PolarSSL v1.3.9
ssl_tls.c
Go to the documentation of this file.
1 /*
2  * SSLv3/TLSv1 shared functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The SSL 3.0 specification was drafted by Netscape in 1996,
27  * and became an IETF standard in 1999.
28  *
29  * http://wp.netscape.com/eng/ssl3/
30  * http://www.ietf.org/rfc/rfc2246.txt
31  * http://www.ietf.org/rfc/rfc4346.txt
32  */
33 
34 #if !defined(POLARSSL_CONFIG_FILE)
35 #include "polarssl/config.h"
36 #else
37 #include POLARSSL_CONFIG_FILE
38 #endif
39 
40 #if defined(POLARSSL_SSL_TLS_C)
41 
42 #include "polarssl/debug.h"
43 #include "polarssl/ssl.h"
44 
45 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
46  defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
47 #include "polarssl/oid.h"
48 #endif
49 
50 #if defined(POLARSSL_PLATFORM_C)
51 #include "polarssl/platform.h"
52 #else
53 #define polarssl_malloc malloc
54 #define polarssl_free free
55 #endif
56 
57 #include <stdlib.h>
58 
59 #if defined(_MSC_VER) && !defined strcasecmp && !defined(EFIX64) && \
60  !defined(EFI32)
61 #define strcasecmp _stricmp
62 #endif
63 
64 /* Implementation that should never be optimized out by the compiler */
65 static void polarssl_zeroize( void *v, size_t n ) {
66  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
67 }
68 
69 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
70 /*
71  * Convert max_fragment_length codes to length.
72  * RFC 6066 says:
73  * enum{
74  * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
75  * } MaxFragmentLength;
76  * and we add 0 -> extension unused
77  */
78 static unsigned int mfl_code_to_length[SSL_MAX_FRAG_LEN_INVALID] =
79 {
80  SSL_MAX_CONTENT_LEN, /* SSL_MAX_FRAG_LEN_NONE */
81  512, /* SSL_MAX_FRAG_LEN_512 */
82  1024, /* SSL_MAX_FRAG_LEN_1024 */
83  2048, /* SSL_MAX_FRAG_LEN_2048 */
84  4096, /* SSL_MAX_FRAG_LEN_4096 */
85 };
86 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
87 
88 static int ssl_session_copy( ssl_session *dst, const ssl_session *src )
89 {
90  ssl_session_free( dst );
91  memcpy( dst, src, sizeof( ssl_session ) );
92 
93 #if defined(POLARSSL_X509_CRT_PARSE_C)
94  if( src->peer_cert != NULL )
95  {
96  int ret;
97 
98  dst->peer_cert = (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
99  if( dst->peer_cert == NULL )
101 
102  x509_crt_init( dst->peer_cert );
103 
104  if( ( ret = x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
105  src->peer_cert->raw.len ) ) != 0 )
106  {
107  polarssl_free( dst->peer_cert );
108  dst->peer_cert = NULL;
109  return( ret );
110  }
111  }
112 #endif /* POLARSSL_X509_CRT_PARSE_C */
113 
114 #if defined(POLARSSL_SSL_SESSION_TICKETS)
115  if( src->ticket != NULL )
116  {
117  dst->ticket = (unsigned char *) polarssl_malloc( src->ticket_len );
118  if( dst->ticket == NULL )
120 
121  memcpy( dst->ticket, src->ticket, src->ticket_len );
122  }
123 #endif /* POLARSSL_SSL_SESSION_TICKETS */
124 
125  return( 0 );
126 }
127 
128 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
129 int (*ssl_hw_record_init)( ssl_context *ssl,
130  const unsigned char *key_enc, const unsigned char *key_dec,
131  size_t keylen,
132  const unsigned char *iv_enc, const unsigned char *iv_dec,
133  size_t ivlen,
134  const unsigned char *mac_enc, const unsigned char *mac_dec,
135  size_t maclen ) = NULL;
136 int (*ssl_hw_record_activate)( ssl_context *ssl, int direction) = NULL;
137 int (*ssl_hw_record_reset)( ssl_context *ssl ) = NULL;
138 int (*ssl_hw_record_write)( ssl_context *ssl ) = NULL;
139 int (*ssl_hw_record_read)( ssl_context *ssl ) = NULL;
140 int (*ssl_hw_record_finish)( ssl_context *ssl ) = NULL;
141 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
142 
143 /*
144  * Key material generation
145  */
146 #if defined(POLARSSL_SSL_PROTO_SSL3)
147 static int ssl3_prf( const unsigned char *secret, size_t slen,
148  const char *label,
149  const unsigned char *random, size_t rlen,
150  unsigned char *dstbuf, size_t dlen )
151 {
152  size_t i;
155  unsigned char padding[16];
156  unsigned char sha1sum[20];
157  ((void)label);
158 
159  md5_init( &md5 );
160  sha1_init( &sha1 );
161 
162  /*
163  * SSLv3:
164  * block =
165  * MD5( secret + SHA1( 'A' + secret + random ) ) +
166  * MD5( secret + SHA1( 'BB' + secret + random ) ) +
167  * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
168  * ...
169  */
170  for( i = 0; i < dlen / 16; i++ )
171  {
172  memset( padding, (unsigned char) ('A' + i), 1 + i );
173 
174  sha1_starts( &sha1 );
175  sha1_update( &sha1, padding, 1 + i );
176  sha1_update( &sha1, secret, slen );
177  sha1_update( &sha1, random, rlen );
178  sha1_finish( &sha1, sha1sum );
179 
180  md5_starts( &md5 );
181  md5_update( &md5, secret, slen );
182  md5_update( &md5, sha1sum, 20 );
183  md5_finish( &md5, dstbuf + i * 16 );
184  }
185 
186  md5_free( &md5 );
187  sha1_free( &sha1 );
188 
189  polarssl_zeroize( padding, sizeof( padding ) );
190  polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
191 
192  return( 0 );
193 }
194 #endif /* POLARSSL_SSL_PROTO_SSL3 */
195 
196 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
197 static int tls1_prf( const unsigned char *secret, size_t slen,
198  const char *label,
199  const unsigned char *random, size_t rlen,
200  unsigned char *dstbuf, size_t dlen )
201 {
202  size_t nb, hs;
203  size_t i, j, k;
204  const unsigned char *S1, *S2;
205  unsigned char tmp[128];
206  unsigned char h_i[20];
207 
208  if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
210 
211  hs = ( slen + 1 ) / 2;
212  S1 = secret;
213  S2 = secret + slen - hs;
214 
215  nb = strlen( label );
216  memcpy( tmp + 20, label, nb );
217  memcpy( tmp + 20 + nb, random, rlen );
218  nb += rlen;
219 
220  /*
221  * First compute P_md5(secret,label+random)[0..dlen]
222  */
223  md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
224 
225  for( i = 0; i < dlen; i += 16 )
226  {
227  md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
228  md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
229 
230  k = ( i + 16 > dlen ) ? dlen % 16 : 16;
231 
232  for( j = 0; j < k; j++ )
233  dstbuf[i + j] = h_i[j];
234  }
235 
236  /*
237  * XOR out with P_sha1(secret,label+random)[0..dlen]
238  */
239  sha1_hmac( S2, hs, tmp + 20, nb, tmp );
240 
241  for( i = 0; i < dlen; i += 20 )
242  {
243  sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
244  sha1_hmac( S2, hs, tmp, 20, tmp );
245 
246  k = ( i + 20 > dlen ) ? dlen % 20 : 20;
247 
248  for( j = 0; j < k; j++ )
249  dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
250  }
251 
252  polarssl_zeroize( tmp, sizeof( tmp ) );
253  polarssl_zeroize( h_i, sizeof( h_i ) );
254 
255  return( 0 );
256 }
257 #endif /* POLARSSL_SSL_PROTO_TLS1) || POLARSSL_SSL_PROTO_TLS1_1 */
258 
259 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
260 #if defined(POLARSSL_SHA256_C)
261 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
262  const char *label,
263  const unsigned char *random, size_t rlen,
264  unsigned char *dstbuf, size_t dlen )
265 {
266  size_t nb;
267  size_t i, j, k;
268  unsigned char tmp[128];
269  unsigned char h_i[32];
270 
271  if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
273 
274  nb = strlen( label );
275  memcpy( tmp + 32, label, nb );
276  memcpy( tmp + 32 + nb, random, rlen );
277  nb += rlen;
278 
279  /*
280  * Compute P_<hash>(secret, label + random)[0..dlen]
281  */
282  sha256_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
283 
284  for( i = 0; i < dlen; i += 32 )
285  {
286  sha256_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
287  sha256_hmac( secret, slen, tmp, 32, tmp, 0 );
288 
289  k = ( i + 32 > dlen ) ? dlen % 32 : 32;
290 
291  for( j = 0; j < k; j++ )
292  dstbuf[i + j] = h_i[j];
293  }
294 
295  polarssl_zeroize( tmp, sizeof( tmp ) );
296  polarssl_zeroize( h_i, sizeof( h_i ) );
297 
298  return( 0 );
299 }
300 #endif /* POLARSSL_SHA256_C */
301 
302 #if defined(POLARSSL_SHA512_C)
303 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
304  const char *label,
305  const unsigned char *random, size_t rlen,
306  unsigned char *dstbuf, size_t dlen )
307 {
308  size_t nb;
309  size_t i, j, k;
310  unsigned char tmp[128];
311  unsigned char h_i[48];
312 
313  if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
315 
316  nb = strlen( label );
317  memcpy( tmp + 48, label, nb );
318  memcpy( tmp + 48 + nb, random, rlen );
319  nb += rlen;
320 
321  /*
322  * Compute P_<hash>(secret, label + random)[0..dlen]
323  */
324  sha512_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
325 
326  for( i = 0; i < dlen; i += 48 )
327  {
328  sha512_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
329  sha512_hmac( secret, slen, tmp, 48, tmp, 1 );
330 
331  k = ( i + 48 > dlen ) ? dlen % 48 : 48;
332 
333  for( j = 0; j < k; j++ )
334  dstbuf[i + j] = h_i[j];
335  }
336 
337  polarssl_zeroize( tmp, sizeof( tmp ) );
338  polarssl_zeroize( h_i, sizeof( h_i ) );
339 
340  return( 0 );
341 }
342 #endif /* POLARSSL_SHA512_C */
343 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
344 
345 static void ssl_update_checksum_start( ssl_context *, const unsigned char *, size_t );
346 
347 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
348  defined(POLARSSL_SSL_PROTO_TLS1_1)
349 static void ssl_update_checksum_md5sha1( ssl_context *, const unsigned char *, size_t );
350 #endif
351 
352 #if defined(POLARSSL_SSL_PROTO_SSL3)
353 static void ssl_calc_verify_ssl( ssl_context *, unsigned char * );
354 static void ssl_calc_finished_ssl( ssl_context *, unsigned char *, int );
355 #endif
356 
357 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
358 static void ssl_calc_verify_tls( ssl_context *, unsigned char * );
359 static void ssl_calc_finished_tls( ssl_context *, unsigned char *, int );
360 #endif
361 
362 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
363 #if defined(POLARSSL_SHA256_C)
364 static void ssl_update_checksum_sha256( ssl_context *, const unsigned char *, size_t );
365 static void ssl_calc_verify_tls_sha256( ssl_context *,unsigned char * );
366 static void ssl_calc_finished_tls_sha256( ssl_context *,unsigned char *, int );
367 #endif
368 
369 #if defined(POLARSSL_SHA512_C)
370 static void ssl_update_checksum_sha384( ssl_context *, const unsigned char *, size_t );
371 static void ssl_calc_verify_tls_sha384( ssl_context *, unsigned char * );
372 static void ssl_calc_finished_tls_sha384( ssl_context *, unsigned char *, int );
373 #endif
374 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
375 
376 int ssl_derive_keys( ssl_context *ssl )
377 {
378  int ret = 0;
379  unsigned char tmp[64];
380  unsigned char keyblk[256];
381  unsigned char *key1;
382  unsigned char *key2;
383  unsigned char *mac_enc;
384  unsigned char *mac_dec;
385  size_t iv_copy_len;
386  const cipher_info_t *cipher_info;
387  const md_info_t *md_info;
388 
389  ssl_session *session = ssl->session_negotiate;
390  ssl_transform *transform = ssl->transform_negotiate;
391  ssl_handshake_params *handshake = ssl->handshake;
392 
393  SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
394 
395  cipher_info = cipher_info_from_type( transform->ciphersuite_info->cipher );
396  if( cipher_info == NULL )
397  {
398  SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
399  transform->ciphersuite_info->cipher ) );
401  }
402 
403  md_info = md_info_from_type( transform->ciphersuite_info->mac );
404  if( md_info == NULL )
405  {
406  SSL_DEBUG_MSG( 1, ( "md info for %d not found",
407  transform->ciphersuite_info->mac ) );
409  }
410 
411  /*
412  * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
413  */
414 #if defined(POLARSSL_SSL_PROTO_SSL3)
415  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
416  {
417  handshake->tls_prf = ssl3_prf;
418  handshake->calc_verify = ssl_calc_verify_ssl;
419  handshake->calc_finished = ssl_calc_finished_ssl;
420  }
421  else
422 #endif
423 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
424  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
425  {
426  handshake->tls_prf = tls1_prf;
427  handshake->calc_verify = ssl_calc_verify_tls;
428  handshake->calc_finished = ssl_calc_finished_tls;
429  }
430  else
431 #endif
432 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
433 #if defined(POLARSSL_SHA512_C)
434  if( ssl->minor_ver == SSL_MINOR_VERSION_3 &&
435  transform->ciphersuite_info->mac == POLARSSL_MD_SHA384 )
436  {
437  handshake->tls_prf = tls_prf_sha384;
438  handshake->calc_verify = ssl_calc_verify_tls_sha384;
439  handshake->calc_finished = ssl_calc_finished_tls_sha384;
440  }
441  else
442 #endif
443 #if defined(POLARSSL_SHA256_C)
444  if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
445  {
446  handshake->tls_prf = tls_prf_sha256;
447  handshake->calc_verify = ssl_calc_verify_tls_sha256;
448  handshake->calc_finished = ssl_calc_finished_tls_sha256;
449  }
450  else
451 #endif
452 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
453  {
454  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
456  }
457 
458  /*
459  * SSLv3:
460  * master =
461  * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
462  * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
463  * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
464  *
465  * TLSv1+:
466  * master = PRF( premaster, "master secret", randbytes )[0..47]
467  */
468  if( handshake->resume == 0 )
469  {
470  SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
471  handshake->pmslen );
472 
473  handshake->tls_prf( handshake->premaster, handshake->pmslen,
474  "master secret",
475  handshake->randbytes, 64, session->master, 48 );
476 
477  polarssl_zeroize( handshake->premaster, sizeof(handshake->premaster) );
478  }
479  else
480  SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
481 
482  /*
483  * Swap the client and server random values.
484  */
485  memcpy( tmp, handshake->randbytes, 64 );
486  memcpy( handshake->randbytes, tmp + 32, 32 );
487  memcpy( handshake->randbytes + 32, tmp, 32 );
488  polarssl_zeroize( tmp, sizeof( tmp ) );
489 
490  /*
491  * SSLv3:
492  * key block =
493  * MD5( master + SHA1( 'A' + master + randbytes ) ) +
494  * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
495  * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
496  * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
497  * ...
498  *
499  * TLSv1:
500  * key block = PRF( master, "key expansion", randbytes )
501  */
502  handshake->tls_prf( session->master, 48, "key expansion",
503  handshake->randbytes, 64, keyblk, 256 );
504 
505  SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
506  ssl_get_ciphersuite_name( session->ciphersuite ) ) );
507  SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
508  SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
509  SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
510 
511  polarssl_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
512 
513  /*
514  * Determine the appropriate key, IV and MAC length.
515  */
516 
517  transform->keylen = cipher_info->key_length / 8;
518 
519  if( cipher_info->mode == POLARSSL_MODE_GCM ||
520  cipher_info->mode == POLARSSL_MODE_CCM )
521  {
522  transform->maclen = 0;
523 
524  transform->ivlen = 12;
525  transform->fixed_ivlen = 4;
526 
527  /* Minimum length is expicit IV + tag */
528  transform->minlen = transform->ivlen - transform->fixed_ivlen
529  + ( transform->ciphersuite_info->flags &
531  }
532  else
533  {
534  int ret;
535 
536  /* Initialize HMAC contexts */
537  if( ( ret = md_init_ctx( &transform->md_ctx_enc, md_info ) ) != 0 ||
538  ( ret = md_init_ctx( &transform->md_ctx_dec, md_info ) ) != 0 )
539  {
540  SSL_DEBUG_RET( 1, "md_init_ctx", ret );
541  return( ret );
542  }
543 
544  /* Get MAC length */
545  transform->maclen = md_get_size( md_info );
546 
547 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
548  /*
549  * If HMAC is to be truncated, we shall keep the leftmost bytes,
550  * (rfc 6066 page 13 or rfc 2104 section 4),
551  * so we only need to adjust the length here.
552  */
553  if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
554  transform->maclen = SSL_TRUNCATED_HMAC_LEN;
555 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
556 
557  /* IV length */
558  transform->ivlen = cipher_info->iv_size;
559 
560  /* Minimum length */
561  if( cipher_info->mode == POLARSSL_MODE_STREAM )
562  transform->minlen = transform->maclen;
563  else
564  {
565  /*
566  * GenericBlockCipher:
567  * first multiple of blocklen greater than maclen
568  * + IV except for SSL3 and TLS 1.0
569  */
570  transform->minlen = transform->maclen
571  + cipher_info->block_size
572  - transform->maclen % cipher_info->block_size;
573 
574 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
575  if( ssl->minor_ver == SSL_MINOR_VERSION_0 ||
577  ; /* No need to adjust minlen */
578  else
579 #endif
580 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
581  if( ssl->minor_ver == SSL_MINOR_VERSION_2 ||
583  {
584  transform->minlen += transform->ivlen;
585  }
586  else
587 #endif
588  {
589  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
591  }
592  }
593  }
594 
595  SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
596  transform->keylen, transform->minlen, transform->ivlen,
597  transform->maclen ) );
598 
599  /*
600  * Finally setup the cipher contexts, IVs and MAC secrets.
601  */
602  if( ssl->endpoint == SSL_IS_CLIENT )
603  {
604  key1 = keyblk + transform->maclen * 2;
605  key2 = keyblk + transform->maclen * 2 + transform->keylen;
606 
607  mac_enc = keyblk;
608  mac_dec = keyblk + transform->maclen;
609 
610  /*
611  * This is not used in TLS v1.1.
612  */
613  iv_copy_len = ( transform->fixed_ivlen ) ?
614  transform->fixed_ivlen : transform->ivlen;
615  memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
616  memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
617  iv_copy_len );
618  }
619  else
620  {
621  key1 = keyblk + transform->maclen * 2 + transform->keylen;
622  key2 = keyblk + transform->maclen * 2;
623 
624  mac_enc = keyblk + transform->maclen;
625  mac_dec = keyblk;
626 
627  /*
628  * This is not used in TLS v1.1.
629  */
630  iv_copy_len = ( transform->fixed_ivlen ) ?
