2 * SSLv3/TLSv1 shared functions
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 * The SSL 3.0 specification was drafted by Netscape in 1996,
37 * and became an IETF standard in 1999.
39 * http://wp.netscape.com/eng/ssl3/
40 * http://www.ietf.org/rfc/rfc2246.txt
41 * http://www.ietf.org/rfc/rfc4346.txt
44 #include "tropicssl/config.h"
46 #if defined(TROPICSSL_SSL_TLS_C)
48 #include "tropicssl/aes.h"
49 #include "tropicssl/arc4.h"
50 #include "tropicssl/camellia.h"
51 #include "tropicssl/des.h"
52 #include "tropicssl/debug.h"
53 #include "tropicssl/ssl.h"
60 * Key material generation
62 static int tls1_prf(unsigned char *secret
, int slen
, const char *label
,
63 unsigned char *randombytes
, int rlen
,
64 unsigned char *dstbuf
, int dlen
)
68 unsigned char *S1
, *S2
;
69 unsigned char tmp
[128];
70 unsigned char h_i
[20];
72 if (sizeof(tmp
) < 20 + strlen(label
) + rlen
)
73 return (TROPICSSL_ERR_SSL_BAD_INPUT_DATA
);
77 S2
= secret
+ slen
- hs
;
80 memcpy(tmp
+ 20, label
, nb
);
81 memcpy(tmp
+ 20 + nb
, randombytes
, rlen
);
85 * First compute P_md5(secret,label+randombytes)[0..dlen]
87 md5_hmac(S1
, hs
, tmp
+ 20, nb
, 4 + tmp
);
89 for (i
= 0; i
< dlen
; i
+= 16) {
90 md5_hmac(S1
, hs
, 4 + tmp
, 16 + nb
, h_i
);
91 md5_hmac(S1
, hs
, 4 + tmp
, 16, 4 + tmp
);
93 k
= (i
+ 16 > dlen
) ? dlen
% 16 : 16;
95 for (j
= 0; j
< k
; j
++)
96 dstbuf
[i
+ j
] = h_i
[j
];
100 * XOR out with P_sha1(secret,label+randombytes)[0..dlen]
102 sha1_hmac(S2
, hs
, tmp
+ 20, nb
, tmp
);
104 for (i
= 0; i
< dlen
; i
+= 20) {
105 sha1_hmac(S2
, hs
, tmp
, 20 + nb
, h_i
);
106 sha1_hmac(S2
, hs
, tmp
, 20, tmp
);
108 k
= (i
+ 20 > dlen
) ? dlen
% 20 : 20;
110 for (j
= 0; j
< k
; j
++)
111 dstbuf
[i
+ j
] = (unsigned char)(dstbuf
[i
+ j
] ^ h_i
[j
]);
114 memset(tmp
, 0, sizeof(tmp
));
115 memset(h_i
, 0, sizeof(h_i
));
120 int ssl_derive_keys(ssl_context
* ssl
)
124 sha1_context sha1_ctx
;
125 unsigned char tmp
[64];
126 unsigned char padding
[16];
127 unsigned char sha1sum
[20];
128 unsigned char keyblk
[256];
132 SSL_DEBUG_MSG(2, ("=> derive keys"));
137 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
138 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
139 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
142 * master = PRF( premaster, "master secret", randbytes )[0..47]
144 if (ssl
->resume
== 0) {
145 int len
= ssl
->pmslen
;
147 SSL_DEBUG_BUF(3, "premaster secret", ssl
->premaster
, len
);
149 if (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
150 for (i
= 0; i
< 3; i
++) {
151 memset(padding
, 'A' + i
, 1 + i
);
153 sha1_starts(&sha1_ctx
);
154 sha1_update(&sha1_ctx
, padding
, 1 + i
);
155 sha1_update(&sha1_ctx
, ssl
->premaster
, len
);
156 sha1_update(&sha1_ctx
, ssl
->randbytes
, 64);
157 sha1_finish(&sha1_ctx
, sha1sum
);
159 md5_starts(&md5_ctx
);
160 md5_update(&md5_ctx
, ssl
->premaster
, len
);
161 md5_update(&md5_ctx
, sha1sum
, 20);
162 md5_finish(&md5_ctx
, ssl
->session
->master
+ i
* 16);
165 tls1_prf(ssl
->premaster
, len
, "master secret",
166 ssl
->randbytes
, 64, ssl
->session
->master
, 48);
168 memset(ssl
->premaster
, 0, sizeof(ssl
->premaster
));
170 SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
173 * Swap the client and server random values.
175 memcpy(tmp
, ssl
->randbytes
, 64);
176 memcpy(ssl
->randbytes
, tmp
+ 32, 32);
177 memcpy(ssl
->randbytes
+ 32, tmp
, 32);
178 memset(tmp
, 0, sizeof(tmp
));
183 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
184 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
185 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
186 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
190 * key block = PRF( master, "key expansion", randbytes )
192 if (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
193 for (i
= 0; i
< 16; i
++) {
194 memset(padding
, 'A' + i
, 1 + i
);
196 sha1_starts(&sha1_ctx
);
197 sha1_update(&sha1_ctx
, padding
, 1 + i
);
198 sha1_update(&sha1_ctx
, ssl
->session
->master
, 48);
199 sha1_update(&sha1_ctx
, ssl
->randbytes
, 64);
200 sha1_finish(&sha1_ctx
, sha1sum
);
202 md5_starts(&md5_ctx
);
203 md5_update(&md5_ctx
, ssl
->session
->master
, 48);
204 md5_update(&md5_ctx
, sha1sum
, 20);
205 md5_finish(&md5_ctx
, keyblk
+ i
* 16);
208 memset(&md5_ctx
, 0, sizeof(md5_ctx
));
209 memset(&sha1_ctx
, 0, sizeof(sha1_ctx
));
211 memset(padding
, 0, sizeof(padding
));
212 memset(sha1sum
, 0, sizeof(sha1sum
));
214 tls1_prf(ssl
->session
->master
, 48, "key expansion",
215 ssl
->randbytes
, 64, keyblk
, 256);
217 SSL_DEBUG_MSG(3, ("cipher = %s", ssl_get_cipher(ssl
)));
218 SSL_DEBUG_BUF(3, "master secret", ssl
->session
->master
, 48);
219 SSL_DEBUG_BUF(4, "random bytes", ssl
->randbytes
, 64);
220 SSL_DEBUG_BUF(4, "key block", keyblk
, 256);
222 memset(ssl
->randbytes
, 0, sizeof(ssl
->randbytes
));
225 * Determine the appropriate key, IV and MAC length.
227 switch (ssl
->session
->cipher
) {
228 #if defined(TROPICSSL_ARC4_C)
229 case SSL_RSA_RC4_128_MD5
:
236 case SSL_RSA_RC4_128_SHA
:
244 #if defined(TROPICSSL_DES_C)
245 case SSL_RSA_DES_168_SHA
:
246 case SSL_EDH_RSA_DES_168_SHA
:
254 #if defined(TROPICSSL_AES_C)
255 case SSL_RSA_AES_128_SHA
:
262 case SSL_RSA_AES_256_SHA
:
263 case SSL_EDH_RSA_AES_256_SHA
:
271 #if defined(TROPICSSL_CAMELLIA_C)
272 case SSL_RSA_CAMELLIA_128_SHA
:
279 case SSL_RSA_CAMELLIA_256_SHA
:
280 case SSL_EDH_RSA_CAMELLIA_256_SHA
:
289 SSL_DEBUG_MSG(1, ("cipher %s is not available",
290 ssl_get_cipher(ssl
)));
291 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE
);
294 SSL_DEBUG_MSG(3, ("keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
295 ssl
->keylen
, ssl
->minlen
, ssl
->ivlen
, ssl
->maclen
));
298 * Finally setup the cipher contexts, IVs and MAC secrets.
