PolarSSL v1.2.9
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2012, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #include "polarssl/config.h"
35 
36 #if defined(POLARSSL_SSL_TLS_C)
37 
38 #include "polarssl/aes.h"
39 #include "polarssl/arc4.h"
40 #include "polarssl/camellia.h"
41 #include "polarssl/des.h"
42 #include "polarssl/debug.h"
43 #include "polarssl/ssl.h"
44 #include "polarssl/sha2.h"
45 
46 #if defined(POLARSSL_GCM_C)
47 #include "polarssl/gcm.h"
48 #endif
49 
50 #include <stdlib.h>
51 #include <time.h>
52 
53 #if defined _MSC_VER && !defined strcasecmp
54 #define strcasecmp _stricmp
55 #endif
56 
57 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58 int (*ssl_hw_record_init)(ssl_context *ssl,
59  const unsigned char *key_enc, const unsigned char *key_dec,
60  const unsigned char *iv_enc, const unsigned char *iv_dec,
61  const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
62 int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
63 int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
64 int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
65 int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
66 #endif
67 
68 static int ssl_rsa_decrypt( void *ctx,
69  int (*f_rng)(void *, unsigned char *, size_t),
70  void *p_rng, int mode, size_t *olen,
71  const unsigned char *input, unsigned char *output,
72  size_t output_max_len )
73 {
74  return rsa_pkcs1_decrypt( (rsa_context *) ctx, f_rng, p_rng, mode, olen,
75  input, output, output_max_len );
76 }
77 
78 static int ssl_rsa_sign( void *ctx,
79  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
80  int mode, int hash_id, unsigned int hashlen,
81  const unsigned char *hash, unsigned char *sig )
82 {
83  return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
84  hashlen, hash, sig );
85 }
86 
87 static size_t ssl_rsa_key_len( void *ctx )
88 {
89  return ( (rsa_context *) ctx )->len;
90 }
91 
92 /*
93  * Key material generation
94  */
95 static int ssl3_prf( unsigned char *secret, size_t slen, char *label,
96  unsigned char *random, size_t rlen,
97  unsigned char *dstbuf, size_t dlen )
98 {
99  size_t i;
102  unsigned char padding[16];
103  unsigned char sha1sum[20];
104  ((void)label);
105 
106  /*
107  * SSLv3:
108  * block =
109  * MD5( secret + SHA1( 'A' + secret + random ) ) +
110  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
111  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
112  * ...
113  */
114  for( i = 0; i < dlen / 16; i++ )
115  {
116  memset( padding, 'A' + i, 1 + i );
117 
118  sha1_starts( &sha1 );
119  sha1_update( &sha1, padding, 1 + i );
120  sha1_update( &sha1, secret, slen );
121  sha1_update( &sha1, random, rlen );
122  sha1_finish( &sha1, sha1sum );
123 
124  md5_starts( &md5 );
125  md5_update( &md5, secret, slen );
126  md5_update( &md5, sha1sum, 20 );
127  md5_finish( &md5, dstbuf + i * 16 );
128  }
129 
130  memset( &md5, 0, sizeof( md5 ) );
131  memset( &sha1, 0, sizeof( sha1 ) );
132 
133  memset( padding, 0, sizeof( padding ) );
134  memset( sha1sum, 0, sizeof( sha1sum ) );
135 
136  return( 0 );
137 }
138 
139 static int tls1_prf( unsigned char *secret, size_t slen, char *label,
140  unsigned char *random, size_t rlen,
141  unsigned char *dstbuf, size_t dlen )
142 {
143  size_t nb, hs;
144  size_t i, j, k;
145  unsigned char *S1, *S2;
146  unsigned char tmp[128];
147  unsigned char h_i[20];
148 
149  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
151 
152  hs = ( slen + 1 ) / 2;
153  S1 = secret;
154  S2 = secret + slen - hs;
155 
156  nb = strlen( label );
157  memcpy( tmp + 20, label, nb );
158  memcpy( tmp + 20 + nb, random, rlen );
159  nb += rlen;
160 
161  /*
162  * First compute P_md5(secret,label+random)[0..dlen]
163  */
164  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
165 
166  for( i = 0; i < dlen; i += 16 )
167  {
168  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
169  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
170 
171  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
172 
173  for( j = 0; j < k; j++ )
174  dstbuf[i + j] = h_i[j];
175  }
176 
177  /*
178  * XOR out with P_sha1(secret,label+random)[0..dlen]
179  */
180  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
181 
182  for( i = 0; i < dlen; i += 20 )
183  {
184  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
185  sha1_hmac( S2, hs, tmp, 20, tmp );
186 
187  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
188 
189  for( j = 0; j < k; j++ )
190  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
191  }
192 
193  memset( tmp, 0, sizeof( tmp ) );
194  memset( h_i, 0, sizeof( h_i ) );
195 
196  return( 0 );
197 }
198 
199 static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
200  unsigned char *random, size_t rlen,
201  unsigned char *dstbuf, size_t dlen )
202 {
203  size_t nb;
204  size_t i, j, k;
205  unsigned char tmp[128];
206  unsigned char h_i[32];
207 
208  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
210 
211  nb = strlen( label );
212  memcpy( tmp + 32, label, nb );
213  memcpy( tmp + 32 + nb, random, rlen );
214  nb += rlen;
215 
216  /*
217  * Compute P_<hash>(secret, label + random)[0..dlen]
218  */
219  sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
220 
221  for( i = 0; i < dlen; i += 32 )
222  {
223  sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
224  sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
225 
226  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
227 
228  for( j = 0; j < k; j++ )
229  dstbuf[i + j] = h_i[j];
230  }
231 
232  memset( tmp, 0, sizeof( tmp ) );
233  memset( h_i, 0, sizeof( h_i ) );
234 
235  return( 0 );
236 }
237 
238 #if defined(POLARSSL_SHA4_C)
239 static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
240  unsigned char *random, size_t rlen,
241  unsigned char *dstbuf, size_t dlen )
242 {
243  size_t nb;
244  size_t i, j, k;
245  unsigned char tmp[128];
246  unsigned char h_i[48];
247 
248  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
250 
251  nb = strlen( label );
252  memcpy( tmp + 48, label, nb );
253  memcpy( tmp + 48 + nb, random, rlen );
254  nb += rlen;
255 
256  /*
257  * Compute P_<hash>(secret, label + random)[0..dlen]
258  */
259  sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
260 
261  for( i = 0; i < dlen; i += 48 )
262  {
263  sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
264  sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
265 
266  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
267 
268  for( j = 0; j < k; j++ )
269  dstbuf[i + j] = h_i[j];
270  }
271 
272  memset( tmp, 0, sizeof( tmp ) );
273  memset( h_i, 0, sizeof( h_i ) );
274 
275  return( 0 );
276 }
277 #endif
278 
279 static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
280 static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
281 static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
282 
283 static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
284 static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
285 static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
286 
287 static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
288 static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
289 static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
290 
291 #if defined(POLARSSL_SHA4_C)
292 static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
293 static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
294 static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
295 #endif
296 
297 int ssl_derive_keys( ssl_context *ssl )
298 {
299  unsigned char tmp[64];
300  unsigned char keyblk[256];
301  unsigned char *key1;
302  unsigned char *key2;
303  unsigned int iv_copy_len;
304  ssl_session *session = ssl->session_negotiate;
305  ssl_transform *transform = ssl->transform_negotiate;
306  ssl_handshake_params *handshake = ssl->handshake;
307 
308  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
309 
310  /*
311  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
312  */
313  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
314  {
315  handshake->tls_prf = ssl3_prf;
316  handshake->calc_verify = ssl_calc_verify_ssl;
317  handshake->calc_finished = ssl_calc_finished_ssl;
318  }
319  else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
320  {
321  handshake->tls_prf = tls1_prf;
322  handshake->calc_verify = ssl_calc_verify_tls;
323  handshake->calc_finished = ssl_calc_finished_tls;
324  }
325 #if defined(POLARSSL_SHA4_C)
326  else if( session->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
328  {
329  handshake->tls_prf = tls_prf_sha384;
330  handshake->calc_verify = ssl_calc_verify_tls_sha384;
331  handshake->calc_finished = ssl_calc_finished_tls_sha384;
332  }
333 #endif
334  else
335  {
336  handshake->tls_prf = tls_prf_sha256;
337  handshake->calc_verify = ssl_calc_verify_tls_sha256;
338  handshake->calc_finished = ssl_calc_finished_tls_sha256;
339  }
340 
341  /*
342  * SSLv3:
343  * master =
344  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
345  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
346  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
347  *
348  * TLSv1:
349  * master = PRF( premaster, "master secret", randbytes )[0..47]
350  */
351  if( handshake->resume == 0 )
352  {
353  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
354  handshake->pmslen );
355 
356  handshake->tls_prf( handshake->premaster, handshake->pmslen,
357  "master secret",
358  handshake->randbytes, 64, session->master, 48 );
359 
360  memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
361  }
362  else
363  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
364 
365  /*
366  * Swap the client and server random values.
367  */
368  memcpy( tmp, handshake->randbytes, 64 );
369  memcpy( handshake->randbytes, tmp + 32, 32 );
370  memcpy( handshake->randbytes + 32, tmp, 32 );
371  memset( tmp, 0, sizeof( tmp ) );
372 
373  /*
374  * SSLv3:
375  * key block =
376  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
377  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
378  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
379  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
380  * ...
381  *
382  * TLSv1:
383  * key block = PRF( master, "key expansion", randbytes )
384  */
385  handshake->tls_prf( session->master, 48, "key expansion",
386  handshake->randbytes, 64, keyblk, 256 );
387 
388  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
389  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
390  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
391  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
392  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
393 
394  memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
395 
396  /*
397  * Determine the appropriate key, IV and MAC length.
398  */
399  switch( session->ciphersuite )
400  {
401 #if defined(POLARSSL_ARC4_C)
403  transform->keylen = 16; transform->minlen = 16;
404  transform->ivlen = 0; transform->maclen = 16;
405  break;
406 
408  transform->keylen = 16; transform->minlen = 20;
409  transform->ivlen = 0; transform->maclen = 20;
410  break;
411 #endif
412 
413 #if defined(POLARSSL_DES_C)
416  transform->keylen = 24; transform->minlen = 24;
417  transform->ivlen = 8; transform->maclen = 20;
418  break;
419 #endif
420 
421 #if defined(POLARSSL_AES_C)
424  transform->keylen = 16; transform->minlen = 32;
425  transform->ivlen = 16; transform->maclen = 20;
426  break;
427 
430  transform->keylen = 32; transform->minlen = 32;
431  transform->ivlen = 16; transform->maclen = 20;
432  break;
433 
434 #if defined(POLARSSL_SHA2_C)
437  transform->keylen = 16; transform->minlen = 32;
438  transform->ivlen = 16; transform->maclen = 32;
439  break;
440 
443  transform->keylen = 32; transform->minlen = 32;
444  transform->ivlen = 16; transform->maclen = 32;
445  break;
446 #endif
447 #if defined(POLARSSL_GCM_C)
450  transform->keylen = 16; transform->minlen = 1;
451  transform->ivlen = 12; transform->maclen = 0;
452  transform->fixed_ivlen = 4;
453  break;
454 
457  transform->keylen = 32; transform->minlen = 1;
458  transform->ivlen = 12; transform->maclen = 0;
459  transform->fixed_ivlen = 4;
460  break;
461 #endif
462 #endif
463 
464 #if defined(POLARSSL_CAMELLIA_C)
467  transform->keylen = 16; transform->minlen = 32;
468  transform->ivlen = 16; transform->maclen = 20;
469  break;
470 
473  transform->keylen = 32; transform->minlen = 32;
474  transform->ivlen = 16; transform->maclen = 20;
475  break;
476 
477 #if defined(POLARSSL_SHA2_C)
480  transform->keylen = 16; transform->minlen = 32;
481  transform->ivlen = 16; transform->maclen = 32;
482  break;
483 
486  transform->keylen = 32; transform->minlen = 32;
487  transform->ivlen = 16; transform->maclen = 32;
488  break;
489 #endif
490 #endif
491 
492 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
493 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
495  transform->keylen = 0; transform->minlen = 0;
496  transform->ivlen = 0; transform->maclen = 16;
497  break;
498 
500  transform->keylen = 0; transform->minlen = 0;
501  transform->ivlen = 0; transform->maclen = 20;
502  break;
503 
505  transform->keylen = 0; transform->minlen = 0;
506  transform->ivlen = 0; transform->maclen = 32;
507  break;
508 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
509 
510 #if defined(POLARSSL_DES_C)
513  transform->keylen = 8; transform->minlen = 8;
514  transform->ivlen = 8; transform->maclen = 20;
515  break;
516 #endif
517 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
518 
519  default:
520  SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
521  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
523  }
524 
525  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
526  transform->keylen, transform->minlen, transform->ivlen,
527  transform->maclen ) );
528 
529  /*
530  * Finally setup the cipher contexts, IVs and MAC secrets.
531  */
532  if( ssl->endpoint == SSL_IS_CLIENT )
533  {
534  key1 = keyblk + transform->maclen * 2;
535  key2 = keyblk + transform->maclen * 2 + transform->keylen;
536 
537  memcpy( transform->mac_enc, keyblk, transform->maclen );
538  memcpy( transform->mac_dec, keyblk + transform->maclen,
539  transform->maclen );
540 
541  /*
542  * This is not used in TLS v1.1.
543  */
544  iv_copy_len = ( transform->fixed_ivlen ) ?
545  transform->fixed_ivlen : transform->ivlen;
546  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
547  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
548  iv_copy_len );
549  }
550  else
551  {
552  key1 = keyblk + transform->maclen * 2 + transform->keylen;
553  key2 = keyblk + transform->maclen * 2;
554 
555  memcpy( transform->mac_dec, keyblk, transform->maclen );
556  memcpy( transform->mac_enc, keyblk + transform->maclen,
557  transform->maclen );
558 
559  /*
560  * This is not used in TLS v1.1.
561  */
562  iv_copy_len = ( transform->fixed_ivlen ) ?
