;
3582 
3583  return( 0 );
3584 }
3585 
3586 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3587 {
3588  ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3589  ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3590  ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3591  ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3592 }
3593 
3594 void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
3595  int major, int minor )
3596 {
3597  if( major != SSL_MAJOR_VERSION_3 )
3598  return;
3599 
3600  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3601  return;
3602 
3603  ssl->ciphersuite_list[minor] = ciphersuites;
3604 }
3605 
3606 #if defined(POLARSSL_X509_CRT_PARSE_C)
3607 /* Add a new (empty) key_cert entry an return a pointer to it */
3608 static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3609 {
3610  ssl_key_cert *key_cert, *last;
3611 
3612  key_cert = (ssl_key_cert *) polarssl_malloc( sizeof(ssl_key_cert) );
3613  if( key_cert == NULL )
3614  return( NULL );
3615 
3616  memset( key_cert, 0, sizeof( ssl_key_cert ) );
3617 
3618  /* Append the new key_cert to the (possibly empty) current list */
3619  if( ssl->key_cert == NULL )
3620  {
3621  ssl->key_cert = key_cert;
3622  if( ssl->handshake != NULL )
3623  ssl->handshake->key_cert = key_cert;
3624  }
3625  else
3626  {
3627  last = ssl->key_cert;
3628  while( last->next != NULL )
3629  last = last->next;
3630  last->next = key_cert;
3631  }
3632 
3633  return key_cert;
3634 }
3635 
3636 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
3637  x509_crl *ca_crl, const char *peer_cn )
3638 {
3639  ssl->ca_chain = ca_chain;
3640  ssl->ca_crl = ca_crl;
3641  ssl->peer_cn = peer_cn;
3642 }
3643 
3644 int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
3645  pk_context *pk_key )
3646 {
3647  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3648 
3649  if( key_cert == NULL )
3651 
3652  key_cert->cert = own_cert;
3653  key_cert->key = pk_key;
3654 
3655  return( 0 );
3656 }
3657 
3658 #if defined(POLARSSL_RSA_C)
3659 int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
3660  rsa_context *rsa_key )
3661 {
3662  int ret;
3663  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3664 
3665  if( key_cert == NULL )
3667 
3668  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3669  if( key_cert->key == NULL )
3671 
3672  pk_init( key_cert->key );
3673 
3674  ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
3675  if( ret != 0 )
3676  return( ret );
3677 
3678  if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
3679  return( ret );
3680 
3681  key_cert->cert = own_cert;
3682  key_cert->key_own_alloc = 1;
3683 
3684  return( 0 );
3685 }
3686 #endif /* POLARSSL_RSA_C */
3687 
3688 int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
3689  void *rsa_key,
3690  rsa_decrypt_func rsa_decrypt,
3691  rsa_sign_func rsa_sign,
3692  rsa_key_len_func rsa_key_len )
3693 {
3694  int ret;
3695  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3696 
3697  if( key_cert == NULL )
3699 
3700  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3701  if( key_cert->key == NULL )
3703 
3704  pk_init( key_cert->key );
3705 
3706  if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
3707  rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
3708  return( ret );
3709 
3710  key_cert->cert = own_cert;
3711  key_cert->key_own_alloc = 1;
3712 
3713  return( 0 );
3714 }
3715 #endif /* POLARSSL_X509_CRT_PARSE_C */
3716 
3717 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
3718 int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3719  const unsigned char *psk_identity, size_t psk_identity_len )
3720 {
3721  if( psk == NULL || psk_identity == NULL )
3723 
3724  if( ssl->psk != NULL )
3725  {
3726  polarssl_free( ssl->psk );
3727  polarssl_free( ssl->psk_identity );
3728  }
3729 
3730  ssl->psk_len = psk_len;
3731  ssl->psk_identity_len = psk_identity_len;
3732 
3733  ssl->psk = (unsigned char *) polarssl_malloc( ssl->psk_len );
3734  ssl->psk_identity = (unsigned char *) polarssl_malloc( ssl->psk_identity_len );
3735 
3736  if( ssl->psk == NULL || ssl->psk_identity == NULL )
3738 
3739  memcpy( ssl->psk, psk, ssl->psk_len );
3740  memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
3741 
3742  return( 0 );
3743 }
3744 
3745 void ssl_set_psk_cb( ssl_context *ssl,
3746  int (*f_psk)(void *, ssl_context *, const unsigned char *,
3747  size_t),
3748  void *p_psk )
3749 {
3750  ssl->f_psk = f_psk;
3751  ssl->p_psk = p_psk;
3752 }
3753 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
3754 
3755 #if defined(POLARSSL_DHM_C)
3756 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3757 {
3758  int ret;
3759 
3760  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3761  {
3762  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3763  return( ret );
3764  }
3765 
3766  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3767  {
3768  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3769  return( ret );
3770  }
3771 
3772  return( 0 );
3773 }
3774 
3775 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3776 {
3777  int ret;
3778 
3779  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3780  {
3781  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3782  return( ret );
3783  }
3784 
3785  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3786  {
3787  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3788  return( ret );
3789  }
3790 
3791  return( 0 );
3792 }
3793 #endif /* POLARSSL_DHM_C */
3794 
3795 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
3796 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3797 {
3798  if( hostname == NULL )
3800 
3801  ssl->hostname_len = strlen( hostname );
3802 
3803  if( ssl->hostname_len + 1 == 0 )
3805 
3806  ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
3807 
3808  if( ssl->hostname == NULL )
3810 
3811  memcpy( ssl->hostname, (const unsigned char *) hostname,
