search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
rsa: add proper const attribute to function arguments
[tropicssl.git] / library / ssl_tls.c
blobb889ee529839b7aedc1c52fde16043b2d6bad166
1 /*
2 * SSLv3/TLSv1 shared functions
3 *
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
7 *
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35 /*
36 * The SSL 3.0 specification was drafted by Netscape in 1996,
37 * and became an IETF standard in 1999.
38 *
39 * http://wp.netscape.com/eng/ssl3/
40 * http://www.ietf.org/rfc/rfc2246.txt
41 * http://www.ietf.org/rfc/rfc4346.txt
42 */
43
44 #include "tropicssl/config.h"
45
46 #if defined(TROPICSSL_SSL_TLS_C)
47
48 #include "tropicssl/aes.h"
49 #include "tropicssl/arc4.h"
50 #include "tropicssl/camellia.h"
51 #include "tropicssl/des.h"
52 #include "tropicssl/debug.h"
53 #include "tropicssl/ssl.h"
54
55 #include <string.h>
56 #include <stdlib.h>
57 #include <time.h>
58
59 /*
60 * Key material generation
61 */
62 static int tls1_prf(unsigned char *secret, int slen, char *label,
63 unsigned char *random, int rlen,
64 unsigned char *dstbuf, int dlen)
65 {
66 int nb, hs;
67 int i, j, k;
68 unsigned char *S1, *S2;
69 unsigned char tmp[128];
70 unsigned char h_i[20];
71
72 if (sizeof(tmp) < 20 + strlen(label) + rlen)
73 return (TROPICSSL_ERR_SSL_BAD_INPUT_DATA);
74
75 hs = (slen + 1) / 2;
76 S1 = secret;
77 S2 = secret + slen - hs;
78
79 nb = strlen(label);
80 memcpy(tmp + 20, label, nb);
81 memcpy(tmp + 20 + nb, random, rlen);
82 nb += rlen;
83
84 /*
85 * First compute P_md5(secret,label+random)[0..dlen]
86 */
87 md5_hmac(S1, hs, tmp + 20, nb, 4 + tmp);
88
89 for (i = 0; i < dlen; i += 16) {
90 md5_hmac(S1, hs, 4 + tmp, 16 + nb, h_i);
91 md5_hmac(S1, hs, 4 + tmp, 16, 4 + tmp);
92
93 k = (i + 16 > dlen) ? dlen % 16 : 16;
94
95 for (j = 0; j < k; j++)
96 dstbuf[i + j] = h_i[j];
97 }
98
99 /*
100 * XOR out with P_sha1(secret,label+random)[0..dlen]
101 */
102 sha1_hmac(S2, hs, tmp + 20, nb, tmp);
103
104 for (i = 0; i < dlen; i += 20) {
105 sha1_hmac(S2, hs, tmp, 20 + nb, h_i);
106 sha1_hmac(S2, hs, tmp, 20, tmp);
107
108 k = (i + 20 > dlen) ? dlen % 20 : 20;
109
110 for (j = 0; j < k; j++)
111 dstbuf[i + j] = (unsigned char)(dstbuf[i + j] ^ h_i[j]);
112 }
113
114 memset(tmp, 0, sizeof(tmp));
115 memset(h_i, 0, sizeof(h_i));
116
117 return (0);
118 }
119
120 int ssl_derive_keys(ssl_context * ssl)
121 {
122 int i;
123 md5_context md5;
124 sha1_context sha1;
125 unsigned char tmp[64];
126 unsigned char padding[16];
127 unsigned char sha1sum[20];
128 unsigned char keyblk[256];
129 unsigned char *key1;
130 unsigned char *key2;
131
132 SSL_DEBUG_MSG(2, ("=> derive keys"));
133
134 /*
135 * SSLv3:
136 * master =
137 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
138 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
139 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
140 *
141 * TLSv1:
142 * master = PRF( premaster, "master secret", randbytes )[0..47]
143 */
144 if (ssl->resume == 0) {
145 int len = ssl->pmslen;
146
147 SSL_DEBUG_BUF(3, "premaster secret", ssl->premaster, len);
148
149 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
150 for (i = 0; i < 3; i++) {
151 memset(padding, 'A' + i, 1 + i);
152
153 sha1_starts(&sha1);
154 sha1_update(&sha1, padding, 1 + i);
155 sha1_update(&sha1, ssl->premaster, len);
156 sha1_update(&sha1, ssl->randbytes, 64);
157 sha1_finish(&sha1, sha1sum);
158
159 md5_starts(&md5);
160 md5_update(&md5, ssl->premaster, len);
161 md5_update(&md5, sha1sum, 20);
162 md5_finish(&md5, ssl->session->master + i * 16);
163 }
164 } else
165 tls1_prf(ssl->premaster, len, "master secret",
166 ssl->randbytes, 64, ssl->session->master, 48);
167
168 memset(ssl->premaster, 0, sizeof(ssl->premaster));
169 } else
170 SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
171
172 /*
173 * Swap the client and server random values.
174 */
175 memcpy(tmp, ssl->randbytes, 64);
176 memcpy(ssl->randbytes, tmp + 32, 32);
177 memcpy(ssl->randbytes + 32, tmp, 32);
178 memset(tmp, 0, sizeof(tmp));
179
180 /*
181 * SSLv3:
182 * key block =
183 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
184 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
185 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
186 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
187 * ...
188 *
189 * TLSv1:
190 * key block = PRF( master, "key expansion", randbytes )
191 */
192 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
193 for (i = 0; i < 16; i++) {
194 memset(padding, 'A' + i, 1 + i);
195
196 sha1_starts(&sha1);
197 sha1_update(&sha1, padding, 1 + i);
198 sha1_update(&sha1, ssl->session->master, 48);
199 sha1_update(&sha1, ssl->randbytes, 64);
200 sha1_finish(&sha1, sha1sum);
201
202 md5_starts(&md5);
203 md5_update(&md5, ssl->session->master, 48);
204 md5_update(&md5, sha1sum, 20);
205 md5_finish(&md5, keyblk + i * 16);
206 }
207
208 memset(&md5, 0, sizeof(md5));
209 memset(&sha1, 0, sizeof(sha1));
210
211 memset(padding, 0, sizeof(padding));
212 memset(sha1sum, 0, sizeof(sha1sum));
213 } else
214 tls1_prf(ssl->session->master, 48, "key expansion",
215 ssl->randbytes, 64, keyblk, 256);
216
217 SSL_DEBUG_MSG(3, ("cipher = %s", ssl_get_cipher(ssl)));
218 SSL_DEBUG_BUF(3, "master secret", ssl->session->master, 48);
219 SSL_DEBUG_BUF(4, "random bytes", ssl->randbytes, 64);
220 SSL_DEBUG_BUF(4, "key block", keyblk, 256);
221
222 memset(ssl->randbytes, 0, sizeof(ssl->randbytes));
223
224 /*
225 * Determine the appropriate key, IV and MAC length.
226 */
227 switch (ssl->session->cipher) {
228 #if defined(TROPICSSL_ARC4_C)
229 case SSL_RSA_RC4_128_MD5:
230 ssl->keylen = 16;
231 ssl->minlen = 16;
232 ssl->ivlen = 0;
233 ssl->maclen = 16;
234 break;
235
236 case SSL_RSA_RC4_128_SHA:
237 ssl->keylen = 16;
238 ssl->minlen = 20;
239 ssl->ivlen = 0;
240 ssl->maclen = 20;
241 break;
242 #endif
243
244 #if defined(TROPICSSL_DES_C)
245 case SSL_RSA_DES_168_SHA:
246 case SSL_EDH_RSA_DES_168_SHA:
247 ssl->keylen = 24;
248 ssl->minlen = 24;
249 ssl->ivlen = 8;
250 ssl->maclen = 20;
251 break;
252 #endif
253
254 #if defined(TROPICSSL_AES_C)
255 case SSL_RSA_AES_128_SHA:
256 ssl->keylen = 16;
257 ssl->minlen = 32;
258 ssl->ivlen = 16;
259 ssl->maclen = 20;
260 break;
261
262 case SSL_RSA_AES_256_SHA:
263 case SSL_EDH_RSA_AES_256_SHA:
264 ssl->keylen = 32;
265 ssl->minlen = 32;
266 ssl->ivlen = 16;
267 ssl->maclen = 20;
268 break;
269 #endif
270
271 #if defined(TROPICSSL_CAMELLIA_C)
272 case SSL_RSA_CAMELLIA_128_SHA:
273 ssl->keylen = 16;
274 ssl->minlen = 32;
275 ssl->ivlen = 16;
276 ssl->maclen = 20;
277 break;
278
279 case SSL_RSA_CAMELLIA_256_SHA:
280 case SSL_EDH_RSA_CAMELLIA_256_SHA:
281 ssl->keylen = 32;
282 ssl->minlen = 32;
283 ssl->ivlen = 16;
284 ssl->maclen = 20;
285 break;
286 #endif
287
288 default:
289 SSL_DEBUG_MSG(1, ("cipher %s is not available",
290 ssl_get_cipher(ssl)));
291 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
292 }
293
294 SSL_DEBUG_MSG(3, ("keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
295 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen));
296
297 /*
298 * Finally setup the cipher contexts, IVs and MAC secrets.
