PolarSSL v1.3.7
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #if !defined(POLARSSL_CONFIG_FILE)
35 #include "polarssl/config.h"
36 #else
37 #include POLARSSL_CONFIG_FILE
38 #endif
39 
40 #if defined(POLARSSL_SSL_TLS_C)
41 
42 #include "polarssl/debug.h"
43 #include "polarssl/ssl.h"
44 
45 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
46  defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
47 #include "polarssl/oid.h"
48 #endif
49 
50 #if defined(POLARSSL_PLATFORM_C)
51 #include "polarssl/platform.h"
52 #else
53 #define polarssl_malloc malloc
54 #define polarssl_free free
55 #endif
56 
57 #include <stdlib.h>
58 
59 #if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
60  !defined(EFI32)
61 #define strcasecmp _stricmp
62 #endif
63 
64 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
65 /*
66  * Convert max_fragment_length codes to length.
67  * RFC 6066 says:
68  * enum{
69  * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
70  * } MaxFragmentLength;
71  * and we add 0 -> extension unused
72  */
73 static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
74 {
75  SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
76  512, /* SSL_MAX_FRAG_LEN_512 */
77  1024, /* SSL_MAX_FRAG_LEN_1024 */
78  2048, /* SSL_MAX_FRAG_LEN_2048 */
79  4096, /* SSL_MAX_FRAG_LEN_4096 */
80 };
81 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
82 
83 static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
84 {
85  ssl_session_free( dst );
86  memcpy( dst, src, sizeof( ssl_session ) );
87 
88 #if defined(POLARSSL_X509_CRT_PARSE_C)
89  if( src->peer_cert != NULL )
90  {
91  int ret;
92 
93  dst->peer_cert = (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
94  if( dst->peer_cert == NULL )
96 
97  x509_crt_init( dst->peer_cert );
98 
99  if( ( ret = x509_crt_parse( dst->peer_cert, src->peer_cert->raw.p,
100  src->peer_cert->raw.len ) != 0 ) )
101  {
102  polarssl_free( dst->peer_cert );
103  dst->peer_cert = NULL;
104  return( ret );
105  }
106  }
107 #endif /* POLARSSL_X509_CRT_PARSE_C */
108 
109 #if defined(POLARSSL_SSL_SESSION_TICKETS)
110  if( src->ticket != NULL )
111  {
112  dst->ticket = (unsigned char *) polarssl_malloc( src->ticket_len );
113  if( dst->ticket == NULL )
115 
116  memcpy( dst->ticket, src->ticket, src->ticket_len );
117  }
118 #endif /* POLARSSL_SSL_SESSION_TICKETS */
119 
120  return( 0 );
121 }
122 
123 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
124 int (*ssl_hw_record_init)(ssl_context *ssl,
125  const unsigned char *key_enc, const unsigned char *key_dec,
126  size_t keylen,
127  const unsigned char *iv_enc, const unsigned char *iv_dec,
128  size_t ivlen,
129  const unsigned char *mac_enc, const unsigned char *mac_dec,
130  size_t maclen) = NULL;
131 int (*ssl_hw_record_activate)(ssl_context *ssl, int direction) = NULL;
132 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
133 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
134 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
135 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
136 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
137 
138 /*
139  * Key material generation
140  */
141 #if defined(POLARSSL_SSL_PROTO_SSL3)
142 static int ssl3_prf( const unsigned char *secret, size_t slen,
143  const char *label,
144  const unsigned char *random, size_t rlen,
145  unsigned char *dstbuf, size_t dlen )
146 {
147  size_t i;
150  unsigned char padding[16];
151  unsigned char sha1sum[20];
152  ((void)label);
153 
154  /*
155  * SSLv3:
156  * block =
157  * MD5( secret + SHA1( 'A' + secret + random ) ) +
158  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
159  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
160  * ...
161  */
162  for( i = 0; i < dlen / 16; i++ )
163  {
164  memset( padding, (unsigned char) ('A' + i), 1 + i );
165 
166  sha1_starts( &sha1 );
167  sha1_update( &sha1, padding, 1 + i );
168  sha1_update( &sha1, secret, slen );
169  sha1_update( &sha1, random, rlen );
170  sha1_finish( &sha1, sha1sum );
171 
172  md5_starts( &md5 );
173  md5_update( &md5, secret, slen );
174  md5_update( &md5, sha1sum, 20 );
175  md5_finish( &md5, dstbuf + i * 16 );
176  }
177 
178  memset( &md5, 0, sizeof( md5 ) );
179  memset( &sha1, 0, sizeof( sha1 ) );
180 
181  memset( padding, 0, sizeof( padding ) );
182  memset( sha1sum, 0, sizeof( sha1sum ) );
183 
184  return( 0 );
185 }
186 #endif /* POLARSSL_SSL_PROTO_SSL3 */
187 
188 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
189 static int tls1_prf( const unsigned char *secret, size_t slen,
190  const char *label,
191  const unsigned char *random, size_t rlen,
192  unsigned char *dstbuf, size_t dlen )
193 {
194  size_t nb, hs;
195  size_t i, j, k;
196  const unsigned char *S1, *S2;
197  unsigned char tmp[128];
198  unsigned char h_i[20];
199 
200  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
202 
203  hs = ( slen + 1 ) / 2;
204  S1 = secret;
205  S2 = secret + slen - hs;
206 
207  nb = strlen( label );
208  memcpy( tmp + 20, label, nb );
209  memcpy( tmp + 20 + nb, random, rlen );
210  nb += rlen;
211 
212  /*
213  * First compute P_md5(secret,label+random)[0..dlen]
214  */
215  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
216 
217  for( i = 0; i < dlen; i += 16 )
218  {
219  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
220  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
221 
222  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
223 
224  for( j = 0; j < k; j++ )
225  dstbuf[i + j] = h_i[j];
226  }
227 
228  /*
229  * XOR out with P_sha1(secret,label+random)[0..dlen]
230  */
231  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
232 
233  for( i = 0; i < dlen; i += 20 )
234  {
235  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
236  sha1_hmac( S2, hs, tmp, 20, tmp );
237 
238  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
239 
240  for( j = 0; j < k; j++ )
241  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
242  }
243 
244  memset( tmp, 0, sizeof( tmp ) );
245  memset( h_i, 0, sizeof( h_i ) );
246 
247  return( 0 );
248 }
249 #endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
250 
251 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
252 #if defined(POLARSSL_SHA256_C)
253 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
254  const char *label,
255  const unsigned char *random, size_t rlen,
256  unsigned char *dstbuf, size_t dlen )
257 {
258  size_t nb;
259  size_t i, j, k;
260  unsigned char tmp[128];
261  unsigned char h_i[32];
262 
263  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
265 
266  nb = strlen( label );
267  memcpy( tmp + 32, label, nb );
268  memcpy( tmp + 32 + nb, random, rlen );
269  nb += rlen;
270 
271  /*
272  * Compute P_<hash>(secret, label + random)[0..dlen]
273  */
274  sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
275 
276  for( i = 0; i < dlen; i += 32 )
277  {
278  sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
279  sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
280 
281  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
282 
283  for( j = 0; j < k; j++ )
284  dstbuf[i + j] = h_i[j];
285  }
286 
287  memset( tmp, 0, sizeof( tmp ) );
288  memset( h_i, 0, sizeof( h_i ) );
289 
290  return( 0 );
291 }
292 #endif /* POLARSSL_SHA256_C */
293 
294 #if defined(POLARSSL_SHA512_C)
295 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
296  const char *label,
297  const unsigned char *random, size_t rlen,
298  unsigned char *dstbuf, size_t dlen )
299 {
300  size_t nb;
301  size_t i, j, k;
302  unsigned char tmp[128];
303  unsigned char h_i[48];
304 
305  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
307 
308  nb = strlen( label );
309  memcpy( tmp + 48, label, nb );
310  memcpy( tmp + 48 + nb, random, rlen );
311  nb += rlen;
312 
313  /*
314  * Compute P_<hash>(secret, label + random)[0..dlen]
315  */
316  sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
317 
318  for( i = 0; i < dlen; i += 48 )
319  {
320  sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
321  sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
322 
323  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
324 
325  for( j = 0; j < k; j++ )
326  dstbuf[i + j] = h_i[j];
327  }
328 
329  memset( tmp, 0, sizeof( tmp ) );
330  memset( h_i, 0, sizeof( h_i ) );
331 
332  return( 0 );
333 }
334 #endif /* POLARSSL_SHA512_C */
335 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
336 
337 static void ssl_update_checksum_start(ssl_context *, const unsigned char *, size_t);
338 
339 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
340  defined(POLARSSL_SSL_PROTO_TLS1_1)
341 static void ssl_update_checksum_md5sha1(ssl_context *, const unsigned char *, size_t);
342 #endif
343 
344 #if defined(POLARSSL_SSL_PROTO_SSL3)
345 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
346 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
347 #endif
348 
349 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
350 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
351 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
352 #endif
353 
354 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
355 #if defined(POLARSSL_SHA256_C)
356 static void ssl_update_checksum_sha256(ssl_context *, const unsigned char *, size_t);
357 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
358 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
359 #endif
360 
361 #if defined(POLARSSL_SHA512_C)
362 static void ssl_update_checksum_sha384(ssl_context *, const unsigned char *, size_t);
363 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
364 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
365 #endif
366 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
367 
368 int ssl_derive_keys( ssl_context *ssl )
369 {
370  int ret = 0;
371  unsigned char tmp[64];
372  unsigned char keyblk[256];
373  unsigned char *key1;
374  unsigned char *key2;
375  unsigned char *mac_enc;
376  unsigned char *mac_dec;
377  size_t iv_copy_len;
378  const cipher_info_t *cipher_info;
379  const md_info_t *md_info;
380 
381  ssl_session *session = ssl->session_negotiate;
382  ssl_transform *transform = ssl->transform_negotiate;
383  ssl_handshake_params *handshake = ssl->handshake;
384 
385  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
386 
387  cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
388  if( cipher_info == NULL )
389  {
390  SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
391  transform->ciphersuite_info->cipher ) );
393  }
394 
395  md_info = md_info_from_type( transform->ciphersuite_info->mac );
396  if( md_info == NULL )
397  {
398  SSL_DEBUG_MSG( 1, ( "md info for %d not found",
399  transform->ciphersuite_info->mac ) );
401  }
402 
403  /*
404  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
405  */
406 #if defined(POLARSSL_SSL_PROTO_SSL3)
407  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
408  {
409  handshake->tls_prf = ssl3_prf;
410  handshake->calc_verify = ssl_calc_verify_ssl;
411  handshake->calc_finished = ssl_calc_finished_ssl;
412  }
413  else
414 #endif
415 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
416  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
417  {
418  handshake->tls_prf = tls1_prf;
419  handshake->calc_verify = ssl_calc_verify_tls;
420  handshake->calc_finished = ssl_calc_finished_tls;
421  }
422  else
423 #endif
424 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
425 #if defined(POLARSSL_SHA512_C)
426  if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
427  transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
428  {
429  handshake->tls_prf = tls_prf_sha384;
430  handshake->calc_verify = ssl_calc_verify_tls_sha384;
431  handshake->calc_finished = ssl_calc_finished_tls_sha384;
432  }
433  else
434 #endif
435 #if defined(POLARSSL_SHA256_C)
436  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
437  {
438  handshake->tls_prf = tls_prf_sha256;
439  handshake->calc_verify = ssl_calc_verify_tls_sha256;
440  handshake->calc_finished = ssl_calc_finished_tls_sha256;
441  }
442  else
443 #endif
444 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
445  {
446  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
448  }
449 
450  /*
451  * SSLv3:
452  * master =
453  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
454  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
455  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
456  *
457  * TLSv1+:
458  * master = PRF( premaster, "master secret", randbytes )[0..47]
459  */
460  if( handshake->resume == 0 )
461  {
462  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
463  handshake->pmslen );
464 
465  handshake->tls_prf( handshake->premaster, handshake->pmslen,
466  "master secret",
467  handshake->randbytes, 64, session->master, 48 );
468 
469  memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
470  }
471  else
472  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
473 
474  /*
475  * Swap the client and server random values.
476  */
477  memcpy( tmp, handshake->randbytes, 64 );
478  memcpy( handshake->randbytes, tmp + 32, 32 );
479  memcpy( handshake->randbytes + 32, tmp, 32 );
480  memset( tmp, 0, sizeof( tmp ) );
481 
482  /*
483  * SSLv3:
484  * key block =
485  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
486  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
487  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
488  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
489  * ...
490  *
491  * TLSv1:
492  * key block = PRF( master, "key expansion", randbytes )
493  */
494  handshake->tls_prf( session->master, 48, "key expansion",
495  handshake->randbytes, 64, keyblk, 256 );
496 
497  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
498  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
499  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
500  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
501  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
502 
503  memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
504 
505  /*
506  * Determine the appropriate key, IV and MAC length.
507  */
508 
509  if( cipher_info->mode == POLARSSL_MODE_GCM )
510  {
511  transform->keylen = cipher_info->key_length;
512  transform->keylen /= 8;
513  transform->minlen = 1;
514  transform->ivlen = 12;
515  transform->fixed_ivlen = 4;
516  transform->maclen = 0;
517  }
518  else
519  {
520  if( md_info->type != POLARSSL_MD_NONE )
521  {
522  int ret;
523 
524  if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 )
525  {
526  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
527  return( ret );
528  }
529 
530  if( ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
531  {
532  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
533  return( ret );
534  }
535 
536  transform->maclen = md_get_size( md_info );
537 
538 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
539  /*
540  * If HMAC is to be truncated, we shall keep the leftmost bytes,
541  * (rfc 6066 page 13 or rfc 2104 section 4),
542  * so we only need to adjust the length here.
543  */
544  if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
545  transform->maclen = SSL_TRUNCATED_HMAC_LEN;
546 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
547  }
548 
549  transform->keylen = cipher_info->key_length;
550  transform->keylen /= 8;
551  transform->ivlen = cipher_info->iv_size;
552 
553  transform->minlen = transform->keylen;
554  if( transform->minlen < transform->maclen )
555  {
556  if( cipher_info->mode == POLARSSL_MODE_STREAM )
557  transform->minlen = transform->maclen;
558  else
559  transform->minlen += transform->keylen;
560  }
561  }
562 
563  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
564  transform->keylen, transform->minlen, transform->ivlen,
565  transform->maclen ) );
566 
567  /*
568  * Finally setup the cipher contexts, IVs and MAC secrets.
569  */
570  if( ssl->endpoint == SSL_IS_CLIENT )
571  {
572  key1 = keyblk + transform->maclen * 2;
573  key2 = keyblk + transform->maclen * 2 + transform->keylen;
574 
575  mac_enc = keyblk;
576  mac_dec = keyblk + transform->maclen;
577 
578  /*
579  * This is not used in TLS v1.1.
580  */
581  iv_copy_len = ( transform->fixed_ivlen ) ?
582  transform->fixed_ivlen : transform->ivlen;
583  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
584  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
585  iv_copy_len );
586  }
587  else
588  {
589  key1 = keyblk + transform->maclen * 2 + transform->keylen;
590  key2 = keyblk + transform->maclen * 2;
591 
592  mac_enc = keyblk + transform->maclen;
593  mac_dec = keyblk;
594 
595  /*
596  * This is not used in TLS v1.1.
597  */
598  iv_copy_len = ( transform->fixed_ivlen ) ?
