PolarSSL v1.3.4
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #include "polarssl/config.h"
35 
36 #if defined(POLARSSL_SSL_TLS_C)
37 
38 #include "polarssl/debug.h"
39 #include "polarssl/ssl.h"
40 
41 #if defined(POLARSSL_MEMORY_C)
42 #include "polarssl/memory.h"
43 #else
44 #define polarssl_malloc malloc
45 #define polarssl_free free
46 #endif
47 
48 #include <stdlib.h>
49 
50 #if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
51  !defined(EFI32)
52 #define strcasecmp _stricmp
53 #endif
54 
55 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
56 /*
57  * Convert max_fragment_length codes to length.
58  * RFC 6066 says:
59  * enum{
60  * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
61  * } MaxFragmentLength;
62  * and we add 0 -> extension unused
63  */
64 static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
65 {
66  SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
67  512, /* SSL_MAX_FRAG_LEN_512 */
68  1024, /* SSL_MAX_FRAG_LEN_1024 */
69  2048, /* SSL_MAX_FRAG_LEN_2048 */
70  4096, /* SSL_MAX_FRAG_LEN_4096 */
71 };
72 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
73 
74 static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
75 {
76  ssl_session_free( dst );
77  memcpy( dst, src, sizeof( ssl_session ) );
78 
79 #if defined(POLARSSL_X509_CRT_PARSE_C)
80  if( src->peer_cert != NULL )
81  {
82  int ret;
83 
84  dst->peer_cert = (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
85  if( dst->peer_cert == NULL )
87 
88  x509_crt_init( dst->peer_cert );
89 
90  if( ( ret = x509_crt_parse( dst->peer_cert, src->peer_cert->raw.p,
91  src->peer_cert->raw.len ) != 0 ) )
92  {
93  polarssl_free( dst->peer_cert );
94  dst->peer_cert = NULL;
95  return( ret );
96  }
97  }
98 #endif /* POLARSSL_X509_CRT_PARSE_C */
99 
100 #if defined(POLARSSL_SSL_SESSION_TICKETS)
101  if( src->ticket != NULL )
102  {
103  dst->ticket = (unsigned char *) polarssl_malloc( src->ticket_len );
104  if( dst->ticket == NULL )
106 
107  memcpy( dst->ticket, src->ticket, src->ticket_len );
108  }
109 #endif /* POLARSSL_SSL_SESSION_TICKETS */
110 
111  return( 0 );
112 }
113 
114 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
115 int (*ssl_hw_record_init)(ssl_context *ssl,
116  const unsigned char *key_enc, const unsigned char *key_dec,
117  size_t keylen,
118  const unsigned char *iv_enc, const unsigned char *iv_dec,
119  size_t ivlen,
120  const unsigned char *mac_enc, const unsigned char *mac_dec,
121  size_t maclen) = NULL;
122 int (*ssl_hw_record_activate)(ssl_context *ssl, int direction) = NULL;
123 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
124 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
125 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
126 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
127 #endif
128 
129 /*
130  * Key material generation
131  */
132 #if defined(POLARSSL_SSL_PROTO_SSL3)
133 static int ssl3_prf( const unsigned char *secret, size_t slen,
134  const char *label,
135  const unsigned char *random, size_t rlen,
136  unsigned char *dstbuf, size_t dlen )
137 {
138  size_t i;
141  unsigned char padding[16];
142  unsigned char sha1sum[20];
143  ((void)label);
144 
145  /*
146  * SSLv3:
147  * block =
148  * MD5( secret + SHA1( 'A' + secret + random ) ) +
149  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
150  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
151  * ...
152  */
153  for( i = 0; i < dlen / 16; i++ )
154  {
155  memset( padding, (unsigned char) ('A' + i), 1 + i );
156 
157  sha1_starts( &sha1 );
158  sha1_update( &sha1, padding, 1 + i );
159  sha1_update( &sha1, secret, slen );
160  sha1_update( &sha1, random, rlen );
161  sha1_finish( &sha1, sha1sum );
162 
163  md5_starts( &md5 );
164  md5_update( &md5, secret, slen );
165  md5_update( &md5, sha1sum, 20 );
166  md5_finish( &md5, dstbuf + i * 16 );
167  }
168 
169  memset( &md5, 0, sizeof( md5 ) );
170  memset( &sha1, 0, sizeof( sha1 ) );
171 
172  memset( padding, 0, sizeof( padding ) );
173  memset( sha1sum, 0, sizeof( sha1sum ) );
174 
175  return( 0 );
176 }
177 #endif /* POLARSSL_SSL_PROTO_SSL3 */
178 
179 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
180 static int tls1_prf( const unsigned char *secret, size_t slen,
181  const char *label,
182  const unsigned char *random, size_t rlen,
183  unsigned char *dstbuf, size_t dlen )
184 {
185  size_t nb, hs;
186  size_t i, j, k;
187  const unsigned char *S1, *S2;
188  unsigned char tmp[128];
189  unsigned char h_i[20];
190 
191  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
193 
194  hs = ( slen + 1 ) / 2;
195  S1 = secret;
196  S2 = secret + slen - hs;
197 
198  nb = strlen( label );
199  memcpy( tmp + 20, label, nb );
200  memcpy( tmp + 20 + nb, random, rlen );
201  nb += rlen;
202 
203  /*
204  * First compute P_md5(secret,label+random)[0..dlen]
205  */
206  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
207 
208  for( i = 0; i < dlen; i += 16 )
209  {
210  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
211  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
212 
213  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
214 
215  for( j = 0; j < k; j++ )
216  dstbuf[i + j] = h_i[j];
217  }
218 
219  /*
220  * XOR out with P_sha1(secret,label+random)[0..dlen]
221  */
222  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
223 
224  for( i = 0; i < dlen; i += 20 )
225  {
226  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
227  sha1_hmac( S2, hs, tmp, 20, tmp );
228 
229  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
230 
231  for( j = 0; j < k; j++ )
232  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
233  }
234 
235  memset( tmp, 0, sizeof( tmp ) );
236  memset( h_i, 0, sizeof( h_i ) );
237 
238  return( 0 );
239 }
240 #endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
241 
242 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
243 #if defined(POLARSSL_SHA256_C)
244 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
245  const char *label,
246  const unsigned char *random, size_t rlen,
247  unsigned char *dstbuf, size_t dlen )
248 {
249  size_t nb;
250  size_t i, j, k;
251  unsigned char tmp[128];
252  unsigned char h_i[32];
253 
254  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
256 
257  nb = strlen( label );
258  memcpy( tmp + 32, label, nb );
259  memcpy( tmp + 32 + nb, random, rlen );
260  nb += rlen;
261 
262  /*
263  * Compute P_<hash>(secret, label + random)[0..dlen]
264  */
265  sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
266 
267  for( i = 0; i < dlen; i += 32 )
268  {
269  sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
270  sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
271 
272  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
273 
274  for( j = 0; j < k; j++ )
275  dstbuf[i + j] = h_i[j];
276  }
277 
278  memset( tmp, 0, sizeof( tmp ) );
279  memset( h_i, 0, sizeof( h_i ) );
280 
281  return( 0 );
282 }
283 #endif /* POLARSSL_SHA256_C */
284 
285 #if defined(POLARSSL_SHA512_C)
286 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
287  const char *label,
288  const unsigned char *random, size_t rlen,
289  unsigned char *dstbuf, size_t dlen )
290 {
291  size_t nb;
292  size_t i, j, k;
293  unsigned char tmp[128];
294  unsigned char h_i[48];
295 
296  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
298 
299  nb = strlen( label );
300  memcpy( tmp + 48, label, nb );
301  memcpy( tmp + 48 + nb, random, rlen );
302  nb += rlen;
303 
304  /*
305  * Compute P_<hash>(secret, label + random)[0..dlen]
306  */
307  sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
308 
309  for( i = 0; i < dlen; i += 48 )
310  {
311  sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
312  sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
313 
314  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
315 
316  for( j = 0; j < k; j++ )
317  dstbuf[i + j] = h_i[j];
318  }
319 
320  memset( tmp, 0, sizeof( tmp ) );
321  memset( h_i, 0, sizeof( h_i ) );
322 
323  return( 0 );
324 }
325 #endif /* POLARSSL_SHA512_C */
326 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
327 
328 static void ssl_update_checksum_start(ssl_context *, const unsigned char *, size_t);
329 
330 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
331  defined(POLARSSL_SSL_PROTO_TLS1_1)
332 static void ssl_update_checksum_md5sha1(ssl_context *, const unsigned char *, size_t);
333 #endif
334 
335 #if defined(POLARSSL_SSL_PROTO_SSL3)
336 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
337 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
338 #endif
339 
340 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
341 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
342 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
343 #endif
344 
345 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
346 #if defined(POLARSSL_SHA256_C)
347 static void ssl_update_checksum_sha256(ssl_context *, const unsigned char *, size_t);
348 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
349 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
350 #endif
351 
352 #if defined(POLARSSL_SHA512_C)
353 static void ssl_update_checksum_sha384(ssl_context *, const unsigned char *, size_t);
354 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
355 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
356 #endif
357 #endif
358 
359 int ssl_derive_keys( ssl_context *ssl )
360 {
361  int ret = 0;
362  unsigned char tmp[64];
363  unsigned char keyblk[256];
364  unsigned char *key1;
365  unsigned char *key2;
366  unsigned char *mac_enc;
367  unsigned char *mac_dec;
368  size_t iv_copy_len;
369  const cipher_info_t *cipher_info;
370  const md_info_t *md_info;
371 
372  ssl_session *session = ssl->session_negotiate;
373  ssl_transform *transform = ssl->transform_negotiate;
374  ssl_handshake_params *handshake = ssl->handshake;
375 
376  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
377 
378  cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
379  if( cipher_info == NULL )
380  {
381  SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
382  transform->ciphersuite_info->cipher ) );
384  }
385 
386  md_info = md_info_from_type( transform->ciphersuite_info->mac );
387  if( md_info == NULL )
388  {
389  SSL_DEBUG_MSG( 1, ( "md info for %d not found",
390  transform->ciphersuite_info->mac ) );
392  }
393 
394  /*
395  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
396  */
397 #if defined(POLARSSL_SSL_PROTO_SSL3)
398  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
399  {
400  handshake->tls_prf = ssl3_prf;
401  handshake->calc_verify = ssl_calc_verify_ssl;
402  handshake->calc_finished = ssl_calc_finished_ssl;
403  }
404  else
405 #endif
406 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
407  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
408  {
409  handshake->tls_prf = tls1_prf;
410  handshake->calc_verify = ssl_calc_verify_tls;
411  handshake->calc_finished = ssl_calc_finished_tls;
412  }
413  else
414 #endif
415 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
416 #if defined(POLARSSL_SHA512_C)
417  if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
418  transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
419  {
420  handshake->tls_prf = tls_prf_sha384;
421  handshake->calc_verify = ssl_calc_verify_tls_sha384;
422  handshake->calc_finished = ssl_calc_finished_tls_sha384;
423  }
424  else
425 #endif
426 #if defined(POLARSSL_SHA256_C)
427  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
428  {
429  handshake->tls_prf = tls_prf_sha256;
430  handshake->calc_verify = ssl_calc_verify_tls_sha256;
431  handshake->calc_finished = ssl_calc_finished_tls_sha256;
432  }
433  else
434 #endif
435 #endif
436  {
437  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
439  }
440 
441  /*
442  * SSLv3:
443  * master =
444  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
445  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
446  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
447  *
448  * TLSv1+:
449  * master = PRF( premaster, "master secret", randbytes )[0..47]
450  */
451  if( handshake->resume == 0 )
452  {
453  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
454  handshake->pmslen );
455 
456  handshake->tls_prf( handshake->premaster, handshake->pmslen,
457  "master secret",
458  handshake->randbytes, 64, session->master, 48 );
459 
460  memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
461  }
462  else
463  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
464 
465  /*
466  * Swap the client and server random values.
467  */
468  memcpy( tmp, handshake->randbytes, 64 );
469  memcpy( handshake->randbytes, tmp + 32, 32 );
470  memcpy( handshake->randbytes + 32, tmp, 32 );
471  memset( tmp, 0, sizeof( tmp ) );
472 
473  /*
474  * SSLv3:
475  * key block =
476  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
477  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
478  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
479  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
480  * ...
481  *
482  * TLSv1:
483  * key block = PRF( master, "key expansion", randbytes )
484  */
485  handshake->tls_prf( session->master, 48, "key expansion",
486  handshake->randbytes, 64, keyblk, 256 );
487 
488  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
489  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
490  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
491  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
492  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
493 
494  memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
495 
496  /*
497  * Determine the appropriate key, IV and MAC length.
498  */
499 
500  if( cipher_info->mode == POLARSSL_MODE_GCM )
501  {
502  transform->keylen = cipher_info->key_length;
503  transform->keylen /= 8;
504  transform->minlen = 1;
505  transform->ivlen = 12;
506  transform->fixed_ivlen = 4;
507  transform->maclen = 0;
508  }
509  else
510  {
511  if( md_info->type != POLARSSL_MD_NONE )
512  {
513  int ret;
514 
515  if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 )
516  {
517  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
518  return( ret );
519  }
520 
521  if( ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
522  {
523  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
524  return( ret );
525  }
526 
527  transform->maclen = md_get_size( md_info );
528 
529 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
530  /*
531  * If HMAC is to be truncated, we shall keep the leftmost bytes,
532  * (rfc 6066 page 13 or rfc 2104 section 4),
533  * so we only need to adjust the length here.
534  */
535  if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
536  transform->maclen = SSL_TRUNCATED_HMAC_LEN;
537 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
538  }
539 
540  transform->keylen = cipher_info->key_length;
541  transform->keylen /= 8;
542  transform->ivlen = cipher_info->iv_size;
543 
544  transform->minlen = transform->keylen;
545  if( transform->minlen < transform->maclen )
546  {
547  if( cipher_info->mode == POLARSSL_MODE_STREAM )
548  transform->minlen = transform->maclen;
549  else
550  transform->minlen += transform->keylen;
551  }
552  }
553 
554  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
555  transform->keylen, transform->minlen, transform->ivlen,
556  transform->maclen ) );
557 
558  /*
559  * Finally setup the cipher contexts, IVs and MAC secrets.
560  */
561  if( ssl->endpoint == SSL_IS_CLIENT )
562  {
563  key1 = keyblk + transform->maclen * 2;
564  key2 = keyblk + transform->maclen * 2 + transform->keylen;
565 
566  mac_enc = keyblk;
567  mac_dec = keyblk + transform->maclen;
568 
569  /*
570  * This is not used in TLS v1.1.
571  */
572  iv_copy_len = ( transform->fixed_ivlen ) ?
573  transform->fixed_ivlen : transform->ivlen;
574  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
575  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
576  iv_copy_len );
577  }
578  else
579  {
580  key1 = keyblk + transform->maclen * 2 + transform->keylen;
581  key2 = keyblk + transform->maclen * 2;
582 
583  mac_enc = keyblk + transform->maclen;
584  mac_dec = keyblk;
585 
586  /*
587  * This is not used in TLS v1.1.
588  */
589  iv_copy_len = ( transform->fixed_ivlen ) ?
