PolarSSL v1.3.2
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #include "polarssl/config.h"
35 
36 #if defined(POLARSSL_SSL_TLS_C)
37 
38 #include "polarssl/debug.h"
39 #include "polarssl/ssl.h"
40 
41 #if defined(POLARSSL_MEMORY_C)
42 #include "polarssl/memory.h"
43 #else
44 #define polarssl_malloc malloc
45 #define polarssl_free free
46 #endif
47 
48 #include <stdlib.h>
49 
50 #if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
51  !defined(EFI32)
52 #define strcasecmp _stricmp
53 #endif
54 
55 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
56 /*
57  * Convert max_fragment_length codes to length.
58  * RFC 6066 says:
59  * enum{
60  * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
61  * } MaxFragmentLength;
62  * and we add 0 -> extension unused
63  */
64 static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
65 {
66  SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
67  512, /* SSL_MAX_FRAG_LEN_512 */
68  1024, /* SSL_MAX_FRAG_LEN_1024 */
69  2048, /* SSL_MAX_FRAG_LEN_2048 */
70  4096, /* SSL_MAX_FRAG_LEN_4096 */
71 };
72 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
73 
74 static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
75 {
76  ssl_session_free( dst );
77  memcpy( dst, src, sizeof( ssl_session ) );
78 
79 #if defined(POLARSSL_X509_CRT_PARSE_C)
80  if( src->peer_cert != NULL )
81  {
82  int ret;
83 
84  dst->peer_cert = (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
85  if( dst->peer_cert == NULL )
87 
88  x509_crt_init( dst->peer_cert );
89 
90  if( ( ret = x509_crt_parse( dst->peer_cert, src->peer_cert->raw.p,
91  src->peer_cert->raw.len ) != 0 ) )
92  {
93  polarssl_free( dst->peer_cert );
94  dst->peer_cert = NULL;
95  return( ret );
96  }
97  }
98 #endif /* POLARSSL_X509_CRT_PARSE_C */
99 
100 #if defined(POLARSSL_SSL_SESSION_TICKETS)
101  if( src->ticket != NULL )
102  {
103  dst->ticket = (unsigned char *) polarssl_malloc( src->ticket_len );
104  if( dst->ticket == NULL )
106 
107  memcpy( dst->ticket, src->ticket, src->ticket_len );
108  }
109 #endif /* POLARSSL_SSL_SESSION_TICKETS */
110 
111  return( 0 );
112 }
113 
114 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
115 int (*ssl_hw_record_init)(ssl_context *ssl,
116  const unsigned char *key_enc, const unsigned char *key_dec,
117  size_t keylen,
118  const unsigned char *iv_enc, const unsigned char *iv_dec,
119  size_t ivlen,
120  const unsigned char *mac_enc, const unsigned char *mac_dec,
121  size_t maclen) = NULL;
122 int (*ssl_hw_record_activate)(ssl_context *ssl, int direction) = NULL;
123 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
124 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
125 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
126 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
127 #endif
128 
129 /*
130  * Key material generation
131  */
132 #if defined(POLARSSL_SSL_PROTO_SSL3)
133 static int ssl3_prf( const unsigned char *secret, size_t slen,
134  const char *label,
135  const unsigned char *random, size_t rlen,
136  unsigned char *dstbuf, size_t dlen )
137 {
138  size_t i;
141  unsigned char padding[16];
142  unsigned char sha1sum[20];
143  ((void)label);
144 
145  /*
146  * SSLv3:
147  * block =
148  * MD5( secret + SHA1( 'A' + secret + random ) ) +
149  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
150  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
151  * ...
152  */
153  for( i = 0; i < dlen / 16; i++ )
154  {
155  memset( padding, (unsigned char) ('A' + i), 1 + i );
156 
157  sha1_starts( &sha1 );
158  sha1_update( &sha1, padding, 1 + i );
159  sha1_update( &sha1, secret, slen );
160  sha1_update( &sha1, random, rlen );
161  sha1_finish( &sha1, sha1sum );
162 
163  md5_starts( &md5 );
164  md5_update( &md5, secret, slen );
165  md5_update( &md5, sha1sum, 20 );
166  md5_finish( &md5, dstbuf + i * 16 );
167  }
168 
169  memset( &md5, 0, sizeof( md5 ) );
170  memset( &sha1, 0, sizeof( sha1 ) );
171 
172  memset( padding, 0, sizeof( padding ) );
173  memset( sha1sum, 0, sizeof( sha1sum ) );
174 
175  return( 0 );
176 }
177 #endif /* POLARSSL_SSL_PROTO_SSL3 */
178 
179 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
180 static int tls1_prf( const unsigned char *secret, size_t slen,
181  const char *label,
182  const unsigned char *random, size_t rlen,
183  unsigned char *dstbuf, size_t dlen )
184 {
185  size_t nb, hs;
186  size_t i, j, k;
187  const unsigned char *S1, *S2;
188  unsigned char tmp[128];
189  unsigned char h_i[20];
190 
191  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
193 
194  hs = ( slen + 1 ) / 2;
195  S1 = secret;
196  S2 = secret + slen - hs;
197 
198  nb = strlen( label );
199  memcpy( tmp + 20, label, nb );
200  memcpy( tmp + 20 + nb, random, rlen );
201  nb += rlen;
202 
203  /*
204  * First compute P_md5(secret,label+random)[0..dlen]
205  */
206  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
207 
208  for( i = 0; i < dlen; i += 16 )
209  {
210  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
211  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
212 
213  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
214 
215  for( j = 0; j < k; j++ )
216  dstbuf[i + j] = h_i[j];
217  }
218 
219  /*
220  * XOR out with P_sha1(secret,label+random)[0..dlen]
221  */
222  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
223 
224  for( i = 0; i < dlen; i += 20 )
225  {
226  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
227  sha1_hmac( S2, hs, tmp, 20, tmp );
228 
229  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
230 
231  for( j = 0; j < k; j++ )
232  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
233  }
234 
235  memset( tmp, 0, sizeof( tmp ) );
236  memset( h_i, 0, sizeof( h_i ) );
237 
238  return( 0 );
239 }
240 #endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
241 
242 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
243 #if defined(POLARSSL_SHA256_C)
244 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
245  const char *label,
246  const unsigned char *random, size_t rlen,
247  unsigned char *dstbuf, size_t dlen )
248 {
249  size_t nb;
250  size_t i, j, k;
251  unsigned char tmp[128];
252  unsigned char h_i[32];
253 
254  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
256 
257  nb = strlen( label );
258  memcpy( tmp + 32, label, nb );
259  memcpy( tmp + 32 + nb, random, rlen );
260  nb += rlen;
261 
262  /*
263  * Compute P_<hash>(secret, label + random)[0..dlen]
264  */
265  sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
266 
267  for( i = 0; i < dlen; i += 32 )
268  {
269  sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
270  sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
271 
272  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
273 
274  for( j = 0; j < k; j++ )
275  dstbuf[i + j] = h_i[j];
276  }
277 
278  memset( tmp, 0, sizeof( tmp ) );
279  memset( h_i, 0, sizeof( h_i ) );
280 
281  return( 0 );
282 }
283 #endif /* POLARSSL_SHA256_C */
284 
285 #if defined(POLARSSL_SHA512_C)
286 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
287  const char *label,
288  const unsigned char *random, size_t rlen,
289  unsigned char *dstbuf, size_t dlen )
290 {
291  size_t nb;
292  size_t i, j, k;
293  unsigned char tmp[128];
294  unsigned char h_i[48];
295 
296  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
298 
299  nb = strlen( label );
300  memcpy( tmp + 48, label, nb );
301  memcpy( tmp + 48 + nb, random, rlen );
302  nb += rlen;
303 
304  /*
305  * Compute P_<hash>(secret, label + random)[0..dlen]
306  */
307  sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
308 
309  for( i = 0; i < dlen; i += 48 )
310  {
311  sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
312  sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
313 
314  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
315 
316  for( j = 0; j < k; j++ )
317  dstbuf[i + j] = h_i[j];
318  }
319 
320  memset( tmp, 0, sizeof( tmp ) );
321  memset( h_i, 0, sizeof( h_i ) );
322 
323  return( 0 );
324 }
325 #endif /* POLARSSL_SHA512_C */
326 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
327 
328 static void ssl_update_checksum_start(ssl_context *, const unsigned char *, size_t);
329 
330 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
331  defined(POLARSSL_SSL_PROTO_TLS1_1)
332 static void ssl_update_checksum_md5sha1(ssl_context *, const unsigned char *, size_t);
333 #endif
334 
335 #if defined(POLARSSL_SSL_PROTO_SSL3)
336 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
337 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
338 #endif
339 
340 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
341 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
342 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
343 #endif
344 
345 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
346 #if defined(POLARSSL_SHA256_C)
347 static void ssl_update_checksum_sha256(ssl_context *, const unsigned char *, size_t);
348 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
349 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
350 #endif
351 
352 #if defined(POLARSSL_SHA512_C)
353 static void ssl_update_checksum_sha384(ssl_context *, const unsigned char *, size_t);
354 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
355 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
356 #endif
357 #endif
358 
359 int ssl_derive_keys( ssl_context *ssl )
360 {
361  int ret = 0;
362  unsigned char tmp[64];
363  unsigned char keyblk[256];
364  unsigned char *key1;
365  unsigned char *key2;
366  unsigned char *mac_enc;
367  unsigned char *mac_dec;
368  size_t iv_copy_len;
369  const cipher_info_t *cipher_info;
370  const md_info_t *md_info;
371 
372  ssl_session *session = ssl->session_negotiate;
373  ssl_transform *transform = ssl->transform_negotiate;
374  ssl_handshake_params *handshake = ssl->handshake;
375 
376  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
377 
378  cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
379  if( cipher_info == NULL )
380  {
381  SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
382  transform->ciphersuite_info->cipher ) );
384  }
385 
386  md_info = md_info_from_type( transform->ciphersuite_info->mac );
387  if( md_info == NULL )
388  {
389  SSL_DEBUG_MSG( 1, ( "md info for %d not found",
390  transform->ciphersuite_info->mac ) );
392  }
393 
394  /*
395  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
396  */
397 #if defined(POLARSSL_SSL_PROTO_SSL3)
398  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
399  {
400  handshake->tls_prf = ssl3_prf;
401  handshake->calc_verify = ssl_calc_verify_ssl;
402  handshake->calc_finished = ssl_calc_finished_ssl;
403  }
404  else
405 #endif
406 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
407  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
408  {
409  handshake->tls_prf = tls1_prf;
410  handshake->calc_verify = ssl_calc_verify_tls;
411  handshake->calc_finished = ssl_calc_finished_tls;
412  }
413  else
414 #endif
415 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
416 #if defined(POLARSSL_SHA512_C)
417  if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
418  transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
419  {
420  handshake->tls_prf = tls_prf_sha384;
421  handshake->calc_verify = ssl_calc_verify_tls_sha384;
422  handshake->calc_finished = ssl_calc_finished_tls_sha384;
423  }
424  else
425 #endif
426 #if defined(POLARSSL_SHA256_C)
427  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
428  {
429  handshake->tls_prf = tls_prf_sha256;
430  handshake->calc_verify = ssl_calc_verify_tls_sha256;
431  handshake->calc_finished = ssl_calc_finished_tls_sha256;
432  }
433  else
434 #endif
435 #endif
436  {
437  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
439  }
440 
441  /*
442  * SSLv3:
443  * master =
444  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
445  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
446  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
447  *
448  * TLSv1+:
449  * master = PRF( premaster, "master secret", randbytes )[0..47]
450  */
451  if( handshake->resume == 0 )
452  {
453  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
454  handshake->pmslen );
455 
456  handshake->tls_prf( handshake->premaster, handshake->pmslen,
457  "master secret",
458  handshake->randbytes, 64, session->master, 48 );
459 
460  memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
461  }
462  else
463  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
464 
465  /*
466  * Swap the client and server random values.
467  */
468  memcpy( tmp, handshake->randbytes, 64 );
469  memcpy( handshake->randbytes, tmp + 32, 32 );
470  memcpy( handshake->randbytes + 32, tmp, 32 );
471  memset( tmp, 0, sizeof( tmp ) );
472 
473  /*
474  * SSLv3:
475  * key block =
476  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
477  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
478  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
479  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
480  * ...
481  *
482  * TLSv1:
483  * key block = PRF( master, "key expansion", randbytes )
484  */
485  handshake->tls_prf( session->master, 48, "key expansion",
486  handshake->randbytes, 64, keyblk, 256 );
487 
488  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
489  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
490  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
491  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
492  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
493 
494  memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
495 
496  /*
497  * Determine the appropriate key, IV and MAC length.
498  */
499 
500  if( cipher_info->mode == POLARSSL_MODE_GCM )
501  {
502  transform->keylen = cipher_info->key_length;
503  transform->keylen /= 8;
504  transform->minlen = 1;
505  transform->ivlen = 12;
506  transform->fixed_ivlen = 4;
507  transform->maclen = 0;
508  }
509  else
510  {
511  if( md_info->type != POLARSSL_MD_NONE )
512  {
513  int ret;
514 
515  if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 )
516  {
517  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
518  return( ret );
519  }
520 
521  if( ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
522  {
523  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
524  return( ret );
525  }
526 
527  transform->maclen = md_get_size( md_info );
528 
529 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
530  /*
531  * If HMAC is to be truncated, we shall keep the leftmost bytes,
532  * (rfc 6066 page 13 or rfc 2104 section 4),
533  * so we only need to adjust the length here.
534  */
535  if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
536  transform->maclen = SSL_TRUNCATED_HMAC_LEN;
537 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
538  }
539 
540  transform->keylen = cipher_info->key_length;
541  transform->keylen /= 8;
542  transform->ivlen = cipher_info->iv_size;
543 
544  transform->minlen = transform->keylen;
545  if( transform->minlen < transform->maclen )
546  {
547  if( cipher_info->mode == POLARSSL_MODE_STREAM )
548  transform->minlen = transform->maclen;
549  else
550  transform->minlen += transform->keylen;
551  }
552  }
553 
554  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
555  transform->keylen, transform->minlen, transform->ivlen,
556  transform->maclen ) );
557 
558  /*
559  * Finally setup the cipher contexts, IVs and MAC secrets.
560  */
561  if( ssl->endpoint == SSL_IS_CLIENT )
562  {
563  key1 = keyblk + transform->maclen * 2;
564  key2 = keyblk + transform->maclen * 2 + transform->keylen;
565 
566  mac_enc = keyblk;
567  mac_dec = keyblk + transform->maclen;
568 
569  /*
570  * This is not used in TLS v1.1.
571  */
572  iv_copy_len = ( transform->fixed_ivlen ) ?
573  transform->fixed_ivlen : transform->ivlen;
574  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
575  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
576  iv_copy_len );
577  }
578  else
579  {
580  key1 = keyblk + transform->maclen * 2 + transform->keylen;
581  key2 = keyblk + transform->maclen * 2;
582 
583  mac_enc = keyblk + transform->maclen;
584  mac_dec = keyblk;
585 
586  /*
587  * This is not used in TLS v1.1.
588  */
589  iv_copy_len = ( transform->fixed_ivlen ) ?