3812  ssl->hostname_len );
3813 
3814  ssl->hostname[ssl->hostname_len] = '\0';
3815 
3816  return( 0 );
3817 }
3818 
3819 void ssl_set_sni( ssl_context *ssl,
3820  int (*f_sni)(void *, ssl_context *,
3821  const unsigned char *, size_t),
3822  void *p_sni )
3823 {
3824  ssl->f_sni = f_sni;
3825  ssl->p_sni = p_sni;
3826 }
3827 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
3828 
3829 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3830 {
3831  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3832  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3833  {
3834  ssl->max_major_ver = major;
3835  ssl->max_minor_ver = minor;
3836  }
3837 }
3838 
3839 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3840 {
3841  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3842  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3843  {
3844  ssl->min_major_ver = major;
3845  ssl->min_minor_ver = minor;
3846  }
3847 }
3848 
3849 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
3850 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
3851 {
3852  if( mfl_code >= SSL_MAX_FRAG_LEN_INVALID ||
3853  mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
3854  {
3856  }
3857 
3858  ssl->mfl_code = mfl_code;
3859 
3860  return( 0 );
3861 }
3862 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
3863 
3864 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
3865 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
3866 {
3867  if( ssl->endpoint != SSL_IS_CLIENT )
3869 
3870  ssl->trunc_hmac = truncate;
3871 
3872  return( 0 );
3873 }
3874 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
3875 
3876 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3877 {
3878  ssl->disable_renegotiation = renegotiation;
3879 }
3880 
3881 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3882 {
3883  ssl->allow_legacy_renegotiation = allow_legacy;
3884 }
3885 
3886 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3887 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
3888 {
3889  ssl->session_tickets = use_tickets;
3890 
3891  if( ssl->endpoint == SSL_IS_CLIENT )
3892  return( 0 );
3893 
3894  if( ssl->f_rng == NULL )
3896 
3897  return( ssl_ticket_keys_init( ssl ) );
3898 }
3899 
3900 void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
3901 {
3902  ssl->ticket_lifetime = lifetime;
3903 }
3904 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3905 
3906 /*
3907  * SSL get accessors
3908  */
3909 size_t ssl_get_bytes_avail( const ssl_context *ssl )
3910 {
3911  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3912 }
3913 
3914 int ssl_get_verify_result( const ssl_context *ssl )
3915 {
3916  return( ssl->session->verify_result );
3917 }
3918 
3919 const char *ssl_get_ciphersuite( const ssl_context *ssl )
3920 {
3921  if( ssl == NULL || ssl->session == NULL )
3922  return NULL;
3923 
3925 }
3926 
3927 const char *ssl_get_version( const ssl_context *ssl )
3928 {
3929  switch( ssl->minor_ver )
3930  {
3931  case SSL_MINOR_VERSION_0:
3932  return( "SSLv3.0" );
3933 
3934  case SSL_MINOR_VERSION_1:
3935  return( "TLSv1.0" );
3936 
3937  case SSL_MINOR_VERSION_2:
3938  return( "TLSv1.1" );
3939 
3940  case SSL_MINOR_VERSION_3:
3941  return( "TLSv1.2" );
3942 
3943  default:
3944  break;
3945  }
3946  return( "unknown" );
3947 }
3948 
3949 #if defined(POLARSSL_X509_CRT_PARSE_C)
3950 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
3951 {
3952  if( ssl == NULL || ssl->session == NULL )
3953  return NULL;
3954 
3955  return ssl->session->peer_cert;
3956 }
3957 #endif /* POLARSSL_X509_CRT_PARSE_C */
3958 
3959 int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
3960 {
3961  if( ssl == NULL ||
3962  dst == NULL ||
3963  ssl->session == NULL ||
3964  ssl->endpoint != SSL_IS_CLIENT )
3965  {
3967  }
3968 
3969  return( ssl_session_copy( dst, ssl->session ) );
3970 }
3971 
3972 /*
3973  * Perform a single step of the SSL handshake
3974  */
3975 int ssl_handshake_step( ssl_context *ssl )
3976 {
3978 
3979 #if defined(POLARSSL_SSL_CLI_C)
3980  if( ssl->endpoint == SSL_IS_CLIENT )
3981  ret = ssl_handshake_client_step( ssl );
3982 #endif
3983 
3984 #if defined(POLARSSL_SSL_SRV_C)
3985  if( ssl->endpoint == SSL_IS_SERVER )
3986  ret = ssl_handshake_server_step( ssl );
3987 #endif
3988 
3989  return( ret );
3990 }
3991 
3992 /*
3993  * Perform the SSL handshake
3994  */
3995 int ssl_handshake( ssl_context *ssl )
3996 {
3997  int ret = 0;
3998 
3999  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
4000 
4001  while( ssl->state != SSL_HANDSHAKE_OVER )
4002  {
4003  ret = ssl_handshake_step( ssl );
4004 
4005  if( ret != 0 )
4006  break;
4007  }
4008 
4009  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
4010 
4011  return( ret );
4012 }
4013 
4014 #if defined(POLARSSL_SSL_SRV_C)
4015 /*
4016  * Write HelloRequest to request renegotiation on server
4017  */
4018 static int ssl_write_hello_request( ssl_context *ssl )
4019 {
4020  int ret;
4021 
4022  SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
4023 
4024  ssl->out_msglen = 4;
4026  ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
4027 
4028  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4029  {
4030  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4031  return( ret );
4032  }
4033 
4035 
4036  SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4037 
4038  return( 0 );
4039 }
4040 #endif /* POLARSSL_SSL_SRV_C */
4041 
4042 /*
4043  * Actually renegotiate current connection, triggered by either:
4044  * - calling ssl_renegotiate() on client,
4045  * - receiving a HelloRequest on client during ssl_read(),
4046  * - receiving any handshake message on server during ssl_read() after the
4047  * initial handshake is completed
4048  * If the handshake doesn't complete due to waiting for I/O, it will continue
4049  * during the next calls to ssl_renegotiate() or ssl_read() respectively.
