00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029 #include "xyssl/config.h"
00030
00031 #if defined(XYSSL_SSL_TLS_C)
00032
00033 #include "xyssl/aes.h"
00034 #include "xyssl/arc4.h"
00035 #include "xyssl/des.h"
00036 #include "xyssl/debug.h"
00037 #include "xyssl/ssl.h"
00038
00039 #include <string.h>
00040 #include <stdlib.h>
00041 #include <time.h>
00042
00043
00044
00045
00046 static int tls1_prf( unsigned char *secret, int slen, char *label,
00047 unsigned char *random, int rlen,
00048 unsigned char *dstbuf, int dlen )
00049 {
00050 int nb, hs;
00051 int i, j, k;
00052 unsigned char *S1, *S2;
00053 unsigned char tmp[128];
00054 unsigned char h_i[20];
00055
00056 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
00057 return( XYSSL_ERR_SSL_BAD_INPUT_DATA );
00058
00059 hs = ( slen + 1 ) / 2;
00060 S1 = secret;
00061 S2 = secret + slen - hs;
00062
00063 nb = strlen( label );
00064 memcpy( tmp + 20, label, nb );
00065 memcpy( tmp + 20 + nb, random, rlen );
00066 nb += rlen;
00067
00068
00069
00070
00071 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
00072
00073 for( i = 0; i < dlen; i += 16 )
00074 {
00075 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
00076 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp );
00077
00078 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
00079
00080 for( j = 0; j < k; j++ )
00081 dstbuf[i + j] = h_i[j];
00082 }
00083
00084
00085
00086
00087 sha1_hmac( S2, hs, tmp + 20, nb, tmp );
00088
00089 for( i = 0; i < dlen; i += 20 )
00090 {
00091 sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
00092 sha1_hmac( S2, hs, tmp, 20, tmp );
00093
00094 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
00095
00096 for( j = 0; j < k; j++ )
00097 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
00098 }
00099
00100 memset( tmp, 0, sizeof( tmp ) );
00101 memset( h_i, 0, sizeof( h_i ) );
00102
00103 return( 0 );
00104 }
00105
00106 int ssl_derive_keys( ssl_context *ssl )
00107 {
00108 int i;
00109 md5_context md5;
00110 sha1_context sha1;
00111 unsigned char tmp[64];
00112 unsigned char padding[16];
00113 unsigned char sha1sum[20];
00114 unsigned char keyblk[256];
00115 unsigned char *key1;
00116 unsigned char *key2;
00117
00118 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
00119
00120
00121
00122
00123
00124
00125
00126
00127
00128
00129
00130 if( ssl->resume == 0 )
00131 {
00132 int len = ssl->pmslen;
00133
00134 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len );
00135
00136 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00137 {
00138 for( i = 0; i < 3; i++ )
00139 {
00140 memset( padding, 'A' + i, 1 + i );
00141
00142 sha1_starts( &sha1 );
00143 sha1_update( &sha1, padding, 1 + i );
00144 sha1_update( &sha1, ssl->premaster, len );
00145 sha1_update( &sha1, ssl->randbytes, 64 );
00146 sha1_finish( &sha1, sha1sum );
00147
00148 md5_starts( &md5 );
00149 md5_update( &md5, ssl->premaster, len );
00150 md5_update( &md5, sha1sum, 20 );
00151 md5_finish( &md5, ssl->session->master + i * 16 );
00152 }
00153 }
00154 else
00155 tls1_prf( ssl->premaster, len, "master secret",
00156 ssl->randbytes, 64, ssl->session->master, 48 );
00157
00158 memset( ssl->premaster, 0, sizeof( ssl->premaster ) );
00159 }
00160 else
00161 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
00162
00163
00164
00165
00166 memcpy( tmp, ssl->randbytes, 64 );
00167 memcpy( ssl->randbytes, tmp + 32, 32 );
00168 memcpy( ssl->randbytes + 32, tmp, 32 );
00169 memset( tmp, 0, sizeof( tmp ) );
00170
00171
00172
00173
00174
00175
00176
00177
00178
00179
00180
00181
00182
00183 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00184 {
00185 for( i = 0; i < 16; i++ )
00186 {
00187 memset( padding, 'A' + i, 1 + i );
00188
00189 sha1_starts( &sha1 );
00190 sha1_update( &sha1, padding, 1 + i );
00191 sha1_update( &sha1, ssl->session->master, 48 );
00192 sha1_update( &sha1, ssl->randbytes, 64 );
00193 sha1_finish( &sha1, sha1sum );
00194
00195 md5_starts( &md5 );
00196 md5_update( &md5, ssl->session->master, 48 );
00197 md5_update( &md5, sha1sum, 20 );
00198 md5_finish( &md5, keyblk + i * 16 );
00199 }
00200
00201 memset( &md5, 0, sizeof( md5 ) );
00202 memset( &sha1, 0, sizeof( sha1 ) );
00203
00204 memset( padding, 0, sizeof( padding ) );
00205 memset( sha1sum, 0, sizeof( sha1sum ) );
00206 }
00207 else
00208 tls1_prf( ssl->session->master, 48, "key expansion",
00209 ssl->randbytes, 64, keyblk, 256 );
00210
00211 SSL_DEBUG_MSG( 3, ( "cipher = %s", ssl_get_cipher( ssl ) ) );
00212 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 );
00213 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 );
00214 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
00215
00216 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) );
00217
00218
00219
00220
00221 switch( ssl->session->cipher )
00222 {
00223 #if defined(XYSSL_ARC4_C)
00224 case SSL_RSA_RC4_128_MD5:
00225 ssl->keylen = 16; ssl->minlen = 16;
00226 ssl->ivlen = 0; ssl->maclen = 16;
00227 break;
00228
00229 case SSL_RSA_RC4_128_SHA:
00230 ssl->keylen = 16; ssl->minlen = 20;
00231 ssl->ivlen = 0; ssl->maclen = 20;
00232 break;
00233 #endif
00234
00235 #if defined(XYSSL_DES_C)
00236 case SSL_RSA_DES_168_SHA:
00237 case SSL_EDH_RSA_DES_168_SHA:
00238 ssl->keylen = 24; ssl->minlen = 24;
00239 ssl->ivlen = 8; ssl->maclen = 20;
00240 break;
00241 #endif
00242
00243 #if defined(XYSSL_AES_C)
00244 case SSL_RSA_AES_128_SHA:
00245 ssl->keylen = 16; ssl->minlen = 32;
00246 ssl->ivlen = 16; ssl->maclen = 20;
00247 break;
00248
00249 case SSL_RSA_AES_256_SHA:
00250 case SSL_EDH_RSA_AES_256_SHA:
00251 ssl->keylen = 32; ssl->minlen = 32;
00252 ssl->ivlen = 16; ssl->maclen = 20;
00253 break;
00254 #endif
00255
00256 default:
00257 SSL_DEBUG_MSG( 1, ( "cipher %s is not available",
00258 ssl_get_cipher( ssl ) ) );
00259 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00260 }
00261
00262 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
00263 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) );
00264
00265
00266
00267
00268 if( ssl->endpoint == SSL_IS_CLIENT )
00269 {
00270 key1 = keyblk + ssl->maclen * 2;
00271 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
00272
00273 memcpy( ssl->mac_enc, keyblk, ssl->maclen );
00274 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen );
00275
00276 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen );
00277 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
00278 ssl->ivlen );
00279 }
00280 else
00281 {
00282 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
00283 key2 = keyblk + ssl->maclen * 2;
00284
00285 memcpy( ssl->mac_dec, keyblk, ssl->maclen );
00286 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen );
00287
00288 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen );
00289 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
00290 ssl->ivlen );
00291 }
00292
00293 switch( ssl->session->cipher )
00294 {
00295 #if defined(XYSSL_ARC4_C)
00296 case SSL_RSA_RC4_128_MD5:
00297 case SSL_RSA_RC4_128_SHA:
00298 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen );
00299 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen );
00300 break;
00301 #endif
00302
00303 #if defined(XYSSL_DES_C)
00304 case SSL_RSA_DES_168_SHA:
00305 case SSL_EDH_RSA_DES_168_SHA:
00306 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 );
00307 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 );
00308 break;
00309 #endif
00310
00311 #if defined(XYSSL_AES_C)
00312 case SSL_RSA_AES_128_SHA:
00313 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 );
00314 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 );
00315 break;
00316
00317 case SSL_RSA_AES_256_SHA:
00318 case SSL_EDH_RSA_AES_256_SHA:
00319 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 );
00320 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 );
00321 break;
00322 #endif
00323
00324 default:
00325 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00326 }
00327
00328 memset( keyblk, 0, sizeof( keyblk ) );
00329
00330 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
00331
00332 return( 0 );
00333 }
00334
00335 void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] )
00336 {
00337 md5_context md5;
00338 sha1_context sha1;
00339 unsigned char pad_1[48];
00340 unsigned char pad_2[48];
00341
00342 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) );
00343
00344 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
00345 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
00346
00347 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00348 {
00349 memset( pad_1, 0x36, 48 );
00350 memset( pad_2, 0x5C, 48 );
00351
00352 md5_update( &md5, ssl->session->master, 48 );
00353 md5_update( &md5, pad_1, 48 );
00354 md5_finish( &md5, hash );
00355
00356 md5_starts( &md5 );
00357 md5_update( &md5, ssl->session->master, 48 );
00358 md5_update( &md5, pad_2, 48 );
00359 md5_update( &md5, hash, 16 );
00360 md5_finish( &md5, hash );
00361
00362 sha1_update( &sha1, ssl->session->master, 48 );
00363 sha1_update( &sha1, pad_1, 40 );
00364 sha1_finish( &sha1, hash + 16 );
00365
00366 sha1_starts( &sha1 );
00367 sha1_update( &sha1, ssl->session->master, 48 );
00368 sha1_update( &sha1, pad_2, 40 );
00369 sha1_update( &sha1, hash + 16, 20 );
00370 sha1_finish( &sha1, hash + 16 );
00371 }
00372 else
00373 {
00374 md5_finish( &md5, hash );
00375 sha1_finish( &sha1, hash + 16 );
00376 }
00377
00378 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
00379 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
00380
00381 return;
00382 }
00383
00384
00385
00386
00387 static void ssl_mac_md5( unsigned char *secret,
00388 unsigned char *buf, int len,
00389 unsigned char *ctr, int type )
00390 {
00391 unsigned char header[11];
00392 unsigned char padding[48];
00393 md5_context md5;
00394
00395 memcpy( header, ctr, 8 );
00396 header[ 8] = (unsigned char) type;
00397 header[ 9] = (unsigned char)( len >> 8 );
00398 header[10] = (unsigned char)( len );
00399
00400 memset( padding, 0x36, 48 );
00401 md5_starts( &md5 );
00402 md5_update( &md5, secret, 16 );
00403 md5_update( &md5, padding, 48 );
00404 md5_update( &md5, header, 11 );
00405 md5_update( &md5, buf, len );
00406 md5_finish( &md5, buf + len );
00407
00408 memset( padding, 0x5C, 48 );
00409 md5_starts( &md5 );
00410 md5_update( &md5, secret, 16 );
00411 md5_update( &md5, padding, 48 );
00412 md5_update( &md5, buf + len, 16 );
00413 md5_finish( &md5, buf + len );
00414 }
00415
00416 static void ssl_mac_sha1( unsigned char *secret,
00417 unsigned char *buf, int len,
00418 unsigned char *ctr, int type )
00419 {
00420 unsigned char header[11];
00421 unsigned char padding[40];
00422 sha1_context sha1;
00423
00424 memcpy( header, ctr, 8 );
00425 header[ 8] = (unsigned char) type;
00426 header[ 9] = (unsigned char)( len >> 8 );
00427 header[10] = (unsigned char)( len );
00428
00429 memset( padding, 0x36, 40 );
00430 sha1_starts( &sha1 );
00431 sha1_update( &sha1, secret, 20 );
00432 sha1_update( &sha1, padding, 40 );
00433 sha1_update( &sha1, header, 11 );
00434 sha1_update( &sha1, buf, len );
00435 sha1_finish( &sha1, buf + len );
00436
00437 memset( padding, 0x5C, 40 );
00438 sha1_starts( &sha1 );
00439 sha1_update( &sha1, secret, 20 );
00440 sha1_update( &sha1, padding, 40 );
00441 sha1_update( &sha1, buf + len, 20 );
00442 sha1_finish( &sha1, buf + len );
00443 }
00444
00445
00446
00447
00448 static int ssl_encrypt_buf( ssl_context *ssl )
00449 {
00450 int i, padlen;
00451
00452 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
00453
00454
00455
00456
00457 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00458 {
00459 if( ssl->maclen == 16 )
00460 ssl_mac_md5( ssl->mac_enc,
00461 ssl->out_msg, ssl->out_msglen,
00462 ssl->out_ctr, ssl->out_msgtype );
00463
00464 if( ssl->maclen == 20 )
00465 ssl_mac_sha1( ssl->mac_enc,
00466 ssl->out_msg, ssl->out_msglen,
00467 ssl->out_ctr, ssl->out_msgtype );
00468 }
00469 else
00470 {
00471 if( ssl->maclen == 16 )
00472 md5_hmac( ssl->mac_enc, 16,
00473 ssl->out_ctr, ssl->out_msglen + 13,
00474 ssl->out_msg + ssl->out_msglen );
00475
00476 if( ssl->maclen == 20 )
00477 sha1_hmac( ssl->mac_enc, 20,
00478 ssl->out_ctr, ssl->out_msglen + 13,
00479 ssl->out_msg + ssl->out_msglen );
00480 }
00481
00482 SSL_DEBUG_BUF( 4, "computed mac",
00483 ssl->out_msg + ssl->out_msglen, ssl->maclen );
00484
00485 ssl->out_msglen += ssl->maclen;
00486
00487 for( i = 7; i >= 0; i-- )
00488 if( ++ssl->out_ctr[i] != 0 )
00489 break;
00490
00491 if( ssl->ivlen == 0 )
00492 {
00493 #if defined(XYSSL_ARC4_C)