590  transform->fixed_ivlen : transform->ivlen;
591  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
592  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
593  iv_copy_len );
594  }
595 
596 #if defined(POLARSSL_SSL_PROTO_SSL3)
597  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
598  {
599  memcpy( transform->mac_enc, mac_enc, transform->maclen );
600  memcpy( transform->mac_dec, mac_dec, transform->maclen );
601  }
602  else
603 #endif
604 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
605  defined(POLARSSL_SSL_PROTO_TLS1_2)
606  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
607  {
608  md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
609  md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
610  }
611  else
612 #endif
613  {
614  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
616  }
617 
618 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
619  if( ssl_hw_record_init != NULL)
620  {
621  int ret = 0;
622 
623  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
624 
625  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
626  transform->iv_enc, transform->iv_dec,
627  iv_copy_len,
628  mac_enc, mac_dec,
629  transform->maclen ) ) != 0 )
630  {
631  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
633  }
634  }
635 #endif
636 
637  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
638  cipher_info ) ) != 0 )
639  {
640  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
641  return( ret );
642  }
643 
644  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
645  cipher_info ) ) != 0 )
646  {
647  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
648  return( ret );
649  }
650 
651  if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
652  cipher_info->key_length,
653  POLARSSL_ENCRYPT ) ) != 0 )
654  {
655  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
656  return( ret );
657  }
658 
659  if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
660  cipher_info->key_length,
661  POLARSSL_DECRYPT ) ) != 0 )
662  {
663  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
664  return( ret );
665  }
666 
667 #if defined(POLARSSL_CIPHER_MODE_CBC)
668  if( cipher_info->mode == POLARSSL_MODE_CBC )
669  {
670  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
671  POLARSSL_PADDING_NONE ) ) != 0 )
672  {
673  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
674  return( ret );
675  }
676 
677  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
678  POLARSSL_PADDING_NONE ) ) != 0 )
679  {
680  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
681  return( ret );
682  }
683  }
684 #endif /* POLARSSL_CIPHER_MODE_CBC */
685 
686  memset( keyblk, 0, sizeof( keyblk ) );
687 
688 #if defined(POLARSSL_ZLIB_SUPPORT)
689  // Initialize compression
690  //
691  if( session->compression == SSL_COMPRESS_DEFLATE )
692  {
693  if( ssl->compress_buf == NULL )
694  {
695  SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
696  ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
697  if( ssl->compress_buf == NULL )
698  {
699  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
700  SSL_BUFFER_LEN ) );
702  }
703  }
704 
705  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
706 
707  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
708  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
709 
710  if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
711  inflateInit( &transform->ctx_inflate ) != Z_OK )
712  {
713  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
715  }
716  }
717 #endif /* POLARSSL_ZLIB_SUPPORT */
718 
719  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
720 
721  return( 0 );
722 }
723 
724 #if defined(POLARSSL_SSL_PROTO_SSL3)
725 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
726 {
729  unsigned char pad_1[48];
730  unsigned char pad_2[48];
731 
732  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
733 
734  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
735  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
736 
737  memset( pad_1, 0x36, 48 );
738  memset( pad_2, 0x5C, 48 );
739 
740  md5_update( &md5, ssl->session_negotiate->master, 48 );
741  md5_update( &md5, pad_1, 48 );
742  md5_finish( &md5, hash );
743 
744  md5_starts( &md5 );
745  md5_update( &md5, ssl->session_negotiate->master, 48 );
746  md5_update( &md5, pad_2, 48 );
747  md5_update( &md5, hash, 16 );
748  md5_finish( &md5, hash );
749 
750  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
751  sha1_update( &sha1, pad_1, 40 );
752  sha1_finish( &sha1, hash + 16 );
753 
754  sha1_starts( &sha1 );
755  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
756  sha1_update( &sha1, pad_2, 40 );
757  sha1_update( &sha1, hash + 16, 20 );
758  sha1_finish( &sha1, hash + 16 );
759 
760  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
761  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
762 
763  return;
764 }
765 #endif
766 
767 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
768 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
769 {
772 
773  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
774 
775  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
776  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
777 
778  md5_finish( &md5, hash );
779  sha1_finish( &sha1, hash + 16 );
780 
781  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
782  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
783 
784  return;
785 }
786 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
787 
788 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
789 #if defined(POLARSSL_SHA256_C)
790 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
791 {
793 
794  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
795 
796  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
797  sha256_finish( &sha256, hash );
798 
799  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
800  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
801 
802  return;
803 }
804 #endif /* POLARSSL_SHA256_C */
805 
806 #if defined(POLARSSL_SHA512_C)
807 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
808 {
810 
811  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
812 
813  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
814  sha512_finish( &sha512, hash );
815 
816  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
817  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
818 
819  return;
820 }
821 #endif /* POLARSSL_SHA512_C */
822 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
823 
824 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
826 {
827  unsigned char *p = ssl->handshake->premaster;
828  unsigned char *end = p + sizeof( ssl->handshake->premaster );
829 
830  /*
831  * PMS = struct {
832  * opaque other_secret<0..2^16-1>;
833  * opaque psk<0..2^16-1>;
834  * };
835  * with "other_secret" depending on the particular key exchange
836  */
837 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
838  if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
839  {
840  if( end - p < 2 + (int) ssl->psk_len )
842 
843  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
844  *(p++) = (unsigned char)( ssl->psk_len );
845  p += ssl->psk_len;
846  }
847  else
848 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
849 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
850  if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
851  {
852  /*
853  * other_secret already set by the ClientKeyExchange message,
854  * and is 48 bytes long
855  */
856  *p++ = 0;
857  *p++ = 48;
858  p += 48;
859  }
860  else
861 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
862 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
863  if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
864  {
865  int ret;
866  size_t len = ssl->handshake->dhm_ctx.len;
867 
868  if( end - p < 2 + (int) len )
870 
871  *(p++) = (unsigned char)( len >> 8 );
872  *(p++) = (unsigned char)( len );
873  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
874  p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
875  {
876  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
877  return( ret );
878  }
879  p += len;
880 
881  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
882  }
883  else
884 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
885 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
886  if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
887  {
888  int ret;
889  size_t zlen;
890 
891  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
892  p + 2, end - (p + 2),
893  ssl->f_rng, ssl->p_rng ) ) != 0 )
894  {
895  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
896  return( ret );
897  }
898 
899  *(p++) = (unsigned char)( zlen >> 8 );
900  *(p++) = (unsigned char)( zlen );
901  p += zlen;
902 
903  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
904  }
905  else
906 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
907  {
908  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
910  }
911 
912  /* opaque psk<0..2^16-1>; */
913  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
914  *(p++) = (unsigned char)( ssl->psk_len );
915  memcpy( p, ssl->psk, ssl->psk_len );
916  p += ssl->psk_len;
917 
918  ssl->handshake->pmslen = p - ssl->handshake->premaster;
919 
920  return( 0 );
921 }
922 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
923 
924 #if defined(POLARSSL_SSL_PROTO_SSL3)
925 /*
926  * SSLv3.0 MAC functions
927  */
928 static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
929  unsigned char *buf, size_t len,
930  unsigned char *ctr, int type )
931 {
932  unsigned char header[11];
933  unsigned char padding[48];
934  int padlen = 0;
935  int md_size = md_get_size( md_ctx->md_info );
936  int md_type = md_get_type( md_ctx->md_info );
937 
938  if( md_type == POLARSSL_MD_MD5 )
939  padlen = 48;
940  else if( md_type == POLARSSL_MD_SHA1 )
941  padlen = 40;
942  else if( md_type == POLARSSL_MD_SHA256 )
943  padlen = 32;
944 
945  memcpy( header, ctr, 8 );
946  header[ 8] = (unsigned char) type;
947  header[ 9] = (unsigned char)( len >> 8 );
948  header[10] = (unsigned char)( len );
949 
950  memset( padding, 0x36, padlen );
951  md_starts( md_ctx );
952  md_update( md_ctx, secret, md_size );
953  md_update( md_ctx, padding, padlen );
954  md_update( md_ctx, header, 11 );
955  md_update( md_ctx, buf, len );
956  md_finish( md_ctx, buf + len );
957 
958  memset( padding, 0x5C, padlen );
959  md_starts( md_ctx );
960  md_update( md_ctx, secret, md_size );
961  md_update( md_ctx, padding, padlen );
962  md_update( md_ctx, buf + len, md_size );
963  md_finish( md_ctx, buf + len );
964 }
965 #endif /* POLARSSL_SSL_PROTO_SSL3 */
966 
967 /*
968  * Encryption/decryption functions
969  */
970 static int ssl_encrypt_buf( ssl_context *ssl )
971 {
972  size_t i;
973 
974  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
975 
976  /*
977  * Add MAC before encrypt, except for GCM
978  */
979 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
980  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
981  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
984  {
985 #if defined(POLARSSL_SSL_PROTO_SSL3)
986  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
987  {
988  ssl_mac( &ssl->transform_out->md_ctx_enc,
989  ssl->transform_out->mac_enc,
990  ssl->out_msg, ssl->out_msglen,
991  ssl->out_ctr, ssl->out_msgtype );
992  }
993  else
994 #endif
995 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
996  defined(POLARSSL_SSL_PROTO_TLS1_2)
997  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
998  {
999  md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1001  ssl->out_msg, ssl->out_msglen );
1003  ssl->out_msg + ssl->out_msglen );
1005  }
1006  else
1007 #endif
1008  {
1009  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1011  }
1012 
1013  SSL_DEBUG_BUF( 4, "computed mac",
1014  ssl->out_msg + ssl->out_msglen,
1015  ssl->transform_out->maclen );
1016 
1017  ssl->out_msglen += ssl->transform_out->maclen;
1018  }
1019 #endif /* GCM not the only option */
1020 
1021  /*
1022  * Encrypt
1023  */
1024 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1027  {
1028  int ret;
1029  size_t olen = 0;
1030 
1031  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1032  "including %d bytes of padding",
1033  ssl->out_msglen, 0 ) );
1034 
1035  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1036  ssl->out_msg, ssl->out_msglen );
1037 
1038  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1039  {
1040  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1041  return( ret );
1042  }
1043 
1044  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1045  ssl->transform_out->iv_enc,
1046  ssl->transform_out->ivlen ) ) != 0 )
1047  {
1048  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1049  return( ret );
1050  }
1051 
1052  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1053  ssl->out_msg, ssl->out_msglen, ssl->out_msg,
1054  &olen ) ) != 0 )
1055  {
1056  SSL_DEBUG_RET( 1, "cipher_update", ret );
1057  return( ret );
1058  }
1059 
1060  if( ssl->out_msglen != olen )
1061  {
1062  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1063  ssl->out_msglen, olen ) );
1065  }
1066 
1067  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1068  ssl->out_msg + olen, &olen ) ) != 0 )
1069  {
1070  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1071  return( ret );
1072  }
1073 
1074  if( 0 != olen )
1075  {
1076  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1077  0, olen ) );
1079  }
1080  }
1081  else
1082 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1083 #if defined(POLARSSL_GCM_C)
1086  {
1087  size_t enc_msglen, olen, totlen;
1088  unsigned char *enc_msg;
1089  unsigned char add_data[13];
1091 
1092  enc_msglen = ssl->out_msglen;
1093 
1094  memcpy( add_data, ssl->out_ctr, 8 );
1095  add_data[8] = ssl->out_msgtype;
1096  add_data[9] = ssl->major_ver;
1097  add_data[10] = ssl->minor_ver;
1098  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1099  add_data[12] = ssl->out_msglen & 0xFF;
1100 
1101  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1102  add_data, 13 );
1103 
1104  /*
1105  * Generate IV
1106  */
1107  ret = ssl->f_rng( ssl->p_rng,
1109  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1110  if( ret != 0 )
1111  return( ret );
1112 
1113  memcpy( ssl->out_iv,
1115  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1116 
1117  SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1118  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1119 
1120  /*
1121  * Fix pointer positions and message length with added IV
1122  */
1123  enc_msg = ssl->out_msg;
1124  enc_msglen = ssl->out_msglen;
1125  ssl->out_msglen += ssl->transform_out->ivlen -
1126  ssl->transform_out->fixed_ivlen;
1127 
1128  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1129  "including %d bytes of padding",
1130  ssl->out_msglen, 0 ) );
1131 
1132  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1133  ssl->out_msg, ssl->out_msglen );
1134 
1135  /*
1136  * Encrypt
1137  */
1138  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1139  ssl->transform_out->iv_enc,
1140  ssl->transform_out->ivlen ) ) != 0 ||
1141  ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1142  {
1143  return( ret );
1144  }
1145 
1146  if( ( ret = cipher_update_ad( &ssl->transform_out->cipher_ctx_enc,
1147  add_data, 13 ) ) != 0 )
1148  {
1149  return( ret );
1150  }
1151 
1152  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1153  enc_msg, enc_msglen,
1154  enc_msg, &olen ) ) != 0 )
1155  {
1156  return( ret );
1157  }
1158  totlen = olen;
1159 
1160  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1161  enc_msg + olen, &olen ) ) != 0 )
1162  {
1163  return( ret );
1164  }
1165  totlen += olen;
1166 
1167  if( totlen != enc_msglen )
1168  {
1169  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1170  return( -1 );
1171  }
1172 
1173  /*
1174  * Authenticate
1175  */
1176  ssl->out_msglen += 16;
1177 
1178  if( ( ret = cipher_write_tag( &ssl->transform_out->cipher_ctx_enc,
1179  enc_msg + enc_msglen, 16 ) ) != 0 )
1180  {
1181  return( ret );
1182  }
1183 
1184  SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, 16 );
1185  }
1186  else
1187 #endif /* POLARSSL_GCM_C */
1188 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1189  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1192  {
1193  int ret;
1194  unsigned char *enc_msg;
1195  size_t enc_msglen, padlen, olen = 0;
1196 
1197  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1198  ssl->transform_out->ivlen;
1199  if( padlen == ssl->transform_out->ivlen )
1200  padlen = 0;
1201 
1202  for( i = 0; i <= padlen; i++ )
1203  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1204 
1205  ssl->out_msglen += padlen + 1;
1206 
1207  enc_msglen = ssl->out_msglen;
1208  enc_msg = ssl->out_msg;
1209 
1210 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1211  /*
1212  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1213  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1214  */
1215  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1216  {
1217  /*
1218  * Generate IV
1219  */
1220  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1221  ssl->transform_out->ivlen );
1222  if( ret != 0 )
1223  return( ret );
1224 
1225  memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1226  ssl->transform_out->ivlen );
1227 
1228  /*
1229  * Fix pointer positions and message length with added IV
1230  */
1231  enc_msg = ssl->out_msg;
1232  enc_msglen = ssl->out_msglen;
1233  ssl->out_msglen += ssl->transform_out->ivlen;
1234  }
1235 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1236 
1237  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1238  "including %d bytes of IV and %d bytes of padding",
1239  ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
1240 
1241  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1242  ssl->out_iv, ssl->out_msglen );
1243 
1244  if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
1245  {
1246  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1247  return( ret );
1248  }
1249 
1250  if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
1251  ssl->transform_out->iv_enc,
1252  ssl->transform_out->ivlen ) ) != 0 )
1253  {
1254  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1255  return( ret );
1256  }
1257 
1258  if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
1259  enc_msg, enc_msglen, enc_msg,
1260  &olen ) ) != 0 )
1261  {
1262  SSL_DEBUG_RET( 1, "cipher_update", ret );
