TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5121ce5bdbc92e134a42220a1aa23f95037c7625 / . / library / ssl_tls.c
blob: 72d98b8fe993fda5055b3482f5894805c80e5d3a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame^]1/*
2 * SSLv3/TLSv1 shared functions
3 *
4 * Copyright (C) 2006-2007 Christophe Devine
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 */
20/*
21 * The SSL 3.0 specification was drafted by Netscape in 1996,
22 * and became an IETF standard in 1999.
23 *
24 * http://wp.netscape.com/eng/ssl3/
25 * http://www.ietf.org/rfc/rfc2246.txt
26 * http://www.ietf.org/rfc/rfc4346.txt
27 */
28
29#include "xyssl/config.h"
30
31#if defined(XYSSL_SSL_TLS_C)
32
33#include "xyssl/aes.h"
34#include "xyssl/arc4.h"
35#include "xyssl/des.h"
36#include "xyssl/debug.h"
37#include "xyssl/ssl.h"
38
39#include <string.h>
40#include <stdlib.h>
41#include <time.h>
42
43/*
44 * Key material generation
45 */
46static int tls1_prf( unsigned char *secret, int slen, char *label,
47 unsigned char *random, int rlen,
48 unsigned char *dstbuf, int dlen )
49{
50 int nb, hs;
51 int i, j, k;
52 unsigned char *S1, *S2;
53 unsigned char tmp[128];
54 unsigned char h_i[20];
55
56 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
57 return( XYSSL_ERR_SSL_BAD_INPUT_DATA );
58
59 hs = ( slen + 1 ) / 2;
60 S1 = secret;
61 S2 = secret + slen - hs;
62
63 nb = strlen( label );
64 memcpy( tmp + 20, label, nb );
65 memcpy( tmp + 20 + nb, random, rlen );
66 nb += rlen;
67
68 /*
69 * First compute P_md5(secret,label+random)[0..dlen]
70 */
71 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
72
73 for( i = 0; i < dlen; i += 16 )
74 {
75 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
76 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
77
78 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
79
80 for( j = 0; j < k; j++ )
81 dstbuf[i + j] = h_i[j];
82 }
83
84 /*
85 * XOR out with P_sha1(secret,label+random)[0..dlen]
86 */
87 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
88
89 for( i = 0; i < dlen; i += 20 )
90 {
91 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
92 sha1_hmac( S2, hs, tmp, 20, tmp );
93
94 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
95
96 for( j = 0; j < k; j++ )
97 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
98 }
99
100 memset( tmp, 0, sizeof( tmp ) );
101 memset( h_i, 0, sizeof( h_i ) );
102
103 return( 0 );
104}
105
106int ssl_derive_keys( ssl_context *ssl )
107{
108 int i;
109 md5_context md5;
110 sha1_context sha1;
111 unsigned char tmp[64];
112 unsigned char padding[16];
113 unsigned char sha1sum[20];
114 unsigned char keyblk[256];
115 unsigned char *key1;
116 unsigned char *key2;
117
118 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
119
120 /*
121 * SSLv3:
122 * master =
123 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
124 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
125 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
126 *
127 * TLSv1:
128 * master = PRF( premaster, "master secret", randbytes )[0..47]
129 */
130 if( ssl->resume == 0 )
131 {
132 int len = ssl->pmslen;
133
134 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
135
136 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
137 {
138 for( i = 0; i < 3; i++ )
139 {
140 memset( padding, 'A' + i, 1 + i );
141
142 sha1_starts( &sha1 );
143 sha1_update( &sha1, padding, 1 + i );
144 sha1_update( &sha1, ssl->premaster, len );
145 sha1_update( &sha1, ssl->randbytes, 64 );
146 sha1_finish( &sha1, sha1sum );
147
148 md5_starts( &md5 );
149 md5_update( &md5, ssl->premaster, len );
150 md5_update( &md5, sha1sum, 20 );
151 md5_finish( &md5, ssl->session->master + i * 16 );
152 }
153 }
154 else
155 tls1_prf( ssl->premaster, len, "master secret",
156 ssl->randbytes, 64, ssl->session->master, 48 );
157
158 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
159 }
160 else
161 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
162
163 /*
164 * Swap the client and server random values.
165 */
166 memcpy( tmp, ssl->randbytes, 64 );
167 memcpy( ssl->randbytes, tmp + 32, 32 );
168 memcpy( ssl->randbytes + 32, tmp, 32 );
169 memset( tmp, 0, sizeof( tmp ) );
170
171 /*
172 * SSLv3:
173 * key block =
174 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
175 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
176 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
177 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
178 * ...
179 *
180 * TLSv1:
181 * key block = PRF( master, "key expansion", randbytes )
182 */
183 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
184 {
185 for( i = 0; i < 16; i++ )
186 {
187 memset( padding, 'A' + i, 1 + i );
188
189 sha1_starts( &sha1 );
190 sha1_update( &sha1, padding, 1 + i );
191 sha1_update( &sha1, ssl->session->master, 48 );
192 sha1_update( &sha1, ssl->randbytes, 64 );
193 sha1_finish( &sha1, sha1sum );
194
195 md5_starts( &md5 );
196 md5_update( &md5, ssl->session->master, 48 );
197 md5_update( &md5, sha1sum, 20 );
198 md5_finish( &md5, keyblk + i * 16 );
199 }
200
201 memset( &md5, 0, sizeof( md5 ) );
202 memset( &sha1, 0, sizeof( sha1 ) );
203
204 memset( padding, 0, sizeof( padding ) );
205 memset( sha1sum, 0, sizeof( sha1sum ) );
206 }
207 else
208 tls1_prf( ssl->session->master, 48, "key expansion",
209 ssl->randbytes, 64, keyblk, 256 );
210
211 SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) );
212 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
213 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
214 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
215
216 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
217
218 /*
219 * Determine the appropriate key, IV and MAC length.