4050  */
4051 static int ssl_start_renegotiation( ssl_context *ssl )
4052 {
4053  int ret;
4054 
4055  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4056 
4057  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4058  return( ret );
4059 
4060  ssl->state = SSL_HELLO_REQUEST;
4062 
4063  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4064  {
4065  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4066  return( ret );
4067  }
4068 
4069  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4070 
4071  return( 0 );
4072 }
4073 
4074 /*
4075  * Renegotiate current connection on client,
4076  * or request renegotiation on server
4077  */
4078 int ssl_renegotiate( ssl_context *ssl )
4079 {
4081 
4082 #if defined(POLARSSL_SSL_SRV_C)
4083  /* On server, just send the request */
4084  if( ssl->endpoint == SSL_IS_SERVER )
4085  {
4086  if( ssl->state != SSL_HANDSHAKE_OVER )
4088 
4089  return( ssl_write_hello_request( ssl ) );
4090  }
4091 #endif /* POLARSSL_SSL_SRV_C */
4092 
4093 #if defined(POLARSSL_SSL_CLI_C)
4094  /*
4095  * On client, either start the renegotiation process or,
4096  * if already in progress, continue the handshake
4097  */
4098  if( ssl->renegotiation != SSL_RENEGOTIATION )
4099  {
4100  if( ssl->state != SSL_HANDSHAKE_OVER )
4102 
4103  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4104  {
4105  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4106  return( ret );
4107  }
4108  }
4109  else
4110  {
4111  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4112  {
4113  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4114  return( ret );
4115  }
4116  }
4117 #endif /* POLARSSL_SSL_CLI_C */
4118 
4119  return( ret );
4120 }
4121 
4122 /*
4123  * Receive application data decrypted from the SSL layer
4124  */
4125 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
4126 {
4127  int ret;
4128  size_t n;
4129 
4130  SSL_DEBUG_MSG( 2, ( "=> read" ) );
4131 
4132  if( ssl->state != SSL_HANDSHAKE_OVER )
4133  {
4134  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4135  {
4136  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4137  return( ret );
4138  }
4139  }
4140 
4141  if( ssl->in_offt == NULL )
4142  {
4143  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4144  {
4145  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4146  return( 0 );
4147 
4148  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4149  return( ret );
4150  }
4151 
4152  if( ssl->in_msglen == 0 &&
4154  {
4155  /*
4156  * OpenSSL sends empty messages to randomize the IV
4157  */
4158  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4159  {
4160  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4161  return( 0 );
4162 
4163  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4164  return( ret );
4165  }
4166  }
4167 
4168  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4169  {
4170  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4171 
4172  if( ssl->endpoint == SSL_IS_CLIENT &&
4173  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4174  ssl->in_hslen != 4 ) )
4175  {
4176  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4178  }
4179 
4183  {
4184  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4185 
4186 #if defined(POLARSSL_SSL_PROTO_SSL3)
4187  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
4188  {
4189  /*
4190  * SSLv3 does not have a "no_renegotiation" alert
4191  */
4192  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4193  return( ret );
4194  }
4195  else
4196 #endif
4197 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4198  defined(POLARSSL_SSL_PROTO_TLS1_2)
4199  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
4200  {
4201  if( ( ret = ssl_send_alert_message( ssl,
4204  {
4205  return( ret );
4206  }
4207  }
4208  else
4209 #endif
4210  {
4211  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4213  }
4214  }
4215  else
4216  {
4217  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4218  {
4219  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4220  return( ret );
4221  }
4222 
4223  return( POLARSSL_ERR_NET_WANT_READ );
4224  }
4225  }
4226  else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4227  {
4228  SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4229  "but not honored by client" ) );
4231  }
4232  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
4233  {
4234  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
4236  }
4237 
4238  ssl->in_offt = ssl->in_msg;
4239  }
4240 
4241  n = ( len < ssl->in_msglen )
4242  ? len : ssl->in_msglen;
4243 
4244  memcpy( buf, ssl->in_offt, n );
4245  ssl->in_msglen -= n;
4246 
4247  if( ssl->in_msglen == 0 )
4248  /* all bytes consumed */
4249  ssl->in_offt = NULL;
4250  else
4251  /* more data available */
4252  ssl->in_offt += n;
4253 
4254  SSL_DEBUG_MSG( 2, ( "<= read" ) );
4255 
4256  return( (int) n );
4257 }
4258 
4259 /*
4260  * Send application data to be encrypted by the SSL layer
4261  */
4262 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4263 {
4264  int ret;
4265  size_t n;
4266  unsigned int max_len = SSL_MAX_CONTENT_LEN;
4267 
4268  SSL_DEBUG_MSG( 2, ( "=> write" ) );
4269 
4270  if( ssl->state != SSL_HANDSHAKE_OVER )
4271  {
4272  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4273  {
4274  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4275  return( ret );
4276  }
4277  }
4278 
4279 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4280  /*
4281  * Assume mfl_code is correct since it was checked when set
4282  */
4283  max_len = mfl_code_to_length[ssl->mfl_code];
4284 
4285  /*
4286  * Check if a smaller max length was negotiated
4287  */
4288  if( ssl->session_out != NULL &&
4289  mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4290  {
