2011-02-05 22:14:47 +03:00
|
|
|
/* tls.c
|
|
|
|
|
*
|
2013-02-06 00:44:17 +04:00
|
|
|
* Copyright (C) 2006-2013 wolfSSL Inc.
|
2011-02-05 22:14:47 +03:00
|
|
|
*
|
|
|
|
|
* This file is part of CyaSSL.
|
|
|
|
|
*
|
|
|
|
|
* CyaSSL is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* CyaSSL is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
|
|
|
|
|
*/
|
|
|
|
|
|
2011-08-25 03:37:16 +04:00
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#endif
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
#include <cyassl/ssl.h>
|
2011-08-25 23:41:19 +04:00
|
|
|
#include <cyassl/internal.h>
|
|
|
|
|
#include <cyassl/error.h>
|
|
|
|
|
#include <cyassl/ctaocrypt/hmac.h>
|
2011-02-05 22:14:47 +03:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifndef NO_TLS
|
|
|
|
|
|
|
|
|
|
|
2012-06-02 02:37:51 +04:00
|
|
|
#ifndef min
|
|
|
|
|
|
|
|
|
|
static INLINE word32 min(word32 a, word32 b)
|
|
|
|
|
{
|
|
|
|
|
return a > b ? b : a;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* min */
|
|
|
|
|
|
|
|
|
|
|
2012-06-28 01:41:16 +04:00
|
|
|
#ifdef CYASSL_SHA384
|
|
|
|
|
#define PHASH_MAX_DIGEST_SIZE SHA384_DIGEST_SIZE
|
|
|
|
|
#else
|
|
|
|
|
#define PHASH_MAX_DIGEST_SIZE SHA256_DIGEST_SIZE
|
|
|
|
|
#endif
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2012-06-28 01:41:16 +04:00
|
|
|
/* compute p_hash for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1 PRF */
|
2011-04-28 04:31:08 +04:00
|
|
|
static void p_hash(byte* result, word32 resLen, const byte* secret,
|
|
|
|
|
word32 secLen, const byte* seed, word32 seedLen, int hash)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2012-11-27 06:40:43 +04:00
|
|
|
word32 len = SHA_DIGEST_SIZE;
|
2012-06-28 01:41:16 +04:00
|
|
|
word32 times;
|
|
|
|
|
word32 lastLen;
|
2011-02-05 22:14:47 +03:00
|
|
|
word32 lastTime;
|
|
|
|
|
word32 i;
|
|
|
|
|
word32 idx = 0;
|
2012-06-28 01:41:16 +04:00
|
|
|
byte previous[PHASH_MAX_DIGEST_SIZE]; /* max size */
|
|
|
|
|
byte current[PHASH_MAX_DIGEST_SIZE]; /* max size */
|
2011-02-05 22:14:47 +03:00
|
|
|
|
|
|
|
|
Hmac hmac;
|
|
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
switch (hash) {
|
|
|
|
|
#ifndef NO_MD5
|
|
|
|
|
case md5_mac:
|
|
|
|
|
{
|
|
|
|
|
len = MD5_DIGEST_SIZE;
|
|
|
|
|
hash = MD5;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef NO_SHA256
|
|
|
|
|
case sha256_mac:
|
|
|
|
|
{
|
|
|
|
|
len = SHA256_DIGEST_SIZE;
|
|
|
|
|
hash = SHA256;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CYASSL_SHA384
|
|
|
|
|
case sha384_mac:
|
|
|
|
|
{
|
|
|
|
|
len = SHA384_DIGEST_SIZE;
|
|
|
|
|
hash = SHA384;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
case sha_mac:
|
|
|
|
|
default:
|
|
|
|
|
{
|
|
|
|
|
len = SHA_DIGEST_SIZE;
|
|
|
|
|
hash = SHA;
|
|
|
|
|
}
|
|
|
|
|
break;
|
2012-06-28 01:41:16 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
times = resLen / len;
|
|
|
|
|
lastLen = resLen % len;
|
2011-02-05 22:14:47 +03:00
|
|
|
if (lastLen) times += 1;
|
|
|
|
|
lastTime = times - 1;
|
|
|
|
|
|
2012-06-28 01:41:16 +04:00
|
|
|
HmacSetKey(&hmac, hash, secret, secLen);
|