220 */
221 switch( ssl->session->cipher )
222 {
223#if defined(XYSSL_ARC4_C)
224 case SSL_RSA_RC4_128_MD5:
225 ssl->keylen = 16; ssl->minlen = 16;
226 ssl->ivlen = 0; ssl->maclen = 16;
227 break;
228
229 case SSL_RSA_RC4_128_SHA:
230 ssl->keylen = 16; ssl->minlen = 20;
231 ssl->ivlen = 0; ssl->maclen = 20;
232 break;
233#endif
234
235#if defined(XYSSL_DES_C)
236 case SSL_RSA_DES_168_SHA:
237 case SSL_EDH_RSA_DES_168_SHA:
238 ssl->keylen = 24; ssl->minlen = 24;
239 ssl->ivlen = 8; ssl->maclen = 20;
240 break;
241#endif
242
243#if defined(XYSSL_AES_C)
244 case SSL_RSA_AES_128_SHA:
245 ssl->keylen = 16; ssl->minlen = 32;
246 ssl->ivlen = 16; ssl->maclen = 20;
247 break;
248
249 case SSL_RSA_AES_256_SHA:
250 case SSL_EDH_RSA_AES_256_SHA:
251 ssl->keylen = 32; ssl->minlen = 32;
252 ssl->ivlen = 16; ssl->maclen = 20;
253 break;
254#endif
255
256 default:
257 SSL_DEBUG_MSG( 1, ( "cipher %s is not available",
258 ssl_get_cipher( ssl ) ) );
259 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
260 }
261
262 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
263 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
264
265 /*
266 * Finally setup the cipher contexts, IVs and MAC secrets.
267 */
268 if( ssl->endpoint == SSL_IS_CLIENT )
269 {
270 key1 = keyblk + ssl->maclen * 2;
271 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
272
273 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
274 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
275
276 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
277 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
278 ssl->ivlen );
279 }
280 else
281 {
282 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
283 key2 = keyblk + ssl->maclen * 2;
284
285 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
286 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
287
288 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
289 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
290 ssl->ivlen );
291 }
292
293 switch( ssl->session->cipher )
294 {
295#if defined(XYSSL_ARC4_C)
296 case SSL_RSA_RC4_128_MD5:
297 case SSL_RSA_RC4_128_SHA:
298 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
299 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
300 break;
301#endif
302
303#if defined(XYSSL_DES_C)
304 case SSL_RSA_DES_168_SHA:
305 case SSL_EDH_RSA_DES_168_SHA:
306 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
307 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
308 break;
309#endif
310
311#if defined(XYSSL_AES_C)
312 case SSL_RSA_AES_128_SHA:
313 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
314 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
315 break;
316
317 case SSL_RSA_AES_256_SHA:
318 case SSL_EDH_RSA_AES_256_SHA:
319 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
320 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
321 break;
322#endif
323
324 default:
325 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
326 }
327
328 memset( keyblk, 0, sizeof( keyblk ) );
329
330 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
331
332 return( 0 );
333}
334
335void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
336{
337 md5_context md5;
338 sha1_context sha1;
339 unsigned char pad_1[48];
340 unsigned char pad_2[48];
341
342 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
343
344 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
345 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
346
347 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
348 {
349 memset( pad_1, 0x36, 48 );
350 memset( pad_2, 0x5C, 48 );
351
352 md5_update( &md5, ssl->session->master, 48 );
353 md5_update( &md5, pad_1, 48 );
354 md5_finish( &md5, hash );
355
356 md5_starts( &md5 );
357 md5_update( &md5, ssl->session->master, 48 );
358 md5_update( &md5, pad_2, 48 );
359 md5_update( &md5, hash, 16 );
360 md5_finish( &md5, hash );
361
362 sha1_update( &sha1, ssl->session->master, 48 );
363 sha1_update( &sha1, pad_1, 40 );
364 sha1_finish( &sha1, hash + 16 );
365
366 sha1_starts( &sha1 );
367 sha1_update( &sha1, ssl->session->master, 48 );
368 sha1_update( &sha1, pad_2, 40 );
369 sha1_update( &sha1, hash + 16, 20 );
370 sha1_finish( &sha1, hash + 16 );
371 }
372 else /* TLSv1 */
373 {
374 md5_finish( &md5, hash );
375 sha1_finish( &sha1, hash + 16 );
376 }
377
378 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
379 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
380
381 return;
382}
383
384/*
385 * SSLv3.0 MAC functions
386 */
387static void ssl_mac_md5( unsigned char *secret,
388 unsigned char *buf, int len,
389 unsigned char *ctr, int type )
390{
391 unsigned char header[11];
392 unsigned char padding[48];
393 md5_context md5;
394
395 memcpy( header, ctr, 8 );
396 header[ 8] = (unsigned char) type;
397 header[ 9] = (unsigned char)( len >> 8 );
398 header[10] = (unsigned char)( len );
399
400 memset( padding, 0x36, 48 );
401 md5_starts( &md5 );
402 md5_update( &md5, secret, 16 );
403 md5_update( &md5, padding, 48 );
404 md5_update( &md5, header, 11 );
405 md5_update( &md5, buf, len );
406 md5_finish( &md5, buf + len );
407
408 memset( padding, 0x5C, 48 );
409 md5_starts( &md5 );
410 md5_update( &md5, secret, 16 );
411 md5_update( &md5, padding, 48 );
412 md5_update( &md5, buf + len, 16 );
413 md5_finish( &md5, buf + len );
414}
415
416static void ssl_mac_sha1( unsigned char *secret,
417 unsigned char *buf, int len,
418 unsigned char *ctr, int type )
419{
420 unsigned char header[11];
421 unsigned char padding[40];
422 sha1_context sha1;
423
424 memcpy( header, ctr, 8 );
425 header[ 8] = (unsigned char) type;
426 header[ 9] = (unsigned char)( len >> 8 );
427 header[10] = (unsigned char)( len );
428
429 memset( padding, 0x36, 40 );
430 sha1_starts( &sha1 );
431 sha1_update( &sha1, secret, 20 );
432 sha1_update( &sha1, padding, 40 );
433 sha1_update( &sha1, header, 11 );
434 sha1_update( &sha1, buf, len );
435 sha1_finish( &sha1, buf + len );
436
437 memset( padding, 0x5C, 40 );
438 sha1_starts( &sha1 );
439 sha1_update( &sha1, secret, 20 );
440 sha1_update( &sha1, padding, 40 );
441 sha1_update( &sha1, buf + len, 20 );
442 sha1_finish( &sha1, buf + len );
443}
444
445/*
