PolarSSL v1.2.12
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2012, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #include "polarssl/config.h"
35 
36 #if defined(POLARSSL_SSL_TLS_C)
37 
38 #include "polarssl/aes.h"
39 #include "polarssl/arc4.h"
40 #include "polarssl/camellia.h"
41 #include "polarssl/des.h"
42 #include "polarssl/debug.h"
43 #include "polarssl/ssl.h"
44 #include "polarssl/sha2.h"
45 
46 #if defined(POLARSSL_GCM_C)
47 #include "polarssl/gcm.h"
48 #endif
49 
50 #include <stdlib.h>
51 #include <time.h>
52 
53 #if defined _MSC_VER && !defined strcasecmp
54 #define strcasecmp _stricmp
55 #endif
56 
57 /* Implementation that should never be optimized out by the compiler */
58 static void polarssl_zeroize( void *v, size_t n ) {
59  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
60 }
61 
62 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
63 int (*ssl_hw_record_init)(ssl_context *ssl,
64  const unsigned char *key_enc, const unsigned char *key_dec,
65  const unsigned char *iv_enc, const unsigned char *iv_dec,
66  const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
67 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
68 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
69 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
70 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
71 #endif
72 
73 static int ssl_rsa_decrypt( void *ctx,
74  int (*f_rng)(void *, unsigned char *, size_t),
75  void *p_rng, int mode, size_t *olen,
76  const unsigned char *input, unsigned char *output,
77  size_t output_max_len )
78 {
79  return rsa_pkcs1_decrypt( (rsa_context *) ctx, f_rng, p_rng, mode, olen,
80  input, output, output_max_len );
81 }
82 
83 static int ssl_rsa_sign( void *ctx,
84  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
85  int mode, int hash_id, unsigned int hashlen,
86  const unsigned char *hash, unsigned char *sig )
87 {
88  return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
89  hashlen, hash, sig );
90 }
91 
92 static size_t ssl_rsa_key_len( void *ctx )
93 {
94  return ( (rsa_context *) ctx )->len;
95 }
96 
97 /*
98  * Key material generation
99  */
100 static int ssl3_prf( unsigned char *secret, size_t slen, char *label,
101  unsigned char *random, size_t rlen,
102  unsigned char *dstbuf, size_t dlen )
103 {
104  size_t i;
107  unsigned char padding[16];
108  unsigned char sha1sum[20];
109  ((void)label);
110 
111  /*
112  * SSLv3:
113  * block =
114  * MD5( secret + SHA1( 'A' + secret + random ) ) +
115  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
116  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
117  * ...
118  */
119  for( i = 0; i < dlen / 16; i++ )
120  {
121  memset( padding, 'A' + i, 1 + i );
122 
123  sha1_starts( &sha1 );
124  sha1_update( &sha1, padding, 1 + i );
125  sha1_update( &sha1, secret, slen );
126  sha1_update( &sha1, random, rlen );
127  sha1_finish( &sha1, sha1sum );
128 
129  md5_starts( &md5 );
130  md5_update( &md5, secret, slen );
131  md5_update( &md5, sha1sum, 20 );
132  md5_finish( &md5, dstbuf + i * 16 );
133  }
134 
135  polarssl_zeroize( &md5, sizeof( md5 ) );
136  polarssl_zeroize( &sha1, sizeof( sha1 ) );
137 
138  polarssl_zeroize( padding, sizeof( padding ) );
139  polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
140 
141  return( 0 );
142 }
143 
144 static int tls1_prf( unsigned char *secret, size_t slen, char *label,
145  unsigned char *random, size_t rlen,
146  unsigned char *dstbuf, size_t dlen )
147 {
148  size_t nb, hs;
149  size_t i, j, k;
150  unsigned char *S1, *S2;
151  unsigned char tmp[128];
152  unsigned char h_i[20];
153 
154  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
156 
157  hs = ( slen + 1 ) / 2;
158  S1 = secret;
159  S2 = secret + slen - hs;
160 
161  nb = strlen( label );
162  memcpy( tmp + 20, label, nb );
163  memcpy( tmp + 20 + nb, random, rlen );
164  nb += rlen;
165 
166  /*
167  * First compute P_md5(secret,label+random)[0..dlen]
168  */
169  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
170 
171  for( i = 0; i < dlen; i += 16 )
172  {
173  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
174  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
175 
176  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
177 
178  for( j = 0; j < k; j++ )
179  dstbuf[i + j] = h_i[j];
180  }
181 
182  /*
183  * XOR out with P_sha1(secret,label+random)[0..dlen]
184  */
185  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
186 
187  for( i = 0; i < dlen; i += 20 )
188  {
189  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
190  sha1_hmac( S2, hs, tmp, 20, tmp );
191 
192  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
193 
194  for( j = 0; j < k; j++ )
195  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
196  }
197 
198  polarssl_zeroize( tmp, sizeof( tmp ) );
199  polarssl_zeroize( h_i, sizeof( h_i ) );
200 
201  return( 0 );
202 }
203 
204 static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
205  unsigned char *random, size_t rlen,
206  unsigned char *dstbuf, size_t dlen )
207 {
208  size_t nb;
209  size_t i, j, k;
210  unsigned char tmp[128];
211  unsigned char h_i[32];
212 
213  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
215 
216  nb = strlen( label );
217  memcpy( tmp + 32, label, nb );
218  memcpy( tmp + 32 + nb, random, rlen );
219  nb += rlen;
220 
221  /*
222  * Compute P_<hash>(secret, label + random)[0..dlen]
223  */
224  sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
225 
226  for( i = 0; i < dlen; i += 32 )
227  {
228  sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
229  sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
230 
231  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
232 
233  for( j = 0; j < k; j++ )
234  dstbuf[i + j] = h_i[j];
235  }
236 
237  polarssl_zeroize( tmp, sizeof( tmp ) );
238  polarssl_zeroize( h_i, sizeof( h_i ) );
239 
240  return( 0 );
241 }
242 
243 #if defined(POLARSSL_SHA4_C)
244 static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
245  unsigned char *random, size_t rlen,
246  unsigned char *dstbuf, size_t dlen )
247 {
248  size_t nb;
249  size_t i, j, k;
250  unsigned char tmp[128];
251  unsigned char h_i[48];
252 
253  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
255 
256  nb = strlen( label );
257  memcpy( tmp + 48, label, nb );
258  memcpy( tmp + 48 + nb, random, rlen );
259  nb += rlen;
260 
261  /*
262  * Compute P_<hash>(secret, label + random)[0..dlen]
263  */
264  sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
265 
266  for( i = 0; i < dlen; i += 48 )
267  {
268  sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
269  sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
270 
271  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
272 
273  for( j = 0; j < k; j++ )
274  dstbuf[i + j] = h_i[j];
275  }
276 
277  polarssl_zeroize( tmp, sizeof( tmp ) );
278  polarssl_zeroize( h_i, sizeof( h_i ) );
279 
280  return( 0 );
281 }
282 #endif
283 
284 static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
285 static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
286 static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
287 
288 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
289 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
290 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
291 
292 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
293 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
294 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
295 
296 #if defined(POLARSSL_SHA4_C)
297 static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
298 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
299 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
300 #endif
301 
302 int ssl_derive_keys( ssl_context *ssl )
303 {
304  unsigned char tmp[64];
305  unsigned char keyblk[256];
306  unsigned char *key1;
307  unsigned char *key2;
308  unsigned int iv_copy_len;
309  ssl_session *session = ssl->session_negotiate;
310  ssl_transform *transform = ssl->transform_negotiate;
311  ssl_handshake_params *handshake = ssl->handshake;
312 
313  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
314 
315  /*
316  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
317  */
318  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
319  {
320  handshake->tls_prf = ssl3_prf;
321  handshake->calc_verify = ssl_calc_verify_ssl;
322  handshake->calc_finished = ssl_calc_finished_ssl;
323  }
324  else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
325  {
326  handshake->tls_prf = tls1_prf;
327  handshake->calc_verify = ssl_calc_verify_tls;
328  handshake->calc_finished = ssl_calc_finished_tls;
329  }
330 #if defined(POLARSSL_SHA4_C)
331  else if( session->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
333  {
334  handshake->tls_prf = tls_prf_sha384;
335  handshake->calc_verify = ssl_calc_verify_tls_sha384;
336  handshake->calc_finished = ssl_calc_finished_tls_sha384;
337  }
338 #endif
339  else
340  {
341  handshake->tls_prf = tls_prf_sha256;
342  handshake->calc_verify = ssl_calc_verify_tls_sha256;
343  handshake->calc_finished = ssl_calc_finished_tls_sha256;
344  }
345 
346  /*
347  * SSLv3:
348  * master =
349  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
350  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
351  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
352  *
353  * TLSv1:
354  * master = PRF( premaster, "master secret", randbytes )[0..47]
355  */
356  if( handshake->resume == 0 )
357  {
358  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
359  handshake->pmslen );
360 
361  handshake->tls_prf( handshake->premaster, handshake->pmslen,
362  (char *) "master secret",
363  handshake->randbytes, 64, session->master, 48 );
364 
365  polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
366  }
367  else
368  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
369 
370  /*
371  * Swap the client and server random values.
372  */
373  memcpy( tmp, handshake->randbytes, 64 );
374  memcpy( handshake->randbytes, tmp + 32, 32 );
375  memcpy( handshake->randbytes + 32, tmp, 32 );
376  polarssl_zeroize( tmp, sizeof( tmp ) );
377 
378  /*
379  * SSLv3:
380  * key block =
381  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
382  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
383  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
384  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
385  * ...
386  *
387  * TLSv1:
388  * key block = PRF( master, "key expansion", randbytes )
389  */
390  handshake->tls_prf( session->master, 48, (char *) "key expansion",
391  handshake->randbytes, 64, keyblk, 256 );
392 
393  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
394  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
395  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
396  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
397  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
398 
399  polarssl_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
400 
401  /*
402  * Determine the appropriate key, IV and MAC length.
403  */
404  switch( session->ciphersuite )
405  {
406 #if defined(POLARSSL_ARC4_C)
408  transform->keylen = 16; transform->minlen = 16;
409  transform->ivlen = 0; transform->maclen = 16;
410  break;
411 
413  transform->keylen = 16; transform->minlen = 20;
414  transform->ivlen = 0; transform->maclen = 20;
415  break;
416 #endif
417 
418 #if defined(POLARSSL_DES_C)
421  transform->keylen = 24; transform->minlen = 24;
422  transform->ivlen = 8; transform->maclen = 20;
423  break;
424 #endif
425 
426 #if defined(POLARSSL_AES_C)
429  transform->keylen = 16; transform->minlen = 32;
430  transform->ivlen = 16; transform->maclen = 20;
431  break;
432 
435  transform->keylen = 32; transform->minlen = 32;
436  transform->ivlen = 16; transform->maclen = 20;
437  break;
438 
439 #if defined(POLARSSL_SHA2_C)
442  transform->keylen = 16; transform->minlen = 32;
443  transform->ivlen = 16; transform->maclen = 32;
444  break;
445 
448  transform->keylen = 32; transform->minlen = 32;
449  transform->ivlen = 16; transform->maclen = 32;
450  break;
451 #endif
452 #if defined(POLARSSL_GCM_C)
455  transform->keylen = 16; transform->minlen = 24;
456  transform->ivlen = 12; transform->maclen = 0;
457  transform->fixed_ivlen = 4;
458  break;
459 
462  transform->keylen = 32; transform->minlen = 24;
463  transform->ivlen = 12; transform->maclen = 0;
464  transform->fixed_ivlen = 4;
465  break;
466 #endif
467 #endif
468 
469 #if defined(POLARSSL_CAMELLIA_C)
472  transform->keylen = 16; transform->minlen = 32;
473  transform->ivlen = 16; transform->maclen = 20;
474  break;
475 
478  transform->keylen = 32; transform->minlen = 32;
479  transform->ivlen = 16; transform->maclen = 20;
480  break;
481 
482 #if defined(POLARSSL_SHA2_C)
485  transform->keylen = 16; transform->minlen = 32;
486  transform->ivlen = 16; transform->maclen = 32;
487  break;
488 
491  transform->keylen = 32; transform->minlen = 32;
492  transform->ivlen = 16; transform->maclen = 32;
493  break;
494 #endif
495 #endif
496 
497 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
498 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
500  transform->keylen = 0; transform->minlen = 0;
501  transform->ivlen = 0; transform->maclen = 16;
502  break;
503 
505  transform->keylen = 0; transform->minlen = 0;
506  transform->ivlen = 0; transform->maclen = 20;
507  break;
508 
510  transform->keylen = 0; transform->minlen = 0;
511  transform->ivlen = 0; transform->maclen = 32;
512  break;
513 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
514 
515 #if defined(POLARSSL_DES_C)
518  transform->keylen = 8; transform->minlen = 8;
519  transform->ivlen = 8; transform->maclen = 20;
520  break;
521 #endif
522 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
523 
524  default:
525  SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
526  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
528  }
529 
530  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
531  transform->keylen, transform->minlen, transform->ivlen,
532  transform->maclen ) );
533 
534  if( transform->maclen > sizeof transform->mac_enc )
535  {
536  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
538  }
539 
540  /*
541  * Finally setup the cipher contexts, IVs and MAC secrets.
542  */
543  if( ssl->endpoint == SSL_IS_CLIENT )
544  {
545  key1 = keyblk + transform->maclen * 2;
546  key2 = keyblk + transform->maclen * 2 + transform->keylen;
547 
548  memcpy( transform->mac_enc, keyblk, transform->maclen );
549  memcpy( transform->mac_dec, keyblk + transform->maclen,
550  transform->maclen );
551 
552  /*
553  * This is not used in TLS v1.1.
554  */
555  iv_copy_len = ( transform->fixed_ivlen ) ?
556  transform->fixed_ivlen : transform->ivlen;
557  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
558  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
559  iv_copy_len );
560  }
561  else
562  {
563  key1 = keyblk + transform->maclen * 2 + transform->keylen;
564  key2 = keyblk + transform->maclen * 2;
565 
566  memcpy( transform->mac_dec, keyblk, transform->maclen );
567  memcpy( transform->mac_enc, keyblk + transform->maclen,
568  transform->maclen );
569 
570  /*
571  * This is not used in TLS v1.1.
572  */
573  iv_copy_len = ( transform->fixed_ivlen ) ?