599  transform->fixed_ivlen : transform->ivlen;
600  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
601  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
602  iv_copy_len );
603  }
604 
605 #if defined(POLARSSL_SSL_PROTO_SSL3)
606  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
607  {
608  if( transform->maclen > sizeof transform->mac_enc )
609  {
610  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
612  }
613 
614  memcpy( transform->mac_enc, mac_enc, transform->maclen );
615  memcpy( transform->mac_dec, mac_dec, transform->maclen );
616  }
617  else
618 #endif /* POLARSSL_SSL_PROTO_SSL3 */
619 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
620  defined(POLARSSL_SSL_PROTO_TLS1_2)
621  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
622  {
623  md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
624  md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
625  }
626  else
627 #endif
628  {
629  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
631  }
632 
633 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
634  if( ssl_hw_record_init != NULL)
635  {
636  int ret = 0;
637 
638  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
639 
640  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
641  transform->iv_enc, transform->iv_dec,
642  iv_copy_len,
643  mac_enc, mac_dec,
644  transform->maclen ) ) != 0 )
645  {
646  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
648  }
649  }
650 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
651 
652  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
653  cipher_info ) ) != 0 )
654  {
655  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
656  return( ret );
657  }
658 
659  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
660  cipher_info ) ) != 0 )
661  {
662  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
663  return( ret );
664  }
665 
666  if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
667  cipher_info->key_length,
668  POLARSSL_ENCRYPT ) ) != 0 )
669  {
670  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
671  return( ret );
672  }
673 
674  if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
675  cipher_info->key_length,
676  POLARSSL_DECRYPT ) ) != 0 )
677  {
678  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
679  return( ret );
680  }
681 
682 #if defined(POLARSSL_CIPHER_MODE_CBC)
683  if( cipher_info->mode == POLARSSL_MODE_CBC )
684  {
685  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
686  POLARSSL_PADDING_NONE ) ) != 0 )
687  {
688  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
689  return( ret );
690  }
691 
692  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
693  POLARSSL_PADDING_NONE ) ) != 0 )
694  {
695  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
696  return( ret );
697  }
698  }
699 #endif /* POLARSSL_CIPHER_MODE_CBC */
700 
701  memset( keyblk, 0, sizeof( keyblk ) );
702 
703 #if defined(POLARSSL_ZLIB_SUPPORT)
704  // Initialize compression
705  //
706  if( session->compression == SSL_COMPRESS_DEFLATE )
707  {
708  if( ssl->compress_buf == NULL )
709  {
710  SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
711  ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
712  if( ssl->compress_buf == NULL )
713  {
714  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
715  SSL_BUFFER_LEN ) );
717  }
718  }
719 
720  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
721 
722  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
723  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
724 
725  if( deflateInit( &transform->ctx_deflate,
726  Z_DEFAULT_COMPRESSION ) != Z_OK ||
727  inflateInit( &transform->ctx_inflate ) != Z_OK )
728  {
729  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
731  }
732  }
733 #endif /* POLARSSL_ZLIB_SUPPORT */
734 
735  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
736 
737  return( 0 );
738 }
739 
740 #if defined(POLARSSL_SSL_PROTO_SSL3)
741 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
742 {
745  unsigned char pad_1[48];
746  unsigned char pad_2[48];
747 
748  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
749 
750  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
751  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
752 
753  memset( pad_1, 0x36, 48 );
754  memset( pad_2, 0x5C, 48 );
755 
756  md5_update( &md5, ssl->session_negotiate->master, 48 );
757  md5_update( &md5, pad_1, 48 );
758  md5_finish( &md5, hash );
759 
760  md5_starts( &md5 );
761  md5_update( &md5, ssl->session_negotiate->master, 48 );
762  md5_update( &md5, pad_2, 48 );
763  md5_update( &md5, hash, 16 );
764  md5_finish( &md5, hash );
765 
766  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
767  sha1_update( &sha1, pad_1, 40 );
768  sha1_finish( &sha1, hash + 16 );
769 
770  sha1_starts( &sha1 );
771  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
772  sha1_update( &sha1, pad_2, 40 );
773  sha1_update( &sha1, hash + 16, 20 );
774  sha1_finish( &sha1, hash + 16 );
775 
776  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
777  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
778 
779  return;
780 }
781 #endif /* POLARSSL_SSL_PROTO_SSL3 */
782 
783 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
784 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
785 {
788 
789  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
790 
791  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
792  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
793 
794  md5_finish( &md5, hash );
795  sha1_finish( &sha1, hash + 16 );
796 
797  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
798  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
799 
800  return;
801 }
802 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
803 
804 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
805 #if defined(POLARSSL_SHA256_C)
806 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
807 {
809 
810  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
811 
812  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
813  sha256_finish( &sha256, hash );
814 
815  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
816  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
817 
818  return;
819 }
820 #endif /* POLARSSL_SHA256_C */
821 
822 #if defined(POLARSSL_SHA512_C)
823 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
824 {
826 
827  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
828 
829  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
830  sha512_finish( &sha512, hash );
831 
832  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
833  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
834 
835  return;
836 }
837 #endif /* POLARSSL_SHA512_C */
838 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
839 
840 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
842 {
843  unsigned char *p = ssl->handshake->premaster;
844  unsigned char *end = p + sizeof( ssl->handshake->premaster );
845 
846  /*
847  * PMS = struct {
848  * opaque other_secret<0..2^16-1>;
849  * opaque psk<0..2^16-1>;
850  * };
851  * with "other_secret" depending on the particular key exchange
852  */
853 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
854  if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
855  {
856  if( end - p < 2 + (int) ssl->psk_len )
858 
859  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
860  *(p++) = (unsigned char)( ssl->psk_len );
861  p += ssl->psk_len;
862  }
863  else
864 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
865 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
866  if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
867  {
868  /*
869  * other_secret already set by the ClientKeyExchange message,
870  * and is 48 bytes long
871  */
872  *p++ = 0;
873  *p++ = 48;
874  p += 48;
875  }
876  else
877 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
878 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
879  if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
880  {
881  int ret;
882  size_t len = ssl->handshake->dhm_ctx.len;
883 
884  if( end - p < 2 + (int) len )
886 
887  *(p++) = (unsigned char)( len >> 8 );
888  *(p++) = (unsigned char)( len );
889  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
890  p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
891  {
892  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
893  return( ret );
894  }
895  p += len;
896 
897  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
898  }
899  else
900 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
901 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
902  if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
903  {
904  int ret;
905  size_t zlen;
906 
907  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
908  p + 2, end - (p + 2),
909  ssl->f_rng, ssl->p_rng ) ) != 0 )
910  {
911  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
912  return( ret );
913  }
914 
915  *(p++) = (unsigned char)( zlen >> 8 );
916  *(p++) = (unsigned char)( zlen );
917  p += zlen;
918 
919  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
920  }
921  else
922 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
923  {
924  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
926  }
927 
928  /* opaque psk<0..2^16-1>; */
929  if( end - p < 2 + (int) ssl->psk_len )
931 
932  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
933  *(p++) = (unsigned char)( ssl->psk_len );
934  memcpy( p, ssl->psk, ssl->psk_len );
935  p += ssl->psk_len;
936 
937  ssl->handshake->pmslen = p - ssl->handshake->premaster;
938 
939  return( 0 );
940 }
941 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
942 
943 #if defined(POLARSSL_SSL_PROTO_SSL3)
944 /*
945  * SSLv3.0 MAC functions
946  */
947 static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
948  unsigned char *buf, size_t len,
949  unsigned char *ctr, int type )
950 {
951  unsigned char header[11];
952  unsigned char padding[48];
953  int padlen = 0;
954  int md_size = md_get_size( md_ctx->md_info );
955  int md_type = md_get_type( md_ctx->md_info );
956 
957  if( md_type == POLARSSL_MD_MD5 )
958  padlen = 48;
959  else if( md_type == POLARSSL_MD_SHA1 )
960  padlen = 40;
961  else if( md_type == POLARSSL_MD_SHA256 )
962  padlen = 32;
963  else if( md_type == POLARSSL_MD_SHA384 )
964  padlen = 16;
965 
966  memcpy( header, ctr, 8 );
967  header[ 8] = (unsigned char) type;
968  header[ 9] = (unsigned char)( len >> 8 );
969  header[10] = (unsigned char)( len );
970 
971  memset( padding, 0x36, padlen );
972  md_starts( md_ctx );
973  md_update( md_ctx, secret, md_size );
974  md_update( md_ctx, padding, padlen );
975  md_update( md_ctx, header, 11 );
976  md_update( md_ctx, buf, len );
977  md_finish( md_ctx, buf + len );
978 
979  memset( padding, 0x5C, padlen );
980  md_starts( md_ctx );
981  md_update( md_ctx, secret, md_size );
982  md_update( md_ctx, padding, padlen );
983  md_update( md_ctx, buf + len, md_size );
984  md_finish( md_ctx, buf + len );
985 }
986 #endif /* POLARSSL_SSL_PROTO_SSL3 */
987 
988 /*
989  * Encryption/decryption functions
990  */
991 static int ssl_encrypt_buf( ssl_context *ssl )
992 {
993  size_t i;
994 
995  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
996 
997  /*
998  * Add MAC before encrypt, except for GCM
999  */
1000 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1001  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1002  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1005  {
1006 #if defined(POLARSSL_SSL_PROTO_SSL3)
1007  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1008  {
1009  ssl_mac( &ssl->transform_out->md_ctx_enc,
1010  ssl->transform_out->mac_enc,
1011  ssl->out_msg, ssl->out_msglen,
1012  ssl->out_ctr, ssl->out_msgtype );
1013  }
1014  else
1015 #endif
1016 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1017  defined(POLARSSL_SSL_PROTO_TLS1_2)
1018  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1019  {
1020  md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1022  ssl->out_msg, ssl->out_msglen );
1024  ssl->out_msg + ssl->out_msglen );
1026  }
1027  else
1028 #endif
1029  {
1030  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1032  }
1033 
1034  SSL_DEBUG_BUF( 4, "computed mac",
1035  ssl->out_msg + ssl->out_msglen,
1036  ssl->transform_out->maclen );
1037 
1038  ssl->out_msglen += ssl->transform_out->maclen;
1039  }
1040 #endif /* GCM not the only option */
1041 
1042  /*
1043  * Encrypt
1044  */
1045 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1048  {
1049  int ret;
1050  size_t olen = 0;
1051 
1052  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1053  "including %d bytes of padding",
1054  ssl->out_msglen, 0 ) );
1055 
1056  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1057  ssl->out_msg, ssl->out_msglen );
1058 
1059  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1060  {
1061  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1062  return( ret );
1063  }
1064 
1065  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1066  ssl->transform_out->iv_enc,
1067  ssl->transform_out->ivlen ) ) != 0 )
1068  {
1069  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1070  return( ret );
1071  }
1072 
1073  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1074  ssl->out_msg, ssl->out_msglen, ssl->out_msg,
1075  &olen ) ) != 0 )
1076  {
1077  SSL_DEBUG_RET( 1, "cipher_update", ret );
1078  return( ret );
1079  }
1080 
1081  if( ssl->out_msglen != olen )
1082  {
1083  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1084  ssl->out_msglen, olen ) );
1086  }
1087 
1088  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1089  ssl->out_msg + olen, &olen ) ) != 0 )
1090  {
1091  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1092  return( ret );
1093  }
1094 
1095  if( 0 != olen )
1096  {
1097  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1098  0, olen ) );
1100  }
1101  }
1102  else
1103 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1104 #if defined(POLARSSL_GCM_C)
1107  {
1108  size_t enc_msglen, olen, totlen;
1109  unsigned char *enc_msg;
1110  unsigned char add_data[13];
1112 
1113  memcpy( add_data, ssl->out_ctr, 8 );
1114  add_data[8] = ssl->out_msgtype;
1115  add_data[9] = ssl->major_ver;
1116  add_data[10] = ssl->minor_ver;
1117  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1118  add_data[12] = ssl->out_msglen & 0xFF;
1119 
1120  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1121  add_data, 13 );
1122 
1123  /*
1124  * Generate IV
1125  */
1126  ret = ssl->f_rng( ssl->p_rng,
1128  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1129  if( ret != 0 )
1130  return( ret );
1131 
1132  memcpy( ssl->out_iv,
1134  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1135 
1136  SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1137  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1138 
1139  /*
1140  * Fix pointer positions and message length with added IV
1141  */
1142  enc_msg = ssl->out_msg;
1143  enc_msglen = ssl->out_msglen;
1144  ssl->out_msglen += ssl->transform_out->ivlen -
1145  ssl->transform_out->fixed_ivlen;
1146 
1147  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1148  "including %d bytes of padding",
1149  ssl->out_msglen, 0 ) );
1150 
1151  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1152  ssl->out_msg, ssl->out_msglen );
1153 
1154  /*
1155  * Encrypt
1156  */
1157  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1158  ssl->transform_out->iv_enc,
1159  ssl->transform_out->ivlen ) ) != 0 ||
1160  ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1161  {
1162  return( ret );
1163  }
1164 
1165  if( ( ret = cipher_update_ad( &ssl->transform_out->cipher_ctx_enc,
1166  add_data, 13 ) ) != 0 )
1167  {
1168  return( ret );
1169  }
1170 
1171  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1172  enc_msg, enc_msglen,
1173  enc_msg, &olen ) ) != 0 )
1174  {
1175  return( ret );
1176  }
1177  totlen = olen;
1178 
1179  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1180  enc_msg + olen, &olen ) ) != 0 )
1181  {
1182  return( ret );
1183  }
1184  totlen += olen;
1185 
1186  if( totlen != enc_msglen )
1187  {
1188  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1189  return( -1 );
1190  }
1191 
1192  /*
1193  * Authenticate
1194  */
1195  ssl->out_msglen += 16;
1196 
1197  if( ( ret = cipher_write_tag( &ssl->transform_out->cipher_ctx_enc,
1198  enc_msg + enc_msglen, 16 ) ) != 0 )
1199  {
1200  return( ret );
1201  }
1202 
1203  SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, 16 );
1204  }
1205  else
1206 #endif /* POLARSSL_GCM_C */
1207 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1208  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1211  {
1212  int ret;
1213  unsigned char *enc_msg;
1214  size_t enc_msglen, padlen, olen = 0;
1215 
1216  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1217  ssl->transform_out->ivlen;
1218  if( padlen == ssl->transform_out->ivlen )
1219  padlen = 0;
1220 
1221  for( i = 0; i <= padlen; i++ )
1222  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1223 
1224  ssl->out_msglen += padlen + 1;
1225 
1226  enc_msglen = ssl->out_msglen;
1227  enc_msg = ssl->out_msg;
1228 
1229 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1230  /*
1231  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1232  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1233  */
1234  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1235  {
1236  /*
1237  * Generate IV
1238  */
1239  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1240  ssl->transform_out->ivlen );
1241  if( ret != 0 )
1242  return( ret );
1243 
1244  memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1245  ssl->transform_out->ivlen );
1246 
1247  /*
1248  * Fix pointer positions and message length with added IV
1249  */
1250  enc_msg = ssl->out_msg;
1251  enc_msglen = ssl->out_msglen;
1252  ssl->out_msglen += ssl->transform_out->ivlen;
1253  }
1254 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1255 
1256  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1257  "including %d bytes of IV and %d bytes of padding",
1258  ssl->out_msglen, ssl->transform_out->ivlen,
1259  padlen + 1 ) );
1260 
1261  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1262  ssl->out_iv, ssl->out_msglen );
1263 
1264  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1265  {
1266  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1267  return( ret );
1268  }
1269 
1270  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1271  ssl->transform_out->iv_enc,
1272  ssl->transform_out->ivlen ) ) != 0 )
1273  {
1274  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1275  return( ret );
1276  }
1277 
1278  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1279  enc_msg, enc_msglen, enc_msg,
1280  &olen ) ) != 0 )
1281  {
1282  SSL_DEBUG_RET( 1, "cipher_update", ret );
1283  return( ret );
1284  }
1285 
1286  enc_msglen -= olen;
1287 
1288  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1289  enc_msg + olen, &olen ) ) != 0 )
1290  {
1291  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1292  return( ret );
1293  }
1294 
1295  if( enc_msglen != olen )
1296  {
1297  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1298  enc_msglen, olen ) );
1300  }
1301 
1302 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1303  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1304  {
1305  /*
1306  * Save IV in SSL3 and TLS1
1307  */
1308  memcpy( ssl->transform_out->iv_enc,
1310  ssl->transform_out->ivlen );
1311  }
1312 #endif
1313  }
1314  else
1315 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1316  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1317  {
1318  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1320  }
1321 
1322  for( i = 8; i > 0; i-- )
1323  if( ++ssl->out_ctr[i - 1] != 0 )
1324  break;
1325 
1326  /* The loops goes to its end iff the counter is wrapping */
1327  if( i == 0 )
1328  {
1329  SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
1331  }
1332 
1333  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1334 
1335  return( 0 );
1336 }
1337 
1338 #define POLARSSL_SSL_MAX_MAC_SIZE 48
1339 
1340 static int ssl_decrypt_buf( ssl_context *ssl )
1341 {
1342  size_t i;
1343 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1344  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1345  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1346  size_t padlen = 0, correct = 1;
1347 #endif
1348 
1349  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1350 
1351  if( ssl->in_msglen < ssl->transform_in->minlen )
1352  {
1353  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1354  ssl->in_msglen, ssl->transform_in->minlen ) );
1355  return( POLARSSL_ERR_SSL_INVALID_MAC );
1356  }
1357 
1358 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1361  {
1362  int ret;
1363  size_t olen = 0;
1364 
1365  padlen = 0;
1366 
1367  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1368  {
1369  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1370  return( ret );
1371  }
1372 
1373  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1374  ssl->transform_in->iv_dec,
1375  ssl->transform_in->ivlen ) ) != 0 )
1376  {
1377  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1378  return( ret );
1379  }
1380 
1381  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1382  ssl->in_msg, ssl->in_msglen, ssl->in_msg,
1383  &olen ) ) != 0 )
1384  {
1385  SSL_DEBUG_RET( 1, "cipher_update", ret );
1386  return( ret );
