PolarSSL v1.3.9
ssl_tls.c
Go to the documentation of this file.
1/*
2 * SSLv3/TLSv1 shared functions
3 *
4 * Copyright (C) 2006-2014, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The SSL 3.0 specification was drafted by Netscape in 1996,
27 * and became an IETF standard in 1999.
28 *
29 * http://wp.netscape.com/eng/ssl3/
30 * http://www.ietf.org/rfc/rfc2246.txt
31 * http://www.ietf.org/rfc/rfc4346.txt
32 */
33
34#if !defined(POLARSSL_CONFIG_FILE)
35#include "polarssl/config.h"
36#else
37#include POLARSSL_CONFIG_FILE
38#endif
39
40#if defined(POLARSSL_SSL_TLS_C)
41
42#include "polarssl/debug.h"
43#include "polarssl/ssl.h"
44
45#if defined(POLARSSL_X509_CRT_PARSE_C) && \
46 defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
47#include "polarssl/oid.h"
48#endif
49
50#if defined(POLARSSL_PLATFORM_C)
51#include "polarssl/platform.h"
52#else
53#define polarssl_malloc malloc
54#define polarssl_free free
55#endif
56
57#include <stdlib.h>
58
59#if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
60 !defined(EFI32)
61#define strcasecmp _stricmp
62#endif
63
64/* Implementation that should never be optimized out by the compiler */
65static void polarssl_zeroize( void *v, size_t n ) {
66 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
67}
68
69#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
70/*
71 * Convert max_fragment_length codes to length.
72 * RFC 6066 says:
73 * enum{
74 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
75 * } MaxFragmentLength;
76 * and we add 0 -> extension unused
77 */
78static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
79{
80 SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
81 512, /* SSL_MAX_FRAG_LEN_512 */
82 1024, /* SSL_MAX_FRAG_LEN_1024 */
83 2048, /* SSL_MAX_FRAG_LEN_2048 */
84 4096, /* SSL_MAX_FRAG_LEN_4096 */
85};
86#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
87
88static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
89{
90 ssl_session_free( dst );
91 memcpy( dst, src, sizeof( ssl_session ) );
92
93#if defined(POLARSSL_X509_CRT_PARSE_C)
94 if( src->peer_cert != NULL )
95 {
96 int ret;
97
98 dst->peer_cert = (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
99 if( dst->peer_cert == NULL )
100 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
101
102 x509_crt_init( dst->peer_cert );
103
104 if( ( ret = x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
105 src->peer_cert->raw.len ) ) != 0 )
106 {
107 polarssl_free( dst->peer_cert );
108 dst->peer_cert = NULL;
109 return( ret );
110 }
111 }
112#endif /* POLARSSL_X509_CRT_PARSE_C */
113
114#if defined(POLARSSL_SSL_SESSION_TICKETS)
115 if( src->ticket != NULL )
116 {
117 dst->ticket = (unsigned char *) polarssl_malloc( src->ticket_len );
118 if( dst->ticket == NULL )
119 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
120
121 memcpy( dst->ticket, src->ticket, src->ticket_len );
122 }
123#endif /* POLARSSL_SSL_SESSION_TICKETS */
124
125 return( 0 );
126}
127
128#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
129int (*ssl_hw_record_init)( ssl_context *ssl,
130 const unsigned char *key_enc, const unsigned char *key_dec,
131 size_t keylen,
132 const unsigned char *iv_enc, const unsigned char *iv_dec,
133 size_t ivlen,
134 const unsigned char *mac_enc, const unsigned char *mac_dec,
135 size_t maclen ) = NULL;
136int (*ssl_hw_record_activate)( ssl_context *ssl, int direction) = NULL;
137int (*ssl_hw_record_reset)( ssl_context *ssl ) = NULL;
138int (*ssl_hw_record_write)( ssl_context *ssl ) = NULL;
139int (*ssl_hw_record_read)( ssl_context *ssl ) = NULL;
140int (*ssl_hw_record_finish)( ssl_context *ssl ) = NULL;
141#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
142
143/*
144 * Key material generation
145 */
146#if defined(POLARSSL_SSL_PROTO_SSL3)
147static int ssl3_prf( const unsigned char *secret, size_t slen,
148 const char *label,
149 const unsigned char *random, size_t rlen,
150 unsigned char *dstbuf, size_t dlen )
151{
152 size_t i;
153 md5_context md5;
154 sha1_context sha1;
155 unsigned char padding[16];
156 unsigned char sha1sum[20];
157 ((void)label);
158
159 md5_init( &md5 );
160 sha1_init( &sha1 );
161
162 /*
163 * SSLv3:
164 * block =
165 * MD5( secret + SHA1( 'A' + secret + random ) ) +
166 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
167 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
168 * ...
169 */
170 for( i = 0; i < dlen / 16; i++ )
171 {
172 memset( padding, (unsigned char) ('A' + i), 1 + i );
173
174 sha1_starts( &sha1 );
175 sha1_update( &sha1, padding, 1 + i );
176 sha1_update( &sha1, secret, slen );
177 sha1_update( &sha1, random, rlen );
178 sha1_finish( &sha1, sha1sum );
179
180 md5_starts( &md5 );
181 md5_update( &md5, secret, slen );
182 md5_update( &md5, sha1sum, 20 );
183 md5_finish( &md5, dstbuf + i * 16 );
184 }
185
186 md5_free( &md5 );
187 sha1_free( &sha1 );
188
189 polarssl_zeroize( padding, sizeof( padding ) );
190 polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
191
192 return( 0 );
193}
194#endif /* POLARSSL_SSL_PROTO_SSL3 */
195
196#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
197static int tls1_prf( const unsigned char *secret, size_t slen,
198 const char *label,
199 const unsigned char *random, size_t rlen,
200 unsigned char *dstbuf, size_t dlen )
201{
202 size_t nb, hs;
203 size_t i, j, k;
204 const unsigned char *S1, *S2;
205 unsigned char tmp[128];
206 unsigned char h_i[20];
207
208 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
209 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
210
211 hs = ( slen + 1 ) / 2;
212 S1 = secret;
213 S2 = secret + slen - hs;
214
215 nb = strlen( label );
216 memcpy( tmp + 20, label, nb );
217 memcpy( tmp + 20 + nb, random, rlen );
218 nb += rlen;
219
220 /*
221 * First compute P_md5(secret,label+random)[0..dlen]
222 */
223 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
224
225 for( i = 0; i < dlen; i += 16 )
226 {
227 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
228 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
229
230 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
231
232 for( j = 0; j < k; j++ )
233 dstbuf[i + j] = h_i[j];
234 }
235
236 /*
237 * XOR out with P_sha1(secret,label+random)[0..dlen]
238 */
239 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
240
241 for( i = 0; i < dlen; i += 20 )
242 {
243 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
244 sha1_hmac( S2, hs, tmp, 20, tmp );
245
246 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
247
248 for( j = 0; j < k; j++ )
249 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
250 }
251
252 polarssl_zeroize( tmp, sizeof( tmp ) );
253 polarssl_zeroize( h_i, sizeof( h_i ) );
254
255 return( 0 );
256}
257#endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
258
259#if defined(POLARSSL_SSL_PROTO_TLS1_2)
260#if defined(POLARSSL_SHA256_C)
261static int tls_prf_sha256( const unsigned char *secret, size_t slen,
262 const char *label,
263 const unsigned char *random, size_t rlen,
264 unsigned char *dstbuf, size_t dlen )
265{
266 size_t nb;
267 size_t i, j, k;
268 unsigned char tmp[128];
269 unsigned char h_i[32];
270
271 if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
272 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
273
274 nb = strlen( label );
275 memcpy( tmp + 32, label, nb );
276 memcpy( tmp + 32 + nb, random, rlen );
277 nb += rlen;
278
279 /*
280 * Compute P_<hash>(secret, label + random)[0..dlen]
281 */
282 sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
283
284 for( i = 0; i < dlen; i += 32 )
285 {
286 sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
287 sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
288
289 k = ( i + 32 > dlen ) ? dlen % 32 : 32;
290
291 for( j = 0; j < k; j++ )
292 dstbuf[i + j] = h_i[j];
293 }
294
295 polarssl_zeroize( tmp, sizeof( tmp ) );
296 polarssl_zeroize( h_i, sizeof( h_i ) );
297
298 return( 0 );
299}
300#endif /* POLARSSL_SHA256_C */
301
302#if defined(POLARSSL_SHA512_C)
303static int tls_prf_sha384( const unsigned char *secret, size_t slen,
304 const char *label,
305 const unsigned char *random, size_t rlen,
306 unsigned char *dstbuf, size_t dlen )
307{
308 size_t nb;
309 size_t i, j, k;
310 unsigned char tmp[128];
311 unsigned char h_i[48];
312
313 if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
314 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
315
316 nb = strlen( label );
317 memcpy( tmp + 48, label, nb );
318 memcpy( tmp + 48 + nb, random, rlen );
319 nb += rlen;
320
321 /*
322 * Compute P_<hash>(secret, label + random)[0..dlen]
323 */
324 sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
325
326 for( i = 0; i < dlen; i += 48 )
327 {
328 sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
329 sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
330
331 k = ( i + 48 > dlen ) ? dlen % 48 : 48;
332
333 for( j = 0; j < k; j++ )
334 dstbuf[i + j] = h_i[j];
335 }
336
337 polarssl_zeroize( tmp, sizeof( tmp ) );
338 polarssl_zeroize( h_i, sizeof( h_i ) );
339
340 return( 0 );
341}
342#endif /* POLARSSL_SHA512_C */
343#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
344
345static void ssl_update_checksum_start( ssl_context *, const unsigned char *, size_t );
346
347#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
348 defined(POLARSSL_SSL_PROTO_TLS1_1)
349static void ssl_update_checksum_md5sha1( ssl_context *, const unsigned char *, size_t );
350#endif
351
352#if defined(POLARSSL_SSL_PROTO_SSL3)
353static void ssl_calc_verify_ssl( ssl_context *, unsigned char * );
354static void ssl_calc_finished_ssl( ssl_context *, unsigned char *, int );
355#endif
356
357#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
358static void ssl_calc_verify_tls( ssl_context *, unsigned char * );
359static void ssl_calc_finished_tls( ssl_context *, unsigned char *, int );
360#endif
361
362#if defined(POLARSSL_SSL_PROTO_TLS1_2)
363#if defined(POLARSSL_SHA256_C)
364static void ssl_update_checksum_sha256( ssl_context *, const unsigned char *, size_t );
365static void ssl_calc_verify_tls_sha256( ssl_context *,unsigned char * );
366static void ssl_calc_finished_tls_sha256( ssl_context *,unsigned char *, int );
367#endif
368
369#if defined(POLARSSL_SHA512_C)
370static void ssl_update_checksum_sha384( ssl_context *, const unsigned char *, size_t );
371static void ssl_calc_verify_tls_sha384( ssl_context *, unsigned char * );
372static void ssl_calc_finished_tls_sha384( ssl_context *, unsigned char *, int );
373#endif
374#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
375
376int ssl_derive_keys( ssl_context *ssl )
377{
378 int ret = 0;
379 unsigned char tmp[64];
380 unsigned char keyblk[256];
381 unsigned char *key1;
382 unsigned char *key2;
383 unsigned char *mac_enc;
384 unsigned char *mac_dec;
385 size_t iv_copy_len;
386 const cipher_info_t *cipher_info;
387 const md_info_t *md_info;
388
389 ssl_session *session = ssl->session_negotiate;
390 ssl_transform *transform = ssl->transform_negotiate;
391 ssl_handshake_params *handshake = ssl->handshake;
392
393 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
394
395 cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
396 if( cipher_info == NULL )
397 {
398 SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
399 transform->ciphersuite_info->cipher ) );
400 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
401 }
402
403 md_info = md_info_from_type( transform->ciphersuite_info->mac );
404 if( md_info == NULL )
405 {
406 SSL_DEBUG_MSG( 1, ( "md info for %d not found",
407 transform->ciphersuite_info->mac ) );
408 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
409 }
410
411 /*
412 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
413 */
414#if defined(POLARSSL_SSL_PROTO_SSL3)
415 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
416 {
417 handshake->tls_prf = ssl3_prf;
418 handshake->calc_verify = ssl_calc_verify_ssl;
419 handshake->calc_finished = ssl_calc_finished_ssl;
420 }
421 else
422#endif
423#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
424 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
425 {
426 handshake->tls_prf = tls1_prf;
427 handshake->calc_verify = ssl_calc_verify_tls;
428 handshake->calc_finished = ssl_calc_finished_tls;
429 }
430 else
431#endif
432#if defined(POLARSSL_SSL_PROTO_TLS1_2)
433#if defined(POLARSSL_SHA512_C)
434 if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
435 transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
436 {
437 handshake->tls_prf = tls_prf_sha384;
438 handshake->calc_verify = ssl_calc_verify_tls_sha384;
439 handshake->calc_finished = ssl_calc_finished_tls_sha384;
440 }
441 else
442#endif
443#if defined(POLARSSL_SHA256_C)
444 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
445 {
446 handshake->tls_prf = tls_prf_sha256;
447 handshake->calc_verify = ssl_calc_verify_tls_sha256;
448 handshake->calc_finished = ssl_calc_finished_tls_sha256;
449 }
450 else
451#endif
452#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
453 {
454 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
455 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
456 }
457
458 /*
459 * SSLv3:
460 * master =
461 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
462 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
463 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
464 *
465 * TLSv1+:
466 * master = PRF( premaster, "master secret", randbytes )[0..47]
467 */
468 if( handshake->resume == 0 )
469 {
470 SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
471 handshake->pmslen );
472
473 handshake->tls_prf( handshake->premaster, handshake->pmslen,
474 "master secret",
475 handshake->randbytes, 64, session->master, 48 );
476
477 polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
478 }
479 else
480 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
481
482 /*
483 * Swap the client and server random values.
484 */
485 memcpy( tmp, handshake->randbytes, 64 );
486 memcpy( handshake->randbytes, tmp + 32, 32 );
487 memcpy( handshake->randbytes + 32, tmp, 32 );
488 polarssl_zeroize( tmp, sizeof( tmp ) );
489
490 /*
491 * SSLv3:
492 * key block =
493 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
494 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
495 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
496 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
497 * ...
498 *
499 * TLSv1:
500 * key block = PRF( master, "key expansion", randbytes )
501 */
502 handshake->tls_prf( session->master, 48, "key expansion",
503 handshake->randbytes, 64, keyblk, 256 );
504
505 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
506 ssl_get_ciphersuite_name( session->ciphersuite ) ) );
507 SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
508 SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
509 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
510
511 polarssl_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
512
513 /*
514 * Determine the appropriate key, IV and MAC length.
515 */
516
517 transform->keylen = cipher_info->key_length / 8;
518
519 if( cipher_info->mode == POLARSSL_MODE_GCM ||
520 cipher_info->mode == POLARSSL_MODE_CCM )
521 {
522 transform->maclen = 0;
523
524 transform->ivlen = 12;
525 transform->fixed_ivlen = 4;
526
527 /* Minimum length is expicit IV + tag */
528 transform->minlen = transform->ivlen - transform->fixed_ivlen
529 + ( transform->ciphersuite_info->flags &
530 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
531 }
532 else
533 {
534 int ret;
535
536 /* Initialize HMAC contexts */
537 if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 ||
538 ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
539 {
540 SSL_DEBUG_RET( 1, "md_init_ctx", ret );
541 return( ret );
542 }
543
544 /* Get MAC length */
545 transform->maclen = md_get_size( md_info );
546
547#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
548 /*
549 * If HMAC is to be truncated, we shall keep the leftmost bytes,
550 * (rfc 6066 page 13 or rfc 2104 section 4),
551 * so we only need to adjust the length here.
552 */
553 if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
554 transform->maclen = SSL_TRUNCATED_HMAC_LEN;
555#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
556
557 /* IV length */
558 transform->ivlen = cipher_info->iv_size;
559
560 /* Minimum length */
561 if( cipher_info->mode == POLARSSL_MODE_STREAM )
562 transform->minlen = transform->maclen;
563 else
564 {
565 /*
566 * GenericBlockCipher:
567 * first multiple of blocklen greater than maclen
568 * + IV except for SSL3 and TLS 1.0
569 */
570 transform->minlen = transform->maclen
571 + cipher_info->block_size
572 - transform->maclen % cipher_info->block_size;
573
574#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
575 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ||
576 ssl->minor_ver == SSL_MINOR_VERSION_1 )
577 ; /* No need to adjust minlen */
578 else
579#endif
580#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
581 if( ssl->minor_ver == SSL_MINOR_VERSION_2 ||
582 ssl->minor_ver == SSL_MINOR_VERSION_3 )
583 {
584 transform->minlen += transform->ivlen;
585 }
586 else
587#endif
588 {
589 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
590 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
591 }
592 }
593 }
594
595 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
596 transform->keylen, transform->minlen, transform->ivlen,
597 transform->maclen ) );
598
599 /*
600 * Finally setup the cipher contexts, IVs and MAC secrets.
601 */
602 if( ssl->endpoint == SSL_IS_CLIENT )
603 {
604 key1 = keyblk + transform->maclen * 2;
605 key2 = keyblk + transform->maclen * 2 + transform->keylen;
606
607 mac_enc = keyblk;
608 mac_dec = keyblk + transform->maclen;
609
610 /*
611 * This is not used in TLS v1.1.
612 */
613 iv_copy_len = ( transform->fixed_ivlen ) ?
614 transform->fixed_ivlen : transform->ivlen;
615 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
616 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
617 iv_copy_len );
618 }
619 else
620 {
621 key1 = keyblk + transform->maclen * 2 + transform->keylen;
622 key2 = keyblk + transform->maclen * 2;
623
624 mac_enc = keyblk + transform->maclen;
625 mac_dec = keyblk;
626
627 /*
628 * This is not used in TLS v1.1.
629 */
630 iv_copy_len = ( transform->fixed_ivlen ) ?