299 */
300 if (ssl->endpoint == SSL_IS_CLIENT) {
301 key1 = keyblk + ssl->maclen * 2;
302 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
303
304 memcpy(ssl->mac_enc, keyblk, ssl->maclen);
305 memcpy(ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen);
306
307 memcpy(ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen);
308 memcpy(ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
309 ssl->ivlen);
310 } else {
311 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
312 key2 = keyblk + ssl->maclen * 2;
313
314 memcpy(ssl->mac_dec, keyblk, ssl->maclen);
315 memcpy(ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen);
316
317 memcpy(ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen);
318 memcpy(ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
319 ssl->ivlen);
320 }
321
322 switch (ssl->session->cipher) {
323 #if defined(TROPICSSL_ARC4_C)
324 case SSL_RSA_RC4_128_MD5:
325 case SSL_RSA_RC4_128_SHA:
326 arc4_setup((arc4_context *) ssl->ctx_enc, key1, ssl->keylen);
327 arc4_setup((arc4_context *) ssl->ctx_dec, key2, ssl->keylen);
328 break;
329 #endif
330
331 #if defined(TROPICSSL_DES_C)
332 case SSL_RSA_DES_168_SHA:
333 case SSL_EDH_RSA_DES_168_SHA:
334 des3_set3key_enc((des3_context *) ssl->ctx_enc, key1);
335 des3_set3key_dec((des3_context *) ssl->ctx_dec, key2);
336 break;
337 #endif
338
339 #if defined(TROPICSSL_AES_C)
340 case SSL_RSA_AES_128_SHA:
341 aes_setkey_enc((aes_context *) ssl->ctx_enc, key1, 128);
342 aes_setkey_dec((aes_context *) ssl->ctx_dec, key2, 128);
343 break;
344
345 case SSL_RSA_AES_256_SHA:
346 case SSL_EDH_RSA_AES_256_SHA:
347 aes_setkey_enc((aes_context *) ssl->ctx_enc, key1, 256);
348 aes_setkey_dec((aes_context *) ssl->ctx_dec, key2, 256);
349 break;
350 #endif
351
352 #if defined(TROPICSSL_CAMELLIA_C)
353 case SSL_RSA_CAMELLIA_128_SHA:
354 camellia_setkey_enc((camellia_context *) ssl->ctx_enc, key1,
355 128);
356 camellia_setkey_dec((camellia_context *) ssl->ctx_dec, key2,
357 128);
358 break;
359
360 case SSL_RSA_CAMELLIA_256_SHA:
361 case SSL_EDH_RSA_CAMELLIA_256_SHA:
362 camellia_setkey_enc((camellia_context *) ssl->ctx_enc, key1,
363 256);
364 camellia_setkey_dec((camellia_context *) ssl->ctx_dec, key2,
365 256);
366 break;
367 #endif
368
369 default:
370 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
371 }
372
373 memset(keyblk, 0, sizeof(keyblk));
374
375 SSL_DEBUG_MSG(2, ("<= derive keys"));
376
377 return (0);
378 }
379
380 void ssl_calc_verify(ssl_context * ssl, unsigned char hash[36])
381 {
382 md5_context md5;
383 sha1_context sha1;
384 unsigned char pad_1[48];
385 unsigned char pad_2[48];
386
387 SSL_DEBUG_MSG(2, ("=> calc verify"));
388
389 memcpy(&md5, &ssl->fin_md5, sizeof(md5_context));
390 memcpy(&sha1, &ssl->fin_sha1, sizeof(sha1_context));
391
392 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
393 memset(pad_1, 0x36, 48);
394 memset(pad_2, 0x5C, 48);
395
396 md5_update(&md5, ssl->session->master, 48);
397 md5_update(&md5, pad_1, 48);
398 md5_finish(&md5, hash);
399
400 md5_starts(&md5);
401 md5_update(&md5, ssl->session->master, 48);
402 md5_update(&md5, pad_2, 48);
403 md5_update(&md5, hash, 16);
404 md5_finish(&md5, hash);
405
406 sha1_update(&sha1, ssl->session->master, 48);
407 sha1_update(&sha1, pad_1, 40);
408 sha1_finish(&sha1, hash + 16);
409
410 sha1_starts(&sha1);
411 sha1_update(&sha1, ssl->session->master, 48);
412 sha1_update(&sha1, pad_2, 40);
413 sha1_update(&sha1, hash + 16, 20);
414 sha1_finish(&sha1, hash + 16);
415 } else { /* TLSv1 */
416 md5_finish(&md5, hash);
417 sha1_finish(&sha1, hash + 16);
418 }
419
420 SSL_DEBUG_BUF(3, "calculated verify result", hash, 36);
421 SSL_DEBUG_MSG(2, ("<= calc verify"));
422
423 return;
424 }
425
426 /*
427 * SSLv3.0 MAC functions
428 */
429 static void ssl_mac_md5(unsigned char *secret,
430 unsigned char *buf, int len,
431 unsigned char *ctr, int type)
432 {
433 unsigned char header[11];
434 unsigned char padding[48];
435 md5_context md5;
436
437 memcpy(header, ctr, 8);
438 header[8] = (unsigned char)type;
439 header[9] = (unsigned char)(len >> 8);
440 header[10] = (unsigned char)(len);
441
442 memset(padding, 0x36, 48);
443 md5_starts(&md5);
444 md5_update(&md5, secret, 16);
445 md5_update(&md5, padding, 48);
446 md5_update(&md5, header, 11);
447 md5_update(&md5, buf, len);
448 md5_finish(&md5, buf + len);
449
450 memset(padding, 0x5C, 48);
451 md5_starts(&md5);
452 md5_update(&md5, secret, 16);
453 md5_update(&md5, padding, 48);
454 md5_update(&md5, buf + len, 16);
455 md5_finish(&md5, buf + len);
456 }
457
458 static void ssl_mac_sha1(unsigned char *secret,
459 unsigned char *buf, int len,
460 unsigned char *ctr, int type)
461 {
462 unsigned char header[11];
463 unsigned char padding[40];
464 sha1_context sha1;
465
466 memcpy(header, ctr, 8);
467 header[8] = (unsigned char)type;
468 header[9] = (unsigned char)(len >> 8);
469 header[10] = (unsigned char)(len);
470
471 memset(padding, 0x36, 40);
472 sha1_starts(&sha1);
473 sha1_update(&sha1, secret, 20);
474 sha1_update(&sha1, padding, 40);
475 sha1_update(&sha1, header, 11);
476 sha1_update(&sha1, buf, len);
477 sha1_finish(&sha1, buf + len);
478
479 memset(padding, 0x5C, 40);
480 sha1_starts(&sha1);
481 sha1_update(&sha1, secret, 20);
482 sha1_update(&sha1, padding, 40);
483 sha1_update(&sha1, buf + len, 20);
484 sha1_finish(&sha1, buf + len);
485 }
486
487 /*
488 * Encryption/decryption functions
489 */
490 static int ssl_encrypt_buf(ssl_context * ssl)
491 {
492 int i, padlen;
493
494 SSL_DEBUG_MSG(2, ("=> encrypt buf"));
495
496 /*
497 * Add MAC then encrypt
498 */
499 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
500 if (ssl->maclen == 16)
501 ssl_mac_md5(ssl->mac_enc,
502 ssl->out_msg, ssl->out_msglen,
503 ssl->out_ctr, ssl->out_msgtype);
504
505 if (ssl->maclen == 20)
506 ssl_mac_sha1(ssl->mac_enc,
507 ssl->out_msg, ssl->out_msglen,
508 ssl->out_ctr, ssl->out_msgtype);
509 } else {
510 if (ssl->maclen == 16)
511 md5_hmac(ssl->mac_enc, 16,
512 ssl->out_ctr, ssl->out_msglen + 13,
513 ssl->out_msg + ssl->out_msglen);
514
515 if (ssl->maclen == 20)
516 sha1_hmac(ssl->mac_enc, 20,
517 ssl->out_ctr, ssl->out_msglen + 13,
518 ssl->out_msg + ssl->out_msglen);
519 }
520
521 SSL_DEBUG_BUF(4, "computed mac",
