src/xyssl/library/ssl_tls.c

   1 /*
   2  *  SSLv3/TLSv1 shared functions
   3  *
   4  *  Copyright (C) 2006-2007  Christophe Devine
   5  *
   6  *  This library is free software; you can redistribute it and/or
   7  *  modify it under the terms of the GNU Lesser General Public
   8  *  License, version 2.1 as published by the Free Software Foundation.
   9  *
  10  *  This library is distributed in the hope that it will be useful,
  11  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13  *  Lesser General Public License for more details.
  14  *
  15  *  You should have received a copy of the GNU Lesser General Public
  16  *  License along with this library; if not, write to the Free Software
  17  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  18  *  MA  02110-1301  USA
  19  */
  20 /*
  21  *  The SSL 3.0 specification was drafted by Netscape in 1996,
  22  *  and became an IETF standard in 1999.
  23  *
  24  *  http://wp.netscape.com/eng/ssl3/
  25  *  http://www.ietf.org/rfc/rfc2246.txt
  26  *  http://www.ietf.org/rfc/rfc4346.txt
  27  */
  28
  29 #include "xyssl/config.h"
  30
  31 #if defined(XYSSL_SSL_TLS_C)
  32
  33 #include "xyssl/aes.h"
  34 #include "xyssl/arc4.h"
  35 #include "xyssl/des.h"
  36 #include "xyssl/ssl.h"
  37
  38 #include <string.h>
  39 #include <stdlib.h>
  40 #include <time.h>
  41
  42 /*
  43  * Key material generation
  44  */
  45 static int tls1_prf( unsigned char *secret, int slen, char *label,
  46                      unsigned char *random, int rlen,
  47                      unsigned char *dstbuf, int dlen )
  48 {
  49     int nb, hs;
  50     int i, j, k;
  51     unsigned char *S1, *S2;
  52     unsigned char tmp[128];
  53     unsigned char h_i[20];
  54
  55     if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
  56         return( XYSSL_ERR_SSL_BAD_INPUT_DATA );
  57
  58     hs = ( slen + 1 ) / 2;
  59     S1 = secret;
  60     S2 = secret + slen - hs;
  61
  62     nb = strlen( label );
  63     memcpy( tmp + 20, label, nb );
  64     memcpy( tmp + 20 + nb, random, rlen );
  65     nb += rlen;
  66
  67     /*
  68      * First compute P_md5(secret,label+random)[0..dlen]
  69      */
  70     md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
  71
  72     for( i = 0; i < dlen; i += 16 )
  73     {
  74         md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
  75         md5_hmac( S1, hs, 4 + tmp, 16,  4 + tmp );
  76
  77         k = ( i + 16 > dlen ) ? dlen % 16 : 16;
  78
  79         for( j = 0; j < k; j++ )
  80             dstbuf[i + j]  = h_i[j];
  81     }
  82
  83     /*
  84      * XOR out with P_sha1(secret,label+random)[0..dlen]
  85      */
  86     sha1_hmac( S2, hs, tmp + 20, nb, tmp );
  87
  88     for( i = 0; i < dlen; i += 20 )
  89     {
  90         sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
  91         sha1_hmac( S2, hs, tmp, 20,      tmp );
  92
  93         k = ( i + 20 > dlen ) ? dlen % 20 : 20;
  94
  95         for( j = 0; j < k; j++ )
  96             dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
  97     }
  98
  99     memset( tmp, 0, sizeof( tmp ) );
 100     memset( h_i, 0, sizeof( h_i ) );
 101
 102     return( 0 );
 103 }
 104
 105 int ssl_derive_keys( ssl_context *ssl )
 106 {
 107     int i;
 108     md5_context md5;
 109     sha1_context sha1;
 110     unsigned char tmp[64];
 111     unsigned char padding[16];
 112     unsigned char sha1sum[20];
 113     unsigned char keyblk[256];
 114     unsigned char *key1;
 115     unsigned char *key2;
 116
 117     SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
 118
 119     /*
 120      * SSLv3:
 121      *   master =
 122      *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
 123      *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
 124      *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
 125      *
 126      * TLSv1:
 127      *   master = PRF( premaster, "master secret", randbytes )[0..47]
 128      */
 129     if( ssl->resume == 0 )
 130     {
 131         int len = ssl->pmslen;
 132
 133         SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
 134
 135         if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
 136         {
 137             for( i = 0; i < 3; i++ )
 138             {
 139                 memset( padding, 'A' + i, 1 + i );
 140
 141                 sha1_starts( &sha1 );
 142                 sha1_update( &sha1, padding, 1 + i );
 143                 sha1_update( &sha1, ssl->premaster, len );
 144                 sha1_update( &sha1, ssl->randbytes,  64 );
 145                 sha1_finish( &sha1, sha1sum );
 146
 147                 md5_starts( &md5 );
 148                 md5_update( &md5, ssl->premaster, len );
 149                 md5_update( &md5, sha1sum, 20 );
 150                 md5_finish( &md5, ssl->session->master + i * 16 );
 151             }
 152         }
 153         else
 154             tls1_prf( ssl->premaster, len, "master secret",
 155                       ssl->randbytes, 64, ssl->session->master, 48 );
 156
 157         memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
 158     }
 159     else
 160         SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
 161
 162     /*
 163      * Swap the client and server random values.
 164      */
 165     memcpy( tmp, ssl->randbytes, 64 );
 166     memcpy( ssl->randbytes, tmp + 32, 32 );
 167     memcpy( ssl->randbytes + 32, tmp, 32 );
 168     memset( tmp, 0, sizeof( tmp ) );
 169
 170     /*
 171      *  SSLv3:
 172      *    key block =
 173      *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
 174      *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
 175      *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
 176      *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
 177      *      ...
 178      *
 179      *  TLSv1:
 180      *    key block = PRF( master, "key expansion", randbytes )
 181      */
 182     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
 183     {
 184         for( i = 0; i < 16; i++ )
 185         {
 186             memset( padding, 'A' + i, 1 + i );
 187
 188             sha1_starts( &sha1 );
 189             sha1_update( &sha1, padding, 1 + i );
 190             sha1_update( &sha1, ssl->session->master, 48 );
 191             sha1_update( &sha1, ssl->randbytes, 64 );
 192             sha1_finish( &sha1, sha1sum );
 193
 194             md5_starts( &md5 );
 195             md5_update( &md5, ssl->session->master, 48 );
 196             md5_update( &md5, sha1sum, 20 );
 197             md5_finish( &md5, keyblk + i * 16 );
 198         }
 199
 200         memset( &md5,  0, sizeof( md5  ) );
 201         memset( &sha1, 0, sizeof( sha1 ) );
 202
 203         memset( padding, 0, sizeof( padding ) );
 204         memset( sha1sum, 0, sizeof( sha1sum ) );
 205     }
 206     else
 207         tls1_prf( ssl->session->master, 48, "key expansion",
 208                   ssl->randbytes, 64, keyblk, 256 );
 209
 210     SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) );
 211     SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
 212     SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
 213     SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
 214
 215     memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
 216
 217     /*
 218      * Determine the appropriate key, IV and MAC length.
