5298 lines
155 KiB
C
5298 lines
155 KiB
C
/* cyassl_int.c
|
|
*
|
|
* Copyright (C) 2006-2011 Sawtooth Consulting Ltd.
|
|
*
|
|
* This file is part of CyaSSL.
|
|
*
|
|
* CyaSSL is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* CyaSSL is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
|
|
*/
|
|
|
|
|
|
|
|
#include "cyassl_int.h"
|
|
#include "cyassl_error.h"
|
|
#include "asn.h"
|
|
|
|
#ifdef HAVE_LIBZ
|
|
#include "zlib.h"
|
|
#endif
|
|
|
|
#ifdef HAVE_NTRU
|
|
#include "crypto_ntru.h"
|
|
#endif
|
|
|
|
#if defined(DEBUG_CYASSL) || defined(SHOW_SECRETS)
|
|
#include <stdio.h>
|
|
#endif
|
|
|
|
#ifdef __sun
|
|
#include <sys/filio.h>
|
|
#endif
|
|
|
|
#define TRUE 1
|
|
#define FALSE 0
|
|
|
|
|
|
#if defined(OPENSSL_EXTRA) && defined(NO_DH)
|
|
#error OPENSSL_EXTRA needs DH, please remove NO_DH
|
|
#endif
|
|
|
|
|
|
int CyaSSL_negotiate(SSL*);
|
|
|
|
|
|
#ifndef NO_CYASSL_CLIENT
|
|
static int DoHelloVerifyRequest(SSL* ssl, const byte* input, word32*);
|
|
static int DoServerHello(SSL* ssl, const byte* input, word32*);
|
|
static int DoCertificateRequest(SSL* ssl, const byte* input, word32*);
|
|
static int DoServerKeyExchange(SSL* ssl, const byte* input, word32*);
|
|
#endif
|
|
|
|
|
|
#ifndef NO_CYASSL_SERVER
|
|
static int DoClientHello(SSL* ssl, const byte* input, word32*, word32,
|
|
word32);
|
|
static int DoCertificateVerify(SSL* ssl, byte*, word32*, word32);
|
|
static int DoClientKeyExchange(SSL* ssl, byte* input, word32*);
|
|
#endif
|
|
|
|
typedef enum {
|
|
doProcessInit = 0,
|
|
#ifndef NO_CYASSL_SERVER
|
|
runProcessOldClientHello,
|
|
#endif
|
|
getRecordLayerHeader,
|
|
getData,
|
|
runProcessingOneMessage
|
|
} processReply;
|
|
|
|
static void Hmac(SSL* ssl, byte* digest, const byte* buffer, word32 sz,
|
|
int content, int verify);
|
|
|
|
static void BuildCertHashes(SSL* ssl, Hashes* hashes);
|
|
|
|
|
|
void BuildTlsFinished(SSL* ssl, Hashes* hashes, const byte* sender);
|
|
|
|
|
|
#ifndef min
|
|
|
|
static INLINE word32 min(word32 a, word32 b)
|
|
{
|
|
return a > b ? b : a;
|
|
}
|
|
|
|
#endif /* min */
|
|
|
|
|
|
int IsTLS(const SSL* ssl)
|
|
{
|
|
if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_MINOR)
|
|
return 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
int IsAtLeastTLSv1_2(const SSL* ssl)
|
|
{
|
|
if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_2_MINOR)
|
|
return 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
#ifdef HAVE_NTRU
|
|
|
|
static byte GetEntropy(ENTROPY_CMD cmd, byte* out)
|
|
{
|
|
/* TODO: add locking? */
|
|
static RNG rng;
|
|
|
|
if (cmd == INIT) {
|
|
int ret = InitRng(&rng);
|
|
if (ret == 0)
|
|
return 1;
|
|
else
|
|
return 0;
|
|
}
|
|
|
|
if (out == NULL)
|
|
return 0;
|
|
|
|
if (cmd == GET_BYTE_OF_ENTROPY) {
|
|
RNG_GenerateBlock(&rng, out, 1);
|
|
return 1;
|
|
}
|
|
|
|
if (cmd == GET_NUM_BYTES_PER_BYTE_OF_ENTROPY) {
|
|
*out = 1;
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
#endif /* HAVE_NTRU */
|
|
|
|
static INLINE void c32to24(word32 in, word24 out)
|
|
{
|
|
out[0] = (in >> 16) & 0xff;
|
|
out[1] = (in >> 8) & 0xff;
|
|
out[2] = in & 0xff;
|
|
}
|
|
|
|
|
|
static INLINE void c32to48(word32 in, byte out[6])
|
|
{
|
|
out[0] = 0;
|
|
out[1] = 0;
|
|
out[2] = (in >> 24) & 0xff;
|
|
out[3] = (in >> 16) & 0xff;
|
|
out[4] = (in >> 8) & 0xff;
|
|
out[5] = in & 0xff;
|
|
}
|
|
|
|
|
|
/* convert 16 bit integer to opaque */
|
|
static void INLINE c16toa(word16 u16, byte* c)
|
|
{
|
|
c[0] = (u16 >> 8) & 0xff;
|
|
c[1] = u16 & 0xff;
|
|
}
|
|
|
|
|
|
/* convert 32 bit integer to opaque */
|
|
static INLINE void c32toa(word32 u32, byte* c)
|
|
{
|
|
c[0] = (u32 >> 24) & 0xff;
|
|
c[1] = (u32 >> 16) & 0xff;
|
|
c[2] = (u32 >> 8) & 0xff;
|
|
c[3] = u32 & 0xff;
|
|
}
|
|
|
|
|
|
/* convert a 24 bit integer into a 32 bit one */
|
|
static INLINE void c24to32(const word24 u24, word32* u32)
|
|
{
|
|
*u32 = 0;
|
|
*u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2];
|
|
}
|
|
|
|
|
|
/* convert opaque to 16 bit integer */
|
|
static INLINE void ato16(const byte* c, word16* u16)
|
|
{
|
|
*u16 = 0;
|
|
*u16 = (c[0] << 8) | (c[1]);
|
|
}
|
|
|
|
|
|
/* convert opaque to 32 bit integer */
|
|
static INLINE void ato32(const byte* c, word32* u32)
|
|
{
|
|
*u32 = 0;
|
|
*u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3];
|
|
}
|
|
|
|
|
|
#ifdef HAVE_LIBZ
|
|
|
|
/* alloc user allocs to work with zlib */
|
|
void* myAlloc(void* opaque, unsigned int item, unsigned int size)
|
|
{
|
|
return XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ);
|
|
}
|
|
|
|
|
|
void myFree(void* opaque, void* memory)
|
|
{
|
|
XFREE(memory, opaque, DYNAMIC_TYPE_LIBZ);
|
|
}
|
|
|
|
|
|
/* init zlib comp/decomp streams, 0 on success */
|
|
static int InitStreams(SSL* ssl)
|
|
{
|
|
ssl->c_stream.zalloc = (alloc_func)myAlloc;
|
|
ssl->c_stream.zfree = (free_func)myFree;
|
|
ssl->c_stream.opaque = (voidpf)ssl->heap;
|
|
|
|
if (deflateInit(&ssl->c_stream, 8) != Z_OK) return ZLIB_INIT_ERROR;
|
|
|
|
ssl->didStreamInit = 1;
|
|
|
|
ssl->d_stream.zalloc = (alloc_func)myAlloc;
|
|
ssl->d_stream.zfree = (free_func)myFree;
|
|
ssl->d_stream.opaque = (voidpf)ssl->heap;
|
|
|
|
if (inflateInit(&ssl->d_stream) != Z_OK) return ZLIB_INIT_ERROR;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static void FreeStreams(SSL* ssl)
|
|
{
|
|
if (ssl->didStreamInit) {
|
|
deflateEnd(&ssl->c_stream);
|
|
inflateEnd(&ssl->d_stream);
|
|
}
|
|
}
|
|
|
|
|
|
/* compress in to out, return out size or error */
|
|
static int Compress(SSL* ssl, byte* in, int inSz, byte* out, int outSz)
|
|
{
|
|
int err;
|
|
int currTotal = ssl->c_stream.total_out;
|
|
|
|
/* put size in front of compression */
|
|
c16toa((word16)inSz, out);
|
|
out += 2;
|
|
outSz -= 2;
|
|
|
|
ssl->c_stream.next_in = in;
|
|
ssl->c_stream.avail_in = inSz;
|
|
ssl->c_stream.next_out = out;
|
|
ssl->c_stream.avail_out = outSz;
|
|
|
|
err = deflate(&ssl->c_stream, Z_SYNC_FLUSH);
|
|
if (err != Z_OK && err != Z_STREAM_END) return ZLIB_COMPRESS_ERROR;
|
|
|
|
return ssl->c_stream.total_out - currTotal + sizeof(word16);
|
|
}
|
|
|
|
|
|
/* decompress in to out, returnn out size or error */
|
|
static int DeCompress(SSL* ssl, byte* in, int inSz, byte* out, int outSz)
|
|
{
|
|
int err;
|
|
int currTotal = ssl->d_stream.total_out;
|
|
word16 len;
|
|
|
|
/* find size in front of compression */
|
|
ato16(in, &len);
|
|
in += 2;
|
|
inSz -= 2;
|
|
|
|
ssl->d_stream.next_in = in;
|
|
ssl->d_stream.avail_in = inSz;
|
|
ssl->d_stream.next_out = out;
|
|
ssl->d_stream.avail_out = outSz;
|
|
|
|
err = inflate(&ssl->d_stream, Z_SYNC_FLUSH);
|
|
if (err != Z_OK && err != Z_STREAM_END) return ZLIB_DECOMPRESS_ERROR;
|
|
|
|
return ssl->d_stream.total_out - currTotal;
|
|
}
|
|
|
|
#endif /* HAVE_LIBZ */
|
|
|
|
|
|
void InitSSL_Method(SSL_METHOD* method, ProtocolVersion pv)
|
|
{
|
|
method->version = pv;
|
|
method->side = CLIENT_END;
|
|
method->verifyPeer = 0;
|
|
method->verifyNone = 0;
|
|
method->failNoCert = 0;
|
|
method->downgrade = 0;
|
|
}
|
|
|
|
|
|
void InitSSL_Ctx(SSL_CTX* ctx, SSL_METHOD* method)
|
|
{
|
|
ctx->method = method;
|
|
ctx->certificate.buffer = 0;
|
|
ctx->privateKey.buffer = 0;
|
|
ctx->haveDH = 0;
|
|
ctx->haveNTRU = 0; /* start off */
|
|
ctx->haveECDSA = 0; /* start off */
|
|
ctx->heap = ctx; /* defaults to self */
|
|
#ifndef NO_PSK
|
|
ctx->havePSK = 0;
|
|
ctx->server_hint[0] = 0;
|
|
ctx->client_psk_cb = 0;
|
|
ctx->server_psk_cb = 0;
|
|
#endif /* NO_PSK */
|
|
|
|
#ifdef OPENSSL_EXTRA
|
|
ctx->passwd_cb = 0;
|
|
ctx->userdata = 0;
|
|
#endif /* OPENSSL_EXTRA */
|
|
|
|
#ifndef CYASSL_USER_IO
|
|
ctx->CBIORecv = EmbedReceive;
|
|
ctx->CBIOSend = EmbedSend;
|
|
#else
|
|
/* user will set */
|
|
ctx->CBIORecv = NULL;
|
|
ctx->CBIOSend = NULL;
|
|
#endif
|
|
ctx->partialWrite = 0;
|
|
ctx->verifyCallback = 0;
|
|
|
|
ctx->caList = 0;
|
|
#ifdef HAVE_NTRU
|
|
if (method->side == CLIENT_END)
|
|
ctx->haveNTRU = 1; /* always on cliet side */
|
|
/* server can turn on by loading key */
|
|
#endif
|
|
#ifdef HAVE_ECC
|
|
if (method->side == CLIENT_END)
|
|
ctx->haveECDSA = 1; /* always on cliet side */
|
|
/* server can turn on by loading key */
|
|
#endif
|
|
/* remove DH later if server didn't set, add psk later */
|
|
InitSuites(&ctx->suites, method->version, TRUE, FALSE, ctx->haveNTRU,
|
|
ctx->haveECDSA, method->side);
|
|
ctx->verifyPeer = 0;
|
|
ctx->verifyNone = 0;
|
|
ctx->failNoCert = 0;
|
|
ctx->sessionCacheOff = 0; /* initially on */
|
|
ctx->sessionCacheFlushOff = 0; /* initially on */
|
|
ctx->sendVerify = 0;
|
|
ctx->quietShutdown = 0;
|
|
|
|
}
|
|
|
|
|
|
/* In case contexts are held in array and don't want to free actual ctx */
|
|
void SSL_CtxResourceFree(SSL_CTX* ctx)
|
|
{
|
|
XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY);
|
|
XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
|
|
XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD);
|
|
|
|
FreeSigners(ctx->caList, ctx->heap);
|
|
}
|
|
|
|
|
|
void FreeSSL_Ctx(SSL_CTX* ctx)
|
|
{
|
|
SSL_CtxResourceFree(ctx);
|
|
XFREE(ctx, ctx->heap, DYNAMIC_TYPE_CTX);
|
|
}
|
|
|
|
|
|
|
|
void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
|
|
byte haveNTRU, byte haveECDSA, int side)
|
|
{
|
|
word32 idx = 0;
|
|
int tls = pv.major == 3 && pv.minor >= 1;
|
|
int haveRSA = 1;
|
|
|
|
(void)tls; /* shut up compiler */
|
|
|
|
if (side == SERVER_END && haveECDSA)
|
|
haveRSA = 0; /* can't do RSA with ECDSA cert */
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (pv.major == DTLS_MAJOR && pv.minor == DTLS_MINOR)
|
|
tls = 1;
|
|
#endif
|
|
|
|
suites->setSuites = 0; /* user hasn't set yet */
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
|
|
if (tls && haveNTRU && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_256_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
|
|
if (tls && haveNTRU && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_128_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
|
|
if (tls && haveNTRU && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_NTRU_RSA_WITH_RC4_128_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
|
|
if (tls && haveNTRU && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
|
if (tls && haveECDSA) {
|
|
suites->suites[idx++] = ECC_BYTE;
|
|
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
|
if (tls && haveECDSA) {
|
|
suites->suites[idx++] = ECC_BYTE;
|
|
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
|
if (tls && haveECDSA) {
|
|
suites->suites[idx++] = ECC_BYTE;
|
|
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
|
if (tls && haveECDSA) {
|
|
suites->suites[idx++] = ECC_BYTE;
|
|
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = ECC_BYTE;
|
|
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = ECC_BYTE;
|
|
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = ECC_BYTE;
|
|
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_RC4_128_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = ECC_BYTE;
|
|
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
|
if (tls && haveDH && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
|
if (tls && haveDH && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
|
|
if (tls && havePSK) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
|
|
if (tls && havePSK) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
|
|
if (haveRSA ) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
|
|
if (haveRSA ) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
|
|
if (haveRSA ) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_RSA_WITH_HC_128_CBC_MD5;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_RSA_WITH_HC_128_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
|
|
if (tls && haveRSA) {
|
|
suites->suites[idx++] = 0;
|
|
suites->suites[idx++] = TLS_RSA_WITH_RABBIT_CBC_SHA;
|
|
}
|
|
#endif
|
|
|
|
suites->suiteSz = idx;
|
|
}
|
|
|
|
|
|
int InitSSL(SSL* ssl, SSL_CTX* ctx)
|
|
{
|
|
int ret;
|
|
byte havePSK = 0;
|
|
|
|
ssl->ctx = ctx; /* only for passing to calls, options could change */
|
|
ssl->version = ctx->method->version;
|
|
ssl->suites = ctx->suites;
|
|
|
|
#ifdef HAVE_LIBZ
|
|
ssl->didStreamInit = 0;
|
|
#endif
|
|
|
|
ssl->buffers.certificate.buffer = 0;
|
|
ssl->buffers.key.buffer = 0;
|
|
ssl->buffers.inputBuffer.length = 0;
|
|
ssl->buffers.inputBuffer.idx = 0;
|
|
ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
|
|
ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN;
|
|
ssl->buffers.inputBuffer.dynamicFlag = 0;
|
|
ssl->buffers.outputBuffer.length = 0;
|
|
ssl->buffers.outputBuffer.idx = 0;
|
|
ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
|
|
ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN;
|
|
ssl->buffers.outputBuffer.dynamicFlag = 0;
|
|
ssl->buffers.domainName.buffer = 0;
|
|
ssl->buffers.serverDH_P.buffer = 0;
|
|
ssl->buffers.serverDH_G.buffer = 0;
|
|
ssl->buffers.serverDH_Pub.buffer = 0;
|
|
ssl->buffers.serverDH_Priv.buffer = 0;
|
|
ssl->buffers.clearOutputBuffer.buffer = 0;
|
|
ssl->buffers.clearOutputBuffer.length = 0;
|
|
ssl->buffers.prevSent = 0;
|
|
ssl->buffers.plainSz = 0;
|
|
|
|
if ( (ret = InitRng(&ssl->rng)) )
|
|
return ret;
|
|
|
|
InitMd5(&ssl->hashMd5);
|
|
InitSha(&ssl->hashSha);
|
|
InitRsaKey(&ssl->peerRsaKey, ctx->heap);
|
|
|
|
ssl->peerRsaKeyPresent = 0;
|
|
ssl->options.side = ctx->method->side;
|
|
ssl->options.downgrade = ctx->method->downgrade;
|
|
ssl->error = 0;
|
|
ssl->options.connReset = 0;
|
|
ssl->options.isClosed = 0;
|
|
ssl->options.closeNotify = 0;
|
|
ssl->options.sentNotify = 0;
|
|
ssl->options.usingCompression = 0;
|
|
ssl->options.haveDH = ctx->haveDH;
|
|
ssl->options.haveNTRU = ctx->haveNTRU;
|
|
ssl->options.haveECDSA = ctx->haveECDSA;
|
|
ssl->options.havePeerCert = 0;
|
|
ssl->options.usingPSK_cipher = 0;
|
|
ssl->options.sendAlertState = 0;
|
|
#ifndef NO_PSK
|
|
havePSK = ctx->havePSK;
|
|
ssl->options.havePSK = ctx->havePSK;
|
|
ssl->options.client_psk_cb = ctx->client_psk_cb;
|
|
ssl->options.server_psk_cb = ctx->server_psk_cb;
|
|
#endif /* NO_PSK */
|
|
|
|
ssl->options.serverState = NULL_STATE;
|
|
ssl->options.clientState = NULL_STATE;
|
|
ssl->options.connectState = CONNECT_BEGIN;
|
|
ssl->options.acceptState = ACCEPT_BEGIN;
|
|
ssl->options.handShakeState = NULL_STATE;
|
|
ssl->options.processReply = doProcessInit;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
ssl->keys.dtls_sequence_number = 0;
|
|
ssl->keys.dtls_peer_sequence_number = 0;
|
|
ssl->keys.dtls_handshake_number = 0;
|
|
ssl->keys.dtls_epoch = 0;
|
|
ssl->keys.dtls_peer_epoch = 0;
|
|
#endif
|
|
ssl->keys.encryptionOn = 0; /* initially off */
|
|
ssl->options.sessionCacheOff = ctx->sessionCacheOff;
|
|
ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
|
|
|
|
ssl->options.verifyPeer = ctx->verifyPeer;
|
|
ssl->options.verifyNone = ctx->verifyNone;
|
|
ssl->options.failNoCert = ctx->failNoCert;
|
|
ssl->options.sendVerify = ctx->sendVerify;
|
|
|
|
ssl->options.resuming = 0;
|
|
ssl->hmac = Hmac; /* default to SSLv3 */
|
|
ssl->heap = ctx->heap; /* defaults to self */
|
|
ssl->options.tls = 0;
|
|
ssl->options.tls1_1 = 0;
|
|
ssl->options.dtls = 0;
|
|
ssl->options.partialWrite = ctx->partialWrite;
|
|
ssl->options.quietShutdown = ctx->quietShutdown;
|
|
|
|
/* SSL_CTX still owns certificate, key, and caList buffers */
|
|
ssl->buffers.certificate = ctx->certificate;
|
|
ssl->buffers.key = ctx->privateKey;
|
|
ssl->caList = ctx->caList;