522 ssl->out_msg + ssl->out_msglen, ssl->maclen);
523
524 ssl->out_msglen += ssl->maclen;
525
526 for (i = 7; i >= 0; i--)
527 if (++ssl->out_ctr[i] != 0)
528 break;
529
530 if (ssl->ivlen == 0) {
531 #if defined(TROPICSSL_ARC4_C)
532 padlen = 0;
533
534 SSL_DEBUG_MSG(3, ("before encrypt: msglen = %d, "
535 "including %d bytes of padding",
536 ssl->out_msglen, 0));
537
538 SSL_DEBUG_BUF(4, "before encrypt: output payload",
539 ssl->out_msg, ssl->out_msglen);
540
541 arc4_crypt((arc4_context *) ssl->ctx_enc,
542 ssl->out_msglen, ssl->out_msg,
543 ssl->out_msg);
544 #else
545 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
546 #endif
547 } else {
548 padlen = ssl->ivlen - (ssl->out_msglen + 1) % ssl->ivlen;
549 if (padlen == ssl->ivlen)
550 padlen = 0;
551
552 for (i = 0; i <= padlen; i++)
553 ssl->out_msg[ssl->out_msglen + i] =
554 (unsigned char)padlen;
555
556 ssl->out_msglen += padlen + 1;
557
558 SSL_DEBUG_MSG(3, ("before encrypt: msglen = %d, "
559 "including %d bytes of padding",
560 ssl->out_msglen, padlen + 1));
561
562 SSL_DEBUG_BUF(4, "before encrypt: output payload",
563 ssl->out_msg, ssl->out_msglen);
564
565 switch (ssl->ivlen) {
566 case 8:
567 #if defined(TROPICSSL_DES_C)
568 des3_crypt_cbc((des3_context *) ssl->ctx_enc,
569 DES_ENCRYPT, ssl->out_msglen,
570 ssl->iv_enc, ssl->out_msg, ssl->out_msg);
571 break;
572 #endif
573
574 case 16:
575 #if defined(TROPICSSL_AES_C)
576 if (ssl->session->cipher == SSL_RSA_AES_128_SHA ||
577 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
578 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA) {
579 aes_crypt_cbc((aes_context *) ssl->ctx_enc,
580 AES_ENCRYPT, ssl->out_msglen,
581 ssl->iv_enc, ssl->out_msg,
582 ssl->out_msg);
583 break;
584 }
585 #endif
586
587 #if defined(TROPICSSL_CAMELLIA_C)
588 if (ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
589 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
590 ssl->session->cipher ==
591 SSL_EDH_RSA_CAMELLIA_256_SHA) {
592 camellia_crypt_cbc((camellia_context *)
593 ssl->ctx_enc,
594 CAMELLIA_ENCRYPT,
595 ssl->out_msglen, ssl->iv_enc,
596 ssl->out_msg, ssl->out_msg);
597 break;
598 }
599 #endif
600
601 default:
602 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
603 }
604 }
605
606 SSL_DEBUG_MSG(2, ("<= encrypt buf"));
607
608 return (0);
609 }
610
611 static int ssl_decrypt_buf(ssl_context * ssl)
612 {
613 int i, padlen;
614 unsigned char tmp[20];
615
616 SSL_DEBUG_MSG(2, ("=> decrypt buf"));
617
618 if (ssl->in_msglen < ssl->minlen) {
619 SSL_DEBUG_MSG(1, ("in_msglen (%d) < minlen (%d)",
620 ssl->in_msglen, ssl->minlen));
621 return (TROPICSSL_ERR_SSL_INVALID_MAC);
622 }
623
624 if (ssl->ivlen == 0) {
625 #if defined(TROPICSSL_ARC4_C)
626 padlen = 0;
627 arc4_crypt((arc4_context *) ssl->ctx_dec,
628 ssl->in_msglen, ssl->in_msg,
629 ssl->in_msg);
630 #else
631 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
632 #endif
633 } else {
634 /*
635 * Decrypt and check the padding
636 */
637 if (ssl->in_msglen % ssl->ivlen != 0) {
638 SSL_DEBUG_MSG(1, ("msglen (%d) %% ivlen (%d) != 0",
639 ssl->in_msglen, ssl->ivlen));
640 return (TROPICSSL_ERR_SSL_INVALID_MAC);
641 }
642
643 switch (ssl->ivlen) {
644 #if defined(TROPICSSL_DES_C)
645 case 8:
646 des3_crypt_cbc((des3_context *) ssl->ctx_dec,
647 DES_DECRYPT, ssl->in_msglen,
648 ssl->iv_dec, ssl->in_msg, ssl->in_msg);
649 break;
650 #endif
651
652 case 16:
653 #if defined(TROPICSSL_AES_C)
654 if (ssl->session->cipher == SSL_RSA_AES_128_SHA ||
655 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
656 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA) {
657 aes_crypt_cbc((aes_context *) ssl->ctx_dec,
658 AES_DECRYPT, ssl->in_msglen,
659 ssl->iv_dec, ssl->in_msg,
660 ssl->in_msg);
661 break;
662 }
663 #endif
664
665 #if defined(TROPICSSL_CAMELLIA_C)
666 if (ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
667 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
668 ssl->session->cipher ==
669 SSL_EDH_RSA_CAMELLIA_256_SHA) {
670 camellia_crypt_cbc((camellia_context *)
671 ssl->ctx_dec,
672 CAMELLIA_DECRYPT,
673 ssl->in_msglen, ssl->iv_dec,
674 ssl->in_msg, ssl->in_msg);
675 break;
676 }
677 #endif
678
679 default:
680 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
681 }
682
683 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
684
685 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
686 if (padlen > ssl->ivlen) {
687 SSL_DEBUG_MSG(1, ("bad padding length: is %d, "
688 "should be no more than %d",
689 padlen, ssl->ivlen));
690 padlen = 0;
691 }
692 } else {
693 /*
694 * TLSv1: always check the padding
695 */
696 for (i = 1; i <= padlen; i++) {
697 if (ssl->in_msg[ssl->in_msglen - i] !=
698 padlen - 1) {
699 SSL_DEBUG_MSG(1,
700 ("bad padding byte: should be "
701 "%02x, but is %02x",
702 padlen - 1,
703 ssl->
704 in_msg[ssl->in_msglen -
705 i]));
706 padlen = 0;
707 }
708 }
709 }
710 }
711
712 SSL_DEBUG_BUF(4, "raw buffer after decryption",
713 ssl->in_msg, ssl->in_msglen);
714
715 /*
716 * Always compute the MAC (RFC4346, CBCTIME).
717 */
718 ssl->in_msglen -= (ssl->maclen + padlen);
719
720 ssl->in_hdr[3] = (unsigned char)(ssl->in_msglen >> 8);
721 ssl->in_hdr[4] = (unsigned char)(ssl->in_msglen);
722
723 memcpy(tmp, ssl->in_msg + ssl->in_msglen, 20);
724
725 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
726 if (ssl->maclen == 16)
727 ssl_mac_md5(ssl->mac_dec,
728 ssl->in_msg, ssl->in_msglen,
729 ssl->in_ctr, ssl->in_msgtype);
730 else
731 ssl_mac_sha1(ssl->mac_dec,
732 ssl->in_msg, ssl->in_msglen,
733 ssl->in_ctr, ssl->in_msgtype);
734 } else {
735 if (ssl->maclen == 16)
736 md5_hmac(ssl->mac_dec, 16,
737 ssl->in_ctr, ssl->in_msglen + 13,
738 ssl->in_msg + ssl->in_msglen);
739 else
740 sha1_hmac(ssl->mac_dec, 20,
741 ssl->in_ctr, ssl->in_msglen + 13,
742 ssl->in_msg + ssl->in_msglen);
743 }
744
745 SSL_DEBUG_BUF(4, "message mac", tmp, ssl->maclen);
746 SSL_DEBUG_BUF(4, "computed mac", ssl->in_msg + ssl->in_msglen,
747 ssl->maclen);
748
749 if (memcmp(tmp, ssl->in_msg + ssl->in_msglen, ssl->maclen) != 0) {
750 SSL_DEBUG_MSG(1, ("message mac does not match"));
751 return (TROPICSSL_ERR_SSL_INVALID_MAC);
752 }
753
754 /*
755 * Finally check the padding length; bad padding
756 * will produce the same error as an invalid MAC.