 219      */
 220     switch( ssl->session->cipher )
 221     {
 222 #if defined(XYSSL_ARC4_C)
 223         case SSL_RSA_RC4_128_MD5:
 224             ssl->keylen = 16; ssl->minlen = 16;
 225             ssl->ivlen  =  0; ssl->maclen = 16;
 226             break;
 227
 228         case SSL_RSA_RC4_128_SHA:
 229             ssl->keylen = 16; ssl->minlen = 20;
 230             ssl->ivlen  =  0; ssl->maclen = 20;
 231             break;
 232 #endif
 233
 234 #if defined(XYSSL_DES_C)
 235         case SSL_RSA_DES_168_SHA:
 236         case SSL_EDH_RSA_DES_168_SHA:
 237             ssl->keylen = 24; ssl->minlen = 24;
 238             ssl->ivlen  =  8; ssl->maclen = 20;
 239             break;
 240 #endif
 241
 242 #if defined(XYSSL_AES_C)
 243         case SSL_RSA_AES_256_SHA:
 244         case SSL_EDH_RSA_AES_256_SHA:
 245             ssl->keylen = 32; ssl->minlen = 32;
 246             ssl->ivlen  = 16; ssl->maclen = 20;
 247             break;
 248 #endif
 249
 250         default:
 251             SSL_DEBUG_MSG( 1, ( "cipher %s is not available",
 252                            ssl_get_cipher( ssl ) ) );
 253             return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
 254     }
 255
 256     SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
 257                    ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
 258
 259     /*
 260      * Finally setup the cipher contexts, IVs and MAC secrets.
 261      */
 262     if( ssl->endpoint == SSL_IS_CLIENT )
 263     {
 264         key1 = keyblk + ssl->maclen * 2;
 265         key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
 266
 267         memcpy( ssl->mac_enc, keyblk,  ssl->maclen );
 268         memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
 269
 270         memcpy( ssl->iv_enc, key2 + ssl->keylen,  ssl->ivlen );
 271         memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
 272                 ssl->ivlen );
 273     }
 274     else
 275     {
 276         key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
 277         key2 = keyblk + ssl->maclen * 2;
 278
 279         memcpy( ssl->mac_dec, keyblk,  ssl->maclen );
 280         memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
 281
 282         memcpy( ssl->iv_dec, key1 + ssl->keylen,  ssl->ivlen );
 283         memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
 284                 ssl->ivlen );
 285     }
 286
 287     switch( ssl->session->cipher )
 288     {
 289 #if defined(XYSSL_ARC4_C)
 290         case SSL_RSA_RC4_128_MD5:
 291         case SSL_RSA_RC4_128_SHA:
 292             arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
 293             arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
 294             break;
 295 #endif
 296
 297 #if defined(XYSSL_DES_C)
 298         case SSL_RSA_DES_168_SHA:
 299         case SSL_EDH_RSA_DES_168_SHA:
 300             des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
 301             des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
 302             break;
 303 #endif
 304
 305 #if defined(XYSSL_AES_C)
 306         case SSL_RSA_AES_256_SHA:
 307         case SSL_EDH_RSA_AES_256_SHA:
 308             aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
 309             aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
 310             break;
 311 #endif
 312
 313         default:
 314             return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
 315     }
 316
 317     memset( keyblk, 0, sizeof( keyblk ) );
 318
 319     SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
 320
 321     return( 0 );
 322 }
 323
 324 void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
 325 {
 326     md5_context md5;
 327     sha1_context sha1;
 328     unsigned char pad_1[48];
 329     unsigned char pad_2[48];
 330
 331     SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
 332
 333     memcpy( &md5 , &ssl->fin_md5 , sizeof(  md5_context ) );
 334     memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
 335
 336     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
 337     {
 338         memset( pad_1, 0x36, 48 );
 339         memset( pad_2, 0x5C, 48 );
 340
 341         md5_update( &md5, ssl->session->master, 48 );
 342         md5_update( &md5, pad_1, 48 );
 343         md5_finish( &md5, hash );
 344
 345         md5_starts( &md5 );
 346         md5_update( &md5, ssl->session->master, 48 );
 347         md5_update( &md5, pad_2, 48 );
 348         md5_update( &md5, hash,  16 );
 349         md5_finish( &md5, hash );
 350
 351         sha1_update( &sha1, ssl->session->master, 48 );
 352         sha1_update( &sha1, pad_1, 40 );
 353         sha1_finish( &sha1, hash + 16 );
 354
 355         sha1_starts( &sha1 );
 356         sha1_update( &sha1, ssl->session->master, 48 );
 357         sha1_update( &sha1, pad_2, 40 );
 358         sha1_update( &sha1, hash + 16, 20 );
 359         sha1_finish( &sha1, hash + 16 );
 360     }
 361     else /* TLSv1 */
 362     {
 363          md5_finish( &md5,  hash );
 364         sha1_finish( &sha1, hash + 16 );
 365     }
 366
 367     SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
 368     SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
 369
 370     return;
 371 }
 372
 373 /*
 374  * SSLv3.0 MAC functions
 375  */
 376 static void ssl_mac_md5( unsigned char *secret,
 377                          unsigned char *buf, int len,
 378                          unsigned char *ctr, int type )
 379 {
 380     unsigned char header[11];
 381     unsigned char padding[48];
 382     md5_context md5;
 383
 384     memcpy( header, ctr, 8 );
 385     header[ 8] = (unsigned char)  type;
 386     header[ 9] = (unsigned char)( len >> 8 );
 387     header[10] = (unsigned char)( len      );
 388
 389     memset( padding, 0x36, 48 );
 390     md5_starts( &md5 );
 391     md5_update( &md5, secret,  16 );
 392     md5_update( &md5, padding, 48 );
 393     md5_update( &md5, header,  11 );
 394     md5_update( &md5, buf,  len );
 395     md5_finish( &md5, buf + len );
 396
 397     memset( padding, 0x5C, 48 );
 398     md5_starts( &md5 );
 399     md5_update( &md5, secret,  16 );
 400     md5_update( &md5, padding, 48 );
 401     md5_update( &md5, buf + len, 16 );
 402     md5_finish( &md5, buf + len );
 403 }
 404
 405 static void ssl_mac_sha1( unsigned char *secret,
 406                           unsigned char *buf, int len,
 407                           unsigned char *ctr, int type )
 408 {
 409     unsigned char header[11];
 410     unsigned char padding[40];
 411     sha1_context sha1;
 412
 413     memcpy( header, ctr, 8 );
 414     header[ 8] = (unsigned char)  type;
 415     header[ 9] = (unsigned char)( len >> 8 );
 416     header[10] = (unsigned char)( len      );
 417
 418     memset( padding, 0x36, 40 );
 419     sha1_starts( &sha1 );
 420     sha1_update( &sha1, secret,  20 );
 421     sha1_update( &sha1, padding, 40 );
 422     sha1_update( &sha1, header,  11 );
 423     sha1_update( &sha1, buf,  len );
 424     sha1_finish( &sha1, buf + len );
 425
 426     memset( padding, 0x5C, 40 );