1263  return( ret );
1264  }
1265 
1266  enc_msglen -= olen;
1267 
1268  if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
1269  enc_msg + olen, &olen ) ) != 0 )
1270  {
1271  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1272  return( ret );
1273  }
1274 
1275  if( enc_msglen != olen )
1276  {
1277  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
1278  enc_msglen, olen ) );
1280  }
1281 
1282 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1283  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1284  {
1285  /*
1286  * Save IV in SSL3 and TLS1
1287  */
1288  memcpy( ssl->transform_out->iv_enc,
1290  ssl->transform_out->ivlen );
1291  }
1292 #endif
1293  }
1294  else
1295 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1296  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1297  {
1298  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1300  }
1301 
1302  for( i = 8; i > 0; i-- )
1303  if( ++ssl->out_ctr[i - 1] != 0 )
1304  break;
1305 
1306  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1307 
1308  return( 0 );
1309 }
1310 
1311 #define POLARSSL_SSL_MAX_MAC_SIZE 48
1312 
1313 static int ssl_decrypt_buf( ssl_context *ssl )
1314 {
1315  size_t i, padlen = 0, correct = 1;
1316  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1317 
1318  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1319 
1320  if( ssl->in_msglen < ssl->transform_in->minlen )
1321  {
1322  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1323  ssl->in_msglen, ssl->transform_in->minlen ) );
1324  return( POLARSSL_ERR_SSL_INVALID_MAC );
1325  }
1326 
1327 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1330  {
1331  int ret;
1332  size_t olen = 0;
1333 
1334  padlen = 0;
1335 
1336  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1337  {
1338  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1339  return( ret );
1340  }
1341 
1342  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1343  ssl->transform_in->iv_dec,
1344  ssl->transform_in->ivlen ) ) != 0 )
1345  {
1346  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1347  return( ret );
1348  }
1349 
1350  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1351  ssl->in_msg, ssl->in_msglen, ssl->in_msg,
1352  &olen ) ) != 0 )
1353  {
1354  SSL_DEBUG_RET( 1, "cipher_update", ret );
1355  return( ret );
1356  }
1357 
1358  if( ssl->in_msglen != olen )
1359  {
1360  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1362  }
1363 
1364  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1365  ssl->in_msg + olen, &olen ) ) != 0 )
1366  {
1367  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1368  return( ret );
1369  }
1370 
1371  if( 0 != olen )
1372  {
1373  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1375  }
1376  }
1377  else
1378 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1379 #if defined(POLARSSL_GCM_C)
1382  {
1383  unsigned char *dec_msg;
1384  unsigned char *dec_msg_result;
1385  size_t dec_msglen, olen, totlen;
1386  unsigned char add_data[13];
1388 
1389  padlen = 0;
1390 
1391  dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1392  ssl->transform_in->fixed_ivlen );
1393  dec_msglen -= 16;
1394  dec_msg = ssl->in_msg;
1395  dec_msg_result = ssl->in_msg;
1396  ssl->in_msglen = dec_msglen;
1397 
1398  memcpy( add_data, ssl->in_ctr, 8 );
1399  add_data[8] = ssl->in_msgtype;
1400  add_data[9] = ssl->major_ver;
1401  add_data[10] = ssl->minor_ver;
1402  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1403  add_data[12] = ssl->in_msglen & 0xFF;
1404 
1405  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1406  add_data, 13 );
1407 
1408  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1409  ssl->in_iv,
1410  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1411 
1412  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1413  ssl->transform_in->ivlen );
1414  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1415 
1416  /*
1417  * Decrypt
1418  */
1419  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1420  ssl->transform_in->iv_dec,
1421  ssl->transform_in->ivlen ) ) != 0 ||
1422  ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1423  {
1424  return( ret );
1425  }
1426 
1427  if( ( ret = cipher_update_ad( &ssl->transform_in->cipher_ctx_dec,
1428  add_data, 13 ) ) != 0 )
1429  {
1430  return( ret );
1431  }
1432 
1433  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1434  dec_msg, dec_msglen,
1435  dec_msg_result, &olen ) ) != 0 )
1436  {
1437  return( ret );
1438  }
1439  totlen = olen;
1440 
1441  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1442  dec_msg_result + olen, &olen ) ) != 0 )
1443  {
1444  return( ret );
1445  }
1446  totlen += olen;
1447 
1448  if( totlen != dec_msglen )
1449  {
1450  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1451  return( -1 );
1452  }
1453 
1454  /*
1455  * Authenticate
1456  */
1457  if( ( ret = cipher_check_tag( &ssl->transform_in->cipher_ctx_dec,
1458  dec_msg + dec_msglen, 16 ) ) != 0 )
1459  {
1460  SSL_DEBUG_RET( 1, "cipher_check_tag", ret );
1461  return( POLARSSL_ERR_SSL_INVALID_MAC );
1462  }
1463 
1464  }
1465  else
1466 #endif /* POLARSSL_GCM_C */
1467 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1468  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1471  {
1472  /*
1473  * Decrypt and check the padding
1474  */
1475  int ret;
1476  unsigned char *dec_msg;
1477  unsigned char *dec_msg_result;
1478  size_t dec_msglen;
1479  size_t minlen = 0;
1480  size_t olen = 0;
1481 
1482  /*
1483  * Check immediate ciphertext sanity
1484  */
1485  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1486  {
1487  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1488  ssl->in_msglen, ssl->transform_in->ivlen ) );
1489  return( POLARSSL_ERR_SSL_INVALID_MAC );
1490  }
1491 
1492 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1493  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1494  minlen += ssl->transform_in->ivlen;
1495 #endif
1496 
1497  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1498  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1499  {
1500  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1501  ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1502  return( POLARSSL_ERR_SSL_INVALID_MAC );
1503  }
1504 
1505  dec_msglen = ssl->in_msglen;
1506  dec_msg = ssl->in_msg;
1507  dec_msg_result = ssl->in_msg;
1508 
1509 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1510  /*
1511  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1512  */
1513  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1514  {
1515  dec_msglen -= ssl->transform_in->ivlen;
1516  ssl->in_msglen -= ssl->transform_in->ivlen;
1517 
1518  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1519  ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1520  }
1521 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1522 
1523  if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
1524  {
1525  SSL_DEBUG_RET( 1, "cipher_reset", ret );
1526  return( ret );
1527  }
1528 
1529  if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
1530  ssl->transform_in->iv_dec,
1531  ssl->transform_in->ivlen ) ) != 0 )
1532  {
1533  SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
1534  return( ret );
1535  }
1536 
1537  if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
1538  dec_msg, dec_msglen, dec_msg_result,
1539  &olen ) ) != 0 )
1540  {
1541  SSL_DEBUG_RET( 1, "cipher_update", ret );
1542  return( ret );
1543  }
1544 
1545  dec_msglen -= olen;
1546  if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
1547  dec_msg_result + olen, &olen ) ) != 0 )
1548  {
1549  SSL_DEBUG_RET( 1, "cipher_finish", ret );
1550  return( ret );
1551  }
1552 
1553  if( dec_msglen != olen )
1554  {
1555  SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
1557  }
1558 
1559 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1560  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1561  {
1562  /*
1563  * Save IV in SSL3 and TLS1
1564  */
1565  memcpy( ssl->transform_in->iv_dec,
1567  ssl->transform_in->ivlen );
1568  }
1569 #endif
1570 
1571  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1572 
1573  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1574  {
1575 #if defined(POLARSSL_SSL_DEBUG_ALL)
1576  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1577  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1578 #endif
1579  padlen = 0;
1580  correct = 0;
1581  }
1582 
1583 #if defined(POLARSSL_SSL_PROTO_SSL3)
1584  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1585  {
1586  if( padlen > ssl->transform_in->ivlen )
1587  {
1588 #if defined(POLARSSL_SSL_DEBUG_ALL)
1589  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1590  "should be no more than %d",
1591  padlen, ssl->transform_in->ivlen ) );
1592 #endif
1593  correct = 0;
1594  }
1595  }
1596  else
1597 #endif
1598 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1599  defined(POLARSSL_SSL_PROTO_TLS1_2)
1600  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1601  {
1602  /*
1603  * TLSv1+: always check the padding up to the first failure
1604  * and fake check up to 256 bytes of padding
1605  */
1606  size_t pad_count = 0, real_count = 1;
1607  size_t padding_idx = ssl->in_msglen - padlen - 1;
1608 
1609  for( i = 1; i <= 256; i++ )
1610  {
1611  real_count &= ( i <= padlen );
1612  pad_count += real_count *
1613  ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1614  }
1615 
1616  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1617 
1618 #if defined(POLARSSL_SSL_DEBUG_ALL)
1619  if( padlen > 0 && correct == 0)
1620  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1621 #endif
1622  padlen &= correct * 0x1FF;
1623  }
1624  else
1625 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1626  POLARSSL_SSL_PROTO_TLS1_2 */
1627  {
1628  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1630  }
1631  }
1632  else
1633 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1634  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1635  {
1636  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1638  }
1639 
1640  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1641  ssl->in_msg, ssl->in_msglen );
1642 
1643  /*
1644  * Always compute the MAC (RFC4346, CBCTIME), except for GCM of course
1645  */
1646 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1647  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1648  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1651  {
1652  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1653 
1654  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1655  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1656 
1657  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1658 
1659 #if defined(POLARSSL_SSL_PROTO_SSL3)
1660  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1661  {
1662  ssl_mac( &ssl->transform_in->md_ctx_dec,
1663  ssl->transform_in->mac_dec,
1664  ssl->in_msg, ssl->in_msglen,
1665  ssl->in_ctr, ssl->in_msgtype );
1666  }
1667  else
1668 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1669 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1670  defined(POLARSSL_SSL_PROTO_TLS1_2)
1671  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1672  {
1673  /*
1674  * Process MAC and always update for padlen afterwards to make
1675  * total time independent of padlen
1676  *
1677  * extra_run compensates MAC check for padlen
1678  *
1679  * Known timing attacks:
1680  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1681  *
1682  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1683  * correctly. (We round down instead of up, so -56 is the correct
1684  * value for our calculations instead of -55)
1685  */
1686  size_t j, extra_run = 0;
1687  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1688  ( 13 + ssl->in_msglen + 8 ) / 64;
1689 
1690  extra_run &= correct * 0xFF;
1691 
1692  md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1694  ssl->in_msglen );
1696  ssl->in_msg + ssl->in_msglen );
1697  for( j = 0; j < extra_run; j++ )
1698  md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1699 
1701  }
1702  else
1703 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1704  POLARSSL_SSL_PROTO_TLS1_2 */
1705  {
1706  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1708  }
1709 
1710  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1711  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1712  ssl->transform_in->maclen );
1713 
1714  if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1715  ssl->transform_in->maclen ) != 0 )
1716  {
1717 #if defined(POLARSSL_SSL_DEBUG_ALL)
1718  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1719 #endif
1720  correct = 0;
1721  }
1722 
1723  /*
1724  * Finally check the correct flag
1725  */
1726  if( correct == 0 )
1727  return( POLARSSL_ERR_SSL_INVALID_MAC );
1728  }
1729 #endif /* GCM not the only option */
1730 
1731  if( ssl->in_msglen == 0 )
1732  {
1733  ssl->nb_zero++;
1734 
1735  /*
1736  * Three or more empty messages may be a DoS attack
1737  * (excessive CPU consumption).
1738  */
1739  if( ssl->nb_zero > 3 )
1740  {
1741  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1742  "messages, possible DoS attack" ) );
1743  return( POLARSSL_ERR_SSL_INVALID_MAC );
1744  }
1745  }
1746  else
1747  ssl->nb_zero = 0;
1748 
1749  for( i = 8; i > 0; i-- )
1750  if( ++ssl->in_ctr[i - 1] != 0 )
1751  break;
1752 
1753  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1754 
1755  return( 0 );
1756 }
1757 
1758 #if defined(POLARSSL_ZLIB_SUPPORT)
1759 /*
1760  * Compression/decompression functions
1761  */
1762 static int ssl_compress_buf( ssl_context *ssl )
1763 {
1764  int ret;
1765  unsigned char *msg_post = ssl->out_msg;
1766  size_t len_pre = ssl->out_msglen;
1767  unsigned char *msg_pre = ssl->compress_buf;
1768 
1769  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1770 
1771  if( len_pre == 0 )
1772  return( 0 );
1773 
1774  memcpy( msg_pre, ssl->out_msg, len_pre );
1775 
1776  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1777  ssl->out_msglen ) );
1778 
1779  SSL_DEBUG_BUF( 4, "before compression: output payload",
1780  ssl->out_msg, ssl->out_msglen );
1781 
1782  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1783  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1784  ssl->transform_out->ctx_deflate.next_out = msg_post;
1785  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1786 
1787  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1788  if( ret != Z_OK )
1789  {
1790  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1792  }
1793 
1794  ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
1795 
1796  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1797  ssl->out_msglen ) );
1798 
1799  SSL_DEBUG_BUF( 4, "after compression: output payload",
1800  ssl->out_msg, ssl->out_msglen );
1801 
1802  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1803 
1804  return( 0 );
1805 }
1806 
1807 static int ssl_decompress_buf( ssl_context *ssl )
1808 {
1809  int ret;
1810  unsigned char *msg_post = ssl->in_msg;
1811  size_t len_pre = ssl->in_msglen;
1812  unsigned char *msg_pre = ssl->compress_buf;
1813 
1814  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1815 
1816  if( len_pre == 0 )
1817  return( 0 );
1818 
1819  memcpy( msg_pre, ssl->in_msg, len_pre );
1820 
1821  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1822  ssl->in_msglen ) );
1823 
1824  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1825  ssl->in_msg, ssl->in_msglen );
1826 
1827  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1828  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1829  ssl->transform_in->ctx_inflate.next_out = msg_post;
1830  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1831 
1832  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1833  if( ret != Z_OK )
1834  {
1835  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1837  }
1838 
1839  ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
1840 
1841  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1842  ssl->in_msglen ) );
1843 
1844  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1845  ssl->in_msg, ssl->in_msglen );
1846 
1847  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1848 
1849  return( 0 );
1850 }
1851 #endif /* POLARSSL_ZLIB_SUPPORT */
1852 
1853 /*
1854  * Fill the input message buffer
1855  */
1856 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1857 {
1858  int ret;
1859  size_t len;
1860 
1861  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1862 
1863  while( ssl->in_left < nb_want )
1864  {
1865  len = nb_want - ssl->in_left;
1866  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1867 
1868  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1869  ssl->in_left, nb_want ) );
1870  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1871 
1872  if( ret == 0 )
1873  return( POLARSSL_ERR_SSL_CONN_EOF );
1874 
1875  if( ret < 0 )
1876  return( ret );
1877 
1878  ssl->in_left += ret;
1879  }
1880 
1881  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1882 
1883  return( 0 );
1884 }
1885 
1886 /*
1887  * Flush any data not yet written
1888  */
1889 int ssl_flush_output( ssl_context *ssl )
1890 {
1891  int ret;
1892  unsigned char *buf;
1893 
1894  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1895 
1896  while( ssl->out_left > 0 )
1897  {
1898  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1899  5 + ssl->out_msglen, ssl->out_left ) );
1900 
1901  buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1902  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1903 
1904  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1905 
1906  if( ret <= 0 )
1907  return( ret );
1908 
1909  ssl->out_left -= ret;
1910  }
1911 
1912  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1913 
1914  return( 0 );
1915 }
1916 
1917 /*
1918  * Record layer functions
1919  */
1920 int ssl_write_record( ssl_context *ssl )
1921 {
1922  int ret, done = 0;
1923  size_t len = ssl->out_msglen;
1924 
1925  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1926 
1927  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1928  {
1929  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1930  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1931  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1932 
1933  if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
1934  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1935  }
1936 
1937 #if defined(POLARSSL_ZLIB_SUPPORT)
1938  if( ssl->transform_out != NULL &&