757 */
758 if (ssl->ivlen != 0 && padlen == 0)
759 return (TROPICSSL_ERR_SSL_INVALID_MAC);
760
761 if (ssl->in_msglen == 0) {
762 ssl->nb_zero++;
763
764 /*
765 * Three or more empty messages may be a DoS attack
766 * (excessive CPU consumption).
767 */
768 if (ssl->nb_zero > 3) {
769 SSL_DEBUG_MSG(1, ("received four consecutive empty "
770 "messages, possible DoS attack"));
771 return (TROPICSSL_ERR_SSL_INVALID_MAC);
772 }
773 } else
774 ssl->nb_zero = 0;
775
776 for (i = 7; i >= 0; i--)
777 if (++ssl->in_ctr[i] != 0)
778 break;
779
780 SSL_DEBUG_MSG(2, ("<= decrypt buf"));
781
782 return (0);
783 }
784
785 /*
786 * Fill the input message buffer
787 */
788 int ssl_fetch_input(ssl_context * ssl, int nb_want)
789 {
790 int ret, len;
791
792 SSL_DEBUG_MSG(2, ("=> fetch input"));
793
794 while (ssl->in_left < nb_want) {
795 len = nb_want - ssl->in_left;
796 ret = ssl->f_recv(ssl->p_recv, ssl->in_hdr + ssl->in_left, len);
797
798 SSL_DEBUG_MSG(2, ("in_left: %d, nb_want: %d",
799 ssl->in_left, nb_want));
800 SSL_DEBUG_RET(2, "ssl->f_recv", ret);
801
802 if (ret < 0)
803 return (ret);
804
805 ssl->in_left += ret;
806 }
807
808 SSL_DEBUG_MSG(2, ("<= fetch input"));
809
810 return (0);
811 }
812
813 /*
814 * Flush any data not yet written
815 */
816 int ssl_flush_output(ssl_context * ssl)
817 {
818 int ret;
819 unsigned char *buf;
820
821 SSL_DEBUG_MSG(2, ("=> flush output"));
822
823 while (ssl->out_left > 0) {
824 SSL_DEBUG_MSG(2, ("message length: %d, out_left: %d",
825 5 + ssl->out_msglen, ssl->out_left));
826
827 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
828 ret = ssl->f_send(ssl->p_send, buf, ssl->out_left);
829 SSL_DEBUG_RET(2, "ssl->f_send", ret);
830
831 if (ret <= 0)
832 return (ret);
833
834 ssl->out_left -= ret;
835 }
836
837 SSL_DEBUG_MSG(2, ("<= flush output"));
838
839 return (0);
840 }
841
842 /*
843 * Record layer functions
844 */
845 int ssl_write_record(ssl_context * ssl)
846 {
847 int ret, len = ssl->out_msglen;
848
849 SSL_DEBUG_MSG(2, ("=> write record"));
850
851 ssl->out_hdr[0] = (unsigned char)ssl->out_msgtype;
852 ssl->out_hdr[1] = (unsigned char)ssl->major_ver;
853 ssl->out_hdr[2] = (unsigned char)ssl->minor_ver;
854 ssl->out_hdr[3] = (unsigned char)(len >> 8);
855 ssl->out_hdr[4] = (unsigned char)(len);
856
857 if (ssl->out_msgtype == SSL_MSG_HANDSHAKE) {
858 ssl->out_msg[1] = (unsigned char)((len - 4) >> 16);
859 ssl->out_msg[2] = (unsigned char)((len - 4) >> 8);
860 ssl->out_msg[3] = (unsigned char)((len - 4));
861
862 md5_update(&ssl->fin_md5, ssl->out_msg, len);
863 sha1_update(&ssl->fin_sha1, ssl->out_msg, len);
864 }
865
866 if (ssl->do_crypt != 0) {
867 if ((ret = ssl_encrypt_buf(ssl)) != 0) {
868 SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret);
869 return (ret);
870 }
871
872 len = ssl->out_msglen;
873 ssl->out_hdr[3] = (unsigned char)(len >> 8);
874 ssl->out_hdr[4] = (unsigned char)(len);
875 }
876
877 ssl->out_left = 5 + ssl->out_msglen;
878
879 SSL_DEBUG_MSG(3, ("output record: msgtype = %d, "
880 "version = [%d:%d], msglen = %d",
881 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
882 (ssl->out_hdr[3] << 8) | ssl->out_hdr[4]));
883
884 SSL_DEBUG_BUF(4, "output record sent to network",
885 ssl->out_hdr, 5 + ssl->out_msglen);
886
887 if ((ret = ssl_flush_output(ssl)) != 0) {
888 SSL_DEBUG_RET(1, "ssl_flush_output", ret);
889 return (ret);
890 }
891
892 SSL_DEBUG_MSG(2, ("<= write record"));
893
894 return (0);
895 }
896
897 int ssl_read_record(ssl_context * ssl)
898 {
899 int ret;
900
901 SSL_DEBUG_MSG(2, ("=> read record"));
902
903 if (ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen) {
904 /*
905 * Get next Handshake message in the current record
906 */
907 ssl->in_msglen -= ssl->in_hslen;
908
909 memcpy(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
910 ssl->in_msglen);
911
912 ssl->in_hslen = 4;
913 ssl->in_hslen += (ssl->in_msg[2] << 8) | ssl->in_msg[3];
914
915 SSL_DEBUG_MSG(3, ("handshake message: msglen ="
916 " %d, type = %d, hslen = %d",
917 ssl->in_msglen, ssl->in_msg[0],
918 ssl->in_hslen));
919
920 if (ssl->in_msglen < 4 || ssl->in_msg[1] != 0) {
921 SSL_DEBUG_MSG(1, ("bad handshake length"));
922 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
923 }
924
925 if (ssl->in_msglen < ssl->in_hslen) {
926 SSL_DEBUG_MSG(1, ("bad handshake length"));
927 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
928 }
929
930 md5_update(&ssl->fin_md5, ssl->in_msg, ssl->in_hslen);
931 sha1_update(&ssl->fin_sha1, ssl->in_msg, ssl->in_hslen);
932
933 return (0);
934 }
935
936 ssl->in_hslen = 0;
937
938 /*
939 * Read the record header and validate it
940 */
941 if ((ret = ssl_fetch_input(ssl, 5)) != 0) {
942 SSL_DEBUG_RET(1, "ssl_fetch_input", ret);
943 return (ret);
944 }
945
946 ssl->in_msgtype = ssl->in_hdr[0];
947 ssl->in_msglen = (ssl->in_hdr[3] << 8) | ssl->in_hdr[4];
948
949 SSL_DEBUG_MSG(3, ("input record: msgtype = %d, "
950 "version = [%d:%d], msglen = %d",
951 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
952 (ssl->in_hdr[3] << 8) | ssl->in_hdr[4]));
953
954 if (ssl->in_hdr[1] != ssl->major_ver) {
955 SSL_DEBUG_MSG(1, ("major version mismatch"));
956 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
957 }
958
959 if (ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
960 ssl->in_hdr[2] != SSL_MINOR_VERSION_1) {
961 SSL_DEBUG_MSG(1, ("minor version mismatch"));
962 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
963 }
964
965 /*
966 * Make sure the message length is acceptable
967 */
968 if (ssl->do_crypt == 0) {
969 if (ssl->in_msglen < 1 || ssl->in_msglen > SSL_MAX_CONTENT_LEN) {
970 SSL_DEBUG_MSG(1, ("bad message length"));
971 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
972 }
973 } else {
974 if (ssl->in_msglen < ssl->minlen) {
975 SSL_DEBUG_MSG(1, ("bad message length"));
976 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
977 }
978
979 if (ssl->minor_ver == SSL_MINOR_VERSION_0 &&
980 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN) {
981 SSL_DEBUG_MSG(1, ("bad message length"));
982 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
983 }
984
985 /*
986 * TLS encrypted messages can have up to 256 bytes of padding
987 */
988 if (ssl->minor_ver == SSL_MINOR_VERSION_1 &&
989 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256) {
990 SSL_DEBUG_MSG(1, ("bad message length"));
991 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
992 }
993 }
994
995 /*
996 * Read and optionally decrypt the message contents
997 */