1387  }
1388 
1389  if( ssl->in_msglen != olen )
1390  {
1391  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1393  }
1394 
1395  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1396  ssl->in_msg + olen, &olen ) ) != 0 )
1397  {
1398  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1399  return( ret );
1400  }
1401 
1402  if( 0 != olen )
1403  {
1404  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1406  }
1407  }
1408  else
1409 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1410 #if defined(POLARSSL_GCM_C)
1413  {
1414  unsigned char *dec_msg;
1415  unsigned char *dec_msg_result;
1416  size_t dec_msglen, olen, totlen;
1417  unsigned char add_data[13];
1419 
1420  dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1421  ssl->transform_in->fixed_ivlen );
1422  dec_msglen -= 16;
1423  dec_msg = ssl->in_msg;
1424  dec_msg_result = ssl->in_msg;
1425  ssl->in_msglen = dec_msglen;
1426 
1427  memcpy( add_data, ssl->in_ctr, 8 );
1428  add_data[8] = ssl->in_msgtype;
1429  add_data[9] = ssl->major_ver;
1430  add_data[10] = ssl->minor_ver;
1431  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1432  add_data[12] = ssl->in_msglen & 0xFF;
1433 
1434  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1435  add_data, 13 );
1436 
1437  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1438  ssl->in_iv,
1439  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1440 
1441  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1442  ssl->transform_in->ivlen );
1443  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1444 
1445  /*
1446  * Decrypt
1447  */
1448  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1449  ssl->transform_in->iv_dec,
1450  ssl->transform_in->ivlen ) ) != 0 ||
1451  ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1452  {
1453  return( ret );
1454  }
1455 
1456  if( ( ret = cipher_update_ad( &ssl->transform_in->cipher_ctx_dec,
1457  add_data, 13 ) ) != 0 )
1458  {
1459  return( ret );
1460  }
1461 
1462  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1463  dec_msg, dec_msglen,
1464  dec_msg_result, &olen ) ) != 0 )
1465  {
1466  return( ret );
1467  }
1468  totlen = olen;
1469 
1470  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1471  dec_msg_result + olen, &olen ) ) != 0 )
1472  {
1473  return( ret );
1474  }
1475  totlen += olen;
1476 
1477  if( totlen != dec_msglen )
1478  {
1479  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1480  return( -1 );
1481  }
1482 
1483  /*
1484  * Authenticate
1485  */
1486  if( ( ret = cipher_check_tag( &ssl->transform_in->cipher_ctx_dec,
1487  dec_msg + dec_msglen, 16 ) ) != 0 )
1488  {
1489  SSL_DEBUG_RET( 1, "cipher_check_tag", ret );
1490  return( POLARSSL_ERR_SSL_INVALID_MAC );
1491  }
1492 
1493  }
1494  else
1495 #endif /* POLARSSL_GCM_C */
1496 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1497  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1500  {
1501  /*
1502  * Decrypt and check the padding
1503  */
1504  int ret;
1505  unsigned char *dec_msg;
1506  unsigned char *dec_msg_result;
1507  size_t dec_msglen;
1508  size_t minlen = 0;
1509  size_t olen = 0;
1510 
1511  /*
1512  * Check immediate ciphertext sanity
1513  */
1514  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1515  {
1516  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1517  ssl->in_msglen, ssl->transform_in->ivlen ) );
1518  return( POLARSSL_ERR_SSL_INVALID_MAC );
1519  }
1520 
1521 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1522  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1523  minlen += ssl->transform_in->ivlen;
1524 #endif
1525 
1526  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1527  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1528  {
1529  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1530  "+ 1 ) ( + expl IV )", ssl->in_msglen,
1531  ssl->transform_in->ivlen,
1532  ssl->transform_in->maclen ) );
1533  return( POLARSSL_ERR_SSL_INVALID_MAC );
1534  }
1535 
1536  dec_msglen = ssl->in_msglen;
1537  dec_msg = ssl->in_msg;
1538  dec_msg_result = ssl->in_msg;
1539 
1540 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1541  /*
1542  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1543  */
1544  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1545  {
1546  dec_msglen -= ssl->transform_in->ivlen;
1547  ssl->in_msglen -= ssl->transform_in->ivlen;
1548 
1549  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1550  ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1551  }
1552 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1553 
1554  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1555  {
1556  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1557  return( ret );
1558  }
1559 
1560  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1561  ssl->transform_in->iv_dec,
1562  ssl->transform_in->ivlen ) ) != 0 )
1563  {
1564  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1565  return( ret );
1566  }
1567 
1568  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1569  dec_msg, dec_msglen, dec_msg_result,
1570  &olen ) ) != 0 )
1571  {
1572  SSL_DEBUG_RET( 1, "cipher_update", ret );
1573  return( ret );
1574  }
1575 
1576  dec_msglen -= olen;
1577  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1578  dec_msg_result + olen, &olen ) ) != 0 )
1579  {
1580  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1581  return( ret );
1582  }
1583 
1584  if( dec_msglen != olen )
1585  {
1586  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1588  }
1589 
1590 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1591  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1592  {
1593  /*
1594  * Save IV in SSL3 and TLS1
1595  */
1596  memcpy( ssl->transform_in->iv_dec,
1598  ssl->transform_in->ivlen );
1599  }
1600 #endif
1601 
1602  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1603 
1604  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1605  {
1606 #if defined(POLARSSL_SSL_DEBUG_ALL)
1607  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1608  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1609 #endif
1610  padlen = 0;
1611  correct = 0;
1612  }
1613 
1614 #if defined(POLARSSL_SSL_PROTO_SSL3)
1615  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1616  {
1617  if( padlen > ssl->transform_in->ivlen )
1618  {
1619 #if defined(POLARSSL_SSL_DEBUG_ALL)
1620  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1621  "should be no more than %d",
1622  padlen, ssl->transform_in->ivlen ) );
1623 #endif
1624  correct = 0;
1625  }
1626  }
1627  else
1628 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1629 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1630  defined(POLARSSL_SSL_PROTO_TLS1_2)
1631  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1632  {
1633  /*
1634  * TLSv1+: always check the padding up to the first failure
1635  * and fake check up to 256 bytes of padding
1636  */
1637  size_t pad_count = 0, real_count = 1;
1638  size_t padding_idx = ssl->in_msglen - padlen - 1;
1639 
1640  /*
1641  * Padding is guaranteed to be incorrect if:
1642  * 1. padlen >= ssl->in_msglen
1643  *
1644  * 2. padding_idx >= SSL_MAX_CONTENT_LEN +
1645  * ssl->transform_in->maclen
1646  *
1647  * In both cases we reset padding_idx to a safe value (0) to
1648  * prevent out-of-buffer reads.
1649  */
1650  correct &= ( ssl->in_msglen >= padlen + 1 );
1651  correct &= ( padding_idx < SSL_MAX_CONTENT_LEN +
1652  ssl->transform_in->maclen );
1653 
1654  padding_idx *= correct;
1655 
1656  for( i = 1; i <= 256; i++ )
1657  {
1658  real_count &= ( i <= padlen );
1659  pad_count += real_count *
1660  ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1661  }
1662 
1663  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1664 
1665 #if defined(POLARSSL_SSL_DEBUG_ALL)
1666  if( padlen > 0 && correct == 0)
1667  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1668 #endif
1669  padlen &= correct * 0x1FF;
1670  }
1671  else
1672 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1673  POLARSSL_SSL_PROTO_TLS1_2 */
1674  {
1675  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1677  }
1678  }
1679  else
1680 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1681  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1682  {
1683  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1685  }
1686 
1687  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1688  ssl->in_msg, ssl->in_msglen );
1689 
1690  /*
1691  * Always compute the MAC (RFC4346, CBCTIME), except for GCM of course
1692  */
1693 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1694  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1695  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1698  {
1699  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1700 
1701  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1702 
1703  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1704  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1705 
1706  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1707 
1708 #if defined(POLARSSL_SSL_PROTO_SSL3)
1709  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1710  {
1711  ssl_mac( &ssl->transform_in->md_ctx_dec,
1712  ssl->transform_in->mac_dec,
1713  ssl->in_msg, ssl->in_msglen,
1714  ssl->in_ctr, ssl->in_msgtype );
1715  }
1716  else
1717 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1718 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1719  defined(POLARSSL_SSL_PROTO_TLS1_2)
1720  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1721  {
1722  /*
1723  * Process MAC and always update for padlen afterwards to make
1724  * total time independent of padlen
1725  *
1726  * extra_run compensates MAC check for padlen
1727  *
1728  * Known timing attacks:
1729  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1730  *
1731  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1732  * correctly. (We round down instead of up, so -56 is the correct
1733  * value for our calculations instead of -55)
1734  */
1735  size_t j, extra_run = 0;
1736  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1737  ( 13 + ssl->in_msglen + 8 ) / 64;
1738 
1739  extra_run &= correct * 0xFF;
1740 
1741  md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1743  ssl->in_msglen );
1745  ssl->in_msg + ssl->in_msglen );
1746  for( j = 0; j < extra_run; j++ )
1747  md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1748 
1750  }
1751  else
1752 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1753  POLARSSL_SSL_PROTO_TLS1_2 */
1754  {
1755  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1757  }
1758 
1759  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1760  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1761  ssl->transform_in->maclen );
1762 
1763  if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1764  ssl->transform_in->maclen ) != 0 )
1765  {
1766 #if defined(POLARSSL_SSL_DEBUG_ALL)
1767  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1768 #endif
1769  correct = 0;
1770  }
1771 
1772  /*
1773  * Finally check the correct flag
1774  */
1775  if( correct == 0 )
1776  return( POLARSSL_ERR_SSL_INVALID_MAC );
1777  }
1778 #endif /* GCM not the only option */
1779 
1780  if( ssl->in_msglen == 0 )
1781  {
1782  ssl->nb_zero++;
1783 
1784  /*
1785  * Three or more empty messages may be a DoS attack
1786  * (excessive CPU consumption).
1787  */
1788  if( ssl->nb_zero > 3 )
1789  {
1790  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1791  "messages, possible DoS attack" ) );
1792  return( POLARSSL_ERR_SSL_INVALID_MAC );
1793  }
1794  }
1795  else
1796  ssl->nb_zero = 0;
1797 
1798  for( i = 8; i > 0; i-- )
1799  if( ++ssl->in_ctr[i - 1] != 0 )
1800  break;
1801 
1802  /* The loops goes to its end iff the counter is wrapping */
1803  if( i == 0 )
1804  {
1805  SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
1807  }
1808 
1809  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1810 
1811  return( 0 );
1812 }
1813 
1814 #if defined(POLARSSL_ZLIB_SUPPORT)
1815 /*
1816  * Compression/decompression functions
1817  */
1818 static int ssl_compress_buf( ssl_context *ssl )
1819 {
1820  int ret;
1821  unsigned char *msg_post = ssl->out_msg;
1822  size_t len_pre = ssl->out_msglen;
1823  unsigned char *msg_pre = ssl->compress_buf;
1824 
1825  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1826 
1827  if( len_pre == 0 )
1828  return( 0 );
1829 
1830  memcpy( msg_pre, ssl->out_msg, len_pre );
1831 
1832  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1833  ssl->out_msglen ) );
1834 
1835  SSL_DEBUG_BUF( 4, "before compression: output payload",
1836  ssl->out_msg, ssl->out_msglen );
1837 
1838  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1839  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1840  ssl->transform_out->ctx_deflate.next_out = msg_post;
1841  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1842 
1843  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1844  if( ret != Z_OK )
1845  {
1846  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1848  }
1849 
1850  ssl->out_msglen = SSL_BUFFER_LEN -
1851  ssl->transform_out->ctx_deflate.avail_out;
1852 
1853  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1854  ssl->out_msglen ) );
1855 
1856  SSL_DEBUG_BUF( 4, "after compression: output payload",
1857  ssl->out_msg, ssl->out_msglen );
1858 
1859  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1860 
1861  return( 0 );
1862 }
1863 
1864 static int ssl_decompress_buf( ssl_context *ssl )
1865 {
1866  int ret;
1867  unsigned char *msg_post = ssl->in_msg;
1868  size_t len_pre = ssl->in_msglen;
1869  unsigned char *msg_pre = ssl->compress_buf;
1870 
1871  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1872 
1873  if( len_pre == 0 )
1874  return( 0 );
1875 
1876  memcpy( msg_pre, ssl->in_msg, len_pre );
1877 
1878  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1879  ssl->in_msglen ) );
1880 
1881  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1882  ssl->in_msg, ssl->in_msglen );
1883 
1884  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1885  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1886  ssl->transform_in->ctx_inflate.next_out = msg_post;
1887  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1888 
1889  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1890  if( ret != Z_OK )
1891  {
1892  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1894  }
1895 
1897  ssl->transform_in->ctx_inflate.avail_out;
1898 
1899  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1900  ssl->in_msglen ) );
1901 
1902  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1903  ssl->in_msg, ssl->in_msglen );
1904 
1905  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1906 
1907  return( 0 );
1908 }
1909 #endif /* POLARSSL_ZLIB_SUPPORT */
1910 
1911 /*
1912  * Fill the input message buffer
1913  */
1914 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1915 {
1916  int ret;
1917  size_t len;
1918 
1919  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1920 
1921  if( nb_want > SSL_BUFFER_LEN - 8 )
1922  {
1923  SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1925  }
1926 
1927  while( ssl->in_left < nb_want )
1928  {
1929  len = nb_want - ssl->in_left;
1930  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1931 
1932  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1933  ssl->in_left, nb_want ) );
1934  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1935 
1936  if( ret == 0 )
1937  return( POLARSSL_ERR_SSL_CONN_EOF );
1938 
1939  if( ret < 0 )
1940  return( ret );
1941 
1942  ssl->in_left += ret;
1943  }
1944 
1945  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1946 
1947  return( 0 );
1948 }
1949 
1950 /*
1951  * Flush any data not yet written
1952  */
1953 int ssl_flush_output( ssl_context *ssl )
1954 {
1955  int ret;
1956  unsigned char *buf;
1957 
1958  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1959 
1960  while( ssl->out_left > 0 )
1961  {
1962  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1963  5 + ssl->out_msglen, ssl->out_left ) );
1964 
1965  buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1966  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1967 
1968  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1969 
1970  if( ret <= 0 )
1971  return( ret );
1972 
1973  ssl->out_left -= ret;
1974  }
1975 
1976  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1977 
1978  return( 0 );
1979 }
1980 
1981 /*
1982  * Record layer functions
1983  */
1984 int ssl_write_record( ssl_context *ssl )
1985 {
1986  int ret, done = 0;
1987  size_t len = ssl->out_msglen;
1988 
1989  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1990 
1991  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1992  {
1993  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1994  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1995  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1996 
1997  if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
1998  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1999  }
2000 
2001 #if defined(POLARSSL_ZLIB_SUPPORT)
2002  if( ssl->transform_out != NULL &&
2004  {
2005  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
2006  {
2007  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
2008  return( ret );
2009  }
2010 
2011  len = ssl->out_msglen;
2012  }
2013 #endif /*POLARSSL_ZLIB_SUPPORT */
2014 
2015 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2016  if( ssl_hw_record_write != NULL)
2017  {
2018  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
2019 
2020  ret = ssl_hw_record_write( ssl );
2021  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2022  {
2023  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
2025  }
2026 
2027  if( ret == 0 )
2028  done = 1;
2029  }
2030 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
2031  if( !done )
2032  {
2033  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2034  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
2035  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
2036  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
2037  ssl->out_hdr[4] = (unsigned char)( len );
2038 
2039  if( ssl->transform_out != NULL )
2040  {
2041  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
2042  {
2043  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2044  return( ret );
2045  }
2046 
2047  len = ssl->out_msglen;
2048  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
2049  ssl->out_hdr[4] = (unsigned char)( len );
2050  }
2051 
2052  ssl->out_left = 5 + ssl->out_msglen;
2053 
2054  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2055  "version = [%d:%d], msglen = %d",
2056  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
2057  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
2058 
2059  SSL_DEBUG_BUF( 4, "output record sent to network",
2060  ssl->out_hdr, 5 + ssl->out_msglen );
2061  }
2062 
2063  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2064  {
2065  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2066  return( ret );
2067  }
2068 
2069  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2070 
2071  return( 0 );
2072 }
2073 
2074 int ssl_read_record( ssl_context *ssl )
2075 {
2076  int ret, done = 0;
2077 
2078  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
2079 
2080  SSL_DEBUG_BUF( 4, "input record from network",
2081  ssl->in_hdr, 5 + ssl->in_msglen );
2082 
2083  if( ssl->in_hslen != 0 &&
2084  ssl->in_hslen < ssl->in_msglen )
2085  {
2086  /*
2087  * Get next Handshake message in the current record
2088  */
2089  ssl->in_msglen -= ssl->in_hslen;
2090 
2091  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
2092  ssl->in_msglen );
2093 
2094  ssl->in_hslen = 4;
2095  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2096 
2097  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2098  " %d, type = %d, hslen = %d",
2099  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2100 
2101  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2102  {
2103  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2105  }
2106 
2107  if( ssl->in_msglen < ssl->in_hslen )
2108  {
2109  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2111  }
2112 
2113  if( ssl->state != SSL_HANDSHAKE_OVER )
2114  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2115 
2116  return( 0 );
2117  }
2118 
2119  ssl->in_hslen = 0;
2120 
2121  /*
2122  * Read the record header and validate it
2123  */
2124  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2125  {
2126  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2127  return( ret );
2128  }
2129 
2130  ssl->in_msgtype = ssl->in_hdr[0];
2131  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2132 
2133  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2134  "version = [%d:%d], msglen = %d",
2135  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2136  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2137 
2138  if( ssl->in_hdr[1] != ssl->major_ver )
2139  {
2140  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
2142  }
2143 
2144  if( ssl->in_hdr[2] > ssl->max_minor_ver )
2145  {
2146  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
2148  }
2149 
2150  /* Sanity check (outer boundaries) */
2151  if( ssl->in_msglen < 1 || ssl->in_msglen > SSL_BUFFER_LEN - 13 )
2152  {
2153  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2155  }
2156 
2157  /*
2158  * Make sure the message length is acceptable for the current transform
2159  * and protocol version.