574  transform->fixed_ivlen : transform->ivlen;
575  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
576  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
577  iv_copy_len );
578  }
579 
580 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
581  if( ssl_hw_record_init != NULL)
582  {
583  int ret = 0;
584 
585  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
586 
587  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->iv_enc,
588  transform->iv_dec, transform->mac_enc,
589  transform->mac_dec ) ) != 0 )
590  {
591  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
593  }
594  }
595 #endif
596 
597  switch( session->ciphersuite )
598  {
599 #if defined(POLARSSL_ARC4_C)
602  arc4_setup( (arc4_context *) transform->ctx_enc, key1,
603  transform->keylen );
604  arc4_setup( (arc4_context *) transform->ctx_dec, key2,
605  transform->keylen );
606  break;
607 #endif
608 
609 #if defined(POLARSSL_DES_C)
612  des3_set3key_enc( (des3_context *) transform->ctx_enc, key1 );
613  des3_set3key_dec( (des3_context *) transform->ctx_dec, key2 );
614  break;
615 #endif
616 
617 #if defined(POLARSSL_AES_C)
622  aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 128 );
623  aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 128 );
624  break;
625 
630  aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 256 );
631  aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 256 );
632  break;
633 
634 #if defined(POLARSSL_GCM_C)
637  gcm_init( (gcm_context *) transform->ctx_enc, key1, 128 );
638  gcm_init( (gcm_context *) transform->ctx_dec, key2, 128 );
639  break;
640 
643  gcm_init( (gcm_context *) transform->ctx_enc, key1, 256 );
644  gcm_init( (gcm_context *) transform->ctx_dec, key2, 256 );
645  break;
646 #endif
647 #endif
648 
649 #if defined(POLARSSL_CAMELLIA_C)
654  camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 128 );
655  camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 128 );
656  break;
657 
662  camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 256 );
663  camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 256 );
664  break;
665 #endif
666 
667 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
668 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
672  break;
673 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
674 
675 #if defined(POLARSSL_DES_C)
678  des_setkey_enc( (des_context *) transform->ctx_enc, key1 );
679  des_setkey_dec( (des_context *) transform->ctx_dec, key2 );
680  break;
681 #endif
682 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
683 
684  default:
686  }
687 
688  polarssl_zeroize( keyblk, sizeof( keyblk ) );
689 
690 #if defined(POLARSSL_ZLIB_SUPPORT)
691  // Initialize compression
692  //
693  if( session->compression == SSL_COMPRESS_DEFLATE )
694  {
695  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
696 
697  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
698  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
699 
700  if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
701  inflateInit( &transform->ctx_inflate ) != Z_OK )
702  {
703  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
705  }
706  }
707 #endif /* POLARSSL_ZLIB_SUPPORT */
708 
709  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
710 
711  return( 0 );
712 }
713 
714 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
715 {
718  unsigned char pad_1[48];
719  unsigned char pad_2[48];
720 
721  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
722 
723  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
724  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
725 
726  memset( pad_1, 0x36, 48 );
727  memset( pad_2, 0x5C, 48 );
728 
729  md5_update( &md5, ssl->session_negotiate->master, 48 );
730  md5_update( &md5, pad_1, 48 );
731  md5_finish( &md5, hash );
732 
733  md5_starts( &md5 );
734  md5_update( &md5, ssl->session_negotiate->master, 48 );
735  md5_update( &md5, pad_2, 48 );
736  md5_update( &md5, hash, 16 );
737  md5_finish( &md5, hash );
738 
739  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
740  sha1_update( &sha1, pad_1, 40 );
741  sha1_finish( &sha1, hash + 16 );
742 
743  sha1_starts( &sha1 );
744  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
745  sha1_update( &sha1, pad_2, 40 );
746  sha1_update( &sha1, hash + 16, 20 );
747  sha1_finish( &sha1, hash + 16 );
748 
749  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
750  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
751 
752  return;
753 }
754 
755 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
756 {
759 
760  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
761 
762  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
763  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
764 
765  md5_finish( &md5, hash );
766  sha1_finish( &sha1, hash + 16 );
767 
768  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
769  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
770 
771  return;
772 }
773 
774 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
775 {
777 
778  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
779 
780  memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
781  sha2_finish( &sha2, hash );
782 
783  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
784  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
785 
786  return;
787 }
788 
789 #if defined(POLARSSL_SHA4_C)
790 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
791 {
793 
794  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
795 
796  memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
797  sha4_finish( &sha4, hash );
798 
799  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
800  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
801 
802  return;
803 }
804 #endif
805 
806 /*
807  * SSLv3.0 MAC functions
808  */
809 static void ssl_mac_md5( unsigned char *secret,
810  unsigned char *buf, size_t len,
811  unsigned char *ctr, int type )
812 {
813  unsigned char header[11];
814  unsigned char padding[48];
816 
817  memcpy( header, ctr, 8 );
818  header[ 8] = (unsigned char) type;
819  header[ 9] = (unsigned char)( len >> 8 );
820  header[10] = (unsigned char)( len );
821 
822  memset( padding, 0x36, 48 );
823  md5_starts( &md5 );
824  md5_update( &md5, secret, 16 );
825  md5_update( &md5, padding, 48 );
826  md5_update( &md5, header, 11 );
827  md5_update( &md5, buf, len );
828  md5_finish( &md5, buf + len );
829 
830  memset( padding, 0x5C, 48 );
831  md5_starts( &md5 );
832  md5_update( &md5, secret, 16 );
833  md5_update( &md5, padding, 48 );
834  md5_update( &md5, buf + len, 16 );
835  md5_finish( &md5, buf + len );
836 }
837 
838 static void ssl_mac_sha1( unsigned char *secret,
839  unsigned char *buf, size_t len,
840  unsigned char *ctr, int type )
841 {
842  unsigned char header[11];
843  unsigned char padding[40];
845 
846  memcpy( header, ctr, 8 );
847  header[ 8] = (unsigned char) type;
848  header[ 9] = (unsigned char)( len >> 8 );
849  header[10] = (unsigned char)( len );
850 
851  memset( padding, 0x36, 40 );
852  sha1_starts( &sha1 );
853  sha1_update( &sha1, secret, 20 );
854  sha1_update( &sha1, padding, 40 );
855  sha1_update( &sha1, header, 11 );
856  sha1_update( &sha1, buf, len );
857  sha1_finish( &sha1, buf + len );
858 
859  memset( padding, 0x5C, 40 );
860  sha1_starts( &sha1 );
861  sha1_update( &sha1, secret, 20 );
862  sha1_update( &sha1, padding, 40 );
863  sha1_update( &sha1, buf + len, 20 );
864  sha1_finish( &sha1, buf + len );
865 }
866 
867 static void ssl_mac_sha2( unsigned char *secret,
868  unsigned char *buf, size_t len,
869  unsigned char *ctr, int type )
870 {
871  unsigned char header[11];
872  unsigned char padding[32];
874 
875  memcpy( header, ctr, 8 );
876  header[ 8] = (unsigned char) type;
877  header[ 9] = (unsigned char)( len >> 8 );
878  header[10] = (unsigned char)( len );
879 
880  memset( padding, 0x36, 32 );
881  sha2_starts( &sha2, 0 );
882  sha2_update( &sha2, secret, 32 );
883  sha2_update( &sha2, padding, 32 );
884  sha2_update( &sha2, header, 11 );
885  sha2_update( &sha2, buf, len );
886  sha2_finish( &sha2, buf + len );
887 
888  memset( padding, 0x5C, 32 );
889  sha2_starts( &sha2, 0 );
890  sha2_update( &sha2, secret, 32 );
891  sha2_update( &sha2, padding, 32 );
892  sha2_update( &sha2, buf + len, 32 );
893  sha2_finish( &sha2, buf + len );
894 }
895 
896 /*
897  * Encryption/decryption functions
898  */
899 static int ssl_encrypt_buf( ssl_context *ssl )
900 {
901  size_t i, padlen;
902 
903  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
904 
905  /*
906  * Add MAC then encrypt
907  */
908  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
909  {
910  if( ssl->transform_out->maclen == 16 )
911  ssl_mac_md5( ssl->transform_out->mac_enc,
912  ssl->out_msg, ssl->out_msglen,
913  ssl->out_ctr, ssl->out_msgtype );
914  else if( ssl->transform_out->maclen == 20 )
915  ssl_mac_sha1( ssl->transform_out->mac_enc,
916  ssl->out_msg, ssl->out_msglen,
917  ssl->out_ctr, ssl->out_msgtype );
918  else if( ssl->transform_out->maclen == 32 )
919  ssl_mac_sha2( ssl->transform_out->mac_enc,
920  ssl->out_msg, ssl->out_msglen,
921  ssl->out_ctr, ssl->out_msgtype );
922  else if( ssl->transform_out->maclen != 0 )
923  {
924  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
925  ssl->transform_out->maclen ) );
927  }
928  }
929  else
930  {
931  if( ssl->transform_out->maclen == 16 )
932  {
933  md5_context ctx;
934  md5_hmac_starts( &ctx, ssl->transform_out->mac_enc, 16 );
935  md5_hmac_update( &ctx, ssl->out_ctr, 13 );
936  md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
937  md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
938  memset( &ctx, 0, sizeof(md5_context));
939  }
940  else if( ssl->transform_out->maclen == 20 )
941  {
942  sha1_context ctx;
943  sha1_hmac_starts( &ctx, ssl->transform_out->mac_enc, 20 );
944  sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
945  sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
946  sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
947  memset( &ctx, 0, sizeof(sha1_context));
948  }
949  else if( ssl->transform_out->maclen == 32 )
950  {
951  sha2_context ctx;
952  sha2_hmac_starts( &ctx, ssl->transform_out->mac_enc, 32, 0 );
953  sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
954  sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
955  sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
956  memset( &ctx, 0, sizeof(sha2_context));
957  }
958  else if( ssl->transform_out->maclen != 0 )
959  {
960  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
961  ssl->transform_out->maclen ) );
963  }
964  }
965 
966  SSL_DEBUG_BUF( 4, "computed mac",
967  ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
968 
969  ssl->out_msglen += ssl->transform_out->maclen;
970 
971  if( ssl->transform_out->ivlen == 0 )
972  {
973  padlen = 0;
974 
975  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
976  "including %d bytes of padding",
977  ssl->out_msglen, 0 ) );
978 
979  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
980  ssl->out_msg, ssl->out_msglen );
981 
982 #if defined(POLARSSL_ARC4_C)
985  {
987  ssl->out_msglen, ssl->out_msg,
988  ssl->out_msg );
989  } else
990 #endif
991 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
995  {
996  } else
997 #endif
999  }
1000  else if( ssl->transform_out->ivlen == 12 )
1001  {
1002  size_t enc_msglen;
1003  unsigned char *enc_msg;
1004  unsigned char add_data[13];
1006 
1007  padlen = 0;
1008 
1009  memcpy( add_data, ssl->out_ctr, 8 );
1010  add_data[8] = ssl->out_msgtype;
1011  add_data[9] = ssl->major_ver;
1012  add_data[10] = ssl->minor_ver;
1013  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1014  add_data[12] = ssl->out_msglen & 0xFF;
1015 
1016  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1017  add_data, 13 );
1018 
1019 #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1020 
1025  {
1026  /*
1027  * Generate IV
1028  */
1029  ret = ssl->f_rng( ssl->p_rng,
1031  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1032  if( ret != 0 )
1033  return( ret );
1034 
1035  /*
1036  * Shift message for ivlen bytes and prepend IV
1037  */
1038  memmove( ssl->out_msg + ssl->transform_out->ivlen -
1039  ssl->transform_out->fixed_ivlen,
1040  ssl->out_msg, ssl->out_msglen );
1041  memcpy( ssl->out_msg,
1043  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1044 
1045  /*
1046  * Fix pointer positions and message length with added IV
1047  */
1048  enc_msg = ssl->out_msg + ssl->transform_out->ivlen -
1049  ssl->transform_out->fixed_ivlen;
1050  enc_msglen = ssl->out_msglen;
1051  ssl->out_msglen += ssl->transform_out->ivlen -
1052  ssl->transform_out->fixed_ivlen;
1053 
1054  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1055  "including %d bytes of padding",
1056  ssl->out_msglen, 0 ) );
1057 
1058  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1059  ssl->out_msg, ssl->out_msglen );
1060 
1061  /*
1062  * Adjust for tag
1063  */
1064  ssl->out_msglen += 16;
1065 
1067  GCM_ENCRYPT, enc_msglen,
1068  ssl->transform_out->iv_enc, ssl->transform_out->ivlen,
1069  add_data, 13,
1070  enc_msg, enc_msg,
1071  16, enc_msg + enc_msglen );
1072 
1073  SSL_DEBUG_BUF( 4, "after encrypt: tag",
1074  enc_msg + enc_msglen, 16 );
1075 
1076  } else
1077 #endif
1078  return( ret );
1079  }
1080  else
1081  {
1082  unsigned char *enc_msg;
1083  size_t enc_msglen;
1084 
1085  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1086  ssl->transform_out->ivlen;
1087  if( padlen == ssl->transform_out->ivlen )
1088  padlen = 0;
1089 
1090  for( i = 0; i <= padlen; i++ )
1091  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1092 
1093  ssl->out_msglen += padlen + 1;
1094 
1095  enc_msglen = ssl->out_msglen;
1096  enc_msg = ssl->out_msg;
1097 
1098  /*
1099  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1100  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1101  */
1102  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1103  {
1104  /*
1105  * Generate IV
1106  */
1107  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1108  ssl->transform_out->ivlen );
1109  if( ret != 0 )
1110  return( ret );
1111 
1112  /*
1113  * Shift message for ivlen bytes and prepend IV
1114  */
1115  memmove( ssl->out_msg + ssl->transform_out->ivlen, ssl->out_msg,
1116  ssl->out_msglen );
1117  memcpy( ssl->out_msg, ssl->transform_out->iv_enc,
1118  ssl->transform_out->ivlen );
1119 
1120  /*
1121  * Fix pointer positions and message length with added IV
1122  */
1123  enc_msg = ssl->out_msg + ssl->transform_out->ivlen;
1124  enc_msglen = ssl->out_msglen;
1125  ssl->out_msglen += ssl->transform_out->ivlen;
1126  }
1127 
1128  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1129  "including %d bytes of IV and %d bytes of padding",
1130  ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
1131 
1132  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1133  ssl->out_msg, ssl->out_msglen );
1134 
1135  switch( ssl->transform_out->ivlen )
1136  {
1137 #if defined(POLARSSL_DES_C)
1138  case 8:
1139 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1142  {
1144  DES_ENCRYPT, enc_msglen,
1145  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1146  }
1147  else
1148 #endif
1150  DES_ENCRYPT, enc_msglen,
1151  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1152  break;
1153 #endif
1154 
1155  case 16:
1156 #if defined(POLARSSL_AES_C)
1165  {
1167  AES_ENCRYPT, enc_msglen,
1168  ssl->transform_out->iv_enc, enc_msg, enc_msg);
1169  break;
1170  }
1171 #endif
1172 
1173 #if defined(POLARSSL_CAMELLIA_C)
1182  {
1184  CAMELLIA_ENCRYPT, enc_msglen,
1185  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1186  break;
1187  }
1188 #endif
1189 
1190  default:
1192  }
1193  }
1194 
1195  for( i = 8; i > 0; i-- )
1196  if( ++ssl->out_ctr[i - 1] != 0 )
1197  break;
1198 
1199  /* The loops goes to its end iff the counter is wrapping */
1200  if( i == 0 )
1201  {
1202  SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
1204  }
1205 
1206  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1207 
1208  return( 0 );
1209 }
1210 
1211 /*
1212  * TODO: Use digest version when integrated!