998 if ((ret = ssl_fetch_input(ssl, 5 + ssl->in_msglen)) != 0) {
999 SSL_DEBUG_RET(1, "ssl_fetch_input", ret);
1000 return (ret);
1001 }
1002
1003 SSL_DEBUG_BUF(4, "input record from network",
1004 ssl->in_hdr, 5 + ssl->in_msglen);
1005
1006 if (ssl->do_crypt != 0) {
1007 if ((ret = ssl_decrypt_buf(ssl)) != 0) {
1008 SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret);
1009 return (ret);
1010 }
1011
1012 SSL_DEBUG_BUF(4, "input payload after decrypt",
1013 ssl->in_msg, ssl->in_msglen);
1014
1015 if (ssl->in_msglen > SSL_MAX_CONTENT_LEN) {
1016 SSL_DEBUG_MSG(1, ("bad message length"));
1017 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
1018 }
1019 }
1020
1021 if (ssl->in_msgtype == SSL_MSG_HANDSHAKE) {
1022 ssl->in_hslen = 4;
1023 ssl->in_hslen += (ssl->in_msg[2] << 8) | ssl->in_msg[3];
1024
1025 SSL_DEBUG_MSG(3, ("handshake message: msglen ="
1026 " %d, type = %d, hslen = %d",
1027 ssl->in_msglen, ssl->in_msg[0],
1028 ssl->in_hslen));
1029
1030 /*
1031 * Additional checks to validate the handshake header
1032 */
1033 if (ssl->in_msglen < 4 || ssl->in_msg[1] != 0) {
1034 SSL_DEBUG_MSG(1, ("bad handshake length"));
1035 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
1036 }
1037
1038 if (ssl->in_msglen < ssl->in_hslen) {
1039 SSL_DEBUG_MSG(1, ("bad handshake length"));
1040 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
1041 }
1042
1043 md5_update(&ssl->fin_md5, ssl->in_msg, ssl->in_hslen);
1044 sha1_update(&ssl->fin_sha1, ssl->in_msg, ssl->in_hslen);
1045 }
1046
1047 if (ssl->in_msgtype == SSL_MSG_ALERT) {
1048 SSL_DEBUG_MSG(2, ("got an alert message, type: [%d:%d]",
1049 ssl->in_msg[0], ssl->in_msg[1]));
1050
1051 /*
1052 * Ignore non-fatal alerts, except close_notify
1053 */
1054 if (ssl->in_msg[0] == SSL_ALERT_FATAL) {
1055 SSL_DEBUG_MSG(1, ("is a fatal alert message"));
1056 return (TROPICSSL_ERR_SSL_FATAL_ALERT_MESSAGE |
1057 ssl->in_msg[1]);
1058 }
1059
1060 if (ssl->in_msg[0] == SSL_ALERT_WARNING &&
1061 ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY) {
1062 SSL_DEBUG_MSG(2, ("is a close notify message"));
1063 return (TROPICSSL_ERR_SSL_PEER_CLOSE_NOTIFY);
1064 }
1065 }
1066
1067 ssl->in_left = 0;
1068
1069 SSL_DEBUG_MSG(2, ("<= read record"));
1070
1071 return (0);
1072 }
1073
1074 /*
1075 * Handshake functions
1076 */
1077 int ssl_write_certificate(ssl_context * ssl)
1078 {
1079 int ret, i, n;
1080 x509_cert *crt;
1081
1082 SSL_DEBUG_MSG(2, ("=> write certificate"));
1083
1084 if (ssl->endpoint == SSL_IS_CLIENT) {
1085 if (ssl->client_auth == 0) {
1086 SSL_DEBUG_MSG(2, ("<= skip write certificate"));
1087 ssl->state++;
1088 return (0);
1089 }
1090
1091 /*
1092 * If using SSLv3 and got no cert, send an Alert message
1093 * (otherwise an empty Certificate message will be sent).
1094 */
1095 if (ssl->own_cert == NULL &&
1096 ssl->minor_ver == SSL_MINOR_VERSION_0) {
1097 ssl->out_msglen = 2;
1098 ssl->out_msgtype = SSL_MSG_ALERT;
1099 ssl->out_msg[0] = SSL_ALERT_WARNING;
1100 ssl->out_msg[1] = SSL_ALERT_NO_CERTIFICATE;
1101
1102 SSL_DEBUG_MSG(2, ("got no certificate to send"));
1103 goto write_msg;
1104 }
1105 } else { /* SSL_IS_SERVER */
1106 if (ssl->own_cert == NULL) {
1107 SSL_DEBUG_MSG(1, ("got no certificate to send"));
1108 return (TROPICSSL_ERR_SSL_CERTIFICATE_REQUIRED);
1109 }
1110 }
1111
1112 SSL_DEBUG_CRT(3, "own certificate", ssl->own_cert);
1113
1114 /*
1115 * 0 . 0 handshake type
1116 * 1 . 3 handshake length
1117 * 4 . 6 length of all certs
1118 * 7 . 9 length of cert. 1
1119 * 10 . n-1 peer certificate
1120 * n . n+2 length of cert. 2
1121 * n+3 . ... upper level cert, etc.
1122 */
1123 i = 7;
1124 crt = ssl->own_cert;
1125
1126 while (crt != NULL && crt->next != NULL) {
1127 n = crt->raw.len;
1128 if (i + 3 + n > SSL_MAX_CONTENT_LEN) {
1129 SSL_DEBUG_MSG(1, ("certificate too large, %d > %d",
1130 i + 3 + n, SSL_MAX_CONTENT_LEN));
1131 return (TROPICSSL_ERR_SSL_CERTIFICATE_TOO_LARGE);
1132 }
1133
1134 ssl->out_msg[i] = (unsigned char)(n >> 16);
1135 ssl->out_msg[i + 1] = (unsigned char)(n >> 8);
1136 ssl->out_msg[i + 2] = (unsigned char)(n);
1137
1138 i += 3;
1139 memcpy(ssl->out_msg + i, crt->raw.p, n);
1140 i += n;
1141 crt = crt->next;
1142 }
1143
1144 ssl->out_msg[4] = (unsigned char)((i - 7) >> 16);
1145 ssl->out_msg[5] = (unsigned char)((i - 7) >> 8);
1146 ssl->out_msg[6] = (unsigned char)((i - 7));
1147
1148 ssl->out_msglen = i;
1149 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1150 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1151
1152 write_msg:
1153
1154 ssl->state++;
1155
1156 if ((ret = ssl_write_record(ssl)) != 0) {
1157 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1158 return (ret);
1159 }
1160
1161 SSL_DEBUG_MSG(2, ("<= write certificate"));
1162
1163 return (0);
1164 }
1165
1166 int ssl_parse_certificate(ssl_context * ssl)
1167 {
1168 int ret, i, n;
1169
1170 SSL_DEBUG_MSG(2, ("=> parse certificate"));
1171
1172 if (ssl->endpoint == SSL_IS_SERVER && ssl->authmode == SSL_VERIFY_NONE) {
1173 SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
1174 ssl->state++;
1175 return (0);
1176 }
1177
1178 if ((ret = ssl_read_record(ssl)) != 0) {
1179 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1180 return (ret);
1181 }
1182
1183 ssl->state++;
1184
1185 /*
1186 * Check if the client sent an empty certificate
1187 */
1188 if (ssl->endpoint == SSL_IS_SERVER &&
1189 ssl->minor_ver == SSL_MINOR_VERSION_0) {
1190 if (ssl->in_msglen == 2 &&
1191 ssl->in_msgtype == SSL_MSG_ALERT &&
1192 ssl->in_msg[0] == SSL_ALERT_WARNING &&
1193 ssl->in_msg[1] == SSL_ALERT_NO_CERTIFICATE) {
1194 SSL_DEBUG_MSG(1, ("SSLv3 client has no certificate"));
1195
1196 if (ssl->authmode == SSL_VERIFY_OPTIONAL)
1197 return (0);
1198 else
1199 return
1200 (TROPICSSL_ERR_SSL_NO_CLIENT_CERTIFICATE);
1201 }
1202 }
1203
1204 if (ssl->endpoint == SSL_IS_SERVER &&
1205 ssl->minor_ver != SSL_MINOR_VERSION_0) {
1206 if (ssl->in_hslen == 7 &&
1207 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1208 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1209 memcmp(ssl->in_msg + 4, "\0\0\0", 3) == 0) {
1210 SSL_DEBUG_MSG(1, ("TLSv1 client has no certificate"));
1211
1212 if (ssl->authmode == SSL_VERIFY_REQUIRED)
1213 return
1214 (TROPICSSL_ERR_SSL_NO_CLIENT_CERTIFICATE);
1215 else
1216 return (0);
1217 }
1218 }
1219
1220 if (ssl->in_msgtype != SSL_MSG_HANDSHAKE) {
1221 SSL_DEBUG_MSG(1, ("bad certificate message"));
1222 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE);
1223 }
1224
