Context Navigation

ssl_tls.c @ 1270

Visit:

Revision 1270, 94.2 KB checked in by paul, 10 days ago (diff)
Moved out_msg to out_hdr + 32 to support hardware acceleration

Line
1	/*
2	* SSLv3/TLSv1 shared functions
3	*
4	* Copyright (C) 2006-2012, Brainspark B.V.
5	*
6	* This file is part of PolarSSL (http://www.polarssl.org)
7	* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8	*
9	* All rights reserved.
10	*
11	* This program is free software; you can redistribute it and/or modify
12	* it under the terms of the GNU General Public License as published by
13	* the Free Software Foundation; either version 2 of the License, or
14	* (at your option) any later version.
15	*
16	* This program is distributed in the hope that it will be useful,
17	* but WITHOUT ANY WARRANTY; without even the implied warranty of
18	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19	* GNU General Public License for more details.
20	*
21	* You should have received a copy of the GNU General Public License along
22	* with this program; if not, write to the Free Software Foundation, Inc.,
23	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24	*/
25	/*
26	* The SSL 3.0 specification was drafted by Netscape in 1996,
27	* and became an IETF standard in 1999.
28	*
29	* http://wp.netscape.com/eng/ssl3/
30	* http://www.ietf.org/rfc/rfc2246.txt
31	* http://www.ietf.org/rfc/rfc4346.txt
32	*/
33
34	#include "polarssl/config.h"
35
36	#if defined(POLARSSL_SSL_TLS_C)
37
38	#include "polarssl/aes.h"
39	#include "polarssl/arc4.h"
40	#include "polarssl/camellia.h"
41	#include "polarssl/des.h"
42	#include "polarssl/debug.h"
43	#include "polarssl/ssl.h"
44	#include "polarssl/sha2.h"
45
46	#if defined(POLARSSL_GCM_C)
47	#include "polarssl/gcm.h"
48	#endif
49
50	#include <stdlib.h>
51	#include <time.h>
52
53	#if defined _MSC_VER && !defined strcasecmp
54	#define strcasecmp _stricmp
55	#endif
56
57	#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
58	int (ssl_hw_record_init)(ssl_context ssl,
59	const unsigned char key_enc, const unsigned char key_dec,
60	const unsigned char iv_enc, const unsigned char iv_dec,
61	const unsigned char mac_enc, const unsigned char mac_dec) = NULL;
62	int (ssl_hw_record_reset)(ssl_context ssl) = NULL;
63	int (ssl_hw_record_write)(ssl_context ssl) = NULL;
64	int (ssl_hw_record_read)(ssl_context ssl) = NULL;
65	int (ssl_hw_record_finish)(ssl_context ssl) = NULL;
66	#endif
67
68	/*
69	* Key material generation
70	*/
71	static int tls1_prf( unsigned char secret, size_t slen, char label,
72	unsigned char *random, size_t rlen,
73	unsigned char *dstbuf, size_t dlen )
74	{
75	size_t nb, hs;
76	size_t i, j, k;
77	unsigned char S1, S2;
78	unsigned char tmp[128];
79	unsigned char h_i[20];
80
81	if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
82	return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
83
84	hs = ( slen + 1 ) / 2;
85	S1 = secret;
86	S2 = secret + slen - hs;
87
88	nb = strlen( label );
89	memcpy( tmp + 20, label, nb );
90	memcpy( tmp + 20 + nb, random, rlen );
91	nb += rlen;
92
93	/*
94	* First compute P_md5(secret,label+random)[0..dlen]
95	*/
96	md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
97
98	for( i = 0; i < dlen; i += 16 )
99	{
100	md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
101	md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
102
103	k = ( i + 16 > dlen ) ? dlen % 16 : 16;
104
105	for( j = 0; j < k; j++ )
106	dstbuf[i + j] = h_i[j];
107	}
108
109	/*
110	* XOR out with P_sha1(secret,label+random)[0..dlen]
111	*/
112	sha1_hmac( S2, hs, tmp + 20, nb, tmp );
113
114	for( i = 0; i < dlen; i += 20 )
115	{
116	sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
117	sha1_hmac( S2, hs, tmp, 20, tmp );
118
119	k = ( i + 20 > dlen ) ? dlen % 20 : 20;
120
121	for( j = 0; j < k; j++ )
122	dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
123	}
124
125	memset( tmp, 0, sizeof( tmp ) );
126	memset( h_i, 0, sizeof( h_i ) );
127
128	return( 0 );
129	}
130
131	static int tls_prf_sha256( unsigned char secret, size_t slen, char label,
132	unsigned char *random, size_t rlen,
133	unsigned char *dstbuf, size_t dlen )
134	{
135	size_t nb;
136	size_t i, j, k;
137	unsigned char tmp[128];
138	unsigned char h_i[32];
139
140	if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
141	return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
142
143	nb = strlen( label );
144	memcpy( tmp + 32, label, nb );
145	memcpy( tmp + 32 + nb, random, rlen );
146	nb += rlen;
147
148	/*
149	* Compute P_<hash>(secret, label + random)[0..dlen]
150	*/
151	sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
152
153	for( i = 0; i < dlen; i += 32 )
154	{
155	sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
156	sha2_hmac( secret, slen, tmp, 32, tmp, 0 );
157
158	k = ( i + 32 > dlen ) ? dlen % 32 : 32;
159
160	for( j = 0; j < k; j++ )
161	dstbuf[i + j] = h_i[j];
162	}
163
164	memset( tmp, 0, sizeof( tmp ) );
165	memset( h_i, 0, sizeof( h_i ) );
166
167	return( 0 );
168	}
169
170	static int tls_prf_sha384( unsigned char secret, size_t slen, char label,
171	unsigned char *random, size_t rlen,
172	unsigned char *dstbuf, size_t dlen )
173	{
174	size_t nb;
175	size_t i, j, k;
176	unsigned char tmp[128];
177	unsigned char h_i[48];
178
179	if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
180	return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
181
182	nb = strlen( label );
183	memcpy( tmp + 48, label, nb );
184	memcpy( tmp + 48 + nb, random, rlen );
185	nb += rlen;
186
187	/*
188	* Compute P_<hash>(secret, label + random)[0..dlen]
189	*/
190	sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
191
192	for( i = 0; i < dlen; i += 48 )
193	{
194	sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
195	sha4_hmac( secret, slen, tmp, 48, tmp, 1 );
196
197	k = ( i + 48 > dlen ) ? dlen % 48 : 48;
198
199	for( j = 0; j < k; j++ )
200	dstbuf[i + j] = h_i[j];
201	}
202
203	memset( tmp, 0, sizeof( tmp ) );
204	memset( h_i, 0, sizeof( h_i ) );
205
206	return( 0 );
207	}
208
209	static void ssl_update_checksum_start(ssl_context , unsigned char , size_t);
210	static void ssl_update_checksum_md5sha1(ssl_context , unsigned char , size_t);
211	static void ssl_update_checksum_sha256(ssl_context , unsigned char , size_t);
212	static void ssl_update_checksum_sha384(ssl_context , unsigned char , size_t);
213
214	static void ssl_calc_verify_ssl(ssl_context ,unsigned char );
215	static void ssl_calc_verify_tls(ssl_context ,unsigned char );
216	static void ssl_calc_verify_tls_sha256(ssl_context ,unsigned char );
217	static void ssl_calc_verify_tls_sha384(ssl_context ,unsigned char );
218
219	static void ssl_calc_finished_ssl(ssl_context ,unsigned char ,int);
220	static void ssl_calc_finished_tls(ssl_context ,unsigned char ,int);
221	static void ssl_calc_finished_tls_sha256(ssl_context ,unsigned char ,int);
222	static void ssl_calc_finished_tls_sha384(ssl_context ,unsigned char ,int);
223
224	int ssl_derive_keys( ssl_context *ssl )
225	{
226	int i;
227	md5_context md5;
228	sha1_context sha1;
229	unsigned char tmp[64];
230	unsigned char padding[16];
231	unsigned char sha1sum[20];
232	unsigned char keyblk[256];
233	unsigned char *key1;
234	unsigned char *key2;
235	unsigned int iv_copy_len;
236
237	SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
238
239	/*
240	* Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
241	*/
242	if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
243	{
244	ssl->tls_prf = tls1_prf;
245	ssl->calc_verify = ssl_calc_verify_ssl;
246	ssl->calc_finished = ssl_calc_finished_ssl;
247	}
248	else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
249	{
250	ssl->tls_prf = tls1_prf;
251	ssl->calc_verify = ssl_calc_verify_tls;
252	ssl->calc_finished = ssl_calc_finished_tls;
253	}
254	else if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 \|\|
255	ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
256	{
257	ssl->tls_prf = tls_prf_sha384;
258	ssl->calc_verify = ssl_calc_verify_tls_sha384;
259	ssl->calc_finished = ssl_calc_finished_tls_sha384;
260	}
261	else
262	{
263	ssl->tls_prf = tls_prf_sha256;
264	ssl->calc_verify = ssl_calc_verify_tls_sha256;
265	ssl->calc_finished = ssl_calc_finished_tls_sha256;
266	}
267
268	/*
269	* SSLv3:
270	* master =
271	* MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
272	* MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
273	* MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
274	*
275	* TLSv1:
276	* master = PRF( premaster, "master secret", randbytes )[0..47]
277	*/
278	if( ssl->resume == 0 )
279	{
280	size_t len = ssl->pmslen;
281
282	SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
283
284	if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
285	{
286	for( i = 0; i < 3; i++ )
287	{
288	memset( padding, 'A' + i, 1 + i );
289
290	sha1_starts( &sha1 );
291	sha1_update( &sha1, padding, 1 + i );
292	sha1_update( &sha1, ssl->premaster, len );
293	sha1_update( &sha1, ssl->randbytes, 64 );
294	sha1_finish( &sha1, sha1sum );
295
296	md5_starts( &md5 );
297	md5_update( &md5, ssl->premaster, len );
298	md5_update( &md5, sha1sum, 20 );
299	md5_finish( &md5, ssl->session->master + i * 16 );
300	}
301	}
302	else
303	ssl->tls_prf( ssl->premaster, len, "master secret",
304	ssl->randbytes, 64, ssl->session->master, 48 );
305
306	memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
307	}
308	else
309	SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
310
311	/*
312	* Swap the client and server random values.
313	*/
314	memcpy( tmp, ssl->randbytes, 64 );
315	memcpy( ssl->randbytes, tmp + 32, 32 );
316	memcpy( ssl->randbytes + 32, tmp, 32 );
317	memset( tmp, 0, sizeof( tmp ) );
318
319	/*
320	* SSLv3:
321	* key block =
322	* MD5( master + SHA1( 'A' + master + randbytes ) ) +
323	* MD5( master + SHA1( 'BB' + master + randbytes ) ) +
324	* MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
325	* MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
326	* ...
327	*
328	* TLSv1:
329	* key block = PRF( master, "key expansion", randbytes )
330	*/
331	if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
332	{
333	for( i = 0; i < 16; i++ )
334	{
335	memset( padding, 'A' + i, 1 + i );
336
337	sha1_starts( &sha1 );
338	sha1_update( &sha1, padding, 1 + i );
339	sha1_update( &sha1, ssl->session->master, 48 );
340	sha1_update( &sha1, ssl->randbytes, 64 );
341	sha1_finish( &sha1, sha1sum );
342
343	md5_starts( &md5 );
344	md5_update( &md5, ssl->session->master, 48 );
345	md5_update( &md5, sha1sum, 20 );
346	md5_finish( &md5, keyblk + i * 16 );
347	}
348
349	memset( &md5, 0, sizeof( md5 ) );
350	memset( &sha1, 0, sizeof( sha1 ) );
351
352	memset( padding, 0, sizeof( padding ) );
353	memset( sha1sum, 0, sizeof( sha1sum ) );
354	}
355	else
356	ssl->tls_prf( ssl->session->master, 48, "key expansion",
357	ssl->randbytes, 64, keyblk, 256 );
358
359	SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
360	SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
361	SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
362	SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
363
364	memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
365
366	/*
367	* Determine the appropriate key, IV and MAC length.
368	*/
369	switch( ssl->session->ciphersuite )
370	{
371	#if defined(POLARSSL_ARC4_C)
372	case SSL_RSA_RC4_128_MD5:
373	ssl->keylen = 16; ssl->minlen = 16;
374	ssl->ivlen = 0; ssl->maclen = 16;
375	break;
376
377	case SSL_RSA_RC4_128_SHA:
378	ssl->keylen = 16; ssl->minlen = 20;
379	ssl->ivlen = 0; ssl->maclen = 20;
380	break;
381	#endif
382
383	#if defined(POLARSSL_DES_C)
384	case SSL_RSA_DES_168_SHA:
385	case SSL_EDH_RSA_DES_168_SHA:
386	ssl->keylen = 24; ssl->minlen = 24;
387	ssl->ivlen = 8; ssl->maclen = 20;
