PolarSSL v1.3.8
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #if !defined(POLARSSL_CONFIG_FILE)
35 #include "polarssl/config.h"
36 #else
37 #include POLARSSL_CONFIG_FILE
38 #endif
39 
40 #if defined(POLARSSL_SSL_TLS_C)
41 
42 #include "polarssl/debug.h"
43 #include "polarssl/ssl.h"
44 
45 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
46  defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
47 #include "polarssl/oid.h"
48 #endif
49 
50 #if defined(POLARSSL_PLATFORM_C)
51 #include "polarssl/platform.h"
52 #else
53 #define polarssl_malloc malloc
54 #define polarssl_free free
55 #endif
56 
57 #include <stdlib.h>
58 
59 #if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
60  !defined(EFI32)
61 #define strcasecmp _stricmp
62 #endif
63 
64 /* Implementation that should never be optimized out by the compiler */
65 static void polarssl_zeroize( void *v, size_t n ) {
66  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
67 }
68 
69 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
70 /*
71  * Convert max_fragment_length codes to length.
72  * RFC 6066 says:
73  * enum{
74  * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
75  * } MaxFragmentLength;
76  * and we add 0 -> extension unused
77  */
78 static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
79 {
80  SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
81  512, /* SSL_MAX_FRAG_LEN_512 */
82  1024, /* SSL_MAX_FRAG_LEN_1024 */
83  2048, /* SSL_MAX_FRAG_LEN_2048 */
84  4096, /* SSL_MAX_FRAG_LEN_4096 */
85 };
86 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
87 
88 static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
89 {
90  ssl_session_free( dst );
91  memcpy( dst, src, sizeof( ssl_session ) );
92 
93 #if defined(POLARSSL_X509_CRT_PARSE_C)
94  if( src->peer_cert != NULL )
95  {
96  int ret;
97 
98  dst->peer_cert = (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
99  if( dst->peer_cert == NULL )
101 
102  x509_crt_init( dst->peer_cert );
103 
104  if( ( ret = x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
105  src->peer_cert->raw.len ) ) != 0 )
106  {
107  polarssl_free( dst->peer_cert );
108  dst->peer_cert = NULL;
109  return( ret );
110  }
111  }
112 #endif /* POLARSSL_X509_CRT_PARSE_C */
113 
114 #if defined(POLARSSL_SSL_SESSION_TICKETS)
115  if( src->ticket != NULL )
116  {
117  dst->ticket = (unsigned char *) polarssl_malloc( src->ticket_len );
118  if( dst->ticket == NULL )
120 
121  memcpy( dst->ticket, src->ticket, src->ticket_len );
122  }
123 #endif /* POLARSSL_SSL_SESSION_TICKETS */
124 
125  return( 0 );
126 }
127 
128 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
129 int (*ssl_hw_record_init)( ssl_context *ssl,
130  const unsigned char *key_enc, const unsigned char *key_dec,
131  size_t keylen,
132  const unsigned char *iv_enc, const unsigned char *iv_dec,
133  size_t ivlen,
134  const unsigned char *mac_enc, const unsigned char *mac_dec,
135  size_t maclen ) = NULL;
136 int (*ssl_hw_record_activate)( ssl_context *ssl, int direction) = NULL;
137 int (*ssl_hw_record_reset)( ssl_context *ssl ) = NULL;
138 int (*ssl_hw_record_write)( ssl_context *ssl ) = NULL;
139 int (*ssl_hw_record_read)( ssl_context *ssl ) = NULL;
140 int (*ssl_hw_record_finish)( ssl_context *ssl ) = NULL;
141 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
142 
143 /*
144  * Key material generation
145  */
146 #if defined(POLARSSL_SSL_PROTO_SSL3)
147 static int ssl3_prf( const unsigned char *secret, size_t slen,
148  const char *label,
149  const unsigned char *random, size_t rlen,
150  unsigned char *dstbuf, size_t dlen )
151 {
152  size_t i;
155  unsigned char padding[16];
156  unsigned char sha1sum[20];
157  ((void)label);
158 
159  md5_init( &md5 );
160  sha1_init( &sha1 );
161 
162  /*
163  * SSLv3:
164  * block =
165  * MD5( secret + SHA1( 'A' + secret + random ) ) +
166  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
167  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
168  * ...
169  */
170  for( i = 0; i < dlen / 16; i++ )
171  {
172  memset( padding, (unsigned char) ('A' + i), 1 + i );
173 
174  sha1_starts( &sha1 );
175  sha1_update( &sha1, padding, 1 + i );
176  sha1_update( &sha1, secret, slen );
177  sha1_update( &sha1, random, rlen );
178  sha1_finish( &sha1, sha1sum );
179 
180  md5_starts( &md5 );
181  md5_update( &md5, secret, slen );
182  md5_update( &md5, sha1sum, 20 );
183  md5_finish( &md5, dstbuf + i * 16 );
184  }
185 
186  md5_free( &md5 );
187  sha1_free( &sha1 );
188 
189  polarssl_zeroize( padding, sizeof( padding ) );
190  polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
191 
192  return( 0 );
193 }
194 #endif /* POLARSSL_SSL_PROTO_SSL3 */
195 
196 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
197 static int tls1_prf( const unsigned char *secret, size_t slen,
198  const char *label,
199  const unsigned char *random, size_t rlen,
200  unsigned char *dstbuf, size_t dlen )
201 {
202  size_t nb, hs;
203  size_t i, j, k;
204  const unsigned char *S1, *S2;
205  unsigned char tmp[128];
206  unsigned char h_i[20];
207 
208  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
210 
211  hs = ( slen + 1 ) / 2;
212  S1 = secret;
213  S2 = secret + slen - hs;
214 
215  nb = strlen( label );
216  memcpy( tmp + 20, label, nb );
217  memcpy( tmp + 20 + nb, random, rlen );
218  nb += rlen;
219 
220  /*
221  * First compute P_md5(secret,label+random)[0..dlen]
222  */
223  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
224 
225  for( i = 0; i < dlen; i += 16 )
226  {
227  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
228  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
229 
230  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
231 
232  for( j = 0; j < k; j++ )
233  dstbuf[i + j] = h_i[j];
234  }
235 
236  /*
237  * XOR out with P_sha1(secret,label+random)[0..dlen]
238  */
239  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
240 
241  for( i = 0; i < dlen; i += 20 )
242  {
243  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
244  sha1_hmac( S2, hs, tmp, 20, tmp );
245 
246  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
247 
248  for( j = 0; j < k; j++ )
249  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
250  }
251 
252  polarssl_zeroize( tmp, sizeof( tmp ) );
253  polarssl_zeroize( h_i, sizeof( h_i ) );
254 
255  return( 0 );
256 }
257 #endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
258 
259 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
260 #if defined(POLARSSL_SHA256_C)
261 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
262  const char *label,
263  const unsigned char *random, size_t rlen,
264  unsigned char *dstbuf, size_t dlen )
265 {
266  size_t nb;
267  size_t i, j, k;
268  unsigned char tmp[128];
269  unsigned char h_i[32];
270 
271  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
273 
274  nb = strlen( label );
275  memcpy( tmp + 32, label, nb );
276  memcpy( tmp + 32 + nb, random, rlen );
277  nb += rlen;
278 
279  /*
280  * Compute P_<hash>(secret, label + random)[0..dlen]
281  */
282  sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
283 
284  for( i = 0; i < dlen; i += 32 )
285  {
286  sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
287  sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
288 
289  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
290 
291  for( j = 0; j < k; j++ )
292  dstbuf[i + j] = h_i[j];
293  }
294 
295  polarssl_zeroize( tmp, sizeof( tmp ) );
296  polarssl_zeroize( h_i, sizeof( h_i ) );
297 
298  return( 0 );
299 }
300 #endif /* POLARSSL_SHA256_C */
301 
302 #if defined(POLARSSL_SHA512_C)
303 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
304  const char *label,
305  const unsigned char *random, size_t rlen,
306  unsigned char *dstbuf, size_t dlen )
307 {
308  size_t nb;
309  size_t i, j, k;
310  unsigned char tmp[128];
311  unsigned char h_i[48];
312 
313  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
315 
316  nb = strlen( label );
317  memcpy( tmp + 48, label, nb );
318  memcpy( tmp + 48 + nb, random, rlen );
319  nb += rlen;
320 
321  /*
322  * Compute P_<hash>(secret, label + random)[0..dlen]
323  */
324  sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
325 
326  for( i = 0; i < dlen; i += 48 )
327  {
328  sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
329  sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
330 
331  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
332 
333  for( j = 0; j < k; j++ )
334  dstbuf[i + j] = h_i[j];
335  }
336 
337  polarssl_zeroize( tmp, sizeof( tmp ) );
338  polarssl_zeroize( h_i, sizeof( h_i ) );
339 
340  return( 0 );
341 }
342 #endif /* POLARSSL_SHA512_C */
343 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
344 
345 static void ssl_update_checksum_start( ssl_context *, const unsigned char *, size_t );
346 
347 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
348  defined(POLARSSL_SSL_PROTO_TLS1_1)
349 static void ssl_update_checksum_md5sha1( ssl_context *, const unsigned char *, size_t );
350 #endif
351 
352 #if defined(POLARSSL_SSL_PROTO_SSL3)
353 static void ssl_calc_verify_ssl( ssl_context *, unsigned char * );
354 static void ssl_calc_finished_ssl( ssl_context *, unsigned char *, int );
355 #endif
356 
357 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
358 static void ssl_calc_verify_tls( ssl_context *, unsigned char * );
359 static void ssl_calc_finished_tls( ssl_context *, unsigned char *, int );
360 #endif
361 
362 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
363 #if defined(POLARSSL_SHA256_C)
364 static void ssl_update_checksum_sha256( ssl_context *, const unsigned char *, size_t );
365 static void ssl_calc_verify_tls_sha256( ssl_context *,unsigned char * );
366 static void ssl_calc_finished_tls_sha256( ssl_context *,unsigned char *, int );
367 #endif
368 
369 #if defined(POLARSSL_SHA512_C)
370 static void ssl_update_checksum_sha384( ssl_context *, const unsigned char *, size_t );
371 static void ssl_calc_verify_tls_sha384( ssl_context *, unsigned char * );
372 static void ssl_calc_finished_tls_sha384( ssl_context *, unsigned char *, int );
373 #endif
374 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
375 
376 int ssl_derive_keys( ssl_context *ssl )
377 {
378  int ret = 0;
379  unsigned char tmp[64];
380  unsigned char keyblk[256];
381  unsigned char *key1;
382  unsigned char *key2;
383  unsigned char *mac_enc;
384  unsigned char *mac_dec;
385  size_t iv_copy_len;
386  const cipher_info_t *cipher_info;
387  const md_info_t *md_info;
388 
389  ssl_session *session = ssl->session_negotiate;
390  ssl_transform *transform = ssl->transform_negotiate;
391  ssl_handshake_params *handshake = ssl->handshake;
392 
393  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
394 
395  cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
396  if( cipher_info == NULL )
397  {
398  SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
399  transform->ciphersuite_info->cipher ) );
401  }
402 
403  md_info = md_info_from_type( transform->ciphersuite_info->mac );
404  if( md_info == NULL )
405  {
406  SSL_DEBUG_MSG( 1, ( "md info for %d not found",
407  transform->ciphersuite_info->mac ) );
409  }
410 
411  /*
412  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
413  */
414 #if defined(POLARSSL_SSL_PROTO_SSL3)
415  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
416  {
417  handshake->tls_prf = ssl3_prf;
418  handshake->calc_verify = ssl_calc_verify_ssl;
419  handshake->calc_finished = ssl_calc_finished_ssl;
420  }
421  else
422 #endif
423 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
424  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
425  {
426  handshake->tls_prf = tls1_prf;
427  handshake->calc_verify = ssl_calc_verify_tls;
428  handshake->calc_finished = ssl_calc_finished_tls;
429  }
430  else
431 #endif
432 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
433 #if defined(POLARSSL_SHA512_C)
434  if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
435  transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
436  {
437  handshake->tls_prf = tls_prf_sha384;
438  handshake->calc_verify = ssl_calc_verify_tls_sha384;
439  handshake->calc_finished = ssl_calc_finished_tls_sha384;
440  }
441  else
442 #endif
443 #if defined(POLARSSL_SHA256_C)
444  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
445  {
446  handshake->tls_prf = tls_prf_sha256;
447  handshake->calc_verify = ssl_calc_verify_tls_sha256;
448  handshake->calc_finished = ssl_calc_finished_tls_sha256;
449  }
450  else
451 #endif
452 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
453  {
454  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
456  }
457 
458  /*
459  * SSLv3:
460  * master =
461  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
462  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
463  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
464  *
465  * TLSv1+:
466  * master = PRF( premaster, "master secret", randbytes )[0..47]
467  */
468  if( handshake->resume == 0 )
469  {
470  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
471  handshake->pmslen );
472 
473  handshake->tls_prf( handshake->premaster, handshake->pmslen,
474  "master secret",
475  handshake->randbytes, 64, session->master, 48 );
476 
477  polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
478  }
479  else
480  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
481 
482  /*
483  * Swap the client and server random values.
484  */
485  memcpy( tmp, handshake->randbytes, 64 );
486  memcpy( handshake->randbytes, tmp + 32, 32 );
487  memcpy( handshake->randbytes + 32, tmp, 32 );
488  polarssl_zeroize( tmp, sizeof( tmp ) );
489 
490  /*
491  * SSLv3:
492  * key block =
493  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
494  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
495  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
496  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
497  * ...
498  *
499  * TLSv1:
500  * key block = PRF( master, "key expansion", randbytes )
501  */
502  handshake->tls_prf( session->master, 48, "key expansion",
503  handshake->randbytes, 64, keyblk, 256 );
504 
505  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
506  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
507  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
508  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
509  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
510 
511  polarssl_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
512 
513  /*
514  * Determine the appropriate key, IV and MAC length.
515  */
516 
517  transform->keylen = cipher_info->key_length / 8;
518 
519  if( cipher_info->mode == POLARSSL_MODE_GCM ||
520  cipher_info->mode == POLARSSL_MODE_CCM )
521  {
522  transform->maclen = 0;
523 
524  transform->ivlen = 12;
525  transform->fixed_ivlen = 4;
526 
527  /* Minimum length is expicit IV + tag */
528  transform->minlen = transform->ivlen - transform->fixed_ivlen
529  + ( transform->ciphersuite_info->flags &
531  }
532  else
533  {
534  int ret;
535 
536  /* Initialize HMAC contexts */
537  if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 ||
538  ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
539  {
540  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
541  return( ret );
542  }
543 
544  /* Get MAC length */
545  transform->maclen = md_get_size( md_info );
546 
547 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
548  /*
549  * If HMAC is to be truncated, we shall keep the leftmost bytes,
550  * (rfc 6066 page 13 or rfc 2104 section 4),
551  * so we only need to adjust the length here.
