PolarSSL v1.1.4
ssl_tls.c
Go to the documentation of this file.
00001 /*
00002  *  SSLv3/TLSv1 shared functions
00003  *
00004  *  Copyright (C) 2006-2010, Brainspark B.V.
00005  *
00006  *  This file is part of PolarSSL (http://www.polarssl.org)
00007  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
00008  *
00009  *  All rights reserved.
00010  *
00011  *  This program is free software; you can redistribute it and/or modify
00012  *  it under the terms of the GNU General Public License as published by
00013  *  the Free Software Foundation; either version 2 of the License, or
00014  *  (at your option) any later version.
00015  *
00016  *  This program is distributed in the hope that it will be useful,
00017  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00018  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00019  *  GNU General Public License for more details.
00020  *
00021  *  You should have received a copy of the GNU General Public License along
00022  *  with this program; if not, write to the Free Software Foundation, Inc.,
00023  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
00024  */
00025 /*
00026  *  The SSL 3.0 specification was drafted by Netscape in 1996,
00027  *  and became an IETF standard in 1999.
00028  *
00029  *  http://wp.netscape.com/eng/ssl3/
00030  *  http://www.ietf.org/rfc/rfc2246.txt
00031  *  http://www.ietf.org/rfc/rfc4346.txt
00032  */
00033 
00034 #include "polarssl/config.h"
00035 
00036 #if defined(POLARSSL_SSL_TLS_C)
00037 
00038 #include "polarssl/aes.h"
00039 #include "polarssl/arc4.h"
00040 #include "polarssl/camellia.h"
00041 #include "polarssl/des.h"
00042 #include "polarssl/debug.h"
00043 #include "polarssl/ssl.h"
00044 
00045 #include <stdlib.h>
00046 #include <time.h>
00047 
00048 #if defined _MSC_VER && !defined strcasecmp
00049 #define strcasecmp _stricmp
00050 #endif
00051 
00052 /*
00053  * Key material generation
00054  */
00055 static int tls1_prf( unsigned char *secret, size_t slen, char *label,
00056                      unsigned char *random, size_t rlen,
00057                      unsigned char *dstbuf, size_t dlen )
00058 {
00059     size_t nb, hs;
00060     size_t i, j, k;
00061     unsigned char *S1, *S2;
00062     unsigned char tmp[128];
00063     unsigned char h_i[20];
00064 
00065     if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
00066         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00067 
00068     hs = ( slen + 1 ) / 2;
00069     S1 = secret;
00070     S2 = secret + slen - hs;
00071 
00072     nb = strlen( label );
00073     memcpy( tmp + 20, label, nb );
00074     memcpy( tmp + 20 + nb, random, rlen );
00075     nb += rlen;
00076 
00077     /*
00078      * First compute P_md5(secret,label+random)[0..dlen]
00079      */
00080     md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
00081 
00082     for( i = 0; i < dlen; i += 16 )
00083     {
00084         md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
00085         md5_hmac( S1, hs, 4 + tmp, 16,  4 + tmp );
00086 
00087         k = ( i + 16 > dlen ) ? dlen % 16 : 16;
00088 
00089         for( j = 0; j < k; j++ )
00090             dstbuf[i + j]  = h_i[j];
00091     }
00092 
00093     /*
00094      * XOR out with P_sha1(secret,label+random)[0..dlen]
00095      */
00096     sha1_hmac( S2, hs, tmp + 20, nb, tmp );
00097 
00098     for( i = 0; i < dlen; i += 20 )
00099     {
00100         sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
00101         sha1_hmac( S2, hs, tmp, 20,      tmp );
00102 
00103         k = ( i + 20 > dlen ) ? dlen % 20 : 20;
00104 
00105         for( j = 0; j < k; j++ )
00106             dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
00107     }
00108 
00109     memset( tmp, 0, sizeof( tmp ) );
00110     memset( h_i, 0, sizeof( h_i ) );
00111 
00112     return( 0 );
00113 }
00114 
00115 int ssl_derive_keys( ssl_context *ssl )
00116 {
00117     int i;
00118     md5_context md5;
00119     sha1_context sha1;
00120     unsigned char tmp[64];
00121     unsigned char padding[16];
00122     unsigned char sha1sum[20];
00123     unsigned char keyblk[256];
00124     unsigned char *key1;
00125     unsigned char *key2;
00126 
00127     SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
00128 
00129     /*
00130      * SSLv3:
00131      *   master =
00132      *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
00133      *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
00134      *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
00135      *
00136      * TLSv1:
00137      *   master = PRF( premaster, "master secret", randbytes )[0..47]
00138      */
00139     if( ssl->resume == 0 )
00140     {
00141         size_t len = ssl->pmslen;
00142 
00143         SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
00144 
00145         if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00146         {
00147             for( i = 0; i < 3; i++ )
00148             {
00149                 memset( padding, 'A' + i, 1 + i );
00150 
00151                 sha1_starts( &sha1 );
00152                 sha1_update( &sha1, padding, 1 + i );
00153                 sha1_update( &sha1, ssl->premaster, len );
00154                 sha1_update( &sha1, ssl->randbytes,  64 );
00155                 sha1_finish( &sha1, sha1sum );
00156 
00157                 md5_starts( &md5 );
00158                 md5_update( &md5, ssl->premaster, len );
00159                 md5_update( &md5, sha1sum, 20 );
00160                 md5_finish( &md5, ssl->session->master + i * 16 );
00161             }
00162         }
00163         else
00164             tls1_prf( ssl->premaster, len, "master secret",
00165                       ssl->randbytes, 64, ssl->session->master, 48 );
00166 
00167         memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
00168     }
00169     else
00170         SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
00171 
00172     /*
00173      * Swap the client and server random values.
00174      */
00175     memcpy( tmp, ssl->randbytes, 64 );
00176     memcpy( ssl->randbytes, tmp + 32, 32 );
00177     memcpy( ssl->randbytes + 32, tmp, 32 );
00178     memset( tmp, 0, sizeof( tmp ) );
00179 
00180     /*
00181      *  SSLv3:
00182      *    key block =
00183      *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
00184      *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
00185      *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
00186      *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
00187      *      ...
00188      *
00189      *  TLSv1:
00190      *    key block = PRF( master, "key expansion", randbytes )
00191      */
00192     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00193     {
00194         for( i = 0; i < 16; i++ )
00195         {
00196             memset( padding, 'A' + i, 1 + i );
00197 
00198             sha1_starts( &sha1 );
00199             sha1_update( &sha1, padding, 1 + i );
00200             sha1_update( &sha1, ssl->session->master, 48 );
00201             sha1_update( &sha1, ssl->randbytes, 64 );
00202             sha1_finish( &sha1, sha1sum );
00203 
00204             md5_starts( &md5 );
00205             md5_update( &md5, ssl->session->master, 48 );
00206             md5_update( &md5, sha1sum, 20 );
00207             md5_finish( &md5, keyblk + i * 16 );
00208         }
00209 
00210         memset( &md5,  0, sizeof( md5  ) );
00211         memset( &sha1, 0, sizeof( sha1 ) );
00212 
00213         memset( padding, 0, sizeof( padding ) );
00214         memset( sha1sum, 0, sizeof( sha1sum ) );
00215     }
00216     else
00217         tls1_prf( ssl->session->master, 48, "key expansion",
00218                   ssl->randbytes, 64, keyblk, 256 );
00219 
00220     SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) );
00221     SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
00222     SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
00223     SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
00224 
00225     memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
00226 
00227     /*
00228      * Determine the appropriate key, IV and MAC length.
00229      */
00230     switch( ssl->session->ciphersuite )
00231     {
00232 #if defined(POLARSSL_ARC4_C)
00233         case SSL_RSA_RC4_128_MD5:
00234             ssl->keylen = 16; ssl->minlen = 16;
00235             ssl->ivlen  =  0; ssl->maclen = 16;
00236             break;
00237 
00238         case SSL_RSA_RC4_128_SHA:
00239             ssl->keylen = 16; ssl->minlen = 20;
00240             ssl->ivlen  =  0; ssl->maclen = 20;
00241             break;
00242 #endif
00243 
00244 #if defined(POLARSSL_DES_C)
00245         case SSL_RSA_DES_168_SHA:
00246         case SSL_EDH_RSA_DES_168_SHA:
00247             ssl->keylen = 24; ssl->minlen = 24;
00248             ssl->ivlen  =  8; ssl->maclen = 20;
00249             break;
00250 #endif
00251 
00252 #if defined(POLARSSL_AES_C)
00253         case SSL_RSA_AES_128_SHA:
00254         case SSL_EDH_RSA_AES_128_SHA:
00255             ssl->keylen = 16; ssl->minlen = 32;
00256             ssl->ivlen  = 16; ssl->maclen = 20;
00257             break;
00258 
00259         case SSL_RSA_AES_256_SHA:
00260         case SSL_EDH_RSA_AES_256_SHA:
00261             ssl->keylen = 32; ssl->minlen = 32;
00262             ssl->ivlen  = 16; ssl->maclen = 20;
00263             break;
00264 #endif
00265 
00266 #if defined(POLARSSL_CAMELLIA_C)
00267         case SSL_RSA_CAMELLIA_128_SHA:
00268         case SSL_EDH_RSA_CAMELLIA_128_SHA:
00269             ssl->keylen = 16; ssl->minlen = 32;
00270             ssl->ivlen  = 16; ssl->maclen = 20;
00271             break;
00272 
00273         case SSL_RSA_CAMELLIA_256_SHA:
00274         case SSL_EDH_RSA_CAMELLIA_256_SHA:
00275             ssl->keylen = 32; ssl->minlen = 32;
00276             ssl->ivlen  = 16; ssl->maclen = 20;
00277             break;
00278 #endif
00279 
00280         default:
00281             SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
00282                            ssl_get_ciphersuite( ssl ) ) );
00283             return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00284     }
00285 
00286     SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
00287                    ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
00288 
00289     /*
00290      * Finally setup the cipher contexts, IVs and MAC secrets.