4291  max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4292  }
4293 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4294 
4295  n = ( len < max_len) ? len : max_len;
4296 
4297  if( ssl->out_left != 0 )
4298  {
4299  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4300  {
4301  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4302  return( ret );
4303  }
4304  }
4305  else
4306  {
4307  ssl->out_msglen = n;
4309  memcpy( ssl->out_msg, buf, n );
4310 
4311  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4312  {
4313  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4314  return( ret );
4315  }
4316  }
4317 
4318  SSL_DEBUG_MSG( 2, ( "<= write" ) );
4319 
4320  return( (int) n );
4321 }
4322 
4323 /*
4324  * Notify the peer that the connection is being closed
4325  */
4326 int ssl_close_notify( ssl_context *ssl )
4327 {
4328  int ret;
4329 
4330  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4331 
4332  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4333  {
4334  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4335  return( ret );
4336  }
4337 
4338  if( ssl->state == SSL_HANDSHAKE_OVER )
4339  {
4340  if( ( ret = ssl_send_alert_message( ssl,
4342  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4343  {
4344  return( ret );
4345  }
4346  }
4347 
4348  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4349 
4350  return( ret );
4351 }
4352 
4353 void ssl_transform_free( ssl_transform *transform )
4354 {
4355 #if defined(POLARSSL_ZLIB_SUPPORT)
4356  deflateEnd( &transform->ctx_deflate );
4357  inflateEnd( &transform->ctx_inflate );
4358 #endif
4359 
4360  cipher_free_ctx( &transform->cipher_ctx_enc );
4361  cipher_free_ctx( &transform->cipher_ctx_dec );
4362 
4363  md_free_ctx( &transform->md_ctx_enc );
4364  md_free_ctx( &transform->md_ctx_dec );
4365 
4366  memset( transform, 0, sizeof( ssl_transform ) );
4367 }
4368 
4369 #if defined(POLARSSL_X509_CRT_PARSE_C)
4370 static void ssl_key_cert_free( ssl_key_cert *key_cert )
4371 {
4372  ssl_key_cert *cur = key_cert, *next;
4373 
4374  while( cur != NULL )
4375  {
4376  next = cur->next;
4377 
4378  if( cur->key_own_alloc )
4379  {
4380  pk_free( cur->key );
4381  polarssl_free( cur->key );
4382  }
4383  polarssl_free( cur );
4384 
4385  cur = next;
4386  }
4387 }
4388 #endif /* POLARSSL_X509_CRT_PARSE_C */
4389 
4390 void ssl_handshake_free( ssl_handshake_params *handshake )
4391 {
4392 #if defined(POLARSSL_DHM_C)
4393  dhm_free( &handshake->dhm_ctx );
4394 #endif
4395 #if defined(POLARSSL_ECDH_C)
4396  ecdh_free( &handshake->ecdh_ctx );
4397 #endif
4398 
4399 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
4400  /* explicit void pointer cast for buggy MS compiler */
4401  polarssl_free( (void *) handshake->curves );
4402 #endif
4403 
4404 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
4405  defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4406  /*
4407  * Free only the linked list wrapper, not the keys themselves
4408  * since the belong to the SNI callback
4409  */
4410  if( handshake->sni_key_cert != NULL )
4411  {
4412  ssl_key_cert *cur = handshake->sni_key_cert, *next;
4413 
4414  while( cur != NULL )
4415  {
4416  next = cur->next;
4417  polarssl_free( cur );
4418  cur = next;
4419  }
4420  }
4421 #endif
4422 
4423  memset( handshake, 0, sizeof( ssl_handshake_params ) );
4424 }
4425 
4426 void ssl_session_free( ssl_session *session )
4427 {
4428 #if defined(POLARSSL_X509_CRT_PARSE_C)
4429  if( session->peer_cert != NULL )
4430  {
4431  x509_crt_free( session->peer_cert );
4432  polarssl_free( session->peer_cert );
4433  }
4434 #endif
4435 
4436 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4437  polarssl_free( session->ticket );
4438 #endif
4439 
4440  memset( session, 0, sizeof( ssl_session ) );
4441 }
4442 
4443 /*
4444  * Free an SSL context
4445  */
4446 void ssl_free( ssl_context *ssl )
4447 {
4448  SSL_DEBUG_MSG( 2, ( "=> free" ) );
4449 
4450  if( ssl->out_ctr != NULL )
4451  {
4452  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
4453  polarssl_free( ssl->out_ctr );
4454  }
4455 
4456  if( ssl->in_ctr != NULL )
4457  {
4458  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
4459  polarssl_free( ssl->in_ctr );
4460  }
4461 
4462 #if defined(POLARSSL_ZLIB_SUPPORT)
4463  if( ssl->compress_buf != NULL )
4464  {
4465  memset( ssl->compress_buf, 0, SSL_BUFFER_LEN );
4466  polarssl_free( ssl->compress_buf );
4467  }
4468 #endif
4469 
4470 #if defined(POLARSSL_DHM_C)
4471  mpi_free( &ssl->dhm_P );
4472  mpi_free( &ssl->dhm_G );
4473 #endif
4474 
4475  if( ssl->transform )
4476  {
4477  ssl_transform_free( ssl->transform );
4478  polarssl_free( ssl->transform );
4479  }
4480 
4481  if( ssl->handshake )
4482  {
4483  ssl_handshake_free( ssl->handshake );
4486 
4487  polarssl_free( ssl->handshake );
4490  }
4491 
4492  if( ssl->session )
4493  {
4494  ssl_session_free( ssl->session );
4495  polarssl_free( ssl->session );
4496  }
4497 
4498 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4499  polarssl_free( ssl->ticket_keys );
4500 #endif
4501 
4502 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4503  if ( ssl->hostname != NULL )
4504  {
4505  memset( ssl->hostname, 0, ssl->hostname_len );
4506  polarssl_free( ssl->hostname );
4507  ssl->hostname_len = 0;
4508  }
4509 #endif
4510 
4511 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
4512  if( ssl->psk != NULL )
4513  {
4514  memset( ssl->psk, 0, ssl->psk_len );
4515  memset( ssl->psk_identity, 0, ssl->psk_identity_len );
4516  polarssl_free( ssl->psk );
4517  polarssl_free( ssl->psk_identity );
4518  ssl->psk_len = 0;
4519  ssl->psk_identity_len = 0;
4520  }
4521 #endif
4522 
4523 #if defined(POLARSSL_X509_CRT_PARSE_C)
4524  ssl_key_cert_free( ssl->key_cert );
4525 #endif
4526 
