PolarSSL v1.1.4
|
00001 /* 00002 * SSLv3/TLSv1 shared functions 00003 * 00004 * Copyright (C) 2006-2010, Brainspark B.V. 00005 * 00006 * This file is part of PolarSSL (http://www.polarssl.org) 00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> 00008 * 00009 * All rights reserved. 00010 * 00011 * This program is free software; you can redistribute it and/or modify 00012 * it under the terms of the GNU General Public License as published by 00013 * the Free Software Foundation; either version 2 of the License, or 00014 * (at your option) any later version. 00015 * 00016 * This program is distributed in the hope that it will be useful, 00017 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00018 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00019 * GNU General Public License for more details. 00020 * 00021 * You should have received a copy of the GNU General Public License along 00022 * with this program; if not, write to the Free Software Foundation, Inc., 00023 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00024 */ 00025 /* 00026 * The SSL 3.0 specification was drafted by Netscape in 1996, 00027 * and became an IETF standard in 1999. 00028 * 00029 * http://wp.netscape.com/eng/ssl3/ 00030 * http://www.ietf.org/rfc/rfc2246.txt 00031 * http://www.ietf.org/rfc/rfc4346.txt 00032 */ 00033 00034 #include "polarssl/config.h" 00035 00036 #if defined(POLARSSL_SSL_TLS_C) 00037 00038 #include "polarssl/aes.h" 00039 #include "polarssl/arc4.h" 00040 #include "polarssl/camellia.h" 00041 #include "polarssl/des.h" 00042 #include "polarssl/debug.h" 00043 #include "polarssl/ssl.h" 00044 00045 #include <stdlib.h> 00046 #include <time.h> 00047 00048 #if defined _MSC_VER && !defined strcasecmp 00049 #define strcasecmp _stricmp 00050 #endif 00051 00052 /* 00053 * Key material generation 00054 */ 00055 static int tls1_prf( unsigned char *secret, size_t slen, char *label, 00056 unsigned char *random, size_t rlen, 00057 unsigned char *dstbuf, size_t dlen ) 00058 { 00059 size_t nb, hs; 00060 size_t i, j, k; 00061 unsigned char *S1, *S2; 00062 unsigned char tmp[128]; 00063 unsigned char h_i[20]; 00064 00065 if( sizeof( tmp ) < 20 + strlen( label ) + rlen ) 00066 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00067 00068 hs = ( slen + 1 ) / 2; 00069 S1 = secret; 00070 S2 = secret + slen - hs; 00071 00072 nb = strlen( label ); 00073 memcpy( tmp + 20, label, nb ); 00074 memcpy( tmp + 20 + nb, random, rlen ); 00075 nb += rlen; 00076 00077 /* 00078 * First compute P_md5(secret,label+random)[0..dlen] 00079 */ 00080 md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp ); 00081 00082 for( i = 0; i < dlen; i += 16 ) 00083 { 00084 md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i ); 00085 md5_hmac( S1, hs, 4 + tmp, 16, 4 + tmp ); 00086 00087 k = ( i + 16 > dlen ) ? dlen % 16 : 16; 00088 00089 for( j = 0; j < k; j++ ) 00090 dstbuf[i + j] = h_i[j]; 00091 } 00092 00093 /* 00094 * XOR out with P_sha1(secret,label+random)[0..dlen] 00095 */ 00096 sha1_hmac( S2, hs, tmp + 20, nb, tmp ); 00097 00098 for( i = 0; i < dlen; i += 20 ) 00099 { 00100 sha1_hmac( S2, hs, tmp, 20 + nb, h_i ); 00101 sha1_hmac( S2, hs, tmp, 20, tmp ); 00102 00103 k = ( i + 20 > dlen ) ? dlen % 20 : 20; 00104 00105 for( j = 0; j < k; j++ ) 00106 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); 00107 } 00108 00109 memset( tmp, 0, sizeof( tmp ) ); 00110 memset( h_i, 0, sizeof( h_i ) ); 00111 00112 return( 0 ); 00113 } 00114 00115 int ssl_derive_keys( ssl_context *ssl ) 00116 { 00117 int i; 00118 md5_context md5; 00119 sha1_context sha1; 00120 unsigned char tmp[64]; 00121 unsigned char padding[16]; 00122 unsigned char sha1sum[20]; 00123 unsigned char keyblk[256]; 00124 unsigned char *key1; 00125 unsigned char *key2; 00126 00127 SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); 00128 00129 /* 00130 * SSLv3: 00131 * master = 00132 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) + 00133 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) + 00134 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) ) 00135 * 00136 * TLSv1: 00137 * master = PRF( premaster, "master secret", randbytes )[0..47] 00138 */ 00139 if( ssl->resume == 0 ) 00140 { 00141 size_t len = ssl->pmslen; 00142 00143 SSL_DEBUG_BUF( 3, "premaster secret", ssl->premaster, len ); 00144 00145 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) 00146 { 00147 for( i = 0; i < 3; i++ ) 00148 { 00149 memset( padding, 'A' + i, 1 + i ); 00150 00151 sha1_starts( &sha1 ); 00152 sha1_update( &sha1, padding, 1 + i ); 00153 sha1_update( &sha1, ssl->premaster, len ); 00154 sha1_update( &sha1, ssl->randbytes, 64 ); 00155 sha1_finish( &sha1, sha1sum ); 00156 00157 md5_starts( &md5 ); 00158 md5_update( &md5, ssl->premaster, len ); 00159 md5_update( &md5, sha1sum, 20 ); 00160 md5_finish( &md5, ssl->session->master + i * 16 ); 00161 } 00162 } 00163 else 00164 tls1_prf( ssl->premaster, len, "master secret", 00165 ssl->randbytes, 64, ssl->session->master, 48 ); 00166 00167 memset( ssl->premaster, 0, sizeof( ssl->premaster ) ); 00168 } 00169 else 00170 SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); 00171 00172 /* 00173 * Swap the client and server random values. 00174 */ 00175 memcpy( tmp, ssl->randbytes, 64 ); 00176 memcpy( ssl->randbytes, tmp + 32, 32 ); 00177 memcpy( ssl->randbytes + 32, tmp, 32 ); 00178 memset( tmp, 0, sizeof( tmp ) ); 00179 00180 /* 00181 * SSLv3: 00182 * key block = 00183 * MD5( master + SHA1( 'A' + master + randbytes ) ) + 00184 * MD5( master + SHA1( 'BB' + master + randbytes ) ) + 00185 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) + 00186 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) + 00187 * ... 00188 * 00189 * TLSv1: 00190 * key block = PRF( master, "key expansion", randbytes ) 00191 */ 00192 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) 00193 { 00194 for( i = 0; i < 16; i++ ) 00195 { 00196 memset( padding, 'A' + i, 1 + i ); 00197 00198 sha1_starts( &sha1 ); 00199 sha1_update( &sha1, padding, 1 + i ); 00200 sha1_update( &sha1, ssl->session->master, 48 ); 00201 sha1_update( &sha1, ssl->randbytes, 64 ); 00202 sha1_finish( &sha1, sha1sum ); 00203 00204 md5_starts( &md5 ); 00205 md5_update( &md5, ssl->session->master, 48 ); 00206 md5_update( &md5, sha1sum, 20 ); 00207 md5_finish( &md5, keyblk + i * 16 ); 00208 } 00209 00210 memset( &md5, 0, sizeof( md5 ) ); 00211 memset( &sha1, 0, sizeof( sha1 ) ); 00212 00213 memset( padding, 0, sizeof( padding ) ); 00214 memset( sha1sum, 0, sizeof( sha1sum ) ); 00215 } 00216 else 00217 tls1_prf( ssl->session->master, 48, "key expansion", 00218 ssl->randbytes, 64, keyblk, 256 ); 00219 00220 SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", ssl_get_ciphersuite( ssl ) ) ); 00221 SSL_DEBUG_BUF( 3, "master secret", ssl->session->master, 48 ); 00222 SSL_DEBUG_BUF( 4, "random bytes", ssl->randbytes, 64 ); 00223 SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); 00224 00225 memset( ssl->randbytes, 0, sizeof( ssl->randbytes ) ); 00226 00227 /* 00228 * Determine the appropriate key, IV and MAC length. 00229 */ 00230 switch( ssl->session->ciphersuite ) 00231 { 00232 #if defined(POLARSSL_ARC4_C) 00233 case SSL_RSA_RC4_128_MD5: 00234 ssl->keylen = 16; ssl->minlen = 16; 00235 ssl->ivlen = 0; ssl->maclen = 16; 00236 break; 00237 00238 case SSL_RSA_RC4_128_SHA: 00239 ssl->keylen = 16; ssl->minlen = 20; 00240 ssl->ivlen = 0; ssl->maclen = 20; 00241 break; 00242 #endif 00243 00244 #if defined(POLARSSL_DES_C) 00245 case SSL_RSA_DES_168_SHA: 00246 case SSL_EDH_RSA_DES_168_SHA: 00247 ssl->keylen = 24; ssl->minlen = 24; 00248 ssl->ivlen = 8; ssl->maclen = 20; 00249 break; 00250 #endif 00251 00252 #if defined(POLARSSL_AES_C) 00253 case SSL_RSA_AES_128_SHA: 00254 case SSL_EDH_RSA_AES_128_SHA: 00255 ssl->keylen = 16; ssl->minlen = 32; 00256 ssl->ivlen = 16; ssl->maclen = 20; 00257 break; 00258 00259 case SSL_RSA_AES_256_SHA: 00260 case SSL_EDH_RSA_AES_256_SHA: 00261 ssl->keylen = 32; ssl->minlen = 32; 00262 ssl->ivlen = 16; ssl->maclen = 20; 00263 break; 00264 #endif 00265 00266 #if defined(POLARSSL_CAMELLIA_C) 00267 case SSL_RSA_CAMELLIA_128_SHA: 00268 case SSL_EDH_RSA_CAMELLIA_128_SHA: 00269 ssl->keylen = 16; ssl->minlen = 32; 00270 ssl->ivlen = 16; ssl->maclen = 20; 00271 break; 00272 00273 case SSL_RSA_CAMELLIA_256_SHA: 00274 case SSL_EDH_RSA_CAMELLIA_256_SHA: 00275 ssl->keylen = 32; ssl->minlen = 32; 00276 ssl->ivlen = 16; ssl->maclen = 20; 00277 break; 00278 #endif 00279 00280 default: 00281 SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available", 00282 ssl_get_ciphersuite( ssl ) ) ); 00283 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00284 } 00285 00286 SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d", 00287 ssl->keylen, ssl->minlen, ssl->ivlen, ssl->maclen ) ); 00288 00289 /* 00290 * Finally setup the cipher contexts, IVs and MAC secrets. 