camellia: fix camellia_self_test failure on compilers where char is unsigned by default
[tropicssl.git] / library / ssl_tls.c
blob6af7e4532023897a3d13ba1492d9417ee324f7ff
1 /*
2 * SSLv3/TLSv1 shared functions
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
8 * All rights reserved.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 * The SSL 3.0 specification was drafted by Netscape in 1996,
37 * and became an IETF standard in 1999.
39 * http://wp.netscape.com/eng/ssl3/
40 * http://www.ietf.org/rfc/rfc2246.txt
41 * http://www.ietf.org/rfc/rfc4346.txt
44 #include "tropicssl/config.h"
46 #if defined(TROPICSSL_SSL_TLS_C)
48 #include "tropicssl/aes.h"
49 #include "tropicssl/arc4.h"
50 #include "tropicssl/camellia.h"
51 #include "tropicssl/des.h"
52 #include "tropicssl/debug.h"
53 #include "tropicssl/ssl.h"
55 #include <string.h>
56 #include <stdlib.h>
57 #include <time.h>
60 * Key material generation
62 static int tls1_prf(unsigned char *secret, int slen, const char *label,
63 unsigned char *randombytes, int rlen,
64 unsigned char *dstbuf, int dlen)
66 int nb, hs;
67 int i, j, k;
68 unsigned char *S1, *S2;
69 unsigned char tmp[128];
70 unsigned char h_i[20];
72 if (sizeof(tmp) < 20 + strlen(label) + rlen)
73 return (TROPICSSL_ERR_SSL_BAD_INPUT_DATA);
75 hs = (slen + 1) / 2;
76 S1 = secret;
77 S2 = secret + slen - hs;
79 nb = strlen(label);
80 memcpy(tmp + 20, label, nb);
81 memcpy(tmp + 20 + nb, randombytes, rlen);
82 nb += rlen;
85 * First compute P_md5(secret,label+randombytes)[0..dlen]
87 md5_hmac(S1, hs, tmp + 20, nb, 4 + tmp);
89 for (i = 0; i < dlen; i += 16) {
90 md5_hmac(S1, hs, 4 + tmp, 16 + nb, h_i);
91 md5_hmac(S1, hs, 4 + tmp, 16, 4 + tmp);
93 k = (i + 16 > dlen) ? dlen % 16 : 16;
95 for (j = 0; j < k; j++)
96 dstbuf[i + j] = h_i[j];
100 * XOR out with P_sha1(secret,label+randombytes)[0..dlen]
102 sha1_hmac(S2, hs, tmp + 20, nb, tmp);
104 for (i = 0; i < dlen; i += 20) {
105 sha1_hmac(S2, hs, tmp, 20 + nb, h_i);
106 sha1_hmac(S2, hs, tmp, 20, tmp);
108 k = (i + 20 > dlen) ? dlen % 20 : 20;
110 for (j = 0; j < k; j++)
111 dstbuf[i + j] = (unsigned char)(dstbuf[i + j] ^ h_i[j]);
114 memset(tmp, 0, sizeof(tmp));
115 memset(h_i, 0, sizeof(h_i));
117 return (0);
120 int ssl_derive_keys(ssl_context * ssl)
122 int i;
123 md5_context md5_ctx;
124 sha1_context sha1_ctx;
125 unsigned char tmp[64];
126 unsigned char padding[16];
127 unsigned char sha1sum[20];
128 unsigned char keyblk[256];
129 unsigned char *key1;
130 unsigned char *key2;
132 SSL_DEBUG_MSG(2, ("=> derive keys"));
135 * SSLv3:
136 * master =
137 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
138 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
139 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
141 * TLSv1:
142 * master = PRF( premaster, "master secret", randbytes )[0..47]
144 if (ssl->resume == 0) {
145 int len = ssl->pmslen;
147 SSL_DEBUG_BUF(3, "premaster secret", ssl->premaster, len);
149 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
150 for (i = 0; i < 3; i++) {
151 memset(padding, 'A' + i, 1 + i);
153 sha1_starts(&sha1_ctx);
154 sha1_update(&sha1_ctx, padding, 1 + i);
155 sha1_update(&sha1_ctx, ssl->premaster, len);
156 sha1_update(&sha1_ctx, ssl->randbytes, 64);
157 sha1_finish(&sha1_ctx, sha1sum);
159 md5_starts(&md5_ctx);
160 md5_update(&md5_ctx, ssl->premaster, len);
161 md5_update(&md5_ctx, sha1sum, 20);
162 md5_finish(&md5_ctx, ssl->session->master + i * 16);
164 } else
165 tls1_prf(ssl->premaster, len, "master secret",
166 ssl->randbytes, 64, ssl->session->master, 48);
168 memset(ssl->premaster, 0, sizeof(ssl->premaster));
169 } else
170 SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
173 * Swap the client and server random values.
175 memcpy(tmp, ssl->randbytes, 64);
176 memcpy(ssl->randbytes, tmp + 32, 32);
177 memcpy(ssl->randbytes + 32, tmp, 32);
178 memset(tmp, 0, sizeof(tmp));
181 * SSLv3:
182 * key block =
183 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
184 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
185 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
186 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
187 * ...
189 * TLSv1:
190 * key block = PRF( master, "key expansion", randbytes )
192 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
193 for (i = 0; i < 16; i++) {
194 memset(padding, 'A' + i, 1 + i);
196 sha1_starts(&sha1_ctx);
197 sha1_update(&sha1_ctx, padding, 1 + i);
198 sha1_update(&sha1_ctx, ssl->session->master, 48);
199 sha1_update(&sha1_ctx, ssl->randbytes, 64);
200 sha1_finish(&sha1_ctx, sha1sum);
202 md5_starts(&md5_ctx);
203 md5_update(&md5_ctx, ssl->session->master, 48);
204 md5_update(&md5_ctx, sha1sum, 20);
205 md5_finish(&md5_ctx, keyblk + i * 16);
208 memset(&md5_ctx, 0, sizeof(md5_ctx));
209 memset(&sha1_ctx, 0, sizeof(sha1_ctx));
211 memset(padding, 0, sizeof(padding));
212 memset(sha1sum, 0, sizeof(sha1sum));
213 } else
214 tls1_prf(ssl->session->master, 48, "key expansion",
215 ssl->randbytes, 64, keyblk, 256);
217 SSL_DEBUG_MSG(3, ("cipher = %s", ssl_get_cipher(ssl)));
218 SSL_DEBUG_BUF(3, "master secret", ssl->session->master, 48);
219 SSL_DEBUG_BUF(4, "random bytes", ssl->randbytes, 64);
220 SSL_DEBUG_BUF(4, "key block", keyblk, 256);
222 memset(ssl->randbytes, 0, sizeof(ssl->randbytes));
225 * Determine the appropriate key, IV and MAC length.
227 switch (ssl->session->cipher) {
228 #if defined(TROPICSSL_ARC4_C)
229 case SSL_RSA_RC4_128_MD5:
230 ssl->keylen = 16;
231 ssl->minlen = 16;
232 ssl->ivlen = 0;
233 ssl->maclen = 16;
234 break;
236 case SSL_RSA_RC4_128_SHA:
237 ssl->keylen = 16;
238 ssl->minlen = 20;
239 ssl->ivlen = 0;
240 ssl->maclen = 20;
241 break;
242 #endif
244 #if defined(TROPICSSL_DES_C)
245 case SSL_RSA_DES_168_SHA:
246 case SSL_EDH_RSA_DES_168_SHA:
247 ssl->keylen = 24;
248 ssl->minlen = 24;
249 ssl->ivlen = 8;
250 ssl->maclen = 20;
251 break;
252 #endif
254 #if defined(TROPICSSL_AES_C)
255 case SSL_RSA_AES_128_SHA:
256 ssl->keylen = 16;
257 ssl->minlen = 32;
258 ssl->ivlen = 16;
259 ssl->maclen = 20;
260 break;
262 case SSL_RSA_AES_256_SHA:
263 case SSL_EDH_RSA_AES_256_SHA:
264 ssl->keylen = 32;
265 ssl->minlen = 32;
266 ssl->ivlen = 16;
267 ssl->maclen = 20;
268 break;
269 #endif
271 #if defined(TROPICSSL_CAMELLIA_C)
272 case SSL_RSA_CAMELLIA_128_SHA:
273 ssl->keylen = 16;
274 ssl->minlen = 32;
275 ssl->ivlen = 16;
276 ssl->maclen = 20;
277 break;
279 case SSL_RSA_CAMELLIA_256_SHA:
280 case SSL_EDH_RSA_CAMELLIA_256_SHA:
281 ssl->keylen = 32;
282 ssl->minlen = 32;
283 ssl->ivlen = 16;
284 ssl->maclen = 20;
285 break;
286 #endif
288 default:
289 SSL_DEBUG_MSG(1, ("cipher %s is not available",
290 ssl_get_cipher(ssl)));
291 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
294 SSL_DEBUG_MSG(3, ("keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
295 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen));
298 * Finally setup the cipher contexts, IVs and MAC secrets.