4527 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4528  if( ssl_hw_record_finish != NULL )
4529  {
4530  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4531  ssl_hw_record_finish( ssl );
4532  }
4533 #endif
4534 
4535  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4536 
4537  /* Actually clear after last debug message */
4538  memset( ssl, 0, sizeof( ssl_context ) );
4539 }
4540 
4541 #if defined(POLARSSL_PK_C)
4542 /*
4543  * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
4544  */
4545 unsigned char ssl_sig_from_pk( pk_context *pk )
4546 {
4547 #if defined(POLARSSL_RSA_C)
4548  if( pk_can_do( pk, POLARSSL_PK_RSA ) )
4549  return( SSL_SIG_RSA );
4550 #endif
4551 #if defined(POLARSSL_ECDSA_C)
4552  if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
4553  return( SSL_SIG_ECDSA );
4554 #endif
4555  return( SSL_SIG_ANON );
4556 }
4557 
4558 pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
4559 {
4560  switch( sig )
4561  {
4562 #if defined(POLARSSL_RSA_C)
4563  case SSL_SIG_RSA:
4564  return( POLARSSL_PK_RSA );
4565 #endif
4566 #if defined(POLARSSL_ECDSA_C)
4567  case SSL_SIG_ECDSA:
4568  return( POLARSSL_PK_ECDSA );
4569 #endif
4570  default:
4571  return( POLARSSL_PK_NONE );
4572  }
4573 }
4574 #endif
4575 
4576 /*
4577  * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
4578  */
4579 md_type_t ssl_md_alg_from_hash( unsigned char hash )
4580 {
4581  switch( hash )
4582  {
4583 #if defined(POLARSSL_MD5_C)
4584  case SSL_HASH_MD5:
4585  return( POLARSSL_MD_MD5 );
4586 #endif
4587 #if defined(POLARSSL_SHA1_C)
4588  case SSL_HASH_SHA1:
4589  return( POLARSSL_MD_SHA1 );
4590 #endif
4591 #if defined(POLARSSL_SHA256_C)
4592  case SSL_HASH_SHA224:
4593  return( POLARSSL_MD_SHA224 );
4594  case SSL_HASH_SHA256:
4595  return( POLARSSL_MD_SHA256 );
4596 #endif
4597 #if defined(POLARSSL_SHA512_C)
4598  case SSL_HASH_SHA384:
4599  return( POLARSSL_MD_SHA384 );
4600  case SSL_HASH_SHA512:
4601  return( POLARSSL_MD_SHA512 );
4602 #endif
4603  default:
4604  return( POLARSSL_MD_NONE );
4605  }
4606 }
4607 
4608 #endif
const ecp_curve_info ** curves
Definition: ssl.h:511
unsigned char * hostname
Definition: ssl.h:751
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:287
ssl_session * session_in
Definition: ssl.h:644
#define SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:291
unsigned char mfl_code
Definition: ssl.h:693
size_t length
Definition: ssl.h:428
void * p_set_cache
Definition: ssl.h:623
md_context_t md_ctx_dec
Definition: ssl.h:479
int ciphersuite
Definition: ssl.h:426
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Processing of the ChangeCipherSpec handshake message failed.
Definition: ssl.h:124
mpi P
Definition: dhm.h:146
int trunc_hmac
Definition: ssl.h:725
size_t in_hslen
Definition: ssl.h:673
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
void(* f_dbg)(void *, int, const char *)
Definition: ssl.h:612
#define SSL_HS_FINISHED
Definition: ssl.h:327
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:611
uint32_t state[8]
Definition: sha256.h:57
const pk_info_t * pk_info_from_type(pk_type_t pk_type)
Return information associated with the given PK type.
#define POLARSSL_DHM_RFC5114_MODP_1024_P
Definition: dhm.h:94
sha256_context fin_sha256
Definition: ssl.h:536
size_t ivlen
Definition: ssl.h:465
int cipher_finish(cipher_context_t *ctx, unsigned char *output, size_t *olen)
Generic cipher finalisation function.
int record_read
Definition: ssl.h:675
Memory allocation layer.
int major_ver
Definition: ssl.h:600
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:41
int rsa_copy(rsa_context *dst, const rsa_context *src)
Copy the components of an RSA context.
SHA-1 context structure.
Definition: sha1.h:54
void *(* polarssl_malloc)(size_t len)
sha1_context fin_sha1
Definition: ssl.h:532
int compression
Definition: ssl.h:427
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:597
const char * peer_cn
Definition: ssl.h:704
unsigned char master[48]
Definition: ssl.h:430
void sha256_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
void sha256(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
char peer_verify_data[36]
Definition: ssl.h:762
int ssl_set_truncated_hmac(ssl_context *ssl, int truncate)
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED) ...
ssl_transform * transform_out
Definition: ssl.h:656
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:55
Debug functions.
#define POLARSSL_ERR_SSL_CONN_EOF
The connection indicated an EOF.
Definition: ssl.h:101
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:627
int nb_zero
Definition: ssl.h:674
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:544
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
DHM context structure.
Definition: dhm.h:143
void * p_psk
Definition: ssl.h:638
#define SSL_BUFFER_LEN
Definition: ssl.h:251
int cipher_write_tag(cipher_context_t *ctx, unsigned char *tag, size_t tag_len)
Write tag for AEAD ciphers.
#define SSL_IS_CLIENT
Definition: ssl.h:193
unsigned char mac_dec[48]
Definition: ssl.h:475
size_t ticket_len
Definition: ssl.h:439
#define SSL_HASH_SHA1
Definition: ssl.h:261
Cipher information.
Definition: cipher.h:207
ssl_session * session_negotiate
Definition: ssl.h:647
const cipher_info_t * cipher_info_from_type(const cipher_type_t cipher_type)
Returns the cipher information structure associated with the given cipher type.
ssl_session * session
Definition: ssl.h:646
void ssl_legacy_renegotiation(ssl_context *ssl, int allow_legacy)
Prevent or allow legacy renegotiation.
int ssl_parse_certificate(ssl_context *ssl)
void ssl_set_dbg(ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg)
Set the debug callback.
#define POLARSSL_ERR_SSL_INVALID_RECORD
An invalid SSL record was received.
Definition: ssl.h:100
#define BADCERT_SKIP_VERIFY
Certificate verification was skipped.