00494 padlen = 0;
00495
00496 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
00497 "including %d bytes of padding",
00498 ssl->out_msglen, 0 ) );
00499
00500 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
00501 ssl->out_msg, ssl->out_msglen );
00502
00503 arc4_crypt( (arc4_context *) ssl->ctx_enc,
00504 ssl->out_msg, ssl->out_msglen );
00505 #else
00506 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00507 #endif
00508 }
00509 else
00510 {
00511 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen;
00512 if( padlen == ssl->ivlen )
00513 padlen = 0;
00514
00515 for( i = 0; i <= padlen; i++ )
00516 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
00517
00518 ssl->out_msglen += padlen + 1;
00519
00520 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
00521 "including %d bytes of padding",
00522 ssl->out_msglen, padlen + 1 ) );
00523
00524 SSL_DEBUG_BUF( 4, "before encrypt: output payload",
00525 ssl->out_msg, ssl->out_msglen );
00526
00527 switch( ssl->ivlen )
00528 {
00529 case 8:
00530 #if defined(XYSSL_DES_C)
00531 des3_crypt_cbc( (des3_context *) ssl->ctx_enc,
00532 DES_ENCRYPT, ssl->out_msglen,
00533 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
00534 break;
00535 #endif
00536
00537 case 16:
00538 #if defined(XYSSL_AES_C)
00539 aes_crypt_cbc( (aes_context *) ssl->ctx_enc,
00540 AES_ENCRYPT, ssl->out_msglen,
00541 ssl->iv_enc, ssl->out_msg, ssl->out_msg );
00542 break;
00543 #endif
00544
00545 default:
00546 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00547 }
00548 }
00549
00550 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
00551
00552 return( 0 );
00553 }
00554
00555 static int ssl_decrypt_buf( ssl_context *ssl )
00556 {
00557 int i, padlen;
00558 unsigned char tmp[20];
00559
00560 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
00561
00562 if( ssl->in_msglen < ssl->minlen )
00563 {
00564 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
00565 ssl->in_msglen, ssl->minlen ) );
00566 return( XYSSL_ERR_SSL_INVALID_MAC );
00567 }
00568
00569 if( ssl->ivlen == 0 )
00570 {
00571 #if defined(XYSSL_ARC4_C)
00572 padlen = 0;
00573 arc4_crypt( (arc4_context *) ssl->ctx_dec,
00574 ssl->in_msg, ssl->in_msglen );
00575 #else
00576 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00577 #endif
00578 }
00579 else
00580 {
00581
00582
00583
00584 if( ssl->in_msglen % ssl->ivlen != 0 )
00585 {
00586 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
00587 ssl->in_msglen, ssl->ivlen ) );
00588 return( XYSSL_ERR_SSL_INVALID_MAC );
00589 }
00590
00591 switch( ssl->ivlen )
00592 {
00593 #if defined(XYSSL_DES_C)
00594 case 8:
00595 des3_crypt_cbc( (des3_context *) ssl->ctx_dec,
00596 DES_DECRYPT, ssl->in_msglen,
00597 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
00598 break;
00599 #endif
00600
00601 #if defined(XYSSL_AES_C)
00602 case 16:
00603 aes_crypt_cbc( (aes_context *) ssl->ctx_dec,
00604 AES_DECRYPT, ssl->in_msglen,
00605 ssl->iv_dec, ssl->in_msg, ssl->in_msg );
00606 break;
00607 #endif
00608
00609 default:
00610 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00611 }
00612
00613 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
00614
00615 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00616 {
00617 if( padlen > ssl->ivlen )
00618 {
00619 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
00620 "should be no more than %d",
00621 padlen, ssl->ivlen ) );
00622 padlen = 0;
00623 }
00624 }
00625 else
00626 {
00627
00628
00629
00630 for( i = 1; i <= padlen; i++ )
00631 {
00632 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 )
00633 {
00634 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be "
00635 "%02x, but is %02x", padlen - 1,
00636 ssl->in_msg[ssl->in_msglen - i] ) );
00637 padlen = 0;
00638 }
00639 }
00640 }
00641 }
00642
00643 SSL_DEBUG_BUF( 4, "raw buffer after decryption",
00644 ssl->in_msg, ssl->in_msglen );
00645
00646
00647
00648
00649 ssl->in_msglen -= ( ssl->maclen + padlen );
00650
00651 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
00652 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
00653
00654 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 );
00655
00656 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
00657 {
00658 if( ssl->maclen == 16 )
00659 ssl_mac_md5( ssl->mac_dec,
00660 ssl->in_msg, ssl->in_msglen,
00661 ssl->in_ctr, ssl->in_msgtype );
00662 else
00663 ssl_mac_sha1( ssl->mac_dec,
00664 ssl->in_msg, ssl->in_msglen,
00665 ssl->in_ctr, ssl->in_msgtype );
00666 }
00667 else
00668 {
00669 if( ssl->maclen == 16 )
00670 md5_hmac( ssl->mac_dec, 16,
00671 ssl->in_ctr, ssl->in_msglen + 13,
00672 ssl->in_msg + ssl->in_msglen );
00673 else
00674 sha1_hmac( ssl->mac_dec, 20,
00675 ssl->in_ctr, ssl->in_msglen + 13,
00676 ssl->in_msg + ssl->in_msglen );
00677 }
00678
00679 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen );
00680 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
00681 ssl->maclen );
00682
00683 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
00684 ssl->maclen ) != 0 )
00685 {
00686 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
00687 return( XYSSL_ERR_SSL_INVALID_MAC );
00688 }
00689
00690
00691
00692
00693
00694 if( ssl->ivlen != 0 && padlen == 0 )
00695 return( XYSSL_ERR_SSL_INVALID_MAC );
00696
00697 if( ssl->in_msglen == 0 )
00698 {
00699 ssl->nb_zero++;
00700
00701
00702
00703
00704
00705 if( ssl->nb_zero > 3 )
00706 {
00707 SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
00708 "messages, possible DoS attack" ) );
00709 return( XYSSL_ERR_SSL_INVALID_MAC );
00710 }
00711 }
00712 else
00713 ssl->nb_zero = 0;
00714
00715 for( i = 7; i >= 0; i-- )
00716 if( ++ssl->in_ctr[i] != 0 )
00717 break;
00718
00719 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
00720
00721 return( 0 );
00722 }
00723
00724
00725
00726
00727 int ssl_fetch_input( ssl_context *ssl, int nb_want )
00728 {
00729 int ret, len;
00730
00731 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
00732
00733 while( ssl->in_left < nb_want )
00734 {
00735 len = nb_want - ssl->in_left;
00736 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
00737
00738 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
00739 ssl->in_left, nb_want ) );
00740 SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
00741