00291 */ 00292 if( ssl->endpoint == SSL_IS_CLIENT ) 00293 { 00294 key1 = keyblk + ssl->maclen * 2; 00295 key2 = keyblk + ssl->maclen * 2 + ssl->keylen; 00296 00297 memcpy( ssl->mac_enc, keyblk, ssl->maclen ); 00298 memcpy( ssl->mac_dec, keyblk + ssl->maclen, ssl->maclen ); 00299 00300 /* 00301 * This is not used in TLS v1.1. 00302 */ 00303 memcpy( ssl->iv_enc, key2 + ssl->keylen, ssl->ivlen ); 00304 memcpy( ssl->iv_dec, key2 + ssl->keylen + ssl->ivlen, 00305 ssl->ivlen ); 00306 } 00307 else 00308 { 00309 key1 = keyblk + ssl->maclen * 2 + ssl->keylen; 00310 key2 = keyblk + ssl->maclen * 2; 00311 00312 memcpy( ssl->mac_dec, keyblk, ssl->maclen ); 00313 memcpy( ssl->mac_enc, keyblk + ssl->maclen, ssl->maclen ); 00314 00315 /* 00316 * This is not used in TLS v1.1. 00317 */ 00318 memcpy( ssl->iv_dec, key1 + ssl->keylen, ssl->ivlen ); 00319 memcpy( ssl->iv_enc, key1 + ssl->keylen + ssl->ivlen, 00320 ssl->ivlen ); 00321 } 00322 00323 switch( ssl->session->ciphersuite ) 00324 { 00325 #if defined(POLARSSL_ARC4_C) 00326 case SSL_RSA_RC4_128_MD5: 00327 case SSL_RSA_RC4_128_SHA: 00328 arc4_setup( (arc4_context *) ssl->ctx_enc, key1, ssl->keylen ); 00329 arc4_setup( (arc4_context *) ssl->ctx_dec, key2, ssl->keylen ); 00330 break; 00331 #endif 00332 00333 #if defined(POLARSSL_DES_C) 00334 case SSL_RSA_DES_168_SHA: 00335 case SSL_EDH_RSA_DES_168_SHA: 00336 des3_set3key_enc( (des3_context *) ssl->ctx_enc, key1 ); 00337 des3_set3key_dec( (des3_context *) ssl->ctx_dec, key2 ); 00338 break; 00339 #endif 00340 00341 #if defined(POLARSSL_AES_C) 00342 case SSL_RSA_AES_128_SHA: 00343 case SSL_EDH_RSA_AES_128_SHA: 00344 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 128 ); 00345 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 128 ); 00346 break; 00347 00348 case SSL_RSA_AES_256_SHA: 00349 case SSL_EDH_RSA_AES_256_SHA: 00350 aes_setkey_enc( (aes_context *) ssl->ctx_enc, key1, 256 ); 00351 aes_setkey_dec( (aes_context *) ssl->ctx_dec, key2, 256 ); 00352 break; 00353 #endif 00354 00355 #if defined(POLARSSL_CAMELLIA_C) 00356 case SSL_RSA_CAMELLIA_128_SHA: 00357 case SSL_EDH_RSA_CAMELLIA_128_SHA: 00358 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 128 ); 00359 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 128 ); 00360 break; 00361 00362 case SSL_RSA_CAMELLIA_256_SHA: 00363 case SSL_EDH_RSA_CAMELLIA_256_SHA: 00364 camellia_setkey_enc( (camellia_context *) ssl->ctx_enc, key1, 256 ); 00365 camellia_setkey_dec( (camellia_context *) ssl->ctx_dec, key2, 256 ); 00366 break; 00367 #endif 00368 00369 default: 00370 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00371 } 00372 00373 memset( keyblk, 0, sizeof( keyblk ) ); 00374 00375 SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); 00376 00377 return( 0 ); 00378 } 00379 00380 void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] ) 00381 { 00382 md5_context md5; 00383 sha1_context sha1; 00384 unsigned char pad_1[48]; 00385 unsigned char pad_2[48]; 00386 00387 SSL_DEBUG_MSG( 2, ( "=> calc verify" ) ); 00388 00389 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) ); 00390 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) ); 00391 00392 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) 00393 { 00394 memset( pad_1, 0x36, 48 ); 00395 memset( pad_2, 0x5C, 48 ); 00396 00397 md5_update( &md5, ssl->session->master, 48 ); 00398 md5_update( &md5, pad_1, 48 ); 00399 md5_finish( &md5, hash ); 00400 00401 md5_starts( &md5 ); 00402 md5_update( &md5, ssl->session->master, 48 ); 00403 md5_update( &md5, pad_2, 48 ); 00404 md5_update( &md5, hash, 16 ); 00405 md5_finish( &md5, hash ); 00406 00407 sha1_update( &sha1, ssl->session->master, 48 ); 00408 sha1_update( &sha1, pad_1, 40 ); 00409 sha1_finish( &sha1, hash + 16 ); 00410 00411 sha1_starts( &sha1 ); 00412 sha1_update( &sha1, ssl->session->master, 48 ); 00413 sha1_update( &sha1, pad_2, 40 ); 00414 sha1_update( &sha1, hash + 16, 20 ); 00415 sha1_finish( &sha1, hash + 16 ); 00416 } 00417 else /* TLSv1 */ 00418 { 00419 md5_finish( &md5, hash ); 00420 sha1_finish( &sha1, hash + 16 ); 00421 } 00422 00423 SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 00424 SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 00425 00426 return; 00427 } 00428 00429 /* 00430 * SSLv3.0 MAC functions 00431 */ 00432 static void ssl_mac_md5( unsigned char *secret, 00433 unsigned char *buf, size_t len, 00434 unsigned char *ctr, int type ) 00435 { 00436 unsigned char header[11]; 00437 unsigned char padding[48]; 00438 md5_context md5; 00439 00440 memcpy( header, ctr, 8 ); 00441 header[ 8] = (unsigned char) type; 00442 header[ 9] = (unsigned char)( len >> 8 ); 00443 header[10] = (unsigned char)( len ); 00444 00445 memset( padding, 0x36, 48 ); 00446 md5_starts( &md5 ); 00447 md5_update( &md5, secret, 16 ); 00448 md5_update( &md5, padding, 48 ); 00449 md5_update( &md5, header, 11 ); 00450 md5_update( &md5, buf, len ); 00451 md5_finish( &md5, buf + len ); 00452 00453 memset( padding, 0x5C, 48 ); 00454 md5_starts( &md5 ); 00455 md5_update( &md5, secret, 16 ); 00456 md5_update( &md5, padding, 48 ); 00457 md5_update( &md5, buf + len, 16 ); 00458 md5_finish( &md5, buf + len ); 00459 } 00460 00461 static void ssl_mac_sha1( unsigned char *secret, 00462 unsigned char *buf, size_t len, 00463 unsigned char *ctr, int type ) 00464 { 00465 unsigned char header[11]; 00466 unsigned char padding[40]; 00467 sha1_context sha1; 00468 00469 memcpy( header, ctr, 8 ); 00470 header[ 8] = (unsigned char) type; 00471 header[ 9] = (unsigned char)( len >> 8 ); 00472 header[10] = (unsigned char)( len ); 00473 00474 memset( padding, 0x36, 40 ); 00475 sha1_starts( &sha1 ); 00476 sha1_update( &sha1, secret, 20 ); 00477 sha1_update( &sha1, padding, 40 ); 00478 sha1_update( &sha1, header, 11 ); 00479 sha1_update( &sha1, buf, len ); 00480 sha1_finish( &sha1, buf + len ); 00481 00482 memset( padding, 0x5C, 40 ); 00483 sha1_starts( &sha1 ); 00484 sha1_update( &sha1, secret, 20 ); 00485 sha1_update( &sha1, padding, 40 ); 00486 sha1_update( &sha1, buf + len, 20 ); 00487 sha1_finish( &sha1, buf + len ); 00488 } 00489 00490 /* 00491 * Encryption/decryption functions 00492 */ 00493 static int ssl_encrypt_buf( ssl_context *ssl ) 00494 { 00495 size_t i, padlen; 00496 00497 SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); 00498 00499 /* 00500 * Add MAC then encrypt 00501 */ 00502 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) 00503 { 00504 if( ssl->maclen == 16 ) 00505 ssl_mac_md5( ssl->mac_enc, 00506 ssl->out_msg, ssl->out_msglen, 00507 ssl->out_ctr, ssl->out_msgtype ); 00508 00509 if( ssl->maclen == 20 ) 00510 ssl_mac_sha1( ssl->mac_enc, 00511 ssl->out_msg, ssl->out_msglen, 00512 ssl->out_ctr, ssl->out_msgtype ); 00513 } 00514 else 00515 { 00516 if( ssl->maclen == 16 ) 00517 md5_hmac( ssl->mac_enc, 16, 00518 ssl->out_ctr, ssl->out_msglen + 13, 00519 ssl->out_msg + ssl->out_msglen ); 00520 00521 if( ssl->maclen == 20 ) 00522 sha1_hmac( ssl->mac_enc, 20, 00523 ssl->out_ctr, ssl->out_msglen + 13, 00524 ssl->out_msg + ssl->out_msglen ); 00525 } 00526 00527 SSL_DEBUG_BUF( 4, "computed mac", 00528 ssl->out_msg + ssl->out_msglen, ssl->maclen ); 00529 00530 ssl->out_msglen += ssl->maclen; 00531 00532 for( i = 8; i > 0; i-- ) 00533 if( ++ssl->out_ctr[i - 1] != 0 ) 00534 break; 00535 00536 if( ssl->ivlen == 0 ) 00537 { 00538 #if defined(POLARSSL_ARC4_C) 00539 padlen = 0; 00540 00541 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 00542 "including %d bytes of padding", 00543 ssl->out_msglen, 0 ) ); 00544 00545 SSL_DEBUG_BUF( 4, "before encrypt: output payload", 00546 ssl->out_msg, ssl->out_msglen ); 00547 00548 