631  transform->fixed_ivlen : transform->ivlen;
632  memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
633  memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
634  iv_copy_len );
635  }
636 
637 #if defined(POLARSSL_SSL_PROTO_SSL3)
638  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
639  {
640  if( transform->maclen > sizeof transform->mac_enc )
641  {
642  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
644  }
645 
646  memcpy( transform->mac_enc, mac_enc, transform->maclen );
647  memcpy( transform->mac_dec, mac_dec, transform->maclen );
648  }
649  else
650 #endif /* POLARSSL_SSL_PROTO_SSL3 */
651 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
652  defined(POLARSSL_SSL_PROTO_TLS1_2)
653  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
654  {
655  md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen );
656  md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen );
657  }
658  else
659 #endif
660  {
661  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
663  }
664 
665 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
666  if( ssl_hw_record_init != NULL )
667  {
668  int ret = 0;
669 
670  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
671 
672  if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->keylen,
673  transform->iv_enc, transform->iv_dec,
674  iv_copy_len,
675  mac_enc, mac_dec,
676  transform->maclen ) ) != 0 )
677  {
678  SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
680  }
681  }
682 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
683 
684  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
685  cipher_info ) ) != 0 )
686  {
687  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
688  return( ret );
689  }
690 
691  if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
692  cipher_info ) ) != 0 )
693  {
694  SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
695  return( ret );
696  }
697 
698  if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
699  cipher_info->key_length,
700  POLARSSL_ENCRYPT ) ) != 0 )
701  {
702  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
703  return( ret );
704  }
705 
706  if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
707  cipher_info->key_length,
708  POLARSSL_DECRYPT ) ) != 0 )
709  {
710  SSL_DEBUG_RET( 1, "cipher_setkey", ret );
711  return( ret );
712  }
713 
714 #if defined(POLARSSL_CIPHER_MODE_CBC)
715  if( cipher_info->mode == POLARSSL_MODE_CBC )
716  {
717  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
718  POLARSSL_PADDING_NONE ) ) != 0 )
719  {
720  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
721  return( ret );
722  }
723 
724  if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
725  POLARSSL_PADDING_NONE ) ) != 0 )
726  {
727  SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
728  return( ret );
729  }
730  }
731 #endif /* POLARSSL_CIPHER_MODE_CBC */
732 
733  polarssl_zeroize( keyblk, sizeof( keyblk ) );
734 
735 #if defined(POLARSSL_ZLIB_SUPPORT)
736  // Initialize compression
737  //
738  if( session->compression == SSL_COMPRESS_DEFLATE )
739  {
740  if( ssl->compress_buf == NULL )
741  {
742  SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
743  ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
744  if( ssl->compress_buf == NULL )
745  {
746  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
747  SSL_BUFFER_LEN ) );
749  }
750  }
751 
752  SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
753 
754  memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
755  memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
756 
757  if( deflateInit( &transform->ctx_deflate,
758  Z_DEFAULT_COMPRESSION ) != Z_OK ||
759  inflateInit( &transform->ctx_inflate ) != Z_OK )
760  {
761  SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
763  }
764  }
765 #endif /* POLARSSL_ZLIB_SUPPORT */
766 
767  SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
768 
769  return( 0 );
770 }
771 
772 #if defined(POLARSSL_SSL_PROTO_SSL3)
773 void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
774 {
777  unsigned char pad_1[48];
778  unsigned char pad_2[48];
779 
780  SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
781 
782  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
783  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
784 
785  memset( pad_1, 0x36, 48 );
786  memset( pad_2, 0x5C, 48 );
787 
788  md5_update( &md5, ssl->session_negotiate->master, 48 );
789  md5_update( &md5, pad_1, 48 );
790  md5_finish( &md5, hash );
791 
792  md5_starts( &md5 );
793  md5_update( &md5, ssl->session_negotiate->master, 48 );
794  md5_update( &md5, pad_2, 48 );
795  md5_update( &md5, hash, 16 );
796  md5_finish( &md5, hash );
797 
798  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
799  sha1_update( &sha1, pad_1, 40 );
800  sha1_finish( &sha1, hash + 16 );
801 
802  sha1_starts( &sha1 );
803  sha1_update( &sha1, ssl->session_negotiate->master, 48 );
804  sha1_update( &sha1, pad_2, 40 );
805  sha1_update( &sha1, hash + 16, 20 );
806  sha1_finish( &sha1, hash + 16 );
807 
808  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
809  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
810 
811  md5_free( &md5 );
812  sha1_free( &sha1 );
813 
814  return;
815 }
816 #endif /* POLARSSL_SSL_PROTO_SSL3 */
817 
818 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
819 void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
820 {
823 
824  SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
825 
826  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
827  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
828 
829  md5_finish( &md5, hash );
830  sha1_finish( &sha1, hash + 16 );
831 
832  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
833  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
834 
835  md5_free( &md5 );
836  sha1_free( &sha1 );
837 
838  return;
839 }
840 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
841 
842 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
843 #if defined(POLARSSL_SHA256_C)
844 void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
845 {
847 
848  SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
849 
850  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
851  sha256_finish( &sha256, hash );
852 
853  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
854  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
855 
856  sha256_free( &sha256 );
857 
858  return;
859 }
860 #endif /* POLARSSL_SHA256_C */
861 
862 #if defined(POLARSSL_SHA512_C)
863 void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
864 {
866 
867  SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
868 
869  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
870  sha512_finish( &sha512, hash );
871 
872  SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
873  SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
874 
875  sha512_free( &sha512 );
876 
877  return;
878 }
879 #endif /* POLARSSL_SHA512_C */
880 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
881 
882 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
884 {
885  unsigned char *p = ssl->handshake->premaster;
886  unsigned char *end = p + sizeof( ssl->handshake->premaster );
887 
888  /*
889  * PMS = struct {
890  * opaque other_secret<0..2^16-1>;
891  * opaque psk<0..2^16-1>;
892  * };
893  * with "other_secret" depending on the particular key exchange
894  */
895 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
896  if( key_ex == POLARSSL_KEY_EXCHANGE_PSK )
897  {
898  if( end - p < 2 + (int) ssl->psk_len )
900 
901  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
902  *(p++) = (unsigned char)( ssl->psk_len );
903  p += ssl->psk_len;
904  }
905  else
906 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
907 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
908  if( key_ex == POLARSSL_KEY_EXCHANGE_RSA_PSK )
909  {
910  /*
911  * other_secret already set by the ClientKeyExchange message,
912  * and is 48 bytes long
913  */
914  *p++ = 0;
915  *p++ = 48;
916  p += 48;
917  }
918  else
919 #endif /* POLARSSL_KEY_EXCHANGE_RSA_PKS_ENABLED */
920 #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
921  if( key_ex == POLARSSL_KEY_EXCHANGE_DHE_PSK )
922  {
923  int ret;
924  size_t len = end - ( p + 2 );
925 
926  /* Write length only when we know the actual value */
927  if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
928  p + 2, &len,
929  ssl->f_rng, ssl->p_rng ) ) != 0 )
930  {
931  SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
932  return( ret );
933  }
934  *(p++) = (unsigned char)( len >> 8 );
935  *(p++) = (unsigned char)( len );
936  p += len;
937 
938  SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
939  }
940  else
941 #endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
942 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
943  if( key_ex == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
944  {
945  int ret;
946  size_t zlen;
947 
948  if( ( ret = ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
949  p + 2, end - ( p + 2 ),
950  ssl->f_rng, ssl->p_rng ) ) != 0 )
951  {
952  SSL_DEBUG_RET( 1, "ecdh_calc_secret", ret );
953  return( ret );
954  }
955 
956  *(p++) = (unsigned char)( zlen >> 8 );
957  *(p++) = (unsigned char)( zlen );
958  p += zlen;
959 
960  SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
961  }
962  else
963 #endif /* POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
964  {
965  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
967  }
968 
969  /* opaque psk<0..2^16-1>; */
970  if( end - p < 2 + (int) ssl->psk_len )
972 
973  *(p++) = (unsigned char)( ssl->psk_len >> 8 );
974  *(p++) = (unsigned char)( ssl->psk_len );
975  memcpy( p, ssl->psk, ssl->psk_len );
976  p += ssl->psk_len;
977 
978  ssl->handshake->pmslen = p - ssl->handshake->premaster;
979 
980  return( 0 );
981 }
982 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
983 
984 #if defined(POLARSSL_SSL_PROTO_SSL3)
985 /*
986  * SSLv3.0 MAC functions
987  */
988 static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
989  unsigned char *buf, size_t len,
990  unsigned char *ctr, int type )
991 {
992  unsigned char header[11];
993  unsigned char padding[48];
994  int padlen;
995  int md_size = md_get_size( md_ctx->md_info );
996  int md_type = md_get_type( md_ctx->md_info );
997 
998  /* Only MD5 and SHA-1 supported */
999  if( md_type == POLARSSL_MD_MD5 )
1000  padlen = 48;
1001  else
1002  padlen = 40;
1003 
1004  memcpy( header, ctr, 8 );
1005  header[ 8] = (unsigned char) type;
1006  header[ 9] = (unsigned char)( len >> 8 );
1007  header[10] = (unsigned char)( len );
1008 
1009  memset( padding, 0x36, padlen );
1010  md_starts( md_ctx );
1011  md_update( md_ctx, secret, md_size );
1012  md_update( md_ctx, padding, padlen );
1013  md_update( md_ctx, header, 11 );
1014  md_update( md_ctx, buf, len );
1015  md_finish( md_ctx, buf + len );
1016 
1017  memset( padding, 0x5C, padlen );
1018  md_starts( md_ctx );
1019  md_update( md_ctx, secret, md_size );
1020  md_update( md_ctx, padding, padlen );
1021  md_update( md_ctx, buf + len, md_size );
1022  md_finish( md_ctx, buf + len );
1023 }
1024 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1025 
1026 /*
1027  * Encryption/decryption functions
1028  */
1029 static int ssl_encrypt_buf( ssl_context *ssl )
1030 {
1031  size_t i;
1033  &ssl->transform_out->cipher_ctx_enc );
1034 
1035  SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
1036 
1037  /*
1038  * Add MAC before encrypt, except for AEAD modes
1039  */
1040 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1041  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1042  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1043  if( mode != POLARSSL_MODE_GCM &&
1044  mode != POLARSSL_MODE_CCM )
1045  {
1046 #if defined(POLARSSL_SSL_PROTO_SSL3)
1047  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1048  {
1049  ssl_mac( &ssl->transform_out->md_ctx_enc,
1050  ssl->transform_out->mac_enc,
1051  ssl->out_msg, ssl->out_msglen,
1052  ssl->out_ctr, ssl->out_msgtype );
1053  }
1054  else
1055 #endif
1056 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1057  defined(POLARSSL_SSL_PROTO_TLS1_2)
1058  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
1059  {
1060  md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
1062  ssl->out_msg, ssl->out_msglen );
1064  ssl->out_msg + ssl->out_msglen );
1066  }
1067  else
1068 #endif
1069  {
1070  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1072  }
1073 
1074  SSL_DEBUG_BUF( 4, "computed mac",
1075  ssl->out_msg + ssl->out_msglen,
1076  ssl->transform_out->maclen );
1077 
1078  ssl->out_msglen += ssl->transform_out->maclen;
1079  }
1080 #endif /* AEAD not the only option */
1081 
1082  /*
1083  * Encrypt
1084  */
1085 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1086  if( mode == POLARSSL_MODE_STREAM )
1087  {
1088  int ret;
1089  size_t olen = 0;
1090 
1091  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1092  "including %d bytes of padding",
1093  ssl->out_msglen, 0 ) );
1094 
1095  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1096  ssl->out_msg, ssl->out_msglen );
1097 
1098  if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1099  ssl->transform_out->iv_enc,
1100  ssl->transform_out->ivlen,
1101  ssl->out_msg, ssl->out_msglen,
1102  ssl->out_msg, &olen ) ) != 0 )
1103  {
1104  SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1105  return( ret );
1106  }
1107 
1108  if( ssl->out_msglen != olen )
1109  {
1110  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1112  }
1113  }
1114  else
1115 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1116 #if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1117  if( mode == POLARSSL_MODE_GCM ||
1118  mode == POLARSSL_MODE_CCM )
1119  {
1120  int ret;
1121  size_t enc_msglen, olen;
1122  unsigned char *enc_msg;
1123  unsigned char add_data[13];
1124  unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
1126 
1127  memcpy( add_data, ssl->out_ctr, 8 );
1128  add_data[8] = ssl->out_msgtype;
1129  add_data[9] = ssl->major_ver;
1130  add_data[10] = ssl->minor_ver;
1131  add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1132  add_data[12] = ssl->out_msglen & 0xFF;
1133 
1134  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1135  add_data, 13 );
1136 
1137  /*
1138  * Generate IV
1139  */
1140  ret = ssl->f_rng( ssl->p_rng,
1142  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1143  if( ret != 0 )
1144  return( ret );
1145 
1146  memcpy( ssl->out_iv,
1148  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1149 
1150  SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
1151  ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
1152 
1153  /*
1154  * Fix pointer positions and message length with added IV
1155  */
1156  enc_msg = ssl->out_msg;
1157  enc_msglen = ssl->out_msglen;
1158  ssl->out_msglen += ssl->transform_out->ivlen -
1159  ssl->transform_out->fixed_ivlen;
1160 
1161  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1162  "including %d bytes of padding",
1163  ssl->out_msglen, 0 ) );
1164 
1165  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1166  ssl->out_msg, ssl->out_msglen );
1167 
1168  /*
1169  * Encrypt and authenticate
1170  */
1171  if( ( ret = cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
1172  ssl->transform_out->iv_enc,
1173  ssl->transform_out->ivlen,
1174  add_data, 13,
1175  enc_msg, enc_msglen,
1176  enc_msg, &olen,
1177  enc_msg + enc_msglen, taglen ) ) != 0 )
1178  {
1179  SSL_DEBUG_RET( 1, "cipher_auth_encrypt", ret );
1180  return( ret );
1181  }
1182 
1183  if( olen != enc_msglen )
1184  {
1185  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1187  }
1188 
1189  ssl->out_msglen += taglen;
1190 
1191  SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
1192  }
1193  else
1194 #endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
1195 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1196  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1197  if( mode == POLARSSL_MODE_CBC )
1198  {
1199  int ret;
1200  unsigned char *enc_msg;
1201  size_t enc_msglen, padlen, olen = 0;
1202 
1203  padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1204  ssl->transform_out->ivlen;
1205  if( padlen == ssl->transform_out->ivlen )
1206  padlen = 0;
1207 
1208  for( i = 0; i <= padlen; i++ )
1209  ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1210 
1211  ssl->out_msglen += padlen + 1;
1212 
1213  enc_msglen = ssl->out_msglen;
1214  enc_msg = ssl->out_msg;
1215 
1216 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1217  /*
1218  * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1219  * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1220  */
1221  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1222  {
1223  /*
1224  * Generate IV
1225  */
1226  int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
1227  ssl->transform_out->ivlen );
1228  if( ret != 0 )
1229  return( ret );
1230 
1231  memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1232  ssl->transform_out->ivlen );
1233 
1234  /*
1235  * Fix pointer positions and message length with added IV
1236  */
1237  enc_msg = ssl->out_msg;
1238  enc_msglen = ssl->out_msglen;
1239  ssl->out_msglen += ssl->transform_out->ivlen;
1240  }
1241 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1242 
1243  SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1244  "including %d bytes of IV and %d bytes of padding",
1245  ssl->out_msglen, ssl->transform_out->ivlen,
1246  padlen + 1 ) );
1247 
1248  SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1249  ssl->out_iv, ssl->out_msglen );
1250 
1251  if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1252  ssl->transform_out->iv_enc,
1253  ssl->transform_out->ivlen,
1254  enc_msg, enc_msglen,
1255  enc_msg, &olen ) ) != 0 )
1256  {
1257  SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1258  return( ret );
1259  }
1260 
1261  if( enc_msglen != olen )
1262  {
1263  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1265  }
1266 
1267 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1268  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1269  {
1270  /*
1271  * Save IV in SSL3 and TLS1
1272  */
1273  memcpy( ssl->transform_out->iv_enc,
1275  ssl->transform_out->ivlen );
1276  }
1277 #endif
1278  }
1279  else
1280 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1281  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1282  {
1283  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1285  }
1286 
1287  for( i = 8; i > 0; i-- )
1288  if( ++ssl->out_ctr[i - 1] != 0 )
1289  break;
1290 
1291  /* The loops goes to its end iff the counter is wrapping */
1292  if( i == 0 )
1293  {
1294  SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
1296  }
1297 
1298  SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1299 
1300  return( 0 );
1301 }
1302 
1303 #define POLARSSL_SSL_MAX_MAC_SIZE 48
1304 
1305 static int ssl_decrypt_buf( ssl_context *ssl )
1306 {
1307  size_t i;
1309  &ssl->transform_in->cipher_ctx_dec );
1310 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1311  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1312  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1313  size_t padlen = 0, correct = 1;
1314 #endif
1315 
1316  SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1317 
1318  if( ssl->in_msglen < ssl->transform_in->minlen )
1319  {
1320  SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1321  ssl->in_msglen, ssl->transform_in->minlen ) );
1322  return( POLARSSL_ERR_SSL_INVALID_MAC );
1323  }
1324 
1325 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
1326  if( mode == POLARSSL_MODE_STREAM )
1327  {
1328  int ret;
1329  size_t olen = 0;
1330 
1331  padlen = 0;
1332 
1333  if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1334  ssl->transform_in->iv_dec,
1335  ssl->transform_in->ivlen,
1336  ssl->in_msg, ssl->in_msglen,
1337  ssl->in_msg, &olen ) ) != 0 )
1338  {
1339  SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1340  return( ret );
1341  }
1342 
1343  if( ssl->in_msglen != olen )
1344  {
1345  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1347  }
1348  }
1349  else
1350 #endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
1351 #if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
1352  if( mode == POLARSSL_MODE_GCM ||
1353  mode == POLARSSL_MODE_CCM )
1354  {
1355  int ret;
1356  size_t dec_msglen, olen;
1357  unsigned char *dec_msg;
1358  unsigned char *dec_msg_result;
1359  unsigned char add_data[13];
1360  unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
1362  unsigned char explicit_iv_len = ssl->transform_in->ivlen -
1363  ssl->transform_in->fixed_ivlen;
1364 
1365  if( ssl->in_msglen < explicit_iv_len + taglen )
1366  {
1367  SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1368  "+ taglen (%d)", ssl->in_msglen,
1369  explicit_iv_len, taglen ) );
1370  return( POLARSSL_ERR_SSL_INVALID_MAC );
1371  }
1372  dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
1373 
1374  dec_msg = ssl->in_msg;
1375  dec_msg_result = ssl->in_msg;
1376  ssl->in_msglen = dec_msglen;
1377 
1378  memcpy( add_data, ssl->in_ctr, 8 );
1379  add_data[8] = ssl->in_msgtype;
1380  add_data[9] = ssl->major_ver;
1381  add_data[10] = ssl->minor_ver;
1382  add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
1383  add_data[12] = ssl->in_msglen & 0xFF;
1384 
1385  SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1386  add_data, 13 );
1387 
1388  memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
1389  ssl->in_iv,
1390  ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
1391 
1392  SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
1393  ssl->transform_in->ivlen );
1394  SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
1395 
1396  /*
1397  * Decrypt and authenticate
1398  */
1399  if( ( ret = cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
1400  ssl->transform_in->iv_dec,
1401  ssl->transform_in->ivlen,
1402  add_data, 13,
1403  dec_msg, dec_msglen,
1404  dec_msg_result, &olen,
1405  dec_msg + dec_msglen, taglen ) ) != 0 )
1406  {
1407  SSL_DEBUG_RET( 1, "cipher_auth_decrypt", ret );
1408 
1409  if( ret == POLARSSL_ERR_CIPHER_AUTH_FAILED )
1410  return( POLARSSL_ERR_SSL_INVALID_MAC );
1411 
1412  return( ret );
1413  }
1414 
1415  if( olen != dec_msglen )
1416  {
1417  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1419  }
1420  }
1421  else
1422 #endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
1423 #if defined(POLARSSL_CIPHER_MODE_CBC) && \
1424  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
1425  if( mode == POLARSSL_MODE_CBC )
1426  {
1427  /*
1428  * Decrypt and check the padding
1429  */
1430  int ret;
1431  unsigned char *dec_msg;
1432  unsigned char *dec_msg_result;
1433  size_t dec_msglen;
1434  size_t minlen = 0;
1435  size_t olen = 0;
1436 
1437  /*
1438  * Check immediate ciphertext sanity
1439  */
1440  if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
1441  {
1442  SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1443  ssl->in_msglen, ssl->transform_in->ivlen ) );
1444  return( POLARSSL_ERR_SSL_INVALID_MAC );
1445  }
1446 
1447 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1448  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1449  minlen += ssl->transform_in->ivlen;
1450 #endif
1451 
1452  if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
1453  ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
1454  {
1455  SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1456  "+ 1 ) ( + expl IV )", ssl->in_msglen,
1457  ssl->transform_in->ivlen,
1458  ssl->transform_in->maclen ) );
1459  return( POLARSSL_ERR_SSL_INVALID_MAC );
1460  }
1461 
1462  dec_msglen = ssl->in_msglen;
1463  dec_msg = ssl->in_msg;
1464  dec_msg_result = ssl->in_msg;
1465 
1466 #if defined(POLARSSL_SSL_PROTO_TLS1_1) || defined(POLARSSL_SSL_PROTO_TLS1_2)
1467  /*
1468  * Initialize for prepended IV for block cipher in TLS v1.1 and up
1469  */
1470  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
1471  {
1472  dec_msglen -= ssl->transform_in->ivlen;
1473  ssl->in_msglen -= ssl->transform_in->ivlen;
1474 
1475  for( i = 0; i < ssl->transform_in->ivlen; i++ )
1476  ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
1477  }
1478 #endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
1479 
1480  if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1481  ssl->transform_in->iv_dec,
1482  ssl->transform_in->ivlen,
1483  dec_msg, dec_msglen,
1484  dec_msg_result, &olen ) ) != 0 )
1485  {
1486  SSL_DEBUG_RET( 1, "cipher_crypt", ret );
1487  return( ret );
1488  }
1489 
1490  if( dec_msglen != olen )
1491  {
1492  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1494  }
1495 
1496 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
1497  if( ssl->minor_ver < SSL_MINOR_VERSION_2 )
1498  {
1499  /*
1500  * Save IV in SSL3 and TLS1
1501  */
1502  memcpy( ssl->transform_in->iv_dec,
1504  ssl->transform_in->ivlen );
1505  }
1506 #endif
1507 
1508  padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
1509 
1510  if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
1511  {
1512 #if defined(POLARSSL_SSL_DEBUG_ALL)
1513  SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1514  ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
1515 #endif
1516  padlen = 0;
1517  correct = 0;
1518  }
1519 
1520 #if defined(POLARSSL_SSL_PROTO_SSL3)
1521  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1522  {
1523  if( padlen > ssl->transform_in->ivlen )
1524  {
1525 #if defined(POLARSSL_SSL_DEBUG_ALL)
1526  SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1527  "should be no more than %d",
1528  padlen, ssl->transform_in->ivlen ) );
1529 #endif
1530  correct = 0;
1531  }
1532  }
1533  else
1534 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1535 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1536  defined(POLARSSL_SSL_PROTO_TLS1_2)
1537  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1538  {
1539  /*
1540  * TLSv1+: always check the padding up to the first failure
1541  * and fake check up to 256 bytes of padding
1542  */
1543  size_t pad_count = 0, real_count = 1;
1544  size_t padding_idx = ssl->in_msglen - padlen - 1;
1545 
1546  /*
1547  * Padding is guaranteed to be incorrect if:
1548  * 1. padlen >= ssl->in_msglen
1549  *
1550  * 2. padding_idx >= SSL_MAX_CONTENT_LEN +
1551  * ssl->transform_in->maclen
1552  *
1553  * In both cases we reset padding_idx to a safe value (0) to
1554  * prevent out-of-buffer reads.