|
|
|
|
#ifdef OPENSSL_EXTRA
|
|
ssl->peerCert.issuer.sz = 0;
|
|
ssl->peerCert.subject.sz = 0;
|
|
#endif
|
|
|
|
/* make sure server has cert and key unless using PSK */
|
|
if (ssl->options.side == SERVER_END && !havePSK)
|
|
if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer)
|
|
return NO_PRIVATE_KEY;
|
|
|
|
#ifndef NO_PSK
|
|
ssl->arrays.client_identity[0] = 0;
|
|
if (ctx->server_hint[0]) /* set in CTX */
|
|
XSTRNCPY(ssl->arrays.server_hint, ctx->server_hint, MAX_PSK_ID_LEN);
|
|
else
|
|
ssl->arrays.server_hint[0] = 0;
|
|
#endif /* NO_PSK */
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
ssl->hsInfoOn = 0;
|
|
ssl->toInfoOn = 0;
|
|
#endif
|
|
|
|
#ifdef HAVE_ECC
|
|
ssl->peerEccKeyPresent = 0;
|
|
ecc_init(&ssl->peerEccKey);
|
|
ssl->peerEccDsaKeyPresent = 0;
|
|
ecc_init(&ssl->peerEccDsaKey);
|
|
ssl->eccDsaKeyPresent = 0;
|
|
ecc_init(&ssl->eccDsaKey);
|
|
ssl->eccTempKeyPresent = 0;
|
|
ecc_init(&ssl->eccTempKey);
|
|
|
|
/* make ECDHE for server side */
|
|
if (ssl->options.side == SERVER_END) {
|
|
if (ecc_make_key(&ssl->rng, ECDHE_SIZE, &ssl->eccTempKey) != 0)
|
|
return ECC_MAKEKEY_ERROR;
|
|
ssl->eccTempKeyPresent = 1;
|
|
}
|
|
#endif
|
|
|
|
/* make sure server has DH parms, and add PSK if there, add NTRU too */
|
|
if (!ssl->ctx->suites.setSuites) { /* trust user override */
|
|
if (ssl->options.side == SERVER_END)
|
|
InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK,
|
|
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
|
ssl->ctx->method->side);
|
|
else
|
|
InitSuites(&ssl->suites, ssl->version, TRUE, havePSK,
|
|
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
|
ssl->ctx->method->side);
|
|
}
|
|
|
|
ssl->rfd = -1; /* set to invalid descriptor */
|
|
ssl->wfd = -1;
|
|
ssl->biord = 0;
|
|
ssl->biowr = 0;
|
|
|
|
ssl->IOCB_ReadCtx = &ssl->rfd; /* prevent invalid pointer acess if not */
|
|
ssl->IOCB_WriteCtx = &ssl->wfd; /* correctly set */
|
|
|
|
#ifdef SESSION_CERTS
|
|
ssl->session.chain.count = 0;
|
|
#endif
|
|
|
|
ssl->cipher.ssl = ssl;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
int BIO_free(BIO*); /* cyassl_int doesn't have */
|
|
|
|
|
|
/* In case holding SSL object in array and don't want to free actual ssl */
|
|
void SSL_ResourceFree(SSL* ssl)
|
|
{
|
|
XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH);
|
|
XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH);
|
|
XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH);
|
|
XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH);
|
|
XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
|
|
FreeRsaKey(&ssl->peerRsaKey);
|
|
if (ssl->buffers.inputBuffer.dynamicFlag)
|
|
ShrinkInputBuffer(ssl, FORCED_FREE);
|
|
if (ssl->buffers.outputBuffer.dynamicFlag)
|
|
ShrinkOutputBuffer(ssl);
|
|
#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)
|
|
BIO_free(ssl->biord);
|
|
if (ssl->biord != ssl->biowr) /* in case same as write */
|
|
BIO_free(ssl->biowr);
|
|
#endif
|
|
#ifdef HAVE_LIBZ
|
|
FreeStreams(ssl);
|
|
#endif
|
|
#ifdef HAVE_ECC
|
|
ecc_free(&ssl->peerEccKey);
|
|
ecc_free(&ssl->peerEccDsaKey);
|
|
ecc_free(&ssl->eccTempKey);
|
|
ecc_free(&ssl->eccDsaKey);
|
|
#endif
|
|
}
|
|
|
|
|
|
void FreeSSL(SSL* ssl)
|
|
{
|
|
SSL_ResourceFree(ssl);
|
|
XFREE(ssl, ssl->heap, DYNAMIC_TYPE_SSL);
|
|
}
|
|
|
|
|
|
ProtocolVersion MakeSSLv3(void)
|
|
{
|
|
ProtocolVersion pv;
|
|
pv.major = SSLv3_MAJOR;
|
|
pv.minor = SSLv3_MINOR;
|
|
|
|
return pv;
|
|
}
|
|
|
|
|
|
#ifdef CYASSL_DTLS
|
|
|
|
ProtocolVersion MakeDTLSv1(void)
|
|
{
|
|
ProtocolVersion pv;
|
|
pv.major = DTLS_MAJOR;
|
|
pv.minor = DTLS_MINOR;
|
|
|
|
return pv;
|
|
}
|
|
|
|
#endif /* CYASSL_DTLS */
|
|
|
|
|
|
|
|
|
|
#ifdef USE_WINDOWS_API
|
|
|
|
timer_d Timer(void)
|
|
{
|
|
static int init = 0;
|
|
static LARGE_INTEGER freq;
|
|
LARGE_INTEGER count;
|
|
|
|
if (!init) {
|
|
QueryPerformanceFrequency(&freq);
|
|
init = 1;
|
|
}
|
|
|
|
QueryPerformanceCounter(&count);
|
|
|
|
return (double)count.QuadPart / freq.QuadPart;
|
|
}
|
|
|
|
|
|
word32 LowResTimer(void)
|
|
{
|
|
return (word32)Timer();
|
|
}
|
|
|
|
|
|
#elif defined(THREADX)
|
|
|
|
#include "rtptime.h"
|
|
|
|
word32 LowResTimer(void)
|
|
{
|
|
return (word32)rtp_get_system_sec();
|
|
}
|
|
|
|
|
|
#elif defined(MICRIUM)
|
|
|
|
word32 LowResTimer(void)
|
|
{
|
|
NET_SECURE_OS_TICK clk;
|
|
|
|
#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
|
|
clk = NetSecure_OS_TimeGet();
|
|
#endif
|
|
return (word32)clk;
|
|
}
|
|
|
|
#elif defined(USER_TICKS)
|
|
|
|
word32 LowResTimer(void)
|
|
{
|
|
/*
|
|
write your own clock tick function if don't want time(0)
|
|
needs second accuracy but doesn't have to correlated to EPOCH
|
|
*/
|
|
}
|
|
|
|
#else /* !USE_WINDOWS_API && !THREADX && !MICRIUM && !USER_TICKS */
|
|
|
|
#include <time.h>
|
|
|
|
word32 LowResTimer(void)
|
|
{
|
|
return time(0);
|
|
}
|
|
|
|
|
|
#endif /* USE_WINDOWS_API */
|
|
|
|
|
|
/* add output to md5 and sha handshake hashes, exclude record header */
|
|
static void HashOutput(SSL* ssl, const byte* output, int sz, int ivSz)
|
|
{
|
|
const byte* buffer = output + RECORD_HEADER_SZ + ivSz;
|
|
sz -= RECORD_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
buffer += DTLS_RECORD_EXTRA;
|
|
sz -= DTLS_RECORD_EXTRA;
|
|
}
|
|
#endif
|
|
|
|
Md5Update(&ssl->hashMd5, buffer, sz);
|
|
ShaUpdate(&ssl->hashSha, buffer, sz);
|
|
}
|
|
|
|
|
|
/* add input to md5 and sha handshake hashes, include handshake header */
|
|
static void HashInput(SSL* ssl, const byte* input, int sz)
|
|
{
|
|
const byte* buffer = input - HANDSHAKE_HEADER_SZ;
|
|
sz += HANDSHAKE_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
buffer -= DTLS_HANDSHAKE_EXTRA;
|
|
sz += DTLS_HANDSHAKE_EXTRA;
|
|
}
|
|
#endif
|
|
|
|
Md5Update(&ssl->hashMd5, buffer, sz);
|
|
ShaUpdate(&ssl->hashSha, buffer, sz);
|
|
}
|
|
|
|
|
|
/* add record layer header for message */
|
|
static void AddRecordHeader(byte* output, word32 length, byte type, SSL* ssl)
|
|
{
|
|
RecordLayerHeader* rl;
|
|
|
|
/* record layer header */
|
|
rl = (RecordLayerHeader*)output;
|
|
rl->type = type;
|
|
rl->version = ssl->version; /* type and version same in each */
|
|
|
|
if (!ssl->options.dtls)
|
|
c16toa((word16)length, rl->length);
|
|
else {
|
|
#ifdef CYASSL_DTLS
|
|
DtlsRecordLayerHeader* dtls;
|
|
|
|
/* dtls record layer header extensions */
|
|
dtls = (DtlsRecordLayerHeader*)output;
|
|
c16toa(ssl->keys.dtls_epoch, dtls->epoch);
|
|
c32to48(ssl->keys.dtls_sequence_number++, dtls->sequence_number);
|
|
c16toa((word16)length, dtls->length);
|
|
#endif
|
|
}
|
|
}
|
|
|
|
|
|
/* add handshake header for message */
|
|
static void AddHandShakeHeader(byte* output, word32 length, byte type, SSL* ssl)
|
|
{
|
|
HandShakeHeader* hs;
|
|
|
|
/* handshake header */
|
|
hs = (HandShakeHeader*)output;
|
|
hs->type = type;
|
|
c32to24(length, hs->length); /* type and length same for each */
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
DtlsHandShakeHeader* dtls;
|
|
|
|
/* dtls handshake header extensions */
|
|
dtls = (DtlsHandShakeHeader*)output;
|
|
c16toa(ssl->keys.dtls_handshake_number++, dtls->message_seq);
|
|
c32to24(0, dtls->fragment_offset);
|
|
c32to24(length, dtls->fragment_length);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
|
|
/* add both headers for handshake message */
|
|
static void AddHeaders(byte* output, word32 length, byte type, SSL* ssl)
|
|
{
|
|
if (!ssl->options.dtls) {
|
|
AddRecordHeader(output, length + HANDSHAKE_HEADER_SZ, handshake, ssl);
|
|
AddHandShakeHeader(output + RECORD_HEADER_SZ, length, type, ssl);
|
|
}
|
|
else {
|
|
AddRecordHeader(output, length+DTLS_HANDSHAKE_HEADER_SZ, handshake,ssl);
|
|
AddHandShakeHeader(output + DTLS_RECORD_HEADER_SZ, length, type, ssl);
|
|
}
|
|
}
|
|
|
|
|
|
static int Receive(SSL* ssl, byte* buf, word32 sz, int flags)
|
|
{
|
|
int recvd;
|
|
|
|
retry:
|
|
recvd = ssl->ctx->CBIORecv((char *)buf, (int)sz, ssl->IOCB_ReadCtx);
|
|
if (recvd < 0)
|
|
switch (recvd) {
|
|
case IO_ERR_GENERAL: /* general/unknown error */
|
|
return -1;
|
|
|
|
case IO_ERR_WANT_READ: /* want read, would block */
|
|
return WANT_READ;
|
|
|
|
case IO_ERR_CONN_RST: /* connection reset */
|
|
ssl->options.connReset = 1;
|
|
return -1;
|
|
|
|
case IO_ERR_ISR: /* interrupt */
|
|
/* see if we got our timeout */
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->toInfoOn) {
|
|
struct itimerval timeout;
|
|
getitimer(ITIMER_REAL, &timeout);
|
|
if (timeout.it_value.tv_sec == 0 &&
|
|
timeout.it_value.tv_usec == 0) {
|
|
XSTRNCPY(ssl->timeoutInfo.timeoutName,
|
|
"recv() timeout", MAX_TIMEOUT_NAME_SZ);
|
|
return 0;
|
|
}
|
|
}
|
|
#endif
|
|
goto retry;
|
|
|
|
case IO_ERR_CONN_CLOSE: /* peer closed connection */
|
|
ssl->options.isClosed = 1;
|
|
return -1;
|
|
}
|
|
|
|
return recvd;
|
|
}
|
|
|
|
|
|
/* Switch dynamic output buffer back to static, buffer is assumed clear */
|
|
void ShrinkOutputBuffer(SSL* ssl)
|
|
{
|
|
CYASSL_MSG("Shrinking output buffer\n");
|
|
XFREE(ssl->buffers.outputBuffer.buffer, ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
|
|
ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
|
|
ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN;
|
|
ssl->buffers.outputBuffer.dynamicFlag = 0;
|
|
}
|
|
|
|
|
|
/* Switch dynamic input buffer back to static, keep any remaining input */
|
|
/* forced free means cleaning up */
|
|
void ShrinkInputBuffer(SSL* ssl, int forcedFree)
|
|
{
|
|
int usedLength = ssl->buffers.inputBuffer.length -
|
|
ssl->buffers.inputBuffer.idx;
|
|
if (!forcedFree && usedLength > STATIC_BUFFER_LEN)
|
|
return;
|
|
|
|
CYASSL_MSG("Shrinking input buffer\n");
|
|
|
|
if (!forcedFree && usedLength)
|
|
XMEMCPY(ssl->buffers.inputBuffer.staticBuffer,
|
|
ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
|
|
usedLength);
|
|
|
|
XFREE(ssl->buffers.inputBuffer.buffer, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
|
|
ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
|
|
ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN;
|
|
ssl->buffers.inputBuffer.dynamicFlag = 0;
|
|
ssl->buffers.inputBuffer.idx = 0;
|
|
ssl->buffers.inputBuffer.length = usedLength;
|
|
}
|
|
|
|
|
|
int SendBuffered(SSL* ssl)
|
|
{
|
|
while (ssl->buffers.outputBuffer.length > 0) {
|
|
int sent = ssl->ctx->CBIOSend((char*)ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx,
|
|
(int)ssl->buffers.outputBuffer.length,
|
|
ssl->IOCB_WriteCtx);
|
|
if (sent < 0) {
|
|
switch (sent) {
|
|
|
|
case IO_ERR_WANT_WRITE: /* would block */
|
|
return WANT_WRITE;
|
|
|
|
case IO_ERR_CONN_RST: /* connection reset */
|
|
ssl->options.connReset = 1;
|
|
break;
|
|
|
|
case IO_ERR_ISR: /* interrupt */
|
|
/* see if we got our timeout */
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->toInfoOn) {
|
|
struct itimerval timeout;
|
|
getitimer(ITIMER_REAL, &timeout);
|
|
if (timeout.it_value.tv_sec == 0 &&
|
|
timeout.it_value.tv_usec == 0) {
|
|
XSTRNCPY(ssl->timeoutInfo.timeoutName,
|
|
"send() timeout", MAX_TIMEOUT_NAME_SZ);
|
|
return WANT_WRITE;
|
|
}
|
|
}
|
|
#endif
|
|
continue;
|
|
|
|
case IO_ERR_CONN_CLOSE: /* epipe / conn closed, same as reset */
|
|
ssl->options.connReset = 1;
|
|
break;
|
|
}
|
|
|
|
return SOCKET_ERROR_E;
|
|
}
|
|
|
|
ssl->buffers.outputBuffer.idx += sent;
|
|
ssl->buffers.outputBuffer.length -= sent;
|
|
}
|
|
|
|
ssl->buffers.outputBuffer.idx = 0;
|
|
|
|
if (ssl->buffers.outputBuffer.dynamicFlag)
|
|
ShrinkOutputBuffer(ssl);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* Grow the output buffer, should only be to send cert, should be blank */
|
|
static INLINE int GrowOutputBuffer(SSL* ssl, int size)
|
|
{
|
|
byte* tmp = (byte*) XMALLOC(size + ssl->buffers.outputBuffer.length,
|
|
ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
|
|
CYASSL_MSG("growing output buffer\n");
|
|
|
|
if (!tmp) return -1;
|
|
|
|
if (ssl->buffers.outputBuffer.length)
|
|
XMEMCPY(tmp, ssl->buffers.outputBuffer.buffer,
|
|
ssl->buffers.outputBuffer.length);
|
|
|
|
if (ssl->buffers.outputBuffer.dynamicFlag)
|
|
XFREE(ssl->buffers.outputBuffer.buffer, ssl->heap,
|
|
DYNAMIC_TYPE_OUT_BUFFER);
|
|
ssl->buffers.outputBuffer.dynamicFlag = 1;
|
|
ssl->buffers.outputBuffer.buffer = tmp;
|
|
ssl->buffers.outputBuffer.bufferSize = size +
|
|
ssl->buffers.outputBuffer.length;
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* Grow the input buffer, should only be to read cert or big app data */
|
|
static INLINE int GrowInputBuffer(SSL* ssl, int size, int usedLength)
|
|
{
|
|
byte* tmp = (byte*) XMALLOC(size + usedLength, ssl->heap,
|
|
DYNAMIC_TYPE_IN_BUFFER);
|
|
CYASSL_MSG("growing input buffer\n");
|
|
|
|
if (!tmp) return -1;
|
|
|
|
if (usedLength)
|
|
XMEMCPY(tmp, ssl->buffers.inputBuffer.buffer +
|
|
ssl->buffers.inputBuffer.idx, usedLength);
|
|
|
|
if (ssl->buffers.inputBuffer.dynamicFlag)
|
|
XFREE(ssl->buffers.inputBuffer.buffer,ssl->heap,DYNAMIC_TYPE_IN_BUFFER);
|
|
|
|
ssl->buffers.inputBuffer.dynamicFlag = 1;
|
|
ssl->buffers.inputBuffer.buffer = tmp;
|
|
ssl->buffers.inputBuffer.bufferSize = size + usedLength;
|
|
ssl->buffers.inputBuffer.idx = 0;
|
|
ssl->buffers.inputBuffer.length = usedLength;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* check avalaible size into outbut buffer */
|
|
static INLINE int CheckAvalaibleSize(SSL *ssl, int size)
|
|
{
|
|
if ((word32)size > ssl->buffers.outputBuffer.bufferSize)
|
|
if (GrowOutputBuffer(ssl, size) < 0)
|
|
return MEMORY_E;
|
|
|
|
if (ssl->buffers.outputBuffer.bufferSize - ssl->buffers.outputBuffer.length
|
|
< (word32)size) {
|
|
if (SendBuffered(ssl) == SOCKET_ERROR_E)
|
|
return SOCKET_ERROR_E;
|
|
if (ssl->buffers.outputBuffer.bufferSize -
|
|
ssl->buffers.outputBuffer.length < (word32)size)
|
|
return WANT_WRITE;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* do all verify and sanity checks on record header */
|
|
static int GetRecordHeader(SSL* ssl, const byte* input, word32* inOutIdx,
|
|
RecordLayerHeader* rh, word16 *size)
|
|
{
|
|
if (!ssl->options.dtls) {
|
|
XMEMCPY(rh, input + *inOutIdx, RECORD_HEADER_SZ);
|
|
*inOutIdx += RECORD_HEADER_SZ;
|
|
ato16(rh->length, size);
|
|
}
|
|
else {
|
|
#ifdef CYASSL_DTLS
|
|
/* type and version in same sport */
|
|
XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ);
|
|
*inOutIdx += ENUM_LEN + VERSION_SZ;
|
|
*inOutIdx += 4; /* skip epoch and first 2 seq bytes for now */
|
|
ato32(input + *inOutIdx, &ssl->keys.dtls_peer_sequence_number);
|
|
*inOutIdx += 4; /* advance past rest of seq */
|
|
ato16(input + *inOutIdx, size);
|
|
*inOutIdx += LENGTH_SZ;
|
|
#endif
|
|
}
|
|
|
|
/* catch version mismatch */
|
|
if (rh->version.major != ssl->version.major ||
|
|
rh->version.minor != ssl->version.minor) {
|
|
|
|
if (ssl->options.side == SERVER_END && ssl->options.downgrade == 1 &&
|
|
ssl->options.acceptState == ACCEPT_BEGIN)
|
|
; /* haven't negotiated yet */
|
|
else
|
|
return VERSION_ERROR; /* only use requested version */
|
|
}
|
|
|
|
/* record layer length check */
|
|
if (*size > (MAX_RECORD_SIZE + MAX_COMP_EXTRA + MAX_MSG_EXTRA))
|
|
return LENGTH_ERROR;
|
|
|
|
/* verify record type here as well */
|
|
switch ((enum ContentType)rh->type) {
|
|
case handshake:
|
|
case change_cipher_spec:
|
|
case application_data:
|
|
case alert:
|
|
break;
|
|
default:
|
|
return UNKNOWN_RECORD_TYPE;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int GetHandShakeHeader(SSL* ssl, const byte* input, word32* inOutIdx,