arc4_crypt( (arc4_context *) ssl->ctx_enc, 00549 ssl->out_msglen, ssl->out_msg, 00550 ssl->out_msg ); 00551 #else 00552 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00553 #endif 00554 } 00555 else 00556 { 00557 unsigned char *enc_msg; 00558 size_t enc_msglen; 00559 00560 padlen = ssl->ivlen - ( ssl->out_msglen + 1 ) % ssl->ivlen; 00561 if( padlen == ssl->ivlen ) 00562 padlen = 0; 00563 00564 for( i = 0; i <= padlen; i++ ) 00565 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen; 00566 00567 ssl->out_msglen += padlen + 1; 00568 00569 enc_msglen = ssl->out_msglen; 00570 enc_msg = ssl->out_msg; 00571 00572 /* 00573 * Prepend per-record IV for block cipher in TLS v1.1 as per 00574 * Method 1 (6.2.3.2. in RFC4346) 00575 */ 00576 if( ssl->minor_ver == SSL_MINOR_VERSION_2 ) 00577 { 00578 /* 00579 * Generate IV 00580 */ 00581 int ret = ssl->f_rng( ssl->p_rng, ssl->iv_enc, ssl->ivlen ); 00582 if( ret != 0 ) 00583 return( ret ); 00584 00585 /* 00586 * Shift message for ivlen bytes and prepend IV 00587 */ 00588 memmove( ssl->out_msg + ssl->ivlen, ssl->out_msg, ssl->out_msglen ); 00589 memcpy( ssl->out_msg, ssl->iv_enc, ssl->ivlen ); 00590 00591 /* 00592 * Fix pointer positions and message length with added IV 00593 */ 00594 enc_msg = ssl->out_msg + ssl->ivlen; 00595 enc_msglen = ssl->out_msglen; 00596 ssl->out_msglen += ssl->ivlen; 00597 } 00598 00599 SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 00600 "including %d bytes of IV and %d bytes of padding", 00601 ssl->out_msglen, ssl->ivlen, padlen + 1 ) ); 00602 00603 SSL_DEBUG_BUF( 4, "before encrypt: output payload", 00604 ssl->out_msg, ssl->out_msglen ); 00605 00606 switch( ssl->ivlen ) 00607 { 00608 case 8: 00609 #if defined(POLARSSL_DES_C) 00610 des3_crypt_cbc( (des3_context *) ssl->ctx_enc, 00611 DES_ENCRYPT, enc_msglen, 00612 ssl->iv_enc, enc_msg, enc_msg ); 00613 break; 00614 #endif 00615 00616 case 16: 00617 #if defined(POLARSSL_AES_C) 00618 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA || 00619 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA || 00620 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA || 00621 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA) 00622 { 00623 aes_crypt_cbc( (aes_context *) ssl->ctx_enc, 00624 AES_ENCRYPT, enc_msglen, 00625 ssl->iv_enc, enc_msg, enc_msg); 00626 break; 00627 } 00628 #endif 00629 00630 #if defined(POLARSSL_CAMELLIA_C) 00631 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA || 00632 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA || 00633 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA || 00634 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA) 00635 { 00636 camellia_crypt_cbc( (camellia_context *) ssl->ctx_enc, 00637 CAMELLIA_ENCRYPT, enc_msglen, 00638 ssl->iv_enc, enc_msg, enc_msg ); 00639 break; 00640 } 00641 #endif 00642 00643 default: 00644 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00645 } 00646 } 00647 00648 SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); 00649 00650 return( 0 ); 00651 } 00652 00653 static int ssl_decrypt_buf( ssl_context *ssl ) 00654 { 00655 size_t i, padlen; 00656 unsigned char tmp[20]; 00657 00658 SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); 00659 00660 if( ssl->in_msglen < ssl->minlen ) 00661 { 00662 SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)", 00663 ssl->in_msglen, ssl->minlen ) ); 00664 return( POLARSSL_ERR_SSL_INVALID_MAC ); 00665 } 00666 00667 if( ssl->ivlen == 0 ) 00668 { 00669 #if defined(POLARSSL_ARC4_C) 00670 padlen = 0; 00671 arc4_crypt( (arc4_context *) ssl->ctx_dec, 00672 ssl->in_msglen, ssl->in_msg, 00673 ssl->in_msg ); 00674 #else 00675 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00676 #endif 00677 } 00678 else 00679 { 00680 unsigned char *dec_msg; 00681 unsigned char *dec_msg_result; 00682 size_t dec_msglen; 00683 00684 /* 00685 * Decrypt and check the padding 00686 */ 00687 if( ssl->in_msglen % ssl->ivlen != 0 ) 00688 { 00689 SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0", 00690 ssl->in_msglen, ssl->ivlen ) ); 00691 return( POLARSSL_ERR_SSL_INVALID_MAC ); 00692 } 00693 00694 dec_msglen = ssl->in_msglen; 00695 dec_msg = ssl->in_msg; 00696 dec_msg_result = ssl->in_msg; 00697 00698 /* 00699 * Initialize for prepended IV for block cipher in TLS v1.1 00700 */ 00701 if( ssl->minor_ver == SSL_MINOR_VERSION_2 ) 00702 { 00703 dec_msg += ssl->ivlen; 00704 dec_msglen -= ssl->ivlen; 00705 ssl->in_msglen -= ssl->ivlen; 00706 00707 for( i = 0; i < ssl->ivlen; i++ ) 00708 ssl->iv_dec[i] = ssl->in_msg[i]; 00709 } 00710 00711 switch( ssl->ivlen ) 00712 { 00713 #if defined(POLARSSL_DES_C) 00714 case 8: 00715 des3_crypt_cbc( (des3_context *) ssl->ctx_dec, 00716 DES_DECRYPT, dec_msglen, 00717 ssl->iv_dec, dec_msg, dec_msg_result ); 00718 break; 00719 #endif 00720 00721 case 16: 00722 #if defined(POLARSSL_AES_C) 00723 if ( ssl->session->ciphersuite == SSL_RSA_AES_128_SHA || 00724 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA || 00725 ssl->session->ciphersuite == SSL_RSA_AES_256_SHA || 00726 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA) 00727 { 00728 aes_crypt_cbc( (aes_context *) ssl->ctx_dec, 00729 AES_DECRYPT, dec_msglen, 00730 ssl->iv_dec, dec_msg, dec_msg_result ); 00731 break; 00732 } 00733 #endif 00734 00735 #if defined(POLARSSL_CAMELLIA_C) 00736 if ( ssl->session->ciphersuite == SSL_RSA_CAMELLIA_128_SHA || 00737 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA || 00738 ssl->session->ciphersuite == SSL_RSA_CAMELLIA_256_SHA || 00739 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA) 00740 { 00741 camellia_crypt_cbc( (camellia_context *) ssl->ctx_dec, 00742 CAMELLIA_DECRYPT, dec_msglen, 00743 ssl->iv_dec, dec_msg, dec_msg_result ); 00744 break; 00745 } 00746 #endif 00747 00748 default: 00749 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00750 } 00751 00752 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; 00753 00754 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) 00755 { 00756 if( padlen > ssl->ivlen ) 00757 { 00758 SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " 00759 "should be no more than %d", 00760 padlen, ssl->ivlen ) ); 00761 padlen = 0; 00762 } 00763 } 00764 else 00765 { 00766 /* 00767 * TLSv1: always check the padding 00768 */ 00769 for( i = 1; i <= padlen; i++ ) 00770 { 00771 if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 ) 00772 { 00773 SSL_DEBUG_MSG( 1, ( "bad padding byte: should be " 00774 "%02x, but is %02x", padlen - 1, 00775 ssl->in_msg[ssl->in_msglen - i] ) ); 00776 padlen = 0; 00777 } 00778 } 00779 } 00780 } 00781 00782 SSL_DEBUG_BUF( 4, "raw buffer after decryption", 00783 ssl->in_msg, ssl->in_msglen ); 00784 00785 /* 00786 * Always compute the MAC (RFC4346, CBCTIME). 00787 */ 00788 if( ssl->in_msglen < ssl->maclen + padlen ) 00789 { 00790 SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", 00791 ssl->in_msglen, ssl->maclen, padlen ) ); 00792 return( POLARSSL_ERR_SSL_INVALID_MAC ); 00793 } 00794 00795 ssl->in_msglen -= ( ssl->maclen + padlen ); 00796 00797 ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 ); 00798 ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen ); 00799 00800 memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 ); 00801 00802 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) 00803 { 00804 if( ssl->maclen == 16 ) 00805 ssl_mac_md5( ssl->mac_dec, 00806 ssl->in_msg, ssl->in_msglen, 00807 ssl->in_ctr, ssl->in_msgtype ); 00808 else 00809 ssl_mac_sha1( ssl->mac_dec, 00810 ssl->in_msg, ssl->in_msglen, 00811 ssl->in_ctr, ssl->in_msgtype ); 00812 } 00813 else 00814 { 00815 if( ssl->maclen == 16 ) 00816 md5_hmac( ssl->mac_dec, 16, 00817 ssl->in_ctr, ssl->in_msglen + 13, 00818 ssl->in_msg + ssl->in_msglen ); 00819 else 00820 sha1_hmac( ssl->mac_dec, 20, 00821 ssl->in_ctr, ssl->in_msglen + 13, 00822 ssl->in_msg + ssl->in_msglen ); 00823 } 00824 00825 SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->maclen ); 00826 SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen, 00827 ssl->maclen ); 00828 00829 if( memcmp( tmp, ssl->in_msg + ssl->in_msglen, 00830 ssl->maclen ) != 0 ) 00831 { 00832 SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 00833 return( POLARSSL_ERR_SSL_INVALID_MAC ); 00834 } 00835 00836 /* 00837 * Finally check the padding length; bad padding 00838 * will produce the same error as an invalid MAC. 00839 */ 00840 if( ssl->ivlen != 0 && padlen == 0 ) 00841 return( POLARSSL_ERR_SSL_INVALID_MAC ); 00842 00843 if( ssl->in_msglen == 0 ) 00844 { 00845 ssl->nb_zero++; 00846 00847 /* 00848 * Three or more empty messages may be a DoS attack 00849 * (excessive CPU consumption). 