1555  */
1556  correct &= ( ssl->in_msglen >= padlen + 1 );
1557  correct &= ( padding_idx < SSL_MAX_CONTENT_LEN +
1558  ssl->transform_in->maclen );
1559 
1560  padding_idx *= correct;
1561 
1562  for( i = 1; i <= 256; i++ )
1563  {
1564  real_count &= ( i <= padlen );
1565  pad_count += real_count *
1566  ( ssl->in_msg[padding_idx + i] == padlen - 1 );
1567  }
1568 
1569  correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
1570 
1571 #if defined(POLARSSL_SSL_DEBUG_ALL)
1572  if( padlen > 0 && correct == 0 )
1573  SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1574 #endif
1575  padlen &= correct * 0x1FF;
1576  }
1577  else
1578 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1579  POLARSSL_SSL_PROTO_TLS1_2 */
1580  {
1581  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1583  }
1584  }
1585  else
1586 #endif /* POLARSSL_CIPHER_MODE_CBC &&
1587  ( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
1588  {
1589  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1591  }
1592 
1593  SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1594  ssl->in_msg, ssl->in_msglen );
1595 
1596  /*
1597  * Always compute the MAC (RFC4346, CBCTIME), except for AEAD of course
1598  */
1599 #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
1600  ( defined(POLARSSL_CIPHER_MODE_CBC) && \
1601  ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
1602  if( mode != POLARSSL_MODE_GCM &&
1603  mode != POLARSSL_MODE_CCM )
1604  {
1605  unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
1606 
1607  ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
1608 
1609  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
1610  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
1611 
1612  memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
1613 
1614 #if defined(POLARSSL_SSL_PROTO_SSL3)
1615  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1616  {
1617  ssl_mac( &ssl->transform_in->md_ctx_dec,
1618  ssl->transform_in->mac_dec,
1619  ssl->in_msg, ssl->in_msglen,
1620  ssl->in_ctr, ssl->in_msgtype );
1621  }
1622  else
1623 #endif /* POLARSSL_SSL_PROTO_SSL3 */
1624 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
1625  defined(POLARSSL_SSL_PROTO_TLS1_2)
1626  if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
1627  {
1628  /*
1629  * Process MAC and always update for padlen afterwards to make
1630  * total time independent of padlen
1631  *
1632  * extra_run compensates MAC check for padlen
1633  *
1634  * Known timing attacks:
1635  * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1636  *
1637  * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1638  * correctly. (We round down instead of up, so -56 is the correct
1639  * value for our calculations instead of -55)
1640  */
1641  size_t j, extra_run = 0;
1642  extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
1643  ( 13 + ssl->in_msglen + 8 ) / 64;
1644 
1645  extra_run &= correct * 0xFF;
1646 
1647  md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
1649  ssl->in_msglen );
1651  ssl->in_msg + ssl->in_msglen );
1652  for( j = 0; j < extra_run; j++ )
1653  md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
1654 
1656  }
1657  else
1658 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
1659  POLARSSL_SSL_PROTO_TLS1_2 */
1660  {
1661  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1663  }
1664 
1665  SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
1666  SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
1667  ssl->transform_in->maclen );
1668 
1669  if( safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
1670  ssl->transform_in->maclen ) != 0 )
1671  {
1672 #if defined(POLARSSL_SSL_DEBUG_ALL)
1673  SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1674 #endif
1675  correct = 0;
1676  }
1677 
1678  /*
1679  * Finally check the correct flag
1680  */
1681  if( correct == 0 )
1682  return( POLARSSL_ERR_SSL_INVALID_MAC );
1683  }
1684 #endif /* AEAD not the only option */
1685 
1686  if( ssl->in_msglen == 0 )
1687  {
1688  ssl->nb_zero++;
1689 
1690  /*
1691  * Three or more empty messages may be a DoS attack
1692  * (excessive CPU consumption).
1693  */
1694  if( ssl->nb_zero > 3 )
1695  {
1696  SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
1697  "messages, possible DoS attack" ) );
1698  return( POLARSSL_ERR_SSL_INVALID_MAC );
1699  }
1700  }
1701  else
1702  ssl->nb_zero = 0;
1703 
1704  for( i = 8; i > 0; i-- )
1705  if( ++ssl->in_ctr[i - 1] != 0 )
1706  break;
1707 
1708  /* The loops goes to its end iff the counter is wrapping */
1709  if( i == 0 )
1710  {
1711  SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
1713  }
1714 
1715  SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1716 
1717  return( 0 );
1718 }
1719 
1720 #if defined(POLARSSL_ZLIB_SUPPORT)
1721 /*
1722  * Compression/decompression functions
1723  */
1724 static int ssl_compress_buf( ssl_context *ssl )
1725 {
1726  int ret;
1727  unsigned char *msg_post = ssl->out_msg;
1728  size_t len_pre = ssl->out_msglen;
1729  unsigned char *msg_pre = ssl->compress_buf;
1730 
1731  SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
1732 
1733  if( len_pre == 0 )
1734  return( 0 );
1735 
1736  memcpy( msg_pre, ssl->out_msg, len_pre );
1737 
1738  SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
1739  ssl->out_msglen ) );
1740 
1741  SSL_DEBUG_BUF( 4, "before compression: output payload",
1742  ssl->out_msg, ssl->out_msglen );
1743 
1744  ssl->transform_out->ctx_deflate.next_in = msg_pre;
1745  ssl->transform_out->ctx_deflate.avail_in = len_pre;
1746  ssl->transform_out->ctx_deflate.next_out = msg_post;
1747  ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
1748 
1749  ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
1750  if( ret != Z_OK )
1751  {
1752  SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
1754  }
1755 
1756  ssl->out_msglen = SSL_BUFFER_LEN -
1757  ssl->transform_out->ctx_deflate.avail_out;
1758 
1759  SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
1760  ssl->out_msglen ) );
1761 
1762  SSL_DEBUG_BUF( 4, "after compression: output payload",
1763  ssl->out_msg, ssl->out_msglen );
1764 
1765  SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
1766 
1767  return( 0 );
1768 }
1769 
1770 static int ssl_decompress_buf( ssl_context *ssl )
1771 {
1772  int ret;
1773  unsigned char *msg_post = ssl->in_msg;
1774  size_t len_pre = ssl->in_msglen;
1775  unsigned char *msg_pre = ssl->compress_buf;
1776 
1777  SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
1778 
1779  if( len_pre == 0 )
1780  return( 0 );
1781 
1782  memcpy( msg_pre, ssl->in_msg, len_pre );
1783 
1784  SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
1785  ssl->in_msglen ) );
1786 
1787  SSL_DEBUG_BUF( 4, "before decompression: input payload",
1788  ssl->in_msg, ssl->in_msglen );
1789 
1790  ssl->transform_in->ctx_inflate.next_in = msg_pre;
1791  ssl->transform_in->ctx_inflate.avail_in = len_pre;
1792  ssl->transform_in->ctx_inflate.next_out = msg_post;
1793  ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
1794 
1795  ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
1796  if( ret != Z_OK )
1797  {
1798  SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
1800  }
1801 
1803  ssl->transform_in->ctx_inflate.avail_out;
1804 
1805  SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
1806  ssl->in_msglen ) );
1807 
1808  SSL_DEBUG_BUF( 4, "after decompression: input payload",
1809  ssl->in_msg, ssl->in_msglen );
1810 
1811  SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
1812 
1813  return( 0 );
1814 }
1815 #endif /* POLARSSL_ZLIB_SUPPORT */
1816 
1817 /*
1818  * Fill the input message buffer
1819  */
1820 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
1821 {
1822  int ret;
1823  size_t len;
1824 
1825  SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1826 
1827  if( nb_want > SSL_BUFFER_LEN - 8 )
1828  {
1829  SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1831  }
1832 
1833  while( ssl->in_left < nb_want )
1834  {
1835  len = nb_want - ssl->in_left;
1836  ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
1837 
1838  SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
1839  ssl->in_left, nb_want ) );
1840  SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
1841 
1842  if( ret == 0 )
1843  return( POLARSSL_ERR_SSL_CONN_EOF );
1844 
1845  if( ret < 0 )
1846  return( ret );
1847 
1848  ssl->in_left += ret;
1849  }
1850 
1851  SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1852 
1853  return( 0 );
1854 }
1855 
1856 /*
1857  * Flush any data not yet written
1858  */
1859 int ssl_flush_output( ssl_context *ssl )
1860 {
1861  int ret;
1862  unsigned char *buf;
1863 
1864  SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1865 
1866  while( ssl->out_left > 0 )
1867  {
1868  SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
1869  5 + ssl->out_msglen, ssl->out_left ) );
1870 
1871  buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
1872  ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
1873 
1874  SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1875 
1876  if( ret <= 0 )
1877  return( ret );
1878 
1879  ssl->out_left -= ret;
1880  }
1881 
1882  SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1883 
1884  return( 0 );
1885 }
1886 
1887 /*
1888  * Record layer functions
1889  */
1890 int ssl_write_record( ssl_context *ssl )
1891 {
1892  int ret, done = 0;
1893  size_t len = ssl->out_msglen;
1894 
1895  SSL_DEBUG_MSG( 2, ( "=> write record" ) );
1896 
1897  if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
1898  {
1899  ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
1900  ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
1901  ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
1902 
1903  if( ssl->out_msg[0] != SSL_HS_HELLO_REQUEST )
1904  ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
1905  }
1906 
1907 #if defined(POLARSSL_ZLIB_SUPPORT)
1908  if( ssl->transform_out != NULL &&
1910  {
1911  if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
1912  {
1913  SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
1914  return( ret );
1915  }
1916 
1917  len = ssl->out_msglen;
1918  }
1919 #endif /*POLARSSL_ZLIB_SUPPORT */
1920 
1921 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
1922  if( ssl_hw_record_write != NULL )
1923  {
1924  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
1925 
1926  ret = ssl_hw_record_write( ssl );
1927  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
1928  {
1929  SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
1931  }
1932 
1933  if( ret == 0 )
1934  done = 1;
1935  }
1936 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
1937  if( !done )
1938  {
1939  ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
1940  ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
1941  ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
1942  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1943  ssl->out_hdr[4] = (unsigned char)( len );
1944 
1945  if( ssl->transform_out != NULL )
1946  {
1947  if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
1948  {
1949  SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
1950  return( ret );
1951  }
1952 
1953  len = ssl->out_msglen;
1954  ssl->out_hdr[3] = (unsigned char)( len >> 8 );
1955  ssl->out_hdr[4] = (unsigned char)( len );
1956  }
1957 
1958  ssl->out_left = 5 + ssl->out_msglen;
1959 
1960  SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
1961  "version = [%d:%d], msglen = %d",
1962  ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
1963  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
1964 
1965  SSL_DEBUG_BUF( 4, "output record sent to network",
1966  ssl->out_hdr, 5 + ssl->out_msglen );
1967  }
1968 
1969  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1970  {
1971  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1972  return( ret );
1973  }
1974 
1975  SSL_DEBUG_MSG( 2, ( "<= write record" ) );
1976 
1977  return( 0 );
1978 }
1979 
1980 int ssl_read_record( ssl_context *ssl )
1981 {
1982  int ret, done = 0;
1983 
1984  SSL_DEBUG_MSG( 2, ( "=> read record" ) );
1985 
1986  if( ssl->in_hslen != 0 &&
1987  ssl->in_hslen < ssl->in_msglen )
1988  {
1989  /*
1990  * Get next Handshake message in the current record
1991  */
1992  ssl->in_msglen -= ssl->in_hslen;
1993 
1994  memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
1995  ssl->in_msglen );
1996 
1997  ssl->in_hslen = 4;
1998  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
1999 
2000  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2001  " %d, type = %d, hslen = %d",
2002  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2003 
2004  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2005  {
2006  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2008  }
2009 
2010  if( ssl->in_msglen < ssl->in_hslen )
2011  {
2012  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2014  }
2015 
2016  if( ssl->state != SSL_HANDSHAKE_OVER )
2017  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2018 
2019  return( 0 );
2020  }
2021 
2022  ssl->in_hslen = 0;
2023 
2024  /*
2025  * Read the record header and validate it
2026  */
2027  if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
2028  {
2029  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2030  return( ret );
2031  }
2032 
2033  ssl->in_msgtype = ssl->in_hdr[0];
2034  ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
2035 
2036  SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
2037  "version = [%d:%d], msglen = %d",
2038  ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
2039  ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
2040 
2041  if( ssl->in_hdr[1] != ssl->major_ver )
2042  {
2043  SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
2045  }
2046 
2047  if( ssl->in_hdr[2] > ssl->max_minor_ver )
2048  {
2049  SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
2051  }
2052 
2053  /* Sanity check (outer boundaries) */
2054  if( ssl->in_msglen < 1 || ssl->in_msglen > SSL_BUFFER_LEN - 13 )
2055  {
2056  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2058  }
2059 
2060  /*
2061  * Make sure the message length is acceptable for the current transform
2062  * and protocol version.
2063  */
2064  if( ssl->transform_in == NULL )
2065  {
2066  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2067  {
2068  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2070  }
2071  }
2072  else
2073  {
2074  if( ssl->in_msglen < ssl->transform_in->minlen )
2075  {
2076  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2078  }
2079 
2080 #if defined(POLARSSL_SSL_PROTO_SSL3)
2081  if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
2083  {
2084  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2086  }
2087 #endif
2088 
2089 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2090  defined(POLARSSL_SSL_PROTO_TLS1_2)
2091  /*
2092  * TLS encrypted messages can have up to 256 bytes of padding
2093  */
2094  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
2095  ssl->in_msglen > ssl->transform_in->minlen +
2096  SSL_MAX_CONTENT_LEN + 256 )
2097  {
2098  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2100  }
2101 #endif
2102  }
2103 
2104  /*
2105  * Read and optionally decrypt the message contents
2106  */
2107  if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
2108  {
2109  SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
2110  return( ret );
2111  }
2112 
2113  SSL_DEBUG_BUF( 4, "input record from network",
2114  ssl->in_hdr, 5 + ssl->in_msglen );
2115 
2116 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
2117  if( ssl_hw_record_read != NULL )
2118  {
2119  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
2120 
2121  ret = ssl_hw_record_read( ssl );
2122  if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
2123  {
2124  SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
2126  }
2127 
2128  if( ret == 0 )
2129  done = 1;
2130  }
2131 #endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
2132  if( !done && ssl->transform_in != NULL )
2133  {
2134  if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
2135  {
2136 #if defined(POLARSSL_SSL_ALERT_MESSAGES)
2137  if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
2138  {
2142  }
2143 #endif
2144  SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
2145  return( ret );
2146  }
2147 
2148  SSL_DEBUG_BUF( 4, "input payload after decrypt",
2149  ssl->in_msg, ssl->in_msglen );
2150 
2151  if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
2152  {
2153  SSL_DEBUG_MSG( 1, ( "bad message length" ) );
2155  }
2156  }
2157 
2158 #if defined(POLARSSL_ZLIB_SUPPORT)
2159  if( ssl->transform_in != NULL &&
2161  {
2162  if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
2163  {
2164  SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
2165  return( ret );
2166  }
2167 
2168  ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
2169  ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
2170  }
2171 #endif /* POLARSSL_ZLIB_SUPPORT */
2172 
2173  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
2174  ssl->in_msgtype != SSL_MSG_ALERT &&
2177  {
2178  SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
2179 
2180  if( ( ret = ssl_send_alert_message( ssl,
2183  {
2184  return( ret );
2185  }
2186 
2188  }
2189 
2190  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
2191  {
2192  ssl->in_hslen = 4;
2193  ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
2194 
2195  SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2196  " %d, type = %d, hslen = %d",
2197  ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2198 
2199  /*
2200  * Additional checks to validate the handshake header
2201  */
2202  if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
2203  {
2204  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2206  }
2207 
2208  if( ssl->in_msglen < ssl->in_hslen )
2209  {
2210  SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
2212  }
2213 
2214  if( ssl->state != SSL_HANDSHAKE_OVER )
2215  ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2216  }
2217 
2218  if( ssl->in_msgtype == SSL_MSG_ALERT )
2219  {
2220  SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
2221  ssl->in_msg[0], ssl->in_msg[1] ) );
2222 
2223  /*
2224  * Ignore non-fatal alerts, except close_notify
2225  */
2226  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
2227  {
2228  SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
2229  ssl->in_msg[1] ) );
2231  }
2232 
2233  if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2234  ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
2235  {
2236  SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
2238  }
2239  }
2240 
2241  ssl->in_left = 0;
2242 
2243  SSL_DEBUG_MSG( 2, ( "<= read record" ) );
2244 
2245  return( 0 );
2246 }
2247 
2249 {
2250  int ret;
2251 
2252  if( ( ret = ssl_send_alert_message( ssl,
2255  {
2256  return( ret );
2257  }
2258 
2259  return( 0 );
2260 }
2261 
2263  unsigned char level,
2264  unsigned char message )
2265 {
2266  int ret;
2267 
2268  SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
2269 
2270  ssl->out_msgtype = SSL_MSG_ALERT;
2271  ssl->out_msglen = 2;
2272  ssl->out_msg[0] = level;
2273  ssl->out_msg[1] = message;
2274 
2275  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2276  {
2277  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2278  return( ret );
2279  }
2280 
2281  SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
2282 
2283  return( 0 );
2284 }
2285 
2286 /*
2287  * Handshake functions
2288  */
2289 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
2290  !defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
2291  !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2292  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2293  !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
2294  !defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2295  !defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2297 {
2298  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2299 
2300  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2301 
2302  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2303  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2304  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2305  {
2306  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2307  ssl->state++;
2308  return( 0 );
2309  }
2310 
2311  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2313 }
2314 
2316 {
2317  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2318 
2319  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2320 
2321  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2322  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2323  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2324  {
2325  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2326  ssl->state++;
2327  return( 0 );
2328  }
2329 
2330  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2332 }
2333 #else
2335 {
2337  size_t i, n;
2338  const x509_crt *crt;
2339  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2340 
2341  SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
2342 
2343  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2344  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2345  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2346  {
2347  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2348  ssl->state++;
2349  return( 0 );
2350  }
2351 
2352  if( ssl->endpoint == SSL_IS_CLIENT )
2353  {
2354  if( ssl->client_auth == 0 )
2355  {
2356  SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
2357  ssl->state++;
2358  return( 0 );
2359  }
2360 
2361 #if defined(POLARSSL_SSL_PROTO_SSL3)
2362  /*
2363  * If using SSLv3 and got no cert, send an Alert message
2364  * (otherwise an empty Certificate message will be sent).