1225 if (ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10) {
1226 SSL_DEBUG_MSG(1, ("bad certificate message"));
1227 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE);
1228 }
1229
1230 /*
1231 * Same message structure as in ssl_write_certificate()
1232 */
1233 n = (ssl->in_msg[5] << 8) | ssl->in_msg[6];
1234
1235 if (ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n) {
1236 SSL_DEBUG_MSG(1, ("bad certificate message"));
1237 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE);
1238 }
1239
1240 if ((ssl->peer_cert = (x509_cert *) malloc(sizeof(x509_cert))) == NULL) {
1241 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed",
1242 sizeof(x509_cert)));
1243 return (1);
1244 }
1245
1246 memset(ssl->peer_cert, 0, sizeof(x509_cert));
1247
1248 i = 7;
1249
1250 while (i < ssl->in_hslen) {
1251 if (ssl->in_msg[i] != 0) {
1252 SSL_DEBUG_MSG(1, ("bad certificate message"));
1253 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE);
1254 }
1255
1256 n = ((unsigned int)ssl->in_msg[i + 1] << 8)
1257 | (unsigned int)ssl->in_msg[i + 2];
1258 i += 3;
1259
1260 if (n < 128 || i + n > ssl->in_hslen) {
1261 SSL_DEBUG_MSG(1, ("bad certificate message"));
1262 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE);
1263 }
1264
1265 ret = x509parse_crt(ssl->peer_cert, ssl->in_msg + i, n);
1266 if (ret != 0) {
1267 SSL_DEBUG_RET(1, " x509parse_crt", ret);
1268 return (ret);
1269 }
1270
1271 i += n;
1272 }
1273
1274 SSL_DEBUG_CRT(3, "peer certificate", ssl->peer_cert);
1275
1276 if (ssl->authmode != SSL_VERIFY_NONE) {
1277 if (ssl->ca_chain == NULL) {
1278 SSL_DEBUG_MSG(1, ("got no CA chain"));
1279 return (TROPICSSL_ERR_SSL_CA_CHAIN_REQUIRED);
1280 }
1281
1282 ret = x509parse_verify(ssl->peer_cert, ssl->ca_chain,
1283 ssl->peer_cn, &ssl->verify_result);
1284
1285 if (ret != 0)
1286 SSL_DEBUG_RET(1, "x509_verify_cert", ret);
1287
1288 if (ssl->authmode != SSL_VERIFY_REQUIRED)
1289 ret = 0;
1290 }
1291
1292 SSL_DEBUG_MSG(2, ("<= parse certificate"));
1293
1294 return (ret);
1295 }
1296
1297 int ssl_write_change_cipher_spec(ssl_context * ssl)
1298 {
1299 int ret;
1300
1301 SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
1302
1303 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1304 ssl->out_msglen = 1;
1305 ssl->out_msg[0] = 1;
1306
1307 ssl->do_crypt = 0;
1308 ssl->state++;
1309
1310 if ((ret = ssl_write_record(ssl)) != 0) {
1311 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1312 return (ret);
1313 }
1314
1315 SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
1316
1317 return (0);
1318 }
1319
1320 int ssl_parse_change_cipher_spec(ssl_context * ssl)
1321 {
1322 int ret;
1323
1324 SSL_DEBUG_MSG(2, ("=> parse change cipher spec"));
1325
1326 ssl->do_crypt = 0;
1327
1328 if ((ret = ssl_read_record(ssl)) != 0) {
1329 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1330 return (ret);
1331 }
1332
1333 if (ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC) {
1334 SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
1335 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE);
1336 }
1337
1338 if (ssl->in_msglen != 1 || ssl->in_msg[0] != 1) {
1339 SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
1340 return (TROPICSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC);
1341 }
1342
1343 ssl->state++;
1344
1345 SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
1346
1347 return (0);
1348 }
1349
1350 static void ssl_calc_finished(ssl_context * ssl, unsigned char *buf, int from,
1351 md5_context * md5, sha1_context * sha1)
1352 {
1353 int len = 12;
1354 char *sender;
1355 unsigned char padbuf[48];
1356 unsigned char md5sum[16];
1357 unsigned char sha1sum[20];
1358
1359 SSL_DEBUG_MSG(2, ("=> calc finished"));
1360
1361 /*
1362 * SSLv3:
1363 * hash =
1364 * MD5( master + pad2 +
1365 * MD5( handshake + sender + master + pad1 ) )
1366 * + SHA1( master + pad2 +
1367 * SHA1( handshake + sender + master + pad1 ) )
1368 *
1369 * TLSv1:
1370 * hash = PRF( master, finished_label,
1371 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1372 */
1373
1374 SSL_DEBUG_BUF(4, "finished md5 state", (unsigned char *)
1375 md5->state, sizeof(md5->state));
1376
1377 SSL_DEBUG_BUF(4, "finished sha1 state", (unsigned char *)
1378 sha1->state, sizeof(sha1->state));
1379
1380 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
1381 sender = (from == SSL_IS_CLIENT) ? (char *)"CLNT"
1382 : (char *)"SRVR";
1383
1384 memset(padbuf, 0x36, 48);
1385
1386 md5_update(md5, (unsigned char *)sender, 4);
1387 md5_update(md5, ssl->session->master, 48);
1388 md5_update(md5, padbuf, 48);
1389 md5_finish(md5, md5sum);
1390
1391 sha1_update(sha1, (unsigned char *)sender, 4);
1392 sha1_update(sha1, ssl->session->master, 48);
1393 sha1_update(sha1, padbuf, 40);
1394 sha1_finish(sha1, sha1sum);
1395
1396 memset(padbuf, 0x5C, 48);
1397
1398 md5_starts(md5);
1399 md5_update(md5, ssl->session->master, 48);
1400 md5_update(md5, padbuf, 48);
1401 md5_update(md5, md5sum, 16);
1402 md5_finish(md5, buf);
1403
1404 sha1_starts(sha1);
1405 sha1_update(sha1, ssl->session->master, 48);
1406 sha1_update(sha1, padbuf, 40);
1407 sha1_update(sha1, sha1sum, 20);
1408 sha1_finish(sha1, buf + 16);
1409
1410 len += 24;
1411 } else {
1412 sender = (from == SSL_IS_CLIENT)
1413 ? (char *)"client finished" : (char *)"server finished";
1414
1415 md5_finish(md5, padbuf);
1416 sha1_finish(sha1, padbuf + 16);
1417
1418 tls1_prf(ssl->session->master, 48, sender,
1419 padbuf, 36, buf, len);
1420 }
1421
1422 SSL_DEBUG_BUF(3, "calc finished result", buf, len);
1423
1424 memset(md5, 0, sizeof(md5_context));
1425 memset(sha1, 0, sizeof(sha1_context));
1426
1427 memset(padbuf, 0, sizeof(padbuf));
1428 memset(md5sum, 0, sizeof(md5sum));
1429 memset(sha1sum, 0, sizeof(sha1sum));
1430
1431 SSL_DEBUG_MSG(2, ("<= calc finished"));
1432 }
1433
1434 int ssl_write_finished(ssl_context * ssl)
1435 {
1436 int ret, hash_len;
1437 md5_context md5;
1438 sha1_context sha1;
1439
1440 SSL_DEBUG_MSG(2, ("=> write finished"));
1441
1442 memcpy(&md5, &ssl->fin_md5, sizeof(md5_context));
1443 memcpy(&sha1, &ssl->fin_sha1, sizeof(sha1_context));
1444
1445 ssl_calc_finished(ssl, ssl->out_msg + 4, ssl->endpoint, &md5, &sha1);
1446
1447 hash_len = (ssl->minor_ver == SSL_MINOR_VERSION_0) ? 36 : 12;
1448
1449 ssl->out_msglen = 4 + hash_len;
1450 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1451 ssl->out_msg[0] = SSL_HS_FINISHED;
1452
1453 /*
1454 * In case of session resuming, invert the client and server
1455 * ChangeCipherSpec messages order.