2011-02-05 22:14:47 +03:00
|
|
|
HmacUpdate(&hmac, seed, seedLen); /* A0 = seed */
|
|
|
|
|
HmacFinal(&hmac, previous); /* A1 */
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < times; i++) {
|
|
|
|
|
HmacUpdate(&hmac, previous, len);
|
|
|
|
|
HmacUpdate(&hmac, seed, seedLen);
|
|
|
|
|
HmacFinal(&hmac, current);
|
|
|
|
|
|
|
|
|
|
if ( (i == lastTime) && lastLen)
|
2012-06-02 02:37:51 +04:00
|
|
|
XMEMCPY(&result[idx], current, min(lastLen, sizeof(current)));
|
2011-02-05 22:14:47 +03:00
|
|
|
else {
|
|
|
|
|
XMEMCPY(&result[idx], current, len);
|
|
|
|
|
idx += len;
|
|
|
|
|
HmacUpdate(&hmac, previous, len);
|
|
|
|
|
HmacFinal(&hmac, previous);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
#ifndef NO_MD5
|
|
|
|
|
|
|
|
|
|
/* calculate XOR for TLSv1 PRF */
|
|
|
|
|
static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha)
|
|
|
|
|
{
|
|
|
|
|
word32 i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < digLen; i++)
|
|
|
|
|
digest[i] = md5[i] ^ sha[i];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-02-05 22:14:47 +03:00
|
|
|
/* compute TLSv1 PRF (pseudo random function using HMAC) */
|
2012-09-05 03:34:26 +04:00
|
|
|
static void doPRF(byte* digest, word32 digLen, const byte* secret,word32 secLen,
|
2012-09-05 23:30:51 +04:00
|
|
|
const byte* label, word32 labLen, const byte* seed, word32 seedLen)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
word32 half = (secLen + 1) / 2;
|
|
|
|
|
|
|
|
|
|
byte md5_half[MAX_PRF_HALF]; /* half is real size */
|
|
|
|
|
byte sha_half[MAX_PRF_HALF]; /* half is real size */
|
|
|
|
|
byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
|
|
|
|
|
byte md5_result[MAX_PRF_DIG]; /* digLen is real size */
|
|
|
|
|
byte sha_result[MAX_PRF_DIG]; /* digLen is real size */
|
|
|
|
|
|
|
|
|
|
if (half > MAX_PRF_HALF)
|
|
|
|
|
return;
|
|
|
|
|
if (labLen + seedLen > MAX_PRF_LABSEED)
|
|
|
|
|
return;
|
|
|
|
|
if (digLen > MAX_PRF_DIG)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
XMEMCPY(md5_half, secret, half);
|
|
|
|
|
XMEMCPY(sha_half, secret + half - secLen % 2, half);
|
|
|
|
|
|
|
|
|
|
XMEMCPY(labelSeed, label, labLen);
|
|
|
|
|
XMEMCPY(labelSeed + labLen, seed, seedLen);
|
|
|
|
|
|
2012-09-05 03:34:26 +04:00
|
|
|
p_hash(md5_result, digLen, md5_half, half, labelSeed, labLen + seedLen,
|
|
|
|
|
md5_mac);
|
|
|
|
|
p_hash(sha_result, digLen, sha_half, half, labelSeed, labLen + seedLen,
|
|
|
|
|
sha_mac);
|
|
|
|
|
get_xor(digest, digLen, md5_result, sha_result);
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
#endif
|
|
|
|
|
|
2012-09-05 03:34:26 +04:00
|
|
|
|
|
|
|
|
/* Wrapper to call straight thru to p_hash in TSL 1.2 cases to remove stack
|
|
|
|
|
use */
|
|
|
|
|
static void PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen,
|
|
|
|
|
const byte* label, word32 labLen, const byte* seed, word32 seedLen,
|
|
|
|
|
int useAtLeastSha256, int hash_type)
|
|
|
|
|
{
|
2012-06-28 01:41:16 +04:00
|
|
|
if (useAtLeastSha256) {
|
2012-09-05 03:34:26 +04:00
|
|
|
byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
|
|
|
|
|
|
|
|
|
|