300 if (ssl
->endpoint
== SSL_IS_CLIENT
) {
301 key1
= keyblk
+ ssl
->maclen
* 2;
302 key2
= keyblk
+ ssl
->maclen
* 2 + ssl
->keylen
;
304 memcpy(ssl
->mac_enc
, keyblk
, ssl
->maclen
);
305 memcpy(ssl
->mac_dec
, keyblk
+ ssl
->maclen
, ssl
->maclen
);
307 memcpy(ssl
->iv_enc
, key2
+ ssl
->keylen
, ssl
->ivlen
);
308 memcpy(ssl
->iv_dec
, key2
+ ssl
->keylen
+ ssl
->ivlen
,
311 key1
= keyblk
+ ssl
->maclen
* 2 + ssl
->keylen
;
312 key2
= keyblk
+ ssl
->maclen
* 2;
314 memcpy(ssl
->mac_dec
, keyblk
, ssl
->maclen
);
315 memcpy(ssl
->mac_enc
, keyblk
+ ssl
->maclen
, ssl
->maclen
);
317 memcpy(ssl
->iv_dec
, key1
+ ssl
->keylen
, ssl
->ivlen
);
318 memcpy(ssl
->iv_enc
, key1
+ ssl
->keylen
+ ssl
->ivlen
,
322 switch (ssl
->session
->cipher
) {
323 #if defined(TROPICSSL_ARC4_C)
324 case SSL_RSA_RC4_128_MD5
:
325 case SSL_RSA_RC4_128_SHA
:
326 arc4_setup((arc4_context
*) ssl
->ctx_enc
, key1
, ssl
->keylen
);
327 arc4_setup((arc4_context
*) ssl
->ctx_dec
, key2
, ssl
->keylen
);
331 #if defined(TROPICSSL_DES_C)
332 case SSL_RSA_DES_168_SHA
:
333 case SSL_EDH_RSA_DES_168_SHA
:
334 des3_set3key_enc((des3_context
*) ssl
->ctx_enc
, key1
);
335 des3_set3key_dec((des3_context
*) ssl
->ctx_dec
, key2
);
339 #if defined(TROPICSSL_AES_C)
340 case SSL_RSA_AES_128_SHA
:
341 aes_setkey_enc((aes_context
*) ssl
->ctx_enc
, key1
, 128);
342 aes_setkey_dec((aes_context
*) ssl
->ctx_dec
, key2
, 128);
345 case SSL_RSA_AES_256_SHA
:
346 case SSL_EDH_RSA_AES_256_SHA
:
347 aes_setkey_enc((aes_context
*) ssl
->ctx_enc
, key1
, 256);
348 aes_setkey_dec((aes_context
*) ssl
->ctx_dec
, key2
, 256);
352 #if defined(TROPICSSL_CAMELLIA_C)
353 case SSL_RSA_CAMELLIA_128_SHA
:
354 camellia_setkey_enc((camellia_context
*) ssl
->ctx_enc
, key1
,
356 camellia_setkey_dec((camellia_context
*) ssl
->ctx_dec
, key2
,
360 case SSL_RSA_CAMELLIA_256_SHA
:
361 case SSL_EDH_RSA_CAMELLIA_256_SHA
:
362 camellia_setkey_enc((camellia_context
*) ssl
->ctx_enc
, key1
,
364 camellia_setkey_dec((camellia_context
*) ssl
->ctx_dec
, key2
,
370 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE
);
373 memset(keyblk
, 0, sizeof(keyblk
));
375 SSL_DEBUG_MSG(2, ("<= derive keys"));
380 void ssl_calc_verify(ssl_context
* ssl
, unsigned char hash
[36])
383 sha1_context sha1_ctx
;
384 unsigned char pad_1
[48];
385 unsigned char pad_2
[48];
387 SSL_DEBUG_MSG(2, ("=> calc verify"));
389 memcpy(&md5_ctx
, &ssl
->fin_md5
, sizeof(md5_context
));
390 memcpy(&sha1_ctx
, &ssl
->fin_sha1
, sizeof(sha1_context
));
392 if (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
393 memset(pad_1
, 0x36, 48);
394 memset(pad_2
, 0x5C, 48);
396 md5_update(&md5_ctx
, ssl
->session
->master
, 48);
397 md5_update(&md5_ctx
, pad_1
, 48);
398 md5_finish(&md5_ctx
, hash
);
400 md5_starts(&md5_ctx
);
401 md5_update(&md5_ctx
, ssl
->session
->master
, 48);
402 md5_update(&md5_ctx
, pad_2
, 48);
403 md5_update(&md5_ctx
, hash
, 16);
404 md5_finish(&md5_ctx
, hash
);
406 sha1_update(&sha1_ctx
, ssl
->session
->master
, 48);
407 sha1_update(&sha1_ctx
, pad_1
, 40);
408 sha1_finish(&sha1_ctx
, hash
+ 16);
410 sha1_starts(&sha1_ctx
);
411 sha1_update(&sha1_ctx
, ssl
->session
->master
, 48);
412 sha1_update(&sha1_ctx
, pad_2
, 40);
413 sha1_update(&sha1_ctx
, hash
+ 16, 20);
414 sha1_finish(&sha1_ctx
, hash
+ 16);
416 md5_finish(&md5_ctx
, hash
);
417 sha1_finish(&sha1_ctx
, hash
+ 16);
420 SSL_DEBUG_BUF(3, "calculated verify result", hash
, 36);
421 SSL_DEBUG_MSG(2, ("<= calc verify"));
427 * SSLv3.0 MAC functions
429 static void ssl_mac_md5(unsigned char *secret
,
430 unsigned char *buf
, int len
,
431 unsigned char *ctr
, int type
)
433 unsigned char header
[11];
434 unsigned char padding
[48];
437 memcpy(header
, ctr
, 8);
438 header
[8] = (unsigned char)type
;
439 header
[9] = (unsigned char)(len
>> 8);
440 header
[10] = (unsigned char)(len
);
442 memset(padding
, 0x36, 48);
443 md5_starts(&md5_ctx
);
444 md5_update(&md5_ctx
, secret
, 16);
445 md5_update(&md5_ctx
, padding
, 48);
446 md5_update(&md5_ctx
, header
, 11);
447 md5_update(&md5_ctx
, buf
, len
);
448 md5_finish(&md5_ctx
, buf
+ len
);
450 memset(padding
, 0x5C, 48);
451 md5_starts(&md5_ctx
);
452 md5_update(&md5_ctx
, secret
, 16);
453 md5_update(&md5_ctx
, padding
, 48);
454 md5_update(&md5_ctx
, buf
+ len
, 16);
455 md5_finish(&md5_ctx
, buf
+ len
);
458 static void ssl_mac_sha1(unsigned char *secret
,
459 unsigned char *buf
, int len
,
460 unsigned char *ctr
, int type
)
462 unsigned char header
[11];
463 unsigned char padding
[40];
464 sha1_context sha1_ctx
;
466 memcpy(header
, ctr
, 8);
467 header
[8] = (unsigned char)type
;
468 header
[9] = (unsigned char)(len
>> 8);
469 header
[10] = (unsigned char)(len
);
471 memset(padding
, 0x36, 40);
472 sha1_starts(&sha1_ctx
);
473 sha1_update(&sha1_ctx
, secret
, 20);
474 sha1_update(&sha1_ctx
, padding
, 40);
475 sha1_update(&sha1_ctx
, header
, 11);
476 sha1_update(&sha1_ctx
, buf
, len
);
477 sha1_finish(&sha1_ctx
, buf
+ len
);
479 memset(padding
, 0x5C, 40);
480 sha1_starts(&sha1_ctx
);
481 sha1_update(&sha1_ctx
, secret
, 20);
482 sha1_update(&sha1_ctx
, padding
, 40);
483 sha1_update(&sha1_ctx
, buf
+ len
, 20);
484 sha1_finish(&sha1_ctx
, buf
+ len
);
488 * Encryption/decryption functions
490 static int ssl_encrypt_buf(ssl_context
* ssl
)
494 SSL_DEBUG_MSG(2, ("=> encrypt buf"));
497 * Add MAC then encrypt
499 if (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
500 if (ssl
->maclen
== 16)
501 ssl_mac_md5(ssl
->mac_enc
,
502 ssl
->out_msg
, ssl
->out_msglen
,
503 ssl
->out_ctr
, ssl
->out_msgtype
);
505 if (ssl
->maclen
== 20)
506 ssl_mac_sha1(ssl
->mac_enc
,
507 ssl
->out_msg
, ssl
->out_msglen
,
508 ssl
->out_ctr
, ssl
->out_msgtype
);
510 if (ssl
->maclen
== 16)
511 md5_hmac(ssl