590  transform->fixed_ivlen : transform->ivlen;
591  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
592  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
593  iv_copy_len );
594  }
595 
596 #if defined(POLARSSL_SSL_PROTO_SSL3)
597  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
598  {
599  if( transform->maclen > sizeof transform->mac_enc )
600  {
601  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
603  }
604 
605  memcpy( transform->mac_enc, mac_enc, transform->maclen );
606  memcpy( transform->mac_dec, mac_dec, transform->maclen );
607  }
608  else
609 #endif
610 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
611  defined(POLARSSL_SSL_PROTO_TLS1_2)
612  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
613  {
614  md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
615  md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
616  }
617  else
618 #endif
619  {
620  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
622  }
623 
624 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
625  if( ssl_hw_record_init != NULL)
626  {
627  int ret = 0;
628 
629  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
630 
631  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
632  transform->iv_enc, transform->iv_dec,
633  iv_copy_len,
634  mac_enc, mac_dec,
635  transform->maclen ) ) != 0 )
636  {
637  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
639  }
640  }
641 #endif
642 
643  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
644  cipher_info ) ) != 0 )
645  {
646  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
647  return( ret );
648  }
649 
650  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
651  cipher_info ) ) != 0 )
652  {
653  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
654  return( ret );
655  }
656 
657  if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
658  cipher_info->key_length,
659  POLARSSL_ENCRYPT ) ) != 0 )
660  {
661  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
662  return( ret );
663  }
664 
665  if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
666  cipher_info->key_length,
667  POLARSSL_DECRYPT ) ) != 0 )
668  {
669  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
670  return( ret );
671  }
672 
673 #if defined(POLARSSL_CIPHER_MODE_CBC)
674  if( cipher_info->mode == POLARSSL_MODE_CBC )
675  {
676  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
677  POLARSSL_PADDING_NONE ) ) != 0 )
678  {
679  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
680  return( ret );
681  }
682 
683  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
684  POLARSSL_PADDING_NONE ) ) != 0 )
685  {
686  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
687  return( ret );
688  }
689  }
690 #endif /* POLARSSL_CIPHER_MODE_CBC */
691 
692  memset( keyblk, 0, sizeof( keyblk ) );
693 
694 #if defined(POLARSSL_ZLIB_SUPPORT)
695  // Initialize compression
696  //
697  if( session->compression == SSL_COMPRESS_DEFLATE )
698  {
699  if( ssl->compress_buf == NULL )
700  {
701  SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
702  ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
703  if( ssl->compress_buf == NULL )
704  {
705  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
706  SSL_BUFFER_LEN ) );
708  }
709  }
710 
711  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
712 
713  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
714  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
715 
716  if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
717  inflateInit( &transform->ctx_inflate ) != Z_OK )
718  {
719  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
721  }
722  }
723 #endif /* POLARSSL_ZLIB_SUPPORT */
724 
725  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
726 
727  return( 0 );
728 }
729 
730 #if defined(POLARSSL_SSL_PROTO_SSL3)
731 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
732 {
735  unsigned char pad_1[48];
736  unsigned char pad_2[48];
737 
738  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
739 
740  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
741  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
742 
743  memset( pad_1, 0x36, 48 );
744  memset( pad_2, 0x5C, 48 );
745 
746  md5_update( &md5, ssl->session_negotiate->master, 48 );
747  md5_update( &md5, pad_1, 48 );
748  md5_finish( &md5, hash );
749 
750  md5_starts( &md5 );
751  md5_update( &md5, ssl->session_negotiate->master, 48 );
752  md5_update( &md5, pad_2, 48 );
753  md5_update( &md5, hash, 16 );
754  md5_finish( &md5, hash );
755 
756  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
757  sha1_update( &sha1, pad_1, 40 );
758  sha1_finish( &sha1, hash + 16 );
759 
760  sha1_starts( &sha1 );
761  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
762  sha1_update( &sha1, pad_2, 40 );
763  sha1_update( &sha1, hash + 16, 20 );
764  sha1_finish( &sha1, hash + 16 );
765 
766  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
767  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
768 
769  return;
770 }
771 #endif
772 
773 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
774 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
775 {
778 
779  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
780 
781  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
782  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
783 
784  md5_finish( &md5, hash );
785  sha1_finish( &sha1, hash + 16 );
786 
787  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
788  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
789 
790  return;
791 }
792 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
793 
794 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
795 #if defined(POLARSSL_SHA256_C)
796 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
797 {
799 
800  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
801 
802  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
803  sha256_finish( &sha256, hash );
804 
805  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
806  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
807 
808  return;
809 }
810 #endif /* POLARSSL_SHA256_C */
811 
812 #if defined(POLARSSL_SHA512_C)
813 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
814 {
816 
817  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
818 
819  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
820  sha512_finish( &sha512, hash );
821 
822  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
823  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
824 
825  return;
826 }
827 #endif /* POLARSSL_SHA512_C */
828 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
829 
830 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
832 {
833  unsigned char *p = ssl->handshake->premaster;
834  unsigned char *end = p + sizeof( ssl->handshake->premaster );
835 
836  /*
837  * PMS = struct {
838  * opaque other_secret<0..2^16-1>;
839  * opaque psk<0..2^16-1>;
840  * };
841  * with "other_secret" depending on the particular key exchange
842  */
843 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
844  if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
845  {
846  if( end - p < 2 + (int) ssl->psk_len )
848 
849  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
850  *(p++) = (unsigned char)( ssl->psk_len );
851  p += ssl->psk_len;
852  }
853  else
854 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
855 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
856  if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
857  {
858  /*
859  * other_secret already set by the ClientKeyExchange message,
860  * and is 48 bytes long
861  */
862  *p++ = 0;
863  *p++ = 48;
864  p += 48;
865  }
866  else
867 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
868 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
869  if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
870  {
871  int ret;
872  size_t len = ssl->handshake->dhm_ctx.len;
873 
874  if( end - p < 2 + (int) len )
876 
877  *(p++) = (unsigned char)( len >> 8 );
878  *(p++) = (unsigned char)( len );
879  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
880  p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
881  {
882  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
883  return( ret );
884  }
885  p += len;
886 
887  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
888  }
889  else
890 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
891 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
892  if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
893  {
894  int ret;
895  size_t zlen;
896 
897  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
898  p + 2, end - (p + 2),
899  ssl->f_rng, ssl->p_rng ) ) != 0 )
900  {
901  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
902  return( ret );
903  }
904 
905  *(p++) = (unsigned char)( zlen >> 8 );
906  *(p++) = (unsigned char)( zlen );
907  p += zlen;
908 
909  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
910  }
911  else
912 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
913  {
914  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
916  }
917 
918  /* opaque psk<0..2^16-1>; */
919  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
920  *(p++) = (unsigned char)( ssl->psk_len );
921  memcpy( p, ssl->psk, ssl->psk_len );
922  p += ssl->psk_len;
923 
924  ssl->handshake->pmslen = p - ssl->handshake->premaster;
925 
926  return( 0 );
927 }
928 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
929 
930 #if defined(POLARSSL_SSL_PROTO_SSL3)
931 /*
932  * SSLv3.0 MAC functions
933  */
934 static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
935  unsigned char *buf, size_t len,
936  unsigned char *ctr, int type )
937 {
938  unsigned char header[11];
939  unsigned char padding[48];
940  int padlen = 0;
941  int md_size = md_get_size( md_ctx->md_info );
942  int md_type = md_get_type( md_ctx->md_info );
943 
944  if( md_type == POLARSSL_MD_MD5 )
945  padlen = 48;
946  else if( md_type == POLARSSL_MD_SHA1 )
947  padlen = 40;
948  else if( md_type == POLARSSL_MD_SHA256 )
949  padlen = 32;
950  else if( md_type == POLARSSL_MD_SHA384 )
951  padlen = 16;
952 
953  memcpy( header, ctr, 8 );
954  header[ 8] = (unsigned char) type;
955  header[ 9] = (unsigned char)( len >> 8 );
956  header[10] = (unsigned char)( len );
957 
958  memset( padding, 0x36, padlen );
959  md_starts( md_ctx );
960  md_update( md_ctx, secret, md_size );
961  md_update( md_ctx, padding, padlen );
962  md_update( md_ctx, header, 11 );
963  md_update( md_ctx, buf, len );
964  md_finish( md_ctx, buf + len );
965 
966  memset( padding, 0x5C, padlen );
967  md_starts( md_ctx );
968  md_update( md_ctx, secret, md_size );
969  md_update( md_ctx, padding, padlen );
970  md_update( md_ctx, buf + len, md_size );
971  md_finish( md_ctx, buf + len );
972 }
973 #endif /* POLARSSL_SSL_PROTO_SSL3 */
974 
975 /*
976  * Encryption/decryption functions
977  */
978 static int ssl_encrypt_buf( ssl_context *ssl )
979 {
980  size_t i;
981 
982  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
983 
984  /*
985  * Add MAC before encrypt, except for GCM
986  */
987 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
988  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
989  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
992  {
993 #if defined(POLARSSL_SSL_PROTO_SSL3)
994  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
995  {
996  ssl_mac( &ssl->transform_out->md_ctx_enc,
997  ssl->transform_out->mac_enc,
998  ssl->out_msg, ssl->out_msglen,
999  ssl->out_ctr, ssl->out_msgtype );
1000  }
1001  else
1002 #endif
1003 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1004  defined(POLARSSL_SSL_PROTO_TLS1_2)
1005  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1006  {
1007  md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1009  ssl->out_msg, ssl->out_msglen );
1011  ssl->out_msg + ssl->out_msglen );
1013  }
1014  else
1015 #endif
1016  {
1017  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1019  }
1020 
1021  SSL_DEBUG_BUF( 4, "computed mac",
1022  ssl->out_msg + ssl->out_msglen,
1023  ssl->transform_out->maclen );
1024 
1025  ssl->out_msglen += ssl->transform_out->maclen;
1026  }
1027 #endif /* GCM not the only option */
1028 
1029  /*
1030  * Encrypt
1031  */
1032 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1035  {
1036  int ret;
1037  size_t olen = 0;
1038 
1039  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1040  "including %d bytes of padding",
1041  ssl->out_msglen, 0 ) );
1042 
1043  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1044  ssl->out_msg, ssl->out_msglen );
1045 
1046  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1047  {
1048  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1049  return( ret );
1050  }
1051 
1052  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1053  ssl->transform_out->iv_enc,
1054  ssl->transform_out->ivlen ) ) != 0 )
1055  {
1056  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1057  return( ret );
1058  }
1059 
1060  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1061  ssl->out_msg, ssl->out_msglen, ssl->out_msg,
1062  &olen ) ) != 0 )
1063  {
1064  SSL_DEBUG_RET( 1, "cipher_update", ret );
1065  return( ret );
1066  }
1067 
1068  if( ssl->out_msglen != olen )
1069  {
1070  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1071  ssl->out_msglen, olen ) );
1073  }
1074 
1075  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1076  ssl->out_msg + olen, &olen ) ) != 0 )
1077  {
1078  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1079  return( ret );
1080  }
1081 
1082  if( 0 != olen )
1083  {
1084  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1085  0, olen ) );
1087  }
1088  }
1089  else
1090 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1091 #if defined(POLARSSL_GCM_C)
1094  {
1095  size_t enc_msglen, olen, totlen;
1096  unsigned char *enc_msg;
1097  unsigned char add_data[13];
1099 
1100  memcpy( add_data, ssl->out_ctr, 8 );
1101  add_data[8] = ssl->out_msgtype;
1102  add_data[9] = ssl->major_ver;
1103  add_data[10] = ssl->minor_ver;
1104  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1105  add_data[12] = ssl->out_msglen & 0xFF;
1106 
1107  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1108  add_data, 13 );
1109 
1110  /*
1111  * Generate IV
1112  */
1113  ret = ssl->f_rng( ssl->p_rng,
1115  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1116  if( ret != 0 )
1117  return( ret );
1118 
1119  memcpy( ssl->out_iv,
1121  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1122 
1123  SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1124  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1125 
1126  /*
1127  * Fix pointer positions and message length with added IV
1128  */
1129  enc_msg = ssl->out_msg;
1130  enc_msglen = ssl->out_msglen;
1131  ssl->out_msglen += ssl->transform_out->ivlen -
1132  ssl->transform_out->fixed_ivlen;
1133 
1134  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1135  "including %d bytes of padding",
1136  ssl->out_msglen, 0 ) );
1137 
1138  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1139  ssl->out_msg, ssl->out_msglen );
1140 
1141  /*
1142  * Encrypt
1143  */
1144  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1145  ssl->transform_out->iv_enc,
1146  ssl->transform_out->ivlen ) ) != 0 ||
1147  ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1148  {
1149  return( ret );
1150  }
1151 
1152  if( ( ret = cipher_update_ad( &ssl->transform_out->cipher_ctx_enc,
1153  add_data, 13 ) ) != 0 )
1154  {
1155  return( ret );
1156  }
1157 
1158  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1159  enc_msg, enc_msglen,
1160  enc_msg, &olen ) ) != 0 )
1161  {
1162  return( ret );
1163  }
1164  totlen = olen;
1165 
1166  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1167  enc_msg + olen, &olen ) ) != 0 )
1168  {
1169  return( ret );
1170  }
1171  totlen += olen;
1172 
1173  if( totlen != enc_msglen )
1174  {
1175  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1176  return( -1 );
1177  }
1178 
1179  /*
1180  * Authenticate
1181  */
1182  ssl->out_msglen += 16;
1183 
1184  if( ( ret = cipher_write_tag( &ssl->transform_out->cipher_ctx_enc,
1185  enc_msg + enc_msglen, 16 ) ) != 0 )
1186  {
1187  return( ret );
1188  }
1189 
1190  SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, 16 );
1191  }
1192  else
1193 #endif /* POLARSSL_GCM_C */
1194 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1195  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1198  {
1199  int ret;
1200  unsigned char *enc_msg;
1201  size_t enc_msglen, padlen, olen = 0;
1202 
1203  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1204  ssl->transform_out->ivlen;
1205  if( padlen == ssl->transform_out->ivlen )
1206  padlen = 0;
1207 
1208  for( i = 0; i <= padlen; i++ )
1209  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1210 
1211  ssl->out_msglen += padlen + 1;
1212 
1213  enc_msglen = ssl->out_msglen;
1214  enc_msg = ssl->out_msg;
1215 
1216 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1217  /*
1218  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1219  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1220  */
1221  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1222  {
1223  /*
1224  * Generate IV
1225  */
1226  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1227  ssl->transform_out->ivlen );
1228  if( ret != 0 )
1229  return( ret );
1230 
1231  memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1232  ssl->transform_out->ivlen );
1233 
1234  /*
1235  * Fix pointer positions and message length with added IV
1236  */
1237  enc_msg = ssl->out_msg;
1238  enc_msglen = ssl->out_msglen;
1239  ssl->out_msglen += ssl->transform_out->ivlen;
1240  }
1241 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1242 
1243  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1244  "including %d bytes of IV and %d bytes of padding",
1245  ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
1246 
1247  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1248  ssl->out_iv, ssl->out_msglen );
1249 
1250  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1251  {
1252  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1253  return( ret );
1254  }
1255 
1256  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1257  ssl->transform_out->iv_enc,
1258  ssl->transform_out->ivlen ) ) != 0 )
1259  {
1260  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1261  return( ret );
1262  }
1263 
1264  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1265  enc_msg, enc_msglen, enc_msg,
1266  &olen ) ) != 0 )
1267  {
1268  SSL_DEBUG_RET( 1, "cipher_update", ret );
1269  return( ret );
1270  }
1271 
1272  enc_msglen -= olen;
1273 
1274  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1275  enc_msg + olen, &olen ) ) != 0 )
1276  {