388	break;
389	#endif
390
391	#if defined(POLARSSL_AES_C)
392	case SSL_RSA_AES_128_SHA:
393	case SSL_EDH_RSA_AES_128_SHA:
394	ssl->keylen = 16; ssl->minlen = 32;
395	ssl->ivlen = 16; ssl->maclen = 20;
396	break;
397
398	case SSL_RSA_AES_256_SHA:
399	case SSL_EDH_RSA_AES_256_SHA:
400	ssl->keylen = 32; ssl->minlen = 32;
401	ssl->ivlen = 16; ssl->maclen = 20;
402	break;
403
404	#if defined(POLARSSL_SHA2_C)
405	case SSL_RSA_AES_128_SHA256:
406	case SSL_EDH_RSA_AES_128_SHA256:
407	ssl->keylen = 16; ssl->minlen = 32;
408	ssl->ivlen = 16; ssl->maclen = 32;
409	break;
410
411	case SSL_RSA_AES_256_SHA256:
412	case SSL_EDH_RSA_AES_256_SHA256:
413	ssl->keylen = 32; ssl->minlen = 32;
414	ssl->ivlen = 16; ssl->maclen = 32;
415	break;
416	#endif
417	#if defined(POLARSSL_GCM_C)
418	case SSL_RSA_AES_128_GCM_SHA256:
419	case SSL_EDH_RSA_AES_128_GCM_SHA256:
420	ssl->keylen = 16; ssl->minlen = 1;
421	ssl->ivlen = 12; ssl->maclen = 0;
422	ssl->fixed_ivlen = 4;
423	break;
424
425	case SSL_RSA_AES_256_GCM_SHA384:
426	case SSL_EDH_RSA_AES_256_GCM_SHA384:
427	ssl->keylen = 32; ssl->minlen = 1;
428	ssl->ivlen = 12; ssl->maclen = 0;
429	ssl->fixed_ivlen = 4;
430	break;
431	#endif
432	#endif
433
434	#if defined(POLARSSL_CAMELLIA_C)
435	case SSL_RSA_CAMELLIA_128_SHA:
436	case SSL_EDH_RSA_CAMELLIA_128_SHA:
437	ssl->keylen = 16; ssl->minlen = 32;
438	ssl->ivlen = 16; ssl->maclen = 20;
439	break;
440
441	case SSL_RSA_CAMELLIA_256_SHA:
442	case SSL_EDH_RSA_CAMELLIA_256_SHA:
443	ssl->keylen = 32; ssl->minlen = 32;
444	ssl->ivlen = 16; ssl->maclen = 20;
445	break;
446
447	#if defined(POLARSSL_SHA2_C)
448	case SSL_RSA_CAMELLIA_128_SHA256:
449	case SSL_EDH_RSA_CAMELLIA_128_SHA256:
450	ssl->keylen = 16; ssl->minlen = 32;
451	ssl->ivlen = 16; ssl->maclen = 32;
452	break;
453
454	case SSL_RSA_CAMELLIA_256_SHA256:
455	case SSL_EDH_RSA_CAMELLIA_256_SHA256:
456	ssl->keylen = 32; ssl->minlen = 32;
457	ssl->ivlen = 16; ssl->maclen = 32;
458	break;
459	#endif
460	#endif
461
462	#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
463	#if defined(POLARSSL_CIPHER_NULL_CIPHER)
464	case SSL_RSA_NULL_MD5:
465	ssl->keylen = 0; ssl->minlen = 0;
466	ssl->ivlen = 0; ssl->maclen = 16;
467	break;
468
469	case SSL_RSA_NULL_SHA:
470	ssl->keylen = 0; ssl->minlen = 0;
471	ssl->ivlen = 0; ssl->maclen = 20;
472	break;
473
474	case SSL_RSA_NULL_SHA256:
475	ssl->keylen = 0; ssl->minlen = 0;
476	ssl->ivlen = 0; ssl->maclen = 32;
477	break;
478	#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
479
480	#if defined(POLARSSL_DES_C)
481	case SSL_RSA_DES_SHA:
482	case SSL_EDH_RSA_DES_SHA:
483	ssl->keylen = 8; ssl->minlen = 8;
484	ssl->ivlen = 8; ssl->maclen = 20;
485	break;
486	#endif
487	#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
488
489	default:
490	SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
491	ssl_get_ciphersuite( ssl ) ) );
492	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
493	}
494
495	SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
496	ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
497
498	/*
499	* Finally setup the cipher contexts, IVs and MAC secrets.
500	*/
501	if( ssl->endpoint == SSL_IS_CLIENT )
502	{
503	key1 = keyblk + ssl->maclen * 2;
504	key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
505
506	memcpy( ssl->mac_enc, keyblk, ssl->maclen );
507	memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
508
509	/*
510	* This is not used in TLS v1.1.
511	*/
512	iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
513	memcpy( ssl->iv_enc, key2 + ssl->keylen, iv_copy_len );
514	memcpy( ssl->iv_dec, key2 + ssl->keylen + iv_copy_len,
515	iv_copy_len );
516	}
517	else
518	{
519	key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
520	key2 = keyblk + ssl->maclen * 2;
521
522	memcpy( ssl->mac_dec, keyblk, ssl->maclen );
523	memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
524
525	/*
526	* This is not used in TLS v1.1.
527	*/
528	iv_copy_len = ( ssl->fixed_ivlen ) ? ssl->fixed_ivlen : ssl->ivlen;
529	memcpy( ssl->iv_dec, key1 + ssl->keylen, iv_copy_len );
530	memcpy( ssl->iv_enc, key1 + ssl->keylen + iv_copy_len,
531	iv_copy_len );
532	}
533
534	#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
535	if( ssl_hw_record_init != NULL)
536	{
537	int ret = 0;
538
539	SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
540
541	if( ( ret = ssl_hw_record_init( ssl, key1, key2, ssl->iv_enc,
542	ssl->iv_dec, ssl->mac_enc,
543	ssl->mac_dec ) ) != 0 )
544	{
545	SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
546	return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
547	}
548	}
549	#endif
550
551	switch( ssl->session->ciphersuite )
552	{
553	#if defined(POLARSSL_ARC4_C)
554	case SSL_RSA_RC4_128_MD5:
555	case SSL_RSA_RC4_128_SHA:
556	arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
557	arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
558	break;
559	#endif
560
561	#if defined(POLARSSL_DES_C)
562	case SSL_RSA_DES_168_SHA:
563	case SSL_EDH_RSA_DES_168_SHA:
564	des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
565	des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
566	break;
567	#endif
568
569	#if defined(POLARSSL_AES_C)
570	case SSL_RSA_AES_128_SHA:
571	case SSL_EDH_RSA_AES_128_SHA:
572	case SSL_RSA_AES_128_SHA256:
573	case SSL_EDH_RSA_AES_128_SHA256:
574	aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
575	aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
576	break;
577
578	case SSL_RSA_AES_256_SHA:
579	case SSL_EDH_RSA_AES_256_SHA:
580	case SSL_RSA_AES_256_SHA256:
581	case SSL_EDH_RSA_AES_256_SHA256:
582	aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
583	aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
584	break;
585
586	#if defined(POLARSSL_GCM_C)
587	case SSL_RSA_AES_128_GCM_SHA256:
588	case SSL_EDH_RSA_AES_128_GCM_SHA256:
589	gcm_init( (gcm_context *) ssl->ctx_enc, key1, 128 );
590	gcm_init( (gcm_context *) ssl->ctx_dec, key2, 128 );
591	break;
592
593	case SSL_RSA_AES_256_GCM_SHA384:
594	case SSL_EDH_RSA_AES_256_GCM_SHA384:
595	gcm_init( (gcm_context *) ssl->ctx_enc, key1, 256 );
596	gcm_init( (gcm_context *) ssl->ctx_dec, key2, 256 );
597	break;
598	#endif
599	#endif
600
601	#if defined(POLARSSL_CAMELLIA_C)
602	case SSL_RSA_CAMELLIA_128_SHA:
603	case SSL_EDH_RSA_CAMELLIA_128_SHA:
604	case SSL_RSA_CAMELLIA_128_SHA256:
605	case SSL_EDH_RSA_CAMELLIA_128_SHA256:
606	camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
607	camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
608	break;
609
610	case SSL_RSA_CAMELLIA_256_SHA:
611	case SSL_EDH_RSA_CAMELLIA_256_SHA:
612	case SSL_RSA_CAMELLIA_256_SHA256:
613	case SSL_EDH_RSA_CAMELLIA_256_SHA256:
614	camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
615	camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
616	break;
617	#endif
618
619	#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
620	#if defined(POLARSSL_CIPHER_NULL_CIPHER)
621	case SSL_RSA_NULL_MD5:
622	case SSL_RSA_NULL_SHA:
623	case SSL_RSA_NULL_SHA256:
624	break;
625	#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
626
627	#if defined(POLARSSL_DES_C)
628	case SSL_RSA_DES_SHA:
629	case SSL_EDH_RSA_DES_SHA:
630	des_setkey_enc( (des_context *) ssl->ctx_enc, key1 );
631	des_setkey_dec( (des_context *) ssl->ctx_dec, key2 );
632	break;
633	#endif
634	#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
635
636	default:
637	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
638	}
639
640	memset( keyblk, 0, sizeof( keyblk ) );
641
642	SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
643
644	return( 0 );
645	}
646
647	void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
648	{
649	md5_context md5;
650	sha1_context sha1;
651	unsigned char pad_1[48];
652	unsigned char pad_2[48];
653
654	SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
655
656	memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
657	memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
658	sizeof( sha1_context ) );
659
660	memset( pad_1, 0x36, 48 );
661	memset( pad_2, 0x5C, 48 );
662
663	md5_update( &md5, ssl->session->master, 48 );
664	md5_update( &md5, pad_1, 48 );
665	md5_finish( &md5, hash );
666
667	md5_starts( &md5 );
668	md5_update( &md5, ssl->session->master, 48 );
669	md5_update( &md5, pad_2, 48 );
670	md5_update( &md5, hash, 16 );
671	md5_finish( &md5, hash );
672
673	sha1_update( &sha1, ssl->session->master, 48 );
674	sha1_update( &sha1, pad_1, 40 );
675	sha1_finish( &sha1, hash + 16 );
676
677	sha1_starts( &sha1 );
678	sha1_update( &sha1, ssl->session->master, 48 );
679	sha1_update( &sha1, pad_2, 40 );
680	sha1_update( &sha1, hash + 16, 20 );
681	sha1_finish( &sha1, hash + 16 );
682
683	SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
684	SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
685
686	return;
687	}
688
689	void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
690	{
691	md5_context md5;
692	sha1_context sha1;
693
694	SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
695
696	memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
697	memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
698	sizeof( sha1_context ) );
699
700	md5_finish( &md5, hash );
701	sha1_finish( &sha1, hash + 16 );
702
703	SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
704	SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
705
706	return;
707	}
708
709	void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
710	{
711	sha2_context sha2;
712
713	SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
714
715	memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
716	sha2_finish( &sha2, hash );
717
718	SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
719	SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
720
721	return;
722	}
723
724	void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
725	{
726	sha4_context sha4;
727
728	SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
729
730	memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
731	sha4_finish( &sha4, hash );
732
733	SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
734	SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
735
736	return;
737	}
738
739	/*
740	* SSLv3.0 MAC functions
741	*/
742	static void ssl_mac_md5( unsigned char *secret,
743	unsigned char *buf, size_t len,
744	unsigned char *ctr, int type )
745	{
746	unsigned char header[11];
747	unsigned char padding[48];
748	md5_context md5;
749
750	memcpy( header, ctr, 8 );
751	header[ 8] = (unsigned char) type;
752	header[ 9] = (unsigned char)( len >> 8 );
753	header[10] = (unsigned char)( len );
754
755	memset( padding, 0x36, 48 );
756	md5_starts( &md5 );
757	md5_update( &md5, secret, 16 );
758	md5_update( &md5, padding, 48 );
759	md5_update( &md5, header, 11 );
760	md5_update( &md5, buf, len );
761	md5_finish( &md5, buf + len );
762
763	memset( padding, 0x5C, 48 );
764	md5_starts( &md5 );
765	md5_update( &md5, secret, 16 );
766	md5_update( &md5, padding, 48 );
767	md5_update( &md5, buf + len, 16 );
768	md5_finish( &md5, buf + len );
769	}
770
771	static void ssl_mac_sha1( unsigned char *secret,
772	unsigned char *buf, size_t len,
773	unsigned char *ctr, int type )
774	{
775	unsigned char header[11];
776	unsigned char padding[40];
777	sha1_context sha1;
778
779	memcpy( header, ctr, 8 );
780	header[ 8] = (unsigned char) type;
781	header[ 9] = (unsigned char)( len >> 8 );
782	header[10] = (unsigned char)( len );
783
784	memset( padding, 0x36, 40 );
785	sha1_starts( &sha1 );
786	sha1_update( &sha1, secret, 20 );
787	sha1_update( &sha1, padding, 40 );
788	sha1_update( &sha1, header, 11 );
789	sha1_update( &sha1, buf, len );
790	sha1_finish( &sha1, buf + len );
791
792	memset( padding, 0x5C, 40 );
793	sha1_starts( &sha1 );