1456 */
1457 if (ssl->resume != 0) {
1458 if (ssl->endpoint == SSL_IS_CLIENT)
1459 ssl->state = SSL_HANDSHAKE_OVER;
1460 else
1461 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1462 } else
1463 ssl->state++;
1464
1465 ssl->do_crypt = 1;
1466
1467 if ((ret = ssl_write_record(ssl)) != 0) {
1468 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1469 return (ret);
1470 }
1471
1472 SSL_DEBUG_MSG(2, ("<= write finished"));
1473
1474 return (0);
1475 }
1476
1477 int ssl_parse_finished(ssl_context * ssl)
1478 {
1479 int ret, hash_len;
1480 md5_context md5;
1481 sha1_context sha1;
1482 unsigned char buf[36];
1483
1484 SSL_DEBUG_MSG(2, ("=> parse finished"));
1485
1486 memcpy(&md5, &ssl->fin_md5, sizeof(md5_context));
1487 memcpy(&sha1, &ssl->fin_sha1, sizeof(sha1_context));
1488
1489 ssl->do_crypt = 1;
1490
1491 if ((ret = ssl_read_record(ssl)) != 0) {
1492 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1493 return (ret);
1494 }
1495
1496 if (ssl->in_msgtype != SSL_MSG_HANDSHAKE) {
1497 SSL_DEBUG_MSG(1, ("bad finished message"));
1498 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE);
1499 }
1500
1501 hash_len = (ssl->minor_ver == SSL_MINOR_VERSION_0) ? 36 : 12;
1502
1503 if (ssl->in_msg[0] != SSL_HS_FINISHED || ssl->in_hslen != 4 + hash_len) {
1504 SSL_DEBUG_MSG(1, ("bad finished message"));
1505 return (TROPICSSL_ERR_SSL_BAD_HS_FINISHED);
1506 }
1507
1508 ssl_calc_finished(ssl, buf, ssl->endpoint ^ 1, &md5, &sha1);
1509
1510 if (memcmp(ssl->in_msg + 4, buf, hash_len) != 0) {
1511 SSL_DEBUG_MSG(1, ("bad finished message"));
1512 return (TROPICSSL_ERR_SSL_BAD_HS_FINISHED);
1513 }
1514
1515 if (ssl->resume != 0) {
1516 if (ssl->endpoint == SSL_IS_CLIENT)
1517 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1518
1519 if (ssl->endpoint == SSL_IS_SERVER)
1520 ssl->state = SSL_HANDSHAKE_OVER;
1521 } else
1522 ssl->state++;
1523
1524 SSL_DEBUG_MSG(2, ("<= parse finished"));
1525
1526 return (0);
1527 }
1528
1529 /*
1530 * Initialize an SSL context
1531 */
1532 int ssl_init(ssl_context * ssl)
1533 {
1534 int len = SSL_BUFFER_LEN;
1535
1536 memset(ssl, 0, sizeof(ssl_context));
1537
1538 ssl->in_ctr = (unsigned char *)malloc(len);
1539 ssl->in_hdr = ssl->in_ctr + 8;
1540 ssl->in_msg = ssl->in_ctr + 13;
1541
1542 if (ssl->in_ctr == NULL) {
1543 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed", len));
1544 return (1);
1545 }
1546
1547 ssl->out_ctr = (unsigned char *)malloc(len);
1548 ssl->out_hdr = ssl->out_ctr + 8;
1549 ssl->out_msg = ssl->out_ctr + 13;
1550
1551 if (ssl->out_ctr == NULL) {
1552 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed", len));
1553 free(ssl->in_ctr);
1554 return (1);
1555 }
1556
1557 memset(ssl->in_ctr, 0, SSL_BUFFER_LEN);
1558 memset(ssl->out_ctr, 0, SSL_BUFFER_LEN);
1559
1560 ssl->hostname = NULL;
1561 ssl->hostname_len = 0;
1562
1563 md5_starts(&ssl->fin_md5);
1564 sha1_starts(&ssl->fin_sha1);
1565
1566 return (0);
1567 }
1568
1569 /*
1570 * SSL set accessors
1571 */
1572 void ssl_set_endpoint(ssl_context * ssl, int endpoint)
1573 {
1574 ssl->endpoint = endpoint;
1575 }
1576
1577 void ssl_set_authmode(ssl_context * ssl, int authmode)
1578 {
1579 ssl->authmode = authmode;
1580 }
1581
1582 void ssl_set_rng(ssl_context * ssl, int (*f_rng) (void *), void *p_rng)
1583 {
1584 ssl->f_rng = f_rng;
1585 ssl->p_rng = p_rng;
1586 }
1587
1588 void ssl_set_dbg(ssl_context * ssl,
1589 void (*f_dbg) (void *, int, char *), void *p_dbg)
1590 {
1591 ssl->f_dbg = f_dbg;
1592 ssl->p_dbg = p_dbg;
1593 }
1594
1595 void ssl_set_bio(ssl_context * ssl,
1596 int (*f_recv) (void *, unsigned char *, int), void *p_recv,
1597 int (*f_send) (void *, unsigned char *, int), void *p_send)
1598 {
1599 ssl->f_recv = f_recv;
1600 ssl->f_send = f_send;
1601 ssl->p_recv = p_recv;
1602 ssl->p_send = p_send;
1603 }
1604
1605 void ssl_set_scb(ssl_context * ssl,
1606 int (*s_get) (ssl_context *), int (*s_set) (ssl_context *))
1607 {
1608 ssl->s_get = s_get;
1609 ssl->s_set = s_set;
1610 }
1611
1612 void ssl_set_session(ssl_context * ssl, int resume, int timeout,
1613 ssl_session * session)
1614 {
1615 ssl->resume = resume;
1616 ssl->timeout = timeout;
1617 ssl->session = session;
1618 }
1619
1620 void ssl_set_ciphers(ssl_context * ssl, int *ciphers)
1621 {
1622 ssl->ciphers = ciphers;
1623 }
1624
1625 void ssl_set_ca_chain(ssl_context * ssl, x509_cert * ca_chain, char *peer_cn)
1626 {
1627 ssl->ca_chain = ca_chain;
1628 ssl->peer_cn = peer_cn;
1629 }
1630
1631 void ssl_set_own_cert(ssl_context * ssl, x509_cert * own_cert,
1632 rsa_context * rsa_key)
1633 {
1634 ssl->own_cert = own_cert;
1635 ssl->rsa_key = rsa_key;
1636 }
1637
1638 int ssl_set_dh_param(ssl_context * ssl, char *dhm_P, char *dhm_G)
1639 {
1640 int ret;
1641
1642 if ((ret = mpi_read_string(&ssl->dhm_ctx.P, 16, dhm_P)) != 0) {
1643 SSL_DEBUG_RET(1, "mpi_read_string", ret);
1644 return (ret);
1645 }
1646
1647 if ((ret = mpi_read_string(&ssl->dhm_ctx.G, 16, dhm_G)) != 0) {
1648 SSL_DEBUG_RET(1, "mpi_read_string", ret);
1649 return (ret);
1650 }
1651
1652 return (0);
1653 }
1654
1655 int ssl_set_hostname(ssl_context * ssl, char *hostname)
1656 {
1657 if (hostname == NULL)
1658 return (TROPICSSL_ERR_SSL_BAD_INPUT_DATA);
1659
1660 ssl->hostname_len = strlen(hostname);
1661 ssl->hostname = (unsigned char *)malloc(ssl->hostname_len + 1);
1662
1663 memcpy(ssl->hostname, (unsigned char *)hostname, ssl->hostname_len);
1664
1665 return (0);
1666 }
1667
1668 /*
1669 * SSL get accessors
1670 */
1671 int ssl_get_bytes_avail(ssl_context * ssl)
1672 {
1673 return (ssl->in_offt == NULL ? 0 : ssl->in_msglen);
1674 }
1675
1676 int ssl_get_verify_result(ssl_context * ssl)
1677 {
1678 return (ssl->verify_result);
1679 }
1680
1681 char *ssl_get_cipher(ssl_context * ssl)
1682 {
1683 switch (ssl->session->cipher) {
1684 #if defined(TROPICSSL_ARC4_C)
1685 case SSL_RSA_RC4_128_MD5:
1686 return ("SSL_RSA_RC4_128_MD5");
1687
1688 case SSL_RSA_RC4_128_SHA:
1689 return ("SSL_RSA_RC4_128_SHA");
1690 #endif
1691
1692 #if defined(TROPICSSL_DES_C)
1693 case SSL_RSA_DES_168_SHA:
1694 return ("SSL_RSA_DES_168_SHA");
1695