|
|
byte *type, word32 *size)
|
|
{
|
|
const byte *ptr = input + *inOutIdx;
|
|
*inOutIdx += HANDSHAKE_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls)
|
|
*inOutIdx += DTLS_HANDSHAKE_EXTRA;
|
|
#endif
|
|
|
|
*type = ptr[0];
|
|
c24to32(&ptr[1], size);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* fill with MD5 pad size since biggest required */
|
|
static const byte PAD1[PAD_MD5] =
|
|
{ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
|
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
|
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
|
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
|
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
|
|
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
|
|
};
|
|
static const byte PAD2[PAD_MD5] =
|
|
{ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
|
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
|
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
|
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
|
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
|
|
0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
|
|
};
|
|
|
|
/* calculate MD5 hash for finished */
|
|
static void BuildMD5(SSL* ssl, Hashes* hashes, const byte* sender)
|
|
{
|
|
byte md5_result[MD5_DIGEST_SIZE];
|
|
|
|
/* make md5 inner */
|
|
Md5Update(&ssl->hashMd5, sender, SIZEOF_SENDER);
|
|
Md5Update(&ssl->hashMd5, ssl->arrays.masterSecret, SECRET_LEN);
|
|
Md5Update(&ssl->hashMd5, PAD1, PAD_MD5);
|
|
Md5Final(&ssl->hashMd5, md5_result);
|
|
|
|
/* make md5 outer */
|
|
Md5Update(&ssl->hashMd5, ssl->arrays.masterSecret, SECRET_LEN);
|
|
Md5Update(&ssl->hashMd5, PAD2, PAD_MD5);
|
|
Md5Update(&ssl->hashMd5, md5_result, MD5_DIGEST_SIZE);
|
|
|
|
Md5Final(&ssl->hashMd5, hashes->md5);
|
|
}
|
|
|
|
|
|
/* calculate SHA hash for finished */
|
|
static void BuildSHA(SSL* ssl, Hashes* hashes, const byte* sender)
|
|
{
|
|
byte sha_result[SHA_DIGEST_SIZE];
|
|
|
|
/* make sha inner */
|
|
ShaUpdate(&ssl->hashSha, sender, SIZEOF_SENDER);
|
|
ShaUpdate(&ssl->hashSha, ssl->arrays.masterSecret, SECRET_LEN);
|
|
ShaUpdate(&ssl->hashSha, PAD1, PAD_SHA);
|
|
ShaFinal(&ssl->hashSha, sha_result);
|
|
|
|
/* make sha outer */
|
|
ShaUpdate(&ssl->hashSha, ssl->arrays.masterSecret, SECRET_LEN);
|
|
ShaUpdate(&ssl->hashSha, PAD2, PAD_SHA);
|
|
ShaUpdate(&ssl->hashSha, sha_result, SHA_DIGEST_SIZE);
|
|
|
|
ShaFinal(&ssl->hashSha, hashes->sha);
|
|
}
|
|
|
|
|
|
static void BuildFinished(SSL* ssl, Hashes* hashes, const byte* sender)
|
|
{
|
|
/* store current states, building requires get_digest which resets state */
|
|
Md5 md5 = ssl->hashMd5;
|
|
Sha sha = ssl->hashSha;
|
|
|
|
if (ssl->options.tls)
|
|
BuildTlsFinished(ssl, hashes, sender);
|
|
else {
|
|
BuildMD5(ssl, hashes, sender);
|
|
BuildSHA(ssl, hashes, sender);
|
|
}
|
|
|
|
/* restore */
|
|
ssl->hashMd5 = md5;
|
|
ssl->hashSha = sha;
|
|
}
|
|
|
|
|
|
static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx)
|
|
{
|
|
word32 listSz, i = *inOutIdx;
|
|
int ret = 0;
|
|
int firstTime = 1; /* peer's is at front */
|
|
char domain[ASN_NAME_MAX];
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("Certificate", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn) AddLateName("Certificate", &ssl->timeoutInfo);
|
|
#endif
|
|
c24to32(&input[i], &listSz);
|
|
i += CERT_HEADER_SZ;
|
|
|
|
while (listSz && ret == 0) {
|
|
/* cert size */
|
|
buffer myCert;
|
|
word32 certSz;
|
|
DecodedCert dCert;
|
|
word32 idx = 0;
|
|
|
|
c24to32(&input[i], &certSz);
|
|
i += CERT_HEADER_SZ;
|
|
|
|
myCert.length = certSz;
|
|
myCert.buffer = input + i;
|
|
i += certSz;
|
|
|
|
listSz -= certSz + CERT_HEADER_SZ;
|
|
|
|
#ifdef SESSION_CERTS
|
|
if (ssl->session.chain.count < MAX_CHAIN_DEPTH &&
|
|
myCert.length < MAX_X509_SIZE) {
|
|
ssl->session.chain.certs[ssl->session.chain.count].length =
|
|
myCert.length;
|
|
XMEMCPY(ssl->session.chain.certs[ssl->session.chain.count].buffer,
|
|
myCert.buffer, myCert.length);
|
|
ssl->session.chain.count++;
|
|
} else {
|
|
CYASSL_MSG("Couldn't store chain cert for session");
|
|
}
|
|
#endif
|
|
|
|
InitDecodedCert(&dCert, myCert.buffer, ssl->heap);
|
|
ret = ParseCertRelative(&dCert, myCert.length, CERT_TYPE,
|
|
!ssl->options.verifyNone, ssl->caList);
|
|
|
|
if (!firstTime) {
|
|
FreeDecodedCert(&dCert);
|
|
continue;
|
|
}
|
|
|
|
/* get rest of peer info in case user wants to continue */
|
|
if (ret != 0) {
|
|
if (!(ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E ||
|
|
ret == ASN_SIG_CONFIRM_E)) {
|
|
FreeDecodedCert(&dCert);
|
|
continue;
|
|
}
|
|
}
|
|
|
|
/* first one has peer's key */
|
|
firstTime = 0;
|
|
|
|
ssl->options.havePeerCert = 1;
|
|
/* set X509 format */
|
|
#ifdef OPENSSL_EXTRA
|
|
ssl->peerCert.issuer.sz = (int)XSTRLEN(dCert.issuer) + 1;
|
|
XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX);
|
|
ssl->peerCert.subject.sz = (int)XSTRLEN(dCert.subject) + 1;
|
|
XSTRNCPY(ssl->peerCert.subject.name, dCert.subject, ASN_NAME_MAX);
|
|
#endif
|
|
|
|
XMEMCPY(domain, dCert.subjectCN, dCert.subjectCNLen);
|
|
domain[dCert.subjectCNLen] = '\0';
|
|
|
|
if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer)
|
|
if (XSTRNCMP((char*)ssl->buffers.domainName.buffer,
|
|
dCert.subjectCN,
|
|
ssl->buffers.domainName.length - 1)) {
|
|
ret = DOMAIN_NAME_MISMATCH; /* try to get peer key still */
|
|
}
|
|
|
|
/* decode peer key */
|
|
if (dCert.keyOID == RSAk) {
|
|
if (RsaPublicKeyDecode(dCert.publicKey, &idx,
|
|
&ssl->peerRsaKey, dCert.pubKeySize) != 0) {
|
|
ret = PEER_KEY_ERROR;
|
|
FreeDecodedCert(&dCert);
|
|
continue;
|
|
}
|
|
ssl->peerRsaKeyPresent = 1;
|
|
}
|
|
#ifdef HAVE_NTRU
|
|
else if (dCert.keyOID == NTRUk) {
|
|
if (dCert.pubKeySize > sizeof(ssl->peerNtruKey)) {
|
|
ret = PEER_KEY_ERROR;
|
|
FreeDecodedCert(&dCert);
|
|
continue;
|
|
}
|
|
XMEMCPY(ssl->peerNtruKey, dCert.publicKey, dCert.pubKeySize);
|
|
ssl->peerNtruKeyLen = (word16)dCert.pubKeySize;
|
|
ssl->peerNtruKeyPresent = 1;
|
|
}
|
|
#endif /* HAVE_NTRU */
|
|
#ifdef HAVE_ECC
|
|
else if (dCert.keyOID == ECDSAk) {
|
|
if (ecc_import_x963(dCert.publicKey, dCert.pubKeySize,
|
|
&ssl->peerEccDsaKey) != 0) {
|
|
ret = PEER_KEY_ERROR;
|
|
FreeDecodedCert(&dCert);
|
|
continue;
|
|
}
|
|
ssl->peerEccDsaKeyPresent = 1;
|
|
}
|
|
#endif /* HAVE_ECC */
|
|
|
|
FreeDecodedCert(&dCert);
|
|
}
|
|
|
|
if (ret == 0 && ssl->options.side == CLIENT_END)
|
|
ssl->options.serverState = SERVER_CERT_COMPLETE;
|
|
|
|
if (ret != 0) {
|
|
if (!ssl->options.verifyNone) {
|
|
int why = bad_certificate;
|
|
if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E)
|
|
why = certificate_expired;
|
|
if (ssl->ctx->verifyCallback) {
|
|
int ok;
|
|
X509_STORE_CTX store;
|
|
|
|
store.error = ret;
|
|
store.error_depth = 1;
|
|
store.domain = domain;
|
|
#ifdef OPENSSL_EXTRA
|
|
store.current_cert = &ssl->peerCert;
|
|
#else
|
|
store.current_cert = NULL;
|
|
#endif
|
|
ok = ssl->ctx->verifyCallback(0, &store);
|
|
if (ok)
|
|
ret = 0;
|
|
}
|
|
if (ret != 0) {
|
|
SendAlert(ssl, alert_fatal, why); /* try to send */
|
|
ssl->options.isClosed = 1;
|
|
}
|
|
}
|
|
ssl->error = ret;
|
|
}
|
|
|
|
*inOutIdx = i;
|
|
return ret;
|
|
}
|
|
|
|
|
|
int DoFinished(SSL* ssl, const byte* input, word32* inOutIdx, int sniff)
|
|
{
|
|
byte verifyMAC[SHA_DIGEST_SIZE];
|
|
int finishedSz = ssl->options.tls ? TLS_FINISHED_SZ : FINISHED_SZ;
|
|
int headerSz = HANDSHAKE_HEADER_SZ;
|
|
word32 macSz = finishedSz + HANDSHAKE_HEADER_SZ,
|
|
idx = *inOutIdx,
|
|
padSz = ssl->keys.encryptSz - HANDSHAKE_HEADER_SZ - finishedSz -
|
|
ssl->specs.hash_size;
|
|
const byte* mac;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
headerSz += DTLS_HANDSHAKE_EXTRA;
|
|
macSz += DTLS_HANDSHAKE_EXTRA;
|
|
padSz -= DTLS_HANDSHAKE_EXTRA;
|
|
}
|
|
#endif
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
|
|
#endif
|
|
if (sniff == NO_SNIFF) {
|
|
if (XMEMCMP(input + idx, &ssl->verifyHashes, finishedSz))
|
|
return VERIFY_FINISHED_ERROR;
|
|
}
|
|
|
|
ssl->hmac(ssl, verifyMAC, input + idx - headerSz, macSz,
|
|
handshake, 1);
|
|
idx += finishedSz;
|
|
|
|
/* read mac and fill */
|
|
mac = input + idx;
|
|
idx += ssl->specs.hash_size;
|
|
|
|
if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
|
|
padSz -= ssl->specs.block_size;
|
|
|
|
idx += padSz;
|
|
|
|
/* verify mac */
|
|
if (XMEMCMP(mac, verifyMAC, ssl->specs.hash_size))
|
|
return VERIFY_MAC_ERROR;
|
|
|
|
if (ssl->options.side == CLIENT_END) {
|
|
ssl->options.serverState = SERVER_FINISHED_COMPLETE;
|
|
if (!ssl->options.resuming)
|
|
ssl->options.handShakeState = HANDSHAKE_DONE;
|
|
}
|
|
else {
|
|
ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
|
|
if (ssl->options.resuming)
|
|
ssl->options.handShakeState = HANDSHAKE_DONE;
|
|
}
|
|
|
|
*inOutIdx = idx;
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int DoHandShakeMsg(SSL* ssl, byte* input, word32* inOutIdx,
|
|
word32 totalSz)
|
|
{
|
|
byte type;
|
|
word32 size;
|
|
int ret = 0;
|
|
|
|
CYASSL_ENTER("DoHandShakeMsg()");
|
|
|
|
if (GetHandShakeHeader(ssl, input, inOutIdx, &type, &size) != 0)
|
|
return PARSE_ERROR;
|
|
|
|
if (*inOutIdx + size > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
|
|
HashInput(ssl, input + *inOutIdx, size);
|
|
#ifdef CYASSL_CALLBACKS
|
|
/* add name later, add on record and handshake header part back on */
|
|
if (ssl->toInfoOn) {
|
|
int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
AddPacketInfo(0, &ssl->timeoutInfo, input + *inOutIdx - add,
|
|
size + add, ssl->heap);
|
|
AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
|
|
}
|
|
#endif
|
|
|
|
switch (type) {
|
|
|
|
#ifndef NO_CYASSL_CLIENT
|
|
case hello_verify_request:
|
|
CYASSL_MSG("processing hello verify request");
|
|
ret = DoHelloVerifyRequest(ssl, input,inOutIdx);
|
|
break;
|
|
|
|
case server_hello:
|
|
CYASSL_MSG("processing server hello");
|
|
ret = DoServerHello(ssl, input, inOutIdx);
|
|
break;
|
|
|
|
case certificate_request:
|
|
CYASSL_MSG("processing certificate request");
|
|
ret = DoCertificateRequest(ssl, input, inOutIdx);
|
|
break;
|
|
|
|
case server_key_exchange:
|
|
CYASSL_MSG("processing server key exchange");
|
|
ret = DoServerKeyExchange(ssl, input, inOutIdx);
|
|
break;
|
|
#endif
|
|
|
|
case certificate:
|
|
CYASSL_MSG("processing certificate");
|
|
ret = DoCertificate(ssl, input, inOutIdx);
|
|
break;
|
|
|
|
case server_hello_done:
|
|
CYASSL_MSG("processing server hello done");
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ServerHelloDone", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddLateName("ServerHelloDone", &ssl->timeoutInfo);
|
|
#endif
|
|
ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
|
|
break;
|
|
|
|
case finished:
|
|
CYASSL_MSG("processing finished");
|
|
ret = DoFinished(ssl, input, inOutIdx, NO_SNIFF);
|
|
break;
|
|
|
|
#ifndef NO_CYASSL_SERVER
|
|
case client_hello:
|
|
CYASSL_MSG("processing client hello");
|
|
ret = DoClientHello(ssl, input, inOutIdx, totalSz, size);
|
|
break;
|
|
|
|
case client_key_exchange:
|
|
CYASSL_MSG("processing client key exchange");
|
|
ret = DoClientKeyExchange(ssl, input, inOutIdx);
|
|
break;
|
|
|
|
case certificate_verify:
|
|
CYASSL_MSG("processing certificate verify");
|
|
ret = DoCertificateVerify(ssl, input, inOutIdx, totalSz);
|
|
break;
|
|
|
|
#endif
|
|
|
|
default:
|
|
ret = UNKNOWN_HANDSHAKE_TYPE;
|
|
}
|
|
|
|
CYASSL_LEAVE("DoHandShakeMsg()", ret);
|
|
return ret;
|
|
}
|
|
|
|
|
|
static INLINE void Encrypt(SSL* ssl, byte* out, const byte* input, word32 sz)
|
|
{
|
|
switch (ssl->specs.bulk_cipher_algorithm) {
|
|
#ifdef BUILD_ARC4
|
|
case rc4:
|
|
Arc4Process(&ssl->encrypt.arc4, out, input, sz);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef BUILD_DES3
|
|
case triple_des:
|
|
Des3_CbcEncrypt(&ssl->encrypt.des3, out, input, sz);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef BUILD_AES
|
|
case aes:
|
|
#ifdef CYASSL_AESNI
|
|
if ((word)input % 16) {
|
|
byte buffer[MAX_RECORD_SIZE + MAX_COMP_EXTRA+MAX_MSG_EXTRA];
|
|
XMEMCPY(buffer, input, sz);
|
|
AesCbcEncrypt(&ssl->encrypt.aes, buffer, buffer, sz);
|
|
XMEMCPY(out, buffer, sz);
|
|
break;
|
|
}
|
|
#endif
|
|
AesCbcEncrypt(&ssl->encrypt.aes, out, input, sz);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef BUILD_HC128
|
|
case hc128:
|
|
Hc128_Process(&ssl->encrypt.hc128, out, input, sz);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef BUILD_RABBIT
|
|
case rabbit:
|
|
RabbitProcess(&ssl->encrypt.rabbit, out, input, sz);
|
|
break;
|
|
#endif
|
|
}
|
|
}
|
|
|
|
|
|
static INLINE void Decrypt(SSL* ssl, byte* plain, const byte* input, word32 sz)
|
|
{
|
|
switch (ssl->specs.bulk_cipher_algorithm) {
|
|
#ifdef BUILD_ARC4
|
|
case rc4:
|
|
Arc4Process(&ssl->decrypt.arc4, plain, input, sz);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef BUILD_DES3
|
|
case triple_des:
|
|
Des3_CbcDecrypt(&ssl->decrypt.des3, plain, input, sz);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef BUILD_AES
|
|
case aes:
|
|
AesCbcDecrypt(&ssl->decrypt.aes, plain, input, sz);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef BUILD_HC128
|
|
case hc128:
|
|
Hc128_Process(&ssl->decrypt.hc128, plain, input, sz);
|
|
break;
|
|
#endif
|
|
|
|
#ifdef BUILD_RABBIT
|
|
case rabbit:
|
|
RabbitProcess(&ssl->decrypt.rabbit, plain, input, sz);
|
|
break;
|
|
#endif
|
|
}
|
|
}
|
|
|
|
|
|
/* decrypt input message in place */
|
|
static int DecryptMessage(SSL* ssl, byte* input, word32 sz, word32* idx)
|
|
{
|
|
Decrypt(ssl, input, input, sz);
|
|
ssl->keys.encryptSz = sz;
|
|
if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
|
|
*idx += ssl->specs.block_size; /* go past TLSv1.1 IV */
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static INLINE word32 GetSEQIncrement(SSL* ssl, int verify)
|
|
{
|
|
if (verify)
|
|
return ssl->keys.peer_sequence_number++;
|
|
else
|
|
return ssl->keys.sequence_number++;
|
|
}
|
|
|
|
|
|
int DoApplicationData(SSL* ssl, byte* input, word32* inOutIdx)
|
|
{
|
|
word32 msgSz = ssl->keys.encryptSz;
|
|
word32 pad = 0,
|
|
padByte = 0,
|
|
idx = *inOutIdx,
|
|
digestSz = ssl->specs.hash_size;
|
|
int dataSz;
|
|
int ivExtra = 0;
|
|
byte* rawData = input + idx; /* keep current for hmac */
|
|
#ifdef HAVE_LIBZ
|
|
byte decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
|
|
#endif
|
|
|
|
byte verify[SHA_DIGEST_SIZE];
|
|
const byte* mac;
|
|
|
|
if (ssl->specs.cipher_type == block) {
|
|
if (ssl->options.tls1_1)
|
|
ivExtra = ssl->specs.block_size;
|
|
pad = *(input + idx + msgSz - ivExtra - 1);
|
|
padByte = 1;
|
|
}
|
|
|
|
dataSz = msgSz - ivExtra - digestSz - pad - padByte;
|
|
if (dataSz < 0)
|
|
return BUFFER_ERROR;
|
|
|
|
/* read data */
|
|
if (dataSz) {
|
|
int rawSz = dataSz; /* keep raw size for hmac */
|
|
|
|
ssl->hmac(ssl, verify, rawData, rawSz, application_data, 1);
|
|
|
|
#ifdef HAVE_LIBZ
|
|
byte decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
|
|
|
|
if (ssl->options.usingCompression) {
|
|
dataSz = DeCompress(ssl, rawData, dataSz, decomp, sizeof(decomp));
|
|
if (dataSz < 0) return dataSz;
|
|
}
|
|
#endif
|
|
|
|
if (ssl->options.usingCompression)
|
|
idx += rawSz;
|
|
else
|
|
idx += dataSz;
|
|
|
|
ssl->buffers.clearOutputBuffer.buffer = rawData;
|
|
ssl->buffers.clearOutputBuffer.length = dataSz;
|
|
}
|
|
|
|
/* read mac and fill */
|
|
mac = input + idx;
|
|
idx += digestSz;
|
|
|
|
idx += pad;
|
|