->mac_enc
, 16,
512 ssl
->out_ctr
, ssl
->out_msglen
+ 13,
513 ssl
->out_msg
+ ssl
->out_msglen
);
515 if (ssl
->maclen
== 20)
516 sha1_hmac(ssl
->mac_enc
, 20,
517 ssl
->out_ctr
, ssl
->out_msglen
+ 13,
518 ssl
->out_msg
+ ssl
->out_msglen
);
521 SSL_DEBUG_BUF(4, "computed mac",
522 ssl
->out_msg
+ ssl
->out_msglen
, ssl
->maclen
);
524 ssl
->out_msglen
+= ssl
->maclen
;
526 for (i
= 7; i
>= 0; i
--)
527 if (++ssl
->out_ctr
[i
] != 0)
530 if (ssl
->ivlen
== 0) {
531 #if defined(TROPICSSL_ARC4_C)
534 SSL_DEBUG_MSG(3, ("before encrypt: msglen = %d, "
535 "including %d bytes of padding",
536 ssl
->out_msglen
, 0));
538 SSL_DEBUG_BUF(4, "before encrypt: output payload",
539 ssl
->out_msg
, ssl
->out_msglen
);
541 arc4_crypt((arc4_context
*) ssl
->ctx_enc
,
542 ssl
->out_msglen
, ssl
->out_msg
,
545 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE
);
548 padlen
= ssl
->ivlen
- (ssl
->out_msglen
+ 1) % ssl
->ivlen
;
549 if (padlen
== ssl
->ivlen
)
552 for (i
= 0; i
<= padlen
; i
++)
553 ssl
->out_msg
[ssl
->out_msglen
+ i
] =
554 (unsigned char)padlen
;
556 ssl
->out_msglen
+= padlen
+ 1;
558 SSL_DEBUG_MSG(3, ("before encrypt: msglen = %d, "
559 "including %d bytes of padding",
560 ssl
->out_msglen
, padlen
+ 1));
562 SSL_DEBUG_BUF(4, "before encrypt: output payload",
563 ssl
->out_msg
, ssl
->out_msglen
);
565 switch (ssl
->ivlen
) {
567 #if defined(TROPICSSL_DES_C)
568 des3_crypt_cbc((des3_context
*) ssl
->ctx_enc
,
569 DES_ENCRYPT
, ssl
->out_msglen
,
570 ssl
->iv_enc
, ssl
->out_msg
, ssl
->out_msg
);
575 #if defined(TROPICSSL_AES_C)
576 if (ssl
->session
->cipher
== SSL_RSA_AES_128_SHA
||
577 ssl
->session
->cipher
== SSL_RSA_AES_256_SHA
||
578 ssl
->session
->cipher
== SSL_EDH_RSA_AES_256_SHA
) {
579 aes_crypt_cbc((aes_context
*) ssl
->ctx_enc
,
580 AES_ENCRYPT
, ssl
->out_msglen
,
581 ssl
->iv_enc
, ssl
->out_msg
,
587 #if defined(TROPICSSL_CAMELLIA_C)
588 if (ssl
->session
->cipher
== SSL_RSA_CAMELLIA_128_SHA
||
589 ssl
->session
->cipher
== SSL_RSA_CAMELLIA_256_SHA
||
590 ssl
->session
->cipher
==
591 SSL_EDH_RSA_CAMELLIA_256_SHA
) {
592 camellia_crypt_cbc((camellia_context
*)
595 ssl
->out_msglen
, ssl
->iv_enc
,
596 ssl
->out_msg
, ssl
->out_msg
);
602 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE
);
606 SSL_DEBUG_MSG(2, ("<= encrypt buf"));
611 static int ssl_decrypt_buf(ssl_context
* ssl
)
614 unsigned char tmp
[20];
616 SSL_DEBUG_MSG(2, ("=> decrypt buf"));
618 if (ssl
->in_msglen
< ssl
->minlen
) {
619 SSL_DEBUG_MSG(1, ("in_msglen (%d) < minlen (%d)",
620 ssl
->in_msglen
, ssl
->minlen
));
621 return (TROPICSSL_ERR_SSL_INVALID_MAC
);
624 if (ssl
->ivlen
== 0) {
625 #if defined(TROPICSSL_ARC4_C)
627 arc4_crypt((arc4_context
*) ssl
->ctx_dec
,
628 ssl
->in_msglen
, ssl
->in_msg
,
631 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE
);
635 * Decrypt and check the padding
637 if (ssl
->in_msglen
% ssl
->ivlen
!= 0) {
638 SSL_DEBUG_MSG(1, ("msglen (%d) %% ivlen (%d) != 0",
639 ssl
->in_msglen
, ssl
->ivlen
));
640 return (TROPICSSL_ERR_SSL_INVALID_MAC
);
643 switch (ssl
->ivlen
) {
644 #if defined(TROPICSSL_DES_C)
646 des3_crypt_cbc((des3_context
*) ssl
->ctx_dec
,
647 DES_DECRYPT
, ssl
->in_msglen
,
648 ssl
->iv_dec
, ssl
->in_msg
, ssl
->in_msg
);
653 #if defined(TROPICSSL_AES_C)
654 if (ssl
->session
->cipher
== SSL_RSA_AES_128_SHA
||
655 ssl
->session
->cipher
== SSL_RSA_AES_256_SHA
||
656 ssl
->session
->cipher
== SSL_EDH_RSA_AES_256_SHA
) {
657 aes_crypt_cbc((aes_context
*) ssl
->ctx_dec
,
658 AES_DECRYPT
, ssl
->in_msglen
,
659 ssl
->iv_dec
, ssl
->in_msg
,
665 #if defined(TROPICSSL_CAMELLIA_C)
666 if (ssl
->session
->cipher
== SSL_RSA_CAMELLIA_128_SHA
||
667 ssl
->session
->cipher
== SSL_RSA_CAMELLIA_256_SHA
||
668 ssl
->session
->cipher
==
669 SSL_EDH_RSA_CAMELLIA_256_SHA
) {
670 camellia_crypt_cbc((camellia_context
*)
673 ssl
->in_msglen
, ssl
->iv_dec
,
674 ssl
->in_msg
, ssl
->in_msg
);
680 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE
);
683 padlen
= 1 + ssl
->in_msg
[ssl
->in_msglen
- 1];
685 if (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
686 if (padlen
> ssl
->ivlen
) {
687 SSL_DEBUG_MSG(1, ("bad padding length: is %d, "
688 "should be no more than %d",
689 padlen
, ssl
->ivlen
));
694 * TLSv1: always check the padding
696 for (i
= 1; i
<= padlen
; i
++) {
697 if (ssl
->in_msg
[ssl
->in_msglen
- i
] !=
700 ("bad padding byte: should be "
704 in_msg
[ssl
->in_msglen
-
712 SSL_DEBUG_BUF(4, "raw buffer after decryption",
713 ssl
->in_msg
, ssl
->in_msglen
);
716 * Always compute the MAC (RFC4346, CBCTIME).
718 ssl
->in_msglen
-= (ssl
->maclen
+ padlen
);
720 ssl
->in_hdr
[3] = (unsigned char)(ssl
->in_msglen
>> 8);
721 ssl
->in_hdr
[4] = (unsigned char)(ssl
->in_msglen
);
723 memcpy(tmp
, ssl
->in_msg
+ ssl
->in_msglen
, 20);
725 if (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
726 if (ssl
->maclen
== 16)
727 ssl_mac_md5(ssl
->mac_dec
,
728 ssl
->in_msg
, ssl
->in_msglen
,
729 ssl
->in_ctr
, ssl
->in_msgtype
);
731 ssl_mac_sha1(ssl
->mac_dec
,
732 ssl
->in_msg
, ssl
->in_msglen
,
733 ssl
->in_ctr
, ssl
->in_msgtype
);
735 if (ssl
->maclen
== 16)
736 md5_hmac(ssl
->mac_dec
, 16,
737 ssl
->in_ctr
, ssl
->in_msglen
+ 13,
738 ssl
->in_msg
+ ssl
->in_msglen
);
740 sha1_hmac(ssl
->mac_dec
, 20,
741 ssl
->in_ctr
, ssl
->in_msglen
+ 13,
742 ssl
->in_msg
+ ssl
->in_msglen
);
745 SSL_DEBUG_BUF(4, "message mac", tmp
, ssl
->maclen
);
746 SSL_DEBUG_BUF(4, "computed mac", ssl
->in_msg
+ ssl
->in_msglen
,
749 if (memcmp(tmp
, ssl
->in_msg
+ ssl
->in_msglen
, ssl
->maclen
) != 0) {
750 SSL_DEBUG_MSG(1, ("message mac does not match"));
751 return (TROPICSSL_ERR_SSL_INVALID_MAC
);
755 * Finally check the padding length; bad padding
756 * will produce the same error as an invalid MAC.