00850 */ 00851 if( ssl->nb_zero > 3 ) 00852 { 00853 SSL_DEBUG_MSG( 1, ( "received four consecutive empty " 00854 "messages, possible DoS attack" ) ); 00855 return( POLARSSL_ERR_SSL_INVALID_MAC ); 00856 } 00857 } 00858 else 00859 ssl->nb_zero = 0; 00860 00861 for( i = 8; i > 0; i-- ) 00862 if( ++ssl->in_ctr[i - 1] != 0 ) 00863 break; 00864 00865 SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); 00866 00867 return( 0 ); 00868 } 00869 00870 /* 00871 * Fill the input message buffer 00872 */ 00873 int ssl_fetch_input( ssl_context *ssl, size_t nb_want ) 00874 { 00875 int ret; 00876 size_t len; 00877 00878 SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); 00879 00880 while( ssl->in_left < nb_want ) 00881 { 00882 len = nb_want - ssl->in_left; 00883 ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len ); 00884 00885 SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 00886 ssl->in_left, nb_want ) ); 00887 SSL_DEBUG_RET( 2, "ssl->f_recv", ret ); 00888 00889 if( ret == 0 ) 00890 return( POLARSSL_ERR_SSL_CONN_EOF ); 00891 00892 if( ret < 0 ) 00893 return( ret ); 00894 00895 ssl->in_left += ret; 00896 } 00897 00898 SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 00899 00900 return( 0 ); 00901 } 00902 00903 /* 00904 * Flush any data not yet written 00905 */ 00906 int ssl_flush_output( ssl_context *ssl ) 00907 { 00908 int ret; 00909 unsigned char *buf; 00910 00911 SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); 00912 00913 while( ssl->out_left > 0 ) 00914 { 00915 SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d", 00916 5 + ssl->out_msglen, ssl->out_left ) ); 00917 00918 buf = ssl->out_hdr + 5 + ssl->out_msglen - ssl->out_left; 00919 ret = ssl->f_send( ssl->p_send, buf, ssl->out_left ); 00920 SSL_DEBUG_RET( 2, "ssl->f_send", ret ); 00921 00922 if( ret <= 0 ) 00923 return( ret ); 00924 00925 ssl->out_left -= ret; 00926 } 00927 00928 SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 00929 00930 return( 0 ); 00931 } 00932 00933 /* 00934 * Record layer functions 00935 */ 00936 int ssl_write_record( ssl_context *ssl ) 00937 { 00938 int ret; 00939 size_t len = ssl->out_msglen; 00940 00941 SSL_DEBUG_MSG( 2, ( "=> write record" ) ); 00942 00943 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; 00944 ssl->out_hdr[1] = (unsigned char) ssl->major_ver; 00945 ssl->out_hdr[2] = (unsigned char) ssl->minor_ver; 00946 ssl->out_hdr[3] = (unsigned char)( len >> 8 ); 00947 ssl->out_hdr[4] = (unsigned char)( len ); 00948 00949 if( ssl->out_msgtype == SSL_MSG_HANDSHAKE ) 00950 { 00951 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 ); 00952 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 ); 00953 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) ); 00954 00955 md5_update( &ssl->fin_md5 , ssl->out_msg, len ); 00956 sha1_update( &ssl->fin_sha1, ssl->out_msg, len ); 00957 } 00958 00959 if( ssl->do_crypt != 0 ) 00960 { 00961 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 ) 00962 { 00963 SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); 00964 return( ret ); 00965 } 00966 00967 len = ssl->out_msglen; 00968 ssl->out_hdr[3] = (unsigned char)( len >> 8 ); 00969 ssl->out_hdr[4] = (unsigned char)( len ); 00970 } 00971 00972 ssl->out_left = 5 + ssl->out_msglen; 00973 00974 SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " 00975 "version = [%d:%d], msglen = %d", 00976 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], 00977 ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) ); 00978 00979 SSL_DEBUG_BUF( 4, "output record sent to network", 00980 ssl->out_hdr, 5 + ssl->out_msglen ); 00981 00982 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 00983 { 00984 SSL_DEBUG_RET( 1, "ssl_flush_output", ret ); 00985 return( ret ); 00986 } 00987 00988 SSL_DEBUG_MSG( 2, ( "<= write record" ) ); 00989 00990 return( 0 ); 00991 } 00992 00993 int ssl_read_record( ssl_context *ssl ) 00994 { 00995 int ret; 00996 00997 SSL_DEBUG_MSG( 2, ( "=> read record" ) ); 00998 00999 if( ssl->in_hslen != 0 && 01000 ssl->in_hslen < ssl->in_msglen ) 01001 { 01002 /* 01003 * Get next Handshake message in the current record 01004 */ 01005 ssl->in_msglen -= ssl->in_hslen; 01006 01007 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, 01008 ssl->in_msglen ); 01009 01010 ssl->in_hslen = 4; 01011 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3]; 01012 01013 SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 01014 " %d, type = %d, hslen = %d", 01015 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 01016 01017 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 ) 01018 { 01019 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) ); 01020 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01021 } 01022 01023 if( ssl->in_msglen < ssl->in_hslen ) 01024 { 01025 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) ); 01026 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01027 } 01028 01029 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen ); 01030 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen ); 01031 01032 return( 0 ); 01033 } 01034 01035 ssl->in_hslen = 0; 01036 01037 /* 01038 * Read the record header and validate it 01039 */ 01040 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 ) 01041 { 01042 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 01043 return( ret ); 01044 } 01045 01046 ssl->in_msgtype = ssl->in_hdr[0]; 01047 ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4]; 01048 01049 SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " 01050 "version = [%d:%d], msglen = %d", 01051 ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2], 01052 ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) ); 01053 01054 if( ssl->in_hdr[1] != ssl->major_ver ) 01055 { 01056 SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); 01057 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01058 } 01059 01060 if( ssl->in_hdr[2] > ssl->max_minor_ver ) 01061 { 01062 SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); 01063 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01064 } 01065 01066 /* 01067 * Make sure the message length is acceptable 01068 */ 01069 if( ssl->do_crypt == 0 ) 01070 { 01071 if( ssl->in_msglen < 1 || 01072 ssl->in_msglen > SSL_MAX_CONTENT_LEN ) 01073 { 01074 SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 01075 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01076 } 01077 } 01078 else 01079 { 01080 if( ssl->in_msglen < ssl->minlen ) 01081 { 01082 SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 01083 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01084 } 01085 01086 if( ssl->minor_ver == SSL_MINOR_VERSION_0 && 01087 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN ) 01088 { 01089 SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 01090 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01091 } 01092 01093 /* 01094 * TLS encrypted messages can have up to 256 bytes of padding 01095 */ 01096 if( ssl->minor_ver == SSL_MINOR_VERSION_1 && 01097 ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 ) 01098 { 01099 SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 01100 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01101 } 01102 } 01103 01104 /* 01105 * Read and optionally decrypt the message contents 01106 */ 01107 if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 ) 01108 { 01109 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 01110 return( ret ); 01111 } 01112 01113 SSL_DEBUG_BUF( 4, "input record from network", 01114 ssl->in_hdr, 5 + ssl->in_msglen ); 01115 01116 if( ssl->do_crypt != 0 ) 01117 { 01118 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) 01119 { 01120 SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); 01121 return( ret ); 01122 } 01123 01124 SSL_DEBUG_BUF( 4, "input payload after decrypt", 01125 ssl->in_msg, ssl->in_msglen ); 01126 01127 if( ssl->in_msglen > SSL_MAX_CONTENT_LEN ) 01128 { 01129 SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 01130 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01131 } 01132 } 01133 01134 if( ssl->in_msgtype == SSL_MSG_HANDSHAKE ) 01135 { 01136 ssl->in_hslen = 4; 01137 ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3]; 01138 01139 SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 01140 " %d, type = %d, hslen = %d", 01141 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 01142 01143 /* 01144 * Additional checks to validate the handshake header 01145 */ 01146 if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 ) 01147 { 01148 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) ); 01149 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01150 } 01151 01152 if( ssl->in_msglen < ssl->in_hslen ) 01153 { 01154 SSL_DEBUG_MSG( 1, ( "bad handshake length" ) ); 01155 return( POLARSSL_ERR_SSL_INVALID_RECORD ); 01156 } 01157 01158 md5_update( &ssl->fin_md5 , ssl->in_msg, ssl->in_hslen ); 01159 sha1_update( &ssl->fin_sha1, ssl->in_msg, ssl->in_hslen ); 01160 } 01161 01162 if( ssl->in_msgtype == SSL_MSG_ALERT ) 01163 { 01164 SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]", 01165 ssl->in_msg[0], ssl->in_msg[1] ) ); 01166 01167 /* 01168 * Ignore non-fatal alerts, except close_notify 01169 */ 01170 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL ) 01171 { 01172 SSL_DEBUG_MSG( 1, ( "is a fatal alert message" ) ); 01177 return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE - ssl->in_msg[1] ); 01178 } 01179 01180 if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING && 01181 ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY ) 01182 { 01183 SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); 01184 return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY ); 01185 } 01186 } 01187 01188 ssl->in_left = 0; 01189 01190 SSL_DEBUG_MSG( 2, ( "<= read record" ) ); 01191 01192 return( 0 ); 01193 } 01194 01195 /* 01196 * Handshake functions 01197 */ 01198 int ssl_write_certificate( ssl_context *ssl ) 01199 { 01200 int ret; 01201 size_t i, n; 01202 const x509_cert *crt; 01203 01204 SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 01205 01206 if( ssl->endpoint == SSL_IS_CLIENT ) 01207 { 01208 if( ssl->client_auth == 0 ) 01209 { 01210 SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 01211 ssl->state++; 01212 return( 0 ); 01213 } 01214 01215 /* 01216 * If using SSLv3 and got no cert, send an Alert message 01217 * (otherwise an empty Certificate message will be sent). 01218 */ 01219 if( ssl->own_cert == NULL && 01220 ssl->minor_ver == SSL_MINOR_VERSION_0 ) 01221 { 01222 ssl->out_msglen = 2; 01223 ssl->out_msgtype = SSL_MSG_ALERT; 01224 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING; 01225 ssl->out_msg[1] = SSL_ALERT_MSG_NO_CERT; 01226 01227 SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) ); 01228 goto write_msg; 01229 } 01230 } 01231 else /* SSL_IS_SERVER */ 01232 { 01233 if( ssl->own_cert == NULL ) 01234 { 01235 SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); 01236 return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED ); 01237 } 01238 } 01239 01240 SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert ); 01241 01242 /* 01243 * 0 . 0 handshake type 01244 * 1 . 3 handshake length 01245 * 4 . 6 length of all certs 01246 * 7 . 9 length of cert. 1 01247 * 10 . n-1 peer certificate 01248 * n . n+2 length of cert. 2 01249 * n+3 . ... upper level cert, etc. 01250 */ 01251 i = 7; 01252 crt = ssl->own_cert; 01253 01254 while( crt != NULL ) 01255 { 01256 n = crt->raw.len; 01257 if( i + 3 + n > SSL_MAX_CONTENT_LEN ) 01258 { 01259 SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d", 01260 i + 3 + n, SSL_MAX_CONTENT_LEN ) ); 01261 return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE ); 01262 } 01263 01264 ssl->out_msg[i ] = (unsigned char)( n >> 16 ); 01265 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 ); 01266 ssl->out_msg[i + 2] = (unsigned char)( n ); 01267 01268 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n ); 01269 i += n; crt = crt->next; 01270 } 01271 01272 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 ); 01273 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 ); 01274 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) ); 01275 01276 ssl->out_msglen = i; 01277 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 01278 ssl->out_msg[0] = SSL_HS_CERTIFICATE; 01279 01280 write_msg: 01281 01282 ssl->state++; 01283 01284 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 01285 { 01286 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 01287 return( ret ); 01288 } 01289 01290 SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); 01291 01292 return( 0 ); 01293 } 01294 01295 int ssl_parse_certificate( ssl_context *ssl ) 01296 { 01297 int ret; 01298 size_t i, n; 01299 01300 SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 01301 01302 if( ssl->endpoint == SSL_IS_SERVER && 01303 ssl->authmode == SSL_VERIFY_NONE ) 01304 { 01305 ssl->verify_result = BADCERT_SKIP_VERIFY; 01306 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 01307 ssl->state++; 01308 return( 0 ); 01309 } 01310 01311 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 01312 { 01313 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 01314 return( ret ); 01315 } 01316 01317 ssl->state++; 01318 01319 /* 01320 * Check if the client sent an empty certificate 01321 */ 01322 if( ssl->endpoint == SSL_IS_SERVER && 01323 ssl->minor_ver == SSL_MINOR_VERSION_0 ) 01324 { 01325 if( ssl->in_msglen == 2 && 01326 ssl->in_msgtype == SSL_MSG_ALERT && 01327 ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING && 01328 ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT ) 01329 { 01330 SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); 01331 01332 ssl->verify_result = BADCERT_MISSING; 01333 if( ssl->authmode == SSL_VERIFY_OPTIONAL ) 01334 return( 0 ); 01335 else 01336 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE ); 01337 } 01338 } 01339 01340 if( ssl->endpoint == SSL_IS_SERVER && 01341 ssl->minor_ver != SSL_MINOR_VERSION_0 ) 01342 { 01343 if( ssl->in_hslen == 7 && 01344 ssl->in_msgtype == SSL_MSG_HANDSHAKE && 01345 ssl->in_msg[0] == SSL_HS_CERTIFICATE && 01346 memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 ) 01347 { 01348 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); 01349 01350 ssl->verify_result = BADCERT_MISSING; 01351 if( ssl->authmode == SSL_VERIFY_REQUIRED ) 01352 return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE ); 01353 else 01354 return( 0 ); 01355 } 01356 } 01357 01358 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 01359 { 01360 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 01361 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01362 } 01363 01364 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 ) 01365 { 01366 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 01367 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); 01368 } 01369 01370 /* 01371 * Same message structure as in ssl_write_certificate() 01372 */ 01373 n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6]; 01374 01375 if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n ) 01376 { 01377 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 01378 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); 01379 } 01380 01381 if( ( ssl->peer_cert = (x509_cert *) malloc( 01382 sizeof( x509_cert ) ) ) == NULL ) 01383 { 01384 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", 01385 sizeof( x509_cert ) ) ); 01386 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 01387 } 01388 01389 memset( ssl->peer_cert, 0, sizeof( x509_cert ) ); 01390 01391 i = 7; 01392 01393 while( i < ssl->in_hslen ) 01394 { 01395 if( ssl->in_msg[i] != 0 ) 01396 { 01397 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 01398 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); 01399 } 01400 01401 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 ) 01402 | (unsigned int) ssl->in_msg[i + 2]; 01403 i += 3; 01404 01405 if( n < 128 || i + n > ssl->in_hslen ) 01406 { 01407 SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 01408 