00291      */
00292     if( ssl->endpoint == SSL_IS_CLIENT )
00293     {
00294         key1 = keyblk + ssl->maclen * 2;
00295         key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
00296 
00297         memcpy( ssl->mac_enc, keyblk,  ssl->maclen );
00298         memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
00299 
00300         /*
00301          * This is not used in TLS v1.1.
00302          */
00303         memcpy( ssl->iv_enc, key2 + ssl->keylen,  ssl->ivlen );
00304         memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
00305                 ssl->ivlen );
00306     }
00307     else
00308     {
00309         key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
00310         key2 = keyblk + ssl->maclen * 2;
00311 
00312         memcpy( ssl->mac_dec, keyblk,  ssl->maclen );
00313         memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
00314 
00315         /*
00316          * This is not used in TLS v1.1.
00317          */
00318         memcpy( ssl->iv_dec, key1 + ssl->keylen,  ssl->ivlen );
00319         memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
00320                 ssl->ivlen );
00321     }
00322 
00323     switch( ssl->session->ciphersuite )
00324     {
00325 #if defined(POLARSSL_ARC4_C)
00326         case SSL_RSA_RC4_128_MD5:
00327         case SSL_RSA_RC4_128_SHA:
00328             arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
00329             arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
00330             break;
00331 #endif
00332 
00333 #if defined(POLARSSL_DES_C)
00334         case SSL_RSA_DES_168_SHA:
00335         case SSL_EDH_RSA_DES_168_SHA:
00336             des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
00337             des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
00338             break;
00339 #endif
00340 
00341 #if defined(POLARSSL_AES_C)
00342         case SSL_RSA_AES_128_SHA:
00343         case SSL_EDH_RSA_AES_128_SHA:
00344             aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
00345             aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
00346             break;
00347 
00348         case SSL_RSA_AES_256_SHA:
00349         case SSL_EDH_RSA_AES_256_SHA:
00350             aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
00351             aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
00352             break;
00353 #endif
00354 
00355 #if defined(POLARSSL_CAMELLIA_C)
00356         case SSL_RSA_CAMELLIA_128_SHA:
00357         case SSL_EDH_RSA_CAMELLIA_128_SHA:
00358             camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 );
00359             camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 );
00360             break;
00361 
00362         case SSL_RSA_CAMELLIA_256_SHA:
00363         case SSL_EDH_RSA_CAMELLIA_256_SHA:
00364             camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 );
00365             camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 );
00366             break;
00367 #endif
00368 
00369         default:
00370             return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00371     }
00372 
00373     memset( keyblk, 0, sizeof( keyblk ) );
00374 
00375     SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
00376 
00377     return( 0 );
00378 }
00379 
00380 void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
00381 {
00382     md5_context md5;
00383     sha1_context sha1;
00384     unsigned char pad_1[48];
00385     unsigned char pad_2[48];
00386 
00387     SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
00388 
00389     memcpy( &md5 , &ssl->fin_md5 , sizeof(  md5_context ) );
00390     memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
00391 
00392     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00393     {
00394         memset( pad_1, 0x36, 48 );
00395         memset( pad_2, 0x5C, 48 );
00396 
00397         md5_update( &md5, ssl->session->master, 48 );
00398         md5_update( &md5, pad_1, 48 );
00399         md5_finish( &md5, hash );
00400 
00401         md5_starts( &md5 );
00402         md5_update( &md5, ssl->session->master, 48 );
00403         md5_update( &md5, pad_2, 48 );
00404         md5_update( &md5, hash,  16 );
00405         md5_finish( &md5, hash );
00406         
00407         sha1_update( &sha1, ssl->session->master, 48 );
00408         sha1_update( &sha1, pad_1, 40 );
00409         sha1_finish( &sha1, hash + 16 );
00410 
00411         sha1_starts( &sha1 );
00412         sha1_update( &sha1, ssl->session->master, 48 );
00413         sha1_update( &sha1, pad_2, 40 );
00414         sha1_update( &sha1, hash + 16, 20 );
00415         sha1_finish( &sha1, hash + 16 );
00416     }
00417     else /* TLSv1 */
00418     {
00419          md5_finish( &md5,  hash );
00420         sha1_finish( &sha1, hash + 16 );
00421     }
00422 
00423     SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
00424     SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
00425 
00426     return;
00427 }
00428 
00429 /*
00430  * SSLv3.0 MAC functions
00431  */
00432 static void ssl_mac_md5( unsigned char *secret,
00433                          unsigned char *buf, size_t len,
00434                          unsigned char *ctr, int type )
00435 {
00436     unsigned char header[11];
00437     unsigned char padding[48];
00438     md5_context md5;
00439 
00440     memcpy( header, ctr, 8 );
00441     header[ 8] = (unsigned char)  type;
00442     header[ 9] = (unsigned char)( len >> 8 );
00443     header[10] = (unsigned char)( len      );
00444 
00445     memset( padding, 0x36, 48 );
00446     md5_starts( &md5 );
00447     md5_update( &md5, secret,  16 );
00448     md5_update( &md5, padding, 48 );
00449     md5_update( &md5, header,  11 );
00450     md5_update( &md5, buf,  len );
00451     md5_finish( &md5, buf + len );
00452 
00453     memset( padding, 0x5C, 48 );
00454     md5_starts( &md5 );
00455     md5_update( &md5, secret,  16 );
00456     md5_update( &md5, padding, 48 );
00457     md5_update( &md5, buf + len, 16 );
00458     md5_finish( &md5, buf + len );
00459 }
00460 
00461 static void ssl_mac_sha1( unsigned char *secret,
00462                           unsigned char *buf, size_t len,
00463                           unsigned char *ctr, int type )
00464 {
00465     unsigned char header[11];
00466     unsigned char padding[40];
00467     sha1_context sha1;
00468 
00469     memcpy( header, ctr, 8 );
00470     header[ 8] = (unsigned char)  type;
00471     header[ 9] = (unsigned char)( len >> 8 );
00472     header[10] = (unsigned char)( len      );
00473 
00474     memset( padding, 0x36, 40 );
00475     sha1_starts( &sha1 );
00476     sha1_update( &sha1, secret,  20 );
00477     sha1_update( &sha1, padding, 40 );
00478     sha1_update( &sha1, header,  11 );
00479     sha1_update( &sha1, buf,  len );
00480     sha1_finish( &sha1, buf + len );
00481 
00482     memset( padding, 0x5C, 40 );
00483     sha1_starts( &sha1 );
00484     sha1_update( &sha1, secret,  20 );
00485     sha1_update( &sha1, padding, 40 );
00486     sha1_update( &sha1, buf + len, 20 );
00487     sha1_finish( &sha1, buf + len );
00488 }
00489 
00490 /*
00491  * Encryption/decryption functions
00492  */ 
00493 static int ssl_encrypt_buf( ssl_context *ssl )
00494 {
00495     size_t i, padlen;
00496 
00497     SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
00498 
00499     /*
00500      * Add MAC then encrypt
00501      */
00502     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00503     {
00504         if( ssl->maclen == 16 )
00505              ssl_mac_md5( ssl->mac_enc,
00506                           ssl->out_msg, ssl->out_msglen,
00507                           ssl->out_ctr, ssl->out_msgtype );
00508 
00509         if( ssl->maclen == 20 )
00510             ssl_mac_sha1( ssl->mac_enc,
00511                           ssl->out_msg, ssl->out_msglen,
00512                           ssl->out_ctr, ssl->out_msgtype );
00513     }
00514     else
00515     {
00516         if( ssl->maclen == 16 )
00517              md5_hmac( ssl->mac_enc, 16,
00518                        ssl->out_ctr,  ssl->out_msglen + 13,
00519                        ssl->out_msg + ssl->out_msglen );
00520 
00521         if( ssl->maclen == 20 )
00522             sha1_hmac( ssl->mac_enc, 20,
00523                        ssl->out_ctr,  ssl->out_msglen + 13,
00524                        ssl->out_msg + ssl->out_msglen );               
00525     }
00526 
00527     SSL_DEBUG_BUF( 4, "computed mac",
00528                    ssl->out_msg + ssl->out_msglen, ssl->maclen );
00529 
00530     ssl->out_msglen += ssl->maclen;
00531 
00532     for( i = 8; i > 0; i-- )
00533         if( ++ssl->out_ctr[i - 1] != 0 )
00534             break;
00535 
00536     if( ssl->ivlen == 0 )
00537     {
00538 #if defined(POLARSSL_ARC4_C)
00539         padlen = 0;
00540 
00541         SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
00542                             "including %d bytes of padding",
00543                        ssl->out_msglen, 0 ) );
00544 
00545         SSL_DEBUG_BUF( 4, "before encrypt: output payload",