if (padByte)
|
|
idx++;
|
|
|
|
#ifdef HAVE_LIBZ
|
|
if (ssl->options.usingCompression)
|
|
XMEMMOVE(rawData, decomp, dataSz);
|
|
#endif
|
|
|
|
/* verify */
|
|
if (dataSz) {
|
|
if (XMEMCMP(mac, verify, digestSz))
|
|
return VERIFY_MAC_ERROR;
|
|
}
|
|
else
|
|
GetSEQIncrement(ssl, 1); /* even though no data, increment verify */
|
|
|
|
*inOutIdx = idx;
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* process alert, return level */
|
|
static int DoAlert(SSL* ssl, byte* input, word32* inOutIdx, int* type)
|
|
{
|
|
byte level;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("Alert", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
/* add record header back on to info + 2 byte level, data */
|
|
AddPacketInfo("Alert", &ssl->timeoutInfo, input + *inOutIdx -
|
|
RECORD_HEADER_SZ, 2 + RECORD_HEADER_SZ, ssl->heap);
|
|
#endif
|
|
level = input[(*inOutIdx)++];
|
|
*type = (int)input[(*inOutIdx)++];
|
|
|
|
if (*type == close_notify)
|
|
ssl->options.closeNotify = 1;
|
|
|
|
if (ssl->keys.encryptionOn) {
|
|
int aSz = ALERT_SIZE;
|
|
const byte* mac;
|
|
byte verify[SHA_DIGEST_SIZE];
|
|
int padSz = ssl->keys.encryptSz - aSz - ssl->specs.hash_size;
|
|
|
|
ssl->hmac(ssl, verify, input + *inOutIdx - aSz, aSz, alert, 1);
|
|
|
|
/* read mac and fill */
|
|
mac = input + *inOutIdx;
|
|
*inOutIdx += (ssl->specs.hash_size + padSz);
|
|
|
|
/* verify */
|
|
if (XMEMCMP(mac, verify, ssl->specs.hash_size))
|
|
return VERIFY_MAC_ERROR;
|
|
}
|
|
|
|
return level;
|
|
}
|
|
|
|
static int GetInputData(SSL *ssl, size_t size)
|
|
{
|
|
int in;
|
|
int inSz;
|
|
int maxLength;
|
|
int usedLength;
|
|
|
|
|
|
/* check max input length */
|
|
usedLength = ssl->buffers.inputBuffer.length - ssl->buffers.inputBuffer.idx;
|
|
maxLength = ssl->buffers.inputBuffer.bufferSize - usedLength;
|
|
inSz = (int)(size - usedLength); /* from last partial read */
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls)
|
|
inSz = 1500; /* read ahead up to MTU */
|
|
#endif
|
|
|
|
if (inSz > maxLength) {
|
|
if (GrowInputBuffer(ssl, size, usedLength) < 0)
|
|
return MEMORY_E;
|
|
}
|
|
|
|
if (inSz <= 0)
|
|
return BUFFER_ERROR;
|
|
|
|
/* Put buffer data at start if not there */
|
|
if (usedLength > 0 && ssl->buffers.inputBuffer.idx != 0)
|
|
XMEMMOVE(ssl->buffers.inputBuffer.buffer,
|
|
ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
|
|
usedLength);
|
|
|
|
/* remove processed data */
|
|
ssl->buffers.inputBuffer.idx = 0;
|
|
ssl->buffers.inputBuffer.length = usedLength;
|
|
|
|
/* read data from network */
|
|
do {
|
|
in = Receive(ssl,
|
|
ssl->buffers.inputBuffer.buffer +
|
|
ssl->buffers.inputBuffer.length,
|
|
inSz, 0);
|
|
if (in == -1)
|
|
return SOCKET_ERROR_E;
|
|
|
|
if (in == WANT_READ)
|
|
return WANT_READ;
|
|
|
|
ssl->buffers.inputBuffer.length += in;
|
|
inSz -= in;
|
|
|
|
} while (ssl->buffers.inputBuffer.length < size);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* process input requests, return 0 is done, 1 is call again to complete, and
|
|
negative number is error */
|
|
int ProcessReply(SSL* ssl)
|
|
{
|
|
int ret, type, readSz;
|
|
word32 startIdx = 0;
|
|
byte b0, b1;
|
|
#ifdef CYASSL_DTLS
|
|
int used;
|
|
#endif
|
|
|
|
for (;;) {
|
|
switch ((processReply)ssl->options.processReply) {
|
|
|
|
/* in the CYASSL_SERVER case, get the first byte for detecting
|
|
* old client hello */
|
|
case doProcessInit:
|
|
|
|
readSz = RECORD_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls)
|
|
readSz = DTLS_RECORD_HEADER_SZ;
|
|
#endif
|
|
|
|
/* get header or return error */
|
|
if (!ssl->options.dtls) {
|
|
if ((ret = GetInputData(ssl, readSz)) < 0)
|
|
return ret;
|
|
} else {
|
|
#ifdef CYASSL_DTLS
|
|
/* read ahead may already have header */
|
|
used = ssl->buffers.inputBuffer.length -
|
|
ssl->buffers.inputBuffer.idx;
|
|
if (used < readSz)
|
|
if ((ret = GetInputData(ssl, readSz)) < 0)
|
|
return ret;
|
|
#endif
|
|
}
|
|
|
|
#ifndef NO_CYASSL_SERVER
|
|
|
|
/* see if sending SSLv2 client hello */
|
|
if ( ssl->options.side == SERVER_END &&
|
|
ssl->options.clientState == NULL_STATE &&
|
|
ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx]
|
|
!= handshake) {
|
|
ssl->options.processReply = runProcessOldClientHello;
|
|
|
|
/* how many bytes need ProcessOldClientHello */
|
|
b0 =
|
|
ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
|
|
b1 =
|
|
ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
|
|
ssl->curSize = ((b0 & 0x7f) << 8) | b1;
|
|
}
|
|
else {
|
|
ssl->options.processReply = getRecordLayerHeader;
|
|
continue;
|
|
}
|
|
|
|
/* in the CYASSL_SERVER case, run the old client hello */
|
|
case runProcessOldClientHello:
|
|
|
|
/* get sz bytes or return error */
|
|
if (!ssl->options.dtls) {
|
|
if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
|
|
return ret;
|
|
} else {
|
|
#ifdef CYASSL_DTLS
|
|
/* read ahead may already have */
|
|
used = ssl->buffers.inputBuffer.length -
|
|
ssl->buffers.inputBuffer.idx;
|
|
if (used < ssl->curSize)
|
|
if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
|
|
return ret;
|
|
#endif /* CYASSL_DTLS */
|
|
}
|
|
|
|
ret = ProcessOldClientHello(ssl, ssl->buffers.inputBuffer.buffer,
|
|
&ssl->buffers.inputBuffer.idx,
|
|
ssl->buffers.inputBuffer.length -
|
|
ssl->buffers.inputBuffer.idx,
|
|
ssl->curSize);
|
|
if (ret < 0)
|
|
return ret;
|
|
|
|
else if (ssl->buffers.inputBuffer.idx ==
|
|
ssl->buffers.inputBuffer.length) {
|
|
ssl->options.processReply = doProcessInit;
|
|
return 0;
|
|
}
|
|
|
|
#endif /* NO_CYASSL_SERVER */
|
|
|
|
/* get the record layer header */
|
|
case getRecordLayerHeader:
|
|
|
|
ret = GetRecordHeader(ssl, ssl->buffers.inputBuffer.buffer,
|
|
&ssl->buffers.inputBuffer.idx,
|
|
&ssl->curRL, &ssl->curSize);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
ssl->options.processReply = getData;
|
|
|
|
/* retrieve record layer data */
|
|
case getData:
|
|
|
|
/* get sz bytes or return error */
|
|
if (!ssl->options.dtls) {
|
|
if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
|
|
return ret;
|
|
} else {
|
|
#ifdef CYASSL_DTLS
|
|
/* read ahead may already have */
|
|
used = ssl->buffers.inputBuffer.length -
|
|
ssl->buffers.inputBuffer.idx;
|
|
if (used < ssl->curSize)
|
|
if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
|
|
return ret;
|
|
#endif
|
|
}
|
|
|
|
ssl->options.processReply = runProcessingOneMessage;
|
|
startIdx = ssl->buffers.inputBuffer.idx; /* in case > 1 msg per */
|
|
|
|
/* the record layer is here */
|
|
case runProcessingOneMessage:
|
|
|
|
if (ssl->keys.encryptionOn)
|
|
if (DecryptMessage(ssl, ssl->buffers.inputBuffer.buffer +
|
|
ssl->buffers.inputBuffer.idx,
|
|
ssl->curSize,
|
|
&ssl->buffers.inputBuffer.idx) < 0)
|
|
return DECRYPT_ERROR;
|
|
|
|
CYASSL_MSG("received record layer msg");
|
|
|
|
switch (ssl->curRL.type) {
|
|
case handshake :
|
|
/* debugging in DoHandShakeMsg */
|
|
if ((ret = DoHandShakeMsg(ssl,
|
|
ssl->buffers.inputBuffer.buffer,
|
|
&ssl->buffers.inputBuffer.idx,
|
|
ssl->buffers.inputBuffer.length))
|
|
!= 0)
|
|
return ret;
|
|
break;
|
|
|
|
case change_cipher_spec:
|
|
CYASSL_MSG("got CHANGE CIPHER SPEC");
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ChangeCipher", &ssl->handShakeInfo);
|
|
/* add record header back on info */
|
|
if (ssl->toInfoOn) {
|
|
AddPacketInfo("ChangeCipher", &ssl->timeoutInfo,
|
|
ssl->buffers.inputBuffer.buffer +
|
|
ssl->buffers.inputBuffer.idx - RECORD_HEADER_SZ,
|
|
1 + RECORD_HEADER_SZ, ssl->heap);
|
|
AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
|
|
}
|
|
#endif
|
|
ssl->buffers.inputBuffer.idx++;
|
|
ssl->keys.encryptionOn = 1;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls)
|
|
ssl->keys.dtls_peer_epoch++;
|
|
#endif
|
|
|
|
#ifdef HAVE_LIBZ
|
|
if (ssl->options.usingCompression)
|
|
if ( (ret = InitStreams(ssl)) != 0)
|
|
return ret;
|
|
#endif
|
|
if (ssl->options.resuming && ssl->options.side ==
|
|
CLIENT_END)
|
|
BuildFinished(ssl, &ssl->verifyHashes, server);
|
|
else if (!ssl->options.resuming && ssl->options.side ==
|
|
SERVER_END)
|
|
BuildFinished(ssl, &ssl->verifyHashes, client);
|
|
break;
|
|
|
|
case application_data:
|
|
CYASSL_MSG("got app DATA");
|
|
if ((ret = DoApplicationData(ssl,
|
|
ssl->buffers.inputBuffer.buffer,
|
|
&ssl->buffers.inputBuffer.idx))
|
|
!= 0) {
|
|
CYASSL_ERROR(ret);
|
|
return ret;
|
|
}
|
|
break;
|
|
|
|
case alert:
|
|
CYASSL_MSG("got ALERT!");
|
|
if (DoAlert(ssl, ssl->buffers.inputBuffer.buffer,
|
|
&ssl->buffers.inputBuffer.idx, &type) == alert_fatal)
|
|
return FATAL_ERROR;
|
|
|
|
/* catch warnings that are handled as errors */
|
|
if (type == close_notify)
|
|
return ssl->error = ZERO_RETURN;
|
|
|
|
if (type == decrypt_error)
|
|
return FATAL_ERROR;
|
|
break;
|
|
|
|
default:
|
|
CYASSL_ERROR(UNKNOWN_RECORD_TYPE);
|
|
return UNKNOWN_RECORD_TYPE;
|
|
}
|
|
|
|
ssl->options.processReply = doProcessInit;
|
|
|
|
/* input exhausted? */
|
|
if (ssl->buffers.inputBuffer.idx == ssl->buffers.inputBuffer.length)
|
|
return 0;
|
|
/* more messages per record */
|
|
else if ((ssl->buffers.inputBuffer.idx - startIdx) < ssl->curSize) {
|
|
#ifdef CYASSL_DTLS
|
|
/* read-ahead but dtls doesn't bundle messages per record */
|
|
if (ssl->options.dtls) {
|
|
ssl->options.processReply = doProcessInit;
|
|
continue;
|
|
}
|
|
#endif
|
|
ssl->options.processReply = runProcessingOneMessage;
|
|
continue;
|
|
}
|
|
/* more records */
|
|
else {
|
|
ssl->options.processReply = doProcessInit;
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
int SendChangeCipher(SSL* ssl)
|
|
{
|
|
byte *output;
|
|
int sendSz = RECORD_HEADER_SZ + ENUM_LEN;
|
|
int idx = RECORD_HEADER_SZ;
|
|
int ret;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
sendSz += DTLS_RECORD_EXTRA;
|
|
idx += DTLS_RECORD_EXTRA;
|
|
}
|
|
#endif
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddRecordHeader(output, 1, change_cipher_spec, ssl);
|
|
|
|
output[idx] = 1; /* turn it on */
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("ChangeCipher", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("ChangeCipher", &ssl->timeoutInfo, output, sendSz,
|
|
ssl->heap);
|
|
#endif
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
static INLINE const byte* GetMacSecret(SSL* ssl, int verify)
|
|
{
|
|
if ( (ssl->options.side == CLIENT_END && !verify) ||
|
|
(ssl->options.side == SERVER_END && verify) )
|
|
return ssl->keys.client_write_MAC_secret;
|
|
else
|
|
return ssl->keys.server_write_MAC_secret;
|
|
}
|
|
|
|
|
|
static void Hmac(SSL* ssl, byte* digest, const byte* buffer, word32 sz,
|
|
int content, int verify)
|
|
{
|
|
byte result[SHA_DIGEST_SIZE]; /* max possible sizes */
|
|
word32 digestSz = ssl->specs.hash_size; /* actual sizes */
|
|
word32 padSz = ssl->specs.pad_size;
|
|
|
|
Md5 md5;
|
|
Sha sha;
|
|
|
|
/* data */
|
|
byte seq[SEQ_SZ] = { 0x00, 0x00, 0x00, 0x00 };
|
|
byte conLen[ENUM_LEN + LENGTH_SZ]; /* content & length */
|
|
const byte* macSecret = GetMacSecret(ssl, verify);
|
|
|
|
conLen[0] = content;
|
|
c16toa((word16)sz, &conLen[ENUM_LEN]);
|
|
c32toa(GetSEQIncrement(ssl, verify), &seq[sizeof(word32)]);
|
|
|
|
if (ssl->specs.mac_algorithm == md5_mac) {
|
|
InitMd5(&md5);
|
|
/* inner */
|
|
Md5Update(&md5, macSecret, digestSz);
|
|
Md5Update(&md5, PAD1, padSz);
|
|
Md5Update(&md5, seq, SEQ_SZ);
|
|
Md5Update(&md5, conLen, sizeof(conLen));
|
|
/* buffer */
|
|
Md5Update(&md5, buffer, sz);
|
|
Md5Final(&md5, result);
|
|
/* outer */
|
|
Md5Update(&md5, macSecret, digestSz);
|
|
Md5Update(&md5, PAD2, padSz);
|
|
Md5Update(&md5, result, digestSz);
|
|
Md5Final(&md5, digest);
|
|
}
|
|
else {
|
|
InitSha(&sha);
|
|
/* inner */
|
|
ShaUpdate(&sha, macSecret, digestSz);
|
|
ShaUpdate(&sha, PAD1, padSz);
|
|
ShaUpdate(&sha, seq, SEQ_SZ);
|
|
ShaUpdate(&sha, conLen, sizeof(conLen));
|
|
/* buffer */
|
|
ShaUpdate(&sha, buffer, sz);
|
|
ShaFinal(&sha, result);
|
|
/* outer */
|
|
ShaUpdate(&sha, macSecret, digestSz);
|
|
ShaUpdate(&sha, PAD2, padSz);
|
|
ShaUpdate(&sha, result, digestSz);
|
|
ShaFinal(&sha, digest);
|
|
}
|
|
}
|
|
|
|
|
|
static void BuildMD5_CertVerify(SSL* ssl, byte* digest)
|
|
{
|
|
byte md5_result[MD5_DIGEST_SIZE];
|
|
|
|
/* make md5 inner */
|
|
Md5Update(&ssl->hashMd5, ssl->arrays.masterSecret, SECRET_LEN);
|
|
Md5Update(&ssl->hashMd5, PAD1, PAD_MD5);
|
|
Md5Final(&ssl->hashMd5, md5_result);
|
|
|
|
/* make md5 outer */
|
|
Md5Update(&ssl->hashMd5, ssl->arrays.masterSecret, SECRET_LEN);
|
|
Md5Update(&ssl->hashMd5, PAD2, PAD_MD5);
|
|
Md5Update(&ssl->hashMd5, md5_result, MD5_DIGEST_SIZE);
|
|
|
|
Md5Final(&ssl->hashMd5, digest);
|
|
}
|
|
|
|
|
|
static void BuildSHA_CertVerify(SSL* ssl, byte* digest)
|
|
{
|
|
byte sha_result[SHA_DIGEST_SIZE];
|
|
|
|
/* make sha inner */
|
|
ShaUpdate(&ssl->hashSha, ssl->arrays.masterSecret, SECRET_LEN);
|
|
ShaUpdate(&ssl->hashSha, PAD1, PAD_SHA);
|
|
ShaFinal(&ssl->hashSha, sha_result);
|
|
|
|
/* make sha outer */
|
|
ShaUpdate(&ssl->hashSha, ssl->arrays.masterSecret, SECRET_LEN);
|
|
ShaUpdate(&ssl->hashSha, PAD2, PAD_SHA);
|
|
ShaUpdate(&ssl->hashSha, sha_result, SHA_DIGEST_SIZE);
|
|
|
|
ShaFinal(&ssl->hashSha, digest);
|
|
}
|
|
|
|
|
|
static void BuildCertHashes(SSL* ssl, Hashes* hashes)
|
|
{
|
|
/* store current states, building requires get_digest which resets state */
|
|
Md5 md5 = ssl->hashMd5;
|
|
Sha sha = ssl->hashSha;
|
|
|
|
if (ssl->options.tls) {
|
|
Md5Final(&ssl->hashMd5, hashes->md5);
|
|
ShaFinal(&ssl->hashSha, hashes->sha);
|
|
}
|
|
else {
|
|
BuildMD5_CertVerify(ssl, hashes->md5);
|
|
BuildSHA_CertVerify(ssl, hashes->sha);
|
|
}
|
|
|
|
/* restore */
|
|
ssl->hashMd5 = md5;
|
|
ssl->hashSha = sha;
|
|
}
|
|
|
|
|
|
/* Build SSL Message, encrypted */
|
|
static int BuildMessage(SSL* ssl, byte* output, const byte* input, int inSz,
|
|
int type)
|
|
{
|
|
word32 digestSz = ssl->specs.hash_size;
|
|
word32 sz = RECORD_HEADER_SZ + inSz + digestSz;
|
|
word32 pad = 0, i;
|
|
word32 idx = RECORD_HEADER_SZ;
|
|
word32 ivSz = 0; /* TLSv1.1 IV */
|
|
word32 headerSz = RECORD_HEADER_SZ;
|
|
word16 size;
|
|
byte iv[AES_BLOCK_SIZE]; /* max size */
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
sz += DTLS_RECORD_EXTRA;
|
|
idx += DTLS_RECORD_EXTRA;
|
|
headerSz += DTLS_RECORD_EXTRA;
|
|
}
|
|
#endif
|
|
|
|
if (ssl->specs.cipher_type == block) {
|
|
word32 blockSz = ssl->specs.block_size;
|
|
if (ssl->options.tls1_1) {
|
|
ivSz = blockSz;
|
|
sz += ivSz;
|
|
RNG_GenerateBlock(&ssl->rng, iv, ivSz);
|
|
}
|
|
sz += 1; /* pad byte */
|
|
pad = (sz - headerSz) % blockSz;
|
|
pad = blockSz - pad;
|
|
sz += pad;
|
|
}
|
|
|
|
size = sz - headerSz; /* include mac and digest */
|
|
AddRecordHeader(output, size, type, ssl);
|
|
|
|
/* write to output */
|
|
if (ivSz) {
|
|
XMEMCPY(output + idx, iv, ivSz);
|
|
idx += ivSz;
|
|
}
|
|
XMEMCPY(output + idx, input, inSz);
|
|
idx += inSz;
|
|
|
|
if (type == handshake)
|
|
HashOutput(ssl, output, headerSz + inSz, ivSz);
|
|
ssl->hmac(ssl, output+idx, output + headerSz + ivSz, inSz, type, 0);
|
|
idx += digestSz;
|
|
|
|
if (ssl->specs.cipher_type == block)
|
|
for (i = 0; i <= pad; i++) output[idx++] = pad; /* pad byte gets */
|
|
/* pad value too */
|
|
Encrypt(ssl, output + headerSz, output + headerSz, size);
|
|
|
|
return sz;
|
|
}
|
|
|
|
|
|
int SendFinished(SSL* ssl)
|
|
{
|
|
int sendSz,
|
|
finishedSz = ssl->options.tls ? TLS_FINISHED_SZ :
|
|
FINISHED_SZ;
|
|
byte input[FINISHED_SZ + DTLS_HANDSHAKE_HEADER_SZ]; /* max */