552  */
553  if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
554  transform->maclen = SSL_TRUNCATED_HMAC_LEN;
555 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
556 
557  /* IV length */
558  transform->ivlen = cipher_info->iv_size;
559 
560  /* Minimum length */
561  if( cipher_info->mode == POLARSSL_MODE_STREAM )
562  transform->minlen = transform->maclen;
563  else
564  {
565  /*
566  * GenericBlockCipher:
567  * first multiple of blocklen greater than maclen
568  * + IV except for SSL3 and TLS 1.0
569  */
570  transform->minlen = transform->maclen
571  + cipher_info->block_size
572  - transform->maclen % cipher_info->block_size;
573 
574 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
575  if( ssl->minor_ver == SSL_MINOR_VERSION_0 ||
577  ; /* No need to adjust minlen */
578  else
579 #endif
580 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
581  if( ssl->minor_ver == SSL_MINOR_VERSION_2 ||
583  {
584  transform->minlen += transform->ivlen;
585  }
586  else
587 #endif
588  {
589  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
591  }
592  }
593  }
594 
595  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
596  transform->keylen, transform->minlen, transform->ivlen,
597  transform->maclen ) );
598 
599  /*
600  * Finally setup the cipher contexts, IVs and MAC secrets.
601  */
602  if( ssl->endpoint == SSL_IS_CLIENT )
603  {
604  key1 = keyblk + transform->maclen * 2;
605  key2 = keyblk + transform->maclen * 2 + transform->keylen;
606 
607  mac_enc = keyblk;
608  mac_dec = keyblk + transform->maclen;
609 
610  /*
611  * This is not used in TLS v1.1.
612  */
613  iv_copy_len = ( transform->fixed_ivlen ) ?
614  transform->fixed_ivlen : transform->ivlen;
615  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
616  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
617  iv_copy_len );
618  }
619  else
620  {
621  key1 = keyblk + transform->maclen * 2 + transform->keylen;
622  key2 = keyblk + transform->maclen * 2;
623 
624  mac_enc = keyblk + transform->maclen;
625  mac_dec = keyblk;
626 
627  /*
628  * This is not used in TLS v1.1.
629  */
630  iv_copy_len = ( transform->fixed_ivlen ) ?
631  transform->fixed_ivlen : transform->ivlen;
632  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
633  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
634  iv_copy_len );
635  }
636 
637 #if defined(POLARSSL_SSL_PROTO_SSL3)
638  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
639  {
640  if( transform->maclen > sizeof transform->mac_enc )
641  {
642  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
644  }
645 
646  memcpy( transform->mac_enc, mac_enc, transform->maclen );
647  memcpy( transform->mac_dec, mac_dec, transform->maclen );
648  }
649  else
650 #endif /* POLARSSL_SSL_PROTO_SSL3 */
651 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
652  defined(POLARSSL_SSL_PROTO_TLS1_2)
653  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
654  {
655  md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
656  md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
657  }
658  else
659 #endif
660  {
661  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
663  }
664 
665 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
666  if( ssl_hw_record_init != NULL )
667  {
668  int ret = 0;
669 
670  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
671 
672  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
673  transform->iv_enc, transform->iv_dec,
674  iv_copy_len,
675  mac_enc, mac_dec,
676  transform->maclen ) ) != 0 )
677  {
678  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
680  }
681  }
682 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
683 
684  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
685  cipher_info ) ) != 0 )
686  {
687  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
688  return( ret );
689  }
690 
691  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
692  cipher_info ) ) != 0 )
693  {
694  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
695  return( ret );
696  }
697 
698  if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
699  cipher_info->key_length,
700  POLARSSL_ENCRYPT ) ) != 0 )
701  {
702  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
703  return( ret );
704  }
705 
706  if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
707  cipher_info->key_length,
708  POLARSSL_DECRYPT ) ) != 0 )
709  {
710  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
711  return( ret );
712  }
713 
714 #if defined(POLARSSL_CIPHER_MODE_CBC)
715  if( cipher_info->mode == POLARSSL_MODE_CBC )
716  {
717  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
718  POLARSSL_PADDING_NONE ) ) != 0 )
719  {
720  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
721  return( ret );
722  }
723 
724  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
725  POLARSSL_PADDING_NONE ) ) != 0 )
726  {
727  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
728  return( ret );
729  }
730  }
731 #endif /* POLARSSL_CIPHER_MODE_CBC */
732 
733  polarssl_zeroize( keyblk, sizeof( keyblk ) );
734 
735 #if defined(POLARSSL_ZLIB_SUPPORT)
736  // Initialize compression
737  //
738  if( session->compression == SSL_COMPRESS_DEFLATE )
739  {
740  if( ssl->compress_buf == NULL )
741  {
742  SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
743  ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
744  if( ssl->compress_buf == NULL )
745  {
746  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
747  SSL_BUFFER_LEN ) );
749  }
750  }
751 
752  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
753 
754  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
755  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
756 
757  if( deflateInit( &transform->ctx_deflate,
758  Z_DEFAULT_COMPRESSION ) != Z_OK ||
759  inflateInit( &transform->ctx_inflate ) != Z_OK )
760  {
761  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
763  }
764  }
765 #endif /* POLARSSL_ZLIB_SUPPORT */
766 
767  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
768 
769  return( 0 );
770 }
771 
772 #if defined(POLARSSL_SSL_PROTO_SSL3)
773 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
774 {
777  unsigned char pad_1[48];
778  unsigned char pad_2[48];
779 
780  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
781 
782  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
783  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
784 
785  memset( pad_1, 0x36, 48 );
786  memset( pad_2, 0x5C, 48 );
787 
788  md5_update( &md5, ssl->session_negotiate->master, 48 );
789  md5_update( &md5, pad_1, 48 );
790  md5_finish( &md5, hash );
791 
792  md5_starts( &md5 );
793  md5_update( &md5, ssl->session_negotiate->master, 48 );
794  md5_update( &md5, pad_2, 48 );
795  md5_update( &md5, hash, 16 );
796  md5_finish( &md5, hash );
797 
798  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
799  sha1_update( &sha1, pad_1, 40 );
800  sha1_finish( &sha1, hash + 16 );
801 
802  sha1_starts( &sha1 );
803  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
804  sha1_update( &sha1, pad_2, 40 );
805  sha1_update( &sha1, hash + 16, 20 );
806  sha1_finish( &sha1, hash + 16 );
807 
808  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
809  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
810 
811  md5_free( &md5 );
812  sha1_free( &sha1 );
813 
814  return;
815 }
816 #endif /* POLARSSL_SSL_PROTO_SSL3 */
817 
818 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
819 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
820 {
823 
824  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
825 
826  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
827  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
828 
829  md5_finish( &md5, hash );
830  sha1_finish( &sha1, hash + 16 );
831 
832  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
833  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
834 
835  md5_free( &md5 );
836  sha1_free( &sha1 );
837 
838  return;
839 }
840 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
841 
842 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
843 #if defined(POLARSSL_SHA256_C)
844 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
845 {
847 
848  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
849 
850  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
851  sha256_finish( &sha256, hash );
852 
853  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
854  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
855 
856  sha256_free( &sha256 );
857 
858  return;
859 }
860 #endif /* POLARSSL_SHA256_C */
861 
862 #if defined(POLARSSL_SHA512_C)
863 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
864 {
866 
867  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
868 
869  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
870  sha512_finish( &sha512, hash );
871 
872  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
873  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
874 
875  sha512_free( &sha512 );
876 
877  return;
878 }
879 #endif /* POLARSSL_SHA512_C */
880 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
881 
882 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
884 {
885  unsigned char *p = ssl->handshake->premaster;
886  unsigned char *end = p + sizeof( ssl->handshake->premaster );
887 
888  /*
889  * PMS = struct {
890  * opaque other_secret<0..2^16-1>;
891  * opaque psk<0..2^16-1>;
892  * };
893  * with "other_secret" depending on the particular key exchange
894  */
895 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
896  if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
897  {
898  if( end - p < 2 + (int) ssl->psk_len )
900 
901  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
902  *(p++) = (unsigned char)( ssl->psk_len );
903  p += ssl->psk_len;
904  }
905  else
906 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
907 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
908  if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
909  {
910  /*
911  * other_secret already set by the ClientKeyExchange message,
912  * and is 48 bytes long
913  */
914  *p++ = 0;
915  *p++ = 48;
916  p += 48;
917  }
918  else
919 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
920 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
921  if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
922  {
923  int ret;
924  size_t len = end - ( p + 2 );
925 
926  /* Write length only when we know the actual value */
927  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
928  p + 2, &len,
929  ssl->f_rng, ssl->p_rng ) ) != 0 )
930  {
931  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
932  return( ret );
933  }
934  *(p++) = (unsigned char)( len >> 8 );
935  *(p++) = (unsigned char)( len );
936  p += len;
937 
938  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
939  }
940  else
941 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
942 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
943  if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
944  {
945  int ret;
946  size_t zlen;
947 
948  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
949  p + 2, end - ( p + 2 ),
950  ssl->f_rng, ssl->p_rng ) ) != 0 )
951  {
952  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
953  return( ret );
954  }
955 
956  *(p++) = (unsigned char)( zlen >> 8 );
957  *(p++) = (unsigned char)( zlen );
958  p += zlen;
959 
960  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
961  }
962  else
963 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
964  {
965  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
967  }
968 
969  /* opaque psk<0..2^16-1>; */
970  if( end - p < 2 + (int) ssl->psk_len )
972 
973  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
974  *(p++) = (unsigned char)( ssl->psk_len );
975  memcpy( p, ssl->psk, ssl->psk_len );
976  p += ssl->psk_len;
977 
978  ssl->handshake->pmslen = p - ssl->handshake->premaster;
979 
980  return( 0 );
981 }
982 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
983 
984 #if defined(POLARSSL_SSL_PROTO_SSL3)
985 /*
986  * SSLv3.0 MAC functions
987  */
988 static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
989  unsigned char *buf, size_t len,
990  unsigned char *ctr, int type )
991 {
992  unsigned char header[11];
993  unsigned char padding[48];
994  int padlen = 0;
995  int md_size = md_get_size( md_ctx->md_info );
996  int md_type = md_get_type( md_ctx->md_info );
997 
998  if( md_type == POLARSSL_MD_MD5 )
999  padlen = 48;
1000  else if( md_type == POLARSSL_MD_SHA1 )
1001  padlen = 40;
1002  else if( md_type == POLARSSL_MD_SHA256 )
1003  padlen = 32;
1004  else if( md_type == POLARSSL_MD_SHA384 )
1005  padlen = 16;
1006 
1007  memcpy( header, ctr, 8 );
1008  header[ 8] = (unsigned char) type;
1009  header[ 9] = (unsigned char)( len >> 8 );
1010  header[10] = (unsigned char)( len );
1011 
1012  memset( padding, 0x36, padlen );
1013  md_starts( md_ctx );
1014  md_update( md_ctx, secret, md_size );
1015  md_update( md_ctx, padding, padlen );
1016  md_update( md_ctx, header, 11 );
1017  md_update( md_ctx, buf, len );
1018  md_finish( md_ctx, buf + len );
1019 
1020  memset( padding, 0x5C, padlen );
1021  md_starts( md_ctx );
1022  md_update( md_ctx, secret, md_size );
1023  md_update( md_ctx, padding, padlen );
1024  md_update( md_ctx, buf + len, md_size );
1025  md_finish( md_ctx, buf + len );
1026 }
1027 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1028 
1029 /*
1030  * Encryption/decryption functions
1031  */
1032 static int ssl_encrypt_buf( ssl_context *ssl )
1033 {
1034  size_t i;
1036  &ssl->transform_out->cipher_ctx_enc );
1037 
1038  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
1039 
1040  /*
1041  * Add MAC before encrypt, except for AEAD modes
1042  */
1043 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1044  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1045  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1046  if( mode != POLARSSL_MODE_GCM &&
1047  mode != POLARSSL_MODE_CCM )
1048  {
1049 #if defined(POLARSSL_SSL_PROTO_SSL3)
1050  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1051  {
1052  ssl_mac( &ssl->transform_out->md_ctx_enc,
1053  ssl->transform_out->mac_enc,
1054  ssl->out_msg, ssl->out_msglen,
1055  ssl->out_ctr, ssl->out_msgtype );
1056  }
1057  else
1058 #endif
1059 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1060  defined(POLARSSL_SSL_PROTO_TLS1_2)
1061  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1062  {
1063  md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1065  ssl->out_msg, ssl->out_msglen );
1067  ssl->out_msg + ssl->out_msglen );
1069  }
1070  else
1071 #endif
1072  {
1073  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1075  }
1076 
1077  SSL_DEBUG_BUF( 4, "computed mac",
1078  ssl->out_msg + ssl->out_msglen,
1079  ssl->transform_out->maclen );
1080 
1081  ssl->out_msglen += ssl->transform_out->maclen;
1082  }
1083 #endif /* AEAD not the only option */
1084 
1085  /*
1086  * Encrypt
1087  */
1088 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1089  if( mode == POLARSSL_MODE_STREAM )
1090  {
1091  int ret;
1092  size_t olen = 0;
1093 
1094  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1095  "including %d bytes of padding",
1096  ssl->out_msglen, 0 ) );
1097 
1098  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1099  ssl->out_msg, ssl->out_msglen );
1100 
1101  if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1102  ssl->transform_out->iv_enc,
1103  ssl->transform_out->ivlen,
1104  ssl->out_msg, ssl->out_msglen,
1105  ssl->out_msg, &olen ) ) != 0 )
1106  {
1107  SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1108  return( ret );
1109  }
1110 
1111  if( ssl->out_msglen != olen )
1112  {
1113  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1115  }
1116  }
1117  else
1118 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1119 #if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1120  if( mode == POLARSSL_MODE_GCM ||
1121  mode == POLARSSL_MODE_CCM )
1122  {
1123  int ret;
1124  size_t enc_msglen, olen;
1125  unsigned char *enc_msg;
1126  unsigned char add_data[13];
1127  unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
1129 
1130  memcpy( add_data, ssl->out_ctr, 8 );
1131  add_data[8] = ssl->out_msgtype;
1132  add_data[9] = ssl->major_ver;
1133  add_data[10] = ssl->minor_ver;