631 transform->fixed_ivlen : transform->ivlen;
632 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
633 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
634 iv_copy_len );
635 }
636
637#if defined(POLARSSL_SSL_PROTO_SSL3)
638 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
639 {
640 if( transform->maclen > sizeof transform->mac_enc )
641 {
642 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
643 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
644 }
645
646 memcpy( transform->mac_enc, mac_enc, transform->maclen );
647 memcpy( transform->mac_dec, mac_dec, transform->maclen );
648 }
649 else
650#endif /* POLARSSL_SSL_PROTO_SSL3 */
651#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
652 defined(POLARSSL_SSL_PROTO_TLS1_2)
653 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
654 {
655 md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
656 md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
657 }
658 else
659#endif
660 {
661 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
662 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
663 }
664
665#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
666 if( ssl_hw_record_init != NULL )
667 {
668 int ret = 0;
669
670 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
671
672 if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
673 transform->iv_enc, transform->iv_dec,
674 iv_copy_len,
675 mac_enc, mac_dec,
676 transform->maclen ) ) != 0 )
677 {
678 SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
679 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
680 }
681 }
682#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
683
684 if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
685 cipher_info ) ) != 0 )
686 {
687 SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
688 return( ret );
689 }
690
691 if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
692 cipher_info ) ) != 0 )
693 {
694 SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
695 return( ret );
696 }
697
698 if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
699 cipher_info->key_length,
700 POLARSSL_ENCRYPT ) ) != 0 )
701 {
702 SSL_DEBUG_RET( 1, "cipher_setkey", ret );
703 return( ret );
704 }
705
706 if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
707 cipher_info->key_length,
708 POLARSSL_DECRYPT ) ) != 0 )
709 {
710 SSL_DEBUG_RET( 1, "cipher_setkey", ret );
711 return( ret );
712 }
713
714#if defined(POLARSSL_CIPHER_MODE_CBC)
715 if( cipher_info->mode == POLARSSL_MODE_CBC )
716 {
717 if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
718 POLARSSL_PADDING_NONE ) ) != 0 )
719 {
720 SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
721 return( ret );
722 }
723
724 if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
725 POLARSSL_PADDING_NONE ) ) != 0 )
726 {
727 SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
728 return( ret );
729 }
730 }
731#endif /* POLARSSL_CIPHER_MODE_CBC */
732
733 polarssl_zeroize( keyblk, sizeof( keyblk ) );
734
735#if defined(POLARSSL_ZLIB_SUPPORT)
736 // Initialize compression
737 //
738 if( session->compression == SSL_COMPRESS_DEFLATE )
739 {
740 if( ssl->compress_buf == NULL )
741 {
742 SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
743 ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
744 if( ssl->compress_buf == NULL )
745 {
746 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
747 SSL_BUFFER_LEN ) );
748 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
749 }
750 }
751
752 SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
753
754 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
755 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
756
757 if( deflateInit( &transform->ctx_deflate,
758 Z_DEFAULT_COMPRESSION ) != Z_OK ||
759 inflateInit( &transform->ctx_inflate ) != Z_OK )
760 {
761 SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
762 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
763 }
764 }
765#endif /* POLARSSL_ZLIB_SUPPORT */
766
767 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
768
769 return( 0 );
770}
771
772#if defined(POLARSSL_SSL_PROTO_SSL3)
773void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
774{
775 md5_context md5;
776 sha1_context sha1;
777 unsigned char pad_1[48];
778 unsigned char pad_2[48];
779
780 SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
781
782 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
783 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
784
785 memset( pad_1, 0x36, 48 );
786 memset( pad_2, 0x5C, 48 );
787
788 md5_update( &md5, ssl->session_negotiate->master, 48 );
789 md5_update( &md5, pad_1, 48 );
790 md5_finish( &md5, hash );
791
792 md5_starts( &md5 );
793 md5_update( &md5, ssl->session_negotiate->master, 48 );
794 md5_update( &md5, pad_2, 48 );
795 md5_update( &md5, hash, 16 );
796 md5_finish( &md5, hash );
797
798 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
799 sha1_update( &sha1, pad_1, 40 );
800 sha1_finish( &sha1, hash + 16 );
801
802 sha1_starts( &sha1 );
803 sha1_update( &sha1, ssl->session_negotiate->master, 48 );
804 sha1_update( &sha1, pad_2, 40 );
805 sha1_update( &sha1, hash + 16, 20 );
806 sha1_finish( &sha1, hash + 16 );
807
808 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
809 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
810
811 md5_free( &md5 );
812 sha1_free( &sha1 );
813
814 return;
815}
816#endif /* POLARSSL_SSL_PROTO_SSL3 */
817
818#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
819void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
820{
821 md5_context md5;
822 sha1_context sha1;
823
824 SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
825
826 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
827 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
828
829 md5_finish( &md5, hash );
830 sha1_finish( &sha1, hash + 16 );
831
832 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
833 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
834
835 md5_free( &md5 );
836 sha1_free( &sha1 );
837
838 return;
839}
840#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
841
842#if defined(POLARSSL_SSL_PROTO_TLS1_2)
843#if defined(POLARSSL_SHA256_C)
844void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
845{
846 sha256_context sha256;
847
848 SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
849
850 memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
851 sha256_finish( &sha256, hash );
852
853 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
854 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
855
856 sha256_free( &sha256 );
857
858 return;
859}
860#endif /* POLARSSL_SHA256_C */
861
862#if defined(POLARSSL_SHA512_C)
863void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
864{
865 sha512_context sha512;
866
867 SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
868
869 memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
870 sha512_finish( &sha512, hash );
871
872 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
873 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
874
875 sha512_free( &sha512 );
876
877 return;
878}
879#endif /* POLARSSL_SHA512_C */
880#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
881
882#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
883int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex )
884{
885 unsigned char *p = ssl->handshake->premaster;
886 unsigned char *end = p + sizeof( ssl->handshake->premaster );
887
888 /*
889 * PMS = struct {
890 * opaque other_secret<0..2^16-1>;
891 * opaque psk<0..2^16-1>;
892 * };
893 * with "other_secret" depending on the particular key exchange
894 */
895#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
896 if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
897 {
898 if( end - p < 2 + (int) ssl->psk_len )
899 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
900
901 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
902 *(p++) = (unsigned char)( ssl->psk_len );
903 p += ssl->psk_len;
904 }
905 else
906#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
907#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
908 if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
909 {
910 /*
911 * other_secret already set by the ClientKeyExchange message,
912 * and is 48 bytes long
913 */
914 *p++ = 0;
915 *p++ = 48;
916 p += 48;
917 }
918 else
919#endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
920#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
921 if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
922 {
923 int ret;
924 size_t len = end - ( p + 2 );
925
926 /* Write length only when we know the actual value */
927 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
928 p + 2, &len,
929 ssl->f_rng, ssl->p_rng ) ) != 0 )
930 {
931 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
932 return( ret );
933 }
934 *(p++) = (unsigned char)( len >> 8 );
935 *(p++) = (unsigned char)( len );
936 p += len;
937
938 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
939 }
940 else
941#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
942#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
943 if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
944 {
945 int ret;
946 size_t zlen;
947
948 if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
949 p + 2, end - ( p + 2 ),
950 ssl->f_rng, ssl->p_rng ) ) != 0 )
951 {
952 SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
953 return( ret );
954 }
955
956 *(p++) = (unsigned char)( zlen >> 8 );
957 *(p++) = (unsigned char)( zlen );
958 p += zlen;
959
960 SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
961 }
962 else
963#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
964 {
965 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
966 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
967 }
968
969 /* opaque psk<0..2^16-1>; */
970 if( end - p < 2 + (int) ssl->psk_len )
971 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
972
973 *(p++) = (unsigned char)( ssl->psk_len >> 8 );
974 *(p++) = (unsigned char)( ssl->psk_len );
975 memcpy( p, ssl->psk, ssl->psk_len );
976 p += ssl->psk_len;
977
978 ssl->handshake->pmslen = p - ssl->handshake->premaster;
979
980 return( 0 );
981}
982#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
983
984#if defined(POLARSSL_SSL_PROTO_SSL3)
985/*
986 * SSLv3.0 MAC functions
987 */
988static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
989 unsigned char *buf, size_t len,
990 unsigned char *ctr, int type )
991{
992 unsigned char header[11];
993 unsigned char padding[48];
994 int padlen;
995 int md_size = md_get_size( md_ctx->md_info );
996 int md_type = md_get_type( md_ctx->md_info );
997
998 /* Only MD5 and SHA-1 supported */
999 if( md_type == POLARSSL_MD_MD5 )
1000 padlen = 48;
1001 else
1002 padlen = 40;
1003
1004 memcpy( header, ctr, 8 );
1005 header[ 8] = (unsigned char) type;
1006 header[ 9] = (unsigned char)( len >> 8 );
1007 header[10] = (unsigned char)( len );
1008
1009 memset( padding, 0x36, padlen );
1010 md_starts( md_ctx );
1011 md_update( md_ctx, secret, md_size );
1012 md_update( md_ctx, padding, padlen );
1013 md_update( md_ctx, header, 11 );
1014 md_update( md_ctx, buf, len );
1015 md_finish( md_ctx, buf + len );
1016
1017 memset( padding, 0x5C, padlen );
1018 md_starts( md_ctx );
1019 md_update( md_ctx, secret, md_size );
1020 md_update( md_ctx, padding, padlen );
1021 md_update( md_ctx, buf + len, md_size );
1022 md_finish( md_ctx, buf + len );
1023}
1024#endif /* POLARSSL_SSL_PROTO_SSL3 */
1025
1026/*
1027 * Encryption/decryption functions
1028 */
1029static int ssl_encrypt_buf( ssl_context *ssl )
1030{
1031 size_t i;
1032 const cipher_mode_t mode = cipher_get_cipher_mode(
1033 &ssl->transform_out->cipher_ctx_enc );
1034
1035 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
1036
1037 /*
1038 * Add MAC before encrypt, except for AEAD modes
1039 */
1040#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1041 ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1042 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1043 if( mode != POLARSSL_MODE_GCM &&
1044 mode != POLARSSL_MODE_CCM )
1045 {
1046#if defined(POLARSSL_SSL_PROTO_SSL3)
1047 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1048 {
1049 ssl_mac( &ssl->transform_out->md_ctx_enc,
1050 ssl->transform_out->mac_enc,
1051 ssl->out_msg, ssl->out_msglen,
1052 ssl->out_ctr, ssl->out_msgtype );
1053 }
1054 else
1055#endif
1056#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1057 defined(POLARSSL_SSL_PROTO_TLS1_2)
1058 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1059 {
1060 md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1061 md_hmac_update( &ssl->transform_out->md_ctx_enc,
1062 ssl->out_msg, ssl->out_msglen );
1063 md_hmac_finish( &ssl->transform_out->md_ctx_enc,
1064 ssl->out_msg + ssl->out_msglen );
1065 md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1066 }
1067 else
1068#endif
1069 {
1070 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1071 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1072 }
1073
1074 SSL_DEBUG_BUF( 4, "computed mac",
1075 ssl->out_msg + ssl->out_msglen,
1076 ssl->transform_out->maclen );
1077
1078 ssl->out_msglen += ssl->transform_out->maclen;
1079 }
1080#endif /* AEAD not the only option */
1081
1082 /*
1083 * Encrypt
1084 */
1085#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1086 if( mode == POLARSSL_MODE_STREAM )
1087 {
1088 int ret;
1089 size_t olen = 0;
1090
1091 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1092 "including %d bytes of padding",
1093 ssl->out_msglen, 0 ) );
1094
1095 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1096 ssl->out_msg, ssl->out_msglen );
1097
1098 if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1099 ssl->transform_out->iv_enc,
1100 ssl->transform_out->ivlen,
1101 ssl->out_msg, ssl->out_msglen,
1102 ssl->out_msg, &olen ) ) != 0 )
1103 {
1104 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1105 return( ret );
1106 }
1107
1108 if( ssl->out_msglen != olen )
1109 {
1110 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1111 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1112 }
1113 }
1114 else
1115#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1116#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1117 if( mode == POLARSSL_MODE_GCM ||
1118 mode == POLARSSL_MODE_CCM )
1119 {
1120 int ret;
1121 size_t enc_msglen, olen;
1122 unsigned char *enc_msg;
1123 unsigned char add_data[13];
1124 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
1125 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
1126
1127 memcpy( add_data, ssl->out_ctr, 8 );
1128 add_data[8] = ssl->out_msgtype;
1129 add_data[9] = ssl->major_ver;
1130 add_data[10] = ssl->minor_ver;
1131 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1132 add_data[12] = ssl->out_msglen & 0xFF;
1133
1134 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1135 add_data, 13 );
1136
1137 /*
1138 * Generate IV
1139 */
1140 ret = ssl->f_rng( ssl->p_rng,
1141 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1142 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1143 if( ret != 0 )
1144 return( ret );
1145
1146 memcpy( ssl->out_iv,
1147 ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
1148 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1149
1150 SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1151 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1152
1153 /*
1154 * Fix pointer positions and message length with added IV
1155 */
1156 enc_msg = ssl->out_msg;
1157 enc_msglen = ssl->out_msglen;
1158 ssl->out_msglen += ssl->transform_out->ivlen -
1159 ssl->transform_out->fixed_ivlen;
1160
1161 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1162 "including %d bytes of padding",
1163 ssl->out_msglen, 0 ) );
1164
1165 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1166 ssl->out_msg, ssl->out_msglen );
1167
1168 /*
1169 * Encrypt and authenticate
1170 */
1171 if( ( ret = cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
1172 ssl->transform_out->iv_enc,
1173 ssl->transform_out->ivlen,
1174 add_data, 13,
1175 enc_msg, enc_msglen,
1176 enc_msg, &olen,
1177 enc_msg + enc_msglen, taglen ) ) != 0 )
1178 {
1179 SSL_DEBUG_RET( 1, "cipher_auth_encrypt", ret );
1180 return( ret );
1181 }
1182
1183 if( olen != enc_msglen )
1184 {
1185 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1186 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1187 }
1188
1189 ssl->out_msglen += taglen;
1190
1191 SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
1192 }
1193 else
1194#endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
1195#if defined(POLARSSL_CIPHER_MODE_CBC) && \
1196 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1197 if( mode == POLARSSL_MODE_CBC )
1198 {
1199 int ret;
1200 unsigned char *enc_msg;
1201 size_t enc_msglen, padlen, olen = 0;
1202
1203 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1204 ssl->transform_out->ivlen;
1205 if( padlen == ssl->transform_out->ivlen )
1206 padlen = 0;
1207
1208 for( i = 0; i <= padlen; i++ )
1209 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1210
1211 ssl->out_msglen += padlen + 1;
1212
1213 enc_msglen = ssl->out_msglen;
1214 enc_msg = ssl->out_msg;
1215
1216#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1217 /*
1218 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1219 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1220 */
1221 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1222 {
1223 /*
1224 * Generate IV
1225 */
1226 int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1227 ssl->transform_out->ivlen );
1228 if( ret != 0 )
1229 return( ret );
1230
1231 memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1232 ssl->transform_out->ivlen );
1233
1234 /*
1235 * Fix pointer positions and message length with added IV
1236 */
1237 enc_msg = ssl->out_msg;
1238 enc_msglen = ssl->out_msglen;
1239 ssl->out_msglen += ssl->transform_out->ivlen;
1240 }
1241#endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1242
1243 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1244 "including %d bytes of IV and %d bytes of padding",
1245 ssl->out_msglen, ssl->transform_out->ivlen,
1246 padlen + 1 ) );
1247
1248 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1249 ssl->out_iv, ssl->out_msglen );
1250
1251 if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1252 ssl->transform_out->iv_enc,
1253 ssl->transform_out->ivlen,
1254 enc_msg, enc_msglen,
1255 enc_msg, &olen ) ) != 0 )
1256 {
1257 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1258 return( ret );
1259 }
1260
1261 if( enc_msglen != olen )
1262 {
1263 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1264 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1265 }
1266
1267#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1268 if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1269 {
1270 /*
1271 * Save IV in SSL3 and TLS1
1272 */
1273 memcpy( ssl->transform_out->iv_enc,
1274 ssl->transform_out->cipher_ctx_enc.iv,
1275 ssl->transform_out->ivlen );
1276 }
1277#endif
1278 }
1279 else
1280#endif /* POLARSSL_CIPHER_MODE_CBC &&
1281 ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1282 {
1283 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1284 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1285 }
1286
1287 for( i = 8; i > 0; i-- )
1288 if( ++ssl->out_ctr[i - 1] != 0 )
1289 break;
1290
1291 /* The loops goes to its end iff the counter is wrapping */
1292 if( i == 0 )
1293 {
1294 SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
1295 return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
1296 }
1297
1298 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1299
1300 return( 0 );
1301}
1302
1303#define POLARSSL_SSL_MAX_MAC_SIZE 48
1304
1305static int ssl_decrypt_buf( ssl_context *ssl )
1306{
1307 size_t i;
1308 const cipher_mode_t mode = cipher_get_cipher_mode(
1309 &ssl->transform_in->cipher_ctx_dec );
1310#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1311 ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1312 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1313 size_t padlen = 0, correct = 1;
1314#endif
1315
1316 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1317
1318 if( ssl->in_msglen < ssl->transform_in->minlen )
1319 {
1320 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1321 ssl->in_msglen, ssl->transform_in->minlen ) );
1322 return( POLARSSL_ERR_SSL_INVALID_MAC );
1323 }
1324
1325#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1326 if( mode == POLARSSL_MODE_STREAM )
1327 {
1328 int ret;
1329 size_t olen = 0;
1330
1331 padlen = 0;
1332
1333 if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1334 ssl->transform_in->iv_dec,
1335 ssl->transform_in->ivlen,
1336 ssl->in_msg, ssl->in_msglen,
1337 ssl->in_msg, &olen ) ) != 0 )
1338 {
1339 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1340 return( ret );
1341 }
1342
1343 if( ssl->in_msglen != olen )
1344 {
1345 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1346 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1347 }
1348 }
1349 else
1350#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1351#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1352 if( mode == POLARSSL_MODE_GCM ||
1353 mode == POLARSSL_MODE_CCM )
1354 {
1355 int ret;
1356 size_t dec_msglen, olen;
1357 unsigned char *dec_msg;
1358 unsigned char *dec_msg_result;
1359 unsigned char add_data[13];
1360 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
1361 POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
1362 unsigned char explicit_iv_len = ssl->transform_in->ivlen -
1363 ssl->transform_in->fixed_ivlen;
1364
1365 if( ssl->in_msglen < explicit_iv_len + taglen )
1366 {
1367 SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1368 "+ taglen (%d)", ssl->in_msglen,
1369 explicit_iv_len, taglen ) );
1370 return( POLARSSL_ERR_SSL_INVALID_MAC );
1371 }
1372 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
1373
1374 dec_msg = ssl->in_msg;
1375 dec_msg_result = ssl->in_msg;
1376 ssl->in_msglen = dec_msglen;
1377
1378 memcpy( add_data, ssl->in_ctr, 8 );
1379 add_data[8] = ssl->in_msgtype;
1380 add_data[9] = ssl->major_ver;
1381 add_data[10] = ssl->minor_ver;
1382 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1383 add_data[12] = ssl->in_msglen & 0xFF;
1384
1385 SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1386 add_data, 13 );
1387
1388 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1389 ssl->in_iv,
1390 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1391
1392 SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1393 ssl->transform_in->ivlen );
1394 SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
1395
1396 /*
1397 * Decrypt and authenticate
1398 */
1399 if( ( ret = cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
1400 ssl->transform_in->iv_dec,
1401 ssl->transform_in->ivlen,
1402 add_data, 13,
1403 dec_msg, dec_msglen,
1404 dec_msg_result, &olen,
1405 dec_msg + dec_msglen, taglen ) ) != 0 )
1406 {
1407 SSL_DEBUG_RET( 1, "cipher_auth_decrypt", ret );
1408
1409 if( ret == POLARSSL_ERR_CIPHER_AUTH_FAILED )
1410 return( POLARSSL_ERR_SSL_INVALID_MAC );
1411
1412 return( ret );
1413 }
1414
1415 if( olen != dec_msglen )
1416 {
1417 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1418 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1419 }
1420 }
1421 else
1422#endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
1423#if defined(POLARSSL_CIPHER_MODE_CBC) && \
1424 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1425 if( mode == POLARSSL_MODE_CBC )
1426 {
1427 /*
1428 * Decrypt and check the padding
1429 */
1430 int ret;
1431 unsigned char *dec_msg;
1432 unsigned char *dec_msg_result;
1433 size_t dec_msglen;
1434 size_t minlen = 0;
1435 size_t olen = 0;
1436
1437 /*
1438 * Check immediate ciphertext sanity
1439 */
1440 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1441 {
1442 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1443 ssl->in_msglen, ssl->transform_in->ivlen ) );
1444 return( POLARSSL_ERR_SSL_INVALID_MAC );
1445 }
1446
1447#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1448 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1449 minlen += ssl->transform_in->ivlen;
1450#endif
1451
1452 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1453 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1454 {
1455 SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1456 "+ 1 ) ( + expl IV )", ssl->in_msglen,
1457 ssl->transform_in->ivlen,
1458 ssl->transform_in->maclen ) );
1459 return( POLARSSL_ERR_SSL_INVALID_MAC );
1460 }
1461
1462 dec_msglen = ssl->in_msglen;
1463 dec_msg = ssl->in_msg;
1464 dec_msg_result = ssl->in_msg;
1465
1466#if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1467 /*
1468 * Initialize for prepended IV for block cipher in TLS v1.1 and up
1469 */
1470 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1471 {
1472 dec_msglen -= ssl->transform_in->ivlen;
1473 ssl->in_msglen -= ssl->transform_in->ivlen;
1474
1475 for( i = 0; i < ssl->transform_in->ivlen; i++ )
1476 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1477 }
1478#endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1479
1480 if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1481 ssl->transform_in->iv_dec,
1482 ssl->transform_in->ivlen,
1483 dec_msg, dec_msglen,
1484 dec_msg_result, &olen ) ) != 0 )
1485 {
1486 SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1487 return( ret );
1488 }
1489
1490 if( dec_msglen != olen )
1491 {
1492 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1493 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1494 }
1495
1496#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1497 if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1498 {
1499 /*
1500 * Save IV in SSL3 and TLS1
1501 */
1502 memcpy( ssl->transform_in->iv_dec,
1503 ssl->transform_in->cipher_ctx_dec.iv,
1504 ssl->transform_in->ivlen );
1505 }
1506#endif
1507
1508 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1509
1510 if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1511 {
1512#if defined(POLARSSL_SSL_DEBUG_ALL)
1513 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1514 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1515#endif
1516 padlen = 0;
1517 correct = 0;
1518 }
1519
1520#if defined(POLARSSL_SSL_PROTO_SSL3)
1521 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1522 {
1523 if( padlen > ssl->transform_in->ivlen )
1524 {
1525#if defined(POLARSSL_SSL_DEBUG_ALL)
1526 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1527 "should be no more than %d",
1528 padlen, ssl->transform_in->ivlen ) );
1529#endif
1530 correct = 0;
1531 }
1532 }
1533 else
1534#endif /* POLARSSL_SSL_PROTO_SSL3 */
1535#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1536 defined(POLARSSL_SSL_PROTO_TLS1_2)
1537 if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1538 {
1539 /*
1540 * TLSv1+: always check the padding up to the first failure
1541 * and fake check up to 256 bytes of padding
1542 */
1543 size_t pad_count = 0, real_count = 1;
1544 size_t padding_idx = ssl->in_msglen - padlen - 1;
1545
1546 /*
1547 * Padding is guaranteed to be incorrect if:
1548 * 1. padlen >= ssl->in_msglen
1549 *
1550 * 2. padding_idx >= SSL_MAX_CONTENT_LEN +
1551 * ssl->transform_in->maclen
1552 *
1553 * In both cases we reset padding_idx to a safe value (0) to
1554 * prevent out-of-buffer reads.