1213  */
1214 #define POLARSSL_SSL_MAX_MAC_SIZE 32
1215 
1216 static int ssl_decrypt_buf( ssl_context *ssl )
1217 {
1218  size_t i, padlen = 0, correct = 1;
1219  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1220 
1221  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1222 
1223  if( ssl->in_msglen < ssl->transform_in->minlen )
1224  {
1225  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1226  ssl->in_msglen, ssl->transform_in->minlen ) );
1227  return( POLARSSL_ERR_SSL_INVALID_MAC );
1228  }
1229 
1230  if( ssl->transform_in->ivlen == 0 )
1231  {
1232 #if defined(POLARSSL_ARC4_C)
1235  {
1237  ssl->in_msglen, ssl->in_msg,
1238  ssl->in_msg );
1239  } else
1240 #endif
1241 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
1245  {
1246  } else
1247 #endif
1249  }
1250  else if( ssl->transform_in->ivlen == 12 )
1251  {
1252  unsigned char *dec_msg;
1253  unsigned char *dec_msg_result;
1254  size_t dec_msglen;
1255  unsigned char add_data[13];
1257  unsigned char taglen = 16;
1258  unsigned char explicit_iv_len = ssl->transform_in->ivlen -
1259  ssl->transform_in->fixed_ivlen;
1260 
1261 #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1266  {
1267  if( ssl->in_msglen < explicit_iv_len + taglen )
1268  {
1269  SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1270  "+ taglen (%d)", ssl->in_msglen,
1271  explicit_iv_len, taglen ) );
1272  return( POLARSSL_ERR_SSL_INVALID_MAC );
1273  }
1274  dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
1275 
1276  dec_msg = ssl->in_msg + explicit_iv_len;
1277  dec_msg_result = ssl->in_msg;
1278  ssl->in_msglen = dec_msglen;
1279 
1280  memcpy( add_data, ssl->in_ctr, 8 );
1281  add_data[8] = ssl->in_msgtype;
1282  add_data[9] = ssl->major_ver;
1283  add_data[10] = ssl->minor_ver;
1284  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1285  add_data[12] = ssl->in_msglen & 0xFF;
1286 
1287  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1288  add_data, 13 );
1289 
1290  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1291  ssl->in_msg,
1292  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1293 
1294  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1295  ssl->transform_in->ivlen );
1296  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1297 
1298  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1299  ssl->in_msg,
1300  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1301 
1303  dec_msglen,
1304  ssl->transform_in->iv_dec,
1305  ssl->transform_in->ivlen,
1306  add_data, 13,
1307  dec_msg + dec_msglen, 16,
1308  dec_msg, dec_msg_result );
1309 
1310  if( ret != 0 )
1311  {
1312  SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1313  -ret ) );
1314 
1315  return( POLARSSL_ERR_SSL_INVALID_MAC );
1316  }
1317  } else
1318 #endif
1319  return( ret );
1320  }
1321  else
1322  {
1323  /*
1324  * Decrypt and check the padding
1325  */
1326  unsigned char *dec_msg;
1327  unsigned char *dec_msg_result;
1328  size_t dec_msglen;
1329  size_t minlen = 0;
1330 
1331  /*
1332  * Check immediate ciphertext sanity
1333  */
1334  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1335  {
1336  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1337  ssl->in_msglen, ssl->transform_in->ivlen ) );
1338  return( POLARSSL_ERR_SSL_INVALID_MAC );
1339  }
1340 
1341  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1342  minlen += ssl->transform_in->ivlen;
1343 
1344  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1345  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1346  {
1347  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1348  ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1349  return( POLARSSL_ERR_SSL_INVALID_MAC );
1350  }
1351 
1352  dec_msglen = ssl->in_msglen;
1353  dec_msg = ssl->in_msg;
1354  dec_msg_result = ssl->in_msg;
1355 
1356  /*
1357  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1358  */
1359  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1360  {
1361  dec_msg += ssl->transform_in->ivlen;
1362  dec_msglen -= ssl->transform_in->ivlen;
1363  ssl->in_msglen -= ssl->transform_in->ivlen;
1364 
1365  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1366  ssl->transform_in->iv_dec[i] = ssl->in_msg[i];
1367  }
1368 
1369  switch( ssl->transform_in->ivlen )
1370  {
1371 #if defined(POLARSSL_DES_C)
1372  case 8:
1373 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1376  {
1378  DES_DECRYPT, dec_msglen,
1379  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1380  }
1381  else
1382 #endif
1384  DES_DECRYPT, dec_msglen,
1385  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1386  break;
1387 #endif
1388 
1389  case 16:
1390 #if defined(POLARSSL_AES_C)
1399  {
1401  AES_DECRYPT, dec_msglen,
1402  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1403  break;
1404  }
1405 #endif
1406 
1407 #if defined(POLARSSL_CAMELLIA_C)
1416  {
1418  CAMELLIA_DECRYPT, dec_msglen,
1419  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1420  break;
1421  }
1422 #endif
1423 
1424  default:
1426  }
1427 
1428  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1429 
1430  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1431  {
1432 #if defined(POLARSSL_SSL_DEBUG_ALL)
1433  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1434  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1435 #endif
1436  padlen = 0;
1437  correct = 0;
1438  }
1439 
1440  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1441  {
1442  if( padlen > ssl->transform_in->ivlen )
1443  {
1444 #if defined(POLARSSL_SSL_DEBUG_ALL)
1445  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1446  "should be no more than %d",
1447  padlen, ssl->transform_in->ivlen ) );
1448 #endif
1449  correct = 0;
1450  }
1451  }
1452  else
1453  {
1454  /*
1455  * TLSv1+: always check the padding up to the first failure
1456  * and fake check up to 256 bytes of padding
1457  */
1458  size_t pad_count = 0, real_count = 1;
1459  size_t padding_idx = ssl->in_msglen - padlen - 1;
1460 
1461  /*
1462  * Padding is guaranteed to be incorrect if:
1463  * 1. padlen >= ssl->in_msglen
1464  *
1465  * 2. padding_idx >= SSL_MAX_CONTENT_LEN +
1466  * ssl->transform_in->maclen
1467  *
1468  * In both cases we reset padding_idx to a safe value (0) to
1469  * prevent out-of-buffer reads.
1470  */
1471  correct &= ( ssl->in_msglen >= padlen + 1 );
1472  correct &= ( padding_idx < SSL_MAX_CONTENT_LEN +
1473  ssl->transform_in->maclen );
1474 
1475  padding_idx *= correct;
1476 
1477  for( i = 1; i <= 256; i++ )
1478  {
1479  real_count &= ( i <= padlen );
1480  pad_count += real_count *
1481  ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1482  }
1483 
1484  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1485 
1486 #if defined(POLARSSL_SSL_DEBUG_ALL)
1487  if( padlen > 0 && correct == 0)
1488  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1489 #endif
1490  padlen &= correct * 0x1FF;
1491  }
1492  }
1493 
1494  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1495  ssl->in_msg, ssl->in_msglen );
1496 
1497  /*
1498  * Always compute the MAC (RFC4346, CBCTIME).
1499  */
1500  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1501 
1502  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1503  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1504 
1505  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1506 
1507  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1508  {
1509  if( ssl->transform_in->maclen == 16 )
1510  ssl_mac_md5( ssl->transform_in->mac_dec,
1511  ssl->in_msg, ssl->in_msglen,
1512  ssl->in_ctr, ssl->in_msgtype );
1513  else if( ssl->transform_in->maclen == 20 )
1514  ssl_mac_sha1( ssl->transform_in->mac_dec,
1515  ssl->in_msg, ssl->in_msglen,
1516  ssl->in_ctr, ssl->in_msgtype );
1517  else if( ssl->transform_in->maclen == 32 )
1518  ssl_mac_sha2( ssl->transform_in->mac_dec,
1519  ssl->in_msg, ssl->in_msglen,
1520  ssl->in_ctr, ssl->in_msgtype );
1521  else if( ssl->transform_in->maclen != 0 )
1522  {
1523  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1524  ssl->transform_in->maclen ) );
1526  }
1527  }
1528  else
1529  {
1530  /*
1531  * Process MAC and always update for padlen afterwards to make
1532  * total time independent of padlen
1533  *
1534  * extra_run compensates MAC check for padlen
1535  *
1536  * Known timing attacks:
1537  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1538  *
1539  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1540  * correctly. (We round down instead of up, so -56 is the correct
1541  * value for our calculations instead of -55)
1542  */
1543  int j, extra_run = 0;
1544  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1545  ( 13 + ssl->in_msglen + 8 ) / 64;
1546 
1547  extra_run &= correct * 0xFF;
1548 
1549  if( ssl->transform_in->maclen == 16 )
1550  {
1551  md5_context ctx;
1552  md5_hmac_starts( &ctx, ssl->transform_in->mac_dec, 16 );
1553  md5_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1554  md5_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1555 
1556  for( j = 0; j < extra_run; j++ )
1557  md5_process( &ctx, ssl->in_msg );
1558  }
1559  else if( ssl->transform_in->maclen == 20 )
1560  {
1561  sha1_context ctx;
1562  sha1_hmac_starts( &ctx, ssl->transform_in->mac_dec, 20 );
1563  sha1_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1564  sha1_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1565 
1566  for( j = 0; j < extra_run; j++ )
1567  sha1_process( &ctx, ssl->in_msg );
1568  }
1569  else if( ssl->transform_in->maclen == 32 )
1570  {
1571  sha2_context ctx;
1572  sha2_hmac_starts( &ctx, ssl->transform_in->mac_dec, 32, 0 );
1573  sha2_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1574  sha2_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1575 
1576  for( j = 0; j < extra_run; j++ )
1577  sha2_process( &ctx, ssl->in_msg );
1578  }
1579  else if( ssl->transform_in->maclen != 0 )
1580  {
1581  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1582  ssl->transform_in->maclen ) );
1584  }
1585  }
1586 
1587  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1588  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1589  ssl->transform_in->maclen );
1590 
1591  if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1592  ssl->transform_in->maclen ) != 0 )
1593  {
1594 #if defined(POLARSSL_SSL_DEBUG_ALL)
1595  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1596 #endif
1597  correct = 0;
1598  }
1599 
1600  /*
1601  * Finally check the correct flag
1602  */
1603  if( correct == 0 )
1604  return( POLARSSL_ERR_SSL_INVALID_MAC );
1605 
1606  if( ssl->in_msglen == 0 )
1607  {
1608  ssl->nb_zero++;
1609 
1610  /*
1611  * Three or more empty messages may be a DoS attack
1612  * (excessive CPU consumption).