1277  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1278  return( ret );
1279  }
1280 
1281  if( enc_msglen != olen )
1282  {
1283  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1284  enc_msglen, olen ) );
1286  }
1287 
1288 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1289  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1290  {
1291  /*
1292  * Save IV in SSL3 and TLS1
1293  */
1294  memcpy( ssl->transform_out->iv_enc,
1296  ssl->transform_out->ivlen );
1297  }
1298 #endif
1299  }
1300  else
1301 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1302  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1303  {
1304  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1306  }
1307 
1308  for( i = 8; i > 0; i-- )
1309  if( ++ssl->out_ctr[i - 1] != 0 )
1310  break;
1311 
1312  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1313 
1314  return( 0 );
1315 }
1316 
1317 #define POLARSSL_SSL_MAX_MAC_SIZE 48
1318 
1319 static int ssl_decrypt_buf( ssl_context *ssl )
1320 {
1321  size_t i;
1322 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1323  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1324  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1325  size_t padlen = 0, correct = 1;
1326 #endif
1327 
1328  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1329 
1330  if( ssl->in_msglen < ssl->transform_in->minlen )
1331  {
1332  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1333  ssl->in_msglen, ssl->transform_in->minlen ) );
1334  return( POLARSSL_ERR_SSL_INVALID_MAC );
1335  }
1336 
1337 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1340  {
1341  int ret;
1342  size_t olen = 0;
1343 
1344  padlen = 0;
1345 
1346  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1347  {
1348  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1349  return( ret );
1350  }
1351 
1352  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1353  ssl->transform_in->iv_dec,
1354  ssl->transform_in->ivlen ) ) != 0 )
1355  {
1356  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1357  return( ret );
1358  }
1359 
1360  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1361  ssl->in_msg, ssl->in_msglen, ssl->in_msg,
1362  &olen ) ) != 0 )
1363  {
1364  SSL_DEBUG_RET( 1, "cipher_update", ret );
1365  return( ret );
1366  }
1367 
1368  if( ssl->in_msglen != olen )
1369  {
1370  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1372  }
1373 
1374  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1375  ssl->in_msg + olen, &olen ) ) != 0 )
1376  {
1377  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1378  return( ret );
1379  }
1380 
1381  if( 0 != olen )
1382  {
1383  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1385  }
1386  }
1387  else
1388 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1389 #if defined(POLARSSL_GCM_C)
1392  {
1393  unsigned char *dec_msg;
1394  unsigned char *dec_msg_result;
1395  size_t dec_msglen, olen, totlen;
1396  unsigned char add_data[13];
1398 
1399  dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1400  ssl->transform_in->fixed_ivlen );
1401  dec_msglen -= 16;
1402  dec_msg = ssl->in_msg;
1403  dec_msg_result = ssl->in_msg;
1404  ssl->in_msglen = dec_msglen;
1405 
1406  memcpy( add_data, ssl->in_ctr, 8 );
1407  add_data[8] = ssl->in_msgtype;
1408  add_data[9] = ssl->major_ver;
1409  add_data[10] = ssl->minor_ver;
1410  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1411  add_data[12] = ssl->in_msglen & 0xFF;
1412 
1413  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1414  add_data, 13 );
1415 
1416  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1417  ssl->in_iv,
1418  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1419 
1420  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1421  ssl->transform_in->ivlen );
1422  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1423 
1424  /*
1425  * Decrypt
1426  */
1427  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1428  ssl->transform_in->iv_dec,
1429  ssl->transform_in->ivlen ) ) != 0 ||
1430  ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1431  {
1432  return( ret );
1433  }
1434 
1435  if( ( ret = cipher_update_ad( &ssl->transform_in->cipher_ctx_dec,
1436  add_data, 13 ) ) != 0 )
1437  {
1438  return( ret );
1439  }
1440 
1441  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1442  dec_msg, dec_msglen,
1443  dec_msg_result, &olen ) ) != 0 )
1444  {
1445  return( ret );
1446  }
1447  totlen = olen;
1448 
1449  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1450  dec_msg_result + olen, &olen ) ) != 0 )
1451  {
1452  return( ret );
1453  }
1454  totlen += olen;
1455 
1456  if( totlen != dec_msglen )
1457  {
1458  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1459  return( -1 );
1460  }
1461 
1462  /*
1463  * Authenticate
1464  */
1465  if( ( ret = cipher_check_tag( &ssl->transform_in->cipher_ctx_dec,
1466  dec_msg + dec_msglen, 16 ) ) != 0 )
1467  {
1468  SSL_DEBUG_RET( 1, "cipher_check_tag", ret );
1469  return( POLARSSL_ERR_SSL_INVALID_MAC );
1470  }
1471 
1472  }
1473  else
1474 #endif /* POLARSSL_GCM_C */
1475 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1476  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1479  {
1480  /*
1481  * Decrypt and check the padding
1482  */
1483  int ret;
1484  unsigned char *dec_msg;
1485  unsigned char *dec_msg_result;
1486  size_t dec_msglen;
1487  size_t minlen = 0;
1488  size_t olen = 0;
1489 
1490  /*
1491  * Check immediate ciphertext sanity
1492  */
1493  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1494  {
1495  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1496  ssl->in_msglen, ssl->transform_in->ivlen ) );
1497  return( POLARSSL_ERR_SSL_INVALID_MAC );
1498  }
1499 
1500 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1501  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1502  minlen += ssl->transform_in->ivlen;
1503 #endif
1504 
1505  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1506  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1507  {
1508  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1509  ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1510  return( POLARSSL_ERR_SSL_INVALID_MAC );
1511  }
1512 
1513  dec_msglen = ssl->in_msglen;
1514  dec_msg = ssl->in_msg;
1515  dec_msg_result = ssl->in_msg;
1516 
1517 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1518  /*
1519  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1520  */
1521  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1522  {
1523  dec_msglen -= ssl->transform_in->ivlen;
1524  ssl->in_msglen -= ssl->transform_in->ivlen;
1525 
1526  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1527  ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1528  }
1529 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1530 
1531  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1532  {
1533  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1534  return( ret );
1535  }
1536 
1537  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1538  ssl->transform_in->iv_dec,
1539  ssl->transform_in->ivlen ) ) != 0 )
1540  {
1541  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1542  return( ret );
1543  }
1544 
1545  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1546  dec_msg, dec_msglen, dec_msg_result,
1547  &olen ) ) != 0 )
1548  {
1549  SSL_DEBUG_RET( 1, "cipher_update", ret );
1550  return( ret );
1551  }
1552 
1553  dec_msglen -= olen;
1554  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1555  dec_msg_result + olen, &olen ) ) != 0 )
1556  {
1557  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1558  return( ret );
1559  }
1560 
1561  if( dec_msglen != olen )
1562  {
1563  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1565  }
1566 
1567 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1568  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1569  {
1570  /*
1571  * Save IV in SSL3 and TLS1
1572  */
1573  memcpy( ssl->transform_in->iv_dec,
1575  ssl->transform_in->ivlen );
1576  }
1577 #endif
1578 
1579  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1580 
1581  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1582  {
1583 #if defined(POLARSSL_SSL_DEBUG_ALL)
1584  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1585  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1586 #endif
1587  padlen = 0;
1588  correct = 0;
1589  }
1590 
1591 #if defined(POLARSSL_SSL_PROTO_SSL3)
1592  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1593  {
1594  if( padlen > ssl->transform_in->ivlen )
1595  {
1596 #if defined(POLARSSL_SSL_DEBUG_ALL)
1597  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1598  "should be no more than %d",
1599  padlen, ssl->transform_in->ivlen ) );
1600 #endif
1601  correct = 0;
1602  }
1603  }
1604  else
1605 #endif
1606 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1607  defined(POLARSSL_SSL_PROTO_TLS1_2)
1608  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1609  {
1610  /*
1611  * TLSv1+: always check the padding up to the first failure
1612  * and fake check up to 256 bytes of padding
1613  */
1614  size_t pad_count = 0, real_count = 1;
1615  size_t padding_idx = ssl->in_msglen - padlen - 1;
1616 
1617  /*
1618  * Padding is guaranteed to be incorrect if:
1619  * 1. padlen - 1 > ssl->in_msglen
1620  *
1621  * 2. ssl->in_msglen + padlen >
1622  * SSL_MAX_CONTENT_LEN + 256 (max padding)
1623  *
1624  * In both cases we reset padding_idx to a safe value (0) to
1625  * prevent out-of-buffer reads.
1626  */
1627  correct &= ( ssl->in_msglen >= padlen - 1 );
1628  correct &= ( ssl->in_msglen + padlen <= SSL_MAX_CONTENT_LEN + 256 );
1629 
1630  padding_idx *= correct;
1631 
1632  for( i = 1; i <= 256; i++ )
1633  {
1634  real_count &= ( i <= padlen );
1635  pad_count += real_count *
1636  ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1637  }
1638 
1639  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1640 
1641 #if defined(POLARSSL_SSL_DEBUG_ALL)
1642  if( padlen > 0 && correct == 0)
1643  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1644 #endif
1645  padlen &= correct * 0x1FF;
1646  }
1647  else
1648 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1649  POLARSSL_SSL_PROTO_TLS1_2 */
1650  {
1651  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1653  }
1654  }
1655  else
1656 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1657  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1658  {
1659  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1661  }
1662 
1663  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1664  ssl->in_msg, ssl->in_msglen );
1665 
1666  /*
1667  * Always compute the MAC (RFC4346, CBCTIME), except for GCM of course
1668  */
1669 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1670  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1671  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1674  {
1675  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1676 
1677  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1678 
1679  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1680  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1681 
1682  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1683 
1684 #if defined(POLARSSL_SSL_PROTO_SSL3)
1685  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1686  {
1687  ssl_mac( &ssl->transform_in->md_ctx_dec,
1688  ssl->transform_in->mac_dec,
1689  ssl->in_msg, ssl->in_msglen,
1690  ssl->in_ctr, ssl->in_msgtype );
1691  }
1692  else
1693 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1694 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1695  defined(POLARSSL_SSL_PROTO_TLS1_2)
1696  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1697  {
1698  /*
1699  * Process MAC and always update for padlen afterwards to make
1700  * total time independent of padlen
1701  *
1702  * extra_run compensates MAC check for padlen
1703  *
1704  * Known timing attacks:
1705  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1706  *
1707  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1708  * correctly. (We round down instead of up, so -56 is the correct
1709  * value for our calculations instead of -55)
1710  */
1711  size_t j, extra_run = 0;
1712  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1713  ( 13 + ssl->in_msglen + 8 ) / 64;
1714 
1715  extra_run &= correct * 0xFF;
1716 
1717  md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1719  ssl->in_msglen );
1721  ssl->in_msg + ssl->in_msglen );
1722  for( j = 0; j < extra_run; j++ )
1723  md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1724 
1726  }
1727  else
1728 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1729  POLARSSL_SSL_PROTO_TLS1_2 */
1730  {
1731  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1733  }
1734 
1735  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1736  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1737  ssl->transform_in->maclen );
1738 
1739  if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1740  ssl->transform_in->maclen ) != 0 )
1741  {
1742 #if defined(POLARSSL_SSL_DEBUG_ALL)
1743  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1744 #endif
1745  correct = 0;
1746  }
1747 
1748  /*
1749  * Finally check the correct flag
1750  */
1751  if( correct == 0 )
1752  return( POLARSSL_ERR_SSL_INVALID_MAC );
1753  }
1754 #endif /* GCM not the only option */
1755 
1756  if( ssl->in_msglen == 0 )
1757  {
1758  ssl->nb_zero++;
1759 
1760  /*
1761  * Three or more empty messages may be a DoS attack
1762  * (excessive CPU consumption).
1763  */
1764  if( ssl->nb_zero > 3 )
1765  {
1766  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1767  "messages, possible DoS attack" ) );
1768  return( POLARSSL_ERR_SSL_INVALID_MAC );
1769  }
1770  }
1771  else
1772  ssl->nb_zero = 0;
1773 
1774  for( i = 8; i > 0; i-- )
1775  if( ++ssl->in_ctr[i - 1] != 0 )
1776  break;
1777 
1778  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1779 
1780  return( 0 );
1781 }
1782 
1783 #if defined(POLARSSL_ZLIB_SUPPORT)
1784 /*
1785  * Compression/decompression functions
1786  */
1787 static int ssl_compress_buf( ssl_context *ssl )
1788 {
1789  int ret;
1790  unsigned char *msg_post = ssl->out_msg;
1791  size_t len_pre = ssl->out_msglen;
1792  unsigned char *msg_pre = ssl->compress_buf;
1793 
1794  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1795 
1796  if( len_pre == 0 )
1797  return( 0 );
1798 
1799  memcpy( msg_pre, ssl->out_msg, len_pre );
1800 
1801  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1802  ssl->out_msglen ) );
1803 
1804  SSL_DEBUG_BUF( 4, "before compression: output payload",
1805  ssl->out_msg, ssl->out_msglen );
1806 
1807  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1808  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1809  ssl->transform_out->ctx_deflate.next_out = msg_post;
1810  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1811 
1812  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1813  if( ret != Z_OK )
1814  {
1815  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1817  }
1818 
1819  ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
1820 
1821  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1822  ssl->out_msglen ) );
1823 
1824  SSL_DEBUG_BUF( 4, "after compression: output payload",
1825  ssl->out_msg, ssl->out_msglen );
1826 
1827  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1828 
1829  return( 0 );
1830 }
1831 
1832 static int ssl_decompress_buf( ssl_context *ssl )
1833 {
1834  int ret;
1835  unsigned char *msg_post = ssl->in_msg;
1836  size_t len_pre = ssl->in_msglen;
1837  unsigned char *msg_pre = ssl->compress_buf;
1838 
1839  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1840 
1841  if( len_pre == 0 )
1842  return( 0 );
1843 
1844  memcpy( msg_pre, ssl->in_msg, len_pre );
1845 
1846  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1847  ssl->in_msglen ) );
1848 
1849  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1850  ssl->in_msg, ssl->in_msglen );
1851 
1852  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1853  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1854  ssl->transform_in->ctx_inflate.next_out = msg_post;
1855  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1856 
1857  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1858  if( ret != Z_OK )
1859  {
1860  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1862  }
1863 
1864  ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
1865 
1866  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1867  ssl->in_msglen ) );
1868 
1869  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1870  ssl->in_msg, ssl->in_msglen );
1871 
1872  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1873 
1874  return( 0 );
1875 }
1876 #endif /* POLARSSL_ZLIB_SUPPORT */
1877 
1878 /*
1879  * Fill the input message buffer
1880  */
1881 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1882 {
1883  int ret;
1884  size_t len;
1885 
1886  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1887 
1888  while( ssl->in_left < nb_want )
1889  {
1890  len = nb_want - ssl->in_left;
1891  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1892 
1893  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1894  ssl->in_left, nb_want ) );
1895  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1896 
1897  if( ret == 0 )
1898  return( POLARSSL_ERR_SSL_CONN_EOF );
1899 
1900  if( ret < 0 )
1901  return( ret );
1902 
1903  ssl->in_left += ret;
1904  }
1905 
1906  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1907 
1908  return( 0 );
1909 }
1910 
1911 /*
1912  * Flush any data not yet written
1913  */
1914 int ssl_flush_output( ssl_context *ssl )
1915 {
1916  int ret;
1917  unsigned char *buf;
1918 
1919  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1920 
1921  while( ssl->out_left > 0 )
1922  {
1923  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1924  5 + ssl->out_msglen, ssl->out_left ) );
1925 
1926  buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1927  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1928 
1929  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1930 
1931  if( ret <= 0 )
1932  return( ret );
1933 
1934  ssl->out_left -= ret;
1935  }
1936 
1937  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1938 
1939  return( 0 );
1940 }
1941 
1942 /*
1943  * Record layer functions
1944  */
1945 int ssl_write_record( ssl_context *ssl )
1946 {
1947  int ret, done = 0;
1948  size_t len = ssl->out_msglen;
1949 
1950  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1951 
1952  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1953  {
1954  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1955  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1956  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1957 
1958  if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