563  transform->fixed_ivlen : transform->ivlen;
564  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
565  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
566  iv_copy_len );
567  }
568 
569 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
570  if( ssl_hw_record_init != NULL)
571  {
572  int ret = 0;
573 
574  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
575 
576  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->iv_enc,
577  transform->iv_dec, transform->mac_enc,
578  transform->mac_dec ) ) != 0 )
579  {
580  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
582  }
583  }
584 #endif
585 
586  switch( session->ciphersuite )
587  {
588 #if defined(POLARSSL_ARC4_C)
591  arc4_setup( (arc4_context *) transform->ctx_enc, key1,
592  transform->keylen );
593  arc4_setup( (arc4_context *) transform->ctx_dec, key2,
594  transform->keylen );
595  break;
596 #endif
597 
598 #if defined(POLARSSL_DES_C)
601  des3_set3key_enc( (des3_context *) transform->ctx_enc, key1 );
602  des3_set3key_dec( (des3_context *) transform->ctx_dec, key2 );
603  break;
604 #endif
605 
606 #if defined(POLARSSL_AES_C)
611  aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 128 );
612  aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 128 );
613  break;
614 
619  aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 256 );
620  aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 256 );
621  break;
622 
623 #if defined(POLARSSL_GCM_C)
626  gcm_init( (gcm_context *) transform->ctx_enc, key1, 128 );
627  gcm_init( (gcm_context *) transform->ctx_dec, key2, 128 );
628  break;
629 
632  gcm_init( (gcm_context *) transform->ctx_enc, key1, 256 );
633  gcm_init( (gcm_context *) transform->ctx_dec, key2, 256 );
634  break;
635 #endif
636 #endif
637 
638 #if defined(POLARSSL_CAMELLIA_C)
643  camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 128 );
644  camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 128 );
645  break;
646 
651  camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 256 );
652  camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 256 );
653  break;
654 #endif
655 
656 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
657 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
661  break;
662 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
663 
664 #if defined(POLARSSL_DES_C)
667  des_setkey_enc( (des_context *) transform->ctx_enc, key1 );
668  des_setkey_dec( (des_context *) transform->ctx_dec, key2 );
669  break;
670 #endif
671 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
672 
673  default:
675  }
676 
677  memset( keyblk, 0, sizeof( keyblk ) );
678 
679 #if defined(POLARSSL_ZLIB_SUPPORT)
680  // Initialize compression
681  //
682  if( session->compression == SSL_COMPRESS_DEFLATE )
683  {
684  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
685 
686  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
687  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
688 
689  if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
690  inflateInit( &transform->ctx_inflate ) != Z_OK )
691  {
692  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
694  }
695  }
696 #endif /* POLARSSL_ZLIB_SUPPORT */
697 
698  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
699 
700  return( 0 );
701 }
702 
703 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
704 {
707  unsigned char pad_1[48];
708  unsigned char pad_2[48];
709 
710  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
711 
712  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
713  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
714 
715  memset( pad_1, 0x36, 48 );
716  memset( pad_2, 0x5C, 48 );
717 
718  md5_update( &md5, ssl->session_negotiate->master, 48 );
719  md5_update( &md5, pad_1, 48 );
720  md5_finish( &md5, hash );
721 
722  md5_starts( &md5 );
723  md5_update( &md5, ssl->session_negotiate->master, 48 );
724  md5_update( &md5, pad_2, 48 );
725  md5_update( &md5, hash, 16 );
726  md5_finish( &md5, hash );
727 
728  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
729  sha1_update( &sha1, pad_1, 40 );
730  sha1_finish( &sha1, hash + 16 );
731 
732  sha1_starts( &sha1 );
733  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
734  sha1_update( &sha1, pad_2, 40 );
735  sha1_update( &sha1, hash + 16, 20 );
736  sha1_finish( &sha1, hash + 16 );
737 
738  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
739  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
740 
741  return;
742 }
743 
744 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
745 {
748 
749  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
750 
751  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
752  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
753 
754  md5_finish( &md5, hash );
755  sha1_finish( &sha1, hash + 16 );
756 
757  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
758  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
759 
760  return;
761 }
762 
763 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
764 {
766 
767  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
768 
769  memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
770  sha2_finish( &sha2, hash );
771 
772  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
773  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
774 
775  return;
776 }
777 
778 #if defined(POLARSSL_SHA4_C)
779 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
780 {
782 
783  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
784 
785  memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
786  sha4_finish( &sha4, hash );
787 
788  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
789  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
790 
791  return;
792 }
793 #endif
794 
795 /*
796  * SSLv3.0 MAC functions
797  */
798 static void ssl_mac_md5( unsigned char *secret,
799  unsigned char *buf, size_t len,
800  unsigned char *ctr, int type )
801 {
802  unsigned char header[11];
803  unsigned char padding[48];
805 
806  memcpy( header, ctr, 8 );
807  header[ 8] = (unsigned char) type;
808  header[ 9] = (unsigned char)( len >> 8 );
809  header[10] = (unsigned char)( len );
810 
811  memset( padding, 0x36, 48 );
812  md5_starts( &md5 );
813  md5_update( &md5, secret, 16 );
814  md5_update( &md5, padding, 48 );
815  md5_update( &md5, header, 11 );
816  md5_update( &md5, buf, len );
817  md5_finish( &md5, buf + len );
818 
819  memset( padding, 0x5C, 48 );
820  md5_starts( &md5 );
821  md5_update( &md5, secret, 16 );
822  md5_update( &md5, padding, 48 );
823  md5_update( &md5, buf + len, 16 );
824  md5_finish( &md5, buf + len );
825 }
826 
827 static void ssl_mac_sha1( unsigned char *secret,
828  unsigned char *buf, size_t len,
829  unsigned char *ctr, int type )
830 {
831  unsigned char header[11];
832  unsigned char padding[40];
834 
835  memcpy( header, ctr, 8 );
836  header[ 8] = (unsigned char) type;
837  header[ 9] = (unsigned char)( len >> 8 );
838  header[10] = (unsigned char)( len );
839 
840  memset( padding, 0x36, 40 );
841  sha1_starts( &sha1 );
842  sha1_update( &sha1, secret, 20 );
843  sha1_update( &sha1, padding, 40 );
844  sha1_update( &sha1, header, 11 );
845  sha1_update( &sha1, buf, len );
846  sha1_finish( &sha1, buf + len );
847 
848  memset( padding, 0x5C, 40 );
849  sha1_starts( &sha1 );
850  sha1_update( &sha1, secret, 20 );
851  sha1_update( &sha1, padding, 40 );
852  sha1_update( &sha1, buf + len, 20 );
853  sha1_finish( &sha1, buf + len );
854 }
855 
856 static void ssl_mac_sha2( unsigned char *secret,
857  unsigned char *buf, size_t len,
858  unsigned char *ctr, int type )
859 {
860  unsigned char header[11];
861  unsigned char padding[32];
863 
864  memcpy( header, ctr, 8 );
865  header[ 8] = (unsigned char) type;
866  header[ 9] = (unsigned char)( len >> 8 );
867  header[10] = (unsigned char)( len );
868 
869  memset( padding, 0x36, 32 );
870  sha2_starts( &sha2, 0 );
871  sha2_update( &sha2, secret, 32 );
872  sha2_update( &sha2, padding, 32 );
873  sha2_update( &sha2, header, 11 );
874  sha2_update( &sha2, buf, len );
875  sha2_finish( &sha2, buf + len );
876 
877  memset( padding, 0x5C, 32 );
878  sha2_starts( &sha2, 0 );
879  sha2_update( &sha2, secret, 32 );
880  sha2_update( &sha2, padding, 32 );
881  sha2_update( &sha2, buf + len, 32 );
882  sha2_finish( &sha2, buf + len );
883 }
884 
885 /*
886  * Encryption/decryption functions
887  */
888 static int ssl_encrypt_buf( ssl_context *ssl )
889 {
890  size_t i, padlen;
891 
892  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
893 
894  /*
895  * Add MAC then encrypt
896  */
897  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
898  {
899  if( ssl->transform_out->maclen == 16 )
900  ssl_mac_md5( ssl->transform_out->mac_enc,
901  ssl->out_msg, ssl->out_msglen,
902  ssl->out_ctr, ssl->out_msgtype );
903  else if( ssl->transform_out->maclen == 20 )
904  ssl_mac_sha1( ssl->transform_out->mac_enc,
905  ssl->out_msg, ssl->out_msglen,
906  ssl->out_ctr, ssl->out_msgtype );
907  else if( ssl->transform_out->maclen == 32 )
908  ssl_mac_sha2( ssl->transform_out->mac_enc,
909  ssl->out_msg, ssl->out_msglen,
910  ssl->out_ctr, ssl->out_msgtype );
911  else if( ssl->transform_out->maclen != 0 )
912  {
913  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
914  ssl->transform_out->maclen ) );
916  }
917  }
918  else
919  {
920  if( ssl->transform_out->maclen == 16 )
921  {
922  md5_context ctx;
923  md5_hmac_starts( &ctx, ssl->transform_out->mac_enc, 16 );
924  md5_hmac_update( &ctx, ssl->out_ctr, 13 );
925  md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
926  md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
927  memset( &ctx, 0, sizeof(md5_context));
928  }
929  else if( ssl->transform_out->maclen == 20 )
930  {
931  sha1_context ctx;
932  sha1_hmac_starts( &ctx, ssl->transform_out->mac_enc, 20 );
933  sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
934  sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
935  sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
936  memset( &ctx, 0, sizeof(sha1_context));
937  }
938  else if( ssl->transform_out->maclen == 32 )
939  {
940  sha2_context ctx;
941  sha2_hmac_starts( &ctx, ssl->transform_out->mac_enc, 32, 0 );
942  sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
943  sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
944  sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
945  memset( &ctx, 0, sizeof(sha2_context));
946  }
947  else if( ssl->transform_out->maclen != 0 )
948  {
949  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
950  ssl->transform_out->maclen ) );
952  }
953  }
954 
955  SSL_DEBUG_BUF( 4, "computed mac",
956  ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
957 
958  ssl->out_msglen += ssl->transform_out->maclen;
959 
960  if( ssl->transform_out->ivlen == 0 )
961  {
962  padlen = 0;
963 
964  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
965  "including %d bytes of padding",
966  ssl->out_msglen, 0 ) );
967 
968  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
969  ssl->out_msg, ssl->out_msglen );
970 
971 #if defined(POLARSSL_ARC4_C)
974  {
976  ssl->out_msglen, ssl->out_msg,
977  ssl->out_msg );
978  } else
979 #endif
980 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
984  {
985  } else
986 #endif
988  }
989  else if( ssl->transform_out->ivlen == 12 )
990  {
991  size_t enc_msglen;
992  unsigned char *enc_msg;
993  unsigned char add_data[13];
995 
996  padlen = 0;
997  enc_msglen = ssl->out_msglen;
998 
999  memcpy( add_data, ssl->out_ctr, 8 );
1000  add_data[8] = ssl->out_msgtype;
1001  add_data[9] = ssl->major_ver;
1002  add_data[10] = ssl->minor_ver;
1003  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1004  add_data[12] = ssl->out_msglen & 0xFF;
1005 
1006  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1007  add_data, 13 );
1008 
1009 #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1010 
1015  {
1016  /*
1017  * Generate IV
1018  */
1019  ret = ssl->f_rng( ssl->p_rng,
1021  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1022  if( ret != 0 )
1023  return( ret );
1024 
1025  /*
1026  * Shift message for ivlen bytes and prepend IV
1027  */
1028  memmove( ssl->out_msg + ssl->transform_out->ivlen -
1029  ssl->transform_out->fixed_ivlen,
1030  ssl->out_msg, ssl->out_msglen );
1031  memcpy( ssl->out_msg,
1033  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1034 
1035  /*
1036  * Fix pointer positions and message length with added IV
1037  */
1038  enc_msg = ssl->out_msg + ssl->transform_out->ivlen -
1039  ssl->transform_out->fixed_ivlen;
1040  enc_msglen = ssl->out_msglen;
1041  ssl->out_msglen += ssl->transform_out->ivlen -
1042  ssl->transform_out->fixed_ivlen;
1043 
1044  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1045  "including %d bytes of padding",
1046  ssl->out_msglen, 0 ) );
1047 
1048  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1049  ssl->out_msg, ssl->out_msglen );
1050 
1051  /*
1052  * Adjust for tag
1053  */
1054  ssl->out_msglen += 16;
1055 
1057  GCM_ENCRYPT, enc_msglen,
1058  ssl->transform_out->iv_enc, ssl->transform_out->ivlen,
1059  add_data, 13,
1060  enc_msg, enc_msg,
1061  16, enc_msg + enc_msglen );
1062 
1063  SSL_DEBUG_BUF( 4, "after encrypt: tag",
1064  enc_msg + enc_msglen, 16 );
1065 
1066  } else
1067 #endif
1068  return( ret );
1069  }
1070  else
1071  {
1072  unsigned char *enc_msg;
1073  size_t enc_msglen;
1074 
1075  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1076  ssl->transform_out->ivlen;
1077  if( padlen == ssl->transform_out->ivlen )
1078  padlen = 0;
1079 
1080  for( i = 0; i <= padlen; i++ )
1081  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1082 
1083  ssl->out_msglen += padlen + 1;
1084 
1085  enc_msglen = ssl->out_msglen;
1086  enc_msg = ssl->out_msg;
1087 
1088  /*
1089  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1090  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1091  */
1092  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1093  {
1094  /*
1095  * Generate IV
1096  */
1097  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1098  ssl->transform_out->ivlen );
1099  if( ret != 0 )
1100  return( ret );
1101 
1102  /*
1103  * Shift message for ivlen bytes and prepend IV
1104  */
1105  memmove( ssl->out_msg + ssl->transform_out->ivlen, ssl->out_msg,
1106  ssl->out_msglen );
1107  memcpy( ssl->out_msg, ssl->transform_out->iv_enc,
1108  ssl->transform_out->ivlen );
1109 
1110  /*
1111  * Fix pointer positions and message length with added IV
1112  */
1113  enc_msg = ssl->out_msg + ssl->transform_out->ivlen;
1114  enc_msglen = ssl->out_msglen;
1115  ssl->out_msglen += ssl->transform_out->ivlen;
1116  }
1117 
1118  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1119  "including %d bytes of IV and %d bytes of padding",
1120  ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
1121 
1122  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1123  ssl->out_msg, ssl->out_msglen );
1124 
1125  switch( ssl->transform_out->ivlen )
1126  {
1127 #if defined(POLARSSL_DES_C)
1128  case 8:
1129 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1132  {
1134  DES_ENCRYPT, enc_msglen,
1135  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1136  }
1137  else
1138 #endif
1140  DES_ENCRYPT, enc_msglen,
1141  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1142  break;
1143 #endif
1144 
1145  case 16:
1146 #if defined(POLARSSL_AES_C)
1155  {
1157  AES_ENCRYPT, enc_msglen,
1158  ssl->transform_out->iv_enc, enc_msg, enc_msg);
1159  break;
1160  }
1161 #endif
1162 
1163 #if defined(POLARSSL_CAMELLIA_C)
1172  {
1174  CAMELLIA_ENCRYPT, enc_msglen,
1175  ssl->transform_out->iv_enc, enc_msg, enc_msg );
1176  break;
1177  }
1178 #endif
1179 
1180  default:
1182  }
1183  }
1184 
1185  for( i = 8; i > 0; i-- )
1186  if( ++ssl->out_ctr[i - 1] != 0 )
1187  break;
1188 
1189  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1190 
1191  return( 0 );
1192 }
1193 
1194 /*
1195  * TODO: Use digest version when integrated!