794	sha1_update( &sha1, secret, 20 );
795	sha1_update( &sha1, padding, 40 );
796	sha1_update( &sha1, buf + len, 20 );
797	sha1_finish( &sha1, buf + len );
798	}
799
800	/*
801	* Encryption/decryption functions
802	*/
803	static int ssl_encrypt_buf( ssl_context *ssl )
804	{
805	size_t i, padlen;
806
807	SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
808
809	/*
810	* Add MAC then encrypt
811	*/
812	if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
813	{
814	if( ssl->maclen == 16 )
815	ssl_mac_md5( ssl->mac_enc,
816	ssl->out_msg, ssl->out_msglen,
817	ssl->out_ctr, ssl->out_msgtype );
818
819	if( ssl->maclen == 20 )
820	ssl_mac_sha1( ssl->mac_enc,
821	ssl->out_msg, ssl->out_msglen,
822	ssl->out_ctr, ssl->out_msgtype );
823	}
824	else
825	{
826	if( ssl->maclen == 16 )
827	{
828	md5_context ctx;
829	md5_hmac_starts( &ctx, ssl->mac_enc, 16 );
830	md5_hmac_update( &ctx, ssl->out_ctr, 13 );
831	md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
832	md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
833	memset( &ctx, 0, sizeof(md5_context));
834	}
835
836	if( ssl->maclen == 20 )
837	{
838	sha1_context ctx;
839	sha1_hmac_starts( &ctx, ssl->mac_enc, 20 );
840	sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
841	sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
842	sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
843	memset( &ctx, 0, sizeof(sha1_context));
844	}
845
846	if( ssl->maclen == 32 )
847	{
848	sha2_context ctx;
849	sha2_hmac_starts( &ctx, ssl->mac_enc, 32, 0 );
850	sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
851	sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
852	sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
853	memset( &ctx, 0, sizeof(sha2_context));
854	}
855	}
856
857	SSL_DEBUG_BUF( 4, "computed mac",
858	ssl->out_msg + ssl->out_msglen, ssl->maclen );
859
860	ssl->out_msglen += ssl->maclen;
861
862	if( ssl->ivlen == 0 )
863	{
864	padlen = 0;
865
866	SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
867	"including %d bytes of padding",
868	ssl->out_msglen, 0 ) );
869
870	SSL_DEBUG_BUF( 4, "before encrypt: output payload",
871	ssl->out_msg, ssl->out_msglen );
872
873	#if defined(POLARSSL_ARC4_C)
874	if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 \|\|
875	ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
876	{
877	arc4_crypt( (arc4_context *) ssl->ctx_enc,
878	ssl->out_msglen, ssl->out_msg,
879	ssl->out_msg );
880	} else
881	#endif
882	#if defined(POLARSSL_CIPHER_NULL_CIPHER)
883	if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 \|\|
884	ssl->session->ciphersuite == SSL_RSA_NULL_SHA \|\|
885	ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
886	{
887	} else
888	#endif
889	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
890	}
891	else if( ssl->ivlen == 12 )
892	{
893	size_t enc_msglen;
894	unsigned char *enc_msg;
895	unsigned char add_data[13];
896	int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
897
898	padlen = 0;
899	enc_msglen = ssl->out_msglen;
900
901	memcpy( add_data, ssl->out_ctr, 8 );
902	add_data[8] = ssl->out_msgtype;
903	add_data[9] = ssl->major_ver;
904	add_data[10] = ssl->minor_ver;
905	add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
906	add_data[12] = ssl->out_msglen & 0xFF;
907
908	SSL_DEBUG_BUF( 4, "additional data used for AEAD",
909	add_data, 13 );
910
911	#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
912
913	if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 \|\|
914	ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 \|\|
915	ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 \|\|
916	ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
917	{
918	/*
919	* Generate IV
920	*/
921	ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc + ssl->fixed_ivlen,
922	ssl->ivlen - ssl->fixed_ivlen );
923	if( ret != 0 )
924	return( ret );
925
926	/*
927	* Shift message for ivlen bytes and prepend IV
928	*/
929	memmove( ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen,
930	ssl->out_msg, ssl->out_msglen );
931	memcpy( ssl->out_msg, ssl->iv_enc + ssl->fixed_ivlen,
932	ssl->ivlen - ssl->fixed_ivlen );
933
934	/*
935	* Fix pointer positions and message length with added IV
936	*/
937	enc_msg = ssl->out_msg + ssl->ivlen - ssl->fixed_ivlen;
938	enc_msglen = ssl->out_msglen;
939	ssl->out_msglen += ssl->ivlen - ssl->fixed_ivlen;
940
941	SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
942	"including %d bytes of padding",
943	ssl->out_msglen, 0 ) );
944
945	SSL_DEBUG_BUF( 4, "before encrypt: output payload",
946	ssl->out_msg, ssl->out_msglen );
947
948	/*
949	* Adjust for tag
950	*/
951	ssl->out_msglen += 16;
952
953	gcm_crypt_and_tag( (gcm_context *) ssl->ctx_enc,
954	GCM_ENCRYPT, enc_msglen,
955	ssl->iv_enc, ssl->ivlen,
956	add_data, 13,
957	enc_msg, enc_msg,
958	16, enc_msg + enc_msglen );
959
960	SSL_DEBUG_BUF( 4, "after encrypt: tag",
961	enc_msg + enc_msglen, 16 );
962
963	} else
964	#endif
965	return( ret );
966	}
967	else
968	{
969	unsigned char *enc_msg;
970	size_t enc_msglen;
971
972	padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
973	if( padlen == ssl->ivlen )
974	padlen = 0;
975
976	for( i = 0; i <= padlen; i++ )
977	ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
978
979	ssl->out_msglen += padlen + 1;
980
981	enc_msglen = ssl->out_msglen;
982	enc_msg = ssl->out_msg;
983
984	/*
985	* Prepend per-record IV for block cipher in TLS v1.1 and up as per
986	* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
987	*/
988	if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
989	{
990	/*
991	* Generate IV
992	*/
993	int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
994	if( ret != 0 )
995	return( ret );
996
997	/*
998	* Shift message for ivlen bytes and prepend IV
999	*/
1000	memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
1001	memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
1002
1003	/*
1004	* Fix pointer positions and message length with added IV
1005	*/
1006	enc_msg = ssl->out_msg + ssl->ivlen;
1007	enc_msglen = ssl->out_msglen;
1008	ssl->out_msglen += ssl->ivlen;
1009	}
1010
1011	SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1012	"including %d bytes of IV and %d bytes of padding",
1013	ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
1014
1015	SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1016	ssl->out_msg, ssl->out_msglen );
1017
1018	switch( ssl->ivlen )
1019	{
1020	#if defined(POLARSSL_DES_C)
1021	case 8:
1022	#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1023	if( ssl->session->ciphersuite == SSL_RSA_DES_SHA \|\|
1024	ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1025	{
1026	des_crypt_cbc( (des_context *) ssl->ctx_enc,
1027	DES_ENCRYPT, enc_msglen,
1028	ssl->iv_enc, enc_msg, enc_msg );
1029	}
1030	else
1031	#endif
1032	des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
1033	DES_ENCRYPT, enc_msglen,
1034	ssl->iv_enc, enc_msg, enc_msg );
1035	break;
1036	#endif
1037
1038	case 16:
1039	#if defined(POLARSSL_AES_C)
1040	if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA \|\|
1041	ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA \|\|
1042	ssl->session->ciphersuite == SSL_RSA_AES_256_SHA \|\|
1043	ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA \|\|
1044	ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 \|\|
1045	ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 \|\|
1046	ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 \|\|
1047	ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
1048	{
1049	aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
1050	AES_ENCRYPT, enc_msglen,
1051	ssl->iv_enc, enc_msg, enc_msg);
1052	break;
1053	}
1054	#endif
1055
1056	#if defined(POLARSSL_CAMELLIA_C)
1057	if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA \|\|
1058	ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA \|\|
1059	ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA \|\|
1060	ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA \|\|
1061	ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 \|\|
1062	ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 \|\|
1063	ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 \|\|
1064	ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
1065	{
1066	camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
1067	CAMELLIA_ENCRYPT, enc_msglen,
1068	ssl->iv_enc, enc_msg, enc_msg );
1069	break;
1070	}
1071	#endif
1072
1073	default:
1074	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
1075	}
1076	}
1077
1078	for( i = 8; i > 0; i-- )
1079	if( ++ssl->out_ctr[i - 1] != 0 )
1080	break;
1081
1082	SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1083
1084	return( 0 );
1085	}
1086
1087	/*
1088	* TODO: Use digest version when integrated!
1089	*/
1090	#define POLARSSL_SSL_MAX_MAC_SIZE 32
1091
1092	static int ssl_decrypt_buf( ssl_context *ssl )
1093	{
1094	size_t i, padlen;
1095	unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1096
1097	SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1098
1099	if( ssl->in_msglen < ssl->minlen )
1100	{
1101	SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1102	ssl->in_msglen, ssl->minlen ) );
1103	return( POLARSSL_ERR_SSL_INVALID_MAC );
1104	}
1105
1106	if( ssl->ivlen == 0 )
1107	{
1108	#if defined(POLARSSL_ARC4_C)
1109	padlen = 0;
1110	if( ssl->session->ciphersuite == SSL_RSA_RC4_128_MD5 \|\|
1111	ssl->session->ciphersuite == SSL_RSA_RC4_128_SHA )
1112	{
1113	arc4_crypt( (arc4_context *) ssl->ctx_dec,
1114	ssl->in_msglen, ssl->in_msg,
1115	ssl->in_msg );
1116	} else
1117	#endif
1118	#if defined(POLARSSL_CIPHER_NULL_CIPHER)
1119	if( ssl->session->ciphersuite == SSL_RSA_NULL_MD5 \|\|
1120	ssl->session->ciphersuite == SSL_RSA_NULL_SHA \|\|
1121	ssl->session->ciphersuite == SSL_RSA_NULL_SHA256 )
1122	{
1123	} else
1124	#endif
1125	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
1126	}
1127	else if( ssl->ivlen == 12 )
1128	{
1129	unsigned char *dec_msg;
1130	unsigned char *dec_msg_result;
1131	size_t dec_msglen;
1132	unsigned char add_data[13];
1133	int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1134
1135	padlen = 0;
1136
1137	#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
1138	if( ssl->session->ciphersuite == SSL_RSA_AES_128_GCM_SHA256 \|\|
1139	ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 \|\|
1140	ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 \|\|
1141	ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
1142	{
1143	dec_msglen = ssl->in_msglen - ( ssl->ivlen - ssl->fixed_ivlen );
1144	dec_msglen -= 16;
1145	dec_msg = ssl->in_msg + ( ssl->ivlen - ssl->fixed_ivlen );
1146	dec_msg_result = ssl->in_msg;
1147	ssl->in_msglen = dec_msglen;
1148
1149	memcpy( add_data, ssl->in_ctr, 8 );
1150	add_data[8] = ssl->in_msgtype;
1151	add_data[9] = ssl->major_ver;
1152	add_data[10] = ssl->minor_ver;
1153	add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1154	add_data[12] = ssl->in_msglen & 0xFF;
1155
1156	SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1157	add_data, 13 );
1158
1159	memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1160	ssl->ivlen - ssl->fixed_ivlen );
1161
1162	SSL_DEBUG_BUF( 4, "IV used", ssl->iv_dec, ssl->ivlen );
1163	SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
1164
1165	memcpy( ssl->iv_dec + ssl->fixed_ivlen, ssl->in_msg,
1166	ssl->ivlen - ssl->fixed_ivlen );
1167
1168	ret = gcm_auth_decrypt( (gcm_context *) ssl->ctx_dec,
1169	dec_msglen,
1170	ssl->iv_dec, ssl->ivlen,
1171	add_data, 13,
1172	dec_msg + dec_msglen, 16,
1173	dec_msg, dec_msg_result );
1174
1175	if( ret != 0 )
1176	{
1177	SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
1178	-ret ) );
1179
1180	return( POLARSSL_ERR_SSL_INVALID_MAC );
1181	}
1182	} else
1183	#endif
1184	return( ret );