758 if (ssl
->ivlen
!= 0 && padlen
== 0)
759 return (TROPICSSL_ERR_SSL_INVALID_MAC
);
761 if (ssl
->in_msglen
== 0) {
765 * Three or more empty messages may be a DoS attack
766 * (excessive CPU consumption).
768 if (ssl
->nb_zero
> 3) {
769 SSL_DEBUG_MSG(1, ("received four consecutive empty "
770 "messages, possible DoS attack"));
771 return (TROPICSSL_ERR_SSL_INVALID_MAC
);
776 for (i
= 7; i
>= 0; i
--)
777 if (++ssl
->in_ctr
[i
] != 0)
780 SSL_DEBUG_MSG(2, ("<= decrypt buf"));
786 * Fill the input message buffer
788 int ssl_fetch_input(ssl_context
* ssl
, int nb_want
)
792 SSL_DEBUG_MSG(2, ("=> fetch input"));
794 while (ssl
->in_left
< nb_want
) {
795 len
= nb_want
- ssl
->in_left
;
796 ret
= ssl
->f_recv(ssl
->p_recv
, ssl
->in_hdr
+ ssl
->in_left
, len
);
798 SSL_DEBUG_MSG(2, ("in_left: %d, nb_want: %d",
799 ssl
->in_left
, nb_want
));
800 SSL_DEBUG_RET(2, "ssl->f_recv", ret
);
808 SSL_DEBUG_MSG(2, ("<= fetch input"));
814 * Flush any data not yet written
816 int ssl_flush_output(ssl_context
* ssl
)
821 SSL_DEBUG_MSG(2, ("=> flush output"));
823 while (ssl
->out_left
> 0) {
824 SSL_DEBUG_MSG(2, ("message length: %d, out_left: %d",
825 5 + ssl
->out_msglen
, ssl
->out_left
));
827 buf
= ssl
->out_hdr
+ 5 + ssl
->out_msglen
- ssl
->out_left
;
828 ret
= ssl
->f_send(ssl
->p_send
, buf
, ssl
->out_left
);
829 SSL_DEBUG_RET(2, "ssl->f_send", ret
);
834 ssl
->out_left
-= ret
;
837 SSL_DEBUG_MSG(2, ("<= flush output"));
843 * Record layer functions
845 int ssl_write_record(ssl_context
* ssl
)
847 int ret
, len
= ssl
->out_msglen
;
849 SSL_DEBUG_MSG(2, ("=> write record"));
851 ssl
->out_hdr
[0] = (unsigned char)ssl
->out_msgtype
;
852 ssl
->out_hdr
[1] = (unsigned char)ssl
->major_ver
;
853 ssl
->out_hdr
[2] = (unsigned char)ssl
->minor_ver
;
854 ssl
->out_hdr
[3] = (unsigned char)(len
>> 8);
855 ssl
->out_hdr
[4] = (unsigned char)(len
);
857 if (ssl
->out_msgtype
== SSL_MSG_HANDSHAKE
) {
858 ssl
->out_msg
[1] = (unsigned char)((len
- 4) >> 16);
859 ssl
->out_msg
[2] = (unsigned char)((len
- 4) >> 8);
860 ssl
->out_msg
[3] = (unsigned char)((len
- 4));
862 md5_update(&ssl
->fin_md5
, ssl
->out_msg
, len
);
863 sha1_update(&ssl
->fin_sha1
, ssl
->out_msg
, len
);
866 if (ssl
->do_crypt
!= 0) {
867 if ((ret
= ssl_encrypt_buf(ssl
)) != 0) {
868 SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret
);
872 len
= ssl
->out_msglen
;
873 ssl
->out_hdr
[3] = (unsigned char)(len
>> 8);
874 ssl
->out_hdr
[4] = (unsigned char)(len
);
877 ssl
->out_left
= 5 + ssl
->out_msglen
;
879 SSL_DEBUG_MSG(3, ("output record: msgtype = %d, "
880 "version = [%d:%d], msglen = %d",
881 ssl
->out_hdr
[0], ssl
->out_hdr
[1], ssl
->out_hdr
[2],
882 (ssl
->out_hdr
[3] << 8) | ssl
->out_hdr
[4]));
884 SSL_DEBUG_BUF(4, "output record sent to network",
885 ssl
->out_hdr
, 5 + ssl
->out_msglen
);
887 if ((ret
= ssl_flush_output(ssl
)) != 0) {
888 SSL_DEBUG_RET(1, "ssl_flush_output", ret
);
892 SSL_DEBUG_MSG(2, ("<= write record"));
897 int ssl_read_record(ssl_context
* ssl
)
901 SSL_DEBUG_MSG(2, ("=> read record"));
903 if (ssl
->in_hslen
!= 0 && ssl
->in_hslen
< ssl
->in_msglen
) {
905 * Get next Handshake message in the current record
907 ssl
->in_msglen
-= ssl
->in_hslen
;
909 memcpy(ssl
->in_msg
, ssl
->in_msg
+ ssl
->in_hslen
,
913 ssl
->in_hslen
+= (ssl
->in_msg
[2] << 8) | ssl
->in_msg
[3];
915 SSL_DEBUG_MSG(3, ("handshake message: msglen ="
916 " %d, type = %d, hslen = %d",
917 ssl
->in_msglen
, ssl
->in_msg
[0],
920 if (ssl
->in_msglen
< 4 || ssl
->in_msg
[1] != 0) {
921 SSL_DEBUG_MSG(1, ("bad handshake length"));
922 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
925 if (ssl
->in_msglen
< ssl
->in_hslen
) {
926 SSL_DEBUG_MSG(1, ("bad handshake length"));
927 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
930 md5_update(&ssl
->fin_md5
, ssl
->in_msg
, ssl
->in_hslen
);
931 sha1_update(&ssl
->fin_sha1
, ssl
->in_msg
, ssl
->in_hslen
);
939 * Read the record header and validate it
941 if ((ret
= ssl_fetch_input(ssl
, 5)) != 0) {
942 SSL_DEBUG_RET(1, "ssl_fetch_input", ret
);
946 ssl
->in_msgtype
= ssl
->in_hdr
[0];
947 ssl
->in_msglen
= (ssl
->in_hdr
[3] << 8) | ssl
->in_hdr
[4];
949 SSL_DEBUG_MSG(3, ("input record: msgtype = %d, "
950 "version = [%d:%d], msglen = %d",
951 ssl
->in_hdr
[0], ssl
->in_hdr
[1], ssl
->in_hdr
[2],
952 (ssl
->in_hdr
[3] << 8) | ssl
->in_hdr
[4]));
954 if (ssl
->in_hdr
[1] != ssl
->major_ver
) {
955 SSL_DEBUG_MSG(1, ("major version mismatch"));
956 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
959 if (ssl
->in_hdr
[2] != SSL_MINOR_VERSION_0
&&
960 ssl
->in_hdr
[2] != SSL_MINOR_VERSION_1
) {
961 SSL_DEBUG_MSG(1, ("minor version mismatch"));
962 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
966 * Make sure the message length is acceptable
968 if (ssl
->do_crypt
== 0) {
969 if (ssl
->in_msglen
< 1 || ssl
->in_msglen
> SSL_MAX_CONTENT_LEN
) {
970 SSL_DEBUG_MSG(1, ("bad message length"));
971 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
974 if (ssl
->in_msglen
< ssl
->minlen
) {
975 SSL_DEBUG_MSG(1, ("bad message length"));
976 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
979 if (ssl
->minor_ver
== SSL_MINOR_VERSION_0
&&
980 ssl
->in_msglen
> ssl
->minlen
+ SSL_MAX_CONTENT_LEN
) {
981 SSL_DEBUG_MSG(1, ("bad message length"));
982 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
986 * TLS encrypted messages can have up to 256 bytes of padding
988 if (ssl
->minor_ver
== SSL_MINOR_VERSION_1
&&
989 ssl
->in_msglen
> ssl
->minlen
+ SSL_MAX_CONTENT_LEN
+ 256) {
990 SSL_DEBUG_MSG(1, ("bad message length"));
991 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
996 * Read and optionally decrypt the message contents