1959  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1960  }
1961 
1962 #if defined(POLARSSL_ZLIB_SUPPORT)
1963  if( ssl->transform_out != NULL &&
1965  {
1966  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1967  {
1968  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1969  return( ret );
1970  }
1971 
1972  len = ssl->out_msglen;
1973  }
1974 #endif /*POLARSSL_ZLIB_SUPPORT */
1975 
1976 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1977  if( ssl_hw_record_write != NULL)
1978  {
1979  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1980 
1981  ret = ssl_hw_record_write( ssl );
1982  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1983  {
1984  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1986  }
1987 
1988  if( ret == 0 )
1989  done = 1;
1990  }
1991 #endif
1992  if( !done )
1993  {
1994  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1995  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1996  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1997  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1998  ssl->out_hdr[4] = (unsigned char)( len );
1999 
2000  if( ssl->transform_out != NULL )
2001  {
2002  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
2003  {
2004  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2005  return( ret );
2006  }
2007 
2008  len = ssl->out_msglen;
2009  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
2010  ssl->out_hdr[4] = (unsigned char)( len );
2011  }
2012 
2013  ssl->out_left = 5 + ssl->out_msglen;
2014 
2015  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2016  "version = [%d:%d], msglen = %d",
2017  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
2018  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
2019 
2020  SSL_DEBUG_BUF( 4, "output record sent to network",
2021  ssl->out_hdr, 5 + ssl->out_msglen );
2022  }
2023 
2024  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2025  {
2026  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2027  return( ret );
2028  }
2029 
2030  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2031 
2032  return( 0 );
2033 }
2034 
2035 int ssl_read_record( ssl_context *ssl )
2036 {
2037  int ret, done = 0;
2038 
2039  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
2040 
2041  SSL_DEBUG_BUF( 4, "input record from network",
2042  ssl->in_hdr, 5 + ssl->in_msglen );
2043 
2044  if( ssl->in_hslen != 0 &&
2045  ssl->in_hslen < ssl->in_msglen )
2046  {
2047  /*
2048  * Get next Handshake message in the current record
2049  */
2050  ssl->in_msglen -= ssl->in_hslen;
2051 
2052  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
2053  ssl->in_msglen );
2054 
2055  ssl->in_hslen = 4;
2056  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2057 
2058  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2059  " %d, type = %d, hslen = %d",
2060  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2061 
2062  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2063  {
2064  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2066  }
2067 
2068  if( ssl->in_msglen < ssl->in_hslen )
2069  {
2070  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2072  }
2073 
2074  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2075 
2076  return( 0 );
2077  }
2078 
2079  ssl->in_hslen = 0;
2080 
2081  /*
2082  * Read the record header and validate it
2083  */
2084  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2085  {
2086  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2087  return( ret );
2088  }
2089 
2090  ssl->in_msgtype = ssl->in_hdr[0];
2091  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2092 
2093  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2094  "version = [%d:%d], msglen = %d",
2095  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2096  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2097 
2098  if( ssl->in_hdr[1] != ssl->major_ver )
2099  {
2100  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
2102  }
2103 
2104  if( ssl->in_hdr[2] > ssl->max_minor_ver )
2105  {
2106  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
2108  }
2109 
2110  /*
2111  * Make sure the message length is acceptable
2112  */
2113  if( ssl->transform_in == NULL )
2114  {
2115  if( ssl->in_msglen < 1 ||
2117  {
2118  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2120  }
2121  }
2122  else
2123  {
2124  if( ssl->in_msglen < ssl->transform_in->minlen )
2125  {
2126  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2128  }
2129 
2130 #if defined(POLARSSL_SSL_PROTO_SSL3)
2131  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2133  {
2134  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2136  }
2137 #endif
2138 
2139 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2140  defined(POLARSSL_SSL_PROTO_TLS1_2)
2141  /*
2142  * TLS encrypted messages can have up to 256 bytes of padding
2143  */
2144  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2145  ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
2146  {
2147  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2149  }
2150 #endif
2151  }
2152 
2153  /*
2154  * Read and optionally decrypt the message contents
2155  */
2156  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2157  {
2158  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2159  return( ret );
2160  }
2161 
2162  SSL_DEBUG_BUF( 4, "input record from network",
2163  ssl->in_hdr, 5 + ssl->in_msglen );
2164 
2165 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2166  if( ssl_hw_record_read != NULL)
2167  {
2168  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2169 
2170  ret = ssl_hw_record_read( ssl );
2171  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2172  {
2173  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2175  }
2176 
2177  if( ret == 0 )
2178  done = 1;
2179  }
2180 #endif
2181  if( !done && ssl->transform_in != NULL )
2182  {
2183  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2184  {
2185 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2186  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2187  {
2191  }
2192 #endif
2193  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2194  return( ret );
2195  }
2196 
2197  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2198  ssl->in_msg, ssl->in_msglen );
2199 
2200  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2201  {
2202  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2204  }
2205  }
2206 
2207 #if defined(POLARSSL_ZLIB_SUPPORT)
2208  if( ssl->transform_in != NULL &&
2210  {
2211  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2212  {
2213  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2214  return( ret );
2215  }
2216 
2217  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2218  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2219  }
2220 #endif /* POLARSSL_ZLIB_SUPPORT */
2221 
2222  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2223  ssl->in_msgtype != SSL_MSG_ALERT &&
2226  {
2227  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2228 
2229  if( ( ret = ssl_send_alert_message( ssl,
2232  {
2233  return( ret );
2234  }
2235 
2237  }
2238 
2239  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2240  {
2241  ssl->in_hslen = 4;
2242  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2243 
2244  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2245  " %d, type = %d, hslen = %d",
2246  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2247 
2248  /*
2249  * Additional checks to validate the handshake header
2250  */
2251  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2252  {
2253  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2255  }
2256 
2257  if( ssl->in_msglen < ssl->in_hslen )
2258  {
2259  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2261  }
2262 
2263  if( ssl->state != SSL_HANDSHAKE_OVER )
2264  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2265  }
2266 
2267  if( ssl->in_msgtype == SSL_MSG_ALERT )
2268  {
2269  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2270  ssl->in_msg[0], ssl->in_msg[1] ) );
2271 
2272  /*
2273  * Ignore non-fatal alerts, except close_notify
2274  */
2275  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2276  {
2277  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2278  ssl->in_msg[1] ) );
2284  }
2285 
2286  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2287  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2288  {
2289  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2291  }
2292  }
2293 
2294  ssl->in_left = 0;
2295 
2296  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2297 
2298  return( 0 );
2299 }
2300 
2302 {
2303  int ret;
2304 
2305  if( ( ret = ssl_send_alert_message( ssl,
2308  {
2309  return( ret );
2310  }
2311 
2312  return( 0 );
2313 }
2314 
2316  unsigned char level,
2317  unsigned char message )
2318 {
2319  int ret;
2320 
2321  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2322 
2323  ssl->out_msgtype = SSL_MSG_ALERT;
2324  ssl->out_msglen = 2;
2325  ssl->out_msg[0] = level;
2326  ssl->out_msg[1] = message;
2327 
2328  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2329  {
2330  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2331  return( ret );
2332  }
2333 
2334  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2335 
2336  return( 0 );
2337 }
2338 
2339 /*
2340  * Handshake functions
2341  */
2342 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2343  !defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
2344  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2345  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2346  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
2347  !defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2348  !defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2350 {
2352  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2353 
2354  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2355 
2356  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2357  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2358  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2359  {
2360  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2361  ssl->state++;
2362  return( 0 );
2363  }
2364 
2365  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2366  return( ret );
2367 }
2368 
2370 {
2372  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2373 
2374  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2375 
2376  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2377  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2378  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2379  {
2380  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2381  ssl->state++;
2382  return( 0 );
2383  }
2384 
2385  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2386  return( ret );
2387 }
2388 #else
2390 {
2392  size_t i, n;
2393  const x509_crt *crt;
2394  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2395 
2396  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2397 
2398  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2399  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2400  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2401  {
2402  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2403  ssl->state++;
2404  return( 0 );
2405  }
2406 
2407  if( ssl->endpoint == SSL_IS_CLIENT )
2408  {
2409  if( ssl->client_auth == 0 )
2410  {
2411  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2412  ssl->state++;
2413  return( 0 );
2414  }
2415 
2416 #if defined(POLARSSL_SSL_PROTO_SSL3)
2417  /*
2418  * If using SSLv3 and got no cert, send an Alert message
2419  * (otherwise an empty Certificate message will be sent).
2420  */
2421  if( ssl_own_cert( ssl ) == NULL &&
2422  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2423  {
2424  ssl->out_msglen = 2;
2425  ssl->out_msgtype = SSL_MSG_ALERT;
2426  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2427  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2428 
2429  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2430  goto write_msg;
2431  }
2432 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2433  }
2434  else /* SSL_IS_SERVER */
2435  {
2436  if( ssl_own_cert( ssl ) == NULL )
2437  {
2438  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2440  }
2441  }
2442 
2443  SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
2444 
2445  /*
2446  * 0 . 0 handshake type
2447  * 1 . 3 handshake length
2448  * 4 . 6 length of all certs
2449  * 7 . 9 length of cert. 1
2450  * 10 . n-1 peer certificate
2451  * n . n+2 length of cert. 2
2452  * n+3 . ... upper level cert, etc.
2453  */
2454  i = 7;
2455  crt = ssl_own_cert( ssl );
2456 
2457  while( crt != NULL )
2458  {
2459  n = crt->raw.len;
2460  if( n > SSL_MAX_CONTENT_LEN - 3 - i )
2461  {
2462  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2463  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2465  }
2466 
2467  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2468  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2469  ssl->out_msg[i + 2] = (unsigned char)( n );
2470 
2471  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2472  i += n; crt = crt->next;
2473  }
2474 
2475  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2476  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2477  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2478 
2479  ssl->out_msglen = i;
2481  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2482 
2483 #if defined(POLARSSL_SSL_PROTO_SSL3)
2484 write_msg:
2485 #endif
2486 
2487  ssl->state++;
2488 
2489  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2490  {
2491  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2492  return( ret );
2493  }
2494 
2495  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2496 
2497  return( ret );
2498 }
2499 
2501 {
2503  size_t i, n;
2504  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2505 
2506  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2507 
2508  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2509  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2510  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2511  {
2512  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2513  ssl->state++;
2514  return( 0 );
2515  }
2516 
2517  if( ssl->endpoint == SSL_IS_SERVER &&
2518  ( ssl->authmode == SSL_VERIFY_NONE ||
2519  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
2520  {
2522  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2523  ssl->state++;
2524  return( 0 );
2525  }
2526 
2527  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2528  {
2529  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2530  return( ret );
2531  }
2532 
2533  ssl->state++;
2534 
2535 #if defined(POLARSSL_SSL_PROTO_SSL3)
2536  /*
2537  * Check if the client sent an empty certificate
2538  */
2539  if( ssl->endpoint == SSL_IS_SERVER &&
2540  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2541  {
2542  if( ssl->in_msglen == 2 &&
2543  ssl->in_msgtype == SSL_MSG_ALERT &&
2544  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2545  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2546  {
2547  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2548 
2550  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2551  return( 0 );
2552  else
2554  }
2555  }
2556 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2557 
2558 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2559  defined(POLARSSL_SSL_PROTO_TLS1_2)
2560  if( ssl->endpoint == SSL_IS_SERVER &&
2561  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2562  {
2563  if( ssl->in_hslen == 7 &&
2564  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2565  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2566  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2567  {
2568  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2569 
2571  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2573  else
2574  return( 0 );
2575  }
2576  }
2577 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2578  POLARSSL_SSL_PROTO_TLS1_2 */
2579 
2580  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2581  {
2582  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2584  }
2585 
2586  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2587  {
2588  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2590  }
2591 
2592  /*
2593  * Same message structure as in ssl_write_certificate()
2594  */
2595  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2596 
2597  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2598  {
2599  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2601  }
2602 
2603  /* In case we tried to reuse a session but it failed */
2604  if( ssl->session_negotiate->peer_cert != NULL )
2605  {
2608  }
2609 
2611  sizeof( x509_crt ) ) ) == NULL )
2612  {
2613  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2614  sizeof( x509_crt ) ) );
2616  }
2617 
2619 
2620  i = 7;
2621 
2622  while( i < ssl->in_hslen )
2623  {
2624  if( ssl->in_msg[i] != 0 )
2625  {
2626  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2628  }
2629 
2630  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2631  | (unsigned int) ssl->in_msg[i + 2];
2632  i += 3;
2633 
2634  if( n < 128 || i + n > ssl->in_hslen )
2635  {
2636  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2638  }
2639 
2641  ssl->in_msg + i, n );
2642  if( ret != 0 )
2643  {
2644  SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
2645  return( ret );
2646  }
2647 
2648  i += n;
2649  }
2650 
2651  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2652 
2653  if( ssl->authmode != SSL_VERIFY_NONE )
2654  {
2655  if( ssl->ca_chain == NULL )
2656  {
2657  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2659  }
2660 
2662  ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2664  ssl->f_vrfy, ssl->p_vrfy );
2665 
2666  if( ret != 0 )
2667  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2668 
2669  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2670  ret = 0;
2671  }
2672 
2673  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2674 
2675  return( ret );
2676 }
2677 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED
2678  !POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
2679  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
2680  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2681  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2682  !POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
2683  !POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2684 
2686 {
2687  int ret;
2688 
2689  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2690 
2692  ssl->out_msglen = 1;
2693  ssl->out_msg[0] = 1;
2694 
2695  ssl->state++;
2696 
2697  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2698  {