1696 case SSL_EDH_RSA_DES_168_SHA:
1697 return ("SSL_EDH_RSA_DES_168_SHA");
1698 #endif
1699
1700 #if defined(TROPICSSL_AES_C)
1701 case SSL_RSA_AES_128_SHA:
1702 return ("SSL_RSA_AES_128_SHA");
1703
1704 case SSL_RSA_AES_256_SHA:
1705 return ("SSL_RSA_AES_256_SHA");
1706
1707 case SSL_EDH_RSA_AES_256_SHA:
1708 return ("SSL_EDH_RSA_AES_256_SHA");
1709 #endif
1710
1711 #if defined(TROPICSSL_CAMELLIA_C)
1712 case SSL_RSA_CAMELLIA_128_SHA:
1713 return ("SSL_RSA_CAMELLIA_128_SHA");
1714
1715 case SSL_RSA_CAMELLIA_256_SHA:
1716 return ("SSL_RSA_CAMELLIA_256_SHA");
1717
1718 case SSL_EDH_RSA_CAMELLIA_256_SHA:
1719 return ("SSL_EDH_RSA_CAMELLIA_256_SHA");
1720 #endif
1721
1722 default:
1723 break;
1724 }
1725
1726 return ("unknown");
1727 }
1728
1729 int ssl_default_ciphers[] = {
1730 #if defined(TROPICSSL_DHM_C)
1731 #if defined(TROPICSSL_AES_C)
1732 SSL_EDH_RSA_AES_256_SHA,
1733 #endif
1734 #if defined(TROPICSSL_CAMELLIA_C)
1735 SSL_EDH_RSA_CAMELLIA_256_SHA,
1736 #endif
1737 #if defined(TROPICSSL_DES_C)
1738 SSL_EDH_RSA_DES_168_SHA,
1739 #endif
1740 #endif
1741
1742 #if defined(TROPICSSL_AES_C)
1743 SSL_RSA_AES_128_SHA,
1744 SSL_RSA_AES_256_SHA,
1745 #endif
1746 #if defined(TROPICSSL_CAMELLIA_C)
1747 SSL_RSA_CAMELLIA_128_SHA,
1748 SSL_RSA_CAMELLIA_256_SHA,
1749 #endif
1750 #if defined(TROPICSSL_DES_C)
1751 SSL_RSA_DES_168_SHA,
1752 #endif
1753 #if defined(TROPICSSL_ARC4_C)
1754 SSL_RSA_RC4_128_SHA,
1755 SSL_RSA_RC4_128_MD5,
1756 #endif
1757 0
1758 };
1759
1760 /*
1761 * Perform the SSL handshake
1762 */
1763 int ssl_handshake(ssl_context * ssl)
1764 {
1765 int ret = TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1766
1767 SSL_DEBUG_MSG(2, ("=> handshake"));
1768
1769 #if defined(TROPICSSL_SSL_CLI_C)
1770 if (ssl->endpoint == SSL_IS_CLIENT)
1771 ret = ssl_handshake_client(ssl);
1772 #endif
1773
1774 #if defined(TROPICSSL_SSL_SRV_C)
1775 if (ssl->endpoint == SSL_IS_SERVER)
1776 ret = ssl_handshake_server(ssl);
1777 #endif
1778
1779 SSL_DEBUG_MSG(2, ("<= handshake"));
1780
1781 return (ret);
1782 }
1783
1784 /*
1785 * Receive application data decrypted from the SSL layer
1786 */
1787 int ssl_read(ssl_context * ssl, unsigned char *buf, int len)
1788 {
1789 int ret, n;
1790
1791 SSL_DEBUG_MSG(2, ("=> read"));
1792
1793 if (ssl->state != SSL_HANDSHAKE_OVER) {
1794 if ((ret = ssl_handshake(ssl)) != 0) {
1795 SSL_DEBUG_RET(1, "ssl_handshake", ret);
1796 return (ret);
1797 }
1798 }
1799
1800 if (ssl->in_offt == NULL) {
1801 if ((ret = ssl_read_record(ssl)) != 0) {
1802 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1803 return (ret);
1804 }
1805
1806 if (ssl->in_msglen == 0 &&
1807 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA) {
1808 /*
1809 * OpenSSL sends empty messages to randomize the IV
1810 */
1811 if ((ret = ssl_read_record(ssl)) != 0) {
1812 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1813 return (ret);
1814 }
1815 }
1816
1817 if (ssl->in_msgtype != SSL_MSG_APPLICATION_DATA) {
1818 SSL_DEBUG_MSG(1, ("bad application data message"));
1819 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE);
1820 }
1821
1822 ssl->in_offt = ssl->in_msg;
1823 }
1824
1825 n = (len < ssl->in_msglen)
1826 ? len : ssl->in_msglen;
1827
1828 memcpy(buf, ssl->in_offt, n);
1829 ssl->in_msglen -= n;
1830
1831 if (ssl->in_msglen == 0)
1832 /* all bytes consumed */
1833 ssl->in_offt = NULL;
1834 else
1835 /* more data available */
1836 ssl->in_offt += n;
1837
1838 SSL_DEBUG_MSG(2, ("<= read"));
1839
1840 return (n);
1841 }
1842
1843 /*
1844 * Send application data to be encrypted by the SSL layer
1845 */
1846 int ssl_write(ssl_context * ssl, unsigned char *buf, int len)
1847 {
1848 int ret, n;
1849
1850 SSL_DEBUG_MSG(2, ("=> write"));
1851
1852 if (ssl->state != SSL_HANDSHAKE_OVER) {
1853 if ((ret = ssl_handshake(ssl)) != 0) {
1854 SSL_DEBUG_RET(1, "ssl_handshake", ret);
1855 return (ret);
1856 }
1857 }
1858
1859 n = (len < SSL_MAX_CONTENT_LEN)
1860 ? len : SSL_MAX_CONTENT_LEN;
1861
1862 if (ssl->out_left != 0) {
1863 if ((ret = ssl_flush_output(ssl)) != 0) {
1864 SSL_DEBUG_RET(1, "ssl_flush_output", ret);
1865 return (ret);
1866 }
1867 } else {
1868 ssl->out_msglen = n;
1869 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
1870 memcpy(ssl->out_msg, buf, n);
1871
1872 if ((ret = ssl_write_record(ssl)) != 0) {
1873 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1874 return (ret);
1875 }
1876 }
1877
1878 SSL_DEBUG_MSG(2, ("<= write"));
1879
1880 return (n);
1881 }
1882
1883 /*
1884 * Notify the peer that the connection is being closed
1885 */
1886 int ssl_close_notify(ssl_context * ssl)
1887 {
1888 int ret;
1889
1890 SSL_DEBUG_MSG(2, ("=> write close notify"));
1891
1892 if ((ret = ssl_flush_output(ssl)) != 0) {
1893 SSL_DEBUG_RET(1, "ssl_flush_output", ret);
1894 return (ret);
1895 }
1896
1897 if (ssl->state == SSL_HANDSHAKE_OVER) {
1898 ssl->out_msgtype = SSL_MSG_ALERT;
1899 ssl->out_msglen = 2;
1900 ssl->out_msg[0] = SSL_ALERT_WARNING;
1901 ssl->out_msg[1] = SSL_ALERT_CLOSE_NOTIFY;
1902
1903 if ((ret = ssl_write_record(ssl)) != 0) {
1904 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1905 return (ret);
1906 }
1907 }
1908
1909 SSL_DEBUG_MSG(2, ("<= write close notify"));
1910
1911 return (ret);
1912 }
1913
1914 /*
1915 * Free an SSL context
1916 */
1917 void ssl_free(ssl_context * ssl)
1918 {
1919 SSL_DEBUG_MSG(2, ("=> free"));
1920
1921 if (ssl->peer_cert != NULL) {
1922 x509_free(ssl->peer_cert);
1923 memset(ssl->peer_cert, 0, sizeof(x509_cert));
1924 free(ssl->peer_cert);
1925 }
1926
1927 if (ssl->out_ctr != NULL) {
1928 memset(ssl->out_ctr, 0, SSL_BUFFER_LEN);
1929 free(ssl->out_ctr);
1930 }
1931
1932 if (ssl->in_ctr != NULL) {
1933 memset(ssl->in_ctr, 0, SSL_BUFFER_LEN);
1934 free(ssl->in_ctr);
1935 }
1936 #if defined(TROPICSSL_DHM_C)
1937 dhm_free(&ssl->dhm_ctx);
1938 #endif
1939
1940 if (ssl->hostname != NULL) {
1941 memset(ssl->hostname, 0, ssl->hostname_len);
1942 free(ssl->hostname);
1943 ssl->hostname_len = 0;
1944 }
1945
1946 memset(ssl, 0, sizeof(ssl_context));
1947
1948 SSL_DEBUG_MSG(2, ("<= free"));
1949 }
1950
1951 #endif
fork of last BSD polarssl