300 if (ssl->endpoint == SSL_IS_CLIENT) {
301 key1 = keyblk + ssl->maclen * 2;
302 key2 = keyblk + ssl->maclen * 2 + ssl->keylen;
304 memcpy(ssl->mac_enc, keyblk, ssl->maclen);
305 memcpy(ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen);
307 memcpy(ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen);
308 memcpy(ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen,
309 ssl->ivlen);
310 } else {
311 key1 = keyblk + ssl->maclen * 2 + ssl->keylen;
312 key2 = keyblk + ssl->maclen * 2;
314 memcpy(ssl->mac_dec, keyblk, ssl->maclen);
315 memcpy(ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen);
317 memcpy(ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen);
318 memcpy(ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen,
319 ssl->ivlen);
322 switch (ssl->session->cipher) {
323 #if defined(TROPICSSL_ARC4_C)
324 case SSL_RSA_RC4_128_MD5:
325 case SSL_RSA_RC4_128_SHA:
326 arc4_setup((arc4_context *) ssl->ctx_enc, key1, ssl->keylen);
327 arc4_setup((arc4_context *) ssl->ctx_dec, key2, ssl->keylen);
328 break;
329 #endif
331 #if defined(TROPICSSL_DES_C)
332 case SSL_RSA_DES_168_SHA:
333 case SSL_EDH_RSA_DES_168_SHA:
334 des3_set3key_enc((des3_context *) ssl->ctx_enc, key1);
335 des3_set3key_dec((des3_context *) ssl->ctx_dec, key2);
336 break;
337 #endif
339 #if defined(TROPICSSL_AES_C)
340 case SSL_RSA_AES_128_SHA:
341 aes_setkey_enc((aes_context *) ssl->ctx_enc, key1, 128);
342 aes_setkey_dec((aes_context *) ssl->ctx_dec, key2, 128);
343 break;
345 case SSL_RSA_AES_256_SHA:
346 case SSL_EDH_RSA_AES_256_SHA:
347 aes_setkey_enc((aes_context *) ssl->ctx_enc, key1, 256);
348 aes_setkey_dec((aes_context *) ssl->ctx_dec, key2, 256);
349 break;
350 #endif
352 #if defined(TROPICSSL_CAMELLIA_C)
353 case SSL_RSA_CAMELLIA_128_SHA:
354 camellia_setkey_enc((camellia_context *) ssl->ctx_enc, key1,
355 128);
356 camellia_setkey_dec((camellia_context *) ssl->ctx_dec, key2,
357 128);
358 break;
360 case SSL_RSA_CAMELLIA_256_SHA:
361 case SSL_EDH_RSA_CAMELLIA_256_SHA:
362 camellia_setkey_enc((camellia_context *) ssl->ctx_enc, key1,
363 256);
364 camellia_setkey_dec((camellia_context *) ssl->ctx_dec, key2,
365 256);
366 break;
367 #endif
369 default:
370 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
373 memset(keyblk, 0, sizeof(keyblk));
375 SSL_DEBUG_MSG(2, ("<= derive keys"));
377 return (0);
380 void ssl_calc_verify(ssl_context * ssl, unsigned char hash[36])
382 md5_context md5_ctx;
383 sha1_context sha1_ctx;
384 unsigned char pad_1[48];
385 unsigned char pad_2[48];
387 SSL_DEBUG_MSG(2, ("=> calc verify"));
389 memcpy(&md5_ctx, &ssl->fin_md5, sizeof(md5_context));
390 memcpy(&sha1_ctx, &ssl->fin_sha1, sizeof(sha1_context));
392 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
393 memset(pad_1, 0x36, 48);
394 memset(pad_2, 0x5C, 48);
396 md5_update(&md5_ctx, ssl->session->master, 48);
397 md5_update(&md5_ctx, pad_1, 48);
398 md5_finish(&md5_ctx, hash);
400 md5_starts(&md5_ctx);
401 md5_update(&md5_ctx, ssl->session->master, 48);
402 md5_update(&md5_ctx, pad_2, 48);
403 md5_update(&md5_ctx, hash, 16);
404 md5_finish(&md5_ctx, hash);
406 sha1_update(&sha1_ctx, ssl->session->master, 48);
407 sha1_update(&sha1_ctx, pad_1, 40);
408 sha1_finish(&sha1_ctx, hash + 16);
410 sha1_starts(&sha1_ctx);
411 sha1_update(&sha1_ctx, ssl->session->master, 48);
412 sha1_update(&sha1_ctx, pad_2, 40);
413 sha1_update(&sha1_ctx, hash + 16, 20);
414 sha1_finish(&sha1_ctx, hash + 16);
415 } else { /* TLSv1 */
416 md5_finish(&md5_ctx, hash);
417 sha1_finish(&sha1_ctx, hash + 16);
420 SSL_DEBUG_BUF(3, "calculated verify result", hash, 36);
421 SSL_DEBUG_MSG(2, ("<= calc verify"));
423 return;
427 * SSLv3.0 MAC functions
429 static void ssl_mac_md5(unsigned char *secret,
430 unsigned char *buf, int len,
431 unsigned char *ctr, int type)
433 unsigned char header[11];
434 unsigned char padding[48];
435 md5_context md5_ctx;
437 memcpy(header, ctr, 8);
438 header[8] = (unsigned char)type;
439 header[9] = (unsigned char)(len >> 8);
440 header[10] = (unsigned char)(len);
442 memset(padding, 0x36, 48);
443 md5_starts(&md5_ctx);
444 md5_update(&md5_ctx, secret, 16);
445 md5_update(&md5_ctx, padding, 48);
446 md5_update(&md5_ctx, header, 11);
447 md5_update(&md5_ctx, buf, len);
448 md5_finish(&md5_ctx, buf + len);
450 memset(padding, 0x5C, 48);
451 md5_starts(&md5_ctx);
452 md5_update(&md5_ctx, secret, 16);
453 md5_update(&md5_ctx, padding, 48);
454 md5_update(&md5_ctx, buf + len, 16);
455 md5_finish(&md5_ctx, buf + len);
458 static void ssl_mac_sha1(unsigned char *secret,
459 unsigned char *buf, int len,
460 unsigned char *ctr, int type)
462 unsigned char header[11];
463 unsigned char padding[40];
464 sha1_context sha1_ctx;
466 memcpy(header, ctr, 8);
467 header[8] = (unsigned char)type;
468 header[9] = (unsigned char)(len >> 8);
469 header[10] = (unsigned char)(len);
471 memset(padding, 0x36, 40);
472 sha1_starts(&sha1_ctx);
473 sha1_update(&sha1_ctx, secret, 20);
474 sha1_update(&sha1_ctx, padding, 40);
475 sha1_update(&sha1_ctx, header, 11);
476 sha1_update(&sha1_ctx, buf, len);
477 sha1_finish(&sha1_ctx, buf + len);
479 memset(padding, 0x5C, 40);
480 sha1_starts(&sha1_ctx);
481 sha1_update(&sha1_ctx, secret, 20);
482 sha1_update(&sha1_ctx, padding, 40);
483 sha1_update(&sha1_ctx, buf + len, 20);
484 sha1_finish(&sha1_ctx, buf + len);
488 * Encryption/decryption functions
490 static int ssl_encrypt_buf(ssl_context * ssl)
492 int i, padlen;
494 SSL_DEBUG_MSG(2, ("=> encrypt buf"));