|
|
byte *output;
|
|
Hashes* hashes;
|
|
int ret;
|
|
int headerSz = HANDSHAKE_HEADER_SZ;
|
|
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
headerSz += DTLS_HANDSHAKE_EXTRA;
|
|
ssl->keys.dtls_epoch++;
|
|
ssl->keys.dtls_sequence_number = 0; /* reset after epoch change */
|
|
}
|
|
#endif
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sizeof(input) + MAX_MSG_EXTRA)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHandShakeHeader(input, finishedSz, finished, ssl);
|
|
|
|
/* make finished hashes */
|
|
hashes = (Hashes*)&input[headerSz];
|
|
BuildFinished(ssl, hashes, ssl->options.side == CLIENT_END ? client :
|
|
server);
|
|
|
|
if ( (sendSz = BuildMessage(ssl, output, input, headerSz +
|
|
finishedSz, handshake)) == -1)
|
|
return BUILD_MSG_ERROR;
|
|
|
|
if (!ssl->options.resuming) {
|
|
AddSession(ssl); /* just try */
|
|
if (ssl->options.side == CLIENT_END)
|
|
BuildFinished(ssl, &ssl->verifyHashes, server);
|
|
else
|
|
ssl->options.handShakeState = HANDSHAKE_DONE;
|
|
}
|
|
else {
|
|
if (ssl->options.side == CLIENT_END)
|
|
ssl->options.handShakeState = HANDSHAKE_DONE;
|
|
else
|
|
BuildFinished(ssl, &ssl->verifyHashes, client);
|
|
}
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("Finished", &ssl->timeoutInfo, output, sendSz,
|
|
ssl->heap);
|
|
#endif
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
int SendCertificate(SSL* ssl)
|
|
{
|
|
int sendSz, length, ret = 0;
|
|
word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
word32 certSz, listSz;
|
|
byte* output = 0;
|
|
|
|
if (ssl->options.usingPSK_cipher) return 0; /* not needed */
|
|
|
|
if (ssl->options.sendVerify == SEND_BLANK_CERT) {
|
|
certSz = 0;
|
|
length = CERT_HEADER_SZ;
|
|
listSz = 0;
|
|
}
|
|
else {
|
|
certSz = ssl->buffers.certificate.length;
|
|
/* list + cert size */
|
|
length = certSz + 2 * CERT_HEADER_SZ;
|
|
listSz = certSz + CERT_HEADER_SZ;
|
|
}
|
|
sendSz = length + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
}
|
|
#endif
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHeaders(output, length, certificate, ssl);
|
|
|
|
/* list total */
|
|
c32to24(listSz, output + i);
|
|
i += CERT_HEADER_SZ;
|
|
|
|
/* member */
|
|
if (certSz) {
|
|
c32to24(certSz, output + i);
|
|
i += CERT_HEADER_SZ;
|
|
XMEMCPY(output + i, ssl->buffers.certificate.buffer, certSz);
|
|
i += certSz;
|
|
}
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("Certificate", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("Certificate", &ssl->timeoutInfo, output, sendSz,
|
|
ssl->heap);
|
|
#endif
|
|
|
|
if (ssl->options.side == SERVER_END)
|
|
ssl->options.serverState = SERVER_CERT_COMPLETE;
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
int SendCertificateRequest(SSL* ssl)
|
|
{
|
|
byte *output;
|
|
int ret;
|
|
int sendSz;
|
|
word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
|
|
int typeTotal = 1; /* only rsa for now */
|
|
int reqSz = ENUM_LEN + typeTotal + REQ_HEADER_SZ; /* add auth later */
|
|
|
|
if (ssl->options.usingPSK_cipher) return 0; /* not needed */
|
|
|
|
sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
i += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
}
|
|
#endif
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHeaders(output, reqSz, certificate_request, ssl);
|
|
|
|
/* write to output */
|
|
output[i++] = typeTotal; /* # of types */
|
|
output[i++] = rsa_sign;
|
|
|
|
c16toa(0, &output[i]); /* auth's */
|
|
i += REQ_HEADER_SZ;
|
|
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("CertificateRequest", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("CertificateRequest", &ssl->timeoutInfo, output,
|
|
sendSz, ssl->heap);
|
|
#endif
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
int SendData(SSL* ssl, const void* buffer, int sz)
|
|
{
|
|
int sent = 0, /* plainText size */
|
|
sendSz,
|
|
ret;
|
|
|
|
if (ssl->error == WANT_WRITE)
|
|
ssl->error = 0;
|
|
|
|
if (ssl->options.handShakeState != HANDSHAKE_DONE) {
|
|
int err;
|
|
if ( (err = CyaSSL_negotiate(ssl)) != 0)
|
|
return err;
|
|
}
|
|
|
|
/* last time system socket output buffer was full, try again to send */
|
|
if (ssl->buffers.outputBuffer.length > 0) {
|
|
if ( (ssl->error = SendBuffered(ssl)) < 0) {
|
|
CYASSL_ERROR(ssl->error);
|
|
if (ssl->error == SOCKET_ERROR_E && ssl->options.connReset)
|
|
return 0; /* peer reset */
|
|
return ssl->error;
|
|
}
|
|
else {
|
|
/* advance sent to previous sent + plain size just sent */
|
|
sent = ssl->buffers.prevSent + ssl->buffers.plainSz;
|
|
CYASSL_MSG("sent write buffered data");
|
|
}
|
|
}
|
|
|
|
for (;;) {
|
|
int len = min(sz - sent, OUTPUT_RECORD_SIZE);
|
|
byte* out;
|
|
byte* sendBuffer = (byte*)buffer + sent; /* may switch on comp */
|
|
int buffSz = len; /* may switch on comp */
|
|
#ifdef HAVE_LIBZ
|
|
byte comp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
|
|
#endif
|
|
|
|
if (sent == sz) break;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
len = min(len, MAX_UDP_SIZE);
|
|
buffSz = len;
|
|
}
|
|
#endif
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, len + COMP_EXTRA +
|
|
MAX_MSG_EXTRA)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
out = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
#ifdef HAVE_LIBZ
|
|
if (ssl->options.usingCompression) {
|
|
buffSz = Compress(ssl, sendBuffer, buffSz, comp, sizeof(comp));
|
|
if (buffSz < 0) {
|
|
return buffSz;
|
|
}
|
|
sendBuffer = comp;
|
|
}
|
|
#endif
|
|
sendSz = BuildMessage(ssl, out, sendBuffer, buffSz,
|
|
application_data);
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
|
|
if ( (ret = SendBuffered(ssl)) < 0) {
|
|
CYASSL_ERROR(ret);
|
|
/* store for next call if WANT_WRITE or user embedSend() that
|
|
doesn't present like WANT_WRITE */
|
|
ssl->buffers.plainSz = len;
|
|
ssl->buffers.prevSent = sent;
|
|
if (ret == SOCKET_ERROR_E && ssl->options.connReset)
|
|
return 0; /* peer reset */
|
|
return ssl->error = ret;
|
|
}
|
|
|
|
sent += len;
|
|
|
|
/* only one message per attempt */
|
|
if (ssl->options.partialWrite == 1)
|
|
break;
|
|
}
|
|
|
|
return sent;
|
|
}
|
|
|
|
/* process input data */
|
|
int ReceiveData(SSL* ssl, byte* output, int sz)
|
|
{
|
|
int size;
|
|
|
|
CYASSL_ENTER("ReceiveData()");
|
|
|
|
if (ssl->error == WANT_READ)
|
|
ssl->error = 0;
|
|
|
|
if (ssl->options.handShakeState != HANDSHAKE_DONE) {
|
|
int err;
|
|
if ( (err = CyaSSL_negotiate(ssl)) != 0)
|
|
return err;
|
|
}
|
|
|
|
while (ssl->buffers.clearOutputBuffer.length == 0)
|
|
if ( (ssl->error = ProcessReply(ssl)) < 0) {
|
|
CYASSL_ERROR(ssl->error);
|
|
if (ssl->error == ZERO_RETURN) {
|
|
ssl->options.isClosed = 1;
|
|
return 0; /* no more data coming */
|
|
}
|
|
if (ssl->error == SOCKET_ERROR_E)
|
|
if (ssl->options.connReset || ssl->options.isClosed)
|
|
return 0; /* peer reset or closed */
|
|
return ssl->error;
|
|
}
|
|
|
|
if (sz < (int)ssl->buffers.clearOutputBuffer.length)
|
|
size = sz;
|
|
else
|
|
size = ssl->buffers.clearOutputBuffer.length;
|
|
|
|
XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size);
|
|
ssl->buffers.clearOutputBuffer.length -= size;
|
|
ssl->buffers.clearOutputBuffer.buffer += size;
|
|
|
|
if (ssl->buffers.clearOutputBuffer.length == 0 &&
|
|
ssl->buffers.inputBuffer.dynamicFlag)
|
|
ShrinkInputBuffer(ssl, NO_FORCED_FREE);
|
|
|
|
CYASSL_LEAVE("ReceiveData()", size);
|
|
return size;
|
|
}
|
|
|
|
|
|
/* send alert message */
|
|
int SendAlert(SSL* ssl, int severity, int type)
|
|
{
|
|
byte input[ALERT_SIZE];
|
|
byte *output;
|
|
int sendSz;
|
|
int ret;
|
|
|
|
/* if sendalert is called again for nonbloking */
|
|
if (ssl->options.sendAlertState != 0) {
|
|
ret = SendBuffered(ssl);
|
|
if (ret == 0)
|
|
ssl->options.sendAlertState = 0;
|
|
return ret;
|
|
}
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, ALERT_SIZE + MAX_MSG_EXTRA)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
input[0] = severity;
|
|
input[1] = type;
|
|
|
|
if (ssl->keys.encryptionOn)
|
|
sendSz = BuildMessage(ssl, output, input, sizeof(input), alert);
|
|
else {
|
|
RecordLayerHeader *const rl = (RecordLayerHeader*)output;
|
|
rl->type = alert;
|
|
rl->version = ssl->version;
|
|
c16toa(ALERT_SIZE, rl->length);
|
|
|
|
XMEMCPY(output + RECORD_HEADER_SZ, input, sizeof(input));
|
|
sendSz = RECORD_HEADER_SZ + sizeof(input);
|
|
}
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("Alert", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("Alert", &ssl->timeoutInfo, output, sendSz,ssl->heap);
|
|
#endif
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
ssl->options.sendAlertState = 1;
|
|
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
|
|
void SetErrorString(int error, char* buffer)
|
|
{
|
|
const int max = MAX_ERROR_SZ; /* shorthand */
|
|
|
|
#ifdef NO_ERROR_STRINGS
|
|
|
|
XSTRNCPY(buffer, "no support for error strings built in", max);
|
|
|
|
#else
|
|
|
|
/* pass to CTaoCrypt */
|
|
if (error < MAX_CODE_E && error > MIN_CODE_E) {
|
|
CTaoCryptErrorString(error, buffer);
|
|
return;
|
|
}
|
|
|
|
switch (error) {
|
|
|
|
case UNSUPPORTED_SUITE :
|
|
XSTRNCPY(buffer, "unsupported cipher suite", max);
|
|
break;
|
|
|
|
case PREFIX_ERROR :
|
|
XSTRNCPY(buffer, "bad index to key rounds", max);
|
|
break;
|
|
|
|
case MEMORY_ERROR :
|
|
XSTRNCPY(buffer, "out of memory", max);
|
|
break;
|
|
|
|
case VERIFY_FINISHED_ERROR :
|
|
XSTRNCPY(buffer, "verify problem on finished", max);
|
|
break;
|
|
|
|
case VERIFY_MAC_ERROR :
|
|
XSTRNCPY(buffer, "verify mac problem", max);
|
|
break;
|
|
|
|
case PARSE_ERROR :
|
|
XSTRNCPY(buffer, "parse error on header", max);
|
|
break;
|
|
|
|
case SIDE_ERROR :
|
|
XSTRNCPY(buffer, "wrong client/server type", max);
|
|
break;
|
|
|
|
case NO_PEER_CERT :
|
|
XSTRNCPY(buffer, "peer didn't send cert", max);
|
|
break;
|
|
|
|
case UNKNOWN_HANDSHAKE_TYPE :
|
|
XSTRNCPY(buffer, "weird handshake type", max);
|
|
break;
|
|
|
|
case SOCKET_ERROR_E :
|
|
XSTRNCPY(buffer, "error state on socket", max);
|
|
break;
|
|
|
|
case SOCKET_NODATA :
|
|
XSTRNCPY(buffer, "expected data, not there", max);
|
|
break;
|
|
|
|
case INCOMPLETE_DATA :
|
|
XSTRNCPY(buffer, "don't have enough data to complete task", max);
|
|
break;
|
|
|
|
case UNKNOWN_RECORD_TYPE :
|
|
XSTRNCPY(buffer, "unknown type in record hdr", max);
|
|
break;
|
|
|
|
case DECRYPT_ERROR :
|
|
XSTRNCPY(buffer, "error during decryption", max);
|
|
break;
|
|
|
|
case FATAL_ERROR :
|
|
XSTRNCPY(buffer, "revcd alert fatal error", max);
|
|
break;
|
|
|
|
case ENCRYPT_ERROR :
|
|
XSTRNCPY(buffer, "error during encryption", max);
|
|
break;
|
|
|
|
case FREAD_ERROR :
|
|
XSTRNCPY(buffer, "fread problem", max);
|
|
break;
|
|
|
|
case NO_PEER_KEY :
|
|
XSTRNCPY(buffer, "need peer's key", max);
|
|
break;
|
|
|
|
case NO_PRIVATE_KEY :
|
|
XSTRNCPY(buffer, "need the private key", max);
|
|
break;
|
|
|
|
case RSA_PRIVATE_ERROR :
|
|
XSTRNCPY(buffer, "error during rsa priv op", max);
|
|
break;
|
|
|
|
case MATCH_SUITE_ERROR :
|
|
XSTRNCPY(buffer, "can't match cipher suite", max);
|
|
break;
|
|
|
|
case BUILD_MSG_ERROR :
|
|
XSTRNCPY(buffer, "build message failure", max);
|
|
break;
|
|
|
|
case BAD_HELLO :
|
|
XSTRNCPY(buffer, "client hello malformed", max);
|
|
break;
|
|
|
|
case DOMAIN_NAME_MISMATCH :
|
|
XSTRNCPY(buffer, "peer subject name mismatch", max);
|
|
break;
|
|
|
|
case WANT_READ :
|
|
XSTRNCPY(buffer, "non-blocking socket wants data to be read", max);
|
|
break;
|
|
|
|
case NOT_READY_ERROR :
|
|
XSTRNCPY(buffer, "handshake layer not ready yet, complete first", max);
|
|
break;
|
|
|
|
case PMS_VERSION_ERROR :
|
|
XSTRNCPY(buffer, "premaster secret version mismatch error", max);
|
|
break;
|
|
|
|
case VERSION_ERROR :
|
|
XSTRNCPY(buffer, "record layer version error", max);
|
|
break;
|
|
|
|
case WANT_WRITE :
|
|
XSTRNCPY(buffer, "non-blocking socket write buffer full", max);
|
|
break;
|
|
|
|
case BUFFER_ERROR :
|
|
XSTRNCPY(buffer, "malformed buffer input error", max);
|
|
break;
|
|
|
|
case VERIFY_CERT_ERROR :
|
|
XSTRNCPY(buffer, "verify problem on certificate", max);
|
|
break;
|
|
|
|
case VERIFY_SIGN_ERROR :
|
|
XSTRNCPY(buffer, "verify problem based on signature", max);
|
|
break;
|
|
|
|
case CLIENT_ID_ERROR :
|
|
XSTRNCPY(buffer, "psk client identity error", max);
|
|
break;
|
|
|
|
case SERVER_HINT_ERROR:
|
|
XSTRNCPY(buffer, "psk server hint error", max);
|
|
break;
|
|
|
|
case PSK_KEY_ERROR:
|
|
XSTRNCPY(buffer, "psk key callback error", max);
|
|
break;
|
|
|
|
case NTRU_KEY_ERROR:
|
|
XSTRNCPY(buffer, "NTRU key error", max);
|
|
break;
|
|
|
|
case NTRU_DRBG_ERROR:
|
|
XSTRNCPY(buffer, "NTRU drbg error", max);
|
|
break;
|
|
|
|
case NTRU_ENCRYPT_ERROR:
|
|
XSTRNCPY(buffer, "NTRU encrypt error", max);
|
|
break;
|
|
|
|
case NTRU_DECRYPT_ERROR:
|
|
XSTRNCPY(buffer, "NTRU decrypt error", max);
|
|
break;
|
|
|
|
case ZLIB_INIT_ERROR:
|
|
XSTRNCPY(buffer, "zlib init error", max);
|
|
break;
|
|
|
|
case ZLIB_COMPRESS_ERROR:
|
|
XSTRNCPY(buffer, "zlib compress error", max);
|
|
break;
|
|
|
|
case ZLIB_DECOMPRESS_ERROR:
|
|
XSTRNCPY(buffer, "zlib decompress error", max);
|
|
break;
|
|
|
|
case GETTIME_ERROR:
|
|
XSTRNCPY(buffer, "gettimeofday() error", max);
|
|
break;
|
|
|
|
case GETITIMER_ERROR:
|
|
XSTRNCPY(buffer, "getitimer() error", max);
|
|
break;
|
|
|
|
case SIGACT_ERROR:
|
|
XSTRNCPY(buffer, "sigaction() error", max);
|
|
break;
|
|
|
|
case SETITIMER_ERROR:
|
|
XSTRNCPY(buffer, "setitimer() error", max);
|
|
break;
|
|
|
|
case LENGTH_ERROR:
|
|
XSTRNCPY(buffer, "record layer length error", max);
|
|
break;
|
|
|
|
case PEER_KEY_ERROR:
|
|
XSTRNCPY(buffer, "cant decode peer key", max);
|
|
break;
|
|
|
|
case ZERO_RETURN:
|
|
XSTRNCPY(buffer, "peer sent close notify alert", max);
|
|
break;
|
|
|
|
case ECC_CURVETYPE_ERROR:
|
|
XSTRNCPY(buffer, "Bad ECC Curve Type or unsupported", max);
|
|
break;
|
|
|
|
case ECC_CURVE_ERROR:
|
|
XSTRNCPY(buffer, "Bad ECC Curve or unsupported", max);
|
|
break;
|
|
|
|
case ECC_PEERKEY_ERROR:
|
|
XSTRNCPY(buffer, "Bad ECC Peer Key", max);
|
|
break;
|
|
|
|
case ECC_MAKEKEY_ERROR:
|
|
XSTRNCPY(buffer, "ECC Make Key failutre", max);
|
|
break;
|
|
|
|
case ECC_EXPORT_ERROR:
|
|
XSTRNCPY(buffer, "ECC Export Key failutre", max);
|
|
break;
|
|
|
|
case ECC_SHARED_ERROR:
|
|
XSTRNCPY(buffer, "ECC DHE shared failutre", max);
|
|
break;
|
|
|
|
default :
|
|
XSTRNCPY(buffer, "unknown error number", max);
|
|
}
|
|
|
|
#endif /* NO_ERROR_STRINGS */
|
|
}
|
|
|
|
|
|
|
|
/* be sure to add to cipher_name_idx too !!!! */
|
|
const char* const cipher_names[] =
|
|
{
|
|
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
|
|
"RC4-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
|
|
"RC4-MD5",
|
|
#endif
|
|
|
|
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
|
|
"DES-CBC3-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
|
|
"AES128-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
|
|
"AES256-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
|
"DHE-RSA-AES128-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
|
"DHE-RSA-AES256-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
|
|
"PSK-AES128-CBC-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
|
|
"PSK-AES256-CBC-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
|
|
"HC128-MD5",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
|
|
"HC128-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
|
|
"RABBIT-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