1940  {
1941  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1942  {
1943  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1944  return( ret );
1945  }
1946 
1947  len = ssl->out_msglen;
1948  }
1949 #endif /*POLARSSL_ZLIB_SUPPORT */
1950 
1951 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1952  if( ssl_hw_record_write != NULL)
1953  {
1954  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1955 
1956  ret = ssl_hw_record_write( ssl );
1957  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1958  {
1959  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1961  }
1962 
1963  if( ret == 0 )
1964  done = 1;
1965  }
1966 #endif
1967  if( !done )
1968  {
1969  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1970  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1971  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1972  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1973  ssl->out_hdr[4] = (unsigned char)( len );
1974 
1975  if( ssl->transform_out != NULL )
1976  {
1977  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1978  {
1979  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1980  return( ret );
1981  }
1982 
1983  len = ssl->out_msglen;
1984  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1985  ssl->out_hdr[4] = (unsigned char)( len );
1986  }
1987 
1988  ssl->out_left = 5 + ssl->out_msglen;
1989 
1990  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1991  "version = [%d:%d], msglen = %d",
1992  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1993  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1994 
1995  SSL_DEBUG_BUF( 4, "output record sent to network",
1996  ssl->out_hdr, 5 + ssl->out_msglen );
1997  }
1998 
1999  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
2000  {
2001  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
2002  return( ret );
2003  }
2004 
2005  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2006 
2007  return( 0 );
2008 }
2009 
2010 int ssl_read_record( ssl_context *ssl )
2011 {
2012  int ret, done = 0;
2013 
2014  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
2015 
2016  SSL_DEBUG_BUF( 4, "input record from network",
2017  ssl->in_hdr, 5 + ssl->in_msglen );
2018 
2019  if( ssl->in_hslen != 0 &&
2020  ssl->in_hslen < ssl->in_msglen )
2021  {
2022  /*
2023  * Get next Handshake message in the current record
2024  */
2025  ssl->in_msglen -= ssl->in_hslen;
2026 
2027  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
2028  ssl->in_msglen );
2029 
2030  ssl->in_hslen = 4;
2031  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2032 
2033  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2034  " %d, type = %d, hslen = %d",
2035  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2036 
2037  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2038  {
2039  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2041  }
2042 
2043  if( ssl->in_msglen < ssl->in_hslen )
2044  {
2045  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2047  }
2048 
2049  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2050 
2051  return( 0 );
2052  }
2053 
2054  ssl->in_hslen = 0;
2055 
2056  /*
2057  * Read the record header and validate it
2058  */
2059  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2060  {
2061  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2062  return( ret );
2063  }
2064 
2065  ssl->in_msgtype = ssl->in_hdr[0];
2066  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2067 
2068  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2069  "version = [%d:%d], msglen = %d",
2070  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2071  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2072 
2073  if( ssl->in_hdr[1] != ssl->major_ver )
2074  {
2075  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
2077  }
2078 
2079  if( ssl->in_hdr[2] > ssl->max_minor_ver )
2080  {
2081  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
2083  }
2084 
2085  /*
2086  * Make sure the message length is acceptable
2087  */
2088  if( ssl->transform_in == NULL )
2089  {
2090  if( ssl->in_msglen < 1 ||
2092  {
2093  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2095  }
2096  }
2097  else
2098  {
2099  if( ssl->in_msglen < ssl->transform_in->minlen )
2100  {
2101  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2103  }
2104 
2105 #if defined(POLARSSL_SSL_PROTO_SSL3)
2106  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2108  {
2109  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2111  }
2112 #endif
2113 
2114 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2115  defined(POLARSSL_SSL_PROTO_TLS1_2)
2116  /*
2117  * TLS encrypted messages can have up to 256 bytes of padding
2118  */
2119  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2120  ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
2121  {
2122  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2124  }
2125 #endif
2126  }
2127 
2128  /*
2129  * Read and optionally decrypt the message contents
2130  */
2131  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2132  {
2133  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2134  return( ret );
2135  }
2136 
2137  SSL_DEBUG_BUF( 4, "input record from network",
2138  ssl->in_hdr, 5 + ssl->in_msglen );
2139 
2140 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2141  if( ssl_hw_record_read != NULL)
2142  {
2143  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2144 
2145  ret = ssl_hw_record_read( ssl );
2146  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2147  {
2148  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2150  }
2151 
2152  if( ret == 0 )
2153  done = 1;
2154  }
2155 #endif
2156  if( !done && ssl->transform_in != NULL )
2157  {
2158  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2159  {
2160 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2161  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2162  {
2166  }
2167 #endif
2168  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2169  return( ret );
2170  }
2171 
2172  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2173  ssl->in_msg, ssl->in_msglen );
2174 
2175  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2176  {
2177  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2179  }
2180  }
2181 
2182 #if defined(POLARSSL_ZLIB_SUPPORT)
2183  if( ssl->transform_in != NULL &&
2185  {
2186  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2187  {
2188  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2189  return( ret );
2190  }
2191 
2192  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2193  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2194  }
2195 #endif /* POLARSSL_ZLIB_SUPPORT */
2196 
2197  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2198  ssl->in_msgtype != SSL_MSG_ALERT &&
2201  {
2202  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2203 
2204  if( ( ret = ssl_send_alert_message( ssl,
2207  {
2208  return( ret );
2209  }
2210 
2212  }
2213 
2214  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2215  {
2216  ssl->in_hslen = 4;
2217  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2218 
2219  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2220  " %d, type = %d, hslen = %d",
2221  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2222 
2223  /*
2224  * Additional checks to validate the handshake header
2225  */
2226  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2227  {
2228  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2230  }
2231 
2232  if( ssl->in_msglen < ssl->in_hslen )
2233  {
2234  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2236  }
2237 
2238  if( ssl->state != SSL_HANDSHAKE_OVER )
2239  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2240  }
2241 
2242  if( ssl->in_msgtype == SSL_MSG_ALERT )
2243  {
2244  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2245  ssl->in_msg[0], ssl->in_msg[1] ) );
2246 
2247  /*
2248  * Ignore non-fatal alerts, except close_notify
2249  */
2250  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2251  {
2252  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2253  ssl->in_msg[1] ) );
2259  }
2260 
2261  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2262  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2263  {
2264  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2266  }
2267  }
2268 
2269  ssl->in_left = 0;
2270 
2271  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2272 
2273  return( 0 );
2274 }
2275 
2277 {
2278  int ret;
2279 
2280  if( ( ret = ssl_send_alert_message( ssl,
2283  {
2284  return( ret );
2285  }
2286 
2287  return( 0 );
2288 }
2289 
2291  unsigned char level,
2292  unsigned char message )
2293 {
2294  int ret;
2295 
2296  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2297 
2298  ssl->out_msgtype = SSL_MSG_ALERT;
2299  ssl->out_msglen = 2;
2300  ssl->out_msg[0] = level;
2301  ssl->out_msg[1] = message;
2302 
2303  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2304  {
2305  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2306  return( ret );
2307  }
2308 
2309  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2310 
2311  return( 0 );
2312 }
2313 
2314 /*
2315  * Handshake functions
2316  */
2317 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2318  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2319  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2320  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2322 {
2324  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2325 
2326  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2327 
2328  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2329  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2330  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2331  {
2332  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2333  ssl->state++;
2334  return( 0 );
2335  }
2336 
2337  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2338  return( ret );
2339 }
2340 
2342 {
2344  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2345 
2346  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2347 
2348  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2349  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2350  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2351  {
2352  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2353  ssl->state++;
2354  return( 0 );
2355  }
2356 
2357  SSL_DEBUG_MSG( 1, ( "should not happen" ) );
2358  return( ret );
2359 }
2360 #else
2362 {
2364  size_t i, n;
2365  const x509_crt *crt;
2366  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2367 
2368  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2369 
2370  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2371  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2372  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2373  {
2374  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2375  ssl->state++;
2376  return( 0 );
2377  }
2378 
2379  if( ssl->endpoint == SSL_IS_CLIENT )
2380  {
2381  if( ssl->client_auth == 0 )
2382  {
2383  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2384  ssl->state++;
2385  return( 0 );
2386  }
2387 
2388 #if defined(POLARSSL_SSL_PROTO_SSL3)
2389  /*
2390  * If using SSLv3 and got no cert, send an Alert message
2391  * (otherwise an empty Certificate message will be sent).
2392  */
2393  if( ssl_own_cert( ssl ) == NULL &&
2394  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2395  {
2396  ssl->out_msglen = 2;
2397  ssl->out_msgtype = SSL_MSG_ALERT;
2398  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2399  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2400 
2401  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2402  goto write_msg;
2403  }
2404 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2405  }
2406  else /* SSL_IS_SERVER */
2407  {
2408  if( ssl_own_cert( ssl ) == NULL )
2409  {
2410  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2412  }
2413  }
2414 
2415  SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
2416 
2417  /*
2418  * 0 . 0 handshake type
2419  * 1 . 3 handshake length
2420  * 4 . 6 length of all certs
2421  * 7 . 9 length of cert. 1
2422  * 10 . n-1 peer certificate
2423  * n . n+2 length of cert. 2
2424  * n+3 . ... upper level cert, etc.
2425  */
2426  i = 7;
2427  crt = ssl_own_cert( ssl );
2428 
2429  while( crt != NULL )
2430  {
2431  n = crt->raw.len;
2432  if( i + 3 + n > SSL_MAX_CONTENT_LEN )
2433  {
2434  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2435  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2437  }
2438 
2439  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2440  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2441  ssl->out_msg[i + 2] = (unsigned char)( n );
2442 
2443  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2444  i += n; crt = crt->next;
2445  }
2446 
2447  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2448  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2449  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2450 
2451  ssl->out_msglen = i;
2453  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2454 
2455 #if defined(POLARSSL_SSL_PROTO_SSL3)
2456 write_msg:
2457 #endif
2458 
2459  ssl->state++;
2460 
2461  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2462  {
2463  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2464  return( ret );
2465  }
2466 
2467  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2468 
2469  return( ret );
2470 }
2471 
2473 {
2475  size_t i, n;
2476  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2477 
2478  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2479 
2480  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2481  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2482  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2483  {
2484  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2485  ssl->state++;
2486  return( 0 );
2487  }
2488 
2489  if( ssl->endpoint == SSL_IS_SERVER &&
2490  ssl->authmode == SSL_VERIFY_NONE )
2491  {
2493  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2494  ssl->state++;
2495  return( 0 );
2496  }
2497 
2498  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2499  {
2500  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2501  return( ret );
2502  }
2503 
2504  ssl->state++;
2505 
2506 #if defined(POLARSSL_SSL_PROTO_SSL3)
2507  /*
2508  * Check if the client sent an empty certificate
2509  */
2510  if( ssl->endpoint == SSL_IS_SERVER &&
2511  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2512  {
2513  if( ssl->in_msglen == 2 &&
2514  ssl->in_msgtype == SSL_MSG_ALERT &&
2515  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2516  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2517  {
2518  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2519 
2521  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2522  return( 0 );
2523  else
2525  }
2526  }
2527 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2528 
2529 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2530  defined(POLARSSL_SSL_PROTO_TLS1_2)
2531  if( ssl->endpoint == SSL_IS_SERVER &&
2532  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2533  {
2534  if( ssl->in_hslen == 7 &&
2535  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2536  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2537  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2538  {
2539  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2540 
2542  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2544  else
2545  return( 0 );
2546  }
2547  }
2548 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2549  POLARSSL_SSL_PROTO_TLS1_2 */
2550 
2551  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2552  {
2553  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2555  }
2556 
2557  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2558  {
2559  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2561  }
2562 
2563  /*
2564  * Same message structure as in ssl_write_certificate()
2565  */
2566  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2567 
2568  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2569  {
2570  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2572  }
2573 
2574  /* In case we tried to reuse a session but it failed */
2575  if( ssl->session_negotiate->peer_cert != NULL )
2576  {
2579  }
2580 
2582  sizeof( x509_crt ) ) ) == NULL )
2583  {
2584  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2585  sizeof( x509_crt ) ) );
2587  }
2588 
2590 
2591  i = 7;
2592 
2593  while( i < ssl->in_hslen )
2594  {
2595  if( ssl->in_msg[i] != 0 )
2596  {
2597  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2599  }
2600 
2601  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2602  | (unsigned int) ssl->in_msg[i + 2];
2603  i += 3;
2604 
2605  if( n < 128 || i + n > ssl->in_hslen )
2606  {
2607  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2609  }
2610 
2612  ssl->in_msg + i, n );
2613  if( ret != 0 )
2614  {
2615  SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
2616  return( ret );
2617  }
2618 
2619  i += n;
2620  }
2621 
2622  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2623 
2624  if( ssl->authmode != SSL_VERIFY_NONE )
2625  {
2626  if( ssl->ca_chain == NULL )
2627  {
2628  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2630  }
2631 
2633  ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2635  ssl->f_vrfy, ssl->p_vrfy );
2636 
2637  if( ret != 0 )
2638  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2639 
2640  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2641  ret = 0;
2642  }
2643 
2644  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2645 
2646  return( ret );
2647 }
2648 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED &&
2649  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2650  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2651 
2653 {
2654  int ret;
2655 
2656  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2657 
2659  ssl->out_msglen = 1;
2660  ssl->out_msg[0] = 1;
2661 
2662  ssl->state++;
2663 
2664  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2665  {
2666  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2667  return( ret );
2668  }
2669 
2670  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2671 
2672  return( 0 );
2673 }
2674 
2676 {
2677  int ret;
2678 
2679  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2680 
2681  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2682  {