1555 */
1556 correct &= ( ssl->in_msglen >= padlen + 1 );
1557 correct &= ( padding_idx < SSL_MAX_CONTENT_LEN +
1558 ssl->transform_in->maclen );
1559
1560 padding_idx *= correct;
1561
1562 for( i = 1; i <= 256; i++ )
1563 {
1564 real_count &= ( i <= padlen );
1565 pad_count += real_count *
1566 ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1567 }
1568
1569 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1570
1571#if defined(POLARSSL_SSL_DEBUG_ALL)
1572 if( padlen > 0 && correct == 0 )
1573 SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1574#endif
1575 padlen &= correct * 0x1FF;
1576 }
1577 else
1578#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1579 POLARSSL_SSL_PROTO_TLS1_2 */
1580 {
1581 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1582 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1583 }
1584 }
1585 else
1586#endif /* POLARSSL_CIPHER_MODE_CBC &&
1587 ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1588 {
1589 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1590 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1591 }
1592
1593 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1594 ssl->in_msg, ssl->in_msglen );
1595
1596 /*
1597 * Always compute the MAC (RFC4346, CBCTIME), except for AEAD of course
1598 */
1599#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1600 ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1601 ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1602 if( mode != POLARSSL_MODE_GCM &&
1603 mode != POLARSSL_MODE_CCM )
1604 {
1605 unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1606
1607 ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1608
1609 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1610 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1611
1612 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1613
1614#if defined(POLARSSL_SSL_PROTO_SSL3)
1615 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1616 {
1617 ssl_mac( &ssl->transform_in->md_ctx_dec,
1618 ssl->transform_in->mac_dec,
1619 ssl->in_msg, ssl->in_msglen,
1620 ssl->in_ctr, ssl->in_msgtype );
1621 }
1622 else
1623#endif /* POLARSSL_SSL_PROTO_SSL3 */
1624#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1625 defined(POLARSSL_SSL_PROTO_TLS1_2)
1626 if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1627 {
1628 /*
1629 * Process MAC and always update for padlen afterwards to make
1630 * total time independent of padlen
1631 *
1632 * extra_run compensates MAC check for padlen
1633 *
1634 * Known timing attacks:
1635 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1636 *
1637 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1638 * correctly. (We round down instead of up, so -56 is the correct
1639 * value for our calculations instead of -55)
1640 */
1641 size_t j, extra_run = 0;
1642 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1643 ( 13 + ssl->in_msglen + 8 ) / 64;
1644
1645 extra_run &= correct * 0xFF;
1646
1647 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1648 md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
1649 ssl->in_msglen );
1650 md_hmac_finish( &ssl->transform_in->md_ctx_dec,
1651 ssl->in_msg + ssl->in_msglen );
1652 for( j = 0; j < extra_run; j++ )
1653 md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1654
1655 md_hmac_reset( &ssl->transform_in->md_ctx_dec );
1656 }
1657 else
1658#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1659 POLARSSL_SSL_PROTO_TLS1_2 */
1660 {
1661 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1662 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
1663 }
1664
1665 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1666 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1667 ssl->transform_in->maclen );
1668
1669 if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1670 ssl->transform_in->maclen ) != 0 )
1671 {
1672#if defined(POLARSSL_SSL_DEBUG_ALL)
1673 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1674#endif
1675 correct = 0;
1676 }
1677
1678 /*
1679 * Finally check the correct flag
1680 */
1681 if( correct == 0 )
1682 return( POLARSSL_ERR_SSL_INVALID_MAC );
1683 }
1684#endif /* AEAD not the only option */
1685
1686 if( ssl->in_msglen == 0 )
1687 {
1688 ssl->nb_zero++;
1689
1690 /*
1691 * Three or more empty messages may be a DoS attack
1692 * (excessive CPU consumption).
1693 */
1694 if( ssl->nb_zero > 3 )
1695 {
1696 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1697 "messages, possible DoS attack" ) );
1698 return( POLARSSL_ERR_SSL_INVALID_MAC );
1699 }
1700 }
1701 else
1702 ssl->nb_zero = 0;
1703
1704 for( i = 8; i > 0; i-- )
1705 if( ++ssl->in_ctr[i - 1] != 0 )
1706 break;
1707
1708 /* The loops goes to its end iff the counter is wrapping */
1709 if( i == 0 )
1710 {
1711 SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
1712 return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
1713 }
1714
1715 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1716
1717 return( 0 );
1718}
1719
1720#if defined(POLARSSL_ZLIB_SUPPORT)
1721/*
1722 * Compression/decompression functions
1723 */
1724static int ssl_compress_buf( ssl_context *ssl )
1725{
1726 int ret;
1727 unsigned char *msg_post = ssl->out_msg;
1728 size_t len_pre = ssl->out_msglen;
1729 unsigned char *msg_pre = ssl->compress_buf;
1730
1731 SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1732
1733 if( len_pre == 0 )
1734 return( 0 );
1735
1736 memcpy( msg_pre, ssl->out_msg, len_pre );
1737
1738 SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1739 ssl->out_msglen ) );
1740
1741 SSL_DEBUG_BUF( 4, "before compression: output payload",
1742 ssl->out_msg, ssl->out_msglen );
1743
1744 ssl->transform_out->ctx_deflate.next_in = msg_pre;
1745 ssl->transform_out->ctx_deflate.avail_in = len_pre;
1746 ssl->transform_out->ctx_deflate.next_out = msg_post;
1747 ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1748
1749 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1750 if( ret != Z_OK )
1751 {
1752 SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1753 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1754 }
1755
1756 ssl->out_msglen = SSL_BUFFER_LEN -
1757 ssl->transform_out->ctx_deflate.avail_out;
1758
1759 SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1760 ssl->out_msglen ) );
1761
1762 SSL_DEBUG_BUF( 4, "after compression: output payload",
1763 ssl->out_msg, ssl->out_msglen );
1764
1765 SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1766
1767 return( 0 );
1768}
1769
1770static int ssl_decompress_buf( ssl_context *ssl )
1771{
1772 int ret;
1773 unsigned char *msg_post = ssl->in_msg;
1774 size_t len_pre = ssl->in_msglen;
1775 unsigned char *msg_pre = ssl->compress_buf;
1776
1777 SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1778
1779 if( len_pre == 0 )
1780 return( 0 );
1781
1782 memcpy( msg_pre, ssl->in_msg, len_pre );
1783
1784 SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1785 ssl->in_msglen ) );
1786
1787 SSL_DEBUG_BUF( 4, "before decompression: input payload",
1788 ssl->in_msg, ssl->in_msglen );
1789
1790 ssl->transform_in->ctx_inflate.next_in = msg_pre;
1791 ssl->transform_in->ctx_inflate.avail_in = len_pre;
1792 ssl->transform_in->ctx_inflate.next_out = msg_post;
1793 ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1794
1795 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1796 if( ret != Z_OK )
1797 {
1798 SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1799 return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
1800 }
1801
1802 ssl->in_msglen = SSL_MAX_CONTENT_LEN -
1803 ssl->transform_in->ctx_inflate.avail_out;
1804
1805 SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1806 ssl->in_msglen ) );
1807
1808 SSL_DEBUG_BUF( 4, "after decompression: input payload",
1809 ssl->in_msg, ssl->in_msglen );
1810
1811 SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1812
1813 return( 0 );
1814}
1815#endif /* POLARSSL_ZLIB_SUPPORT */
1816
1817/*
1818 * Fill the input message buffer
1819 */
1820int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1821{
1822 int ret;
1823 size_t len;
1824
1825 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1826
1827 if( nb_want > SSL_BUFFER_LEN - 8 )
1828 {
1829 SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1830 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
1831 }
1832
1833 while( ssl->in_left < nb_want )
1834 {
1835 len = nb_want - ssl->in_left;
1836 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1837
1838 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1839 ssl->in_left, nb_want ) );
1840 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1841
1842 if( ret == 0 )
1843 return( POLARSSL_ERR_SSL_CONN_EOF );
1844
1845 if( ret < 0 )
1846 return( ret );
1847
1848 ssl->in_left += ret;
1849 }
1850
1851 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1852
1853 return( 0 );
1854}
1855
1856/*
1857 * Flush any data not yet written
1858 */
1859int ssl_flush_output( ssl_context *ssl )
1860{
1861 int ret;
1862 unsigned char *buf;
1863
1864 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1865
1866 while( ssl->out_left > 0 )
1867 {
1868 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1869 5 + ssl->out_msglen, ssl->out_left ) );
1870
1871 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1872 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1873
1874 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1875
1876 if( ret <= 0 )
1877 return( ret );
1878
1879 ssl->out_left -= ret;
1880 }
1881
1882 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1883
1884 return( 0 );
1885}
1886
1887/*
1888 * Record layer functions
1889 */
1890int ssl_write_record( ssl_context *ssl )
1891{
1892 int ret, done = 0;
1893 size_t len = ssl->out_msglen;
1894
1895 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1896
1897 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1898 {
1899 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1900 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1901 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1902
1903 if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
1904 ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1905 }
1906
1907#if defined(POLARSSL_ZLIB_SUPPORT)
1908 if( ssl->transform_out != NULL &&
1909 ssl->session_out->compression == SSL_COMPRESS_DEFLATE )
1910 {
1911 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1912 {
1913 SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1914 return( ret );
1915 }
1916
1917 len = ssl->out_msglen;
1918 }
1919#endif /*POLARSSL_ZLIB_SUPPORT */
1920
1921#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1922 if( ssl_hw_record_write != NULL )
1923 {
1924 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1925
1926 ret = ssl_hw_record_write( ssl );
1927 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1928 {
1929 SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1930 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
1931 }
1932
1933 if( ret == 0 )
1934 done = 1;
1935 }
1936#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
1937 if( !done )
1938 {
1939 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1940 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1941 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1942 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1943 ssl->out_hdr[4] = (unsigned char)( len );
1944
1945 if( ssl->transform_out != NULL )
1946 {
1947 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1948 {
1949 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1950 return( ret );
1951 }
1952
1953 len = ssl->out_msglen;
1954 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1955 ssl->out_hdr[4] = (unsigned char)( len );
1956 }
1957
1958 ssl->out_left = 5 + ssl->out_msglen;
1959
1960 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1961 "version = [%d:%d], msglen = %d",
1962 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1963 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1964
1965 SSL_DEBUG_BUF( 4, "output record sent to network",
1966 ssl->out_hdr, 5 + ssl->out_msglen );
1967 }
1968
1969 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1970 {
1971 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1972 return( ret );
1973 }
1974
1975 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1976
1977 return( 0 );
1978}
1979
1980int ssl_read_record( ssl_context *ssl )
1981{
1982 int ret, done = 0;
1983
1984 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1985
1986 if( ssl->in_hslen != 0 &&
1987 ssl->in_hslen < ssl->in_msglen )
1988 {
1989 /*
1990 * Get next Handshake message in the current record
1991 */
1992 ssl->in_msglen -= ssl->in_hslen;
1993
1994 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
1995 ssl->in_msglen );
1996
1997 ssl->in_hslen = 4;
1998 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1999
2000 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2001 " %d, type = %d, hslen = %d",
2002 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2003
2004 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2005 {
2006 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2007 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2008 }
2009
2010 if( ssl->in_msglen < ssl->in_hslen )
2011 {
2012 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2013 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2014 }
2015
2016 if( ssl->state != SSL_HANDSHAKE_OVER )
2017 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2018
2019 return( 0 );
2020 }
2021
2022 ssl->in_hslen = 0;
2023
2024 /*
2025 * Read the record header and validate it
2026 */
2027 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2028 {
2029 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2030 return( ret );
2031 }
2032
2033 ssl->in_msgtype = ssl->in_hdr[0];
2034 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2035
2036 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2037 "version = [%d:%d], msglen = %d",
2038 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2039 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2040
2041 if( ssl->in_hdr[1] != ssl->major_ver )
2042 {
2043 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
2044 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2045 }
2046
2047 if( ssl->in_hdr[2] > ssl->max_minor_ver )
2048 {
2049 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
2050 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2051 }
2052
2053 /* Sanity check (outer boundaries) */
2054 if( ssl->in_msglen < 1 || ssl->in_msglen > SSL_BUFFER_LEN - 13 )
2055 {
2056 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2057 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2058 }
2059
2060 /*
2061 * Make sure the message length is acceptable for the current transform
2062 * and protocol version.
2063 */
2064 if( ssl->transform_in == NULL )
2065 {
2066 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2067 {
2068 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2069 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2070 }
2071 }
2072 else
2073 {
2074 if( ssl->in_msglen < ssl->transform_in->minlen )
2075 {
2076 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2077 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2078 }
2079
2080#if defined(POLARSSL_SSL_PROTO_SSL3)
2081 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2082 ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN )
2083 {
2084 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2085 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2086 }
2087#endif
2088
2089#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2090 defined(POLARSSL_SSL_PROTO_TLS1_2)
2091 /*
2092 * TLS encrypted messages can have up to 256 bytes of padding
2093 */
2094 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2095 ssl->in_msglen > ssl->transform_in->minlen +
2096 SSL_MAX_CONTENT_LEN + 256 )
2097 {
2098 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2099 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2100 }
2101#endif
2102 }
2103
2104 /*
2105 * Read and optionally decrypt the message contents
2106 */
2107 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2108 {
2109 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2110 return( ret );
2111 }
2112
2113 SSL_DEBUG_BUF( 4, "input record from network",
2114 ssl->in_hdr, 5 + ssl->in_msglen );
2115
2116#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2117 if( ssl_hw_record_read != NULL )
2118 {
2119 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2120
2121 ret = ssl_hw_record_read( ssl );
2122 if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2123 {
2124 SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2125 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
2126 }
2127
2128 if( ret == 0 )
2129 done = 1;
2130 }
2131#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
2132 if( !done && ssl->transform_in != NULL )
2133 {
2134 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2135 {
2136#if defined(POLARSSL_SSL_ALERT_MESSAGES)
2137 if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2138 {
2139 ssl_send_alert_message( ssl,
2140 SSL_ALERT_LEVEL_FATAL,
2141 SSL_ALERT_MSG_BAD_RECORD_MAC );
2142 }
2143#endif
2144 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2145 return( ret );
2146 }
2147
2148 SSL_DEBUG_BUF( 4, "input payload after decrypt",
2149 ssl->in_msg, ssl->in_msglen );
2150
2151 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2152 {
2153 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2154 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2155 }
2156 }
2157
2158#if defined(POLARSSL_ZLIB_SUPPORT)
2159 if( ssl->transform_in != NULL &&
2160 ssl->session_in->compression == SSL_COMPRESS_DEFLATE )
2161 {
2162 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2163 {
2164 SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2165 return( ret );
2166 }
2167
2168 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2169 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2170 }
2171#endif /* POLARSSL_ZLIB_SUPPORT */
2172
2173 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2174 ssl->in_msgtype != SSL_MSG_ALERT &&
2175 ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
2176 ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
2177 {
2178 SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2179
2180 if( ( ret = ssl_send_alert_message( ssl,
2181 SSL_ALERT_LEVEL_FATAL,
2182 SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
2183 {
2184 return( ret );
2185 }
2186
2187 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2188 }
2189
2190 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2191 {
2192 ssl->in_hslen = 4;
2193 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2194
2195 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2196 " %d, type = %d, hslen = %d",
2197 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2198
2199 /*
2200 * Additional checks to validate the handshake header
2201 */
2202 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2203 {
2204 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2205 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2206 }
2207
2208 if( ssl->in_msglen < ssl->in_hslen )
2209 {
2210 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2211 return( POLARSSL_ERR_SSL_INVALID_RECORD );
2212 }
2213
2214 if( ssl->state != SSL_HANDSHAKE_OVER )
2215 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2216 }
2217
2218 if( ssl->in_msgtype == SSL_MSG_ALERT )
2219 {
2220 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2221 ssl->in_msg[0], ssl->in_msg[1] ) );
2222
2223 /*
2224 * Ignore non-fatal alerts, except close_notify
2225 */
2226 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2227 {
2228 SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2229 ssl->in_msg[1] ) );
2230 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
2231 }
2232
2233 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2234 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2235 {
2236 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2237 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
2238 }
2239 }
2240
2241 ssl->in_left = 0;
2242
2243 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2244
2245 return( 0 );
2246}
2247
2248int ssl_send_fatal_handshake_failure( ssl_context *ssl )
2249{
2250 int ret;
2251
2252 if( ( ret = ssl_send_alert_message( ssl,
2253 SSL_ALERT_LEVEL_FATAL,
2254 SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
2255 {
2256 return( ret );
2257 }
2258
2259 return( 0 );
2260}
2261
2262int ssl_send_alert_message( ssl_context *ssl,
2263 unsigned char level,
2264 unsigned char message )
2265{
2266 int ret;
2267
2268 SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2269
2270 ssl->out_msgtype = SSL_MSG_ALERT;
2271 ssl->out_msglen = 2;
2272 ssl->out_msg[0] = level;
2273 ssl->out_msg[1] = message;
2274
2275 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2276 {
2277 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2278 return( ret );
2279 }
2280
2281 SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2282
2283 return( 0 );
2284}
2285
2286/*
2287 * Handshake functions
2288 */
2289#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2290 !defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
2291 !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2292 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2293 !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
2294 !defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2295 !defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2296int ssl_write_certificate( ssl_context *ssl )
2297{
2298 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2299
2300 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2301
2302 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2303 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2304 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2305 {
2306 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2307 ssl->state++;
2308 return( 0 );
2309 }
2310
2311 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2312 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2313}
2314
2315int ssl_parse_certificate( ssl_context *ssl )
2316{
2317 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2318
2319 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2320
2321 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2322 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2323 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2324 {
2325 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2326 ssl->state++;
2327 return( 0 );
2328 }
2329
2330 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2331 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
2332}
2333#else
2334int ssl_write_certificate( ssl_context *ssl )
2335{
2336 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2337 size_t i, n;
2338 const x509_crt *crt;
2339 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2340
2341 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2342
2343 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2344 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2345 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2346 {
2347 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2348 ssl->state++;
2349 return( 0 );
2350 }
2351
2352 if( ssl->endpoint == SSL_IS_CLIENT )
2353 {
2354 if( ssl->client_auth == 0 )
2355 {
2356 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2357 ssl->state++;
2358 return( 0 );
2359 }
2360
2361#if defined(POLARSSL_SSL_PROTO_SSL3)
2362 /*
2363 * If using SSLv3 and got no cert, send an Alert message
2364 * (otherwise an empty Certificate message will be sent).
2365 */
2366 if( ssl_own_cert( ssl ) == NULL &&
2367 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2368 {
2369 ssl->out_msglen = 2;
2370 ssl->out_msgtype = SSL_MSG_ALERT;
2371 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2372 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2373
2374 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2375 goto write_msg;
2376 }
2377#endif /* POLARSSL_SSL_PROTO_SSL3 */
2378 }
2379 else /* SSL_IS_SERVER */
2380 {
2381 if( ssl_own_cert( ssl ) == NULL )
2382 {
2383 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2384 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
2385 }
2386 }
2387
2388 SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
2389
2390 /*
2391 * 0 . 0 handshake type
2392 * 1 . 3 handshake length
2393 * 4 . 6 length of all certs
2394 * 7 . 9 length of cert. 1
2395 * 10 . n-1 peer certificate
2396 * n . n+2 length of cert. 2
2397 * n+3 . ... upper level cert, etc.