00546                        ssl->out_msg, ssl->out_msglen );
00547 
00548         arc4_crypt( (arc4_context *) ssl->ctx_enc,
00549                     ssl->out_msglen, ssl->out_msg,
00550                     ssl->out_msg );
00551 #else
00552         return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00553 #endif
00554     }
00555     else
00556     {
00557         unsigned char *enc_msg;
00558         size_t enc_msglen;
00559 
00560         padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
00561         if( padlen == ssl->ivlen )
00562             padlen = 0;
00563 
00564         for( i = 0; i <= padlen; i++ )
00565             ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
00566 
00567         ssl->out_msglen += padlen + 1;
00568 
00569         enc_msglen = ssl->out_msglen;
00570         enc_msg = ssl->out_msg;
00571 
00572         /*
00573          * Prepend per-record IV for block cipher in TLS v1.1 as per
00574          * Method 1 (6.2.3.2. in RFC4346)
00575          */
00576         if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
00577         {
00578             /*
00579              * Generate IV
00580              */
00581             int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen );
00582             if( ret != 0 )
00583                 return( ret );
00584 
00585             /*
00586              * Shift message for ivlen bytes and prepend IV
00587              */
00588             memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen );
00589             memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen );
00590 
00591             /*
00592              * Fix pointer positions and message length with added IV
00593              */
00594             enc_msg = ssl->out_msg + ssl->ivlen;
00595             enc_msglen = ssl->out_msglen;
00596             ssl->out_msglen += ssl->ivlen;
00597         }
00598 
00599         SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
00600                             "including %d bytes of IV and %d bytes of padding",
00601                        ssl->out_msglen, ssl->ivlen, padlen + 1 ) );
00602 
00603         SSL_DEBUG_BUF( 4, "before encrypt: output payload",
00604                        ssl->out_msg, ssl->out_msglen );
00605 
00606         switch( ssl->ivlen )
00607         {
00608             case  8:
00609 #if defined(POLARSSL_DES_C)
00610                 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
00611                     DES_ENCRYPT, enc_msglen,
00612                     ssl->iv_enc, enc_msg, enc_msg );
00613                 break;
00614 #endif
00615 
00616             case 16:
00617 #if defined(POLARSSL_AES_C)
00618         if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
00619              ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
00620              ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
00621              ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
00622         {
00623                     aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
00624                         AES_ENCRYPT, enc_msglen,
00625                         ssl->iv_enc, enc_msg, enc_msg);
00626                     break;
00627         }
00628 #endif
00629 
00630 #if defined(POLARSSL_CAMELLIA_C)
00631         if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
00632              ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
00633              ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
00634              ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
00635         {
00636                     camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc,
00637                         CAMELLIA_ENCRYPT, enc_msglen,
00638                         ssl->iv_enc, enc_msg, enc_msg );
00639                     break;
00640         }
00641 #endif
00642 
00643             default:
00644                 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00645         }
00646     }
00647 
00648     SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
00649 
00650     return( 0 );
00651 }
00652 
00653 static int ssl_decrypt_buf( ssl_context *ssl )
00654 {
00655     size_t i, padlen;
00656     unsigned char tmp[20];
00657 
00658     SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
00659 
00660     if( ssl->in_msglen < ssl->minlen )
00661     {
00662         SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
00663                        ssl->in_msglen, ssl->minlen ) );
00664         return( POLARSSL_ERR_SSL_INVALID_MAC );
00665     }
00666 
00667     if( ssl->ivlen == 0 )
00668     {
00669 #if defined(POLARSSL_ARC4_C)
00670         padlen = 0;
00671         arc4_crypt( (arc4_context *) ssl->ctx_dec,
00672                     ssl->in_msglen, ssl->in_msg,
00673                     ssl->in_msg );
00674 #else
00675         return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00676 #endif
00677     }
00678     else
00679     {
00680         unsigned char *dec_msg;
00681         unsigned char *dec_msg_result;
00682         size_t dec_msglen;
00683 
00684         /*
00685          * Decrypt and check the padding
00686          */
00687         if( ssl->in_msglen % ssl->ivlen != 0 )
00688         {
00689             SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
00690                            ssl->in_msglen, ssl->ivlen ) );
00691             return( POLARSSL_ERR_SSL_INVALID_MAC );
00692         }
00693 
00694         dec_msglen = ssl->in_msglen;
00695         dec_msg = ssl->in_msg;
00696         dec_msg_result = ssl->in_msg;
00697 
00698         /*
00699          * Initialize for prepended IV for block cipher in TLS v1.1
00700          */
00701         if( ssl->minor_ver == SSL_MINOR_VERSION_2 )
00702         {
00703             dec_msg += ssl->ivlen;
00704             dec_msglen -= ssl->ivlen;
00705             ssl->in_msglen -= ssl->ivlen;
00706 
00707             for( i = 0; i < ssl->ivlen; i++ )
00708                 ssl->iv_dec[i] = ssl->in_msg[i];
00709         }
00710 
00711         switch( ssl->ivlen )
00712         {
00713 #if defined(POLARSSL_DES_C)
00714             case  8:
00715                 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
00716                     DES_DECRYPT, dec_msglen,
00717                     ssl->iv_dec, dec_msg, dec_msg_result );
00718                 break;
00719 #endif
00720 
00721             case 16:
00722 #if defined(POLARSSL_AES_C)
00723         if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA ||
00724              ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
00725              ssl->session->ciphersuite == SSL_RSA_AES_256_SHA ||
00726              ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA)
00727         {
00728                     aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
00729                        AES_DECRYPT, dec_msglen,
00730                        ssl->iv_dec, dec_msg, dec_msg_result );
00731                     break;
00732         }
00733 #endif
00734 
00735 #if defined(POLARSSL_CAMELLIA_C)
00736         if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA ||
00737              ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
00738              ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA ||
00739              ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
00740         {
00741                     camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec,
00742                        CAMELLIA_DECRYPT, dec_msglen,
00743                        ssl->iv_dec, dec_msg, dec_msg_result );
00744                     break;
00745         }
00746 #endif
00747 
00748             default:
00749                 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00750         }
00751 
00752         padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
00753 
00754         if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00755         {
00756             if( padlen > ssl->ivlen )
00757             {
00758                 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
00759                                     "should be no more than %d",
00760                                padlen, ssl->ivlen ) );
00761                 padlen = 0;
00762             }
00763         }
00764         else
00765         {
00766             /*
00767              * TLSv1: always check the padding
00768              */
00769             for( i = 1; i <= padlen; i++ )
00770             {
00771                 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
00772                 {
00773                     SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
00774                                         "%02x, but is %02x", padlen - 1,
00775                                    ssl->in_msg[ssl->in_msglen - i] ) );
00776                     padlen = 0;
00777                 }
00778             }
00779         }
00780     }
00781 
00782     SSL_DEBUG_BUF( 4, "raw buffer after decryption",
00783                    ssl->in_msg, ssl->in_msglen );
00784 
00785     /*
00786      * Always compute the MAC (RFC4346, CBCTIME).