1196  */
1197 #define POLARSSL_SSL_MAX_MAC_SIZE 32
1198 
1199 static int ssl_decrypt_buf( ssl_context *ssl )
1200 {
1201  size_t i, padlen = 0, correct = 1;
1202  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1203 
1204  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1205 
1206  if( ssl->in_msglen < ssl->transform_in->minlen )
1207  {
1208  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1209  ssl->in_msglen, ssl->transform_in->minlen ) );
1210  return( POLARSSL_ERR_SSL_INVALID_MAC );
1211  }
1212 
1213  if( ssl->transform_in->ivlen == 0 )
1214  {
1215 #if defined(POLARSSL_ARC4_C)
1218  {
1220  ssl->in_msglen, ssl->in_msg,
1221  ssl->in_msg );
1222  } else
1223 #endif
1224 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
1228  {
1229  } else
1230 #endif
1232  }
1233  else if( ssl->transform_in->ivlen == 12 )
1234  {
1235  unsigned char *dec_msg;
1236  unsigned char *dec_msg_result;
1237  size_t dec_msglen;
1238  unsigned char add_data[13];
1240 
1241 #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1246  {
1247  dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
1248  ssl->transform_in->fixed_ivlen );
1249  dec_msglen -= 16;
1250  dec_msg = ssl->in_msg + ( ssl->transform_in->ivlen -
1251  ssl->transform_in->fixed_ivlen );
1252  dec_msg_result = ssl->in_msg;
1253  ssl->in_msglen = dec_msglen;
1254 
1255  memcpy( add_data, ssl->in_ctr, 8 );
1256  add_data[8] = ssl->in_msgtype;
1257  add_data[9] = ssl->major_ver;
1258  add_data[10] = ssl->minor_ver;
1259  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1260  add_data[12] = ssl->in_msglen & 0xFF;
1261 
1262  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1263  add_data, 13 );
1264 
1265  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1266  ssl->in_msg,
1267  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1268 
1269  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1270  ssl->transform_in->ivlen );
1271  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1272 
1273  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1274  ssl->in_msg,
1275  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1276 
1278  dec_msglen,
1279  ssl->transform_in->iv_dec,
1280  ssl->transform_in->ivlen,
1281  add_data, 13,
1282  dec_msg + dec_msglen, 16,
1283  dec_msg, dec_msg_result );
1284 
1285  if( ret != 0 )
1286  {
1287  SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1288  -ret ) );
1289 
1290  return( POLARSSL_ERR_SSL_INVALID_MAC );
1291  }
1292  } else
1293 #endif
1294  return( ret );
1295  }
1296  else
1297  {
1298  /*
1299  * Decrypt and check the padding
1300  */
1301  unsigned char *dec_msg;
1302  unsigned char *dec_msg_result;
1303  size_t dec_msglen;
1304  size_t minlen = 0;
1305 
1306  /*
1307  * Check immediate ciphertext sanity
1308  */
1309  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1310  {
1311  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1312  ssl->in_msglen, ssl->transform_in->ivlen ) );
1313  return( POLARSSL_ERR_SSL_INVALID_MAC );
1314  }
1315 
1316  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1317  minlen += ssl->transform_in->ivlen;
1318 
1319  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1320  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1321  {
1322  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
1323  ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
1324  return( POLARSSL_ERR_SSL_INVALID_MAC );
1325  }
1326 
1327  dec_msglen = ssl->in_msglen;
1328  dec_msg = ssl->in_msg;
1329  dec_msg_result = ssl->in_msg;
1330 
1331  /*
1332  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1333  */
1334  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1335  {
1336  dec_msg += ssl->transform_in->ivlen;
1337  dec_msglen -= ssl->transform_in->ivlen;
1338  ssl->in_msglen -= ssl->transform_in->ivlen;
1339 
1340  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1341  ssl->transform_in->iv_dec[i] = ssl->in_msg[i];
1342  }
1343 
1344  switch( ssl->transform_in->ivlen )
1345  {
1346 #if defined(POLARSSL_DES_C)
1347  case 8:
1348 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1351  {
1353  DES_DECRYPT, dec_msglen,
1354  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1355  }
1356  else
1357 #endif
1359  DES_DECRYPT, dec_msglen,
1360  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1361  break;
1362 #endif
1363 
1364  case 16:
1365 #if defined(POLARSSL_AES_C)
1374  {
1376  AES_DECRYPT, dec_msglen,
1377  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1378  break;
1379  }
1380 #endif
1381 
1382 #if defined(POLARSSL_CAMELLIA_C)
1391  {
1393  CAMELLIA_DECRYPT, dec_msglen,
1394  ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
1395  break;
1396  }
1397 #endif
1398 
1399  default:
1401  }
1402 
1403  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1404 
1405  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1406  {
1407 #if defined(POLARSSL_SSL_DEBUG_ALL)
1408  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1409  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1410 #endif
1411  padlen = 0;
1412  correct = 0;
1413  }
1414 
1415  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1416  {
1417  if( padlen > ssl->transform_in->ivlen )
1418  {
1419 #if defined(POLARSSL_SSL_DEBUG_ALL)
1420  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1421  "should be no more than %d",
1422  padlen, ssl->transform_in->ivlen ) );
1423 #endif
1424  correct = 0;
1425  }
1426  }
1427  else
1428  {
1429  /*
1430  * TLSv1+: always check the padding up to the first failure
1431  * and fake check up to 256 bytes of padding
1432  */
1433  size_t pad_count = 0, fake_pad_count = 0;
1434  size_t padding_idx = ssl->in_msglen - padlen - 1;
1435 
1436  for( i = 1; i <= padlen; i++ )
1437  pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1438 
1439  for( ; i <= 256; i++ )
1440  fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1441 
1442  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1443  correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
1444 
1445 #if defined(POLARSSL_SSL_DEBUG_ALL)
1446  if( padlen > 0 && correct == 0)
1447  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1448 #endif
1449  padlen &= correct * 0x1FF;
1450  }
1451  }
1452 
1453  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1454  ssl->in_msg, ssl->in_msglen );
1455 
1456  /*
1457  * Always compute the MAC (RFC4346, CBCTIME).
1458  */
1459  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1460 
1461  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1462  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1463 
1464  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1465 
1466  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1467  {
1468  if( ssl->transform_in->maclen == 16 )
1469  ssl_mac_md5( ssl->transform_in->mac_dec,
1470  ssl->in_msg, ssl->in_msglen,
1471  ssl->in_ctr, ssl->in_msgtype );
1472  else if( ssl->transform_in->maclen == 20 )
1473  ssl_mac_sha1( ssl->transform_in->mac_dec,
1474  ssl->in_msg, ssl->in_msglen,
1475  ssl->in_ctr, ssl->in_msgtype );
1476  else if( ssl->transform_in->maclen == 32 )
1477  ssl_mac_sha2( ssl->transform_in->mac_dec,
1478  ssl->in_msg, ssl->in_msglen,
1479  ssl->in_ctr, ssl->in_msgtype );
1480  else if( ssl->transform_in->maclen != 0 )
1481  {
1482  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1483  ssl->transform_in->maclen ) );
1485  }
1486  }
1487  else
1488  {
1489  /*
1490  * Process MAC and always update for padlen afterwards to make
1491  * total time independent of padlen
1492  *
1493  * extra_run compensates MAC check for padlen
1494  *
1495  * Known timing attacks:
1496  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1497  *
1498  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1499  * correctly. (We round down instead of up, so -56 is the correct
1500  * value for our calculations instead of -55)
1501  */
1502  int j, extra_run = 0;
1503  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1504  ( 13 + ssl->in_msglen + 8 ) / 64;
1505 
1506  extra_run &= correct * 0xFF;
1507 
1508  if( ssl->transform_in->maclen == 16 )
1509  {
1510  md5_context ctx;
1511  md5_hmac_starts( &ctx, ssl->transform_in->mac_dec, 16 );
1512  md5_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1513  md5_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1514 
1515  for( j = 0; j < extra_run; j++ )
1516  md5_process( &ctx, ssl->in_msg );
1517  }
1518  else if( ssl->transform_in->maclen == 20 )
1519  {
1520  sha1_context ctx;
1521  sha1_hmac_starts( &ctx, ssl->transform_in->mac_dec, 20 );
1522  sha1_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1523  sha1_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1524 
1525  for( j = 0; j < extra_run; j++ )
1526  sha1_process( &ctx, ssl->in_msg );
1527  }
1528  else if( ssl->transform_in->maclen == 32 )
1529  {
1530  sha2_context ctx;
1531  sha2_hmac_starts( &ctx, ssl->transform_in->mac_dec, 32, 0 );
1532  sha2_hmac_update( &ctx, ssl->in_ctr, ssl->in_msglen + 13 );
1533  sha2_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
1534 
1535  for( j = 0; j < extra_run; j++ )
1536  sha2_process( &ctx, ssl->in_msg );
1537  }
1538  else if( ssl->transform_in->maclen != 0 )
1539  {
1540  SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
1541  ssl->transform_in->maclen ) );
1543  }
1544  }
1545 
1546  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1547  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1548  ssl->transform_in->maclen );
1549 
1550  if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1551  ssl->transform_in->maclen ) != 0 )
1552  {
1553 #if defined(POLARSSL_SSL_DEBUG_ALL)
1554  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1555 #endif
1556  correct = 0;
1557  }
1558 
1559  /*
1560  * Finally check the correct flag
1561  */
1562  if( correct == 0 )
1563  return( POLARSSL_ERR_SSL_INVALID_MAC );
1564 
1565  if( ssl->in_msglen == 0 )
1566  {
1567  ssl->nb_zero++;
1568 
1569  /*
1570  * Three or more empty messages may be a DoS attack
1571  * (excessive CPU consumption).
1572  */
1573  if( ssl->nb_zero > 3 )
1574  {
1575  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1576  "messages, possible DoS attack" ) );
1577  return( POLARSSL_ERR_SSL_INVALID_MAC );
1578  }
1579  }
1580  else
1581  ssl->nb_zero = 0;
1582 
1583  for( i = 8; i > 0; i-- )
1584  if( ++ssl->in_ctr[i - 1] != 0 )
1585  break;
1586 
1587  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1588 
1589  return( 0 );
1590 }
1591 
1592 #if defined(POLARSSL_ZLIB_SUPPORT)
1593 /*
1594  * Compression/decompression functions
1595  */
1596 static int ssl_compress_buf( ssl_context *ssl )
1597 {
1598  int ret;
1599  unsigned char *msg_post = ssl->out_msg;
1600  size_t len_pre = ssl->out_msglen;
1601  unsigned char *msg_pre;
1602 
1603  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1604 
1605  msg_pre = (unsigned char*) malloc( len_pre );
1606  if( msg_pre == NULL )
1607  {
1608  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1610  }
1611 
1612  memcpy( msg_pre, ssl->out_msg, len_pre );
1613 
1614  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1615  ssl->out_msglen ) );
1616 
1617  SSL_DEBUG_BUF( 4, "before compression: output payload",
1618  ssl->out_msg, ssl->out_msglen );
1619 
1620  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1621  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1622  ssl->transform_out->ctx_deflate.next_out = msg_post;
1623  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1624 
1625  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1626  if( ret != Z_OK )
1627  {
1628  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1630  }
1631 
1632  ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
1633 
1634  free( msg_pre );
1635 
1636  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1637  ssl->out_msglen ) );
1638 
1639  SSL_DEBUG_BUF( 4, "after compression: output payload",
1640  ssl->out_msg, ssl->out_msglen );
1641 
1642  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1643 
1644  return( 0 );
1645 }
1646 
1647 static int ssl_decompress_buf( ssl_context *ssl )
1648 {
1649  int ret;
1650  unsigned char *msg_post = ssl->in_msg;
1651  size_t len_pre = ssl->in_msglen;
1652  unsigned char *msg_pre;
1653 
1654  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1655 
1656  msg_pre = (unsigned char*) malloc( len_pre );
1657  if( msg_pre == NULL )
1658  {
1659  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
1661  }
1662 
1663  memcpy( msg_pre, ssl->in_msg, len_pre );
1664 
1665  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1666  ssl->in_msglen ) );
1667 
1668  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1669  ssl->in_msg, ssl->in_msglen );
1670 
1671  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1672  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1673  ssl->transform_in->ctx_inflate.next_out = msg_post;
1674  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1675 
1676  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1677  if( ret != Z_OK )
1678  {
1679  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1681  }
1682 
1683  ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
1684 
1685  free( msg_pre );
1686 
1687  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1688  ssl->in_msglen ) );
1689 
1690  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1691  ssl->in_msg, ssl->in_msglen );
1692 
1693  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1694 
1695  return( 0 );
1696 }
1697 #endif /* POLARSSL_ZLIB_SUPPORT */
1698 
1699 /*
1700  * Fill the input message buffer
1701  */
1702 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1703 {
1704  int ret;
1705  size_t len;
1706 
1707  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1708 
1709  while( ssl->in_left < nb_want )
1710  {
1711  len = nb_want - ssl->in_left;
1712  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1713 
1714  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1715  ssl->in_left, nb_want ) );
1716  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1717 
1718  if( ret == 0 )
1719  return( POLARSSL_ERR_SSL_CONN_EOF );
1720 
1721  if( ret < 0 )
1722  return( ret );
1723 
1724  ssl->in_left += ret;
1725  }
1726 
1727  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1728 
1729  return( 0 );
1730 }
1731 
1732 /*
1733  * Flush any data not yet written
1734  */
1735 int ssl_flush_output( ssl_context *ssl )
1736 {
1737  int ret;
1738  unsigned char *buf;
1739 
1740  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1741 
1742  while( ssl->out_left > 0 )
1743  {
1744  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1745  5 + ssl->out_msglen, ssl->out_left ) );
1746 
1747  if( ssl->out_msglen < ssl->out_left )
1748  {
1749  size_t header_left = ssl->out_left - ssl->out_msglen;
1750 
1751  buf = ssl->out_hdr + 5 - header_left;
1752  ret = ssl->f_send( ssl->p_send, buf, header_left );
1753 
1754  SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1755 
1756  if( ret <= 0 )
1757  return( ret );
1758 
1759  ssl->out_left -= ret;
1760  }
1761 
1762  buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
1763  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1764 
1765  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1766 
1767  if( ret <= 0 )
1768  return( ret );
1769 
1770  ssl->out_left -= ret;
1771  }
1772 
1773  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1774 
1775  return( 0 );
1776 }
1777 
1778 /*
1779  * Record layer functions
1780  */
1781 int ssl_write_record( ssl_context *ssl )
1782 {
1783  int ret, done = 0;
1784  size_t len = ssl->out_msglen;
1785 
1786  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1787 
1788  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1789  {