2398 */
2399 i = 7;
2400 crt = ssl_own_cert( ssl );
2401
2402 while( crt != NULL )
2403 {
2404 n = crt->raw.len;
2405 if( n > SSL_MAX_CONTENT_LEN - 3 - i )
2406 {
2407 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2408 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2409 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
2410 }
2411
2412 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2413 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2414 ssl->out_msg[i + 2] = (unsigned char)( n );
2415
2416 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2417 i += n; crt = crt->next;
2418 }
2419
2420 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2421 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2422 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2423
2424 ssl->out_msglen = i;
2425 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2426 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2427
2428#if defined(POLARSSL_SSL_PROTO_SSL3)
2429write_msg:
2430#endif
2431
2432 ssl->state++;
2433
2434 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2435 {
2436 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2437 return( ret );
2438 }
2439
2440 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2441
2442 return( ret );
2443}
2444
2445int ssl_parse_certificate( ssl_context *ssl )
2446{
2447 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
2448 size_t i, n;
2449 const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2450
2451 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2452
2453 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2454 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2455 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2456 {
2457 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2458 ssl->state++;
2459 return( 0 );
2460 }
2461
2462 if( ssl->endpoint == SSL_IS_SERVER &&
2463 ( ssl->authmode == SSL_VERIFY_NONE ||
2464 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
2465 {
2466 ssl->session_negotiate->verify_result = BADCERT_SKIP_VERIFY;
2467 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2468 ssl->state++;
2469 return( 0 );
2470 }
2471
2472 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2473 {
2474 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2475 return( ret );
2476 }
2477
2478 ssl->state++;
2479
2480#if defined(POLARSSL_SSL_PROTO_SSL3)
2481 /*
2482 * Check if the client sent an empty certificate
2483 */
2484 if( ssl->endpoint == SSL_IS_SERVER &&
2485 ssl->minor_ver == SSL_MINOR_VERSION_0 )
2486 {
2487 if( ssl->in_msglen == 2 &&
2488 ssl->in_msgtype == SSL_MSG_ALERT &&
2489 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2490 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2491 {
2492 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2493
2494 ssl->session_negotiate->verify_result = BADCERT_MISSING;
2495 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2496 return( 0 );
2497 else
2498 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
2499 }
2500 }
2501#endif /* POLARSSL_SSL_PROTO_SSL3 */
2502
2503#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2504 defined(POLARSSL_SSL_PROTO_TLS1_2)
2505 if( ssl->endpoint == SSL_IS_SERVER &&
2506 ssl->minor_ver != SSL_MINOR_VERSION_0 )
2507 {
2508 if( ssl->in_hslen == 7 &&
2509 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2510 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2511 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2512 {
2513 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2514
2515 ssl->session_negotiate->verify_result = BADCERT_MISSING;
2516 if( ssl->authmode == SSL_VERIFY_REQUIRED )
2517 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
2518 else
2519 return( 0 );
2520 }
2521 }
2522#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2523 POLARSSL_SSL_PROTO_TLS1_2 */
2524
2525 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2526 {
2527 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2528 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2529 }
2530
2531 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2532 {
2533 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2534 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2535 }
2536
2537 /*
2538 * Same message structure as in ssl_write_certificate()
2539 */
2540 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2541
2542 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2543 {
2544 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2545 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2546 }
2547
2548 /* In case we tried to reuse a session but it failed */
2549 if( ssl->session_negotiate->peer_cert != NULL )
2550 {
2551 x509_crt_free( ssl->session_negotiate->peer_cert );
2552 polarssl_free( ssl->session_negotiate->peer_cert );
2553 }
2554
2555 if( ( ssl->session_negotiate->peer_cert = (x509_crt *) polarssl_malloc(
2556 sizeof( x509_crt ) ) ) == NULL )
2557 {
2558 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2559 sizeof( x509_crt ) ) );
2560 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2561 }
2562
2563 x509_crt_init( ssl->session_negotiate->peer_cert );
2564
2565 i = 7;
2566
2567 while( i < ssl->in_hslen )
2568 {
2569 if( ssl->in_msg[i] != 0 )
2570 {
2571 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2572 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2573 }
2574
2575 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2576 | (unsigned int) ssl->in_msg[i + 2];
2577 i += 3;
2578
2579 if( n < 128 || i + n > ssl->in_hslen )
2580 {
2581 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2582 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2583 }
2584
2585 ret = x509_crt_parse_der( ssl->session_negotiate->peer_cert,
2586 ssl->in_msg + i, n );
2587 if( ret != 0 )
2588 {
2589 SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
2590 return( ret );
2591 }
2592
2593 i += n;
2594 }
2595
2596 SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2597
2598 /*
2599 * On client, make sure the server cert doesn't change during renego to
2600 * avoid "triple handshake" attack: https://secure-resumption.com/
2601 */
2602 if( ssl->endpoint == SSL_IS_CLIENT &&
2603 ssl->renegotiation == SSL_RENEGOTIATION )
2604 {
2605 if( ssl->session->peer_cert == NULL )
2606 {
2607 SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
2608 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2609 }
2610
2611 if( ssl->session->peer_cert->raw.len !=
2612 ssl->session_negotiate->peer_cert->raw.len ||
2613 memcmp( ssl->session->peer_cert->raw.p,
2614 ssl->session_negotiate->peer_cert->raw.p,
2615 ssl->session->peer_cert->raw.len ) != 0 )
2616 {
2617 SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
2618 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2619 }
2620 }
2621
2622 if( ssl->authmode != SSL_VERIFY_NONE )
2623 {
2624 if( ssl->ca_chain == NULL )
2625 {
2626 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2627 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
2628 }
2629
2630 /*
2631 * Main check: verify certificate
2632 */
2633 ret = x509_crt_verify( ssl->session_negotiate->peer_cert,
2634 ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2635 &ssl->session_negotiate->verify_result,
2636 ssl->f_vrfy, ssl->p_vrfy );
2637
2638 if( ret != 0 )
2639 {
2640 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2641 }
2642
2643 /*
2644 * Secondary checks: always done, but change 'ret' only if it was 0
2645 */
2646
2647#if defined(POLARSSL_SSL_SET_CURVES)
2648 {
2649 pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
2650
2651 /* If certificate uses an EC key, make sure the curve is OK */
2652 if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
2653 ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
2654 {
2655 SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
2656 if( ret == 0 )
2657 ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
2658 }
2659 }
2660#endif /* POLARSSL_SSL_SET_CURVES */
2661
2662 if( ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
2663 ciphersuite_info,
2664 ! ssl->endpoint ) != 0 )
2665 {
2666 SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
2667 if( ret == 0 )
2668 ret = POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE;
2669 }
2670
2671 if( ssl->authmode != SSL_VERIFY_REQUIRED )
2672 ret = 0;
2673 }
2674
2675 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2676
2677 return( ret );
2678}
2679#endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED
2680 !POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
2681 !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
2682 !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2683 !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2684 !POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
2685 !POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2686
2687int ssl_write_change_cipher_spec( ssl_context *ssl )
2688{
2689 int ret;
2690
2691 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2692
2693 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2694 ssl->out_msglen = 1;
2695 ssl->out_msg[0] = 1;
2696
2697 ssl->state++;
2698
2699 if( ( ret = ssl_write_record( ssl ) ) != 0 )
2700 {
2701 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2702 return( ret );
2703 }
2704
2705 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2706
2707 return( 0 );
2708}
2709
2710int ssl_parse_change_cipher_spec( ssl_context *ssl )
2711{
2712 int ret;
2713
2714 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2715
2716 if( ( ret = ssl_read_record( ssl ) ) != 0 )
2717 {
2718 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2719 return( ret );
2720 }
2721
2722 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2723 {
2724 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2725 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2726 }
2727
2728 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2729 {
2730 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2731 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
2732 }
2733
2734 ssl->state++;
2735
2736 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2737
2738 return( 0 );
2739}
2740
2741void ssl_optimize_checksum( ssl_context *ssl,
2742 const ssl_ciphersuite_t *ciphersuite_info )
2743{
2744 ((void) ciphersuite_info);
2745
2746#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2747 defined(POLARSSL_SSL_PROTO_TLS1_1)
2748 if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2749 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2750 else
2751#endif
2752#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2753#if defined(POLARSSL_SHA512_C)
2754 if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2755 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2756 else
2757#endif
2758#if defined(POLARSSL_SHA256_C)
2759 if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
2760 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2761 else
2762#endif
2763#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2764 {
2765 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2766 return;
2767 }
2768}
2769
2770static void ssl_update_checksum_start( ssl_context *ssl,
2771 const unsigned char *buf, size_t len )
2772{
2773#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2774 defined(POLARSSL_SSL_PROTO_TLS1_1)
2775 md5_update( &ssl->handshake->fin_md5 , buf, len );
2776 sha1_update( &ssl->handshake->fin_sha1, buf, len );
2777#endif
2778#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2779#if defined(POLARSSL_SHA256_C)
2780 sha256_update( &ssl->handshake->fin_sha256, buf, len );
2781#endif
2782#if defined(POLARSSL_SHA512_C)
2783 sha512_update( &ssl->handshake->fin_sha512, buf, len );
2784#endif
2785#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2786}
2787
2788#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2789 defined(POLARSSL_SSL_PROTO_TLS1_1)
2790static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2791 const unsigned char *buf, size_t len )
2792{
2793 md5_update( &ssl->handshake->fin_md5 , buf, len );
2794 sha1_update( &ssl->handshake->fin_sha1, buf, len );
2795}
2796#endif
2797
2798#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2799#if defined(POLARSSL_SHA256_C)
2800static void ssl_update_checksum_sha256( ssl_context *ssl,
2801 const unsigned char *buf, size_t len )
2802{
2803 sha256_update( &ssl->handshake->fin_sha256, buf, len );
2804}
2805#endif
2806
2807#if defined(POLARSSL_SHA512_C)
2808static void ssl_update_checksum_sha384( ssl_context *ssl,
2809 const unsigned char *buf, size_t len )
2810{
2811 sha512_update( &ssl->handshake->fin_sha512, buf, len );
2812}
2813#endif
2814#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2815
2816#if defined(POLARSSL_SSL_PROTO_SSL3)
2817static void ssl_calc_finished_ssl(
2818 ssl_context *ssl, unsigned char *buf, int from )
2819{
2820 const char *sender;
2821 md5_context md5;
2822 sha1_context sha1;
2823
2824 unsigned char padbuf[48];
2825 unsigned char md5sum[16];
2826 unsigned char sha1sum[20];
2827
2828 ssl_session *session = ssl->session_negotiate;
2829 if( !session )
2830 session = ssl->session;
2831
2832 SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2833
2834 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2835 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2836
2837 /*
2838 * SSLv3:
2839 * hash =
2840 * MD5( master + pad2 +
2841 * MD5( handshake + sender + master + pad1 ) )
2842 * + SHA1( master + pad2 +
2843 * SHA1( handshake + sender + master + pad1 ) )
2844 */
2845
2846#if !defined(POLARSSL_MD5_ALT)
2847 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2848 md5.state, sizeof( md5.state ) );
2849#endif
2850
2851#if !defined(POLARSSL_SHA1_ALT)
2852 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2853 sha1.state, sizeof( sha1.state ) );
2854#endif
2855
2856 sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2857 : "SRVR";
2858
2859 memset( padbuf, 0x36, 48 );
2860
2861 md5_update( &md5, (const unsigned char *) sender, 4 );
2862 md5_update( &md5, session->master, 48 );
2863 md5_update( &md5, padbuf, 48 );
2864 md5_finish( &md5, md5sum );
2865
2866 sha1_update( &sha1, (const unsigned char *) sender, 4 );
2867 sha1_update( &sha1, session->master, 48 );
2868 sha1_update( &sha1, padbuf, 40 );
2869 sha1_finish( &sha1, sha1sum );
2870
2871 memset( padbuf, 0x5C, 48 );
2872
2873 md5_starts( &md5 );
2874 md5_update( &md5, session->master, 48 );
2875 md5_update( &md5, padbuf, 48 );
2876 md5_update( &md5, md5sum, 16 );
2877 md5_finish( &md5, buf );
2878
2879 sha1_starts( &sha1 );
2880 sha1_update( &sha1, session->master, 48 );
2881 sha1_update( &sha1, padbuf , 40 );
2882 sha1_update( &sha1, sha1sum, 20 );
2883 sha1_finish( &sha1, buf + 16 );
2884
2885 SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2886
2887 md5_free( &md5 );
2888 sha1_free( &sha1 );
2889
2890 polarssl_zeroize( padbuf, sizeof( padbuf ) );
2891 polarssl_zeroize( md5sum, sizeof( md5sum ) );
2892 polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
2893
2894 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2895}
2896#endif /* POLARSSL_SSL_PROTO_SSL3 */
2897
2898#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
2899static void ssl_calc_finished_tls(
2900 ssl_context *ssl, unsigned char *buf, int from )
2901{
2902 int len = 12;
2903 const char *sender;
2904 md5_context md5;
2905 sha1_context sha1;
2906 unsigned char padbuf[36];
2907
2908 ssl_session *session = ssl->session_negotiate;
2909 if( !session )
2910 session = ssl->session;
2911
2912 SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2913
2914 memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2915 memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2916
2917 /*
2918 * TLSv1:
2919 * hash = PRF( master, finished_label,
2920 * MD5( handshake ) + SHA1( handshake ) )[0..11]
2921 */
2922
2923#if !defined(POLARSSL_MD5_ALT)
2924 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2925 md5.state, sizeof( md5.state ) );
2926#endif
2927
2928#if !defined(POLARSSL_SHA1_ALT)
2929 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2930 sha1.state, sizeof( sha1.state ) );
2931#endif
2932
2933 sender = ( from == SSL_IS_CLIENT )
2934 ? "client finished"
2935 : "server finished";
2936
2937 md5_finish( &md5, padbuf );
2938 sha1_finish( &sha1, padbuf + 16 );
2939
2940 ssl->handshake->tls_prf( session->master, 48, sender,
2941 padbuf, 36, buf, len );
2942
2943 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2944
2945 md5_free( &md5 );
2946 sha1_free( &sha1 );
2947
2948 polarssl_zeroize( padbuf, sizeof( padbuf ) );
2949
2950 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2951}
2952#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
2953
2954#if defined(POLARSSL_SSL_PROTO_TLS1_2)
2955#if defined(POLARSSL_SHA256_C)
2956static void ssl_calc_finished_tls_sha256(
2957 ssl_context *ssl, unsigned char *buf, int from )
2958{
2959 int len = 12;
2960 const char *sender;
2961 sha256_context sha256;
2962 unsigned char padbuf[32];
2963
2964 ssl_session *session = ssl->session_negotiate;
2965 if( !session )
2966 session = ssl->session;
2967
2968 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2969
2970 memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
2971
2972 /*
2973 * TLSv1.2:
2974 * hash = PRF( master, finished_label,
2975 * Hash( handshake ) )[0.11]
2976 */
2977
2978#if !defined(POLARSSL_SHA256_ALT)
2979 SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2980 sha256.state, sizeof( sha256.state ) );
2981#endif
2982
2983 sender = ( from == SSL_IS_CLIENT )
2984 ? "client finished"
2985 : "server finished";
2986
2987 sha256_finish( &sha256, padbuf );
2988
2989 ssl->handshake->tls_prf( session->master, 48, sender,
2990 padbuf, 32, buf, len );
2991
2992 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2993
2994 sha256_free( &sha256 );
2995
2996 polarssl_zeroize( padbuf, sizeof( padbuf ) );
2997
2998 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2999}
3000#endif /* POLARSSL_SHA256_C */
3001
3002#if defined(POLARSSL_SHA512_C)
3003static void ssl_calc_finished_tls_sha384(
3004 ssl_context *ssl, unsigned char *buf, int from )
3005{
3006 int len = 12;
3007 const char *sender;
3008 sha512_context sha512;
3009 unsigned char padbuf[48];
3010
3011 ssl_session *session = ssl->session_negotiate;
3012 if( !session )
3013 session = ssl->session;
3014
3015 SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
3016
3017 memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
3018
3019 /*
3020 * TLSv1.2:
3021 * hash = PRF( master, finished_label,
3022 * Hash( handshake ) )[0.11]
3023 */
3024
3025#if !defined(POLARSSL_SHA512_ALT)
3026 SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3027 sha512.state, sizeof( sha512.state ) );
3028#endif
3029
3030 sender = ( from == SSL_IS_CLIENT )
3031 ? "client finished"
3032 : "server finished";
3033
3034 sha512_finish( &sha512, padbuf );
3035
3036 ssl->handshake->tls_prf( session->master, 48, sender,
3037 padbuf, 48, buf, len );
3038
3039 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3040
3041 sha512_free( &sha512 );
3042
3043 polarssl_zeroize( padbuf, sizeof( padbuf ) );
3044
3045 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3046}
3047#endif /* POLARSSL_SHA512_C */
3048#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3049
3050void ssl_handshake_wrapup( ssl_context *ssl )
3051{
3052 int resume = ssl->handshake->resume;
3053
3054 SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3055
3056 /*
3057 * Free our handshake params
3058 */
3059 ssl_handshake_free( ssl->handshake );
3060 polarssl_free( ssl->handshake );
3061 ssl->handshake = NULL;
3062
3063 if( ssl->renegotiation == SSL_RENEGOTIATION )
3064 {
3065 ssl->renegotiation = SSL_RENEGOTIATION_DONE;
3066 ssl->renego_records_seen = 0;
3067 }
3068
3069 /*
3070 * Switch in our now active transform context
3071 */
3072 if( ssl->transform )
3073 {
3074 ssl_transform_free( ssl->transform );
3075 polarssl_free( ssl->transform );
3076 }
3077 ssl->transform = ssl->transform_negotiate;
3078 ssl->transform_negotiate = NULL;
3079
3080 if( ssl->session )
3081 {
3082 ssl_session_free( ssl->session );
3083 polarssl_free( ssl->session );
3084 }
3085 ssl->session = ssl->session_negotiate;
3086 ssl->session_negotiate = NULL;
3087
3088 /*
3089 * Add cache entry
3090 */
3091 if( ssl->f_set_cache != NULL &&
3092 ssl->session->length != 0 &&
3093 resume == 0 )
3094 {
3095 if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3096 SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
3097 }
3098
3099 ssl->state++;
3100
3101 SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3102}
3103
3104int ssl_write_finished( ssl_context *ssl )
3105{
3106 int ret, hash_len;
3107
3108 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3109
3110 /*
3111 * Set the out_msg pointer to the correct location based on IV length
3112 */
3113 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3114 {
3115 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3116 ssl->transform_negotiate->fixed_ivlen;
3117 }
3118 else
3119 ssl->out_msg = ssl->out_iv;
3120
3121 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
3122
3123 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3124 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3125
3126 ssl->verify_data_len = hash_len;
3127 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
3128
3129 ssl->out_msglen = 4 + hash_len;
3130 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
3131 ssl->out_msg[0] = SSL_HS_FINISHED;
3132
3133 /*
3134 * In case of session resuming, invert the client and server
3135 * ChangeCipherSpec messages order.
3136 */
3137 if( ssl->handshake->resume != 0 )
3138 {
3139 if( ssl->endpoint == SSL_IS_CLIENT )
3140 ssl->state = SSL_HANDSHAKE_WRAPUP;
3141 else
3142 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
3143 }
3144 else
3145 ssl->state++;
3146
3147 /*
3148 * Switch to our negotiated transform and session parameters for outbound
3149 * data.
3150 */
3151 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3152 ssl->transform_out = ssl->transform_negotiate;
3153 ssl->session_out = ssl->session_negotiate;
3154 memset( ssl->out_ctr, 0, 8 );
3155
3156#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3157 if( ssl_hw_record_activate != NULL )
3158 {
3159 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3160 {
3161 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3162 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3163 }
3164 }
3165#endif
3166
3167 if( ( ret = ssl_write_record( ssl ) ) != 0 )
3168 {
3169 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3170 return( ret );
3171 }
3172
3173 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3174
3175 return( 0 );
3176}
3177
3178int ssl_parse_finished( ssl_context *ssl )
3179{
3180 int ret;
3181 unsigned int hash_len;
3182 unsigned char buf[36];
3183
3184 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3185
3186 ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
3187
3188 /*
3189 * Switch to our negotiated transform and session parameters for inbound
3190 * data.
3191 */
3192 SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3193 ssl->transform_in = ssl->transform_negotiate;
3194 ssl->session_in = ssl->session_negotiate;
3195 memset( ssl->in_ctr, 0, 8 );
3196
3197 /*
3198 * Set the in_msg pointer to the correct location based on IV length
3199 */
3200 if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3201 {
3202 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3203 ssl->transform_negotiate->fixed_ivlen;
3204 }
3205 else
3206 ssl->in_msg = ssl->in_iv;
3207
3208#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3209 if( ssl_hw_record_activate != NULL )
3210 {
3211 if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3212 {
3213 SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3214 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3215 }
3216 }
3217#endif
3218
3219 if( ( ret = ssl_read_record( ssl ) ) != 0 )
3220 {
3221 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3222 return( ret );
3223 }
3224
3225 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3226 {
3227 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3228 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
3229 }
3230
3231 // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3232 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3233
3234 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3235 ssl->in_hslen != 4 + hash_len )
3236 {
3237 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3238 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
3239 }
3240
3241 if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
3242 {
3243 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3244 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
3245 }
3246
3247 ssl->verify_data_len = hash_len;
3248 memcpy( ssl->peer_verify_data, buf, hash_len );
3249
3250 if( ssl->handshake->resume != 0 )
3251 {
3252 if( ssl->endpoint == SSL_IS_CLIENT )
3253 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
3254
3255 if( ssl->endpoint == SSL_IS_SERVER )
3256 ssl->state = SSL_HANDSHAKE_WRAPUP;
3257 }
3258 else
3259 ssl->state++;
3260
3261 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3262
3263 return( 0 );
3264}
3265
3266static void ssl_handshake_params_init( ssl_handshake_params *handshake )
3267{
3268 memset( handshake, 0, sizeof( ssl_handshake_params ) );
3269
3270#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3271 defined(POLARSSL_SSL_PROTO_TLS1_1)
3272 md5_init( &handshake->fin_md5 );
3273 sha1_init( &handshake->fin_sha1 );
3274 md5_starts( &handshake->fin_md5 );
3275 sha1_starts( &handshake->fin_sha1 );
3276#endif
3277#if defined(POLARSSL_SSL_PROTO_TLS1_2)
3278#if defined(POLARSSL_SHA256_C)
3279 sha256_init( &handshake->fin_sha256 );
3280 sha256_starts( &handshake->fin_sha256, 0 );
3281#endif
3282#if defined(POLARSSL_SHA512_C)
3283 sha512_init( &handshake->fin_sha512 );
3284 sha512_starts( &handshake->fin_sha512, 1 );
3285#endif
3286#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3287
3288 handshake->update_checksum = ssl_update_checksum_start;
3289 handshake->sig_alg = SSL_HASH_SHA1;
3290
3291#if defined(POLARSSL_DHM_C)
3292 dhm_init( &handshake->dhm_ctx );
3293#endif
3294#if defined(POLARSSL_ECDH_C)
3295 ecdh_init( &handshake->ecdh_ctx );
3296#endif
3297}
3298
3299static void ssl_transform_init( ssl_transform *transform )
3300{
3301 memset( transform, 0, sizeof(ssl_transform) );
3302
3303 cipher_init( &transform->cipher_ctx_enc );
3304 cipher_init( &transform->cipher_ctx_dec );
3305
3306 md_init( &transform->md_ctx_enc );
3307 md_init( &transform->md_ctx_dec );
3308}
3309
3310void ssl_session_init( ssl_session *session )
3311{
3312 memset( session, 0, sizeof(ssl_session) );
3313}
3314
3315static int ssl_handshake_init( ssl_context *ssl )
3316{
3317 /* Clear old handshake information if present */
3318 if( ssl->transform_negotiate )
3319 ssl_transform_free( ssl->transform_negotiate );
3320 if( ssl->session_negotiate )
3321 ssl_session_free( ssl->session_negotiate );
3322 if( ssl->handshake )
3323 ssl_handshake_free( ssl->handshake );
3324
3325 /*
3326 * Either the pointers are now NULL or cleared properly and can be freed.
3327 * Now allocate missing structures.