00742 if( ret < 0 )
00743 return( ret );
00744
00745 ssl->in_left += ret;
00746 }
00747
00748 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
00749
00750 return( 0 );
00751 }
00752
00753
00754
00755
00756 int ssl_flush_output( ssl_context *ssl )
00757 {
00758 int ret;
00759 unsigned char *buf;
00760
00761 SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
00762
00763 while( ssl->out_left > 0 )
00764 {
00765 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
00766 5 + ssl->out_msglen, ssl->out_left ) );
00767
00768 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
00769 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
00770 SSL_DEBUG_RET( 2, "ssl->f_send", ret );
00771
00772 if( ret <= 0 )
00773 return( ret );
00774
00775 ssl->out_left -= ret;
00776 }
00777
00778 SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
00779
00780 return( 0 );
00781 }
00782
00783
00784
00785
00786 int ssl_write_record( ssl_context *ssl )
00787 {
00788 int ret, len = ssl->out_msglen;
00789
00790 SSL_DEBUG_MSG( 2, ( "=> write record" ) );
00791
00792 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
00793 ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
00794 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
00795 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
00796 ssl->out_hdr[4] = (unsigned char)( len );
00797
00798 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
00799 {
00800 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
00801 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 );
00802 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) );
00803
00804 md5_update( &ssl->fin_md5 , ssl->out_msg, len );
00805 sha1_update( &ssl->fin_sha1, ssl->out_msg, len );
00806 }
00807
00808 if( ssl->do_crypt != 0 )
00809 {
00810 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
00811 {
00812 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
00813 return( ret );
00814 }
00815
00816 len = ssl->out_msglen;
00817 ssl->out_hdr[3] = (unsigned char)( len >> 8 );
00818 ssl->out_hdr[4] = (unsigned char)( len );
00819 }
00820
00821 ssl->out_left = 5 + ssl->out_msglen;
00822
00823 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
00824 "version = [%d:%d], msglen = %d",
00825 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
00826 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
00827
00828 SSL_DEBUG_BUF( 4, "output record sent to network",
00829 ssl->out_hdr, 5 + ssl->out_msglen );
00830
00831 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
00832 {
00833 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
00834 return( ret );
00835 }
00836
00837 SSL_DEBUG_MSG( 2, ( "<= write record" ) );
00838
00839 return( 0 );
00840 }
00841
00842 int ssl_read_record( ssl_context *ssl )
00843 {
00844 int ret;
00845
00846 SSL_DEBUG_MSG( 2, ( "=> read record" ) );
00847
00848 if( ssl->in_hslen != 0 &&
00849 ssl->in_hslen < ssl->in_msglen )
00850 {
00851
00852
00853
00854 ssl->in_msglen -= ssl->in_hslen;
00855
00856 memcpy( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
00857 ssl->in_msglen );
00858
00859 ssl->in_hslen = 4;
00860 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
00861
00862 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
00863 " %d, type = %d, hslen = %d",
00864 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
00865
00866 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
00867 {
00868 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
00869 return( XYSSL_ERR_SSL_INVALID_RECORD );
00870 }
00871
00872 if( ssl->in_msglen < ssl->in_hslen )
00873 {
00874 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
00875 return( XYSSL_ERR_SSL_INVALID_RECORD );
00876 }
00877
00878 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
00879 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
00880
00881 return( 0 );
00882 }
00883
00884 ssl->in_hslen = 0;
00885
00886
00887
00888
00889 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
00890 {
00891 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00892 return( ret );
00893 }
00894
00895 ssl->in_msgtype = ssl->in_hdr[0];
00896 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
00897
00898 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
00899 "version = [%d:%d], msglen = %d",
00900 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
00901 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
00902
00903 if( ssl->in_hdr[1] != ssl->major_ver )
00904 {
00905 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
00906 return( XYSSL_ERR_SSL_INVALID_RECORD );
00907 }
00908
00909 if( ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
00910 ssl->in_hdr[2] != SSL_MINOR_VERSION_1 )
00911 {
00912 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
00913 return( XYSSL_ERR_SSL_INVALID_RECORD );
00914 }
00915
00916
00917
00918
00919 if( ssl->do_crypt == 0 )
00920 {
00921 if( ssl->in_msglen < 1 ||
00922 ssl->in_msglen > SSL_MAX_CONTENT_LEN )
00923 {
00924 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
00925 return( XYSSL_ERR_SSL_INVALID_RECORD );
00926 }
00927 }
00928 else
00929 {
00930 if( ssl->in_msglen < ssl->minlen )
00931 {
00932 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
00933 return( XYSSL_ERR_SSL_INVALID_RECORD );
00934 }
00935
00936 if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
00937 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN )
00938 {
00939 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
00940 return( XYSSL_ERR_SSL_INVALID_RECORD );
00941 }
00942
00943
00944
00945
00946 if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
00947 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
00948 {
00949 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
00950 return( XYSSL_ERR_SSL_INVALID_RECORD );
00951 }
00952 }
00953
00954
00955
00956
00957 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
00958 {
00959 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00960 return( ret );
00961 }
00962
00963 SSL_DEBUG_BUF( 4, "input record from network",
00964 ssl->in_hdr, 5 + ssl->in_msglen );
00965
00966 if( ssl->do_crypt != 0 )
00967 {
00968 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
00969 {
00970 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
00971 return( ret );
00972 }