1790  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1791  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1792  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1793 
1794  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1795  }
1796 
1797 #if defined(POLARSSL_ZLIB_SUPPORT)
1798  if( ssl->transform_out != NULL &&
1800  {
1801  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1802  {
1803  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1804  return( ret );
1805  }
1806 
1807  len = ssl->out_msglen;
1808  }
1809 #endif /*POLARSSL_ZLIB_SUPPORT */
1810 
1811 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1812  if( ssl_hw_record_write != NULL)
1813  {
1814  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1815 
1816  ret = ssl_hw_record_write( ssl );
1817  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1818  {
1819  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1821  }
1822  done = 1;
1823  }
1824 #endif
1825  if( !done )
1826  {
1827  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1828  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1829  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1830  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1831  ssl->out_hdr[4] = (unsigned char)( len );
1832 
1833  if( ssl->transform_out != NULL )
1834  {
1835  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1836  {
1837  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1838  return( ret );
1839  }
1840 
1841  len = ssl->out_msglen;
1842  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1843  ssl->out_hdr[4] = (unsigned char)( len );
1844  }
1845 
1846  ssl->out_left = 5 + ssl->out_msglen;
1847 
1848  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1849  "version = [%d:%d], msglen = %d",
1850  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1851  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1852 
1853  SSL_DEBUG_BUF( 4, "output record header sent to network",
1854  ssl->out_hdr, 5 );
1855  SSL_DEBUG_BUF( 4, "output record sent to network",
1856  ssl->out_hdr + 32, ssl->out_msglen );
1857  }
1858 
1859  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1860  {
1861  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1862  return( ret );
1863  }
1864 
1865  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1866 
1867  return( 0 );
1868 }
1869 
1870 int ssl_read_record( ssl_context *ssl )
1871 {
1872  int ret, done = 0;
1873 
1874  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1875 
1876  if( ssl->in_hslen != 0 &&
1877  ssl->in_hslen < ssl->in_msglen )
1878  {
1879  /*
1880  * Get next Handshake message in the current record
1881  */
1882  ssl->in_msglen -= ssl->in_hslen;
1883 
1884  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
1885  ssl->in_msglen );
1886 
1887  ssl->in_hslen = 4;
1888  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1889 
1890  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1891  " %d, type = %d, hslen = %d",
1892  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1893 
1894  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
1895  {
1896  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1898  }
1899 
1900  if( ssl->in_msglen < ssl->in_hslen )
1901  {
1902  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1904  }
1905 
1906  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
1907 
1908  return( 0 );
1909  }
1910 
1911  ssl->in_hslen = 0;
1912 
1913  /*
1914  * Read the record header and validate it
1915  */
1916  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1917  {
1918  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1919  return( ret );
1920  }
1921 
1922  ssl->in_msgtype = ssl->in_hdr[0];
1923  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
1924 
1925  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1926  "version = [%d:%d], msglen = %d",
1927  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1928  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
1929 
1930  if( ssl->in_hdr[1] != ssl->major_ver )
1931  {
1932  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
1934  }
1935 
1936  if( ssl->in_hdr[2] > ssl->max_minor_ver )
1937  {
1938  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
1940  }
1941 
1942  /*
1943  * Make sure the message length is acceptable
1944  */
1945  if( ssl->transform_in == NULL )
1946  {
1947  if( ssl->in_msglen < 1 ||
1949  {
1950  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1952  }
1953  }
1954  else
1955  {
1956  if( ssl->in_msglen < ssl->transform_in->minlen )
1957  {
1958  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1960  }
1961 
1962  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1964  {
1965  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1967  }
1968 
1969  /*
1970  * TLS encrypted messages can have up to 256 bytes of padding
1971  */
1972  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
1973  ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
1974  {
1975  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1977  }
1978  }
1979 
1980  /*
1981  * Read and optionally decrypt the message contents
1982  */
1983  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1984  {
1985  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1986  return( ret );
1987  }
1988 
1989  SSL_DEBUG_BUF( 4, "input record from network",
1990  ssl->in_hdr, 5 + ssl->in_msglen );
1991 
1992 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1993  if( ssl_hw_record_read != NULL)
1994  {
1995  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1996 
1997  ret = ssl_hw_record_read( ssl );
1998  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1999  {
2000  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2002  }
2003  done = 1;
2004  }
2005 #endif
2006  if( !done && ssl->transform_in != NULL )
2007  {
2008  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2009  {
2010 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2011  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2012  {
2016  }
2017 #endif
2018  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2019  return( ret );
2020  }
2021 
2022  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2023  ssl->in_msg, ssl->in_msglen );
2024 
2025  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2026  {
2027  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2029  }
2030  }
2031 
2032 #if defined(POLARSSL_ZLIB_SUPPORT)
2033  if( ssl->transform_in != NULL &&
2035  {
2036  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2037  {
2038  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2039  return( ret );
2040  }
2041 
2042  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2043  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2044  }
2045 #endif /* POLARSSL_ZLIB_SUPPORT */
2046 
2047  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2048  ssl->in_msgtype != SSL_MSG_ALERT &&
2051  {
2052  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2053 
2054  if( ( ret = ssl_send_alert_message( ssl,
2057  {
2058  return( ret );
2059  }
2060 
2062  }
2063 
2064  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2065  {
2066  ssl->in_hslen = 4;
2067  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2068 
2069  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2070  " %d, type = %d, hslen = %d",
2071  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2072 
2073  /*
2074  * Additional checks to validate the handshake header
2075  */
2076  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2077  {
2078  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2080  }
2081 
2082  if( ssl->in_msglen < ssl->in_hslen )
2083  {
2084  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2086  }
2087 
2088  if( ssl->state != SSL_HANDSHAKE_OVER )
2089  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2090  }
2091 
2092  if( ssl->in_msgtype == SSL_MSG_ALERT )
2093  {
2094  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2095  ssl->in_msg[0], ssl->in_msg[1] ) );
2096 
2097  /*
2098  * Ignore non-fatal alerts, except close_notify
2099  */
2100  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2101  {
2102  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2103  ssl->in_msg[1] ) );
2109  }
2110 
2111  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2112  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2113  {
2114  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2116  }
2117  }
2118 
2119  ssl->in_left = 0;
2120 
2121  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2122 
2123  return( 0 );
2124 }
2125 
2127 {
2128  int ret;
2129 
2130  if( ( ret = ssl_send_alert_message( ssl,
2133  {
2134  return( ret );
2135  }
2136 
2137  return( 0 );
2138 }
2139 
2141  unsigned char level,
2142  unsigned char message )
2143 {
2144  int ret;
2145 
2146  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2147 
2148  ssl->out_msgtype = SSL_MSG_ALERT;
2149  ssl->out_msglen = 2;
2150  ssl->out_msg[0] = level;
2151  ssl->out_msg[1] = message;
2152 
2153  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2154  {
2155  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2156  return( ret );
2157  }
2158 
2159  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2160 
2161  return( 0 );
2162 }
2163 
2164 /*
2165  * Handshake functions
2166  */
2168 {
2169  int ret;
2170  size_t i, n;
2171  const x509_cert *crt;
2172 
2173  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2174 
2175  if( ssl->endpoint == SSL_IS_CLIENT )
2176  {
2177  if( ssl->client_auth == 0 )
2178  {
2179  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2180  ssl->state++;
2181  return( 0 );
2182  }
2183 
2184  /*
2185  * If using SSLv3 and got no cert, send an Alert message
2186  * (otherwise an empty Certificate message will be sent).
2187  */
2188  if( ssl->own_cert == NULL &&
2189  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2190  {
2191  ssl->out_msglen = 2;
2192  ssl->out_msgtype = SSL_MSG_ALERT;
2193  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2194  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2195 
2196  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2197  goto write_msg;
2198  }
2199  }
2200  else /* SSL_IS_SERVER */
2201  {
2202  if( ssl->own_cert == NULL )
2203  {
2204  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2206  }
2207  }
2208 
2209  SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
2210 
2211  /*
2212  * 0 . 0 handshake type
2213  * 1 . 3 handshake length
2214  * 4 . 6 length of all certs
2215  * 7 . 9 length of cert. 1
2216  * 10 . n-1 peer certificate
2217  * n . n+2 length of cert. 2
2218  * n+3 . ... upper level cert, etc.
2219  */
2220  i = 7;
2221  crt = ssl->own_cert;
2222 
2223  while( crt != NULL )
2224  {
2225  n = crt->raw.len;
2226  if( i + 3 + n > SSL_MAX_CONTENT_LEN )
2227  {
2228  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2229  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2231  }
2232 
2233  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2234  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2235  ssl->out_msg[i + 2] = (unsigned char)( n );
2236 
2237  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2238  i += n; crt = crt->next;
2239  }
2240 
2241  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2242  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2243  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2244 
2245  ssl->out_msglen = i;
2247  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2248 
2249 write_msg:
2250 
2251  ssl->state++;
2252 
2253  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2254  {
2255  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2256  return( ret );
2257  }
2258 
2259  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2260 
2261  return( 0 );
2262 }
2263 
2265 {
2266  int ret;
2267  size_t i, n;
2268 
2269  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2270 
2271  if( ssl->endpoint == SSL_IS_SERVER &&
2272  ssl->authmode == SSL_VERIFY_NONE )
2273  {
2275  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2276  ssl->state++;
2277  return( 0 );
2278  }
2279 
2280  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2281  {
2282  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2283  return( ret );
2284  }
2285 
2286  ssl->state++;
2287 
2288  /*
2289  * Check if the client sent an empty certificate
2290  */
2291  if( ssl->endpoint == SSL_IS_SERVER &&
2292  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2293  {
2294  if( ssl->in_msglen == 2 &&
2295  ssl->in_msgtype == SSL_MSG_ALERT &&
2296  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2297  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2298  {
2299  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2300 
2302  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2303  return( 0 );
2304  else
2306  }
2307  }
2308 
2309  if( ssl->endpoint == SSL_IS_SERVER &&
2310  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2311  {
2312  if( ssl->in_hslen == 7 &&
2313  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2314  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2315  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2316  {
2317  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2318 
2320  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2322  else
2323  return( 0 );
2324  }
2325  }
2326 
2327  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2328  {
2329  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2331  }
2332 
2333  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2334  {
2335  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2337  }
2338 
2339  /*
2340  * Same message structure as in ssl_write_certificate()
2341  */
2342  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2343 
2344  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2345  {
2346  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2348  }
2349 
2350  /* In case we tried to reuse a session but it failed */
2351  if( ssl->session_negotiate->peer_cert != NULL )
2352  {
2354  free( ssl->session_negotiate->peer_cert );
2355  }
2356 
2357  if( ( ssl->session_negotiate->peer_cert = (x509_cert *) malloc(
2358  sizeof( x509_cert ) ) ) == NULL )
2359  {
2360  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2361  sizeof( x509_cert ) ) );
2363  }
2364 
2365  memset( ssl->session_negotiate->peer_cert, 0, sizeof( x509_cert ) );
2366 
2367  i = 7;
2368 
2369  while( i < ssl->in_hslen )
2370  {
2371  if( ssl->in_msg[i] != 0 )
2372  {
2373  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2375  }
2376 
2377  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2378  | (unsigned int) ssl->in_msg[i + 2];
2379  i += 3;
2380 
2381  if( n < 128 || i + n > ssl->in_hslen )
2382  {
2383  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2385  }
2386 
2388  ssl->in_msg + i, n );
2389  if( ret != 0 )
2390  {
2391  SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2392  return( ret );
2393  }
2394 
2395  i += n;
2396  }
2397 
2398  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2399 
2400  if( ssl->authmode != SSL_VERIFY_NONE )
2401  {
2402  if( ssl->ca_chain == NULL )
2403  {
2404  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2406  }
2407 
2409  ssl->ca_chain, ssl->ca_crl,
2410  ssl->peer_cn, &ssl->verify_result,
2411  ssl->f_vrfy, ssl->p_vrfy );
2412 
2413  if( ret != 0 )
2414  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2415 
2416  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2417  ret = 0;
2418  }
2419 
2420  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2421 
2422  return( ret );
2423 }
2424 
2426 {
2427  int ret;
2428 
2429  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2430 
2432  ssl->out_msglen = 1;
2433  ssl->out_msg[0] = 1;
2434 
2435  ssl->state++;
2436 
2437  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2438  {