00787      */
00788     if( ssl->in_msglen < ssl->maclen + padlen )
00789     {
00790         SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
00791                     ssl->in_msglen, ssl->maclen, padlen ) );
00792         return( POLARSSL_ERR_SSL_INVALID_MAC );
00793     }
00794 
00795     ssl->in_msglen -= ( ssl->maclen + padlen );
00796 
00797     ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
00798     ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen      );
00799 
00800     memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
00801 
00802     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00803     {
00804         if( ssl->maclen == 16 )
00805              ssl_mac_md5( ssl->mac_dec,
00806                           ssl->in_msg, ssl->in_msglen,
00807                           ssl->in_ctr, ssl->in_msgtype );
00808         else
00809             ssl_mac_sha1( ssl->mac_dec,
00810                           ssl->in_msg, ssl->in_msglen,
00811                           ssl->in_ctr, ssl->in_msgtype );
00812     }
00813     else
00814     {
00815         if( ssl->maclen == 16 )
00816              md5_hmac( ssl->mac_dec, 16,
00817                        ssl->in_ctr,  ssl->in_msglen + 13,
00818                        ssl->in_msg + ssl->in_msglen );
00819         else
00820             sha1_hmac( ssl->mac_dec, 20,
00821                        ssl->in_ctr,  ssl->in_msglen + 13,
00822                        ssl->in_msg + ssl->in_msglen );
00823     }
00824 
00825     SSL_DEBUG_BUF( 4, "message  mac", tmp, ssl->maclen );
00826     SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
00827                    ssl->maclen );
00828 
00829     if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
00830                      ssl->maclen ) != 0 )
00831     {
00832         SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
00833         return( POLARSSL_ERR_SSL_INVALID_MAC );
00834     }
00835 
00836     /*
00837      * Finally check the padding length; bad padding
00838      * will produce the same error as an invalid MAC.
00839      */
00840     if( ssl->ivlen != 0 && padlen == 0 )
00841         return( POLARSSL_ERR_SSL_INVALID_MAC );
00842 
00843     if( ssl->in_msglen == 0 )
00844     {
00845         ssl->nb_zero++;
00846 
00847         /*
00848          * Three or more empty messages may be a DoS attack
00849          * (excessive CPU consumption).
00850          */
00851         if( ssl->nb_zero > 3 )
00852         {
00853             SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
00854                                 "messages, possible DoS attack" ) );
00855             return( POLARSSL_ERR_SSL_INVALID_MAC );
00856         }
00857     }
00858     else
00859         ssl->nb_zero = 0;
00860             
00861     for( i = 8; i > 0; i-- )
00862         if( ++ssl->in_ctr[i - 1] != 0 )
00863             break;
00864 
00865     SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
00866 
00867     return( 0 );
00868 }
00869 
00870 /*
00871  * Fill the input message buffer
00872  */
00873 int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
00874 {
00875     int ret;
00876     size_t len;
00877 
00878     SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
00879 
00880     while( ssl->in_left < nb_want )
00881     {
00882         len = nb_want - ssl->in_left;
00883         ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
00884 
00885         SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
00886                        ssl->in_left, nb_want ) );
00887         SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
00888 
00889         if( ret == 0 )
00890             return( POLARSSL_ERR_SSL_CONN_EOF );
00891 
00892         if( ret < 0 )
00893             return( ret );
00894 
00895         ssl->in_left += ret;
00896     }
00897 
00898     SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
00899 
00900     return( 0 );
00901 }
00902 
00903 /*
00904  * Flush any data not yet written
00905  */
00906 int ssl_flush_output( ssl_context *ssl )
00907 {
00908     int ret;
00909     unsigned char *buf;
00910 
00911     SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
00912 
00913     while( ssl->out_left > 0 )
00914     {
00915         SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
00916                        5 + ssl->out_msglen, ssl->out_left ) );
00917 
00918         buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
00919         ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
00920         SSL_DEBUG_RET( 2, "ssl->f_send", ret );
00921 
00922         if( ret <= 0 )
00923             return( ret );
00924 
00925         ssl->out_left -= ret;
00926     }
00927 
00928     SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
00929 
00930     return( 0 );
00931 }
00932 
00933 /*
00934  * Record layer functions
00935  */
00936 int ssl_write_record( ssl_context *ssl )
00937 {
00938     int ret;
00939     size_t len = ssl->out_msglen;
00940 
00941     SSL_DEBUG_MSG( 2, ( "=> write record" ) );
00942 
00943     ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
00944     ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
00945     ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
00946     ssl->out_hdr[3] = (unsigned char)( len >> 8 );
00947     ssl->out_hdr[4] = (unsigned char)( len      );
00948 
00949     if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
00950     {
00951         ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
00952         ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >>  8 );
00953         ssl->out_msg[3] = (unsigned char)( ( len - 4 )       );
00954 
00955          md5_update( &ssl->fin_md5 , ssl->out_msg, len );
00956         sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
00957     }
00958 
00959     if( ssl->do_crypt != 0 )
00960     {
00961         if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
00962         {
00963             SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
00964             return( ret );
00965         }
00966 
00967         len = ssl->out_msglen;
00968         ssl->out_hdr[3] = (unsigned char)( len >> 8 );
00969         ssl->out_hdr[4] = (unsigned char)( len      );
00970     }
00971 
00972     ssl->out_left = 5 + ssl->out_msglen;
00973 
00974     SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
00975                         "version = [%d:%d], msglen = %d",
00976                    ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
00977                  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
00978 
00979     SSL_DEBUG_BUF( 4, "output record sent to network",
00980                    ssl->out_hdr, 5 + ssl->out_msglen );
00981 
00982     if( ( ret = ssl_flush_output( ssl ) ) != 0 )
00983     {
00984         SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
00985         return( ret );
00986     }
00987 
00988     SSL_DEBUG_MSG( 2, ( "<= write record" ) );
00989 
00990     return( 0 );
00991 }
00992 
00993 int ssl_read_record( ssl_context *ssl )
00994 {
00995     int ret;
00996 
00997     SSL_DEBUG_MSG( 2, ( "=> read record" ) );
00998 
00999     if( ssl->in_hslen != 0 &&
01000         ssl->in_hslen < ssl->in_msglen )
01001     {
01002         /*
01003          * Get next Handshake message in the current record
01004          */
01005         ssl->in_msglen -= ssl->in_hslen;
01006 
01007         memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
01008                 ssl->in_msglen );
01009 
01010         ssl->in_hslen  = 4;
01011         ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
01012 
01013         SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
01014                             " %d, type = %d, hslen = %d",
01015                        ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
01016 
01017         if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
01018         {
01019             SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
01020             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01021         }
01022 
01023         if( ssl->in_msglen < ssl->in_hslen )
01024         {
01025             SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
01026             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01027         }
01028 
01029          md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
01030         sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
01031 
01032         return( 0 );
01033     }
01034 
01035     ssl->in_hslen = 0;
01036 
01037     /*
01038      * Read the record header and validate it
01039      */
01040     if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
01041     {
01042         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
01043         return( ret );
01044     }
01045 
01046     ssl->in_msgtype =  ssl->in_hdr[0];
01047     ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
01048 
01049     SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
01050                         "version = [%d:%d], msglen = %d",
01051                      ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
01052                    ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
01053 
01054     if( ssl->in_hdr[1] != ssl->major_ver )
01055     {
01056         SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
01057         return( POLARSSL_ERR_SSL_INVALID_RECORD );
01058     }
01059 
01060     if( ssl->in_hdr[2] > ssl->max_minor_ver )
01061     {
01062         SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
01063         return( POLARSSL_ERR_SSL_INVALID_RECORD );
01064     }
01065 
01066     /*
01067      * Make sure the message length is acceptable
01068      */
01069     if( ssl->do_crypt == 0 )
01070     {
01071         if( ssl->in_msglen < 1 ||
01072             ssl->in_msglen > SSL_MAX_CONTENT_LEN )
01073         {
01074             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
01075             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01076         }
01077     }
01078     else
01079     {
01080         if( ssl->in_msglen < ssl->minlen )
01081         {
01082             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
01083             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01084         }
01085 
01086         if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
01087             ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
01088         {
01089             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
01090             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01091         }
01092 
01093         /*
01094          * TLS encrypted messages can have up to 256 bytes of padding
01095          */
01096         if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
01097             ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
01098         {
01099             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
01100             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01101         }
01102     }
01103 
01104     /*
01105      * Read and optionally decrypt the message contents
01106      */
01107     if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
01108     {
01109         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
01110         return( ret );
01111     }
01112 
01113     SSL_DEBUG_BUF( 4, "input record from network",
01114                    ssl->in_hdr, 5 + ssl->in_msglen );
01115 
01116     if( ssl->do_crypt != 0 )
01117     {
01118         if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
01119         {
01120             SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
01121             return( ret );
01122         }
01123 
01124         SSL_DEBUG_BUF( 4, "input payload after decrypt",
01125                        ssl->in_msg, ssl->in_msglen );
01126 
01127         if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
01128         {
01129             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
01130             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01131         }
01132     }
01133 
01134     if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
01135     {
01136         ssl->in_hslen  = 4;
01137         ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
01138 
01139         SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
01140                             " %d, type = %d, hslen = %d",
01141                        ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
01142 
01143         /*
01144          * Additional checks to validate the handshake header
01145          */
01146         if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
01147         {
01148             SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
01149             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01150         }
01151 
01152         if( ssl->in_msglen < ssl->in_hslen )
01153         {
01154             SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
01155             return( POLARSSL_ERR_SSL_INVALID_RECORD );
01156         }
01157 
01158          md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
01159         sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
01160     }
01161 
01162     if( ssl->in_msgtype == SSL_MSG_ALERT )
01163     {
01164         SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
01165                        ssl->in_msg[0], ssl->in_msg[1] ) );
01166 
01167         /*
01168          * Ignore non-fatal alerts, except close_notify
01169          */
01170         if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
01171         {
01172             SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
01177             return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] );
01178         }
01179 
01180         if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
01181             ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
01182         {
01183             SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
01184             return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
01185         }
01186     }
01187 
01188     ssl->in_left = 0;
01189 
01190     SSL_DEBUG_MSG( 2, ( "<= read record" ) );
01191 
01192     return( 0 );
01193 }
01194 
01195 /*
01196  * Handshake functions
01197  */
01198 int ssl_write_certificate( ssl_context *ssl )
01199 {
01200     int ret;
01201     size_t i, n;
01202     const x509_cert *crt;
01203 
01204     SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
01205 
01206     if( ssl->endpoint == SSL_IS_CLIENT )
01207     {
01208         if( ssl->client_auth == 0 )
01209         {
01210             SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
01211             ssl->state++;
01212             return( 0 );
01213         }
01214 
01215         /*
01216          * If using SSLv3 and got no cert, send an Alert message
01217          * (otherwise an empty Certificate message will be sent).