00973
00974 SSL_DEBUG_BUF( 4, "input payload after decrypt",
00975 ssl->in_msg, ssl->in_msglen );
00976
00977 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
00978 {
00979 SSL_DEBUG_MSG( 1, ( "bad message length" ) );
00980 return( XYSSL_ERR_SSL_INVALID_RECORD );
00981 }
00982 }
00983
00984 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
00985 {
00986 ssl->in_hslen = 4;
00987 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
00988
00989 SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
00990 " %d, type = %d, hslen = %d",
00991 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
00992
00993
00994
00995
00996 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
00997 {
00998 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
00999 return( XYSSL_ERR_SSL_INVALID_RECORD );
01000 }
01001
01002 if( ssl->in_msglen < ssl->in_hslen )
01003 {
01004 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
01005 return( XYSSL_ERR_SSL_INVALID_RECORD );
01006 }
01007
01008 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen );
01009 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen );
01010 }
01011
01012 if( ssl->in_msgtype == SSL_MSG_ALERT )
01013 {
01014 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
01015 ssl->in_msg[0], ssl->in_msg[1] ) );
01016
01017
01018
01019
01020 if( ssl->in_msg[0] == SSL_ALERT_FATAL )
01021 {
01022 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) );
01023 return( XYSSL_ERR_SSL_FATAL_ALERT_MESSAGE | ssl->in_msg[1] );
01024 }
01025
01026 if( ssl->in_msg[0] == SSL_ALERT_WARNING &&
01027 ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY )
01028 {
01029 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
01030 return( XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
01031 }
01032 }
01033
01034 ssl->in_left = 0;
01035
01036 SSL_DEBUG_MSG( 2, ( "<= read record" ) );
01037
01038 return( 0 );
01039 }
01040
01041
01042
01043
01044 int ssl_write_certificate( ssl_context *ssl )
01045 {
01046 int ret, i, n;
01047 x509_cert *crt;
01048
01049 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
01050
01051 if( ssl->endpoint == SSL_IS_CLIENT )
01052 {
01053 if( ssl->client_auth == 0 )
01054 {
01055 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
01056 ssl->state++;
01057 return( 0 );
01058 }
01059
01060
01061
01062
01063
01064 if( ssl->own_cert == NULL &&
01065 ssl->minor_ver == SSL_MINOR_VERSION_0 )
01066 {
01067 ssl->out_msglen = 2;
01068 ssl->out_msgtype = SSL_MSG_ALERT;
01069 ssl->out_msg[0] = SSL_ALERT_WARNING;
01070 ssl->out_msg[1] = SSL_ALERT_NO_CERTIFICATE;
01071
01072 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
01073 goto write_msg;
01074 }
01075 }
01076 else
01077 {
01078 if( ssl->own_cert == NULL )
01079 {
01080 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
01081 return( XYSSL_ERR_SSL_CERTIFICATE_REQUIRED );
01082 }
01083 }
01084
01085 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
01086
01087
01088
01089
01090
01091
01092
01093
01094
01095
01096 i = 7;
01097 crt = ssl->own_cert;
01098
01099 while( crt != NULL && crt->next != NULL )
01100 {
01101 n = crt->raw.len;
01102 if( i + 3 + n > SSL_MAX_CONTENT_LEN )
01103 {
01104 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
01105 i + 3 + n, SSL_MAX_CONTENT_LEN ) );
01106 return( XYSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
01107 }
01108
01109 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
01110 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
01111 ssl->out_msg[i + 2] = (unsigned char)( n );
01112
01113 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
01114 i += n; crt = crt->next;
01115 }
01116
01117 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
01118 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
01119 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
01120
01121 ssl->out_msglen = i;
01122 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01123 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
01124
01125 write_msg:
01126
01127 ssl->state++;
01128
01129 if( ( ret = ssl_write_record( ssl ) ) != 0 )
01130 {
01131 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01132 return( ret );
01133 }
01134
01135 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
01136
01137 return( 0 );
01138 }
01139
01140 int ssl_parse_certificate( ssl_context *ssl )
01141 {
01142 int ret, i, n;
01143
01144 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
01145
01146 if( ssl->endpoint == SSL_IS_SERVER &&
01147 ssl->authmode == SSL_VERIFY_NONE )
01148 {
01149 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
01150 ssl->state++;
01151 return( 0 );
01152 }
01153
01154 if( ( ret = ssl_read_record( ssl ) ) != 0 )
01155 {
01156 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01157 return( ret );
01158 }
01159
01160 ssl->state++;
01161
01162
01163
01164
01165 if( ssl->endpoint == SSL_IS_SERVER &&
01166 ssl->minor_ver == SSL_MINOR_VERSION_0 )
01167 {
01168 if( ssl->in_msglen == 2 &&
01169 ssl->in_msgtype == SSL_MSG_ALERT &&
01170 ssl->in_msg[0] == SSL_ALERT_WARNING &&
01171 ssl->in_msg[1] == SSL_ALERT_NO_CERTIFICATE )
01172 {
01173 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
01174
01175 if( ssl->authmode == SSL_VERIFY_OPTIONAL )
01176 return( 0 );
01177 else
01178 return( XYSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
01179 }
01180 }
01181
01182 if( ssl->endpoint == SSL_IS_SERVER &&
01183 ssl->minor_ver != SSL_MINOR_VERSION_0 )
01184 {
01185 if( ssl->in_hslen == 7 &&
01186 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
01187 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
01188 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
01189 {
01190 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
01191
01192 if( ssl->authmode == SSL_VERIFY_REQUIRED )
01193 return( XYSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
01194 else
01195 return( 0 );
01196 }
01197 }
01198
01199 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
01200 {
01201 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01202 return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01203 }
01204
01205 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
01206 {
01207 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01208 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