2160  */
2161  if( ssl->transform_in == NULL )
2162  {
2163  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2164  {
2165  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2167  }
2168  }
2169  else
2170  {
2171  if( ssl->in_msglen < ssl->transform_in->minlen )
2172  {
2173  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2175  }
2176 
2177 #if defined(POLARSSL_SSL_PROTO_SSL3)
2178  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2180  {
2181  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2183  }
2184 #endif
2185 
2186 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2187  defined(POLARSSL_SSL_PROTO_TLS1_2)
2188  /*
2189  * TLS encrypted messages can have up to 256 bytes of padding
2190  */
2191  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2192  ssl->in_msglen > ssl->transform_in->minlen +
2193  SSL_MAX_CONTENT_LEN + 256 )
2194  {
2195  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2197  }
2198 #endif
2199  }
2200 
2201  /*
2202  * Read and optionally decrypt the message contents
2203  */
2204  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2205  {
2206  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2207  return( ret );
2208  }
2209 
2210  SSL_DEBUG_BUF( 4, "input record from network",
2211  ssl->in_hdr, 5 + ssl->in_msglen );
2212 
2213 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2214  if( ssl_hw_record_read != NULL)
2215  {
2216  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2217 
2218  ret = ssl_hw_record_read( ssl );
2219  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2220  {
2221  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2223  }
2224 
2225  if( ret == 0 )
2226  done = 1;
2227  }
2228 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
2229  if( !done && ssl->transform_in != NULL )
2230  {
2231  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2232  {
2233 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2234  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2235  {
2239  }
2240 #endif
2241  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2242  return( ret );
2243  }
2244 
2245  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2246  ssl->in_msg, ssl->in_msglen );
2247 
2248  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2249  {
2250  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2252  }
2253  }
2254 
2255 #if defined(POLARSSL_ZLIB_SUPPORT)
2256  if( ssl->transform_in != NULL &&
2258  {
2259  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2260  {
2261  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2262  return( ret );
2263  }
2264 
2265  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2266  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2267  }
2268 #endif /* POLARSSL_ZLIB_SUPPORT */
2269 
2270  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2271  ssl->in_msgtype != SSL_MSG_ALERT &&
2274  {
2275  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2276 
2277  if( ( ret = ssl_send_alert_message( ssl,
2280  {
2281  return( ret );
2282  }
2283 
2285  }
2286 
2287  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2288  {
2289  ssl->in_hslen = 4;
2290  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2291 
2292  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2293  " %d, type = %d, hslen = %d",
2294  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2295 
2296  /*
2297  * Additional checks to validate the handshake header
2298  */
2299  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2300  {
2301  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2303  }
2304 
2305  if( ssl->in_msglen < ssl->in_hslen )
2306  {
2307  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2309  }
2310 
2311  if( ssl->state != SSL_HANDSHAKE_OVER )
2312  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2313  }
2314 
2315  if( ssl->in_msgtype == SSL_MSG_ALERT )
2316  {
2317  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2318  ssl->in_msg[0], ssl->in_msg[1] ) );
2319 
2320  /*
2321  * Ignore non-fatal alerts, except close_notify
2322  */
2323  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2324  {
2325  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2326  ssl->in_msg[1] ) );
2332  }
2333 
2334  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2335  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2336  {
2337  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2339  }
2340  }
2341 
2342  ssl->in_left = 0;
2343 
2344  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2345 
2346  return( 0 );
2347 }
2348 
2350 {
2351  int ret;
2352 
2353  if( ( ret = ssl_send_alert_message( ssl,
2356  {
2357  return( ret );
2358  }
2359 
2360  return( 0 );
2361 }
2362 
2364  unsigned char level,
2365  unsigned char message )
2366 {
2367  int ret;
2368 
2369  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2370 
2371  ssl->out_msgtype = SSL_MSG_ALERT;
2372  ssl->out_msglen = 2;
2373  ssl->out_msg[0] = level;
2374  ssl->out_msg[1] = message;
2375 
2376  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2377  {
2378  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2379  return( ret );
2380  }
2381 
2382  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2383 
2384  return( 0 );
2385 }
2386 
2387 /*
2388  * Handshake functions
2389  */
2390 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2391  !defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
2392  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2393  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2394  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
2395  !defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2396  !defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2398 {
2400  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2401 
2402  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2403 
2404  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2405  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2406  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2407  {
2408  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2409  ssl->state++;
2410  return( 0 );
2411  }
2412 
2413  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2414  return( ret );
2415 }
2416 
2418 {
2420  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2421 
2422  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2423 
2424  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2425  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2426  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2427  {
2428  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2429  ssl->state++;
2430  return( 0 );
2431  }
2432 
2433  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2434  return( ret );
2435 }
2436 #else
2438 {
2440  size_t i, n;
2441  const x509_crt *crt;
2442  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2443 
2444  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2445 
2446  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2447  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2448  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2449  {
2450  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2451  ssl->state++;
2452  return( 0 );
2453  }
2454 
2455  if( ssl->endpoint == SSL_IS_CLIENT )
2456  {
2457  if( ssl->client_auth == 0 )
2458  {
2459  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2460  ssl->state++;
2461  return( 0 );
2462  }
2463 
2464 #if defined(POLARSSL_SSL_PROTO_SSL3)
2465  /*
2466  * If using SSLv3 and got no cert, send an Alert message
2467  * (otherwise an empty Certificate message will be sent).
2468  */
2469  if( ssl_own_cert( ssl ) == NULL &&
2470  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2471  {
2472  ssl->out_msglen = 2;
2473  ssl->out_msgtype = SSL_MSG_ALERT;
2474  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2475  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2476 
2477  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2478  goto write_msg;
2479  }
2480 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2481  }
2482  else /* SSL_IS_SERVER */
2483  {
2484  if( ssl_own_cert( ssl ) == NULL )
2485  {
2486  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2488  }
2489  }
2490 
2491  SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
2492 
2493  /*
2494  * 0 . 0 handshake type
2495  * 1 . 3 handshake length
2496  * 4 . 6 length of all certs
2497  * 7 . 9 length of cert. 1
2498  * 10 . n-1 peer certificate
2499  * n . n+2 length of cert. 2
2500  * n+3 . ... upper level cert, etc.
2501  */
2502  i = 7;
2503  crt = ssl_own_cert( ssl );
2504 
2505  while( crt != NULL )
2506  {
2507  n = crt->raw.len;
2508  if( n > SSL_MAX_CONTENT_LEN - 3 - i )
2509  {
2510  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2511  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2513  }
2514 
2515  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2516  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2517  ssl->out_msg[i + 2] = (unsigned char)( n );
2518 
2519  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2520  i += n; crt = crt->next;
2521  }
2522 
2523  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2524  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2525  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2526 
2527  ssl->out_msglen = i;
2529  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2530 
2531 #if defined(POLARSSL_SSL_PROTO_SSL3)
2532 write_msg:
2533 #endif
2534 
2535  ssl->state++;
2536 
2537  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2538  {
2539  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2540  return( ret );
2541  }
2542 
2543  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2544 
2545  return( ret );
2546 }
2547 
2549 {
2551  size_t i, n;
2552  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2553 
2554  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2555 
2556  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2557  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2558  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2559  {
2560  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2561  ssl->state++;
2562  return( 0 );
2563  }
2564 
2565  if( ssl->endpoint == SSL_IS_SERVER &&
2566  ( ssl->authmode == SSL_VERIFY_NONE ||
2567  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
2568  {
2570  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2571  ssl->state++;
2572  return( 0 );
2573  }
2574 
2575  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2576  {
2577  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2578  return( ret );
2579  }
2580 
2581  ssl->state++;
2582 
2583 #if defined(POLARSSL_SSL_PROTO_SSL3)
2584  /*
2585  * Check if the client sent an empty certificate
2586  */
2587  if( ssl->endpoint == SSL_IS_SERVER &&
2588  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2589  {
2590  if( ssl->in_msglen == 2 &&
2591  ssl->in_msgtype == SSL_MSG_ALERT &&
2592  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2593  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2594  {
2595  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2596 
2598  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2599  return( 0 );
2600  else
2602  }
2603  }
2604 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2605 
2606 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2607  defined(POLARSSL_SSL_PROTO_TLS1_2)
2608  if( ssl->endpoint == SSL_IS_SERVER &&
2609  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2610  {
2611  if( ssl->in_hslen == 7 &&
2612  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2613  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2614  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2615  {
2616  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2617 
2619  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2621  else
2622  return( 0 );
2623  }
2624  }
2625 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2626  POLARSSL_SSL_PROTO_TLS1_2 */
2627 
2628  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2629  {
2630  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2632  }
2633 
2634  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2635  {
2636  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2638  }
2639 
2640  /*
2641  * Same message structure as in ssl_write_certificate()
2642  */
2643  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2644 
2645  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2646  {
2647  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2649  }
2650 
2651  /* In case we tried to reuse a session but it failed */
2652  if( ssl->session_negotiate->peer_cert != NULL )
2653  {
2656  }
2657 
2659  sizeof( x509_crt ) ) ) == NULL )
2660  {
2661  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2662  sizeof( x509_crt ) ) );
2664  }
2665 
2667 
2668  i = 7;
2669 
2670  while( i < ssl->in_hslen )
2671  {
2672  if( ssl->in_msg[i] != 0 )
2673  {
2674  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2676  }
2677 
2678  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2679  | (unsigned int) ssl->in_msg[i + 2];
2680  i += 3;
2681 
2682  if( n < 128 || i + n > ssl->in_hslen )
2683  {
2684  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2686  }
2687 
2689  ssl->in_msg + i, n );
2690  if( ret != 0 )
2691  {
2692  SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
2693  return( ret );
2694  }
2695 
2696  i += n;
2697  }
2698 
2699  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2700 
2701  /*
2702  * On client, make sure the server cert doesn't change during renego to
2703  * avoid "triple handshake" attack: https://secure-resumption.com/
2704  */
2705  if( ssl->endpoint == SSL_IS_CLIENT &&
2707  {
2708  if( ssl->session->peer_cert == NULL )
2709  {
2710  SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
2712  }
2713 
2714  if( ssl->session->peer_cert->raw.len !=
2716  memcmp( ssl->session->peer_cert->raw.p,
2718  ssl->session->peer_cert->raw.len ) != 0 )
2719  {
2720  SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
2722  }
2723  }
2724 
2725  if( ssl->authmode != SSL_VERIFY_NONE )
2726  {
2727  if( ssl->ca_chain == NULL )
2728  {
2729  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2731  }
2732 
2733  /*
2734  * Main check: verify certificate
2735  */
2737  ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2739  ssl->f_vrfy, ssl->p_vrfy );
2740 
2741  if( ret != 0 )
2742  {
2743  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2744  }
2745 
2746  /*
2747  * Secondary checks: always done, but change 'ret' only if it was 0
2748  */
2749 
2750 #if defined(POLARSSL_SSL_SET_CURVES)
2751  {
2752  pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
2753 
2754  /* If certificate uses an EC key, make sure the curve is OK */
2755  if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
2756  ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
2757  {
2758  SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
2759  if( ret == 0 )
2761  }
2762  }
2763 #endif /* POLARSSL_SSL_SET_CURVES */
2764 
2766  ciphersuite_info,
2767  ! ssl->endpoint ) != 0 )
2768  {
2769  SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
2770  if( ret == 0 )
2772  }
2773 
2774  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2775  ret = 0;
2776  }
2777 
2778  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2779 
2780  return( ret );
2781 }
2782 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED
2783  !POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
2784  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
2785  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2786  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2787  !POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
2788  !POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2789 
2791 {
2792  int ret;
2793 
2794  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2795 
2797  ssl->out_msglen = 1;
2798  ssl->out_msg[0] = 1;
2799 
2800  ssl->state++;
2801 
2802  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2803  {
2804  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2805  return( ret );
2806  }
2807 
2808  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2809 
2810  return( 0 );
2811 }
2812 
2814 {
2815  int ret;
2816 
2817  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2818 
2819  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2820  {
2821  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2822  return( ret );
2823  }
2824 
2826  {
2827  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2829  }
2830 
2831  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2832  {
2833  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2835  }
2836 
2837  ssl->state++;
2838 
2839  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2840 
2841  return( 0 );
2842 }
2843 
2845  const ssl_ciphersuite_t *ciphersuite_info )
2846 {
2847  ((void) ciphersuite_info);
2848 
2849 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2850  defined(POLARSSL_SSL_PROTO_TLS1_1)
2851  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2852  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2853  else
2854 #endif
2855 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2856 #if defined(POLARSSL_SHA512_C)
2857  if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2858  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2859  else
2860 #endif
2861 #if defined(POLARSSL_SHA256_C)
2862  if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
2863  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2864  else
2865 #endif
2866 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2867  /* Should never happen */
2868  return;
2869 }
2870 
2871 static void ssl_update_checksum_start( ssl_context *ssl,
2872  const unsigned char *buf, size_t len )
2873 {
2874 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2875  defined(POLARSSL_SSL_PROTO_TLS1_1)
2876  md5_update( &ssl->handshake->fin_md5 , buf, len );
2877  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2878 #endif
2879 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2880 #if defined(POLARSSL_SHA256_C)
2881  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2882 #endif
2883 #if defined(POLARSSL_SHA512_C)
2884  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2885 #endif
2886 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2887 }
2888 
2889 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2890  defined(POLARSSL_SSL_PROTO_TLS1_1)
2891 static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2892  const unsigned char *buf, size_t len )
2893 {
2894  md5_update( &ssl->handshake->fin_md5 , buf, len );
2895  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2896 }
2897 #endif
2898 
2899 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2900 #if defined(POLARSSL_SHA256_C)
2901 static void ssl_update_checksum_sha256( ssl_context *ssl,
2902  const unsigned char *buf, size_t len )
2903 {
2904  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2905 }
2906 #endif
2907 
2908 #if defined(POLARSSL_SHA512_C)
2909 static void ssl_update_checksum_sha384( ssl_context *ssl,
2910  const unsigned char *buf, size_t len )
2911 {
2912  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2913 }
2914 #endif
2915 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2916 
2917 #if defined(POLARSSL_SSL_PROTO_SSL3)
2918 static void ssl_calc_finished_ssl(
2919  ssl_context *ssl, unsigned char *buf, int from )
2920 {
2921  const char *sender;
2922  md5_context md5;
2924 
2925  unsigned char padbuf[48];
2926  unsigned char md5sum[16];
2927  unsigned char sha1sum[20];
2928 
2929  ssl_session *session = ssl->session_negotiate;
2930  if( !session )
2931  session = ssl->session;
2932 
2933  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2934 
2935  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2936  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2937 
2938  /*
2939  * SSLv3:
2940  * hash =
2941  * MD5( master + pad2 +
2942  * MD5( handshake + sender + master + pad1 ) )
2943  * + SHA1( master + pad2 +
2944  * SHA1( handshake + sender + master + pad1 ) )
2945  */
2946 
2947 #if !defined(POLARSSL_MD5_ALT)
2948  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2949  md5.state, sizeof( md5.state ) );
2950 #endif
2951 
2952 #if !defined(POLARSSL_SHA1_ALT)
2953  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2954  sha1.state, sizeof( sha1.state ) );
2955 #endif
2956 
2957  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2958  : "SRVR";
2959 
2960  memset( padbuf, 0x36, 48 );
2961 
2962  md5_update( &md5, (const unsigned char *) sender, 4 );
2963  md5_update( &md5, session->master, 48 );
2964  md5_update( &md5, padbuf, 48 );
2965  md5_finish( &md5, md5sum );
2966 
2967  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2968  sha1_update( &sha1, session->master, 48 );
2969  sha1_update( &sha1, padbuf, 40 );
2970  sha1_finish( &sha1, sha1sum );
2971 
2972  memset( padbuf, 0x5C, 48 );
2973 
2974  md5_starts( &md5 );
2975  md5_update( &md5, session->master, 48 );
2976  md5_update( &md5, padbuf, 48 );
2977  md5_update( &md5, md5sum, 16 );
2978  md5_finish( &md5, buf );
2979 
2980  sha1_starts( &sha1 );
2981  sha1_update( &sha1, session->master, 48 );
2982  sha1_update( &sha1, padbuf , 40 );
2983  sha1_update( &sha1, sha1sum, 20 );
2984  sha1_finish( &sha1, buf + 16 );
2985 
2986  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2987 
2988  memset( &md5, 0, sizeof( md5_context ) );
2989  memset( &sha1, 0, sizeof( sha1_context ) );
2990 
2991  memset( padbuf, 0, sizeof( padbuf ) );
2992  memset( md5sum, 0, sizeof( md5sum ) );
2993  memset( sha1sum, 0, sizeof( sha1sum ) );
2994 
2995  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2996 }
2997 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2998 
2999 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
3000 static void ssl_calc_finished_tls(
3001  ssl_context *ssl, unsigned char *buf, int from )
3002 {
3003  int len = 12;
3004  const char *sender;
3005  md5_context md5;
3007  unsigned char padbuf[36];
3008 
3009  ssl_session *session = ssl->session_negotiate;
3010  if( !session )
3011  session = ssl->session;
3012 
3013  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
3014 
3015  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
3016  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
3017 
3018  /*
3019  * TLSv1:
3020  * hash = PRF( master, finished_label,
3021  * MD5( handshake ) + SHA1( handshake ) )[0..11]
3022  */
3023 
3024 #if !defined(POLARSSL_MD5_ALT)
3025  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
3026  md5.state, sizeof( md5.state ) );
3027 #endif
3028 
3029 #if !defined(POLARSSL_SHA1_ALT)
3030  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
3031  sha1.state, sizeof( sha1.state ) );
3032 #endif
3033 
3034  sender = ( from == SSL_IS_CLIENT )
3035  ? "client finished"
3036  : "server finished";
3037 
3038  md5_finish( &md5, padbuf );
3039  sha1_finish( &sha1, padbuf + 16 );
3040 
3041  ssl->handshake->tls_prf( session->master, 48, sender,
3042  padbuf, 36, buf, len );
3043 
3044  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3045 
3046  memset( &md5, 0, sizeof( md5_context ) );
3047  memset( &sha1, 0, sizeof( sha1_context ) );
3048 
3049  memset( padbuf, 0, sizeof( padbuf ) );
3050 
3051  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3052 }
3053 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
3054 
3055 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3056 #if defined(POLARSSL_SHA256_C)
3057 static void ssl_calc_finished_tls_sha256(
3058  ssl_context *ssl, unsigned char *buf, int from )
3059 {
3060  int len = 12;
3061  const char *sender;
3063  unsigned char padbuf[32];
3064 
3065  ssl_session *session = ssl->session_negotiate;
3066  if( !session )
3067  session = ssl->session;
3068 
3069  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
3070 
3071  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
3072 
3073  /*
3074  * TLSv1.2:
3075  * hash = PRF( master, finished_label,
3076  * Hash( handshake ) )[0.11]
3077  */
3078 
3079 #if !defined(POLARSSL_SHA256_ALT)
3080  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
3081  sha256.state, sizeof( sha256.state ) );
3082 #endif
3083 
3084  sender = ( from == SSL_IS_CLIENT )
3085  ? "client finished"
3086  : "server finished";
3087 
3088  sha256_finish( &sha256, padbuf );
3089 
3090  ssl->handshake->tls_prf( session->master, 48, sender,
3091  padbuf, 32, buf, len );
3092 
3093  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3094 
3095  memset( &sha256, 0, sizeof( sha256_context ) );
3096 
3097  memset( padbuf, 0, sizeof( padbuf ) );
3098 
3099  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3100 }
3101 #endif /* POLARSSL_SHA256_C */
3102 
3103 #if defined(POLARSSL_SHA512_C)
3104 static void ssl_calc_finished_tls_sha384(
3105  ssl_context *ssl, unsigned char *buf, int from )
3106 {
3107  int len = 12;
3108  const char *sender;
3110  unsigned char padbuf[48];
3111 
3112  ssl_session *session = ssl->session_negotiate;
3113  if( !session )
3114  session = ssl->session;
3115 
3116  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
3117 
3118  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
3119 
3120  /*
3121  * TLSv1.2:
3122  * hash = PRF( master, finished_label,
3123  * Hash( handshake ) )[0.11]
3124  */
3125 
3126 #if !defined(POLARSSL_SHA512_ALT)
3127  SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3128  sha512.state, sizeof( sha512.state ) );
3129 #endif
3130 
3131  sender = ( from == SSL_IS_CLIENT )
3132  ? "client finished"
3133  : "server finished";
3134 
3135  sha512_finish( &sha512, padbuf );
3136 
3137  ssl->handshake->tls_prf( session->master, 48, sender,
3138  padbuf, 48, buf, len );
3139 
3140  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3141 
3142  memset( &sha512, 0, sizeof( sha512_context ) );
3143 
3144  memset( padbuf, 0, sizeof( padbuf ) );
3145 
3146  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3147 }
3148 #endif /* POLARSSL_SHA512_C */
3149 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3150 
3151 void ssl_handshake_wrapup( ssl_context *ssl )
3152 {
3153  int resume = ssl->handshake->resume;
3154 
3155  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3156 
3157  /*
3158  * Free our handshake params
3159  */
3160  ssl_handshake_free( ssl->handshake );
3161  polarssl_free( ssl->handshake );
3162  ssl->handshake = NULL;
3163 
3164  if( ssl->renegotiation == SSL_RENEGOTIATION )
3166 
3167  /*
3168  * Switch in our now active transform context
3169  */
3170  if( ssl->transform )
3171  {
3172  ssl_transform_free( ssl->transform );
3173  polarssl_free( ssl->transform );
3174  }
3175  ssl->transform = ssl->transform_negotiate;
3176  ssl->transform_negotiate = NULL;
3177 
3178  if( ssl->session )
3179  {
3180  ssl_session_free( ssl->session );
3181  polarssl_free( ssl->session );
3182  }
3183  ssl->session = ssl->session_negotiate;
3184  ssl->session_negotiate = NULL;
3185 
3186  /*
3187  * Add cache entry
3188  */
3189  if( ssl->f_set_cache != NULL &&
3190  ssl->session->length != 0 &&
3191  resume == 0 )
3192  {
3193  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3194  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
3195  }
3196 
3197  ssl->state++;
3198 
3199  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3200 }
3201 
3202 int ssl_write_finished( ssl_context *ssl )
3203 {
3204  int ret, hash_len;
3205 
3206  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3207 
3208  /*
3209  * Set the out_msg pointer to the correct location based on IV length
3210  */
3211  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3212  {
3213  ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3215  }
3216  else
3217  ssl->out_msg = ssl->out_iv;
3218 
3219  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
3220 
3221  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3222  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3223 
3224  ssl->verify_data_len = hash_len;
3225  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
3226 
3227  ssl->out_msglen = 4 + hash_len;
3229  ssl->out_msg[0] = SSL_HS_FINISHED;
3230 
3231  /*
3232  * In case of session resuming, invert the client and server
3233  * ChangeCipherSpec messages order.