if (labLen + seedLen > MAX_PRF_LABSEED)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
XMEMCPY(labelSeed, label, labLen);
|
|
|
|
|
XMEMCPY(labelSeed + labLen, seed, seedLen);
|
|
|
|
|
|
2012-06-28 01:41:16 +04:00
|
|
|
/* If a cipher suite wants an algorithm better than sha256, it
|
|
|
|
|
* should use better. */
|
|
|
|
|
if (hash_type < sha256_mac)
|
|
|
|
|
hash_type = sha256_mac;
|
2011-02-05 22:14:47 +03:00
|
|
|
p_hash(digest, digLen, secret, secLen, labelSeed, labLen + seedLen,
|
2012-06-28 01:41:16 +04:00
|
|
|
hash_type);
|
2011-02-05 22:14:47 +03:00
|
|
|
}
|
2012-11-27 06:40:43 +04:00
|
|
|
#ifndef NO_MD5
|
2012-09-05 03:34:26 +04:00
|
|
|
else
|
2012-09-05 23:30:51 +04:00
|
|
|
doPRF(digest, digLen, secret, secLen, label, labLen, seed, seedLen);
|
2012-11-27 06:40:43 +04:00
|
|
|
#endif
|
2011-02-05 22:14:47 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2012-06-28 20:06:24 +04:00
|
|
|
#ifdef CYASSL_SHA384
|
|
|
|
|
#define HSHASH_SZ SHA384_DIGEST_SIZE
|
|
|
|
|
#else
|
|
|
|
|
#define HSHASH_SZ FINISHED_SZ
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
void BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
const byte* side;
|
2012-06-28 20:06:24 +04:00
|
|
|
byte handshake_hash[HSHASH_SZ];
|
2011-02-28 23:21:06 +03:00
|
|
|
word32 hashSz = FINISHED_SZ;
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
#ifndef NO_MD5
|
2011-02-05 22:14:47 +03:00
|
|
|
Md5Final(&ssl->hashMd5, handshake_hash);
|
|
|
|
|
ShaFinal(&ssl->hashSha, &handshake_hash[MD5_DIGEST_SIZE]);
|
2012-11-27 06:40:43 +04:00
|
|
|
#endif
|
|
|
|
|
|
2011-02-28 23:21:06 +03:00
|
|
|
if (IsAtLeastTLSv1_2(ssl)) {
|
2012-06-28 01:41:16 +04:00
|
|
|
#ifndef NO_SHA256
|
|
|
|
|
if (ssl->specs.mac_algorithm <= sha256_mac) {
|
|
|
|
|
Sha256Final(&ssl->hashSha256, handshake_hash);
|
|
|
|
|
hashSz = SHA256_DIGEST_SIZE;
|
|
|
|
|
}
|
2011-02-28 23:21:06 +03:00
|
|
|
#endif
|
2012-06-28 01:41:16 +04:00
|
|
|
#ifdef CYASSL_SHA384
|
|
|
|
|
if (ssl->specs.mac_algorithm == sha384_mac) {
|
|
|
|
|
Sha384Final(&ssl->hashSha384, handshake_hash);
|
|
|
|
|
hashSz = SHA384_DIGEST_SIZE;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2011-02-05 22:14:47 +03:00
|
|
|
|
|
|
|
|
if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0)
|
|
|
|
|
side = tls_client;
|
|
|
|
|
else
|
|
|
|
|
side = tls_server;
|
|
|
|
|
|
2013-02-19 02:36:50 +04:00
|
|
|
PRF((byte*)hashes, TLS_FINISHED_SZ, ssl->arrays->masterSecret, SECRET_LEN,
|
2012-06-28 01:41:16 +04:00
|
|
|
side, FINISHED_LABEL_SZ, handshake_hash, hashSz, IsAtLeastTLSv1_2(ssl),
|
|
|
|
|
ssl->specs.mac_algorithm);
|
2011-02-05 22:14:47 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2012-11-28 10:17:25 +04:00
|
|
|
#ifndef NO_OLD_TLS
|
|
|
|
|
|
2011-02-05 22:14:47 +03:00
|
|
|
ProtocolVersion MakeTLSv1(void)
|
|
|
|
|
{
|
|
|
|
|
ProtocolVersion pv;
|
|
|
|
|
pv.major = SSLv3_MAJOR;
|
|
|
|
|
pv.minor = TLSv1_MINOR;
|
|
|
|
|
|
|
|
|
|
return pv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ProtocolVersion MakeTLSv1_1(void)
|
|
|
|
|
{
|
|
|
|
|
ProtocolVersion pv;
|
|
|
|
|
pv.major = SSLv3_MAJOR;
|
|
|
|
|