2365  */
2366  if( ssl_own_cert( ssl ) == NULL &&
2367  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2368  {
2369  ssl->out_msglen = 2;
2370  ssl->out_msgtype = SSL_MSG_ALERT;
2371  ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING;
2372  ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT;
2373 
2374  SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
2375  goto write_msg;
2376  }
2377 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2378  }
2379  else /* SSL_IS_SERVER */
2380  {
2381  if( ssl_own_cert( ssl ) == NULL )
2382  {
2383  SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
2385  }
2386  }
2387 
2388  SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
2389 
2390  /*
2391  * 0 . 0 handshake type
2392  * 1 . 3 handshake length
2393  * 4 . 6 length of all certs
2394  * 7 . 9 length of cert. 1
2395  * 10 . n-1 peer certificate
2396  * n . n+2 length of cert. 2
2397  * n+3 . ... upper level cert, etc.
2398  */
2399  i = 7;
2400  crt = ssl_own_cert( ssl );
2401 
2402  while( crt != NULL )
2403  {
2404  n = crt->raw.len;
2405  if( n > SSL_MAX_CONTENT_LEN - 3 - i )
2406  {
2407  SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
2408  i + 3 + n, SSL_MAX_CONTENT_LEN ) );
2410  }
2411 
2412  ssl->out_msg[i ] = (unsigned char)( n >> 16 );
2413  ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
2414  ssl->out_msg[i + 2] = (unsigned char)( n );
2415 
2416  i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
2417  i += n; crt = crt->next;
2418  }
2419 
2420  ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
2421  ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
2422  ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
2423 
2424  ssl->out_msglen = i;
2426  ssl->out_msg[0] = SSL_HS_CERTIFICATE;
2427 
2428 #if defined(POLARSSL_SSL_PROTO_SSL3)
2429 write_msg:
2430 #endif
2431 
2432  ssl->state++;
2433 
2434  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2435  {
2436  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2437  return( ret );
2438  }
2439 
2440  SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
2441 
2442  return( ret );
2443 }
2444 
2446 {
2448  size_t i, n;
2449  const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2450 
2451  SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2452 
2453  if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
2454  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
2455  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK )
2456  {
2457  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2458  ssl->state++;
2459  return( 0 );
2460  }
2461 
2462  if( ssl->endpoint == SSL_IS_SERVER &&
2463  ( ssl->authmode == SSL_VERIFY_NONE ||
2464  ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
2465  {
2467  SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2468  ssl->state++;
2469  return( 0 );
2470  }
2471 
2472  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2473  {
2474  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2475  return( ret );
2476  }
2477 
2478  ssl->state++;
2479 
2480 #if defined(POLARSSL_SSL_PROTO_SSL3)
2481  /*
2482  * Check if the client sent an empty certificate
2483  */
2484  if( ssl->endpoint == SSL_IS_SERVER &&
2485  ssl->minor_ver == SSL_MINOR_VERSION_0 )
2486  {
2487  if( ssl->in_msglen == 2 &&
2488  ssl->in_msgtype == SSL_MSG_ALERT &&
2489  ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
2490  ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
2491  {
2492  SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
2493 
2495  if( ssl->authmode == SSL_VERIFY_OPTIONAL )
2496  return( 0 );
2497  else
2499  }
2500  }
2501 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2502 
2503 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
2504  defined(POLARSSL_SSL_PROTO_TLS1_2)
2505  if( ssl->endpoint == SSL_IS_SERVER &&
2506  ssl->minor_ver != SSL_MINOR_VERSION_0 )
2507  {
2508  if( ssl->in_hslen == 7 &&
2509  ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
2510  ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
2511  memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
2512  {
2513  SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
2514 
2516  if( ssl->authmode == SSL_VERIFY_REQUIRED )
2518  else
2519  return( 0 );
2520  }
2521  }
2522 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
2523  POLARSSL_SSL_PROTO_TLS1_2 */
2524 
2525  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
2526  {
2527  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2529  }
2530 
2531  if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
2532  {
2533  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2535  }
2536 
2537  /*
2538  * Same message structure as in ssl_write_certificate()
2539  */
2540  n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
2541 
2542  if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
2543  {
2544  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2546  }
2547 
2548  /* In case we tried to reuse a session but it failed */
2549  if( ssl->session_negotiate->peer_cert != NULL )
2550  {
2553  }
2554 
2556  sizeof( x509_crt ) ) ) == NULL )
2557  {
2558  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
2559  sizeof( x509_crt ) ) );
2561  }
2562 
2564 
2565  i = 7;
2566 
2567  while( i < ssl->in_hslen )
2568  {
2569  if( ssl->in_msg[i] != 0 )
2570  {
2571  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2573  }
2574 
2575  n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
2576  | (unsigned int) ssl->in_msg[i + 2];
2577  i += 3;
2578 
2579  if( n < 128 || i + n > ssl->in_hslen )
2580  {
2581  SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
2583  }
2584 
2586  ssl->in_msg + i, n );
2587  if( ret != 0 )
2588  {
2589  SSL_DEBUG_RET( 1, " x509_crt_parse_der", ret );
2590  return( ret );
2591  }
2592 
2593  i += n;
2594  }
2595 
2596  SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
2597 
2598  /*
2599  * On client, make sure the server cert doesn't change during renego to
2600  * avoid "triple handshake" attack: https://secure-resumption.com/
2601  */
2602  if( ssl->endpoint == SSL_IS_CLIENT &&
2604  {
2605  if( ssl->session->peer_cert == NULL )
2606  {
2607  SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
2609  }
2610 
2611  if( ssl->session->peer_cert->raw.len !=
2613  memcmp( ssl->session->peer_cert->raw.p,
2615  ssl->session->peer_cert->raw.len ) != 0 )
2616  {
2617  SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
2619  }
2620  }
2621 
2622  if( ssl->authmode != SSL_VERIFY_NONE )
2623  {
2624  if( ssl->ca_chain == NULL )
2625  {
2626  SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2628  }
2629 
2630  /*
2631  * Main check: verify certificate
2632  */
2634  ssl->ca_chain, ssl->ca_crl, ssl->peer_cn,
2636  ssl->f_vrfy, ssl->p_vrfy );
2637 
2638  if( ret != 0 )
2639  {
2640  SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2641  }
2642 
2643  /*
2644  * Secondary checks: always done, but change 'ret' only if it was 0
2645  */
2646 
2647 #if defined(POLARSSL_SSL_SET_CURVES)
2648  {
2649  pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
2650 
2651  /* If certificate uses an EC key, make sure the curve is OK */
2652  if( pk_can_do( pk, POLARSSL_PK_ECKEY ) &&
2653  ! ssl_curve_is_acceptable( ssl, pk_ec( *pk )->grp.id ) )
2654  {
2655  SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
2656  if( ret == 0 )
2658  }
2659  }
2660 #endif /* POLARSSL_SSL_SET_CURVES */
2661 
2663  ciphersuite_info,
2664  ! ssl->endpoint ) != 0 )
2665  {
2666  SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
2667  if( ret == 0 )
2669  }
2670 
2671  if( ssl->authmode != SSL_VERIFY_REQUIRED )
2672  ret = 0;
2673  }
2674 
2675  SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2676 
2677  return( ret );
2678 }
2679 #endif /* !POLARSSL_KEY_EXCHANGE_RSA_ENABLED
2680  !POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED
2681  !POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
2682  !POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
2683  !POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
2684  !POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED
2685  !POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2686 
2688 {
2689  int ret;
2690 
2691  SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
2692 
2694  ssl->out_msglen = 1;
2695  ssl->out_msg[0] = 1;
2696 
2697  ssl->state++;
2698 
2699  if( ( ret = ssl_write_record( ssl ) ) != 0 )
2700  {
2701  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2702  return( ret );
2703  }
2704 
2705  SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
2706 
2707  return( 0 );
2708 }
2709 
2711 {
2712  int ret;
2713 
2714  SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
2715 
2716  if( ( ret = ssl_read_record( ssl ) ) != 0 )
2717  {
2718  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
2719  return( ret );
2720  }
2721 
2723  {
2724  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2726  }
2727 
2728  if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
2729  {
2730  SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
2732  }
2733 
2734  ssl->state++;
2735 
2736  SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
2737 
2738  return( 0 );
2739 }
2740 
2742  const ssl_ciphersuite_t *ciphersuite_info )
2743 {
2744  ((void) ciphersuite_info);
2745 
2746 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2747  defined(POLARSSL_SSL_PROTO_TLS1_1)
2748  if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
2749  ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
2750  else
2751 #endif
2752 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2753 #if defined(POLARSSL_SHA512_C)
2754  if( ciphersuite_info->mac == POLARSSL_MD_SHA384 )
2755  ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2756  else
2757 #endif
2758 #if defined(POLARSSL_SHA256_C)
2759  if( ciphersuite_info->mac != POLARSSL_MD_SHA384 )
2760  ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2761  else
2762 #endif
2763 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2764  {
2765  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2766  return;
2767  }
2768 }
2769 
2770 static void ssl_update_checksum_start( ssl_context *ssl,
2771  const unsigned char *buf, size_t len )
2772 {
2773 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2774  defined(POLARSSL_SSL_PROTO_TLS1_1)
2775  md5_update( &ssl->handshake->fin_md5 , buf, len );
2776  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2777 #endif
2778 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2779 #if defined(POLARSSL_SHA256_C)
2780  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2781 #endif
2782 #if defined(POLARSSL_SHA512_C)
2783  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2784 #endif
2785 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2786 }
2787 
2788 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
2789  defined(POLARSSL_SSL_PROTO_TLS1_1)
2790 static void ssl_update_checksum_md5sha1( ssl_context *ssl,
2791  const unsigned char *buf, size_t len )
2792 {
2793  md5_update( &ssl->handshake->fin_md5 , buf, len );
2794  sha1_update( &ssl->handshake->fin_sha1, buf, len );
2795 }
2796 #endif
2797 
2798 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2799 #if defined(POLARSSL_SHA256_C)
2800 static void ssl_update_checksum_sha256( ssl_context *ssl,
2801  const unsigned char *buf, size_t len )
2802 {
2803  sha256_update( &ssl->handshake->fin_sha256, buf, len );
2804 }
2805 #endif
2806 
2807 #if defined(POLARSSL_SHA512_C)
2808 static void ssl_update_checksum_sha384( ssl_context *ssl,
2809  const unsigned char *buf, size_t len )
2810 {
2811  sha512_update( &ssl->handshake->fin_sha512, buf, len );
2812 }
2813 #endif
2814 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
2815 
2816 #if defined(POLARSSL_SSL_PROTO_SSL3)
2817 static void ssl_calc_finished_ssl(
2818  ssl_context *ssl, unsigned char *buf, int from )
2819 {
2820  const char *sender;
2821  md5_context md5;
2823 
2824  unsigned char padbuf[48];
2825  unsigned char md5sum[16];
2826  unsigned char sha1sum[20];
2827 
2828  ssl_session *session = ssl->session_negotiate;
2829  if( !session )
2830  session = ssl->session;
2831 
2832  SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
2833 
2834  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2835  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2836 
2837  /*
2838  * SSLv3:
2839  * hash =
2840  * MD5( master + pad2 +
2841  * MD5( handshake + sender + master + pad1 ) )
2842  * + SHA1( master + pad2 +
2843  * SHA1( handshake + sender + master + pad1 ) )
2844  */
2845 
2846 #if !defined(POLARSSL_MD5_ALT)
2847  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2848  md5.state, sizeof( md5.state ) );
2849 #endif
2850 
2851 #if !defined(POLARSSL_SHA1_ALT)
2852  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2853  sha1.state, sizeof( sha1.state ) );
2854 #endif
2855 
2856  sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
2857  : "SRVR";
2858 
2859  memset( padbuf, 0x36, 48 );
2860 
2861  md5_update( &md5, (const unsigned char *) sender, 4 );
2862  md5_update( &md5, session->master, 48 );
2863  md5_update( &md5, padbuf, 48 );
2864  md5_finish( &md5, md5sum );
2865 
2866  sha1_update( &sha1, (const unsigned char *) sender, 4 );
2867  sha1_update( &sha1, session->master, 48 );
2868  sha1_update( &sha1, padbuf, 40 );
2869  sha1_finish( &sha1, sha1sum );
2870 
2871  memset( padbuf, 0x5C, 48 );
2872 
2873  md5_starts( &md5 );
2874  md5_update( &md5, session->master, 48 );
2875  md5_update( &md5, padbuf, 48 );
2876  md5_update( &md5, md5sum, 16 );
2877  md5_finish( &md5, buf );
2878 
2879  sha1_starts( &sha1 );
2880  sha1_update( &sha1, session->master, 48 );
2881  sha1_update( &sha1, padbuf , 40 );
2882  sha1_update( &sha1, sha1sum, 20 );
2883  sha1_finish( &sha1, buf + 16 );
2884 
2885  SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
2886 
2887  md5_free( &md5 );
2888  sha1_free( &sha1 );
2889 
2890  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2891  polarssl_zeroize( md5sum, sizeof( md5sum ) );
2892  polarssl_zeroize( sha1sum, sizeof( sha1sum ) );
2893 
2894  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2895 }
2896 #endif /* POLARSSL_SSL_PROTO_SSL3 */
2897 
2898 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1)
2899 static void ssl_calc_finished_tls(
2900  ssl_context *ssl, unsigned char *buf, int from )
2901 {
2902  int len = 12;
2903  const char *sender;
2904  md5_context md5;
2906  unsigned char padbuf[36];
2907 
2908  ssl_session *session = ssl->session_negotiate;
2909  if( !session )
2910  session = ssl->session;
2911 
2912  SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
2913 
2914  memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context) );
2915  memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
2916 
2917  /*
2918  * TLSv1:
2919  * hash = PRF( master, finished_label,
2920  * MD5( handshake ) + SHA1( handshake ) )[0..11]
2921  */
2922 
2923 #if !defined(POLARSSL_MD5_ALT)
2924  SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
2925  md5.state, sizeof( md5.state ) );
2926 #endif
2927 
2928 #if !defined(POLARSSL_SHA1_ALT)
2929  SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
2930  sha1.state, sizeof( sha1.state ) );
2931 #endif
2932 
2933  sender = ( from == SSL_IS_CLIENT )
2934  ? "client finished"
2935  : "server finished";
2936 
2937  md5_finish( &md5, padbuf );
2938  sha1_finish( &sha1, padbuf + 16 );
2939 
2940  ssl->handshake->tls_prf( session->master, 48, sender,
2941  padbuf, 36, buf, len );
2942 
2943  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2944 
2945  md5_free( &md5 );
2946  sha1_free( &sha1 );
2947 
2948  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2949 
2950  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2951 }
2952 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 */
2953 
2954 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
2955 #if defined(POLARSSL_SHA256_C)
2956 static void ssl_calc_finished_tls_sha256(
2957  ssl_context *ssl, unsigned char *buf, int from )
2958 {
2959  int len = 12;
2960  const char *sender;
2962  unsigned char padbuf[32];
2963 
2964  ssl_session *session = ssl->session_negotiate;
2965  if( !session )
2966  session = ssl->session;
2967 
2968  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2969 
2970  memcpy( &sha256, &ssl->handshake->fin_sha256, sizeof(sha256_context) );
2971 
2972  /*
2973  * TLSv1.2:
2974  * hash = PRF( master, finished_label,
2975  * Hash( handshake ) )[0.11]
2976  */
2977 
2978 #if !defined(POLARSSL_SHA256_ALT)
2979  SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2980  sha256.state, sizeof( sha256.state ) );
2981 #endif
2982 
2983  sender = ( from == SSL_IS_CLIENT )
2984  ? "client finished"
2985  : "server finished";
2986 
2987  sha256_finish( &sha256, padbuf );
2988 
2989  ssl->handshake->tls_prf( session->master, 48, sender,
2990  padbuf, 32, buf, len );
2991 
2992  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2993 
2994  sha256_free( &sha256 );
2995 
2996  polarssl_zeroize( padbuf, sizeof( padbuf ) );
2997 
2998  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2999 }
3000 #endif /* POLARSSL_SHA256_C */
3001 
3002 #if defined(POLARSSL_SHA512_C)
3003 static void ssl_calc_finished_tls_sha384(
3004  ssl_context *ssl, unsigned char *buf, int from )
3005 {
3006  int len = 12;
3007  const char *sender;
3009  unsigned char padbuf[48];
3010 
3011  ssl_session *session = ssl->session_negotiate;
3012  if( !session )
3013  session = ssl->session;
3014 
3015  SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
3016 
3017  memcpy( &sha512, &ssl->handshake->fin_sha512, sizeof(sha512_context) );
3018 
3019  /*
3020  * TLSv1.2:
3021  * hash = PRF( master, finished_label,
3022  * Hash( handshake ) )[0.11]
3023  */
3024 
3025 #if !defined(POLARSSL_SHA512_ALT)
3026  SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
3027  sha512.state, sizeof( sha512.state ) );
3028 #endif
3029 
3030  sender = ( from == SSL_IS_CLIENT )
3031  ? "client finished"
3032  : "server finished";
3033 
3034  sha512_finish( &sha512, padbuf );
3035 
3036  ssl->handshake->tls_prf( session->master, 48, sender,
3037  padbuf, 48, buf, len );
3038 
3039  SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
3040 
3041  sha512_free( &sha512 );
3042 
3043  polarssl_zeroize( padbuf, sizeof( padbuf ) );
3044 
3045  SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
3046 }
3047 #endif /* POLARSSL_SHA512_C */
3048 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3049 
3050 void ssl_handshake_wrapup( ssl_context *ssl )
3051 {
3052  int resume = ssl->handshake->resume;
3053 
3054  SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
3055 
3056  /*
3057  * Free our handshake params
3058  */
3059  ssl_handshake_free( ssl->handshake );
3060  polarssl_free( ssl->handshake );
3061  ssl->handshake = NULL;
3062 
3063  if( ssl->renegotiation == SSL_RENEGOTIATION )
3064  {
3066  ssl->renego_records_seen = 0;
3067  }
3068 
3069  /*
3070  * Switch in our now active transform context
3071  */
3072  if( ssl->transform )
3073  {
3074  ssl_transform_free( ssl->transform );
3075  polarssl_free( ssl->transform );
3076  }
3077  ssl->transform = ssl->transform_negotiate;
3078  ssl->transform_negotiate = NULL;
3079 
3080  if( ssl->session )
3081  {
3082  ssl_session_free( ssl->session );
3083  polarssl_free( ssl->session );
3084  }
3085  ssl->session = ssl->session_negotiate;
3086  ssl->session_negotiate = NULL;
3087 
3088  /*
3089  * Add cache entry
3090  */
3091  if( ssl->f_set_cache != NULL &&
3092  ssl->session->length != 0 &&
3093  resume == 0 )
3094  {
3095  if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
3096  SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
3097  }
3098 
3099  ssl->state++;
3100 
3101  SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
3102 }
3103 
3104 int ssl_write_finished( ssl_context *ssl )
3105 {
3106  int ret, hash_len;
3107 
3108  SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
3109 
3110  /*
3111  * Set the out_msg pointer to the correct location based on IV length
3112  */
3113  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3114  {
3115  ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
3117  }
3118  else
3119  ssl->out_msg = ssl->out_iv;
3120 
3121  ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
3122 
3123  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3124  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3125 
3126  ssl->verify_data_len = hash_len;
3127  memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
3128 
3129  ssl->out_msglen = 4 + hash_len;
3131  ssl->out_msg[0] = SSL_HS_FINISHED;
3132 
3133  /*
3134  * In case of session resuming, invert the client and server
3135  * ChangeCipherSpec messages order.