446 * Encryption/decryption functions
447 */
448static int ssl_encrypt_buf( ssl_context *ssl )
449{
450 int i, padlen;
451
452 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
453
454 /*
455 * Add MAC then encrypt
456 */
457 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
458 {
459 if( ssl->maclen == 16 )
460 ssl_mac_md5( ssl->mac_enc,
461 ssl->out_msg, ssl->out_msglen,
462 ssl->out_ctr, ssl->out_msgtype );
463
464 if( ssl->maclen == 20 )
465 ssl_mac_sha1( ssl->mac_enc,
466 ssl->out_msg, ssl->out_msglen,
467 ssl->out_ctr, ssl->out_msgtype );
468 }
469 else
470 {
471 if( ssl->maclen == 16 )
472 md5_hmac( ssl->mac_enc, 16,
473 ssl->out_ctr, ssl->out_msglen + 13,
474 ssl->out_msg + ssl->out_msglen );
475
476 if( ssl->maclen == 20 )
477 sha1_hmac( ssl->mac_enc, 20,
478 ssl->out_ctr, ssl->out_msglen + 13,
479 ssl->out_msg + ssl->out_msglen );
480 }
481
482 SSL_DEBUG_BUF( 4, "computed mac",
483 ssl->out_msg + ssl->out_msglen, ssl->maclen );
484
485 ssl->out_msglen += ssl->maclen;
486
487 for( i = 7; i >= 0; i-- )
488 if( ++ssl->out_ctr[i] != 0 )
489 break;
490
491 if( ssl->ivlen == 0 )
492 {
493#if defined(XYSSL_ARC4_C)
494 padlen = 0;
495
496 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
497 "including %d bytes of padding",
498 ssl->out_msglen, 0 ) );
499
500 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
501 ssl->out_msg, ssl->out_msglen );
502
503 arc4_crypt( (arc4_context *) ssl->ctx_enc,
504 ssl->out_msg, ssl->out_msglen );
505#else
506 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
507#endif
508 }
509 else
510 {
511 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
512 if( padlen == ssl->ivlen )
513 padlen = 0;
514
515 for( i = 0; i <= padlen; i++ )
516 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
517
518 ssl->out_msglen += padlen + 1;
519
520 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
521 "including %d bytes of padding",
522 ssl->out_msglen, padlen + 1 ) );
523
524 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
525 ssl->out_msg, ssl->out_msglen );
526
527 switch( ssl->ivlen )
528 {
529 case 8:
530#if defined(XYSSL_DES_C)
531 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
532 DES_ENCRYPT, ssl->out_msglen,
533 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
534 break;
535#endif
536
537 case 16:
538#if defined(XYSSL_AES_C)
539 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
540 AES_ENCRYPT, ssl->out_msglen,
541 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
542 break;
543#endif
544
545 default:
546 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
547 }
548 }
549
550 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
551
552 return( 0 );
553}
554
555static int ssl_decrypt_buf( ssl_context *ssl )
556{
557 int i, padlen;
558 unsigned char tmp[20];
559
560 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
561
562 if( ssl->in_msglen < ssl->minlen )
563 {
564 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
565 ssl->in_msglen, ssl->minlen ) );
566 return( XYSSL_ERR_SSL_INVALID_MAC );
567 }
568
569 if( ssl->ivlen == 0 )
570 {
571#if defined(XYSSL_ARC4_C)
572 padlen = 0;
573 arc4_crypt( (arc4_context *) ssl->ctx_dec,
574 ssl->in_msg, ssl->in_msglen );
575#else
576 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
577#endif
578 }
579 else
580 {
581 /*
582 * Decrypt and check the padding
583 */
584 if( ssl->in_msglen % ssl->ivlen != 0 )
585 {
586 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
587 ssl->in_msglen, ssl->ivlen ) );
588 return( XYSSL_ERR_SSL_INVALID_MAC );
589 }
590
591 switch( ssl->ivlen )
592 {
593#if defined(XYSSL_DES_C)
594 case 8:
595 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
596 DES_DECRYPT, ssl->in_msglen,
597 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
598 break;
599#endif
600
601#if defined(XYSSL_AES_C)
602 case 16:
603 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
604 AES_DECRYPT, ssl->in_msglen,
605 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
606 break;
607#endif
608
609 default:
610 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
611 }
612
613 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
614
615 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
616 {
617 if( padlen > ssl->ivlen )
618 {
619 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
620 "should be no more than %d",
621 padlen, ssl->ivlen ) );
622 padlen = 0;
623 }
624 }
625 else
626 {
627 /*
628 * TLSv1: always check the padding
629 */
630 for( i = 1; i <= padlen; i++ )
631 {
632 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
633 {
634 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
635 "%02x, but is %02x", padlen - 1,
636 ssl->in_msg[ssl->in_msglen - i] ) );
637 padlen = 0;
638 }
639 }
640 }
641 }
642
643 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
644 ssl->in_msg, ssl->in_msglen );
645
646 /*
647 * Always compute the MAC (RFC4346, CBCTIME).
648 */
649 ssl->in_msglen -= ( ssl->maclen + padlen );
650
651 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
652 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
653
654 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
655
656 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
657 {
658 if( ssl->maclen == 16 )
659 ssl_mac_md5( ssl->mac_dec,
660 ssl->in_msg, ssl->in_msglen,
661 ssl->in_ctr, ssl->in_msgtype );
662 else
663 ssl_mac_sha1( ssl->mac_dec,
664 ssl->in_msg, ssl->in_msglen,
665 ssl->in_ctr, ssl->in_msgtype );
666 }
667 else
668 {
669 if( ssl->maclen == 16 )
670 md5_hmac( ssl->mac_dec, 16,
671 ssl->in_ctr, ssl->in_msglen + 13,
672 ssl->in_msg + ssl->in_msglen );
673 else
674 sha1_hmac( ssl->mac_dec, 20,
675 ssl->in_ctr, ssl->in_msglen + 13,
676 ssl->in_msg + ssl->in_msglen );
677 }
678
679 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
680 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
681 ssl->maclen );
682
683 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
684 ssl->maclen ) != 0 )
685 {
686 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
687 return( XYSSL_ERR_SSL_INVALID_MAC );
688 }
689
690 /*
691 * Finally check the padding length; bad padding
692 * will produce the same error as an invalid MAC.