2683  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2684  return( ret );
2685  }
2686 
2688  {
2689  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2691  }
2692 
2693  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2694  {
2695  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2697  }
2698 
2699  ssl->state++;
2700 
2701  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2702 
2703  return( 0 );
2704 }
2705 
2707  const ssl_ciphersuite_t *ciphersuite_info )
2708 {
2709  ((void) ciphersuite_info);
2710 
2711 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2712  defined(POLARSSL_SSL_PROTO_TLS1_1)
2713  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2714  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2715  else
2716 #endif
2717 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2718 #if defined(POLARSSL_SHA512_C)
2719  if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2720  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2721  else
2722 #endif
2723 #if defined(POLARSSL_SHA256_C)
2724  if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
2725  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2726  else
2727 #endif
2728 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2729  /* Should never happen */
2730  return;
2731 }
2732 
2733 static void ssl_update_checksum_start( ssl_context *ssl,
2734  const unsigned char *buf, size_t len )
2735 {
2736 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2737  defined(POLARSSL_SSL_PROTO_TLS1_1)
2738  md5_update( &ssl->handshake->fin_md5 , buf, len );
2739  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2740 #endif
2741 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2742 #if defined(POLARSSL_SHA256_C)
2743  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2744 #endif
2745 #if defined(POLARSSL_SHA512_C)
2746  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2747 #endif
2748 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2749 }
2750 
2751 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2752  defined(POLARSSL_SSL_PROTO_TLS1_1)
2753 static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2754  const unsigned char *buf, size_t len )
2755 {
2756  md5_update( &ssl->handshake->fin_md5 , buf, len );
2757  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2758 }
2759 #endif
2760 
2761 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2762 #if defined(POLARSSL_SHA256_C)
2763 static void ssl_update_checksum_sha256( ssl_context *ssl,
2764  const unsigned char *buf, size_t len )
2765 {
2766  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2767 }
2768 #endif
2769 
2770 #if defined(POLARSSL_SHA512_C)
2771 static void ssl_update_checksum_sha384( ssl_context *ssl,
2772  const unsigned char *buf, size_t len )
2773 {
2774  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2775 }
2776 #endif
2777 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2778 
2779 #if defined(POLARSSL_SSL_PROTO_SSL3)
2780 static void ssl_calc_finished_ssl(
2781  ssl_context *ssl, unsigned char *buf, int from )
2782 {
2783  const char *sender;
2784  md5_context md5;
2786 
2787  unsigned char padbuf[48];
2788  unsigned char md5sum[16];
2789  unsigned char sha1sum[20];
2790 
2791  ssl_session *session = ssl->session_negotiate;
2792  if( !session )
2793  session = ssl->session;
2794 
2795  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2796 
2797  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2798  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2799 
2800  /*
2801  * SSLv3:
2802  * hash =
2803  * MD5( master + pad2 +
2804  * MD5( handshake + sender + master + pad1 ) )
2805  * + SHA1( master + pad2 +
2806  * SHA1( handshake + sender + master + pad1 ) )
2807  */
2808 
2809 #if !defined(POLARSSL_MD5_ALT)
2810  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2811  md5.state, sizeof( md5.state ) );
2812 #endif
2813 
2814 #if !defined(POLARSSL_SHA1_ALT)
2815  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2816  sha1.state, sizeof( sha1.state ) );
2817 #endif
2818 
2819  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2820  : "SRVR";
2821 
2822  memset( padbuf, 0x36, 48 );
2823 
2824  md5_update( &md5, (const unsigned char *) sender, 4 );
2825  md5_update( &md5, session->master, 48 );
2826  md5_update( &md5, padbuf, 48 );
2827  md5_finish( &md5, md5sum );
2828 
2829  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2830  sha1_update( &sha1, session->master, 48 );
2831  sha1_update( &sha1, padbuf, 40 );
2832  sha1_finish( &sha1, sha1sum );
2833 
2834  memset( padbuf, 0x5C, 48 );
2835 
2836  md5_starts( &md5 );
2837  md5_update( &md5, session->master, 48 );
2838  md5_update( &md5, padbuf, 48 );
2839  md5_update( &md5, md5sum, 16 );
2840  md5_finish( &md5, buf );
2841 
2842  sha1_starts( &sha1 );
2843  sha1_update( &sha1, session->master, 48 );
2844  sha1_update( &sha1, padbuf , 40 );
2845  sha1_update( &sha1, sha1sum, 20 );
2846  sha1_finish( &sha1, buf + 16 );
2847 
2848  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2849 
2850  memset( &md5, 0, sizeof( md5_context ) );
2851  memset( &sha1, 0, sizeof( sha1_context ) );
2852 
2853  memset( padbuf, 0, sizeof( padbuf ) );
2854  memset( md5sum, 0, sizeof( md5sum ) );
2855  memset( sha1sum, 0, sizeof( sha1sum ) );
2856 
2857  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2858 }
2859 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2860 
2861 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
2862 static void ssl_calc_finished_tls(
2863  ssl_context *ssl, unsigned char *buf, int from )
2864 {
2865  int len = 12;
2866  const char *sender;
2867  md5_context md5;
2869  unsigned char padbuf[36];
2870 
2871  ssl_session *session = ssl->session_negotiate;
2872  if( !session )
2873  session = ssl->session;
2874 
2875  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2876 
2877  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2878  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2879 
2880  /*
2881  * TLSv1:
2882  * hash = PRF( master, finished_label,
2883  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2884  */
2885 
2886 #if !defined(POLARSSL_MD5_ALT)
2887  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2888  md5.state, sizeof( md5.state ) );
2889 #endif
2890 
2891 #if !defined(POLARSSL_SHA1_ALT)
2892  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2893  sha1.state, sizeof( sha1.state ) );
2894 #endif
2895 
2896  sender = ( from == SSL_IS_CLIENT )
2897  ? "client finished"
2898  : "server finished";
2899 
2900  md5_finish( &md5, padbuf );
2901  sha1_finish( &sha1, padbuf + 16 );
2902 
2903  ssl->handshake->tls_prf( session->master, 48, sender,
2904  padbuf, 36, buf, len );
2905 
2906  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2907 
2908  memset( &md5, 0, sizeof( md5_context ) );
2909  memset( &sha1, 0, sizeof( sha1_context ) );
2910 
2911  memset( padbuf, 0, sizeof( padbuf ) );
2912 
2913  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2914 }
2915 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
2916 
2917 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2918 #if defined(POLARSSL_SHA256_C)
2919 static void ssl_calc_finished_tls_sha256(
2920  ssl_context *ssl, unsigned char *buf, int from )
2921 {
2922  int len = 12;
2923  const char *sender;
2925  unsigned char padbuf[32];
2926 
2927  ssl_session *session = ssl->session_negotiate;
2928  if( !session )
2929  session = ssl->session;
2930 
2931  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2932 
2933  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
2934 
2935  /*
2936  * TLSv1.2:
2937  * hash = PRF( master, finished_label,
2938  * Hash( handshake ) )[0.11]
2939  */
2940 
2941 #if !defined(POLARSSL_SHA256_ALT)
2942  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2943  sha256.state, sizeof( sha256.state ) );
2944 #endif
2945 
2946  sender = ( from == SSL_IS_CLIENT )
2947  ? "client finished"
2948  : "server finished";
2949 
2950  sha256_finish( &sha256, padbuf );
2951 
2952  ssl->handshake->tls_prf( session->master, 48, sender,
2953  padbuf, 32, buf, len );
2954 
2955  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2956 
2957  memset( &sha256, 0, sizeof( sha256_context ) );
2958 
2959  memset( padbuf, 0, sizeof( padbuf ) );
2960 
2961  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2962 }
2963 #endif /* POLARSSL_SHA256_C */
2964 
2965 #if defined(POLARSSL_SHA512_C)
2966 static void ssl_calc_finished_tls_sha384(
2967  ssl_context *ssl, unsigned char *buf, int from )
2968 {
2969  int len = 12;
2970  const char *sender;
2972  unsigned char padbuf[48];
2973 
2974  ssl_session *session = ssl->session_negotiate;
2975  if( !session )
2976  session = ssl->session;
2977 
2978  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
2979 
2980  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
2981 
2982  /*
2983  * TLSv1.2:
2984  * hash = PRF( master, finished_label,
2985  * Hash( handshake ) )[0.11]
2986  */
2987 
2988 #if !defined(POLARSSL_SHA512_ALT)
2989  SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
2990  sha512.state, sizeof( sha512.state ) );
2991 #endif
2992 
2993  sender = ( from == SSL_IS_CLIENT )
2994  ? "client finished"
2995  : "server finished";
2996 
2997  sha512_finish( &sha512, padbuf );
2998 
2999  ssl->handshake->tls_prf( session->master, 48, sender,
3000  padbuf, 48, buf, len );
3001 
3002  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3003 
3004  memset( &sha512, 0, sizeof( sha512_context ) );
3005 
3006  memset( padbuf, 0, sizeof( padbuf ) );
3007 
3008  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3009 }
3010 #endif /* POLARSSL_SHA512_C */
3011 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3012 
3013 void ssl_handshake_wrapup( ssl_context *ssl )
3014 {
3015  int resume = ssl->handshake->resume;
3016 
3017  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3018 
3019  /*
3020  * Free our handshake params
3021  */
3022  ssl_handshake_free( ssl->handshake );
3023  polarssl_free( ssl->handshake );
3024  ssl->handshake = NULL;
3025 
3026  if( ssl->renegotiation == SSL_RENEGOTIATION )
3028 
3029  /*
3030  * Switch in our now active transform context
3031  */
3032  if( ssl->transform )
3033  {
3034  ssl_transform_free( ssl->transform );
3035  polarssl_free( ssl->transform );
3036  }
3037  ssl->transform = ssl->transform_negotiate;
3038  ssl->transform_negotiate = NULL;
3039 
3040  if( ssl->session )
3041  {
3042  ssl_session_free( ssl->session );
3043  polarssl_free( ssl->session );
3044  }
3045  ssl->session = ssl->session_negotiate;
3046  ssl->session_negotiate = NULL;
3047 
3048  /*
3049  * Add cache entry
3050  */
3051  if( ssl->f_set_cache != NULL &&
3052  ssl->session->length != 0 &&
3053  resume == 0 )
3054  {
3055  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3056  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
3057  }
3058 
3059  ssl->state++;
3060 
3061  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3062 }
3063 
3064 int ssl_write_finished( ssl_context *ssl )
3065 {
3066  int ret, hash_len;
3067 
3068  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3069 
3070  /*
3071  * Set the out_msg pointer to the correct location based on IV length
3072  */
3073  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3074  {
3075  ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3077  }
3078  else
3079  ssl->out_msg = ssl->out_iv;
3080 
3081  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
3082 
3083  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3084  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3085 
3086  ssl->verify_data_len = hash_len;
3087  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
3088 
3089  ssl->out_msglen = 4 + hash_len;
3091  ssl->out_msg[0] = SSL_HS_FINISHED;
3092 
3093  /*
3094  * In case of session resuming, invert the client and server
3095  * ChangeCipherSpec messages order.
3096  */
3097  if( ssl->handshake->resume != 0 )
3098  {
3099  if( ssl->endpoint == SSL_IS_CLIENT )
3100  ssl->state = SSL_HANDSHAKE_WRAPUP;
3101  else
3103  }
3104  else
3105  ssl->state++;
3106 
3107  /*
3108  * Switch to our negotiated transform and session parameters for outbound data.
3109  */
3110  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3111  ssl->transform_out = ssl->transform_negotiate;
3112  ssl->session_out = ssl->session_negotiate;
3113  memset( ssl->out_ctr, 0, 8 );
3114 
3115 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3116  if( ssl_hw_record_activate != NULL)
3117  {
3118  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3119  {
3120  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3122  }
3123  }
3124 #endif
3125 
3126  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3127  {
3128  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3129  return( ret );
3130  }
3131 
3132  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3133 
3134  return( 0 );
3135 }
3136 
3137 int ssl_parse_finished( ssl_context *ssl )
3138 {
3139  int ret;
3140  unsigned int hash_len;
3141  unsigned char buf[36];
3142 
3143  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3144 
3145  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
3146 
3147  /*
3148  * Switch to our negotiated transform and session parameters for inbound data.
3149  */
3150  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3151  ssl->transform_in = ssl->transform_negotiate;
3152  ssl->session_in = ssl->session_negotiate;
3153  memset( ssl->in_ctr, 0, 8 );
3154 
3155  /*
3156  * Set the in_msg pointer to the correct location based on IV length
3157  */
3158  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3159  {
3160  ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3162  }
3163  else
3164  ssl->in_msg = ssl->in_iv;
3165 
3166 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3167  if( ssl_hw_record_activate != NULL)
3168  {
3169  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3170  {
3171  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3173  }
3174  }
3175 #endif
3176 
3177  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3178  {
3179  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3180  return( ret );
3181  }
3182 
3183  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3184  {
3185  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3187  }
3188 
3189  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3190  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3191 
3192  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3193  ssl->in_hslen != 4 + hash_len )
3194  {
3195  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3197  }
3198 
3199  if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
3200  {
3201  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3203  }
3204 
3205  ssl->verify_data_len = hash_len;
3206  memcpy( ssl->peer_verify_data, buf, hash_len );
3207 
3208  if( ssl->handshake->resume != 0 )
3209  {
3210  if( ssl->endpoint == SSL_IS_CLIENT )
3212 
3213  if( ssl->endpoint == SSL_IS_SERVER )
3214  ssl->state = SSL_HANDSHAKE_WRAPUP;
3215  }
3216  else
3217  ssl->state++;
3218 
3219  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3220 
3221  return( 0 );
3222 }
3223 
3224 static int ssl_handshake_init( ssl_context *ssl )
3225 {
3226  if( ssl->transform_negotiate )
3228  else
3229  {
3230  ssl->transform_negotiate =
3232  }
3233 
3234  if( ssl->session_negotiate )
3236  else
3237  {
3238  ssl->session_negotiate =
3239  (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
3240  }
3241 
3242  if( ssl->handshake )
3243  ssl_handshake_free( ssl->handshake );
3244  else
3245  {
3246  ssl->handshake = (ssl_handshake_params *)
3248  }
3249 
3250  if( ssl->handshake == NULL ||
3251  ssl->transform_negotiate == NULL ||
3252  ssl->session_negotiate == NULL )
3253  {
3254  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3256  }
3257 
3258  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
3259  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
3260  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
3261 
3262 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3263  defined(POLARSSL_SSL_PROTO_TLS1_1)
3264  md5_starts( &ssl->handshake->fin_md5 );
3265  sha1_starts( &ssl->handshake->fin_sha1 );
3266 #endif
3267 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3268 #if defined(POLARSSL_SHA256_C)
3269  sha256_starts( &ssl->handshake->fin_sha256, 0 );
3270 #endif
3271 #if defined(POLARSSL_SHA512_C)
3272  sha512_starts( &ssl->handshake->fin_sha512, 1 );
3273 #endif
3274 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3275 
3276  ssl->handshake->update_checksum = ssl_update_checksum_start;
3278 
3279 #if defined(POLARSSL_ECDH_C)
3280  ecdh_init( &ssl->handshake->ecdh_ctx );
3281 #endif
3282 
3283 #if defined(POLARSSL_X509_CRT_PARSE_C)
3284  ssl->handshake->key_cert = ssl->key_cert;
3285 #endif
3286 
3287  return( 0 );
3288 }
3289 
3290 /*
3291  * Initialize an SSL context
3292  */
3293 int ssl_init( ssl_context *ssl )
3294 {
3295  int ret;
3296  int len = SSL_BUFFER_LEN;
3297 
3298  memset( ssl, 0, sizeof( ssl_context ) );
3299 
3300  /*
3301  * Sane defaults
3302  */
3307 
3309 
3310 #if defined(POLARSSL_DHM_C)
3311  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3313  ( ret = mpi_read_string( &ssl->dhm_G, 16,
3315  {
3316  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3317  return( ret );
3318  }
3319 #endif
3320 
3321  /*
3322  * Prepare base structures
3323  */
3324  ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
3325  ssl->in_hdr = ssl->in_ctr + 8;
3326  ssl->in_iv = ssl->in_ctr + 13;
3327  ssl->in_msg = ssl->in_ctr + 13;
3328 
3329  if( ssl->in_ctr == NULL )
3330  {
3331  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3333  }
3334 
3335  ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
3336  ssl->out_hdr = ssl->out_ctr + 8;
3337  ssl->out_iv = ssl->out_ctr + 13;
3338  ssl->out_msg = ssl->out_ctr + 13;
3339 
3340  if( ssl->out_ctr == NULL )
3341  {
3342  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3343  polarssl_free( ssl-> in_ctr );
3345  }
3346 
3347  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3348  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3349 
3350 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3352 #endif
3353 
3354  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3355  return( ret );
3356 
3357  return( 0 );
3358 }
3359 
3360 /*
3361  * Reset an initialized and used SSL context for re-use while retaining
3362  * all application-set variables, function pointers and data.