2439  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2440  return( ret );
2441  }
2442 
2443  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2444 
2445  return( 0 );
2446 }
2447 
2449 {
2450  int ret;
2451 
2452  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2453 
2454  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2455  {
2456  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2457  return( ret );
2458  }
2459 
2461  {
2462  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2464  }
2465 
2466  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2467  {
2468  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2470  }
2471 
2472  ssl->state++;
2473 
2474  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2475 
2476  return( 0 );
2477 }
2478 
2479 void ssl_optimize_checksum( ssl_context *ssl, int ciphersuite )
2480 {
2481 #if !defined(POLARSSL_SHA4_C)
2482  ((void) ciphersuite);
2483 #endif
2484 
2485  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2486  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2487 #if defined(POLARSSL_SHA4_C)
2488  else if ( ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
2489  ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
2490  {
2491  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2492  }
2493 #endif
2494  else
2495  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2496 }
2497 
2498 static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
2499  size_t len )
2500 {
2501  md5_update( &ssl->handshake->fin_md5 , buf, len );
2502  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2503  sha2_update( &ssl->handshake->fin_sha2, buf, len );
2504 #if defined(POLARSSL_SHA4_C)
2505  sha4_update( &ssl->handshake->fin_sha4, buf, len );
2506 #endif
2507 }
2508 
2509 static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
2510  size_t len )
2511 {
2512  md5_update( &ssl->handshake->fin_md5 , buf, len );
2513  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2514 }
2515 
2516 static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
2517  size_t len )
2518 {
2519  sha2_update( &ssl->handshake->fin_sha2, buf, len );
2520 }
2521 
2522 #if defined(POLARSSL_SHA4_C)
2523 static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
2524  size_t len )
2525 {
2526  sha4_update( &ssl->handshake->fin_sha4, buf, len );
2527 }
2528 #endif
2529 
2530 static void ssl_calc_finished_ssl(
2531  ssl_context *ssl, unsigned char *buf, int from )
2532 {
2533  const char *sender;
2534  md5_context md5;
2536 
2537  unsigned char padbuf[48];
2538  unsigned char md5sum[16];
2539  unsigned char sha1sum[20];
2540 
2541  ssl_session *session = ssl->session_negotiate;
2542  if( !session )
2543  session = ssl->session;
2544 
2545  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2546 
2547  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2548  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2549 
2550  /*
2551  * SSLv3:
2552  * hash =
2553  * MD5( master + pad2 +
2554  * MD5( handshake + sender + master + pad1 ) )
2555  * + SHA1( master + pad2 +
2556  * SHA1( handshake + sender + master + pad1 ) )
2557  */
2558 
2559 #if !defined(POLARSSL_MD5_ALT)
2560  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2561  md5.state, sizeof( md5.state ) );
2562 #endif
2563 
2564 #if !defined(POLARSSL_SHA1_ALT)
2565  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2566  sha1.state, sizeof( sha1.state ) );
2567 #endif
2568 
2569  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2570  : "SRVR";
2571 
2572  memset( padbuf, 0x36, 48 );
2573 
2574  md5_update( &md5, (const unsigned char *) sender, 4 );
2575  md5_update( &md5, session->master, 48 );
2576  md5_update( &md5, padbuf, 48 );
2577  md5_finish( &md5, md5sum );
2578 
2579  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2580  sha1_update( &sha1, session->master, 48 );
2581  sha1_update( &sha1, padbuf, 40 );
2582  sha1_finish( &sha1, sha1sum );
2583 
2584  memset( padbuf, 0x5C, 48 );
2585 
2586  md5_starts( &md5 );
2587  md5_update( &md5, session->master, 48 );
2588  md5_update( &md5, padbuf, 48 );
2589  md5_update( &md5, md5sum, 16 );
2590  md5_finish( &md5, buf );
2591 
2592  sha1_starts( &sha1 );
2593  sha1_update( &sha1, session->master, 48 );
2594  sha1_update( &sha1, padbuf , 40 );
2595  sha1_update( &sha1, sha1sum, 20 );
2596  sha1_finish( &sha1, buf + 16 );
2597 
2598  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2599 
2600  memset( &md5, 0, sizeof( md5_context ) );
2601  memset( &sha1, 0, sizeof( sha1_context ) );
2602 
2603  memset( padbuf, 0, sizeof( padbuf ) );
2604  memset( md5sum, 0, sizeof( md5sum ) );
2605  memset( sha1sum, 0, sizeof( sha1sum ) );
2606 
2607  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2608 }
2609 
2610 static void ssl_calc_finished_tls(
2611  ssl_context *ssl, unsigned char *buf, int from )
2612 {
2613  int len = 12;
2614  const char *sender;
2615  md5_context md5;
2617  unsigned char padbuf[36];
2618 
2619  ssl_session *session = ssl->session_negotiate;
2620  if( !session )
2621  session = ssl->session;
2622 
2623  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2624 
2625  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2626  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2627 
2628  /*
2629  * TLSv1:
2630  * hash = PRF( master, finished_label,
2631  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2632  */
2633 
2634 #if !defined(POLARSSL_MD5_ALT)
2635  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2636  md5.state, sizeof( md5.state ) );
2637 #endif
2638 
2639 #if !defined(POLARSSL_SHA1_ALT)
2640  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2641  sha1.state, sizeof( sha1.state ) );
2642 #endif
2643 
2644  sender = ( from == SSL_IS_CLIENT )
2645  ? "client finished"
2646  : "server finished";
2647 
2648  md5_finish( &md5, padbuf );
2649  sha1_finish( &sha1, padbuf + 16 );
2650 
2651  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2652  padbuf, 36, buf, len );
2653 
2654  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2655 
2656  memset( &md5, 0, sizeof( md5_context ) );
2657  memset( &sha1, 0, sizeof( sha1_context ) );
2658 
2659  memset( padbuf, 0, sizeof( padbuf ) );
2660 
2661  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2662 }
2663 
2664 static void ssl_calc_finished_tls_sha256(
2665  ssl_context *ssl, unsigned char *buf, int from )
2666 {
2667  int len = 12;
2668  const char *sender;
2670  unsigned char padbuf[32];
2671 
2672  ssl_session *session = ssl->session_negotiate;
2673  if( !session )
2674  session = ssl->session;
2675 
2676  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2677 
2678  memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
2679 
2680  /*
2681  * TLSv1.2:
2682  * hash = PRF( master, finished_label,
2683  * Hash( handshake ) )[0.11]
2684  */
2685 
2686 #if !defined(POLARSSL_SHA2_ALT)
2687  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2688  sha2.state, sizeof( sha2.state ) );
2689 #endif
2690 
2691  sender = ( from == SSL_IS_CLIENT )
2692  ? "client finished"
2693  : "server finished";
2694 
2695  sha2_finish( &sha2, padbuf );
2696 
2697  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2698  padbuf, 32, buf, len );
2699 
2700  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2701 
2702  memset( &sha2, 0, sizeof( sha2_context ) );
2703 
2704  memset( padbuf, 0, sizeof( padbuf ) );
2705 
2706  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2707 }
2708 
2709 #if defined(POLARSSL_SHA4_C)
2710 static void ssl_calc_finished_tls_sha384(
2711  ssl_context *ssl, unsigned char *buf, int from )
2712 {
2713  int len = 12;
2714  const char *sender;
2716  unsigned char padbuf[48];
2717 
2718  ssl_session *session = ssl->session_negotiate;
2719  if( !session )
2720  session = ssl->session;
2721 
2722  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
2723 
2724  memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
2725 
2726  /*
2727  * TLSv1.2:
2728  * hash = PRF( master, finished_label,
2729  * Hash( handshake ) )[0.11]
2730  */
2731 
2732 #if !defined(POLARSSL_SHA4_ALT)
2733  SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2734  sha4.state, sizeof( sha4.state ) );
2735 #endif
2736 
2737  sender = ( from == SSL_IS_CLIENT )
2738  ? "client finished"
2739  : "server finished";
2740 
2741  sha4_finish( &sha4, padbuf );
2742 
2743  ssl->handshake->tls_prf( session->master, 48, (char *) sender,
2744  padbuf, 48, buf, len );
2745 
2746  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2747 
2748  memset( &sha4, 0, sizeof( sha4_context ) );
2749 
2750  memset( padbuf, 0, sizeof( padbuf ) );
2751 
2752  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2753 }
2754 #endif
2755 
2756 void ssl_handshake_wrapup( ssl_context *ssl )
2757 {
2758  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
2759 
2760  /*
2761  * Free our handshake params
2762  */
2763  ssl_handshake_free( ssl->handshake );
2764  free( ssl->handshake );
2765  ssl->handshake = NULL;
2766 
2767  /*
2768  * Switch in our now active transform context
2769  */
2770  if( ssl->transform )
2771  {
2772  ssl_transform_free( ssl->transform );
2773  free( ssl->transform );
2774  }
2775  ssl->transform = ssl->transform_negotiate;
2776  ssl->transform_negotiate = NULL;
2777 
2778  if( ssl->session )
2779  {
2780  ssl_session_free( ssl->session );
2781  free( ssl->session );
2782  }
2783  ssl->session = ssl->session_negotiate;
2784  ssl->session_negotiate = NULL;
2785 
2786  /*
2787  * Add cache entry
2788  */
2789  if( ssl->f_set_cache != NULL )
2790  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
2791  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
2792 
2793  ssl->state++;
2794 
2795  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
2796 }
2797 
2798 int ssl_write_finished( ssl_context *ssl )
2799 {
2800  int ret, hash_len;
2801 
2802  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2803 
2804  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2805 
2806  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2807  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2808 
2809  ssl->verify_data_len = hash_len;
2810  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
2811 
2812  ssl->out_msglen = 4 + hash_len;
2814  ssl->out_msg[0] = SSL_HS_FINISHED;
2815 
2816  /*
2817  * In case of session resuming, invert the client and server
2818  * ChangeCipherSpec messages order.
2819  */
2820  if( ssl->handshake->resume != 0 )
2821  {
2822  if( ssl->endpoint == SSL_IS_CLIENT )
2823  ssl->state = SSL_HANDSHAKE_WRAPUP;
2824  else
2826  }
2827  else
2828  ssl->state++;
2829 
2830  /*
2831  * Switch to our negotiated transform and session parameters for outbound data.
2832  */
2833  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
2834  ssl->transform_out = ssl->transform_negotiate;
2835  ssl->session_out = ssl->session_negotiate;
2836  memset( ssl->out_ctr, 0, 8 );
2837 
2838  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2839  {
2840  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2841  return( ret );
2842  }
2843 
2844  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2845 
2846  return( 0 );
2847 }
2848 
2849 int ssl_parse_finished( ssl_context *ssl )
2850 {
2851  int ret;
2852  unsigned int hash_len;
2853  unsigned char buf[36];
2854 
2855  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2856 
2857  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
2858 
2859  /*
2860  * Switch to our negotiated transform and session parameters for inbound data.
2861  */
2862  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
2863  ssl->transform_in = ssl->transform_negotiate;
2864  ssl->session_in = ssl->session_negotiate;
2865  memset( ssl->in_ctr, 0, 8 );
2866 
2867  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2868  {
2869  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2870  return( ret );
2871  }
2872 
2873  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2874  {
2875  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2877  }
2878 
2879  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2880  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2881 
2882  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
2883  ssl->in_hslen != 4 + hash_len )
2884  {
2885  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2887  }
2888 
2889  if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2890  {
2891  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2893  }
2894 
2895  ssl->verify_data_len = hash_len;
2896  memcpy( ssl->peer_verify_data, buf, hash_len );
2897 
2898  if( ssl->handshake->resume != 0 )
2899  {
2900  if( ssl->endpoint == SSL_IS_CLIENT )
2902 
2903  if( ssl->endpoint == SSL_IS_SERVER )
2904  ssl->state = SSL_HANDSHAKE_WRAPUP;
2905  }
2906  else
2907  ssl->state++;
2908 
2909  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2910 
2911  return( 0 );
2912 }
2913 
2914 int ssl_handshake_init( ssl_context *ssl )
2915 {
2916  if( ssl->transform_negotiate )
2918  else
2919  ssl->transform_negotiate = malloc( sizeof(ssl_transform) );
2920 
2921  if( ssl->session_negotiate )
2923  else
2924  ssl->session_negotiate = malloc( sizeof(ssl_session) );
2925 
2926  if( ssl->handshake )
2927  ssl_handshake_free( ssl->handshake );
2928  else
2929  ssl->handshake = malloc( sizeof(ssl_handshake_params) );
2930 
2931  if( ssl->handshake == NULL ||
2932  ssl->transform_negotiate == NULL ||
2933  ssl->session_negotiate == NULL )
2934  {
2935  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
2937  }
2938 
2939  memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
2940  memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
2941  memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
2942 
2943  md5_starts( &ssl->handshake->fin_md5 );
2944  sha1_starts( &ssl->handshake->fin_sha1 );
2945  sha2_starts( &ssl->handshake->fin_sha2, 0 );
2946 #if defined(POLARSSL_SHA4_C)
2947  sha4_starts( &ssl->handshake->fin_sha4, 1 );
2948 #endif
2949 
2950  ssl->handshake->update_checksum = ssl_update_checksum_start;
2952 
2953  return( 0 );
2954 }
2955 
2956 /*
2957  * Initialize an SSL context
2958  */
2959 int ssl_init( ssl_context *ssl )
2960 {
2961  int ret;
2962  int len = SSL_BUFFER_LEN;
2963 
2964  memset( ssl, 0, sizeof( ssl_context ) );
2965 
2966  /*
2967  * Sane defaults
2968  */
2969  ssl->rsa_decrypt = ssl_rsa_decrypt;
2970  ssl->rsa_sign = ssl_rsa_sign;
2971  ssl->rsa_key_len = ssl_rsa_key_len;
2972 
2975 
2976  ssl->ciphersuites = malloc( sizeof(int *) * 4 );
2978 
2979 #if defined(POLARSSL_DHM_C)
2980  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
2982  ( ret = mpi_read_string( &ssl->dhm_G, 16,
2984  {
2985  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2986  return( ret );
2987  }
2988 #endif
2989 
2990  /*
2991  * Prepare base structures
2992  */
2993  ssl->in_ctr = (unsigned char *) malloc( len );
2994  ssl->in_hdr = ssl->in_ctr + 8;
2995  ssl->in_msg = ssl->in_ctr + 13;
2996 
2997  if( ssl->in_ctr == NULL )
2998  {
2999  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3001  }
3002 
3003  ssl->out_ctr = (unsigned char *) malloc( len );
3004  ssl->out_hdr = ssl->out_ctr + 8;
3005  ssl->out_msg = ssl->out_ctr + 40;
3006 
3007  if( ssl->out_ctr == NULL )
3008  {
3009  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3010  free( ssl-> in_ctr );
3012  }
3013 
3014  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3015  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3016 
3017  ssl->hostname = NULL;
3018  ssl->hostname_len = 0;
3019 
3020  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3021  return( ret );
3022 
3023  return( 0 );
3024 }
3025 
3026 /*
3027  * Reset an initialized and used SSL context for re-use while retaining
3028  * all application-set variables, function pointers and data.
