wolfssl/src/tls.c

649 lines
16 KiB
C
Raw Normal View History

2011-02-05 22:14:47 +03:00
/* tls.c
*
2013-02-06 00:44:17 +04:00
* Copyright (C) 2006-2013 wolfSSL Inc.
2011-02-05 22:14:47 +03:00
*
* This file is part of CyaSSL.
*
* CyaSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* CyaSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
2011-02-05 22:14:47 +03:00
#include <cyassl/ssl.h>
#include <cyassl/internal.h>
#include <cyassl/error.h>
#include <cyassl/ctaocrypt/hmac.h>
2011-02-05 22:14:47 +03:00
#ifndef NO_TLS
2012-06-02 02:37:51 +04:00
#ifndef min
static INLINE word32 min(word32 a, word32 b)
{
return a > b ? b : a;
}
#endif /* min */
#ifdef CYASSL_SHA384
#define PHASH_MAX_DIGEST_SIZE SHA384_DIGEST_SIZE
#else
#define PHASH_MAX_DIGEST_SIZE SHA256_DIGEST_SIZE
#endif
2011-02-05 22:14:47 +03:00
/* compute p_hash for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1 PRF */
2011-04-28 04:31:08 +04:00
static void p_hash(byte* result, word32 resLen, const byte* secret,
word32 secLen, const byte* seed, word32 seedLen, int hash)
2011-02-05 22:14:47 +03:00
{
word32 len = PHASH_MAX_DIGEST_SIZE;
word32 times;
word32 lastLen;
2011-02-05 22:14:47 +03:00
word32 lastTime;
word32 i;
word32 idx = 0;
byte previous[PHASH_MAX_DIGEST_SIZE]; /* max size */
byte current[PHASH_MAX_DIGEST_SIZE]; /* max size */
2011-02-05 22:14:47 +03:00
Hmac hmac;
switch (hash) {
#ifndef NO_MD5
case md5_mac:
{
len = MD5_DIGEST_SIZE;
hash = MD5;
}
break;
#endif
#ifndef NO_SHA256
case sha256_mac:
{
len = SHA256_DIGEST_SIZE;
hash = SHA256;
}
break;
#endif
#ifdef CYASSL_SHA384
case sha384_mac:
{
len = SHA384_DIGEST_SIZE;
hash = SHA384;
}
break;
#endif
#ifndef NO_SHA
case sha_mac:
default:
{
len = SHA_DIGEST_SIZE;
hash = SHA;
}
break;
#endif
}
times = resLen / len;
lastLen = resLen % len;
2011-02-05 22:14:47 +03:00
if (lastLen) times += 1;
lastTime = times - 1;
HmacSetKey(&hmac, hash, secret, secLen);
2011-02-05 22:14:47 +03:00
HmacUpdate(&hmac, seed, seedLen); /* A0 = seed */
HmacFinal(&hmac, previous); /* A1 */
for (i = 0; i < times; i++) {
HmacUpdate(&hmac, previous, len);
HmacUpdate(&hmac, seed, seedLen);
HmacFinal(&hmac, current);
if ( (i == lastTime) && lastLen)
2012-06-02 02:37:51 +04:00
XMEMCPY(&result[idx], current, min(lastLen, sizeof(current)));
2011-02-05 22:14:47 +03:00
else {
XMEMCPY(&result[idx], current, len);
idx += len;
HmacUpdate(&hmac, previous, len);
HmacFinal(&hmac, previous);
}
}
2013-03-20 20:12:00 +04:00
XMEMSET(previous, 0, sizeof previous);
XMEMSET(current, 0, sizeof current);
XMEMSET(&hmac, 0, sizeof hmac);
2011-02-05 22:14:47 +03:00
}
#ifndef NO_OLD_TLS
/* calculate XOR for TLSv1 PRF */
static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha)
{
word32 i;
for (i = 0; i < digLen; i++)