693 */
694 if( ssl->ivlen != 0 && padlen == 0 )
695 return( XYSSL_ERR_SSL_INVALID_MAC );
696
697 if( ssl->in_msglen == 0 )
698 {
699 ssl->nb_zero++;
700
701 /*
702 * Three or more empty messages may be a DoS attack
703 * (excessive CPU consumption).
704 */
705 if( ssl->nb_zero > 3 )
706 {
707 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
708 "messages, possible DoS attack" ) );
709 return( XYSSL_ERR_SSL_INVALID_MAC );
710 }
711 }
712 else
713 ssl->nb_zero = 0;
714
715 for( i = 7; i >= 0; i-- )
716 if( ++ssl->in_ctr[i] != 0 )
717 break;
718
719 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
720
721 return( 0 );
722}
723
724/*
725 * Fill the input message buffer
726 */
727int ssl_fetch_input( ssl_context *ssl, int nb_want )
728{
729 int ret, len;
730
731 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
732
733 while( ssl->in_left < nb_want )
734 {
735 len = nb_want - ssl->in_left;
736 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
737
738 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
739 ssl->in_left, nb_want ) );
740 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
741
742 if( ret < 0 )
743 return( ret );
744
745 ssl->in_left += ret;
746 }
747
748 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
749
750 return( 0 );
751}
752
753/*
754 * Flush any data not yet written
755 */
756int ssl_flush_output( ssl_context *ssl )
757{
758 int ret;
759 unsigned char *buf;
760
761 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
762
763 while( ssl->out_left > 0 )
764 {
765 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
766 5 + ssl->out_msglen, ssl->out_left ) );
767
768 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
769 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
770 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
771
772 if( ret <= 0 )
773 return( ret );
774
775 ssl->out_left -= ret;
776 }
777
778 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
779
780 return( 0 );
781}
782
783/*
784 * Record layer functions
785 */
786int ssl_write_record( ssl_context *ssl )
787{
788 int ret, len = ssl->out_msglen;
789
790 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
791
792 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
793 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
794 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
795 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
796 ssl->out_hdr[4] = (unsigned char)( len );
797
798 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
799 {
800 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
801 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
802 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
803
804 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
805 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
806 }
807
808 if( ssl->do_crypt != 0 )
809 {
810 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
811 {
812 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
813 return( ret );
814 }
815
816 len = ssl->out_msglen;
817 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
818 ssl->out_hdr[4] = (unsigned char)( len );
819 }
820
821 ssl->out_left = 5 + ssl->out_msglen;
822
823 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
824 "version = [%d:%d], msglen = %d",
825 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
826 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
827
828 SSL_DEBUG_BUF( 4, "output record sent to network",
829 ssl->out_hdr, 5 + ssl->out_msglen );
830
831 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
832 {
833 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
834 return( ret );
835 }
836
837 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
838
839 return( 0 );
840}
841
842int ssl_read_record( ssl_context *ssl )
843{
844 int ret;
845
846 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
847
848 if( ssl->in_hslen != 0 &&
849 ssl->in_hslen < ssl->in_msglen )
850 {
851 /*
852 * Get next Handshake message in the current record
853 */
854 ssl->in_msglen -= ssl->in_hslen;
855
856 memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
857 ssl->in_msglen );
858
859 ssl->in_hslen = 4;
860 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
861
862 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
863 " %d, type = %d, hslen = %d",
864 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
865
866 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
867 {
868 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
869 return( XYSSL_ERR_SSL_INVALID_RECORD );
870 }
871
872 if( ssl->in_msglen < ssl->in_hslen )
873 {
874 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
875 return( XYSSL_ERR_SSL_INVALID_RECORD );
876 }
877
878 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
879 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
880
881 return( 0 );
882 }
883
884 ssl->in_hslen = 0;
885
886 /*
887 * Read the record header and validate it
888 */
889 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
890 {
891 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
892 return( ret );
893 }
894
895 ssl->in_msgtype = ssl->in_hdr[0];
896 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
897
898 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
899 "version = [%d:%d], msglen = %d",
900 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
901 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
902
903 if( ssl->in_hdr[1] != ssl->major_ver )
904 {
905 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
906 return( XYSSL_ERR_SSL_INVALID_RECORD );
907 }
908
909 if( ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
910 ssl->in_hdr[2] != SSL_MINOR_VERSION_1 )
911 {
912 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
913 return( XYSSL_ERR_SSL_INVALID_RECORD );
914 }
915
916 /*
917 * Make sure the message length is acceptable
918 */
919 if( ssl->do_crypt == 0 )
920 {
921 if( ssl->in_msglen < 1 ||
922 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
923 {
924 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
925 return( XYSSL_ERR_SSL_INVALID_RECORD );
926 }
927 }
928 else
929 {
930 if( ssl->in_msglen < ssl->minlen )
931 {
932 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
933 return( XYSSL_ERR_SSL_INVALID_RECORD );
934 }
935
936 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
937 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
938 {
939 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
940 return( XYSSL_ERR_SSL_INVALID_RECORD );
941 }
942
943 /*
944 * TLS encrypted messages can have up to 256 bytes of padding
945 */
946 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
947 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
948 {
949 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
950 return( XYSSL_ERR_SSL_INVALID_RECORD );
951 }
952 }
953
954 /*
955 * Read and optionally decrypt the message contents
956 */
957 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
958 {
959 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
960 return( ret );
961 }
962
963 SSL_DEBUG_BUF( 4, "input record from network",
964 ssl->in_hdr, 5 + ssl->in_msglen );
965
966 if( ssl->do_crypt != 0 )
967 {
968 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
969 {
970 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
971 return( ret );
972 }
973
974 SSL_DEBUG_BUF( 4, "input payload after decrypt",
975 ssl->in_msg, ssl->in_msglen );
976
977 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
978 {
979 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
980 return( XYSSL_ERR_SSL_INVALID_RECORD );
981 }
982 }
983
984 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
985 {
986 ssl->in_hslen = 4;
987 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
988
989 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
990 " %d, type = %d, hslen = %d",
991 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
992
993 /*
994 * Additional checks to validate the handshake header
995 */
996 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
997 {
998 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
999 return( XYSSL_ERR_SSL_INVALID_RECORD );
1000 }
1001
1002 if( ssl->in_msglen < ssl->in_hslen )
1003 {
1004 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
1005 return( XYSSL_ERR_SSL_INVALID_RECORD );
1006 }
1007
1008 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
1009 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
1010 }
1011
1012 if( ssl->in_msgtype == SSL_MSG_ALERT )
1013 {
1014 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
1015 ssl->in_msg[0], ssl->in_msg[1] ) );
1016
1017 /*
1018 * Ignore non-fatal alerts, except close_notify
1019 */
1020 if( ssl->in_msg[0] == SSL_ALERT_FATAL )
1021 {
1022 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
1023 return( XYSSL_ERR_SSL_FATAL_ALERT_MESSAGE | ssl->in_msg[1] );
1024 }
1025
1026 if( ssl->in_msg[0] == SSL_ALERT_WARNING &&
1027 ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY )
1028 {
1029 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
1030 return( XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
1031 }
1032 }
1033
1034 ssl->in_left = 0;
1035
1036 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
1037
1038 return( 0 );
1039}
1040
1041/*
1042 * Handshake functions
1043 */
1044int ssl_write_certificate( ssl_context *ssl )
1045{
1046 int ret, i, n;
1047 x509_cert *crt;
1048
1049 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1050
1051 if( ssl->endpoint == SSL_IS_CLIENT )
1052 {
1053 if( ssl->client_auth == 0 )
1054 {
1055 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1056 ssl->state++;
1057 return( 0 );
1058 }
1059
1060 /*
1061 * If using SSLv3 and got no cert, send an Alert message
1062 * (otherwise an empty Certificate message will be sent).