3328 */
3329 if( ssl->transform_negotiate == NULL )
3330 {
3331 ssl->transform_negotiate =
3332 (ssl_transform *) polarssl_malloc( sizeof(ssl_transform) );
3333 }
3334
3335 if( ssl->session_negotiate == NULL )
3336 {
3337 ssl->session_negotiate =
3338 (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
3339 }
3340
3341 if( ssl->handshake == NULL )
3342 {
3343 ssl->handshake = (ssl_handshake_params *)
3344 polarssl_malloc( sizeof(ssl_handshake_params) );
3345 }
3346
3347 /* All pointers should exist and can be directly freed without issue */
3348 if( ssl->handshake == NULL ||
3349 ssl->transform_negotiate == NULL ||
3350 ssl->session_negotiate == NULL )
3351 {
3352 SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3353
3354 polarssl_free( ssl->handshake );
3355 polarssl_free( ssl->transform_negotiate );
3356 polarssl_free( ssl->session_negotiate );
3357
3358 ssl->handshake = NULL;
3359 ssl->transform_negotiate = NULL;
3360 ssl->session_negotiate = NULL;
3361
3362 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3363 }
3364
3365 /* Initialize structures */
3366 ssl_session_init( ssl->session_negotiate );
3367 ssl_transform_init( ssl->transform_negotiate );
3368 ssl_handshake_params_init( ssl->handshake );
3369
3370#if defined(POLARSSL_X509_CRT_PARSE_C)
3371 ssl->handshake->key_cert = ssl->key_cert;
3372#endif
3373
3374 return( 0 );
3375}
3376
3377/*
3378 * Initialize an SSL context
3379 */
3380int ssl_init( ssl_context *ssl )
3381{
3382 int ret;
3383 int len = SSL_BUFFER_LEN;
3384
3385 memset( ssl, 0, sizeof( ssl_context ) );
3386
3387 /*
3388 * Sane defaults
3389 */
3390 ssl->min_major_ver = SSL_MIN_MAJOR_VERSION;
3391 ssl->min_minor_ver = SSL_MIN_MINOR_VERSION;
3392 ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
3393 ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
3394
3395 ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
3396
3397 ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
3398
3399#if defined(POLARSSL_DHM_C)
3400 if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3401 POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
3402 ( ret = mpi_read_string( &ssl->dhm_G, 16,
3403 POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
3404 {
3405 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3406 return( ret );
3407 }
3408#endif
3409
3410 /*
3411 * Prepare base structures
3412 */
3413 ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
3414 ssl->in_hdr = ssl->in_ctr + 8;
3415 ssl->in_iv = ssl->in_ctr + 13;
3416 ssl->in_msg = ssl->in_ctr + 13;
3417
3418 if( ssl->in_ctr == NULL )
3419 {
3420 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3421 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3422 }
3423
3424 ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
3425 ssl->out_hdr = ssl->out_ctr + 8;
3426 ssl->out_iv = ssl->out_ctr + 13;
3427 ssl->out_msg = ssl->out_ctr + 13;
3428
3429 if( ssl->out_ctr == NULL )
3430 {
3431 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3432 polarssl_free( ssl->in_ctr );
3433 ssl->in_ctr = NULL;
3434 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3435 }
3436
3437 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3438 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3439
3440#if defined(POLARSSL_SSL_SESSION_TICKETS)
3441 ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
3442#endif
3443
3444#if defined(POLARSSL_SSL_SET_CURVES)
3445 ssl->curve_list = ecp_grp_id_list( );
3446#endif
3447
3448 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3449 return( ret );
3450
3451 return( 0 );
3452}
3453
3454/*
3455 * Reset an initialized and used SSL context for re-use while retaining
3456 * all application-set variables, function pointers and data.
3457 */
3458int ssl_session_reset( ssl_context *ssl )
3459{
3460 int ret;
3461
3462 ssl->state = SSL_HELLO_REQUEST;
3463 ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
3464 ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
3465
3466 ssl->verify_data_len = 0;
3467 memset( ssl->own_verify_data, 0, 36 );
3468 memset( ssl->peer_verify_data, 0, 36 );
3469
3470 ssl->in_offt = NULL;
3471
3472 ssl->in_msg = ssl->in_ctr + 13;
3473 ssl->in_msgtype = 0;
3474 ssl->in_msglen = 0;
3475 ssl->in_left = 0;
3476
3477 ssl->in_hslen = 0;
3478 ssl->nb_zero = 0;
3479 ssl->record_read = 0;
3480
3481 ssl->out_msg = ssl->out_ctr + 13;
3482 ssl->out_msgtype = 0;
3483 ssl->out_msglen = 0;
3484 ssl->out_left = 0;
3485
3486 ssl->transform_in = NULL;
3487 ssl->transform_out = NULL;
3488
3489 ssl->renego_records_seen = 0;
3490
3491 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3492 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3493
3494#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3495 if( ssl_hw_record_reset != NULL )
3496 {
3497 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3498 if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
3499 {
3500 SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3501 return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
3502 }
3503 }
3504#endif
3505
3506 if( ssl->transform )
3507 {
3508 ssl_transform_free( ssl->transform );
3509 polarssl_free( ssl->transform );
3510 ssl->transform = NULL;
3511 }
3512
3513 if( ssl->session )
3514 {
3515 ssl_session_free( ssl->session );
3516 polarssl_free( ssl->session );
3517 ssl->session = NULL;
3518 }
3519
3520#if defined(POLARSSL_SSL_ALPN)
3521 ssl->alpn_chosen = NULL;
3522#endif
3523
3524 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3525 return( ret );
3526
3527 return( 0 );
3528}
3529
3530#if defined(POLARSSL_SSL_SESSION_TICKETS)
3531static void ssl_ticket_keys_free( ssl_ticket_keys *tkeys )
3532{
3533 aes_free( &tkeys->enc );
3534 aes_free( &tkeys->dec );
3535
3536 polarssl_zeroize( tkeys, sizeof(ssl_ticket_keys) );
3537}
3538
3539/*
3540 * Allocate and initialize ticket keys
3541 */
3542static int ssl_ticket_keys_init( ssl_context *ssl )
3543{
3544 int ret;
3545 ssl_ticket_keys *tkeys;
3546 unsigned char buf[16];
3547
3548 if( ssl->ticket_keys != NULL )
3549 return( 0 );
3550
3551 tkeys = (ssl_ticket_keys *) polarssl_malloc( sizeof(ssl_ticket_keys) );
3552 if( tkeys == NULL )
3553 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3554
3555 aes_init( &tkeys->enc );
3556 aes_init( &tkeys->dec );
3557
3558 if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
3559 {
3560 ssl_ticket_keys_free( tkeys );
3561 polarssl_free( tkeys );
3562 return( ret );
3563 }
3564
3565 if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3566 ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3567 ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3568 {
3569 ssl_ticket_keys_free( tkeys );
3570 polarssl_free( tkeys );
3571 return( ret );
3572 }
3573
3574 if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
3575 {
3576 ssl_ticket_keys_free( tkeys );
3577 polarssl_free( tkeys );
3578 return( ret );
3579 }
3580
3581 ssl->ticket_keys = tkeys;
3582
3583 return( 0 );
3584}
3585#endif /* POLARSSL_SSL_SESSION_TICKETS */
3586
3587/*
3588 * SSL set accessors
3589 */
3590void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3591{
3592 ssl->endpoint = endpoint;
3593
3594#if defined(POLARSSL_SSL_SESSION_TICKETS)
3595 if( endpoint == SSL_IS_CLIENT )
3596 ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
3597#endif
3598}
3599
3600void ssl_set_authmode( ssl_context *ssl, int authmode )
3601{
3602 ssl->authmode = authmode;
3603}
3604
3605#if defined(POLARSSL_X509_CRT_PARSE_C)
3606void ssl_set_verify( ssl_context *ssl,
3607 int (*f_vrfy)(void *, x509_crt *, int, int *),
3608 void *p_vrfy )
3609{
3610 ssl->f_vrfy = f_vrfy;
3611 ssl->p_vrfy = p_vrfy;
3612}
3613#endif /* POLARSSL_X509_CRT_PARSE_C */
3614
3615void ssl_set_rng( ssl_context *ssl,
3616 int (*f_rng)(void *, unsigned char *, size_t),
3617 void *p_rng )
3618{
3619 ssl->f_rng = f_rng;
3620 ssl->p_rng = p_rng;
3621}
3622
3623void ssl_set_dbg( ssl_context *ssl,
3624 void (*f_dbg)(void *, int, const char *),
3625 void *p_dbg )
3626{
3627 ssl->f_dbg = f_dbg;
3628 ssl->p_dbg = p_dbg;
3629}
3630
3631void ssl_set_bio( ssl_context *ssl,
3632 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3633 int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3634{
3635 ssl->f_recv = f_recv;
3636 ssl->f_send = f_send;
3637 ssl->p_recv = p_recv;
3638 ssl->p_send = p_send;
3639}
3640
3641void ssl_set_session_cache( ssl_context *ssl,
3642 int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3643 int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3644{
3645 ssl->f_get_cache = f_get_cache;
3646 ssl->p_get_cache = p_get_cache;
3647 ssl->f_set_cache = f_set_cache;
3648 ssl->p_set_cache = p_set_cache;
3649}
3650
3651int ssl_set_session( ssl_context *ssl, const ssl_session *session )
3652{
3653 int ret;
3654
3655 if( ssl == NULL ||
3656 session == NULL ||
3657 ssl->session_negotiate == NULL ||
3658 ssl->endpoint != SSL_IS_CLIENT )
3659 {
3660 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3661 }
3662
3663 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3664 return( ret );
3665
3666 ssl->handshake->resume = 1;
3667
3668 return( 0 );
3669}
3670
3671void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3672{
3673 ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3674 ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3675 ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3676 ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3677}
3678
3679void ssl_set_ciphersuites_for_version( ssl_context *ssl,
3680 const int *ciphersuites,
3681 int major, int minor )
3682{
3683 if( major != SSL_MAJOR_VERSION_3 )
3684 return;
3685
3686 if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3687 return;
3688
3689 ssl->ciphersuite_list[minor] = ciphersuites;
3690}
3691
3692#if defined(POLARSSL_X509_CRT_PARSE_C)
3693/* Add a new (empty) key_cert entry an return a pointer to it */
3694static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3695{
3696 ssl_key_cert *key_cert, *last;
3697
3698 key_cert = (ssl_key_cert *) polarssl_malloc( sizeof(ssl_key_cert) );
3699 if( key_cert == NULL )
3700 return( NULL );
3701
3702 memset( key_cert, 0, sizeof( ssl_key_cert ) );
3703
3704 /* Append the new key_cert to the (possibly empty) current list */
3705 if( ssl->key_cert == NULL )
3706 {
3707 ssl->key_cert = key_cert;
3708 if( ssl->handshake != NULL )
3709 ssl->handshake->key_cert = key_cert;
3710 }
3711 else
3712 {
3713 last = ssl->key_cert;
3714 while( last->next != NULL )
3715 last = last->next;
3716 last->next = key_cert;
3717 }
3718
3719 return( key_cert );
3720}
3721
3722void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
3723 x509_crl *ca_crl, const char *peer_cn )
3724{
3725 ssl->ca_chain = ca_chain;
3726 ssl->ca_crl = ca_crl;
3727 ssl->peer_cn = peer_cn;
3728}
3729
3730int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
3731 pk_context *pk_key )
3732{
3733 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3734
3735 if( key_cert == NULL )
3736 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3737
3738 key_cert->cert = own_cert;
3739 key_cert->key = pk_key;
3740
3741 return( 0 );
3742}
3743
3744#if defined(POLARSSL_RSA_C)
3745int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
3746 rsa_context *rsa_key )
3747{
3748 int ret;
3749 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3750
3751 if( key_cert == NULL )
3752 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3753
3754 key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3755 if( key_cert->key == NULL )
3756 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3757
3758 pk_init( key_cert->key );
3759
3760 ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
3761 if( ret != 0 )
3762 return( ret );
3763
3764 if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
3765 return( ret );
3766
3767 key_cert->cert = own_cert;
3768 key_cert->key_own_alloc = 1;
3769
3770 return( 0 );
3771}
3772#endif /* POLARSSL_RSA_C */
3773
3774int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
3775 void *rsa_key,
3776 rsa_decrypt_func rsa_decrypt,
3777 rsa_sign_func rsa_sign,
3778 rsa_key_len_func rsa_key_len )
3779{
3780 int ret;
3781 ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3782
3783 if( key_cert == NULL )
3784 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3785
3786 key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3787 if( key_cert->key == NULL )
3788 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3789
3790 pk_init( key_cert->key );
3791
3792 if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
3793 rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
3794 return( ret );
3795
3796 key_cert->cert = own_cert;
3797 key_cert->key_own_alloc = 1;
3798
3799 return( 0 );
3800}
3801#endif /* POLARSSL_X509_CRT_PARSE_C */
3802
3803#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
3804int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3805 const unsigned char *psk_identity, size_t psk_identity_len )
3806{
3807 if( psk == NULL || psk_identity == NULL )
3808 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3809
3810 if( psk_len > POLARSSL_PSK_MAX_LEN )
3811 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3812
3813 if( ssl->psk != NULL )
3814 {
3815 polarssl_free( ssl->psk );
3816 polarssl_free( ssl->psk_identity );
3817 }
3818
3819 ssl->psk_len = psk_len;
3820 ssl->psk_identity_len = psk_identity_len;
3821
3822 ssl->psk = (unsigned char *) polarssl_malloc( ssl->psk_len );
3823 ssl->psk_identity = (unsigned char *)
3824 polarssl_malloc( ssl->psk_identity_len );
3825
3826 if( ssl->psk == NULL || ssl->psk_identity == NULL )
3827 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3828
3829 memcpy( ssl->psk, psk, ssl->psk_len );
3830 memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
3831
3832 return( 0 );
3833}
3834
3835void ssl_set_psk_cb( ssl_context *ssl,
3836 int (*f_psk)(void *, ssl_context *, const unsigned char *,
3837 size_t),
3838 void *p_psk )
3839{
3840 ssl->f_psk = f_psk;
3841 ssl->p_psk = p_psk;
3842}
3843#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
3844
3845#if defined(POLARSSL_DHM_C)
3846int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3847{
3848 int ret;
3849
3850 if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3851 {
3852 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3853 return( ret );
3854 }
3855
3856 if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3857 {
3858 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3859 return( ret );
3860 }
3861
3862 return( 0 );
3863}
3864
3865int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3866{
3867 int ret;
3868
3869 if( ( ret = mpi_copy( &ssl->dhm_P, &dhm_ctx->P ) ) != 0 )
3870 {
3871 SSL_DEBUG_RET( 1, "mpi_copy", ret );
3872 return( ret );
3873 }
3874
3875 if( ( ret = mpi_copy( &ssl->dhm_G, &dhm_ctx->G ) ) != 0 )
3876 {
3877 SSL_DEBUG_RET( 1, "mpi_copy", ret );
3878 return( ret );
3879 }
3880
3881 return( 0 );
3882}
3883#endif /* POLARSSL_DHM_C */
3884
3885#if defined(POLARSSL_SSL_SET_CURVES)
3886/*
3887 * Set the allowed elliptic curves
3888 */
3889void ssl_set_curves( ssl_context *ssl, const ecp_group_id *curve_list )
3890{
3891 ssl->curve_list = curve_list;
3892}
3893#endif
3894
3895#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
3896int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3897{
3898 if( hostname == NULL )
3899 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3900
3901 ssl->hostname_len = strlen( hostname );
3902
3903 if( ssl->hostname_len + 1 == 0 )
3904 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3905
3906 ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
3907
3908 if( ssl->hostname == NULL )
3909 return( POLARSSL_ERR_SSL_MALLOC_FAILED );
3910
3911 memcpy( ssl->hostname, (const unsigned char *) hostname,
3912 ssl->hostname_len );
3913
3914 ssl->hostname[ssl->hostname_len] = '\0';
3915
3916 return( 0 );
3917}
3918
3919void ssl_set_sni( ssl_context *ssl,
3920 int (*f_sni)(void *, ssl_context *,
3921 const unsigned char *, size_t),
3922 void *p_sni )
3923{
3924 ssl->f_sni = f_sni;
3925 ssl->p_sni = p_sni;
3926}
3927#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
3928
3929#if defined(POLARSSL_SSL_ALPN)
3930int ssl_set_alpn_protocols( ssl_context *ssl, const char **protos )
3931{
3932 size_t cur_len, tot_len;
3933 const char **p;
3934
3935 /*
3936 * "Empty strings MUST NOT be included and byte strings MUST NOT be
3937 * truncated". Check lengths now rather than later.
3938 */
3939 tot_len = 0;
3940 for( p = protos; *p != NULL; p++ )
3941 {
3942 cur_len = strlen( *p );
3943 tot_len += cur_len;
3944
3945 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
3946 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3947 }
3948
3949 ssl->alpn_list = protos;
3950
3951 return( 0 );
3952}
3953
3954const char *ssl_get_alpn_protocol( const ssl_context *ssl )
3955{
3956 return( ssl->alpn_chosen );
3957}
3958#endif /* POLARSSL_SSL_ALPN */
3959
3960void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3961{
3962 if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3963 minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3964 {
3965 ssl->max_major_ver = major;
3966 ssl->max_minor_ver = minor;
3967 }
3968}
3969
3970void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3971{
3972 if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3973 minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3974 {
3975 ssl->min_major_ver = major;
3976 ssl->min_minor_ver = minor;
3977 }
3978}
3979
3980#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
3981int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
3982{
3983 if( mfl_code >= SSL_MAX_FRAG_LEN_INVALID ||
3984 mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
3985 {
3986 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
3987 }
3988
3989 ssl->mfl_code = mfl_code;
3990
3991 return( 0 );
3992}
3993#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
3994
3995#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
3996int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
3997{
3998 if( ssl->endpoint != SSL_IS_CLIENT )
3999 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4000
4001 ssl->trunc_hmac = truncate;
4002
4003 return( 0 );
4004}
4005#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
4006
4007void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
4008{
4009 ssl->disable_renegotiation = renegotiation;
4010}
4011
4012void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
4013{
4014 ssl->allow_legacy_renegotiation = allow_legacy;
4015}
4016
4017void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records )
4018{
4019 ssl->renego_max_records = max_records;
4020}
4021
4022#if defined(POLARSSL_SSL_SESSION_TICKETS)
4023int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
4024{
4025 ssl->session_tickets = use_tickets;
4026
4027 if( ssl->endpoint == SSL_IS_CLIENT )
4028 return( 0 );
4029
4030 if( ssl->f_rng == NULL )
4031 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4032
4033 return( ssl_ticket_keys_init( ssl ) );
4034}
4035
4036void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
4037{
4038 ssl->ticket_lifetime = lifetime;
4039}
4040#endif /* POLARSSL_SSL_SESSION_TICKETS */
4041
4042/*
4043 * SSL get accessors
4044 */
4045size_t ssl_get_bytes_avail( const ssl_context *ssl )
4046{
4047 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4048}
4049
4050int ssl_get_verify_result( const ssl_context *ssl )
4051{
4052 return( ssl->session->verify_result );
4053}
4054
4055const char *ssl_get_ciphersuite( const ssl_context *ssl )
4056{
4057 if( ssl == NULL || ssl->session == NULL )
4058 return( NULL );
4059
4060 return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
4061}
4062
4063const char *ssl_get_version( const ssl_context *ssl )
4064{
4065 switch( ssl->minor_ver )
4066 {
4067 case SSL_MINOR_VERSION_0:
4068 return( "SSLv3.0" );
4069
4070 case SSL_MINOR_VERSION_1:
4071 return( "TLSv1.0" );
4072
4073 case SSL_MINOR_VERSION_2:
4074 return( "TLSv1.1" );
4075
4076 case SSL_MINOR_VERSION_3:
4077 return( "TLSv1.2" );
4078
4079 default:
4080 break;
4081 }
4082 return( "unknown" );
4083}
4084
4085#if defined(POLARSSL_X509_CRT_PARSE_C)
4086const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
4087{
4088 if( ssl == NULL || ssl->session == NULL )
4089 return( NULL );
4090
4091 return( ssl->session->peer_cert );
4092}
4093#endif /* POLARSSL_X509_CRT_PARSE_C */
4094
4095int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
4096{
4097 if( ssl == NULL ||
4098 dst == NULL ||
4099 ssl->session == NULL ||
4100 ssl->endpoint != SSL_IS_CLIENT )
4101 {
4102 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4103 }
4104
4105 return( ssl_session_copy( dst, ssl->session ) );
4106}
4107
4108/*
4109 * Perform a single step of the SSL handshake
4110 */
4111int ssl_handshake_step( ssl_context *ssl )
4112{
4113 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
4114
4115#if defined(POLARSSL_SSL_CLI_C)
4116 if( ssl->endpoint == SSL_IS_CLIENT )
4117 ret = ssl_handshake_client_step( ssl );
4118#endif
4119
4120#if defined(POLARSSL_SSL_SRV_C)
4121 if( ssl->endpoint == SSL_IS_SERVER )
4122 ret = ssl_handshake_server_step( ssl );
4123#endif
4124
4125 return( ret );
4126}
4127
4128/*
4129 * Perform the SSL handshake
4130 */
4131int ssl_handshake( ssl_context *ssl )
4132{
4133 int ret = 0;
4134
4135 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
4136
4137 while( ssl->state != SSL_HANDSHAKE_OVER )
4138 {
4139 ret = ssl_handshake_step( ssl );
4140
4141 if( ret != 0 )
4142 break;
4143 }
4144
4145 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
4146
4147 return( ret );
4148}
4149
4150#if defined(POLARSSL_SSL_SRV_C)
4151/*
4152 * Write HelloRequest to request renegotiation on server
4153 */
4154static int ssl_write_hello_request( ssl_context *ssl )
4155{
4156 int ret;
4157
4158 SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
4159
4160 ssl->out_msglen = 4;
4161 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
4162 ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
4163
4164 if( ( ret = ssl_write_record( ssl ) ) != 0 )
4165 {
4166 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4167 return( ret );
4168 }
4169
4170 SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4171
4172 return( 0 );
4173}
4174#endif /* POLARSSL_SSL_SRV_C */
4175
4176/*
4177 * Actually renegotiate current connection, triggered by either:
4178 * - any side: calling ssl_renegotiate(),
4179 * - client: receiving a HelloRequest during ssl_read(),
4180 * - server: receiving any handshake message on server during ssl_read() after
4181 * the initial handshake is completed.