digest[i] = md5[i] ^ sha[i];
}
2011-02-05 22:14:47 +03:00
/* compute TLSv1 PRF (pseudo random function using HMAC) */
static void doPRF(byte* digest, word32 digLen, const byte* secret,word32 secLen,
const byte* label, word32 labLen, const byte* seed, word32 seedLen)
2011-02-05 22:14:47 +03:00
{
word32 half = (secLen + 1) / 2;
byte md5_half[MAX_PRF_HALF]; /* half is real size */
byte sha_half[MAX_PRF_HALF]; /* half is real size */
byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
byte md5_result[MAX_PRF_DIG]; /* digLen is real size */
byte sha_result[MAX_PRF_DIG]; /* digLen is real size */
if (half > MAX_PRF_HALF)
return;
if (labLen + seedLen > MAX_PRF_LABSEED)
return;
if (digLen > MAX_PRF_DIG)
return;
XMEMCPY(md5_half, secret, half);
XMEMCPY(sha_half, secret + half - secLen % 2, half);
XMEMCPY(labelSeed, label, labLen);
XMEMCPY(labelSeed + labLen, seed, seedLen);
p_hash(md5_result, digLen, md5_half, half, labelSeed, labLen + seedLen,
md5_mac);
p_hash(sha_result, digLen, sha_half, half, labelSeed, labLen + seedLen,
sha_mac);
get_xor(digest, digLen, md5_result, sha_result);
}
#endif
/* Wrapper to call straight thru to p_hash in TSL 1.2 cases to remove stack
use */
static void PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen,
const byte* label, word32 labLen, const byte* seed, word32 seedLen,
int useAtLeastSha256, int hash_type)
{
if (useAtLeastSha256) {
byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
if (labLen + seedLen > MAX_PRF_LABSEED)
return;
XMEMCPY(labelSeed, label, labLen);
XMEMCPY(labelSeed + labLen, seed, seedLen);
/* If a cipher suite wants an algorithm better than sha256, it
* should use better. */
if (hash_type < sha256_mac)
hash_type = sha256_mac;
2011-02-05 22:14:47 +03:00
p_hash(digest, digLen, secret, secLen, labelSeed, labLen + seedLen,
hash_type);
2011-02-05 22:14:47 +03:00
}
#ifndef NO_OLD_TLS
else
doPRF(digest, digLen, secret, secLen, label, labLen, seed, seedLen);
#endif
2011-02-05 22:14:47 +03:00
}
#ifdef CYASSL_SHA384
#define HSHASH_SZ SHA384_DIGEST_SIZE
#else
#define HSHASH_SZ FINISHED_SZ
#endif
void BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
2011-02-05 22:14:47 +03:00
{
const byte* side;
byte handshake_hash[HSHASH_SZ];
2011-02-28 23:21:06 +03:00
word32 hashSz = FINISHED_SZ;
2011-02-05 22:14:47 +03:00
#ifndef NO_OLD_TLS
2011-02-05 22:14:47 +03:00
Md5Final(&ssl->hashMd5, handshake_hash);
ShaFinal(&ssl->hashSha, &handshake_hash[MD5_DIGEST_SIZE]);
#endif
2011-02-28 23:21:06 +03:00
if (IsAtLeastTLSv1_2(ssl)) {
#ifndef NO_SHA256
if (ssl->specs.mac_algorithm <= sha256_mac) {
Sha256Final(&ssl->hashSha256, handshake_hash);
hashSz = SHA256_DIGEST_SIZE;
}
2011-02-28 23:21:06 +03:00
#endif
#ifdef CYASSL_SHA384
if (ssl->specs.mac_algorithm == sha384_mac) {