1063 */
1064 if( ssl->own_cert == NULL &&
1065 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1066 {
1067 ssl->out_msglen = 2;
1068 ssl->out_msgtype = SSL_MSG_ALERT;
1069 ssl->out_msg[0] = SSL_ALERT_WARNING;
1070 ssl->out_msg[1] = SSL_ALERT_NO_CERTIFICATE;
1071
1072 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
1073 goto write_msg;
1074 }
1075 }
1076 else /* SSL_IS_SERVER */
1077 {
1078 if( ssl->own_cert == NULL )
1079 {
1080 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
1081 return( XYSSL_ERR_SSL_CERTIFICATE_REQUIRED );
1082 }
1083 }
1084
1085 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
1086
1087 /*
1088 * 0 . 0 handshake type
1089 * 1 . 3 handshake length
1090 * 4 . 6 length of all certs
1091 * 7 . 9 length of cert. 1
1092 * 10 . n-1 peer certificate
1093 * n . n+2 length of cert. 2
1094 * n+3 . ... upper level cert, etc.
1095 */
1096 i = 7;
1097 crt = ssl->own_cert;
1098
1099 while( crt != NULL && crt->next != NULL )
1100 {
1101 n = crt->raw.len;
1102 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
1103 {
1104 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
1105 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
1106 return( XYSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
1107 }
1108
1109 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
1110 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
1111 ssl->out_msg[i + 2] = (unsigned char)( n );
1112
1113 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1114 i += n; crt = crt->next;
1115 }
1116
1117 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
1118 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
1119 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
1120
1121 ssl->out_msglen = i;
1122 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1123 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1124
1125write_msg:
1126
1127 ssl->state++;
1128
1129 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1130 {
1131 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1132 return( ret );
1133 }
1134
1135 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1136
1137 return( 0 );
1138}
1139
1140int ssl_parse_certificate( ssl_context *ssl )
1141{
1142 int ret, i, n;
1143
1144 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1145
1146 if( ssl->endpoint == SSL_IS_SERVER &&
1147 ssl->authmode == SSL_VERIFY_NONE )
1148 {
1149 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1150 ssl->state++;
1151 return( 0 );
1152 }
1153
1154 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1155 {
1156 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1157 return( ret );
1158 }
1159
1160 ssl->state++;
1161
1162 /*
1163 * Check if the client sent an empty certificate
1164 */
1165 if( ssl->endpoint == SSL_IS_SERVER &&
1166 ssl->minor_ver == SSL_MINOR_VERSION_0 )
1167 {
1168 if( ssl->in_msglen == 2 &&
1169 ssl->in_msgtype == SSL_MSG_ALERT &&
1170 ssl->in_msg[0] == SSL_ALERT_WARNING &&
1171 ssl->in_msg[1] == SSL_ALERT_NO_CERTIFICATE )
1172 {
1173 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
1174
1175 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
1176 return( 0 );
1177 else
1178 return( XYSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
1179 }
1180 }
1181
1182 if( ssl->endpoint == SSL_IS_SERVER &&
1183 ssl->minor_ver != SSL_MINOR_VERSION_0 )
1184 {
1185 if( ssl->in_hslen == 7 &&
1186 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1187 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1188 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
1189 {
1190 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1191
1192 if( ssl->authmode == SSL_VERIFY_REQUIRED )
1193 return( XYSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
1194 else
1195 return( 0 );
1196 }
1197 }
1198
1199 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1200 {
1201 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1202 return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1203 }
1204
1205 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
1206 {
1207 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1208 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1209 }
1210
1211 /*
1212 * Same message structure as in ssl_write_certificate()
1213 */
1214 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
1215
1216 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
1217 {
1218 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1219 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1220 }
1221
1222 if( ( ssl->peer_cert = (x509_cert *) malloc(
1223 sizeof( x509_cert ) ) ) == NULL )
1224 {
1225 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
1226 sizeof( x509_cert ) ) );
1227 return( 1 );
1228 }
1229
1230 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1231
1232 i = 7;
1233
1234 while( i < ssl->in_hslen )
1235 {
1236 if( ssl->in_msg[i] != 0 )
1237 {
1238 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1239 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1240 }
1241
1242 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1243 | (unsigned int) ssl->in_msg[i + 2];
1244 i += 3;
1245
1246 if( n < 128 || i + n > ssl->in_hslen )
1247 {
1248 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1249 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
1250 }
1251
1252 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
1253 if( ret != 0 )
1254 {