1134  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1135  add_data[12] = ssl->out_msglen & 0xFF;
1136 
1137  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1138  add_data, 13 );
1139 
1140  /*
1141  * Generate IV
1142  */
1143  ret = ssl->f_rng( ssl->p_rng,
1145  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1146  if( ret != 0 )
1147  return( ret );
1148 
1149  memcpy( ssl->out_iv,
1151  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1152 
1153  SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1154  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1155 
1156  /*
1157  * Fix pointer positions and message length with added IV
1158  */
1159  enc_msg = ssl->out_msg;
1160  enc_msglen = ssl->out_msglen;
1161  ssl->out_msglen += ssl->transform_out->ivlen -
1162  ssl->transform_out->fixed_ivlen;
1163 
1164  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1165  "including %d bytes of padding",
1166  ssl->out_msglen, 0 ) );
1167 
1168  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1169  ssl->out_msg, ssl->out_msglen );
1170 
1171  /*
1172  * Encrypt and authenticate
1173  */
1174  if( ( ret = cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
1175  ssl->transform_out->iv_enc,
1176  ssl->transform_out->ivlen,
1177  add_data, 13,
1178  enc_msg, enc_msglen,
1179  enc_msg, &olen,
1180  enc_msg + enc_msglen, taglen ) ) != 0 )
1181  {
1182  SSL_DEBUG_RET( 1, "cipher_auth_encrypt", ret );
1183  return( ret );
1184  }
1185 
1186  if( olen != enc_msglen )
1187  {
1188  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1190  }
1191 
1192  ssl->out_msglen += taglen;
1193 
1194  SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
1195  }
1196  else
1197 #endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
1198 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1199  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1200  if( mode == POLARSSL_MODE_CBC )
1201  {
1202  int ret;
1203  unsigned char *enc_msg;
1204  size_t enc_msglen, padlen, olen = 0;
1205 
1206  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1207  ssl->transform_out->ivlen;
1208  if( padlen == ssl->transform_out->ivlen )
1209  padlen = 0;
1210 
1211  for( i = 0; i <= padlen; i++ )
1212  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1213 
1214  ssl->out_msglen += padlen + 1;
1215 
1216  enc_msglen = ssl->out_msglen;
1217  enc_msg = ssl->out_msg;
1218 
1219 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1220  /*
1221  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1222  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1223  */
1224  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1225  {
1226  /*
1227  * Generate IV
1228  */
1229  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1230  ssl->transform_out->ivlen );
1231  if( ret != 0 )
1232  return( ret );
1233 
1234  memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1235  ssl->transform_out->ivlen );
1236 
1237  /*
1238  * Fix pointer positions and message length with added IV
1239  */
1240  enc_msg = ssl->out_msg;
1241  enc_msglen = ssl->out_msglen;
1242  ssl->out_msglen += ssl->transform_out->ivlen;
1243  }
1244 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1245 
1246  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1247  "including %d bytes of IV and %d bytes of padding",
1248  ssl->out_msglen, ssl->transform_out->ivlen,
1249  padlen + 1 ) );
1250 
1251  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1252  ssl->out_iv, ssl->out_msglen );
1253 
1254  if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1255  ssl->transform_out->iv_enc,
1256  ssl->transform_out->ivlen,
1257  enc_msg, enc_msglen,
1258  enc_msg, &olen ) ) != 0 )
1259  {
1260  SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1261  return( ret );
1262  }
1263 
1264  if( enc_msglen != olen )
1265  {
1266  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1268  }
1269 
1270 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1271  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1272  {
1273  /*
1274  * Save IV in SSL3 and TLS1
1275  */
1276  memcpy( ssl->transform_out->iv_enc,
1278  ssl->transform_out->ivlen );
1279  }
1280 #endif
1281  }
1282  else
1283 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1284  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1285  {
1286  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1288  }
1289 
1290  for( i = 8; i > 0; i-- )
1291  if( ++ssl->out_ctr[i - 1] != 0 )
1292  break;
1293 
1294  /* The loops goes to its end iff the counter is wrapping */
1295  if( i == 0 )
1296  {
1297  SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
1299  }
1300 
1301  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1302 
1303  return( 0 );
1304 }
1305 
1306 #define POLARSSL_SSL_MAX_MAC_SIZE 48
1307 
1308 static int ssl_decrypt_buf( ssl_context *ssl )
1309 {
1310  size_t i;
1312  &ssl->transform_in->cipher_ctx_dec );
1313 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1314  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1315  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1316  size_t padlen = 0, correct = 1;
1317 #endif
1318 
1319  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1320 
1321  if( ssl->in_msglen < ssl->transform_in->minlen )
1322  {
1323  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1324  ssl->in_msglen, ssl->transform_in->minlen ) );
1325  return( POLARSSL_ERR_SSL_INVALID_MAC );
1326  }
1327 
1328 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1329  if( mode == POLARSSL_MODE_STREAM )
1330  {
1331  int ret;
1332  size_t olen = 0;
1333 
1334  padlen = 0;
1335 
1336  if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1337  ssl->transform_in->iv_dec,
1338  ssl->transform_in->ivlen,
1339  ssl->in_msg, ssl->in_msglen,
1340  ssl->in_msg, &olen ) ) != 0 )
1341  {
1342  SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1343  return( ret );
1344  }
1345 
1346  if( ssl->in_msglen != olen )
1347  {
1348  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1350  }
1351  }
1352  else
1353 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1354 #if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1355  if( mode == POLARSSL_MODE_GCM ||
1356  mode == POLARSSL_MODE_CCM )
1357  {
1358  int ret;
1359  size_t dec_msglen, olen;
1360  unsigned char *dec_msg;
1361  unsigned char *dec_msg_result;
1362  unsigned char add_data[13];
1363  unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
1365  unsigned char explicit_iv_len = ssl->transform_in->ivlen -
1366  ssl->transform_in->fixed_ivlen;
1367 
1368  if( ssl->in_msglen < explicit_iv_len + taglen )
1369  {
1370  SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1371  "+ taglen (%d)", ssl->in_msglen,
1372  explicit_iv_len, taglen ) );
1373  return( POLARSSL_ERR_SSL_INVALID_MAC );
1374  }
1375  dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
1376 
1377  dec_msg = ssl->in_msg;
1378  dec_msg_result = ssl->in_msg;
1379  ssl->in_msglen = dec_msglen;
1380 
1381  memcpy( add_data, ssl->in_ctr, 8 );
1382  add_data[8] = ssl->in_msgtype;
1383  add_data[9] = ssl->major_ver;
1384  add_data[10] = ssl->minor_ver;
1385  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1386  add_data[12] = ssl->in_msglen & 0xFF;
1387 
1388  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1389  add_data, 13 );
1390 
1391  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1392  ssl->in_iv,
1393  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1394 
1395  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1396  ssl->transform_in->ivlen );
1397  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
1398 
1399  /*
1400  * Decrypt and authenticate
1401  */
1402  if( ( ret = cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
1403  ssl->transform_in->iv_dec,
1404  ssl->transform_in->ivlen,
1405  add_data, 13,
1406  dec_msg, dec_msglen,
1407  dec_msg_result, &olen,
1408  dec_msg + dec_msglen, taglen ) ) != 0 )
1409  {
1410  SSL_DEBUG_RET( 1, "cipher_auth_decrypt", ret );
1411 
1412  if( ret == POLARSSL_ERR_CIPHER_AUTH_FAILED )
1413  return( POLARSSL_ERR_SSL_INVALID_MAC );
1414 
1415  return( ret );
1416  }
1417 
1418  if( olen != dec_msglen )
1419  {
1420  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1422  }
1423  }
1424  else
1425 #endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
1426 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1427  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1428  if( mode == POLARSSL_MODE_CBC )
1429  {
1430  /*
1431  * Decrypt and check the padding
1432  */
1433  int ret;
1434  unsigned char *dec_msg;
1435  unsigned char *dec_msg_result;
1436  size_t dec_msglen;
1437  size_t minlen = 0;
1438  size_t olen = 0;
1439 
1440  /*
1441  * Check immediate ciphertext sanity
1442  */
1443  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1444  {
1445  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1446  ssl->in_msglen, ssl->transform_in->ivlen ) );
1447  return( POLARSSL_ERR_SSL_INVALID_MAC );
1448  }
1449 
1450 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1451  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1452  minlen += ssl->transform_in->ivlen;
1453 #endif
1454 
1455  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1456  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1457  {
1458  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1459  "+ 1 ) ( + expl IV )", ssl->in_msglen,
1460  ssl->transform_in->ivlen,
1461  ssl->transform_in->maclen ) );
1462  return( POLARSSL_ERR_SSL_INVALID_MAC );
1463  }
1464 
1465  dec_msglen = ssl->in_msglen;
1466  dec_msg = ssl->in_msg;
1467  dec_msg_result = ssl->in_msg;
1468 
1469 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1470  /*
1471  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1472  */
1473  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1474  {
1475  dec_msglen -= ssl->transform_in->ivlen;
1476  ssl->in_msglen -= ssl->transform_in->ivlen;
1477 
1478  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1479  ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1480  }
1481 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1482 
1483  if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1484  ssl->transform_in->iv_dec,
1485  ssl->transform_in->ivlen,
1486  dec_msg, dec_msglen,
1487  dec_msg_result, &olen ) ) != 0 )
1488  {
1489  SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1490  return( ret );
1491  }
1492 
1493  if( dec_msglen != olen )
1494  {
1495  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1497  }
1498 
1499 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1500  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1501  {
1502  /*
1503  * Save IV in SSL3 and TLS1
1504  */
1505  memcpy( ssl->transform_in->iv_dec,
1507  ssl->transform_in->ivlen );
1508  }
1509 #endif
1510 
1511  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1512 
1513  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1514  {
1515 #if defined(POLARSSL_SSL_DEBUG_ALL)
1516  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1517  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1518 #endif
1519  padlen = 0;
1520  correct = 0;
1521  }
1522 
1523 #if defined(POLARSSL_SSL_PROTO_SSL3)
1524  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1525  {
1526  if( padlen > ssl->transform_in->ivlen )
1527  {
1528 #if defined(POLARSSL_SSL_DEBUG_ALL)
1529  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1530  "should be no more than %d",
1531  padlen, ssl->transform_in->ivlen ) );
1532 #endif
1533  correct = 0;
1534  }
1535  }
1536  else
1537 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1538 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1539  defined(POLARSSL_SSL_PROTO_TLS1_2)
1540  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1541  {
1542  /*
1543  * TLSv1+: always check the padding up to the first failure
1544  * and fake check up to 256 bytes of padding
1545  */
1546  size_t pad_count = 0, real_count = 1;
1547  size_t padding_idx = ssl->in_msglen - padlen - 1;
1548 
1549  /*
1550  * Padding is guaranteed to be incorrect if:
1551  * 1. padlen >= ssl->in_msglen
1552  *
1553  * 2. padding_idx >= SSL_MAX_CONTENT_LEN +
1554  * ssl->transform_in->maclen
1555  *
1556  * In both cases we reset padding_idx to a safe value (0) to
1557  * prevent out-of-buffer reads.
1558  */
1559  correct &= ( ssl->in_msglen >= padlen + 1 );
1560  correct &= ( padding_idx < SSL_MAX_CONTENT_LEN +
1561  ssl->transform_in->maclen );
1562 
1563  padding_idx *= correct;
1564 
1565  for( i = 1; i <= 256; i++ )
1566  {
1567  real_count &= ( i <= padlen );
1568  pad_count += real_count *
1569  ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1570  }
1571 
1572  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1573 
1574 #if defined(POLARSSL_SSL_DEBUG_ALL)
1575  if( padlen > 0 && correct == 0 )
1576  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1577 #endif
1578  padlen &= correct * 0x1FF;
1579  }
1580  else
1581 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1582  POLARSSL_SSL_PROTO_TLS1_2 */
1583  {
1584  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1586  }
1587  }
1588  else
1589 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1590  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1591  {
1592  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1594  }
1595 
1596  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1597  ssl->in_msg, ssl->in_msglen );
1598 
1599  /*
1600  * Always compute the MAC (RFC4346, CBCTIME), except for AEAD of course
1601  */
1602 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1603  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1604  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1605  if( mode != POLARSSL_MODE_GCM &&
1606  mode != POLARSSL_MODE_CCM )
1607  {
1608  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1609 
1610  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1611 
1612  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1613  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1614 
1615  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1616 
1617 #if defined(POLARSSL_SSL_PROTO_SSL3)
1618  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1619  {
1620  ssl_mac( &ssl->transform_in->md_ctx_dec,
1621  ssl->transform_in->mac_dec,
1622  ssl->in_msg, ssl->in_msglen,
1623  ssl->in_ctr, ssl->in_msgtype );
1624  }
1625  else
1626 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1627 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1628  defined(POLARSSL_SSL_PROTO_TLS1_2)
1629  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1630  {
1631  /*
1632  * Process MAC and always update for padlen afterwards to make
1633  * total time independent of padlen
1634  *
1635  * extra_run compensates MAC check for padlen
1636  *
1637  * Known timing attacks:
1638  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1639  *
1640  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1641  * correctly. (We round down instead of up, so -56 is the correct
1642  * value for our calculations instead of -55)
1643  */
1644  size_t j, extra_run = 0;
1645  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1646  ( 13 + ssl->in_msglen + 8 ) / 64;
1647 
1648  extra_run &= correct * 0xFF;
1649 
1650  md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1652  ssl->in_msglen );
1654  ssl->in_msg + ssl->in_msglen );
1655  for( j = 0; j < extra_run; j++ )
1656  md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1657 
1659  }
1660  else
1661 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1662  POLARSSL_SSL_PROTO_TLS1_2 */
1663  {
1664  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1666  }
1667 
1668  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1669  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1670  ssl->transform_in->maclen );
1671 
1672  if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1673  ssl->transform_in->maclen ) != 0 )
1674  {
1675 #if defined(POLARSSL_SSL_DEBUG_ALL)
1676  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1677 #endif
1678  correct = 0;
1679  }
1680 
1681  /*
1682  * Finally check the correct flag
1683  */
1684  if( correct == 0 )
1685  return( POLARSSL_ERR_SSL_INVALID_MAC );
1686  }
1687 #endif /* AEAD not the only option */
1688 
1689  if( ssl->in_msglen == 0 )
1690  {
1691  ssl->nb_zero++;
1692 
1693  /*
1694  * Three or more empty messages may be a DoS attack
1695  * (excessive CPU consumption).