pv.minor = TLSv1_1_MINOR;
|
|
|
|
|
|
|
|
|
|
return pv;
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-28 10:17:25 +04:00
|
|
|
#endif
|
|
|
|
|
|
2011-02-05 22:14:47 +03:00
|
|
|
|
|
|
|
|
ProtocolVersion MakeTLSv1_2(void)
|
|
|
|
|
{
|
|
|
|
|
ProtocolVersion pv;
|
|
|
|
|
pv.major = SSLv3_MAJOR;
|
|
|
|
|
pv.minor = TLSv1_2_MINOR;
|
|
|
|
|
|
|
|
|
|
return pv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret";
|
|
|
|
|
static const byte key_label [KEY_LABEL_SZ + 1] = "key expansion";
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
int DeriveTlsKeys(CYASSL* ssl)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
int length = 2 * ssl->specs.hash_size +
|
|
|
|
|
2 * ssl->specs.key_size +
|
|
|
|
|
2 * ssl->specs.iv_size;
|
|
|
|
|
byte seed[SEED_LEN];
|
|
|
|
|
byte key_data[MAX_PRF_DIG];
|
|
|
|
|
|
2012-09-15 08:19:06 +04:00
|
|
|
XMEMCPY(seed, ssl->arrays->serverRandom, RAN_LEN);
|
|
|
|
|
XMEMCPY(&seed[RAN_LEN], ssl->arrays->clientRandom, RAN_LEN);
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2012-09-15 08:19:06 +04:00
|
|
|
PRF(key_data, length, ssl->arrays->masterSecret, SECRET_LEN, key_label,
|
2012-06-28 01:41:16 +04:00
|
|
|
KEY_LABEL_SZ, seed, SEED_LEN, IsAtLeastTLSv1_2(ssl),
|
|
|
|
|
ssl->specs.mac_algorithm);
|
2011-02-05 22:14:47 +03:00
|
|
|
|
|
|
|
|
return StoreKeys(ssl, key_data);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
int MakeTlsMasterSecret(CYASSL* ssl)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
byte seed[SEED_LEN];
|
|
|
|
|
|
2012-09-15 08:19:06 +04:00
|
|
|
XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
|
|
|
|
|
XMEMCPY(&seed[RAN_LEN], ssl->arrays->serverRandom, RAN_LEN);
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2012-09-15 08:19:06 +04:00
|
|
|
PRF(ssl->arrays->masterSecret, SECRET_LEN,
|
|
|
|
|
ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
|
2011-02-05 22:14:47 +03:00
|
|
|
master_label, MASTER_LABEL_SZ,
|
2012-06-28 01:41:16 +04:00
|
|
|
seed, SEED_LEN, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
|
2011-02-05 22:14:47 +03:00
|
|
|
|
|
|
|
|
#ifdef SHOW_SECRETS
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
printf("master secret: ");
|
|
|
|
|
for (i = 0; i < SECRET_LEN; i++)
|
2012-09-15 08:19:06 +04:00
|
|
|
printf("%02x", ssl->arrays->masterSecret[i]);
|
2011-02-05 22:14:47 +03:00
|
|
|
printf("\n");
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
return DeriveTlsKeys(ssl);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*** next for static INLINE s copied from cyassl_int.c ***/
|
|
|
|
|
|
|
|
|
|
/* convert 16 bit integer to opaque */
|
2011-04-28 04:31:08 +04:00
|
|
|
INLINE static void c16toa(word16 u16, byte* c)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
c[0] = (u16 >> 8) & 0xff;
|
|
|
|
|
c[1] = u16 & 0xff;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* convert 32 bit integer to opaque */
|
|
|
|
|
static INLINE void c32toa(word32 u32, byte* c)
|
|
|
|
|
{
|
|
|
|
|
c[0] = (u32 >> 24) & 0xff;
|
|
|
|
|
c[1] = (u32 >> 16) & 0xff;
|
|
|
|
|
c[2] = (u32 >> 8) & 0xff;
|
|
|
|
|