3136  */
3137  if( ssl->handshake->resume != 0 )
3138  {
3139  if( ssl->endpoint == SSL_IS_CLIENT )
3140  ssl->state = SSL_HANDSHAKE_WRAPUP;
3141  else
3143  }
3144  else
3145  ssl->state++;
3146 
3147  /*
3148  * Switch to our negotiated transform and session parameters for outbound
3149  * data.
3150  */
3151  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
3152  ssl->transform_out = ssl->transform_negotiate;
3153  ssl->session_out = ssl->session_negotiate;
3154  memset( ssl->out_ctr, 0, 8 );
3155 
3156 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3157  if( ssl_hw_record_activate != NULL )
3158  {
3159  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_OUTBOUND ) ) != 0 )
3160  {
3161  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3163  }
3164  }
3165 #endif
3166 
3167  if( ( ret = ssl_write_record( ssl ) ) != 0 )
3168  {
3169  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3170  return( ret );
3171  }
3172 
3173  SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
3174 
3175  return( 0 );
3176 }
3177 
3178 int ssl_parse_finished( ssl_context *ssl )
3179 {
3180  int ret;
3181  unsigned int hash_len;
3182  unsigned char buf[36];
3183 
3184  SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
3185 
3186  ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
3187 
3188  /*
3189  * Switch to our negotiated transform and session parameters for inbound
3190  * data.
3191  */
3192  SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
3193  ssl->transform_in = ssl->transform_negotiate;
3194  ssl->session_in = ssl->session_negotiate;
3195  memset( ssl->in_ctr, 0, 8 );
3196 
3197  /*
3198  * Set the in_msg pointer to the correct location based on IV length
3199  */
3200  if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
3201  {
3202  ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
3204  }
3205  else
3206  ssl->in_msg = ssl->in_iv;
3207 
3208 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3209  if( ssl_hw_record_activate != NULL )
3210  {
3211  if( ( ret = ssl_hw_record_activate( ssl, SSL_CHANNEL_INBOUND ) ) != 0 )
3212  {
3213  SSL_DEBUG_RET( 1, "ssl_hw_record_activate", ret );
3215  }
3216  }
3217 #endif
3218 
3219  if( ( ret = ssl_read_record( ssl ) ) != 0 )
3220  {
3221  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
3222  return( ret );
3223  }
3224 
3225  if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
3226  {
3227  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3229  }
3230 
3231  // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
3232  hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
3233 
3234  if( ssl->in_msg[0] != SSL_HS_FINISHED ||
3235  ssl->in_hslen != 4 + hash_len )
3236  {
3237  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3239  }
3240 
3241  if( safer_memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
3242  {
3243  SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
3245  }
3246 
3247  ssl->verify_data_len = hash_len;
3248  memcpy( ssl->peer_verify_data, buf, hash_len );
3249 
3250  if( ssl->handshake->resume != 0 )
3251  {
3252  if( ssl->endpoint == SSL_IS_CLIENT )
3254 
3255  if( ssl->endpoint == SSL_IS_SERVER )
3256  ssl->state = SSL_HANDSHAKE_WRAPUP;
3257  }
3258  else
3259  ssl->state++;
3260 
3261  SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
3262 
3263  return( 0 );
3264 }
3265 
3266 static void ssl_handshake_params_init( ssl_handshake_params *handshake )
3267 {
3268  memset( handshake, 0, sizeof( ssl_handshake_params ) );
3269 
3270 #if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
3271  defined(POLARSSL_SSL_PROTO_TLS1_1)
3272  md5_init( &handshake->fin_md5 );
3273  sha1_init( &handshake->fin_sha1 );
3274  md5_starts( &handshake->fin_md5 );
3275  sha1_starts( &handshake->fin_sha1 );
3276 #endif
3277 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
3278 #if defined(POLARSSL_SHA256_C)
3279  sha256_init( &handshake->fin_sha256 );
3280  sha256_starts( &handshake->fin_sha256, 0 );
3281 #endif
3282 #if defined(POLARSSL_SHA512_C)
3283  sha512_init( &handshake->fin_sha512 );
3284  sha512_starts( &handshake->fin_sha512, 1 );
3285 #endif
3286 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
3287 
3288  handshake->update_checksum = ssl_update_checksum_start;
3289  handshake->sig_alg = SSL_HASH_SHA1;
3290 
3291 #if defined(POLARSSL_DHM_C)
3292  dhm_init( &handshake->dhm_ctx );
3293 #endif
3294 #if defined(POLARSSL_ECDH_C)
3295  ecdh_init( &handshake->ecdh_ctx );
3296 #endif
3297 }
3298 
3299 static void ssl_transform_init( ssl_transform *transform )
3300 {
3301  memset( transform, 0, sizeof(ssl_transform) );
3302 
3303  cipher_init( &transform->cipher_ctx_enc );
3304  cipher_init( &transform->cipher_ctx_dec );
3305 
3306  md_init( &transform->md_ctx_enc );
3307  md_init( &transform->md_ctx_dec );
3308 }
3309 
3310 void ssl_session_init( ssl_session *session )
3311 {
3312  memset( session, 0, sizeof(ssl_session) );
3313 }
3314 
3315 static int ssl_handshake_init( ssl_context *ssl )
3316 {
3317  /* Clear old handshake information if present */
3318  if( ssl->transform_negotiate )
3320  if( ssl->session_negotiate )
3322  if( ssl->handshake )
3323  ssl_handshake_free( ssl->handshake );
3324 
3325  /*
3326  * Either the pointers are now NULL or cleared properly and can be freed.
3327  * Now allocate missing structures.
3328  */
3329  if( ssl->transform_negotiate == NULL )
3330  {
3331  ssl->transform_negotiate =
3333  }
3334 
3335  if( ssl->session_negotiate == NULL )
3336  {
3337  ssl->session_negotiate =
3338  (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
3339  }
3340 
3341  if( ssl->handshake == NULL )
3342  {
3343  ssl->handshake = (ssl_handshake_params *)
3345  }
3346 
3347  /* All pointers should exist and can be directly freed without issue */
3348  if( ssl->handshake == NULL ||
3349  ssl->transform_negotiate == NULL ||
3350  ssl->session_negotiate == NULL )
3351  {
3352  SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
3353 
3354  polarssl_free( ssl->handshake );
3357 
3358  ssl->handshake = NULL;
3359  ssl->transform_negotiate = NULL;
3360  ssl->session_negotiate = NULL;
3361 
3363  }
3364 
3365  /* Initialize structures */
3367  ssl_transform_init( ssl->transform_negotiate );
3368  ssl_handshake_params_init( ssl->handshake );
3369 
3370 #if defined(POLARSSL_X509_CRT_PARSE_C)
3371  ssl->handshake->key_cert = ssl->key_cert;
3372 #endif
3373 
3374  return( 0 );
3375 }
3376 
3377 /*
3378  * Initialize an SSL context
3379  */
3380 int ssl_init( ssl_context *ssl )
3381 {
3382  int ret;
3383  int len = SSL_BUFFER_LEN;
3384 
3385  memset( ssl, 0, sizeof( ssl_context ) );
3386 
3387  /*
3388  * Sane defaults
3389  */
3394 
3396 
3398 
3399 #if defined(POLARSSL_DHM_C)
3400  if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
3402  ( ret = mpi_read_string( &ssl->dhm_G, 16,
3404  {
3405  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3406  return( ret );
3407  }
3408 #endif
3409 
3410  /*
3411  * Prepare base structures
3412  */
3413  ssl->in_ctr = (unsigned char *) polarssl_malloc( len );
3414  ssl->in_hdr = ssl->in_ctr + 8;
3415  ssl->in_iv = ssl->in_ctr + 13;
3416  ssl->in_msg = ssl->in_ctr + 13;
3417 
3418  if( ssl->in_ctr == NULL )
3419  {
3420  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3422  }
3423 
3424  ssl->out_ctr = (unsigned char *) polarssl_malloc( len );
3425  ssl->out_hdr = ssl->out_ctr + 8;
3426  ssl->out_iv = ssl->out_ctr + 13;
3427  ssl->out_msg = ssl->out_ctr + 13;
3428 
3429  if( ssl->out_ctr == NULL )
3430  {
3431  SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
3432  polarssl_free( ssl->in_ctr );
3433  ssl->in_ctr = NULL;
3435  }
3436 
3437  memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
3438  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3439 
3440 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3442 #endif
3443 
3444 #if defined(POLARSSL_SSL_SET_CURVES)
3445  ssl->curve_list = ecp_grp_id_list( );
3446 #endif
3447 
3448  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3449  return( ret );
3450 
3451  return( 0 );
3452 }
3453 
3454 /*
3455  * Reset an initialized and used SSL context for re-use while retaining
3456  * all application-set variables, function pointers and data.
3457  */
3458 int ssl_session_reset( ssl_context *ssl )
3459 {
3460  int ret;
3461 
3462  ssl->state = SSL_HELLO_REQUEST;
3465 
3466  ssl->verify_data_len = 0;
3467  memset( ssl->own_verify_data, 0, 36 );
3468  memset( ssl->peer_verify_data, 0, 36 );
3469 
3470  ssl->in_offt = NULL;
3471 
3472  ssl->in_msg = ssl->in_ctr + 13;
3473  ssl->in_msgtype = 0;
3474  ssl->in_msglen = 0;
3475  ssl->in_left = 0;
3476 
3477  ssl->in_hslen = 0;
3478  ssl->nb_zero = 0;
3479  ssl->record_read = 0;
3480 
3481  ssl->out_msg = ssl->out_ctr + 13;
3482  ssl->out_msgtype = 0;
3483  ssl->out_msglen = 0;
3484  ssl->out_left = 0;
3485 
3486  ssl->transform_in = NULL;
3487  ssl->transform_out = NULL;
3488 
3489  ssl->renego_records_seen = 0;
3490 
3491  memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
3492  memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
3493 
3494 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
3495  if( ssl_hw_record_reset != NULL )
3496  {
3497  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
3498  if( ( ret = ssl_hw_record_reset( ssl ) ) != 0 )
3499  {
3500  SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
3502  }
3503  }
3504 #endif
3505 
3506  if( ssl->transform )
3507  {
3508  ssl_transform_free( ssl->transform );
3509  polarssl_free( ssl->transform );
3510  ssl->transform = NULL;
3511  }
3512 
3513  if( ssl->session )
3514  {
3515  ssl_session_free( ssl->session );
3516  polarssl_free( ssl->session );
3517  ssl->session = NULL;
3518  }
3519 
3520 #if defined(POLARSSL_SSL_ALPN)
3521  ssl->alpn_chosen = NULL;
3522 #endif
3523 
3524  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3525  return( ret );
3526 
3527  return( 0 );
3528 }
3529 
3530 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3531 static void ssl_ticket_keys_free( ssl_ticket_keys *tkeys )
3532 {
3533  aes_free( &tkeys->enc );
3534  aes_free( &tkeys->dec );
3535 
3536  polarssl_zeroize( tkeys, sizeof(ssl_ticket_keys) );
3537 }
3538 
3539 /*
3540  * Allocate and initialize ticket keys
3541  */
3542 static int ssl_ticket_keys_init( ssl_context *ssl )
3543 {
3544  int ret;
3545  ssl_ticket_keys *tkeys;
3546  unsigned char buf[16];
3547 
3548  if( ssl->ticket_keys != NULL )
3549  return( 0 );
3550 
3551  tkeys = (ssl_ticket_keys *) polarssl_malloc( sizeof(ssl_ticket_keys) );
3552  if( tkeys == NULL )
3554 
3555  aes_init( &tkeys->enc );
3556  aes_init( &tkeys->dec );
3557 
3558  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 )
3559  {
3560  ssl_ticket_keys_free( tkeys );
3561  polarssl_free( tkeys );
3562  return( ret );
3563  }
3564 
3565  if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 ||
3566  ( ret = aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 ||
3567  ( ret = aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 )
3568  {
3569  ssl_ticket_keys_free( tkeys );
3570  polarssl_free( tkeys );
3571  return( ret );
3572  }
3573 
3574  if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 )
3575  {
3576  ssl_ticket_keys_free( tkeys );
3577  polarssl_free( tkeys );
3578  return( ret );
3579  }
3580 
3581  ssl->ticket_keys = tkeys;
3582 
3583  return( 0 );
3584 }
3585 #endif /* POLARSSL_SSL_SESSION_TICKETS */
3586 
3587 /*
3588  * SSL set accessors
3589  */
3590 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
3591 {
3592  ssl->endpoint = endpoint;
3593 
3594 #if defined(POLARSSL_SSL_SESSION_TICKETS)
3595  if( endpoint == SSL_IS_CLIENT )
3597 #endif
3598 }
3599 
3600 void ssl_set_authmode( ssl_context *ssl, int authmode )
3601 {
3602  ssl->authmode = authmode;
3603 }
3604 
3605 #if defined(POLARSSL_X509_CRT_PARSE_C)
3606 void ssl_set_verify( ssl_context *ssl,
3607  int (*f_vrfy)(void *, x509_crt *, int, int *),
3608  void *p_vrfy )
3609 {
3610  ssl->f_vrfy = f_vrfy;
3611  ssl->p_vrfy = p_vrfy;
3612 }
3613 #endif /* POLARSSL_X509_CRT_PARSE_C */
3614 
3615 void ssl_set_rng( ssl_context *ssl,
3616  int (*f_rng)(void *, unsigned char *, size_t),
3617  void *p_rng )
3618 {
3619  ssl->f_rng = f_rng;
3620  ssl->p_rng = p_rng;
3621 }
3622 
3623 void ssl_set_dbg( ssl_context *ssl,
3624  void (*f_dbg)(void *, int, const char *),
3625  void *p_dbg )
3626 {
3627  ssl->f_dbg = f_dbg;
3628  ssl->p_dbg = p_dbg;
3629 }
3630 
3631 void ssl_set_bio( ssl_context *ssl,
3632  int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
3633  int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
3634 {
3635  ssl->f_recv = f_recv;
3636  ssl->f_send = f_send;
3637  ssl->p_recv = p_recv;
3638  ssl->p_send = p_send;
3639 }
3640 
3642  int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
3643  int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
3644 {
3645  ssl->f_get_cache = f_get_cache;
3646  ssl->p_get_cache = p_get_cache;
3647  ssl->f_set_cache = f_set_cache;
3648  ssl->p_set_cache = p_set_cache;
3649 }
3650 
3651 int ssl_set_session( ssl_context *ssl, const ssl_session *session )
3652 {
3653  int ret;
3654 
3655  if( ssl == NULL ||
3656  session == NULL ||
3657  ssl->session_negotiate == NULL ||
3658  ssl->endpoint != SSL_IS_CLIENT )
3659  {
3661  }
3662 
3663  if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
3664  return( ret );
3665 
3666  ssl->handshake->resume = 1;
3667 
3668  return( 0 );
3669 }
3670 
3671 void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
3672 {
3673  ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
3674  ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
3675  ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
3676  ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
3677 }
3678 
3680  const int *ciphersuites,
3681  int major, int minor )
3682 {
3683  if( major != SSL_MAJOR_VERSION_3 )
3684  return;
3685 
3686  if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
3687  return;
3688 
3689  ssl->ciphersuite_list[minor] = ciphersuites;
3690 }
3691 
3692 #if defined(POLARSSL_X509_CRT_PARSE_C)
3693 /* Add a new (empty) key_cert entry an return a pointer to it */
3694 static ssl_key_cert *ssl_add_key_cert( ssl_context *ssl )
3695 {
3696  ssl_key_cert *key_cert, *last;
3697 
3698  key_cert = (ssl_key_cert *) polarssl_malloc( sizeof(ssl_key_cert) );
3699  if( key_cert == NULL )
3700  return( NULL );
3701 
3702  memset( key_cert, 0, sizeof( ssl_key_cert ) );
3703 
3704  /* Append the new key_cert to the (possibly empty) current list */
3705  if( ssl->key_cert == NULL )
3706  {
3707  ssl->key_cert = key_cert;
3708  if( ssl->handshake != NULL )
3709  ssl->handshake->key_cert = key_cert;
3710  }
3711  else
3712  {
3713  last = ssl->key_cert;
3714  while( last->next != NULL )
3715  last = last->next;
3716  last->next = key_cert;
3717  }
3718 
3719  return( key_cert );
3720 }
3721 
3722 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
3723  x509_crl *ca_crl, const char *peer_cn )
3724 {
3725  ssl->ca_chain = ca_chain;
3726  ssl->ca_crl = ca_crl;
3727  ssl->peer_cn = peer_cn;
3728 }
3729 
3730 int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
3731  pk_context *pk_key )
3732 {
3733  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3734 
3735  if( key_cert == NULL )
3737 
3738  key_cert->cert = own_cert;
3739  key_cert->key = pk_key;
3740 
3741  return( 0 );
3742 }
3743 
3744 #if defined(POLARSSL_RSA_C)
3745 int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
3746  rsa_context *rsa_key )
3747 {
3748  int ret;
3749  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3750 
3751  if( key_cert == NULL )
3753 
3754  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3755  if( key_cert->key == NULL )
3757 
3758  pk_init( key_cert->key );
3759 
3760  ret = pk_init_ctx( key_cert->key, pk_info_from_type( POLARSSL_PK_RSA ) );
3761  if( ret != 0 )
3762  return( ret );
3763 
3764  if( ( ret = rsa_copy( pk_rsa( *key_cert->key ), rsa_key ) ) != 0 )
3765  return( ret );
3766 
3767  key_cert->cert = own_cert;
3768  key_cert->key_own_alloc = 1;
3769 
3770  return( 0 );
3771 }
3772 #endif /* POLARSSL_RSA_C */
3773 
3774 int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
3775  void *rsa_key,
3776  rsa_decrypt_func rsa_decrypt,
3777  rsa_sign_func rsa_sign,
3778  rsa_key_len_func rsa_key_len )
3779 {
3780  int ret;
3781  ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
3782 
3783  if( key_cert == NULL )
3785 
3786  key_cert->key = (pk_context *) polarssl_malloc( sizeof(pk_context) );
3787  if( key_cert->key == NULL )
3789 
3790  pk_init( key_cert->key );
3791 
3792  if( ( ret = pk_init_ctx_rsa_alt( key_cert->key, rsa_key,
3793  rsa_decrypt, rsa_sign, rsa_key_len ) ) != 0 )
3794  return( ret );
3795 
3796  key_cert->cert = own_cert;
3797  key_cert->key_own_alloc = 1;
3798 
3799  return( 0 );
3800 }
3801 #endif /* POLARSSL_X509_CRT_PARSE_C */
3802 
3803 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
3804 int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
3805  const unsigned char *psk_identity, size_t psk_identity_len )
3806 {
3807  if( psk == NULL || psk_identity == NULL )
3809 
3810  if( psk_len > POLARSSL_PSK_MAX_LEN )
3812 
3813  if( ssl->psk != NULL )
3814  {
3815  polarssl_free( ssl->psk );
3816  polarssl_free( ssl->psk_identity );
3817  }
3818 
3819  ssl->psk_len = psk_len;
3820  ssl->psk_identity_len = psk_identity_len;
3821 
3822  ssl->psk = (unsigned char *) polarssl_malloc( ssl->psk_len );
3823  ssl->psk_identity = (unsigned char *)
3825 
3826  if( ssl->psk == NULL || ssl->psk_identity == NULL )
3828 
3829  memcpy( ssl->psk, psk, ssl->psk_len );
3830  memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
3831 
3832  return( 0 );
3833 }
3834 
3835 void ssl_set_psk_cb( ssl_context *ssl,
3836  int (*f_psk)(void *, ssl_context *, const unsigned char *,
3837  size_t),
3838  void *p_psk )
3839 {
3840  ssl->f_psk = f_psk;
3841  ssl->p_psk = p_psk;
3842 }
3843 #endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
3844 
3845 #if defined(POLARSSL_DHM_C)
3846 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
3847 {
3848  int ret;
3849 
3850  if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
3851  {
3852  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3853  return( ret );
3854  }
3855 
3856  if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
3857  {
3858  SSL_DEBUG_RET( 1, "mpi_read_string", ret );
3859  return( ret );
3860  }
3861 
3862  return( 0 );
3863 }
3864 
3865 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
3866 {
3867  int ret;
3868 
3869  if( ( ret = mpi_copy( &ssl->dhm_P, &dhm_ctx->P ) ) != 0 )
3870  {
3871  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3872  return( ret );
3873  }
3874 
3875  if( ( ret = mpi_copy( &ssl->dhm_G, &dhm_ctx->G ) ) != 0 )
3876  {
3877  SSL_DEBUG_RET( 1, "mpi_copy", ret );
3878  return( ret );
3879  }
3880 
3881  return( 0 );
3882 }
3883 #endif /* POLARSSL_DHM_C */
3884 
3885 #if defined(POLARSSL_SSL_SET_CURVES)
3886 /*
3887  * Set the allowed elliptic curves
3888  */
3889 void ssl_set_curves( ssl_context *ssl, const ecp_group_id *curve_list )
3890 {
3891  ssl->curve_list = curve_list;
3892 }
3893 #endif
3894 
3895 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
3896 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
3897 {
3898  if( hostname == NULL )
3900 
3901  ssl->hostname_len = strlen( hostname );
3902 
3903  if( ssl->hostname_len + 1 == 0 )
3905 
3906  ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
3907 
3908  if( ssl->hostname == NULL )
3910 
3911  memcpy( ssl->hostname, (const unsigned char *) hostname,
3912  ssl->hostname_len );
3913 
3914  ssl->hostname[ssl->hostname_len] = '\0';
3915 
3916  return( 0 );
3917 }
3918 
3919 void ssl_set_sni( ssl_context *ssl,
3920  int (*f_sni)(void *, ssl_context *,
3921  const unsigned char *, size_t),
3922  void *p_sni )
3923 {
3924  ssl->f_sni = f_sni;
3925  ssl->p_sni = p_sni;
3926 }
3927 #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
3928 
3929 #if defined(POLARSSL_SSL_ALPN)
3930 int ssl_set_alpn_protocols( ssl_context *ssl, const char **protos )
3931 {
3932  size_t cur_len, tot_len;
3933  const char **p;
3934 
3935  /*
3936  * "Empty strings MUST NOT be included and byte strings MUST NOT be
3937  * truncated". Check lengths now rather than later.