 427     sha1_starts( &sha1 );
 428     sha1_update( &sha1, secret,  20 );
 429     sha1_update( &sha1, padding, 40 );
 430     sha1_update( &sha1, buf + len, 20 );
 431     sha1_finish( &sha1, buf + len );
 432 }
 433
 434 /*
 435  * Encryption/decryption functions
 436  */
 437 static int ssl_encrypt_buf( ssl_context *ssl )
 438 {
 439     int i, padlen;
 440
 441     SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
 442
 443     /*
 444      * Add MAC then encrypt
 445      */
 446     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
 447     {
 448         if( ssl->maclen == 16 )
 449              ssl_mac_md5( ssl->mac_enc,
 450                           ssl->out_msg, ssl->out_msglen,
 451                           ssl->out_ctr, ssl->out_msgtype );
 452
 453         if( ssl->maclen == 20 )
 454             ssl_mac_sha1( ssl->mac_enc,
 455                           ssl->out_msg, ssl->out_msglen,
 456                           ssl->out_ctr, ssl->out_msgtype );
 457     }
 458     else
 459     {
 460         if( ssl->maclen == 16 )
 461              md5_hmac( ssl->mac_enc, 16,
 462                        ssl->out_ctr,  ssl->out_msglen + 13,
 463                        ssl->out_msg + ssl->out_msglen );
 464
 465         if( ssl->maclen == 20 )
 466             sha1_hmac( ssl->mac_enc, 20,
 467                        ssl->out_ctr,  ssl->out_msglen + 13,
 468                        ssl->out_msg + ssl->out_msglen );
 469     }
 470
 471     SSL_DEBUG_BUF( 4, "computed mac",
 472                    ssl->out_msg + ssl->out_msglen, ssl->maclen );
 473
 474     ssl->out_msglen += ssl->maclen;
 475
 476     for( i = 7; i >= 0; i-- )
 477         if( ++ssl->out_ctr[i] != 0 )
 478             break;
 479
 480     if( ssl->ivlen == 0 )
 481     {
 482 #if defined(XYSSL_ARC4_C)
 483         padlen = 0;
 484
 485         SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
 486                             "including %d bytes of padding",
 487                        ssl->out_msglen, 0 ) );
 488
 489         SSL_DEBUG_BUF( 4, "before encrypt: output payload",
 490                        ssl->out_msg, ssl->out_msglen );
 491
 492         arc4_crypt( (arc4_context *) ssl->ctx_enc,
 493                     ssl->out_msg, ssl->out_msglen );
 494 #else
 495         return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
 496 #endif
 497     }
 498     else
 499     {
 500         padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
 501         if( padlen == ssl->ivlen )
 502             padlen = 0;
 503
 504         for( i = 0; i <= padlen; i++ )
 505             ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
 506
 507         ssl->out_msglen += padlen + 1;
 508
 509         SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
 510                             "including %d bytes of padding",
 511                        ssl->out_msglen, padlen + 1 ) );
 512
 513         SSL_DEBUG_BUF( 4, "before encrypt: output payload",
 514                        ssl->out_msg, ssl->out_msglen );
 515
 516         switch( ssl->ivlen )
 517         {
 518             case  8:
 519 #if defined(XYSSL_DES_C)
 520                 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
 521                     DES_ENCRYPT, ssl->out_msglen,
 522                     ssl->iv_enc, ssl->out_msg, ssl->out_msg );
 523                 break;
 524 #endif
 525
 526             case 16:
 527 #if defined(XYSSL_AES_C)
 528                 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
 529                     AES_ENCRYPT, ssl->out_msglen,
 530                     ssl->iv_enc, ssl->out_msg, ssl->out_msg );
 531                 break;
 532 #endif
 533
 534             default:
 535                 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
 536         }
 537     }
 538
 539     SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
 540
 541     return( 0 );
 542 }
 543
 544 static int ssl_decrypt_buf( ssl_context *ssl )
 545 {
 546     int i, padlen;
 547     unsigned char tmp[20];
 548
 549     SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
 550
 551     if( ssl->in_msglen < ssl->minlen )
 552     {
 553         SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
 554                        ssl->in_msglen, ssl->minlen ) );
 555         return( XYSSL_ERR_SSL_INVALID_MAC );
 556     }
 557
 558     if( ssl->ivlen == 0 )
 559     {
 560 #if defined(XYSSL_ARC4_C)
 561         padlen = 0;
 562         arc4_crypt( (arc4_context *) ssl->ctx_dec,
 563                     ssl->in_msg, ssl->in_msglen );
 564 #else
 565         return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
 566 #endif
 567     }
 568     else
 569     {
 570         /*
 571          * Decrypt and check the padding
 572          */
 573         if( ssl->in_msglen % ssl->ivlen != 0 )
 574         {
 575             SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
 576                            ssl->in_msglen, ssl->ivlen ) );
 577             return( XYSSL_ERR_SSL_INVALID_MAC );
 578         }
 579
 580         switch( ssl->ivlen )
 581         {
 582 #if defined(XYSSL_DES_C)
 583             case  8:
 584                 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
 585                     DES_DECRYPT, ssl->in_msglen,
 586                     ssl->iv_dec, ssl->in_msg, ssl->in_msg );
 587                 break;
 588 #endif
 589
 590 #if defined(XYSSL_AES_C)
 591             case 16:
 592                  aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
 593                     AES_DECRYPT, ssl->in_msglen,
 594                     ssl->iv_dec, ssl->in_msg, ssl->in_msg );
 595                  break;
 596 #endif
 597
 598             default:
 599                 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
 600         }
 601
 602         padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
 603
 604         if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
 605         {
 606             if( padlen > ssl->ivlen )
 607             {
 608                 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
 609                                     "should be no more than %d",
 610                                padlen, ssl->ivlen ) );
 611                 padlen = 0;
 612             }
 613         }
 614         else
 615         {
 616             /*
 617              * TLSv1: always check the padding
 618              */
 619             for( i = 1; i <= padlen; i++ )
 620             {
 621                 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
 622                 {
 623                     SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
 624                                         "%02x, but is %02x", padlen - 1,
 625                                    ssl->in_msg[ssl->in_msglen - i] ) );
 626                     padlen = 0;
 627                 }
 628             }
 629         }
 630     }
 631
 632     SSL_DEBUG_BUF( 4, "raw buffer after decryption",
 633                    ssl->in_msg, ssl->in_msglen );
 634
 635     /*
 636      * Always compute the MAC (RFC4346, CBCTIME).