2699  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2700  return( ret );
2701  }
2702 
2703  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2704 
2705  return( 0 );
2706 }
2707 
2709 {
2710  int ret;
2711 
2712  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2713 
2714  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2715  {
2716  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2717  return( ret );
2718  }
2719 
2721  {
2722  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2724  }
2725 
2726  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2727  {
2728  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2730  }
2731 
2732  ssl->state++;
2733 
2734  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2735 
2736  return( 0 );
2737 }
2738 
2740  const ssl_ciphersuite_t *ciphersuite_info )
2741 {
2742  ((void) ciphersuite_info);
2743 
2744 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2745  defined(POLARSSL_SSL_PROTO_TLS1_1)
2746  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2747  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2748  else
2749 #endif
2750 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2751 #if defined(POLARSSL_SHA512_C)
2752  if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2753  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2754  else
2755 #endif
2756 #if defined(POLARSSL_SHA256_C)
2757  if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
2758  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2759  else
2760 #endif
2761 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2762  /* Should never happen */
2763  return;
2764 }
2765 
2766 static void ssl_update_checksum_start( ssl_context *ssl,
2767  const unsigned char *buf, size_t len )
2768 {
2769 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2770  defined(POLARSSL_SSL_PROTO_TLS1_1)
2771  md5_update( &ssl->handshake->fin_md5 , buf, len );
2772  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2773 #endif
2774 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2775 #if defined(POLARSSL_SHA256_C)
2776  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2777 #endif
2778 #if defined(POLARSSL_SHA512_C)
2779  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2780 #endif
2781 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2782 }
2783 
2784 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2785  defined(POLARSSL_SSL_PROTO_TLS1_1)
2786 static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2787  const unsigned char *buf, size_t len )
2788 {
2789  md5_update( &ssl->handshake->fin_md5 , buf, len );
2790  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2791 }
2792 #endif
2793 
2794 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2795 #if defined(POLARSSL_SHA256_C)
2796 static void ssl_update_checksum_sha256( ssl_context *ssl,
2797  const unsigned char *buf, size_t len )
2798 {
2799  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2800 }
2801 #endif
2802 
2803 #if defined(POLARSSL_SHA512_C)
2804 static void ssl_update_checksum_sha384( ssl_context *ssl,
2805  const unsigned char *buf, size_t len )
2806 {
2807  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2808 }
2809 #endif
2810 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2811 
2812 #if defined(POLARSSL_SSL_PROTO_SSL3)
2813 static void ssl_calc_finished_ssl(
2814  ssl_context *ssl, unsigned char *buf, int from )
2815 {
2816  const char *sender;
2817  md5_context md5;
2819 
2820  unsigned char padbuf[48];
2821  unsigned char md5sum[16];
2822  unsigned char sha1sum[20];
2823 
2824  ssl_session *session = ssl->session_negotiate;
2825  if( !session )
2826  session = ssl->session;
2827 
2828  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2829 
2830  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2831  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2832 
2833  /*
2834  * SSLv3:
2835  * hash =
2836  * MD5( master + pad2 +
2837  * MD5( handshake + sender + master + pad1 ) )
2838  * + SHA1( master + pad2 +
2839  * SHA1( handshake + sender + master + pad1 ) )
2840  */
2841 
2842 #if !defined(POLARSSL_MD5_ALT)
2843  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2844  md5.state, sizeof( md5.state ) );
2845 #endif
2846 
2847 #if !defined(POLARSSL_SHA1_ALT)
2848  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2849  sha1.state, sizeof( sha1.state ) );
2850 #endif
2851 
2852  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2853  : "SRVR";
2854 
2855  memset( padbuf, 0x36, 48 );
2856 
2857  md5_update( &md5, (const unsigned char *) sender, 4 );
2858  md5_update( &md5, session->master, 48 );
2859  md5_update( &md5, padbuf, 48 );
2860  md5_finish( &md5, md5sum );
2861 
2862  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2863  sha1_update( &sha1, session->master, 48 );
2864  sha1_update( &sha1, padbuf, 40 );
2865  sha1_finish( &sha1, sha1sum );
2866 
2867  memset( padbuf, 0x5C, 48 );
2868 
2869  md5_starts( &md5 );
2870  md5_update( &md5, session->master, 48 );
2871  md5_update( &md5, padbuf, 48 );
2872  md5_update( &md5, md5sum, 16 );
2873  md5_finish( &md5, buf );
2874 
2875  sha1_starts( &sha1 );
2876  sha1_update( &sha1, session->master, 48 );
2877  sha1_update( &sha1, padbuf , 40 );
2878  sha1_update( &sha1, sha1sum, 20 );
2879  sha1_finish( &sha1, buf + 16 );
2880 
2881  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2882 
2883  memset( &md5, 0, sizeof( md5_context ) );
2884  memset( &sha1, 0, sizeof( sha1_context ) );
2885 
2886  memset( padbuf, 0, sizeof( padbuf ) );
2887  memset( md5sum, 0, sizeof( md5sum ) );
2888  memset( sha1sum, 0, sizeof( sha1sum ) );
2889 
2890  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2891 }
2892 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2893 
2894 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
2895 static void ssl_calc_finished_tls(
2896  ssl_context *ssl, unsigned char *buf, int from )
2897 {
2898  int len = 12;
2899  const char *sender;
2900  md5_context md5;
2902  unsigned char padbuf[36];
2903 
2904  ssl_session *session = ssl->session_negotiate;
2905  if( !session )
2906  session = ssl->session;
2907 
2908  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2909 
2910  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2911  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2912 
2913  /*
2914  * TLSv1:
2915  * hash = PRF( master, finished_label,
2916  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2917  */
2918 
2919 #if !defined(POLARSSL_MD5_ALT)
2920  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2921  md5.state, sizeof( md5.state ) );
2922 #endif
2923 
2924 #if !defined(POLARSSL_SHA1_ALT)
2925  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2926  sha1.state, sizeof( sha1.state ) );
2927 #endif
2928 
2929  sender = ( from == SSL_IS_CLIENT )
2930  ? "client finished"
2931  : "server finished";
2932 
2933  md5_finish( &md5, padbuf );
2934  sha1_finish( &sha1, padbuf + 16 );
2935 
2936  ssl->handshake->tls_prf( session->master, 48, sender,
2937  padbuf, 36, buf, len );
2938 
2939  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2940 
2941  memset( &md5, 0, sizeof( md5_context ) );
2942  memset( &sha1, 0, sizeof( sha1_context ) );
2943 
2944  memset( padbuf, 0, sizeof( padbuf ) );
2945 
2946  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2947 }
2948 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
2949 
2950 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2951 #if defined(POLARSSL_SHA256_C)
2952 static void ssl_calc_finished_tls_sha256(
2953  ssl_context *ssl, unsigned char *buf, int from )
2954 {
2955  int len = 12;
2956  const char *sender;
2958  unsigned char padbuf[32];
2959 
2960  ssl_session *session = ssl->session_negotiate;
2961  if( !session )
2962  session = ssl->session;
2963 
2964  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2965 
2966  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
2967 
2968  /*
2969  * TLSv1.2:
2970  * hash = PRF( master, finished_label,
2971  * Hash( handshake ) )[0.11]
2972  */
2973 
2974 #if !defined(POLARSSL_SHA256_ALT)
2975  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2976  sha256.state, sizeof( sha256.state ) );
2977 #endif
2978 
2979  sender = ( from == SSL_IS_CLIENT )
2980  ? "client finished"
2981  : "server finished";
2982 
2983  sha256_finish( &sha256, padbuf );
2984 
2985  ssl->handshake->tls_prf( session->master, 48, sender,
2986  padbuf, 32, buf, len );
2987 
2988  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2989 
2990  memset( &sha256, 0, sizeof( sha256_context ) );
2991 
2992  memset( padbuf, 0, sizeof( padbuf ) );
2993 
2994  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2995 }
2996 #endif /* POLARSSL_SHA256_C */
2997 
2998 #if defined(POLARSSL_SHA512_C)
2999 static void ssl_calc_finished_tls_sha384(
3000  ssl_context *ssl, unsigned char *buf, int from )
3001 {
3002  int len = 12;
3003  const char *sender;
3005  unsigned char padbuf[48];
3006 
3007  ssl_session *session = ssl->session_negotiate;
3008  if( !session )
3009  session = ssl->session;
3010 
3011  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
3012 
3013  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
3014 
3015  /*
3016  * TLSv1.2:
3017  * hash = PRF( master, finished_label,
3018  * Hash( handshake ) )[0.11]
3019  */
3020 
3021 #if !defined(POLARSSL_SHA512_ALT)
3022  SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3023  sha512.state, sizeof( sha512.state ) );
3024 #endif
3025 
3026  sender = ( from == SSL_IS_CLIENT )
3027  ? "client finished"
3028  : "server finished";
3029 
3030  sha512_finish( &sha512, padbuf );
3031 
3032  ssl->handshake->tls_prf( session->master, 48, sender,
3033  padbuf, 48, buf, len );
3034 
3035  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3036 
3037  memset( &sha512, 0, sizeof( sha512_context ) );
3038 
3039  memset( padbuf, 0, sizeof( padbuf ) );
3040 
3041  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3042 }
3043 #endif /* POLARSSL_SHA512_C */
3044 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3045 
3046 void ssl_handshake_wrapup( ssl_context *ssl )
3047 {
3048  int resume = ssl->handshake->resume;
3049 
3050  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3051 
3052  /*
3053  * Free our handshake params
3054  */
3055  ssl_handshake_free( ssl->handshake );
3056  polarssl_free( ssl->handshake );
3057  ssl->handshake = NULL;
3058 
3059  if( ssl->renegotiation == SSL_RENEGOTIATION )
3061 
3062  /*
3063  * Switch in our now active transform context
3064  */
3065  if( ssl->transform )
3066  {
3067  ssl_transform_free( ssl->transform );
3068  polarssl_free( ssl->transform );
3069  }
3070  ssl->transform = ssl->transform_negotiate;
3071  ssl->transform_negotiate = NULL;
3072 
3073  if( ssl->session )
3074  {
3075  ssl_session_free( ssl->session );
3076  polarssl_free( ssl->session );
3077  }
3078  ssl->session = ssl->session_negotiate;
3079  ssl->session_negotiate = NULL;
3080 
3081  /*
3082  * Add cache entry
3083  */
3084  if( ssl->f_set_cache != NULL &&
3085  ssl->session->length != 0 &&
3086  resume == 0 )
3087  {
3088  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3089  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
3090  }
3091 
3092  ssl->state++;
3093 
3094  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3095 }
3096 
3097 int ssl_write_finished( ssl_context *ssl )
3098 {
3099  int ret, hash_len;
3100 
3101  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3102 
3103  /*
3104  * Set the out_msg pointer to the correct location based on IV length
3105  */
3106  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3107  {
3108  ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3110  }
3111  else
3112  ssl->out_msg = ssl->out_iv;
3113 
3114  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
3115 
3116  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3117  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3118 
3119  ssl->verify_data_len = hash_len;
3120  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
3121 
3122  ssl->out_msglen = 4 + hash_len;
3124  ssl->out_msg[0] = SSL_HS_FINISHED;
3125 
3126  /*
3127  * In case of session resuming, invert the client and server
3128  * ChangeCipherSpec messages order.
3129  */
3130  if( ssl->handshake->resume != 0 )
3131  {
3132  if( ssl->endpoint == SSL_IS_CLIENT )
3133  ssl->state = SSL_HANDSHAKE_WRAPUP;
3134  else
3136  }
3137  else
3138  ssl->state++;
3139 
3140  /*
3141  * Switch to our negotiated transform and session parameters for outbound data.
3142  */
3143  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3144  ssl->transform_out = ssl->transform_negotiate;
3145  ssl->session_out = ssl->session_negotiate;
3146  memset( ssl->out_ctr, 0, 8 );
3147 
3148 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3149  if( ssl_hw_record_activate != NULL)
3150  {
3151  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3152  {
3153  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3155  }
3156  }
3157 #endif
3158 
3159  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3160  {
3161  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3162  return( ret );
3163  }
3164 
3165  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3166 
3167  return( 0 );
3168 }
3169 
3170 int ssl_parse_finished( ssl_context *ssl )
3171 {
3172  int ret;
3173  unsigned int hash_len;
3174  unsigned char buf[36];
3175 
3176  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3177 
3178  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
3179 
3180  /*
3181  * Switch to our negotiated transform and session parameters for inbound data.
3182  */
3183  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3184  ssl->transform_in = ssl->transform_negotiate;
3185  ssl->session_in = ssl->session_negotiate;
3186  memset( ssl->in_ctr, 0, 8 );
3187 
3188  /*
3189  * Set the in_msg pointer to the correct location based on IV length
3190  */
3191  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3192  {
3193  ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3195  }
3196  else
3197  ssl->in_msg = ssl->in_iv;
3198 
3199 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3200  if( ssl_hw_record_activate != NULL)
3201  {
3202  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3203  {
3204  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3206  }
3207  }
3208 #endif
3209 
3210  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3211  {
3212  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3213  return( ret );
3214  }
3215 
3216  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3217  {
3218  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3220  }
3221 
3222  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3223  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3224 
3225  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3226  ssl->in_hslen != 4 + hash_len )
3227  {
3228  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3230  }
3231 
3232  if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
3233  {
3234  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3236  }
3237 
3238  ssl->verify_data_len = hash_len;
3239  memcpy( ssl->peer_verify_data, buf, hash_len );
3240 
3241  if( ssl->handshake->resume != 0 )
3242  {
3243  if( ssl->endpoint == SSL_IS_CLIENT )
3245 
3246  if( ssl->endpoint == SSL_IS_SERVER )
3247  ssl->state = SSL_HANDSHAKE_WRAPUP;
3248  }
3249  else
3250  ssl->state++;
3251 
3252  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3253 
3254  return( 0 );
3255 }
3256 
3257 static int ssl_handshake_init( ssl_context *ssl )
3258 {
3259  if( ssl->transform_negotiate )
3261  else
3262  {
3263  ssl->transform_negotiate =
3265  }
3266 
3267  if( ssl->session_negotiate )
3269  else
3270  {
3271  ssl->session_negotiate =
3272  (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
3273  }
3274 
3275  if( ssl->handshake )
3276  ssl_handshake_free( ssl->handshake );
3277  else
3278  {
3279  ssl->handshake = (ssl_handshake_params *)
3281  }
3282 
3283  if( ssl->handshake == NULL ||
3284  ssl->transform_negotiate == NULL ||
3285  ssl->session_negotiate == NULL )
3286  {
3287  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3289  }
3290 
3291  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
3292  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
3293  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
3294 
3295 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3296  defined(POLARSSL_SSL_PROTO_TLS1_1)
3297  md5_starts( &ssl->handshake->fin_md5 );
3298  sha1_starts( &ssl->handshake->fin_sha1 );
3299 #endif
3300 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3301 #if defined(POLARSSL_SHA256_C)
3302  sha256_starts( &ssl->handshake->fin_sha256, 0 );
3303 #endif
3304 #if defined(POLARSSL_SHA512_C)
3305  sha512_starts( &ssl->handshake->fin_sha512, 1 );
3306 #endif
3307 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3308 
3309  ssl->handshake->update_checksum = ssl_update_checksum_start;
3311 
3312 #if defined(POLARSSL_ECDH_C)
3313  ecdh_init( &ssl->handshake->ecdh_ctx );
3314 #endif
3315 
3316 #if defined(POLARSSL_X509_CRT_PARSE_C)
3317  ssl->handshake->key_cert = ssl->key_cert;
3318 #endif
3319 
3320  return( 0 );
3321 }
3322 
3323 /*
3324  * Initialize an SSL context
3325  */
3326 int ssl_init( ssl_context *ssl )
3327 {
3328  int ret;
3329  int len = SSL_BUFFER_LEN;
3330 
3331  memset( ssl, 0, sizeof( ssl_context ) );
3332 
3333  /*
3334  * Sane defaults
3335  */
3340 
3342 
3343 #if defined(POLARSSL_DHM_C)
3344  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3346  ( ret = mpi_read_string( &ssl->dhm_G, 16,
3348  {
3349  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3350  return( ret );
3351  }
3352 #endif
3353 
3354  /*
3355  * Prepare base structures
3356  */
3357  ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
3358  ssl->in_hdr = ssl->in_ctr + 8;
3359  ssl->in_iv = ssl->in_ctr + 13;
3360  ssl->in_msg = ssl->in_ctr + 13;
3361 
3362  if( ssl->in_ctr == NULL )
3363  {
3364  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3366  }
3367 
3368  ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
3369  ssl->out_hdr = ssl->out_ctr + 8;
3370  ssl->out_iv = ssl->out_ctr + 13;
3371  ssl->out_msg = ssl->out_ctr + 13;
3372 
3373  if( ssl->out_ctr == NULL )
3374  {
3375  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3376  polarssl_free( ssl-> in_ctr );
3378  }
3379 
3380  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3381  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3382 
3383 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3385 #endif
3386 
3387  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3388  return( ret );
3389 
3390  return( 0 );
3391 }
3392 
3393 /*
3394  * Reset an initialized and used SSL context for re-use while retaining
3395  * all application-set variables, function pointers and data.