1185	}
1186	else
1187	{
1188	unsigned char *dec_msg;
1189	unsigned char *dec_msg_result;
1190	size_t dec_msglen;
1191
1192	/*
1193	* Decrypt and check the padding
1194	*/
1195	if( ssl->in_msglen % ssl->ivlen != 0 )
1196	{
1197	SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1198	ssl->in_msglen, ssl->ivlen ) );
1199	return( POLARSSL_ERR_SSL_INVALID_MAC );
1200	}
1201
1202	dec_msglen = ssl->in_msglen;
1203	dec_msg = ssl->in_msg;
1204	dec_msg_result = ssl->in_msg;
1205
1206	/*
1207	* Initialize for prepended IV for block cipher in TLS v1.1 and up
1208	*/
1209	if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1210	{
1211	dec_msg += ssl->ivlen;
1212	dec_msglen -= ssl->ivlen;
1213	ssl->in_msglen -= ssl->ivlen;
1214
1215	for( i = 0; i < ssl->ivlen; i++ )
1216	ssl->iv_dec[i] = ssl->in_msg[i];
1217	}
1218
1219	switch( ssl->ivlen )
1220	{
1221	#if defined(POLARSSL_DES_C)
1222	case 8:
1223	#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
1224	if( ssl->session->ciphersuite == SSL_RSA_DES_SHA \|\|
1225	ssl->session->ciphersuite == SSL_EDH_RSA_DES_SHA )
1226	{
1227	des_crypt_cbc( (des_context *) ssl->ctx_dec,
1228	DES_DECRYPT, dec_msglen,
1229	ssl->iv_dec, dec_msg, dec_msg_result );
1230	}
1231	else
1232	#endif
1233	des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
1234	DES_DECRYPT, dec_msglen,
1235	ssl->iv_dec, dec_msg, dec_msg_result );
1236	break;
1237	#endif
1238
1239	case 16:
1240	#if defined(POLARSSL_AES_C)
1241	if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA \|\|
1242	ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA \|\|
1243	ssl->session->ciphersuite == SSL_RSA_AES_256_SHA \|\|
1244	ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA \|\|
1245	ssl->session->ciphersuite == SSL_RSA_AES_128_SHA256 \|\|
1246	ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA256 \|\|
1247	ssl->session->ciphersuite == SSL_RSA_AES_256_SHA256 \|\|
1248	ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA256 )
1249	{
1250	aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
1251	AES_DECRYPT, dec_msglen,
1252	ssl->iv_dec, dec_msg, dec_msg_result );
1253	break;
1254	}
1255	#endif
1256
1257	#if defined(POLARSSL_CAMELLIA_C)
1258	if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA \|\|
1259	ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA \|\|
1260	ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA \|\|
1261	ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA \|\|
1262	ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA256 \|\|
1263	ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 \|\|
1264	ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA256 \|\|
1265	ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
1266	{
1267	camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
1268	CAMELLIA_DECRYPT, dec_msglen,
1269	ssl->iv_dec, dec_msg, dec_msg_result );
1270	break;
1271	}
1272	#endif
1273
1274	default:
1275	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
1276	}
1277
1278	padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1279
1280	if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1281	{
1282	if( padlen > ssl->ivlen )
1283	{
1284	SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1285	"should be no more than %d",
1286	padlen, ssl->ivlen ) );
1287	padlen = 0;
1288	}
1289	}
1290	else
1291	{
1292	/*
1293	* TLSv1: always check the padding
1294	*/
1295	for( i = 1; i <= padlen; i++ )
1296	{
1297	if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
1298	{
1299	SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
1300	"%02x, but is %02x", padlen - 1,
1301	ssl->in_msg[ssl->in_msglen - i] ) );
1302	padlen = 0;
1303	}
1304	}
1305	}
1306	}
1307
1308	SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1309	ssl->in_msg, ssl->in_msglen );
1310
1311	/*
1312	* Always compute the MAC (RFC4346, CBCTIME).
1313	*/
1314	if( ssl->in_msglen < ssl->maclen + padlen )
1315	{
1316	SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1317	ssl->in_msglen, ssl->maclen, padlen ) );
1318	return( POLARSSL_ERR_SSL_INVALID_MAC );
1319	}
1320
1321	ssl->in_msglen -= ( ssl->maclen + padlen );
1322
1323	ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1324	ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1325
1326	memcpy( tmp, ssl->in_msg + ssl->in_msglen, POLARSSL_SSL_MAX_MAC_SIZE );
1327
1328	if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1329	{
1330	if( ssl->maclen == 16 )
1331	ssl_mac_md5( ssl->mac_dec,
1332	ssl->in_msg, ssl->in_msglen,
1333	ssl->in_ctr, ssl->in_msgtype );
1334	else if( ssl->maclen == 20 )
1335	ssl_mac_sha1( ssl->mac_dec,
1336	ssl->in_msg, ssl->in_msglen,
1337	ssl->in_ctr, ssl->in_msgtype );
1338	}
1339	else
1340	{
1341	if( ssl->maclen == 16 )
1342	md5_hmac( ssl->mac_dec, 16,
1343	ssl->in_ctr, ssl->in_msglen + 13,
1344	ssl->in_msg + ssl->in_msglen );
1345	else if( ssl->maclen == 20 )
1346	sha1_hmac( ssl->mac_dec, 20,
1347	ssl->in_ctr, ssl->in_msglen + 13,
1348	ssl->in_msg + ssl->in_msglen );
1349	else if( ssl->maclen == 32 )
1350	sha2_hmac( ssl->mac_dec, 32,
1351	ssl->in_ctr, ssl->in_msglen + 13,
1352	ssl->in_msg + ssl->in_msglen, 0 );
1353	}
1354
1355	SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
1356	SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1357	ssl->maclen );
1358
1359	if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1360	ssl->maclen ) != 0 )
1361	{
1362	SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1363	return( POLARSSL_ERR_SSL_INVALID_MAC );
1364	}
1365
1366	/*
1367	* Finally check the padding length; bad padding
1368	* will produce the same error as an invalid MAC.
1369	*/
1370	if( ssl->ivlen != 0 && ssl->ivlen != 12 && padlen == 0 )
1371	return( POLARSSL_ERR_SSL_INVALID_MAC );
1372
1373	if( ssl->in_msglen == 0 )
1374	{
1375	ssl->nb_zero++;
1376
1377	/*
1378	* Three or more empty messages may be a DoS attack
1379	* (excessive CPU consumption).
1380	*/
1381	if( ssl->nb_zero > 3 )
1382	{
1383	SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1384	"messages, possible DoS attack" ) );
1385	return( POLARSSL_ERR_SSL_INVALID_MAC );
1386	}
1387	}
1388	else
1389	ssl->nb_zero = 0;
1390
1391	for( i = 8; i > 0; i-- )
1392	if( ++ssl->in_ctr[i - 1] != 0 )
1393	break;
1394
1395	SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1396
1397	return( 0 );
1398	}
1399
1400	/*
1401	* Fill the input message buffer
1402	*/
1403	int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1404	{
1405	int ret;
1406	size_t len;
1407
1408	SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1409
1410	while( ssl->in_left < nb_want )
1411	{
1412	len = nb_want - ssl->in_left;
1413	ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1414
1415	SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1416	ssl->in_left, nb_want ) );
1417	SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1418
1419	if( ret == 0 )
1420	return( POLARSSL_ERR_SSL_CONN_EOF );
1421
1422	if( ret < 0 )
1423	return( ret );
1424
1425	ssl->in_left += ret;
1426	}
1427
1428	SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1429
1430	return( 0 );
1431	}
1432
1433	/*
1434	* Flush any data not yet written
1435	*/
1436	int ssl_flush_output( ssl_context *ssl )
1437	{
1438	int ret;
1439	unsigned char *buf;
1440
1441	SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1442
1443	while( ssl->out_left > 0 )
1444	{
1445	SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1446	5 + ssl->out_msglen, ssl->out_left ) );
1447
1448	if( ssl->out_msglen < ssl->out_left )
1449	{
1450	size_t header_left = ssl->out_left - ssl->out_msglen;
1451
1452	buf = ssl->out_hdr + 5 - header_left;
1453	ret = ssl->f_send( ssl->p_send, buf, header_left );
1454
1455	SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
1456
1457	if( ret <= 0 )
1458	return( ret );
1459
1460	ssl->out_left -= ret;
1461	}
1462
1463	buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
1464	ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1465
1466	SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1467
1468	if( ret <= 0 )
1469	return( ret );
1470
1471	ssl->out_left -= ret;
1472	}
1473
1474	SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1475
1476	return( 0 );
1477	}
1478
1479	/*
1480	* Record layer functions
1481	*/
1482	int ssl_write_record( ssl_context *ssl )
1483	{
1484	int ret, done = 0;
1485	size_t len = ssl->out_msglen;
1486
1487	SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1488
1489	if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1490	{
1491	ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1492	ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1493	ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1494
1495	ssl->update_checksum( ssl, ssl->out_msg, len );
1496	}
1497
1498	#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1499	if( ssl_hw_record_write != NULL)
1500	{
1501	SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1502
1503	ret = ssl_hw_record_write( ssl );
1504	if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1505	{
1506	SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1507	return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1508	}
1509	done = 1;
1510	}
1511	#endif
1512	if( !done )
1513	{
1514	ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1515	ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1516	ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1517	ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1518	ssl->out_hdr[4] = (unsigned char)( len );
1519
1520	if( ssl->do_crypt != 0 )
1521	{
1522	if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1523	{
1524	SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1525	return( ret );
1526	}
1527
1528	len = ssl->out_msglen;
1529	ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1530	ssl->out_hdr[4] = (unsigned char)( len );
1531	}
1532
1533	ssl->out_left = 5 + ssl->out_msglen;
1534
1535	SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1536	"version = [%d:%d], msglen = %d",
1537	ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1538	( ssl->out_hdr[3] << 8 ) \| ssl->out_hdr[4] ) );
1539
1540	SSL_DEBUG_BUF( 4, "output record header sent to network",
1541	ssl->out_hdr, 5 );
1542	SSL_DEBUG_BUF( 4, "output record sent to network",
1543	ssl->out_hdr + 32, ssl->out_msglen );
1544	}
1545
1546	if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1547	{
1548	SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1549	return( ret );
1550	}
1551
1552	SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1553
1554	return( 0 );
1555	}
1556
1557	int ssl_read_record( ssl_context *ssl )
1558	{
1559	int ret, done = 0;
1560
1561	SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1562
1563	if( ssl->in_hslen != 0 &&
1564	ssl->in_hslen < ssl->in_msglen )
1565	{
1566	/*
1567	* Get next Handshake message in the current record
1568	*/
1569	ssl->in_msglen -= ssl->in_hslen;
1570
1571	memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
1572	ssl->in_msglen );
1573
1574	ssl->in_hslen = 4;
1575	ssl->in_hslen += ( ssl->in_msg[2] << 8 ) \| ssl->in_msg[3];
1576
1577	SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1578	" %d, type = %d, hslen = %d",
1579	ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1580
1581	if( ssl->in_msglen < 4 \|\| ssl->in_msg[1] != 0 )
1582	{
1583	SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1584	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1585	}
1586
1587	if( ssl->in_msglen < ssl->in_hslen )
1588	{
1589	SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1590	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1591	}
1592
1593	ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
1594
1595	return( 0 );
1596	}
1597
1598	ssl->in_hslen = 0;
1599
1600	/*
1601	* Read the record header and validate it