|
|
"NTRU-RC4-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
|
|
"NTRU-DES-CBC3-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
|
|
"NTRU-AES128-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
|
|
"NTRU-AES256-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
"ECDHE-RSA-AES128-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
"ECDHE-RSA-AES256-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
|
"ECDHE-ECDSA-AES128-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
|
"ECDHE-ECDSA-AES256-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
|
"ECDHE-RSA-RC4-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
|
"ECDHE-RSA-DES-CBC3-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
|
"ECDHE-ECDSA-RC4-SHA",
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
|
"ECDHE-ECDSA-DES-CBC3-SHA",
|
|
#endif
|
|
|
|
};
|
|
|
|
|
|
|
|
/* cipher suite number that matches above name table */
|
|
int cipher_name_idx[] =
|
|
{
|
|
|
|
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
|
|
SSL_RSA_WITH_RC4_128_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
|
|
SSL_RSA_WITH_RC4_128_MD5,
|
|
#endif
|
|
|
|
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
|
|
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
|
|
TLS_RSA_WITH_AES_128_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
|
|
TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
|
|
TLS_PSK_WITH_AES_128_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
|
|
TLS_PSK_WITH_AES_256_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
|
|
TLS_RSA_WITH_HC_128_CBC_MD5,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
|
|
TLS_RSA_WITH_HC_128_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
|
|
TLS_RSA_WITH_RABBIT_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
|
|
TLS_NTRU_RSA_WITH_RC4_128_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
|
|
TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
|
|
TLS_NTRU_RSA_WITH_AES_128_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
|
|
TLS_NTRU_RSA_WITH_AES_256_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
|
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
|
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
|
#endif
|
|
|
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
|
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
|
#endif
|
|
|
|
};
|
|
|
|
|
|
/* return true if set, else false */
|
|
/* only supports full name from cipher_name[] delimited by : */
|
|
int SetCipherList(SSL_CTX* ctx, const char* list)
|
|
{
|
|
int ret = 0, i;
|
|
char name[MAX_SUITE_NAME];
|
|
|
|
char needle[] = ":";
|
|
char* haystack = (char*)list;
|
|
char* prev;
|
|
|
|
const int suiteSz = sizeof(cipher_names) / sizeof(cipher_names[0]);
|
|
int idx = 0;
|
|
|
|
if (!list)
|
|
return 0;
|
|
|
|
if (*list == 0) return 1; /* CyaSSL default */
|
|
|
|
if (XSTRNCMP(haystack, "ALL", 3) == 0) return 1; /* CyaSSL defualt */
|
|
|
|
for(;;) {
|
|
size_t len;
|
|
prev = haystack;
|
|
haystack = XSTRSTR(haystack, needle);
|
|
|
|
if (!haystack) /* last cipher */
|
|
len = min(sizeof(name), XSTRLEN(prev));
|
|
else
|
|
len = min(sizeof(name), (size_t)(haystack - prev));
|
|
|
|
XSTRNCPY(name, prev, len);
|
|
name[(len == sizeof(name)) ? len - 1 : len] = 0;
|
|
|
|
for (i = 0; i < suiteSz; i++)
|
|
if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) {
|
|
if (XSTRSTR(name, "EC"))
|
|
ctx->suites.suites[idx++] = ECC_BYTE; /* ECC suite */
|
|
else
|
|
ctx->suites.suites[idx++] = 0x00; /* normal */
|
|
ctx->suites.suites[idx++] = cipher_name_idx[i];
|
|
|
|
if (!ret) ret = 1; /* found at least one */
|
|
break;
|
|
}
|
|
if (!haystack) break;
|
|
haystack++;
|
|
}
|
|
|
|
if (ret) {
|
|
ctx->suites.setSuites = 1;
|
|
ctx->suites.suiteSz = idx;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
|
|
/* Initialisze HandShakeInfo */
|
|
void InitHandShakeInfo(HandShakeInfo* info)
|
|
{
|
|
int i;
|
|
|
|
info->cipherName[0] = 0;
|
|
for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++)
|
|
info->packetNames[i][0] = 0;
|
|
info->numberPackets = 0;
|
|
info->negotiationError = 0;
|
|
}
|
|
|
|
/* Set Final HandShakeInfo parameters */
|
|
void FinishHandShakeInfo(HandShakeInfo* info, const SSL* ssl)
|
|
{
|
|
int i;
|
|
int sz = sizeof(cipher_name_idx)/sizeof(int);
|
|
|
|
for (i = 0; i < sz; i++)
|
|
if (ssl->options.cipherSuite == (byte)cipher_name_idx[i]) {
|
|
if (ssl->options.cipherSuite0 == ECC_BYTE)
|
|
continue; /* ECC suites at end */
|
|
XSTRNCPY(info->cipherName, cipher_names[i], MAX_CIPHERNAME_SZ);
|
|
break;
|
|
}
|
|
|
|
/* error max and min are negative numbers */
|
|
if (ssl->error <= MIN_PARAM_ERR && ssl->error >= MAX_PARAM_ERR)
|
|
info->negotiationError = ssl->error;
|
|
}
|
|
|
|
|
|
/* Add name to info packet names, increase packet name count */
|
|
void AddPacketName(const char* name, HandShakeInfo* info)
|
|
{
|
|
if (info->numberPackets < MAX_PACKETS_HANDSHAKE) {
|
|
XSTRNCPY(info->packetNames[info->numberPackets++], name,
|
|
MAX_PACKETNAME_SZ);
|
|
}
|
|
}
|
|
|
|
|
|
/* Initialisze TimeoutInfo */
|
|
void InitTimeoutInfo(TimeoutInfo* info)
|
|
{
|
|
int i;
|
|
|
|
info->timeoutName[0] = 0;
|
|
info->flags = 0;
|
|
|
|
for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) {
|
|
info->packets[i].packetName[0] = 0;
|
|
info->packets[i].timestamp.tv_sec = 0;
|
|
info->packets[i].timestamp.tv_usec = 0;
|
|
info->packets[i].bufferValue = 0;
|
|
info->packets[i].valueSz = 0;
|
|
}
|
|
info->numberPackets = 0;
|
|
info->timeoutValue.tv_sec = 0;
|
|
info->timeoutValue.tv_usec = 0;
|
|
}
|
|
|
|
|
|
/* Free TimeoutInfo */
|
|
void FreeTimeoutInfo(TimeoutInfo* info, void* heap)
|
|
{
|
|
int i;
|
|
for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++)
|
|
if (info->packets[i].bufferValue) {
|
|
XFREE(info->packets[i].bufferValue, heap, DYNAMIC_TYPE_INFO);
|
|
info->packets[i].bufferValue = 0;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
/* Add PacketInfo to TimeoutInfo */
|
|
void AddPacketInfo(const char* name, TimeoutInfo* info, const byte* data,
|
|
int sz, void* heap)
|
|
{
|
|
if (info->numberPackets < (MAX_PACKETS_HANDSHAKE - 1)) {
|
|
Timeval currTime;
|
|
|
|
/* may add name after */
|
|
if (name)
|
|
XSTRNCPY(info->packets[info->numberPackets].packetName, name,
|
|
MAX_PACKETNAME_SZ);
|
|
|
|
/* add data, put in buffer if bigger than static buffer */
|
|
info->packets[info->numberPackets].valueSz = sz;
|
|
if (sz < MAX_VALUE_SZ)
|
|
XMEMCPY(info->packets[info->numberPackets].value, data, sz);
|
|
else {
|
|
info->packets[info->numberPackets].bufferValue =
|
|
XMALLOC(sz, heap, DYNAMIC_TYPE_INFO);
|
|
if (!info->packets[info->numberPackets].bufferValue)
|
|
/* let next alloc catch, just don't fill, not fatal here */
|
|
info->packets[info->numberPackets].valueSz = 0;
|
|
else
|
|
XMEMCPY(info->packets[info->numberPackets].bufferValue,
|
|
data, sz);
|
|
}
|
|
gettimeofday(&currTime, 0);
|
|
info->packets[info->numberPackets].timestamp.tv_sec =
|
|
currTime.tv_sec;
|
|
info->packets[info->numberPackets].timestamp.tv_usec =
|
|
currTime.tv_usec;
|
|
info->numberPackets++;
|
|
}
|
|
}
|
|
|
|
|
|
/* Add packet name to previsouly added packet info */
|
|
void AddLateName(const char* name, TimeoutInfo* info)
|
|
{
|
|
/* make sure we have a valid previous one */
|
|
if (info->numberPackets > 0 && info->numberPackets <
|
|
MAX_PACKETS_HANDSHAKE) {
|
|
XSTRNCPY(info->packets[info->numberPackets - 1].packetName, name,
|
|
MAX_PACKETNAME_SZ);
|
|
}
|
|
}
|
|
|
|
/* Add record header to previsouly added packet info */
|
|
void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info)
|
|
{
|
|
/* make sure we have a valid previous one */
|
|
if (info->numberPackets > 0 && info->numberPackets <
|
|
MAX_PACKETS_HANDSHAKE) {
|
|
if (info->packets[info->numberPackets - 1].bufferValue)
|
|
XMEMCPY(info->packets[info->numberPackets - 1].bufferValue, rl,
|
|
RECORD_HEADER_SZ);
|
|
else
|
|
XMEMCPY(info->packets[info->numberPackets - 1].value, rl,
|
|
RECORD_HEADER_SZ);
|
|
}
|
|
}
|
|
|
|
#endif /* CYASSL_CALLBACKS */
|
|
|
|
|
|
|
|
/* client only parts */
|
|
#ifndef NO_CYASSL_CLIENT
|
|
|
|
int SendClientHello(SSL* ssl)
|
|
{
|
|
byte *output;
|
|
word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
int sendSz;
|
|
int idSz = ssl->options.resuming ? ID_LEN : 0;
|
|
int ret;
|
|
|
|
length = sizeof(ProtocolVersion) + RAN_LEN
|
|
+ idSz + ENUM_LEN
|
|
+ ssl->suites.suiteSz + SUITE_LEN
|
|
+ COMP_LEN + ENUM_LEN;
|
|
|
|
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
length += ENUM_LEN; /* cookie */
|
|
sendSz = length + DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ;
|
|
idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
|
|
}
|
|
#endif
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHeaders(output, length, client_hello, ssl);
|
|
|
|
/* client hello, first version */
|
|
XMEMCPY(output + idx, &ssl->version, sizeof(ProtocolVersion));
|
|
idx += sizeof(ProtocolVersion);
|
|
ssl->chVersion = ssl->version; /* store in case changed */
|
|
|
|
/* then random */
|
|
if (ssl->options.connectState == CONNECT_BEGIN) {
|
|
RNG_GenerateBlock(&ssl->rng, output + idx, RAN_LEN);
|
|
|
|
/* store random */
|
|
XMEMCPY(ssl->arrays.clientRandom, output + idx, RAN_LEN);
|
|
} else {
|
|
#ifdef CYASSL_DTLS
|
|
/* send same random on hello again */
|
|
XMEMCPY(output + idx, ssl->arrays.clientRandom, RAN_LEN);
|
|
#endif
|
|
}
|
|
idx += RAN_LEN;
|
|
|
|
/* then session id */
|
|
output[idx++] = idSz;
|
|
if (idSz) {
|
|
XMEMCPY(output + idx, ssl->session.sessionID, ID_LEN);
|
|
idx += ID_LEN;
|
|
}
|
|
|
|
/* then DTLS cookie */
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
output[idx++] = 0;
|
|
}
|
|
#endif
|
|
/* then cipher suites */
|
|
c16toa(ssl->suites.suiteSz, output + idx);
|
|
idx += 2;
|
|
XMEMCPY(output + idx, &ssl->suites.suites, ssl->suites.suiteSz);
|
|
idx += ssl->suites.suiteSz;
|
|
|
|
/* last, compression */
|
|
output[idx++] = COMP_LEN;
|
|
if (ssl->options.usingCompression)
|
|
output[idx++] = ZLIB_COMPRESSION;
|
|
else
|
|
output[idx++] = NO_COMPRESSION;
|
|
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
|
|
ssl->options.clientState = CLIENT_HELLO_COMPLETE;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("ClientHello", &ssl->timeoutInfo, output, sendSz,
|
|
ssl->heap);
|
|
#endif
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
static int DoHelloVerifyRequest(SSL* ssl, const byte* input,
|
|
word32* inOutIdx)
|
|
{
|
|
ProtocolVersion pv;
|
|
byte cookieSz;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("HelloVerifyRequest",
|
|
&ssl->handShakeInfo);
|
|
if (ssl->toInfoOn) AddLateName("HelloVerifyRequest", &ssl->timeoutInfo);
|
|
#endif
|
|
XMEMCPY(&pv, input + *inOutIdx, sizeof(pv));
|
|
*inOutIdx += sizeof(pv);
|
|
|
|
cookieSz = input[(*inOutIdx)++];
|
|
|
|
if (cookieSz)
|
|
*inOutIdx += cookieSz; /* skip for now */
|
|
|
|
ssl->options.serverState = SERVER_HELLOVERIFYREQUEST_COMPLETE;
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int DoServerHello(SSL* ssl, const byte* input, word32* inOutIdx)
|
|
{
|
|
byte b;
|
|
byte compression;
|
|
ProtocolVersion pv;
|
|
word32 i = *inOutIdx;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("ServerHello", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
|
|
#endif
|
|
XMEMCPY(&pv, input + i, sizeof(pv));
|
|
i += sizeof(pv);
|
|
XMEMCPY(ssl->arrays.serverRandom, input + i, RAN_LEN);
|
|
i += RAN_LEN;
|
|
b = input[i++];
|
|
if (b) {
|
|
XMEMCPY(ssl->arrays.sessionID, input + i, b);
|
|
i += b;
|
|
}
|
|
ssl->options.cipherSuite0 = input[i++];
|
|
ssl->options.cipherSuite = input[i++];
|
|
compression = input[i++];
|
|
|
|
if (compression != ZLIB_COMPRESSION && ssl->options.usingCompression)
|
|
ssl->options.usingCompression = 0; /* turn off if server refused */
|
|
|
|
ssl->options.serverState = SERVER_HELLO_COMPLETE;
|
|
|
|
*inOutIdx = i;
|
|
|
|
if (ssl->options.resuming) {
|
|
if (XMEMCMP(ssl->arrays.sessionID, ssl->session.sessionID, ID_LEN)
|
|
== 0) {
|
|
if (SetCipherSpecs(ssl) == 0) {
|
|
XMEMCPY(ssl->arrays.masterSecret, ssl->session.masterSecret,
|
|
SECRET_LEN);
|
|
if (ssl->options.tls)
|
|
DeriveTlsKeys(ssl);
|
|
else
|
|
DeriveKeys(ssl);
|
|
ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
|
|
return 0;
|
|
}
|
|
else
|
|
return UNSUPPORTED_SUITE;
|
|
}
|
|
else
|
|
ssl->options.resuming = 0; /* server denied resumption try */
|
|
}
|
|
|
|
return SetCipherSpecs(ssl);
|
|
}
|
|
|
|
|
|
/* just read in and ignore for now TODO: */
|
|
static int DoCertificateRequest(SSL* ssl, const byte* input, word32*
|
|
inOutIdx)
|
|
{
|
|
word16 len;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("CertificateRequest", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddLateName("CertificateRequest", &ssl->timeoutInfo);
|
|
#endif
|
|
len = input[(*inOutIdx)++];
|
|
|
|
/* types, read in here */
|
|
*inOutIdx += len;
|
|
ato16(&input[*inOutIdx], &len);
|
|
*inOutIdx += LENGTH_SZ;
|
|
|
|
/* authorities */
|
|
while (len) {
|
|
word16 dnSz;
|
|
|
|
ato16(&input[*inOutIdx], &dnSz);
|
|
*inOutIdx += (REQUEST_HEADER + dnSz);
|
|
len -= dnSz + REQUEST_HEADER;
|
|
}
|
|
|
|
/* don't send client cert or cert verify if user hasn't provided
|
|
cert and private key */
|
|
if (ssl->buffers.certificate.buffer && ssl->buffers.key.buffer)
|
|
ssl->options.sendVerify = SEND_CERT;
|
|
else if (IsAtLeastTLSv1_2(ssl))
|
|
ssl->options.sendVerify = SEND_BLANK_CERT;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int DoServerKeyExchange(SSL* ssl, const byte* input, word32*
|
|
inOutIdx)
|
|
{
|
|
word16 sigLen;
|
|
word16 verifySz;
|
|
word16 length;
|
|
byte* signature;
|
|
|
|
sigLen = 0;
|
|
signature = 0;
|
|
|
|
/* keep start idx */
|
|
verifySz = *inOutIdx;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddLateName("ServerKeyExchange", &ssl->timeoutInfo);
|
|
#endif
|
|
|
|
#ifndef NO_PSK
|
|
if (ssl->specs.kea == psk_kea) {
|
|
ato16(&input[*inOutIdx], &length);
|
|
*inOutIdx += LENGTH_SZ;
|
|
XMEMCPY(ssl->arrays.server_hint, &input[*inOutIdx],
|
|
min(length, MAX_PSK_ID_LEN));
|
|
if (length < MAX_PSK_ID_LEN)
|
|
ssl->arrays.server_hint[length] = 0;
|
|
else
|
|
ssl->arrays.server_hint[MAX_PSK_ID_LEN - 1] = 0;
|
|
*inOutIdx += length;
|
|
|
|
return 0;
|
|
}
|
|
#endif
|
|
#ifdef OPENSSL_EXTRA
|
|
if (ssl->specs.kea == diffie_hellman_kea)
|
|
{
|
|
/* p */
|
|
ato16(&input[*inOutIdx], &length);
|
|
*inOutIdx += LENGTH_SZ;
|
|
|
|
ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap,
|
|
DYNAMIC_TYPE_DH);
|
|
if (ssl->buffers.serverDH_P.buffer)
|
|
ssl->buffers.serverDH_P.length = length;
|
|
else
|
|
return MEMORY_ERROR;
|
|
XMEMCPY(ssl->buffers.serverDH_P.buffer, &input[*inOutIdx], length);
|
|
*inOutIdx += length;
|
|
|
|
/* g */
|
|
ato16(&input[*inOutIdx], &length);
|
|
*inOutIdx += LENGTH_SZ;
|
|
|
|
ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap,
|
|
DYNAMIC_TYPE_DH);
|
|
if (ssl->buffers.serverDH_G.buffer)
|
|
ssl->buffers.serverDH_G.length = length;
|
|
else
|
|
return MEMORY_ERROR;
|
|
XMEMCPY(ssl->buffers.serverDH_G.buffer, &input[*inOutIdx], length);
|
|
*inOutIdx += length;
|
|
|
|
/* pub */
|
|
ato16(&input[*inOutIdx], &length);
|
|
*inOutIdx += LENGTH_SZ;
|
|
|
|
ssl->buffers.serverDH_Pub.buffer = (byte*) XMALLOC(length, ssl->heap,
|
|
DYNAMIC_TYPE_DH);
|
|
if (ssl->buffers.serverDH_Pub.buffer)
|
|
ssl->buffers.serverDH_Pub.length = length;
|
|
else
|
|