Definition: x509.h:79
uint32_t state[5]
Definition: sha1.h:57
ssl_key_cert * key_cert
Definition: ssl.h:700
ssl_key_cert * sni_key_cert
Definition: ssl.h:522
int ssl_set_session_tickets(ssl_context *ssl, int use_tickets)
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS...
unsigned char iv_enc[16]
Definition: ssl.h:469
size_t out_msglen
Definition: ssl.h:686
void ssl_set_verify(ssl_context *ssl, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Set the verification callback (Optional).
#define SSL_SIG_RSA
Definition: ssl.h:268
int ticket_lifetime
Definition: ssl.h:729
ssl_transform * transform_in
Definition: ssl.h:655
cipher_context_t cipher_ctx_enc
Definition: ssl.h:481
const int * ciphersuite_list[4]
Definition: ssl.h:723
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:618
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
mpi dhm_P
Definition: ssl.h:733
#define SSL_RENEGOTIATION
Definition: ssl.h:203
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:553
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
void sha1_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[20])
Output = HMAC-SHA-1( hmac key, input buffer )
int md_process(md_context_t *ctx, const unsigned char *data)
int x509_crt_parse(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
ssl_transform * transform
Definition: ssl.h:657
x509_crt * cert
Definition: ssl.h:585
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:38
size_t psk_identity_len
Definition: ssl.h:744
unsigned char * out_ctr
Definition: ssl.h:680
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
The peer notified us that the connection is going to be closed.
Definition: ssl.h:113
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:218
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:761
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:205
int x509_crt_parse_der(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
#define SSL_SIG_ECDSA
Definition: ssl.h:269
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:614
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:166
#define SSL_MIN_MINOR_VERSION
Definition: ssl.h:150
#define SSL_VERIFY_OPTIONAL
Definition: ssl.h:199
size_t in_msglen
Definition: ssl.h:670
int ssl_set_dh_param_ctx(ssl_context *ssl, dhm_context *dhm_ctx)
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) ...
unsigned char * in_hdr
Definition: ssl.h:664
int secure_renegotiation
Definition: ssl.h:758
#define SSL_SIG_ANON
Definition: ssl.h:267
sha512_context fin_sha512
Definition: ssl.h:539
#define SSL_VERIFY_REQUIRED
Definition: ssl.h:200
#define SSL_HASH_MD5
Definition: ssl.h:260
#define SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:312
void md5_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[16])
Output = HMAC-MD5( hmac key, input buffer )
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:213
static md_type_t md_get_type(const md_info_t *md_info)
Returns the type of the message digest output.
Definition: md.h:220
int(* tls_prf)(const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl.h:546
unsigned char mac_key[16]
Definition: ssl.h:575
void * p_vrfy
Definition: ssl.h:633
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:140
size_t psk_len
Definition: ssl.h:742
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED
Hardware acceleration function returned with error.
Definition: ssl.h:127
void ssl_set_max_version(ssl_context *ssl, int major, int minor)
Set the maximum supported version sent from the client side and/or accepted at the server side (Defau...
#define SSL_RENEGOTIATION_DONE
Definition: ssl.h:204
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:99
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
No client certification received from the client, but required by the authentication mode...
Definition: ssl.h:105
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:461
void * p_recv
Definition: ssl.h:620
unsigned char * psk
Definition: ssl.h:741
int pk_init_ctx_rsa_alt(pk_context *ctx, void *key, pk_rsa_alt_decrypt_func decrypt_func, pk_rsa_alt_sign_func sign_func, pk_rsa_alt_key_len_func key_len_func)
Initialize an RSA-alt context.
size_t len
Definition: dhm.h:145
void ssl_set_ciphersuites_for_version(ssl_context *ssl, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites for a specific version of the protocol.
int ssl_init(ssl_context *ssl)
Initialize an SSL context (An individual SSL context is not thread-safe)
int max_major_ver
Definition: ssl.h:603
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:131
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:93
#define SSL_MINOR_VERSION_1
Definition: ssl.h:142
int ssl_set_psk(ssl_context *ssl, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len)
Set the Pre Shared Key (PSK) and the identity name connected to it.
void ssl_set_psk_cb(ssl_context *ssl, int(*f_psk)(void *, ssl_context *, const unsigned char *, size_t), void *p_psk)
Set the PSK callback (server-side only) (Optional).
unsigned int keylen
Definition: ssl.h:463
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
Hardware acceleration function skipped / left alone data.
Definition: ssl.h:128
int ssl_get_session(const ssl_context *ssl, ssl_session *session)
Save session in order to resume it later (client-side only) Session data is copied to presented sessi...
md_type_t
Definition: md.h:51
int verify_result
Definition: ssl.h:435
unsigned char iv[POLARSSL_MAX_IV_LENGTH]
Current IV or NONCE_COUNTER for CTR-mode.
Definition: cipher.h:260
const cipher_info_t * cipher_info
Information about the associated cipher.
Definition: cipher.h:241
int max_minor_ver
Definition: ssl.h:604
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
The own certificate is not set, but needed by the server.
Definition: ssl.h:107
#define SSL_RENEGOTIATION_PENDING
Definition: ssl.h:205
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:290
unsigned char * in_ctr
Definition: ssl.h:663
ssl_handshake_params * handshake
Definition: ssl.h:649
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:106
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:283
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:543
size_t fixed_ivlen
Definition: ssl.h:466
#define SSL_MINOR_VERSION_2
Definition: ssl.h:143
int ssl_write_certificate(ssl_context *ssl)
size_t(* rsa_key_len_func)(void *ctx)
Definition: ssl.h:379
#define POLARSSL_DHM_RFC5114_MODP_1024_G
Definition: dhm.h:102
RSA context structure.
Definition: rsa.h:77
cipher_context_t cipher_ctx_dec
Definition: ssl.h:482
int in_msgtype
Definition: ssl.h:669
Container for an X.509 certificate.
Definition: x509_crt.h:53
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
A fatal alert message was received from our peer.