3234  */
3235  if( ssl->handshake->resume != 0 )
3236  {
3237  if( ssl->endpoint == SSL_IS_CLIENT )
3238  ssl->state = SSL_HANDSHAKE_WRAPUP;
3239  else
3241  }
3242  else
3243  ssl->state++;
3244 
3245  /*
3246  * Switch to our negotiated transform and session parameters for outbound
3247  * data.
3248  */
3249  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3250  ssl->transform_out = ssl->transform_negotiate;
3251  ssl->session_out = ssl->session_negotiate;
3252  memset( ssl->out_ctr, 0, 8 );
3253 
3254 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3255  if( ssl_hw_record_activate != NULL)
3256  {
3257  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3258  {
3259  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3261  }
3262  }
3263 #endif
3264 
3265  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3266  {
3267  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3268  return( ret );
3269  }
3270 
3271  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3272 
3273  return( 0 );
3274 }
3275 
3276 int ssl_parse_finished( ssl_context *ssl )
3277 {
3278  int ret;
3279  unsigned int hash_len;
3280  unsigned char buf[36];
3281 
3282  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3283 
3284  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
3285 
3286  /*
3287  * Switch to our negotiated transform and session parameters for inbound
3288  * data.
3289  */
3290  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3291  ssl->transform_in = ssl->transform_negotiate;
3292  ssl->session_in = ssl->session_negotiate;
3293  memset( ssl->in_ctr, 0, 8 );
3294 
3295  /*
3296  * Set the in_msg pointer to the correct location based on IV length
3297  */
3298  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3299  {
3300  ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3302  }
3303  else
3304  ssl->in_msg = ssl->in_iv;
3305 
3306 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3307  if( ssl_hw_record_activate != NULL)
3308  {
3309  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3310  {
3311  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3313  }
3314  }
3315 #endif
3316 
3317  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3318  {
3319  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3320  return( ret );
3321  }
3322 
3323  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3324  {
3325  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3327  }
3328 
3329  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3330  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3331 
3332  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3333  ssl->in_hslen != 4 + hash_len )
3334  {
3335  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3337  }
3338 
3339  if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
3340  {
3341  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3343  }
3344 
3345  ssl->verify_data_len = hash_len;
3346  memcpy( ssl->peer_verify_data, buf, hash_len );
3347 
3348  if( ssl->handshake->resume != 0 )
3349  {
3350  if( ssl->endpoint == SSL_IS_CLIENT )
3352 
3353  if( ssl->endpoint == SSL_IS_SERVER )
3354  ssl->state = SSL_HANDSHAKE_WRAPUP;
3355  }
3356  else
3357  ssl->state++;
3358 
3359  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3360 
3361  return( 0 );
3362 }
3363 
3364 static int ssl_handshake_init( ssl_context *ssl )
3365 {
3366  if( ssl->transform_negotiate )
3368  else
3369  {
3370  ssl->transform_negotiate =
3372 
3373  if( ssl->transform_negotiate != NULL )
3374  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
3375  }
3376 
3377  if( ssl->session_negotiate )
3379  else
3380  {
3381  ssl->session_negotiate =
3382  (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
3383 
3384  if( ssl->session_negotiate != NULL )
3385  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
3386  }
3387 
3388  if( ssl->handshake )
3389  ssl_handshake_free( ssl->handshake );
3390  else
3391  {
3392  ssl->handshake = (ssl_handshake_params *)
3394 
3395  if( ssl->handshake != NULL )
3396  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
3397  }
3398 
3399  if( ssl->handshake == NULL ||
3400  ssl->transform_negotiate == NULL ||
3401  ssl->session_negotiate == NULL )
3402  {
3403  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3405  }
3406 
3407 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3408  defined(POLARSSL_SSL_PROTO_TLS1_1)
3409  md5_starts( &ssl->handshake->fin_md5 );
3410  sha1_starts( &ssl->handshake->fin_sha1 );
3411 #endif
3412 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3413 #if defined(POLARSSL_SHA256_C)
3414  sha256_starts( &ssl->handshake->fin_sha256, 0 );
3415 #endif
3416 #if defined(POLARSSL_SHA512_C)
3417  sha512_starts( &ssl->handshake->fin_sha512, 1 );
3418 #endif
3419 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3420 
3421  ssl->handshake->update_checksum = ssl_update_checksum_start;
3423 
3424 #if defined(POLARSSL_ECDH_C)
3425  ecdh_init( &ssl->handshake->ecdh_ctx );
3426 #endif
3427 
3428 #if defined(POLARSSL_X509_CRT_PARSE_C)
3429  ssl->handshake->key_cert = ssl->key_cert;
3430 #endif
3431 
3432  return( 0 );
3433 }
3434 
3435 /*
3436  * Initialize an SSL context
3437  */
3438 int ssl_init( ssl_context *ssl )
3439 {
3440  int ret;
3441  int len = SSL_BUFFER_LEN;
3442 
3443  memset( ssl, 0, sizeof( ssl_context ) );
3444 
3445  /*
3446  * Sane defaults
3447  */
3452 
3454 
3455 #if defined(POLARSSL_DHM_C)
3456  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3458  ( ret = mpi_read_string( &ssl->dhm_G, 16,
3460  {
3461  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3462  return( ret );
3463  }
3464 #endif
3465 
3466  /*
3467  * Prepare base structures
3468  */
3469  ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
3470  ssl->in_hdr = ssl->in_ctr + 8;
3471  ssl->in_iv = ssl->in_ctr + 13;
3472  ssl->in_msg = ssl->in_ctr + 13;
3473 
3474  if( ssl->in_ctr == NULL )
3475  {
3476  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3478  }
3479 
3480  ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
3481  ssl->out_hdr = ssl->out_ctr + 8;
3482  ssl->out_iv = ssl->out_ctr + 13;
3483  ssl->out_msg = ssl->out_ctr + 13;
3484 
3485  if( ssl->out_ctr == NULL )
3486  {
3487  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3488  polarssl_free( ssl->in_ctr );
3489  ssl->in_ctr = NULL;
3491  }
3492 
3493  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3494  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3495 
3496 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3498 #endif
3499 
3500 #if defined(POLARSSL_SSL_SET_CURVES)
3501  ssl->curve_list = ecp_grp_id_list( );
3502 #endif
3503 
3504  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3505  return( ret );
3506 
3507  return( 0 );
3508 }
3509 
3510 /*
3511  * Reset an initialized and used SSL context for re-use while retaining
3512  * all application-set variables, function pointers and data.
3513  */
3514 int ssl_session_reset( ssl_context *ssl )
3515 {
3516  int ret;
3517 
3518  ssl->state = SSL_HELLO_REQUEST;
3521 
3522  ssl->verify_data_len = 0;
3523  memset( ssl->own_verify_data, 0, 36 );
3524  memset( ssl->peer_verify_data, 0, 36 );
3525 
3526  ssl->in_offt = NULL;
3527 
3528  ssl->in_msg = ssl->in_ctr + 13;
3529  ssl->in_msgtype = 0;
3530  ssl->in_msglen = 0;
3531  ssl->in_left = 0;
3532 
3533  ssl->in_hslen = 0;
3534  ssl->nb_zero = 0;
3535  ssl->record_read = 0;
3536 
3537  ssl->out_msg = ssl->out_ctr + 13;
3538  ssl->out_msgtype = 0;
3539  ssl->out_msglen = 0;
3540  ssl->out_left = 0;
3541 
3542  ssl->transform_in = NULL;
3543  ssl->transform_out = NULL;
3544 
3545  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3546  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3547 
3548 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3549  if( ssl_hw_record_reset != NULL)
3550  {
3551  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3552  if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
3553  {
3554  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3556  }
3557  }
3558 #endif
3559 
3560  if( ssl->transform )
3561  {
3562  ssl_transform_free( ssl->transform );
3563  polarssl_free( ssl->transform );
3564  ssl->transform = NULL;
3565  }
3566 
3567  if( ssl->session )
3568  {
3569  ssl_session_free( ssl->session );
3570  polarssl_free( ssl->session );
3571  ssl->session = NULL;
3572  }
3573 
3574 #if defined(POLARSSL_SSL_ALPN)
3575  ssl->alpn_chosen = NULL;
3576 #endif
3577 
3578  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3579  return( ret );
3580 
3581  return( 0 );
3582 }
3583 
3584 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3585 /*
3586  * Allocate and initialize ticket keys
3587  */
3588 static int ssl_ticket_keys_init( ssl_context *ssl )
3589 {
3590  int ret;
3591  ssl_ticket_keys *tkeys;
3592  unsigned char buf[16];
3593 
3594  if( ssl->ticket_keys != NULL )
3595  return( 0 );
3596 
3597  tkeys = (ssl_ticket_keys *) polarssl_malloc( sizeof(ssl_ticket_keys) );
3598  if( tkeys == NULL )
3600 
3601  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
3602  {
3603  polarssl_free( tkeys );
3604  return( ret );
3605  }
3606 
3607  if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3608  ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3609  ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3610  {
3611  polarssl_free( tkeys );
3612  return( ret );
3613  }
3614 
3615  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
3616  {
3617  polarssl_free( tkeys );
3618  return( ret );
3619  }
3620 
3621  ssl->ticket_keys = tkeys;
3622 
3623  return( 0 );
3624 }
3625 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3626 
3627 /*
3628  * SSL set accessors
3629  */
3630 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3631 {
3632  ssl->endpoint = endpoint;
3633 
3634 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3635  if( endpoint == SSL_IS_CLIENT )
3637 #endif
3638 }
3639 
3640 void ssl_set_authmode( ssl_context *ssl, int authmode )
3641 {
3642  ssl->authmode = authmode;
3643 }
3644 
3645 #if defined(POLARSSL_X509_CRT_PARSE_C)
3646 void ssl_set_verify( ssl_context *ssl,
3647  int (*f_vrfy)(void *, x509_crt *, int, int *),
3648  void *p_vrfy )
3649 {
3650  ssl->f_vrfy = f_vrfy;
3651  ssl->p_vrfy = p_vrfy;
3652 }
3653 #endif /* POLARSSL_X509_CRT_PARSE_C */
3654 
3655 void ssl_set_rng( ssl_context *ssl,
3656  int (*f_rng)(void *, unsigned char *, size_t),
3657  void *p_rng )
3658 {
3659  ssl->f_rng = f_rng;
3660  ssl->p_rng = p_rng;
3661 }
3662 
3663 void ssl_set_dbg( ssl_context *ssl,
3664  void (*f_dbg)(void *, int, const char *),
3665  void *p_dbg )
3666 {
3667  ssl->f_dbg = f_dbg;
3668  ssl->p_dbg = p_dbg;
3669 }
3670 
3671 void ssl_set_bio( ssl_context *ssl,
3672  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3673  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3674 {
3675  ssl->f_recv = f_recv;
3676  ssl->f_send = f_send;
3677  ssl->p_recv = p_recv;
3678  ssl->p_send = p_send;
3679 }
3680 
3682  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3683  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3684 {
3685  ssl->f_get_cache = f_get_cache;
3686  ssl->p_get_cache = p_get_cache;
3687  ssl->f_set_cache = f_set_cache;
3688  ssl->p_set_cache = p_set_cache;
3689 }
3690 
3691 int ssl_set_session( ssl_context *ssl, const ssl_session *session )
3692 {
3693  int ret;
3694 
3695  if( ssl == NULL ||
3696  session == NULL ||
3697  ssl->session_negotiate == NULL ||
3698  ssl->endpoint != SSL_IS_CLIENT )
3699  {
3701  }
3702 
3703  if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3704  return( ret );
3705 
3706  ssl->handshake->resume = 1;
3707 
3708  return( 0 );
3709 }
3710 
3711 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3712 {
3713  ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3714  ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3715  ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3716  ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3717 }
3718 
3720  const int *ciphersuites,
3721  int major, int minor )
3722 {
3723  if( major != SSL_MAJOR_VERSION_3 )
3724  return;
3725 
3726  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3727  return;
3728 
3729  ssl->ciphersuite_list[minor] = ciphersuites;
3730 }
3731 
3732 #if defined(POLARSSL_X509_CRT_PARSE_C)