998 if ((ret
= ssl_fetch_input(ssl
, 5 + ssl
->in_msglen
)) != 0) {
999 SSL_DEBUG_RET(1, "ssl_fetch_input", ret
);
1003 SSL_DEBUG_BUF(4, "input record from network",
1004 ssl
->in_hdr
, 5 + ssl
->in_msglen
);
1006 if (ssl
->do_crypt
!= 0) {
1007 if ((ret
= ssl_decrypt_buf(ssl
)) != 0) {
1008 SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret
);
1012 SSL_DEBUG_BUF(4, "input payload after decrypt",
1013 ssl
->in_msg
, ssl
->in_msglen
);
1015 if (ssl
->in_msglen
> SSL_MAX_CONTENT_LEN
) {
1016 SSL_DEBUG_MSG(1, ("bad message length"));
1017 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
1021 if (ssl
->in_msgtype
== SSL_MSG_HANDSHAKE
) {
1023 ssl
->in_hslen
+= (ssl
->in_msg
[2] << 8) | ssl
->in_msg
[3];
1025 SSL_DEBUG_MSG(3, ("handshake message: msglen ="
1026 " %d, type = %d, hslen = %d",
1027 ssl
->in_msglen
, ssl
->in_msg
[0],
1031 * Additional checks to validate the handshake header
1033 if (ssl
->in_msglen
< 4 || ssl
->in_msg
[1] != 0) {
1034 SSL_DEBUG_MSG(1, ("bad handshake length"));
1035 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
1038 if (ssl
->in_msglen
< ssl
->in_hslen
) {
1039 SSL_DEBUG_MSG(1, ("bad handshake length"));
1040 return (TROPICSSL_ERR_SSL_INVALID_RECORD
);
1043 md5_update(&ssl
->fin_md5
, ssl
->in_msg
, ssl
->in_hslen
);
1044 sha1_update(&ssl
->fin_sha1
, ssl
->in_msg
, ssl
->in_hslen
);
1047 if (ssl
->in_msgtype
== SSL_MSG_ALERT
) {
1048 SSL_DEBUG_MSG(2, ("got an alert message, type: [%d:%d]",
1049 ssl
->in_msg
[0], ssl
->in_msg
[1]));
1052 * Ignore non-fatal alerts, except close_notify
1054 if (ssl
->in_msg
[0] == SSL_ALERT_FATAL
) {
1055 SSL_DEBUG_MSG(1, ("is a fatal alert message"));
1056 return (TROPICSSL_ERR_SSL_FATAL_ALERT_MESSAGE
|
1060 if (ssl
->in_msg
[0] == SSL_ALERT_WARNING
&&
1061 ssl
->in_msg
[1] == SSL_ALERT_CLOSE_NOTIFY
) {
1062 SSL_DEBUG_MSG(2, ("is a close notify message"));
1063 return (TROPICSSL_ERR_SSL_PEER_CLOSE_NOTIFY
);
1069 SSL_DEBUG_MSG(2, ("<= read record"));
1075 * Handshake functions
1077 int ssl_write_certificate(ssl_context
* ssl
)
1082 SSL_DEBUG_MSG(2, ("=> write certificate"));
1084 if (ssl
->endpoint
== SSL_IS_CLIENT
) {
1085 if (ssl
->client_auth
== 0) {
1086 SSL_DEBUG_MSG(2, ("<= skip write certificate"));
1092 * If using SSLv3 and got no cert, send an Alert message
1093 * (otherwise an empty Certificate message will be sent).
1095 if (ssl
->own_cert
== NULL
&&
1096 ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
1097 ssl
->out_msglen
= 2;
1098 ssl
->out_msgtype
= SSL_MSG_ALERT
;
1099 ssl
->out_msg
[0] = SSL_ALERT_WARNING
;
1100 ssl
->out_msg
[1] = SSL_ALERT_NO_CERTIFICATE
;
1102 SSL_DEBUG_MSG(2, ("got no certificate to send"));
1105 } else { /* SSL_IS_SERVER */
1106 if (ssl
->own_cert
== NULL
) {
1107 SSL_DEBUG_MSG(1, ("got no certificate to send"));
1108 return (TROPICSSL_ERR_SSL_CERTIFICATE_REQUIRED
);
1112 SSL_DEBUG_CRT(3, "own certificate", ssl
->own_cert
);
1115 * 0 . 0 handshake type
1116 * 1 . 3 handshake length
1117 * 4 . 6 length of all certs
1118 * 7 . 9 length of cert. 1
1119 * 10 . n-1 peer certificate
1120 * n . n+2 length of cert. 2
1121 * n+3 . ... upper level cert, etc.
1124 crt
= ssl
->own_cert
;
1126 while (crt
!= NULL
&& crt
->next
!= NULL
) {
1128 if (i
+ 3 + n
> SSL_MAX_CONTENT_LEN
) {
1129 SSL_DEBUG_MSG(1, ("certificate too large, %d > %d",
1130 i
+ 3 + n
, SSL_MAX_CONTENT_LEN
));
1131 return (TROPICSSL_ERR_SSL_CERTIFICATE_TOO_LARGE
);
1134 ssl
->out_msg
[i
] = (unsigned char)(n
>> 16);
1135 ssl
->out_msg
[i
+ 1] = (unsigned char)(n
>> 8);
1136 ssl
->out_msg
[i
+ 2] = (unsigned char)(n
);
1139 memcpy(ssl
->out_msg
+ i
, crt
->raw
.p
, n
);
1144 ssl
->out_msg
[4] = (unsigned char)((i
- 7) >> 16);
1145 ssl
->out_msg
[5] = (unsigned char)((i
- 7) >> 8);
1146 ssl
->out_msg
[6] = (unsigned char)((i
- 7));
1148 ssl
->out_msglen
= i
;
1149 ssl
->out_msgtype
= SSL_MSG_HANDSHAKE
;
1150 ssl
->out_msg
[0] = SSL_HS_CERTIFICATE
;
1156 if ((ret
= ssl_write_record(ssl
)) != 0) {
1157 SSL_DEBUG_RET(1, "ssl_write_record", ret
);
1161 SSL_DEBUG_MSG(2, ("<= write certificate"));
1166 int ssl_parse_certificate(ssl_context
* ssl
)
1170 SSL_DEBUG_MSG(2, ("=> parse certificate"));
1172 if (ssl
->endpoint
== SSL_IS_SERVER
&& ssl
->authmode
== SSL_VERIFY_NONE
) {
1173 SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
1178 if ((ret
= ssl_read_record(ssl
)) != 0) {
1179 SSL_DEBUG_RET(1, "ssl_read_record", ret
);
1186 * Check if the client sent an empty certificate
1188 if (ssl
->endpoint
== SSL_IS_SERVER
&&
1189 ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
1190 if (ssl
->in_msglen
== 2 &&
1191 ssl
->in_msgtype
== SSL_MSG_ALERT
&&
1192 ssl
->in_msg
[0] == SSL_ALERT_WARNING
&&
1193 ssl
->in_msg
[1] == SSL_ALERT_NO_CERTIFICATE
) {
1194 SSL_DEBUG_MSG(1, ("SSLv3 client has no certificate"));
1196 if (ssl
->authmode
== SSL_VERIFY_OPTIONAL
)
1200 (TROPICSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
);
1204 if (ssl
->endpoint
== SSL_IS_SERVER
&&
1205 ssl
->minor_ver
!= SSL_MINOR_VERSION_0
) {
1206 if (ssl
->in_hslen
== 7 &&
1207 ssl
->in_msgtype
== SSL_MSG_HANDSHAKE
&&
1208 ssl
->in_msg
[0] == SSL_HS_CERTIFICATE
&&
1209 memcmp(ssl
->in_msg
+ 4, "\0\0\0", 3) == 0) {
1210 SSL_DEBUG_MSG(1, ("TLSv1 client has no certificate"));
1212 if (ssl
->authmode
== SSL_VERIFY_REQUIRED
)
1214 (TROPICSSL_ERR_SSL_NO_CLIENT_CERTIFICATE
);
1220 if (ssl
->in_msgtype
!= SSL_MSG_HANDSHAKE
) {
1221 SSL_DEBUG_MSG(1, ("bad certificate message"));
1222 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE
);
1225 if (ssl
->in_msg
[0] != SSL_HS_CERTIFICATE
|| ssl
->in_hslen
< 10) {
1226 SSL_DEBUG_MSG(1, ("bad certificate message"));