 637      */
 638     ssl->in_msglen -= ( ssl->maclen + padlen );
 639
 640     ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
 641     ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen      );
 642
 643     memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
 644
 645     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
 646     {
 647         if( ssl->maclen == 16 )
 648              ssl_mac_md5( ssl->mac_dec,
 649                           ssl->in_msg, ssl->in_msglen,
 650                           ssl->in_ctr, ssl->in_msgtype );
 651         else
 652             ssl_mac_sha1( ssl->mac_dec,
 653                           ssl->in_msg, ssl->in_msglen,
 654                           ssl->in_ctr, ssl->in_msgtype );
 655     }
 656     else
 657     {
 658         if( ssl->maclen == 16 )
 659              md5_hmac( ssl->mac_dec, 16,
 660                        ssl->in_ctr,  ssl->in_msglen + 13,
 661                        ssl->in_msg + ssl->in_msglen );
 662         else
 663             sha1_hmac( ssl->mac_dec, 20,
 664                        ssl->in_ctr,  ssl->in_msglen + 13,
 665                        ssl->in_msg + ssl->in_msglen );
 666     }
 667
 668     SSL_DEBUG_BUF( 4, "message  mac", tmp, ssl->maclen );
 669     SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
 670                    ssl->maclen );
 671
 672     if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
 673                      ssl->maclen ) != 0 )
 674     {
 675         SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
 676         return( XYSSL_ERR_SSL_INVALID_MAC );
 677     }
 678
 679     /*
 680      * Finally check the padding length; bad padding
 681      * will produce the same error as an invalid MAC.
 682      */
 683     if( ssl->ivlen != 0 && padlen == 0 )
 684         return( XYSSL_ERR_SSL_INVALID_MAC );
 685
 686     if( ssl->in_msglen == 0 )
 687     {
 688         ssl->nb_zero++;
 689
 690         /*
 691          * Three or more empty messages may be a DoS attack
 692          * (excessive CPU consumption).
 693          */
 694         if( ssl->nb_zero > 3 )
 695         {
 696             SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
 697                                 "messages, possible DoS attack" ) );
 698             return( XYSSL_ERR_SSL_INVALID_MAC );
 699         }
 700     }
 701     else
 702         ssl->nb_zero = 0;
 703
 704     for( i = 7; i >= 0; i-- )
 705         if( ++ssl->in_ctr[i] != 0 )
 706             break;
 707
 708     SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
 709
 710     return( 0 );
 711 }
 712
 713 /*
 714  * Fill the input message buffer
 715  */
 716 int ssl_fetch_input( ssl_context *ssl, int nb_want )
 717 {
 718     int ret, len;
 719
 720     SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
 721
 722     while( ssl->in_left < nb_want )
 723     {
 724         len = nb_want - ssl->in_left;
 725         ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
 726
 727         SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
 728                        ssl->in_left, nb_want ) );
 729         SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
 730
 731         if( ret < 0 )
 732             return( ret );
 733
 734         ssl->in_left += ret;
 735     }
 736
 737     SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
 738
 739     return( 0 );
 740 }
 741
 742 /*
 743  * Flush any data not yet written
 744  */
 745 int ssl_flush_output( ssl_context *ssl )
 746 {
 747     int ret;
 748     unsigned char *buf;
 749
 750     SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
 751
 752     while( ssl->out_left > 0 )
 753     {
 754         SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
 755                        5 + ssl->out_msglen, ssl->out_left ) );
 756
 757         buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
 758         ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
 759         SSL_DEBUG_RET( 2, "ssl->f_send", ret );
 760
 761         if( ret <= 0 )
 762             return( ret );
 763
 764         ssl->out_left -= ret;
 765     }
 766
 767     SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
 768
 769     return( 0 );
 770 }
 771
 772 /*
 773  * Record layer functions
 774  */
 775 int ssl_write_record( ssl_context *ssl )
 776 {
 777     int ret, len = ssl->out_msglen;
 778
 779     SSL_DEBUG_MSG( 2, ( "=> write record" ) );
 780
 781     ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
 782     ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
 783     ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
 784     ssl->out_hdr[3] = (unsigned char)( len >> 8 );
 785     ssl->out_hdr[4] = (unsigned char)( len      );
 786
 787     if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
 788     {
 789         ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
 790         ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >>  8 );
 791         ssl->out_msg[3] = (unsigned char)( ( len - 4 )       );
 792
 793          md5_update( &ssl->fin_md5 , ssl->out_msg, len );
 794         sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
 795     }
 796
 797     if( ssl->do_crypt != 0 )
 798     {
 799         if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
 800         {
 801             SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
 802             return( ret );
 803         }
 804
 805         len = ssl->out_msglen;
 806         ssl->out_hdr[3] = (unsigned char)( len >> 8 );
 807         ssl->out_hdr[4] = (unsigned char)( len      );
 808     }
 809
 810     ssl->out_left = 5 + ssl->out_msglen;
 811
 812     SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
 813                         "version = [%d:%d], msglen = %d",
 814                    ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
 815                  ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
 816
 817     SSL_DEBUG_BUF( 4, "output record sent to network",
 818                    ssl->out_hdr, 5 + ssl->out_msglen );
 819
 820     if( ( ret = ssl_flush_output( ssl ) ) != 0 )
 821     {
 822         SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
 823         return( ret );
 824     }
 825
 826     SSL_DEBUG_MSG( 2, ( "<= write record" ) );
 827
 828     return( 0 );
 829 }
 830
 831 int ssl_read_record( ssl_context *ssl )
 832 {
 833     int ret;
 834
 835     SSL_DEBUG_MSG( 2, ( "=> read record" ) );
 836
 837     if( ssl->in_hslen != 0 &&
 838         ssl->in_hslen < ssl->in_msglen )
 839     {
 840         /*
 841          * Get next Handshake message in the current record
 842          */
 843         ssl->in_msglen -= ssl->in_hslen;
 844
 845         memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
 846                 ssl->in_msglen );
 847
 848         ssl->in_hslen  = 4;
 849         ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
 850
 851         SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
 852                             " %d, type = %d, hslen = %d",
 853                        ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
 854
 855         if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
 856         {
 857             SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
 858             return( XYSSL_ERR_SSL_INVALID_RECORD );
 859         }
 860
 861         if( ssl->in_msglen < ssl->in_hslen )
 862         {
 863             SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
 864             return( XYSSL_ERR_SSL_INVALID_RECORD );
 865         }
 866
 867          md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
 868         sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
 869
 870         return( 0 );
 871     }
 872
 873     ssl->in_hslen = 0;
 874
 875     /*
 876      * Read the record header and validate it
 877      */
 878     if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
 879     {
 880         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
 881         return( ret );
 882     }
 883
 884     ssl->in_msgtype =  ssl->in_hdr[0];
 885     ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
 886
 887     SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
 888                         "version = [%d:%d], msglen = %d",
 889                      ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
 890                    ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
 891
 892     if( ssl->in_hdr[1] != ssl->major_ver )
 893     {
 894         SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
 895         return( XYSSL_ERR_SSL_INVALID_RECORD );
 896     }
 897
 898     if( ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
 899         ssl->in_hdr[2] != SSL_MINOR_VERSION_1 )
 900     {
 901         SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
 902         return( XYSSL_ERR_SSL_INVALID_RECORD );
 903     }
 904
 905     /*
 906      * Make sure the message length is acceptable
 907      */