3029  */
3030 int ssl_session_reset( ssl_context *ssl )
3031 {
3032  int ret;
3033 
3034  ssl->state = SSL_HELLO_REQUEST;
3037 
3038  ssl->verify_data_len = 0;
3039  memset( ssl->own_verify_data, 0, 36 );
3040  memset( ssl->peer_verify_data, 0, 36 );
3041 
3042  ssl->in_offt = NULL;
3043 
3044  ssl->in_msgtype = 0;
3045  ssl->in_msglen = 0;
3046  ssl->in_left = 0;
3047 
3048  ssl->in_hslen = 0;
3049  ssl->nb_zero = 0;
3050 
3051  ssl->out_msgtype = 0;
3052  ssl->out_msglen = 0;
3053  ssl->out_left = 0;
3054 
3055  ssl->transform_in = NULL;
3056  ssl->transform_out = NULL;
3057 
3058  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3059  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3060 
3061 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3062  if( ssl_hw_record_reset != NULL)
3063  {
3064  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3065  if( ssl_hw_record_reset( ssl ) != 0 )
3066  {
3067  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3069  }
3070  }
3071 #endif
3072 
3073  if( ssl->transform )
3074  {
3075  ssl_transform_free( ssl->transform );
3076  free( ssl->transform );
3077  ssl->transform = NULL;
3078  }
3079 
3080  if( ssl->session )
3081  {
3082  ssl_session_free( ssl->session );
3083  free( ssl->session );
3084  ssl->session = NULL;
3085  }
3086 
3087  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3088  return( ret );
3089 
3090  return( 0 );
3091 }
3092 
3093 /*
3094  * SSL set accessors
3095  */
3096 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3097 {
3098  ssl->endpoint = endpoint;
3099 }
3100 
3101 void ssl_set_authmode( ssl_context *ssl, int authmode )
3102 {
3103  ssl->authmode = authmode;
3104 }
3105 
3106 void ssl_set_verify( ssl_context *ssl,
3107  int (*f_vrfy)(void *, x509_cert *, int, int *),
3108  void *p_vrfy )
3109 {
3110  ssl->f_vrfy = f_vrfy;
3111  ssl->p_vrfy = p_vrfy;
3112 }
3113 
3114 void ssl_set_rng( ssl_context *ssl,
3115  int (*f_rng)(void *, unsigned char *, size_t),
3116  void *p_rng )
3117 {
3118  ssl->f_rng = f_rng;
3119  ssl->p_rng = p_rng;
3120 }
3121 
3122 void ssl_set_dbg( ssl_context *ssl,
3123  void (*f_dbg)(void *, int, const char *),
3124  void *p_dbg )
3125 {
3126  ssl->f_dbg = f_dbg;
3127  ssl->p_dbg = p_dbg;
3128 }
3129 
3130 void ssl_set_bio( ssl_context *ssl,
3131  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3132  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3133 {
3134  ssl->f_recv = f_recv;
3135  ssl->f_send = f_send;
3136  ssl->p_recv = p_recv;
3137  ssl->p_send = p_send;
3138 }
3139 
3141  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3142  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3143 {
3144  ssl->f_get_cache = f_get_cache;
3145  ssl->p_get_cache = p_get_cache;
3146  ssl->f_set_cache = f_set_cache;
3147  ssl->p_set_cache = p_set_cache;
3148 }
3149 
3150 void ssl_set_session( ssl_context *ssl, const ssl_session *session )
3151 {
3152  memcpy( ssl->session_negotiate, session, sizeof(ssl_session) );
3153  ssl->handshake->resume = 1;
3154 }
3155 
3156 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3157 {
3158  ssl->ciphersuites[SSL_MINOR_VERSION_0] = ciphersuites;
3159  ssl->ciphersuites[SSL_MINOR_VERSION_1] = ciphersuites;
3160  ssl->ciphersuites[SSL_MINOR_VERSION_2] = ciphersuites;
3161  ssl->ciphersuites[SSL_MINOR_VERSION_3] = ciphersuites;
3162 }
3163 
3164 void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
3165  int major, int minor )
3166 {
3167  if( major != SSL_MAJOR_VERSION_3 )
3168  return;
3169 
3170  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3171  return;
3172 
3173  ssl->ciphersuites[minor] = ciphersuites;
3174 }
3175 
3176 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
3177  x509_crl *ca_crl, const char *peer_cn )
3178 {
3179  ssl->ca_chain = ca_chain;
3180  ssl->ca_crl = ca_crl;
3181  ssl->peer_cn = peer_cn;
3182 }
3183 
3184 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
3185  rsa_context *rsa_key )
3186 {
3187  ssl->own_cert = own_cert;
3188  ssl->rsa_key = rsa_key;
3189 }
3190 
3191 void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
3192  void *rsa_key,
3193  rsa_decrypt_func rsa_decrypt,
3194  rsa_sign_func rsa_sign,
3195  rsa_key_len_func rsa_key_len )
3196 {
3197  ssl->own_cert = own_cert;
3198  ssl->rsa_key = rsa_key;
3199  ssl->rsa_decrypt = rsa_decrypt;
3200  ssl->rsa_sign = rsa_sign;
3201  ssl->rsa_key_len = rsa_key_len;
3202 }
3203 
3204 
3205 #if defined(POLARSSL_DHM_C)
3206 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3207 {
3208  int ret;
3209 
3210  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3211  {
3212  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3213  return( ret );
3214  }
3215 
3216  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3217  {
3218  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3219  return( ret );
3220  }
3221 
3222  return( 0 );
3223 }
3224 
3225 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3226 {
3227  int ret;
3228 
3229  if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
3230  {
3231  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3232  return( ret );
3233  }
3234 
3235  if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
3236  {
3237  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3238  return( ret );
3239  }
3240 
3241  return( 0 );
3242 }
3243 #endif /* POLARSSL_DHM_C */
3244 
3245 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3246 {
3247  if( hostname == NULL )
3249 
3250  ssl->hostname_len = strlen( hostname );
3251 
3252  if( ssl->hostname_len + 1 == 0 )
3254 
3255  ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
3256 
3257  if( ssl->hostname == NULL )
3259 
3260  memcpy( ssl->hostname, (const unsigned char *) hostname,
3261  ssl->hostname_len );
3262 
3263  ssl->hostname[ssl->hostname_len] = '\0';
3264 
3265  return( 0 );
3266 }
3267 
3268 void ssl_set_sni( ssl_context *ssl,
3269  int (*f_sni)(void *, ssl_context *,
3270  const unsigned char *, size_t),
3271  void *p_sni )
3272 {
3273  ssl->f_sni = f_sni;
3274  ssl->p_sni = p_sni;
3275 }
3276 
3277 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3278 {
3279  ssl->max_major_ver = major;
3280  ssl->max_minor_ver = minor;
3281 }
3282 
3283 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3284 {
3285  ssl->min_major_ver = major;
3286  ssl->min_minor_ver = minor;
3287 }
3288 
3289 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
3290 {
3291  ssl->disable_renegotiation = renegotiation;
3292 }
3293 
3294 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
3295 {
3296  ssl->allow_legacy_renegotiation = allow_legacy;
3297 }
3298 
3299 /*
3300  * SSL get accessors
3301  */
3302 size_t ssl_get_bytes_avail( const ssl_context *ssl )
3303 {
3304  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
3305 }
3306 
3307 int ssl_get_verify_result( const ssl_context *ssl )
3308 {
3309  return( ssl->verify_result );
3310 }
3311 
3312 const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
3313 {
3314  switch( ciphersuite_id )
3315  {
3316 #if defined(POLARSSL_ARC4_C)
3318  return( "TLS-RSA-WITH-RC4-128-MD5" );
3319 
3321  return( "TLS-RSA-WITH-RC4-128-SHA" );
3322 #endif
3323 
3324 #if defined(POLARSSL_DES_C)
3326  return( "TLS-RSA-WITH-3DES-EDE-CBC-SHA" );
3327 
3329  return( "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA" );
3330 #endif
3331 
3332 #if defined(POLARSSL_AES_C)
3334  return( "TLS-RSA-WITH-AES-128-CBC-SHA" );
3335 
3337  return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA" );
3338 
3340  return( "TLS-RSA-WITH-AES-256-CBC-SHA" );
3341 
3343  return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA" );
3344 
3345 #if defined(POLARSSL_SHA2_C)
3347  return( "TLS-RSA-WITH-AES-128-CBC-SHA256" );
3348 
3350  return( "TLS-RSA-WITH-AES-256-CBC-SHA256" );
3351 
3353  return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256" );
3354 
3356  return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" );
3357 #endif
3358 
3359 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3361  return( "TLS-RSA-WITH-AES-128-GCM-SHA256" );
3362 
3364  return( "TLS-RSA-WITH-AES-256-GCM-SHA384" );
3365 #endif
3366 
3367 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3369  return( "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" );
3370 
3372  return( "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" );
3373 #endif
3374 #endif /* POLARSSL_AES_C */
3375 
3376 #if defined(POLARSSL_CAMELLIA_C)
3378  return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" );
3379 
3381  return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA" );
3382 
3384  return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA" );
3385 
3387  return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA" );
3388 
3389 #if defined(POLARSSL_SHA2_C)
3391  return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
3392 
3394  return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
3395 
3397  return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
3398 
3400  return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
3401 #endif
3402 #endif
3403 
3404 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3405 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
3406  case TLS_RSA_WITH_NULL_MD5:
3407  return( "TLS-RSA-WITH-NULL-MD5" );
3408  case TLS_RSA_WITH_NULL_SHA:
3409  return( "TLS-RSA-WITH-NULL-SHA" );
3411  return( "TLS-RSA-WITH-NULL-SHA256" );
3412 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3413 
3414 #if defined(POLARSSL_DES_C)
3416  return( "TLS-RSA-WITH-DES-CBC-SHA" );
3418  return( "TLS-DHE-RSA-WITH-DES-CBC-SHA" );
3419 #endif
3420 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3421 
3422  default:
3423  break;
3424  }
3425 
3426  return( "unknown" );
3427 }
3428 
3429 int ssl_get_ciphersuite_id( const char *ciphersuite_name )
3430 {
3431 #if defined(POLARSSL_ARC4_C)
3432  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-MD5"))
3433  return( TLS_RSA_WITH_RC4_128_MD5 );
3434  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-SHA"))
3435  return( TLS_RSA_WITH_RC4_128_SHA );
3436 #endif
3437 
3438 #if defined(POLARSSL_DES_C)
3439  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-3DES-EDE-CBC-SHA"))
3441  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"))
3443 #endif
3444 
3445 #if defined(POLARSSL_AES_C)
3446  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA"))
3447  return( TLS_RSA_WITH_AES_128_CBC_SHA );
3448  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"))
3450  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA"))
3451  return( TLS_RSA_WITH_AES_256_CBC_SHA );
3452  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"))
3454 
3455 #if defined(POLARSSL_SHA2_C)
3456  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA256"))
3458  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA256"))
3460  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"))
3462  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"))
3464 #endif
3465 
3466 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3467  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-GCM-SHA256"))
3469  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-GCM-SHA384"))
3471 #endif
3472 
3473 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3474  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"))
3476  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"))
3478 #endif
3479 #endif
3480 
3481 #if defined(POLARSSL_CAMELLIA_C)
3482  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"))
3484  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"))
3486  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"))
3488  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"))
3490 
3491 #if defined(POLARSSL_SHA2_C)
3492  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
3494  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
3496  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
3498  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
3500 #endif
3501 #endif
3502 
3503 #if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
3504 #if defined(POLARSSL_CIPHER_NULL_CIPHER)
3505  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-MD5"))
3506  return( TLS_RSA_WITH_NULL_MD5 );
3507  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA"))
3508  return( TLS_RSA_WITH_NULL_SHA );
3509  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA256"))
3510  return( TLS_RSA_WITH_NULL_SHA256 );
3511 #endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
3512 
3513 #if defined(POLARSSL_DES_C)
3514  if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-DES-CBC-SHA"))
3515  return( TLS_RSA_WITH_DES_CBC_SHA );
3516  if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-DES-CBC-SHA"))
3517  return( TLS_DHE_RSA_WITH_DES_CBC_SHA );
3518 #endif
3519 #endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
3520 
3521  return( 0 );
3522 }
3523 
3524 int ssl_get_ciphersuite_min_version( const int ciphersuite_id )
3525 {
3526  switch( ciphersuite_id )
3527  {
3540  case TLS_RSA_WITH_NULL_MD5:
3541  case TLS_RSA_WITH_NULL_SHA:
3544  return SSL_MINOR_VERSION_0;
3545 
3559  return SSL_MINOR_VERSION_3;
3560 
3561  default:
3562  break;
3563  }
3564 
3565  return SSL_MINOR_VERSION_0;
3566 }
3567 
3568 const char *ssl_get_ciphersuite( const ssl_context *ssl )
3569 {
3570  if( ssl == NULL || ssl->session == NULL )
3571  return NULL;
3572 
3574 }
3575 
3576 const char *ssl_get_version( const ssl_context *ssl )
3577 {
3578  switch( ssl->minor_ver )
3579  {
3580  case SSL_MINOR_VERSION_0:
3581  return( "SSLv3.0" );
3582 
3583  case SSL_MINOR_VERSION_1:
3584  return( "TLSv1.0" );
3585 
3586  case SSL_MINOR_VERSION_2:
3587  return( "TLSv1.1" );
3588 
3589  case SSL_MINOR_VERSION_3:
3590  return( "TLSv1.2" );
3591 
3592  default:
3593  break;
3594  }
3595  return( "unknown" );
3596 }
3597 
3598 const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
3599 {
3600  if( ssl == NULL || ssl->session == NULL )
3601  return NULL;
3602 
3603  return ssl->session->peer_cert;
3604 }
3605 
3606 const int ssl_default_ciphersuites[] =
3607 {
3608 #if defined(POLARSSL_DHM_C)
3609 #if defined(POLARSSL_AES_C)
3610 #if defined(POLARSSL_SHA2_C)
3612 #endif /* POLARSSL_SHA2_C */
3613 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3615 #endif
3617 #if defined(POLARSSL_SHA2_C)
3619 #endif
3620 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3622 #endif
3624 #endif
3625 #if defined(POLARSSL_CAMELLIA_C)
3626 #if defined(POLARSSL_SHA2_C)
3628 #endif /* POLARSSL_SHA2_C */
3630 #if defined(POLARSSL_SHA2_C)
3632 #endif /* POLARSSL_SHA2_C */
3634 #endif
3635 #if defined(POLARSSL_DES_C)
3637 #endif
3638 #endif
3639 
3640 #if defined(POLARSSL_AES_C)
3641 #if defined(POLARSSL_SHA2_C)
3643 #endif /* POLARSSL_SHA2_C */
3644 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3646 #endif /* POLARSSL_SHA2_C */
3648 #endif
3649 #if defined(POLARSSL_CAMELLIA_C)
3650 #if defined(POLARSSL_SHA2_C)
3652 #endif /* POLARSSL_SHA2_C */
3654 #endif
3655 #if defined(POLARSSL_AES_C)
3656 #if defined(POLARSSL_SHA2_C)
3658 #endif /* POLARSSL_SHA2_C */
3659 #if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3661 #endif /* POLARSSL_SHA2_C */
3663 #endif
3664 #if defined(POLARSSL_CAMELLIA_C)
3665 #if defined(POLARSSL_SHA2_C)
3667 #endif /* POLARSSL_SHA2_C */
3669 #endif
3670 #if defined(POLARSSL_DES_C)
3672 #endif
3673 #if defined(POLARSSL_ARC4_C)
3676 #endif
3677  0