3396  */
3397 int ssl_session_reset( ssl_context *ssl )
3398 {
3399  int ret;
3400 
3401  ssl->state = SSL_HELLO_REQUEST;
3404 
3405  ssl->verify_data_len = 0;
3406  memset( ssl->own_verify_data, 0, 36 );
3407  memset( ssl->peer_verify_data, 0, 36 );
3408 
3409  ssl->in_offt = NULL;
3410 
3411  ssl->in_msg = ssl->in_ctr + 13;
3412  ssl->in_msgtype = 0;
3413  ssl->in_msglen = 0;
3414  ssl->in_left = 0;
3415 
3416  ssl->in_hslen = 0;
3417  ssl->nb_zero = 0;
3418  ssl->record_read = 0;
3419 
3420  ssl->out_msg = ssl->out_ctr + 13;
3421  ssl->out_msgtype = 0;
3422  ssl->out_msglen = 0;
3423  ssl->out_left = 0;
3424 
3425  ssl->transform_in = NULL;
3426  ssl->transform_out = NULL;
3427 
3428  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3429  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3430 
3431 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3432  if( ssl_hw_record_reset != NULL)
3433  {
3434  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3435  if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
3436  {
3437  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3439  }
3440  }
3441 #endif
3442 
3443  if( ssl->transform )
3444  {
3445  ssl_transform_free( ssl->transform );
3446  polarssl_free( ssl->transform );
3447  ssl->transform = NULL;
3448  }
3449 
3450  if( ssl->session )
3451  {
3452  ssl_session_free( ssl->session );
3453  polarssl_free( ssl->session );
3454  ssl->session = NULL;
3455  }
3456 
3457  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3458  return( ret );
3459 
3460  return( 0 );
3461 }
3462 
3463 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3464 /*
3465  * Allocate and initialize ticket keys
3466  */
3467 static int ssl_ticket_keys_init( ssl_context *ssl )
3468 {
3469  int ret;
3470  ssl_ticket_keys *tkeys;
3471  unsigned char buf[16];
3472 
3473  if( ssl->ticket_keys != NULL )
3474  return( 0 );
3475 
3476  tkeys = (ssl_ticket_keys *) polarssl_malloc( sizeof(ssl_ticket_keys) );
3477  if( tkeys == NULL )
3479 
3480  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
3481  {
3482  polarssl_free( tkeys );
3483  return( ret );
3484  }
3485 
3486  if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3487  ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3488  ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3489  {
3490  polarssl_free( tkeys );
3491  return( ret );
3492  }
3493 
3494  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
3495  {
3496  polarssl_free( tkeys );
3497  return( ret );
3498  }
3499 
3500  ssl->ticket_keys = tkeys;
3501 
3502  return( 0 );
3503 }
3504 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3505 
3506 /*
3507  * SSL set accessors
3508  */
3509 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3510 {
3511  ssl->endpoint = endpoint;
3512 
3513 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3514  if( endpoint == SSL_IS_CLIENT )
3516 #endif
3517 }
3518 
3519 void ssl_set_authmode( ssl_context *ssl, int authmode )
3520 {
3521  ssl->authmode = authmode;
3522 }
3523 
3524 #if defined(POLARSSL_X509_CRT_PARSE_C)
3525 void ssl_set_verify( ssl_context *ssl,
3526  int (*f_vrfy)(void *, x509_crt *, int, int *),
3527  void *p_vrfy )
3528 {
3529  ssl->f_vrfy = f_vrfy;
3530  ssl->p_vrfy = p_vrfy;
3531 }
3532 #endif /* POLARSSL_X509_CRT_PARSE_C */
3533 
3534 void ssl_set_rng( ssl_context *ssl,
3535  int (*f_rng)(void *, unsigned char *, size_t),
3536  void *p_rng )
3537 {
3538  ssl->f_rng = f_rng;
3539  ssl->p_rng = p_rng;
3540 }
3541 
3542 void ssl_set_dbg( ssl_context *ssl,
3543  void (*f_dbg)(void *, int, const char *),
3544  void *p_dbg )
3545 {
3546  ssl->f_dbg = f_dbg;
3547  ssl->p_dbg = p_dbg;
3548 }
3549 
3550 void ssl_set_bio( ssl_context *ssl,
3551  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3552  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3553 {
3554  ssl->f_recv = f_recv;
3555  ssl->f_send = f_send;
3556  ssl->p_recv = p_recv;
3557  ssl->p_send = p_send;
3558 }
3559 
3561  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3562  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3563 {
3564  ssl->f_get_cache = f_get_cache;
3565  ssl->p_get_cache = p_get_cache;
3566  ssl->f_set_cache = f_set_cache;
3567  ssl->p_set_cache = p_set_cache;
3568 }
3569 
3570 int ssl_set_session( ssl_context *ssl, const ssl_session *session )
3571 {
3572  int ret;
3573 
3574  if( ssl == NULL ||
3575  session == NULL ||
3576  ssl->session_negotiate == NULL ||
3577  ssl->endpoint != SSL_IS_CLIENT )
3578  {
3580  }
3581 
3582  if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3583  return( ret );
3584 
3585  ssl->handshake->resume = 1;
3586 
3587  return( 0 );
3588 }
3589 
3590 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3591 {
3592  ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3593  ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3594  ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3595  ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3596 }
3597 
3598 void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
3599  int major, int minor )
3600 {
3601  if( major != SSL_MAJOR_VERSION_3 )
3602  return;
3603 
3604  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3605  return;
3606 
3607  ssl->ciphersuite_list[minor] = ciphersuites;
3608 }
3609 
3610 #if defined(POLARSSL_X509_CRT_PARSE_C)
3611 /* Add a new (empty) key_cert entry an return a pointer to it */
3612 static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3613 {
3614  ssl_key_cert *key_cert, *last;
3615 
3616  key_cert = (ssl_key_cert *) polarssl_malloc( sizeof(ssl_key_cert) );
3617  if( key_cert == NULL )
3618  return( NULL );
3619 
3620  memset( key_cert, 0, sizeof( ssl_key_cert ) );
3621 
3622  /* Append the new key_cert to the (possibly empty) current list */
3623  if( ssl->key_cert == NULL )
3624  {
3625  ssl->key_cert = key_cert;
3626  if( ssl->handshake != NULL )
3627  ssl->handshake->key_cert = key_cert;
3628  }
3629  else
3630  {
3631  last = ssl->key_cert;
3632  while( last->next != NULL )
3633  last = last->next;
3634  last->next = key_cert;
3635  }
3636 
3637  return key_cert;
3638 }
3639 
3640 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
3641  x509_crl *ca_crl, const char *peer_cn )
3642 {
3643  ssl->ca_chain = ca_chain;
3644  ssl->ca_crl = ca_crl;
3645  ssl->peer_cn = peer_cn;
3646 }
3647 
3648 int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
3649  pk_context *pk_key )
3650 {
3651  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3652 
3653  if( key_cert == NULL )
3655 
3656  key_cert->cert = own_cert;
3657  key_cert->key = pk_key;
3658 
3659  return( 0 );
3660 }
3661 
3662 #if defined(POLARSSL_RSA_C)
3663 int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
3664  rsa_context *rsa_key )
3665 {
3666  int ret;
3667  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3668 
3669  if( key_cert == NULL )
3671 
3672  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3673  if( key_cert->key == NULL )
3675 
3676  pk_init( key_cert->key );
3677 
3678  ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
3679  if( ret != 0 )
3680  return( ret );
3681 
3682  if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
3683  return( ret );
3684 
3685  key_cert->cert = own_cert;
3686  key_cert->key_own_alloc = 1;
3687 
3688  return( 0 );
3689 }
3690 #endif /* POLARSSL_RSA_C */
3691 
3692 int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
3693  void *rsa_key,
3694  rsa_decrypt_func rsa_decrypt,
3695  rsa_sign_func rsa_sign,
3696  rsa_key_len_func rsa_key_len )
3697 {
3698  int ret;
3699  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3700 
3701  if( key_cert == NULL )
3703 
3704  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3705  if( key_cert->key == NULL )
3707 
3708  pk_init( key_cert->key );
3709 
3710  if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
3711  rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
3712  return( ret );
3713 
3714  key_cert->cert = own_cert;
3715  key_cert->key_own_alloc = 1;
3716 
3717  return( 0 );
3718 }
3719 #endif /* POLARSSL_X509_CRT_PARSE_C */
3720 
3721 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
3722 int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3723  const unsigned char *psk_identity, size_t psk_identity_len )
3724 {
3725  if( psk == NULL || psk_identity == NULL )
3727 
3728  if( ssl->psk != NULL )
3729  {
3730  polarssl_free( ssl->psk );
3731  polarssl_free( ssl->psk_identity );
3732  }
3733 
3734  ssl->psk_len = psk_len;
3735  ssl->psk_identity_len = psk_identity_len;
3736 
3737  ssl->psk = (unsigned char *) polarssl_malloc( ssl->psk_len );
3738  ssl->psk_identity = (unsigned char *) polarssl_malloc( ssl->psk_identity_len );
3739 
3740  if( ssl->psk == NULL || ssl->psk_identity == NULL )
3742 
3743  memcpy( ssl->psk, psk, ssl->psk_len );
3744  memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
3745 
3746  return( 0 );
3747 }
3748 
3749 void ssl_set_psk_cb( ssl_context *ssl,
3750  int (*f_psk)(void *, ssl_context *, const unsigned char *,
3751  size_t),
3752  void *p_psk )
3753 {
3754  ssl->f_psk = f_psk;
3755  ssl->p_psk = p_psk;
3756 }
3757 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
3758 
3759 #if defined(POLARSSL_DHM_C)
3760 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3761 {
3762  int ret;
3763 
3764  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3765  {
3766  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3767  return( ret );
3768  }
3769 
3770  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3771  {
3772  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3773  return( ret );
3774  }
3775 
3776  return( 0 );
3777 }
3778 
3779 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3780 {
3781  int ret;
3782 
3783  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3784  {
3785  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3786  return( ret );
3787  }
3788 
3789  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3790  {
3791  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3792  return( ret );
3793  }
3794 
3795  return( 0 );
3796 }
3797 #endif /* POLARSSL_DHM_C */
3798 
3799 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
3800 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3801 {
3802  if( hostname == NULL )
3804 
3805  ssl->hostname_len = strlen( hostname );
3806 
3807  if( ssl->hostname_len + 1 == 0 )
3809 
3810  ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
3811 
3812  if( ssl->hostname == NULL )
3814 
3815  memcpy( ssl->hostname, (const unsigned char *) hostname,
3816  ssl->hostname_len );
3817 
3818  ssl->hostname[ssl->hostname_len] = '\0';
3819 
3820  return( 0 );
3821 }
3822 
3823 void ssl_set_sni( ssl_context *ssl,
3824  int (*f_sni)(void *, ssl_context *,
3825  const unsigned char *, size_t),
3826  void *p_sni )
3827 {
3828  ssl->f_sni = f_sni;
3829  ssl->p_sni = p_sni;
3830 }
3831 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
3832 
3833 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3834 {
3835  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3836  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3837  {
3838  ssl->max_major_ver = major;
3839  ssl->max_minor_ver = minor;
3840  }
3841 }
3842 
3843 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3844 {
3845  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3846  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3847  {
3848  ssl->min_major_ver = major;
3849  ssl->min_minor_ver = minor;
3850  }
3851 }
3852 
3853 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
3854 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
3855 {
3856  if( mfl_code >= SSL_MAX_FRAG_LEN_INVALID ||
3857  mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
3858  {
3860  }
3861 
3862  ssl->mfl_code = mfl_code;
3863 
3864  return( 0 );
3865 }
3866 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
3867 
3868 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
3869 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
3870 {
3871  if( ssl->endpoint != SSL_IS_CLIENT )
3873 
3874  ssl->trunc_hmac = truncate;
3875 
3876  return( 0 );
3877 }
3878 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
3879 
3880 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3881 {
3882  ssl->disable_renegotiation = renegotiation;
3883 }
3884 
3885 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3886 {
3887  ssl->allow_legacy_renegotiation = allow_legacy;
3888 }
3889 
3890 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3891 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
3892 {
3893  ssl->session_tickets = use_tickets;
3894 
3895  if( ssl->endpoint == SSL_IS_CLIENT )
3896  return( 0 );
3897 
3898  if( ssl->f_rng == NULL )
3900 
3901  return( ssl_ticket_keys_init( ssl ) );
3902 }
3903 
3904 void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
3905 {
3906  ssl->ticket_lifetime = lifetime;
3907 }
3908 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3909 
3910 /*
3911  * SSL get accessors
3912  */
3913 size_t ssl_get_bytes_avail( const ssl_context *ssl )
3914 {
3915  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3916 }
3917 
3918 int ssl_get_verify_result( const ssl_context *ssl )
3919 {
3920  return( ssl->session->verify_result );
3921 }
3922 
3923 const char *ssl_get_ciphersuite( const ssl_context *ssl )
3924 {
3925  if( ssl == NULL || ssl->session == NULL )
3926  return NULL;
3927 
3929 }
3930 
3931 const char *ssl_get_version( const ssl_context *ssl )
3932 {
3933  switch( ssl->minor_ver )
3934  {
3935  case SSL_MINOR_VERSION_0:
3936  return( "SSLv3.0" );
3937 
3938  case SSL_MINOR_VERSION_1:
3939  return( "TLSv1.0" );
3940 
3941  case SSL_MINOR_VERSION_2:
3942  return( "TLSv1.1" );
3943 
3944  case SSL_MINOR_VERSION_3:
3945  return( "TLSv1.2" );
3946 
3947  default:
3948  break;
3949  }
3950  return( "unknown" );
3951 }
3952 
3953 #if defined(POLARSSL_X509_CRT_PARSE_C)
3954 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
3955 {
3956  if( ssl == NULL || ssl->session == NULL )
3957  return NULL;
3958 
3959  return ssl->session->peer_cert;
3960 }
3961 #endif /* POLARSSL_X509_CRT_PARSE_C */
3962 
3963 int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
3964 {
3965  if( ssl == NULL ||
3966  dst == NULL ||
3967  ssl->session == NULL ||
3968  ssl->endpoint != SSL_IS_CLIENT )
3969  {
3971  }
3972 
3973  return( ssl_session_copy( dst, ssl->session ) );
3974 }
3975 
3976 /*
3977  * Perform a single step of the SSL handshake
3978  */
3979 int ssl_handshake_step( ssl_context *ssl )
3980 {
3982 
3983 #if defined(POLARSSL_SSL_CLI_C)
3984  if( ssl->endpoint == SSL_IS_CLIENT )
3985  ret = ssl_handshake_client_step( ssl );
3986 #endif
3987 
3988 #if defined(POLARSSL_SSL_SRV_C)
3989  if( ssl->endpoint == SSL_IS_SERVER )
3990  ret = ssl_handshake_server_step( ssl );
3991 #endif
3992 
3993  return( ret );
3994 }
3995 
3996 /*
3997  * Perform the SSL handshake
3998  */
3999 int ssl_handshake( ssl_context *ssl )
4000 {
4001  int ret = 0;
4002 
4003  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
4004 
4005  while( ssl->state != SSL_HANDSHAKE_OVER )
4006  {
4007  ret = ssl_handshake_step( ssl );
4008 
4009  if( ret != 0 )
4010  break;
4011  }
4012 
4013  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
4014 
4015  return( ret );
4016 }
4017 
4018 #if defined(POLARSSL_SSL_SRV_C)
4019 /*
4020  * Write HelloRequest to request renegotiation on server
4021  */
4022 static int ssl_write_hello_request( ssl_context *ssl )
4023 {
4024  int ret;
4025 
4026  SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
4027 
4028  ssl->out_msglen = 4;
4030  ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
4031 
4032  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4033  {
4034  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4035  return( ret );
4036  }
4037 
4039 
4040  SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4041 
4042  return( 0 );
4043 }
4044 #endif /* POLARSSL_SSL_SRV_C */
4045 
4046 /*
4047  * Actually renegotiate current connection, triggered by either:
4048  * - calling ssl_renegotiate() on client,
4049  * - receiving a HelloRequest on client during ssl_read(),
4050  * - receiving any handshake message on server during ssl_read() after the
4051  * initial handshake is completed
4052  * If the handshake doesn't complete due to waiting for I/O, it will continue
4053  * during the next calls to ssl_renegotiate() or ssl_read() respectively.