1255 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
1256 return( ret );
1257 }
1258
1259 i += n;
1260 }
1261
1262 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
1263
1264 if( ssl->authmode != SSL_VERIFY_NONE )
1265 {
1266 if( ssl->ca_chain == NULL )
1267 {
1268 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
1269 return( XYSSL_ERR_SSL_CA_CHAIN_REQUIRED );
1270 }
1271
1272 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain,
1273 ssl->peer_cn, &ssl->verify_result );
1274
1275 if( ret != 0 )
1276 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
1277
1278 if( ssl->authmode != SSL_VERIFY_REQUIRED )
1279 ret = 0;
1280 }
1281
1282 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
1283
1284 return( ret );
1285}
1286
1287int ssl_write_change_cipher_spec( ssl_context *ssl )
1288{
1289 int ret;
1290
1291 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1292
1293 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1294 ssl->out_msglen = 1;
1295 ssl->out_msg[0] = 1;
1296
1297 ssl->do_crypt = 0;
1298 ssl->state++;
1299
1300 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1301 {
1302 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1303 return( ret );
1304 }
1305
1306 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1307
1308 return( 0 );
1309}
1310
1311int ssl_parse_change_cipher_spec( ssl_context *ssl )
1312{
1313 int ret;
1314
1315 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
1316
1317 ssl->do_crypt = 0;
1318
1319 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1320 {
1321 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1322 return( ret );
1323 }
1324
1325 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
1326 {
1327 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
1328 return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1329 }
1330
1331 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
1332 {
1333 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
1334 return( XYSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
1335 }
1336
1337 ssl->state++;
1338
1339 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
1340
1341 return( 0 );
1342}
1343
1344static void ssl_calc_finished(
1345 ssl_context *ssl, unsigned char *buf, int from,
1346 md5_context *md5, sha1_context *sha1 )
1347{
1348 int len = 12;
1349 char *sender;
1350 unsigned char padbuf[48];
1351 unsigned char md5sum[16];
1352 unsigned char sha1sum[20];
1353
1354 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
1355
1356 /*
1357 * SSLv3:
1358 * hash =
1359 * MD5( master + pad2 +
1360 * MD5( handshake + sender + master + pad1 ) )
1361 * + SHA1( master + pad2 +
1362 * SHA1( handshake + sender + master + pad1 ) )
1363 *
1364 * TLSv1:
1365 * hash = PRF( master, finished_label,
1366 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1367 */
1368
1369 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
1370 md5->state, sizeof( md5->state ) );
1371
1372 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
1373 sha1->state, sizeof( sha1->state ) );
1374
1375 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
1376 {
1377 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
1378 : (char *) "SRVR";
1379
1380 memset( padbuf, 0x36, 48 );
1381
1382 md5_update( md5, (unsigned char *) sender, 4 );
1383 md5_update( md5, ssl->session->master, 48 );
1384 md5_update( md5, padbuf, 48 );
1385 md5_finish( md5, md5sum );
1386
1387 sha1_update( sha1, (unsigned char *) sender, 4 );
1388 sha1_update( sha1, ssl->session->master, 48 );
1389 sha1_update( sha1, padbuf, 40 );
1390 sha1_finish( sha1, sha1sum );
1391
1392 memset( padbuf, 0x5C, 48 );
1393
1394 md5_starts( md5 );
1395 md5_update( md5, ssl->session->master, 48 );
1396 md5_update( md5, padbuf, 48 );
1397 md5_update( md5, md5sum, 16 );
1398 md5_finish( md5, buf );
1399
1400 sha1_starts( sha1 );
1401 sha1_update( sha1, ssl->session->master, 48 );
1402 sha1_update( sha1, padbuf , 40 );
1403 sha1_update( sha1, sha1sum, 20 );
1404 sha1_finish( sha1, buf + 16 );
1405
1406 len += 24;
1407 }
1408 else
1409 {
1410 sender = ( from == SSL_IS_CLIENT )
1411 ? (char *) "client finished"
1412 : (char *) "server finished";
1413
1414 md5_finish( md5, padbuf );
1415 sha1_finish( sha1, padbuf + 16 );
1416
1417 tls1_prf( ssl->session->master, 48, sender,
1418 padbuf, 36, buf, len );
1419 }
1420
1421 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
1422
1423 memset( md5, 0, sizeof( md5_context ) );
1424 memset( sha1, 0, sizeof( sha1_context ) );
1425
1426 memset( padbuf, 0, sizeof( padbuf ) );
1427 memset( md5sum, 0, sizeof( md5sum ) );
1428 memset( sha1sum, 0, sizeof( sha1sum ) );
1429
1430 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
1431}
1432
1433int ssl_write_finished( ssl_context *ssl )
1434{
1435 int ret, hash_len;
1436 md5_context md5;
1437 sha1_context sha1;
1438
1439 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
1440
1441 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1442 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1443
1444 ssl_calc_finished( ssl, ssl->out_msg + 4,
1445 ssl->endpoint, &md5, &sha1 );
1446
1447 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1448
1449 ssl->out_msglen = 4 + hash_len;
1450 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1451 ssl->out_msg[0] = SSL_HS_FINISHED;
1452
1453 /*
1454 * In case of session resuming, invert the client and server
1455 * ChangeCipherSpec messages order.