3363  */
3364 int ssl_session_reset( ssl_context *ssl )
3365 {
3366  int ret;
3367 
3368  ssl->state = SSL_HELLO_REQUEST;
3371 
3372  ssl->verify_data_len = 0;
3373  memset( ssl->own_verify_data, 0, 36 );
3374  memset( ssl->peer_verify_data, 0, 36 );
3375 
3376  ssl->in_offt = NULL;
3377 
3378  ssl->in_msg = ssl->in_ctr + 13;
3379  ssl->in_msgtype = 0;
3380  ssl->in_msglen = 0;
3381  ssl->in_left = 0;
3382 
3383  ssl->in_hslen = 0;
3384  ssl->nb_zero = 0;
3385  ssl->record_read = 0;
3386 
3387  ssl->out_msg = ssl->out_ctr + 13;
3388  ssl->out_msgtype = 0;
3389  ssl->out_msglen = 0;
3390  ssl->out_left = 0;
3391 
3392  ssl->transform_in = NULL;
3393  ssl->transform_out = NULL;
3394 
3395  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3396  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3397 
3398 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3399  if( ssl_hw_record_reset != NULL)
3400  {
3401  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3402  if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
3403  {
3404  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3406  }
3407  }
3408 #endif
3409 
3410  if( ssl->transform )
3411  {
3412  ssl_transform_free( ssl->transform );
3413  polarssl_free( ssl->transform );
3414  ssl->transform = NULL;
3415  }
3416 
3417  if( ssl->session )
3418  {
3419  ssl_session_free( ssl->session );
3420  polarssl_free( ssl->session );
3421  ssl->session = NULL;
3422  }
3423 
3424  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3425  return( ret );
3426 
3427  return( 0 );
3428 }
3429 
3430 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3431 /*
3432  * Allocate and initialize ticket keys
3433  */
3434 static int ssl_ticket_keys_init( ssl_context *ssl )
3435 {
3436  int ret;
3437  ssl_ticket_keys *tkeys;
3438  unsigned char buf[16];
3439 
3440  if( ssl->ticket_keys != NULL )
3441  return( 0 );
3442 
3443  tkeys = (ssl_ticket_keys *) polarssl_malloc( sizeof(ssl_ticket_keys) );
3444  if( tkeys == NULL )
3446 
3447  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
3448  return( ret );
3449 
3450  if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3451  ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3452  ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3453  {
3454  return( ret );
3455  }
3456 
3457  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
3458  return( ret );
3459 
3460  ssl->ticket_keys = tkeys;
3461 
3462  return( 0 );
3463 }
3464 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3465 
3466 /*
3467  * SSL set accessors
3468  */
3469 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3470 {
3471  ssl->endpoint = endpoint;
3472 
3473 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3474  if( endpoint == SSL_IS_CLIENT )
3476 #endif
3477 }
3478 
3479 void ssl_set_authmode( ssl_context *ssl, int authmode )
3480 {
3481  ssl->authmode = authmode;
3482 }
3483 
3484 #if defined(POLARSSL_X509_CRT_PARSE_C)
3485 void ssl_set_verify( ssl_context *ssl,
3486  int (*f_vrfy)(void *, x509_crt *, int, int *),
3487  void *p_vrfy )
3488 {
3489  ssl->f_vrfy = f_vrfy;
3490  ssl->p_vrfy = p_vrfy;
3491 }
3492 #endif /* POLARSSL_X509_CRT_PARSE_C */
3493 
3494 void ssl_set_rng( ssl_context *ssl,
3495  int (*f_rng)(void *, unsigned char *, size_t),
3496  void *p_rng )
3497 {
3498  ssl->f_rng = f_rng;
3499  ssl->p_rng = p_rng;
3500 }
3501 
3502 void ssl_set_dbg( ssl_context *ssl,
3503  void (*f_dbg)(void *, int, const char *),
3504  void *p_dbg )
3505 {
3506  ssl->f_dbg = f_dbg;
3507  ssl->p_dbg = p_dbg;
3508 }
3509 
3510 void ssl_set_bio( ssl_context *ssl,
3511  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3512  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3513 {
3514  ssl->f_recv = f_recv;
3515  ssl->f_send = f_send;
3516  ssl->p_recv = p_recv;
3517  ssl->p_send = p_send;
3518 }
3519 
3521  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3522  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3523 {
3524  ssl->f_get_cache = f_get_cache;
3525  ssl->p_get_cache = p_get_cache;
3526  ssl->f_set_cache = f_set_cache;
3527  ssl->p_set_cache = p_set_cache;
3528 }
3529 
3530 int ssl_set_session( ssl_context *ssl, const ssl_session *session )
3531 {
3532  int ret;
3533 
3534  if( ssl == NULL ||
3535  session == NULL ||
3536  ssl->session_negotiate == NULL ||
3537  ssl->endpoint != SSL_IS_CLIENT )
3538  {
3540  }
3541 
3542  if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3543  return( ret );
3544 
3545  ssl->handshake->resume = 1;
3546 
3547  return( 0 );
3548 }
3549 
3550 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3551 {
3552  ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3553  ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3554  ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3555  ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3556 }
3557 
3558 void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
3559  int major, int minor )
3560 {
3561  if( major != SSL_MAJOR_VERSION_3 )
3562  return;
3563 
3564  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3565  return;
3566 
3567  ssl->ciphersuite_list[minor] = ciphersuites;
3568 }
3569 
3570 #if defined(POLARSSL_X509_CRT_PARSE_C)
3571 /* Add a new (empty) key_cert entry an return a pointer to it */
3572 static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3573 {
3574  ssl_key_cert *key_cert, *last;
3575 
3576  key_cert = (ssl_key_cert *) polarssl_malloc( sizeof(ssl_key_cert) );
3577  if( key_cert == NULL )
3578  return( NULL );
3579 
3580  memset( key_cert, 0, sizeof( ssl_key_cert ) );
3581 
3582  /* Append the new key_cert to the (possibly empty) current list */
3583  if( ssl->key_cert == NULL )
3584  {
3585  ssl->key_cert = key_cert;
3586  ssl->handshake->key_cert = key_cert;
3587  }
3588  else
3589  {
3590  last = ssl->key_cert;
3591  while( last->next != NULL )
3592  last = last->next;
3593  last->next = key_cert;
3594  }
3595 
3596  return key_cert;
3597 }
3598 
3599 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
3600  x509_crl *ca_crl, const char *peer_cn )
3601 {
3602  ssl->ca_chain = ca_chain;
3603  ssl->ca_crl = ca_crl;
3604  ssl->peer_cn = peer_cn;
3605 }
3606 
3607 int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
3608  pk_context *pk_key )
3609 {
3610  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3611 
3612  if( key_cert == NULL )
3614 
3615  key_cert->cert = own_cert;
3616  key_cert->key = pk_key;
3617 
3618  return( 0 );
3619 }
3620 
3621 #if defined(POLARSSL_RSA_C)
3622 int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
3623  rsa_context *rsa_key )
3624 {
3625  int ret;
3626  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3627 
3628  if( key_cert == NULL )
3630 
3631  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3632  if( key_cert->key == NULL )
3634 
3635  pk_init( key_cert->key );
3636 
3637  ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
3638  if( ret != 0 )
3639  return( ret );
3640 
3641  if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
3642  return( ret );
3643 
3644  key_cert->cert = own_cert;
3645  key_cert->key_own_alloc = 1;
3646 
3647  return( 0 );
3648 }
3649 #endif /* POLARSSL_RSA_C */
3650 
3651 int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
3652  void *rsa_key,
3653  rsa_decrypt_func rsa_decrypt,
3654  rsa_sign_func rsa_sign,
3655  rsa_key_len_func rsa_key_len )
3656 {
3657  int ret;
3658  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3659 
3660  if( key_cert == NULL )
3662 
3663  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3664  if( key_cert->key == NULL )
3666 
3667  pk_init( key_cert->key );
3668 
3669  if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
3670  rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
3671  return( ret );
3672 
3673  key_cert->cert = own_cert;
3674  key_cert->key_own_alloc = 1;
3675 
3676  return( 0 );
3677 }
3678 #endif /* POLARSSL_X509_CRT_PARSE_C */
3679 
3680 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
3681 int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3682  const unsigned char *psk_identity, size_t psk_identity_len )
3683 {
3684  if( psk == NULL || psk_identity == NULL )
3686 
3687  if( ssl->psk != NULL )
3688  {
3689  polarssl_free( ssl->psk );
3690  polarssl_free( ssl->psk_identity );
3691  }
3692 
3693  ssl->psk_len = psk_len;
3694  ssl->psk_identity_len = psk_identity_len;
3695 
3696  ssl->psk = (unsigned char *) polarssl_malloc( ssl->psk_len );
3697  ssl->psk_identity = (unsigned char *) polarssl_malloc( ssl->psk_identity_len );
3698 
3699  if( ssl->psk == NULL || ssl->psk_identity == NULL )
3701 
3702  memcpy( ssl->psk, psk, ssl->psk_len );
3703  memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
3704 
3705  return( 0 );
3706 }
3707 
3708 void ssl_set_psk_cb( ssl_context *ssl,
3709  int (*f_psk)(void *, ssl_context *, const unsigned char *,
3710  size_t),
3711  void *p_psk )
3712 {
3713  ssl->f_psk = f_psk;
3714  ssl->p_psk = p_psk;
3715 }
3716 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
3717 
3718 #if defined(POLARSSL_DHM_C)
3719 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3720 {
3721  int ret;
3722 
3723  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3724  {
3725  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3726  return( ret );
3727  }
3728 
3729  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3730  {
3731  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3732  return( ret );
3733  }
3734 
3735  return( 0 );
3736 }
3737 
3738 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3739 {
3740  int ret;
3741 
3742  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3743  {
3744  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3745  return( ret );
3746  }
3747 
3748  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3749  {
3750  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3751  return( ret );
3752  }
3753 
3754  return( 0 );
3755 }
3756 #endif /* POLARSSL_DHM_C */
3757 
3758 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
3759 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3760 {
3761  if( hostname == NULL )
3763 
3764  ssl->hostname_len = strlen( hostname );
3765 
3766  if( ssl->hostname_len + 1 == 0 )
3768 
3769  ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
3770 
3771  if( ssl->hostname == NULL )
3773 
3774  memcpy( ssl->hostname, (const unsigned char *) hostname,
3775  ssl->hostname_len );
3776 
3777  ssl->hostname[ssl->hostname_len] = '\0';
3778 
3779  return( 0 );
3780 }
3781 
3782 void ssl_set_sni( ssl_context *ssl,
3783  int (*f_sni)(void *, ssl_context *,
3784  const unsigned char *, size_t),
3785  void *p_sni )
3786 {
3787  ssl->f_sni = f_sni;
3788  ssl->p_sni = p_sni;
3789 }
3790 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
3791 
3792 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3793 {
3794  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3795  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3796  {
3797  ssl->max_major_ver = major;
3798  ssl->max_minor_ver = minor;
3799  }
3800 }
3801 
3802 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3803 {
3804  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3805  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3806  {
3807  ssl->min_major_ver = major;
3808  ssl->min_minor_ver = minor;
3809  }
3810 }
3811 
3812 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
3813 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
3814 {
3815  if( mfl_code >= sizeof( mfl_code_to_length ) ||
3816  mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
3817  {
3819  }
3820 
3821  ssl->mfl_code = mfl_code;
3822 
3823  return( 0 );
3824 }
3825 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
3826 
3827 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
3828 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
3829 {
3830  if( ssl->endpoint != SSL_IS_CLIENT )
3832 
3833  ssl->trunc_hmac = truncate;
3834 
3835  return( 0 );
3836 }
3837 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
3838 
3839 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3840 {
3841  ssl->disable_renegotiation = renegotiation;
3842 }
3843 
3844 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3845 {
3846  ssl->allow_legacy_renegotiation = allow_legacy;
3847 }
3848 
3849 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3850 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
3851 {
3852  ssl->session_tickets = use_tickets;
3853 
3854  if( ssl->endpoint == SSL_IS_CLIENT )
3855  return( 0 );
3856 
3857  if( ssl->f_rng == NULL )
3859 
3860  return( ssl_ticket_keys_init( ssl ) );
3861 }
3862 
3863 void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
3864 {
3865  ssl->ticket_lifetime = lifetime;
3866 }
3867 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3868 
3869 /*
3870  * SSL get accessors
3871  */
3872 size_t ssl_get_bytes_avail( const ssl_context *ssl )
3873 {
3874  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3875 }
3876 
3877 int ssl_get_verify_result( const ssl_context *ssl )
3878 {
3879  return( ssl->session->verify_result );
3880 }
3881 
3882 const char *ssl_get_ciphersuite( const ssl_context *ssl )
3883 {
3884  if( ssl == NULL || ssl->session == NULL )
3885  return NULL;
3886 
3888 }
3889 
3890 const char *ssl_get_version( const ssl_context *ssl )
3891 {
3892  switch( ssl->minor_ver )
3893  {
3894  case SSL_MINOR_VERSION_0:
3895  return( "SSLv3.0" );
3896 
3897  case SSL_MINOR_VERSION_1:
3898  return( "TLSv1.0" );
3899 
3900  case SSL_MINOR_VERSION_2:
3901  return( "TLSv1.1" );
3902 
3903  case SSL_MINOR_VERSION_3:
3904  return( "TLSv1.2" );
3905 
3906  default:
3907  break;
3908  }
3909  return( "unknown" );
3910 }
3911 
3912 #if defined(POLARSSL_X509_CRT_PARSE_C)
3913 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
3914 {
3915  if( ssl == NULL || ssl->session == NULL )
3916  return NULL;
3917 
3918  return ssl->session->peer_cert;
3919 }
3920 #endif /* POLARSSL_X509_CRT_PARSE_C */
3921 
3922 int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
3923 {
3924  if( ssl == NULL ||
3925  dst == NULL ||
3926  ssl->session == NULL ||
3927  ssl->endpoint != SSL_IS_CLIENT )
3928  {
3930  }
3931 
3932  return( ssl_session_copy( dst, ssl->session ) );
3933 }
3934 
3935 /*
3936  * Perform a single step of the SSL handshake
3937  */
3938 int ssl_handshake_step( ssl_context *ssl )
3939 {
3941 
3942 #if defined(POLARSSL_SSL_CLI_C)
3943  if( ssl->endpoint == SSL_IS_CLIENT )
3944  ret = ssl_handshake_client_step( ssl );
3945 #endif
3946 
3947 #if defined(POLARSSL_SSL_SRV_C)
3948  if( ssl->endpoint == SSL_IS_SERVER )
3949  ret = ssl_handshake_server_step( ssl );
3950 #endif
3951 
3952  return( ret );
3953 }
3954 
3955 /*
3956  * Perform the SSL handshake
3957  */
3958 int ssl_handshake( ssl_context *ssl )
3959 {
3960  int ret = 0;
3961 
3962  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3963 
3964  while( ssl->state != SSL_HANDSHAKE_OVER )
3965  {
3966  ret = ssl_handshake_step( ssl );
3967 
3968  if( ret != 0 )
3969  break;
3970  }
3971 
3972  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3973 
3974  return( ret );
3975 }
3976 
3977 #if defined(POLARSSL_SSL_SRV_C)
3978 /*
3979  * Write HelloRequest to request renegotiation on server
3980  */
3981 static int ssl_write_hello_request( ssl_context *ssl )
3982 {
3983  int ret;
3984 
3985  SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
3986 
3987  ssl->out_msglen = 4;
3989  ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
3990 
3991  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3992  {
3993  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3994  return( ret );
3995  }
3996 
3998 
3999  SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4000 
4001  return( 0 );
4002 }
4003 #endif /* POLARSSL_SSL_SRV_C */
4004 
4005 /*
4006  * Actually renegotiate current connection, triggered by either:
4007  * - calling ssl_renegotiate() on client,
4008  * - receiving a HelloRequest on client during ssl_read(),
4009  * - receiving any handshake message on server during ssl_read() after the
4010  * initial handshake is completed
4011  * If the handshake doesn't complete due to waiting for I/O, it will continue
4012  * during the next calls to ssl_renegotiate() or ssl_read() respectively.