01218          */
01219         if( ssl->own_cert  == NULL &&
01220             ssl->minor_ver == SSL_MINOR_VERSION_0 )
01221         {
01222             ssl->out_msglen  = 2;
01223             ssl->out_msgtype = SSL_MSG_ALERT;
01224             ssl->out_msg[0]  = SSL_ALERT_LEVEL_WARNING;
01225             ssl->out_msg[1]  = SSL_ALERT_MSG_NO_CERT;
01226 
01227             SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
01228             goto write_msg;
01229         }
01230     }
01231     else /* SSL_IS_SERVER */
01232     {
01233         if( ssl->own_cert == NULL )
01234         {
01235             SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
01236             return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
01237         }
01238     }
01239 
01240     SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
01241 
01242     /*
01243      *     0  .  0    handshake type
01244      *     1  .  3    handshake length
01245      *     4  .  6    length of all certs
01246      *     7  .  9    length of cert. 1
01247      *    10  . n-1   peer certificate
01248      *     n  . n+2   length of cert. 2
01249      *    n+3 . ...   upper level cert, etc.
01250      */
01251     i = 7;
01252     crt = ssl->own_cert;
01253 
01254     while( crt != NULL )
01255     {
01256         n = crt->raw.len;
01257         if( i + 3 + n > SSL_MAX_CONTENT_LEN )
01258         {
01259             SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
01260                            i + 3 + n, SSL_MAX_CONTENT_LEN ) );
01261             return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
01262         }
01263 
01264         ssl->out_msg[i    ] = (unsigned char)( n >> 16 );
01265         ssl->out_msg[i + 1] = (unsigned char)( n >>  8 );
01266         ssl->out_msg[i + 2] = (unsigned char)( n       );
01267 
01268         i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
01269         i += n; crt = crt->next;
01270     }
01271 
01272     ssl->out_msg[4]  = (unsigned char)( ( i - 7 ) >> 16 );
01273     ssl->out_msg[5]  = (unsigned char)( ( i - 7 ) >>  8 );
01274     ssl->out_msg[6]  = (unsigned char)( ( i - 7 )       );
01275 
01276     ssl->out_msglen  = i;
01277     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01278     ssl->out_msg[0]  = SSL_HS_CERTIFICATE;
01279 
01280 write_msg:
01281 
01282     ssl->state++;
01283 
01284     if( ( ret = ssl_write_record( ssl ) ) != 0 )
01285     {
01286         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01287         return( ret );
01288     }
01289 
01290     SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
01291 
01292     return( 0 );
01293 }
01294 
01295 int ssl_parse_certificate( ssl_context *ssl )
01296 {
01297     int ret;
01298     size_t i, n;
01299 
01300     SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
01301 
01302     if( ssl->endpoint == SSL_IS_SERVER &&
01303         ssl->authmode == SSL_VERIFY_NONE )
01304     {
01305         ssl->verify_result = BADCERT_SKIP_VERIFY;
01306         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
01307         ssl->state++;
01308         return( 0 );
01309     }
01310 
01311     if( ( ret = ssl_read_record( ssl ) ) != 0 )
01312     {
01313         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01314         return( ret );
01315     }
01316 
01317     ssl->state++;
01318 
01319     /*
01320      * Check if the client sent an empty certificate
01321      */
01322     if( ssl->endpoint  == SSL_IS_SERVER &&
01323         ssl->minor_ver == SSL_MINOR_VERSION_0 )
01324     {
01325         if( ssl->in_msglen  == 2                        &&
01326             ssl->in_msgtype == SSL_MSG_ALERT            &&
01327             ssl->in_msg[0]  == SSL_ALERT_LEVEL_WARNING  &&
01328             ssl->in_msg[1]  == SSL_ALERT_MSG_NO_CERT )
01329         {
01330             SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
01331 
01332             ssl->verify_result = BADCERT_MISSING;
01333             if( ssl->authmode == SSL_VERIFY_OPTIONAL )
01334                 return( 0 );
01335             else
01336                 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
01337         }
01338     }
01339 
01340     if( ssl->endpoint  == SSL_IS_SERVER &&
01341         ssl->minor_ver != SSL_MINOR_VERSION_0 )
01342     {
01343         if( ssl->in_hslen   == 7                    &&
01344             ssl->in_msgtype == SSL_MSG_HANDSHAKE    &&
01345             ssl->in_msg[0]  == SSL_HS_CERTIFICATE   &&
01346             memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
01347         {
01348             SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
01349 
01350             ssl->verify_result = BADCERT_MISSING;
01351             if( ssl->authmode == SSL_VERIFY_REQUIRED )
01352                 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
01353             else
01354                 return( 0 );
01355         }
01356     }
01357 
01358     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
01359     {
01360         SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01361         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01362     }
01363 
01364     if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
01365     {
01366         SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01367         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
01368     }
01369 
01370     /*
01371      * Same message structure as in ssl_write_certificate()
01372      */
01373     n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
01374 
01375     if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
01376     {
01377         SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01378         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
01379     }
01380 
01381     if( ( ssl->peer_cert = (x509_cert *) malloc(
01382                     sizeof( x509_cert ) ) ) == NULL )
01383     {
01384         SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
01385                        sizeof( x509_cert ) ) );
01386         return( POLARSSL_ERR_SSL_MALLOC_FAILED );
01387     }
01388 
01389     memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
01390 
01391     i = 7;
01392 
01393     while( i < ssl->in_hslen )
01394     {
01395         if( ssl->in_msg[i] != 0 )
01396         {
01397             SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01398             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
01399         }
01400 
01401         n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
01402             | (unsigned int) ssl->in_msg[i + 2];
01403         i += 3;
01404 
01405         if( n < 128 || i + n > ssl->in_hslen )
01406         {
01407             SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01408             return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
01409         }
01410 
01411         ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
01412         if( ret != 0 )
01413         {
01414             SSL_DEBUG_RET( 1, " x509parse_crt", ret );
01415             return( ret );
01416         }
01417 
01418         i += n;
01419     }
01420 
01421     SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
01422 
01423     if( ssl->authmode != SSL_VERIFY_NONE )
01424     {
01425         if( ssl->ca_chain == NULL )
01426         {
01427             SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
01428             return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
01429         }
01430 
01431         ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl,
01432                                 ssl->peer_cn,  &ssl->verify_result,
01433                                 ssl->f_vrfy, ssl->p_vrfy );
01434 
01435         if( ret != 0 )
01436             SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
01437 
01438         if( ssl->authmode != SSL_VERIFY_REQUIRED )
01439             ret = 0;
01440     }
01441 
01442     SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
01443 
01444     return( ret );
01445 }
01446 
01447 int ssl_write_change_cipher_spec( ssl_context *ssl )
01448 {
01449     int ret;
01450 
01451     SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
01452 
01453     ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
01454     ssl->out_msglen  = 1;
01455     ssl->out_msg[0]  = 1;
01456 
01457     ssl->do_crypt = 0;
01458     ssl->state++;
01459 
01460     if( ( ret = ssl_write_record( ssl ) ) != 0 )
01461     {
01462         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01463         return( ret );
01464     }
01465 
01466     SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
01467 
01468     return( 0 );
01469 }
01470 
01471 int ssl_parse_change_cipher_spec( ssl_context *ssl )
01472 {
01473     int ret;
01474 
01475     SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
01476 