1227 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE
);
1231 * Same message structure as in ssl_write_certificate()
1233 n
= (ssl
->in_msg
[5] << 8) | ssl
->in_msg
[6];
1235 if (ssl
->in_msg
[4] != 0 || ssl
->in_hslen
!= 7 + n
) {
1236 SSL_DEBUG_MSG(1, ("bad certificate message"));
1237 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE
);
1240 if ((ssl
->peer_cert
= (x509_cert
*) malloc(sizeof(x509_cert
))) == NULL
) {
1241 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed",
1242 sizeof(x509_cert
)));
1246 memset(ssl
->peer_cert
, 0, sizeof(x509_cert
));
1250 while (i
< ssl
->in_hslen
) {
1251 if (ssl
->in_msg
[i
] != 0) {
1252 SSL_DEBUG_MSG(1, ("bad certificate message"));
1253 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE
);
1256 n
= ((unsigned int)ssl
->in_msg
[i
+ 1] << 8)
1257 | (unsigned int)ssl
->in_msg
[i
+ 2];
1260 if (n
< 128 || i
+ n
> ssl
->in_hslen
) {
1261 SSL_DEBUG_MSG(1, ("bad certificate message"));
1262 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE
);
1265 ret
= x509parse_crt(ssl
->peer_cert
, ssl
->in_msg
+ i
, n
);
1267 SSL_DEBUG_RET(1, " x509parse_crt", ret
);
1274 SSL_DEBUG_CRT(3, "peer certificate", ssl
->peer_cert
);
1276 if (ssl
->authmode
!= SSL_VERIFY_NONE
) {
1277 if (ssl
->ca_chain
== NULL
) {
1278 SSL_DEBUG_MSG(1, ("got no CA chain"));
1279 return (TROPICSSL_ERR_SSL_CA_CHAIN_REQUIRED
);
1282 ret
= x509parse_verify(ssl
->peer_cert
, ssl
->ca_chain
,
1283 ssl
->peer_cn
, &ssl
->verify_result
);
1286 SSL_DEBUG_RET(1, "x509_verify_cert", ret
);
1288 if (ssl
->authmode
!= SSL_VERIFY_REQUIRED
)
1292 SSL_DEBUG_MSG(2, ("<= parse certificate"));
1297 int ssl_write_change_cipher_spec(ssl_context
* ssl
)
1301 SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
1303 ssl
->out_msgtype
= SSL_MSG_CHANGE_CIPHER_SPEC
;
1304 ssl
->out_msglen
= 1;
1305 ssl
->out_msg
[0] = 1;
1310 if ((ret
= ssl_write_record(ssl
)) != 0) {
1311 SSL_DEBUG_RET(1, "ssl_write_record", ret
);
1315 SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
1320 int ssl_parse_change_cipher_spec(ssl_context
* ssl
)
1324 SSL_DEBUG_MSG(2, ("=> parse change cipher spec"));
1328 if ((ret
= ssl_read_record(ssl
)) != 0) {
1329 SSL_DEBUG_RET(1, "ssl_read_record", ret
);
1333 if (ssl
->in_msgtype
!= SSL_MSG_CHANGE_CIPHER_SPEC
) {
1334 SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
1335 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE
);
1338 if (ssl
->in_msglen
!= 1 || ssl
->in_msg
[0] != 1) {
1339 SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
1340 return (TROPICSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
);
1345 SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
1350 static void ssl_calc_finished(ssl_context
* ssl
, unsigned char *buf
, int from
,
1351 md5_context
* md5_ctx
, sha1_context
* sha1_ctx
)
1355 unsigned char padbuf
[48];
1356 unsigned char md5sum
[16];
1357 unsigned char sha1sum
[20];
1359 SSL_DEBUG_MSG(2, ("=> calc finished"));
1364 * MD5( master + pad2 +
1365 * MD5( handshake + sender + master + pad1 ) )
1366 * + SHA1( master + pad2 +
1367 * SHA1( handshake + sender + master + pad1 ) )
1370 * hash = PRF( master, finished_label,
1371 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1374 SSL_DEBUG_BUF(4, "finished md5 state", (unsigned char *)
1375 md5_ctx
->state
, sizeof(md5_ctx
->state
));
1377 SSL_DEBUG_BUF(4, "finished sha1 state", (unsigned char *)
1378 sha1_ctx
->state
, sizeof(sha1_ctx
->state
));
1380 if (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) {
1381 sender
= (from
== SSL_IS_CLIENT
) ? "CLNT"
1384 memset(padbuf
, 0x36, 48);
1386 md5_update(md5_ctx
, (const unsigned char *)sender
, 4);
1387 md5_update(md5_ctx
, ssl
->session
->master
, 48);
1388 md5_update(md5_ctx
, padbuf
, 48);
1389 md5_finish(md5_ctx
, md5sum
);
1391 sha1_update(sha1_ctx
, (const unsigned char *)sender
, 4);
1392 sha1_update(sha1_ctx
, ssl
->session
->master
, 48);
1393 sha1_update(sha1_ctx
, padbuf
, 40);
1394 sha1_finish(sha1_ctx
, sha1sum
);
1396 memset(padbuf
, 0x5C, 48);
1398 md5_starts(md5_ctx
);
1399 md5_update(md5_ctx
, ssl
->session
->master
, 48);
1400 md5_update(md5_ctx
, padbuf
, 48);
1401 md5_update(md5_ctx
, md5sum
, 16);
1402 md5_finish(md5_ctx
, buf
);
1404 sha1_starts(sha1_ctx
);
1405 sha1_update(sha1_ctx
, ssl
->session
->master
, 48);
1406 sha1_update(sha1_ctx
, padbuf
, 40);
1407 sha1_update(sha1_ctx
, sha1sum
, 20);
1408 sha1_finish(sha1_ctx
, buf
+ 16);
1412 sender
= (from
== SSL_IS_CLIENT
)
1413 ? "client finished" : "server finished";
1415 md5_finish(md5_ctx
, padbuf
);
1416 sha1_finish(sha1_ctx
, padbuf
+ 16);
1418 tls1_prf(ssl
->session
->master
, 48, sender
,
1419 padbuf
, 36, buf
, len
);
1422 SSL_DEBUG_BUF(3, "calc finished result", buf
, len
);
1424 memset(md5_ctx
, 0, sizeof(md5_context
));
1425 memset(sha1_ctx
, 0, sizeof(sha1_context
));
1427 memset(padbuf
, 0, sizeof(padbuf
));
1428 memset(md5sum
, 0, sizeof(md5sum
));
1429 memset(sha1sum
, 0, sizeof(sha1sum
));
1431 SSL_DEBUG_MSG(2, ("<= calc finished"));
1434 int ssl_write_finished(ssl_context
* ssl
)
1437 md5_context md5_ctx
;
1438 sha1_context sha1_ctx
;
1440 SSL_DEBUG_MSG(2, ("=> write finished"));
1442 memcpy(&md5_ctx
, &ssl
->fin_md5
, sizeof(md5_context
));
1443 memcpy(&sha1_ctx
, &ssl
->fin_sha1
, sizeof(sha1_context
));
1445 ssl_calc_finished(ssl
, ssl
->out_msg
+ 4, ssl
->endpoint
, &md5_ctx
, &sha1_ctx
);
1447 hash_len
= (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) ? 36 : 12;
1449 ssl
->out_msglen
= 4 + hash_len
;
1450 ssl
->out_msgtype
= SSL_MSG_HANDSHAKE
;
1451 ssl
->out_msg
[0] = SSL_HS_FINISHED
;
1454 * In case of session resuming, invert the client and server
1455 * ChangeCipherSpec messages order.