4054  */
4055 static int ssl_start_renegotiation( ssl_context *ssl )
4056 {
4057  int ret;
4058 
4059  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4060 
4061  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4062  return( ret );
4063 
4064  ssl->state = SSL_HELLO_REQUEST;
4066 
4067  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4068  {
4069  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4070  return( ret );
4071  }
4072 
4073  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4074 
4075  return( 0 );
4076 }
4077 
4078 /*
4079  * Renegotiate current connection on client,
4080  * or request renegotiation on server
4081  */
4082 int ssl_renegotiate( ssl_context *ssl )
4083 {
4085 
4086 #if defined(POLARSSL_SSL_SRV_C)
4087  /* On server, just send the request */
4088  if( ssl->endpoint == SSL_IS_SERVER )
4089  {
4090  if( ssl->state != SSL_HANDSHAKE_OVER )
4092 
4093  return( ssl_write_hello_request( ssl ) );
4094  }
4095 #endif /* POLARSSL_SSL_SRV_C */
4096 
4097 #if defined(POLARSSL_SSL_CLI_C)
4098  /*
4099  * On client, either start the renegotiation process or,
4100  * if already in progress, continue the handshake
4101  */
4102  if( ssl->renegotiation != SSL_RENEGOTIATION )
4103  {
4104  if( ssl->state != SSL_HANDSHAKE_OVER )
4106 
4107  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4108  {
4109  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4110  return( ret );
4111  }
4112  }
4113  else
4114  {
4115  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4116  {
4117  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4118  return( ret );
4119  }
4120  }
4121 #endif /* POLARSSL_SSL_CLI_C */
4122 
4123  return( ret );
4124 }
4125 
4126 /*
4127  * Receive application data decrypted from the SSL layer
4128  */
4129 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
4130 {
4131  int ret;
4132  size_t n;
4133 
4134  SSL_DEBUG_MSG( 2, ( "=> read" ) );
4135 
4136  if( ssl->state != SSL_HANDSHAKE_OVER )
4137  {
4138  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4139  {
4140  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4141  return( ret );
4142  }
4143  }
4144 
4145  if( ssl->in_offt == NULL )
4146  {
4147  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4148  {
4149  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4150  return( 0 );
4151 
4152  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4153  return( ret );
4154  }
4155 
4156  if( ssl->in_msglen == 0 &&
4158  {
4159  /*
4160  * OpenSSL sends empty messages to randomize the IV
4161  */
4162  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4163  {
4164  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4165  return( 0 );
4166 
4167  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4168  return( ret );
4169  }
4170  }
4171 
4172  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4173  {
4174  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4175 
4176  if( ssl->endpoint == SSL_IS_CLIENT &&
4177  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4178  ssl->in_hslen != 4 ) )
4179  {
4180  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4182  }
4183 
4187  {
4188  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4189 
4190 #if defined(POLARSSL_SSL_PROTO_SSL3)
4191  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
4192  {
4193  /*
4194  * SSLv3 does not have a "no_renegotiation" alert
4195  */
4196  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4197  return( ret );
4198  }
4199  else
4200 #endif
4201 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4202  defined(POLARSSL_SSL_PROTO_TLS1_2)
4203  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
4204  {
4205  if( ( ret = ssl_send_alert_message( ssl,
4208  {
4209  return( ret );
4210  }
4211  }
4212  else
4213 #endif
4214  {
4215  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4217  }
4218  }
4219  else
4220  {
4221  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4222  {
4223  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4224  return( ret );
4225  }
4226 
4227  return( POLARSSL_ERR_NET_WANT_READ );
4228  }
4229  }
4230  else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4231  {
4232  SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4233  "but not honored by client" ) );
4235  }
4236  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
4237  {
4238  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
4240  }
4241 
4242  ssl->in_offt = ssl->in_msg;
4243  }
4244 
4245  n = ( len < ssl->in_msglen )
4246  ? len : ssl->in_msglen;
4247 
4248  memcpy( buf, ssl->in_offt, n );
4249  ssl->in_msglen -= n;
4250 
4251  if( ssl->in_msglen == 0 )
4252  /* all bytes consumed */
4253  ssl->in_offt = NULL;
4254  else
4255  /* more data available */
4256  ssl->in_offt += n;
4257 
4258  SSL_DEBUG_MSG( 2, ( "<= read" ) );
4259 
4260  return( (int) n );
4261 }
4262 
4263 /*
4264  * Send application data to be encrypted by the SSL layer
4265  */
4266 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4267 {
4268  int ret;
4269  size_t n;
4270  unsigned int max_len = SSL_MAX_CONTENT_LEN;
4271 
4272  SSL_DEBUG_MSG( 2, ( "=> write" ) );
4273 
4274  if( ssl->state != SSL_HANDSHAKE_OVER )
4275  {
4276  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4277  {
4278  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4279  return( ret );
4280  }
4281  }
4282 
4283 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4284  /*
4285  * Assume mfl_code is correct since it was checked when set
4286  */
4287  max_len = mfl_code_to_length[ssl->mfl_code];
4288 
4289  /*
4290  * Check if a smaller max length was negotiated
4291  */
4292  if( ssl->session_out != NULL &&
4293  mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4294  {
4295  max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4296  }
4297 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4298 
4299  n = ( len < max_len) ? len : max_len;
4300 
4301  if( ssl->out_left != 0 )
4302  {
4303  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4304  {
4305  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4306  return( ret );
4307  }
4308  }
4309  else
4310  {
4311  ssl->out_msglen = n;
4313  memcpy( ssl->out_msg, buf, n );
4314 
4315  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4316  {
4317  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4318  return( ret );
4319  }
4320  }
4321 
4322  SSL_DEBUG_MSG( 2, ( "<= write" ) );
4323 
4324  return( (int) n );
4325 }
4326 
4327 /*
4328  * Notify the peer that the connection is being closed
4329  */
4330 int ssl_close_notify( ssl_context *ssl )
4331 {
4332  int ret;
4333 
4334  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4335 
4336  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4337  {
4338  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4339  return( ret );
4340  }
4341 
4342  if( ssl->state == SSL_HANDSHAKE_OVER )
4343  {
4344  if( ( ret = ssl_send_alert_message( ssl,
4346  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4347  {
4348  return( ret );
4349  }
4350  }
4351 
4352  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4353 
4354  return( ret );
4355 }
4356 
4357 void ssl_transform_free( ssl_transform *transform )
4358 {
4359 #if defined(POLARSSL_ZLIB_SUPPORT)
4360  deflateEnd( &transform->ctx_deflate );
4361  inflateEnd( &transform->ctx_inflate );
4362 #endif
4363 
4364  cipher_free_ctx( &transform->cipher_ctx_enc );
4365  cipher_free_ctx( &transform->cipher_ctx_dec );
4366 
4367  md_free_ctx( &transform->md_ctx_enc );
4368  md_free_ctx( &transform->md_ctx_dec );
4369 
4370  memset( transform, 0, sizeof( ssl_transform ) );
4371 }
4372 
4373 #if defined(POLARSSL_X509_CRT_PARSE_C)
4374 static void ssl_key_cert_free( ssl_key_cert *key_cert )
4375 {
4376  ssl_key_cert *cur = key_cert, *next;
4377 
4378  while( cur != NULL )
4379  {
4380  next = cur->next;
4381 
4382  if( cur->key_own_alloc )
4383  {
4384  pk_free( cur->key );
4385  polarssl_free( cur->key );
4386  }
4387  polarssl_free( cur );
4388 
4389  cur = next;
4390  }
4391 }
4392 #endif /* POLARSSL_X509_CRT_PARSE_C */
4393 
4394 void ssl_handshake_free( ssl_handshake_params *handshake )
4395 {
4396 #if defined(POLARSSL_DHM_C)
4397  dhm_free( &handshake->dhm_ctx );
4398 #endif
4399 #if defined(POLARSSL_ECDH_C)
4400  ecdh_free( &handshake->ecdh_ctx );
4401 #endif
4402 
4403 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
4404  /* explicit void pointer cast for buggy MS compiler */
4405  polarssl_free( (void *) handshake->curves );
4406 #endif
4407 
4408 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
4409  defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4410  /*
4411  * Free only the linked list wrapper, not the keys themselves
4412  * since the belong to the SNI callback
4413  */
4414  if( handshake->sni_key_cert != NULL )
4415  {
4416  ssl_key_cert *cur = handshake->sni_key_cert, *next;
4417 
4418  while( cur != NULL )
4419  {
4420  next = cur->next;
4421  polarssl_free( cur );
4422  cur = next;
4423  }
4424  }
4425 #endif
4426 
4427  memset( handshake, 0, sizeof( ssl_handshake_params ) );
4428 }
4429 
4430 void ssl_session_free( ssl_session *session )
4431 {
4432 #if defined(POLARSSL_X509_CRT_PARSE_C)
4433  if( session->peer_cert != NULL )
4434  {
4435  x509_crt_free( session->peer_cert );
4436  polarssl_free( session->peer_cert );
4437  }
4438 #endif
4439 
4440 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4441  polarssl_free( session->ticket );
4442 #endif
4443 
4444  memset( session, 0, sizeof( ssl_session ) );
4445 }
4446 
4447 /*
4448  * Free an SSL context
4449  */
4450 void ssl_free( ssl_context *ssl )
4451 {
4452  SSL_DEBUG_MSG( 2, ( "=> free" ) );
4453 
4454  if( ssl->out_ctr != NULL )
4455  {
4456  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
4457  polarssl_free( ssl->out_ctr );
4458  }
4459 
4460  if( ssl->in_ctr != NULL )
4461  {
4462  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
4463  polarssl_free( ssl->in_ctr );
4464  }
4465 
4466 #if defined(POLARSSL_ZLIB_SUPPORT)
4467  if( ssl->compress_buf != NULL )
4468  {
4469  memset( ssl->compress_buf, 0, SSL_BUFFER_LEN );
4470  polarssl_free( ssl->compress_buf );
4471  }
4472 #endif
4473 
4474 #if defined(POLARSSL_DHM_C)
4475  mpi_free( &ssl->dhm_P );
4476  mpi_free( &ssl->dhm_G );
4477 #endif
4478 
4479  if( ssl->transform )
4480  {
4481  ssl_transform_free( ssl->transform );
4482  polarssl_free( ssl->transform );
4483  }
4484 
4485  if( ssl->handshake )
4486  {
4487  ssl_handshake_free( ssl->handshake );
4490 
4491  polarssl_free( ssl->handshake );
4494  }
4495 
4496  if( ssl->session )
4497  {
4498  ssl_session_free( ssl->session );
4499  polarssl_free( ssl->session );
4500  }
4501 
4502 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4503  polarssl_free( ssl->ticket_keys );
4504 #endif
4505 
4506 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4507  if ( ssl->hostname != NULL )
4508  {
4509  memset( ssl->hostname, 0, ssl->hostname_len );
4510  polarssl_free( ssl->hostname );
4511  ssl->hostname_len = 0;
4512  }
4513 #endif
4514 
4515 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
4516  if( ssl->psk != NULL )
4517  {
4518  memset( ssl->psk, 0, ssl->psk_len );
4519  memset( ssl->psk_identity, 0, ssl->psk_identity_len );
4520  polarssl_free( ssl->psk );
4521  polarssl_free( ssl->psk_identity );
4522  ssl->psk_len = 0;
4523  ssl->psk_identity_len = 0;
4524  }
4525 #endif
4526 
4527 #if defined(POLARSSL_X509_CRT_PARSE_C)
4528  ssl_key_cert_free( ssl->key_cert );
4529 #endif
4530 
4531 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4532  if( ssl_hw_record_finish != NULL )
4533  {
4534  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4535  ssl_hw_record_finish( ssl );
4536  }
4537 #endif
4538 
4539  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4540 
4541  /* Actually clear after last debug message */
4542  memset( ssl, 0, sizeof( ssl_context ) );
4543 }
4544 
4545 #if defined(POLARSSL_PK_C)
4546 /*
4547  * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
4548  */
4549 unsigned char ssl_sig_from_pk( pk_context *pk )
4550 {
4551 #if defined(POLARSSL_RSA_C)
4552  if( pk_can_do( pk, POLARSSL_PK_RSA ) )
4553  return( SSL_SIG_RSA );
4554 #endif
4555 #if defined(POLARSSL_ECDSA_C)
4556  if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
4557  return( SSL_SIG_ECDSA );
4558 #endif
4559  return( SSL_SIG_ANON );
4560 }
4561 
4562 pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
4563 {
4564  switch( sig )
4565  {
4566 #if defined(POLARSSL_RSA_C)
4567  case SSL_SIG_RSA:
4568  return( POLARSSL_PK_RSA );
4569 #endif
4570 #if defined(POLARSSL_ECDSA_C)
4571  case SSL_SIG_ECDSA:
4572  return( POLARSSL_PK_ECDSA );
4573 #endif
4574  default:
4575  return( POLARSSL_PK_NONE );
4576  }
4577 }
4578 #endif
4579 
4580 /*
4581  * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
4582  */
4583 md_type_t ssl_md_alg_from_hash( unsigned char hash )
4584 {
4585  switch( hash )
4586  {
4587 #if defined(POLARSSL_MD5_C)
4588  case SSL_HASH_MD5:
4589  return( POLARSSL_MD_MD5 );
4590 #endif
4591 #if defined(POLARSSL_SHA1_C)
4592  case SSL_HASH_SHA1:
4593  return( POLARSSL_MD_SHA1 );
4594 #endif
4595 #if defined(POLARSSL_SHA256_C)
4596  case SSL_HASH_SHA224:
4597  return( POLARSSL_MD_SHA224 );
4598  case SSL_HASH_SHA256:
4599  return( POLARSSL_MD_SHA256 );
4600 #endif
4601 #if defined(POLARSSL_SHA512_C)
4602  case SSL_HASH_SHA384:
4603  return( POLARSSL_MD_SHA384 );
4604  case SSL_HASH_SHA512:
4605  return( POLARSSL_MD_SHA512 );
4606 #endif
4607  default:
4608  return( POLARSSL_MD_NONE );
4609  }
4610 }
4611 
4612 #endif
const ecp_curve_info ** curves
Definition: ssl.h:511
unsigned char * hostname
Definition: ssl.h:751
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:287
ssl_session * session_in
Definition: ssl.h:644
#define SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:291
unsigned char mfl_code
Definition: ssl.h:693
size_t length
Definition: ssl.h:428
void * p_set_cache
Definition: ssl.h:623
md_context_t md_ctx_dec
Definition: ssl.h:479
int ciphersuite
Definition: ssl.h:426
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Processing of the ChangeCipherSpec handshake message failed.
Definition: ssl.h:124
mpi P
Definition: dhm.h:146
int trunc_hmac
Definition: ssl.h:725
size_t in_hslen
Definition: ssl.h:673
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
void(* f_dbg)(void *, int, const char *)
Definition: ssl.h:612
#define SSL_HS_FINISHED
Definition: ssl.h:327
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:611
uint32_t state[8]
Definition: sha256.h:57
const pk_info_t * pk_info_from_type(pk_type_t pk_type)
Return information associated with the given PK type.
#define POLARSSL_DHM_RFC5114_MODP_1024_P
Definition: dhm.h:94
sha256_context fin_sha256
Definition: ssl.h:536
size_t ivlen
Definition: ssl.h:465
int cipher_finish(cipher_context_t *ctx, unsigned char *output, size_t *olen)
Generic cipher finalisation function.
int record_read
Definition: ssl.h:675
Memory allocation layer.
int major_ver
Definition: ssl.h:600
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:41
int rsa_copy(rsa_context *dst, const rsa_context *src)
Copy the components of an RSA context.
SHA-1 context structure.
Definition: sha1.h:54
void *(* polarssl_malloc)(size_t len)
sha1_context fin_sha1
Definition: ssl.h:532
int compression
Definition: ssl.h:427
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:597
const char * peer_cn
Definition: ssl.h:704
unsigned char master[48]
Definition: ssl.h:430
void sha256_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
void sha256(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
char peer_verify_data[36]
Definition: ssl.h:762
int ssl_set_truncated_hmac(ssl_context *ssl, int truncate)
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED) ...
ssl_transform * transform_out
Definition: ssl.h:656
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:55
Debug functions.
#define POLARSSL_ERR_SSL_CONN_EOF
The connection indicated an EOF.
Definition: ssl.h:101
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:627
int nb_zero
Definition: ssl.h:674
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:544
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
DHM context structure.
Definition: dhm.h:143
void * p_psk
Definition: ssl.h:638
#define SSL_BUFFER_LEN
Definition: ssl.h:251
int cipher_write_tag(cipher_context_t *ctx, unsigned char *tag, size_t tag_len)
Write tag for AEAD ciphers.
#define SSL_IS_CLIENT
Definition: ssl.h:193
unsigned char mac_dec[48]
Definition: ssl.h:475
size_t ticket_len
Definition: ssl.h:439
#define SSL_HASH_SHA1
Definition: ssl.h:261
Cipher information.
Definition: cipher.h:207
ssl_session * session_negotiate
Definition: ssl.h:647
const cipher_info_t * cipher_info_from_type(const cipher_type_t cipher_type)
Returns the cipher information structure associated with the given cipher type.
ssl_session * session
Definition: ssl.h:646
void ssl_legacy_renegotiation(ssl_context *ssl, int allow_legacy)
Prevent or allow legacy renegotiation.
int ssl_parse_certificate(ssl_context *ssl)
void ssl_set_dbg(ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg)
Set the debug callback.
#define POLARSSL_ERR_SSL_INVALID_RECORD
An invalid SSL record was received.
Definition: ssl.h:100
#define BADCERT_SKIP_VERIFY
Certificate verification was skipped.
Definition: x509.h:79
uint32_t state[5]
Definition: sha1.h:57
ssl_key_cert * key_cert
Definition: ssl.h:700
ssl_key_cert * sni_key_cert
Definition: ssl.h:522
int ssl_set_session_tickets(ssl_context *ssl, int use_tickets)
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS...
unsigned char iv_enc[16]
Definition: ssl.h:469
size_t out_msglen
Definition: ssl.h:686
void ssl_set_verify(ssl_context *ssl, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Set the verification callback (Optional).
#define SSL_SIG_RSA
Definition: ssl.h:268
int ticket_lifetime
Definition: ssl.h:729
ssl_transform * transform_in
Definition: ssl.h:655
cipher_context_t cipher_ctx_enc
Definition: ssl.h:481
const int * ciphersuite_list[4]
Definition: ssl.h:723
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:618
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
mpi dhm_P
Definition: ssl.h:733
#define SSL_RENEGOTIATION
Definition: ssl.h:203
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:553
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
void sha1_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[20])
Output = HMAC-SHA-1( hmac key, input buffer )
int md_process(md_context_t *ctx, const unsigned char *data)
int x509_crt_parse(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
ssl_transform * transform
Definition: ssl.h:657
x509_crt * cert
Definition: ssl.h:585
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:38
size_t psk_identity_len
Definition: ssl.h:744
unsigned char * out_ctr
Definition: ssl.h:680
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
The peer notified us that the connection is going to be closed.