1613  */
1614  if( ssl->nb_zero > 3 )
1615  {
1616  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1617  "messages, possible DoS attack" ) );
1618  return( POLARSSL_ERR_SSL_INVALID_MAC );
1619  }
1620  }
1621  else
1622  ssl->nb_zero = 0;
1623 
1624  for( i = 8; i > 0; i-- )
1625  if( ++ssl->in_ctr[i - 1] != 0 )
1626  break;
1627 
1628  /* The loops goes to its end iff the counter is wrapping */
1629  if( i == 0 )
1630  {
1631  SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
1633  }
1634 
1635  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1636 
1637  return( 0 );
1638 }
1639 
1640 #if defined(POLARSSL_ZLIB_SUPPORT)
1641 /*
1642  * Compression/decompression functions
1643  */
1644 static int ssl_compress_buf( ssl_context *ssl )
1645 {
1646  int ret;
1647  unsigned char *msg_post = ssl->out_msg;
1648  size_t len_pre = ssl->out_msglen;
1649  unsigned char *msg_pre;
1650 
1651  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1652 
1653  msg_pre = (unsigned char*) malloc( len_pre );
1654  if( msg_pre == NULL )
1655  {
1656  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1658  }
1659 
1660  memcpy( msg_pre, ssl->out_msg, len_pre );
1661 
1662  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1663  ssl->out_msglen ) );
1664 
1665  SSL_DEBUG_BUF( 4, "before compression: output payload",
1666  ssl->out_msg, ssl->out_msglen );
1667 
1668  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1669  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1670  ssl->transform_out->ctx_deflate.next_out = msg_post;
1671  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1672 
1673  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1674  if( ret != Z_OK )
1675  {
1676  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1678  }
1679 
1680  ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
1681 
1682  free( msg_pre );
1683 
1684  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1685  ssl->out_msglen ) );
1686 
1687  SSL_DEBUG_BUF( 4, "after compression: output payload",
1688  ssl->out_msg, ssl->out_msglen );
1689 
1690  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1691 
1692  return( 0 );
1693 }
1694 
1695 static int ssl_decompress_buf( ssl_context *ssl )
1696 {
1697  int ret;
1698  unsigned char *msg_post = ssl->in_msg;
1699  size_t len_pre = ssl->in_msglen;
1700  unsigned char *msg_pre;
1701 
1702  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1703 
1704  msg_pre = (unsigned char*) malloc( len_pre );
1705  if( msg_pre == NULL )
1706  {
1707  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1709  }
1710 
1711  memcpy( msg_pre, ssl->in_msg, len_pre );
1712 
1713  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1714  ssl->in_msglen ) );
1715 
1716  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1717  ssl->in_msg, ssl->in_msglen );
1718 
1719  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1720  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1721  ssl->transform_in->ctx_inflate.next_out = msg_post;
1722  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1723 
1724  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1725  if( ret != Z_OK )
1726  {
1727  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1729  }
1730 
1731  ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
1732 
1733  free( msg_pre );
1734 
1735  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1736  ssl->in_msglen ) );
1737 
1738  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1739  ssl->in_msg, ssl->in_msglen );
1740 
1741  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1742 
1743  return( 0 );
1744 }
1745 #endif /* POLARSSL_ZLIB_SUPPORT */
1746 
1747 /*
1748  * Fill the input message buffer
1749  */
1750 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1751 {
1752  int ret;
1753  size_t len;
1754 
1755  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1756 
1757  if( nb_want > SSL_BUFFER_LEN - 8 )
1758  {
1759  SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1761  }
1762 
1763  while( ssl->in_left < nb_want )
1764  {
1765  len = nb_want - ssl->in_left;
1766  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1767 
1768  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1769  ssl->in_left, nb_want ) );
1770  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1771 
1772  if( ret == 0 )
1773  return( POLARSSL_ERR_SSL_CONN_EOF );
1774 
1775  if( ret < 0 )
1776  return( ret );
1777 
1778  ssl->in_left += ret;
1779  }
1780 
1781  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1782 
1783  return( 0 );
1784 }
1785 
1786 /*
1787  * Flush any data not yet written
1788  */
1789 int ssl_flush_output( ssl_context *ssl )
1790 {
1791  int ret;
1792  unsigned char *buf;
1793 
1794  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1795 
1796  while( ssl->out_left > 0 )
1797  {
1798  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1799  5 + ssl->out_msglen, ssl->out_left ) );
1800 
1801  if( ssl->out_msglen < ssl->out_left )
1802  {
1803  size_t header_left = ssl->out_left - ssl->out_msglen;
1804 
1805  buf = ssl->out_hdr + 5 - header_left;
1806  ret = ssl->f_send( ssl->p_send, buf, header_left );
1807 
1808  SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1809 
1810  if( ret <= 0 )
1811  return( ret );
1812 
1813  ssl->out_left -= ret;
1814  }
1815 
1816  buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
1817  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1818 
1819  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1820 
1821  if( ret <= 0 )
1822  return( ret );
1823 
1824  ssl->out_left -= ret;
1825  }
1826 
1827  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1828 
1829  return( 0 );
1830 }
1831 
1832 /*
1833  * Record layer functions
1834  */
1835 int ssl_write_record( ssl_context *ssl )
1836 {
1837  int ret, done = 0;
1838  size_t len = ssl->out_msglen;
1839 
1840  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1841 
1842  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1843  {
1844  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1845  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1846  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1847 
1848  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1849  }
1850 
1851 #if defined(POLARSSL_ZLIB_SUPPORT)
1852  if( ssl->transform_out != NULL &&
1854  {
1855  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1856  {
1857  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1858  return( ret );
1859  }
1860 
1861  len = ssl->out_msglen;
1862  }
1863 #endif /*POLARSSL_ZLIB_SUPPORT */
1864 
1865 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1866  if( ssl_hw_record_write != NULL)
1867  {
1868  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1869 
1870  ret = ssl_hw_record_write( ssl );
1871  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1872  {
1873  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1875  }
1876  done = 1;
1877  }
1878 #endif
1879  if( !done )
1880  {
1881  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1882  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1883  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1884  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1885  ssl->out_hdr[4] = (unsigned char)( len );
1886 
1887  if( ssl->transform_out != NULL )
1888  {
1889  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1890  {
1891  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1892  return( ret );
1893  }
1894 
1895  len = ssl->out_msglen;
1896  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1897  ssl->out_hdr[4] = (unsigned char)( len );
1898  }
1899 
1900  ssl->out_left = 5 + ssl->out_msglen;
1901 
1902  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1903  "version = [%d:%d], msglen = %d",
1904  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1905  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1906 
1907  SSL_DEBUG_BUF( 4, "output record header sent to network",
1908  ssl->out_hdr, 5 );
1909  SSL_DEBUG_BUF( 4, "output record sent to network",
1910  ssl->out_hdr + 32, ssl->out_msglen );
1911  }
1912 
1913  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1914  {
1915  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1916  return( ret );
1917  }
1918 
1919  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1920 
1921  return( 0 );
1922 }
1923 
1924 int ssl_read_record( ssl_context *ssl )
1925 {
1926  int ret, done = 0;
1927 
1928  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1929 
1930  if( ssl->in_hslen != 0 &&
1931  ssl->in_hslen < ssl->in_msglen )
1932  {
1933  /*
1934  * Get next Handshake message in the current record
1935  */
1936  ssl->in_msglen -= ssl->in_hslen;
1937 
1938  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
1939  ssl->in_msglen );
1940 
1941  ssl->in_hslen = 4;
1942  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1943 
1944  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1945  " %d, type = %d, hslen = %d",
1946  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1947 
1948  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1949  {
1950  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1952  }
1953 
1954  if( ssl->in_msglen < ssl->in_hslen )
1955  {
1956  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1958  }
1959 
1960  if( ssl->state != SSL_HANDSHAKE_OVER )
1961  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
1962 
1963  return( 0 );
1964  }
1965 
1966  ssl->in_hslen = 0;
1967 
1968  /*
1969  * Read the record header and validate it
1970  */
1971  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1972  {
1973  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1974  return( ret );
1975  }
1976 
1977  ssl->in_msgtype = ssl->in_hdr[0];
1978  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1979 
1980  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1981  "version = [%d:%d], msglen = %d",
1982  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1983  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1984 
1985  if( ssl->in_hdr[1] != ssl->major_ver )
1986  {
1987  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
1989  }
1990 
1991  if( ssl->in_hdr[2] > ssl->max_minor_ver )
1992  {
1993  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
1995  }
1996 
1997  /* Sanity check (outer boundaries) */
1998  if( ssl->in_msglen < 1 || ssl->in_msglen > SSL_BUFFER_LEN - 13 )
1999  {
2000  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2002  }
2003 
2004  /*
2005  * Make sure the message length is acceptable for the current transform
2006  * and protocol version.
2007  */
2008  if( ssl->transform_in == NULL )
2009  {
2010  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2011  {
2012  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2014  }
2015  }
2016  else
2017  {
2018  if( ssl->in_msglen < ssl->transform_in->minlen )
2019  {
2020  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2022  }
2023 
2024  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2026  {
2027  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2029  }
2030 
2031  /*
2032  * TLS encrypted messages can have up to 256 bytes of padding
2033  */
2034  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2035  ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
2036  {
2037  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2039  }
2040  }
2041 
2042  /*
2043  * Read and optionally decrypt the message contents
2044  */
2045  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2046  {
2047  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2048  return( ret );
2049  }
2050 
2051  SSL_DEBUG_BUF( 4, "input record from network",
2052  ssl->in_hdr, 5 + ssl->in_msglen );
2053 
2054 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2055  if( ssl_hw_record_read != NULL)
2056  {
2057  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2058 
2059  ret = ssl_hw_record_read( ssl );
2060  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2061  {
2062  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2064  }
2065  done = 1;
2066  }
2067 #endif
2068  if( !done && ssl->transform_in != NULL )
2069  {
2070  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2071  {
2072 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2073  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2074  {
2078  }
2079 #endif
2080  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2081  return( ret );
2082  }
2083 
2084  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2085  ssl->in_msg, ssl->in_msglen );
2086 
2087  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2088  {
2089  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2091  }
2092  }
2093 
2094 #if defined(POLARSSL_ZLIB_SUPPORT)
2095  if( ssl->transform_in != NULL &&
2097  {
2098  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2099  {
2100  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2101  return( ret );
2102  }
2103 
2104  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2105  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2106  }
2107 #endif /* POLARSSL_ZLIB_SUPPORT */
2108 
2109  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2110  ssl->in_msgtype != SSL_MSG_ALERT &&
2113  {
2114  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2115 
2116  if( ( ret = ssl_send_alert_message( ssl,
2119  {
2120  return( ret );
2121  }
2122 
2124  }
2125 
2126  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2127  {
2128  ssl->in_hslen = 4;
2129  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2130 
2131  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2132  " %d, type = %d, hslen = %d",
2133  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2134 
2135  /*
2136  * Additional checks to validate the handshake header
2137  */
2138  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2139  {
2140  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2142  }
2143 
2144  if( ssl->in_msglen < ssl->in_hslen )
2145  {
2146  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2148  }
2149 
2150  if( ssl->state != SSL_HANDSHAKE_OVER )
2151  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2152  }
2153 
2154  if( ssl->in_msgtype == SSL_MSG_ALERT )
2155  {
2156  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2157  ssl->in_msg[0], ssl->in_msg[1] ) );
2158 
2159  /*
2160  * Ignore non-fatal alerts, except close_notify
2161  */
2162  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2163  {
2164  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2165  ssl->in_msg[1] ) );
2171  }
2172 
2173  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2174  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2175  {
2176  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2178  }
2179  }
2180 
2181  ssl->in_left = 0;
2182 
2183  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2184 
2185  return( 0 );
2186 }
2187 
2189 {
2190  int ret;
2191 
2192  if( ( ret = ssl_send_alert_message( ssl,
2195  {
2196  return( ret );
2197  }
2198 
2199  return( 0 );
2200 }
2201 
2203  unsigned char level,
2204  unsigned char message )
2205 {
2206  int ret;
2207 
2208  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2209 
2210  ssl->out_msgtype = SSL_MSG_ALERT;
2211  ssl->out_msglen = 2;
2212  ssl->out_msg[0] = level;
2213  ssl->out_msg[1] = message;
2214 
2215  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2216  {
2217  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2218  return( ret );
2219  }
2220 
2221  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2222 
2223  return( 0 );
2224 }
2225 
2226 /*
2227  * Handshake functions
2228  */
2230 {
2231  int ret;
2232  size_t i, n;
2233  const x509_cert *crt;
2234 
2235  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2236 
2237  if( ssl->endpoint == SSL_IS_CLIENT )
2238  {
2239  if( ssl->client_auth == 0 )
2240  {
2241  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2242  ssl->state++;
2243  return( 0 );
2244  }
2245 
2246  /*
2247  * If using SSLv3 and got no cert, send an Alert message
2248  * (otherwise an empty Certificate message will be sent).
2249  */
2250  if( ssl->own_cert == NULL &&
2251  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2252  {
2253  ssl->out_msglen = 2;
2254  ssl->out_msgtype = SSL_MSG_ALERT;
2255  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2256  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2257 
2258  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2259  goto write_msg;
2260  }
2261  }
2262  else /* SSL_IS_SERVER */
2263  {
2264  if( ssl->own_cert == NULL )
2265  {
2266  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2268  }
2269  }
2270 
2271  SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
2272 
2273  /*
2274  * 0 . 0 handshake type
2275  * 1 . 3 handshake length
2276  * 4 . 6 length of all certs
2277  * 7 . 9 length of cert. 1
2278  * 10 . n-1 peer certificate
2279  * n . n+2 length of cert. 2
2280  * n+3 . ... upper level cert, etc.
2281  */
2282  i = 7;
2283  crt = ssl->own_cert;
2284 
2285  while( crt != NULL )
2286  {
2287  n = crt->raw.len;
2288  if( n > SSL_MAX_CONTENT_LEN - 3 - i )
2289  {
2290  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2291  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2293  }
2294 
2295  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2296  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2297  ssl->out_msg[i + 2] = (unsigned char)( n );
2298 
2299  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2300  i += n; crt = crt->next;
2301  }
2302 
2303  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2304  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2305  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2306 
2307  ssl->out_msglen = i;
2309  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2310 
2311 write_msg:
2312 
2313  ssl->state++;
2314 
2315  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2316  {
2317  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2318  return( ret );
2319  }
2320 
2321  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2322 
2323  return( 0 );
2324 }
2325 
2327 {
2328  int ret;
2329  size_t i, n;
2330 
2331  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2332 
2333  if( ssl->endpoint == SSL_IS_SERVER &&
2334  ssl->authmode == SSL_VERIFY_NONE )
2335  {
2337  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2338  ssl->state++;
2339  return( 0 );
2340  }
2341 
2342  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2343  {
2344  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2345  return( ret );
2346  }
2347 
2348  ssl->state++;
2349 
2350  /*
2351  * Check if the client sent an empty certificate
2352  */
2353  if( ssl->endpoint == SSL_IS_SERVER &&
2354  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2355  {
2356  if( ssl->in_msglen == 2 &&
2357  ssl->in_msgtype == SSL_MSG_ALERT &&
2358  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2359  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2360  {
2361  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2362 
2364  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2365  return( 0 );
2366  else
2368  }
2369  }
2370 
2371  if( ssl->endpoint == SSL_IS_SERVER &&
2372  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2373  {
2374  if( ssl->in_hslen == 7 &&
2375  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2376  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2377  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2378  {