497 * Add MAC then encrypt
499 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
500 if (ssl->maclen == 16)
501 ssl_mac_md5(ssl->mac_enc,
502 ssl->out_msg, ssl->out_msglen,
503 ssl->out_ctr, ssl->out_msgtype);
505 if (ssl->maclen == 20)
506 ssl_mac_sha1(ssl->mac_enc,
507 ssl->out_msg, ssl->out_msglen,
508 ssl->out_ctr, ssl->out_msgtype);
509 } else {
510 if (ssl->maclen == 16)
511 md5_hmac(ssl->mac_enc, 16,
512 ssl->out_ctr, ssl->out_msglen + 13,
513 ssl->out_msg + ssl->out_msglen);
515 if (ssl->maclen == 20)
516 sha1_hmac(ssl->mac_enc, 20,
517 ssl->out_ctr, ssl->out_msglen + 13,
518 ssl->out_msg + ssl->out_msglen);
521 SSL_DEBUG_BUF(4, "computed mac",
522 ssl->out_msg + ssl->out_msglen, ssl->maclen);
524 ssl->out_msglen += ssl->maclen;
526 for (i = 7; i >= 0; i--)
527 if (++ssl->out_ctr[i] != 0)
528 break;
530 if (ssl->ivlen == 0) {
531 #if defined(TROPICSSL_ARC4_C)
532 padlen = 0;
534 SSL_DEBUG_MSG(3, ("before encrypt: msglen = %d, "
535 "including %d bytes of padding",
536 ssl->out_msglen, 0));
538 SSL_DEBUG_BUF(4, "before encrypt: output payload",
539 ssl->out_msg, ssl->out_msglen);
541 arc4_crypt((arc4_context *) ssl->ctx_enc,
542 ssl->out_msglen, ssl->out_msg,
543 ssl->out_msg);
544 #else
545 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
546 #endif
547 } else {
548 padlen = ssl->ivlen - (ssl->out_msglen + 1) % ssl->ivlen;
549 if (padlen == ssl->ivlen)
550 padlen = 0;
552 for (i = 0; i <= padlen; i++)
553 ssl->out_msg[ssl->out_msglen + i] =
554 (unsigned char)padlen;
556 ssl->out_msglen += padlen + 1;
558 SSL_DEBUG_MSG(3, ("before encrypt: msglen = %d, "
559 "including %d bytes of padding",
560 ssl->out_msglen, padlen + 1));
562 SSL_DEBUG_BUF(4, "before encrypt: output payload",
563 ssl->out_msg, ssl->out_msglen);
565 switch (ssl->ivlen) {
566 case 8:
567 #if defined(TROPICSSL_DES_C)
568 des3_crypt_cbc((des3_context *) ssl->ctx_enc,
569 DES_ENCRYPT, ssl->out_msglen,
570 ssl->iv_enc, ssl->out_msg, ssl->out_msg);
571 break;
572 #endif
574 case 16:
575 #if defined(TROPICSSL_AES_C)
576 if (ssl->session->cipher == SSL_RSA_AES_128_SHA ||
577 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
578 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA) {
579 aes_crypt_cbc((aes_context *) ssl->ctx_enc,
580 AES_ENCRYPT, ssl->out_msglen,
581 ssl->iv_enc, ssl->out_msg,
582 ssl->out_msg);
583 break;
585 #endif
587 #if defined(TROPICSSL_CAMELLIA_C)
588 if (ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
589 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
590 ssl->session->cipher ==
591 SSL_EDH_RSA_CAMELLIA_256_SHA) {
592 camellia_crypt_cbc((camellia_context *)
593 ssl->ctx_enc,
594 CAMELLIA_ENCRYPT,
595 ssl->out_msglen, ssl->iv_enc,
596 ssl->out_msg, ssl->out_msg);
597 break;
599 #endif
601 default:
602 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
606 SSL_DEBUG_MSG(2, ("<= encrypt buf"));
608 return (0);
611 static int ssl_decrypt_buf(ssl_context * ssl)
613 int i, padlen;
614 unsigned char tmp[20];
616 SSL_DEBUG_MSG(2, ("=> decrypt buf"));
618 if (ssl->in_msglen < ssl->minlen) {
619 SSL_DEBUG_MSG(1, ("in_msglen (%d) < minlen (%d)",
620 ssl->in_msglen, ssl->minlen));
621 return (TROPICSSL_ERR_SSL_INVALID_MAC);
624 if (ssl->ivlen == 0) {
625 #if defined(TROPICSSL_ARC4_C)
626 padlen = 0;
627 arc4_crypt((arc4_context *) ssl->ctx_dec,
628 ssl->in_msglen, ssl->in_msg,
629 ssl->in_msg);
630 #else
631 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
632 #endif
633 } else {
635 * Decrypt and check the padding
637 if (ssl->in_msglen % ssl->ivlen != 0) {
638 SSL_DEBUG_MSG(1, ("msglen (%d) %% ivlen (%d) != 0",
639 ssl->in_msglen, ssl->ivlen));
640 return (TROPICSSL_ERR_SSL_INVALID_MAC);
643 switch (ssl->ivlen) {
644 #if defined(TROPICSSL_DES_C)
645 case 8:
646 des3_crypt_cbc((des3_context *) ssl->ctx_dec,
647 DES_DECRYPT, ssl->in_msglen,
648 ssl->iv_dec, ssl->in_msg, ssl->in_msg);
649 break;
650 #endif
652 case 16:
653 #if defined(TROPICSSL_AES_C)
654 if (ssl->session->cipher == SSL_RSA_AES_128_SHA ||
655 ssl->session->cipher == SSL_RSA_AES_256_SHA ||
656 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA) {
657 aes_crypt_cbc((aes_context *) ssl->ctx_dec,
658 AES_DECRYPT, ssl->in_msglen,
659 ssl->iv_dec, ssl->in_msg,
660 ssl->in_msg);
661 break;
663 #endif
665 #if defined(TROPICSSL_CAMELLIA_C)
666 if (ssl->session->cipher == SSL_RSA_CAMELLIA_128_SHA ||
667 ssl->session->cipher == SSL_RSA_CAMELLIA_256_SHA ||
668 ssl->session->cipher ==
669 SSL_EDH_RSA_CAMELLIA_256_SHA) {
670 camellia_crypt_cbc((camellia_context *)
671 ssl->ctx_dec,
672 CAMELLIA_DECRYPT,
673 ssl->in_msglen, ssl->iv_dec,
674 ssl->in_msg, ssl->in_msg);
675 break;
677 #endif
679 default:
680 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
683 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
685 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
686 if (padlen > ssl->ivlen) {
687 SSL_DEBUG_MSG(1, ("bad padding length: is %d, "
688 "should be no more than %d",
689 padlen, ssl->ivlen));
690 padlen = 0;
692 } else {
694 * TLSv1: always check the padding
696 for (i = 1; i <= padlen; i++) {
697 if (ssl->in_msg[ssl->in_msglen - i] !=
698 padlen - 1) {
699 SSL_DEBUG_MSG(1,
700 ("bad padding byte: should be "
701 "%02x, but is %02x",
702 padlen - 1,
703 ssl->
704 in_msg[ssl->in_msglen -
705 i]));
706 padlen = 0;
712 SSL_DEBUG_BUF(4, "raw buffer after decryption",
713 ssl->in_msg, ssl->in_msglen);
716 * Always compute the MAC (RFC4346, CBCTIME).