3938  */
3939  tot_len = 0;
3940  for( p = protos; *p != NULL; p++ )
3941  {
3942  cur_len = strlen( *p );
3943  tot_len += cur_len;
3944 
3945  if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
3947  }
3948 
3949  ssl->alpn_list = protos;
3950 
3951  return( 0 );
3952 }
3953 
3954 const char *ssl_get_alpn_protocol( const ssl_context *ssl )
3955 {
3956  return( ssl->alpn_chosen );
3957 }
3958 #endif /* POLARSSL_SSL_ALPN */
3959 
3960 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
3961 {
3962  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3963  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3964  {
3965  ssl->max_major_ver = major;
3966  ssl->max_minor_ver = minor;
3967  }
3968 }
3969 
3970 void ssl_set_min_version( ssl_context *ssl, int major, int minor )
3971 {
3972  if( major >= SSL_MIN_MAJOR_VERSION && major <= SSL_MAX_MAJOR_VERSION &&
3973  minor >= SSL_MIN_MINOR_VERSION && minor <= SSL_MAX_MINOR_VERSION )
3974  {
3975  ssl->min_major_ver = major;
3976  ssl->min_minor_ver = minor;
3977  }
3978 }
3979 
3980 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
3981 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
3982 {
3983  if( mfl_code >= SSL_MAX_FRAG_LEN_INVALID ||
3984  mfl_code_to_length[mfl_code] > SSL_MAX_CONTENT_LEN )
3985  {
3987  }
3988 
3989  ssl->mfl_code = mfl_code;
3990 
3991  return( 0 );
3992 }
3993 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
3994 
3995 #if defined(POLARSSL_SSL_TRUNCATED_HMAC)
3996 int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
3997 {
3998  if( ssl->endpoint != SSL_IS_CLIENT )
4000 
4001  ssl->trunc_hmac = truncate;
4002 
4003  return( 0 );
4004 }
4005 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
4006 
4007 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
4008 {
4009  ssl->disable_renegotiation = renegotiation;
4010 }
4011 
4012 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
4013 {
4014  ssl->allow_legacy_renegotiation = allow_legacy;
4015 }
4016 
4017 void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records )
4018 {
4019  ssl->renego_max_records = max_records;
4020 }
4021 
4022 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4023 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
4024 {
4025  ssl->session_tickets = use_tickets;
4026 
4027  if( ssl->endpoint == SSL_IS_CLIENT )
4028  return( 0 );
4029 
4030  if( ssl->f_rng == NULL )
4032 
4033  return( ssl_ticket_keys_init( ssl ) );
4034 }
4035 
4036 void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime )
4037 {
4038  ssl->ticket_lifetime = lifetime;
4039 }
4040 #endif /* POLARSSL_SSL_SESSION_TICKETS */
4041 
4042 /*
4043  * SSL get accessors
4044  */
4045 size_t ssl_get_bytes_avail( const ssl_context *ssl )
4046 {
4047  return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4048 }
4049 
4050 int ssl_get_verify_result( const ssl_context *ssl )
4051 {
4052  return( ssl->session->verify_result );
4053 }
4054 
4055 const char *ssl_get_ciphersuite( const ssl_context *ssl )
4056 {
4057  if( ssl == NULL || ssl->session == NULL )
4058  return( NULL );
4059 
4061 }
4062 
4063 const char *ssl_get_version( const ssl_context *ssl )
4064 {
4065  switch( ssl->minor_ver )
4066  {
4067  case SSL_MINOR_VERSION_0:
4068  return( "SSLv3.0" );
4069 
4070  case SSL_MINOR_VERSION_1:
4071  return( "TLSv1.0" );
4072 
4073  case SSL_MINOR_VERSION_2:
4074  return( "TLSv1.1" );
4075 
4076  case SSL_MINOR_VERSION_3:
4077  return( "TLSv1.2" );
4078 
4079  default:
4080  break;
4081  }
4082  return( "unknown" );
4083 }
4084 
4085 #if defined(POLARSSL_X509_CRT_PARSE_C)
4086 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
4087 {
4088  if( ssl == NULL || ssl->session == NULL )
4089  return( NULL );
4090 
4091  return( ssl->session->peer_cert );
4092 }
4093 #endif /* POLARSSL_X509_CRT_PARSE_C */
4094 
4095 int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
4096 {
4097  if( ssl == NULL ||
4098  dst == NULL ||
4099  ssl->session == NULL ||
4100  ssl->endpoint != SSL_IS_CLIENT )
4101  {
4103  }
4104 
4105  return( ssl_session_copy( dst, ssl->session ) );
4106 }
4107 
4108 /*
4109  * Perform a single step of the SSL handshake
4110  */
4111 int ssl_handshake_step( ssl_context *ssl )
4112 {
4114 
4115 #if defined(POLARSSL_SSL_CLI_C)
4116  if( ssl->endpoint == SSL_IS_CLIENT )
4117  ret = ssl_handshake_client_step( ssl );
4118 #endif
4119 
4120 #if defined(POLARSSL_SSL_SRV_C)
4121  if( ssl->endpoint == SSL_IS_SERVER )
4122  ret = ssl_handshake_server_step( ssl );
4123 #endif
4124 
4125  return( ret );
4126 }
4127 
4128 /*
4129  * Perform the SSL handshake
4130  */
4131 int ssl_handshake( ssl_context *ssl )
4132 {
4133  int ret = 0;
4134 
4135  SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
4136 
4137  while( ssl->state != SSL_HANDSHAKE_OVER )
4138  {
4139  ret = ssl_handshake_step( ssl );
4140 
4141  if( ret != 0 )
4142  break;
4143  }
4144 
4145  SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
4146 
4147  return( ret );
4148 }
4149 
4150 #if defined(POLARSSL_SSL_SRV_C)
4151 /*
4152  * Write HelloRequest to request renegotiation on server
4153  */
4154 static int ssl_write_hello_request( ssl_context *ssl )
4155 {
4156  int ret;
4157 
4158  SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
4159 
4160  ssl->out_msglen = 4;
4162  ssl->out_msg[0] = SSL_HS_HELLO_REQUEST;
4163 
4164  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4165  {
4166  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4167  return( ret );
4168  }
4169 
4170  SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
4171 
4172  return( 0 );
4173 }
4174 #endif /* POLARSSL_SSL_SRV_C */
4175 
4176 /*
4177  * Actually renegotiate current connection, triggered by either:
4178  * - any side: calling ssl_renegotiate(),
4179  * - client: receiving a HelloRequest during ssl_read(),
4180  * - server: receiving any handshake message on server during ssl_read() after
4181  * the initial handshake is completed.
4182  * If the handshake doesn't complete due to waiting for I/O, it will continue
4183  * during the next calls to ssl_renegotiate() or ssl_read() respectively.
4184  */
4185 static int ssl_start_renegotiation( ssl_context *ssl )
4186 {
4187  int ret;
4188 
4189  SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
4190 
4191  if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
4192  return( ret );
4193 
4194  ssl->state = SSL_HELLO_REQUEST;
4196 
4197  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4198  {
4199  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4200  return( ret );
4201  }
4202 
4203  SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
4204 
4205  return( 0 );
4206 }
4207 
4208 /*
4209  * Renegotiate current connection on client,
4210  * or request renegotiation on server
4211  */
4212 int ssl_renegotiate( ssl_context *ssl )
4213 {
4215 
4216 #if defined(POLARSSL_SSL_SRV_C)
4217  /* On server, just send the request */
4218  if( ssl->endpoint == SSL_IS_SERVER )
4219  {
4220  if( ssl->state != SSL_HANDSHAKE_OVER )
4222 
4224 
4225  /* Did we already try/start sending HelloRequest? */
4226  if( ssl->out_left != 0 )
4227  return( ssl_flush_output( ssl ) );
4228 
4229  return( ssl_write_hello_request( ssl ) );
4230  }
4231 #endif /* POLARSSL_SSL_SRV_C */
4232 
4233 #if defined(POLARSSL_SSL_CLI_C)
4234  /*
4235  * On client, either start the renegotiation process or,
4236  * if already in progress, continue the handshake
4237  */
4238  if( ssl->renegotiation != SSL_RENEGOTIATION )
4239  {
4240  if( ssl->state != SSL_HANDSHAKE_OVER )
4242 
4243  if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
4244  {
4245  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4246  return( ret );
4247  }
4248  }
4249  else
4250  {
4251  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4252  {
4253  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4254  return( ret );
4255  }
4256  }
4257 #endif /* POLARSSL_SSL_CLI_C */
4258 
4259  return( ret );
4260 }
4261 
4262 /*
4263  * Receive application data decrypted from the SSL layer
4264  */
4265 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
4266 {
4267  int ret, record_read = 0;
4268  size_t n;
4269 
4270  SSL_DEBUG_MSG( 2, ( "=> read" ) );
4271 
4272  if( ssl->state != SSL_HANDSHAKE_OVER )
4273  {
4274  ret = ssl_handshake( ssl );
4276  {
4277  record_read = 1;
4278  }
4279  else if( ret != 0 )
4280  {
4281  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4282  return( ret );
4283  }
4284  }
4285 
4286  if( ssl->in_offt == NULL )
4287  {
4288  if( ! record_read )
4289  {
4290  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4291  {
4292  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4293  return( 0 );
4294 
4295  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4296  return( ret );
4297  }
4298  }
4299 
4300  if( ssl->in_msglen == 0 &&
4302  {
4303  /*
4304  * OpenSSL sends empty messages to randomize the IV
4305  */
4306  if( ( ret = ssl_read_record( ssl ) ) != 0 )
4307  {
4308  if( ret == POLARSSL_ERR_SSL_CONN_EOF )
4309  return( 0 );
4310 
4311  SSL_DEBUG_RET( 1, "ssl_read_record", ret );
4312  return( ret );
4313  }
4314  }
4315 
4316  if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
4317  {
4318  SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
4319 
4320  if( ssl->endpoint == SSL_IS_CLIENT &&
4321  ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
4322  ssl->in_hslen != 4 ) )
4323  {
4324  SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
4326  }
4327 
4332  {
4333  SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
4334 
4335 #if defined(POLARSSL_SSL_PROTO_SSL3)
4336  if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
4337  {
4338  /*
4339  * SSLv3 does not have a "no_renegotiation" alert
4340  */
4341  if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
4342  return( ret );
4343  }
4344  else
4345 #endif /* POLARSSL_SSL_PROTO_SSL3 */
4346 #if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
4347  defined(POLARSSL_SSL_PROTO_TLS1_2)
4348  if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
4349  {
4350  if( ( ret = ssl_send_alert_message( ssl,
4353  {
4354  return( ret );
4355  }
4356  }
4357  else
4358 #endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 ||
4359  POLARSSL_SSL_PROTO_TLS1_2 */
4360  {
4361  SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4363  }
4364  }
4365  else
4366  {
4367  ret = ssl_start_renegotiation( ssl );
4369  {
4370  record_read = 1;
4371  }
4372  else if( ret != 0 )
4373  {
4374  SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
4375  return( ret );
4376  }
4377  }
4378 
4379  /* If a non-handshake record was read during renego, fallthrough,
4380  * else tell the user they should call ssl_read() again */
4381  if( ! record_read )
4382  return( POLARSSL_ERR_NET_WANT_READ );
4383  }
4384  else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
4385  {
4386  ssl->renego_records_seen++;
4387 
4388  if( ssl->renego_max_records >= 0 &&
4390  {
4391  SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
4392  "but not honored by client" ) );
4394  }
4395  }
4396 
4397  /* Fatal and closure alerts handled by ssl_read_record() */
4398  if( ssl->in_msgtype == SSL_MSG_ALERT )
4399  {
4400  SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
4401  return( POLARSSL_ERR_NET_WANT_READ );
4402  }
4403 
4404  if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
4405  {
4406  SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
4408  }
4409 
4410  ssl->in_offt = ssl->in_msg;
4411  }
4412 
4413  n = ( len < ssl->in_msglen )
4414  ? len : ssl->in_msglen;
4415 
4416  memcpy( buf, ssl->in_offt, n );
4417  ssl->in_msglen -= n;
4418 
4419  if( ssl->in_msglen == 0 )
4420  /* all bytes consumed */
4421  ssl->in_offt = NULL;
4422  else
4423  /* more data available */
4424  ssl->in_offt += n;
4425 
4426  SSL_DEBUG_MSG( 2, ( "<= read" ) );
4427 
4428  return( (int) n );
4429 }
4430 
4431 /*
4432  * Send application data to be encrypted by the SSL layer
4433  */
4434 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
4435 {
4436  int ret;
4437  size_t n;
4438  unsigned int max_len = SSL_MAX_CONTENT_LEN;
4439 
4440  SSL_DEBUG_MSG( 2, ( "=> write" ) );
4441 
4442  if( ssl->state != SSL_HANDSHAKE_OVER )
4443  {
4444  if( ( ret = ssl_handshake( ssl ) ) != 0 )
4445  {
4446  SSL_DEBUG_RET( 1, "ssl_handshake", ret );
4447  return( ret );
4448  }
4449  }
4450 
4451 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
4452  /*
4453  * Assume mfl_code is correct since it was checked when set
4454  */
4455  max_len = mfl_code_to_length[ssl->mfl_code];
4456 
4457  /*
4458  * Check if a smaller max length was negotiated
4459  */
4460  if( ssl->session_out != NULL &&
4461  mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
4462  {
4463  max_len = mfl_code_to_length[ssl->session_out->mfl_code];
4464  }
4465 #endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
4466 
4467  n = ( len < max_len) ? len : max_len;
4468 
4469  if( ssl->out_left != 0 )
4470  {
4471  if( ( ret = ssl_flush_output( ssl ) ) != 0 )
4472  {
4473  SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
4474  return( ret );
4475  }
4476  }
4477  else
4478  {
4479  ssl->out_msglen = n;
4481  memcpy( ssl->out_msg, buf, n );
4482 
4483  if( ( ret = ssl_write_record( ssl ) ) != 0 )
4484  {
4485  SSL_DEBUG_RET( 1, "ssl_write_record", ret );
4486  return( ret );
4487  }
4488  }
4489 
4490  SSL_DEBUG_MSG( 2, ( "<= write" ) );
4491 
4492  return( (int) n );
4493 }
4494 
4495 /*
4496  * Notify the peer that the connection is being closed
4497  */
4498 int ssl_close_notify( ssl_context *ssl )
4499 {
4500  int ret;
4501 
4502  SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
4503 
4504  if( ssl->out_left != 0 )
4505  return( ssl_flush_output( ssl ) );
4506 
4507  if( ssl->state == SSL_HANDSHAKE_OVER )
4508  {
4509  if( ( ret = ssl_send_alert_message( ssl,
4511  SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
4512  {
4513  SSL_DEBUG_RET( 1, "ssl_send_alert_message", ret );
4514  return( ret );
4515  }
4516  }
4517 
4518  SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
4519 
4520  return( 0 );
4521 }
4522 
4523 void ssl_transform_free( ssl_transform *transform )
4524 {
4525  if( transform == NULL )
4526  return;
4527 
4528 #if defined(POLARSSL_ZLIB_SUPPORT)
4529  deflateEnd( &transform->ctx_deflate );
4530  inflateEnd( &transform->ctx_inflate );
4531 #endif
4532 
4533  cipher_free( &transform->cipher_ctx_enc );
4534  cipher_free( &transform->cipher_ctx_dec );
4535 
4536  md_free( &transform->md_ctx_enc );
4537  md_free( &transform->md_ctx_dec );
4538 
4539  polarssl_zeroize( transform, sizeof( ssl_transform ) );
4540 }
4541 
4542 #if defined(POLARSSL_X509_CRT_PARSE_C)
4543 static void ssl_key_cert_free( ssl_key_cert *key_cert )
4544 {
4545  ssl_key_cert *cur = key_cert, *next;
4546 
4547  while( cur != NULL )
4548  {
4549  next = cur->next;
4550 
4551  if( cur->key_own_alloc )
4552  {
4553  pk_free( cur->key );
4554  polarssl_free( cur->key );
4555  }
4556  polarssl_free( cur );
4557 
4558  cur = next;
4559  }
4560 }
4561 #endif /* POLARSSL_X509_CRT_PARSE_C */
4562 
4563 void ssl_handshake_free( ssl_handshake_params *handshake )
4564 {
4565  if( handshake == NULL )
4566  return;
4567 
4568 #if defined(POLARSSL_DHM_C)
4569  dhm_free( &handshake->dhm_ctx );
4570 #endif
4571 #if defined(POLARSSL_ECDH_C)
4572  ecdh_free( &handshake->ecdh_ctx );
4573 #endif
4574 
4575 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
4576  /* explicit void pointer cast for buggy MS compiler */
4577  polarssl_free( (void *) handshake->curves );
4578 #endif
4579 
4580 #if defined(POLARSSL_X509_CRT_PARSE_C) && \
4581  defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4582  /*
4583  * Free only the linked list wrapper, not the keys themselves
4584  * since the belong to the SNI callback
4585  */
4586  if( handshake->sni_key_cert != NULL )
4587  {
4588  ssl_key_cert *cur = handshake->sni_key_cert, *next;
4589 
4590  while( cur != NULL )
4591  {
4592  next = cur->next;
4593  polarssl_free( cur );
4594  cur = next;
4595  }
4596  }
4597 #endif /* POLARSSL_X509_CRT_PARSE_C && POLARSSL_SSL_SERVER_NAME_INDICATION */
4598 
4599  polarssl_zeroize( handshake, sizeof( ssl_handshake_params ) );
4600 }
4601 
4602 void ssl_session_free( ssl_session *session )
4603 {
4604  if( session == NULL )
4605  return;
4606 
4607 #if defined(POLARSSL_X509_CRT_PARSE_C)
4608  if( session->peer_cert != NULL )
4609  {
4610  x509_crt_free( session->peer_cert );
4611  polarssl_free( session->peer_cert );
4612  }
4613 #endif
4614 
4615 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4616  polarssl_free( session->ticket );
4617 #endif
4618 