1456 */
1457 if( ssl->resume != 0 )
1458 {
1459 if( ssl->endpoint == SSL_IS_CLIENT )
1460 ssl->state = SSL_HANDSHAKE_OVER;
1461 else
1462 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1463 }
1464 else
1465 ssl->state++;
1466
1467 ssl->do_crypt = 1;
1468
1469 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1470 {
1471 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1472 return( ret );
1473 }
1474
1475 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
1476
1477 return( 0 );
1478}
1479
1480int ssl_parse_finished( ssl_context *ssl )
1481{
1482 int ret, hash_len;
1483 md5_context md5;
1484 sha1_context sha1;
1485 unsigned char buf[36];
1486
1487 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
1488
1489 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
1490 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
1491
1492 ssl->do_crypt = 1;
1493
1494 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1495 {
1496 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1497 return( ret );
1498 }
1499
1500 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
1501 {
1502 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1503 return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1504 }
1505
1506 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
1507
1508 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
1509 ssl->in_hslen != 4 + hash_len )
1510 {
1511 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1512 return( XYSSL_ERR_SSL_BAD_HS_FINISHED );
1513 }
1514
1515 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
1516
1517 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
1518 {
1519 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
1520 return( XYSSL_ERR_SSL_BAD_HS_FINISHED );
1521 }
1522
1523 if( ssl->resume != 0 )
1524 {
1525 if( ssl->endpoint == SSL_IS_CLIENT )
1526 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1527
1528 if( ssl->endpoint == SSL_IS_SERVER )
1529 ssl->state = SSL_HANDSHAKE_OVER;
1530 }
1531 else
1532 ssl->state++;
1533
1534 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
1535
1536 return( 0 );
1537}
1538
1539/*
1540 * Initialize an SSL context
1541 */
1542int ssl_init( ssl_context *ssl )
1543{
1544 int len = SSL_BUFFER_LEN;
1545
1546 memset( ssl, 0, sizeof( ssl_context ) );
1547
1548 ssl->in_ctr = (unsigned char *) malloc( len );
1549 ssl->in_hdr = ssl->in_ctr + 8;
1550 ssl->in_msg = ssl->in_ctr + 13;
1551
1552 if( ssl->in_ctr == NULL )
1553 {
1554 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1555 return( 1 );
1556 }
1557
1558 ssl->out_ctr = (unsigned char *) malloc( len );
1559 ssl->out_hdr = ssl->out_ctr + 8;
1560 ssl->out_msg = ssl->out_ctr + 13;
1561
1562 if( ssl->out_ctr == NULL )
1563 {
1564 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
1565 free( ssl-> in_ctr );
1566 return( 1 );
1567 }
1568
1569 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
1570 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1571
1572 ssl->hostname = NULL;
1573 ssl->hostname_len = 0;
1574
1575 md5_starts( &ssl->fin_md5 );
1576 sha1_starts( &ssl->fin_sha1 );
1577
1578 return( 0 );
1579}
1580
1581/*
1582 * SSL set accessors
1583 */
1584void ssl_set_endpoint( ssl_context *ssl, int endpoint )
1585{
1586 ssl->endpoint = endpoint;
1587}
1588
1589void ssl_set_authmode( ssl_context *ssl, int authmode )
1590{
1591 ssl->authmode = authmode;
1592}
1593
1594void ssl_set_rng( ssl_context *ssl,
1595 int (*f_rng)(void *),
1596 void *p_rng )
1597{
1598 ssl->f_rng = f_rng;
1599 ssl->p_rng = p_rng;
1600}
1601
1602void ssl_set_dbg( ssl_context *ssl,
1603 void (*f_dbg)(void *, int, char *),
1604 void *p_dbg )
1605{
1606 ssl->f_dbg = f_dbg;
1607 ssl->p_dbg = p_dbg;
1608}
1609
1610void ssl_set_bio( ssl_context *ssl,
1611 int (*f_recv)(void *, unsigned char *, int), void *p_recv,
1612 int (*f_send)(void *, unsigned char *, int), void *p_send )
1613{
1614 ssl->f_recv = f_recv;
1615 ssl->f_send = f_send;
1616 ssl->p_recv = p_recv;
1617 ssl->p_send = p_send;
1618}
1619
1620void ssl_set_scb( ssl_context *ssl,
1621 int (*s_get)(ssl_context *),
1622 int (*s_set)(ssl_context *) )
1623{
1624 ssl->s_get = s_get;
1625 ssl->s_set = s_set;
1626}
1627
1628void ssl_set_session( ssl_context *ssl, int resume, int timeout,
1629 ssl_session *session )
1630{
1631 ssl->resume = resume;
1632 ssl->timeout = timeout;
1633 ssl->session = session;
1634}
1635
1636void ssl_set_ciphers( ssl_context *ssl, int *ciphers )
1637{
1638 ssl->ciphers = ciphers;
1639}
1640
1641void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
1642 char *peer_cn )
1643{
1644 ssl->ca_chain = ca_chain;
1645 ssl->peer_cn = peer_cn;
1646}
1647
1648void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
1649 rsa_context *rsa_key )
1650{
1651 ssl->own_cert = own_cert;
1652 ssl->rsa_key = rsa_key;
1653}
1654
1655int ssl_set_dh_param( ssl_context *ssl, char *dhm_P, char *dhm_G )
1656{
1657 int ret;
1658
1659 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
1660 {
1661 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1662 return( ret );
1663 }
1664
1665 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
1666 {
1667 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
1668 return( ret );
1669 }
1670
1671 return( 0 );
1672}
1673
1674int ssl_set_hostname( ssl_context *ssl, char *hostname )
1675{
1676 if( hostname == NULL )
1677 return( XYSSL_ERR_SSL_BAD_INPUT_DATA );
1678
1679 ssl->hostname_len = strlen( hostname );
1680 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len );
1681
1682 memcpy( ssl->hostname, (unsigned char *) hostname,
1683 ssl->hostname_len );
1684
1685 return( 0 );
1686}
1687
1688/*
1689 * SSL get accessors
1690 */
1691int ssl_get_bytes_avail( ssl_context *ssl )
1692{
1693 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
1694}
1695
1696int ssl_get_verify_result( ssl_context *ssl )
1697{
1698 return( ssl->verify_result );
1699}
1700
1701char *ssl_get_cipher( ssl_context *ssl )
1702{
1703 switch( ssl->session->cipher )
1704 {
1705#if defined(XYSSL_ARC4_C)
1706 case SSL_RSA_RC4_128_MD5:
1707 return( "SSL_RSA_RC4_128_MD5" );
1708