01209 }
01210
01211
01212
01213
01214 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
01215
01216 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
01217 {
01218 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01219 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
01220 }
01221
01222 if( ( ssl->peer_cert = (x509_cert *) malloc(
01223 sizeof( x509_cert ) ) ) == NULL )
01224 {
01225 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
01226 sizeof( x509_cert ) ) );
01227 return( 1 );
01228 }
01229
01230 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
01231
01232 i = 7;
01233
01234 while( i < ssl->in_hslen )
01235 {
01236 if( ssl->in_msg[i] != 0 )
01237 {
01238 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01239 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
01240 }
01241
01242 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
01243 | (unsigned int) ssl->in_msg[i + 2];
01244 i += 3;
01245
01246 if( n < 128 || i + n > ssl->in_hslen )
01247 {
01248 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
01249 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE );
01250 }
01251
01252 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n );
01253 if( ret != 0 )
01254 {
01255 SSL_DEBUG_RET( 1, " x509parse_crt", ret );
01256 return( ret );
01257 }
01258
01259 i += n;
01260 }
01261
01262 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert );
01263
01264 if( ssl->authmode != SSL_VERIFY_NONE )
01265 {
01266 if( ssl->ca_chain == NULL )
01267 {
01268 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
01269 return( XYSSL_ERR_SSL_CA_CHAIN_REQUIRED );
01270 }
01271
01272 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain,
01273 ssl->peer_cn, &ssl->verify_result );
01274
01275 if( ret != 0 )
01276 SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
01277
01278 if( ssl->authmode != SSL_VERIFY_REQUIRED )
01279 ret = 0;
01280 }
01281
01282 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
01283
01284 return( ret );
01285 }
01286
01287 int ssl_write_change_cipher_spec( ssl_context *ssl )
01288 {
01289 int ret;
01290
01291 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
01292
01293 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
01294 ssl->out_msglen = 1;
01295 ssl->out_msg[0] = 1;
01296
01297 ssl->do_crypt = 0;
01298 ssl->state++;
01299
01300 if( ( ret = ssl_write_record( ssl ) ) != 0 )
01301 {
01302 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01303 return( ret );
01304 }
01305
01306 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
01307
01308 return( 0 );
01309 }
01310
01311 int ssl_parse_change_cipher_spec( ssl_context *ssl )
01312 {
01313 int ret;
01314
01315 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
01316
01317 ssl->do_crypt = 0;
01318
01319 if( ( ret = ssl_read_record( ssl ) ) != 0 )
01320 {
01321 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01322 return( ret );
01323 }
01324
01325 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
01326 {
01327 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
01328 return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01329 }
01330
01331 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
01332 {
01333 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
01334 return( XYSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
01335 }
01336
01337 ssl->state++;
01338
01339 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
01340
01341 return( 0 );
01342 }
01343
01344 static void ssl_calc_finished(
01345 ssl_context *ssl, unsigned char *buf, int from,
01346 md5_context *md5, sha1_context *sha1 )
01347 {
01348 int len = 12;
01349 char *sender;
01350 unsigned char padbuf[48];
01351 unsigned char md5sum[16];
01352 unsigned char sha1sum[20];
01353
01354 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) );
01355
01356
01357
01358
01359
01360
01361
01362
01363
01364
01365
01366
01367
01368
01369 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
01370 md5->state, sizeof( md5->state ) );
01371
01372 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
01373 sha1->state, sizeof( sha1->state ) );
01374
01375 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
01376 {
01377 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT"
01378 : (char *) "SRVR";
01379
01380 memset( padbuf, 0x36, 48 );
01381
01382 md5_update( md5, (unsigned char *) sender, 4 );
01383 md5_update( md5, ssl->session->master, 48 );
01384 md5_update( md5, padbuf, 48 );
01385 md5_finish( md5, md5sum );
01386
01387 sha1_update( sha1, (unsigned char *) sender, 4 );
01388 sha1_update( sha1, ssl->session->master, 48 );
01389 sha1_update( sha1, padbuf, 40 );
01390 sha1_finish( sha1, sha1sum );
01391
01392 memset( padbuf, 0x5C, 48 );
01393
01394 md5_starts( md5 );
01395 md5_update( md5, ssl->session->master, 48 );
01396 md5_update( md5, padbuf, 48 );
01397 md5_update( md5, md5sum, 16 );
01398 md5_finish( md5, buf );
01399
01400 sha1_starts( sha1 );
01401 sha1_update( sha1, ssl->session->master, 48 );
01402 sha1_update( sha1, padbuf , 40 );
01403 sha1_update( sha1, sha1sum, 20 );
01404 sha1_finish( sha1, buf + 16 );
01405
01406 len += 24;
01407 }
01408 else
01409 {
01410 sender = ( from == SSL_IS_CLIENT )
01411 ? (char *) "client finished"
01412 : (char *) "server finished";
01413
01414 md5_finish( md5, padbuf );
01415 sha1_finish( sha1, padbuf + 16 );
01416
01417 tls1_prf( ssl->session->master, 48, sender,
01418 padbuf, 36, buf, len );
01419 }
01420
01421 SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
01422
01423 memset( md5, 0, sizeof( md5_context ) );
01424 memset( sha1, 0, sizeof( sha1_context ) );
01425
01426 memset( padbuf, 0, sizeof( padbuf ) );
01427 memset( md5sum, 0, sizeof( md5sum ) );
01428 memset( sha1sum, 0, sizeof( sha1sum ) );
01429
01430 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
01431 }
01432
01433 int ssl_write_finished( ssl_context *ssl )
01434 {
01435 int ret, hash_len;
01436 md5_context md5;
01437 sha1_context sha1;
01438
01439 SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
01440
01441 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
01442 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
01443
01444 ssl_calc_finished( ssl, ssl->out_msg + 4,