c[3] = u32 & 0xff;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
static INLINE word32 GetSEQIncrement(CYASSL* ssl, int verify)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
#ifdef CYASSL_DTLS
|
|
|
|
|
if (ssl->options.dtls) {
|
|
|
|
|
if (verify)
|
|
|
|
|
return ssl->keys.dtls_peer_sequence_number; /* explicit from peer */
|
|
|
|
|
else
|
|
|
|
|
return ssl->keys.dtls_sequence_number - 1; /* already incremented */
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
if (verify)
|
|
|
|
|
return ssl->keys.peer_sequence_number++;
|
|
|
|
|
else
|
|
|
|
|
return ssl->keys.sequence_number++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef CYASSL_DTLS
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
static INLINE word32 GetEpoch(CYASSL* ssl, int verify)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
if (verify)
|
|
|
|
|
return ssl->keys.dtls_peer_epoch;
|
|
|
|
|
else
|
|
|
|
|
return ssl->keys.dtls_epoch;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* CYASSL_DTLS */
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
static INLINE const byte* GetMacSecret(CYASSL* ssl, int verify)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
if ( (ssl->options.side == CLIENT_END && !verify) ||
|
|
|
|
|
(ssl->options.side == SERVER_END && verify) )
|
|
|
|
|
return ssl->keys.client_write_MAC_secret;
|
|
|
|
|
else
|
|
|
|
|
return ssl->keys.server_write_MAC_secret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*** end copy ***/
|
|
|
|
|
|
|
|
|
|
|
2011-03-04 22:13:28 +03:00
|
|
|
/* TLS type HMAC */
|
2011-08-27 01:40:51 +04:00
|
|
|
void TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz,
|
2011-02-05 22:14:47 +03:00
|
|
|
int content, int verify)
|
|
|
|
|
{
|
|
|
|
|
Hmac hmac;
|
2012-12-15 04:47:03 +04:00
|
|
|
byte seq[SEQ_SZ];
|
2011-02-05 22:14:47 +03:00
|
|
|
byte length[LENGTH_SZ];
|
|
|
|
|
byte inner[ENUM_LEN + VERSION_SZ + LENGTH_SZ]; /* type + version +len */
|
|
|
|
|
int type;
|
|
|
|
|
|
2012-12-15 04:47:03 +04:00
|
|
|
XMEMSET(seq, 0, SEQ_SZ);
|
2011-02-05 22:14:47 +03:00
|
|
|
c16toa((word16)sz, length);
|
|
|
|
|
#ifdef CYASSL_DTLS
|
|
|
|
|
if (ssl->options.dtls)
|
2012-10-10 03:13:05 +04:00
|
|
|
c16toa((word16)GetEpoch(ssl, verify), seq);
|
2011-02-05 22:14:47 +03:00
|
|
|
#endif
|
|
|
|
|
c32toa(GetSEQIncrement(ssl, verify), &seq[sizeof(word32)]);
|
|
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
switch (ssl->specs.mac_algorithm) {
|
|
|
|
|
#ifndef NO_MD5
|
|
|
|
|
case md5_mac:
|
|
|
|
|
{
|
|
|
|
|
type = MD5;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef NO_SHA256
|
|
|
|
|
case sha256_mac:
|
|
|
|
|
{
|
|
|
|
|
type = SHA256;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
2013-03-05 01:25:46 +04:00
|
|
|
#ifdef CYASSL_SHA384
|
|
|
|
|
case sha384_mac:
|
|
|
|
|
{
|
|
|
|
|
type = SHA384;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
2012-11-27 06:40:43 +04:00
|
|
|
case sha_mac:
|
|
|
|
|
default:
|
|
|
|
|
{
|
|
|
|
|
type = SHA;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
2011-02-05 22:14:47 +03:00
|
|
|
HmacSetKey(&hmac, type, GetMacSecret(ssl, verify), ssl->specs.hash_size);