2379  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2380 
2382  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2384  else
2385  return( 0 );
2386  }
2387  }
2388 
2389  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2390  {
2391  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2393  }
2394 
2395  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2396  {
2397  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2399  }
2400 
2401  /*
2402  * Same message structure as in ssl_write_certificate()
2403  */
2404  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2405 
2406  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2407  {
2408  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2410  }
2411 
2412  /* In case we tried to reuse a session but it failed */
2413  if( ssl->session_negotiate->peer_cert != NULL )
2414  {
2416  free( ssl->session_negotiate->peer_cert );
2417  }
2418 
2419  if( ( ssl->session_negotiate->peer_cert = (x509_cert *) malloc(
2420  sizeof( x509_cert ) ) ) == NULL )
2421  {
2422  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2423  sizeof( x509_cert ) ) );
2425  }
2426 
2427  memset( ssl->session_negotiate->peer_cert, 0, sizeof( x509_cert ) );
2428 
2429  i = 7;
2430 
2431  while( i < ssl->in_hslen )
2432  {
2433  if( ssl->in_msg[i] != 0 )
2434  {
2435  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2437  }
2438 
2439  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2440  | (unsigned int) ssl->in_msg[i + 2];
2441  i += 3;
2442 
2443  if( n < 128 || i + n > ssl->in_hslen )
2444  {
2445  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2447  }
2448 
2450  ssl->in_msg + i, n );
2451  if( ret != 0 )
2452  {
2453  SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2454  return( ret );
2455  }
2456 
2457  i += n;
2458  }
2459 
2460  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2461 
2462  /*
2463  * On client, make sure the server cert doesn't change during renego to
2464  * avoid "triple handshake" attack: https://secure-resumption.com/
2465  */
2466  if( ssl->endpoint == SSL_IS_CLIENT &&
2468  {
2469  if( ssl->session->peer_cert == NULL )
2470  {
2471  SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
2473  }
2474 
2475  if( ssl->session->peer_cert->raw.len !=
2477  memcmp( ssl->session->peer_cert->raw.p,
2479  ssl->session->peer_cert->raw.len ) != 0 )
2480  {
2481  SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
2483  }
2484  }
2485 
2486  if( ssl->authmode != SSL_VERIFY_NONE )
2487  {
2488  if( ssl->ca_chain == NULL )
2489  {
2490  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2492  }
2493 
2495  ssl->ca_chain, ssl->ca_crl,
2496  ssl->peer_cn, &ssl->verify_result,
2497  ssl->f_vrfy, ssl->p_vrfy );
2498 
2499  if( ret != 0 )
2500  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2501 
2502  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2503  ret = 0;
2504  }
2505 
2506  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2507 
2508  return( ret );
2509 }
2510 
2512 {
2513  int ret;
2514 
2515  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2516 
2518  ssl->out_msglen = 1;
2519  ssl->out_msg[0] = 1;
2520 
2521  ssl->state++;
2522 
2523  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2524  {
2525  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2526  return( ret );
2527  }
2528 
2529  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2530 
2531  return( 0 );
2532 }
2533 
2535 {
2536  int ret;
2537 
2538  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2539 
2540  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2541  {
2542  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2543  return( ret );
2544  }
2545 
2547  {
2548  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2550  }
2551 
2552  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2553  {
2554  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2556  }
2557 
2558  ssl->state++;
2559 
2560  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2561 
2562  return( 0 );
2563 }
2564 
2565 void ssl_optimize_checksum( ssl_context *ssl, int ciphersuite )
2566 {
2567 #if !defined(POLARSSL_SHA4_C)
2568  ((void) ciphersuite);
2569 #endif
2570 
2571  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2572  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2573 #if defined(POLARSSL_SHA4_C)
2574  else if ( ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
2575  ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
2576  {
2577  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2578  }
2579 #endif
2580  else
2581  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2582 }
2583 
2584 static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2585  size_t len )
2586 {
2587  md5_update( &ssl->handshake->fin_md5 , buf, len );
2588  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2589  sha2_update( &ssl->handshake->fin_sha2, buf, len );
2590 #if defined(POLARSSL_SHA4_C)
2591  sha4_update( &ssl->handshake->fin_sha4, buf, len );
2592 #endif
2593 }
2594 
2595 static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2596  size_t len )
2597 {
2598  md5_update( &ssl->handshake->fin_md5 , buf, len );
2599  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2600 }
2601 
2602 static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2603  size_t len )
2604 {
2605  sha2_update( &ssl->handshake->fin_sha2, buf, len );
2606 }
2607 
2608 #if defined(POLARSSL_SHA4_C)
2609 static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2610  size_t len )
2611 {
2612  sha4_update( &ssl->handshake->fin_sha4, buf, len );
2613 }
2614 #endif
2615 
2616 static void ssl_calc_finished_ssl(
2617  ssl_context *ssl, unsigned char *buf, int from )
2618 {
2619  const char *sender;
2620  md5_context md5;
2622 
2623  unsigned char padbuf[48];
2624  unsigned char md5sum[16];
2625  unsigned char sha1sum[20];
2626 
2627  ssl_session *session = ssl->session_negotiate;
2628  if( !session )
2629  session = ssl->session;
2630 
2631  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2632 
2633  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2634  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2635 
2636  /*
2637  * SSLv3:
2638  * hash =
2639  * MD5( master + pad2 +
2640  * MD5( handshake + sender + master + pad1 ) )
2641  * + SHA1( master + pad2 +
2642  * SHA1( handshake + sender + master + pad1 ) )
2643  */
2644 
2645 #if !defined(POLARSSL_MD5_ALT)
2646  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2647  md5.state, sizeof( md5.state ) );
2648 #endif
2649 
2650 #if !defined(POLARSSL_SHA1_ALT)
2651  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2652  sha1.state, sizeof( sha1.state ) );
2653 #endif
2654 
2655  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2656  : "SRVR";
2657 
2658  memset( padbuf, 0x36, 48 );
2659 
2660  md5_update( &md5, (const unsigned char *) sender, 4 );
2661  md5_update( &md5, session->master, 48 );
2662  md5_update( &md5, padbuf, 48 );
2663  md5_finish( &md5, md5sum );
2664 
2665  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2666  sha1_update( &sha1, session->master, 48 );
2667  sha1_update( &sha1, padbuf, 40 );
2668  sha1_finish( &sha1, sha1sum );
2669 
2670  memset( padbuf, 0x5C, 48 );
2671 
2672  md5_starts( &md5 );
2673  md5_update( &md5, session->master, 48 );
2674  md5_update( &md5, padbuf, 48 );
2675  md5_update( &md5, md5sum, 16 );
2676  md5_finish( &md5, buf );
2677 
2678  sha1_starts( &sha1 );
2679  sha1_update( &sha1, session->master, 48 );
2680  sha1_update( &sha1, padbuf , 40 );
2681  sha1_update( &sha1, sha1sum, 20 );
2682  sha1_finish( &sha1, buf + 16 );
2683 
2684  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2685 
2686  polarssl_zeroize( &md5, sizeof( md5_context ) );
2687  polarssl_zeroize( &sha1, sizeof( sha1_context ) );
2688 
2689  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2690  polarssl_zeroize( md5sum, sizeof( md5sum ) );
2691  polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
2692 
2693  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2694 }
2695 
2696 static void ssl_calc_finished_tls(
2697  ssl_context *ssl, unsigned char *buf, int from )
2698 {
2699  int len = 12;
2700  const char *sender;
2701  md5_context md5;
2703  unsigned char padbuf[36];
2704 
2705  ssl_session *session = ssl->session_negotiate;
2706  if( !session )
2707  session = ssl->session;
2708 
2709  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2710 
2711  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2712  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2713 
2714  /*
2715  * TLSv1:
2716  * hash = PRF( master, finished_label,
2717  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2718  */
2719 
2720 #if !defined(POLARSSL_MD5_ALT)
2721  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2722  md5.state, sizeof( md5.state ) );
2723 #endif
2724 
2725 #if !defined(POLARSSL_SHA1_ALT)
2726  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2727  sha1.state, sizeof( sha1.state ) );
2728 #endif
2729 
2730  sender = ( from == SSL_IS_CLIENT )
2731  ? "client finished"
2732  : "server finished";
2733 
2734  md5_finish( &md5, padbuf );
2735  sha1_finish( &sha1, padbuf + 16 );
2736 
2737  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2738  padbuf, 36, buf, len );
2739 
2740  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2741 
2742  polarssl_zeroize( &md5, sizeof( md5_context ) );
2743  polarssl_zeroize( &sha1, sizeof( sha1_context ) );
2744 
2745  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2746 
2747  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2748 }
2749 
2750 static void ssl_calc_finished_tls_sha256(
2751  ssl_context *ssl, unsigned char *buf, int from )
2752 {
2753  int len = 12;
2754  const char *sender;
2756  unsigned char padbuf[32];
2757 
2758  ssl_session *session = ssl->session_negotiate;
2759  if( !session )
2760  session = ssl->session;
2761 
2762  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2763 
2764  memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
2765 
2766  /*
2767  * TLSv1.2:
2768  * hash = PRF( master, finished_label,
2769  * Hash( handshake ) )[0.11]
2770  */
2771 
2772 #if !defined(POLARSSL_SHA2_ALT)
2773  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2774  sha2.state, sizeof( sha2.state ) );
2775 #endif
2776 
2777  sender = ( from == SSL_IS_CLIENT )
2778  ? "client finished"
2779  : "server finished";
2780 
2781  sha2_finish( &sha2, padbuf );
2782 
2783  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2784  padbuf, 32, buf, len );
2785 
2786  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2787 
2788  polarssl_zeroize( &sha2, sizeof( sha2_context ) );
2789  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2790 
2791  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2792 }
2793 
2794 #if defined(POLARSSL_SHA4_C)
2795 static void ssl_calc_finished_tls_sha384(
2796  ssl_context *ssl, unsigned char *buf, int from )
2797 {
2798  int len = 12;
2799  const char *sender;
2801  unsigned char padbuf[48];
2802 
2803  ssl_session *session = ssl->session_negotiate;
2804  if( !session )
2805  session = ssl->session;
2806 
2807  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
2808 
2809  memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
2810 
2811  /*
2812  * TLSv1.2:
2813  * hash = PRF( master, finished_label,
2814  * Hash( handshake ) )[0.11]
2815  */
2816 
2817 #if !defined(POLARSSL_SHA4_ALT)
2818  SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2819  sha4.state, sizeof( sha4.state ) );
2820 #endif
2821 
2822  sender = ( from == SSL_IS_CLIENT )
2823  ? "client finished"
2824  : "server finished";
2825 
2826  sha4_finish( &sha4, padbuf );
2827 
2828  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2829  padbuf, 48, buf, len );
2830 
2831  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2832 
2833  polarssl_zeroize( &sha4, sizeof( sha4_context ) );
2834  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2835 
2836  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2837 }
2838 #endif
2839 
2840 void ssl_handshake_wrapup( ssl_context *ssl )
2841 {
2842  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
2843 
2844  /*
2845  * Free our handshake params
2846  */
2847  ssl_handshake_free( ssl->handshake );
2848  free( ssl->handshake );
2849  ssl->handshake = NULL;
2850 
2851  /*
2852  * Switch in our now active transform context
2853  */
2854  if( ssl->transform )
2855  {
2856  ssl_transform_free( ssl->transform );
2857  free( ssl->transform );
2858  }
2859  ssl->transform = ssl->transform_negotiate;
2860  ssl->transform_negotiate = NULL;
2861 
2862  if( ssl->session )
2863  {
2864  ssl_session_free( ssl->session );
2865  free( ssl->session );
2866  }
2867  ssl->session = ssl->session_negotiate;
2868  ssl->session_negotiate = NULL;
2869 
2870  /*
2871  * Add cache entry
2872  */
2873  if( ssl->f_set_cache != NULL )
2874  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
2875  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
2876 
2877  ssl->state++;
2878 
2879  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
2880 }
2881 
2882 int ssl_write_finished( ssl_context *ssl )
2883 {
2884  int ret, hash_len;
2885 
2886  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2887 
2888  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2889 
2890  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2891  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2892 
2893  ssl->verify_data_len = hash_len;
2894  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
2895 
2896  ssl->out_msglen = 4 + hash_len;
2898  ssl->out_msg[0] = SSL_HS_FINISHED;
2899 
2900  /*
2901  * In case of session resuming, invert the client and server
2902  * ChangeCipherSpec messages order.
2903  */
2904  if( ssl->handshake->resume != 0 )
2905  {
2906  if( ssl->endpoint == SSL_IS_CLIENT )
2907  ssl->state = SSL_HANDSHAKE_WRAPUP;
2908  else
2910  }
2911  else
2912  ssl->state++;
2913 
2914  /*
2915  * Switch to our negotiated transform and session parameters for outbound data.
2916  */
2917  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
2918  ssl->transform_out = ssl->transform_negotiate;
2919  ssl->session_out = ssl->session_negotiate;
2920  memset( ssl->out_ctr, 0, 8 );
2921 
2922  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2923  {
2924  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2925  return( ret );
2926  }
2927 
2928  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2929 
2930  return( 0 );
2931 }
2932 
2933 int ssl_parse_finished( ssl_context *ssl )
2934 {
2935  int ret;
2936  unsigned int hash_len;
2937  unsigned char buf[36];
2938 
2939  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2940 
2941  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
2942 
2943  /*
2944  * Switch to our negotiated transform and session parameters for inbound data.
2945  */
2946  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
2947  ssl->transform_in = ssl->transform_negotiate;
2948  ssl->session_in = ssl->session_negotiate;
2949  memset( ssl->in_ctr, 0, 8 );
2950 
2951  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2952  {
2953  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2954  return( ret );
2955  }
2956 
2957  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2958  {
2959  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2961  }
2962 
2963  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2964  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2965 
2966  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2967  ssl->in_hslen != 4 + hash_len )
2968  {
2969  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2971  }
2972 
2973  if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2974  {
2975  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2977  }
2978 
2979  ssl->verify_data_len = hash_len;
2980  memcpy( ssl->peer_verify_data, buf, hash_len );
2981 
2982  if( ssl->handshake->resume != 0 )
2983  {
2984  if( ssl->endpoint == SSL_IS_CLIENT )
2986 
2987  if( ssl->endpoint == SSL_IS_SERVER )
2988  ssl->state = SSL_HANDSHAKE_WRAPUP;
2989  }
2990  else
2991  ssl->state++;
2992 
2993  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2994 
2995  return( 0 );
2996 }
2997 
2998 static int ssl_handshake_init( ssl_context *ssl )
2999 {
3000  if( ssl->transform_negotiate )
3002  else
3003  {
3004  ssl->transform_negotiate = malloc( sizeof(ssl_transform) );
3005  if( ssl->transform_negotiate != NULL )
3006  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
3007  }
3008 
3009  if( ssl->session_negotiate )
3011  else
3012  {
3013  ssl->session_negotiate = malloc( sizeof(ssl_session) );
3014  if( ssl->session_negotiate != NULL )
3015  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
3016  }
3017 
3018  if( ssl->handshake )
3019  ssl_handshake_free( ssl->handshake );
3020  else
3021  {
3022  ssl->handshake = malloc( sizeof(ssl_handshake_params) );
3023  if( ssl->handshake != NULL )
3024  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
3025  }
3026 
3027  if( ssl->handshake == NULL ||
3028  ssl->transform_negotiate == NULL ||
3029  ssl->session_negotiate == NULL )
3030  {
3031  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3033  }
3034 
3035  md5_starts( &ssl->handshake->fin_md5 );
3036  sha1_starts( &ssl->handshake->fin_sha1 );
3037  sha2_starts( &ssl->handshake->fin_sha2, 0 );
3038 #if defined(POLARSSL_SHA4_C)
3039  sha4_starts( &ssl->handshake->fin_sha4, 1 );
3040 #endif
3041 
3042  ssl->handshake->update_checksum = ssl_update_checksum_start;
3044 
3045  return( 0 );
3046 }
3047 
3048 /*
3049  * Initialize an SSL context
3050  */
3051 int ssl_init( ssl_context *ssl )
3052 {
3053  int ret;
3054  int len = SSL_BUFFER_LEN;
3055 
3056  memset( ssl, 0, sizeof( ssl_context ) );
3057 
3058  /*
3059  * Sane defaults
3060  */
3061  ssl->rsa_decrypt = ssl_rsa_decrypt;
3062  ssl->rsa_sign = ssl_rsa_sign;
3063  ssl->rsa_key_len = ssl_rsa_key_len;
3064 
3067 
3068  ssl->ciphersuites = malloc( sizeof(int *) * 4 );
3070 
3071 #if defined(POLARSSL_DHM_C)
3072  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3074  ( ret = mpi_read_string( &ssl->dhm_G, 16,
3076  {
3077  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3078  return( ret );
3079  }
3080 #endif
3081 
3082  /*
3083  * Prepare base structures
3084  */
3085  ssl->in_ctr = (unsigned char *) malloc( len );
3086  ssl->in_hdr = ssl->in_ctr + 8;
3087  ssl->in_msg = ssl->in_ctr + 13;
3088 
3089  if( ssl->in_ctr == NULL )
3090  {
3091  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3093  }
3094 
3095  ssl->out_ctr = (unsigned char *) malloc( len );
3096  ssl->out_hdr = ssl->out_ctr + 8;
3097  ssl->out_msg = ssl->out_ctr + 40;
3098 
3099  if( ssl->out_ctr == NULL )
3100  {
3101  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3102  free( ssl-> in_ctr );
3103  ssl->in_ctr = NULL;
3105  }
3106 
3107  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3108  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3109 
3110  ssl->hostname = NULL;
3111  ssl->hostname_len = 0;
3112 
3113  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3114  return( ret );
3115 
3116  return( 0 );
3117 }
3118 
3119 /*
3120  * Reset an initialized and used SSL context for re-use while retaining
3121  * all application-set variables, function pointers and data.