4182 * If the handshake doesn't complete due to waiting for I/O, it will continue
4183 * during the next calls to ssl_renegotiate() or ssl_read() respectively.
4184 */
4185static int ssl_start_renegotiation( ssl_context *ssl )
4186{
4187 int ret;
4188
4189 SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4190
4191 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4192 return( ret );
4193
4194 ssl->state = SSL_HELLO_REQUEST;
4195 ssl->renegotiation = SSL_RENEGOTIATION;
4196
4197 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4198 {
4199 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4200 return( ret );
4201 }
4202
4203 SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4204
4205 return( 0 );
4206}
4207
4208/*
4209 * Renegotiate current connection on client,
4210 * or request renegotiation on server
4211 */
4212int ssl_renegotiate( ssl_context *ssl )
4213{
4214 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
4215
4216#if defined(POLARSSL_SSL_SRV_C)
4217 /* On server, just send the request */
4218 if( ssl->endpoint == SSL_IS_SERVER )
4219 {
4220 if( ssl->state != SSL_HANDSHAKE_OVER )
4221 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4222
4223 ssl->renegotiation = SSL_RENEGOTIATION_PENDING;
4224
4225 /* Did we already try/start sending HelloRequest? */
4226 if( ssl->out_left != 0 )
4227 return( ssl_flush_output( ssl ) );
4228
4229 return( ssl_write_hello_request( ssl ) );
4230 }
4231#endif /* POLARSSL_SSL_SRV_C */
4232
4233#if defined(POLARSSL_SSL_CLI_C)
4234 /*
4235 * On client, either start the renegotiation process or,
4236 * if already in progress, continue the handshake
4237 */
4238 if( ssl->renegotiation != SSL_RENEGOTIATION )
4239 {
4240 if( ssl->state != SSL_HANDSHAKE_OVER )
4241 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
4242
4243 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4244 {
4245 SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4246 return( ret );
4247 }
4248 }
4249 else
4250 {
4251 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4252 {
4253 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4254 return( ret );
4255 }
4256 }
4257#endif /* POLARSSL_SSL_CLI_C */
4258
4259 return( ret );
4260}
4261
4262/*
4263 * Receive application data decrypted from the SSL layer
4264 */
4265int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
4266{
4267 int ret, record_read = 0;
4268 size_t n;
4269
4270 SSL_DEBUG_MSG( 2, ( "=> read" ) );
4271
4272 if( ssl->state != SSL_HANDSHAKE_OVER )
4273 {
4274 ret = ssl_handshake( ssl );
4275 if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
4276 {
4277 record_read = 1;
4278 }
4279 else if( ret != 0 )
4280 {
4281 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4282 return( ret );
4283 }
4284 }
4285
4286 if( ssl->in_offt == NULL )
4287 {
4288 if( ! record_read )
4289 {
4290 if( ( ret = ssl_read_record( ssl ) ) != 0 )
4291 {
4292 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4293 return( 0 );
4294
4295 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4296 return( ret );
4297 }
4298 }
4299
4300 if( ssl->in_msglen == 0 &&
4301 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
4302 {
4303 /*
4304 * OpenSSL sends empty messages to randomize the IV
4305 */
4306 if( ( ret = ssl_read_record( ssl ) ) != 0 )
4307 {
4308 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4309 return( 0 );
4310
4311 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4312 return( ret );
4313 }
4314 }
4315
4316 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4317 {
4318 SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4319
4320 if( ssl->endpoint == SSL_IS_CLIENT &&
4321 ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4322 ssl->in_hslen != 4 ) )
4323 {
4324 SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4325 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
4326 }
4327
4328 if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
4329 ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
4330 ssl->allow_legacy_renegotiation ==
4331 SSL_LEGACY_NO_RENEGOTIATION ) )
4332 {
4333 SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4334
4335#if defined(POLARSSL_SSL_PROTO_SSL3)
4336 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
4337 {
4338 /*
4339 * SSLv3 does not have a "no_renegotiation" alert
4340 */
4341 if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4342 return( ret );
4343 }
4344 else
4345#endif /* POLARSSL_SSL_PROTO_SSL3 */
4346#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4347 defined(POLARSSL_SSL_PROTO_TLS1_2)
4348 if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
4349 {
4350 if( ( ret = ssl_send_alert_message( ssl,
4351 SSL_ALERT_LEVEL_WARNING,
4352 SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
4353 {
4354 return( ret );
4355 }
4356 }
4357 else
4358#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 ||
4359 POLARSSL_SSL_PROTO_TLS1_2 */
4360 {
4361 SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4362 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
4363 }
4364 }
4365 else
4366 {
4367 ret = ssl_start_renegotiation( ssl );
4368 if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
4369 {
4370 record_read = 1;
4371 }
4372 else if( ret != 0 )
4373 {
4374 SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4375 return( ret );
4376 }
4377 }
4378
4379 /* If a non-handshake record was read during renego, fallthrough,
4380 * else tell the user they should call ssl_read() again */
4381 if( ! record_read )
4382 return( POLARSSL_ERR_NET_WANT_READ );
4383 }
4384 else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4385 {
4386 ssl->renego_records_seen++;
4387
4388 if( ssl->renego_max_records >= 0 &&
4389 ssl->renego_records_seen > ssl->renego_max_records )
4390 {
4391 SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4392 "but not honored by client" ) );
4393 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
4394 }
4395 }
4396
4397 /* Fatal and closure alerts handled by ssl_read_record() */
4398 if( ssl->in_msgtype == SSL_MSG_ALERT )
4399 {
4400 SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
4401 return( POLARSSL_ERR_NET_WANT_READ );
4402 }
4403
4404 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
4405 {
4406 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
4407 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
4408 }
4409
4410 ssl->in_offt = ssl->in_msg;
4411 }
4412
4413 n = ( len < ssl->in_msglen )
4414 ? len : ssl->in_msglen;
4415
4416 memcpy( buf, ssl->in_offt, n );
4417 ssl->in_msglen -= n;
4418
4419 if( ssl->in_msglen == 0 )
4420 /* all bytes consumed */
4421 ssl->in_offt = NULL;
4422 else
4423 /* more data available */
4424 ssl->in_offt += n;
4425
4426 SSL_DEBUG_MSG( 2, ( "<= read" ) );
4427
4428 return( (int) n );
4429}
4430
4431/*
4432 * Send application data to be encrypted by the SSL layer
4433 */
4434int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4435{
4436 int ret;
4437 size_t n;
4438 unsigned int max_len = SSL_MAX_CONTENT_LEN;
4439
4440 SSL_DEBUG_MSG( 2, ( "=> write" ) );
4441
4442 if( ssl->state != SSL_HANDSHAKE_OVER )
4443 {
4444 if( ( ret = ssl_handshake( ssl ) ) != 0 )
4445 {
4446 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4447 return( ret );
4448 }
4449 }
4450
4451#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4452 /*
4453 * Assume mfl_code is correct since it was checked when set
4454 */
4455 max_len = mfl_code_to_length[ssl->mfl_code];
4456
4457 /*
4458 * Check if a smaller max length was negotiated
4459 */
4460 if( ssl->session_out != NULL &&
4461 mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4462 {
4463 max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4464 }
4465#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4466
4467 n = ( len < max_len) ? len : max_len;
4468
4469 if( ssl->out_left != 0 )
4470 {
4471 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4472 {
4473 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4474 return( ret );
4475 }
4476 }
4477 else
4478 {
4479 ssl->out_msglen = n;
4480 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
4481 memcpy( ssl->out_msg, buf, n );
4482
4483 if( ( ret = ssl_write_record( ssl ) ) != 0 )
4484 {
4485 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4486 return( ret );
4487 }
4488 }
4489
4490 SSL_DEBUG_MSG( 2, ( "<= write" ) );
4491
4492 return( (int) n );
4493}
4494
4495/*
4496 * Notify the peer that the connection is being closed
4497 */
4498int ssl_close_notify( ssl_context *ssl )
4499{
4500 int ret;
4501
4502 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4503
4504 if( ssl->out_left != 0 )
4505 return( ssl_flush_output( ssl ) );
4506
4507 if( ssl->state == SSL_HANDSHAKE_OVER )
4508 {
4509 if( ( ret = ssl_send_alert_message( ssl,
4510 SSL_ALERT_LEVEL_WARNING,
4511 SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4512 {
4513 SSL_DEBUG_RET( 1, "ssl_send_alert_message", ret );
4514 return( ret );
4515 }
4516 }
4517
4518 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4519
4520 return( 0 );
4521}
4522
4523void ssl_transform_free( ssl_transform *transform )
4524{
4525 if( transform == NULL )
4526 return;
4527
4528#if defined(POLARSSL_ZLIB_SUPPORT)
4529 deflateEnd( &transform->ctx_deflate );
4530 inflateEnd( &transform->ctx_inflate );
4531#endif
4532
4533 cipher_free( &transform->cipher_ctx_enc );
4534 cipher_free( &transform->cipher_ctx_dec );
4535
4536 md_free( &transform->md_ctx_enc );
4537 md_free( &transform->md_ctx_dec );
4538
4539 polarssl_zeroize( transform, sizeof( ssl_transform ) );
4540}
4541
4542#if defined(POLARSSL_X509_CRT_PARSE_C)
4543static void ssl_key_cert_free( ssl_key_cert *key_cert )
4544{
4545 ssl_key_cert *cur = key_cert, *next;
4546
4547 while( cur != NULL )
4548 {
4549 next = cur->next;
4550
4551 if( cur->key_own_alloc )
4552 {
4553 pk_free( cur->key );
4554 polarssl_free( cur->key );
4555 }
4556 polarssl_free( cur );
4557
4558 cur = next;
4559 }
4560}
4561#endif /* POLARSSL_X509_CRT_PARSE_C */
4562
4563void ssl_handshake_free( ssl_handshake_params *handshake )
4564{
4565 if( handshake == NULL )
4566 return;
4567
4568#if defined(POLARSSL_DHM_C)
4569 dhm_free( &handshake->dhm_ctx );
4570#endif
4571#if defined(POLARSSL_ECDH_C)
4572 ecdh_free( &handshake->ecdh_ctx );
4573#endif
4574
4575#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
4576 /* explicit void pointer cast for buggy MS compiler */
4577 polarssl_free( (void *) handshake->curves );
4578#endif
4579
4580#if defined(POLARSSL_X509_CRT_PARSE_C) && \
4581 defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4582 /*
4583 * Free only the linked list wrapper, not the keys themselves
4584 * since the belong to the SNI callback
4585 */
4586 if( handshake->sni_key_cert != NULL )
4587 {
4588 ssl_key_cert *cur = handshake->sni_key_cert, *next;
4589
4590 while( cur != NULL )
4591 {
4592 next = cur->next;
4593 polarssl_free( cur );
4594 cur = next;
4595 }
4596 }
4597#endif /* POLARSSL_X509_CRT_PARSE_C && POLARSSL_SSL_SERVER_NAME_INDICATION */
4598
4599 polarssl_zeroize( handshake, sizeof( ssl_handshake_params ) );
4600}
4601
4602void ssl_session_free( ssl_session *session )
4603{
4604 if( session == NULL )
4605 return;
4606
4607#if defined(POLARSSL_X509_CRT_PARSE_C)
4608 if( session->peer_cert != NULL )
4609 {
4610 x509_crt_free( session->peer_cert );
4611 polarssl_free( session->peer_cert );
4612 }
4613#endif
4614
4615#if defined(POLARSSL_SSL_SESSION_TICKETS)
4616 polarssl_free( session->ticket );
4617#endif
4618
4619 polarssl_zeroize( session, sizeof( ssl_session ) );
4620}
4621
4622/*
4623 * Free an SSL context
4624 */
4625void ssl_free( ssl_context *ssl )
4626{
4627 if( ssl == NULL )
4628 return;
4629
4630 SSL_DEBUG_MSG( 2, ( "=> free" ) );
4631
4632 if( ssl->out_ctr != NULL )
4633 {
4634 polarssl_zeroize( ssl->out_ctr, SSL_BUFFER_LEN );
4635 polarssl_free( ssl->out_ctr );
4636 }
4637
4638 if( ssl->in_ctr != NULL )
4639 {
4640 polarssl_zeroize( ssl->in_ctr, SSL_BUFFER_LEN );
4641 polarssl_free( ssl->in_ctr );
4642 }
4643
4644#if defined(POLARSSL_ZLIB_SUPPORT)
4645 if( ssl->compress_buf != NULL )
4646 {
4647 polarssl_zeroize( ssl->compress_buf, SSL_BUFFER_LEN );
4648 polarssl_free( ssl->compress_buf );
4649 }
4650#endif
4651
4652#if defined(POLARSSL_DHM_C)
4653 mpi_free( &ssl->dhm_P );
4654 mpi_free( &ssl->dhm_G );
4655#endif
4656
4657 if( ssl->transform )
4658 {
4659 ssl_transform_free( ssl->transform );
4660 polarssl_free( ssl->transform );
4661 }
4662
4663 if( ssl->handshake )
4664 {
4665 ssl_handshake_free( ssl->handshake );
4666 ssl_transform_free( ssl->transform_negotiate );
4667 ssl_session_free( ssl->session_negotiate );
4668
4669 polarssl_free( ssl->handshake );
4670 polarssl_free( ssl->transform_negotiate );
4671 polarssl_free( ssl->session_negotiate );
4672 }
4673
4674 if( ssl->session )
4675 {
4676 ssl_session_free( ssl->session );
4677 polarssl_free( ssl->session );
4678 }
4679
4680#if defined(POLARSSL_SSL_SESSION_TICKETS)
4681 if( ssl->ticket_keys )
4682 {
4683 ssl_ticket_keys_free( ssl->ticket_keys );
4684 polarssl_free( ssl->ticket_keys );
4685 }
4686#endif
4687
4688#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4689 if( ssl->hostname != NULL )
4690 {
4691 polarssl_zeroize( ssl->hostname, ssl->hostname_len );
4692 polarssl_free( ssl->hostname );
4693 ssl->hostname_len = 0;
4694 }
4695#endif
4696
4697#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
4698 if( ssl->psk != NULL )
4699 {
4700 polarssl_zeroize( ssl->psk, ssl->psk_len );
4701 polarssl_zeroize( ssl->psk_identity, ssl->psk_identity_len );
4702 polarssl_free( ssl->psk );
4703 polarssl_free( ssl->psk_identity );
4704 ssl->psk_len = 0;
4705 ssl->psk_identity_len = 0;
4706 }
4707#endif
4708
4709#if defined(POLARSSL_X509_CRT_PARSE_C)
4710 ssl_key_cert_free( ssl->key_cert );
4711#endif
4712
4713#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4714 if( ssl_hw_record_finish != NULL )
4715 {
4716 SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4717 ssl_hw_record_finish( ssl );
4718 }
4719#endif
4720
4721 SSL_DEBUG_MSG( 2, ( "<= free" ) );
4722
4723 /* Actually clear after last debug message */
4724 polarssl_zeroize( ssl, sizeof( ssl_context ) );
4725}
4726
4727#if defined(POLARSSL_PK_C)
4728/*
4729 * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
4730 */
4731unsigned char ssl_sig_from_pk( pk_context *pk )
4732{
4733#if defined(POLARSSL_RSA_C)
4734 if( pk_can_do( pk, POLARSSL_PK_RSA ) )
4735 return( SSL_SIG_RSA );
4736#endif
4737#if defined(POLARSSL_ECDSA_C)
4738 if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
4739 return( SSL_SIG_ECDSA );
4740#endif
4741 return( SSL_SIG_ANON );
4742}
4743
4744pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
4745{
4746 switch( sig )
4747 {
4748#if defined(POLARSSL_RSA_C)
4749 case SSL_SIG_RSA:
4750 return( POLARSSL_PK_RSA );
4751#endif
4752#if defined(POLARSSL_ECDSA_C)
4753 case SSL_SIG_ECDSA:
4754 return( POLARSSL_PK_ECDSA );
4755#endif
4756 default:
4757 return( POLARSSL_PK_NONE );
4758 }
4759}
4760#endif /* POLARSSL_PK_C */
4761
4762/*
4763 * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
4764 */
4765md_type_t ssl_md_alg_from_hash( unsigned char hash )
4766{
4767 switch( hash )
4768 {
4769#if defined(POLARSSL_MD5_C)
4770 case SSL_HASH_MD5:
4771 return( POLARSSL_MD_MD5 );
4772#endif
4773#if defined(POLARSSL_SHA1_C)
4774 case SSL_HASH_SHA1:
4775 return( POLARSSL_MD_SHA1 );
4776#endif
4777#if defined(POLARSSL_SHA256_C)
4778 case SSL_HASH_SHA224:
4779 return( POLARSSL_MD_SHA224 );
4780 case SSL_HASH_SHA256:
4781 return( POLARSSL_MD_SHA256 );
4782#endif
4783#if defined(POLARSSL_SHA512_C)
4784 case SSL_HASH_SHA384:
4785 return( POLARSSL_MD_SHA384 );
4786 case SSL_HASH_SHA512:
4787 return( POLARSSL_MD_SHA512 );
4788#endif
4789 default:
4790 return( POLARSSL_MD_NONE );
4791 }
4792}
4793
4794#if defined(POLARSSL_SSL_SET_CURVES)
4795/*
4796 * Check is a curve proposed by the peer is in our list.
4797 * Return 1 if we're willing to use it, 0 otherwise.
4798 */
4799int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
4800{
4801 const ecp_group_id *gid;
4802
4803 for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
4804 if( *gid == grp_id )
4805 return( 1 );
4806
4807 return( 0 );
4808}
4809#endif /* POLARSSL_SSL_SET_CURVES */
4810
4811#if defined(POLARSSL_X509_CRT_PARSE_C)
4812int ssl_check_cert_usage( const x509_crt *cert,
4813 const ssl_ciphersuite_t *ciphersuite,
4814 int cert_endpoint )
4815{
4816#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
4817 int usage = 0;
4818#endif
4819#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4820 const char *ext_oid;
4821 size_t ext_len;
4822#endif
4823
4824#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
4825 !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4826 ((void) cert);
4827 ((void) cert_endpoint);
4828#endif
4829
4830#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
4831 if( cert_endpoint == SSL_IS_SERVER )
4832 {
4833 /* Server part of the key exchange */
4834 switch( ciphersuite->key_exchange )
4835 {
4836 case POLARSSL_KEY_EXCHANGE_RSA:
4837 case POLARSSL_KEY_EXCHANGE_RSA_PSK:
4838 usage = KU_KEY_ENCIPHERMENT;
4839 break;
4840
4841 case POLARSSL_KEY_EXCHANGE_DHE_RSA:
4842 case POLARSSL_KEY_EXCHANGE_ECDHE_RSA:
4843 case POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA:
4844 usage = KU_DIGITAL_SIGNATURE;
4845 break;
4846
4847 case POLARSSL_KEY_EXCHANGE_ECDH_RSA:
4848 case POLARSSL_KEY_EXCHANGE_ECDH_ECDSA:
4849 usage = KU_KEY_AGREEMENT;
4850 break;
4851
4852 /* Don't use default: we want warnings when adding new values */
4853 case POLARSSL_KEY_EXCHANGE_NONE:
4854 case POLARSSL_KEY_EXCHANGE_PSK:
4855 case POLARSSL_KEY_EXCHANGE_DHE_PSK:
4856 case POLARSSL_KEY_EXCHANGE_ECDHE_PSK:
4857 usage = 0;
4858 }
4859 }
4860 else
4861 {
4862 /* Client auth: we only implement rsa_sign and ecdsa_sign for now */
4863 usage = KU_DIGITAL_SIGNATURE;
4864 }
4865
4866 if( x509_crt_check_key_usage( cert, usage ) != 0 )
4867 return( -1 );
4868#else
4869 ((void) ciphersuite);
4870#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
4871
4872#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4873 if( cert_endpoint == SSL_IS_SERVER )
4874 {
4875 ext_oid = OID_SERVER_AUTH;
4876 ext_len = OID_SIZE( OID_SERVER_AUTH );
4877 }
4878 else
4879 {
4880 ext_oid = OID_CLIENT_AUTH;
4881 ext_len = OID_SIZE( OID_CLIENT_AUTH );
4882 }
4883
4884 if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
4885 return( -1 );
4886#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
4887
4888 return( 0 );
4889}
4890#endif /* POLARSSL_X509_CRT_PARSE_C */
4891
4892#endif /* POLARSSL_SSL_TLS_C */
aes_setkey_enc
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
aes_free
void aes_free(aes_context *ctx)
Clear AES context.
aes_setkey_dec
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
aes_init
void aes_init(aes_context *ctx)
Initialize AES context.
mpi_copy
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
mpi_read_string
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
mpi_free
void mpi_free(mpi *X)
Unallocate one MPI.
POLARSSL_ERR_CIPHER_AUTH_FAILED
#define POLARSSL_ERR_CIPHER_AUTH_FAILED
Authentication failed (for AEAD modes).