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); 01409 } 01410 01411 ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n ); 01412 if( ret != 0 ) 01413 { 01414 SSL_DEBUG_RET( 1, " x509parse_crt", ret ); 01415 return( ret ); 01416 } 01417 01418 i += n; 01419 } 01420 01421 SSL_DEBUG_CRT( 3, "peer certificate", ssl->peer_cert ); 01422 01423 if( ssl->authmode != SSL_VERIFY_NONE ) 01424 { 01425 if( ssl->ca_chain == NULL ) 01426 { 01427 SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); 01428 return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED ); 01429 } 01430 01431 ret = x509parse_verify( ssl->peer_cert, ssl->ca_chain, ssl->ca_crl, 01432 ssl->peer_cn, &ssl->verify_result, 01433 ssl->f_vrfy, ssl->p_vrfy ); 01434 01435 if( ret != 0 ) 01436 SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); 01437 01438 if( ssl->authmode != SSL_VERIFY_REQUIRED ) 01439 ret = 0; 01440 } 01441 01442 SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); 01443 01444 return( ret ); 01445 } 01446 01447 int ssl_write_change_cipher_spec( ssl_context *ssl ) 01448 { 01449 int ret; 01450 01451 SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); 01452 01453 ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC; 01454 ssl->out_msglen = 1; 01455 ssl->out_msg[0] = 1; 01456 01457 ssl->do_crypt = 0; 01458 ssl->state++; 01459 01460 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 01461 { 01462 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 01463 return( ret ); 01464 } 01465 01466 SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); 01467 01468 return( 0 ); 01469 } 01470 01471 int ssl_parse_change_cipher_spec( ssl_context *ssl ) 01472 { 01473 int ret; 01474 01475 SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); 01476 01477 ssl->do_crypt = 0; 01478 01479 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 01480 { 01481 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 01482 return( ret ); 01483 } 01484 01485 if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC ) 01486 { 01487 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 01488 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01489 } 01490 01491 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 ) 01492 { 01493 SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 01494 return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); 01495 } 01496 01497 ssl->state++; 01498 01499 SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); 01500 01501 return( 0 ); 01502 } 01503 01504 static void ssl_calc_finished( 01505 ssl_context *ssl, unsigned char *buf, int from, 01506 md5_context *md5, sha1_context *sha1 ) 01507 { 01508 int len = 12; 01509 char *sender; 01510 unsigned char padbuf[48]; 01511 unsigned char md5sum[16]; 01512 unsigned char sha1sum[20]; 01513 01514 SSL_DEBUG_MSG( 2, ( "=> calc finished" ) ); 01515 01516 /* 01517 * SSLv3: 01518 * hash = 01519 * MD5( master + pad2 + 01520 * MD5( handshake + sender + master + pad1 ) ) 01521 * + SHA1( master + pad2 + 01522 * SHA1( handshake + sender + master + pad1 ) ) 01523 * 01524 * TLSv1: 01525 * hash = PRF( master, finished_label, 01526 * MD5( handshake ) + SHA1( handshake ) )[0..11] 01527 */ 01528 01529 SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 01530 md5->state, sizeof( md5->state ) ); 01531 01532 SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 01533 sha1->state, sizeof( sha1->state ) ); 01534 01535 if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) 01536 { 01537 sender = ( from == SSL_IS_CLIENT ) ? (char *) "CLNT" 01538 : (char *) "SRVR"; 01539 01540 memset( padbuf, 0x36, 48 ); 01541 01542 md5_update( md5, (unsigned char *) sender, 4 ); 01543 md5_update( md5, ssl->session->master, 48 ); 01544 md5_update( md5, padbuf, 48 ); 01545 md5_finish( md5, md5sum ); 01546 01547 sha1_update( sha1, (unsigned char *) sender, 4 ); 01548 sha1_update( sha1, ssl->session->master, 48 ); 01549 sha1_update( sha1, padbuf, 40 ); 01550 sha1_finish( sha1, sha1sum ); 01551 01552 memset( padbuf, 0x5C, 48 ); 01553 01554 md5_starts( md5 ); 01555 md5_update( md5, ssl->session->master, 48 ); 01556 md5_update( md5, padbuf, 48 ); 01557 md5_update( md5, md5sum, 16 ); 01558 md5_finish( md5, buf ); 01559 01560 sha1_starts( sha1 ); 01561 sha1_update( sha1, ssl->session->master, 48 ); 01562 sha1_update( sha1, padbuf , 40 ); 01563 sha1_update( sha1, sha1sum, 20 ); 01564 sha1_finish( sha1, buf + 16 ); 01565 01566 len += 24; 01567 } 01568 else 01569 { 01570 sender = ( from == SSL_IS_CLIENT ) 01571 ? (char *) "client finished" 01572 : (char *) "server finished"; 01573 01574 md5_finish( md5, padbuf ); 01575 sha1_finish( sha1, padbuf + 16 ); 01576 01577 tls1_prf( ssl->session->master, 48, sender, 01578 padbuf, 36, buf, len ); 01579 } 01580 01581 SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 01582 01583 memset( md5, 0, sizeof( md5_context ) ); 01584 memset( sha1, 0, sizeof( sha1_context ) ); 01585 01586 memset( padbuf, 0, sizeof( padbuf ) ); 01587 memset( md5sum, 0, sizeof( md5sum ) ); 01588 memset( sha1sum, 0, sizeof( sha1sum ) ); 01589 01590 SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 01591 } 01592 01593 int ssl_write_finished( ssl_context *ssl ) 01594 { 01595 int ret, hash_len; 01596 md5_context md5; 01597 sha1_context sha1; 01598 01599 SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); 01600 01601 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) ); 01602 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) ); 01603 01604 ssl_calc_finished( ssl, ssl->out_msg + 4, 01605 ssl->endpoint, &md5, &sha1 ); 01606 01607 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12; 01608 01609 ssl->out_msglen = 4 + hash_len; 01610 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 01611 ssl->out_msg[0] = SSL_HS_FINISHED; 01612 01613 /* 01614 * In case of session resuming, invert the client and server 01615 * ChangeCipherSpec messages order. 01616 */ 01617 if( ssl->resume != 0 ) 01618 { 01619 if( ssl->endpoint == SSL_IS_CLIENT ) 01620 ssl->state = SSL_HANDSHAKE_OVER; 01621 else 01622 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC; 01623 } 01624 else 01625 ssl->state++; 01626 01627 ssl->do_crypt = 1; 01628 01629 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 01630 { 01631 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 01632 return( ret ); 01633 } 01634 01635 SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); 01636 01637 return( 0 ); 01638 } 01639 01640 int ssl_parse_finished( ssl_context *ssl ) 01641 { 01642 int ret; 01643 unsigned int hash_len; 01644 unsigned char buf[36]; 01645 md5_context md5; 01646 sha1_context sha1; 01647 01648 SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); 01649 01650 memcpy( &md5 , &ssl->fin_md5 , sizeof( md5_context ) ); 01651 memcpy( &sha1, &ssl->fin_sha1, sizeof( sha1_context ) ); 01652 01653 ssl->do_crypt = 1; 01654 01655 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 01656 { 01657 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 01658 return( ret ); 01659 } 01660 01661 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 01662 { 01663 SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 01664 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 01665 } 01666 01667 hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12; 01668 01669 if( ssl->in_msg[0] != SSL_HS_FINISHED || 01670 ssl->in_hslen != 4 + hash_len ) 01671 { 01672 SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 01673 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED ); 01674 } 01675 01676 ssl_calc_finished( ssl, buf, ssl->endpoint ^ 1, &md5, &sha1 ); 01677 01678 if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 ) 01679 { 01680 SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 01681 return( POLARSSL_ERR_SSL_BAD_HS_FINISHED ); 01682 } 01683 01684 if( ssl->resume != 0 ) 01685 { 01686 if( ssl->endpoint == SSL_IS_CLIENT ) 01687 ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC; 01688 01689 if( ssl->endpoint == SSL_IS_SERVER ) 01690 ssl->state = SSL_HANDSHAKE_OVER; 01691 } 01692 else 01693 ssl->state++; 01694 01695 SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); 01696 01697 return( 0 ); 01698 } 01699 01700 /* 01701 * Initialize an SSL context 01702 */ 01703 