1696  */
1697  if( ssl->nb_zero > 3 )
1698  {
1699  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1700  "messages, possible DoS attack" ) );
1701  return( POLARSSL_ERR_SSL_INVALID_MAC );
1702  }
1703  }
1704  else
1705  ssl->nb_zero = 0;
1706 
1707  for( i = 8; i > 0; i-- )
1708  if( ++ssl->in_ctr[i - 1] != 0 )
1709  break;
1710 
1711  /* The loops goes to its end iff the counter is wrapping */
1712  if( i == 0 )
1713  {
1714  SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
1716  }
1717 
1718  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1719 
1720  return( 0 );
1721 }
1722 
1723 #if defined(POLARSSL_ZLIB_SUPPORT)
1724 /*
1725  * Compression/decompression functions
1726  */
1727 static int ssl_compress_buf( ssl_context *ssl )
1728 {
1729  int ret;
1730  unsigned char *msg_post = ssl->out_msg;
1731  size_t len_pre = ssl->out_msglen;
1732  unsigned char *msg_pre = ssl->compress_buf;
1733 
1734  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1735 
1736  if( len_pre == 0 )
1737  return( 0 );
1738 
1739  memcpy( msg_pre, ssl->out_msg, len_pre );
1740 
1741  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1742  ssl->out_msglen ) );
1743 
1744  SSL_DEBUG_BUF( 4, "before compression: output payload",
1745  ssl->out_msg, ssl->out_msglen );
1746 
1747  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1748  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1749  ssl->transform_out->ctx_deflate.next_out = msg_post;
1750  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1751 
1752  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1753  if( ret != Z_OK )
1754  {
1755  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1757  }
1758 
1759  ssl->out_msglen = SSL_BUFFER_LEN -
1760  ssl->transform_out->ctx_deflate.avail_out;
1761 
1762  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1763  ssl->out_msglen ) );
1764 
1765  SSL_DEBUG_BUF( 4, "after compression: output payload",
1766  ssl->out_msg, ssl->out_msglen );
1767 
1768  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1769 
1770  return( 0 );
1771 }
1772 
1773 static int ssl_decompress_buf( ssl_context *ssl )
1774 {
1775  int ret;
1776  unsigned char *msg_post = ssl->in_msg;
1777  size_t len_pre = ssl->in_msglen;
1778  unsigned char *msg_pre = ssl->compress_buf;
1779 
1780  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1781 
1782  if( len_pre == 0 )
1783  return( 0 );
1784 
1785  memcpy( msg_pre, ssl->in_msg, len_pre );
1786 
1787  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1788  ssl->in_msglen ) );
1789 
1790  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1791  ssl->in_msg, ssl->in_msglen );
1792 
1793  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1794  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1795  ssl->transform_in->ctx_inflate.next_out = msg_post;
1796  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1797 
1798  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1799  if( ret != Z_OK )
1800  {
1801  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1803  }
1804 
1806  ssl->transform_in->ctx_inflate.avail_out;
1807 
1808  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1809  ssl->in_msglen ) );
1810 
1811  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1812  ssl->in_msg, ssl->in_msglen );
1813 
1814  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1815 
1816  return( 0 );
1817 }
1818 #endif /* POLARSSL_ZLIB_SUPPORT */
1819 
1820 /*
1821  * Fill the input message buffer
1822  */
1823 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1824 {
1825  int ret;
1826  size_t len;
1827 
1828  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1829 
1830  if( nb_want > SSL_BUFFER_LEN - 8 )
1831  {
1832  SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1834  }
1835 
1836  while( ssl->in_left < nb_want )
1837  {
1838  len = nb_want - ssl->in_left;
1839  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1840 
1841  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1842  ssl->in_left, nb_want ) );
1843  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1844 
1845  if( ret == 0 )
1846  return( POLARSSL_ERR_SSL_CONN_EOF );
1847 
1848  if( ret < 0 )
1849  return( ret );
1850 
1851  ssl->in_left += ret;
1852  }
1853 
1854  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1855 
1856  return( 0 );
1857 }
1858 
1859 /*
1860  * Flush any data not yet written
1861  */
1862 int ssl_flush_output( ssl_context *ssl )
1863 {
1864  int ret;
1865  unsigned char *buf;
1866 
1867  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1868 
1869  while( ssl->out_left > 0 )
1870  {
1871  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1872  5 + ssl->out_msglen, ssl->out_left ) );
1873 
1874  buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1875  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1876 
1877  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1878 
1879  if( ret <= 0 )
1880  return( ret );
1881 
1882  ssl->out_left -= ret;
1883  }
1884 
1885  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1886 
1887  return( 0 );
1888 }
1889 
1890 /*
1891  * Record layer functions
1892  */
1893 int ssl_write_record( ssl_context *ssl )
1894 {
1895  int ret, done = 0;
1896  size_t len = ssl->out_msglen;
1897 
1898  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1899 
1900  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1901  {
1902  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1903  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1904  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1905 
1906  if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
1907  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1908  }
1909 
1910 #if defined(POLARSSL_ZLIB_SUPPORT)
1911  if( ssl->transform_out != NULL &&
1913  {
1914  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1915  {
1916  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1917  return( ret );
1918  }
1919 
1920  len = ssl->out_msglen;
1921  }
1922 #endif /*POLARSSL_ZLIB_SUPPORT */
1923 
1924 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1925  if( ssl_hw_record_write != NULL )
1926  {
1927  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1928 
1929  ret = ssl_hw_record_write( ssl );
1930  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1931  {
1932  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1934  }
1935 
1936  if( ret == 0 )
1937  done = 1;
1938  }
1939 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
1940  if( !done )
1941  {
1942  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1943  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1944  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1945  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1946  ssl->out_hdr[4] = (unsigned char)( len );
1947 
1948  if( ssl->transform_out != NULL )
1949  {
1950  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1951  {
1952  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1953  return( ret );
1954  }
1955 
1956  len = ssl->out_msglen;
1957  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1958  ssl->out_hdr[4] = (unsigned char)( len );
1959  }
1960 
1961  ssl->out_left = 5 + ssl->out_msglen;
1962 
1963  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1964  "version = [%d:%d], msglen = %d",
1965  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1966  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1967 
1968  SSL_DEBUG_BUF( 4, "output record sent to network",
1969  ssl->out_hdr, 5 + ssl->out_msglen );
1970  }
1971 
1972  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1973  {
1974  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1975  return( ret );
1976  }
1977 
1978  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1979 
1980  return( 0 );
1981 }
1982 
1983 int ssl_read_record( ssl_context *ssl )
1984 {
1985  int ret, done = 0;
1986 
1987  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1988 
1989  if( ssl->in_hslen != 0 &&
1990  ssl->in_hslen < ssl->in_msglen )
1991  {
1992  /*
1993  * Get next Handshake message in the current record
1994  */
1995  ssl->in_msglen -= ssl->in_hslen;
1996 
1997  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
1998  ssl->in_msglen );
1999 
2000  ssl->in_hslen = 4;
2001  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2002 
2003  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2004  " %d, type = %d, hslen = %d",
2005  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2006 
2007  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2008  {
2009  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2011  }
2012 
2013  if( ssl->in_msglen < ssl->in_hslen )
2014  {
2015  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2017  }
2018 
2019  if( ssl->state != SSL_HANDSHAKE_OVER )
2020  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2021 
2022  return( 0 );
2023  }
2024 
2025  ssl->in_hslen = 0;
2026 
2027  /*
2028  * Read the record header and validate it
2029  */
2030  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2031  {
2032  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2033  return( ret );
2034  }
2035 
2036  ssl->in_msgtype = ssl->in_hdr[0];
2037  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2038 
2039  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2040  "version = [%d:%d], msglen = %d",
2041  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2042  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2043 
2044  if( ssl->in_hdr[1] != ssl->major_ver )
2045  {
2046  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
2048  }
2049 
2050  if( ssl->in_hdr[2] > ssl->max_minor_ver )
2051  {
2052  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
2054  }
2055 
2056  /* Sanity check (outer boundaries) */
2057  if( ssl->in_msglen < 1 || ssl->in_msglen > SSL_BUFFER_LEN - 13 )
2058  {
2059  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2061  }
2062 
2063  /*
2064  * Make sure the message length is acceptable for the current transform
2065  * and protocol version.
2066  */
2067  if( ssl->transform_in == NULL )
2068  {
2069  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2070  {
2071  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2073  }
2074  }
2075  else
2076  {
2077  if( ssl->in_msglen < ssl->transform_in->minlen )
2078  {
2079  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2081  }
2082 
2083 #if defined(POLARSSL_SSL_PROTO_SSL3)
2084  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2086  {
2087  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2089  }
2090 #endif
2091 
2092 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2093  defined(POLARSSL_SSL_PROTO_TLS1_2)
2094  /*
2095  * TLS encrypted messages can have up to 256 bytes of padding
2096  */
2097  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2098  ssl->in_msglen > ssl->transform_in->minlen +
2099  SSL_MAX_CONTENT_LEN + 256 )
2100  {
2101  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2103  }
2104 #endif
2105  }
2106 
2107  /*
2108  * Read and optionally decrypt the message contents
2109  */
2110  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2111  {
2112  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2113  return( ret );
2114  }
2115 
2116  SSL_DEBUG_BUF( 4, "input record from network",
2117  ssl->in_hdr, 5 + ssl->in_msglen );
2118 
2119 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2120  if( ssl_hw_record_read != NULL )
2121  {
2122  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2123 
2124  ret = ssl_hw_record_read( ssl );
2125  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2126  {
2127  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2129  }
2130 
2131  if( ret == 0 )
2132  done = 1;
2133  }
2134 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
2135  if( !done && ssl->transform_in != NULL )
2136  {
2137  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2138  {
2139 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2140  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2141  {
2145  }
2146 #endif
2147  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2148  return( ret );
2149  }
2150 
2151  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2152  ssl->in_msg, ssl->in_msglen );
2153 
2154  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2155  {
2156  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2158  }
2159  }
2160 
2161 #if defined(POLARSSL_ZLIB_SUPPORT)
2162  if( ssl->transform_in != NULL &&
2164  {
2165  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2166  {
2167  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2168  return( ret );
2169  }
2170 
2171  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2172  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2173  }
2174 #endif /* POLARSSL_ZLIB_SUPPORT */
2175 
2176  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2177  ssl->in_msgtype != SSL_MSG_ALERT &&
2180  {
2181  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2182 
2183  if( ( ret = ssl_send_alert_message( ssl,
2186  {
2187  return( ret );
2188  }
2189 
2191  }
2192 
2193  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2194  {
2195  ssl->in_hslen = 4;
2196  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2197 
2198  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2199  " %d, type = %d, hslen = %d",
2200  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2201 
2202  /*
2203  * Additional checks to validate the handshake header
2204  */
2205  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2206  {
2207  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2209  }
2210 
2211  if( ssl->in_msglen < ssl->in_hslen )
2212  {
2213  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2215  }
2216 
2217  if( ssl->state != SSL_HANDSHAKE_OVER )
2218  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2219  }
2220 
2221  if( ssl->in_msgtype == SSL_MSG_ALERT )
2222  {
2223  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2224  ssl->in_msg[0], ssl->in_msg[1] ) );
2225 
2226  /*
2227  * Ignore non-fatal alerts, except close_notify
2228  */
2229  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2230  {
2231  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2232  ssl->in_msg[1] ) );
2238  }
2239 
2240  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2241  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2242  {
2243  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2245  }
2246  }
2247 
2248  ssl->in_left = 0;
2249 
2250  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2251 
2252  return( 0 );
2253 }
2254 
2256 {
2257  int ret;
2258 
2259  if( ( ret = ssl_send_alert_message( ssl,
2262  {
2263  return( ret );
2264  }
2265 
2266  return( 0 );
2267 }
2268 
2270  unsigned char level,
2271  unsigned char message )
2272 {
2273  int ret;
2274 
2275  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2276 
2277  ssl->out_msgtype = SSL_MSG_ALERT;
2278  ssl->out_msglen = 2;
2279  ssl->out_msg[0] = level;
2280  ssl->out_msg[1] = message;
2281 
2282  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2283  {
2284  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2285  return( ret );
2286  }
2287 
2288  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2289 
2290  return( 0 );
2291 }
2292 
2293 /*
2294  * Handshake functions
2295  */
2296 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2297  !defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
2298  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2299  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2300  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
2301  !defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2302  !defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2304 {
2305  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2306 
2307  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2308 
2309  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2310  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2311  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2312  {
2313  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2314  ssl->state++;
2315  return( 0 );
2316  }
2317 
2318  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2320 }
2321 
2323 {
2324  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2325 
2326  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2327 
2328  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2329  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2330  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2331  {
2332  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2333  ssl->state++;
2334  return( 0 );
2335  }
2336 
2337  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2339 }
2340 #else
2342 {
2344  size_t i, n;
2345  const x509_crt *crt;
2346  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2347 
2348  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2349 
2350  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2351  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2352  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2353  {
2354  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2355  ssl->state++;
2356  return( 0 );
2357  }
2358 
2359  if( ssl->endpoint == SSL_IS_CLIENT )
2360  {
2361  if( ssl->client_auth == 0 )
2362  {
2363  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2364  ssl->state++;
2365  return( 0 );
2366  }
2367 
2368 #if defined(POLARSSL_SSL_PROTO_SSL3)
2369  /*
2370  * If using SSLv3 and got no cert, send an Alert message
2371  * (otherwise an empty Certificate message will be sent).
2372  */
2373  if( ssl_own_cert( ssl ) == NULL &&
2374  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2375  {
2376  ssl->out_msglen = 2;
2377  ssl->out_msgtype = SSL_MSG_ALERT;
2378  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2379  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2380 
2381  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2382  goto write_msg;
2383  }
2384 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2385  }
2386  else /* SSL_IS_SERVER */
2387  {
2388  if( ssl_own_cert( ssl ) == NULL )
2389  {
2390  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2392  }
2393  }
2394 
2395  SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
2396 
2397  /*
2398  * 0 . 0 handshake type
2399  * 1 . 3 handshake length
2400  * 4 . 6 length of all certs
2401  * 7 . 9 length of cert. 1
2402  * 10 . n-1 peer certificate
2403  * n . n+2 length of cert. 2
2404  * n+3 . ... upper level cert, etc.