1602	*/
1603	if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
1604	{
1605	SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1606	return( ret );
1607	}
1608
1609	ssl->in_msgtype = ssl->in_hdr[0];
1610	ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) \| ssl->in_hdr[4];
1611
1612	SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
1613	"version = [%d:%d], msglen = %d",
1614	ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
1615	( ssl->in_hdr[3] << 8 ) \| ssl->in_hdr[4] ) );
1616
1617	if( ssl->in_hdr[1] != ssl->major_ver )
1618	{
1619	SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
1620	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1621	}
1622
1623	if( ssl->in_hdr[2] > ssl->max_minor_ver )
1624	{
1625	SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
1626	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1627	}
1628
1629	/*
1630	* Make sure the message length is acceptable
1631	*/
1632	if( ssl->do_crypt == 0 )
1633	{
1634	if( ssl->in_msglen < 1 \|\|
1635	ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1636	{
1637	SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1638	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1639	}
1640	}
1641	else
1642	{
1643	if( ssl->in_msglen < ssl->minlen )
1644	{
1645	SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1646	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1647	}
1648
1649	if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
1650	ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
1651	{
1652	SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1653	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1654	}
1655
1656	/*
1657	* TLS encrypted messages can have up to 256 bytes of padding
1658	*/
1659	if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
1660	ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
1661	{
1662	SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1663	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1664	}
1665	}
1666
1667	/*
1668	* Read and optionally decrypt the message contents
1669	*/
1670	if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
1671	{
1672	SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
1673	return( ret );
1674	}
1675
1676	SSL_DEBUG_BUF( 4, "input record from network",
1677	ssl->in_hdr, 5 + ssl->in_msglen );
1678
1679	#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1680	if( ssl_hw_record_read != NULL)
1681	{
1682	SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
1683
1684	ret = ssl_hw_record_read( ssl );
1685	if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1686	{
1687	SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
1688	return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
1689	}
1690	done = 1;
1691	}
1692	#endif
1693	if( !done && ssl->do_crypt != 0 )
1694	{
1695	if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
1696	{
1697	SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
1698	return( ret );
1699	}
1700
1701	SSL_DEBUG_BUF( 4, "input payload after decrypt",
1702	ssl->in_msg, ssl->in_msglen );
1703
1704	if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
1705	{
1706	SSL_DEBUG_MSG( 1, ( "bad message length" ) );
1707	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1708	}
1709	}
1710
1711	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
1712	ssl->in_msgtype != SSL_MSG_ALERT &&
1713	ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
1714	ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1715	{
1716	SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
1717
1718	if( ( ret = ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
1719	SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
1720	{
1721	return( ret );
1722	}
1723
1724	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1725	}
1726
1727	if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
1728	{
1729	ssl->in_hslen = 4;
1730	ssl->in_hslen += ( ssl->in_msg[2] << 8 ) \| ssl->in_msg[3];
1731
1732	SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
1733	" %d, type = %d, hslen = %d",
1734	ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
1735
1736	/*
1737	* Additional checks to validate the handshake header
1738	*/
1739	if( ssl->in_msglen < 4 \|\| ssl->in_msg[1] != 0 )
1740	{
1741	SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1742	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1743	}
1744
1745	if( ssl->in_msglen < ssl->in_hslen )
1746	{
1747	SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1748	return( POLARSSL_ERR_SSL_INVALID_RECORD );
1749	}
1750
1751	ssl->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
1752	}
1753
1754	if( ssl->in_msgtype == SSL_MSG_ALERT )
1755	{
1756	SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1757	ssl->in_msg[0], ssl->in_msg[1] ) );
1758
1759	/*
1760	* Ignore non-fatal alerts, except close_notify
1761	*/
1762	if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
1763	{
1764	SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
1765	/**
1766	* Subtract from error code as ssl->in_msg[1] is 7-bit positive
1767	* error identifier.
1768	*/
1769	return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
1770	}
1771
1772	if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1773	ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
1774	{
1775	SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
1776	return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
1777	}
1778	}
1779
1780	ssl->in_left = 0;
1781
1782	SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1783
1784	return( 0 );
1785	}
1786
1787	int ssl_send_alert_message( ssl_context *ssl,
1788	unsigned char level,
1789	unsigned char message )
1790	{
1791	int ret;
1792
1793	SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
1794
1795	ssl->out_msgtype = SSL_MSG_ALERT;
1796	ssl->out_msglen = 2;
1797	ssl->out_msg[0] = level;
1798	ssl->out_msg[1] = message;
1799
1800	if( ( ret = ssl_write_record( ssl ) ) != 0 )
1801	{
1802	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1803	return( ret );
1804	}
1805
1806	SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
1807
1808	return( 0 );
1809	}
1810
1811	/*
1812	* Handshake functions
1813	*/
1814	int ssl_write_certificate( ssl_context *ssl )
1815	{
1816	int ret;
1817	size_t i, n;
1818	const x509_cert *crt;
1819
1820	SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1821
1822	if( ssl->endpoint == SSL_IS_CLIENT )
1823	{
1824	if( ssl->client_auth == 0 )
1825	{
1826	SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1827	ssl->state++;
1828	return( 0 );
1829	}
1830
1831	/*
1832	* If using SSLv3 and got no cert, send an Alert message
1833	* (otherwise an empty Certificate message will be sent).
1834	*/
1835	if( ssl->own_cert == NULL &&
1836	ssl->minor_ver == SSL_MINOR_VERSION_0 )
1837	{
1838	ssl->out_msglen = 2;
1839	ssl->out_msgtype = SSL_MSG_ALERT;
1840	ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
1841	ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
1842
1843	SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1844	goto write_msg;
1845	}
1846	}
1847	else /* SSL_IS_SERVER */
1848	{
1849	if( ssl->own_cert == NULL )
1850	{
1851	SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
1852	return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
1853	}
1854	}
1855
1856	SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1857
1858	/*
1859	* 0 . 0 handshake type
1860	* 1 . 3 handshake length
1861	* 4 . 6 length of all certs
1862	* 7 . 9 length of cert. 1
1863	* 10 . n-1 peer certificate
1864	* n . n+2 length of cert. 2
1865	* n+3 . ... upper level cert, etc.
1866	*/
1867	i = 7;
1868	crt = ssl->own_cert;
1869
1870	while( crt != NULL )
1871	{
1872	n = crt->raw.len;
1873	if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1874	{
1875	SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1876	i + 3 + n, SSL_MAX_CONTENT_LEN ) );
1877	return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
1878	}
1879
1880	ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1881	ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1882	ssl->out_msg[i + 2] = (unsigned char)( n );
1883
1884	i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1885	i += n; crt = crt->next;
1886	}
1887
1888	ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1889	ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1890	ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1891
1892	ssl->out_msglen = i;
1893	ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1894	ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1895
1896	write_msg:
1897
1898	ssl->state++;
1899
1900	if( ( ret = ssl_write_record( ssl ) ) != 0 )
1901	{
1902	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1903	return( ret );
1904	}
1905
1906	SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1907
1908	return( 0 );
1909	}
1910
1911	int ssl_parse_certificate( ssl_context *ssl )
1912	{
1913	int ret;
1914	size_t i, n;
1915
1916	SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1917
1918	if( ssl->endpoint == SSL_IS_SERVER &&
1919	ssl->authmode == SSL_VERIFY_NONE )
1920	{
1921	ssl->verify_result = BADCERT_SKIP_VERIFY;
1922	SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1923	ssl->state++;
1924	return( 0 );
1925	}
1926
1927	if( ( ret = ssl_read_record( ssl ) ) != 0 )
1928	{
1929	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1930	return( ret );
1931	}
1932
1933	ssl->state++;
1934
1935	/*
1936	* Check if the client sent an empty certificate
1937	*/
1938	if( ssl->endpoint == SSL_IS_SERVER &&
1939	ssl->minor_ver == SSL_MINOR_VERSION_0 )
1940	{
1941	if( ssl->in_msglen == 2 &&
1942	ssl->in_msgtype == SSL_MSG_ALERT &&
1943	ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
1944	ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
1945	{
1946	SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1947
1948	ssl->verify_result = BADCERT_MISSING;
1949	if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1950	return( 0 );
1951	else
1952	return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
1953	}
1954	}
1955
1956	if( ssl->endpoint == SSL_IS_SERVER &&
1957	ssl->minor_ver != SSL_MINOR_VERSION_0 )
1958	{
1959	if( ssl->in_hslen == 7 &&
1960	ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1961	ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1962	memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1963	{
1964	SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1965
1966	ssl->verify_result = BADCERT_MISSING;
1967	if( ssl->authmode == SSL_VERIFY_REQUIRED )
1968	return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
1969	else
1970	return( 0 );
1971	}
1972	}
1973
1974	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1975	{
1976	SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1977	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1978	}
1979
1980	if( ssl->in_msg[0] != SSL_HS_CERTIFICATE \|\| ssl->in_hslen < 10 )
1981	{
1982	SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1983	return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1984	}
1985
1986	/*
1987	* Same message structure as in ssl_write_certificate()
1988	*/
1989	n = ( ssl->in_msg[5] << 8 ) \| ssl->in_msg[6];
1990
1991	if( ssl->in_msg[4] != 0 \|\| ssl->in_hslen != 7 + n )
1992	{
1993	SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1994	return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1995	}
1996
1997	if( ( ssl->peer_cert = (x509_cert *) malloc(
1998	sizeof( x509_cert ) ) ) == NULL )
1999	{
2000	SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2001	sizeof( x509_cert ) ) );
2002	return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2003	}
2004
2005	memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
2006
2007	i = 7;
2008