Definition: cipher.h:62
cipher_auth_encrypt
int cipher_auth_encrypt(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, unsigned char *tag, size_t tag_len)
Generic autenticated encryption (AEAD ciphers).
cipher_init
void cipher_init(cipher_context_t *ctx)
Initialize a cipher_context (as NONE)
POLARSSL_ENCRYPT
@ POLARSSL_ENCRYPT
Definition: cipher.h:157
POLARSSL_DECRYPT
@ POLARSSL_DECRYPT
Definition: cipher.h:156
cipher_setkey
int cipher_setkey(cipher_context_t *ctx, const unsigned char *key, int key_length, const operation_t operation)
Set the key to use with the given context.
cipher_info_from_type
const cipher_info_t * cipher_info_from_type(const cipher_type_t cipher_type)
Returns the cipher information structure associated with the given cipher type.
cipher_get_cipher_mode
static cipher_mode_t cipher_get_cipher_mode(const cipher_context_t *ctx)
Returns the mode of operation for the cipher.
Definition: cipher.h:401
cipher_crypt
int cipher_crypt(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
Generic all-in-one encryption/decryption (for all ciphers except AEAD constructs).
cipher_set_padding_mode
int cipher_set_padding_mode(cipher_context_t *ctx, cipher_padding_t mode)
Set padding mode, for cipher modes that use padding.
POLARSSL_PADDING_NONE
@ POLARSSL_PADDING_NONE
never pad (full blocks only)
Definition: cipher.h:151
cipher_auth_decrypt
int cipher_auth_decrypt(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, const unsigned char *tag, size_t tag_len)
Generic autenticated decryption (AEAD ciphers).
cipher_init_ctx
int cipher_init_ctx(cipher_context_t *ctx, const cipher_info_t *cipher_info)
Initialises and fills the cipher context structure with the appropriate values.
cipher_free
void cipher_free(cipher_context_t *ctx)
Free and clear the cipher-specific context of ctx.
cipher_mode_t
cipher_mode_t
Definition: cipher.h:134
POLARSSL_MODE_GCM
@ POLARSSL_MODE_GCM
Definition: cipher.h:141
POLARSSL_MODE_CBC
@ POLARSSL_MODE_CBC
Definition: cipher.h:137
POLARSSL_MODE_CCM
@ POLARSSL_MODE_CCM
Definition: cipher.h:143
POLARSSL_MODE_STREAM
@ POLARSSL_MODE_STREAM
Definition: cipher.h:142
POLARSSL_PSK_MAX_LEN
#define POLARSSL_PSK_MAX_LEN
Definition: config-ccm-psk-tls1_2.h:40
SSL_MAX_CONTENT_LEN
#define SSL_MAX_CONTENT_LEN
Definition: config-ccm-psk-tls1_2.h:62
config.h
Configuration options (set of defines)
debug.h
Debug functions.
SSL_DEBUG_MPI
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:70
SSL_DEBUG_BUF
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:66
SSL_DEBUG_RET
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:63
SSL_DEBUG_CRT
#define SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:80
SSL_DEBUG_MSG
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:60
POLARSSL_DHM_RFC5114_MODP_1024_P
#define POLARSSL_DHM_RFC5114_MODP_1024_P
Definition: dhm.h:107
dhm_calc_secret
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.
dhm_init
void dhm_init(dhm_context *ctx)
Initialize DHM context.
dhm_free
void dhm_free(dhm_context *ctx)
Free and clear the components of a DHM key.
POLARSSL_DHM_RFC5114_MODP_1024_G
#define POLARSSL_DHM_RFC5114_MODP_1024_G
Definition: dhm.h:115
ecdh_calc_secret
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
ecdh_init
void ecdh_init(ecdh_context *ctx)
Initialize context.
ecdh_free
void ecdh_free(ecdh_context *ctx)
Free context.
ecp_group_id
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:58
POLARSSL_ECP_DP_NONE
@ POLARSSL_ECP_DP_NONE
Definition: ecp.h:59
ecp_grp_id_list
const ecp_group_id * ecp_grp_id_list(void)
Get the list of supported curves in order of preferrence (grp_id only)
_asn1_buf::len
size_t len
ASN1 length, e.g.
Definition: asn1.h:127
_asn1_buf::p
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:128
OID_SIZE
#define OID_SIZE(x)
Returns the size of the binary string, without the trailing \0.
Definition: asn1.h:98
x509_crt_check_key_usage
int x509_crt_check_key_usage(const x509_crt *crt, int usage)
Check usage of certificate against keyUsage extension.
_x509_crt::pk
pk_context pk
Container for the public key context.
Definition: x509_crt.h:75
x509_crt_init
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
x509_crt_parse_der
int x509_crt_parse_der(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
KU_KEY_AGREEMENT
#define KU_KEY_AGREEMENT
Definition: x509.h:97
KU_DIGITAL_SIGNATURE
#define KU_DIGITAL_SIGNATURE
Definition: x509.h:93
x509_crt_free
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
KU_KEY_ENCIPHERMENT
#define KU_KEY_ENCIPHERMENT
Definition: x509.h:95
_x509_crt::raw
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:59
BADCERT_SKIP_VERIFY
#define BADCERT_SKIP_VERIFY
Certificate verification was skipped.
Definition: x509.h:83
BADCERT_MISSING
#define BADCERT_MISSING
Certificate was missing.
Definition: x509.h:82
x509_crt_verify
int x509_crt_verify(x509_crt *crt, x509_crt *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Verify the certificate signature.
x509_crt_check_extended_key_usage
int x509_crt_check_extended_key_usage(const x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extentedJeyUsage.
_x509_crt::next
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:98
md5_hmac
void md5_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[16])
Output = HMAC-MD5( hmac key, input buffer )
md5_free
void md5_free(md5_context *ctx)
Clear MD5 context.
md5_init
void md5_init(md5_context *ctx)
Initialize MD5 context.
md5_update
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
md5_finish
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
md5
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
md5_starts
void md5_starts(md5_context *ctx)
MD5 context setup.
md_hmac_reset
int md_hmac_reset(md_context_t *ctx)
Generic HMAC context reset.
md_get_size
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:225
md_starts
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
md_info_from_type
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
md_hmac_update
int md_hmac_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic HMAC process buffer.
md_init_ctx
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
md_hmac_starts
int md_hmac_starts(md_context_t *ctx, const unsigned char *key, size_t keylen)
Generic HMAC context setup.
md_get_type
static md_type_t md_get_type(const md_info_t *md_info)
Returns the type of the message digest output.
Definition: md.h:240
md_free
void md_free(md_context_t *ctx)
Free and clear the message-specific context of ctx.
md_process
int md_process(md_context_t *ctx, const unsigned char *data)
md_finish
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
md_hmac_finish
int md_hmac_finish(md_context_t *ctx, unsigned char *output)
Generic HMAC final digest.
md_init
void md_init(md_context_t *ctx)
Initialize a md_context (as NONE)
md_update
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
md_type_t
md_type_t
Definition: md.h:51
POLARSSL_MD_MD5
@ POLARSSL_MD_MD5
Definition: md.h:55
POLARSSL_MD_NONE
@ POLARSSL_MD_NONE
Definition: md.h:52
POLARSSL_MD_SHA224
@ POLARSSL_MD_SHA224
Definition: md.h:57
POLARSSL_MD_SHA1
@ POLARSSL_MD_SHA1
Definition: md.h:56
POLARSSL_MD_SHA384
@ POLARSSL_MD_SHA384
Definition: md.h:59
POLARSSL_MD_SHA512
@ POLARSSL_MD_SHA512
Definition: md.h:60
POLARSSL_MD_SHA256
@ POLARSSL_MD_SHA256
Definition: md.h:58
POLARSSL_ERR_NET_WANT_READ
#define POLARSSL_ERR_NET_WANT_READ
Connection requires a read call.
Definition: net.h:41
oid.h
Object Identifier (OID) database.
OID_CLIENT_AUTH
#define OID_CLIENT_AUTH
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
Definition: oid.h:177
OID_SERVER_AUTH
#define OID_SERVER_AUTH
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
Definition: oid.h:176
pk_info_from_type
const pk_info_t * pk_info_from_type(pk_type_t pk_type)
Return information associated with the given PK type.
pk_init_ctx_rsa_alt
int pk_init_ctx_rsa_alt(pk_context *ctx, void *key, pk_rsa_alt_decrypt_func decrypt_func, pk_rsa_alt_sign_func sign_func, pk_rsa_alt_key_len_func key_len_func)
Initialize an RSA-alt context.
pk_init_ctx
int pk_init_ctx(pk_context *ctx, const pk_info_t *info)
Initialize a PK context with the information given and allocates the type-specific PK subcontext.
pk_rsa
#define pk_rsa(pk)
Quick access to an RSA context inside a PK context.
Definition: pk.h:74
pk_free
void pk_free(pk_context *ctx)
Free a pk_context.
pk_ec
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:84
pk_init
void pk_init(pk_context *ctx)
Initialize a pk_context (as NONE)
pk_type_t
pk_type_t
Public key types.
Definition: pk.h:95
POLARSSL_PK_ECDSA
@ POLARSSL_PK_ECDSA
Definition: pk.h:100
POLARSSL_PK_ECKEY
@ POLARSSL_PK_ECKEY
Definition: pk.h:98
POLARSSL_PK_RSA
@ POLARSSL_PK_RSA
Definition: pk.h:97
POLARSSL_PK_NONE
@ POLARSSL_PK_NONE
Definition: pk.h:96
pk_can_do
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
platform.h
PolarSSL Platform abstraction layer.
rsa_copy
int rsa_copy(rsa_context *dst, const rsa_context *src)
Copy the components of an RSA context.
sha1
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
sha1_starts
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
sha1_hmac
void sha1_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[20])
Output = HMAC-SHA-1( hmac key, input buffer )
sha1_update
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
sha1_init
void sha1_init(sha1_context *ctx)
Initialize SHA-1 context.
sha1_finish
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
sha1_free
void sha1_free(sha1_context *ctx)
Clear SHA-1 context.
sha256_finish
void sha256_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 final digest.
sha256_free
void sha256_free(sha256_context *ctx)
Clear SHA-256 context.
sha256
void sha256(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
sha256_hmac
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
sha256_update
void sha256_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
sha256_starts
void sha256_starts(sha256_context *ctx, int is224)
SHA-256 context setup.
sha256_init
void sha256_init(sha256_context *ctx)
Initialize SHA-256 context.
sha512_free
void sha512_free(sha512_context *ctx)
Clear SHA-512 context.
sha512_starts
void sha512_starts(sha512_context *ctx, int is384)
SHA-512 context setup.
sha512
void sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
sha512_hmac
void sha512_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
sha512_finish
void sha512_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 final digest.
sha512_update
void sha512_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
sha512_init
void sha512_init(sha512_context *ctx)
Initialize SHA-512 context.
ssl.h
SSL/TLS functions.
SSL_RENEGOTIATION_DONE
#define SSL_RENEGOTIATION_DONE
Definition: ssl.h:218
SSL_SIG_ECDSA
#define SSL_SIG_ECDSA
Definition: ssl.h:326
ssl_read_record
int ssl_read_record(ssl_context *ssl)
SSL_VERIFY_NONE
#define SSL_VERIFY_NONE
Definition: ssl.h:212
SSL_LEGACY_RENEGOTIATION
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:221
ssl_set_hostname
int ssl_set_hostname(ssl_context *ssl, const char *hostname)
Set hostname for ServerName TLS extension (client-side only)
ssl_set_session_tickets
int ssl_set_session_tickets(ssl_context *ssl, int use_tickets)
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS...
ssl_send_alert_message
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
ssl_set_authmode
void ssl_set_authmode(ssl_context *ssl, int authmode)
Set the certificate verification mode.
POLARSSL_ERR_SSL_INTERNAL_ERROR
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition: ssl.h:146
ssl_sig_from_pk
unsigned char ssl_sig_from_pk(pk_context *pk)
POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Processing of the ChangeCipherSpec handshake message failed.
Definition: ssl.h:135
ssl_set_dh_param
int ssl_set_dh_param(ssl_context *ssl, const char *dhm_P, const char *dhm_G)
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default...
SSL_VERIFY_REQUIRED
#define SSL_VERIFY_REQUIRED
Definition: ssl.h:214
ssl_get_ciphersuite
const char * ssl_get_ciphersuite(const ssl_context *ssl)
Return the name of the current ciphersuite.
ssl_set_psk_cb
void ssl_set_psk_cb(ssl_context *ssl, int(*f_psk)(void *, ssl_context *, const unsigned char *, size_t), void *p_psk)
Set the PSK callback (server-side only) (Optional).
SSL_ALERT_MSG_HANDSHAKE_FAILURE
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:352
SSL_RENEGOTIATION_PENDING
#define SSL_RENEGOTIATION_PENDING
Definition: ssl.h:219
SSL_HASH_SHA384
#define SSL_HASH_SHA384
Definition: ssl.h:321
ssl_set_own_cert_alt
int ssl_set_own_cert_alt(ssl_context *ssl, x509_crt *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len)
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks,...
ssl_set_psk
int ssl_set_psk(ssl_context *ssl, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len)
Set the Pre Shared Key (PSK) and the identity name connected to it.
ssl_set_dbg
void ssl_set_dbg(ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg)
Set the debug callback.
POLARSSL_ERR_SSL_CONN_EOF
#define POLARSSL_ERR_SSL_CONN_EOF
The connection indicated an EOF.
Definition: ssl.h:112
SSL_HANDSHAKE_OVER
@ SSL_HANDSHAKE_OVER
Definition: ssl.h:493
SSL_HANDSHAKE_WRAPUP
@ SSL_HANDSHAKE_WRAPUP
Definition: ssl.h:492
SSL_HELLO_REQUEST
@ SSL_HELLO_REQUEST
Definition: ssl.h:477
SSL_CLIENT_CHANGE_CIPHER_SPEC
@ SSL_CLIENT_CHANGE_CIPHER_SPEC
Definition: ssl.h:487
ssl_handshake_client_step
int ssl_handshake_client_step(ssl_context *ssl)
ssl_write_record
int ssl_write_record(ssl_context *ssl)
rsa_key_len_func
size_t(* rsa_key_len_func)(void *ctx)
Definition: ssl.h:470
ssl_get_version
const char * ssl_get_version(const ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
SSL_RENEGO_MAX_RECORDS_DEFAULT
#define SSL_RENEGO_MAX_RECORDS_DEFAULT
Definition: ssl.h:228
ssl_set_session_ticket_lifetime
void ssl_set_session_ticket_lifetime(ssl_context *ssl, int lifetime)
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))
SSL_TRUNCATED_HMAC_LEN
#define SSL_TRUNCATED_HMAC_LEN
Definition: ssl.h:236
POLARSSL_ERR_SSL_COUNTER_WRAPPING
#define POLARSSL_ERR_SSL_COUNTER_WRAPPING
A counter would wrap (eg, too many messages exchanged).
Definition: ssl.h:147
ssl_md_alg_from_hash
md_type_t ssl_md_alg_from_hash(unsigned char hash)
SSL_ALERT_MSG_UNEXPECTED_MESSAGE
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:347
POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:108
SSL_INITIAL_HANDSHAKE
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:216
ssl_set_endpoint
void ssl_set_endpoint(ssl_context *ssl, int endpoint)
Set the current endpoint type.
ssl_psk_derive_premaster
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
SSL_MSG_ALERT
#define SSL_MSG_ALERT
Definition: ssl.h:339
SSL_MINOR_VERSION_1
#define SSL_MINOR_VERSION_1
Definition: ssl.h:155
ssl_set_max_frag_len
int ssl_set_max_frag_len(ssl_context *ssl, unsigned char mfl_code)
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN,...
SSL_ALERT_LEVEL_WARNING
#define SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:343
ssl_set_bio
void ssl_set_bio(ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send)
Set the underlying BIO read and write callbacks.
ssl_set_own_cert
int ssl_set_own_cert(ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key)
Set own certificate chain and private key.
ssl_set_truncated_hmac
int ssl_set_truncated_hmac(ssl_context *ssl, int truncate)
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED)
ssl_handshake_server_step
int ssl_handshake_server_step(ssl_context *ssl)
POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
Hardware acceleration function skipped / left alone data.
Definition: ssl.h:139
SSL_HS_FINISHED
#define SSL_HS_FINISHED
Definition: ssl.h:385
ssl_write_certificate
int ssl_write_certificate(ssl_context *ssl)
SSL_MINOR_VERSION_0
#define SSL_MINOR_VERSION_0
Definition: ssl.h:154
ssl_session_free
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
POLARSSL_ERR_SSL_HW_ACCEL_FAILED
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED
Hardware acceleration function returned with error.
Definition: ssl.h:138
ssl_check_cert_usage
int ssl_check_cert_usage(const x509_crt *cert, const ssl_ciphersuite_t *ciphersuite, int cert_endpoint)
ssl_transform_free
void ssl_transform_free(ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
ssl_set_ciphersuites
void ssl_set_ciphersuites(ssl_context *ssl, const int *ciphersuites)
Set the list of allowed ciphersuites and the preference order.
ssl_get_session
int ssl_get_session(const ssl_context *ssl, ssl_session *session)
Save session in order to resume it later (client-side only) Session data is copied to presented sessi...
SSL_ALERT_MSG_NO_RENEGOTIATION
#define SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:369
ssl_get_bytes_avail
size_t ssl_get_bytes_avail(const ssl_context *ssl)
Return the number of data bytes available to read.
SSL_HASH_SHA512
#define SSL_HASH_SHA512
Definition: ssl.h:322
POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
A fatal alert message was received from our peer.
Definition: ssl.h:122
ssl_derive_keys
int ssl_derive_keys(ssl_context *ssl)
ssl_handshake_step
int ssl_handshake_step(ssl_context *ssl)
Perform a single step of the SSL handshake.
ssl_set_renegotiation
void ssl_set_renegotiation(ssl_context *ssl, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIAT...
ssl_set_alpn_protocols
int ssl_set_alpn_protocols(ssl_context *ssl, const char **protos)
Set the supported Application Layer Protocols.
SSL_LEGACY_NO_RENEGOTIATION
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:230
ssl_write_change_cipher_spec
int ssl_write_change_cipher_spec(ssl_context *ssl)
SSL_SESSION_TICKETS_ENABLED
#define SSL_SESSION_TICKETS_ENABLED
Definition: ssl.h:239
POLARSSL_ERR_SSL_INVALID_RECORD
#define POLARSSL_ERR_SSL_INVALID_RECORD
An invalid SSL record was received.
Definition: ssl.h:111
ssl_set_verify
void ssl_set_verify(ssl_context *ssl, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Set the verification callback (Optional).
SSL_MINOR_VERSION_3
#define SSL_MINOR_VERSION_3
Definition: ssl.h:157
ssl_optimize_checksum
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
SSL_MSG_APPLICATION_DATA
#define SSL_MSG_APPLICATION_DATA
Definition: ssl.h:341
ssl_write_finished
int ssl_write_finished(ssl_context *ssl)
SSL_BUFFER_LEN
#define SSL_BUFFER_LEN
Definition: ssl.h:300
SSL_SIG_ANON
#define SSL_SIG_ANON
Definition: ssl.h:324
SSL_ALERT_MSG_BAD_RECORD_MAC
#define SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:348
SSL_MSG_CHANGE_CIPHER_SPEC
#define SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:338
SSL_MAX_MINOR_VERSION
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:182
ssl_set_sni
void ssl_set_sni(ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
SSL_VERIFY_OPTIONAL
#define SSL_VERIFY_OPTIONAL
Definition: ssl.h:213
SSL_ALERT_LEVEL_FATAL
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:344
ssl_pk_alg_from_sig
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
SSL_IS_CLIENT
#define SSL_IS_CLIENT
Definition: ssl.h:206
ssl_own_cert
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1776
ssl_set_session
int ssl_set_session(ssl_context *ssl, const ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
SSL_MAJOR_VERSION_3
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:153
SSL_MIN_MAJOR_VERSION
#define SSL_MIN_MAJOR_VERSION
Definition: ssl.h:160
ssl_handshake_wrapup
void ssl_handshake_wrapup(ssl_context *ssl)
SSL_DEFAULT_TICKET_LIFETIME
#define SSL_DEFAULT_TICKET_LIFETIME
Lifetime of session tickets (if enabled)
Definition: ssl.h:250
POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
No CA Chain is set, but required to operate.
Definition: ssl.h:120
POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
The peer notified us that the connection is going to be closed.
Definition: ssl.h:124
SSL_TRUNC_HMAC_ENABLED
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:235
SSL_IS_SERVER
#define SSL_IS_SERVER
Definition: ssl.h:207
POLARSSL_ERR_SSL_COMPRESSION_FAILED
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED
Processing of the compression / decompression failed.
Definition: ssl.h:140
ssl_session_init
void ssl_session_init(ssl_session *session)
Initialize SSL session structure.
ssl_get_peer_cert
const x509_crt * ssl_get_peer_cert(const ssl_context *ssl)
Return the peer certificate from the current connection.
POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
Unexpected message at ServerHello in renegotiation.
Definition: ssl.h:148
ssl_list_ciphersuites
const int * ssl_list_ciphersuites(void)
Returns the list of ciphersuites supported by the SSL/TLS module.
ssl_set_dh_param_ctx
int ssl_set_dh_param_ctx(ssl_context *ssl, dhm_context *dhm_ctx)
Set the Diffie-Hellman public P and G values, read from existing context (server-side only)
ssl_set_session_cache
void ssl_set_session_cache(ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache)
Set the session cache callbacks (server-side only) If not set, no session resuming is done.