Definition: ssl.h:111
#define SSL_MIN_MAJOR_VERSION
Definition: ssl.h:147
#define SSL_DEFAULT_TICKET_LIFETIME
Lifetime of session tickets (if enabled)
Definition: ssl.h:225
size_t verify_data_len
Definition: ssl.h:760
const char * ssl_get_ciphersuite(const ssl_context *ssl)
Return the name of the current ciphersuite.
mpi dhm_G
Definition: ssl.h:734
mpi G
Definition: dhm.h:147
int cipher_free_ctx(cipher_context_t *ctx)
Free the cipher-specific context of ctx.
int cipher_update_ad(cipher_context_t *ctx, const unsigned char *ad, size_t ad_len)
Add additional data (for AEAD ciphers).
#define SSL_IS_SERVER
Definition: ssl.h:194
const char * ssl_get_version(const ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
void ssl_set_renegotiation(ssl_context *ssl, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIAT...
int min_minor_ver
Definition: ssl.h:606
unsigned char * out_msg
Definition: ssl.h:683
unsigned int key_length
Cipher key length, in bits (default length for variable sized ciphers) (Includes parity bits for ciph...
Definition: cipher.h:216
int cipher_set_iv(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len)
Set the initialization vector (IV) or nonce.
#define SSL_MINOR_VERSION_0
Definition: ssl.h:141
int client_auth
Definition: ssl.h:719
#define SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:281
void * p_dbg
Definition: ssl.h:619
void sha256_starts(sha256_context *ctx, int is224)
SHA-256 context setup.
int cipher_update(cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
Generic cipher update function.
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:520
void * p_send
Definition: ssl.h:621
ecdh_context ecdh_ctx
Definition: ssl.h:508
x509_crl * ca_crl
Definition: ssl.h:703
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1566
void(* polarssl_free)(void *ptr)
int ssl_set_max_frag_len(ssl_context *ssl, unsigned char mfl_code)
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes) (Server: set maximum fragment length to emit, usually negotiated by the client during handshake (Client: set maximum fragment length to emit and negotiate with the server during handshake)
SHA-512 context structure.
Definition: sha512.h:55
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:110
unsigned char * ticket
Definition: ssl.h:438
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:120
key_exchange_type_t key_exchange
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED
Processing of the compression / decompression failed.
Definition: ssl.h:129
size_t maclen
Definition: ssl.h:467
unsigned char * out_hdr
Definition: ssl.h:681
int ssl_set_own_cert(ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key)
Set own certificate chain and private key.
int trunc_hmac
Definition: ssl.h:448
void ssl_set_endpoint(ssl_context *ssl, int endpoint)
Set the current endpoint type.
void mpi_free(mpi *X)
Unallocate one MPI.
void ssl_set_ciphersuites(ssl_context *ssl, const int *ciphersuites)
Set the list of allowed ciphersuites (Overrides all version specific lists)
void sha512_starts(sha512_context *ctx, int is384)
SHA-512 context setup.
int x509_crt_verify(x509_crt *crt, x509_crt *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Verify the certificate signature.
#define SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:286
void ssl_set_rng(ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:622
void ssl_set_bio(ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send)
Set the underlying BIO read and write callbacks.
void ssl_free(ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
void sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
void md5_starts(md5_context *ctx)
MD5 context setup.
#define SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:210
unsigned char ssl_sig_from_pk(pk_context *pk)
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
No CA Chain is set, but required to operate.
Definition: ssl.h:109
void ssl_handshake_free(ssl_handshake_params *handshake)
Free referenced items in an SSL handshake context and clear memory.
int authmode
Definition: ssl.h:718
int ssl_flush_output(ssl_context *ssl)
int ssl_handshake(ssl_context *ssl)
Perform the SSL handshake.
unsigned char * in_offt
Definition: ssl.h:667
void ssl_set_min_version(ssl_context *ssl, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:196
int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Definition: ssl.h:375
unsigned char * in_msg
Definition: ssl.h:666
int ssl_set_hostname(ssl_context *ssl, const char *hostname)
Set hostname for ServerName TLS extension (client-side only)
aes_context dec
Definition: ssl.h:574
mpi z
Definition: ecdh.h:54
int ssl_handshake_step(ssl_context *ssl)
Perform a single step of the SSL handshake.
#define SSL_MINOR_VERSION_3
Definition: ssl.h:144
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:54
pk_type_t
Public key types.
Definition: pk.h:90
aes_context enc
Definition: ssl.h:573
unsigned char iv_dec[16]
Definition: ssl.h:470
#define POLARSSL_ERR_NET_WANT_READ
Connection requires a read call.
Definition: net.h:41
#define SSL_HS_CERTIFICATE
Definition: ssl.h:321
int ssl_parse_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:58
size_t hostname_len
Definition: ssl.h:752
int cipher_reset(cipher_context_t *ctx)
Finish preparation of the given context.
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:601
int pk_init_ctx(pk_context *ctx, const pk_info_t *info)
Initialize a PK context with the information given and allocates the type-specific PK subcontext...
void sha512_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:295
This structure is used for storing ciphersuite information.
int ssl_close_notify(ssl_context *ssl)
Notify the peer that the connection is being closed.
const x509_crt * ssl_get_peer_cert(const ssl_context *ssl)
Return the peer certificate from the current connection.
void ssl_set_session_cache(ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache)
Set the session cache callbacks (server-side only) If not set, no session resuming is done...
#define SSL_HASH_SHA256
Definition: ssl.h:263
size_t ssl_get_bytes_avail(const ssl_context *ssl)
Return the number of data bytes available to read.
int md_hmac_starts(md_context_t *ctx, const unsigned char *key, size_t keylen)
Generic HMAC context setup.
int ssl_set_session(ssl_context *ssl, const ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
int cipher_set_padding_mode(cipher_context_t *ctx, cipher_padding_t mode)
Set padding mode, for cipher modes that use padding.
#define SSL_VERIFY_NONE
Definition: ssl.h:198
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:44
cipher_mode_t mode
Cipher mode (e.g.