718 ssl->in_msglen -= (ssl->maclen + padlen);
720 ssl->in_hdr[3] = (unsigned char)(ssl->in_msglen >> 8);
721 ssl->in_hdr[4] = (unsigned char)(ssl->in_msglen);
723 memcpy(tmp, ssl->in_msg + ssl->in_msglen, 20);
725 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
726 if (ssl->maclen == 16)
727 ssl_mac_md5(ssl->mac_dec,
728 ssl->in_msg, ssl->in_msglen,
729 ssl->in_ctr, ssl->in_msgtype);
730 else
731 ssl_mac_sha1(ssl->mac_dec,
732 ssl->in_msg, ssl->in_msglen,
733 ssl->in_ctr, ssl->in_msgtype);
734 } else {
735 if (ssl->maclen == 16)
736 md5_hmac(ssl->mac_dec, 16,
737 ssl->in_ctr, ssl->in_msglen + 13,
738 ssl->in_msg + ssl->in_msglen);
739 else
740 sha1_hmac(ssl->mac_dec, 20,
741 ssl->in_ctr, ssl->in_msglen + 13,
742 ssl->in_msg + ssl->in_msglen);
745 SSL_DEBUG_BUF(4, "message mac", tmp, ssl->maclen);
746 SSL_DEBUG_BUF(4, "computed mac", ssl->in_msg + ssl->in_msglen,
747 ssl->maclen);
749 if (memcmp(tmp, ssl->in_msg + ssl->in_msglen, ssl->maclen) != 0) {
750 SSL_DEBUG_MSG(1, ("message mac does not match"));
751 return (TROPICSSL_ERR_SSL_INVALID_MAC);
755 * Finally check the padding length; bad padding
756 * will produce the same error as an invalid MAC.
758 if (ssl->ivlen != 0 && padlen == 0)
759 return (TROPICSSL_ERR_SSL_INVALID_MAC);
761 if (ssl->in_msglen == 0) {
762 ssl->nb_zero++;
765 * Three or more empty messages may be a DoS attack
766 * (excessive CPU consumption).
768 if (ssl->nb_zero > 3) {
769 SSL_DEBUG_MSG(1, ("received four consecutive empty "
770 "messages, possible DoS attack"));
771 return (TROPICSSL_ERR_SSL_INVALID_MAC);
773 } else
774 ssl->nb_zero = 0;
776 for (i = 7; i >= 0; i--)
777 if (++ssl->in_ctr[i] != 0)
778 break;
780 SSL_DEBUG_MSG(2, ("<= decrypt buf"));
782 return (0);
786 * Fill the input message buffer
788 int ssl_fetch_input(ssl_context * ssl, int nb_want)
790 int ret, len;
792 SSL_DEBUG_MSG(2, ("=> fetch input"));
794 while (ssl->in_left < nb_want) {
795 len = nb_want - ssl->in_left;
796 ret = ssl->f_recv(ssl->p_recv, ssl->in_hdr + ssl->in_left, len);
798 SSL_DEBUG_MSG(2, ("in_left: %d, nb_want: %d",
799 ssl->in_left, nb_want));
800 SSL_DEBUG_RET(2, "ssl->f_recv", ret);
802 if (ret < 0)
803 return (ret);
805 ssl->in_left += ret;
808 SSL_DEBUG_MSG(2, ("<= fetch input"));
810 return (0);
814 * Flush any data not yet written
816 int ssl_flush_output(ssl_context * ssl)
818 int ret;
819 unsigned char *buf;
821 SSL_DEBUG_MSG(2, ("=> flush output"));
823 while (ssl->out_left > 0) {
824 SSL_DEBUG_MSG(2, ("message length: %d, out_left: %d",
825 5 + ssl->out_msglen, ssl->out_left));
827 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left;
828 ret = ssl->f_send(ssl->p_send, buf, ssl->out_left);
829 SSL_DEBUG_RET(2, "ssl->f_send", ret);
831 if (ret <= 0)
832 return (ret);
834 ssl->out_left -= ret;
837 SSL_DEBUG_MSG(2, ("<= flush output"));
839 return (0);
843 * Record layer functions
845 int ssl_write_record(ssl_context * ssl)
847 int ret, len = ssl->out_msglen;
849 SSL_DEBUG_MSG(2, ("=> write record"));
851 ssl->out_hdr[0] = (unsigned char)ssl->out_msgtype;
852 ssl->out_hdr[1] = (unsigned char)ssl->major_ver;
853 ssl->out_hdr[2] = (unsigned char)ssl->minor_ver;
854 ssl->out_hdr[3] = (unsigned char)(len >> 8);
855 ssl->out_hdr[4] = (unsigned char)(len);
857 if (ssl->out_msgtype == SSL_MSG_HANDSHAKE) {
858 ssl->out_msg[1] = (unsigned char)((len - 4) >> 16);
859 ssl->out_msg[2] = (unsigned char)((len - 4) >> 8);
860 ssl->out_msg[3] = (unsigned char)((len - 4));
862 md5_update(&ssl->fin_md5, ssl->out_msg, len);
863 sha1_update(&ssl->fin_sha1, ssl->out_msg, len);
866 if (ssl->do_crypt != 0) {
867 if ((ret = ssl_encrypt_buf(ssl)) != 0) {
868 SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret);
869 return (ret);
872 len = ssl->out_msglen;
873 ssl->out_hdr[3] = (unsigned char)(len >> 8);
874 ssl->out_hdr[4] = (unsigned char)(len);
877 ssl->out_left = 5 + ssl->out_msglen;
879 SSL_DEBUG_MSG(3, ("output record: msgtype = %d, "
880 "version = [%d:%d], msglen = %d",
881 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
882 (ssl->out_hdr[3] << 8) | ssl->out_hdr[4]));
884 SSL_DEBUG_BUF(4, "output record sent to network",
885 ssl->out_hdr, 5 + ssl->out_msglen);
887 if ((ret = ssl_flush_output(ssl)) != 0) {
888 SSL_DEBUG_RET(1, "ssl_flush_output", ret);
889 return (ret);
892 SSL_DEBUG_MSG(2, ("<= write record"));
894 return (0);
897 int ssl_read_record(ssl_context * ssl)
899 int ret;
901 SSL_DEBUG_MSG(2, ("=> read record"));
903 if (ssl->in_hslen != 0 && ssl->in_hslen < ssl->in_msglen) {
905 * Get next Handshake message in the current record
907 ssl->in_msglen -= ssl->in_hslen;
909 memcpy(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
910 ssl->in_msglen);
912 ssl->in_hslen = 4;
913 ssl->in_hslen += (ssl->in_msg[2] << 8) | ssl->in_msg[3];
915 SSL_DEBUG_MSG(3, ("handshake message: msglen ="
916 " %d, type = %d, hslen = %d",
917 ssl->in_msglen, ssl->in_msg[0],
918 ssl->in_hslen));
920 if (ssl->in_msglen < 4 || ssl->in_msg[1] != 0) {
921 SSL_DEBUG_MSG(1, ("bad handshake length"));
922 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
925 if (ssl->in_msglen < ssl->in_hslen) {
926 SSL_DEBUG_MSG(1, ("bad handshake length"));
927 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
930 md5_update(&ssl->fin_md5, ssl->in_msg, ssl->in_hslen);
931 sha1_update(&ssl->fin_sha1, ssl->in_msg, ssl->in_hslen);
933 return (0);
936 ssl->in_hslen = 0;
939 * Read the record header and validate it
941 if ((ret = ssl_fetch_input(ssl, 5)) != 0) {
942 SSL_DEBUG_RET(1, "ssl_fetch_input", ret);
943 return (ret);
946 ssl->in_msgtype = ssl->in_hdr[0];
947 ssl->in_msglen = (ssl->in_hdr[3] << 8) | ssl->in_hdr[4];
949 SSL_DEBUG_MSG(3, ("input record: msgtype = %d, "
950 "version = [%d:%d], msglen = %d",
951 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
952 (ssl->in_hdr[3] << 8) | ssl->in_hdr[4]));
954 if (ssl->in_hdr[1] != ssl->major_ver) {
955 SSL_DEBUG_MSG(1, ("major version mismatch"));
956 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
959 if (ssl->in_hdr[2] != SSL_MINOR_VERSION_0 &&
960 ssl->in_hdr[2] != SSL_MINOR_VERSION_1) {
961 SSL_DEBUG_MSG(1, ("minor version mismatch"));
962 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
966 * Make sure the message length is acceptable
968 if (ssl->do_crypt == 0) {
969 if (ssl->in_msglen < 1 || ssl->in_msglen > SSL_MAX_CONTENT_LEN) {
970 SSL_DEBUG_MSG(1, ("bad message length"));