01477     ssl->do_crypt = 0;
01478 
01479     if( ( ret = ssl_read_record( ssl ) ) != 0 )
01480     {
01481         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01482         return( ret );
01483     }
01484 
01485     if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
01486     {
01487         SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
01488         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01489     }
01490 
01491     if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
01492     {
01493         SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
01494         return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
01495     }
01496 
01497     ssl->state++;
01498 
01499     SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
01500 
01501     return( 0 );
01502 }
01503 
01504 static void ssl_calc_finished(
01505                 ssl_context *ssl, unsigned char *buf, int from,
01506                 md5_context *md5, sha1_context *sha1 )
01507 {
01508     int len = 12;
01509     char *sender;
01510     unsigned char padbuf[48];
01511     unsigned char md5sum[16];
01512     unsigned char sha1sum[20];
01513 
01514     SSL_DEBUG_MSG( 2, ( "=> calc  finished" ) );
01515 
01516     /*
01517      * SSLv3:
01518      *   hash =
01519      *      MD5( master + pad2 +
01520      *          MD5( handshake + sender + master + pad1 ) )
01521      *   + SHA1( master + pad2 +
01522      *         SHA1( handshake + sender + master + pad1 ) )
01523      *
01524      * TLSv1:
01525      *   hash = PRF( master, finished_label,
01526      *               MD5( handshake ) + SHA1( handshake ) )[0..11]
01527      */
01528 
01529     SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
01530                     md5->state, sizeof(  md5->state ) );
01531 
01532     SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
01533                    sha1->state, sizeof( sha1->state ) );
01534 
01535     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
01536     {
01537         sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
01538                                            : (char *) "SRVR";
01539 
01540         memset( padbuf, 0x36, 48 );
01541 
01542         md5_update( md5, (unsigned char *) sender, 4 );
01543         md5_update( md5, ssl->session->master, 48 );
01544         md5_update( md5, padbuf, 48 );
01545         md5_finish( md5, md5sum );
01546 
01547         sha1_update( sha1, (unsigned char *) sender, 4 );
01548         sha1_update( sha1, ssl->session->master, 48 );
01549         sha1_update( sha1, padbuf, 40 );
01550         sha1_finish( sha1, sha1sum );
01551 
01552         memset( padbuf, 0x5C, 48 );
01553 
01554         md5_starts( md5 );
01555         md5_update( md5, ssl->session->master, 48 );
01556         md5_update( md5, padbuf, 48 );
01557         md5_update( md5, md5sum, 16 );
01558         md5_finish( md5, buf );
01559 
01560         sha1_starts( sha1 );
01561         sha1_update( sha1, ssl->session->master, 48 );
01562         sha1_update( sha1, padbuf , 40 );
01563         sha1_update( sha1, sha1sum, 20 );
01564         sha1_finish( sha1, buf + 16 );
01565 
01566         len += 24;
01567     }
01568     else
01569     {
01570         sender = ( from == SSL_IS_CLIENT )
01571                  ? (char *) "client finished"
01572                  : (char *) "server finished";
01573 
01574          md5_finish(  md5, padbuf );
01575         sha1_finish( sha1, padbuf + 16 );
01576 
01577         tls1_prf( ssl->session->master, 48, sender,
01578                   padbuf, 36, buf, len );
01579     }
01580 
01581     SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
01582 
01583     memset(  md5, 0, sizeof(  md5_context ) );
01584     memset( sha1, 0, sizeof( sha1_context ) );
01585 
01586     memset(  padbuf, 0, sizeof(  padbuf ) );
01587     memset(  md5sum, 0, sizeof(  md5sum ) );
01588     memset( sha1sum, 0, sizeof( sha1sum ) );
01589 
01590     SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
01591 }
01592 
01593 int ssl_write_finished( ssl_context *ssl )
01594 {
01595     int ret, hash_len;
01596      md5_context  md5;
01597     sha1_context sha1;
01598 
01599     SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
01600 
01601     memcpy( &md5 , &ssl->fin_md5 , sizeof(  md5_context ) );
01602     memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
01603 
01604     ssl_calc_finished( ssl, ssl->out_msg + 4,
01605                        ssl->endpoint, &md5, &sha1 );
01606 
01607     hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
01608 
01609     ssl->out_msglen  = 4 + hash_len;
01610     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01611     ssl->out_msg[0]  = SSL_HS_FINISHED;
01612 
01613     /*
01614      * In case of session resuming, invert the client and server
01615      * ChangeCipherSpec messages order.
01616      */
01617     if( ssl->resume != 0 )
01618     {
01619         if( ssl->endpoint == SSL_IS_CLIENT )
01620             ssl->state = SSL_HANDSHAKE_OVER;
01621         else
01622             ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
01623     }
01624     else
01625         ssl->state++;
01626 
01627     ssl->do_crypt = 1;
01628 
01629     if( ( ret = ssl_write_record( ssl ) ) != 0 )
01630     {
01631         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01632         return( ret );
01633     }
01634 
01635     SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
01636 
01637     return( 0 );
01638 }
01639 
01640 int ssl_parse_finished( ssl_context *ssl )
01641 {
01642     int ret;
01643     unsigned int hash_len;
01644     unsigned char buf[36];
01645     md5_context  md5;
01646     sha1_context sha1;
01647 
01648     SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
01649 
01650     memcpy( &md5 , &ssl->fin_md5 , sizeof(  md5_context ) );
01651     memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
01652 
01653     ssl->do_crypt = 1;
01654 
01655     if( ( ret = ssl_read_record( ssl ) ) != 0 )
01656     {
01657         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01658         return( ret );
01659     }
01660 
01661     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
01662     {
01663         SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
01664         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01665     }
01666 
01667     hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
01668 
01669     if( ssl->in_msg[0] != SSL_HS_FINISHED ||
01670         ssl->in_hslen  != 4 + hash_len )
01671     {
01672         SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
01673         return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
01674     }
01675 
01676     ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
01677 
01678     if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
01679     {
01680         SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
01681         return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
01682     }
01683 
01684     if( ssl->resume != 0 )
01685     {
01686         if( ssl->endpoint == SSL_IS_CLIENT )
01687             ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
01688 
01689         if( ssl->endpoint == SSL_IS_SERVER )
01690             ssl->state = SSL_HANDSHAKE_OVER;
01691     }
01692     else
01693         ssl->state++;
01694 
01695     SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
01696 
01697     return( 0 );
01698 }
01699 
01700 /*
01701  * Initialize an SSL context
01702  */
01703 int ssl_init( ssl_context *ssl )
01704 {
01705     int len = SSL_BUFFER_LEN;
01706 
01707     memset( ssl, 0, sizeof( ssl_context ) );
01708 
01709     ssl->in_ctr = (unsigned char *) malloc( len );
01710     ssl->in_hdr = ssl->in_ctr +  8;
01711     ssl->in_msg = ssl->in_ctr + 13;
01712 
01713     if( ssl->in_ctr == NULL )
01714     {
01715         SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
01716         return( POLARSSL_ERR_SSL_MALLOC_FAILED );
01717     }
01718 
01719     ssl->out_ctr = (unsigned char *) malloc( len );
01720     ssl->out_hdr = ssl->out_ctr +  8;
01721     ssl->out_msg = ssl->out_ctr + 13;
01722 
01723     if( ssl->out_ctr == NULL )
01724     {
01725         SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
01726         free( ssl-> in_ctr );
01727         return( POLARSSL_ERR_SSL_MALLOC_FAILED );
01728     }
01729 
01730     memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
01731     memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
01732 
01733     ssl->hostname = NULL;
01734     ssl->hostname_len = 0;
01735 
01736      md5_starts( &ssl->fin_md5  );
01737     sha1_starts( &ssl->fin_sha1 );
01738 
01739     return( 0 );
01740 }
01741 
01742 /*
01743  * Reset an initialized and used SSL context for re-use while retaining
01744  * all application-set variables, function pointers and data.