return MEMORY_ERROR;
|
|
XMEMCPY(ssl->buffers.serverDH_Pub.buffer, &input[*inOutIdx], length);
|
|
*inOutIdx += length;
|
|
} /* dh_kea */
|
|
#endif /* OPENSSL_EXTRA */
|
|
|
|
#ifdef HAVE_ECC
|
|
if (ssl->specs.kea == ecc_diffie_hellman_kea)
|
|
{
|
|
byte b = input[*inOutIdx];
|
|
*inOutIdx += 1;
|
|
|
|
if (b != named_curve)
|
|
return ECC_CURVETYPE_ERROR;
|
|
|
|
*inOutIdx += 1; /* curve type, eat leading 0 */
|
|
b = input[*inOutIdx];
|
|
*inOutIdx += 1;
|
|
|
|
if (b != secp256r1 && b != secp384r1 && b != secp521r1 && b !=
|
|
secp160r1 && b != secp192r1 && b != secp224r1)
|
|
return ECC_CURVE_ERROR;
|
|
|
|
length = input[*inOutIdx];
|
|
*inOutIdx += 1;
|
|
|
|
if (ecc_import_x963(&input[*inOutIdx], length, &ssl->peerEccKey) != 0)
|
|
return ECC_PEERKEY_ERROR;
|
|
|
|
*inOutIdx += length;
|
|
ssl->peerEccKeyPresent = 1;
|
|
}
|
|
#endif /* HAVE_ECC */
|
|
|
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_ECC)
|
|
{
|
|
Md5 md5;
|
|
Sha sha;
|
|
byte hash[FINISHED_SZ];
|
|
byte messageVerify[MAX_DH_SZ];
|
|
|
|
/* adjust from start idx */
|
|
verifySz = *inOutIdx - verifySz;
|
|
|
|
/* save message for hash verify */
|
|
if (verifySz > sizeof(messageVerify))
|
|
return BUFFER_ERROR;
|
|
XMEMCPY(messageVerify, &input[*inOutIdx - verifySz], verifySz);
|
|
|
|
/* signature */
|
|
ato16(&input[*inOutIdx], &length);
|
|
*inOutIdx += LENGTH_SZ;
|
|
|
|
signature = (byte*)&input[*inOutIdx];
|
|
*inOutIdx += length;
|
|
sigLen = length;
|
|
|
|
/* verify signature */
|
|
|
|
/* md5 */
|
|
InitMd5(&md5);
|
|
Md5Update(&md5, ssl->arrays.clientRandom, RAN_LEN);
|
|
Md5Update(&md5, ssl->arrays.serverRandom, RAN_LEN);
|
|
Md5Update(&md5, messageVerify, verifySz);
|
|
Md5Final(&md5, hash);
|
|
|
|
/* sha */
|
|
InitSha(&sha);
|
|
ShaUpdate(&sha, ssl->arrays.clientRandom, RAN_LEN);
|
|
ShaUpdate(&sha, ssl->arrays.serverRandom, RAN_LEN);
|
|
ShaUpdate(&sha, messageVerify, verifySz);
|
|
ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]);
|
|
|
|
/* rsa */
|
|
if (ssl->specs.sig_algo == rsa_sa_algo)
|
|
{
|
|
int ret;
|
|
byte* out;
|
|
|
|
if (!ssl->peerRsaKeyPresent)
|
|
return NO_PEER_KEY;
|
|
|
|
ret = RsaSSL_VerifyInline(signature, sigLen,&out, &ssl->peerRsaKey);
|
|
|
|
if (IsAtLeastTLSv1_2(ssl)) {
|
|
byte encodedSig[MAX_ENCODED_SIG_SZ];
|
|
word32 encSigSz;
|
|
byte* digest;
|
|
int hashType;
|
|
int digestSz;
|
|
|
|
/* sha1 for now */
|
|
digest = &hash[MD5_DIGEST_SIZE];
|
|
hashType = SHAh;
|
|
digestSz = SHA_DIGEST_SIZE;
|
|
|
|
encSigSz = EncodeSignature(encodedSig,digest,digestSz,hashType);
|
|
|
|
if (encSigSz != ret || XMEMCMP(out, encodedSig, encSigSz) != 0)
|
|
return VERIFY_SIGN_ERROR;
|
|
}
|
|
else {
|
|
if (ret != sizeof(hash) || XMEMCMP(out, hash, sizeof(hash)))
|
|
return VERIFY_SIGN_ERROR;
|
|
}
|
|
}
|
|
#ifdef HAVE_ECC
|
|
/* ecdsa */
|
|
else if (ssl->specs.sig_algo == ecc_dsa_sa_algo) {
|
|
int verify = 0, ret;
|
|
if (!ssl->peerEccDsaKeyPresent)
|
|
return NO_PEER_KEY;
|
|
|
|
ret = ecc_verify_hash(signature, sigLen, &hash[MD5_DIGEST_SIZE],
|
|
SHA_DIGEST_SIZE, &verify, &ssl->peerEccDsaKey);
|
|
if (ret != 0 || verify == 0)
|
|
return VERIFY_SIGN_ERROR;
|
|
}
|
|
#endif /* HAVE_ECC */
|
|
else
|
|
return -1;
|
|
|
|
ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
|
|
|
|
return 0;
|
|
|
|
}
|
|
#endif /* HAVE_OPENSSL or HAVE_ECC */
|
|
return -1; /* not supported by build */
|
|
}
|
|
|
|
|
|
int SendClientKeyExchange(SSL* ssl)
|
|
{
|
|
byte encSecret[MAX_NTRU_ENCRYPT_SZ];
|
|
word32 encSz = 0;
|
|
word32 idx = 0;
|
|
int ret = 0;
|
|
|
|
if (ssl->specs.kea == rsa_kea) {
|
|
RNG_GenerateBlock(&ssl->rng, ssl->arrays.preMasterSecret,
|
|
SECRET_LEN);
|
|
ssl->arrays.preMasterSecret[0] = ssl->chVersion.major;
|
|
ssl->arrays.preMasterSecret[1] = ssl->chVersion.minor;
|
|
ssl->arrays.preMasterSz = SECRET_LEN;
|
|
|
|
if (ssl->peerRsaKeyPresent == 0)
|
|
return NO_PEER_KEY;
|
|
|
|
ret = RsaPublicEncrypt(ssl->arrays.preMasterSecret, SECRET_LEN,
|
|
encSecret, sizeof(encSecret), &ssl->peerRsaKey,
|
|
&ssl->rng);
|
|
if (ret > 0) {
|
|
encSz = ret;
|
|
ret = 0; /* set success to 0 */
|
|
}
|
|
#ifdef OPENSSL_EXTRA
|
|
} else if (ssl->specs.kea == diffie_hellman_kea) {
|
|
buffer serverP = ssl->buffers.serverDH_P;
|
|
buffer serverG = ssl->buffers.serverDH_G;
|
|
buffer serverPub = ssl->buffers.serverDH_Pub;
|
|
byte priv[ENCRYPT_LEN];
|
|
word32 privSz;
|
|
DhKey key;
|
|
|
|
if (serverP.buffer == 0 || serverG.buffer == 0 ||
|
|
serverPub.buffer == 0)
|
|
return NO_PEER_KEY;
|
|
|
|
InitDhKey(&key);
|
|
ret = DhSetKey(&key, serverP.buffer, serverP.length,
|
|
serverG.buffer, serverG.length);
|
|
if (ret == 0)
|
|
/* for DH, encSecret is Yc, agree is pre-master */
|
|
ret = DhGenerateKeyPair(&key, &ssl->rng, priv, &privSz,
|
|
encSecret, &encSz);
|
|
if (ret == 0)
|
|
ret = DhAgree(&key, ssl->arrays.preMasterSecret,
|
|
&ssl->arrays.preMasterSz, priv, privSz,
|
|
serverPub.buffer, serverPub.length);
|
|
FreeDhKey(&key);
|
|
#endif /* OPENSSL_EXTRA */
|
|
#ifndef NO_PSK
|
|
} else if (ssl->specs.kea == psk_kea) {
|
|
byte* pms = ssl->arrays.preMasterSecret;
|
|
|
|
ssl->arrays.psk_keySz = ssl->options.client_psk_cb(ssl,
|
|
ssl->arrays.server_hint, ssl->arrays.client_identity,
|
|
MAX_PSK_ID_LEN, ssl->arrays.psk_key, MAX_PSK_KEY_LEN);
|
|
if (ssl->arrays.psk_keySz == 0 ||
|
|
ssl->arrays.psk_keySz > MAX_PSK_KEY_LEN)
|
|
return PSK_KEY_ERROR;
|
|
encSz = (word32)XSTRLEN(ssl->arrays.client_identity);
|
|
if (encSz > MAX_PSK_ID_LEN) return CLIENT_ID_ERROR;
|
|
XMEMCPY(encSecret, ssl->arrays.client_identity, encSz);
|
|
|
|
/* make psk pre master secret */
|
|
/* length of key + length 0s + length of key + key */
|
|
c16toa((word16)ssl->arrays.psk_keySz, pms);
|
|
pms += 2;
|
|
XMEMSET(pms, 0, ssl->arrays.psk_keySz);
|
|
pms += ssl->arrays.psk_keySz;
|
|
c16toa((word16)ssl->arrays.psk_keySz, pms);
|
|
pms += 2;
|
|
XMEMCPY(pms, ssl->arrays.psk_key, ssl->arrays.psk_keySz);
|
|
ssl->arrays.preMasterSz = ssl->arrays.psk_keySz * 2 + 4;
|
|
#endif /* NO_PSK */
|
|
#ifdef HAVE_NTRU
|
|
} else if (ssl->specs.kea == ntru_kea) {
|
|
word32 rc;
|
|
word16 cipherLen = sizeof(encSecret);
|
|
DRBG_HANDLE drbg;
|
|
static uint8_t const cyasslStr[] = {
|
|
'C', 'y', 'a', 'S', 'S', 'L', ' ', 'N', 'T', 'R', 'U'
|
|
};
|
|
|
|
RNG_GenerateBlock(&ssl->rng, ssl->arrays.preMasterSecret,
|
|
SECRET_LEN);
|
|
ssl->arrays.preMasterSz = SECRET_LEN;
|
|
|
|
if (ssl->peerNtruKeyPresent == 0)
|
|
return NO_PEER_KEY;
|
|
|
|
rc = crypto_drbg_instantiate(MAX_NTRU_BITS, cyasslStr,
|
|
sizeof(cyasslStr), GetEntropy, &drbg);
|
|
if (rc != DRBG_OK)
|
|
return NTRU_DRBG_ERROR;
|
|
|
|
rc = crypto_ntru_encrypt(drbg, ssl->peerNtruKeyLen,ssl->peerNtruKey,
|
|
ssl->arrays.preMasterSz,
|
|
ssl->arrays.preMasterSecret,
|
|
&cipherLen, encSecret);
|
|
crypto_drbg_uninstantiate(drbg);
|
|
if (rc != NTRU_OK)
|
|
return NTRU_ENCRYPT_ERROR;
|
|
|
|
encSz = cipherLen;
|
|
ret = 0;
|
|
#endif /* HAVE_NTRU */
|
|
#ifdef HAVE_ECC
|
|
} else if (ssl->specs.kea == ecc_diffie_hellman_kea) {
|
|
ecc_key myKey;
|
|
word32 size = sizeof(encSecret);
|
|
|
|
if (!ssl->peerEccKeyPresent || !ssl->peerEccKey.dp)
|
|
return NO_PEER_KEY;
|
|
|
|
ecc_init(&myKey);
|
|
ret = ecc_make_key(&ssl->rng, ssl->peerEccKey.dp->size, &myKey);
|
|
if (ret != 0)
|
|
return ECC_MAKEKEY_ERROR;
|
|
|
|
/* precede export with 1 byte length */
|
|
ret = ecc_export_x963(&myKey, encSecret + 1, &size);
|
|
encSecret[0] = size;
|
|
encSz = size + 1;
|
|
|
|
if (ret != 0)
|
|
ret = ECC_EXPORT_ERROR;
|
|
else {
|
|
size = sizeof(ssl->arrays.preMasterSecret);
|
|
ret = ecc_shared_secret(&myKey, &ssl->peerEccKey,
|
|
ssl->arrays.preMasterSecret, &size);
|
|
if (ret != 0)
|
|
ret = ECC_SHARED_ERROR;
|
|
}
|
|
|
|
ssl->arrays.preMasterSz = size;
|
|
ecc_free(&myKey);
|
|
#endif /* HAVE_ECC */
|
|
} else
|
|
return -1; /* unsupported kea */
|
|
|
|
if (ret == 0) {
|
|
byte *output;
|
|
int sendSz;
|
|
word32 tlsSz = 0;
|
|
|
|
if (ssl->options.tls || ssl->specs.kea == diffie_hellman_kea)
|
|
tlsSz = 2;
|
|
|
|
if (ssl->specs.kea == ecc_diffie_hellman_kea) /* always off */
|
|
tlsSz = 0;
|
|
|
|
sendSz = encSz + tlsSz + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
|
|
idx = HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
sendSz += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
|
|
idx += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
|
|
}
|
|
#endif
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHeaders(output, encSz + tlsSz, client_key_exchange, ssl);
|
|
|
|
if (tlsSz) {
|
|
c16toa((word16)encSz, &output[idx]);
|
|
idx += 2;
|
|
}
|
|
XMEMCPY(output + idx, encSecret, encSz);
|
|
idx += encSz;
|
|
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ClientKeyExchange", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("ClientKeyExchange", &ssl->timeoutInfo,
|
|
output, sendSz, ssl->heap);
|
|
#endif
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
|
|
ret = SendBuffered(ssl);
|
|
}
|
|
|
|
if (ret == 0 || ret == WANT_WRITE) {
|
|
int tmpRet = MakeMasterSecret(ssl);
|
|
if (tmpRet != 0)
|
|
ret = tmpRet; /* save WANT_WRITE unless more serious */
|
|
ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int SendCertificateVerify(SSL* ssl)
|
|
{
|
|
byte *output;
|
|
int sendSz = 0, length, ret;
|
|
word32 idx = 0;
|
|
RsaKey key;
|
|
|
|
if (ssl->options.sendVerify == SEND_BLANK_CERT)
|
|
return 0; /* sent blank cert, can't verify */
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, MAX_CERT_VERIFY_SZ)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
BuildCertHashes(ssl, &ssl->certHashes);
|
|
|
|
/* TODO: when add DSS support check here */
|
|
InitRsaKey(&key, ssl->heap);
|
|
ret = RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key,
|
|
ssl->buffers.key.length);
|
|
if (ret == 0) {
|
|
byte* verify = (byte*)&output[RECORD_HEADER_SZ +
|
|
HANDSHAKE_HEADER_SZ];
|
|
byte* signBuffer = ssl->certHashes.md5;
|
|
word32 signSz = sizeof(Hashes);
|
|
byte encodedSig[MAX_ENCODED_SIG_SZ];
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls)
|
|
verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
#endif
|
|
length = RsaEncryptSize(&key);
|
|
c16toa((word16)length, verify); /* prepend verify header */
|
|
|
|
if (IsAtLeastTLSv1_2(ssl)) {
|
|
byte* digest;
|
|
int hashType;
|
|
int digestSz;
|
|
|
|
/* sha1 for now */
|
|
digest = ssl->certHashes.sha;
|
|
hashType = SHAh;
|
|
digestSz = SHA_DIGEST_SIZE;
|
|
|
|
signSz = EncodeSignature(encodedSig, digest, digestSz,hashType);
|
|
signBuffer = encodedSig;
|
|
}
|
|
|
|
ret = RsaSSL_Sign(signBuffer, signSz, verify +
|
|
VERIFY_HEADER, ENCRYPT_LEN, &key, &ssl->rng);
|
|
|
|
if (ret > 0) {
|
|
ret = 0; /* reset */
|
|
|
|
AddHeaders(output, length + VERIFY_HEADER, certificate_verify,
|
|
ssl);
|
|
|
|
sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + length +
|
|
VERIFY_HEADER;
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls)
|
|
sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
#endif
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
}
|
|
}
|
|
|
|
FreeRsaKey(&key);
|
|
|
|
if (ret == 0) {
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("CertificateVerify", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("CertificateVerify", &ssl->timeoutInfo,
|
|
output, sendSz, ssl->heap);
|
|
#endif
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
return SendBuffered(ssl);
|
|
}
|
|
else
|
|
return ret;
|
|
}
|
|
|
|
|
|
|
|
#endif /* NO_CYASSL_CLIENT */
|
|
|
|
|
|
#ifndef NO_CYASSL_SERVER
|
|
|
|
int SendServerHello(SSL* ssl)
|
|
{
|
|
byte *output;
|
|
word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
int sendSz;
|
|
int ret;
|
|
|
|
length = sizeof(ProtocolVersion) + RAN_LEN
|
|
+ ID_LEN + ENUM_LEN
|
|
+ SUITE_LEN
|
|
+ ENUM_LEN;
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, MAX_HELLO_SZ)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
|
|
AddHeaders(output, length, server_hello, ssl);
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
}
|
|
#endif
|
|
/* now write to output */
|
|
/* first version */
|
|
XMEMCPY(output + idx, &ssl->version, sizeof(ProtocolVersion));
|
|
idx += sizeof(ProtocolVersion);
|
|
|
|
/* then random */
|
|
if (!ssl->options.resuming)
|
|
RNG_GenerateBlock(&ssl->rng, ssl->arrays.serverRandom, RAN_LEN);
|
|
XMEMCPY(output + idx, ssl->arrays.serverRandom, RAN_LEN);
|
|
idx += RAN_LEN;
|
|
|
|
#ifdef SHOW_SECRETS
|
|
{
|
|
int j;
|
|
printf("server random: ");
|
|
for (j = 0; j < RAN_LEN; j++)
|
|
printf("%02x", ssl->arrays.serverRandom[j]);
|
|
printf("\n");
|
|
}
|
|
#endif
|
|
/* then session id */
|
|
output[idx++] = ID_LEN;
|
|
if (!ssl->options.resuming)
|
|
RNG_GenerateBlock(&ssl->rng, ssl->arrays.sessionID, ID_LEN);
|
|
XMEMCPY(output + idx, ssl->arrays.sessionID, ID_LEN);
|
|
idx += ID_LEN;
|
|
|
|
/* then cipher suite */
|
|
output[idx++] = ssl->options.cipherSuite0;
|
|
output[idx++] = ssl->options.cipherSuite;
|
|
|
|
/* last, compression */
|
|
if (ssl->options.usingCompression)
|
|
output[idx++] = ZLIB_COMPRESSION;
|
|
else
|
|
output[idx++] = NO_COMPRESSION;
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ServerHello", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("ServerHello", &ssl->timeoutInfo, output, sendSz,
|
|
ssl->heap);
|
|
#endif
|
|
|
|
ssl->options.serverState = SERVER_HELLO_COMPLETE;
|
|
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
#ifdef HAVE_ECC
|
|
|
|
byte SetCurveId(int size)
|
|
{
|
|
switch(size) {
|
|
case 20:
|
|
return secp160r1;
|
|
break;
|
|
case 24:
|
|
return secp192r1;
|
|
break;
|
|
case 28:
|
|
return secp224r1;
|
|
break;
|
|
case 32:
|
|
return secp256r1;
|
|
break;
|
|
case 48:
|
|
return secp384r1;
|
|
break;
|
|
case 66:
|
|
return secp521r1;
|
|
break;
|
|
default:
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
#endif /* HAVE_ECC */
|
|
|
|
|
|
int SendServerKeyExchange(SSL* ssl)
|
|
{
|
|
int ret = 0;
|
|
|
|
#ifndef NO_PSK
|
|
if (ssl->specs.kea == psk_kea)
|
|
{
|
|
byte *output;
|
|
word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
int sendSz;
|
|
if (ssl->arrays.server_hint[0] == 0) return 0; /* don't send */
|
|
|
|
/* include size part */
|
|
length = (word32)XSTRLEN(ssl->arrays.server_hint);
|
|
if (length > MAX_PSK_ID_LEN) return SERVER_HINT_ERROR;
|
|
length += HINT_LEN_SZ;
|
|
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
}
|
|
#endif
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHeaders(output, length, server_key_exchange, ssl);
|
|
|
|
/* key data */
|
|
c16toa((word16)(length - HINT_LEN_SZ), output + idx);
|
|
idx += HINT_LEN_SZ;
|
|
XMEMCPY(output + idx, ssl->arrays.server_hint, length -HINT_LEN_SZ);
|
|
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo,
|
|
output, sendSz, ssl->heap);
|
|
#endif
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
ret = SendBuffered(ssl);
|
|
ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
|
|
}
|
|
#endif /*NO_PSK */
|
|
|
|
#ifdef HAVE_ECC
|
|
if (ssl->specs.kea == ecc_diffie_hellman_kea)
|
|
{
|
|
byte *output;
|
|
word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
int sendSz;
|
|
byte export[MAX_EXPORT_ECC_SZ];
|
|
word32 expSz = sizeof(export);
|
|
word32 sigSz;
|
|
word32 preSigSz, preSigIdx;
|
|
RsaKey rsaKey;
|
|
ecc_key dsaKey;
|
|
|
|
/* curve type, named curve, length(1) */
|
|
length = ENUM_LEN + CURVE_LEN + ENUM_LEN;
|
|
/* pub key size */
|
|
if (ecc_export_x963(&ssl->eccTempKey, export, &expSz) != 0)
|
|
return ECC_EXPORT_ERROR;