Sha384Final(&ssl->hashSha384, handshake_hash);
hashSz = SHA384_DIGEST_SIZE;
}
#endif
}
2011-02-05 22:14:47 +03:00
if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0)
side = tls_client;
else
side = tls_server;
2013-02-19 02:36:50 +04:00
PRF((byte*)hashes, TLS_FINISHED_SZ, ssl->arrays->masterSecret, SECRET_LEN,
side, FINISHED_LABEL_SZ, handshake_hash, hashSz, IsAtLeastTLSv1_2(ssl),
ssl->specs.mac_algorithm);
2011-02-05 22:14:47 +03:00
}
#ifndef NO_OLD_TLS
2011-02-05 22:14:47 +03:00
ProtocolVersion MakeTLSv1(void)
{
ProtocolVersion pv;
pv.major = SSLv3_MAJOR;
pv.minor = TLSv1_MINOR;
return pv;
}
ProtocolVersion MakeTLSv1_1(void)
{
ProtocolVersion pv;
pv.major = SSLv3_MAJOR;
pv.minor = TLSv1_1_MINOR;
return pv;
}
#endif
2011-02-05 22:14:47 +03:00
ProtocolVersion MakeTLSv1_2(void)
{
ProtocolVersion pv;
pv.major = SSLv3_MAJOR;
pv.minor = TLSv1_2_MINOR;
return pv;
}
static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret";
static const byte key_label [KEY_LABEL_SZ + 1] = "key expansion";
int DeriveTlsKeys(CYASSL* ssl)
2011-02-05 22:14:47 +03:00
{
int length = 2 * ssl->specs.hash_size +
2 * ssl->specs.key_size +
2 * ssl->specs.iv_size;
byte seed[SEED_LEN];
byte key_data[MAX_PRF_DIG];
2012-09-15 08:19:06 +04:00
XMEMCPY(seed, ssl->arrays->serverRandom, RAN_LEN);
XMEMCPY(&seed[RAN_LEN], ssl->arrays->clientRandom, RAN_LEN);
2011-02-05 22:14:47 +03:00
2012-09-15 08:19:06 +04:00
PRF(key_data, length, ssl->arrays->masterSecret, SECRET_LEN, key_label,
KEY_LABEL_SZ, seed, SEED_LEN, IsAtLeastTLSv1_2(ssl),
ssl->specs.mac_algorithm);
2011-02-05 22:14:47 +03:00
return StoreKeys(ssl, key_data);
}
int MakeTlsMasterSecret(CYASSL* ssl)
2011-02-05 22:14:47 +03:00
{
byte seed[SEED_LEN];
2012-09-15 08:19:06 +04:00
XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
XMEMCPY(&seed[RAN_LEN], ssl->arrays->serverRandom, RAN_LEN);
2011-02-05 22:14:47 +03:00
2012-09-15 08:19:06 +04:00
PRF(ssl->arrays->masterSecret, SECRET_LEN,
ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
2011-02-05 22:14:47 +03:00
master_label, MASTER_LABEL_SZ,
seed, SEED_LEN, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
2011-02-05 22:14:47 +03:00
#ifdef SHOW_SECRETS
{
int i;
printf("master secret: ");
for (i = 0; i < SECRET_LEN; i++)
2012-09-15 08:19:06 +04:00
printf("%02x", ssl->arrays->masterSecret[i]);
2011-02-05 22:14:47 +03:00
printf("\n");
}
#endif
return DeriveTlsKeys(ssl);
}
2013-03-22 22:30:12 +04:00
/* Used by EAP-TLS and EAP-TTLS to derive keying material from
* the master_secret. */
int CyaSSL_make_eap_keys(CYASSL* ssl, void* msk, unsigned int len,
const char* label)
{
byte seed[SEED_LEN];
/*
* As per RFC-5281, the order of the client and server randoms is reversed
* from that used by the TLS protocol to derive keys.