2009	while( i < ssl->in_hslen )
2010	{
2011	if( ssl->in_msg[i] != 0 )
2012	{
2013	SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2014	return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2015	}
2016
2017	n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2018	\| (unsigned int) ssl->in_msg[i + 2];
2019	i += 3;
2020
2021	if( n < 128 \|\| i + n > ssl->in_hslen )
2022	{
2023	SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2024	return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
2025	}
2026
2027	ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
2028	if( ret != 0 )
2029	{
2030	SSL_DEBUG_RET( 1, " x509parse_crt", ret );
2031	return( ret );
2032	}
2033
2034	i += n;
2035	}
2036
2037	SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
2038
2039	if( ssl->authmode != SSL_VERIFY_NONE )
2040	{
2041	if( ssl->ca_chain == NULL )
2042	{
2043	SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2044	return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
2045	}
2046
2047	ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
2048	ssl->peer_cn, &ssl->verify_result,
2049	ssl->f_vrfy, ssl->p_vrfy );
2050
2051	if( ret != 0 )
2052	SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2053
2054	if( ssl->authmode != SSL_VERIFY_REQUIRED )
2055	ret = 0;
2056	}
2057
2058	SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2059
2060	return( ret );
2061	}
2062
2063	int ssl_write_change_cipher_spec( ssl_context *ssl )
2064	{
2065	int ret;
2066
2067	SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2068
2069	ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
2070	ssl->out_msglen = 1;
2071	ssl->out_msg[0] = 1;
2072
2073	ssl->do_crypt = 0;
2074	ssl->state++;
2075
2076	if( ( ret = ssl_write_record( ssl ) ) != 0 )
2077	{
2078	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2079	return( ret );
2080	}
2081
2082	SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2083
2084	return( 0 );
2085	}
2086
2087	int ssl_parse_change_cipher_spec( ssl_context *ssl )
2088	{
2089	int ret;
2090
2091	SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2092
2093	ssl->do_crypt = 0;
2094
2095	if( ( ret = ssl_read_record( ssl ) ) != 0 )
2096	{
2097	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2098	return( ret );
2099	}
2100
2101	if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
2102	{
2103	SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2104	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2105	}
2106
2107	if( ssl->in_msglen != 1 \|\| ssl->in_msg[0] != 1 )
2108	{
2109	SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2110	return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
2111	}
2112
2113	ssl->state++;
2114
2115	SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2116
2117	return( 0 );
2118	}
2119
2120	void ssl_kickstart_checksum( ssl_context *ssl, int ciphersuite,
2121	unsigned char *input_buf, size_t len )
2122	{
2123	if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2124	{
2125	md5_starts( (md5_context *) ssl->ctx_checksum );
2126	sha1_starts( (sha1_context *) ( ssl->ctx_checksum +
2127	sizeof(md5_context) ) );
2128
2129	ssl->update_checksum = ssl_update_checksum_md5sha1;
2130	}
2131	else if ( ciphersuite == SSL_RSA_AES_256_GCM_SHA384 \|\|
2132	ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
2133	{
2134	sha4_starts( (sha4_context *) ssl->ctx_checksum, 1 );
2135	ssl->update_checksum = ssl_update_checksum_sha384;
2136	}
2137	else
2138	{
2139	sha2_starts( (sha2_context *) ssl->ctx_checksum, 0 );
2140	ssl->update_checksum = ssl_update_checksum_sha256;
2141	}
2142
2143	if( ssl->endpoint == SSL_IS_CLIENT )
2144	ssl->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2145	ssl->update_checksum( ssl, input_buf, len );
2146	}
2147
2148	static void ssl_update_checksum_start( ssl_context ssl, unsigned char buf,
2149	size_t len )
2150	{
2151	((void) ssl);
2152	((void) buf);
2153	((void) len);
2154	}
2155
2156	static void ssl_update_checksum_md5sha1( ssl_context ssl, unsigned char buf,
2157	size_t len )
2158	{
2159	md5_update( (md5_context *) ssl->ctx_checksum, buf, len );
2160	sha1_update( (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2161	buf, len );
2162	}
2163
2164	static void ssl_update_checksum_sha256( ssl_context ssl, unsigned char buf,
2165	size_t len )
2166	{
2167	sha2_update( (sha2_context *) ssl->ctx_checksum, buf, len );
2168	}
2169
2170	static void ssl_update_checksum_sha384( ssl_context ssl, unsigned char buf,
2171	size_t len )
2172	{
2173	sha4_update( (sha4_context *) ssl->ctx_checksum, buf, len );
2174	}
2175
2176	static void ssl_calc_finished_ssl(
2177	ssl_context ssl, unsigned char buf, int from )
2178	{
2179	char *sender;
2180	md5_context md5;
2181	sha1_context sha1;
2182
2183	unsigned char padbuf[48];
2184	unsigned char md5sum[16];
2185	unsigned char sha1sum[20];
2186
2187	SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2188
2189	memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2190	memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2191	sizeof( sha1_context ) );
2192
2193	/*
2194	* SSLv3:
2195	* hash =
2196	* MD5( master + pad2 +
2197	* MD5( handshake + sender + master + pad1 ) )
2198	* + SHA1( master + pad2 +
2199	* SHA1( handshake + sender + master + pad1 ) )
2200	*/
2201
2202	SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2203	md5.state, sizeof( md5.state ) );
2204
2205	SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2206	sha1.state, sizeof( sha1.state ) );
2207
2208	sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
2209	: (char *) "SRVR";
2210
2211	memset( padbuf, 0x36, 48 );
2212
2213	md5_update( &md5, (unsigned char *) sender, 4 );
2214	md5_update( &md5, ssl->session->master, 48 );
2215	md5_update( &md5, padbuf, 48 );
2216	md5_finish( &md5, md5sum );
2217
2218	sha1_update( &sha1, (unsigned char *) sender, 4 );
2219	sha1_update( &sha1, ssl->session->master, 48 );
2220	sha1_update( &sha1, padbuf, 40 );
2221	sha1_finish( &sha1, sha1sum );
2222
2223	memset( padbuf, 0x5C, 48 );
2224
2225	md5_starts( &md5 );
2226	md5_update( &md5, ssl->session->master, 48 );
2227	md5_update( &md5, padbuf, 48 );
2228	md5_update( &md5, md5sum, 16 );
2229	md5_finish( &md5, buf );
2230
2231	sha1_starts( &sha1 );
2232	sha1_update( &sha1, ssl->session->master, 48 );
2233	sha1_update( &sha1, padbuf , 40 );
2234	sha1_update( &sha1, sha1sum, 20 );
2235	sha1_finish( &sha1, buf + 16 );
2236
2237	SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2238
2239	memset( &md5, 0, sizeof( md5_context ) );
2240	memset( &sha1, 0, sizeof( sha1_context ) );
2241
2242	memset( padbuf, 0, sizeof( padbuf ) );
2243	memset( md5sum, 0, sizeof( md5sum ) );
2244	memset( sha1sum, 0, sizeof( sha1sum ) );
2245
2246	SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2247	}
2248
2249	static void ssl_calc_finished_tls(
2250	ssl_context ssl, unsigned char buf, int from )
2251	{
2252	int len = 12;
2253	char *sender;
2254	md5_context md5;
2255	sha1_context sha1;
2256	unsigned char padbuf[36];
2257
2258	SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2259
2260	memcpy( &md5 , (md5_context *) ssl->ctx_checksum, sizeof(md5_context) );
2261	memcpy( &sha1, (sha1_context *) ( ssl->ctx_checksum + sizeof(md5_context) ),
2262	sizeof( sha1_context ) );
2263
2264	/*
2265	* TLSv1:
2266	* hash = PRF( master, finished_label,
2267	* MD5( handshake ) + SHA1( handshake ) )[0..11]
2268	*/
2269
2270	SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2271	md5.state, sizeof( md5.state ) );
2272
2273	SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2274	sha1.state, sizeof( sha1.state ) );
2275
2276	sender = ( from == SSL_IS_CLIENT )
2277	? (char *) "client finished"
2278	: (char *) "server finished";
2279
2280	md5_finish( &md5, padbuf );
2281	sha1_finish( &sha1, padbuf + 16 );
2282
2283	ssl->tls_prf( ssl->session->master, 48, sender,
2284	padbuf, 36, buf, len );
2285
2286	SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2287
2288	memset( &md5, 0, sizeof( md5_context ) );
2289	memset( &sha1, 0, sizeof( sha1_context ) );
2290
2291	memset( padbuf, 0, sizeof( padbuf ) );
2292
2293	SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2294	}
2295
2296	static void ssl_calc_finished_tls_sha256(
2297	ssl_context ssl, unsigned char buf, int from )
2298	{
2299	int len = 12;
2300	char *sender;
2301	sha2_context sha2;
2302	unsigned char padbuf[32];
2303
2304	SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2305
2306	memcpy( &sha2 , (sha2_context *) ssl->ctx_checksum, sizeof(sha2_context) );
2307
2308	/*
2309	* TLSv1.2:
2310	* hash = PRF( master, finished_label,
2311	* Hash( handshake ) )[0.11]
2312	*/
2313
2314	SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2315	sha2.state, sizeof( sha2.state ) );
2316
2317	sender = ( from == SSL_IS_CLIENT )
2318	? (char *) "client finished"
2319	: (char *) "server finished";
2320
2321	sha2_finish( &sha2, padbuf );
2322
2323	ssl->tls_prf( ssl->session->master, 48, sender,
2324	padbuf, 32, buf, len );
2325
2326	SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2327
2328	memset( &sha2, 0, sizeof( sha2_context ) );
2329
2330	memset( padbuf, 0, sizeof( padbuf ) );
2331
2332	SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2333	}
2334
2335	static void ssl_calc_finished_tls_sha384(
2336	ssl_context ssl, unsigned char buf, int from )
2337	{
2338	int len = 12;
2339	char *sender;
2340	sha4_context sha4;
2341	unsigned char padbuf[48];
2342
2343	SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
2344
2345	memcpy( &sha4 , (sha4_context *) ssl->ctx_checksum, sizeof(sha4_context) );
2346
2347	/*
2348	* TLSv1.2:
2349	* hash = PRF( master, finished_label,
2350	* Hash( handshake ) )[0.11]
2351	*/
2352
2353	SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
2354	sha4.state, sizeof( sha4.state ) );
2355
2356	sender = ( from == SSL_IS_CLIENT )
2357	? (char *) "client finished"
2358	: (char *) "server finished";
2359
2360	sha4_finish( &sha4, padbuf );
2361
2362	ssl->tls_prf( ssl->session->master, 48, sender,
2363	padbuf, 48, buf, len );
2364
2365	SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2366
2367	memset( &sha4, 0, sizeof( sha4_context ) );
2368
2369	memset( padbuf, 0, sizeof( padbuf ) );
2370
2371	SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2372	}
2373
2374	int ssl_write_finished( ssl_context *ssl )
2375	{
2376	int ret, hash_len;
2377
2378	SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2379
2380	ssl->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
2381
2382	// TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2383	hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2384
2385	ssl->out_msglen = 4 + hash_len;
2386	ssl->out_msgtype = SSL_MSG_HANDSHAKE;
2387	ssl->out_msg[0] = SSL_HS_FINISHED;
2388
2389	/*
2390	* In case of session resuming, invert the client and server
2391	* ChangeCipherSpec messages order.
2392	*/
2393	if( ssl->resume != 0 )
2394	{
2395	if( ssl->endpoint == SSL_IS_CLIENT )
2396	ssl->state = SSL_HANDSHAKE_OVER;
2397	else
2398	ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2399	}
2400	else
2401	ssl->state++;
2402
2403	ssl->do_crypt = 1;
2404
2405	if( ( ret = ssl_write_record( ssl ) ) != 0 )
2406	{
2407	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2408	return( ret );
2409	}
2410
2411	SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2412
2413	return( 0 );
2414	}
2415
2416	int ssl_parse_finished( ssl_context *ssl )
2417	{
2418	int ret;
2419	unsigned int hash_len;
2420	unsigned char buf[36];
2421
2422	SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2423
2424	ssl->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
2425
2426	ssl->do_crypt = 1;
2427
2428	if( ( ret = ssl_read_record( ssl ) ) != 0 )
2429	{