Definition: cipher.h:212
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:202
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:169
size_t in_left
Definition: ssl.h:671
void sha512_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 final digest.
pk_context * key
Definition: ssl.h:586
int session_tickets
Definition: ssl.h:728
int cipher_init_ctx(cipher_context_t *ctx, const cipher_info_t *cipher_info)
Initialises and fills the cipher context structure with the appropriate values.
int allow_legacy_renegotiation
Definition: ssl.h:722
int cipher_setkey(cipher_context_t *ctx, const unsigned char *key, int key_length, const operation_t operation)
Set the key to use with the given context.
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition: ssl.h:135
ssl_session * session_out
Definition: ssl.h:645
#define SSL_TRUNCATED_HMAC_LEN
Definition: ssl.h:219
uint32_t state[4]
Definition: md5.h:57
void(* calc_finished)(ssl_context *, unsigned char *, int)
Definition: ssl.h:545
int ssl_read_record(ssl_context *ssl)
int ssl_set_own_cert_rsa(ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key)
Set own certificate chain and private RSA key.
size_t len
ASN1 length, e.g.
Definition: asn1.h:119
int md_hmac_reset(md_context_t *ctx)
Generic HMAC context reset.
#define pk_rsa(pk)
Quick access to an RSA context inside a PK context.
Definition: pk.h:69
int ssl_set_dh_param(ssl_context *ssl, const char *dhm_P, const char *dhm_G)
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default...
int(* f_vrfy)(void *, x509_crt *, int, int *)
Definition: ssl.h:632
int out_msgtype
Definition: ssl.h:685
void ssl_set_session_ticket_lifetime(ssl_context *ssl, int lifetime)
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))...
size_t out_left
Definition: ssl.h:687
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:191
int md_hmac_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic HMAC process buffer.
#define BADCERT_MISSING
Certificate was missing.
Definition: x509.h:78
void pk_free(pk_context *ctx)
Free a pk_context.
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED
Processing of the Finished handshake message failed.
Definition: ssl.h:125
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:48
md_context_t md_ctx_enc
Definition: ssl.h:478
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
int ssl_get_verify_result(const ssl_context *ssl)
Return the result of the certificate verification.
#define SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:296
never pad (full blocks only)
Definition: cipher.h:137
int ssl_session_reset(ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables...
void pk_init(pk_context *ctx)
Initialize a pk_context (as NONE)
int min_major_ver
Definition: ssl.h:605
Certificate revocation list structure.
Definition: x509_crl.h:69
const int * ssl_list_ciphersuites(void)
Returns the list of ciphersuites supported by the SSL/TLS module.
ssl_transform * transform_negotiate
Definition: ssl.h:658
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:207
#define SSL_HASH_SHA224
Definition: ssl.h:262
SSL/TLS functions.
unsigned char * in_iv
Definition: ssl.h:665
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:126
int disable_renegotiation
Definition: ssl.h:721
#define SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:289
void sha256_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 final digest.
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
void dhm_free(dhm_context *ctx)
Free the components of a DHM key.
void ecdh_init(ecdh_context *ctx)
Initialize context.
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:615
int ssl_derive_keys(ssl_context *ssl)
void ssl_set_authmode(ssl_context *ssl, int authmode)
Set the certificate verification mode.
md_type_t type
Digest identifier.
Definition: md.h:75
int(* f_set_cache)(void *, const ssl_session *)
Definition: ssl.h:616
SHA-256 context structure.
Definition: sha256.h:54
unsigned char mfl_code
Definition: ssl.h:444
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
key_exchange_type_t
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:598
cipher_type_t cipher
dhm_context dhm_ctx
Definition: ssl.h:505
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1574
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:711
size_t minlen
Definition: ssl.h:464
int ssl_read(ssl_context *ssl, unsigned char *buf, size_t len)
Read at most &#39;len&#39; application data bytes.
void ssl_transform_free(ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:236
unsigned char * psk_identity
Definition: ssl.h:743
#define SSL_SESSION_TICKETS_ENABLED
Definition: ssl.h:222
unsigned char mac_enc[48]
Definition: ssl.h:474
#define SSL_MSG_APPLICATION_DATA
Definition: ssl.h:284
uint64_t state[8]
Definition: sha512.h:58
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
#define SSL_MSG_ALERT
Definition: ssl.h:282
int ssl_renegotiate(ssl_context *ssl)
Initiate an SSL renegotiation on the running connection.
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:613
unsigned char key_name[16]
Definition: ssl.h:572
int key_own_alloc
Definition: ssl.h:587
int ssl_write(ssl_context *ssl, const unsigned char *buf, size_t len)
Write exactly &#39;len&#39; application data bytes.
ssl_key_cert * next
Definition: ssl.h:588
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
void sha512_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:97
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:116
void ssl_set_ca_chain(ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn)
Set the data required to verify peer certificate.
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
Message digest information.
Definition: md.h:73
x509_crt * ca_chain
Definition: ssl.h:702
md5_context fin_md5
Definition: ssl.h:531
int cipher_check_tag(cipher_context_t *ctx, const unsigned char *tag, size_t tag_len)
Check tag for AEAD ciphers.
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int endpoint
Definition: ssl.h:717
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:98
int ssl_set_own_cert_alt(ssl_context *ssl, x509_crt *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len)
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
void ssl_set_sni(ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
#define SSL_HASH_SHA512
Definition: ssl.h:265
unsigned int iv_size
IV/NONCE size, in bytes.
Definition: cipher.h:223
#define SSL_HASH_SHA384
Definition: ssl.h:264
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:637
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:177
void ecdh_free(ecdh_context *ctx)
Free context.
unsigned char * out_iv
Definition: ssl.h:682
unsigned char randbytes[64]
Definition: ssl.h:552
int md_hmac_finish(md_context_t *ctx, unsigned char *output)
Generic HMAC final digest.
int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Definition: ssl.h:372
Generic message digest context.
Definition: md.h:129
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
x509_crt * peer_cert
Definition: ssl.h:433
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:628
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.
#define SSL_HS_HELLO_REQUEST
Definition: ssl.h:317