 908     if( ssl->do_crypt == 0 )
 909     {
 910         if( ssl->in_msglen < 1 ||
 911             ssl->in_msglen > SSL_MAX_CONTENT_LEN )
 912         {
 913             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
 914             return( XYSSL_ERR_SSL_INVALID_RECORD );
 915         }
 916     }
 917     else
 918     {
 919         if( ssl->in_msglen < ssl->minlen )
 920         {
 921             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
 922             return( XYSSL_ERR_SSL_INVALID_RECORD );
 923         }
 924
 925         if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
 926             ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
 927         {
 928             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
 929             return( XYSSL_ERR_SSL_INVALID_RECORD );
 930         }
 931
 932         /*
 933          * TLS encrypted messages can have up to 256 bytes of padding
 934          */
 935         if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
 936             ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
 937         {
 938             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
 939             return( XYSSL_ERR_SSL_INVALID_RECORD );
 940         }
 941     }
 942
 943     /*
 944      * Read and optionally decrypt the message contents
 945      */
 946     if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
 947     {
 948         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
 949         return( ret );
 950     }
 951
 952     SSL_DEBUG_BUF( 4, "input record from network",
 953                    ssl->in_hdr, 5 + ssl->in_msglen );
 954
 955     if( ssl->do_crypt != 0 )
 956     {
 957         if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
 958         {
 959             SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
 960             return( ret );
 961         }
 962
 963         SSL_DEBUG_BUF( 4, "input payload after decrypt",
 964                        ssl->in_msg, ssl->in_msglen );
 965
 966         if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
 967         {
 968             SSL_DEBUG_MSG( 1, ( "bad message length" ) );
 969             return( XYSSL_ERR_SSL_INVALID_RECORD );
 970         }
 971     }
 972
 973     if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
 974     {
 975         ssl->in_hslen  = 4;
 976         ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
 977
 978         SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
 979                             " %d, type = %d, hslen = %d",
 980                        ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
 981
 982         /*
 983          * Additional checks to validate the handshake header
 984          */
 985         if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
 986         {
 987             SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
 988             return( XYSSL_ERR_SSL_INVALID_RECORD );
 989         }
 990
 991         if( ssl->in_msglen < ssl->in_hslen )
 992         {
 993             SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
 994             return( XYSSL_ERR_SSL_INVALID_RECORD );
 995         }
 996
 997          md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
 998         sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
 999     }
1000
1001     if( ssl->in_msgtype == SSL_MSG_ALERT )
1002     {
1003         SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1004                        ssl->in_msg[0], ssl->in_msg[1] ) );
1005
1006         /*
1007          * Ignore non-fatal alerts, except close_notify
1008          */
1009         if( ssl->in_msg[0] == SSL_ALERT_FATAL )
1010         {
1011             SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
1012             return( XYSSL_ERR_SSL_FATAL_ALERT_MESSAGE | ssl->in_msg[1] );
1013         }
1014
1015         if( ssl->in_msg[0] == SSL_ALERT_WARNING &&
1016             ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY )
1017         {
1018             SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
1019             return( XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
1020         }
1021     }
1022
1023     ssl->in_left = 0;
1024
1025     SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1026
1027     return( 0 );
1028 }
1029
1030 /*
1031  * Handshake functions
1032  */
1033 int ssl_write_certificate( ssl_context *ssl )
1034 {
1035     int ret, i, n;
1036     x509_cert *crt;
1037
1038     SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1039
1040     if( ssl->endpoint == SSL_IS_CLIENT )
1041     {
1042         if( ssl->client_auth == 0 )
1043         {
1044             SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1045             ssl->state++;
1046             return( 0 );
1047         }
1048
1049         /*
1050          * If using SSLv3 and got no cert, send an Alert message
1051          * (otherwise an empty Certificate message will be sent).
1052          */
1053         if( ssl->own_cert  == NULL &&
1054             ssl->minor_ver == SSL_MINOR_VERSION_0 )
1055         {
1056             ssl->out_msglen  = 2;
1057             ssl->out_msgtype = SSL_MSG_ALERT;
1058             ssl->out_msg[0]  = SSL_ALERT_WARNING;
1059             ssl->out_msg[1]  = SSL_ALERT_NO_CERTIFICATE;
1060
1061             SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1062             goto write_msg;
1063         }
1064     }
1065     else /* SSL_IS_SERVER */
1066     {
1067         if( ssl->own_cert == NULL )
1068         {
1069             SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
1070             return( XYSSL_ERR_SSL_CERTIFICATE_REQUIRED );
1071         }
1072     }
1073
1074     SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1075
1076     /*
1077      *     0  .  0    handshake type
1078      *     1  .  3    handshake length
1079      *     4  .  6    length of all certs
1080      *     7  .  9    length of cert. 1
1081      *    10  . n-1   peer certificate
1082      *     n  . n+2   length of cert. 2
1083      *    n+3 . ...   upper level cert, etc.
1084      */
1085     i = 7;
1086     crt = ssl->own_cert;
1087
1088     while( crt != NULL && crt->next != NULL )
1089     {
1090         n = crt->raw.len;
1091         if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1092         {
1093             SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1094                            i + 3 + n, SSL_MAX_CONTENT_LEN ) );
1095             return( XYSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
1096         }
1097
1098         ssl->out_msg[i    ] = (unsigned char)( n >> 16 );
1099         ssl->out_msg[i + 1] = (unsigned char)( n >>  8 );
1100         ssl->out_msg[i + 2] = (unsigned char)( n       );
1101
1102         i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1103         i += n; crt = crt->next;
1104     }
1105
1106     ssl->out_msg[4]  = (unsigned char)( ( i - 7 ) >> 16 );
1107     ssl->out_msg[5]  = (unsigned char)( ( i - 7 ) >>  8 );
1108     ssl->out_msg[6]  = (unsigned char)( ( i - 7 )       );
1109
1110     ssl->out_msglen  = i;
1111     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1112     ssl->out_msg[0]  = SSL_HS_CERTIFICATE;
1113
1114 write_msg:
1115
1116     ssl->state++;
1117
1118     if( ( ret = ssl_write_record( ssl ) ) != 0 )
1119     {
1120         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1121         return( ret );
1122     }
1123
1124     SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1125
1126     return( 0 );
1127 }
1128
1129 int ssl_parse_certificate( ssl_context *ssl )
1130 {
1131     int ret, i, n;
1132
1133     SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1134
1135     if( ssl->endpoint == SSL_IS_SERVER &&
1136         ssl->authmode == SSL_VERIFY_NONE )
1137     {
1138         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1139         ssl->state++;
1140         return( 0 );
1141     }
1142
1143     if( ( ret = ssl_read_record( ssl ) ) != 0 )
1144     {
1145         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1146         return( ret );
1147     }
1148
1149     ssl->state++;
1150
1151     /*
1152      * Check if the client sent an empty certificate
1153      */
1154     if( ssl->endpoint  == SSL_IS_SERVER &&
1155         ssl->minor_ver == SSL_MINOR_VERSION_0 )
1156     {
1157         if( ssl->in_msglen  == 2                    &&
1158             ssl->in_msgtype == SSL_MSG_ALERT        &&
1159             ssl->in_msg[0]  == SSL_ALERT_WARNING    &&
1160             ssl->in_msg[1]  == SSL_ALERT_NO_CERTIFICATE )
1161         {
1162             SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1163
1164             if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1165                 return( 0 );
1166             else
1167                 return( XYSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
1168         }
1169     }
1170
1171     if( ssl->endpoint  == SSL_IS_SERVER &&