2430	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2431	return( ret );
2432	}
2433
2434	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2435	{
2436	SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2437	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
2438	}
2439
2440	// TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
2441	hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
2442
2443	if( ssl->in_msg[0] != SSL_HS_FINISHED \|\|
2444	ssl->in_hslen != 4 + hash_len )
2445	{
2446	SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2447	return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
2448	}
2449
2450	if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
2451	{
2452	SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2453	return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
2454	}
2455
2456	if( ssl->resume != 0 )
2457	{
2458	if( ssl->endpoint == SSL_IS_CLIENT )
2459	ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
2460
2461	if( ssl->endpoint == SSL_IS_SERVER )
2462	ssl->state = SSL_HANDSHAKE_OVER;
2463	}
2464	else
2465	ssl->state++;
2466
2467	SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2468
2469	return( 0 );
2470	}
2471
2472	/*
2473	* Initialize an SSL context
2474	*/
2475	int ssl_init( ssl_context *ssl )
2476	{
2477	int len = SSL_BUFFER_LEN;
2478
2479	memset( ssl, 0, sizeof( ssl_context ) );
2480
2481	ssl->in_ctr = (unsigned char *) malloc( len );
2482	ssl->in_hdr = ssl->in_ctr + 8;
2483	ssl->in_msg = ssl->in_ctr + 13;
2484
2485	if( ssl->in_ctr == NULL )
2486	{
2487	SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2488	return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2489	}
2490
2491	ssl->out_ctr = (unsigned char *) malloc( len );
2492	ssl->out_hdr = ssl->out_ctr + 8;
2493	ssl->out_msg = ssl->out_ctr + 40;
2494
2495	if( ssl->out_ctr == NULL )
2496	{
2497	SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
2498	free( ssl-> in_ctr );
2499	return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2500	}
2501
2502	memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
2503	memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2504
2505	ssl->hostname = NULL;
2506	ssl->hostname_len = 0;
2507
2508	ssl->update_checksum = ssl_update_checksum_start;
2509
2510	return( 0 );
2511	}
2512
2513	/*
2514	* Reset an initialized and used SSL context for re-use while retaining
2515	* all application-set variables, function pointers and data.
2516	*/
2517	void ssl_session_reset( ssl_context *ssl )
2518	{
2519	ssl->state = SSL_HELLO_REQUEST;
2520
2521	ssl->in_offt = NULL;
2522
2523	ssl->in_msgtype = 0;
2524	ssl->in_msglen = 0;
2525	ssl->in_left = 0;
2526
2527	ssl->in_hslen = 0;
2528	ssl->nb_zero = 0;
2529
2530	ssl->out_msgtype = 0;
2531	ssl->out_msglen = 0;
2532	ssl->out_left = 0;
2533
2534	ssl->do_crypt = 0;
2535	ssl->pmslen = 0;
2536	ssl->keylen = 0;
2537	ssl->minlen = 0;
2538	ssl->ivlen = 0;
2539	ssl->maclen = 0;
2540
2541	memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
2542	memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
2543	memset( ssl->randbytes, 0, 64 );
2544	memset( ssl->premaster, 0, 256 );
2545	memset( ssl->iv_enc, 0, 16 );
2546	memset( ssl->iv_dec, 0, 16 );
2547	memset( ssl->mac_enc, 0, 32 );
2548	memset( ssl->mac_dec, 0, 32 );
2549	memset( ssl->ctx_enc, 0, 128 );
2550	memset( ssl->ctx_dec, 0, 128 );
2551
2552	ssl->update_checksum = ssl_update_checksum_start;
2553
2554	#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2555	if( ssl_hw_record_reset != NULL)
2556	{
2557	SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
2558	ssl_hw_record_reset( ssl );
2559	}
2560	#endif
2561	}
2562
2563	/*
2564	* SSL set accessors
2565	*/
2566	void ssl_set_endpoint( ssl_context *ssl, int endpoint )
2567	{
2568	ssl->endpoint = endpoint;
2569	}
2570
2571	void ssl_set_authmode( ssl_context *ssl, int authmode )
2572	{
2573	ssl->authmode = authmode;
2574	}
2575
2576	void ssl_set_verify( ssl_context *ssl,
2577	int (f_vrfy)(void , x509_cert *, int, int),
2578	void *p_vrfy )
2579	{
2580	ssl->f_vrfy = f_vrfy;
2581	ssl->p_vrfy = p_vrfy;
2582	}
2583
2584	void ssl_set_rng( ssl_context *ssl,
2585	int (f_rng)(void , unsigned char *, size_t),
2586	void *p_rng )
2587	{
2588	ssl->f_rng = f_rng;
2589	ssl->p_rng = p_rng;
2590	}
2591
2592	void ssl_set_dbg( ssl_context *ssl,
2593	void (f_dbg)(void , int, const char *),
2594	void *p_dbg )
2595	{
2596	ssl->f_dbg = f_dbg;
2597	ssl->p_dbg = p_dbg;
2598	}
2599
2600	void ssl_set_bio( ssl_context *ssl,
2601	int (f_recv)(void , unsigned char , size_t), void p_recv,
2602	int (f_send)(void , const unsigned char , size_t), void p_send )
2603	{
2604	ssl->f_recv = f_recv;
2605	ssl->f_send = f_send;
2606	ssl->p_recv = p_recv;
2607	ssl->p_send = p_send;
2608	}
2609
2610	void ssl_set_scb( ssl_context *ssl,
2611	int (s_get)(ssl_context ),
2612	int (s_set)(ssl_context ) )
2613	{
2614	ssl->s_get = s_get;
2615	ssl->s_set = s_set;
2616	}
2617
2618	void ssl_set_session( ssl_context *ssl, int resume, int timeout,
2619	ssl_session *session )
2620	{
2621	ssl->resume = resume;
2622	ssl->timeout = timeout;
2623	ssl->session = session;
2624	}
2625
2626	void ssl_set_ciphersuites( ssl_context ssl, int ciphersuites )
2627	{
2628	ssl->ciphersuites = ciphersuites;
2629	}
2630
2631	void ssl_set_ca_chain( ssl_context ssl, x509_cert ca_chain,
2632	x509_crl ca_crl, const char peer_cn )
2633	{
2634	ssl->ca_chain = ca_chain;
2635	ssl->ca_crl = ca_crl;
2636	ssl->peer_cn = peer_cn;
2637	}
2638
2639	void ssl_set_own_cert( ssl_context ssl, x509_cert own_cert,
2640	rsa_context *rsa_key )
2641	{
2642	ssl->own_cert = own_cert;
2643	ssl->rsa_key = rsa_key;
2644	}
2645
2646	#if defined(POLARSSL_PKCS11_C)
2647	void ssl_set_own_cert_pkcs11( ssl_context ssl, x509_cert own_cert,
2648	pkcs11_context *pkcs11_key )
2649	{
2650	ssl->own_cert = own_cert;
2651	ssl->pkcs11_key = pkcs11_key;
2652	}
2653	#endif
2654
2655	int ssl_set_dh_param( ssl_context ssl, const char dhm_P, const char *dhm_G )
2656	{
2657	int ret;
2658
2659	if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
2660	{
2661	SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2662	return( ret );
2663	}
2664
2665	if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
2666	{
2667	SSL_DEBUG_RET( 1, "mpi_read_string", ret );
2668	return( ret );
2669	}
2670
2671	return( 0 );
2672	}
2673
2674	int ssl_set_dh_param_ctx( ssl_context ssl, dhm_context dhm_ctx )
2675	{
2676	int ret;
2677
2678	if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
2679	{
2680	SSL_DEBUG_RET( 1, "mpi_copy", ret );
2681	return( ret );
2682	}
2683
2684	if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
2685	{
2686	SSL_DEBUG_RET( 1, "mpi_copy", ret );
2687	return( ret );
2688	}
2689
2690	return( 0 );
2691	}
2692
2693	int ssl_set_hostname( ssl_context ssl, const char hostname )
2694	{
2695	if( hostname == NULL )
2696	return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
2697
2698	ssl->hostname_len = strlen( hostname );
2699	ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
2700
2701	if( ssl->hostname == NULL )
2702	return( POLARSSL_ERR_SSL_MALLOC_FAILED );
2703
2704	memcpy( ssl->hostname, (unsigned char *) hostname,
2705	ssl->hostname_len );
2706
2707	ssl->hostname[ssl->hostname_len] = '\0';
2708
2709	return( 0 );
2710	}
2711
2712	void ssl_set_max_version( ssl_context *ssl, int major, int minor )
2713	{
2714	ssl->max_major_ver = major;
2715	ssl->max_minor_ver = minor;
2716	}
2717
2718	/*
2719	* SSL get accessors
2720	*/
2721	size_t ssl_get_bytes_avail( const ssl_context *ssl )
2722	{
2723	return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
2724	}
2725
2726	int ssl_get_verify_result( const ssl_context *ssl )
2727	{
2728	return( ssl->verify_result );
2729	}
2730
2731	const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
2732	{
2733	switch( ciphersuite_id )
2734	{
2735	#if defined(POLARSSL_ARC4_C)
2736	case SSL_RSA_RC4_128_MD5:
2737	return( "SSL-RSA-RC4-128-MD5" );
2738
2739	case SSL_RSA_RC4_128_SHA:
2740	return( "SSL-RSA-RC4-128-SHA" );
2741	#endif
2742
2743	#if defined(POLARSSL_DES_C)
2744	case SSL_RSA_DES_168_SHA:
2745	return( "SSL-RSA-DES-168-SHA" );
2746
2747	case SSL_EDH_RSA_DES_168_SHA:
2748	return( "SSL-EDH-RSA-DES-168-SHA" );
2749	#endif
2750
2751	#if defined(POLARSSL_AES_C)
2752	case SSL_RSA_AES_128_SHA:
2753	return( "SSL-RSA-AES-128-SHA" );
2754
2755	case SSL_EDH_RSA_AES_128_SHA:
2756	return( "SSL-EDH-RSA-AES-128-SHA" );
2757
2758	case SSL_RSA_AES_256_SHA:
2759	return( "SSL-RSA-AES-256-SHA" );
2760
2761	case SSL_EDH_RSA_AES_256_SHA:
2762	return( "SSL-EDH-RSA-AES-256-SHA" );
2763
2764	#if defined(POLARSSL_SHA2_C)
2765	case SSL_RSA_AES_128_SHA256:
2766	return( "SSL-RSA-AES-128-SHA256" );
2767
2768	case SSL_EDH_RSA_AES_128_SHA256:
2769	return( "SSL-EDH-RSA-AES-128-SHA256" );
2770
2771	case SSL_RSA_AES_256_SHA256:
2772	return( "SSL-RSA-AES-256-SHA256" );
2773
2774	case SSL_EDH_RSA_AES_256_SHA256:
2775	return( "SSL-EDH-RSA-AES-256-SHA256" );
2776	#endif
2777
2778	#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2779	case SSL_RSA_AES_128_GCM_SHA256:
2780	return( "SSL-RSA-AES-128-GCM-SHA256" );
2781
2782	case SSL_EDH_RSA_AES_128_GCM_SHA256:
2783	return( "SSL-EDH-RSA-AES-128-GCM-SHA256" );
2784	#endif
2785
2786	#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2787	case SSL_RSA_AES_256_GCM_SHA384:
2788	return( "SSL-RSA-AES-256-GCM-SHA384" );
2789
2790	case SSL_EDH_RSA_AES_256_GCM_SHA384:
2791	return( "SSL-EDH-RSA-AES-256-GCM-SHA384" );
2792	#endif
2793	#endif /* POLARSSL_AES_C */
2794
2795	#if defined(POLARSSL_CAMELLIA_C)
2796	case SSL_RSA_CAMELLIA_128_SHA:
2797	return( "SSL-RSA-CAMELLIA-128-SHA" );
2798
2799	case SSL_EDH_RSA_CAMELLIA_128_SHA:
2800	return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
2801
2802	case SSL_RSA_CAMELLIA_256_SHA:
2803	return( "SSL-RSA-CAMELLIA-256-SHA" );
2804
2805	case SSL_EDH_RSA_CAMELLIA_256_SHA:
2806	return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
2807
2808	#if defined(POLARSSL_SHA2_C)
2809	case SSL_RSA_CAMELLIA_128_SHA256:
2810	return( "SSL-RSA-CAMELLIA-128-SHA256" );
2811
2812	case SSL_EDH_RSA_CAMELLIA_128_SHA256:
2813	return( "SSL-EDH-RSA-CAMELLIA-128-SHA256" );
2814
2815	case SSL_RSA_CAMELLIA_256_SHA256:
2816	return( "SSL-RSA-CAMELLIA-256-SHA256" );
2817
2818	case SSL_EDH_RSA_CAMELLIA_256_SHA256:
2819	return( "SSL-EDH-RSA-CAMELLIA-256-SHA256" );
2820	#endif
2821	#endif
2822
2823	#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2824	#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2825	case SSL_RSA_NULL_MD5:
2826	return( "SSL-RSA-NULL-MD5" );
2827	case SSL_RSA_NULL_SHA:
2828	return( "SSL-RSA-NULL-SHA" );
2829	case SSL_RSA_NULL_SHA256:
2830	return( "SSL-RSA-NULL-SHA256" );
2831	#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2832
2833	#if defined(POLARSSL_DES_C)
2834	case SSL_RSA_DES_SHA:
2835	return( "SSL-RSA-DES-SHA" );
2836	case SSL_EDH_RSA_DES_SHA:
2837	return( "SSL-EDH-RSA-DES-SHA" );
2838	#endif
2839	#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2840
2841	default:
2842	break;
2843	}
2844
2845	return( "unknown" );
2846	}
2847
2848	int ssl_get_ciphersuite_id( const char *ciphersuite_name )
2849	{
2850	#if defined(POLARSSL_ARC4_C)
2851	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
2852	return( SSL_RSA_RC4_128_MD5 );
2853	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
2854	return( SSL_RSA_RC4_128_SHA );
2855	#endif
2856
2857	#if defined(POLARSSL_DES_C)
2858	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
2859	return( SSL_RSA_DES_168_SHA );
2860	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
2861	return( SSL_EDH_RSA_DES_168_SHA );
2862	#endif
2863
2864	#if defined(POLARSSL_AES_C)
2865	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
2866	return( SSL_RSA_AES_128_SHA );