4619  polarssl_zeroize( session, sizeof( ssl_session ) );
4620 }
4621 
4622 /*
4623  * Free an SSL context
4624  */
4625 void ssl_free( ssl_context *ssl )
4626 {
4627  if( ssl == NULL )
4628  return;
4629 
4630  SSL_DEBUG_MSG( 2, ( "=> free" ) );
4631 
4632  if( ssl->out_ctr != NULL )
4633  {
4634  polarssl_zeroize( ssl->out_ctr, SSL_BUFFER_LEN );
4635  polarssl_free( ssl->out_ctr );
4636  }
4637 
4638  if( ssl->in_ctr != NULL )
4639  {
4640  polarssl_zeroize( ssl->in_ctr, SSL_BUFFER_LEN );
4641  polarssl_free( ssl->in_ctr );
4642  }
4643 
4644 #if defined(POLARSSL_ZLIB_SUPPORT)
4645  if( ssl->compress_buf != NULL )
4646  {
4647  polarssl_zeroize( ssl->compress_buf, SSL_BUFFER_LEN );
4648  polarssl_free( ssl->compress_buf );
4649  }
4650 #endif
4651 
4652 #if defined(POLARSSL_DHM_C)
4653  mpi_free( &ssl->dhm_P );
4654  mpi_free( &ssl->dhm_G );
4655 #endif
4656 
4657  if( ssl->transform )
4658  {
4659  ssl_transform_free( ssl->transform );
4660  polarssl_free( ssl->transform );
4661  }
4662 
4663  if( ssl->handshake )
4664  {
4665  ssl_handshake_free( ssl->handshake );
4668 
4669  polarssl_free( ssl->handshake );
4672  }
4673 
4674  if( ssl->session )
4675  {
4676  ssl_session_free( ssl->session );
4677  polarssl_free( ssl->session );
4678  }
4679 
4680 #if defined(POLARSSL_SSL_SESSION_TICKETS)
4681  if( ssl->ticket_keys )
4682  {
4683  ssl_ticket_keys_free( ssl->ticket_keys );
4684  polarssl_free( ssl->ticket_keys );
4685  }
4686 #endif
4687 
4688 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
4689  if( ssl->hostname != NULL )
4690  {
4691  polarssl_zeroize( ssl->hostname, ssl->hostname_len );
4692  polarssl_free( ssl->hostname );
4693  ssl->hostname_len = 0;
4694  }
4695 #endif
4696 
4697 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
4698  if( ssl->psk != NULL )
4699  {
4700  polarssl_zeroize( ssl->psk, ssl->psk_len );
4701  polarssl_zeroize( ssl->psk_identity, ssl->psk_identity_len );
4702  polarssl_free( ssl->psk );
4703  polarssl_free( ssl->psk_identity );
4704  ssl->psk_len = 0;
4705  ssl->psk_identity_len = 0;
4706  }
4707 #endif
4708 
4709 #if defined(POLARSSL_X509_CRT_PARSE_C)
4710  ssl_key_cert_free( ssl->key_cert );
4711 #endif
4712 
4713 #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
4714  if( ssl_hw_record_finish != NULL )
4715  {
4716  SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
4717  ssl_hw_record_finish( ssl );
4718  }
4719 #endif
4720 
4721  SSL_DEBUG_MSG( 2, ( "<= free" ) );
4722 
4723  /* Actually clear after last debug message */
4724  polarssl_zeroize( ssl, sizeof( ssl_context ) );
4725 }
4726 
4727 #if defined(POLARSSL_PK_C)
4728 /*
4729  * Convert between POLARSSL_PK_XXX and SSL_SIG_XXX
4730  */
4731 unsigned char ssl_sig_from_pk( pk_context *pk )
4732 {
4733 #if defined(POLARSSL_RSA_C)
4734  if( pk_can_do( pk, POLARSSL_PK_RSA ) )
4735  return( SSL_SIG_RSA );
4736 #endif
4737 #if defined(POLARSSL_ECDSA_C)
4738  if( pk_can_do( pk, POLARSSL_PK_ECDSA ) )
4739  return( SSL_SIG_ECDSA );
4740 #endif
4741  return( SSL_SIG_ANON );
4742 }
4743 
4744 pk_type_t ssl_pk_alg_from_sig( unsigned char sig )
4745 {
4746  switch( sig )
4747  {
4748 #if defined(POLARSSL_RSA_C)
4749  case SSL_SIG_RSA:
4750  return( POLARSSL_PK_RSA );
4751 #endif
4752 #if defined(POLARSSL_ECDSA_C)
4753  case SSL_SIG_ECDSA:
4754  return( POLARSSL_PK_ECDSA );
4755 #endif
4756  default:
4757  return( POLARSSL_PK_NONE );
4758  }
4759 }
4760 #endif /* POLARSSL_PK_C */
4761 
4762 /*
4763  * Convert between SSL_HASH_XXX and POLARSSL_MD_XXX
4764  */
4765 md_type_t ssl_md_alg_from_hash( unsigned char hash )
4766 {
4767  switch( hash )
4768  {
4769 #if defined(POLARSSL_MD5_C)
4770  case SSL_HASH_MD5:
4771  return( POLARSSL_MD_MD5 );
4772 #endif
4773 #if defined(POLARSSL_SHA1_C)
4774  case SSL_HASH_SHA1:
4775  return( POLARSSL_MD_SHA1 );
4776 #endif
4777 #if defined(POLARSSL_SHA256_C)
4778  case SSL_HASH_SHA224:
4779  return( POLARSSL_MD_SHA224 );
4780  case SSL_HASH_SHA256:
4781  return( POLARSSL_MD_SHA256 );
4782 #endif
4783 #if defined(POLARSSL_SHA512_C)
4784  case SSL_HASH_SHA384:
4785  return( POLARSSL_MD_SHA384 );
4786  case SSL_HASH_SHA512:
4787  return( POLARSSL_MD_SHA512 );
4788 #endif
4789  default:
4790  return( POLARSSL_MD_NONE );
4791  }
4792 }
4793 
4794 #if defined(POLARSSL_SSL_SET_CURVES)
4795 /*
4796  * Check is a curve proposed by the peer is in our list.
4797  * Return 1 if we're willing to use it, 0 otherwise.
4798  */
4799 int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
4800 {
4801  const ecp_group_id *gid;
4802 
4803  for( gid = ssl->curve_list; *gid != POLARSSL_ECP_DP_NONE; gid++ )
4804  if( *gid == grp_id )
4805  return( 1 );
4806 
4807  return( 0 );
4808 }
4809 #endif /* POLARSSL_SSL_SET_CURVES */
4810 
4811 #if defined(POLARSSL_X509_CRT_PARSE_C)
4812 int ssl_check_cert_usage( const x509_crt *cert,
4813  const ssl_ciphersuite_t *ciphersuite,
4814  int cert_endpoint )
4815 {
4816 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
4817  int usage = 0;
4818 #endif
4819 #if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4820  const char *ext_oid;
4821  size_t ext_len;
4822 #endif
4823 
4824 #if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
4825  !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4826  ((void) cert);
4827  ((void) cert_endpoint);
4828 #endif
4829 
4830 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
4831  if( cert_endpoint == SSL_IS_SERVER )
4832  {
4833  /* Server part of the key exchange */
4834  switch( ciphersuite->key_exchange )
4835  {
4838  usage = KU_KEY_ENCIPHERMENT;
4839  break;
4840 
4844  usage = KU_DIGITAL_SIGNATURE;
4845  break;
4846 
4849  usage = KU_KEY_AGREEMENT;
4850  break;
4851 
4852  /* Don't use default: we want warnings when adding new values */
4857  usage = 0;
4858  }
4859  }
4860  else
4861  {
4862  /* Client auth: we only implement rsa_sign and ecdsa_sign for now */
4863  usage = KU_DIGITAL_SIGNATURE;
4864  }
4865 
4866  if( x509_crt_check_key_usage( cert, usage ) != 0 )
4867  return( -1 );
4868 #else
4869  ((void) ciphersuite);
4870 #endif /* POLARSSL_X509_CHECK_KEY_USAGE */
4871 
4872 #if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
4873  if( cert_endpoint == SSL_IS_SERVER )
4874  {
4875  ext_oid = OID_SERVER_AUTH;
4876  ext_len = OID_SIZE( OID_SERVER_AUTH );
4877  }
4878  else
4879  {
4880  ext_oid = OID_CLIENT_AUTH;
4881  ext_len = OID_SIZE( OID_CLIENT_AUTH );
4882  }
4883 
4884  if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
4885  return( -1 );
4886 #endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
4887 
4888  return( 0 );
4889 }
4890 #endif /* POLARSSL_X509_CRT_PARSE_C */
4891 
4892 #endif /* POLARSSL_SSL_TLS_C */
const ecp_curve_info ** curves
Definition: ssl.h:602
unsigned char * hostname
Definition: ssl.h:847
#define SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:344
ssl_session * session_in
Definition: ssl.h:736
#define SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:348
unsigned char mfl_code
Definition: ssl.h:785
size_t length
Definition: ssl.h:519
void * p_set_cache
Definition: ssl.h:715
md_context_t md_ctx_dec
Definition: ssl.h:570
int ciphersuite
Definition: ssl.h:517
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
Processing of the ChangeCipherSpec handshake message failed.
Definition: ssl.h:135
mpi P
Definition: dhm.h:159
int trunc_hmac
Definition: ssl.h:821
size_t in_hslen
Definition: ssl.h:765
int ssl_send_alert_message(ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
void(* f_dbg)(void *, int, const char *)
Definition: ssl.h:704
#define SSL_HS_FINISHED
Definition: ssl.h:385
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:703
uint32_t state[8]
Definition: sha256.h:61
const pk_info_t * pk_info_from_type(pk_type_t pk_type)
Return information associated with the given PK type.
#define POLARSSL_DHM_RFC5114_MODP_1024_P
Definition: dhm.h:107
sha256_context fin_sha256
Definition: ssl.h:627
size_t ivlen
Definition: ssl.h:556
#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
Unexpected message at ServerHello in renegotiation.
Definition: ssl.h:148
int record_read
Definition: ssl.h:767
int major_ver
Definition: ssl.h:692
int renego_records_seen
Definition: ssl.h:690
#define SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:63
int rsa_copy(rsa_context *dst, const rsa_context *src)
Copy the components of an RSA context.
SHA-1 context structure.
Definition: sha1.h:58
unsigned char mac_enc[20]
Definition: ssl.h:565
sha1_context fin_sha1
Definition: ssl.h:623
int compression
Definition: ssl.h:518
pk_type_t ssl_pk_alg_from_sig(unsigned char sig)
int state
Definition: ssl.h:688
const char * peer_cn
Definition: ssl.h:796
unsigned char master[48]
Definition: ssl.h:521
void sha256_update(sha256_context *ctx, const unsigned char *input, size_t ilen)
SHA-256 process buffer.
int ecdh_calc_secret(ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret.
void sha256(const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = SHA-256( input buffer )
char peer_verify_data[36]
Definition: ssl.h:866
int ssl_set_truncated_hmac(ssl_context *ssl, int truncate)
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED) ...
ssl_transform * transform_out
Definition: ssl.h:748
x509_buf raw
The raw certificate data (DER).
Definition: x509_crt.h:59
Debug functions.
#define POLARSSL_ERR_SSL_CONN_EOF
The connection indicated an EOF.
Definition: ssl.h:112
int(* f_sni)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:719
int nb_zero
Definition: ssl.h:766
void sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
Output = SHA-1( input buffer )
void(* calc_verify)(ssl_context *, unsigned char *)
Definition: ssl.h:635
void sha1_finish(sha1_context *ctx, unsigned char output[20])
SHA-1 final digest.
void cipher_init(cipher_context_t *ctx)
Initialize a cipher_context (as NONE)
int md_starts(md_context_t *ctx)
Set-up the given context for a new message digest.
void md_init(md_context_t *ctx)
Initialize a md_context (as NONE)
DHM context structure.
Definition: dhm.h:156
void * p_psk
Definition: ssl.h:730
static cipher_mode_t cipher_get_cipher_mode(const cipher_context_t *ctx)
Returns the mode of operation for the cipher.
Definition: cipher.h:401
#define polarssl_malloc
#define SSL_BUFFER_LEN
Definition: ssl.h:300
#define SSL_IS_CLIENT
Definition: ssl.h:206
size_t ticket_len
Definition: ssl.h:530
#define SSL_HASH_SHA1
Definition: ssl.h:318
Cipher information.
Definition: cipher.h:226
#define polarssl_free
ssl_session * session_negotiate
Definition: ssl.h:739
const cipher_info_t * cipher_info_from_type(const cipher_type_t cipher_type)
Returns the cipher information structure associated with the given cipher type.
ssl_session * session
Definition: ssl.h:738
void ssl_legacy_renegotiation(ssl_context *ssl, int allow_legacy)
Prevent or allow legacy renegotiation.
int ssl_parse_certificate(ssl_context *ssl)
void ssl_set_dbg(ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg)
Set the debug callback.
#define POLARSSL_ERR_SSL_INVALID_RECORD
An invalid SSL record was received.
Definition: ssl.h:111
#define BADCERT_SKIP_VERIFY
Certificate verification was skipped.
Definition: x509.h:83
#define SSL_RENEGO_MAX_RECORDS_DEFAULT
Definition: ssl.h:228
uint32_t state[5]
Definition: sha1.h:61
ssl_key_cert * key_cert
Definition: ssl.h:792
ssl_key_cert * sni_key_cert
Definition: ssl.h:613
int ssl_set_session_tickets(ssl_context *ssl, int use_tickets)
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS...
unsigned char iv_enc[16]
Definition: ssl.h:560
size_t out_msglen
Definition: ssl.h:778
void ssl_set_verify(ssl_context *ssl, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Set the verification callback (Optional).
#define SSL_SIG_RSA
Definition: ssl.h:325
int ticket_lifetime
Definition: ssl.h:825
ssl_transform * transform_in
Definition: ssl.h:747
cipher_context_t cipher_ctx_enc
Definition: ssl.h:572
const int * ciphersuite_list[4]
Definition: ssl.h:816
int ssl_parse_finished(ssl_context *ssl)
void * p_rng
Definition: ssl.h:710
void sha256_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[32], int is224)
Output = HMAC-SHA-256( hmac key, input buffer )
int md_init_ctx(md_context_t *ctx, const md_info_t *md_info)
Initialises and fills the message digest context structure with the appropriate values.
mpi dhm_P
Definition: ssl.h:829
#define SSL_RENEGOTIATION
Definition: ssl.h:217
unsigned char premaster[POLARSSL_PREMASTER_SIZE]
Definition: ssl.h:644
void ssl_session_free(ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
void sha1_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[20])
Output = HMAC-SHA-1( hmac key, input buffer )
int md_process(md_context_t *ctx, const unsigned char *data)
int ssl_write_finished(ssl_context *ssl)
void x509_crt_free(x509_crt *crt)
Unallocate all certificate data.
Configuration options (set of defines)
ssl_transform * transform
Definition: ssl.h:749
x509_crt * cert
Definition: ssl.h:676
#define SSL_DEBUG_MSG(level, args)
Definition: debug.h:60
size_t psk_identity_len
Definition: ssl.h:840
unsigned char * out_ctr
Definition: ssl.h:772
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY
The peer notified us that the connection is going to be closed.
Definition: ssl.h:124
#define SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:235
void ssl_handshake_wrapup(ssl_context *ssl)
char own_verify_data[36]
Definition: ssl.h:865
static unsigned char md_get_size(const md_info_t *md_info)
Returns the size of the message digest output.
Definition: md.h:225
int x509_crt_parse_der(x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
#define SSL_SIG_ECDSA
Definition: ssl.h:326
void md5_finish(md5_context *ctx, unsigned char output[16])
MD5 final digest.
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:706
#define SSL_MAX_MAJOR_VERSION
Definition: ssl.h:179
#define SSL_MIN_MINOR_VERSION
Definition: ssl.h:163
#define SSL_VERIFY_OPTIONAL
Definition: ssl.h:213
size_t in_msglen
Definition: ssl.h:762
int ssl_set_dh_param_ctx(ssl_context *ssl, dhm_context *dhm_ctx)
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) ...
unsigned char * in_hdr
Definition: ssl.h:756
int secure_renegotiation
Definition: ssl.h:862
PolarSSL Platform abstraction layer.
#define pk_ec(pk)
Quick access to an EC context inside a PK context.
Definition: pk.h:84
#define SSL_SIG_ANON
Definition: ssl.h:324
sha512_context fin_sha512
Definition: ssl.h:630
#define SSL_VERIFY_REQUIRED
Definition: ssl.h:214
#define SSL_HASH_MD5
Definition: ssl.h:317
#define SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:369
void md5_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[16])
Output = HMAC-MD5( hmac key, input buffer )
int ssl_handshake_server_step(ssl_context *ssl)
#define SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:230
static md_type_t md_get_type(const md_info_t *md_info)
Returns the type of the message digest output.
Definition: md.h:240
int cipher_crypt(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
Generic all-in-one encryption/decryption (for all ciphers except AEAD constructs).
int(* tls_prf)(const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl.h:637
unsigned char mac_key[16]
Definition: ssl.h:666
void * p_vrfy
Definition: ssl.h:725
#define SSL_MAJOR_VERSION_3
Definition: ssl.h:153
size_t psk_len
Definition: ssl.h:838
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED
Hardware acceleration function returned with error.
Definition: ssl.h:138
void ssl_set_max_version(ssl_context *ssl, int major, int minor)
Set the maximum supported version sent from the client side and/or accepted at the server side (Defau...
#define SSL_RENEGOTIATION_DONE
Definition: ssl.h:218
#define POLARSSL_ERR_SSL_INVALID_MAC
Verification of the message MAC failed.
Definition: ssl.h:110
#define POLARSSL_CIPHERSUITE_SHORT_TAG
Short authentication tag, eg for CCM_8.
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
No client certification received from the client, but required by the authentication mode...
Definition: ssl.h:116
const ssl_ciphersuite_t * ciphersuite_info
Definition: ssl.h:552
void * p_recv
Definition: ssl.h:712
Object Identifier (OID) database.
unsigned char * psk
Definition: ssl.h:837
int pk_init_ctx_rsa_alt(pk_context *ctx, void *key, pk_rsa_alt_decrypt_func decrypt_func, pk_rsa_alt_sign_func sign_func, pk_rsa_alt_key_len_func key_len_func)
Initialize an RSA-alt context.
int renego_max_records
Definition: ssl.h:815
void ssl_set_ciphersuites_for_version(ssl_context *ssl, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites and the preference order for a specific version of the protocol...
int ssl_init(ssl_context *ssl)
Initialize an SSL context (An individual SSL context is not thread-safe)
#define OID_SIZE(x)
Returns the size of the binary string, without the trailing \0.