3678 };
3679 
3680 /*
3681  * Perform a single step of the SSL handshake
3682  */
3683 int ssl_handshake_step( ssl_context *ssl )
3684 {
3686 
3687 #if defined(POLARSSL_SSL_CLI_C)
3688  if( ssl->endpoint == SSL_IS_CLIENT )
3689  ret = ssl_handshake_client_step( ssl );
3690 #endif
3691 
3692 #if defined(POLARSSL_SSL_SRV_C)
3693  if( ssl->endpoint == SSL_IS_SERVER )
3694  ret = ssl_handshake_server_step( ssl );
3695 #endif
3696 
3697  return( ret );
3698 }
3699 
3700 /*
3701  * Perform the SSL handshake
3702  */
3703 int ssl_handshake( ssl_context *ssl )
3704 {
3705  int ret = 0;
3706 
3707  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3708 
3709  while( ssl->state != SSL_HANDSHAKE_OVER )
3710  {
3711  ret = ssl_handshake_step( ssl );
3712 
3713  if( ret != 0 )
3714  break;
3715  }
3716 
3717  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3718 
3719  return( ret );
3720 }
3721 
3722 /*
3723  * Renegotiate current connection
3724  */
3725 int ssl_renegotiate( ssl_context *ssl )
3726 {
3727  int ret;
3728 
3729  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
3730 
3731  if( ssl->state != SSL_HANDSHAKE_OVER )
3733 
3734  ssl->state = SSL_HELLO_REQUEST;
3736 
3737  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3738  return( ret );
3739 
3740  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3741  {
3742  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3743  return( ret );
3744  }
3745 
3746  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
3747 
3748  return( 0 );
3749 }
3750 
3751 /*
3752  * Receive application data decrypted from the SSL layer
3753  */
3754 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
3755 {
3756  int ret;
3757  size_t n;
3758 
3759  SSL_DEBUG_MSG( 2, ( "=> read" ) );
3760 
3761  if( ssl->state != SSL_HANDSHAKE_OVER )
3762  {
3763  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3764  {
3765  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3766  return( ret );
3767  }
3768  }
3769 
3770  if( ssl->in_offt == NULL )
3771  {
3772  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3773  {
3774  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3775  return( 0 );
3776 
3777  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3778  return( ret );
3779  }
3780 
3781  if( ssl->in_msglen == 0 &&
3783  {
3784  /*
3785  * OpenSSL sends empty messages to randomize the IV
3786  */
3787  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3788  {
3789  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3790  return( 0 );
3791 
3792  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3793  return( ret );
3794  }
3795  }
3796 
3797  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
3798  {
3799  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
3800 
3801  if( ssl->endpoint == SSL_IS_CLIENT &&
3802  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
3803  ssl->in_hslen != 4 ) )
3804  {
3805  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
3807  }
3808 
3812  {
3813  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
3814 
3815  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
3816  {
3817  /*
3818  * SSLv3 does not have a "no_renegotiation" alert
3819  */
3820  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
3821  return( ret );
3822  }
3823  else
3824  {
3825  if( ( ret = ssl_send_alert_message( ssl,
3828  {
3829  return( ret );
3830  }
3831  }
3832  }
3833  else
3834  {
3835  if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
3836  {
3837  SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
3838  return( ret );
3839  }
3840 
3841  return( POLARSSL_ERR_NET_WANT_READ );
3842  }
3843  }
3844  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3845  {
3846  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
3848  }
3849 
3850  ssl->in_offt = ssl->in_msg;
3851  }
3852 
3853  n = ( len < ssl->in_msglen )
3854  ? len : ssl->in_msglen;
3855 
3856  memcpy( buf, ssl->in_offt, n );
3857  ssl->in_msglen -= n;
3858 
3859  if( ssl->in_msglen == 0 )
3860  /* all bytes consumed */
3861  ssl->in_offt = NULL;
3862  else
3863  /* more data available */
3864  ssl->in_offt += n;
3865 
3866  SSL_DEBUG_MSG( 2, ( "<= read" ) );
3867 
3868  return( (int) n );
3869 }
3870 
3871 /*
3872  * Send application data to be encrypted by the SSL layer
3873  */
3874 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
3875 {
3876  int ret;
3877  size_t n;
3878 
3879  SSL_DEBUG_MSG( 2, ( "=> write" ) );
3880 
3881  if( ssl->state != SSL_HANDSHAKE_OVER )
3882  {
3883  if( ( ret = ssl_handshake( ssl ) ) != 0 )
3884  {
3885  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3886  return( ret );
3887  }
3888  }
3889 
3890  n = ( len < SSL_MAX_CONTENT_LEN )
3891  ? len : SSL_MAX_CONTENT_LEN;
3892 
3893  if( ssl->out_left != 0 )
3894  {
3895  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3896  {
3897  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3898  return( ret );
3899  }
3900  }
3901  else
3902  {
3903  ssl->out_msglen = n;
3905  memcpy( ssl->out_msg, buf, n );
3906 
3907  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3908  {
3909  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3910  return( ret );
3911  }
3912  }
3913 
3914  SSL_DEBUG_MSG( 2, ( "<= write" ) );
3915 
3916  return( (int) n );
3917 }
3918 
3919 /*
3920  * Notify the peer that the connection is being closed
3921  */
3922 int ssl_close_notify( ssl_context *ssl )
3923 {
3924  int ret;
3925 
3926  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3927 
3928  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3929  {
3930  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3931  return( ret );
3932  }
3933 
3934  if( ssl->state == SSL_HANDSHAKE_OVER )
3935  {
3936  if( ( ret = ssl_send_alert_message( ssl,
3938  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
3939  {
3940  return( ret );
3941  }
3942  }
3943 
3944  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3945 
3946  return( ret );
3947 }
3948 
3949 void ssl_transform_free( ssl_transform *transform )
3950 {
3951 #if defined(POLARSSL_ZLIB_SUPPORT)
3952  deflateEnd( &transform->ctx_deflate );
3953  inflateEnd( &transform->ctx_inflate );
3954 #endif
3955 
3956  memset( transform, 0, sizeof( ssl_transform ) );
3957 }
3958 
3959 void ssl_handshake_free( ssl_handshake_params *handshake )
3960 {
3961 #if defined(POLARSSL_DHM_C)
3962  dhm_free( &handshake->dhm_ctx );
3963 #endif
3964  memset( handshake, 0, sizeof( ssl_handshake_params ) );
3965 }
3966 
3967 void ssl_session_free( ssl_session *session )
3968 {
3969  if( session->peer_cert != NULL )
3970  {
3971  x509_free( session->peer_cert );
3972  free( session->peer_cert );
3973  }
3974 
3975  memset( session, 0, sizeof( ssl_session ) );
3976 }
3977 
3978 /*
3979  * Free an SSL context
3980  */
3981 void ssl_free( ssl_context *ssl )
3982 {
3983  SSL_DEBUG_MSG( 2, ( "=> free" ) );
3984 
3985  free( ssl->ciphersuites );
3986 
3987  if( ssl->out_ctr != NULL )
3988  {
3989  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3990  free( ssl->out_ctr );
3991  }
3992 
3993  if( ssl->in_ctr != NULL )
3994  {
3995  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3996  free( ssl->in_ctr );
3997  }
3998 
3999 #if defined(POLARSSL_DHM_C)
4000  mpi_free( &ssl->dhm_P );
4001  mpi_free( &ssl->dhm_G );
4002 #endif
4003 
4004  if( ssl->transform )
4005  {
4006  ssl_transform_free( ssl->transform );
4007  free( ssl->transform );
4008  }
4009 
4010  if( ssl->handshake )
4011  {
4012  ssl_handshake_free( ssl->handshake );
4015 
4016  free( ssl->handshake );
4017  free( ssl->transform_negotiate );
4018  free( ssl->session_negotiate );
4019  }
4020 
4021  if( ssl->session )
4022  {
4023  ssl_session_free( ssl->session );
4024  free( ssl->session );
4025  }
4026 
4027  if ( ssl->hostname != NULL)
4028  {
4029  memset( ssl->hostname, 0, ssl->hostname_len );
4030  free( ssl->hostname );
4031  ssl->hostname_len = 0;
4032  }
4033 
4034 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4035  if( ssl_hw_record_finish != NULL )
4036  {
4037  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4038  ssl_hw_record_finish( ssl );
4039  }
4040 #endif
4041 
4042  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4043 
4044  /* Actually clear after last debug message */
4045  memset( ssl, 0, sizeof( ssl_context ) );
4046 }
4047 
4048 #endif
unsigned char * hostname
Definition: ssl.h:515
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:218
ssl_session * session_in
Definition: ssl.h:441
#define SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:222
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:173
void sha1_hmac_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 HMAC final digest.
void * p_set_cache
Definition: ssl.h:434
int ciphersuite
Definition: ssl.h:320
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Processing of the ChangeCipherSpec handshake message failed.
Definition: ssl.h:87
mpi P
Definition: dhm.h:139
int x509parse_crt_der(x509_cert *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
size_t in_hslen
Definition: ssl.h:469
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
void(* f_dbg)(void *, int, const char *)
Definition: ssl.h:420
#define SSL_HS_FINISHED
Definition: ssl.h:256
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:419
void sha2_hmac_update(sha2_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 HMAC process buffer.
SHA-256 context structure.
Definition: sha2.h:50
#define POLARSSL_DHM_RFC5114_MODP_1024_P
Definition: dhm.h:91
size_t ivlen
Definition: ssl.h:339
int gcm_auth_decrypt(gcm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *tag, size_t tag_len, const unsigned char *input, unsigned char *output)
GCM buffer authenticated decryption using AES.
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition: ssl.h:175
int major_ver
Definition: ssl.h:408
void(* update_checksum)(ssl_context *, unsigned char *, size_t)
Definition: ssl.h:384
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:38
#define TLS_RSA_WITH_AES_128_CBC_SHA
Definition: ssl.h:166
int(* tls_prf)(unsigned char *, size_t, char *, unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl.h:387
int arc4_crypt(arc4_context *ctx, size_t length, const unsigned char *input, unsigned char *output)
ARC4 cipher function.
SHA-1 context structure.
Definition: sha1.h:50
sha1_context fin_sha1
Definition: ssl.h:380
int compression
Definition: ssl.h:321
void arc4_setup(arc4_context *ctx, const unsigned char *key, unsigned int keylen)
ARC4 key schedule.
const int ** ciphersuites
Definition: ssl.h:505
int state
Definition: ssl.h:405
const char * peer_cn
Definition: ssl.h:494
unsigned char master[48]
Definition: ssl.h:324
#define TLS_RSA_WITH_RC4_128_SHA
Definition: ssl.h:161
char peer_verify_data[36]
Definition: ssl.h:525
int camellia_crypt_cbc(camellia_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
CAMELLIA-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
void ssl_set_own_cert(ssl_context *ssl, x509_cert *own_cert, rsa_context *rsa_key)
Set own certificate chain and private key.
ssl_transform * transform_out
Definition: ssl.h:453
Debug functions.
#define DES_ENCRYPT
Definition: des.h:41
int ssl_get_ciphersuite_min_version(const int ciphersuite_id)
#define POLARSSL_ERR_SSL_CONN_EOF
The connection indicated an EOF.
Definition: ssl.h:64
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:426
int nb_zero
Definition: ssl.h:470
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:385
#define TLS_RSA_WITH_AES_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:171
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
DHM context structure.
Definition: dhm.h:136
x509_cert * peer_cert
Definition: ssl.h:325
#define SSL_BUFFER_LEN
Definition: ssl.h:149
#define SSL_IS_CLIENT
Definition: ssl.h:104
#define SSL_HASH_SHA1
Definition: ssl.h:196
void ssl_set_verify(ssl_context *ssl, int(*f_vrfy)(void *, x509_cert *, int, int *), void *p_vrfy)
Set the verification callback (Optional).
ssl_session * session_negotiate
Definition: ssl.h:444
x509_cert * ca_chain
Definition: ssl.h:492
ssl_session * session
Definition: ssl.h:443
void ssl_legacy_renegotiation(ssl_context *ssl, int allow_legacy)
Prevent or allow legacy renegotiation.
int ssl_parse_certificate(ssl_context *ssl)
void ssl_set_dbg(ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg)
Set the debug callback.
#define POLARSSL_ERR_SSL_INVALID_RECORD
An invalid SSL record was received.
Definition: ssl.h:63
void ssl_set_own_cert_alt(ssl_context *ssl, x509_cert *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len)
Set own certificate and alternate non-PolarSSL private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
#define BADCERT_SKIP_VERIFY
Certificate verification was skipped.
Definition: x509.h:81
void sha2_hmac_starts(sha2_context *ctx, const unsigned char *key, size_t keylen, int is224)
SHA-256 HMAC context setup.
uint32_t state[5]
Definition: sha1.h:53
unsigned char iv_enc[16]
Definition: ssl.h:343
size_t out_msglen
Definition: ssl.h:480
ssl_transform * transform_in
Definition: ssl.h:452
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:428
x509_buf raw
The raw certificate data (DER).
Definition: x509.h:290
int rsa_pkcs1_sign(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Generic wrapper to perform a PKCS#1 signature using the mode from the context.
rsa_sign_func rsa_sign
Definition: ssl.h:488
mpi dhm_P
Definition: ssl.h:508
#define AES_DECRYPT
Definition: aes.h:42
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:180
#define SSL_RENEGOTIATION
Definition: ssl.h:114
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
void sha1_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[20])
Output = HMAC-SHA-1( hmac key, input buffer )
AES context structure.
Definition: aes.h:54
void x509_free(x509_cert *crt)
Unallocate all certificate data.
int ssl_write_finished(ssl_context *ssl)
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:181
Configuration options (set of defines)
ssl_transform * transform
Definition: ssl.h:454
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:35
unsigned char * out_ctr
Definition: ssl.h:475
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
Camellia block cipher.
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
The peer notified us that the connection is going to be closed.
Definition: ssl.h:76
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:524
int camellia_setkey_enc(camellia_context *ctx, const unsigned char *key, unsigned int keysize)
CAMELLIA key schedule (encryption)
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:187
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:422
int rsa_pkcs1_decrypt(rsa_context *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Generic wrapper to perform a PKCS#1 decryption using the mode from the context.
#define SSL_VERIFY_OPTIONAL
Definition: ssl.h:110
size_t in_msglen
Definition: ssl.h:466
int ssl_set_dh_param_ctx(ssl_context *ssl, dhm_context *dhm_ctx)
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) ...
unsigned char * in_hdr
Definition: ssl.h:461
int secure_renegotiation
Definition: ssl.h:521
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA
Definition: ssl.h:163
int(* rsa_decrypt_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Definition: ssl.h:273
Container for an X.509 certificate.
Definition: x509.h:288
uint64_t state[8]
Definition: sha4.h:54
DES context structure.