01445 ssl->endpoint, &md5, &sha1 );
01446
01447 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
01448
01449 ssl->out_msglen = 4 + hash_len;
01450 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
01451 ssl->out_msg[0] = SSL_HS_FINISHED;
01452
01453
01454
01455
01456
01457 if( ssl->resume != 0 )
01458 {
01459 if( ssl->endpoint == SSL_IS_CLIENT )
01460 ssl->state = SSL_HANDSHAKE_OVER;
01461 else
01462 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
01463 }
01464 else
01465 ssl->state++;
01466
01467 ssl->do_crypt = 1;
01468
01469 if( ( ret = ssl_write_record( ssl ) ) != 0 )
01470 {
01471 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01472 return( ret );
01473 }
01474
01475 SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
01476
01477 return( 0 );
01478 }
01479
01480 int ssl_parse_finished( ssl_context *ssl )
01481 {
01482 int ret, hash_len;
01483 md5_context md5;
01484 sha1_context sha1;
01485 unsigned char buf[36];
01486
01487 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
01488
01489 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) );
01490 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) );
01491
01492 ssl->do_crypt = 1;
01493
01494 if( ( ret = ssl_read_record( ssl ) ) != 0 )
01495 {
01496 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01497 return( ret );
01498 }
01499
01500 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
01501 {
01502 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
01503 return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01504 }
01505
01506 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
01507
01508 if( ssl->in_msg[0] != SSL_HS_FINISHED ||
01509 ssl->in_hslen != 4 + hash_len )
01510 {
01511 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
01512 return( XYSSL_ERR_SSL_BAD_HS_FINISHED );
01513 }
01514
01515 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 );
01516
01517 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
01518 {
01519 SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
01520 return( XYSSL_ERR_SSL_BAD_HS_FINISHED );
01521 }
01522
01523 if( ssl->resume != 0 )
01524 {
01525 if( ssl->endpoint == SSL_IS_CLIENT )
01526 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
01527
01528 if( ssl->endpoint == SSL_IS_SERVER )
01529 ssl->state = SSL_HANDSHAKE_OVER;
01530 }
01531 else
01532 ssl->state++;
01533
01534 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
01535
01536 return( 0 );
01537 }
01538
01539
01540
01541
01542 int ssl_init( ssl_context *ssl )
01543 {
01544 int len = SSL_BUFFER_LEN;
01545
01546 memset( ssl, 0, sizeof( ssl_context ) );
01547
01548 ssl->in_ctr = (unsigned char *) malloc( len );
01549 ssl->in_hdr = ssl->in_ctr + 8;
01550 ssl->in_msg = ssl->in_ctr + 13;
01551
01552 if( ssl->in_ctr == NULL )
01553 {
01554 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
01555 return( 1 );
01556 }
01557
01558 ssl->out_ctr = (unsigned char *) malloc( len );
01559 ssl->out_hdr = ssl->out_ctr + 8;
01560 ssl->out_msg = ssl->out_ctr + 13;
01561
01562 if( ssl->out_ctr == NULL )
01563 {
01564 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
01565 free( ssl-> in_ctr );
01566 return( 1 );
01567 }
01568
01569 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
01570 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
01571
01572 ssl->hostname = NULL;
01573 ssl->hostname_len = 0;
01574
01575 md5_starts( &ssl->fin_md5 );
01576 sha1_starts( &ssl->fin_sha1 );
01577
01578 return( 0 );
01579 }
01580
01581
01582
01583
01584 void ssl_set_endpoint( ssl_context *ssl, int endpoint )
01585 {
01586 ssl->endpoint = endpoint;
01587 }
01588
01589 void ssl_set_authmode( ssl_context *ssl, int authmode )
01590 {
01591 ssl->authmode = authmode;
01592 }
01593
01594 void ssl_set_rng( ssl_context *ssl,
01595 int (*f_rng)(void *),
01596 void *p_rng )
01597 {
01598 ssl->f_rng = f_rng;
01599 ssl->p_rng = p_rng;
01600 }
01601
01602 void ssl_set_dbg( ssl_context *ssl,
01603 void (*f_dbg)(void *, int, char *),
01604 void *p_dbg )
01605 {
01606 ssl->f_dbg = f_dbg;
01607 ssl->p_dbg = p_dbg;
01608 }
01609
01610 void ssl_set_bio( ssl_context *ssl,
01611 int (*f_recv)(void *, unsigned char *, int), void *p_recv,
01612 int (*f_send)(void *, unsigned char *, int), void *p_send )
01613 {
01614 ssl->f_recv = f_recv;
01615 ssl->f_send = f_send;
01616 ssl->p_recv = p_recv;
01617 ssl->p_send = p_send;
01618 }
01619
01620 void ssl_set_scb( ssl_context *ssl,
01621 int (*s_get)(ssl_context *),
01622 int (*s_set)(ssl_context *) )
01623 {
01624 ssl->s_get = s_get;
01625 ssl->s_set = s_set;
01626 }
01627
01628 void ssl_set_session( ssl_context *ssl, int resume, int timeout,
01629 ssl_session *session )
01630 {
01631 ssl->resume = resume;
01632 ssl->timeout = timeout;
01633 ssl->session = session;
01634 }
01635
01636 void ssl_set_ciphers( ssl_context *ssl, int *ciphers )
01637 {
01638 ssl->ciphers = ciphers;
01639 }
01640
01641 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
01642 char *peer_cn )
01643 {
01644 ssl->ca_chain = ca_chain;
01645 ssl->peer_cn = peer_cn;
01646 }
01647
01648 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
01649 rsa_context *rsa_key )
01650 {
01651 ssl->own_cert = own_cert;
01652 ssl->rsa_key = rsa_key;
01653 }
01654
01655 int ssl_set_dh_param( ssl_context *ssl, char *dhm_P, char *dhm_G )
01656 {
01657 int ret;
01658
01659 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 )
01660 {
01661 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
01662 return( ret );
01663 }
01664
01665 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 )
01666 {
01667 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
01668 return( ret );
01669 }
01670
01671 return( 0 );
01672 }
01673
01674 int ssl_set_hostname( ssl_context *ssl, char *hostname )
01675 {
01676 if( hostname == NULL )
01677 return( XYSSL_ERR_SSL_BAD_INPUT_DATA );
01678
01679 ssl->hostname_len = strlen( hostname );
01680 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len );
01681
01682 memcpy( ssl->hostname, (unsigned char *) hostname,
01683 ssl->hostname_len );
01684
01685 return( 0 );
01686 }
01687
01688
01689
01690
01691 int ssl_get_bytes_avail( ssl_context *ssl )
01692 {
01693 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
01694 }
01695
01696 int ssl_get_verify_result( ssl_context *ssl )