971 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
973 } else {
974 if (ssl->in_msglen < ssl->minlen) {
975 SSL_DEBUG_MSG(1, ("bad message length"));
976 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
979 if (ssl->minor_ver == SSL_MINOR_VERSION_0 &&
980 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN) {
981 SSL_DEBUG_MSG(1, ("bad message length"));
982 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
986 * TLS encrypted messages can have up to 256 bytes of padding
988 if (ssl->minor_ver == SSL_MINOR_VERSION_1 &&
989 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256) {
990 SSL_DEBUG_MSG(1, ("bad message length"));
991 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
996 * Read and optionally decrypt the message contents
998 if ((ret = ssl_fetch_input(ssl, 5 + ssl->in_msglen)) != 0) {
999 SSL_DEBUG_RET(1, "ssl_fetch_input", ret);
1000 return (ret);
1003 SSL_DEBUG_BUF(4, "input record from network",
1004 ssl->in_hdr, 5 + ssl->in_msglen);
1006 if (ssl->do_crypt != 0) {
1007 if ((ret = ssl_decrypt_buf(ssl)) != 0) {
1008 SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret);
1009 return (ret);
1012 SSL_DEBUG_BUF(4, "input payload after decrypt",
1013 ssl->in_msg, ssl->in_msglen);
1015 if (ssl->in_msglen > SSL_MAX_CONTENT_LEN) {
1016 SSL_DEBUG_MSG(1, ("bad message length"));
1017 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
1021 if (ssl->in_msgtype == SSL_MSG_HANDSHAKE) {
1022 ssl->in_hslen = 4;
1023 ssl->in_hslen += (ssl->in_msg[2] << 8) | ssl->in_msg[3];
1025 SSL_DEBUG_MSG(3, ("handshake message: msglen ="
1026 " %d, type = %d, hslen = %d",
1027 ssl->in_msglen, ssl->in_msg[0],
1028 ssl->in_hslen));
1031 * Additional checks to validate the handshake header
1033 if (ssl->in_msglen < 4 || ssl->in_msg[1] != 0) {
1034 SSL_DEBUG_MSG(1, ("bad handshake length"));
1035 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
1038 if (ssl->in_msglen < ssl->in_hslen) {
1039 SSL_DEBUG_MSG(1, ("bad handshake length"));
1040 return (TROPICSSL_ERR_SSL_INVALID_RECORD);
1043 md5_update(&ssl->fin_md5, ssl->in_msg, ssl->in_hslen);
1044 sha1_update(&ssl->fin_sha1, ssl->in_msg, ssl->in_hslen);
1047 if (ssl->in_msgtype == SSL_MSG_ALERT) {
1048 SSL_DEBUG_MSG(2, ("got an alert message, type: [%d:%d]",
1049 ssl->in_msg[0], ssl->in_msg[1]));
1052 * Ignore non-fatal alerts, except close_notify
1054 if (ssl->in_msg[0] == SSL_ALERT_FATAL) {
1055 SSL_DEBUG_MSG(1, ("is a fatal alert message"));
1056 return (TROPICSSL_ERR_SSL_FATAL_ALERT_MESSAGE |
1057 ssl->in_msg[1]);
1060 if (ssl->in_msg[0] == SSL_ALERT_WARNING &&
1061 ssl->in_msg[1] == SSL_ALERT_CLOSE_NOTIFY) {
1062 SSL_DEBUG_MSG(2, ("is a close notify message"));
1063 return (TROPICSSL_ERR_SSL_PEER_CLOSE_NOTIFY);
1067 ssl->in_left = 0;
1069 SSL_DEBUG_MSG(2, ("<= read record"));
1071 return (0);
1075 * Handshake functions
1077 int ssl_write_certificate(ssl_context * ssl)
1079 int ret, i, n;
1080 x509_cert *crt;
1082 SSL_DEBUG_MSG(2, ("=> write certificate"));
1084 if (ssl->endpoint == SSL_IS_CLIENT) {
1085 if (ssl->client_auth == 0) {
1086 SSL_DEBUG_MSG(2, ("<= skip write certificate"));
1087 ssl->state++;
1088 return (0);
1092 * If using SSLv3 and got no cert, send an Alert message
1093 * (otherwise an empty Certificate message will be sent).
1095 if (ssl->own_cert == NULL &&
1096 ssl->minor_ver == SSL_MINOR_VERSION_0) {
1097 ssl->out_msglen = 2;
1098 ssl->out_msgtype = SSL_MSG_ALERT;
1099 ssl->out_msg[0] = SSL_ALERT_WARNING;
1100 ssl->out_msg[1] = SSL_ALERT_NO_CERTIFICATE;
1102 SSL_DEBUG_MSG(2, ("got no certificate to send"));
1103 goto write_msg;
1105 } else { /* SSL_IS_SERVER */
1106 if (ssl->own_cert == NULL) {
1107 SSL_DEBUG_MSG(1, ("got no certificate to send"));
1108 return (TROPICSSL_ERR_SSL_CERTIFICATE_REQUIRED);
1112 SSL_DEBUG_CRT(3, "own certificate", ssl->own_cert);
1115 * 0 . 0 handshake type
1116 * 1 . 3 handshake length
1117 * 4 . 6 length of all certs
1118 * 7 . 9 length of cert. 1
1119 * 10 . n-1 peer certificate
1120 * n . n+2 length of cert. 2
1121 * n+3 . ... upper level cert, etc.
1123 i = 7;
1124 crt = ssl->own_cert;
1126 while (crt != NULL && crt->next != NULL) {
1127 n = crt->raw.len;
1128 if (i + 3 + n > SSL_MAX_CONTENT_LEN) {
1129 SSL_DEBUG_MSG(1, ("certificate too large, %d > %d",
1130 i + 3 + n, SSL_MAX_CONTENT_LEN));
1131 return (TROPICSSL_ERR_SSL_CERTIFICATE_TOO_LARGE);
1134 ssl->out_msg[i] = (unsigned char)(n >> 16);
1135 ssl->out_msg[i + 1] = (unsigned char)(n >> 8);
1136 ssl->out_msg[i + 2] = (unsigned char)(n);
1138 i += 3;
1139 memcpy(ssl->out_msg + i, crt->raw.p, n);
1140 i += n;
1141 crt = crt->next;
1144 ssl->out_msg[4] = (unsigned char)((i - 7) >> 16);
1145 ssl->out_msg[5] = (unsigned char)((i - 7) >> 8);
1146 ssl->out_msg[6] = (unsigned char)((i - 7));
1148 ssl->out_msglen = i;
1149 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1150 ssl->out_msg[0] = SSL_HS_CERTIFICATE;
1152 write_msg:
1154 ssl->state++;
1156 if ((ret = ssl_write_record(ssl)) != 0) {
1157 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1158 return (ret);
1161 SSL_DEBUG_MSG(2, ("<= write certificate"));
1163 return (0);
1166 int ssl_parse_certificate(ssl_context * ssl)
1168 int ret, i, n;
1170 SSL_DEBUG_MSG(2, ("=> parse certificate"));
1172 if (ssl->endpoint == SSL_IS_SERVER && ssl->authmode == SSL_VERIFY_NONE) {
1173 SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
1174 ssl->state++;
1175 return (0);
1178 if ((ret = ssl_read_record(ssl)) != 0) {
1179 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1180 return (ret);
1183 ssl->state++;
1186 * Check if the client sent an empty certificate
1188 if (ssl->endpoint == SSL_IS_SERVER &&
1189 ssl->minor_ver == SSL_MINOR_VERSION_0) {
1190 if (ssl->in_msglen == 2 &&
1191 ssl->in_msgtype == SSL_MSG_ALERT &&
1192 ssl->in_msg[0] == SSL_ALERT_WARNING &&
1193 ssl->in_msg[1] == SSL_ALERT_NO_CERTIFICATE) {
1194 SSL_DEBUG_MSG(1, ("SSLv3 client has no certificate"));
1196 if (ssl->authmode == SSL_VERIFY_OPTIONAL)
1197 return (0);
1198 else
1199 return
1200 (TROPICSSL_ERR_SSL_NO_CLIENT_CERTIFICATE);
1204 if (ssl->endpoint == SSL_IS_SERVER &&
1205 ssl->minor_ver != SSL_MINOR_VERSION_0) {
1206 if (ssl->in_hslen == 7 &&
1207 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
1208 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
1209 memcmp(ssl->in_msg + 4, "\0\0\0", 3) == 0) {
1210 SSL_DEBUG_MSG(1, ("TLSv1 client has no certificate"));
1212 if (ssl->authmode == SSL_VERIFY_REQUIRED)