3122  */
3123 int ssl_session_reset( ssl_context *ssl )
3124 {
3125  int ret;
3126 
3127  ssl->state = SSL_HELLO_REQUEST;
3130 
3131  ssl->verify_data_len = 0;
3132  memset( ssl->own_verify_data, 0, 36 );
3133  memset( ssl->peer_verify_data, 0, 36 );
3134 
3135  ssl->in_offt = NULL;
3136 
3137  ssl->in_msgtype = 0;
3138  ssl->in_msglen = 0;
3139  ssl->in_left = 0;
3140 
3141  ssl->in_hslen = 0;
3142  ssl->nb_zero = 0;
3143 
3144  ssl->out_msgtype = 0;
3145  ssl->out_msglen = 0;
3146  ssl->out_left = 0;
3147 
3148  ssl->transform_in = NULL;
3149  ssl->transform_out = NULL;
3150 
3151  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3152  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3153 
3154 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3155  if( ssl_hw_record_reset != NULL)
3156  {
3157  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3158  if( ssl_hw_record_reset( ssl ) != 0 )
3159  {
3160  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3162  }
3163  }
3164 #endif
3165 
3166  if( ssl->transform )
3167  {
3168  ssl_transform_free( ssl->transform );
3169  free( ssl->transform );
3170  ssl->transform = NULL;
3171  }
3172 
3173  if( ssl->session )
3174  {
3175  ssl_session_free( ssl->session );
3176  free( ssl->session );
3177  ssl->session = NULL;
3178  }
3179 
3180  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3181  return( ret );
3182 
3183  return( 0 );
3184 }
3185 
3186 /*
3187  * SSL set accessors
3188  */
3189 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3190 {
3191  ssl->endpoint = endpoint;
3192 }
3193 
3194 void ssl_set_authmode( ssl_context *ssl, int authmode )
3195 {
3196  ssl->authmode = authmode;
3197 }
3198 
3199 void ssl_set_verify( ssl_context *ssl,
3200  int (*f_vrfy)(void *, x509_cert *, int, int *),
3201  void *p_vrfy )
3202 {
3203  ssl->f_vrfy = f_vrfy;
3204  ssl->p_vrfy = p_vrfy;
3205 }
3206 
3207 void ssl_set_rng( ssl_context *ssl,
3208  int (*f_rng)(void *, unsigned char *, size_t),
3209  void *p_rng )
3210 {
3211  ssl->f_rng = f_rng;
3212  ssl->p_rng = p_rng;
3213 }
3214 
3215 void ssl_set_dbg( ssl_context *ssl,
3216  void (*f_dbg)(void *, int, const char *),
3217  void *p_dbg )
3218 {
3219  ssl->f_dbg = f_dbg;
3220  ssl->p_dbg = p_dbg;
3221 }
3222 
3223 void ssl_set_bio( ssl_context *ssl,
3224  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3225  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3226 {
3227  ssl->f_recv = f_recv;
3228  ssl->f_send = f_send;
3229  ssl->p_recv = p_recv;
3230  ssl->p_send = p_send;
3231 }
3232 
3234  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3235  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3236 {
3237  ssl->f_get_cache = f_get_cache;
3238  ssl->p_get_cache = p_get_cache;
3239  ssl->f_set_cache = f_set_cache;
3240  ssl->p_set_cache = p_set_cache;
3241 }
3242 
3243 void ssl_set_session( ssl_context *ssl, const ssl_session *session )
3244 {
3245  memcpy( ssl->session_negotiate, session, sizeof(ssl_session) );
3246  ssl->handshake->resume = 1;
3247 }
3248 
3249 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3250 {
3251  ssl->ciphersuites[SSL_MINOR_VERSION_0] = ciphersuites;
3252  ssl->ciphersuites[SSL_MINOR_VERSION_1] = ciphersuites;
3253  ssl->ciphersuites[SSL_MINOR_VERSION_2] = ciphersuites;
3254  ssl->ciphersuites[SSL_MINOR_VERSION_3] = ciphersuites;
3255 }
3256 
3257 void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
3258  int major, int minor )
3259 {
3260  if( major != SSL_MAJOR_VERSION_3 )
3261  return;
3262 
3263  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3264  return;
3265 
3266  ssl->ciphersuites[minor] = ciphersuites;
3267 }
3268 
3269 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
3270  x509_crl *ca_crl, const char *peer_cn )
3271 {
3272  ssl->ca_chain = ca_chain;
3273  ssl->ca_crl = ca_crl;
3274  ssl->peer_cn = peer_cn;
3275 }
3276 
3277 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
3278  rsa_context *rsa_key )
3279 {
3280  ssl->own_cert = own_cert;
3281  ssl->rsa_key = rsa_key;
3282 }
3283 
3284 void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
3285  void *rsa_key,
3286  rsa_decrypt_func rsa_decrypt,
3287  rsa_sign_func rsa_sign,
3288  rsa_key_len_func rsa_key_len )
3289 {
3290  ssl->own_cert = own_cert;
3291  ssl->rsa_key = rsa_key;
3292  ssl->rsa_decrypt = rsa_decrypt;
3293  ssl->rsa_sign = rsa_sign;
3294  ssl->rsa_key_len = rsa_key_len;
3295 }
3296 
3297 
3298 #if defined(POLARSSL_DHM_C)
3299 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3300 {
3301  int ret;
3302 
3303  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3304  {
3305  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3306  return( ret );
3307  }
3308 
3309  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3310  {
3311  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3312  return( ret );
3313  }
3314 
3315  return( 0 );
3316 }
3317 
3318 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3319 {
3320  int ret;
3321 
3322  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3323  {
3324  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3325  return( ret );
3326  }
3327 
3328  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3329  {
3330  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3331  return( ret );
3332  }
3333 
3334  return( 0 );
3335 }
3336 #endif /* POLARSSL_DHM_C */
3337 
3338 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3339 {
3340  if( hostname == NULL )
3342 
3343  ssl->hostname_len = strlen( hostname );
3344 
3345  if( ssl->hostname_len + 1 == 0 )
3347 
3348  ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
3349 
3350  if( ssl->hostname == NULL )
3352 
3353  memcpy( ssl->hostname, (const unsigned char *) hostname,
3354  ssl->hostname_len );
3355 
3356  ssl->hostname[ssl->hostname_len] = '\0';
3357 
3358  return( 0 );
3359 }
3360 
3361 void ssl_set_sni( ssl_context *ssl,
3362  int (*f_sni)(void *, ssl_context *,
3363  const unsigned char *, size_t),
3364  void *p_sni )
3365 {
3366  ssl->f_sni = f_sni;
3367  ssl->p_sni = p_sni;
3368 }
3369 
3370 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3371 {
3372  ssl->max_major_ver = major;
3373  ssl->max_minor_ver = minor;
3374 }
3375 
3376 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3377 {
3378  ssl->min_major_ver = major;
3379  ssl->min_minor_ver = minor;
3380 }
3381 
3382 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3383 {
3384  ssl->disable_renegotiation = renegotiation;
3385 }
3386 
3387 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3388 {
3389  ssl->allow_legacy_renegotiation = allow_legacy;
3390 }
3391 
3392 /*
3393  * SSL get accessors
3394  */
3395 size_t ssl_get_bytes_avail( const ssl_context *ssl )
3396 {
3397  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3398 }
3399 
3400 int ssl_get_verify_result( const ssl_context *ssl )
3401 {
3402  return( ssl->verify_result );
3403 }
3404 
3405 const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
3406 {
3407  switch( ciphersuite_id )
3408  {
3409 #if defined(POLARSSL_ARC4_C)
3411  return( "TLS-RSA-WITH-RC4-128-MD5" );
3412 
3414  return( "TLS-RSA-WITH-RC4-128-SHA" );
3415 #endif
3416 
3417 #if defined(POLARSSL_DES_C)
3419  return( "TLS-RSA-WITH-3DES-EDE-CBC-SHA" );
3420 
3422  return( "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA" );
3423 #endif
3424 
3425 #if defined(POLARSSL_AES_C)
3427  return( "TLS-RSA-WITH-AES-128-CBC-SHA" );
3428 
3430  return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA" );
3431 
3433  return( "TLS-RSA-WITH-AES-256-CBC-SHA" );
3434 
3436  return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA" );
3437 
3438 #if defined(POLARSSL_SHA2_C)
3440  return( "TLS-RSA-WITH-AES-128-CBC-SHA256" );
3441 
3443  return( "TLS-RSA-WITH-AES-256-CBC-SHA256" );
3444 
3446  return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256" );
3447 
3449  return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" );
3450 #endif
3451 
3452 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3454  return( "TLS-RSA-WITH-AES-128-GCM-SHA256" );
3455 
3457  return( "TLS-RSA-WITH-AES-256-GCM-SHA384" );
3458 #endif
3459 
3460 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3462  return( "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" );
3463 
3465  return( "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" );
3466 #endif
3467 #endif /* POLARSSL_AES_C */
3468 
3469 #if defined(POLARSSL_CAMELLIA_C)
3471  return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" );
3472 
3474  return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA" );
3475 
3477  return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA" );
3478 
3480  return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA" );
3481 
3482 #if defined(POLARSSL_SHA2_C)
3484  return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
3485 
3487  return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
3488 
3490  return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
3491 
3493  return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
3494 #endif
3495 #endif
3496 
3497 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3498 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
3499  case TLS_RSA_WITH_NULL_MD5:
3500  return( "TLS-RSA-WITH-NULL-MD5" );
3501  case TLS_RSA_WITH_NULL_SHA:
3502  return( "TLS-RSA-WITH-NULL-SHA" );
3504  return( "TLS-RSA-WITH-NULL-SHA256" );
3505 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3506 
3507 #if defined(POLARSSL_DES_C)
3509  return( "TLS-RSA-WITH-DES-CBC-SHA" );
3511  return( "TLS-DHE-RSA-WITH-DES-CBC-SHA" );
3512 #endif
3513 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3514 
3515  default:
3516  break;
3517  }
3518 
3519  return( "unknown" );
3520 }
3521 
3522 int ssl_get_ciphersuite_id( const char *ciphersuite_name )
3523 {
3524 #if defined(POLARSSL_ARC4_C)
3525  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-MD5"))
3526  return( TLS_RSA_WITH_RC4_128_MD5 );
3527  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-SHA"))
3528  return( TLS_RSA_WITH_RC4_128_SHA );
3529 #endif
3530 
3531 #if defined(POLARSSL_DES_C)
3532  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-3DES-EDE-CBC-SHA"))
3534  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"))
3536 #endif
3537 
3538 #if defined(POLARSSL_AES_C)
3539  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA"))
3540  return( TLS_RSA_WITH_AES_128_CBC_SHA );
3541  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"))
3543  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA"))
3544  return( TLS_RSA_WITH_AES_256_CBC_SHA );
3545  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"))
3547 
3548 #if defined(POLARSSL_SHA2_C)
3549  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA256"))
3551  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA256"))
3553  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"))
3555  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"))
3557 #endif
3558 
3559 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3560  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-GCM-SHA256"))
3562  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-GCM-SHA384"))
3564 #endif
3565 
3566 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3567  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"))
3569  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"))
3571 #endif
3572 #endif
3573 
3574 #if defined(POLARSSL_CAMELLIA_C)
3575  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"))
3577  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"))
3579  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"))
3581  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"))
3583 
3584 #if defined(POLARSSL_SHA2_C)
3585  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
3587  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
3589  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
3591  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
3593 #endif
3594 #endif
3595 
3596 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3597 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
3598  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-MD5"))
3599  return( TLS_RSA_WITH_NULL_MD5 );
3600  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA"))
3601  return( TLS_RSA_WITH_NULL_SHA );
3602  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA256"))
3603  return( TLS_RSA_WITH_NULL_SHA256 );
3604 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3605 
3606 #if defined(POLARSSL_DES_C)
3607  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-DES-CBC-SHA"))
3608  return( TLS_RSA_WITH_DES_CBC_SHA );
3609  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-DES-CBC-SHA"))
3610  return( TLS_DHE_RSA_WITH_DES_CBC_SHA );
3611 #endif
3612 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3613 
3614  return( 0 );
3615 }
3616 
3617 int ssl_get_ciphersuite_min_version( const int ciphersuite_id )
3618 {
3619  switch( ciphersuite_id )
3620  {
3633  case TLS_RSA_WITH_NULL_MD5:
3634  case TLS_RSA_WITH_NULL_SHA:
3637  return SSL_MINOR_VERSION_0;
3638 
3652  return SSL_MINOR_VERSION_3;
3653 
3654  default:
3655  break;
3656  }
3657 
3658  return SSL_MINOR_VERSION_0;
3659 }
3660 
3661 const char *ssl_get_ciphersuite( const ssl_context *ssl )
3662 {
3663  if( ssl == NULL || ssl->session == NULL )
3664  return NULL;
3665 
3667 }
3668 
3669 const char *ssl_get_version( const ssl_context *ssl )
3670 {
3671  switch( ssl->minor_ver )
3672  {
3673  case SSL_MINOR_VERSION_0:
3674  return( "SSLv3.0" );
3675 
3676  case SSL_MINOR_VERSION_1:
3677  return( "TLSv1.0" );
3678 
3679  case SSL_MINOR_VERSION_2:
3680  return( "TLSv1.1" );
3681 
3682  case SSL_MINOR_VERSION_3:
3683  return( "TLSv1.2" );
3684 
3685  default:
3686  break;
3687  }
3688  return( "unknown" );
3689 }
3690 
3691 const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
3692 {
3693  if( ssl == NULL || ssl->session == NULL )
3694  return NULL;
3695 
3696  return ssl->session->peer_cert;
3697 }
3698 
3699 const int ssl_default_ciphersuites[] =
3700 {
3701 #if defined(POLARSSL_DHM_C)
3702 #if defined(POLARSSL_AES_C)
3703 #if defined(POLARSSL_SHA2_C)
3705 #endif /* POLARSSL_SHA2_C */
3706 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3708 #endif
3710 #if defined(POLARSSL_SHA2_C)
3712 #endif
3713 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3715 #endif
3717 #endif
3718 #if defined(POLARSSL_CAMELLIA_C)
3719 #if defined(POLARSSL_SHA2_C)
3721 #endif /* POLARSSL_SHA2_C */
3723 #if defined(POLARSSL_SHA2_C)
3725 #endif /* POLARSSL_SHA2_C */
3727 #endif
3728 #if defined(POLARSSL_DES_C)
3730 #endif
3731 #endif
3732 
3733 #if defined(POLARSSL_AES_C)
3734 #if defined(POLARSSL_SHA2_C)
3736 #endif /* POLARSSL_SHA2_C */
3737 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3739 #endif /* POLARSSL_SHA2_C */
3741 #endif
3742 #if defined(POLARSSL_CAMELLIA_C)
3743 #if defined(POLARSSL_SHA2_C)
3745 #endif /* POLARSSL_SHA2_C */
3747 #endif
3748 #if defined(POLARSSL_AES_C)
3749 #if defined(POLARSSL_SHA2_C)
3751 #endif /* POLARSSL_SHA2_C */
3752 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3754 #endif /* POLARSSL_SHA2_C */
3756 #endif
3757 #if defined(POLARSSL_CAMELLIA_C)