2405  */
2406  i = 7;
2407  crt = ssl_own_cert( ssl );
2408 
2409  while( crt != NULL )
2410  {
2411  n = crt->raw.len;
2412  if( n > SSL_MAX_CONTENT_LEN - 3 - i )
2413  {
2414  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2415  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2417  }
2418 
2419  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2420  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2421  ssl->out_msg[i + 2] = (unsigned char)( n );
2422 
2423  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2424  i += n; crt = crt->next;
2425  }
2426 
2427  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2428  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2429  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2430 
2431  ssl->out_msglen = i;
2433  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2434 
2435 #if defined(POLARSSL_SSL_PROTO_SSL3)
2436 write_msg:
2437 #endif
2438 
2439  ssl->state++;
2440 
2441  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2442  {
2443  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2444  return( ret );
2445  }
2446 
2447  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2448 
2449  return( ret );
2450 }
2451 
2453 {
2455  size_t i, n;
2456  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2457 
2458  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2459 
2460  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2461  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2462  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2463  {
2464  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2465  ssl->state++;
2466  return( 0 );
2467  }
2468 
2469  if( ssl->endpoint == SSL_IS_SERVER &&
2470  ( ssl->authmode == SSL_VERIFY_NONE ||
2471  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
2472  {
2474  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2475  ssl->state++;
2476  return( 0 );
2477  }
2478 
2479  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2480  {
2481  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2482  return( ret );
2483  }
2484 
2485  ssl->state++;
2486 
2487 #if defined(POLARSSL_SSL_PROTO_SSL3)
2488  /*
2489  * Check if the client sent an empty certificate
2490  */
2491  if( ssl->endpoint == SSL_IS_SERVER &&
2492  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2493  {
2494  if( ssl->in_msglen == 2 &&
2495  ssl->in_msgtype == SSL_MSG_ALERT &&
2496  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2497  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2498  {
2499  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2500 
2502  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2503  return( 0 );
2504  else
2506  }
2507  }
2508 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2509 
2510 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2511  defined(POLARSSL_SSL_PROTO_TLS1_2)
2512  if( ssl->endpoint == SSL_IS_SERVER &&
2513  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2514  {
2515  if( ssl->in_hslen == 7 &&
2516  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2517  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2518  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2519  {
2520  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2521 
2523  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2525  else
2526  return( 0 );
2527  }
2528  }
2529 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2530  POLARSSL_SSL_PROTO_TLS1_2 */
2531 
2532  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2533  {
2534  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2536  }
2537 
2538  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2539  {
2540  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2542  }
2543 
2544  /*
2545  * Same message structure as in ssl_write_certificate()
2546  */
2547  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2548 
2549  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2550  {
2551  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2553  }
2554 
2555  /* In case we tried to reuse a session but it failed */
2556  if( ssl->session_negotiate->peer_cert != NULL )
2557  {
2560  }
2561 
2563  sizeof( x509_crt ) ) ) == NULL )
2564  {
2565  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2566  sizeof( x509_crt ) ) );
2568  }
2569 
2571 
2572  i = 7;
2573 
2574  while( i < ssl->in_hslen )
2575  {
2576  if( ssl->in_msg[i] != 0 )
2577  {
2578  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2580  }
2581 
2582  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2583  | (unsigned int) ssl->in_msg[i + 2];
2584  i += 3;
2585 
2586  if( n < 128 || i + n > ssl->in_hslen )
2587  {
2588  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2590  }
2591 
2593  ssl->in_msg + i, n );
2594  if( ret != 0 )
2595  {
2596  SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
2597  return( ret );
2598  }
2599 
2600  i += n;
2601  }
2602 
2603  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2604 
2605  /*
2606  * On client, make sure the server cert doesn't change during renego to
2607  * avoid "triple handshake" attack: https://secure-resumption.com/
2608  */
2609  if( ssl->endpoint == SSL_IS_CLIENT &&
2611  {
2612  if( ssl->session->peer_cert == NULL )
2613  {
2614  SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
2616  }
2617 
2618  if( ssl->session->peer_cert->raw.len !=
2620  memcmp( ssl->session->peer_cert->raw.p,
2622  ssl->session->peer_cert->raw.len ) != 0 )
2623  {
2624  SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
2626  }
2627  }
2628 
2629  if( ssl->authmode != SSL_VERIFY_NONE )
2630  {
2631  if( ssl->ca_chain == NULL )
2632  {
2633  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2635  }
2636 
2637  /*
2638  * Main check: verify certificate
2639  */
2641  ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2643  ssl->f_vrfy, ssl->p_vrfy );
2644 
2645  if( ret != 0 )
2646  {
2647  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2648  }
2649 
2650  /*
2651  * Secondary checks: always done, but change 'ret' only if it was 0
2652  */
2653 
2654 #if defined(POLARSSL_SSL_SET_CURVES)
2655  {
2656  pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
2657 
2658  /* If certificate uses an EC key, make sure the curve is OK */
2659  if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
2660  ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
2661  {
2662  SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
2663  if( ret == 0 )
2665  }
2666  }
2667 #endif /* POLARSSL_SSL_SET_CURVES */
2668 
2670  ciphersuite_info,
2671  ! ssl->endpoint ) != 0 )
2672  {
2673  SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
2674  if( ret == 0 )
2676  }
2677 
2678  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2679  ret = 0;
2680  }
2681 
2682  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2683 
2684  return( ret );
2685 }
2686 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED
2687  !POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
2688  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
2689  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2690  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2691  !POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
2692  !POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2693 
2695 {
2696  int ret;
2697 
2698  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2699 
2701  ssl->out_msglen = 1;
2702  ssl->out_msg[0] = 1;
2703 
2704  ssl->state++;
2705 
2706  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2707  {
2708  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2709  return( ret );
2710  }
2711 
2712  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2713 
2714  return( 0 );
2715 }
2716 
2718 {
2719  int ret;
2720 
2721  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2722 
2723  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2724  {
2725  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2726  return( ret );
2727  }
2728 
2730  {
2731  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2733  }
2734 
2735  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2736  {
2737  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2739  }
2740 
2741  ssl->state++;
2742 
2743  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2744 
2745  return( 0 );
2746 }
2747 
2749  const ssl_ciphersuite_t *ciphersuite_info )
2750 {
2751  ((void) ciphersuite_info);
2752 
2753 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2754  defined(POLARSSL_SSL_PROTO_TLS1_1)
2755  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2756  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2757  else
2758 #endif
2759 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2760 #if defined(POLARSSL_SHA512_C)
2761  if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2762  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2763  else
2764 #endif
2765 #if defined(POLARSSL_SHA256_C)
2766  if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
2767  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2768  else
2769 #endif
2770 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2771  {
2772  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2773  return;
2774  }
2775 }
2776 
2777 static void ssl_update_checksum_start( ssl_context *ssl,
2778  const unsigned char *buf, size_t len )
2779 {
2780 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2781  defined(POLARSSL_SSL_PROTO_TLS1_1)
2782  md5_update( &ssl->handshake->fin_md5 , buf, len );
2783  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2784 #endif
2785 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2786 #if defined(POLARSSL_SHA256_C)
2787  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2788 #endif
2789 #if defined(POLARSSL_SHA512_C)
2790  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2791 #endif
2792 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2793 }
2794 
2795 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2796  defined(POLARSSL_SSL_PROTO_TLS1_1)
2797 static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2798  const unsigned char *buf, size_t len )
2799 {
2800  md5_update( &ssl->handshake->fin_md5 , buf, len );
2801  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2802 }
2803 #endif
2804 
2805 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2806 #if defined(POLARSSL_SHA256_C)
2807 static void ssl_update_checksum_sha256( ssl_context *ssl,
2808  const unsigned char *buf, size_t len )
2809 {
2810  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2811 }
2812 #endif
2813 
2814 #if defined(POLARSSL_SHA512_C)
2815 static void ssl_update_checksum_sha384( ssl_context *ssl,
2816  const unsigned char *buf, size_t len )
2817 {
2818  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2819 }
2820 #endif
2821 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2822 
2823 #if defined(POLARSSL_SSL_PROTO_SSL3)
2824 static void ssl_calc_finished_ssl(
2825  ssl_context *ssl, unsigned char *buf, int from )
2826 {
2827  const char *sender;
2828  md5_context md5;
2830 
2831  unsigned char padbuf[48];
2832  unsigned char md5sum[16];
2833  unsigned char sha1sum[20];
2834 
2835  ssl_session *session = ssl->session_negotiate;
2836  if( !session )
2837  session = ssl->session;
2838 
2839  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2840 
2841  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2842  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2843 
2844  /*
2845  * SSLv3:
2846  * hash =
2847  * MD5( master + pad2 +
2848  * MD5( handshake + sender + master + pad1 ) )
2849  * + SHA1( master + pad2 +
2850  * SHA1( handshake + sender + master + pad1 ) )
2851  */
2852 
2853 #if !defined(POLARSSL_MD5_ALT)
2854  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2855  md5.state, sizeof( md5.state ) );
2856 #endif
2857 
2858 #if !defined(POLARSSL_SHA1_ALT)
2859  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2860  sha1.state, sizeof( sha1.state ) );
2861 #endif
2862 
2863  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2864  : "SRVR";
2865 
2866  memset( padbuf, 0x36, 48 );
2867 
2868  md5_update( &md5, (const unsigned char *) sender, 4 );
2869  md5_update( &md5, session->master, 48 );
2870  md5_update( &md5, padbuf, 48 );
2871  md5_finish( &md5, md5sum );
2872 
2873  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2874  sha1_update( &sha1, session->master, 48 );
2875  sha1_update( &sha1, padbuf, 40 );
2876  sha1_finish( &sha1, sha1sum );
2877 
2878  memset( padbuf, 0x5C, 48 );
2879 
2880  md5_starts( &md5 );
2881  md5_update( &md5, session->master, 48 );
2882  md5_update( &md5, padbuf, 48 );
2883  md5_update( &md5, md5sum, 16 );
2884  md5_finish( &md5, buf );
2885 
2886  sha1_starts( &sha1 );
2887  sha1_update( &sha1, session->master, 48 );
2888  sha1_update( &sha1, padbuf , 40 );
2889  sha1_update( &sha1, sha1sum, 20 );
2890  sha1_finish( &sha1, buf + 16 );
2891 
2892  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2893 
2894  md5_free( &md5 );
2895  sha1_free( &sha1 );
2896 
2897  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2898  polarssl_zeroize( md5sum, sizeof( md5sum ) );
2899  polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
2900 
2901  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2902 }
2903 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2904 
2905 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
2906 static void ssl_calc_finished_tls(
2907  ssl_context *ssl, unsigned char *buf, int from )
2908 {
2909  int len = 12;
2910  const char *sender;
2911  md5_context md5;
2913  unsigned char padbuf[36];
2914 
2915  ssl_session *session = ssl->session_negotiate;
2916  if( !session )
2917  session = ssl->session;
2918 
2919  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2920 
2921  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2922  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2923 
2924  /*
2925  * TLSv1:
2926  * hash = PRF( master, finished_label,
2927  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2928  */
2929 
2930 #if !defined(POLARSSL_MD5_ALT)
2931  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2932  md5.state, sizeof( md5.state ) );
2933 #endif
2934 
2935 #if !defined(POLARSSL_SHA1_ALT)
2936  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2937  sha1.state, sizeof( sha1.state ) );
2938 #endif
2939 
2940  sender = ( from == SSL_IS_CLIENT )
2941  ? "client finished"
2942  : "server finished";
2943 
2944  md5_finish( &md5, padbuf );
2945  sha1_finish( &sha1, padbuf + 16 );
2946 
2947  ssl->handshake->tls_prf( session->master, 48, sender,
2948  padbuf, 36, buf, len );
2949 
2950  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2951 
2952  md5_free( &md5 );
2953  sha1_free( &sha1 );
2954 
2955  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2956 
2957  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2958 }
2959 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
2960 
2961 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2962 #if defined(POLARSSL_SHA256_C)
2963 static void ssl_calc_finished_tls_sha256(
2964  ssl_context *ssl, unsigned char *buf, int from )
2965 {
2966  int len = 12;
2967  const char *sender;
2969  unsigned char padbuf[32];
2970 
2971  ssl_session *session = ssl->session_negotiate;
2972  if( !session )
2973  session = ssl->session;
2974 
2975  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2976 
2977  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
2978 
2979  /*
2980  * TLSv1.2:
2981  * hash = PRF( master, finished_label,
2982  * Hash( handshake ) )[0.11]
2983  */
2984 
2985 #if !defined(POLARSSL_SHA256_ALT)
2986  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2987  sha256.state, sizeof( sha256.state ) );
2988 #endif
2989 
2990  sender = ( from == SSL_IS_CLIENT )
2991  ? "client finished"
2992  : "server finished";
2993 
2994  sha256_finish( &sha256, padbuf );
2995 
2996  ssl->handshake->tls_prf( session->master, 48, sender,
2997  padbuf, 32, buf, len );
2998 
2999  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3000 
3001  sha256_free( &sha256 );
3002 
3003  polarssl_zeroize( padbuf, sizeof( padbuf ) );
3004 
3005  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3006 }
3007 #endif /* POLARSSL_SHA256_C */
3008 
3009 #if defined(POLARSSL_SHA512_C)
3010 static void ssl_calc_finished_tls_sha384(
3011  ssl_context *ssl, unsigned char *buf, int from )
3012 {
3013  int len = 12;
3014  const char *sender;
3016  unsigned char padbuf[48];
3017 
3018  ssl_session *session = ssl->session_negotiate;
3019  if( !session )
3020  session = ssl->session;
3021 
3022  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
3023 
3024  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
3025 
3026  /*
3027  * TLSv1.2:
3028  * hash = PRF( master, finished_label,
3029  * Hash( handshake ) )[0.11]
3030  */
3031 
3032 #if !defined(POLARSSL_SHA512_ALT)
3033  SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3034  sha512.state, sizeof( sha512.state ) );
3035 #endif
3036 
3037  sender = ( from == SSL_IS_CLIENT )
3038  ? "client finished"
3039  : "server finished";
3040 
3041  sha512_finish( &sha512, padbuf );
3042 
3043  ssl->handshake->tls_prf( session->master, 48, sender,
3044  padbuf, 48, buf, len );
3045 
3046  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3047 
3048  sha512_free( &sha512 );
3049 
3050  polarssl_zeroize( padbuf, sizeof( padbuf ) );
3051 
3052  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3053 }
3054 #endif /* POLARSSL_SHA512_C */
3055 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3056 
3057 void ssl_handshake_wrapup( ssl_context *ssl )
3058 {
3059  int resume = ssl->handshake->resume;
3060 
3061  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3062 
3063  /*
3064  * Free our handshake params
3065  */
3066  ssl_handshake_free( ssl->handshake );
3067  polarssl_free( ssl->handshake );
3068  ssl->handshake = NULL;
3069 
3070  if( ssl->renegotiation == SSL_RENEGOTIATION )
3071  {
3073  ssl->renego_records_seen = 0;
3074  }
3075 
3076  /*
3077  * Switch in our now active transform context
3078  */
3079  if( ssl->transform )
3080  {
3081  ssl_transform_free( ssl->transform );
3082  polarssl_free( ssl->transform );
3083  }
3084  ssl->transform = ssl->transform_negotiate;
3085  ssl->transform_negotiate = NULL;
3086 
3087  if( ssl->session )
3088  {
3089  ssl_session_free( ssl->session );
3090  polarssl_free( ssl->session );
3091  }
3092  ssl->session = ssl->session_negotiate;
3093  ssl->session_negotiate = NULL;
3094 
3095  /*
3096  * Add cache entry
3097  */
3098  if( ssl->f_set_cache != NULL &&
3099  ssl->session->length != 0 &&
3100  resume == 0 )
3101  {
3102  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3103  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
3104  }
3105 
3106  ssl->state++;
3107 
3108  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3109 }
3110 
3111 int ssl_write_finished( ssl_context *ssl )
3112 {
3113  int ret, hash_len;
3114 
3115  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3116 
3117  /*
3118  * Set the out_msg pointer to the correct location based on IV length
3119  */
3120  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3121  {
3122  ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3124  }
3125  else
3126  ssl->out_msg = ssl->out_iv;
3127 
3128  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
3129 
3130  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3131  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3132 
3133  ssl->verify_data_len = hash_len;
3134  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
3135 
3136  ssl->out_msglen = 4 + hash_len;
3138  ssl->out_msg[0] = SSL_HS_FINISHED;
3139 
3140  /*
3141  * In case of session resuming, invert the client and server
3142  * ChangeCipherSpec messages order.