Definition: ssl.h:113
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:218
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:761
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:206
int x509_crt_parse_der(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
#define SSL_SIG_ECDSA
Definition: ssl.h:269
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:614
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:166
#define SSL_MIN_MINOR_VERSION
Definition: ssl.h:150
#define SSL_VERIFY_OPTIONAL
Definition: ssl.h:199
size_t in_msglen
Definition: ssl.h:670
int ssl_set_dh_param_ctx(ssl_context *ssl, dhm_context *dhm_ctx)
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) ...
unsigned char * in_hdr
Definition: ssl.h:664
int secure_renegotiation
Definition: ssl.h:758
#define SSL_SIG_ANON
Definition: ssl.h:267
sha512_context fin_sha512
Definition: ssl.h:539
#define SSL_VERIFY_REQUIRED
Definition: ssl.h:200
#define SSL_HASH_MD5
Definition: ssl.h:260
#define SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:312
void md5_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[16])
Output = HMAC-MD5( hmac key, input buffer )
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:213
static md_type_t md_get_type(const md_info_t *md_info)
Returns the type of the message digest output.
Definition: md.h:221
int(* tls_prf)(const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl.h:546
unsigned char mac_key[16]
Definition: ssl.h:575
void * p_vrfy
Definition: ssl.h:633
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:140
size_t psk_len
Definition: ssl.h:742
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED
Hardware acceleration function returned with error.
Definition: ssl.h:127
void ssl_set_max_version(ssl_context *ssl, int major, int minor)
Set the maximum supported version sent from the client side and/or accepted at the server side (Defau...
#define SSL_RENEGOTIATION_DONE
Definition: ssl.h:204
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:99
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
No client certification received from the client, but required by the authentication mode...
Definition: ssl.h:105
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:461
void * p_recv
Definition: ssl.h:620
unsigned char * psk
Definition: ssl.h:741
int pk_init_ctx_rsa_alt(pk_context *ctx, void *key, pk_rsa_alt_decrypt_func decrypt_func, pk_rsa_alt_sign_func sign_func, pk_rsa_alt_key_len_func key_len_func)
Initialize an RSA-alt context.
size_t len
Definition: dhm.h:145
void ssl_set_ciphersuites_for_version(ssl_context *ssl, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites and the preference order for a specific version of the protocol...
int ssl_init(ssl_context *ssl)
Initialize an SSL context (An individual SSL context is not thread-safe)
int max_major_ver
Definition: ssl.h:603
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:132
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:93
#define SSL_MINOR_VERSION_1
Definition: ssl.h:142
int ssl_set_psk(ssl_context *ssl, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len)
Set the Pre Shared Key (PSK) and the identity name connected to it.
void ssl_set_psk_cb(ssl_context *ssl, int(*f_psk)(void *, ssl_context *, const unsigned char *, size_t), void *p_psk)
Set the PSK callback (server-side only) (Optional).
unsigned int keylen
Definition: ssl.h:463
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
Hardware acceleration function skipped / left alone data.
Definition: ssl.h:128
int ssl_get_session(const ssl_context *ssl, ssl_session *session)
Save session in order to resume it later (client-side only) Session data is copied to presented sessi...
md_type_t
Definition: md.h:51
int verify_result
Definition: ssl.h:435
unsigned char iv[POLARSSL_MAX_IV_LENGTH]
Current IV or NONCE_COUNTER for CTR-mode.
Definition: cipher.h:260
const cipher_info_t * cipher_info
Information about the associated cipher.
Definition: cipher.h:241
int max_minor_ver
Definition: ssl.h:604
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
The own certificate is not set, but needed by the server.
Definition: ssl.h:107
#define SSL_RENEGOTIATION_PENDING
Definition: ssl.h:205
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:290
unsigned char * in_ctr
Definition: ssl.h:663
ssl_handshake_params * handshake
Definition: ssl.h:649
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:106
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:283
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:543
size_t fixed_ivlen
Definition: ssl.h:466
#define SSL_MINOR_VERSION_2
Definition: ssl.h:143
int ssl_write_certificate(ssl_context *ssl)
size_t(* rsa_key_len_func)(void *ctx)
Definition: ssl.h:379
#define POLARSSL_DHM_RFC5114_MODP_1024_G
Definition: dhm.h:102
RSA context structure.
Definition: rsa.h:77
cipher_context_t cipher_ctx_dec
Definition: ssl.h:482
int in_msgtype
Definition: ssl.h:669
Container for an X.509 certificate.
Definition: x509_crt.h:53
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
A fatal alert message was received from our peer.
Definition: ssl.h:111
#define SSL_MIN_MAJOR_VERSION
Definition: ssl.h:147
#define SSL_DEFAULT_TICKET_LIFETIME
Lifetime of session tickets (if enabled)
Definition: ssl.h:225
size_t verify_data_len
Definition: ssl.h:760
const char * ssl_get_ciphersuite(const ssl_context *ssl)
Return the name of the current ciphersuite.
mpi dhm_G
Definition: ssl.h:734
mpi G
Definition: dhm.h:147
int cipher_free_ctx(cipher_context_t *ctx)
Free the cipher-specific context of ctx.
int cipher_update_ad(cipher_context_t *ctx, const unsigned char *ad, size_t ad_len)
Add additional data (for AEAD ciphers).
#define SSL_IS_SERVER
Definition: ssl.h:194
const char * ssl_get_version(const ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
void ssl_set_renegotiation(ssl_context *ssl, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIAT...
int min_minor_ver
Definition: ssl.h:606
unsigned char * out_msg
Definition: ssl.h:683
unsigned int key_length
Cipher key length, in bits (default length for variable sized ciphers) (Includes parity bits for ciph...
Definition: cipher.h:216
int cipher_set_iv(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len)
Set the initialization vector (IV) or nonce.
#define SSL_MINOR_VERSION_0
Definition: ssl.h:141
int client_auth
Definition: ssl.h:719
#define SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:281
void * p_dbg
Definition: ssl.h:619
void sha256_starts(sha256_context *ctx, int is224)
SHA-256 context setup.
int cipher_update(cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
Generic cipher update function.
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:520
void * p_send
Definition: ssl.h:621
ecdh_context ecdh_ctx
Definition: ssl.h:508
x509_crl * ca_crl
Definition: ssl.h:703
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1571
void(* polarssl_free)(void *ptr)
int ssl_set_max_frag_len(ssl_context *ssl, unsigned char mfl_code)
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes) (Server: set maximum fragment length to emit, usually negotiated by the client during handshake (Client: set maximum fragment length to emit and negotiate with the server during handshake)
SHA-512 context structure.
Definition: sha512.h:55
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:110
unsigned char * ticket
Definition: ssl.h:438
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:120
key_exchange_type_t key_exchange
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED
Processing of the compression / decompression failed.
Definition: ssl.h:129
size_t maclen
Definition: ssl.h:467
unsigned char * out_hdr
Definition: ssl.h:681
int ssl_set_own_cert(ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key)
Set own certificate chain and private key.
int trunc_hmac
Definition: ssl.h:448
void ssl_set_endpoint(ssl_context *ssl, int endpoint)
Set the current endpoint type.
void mpi_free(mpi *X)
Unallocate one MPI.
void ssl_set_ciphersuites(ssl_context *ssl, const int *ciphersuites)
Set the list of allowed ciphersuites and the preference order.
void sha512_starts(sha512_context *ctx, int is384)
SHA-512 context setup.
int x509_crt_verify(x509_crt *crt, x509_crt *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Verify the certificate signature.
#define SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:286
void ssl_set_rng(ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:622
void ssl_set_bio(ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send)
Set the underlying BIO read and write callbacks.
void ssl_free(ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
void sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
void md5_starts(md5_context *ctx)
MD5 context setup.
#define SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:210
unsigned char ssl_sig_from_pk(pk_context *pk)
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
No CA Chain is set, but required to operate.
Definition: ssl.h:109
void ssl_handshake_free(ssl_handshake_params *handshake)
Free referenced items in an SSL handshake context and clear memory.
int authmode
Definition: ssl.h:718
int ssl_flush_output(ssl_context *ssl)
int ssl_handshake(ssl_context *ssl)
Perform the SSL handshake.
unsigned char * in_offt
Definition: ssl.h:667
void ssl_set_min_version(ssl_context *ssl, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:196
int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Definition: ssl.h:375
unsigned char * in_msg
Definition: ssl.h:666
int ssl_set_hostname(ssl_context *ssl, const char *hostname)
Set hostname for ServerName TLS extension (client-side only)
aes_context dec
Definition: ssl.h:574
mpi z
Definition: ecdh.h:54
int ssl_handshake_step(ssl_context *ssl)
Perform a single step of the SSL handshake.
#define SSL_MINOR_VERSION_3
Definition: ssl.h:144
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:54
pk_type_t
Public key types.
Definition: pk.h:90
aes_context enc
Definition: ssl.h:573
unsigned char iv_dec[16]
Definition: ssl.h:470
#define POLARSSL_ERR_NET_WANT_READ
Connection requires a read call.
Definition: net.h:41
#define SSL_HS_CERTIFICATE
Definition: ssl.h:321
int ssl_parse_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:58
size_t hostname_len
Definition: ssl.h:752
int cipher_reset(cipher_context_t *ctx)
Finish preparation of the given context.
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:601
int pk_init_ctx(pk_context *ctx, const pk_info_t *info)
Initialize a PK context with the information given and allocates the type-specific PK subcontext...
void sha512_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:295
This structure is used for storing ciphersuite information.
int ssl_close_notify(ssl_context *ssl)
Notify the peer that the connection is being closed.
const x509_crt * ssl_get_peer_cert(const ssl_context *ssl)
Return the peer certificate from the current connection.
void ssl_set_session_cache(ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache)
Set the session cache callbacks (server-side only) If not set, no session resuming is done...
#define SSL_HASH_SHA256
Definition: ssl.h:263
size_t ssl_get_bytes_avail(const ssl_context *ssl)
Return the number of data bytes available to read.
int md_hmac_starts(md_context_t *ctx, const unsigned char *key, size_t keylen)
Generic HMAC context setup.
int ssl_set_session(ssl_context *ssl, const ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
int cipher_set_padding_mode(cipher_context_t *ctx, cipher_padding_t mode)
Set padding mode, for cipher modes that use padding.
#define SSL_VERIFY_NONE
Definition: ssl.h:198
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:44
cipher_mode_t mode
Cipher mode (e.g.
Definition: cipher.h:212
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:202
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:169
size_t in_left
Definition: ssl.h:671
void sha512_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 final digest.
pk_context * key
Definition: ssl.h:586
int session_tickets
Definition: ssl.h:728
int cipher_init_ctx(cipher_context_t *ctx, const cipher_info_t *cipher_info)
Initialises and fills the cipher context structure with the appropriate values.
int allow_legacy_renegotiation
Definition: ssl.h:722
int cipher_setkey(cipher_context_t *ctx, const unsigned char *key, int key_length, const operation_t operation)
Set the key to use with the given context.
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition: ssl.h:135
ssl_session * session_out
Definition: ssl.h:645
#define SSL_TRUNCATED_HMAC_LEN
Definition: ssl.h:219
uint32_t state[4]
Definition: md5.h:57
void(* calc_finished)(ssl_context *, unsigned char *, int)
Definition: ssl.h:545
int ssl_read_record(ssl_context *ssl)
int ssl_set_own_cert_rsa(ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key)
Set own certificate chain and private RSA key.
size_t len
ASN1 length, e.g.
Definition: asn1.h:119
int md_hmac_reset(md_context_t *ctx)
Generic HMAC context reset.
#define pk_rsa(pk)
Quick access to an RSA context inside a PK context.
Definition: pk.h:69
int ssl_set_dh_param(ssl_context *ssl, const char *dhm_P, const char *dhm_G)
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default...
int(* f_vrfy)(void *, x509_crt *, int, int *)
Definition: ssl.h:632
int out_msgtype
Definition: ssl.h:685
void ssl_set_session_ticket_lifetime(ssl_context *ssl, int lifetime)
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))...
size_t out_left
Definition: ssl.h:687
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:191
int md_hmac_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic HMAC process buffer.
#define BADCERT_MISSING
Certificate was missing.
Definition: x509.h:78
void pk_free(pk_context *ctx)
Free a pk_context.
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED
Processing of the Finished handshake message failed.
Definition: ssl.h:125
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:48
md_context_t md_ctx_enc
Definition: ssl.h:478
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
int ssl_get_verify_result(const ssl_context *ssl)
Return the result of the certificate verification.
#define SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:296
never pad (full blocks only)
Definition: cipher.h:137
int ssl_session_reset(ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables...
void pk_init(pk_context *ctx)
Initialize a pk_context (as NONE)
int min_major_ver
Definition: ssl.h:605
Certificate revocation list structure.
Definition: x509_crl.h:69
const int * ssl_list_ciphersuites(void)
Returns the list of ciphersuites supported by the SSL/TLS module.
ssl_transform * transform_negotiate
Definition: ssl.h:658
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:207
#define SSL_HASH_SHA224
Definition: ssl.h:262
SSL/TLS functions.
unsigned char * in_iv
Definition: ssl.h:665
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:126
int disable_renegotiation
Definition: ssl.h:721
#define SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:289
void sha256_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 final digest.
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
void dhm_free(dhm_context *ctx)
Free the components of a DHM key.
void ecdh_init(ecdh_context *ctx)
Initialize context.
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:615
int ssl_derive_keys(ssl_context *ssl)
void ssl_set_authmode(ssl_context *ssl, int authmode)
Set the certificate verification mode.
md_type_t type
Digest identifier.
Definition: md.h:76
int(* f_set_cache)(void *, const ssl_session *)
Definition: ssl.h:616
SHA-256 context structure.
Definition: sha256.h:54
unsigned char mfl_code
Definition: ssl.h:444
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
key_exchange_type_t
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:598
cipher_type_t cipher
dhm_context dhm_ctx
Definition: ssl.h:505
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1579
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:711
size_t minlen
Definition: ssl.h:464
int ssl_read(ssl_context *ssl, unsigned char *buf, size_t len)
Read at most &#39;len&#39; application data bytes.
void ssl_transform_free(ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:236
unsigned char * psk_identity
Definition: ssl.h:743
#define SSL_SESSION_TICKETS_ENABLED
Definition: ssl.h:222
unsigned char mac_enc[48]
Definition: ssl.h:474
#define SSL_MSG_APPLICATION_DATA
Definition: ssl.h:284
uint64_t state[8]
Definition: sha512.h:58
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
#define SSL_MSG_ALERT
Definition: ssl.h:282
int ssl_renegotiate(ssl_context *ssl)
Initiate an SSL renegotiation on the running connection.
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:613
unsigned char key_name[16]
Definition: ssl.h:572
int key_own_alloc
Definition: ssl.h:587
int ssl_write(ssl_context *ssl, const unsigned char *buf, size_t len)
Write exactly &#39;len&#39; application data bytes.
ssl_key_cert * next
Definition: ssl.h:588
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
void sha512_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:97
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:116
void ssl_set_ca_chain(ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn)
Set the data required to verify peer certificate.
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
Message digest information.
Definition: md.h:74
x509_crt * ca_chain
Definition: ssl.h:702
md5_context fin_md5
Definition: ssl.h:531
int cipher_check_tag(cipher_context_t *ctx, const unsigned char *tag, size_t tag_len)
Check tag for AEAD ciphers.
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int endpoint
Definition: ssl.h:717
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:98
int ssl_set_own_cert_alt(ssl_context *ssl, x509_crt *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len)
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
void ssl_set_sni(ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
#define SSL_HASH_SHA512
Definition: ssl.h:265
unsigned int iv_size
IV/NONCE size, in bytes.
Definition: cipher.h:223
#define SSL_HASH_SHA384
Definition: ssl.h:264
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:637
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:177
void ecdh_free(ecdh_context *ctx)
Free context.
unsigned char * out_iv
Definition: ssl.h:682
unsigned char randbytes[64]
Definition: ssl.h:552
int md_hmac_finish(md_context_t *ctx, unsigned char *output)
Generic HMAC final digest.
int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Definition: ssl.h:372
Generic message digest context.
Definition: md.h:130
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
x509_crt * peer_cert
Definition: ssl.h:433
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:628
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.
#define SSL_HS_HELLO_REQUEST
Definition: ssl.h:317