int ssl_init( ssl_context *ssl ) 01704 { 01705 int len = SSL_BUFFER_LEN; 01706 01707 memset( ssl, 0, sizeof( ssl_context ) ); 01708 01709 ssl->in_ctr = (unsigned char *) malloc( len ); 01710 ssl->in_hdr = ssl->in_ctr + 8; 01711 ssl->in_msg = ssl->in_ctr + 13; 01712 01713 if( ssl->in_ctr == NULL ) 01714 { 01715 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) ); 01716 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 01717 } 01718 01719 ssl->out_ctr = (unsigned char *) malloc( len ); 01720 ssl->out_hdr = ssl->out_ctr + 8; 01721 ssl->out_msg = ssl->out_ctr + 13; 01722 01723 if( ssl->out_ctr == NULL ) 01724 { 01725 SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) ); 01726 free( ssl-> in_ctr ); 01727 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 01728 } 01729 01730 memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN ); 01731 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN ); 01732 01733 ssl->hostname = NULL; 01734 ssl->hostname_len = 0; 01735 01736 md5_starts( &ssl->fin_md5 ); 01737 sha1_starts( &ssl->fin_sha1 ); 01738 01739 return( 0 ); 01740 } 01741 01742 /* 01743 * Reset an initialized and used SSL context for re-use while retaining 01744 * all application-set variables, function pointers and data. 01745 */ 01746 void ssl_session_reset( ssl_context *ssl ) 01747 { 01748 ssl->state = SSL_HELLO_REQUEST; 01749 01750 ssl->in_offt = NULL; 01751 01752 ssl->in_msgtype = 0; 01753 ssl->in_msglen = 0; 01754 ssl->in_left = 0; 01755 01756 ssl->in_hslen = 0; 01757 ssl->nb_zero = 0; 01758 01759 ssl->out_msgtype = 0; 01760 ssl->out_msglen = 0; 01761 ssl->out_left = 0; 01762 01763 ssl->do_crypt = 0; 01764 ssl->pmslen = 0; 01765 ssl->keylen = 0; 01766 ssl->minlen = 0; 01767 ssl->ivlen = 0; 01768 ssl->maclen = 0; 01769 01770 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN ); 01771 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN ); 01772 memset( ssl->randbytes, 0, 64 ); 01773 memset( ssl->premaster, 0, 256 ); 01774 memset( ssl->iv_enc, 0, 16 ); 01775 memset( ssl->iv_dec, 0, 16 ); 01776 memset( ssl->mac_enc, 0, 32 ); 01777 memset( ssl->mac_dec, 0, 32 ); 01778 memset( ssl->ctx_enc, 0, 128 ); 01779 memset( ssl->ctx_dec, 0, 128 ); 01780 01781 md5_starts( &ssl->fin_md5 ); 01782 sha1_starts( &ssl->fin_sha1 ); 01783 } 01784 01785 /* 01786 * SSL set accessors 01787 */ 01788 void ssl_set_endpoint( ssl_context *ssl, int endpoint ) 01789 { 01790 ssl->endpoint = endpoint; 01791 } 01792 01793 void ssl_set_authmode( ssl_context *ssl, int authmode ) 01794 { 01795 ssl->authmode = authmode; 01796 } 01797 01798 void ssl_set_verify( ssl_context *ssl, 01799 int (*f_vrfy)(void *, x509_cert *, int, int), 01800 void *p_vrfy ) 01801 { 01802 ssl->f_vrfy = f_vrfy; 01803 ssl->p_vrfy = p_vrfy; 01804 } 01805 01806 void ssl_set_rng( ssl_context *ssl, 01807 int (*f_rng)(void *, unsigned char *, size_t), 01808 void *p_rng ) 01809 { 01810 ssl->f_rng = f_rng; 01811 ssl->p_rng = p_rng; 01812 } 01813 01814 void ssl_set_dbg( ssl_context *ssl, 01815 void (*f_dbg)(void *, int, const char *), 01816 void *p_dbg ) 01817 { 01818 ssl->f_dbg = f_dbg; 01819 ssl->p_dbg = p_dbg; 01820 } 01821 01822 void ssl_set_bio( ssl_context *ssl, 01823 int (*f_recv)(void *, unsigned char *, size_t), void *p_recv, 01824 int (*f_send)(void *, const unsigned char *, size_t), void *p_send ) 01825 { 01826 ssl->f_recv = f_recv; 01827 ssl->f_send = f_send; 01828 ssl->p_recv = p_recv; 01829 ssl->p_send = p_send; 01830 } 01831 01832 void ssl_set_scb( ssl_context *ssl, 01833 int (*s_get)(ssl_context *), 01834 int (*s_set)(ssl_context *) ) 01835 { 01836 ssl->s_get = s_get; 01837 ssl->s_set = s_set; 01838 } 01839 01840 void ssl_set_session( ssl_context *ssl, int resume, int timeout, 01841 ssl_session *session ) 01842 { 01843 ssl->resume = resume; 01844 ssl->timeout = timeout; 01845 ssl->session = session; 01846 } 01847 01848 void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites ) 01849 { 01850 ssl->ciphersuites = ciphersuites; 01851 } 01852 01853 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain, 01854 x509_crl *ca_crl, const char *peer_cn ) 01855 { 01856 ssl->ca_chain = ca_chain; 01857 ssl->ca_crl = ca_crl; 01858 ssl->peer_cn = peer_cn; 01859 } 01860 01861 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert, 01862 rsa_context *rsa_key ) 01863 { 01864 ssl->own_cert = own_cert; 01865 ssl->rsa_key = rsa_key; 01866 } 01867 01868 #if defined(POLARSSL_PKCS11_C) 01869 void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert, 01870 pkcs11_context *pkcs11_key ) 01871 { 01872 ssl->own_cert = own_cert; 01873 ssl->pkcs11_key = pkcs11_key; 01874 } 01875 #endif 01876 01877 int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G ) 01878 { 01879 int ret; 01880 01881 if( ( ret = mpi_read_string( &ssl->dhm_ctx.P, 16, dhm_P ) ) != 0 ) 01882 { 01883 SSL_DEBUG_RET( 1, "mpi_read_string", ret ); 01884 return( ret ); 01885 } 01886 01887 if( ( ret = mpi_read_string( &ssl->dhm_ctx.G, 16, dhm_G ) ) != 0 ) 01888 { 01889 SSL_DEBUG_RET( 1, "mpi_read_string", ret ); 01890 return( ret ); 01891 } 01892 01893 return( 0 ); 01894 } 01895 01896 int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx ) 01897 { 01898 int ret; 01899 01900 if( ( ret = mpi_copy(&ssl->dhm_ctx.P, &dhm_ctx->P) ) != 0 ) 01901 { 01902 SSL_DEBUG_RET( 1, "mpi_copy", ret ); 01903 return( ret ); 01904 } 01905 01906 if( ( ret = mpi_copy(&ssl->dhm_ctx.G, &dhm_ctx->G) ) != 0 ) 01907 { 01908 SSL_DEBUG_RET( 1, "mpi_copy", ret ); 01909 return( ret ); 01910 } 01911 01912 return( 0 ); 01913 } 01914 01915 int ssl_set_hostname( ssl_context *ssl, const char *hostname ) 01916 { 01917 if( hostname == NULL ) 01918 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 01919 01920 ssl->hostname_len = strlen( hostname ); 01921 ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 ); 01922 01923 if( ssl->hostname == NULL ) 01924 return( POLARSSL_ERR_SSL_MALLOC_FAILED ); 01925 01926 memcpy( ssl->hostname, (unsigned char *) hostname, 01927 ssl->hostname_len ); 01928 01929 ssl->hostname[ssl->hostname_len] = '\0'; 01930 01931 return( 0 ); 01932 } 01933 01934 void ssl_set_max_version( ssl_context *ssl, int major, int minor ) 01935 { 01936 ssl->max_major_ver = major; 01937 ssl->max_minor_ver = minor; 01938 } 01939 01940 /* 01941 * SSL get accessors 01942 */ 01943 size_t ssl_get_bytes_avail( const ssl_context *ssl ) 01944 { 01945 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); 01946 } 01947 01948 int ssl_get_verify_result( const ssl_context *ssl ) 01949 { 01950 return( ssl->verify_result ); 01951 } 01952 01953 const char *ssl_get_ciphersuite_name( const int ciphersuite_id ) 01954 { 01955 switch( ciphersuite_id ) 01956 { 01957 #if defined(POLARSSL_ARC4_C) 01958 case SSL_RSA_RC4_128_MD5: 01959 return( "SSL-RSA-RC4-128-MD5" ); 01960 01961 case SSL_RSA_RC4_128_SHA: 01962 return( "SSL-RSA-RC4-128-SHA" ); 01963 #endif 01964 01965 #if defined(POLARSSL_DES_C) 01966 case SSL_RSA_DES_168_SHA: 01967 return( "SSL-RSA-DES-168-SHA" ); 01968 01969 case SSL_EDH_RSA_DES_168_SHA: 01970 return( "SSL-EDH-RSA-DES-168-SHA" ); 01971 #endif 01972 01973 #if defined(POLARSSL_AES_C) 01974 case SSL_RSA_AES_128_SHA: 01975 return( "SSL-RSA-AES-128-SHA" ); 01976 01977 case SSL_EDH_RSA_AES_128_SHA: 01978 return( "SSL-EDH-RSA-AES-128-SHA" ); 01979 01980 case SSL_RSA_AES_256_SHA: 01981 return( "SSL-RSA-AES-256-SHA" ); 01982 01983 case SSL_EDH_RSA_AES_256_SHA: 01984 return( "SSL-EDH-RSA-AES-256-SHA" ); 01985 #endif 01986 01987 #if defined(POLARSSL_CAMELLIA_C) 01988 case SSL_RSA_CAMELLIA_128_SHA: 01989 return( "SSL-RSA-CAMELLIA-128-SHA" ); 01990 01991 case SSL_EDH_RSA_CAMELLIA_128_SHA: 01992 return( "SSL-EDH-RSA-CAMELLIA-128-SHA" ); 01993 01994 case SSL_RSA_CAMELLIA_256_SHA: 01995 return( "SSL-RSA-CAMELLIA-256-SHA" ); 01996 01997 case SSL_EDH_RSA_CAMELLIA_256_SHA: 01998 return( "SSL-EDH-RSA-CAMELLIA-256-SHA" ); 01999 #endif 02000 02001 default: 02002 break; 02003 } 02004 02005 return( "unknown" ); 02006 } 02007 02008 int ssl_get_ciphersuite_id( const char *ciphersuite_name ) 02009 { 02010 #if defined(POLARSSL_ARC4_C) 02011 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-MD5")) 02012 return( SSL_RSA_RC4_128_MD5 ); 02013 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-RC4-128-SHA")) 02014 