3733 /* Add a new (empty) key_cert entry an return a pointer to it */
3734 static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3735 {
3736  ssl_key_cert *key_cert, *last;
3737 
3738  key_cert = (ssl_key_cert *) polarssl_malloc( sizeof(ssl_key_cert) );
3739  if( key_cert == NULL )
3740  return( NULL );
3741 
3742  memset( key_cert, 0, sizeof( ssl_key_cert ) );
3743 
3744  /* Append the new key_cert to the (possibly empty) current list */
3745  if( ssl->key_cert == NULL )
3746  {
3747  ssl->key_cert = key_cert;
3748  if( ssl->handshake != NULL )
3749  ssl->handshake->key_cert = key_cert;
3750  }
3751  else
3752  {
3753  last = ssl->key_cert;
3754  while( last->next != NULL )
3755  last = last->next;
3756  last->next = key_cert;
3757  }
3758 
3759  return key_cert;
3760 }
3761 
3762 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
3763  x509_crl *ca_crl, const char *peer_cn )
3764 {
3765  ssl->ca_chain = ca_chain;
3766  ssl->ca_crl = ca_crl;
3767  ssl->peer_cn = peer_cn;
3768 }
3769 
3770 int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
3771  pk_context *pk_key )
3772 {
3773  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3774 
3775  if( key_cert == NULL )
3777 
3778  key_cert->cert = own_cert;
3779  key_cert->key = pk_key;
3780 
3781  return( 0 );
3782 }
3783 
3784 #if defined(POLARSSL_RSA_C)
3785 int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
3786  rsa_context *rsa_key )
3787 {
3788  int ret;
3789  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3790 
3791  if( key_cert == NULL )
3793 
3794  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3795  if( key_cert->key == NULL )
3797 
3798  pk_init( key_cert->key );
3799 
3800  ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
3801  if( ret != 0 )
3802  return( ret );
3803 
3804  if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
3805  return( ret );
3806 
3807  key_cert->cert = own_cert;
3808  key_cert->key_own_alloc = 1;
3809 
3810  return( 0 );
3811 }
3812 #endif /* POLARSSL_RSA_C */
3813 
3814 int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
3815  void *rsa_key,
3816  rsa_decrypt_func rsa_decrypt,
3817  rsa_sign_func rsa_sign,
3818  rsa_key_len_func rsa_key_len )
3819 {
3820  int ret;
3821  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3822 
3823  if( key_cert == NULL )
3825 
3826  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3827  if( key_cert->key == NULL )
3829 
3830  pk_init( key_cert->key );
3831 
3832  if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
3833  rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
3834  return( ret );
3835 
3836  key_cert->cert = own_cert;
3837  key_cert->key_own_alloc = 1;
3838 
3839  return( 0 );
3840 }
3841 #endif /* POLARSSL_X509_CRT_PARSE_C */
3842 
3843 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
3844 int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3845  const unsigned char *psk_identity, size_t psk_identity_len )
3846 {
3847  if( psk == NULL || psk_identity == NULL )
3849 
3850  /*
3851  * The length will be check later anyway, but in case it is obviously
3852  * too large, better abort now. The PMS is as follows:
3853  * other_len (2 bytes) + other + psk_len (2 bytes) + psk
3854  */
3855  if( psk_len + 4 > POLARSSL_PREMASTER_SIZE )
3857 
3858  if( ssl->psk != NULL )
3859  {
3860  polarssl_free( ssl->psk );
3861  polarssl_free( ssl->psk_identity );
3862  }
3863 
3864  ssl->psk_len = psk_len;
3865  ssl->psk_identity_len = psk_identity_len;
3866 
3867  ssl->psk = (unsigned char *) polarssl_malloc( ssl->psk_len );
3868  ssl->psk_identity = (unsigned char *)
3870 
3871  if( ssl->psk == NULL || ssl->psk_identity == NULL )
3873 
3874  memcpy( ssl->psk, psk, ssl->psk_len );
3875  memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
3876 
3877  return( 0 );
3878 }
3879 
3880 void ssl_set_psk_cb( ssl_context *ssl,
3881  int (*f_psk)(void *, ssl_context *, const unsigned char *,
3882  size_t),
3883  void *p_psk )
3884 {
3885  ssl->f_psk = f_psk;
3886  ssl->p_psk = p_psk;
3887 }
3888 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
3889 
3890 #if defined(POLARSSL_DHM_C)
3891 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3892 {
3893  int ret;
3894 
3895  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3896  {
3897  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3898  return( ret );
3899  }
3900 
3901  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3902  {
3903  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3904  return( ret );
3905  }
3906 
3907  return( 0 );
3908 }
3909 
3910 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3911 {
3912  int ret;
3913 
3914  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3915  {
3916  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3917  return( ret );
3918  }
3919 
3920  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3921  {
3922  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3923  return( ret );
3924  }
3925 
3926  return( 0 );
3927 }
3928 #endif /* POLARSSL_DHM_C */
3929 
3930 #if defined(POLARSSL_SSL_SET_CURVES)
3931 /*
3932  * Set the allowed elliptic curves
3933  */
3934 void ssl_set_curves( ssl_context *ssl, const ecp_group_id *curve_list )
3935 {
3936  ssl->curve_list = curve_list;
3937 }
3938 #endif
3939 
3940 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
3941 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3942 {
3943  if( hostname == NULL )
3945 
3946  ssl->hostname_len = strlen( hostname );
3947 
3948  if( ssl->hostname_len + 1 == 0 )
3950 
3951  ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
3952 
3953  if( ssl->hostname == NULL )
3955 
3956  memcpy( ssl->hostname, (const unsigned char *) hostname,
3957  ssl->hostname_len );
3958 
3959  ssl->hostname[ssl->hostname_len] = '\0';
3960 
3961  return( 0 );
3962 }
3963 
3964 void ssl_set_sni( ssl_context *ssl,
3965  int (*f_sni)(void *, ssl_context *,
3966  const unsigned char *, size_t),
3967  void *p_sni )
3968 {
3969  ssl->f_sni = f_sni;
3970  ssl->p_sni = p_sni;
3971 }
3972 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
3973 
3974 #if defined(POLARSSL_SSL_ALPN)
3975 int ssl_set_alpn_protocols( ssl_context *ssl, const char **protos )
3976 {
3977  size_t cur_len, tot_len;
3978  const char **p;
3979 
3980  /*
3981  * "Empty strings MUST NOT be included and byte strings MUST NOT be
3982  * truncated". Check lengths now rather than later.
3983  */
3984  tot_len = 0;
3985  for( p = protos; *p != NULL; p++ )
3986  {
3987  cur_len = strlen( *p );
3988  tot_len += cur_len;
3989 
3990  if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
3992  }
3993 
3994  ssl->alpn_list = protos;
3995 
3996  return( 0 );
3997 }
3998 
3999 const char *ssl_get_alpn_protocol( const ssl_context *ssl )
4000 {
4001  return ssl->alpn_chosen;
4002 }
4003 #endif /* POLARSSL_SSL_ALPN */
4004 
4005 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
4006 {
4007  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
4008  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
4009  {
4010  ssl->max_major_ver = major;
4011  ssl->max_minor_ver = minor;
4012  }
4013 }
4014 
4015 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
4016 {
4017  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
4018  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
4019  {
4020  ssl->min_major_ver = major;
4021  ssl->min_minor_ver = minor;
4022  }
4023 }
4024 
4025 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4026 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
4027 {
4028  if( mfl_code >= SSL_MAX_FRAG_LEN_INVALID ||
4029  mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
4030  {
4032  }
4033 
4034  ssl->mfl_code = mfl_code;
4035 
4036  return( 0 );
4037 }
4038 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4039 
4040 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
4041 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
4042 {
4043  if( ssl->endpoint != SSL_IS_CLIENT )
4045 
4046  ssl->trunc_hmac = truncate;
4047 
4048  return( 0 );
4049 }
4050 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
4051 
4052 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
4053 {
4054  ssl->disable_renegotiation = renegotiation;
4055 }
4056 
4057 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
4058 {
4059  ssl->allow_legacy_renegotiation = allow_legacy;
4060 }
4061 
4062 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4063 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
4064 {
4065  ssl->session_tickets = use_tickets;
4066 
4067  if( ssl->endpoint == SSL_IS_CLIENT )
4068  return( 0 );
4069 
4070  if( ssl->f_rng == NULL )
4072 
4073  return( ssl_ticket_keys_init( ssl ) );
4074 }
4075 
4076 void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
4077 {
4078  ssl->ticket_lifetime = lifetime;
4079 }
4080 #endif /* POLARSSL_SSL_SESSION_TICKETS */
4081 
4082 /*
4083  * SSL get accessors
4084  */
4085 size_t ssl_get_bytes_avail( const ssl_context *ssl )
4086 {
4087  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4088 }
4089 
4090 int ssl_get_verify_result( const ssl_context *ssl )
4091 {
4092  return( ssl->session->verify_result );
4093 }
4094 
4095 const char *ssl_get_ciphersuite( const ssl_context *ssl )
4096 {
4097  if( ssl == NULL || ssl->session == NULL )
4098  return NULL;
4099 
4101 }
4102 
4103 const char *ssl_get_version( const ssl_context *ssl )
4104 {
4105  switch( ssl->minor_ver )
4106  {
4107  case SSL_MINOR_VERSION_0:
4108  return( "SSLv3.0" );
4109 
4110  case SSL_MINOR_VERSION_1:
4111  return( "TLSv1.0" );
4112 
4113  case SSL_MINOR_VERSION_2:
4114  return( "TLSv1.1" );
4115 
4116  case SSL_MINOR_VERSION_3:
4117  return( "TLSv1.2" );
4118 
4119  default:
4120  break;
4121  }
4122  return( "unknown" );
4123 }
4124 
4125 #if defined(POLARSSL_X509_CRT_PARSE_C)
4126 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
4127 {
4128  if( ssl == NULL || ssl->session == NULL )
4129  return NULL;
4130 
4131  return ssl->session->peer_cert;
4132 }
4133 #endif /* POLARSSL_X509_CRT_PARSE_C */
4134 
4135 int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
4136 {
4137  if( ssl == NULL ||
4138  dst == NULL ||
4139  ssl->session == NULL ||
4140  ssl->endpoint != SSL_IS_CLIENT )
4141  {
4143  }
4144 
4145  return( ssl_session_copy( dst, ssl->session ) );
4146 }
4147 
4148 /*
4149  * Perform a single step of the SSL handshake
4150  */
4151 int ssl_handshake_step( ssl_context *ssl )
4152 {
4154 
4155 #if defined(POLARSSL_SSL_CLI_C)
4156  if( ssl->endpoint == SSL_IS_CLIENT )
4157  ret = ssl_handshake_client_step( ssl );
4158 #endif
4159 
4160 #if defined(POLARSSL_SSL_SRV_C)
4161  if( ssl->endpoint == SSL_IS_SERVER )
4162  ret = ssl_handshake_server_step( ssl );
4163 #endif
4164 
4165  return( ret );
4166 }
4167 
4168 /*
4169  * Perform the SSL handshake
4170  */
4171 int ssl_handshake( ssl_context *ssl )
4172 {
4173  int ret = 0;
4174 
4175  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
4176 
4177  while( ssl->state != SSL_HANDSHAKE_OVER )
4178  {
4179  ret = ssl_handshake_step( ssl );
4180 
4181  if( ret != 0 )
4182  break;
4183  }
4184 
4185  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
4186 
4187  return( ret );
4188 }
4189 
4190 #if defined(POLARSSL_SSL_SRV_C)
4191 /*
4192  * Write HelloRequest to request renegotiation on server
4193  */
4194 static int ssl_write_hello_request( ssl_context *ssl )
4195 {
4196  int ret;
4197 
4198  SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
4199 
4200  ssl->out_msglen = 4;
4202  ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
4203 
4204  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4205  {
4206  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4207  return( ret );
4208  }
4209 
4211 
4212  SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4213 
4214  return( 0 );
4215 }
4216 #endif /* POLARSSL_SSL_SRV_C */
4217 
4218 /*
4219  * Actually renegotiate current connection, triggered by either:
4220  * - calling ssl_renegotiate() on client,
4221  * - receiving a HelloRequest on client during ssl_read(),
4222  * - receiving any handshake message on server during ssl_read() after the
4223  * initial handshake is completed
4224  * If the handshake doesn't complete due to waiting for I/O, it will continue
4225  * during the next calls to ssl_renegotiate() or ssl_read() respectively.