3143  */
3144  if( ssl->handshake->resume != 0 )
3145  {
3146  if( ssl->endpoint == SSL_IS_CLIENT )
3147  ssl->state = SSL_HANDSHAKE_WRAPUP;
3148  else
3150  }
3151  else
3152  ssl->state++;
3153 
3154  /*
3155  * Switch to our negotiated transform and session parameters for outbound
3156  * data.
3157  */
3158  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3159  ssl->transform_out = ssl->transform_negotiate;
3160  ssl->session_out = ssl->session_negotiate;
3161  memset( ssl->out_ctr, 0, 8 );
3162 
3163 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3164  if( ssl_hw_record_activate != NULL )
3165  {
3166  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3167  {
3168  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3170  }
3171  }
3172 #endif
3173 
3174  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3175  {
3176  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3177  return( ret );
3178  }
3179 
3180  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3181 
3182  return( 0 );
3183 }
3184 
3185 int ssl_parse_finished( ssl_context *ssl )
3186 {
3187  int ret;
3188  unsigned int hash_len;
3189  unsigned char buf[36];
3190 
3191  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3192 
3193  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
3194 
3195  /*
3196  * Switch to our negotiated transform and session parameters for inbound
3197  * data.
3198  */
3199  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3200  ssl->transform_in = ssl->transform_negotiate;
3201  ssl->session_in = ssl->session_negotiate;
3202  memset( ssl->in_ctr, 0, 8 );
3203 
3204  /*
3205  * Set the in_msg pointer to the correct location based on IV length
3206  */
3207  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3208  {
3209  ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3211  }
3212  else
3213  ssl->in_msg = ssl->in_iv;
3214 
3215 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3216  if( ssl_hw_record_activate != NULL )
3217  {
3218  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3219  {
3220  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3222  }
3223  }
3224 #endif
3225 
3226  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3227  {
3228  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3229  return( ret );
3230  }
3231 
3232  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3233  {
3234  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3236  }
3237 
3238  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3239  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3240 
3241  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3242  ssl->in_hslen != 4 + hash_len )
3243  {
3244  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3246  }
3247 
3248  if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
3249  {
3250  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3252  }
3253 
3254  ssl->verify_data_len = hash_len;
3255  memcpy( ssl->peer_verify_data, buf, hash_len );
3256 
3257  if( ssl->handshake->resume != 0 )
3258  {
3259  if( ssl->endpoint == SSL_IS_CLIENT )
3261 
3262  if( ssl->endpoint == SSL_IS_SERVER )
3263  ssl->state = SSL_HANDSHAKE_WRAPUP;
3264  }
3265  else
3266  ssl->state++;
3267 
3268  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3269 
3270  return( 0 );
3271 }
3272 
3273 static void ssl_handshake_params_init( ssl_handshake_params *handshake )
3274 {
3275  memset( handshake, 0, sizeof( ssl_handshake_params ) );
3276 
3277 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3278  defined(POLARSSL_SSL_PROTO_TLS1_1)
3279  md5_init( &handshake->fin_md5 );
3280  sha1_init( &handshake->fin_sha1 );
3281  md5_starts( &handshake->fin_md5 );
3282  sha1_starts( &handshake->fin_sha1 );
3283 #endif
3284 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3285 #if defined(POLARSSL_SHA256_C)
3286  sha256_init( &handshake->fin_sha256 );
3287  sha256_starts( &handshake->fin_sha256, 0 );
3288 #endif
3289 #if defined(POLARSSL_SHA512_C)
3290  sha512_init( &handshake->fin_sha512 );
3291  sha512_starts( &handshake->fin_sha512, 1 );
3292 #endif
3293 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3294 
3295  handshake->update_checksum = ssl_update_checksum_start;
3296  handshake->sig_alg = SSL_HASH_SHA1;
3297 
3298 #if defined(POLARSSL_DHM_C)
3299  dhm_init( &handshake->dhm_ctx );
3300 #endif
3301 #if defined(POLARSSL_ECDH_C)
3302  ecdh_init( &handshake->ecdh_ctx );
3303 #endif
3304 }
3305 
3306 static void ssl_transform_init( ssl_transform *transform )
3307 {
3308  memset( transform, 0, sizeof(ssl_transform) );
3309 
3310  cipher_init( &transform->cipher_ctx_enc );
3311  cipher_init( &transform->cipher_ctx_dec );
3312 
3313  md_init( &transform->md_ctx_enc );
3314  md_init( &transform->md_ctx_dec );
3315 }
3316 
3317 void ssl_session_init( ssl_session *session )
3318 {
3319  memset( session, 0, sizeof(ssl_session) );
3320 }
3321 
3322 static int ssl_handshake_init( ssl_context *ssl )
3323 {
3324  /* Clear old handshake information if present */
3325  if( ssl->transform_negotiate )
3327  if( ssl->session_negotiate )
3329  if( ssl->handshake )
3330  ssl_handshake_free( ssl->handshake );
3331 
3332  /*
3333  * Either the pointers are now NULL or cleared properly and can be freed.
3334  * Now allocate missing structures.
3335  */
3336  if( ssl->transform_negotiate == NULL )
3337  {
3338  ssl->transform_negotiate =
3340  }
3341 
3342  if( ssl->session_negotiate == NULL )
3343  {
3344  ssl->session_negotiate =
3345  (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
3346  }
3347 
3348  if( ssl->handshake == NULL)
3349  {
3350  ssl->handshake = (ssl_handshake_params *)
3352  }
3353 
3354  /* All pointers should exist and can be directly freed without issue */
3355  if( ssl->handshake == NULL ||
3356  ssl->transform_negotiate == NULL ||
3357  ssl->session_negotiate == NULL )
3358  {
3359  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3360 
3361  polarssl_free( ssl->handshake );
3364 
3365  ssl->handshake = NULL;
3366  ssl->transform_negotiate = NULL;
3367  ssl->session_negotiate = NULL;
3368 
3370  }
3371 
3372  /* Initialize structures */
3374  ssl_transform_init( ssl->transform_negotiate );
3375  ssl_handshake_params_init( ssl->handshake );
3376 
3377 #if defined(POLARSSL_X509_CRT_PARSE_C)
3378  ssl->handshake->key_cert = ssl->key_cert;
3379 #endif
3380 
3381  return( 0 );
3382 }
3383 
3384 /*
3385  * Initialize an SSL context
3386  */
3387 int ssl_init( ssl_context *ssl )
3388 {
3389  int ret;
3390  int len = SSL_BUFFER_LEN;
3391 
3392  memset( ssl, 0, sizeof( ssl_context ) );
3393 
3394  /*
3395  * Sane defaults
3396  */
3401 
3403 
3405 
3406 #if defined(POLARSSL_DHM_C)
3407  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3409  ( ret = mpi_read_string( &ssl->dhm_G, 16,
3411  {
3412  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3413  return( ret );
3414  }
3415 #endif
3416 
3417  /*
3418  * Prepare base structures
3419  */
3420  ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
3421  ssl->in_hdr = ssl->in_ctr + 8;
3422  ssl->in_iv = ssl->in_ctr + 13;
3423  ssl->in_msg = ssl->in_ctr + 13;
3424 
3425  if( ssl->in_ctr == NULL )
3426  {
3427  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3429  }
3430 
3431  ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
3432  ssl->out_hdr = ssl->out_ctr + 8;
3433  ssl->out_iv = ssl->out_ctr + 13;
3434  ssl->out_msg = ssl->out_ctr + 13;
3435 
3436  if( ssl->out_ctr == NULL )
3437  {
3438  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3439  polarssl_free( ssl->in_ctr );
3440  ssl->in_ctr = NULL;
3442  }
3443 
3444  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3445  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3446 
3447 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3449 #endif
3450 
3451 #if defined(POLARSSL_SSL_SET_CURVES)
3452  ssl->curve_list = ecp_grp_id_list( );
3453 #endif
3454 
3455  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3456  return( ret );
3457 
3458  return( 0 );
3459 }
3460 
3461 /*
3462  * Reset an initialized and used SSL context for re-use while retaining
3463  * all application-set variables, function pointers and data.
3464  */
3465 int ssl_session_reset( ssl_context *ssl )
3466 {
3467  int ret;
3468 
3469  ssl->state = SSL_HELLO_REQUEST;
3472 
3473  ssl->verify_data_len = 0;
3474  memset( ssl->own_verify_data, 0, 36 );
3475  memset( ssl->peer_verify_data, 0, 36 );
3476 
3477  ssl->in_offt = NULL;
3478 
3479  ssl->in_msg = ssl->in_ctr + 13;
3480  ssl->in_msgtype = 0;
3481  ssl->in_msglen = 0;
3482  ssl->in_left = 0;
3483 
3484  ssl->in_hslen = 0;
3485  ssl->nb_zero = 0;
3486  ssl->record_read = 0;
3487 
3488  ssl->out_msg = ssl->out_ctr + 13;
3489  ssl->out_msgtype = 0;
3490  ssl->out_msglen = 0;
3491  ssl->out_left = 0;
3492 
3493  ssl->transform_in = NULL;
3494  ssl->transform_out = NULL;
3495 
3496  ssl->renego_records_seen = 0;
3497 
3498  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3499  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3500 
3501 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3502  if( ssl_hw_record_reset != NULL )
3503  {
3504  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3505  if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
3506  {
3507  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3509  }
3510  }
3511 #endif
3512 
3513  if( ssl->transform )
3514  {
3515  ssl_transform_free( ssl->transform );
3516  polarssl_free( ssl->transform );
3517  ssl->transform = NULL;
3518  }
3519 
3520  if( ssl->session )
3521  {
3522  ssl_session_free( ssl->session );
3523  polarssl_free( ssl->session );
3524  ssl->session = NULL;
3525  }
3526 
3527 #if defined(POLARSSL_SSL_ALPN)
3528  ssl->alpn_chosen = NULL;
3529 #endif
3530 
3531  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3532  return( ret );
3533 
3534  return( 0 );
3535 }
3536 
3537 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3538 static void ssl_ticket_keys_free( ssl_ticket_keys *tkeys )
3539 {
3540  aes_free( &tkeys->enc );
3541  aes_free( &tkeys->dec );
3542 
3543  polarssl_zeroize( tkeys, sizeof(ssl_ticket_keys) );
3544 }
3545 
3546 /*
3547  * Allocate and initialize ticket keys
3548  */
3549 static int ssl_ticket_keys_init( ssl_context *ssl )
3550 {
3551  int ret;
3552  ssl_ticket_keys *tkeys;
3553  unsigned char buf[16];
3554 
3555  if( ssl->ticket_keys != NULL )
3556  return( 0 );
3557 
3558  tkeys = (ssl_ticket_keys *) polarssl_malloc( sizeof(ssl_ticket_keys) );
3559  if( tkeys == NULL )
3561 
3562  aes_init( &tkeys->enc );
3563  aes_init( &tkeys->dec );
3564 
3565  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
3566  {
3567  ssl_ticket_keys_free( tkeys );
3568  polarssl_free( tkeys );
3569  return( ret );
3570  }
3571 
3572  if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3573  ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3574  ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3575  {
3576  ssl_ticket_keys_free( tkeys );
3577  polarssl_free( tkeys );
3578  return( ret );
3579  }
3580 
3581  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
3582  {
3583  ssl_ticket_keys_free( tkeys );
3584  polarssl_free( tkeys );
3585  return( ret );
3586  }
3587 
3588  ssl->ticket_keys = tkeys;
3589 
3590  return( 0 );
3591 }
3592 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3593 
3594 /*
3595  * SSL set accessors
3596  */
3597 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3598 {
3599  ssl->endpoint = endpoint;
3600 
3601 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3602  if( endpoint == SSL_IS_CLIENT )
3604 #endif
3605 }
3606 
3607 void ssl_set_authmode( ssl_context *ssl, int authmode )
3608 {
3609  ssl->authmode = authmode;
3610 }
3611 
3612 #if defined(POLARSSL_X509_CRT_PARSE_C)
3613 void ssl_set_verify( ssl_context *ssl,
3614  int (*f_vrfy)(void *, x509_crt *, int, int *),
3615  void *p_vrfy )
3616 {
3617  ssl->f_vrfy = f_vrfy;
3618  ssl->p_vrfy = p_vrfy;
3619 }
3620 #endif /* POLARSSL_X509_CRT_PARSE_C */
3621 
3622 void ssl_set_rng( ssl_context *ssl,
3623  int (*f_rng)(void *, unsigned char *, size_t),
3624  void *p_rng )
3625 {
3626  ssl->f_rng = f_rng;
3627  ssl->p_rng = p_rng;
3628 }
3629 
3630 void ssl_set_dbg( ssl_context *ssl,
3631  void (*f_dbg)(void *, int, const char *),
3632  void *p_dbg )
3633 {
3634  ssl->f_dbg = f_dbg;
3635  ssl->p_dbg = p_dbg;
3636 }
3637 
3638 void ssl_set_bio( ssl_context *ssl,
3639  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3640  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3641 {
3642  ssl->f_recv = f_recv;
3643  ssl->f_send = f_send;
3644  ssl->p_recv = p_recv;
3645  ssl->p_send = p_send;
3646 }
3647 
3649  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3650  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3651 {
3652  ssl->f_get_cache = f_get_cache;
3653  ssl->p_get_cache = p_get_cache;
3654  ssl->f_set_cache = f_set_cache;
3655  ssl->p_set_cache = p_set_cache;
3656 }
3657 
3658 int ssl_set_session( ssl_context *ssl, const ssl_session *session )
3659 {
3660  int ret;
3661 
3662  if( ssl == NULL ||
3663  session == NULL ||
3664  ssl->session_negotiate == NULL ||