01745  */
01746 void ssl_session_reset( ssl_context *ssl )
01747 {
01748     ssl->state = SSL_HELLO_REQUEST;
01749     
01750     ssl->in_offt = NULL;
01751 
01752     ssl->in_msgtype = 0;
01753     ssl->in_msglen = 0;
01754     ssl->in_left = 0;
01755 
01756     ssl->in_hslen = 0;
01757     ssl->nb_zero = 0;
01758 
01759     ssl->out_msgtype = 0;
01760     ssl->out_msglen = 0;
01761     ssl->out_left = 0;
01762 
01763     ssl->do_crypt = 0;
01764     ssl->pmslen = 0;
01765     ssl->keylen = 0;
01766     ssl->minlen = 0;
01767     ssl->ivlen = 0;
01768     ssl->maclen = 0;
01769 
01770     memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
01771     memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
01772     memset( ssl->randbytes, 0, 64 );
01773     memset( ssl->premaster, 0, 256 );
01774     memset( ssl->iv_enc, 0, 16 );
01775     memset( ssl->iv_dec, 0, 16 );
01776     memset( ssl->mac_enc, 0, 32 );
01777     memset( ssl->mac_dec, 0, 32 );
01778     memset( ssl->ctx_enc, 0, 128 );
01779     memset( ssl->ctx_dec, 0, 128 );
01780 
01781      md5_starts( &ssl->fin_md5  );
01782     sha1_starts( &ssl->fin_sha1 );
01783 }
01784 
01785 /*
01786  * SSL set accessors
01787  */
01788 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
01789 {
01790     ssl->endpoint   = endpoint;
01791 }
01792 
01793 void ssl_set_authmode( ssl_context *ssl, int authmode )
01794 {
01795     ssl->authmode   = authmode;
01796 }
01797 
01798 void ssl_set_verify( ssl_context *ssl,
01799                      int (*f_vrfy)(void *, x509_cert *, int, int),
01800                      void *p_vrfy )
01801 {
01802     ssl->f_vrfy      = f_vrfy;
01803     ssl->p_vrfy      = p_vrfy;
01804 }
01805 
01806 void ssl_set_rng( ssl_context *ssl,
01807                   int (*f_rng)(void *, unsigned char *, size_t),
01808                   void *p_rng )
01809 {
01810     ssl->f_rng      = f_rng;
01811     ssl->p_rng      = p_rng;
01812 }
01813 
01814 void ssl_set_dbg( ssl_context *ssl,
01815                   void (*f_dbg)(void *, int, const char *),
01816                   void  *p_dbg )
01817 {
01818     ssl->f_dbg      = f_dbg;
01819     ssl->p_dbg      = p_dbg;
01820 }
01821 
01822 void ssl_set_bio( ssl_context *ssl,
01823             int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
01824             int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
01825 {
01826     ssl->f_recv     = f_recv;
01827     ssl->f_send     = f_send;
01828     ssl->p_recv     = p_recv;
01829     ssl->p_send     = p_send;
01830 }
01831 
01832 void ssl_set_scb( ssl_context *ssl,
01833                   int (*s_get)(ssl_context *),
01834                   int (*s_set)(ssl_context *) )
01835 {
01836     ssl->s_get      = s_get;
01837     ssl->s_set      = s_set;
01838 }
01839 
01840 void ssl_set_session( ssl_context *ssl, int resume, int timeout,
01841                       ssl_session *session )
01842 {
01843     ssl->resume     = resume;
01844     ssl->timeout    = timeout;
01845     ssl->session    = session;
01846 }
01847 
01848 void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites )
01849 {
01850     ssl->ciphersuites    = ciphersuites;
01851 }
01852 
01853 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
01854                        x509_crl *ca_crl, const char *peer_cn )
01855 {
01856     ssl->ca_chain   = ca_chain;
01857     ssl->ca_crl     = ca_crl;
01858     ssl->peer_cn    = peer_cn;
01859 }
01860 
01861 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
01862                        rsa_context *rsa_key )
01863 {
01864     ssl->own_cert   = own_cert;
01865     ssl->rsa_key    = rsa_key;
01866 }
01867 
01868 #if defined(POLARSSL_PKCS11_C)
01869 void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
01870                        pkcs11_context *pkcs11_key )
01871 {
01872     ssl->own_cert   = own_cert;
01873     ssl->pkcs11_key = pkcs11_key;
01874 }
01875 #endif
01876 
01877 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
01878 {
01879     int ret;
01880 
01881     if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
01882     {
01883         SSL_DEBUG_RET( 1, "mpi_read_string", ret );
01884         return( ret );
01885     }
01886 
01887     if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
01888     {
01889         SSL_DEBUG_RET( 1, "mpi_read_string", ret );
01890         return( ret );
01891     }
01892 
01893     return( 0 );
01894 }
01895 
01896 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
01897 {
01898     int ret;
01899 
01900     if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 )
01901     {
01902         SSL_DEBUG_RET( 1, "mpi_copy", ret );
01903         return( ret );
01904     }
01905 
01906     if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 )
01907     {
01908         SSL_DEBUG_RET( 1, "mpi_copy", ret );
01909         return( ret );
01910     }
01911 
01912     return( 0 );
01913 }
01914 
01915 int ssl_set_hostname( ssl_context *ssl, const char *hostname )
01916 {
01917     if( hostname == NULL )
01918         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
01919 
01920     ssl->hostname_len = strlen( hostname );
01921     ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
01922 
01923     if( ssl->hostname == NULL )
01924         return( POLARSSL_ERR_SSL_MALLOC_FAILED );
01925 
01926     memcpy( ssl->hostname, (unsigned char *) hostname,
01927             ssl->hostname_len );
01928     
01929     ssl->hostname[ssl->hostname_len] = '\0';
01930 
01931     return( 0 );
01932 }
01933 
01934 void ssl_set_max_version( ssl_context *ssl, int major, int minor )
01935 {
01936     ssl->max_major_ver = major;
01937     ssl->max_minor_ver = minor;
01938 }
01939 
01940 /*
01941  * SSL get accessors
01942  */
01943 size_t ssl_get_bytes_avail( const ssl_context *ssl )
01944 {
01945     return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
01946 }
01947 
01948 int ssl_get_verify_result( const ssl_context *ssl )
01949 {
01950     return( ssl->verify_result );
01951 }
01952 
01953 const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
01954 {
01955     switch( ciphersuite_id )
01956     {
01957 #if defined(POLARSSL_ARC4_C)
01958         case SSL_RSA_RC4_128_MD5:
01959             return( "SSL-RSA-RC4-128-MD5" );
01960 
01961         case SSL_RSA_RC4_128_SHA:
01962             return( "SSL-RSA-RC4-128-SHA" );
01963 #endif
01964 
01965 #if defined(POLARSSL_DES_C)
01966         case SSL_RSA_DES_168_SHA:
01967             return( "SSL-RSA-DES-168-SHA" );
01968 
01969         case SSL_EDH_RSA_DES_168_SHA:
01970             return( "SSL-EDH-RSA-DES-168-SHA" );
01971 #endif
01972 
01973 #if defined(POLARSSL_AES_C)
01974         case SSL_RSA_AES_128_SHA:
01975             return( "SSL-RSA-AES-128-SHA" );
01976 
01977         case SSL_EDH_RSA_AES_128_SHA:
01978             return( "SSL-EDH-RSA-AES-128-SHA" );
01979 
01980         case SSL_RSA_AES_256_SHA:
01981             return( "SSL-RSA-AES-256-SHA" );
01982 
01983         case SSL_EDH_RSA_AES_256_SHA:
01984             return( "SSL-EDH-RSA-AES-256-SHA" );
01985 #endif
01986 
01987 #if defined(POLARSSL_CAMELLIA_C)
01988         case SSL_RSA_CAMELLIA_128_SHA:
01989             return( "SSL-RSA-CAMELLIA-128-SHA" );
01990 
01991         case SSL_EDH_RSA_CAMELLIA_128_SHA:
01992             return( "SSL-EDH-RSA-CAMELLIA-128-SHA" );
01993 
01994         case SSL_RSA_CAMELLIA_256_SHA:
01995             return( "SSL-RSA-CAMELLIA-256-SHA" );
01996 
01997         case SSL_EDH_RSA_CAMELLIA_256_SHA:
01998             return( "SSL-EDH-RSA-CAMELLIA-256-SHA" );
01999 #endif
02000 
02001     default:
02002         break;
02003     }
02004 
02005     return( "unknown" );
02006 }
02007 
02008 int ssl_get_ciphersuite_id( const char *ciphersuite_name )
02009 {
02010 #if defined(POLARSSL_ARC4_C)
02011     if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5"))
02012         return( SSL_RSA_RC4_128_MD5 );
02013     if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA"))
02014         return( SSL_RSA_RC4_128_SHA );
02015 #endif
02016 
02017 #if defined(POLARSSL_DES_C)
02018     if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA"))
02019         return( SSL_RSA_DES_168_SHA );
02020     if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA"))
02021         return( SSL_EDH_RSA_DES_168_SHA );
02022 #endif
02023 
02024 #if defined(POLARSSL_AES_C)
02025     if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA"))
02026         return( SSL_RSA_AES_128_SHA );
02027     if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA"))
02028         return( SSL_EDH_RSA_AES_128_SHA );
02029     if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA"))
02030         return( SSL_RSA_AES_256_SHA );