4226  */
4227 static int ssl_start_renegotiation( ssl_context *ssl )
4228 {
4229  int ret;
4230 
4231  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4232 
4233  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4234  return( ret );
4235 
4236  ssl->state = SSL_HELLO_REQUEST;
4238 
4239  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4240  {
4241  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4242  return( ret );
4243  }
4244 
4245  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4246 
4247  return( 0 );
4248 }
4249 
4250 /*
4251  * Renegotiate current connection on client,
4252  * or request renegotiation on server
4253  */
4254 int ssl_renegotiate( ssl_context *ssl )
4255 {
4257 
4258 #if defined(POLARSSL_SSL_SRV_C)
4259  /* On server, just send the request */
4260  if( ssl->endpoint == SSL_IS_SERVER )
4261  {
4262  if( ssl->state != SSL_HANDSHAKE_OVER )
4264 
4265  return( ssl_write_hello_request( ssl ) );
4266  }
4267 #endif /* POLARSSL_SSL_SRV_C */
4268 
4269 #if defined(POLARSSL_SSL_CLI_C)
4270  /*
4271  * On client, either start the renegotiation process or,
4272  * if already in progress, continue the handshake
4273  */
4274  if( ssl->renegotiation != SSL_RENEGOTIATION )
4275  {
4276  if( ssl->state != SSL_HANDSHAKE_OVER )
4278 
4279  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4280  {
4281  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4282  return( ret );
4283  }
4284  }
4285  else
4286  {
4287  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4288  {
4289  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4290  return( ret );
4291  }
4292  }
4293 #endif /* POLARSSL_SSL_CLI_C */
4294 
4295  return( ret );
4296 }
4297 
4298 /*
4299  * Receive application data decrypted from the SSL layer
4300  */
4301 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
4302 {
4303  int ret;
4304  size_t n;
4305 
4306  SSL_DEBUG_MSG( 2, ( "=> read" ) );
4307 
4308  if( ssl->state != SSL_HANDSHAKE_OVER )
4309  {
4310  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4311  {
4312  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4313  return( ret );
4314  }
4315  }
4316 
4317  if( ssl->in_offt == NULL )
4318  {
4319  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4320  {
4321  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4322  return( 0 );
4323 
4324  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4325  return( ret );
4326  }
4327 
4328  if( ssl->in_msglen == 0 &&
4330  {
4331  /*
4332  * OpenSSL sends empty messages to randomize the IV
4333  */
4334  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4335  {
4336  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4337  return( 0 );
4338 
4339  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4340  return( ret );
4341  }
4342  }
4343 
4344  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4345  {
4346  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4347 
4348  if( ssl->endpoint == SSL_IS_CLIENT &&
4349  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4350  ssl->in_hslen != 4 ) )
4351  {
4352  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4354  }
4355 
4360  {
4361  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4362 
4363 #if defined(POLARSSL_SSL_PROTO_SSL3)
4364  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
4365  {
4366  /*
4367  * SSLv3 does not have a "no_renegotiation" alert
4368  */
4369  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4370  return( ret );
4371  }
4372  else
4373 #endif /* POLARSSL_SSL_PROTO_SSL3 */
4374 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4375  defined(POLARSSL_SSL_PROTO_TLS1_2)
4376  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
4377  {
4378  if( ( ret = ssl_send_alert_message( ssl,
4381  {
4382  return( ret );
4383  }
4384  }
4385  else
4386 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 ||
4387  POLARSSL_SSL_PROTO_TLS1_2 */
4388  {
4389  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4391  }
4392  }
4393  else
4394  {
4395  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4396  {
4397  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4398  return( ret );
4399  }
4400 
4401  return( POLARSSL_ERR_NET_WANT_READ );
4402  }
4403  }
4404  else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4405  {
4406  SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4407  "but not honored by client" ) );
4409  }
4410  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
4411  {
4412  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
4414  }
4415 
4416  ssl->in_offt = ssl->in_msg;
4417  }
4418 
4419  n = ( len < ssl->in_msglen )
4420  ? len : ssl->in_msglen;
4421 
4422  memcpy( buf, ssl->in_offt, n );
4423  ssl->in_msglen -= n;
4424 
4425  if( ssl->in_msglen == 0 )
4426  /* all bytes consumed */
4427  ssl->in_offt = NULL;
4428  else
4429  /* more data available */
4430  ssl->in_offt += n;
4431 
4432  SSL_DEBUG_MSG( 2, ( "<= read" ) );
4433 
4434  return( (int) n );
4435 }
4436 
4437 /*
4438  * Send application data to be encrypted by the SSL layer
4439  */
4440 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4441 {
4442  int ret;
4443  size_t n;
4444  unsigned int max_len = SSL_MAX_CONTENT_LEN;
4445 
4446  SSL_DEBUG_MSG( 2, ( "=> write" ) );
4447 
4448  if( ssl->state != SSL_HANDSHAKE_OVER )
4449  {
4450  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4451  {
4452  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4453  return( ret );
4454  }
4455  }
4456 
4457 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4458  /*
4459  * Assume mfl_code is correct since it was checked when set
4460  */
4461  max_len = mfl_code_to_length[ssl->mfl_code];
4462 
4463  /*
4464  * Check if a smaller max length was negotiated
4465  */
4466  if( ssl->session_out != NULL &&
4467  mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4468  {
4469  max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4470  }
4471 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4472 
4473  n = ( len < max_len) ? len : max_len;
4474 
4475  if( ssl->out_left != 0 )
4476  {
4477  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4478  {
4479  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4480  return( ret );
4481  }
4482  }
4483  else
4484  {
4485  ssl->out_msglen = n;
4487  memcpy( ssl->out_msg, buf, n );
4488 
4489  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4490  {
4491  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4492  return( ret );
4493  }
4494  }
4495 
4496  SSL_DEBUG_MSG( 2, ( "<= write" ) );
4497 
4498  return( (int) n );
4499 }
4500 
4501 /*
4502  * Notify the peer that the connection is being closed
4503  */
4504 int ssl_close_notify( ssl_context *ssl )
4505 {
4506  int ret;
4507 
4508  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4509 
4510  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4511  {
4512  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4513  return( ret );
4514  }
4515 
4516  if( ssl->state == SSL_HANDSHAKE_OVER )
4517  {
4518  if( ( ret = ssl_send_alert_message( ssl,
4520  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4521  {
4522  return( ret );
4523  }
4524  }
4525 
4526  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4527 
4528  return( ret );
4529 }
4530 
4531 void ssl_transform_free( ssl_transform *transform )
4532 {
4533 #if defined(POLARSSL_ZLIB_SUPPORT)
4534  deflateEnd( &transform->ctx_deflate );
4535  inflateEnd( &transform->ctx_inflate );
4536 #endif
4537 
4538  cipher_free_ctx( &transform->cipher_ctx_enc );
4539  cipher_free_ctx( &transform->cipher_ctx_dec );
4540 
4541  md_free_ctx( &transform->md_ctx_enc );
4542  md_free_ctx( &transform->md_ctx_dec );
4543 
4544  memset( transform, 0, sizeof( ssl_transform ) );
4545 }
4546 
4547 #if defined(POLARSSL_X509_CRT_PARSE_C)
4548 static void ssl_key_cert_free( ssl_key_cert *key_cert )
4549 {
4550  ssl_key_cert *cur = key_cert, *next;
4551 
4552  while( cur != NULL )
4553  {
4554  next = cur->next;
4555 
4556  if( cur->key_own_alloc )
4557  {
4558  pk_free( cur->key );
4559  polarssl_free( cur->key );
4560  }
4561  polarssl_free( cur );
4562 
4563  cur = next;
4564  }
4565 }
4566 #endif /* POLARSSL_X509_CRT_PARSE_C */
4567 
4568 void ssl_handshake_free( ssl_handshake_params *handshake )
4569 {
4570 #if defined(POLARSSL_DHM_C)
4571  dhm_free( &handshake->dhm_ctx );
4572 #endif
4573 #if defined(POLARSSL_ECDH_C)
4574  ecdh_free( &handshake->ecdh_ctx );
4575 #endif
4576 
4577 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
4578  /* explicit void pointer cast for buggy MS compiler */
4579  polarssl_free( (void *) handshake->curves );
4580 #endif
4581 
4582 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
4583  defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4584  /*
4585  * Free only the linked list wrapper, not the keys themselves
4586  * since the belong to the SNI callback
4587  */
4588  if( handshake->sni_key_cert != NULL )
4589  {
4590  ssl_key_cert *cur = handshake->sni_key_cert, *next;
4591 
4592  while( cur != NULL )
4593  {
4594  next = cur->next;
4595  polarssl_free( cur );
4596  cur = next;
4597  }
4598  }
4599 #endif /* POLARSSL_X509_CRT_PARSE_C && POLARSSL_SSL_SERVER_NAME_INDICATION */
4600 
4601  memset( handshake, 0, sizeof( ssl_handshake_params ) );
4602 }
4603 
4604 void ssl_session_free( ssl_session *session )
4605 {
4606 #if defined(POLARSSL_X509_CRT_PARSE_C)
4607  if( session->peer_cert != NULL )
4608  {
4609  x509_crt_free( session->peer_cert );
4610  polarssl_free( session->peer_cert );
4611  }
4612 #endif
4613 
4614 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4615  polarssl_free( session->ticket );
4616 #endif
4617 
4618  memset( session, 0, sizeof( ssl_session ) );
4619 }
4620 
4621 /*
4622  * Free an SSL context
4623  */
4624 void ssl_free( ssl_context *ssl )
4625 {
4626  SSL_DEBUG_MSG( 2, ( "=> free" ) );
4627 
4628  if( ssl->out_ctr != NULL )
4629  {
4630  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
4631  polarssl_free( ssl->out_ctr );
4632  }
4633 
4634  if( ssl->in_ctr != NULL )
4635  {
4636  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
4637  polarssl_free( ssl->in_ctr );
4638  }
4639 
4640 #if defined(POLARSSL_ZLIB_SUPPORT)
4641  if( ssl->compress_buf != NULL )
4642  {
4643  memset( ssl->compress_buf, 0, SSL_BUFFER_LEN );
4644  polarssl_free( ssl->compress_buf );
4645  }
4646 #endif
4647 
4648 #if defined(POLARSSL_DHM_C)
4649  mpi_free( &ssl->dhm_P );
4650  mpi_free( &ssl->dhm_G );
4651 #endif
4652 
4653  if( ssl->transform )
4654  {
4655  ssl_transform_free( ssl->transform );
4656  polarssl_free( ssl->transform );
4657  }
4658 
4659  if( ssl->handshake )
4660  {
4661  ssl_handshake_free( ssl->handshake );
4664 
4665  polarssl_free( ssl->handshake );
4668  }
4669 
4670  if( ssl->session )
4671  {
4672  ssl_session_free( ssl->session );
4673  polarssl_free( ssl->session );
4674  }
4675 
4676 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4677  polarssl_free( ssl->ticket_keys );
4678 #endif
4679 
4680 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4681  if ( ssl->hostname != NULL )
4682  {
4683  memset( ssl->hostname, 0, ssl->hostname_len );
4684  polarssl_free( ssl->hostname );
4685  ssl->hostname_len = 0;
4686  }
4687 #endif
4688 
4689 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
4690  if( ssl->psk != NULL )
4691  {
4692  memset( ssl->psk, 0, ssl->psk_len );
4693  memset( ssl->psk_identity, 0, ssl->psk_identity_len );
4694  polarssl_free( ssl->psk );
4695  polarssl_free( ssl->psk_identity );
4696  ssl->psk_len = 0;
4697  ssl->psk_identity_len = 0;
4698  }
4699 #endif
4700 
4701 #if defined(POLARSSL_X509_CRT_PARSE_C)
4702  ssl_key_cert_free( ssl->key_cert );
4703 #endif
4704 
4705 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4706  if( ssl_hw_record_finish != NULL )
4707  {
4708  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4709  ssl_hw_record_finish( ssl );
4710  }
4711 #endif
4712 
4713  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4714 
4715  /* Actually clear after last debug message */
4716  memset( ssl, 0, sizeof( ssl_context ) );
4717 }
4718 
4719 #if defined(POLARSSL_PK_C)
4720 /*
4721  * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
4722  */
4723 unsigned char ssl_sig_from_pk( pk_context *pk )
4724 {
4725 #if defined(POLARSSL_RSA_C)
4726  if( pk_can_do( pk, POLARSSL_PK_RSA ) )
4727  return( SSL_SIG_RSA );
4728 #endif
4729 #if defined(POLARSSL_ECDSA_C)
4730  if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
4731  return( SSL_SIG_ECDSA );
4732 #endif
4733  return( SSL_SIG_ANON );
4734 }
4735 
4736 pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
4737 {
4738  switch( sig )
4739  {
4740 #if defined(POLARSSL_RSA_C)
4741  case SSL_SIG_RSA:
4742  return( POLARSSL_PK_RSA );
4743 #endif
4744 #if defined(POLARSSL_ECDSA_C)
4745  case SSL_SIG_ECDSA:
4746  return( POLARSSL_PK_ECDSA );
4747 #endif
4748  default:
4749  return( POLARSSL_PK_NONE );
4750  }
4751 }
4752 #endif /* POLARSSL_PK_C */
4753 
4754 /*
4755  * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
4756  */
4757 md_type_t ssl_md_alg_from_hash( unsigned char hash )
4758 {
4759  switch( hash )
4760  {
4761 #if defined(POLARSSL_MD5_C)
4762  case SSL_HASH_MD5:
4763  return( POLARSSL_MD_MD5 );
4764 #endif
4765 #if defined(POLARSSL_SHA1_C)
4766  case SSL_HASH_SHA1:
4767  return( POLARSSL_MD_SHA1 );
4768 #endif
4769 #if defined(POLARSSL_SHA256_C)
4770  case SSL_HASH_SHA224:
4771  return( POLARSSL_MD_SHA224 );
4772  case SSL_HASH_SHA256:
4773  return( POLARSSL_MD_SHA256 );
4774 #endif
4775 #if defined(POLARSSL_SHA512_C)
4776  case SSL_HASH_SHA384:
4777  return( POLARSSL_MD_SHA384 );
4778  case SSL_HASH_SHA512:
4779  return( POLARSSL_MD_SHA512 );
4780 #endif
4781  default:
4782  return( POLARSSL_MD_NONE );
4783  }
4784 }
4785 
4786 #if defined(POLARSSL_SSL_SET_CURVES)
4787 /*
4788  * Check is a curve proposed by the peer is in our list.
4789  * Return 1 if we're willing to use it, 0 otherwise.
4790  */
4791 int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
4792 {
4793  const ecp_group_id *gid;
4794 
4795  for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
4796  if( *gid == grp_id )
4797  return( 1 );
4798 
4799  return( 0 );
4800 }
4801 #endif /* POLARSSL_SSL_SET_CURVES */
4802 
4803 #if defined(POLARSSL_X509_CRT_PARSE_C)
4804 int ssl_check_cert_usage( const x509_crt *cert,
4805  const ssl_ciphersuite_t *ciphersuite,
4806  int cert_endpoint )
4807 {
4808 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
4809  int usage = 0;
4810 #endif
4811 #if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4812  const char *ext_oid;
4813  size_t ext_len;
4814 #endif
4815 
4816 #if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
4817  !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4818  ((void) cert);
4819  ((void) cert_endpoint);
4820 #endif
4821 
4822 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
4823  if( cert_endpoint == SSL_IS_SERVER )
4824  {
4825  /* Server part of the key exchange */
4826  switch( ciphersuite->key_exchange )
4827  {
4830  usage = KU_KEY_ENCIPHERMENT;
4831  break;
4832 
4836  usage = KU_DIGITAL_SIGNATURE;
4837  break;
4838 
4841  usage = KU_KEY_AGREEMENT;
4842  break;
4843 
4844  /* Don't use default: we want warnings when adding new values */
4849  usage = 0;
4850  }
4851  }
4852  else
4853  {
4854  /* Client auth: we only implement rsa_sign and ecdsa_sign for now */
4855  usage = KU_DIGITAL_SIGNATURE;
4856  }
4857 
4858  if( x509_crt_check_key_usage( cert, usage ) != 0 )
4859  return( -1 );
4860 #else
4861  ((void) ciphersuite);
4862 #endif /* POLARSSL_X509_CHECK_KEY_USAGE */
4863 
4864 #if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4865  if( cert_endpoint == SSL_IS_SERVER )
4866  {
4867  ext_oid = OID_SERVER_AUTH;
4868  ext_len = OID_SIZE( OID_SERVER_AUTH );
4869  }
4870  else
4871  {
4872  ext_oid = OID_CLIENT_AUTH;
4873  ext_len = OID_SIZE( OID_CLIENT_AUTH );
4874  }
4875 
4876  if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
4877  return( -1 );
4878 #endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
4879 
4880  return( 0 );
4881 }
4882 #endif /* POLARSSL_X509_CRT_PARSE_C */
4883 
4884 #endif /* POLARSSL_SSL_TLS_C */
const ecp_curve_info ** curves
Definition: ssl.h:535
unsigned char * hostname
Definition: ssl.h:778
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:308
ssl_session * session_in
Definition: ssl.h:668
#define SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:312
unsigned char mfl_code
Definition: ssl.h:717
size_t length
Definition: ssl.h:452
void * p_set_cache
Definition: ssl.h:647
md_context_t md_ctx_dec
Definition: ssl.h:503
int ciphersuite
Definition: ssl.h:450
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Processing of the ChangeCipherSpec handshake message failed.
Definition: ssl.h:134
mpi P
Definition: dhm.h:146
int trunc_hmac
Definition: ssl.h:752
size_t in_hslen
Definition: ssl.h:697
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
void(* f_dbg)(void *, int, const char *)
Definition: ssl.h:636
#define SSL_HS_FINISHED
Definition: ssl.h:349
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:635
uint32_t state[8]
Definition: sha256.h:61
const pk_info_t * pk_info_from_type(pk_type_t pk_type)
Return information associated with the given PK type.
#define POLARSSL_DHM_RFC5114_MODP_1024_P
Definition: dhm.h:94
sha256_context fin_sha256
Definition: ssl.h:560
size_t ivlen
Definition: ssl.h:489
int cipher_finish(cipher_context_t *ctx, unsigned char *output, size_t *olen)
Generic cipher finalisation function.
int record_read
Definition: ssl.h:699
int major_ver
Definition: ssl.h:624
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:63
int rsa_copy(rsa_context *dst, const rsa_context *src)
Copy the components of an RSA context.
#define POLARSSL_PREMASTER_SIZE
Definition: ssl.h:385
SHA-1 context structure.
Definition: sha1.h:58
sha1_context fin_sha1
Definition: ssl.h:556
int compression
Definition: ssl.h:451
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:621
const char * peer_cn
Definition: ssl.h:728
unsigned char master[48]
Definition: ssl.h:454
void sha256_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
void sha256(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
char peer_verify_data[36]
Definition: ssl.h:797
int ssl_set_truncated_hmac(ssl_context *ssl, int truncate)
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED) ...
ssl_transform * transform_out
Definition: ssl.h:680
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:59
Debug functions.
#define POLARSSL_ERR_SSL_CONN_EOF
The connection indicated an EOF.
Definition: ssl.h:111
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:651
int nb_zero
Definition: ssl.h:698
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:568
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
DHM context structure.
Definition: dhm.h:143
void * p_psk
Definition: ssl.h:662
#define SSL_BUFFER_LEN
Definition: ssl.h:272
int cipher_write_tag(cipher_context_t *ctx, unsigned char *tag, size_t tag_len)
Write tag for AEAD ciphers.
#define SSL_IS_CLIENT
Definition: ssl.h:204
unsigned char mac_dec[48]
Definition: ssl.h:499
size_t ticket_len
Definition: ssl.h:463
#define SSL_HASH_SHA1
Definition: ssl.h:282
Cipher information.
Definition: cipher.h:216
ssl_session * session_negotiate
Definition: ssl.h:671
const cipher_info_t * cipher_info_from_type(const cipher_type_t cipher_type)
Returns the cipher information structure associated with the given cipher type.
ssl_session * session
Definition: ssl.h:670
void ssl_legacy_renegotiation(ssl_context *ssl, int allow_legacy)
Prevent or allow legacy renegotiation.
int ssl_parse_certificate(ssl_context *ssl)
void ssl_set_dbg(ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg)
Set the debug callback.
#define POLARSSL_ERR_SSL_INVALID_RECORD
An invalid SSL record was received.
Definition: ssl.h:110
#define BADCERT_SKIP_VERIFY
Certificate verification was skipped.
Definition: x509.h:83
uint32_t state[5]
Definition: sha1.h:61
ssl_key_cert * key_cert
Definition: ssl.h:724
ssl_key_cert * sni_key_cert
Definition: ssl.h:546
int ssl_set_session_tickets(ssl_context *ssl, int use_tickets)
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS...
unsigned char iv_enc[16]
Definition: ssl.h:493
size_t out_msglen
Definition: ssl.h:710
void ssl_set_verify(ssl_context *ssl, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Set the verification callback (Optional).
#define SSL_SIG_RSA
Definition: ssl.h:289
int ticket_lifetime
Definition: ssl.h:756
ssl_transform * transform_in
Definition: ssl.h:679
cipher_context_t cipher_ctx_enc
Definition: ssl.h:505
const int * ciphersuite_list[4]
Definition: ssl.h:747
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:642
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
mpi dhm_P
Definition: ssl.h:760
#define polarssl_free
Definition: platform.h:91
#define SSL_RENEGOTIATION
Definition: ssl.h:214
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:577
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
void sha1_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[20])
Output = HMAC-SHA-1( hmac key, input buffer )
int md_process(md_context_t *ctx, const unsigned char *data)
int x509_crt_parse(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
ssl_transform * transform
Definition: ssl.h:681
x509_crt * cert
Definition: ssl.h:609
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:60
size_t psk_identity_len
Definition: ssl.h:771
unsigned char * out_ctr
Definition: ssl.h:704
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
The peer notified us that the connection is going to be closed.
Definition: ssl.h:123
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:229
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:796
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:208
int x509_crt_parse_der(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
#define SSL_SIG_ECDSA
Definition: ssl.h:290
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:638
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:177
#define SSL_MIN_MINOR_VERSION
Definition: ssl.h:161
#define SSL_VERIFY_OPTIONAL
Definition: ssl.h:210
size_t in_msglen
Definition: ssl.h:694
int ssl_set_dh_param_ctx(ssl_context *ssl, dhm_context *dhm_ctx)
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) ...
unsigned char * in_hdr
Definition: ssl.h:688
int secure_renegotiation
Definition: ssl.h:793
PolarSSL Platform abstraction layer.