Definition: des.h:55
#define SSL_VERIFY_REQUIRED
Definition: ssl.h:111
#define SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:243
void md5_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[16])
Output = HMAC-MD5( hmac key, input buffer )
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:122
void * p_vrfy
Definition: ssl.h:432
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:98
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Definition: ssl.h:164
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED
Hardware acceleration function returned with error.
Definition: ssl.h:90
void ssl_set_max_version(ssl_context *ssl, int major, int minor)
Set the maximum supported version sent from the client side.
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:62
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
No client certification received from the client, but required by the authentication mode...
Definition: ssl.h:68
void * p_recv
Definition: ssl.h:430
#define GCM_ENCRYPT
Definition: gcm.h:39
const int ssl_default_ciphersuites[]
void ssl_set_ciphersuites_for_version(ssl_context *ssl, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites for a specific version of the protocol.
int des3_set3key_enc(des3_context *ctx, const unsigned char key[DES_KEY_SIZE *3])
Triple-DES key schedule (168-bit, encryption)
int ssl_init(ssl_context *ssl)
Initialize an SSL context.
int max_major_ver
Definition: ssl.h:411
int ssl_get_ciphersuite_id(const char *ciphersuite_name)
Return the ID of the ciphersuite associated with the given name.
#define SSL_MINOR_VERSION_1
Definition: ssl.h:100
unsigned int keylen
Definition: ssl.h:337
void sha2_hmac_finish(sha2_context *ctx, unsigned char output[32])
SHA-256 HMAC final digest.
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Definition: ssl.h:186
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
Hardware acceleration function skipped / left alone data.
Definition: ssl.h:91
int des3_set3key_dec(des3_context *ctx, const unsigned char key[DES_KEY_SIZE *3])
Triple-DES key schedule (168-bit, decryption)
int max_minor_ver
Definition: ssl.h:412
unsigned char premaster[POLARSSL_MPI_MAX_SIZE]
Definition: ssl.h:394
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
The own certificate is not set, but needed by the server.
Definition: ssl.h:70
void sha4_starts(sha4_context *ctx, int is384)
SHA-512 context setup.
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:221
#define TLS_RSA_WITH_AES_256_GCM_SHA384
Definition: ssl.h:185
unsigned char * in_ctr
Definition: ssl.h:460
ssl_handshake_params * handshake
Definition: ssl.h:446
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:69
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:214
size_t fixed_ivlen
Definition: ssl.h:340
#define SSL_MINOR_VERSION_2
Definition: ssl.h:101
void sha4_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
int ssl_write_certificate(ssl_context *ssl)
int gcm_crypt_and_tag(gcm_context *ctx, int mode, size_t length, const unsigned char *iv, size_t iv_len, const unsigned char *add, size_t add_len, const unsigned char *input, unsigned char *output, size_t tag_len, unsigned char *tag)
GCM buffer encryption/decryption using AES.
size_t(* rsa_key_len_func)(void *ctx)
Definition: ssl.h:282
#define POLARSSL_DHM_RFC5114_MODP_1024_G
Definition: dhm.h:99
RSA context structure.
Definition: rsa.h:135
rsa_key_len_func rsa_key_len
Definition: ssl.h:489
int in_msgtype
Definition: ssl.h:465
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
A fatal alert message was received from our peer.
Definition: ssl.h:74
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Definition: ssl.h:177
Triple-DES context structure.
Definition: des.h:65
void md5_hmac_starts(md5_context *ctx, const unsigned char *key, size_t keylen)
MD5 HMAC context setup.
size_t verify_data_len
Definition: ssl.h:523
const char * ssl_get_ciphersuite(const ssl_context *ssl)
Return the name of the current ciphersuite.
mpi dhm_G
Definition: ssl.h:509
mpi G
Definition: dhm.h:140
#define SSL_IS_SERVER
Definition: ssl.h:105
const char * ssl_get_version(const ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
void ssl_set_renegotiation(ssl_context *ssl, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIAT...
int min_minor_ver
Definition: ssl.h:414
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
unsigned char * out_msg
Definition: ssl.h:477
sha2_context fin_sha2
Definition: ssl.h:381
SHA-224 and SHA-256 cryptographic hash function.
#define SSL_MINOR_VERSION_0
Definition: ssl.h:99
int client_auth
Definition: ssl.h:501
#define SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:212
void * p_dbg
Definition: ssl.h:429
void * p_send
Definition: ssl.h:431
x509_crl * ca_crl
Definition: ssl.h:493
sha4_context fin_sha4
Definition: ssl.h:382
#define TLS_DHE_RSA_WITH_DES_CBC_SHA
Weak! Not in TLS 1.2.
Definition: ssl.h:158
int ssl_handshake_client_step(ssl_context *ssl)
void sha4_update(sha4_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:73
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:112
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition: ssl.h:176
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED
Processing of the compression / decompression failed.
Definition: ssl.h:92
size_t maclen
Definition: ssl.h:341
unsigned char * out_hdr
Definition: ssl.h:476
AES block cipher.
int(* f_vrfy)(void *, x509_cert *, int, int *)
Definition: ssl.h:423
void ssl_set_endpoint(ssl_context *ssl, int endpoint)
Set the current endpoint type.
void mpi_free(mpi *X)
Unallocate one MPI.
void ssl_set_ciphersuites(ssl_context *ssl, const int *ciphersuites)
Set the list of allowed ciphersuites (Default: ssl_default_ciphersuites) (Overrides all version speci...
void md5_process(md5_context *ctx, const unsigned char data[64])
#define TLS_RSA_WITH_NULL_SHA256
Weak!
Definition: ssl.h:156
#define SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:217
void ssl_set_rng(ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
void * p_get_cache
Definition: ssl.h:433
#define TLS_RSA_WITH_RC4_128_MD5
Definition: ssl.h:160
void ssl_set_bio(ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send)
Set the underlying BIO read and write callbacks.
void ssl_free(ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
void md5_starts(md5_context *ctx)
MD5 context setup.
GCM context structure.
Definition: gcm.h:48
#define SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:119
int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Definition: ssl.h:278
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
No CA Chain is set, but required to operate.
Definition: ssl.h:72
CAMELLIA context structure.
Definition: camellia.h:54
void ssl_handshake_free(ssl_handshake_params *handshake)
Free referenced items in an SSL handshake context and clear memory.
int authmode
Definition: ssl.h:500
int ssl_flush_output(ssl_context *ssl)
int ssl_handshake(ssl_context *ssl)
Perform the SSL handshake.
unsigned char * in_offt
Definition: ssl.h:463
rsa_decrypt_func rsa_decrypt
Definition: ssl.h:487
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Definition: ssl.h:169
void ssl_set_min_version(ssl_context *ssl, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0)...
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:107
void sha1_hmac_starts(sha1_context *ctx, const unsigned char *key, size_t keylen)
SHA-1 HMAC context setup.
unsigned char * in_msg
Definition: ssl.h:462
void ssl_set_session(ssl_context *ssl, const ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
int ssl_set_hostname(ssl_context *ssl, const char *hostname)
Set hostname for ServerName TLS extension (client-side only)
uint32_t state[8]
Definition: sha2.h:53
void md5_hmac_finish(md5_context *ctx, unsigned char output[16])
MD5 HMAC final digest.
int ssl_handshake_step(ssl_context *ssl)
Perform a single step of the SSL handshake.
#define SSL_MINOR_VERSION_3
Definition: ssl.h:102
MD5 context structure.
Definition: md5.h:50
unsigned char mac_dec[32]
Definition: ssl.h:347
int gcm_init(gcm_context *ctx, const unsigned char *key, unsigned int keysize)
GCM initialization (encryption)
unsigned char iv_dec[16]
Definition: ssl.h:344
#define POLARSSL_ERR_NET_WANT_READ
Connection requires a read call.
Definition: net.h:41
#define SSL_HS_CERTIFICATE
Definition: ssl.h:250
int ssl_parse_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:47
size_t hostname_len
Definition: ssl.h:516
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:409
int des_crypt_cbc(des_context *ctx, int mode, size_t length, unsigned char iv[8], const unsigned char *input, unsigned char *output)
DES-CBC buffer encryption/decryption.
struct _x509_cert * next
Next certificate in the CA-chain.
Definition: x509.h:328
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:226
DES block cipher.
int ssl_close_notify(ssl_context *ssl)
Notify the peer that the connection is being closed.
void ssl_set_session_cache(ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache)
Set the session cache callbacks (server-side only) If not set, no session resuming is done...
size_t ssl_get_bytes_avail(const ssl_context *ssl)
Return the number of data bytes available to read.
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:172
#define SSL_VERIFY_NONE
Definition: ssl.h:109
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:41
#define AES_ENCRYPT
Definition: aes.h:41
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:113
size_t in_left
Definition: ssl.h:467
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Definition: ssl.h:178
void sha2_update(sha2_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int allow_legacy_renegotiation
Definition: ssl.h:504
void sha2_process(sha2_context *ctx, const unsigned char data[64])
ssl_session * session_out
Definition: ssl.h:442
int camellia_setkey_dec(camellia_context *ctx, const unsigned char *key, unsigned int keysize)
CAMELLIA key schedule (decryption)
uint32_t state[4]
Definition: md5.h:53
void(* calc_finished)(ssl_context *, unsigned char *, int)
Definition: ssl.h:386
int ssl_read_record(ssl_context *ssl)
size_t len
ASN1 length, e.g.
Definition: asn1.h:111
int des_setkey_enc(des_context *ctx, const unsigned char key[DES_KEY_SIZE])
DES key schedule (56-bit, encryption)
#define TLS_RSA_WITH_AES_256_CBC_SHA
Definition: ssl.h:168
int ssl_set_dh_param(ssl_context *ssl, const char *dhm_P, const char *dhm_G)
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default...
#define TLS_RSA_WITH_AES_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:170
void sha4(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
int out_msgtype
Definition: ssl.h:479
int des_setkey_dec(des_context *ctx, const unsigned char key[DES_KEY_SIZE])
DES key schedule (56-bit, decryption)
uint32_t ctx_enc[136]
Definition: ssl.h:349
size_t out_left
Definition: ssl.h:481
#define DES_DECRYPT
Definition: des.h:42
#define BADCERT_MISSING
Certificate was missing.
Definition: x509.h:80
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED
Processing of the Finished handshake message failed.
Definition: ssl.h:88
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
void sha2_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
unsigned char mac_enc[32]
Definition: ssl.h:346
int ssl_get_verify_result(const ssl_context *ssl)
Return the result of the certificate verification.
#define SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:227
Galois/Counter mode for AES.
int ssl_session_reset(ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables...
ARC4 context structure.
Definition: arc4.h:41
x509_cert * own_cert
Definition: ssl.h:491
int min_major_ver
Definition: ssl.h:413
#define CAMELLIA_DECRYPT
Definition: camellia.h:42
Certificate revocation list structure.
Definition: x509.h:354
ssl_transform * transform_negotiate
Definition: ssl.h:455
SHA-512 context structure.
Definition: sha4.h:51
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:116
SSL/TLS functions.
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:89
int disable_renegotiation
Definition: ssl.h:503
#define SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:220
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Definition: ssl.h:167
int verify_result
Definition: ssl.h:502
void dhm_free(dhm_context *ctx)
Free the components of a DHM key.
#define TLS_RSA_WITH_DES_CBC_SHA
Weak! Not in TLS 1.2.
Definition: ssl.h:157
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:424
void sha2(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
void * rsa_key
Definition: ssl.h:486
int ssl_derive_keys(ssl_context *ssl)
void ssl_set_authmode(ssl_context *ssl, int authmode)
Set the certificate verification mode.
void sha4_finish(sha4_context *ctx, unsigned char output[64])
SHA-512 final digest.
void sha1_process(sha1_context *ctx, const unsigned char data[64])
#define TLS_RSA_WITH_NULL_SHA
Weak!
Definition: ssl.h:155
int(* f_set_cache)(void *, const ssl_session *)
Definition: ssl.h:425
void ssl_set_ca_chain(ssl_context *ssl, x509_cert *ca_chain, x509_crl *ca_crl, const char *peer_cn)
Set the data required to verify peer certificate.
int renegotiation
Definition: ssl.h:406
void sha1_hmac_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 HMAC process buffer.
dhm_context dhm_ctx
Definition: ssl.h:373
void ssl_optimize_checksum(ssl_context *ssl, int ciphersuite)
int x509parse_verify(x509_cert *crt, x509_cert *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_cert *, int, int *), void *p_vrfy)
Verify the certificate signature.
void md5_hmac_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 HMAC process buffer.
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
#define TLS_RSA_WITH_AES_128_GCM_SHA256
Definition: ssl.h:184
size_t minlen
Definition: ssl.h:338
void sha2_starts(sha2_context *ctx, int is224)
SHA-256 context setup.
int ssl_read(ssl_context *ssl, unsigned char *buf, size_t len)
Read at most &#39;len&#39; application data bytes.
void ssl_transform_free(ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS 1.2.
Definition: ssl.h:182
#define SSL_MAX_CONTENT_LEN
Size of the input / output buffer.
Definition: ssl.h:134
#define SSL_MSG_APPLICATION_DATA
Definition: ssl.h:215
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
#define CAMELLIA_ENCRYPT
Definition: camellia.h:41
#define SSL_MSG_ALERT
Definition: ssl.h:213
uint32_t ctx_dec[136]
Definition: ssl.h:350
int ssl_renegotiate(ssl_context *ssl)
Perform an SSL renegotiation on the running connection.
#define TLS_RSA_WITH_NULL_MD5
Weak!
Definition: ssl.h:154
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:421
int ssl_write(ssl_context *ssl, const unsigned char *buf, size_t len)
Write exactly &#39;len&#39; application data bytes.
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:60
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:79
The ARCFOUR stream cipher.
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
md5_context fin_md5
Definition: ssl.h:379
int endpoint
Definition: ssl.h:499
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:61
void ssl_set_sni(ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS 1.2.
Definition: ssl.h:179
int ssl_write_record(ssl_context *ssl)
const x509_cert * ssl_get_peer_cert(const ssl_context *ssl)
Return the peer certificate from the current connection.
unsigned char randbytes[64]
Definition: ssl.h:393
void sha2_finish(sha2_context *ctx, unsigned char output[32])
SHA-256 final digest.
void * p_sni
Definition: ssl.h:435
int des3_crypt_cbc(des3_context *ctx, int mode, size_t length, unsigned char iv[8], const unsigned char *input, unsigned char *output)
3DES-CBC buffer encryption/decryption
#define SSL_HS_HELLO_REQUEST
Definition: ssl.h:247