1213 return
1214 (TROPICSSL_ERR_SSL_NO_CLIENT_CERTIFICATE);
1215 else
1216 return (0);
1220 if (ssl->in_msgtype != SSL_MSG_HANDSHAKE) {
1221 SSL_DEBUG_MSG(1, ("bad certificate message"));
1222 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE);
1225 if (ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10) {
1226 SSL_DEBUG_MSG(1, ("bad certificate message"));
1227 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE);
1231 * Same message structure as in ssl_write_certificate()
1233 n = (ssl->in_msg[5] << 8) | ssl->in_msg[6];
1235 if (ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n) {
1236 SSL_DEBUG_MSG(1, ("bad certificate message"));
1237 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE);
1240 if ((ssl->peer_cert = (x509_cert *) malloc(sizeof(x509_cert))) == NULL) {
1241 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed",
1242 sizeof(x509_cert)));
1243 return (1);
1246 memset(ssl->peer_cert, 0, sizeof(x509_cert));
1248 i = 7;
1250 while (i < ssl->in_hslen) {
1251 if (ssl->in_msg[i] != 0) {
1252 SSL_DEBUG_MSG(1, ("bad certificate message"));
1253 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE);
1256 n = ((unsigned int)ssl->in_msg[i + 1] << 8)
1257 | (unsigned int)ssl->in_msg[i + 2];
1258 i += 3;
1260 if (n < 128 || i + n > ssl->in_hslen) {
1261 SSL_DEBUG_MSG(1, ("bad certificate message"));
1262 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE);
1265 ret = x509parse_crt(ssl->peer_cert, ssl->in_msg + i, n);
1266 if (ret != 0) {
1267 SSL_DEBUG_RET(1, " x509parse_crt", ret);
1268 return (ret);
1271 i += n;
1274 SSL_DEBUG_CRT(3, "peer certificate", ssl->peer_cert);
1276 if (ssl->authmode != SSL_VERIFY_NONE) {
1277 if (ssl->ca_chain == NULL) {
1278 SSL_DEBUG_MSG(1, ("got no CA chain"));
1279 return (TROPICSSL_ERR_SSL_CA_CHAIN_REQUIRED);
1282 ret = x509parse_verify(ssl->peer_cert, ssl->ca_chain,
1283 ssl->peer_cn, &ssl->verify_result);
1285 if (ret != 0)
1286 SSL_DEBUG_RET(1, "x509_verify_cert", ret);
1288 if (ssl->authmode != SSL_VERIFY_REQUIRED)
1289 ret = 0;
1292 SSL_DEBUG_MSG(2, ("<= parse certificate"));
1294 return (ret);
1297 int ssl_write_change_cipher_spec(ssl_context * ssl)
1299 int ret;
1301 SSL_DEBUG_MSG(2, ("=> write change cipher spec"));
1303 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
1304 ssl->out_msglen = 1;
1305 ssl->out_msg[0] = 1;
1307 ssl->do_crypt = 0;
1308 ssl->state++;
1310 if ((ret = ssl_write_record(ssl)) != 0) {
1311 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1312 return (ret);
1315 SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
1317 return (0);
1320 int ssl_parse_change_cipher_spec(ssl_context * ssl)
1322 int ret;
1324 SSL_DEBUG_MSG(2, ("=> parse change cipher spec"));
1326 ssl->do_crypt = 0;
1328 if ((ret = ssl_read_record(ssl)) != 0) {
1329 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1330 return (ret);
1333 if (ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC) {
1334 SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
1335 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE);
1338 if (ssl->in_msglen != 1 || ssl->in_msg[0] != 1) {
1339 SSL_DEBUG_MSG(1, ("bad change cipher spec message"));
1340 return (TROPICSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC);
1343 ssl->state++;
1345 SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
1347 return (0);
1350 static void ssl_calc_finished(ssl_context * ssl, unsigned char *buf, int from,
1351 md5_context * md5_ctx, sha1_context * sha1_ctx)
1353 int len = 12;
1354 const char *sender;
1355 unsigned char padbuf[48];
1356 unsigned char md5sum[16];
1357 unsigned char sha1sum[20];
1359 SSL_DEBUG_MSG(2, ("=> calc finished"));
1362 * SSLv3:
1363 * hash =
1364 * MD5( master + pad2 +
1365 * MD5( handshake + sender + master + pad1 ) )
1366 * + SHA1( master + pad2 +
1367 * SHA1( handshake + sender + master + pad1 ) )
1369 * TLSv1:
1370 * hash = PRF( master, finished_label,
1371 * MD5( handshake ) + SHA1( handshake ) )[0..11]
1374 SSL_DEBUG_BUF(4, "finished md5 state", (unsigned char *)
1375 md5_ctx->state, sizeof(md5_ctx->state));
1377 SSL_DEBUG_BUF(4, "finished sha1 state", (unsigned char *)
1378 sha1_ctx->state, sizeof(sha1_ctx->state));
1380 if (ssl->minor_ver == SSL_MINOR_VERSION_0) {
1381 sender = (from == SSL_IS_CLIENT) ? "CLNT"
1382 : "SRVR";
1384 memset(padbuf, 0x36, 48);
1386 md5_update(md5_ctx, (const unsigned char *)sender, 4);
1387 md5_update(md5_ctx, ssl->session->master, 48);
1388 md5_update(md5_ctx, padbuf, 48);
1389 md5_finish(md5_ctx, md5sum);
1391 sha1_update(sha1_ctx, (const unsigned char *)sender, 4);
1392 sha1_update(sha1_ctx, ssl->session->master, 48);
1393 sha1_update(sha1_ctx, padbuf, 40);
1394 sha1_finish(sha1_ctx, sha1sum);
1396 memset(padbuf, 0x5C, 48);
1398 md5_starts(md5_ctx);
1399 md5_update(md5_ctx, ssl->session->master, 48);
1400 md5_update(md5_ctx, padbuf, 48);
1401 md5_update(md5_ctx, md5sum, 16);
1402 md5_finish(md5_ctx, buf);
1404 sha1_starts(sha1_ctx);
1405 sha1_update(sha1_ctx, ssl->session->master, 48);
1406 sha1_update(sha1_ctx, padbuf, 40);
1407 sha1_update(sha1_ctx, sha1sum, 20);
1408 sha1_finish(sha1_ctx, buf + 16);
1410 len += 24;
1411 } else {
1412 sender = (from == SSL_IS_CLIENT)
1413 ? "client finished" : "server finished";
1415 md5_finish(md5_ctx, padbuf);
1416 sha1_finish(sha1_ctx, padbuf + 16);
1418 tls1_prf(ssl->session->master, 48, sender,
1419 padbuf, 36, buf, len);
1422 SSL_DEBUG_BUF(3, "calc finished result", buf, len);
1424 memset(md5_ctx, 0, sizeof(md5_context));
1425 memset(sha1_ctx, 0, sizeof(sha1_context));
1427 memset(padbuf, 0, sizeof(padbuf));
1428 memset(md5sum, 0, sizeof(md5sum));
1429 memset(sha1sum, 0, sizeof(sha1sum));
1431 SSL_DEBUG_MSG(2, ("<= calc finished"));
1434 int ssl_write_finished(ssl_context * ssl)
1436 int ret, hash_len;
1437 md5_context md5_ctx;
1438 sha1_context sha1_ctx;
1440 SSL_DEBUG_MSG(2, ("=> write finished"));
1442 memcpy(&md5_ctx, &ssl->fin_md5, sizeof(md5_context));
1443 memcpy(&sha1_ctx, &ssl->fin_sha1, sizeof(sha1_context));
1445 ssl_calc_finished(ssl, ssl->out_msg + 4, ssl->endpoint, &md5_ctx, &sha1_ctx);
1447 hash_len = (ssl->minor_ver == SSL_MINOR_VERSION_0) ? 36 : 12;
1449 ssl->out_msglen = 4 + hash_len;
1450 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
1451 ssl->out_msg[0] = SSL_HS_FINISHED;
1454 * In case of session resuming, invert the client and server
1455 * ChangeCipherSpec messages order.