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:84
#define SSL_SIG_ANON
Definition: ssl.h:288
sha512_context fin_sha512
Definition: ssl.h:563
#define SSL_VERIFY_REQUIRED
Definition: ssl.h:211
#define SSL_HASH_MD5
Definition: ssl.h:281
#define SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:333
void md5_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[16])
Output = HMAC-MD5( hmac key, input buffer )
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:224
static md_type_t md_get_type(const md_info_t *md_info)
Returns the type of the message digest output.
Definition: md.h:223
int(* tls_prf)(const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl.h:570
unsigned char mac_key[16]
Definition: ssl.h:599
void * p_vrfy
Definition: ssl.h:657
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:151
size_t psk_len
Definition: ssl.h:769
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED
Hardware acceleration function returned with error.
Definition: ssl.h:137
void ssl_set_max_version(ssl_context *ssl, int major, int minor)
Set the maximum supported version sent from the client side and/or accepted at the server side (Defau...
#define SSL_RENEGOTIATION_DONE
Definition: ssl.h:215
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:109
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
No client certification received from the client, but required by the authentication mode...
Definition: ssl.h:115
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:485
void * p_recv
Definition: ssl.h:644
Object Identifier (OID) database.
unsigned char * psk
Definition: ssl.h:768
int pk_init_ctx_rsa_alt(pk_context *ctx, void *key, pk_rsa_alt_decrypt_func decrypt_func, pk_rsa_alt_sign_func sign_func, pk_rsa_alt_key_len_func key_len_func)
Initialize an RSA-alt context.
size_t len
Definition: dhm.h:145
void ssl_set_ciphersuites_for_version(ssl_context *ssl, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites and the preference order for a specific version of the protocol...
int ssl_init(ssl_context *ssl)
Initialize an SSL context (An individual SSL context is not thread-safe)
#define OID_SIZE(x)
Returns the size of the binary string, without the trailing \0.
Definition: asn1.h:98
int max_major_ver
Definition: ssl.h:627
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:134
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:97
#define SSL_MINOR_VERSION_1
Definition: ssl.h:153
int ssl_set_psk(ssl_context *ssl, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len)
Set the Pre Shared Key (PSK) and the identity name connected to it.
int x509_crt_check_key_usage(const x509_crt *crt, int usage)
Check usage of certificate against keyUsage extension.
void ssl_set_psk_cb(ssl_context *ssl, int(*f_psk)(void *, ssl_context *, const unsigned char *, size_t), void *p_psk)
Set the PSK callback (server-side only) (Optional).
unsigned int keylen
Definition: ssl.h:487
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
Hardware acceleration function skipped / left alone data.
Definition: ssl.h:138
#define OID_SERVER_AUTH
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
Definition: oid.h:176
int ssl_get_session(const ssl_context *ssl, ssl_session *session)
Save session in order to resume it later (client-side only) Session data is copied to presented sessi...
md_type_t
Definition: md.h:51
int verify_result
Definition: ssl.h:459
const char * ssl_get_alpn_protocol(const ssl_context *ssl)
Get the name of the negotiated Application Layer Protocol.
unsigned char iv[POLARSSL_MAX_IV_LENGTH]
Current IV or NONCE_COUNTER for CTR-mode.
Definition: cipher.h:269
const char ** alpn_list
Definition: ssl.h:786
const cipher_info_t * cipher_info
Information about the associated cipher.
Definition: cipher.h:250
int max_minor_ver
Definition: ssl.h:628
const char * alpn_chosen
Definition: ssl.h:787
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
The own certificate is not set, but needed by the server.
Definition: ssl.h:117
#define SSL_RENEGOTIATION_PENDING
Definition: ssl.h:216
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:311
unsigned char * in_ctr
Definition: ssl.h:687
ssl_handshake_params * handshake
Definition: ssl.h:673
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:116
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:304
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:567
size_t fixed_ivlen
Definition: ssl.h:490
#define SSL_MINOR_VERSION_2
Definition: ssl.h:154
int ssl_write_certificate(ssl_context *ssl)
size_t(* rsa_key_len_func)(void *ctx)
Definition: ssl.h:403
#define POLARSSL_DHM_RFC5114_MODP_1024_G
Definition: dhm.h:102
RSA context structure.
Definition: rsa.h:81
cipher_context_t cipher_ctx_dec
Definition: ssl.h:506
int in_msgtype
Definition: ssl.h:693
Container for an X.509 certificate.
Definition: x509_crt.h:57
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
A fatal alert message was received from our peer.
Definition: ssl.h:121
#define SSL_MIN_MAJOR_VERSION
Definition: ssl.h:158
#define SSL_DEFAULT_TICKET_LIFETIME
Lifetime of session tickets (if enabled)
Definition: ssl.h:244
size_t verify_data_len
Definition: ssl.h:795
const char * ssl_get_ciphersuite(const ssl_context *ssl)
Return the name of the current ciphersuite.
mpi dhm_G
Definition: ssl.h:761
mpi G
Definition: dhm.h:147
int cipher_free_ctx(cipher_context_t *ctx)
Free the cipher-specific context of ctx.
int cipher_update_ad(cipher_context_t *ctx, const unsigned char *ad, size_t ad_len)
Add additional data (for AEAD ciphers).
#define SSL_IS_SERVER
Definition: ssl.h:205
const char * ssl_get_version(const ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
void ssl_set_renegotiation(ssl_context *ssl, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIAT...
int min_minor_ver
Definition: ssl.h:630
unsigned char * out_msg
Definition: ssl.h:707
unsigned int key_length
Cipher key length, in bits (default length for variable sized ciphers) (Includes parity bits for ciph...
Definition: cipher.h:225
int cipher_set_iv(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len)
Set the initialization vector (IV) or nonce.
#define SSL_MINOR_VERSION_0
Definition: ssl.h:152
int client_auth
Definition: ssl.h:743
#define SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:302
void * p_dbg
Definition: ssl.h:643
void sha256_starts(sha256_context *ctx, int is224)
SHA-256 context setup.
int cipher_update(cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
Generic cipher update function.
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:544
void * p_send
Definition: ssl.h:645
ecdh_context ecdh_ctx
Definition: ssl.h:532
x509_crl * ca_crl
Definition: ssl.h:727
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1670
int ssl_set_max_frag_len(ssl_context *ssl, unsigned char mfl_code)
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes) (Server: set maximum fragment length to emit, usually negotiated by the client during handshake (Client: set maximum fragment length to emit and negotiate with the server during handshake)
SHA-512 context structure.
Definition: sha512.h:59
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:120
unsigned char * ticket
Definition: ssl.h:462
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:124
key_exchange_type_t key_exchange
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED
Processing of the compression / decompression failed.
Definition: ssl.h:139
size_t maclen
Definition: ssl.h:491
unsigned char * out_hdr
Definition: ssl.h:705
int ssl_set_own_cert(ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key)
Set own certificate chain and private key.
int trunc_hmac
Definition: ssl.h:472
void ssl_set_endpoint(ssl_context *ssl, int endpoint)
Set the current endpoint type.
void mpi_free(mpi *X)
Unallocate one MPI.
void ssl_set_ciphersuites(ssl_context *ssl, const int *ciphersuites)
Set the list of allowed ciphersuites and the preference order.
void sha512_starts(sha512_context *ctx, int is384)
SHA-512 context setup.
int x509_crt_verify(x509_crt *crt, x509_crt *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Verify the certificate signature.
#define SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:307
void ssl_set_rng(ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:646
void ssl_set_bio(ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send)
Set the underlying BIO read and write callbacks.
void ssl_free(ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
void sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
void md5_starts(md5_context *ctx)
MD5 context setup.
#define SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:221
unsigned char ssl_sig_from_pk(pk_context *pk)
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
No CA Chain is set, but required to operate.
Definition: ssl.h:119
void ssl_handshake_free(ssl_handshake_params *handshake)
Free referenced items in an SSL handshake context and clear memory.
int authmode
Definition: ssl.h:742
int ssl_flush_output(ssl_context *ssl)
int ssl_handshake(ssl_context *ssl)
Perform the SSL handshake.
unsigned char * in_offt
Definition: ssl.h:691
void ssl_set_min_version(ssl_context *ssl, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:207
int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Definition: ssl.h:399
unsigned char * in_msg
Definition: ssl.h:690
int ssl_set_hostname(ssl_context *ssl, const char *hostname)
Set hostname for ServerName TLS extension (client-side only)
aes_context dec
Definition: ssl.h:598
mpi z
Definition: ecdh.h:54
int ssl_handshake_step(ssl_context *ssl)
Perform a single step of the SSL handshake.
#define SSL_MINOR_VERSION_3
Definition: ssl.h:155
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:58
int ssl_check_cert_usage(const x509_crt *cert, const ssl_ciphersuite_t *ciphersuite, int cert_endpoint)
pk_type_t
Public key types.
Definition: pk.h:95
aes_context enc
Definition: ssl.h:597
#define KU_KEY_AGREEMENT
Definition: x509.h:97
unsigned char iv_dec[16]
Definition: ssl.h:494
#define POLARSSL_ERR_NET_WANT_READ
Connection requires a read call.
Definition: net.h:41
#define SSL_HS_CERTIFICATE
Definition: ssl.h:343
int ssl_parse_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:80
size_t hostname_len
Definition: ssl.h:779
int cipher_reset(cipher_context_t *ctx)
Finish preparation of the given context.
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:625
int pk_init_ctx(pk_context *ctx, const pk_info_t *info)
Initialize a PK context with the information given and allocates the type-specific PK subcontext...
void sha512_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:316
This structure is used for storing ciphersuite information.
int ssl_close_notify(ssl_context *ssl)
Notify the peer that the connection is being closed.
const x509_crt * ssl_get_peer_cert(const ssl_context *ssl)
Return the peer certificate from the current connection.
void ssl_set_session_cache(ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache)
Set the session cache callbacks (server-side only) If not set, no session resuming is done...
#define SSL_HASH_SHA256
Definition: ssl.h:284
size_t ssl_get_bytes_avail(const ssl_context *ssl)
Return the number of data bytes available to read.
int md_hmac_starts(md_context_t *ctx, const unsigned char *key, size_t keylen)
Generic HMAC context setup.
int ssl_set_session(ssl_context *ssl, const ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
int cipher_set_padding_mode(cipher_context_t *ctx, cipher_padding_t mode)
Set padding mode, for cipher modes that use padding.
#define SSL_VERIFY_NONE
Definition: ssl.h:209
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:66
cipher_mode_t mode
Cipher mode (e.g.
Definition: cipher.h:221
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:213
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:180
size_t in_left
Definition: ssl.h:695
void sha512_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 final digest.
pk_context * key
Definition: ssl.h:610
int session_tickets
Definition: ssl.h:755
int cipher_init_ctx(cipher_context_t *ctx, const cipher_info_t *cipher_info)
Initialises and fills the cipher context structure with the appropriate values.
int allow_legacy_renegotiation
Definition: ssl.h:746
int cipher_setkey(cipher_context_t *ctx, const unsigned char *key, int key_length, const operation_t operation)
Set the key to use with the given context.
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition: ssl.h:145
ssl_session * session_out
Definition: ssl.h:669
#define SSL_TRUNCATED_HMAC_LEN
Definition: ssl.h:230
uint32_t state[4]
Definition: md5.h:61
void(* calc_finished)(ssl_context *, unsigned char *, int)
Definition: ssl.h:569
int ssl_read_record(ssl_context *ssl)
int ssl_set_own_cert_rsa(ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key)
Set own certificate chain and private RSA key.
size_t len
ASN1 length, e.g.
Definition: asn1.h:123
int md_hmac_reset(md_context_t *ctx)
Generic HMAC context reset.
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:57
#define pk_rsa(pk)
Quick access to an RSA context inside a PK context.
Definition: pk.h:74
int ssl_set_dh_param(ssl_context *ssl, const char *dhm_P, const char *dhm_G)
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default...
int(* f_vrfy)(void *, x509_crt *, int, int *)
Definition: ssl.h:656
int out_msgtype
Definition: ssl.h:709
void ssl_set_session_ticket_lifetime(ssl_context *ssl, int lifetime)
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))...
size_t out_left
Definition: ssl.h:711
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:202
int md_hmac_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic HMAC process buffer.
#define BADCERT_MISSING
Certificate was missing.
Definition: x509.h:82
void pk_free(pk_context *ctx)
Free a pk_context.
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED
Processing of the Finished handshake message failed.
Definition: ssl.h:135
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:70
md_context_t md_ctx_enc
Definition: ssl.h:502
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
int ssl_get_verify_result(const ssl_context *ssl)
Return the result of the certificate verification.
#define SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:317
never pad (full blocks only)
Definition: cipher.h:141
int ssl_session_reset(ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables...
void pk_init(pk_context *ctx)
Initialize a pk_context (as NONE)
#define KU_DIGITAL_SIGNATURE
Definition: x509.h:93
int min_major_ver
Definition: ssl.h:629
Certificate revocation list structure.
Definition: x509_crl.h:73
const int * ssl_list_ciphersuites(void)
Returns the list of ciphersuites supported by the SSL/TLS module.
pk_context pk
Container for the public key context.
Definition: x509_crt.h:75
ssl_transform * transform_negotiate
Definition: ssl.h:682
int ssl_set_alpn_protocols(ssl_context *ssl, const char **protos)
Set the supported Application Layer Protocols.
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:218
#define SSL_HASH_SHA224
Definition: ssl.h:283
SSL/TLS functions.
unsigned char * in_iv
Definition: ssl.h:689
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:136
int disable_renegotiation
Definition: ssl.h:745
#define SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:310
void sha256_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 final digest.
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
void dhm_free(dhm_context *ctx)
Free the components of a DHM key.
void ecdh_init(ecdh_context *ctx)
Initialize context.
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
#define OID_CLIENT_AUTH
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
Definition: oid.h:177
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:639
int ssl_derive_keys(ssl_context *ssl)
void ssl_set_authmode(ssl_context *ssl, int authmode)
Set the certificate verification mode.
md_type_t type
Digest identifier.
Definition: md.h:76
int(* f_set_cache)(void *, const ssl_session *)
Definition: ssl.h:640
SHA-256 context structure.
Definition: sha256.h:58
unsigned char mfl_code
Definition: ssl.h:468
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
key_exchange_type_t
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:622
cipher_type_t cipher
dhm_context dhm_ctx
Definition: ssl.h:529
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1691
#define polarssl_malloc
Definition: platform.h:90
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:735
size_t minlen
Definition: ssl.h:488
int ssl_read(ssl_context *ssl, unsigned char *buf, size_t len)
Read at most &#39;len&#39; application data bytes.
void ssl_transform_free(ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:255
unsigned char * psk_identity
Definition: ssl.h:770
#define SSL_SESSION_TICKETS_ENABLED
Definition: ssl.h:233
unsigned char mac_enc[48]
Definition: ssl.h:498
#define SSL_MSG_APPLICATION_DATA
Definition: ssl.h:305
uint64_t state[8]
Definition: sha512.h:62
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
#define SSL_MSG_ALERT
Definition: ssl.h:303
int ssl_renegotiate(ssl_context *ssl)
Initiate an SSL renegotiation on the running connection.
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:637
unsigned char key_name[16]
Definition: ssl.h:596
int key_own_alloc
Definition: ssl.h:611
int ssl_write(ssl_context *ssl, const unsigned char *buf, size_t len)
Write exactly &#39;len&#39; application data bytes.
ssl_key_cert * next
Definition: ssl.h:612
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
void sha512_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:107
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:126
int x509_crt_check_extended_key_usage(const x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extentedJeyUsage.
void ssl_set_ca_chain(ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn)
Set the data required to verify peer certificate.
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
Message digest information.
Definition: md.h:74
x509_crt * ca_chain
Definition: ssl.h:726
md5_context fin_md5
Definition: ssl.h:555
int cipher_check_tag(cipher_context_t *ctx, const unsigned char *tag, size_t tag_len)
Check tag for AEAD ciphers.
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int endpoint
Definition: ssl.h:741
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:108
int ssl_set_own_cert_alt(ssl_context *ssl, x509_crt *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len)
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
void ssl_set_sni(ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
#define SSL_HASH_SHA512
Definition: ssl.h:286
unsigned int iv_size
IV/NONCE size, in bytes.
Definition: cipher.h:232
#define KU_KEY_ENCIPHERMENT
Definition: x509.h:95
#define SSL_HASH_SHA384
Definition: ssl.h:285
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:661
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:182
void ecdh_free(ecdh_context *ctx)
Free context.
unsigned char * out_iv
Definition: ssl.h:706
unsigned char randbytes[64]
Definition: ssl.h:576
const ecp_group_id * ecp_grp_id_list(void)
Get the list of supported curves in order of preferrence (grp_id only)
int md_hmac_finish(md_context_t *ctx, unsigned char *output)
Generic HMAC final digest.
#define POLARSSL_ERR_SSL_COUNTER_WRAPPING
A counter would wrap (eg, too many messages exchanged).
Definition: ssl.h:146
int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Definition: ssl.h:396
Generic message digest context.
Definition: md.h:132
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
x509_crt * peer_cert
Definition: ssl.h:457
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:652
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.
#define SSL_HS_HELLO_REQUEST
Definition: ssl.h:339