|
|
|
|
|
|
|
|
|
|
HmacUpdate(&hmac, seq, SEQ_SZ); /* seq_num */
|
2011-07-13 00:55:20 +04:00
|
|
|
inner[0] = (byte)content; /* type */
|
2011-02-05 22:14:47 +03:00
|
|
|
inner[ENUM_LEN] = ssl->version.major;
|
|
|
|
|
inner[ENUM_LEN + ENUM_LEN] = ssl->version.minor; /* version */
|
|
|
|
|
XMEMCPY(&inner[ENUM_LEN + VERSION_SZ], length, LENGTH_SZ); /* length */
|
|
|
|
|
HmacUpdate(&hmac, inner, sizeof(inner));
|
2011-05-25 21:25:05 +04:00
|
|
|
HmacUpdate(&hmac, in, sz); /* content */
|
2011-02-05 22:14:47 +03:00
|
|
|
HmacFinal(&hmac, digest);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifndef NO_CYASSL_CLIENT
|
|
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
#ifndef NO_OLD_TLS
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* CyaTLSv1_client_method(void)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* method =
|
|
|
|
|
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
|
|
|
|
|
DYNAMIC_TYPE_METHOD);
|
2011-02-05 22:14:47 +03:00
|
|
|
if (method)
|
|
|
|
|
InitSSL_Method(method, MakeTLSv1());
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* CyaTLSv1_1_client_method(void)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* method =
|
|
|
|
|
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
|
|
|
|
|
DYNAMIC_TYPE_METHOD);
|
2011-02-05 22:14:47 +03:00
|
|
|
if (method)
|
|
|
|
|
InitSSL_Method(method, MakeTLSv1_1());
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
#endif /* !NO_OLD_TLS */
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2011-08-06 00:09:54 +04:00
|
|
|
#ifndef NO_SHA256 /* can't use without SHA256 */
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* CyaTLSv1_2_client_method(void)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* method =
|
|
|
|
|
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
|
|
|
|
|
DYNAMIC_TYPE_METHOD);
|
2011-02-05 22:14:47 +03:00
|
|
|
if (method)
|
|
|
|
|
InitSSL_Method(method, MakeTLSv1_2());
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
2011-08-06 00:09:54 +04:00
|
|
|
#endif
|
|
|
|
|
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* CyaSSLv23_client_method(void)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* method =
|
|
|
|
|
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
|
|
|
|
|
DYNAMIC_TYPE_METHOD);
|
2011-04-26 02:49:30 +04:00
|
|
|
if (method) {
|
2011-08-06 00:09:54 +04:00
|
|
|
#ifndef NO_SHA256 /* 1.2 requires SHA256 */
|
2011-04-26 02:49:30 +04:00
|
|
|
InitSSL_Method(method, MakeTLSv1_2());
|
2011-08-06 00:09:54 +04:00
|
|
|
#else
|
|
|
|
|
InitSSL_Method(method, MakeTLSv1_1());
|
|
|
|
|
#endif
|
2012-11-27 06:40:43 +04:00
|
|
|
#ifndef NO_OLD_TLS
|
2011-04-26 02:49:30 +04:00
|
|
|
method->downgrade = 1;
|
2012-11-27 06:40:43 +04:00
|
|
|
#endif
|
2011-04-26 02:49:30 +04:00
|
|
|
}
|
2011-02-05 22:14:47 +03:00
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#endif /* NO_CYASSL_CLIENT */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifndef NO_CYASSL_SERVER
|
|
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
#ifndef NO_OLD_TLS