4013  */
4014 static int ssl_start_renegotiation( ssl_context *ssl )
4015 {
4016  int ret;
4017 
4018  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4019 
4020  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4021  return( ret );
4022 
4023  ssl->state = SSL_HELLO_REQUEST;
4025 
4026  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4027  {
4028  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4029  return( ret );
4030  }
4031 
4032  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4033 
4034  return( 0 );
4035 }
4036 
4037 /*
4038  * Renegotiate current connection on client,
4039  * or request renegotiation on server
4040  */
4041 int ssl_renegotiate( ssl_context *ssl )
4042 {
4044 
4045 #if defined(POLARSSL_SSL_SRV_C)
4046  /* On server, just send the request */
4047  if( ssl->endpoint == SSL_IS_SERVER )
4048  {
4049  if( ssl->state != SSL_HANDSHAKE_OVER )
4051 
4052  return( ssl_write_hello_request( ssl ) );
4053  }
4054 #endif /* POLARSSL_SSL_SRV_C */
4055 
4056 #if defined(POLARSSL_SSL_CLI_C)
4057  /*
4058  * On client, either start the renegotiation process or,
4059  * if already in progress, continue the handshake
4060  */
4061  if( ssl->renegotiation != SSL_RENEGOTIATION )
4062  {
4063  if( ssl->state != SSL_HANDSHAKE_OVER )
4065 
4066  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4067  {
4068  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4069  return( ret );
4070  }
4071  }
4072  else
4073  {
4074  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4075  {
4076  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4077  return( ret );
4078  }
4079  }
4080 #endif /* POLARSSL_SSL_CLI_C */
4081 
4082  return( ret );
4083 }
4084 
4085 /*
4086  * Receive application data decrypted from the SSL layer
4087  */
4088 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
4089 {
4090  int ret;
4091  size_t n;
4092 
4093  SSL_DEBUG_MSG( 2, ( "=> read" ) );
4094 
4095  if( ssl->state != SSL_HANDSHAKE_OVER )
4096  {
4097  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4098  {
4099  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4100  return( ret );
4101  }
4102  }
4103 
4104  if( ssl->in_offt == NULL )
4105  {
4106  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4107  {
4108  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4109  return( 0 );
4110 
4111  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4112  return( ret );
4113  }
4114 
4115  if( ssl->in_msglen == 0 &&
4117  {
4118  /*
4119  * OpenSSL sends empty messages to randomize the IV
4120  */
4121  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4122  {
4123  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4124  return( 0 );
4125 
4126  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4127  return( ret );
4128  }
4129  }
4130 
4131  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4132  {
4133  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4134 
4135  if( ssl->endpoint == SSL_IS_CLIENT &&
4136  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4137  ssl->in_hslen != 4 ) )
4138  {
4139  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4141  }
4142 
4146  {
4147  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4148 
4149 #if defined(POLARSSL_SSL_PROTO_SSL3)
4150  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
4151  {
4152  /*
4153  * SSLv3 does not have a "no_renegotiation" alert
4154  */
4155  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4156  return( ret );
4157  }
4158  else
4159 #endif
4160 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4161  defined(POLARSSL_SSL_PROTO_TLS1_2)
4162  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
4163  {
4164  if( ( ret = ssl_send_alert_message( ssl,
4167  {
4168  return( ret );
4169  }
4170  }
4171  else
4172 #endif
4173  {
4174  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4176  }
4177  }
4178  else
4179  {
4180  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4181  {
4182  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4183  return( ret );
4184  }
4185 
4186  return( POLARSSL_ERR_NET_WANT_READ );
4187  }
4188  }
4189  else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4190  {
4191  SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4192  "but not honored by client" ) );
4194  }
4195  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
4196  {
4197  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
4199  }
4200 
4201  ssl->in_offt = ssl->in_msg;
4202  }
4203 
4204  n = ( len < ssl->in_msglen )
4205  ? len : ssl->in_msglen;
4206 
4207  memcpy( buf, ssl->in_offt, n );
4208  ssl->in_msglen -= n;
4209 
4210  if( ssl->in_msglen == 0 )
4211  /* all bytes consumed */
4212  ssl->in_offt = NULL;
4213  else
4214  /* more data available */
4215  ssl->in_offt += n;
4216 
4217  SSL_DEBUG_MSG( 2, ( "<= read" ) );
4218 
4219  return( (int) n );
4220 }
4221 
4222 /*
4223  * Send application data to be encrypted by the SSL layer
4224  */
4225 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4226 {
4227  int ret;
4228  size_t n;
4229  unsigned int max_len = SSL_MAX_CONTENT_LEN;
4230 
4231  SSL_DEBUG_MSG( 2, ( "=> write" ) );
4232 
4233  if( ssl->state != SSL_HANDSHAKE_OVER )
4234  {
4235  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4236  {
4237  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4238  return( ret );
4239  }
4240  }
4241 
4242 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4243  /*
4244  * Assume mfl_code is correct since it was checked when set
4245  */
4246  max_len = mfl_code_to_length[ssl->mfl_code];
4247 
4248  /*
4249  * Check if a smaller max length was negotiated
4250  */
4251  if( ssl->session_out != NULL &&
4252  mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4253  {
4254  max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4255  }
4256 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4257 
4258  n = ( len < max_len) ? len : max_len;
4259 
4260  if( ssl->out_left != 0 )
4261  {
4262  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4263  {
4264  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4265  return( ret );
4266  }
4267  }
4268  else
4269  {
4270  ssl->out_msglen = n;
4272  memcpy( ssl->out_msg, buf, n );
4273 
4274  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4275  {
4276  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4277  return( ret );
4278  }
4279  }
4280 
4281  SSL_DEBUG_MSG( 2, ( "<= write" ) );
4282 
4283  return( (int) n );
4284 }
4285 
4286 /*
4287  * Notify the peer that the connection is being closed
4288  */
4289 int ssl_close_notify( ssl_context *ssl )
4290 {
4291  int ret;
4292 
4293  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4294 
4295  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4296  {
4297  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4298  return( ret );
4299  }
4300 
4301  if( ssl->state == SSL_HANDSHAKE_OVER )
4302  {
4303  if( ( ret = ssl_send_alert_message( ssl,
4305  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4306  {
4307  return( ret );
4308  }
4309  }
4310 
4311  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4312 
4313  return( ret );
4314 }
4315 
4316 void ssl_transform_free( ssl_transform *transform )
4317 {
4318 #if defined(POLARSSL_ZLIB_SUPPORT)
4319  deflateEnd( &transform->ctx_deflate );
4320  inflateEnd( &transform->ctx_inflate );
4321 #endif
4322 
4323  cipher_free_ctx( &transform->cipher_ctx_enc );
4324  cipher_free_ctx( &transform->cipher_ctx_dec );
4325 
4326  md_free_ctx( &transform->md_ctx_enc );
4327  md_free_ctx( &transform->md_ctx_dec );
4328 
4329  memset( transform, 0, sizeof( ssl_transform ) );
4330 }
4331 
4332 #if defined(POLARSSL_X509_CRT_PARSE_C)
4333 static void ssl_key_cert_free( ssl_key_cert *key_cert )
4334 {
4335  ssl_key_cert *cur = key_cert, *next;
4336 
4337  while( cur != NULL )
4338  {
4339  next = cur->next;
4340 
4341  if( cur->key_own_alloc )
4342  {
4343  pk_free( cur->key );
4344  polarssl_free( cur->key );
4345  }
4346  polarssl_free( cur );
4347 
4348  cur = next;
4349  }
4350 }
4351 #endif /* POLARSSL_X509_CRT_PARSE_C */
4352 
4353 void ssl_handshake_free( ssl_handshake_params *handshake )
4354 {
4355 #if defined(POLARSSL_DHM_C)
4356  dhm_free( &handshake->dhm_ctx );
4357 #endif
4358 #if defined(POLARSSL_ECDH_C)
4359  ecdh_free( &handshake->ecdh_ctx );
4360 #endif
4361 
4362 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
4363  /* explicit void pointer cast for buggy MS compiler */
4364  polarssl_free( (void *) handshake->curves );
4365 #endif
4366 
4367 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
4368  defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4369  /*
4370  * Free only the linked list wrapper, not the keys themselves
4371  * since the belong to the SNI callback
4372  */
4373  if( handshake->sni_key_cert != NULL )
4374  {
4375  ssl_key_cert *cur = handshake->sni_key_cert, *next;
4376 
4377  while( cur != NULL )
4378  {
4379  next = cur->next;
4380  polarssl_free( cur );
4381  cur = next;
4382  }
4383  }
4384 #endif
4385 
4386  memset( handshake, 0, sizeof( ssl_handshake_params ) );
4387 }
4388 
4389 void ssl_session_free( ssl_session *session )
4390 {
4391 #if defined(POLARSSL_X509_CRT_PARSE_C)
4392  if( session->peer_cert != NULL )
4393  {
4394  x509_crt_free( session->peer_cert );
4395  polarssl_free( session->peer_cert );
4396  }
4397 #endif
4398 
4399 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4400  polarssl_free( session->ticket );
4401 #endif
4402 
4403  memset( session, 0, sizeof( ssl_session ) );
4404 }
4405 
4406 /*
4407  * Free an SSL context
4408  */
4409 void ssl_free( ssl_context *ssl )
4410 {
4411  SSL_DEBUG_MSG( 2, ( "=> free" ) );
4412 
4413  if( ssl->out_ctr != NULL )
4414  {
4415  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
4416  polarssl_free( ssl->out_ctr );
4417  }
4418 
4419  if( ssl->in_ctr != NULL )
4420  {
4421  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
4422  polarssl_free( ssl->in_ctr );
4423  }
4424 
4425 #if defined(POLARSSL_ZLIB_SUPPORT)
4426  if( ssl->compress_buf != NULL )
4427  {
4428  memset( ssl->compress_buf, 0, SSL_BUFFER_LEN );
4429  polarssl_free( ssl->compress_buf );
4430  }
4431 #endif
4432 
4433 #if defined(POLARSSL_DHM_C)
4434  mpi_free( &ssl->dhm_P );
4435  mpi_free( &ssl->dhm_G );
4436 #endif
4437 
4438  if( ssl->transform )
4439  {
4440  ssl_transform_free( ssl->transform );
4441  polarssl_free( ssl->transform );
4442  }
4443 
4444  if( ssl->handshake )
4445  {
4446  ssl_handshake_free( ssl->handshake );
4449 
4450  polarssl_free( ssl->handshake );
4453  }
4454 
4455  if( ssl->session )
4456  {
4457  ssl_session_free( ssl->session );
4458  polarssl_free( ssl->session );
4459  }
4460 
4461 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4462  polarssl_free( ssl->ticket_keys );
4463 #endif
4464 
4465 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4466  if ( ssl->hostname != NULL )
4467  {
4468  memset( ssl->hostname, 0, ssl->hostname_len );
4469  polarssl_free( ssl->hostname );
4470  ssl->hostname_len = 0;
4471  }
4472 #endif
4473 
4474 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
4475  if( ssl->psk != NULL )
4476  {
4477  memset( ssl->psk, 0, ssl->psk_len );
4478  memset( ssl->psk_identity, 0, ssl->psk_identity_len );
4479  polarssl_free( ssl->psk );
4480  polarssl_free( ssl->psk_identity );
4481  ssl->psk_len = 0;
4482  ssl->psk_identity_len = 0;
4483  }
4484 #endif
4485 
4486 #if defined(POLARSSL_X509_CRT_PARSE_C)
4487  ssl_key_cert_free( ssl->key_cert );
4488 #endif
4489 
4490 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4491  if( ssl_hw_record_finish != NULL )
4492  {
4493  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4494  ssl_hw_record_finish( ssl );
4495  }
4496 #endif
4497 
4498  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4499 
4500  /* Actually clear after last debug message */
4501  memset( ssl, 0, sizeof( ssl_context ) );
4502 }
4503 
4504 #if defined(POLARSSL_PK_C)
4505 /*
4506  * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
4507  */
4508 unsigned char ssl_sig_from_pk( pk_context *pk )
4509 {
4510 #if defined(POLARSSL_RSA_C)
4511  if( pk_can_do( pk, POLARSSL_PK_RSA ) )
4512  return( SSL_SIG_RSA );
4513 #endif
4514 #if defined(POLARSSL_ECDSA_C)
4515  if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
4516  return( SSL_SIG_ECDSA );
4517 #endif
4518  return( SSL_SIG_ANON );
4519 }
4520 
4521 pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
4522 {
4523  switch( sig )
4524  {
4525 #if defined(POLARSSL_RSA_C)
4526  case SSL_SIG_RSA:
4527  return( POLARSSL_PK_RSA );
4528 #endif
4529 #if defined(POLARSSL_ECDSA_C)
4530  case SSL_SIG_ECDSA:
4531  return( POLARSSL_PK_ECDSA );
4532 #endif
4533  default:
4534  return( POLARSSL_PK_NONE );
4535  }
4536 }
4537 #endif
4538 
4539 /*
4540  * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
4541  */
4542 md_type_t ssl_md_alg_from_hash( unsigned char hash )
4543 {
4544  switch( hash )
4545  {
4546 #if defined(POLARSSL_MD5_C)
4547  case SSL_HASH_MD5:
4548  return( POLARSSL_MD_MD5 );
4549 #endif
4550 #if defined(POLARSSL_SHA1_C)
4551  case SSL_HASH_SHA1:
4552  return( POLARSSL_MD_SHA1 );
4553 #endif
4554 #if defined(POLARSSL_SHA256_C)
4555  case SSL_HASH_SHA224:
4556  return( POLARSSL_MD_SHA224 );
4557  case SSL_HASH_SHA256:
4558  return( POLARSSL_MD_SHA256 );
4559 #endif
4560 #if defined(POLARSSL_SHA512_C)
4561  case SSL_HASH_SHA384:
4562  return( POLARSSL_MD_SHA384 );
4563  case SSL_HASH_SHA512:
4564  return( POLARSSL_MD_SHA512 );
4565 #endif
4566  default:
4567  return( POLARSSL_MD_NONE );
4568  }
4569 }
4570 
4571 #endif
const ecp_curve_info ** curves
Definition: ssl.h:511
unsigned char * hostname
Definition: ssl.h:751
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:287
ssl_session * session_in
Definition: ssl.h:644
#define SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:291
unsigned char mfl_code
Definition: ssl.h:693
size_t length
Definition: ssl.h:428
void * p_set_cache
Definition: ssl.h:623
md_context_t md_ctx_dec
Definition: ssl.h:479
int ciphersuite
Definition: ssl.h:426
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Processing of the ChangeCipherSpec handshake message failed.
Definition: ssl.h:124
mpi P
Definition: dhm.h:146
int trunc_hmac
Definition: ssl.h:725
size_t in_hslen
Definition: ssl.h:673
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
void(* f_dbg)(void *, int, const char *)
Definition: ssl.h:612
#define SSL_HS_FINISHED
Definition: ssl.h:327
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:611
uint32_t state[8]
Definition: sha256.h:57
const pk_info_t * pk_info_from_type(pk_type_t pk_type)
Return information associated with the given PK type.
#define POLARSSL_DHM_RFC5114_MODP_1024_P
Definition: dhm.h:94
sha256_context fin_sha256
Definition: ssl.h:536
size_t ivlen
Definition: ssl.h:465
int cipher_finish(cipher_context_t *ctx, unsigned char *output, size_t *olen)
Generic cipher finalisation function.
int record_read
Definition: ssl.h:675
Memory allocation layer.
int major_ver
Definition: ssl.h:600
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:41
int rsa_copy(rsa_context *dst, const rsa_context *src)
Copy the components of an RSA context.
SHA-1 context structure.
Definition: sha1.h:54
void *(* polarssl_malloc)(size_t len)
sha1_context fin_sha1
Definition: ssl.h:532
int compression
Definition: ssl.h:427
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:597
const char * peer_cn
Definition: ssl.h:704
unsigned char master[48]
Definition: ssl.h:430
void sha256_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
void sha256(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
char peer_verify_data[36]
Definition: ssl.h:762
int ssl_set_truncated_hmac(ssl_context *ssl, int truncate)
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED) ...
ssl_transform * transform_out
Definition: ssl.h:656
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:55
Debug functions.
#define POLARSSL_ERR_SSL_CONN_EOF
The connection indicated an EOF.
Definition: ssl.h:101
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:627
int nb_zero
Definition: ssl.h:674
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:544
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
DHM context structure.
Definition: dhm.h:143
void * p_psk
Definition: ssl.h:638
#define SSL_BUFFER_LEN
Definition: ssl.h:251
int cipher_write_tag(cipher_context_t *ctx, unsigned char *tag, size_t tag_len)
Write tag for AEAD ciphers.
#define SSL_IS_CLIENT
Definition: ssl.h:193
size_t ticket_len
Definition: ssl.h:439
#define SSL_HASH_SHA1
Definition: ssl.h:261
Cipher information.
Definition: cipher.h:207
ssl_session * session_negotiate
Definition: ssl.h:647
const cipher_info_t * cipher_info_from_type(const cipher_type_t cipher_type)
Returns the cipher information structure associated with the given cipher type.
ssl_session * session
Definition: ssl.h:646
void ssl_legacy_renegotiation(ssl_context *ssl, int allow_legacy)
Prevent or allow legacy renegotiation.
int ssl_parse_certificate(ssl_context *ssl)
void ssl_set_dbg(ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg)
Set the debug callback.
#define POLARSSL_ERR_SSL_INVALID_RECORD
An invalid SSL record was received.
Definition: ssl.h:100
#define BADCERT_SKIP_VERIFY
Certificate verification was skipped.
Definition: x509.h:79
uint32_t state[5]
Definition: sha1.h:57
ssl_key_cert * key_cert
Definition: ssl.h:700
ssl_key_cert * sni_key_cert
Definition: ssl.h:522
int ssl_set_session_tickets(ssl_context *ssl, int use_tickets)
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS...
unsigned char iv_enc[16]
Definition: ssl.h:469
size_t out_msglen
Definition: ssl.h:686
void ssl_set_verify(ssl_context *ssl, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Set the verification callback (Optional).
#define SSL_SIG_RSA
Definition: ssl.h:268
int ticket_lifetime
Definition: ssl.h:729
ssl_transform * transform_in
Definition: ssl.h:655
cipher_context_t cipher_ctx_enc
Definition: ssl.h:481
const int * ciphersuite_list[4]
Definition: ssl.h:723
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:618
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
mpi dhm_P
Definition: ssl.h:733
#define SSL_RENEGOTIATION
Definition: ssl.h:203
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:553
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
void sha1_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[20])
Output = HMAC-SHA-1( hmac key, input buffer )
int md_process(md_context_t *ctx, const unsigned char *data)
int x509_crt_parse(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one or more certificates and add them to the chained list.
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
ssl_transform * transform
Definition: ssl.h:657
x509_crt * cert
Definition: ssl.h:585
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:38
size_t psk_identity_len
Definition: ssl.h:744
unsigned char * out_ctr
Definition: ssl.h:680
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
The peer notified us that the connection is going to be closed.