01697 {
01698 return( ssl->verify_result );
01699 }
01700
01701 char *ssl_get_cipher( ssl_context *ssl )
01702 {
01703 switch( ssl->session->cipher )
01704 {
01705 #if defined(XYSSL_ARC4_C)
01706 case SSL_RSA_RC4_128_MD5:
01707 return( "SSL_RSA_RC4_128_MD5" );
01708
01709 case SSL_RSA_RC4_128_SHA:
01710 return( "SSL_RSA_RC4_128_SHA" );
01711 #endif
01712
01713 #if defined(XYSSL_DES_C)
01714 case SSL_RSA_DES_168_SHA:
01715 return( "SSL_RSA_DES_168_SHA" );
01716
01717 case SSL_EDH_RSA_DES_168_SHA:
01718 return( "SSL_EDH_RSA_DES_168_SHA" );
01719 #endif
01720
01721 #if defined(XYSSL_AES_C)
01722 case SSL_RSA_AES_128_SHA:
01723 return( "SSL_RSA_AES_128_SHA" );
01724
01725 case SSL_RSA_AES_256_SHA:
01726 return( "SSL_RSA_AES_256_SHA" );
01727
01728 case SSL_EDH_RSA_AES_256_SHA:
01729 return( "SSL_EDH_RSA_AES_256_SHA" );
01730 #endif
01731
01732 default:
01733 break;
01734 }
01735
01736 return( "unknown" );
01737 }
01738
01739 int ssl_default_ciphers[] =
01740 {
01741 #if defined(XYSSL_DHM_C)
01742 #if defined(XYSSL_AES_C)
01743 SSL_EDH_RSA_AES_256_SHA,
01744 #endif
01745 #if defined(XYSSL_DES_C)
01746 SSL_EDH_RSA_DES_168_SHA,
01747 #endif
01748 #endif
01749
01750 #if defined(XYSSL_AES_C)
01751 SSL_RSA_AES_128_SHA,
01752 SSL_RSA_AES_256_SHA,
01753 #endif
01754 #if defined(XYSSL_DES_C)
01755 SSL_RSA_DES_168_SHA,
01756 #endif
01757 #if defined(XYSSL_ARC4_C)
01758 SSL_RSA_RC4_128_SHA,
01759 SSL_RSA_RC4_128_MD5,
01760 #endif
01761 0
01762 };
01763
01764
01765
01766
01767 int ssl_handshake( ssl_context *ssl )
01768 {
01769 int ret = XYSSL_ERR_SSL_FEATURE_UNAVAILABLE;
01770
01771 SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
01772
01773 #if defined(XYSSL_SSL_CLI_C)
01774 if( ssl->endpoint == SSL_IS_CLIENT )
01775 ret = ssl_handshake_client( ssl );
01776 #endif
01777
01778 #if defined(XYSSL_SSL_SRV_C)
01779 if( ssl->endpoint == SSL_IS_SERVER )
01780 ret = ssl_handshake_server( ssl );
01781 #endif
01782
01783 SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
01784
01785 return( ret );
01786 }
01787
01788
01789
01790
01791 int ssl_read( ssl_context *ssl, unsigned char *buf, int len )
01792 {
01793 int ret, n;
01794
01795 SSL_DEBUG_MSG( 2, ( "=> read" ) );
01796
01797 if( ssl->state != SSL_HANDSHAKE_OVER )
01798 {
01799 if( ( ret = ssl_handshake( ssl ) ) != 0 )
01800 {
01801 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
01802 return( ret );
01803 }
01804 }
01805
01806 if( ssl->in_offt == NULL )
01807 {
01808 if( ( ret = ssl_read_record( ssl ) ) != 0 )
01809 {
01810 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01811 return( ret );
01812 }
01813
01814 if( ssl->in_msglen == 0 &&
01815 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
01816 {
01817
01818
01819
01820 if( ( ret = ssl_read_record( ssl ) ) != 0 )
01821 {
01822 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
01823 return( ret );
01824 }
01825 }
01826
01827 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
01828 {
01829 SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
01830 return( XYSSL_ERR_SSL_UNEXPECTED_MESSAGE );
01831 }
01832
01833 ssl->in_offt = ssl->in_msg;
01834 }
01835
01836 n = ( len < ssl->in_msglen )
01837 ? len : ssl->in_msglen;
01838
01839 memcpy( buf, ssl->in_offt, n );
01840 ssl->in_msglen -= n;
01841
01842 if( ssl->in_msglen == 0 )
01843
01844 ssl->in_offt = NULL;
01845 else
01846
01847 ssl->in_offt += n;
01848
01849 SSL_DEBUG_MSG( 2, ( "<= read" ) );
01850
01851 return( n );
01852 }
01853
01854
01855
01856
01857 int ssl_write( ssl_context *ssl, unsigned char *buf, int len )
01858 {
01859 int ret, n;
01860
01861 SSL_DEBUG_MSG( 2, ( "=> write" ) );
01862
01863 if( ssl->state != SSL_HANDSHAKE_OVER )
01864 {
01865 if( ( ret = ssl_handshake( ssl ) ) != 0 )
01866 {
01867 SSL_DEBUG_RET( 1, "ssl_handshake", ret );
01868 return( ret );
01869 }
01870 }
01871
01872 n = ( len < SSL_MAX_CONTENT_LEN )
01873 ? len : SSL_MAX_CONTENT_LEN;
01874
01875 if( ssl->out_left != 0 )
01876 {
01877 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
01878 {
01879 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
01880 return( ret );
01881 }
01882 }
01883 else
01884 {
01885 ssl->out_msglen = n;
01886 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
01887 memcpy( ssl->out_msg, buf, n );
01888
01889 if( ( ret = ssl_write_record( ssl ) ) != 0 )
01890 {
01891 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01892 return( ret );
01893 }
01894 }
01895
01896 SSL_DEBUG_MSG( 2, ( "<= write" ) );
01897
01898 return( n );
01899 }
01900
01901
01902
01903
01904 int ssl_close_notify( ssl_context *ssl )
01905 {
01906 int ret;
01907
01908 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
01909
01910 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
01911 {
01912 SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
01913 return( ret );
01914 }
01915
01916 if( ssl->state == SSL_HANDSHAKE_OVER )
01917 {
01918 ssl->out_msgtype = SSL_MSG_ALERT;
01919 ssl->out_msglen = 2;
01920 ssl->out_msg[0] = SSL_ALERT_WARNING;
01921 ssl->out_msg[1] = SSL_ALERT_CLOSE_NOTIFY;
01922
01923 if( ( ret = ssl_write_record( ssl ) ) != 0 )
01924 {
01925 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
01926 return( ret );
01927 }
01928 }
01929
01930 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
01931
01932 return( ret );
01933 }
01934
01935
01936
01937
01938 void ssl_free( ssl_context *ssl )
01939 {
01940 SSL_DEBUG_MSG( 2, ( "=> free" ) );
01941
01942 if( ssl->peer_cert != NULL )
01943 {
01944 x509_free( ssl->peer_cert );
01945 memset( ssl->peer_cert, 0, sizeof( x509_cert ) );
01946 free( ssl->peer_cert );
01947 }
01948
01949 if( ssl->out_ctr != NULL )
01950 {
01951 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
01952 free( ssl->out_ctr );
01953 }
01954
01955 if( ssl->in_ctr != NULL )
01956 {
01957 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
01958 free( ssl->in_ctr );
01959 }
01960
01961 #if defined(XYSSL_DHM_C)
01962 dhm_free( &ssl->dhm_ctx );
01963 #endif
01964
01965 if ( ssl->hostname != NULL)
01966 {
01967 memset( ssl->hostname, 0, ssl->hostname_len );
01968 free( ssl->hostname );
01969 ssl->hostname_len = 0;
01970 }
01971
01972 memset( ssl, 0, sizeof( ssl_context ) );
01973
01974 SSL_DEBUG_MSG( 2, ( "<= free" ) );
01975 }
01976
01977 #endif