1709 case SSL_RSA_RC4_128_SHA:
1710 return( "SSL_RSA_RC4_128_SHA" );
1711#endif
1712
1713#if defined(XYSSL_DES_C)
1714 case SSL_RSA_DES_168_SHA:
1715 return( "SSL_RSA_DES_168_SHA" );
1716
1717 case SSL_EDH_RSA_DES_168_SHA:
1718 return( "SSL_EDH_RSA_DES_168_SHA" );
1719#endif
1720
1721#if defined(XYSSL_AES_C)
1722 case SSL_RSA_AES_128_SHA:
1723 return( "SSL_RSA_AES_128_SHA" );
1724
1725 case SSL_RSA_AES_256_SHA:
1726 return( "SSL_RSA_AES_256_SHA" );
1727
1728 case SSL_EDH_RSA_AES_256_SHA:
1729 return( "SSL_EDH_RSA_AES_256_SHA" );
1730#endif
1731
1732 default:
1733 break;
1734 }
1735
1736 return( "unknown" );
1737}
1738
1739int ssl_default_ciphers[] =
1740{
1741#if defined(XYSSL_DHM_C)
1742#if defined(XYSSL_AES_C)
1743 SSL_EDH_RSA_AES_256_SHA,
1744#endif
1745#if defined(XYSSL_DES_C)
1746 SSL_EDH_RSA_DES_168_SHA,
1747#endif
1748#endif
1749
1750#if defined(XYSSL_AES_C)
1751 SSL_RSA_AES_128_SHA,
1752 SSL_RSA_AES_256_SHA,
1753#endif
1754#if defined(XYSSL_DES_C)
1755 SSL_RSA_DES_168_SHA,
1756#endif
1757#if defined(XYSSL_ARC4_C)
1758 SSL_RSA_RC4_128_SHA,
1759 SSL_RSA_RC4_128_MD5,
1760#endif
1761 0
1762};
1763
1764/*
1765 * Perform the SSL handshake
1766 */
1767int ssl_handshake( ssl_context *ssl )
1768{
1769 int ret = XYSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1770
1771 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
1772
1773#if defined(XYSSL_SSL_CLI_C)
1774 if( ssl->endpoint == SSL_IS_CLIENT )
1775 ret = ssl_handshake_client( ssl );
1776#endif
1777
1778#if defined(XYSSL_SSL_SRV_C)
1779 if( ssl->endpoint == SSL_IS_SERVER )
1780 ret = ssl_handshake_server( ssl );
1781#endif
1782
1783 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
1784
1785 return( ret );
1786}
1787
1788/*
1789 * Receive application data decrypted from the SSL layer
1790 */
1791int ssl_read( ssl_context *ssl, unsigned char *buf, int len )
1792{
1793 int ret, n;
1794
1795 SSL_DEBUG_MSG( 2, ( "=> read" ) );
1796
1797 if( ssl->state != SSL_HANDSHAKE_OVER )
1798 {
1799 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1800 {
1801 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1802 return( ret );
1803 }
1804 }
1805
1806 if( ssl->in_offt == NULL )
1807 {
1808 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1809 {
1810 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1811 return( ret );
1812 }
1813
1814 if( ssl->in_msglen == 0 &&
1815 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
1816 {
1817 /*
1818 * OpenSSL sends empty messages to randomize the IV
1819 */
1820 if( ( ret = ssl_read_record( ssl ) ) != 0 )
1821 {
1822 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
1823 return( ret );
1824 }
1825 }
1826
1827 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
1828 {
1829 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
1830 return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
1831 }
1832
1833 ssl->in_offt = ssl->in_msg;
1834 }
1835
1836 n = ( len < ssl->in_msglen )
1837 ? len : ssl->in_msglen;
1838
1839 memcpy( buf, ssl->in_offt, n );
1840 ssl->in_msglen -= n;
1841
1842 if( ssl->in_msglen == 0 )
1843 /* all bytes consumed */
1844 ssl->in_offt = NULL;
1845 else
1846 /* more data available */
1847 ssl->in_offt += n;
1848
1849 SSL_DEBUG_MSG( 2, ( "<= read" ) );
1850
1851 return( n );
1852}
1853
1854/*
1855 * Send application data to be encrypted by the SSL layer
1856 */
1857int ssl_write( ssl_context *ssl, unsigned char *buf, int len )
1858{
1859 int ret, n;
1860
1861 SSL_DEBUG_MSG( 2, ( "=> write" ) );
1862
1863 if( ssl->state != SSL_HANDSHAKE_OVER )
1864 {
1865 if( ( ret = ssl_handshake( ssl ) ) != 0 )
1866 {
1867 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
1868 return( ret );
1869 }
1870 }
1871
1872 n = ( len < SSL_MAX_CONTENT_LEN )
1873 ? len : SSL_MAX_CONTENT_LEN;
1874
1875 if( ssl->out_left != 0 )
1876 {
1877 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1878 {
1879 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1880 return( ret );
1881 }
1882 }
1883 else
1884 {
1885 ssl->out_msglen = n;
1886 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
1887 memcpy( ssl->out_msg, buf, n );
1888
1889 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1890 {
1891 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1892 return( ret );
1893 }
1894 }
1895
1896 SSL_DEBUG_MSG( 2, ( "<= write" ) );
1897
1898 return( n );
1899}
1900
1901/*
1902 * Notify the peer that the connection is being closed
1903 */
1904int ssl_close_notify( ssl_context *ssl )
1905{
1906 int ret;
1907
1908 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
1909
1910 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
1911 {
1912 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
1913 return( ret );
1914 }
1915
1916 if( ssl->state == SSL_HANDSHAKE_OVER )
1917 {
1918 ssl->out_msgtype = SSL_MSG_ALERT;
1919 ssl->out_msglen = 2;
1920 ssl->out_msg[0] = SSL_ALERT_WARNING;
1921 ssl->out_msg[1] = SSL_ALERT_CLOSE_NOTIFY;
1922
1923 if( ( ret = ssl_write_record( ssl ) ) != 0 )
1924 {
1925 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
1926 return( ret );
1927 }
1928 }
1929
1930 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
1931
1932 return( ret );
1933}
1934
1935/*
1936 * Free an SSL context
1937 */
1938void ssl_free( ssl_context *ssl )
1939{
1940 SSL_DEBUG_MSG( 2, ( "=> free" ) );
1941
1942 if( ssl->peer_cert != NULL )
1943 {
1944 x509_free( ssl->peer_cert );
1945 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
1946 free( ssl->peer_cert );
1947 }
1948
1949 if( ssl->out_ctr != NULL )
1950 {
1951 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
1952 free( ssl->out_ctr );
1953 }
1954
1955 if( ssl->in_ctr != NULL )
1956 {
1957 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
1958 free( ssl->in_ctr );
1959 }
1960
1961#if defined(XYSSL_DHM_C)
1962 dhm_free( &ssl->dhm_ctx );
1963#endif
1964
1965 if ( ssl->hostname != NULL)
1966 {
1967 memset( ssl->hostname, 0, ssl->hostname_len );
1968 free( ssl->hostname );
1969 ssl->hostname_len = 0;
1970 }
1971
1972 memset( ssl, 0, sizeof( ssl_context ) );
1973
1974 SSL_DEBUG_MSG( 2, ( "<= free" ) );
1975}
1976
1977#endif