2867	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
2868	return( SSL_EDH_RSA_AES_128_SHA );
2869	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
2870	return( SSL_RSA_AES_256_SHA );
2871	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
2872	return( SSL_EDH_RSA_AES_256_SHA );
2873
2874	#if defined(POLARSSL_SHA2_C)
2875	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA256"))
2876	return( SSL_RSA_AES_128_SHA256 );
2877	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA256"))
2878	return( SSL_EDH_RSA_AES_128_SHA256 );
2879	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA256"))
2880	return( SSL_RSA_AES_256_SHA256 );
2881	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA256"))
2882	return( SSL_EDH_RSA_AES_256_SHA256 );
2883	#endif
2884
2885	#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2886	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-GCM-SHA256"))
2887	return( SSL_RSA_AES_128_GCM_SHA256 );
2888	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-GCM-SHA256"))
2889	return( SSL_EDH_RSA_AES_128_GCM_SHA256 );
2890	#endif
2891
2892	#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2893	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-GCM-SHA384"))
2894	return( SSL_RSA_AES_256_GCM_SHA384 );
2895	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-GCM-SHA384"))
2896	return( SSL_EDH_RSA_AES_256_GCM_SHA384 );
2897	#endif
2898	#endif
2899
2900	#if defined(POLARSSL_CAMELLIA_C)
2901	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
2902	return( SSL_RSA_CAMELLIA_128_SHA );
2903	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
2904	return( SSL_EDH_RSA_CAMELLIA_128_SHA );
2905	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
2906	return( SSL_RSA_CAMELLIA_256_SHA );
2907	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
2908	return( SSL_EDH_RSA_CAMELLIA_256_SHA );
2909
2910	#if defined(POLARSSL_SHA2_C)
2911	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA256"))
2912	return( SSL_RSA_CAMELLIA_128_SHA256 );
2913	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA256"))
2914	return( SSL_EDH_RSA_CAMELLIA_128_SHA256 );
2915	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA256"))
2916	return( SSL_RSA_CAMELLIA_256_SHA256 );
2917	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA256"))
2918	return( SSL_EDH_RSA_CAMELLIA_256_SHA256 );
2919	#endif
2920	#endif
2921
2922	#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
2923	#if defined(POLARSSL_CIPHER_NULL_CIPHER)
2924	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-MD5"))
2925	return( SSL_RSA_NULL_MD5 );
2926	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA"))
2927	return( SSL_RSA_NULL_SHA );
2928	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-NULL-SHA256"))
2929	return( SSL_RSA_NULL_SHA256 );
2930	#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
2931
2932	#if defined(POLARSSL_DES_C)
2933	if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-SHA"))
2934	return( SSL_RSA_DES_SHA );
2935	if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-SHA"))
2936	return( SSL_EDH_RSA_DES_SHA );
2937	#endif
2938	#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
2939
2940	return( 0 );
2941	}
2942
2943	const char ssl_get_ciphersuite( const ssl_context ssl )
2944	{
2945	return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
2946	}
2947
2948	const char ssl_get_version( const ssl_context ssl )
2949	{
2950	switch( ssl->minor_ver )
2951	{
2952	case SSL_MINOR_VERSION_0:
2953	return( "SSLv3.0" );
2954
2955	case SSL_MINOR_VERSION_1:
2956	return( "TLSv1.0" );
2957
2958	case SSL_MINOR_VERSION_2:
2959	return( "TLSv1.1" );
2960
2961	case SSL_MINOR_VERSION_3:
2962	return( "TLSv1.2" );
2963
2964	default:
2965	break;
2966	}
2967	return( "unknown" );
2968	}
2969
2970	int ssl_default_ciphersuites[] =
2971	{
2972	#if defined(POLARSSL_DHM_C)
2973	#if defined(POLARSSL_AES_C)
2974	#if defined(POLARSSL_SHA2_C)
2975	SSL_EDH_RSA_AES_256_SHA256,
2976	#endif /* POLARSSL_SHA2_C */
2977	#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
2978	SSL_EDH_RSA_AES_256_GCM_SHA384,
2979	#endif
2980	SSL_EDH_RSA_AES_256_SHA,
2981	#if defined(POLARSSL_SHA2_C)
2982	SSL_EDH_RSA_AES_128_SHA256,
2983	#endif
2984	#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
2985	SSL_EDH_RSA_AES_128_GCM_SHA256,
2986	#endif
2987	SSL_EDH_RSA_AES_128_SHA,
2988	#endif
2989	#if defined(POLARSSL_CAMELLIA_C)
2990	#if defined(POLARSSL_SHA2_C)
2991	SSL_EDH_RSA_CAMELLIA_256_SHA256,
2992	#endif /* POLARSSL_SHA2_C */
2993	SSL_EDH_RSA_CAMELLIA_256_SHA,
2994	#if defined(POLARSSL_SHA2_C)
2995	SSL_EDH_RSA_CAMELLIA_128_SHA256,
2996	#endif /* POLARSSL_SHA2_C */
2997	SSL_EDH_RSA_CAMELLIA_128_SHA,
2998	#endif
2999	#if defined(POLARSSL_DES_C)
3000	SSL_EDH_RSA_DES_168_SHA,
3001	#endif
3002	#endif
3003
3004	#if defined(POLARSSL_AES_C)
3005	#if defined(POLARSSL_SHA2_C)
3006	SSL_RSA_AES_256_SHA256,
3007	#endif /* POLARSSL_SHA2_C */
3008	#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
3009	SSL_RSA_AES_256_GCM_SHA384,
3010	#endif /* POLARSSL_SHA2_C */
3011	SSL_RSA_AES_256_SHA,
3012	#endif
3013	#if defined(POLARSSL_CAMELLIA_C)
3014	#if defined(POLARSSL_SHA2_C)
3015	SSL_RSA_CAMELLIA_256_SHA256,
3016	#endif /* POLARSSL_SHA2_C */
3017	SSL_RSA_CAMELLIA_256_SHA,
3018	#endif
3019	#if defined(POLARSSL_AES_C)
3020	#if defined(POLARSSL_SHA2_C)
3021	SSL_RSA_AES_128_SHA256,
3022	#endif /* POLARSSL_SHA2_C */
3023	#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
3024	SSL_RSA_AES_128_GCM_SHA256,
3025	#endif /* POLARSSL_SHA2_C */
3026	SSL_RSA_AES_128_SHA,
3027	#endif
3028	#if defined(POLARSSL_CAMELLIA_C)
3029	#if defined(POLARSSL_SHA2_C)
3030	SSL_RSA_CAMELLIA_128_SHA256,
3031	#endif /* POLARSSL_SHA2_C */
3032	SSL_RSA_CAMELLIA_128_SHA,
3033	#endif
3034	#if defined(POLARSSL_DES_C)
3035	SSL_RSA_DES_168_SHA,
3036	#endif
3037	#if defined(POLARSSL_ARC4_C)
3038	SSL_RSA_RC4_128_SHA,
3039	SSL_RSA_RC4_128_MD5,
3040	#endif
3041	0
3042	};
3043
3044	/*
3045	* Perform the SSL handshake
3046	*/
3047	int ssl_handshake( ssl_context *ssl )
3048	{
3049	int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
3050
3051	SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
3052
3053	#if defined(POLARSSL_SSL_CLI_C)
3054	if( ssl->endpoint == SSL_IS_CLIENT )
3055	ret = ssl_handshake_client( ssl );
3056	#endif
3057
3058	#if defined(POLARSSL_SSL_SRV_C)
3059	if( ssl->endpoint == SSL_IS_SERVER )
3060	ret = ssl_handshake_server( ssl );
3061	#endif
3062
3063	SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
3064
3065	return( ret );
3066	}
3067
3068	/*
3069	* Receive application data decrypted from the SSL layer
3070	*/
3071	int ssl_read( ssl_context ssl, unsigned char buf, size_t len )
3072	{
3073	int ret;
3074	size_t n;
3075
3076	SSL_DEBUG_MSG( 2, ( "=> read" ) );
3077
3078	if( ssl->state != SSL_HANDSHAKE_OVER )
3079	{
3080	if( ( ret = ssl_handshake( ssl ) ) != 0 )
3081	{
3082	SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3083	return( ret );
3084	}
3085	}
3086
3087	if( ssl->in_offt == NULL )
3088	{
3089	if( ( ret = ssl_read_record( ssl ) ) != 0 )
3090	{
3091	if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3092	return( 0 );
3093
3094	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3095	return( ret );
3096	}
3097
3098	if( ssl->in_msglen == 0 &&
3099	ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
3100	{
3101	/*
3102	* OpenSSL sends empty messages to randomize the IV
3103	*/
3104	if( ( ret = ssl_read_record( ssl ) ) != 0 )
3105	{
3106	if( ret == POLARSSL_ERR_SSL_CONN_EOF )
3107	return( 0 );
3108
3109	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3110	return( ret );
3111	}
3112	}
3113
3114	if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
3115	{
3116	SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
3117	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
3118	}
3119
3120	ssl->in_offt = ssl->in_msg;
3121	}
3122
3123	n = ( len < ssl->in_msglen )
3124	? len : ssl->in_msglen;
3125
3126	memcpy( buf, ssl->in_offt, n );
3127	ssl->in_msglen -= n;
3128
3129	if( ssl->in_msglen == 0 )
3130	/* all bytes consumed */
3131	ssl->in_offt = NULL;
3132	else
3133	/* more data available */
3134	ssl->in_offt += n;
3135
3136	SSL_DEBUG_MSG( 2, ( "<= read" ) );
3137
3138	return( (int) n );
3139	}
3140
3141	/*
3142	* Send application data to be encrypted by the SSL layer
3143	*/
3144	int ssl_write( ssl_context ssl, const unsigned char buf, size_t len )
3145	{
3146	int ret;
3147	size_t n;
3148
3149	SSL_DEBUG_MSG( 2, ( "=> write" ) );
3150
3151	if( ssl->state != SSL_HANDSHAKE_OVER )
3152	{
3153	if( ( ret = ssl_handshake( ssl ) ) != 0 )
3154	{
3155	SSL_DEBUG_RET( 1, "ssl_handshake", ret );
3156	return( ret );
3157	}
3158	}
3159
3160	n = ( len < SSL_MAX_CONTENT_LEN )
3161	? len : SSL_MAX_CONTENT_LEN;
3162
3163	if( ssl->out_left != 0 )
3164	{
3165	if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3166	{
3167	SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3168	return( ret );
3169	}
3170	}
3171	else
3172	{
3173	ssl->out_msglen = n;
3174	ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
3175	memcpy( ssl->out_msg, buf, n );
3176
3177	if( ( ret = ssl_write_record( ssl ) ) != 0 )
3178	{
3179	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3180	return( ret );
3181	}
3182	}
3183
3184	SSL_DEBUG_MSG( 2, ( "<= write" ) );
3185
3186	return( (int) n );
3187	}
3188
3189	/*
3190	* Notify the peer that the connection is being closed
3191	*/
3192	int ssl_close_notify( ssl_context *ssl )
3193	{
3194	int ret;
3195
3196	SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
3197
3198	if( ( ret = ssl_flush_output( ssl ) ) != 0 )
3199	{
3200	SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
3201	return( ret );
3202	}
3203
3204	if( ssl->state == SSL_HANDSHAKE_OVER )
3205	{
3206	ssl->out_msgtype = SSL_MSG_ALERT;
3207	ssl->out_msglen = 2;
3208	ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
3209	ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY;
3210
3211	if( ( ret = ssl_write_record( ssl ) ) != 0 )
3212	{
3213	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3214	return( ret );
3215	}
3216	}
3217
3218	SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
3219
3220	return( ret );
3221	}
3222
3223	/*
3224	* Free an SSL context
3225	*/
3226	void ssl_free( ssl_context *ssl )
3227	{
3228	SSL_DEBUG_MSG( 2, ( "=> free" ) );
3229
3230	if( ssl->peer_cert != NULL )
3231	{
3232	x509_free( ssl->peer_cert );
3233	memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
3234	free( ssl->peer_cert );
3235	}
3236
3237	if( ssl->out_ctr != NULL )
3238	{
3239	memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3240	free( ssl->out_ctr );
3241	}
3242
3243	if( ssl->in_ctr != NULL )
3244	{
3245	memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3246	free( ssl->in_ctr );
3247	}
3248
3249	#if defined(POLARSSL_DHM_C)
3250	dhm_free( &ssl->dhm_ctx );
3251	#endif
3252
3253	if ( ssl->hostname != NULL)
3254	{
3255	memset( ssl->hostname, 0, ssl->hostname_len );
3256	free( ssl->hostname );
3257	ssl->hostname_len = 0;
3258	}
3259
3260	#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3261	if( ssl_hw_record_finish != NULL )
3262	{
3263	SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
3264	ssl_hw_record_finish( ssl );
3265	}
3266	#endif
3267
3268	SSL_DEBUG_MSG( 2, ( "<= free" ) );
3269
3270	/* Actually free after last debug message */
3271	memset( ssl, 0, sizeof( ssl_context ) );
3272	}
3273
3274	#endif

Note: See TracBrowser for help on using the repository browser.

PolarSSL

Cryptography and SSL made easy

Context Navigation

source: trunk/library/ssl_tls.c @ 1270

Download in other formats:

What are you looking for?

Main links

Community links

Documentation

Block cipher sources

Hash sources