3665  ssl->endpoint != SSL_IS_CLIENT )
3666  {
3668  }
3669 
3670  if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3671  return( ret );
3672 
3673  ssl->handshake->resume = 1;
3674 
3675  return( 0 );
3676 }
3677 
3678 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3679 {
3680  ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3681  ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3682  ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3683  ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3684 }
3685 
3687  const int *ciphersuites,
3688  int major, int minor )
3689 {
3690  if( major != SSL_MAJOR_VERSION_3 )
3691  return;
3692 
3693  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3694  return;
3695 
3696  ssl->ciphersuite_list[minor] = ciphersuites;
3697 }
3698 
3699 #if defined(POLARSSL_X509_CRT_PARSE_C)
3700 /* Add a new (empty) key_cert entry an return a pointer to it */
3701 static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3702 {
3703  ssl_key_cert *key_cert, *last;
3704 
3705  key_cert = (ssl_key_cert *) polarssl_malloc( sizeof(ssl_key_cert) );
3706  if( key_cert == NULL )
3707  return( NULL );
3708 
3709  memset( key_cert, 0, sizeof( ssl_key_cert ) );
3710 
3711  /* Append the new key_cert to the (possibly empty) current list */
3712  if( ssl->key_cert == NULL )
3713  {
3714  ssl->key_cert = key_cert;
3715  if( ssl->handshake != NULL )
3716  ssl->handshake->key_cert = key_cert;
3717  }
3718  else
3719  {
3720  last = ssl->key_cert;
3721  while( last->next != NULL )
3722  last = last->next;
3723  last->next = key_cert;
3724  }
3725 
3726  return( key_cert );
3727 }
3728 
3729 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
3730  x509_crl *ca_crl, const char *peer_cn )
3731 {
3732  ssl->ca_chain = ca_chain;
3733  ssl->ca_crl = ca_crl;
3734  ssl->peer_cn = peer_cn;
3735 }
3736 
3737 int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
3738  pk_context *pk_key )
3739 {
3740  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3741 
3742  if( key_cert == NULL )
3744 
3745  key_cert->cert = own_cert;
3746  key_cert->key = pk_key;
3747 
3748  return( 0 );
3749 }
3750 
3751 #if defined(POLARSSL_RSA_C)
3752 int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
3753  rsa_context *rsa_key )
3754 {
3755  int ret;
3756  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3757 
3758  if( key_cert == NULL )
3760 
3761  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3762  if( key_cert->key == NULL )
3764 
3765  pk_init( key_cert->key );
3766 
3767  ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
3768  if( ret != 0 )
3769  return( ret );
3770 
3771  if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
3772  return( ret );
3773 
3774  key_cert->cert = own_cert;
3775  key_cert->key_own_alloc = 1;
3776 
3777  return( 0 );
3778 }
3779 #endif /* POLARSSL_RSA_C */
3780 
3781 int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
3782  void *rsa_key,
3783  rsa_decrypt_func rsa_decrypt,
3784  rsa_sign_func rsa_sign,
3785  rsa_key_len_func rsa_key_len )
3786 {
3787  int ret;
3788  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3789 
3790  if( key_cert == NULL )
3792 
3793  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3794  if( key_cert->key == NULL )
3796 
3797  pk_init( key_cert->key );
3798 
3799  if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
3800  rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
3801  return( ret );
3802 
3803  key_cert->cert = own_cert;
3804  key_cert->key_own_alloc = 1;
3805 
3806  return( 0 );
3807 }
3808 #endif /* POLARSSL_X509_CRT_PARSE_C */
3809 
3810 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
3811 int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3812  const unsigned char *psk_identity, size_t psk_identity_len )
3813 {
3814  if( psk == NULL || psk_identity == NULL )
3816 
3817  if( psk_len > POLARSSL_PSK_MAX_LEN )
3819 
3820  if( ssl->psk != NULL )
3821  {
3822  polarssl_free( ssl->psk );
3823  polarssl_free( ssl->psk_identity );
3824  }
3825 
3826  ssl->psk_len = psk_len;
3827  ssl->psk_identity_len = psk_identity_len;
3828 
3829  ssl->psk = (unsigned char *) polarssl_malloc( ssl->psk_len );
3830  ssl->psk_identity = (unsigned char *)
3832 
3833  if( ssl->psk == NULL || ssl->psk_identity == NULL )
3835 
3836  memcpy( ssl->psk, psk, ssl->psk_len );
3837  memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
3838 
3839  return( 0 );
3840 }
3841 
3842 void ssl_set_psk_cb( ssl_context *ssl,
3843  int (*f_psk)(void *, ssl_context *, const unsigned char *,
3844  size_t),
3845  void *p_psk )
3846 {
3847  ssl->f_psk = f_psk;
3848  ssl->p_psk = p_psk;
3849 }
3850 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
3851 
3852 #if defined(POLARSSL_DHM_C)
3853 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3854 {
3855  int ret;
3856 
3857  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3858  {
3859  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3860  return( ret );
3861  }
3862 
3863  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3864  {
3865  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3866  return( ret );
3867  }
3868 
3869  return( 0 );
3870 }
3871 
3872 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3873 {
3874  int ret;
3875 
3876  if( ( ret = mpi_copy( &ssl->dhm_P, &dhm_ctx->P ) ) != 0 )
3877  {
3878  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3879  return( ret );
3880  }
3881 
3882  if( ( ret = mpi_copy( &ssl->dhm_G, &dhm_ctx->G ) ) != 0 )
3883  {
3884  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3885  return( ret );
3886  }
3887 
3888  return( 0 );
3889 }
3890 #endif /* POLARSSL_DHM_C */
3891 
3892 #if defined(POLARSSL_SSL_SET_CURVES)
3893 /*
3894  * Set the allowed elliptic curves
3895  */
3896 void ssl_set_curves( ssl_context *ssl, const ecp_group_id *curve_list )
3897 {
3898  ssl->curve_list = curve_list;
3899 }
3900 #endif
3901 
3902 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
3903 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3904 {
3905  if( hostname == NULL )
3907 
3908  ssl->hostname_len = strlen( hostname );
3909 
3910  if( ssl->hostname_len + 1 == 0 )
3912 
3913  ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
3914 
3915  if( ssl->hostname == NULL )
3917 
3918  memcpy( ssl->hostname, (const unsigned char *) hostname,
3919  ssl->hostname_len );
3920 
3921  ssl->hostname[ssl->hostname_len] = '\0';
3922 
3923  return( 0 );
3924 }
3925 
3926 void ssl_set_sni( ssl_context *ssl,
3927  int (*f_sni)(void *, ssl_context *,
3928  const unsigned char *, size_t),
3929  void *p_sni )
3930 {
3931  ssl->f_sni = f_sni;
3932  ssl->p_sni = p_sni;
3933 }
3934 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
3935 
3936 #if defined(POLARSSL_SSL_ALPN)
3937 int ssl_set_alpn_protocols( ssl_context *ssl, const char **protos )
3938 {
3939  size_t cur_len, tot_len;
3940  const char **p;
3941 
3942  /*
3943  * "Empty strings MUST NOT be included and byte strings MUST NOT be
3944  * truncated". Check lengths now rather than later.
3945  */
3946  tot_len = 0;
3947  for( p = protos; *p != NULL; p++ )
3948  {
3949  cur_len = strlen( *p );
3950  tot_len += cur_len;
3951 
3952  if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
3954  }
3955 
3956  ssl->alpn_list = protos;
3957 
3958  return( 0 );
3959 }
3960 
3961 const char *ssl_get_alpn_protocol( const ssl_context *ssl )
3962 {
3963  return( ssl->alpn_chosen );
3964 }
3965 #endif /* POLARSSL_SSL_ALPN */
3966 
3967 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3968 {
3969  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3970  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3971  {
3972  ssl->max_major_ver = major;
3973  ssl->max_minor_ver = minor;
3974  }
3975 }
3976 
3977 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3978 {
3979  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3980  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3981  {
3982  ssl->min_major_ver = major;
3983  ssl->min_minor_ver = minor;
3984  }
3985 }
3986 
3987 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
3988 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
3989 {
3990  if( mfl_code >= SSL_MAX_FRAG_LEN_INVALID ||
3991  mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
3992  {
3994  }
3995 
3996  ssl->mfl_code = mfl_code;
3997 
3998  return( 0 );
3999 }
4000 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4001 
4002 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
4003 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
4004 {
4005  if( ssl->endpoint != SSL_IS_CLIENT )
4007 
4008  ssl->trunc_hmac = truncate;
4009 
4010  return( 0 );
4011 }
4012 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
4013 
4014 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
4015 {
4016  ssl->disable_renegotiation = renegotiation;
4017 }
4018 
4019 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
4020 {
4021  ssl->allow_legacy_renegotiation = allow_legacy;
4022 }
4023 
4024 void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records )
4025 {
4026  ssl->renego_max_records = max_records;
4027 }
4028 
4029 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4030 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
4031 {
4032  ssl->session_tickets = use_tickets;
4033 
4034  if( ssl->endpoint == SSL_IS_CLIENT )
4035  return( 0 );
4036 
4037  if( ssl->f_rng == NULL )
4039 
4040  return( ssl_ticket_keys_init( ssl ) );
4041 }
4042 
4043 void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
4044 {
4045  ssl->ticket_lifetime = lifetime;
4046 }
4047 #endif /* POLARSSL_SSL_SESSION_TICKETS */
4048 
4049 /*
4050  * SSL get accessors
4051  */
4052 size_t ssl_get_bytes_avail( const ssl_context *ssl )
4053 {
4054  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4055 }
4056 
4057 int ssl_get_verify_result( const ssl_context *ssl )
4058 {
4059  return( ssl->session->verify_result );
4060 }
4061 
4062 const char *ssl_get_ciphersuite( const ssl_context *ssl )
4063 {
4064  if( ssl == NULL || ssl->session == NULL )
4065  return( NULL );
4066 
4068 }
4069 
4070 const char *ssl_get_version( const ssl_context *ssl )
4071 {
4072  switch( ssl->minor_ver )
4073  {
4074  case SSL_MINOR_VERSION_0:
4075  return( "SSLv3.0" );
4076 
4077  case SSL_MINOR_VERSION_1:
4078  return( "TLSv1.0" );
4079 
4080  case SSL_MINOR_VERSION_2:
4081  return( "TLSv1.1" );
4082 
4083  case SSL_MINOR_VERSION_3:
4084  return( "TLSv1.2" );
4085 
4086  default:
4087  break;
4088  }
4089  return( "unknown" );
4090 }
4091 
4092 #if defined(POLARSSL_X509_CRT_PARSE_C)
4093 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
4094 {
4095  if( ssl == NULL || ssl->session == NULL )
4096  return( NULL );
4097 
4098  return( ssl->session->peer_cert );
4099 }
4100 #endif /* POLARSSL_X509_CRT_PARSE_C */
4101 
4102 int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
4103 {
4104  if( ssl == NULL ||
4105  dst == NULL ||
4106  ssl->session == NULL ||
4107  ssl->endpoint != SSL_IS_CLIENT )
4108  {
4110  }
4111 
4112  return( ssl_session_copy( dst, ssl->session ) );
4113 }
4114 
4115 /*
4116  * Perform a single step of the SSL handshake
4117  */
4118 int ssl_handshake_step( ssl_context *ssl )
4119 {
4121 
4122 #if defined(POLARSSL_SSL_CLI_C)
4123  if( ssl->endpoint == SSL_IS_CLIENT )
4124  ret = ssl_handshake_client_step( ssl );
4125 #endif
4126 
4127 #if defined(POLARSSL_SSL_SRV_C)
4128  if( ssl->endpoint == SSL_IS_SERVER )
4129  ret = ssl_handshake_server_step( ssl );
4130 #endif
4131 
4132  return( ret );
4133 }
4134 
4135 /*
4136  * Perform the SSL handshake
4137  */
4138 int ssl_handshake( ssl_context *ssl )
4139 {
4140  int ret = 0;
4141 
4142  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
4143 
4144  while( ssl->state != SSL_HANDSHAKE_OVER )
4145  {
4146  ret = ssl_handshake_step( ssl );
4147 
4148  if( ret != 0 )
4149  break;
4150  }
4151 
4152  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
4153 
4154  return( ret );
4155 }
4156 
4157 #if defined(POLARSSL_SSL_SRV_C)
4158 /*
4159  * Write HelloRequest to request renegotiation on server
4160  */
4161 static int ssl_write_hello_request( ssl_context *ssl )
4162 {
4163  int ret;
4164 
4165  SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
4166 
4167  ssl->out_msglen = 4;
4169  ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
4170 
4171  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4172  {
4173  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4174  return( ret );
4175  }
4176 
4178 
4179  SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4180 
4181  return( 0 );
4182 }
4183 #endif /* POLARSSL_SSL_SRV_C */
4184 
4185 /*
4186  * Actually renegotiate current connection, triggered by either:
4187  * - calling ssl_renegotiate() on client,
4188  * - receiving a HelloRequest on client during ssl_read(),
4189  * - receiving any handshake message on server during ssl_read() after the
4190  * initial handshake is completed
4191  * If the handshake doesn't complete due to waiting for I/O, it will continue
4192  * during the next calls to ssl_renegotiate() or ssl_read() respectively.