1457 if (ssl
->resume
!= 0) {
1458 if (ssl
->endpoint
== SSL_IS_CLIENT
)
1459 ssl
->state
= SSL_HANDSHAKE_OVER
;
1461 ssl
->state
= SSL_CLIENT_CHANGE_CIPHER_SPEC
;
1467 if ((ret
= ssl_write_record(ssl
)) != 0) {
1468 SSL_DEBUG_RET(1, "ssl_write_record", ret
);
1472 SSL_DEBUG_MSG(2, ("<= write finished"));
1477 int ssl_parse_finished(ssl_context
* ssl
)
1480 md5_context md5_ctx
;
1481 sha1_context sha1_ctx
;
1482 unsigned char buf
[36];
1484 SSL_DEBUG_MSG(2, ("=> parse finished"));
1486 memcpy(&md5_ctx
, &ssl
->fin_md5
, sizeof(md5_context
));
1487 memcpy(&sha1_ctx
, &ssl
->fin_sha1
, sizeof(sha1_context
));
1491 if ((ret
= ssl_read_record(ssl
)) != 0) {
1492 SSL_DEBUG_RET(1, "ssl_read_record", ret
);
1496 if (ssl
->in_msgtype
!= SSL_MSG_HANDSHAKE
) {
1497 SSL_DEBUG_MSG(1, ("bad finished message"));
1498 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE
);
1501 hash_len
= (ssl
->minor_ver
== SSL_MINOR_VERSION_0
) ? 36 : 12;
1503 if (ssl
->in_msg
[0] != SSL_HS_FINISHED
|| ssl
->in_hslen
!= 4 + hash_len
) {
1504 SSL_DEBUG_MSG(1, ("bad finished message"));
1505 return (TROPICSSL_ERR_SSL_BAD_HS_FINISHED
);
1508 ssl_calc_finished(ssl
, buf
, ssl
->endpoint
^ 1, &md5_ctx
, &sha1_ctx
);
1510 if (memcmp(ssl
->in_msg
+ 4, buf
, hash_len
) != 0) {
1511 SSL_DEBUG_MSG(1, ("bad finished message"));
1512 return (TROPICSSL_ERR_SSL_BAD_HS_FINISHED
);
1515 if (ssl
->resume
!= 0) {
1516 if (ssl
->endpoint
== SSL_IS_CLIENT
)
1517 ssl
->state
= SSL_CLIENT_CHANGE_CIPHER_SPEC
;
1519 if (ssl
->endpoint
== SSL_IS_SERVER
)
1520 ssl
->state
= SSL_HANDSHAKE_OVER
;
1524 SSL_DEBUG_MSG(2, ("<= parse finished"));
1530 * Initialize an SSL context
1532 int ssl_init(ssl_context
* ssl
)
1534 int len
= SSL_BUFFER_LEN
;
1536 memset(ssl
, 0, sizeof(ssl_context
));
1538 ssl
->in_ctr
= (unsigned char *)malloc(len
);
1539 ssl
->in_hdr
= ssl
->in_ctr
+ 8;
1540 ssl
->in_msg
= ssl
->in_ctr
+ 13;
1542 if (ssl
->in_ctr
== NULL
) {
1543 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed", len
));
1547 ssl
->out_ctr
= (unsigned char *)malloc(len
);
1548 ssl
->out_hdr
= ssl
->out_ctr
+ 8;
1549 ssl
->out_msg
= ssl
->out_ctr
+ 13;
1551 if (ssl
->out_ctr
== NULL
) {
1552 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed", len
));
1557 memset(ssl
->in_ctr
, 0, SSL_BUFFER_LEN
);
1558 memset(ssl
->out_ctr
, 0, SSL_BUFFER_LEN
);
1560 ssl
->hostname
= NULL
;
1561 ssl
->hostname_len
= 0;
1563 md5_starts(&ssl
->fin_md5
);
1564 sha1_starts(&ssl
->fin_sha1
);
1572 void ssl_set_endpoint(ssl_context
* ssl
, int endpoint
)
1574 ssl
->endpoint
= endpoint
;
1577 void ssl_set_authmode(ssl_context
* ssl
, int authmode
)
1579 ssl
->authmode
= authmode
;
1582 void ssl_set_rng(ssl_context
* ssl
, int (*f_rng
) (void *), void *p_rng
)
1588 void ssl_set_dbg(ssl_context
* ssl
,
1589 void (*f_dbg
) (void *, int, const char *), void *p_dbg
)
1595 void ssl_set_bio(ssl_context
* ssl
,
1596 int (*f_recv
) (void *, unsigned char *, int), void *p_recv
,
1597 int (*f_send
) (void *, const unsigned char *, int), void *p_send
)
1599 ssl
->f_recv
= f_recv
;
1600 ssl
->f_send
= f_send
;
1601 ssl
->p_recv
= p_recv
;
1602 ssl
->p_send
= p_send
;
1605 void ssl_set_scb(ssl_context
* ssl
,
1606 int (*s_get
) (ssl_context
*), int (*s_set
) (ssl_context
*))
1612 void ssl_set_session(ssl_context
* ssl
, int resume
, int timeout
,
1613 ssl_session
* session
)
1615 ssl
->resume
= resume
;
1616 ssl
->timeout
= timeout
;
1617 ssl
->session
= session
;
1620 void ssl_set_ciphers(ssl_context
* ssl
, const int *ciphers
)
1622 ssl
->ciphers
= ciphers
;
1625 void ssl_set_ca_chain(ssl_context
* ssl
, x509_cert
* ca_chain
, const char *peer_cn
)
1627 ssl
->ca_chain
= ca_chain
;
1628 ssl
->peer_cn
= peer_cn
;
1631 void ssl_set_own_cert(ssl_context
* ssl
, x509_cert
* own_cert
,
1632 rsa_context
* rsa_key
)
1634 ssl
->own_cert
= own_cert
;
1635 ssl
->rsa_key
= rsa_key
;
1638 int ssl_set_dh_param(ssl_context
* ssl
, const char *dhm_P
, const char *dhm_G
)
1642 if ((ret
= mpi_read_string(&ssl
->dhm_ctx
.P
, 16, dhm_P
)) != 0) {
1643 SSL_DEBUG_RET(1, "mpi_read_string", ret
);
1647 if ((ret
= mpi_read_string(&ssl
->dhm_ctx
.G
, 16, dhm_G
)) != 0) {
1648 SSL_DEBUG_RET(1, "mpi_read_string", ret
);
1655 int ssl_set_hostname(ssl_context
* ssl
, const char *hostname
)
1657 if (hostname
== NULL
)
1658 return (TROPICSSL_ERR_SSL_BAD_INPUT_DATA
);
1660 ssl
->hostname_len
= strlen(hostname
);
1661 ssl
->hostname
= (unsigned char *)malloc(ssl
->hostname_len
+ 1);
1663 memcpy(ssl
->hostname
, hostname
, ssl
->hostname_len
);
1671 int ssl_get_bytes_avail(const ssl_context
* ssl
)
1673 return (ssl
->in_offt
== NULL
? 0 : ssl
->in_msglen
);
1676 int ssl_get_verify_result(const ssl_context
* ssl
)
1678 return (ssl
->verify_result
);
1681 const char *ssl_get_cipher(const ssl_context
* ssl
)
1683 switch (ssl
->session
->cipher
) {
1684 #if defined(TROPICSSL_ARC4_C)
1685 case SSL_RSA_RC4_128_MD5
:
1686 return ("SSL_RSA_RC4_128_MD5");
1688 case SSL_RSA_RC4_128_SHA
:
1689 return ("SSL_RSA_RC4_128_SHA");
1692 #if defined(TROPICSSL_DES_C)