Definition: ssl.h:113
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:218
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:761
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:205
int x509_crt_parse_der(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
#define SSL_SIG_ECDSA
Definition: ssl.h:269
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:614
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:166
#define SSL_MIN_MINOR_VERSION
Definition: ssl.h:150
#define SSL_VERIFY_OPTIONAL
Definition: ssl.h:199
size_t in_msglen
Definition: ssl.h:670
int ssl_set_dh_param_ctx(ssl_context *ssl, dhm_context *dhm_ctx)
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) ...
unsigned char * in_hdr
Definition: ssl.h:664
int secure_renegotiation
Definition: ssl.h:758
#define SSL_SIG_ANON
Definition: ssl.h:267
sha512_context fin_sha512
Definition: ssl.h:539
#define SSL_VERIFY_REQUIRED
Definition: ssl.h:200
#define SSL_HASH_MD5
Definition: ssl.h:260
#define SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:312
void md5_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[16])
Output = HMAC-MD5( hmac key, input buffer )
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:213
static md_type_t md_get_type(const md_info_t *md_info)
Returns the type of the message digest output.
Definition: md.h:220
int(* tls_prf)(const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl.h:546
unsigned char mac_key[16]
Definition: ssl.h:575
void * p_vrfy
Definition: ssl.h:633
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:140
size_t psk_len
Definition: ssl.h:742
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED
Hardware acceleration function returned with error.
Definition: ssl.h:127
void ssl_set_max_version(ssl_context *ssl, int major, int minor)
Set the maximum supported version sent from the client side and/or accepted at the server side (Defau...
#define SSL_RENEGOTIATION_DONE
Definition: ssl.h:204
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:99
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
No client certification received from the client, but required by the authentication mode...
Definition: ssl.h:105
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:461
void * p_recv
Definition: ssl.h:620
unsigned char * psk
Definition: ssl.h:741
int pk_init_ctx_rsa_alt(pk_context *ctx, void *key, pk_rsa_alt_decrypt_func decrypt_func, pk_rsa_alt_sign_func sign_func, pk_rsa_alt_key_len_func key_len_func)
Initialize an RSA-alt context.
size_t len
Definition: dhm.h:145
void ssl_set_ciphersuites_for_version(ssl_context *ssl, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites for a specific version of the protocol.
int ssl_init(ssl_context *ssl)
Initialize an SSL context (An individual SSL context is not thread-safe)
int max_major_ver
Definition: ssl.h:603
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:131
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:93
#define SSL_MINOR_VERSION_1
Definition: ssl.h:142
int ssl_set_psk(ssl_context *ssl, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len)
Set the Pre Shared Key (PSK) and the identity name connected to it.
void ssl_set_psk_cb(ssl_context *ssl, int(*f_psk)(void *, ssl_context *, const unsigned char *, size_t), void *p_psk)
Set the PSK callback (server-side only) (Optional).
unsigned int keylen
Definition: ssl.h:463
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
Hardware acceleration function skipped / left alone data.
Definition: ssl.h:128
int ssl_get_session(const ssl_context *ssl, ssl_session *session)
Save session in order to resume it later (client-side only) Session data is copied to presented sessi...
md_type_t
Definition: md.h:51
int verify_result
Definition: ssl.h:435
unsigned char iv[POLARSSL_MAX_IV_LENGTH]
Current IV or NONCE_COUNTER for CTR-mode.
Definition: cipher.h:260
const cipher_info_t * cipher_info
Information about the associated cipher.
Definition: cipher.h:241
int max_minor_ver
Definition: ssl.h:604
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
The own certificate is not set, but needed by the server.
Definition: ssl.h:107
#define SSL_RENEGOTIATION_PENDING
Definition: ssl.h:205
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:290
unsigned char * in_ctr
Definition: ssl.h:663
ssl_handshake_params * handshake
Definition: ssl.h:649
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:106
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:283
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:543
size_t fixed_ivlen
Definition: ssl.h:466
#define SSL_MINOR_VERSION_2
Definition: ssl.h:143
int ssl_write_certificate(ssl_context *ssl)
size_t(* rsa_key_len_func)(void *ctx)
Definition: ssl.h:379
#define POLARSSL_DHM_RFC5114_MODP_1024_G
Definition: dhm.h:102
RSA context structure.
Definition: rsa.h:77
cipher_context_t cipher_ctx_dec
Definition: ssl.h:482
int in_msgtype
Definition: ssl.h:669
Container for an X.509 certificate.
Definition: x509_crt.h:53
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
A fatal alert message was received from our peer.
Definition: ssl.h:111
#define SSL_MIN_MAJOR_VERSION
Definition: ssl.h:147
#define SSL_DEFAULT_TICKET_LIFETIME
Lifetime of session tickets (if enabled)
Definition: ssl.h:225
size_t verify_data_len
Definition: ssl.h:760
const char * ssl_get_ciphersuite(const ssl_context *ssl)
Return the name of the current ciphersuite.
mpi dhm_G
Definition: ssl.h:734
mpi G
Definition: dhm.h:147
int cipher_free_ctx(cipher_context_t *ctx)
Free the cipher-specific context of ctx.
int cipher_update_ad(cipher_context_t *ctx, const unsigned char *ad, size_t ad_len)
Add additional data (for AEAD ciphers).
#define SSL_IS_SERVER
Definition: ssl.h:194
const char * ssl_get_version(const ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
void ssl_set_renegotiation(ssl_context *ssl, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIAT...
int min_minor_ver
Definition: ssl.h:606
unsigned char * out_msg
Definition: ssl.h:683
unsigned int key_length
Cipher key length, in bits (default length for variable sized ciphers) (Includes parity bits for ciph...
Definition: cipher.h:216
int cipher_set_iv(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len)
Set the initialization vector (IV) or nonce.
#define SSL_MINOR_VERSION_0
Definition: ssl.h:141
int client_auth
Definition: ssl.h:719
#define SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:281
void * p_dbg
Definition: ssl.h:619
void sha256_starts(sha256_context *ctx, int is224)
SHA-256 context setup.
int cipher_update(cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
Generic cipher update function.
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:520
void * p_send
Definition: ssl.h:621
ecdh_context ecdh_ctx
Definition: ssl.h:508
x509_crl * ca_crl
Definition: ssl.h:703
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1566
void(* polarssl_free)(void *ptr)
int ssl_set_max_frag_len(ssl_context *ssl, unsigned char mfl_code)
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes) (Server: set maximum fragment length to emit, usually negotiated by the client during handshake (Client: set maximum fragment length to emit and negotiate with the server during handshake)
SHA-512 context structure.
Definition: sha512.h:55
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:110
unsigned char * ticket
Definition: ssl.h:438
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:120
key_exchange_type_t key_exchange
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED
Processing of the compression / decompression failed.
Definition: ssl.h:129
size_t maclen
Definition: ssl.h:467
unsigned char * out_hdr
Definition: ssl.h:681
int ssl_set_own_cert(ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key)
Set own certificate chain and private key.
int trunc_hmac
Definition: ssl.h:448
void ssl_set_endpoint(ssl_context *ssl, int endpoint)
Set the current endpoint type.
void mpi_free(mpi *X)
Unallocate one MPI.
void ssl_set_ciphersuites(ssl_context *ssl, const int *ciphersuites)
Set the list of allowed ciphersuites (Overrides all version specific lists)
void sha512_starts(sha512_context *ctx, int is384)
SHA-512 context setup.
int x509_crt_verify(x509_crt *crt, x509_crt *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Verify the certificate signature.
#define SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:286
void ssl_set_rng(ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:622
void ssl_set_bio(ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send)
Set the underlying BIO read and write callbacks.
void ssl_free(ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
void sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
void md5_starts(md5_context *ctx)
MD5 context setup.
#define SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:210
int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Definition: ssl.h:375
unsigned char ssl_sig_from_pk(pk_context *pk)
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
No CA Chain is set, but required to operate.
Definition: ssl.h:109
void ssl_handshake_free(ssl_handshake_params *handshake)
Free referenced items in an SSL handshake context and clear memory.
int authmode
Definition: ssl.h:718
int ssl_flush_output(ssl_context *ssl)
int ssl_handshake(ssl_context *ssl)
Perform the SSL handshake.
unsigned char * in_offt
Definition: ssl.h:667
void ssl_set_min_version(ssl_context *ssl, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:196
unsigned char * in_msg
Definition: ssl.h:666
int ssl_set_hostname(ssl_context *ssl, const char *hostname)
Set hostname for ServerName TLS extension (client-side only)
aes_context dec
Definition: ssl.h:574
mpi z
Definition: ecdh.h:45
int ssl_handshake_step(ssl_context *ssl)
Perform a single step of the SSL handshake.
#define SSL_MINOR_VERSION_3
Definition: ssl.h:144
mpi K
Definition: dhm.h:151
MD5 context structure.
Definition: md5.h:54
pk_type_t
Public key types.
Definition: pk.h:90
aes_context enc
Definition: ssl.h:573
unsigned char mac_dec[32]
Definition: ssl.h:475
unsigned char iv_dec[16]
Definition: ssl.h:470
#define POLARSSL_ERR_NET_WANT_READ
Connection requires a read call.
Definition: net.h:41
#define SSL_HS_CERTIFICATE
Definition: ssl.h:321
int ssl_parse_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:58
size_t hostname_len
Definition: ssl.h:752
int cipher_reset(cipher_context_t *ctx)
Finish preparation of the given context.
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:601
int pk_init_ctx(pk_context *ctx, const pk_info_t *info)
Initialize a PK context with the information given and allocates the type-specific PK subcontext...
void sha512_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:295
This structure is used for storing ciphersuite information.
int ssl_close_notify(ssl_context *ssl)
Notify the peer that the connection is being closed.
const x509_crt * ssl_get_peer_cert(const ssl_context *ssl)
Return the peer certificate from the current connection.
void ssl_set_session_cache(ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache)
Set the session cache callbacks (server-side only) If not set, no session resuming is done...
#define SSL_HASH_SHA256
Definition: ssl.h:263
size_t ssl_get_bytes_avail(const ssl_context *ssl)
Return the number of data bytes available to read.
int md_hmac_starts(md_context_t *ctx, const unsigned char *key, size_t keylen)
Generic HMAC context setup.
int ssl_set_session(ssl_context *ssl, const ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
int cipher_set_padding_mode(cipher_context_t *ctx, cipher_padding_t mode)
Set padding mode, for cipher modes that use padding.
#define SSL_VERIFY_NONE
Definition: ssl.h:198
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:44
cipher_mode_t mode
Cipher mode (e.g.
Definition: cipher.h:212
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:202
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:169
size_t in_left
Definition: ssl.h:671
void sha512_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 final digest.
pk_context * key
Definition: ssl.h:586
int session_tickets
Definition: ssl.h:728
int cipher_init_ctx(cipher_context_t *ctx, const cipher_info_t *cipher_info)
Initialises and fills the cipher context structure with the appropriate values.
int allow_legacy_renegotiation
Definition: ssl.h:722
int cipher_setkey(cipher_context_t *ctx, const unsigned char *key, int key_length, const operation_t operation)
Set the key to use with the given context.
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition: ssl.h:135
ssl_session * session_out
Definition: ssl.h:645
#define SSL_TRUNCATED_HMAC_LEN
Definition: ssl.h:219
uint32_t state[4]
Definition: md5.h:57
void(* calc_finished)(ssl_context *, unsigned char *, int)
Definition: ssl.h:545
int ssl_read_record(ssl_context *ssl)
int ssl_set_own_cert_rsa(ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key)
Set own certificate chain and private RSA key.
size_t len
ASN1 length, e.g.
Definition: asn1.h:119
int md_hmac_reset(md_context_t *ctx)
Generic HMAC context reset.
#define pk_rsa(pk)
Quick access to an RSA context inside a PK context.
Definition: pk.h:69
int ssl_set_dh_param(ssl_context *ssl, const char *dhm_P, const char *dhm_G)
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default...
int(* f_vrfy)(void *, x509_crt *, int, int *)
Definition: ssl.h:632
int out_msgtype
Definition: ssl.h:685
void ssl_set_session_ticket_lifetime(ssl_context *ssl, int lifetime)
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))...
size_t out_left
Definition: ssl.h:687
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:191
int md_hmac_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic HMAC process buffer.
#define BADCERT_MISSING
Certificate was missing.
Definition: x509.h:78
void pk_free(pk_context *ctx)
Free a pk_context.
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED
Processing of the Finished handshake message failed.
Definition: ssl.h:125
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:48
md_context_t md_ctx_enc
Definition: ssl.h:478
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
unsigned char mac_enc[32]
Definition: ssl.h:474
int ssl_get_verify_result(const ssl_context *ssl)
Return the result of the certificate verification.
#define SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:296
never pad (full blocks only)
Definition: cipher.h:137
int ssl_session_reset(ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables...
void pk_init(pk_context *ctx)
Initialize a pk_context (as NONE)
int min_major_ver
Definition: ssl.h:605
Certificate revocation list structure.
Definition: x509_crl.h:69
const int * ssl_list_ciphersuites(void)
Returns the list of ciphersuites supported by the SSL/TLS module.
ssl_transform * transform_negotiate
Definition: ssl.h:658
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:207
#define SSL_HASH_SHA224
Definition: ssl.h:262
SSL/TLS functions.
unsigned char * in_iv
Definition: ssl.h:665
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:126
int disable_renegotiation
Definition: ssl.h:721
#define SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:289
void sha256_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 final digest.
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
void dhm_free(dhm_context *ctx)
Free the components of a DHM key.
void ecdh_init(ecdh_context *ctx)
Initialize context.
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:615
int ssl_derive_keys(ssl_context *ssl)
void ssl_set_authmode(ssl_context *ssl, int authmode)
Set the certificate verification mode.
md_type_t type
Digest identifier.
Definition: md.h:75
int(* f_set_cache)(void *, const ssl_session *)
Definition: ssl.h:616
SHA-256 context structure.
Definition: sha256.h:54
unsigned char mfl_code
Definition: ssl.h:444
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
key_exchange_type_t
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
int renegotiation
Definition: ssl.h:598
cipher_type_t cipher
dhm_context dhm_ctx
Definition: ssl.h:505
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1574
int md_free_ctx(md_context_t *ctx)
Free the message-specific context of ctx.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:711
size_t minlen
Definition: ssl.h:464
int ssl_read(ssl_context *ssl, unsigned char *buf, size_t len)
Read at most &#39;len&#39; application data bytes.
void ssl_transform_free(ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:236
unsigned char * psk_identity
Definition: ssl.h:743
#define SSL_SESSION_TICKETS_ENABLED
Definition: ssl.h:222
#define SSL_MSG_APPLICATION_DATA
Definition: ssl.h:284
uint64_t state[8]
Definition: sha512.h:58
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
#define SSL_MSG_ALERT
Definition: ssl.h:282
int ssl_renegotiate(ssl_context *ssl)
Initiate an SSL renegotiation on the running connection.
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:613
unsigned char key_name[16]
Definition: ssl.h:572
int key_own_alloc
Definition: ssl.h:587
int ssl_write(ssl_context *ssl, const unsigned char *buf, size_t len)
Write exactly &#39;len&#39; application data bytes.
ssl_key_cert * next
Definition: ssl.h:588
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
void sha512_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:97
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:116
void ssl_set_ca_chain(ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn)
Set the data required to verify peer certificate.
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
Message digest information.
Definition: md.h:73
x509_crt * ca_chain
Definition: ssl.h:702
md5_context fin_md5
Definition: ssl.h:531
int cipher_check_tag(cipher_context_t *ctx, const unsigned char *tag, size_t tag_len)
Check tag for AEAD ciphers.
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int endpoint
Definition: ssl.h:717
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:98
int ssl_set_own_cert_alt(ssl_context *ssl, x509_crt *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len)
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
void ssl_set_sni(ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
#define SSL_HASH_SHA512
Definition: ssl.h:265
unsigned int iv_size
IV/NONCE size, in bytes.
Definition: cipher.h:223
#define SSL_HASH_SHA384
Definition: ssl.h:264
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:637
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:177
void ecdh_free(ecdh_context *ctx)
Free context.
unsigned char * out_iv
Definition: ssl.h:682
unsigned char randbytes[64]
Definition: ssl.h:552
int md_hmac_finish(md_context_t *ctx, unsigned char *output)
Generic HMAC final digest.
int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Definition: ssl.h:372
Generic message digest context.
Definition: md.h:129
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
x509_crt * peer_cert
Definition: ssl.h:433
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:628
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.
#define SSL_HS_HELLO_REQUEST
Definition: ssl.h:317