02031     if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA"))
02032         return( SSL_EDH_RSA_AES_256_SHA );
02033 #endif
02034 
02035 #if defined(POLARSSL_CAMELLIA_C)
02036     if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA"))
02037         return( SSL_RSA_CAMELLIA_128_SHA );
02038     if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA"))
02039         return( SSL_EDH_RSA_CAMELLIA_128_SHA );
02040     if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA"))
02041         return( SSL_RSA_CAMELLIA_256_SHA );
02042     if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA"))
02043         return( SSL_EDH_RSA_CAMELLIA_256_SHA );
02044 #endif
02045 
02046     return( 0 );
02047 }
02048 
02049 const char *ssl_get_ciphersuite( const ssl_context *ssl )
02050 {
02051     return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
02052 }
02053 
02054 const char *ssl_get_version( const ssl_context *ssl )
02055 {
02056     switch( ssl->minor_ver )
02057     {
02058         case SSL_MINOR_VERSION_0:
02059             return( "SSLv3.0" );
02060 
02061         case SSL_MINOR_VERSION_1:
02062             return( "TLSv1.0" );
02063 
02064         case SSL_MINOR_VERSION_2:
02065             return( "TLSv1.1" );
02066 
02067         default:
02068             break;
02069     }
02070     return( "unknown" );
02071 }
02072 
02073 int ssl_default_ciphersuites[] =
02074 {
02075 #if defined(POLARSSL_DHM_C)
02076 #if defined(POLARSSL_AES_C)
02077     SSL_EDH_RSA_AES_128_SHA,
02078     SSL_EDH_RSA_AES_256_SHA,
02079 #endif
02080 #if defined(POLARSSL_CAMELLIA_C)
02081     SSL_EDH_RSA_CAMELLIA_128_SHA,
02082     SSL_EDH_RSA_CAMELLIA_256_SHA,
02083 #endif
02084 #if defined(POLARSSL_DES_C)
02085     SSL_EDH_RSA_DES_168_SHA,
02086 #endif
02087 #endif
02088 
02089 #if defined(POLARSSL_AES_C)
02090     SSL_RSA_AES_256_SHA,
02091 #endif
02092 #if defined(POLARSSL_CAMELLIA_C)
02093     SSL_RSA_CAMELLIA_256_SHA,
02094 #endif
02095 #if defined(POLARSSL_AES_C)
02096     SSL_RSA_AES_128_SHA,
02097 #endif
02098 #if defined(POLARSSL_CAMELLIA_C)
02099     SSL_RSA_CAMELLIA_128_SHA,
02100 #endif
02101 #if defined(POLARSSL_DES_C)
02102     SSL_RSA_DES_168_SHA,
02103 #endif
02104 #if defined(POLARSSL_ARC4_C)
02105     SSL_RSA_RC4_128_SHA,
02106     SSL_RSA_RC4_128_MD5,
02107 #endif
02108     0
02109 };
02110 
02111 /*
02112  * Perform the SSL handshake
02113  */
02114 int ssl_handshake( ssl_context *ssl )
02115 {
02116     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
02117 
02118     SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
02119 
02120 #if defined(POLARSSL_SSL_CLI_C)
02121     if( ssl->endpoint == SSL_IS_CLIENT )
02122         ret = ssl_handshake_client( ssl );
02123 #endif
02124 
02125 #if defined(POLARSSL_SSL_SRV_C)
02126     if( ssl->endpoint == SSL_IS_SERVER )
02127         ret = ssl_handshake_server( ssl );
02128 #endif
02129 
02130     SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
02131 
02132     return( ret );
02133 }
02134 
02135 /*
02136  * Receive application data decrypted from the SSL layer
02137  */
02138 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
02139 {
02140     int ret;
02141     size_t n;
02142 
02143     SSL_DEBUG_MSG( 2, ( "=> read" ) );
02144 
02145     if( ssl->state != SSL_HANDSHAKE_OVER )
02146     {
02147         if( ( ret = ssl_handshake( ssl ) ) != 0 )
02148         {
02149             SSL_DEBUG_RET( 1, "ssl_handshake", ret );
02150             return( ret );
02151         }
02152     }
02153 
02154     if( ssl->in_offt == NULL )
02155     {
02156         if( ( ret = ssl_read_record( ssl ) ) != 0 )
02157         {
02158             if( ret == POLARSSL_ERR_SSL_CONN_EOF )
02159                 return( 0 );
02160 
02161             SSL_DEBUG_RET( 1, "ssl_read_record", ret );
02162             return( ret );
02163         }
02164 
02165         if( ssl->in_msglen  == 0 &&
02166             ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
02167         {
02168             /*
02169              * OpenSSL sends empty messages to randomize the IV
02170              */
02171             if( ( ret = ssl_read_record( ssl ) ) != 0 )
02172             {
02173                 if( ret == POLARSSL_ERR_SSL_CONN_EOF )
02174                     return( 0 );
02175 
02176                 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
02177                 return( ret );
02178             }
02179         }
02180 
02181         if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
02182         {
02183             SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
02184             return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
02185         }
02186 
02187         ssl->in_offt = ssl->in_msg;
02188     }
02189 
02190     n = ( len < ssl->in_msglen )
02191         ? len : ssl->in_msglen;
02192 
02193     memcpy( buf, ssl->in_offt, n );
02194     ssl->in_msglen -= n;
02195 
02196     if( ssl->in_msglen == 0 )
02197         /* all bytes consumed  */
02198         ssl->in_offt = NULL;
02199     else
02200         /* more data available */
02201         ssl->in_offt += n;
02202 
02203     SSL_DEBUG_MSG( 2, ( "<= read" ) );
02204 
02205     return( (int) n );
02206 }
02207 
02208 /*
02209  * Send application data to be encrypted by the SSL layer
02210  */
02211 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
02212 {
02213     int ret;
02214     size_t n;
02215 
02216     SSL_DEBUG_MSG( 2, ( "=> write" ) );
02217 
02218     if( ssl->state != SSL_HANDSHAKE_OVER )
02219     {
02220         if( ( ret = ssl_handshake( ssl ) ) != 0 )
02221         {
02222             SSL_DEBUG_RET( 1, "ssl_handshake", ret );
02223             return( ret );
02224         }
02225     }
02226 
02227     n = ( len < SSL_MAX_CONTENT_LEN )
02228         ? len : SSL_MAX_CONTENT_LEN;
02229 
02230     if( ssl->out_left != 0 )
02231     {
02232         if( ( ret = ssl_flush_output( ssl ) ) != 0 )
02233         {
02234             SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
02235             return( ret );
02236         }
02237     }
02238     else
02239     {
02240         ssl->out_msglen  = n;
02241         ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
02242         memcpy( ssl->out_msg, buf, n );
02243 
02244         if( ( ret = ssl_write_record( ssl ) ) != 0 )
02245         {
02246             SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02247             return( ret );
02248         }
02249     }
02250 
02251     SSL_DEBUG_MSG( 2, ( "<= write" ) );
02252 
02253     return( (int) n );
02254 }
02255 
02256 /*
02257  * Notify the peer that the connection is being closed
02258  */
02259 int ssl_close_notify( ssl_context *ssl )
02260 {
02261     int ret;
02262 
02263     SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
02264 
02265     if( ( ret = ssl_flush_output( ssl ) ) != 0 )
02266     {
02267         SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
02268         return( ret );
02269     }
02270 
02271     if( ssl->state == SSL_HANDSHAKE_OVER )
02272     {
02273         ssl->out_msgtype = SSL_MSG_ALERT;
02274         ssl->out_msglen  = 2;
02275         ssl->out_msg[0]  = SSL_ALERT_LEVEL_WARNING;
02276         ssl->out_msg[1]  = SSL_ALERT_MSG_CLOSE_NOTIFY;
02277 
02278         if( ( ret = ssl_write_record( ssl ) ) != 0 )
02279         {
02280             SSL_DEBUG_RET( 1, "ssl_write_record", ret );
02281             return( ret );
02282         }
02283     }
02284 
02285     SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
02286 
02287     return( ret );
02288 }
02289 
02290 /*
02291  * Free an SSL context
02292  */
02293 void ssl_free( ssl_context *ssl )
02294 {
02295     SSL_DEBUG_MSG( 2, ( "=> free" ) );
02296 
02297     if( ssl->peer_cert != NULL )
02298     {
02299         x509_free( ssl->peer_cert );
02300         memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
02301           free( ssl->peer_cert );
02302     }
02303 
02304     if( ssl->out_ctr != NULL )
02305     {
02306         memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
02307           free( ssl->out_ctr );
02308     }
02309 
02310     if( ssl->in_ctr != NULL )
02311     {
02312         memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
02313           free( ssl->in_ctr );
02314     }
02315 
02316 #if defined(POLARSSL_DHM_C)
02317     dhm_free( &ssl->dhm_ctx );
02318 #endif
02319 
02320     if ( ssl->hostname != NULL)
02321     {
02322         memset( ssl->hostname, 0, ssl->hostname_len );
02323         free( ssl->hostname );
02324         ssl->hostname_len = 0;
02325     }
02326 
02327     SSL_DEBUG_MSG( 2, ( "<= free" ) );
02328 
02329     /* Actually free after last debug message */
02330     memset( ssl, 0, sizeof( ssl_context ) );
02331 }
02332 
02333 #endif