*/
XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
XMEMCPY(&seed[RAN_LEN], ssl->arrays->serverRandom, RAN_LEN);
2013-03-25 00:06:22 +04:00
PRF((byte*)msk, len,
2013-03-22 22:30:12 +04:00
ssl->arrays->masterSecret, SECRET_LEN,
(const byte *)label, (word32)strlen(label),
seed, SEED_LEN, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
return 0;
}
2011-02-05 22:14:47 +03:00
/*** next for static INLINE s copied from cyassl_int.c ***/
/* convert 16 bit integer to opaque */
2011-04-28 04:31:08 +04:00
INLINE static void c16toa(word16 u16, byte* c)
2011-02-05 22:14:47 +03:00
{
c[0] = (u16 >> 8) & 0xff;
c[1] = u16 & 0xff;
}
/* convert 32 bit integer to opaque */
static INLINE void c32toa(word32 u32, byte* c)
{
c[0] = (u32 >> 24) & 0xff;
c[1] = (u32 >> 16) & 0xff;
c[2] = (u32 >> 8) & 0xff;
c[3] = u32 & 0xff;
}
static INLINE word32 GetSEQIncrement(CYASSL* ssl, int verify)
2011-02-05 22:14:47 +03:00
{
#ifdef CYASSL_DTLS
if (ssl->options.dtls) {
if (verify)
return ssl->keys.dtls_peer_sequence_number; /* explicit from peer */
else
return ssl->keys.dtls_sequence_number - 1; /* already incremented */
}
#endif
if (verify)
return ssl->keys.peer_sequence_number++;
else
return ssl->keys.sequence_number++;
}
#ifdef CYASSL_DTLS
static INLINE word32 GetEpoch(CYASSL* ssl, int verify)
2011-02-05 22:14:47 +03:00
{
if (verify)
return ssl->keys.dtls_peer_epoch;
else
return ssl->keys.dtls_epoch;
}
#endif /* CYASSL_DTLS */
static INLINE const byte* GetMacSecret(CYASSL* ssl, int verify)
2011-02-05 22:14:47 +03:00
{
if ( (ssl->options.side == CLIENT_END && !verify) ||
(ssl->options.side == SERVER_END && verify) )
return ssl->keys.client_write_MAC_secret;
else
return ssl->keys.server_write_MAC_secret;
}
/*** end copy ***/
2011-03-04 22:13:28 +03:00
/* TLS type HMAC */
void TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz,
2011-02-05 22:14:47 +03:00
int content, int verify)
{
Hmac hmac;
byte seq[SEQ_SZ];
2011-02-05 22:14:47 +03:00
byte length[LENGTH_SZ];
byte inner[ENUM_LEN + VERSION_SZ + LENGTH_SZ]; /* type + version +len */
int type;
XMEMSET(seq, 0, SEQ_SZ);
2011-02-05 22:14:47 +03:00
c16toa((word16)sz, length);
#ifdef CYASSL_DTLS
if (ssl->options.dtls)
2012-10-10 03:13:05 +04:00
c16toa((word16)GetEpoch(ssl, verify), seq);
2011-02-05 22:14:47 +03:00
#endif
c32toa(GetSEQIncrement(ssl, verify), &seq[sizeof(word32)]);
switch (ssl->specs.mac_algorithm) {
#ifndef NO_MD5
case md5_mac:
{
type = MD5;
}
break;
#endif
#ifndef NO_SHA256
case sha256_mac:
{
type = SHA256;
}
break;
#endif
#ifdef CYASSL_SHA384
case sha384_mac:
{
type = SHA384;
}
break;
#endif
#ifndef NO_SHA
case sha_mac:
default:
{
type = SHA;
}
break;
#endif
}
2011-02-05 22:14:47 +03:00
HmacSetKey(&hmac, type, GetMacSecret(ssl, verify), ssl->specs.hash_size);
HmacUpdate(&hmac, seq, SEQ_SZ); /* seq_num */
inner[0] = (byte)content; /* type */
2011-02-05 22:14:47 +03:00
inner[ENUM_LEN] = ssl->version.major;
inner[ENUM_LEN + ENUM_LEN] = ssl->version.minor; /* version */
XMEMCPY(&inner[ENUM_LEN + VERSION_SZ], length, LENGTH_SZ); /* length */
HmacUpdate(&hmac, inner, sizeof(inner));
2011-05-25 21:25:05 +04:00
HmacUpdate(&hmac, in, sz); /* content */
2011-02-05 22:14:47 +03:00
HmacFinal(&hmac, digest);
}
#ifndef NO_CYASSL_CLIENT
#ifndef NO_OLD_TLS
CYASSL_METHOD* CyaTLSv1_client_method(void)
2011-02-05 22:14:47 +03:00
{
CYASSL_METHOD* method =
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
DYNAMIC_TYPE_METHOD);
2011-02-05 22:14:47 +03:00
if (method)