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* CyaTLSv1_server_method(void)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* method =
|
|
|
|
|
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
|
|
|
|
|
DYNAMIC_TYPE_METHOD);
|
2011-02-05 22:14:47 +03:00
|
|
|
if (method) {
|
|
|
|
|
InitSSL_Method(method, MakeTLSv1());
|
|
|
|
|
method->side = SERVER_END;
|
|
|
|
|
}
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* CyaTLSv1_1_server_method(void)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* method =
|
|
|
|
|
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
|
|
|
|
|
DYNAMIC_TYPE_METHOD);
|
2011-02-05 22:14:47 +03:00
|
|
|
if (method) {
|
|
|
|
|
InitSSL_Method(method, MakeTLSv1_1());
|
|
|
|
|
method->side = SERVER_END;
|
|
|
|
|
}
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-27 06:40:43 +04:00
|
|
|
#endif /* !NO_OLD_TLS */
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2011-08-06 00:09:54 +04:00
|
|
|
#ifndef NO_SHA256 /* can't use without SHA256 */
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* CyaTLSv1_2_server_method(void)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* method =
|
|
|
|
|
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
|
|
|
|
|
DYNAMIC_TYPE_METHOD);
|
2011-02-05 22:14:47 +03:00
|
|
|
if (method) {
|
|
|
|
|
InitSSL_Method(method, MakeTLSv1_2());
|
|
|
|
|
method->side = SERVER_END;
|
|
|
|
|
}
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
2011-08-06 00:09:54 +04:00
|
|
|
#endif
|
|
|
|
|
|
2011-02-05 22:14:47 +03:00
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* CyaSSLv23_server_method(void)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-08-27 01:40:51 +04:00
|
|
|
CYASSL_METHOD* method =
|
|
|
|
|
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
|
|
|
|
|
DYNAMIC_TYPE_METHOD);
|
2011-02-05 22:14:47 +03:00
|
|
|
if (method) {
|
2011-08-06 00:09:54 +04:00
|
|
|
#ifndef NO_SHA256 /* 1.2 requires SHA256 */
|
2011-04-26 02:49:30 +04:00
|
|
|
InitSSL_Method(method, MakeTLSv1_2());
|
2011-08-06 00:09:54 +04:00
|
|
|
#else
|
|
|
|
|
InitSSL_Method(method, MakeTLSv1_1());
|
|
|
|
|
#endif
|
2011-02-05 22:14:47 +03:00
|
|
|
method->side = SERVER_END;
|
2012-11-27 06:40:43 +04:00
|
|
|
#ifndef NO_OLD_TLS
|
2011-02-05 22:14:47 +03:00
|
|
|
method->downgrade = 1;
|
2012-11-27 06:40:43 +04:00
|
|
|
#endif /* !NO_OLD_TLS */
|
2011-02-05 22:14:47 +03:00
|
|
|
}
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#endif /* NO_CYASSL_SERVER */
|
|
|
|
|
|
|
|
|
|
#else /* NO_TLS */
|
|
|
|
|
|
|
|
|
|
/* catch CyaSSL programming errors */
|
2011-08-27 01:40:51 +04:00
|
|
|
void BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
int DeriveTlsKeys(CYASSL* ssl)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-04-21 03:58:51 +04:00
|
|
|
return NOT_COMPILED_IN;
|
2011-02-05 22:14:47 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-08-27 01:40:51 +04:00
|
|
|
int MakeTlsMasterSecret(CYASSL* ssl)
|
2011-02-05 22:14:47 +03:00
|
|
|
{
|
2011-04-21 03:58:51 +04:00
|
|
|
return NOT_COMPILED_IN;
|
2011-02-05 22:14:47 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* NO_TLS */
|
|
|
|
|
|