return( SSL_RSA_RC4_128_SHA ); 02015 #endif 02016 02017 #if defined(POLARSSL_DES_C) 02018 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-DES-168-SHA")) 02019 return( SSL_RSA_DES_168_SHA ); 02020 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-DES-168-SHA")) 02021 return( SSL_EDH_RSA_DES_168_SHA ); 02022 #endif 02023 02024 #if defined(POLARSSL_AES_C) 02025 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-128-SHA")) 02026 return( SSL_RSA_AES_128_SHA ); 02027 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-128-SHA")) 02028 return( SSL_EDH_RSA_AES_128_SHA ); 02029 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-AES-256-SHA")) 02030 return( SSL_RSA_AES_256_SHA ); 02031 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-AES-256-SHA")) 02032 return( SSL_EDH_RSA_AES_256_SHA ); 02033 #endif 02034 02035 #if defined(POLARSSL_CAMELLIA_C) 02036 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-128-SHA")) 02037 return( SSL_RSA_CAMELLIA_128_SHA ); 02038 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-128-SHA")) 02039 return( SSL_EDH_RSA_CAMELLIA_128_SHA ); 02040 if (0 == strcasecmp(ciphersuite_name, "SSL-RSA-CAMELLIA-256-SHA")) 02041 return( SSL_RSA_CAMELLIA_256_SHA ); 02042 if (0 == strcasecmp(ciphersuite_name, "SSL-EDH-RSA-CAMELLIA-256-SHA")) 02043 return( SSL_EDH_RSA_CAMELLIA_256_SHA ); 02044 #endif 02045 02046 return( 0 ); 02047 } 02048 02049 const char *ssl_get_ciphersuite( const ssl_context *ssl ) 02050 { 02051 return ssl_get_ciphersuite_name( ssl->session->ciphersuite ); 02052 } 02053 02054 const char *ssl_get_version( const ssl_context *ssl ) 02055 { 02056 switch( ssl->minor_ver ) 02057 { 02058 case SSL_MINOR_VERSION_0: 02059 return( "SSLv3.0" ); 02060 02061 case SSL_MINOR_VERSION_1: 02062 return( "TLSv1.0" ); 02063 02064 case SSL_MINOR_VERSION_2: 02065 return( "TLSv1.1" ); 02066 02067 default: 02068 break; 02069 } 02070 return( "unknown" ); 02071 } 02072 02073 int ssl_default_ciphersuites[] = 02074 { 02075 #if defined(POLARSSL_DHM_C) 02076 #if defined(POLARSSL_AES_C) 02077 SSL_EDH_RSA_AES_128_SHA, 02078 SSL_EDH_RSA_AES_256_SHA, 02079 #endif 02080 #if defined(POLARSSL_CAMELLIA_C) 02081 SSL_EDH_RSA_CAMELLIA_128_SHA, 02082 SSL_EDH_RSA_CAMELLIA_256_SHA, 02083 #endif 02084 #if defined(POLARSSL_DES_C) 02085 SSL_EDH_RSA_DES_168_SHA, 02086 #endif 02087 #endif 02088 02089 #if defined(POLARSSL_AES_C) 02090 SSL_RSA_AES_256_SHA, 02091 #endif 02092 #if defined(POLARSSL_CAMELLIA_C) 02093 SSL_RSA_CAMELLIA_256_SHA, 02094 #endif 02095 #if defined(POLARSSL_AES_C) 02096 SSL_RSA_AES_128_SHA, 02097 #endif 02098 #if defined(POLARSSL_CAMELLIA_C) 02099 SSL_RSA_CAMELLIA_128_SHA, 02100 #endif 02101 #if defined(POLARSSL_DES_C) 02102 SSL_RSA_DES_168_SHA, 02103 #endif 02104 #if defined(POLARSSL_ARC4_C) 02105 SSL_RSA_RC4_128_SHA, 02106 SSL_RSA_RC4_128_MD5, 02107 #endif 02108 0 02109 }; 02110 02111 /* 02112 * Perform the SSL handshake 02113 */ 02114 int ssl_handshake( ssl_context *ssl ) 02115 { 02116 int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; 02117 02118 SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); 02119 02120 #if defined(POLARSSL_SSL_CLI_C) 02121 if( ssl->endpoint == SSL_IS_CLIENT ) 02122 ret = ssl_handshake_client( ssl ); 02123 #endif 02124 02125 #if defined(POLARSSL_SSL_SRV_C) 02126 if( ssl->endpoint == SSL_IS_SERVER ) 02127 ret = ssl_handshake_server( ssl ); 02128 #endif 02129 02130 SSL_DEBUG_MSG( 2, ( "<= handshake" ) ); 02131 02132 return( ret ); 02133 } 02134 02135 /* 02136 * Receive application data decrypted from the SSL layer 02137 */ 02138 int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) 02139 { 02140 int ret; 02141 size_t n; 02142 02143 SSL_DEBUG_MSG( 2, ( "=> read" ) ); 02144 02145 if( ssl->state != SSL_HANDSHAKE_OVER ) 02146 { 02147 if( ( ret = ssl_handshake( ssl ) ) != 0 ) 02148 { 02149 SSL_DEBUG_RET( 1, "ssl_handshake", ret ); 02150 return( ret ); 02151 } 02152 } 02153 02154 if( ssl->in_offt == NULL ) 02155 { 02156 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 02157 { 02158 if( ret == POLARSSL_ERR_SSL_CONN_EOF ) 02159 return( 0 ); 02160 02161 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 02162 return( ret ); 02163 } 02164 02165 if( ssl->in_msglen == 0 && 02166 ssl->in_msgtype == SSL_MSG_APPLICATION_DATA ) 02167 { 02168 /* 02169 * OpenSSL sends empty messages to randomize the IV 02170 */ 02171 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 02172 { 02173 if( ret == POLARSSL_ERR_SSL_CONN_EOF ) 02174 return( 0 ); 02175 02176 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 02177 return( ret ); 02178 } 02179 } 02180 02181 if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA ) 02182 { 02183 SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); 02184 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); 02185 } 02186 02187 ssl->in_offt = ssl->in_msg; 02188 } 02189 02190 n = ( len < ssl->in_msglen ) 02191 ? len : ssl->in_msglen; 02192 02193 memcpy( buf, ssl->in_offt, n ); 02194 ssl->in_msglen -= n; 02195 02196 if( ssl->in_msglen == 0 ) 02197 /* all bytes consumed */ 02198 ssl->in_offt = NULL; 02199 else 02200 /* more data available */ 02201 ssl->in_offt += n; 02202 02203 SSL_DEBUG_MSG( 2, ( "<= read" ) ); 02204 02205 return( (int) n ); 02206 } 02207 02208 /* 02209 * Send application data to be encrypted by the SSL layer 02210 */ 02211 int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len ) 02212 { 02213 int ret; 02214 size_t n; 02215 02216 SSL_DEBUG_MSG( 2, ( "=> write" ) ); 02217 02218 if( ssl->state != SSL_HANDSHAKE_OVER ) 02219 { 02220 if( ( ret = ssl_handshake( ssl ) ) != 0 ) 02221 { 02222 SSL_DEBUG_RET( 1, "ssl_handshake", ret ); 02223 return( ret ); 02224 } 02225 } 02226 02227 n = ( len < SSL_MAX_CONTENT_LEN ) 02228 ? len : SSL_MAX_CONTENT_LEN; 02229 02230 if( ssl->out_left != 0 ) 02231 { 02232 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 02233 { 02234 SSL_DEBUG_RET( 1, "ssl_flush_output", ret ); 02235 return( ret ); 02236 } 02237 } 02238 else 02239 { 02240 ssl->out_msglen = n; 02241 ssl->out_msgtype = SSL_MSG_APPLICATION_DATA; 02242 memcpy( ssl->out_msg, buf, n ); 02243 02244 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02245 { 02246 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02247 return( ret ); 02248 } 02249 } 02250 02251 SSL_DEBUG_MSG( 2, ( "<= write" ) ); 02252 02253 return( (int) n ); 02254 } 02255 02256 /* 02257 * Notify the peer that the connection is being closed 02258 */ 02259 int ssl_close_notify( ssl_context *ssl ) 02260 { 02261 int ret; 02262 02263 SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); 02264 02265 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 02266 { 02267 SSL_DEBUG_RET( 1, "ssl_flush_output", ret ); 02268 return( ret ); 02269 } 02270 02271 if( ssl->state == SSL_HANDSHAKE_OVER ) 02272 { 02273 ssl->out_msgtype = SSL_MSG_ALERT; 02274 ssl->out_msglen = 2; 02275 ssl->out_msg[0] = SSL_ALERT_LEVEL_WARNING; 02276 ssl->out_msg[1] = SSL_ALERT_MSG_CLOSE_NOTIFY; 02277 02278 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 02279 { 02280 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 02281 return( ret ); 02282 } 02283 } 02284 02285 SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); 02286 02287 return( ret ); 02288 } 02289 02290 /* 02291 * Free an SSL context 02292 */ 02293 void ssl_free( ssl_context *ssl ) 02294 { 02295 SSL_DEBUG_MSG( 2, ( "=> free" ) ); 02296 02297 if( ssl->peer_cert != NULL ) 02298 { 02299 x509_free( ssl->peer_cert ); 02300 memset( ssl->peer_cert, 0, sizeof( x509_cert ) ); 02301 free( ssl->peer_cert ); 02302 } 02303 02304 if( ssl->out_ctr != NULL ) 02305 { 02306 memset( ssl->out_ctr, 0, SSL_BUFFER_LEN ); 02307 free( ssl->out_ctr ); 02308 } 02309 02310 if( ssl->in_ctr != NULL ) 02311 { 02312 memset( ssl->in_ctr, 0, SSL_BUFFER_LEN ); 02313 free( ssl->in_ctr ); 02314 } 02315 02316 #if defined(POLARSSL_DHM_C) 02317 dhm_free( &ssl->dhm_ctx ); 02318 #endif 02319 02320 if ( ssl->hostname != NULL) 02321 { 02322 memset( ssl->hostname, 0, ssl->hostname_len ); 02323 free( ssl->hostname ); 02324 ssl->hostname_len = 0; 02325 } 02326 02327 SSL_DEBUG_MSG( 2, ( "<= free" ) ); 02328 02329 /* Actually free after last debug message */ 02330 memset( ssl, 0, sizeof( ssl_context ) ); 02331 } 02332 02333 #endif