1172         ssl->minor_ver != SSL_MINOR_VERSION_0 )
1173     {
1174         if( ssl->in_hslen   == 7                    &&
1175             ssl->in_msgtype == SSL_MSG_HANDSHAKE    &&
1176             ssl->in_msg[0]  == SSL_HS_CERTIFICATE   &&
1177             memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1178         {
1179             SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1180
1181             if( ssl->authmode == SSL_VERIFY_REQUIRED )
1182                 return( XYSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
1183             else
1184                 return( 0 );
1185         }
1186     }
1187
1188     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1189     {
1190         SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1191         return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1192     }
1193
1194     if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1195     {
1196         SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1197         return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1198     }
1199
1200     /*
1201      * Same message structure as in ssl_write_certificate()
1202      */
1203     n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1204
1205     if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1206     {
1207         SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1208         return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1209     }
1210
1211     if( ( ssl->peer_cert = (x509_cert *) malloc(
1212                     sizeof( x509_cert ) ) ) == NULL )
1213     {
1214         SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1215                        sizeof( x509_cert ) ) );
1216         return( 1 );
1217     }
1218
1219     memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1220
1221     i = 7;
1222
1223     while( i < ssl->in_hslen )
1224     {
1225         if( ssl->in_msg[i] != 0 )
1226         {
1227             SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1228             return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1229         }
1230
1231         n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1232             | (unsigned int) ssl->in_msg[i + 2];
1233         i += 3;
1234
1235         if( n < 128 || i + n > ssl->in_hslen )
1236         {
1237             SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1238             return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1239         }
1240
1241         ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
1242         if( ret != 0 )
1243         {
1244             SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1245             return( ret );
1246         }
1247
1248         i += n;
1249     }
1250
1251     SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1252
1253     if( ssl->authmode != SSL_VERIFY_NONE )
1254     {
1255         if( ssl->ca_chain == NULL )
1256         {
1257             SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
1258             return( XYSSL_ERR_SSL_CA_CHAIN_REQUIRED );
1259         }
1260
1261         ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain,
1262                                 ssl->peer_cn,  &ssl->verify_result );
1263
1264         if( ret != 0 )
1265             SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1266
1267         if( ssl->authmode != SSL_VERIFY_REQUIRED )
1268             ret = 0;
1269     }
1270
1271     SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1272
1273     return( ret );
1274 }
1275
1276 int ssl_write_change_cipher_spec( ssl_context *ssl )
1277 {
1278     int ret;
1279
1280     SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1281
1282     ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1283     ssl->out_msglen  = 1;
1284     ssl->out_msg[0]  = 1;
1285
1286     ssl->do_crypt = 0;
1287     ssl->state++;
1288
1289     if( ( ret = ssl_write_record( ssl ) ) != 0 )
1290     {
1291         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1292         return( ret );
1293     }
1294
1295     SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1296
1297     return( 0 );
1298 }
1299
1300 int ssl_parse_change_cipher_spec( ssl_context *ssl )
1301 {
1302     int ret;
1303
1304     SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1305
1306     ssl->do_crypt = 0;
1307
1308     if( ( ret = ssl_read_record( ssl ) ) != 0 )
1309     {
1310         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1311         return( ret );
1312     }
1313
1314     if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1315     {
1316         SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
1317         return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1318     }
1319
1320     if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1321     {
1322         SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
1323         return( XYSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
1324     }
1325
1326     ssl->state++;
1327
1328     SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1329
1330     return( 0 );
1331 }
1332
1333 static void ssl_calc_finished(
1334                 ssl_context *ssl, unsigned char *buf, int from,
1335                 md5_context *md5, sha1_context *sha1 )
1336 {
1337     int len = 12;
1338     char *sender;
1339     unsigned char padbuf[48];
1340     unsigned char md5sum[16];
1341     unsigned char sha1sum[20];
1342
1343     SSL_DEBUG_MSG( 2, ( "=> calc  finished" ) );
1344
1345     /*
1346      * SSLv3:
1347      *   hash =
1348      *      MD5( master + pad2 +
1349      *          MD5( handshake + sender + master + pad1 ) )
1350      *   + SHA1( master + pad2 +
1351      *         SHA1( handshake + sender + master + pad1 ) )
1352      *
1353      * TLSv1:
1354      *   hash = PRF( master, finished_label,
1355      *               MD5( handshake ) + SHA1( handshake ) )[0..11]
1356      */
1357
1358     SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
1359                     md5->state, sizeof(  md5->state ) );
1360
1361     SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1362                    sha1->state, sizeof( sha1->state ) );
1363
1364     if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1365     {
1366         sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1367                                            : (char *) "SRVR";
1368
1369         memset( padbuf, 0x36, 48 );
1370
1371         md5_update( md5, (unsigned char *) sender, 4 );
1372         md5_update( md5, ssl->session->master, 48 );
1373         md5_update( md5, padbuf, 48 );
1374         md5_finish( md5, md5sum );
1375
1376         sha1_update( sha1, (unsigned char *) sender, 4 );
1377         sha1_update( sha1, ssl->session->master, 48 );
1378         sha1_update( sha1, padbuf, 40 );
1379         sha1_finish( sha1, sha1sum );
1380
1381         memset( padbuf, 0x5C, 48 );
1382
1383         md5_starts( md5 );
1384         md5_update( md5, ssl->session->master, 48 );
1385         md5_update( md5, padbuf, 48 );
1386         md5_update( md5, md5sum, 16 );
1387         md5_finish( md5, buf );
1388
1389         sha1_starts( sha1 );
1390         sha1_update( sha1, ssl->session->master, 48 );
1391         sha1_update( sha1, padbuf , 40 );
1392         sha1_update( sha1, sha1sum, 20 );
1393         sha1_finish( sha1, buf + 16 );
1394
1395         len += 24;
1396     }
1397     else
1398     {
1399         sender = ( from == SSL_IS_CLIENT )
1400                  ? (char *) "client finished"
1401                  : (char *) "server finished";
1402
1403          md5_finish(  md5, padbuf );
1404         sha1_finish( sha1, padbuf + 16 );
1405
1406         tls1_prf( ssl->session->master, 48, sender,
1407                   padbuf, 36, buf, len );
1408     }
1409
1410     SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1411
1412     memset(  md5, 0, sizeof(  md5_context ) );
1413     memset( sha1, 0, sizeof( sha1_context ) );
1414
1415     memset(  padbuf, 0, sizeof(  padbuf ) );
1416     memset(  md5sum, 0, sizeof(  md5sum ) );
1417     memset( sha1sum, 0, sizeof( sha1sum ) );
1418
1419     SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
1420 }
1421
1422 int ssl_write_finished( ssl_context *ssl )
1423 {
1424     int ret, hash_len;
1425      md5_context  md5;
1426     sha1_context sha1;
1427
1428     SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1429
1430     memcpy( &md5 , &ssl->fin_md5 , sizeof(  md5_context ) );
1431     memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1432
1433     ssl_calc_finished( ssl, ssl->out_msg + 4,
1434                        ssl->endpoint, &md5, &sha1 );
1435
1436     hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1437
1438     ssl->out_msglen  = 4 + hash_len;
1439     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1440     ssl->out_msg[0]  = SSL_HS_FINISHED;
1441
1442     /*
1443      * In case of session resuming, invert the client and server
1444      * ChangeCipherSpec messages order.