3758 #if defined(POLARSSL_SHA2_C)
3760 #endif /* POLARSSL_SHA2_C */
3762 #endif
3763 #if defined(POLARSSL_DES_C)
3765 #endif
3766 #if defined(POLARSSL_ARC4_C)
3769 #endif
3770  0
3771 };
3772 
3773 /*
3774  * Perform a single step of the SSL handshake
3775  */
3776 int ssl_handshake_step( ssl_context *ssl )
3777 {
3779 
3780 #if defined(POLARSSL_SSL_CLI_C)
3781  if( ssl->endpoint == SSL_IS_CLIENT )
3782  ret = ssl_handshake_client_step( ssl );
3783 #endif
3784 
3785 #if defined(POLARSSL_SSL_SRV_C)
3786  if( ssl->endpoint == SSL_IS_SERVER )
3787  ret = ssl_handshake_server_step( ssl );
3788 #endif
3789 
3790  return( ret );
3791 }
3792 
3793 /*
3794  * Perform the SSL handshake
3795  */
3796 int ssl_handshake( ssl_context *ssl )
3797 {
3798  int ret = 0;
3799 
3800  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3801 
3802  while( ssl->state != SSL_HANDSHAKE_OVER )
3803  {
3804  ret = ssl_handshake_step( ssl );
3805 
3806  if( ret != 0 )
3807  break;
3808  }
3809 
3810  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3811 
3812  return( ret );
3813 }
3814 
3815 /*
3816  * Renegotiate current connection
3817  */
3818 int ssl_renegotiate( ssl_context *ssl )
3819 {
3820  int ret;
3821 
3822  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
3823 
3824  if( ssl->state != SSL_HANDSHAKE_OVER )
3826 
3827  ssl->state = SSL_HELLO_REQUEST;
3829 
3830  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3831  return( ret );
3832 
3833  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3834  {
3835  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3836  return( ret );
3837  }
3838 
3839  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
3840 
3841  return( 0 );
3842 }
3843 
3844 /*
3845  * Receive application data decrypted from the SSL layer
3846  */
3847 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
3848 {
3849  int ret;
3850  size_t n;
3851 
3852  SSL_DEBUG_MSG( 2, ( "=> read" ) );
3853 
3854  if( ssl->state != SSL_HANDSHAKE_OVER )
3855  {
3856  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3857  {
3858  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3859  return( ret );
3860  }
3861  }
3862 
3863  if( ssl->in_offt == NULL )
3864  {
3865  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3866  {
3867  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3868  return( 0 );
3869 
3870  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3871  return( ret );
3872  }
3873 
3874  if( ssl->in_msglen == 0 &&
3876  {
3877  /*
3878  * OpenSSL sends empty messages to randomize the IV
3879  */
3880  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3881  {
3882  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3883  return( 0 );
3884 
3885  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3886  return( ret );
3887  }
3888  }
3889 
3890  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
3891  {
3892  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
3893 
3894  if( ssl->endpoint == SSL_IS_CLIENT &&
3895  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
3896  ssl->in_hslen != 4 ) )
3897  {
3898  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
3900  }
3901 
3905  {
3906  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
3907 
3908  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
3909  {
3910  /*
3911  * SSLv3 does not have a "no_renegotiation" alert
3912  */
3913  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
3914  return( ret );
3915  }
3916  else
3917  {
3918  if( ( ret = ssl_send_alert_message( ssl,
3921  {
3922  return( ret );
3923  }
3924  }
3925  }
3926  else
3927  {
3928  if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
3929  {
3930  SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
3931  return( ret );
3932  }
3933  }
3934 
3935  /* Tell the user to call ssl_read() again */
3936  return( POLARSSL_ERR_NET_WANT_READ );
3937  }
3938 
3939  /* Fatal and closure alerts handled by ssl_read_record() */
3940  if( ssl->in_msgtype == SSL_MSG_ALERT )
3941  {
3942  SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
3943  return( POLARSSL_ERR_NET_WANT_READ );
3944  }
3945 
3946  if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3947  {
3948  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
3950  }
3951 
3952  ssl->in_offt = ssl->in_msg;
3953  }
3954 
3955  n = ( len < ssl->in_msglen )
3956  ? len : ssl->in_msglen;
3957 
3958  memcpy( buf, ssl->in_offt, n );
3959  ssl->in_msglen -= n;
3960 
3961  if( ssl->in_msglen == 0 )
3962  /* all bytes consumed */
3963  ssl->in_offt = NULL;
3964  else
3965  /* more data available */
3966  ssl->in_offt += n;
3967 
3968  SSL_DEBUG_MSG( 2, ( "<= read" ) );
3969 
3970  return( (int) n );
3971 }
3972 
3973 /*
3974  * Send application data to be encrypted by the SSL layer
3975  */
3976 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
3977 {
3978  int ret;
3979  size_t n;
3980 
3981  SSL_DEBUG_MSG( 2, ( "=> write" ) );
3982 
3983  if( ssl->state != SSL_HANDSHAKE_OVER )
3984  {
3985  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3986  {
3987  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3988  return( ret );
3989  }
3990  }
3991 
3992  n = ( len < SSL_MAX_CONTENT_LEN )
3993  ? len : SSL_MAX_CONTENT_LEN;
3994 
3995  if( ssl->out_left != 0 )
3996  {
3997  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3998  {
3999  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4000  return( ret );
4001  }
4002  }
4003  else
4004  {
4005  ssl->out_msglen = n;
4007  memcpy( ssl->out_msg, buf, n );
4008 
4009  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4010  {
4011  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4012  return( ret );
4013  }
4014  }
4015 
4016  SSL_DEBUG_MSG( 2, ( "<= write" ) );
4017 
4018  return( (int) n );
4019 }
4020 
4021 /*
4022  * Notify the peer that the connection is being closed
4023  */
4024 int ssl_close_notify( ssl_context *ssl )
4025 {
4026  int ret;
4027 
4028  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4029 
4030  if( ssl->out_left != 0 )
4031  return( ssl_flush_output( ssl ) );
4032 
4033  if( ssl->state == SSL_HANDSHAKE_OVER )
4034  {
4035  if( ( ret = ssl_send_alert_message( ssl,
4037  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4038  {
4039  return( ret );
4040  }
4041  }
4042 
4043  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4044 
4045  return( 0 );
4046 }
4047 
4048 void ssl_transform_free( ssl_transform *transform )
4049 {
4050 #if defined(POLARSSL_ZLIB_SUPPORT)
4051  deflateEnd( &transform->ctx_deflate );
4052  inflateEnd( &transform->ctx_inflate );
4053 #endif
4054 
4055  polarssl_zeroize( transform, sizeof( ssl_transform ) );
4056 }
4057 
4058 void ssl_handshake_free( ssl_handshake_params *handshake )
4059 {
4060 #if defined(POLARSSL_DHM_C)
4061  dhm_free( &handshake->dhm_ctx );
4062 #endif
4063  polarssl_zeroize( handshake, sizeof( ssl_handshake_params ) );
4064 }
4065 
4066 void ssl_session_free( ssl_session *session )
4067 {
4068  if( session->peer_cert != NULL )
4069  {
4070  x509_free( session->peer_cert );
4071  free( session->peer_cert );
4072  }
4073 
4074  polarssl_zeroize( session, sizeof( ssl_session ) );
4075 }
4076 
4077 /*
4078  * Free an SSL context
4079  */
4080 void ssl_free( ssl_context *ssl )
4081 {
4082  SSL_DEBUG_MSG( 2, ( "=> free" ) );
4083 
4084  free( ssl->ciphersuites );
4085 
4086  if( ssl->out_ctr != NULL )
4087  {
4088  polarssl_zeroize( ssl->out_ctr, SSL_BUFFER_LEN );
4089  free( ssl->out_ctr );
4090  }
4091 
4092  if( ssl->in_ctr != NULL )
4093  {
4094  polarssl_zeroize( ssl->in_ctr, SSL_BUFFER_LEN );
4095  free( ssl->in_ctr );
4096  }
4097 
4098 #if defined(POLARSSL_DHM_C)
4099  mpi_free( &ssl->dhm_P );
4100  mpi_free( &ssl->dhm_G );
4101 #endif
4102 
4103  if( ssl->transform )
4104  {
4105  ssl_transform_free( ssl->transform );
4106  free( ssl->transform );
4107  }
4108 
4109  if( ssl->handshake )
4110  {
4111  ssl_handshake_free( ssl->handshake );
4114 
4115  free( ssl->handshake );
4116  free( ssl->transform_negotiate );
4117  free( ssl->session_negotiate );
4118  }
4119 
4120  if( ssl->session )
4121  {
4122  ssl_session_free( ssl->session );
4123  free( ssl->session );
4124  }
4125 
4126  if ( ssl->hostname != NULL)
4127  {
4128  polarssl_zeroize( ssl->hostname, ssl->hostname_len );
4129  free( ssl->hostname );
4130  ssl->hostname_len = 0;
4131  }
4132 
4133 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4134  if( ssl_hw_record_finish != NULL )
4135  {
4136  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4137  ssl_hw_record_finish( ssl );
4138  }
4139 #endif
4140 
4141  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4142 
4143  /* Actually clear after last debug message */
4144  polarssl_zeroize( ssl, sizeof( ssl_context ) );
4145 }
4146 
4147 #endif
unsigned char * hostname
Definition: ssl.h:516
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:219
ssl_session * session_in
Definition: ssl.h:442
#define SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:223
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:174
void sha1_hmac_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 HMAC final digest.
void * p_set_cache
Definition: ssl.h:435
int ciphersuite
Definition: ssl.h:321
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Processing of the ChangeCipherSpec handshake message failed.
Definition: ssl.h:87
mpi P
Definition: dhm.h:139
int x509parse_crt_der(x509_cert *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
size_t in_hslen
Definition: ssl.h:470
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
void(* f_dbg)(void *, int, const char *)
Definition: ssl.h:421
#define SSL_HS_FINISHED
Definition: ssl.h:257
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:420
void sha2_hmac_update(sha2_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 HMAC process buffer.
SHA-256 context structure.
Definition: sha2.h:50
#define POLARSSL_DHM_RFC5114_MODP_1024_P
Definition: dhm.h:91
size_t ivlen
Definition: ssl.h:340
int gcm_auth_decrypt(gcm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *tag, size_t tag_len, const unsigned char *input, unsigned char *output)
GCM buffer authenticated decryption using AES.
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition: ssl.h:176
int major_ver
Definition: ssl.h:409
void(* update_checksum)(ssl_context *, unsigned char *, size_t)
Definition: ssl.h:385
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:38
#define TLS_RSA_WITH_AES_128_CBC_SHA
Definition: ssl.h:167
int(* tls_prf)(unsigned char *, size_t, char *, unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl.h:388
int arc4_crypt(arc4_context *ctx, size_t length, const unsigned char *input, unsigned char *output)
ARC4 cipher function.
SHA-1 context structure.
Definition: sha1.h:50
sha1_context fin_sha1
Definition: ssl.h:381
int compression
Definition: ssl.h:322
void arc4_setup(arc4_context *ctx, const unsigned char *key, unsigned int keylen)
ARC4 key schedule.
const int ** ciphersuites
Definition: ssl.h:506
int state
Definition: ssl.h:406
const char * peer_cn
Definition: ssl.h:495
unsigned char master[48]
Definition: ssl.h:325
#define TLS_RSA_WITH_RC4_128_SHA
Definition: ssl.h:162
char peer_verify_data[36]
Definition: ssl.h:526
int camellia_crypt_cbc(camellia_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
CAMELLIA-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
void ssl_set_own_cert(ssl_context *ssl, x509_cert *own_cert, rsa_context *rsa_key)
Set own certificate chain and private key.
ssl_transform * transform_out
Definition: ssl.h:454
Debug functions.
#define DES_ENCRYPT
Definition: des.h:41
int ssl_get_ciphersuite_min_version(const int ciphersuite_id)
#define POLARSSL_ERR_SSL_CONN_EOF
The connection indicated an EOF.
Definition: ssl.h:64
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:427
int nb_zero
Definition: ssl.h:471
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:386
#define TLS_RSA_WITH_AES_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:172
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
DHM context structure.
Definition: dhm.h:136
x509_cert * peer_cert
Definition: ssl.h:326
#define SSL_BUFFER_LEN
Definition: ssl.h:150
#define SSL_IS_CLIENT
Definition: ssl.h:105
#define SSL_HASH_SHA1
Definition: ssl.h:197
void ssl_set_verify(ssl_context *ssl, int(*f_vrfy)(void *, x509_cert *, int, int *), void *p_vrfy)
Set the verification callback (Optional).
ssl_session * session_negotiate
Definition: ssl.h:445
x509_cert * ca_chain
Definition: ssl.h:493
ssl_session * session
Definition: ssl.h:444
void ssl_legacy_renegotiation(ssl_context *ssl, int allow_legacy)
Prevent or allow legacy renegotiation.
int ssl_parse_certificate(ssl_context *ssl)
void ssl_set_dbg(ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg)
Set the debug callback.
#define POLARSSL_ERR_SSL_INVALID_RECORD
An invalid SSL record was received.
Definition: ssl.h:63
void ssl_set_own_cert_alt(ssl_context *ssl, x509_cert *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len)
Set own certificate and alternate non-PolarSSL private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
#define BADCERT_SKIP_VERIFY
Certificate verification was skipped.
Definition: x509.h:81
void sha2_hmac_starts(sha2_context *ctx, const unsigned char *key, size_t keylen, int is224)
SHA-256 HMAC context setup.
uint32_t state[5]
Definition: sha1.h:53
unsigned char iv_enc[16]
Definition: ssl.h:344
size_t out_msglen
Definition: ssl.h:481
ssl_transform * transform_in
Definition: ssl.h:453
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:429
x509_buf raw
The raw certificate data (DER).
Definition: x509.h:293
int rsa_pkcs1_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 signature using the mode from the context.
rsa_sign_func rsa_sign
Definition: ssl.h:489
mpi dhm_P
Definition: ssl.h:509
#define AES_DECRYPT
Definition: aes.h:42
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:181
#define SSL_RENEGOTIATION
Definition: ssl.h:115
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
void sha1_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[20])
Output = HMAC-SHA-1( hmac key, input buffer )
AES context structure.
Definition: aes.h:54
void x509_free(x509_cert *crt)
Unallocate all certificate data.
int ssl_write_finished(ssl_context *ssl)
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:182
Configuration options (set of defines)
ssl_transform * transform
Definition: ssl.h:455
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:35
unsigned char * out_ctr
Definition: ssl.h:476
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
Camellia block cipher.
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
The peer notified us that the connection is going to be closed.
Definition: ssl.h:76
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:525
int camellia_setkey_enc(camellia_context *ctx, const unsigned char *key, unsigned int keysize)
CAMELLIA key schedule (encryption)
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:188
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:423
int rsa_pkcs1_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Generic wrapper to perform a PKCS#1 decryption using the mode from the context.