1457 if (ssl->resume != 0) {
1458 if (ssl->endpoint == SSL_IS_CLIENT)
1459 ssl->state = SSL_HANDSHAKE_OVER;
1460 else
1461 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1462 } else
1463 ssl->state++;
1465 ssl->do_crypt = 1;
1467 if ((ret = ssl_write_record(ssl)) != 0) {
1468 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1469 return (ret);
1472 SSL_DEBUG_MSG(2, ("<= write finished"));
1474 return (0);
1477 int ssl_parse_finished(ssl_context * ssl)
1479 int ret, hash_len;
1480 md5_context md5_ctx;
1481 sha1_context sha1_ctx;
1482 unsigned char buf[36];
1484 SSL_DEBUG_MSG(2, ("=> parse finished"));
1486 memcpy(&md5_ctx, &ssl->fin_md5, sizeof(md5_context));
1487 memcpy(&sha1_ctx, &ssl->fin_sha1, sizeof(sha1_context));
1489 ssl->do_crypt = 1;
1491 if ((ret = ssl_read_record(ssl)) != 0) {
1492 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1493 return (ret);
1496 if (ssl->in_msgtype != SSL_MSG_HANDSHAKE) {
1497 SSL_DEBUG_MSG(1, ("bad finished message"));
1498 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE);
1501 hash_len = (ssl->minor_ver == SSL_MINOR_VERSION_0) ? 36 : 12;
1503 if (ssl->in_msg[0] != SSL_HS_FINISHED || ssl->in_hslen != 4 + hash_len) {
1504 SSL_DEBUG_MSG(1, ("bad finished message"));
1505 return (TROPICSSL_ERR_SSL_BAD_HS_FINISHED);
1508 ssl_calc_finished(ssl, buf, ssl->endpoint ^ 1, &md5_ctx, &sha1_ctx);
1510 if (memcmp(ssl->in_msg + 4, buf, hash_len) != 0) {
1511 SSL_DEBUG_MSG(1, ("bad finished message"));
1512 return (TROPICSSL_ERR_SSL_BAD_HS_FINISHED);
1515 if (ssl->resume != 0) {
1516 if (ssl->endpoint == SSL_IS_CLIENT)
1517 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
1519 if (ssl->endpoint == SSL_IS_SERVER)
1520 ssl->state = SSL_HANDSHAKE_OVER;
1521 } else
1522 ssl->state++;
1524 SSL_DEBUG_MSG(2, ("<= parse finished"));
1526 return (0);
1530 * Initialize an SSL context
1532 int ssl_init(ssl_context * ssl)
1534 int len = SSL_BUFFER_LEN;
1536 memset(ssl, 0, sizeof(ssl_context));
1538 ssl->in_ctr = (unsigned char *)malloc(len);
1539 ssl->in_hdr = ssl->in_ctr + 8;
1540 ssl->in_msg = ssl->in_ctr + 13;
1542 if (ssl->in_ctr == NULL) {
1543 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed", len));
1544 return (1);
1547 ssl->out_ctr = (unsigned char *)malloc(len);
1548 ssl->out_hdr = ssl->out_ctr + 8;
1549 ssl->out_msg = ssl->out_ctr + 13;
1551 if (ssl->out_ctr == NULL) {
1552 SSL_DEBUG_MSG(1, ("malloc(%d bytes) failed", len));
1553 free(ssl->in_ctr);
1554 return (1);
1557 memset(ssl->in_ctr, 0, SSL_BUFFER_LEN);
1558 memset(ssl->out_ctr, 0, SSL_BUFFER_LEN);
1560 ssl->hostname = NULL;
1561 ssl->hostname_len = 0;
1563 md5_starts(&ssl->fin_md5);
1564 sha1_starts(&ssl->fin_sha1);
1566 return (0);
1570 * SSL set accessors
1572 void ssl_set_endpoint(ssl_context * ssl, int endpoint)
1574 ssl->endpoint = endpoint;
1577 void ssl_set_authmode(ssl_context * ssl, int authmode)
1579 ssl->authmode = authmode;
1582 void ssl_set_rng(ssl_context * ssl, int (*f_rng) (void *), void *p_rng)
1584 ssl->f_rng = f_rng;
1585 ssl->p_rng = p_rng;
1588 void ssl_set_dbg(ssl_context * ssl,
1589 void (*f_dbg) (void *, int, const char *), void *p_dbg)
1591 ssl->f_dbg = f_dbg;
1592 ssl->p_dbg = p_dbg;
1595 void ssl_set_bio(ssl_context * ssl,
1596 int (*f_recv) (void *, unsigned char *, int), void *p_recv,
1597 int (*f_send) (void *, const unsigned char *, int), void *p_send)
1599 ssl->f_recv = f_recv;
1600 ssl->f_send = f_send;
1601 ssl->p_recv = p_recv;
1602 ssl->p_send = p_send;
1605 void ssl_set_scb(ssl_context * ssl,
1606 int (*s_get) (ssl_context *), int (*s_set) (ssl_context *))
1608 ssl->s_get = s_get;
1609 ssl->s_set = s_set;
1612 void ssl_set_session(ssl_context * ssl, int resume, int timeout,
1613 ssl_session * session)
1615 ssl->resume = resume;
1616 ssl->timeout = timeout;
1617 ssl->session = session;
1620 void ssl_set_ciphers(ssl_context * ssl, const int *ciphers)
1622 ssl->ciphers = ciphers;
1625 void ssl_set_ca_chain(ssl_context * ssl, x509_cert * ca_chain, const char *peer_cn)
1627 ssl->ca_chain = ca_chain;
1628 ssl->peer_cn = peer_cn;
1631 void ssl_set_own_cert(ssl_context * ssl, x509_cert * own_cert,
1632 rsa_context * rsa_key)
1634 ssl->own_cert = own_cert;
1635 ssl->rsa_key = rsa_key;
1638 int ssl_set_dh_param(ssl_context * ssl, const char *dhm_P, const char *dhm_G)
1640 int ret;
1642 if ((ret = mpi_read_string(&ssl->dhm_ctx.P, 16, dhm_P)) != 0) {
1643 SSL_DEBUG_RET(1, "mpi_read_string", ret);
1644 return (ret);
1647 if ((ret = mpi_read_string(&ssl->dhm_ctx.G, 16, dhm_G)) != 0) {
1648 SSL_DEBUG_RET(1, "mpi_read_string", ret);
1649 return (ret);
1652 return (0);
1655 int ssl_set_hostname(ssl_context * ssl, const char *hostname)
1657 if (hostname == NULL)
1658 return (TROPICSSL_ERR_SSL_BAD_INPUT_DATA);
1660 ssl->hostname_len = strlen(hostname);
1661 ssl->hostname = (unsigned char *)malloc(ssl->hostname_len + 1);
1663 memcpy(ssl->hostname, hostname, ssl->hostname_len);
1665 return (0);
1669 * SSL get accessors
1671 int ssl_get_bytes_avail(const ssl_context * ssl)
1673 return (ssl->in_offt == NULL ? 0 : ssl->in_msglen);
1676 int ssl_get_verify_result(const ssl_context * ssl)
1678 return (ssl->verify_result);
1681 const char *ssl_get_cipher(const ssl_context * ssl)
1683 switch (ssl->session->cipher) {
1684 #if defined(TROPICSSL_ARC4_C)
1685 case SSL_RSA_RC4_128_MD5:
1686 return ("SSL_RSA_RC4_128_MD5");
1688 case SSL_RSA_RC4_128_SHA:
1689 return ("SSL_RSA_RC4_128_SHA");
1690 #endif
1692 #if defined(TROPICSSL_DES_C)
1693 case SSL_RSA_DES_168_SHA:
1694 return ("SSL_RSA_DES_168_SHA");
1696 case SSL_EDH_RSA_DES_168_SHA:
1697 return ("SSL_EDH_RSA_DES_168_SHA");
1698 #endif
1700 #if defined(TROPICSSL_AES_C)
1701 case SSL_RSA_AES_128_SHA:
1702 return ("SSL_RSA_AES_128_SHA");
1704 case SSL_RSA_AES_256_SHA:
1705 return ("SSL_RSA_AES_256_SHA");
1707 case SSL_EDH_RSA_AES_256_SHA:
1708 return ("SSL_EDH_RSA_AES_256_SHA");
1709 #endif
1711 #if defined(TROPICSSL_CAMELLIA_C)
1712 case SSL_RSA_CAMELLIA_128_SHA:
1713 return ("SSL_RSA_CAMELLIA_128_SHA");
1715 case SSL_RSA_CAMELLIA_256_SHA:
1716 return ("SSL_RSA_CAMELLIA_256_SHA");
1718 case SSL_EDH_RSA_CAMELLIA_256_SHA:
1719 return ("SSL_EDH_RSA_CAMELLIA_256_SHA");
1720 #endif
1722 default:
1723 break;
1726 return ("unknown");
1729 const int ssl_default_ciphers[] = {
1730 #if defined(TROPICSSL_DHM_C)
1731 #if defined(TROPICSSL_AES_C)
1732 SSL_EDH_RSA_AES_256_SHA,
1733 #endif
1734 #if defined(TROPICSSL_CAMELLIA_C)
1735 SSL_EDH_RSA_CAMELLIA_256_SHA,
1736 #endif
1737 #if defined(TROPICSSL_DES_C)
1738 SSL_EDH_RSA_DES_168_SHA,
1739 #endif
1740 #endif
1742 #if defined(TROPICSSL_AES_C)
1743 SSL_RSA_AES_128_SHA,
1744 SSL_RSA_AES_256_SHA,
1745 #endif
1746 #if defined(TROPICSSL_CAMELLIA_C)
1747 SSL_RSA_CAMELLIA_128_SHA,
1748 SSL_RSA_CAMELLIA_256_SHA,
1749 #endif
1750 #if defined(TROPICSSL_DES_C)
1751 SSL_RSA_DES_168_SHA,
1752 #endif
1753 #if defined(TROPICSSL_ARC4_C)
1754 SSL_RSA_RC4_128_SHA,
1755 SSL_RSA_RC4_128_MD5,
1756 #endif
1761 * Perform the SSL handshake
1763 int ssl_handshake(ssl_context * ssl)
1765 int ret = TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE;
1767 SSL_DEBUG_MSG(2, ("=> handshake"));
1769 #if defined(TROPICSSL_SSL_CLI_C)
1770 if (ssl->endpoint == SSL_IS_CLIENT)
1771 ret = ssl_handshake_client(ssl);
1772 #endif
1774 #if defined(TROPICSSL_SSL_SRV_C)
1775 if (ssl->endpoint == SSL_IS_SERVER)
1776 ret = ssl_handshake_server(ssl);
1777 #endif
1779 SSL_DEBUG_MSG(2, ("<= handshake"));
1781 return (ret);
1785 * Receive application data decrypted from the SSL layer
1787 int ssl_read(ssl_context * ssl, unsigned char *buf, int len)
1789 int ret, n;
1791 SSL_DEBUG_MSG(2, ("=> read"));
1793 if (ssl->state != SSL_HANDSHAKE_OVER) {
1794 if ((ret = ssl_handshake(ssl)) != 0) {
1795 SSL_DEBUG_RET(1, "ssl_handshake", ret);
1796 return (ret);
1800 if (ssl->in_offt == NULL) {
1801 if ((ret = ssl_read_record(ssl)) != 0) {
1802 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1803 return (ret);
1806 if (ssl->in_msglen == 0 &&
1807 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA) {
1809 * OpenSSL sends empty messages to randomize the IV
1811 if ((ret = ssl_read_record(ssl)) != 0) {
1812 SSL_DEBUG_RET(1, "ssl_read_record", ret);
1813 return (ret);
1817 if (ssl->in_msgtype != SSL_MSG_APPLICATION_DATA) {
1818 SSL_DEBUG_MSG(1, ("bad application data message"));
1819 return (TROPICSSL_ERR_SSL_UNEXPECTED_MESSAGE);
1822 ssl->in_offt = ssl->in_msg;
1825 n = (len < ssl->in_msglen)
1826 ? len : ssl->in_msglen;
1828 memcpy(buf, ssl->in_offt, n);
1829 ssl->in_msglen -= n;
1831 if (ssl->in_msglen == 0)
1832 /* all bytes consumed */
1833 ssl->in_offt = NULL;
1834 else
1835 /* more data available */
1836 ssl->in_offt += n;
1838 SSL_DEBUG_MSG(2, ("<= read"));
1840 return (n);
1844 * Send application data to be encrypted by the SSL layer
1846 int ssl_write(ssl_context * ssl, const unsigned char *buf, int len)
1848 int ret, n;
1850 SSL_DEBUG_MSG(2, ("=> write"));
1852 if (ssl->state != SSL_HANDSHAKE_OVER) {
1853 if ((ret = ssl_handshake(ssl)) != 0) {
1854 SSL_DEBUG_RET(1, "ssl_handshake", ret);
1855 return (ret);
1859 n = (len < SSL_MAX_CONTENT_LEN)
1860 ? len : SSL_MAX_CONTENT_LEN;
1862 if (ssl->out_left != 0) {
1863 if ((ret = ssl_flush_output(ssl)) != 0) {
1864 SSL_DEBUG_RET(1, "ssl_flush_output", ret);
1865 return (ret);
1867 } else {
1868 ssl->out_msglen = n;
1869 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
1870 memcpy(ssl->out_msg, buf, n);
1872 if ((ret = ssl_write_record(ssl)) != 0) {
1873 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1874 return (ret);
1878 SSL_DEBUG_MSG(2, ("<= write"));
1880 return (n);
1884 * Notify the peer that the connection is being closed
1886 int ssl_close_notify(ssl_context * ssl)
1888 int ret;
1890 SSL_DEBUG_MSG(2, ("=> write close notify"));
1892 if ((ret = ssl_flush_output(ssl)) != 0) {
1893 SSL_DEBUG_RET(1, "ssl_flush_output", ret);
1894 return (ret);
1897 if (ssl->state == SSL_HANDSHAKE_OVER) {
1898 ssl->out_msgtype = SSL_MSG_ALERT;
1899 ssl->out_msglen = 2;
1900 ssl->out_msg[0] = SSL_ALERT_WARNING;
1901 ssl->out_msg[1] = SSL_ALERT_CLOSE_NOTIFY;
1903 if ((ret = ssl_write_record(ssl)) != 0) {
1904 SSL_DEBUG_RET(1, "ssl_write_record", ret);
1905 return (ret);
1909 SSL_DEBUG_MSG(2, ("<= write close notify"));
1911 return (ret);
1915 * Free an SSL context
1917 void ssl_free(ssl_context * ssl)
1919 SSL_DEBUG_MSG(2, ("=> free"));
1921 if (ssl->peer_cert != NULL) {
1922 x509_free(ssl->peer_cert);
1923 memset(ssl->peer_cert, 0, sizeof(x509_cert));
1924 free(ssl->peer_cert);
1927 if (ssl->out_ctr != NULL) {
1928 memset(ssl->out_ctr, 0, SSL_BUFFER_LEN);
1929 free(ssl->out_ctr);
1932 if (ssl->in_ctr != NULL) {
1933 memset(ssl->in_ctr, 0, SSL_BUFFER_LEN);
1934 free(ssl->in_ctr);
1936 #if defined(TROPICSSL_DHM_C)
1937 dhm_free(&ssl->dhm_ctx);
1938 #endif
1940 if (ssl->hostname != NULL) {
1941 memset(ssl->hostname, 0, ssl->hostname_len);
1942 free(ssl->hostname);
1943 ssl->hostname_len = 0;
1946 memset(ssl, 0, sizeof(ssl_context));
1948 SSL_DEBUG_MSG(2, ("<= free"));
1951 #endif