Definition: asn1.h:98
int max_major_ver
Definition: ssl.h:695
const md_info_t * md_info
Information about the associated message digest.
Definition: md.h:134
struct _x509_crt * next
Next certificate in the CA-chain.
Definition: x509_crt.h:98
#define SSL_MINOR_VERSION_1
Definition: ssl.h:155
void md5_free(md5_context *ctx)
Clear MD5 context.
int ssl_set_psk(ssl_context *ssl, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len)
Set the Pre Shared Key (PSK) and the identity name connected to it.
int x509_crt_check_key_usage(const x509_crt *crt, int usage)
Check usage of certificate against keyUsage extension.
void ssl_set_psk_cb(ssl_context *ssl, int(*f_psk)(void *, ssl_context *, const unsigned char *, size_t), void *p_psk)
Set the PSK callback (server-side only) (Optional).
unsigned int keylen
Definition: ssl.h:554
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH
Hardware acceleration function skipped / left alone data.
Definition: ssl.h:139
#define OID_SERVER_AUTH
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
Definition: oid.h:176
int ssl_get_session(const ssl_context *ssl, ssl_session *session)
Save session in order to resume it later (client-side only) Session data is copied to presented sessi...
md_type_t
Definition: md.h:51
int verify_result
Definition: ssl.h:526
const char * ssl_get_alpn_protocol(const ssl_context *ssl)
Get the name of the negotiated Application Layer Protocol.
unsigned char iv[POLARSSL_MAX_IV_LENGTH]
Current IV or NONCE_COUNTER for CTR-mode.
Definition: cipher.h:279
const char ** alpn_list
Definition: ssl.h:855
int max_minor_ver
Definition: ssl.h:696
const char * alpn_chosen
Definition: ssl.h:856
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED
The own certificate is not set, but needed by the server.
Definition: ssl.h:118
#define SSL_RENEGOTIATION_PENDING
Definition: ssl.h:219
const md_info_t * md_info_from_type(md_type_t md_type)
Returns the message digest information associated with the given digest type.
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:347
unsigned char * in_ctr
Definition: ssl.h:755
ssl_handshake_params * handshake
Definition: ssl.h:741
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
Our own certificate(s) is/are too large to send in an SSL message.
Definition: ssl.h:117
#define SSL_MSG_HANDSHAKE
Definition: ssl.h:340
void(* update_checksum)(ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:634
size_t fixed_ivlen
Definition: ssl.h:557
#define SSL_MINOR_VERSION_2
Definition: ssl.h:156
int ssl_write_certificate(ssl_context *ssl)
size_t(* rsa_key_len_func)(void *ctx)
Definition: ssl.h:470
#define POLARSSL_DHM_RFC5114_MODP_1024_G
Definition: dhm.h:115
RSA context structure.
Definition: rsa.h:83
cipher_context_t cipher_ctx_dec
Definition: ssl.h:573
int in_msgtype
Definition: ssl.h:761
Container for an X.509 certificate.
Definition: x509_crt.h:57
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE
A fatal alert message was received from our peer.
Definition: ssl.h:122
void md_free(md_context_t *ctx)
Free and clear the message-specific context of ctx.
#define SSL_MIN_MAJOR_VERSION
Definition: ssl.h:160
cipher_mode_t
Definition: cipher.h:134
#define SSL_DEFAULT_TICKET_LIFETIME
Lifetime of session tickets (if enabled)
Definition: ssl.h:250
size_t verify_data_len
Definition: ssl.h:864
const char * ssl_get_ciphersuite(const ssl_context *ssl)
Return the name of the current ciphersuite.
mpi dhm_G
Definition: ssl.h:830
mpi G
Definition: dhm.h:160
#define SSL_IS_SERVER
Definition: ssl.h:207
const char * ssl_get_version(const ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
void ssl_set_renegotiation(ssl_context *ssl, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIAT...
int min_minor_ver
Definition: ssl.h:698
unsigned char * out_msg
Definition: ssl.h:775
unsigned int key_length
Cipher key length, in bits (default length for variable sized ciphers) (Includes parity bits for ciph...
Definition: cipher.h:235
#define SSL_MINOR_VERSION_0
Definition: ssl.h:154
int cipher_auth_encrypt(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, unsigned char *tag, size_t tag_len)
Generic autenticated encryption (AEAD ciphers).
int client_auth
Definition: ssl.h:811
#define SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:338
void * p_dbg
Definition: ssl.h:711
void sha256_starts(sha256_context *ctx, int is224)
SHA-256 context setup.
ssl_key_cert * key_cert
Current key/cert or key/cert list.
Definition: ssl.h:611
void dhm_init(dhm_context *ctx)
Initialize DHM context.
void * p_send
Definition: ssl.h:713
ecdh_context ecdh_ctx
Definition: ssl.h:599
x509_crl * ca_crl
Definition: ssl.h:795
void x509_crt_init(x509_crt *crt)
Initialize a certificate (chain)
static x509_crt * ssl_own_cert(ssl_context *ssl)
Definition: ssl.h:1776
int ssl_set_max_frag_len(ssl_context *ssl, unsigned char mfl_code)
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes) (Server: set maximum fragment length to emit, usually negotiated by the client during handshake (Client: set maximum fragment length to emit and negotiate with the server during handshake)
SHA-512 context structure.
Definition: sha512.h:59
int ssl_handshake_client_step(ssl_context *ssl)
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE
An unexpected message was received from our peer.
Definition: ssl.h:121
unsigned char * ticket
Definition: ssl.h:529
unsigned char * p
ASN1 data, e.g.
Definition: asn1.h:128
key_exchange_type_t key_exchange
int cipher_auth_decrypt(cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, const unsigned char *tag, size_t tag_len)
Generic autenticated decryption (AEAD ciphers).
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED
Processing of the compression / decompression failed.
Definition: ssl.h:140
size_t maclen
Definition: ssl.h:558
unsigned char * out_hdr
Definition: ssl.h:773
int ssl_set_own_cert(ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key)
Set own certificate chain and private key.
int trunc_hmac
Definition: ssl.h:539
void ssl_set_endpoint(ssl_context *ssl, int endpoint)
Set the current endpoint type.
void mpi_free(mpi *X)
Unallocate one MPI.
void ssl_set_ciphersuites(ssl_context *ssl, const int *ciphersuites)
Set the list of allowed ciphersuites and the preference order.
void sha1_free(sha1_context *ctx)
Clear SHA-1 context.
void sha512_starts(sha512_context *ctx, int is384)
SHA-512 context setup.
int x509_crt_verify(x509_crt *crt, x509_crt *trust_ca, x509_crl *ca_crl, const char *cn, int *flags, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy)
Verify the certificate signature.
#define SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:343
void ssl_set_rng(ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
int pk_can_do(pk_context *ctx, pk_type_t type)
Tell if a context can do the operation given by type.
void * p_get_cache
Definition: ssl.h:714
void ssl_set_bio(ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send)
Set the underlying BIO read and write callbacks.
void ssl_free(ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
void sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = SHA-512( input buffer )
void md5_starts(md5_context *ctx)
MD5 context setup.
#define SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:224
unsigned char ssl_sig_from_pk(pk_context *pk)
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED
No CA Chain is set, but required to operate.
Definition: ssl.h:120
void ssl_handshake_free(ssl_handshake_params *handshake)
Free referenced items in an SSL handshake context and clear memory.
int authmode
Definition: ssl.h:810
int ssl_flush_output(ssl_context *ssl)
int ssl_handshake(ssl_context *ssl)
Perform the SSL handshake.
unsigned char * in_offt
Definition: ssl.h:759
void ssl_set_min_version(ssl_context *ssl, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
#define SSL_COMPRESS_DEFLATE
Definition: ssl.h:210
int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
Definition: ssl.h:466
unsigned char * in_msg
Definition: ssl.h:758
int ssl_set_hostname(ssl_context *ssl, const char *hostname)
Set hostname for ServerName TLS extension (client-side only)
aes_context dec
Definition: ssl.h:665
mpi z
Definition: ecdh.h:54
int ssl_handshake_step(ssl_context *ssl)
Perform a single step of the SSL handshake.
#define SSL_MINOR_VERSION_3
Definition: ssl.h:157
mpi K
Definition: dhm.h:164
MD5 context structure.
Definition: md5.h:58
int ssl_check_cert_usage(const x509_crt *cert, const ssl_ciphersuite_t *ciphersuite, int cert_endpoint)
pk_type_t
Public key types.
Definition: pk.h:95
aes_context enc
Definition: ssl.h:664
#define KU_KEY_AGREEMENT
Definition: x509.h:97
unsigned char iv_dec[16]
Definition: ssl.h:561
#define POLARSSL_ERR_NET_WANT_READ
Connection requires a read call.
Definition: net.h:41
#define SSL_HS_CERTIFICATE
Definition: ssl.h:379
#define POLARSSL_PSK_MAX_LEN
int ssl_parse_change_cipher_spec(ssl_context *ssl)
#define SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:80
size_t hostname_len
Definition: ssl.h:848
void sha1_starts(sha1_context *ctx)
SHA-1 context setup.
int minor_ver
Definition: ssl.h:693
int pk_init_ctx(pk_context *ctx, const pk_info_t *info)
Initialize a PK context with the information given and allocates the type-specific PK subcontext...
void sha512_hmac(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
Output = HMAC-SHA-512( hmac key, input buffer )
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:352
This structure is used for storing ciphersuite information.
int ssl_close_notify(ssl_context *ssl)
Notify the peer that the connection is being closed.
const x509_crt * ssl_get_peer_cert(const ssl_context *ssl)
Return the peer certificate from the current connection.
void ssl_set_session_cache(ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache)
Set the session cache callbacks (server-side only) If not set, no session resuming is done...
#define SSL_HASH_SHA256
Definition: ssl.h:320
void md5_init(md5_context *ctx)
Initialize MD5 context.
size_t ssl_get_bytes_avail(const ssl_context *ssl)
Return the number of data bytes available to read.
int md_hmac_starts(md_context_t *ctx, const unsigned char *key, size_t keylen)
Generic HMAC context setup.
void cipher_free(cipher_context_t *ctx)
Free and clear the cipher-specific context of ctx.
int ssl_set_session(ssl_context *ssl, const ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
int cipher_set_padding_mode(cipher_context_t *ctx, cipher_padding_t mode)
Set padding mode, for cipher modes that use padding.
#define SSL_VERIFY_NONE
Definition: ssl.h:212
#define SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:66
cipher_mode_t mode
Cipher mode (e.g.
Definition: cipher.h:231
int mpi_read_string(mpi *X, int radix, const char *s)
Import from an ASCII string.
#define SSL_INITIAL_HANDSHAKE
Definition: ssl.h:216
#define SSL_MAX_MINOR_VERSION
Definition: ssl.h:182
size_t in_left
Definition: ssl.h:763
void sha512_finish(sha512_context *ctx, unsigned char output[64])
SHA-512 final digest.
pk_context * key
Definition: ssl.h:677
int session_tickets
Definition: ssl.h:824
int cipher_init_ctx(cipher_context_t *ctx, const cipher_info_t *cipher_info)
Initialises and fills the cipher context structure with the appropriate values.
int allow_legacy_renegotiation
Definition: ssl.h:814
int cipher_setkey(cipher_context_t *ctx, const unsigned char *key, int key_length, const operation_t operation)
Set the key to use with the given context.
#define POLARSSL_ERR_SSL_INTERNAL_ERROR
Internal error (eg, unexpected failure in lower-level module)
Definition: ssl.h:146
ssl_session * session_out
Definition: ssl.h:737
void sha256_init(sha256_context *ctx)
Initialize SHA-256 context.
#define SSL_TRUNCATED_HMAC_LEN
Definition: ssl.h:236
uint32_t state[4]
Definition: md5.h:61
void(* calc_finished)(ssl_context *, unsigned char *, int)
Definition: ssl.h:636
int ssl_read_record(ssl_context *ssl)
int ssl_set_own_cert_rsa(ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key)
Set own certificate chain and private RSA key.
size_t len
ASN1 length, e.g.
Definition: asn1.h:127
int md_hmac_reset(md_context_t *ctx)
Generic HMAC context reset.
ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:57
#define pk_rsa(pk)
Quick access to an RSA context inside a PK context.
Definition: pk.h:74
int ssl_set_dh_param(ssl_context *ssl, const char *dhm_P, const char *dhm_G)
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default...
int(* f_vrfy)(void *, x509_crt *, int, int *)
Definition: ssl.h:724
int out_msgtype
Definition: ssl.h:777
void ssl_set_session_ticket_lifetime(ssl_context *ssl, int lifetime)
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))...
size_t out_left
Definition: ssl.h:779
#define SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:204
unsigned char mac_dec[20]
Definition: ssl.h:566
int md_hmac_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic HMAC process buffer.
#define BADCERT_MISSING
Certificate was missing.
Definition: x509.h:82
void pk_free(pk_context *ctx)
Free a pk_context.
void sha256_free(sha256_context *ctx)
Clear SHA-256 context.
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED
Processing of the Finished handshake message failed.
Definition: ssl.h:136
#define SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:70
md_context_t md_ctx_enc
Definition: ssl.h:569
int mpi_copy(mpi *X, const mpi *Y)
Copy the contents of Y into X.
#define SSL_MAX_CONTENT_LEN
int ssl_get_verify_result(const ssl_context *ssl)
Return the result of the certificate verification.
#define SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:353
never pad (full blocks only)
Definition: cipher.h:151
int ssl_session_reset(ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables...
void pk_init(pk_context *ctx)
Initialize a pk_context (as NONE)
#define KU_DIGITAL_SIGNATURE
Definition: x509.h:93
void ssl_session_init(ssl_session *session)
Initialize SSL session structure.
int min_major_ver
Definition: ssl.h:697
void aes_free(aes_context *ctx)
Clear AES context.
Certificate revocation list structure.
Definition: x509_crl.h:73
const int * ssl_list_ciphersuites(void)
Returns the list of ciphersuites supported by the SSL/TLS module.
pk_context pk
Container for the public key context.
Definition: x509_crt.h:75
ssl_transform * transform_negotiate
Definition: ssl.h:750
int ssl_set_alpn_protocols(ssl_context *ssl, const char **protos)
Set the supported Application Layer Protocols.
#define SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:221
#define SSL_HASH_SHA224
Definition: ssl.h:319
SSL/TLS functions.
void sha1_init(sha1_context *ctx)
Initialize SHA-1 context.
void ssl_set_renegotiation_enforced(ssl_context *ssl, int max_records)
Enforce server-requested renegotiation.
unsigned char * in_iv
Definition: ssl.h:757
#define POLARSSL_ERR_SSL_MALLOC_FAILED
Memory allocation failed.
Definition: ssl.h:137
int disable_renegotiation
Definition: ssl.h:813
#define SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:346
void sha256_finish(sha256_context *ctx, unsigned char output[32])
SHA-256 final digest.
void sha1_update(sha1_context *ctx, const unsigned char *input, size_t ilen)
SHA-1 process buffer.
unsigned int block_size
block size, in bytes
Definition: cipher.h:248
void dhm_free(dhm_context *ctx)
Free and clear the components of a DHM key.
void ecdh_init(ecdh_context *ctx)
Initialize context.
void md5_update(md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
#define OID_CLIENT_AUTH
id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
Definition: oid.h:177
int ssl_write_change_cipher_spec(ssl_context *ssl)
int(* f_get_cache)(void *, ssl_session *)
Definition: ssl.h:707
int ssl_derive_keys(ssl_context *ssl)
void ssl_set_authmode(ssl_context *ssl, int authmode)
Set the certificate verification mode.
int(* f_set_cache)(void *, const ssl_session *)
Definition: ssl.h:708
SHA-256 context structure.
Definition: sha256.h:58
unsigned char mfl_code
Definition: ssl.h:535
int md_finish(md_context_t *ctx, unsigned char *output)
Generic message digest final digest.
key_exchange_type_t
int ssl_psk_derive_premaster(ssl_context *ssl, key_exchange_type_t key_ex)
void sha512_free(sha512_context *ctx)
Clear SHA-512 context.
int renegotiation
Definition: ssl.h:689
cipher_type_t cipher
dhm_context dhm_ctx
Definition: ssl.h:596
static int safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl.h:1797
int ssl_send_fatal_handshake_failure(ssl_context *ssl)
ssl_ticket_keys * ticket_keys
Definition: ssl.h:803
size_t minlen
Definition: ssl.h:555
int ssl_read(ssl_context *ssl, unsigned char *buf, size_t len)
Read at most 'len' application data bytes.
void ssl_transform_free(ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
unsigned char * psk_identity
Definition: ssl.h:839
#define SSL_SESSION_TICKETS_ENABLED
Definition: ssl.h:239
#define SSL_MSG_APPLICATION_DATA
Definition: ssl.h:341
uint64_t state[8]
Definition: sha512.h:62
const char * ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
#define SSL_MSG_ALERT
Definition: ssl.h:339
int ssl_renegotiate(ssl_context *ssl)
Initiate an SSL renegotiation on the running connection.
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:705
unsigned char key_name[16]
Definition: ssl.h:663
int key_own_alloc
Definition: ssl.h:678
int ssl_write(ssl_context *ssl, const unsigned char *buf, size_t len)
Write exactly 'len' application data bytes.
ssl_key_cert * next
Definition: ssl.h:679
void md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
void sha512_update(sha512_context *ctx, const unsigned char *input, size_t ilen)
SHA-512 process buffer.
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE
The requested feature is not available.
Definition: ssl.h:108
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE
Processing of the Certificate handshake message failed.
Definition: ssl.h:127
int x509_crt_check_extended_key_usage(const x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extentedJeyUsage.
void ssl_set_ca_chain(ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn)
Set the data required to verify peer certificate.
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
Message digest information.
Definition: md.h:74
x509_crt * ca_chain
Definition: ssl.h:794
md5_context fin_md5
Definition: ssl.h:622
int md_update(md_context_t *ctx, const unsigned char *input, size_t ilen)
Generic message digest process buffer.
int endpoint
Definition: ssl.h:809
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA
Bad input parameters to function.
Definition: ssl.h:109
int ssl_set_own_cert_alt(ssl_context *ssl, x509_crt *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len)
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
void ssl_set_sni(ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
#define SSL_HASH_SHA512
Definition: ssl.h:322
unsigned int iv_size
IV/NONCE size, in bytes.
Definition: cipher.h:242
#define KU_KEY_ENCIPHERMENT
Definition: x509.h:95
#define POLARSSL_ERR_CIPHER_AUTH_FAILED
Authentication failed (for AEAD modes).
Definition: cipher.h:62
#define SSL_HASH_SHA384
Definition: ssl.h:321
int ssl_fetch_input(ssl_context *ssl, size_t nb_want)
int(* f_psk)(void *, ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:729
int ssl_write_record(ssl_context *ssl)
Public key container.
Definition: pk.h:194
void aes_init(aes_context *ctx)
Initialize AES context.
void ecdh_free(ecdh_context *ctx)
Free context.
unsigned char * out_iv
Definition: ssl.h:774
unsigned char randbytes[64]
Definition: ssl.h:643
const ecp_group_id * ecp_grp_id_list(void)
Get the list of supported curves in order of preferrence (grp_id only)
int md_hmac_finish(md_context_t *ctx, unsigned char *output)
Generic HMAC final digest.
void sha512_init(sha512_context *ctx)
Initialize SHA-512 context.
#define POLARSSL_ERR_SSL_COUNTER_WRAPPING
A counter would wrap (eg, too many messages exchanged).
Definition: ssl.h:147
int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
Definition: ssl.h:463
Generic message digest context.
Definition: md.h:132
void ssl_optimize_checksum(ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info)
x509_crt * peer_cert
Definition: ssl.h:524
md_type_t ssl_md_alg_from_hash(unsigned char hash)
void * p_sni
Definition: ssl.h:720
int dhm_calc_secret(dhm_context *ctx, unsigned char *output, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive and export the shared secret (G^Y)^X mod P.
#define SSL_HS_HELLO_REQUEST
Definition: ssl.h:375