4193  */
4194 static int ssl_start_renegotiation( ssl_context *ssl )
4195 {
4196  int ret;
4197 
4198  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4199 
4200  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4201  return( ret );
4202 
4203  ssl->state = SSL_HELLO_REQUEST;
4205 
4206  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4207  {
4208  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4209  return( ret );
4210  }
4211 
4212  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4213 
4214  return( 0 );
4215 }
4216 
4217 /*
4218  * Renegotiate current connection on client,
4219  * or request renegotiation on server
4220  */
4221 int ssl_renegotiate( ssl_context *ssl )
4222 {
4224 
4225 #if defined(POLARSSL_SSL_SRV_C)
4226  /* On server, just send the request */
4227  if( ssl->endpoint == SSL_IS_SERVER )
4228  {
4229  if( ssl->state != SSL_HANDSHAKE_OVER )
4231 
4232  return( ssl_write_hello_request( ssl ) );
4233  }
4234 #endif /* POLARSSL_SSL_SRV_C */
4235 
4236 #if defined(POLARSSL_SSL_CLI_C)
4237  /*
4238  * On client, either start the renegotiation process or,
4239  * if already in progress, continue the handshake
4240  */
4241  if( ssl->renegotiation != SSL_RENEGOTIATION )
4242  {
4243  if( ssl->state != SSL_HANDSHAKE_OVER )
4245 
4246  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4247  {
4248  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4249  return( ret );
4250  }
4251  }
4252  else
4253  {
4254  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4255  {
4256  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4257  return( ret );
4258  }
4259  }
4260 #endif /* POLARSSL_SSL_CLI_C */
4261 
4262  return( ret );
4263 }
4264 
4265 /*
4266  * Receive application data decrypted from the SSL layer
4267  */
4268 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
4269 {
4270  int ret;
4271  size_t n;
4272 
4273  SSL_DEBUG_MSG( 2, ( "=> read" ) );
4274 
4275  if( ssl->state != SSL_HANDSHAKE_OVER )
4276  {
4277  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4278  {
4279  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4280  return( ret );
4281  }
4282  }
4283 
4284  if( ssl->in_offt == NULL )
4285  {
4286  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4287  {
4288  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4289  return( 0 );
4290 
4291  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4292  return( ret );
4293  }
4294 
4295  if( ssl->in_msglen == 0 &&
4297  {
4298  /*
4299  * OpenSSL sends empty messages to randomize the IV
4300  */
4301  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4302  {
4303  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4304  return( 0 );
4305 
4306  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4307  return( ret );
4308  }
4309  }
4310 
4311  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4312  {
4313  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4314 
4315  if( ssl->endpoint == SSL_IS_CLIENT &&
4316  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4317  ssl->in_hslen != 4 ) )
4318  {
4319  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4321  }
4322 
4327  {
4328  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4329 
4330 #if defined(POLARSSL_SSL_PROTO_SSL3)
4331  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
4332  {
4333  /*
4334  * SSLv3 does not have a "no_renegotiation" alert
4335  */
4336  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4337  return( ret );
4338  }
4339  else
4340 #endif /* POLARSSL_SSL_PROTO_SSL3 */
4341 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4342  defined(POLARSSL_SSL_PROTO_TLS1_2)
4343  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
4344  {
4345  if( ( ret = ssl_send_alert_message( ssl,
4348  {
4349  return( ret );
4350  }
4351  }
4352  else
4353 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 ||
4354  POLARSSL_SSL_PROTO_TLS1_2 */
4355  {
4356  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4358  }
4359  }
4360  else
4361  {
4362  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4363  {
4364  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4365  return( ret );
4366  }
4367 
4368  return( POLARSSL_ERR_NET_WANT_READ );
4369  }
4370  }
4371  else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4372  {
4373  ssl->renego_records_seen++;
4374 
4375  if( ssl->renego_max_records >= 0 &&
4377  {
4378  SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4379  "but not honored by client" ) );
4381  }
4382  }
4383  else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
4384  {
4385  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
4387  }
4388 
4389  ssl->in_offt = ssl->in_msg;
4390  }
4391 
4392  n = ( len < ssl->in_msglen )
4393  ? len : ssl->in_msglen;
4394 
4395  memcpy( buf, ssl->in_offt, n );
4396  ssl->in_msglen -= n;
4397 
4398  if( ssl->in_msglen == 0 )
4399  /* all bytes consumed */
4400  ssl->in_offt = NULL;
4401  else
4402  /* more data available */
4403  ssl->in_offt += n;
4404 
4405  SSL_DEBUG_MSG( 2, ( "<= read" ) );
4406 
4407  return( (int) n );
4408 }
4409 
4410 /*
4411  * Send application data to be encrypted by the SSL layer
4412  */
4413 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4414 {
4415  int ret;
4416  size_t n;
4417  unsigned int max_len = SSL_MAX_CONTENT_LEN;
4418 
4419  SSL_DEBUG_MSG( 2, ( "=> write" ) );
4420 
4421  if( ssl->state != SSL_HANDSHAKE_OVER )
4422  {
4423  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4424  {
4425  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4426  return( ret );
4427  }
4428  }
4429 
4430 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4431  /*
4432  * Assume mfl_code is correct since it was checked when set
4433  */
4434  max_len = mfl_code_to_length[ssl->mfl_code];
4435 
4436  /*
4437  * Check if a smaller max length was negotiated
4438  */
4439  if( ssl->session_out != NULL &&
4440  mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4441  {
4442  max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4443  }
4444 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4445 
4446  n = ( len < max_len) ? len : max_len;
4447 
4448  if( ssl->out_left != 0 )
4449  {
4450  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4451  {
4452  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4453  return( ret );
4454  }
4455  }
4456  else
4457  {
4458  ssl->out_msglen = n;
4460  memcpy( ssl->out_msg, buf, n );
4461 
4462  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4463  {
4464  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4465  return( ret );
4466  }
4467  }
4468 
4469  SSL_DEBUG_MSG( 2, ( "<= write" ) );
4470 
4471  return( (int) n );
4472 }
4473 
4474 /*
4475  * Notify the peer that the connection is being closed
4476  */
4477 int ssl_close_notify( ssl_context *ssl )
4478 {
4479  int ret;
4480 
4481  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4482 
4483  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4484  {
4485  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4486  return( ret );
4487  }
4488 
4489  if( ssl->state == SSL_HANDSHAKE_OVER )
4490  {
4491  if( ( ret = ssl_send_alert_message( ssl,
4493  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4494  {
4495  return( ret );
4496  }
4497  }
4498 
4499  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4500 
4501  return( ret );
4502 }
4503 
4504 void ssl_transform_free( ssl_transform *transform )
4505 {
4506  if( transform == NULL )
4507  return;
4508 
4509 #if defined(POLARSSL_ZLIB_SUPPORT)
4510  deflateEnd( &transform->ctx_deflate );
4511  inflateEnd( &transform->ctx_inflate );
4512 #endif
4513 
4514  cipher_free( &transform->cipher_ctx_enc );
4515  cipher_free( &transform->cipher_ctx_dec );
4516 
4517  md_free( &transform->md_ctx_enc );
4518  md_free( &transform->md_ctx_dec );
4519 
4520  polarssl_zeroize( transform, sizeof( ssl_transform ) );
4521 }
4522 
4523 #if defined(POLARSSL_X509_CRT_PARSE_C)
4524 static void ssl_key_cert_free( ssl_key_cert *key_cert )
4525 {
4526  ssl_key_cert *cur = key_cert, *next;
4527 
4528  while( cur != NULL )
4529  {
4530  next = cur->next;
4531 
4532  if( cur->key_own_alloc )
4533  {
4534  pk_free( cur->key );
4535  polarssl_free( cur->key );
4536  }
4537  polarssl_free( cur );
4538 
4539  cur = next;
4540  }
4541 }
4542 #endif /* POLARSSL_X509_CRT_PARSE_C */
4543 
4544 void ssl_handshake_free( ssl_handshake_params *handshake )
4545 {
4546  if( handshake == NULL )
4547  return;
4548 
4549 #if defined(POLARSSL_DHM_C)
4550  dhm_free( &handshake->dhm_ctx );
4551 #endif
4552 #if defined(POLARSSL_ECDH_C)
4553  ecdh_free( &handshake->ecdh_ctx );
4554 #endif
4555 
4556 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
4557  /* explicit void pointer cast for buggy MS compiler */
4558  polarssl_free( (void *) handshake->curves );
4559 #endif
4560 
4561 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
4562  defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4563  /*
4564  * Free only the linked list wrapper, not the keys themselves
4565  * since the belong to the SNI callback
4566  */
4567  if( handshake->sni_key_cert != NULL )
4568  {
4569  ssl_key_cert *cur = handshake->sni_key_cert, *next;
4570 
4571  while( cur != NULL )
4572  {
4573  next = cur->next;
4574  polarssl_free( cur );
4575  cur = next;
4576  }
4577  }
4578 #endif /* POLARSSL_X509_CRT_PARSE_C && POLARSSL_SSL_SERVER_NAME_INDICATION */
4579 
4580  polarssl_zeroize( handshake, sizeof( ssl_handshake_params ) );
4581 }
4582 
4583 void ssl_session_free( ssl_session *session )
4584 {
4585  if( session == NULL )
4586  return;
4587 
4588 #if defined(POLARSSL_X509_CRT_PARSE_C)
4589  if( session->peer_cert != NULL )
4590  {
4591  x509_crt_free( session->peer_cert );
4592  polarssl_free( session->peer_cert );
4593  }
4594 #endif
4595 
4596 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4597  polarssl_free( session->ticket );
4598 #endif
4599 
4600  polarssl_zeroize( session, sizeof( ssl_session ) );
4601 }
4602 
4603 /*
4604  * Free an SSL context
4605  */
4606 void ssl_free( ssl_context *ssl )
4607 {
4608  if( ssl == NULL )
4609  return;
4610 
4611  SSL_DEBUG_MSG( 2, ( "=> free" ) );
4612 
4613  if( ssl->out_ctr != NULL )
4614  {
4615  polarssl_zeroize( ssl->out_ctr, SSL_BUFFER_LEN );
4616  polarssl_free( ssl->out_ctr );
4617  }
4618 
4619  if( ssl->in_ctr != NULL )
4620  {
4621  polarssl_zeroize( ssl->in_ctr, SSL_BUFFER_LEN );
4622  polarssl_free( ssl->in_ctr );
4623  }
4624 
4625 #if defined(POLARSSL_ZLIB_SUPPORT)
4626  if( ssl->compress_buf != NULL )
4627  {
4628  polarssl_zeroize( ssl->compress_buf, SSL_BUFFER_LEN );
4629  polarssl_free( ssl->compress_buf );
4630  }
4631 #endif
4632 
4633 #if defined(POLARSSL_DHM_C)
4634  mpi_free( &ssl->dhm_P );
4635  mpi_free( &ssl->dhm_G );
4636 #endif
4637 
4638  if( ssl->transform )
4639  {
4640  ssl_transform_free( ssl->transform );
4641  polarssl_free( ssl->transform );
4642  }
4643 
4644  if( ssl->handshake )
4645  {
4646  ssl_handshake_free( ssl->handshake );
4649 
4650  polarssl_free( ssl->handshake );
4653  }
4654 
4655  if( ssl->session )
4656  {
4657  ssl_session_free( ssl->session );
4658  polarssl_free( ssl->session );
4659  }
4660 
4661 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4662  if( ssl->ticket_keys )
4663  {
4664  ssl_ticket_keys_free( ssl->ticket_keys );
4665  polarssl_free( ssl->ticket_keys );
4666  }
4667 #endif
4668 
4669 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4670  if( ssl->hostname != NULL )
4671  {
4672  polarssl_zeroize( ssl->hostname, ssl->hostname_len );
4673  polarssl_free( ssl->hostname );
4674  ssl->hostname_len = 0;
4675  }
4676 #endif
4677 
4678 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
4679  if( ssl->psk != NULL )
4680  {
4681  polarssl_zeroize( ssl->psk, ssl->psk_len );
4682  polarssl_zeroize( ssl->psk_identity, ssl->psk_identity_len );
4683  polarssl_free( ssl->psk );
4684  polarssl_free( ssl->psk_identity );
4685  ssl->psk_len = 0;
4686  ssl->psk_identity_len = 0;
4687  }
4688 #endif
4689 
4690 #if defined(POLARSSL_X509_CRT_PARSE_C)
4691  ssl_key_cert_free( ssl->key_cert );
4692 #endif
4693 
4694 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4695  if( ssl_hw_record_finish != NULL )
4696  {
4697  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4698  ssl_hw_record_finish( ssl );
4699  }
4700 #endif
4701 
4702  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4703 
4704  /* Actually clear after last debug message */
4705  polarssl_zeroize( ssl, sizeof( ssl_context ) );
4706 }
4707 
4708 #if defined(POLARSSL_PK_C)
4709 /*
4710  * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
4711  */
4712 unsigned char ssl_sig_from_pk( pk_context *pk )
4713 {
4714 #if defined(POLARSSL_RSA_C)
4715  if( pk_can_do( pk, POLARSSL_PK_RSA ) )
4716  return( SSL_SIG_RSA );
4717 #endif
4718 #if defined(POLARSSL_ECDSA_C)
4719  if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
4720  return( SSL_SIG_ECDSA );
4721 #endif
4722  return( SSL_SIG_ANON );
4723 }
4724 
4725 pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
4726 {
4727  switch( sig )
4728  {
4729 #if defined(POLARSSL_RSA_C)
4730  case SSL_SIG_RSA:
4731  return( POLARSSL_PK_RSA );
4732 #endif
4733 #if defined(POLARSSL_ECDSA_C)
4734  case SSL_SIG_ECDSA:
4735  return( POLARSSL_PK_ECDSA );
4736 #endif
4737  default:
4738  return( POLARSSL_PK_NONE );
4739  }
4740 }
4741 #endif /* POLARSSL_PK_C */
4742 
4743 /*
4744  * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
4745  */
4746 md_type_t ssl_md_alg_from_hash( unsigned char hash )
4747 {
4748  switch( hash )
4749  {
4750 #if defined(POLARSSL_MD5_C)
4751  case SSL_HASH_MD5:
4752  return( POLARSSL_MD_MD5 );
4753 #endif
4754 #if defined(POLARSSL_SHA1_C)
4755  case SSL_HASH_SHA1:
4756  return( POLARSSL_MD_SHA1 );
4757 #endif
4758 #if defined(POLARSSL_SHA256_C)
4759  case SSL_HASH_SHA224:
4760  return( POLARSSL_MD_SHA224 );
4761  case SSL_HASH_SHA256:
4762  return( POLARSSL_MD_SHA256 );
4763 #endif
4764 #if defined(POLARSSL_SHA512_C)
4765  case SSL_HASH_SHA384:
4766  return( POLARSSL_MD_SHA384 );
4767  case SSL_HASH_SHA512:
4768  return( POLARSSL_MD_SHA512 );
4769 #endif
4770  default:
4771  return( POLARSSL_MD_NONE );
4772  }
4773 }
4774 
4775 #if defined(POLARSSL_SSL_SET_CURVES)
4776 /*
4777  * Check is a curve proposed by the peer is in our list.
4778  * Return 1 if we're willing to use it, 0 otherwise.
4779  */
4780 int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
4781 {
4782  const ecp_group_id *gid;
4783 
4784  for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
4785  if( *gid == grp_id )
4786  return( 1 );
4787 
4788  return( 0 );
4789 }
4790 #endif /* POLARSSL_SSL_SET_CURVES */
4791 
4792 #if defined(POLARSSL_X509_CRT_PARSE_C)
4793 int ssl_check_cert_usage( const x509_crt *cert,
4794  const ssl_ciphersuite_t *ciphersuite,
4795  int cert_endpoint )
4796 {
4797 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
4798  int usage = 0;
4799 #endif
4800 #if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4801  const char *ext_oid;
4802  size_t ext_len;
4803 #endif
4804 
4805 #if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
4806  !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4807  ((void) cert);
4808  ((void) cert_endpoint);
4809 #endif
4810 
4811 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
4812  if( cert_endpoint == SSL_IS_SERVER )
4813  {
4814  /* Server part of the key exchange */
4815  switch( ciphersuite->key_exchange )
4816  {
4819  usage = KU_KEY_ENCIPHERMENT;
4820  break;
4821 
4825  usage = KU_DIGITAL_SIGNATURE;
4826  break;
4827 
4830  usage = KU_KEY_AGREEMENT;
4831  break;
4832 
4833  /* Don't use default: we want warnings when adding new values */
4838  usage = 0;
4839  }
4840  }
4841  else
4842  {
4843  /* Client auth: we only implement rsa_sign and ecdsa_sign for now */
4844  usage = KU_DIGITAL_SIGNATURE;
4845  }
4846 
4847  if( x509_crt_check_key_usage( cert, usage ) != 0 )
4848  return( -1 );
4849 #else
4850  ((void) ciphersuite);
4851 #endif /* POLARSSL_X509_CHECK_KEY_USAGE */
4852 
4853 #if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4854  if( cert_endpoint == SSL_IS_SERVER )
4855  {
4856  ext_oid = OID_SERVER_AUTH;
4857  ext_len = OID_SIZE( OID_SERVER_AUTH );
4858  }
4859  else
4860  {
4861  ext_oid = OID_CLIENT_AUTH;
4862  ext_len = OID_SIZE( OID_CLIENT_AUTH );
4863  }
4864 
4865  if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
4866  return( -1 );
4867 #endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
4868 
4869  return( 0 );
4870 }
4871 #endif /* POLARSSL_X509_CRT_PARSE_C */
4872 
4873 #endif /* POLARSSL_SSL_TLS_C */