SSL_MIN_MINOR_VERSION
#define SSL_MIN_MINOR_VERSION
Definition: ssl.h:163
SSL_HASH_SHA224
#define SSL_HASH_SHA224
Definition: ssl.h:319
ssl_set_renegotiation_enforced
void ssl_set_renegotiation_enforced(ssl_context *ssl, int max_records)
Enforce server-requested renegotiation.
SSL_RENEGOTIATION
#define SSL_RENEGOTIATION
Definition: ssl.h:217
rsa_decrypt_func
int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Definition: ssl.h:463
SSL_ALERT_MSG_NO_CERT
#define SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:353
SSL_RENEGOTIATION_DISABLED
#define SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:224
ssl_set_own_cert_rsa
int ssl_set_own_cert_rsa(ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key)
Set own certificate chain and private RSA key.
ssl_parse_certificate
int ssl_parse_certificate(ssl_context *ssl)
SSL_HS_CERTIFICATE
#define SSL_HS_CERTIFICATE
Definition: ssl.h:379
SSL_MINOR_VERSION_2
#define SSL_MINOR_VERSION_2
Definition: ssl.h:156
ssl_write
int ssl_write(ssl_context *ssl, const unsigned char *buf, size_t len)
Write exactly 'len' application data bytes.
ssl_parse_finished
int ssl_parse_finished(ssl_context *ssl)
SSL_HASH_SHA256
#define SSL_HASH_SHA256
Definition: ssl.h:320
ssl_flush_output
int ssl_flush_output(ssl_context *ssl)
ssl_get_ciphersuite_name
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
SSL_MAX_MAJOR_VERSION
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:179
ssl_close_notify
int ssl_close_notify(ssl_context *ssl)
Notify the peer that the connection is being closed.
ssl_handshake_free
void ssl_handshake_free(ssl_handshake_params *handshake)
Free referenced items in an SSL handshake context and clear memory.
ssl_parse_change_cipher_spec
int ssl_parse_change_cipher_spec(ssl_context *ssl)
POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:127
ssl_set_ciphersuites_for_version
void ssl_set_ciphersuites_for_version(ssl_context *ssl, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites and the preference order for a specific version of the protocol.
ssl_set_min_version
void ssl_set_min_version(ssl_context *ssl, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION,...
ssl_handshake
int ssl_handshake(ssl_context *ssl)
Perform the SSL handshake.
ssl_get_verify_result
int ssl_get_verify_result(const ssl_context *ssl)
Return the result of the certificate verification.
SSL_SIG_RSA
#define SSL_SIG_RSA
Definition: ssl.h:325
ssl_free
void ssl_free(ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
ssl_legacy_renegotiation
void ssl_legacy_renegotiation(ssl_context *ssl, int allow_legacy)
Prevent or allow legacy renegotiation.
POLARSSL_ERR_SSL_INVALID_MAC
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:110
SSL_MAX_FRAG_LEN_INVALID
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:204
rsa_sign_func
int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Definition: ssl.h:466
SSL_ALERT_MSG_CLOSE_NOTIFY
#define SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:346
POLARSSL_ERR_SSL_BAD_HS_FINISHED
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED
Processing of the Finished handshake message failed.
Definition: ssl.h:136
POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:117
SSL_HASH_SHA1
#define SSL_HASH_SHA1
Definition: ssl.h:318
POLARSSL_ERR_SSL_BAD_INPUT_DATA
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:109
ssl_init
int ssl_init(ssl_context *ssl)
Initialize an SSL context (An individual SSL context is not thread-safe)
SSL_MSG_HANDSHAKE
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:340
ssl_send_fatal_handshake_failure
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_get_alpn_protocol
const char * ssl_get_alpn_protocol(const ssl_context *ssl)
Get the name of the negotiated Application Layer Protocol.
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:121
ssl_read
int ssl_read(ssl_context *ssl, unsigned char *buf, size_t len)
Read at most 'len' application data bytes.
SSL_COMPRESS_DEFLATE
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:210
SSL_HASH_MD5
#define SSL_HASH_MD5
Definition: ssl.h:317
POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
No client certification received from the client, but required by the authentication mode.
Definition: ssl.h:116
POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
The own certificate is not set, but needed by the server.
Definition: ssl.h:118
ssl_session_reset
int ssl_session_reset(ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables,...
ssl_set_rng
void ssl_set_rng(ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
POLARSSL_ERR_SSL_MALLOC_FAILED
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:137
ssl_fetch_input
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
ssl_renegotiate
int ssl_renegotiate(ssl_context *ssl)
Initiate an SSL renegotiation on the running connection.
ssl_set_ca_chain
void ssl_set_ca_chain(ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn)
Set the data required to verify peer certificate.
safer_memcmp
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1797
SSL_HS_HELLO_REQUEST
#define SSL_HS_HELLO_REQUEST
Definition: ssl.h:375
ssl_set_max_version
void ssl_set_max_version(ssl_context *ssl, int major, int minor)
Set the maximum supported version sent from the client side and/or accepted at the server side (Defau...
key_exchange_type_t
key_exchange_type_t
Definition: ssl_ciphersuites.h:237
POLARSSL_KEY_EXCHANGE_NONE
@ POLARSSL_KEY_EXCHANGE_NONE
Definition: ssl_ciphersuites.h:238
POLARSSL_KEY_EXCHANGE_DHE_RSA
@ POLARSSL_KEY_EXCHANGE_DHE_RSA
Definition: ssl_ciphersuites.h:240
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA
@ POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA
Definition: ssl_ciphersuites.h:242
POLARSSL_KEY_EXCHANGE_PSK
@ POLARSSL_KEY_EXCHANGE_PSK
Definition: ssl_ciphersuites.h:243
POLARSSL_KEY_EXCHANGE_DHE_PSK
@ POLARSSL_KEY_EXCHANGE_DHE_PSK
Definition: ssl_ciphersuites.h:244
POLARSSL_KEY_EXCHANGE_ECDHE_RSA
@ POLARSSL_KEY_EXCHANGE_ECDHE_RSA
Definition: ssl_ciphersuites.h:241
POLARSSL_KEY_EXCHANGE_ECDHE_PSK
@ POLARSSL_KEY_EXCHANGE_ECDHE_PSK
Definition: ssl_ciphersuites.h:246
POLARSSL_KEY_EXCHANGE_RSA_PSK
@ POLARSSL_KEY_EXCHANGE_RSA_PSK
Definition: ssl_ciphersuites.h:245
POLARSSL_KEY_EXCHANGE_RSA
@ POLARSSL_KEY_EXCHANGE_RSA
Definition: ssl_ciphersuites.h:239
POLARSSL_KEY_EXCHANGE_ECDH_RSA
@ POLARSSL_KEY_EXCHANGE_ECDH_RSA
Definition: ssl_ciphersuites.h:247
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA
@ POLARSSL_KEY_EXCHANGE_ECDH_ECDSA
Definition: ssl_ciphersuites.h:248
POLARSSL_CIPHERSUITE_SHORT_TAG
#define POLARSSL_CIPHERSUITE_SHORT_TAG
Short authentication tag, eg for CCM_8.
Definition: ssl_ciphersuites.h:254
_ssl_ciphersuite_t
This structure is used for storing ciphersuite information.
Definition: ssl_ciphersuites.h:261
_ssl_ciphersuite_t::cipher
cipher_type_t cipher
Definition: ssl_ciphersuites.h:265
_ssl_ciphersuite_t::key_exchange
key_exchange_type_t key_exchange
Definition: ssl_ciphersuites.h:267
_ssl_ciphersuite_t::mac
md_type_t mac
Definition: ssl_ciphersuites.h:266
_ssl_ciphersuite_t::flags
unsigned char flags
Definition: ssl_ciphersuites.h:274
_ssl_context
Definition: ssl.h:684
_ssl_context::f_psk
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:729
_ssl_context::trunc_hmac
int trunc_hmac
Definition: ssl.h:821
_ssl_context::in_hdr
unsigned char * in_hdr
Definition: ssl.h:756
_ssl_context::nb_zero
int nb_zero
Definition: ssl.h:766
_ssl_context::f_set_cache
int(* f_set_cache)(void *, const ssl_session *)
Definition: ssl.h:708
_ssl_context::handshake
ssl_handshake_params * handshake
Definition: ssl.h:741
_ssl_context::alpn_list
const char ** alpn_list
Definition: ssl.h:855
_ssl_context::minor_ver
int minor_ver
Definition: ssl.h:693
_ssl_context::ciphersuite_list
const int * ciphersuite_list[4]
Definition: ssl.h:816
_ssl_context::f_get_cache
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:707
_ssl_context::in_ctr
unsigned char * in_ctr
Definition: ssl.h:755
_ssl_context::f_send
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:706
_ssl_context::allow_legacy_renegotiation
int allow_legacy_renegotiation
Definition: ssl.h:814
_ssl_context::p_rng
void * p_rng
Definition: ssl.h:710
_ssl_context::hostname
unsigned char * hostname
Definition: ssl.h:847
_ssl_context::endpoint
int endpoint
Definition: ssl.h:809
_ssl_context::p_sni
void * p_sni
Definition: ssl.h:720
_ssl_context::ticket_keys
ssl_ticket_keys * ticket_keys
Definition: ssl.h:803
_ssl_context::out_hdr
unsigned char * out_hdr
Definition: ssl.h:773
_ssl_context::record_read
int record_read
Definition: ssl.h:767
_ssl_context::session_in
ssl_session * session_in
Definition: ssl.h:736
_ssl_context::p_vrfy
void * p_vrfy
Definition: ssl.h:725
_ssl_context::authmode
int authmode
Definition: ssl.h:810
_ssl_context::p_set_cache
void * p_set_cache
Definition: ssl.h:715
_ssl_context::session_out
ssl_session * session_out
Definition: ssl.h:737
_ssl_context::state
int state
Definition: ssl.h:688
_ssl_context::renego_records_seen
int renego_records_seen
Definition: ssl.h:690
_ssl_context::out_ctr
unsigned char * out_ctr
Definition: ssl.h:772
_ssl_context::out_msg
unsigned char * out_msg
Definition: ssl.h:775
_ssl_context::f_rng
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:703
_ssl_context::ca_chain
x509_crt * ca_chain
Definition: ssl.h:794
_ssl_context::psk
unsigned char * psk
Definition: ssl.h:837
_ssl_context::transform
ssl_transform * transform
Definition: ssl.h:749
_ssl_context::dhm_G
mpi dhm_G
Definition: ssl.h:830
_ssl_context::in_iv
unsigned char * in_iv
Definition: ssl.h:757
_ssl_context::f_recv
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:705
_ssl_context::p_get_cache
void * p_get_cache
Definition: ssl.h:714
_ssl_context::major_ver
int major_ver
Definition: ssl.h:692
_ssl_context::transform_negotiate
ssl_transform * transform_negotiate
Definition: ssl.h:750
_ssl_context::session_tickets
int session_tickets
Definition: ssl.h:824
_ssl_context::ca_crl
x509_crl * ca_crl
Definition: ssl.h:795
_ssl_context::in_msglen
size_t in_msglen
Definition: ssl.h:762
_ssl_context::psk_identity_len
size_t psk_identity_len
Definition: ssl.h:840
_ssl_context::out_iv
unsigned char * out_iv
Definition: ssl.h:774
_ssl_context::renegotiation
int renegotiation
Definition: ssl.h:689
_ssl_context::psk_identity
unsigned char * psk_identity
Definition: ssl.h:839
_ssl_context::hostname_len
size_t hostname_len
Definition: ssl.h:848
_ssl_context::min_minor_ver
int min_minor_ver
Definition: ssl.h:698
_ssl_context::peer_cn
const char * peer_cn
Definition: ssl.h:796
_ssl_context::ticket_lifetime
int ticket_lifetime
Definition: ssl.h:825
_ssl_context::verify_data_len
size_t verify_data_len
Definition: ssl.h:864
_ssl_context::max_major_ver
int max_major_ver
Definition: ssl.h:695
_ssl_context::alpn_chosen
const char * alpn_chosen
Definition: ssl.h:856
_ssl_context::f_sni
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:719
_ssl_context::p_recv
void * p_recv
Definition: ssl.h:712
_ssl_context::in_hslen
size_t in_hslen
Definition: ssl.h:765
_ssl_context::transform_in
ssl_transform * transform_in
Definition: ssl.h:747
_ssl_context::min_major_ver
int min_major_ver
Definition: ssl.h:697
_ssl_context::in_left
size_t in_left
Definition: ssl.h:763
_ssl_context::disable_renegotiation
int disable_renegotiation
Definition: ssl.h:813
_ssl_context::psk_len
size_t psk_len
Definition: ssl.h:838
_ssl_context::in_msgtype
int in_msgtype
Definition: ssl.h:761
_ssl_context::p_dbg
void * p_dbg
Definition: ssl.h:711
_ssl_context::session_negotiate
ssl_session * session_negotiate
Definition: ssl.h:739
_ssl_context::f_vrfy
int(* f_vrfy)(void *, x509_crt *, int, int *)
Definition: ssl.h:724
_ssl_context::own_verify_data
char own_verify_data[36]
Definition: ssl.h:865
_ssl_context::out_msgtype
int out_msgtype
Definition: ssl.h:777
_ssl_context::mfl_code
unsigned char mfl_code
Definition: ssl.h:785
_ssl_context::secure_renegotiation
int secure_renegotiation
Definition: ssl.h:862
_ssl_context::f_dbg
void(* f_dbg)(void *, int, const char *)
Definition: ssl.h:704
_ssl_context::max_minor_ver
int max_minor_ver
Definition: ssl.h:696
_ssl_context::dhm_P
mpi dhm_P
Definition: ssl.h:829
_ssl_context::client_auth
int client_auth
Definition: ssl.h:811
_ssl_context::transform_out
ssl_transform * transform_out
Definition: ssl.h:748
_ssl_context::session
ssl_session * session
Definition: ssl.h:738
_ssl_context::out_left
size_t out_left
Definition: ssl.h:779
_ssl_context::out_msglen
size_t out_msglen
Definition: ssl.h:778
_ssl_context::peer_verify_data
char peer_verify_data[36]
Definition: ssl.h:866
_ssl_context::in_msg
unsigned char * in_msg
Definition: ssl.h:758
_ssl_context::p_psk
void * p_psk
Definition: ssl.h:730
_ssl_context::compress_buf
unsigned char * compress_buf
Definition: ssl.h:782
_ssl_context::in_offt
unsigned char * in_offt
Definition: ssl.h:759
_ssl_context::renego_max_records
int renego_max_records
Definition: ssl.h:815
_ssl_context::key_cert
ssl_key_cert * key_cert
Definition: ssl.h:792
_ssl_context::p_send
void * p_send
Definition: ssl.h:713
_ssl_handshake_params
Definition: ssl.h:588
_ssl_handshake_params::calc_finished
void(* calc_finished)(ssl_context *, unsigned char *, int)
Definition: ssl.h:636
_ssl_handshake_params::dhm_ctx
dhm_context dhm_ctx
Definition: ssl.h:596
_ssl_handshake_params::fin_sha512
sha512_context fin_sha512
Definition: ssl.h:630
_ssl_handshake_params::fin_sha256
sha256_context fin_sha256
Definition: ssl.h:627
_ssl_handshake_params::sni_key_cert
ssl_key_cert * sni_key_cert
Definition: ssl.h:613
_ssl_handshake_params::fin_sha1
sha1_context fin_sha1
Definition: ssl.h:623
_ssl_handshake_params::curves
const ecp_curve_info ** curves
Definition: ssl.h:602
_ssl_handshake_params::calc_verify
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:635
_ssl_handshake_params::pmslen
size_t pmslen
Definition: ssl.h:641
_ssl_handshake_params::sig_alg
int sig_alg
Definition: ssl.h:592
_ssl_handshake_params::resume
int resume
Definition: ssl.h:647
_ssl_handshake_params::tls_prf
int(* tls_prf)(const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl.h:637
_ssl_handshake_params::update_checksum
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:634
_ssl_handshake_params::ecdh_ctx
ecdh_context ecdh_ctx
Definition: ssl.h:599
_ssl_handshake_params::premaster
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:644
_ssl_handshake_params::randbytes
unsigned char randbytes[64]
Definition: ssl.h:643
_ssl_handshake_params::fin_md5
md5_context fin_md5
Definition: ssl.h:622
_ssl_handshake_params::key_cert
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:611
_ssl_key_cert
Definition: ssl.h:675
_ssl_key_cert::key
pk_context * key
Definition: ssl.h:677
_ssl_key_cert::key_own_alloc
int key_own_alloc
Definition: ssl.h:678
_ssl_key_cert::cert
x509_crt * cert
Definition: ssl.h:676
_ssl_key_cert::next
ssl_key_cert * next
Definition: ssl.h:679
_ssl_session
Definition: ssl.h:513
_ssl_session::mfl_code
unsigned char mfl_code
Definition: ssl.h:535
_ssl_session::ciphersuite
int ciphersuite
Definition: ssl.h:517
_ssl_session::length
size_t length
Definition: ssl.h:519
_ssl_session::compression
int compression
Definition: ssl.h:518
_ssl_session::master
unsigned char master[48]
Definition: ssl.h:521
_ssl_session::trunc_hmac
int trunc_hmac
Definition: ssl.h:539
_ssl_session::ticket_len
size_t ticket_len
Definition: ssl.h:530
_ssl_session::ticket
unsigned char * ticket
Definition: ssl.h:529
_ssl_session::verify_result
int verify_result
Definition: ssl.h:526
_ssl_session::peer_cert
x509_crt * peer_cert
Definition: ssl.h:524
_ssl_ticket_keys
Definition: ssl.h:662
_ssl_ticket_keys::enc
aes_context enc
Definition: ssl.h:664
_ssl_ticket_keys::dec
aes_context dec
Definition: ssl.h:665
_ssl_ticket_keys::key_name
unsigned char key_name[16]
Definition: ssl.h:663
_ssl_ticket_keys::mac_key
unsigned char mac_key[16]
Definition: ssl.h:666
_ssl_transform
Definition: ssl.h:548
_ssl_transform::ciphersuite_info
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:552
_ssl_transform::keylen
unsigned int keylen
Definition: ssl.h:554
_ssl_transform::minlen
size_t minlen
Definition: ssl.h:555
_ssl_transform::cipher_ctx_dec
cipher_context_t cipher_ctx_dec
Definition: ssl.h:573
_ssl_transform::fixed_ivlen
size_t fixed_ivlen
Definition: ssl.h:557
_ssl_transform::iv_dec
unsigned char iv_dec[16]
Definition: ssl.h:561
_ssl_transform::iv_enc
unsigned char iv_enc[16]
Definition: ssl.h:560
_ssl_transform::ctx_deflate
z_stream ctx_deflate
Definition: ssl.h:579
_ssl_transform::md_ctx_dec
md_context_t md_ctx_dec
Definition: ssl.h:570
_ssl_transform::mac_dec
unsigned char mac_dec[20]
Definition: ssl.h:566
_ssl_transform::ctx_inflate
z_stream ctx_inflate
Definition: ssl.h:580
_ssl_transform::mac_enc
unsigned char mac_enc[20]
Definition: ssl.h:565
_ssl_transform::md_ctx_enc
md_context_t md_ctx_enc
Definition: ssl.h:569
_ssl_transform::ivlen
size_t ivlen
Definition: ssl.h:556
_ssl_transform::maclen
size_t maclen
Definition: ssl.h:558
_ssl_transform::cipher_ctx_enc
cipher_context_t cipher_ctx_enc
Definition: ssl.h:572
_x509_crl
Certificate revocation list structure.
Definition: x509_crl.h:74
_x509_crt
Container for an X.509 certificate.
Definition: x509_crt.h:58
cipher_context_t::iv
unsigned char iv[POLARSSL_MAX_IV_LENGTH]
Current IV or NONCE_COUNTER for CTR-mode.
Definition: cipher.h:279
cipher_info_t
Cipher information.
Definition: cipher.h:226
cipher_info_t::key_length
unsigned int key_length
Cipher key length, in bits (default length for variable sized ciphers) (Includes parity bits for ciph...
Definition: cipher.h:235
cipher_info_t::mode
cipher_mode_t mode
Cipher mode (e.g.
Definition: cipher.h:231
cipher_info_t::block_size
unsigned int block_size
block size, in bytes
Definition: cipher.h:248
cipher_info_t::iv_size
unsigned int iv_size
IV/NONCE size, in bytes.
Definition: cipher.h:242
dhm_context
DHM context structure.
Definition: dhm.h:157
dhm_context::G
mpi G
Definition: dhm.h:160
dhm_context::K
mpi K
Definition: dhm.h:164
dhm_context::P
mpi P
Definition: dhm.h:159
ecdh_context::z
mpi z
Definition: ecdh.h:54
md5_context
MD5 context structure.
Definition: md5.h:59
md_context_t
Generic message digest context.
Definition: md.h:132
md_context_t::md_info
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:134
md_info_t
Message digest information.
Definition: md.h:74
pk_context
Public key container.
Definition: pk.h:195
rsa_context
RSA context structure.
Definition: rsa.h:84
sha1_context
SHA-1 context structure.
Definition: sha1.h:59
sha256_context
SHA-256 context structure.
Definition: sha256.h:59
sha512_context
SHA-512 context structure.
Definition: sha512.h:60
polarssl_malloc
#define polarssl_malloc
Definition: test_suite_aes.cbc.c:310
polarssl_free
#define polarssl_free
Definition: test_suite_aes.cbc.c:311
Generated on Sat Jul 2 2022 03:36:43 for PolarSSL v1.3.9 by doxygen 1.9.3