InitSSL_Method(method, MakeTLSv1());
return method;
}
CYASSL_METHOD* CyaTLSv1_1_client_method(void)
2011-02-05 22:14:47 +03:00
{
CYASSL_METHOD* method =
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
DYNAMIC_TYPE_METHOD);
2011-02-05 22:14:47 +03:00
if (method)
InitSSL_Method(method, MakeTLSv1_1());
return method;
}
#endif /* !NO_OLD_TLS */
2011-02-05 22:14:47 +03:00
#ifndef NO_SHA256 /* can't use without SHA256 */
CYASSL_METHOD* CyaTLSv1_2_client_method(void)
2011-02-05 22:14:47 +03:00
{
CYASSL_METHOD* method =
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
DYNAMIC_TYPE_METHOD);
2011-02-05 22:14:47 +03:00
if (method)
InitSSL_Method(method, MakeTLSv1_2());
return method;
}
#endif
2011-02-05 22:14:47 +03:00
CYASSL_METHOD* CyaSSLv23_client_method(void)
2011-02-05 22:14:47 +03:00
{
CYASSL_METHOD* method =
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
DYNAMIC_TYPE_METHOD);
if (method) {
#ifndef NO_SHA256 /* 1.2 requires SHA256 */
InitSSL_Method(method, MakeTLSv1_2());
#else
InitSSL_Method(method, MakeTLSv1_1());
#endif
#ifndef NO_OLD_TLS
method->downgrade = 1;
#endif
}
2011-02-05 22:14:47 +03:00
return method;
}
#endif /* NO_CYASSL_CLIENT */
#ifndef NO_CYASSL_SERVER
#ifndef NO_OLD_TLS
CYASSL_METHOD* CyaTLSv1_server_method(void)
2011-02-05 22:14:47 +03:00
{
CYASSL_METHOD* method =
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
DYNAMIC_TYPE_METHOD);
2011-02-05 22:14:47 +03:00
if (method) {
InitSSL_Method(method, MakeTLSv1());
method->side = SERVER_END;
}
return method;
}
CYASSL_METHOD* CyaTLSv1_1_server_method(void)
2011-02-05 22:14:47 +03:00
{
CYASSL_METHOD* method =
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
DYNAMIC_TYPE_METHOD);
2011-02-05 22:14:47 +03:00
if (method) {
InitSSL_Method(method, MakeTLSv1_1());
method->side = SERVER_END;
}
return method;
}
#endif /* !NO_OLD_TLS */
2011-02-05 22:14:47 +03:00
#ifndef NO_SHA256 /* can't use without SHA256 */
CYASSL_METHOD* CyaTLSv1_2_server_method(void)
2011-02-05 22:14:47 +03:00
{
CYASSL_METHOD* method =
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
DYNAMIC_TYPE_METHOD);
2011-02-05 22:14:47 +03:00
if (method) {
InitSSL_Method(method, MakeTLSv1_2());
method->side = SERVER_END;
}
return method;
}
#endif
2011-02-05 22:14:47 +03:00
CYASSL_METHOD* CyaSSLv23_server_method(void)
2011-02-05 22:14:47 +03:00
{
CYASSL_METHOD* method =
(CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0,
DYNAMIC_TYPE_METHOD);
2011-02-05 22:14:47 +03:00
if (method) {
#ifndef NO_SHA256 /* 1.2 requires SHA256 */
InitSSL_Method(method, MakeTLSv1_2());
#else
InitSSL_Method(method, MakeTLSv1_1());
#endif
2011-02-05 22:14:47 +03:00
method->side = SERVER_END;
#ifndef NO_OLD_TLS
2011-02-05 22:14:47 +03:00
method->downgrade = 1;
#endif /* !NO_OLD_TLS */
2011-02-05 22:14:47 +03:00
}
return method;
}
#endif /* NO_CYASSL_SERVER */
#else /* NO_TLS */
/* catch CyaSSL programming errors */
void BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
2011-02-05 22:14:47 +03:00
{
}
int DeriveTlsKeys(CYASSL* ssl)
2011-02-05 22:14:47 +03:00
{
return NOT_COMPILED_IN;
2011-02-05 22:14:47 +03:00
}
int MakeTlsMasterSecret(CYASSL* ssl)
2011-02-05 22:14:47 +03:00
{
return NOT_COMPILED_IN;
2011-02-05 22:14:47 +03:00
}
2013-03-22 22:30:12 +04:00
int CyaSSL_make_eap_keys(CYASSL* ssl, void* msk, unsigned int len,
const char* label)
{
2013-03-25 00:06:22 +04:00
return NOT_COMPILED_IN;
2013-03-22 22:30:12 +04:00
}
2011-02-05 22:14:47 +03:00
#endif /* NO_TLS */