1693 case SSL_RSA_DES_168_SHA
:
1694 return ("SSL_RSA_DES_168_SHA");
1696 case SSL_EDH_RSA_DES_168_SHA
:
1697 return ("SSL_EDH_RSA_DES_168_SHA");
1700 #if defined(TROPICSSL_AES_C)
1701 case SSL_RSA_AES_128_SHA
:
1702 return ("SSL_RSA_AES_128_SHA");
1704 case SSL_RSA_AES_256_SHA
:
1705 return ("SSL_RSA_AES_256_SHA");
1707 case SSL_EDH_RSA_AES_256_SHA
:
1708 return ("SSL_EDH_RSA_AES_256_SHA");
1711 #if defined(TROPICSSL_CAMELLIA_C)
1712 case SSL_RSA_CAMELLIA_128_SHA
:
1713 return ("SSL_RSA_CAMELLIA_128_SHA");
1715 case SSL_RSA_CAMELLIA_256_SHA
:
1716 return ("SSL_RSA_CAMELLIA_256_SHA");
1718 case SSL_EDH_RSA_CAMELLIA_256_SHA
:
1719 return ("SSL_EDH_RSA_CAMELLIA_256_SHA");
1729 const int ssl_default_ciphers
[] = {
1730 #if defined(TROPICSSL_DHM_C)
1731 #if defined(TROPICSSL_AES_C)
1732 SSL_EDH_RSA_AES_256_SHA
,
1734 #if defined(TROPICSSL_CAMELLIA_C)
1735 SSL_EDH_RSA_CAMELLIA_256_SHA
,
1737 #if defined(TROPICSSL_DES_C)
1738 SSL_EDH_RSA_DES_168_SHA
,
1742 #if defined(TROPICSSL_AES_C)
1743 SSL_RSA_AES_128_SHA
,
1744 SSL_RSA_AES_256_SHA
,
1746 #if defined(TROPICSSL_CAMELLIA_C)
1747 SSL_RSA_CAMELLIA_128_SHA
,
1748 SSL_RSA_CAMELLIA_256_SHA
,
1750 #if defined(TROPICSSL_DES_C)
1751 SSL_RSA_DES_168_SHA
,
1753 #if defined(TROPICSSL_ARC4_C)
1754 SSL_RSA_RC4_128_SHA
,
1755 SSL_RSA_RC4_128_MD5
,
1761 * Perform the SSL handshake
1763 int ssl_handshake(ssl_context
* ssl
)
1765 int ret
= TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE
;
1767 SSL_DEBUG_MSG(2, ("=> handshake"));
1769 #if defined(TROPICSSL_SSL_CLI_C)
1770 if (ssl
->endpoint
== SSL_IS_CLIENT
)
1771 ret
= ssl_handshake_client(ssl
);
1774 #if defined(TROPICSSL_SSL_SRV_C)
1775 if (ssl
->endpoint
== SSL_IS_SERVER
)
1776 ret
= ssl_handshake_server(ssl
);
1779 SSL_DEBUG_MSG(2, ("<= handshake"));
1785 * Receive application data decrypted from the SSL layer
1787 int ssl_read(ssl_context
* ssl
, unsigned char *buf
, int len
)
1791 SSL_DEBUG_MSG(2, ("=> read"));
1793 if (ssl
->state
!= SSL_HANDSHAKE_OVER
) {
1794 if ((ret
= ssl_handshake(ssl
)) != 0) {
1795 SSL_DEBUG_RET(1, "ssl_handshake", ret
);
1800 if (ssl
->in_offt
== NULL
) {
1801 if ((ret
= ssl_read_record(ssl
)) != 0) {
1802 SSL_DEBUG_RET(1, "ssl_read_record", ret
);
1806 if (ssl
->in_msglen
== 0 &&
1807 ssl
->in_msgtype
== SSL_MSG_APPLICATION_DATA
) {
1809 * OpenSSL sends empty messages to randomize the IV
1811 if ((ret
= ssl_read_record(ssl
)) != 0) {
1812 SSL_DEBUG_RET(1, "ssl_read_record", ret
);
1817 if (ssl
->in_msgtype
!= SSL_MSG_APPLICATION_DATA
) {
1818 SSL_DEBUG_MSG(1, ("bad application data message"));
1819 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE
);
1822 ssl
->in_offt
= ssl
->in_msg
;
1825 n
= (len
< ssl
->in_msglen
)
1826 ? len
: ssl
->in_msglen
;
1828 memcpy(buf
, ssl
->in_offt
, n
);
1829 ssl
->in_msglen
-= n
;
1831 if (ssl
->in_msglen
== 0)
1832 /* all bytes consumed */
1833 ssl
->in_offt
= NULL
;
1835 /* more data available */
1838 SSL_DEBUG_MSG(2, ("<= read"));
1844 * Send application data to be encrypted by the SSL layer
1846 int ssl_write(ssl_context
* ssl
, const unsigned char *buf
, int len
)
1850 SSL_DEBUG_MSG(2, ("=> write"));
1852 if (ssl
->state
!= SSL_HANDSHAKE_OVER
) {
1853 if ((ret
= ssl_handshake(ssl
)) != 0) {
1854 SSL_DEBUG_RET(1, "ssl_handshake", ret
);
1859 n
= (len
< SSL_MAX_CONTENT_LEN
)
1860 ? len
: SSL_MAX_CONTENT_LEN
;
1862 if (ssl
->out_left
!= 0) {
1863 if ((ret
= ssl_flush_output(ssl
)) != 0) {
1864 SSL_DEBUG_RET(1, "ssl_flush_output", ret
);
1868 ssl
->out_msglen
= n
;
1869 ssl
->out_msgtype
= SSL_MSG_APPLICATION_DATA
;
1870 memcpy(ssl
->out_msg
, buf
, n
);
1872 if ((ret
= ssl_write_record(ssl
)) != 0) {
1873 SSL_DEBUG_RET(1, "ssl_write_record", ret
);
1878 SSL_DEBUG_MSG(2, ("<= write"));
1884 * Notify the peer that the connection is being closed
1886 int ssl_close_notify(ssl_context
* ssl
)
1890 SSL_DEBUG_MSG(2, ("=> write close notify"));
1892 if ((ret
= ssl_flush_output(ssl
)) != 0) {
1893 SSL_DEBUG_RET(1, "ssl_flush_output", ret
);
1897 if (ssl
->state
== SSL_HANDSHAKE_OVER
) {
1898 ssl
->out_msgtype
= SSL_MSG_ALERT
;
1899 ssl
->out_msglen
= 2;
1900 ssl
->out_msg
[0] = SSL_ALERT_WARNING
;
1901 ssl
->out_msg
[1] = SSL_ALERT_CLOSE_NOTIFY
;
1903 if ((ret
= ssl_write_record(ssl
)) != 0) {
1904 SSL_DEBUG_RET(1, "ssl_write_record", ret
);
1909 SSL_DEBUG_MSG(2, ("<= write close notify"));
1915 * Free an SSL context
1917 void ssl_free(ssl_context
* ssl
)
1919 SSL_DEBUG_MSG(2, ("=> free"));
1921 if (ssl
->peer_cert
!= NULL
) {
1922 x509_free(ssl
->peer_cert
);
1923 memset(ssl
->peer_cert
, 0, sizeof(x509_cert
));
1924 free(ssl
->peer_cert
);
1927 if (ssl
->out_ctr
!= NULL
) {
1928 memset(ssl
->out_ctr
, 0, SSL_BUFFER_LEN
);
1932 if (ssl
->in_ctr
!= NULL
) {
1933 memset(ssl
->in_ctr
, 0, SSL_BUFFER_LEN
);
1936 #if defined(TROPICSSL_DHM_C)
1937 dhm_free(&ssl
->dhm_ctx
);
1940 if (ssl
->hostname
!= NULL
) {
1941 memset(ssl
->hostname
, 0, ssl
->hostname_len
);
1942 free(ssl
->hostname
);
1943 ssl
->hostname_len
= 0;
1946 memset(ssl
, 0, sizeof(ssl_context
));
1948 SSL_DEBUG_MSG(2, ("<= free"));