1445      */
1446     if( ssl->resume != 0 )
1447     {
1448         if( ssl->endpoint == SSL_IS_CLIENT )
1449             ssl->state = SSL_HANDSHAKE_OVER;
1450         else
1451             ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1452     }
1453     else
1454         ssl->state++;
1455
1456     ssl->do_crypt = 1;
1457
1458     if( ( ret = ssl_write_record( ssl ) ) != 0 )
1459     {
1460         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1461         return( ret );
1462     }
1463
1464     SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1465
1466     return( 0 );
1467 }
1468
1469 int ssl_parse_finished( ssl_context *ssl )
1470 {
1471     int ret, hash_len;
1472      md5_context  md5;
1473     sha1_context sha1;
1474     unsigned char buf[36];
1475
1476     SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1477
1478     memcpy( &md5 , &ssl->fin_md5 , sizeof(  md5_context ) );
1479     memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1480
1481     ssl->do_crypt = 1;
1482
1483     if( ( ret = ssl_read_record( ssl ) ) != 0 )
1484     {
1485         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1486         return( ret );
1487     }
1488
1489     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1490     {
1491         SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1492         return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1493     }
1494
1495     hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1496
1497     if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1498         ssl->in_hslen  != 4 + hash_len )
1499     {
1500         SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1501         return( XYSSL_ERR_SSL_BAD_HS_FINISHED );
1502     }
1503
1504     ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1505
1506     if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1507     {
1508         SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1509         return( XYSSL_ERR_SSL_BAD_HS_FINISHED );
1510     }
1511
1512     if( ssl->resume != 0 )
1513     {
1514         if( ssl->endpoint == SSL_IS_CLIENT )
1515             ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1516
1517         if( ssl->endpoint == SSL_IS_SERVER )
1518             ssl->state = SSL_HANDSHAKE_OVER;
1519     }
1520     else
1521         ssl->state++;
1522
1523     SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1524
1525     return( 0 );
1526 }
1527
1528 /*
1529  * Initialize an SSL context
1530  */
1531 int ssl_init( ssl_context *ssl )
1532 {
1533     int len = SSL_BUFFER_LEN;
1534
1535     memset( ssl, 0, sizeof( ssl_context ) );
1536
1537     ssl->in_ctr = (unsigned char *) malloc( len );
1538     ssl->in_hdr = ssl->in_ctr +  8;
1539     ssl->in_msg = ssl->in_ctr + 13;
1540
1541     if( ssl->in_ctr == NULL )
1542     {
1543         SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1544         return( 1 );
1545     }
1546
1547     ssl->out_ctr = (unsigned char *) malloc( len );
1548     ssl->out_hdr = ssl->out_ctr +  8;
1549     ssl->out_msg = ssl->out_ctr + 13;
1550
1551     if( ssl->out_ctr == NULL )
1552     {
1553         SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1554         free( ssl-> in_ctr );
1555         return( 1 );
1556     }
1557
1558     memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1559     memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1560
1561      md5_starts( &ssl->fin_md5  );
1562     sha1_starts( &ssl->fin_sha1 );
1563
1564     return( 0 );
1565 }
1566
1567 /*
1568  * SSL set accessors
1569  */
1570 void ssl_set_debuglvl( ssl_context *ssl, int debuglvl )
1571 {
1572     ssl->debuglvl   = debuglvl;
1573 }
1574
1575 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1576 {
1577     ssl->endpoint   = endpoint;
1578 }
1579
1580 void ssl_set_authmode( ssl_context *ssl, int authmode )
1581 {
1582     ssl->authmode   = authmode;
1583 }
1584
1585 void ssl_set_rng( ssl_context *ssl, int (*f_rng)(void *), void *p_rng )
1586 {
1587     ssl->f_rng      = f_rng;
1588     ssl->p_rng      = p_rng;
1589 }
1590
1591 void ssl_set_bio( ssl_context *ssl,
1592             int (*f_recv)(void *, unsigned char *, int), void *p_recv,
1593             int (*f_send)(void *, unsigned char *, int), void *p_send )
1594 {
1595     ssl->f_recv     = f_recv;
1596     ssl->f_send     = f_send;
1597
1598     ssl->p_recv     = p_recv;
1599     ssl->p_send     = p_send;
1600 }
1601
1602 void ssl_set_scb( ssl_context *ssl,
1603                   int (*s_get)(ssl_context *),
1604                   int (*s_set)(ssl_context *) )
1605 {
1606     ssl->s_get      = s_get;
1607     ssl->s_set      = s_set;
1608 }
1609
1610 void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1611                       ssl_session *session )
1612 {
1613     ssl->resume     = resume;
1614     ssl->timeout    = timeout;
1615     ssl->session    = session;
1616 }
1617
1618 void ssl_set_ciphers( ssl_context *ssl, int *ciphers )
1619 {
1620     ssl->ciphers    = ciphers;
1621 }
1622
1623 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
1624                        char *peer_cn )
1625 {
1626     ssl->ca_chain   = ca_chain;
1627     ssl->peer_cn    = peer_cn;
1628 }
1629
1630 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1631                        rsa_context *rsa_key )
1632 {
1633     ssl->own_cert   = own_cert;
1634     ssl->rsa_key    = rsa_key;
1635 }
1636
1637 int ssl_set_dh_param( ssl_context *ssl, char *dhm_P, char *dhm_G )
1638 {
1639     int ret;
1640
1641     if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1642     {
1643         SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1644         return( ret );
1645     }
1646
1647     if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1648     {
1649         SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1650         return( ret );
1651     }
1652
1653     return( 0 );
1654 }
1655
1656 /*
1657  * SSL get accessors
1658  */
1659 int ssl_get_bytes_avail( ssl_context *ssl )
1660 {
1661     return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
1662 }
1663
1664 int ssl_get_verify_result( ssl_context *ssl )
1665 {
1666     return( ssl->verify_result );
1667 }
1668
1669 char *ssl_get_cipher( ssl_context *ssl )
1670 {
1671     switch( ssl->session->cipher )
1672     {
1673 #if defined(XYSSL_ARC4_C)
1674         case SSL_RSA_RC4_128_MD5:
1675             return( "SSL_RSA_RC4_128_MD5" );
1676
1677         case SSL_RSA_RC4_128_SHA:
1678             return( "SSL_RSA_RC4_128_SHA" );
1679 #endif
1680
1681 #if defined(XYSSL_DES_C)
1682         case SSL_RSA_DES_168_SHA:
1683             return( "SSL_RSA_DES_168_SHA" );
1684
1685         case SSL_EDH_RSA_DES_168_SHA:
1686             return( "SSL_EDH_RSA_DES_168_SHA" );
1687 #endif
1688
1689 #if defined(XYSSL_AES_C)
1690         case SSL_RSA_AES_256_SHA:
1691             return( "SSL_RSA_AES_256_SHA" );
1692
1693         case SSL_EDH_RSA_AES_256_SHA:
1694             return( "SSL_EDH_RSA_AES_256_SHA" );
1695 #endif
1696
1697     default:
1698         break;
1699     }
1700
1701     return( "unknown" );
1702 }
1703
1704 int ssl_default_ciphers[] =
1705 {
1706 #if defined(XYSSL_DHM_C)
1707 #if defined(XYSSL_AES_C)
1708     SSL_EDH_RSA_AES_256_SHA,
1709 #endif
1710 #if defined(XYSSL_DES_C)
1711     SSL_EDH_RSA_DES_168_SHA,
1712 #endif
1713 #endif
1714
1715 #if defined(XYSSL_AES_C)
1716     SSL_RSA_AES_256_SHA,
1717 #endif
1718 #if defined(XYSSL_DES_C)
1719     SSL_RSA_DES_168_SHA,
1720 #endif
1721 #if defined(XYSSL_ARC4_C)
1722     SSL_RSA_RC4_128_SHA,
1723     SSL_RSA_RC4_128_MD5,
1724 #endif
1725     0
1726 };
1727
1728 /*
1729  * Perform the SSL handshake
1730  */
1731 int ssl_handshake( ssl_context *ssl )
1732 {
1733     int ret = XYSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1734
1735     SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
1736
1737 #if defined(XYSSL_SSL_CLI_C)
1738     if( ssl->endpoint == SSL_IS_CLIENT )
1739         ret = ssl_handshake_client( ssl );
1740 #endif
1741
1742 #if defined(XYSSL_SSL_SRV_C)
1743     if( ssl->endpoint == SSL_IS_SERVER )
1744         ret = ssl_handshake_server( ssl );
1745 #endif
1746
1747     SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
1748
1749     return( ret );
1750 }
1751
1752 /*
1753  * Receive application data decrypted from the SSL layer
1754  */
1755 int ssl_read( ssl_context *ssl, unsigned char *buf, int len )
1756 {
1757     int ret, n;
1758
1759     SSL_DEBUG_MSG( 2, ( "=> read" ) );
1760
1761     if( ssl->state != SSL_HANDSHAKE_OVER )
1762     {
1763         if( ( ret = ssl_handshake( ssl ) ) != 0 )
1764         {
1765             SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1766             return( ret );
1767         }
1768     }
1769
1770     if( ssl->in_offt == NULL )
1771     {
1772         if( ( ret = ssl_read_record( ssl ) ) != 0 )
1773         {
1774             SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1775             return( ret );
1776         }
1777
1778         if( ssl->in_msglen  == 0 &&
1779             ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
1780         {
1781             /*
1782              * OpenSSL sends empty messages to randomize the IV
1783              */
1784             if( ( ret = ssl_read_record( ssl ) ) != 0 )
1785             {
1786                 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1787                 return( ret );
1788             }
1789         }
1790
1791         if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1792         {
1793             SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
1794             return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1795         }
1796
1797         ssl->in_offt = ssl->in_msg;
1798     }
1799
1800     n = ( len < ssl->in_msglen )
1801         ? len : ssl->in_msglen;
1802
1803     memcpy( buf, ssl->in_offt, n );
1804     ssl->in_msglen -= n;
1805
1806     if( ssl->in_msglen == 0 )
1807         /* all bytes consumed  */
1808         ssl->in_offt = NULL;
1809     else
1810         /* more data available */
1811         ssl->in_offt += n;
1812
1813     SSL_DEBUG_MSG( 2, ( "<= read" ) );
1814
1815     return( n );
1816 }
1817
1818 /*
1819  * Send application data to be encrypted by the SSL layer
1820  */
1821 int ssl_write( ssl_context *ssl, unsigned char *buf, int len )
1822 {
1823     int ret, n;
1824
1825     SSL_DEBUG_MSG( 2, ( "=> write" ) );
1826
1827     if( ssl->state != SSL_HANDSHAKE_OVER )
1828     {
1829         if( ( ret = ssl_handshake( ssl ) ) != 0 )
1830         {
1831             SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1832             return( ret );
1833         }
1834     }
1835
1836     if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1837     {
1838         SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1839         return( ret );
1840     }
1841
1842     n = ( len < SSL_MAX_CONTENT_LEN )
1843         ? len : SSL_MAX_CONTENT_LEN;
1844
1845     ssl->out_msglen  = n;
1846     ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
1847     memcpy( ssl->out_msg, buf, n );
1848
1849     if( ( ret = ssl_write_record( ssl ) ) != 0 )
1850     {
1851         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1852         return( ret );
1853     }
1854
1855     SSL_DEBUG_MSG( 2, ( "<= write" ) );
1856
1857     return( n );
1858 }
1859
1860 /*
1861  * Notify the peer that the connection is being closed
1862  */
1863 int ssl_close_notify( ssl_context *ssl )
1864 {
1865     int ret;
1866
1867     SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
1868
1869     if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1870     {
1871         SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1872         return( ret );
1873     }
1874
1875     if( ssl->state == SSL_HANDSHAKE_OVER )
1876     {
1877         ssl->out_msgtype = SSL_MSG_ALERT;
1878         ssl->out_msglen  = 2;
1879         ssl->out_msg[0]  = SSL_ALERT_WARNING;
1880         ssl->out_msg[1]  = SSL_ALERT_CLOSE_NOTIFY;
1881
1882         if( ( ret = ssl_write_record( ssl ) ) != 0 )
1883         {
1884             SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1885             return( ret );
1886         }
1887     }
1888
1889     SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
1890
1891     return( ret );
1892 }
1893
1894 /*
1895  * Free an SSL context
1896  */
1897 void ssl_free( ssl_context *ssl )
1898 {
1899     SSL_DEBUG_MSG( 2, ( "=> free" ) );
1900
1901     if( ssl->peer_cert != NULL )
1902     {
1903         x509_free( ssl->peer_cert );
1904         memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1905           free( ssl->peer_cert );
1906     }
1907
1908     if( ssl->out_ctr != NULL )
1909     {
1910         memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1911           free( ssl->out_ctr );
1912     }
1913
1914     if( ssl->in_ctr != NULL )
1915     {
1916         memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
1917           free( ssl->in_ctr );
1918     }
1919
1920 #if defined(XYSSL_DHM_C)
1921     dhm_free( &ssl->dhm_ctx );
1922 #endif
1923
1924     memset( ssl, 0, sizeof( ssl_context ) );
1925
1926     SSL_DEBUG_MSG( 2, ( "<= free" ) );
1927 }
1928
1929 #endif