#define SSL_VERIFY_OPTIONAL
Definition: ssl.h:111
size_t in_msglen
Definition: ssl.h:467
int ssl_set_dh_param_ctx(ssl_context *ssl, dhm_context *dhm_ctx)
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) ...
unsigned char * in_hdr
Definition: ssl.h:462
int secure_renegotiation
Definition: ssl.h:522
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA
Definition: ssl.h:164
int(* rsa_decrypt_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Definition: ssl.h:274
Container for an X.509 certificate.
Definition: x509.h:291
uint64_t state[8]
Definition: sha4.h:54
DES context structure.
Definition: des.h:55
#define SSL_VERIFY_REQUIRED
Definition: ssl.h:112
#define SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:244
void md5_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[16])
Output = HMAC-MD5( hmac key, input buffer )
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:123
void * p_vrfy
Definition: ssl.h:433
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:99
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Definition: ssl.h:165
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED
Hardware acceleration function returned with error.
Definition: ssl.h:90
void ssl_set_max_version(ssl_context *ssl, int major, int minor)
Set the maximum supported version sent from the client side.
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:62
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
No client certification received from the client, but required by the authentication mode...
Definition: ssl.h:68
void * p_recv
Definition: ssl.h:431
#define GCM_ENCRYPT
Definition: gcm.h:39
const int ssl_default_ciphersuites[]
void ssl_set_ciphersuites_for_version(ssl_context *ssl, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites for a specific version of the protocol.
int des3_set3key_enc(des3_context *ctx, const unsigned char key[DES_KEY_SIZE *3])
Triple-DES key schedule (168-bit, encryption)
int ssl_init(ssl_context *ssl)
Initialize an SSL context.
int max_major_ver
Definition: ssl.h:412
int ssl_get_ciphersuite_id(const char *ciphersuite_name)
Return the ID of the ciphersuite associated with the given name.
#define SSL_MINOR_VERSION_1
Definition: ssl.h:101
unsigned int keylen
Definition: ssl.h:338
void sha2_hmac_finish(sha2_context *ctx, unsigned char output[32])
SHA-256 HMAC final digest.
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Definition: ssl.h:187
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
Hardware acceleration function skipped / left alone data.
Definition: ssl.h:91
int des3_set3key_dec(des3_context *ctx, const unsigned char key[DES_KEY_SIZE *3])
Triple-DES key schedule (168-bit, decryption)
int max_minor_ver
Definition: ssl.h:413
unsigned char premaster[POLARSSL_MPI_MAX_SIZE]
Definition: ssl.h:395
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
The own certificate is not set, but needed by the server.
Definition: ssl.h:70
void sha4_starts(sha4_context *ctx, int is384)
SHA-512 context setup.
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:222
#define TLS_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:186
unsigned char * in_ctr
Definition: ssl.h:461
ssl_handshake_params * handshake
Definition: ssl.h:447
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:69
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:215
size_t fixed_ivlen
Definition: ssl.h:341
#define SSL_MINOR_VERSION_2
Definition: ssl.h:102
void sha4_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
int ssl_write_certificate(ssl_context *ssl)
int gcm_crypt_and_tag(gcm_context *ctx, int mode, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, size_t tag_len, unsigned char *tag)
GCM buffer encryption/decryption using AES.
size_t(* rsa_key_len_func)(void *ctx)
Definition: ssl.h:283
#define POLARSSL_DHM_RFC5114_MODP_1024_G
Definition: dhm.h:99
RSA context structure.
Definition: rsa.h:135
rsa_key_len_func rsa_key_len
Definition: ssl.h:490
int in_msgtype
Definition: ssl.h:466
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
A fatal alert message was received from our peer.
Definition: ssl.h:74
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Definition: ssl.h:178
Triple-DES context structure.
Definition: des.h:65
void md5_hmac_starts(md5_context *ctx, const unsigned char *key, size_t keylen)
MD5 HMAC context setup.
size_t verify_data_len
Definition: ssl.h:524
const char * ssl_get_ciphersuite(const ssl_context *ssl)
Return the name of the current ciphersuite.
mpi dhm_G
Definition: ssl.h:510
mpi G
Definition: dhm.h:140
#define SSL_IS_SERVER
Definition: ssl.h:106
const char * ssl_get_version(const ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
void ssl_set_renegotiation(ssl_context *ssl, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIAT...
int min_minor_ver
Definition: ssl.h:415
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
unsigned char * out_msg
Definition: ssl.h:478
sha2_context fin_sha2
Definition: ssl.h:382
SHA-224 and SHA-256 cryptographic hash function.
#define SSL_MINOR_VERSION_0
Definition: ssl.h:100
int client_auth
Definition: ssl.h:502
#define SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:213
void * p_dbg
Definition: ssl.h:430
void * p_send
Definition: ssl.h:432
x509_crl * ca_crl
Definition: ssl.h:494
sha4_context fin_sha4
Definition: ssl.h:383
#define TLS_DHE_RSA_WITH_DES_CBC_SHA
Weak! Not in TLS 1.2.
Definition: ssl.h:159
int ssl_handshake_client_step(ssl_context *ssl)
void sha4_update(sha4_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:73
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:112
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition: ssl.h:177
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED
Processing of the compression / decompression failed.
Definition: ssl.h:92
size_t maclen
Definition: ssl.h:342
unsigned char * out_hdr
Definition: ssl.h:477
AES block cipher.
int(* f_vrfy)(void *, x509_cert *, int, int *)
Definition: ssl.h:424
void ssl_set_endpoint(ssl_context *ssl, int endpoint)
Set the current endpoint type.
void mpi_free(mpi *X)
Unallocate one MPI.
void ssl_set_ciphersuites(ssl_context *ssl, const int *ciphersuites)
Set the list of allowed ciphersuites (Default: ssl_default_ciphersuites) (Overrides all version speci...
void md5_process(md5_context *ctx, const unsigned char data[64])
#define TLS_RSA_WITH_NULL_SHA256
Weak!
Definition: ssl.h:157
#define SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:218
void ssl_set_rng(ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
void * p_get_cache
Definition: ssl.h:434
#define TLS_RSA_WITH_RC4_128_MD5
Definition: ssl.h:161
void ssl_set_bio(ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send)
Set the underlying BIO read and write callbacks.
void ssl_free(ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
void md5_starts(md5_context *ctx)
MD5 context setup.
GCM context structure.
Definition: gcm.h:48
#define SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:120
int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Definition: ssl.h:279
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
No CA Chain is set, but required to operate.
Definition: ssl.h:72
CAMELLIA context structure.
Definition: camellia.h:54
void ssl_handshake_free(ssl_handshake_params *handshake)
Free referenced items in an SSL handshake context and clear memory.
int authmode
Definition: ssl.h:501
int ssl_flush_output(ssl_context *ssl)
int ssl_handshake(ssl_context *ssl)
Perform the SSL handshake.
unsigned char * in_offt
Definition: ssl.h:464
rsa_decrypt_func rsa_decrypt
Definition: ssl.h:488
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Definition: ssl.h:170
void ssl_set_min_version(ssl_context *ssl, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0)...
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:108
void sha1_hmac_starts(sha1_context *ctx, const unsigned char *key, size_t keylen)
SHA-1 HMAC context setup.
unsigned char * in_msg
Definition: ssl.h:463
void ssl_set_session(ssl_context *ssl, const ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
int ssl_set_hostname(ssl_context *ssl, const char *hostname)
Set hostname for ServerName TLS extension (client-side only)
uint32_t state[8]
Definition: sha2.h:53
void md5_hmac_finish(md5_context *ctx, unsigned char output[16])
MD5 HMAC final digest.
int ssl_handshake_step(ssl_context *ssl)
Perform a single step of the SSL handshake.
#define SSL_MINOR_VERSION_3
Definition: ssl.h:103
MD5 context structure.
Definition: md5.h:50
unsigned char mac_dec[32]
Definition: ssl.h:348
int gcm_init(gcm_context *ctx, const unsigned char *key, unsigned int keysize)
GCM initialization (encryption)
unsigned char iv_dec[16]
Definition: ssl.h:345
#define POLARSSL_ERR_NET_WANT_READ
Connection requires a read call.
Definition: net.h:41
#define SSL_HS_CERTIFICATE
Definition: ssl.h:251
int ssl_parse_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:47
size_t hostname_len
Definition: ssl.h:517
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:410
int des_crypt_cbc(des_context *ctx, int mode, size_t length, unsigned char iv[8], const unsigned char *input, unsigned char *output)
DES-CBC buffer encryption/decryption.
struct _x509_cert * next
Next certificate in the CA-chain.
Definition: x509.h:331
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:227
DES block cipher.
int ssl_close_notify(ssl_context *ssl)
Notify the peer that the connection is being closed.
void ssl_set_session_cache(ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache)
Set the session cache callbacks (server-side only) If not set, no session resuming is done...
size_t ssl_get_bytes_avail(const ssl_context *ssl)
Return the number of data bytes available to read.
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:173
#define SSL_VERIFY_NONE
Definition: ssl.h:110
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:41
#define AES_ENCRYPT
Definition: aes.h:41
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:114
size_t in_left
Definition: ssl.h:468
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Definition: ssl.h:179
void sha2_update(sha2_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int allow_legacy_renegotiation
Definition: ssl.h:505
void sha2_process(sha2_context *ctx, const unsigned char data[64])
ssl_session * session_out
Definition: ssl.h:443
int camellia_setkey_dec(camellia_context *ctx, const unsigned char *key, unsigned int keysize)
CAMELLIA key schedule (decryption)
uint32_t state[4]
Definition: md5.h:53
void(* calc_finished)(ssl_context *, unsigned char *, int)
Definition: ssl.h:387
int ssl_read_record(ssl_context *ssl)
size_t len
ASN1 length, e.g.
Definition: asn1.h:111
int des_setkey_enc(des_context *ctx, const unsigned char key[DES_KEY_SIZE])
DES key schedule (56-bit, encryption)
#define TLS_RSA_WITH_AES_256_CBC_SHA
Definition: ssl.h:169
int ssl_set_dh_param(ssl_context *ssl, const char *dhm_P, const char *dhm_G)
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default...
#define TLS_RSA_WITH_AES_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:171
void sha4(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
int out_msgtype
Definition: ssl.h:480
int des_setkey_dec(des_context *ctx, const unsigned char key[DES_KEY_SIZE])
DES key schedule (56-bit, decryption)
uint32_t ctx_enc[136]
Definition: ssl.h:350
size_t out_left
Definition: ssl.h:482
#define DES_DECRYPT
Definition: des.h:42
#define BADCERT_MISSING
Certificate was missing.
Definition: x509.h:80
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED
Processing of the Finished handshake message failed.
Definition: ssl.h:88
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
void sha2_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
unsigned char mac_enc[32]
Definition: ssl.h:347
int ssl_get_verify_result(const ssl_context *ssl)
Return the result of the certificate verification.
#define SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:228
Galois/Counter mode for AES.
int ssl_session_reset(ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables...
ARC4 context structure.
Definition: arc4.h:41
x509_cert * own_cert
Definition: ssl.h:492
int min_major_ver
Definition: ssl.h:414
#define CAMELLIA_DECRYPT
Definition: camellia.h:42
Certificate revocation list structure.
Definition: x509.h:357
ssl_transform * transform_negotiate
Definition: ssl.h:456
SHA-512 context structure.
Definition: sha4.h:51
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:117
SSL/TLS functions.
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:89
int disable_renegotiation
Definition: ssl.h:504
#define SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:221
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Definition: ssl.h:168
int verify_result
Definition: ssl.h:503
void dhm_free(dhm_context *ctx)
Free the components of a DHM key.
#define TLS_RSA_WITH_DES_CBC_SHA
Weak! Not in TLS 1.2.
Definition: ssl.h:158
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:425
void sha2(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
void * rsa_key
Definition: ssl.h:487
int ssl_derive_keys(ssl_context *ssl)
void ssl_set_authmode(ssl_context *ssl, int authmode)
Set the certificate verification mode.
void sha4_finish(sha4_context *ctx, unsigned char output[64])
SHA-512 final digest.
void sha1_process(sha1_context *ctx, const unsigned char data[64])
#define TLS_RSA_WITH_NULL_SHA
Weak!
Definition: ssl.h:156
int(* f_set_cache)(void *, const ssl_session *)
Definition: ssl.h:426
void ssl_set_ca_chain(ssl_context *ssl, x509_cert *ca_chain, x509_crl *ca_crl, const char *peer_cn)
Set the data required to verify peer certificate.
int renegotiation
Definition: ssl.h:407
void sha1_hmac_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 HMAC process buffer.
dhm_context dhm_ctx
Definition: ssl.h:374
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1147
void ssl_optimize_checksum(ssl_context *ssl, int ciphersuite)
int x509parse_verify(x509_cert *crt, x509_cert *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_cert *, int, int *), void *p_vrfy)
Verify the certificate signature.
void md5_hmac_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 HMAC process buffer.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
#define TLS_RSA_WITH_AES_128_GCM_SHA256
Definition: ssl.h:185
size_t minlen
Definition: ssl.h:339
void sha2_starts(sha2_context *ctx, int is224)
SHA-256 context setup.
int ssl_read(ssl_context *ssl, unsigned char *buf, size_t len)
Read at most 'len' application data bytes.
void ssl_transform_free(ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:183
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:135
#define SSL_MSG_APPLICATION_DATA
Definition: ssl.h:216
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
#define CAMELLIA_ENCRYPT
Definition: camellia.h:41
#define SSL_MSG_ALERT
Definition: ssl.h:214
uint32_t ctx_dec[136]
Definition: ssl.h:351
int ssl_renegotiate(ssl_context *ssl)
Perform an SSL renegotiation on the running connection.
#define TLS_RSA_WITH_NULL_MD5
Weak!
Definition: ssl.h:155
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:422
int ssl_write(ssl_context *ssl, const unsigned char *buf, size_t len)
Write exactly 'len' application data bytes.
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:60
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:79
The ARCFOUR stream cipher.
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
md5_context fin_md5
Definition: ssl.h:380
int endpoint
Definition: ssl.h:500
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:61
void ssl_set_sni(ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:180
int ssl_write_record(ssl_context *ssl)
const x509_cert * ssl_get_peer_cert(const ssl_context *ssl)
Return the peer certificate from the current connection.
unsigned char randbytes[64]
Definition: ssl.h:394
void sha2_finish(sha2_context *ctx, unsigned char output[32])
SHA-256 final digest.
#define POLARSSL_ERR_SSL_COUNTER_WRAPPING
A counter would wrap (eg, too many messages exchanged).
Definition: ssl.h:94
void * p_sni
Definition: ssl.h:436
int des3_crypt_cbc(des3_context *ctx, int mode, size_t length, unsigned char iv[8], const unsigned char *input, unsigned char *output)
3DES-CBC buffer encryption/decryption
#define SSL_HS_HELLO_REQUEST
Definition: ssl.h:248