|
|
length += expSz;
|
|
|
|
preSigSz = length;
|
|
preSigIdx = idx;
|
|
|
|
InitRsaKey(&rsaKey, ssl->heap);
|
|
ecc_init(&dsaKey);
|
|
|
|
/* sig length */
|
|
length += LENGTH_SZ;
|
|
|
|
if (!ssl->buffers.key.buffer) {
|
|
FreeRsaKey(&rsaKey);
|
|
ecc_free(&dsaKey);
|
|
return NO_PRIVATE_KEY;
|
|
}
|
|
|
|
if (ssl->specs.sig_algo == rsa_sa_algo) {
|
|
/* rsa sig size */
|
|
word32 i = 0;
|
|
ret = RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i,
|
|
&rsaKey, ssl->buffers.key.length);
|
|
if (ret != 0) return ret;
|
|
sigSz = RsaEncryptSize(&rsaKey);
|
|
}
|
|
else if (ssl->specs.sig_algo == ecc_dsa_sa_algo) {
|
|
/* ecdsa sig size */
|
|
word32 i = 0;
|
|
ret = EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
|
|
&dsaKey, ssl->buffers.key.length);
|
|
if (ret != 0) return ret;
|
|
sigSz = ecc_sig_size(&dsaKey);
|
|
}
|
|
else {
|
|
FreeRsaKey(&rsaKey);
|
|
ecc_free(&dsaKey);
|
|
return -1; /* unsupported type */
|
|
}
|
|
length += sigSz;
|
|
|
|
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls) {
|
|
sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
}
|
|
#endif
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0) {
|
|
FreeRsaKey(&rsaKey);
|
|
ecc_free(&dsaKey);
|
|
return ret;
|
|
}
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHeaders(output, length, server_key_exchange, ssl);
|
|
|
|
/* key exchange data */
|
|
output[idx++] = named_curve;
|
|
output[idx++] = 0x00; /* leading zero */
|
|
output[idx++] = SetCurveId(ecc_size(&ssl->eccTempKey));
|
|
output[idx++] = expSz;
|
|
XMEMCPY(output + idx, export, expSz);
|
|
idx += expSz;
|
|
c16toa(sigSz, output + idx);
|
|
idx += LENGTH_SZ;
|
|
|
|
/* do signature */
|
|
{
|
|
Md5 md5;
|
|
Sha sha;
|
|
byte hash[FINISHED_SZ];
|
|
byte* signBuffer = hash;
|
|
word32 signSz = sizeof(hash);
|
|
|
|
/* md5 */
|
|
InitMd5(&md5);
|
|
Md5Update(&md5, ssl->arrays.clientRandom, RAN_LEN);
|
|
Md5Update(&md5, ssl->arrays.serverRandom, RAN_LEN);
|
|
Md5Update(&md5, output + preSigIdx, preSigSz);
|
|
Md5Final(&md5, hash);
|
|
|
|
/* sha */
|
|
InitSha(&sha);
|
|
ShaUpdate(&sha, ssl->arrays.clientRandom, RAN_LEN);
|
|
ShaUpdate(&sha, ssl->arrays.serverRandom, RAN_LEN);
|
|
ShaUpdate(&sha, output + preSigIdx, preSigSz);
|
|
ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]);
|
|
|
|
if (ssl->specs.sig_algo == rsa_sa_algo) {
|
|
byte encodedSig[MAX_ENCODED_SIG_SZ];
|
|
if (IsAtLeastTLSv1_2(ssl)) {
|
|
byte* digest;
|
|
int hashType;
|
|
int digestSz;
|
|
|
|
/* sha1 for now */
|
|
digest = &hash[MD5_DIGEST_SIZE];
|
|
hashType = SHAh;
|
|
digestSz = SHA_DIGEST_SIZE;
|
|
|
|
signSz = EncodeSignature(encodedSig, digest, digestSz,
|
|
hashType);
|
|
signBuffer = encodedSig;
|
|
}
|
|
ret = RsaSSL_Sign(signBuffer, signSz, output + idx, sigSz,
|
|
&rsaKey, &ssl->rng);
|
|
FreeRsaKey(&rsaKey);
|
|
if (ret > 0)
|
|
ret = 0; /* reset on success */
|
|
else
|
|
return ret;
|
|
}
|
|
else if (ssl->specs.sig_algo == ecc_dsa_sa_algo) {
|
|
word32 sz = sigSz;
|
|
|
|
FreeRsaKey(&rsaKey);
|
|
ret = ecc_sign_hash(&hash[MD5_DIGEST_SIZE], SHA_DIGEST_SIZE,
|
|
output + idx, &sz, &ssl->rng, &dsaKey);
|
|
}
|
|
}
|
|
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo,
|
|
output, sendSz, ssl->heap);
|
|
#endif
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
ret = SendBuffered(ssl);
|
|
ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
|
|
}
|
|
#endif /* HAVE_ECC */
|
|
|
|
return ret;
|
|
}
|
|
|
|
|
|
static int MatchSuite(SSL* ssl, Suites* peerSuites)
|
|
{
|
|
word16 i, j;
|
|
|
|
/* & 0x1 equivalent % 2 */
|
|
if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1)
|
|
return MATCH_SUITE_ERROR;
|
|
|
|
/* start with best, if a match we are good */
|
|
for (i = 0; i < ssl->suites.suiteSz; i += 2)
|
|
for (j = 0; j < peerSuites->suiteSz; j += 2)
|
|
if (ssl->suites.suites[i] == peerSuites->suites[j] &&
|
|
ssl->suites.suites[i+1] == peerSuites->suites[j+1] ) {
|
|
|
|
ssl->options.cipherSuite0 = ssl->suites.suites[i];
|
|
ssl->options.cipherSuite = ssl->suites.suites[i+1];
|
|
return SetCipherSpecs(ssl);
|
|
}
|
|
|
|
return MATCH_SUITE_ERROR;
|
|
}
|
|
|
|
|
|
/* process alert, return level */
|
|
int ProcessOldClientHello(SSL* ssl, const byte* input, word32* inOutIdx,
|
|
word32 inSz, word16 sz)
|
|
{
|
|
word32 idx = *inOutIdx;
|
|
word16 sessionSz;
|
|
word16 randomSz;
|
|
word16 i, j;
|
|
ProtocolVersion pv;
|
|
Suites clSuites;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ClientHello", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddLateName("ClientHello", &ssl->timeoutInfo);
|
|
#endif
|
|
|
|
/* manually hash input since different format */
|
|
Md5Update(&ssl->hashMd5, input + idx, sz);
|
|
ShaUpdate(&ssl->hashSha, input + idx, sz);
|
|
|
|
/* does this value mean client_hello? */
|
|
idx++;
|
|
|
|
/* version */
|
|
pv.major = input[idx++];
|
|
pv.minor = input[idx++];
|
|
ssl->chVersion = pv; /* store */
|
|
|
|
if (ssl->version.minor > 0 && pv.minor == 0) {
|
|
if (!ssl->options.downgrade)
|
|
return VERSION_ERROR;
|
|
/* turn off tls */
|
|
ssl->options.tls = 0;
|
|
ssl->options.tls1_1 = 0;
|
|
ssl->version.minor = 0;
|
|
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, FALSE,
|
|
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
|
ssl->ctx->method->side);
|
|
}
|
|
|
|
/* suite size */
|
|
ato16(&input[idx], &clSuites.suiteSz);
|
|
idx += 2;
|
|
|
|
if (clSuites.suiteSz > MAX_SUITE_SZ)
|
|
return BUFFER_ERROR;
|
|
|
|
/* session size */
|
|
ato16(&input[idx], &sessionSz);
|
|
idx += 2;
|
|
|
|
if (sessionSz > ID_LEN)
|
|
return BUFFER_ERROR;
|
|
|
|
/* random size */
|
|
ato16(&input[idx], &randomSz);
|
|
idx += 2;
|
|
|
|
if (randomSz > RAN_LEN)
|
|
return BUFFER_ERROR;
|
|
|
|
/* suites */
|
|
for (i = 0, j = 0; i < clSuites.suiteSz; i += 3) {
|
|
byte first = input[idx++];
|
|
if (!first) { /* implicit: skip sslv2 type */
|
|
XMEMCPY(&clSuites.suites[j], &input[idx], 2);
|
|
j += 2;
|
|
}
|
|
idx += 2;
|
|
}
|
|
clSuites.suiteSz = j;
|
|
|
|
/* session id */
|
|
if (sessionSz) {
|
|
XMEMCPY(ssl->arrays.sessionID, input + idx, sessionSz);
|
|
idx += sessionSz;
|
|
ssl->options.resuming = 1;
|
|
}
|
|
|
|
/* random */
|
|
if (randomSz < RAN_LEN)
|
|
XMEMSET(ssl->arrays.clientRandom, 0, RAN_LEN - randomSz);
|
|
XMEMCPY(&ssl->arrays.clientRandom[RAN_LEN - randomSz], input + idx,
|
|
randomSz);
|
|
idx += randomSz;
|
|
|
|
if (ssl->options.usingCompression)
|
|
ssl->options.usingCompression = 0; /* turn off */
|
|
|
|
ssl->options.clientState = CLIENT_HELLO_COMPLETE;
|
|
*inOutIdx = idx;
|
|
|
|
/* DoClientHello uses same resume code */
|
|
while (ssl->options.resuming) { /* let's try */
|
|
SSL_SESSION* session = GetSession(ssl, ssl->arrays.masterSecret);
|
|
if (!session) {
|
|
ssl->options.resuming = 0;
|
|
break; /* session lookup failed */
|
|
}
|
|
if (MatchSuite(ssl, &clSuites) < 0)
|
|
return UNSUPPORTED_SUITE;
|
|
|
|
RNG_GenerateBlock(&ssl->rng, ssl->arrays.serverRandom, RAN_LEN);
|
|
if (ssl->options.tls)
|
|
DeriveTlsKeys(ssl);
|
|
else
|
|
DeriveKeys(ssl);
|
|
ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
return MatchSuite(ssl, &clSuites);
|
|
}
|
|
|
|
|
|
static int DoClientHello(SSL* ssl, const byte* input, word32* inOutIdx,
|
|
word32 totalSz, word32 helloSz)
|
|
{
|
|
byte b;
|
|
ProtocolVersion pv;
|
|
Suites clSuites;
|
|
word32 i = *inOutIdx;
|
|
word32 begin = i;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
|
|
#endif
|
|
/* make sure can read up to session */
|
|
if (i + sizeof(pv) + RAN_LEN + ENUM_LEN > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
|
|
XMEMCPY(&pv, input + i, sizeof(pv));
|
|
ssl->chVersion = pv; /* store */
|
|
i += sizeof(pv);
|
|
if (ssl->version.minor > 0 && pv.minor == 0) {
|
|
if (!ssl->options.downgrade)
|
|
return VERSION_ERROR;
|
|
/* turn off tls */
|
|
ssl->options.tls = 0;
|
|
ssl->options.tls1_1 = 0;
|
|
ssl->version.minor = 0;
|
|
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, FALSE,
|
|
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
|
ssl->ctx->method->side);
|
|
}
|
|
/* random */
|
|
XMEMCPY(ssl->arrays.clientRandom, input + i, RAN_LEN);
|
|
i += RAN_LEN;
|
|
|
|
#ifdef SHOW_SECRETS
|
|
{
|
|
int j;
|
|
printf("client random: ");
|
|
for (j = 0; j < RAN_LEN; j++)
|
|
printf("%02x", ssl->arrays.clientRandom[j]);
|
|
printf("\n");
|
|
}
|
|
#endif
|
|
/* session id */
|
|
b = input[i++];
|
|
if (b) {
|
|
if (i + ID_LEN > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
XMEMCPY(ssl->arrays.sessionID, input + i, ID_LEN);
|
|
i += b;
|
|
ssl->options.resuming= 1; /* client wants to resume */
|
|
}
|
|
|
|
#ifdef CYASSL_DTLS
|
|
/* cookie */
|
|
if (ssl->options.dtls) {
|
|
b = input[i++];
|
|
if (b) {
|
|
if (b > MAX_COOKIE_LEN)
|
|
return BUFFER_ERROR;
|
|
if (i + b > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
XMEMCPY(ssl->arrays.cookie, input + i, b);
|
|
i += b;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
if (i + LENGTH_SZ > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
/* suites */
|
|
ato16(&input[i], &clSuites.suiteSz);
|
|
i += 2;
|
|
|
|
/* suites and comp len */
|
|
if (i + clSuites.suiteSz + ENUM_LEN > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
if (clSuites.suiteSz > MAX_SUITE_SZ)
|
|
return BUFFER_ERROR;
|
|
XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
|
|
i += clSuites.suiteSz;
|
|
|
|
b = input[i++]; /* comp len */
|
|
if (i + b > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
|
|
if (ssl->options.usingCompression) {
|
|
int match = 0;
|
|
while (b--) {
|
|
byte comp = input[i++];
|
|
if (comp == ZLIB_COMPRESSION)
|
|
match = 1;
|
|
}
|
|
if (!match)
|
|
ssl->options.usingCompression = 0; /* turn off */
|
|
}
|
|
else
|
|
i += b; /* ignore, since we're not on */
|
|
|
|
ssl->options.clientState = CLIENT_HELLO_COMPLETE;
|
|
|
|
*inOutIdx = i;
|
|
if ( (i - begin) < helloSz)
|
|
*inOutIdx = begin + helloSz; /* skip extensions */
|
|
|
|
/* ProcessOld uses same resume code */
|
|
while (ssl->options.resuming) { /* let's try */
|
|
SSL_SESSION* session = GetSession(ssl, ssl->arrays.masterSecret);
|
|
if (!session) {
|
|
ssl->options.resuming = 0;
|
|
break; /* session lookup failed */
|
|
}
|
|
if (MatchSuite(ssl, &clSuites) < 0)
|
|
return UNSUPPORTED_SUITE;
|
|
|
|
RNG_GenerateBlock(&ssl->rng, ssl->arrays.serverRandom, RAN_LEN);
|
|
if (ssl->options.tls)
|
|
DeriveTlsKeys(ssl);
|
|
else
|
|
DeriveKeys(ssl);
|
|
ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
|
|
|
|
return 0;
|
|
}
|
|
return MatchSuite(ssl, &clSuites);
|
|
}
|
|
|
|
|
|
static int DoCertificateVerify(SSL* ssl, byte* input, word32* inOutsz,
|
|
word32 totalSz)
|
|
{
|
|
word16 sz = 0;
|
|
word32 i = *inOutsz;
|
|
int ret = VERIFY_CERT_ERROR; /* start in error state */
|
|
byte* sig;
|
|
byte* out;
|
|
int outLen;
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("CertificateVerify", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddLateName("CertificateVerify", &ssl->timeoutInfo);
|
|
#endif
|
|
if ( (i + VERIFY_HEADER) > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
|
|
ato16(&input[i], &sz);
|
|
i += VERIFY_HEADER;
|
|
|
|
if ( (i + sz) > totalSz)
|
|
return INCOMPLETE_DATA;
|
|
|
|
if (sz > ENCRYPT_LEN)
|
|
return BUFFER_ERROR;
|
|
|
|
sig = &input[i];
|
|
*inOutsz = i + sz;
|
|
/* TODO: when add DSS support check here */
|
|
if (ssl->peerRsaKeyPresent != 0) {
|
|
outLen = RsaSSL_VerifyInline(sig, sz, &out, &ssl->peerRsaKey);
|
|
|
|
if (IsAtLeastTLSv1_2(ssl)) {
|
|
byte encodedSig[MAX_ENCODED_SIG_SZ];
|
|
word32 sigSz;
|
|
byte* digest;
|
|
int hashType;
|
|
int digestSz;
|
|
|
|
/* sha1 for now */
|
|
digest = ssl->certHashes.sha;
|
|
hashType = SHAh;
|
|
digestSz = SHA_DIGEST_SIZE;
|
|
|
|
sigSz = EncodeSignature(encodedSig, digest, digestSz, hashType);
|
|
|
|
if (outLen == sigSz && XMEMCMP(out, encodedSig, sigSz) == 0)
|
|
ret = 0;
|
|
}
|
|
else {
|
|
if (outLen == sizeof(ssl->certHashes) && XMEMCMP(out,
|
|
ssl->certHashes.md5, sizeof(ssl->certHashes)) == 0)
|
|
ret = 0;
|
|
}
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
|
|
int SendServerHelloDone(SSL* ssl)
|
|
{
|
|
byte *output;
|
|
int sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
|
int ret;
|
|
|
|
#ifdef CYASSL_DTLS
|
|
if (ssl->options.dtls)
|
|
sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
|
|
#endif
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHeaders(output, 0, server_hello_done, ssl);
|
|
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ServerHelloDone", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("ServerHelloDone", &ssl->timeoutInfo, output, sendSz,
|
|
ssl->heap);
|
|
#endif
|
|
ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
int SendHelloVerifyRequest(SSL* ssl)
|
|
{
|
|
byte* output;
|
|
int length = VERSION_SZ + ENUM_LEN;
|
|
int idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
|
|
int sendSz = length + idx;
|
|
int ret;
|
|
|
|
/* check for avalaible size */
|
|
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0)
|
|
return ret;
|
|
|
|
/* get ouput buffer */
|
|
output = ssl->buffers.outputBuffer.buffer +
|
|
ssl->buffers.outputBuffer.idx;
|
|
|
|
AddHeaders(output, length, hello_verify_request, ssl);
|
|
|
|
XMEMCPY(output + idx, &ssl->chVersion, VERSION_SZ);
|
|
idx += VERSION_SZ;
|
|
output[idx++] = 0; /* no cookie for now */
|
|
|
|
HashOutput(ssl, output, sendSz, 0);
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("HelloVerifyRequest", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddPacketInfo("HelloVerifyRequest", &ssl->timeoutInfo, output,
|
|
sendSz, ssl->heap);
|
|
#endif
|
|
ssl->options.serverState = SERVER_HELLOVERIFYREQUEST_COMPLETE;
|
|
|
|
ssl->buffers.outputBuffer.length += sendSz;
|
|
|
|
return SendBuffered(ssl);
|
|
}
|
|
|
|
|
|
static int DoClientKeyExchange(SSL* ssl, byte* input,
|
|
word32* inOutIdx)
|
|
{
|
|
int ret = 0;
|
|
word32 length = 0;
|
|
byte* out;
|
|
|
|
if (ssl->options.verifyPeer && ssl->options.failNoCert)
|
|
if (!ssl->options.havePeerCert) {
|
|
CYASSL_MSG("client didn't present peer cert");
|
|
return NO_PEER_CERT;
|
|
}
|
|
|
|
#ifdef CYASSL_CALLBACKS
|
|
if (ssl->hsInfoOn)
|
|
AddPacketName("ClientKeyExchange", &ssl->handShakeInfo);
|
|
if (ssl->toInfoOn)
|
|
AddLateName("ClientKeyExchange", &ssl->timeoutInfo);
|
|
#endif
|
|
if (ssl->specs.kea == rsa_kea) {
|
|
word32 idx = 0;
|
|
RsaKey key;
|
|
byte* tmp = 0;
|
|
|
|
InitRsaKey(&key, ssl->heap);
|
|
|
|
if (ssl->buffers.key.buffer)
|
|
ret = RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key,
|
|
ssl->buffers.key.length);
|
|
else
|
|
return NO_PRIVATE_KEY;
|
|
|
|
if (ret == 0) {
|
|
length = RsaEncryptSize(&key);
|
|
ssl->arrays.preMasterSz = SECRET_LEN;
|
|
|
|
if (ssl->options.tls)
|
|
(*inOutIdx) += 2;
|
|
tmp = input + *inOutIdx;
|
|
*inOutIdx += length;
|
|
|
|
if (RsaPrivateDecryptInline(tmp, length, &out, &key) ==
|
|
SECRET_LEN) {
|
|
XMEMCPY(ssl->arrays.preMasterSecret, out, SECRET_LEN);
|
|
if (ssl->arrays.preMasterSecret[0] != ssl->chVersion.major
|
|
||
|
|
ssl->arrays.preMasterSecret[1] != ssl->chVersion.minor)
|
|
|
|
ret = PMS_VERSION_ERROR;
|
|
else
|
|
ret = MakeMasterSecret(ssl);
|
|
}
|
|
else
|
|
ret = RSA_PRIVATE_ERROR;
|
|
}
|
|
|
|
FreeRsaKey(&key);
|
|
#ifndef NO_PSK
|
|
} else if (ssl->specs.kea == psk_kea) {
|
|
byte* pms = ssl->arrays.preMasterSecret;
|
|
word16 ci_sz;
|
|
|
|
ato16(&input[*inOutIdx], &ci_sz);
|
|
*inOutIdx += LENGTH_SZ;
|
|
if (ci_sz > MAX_PSK_ID_LEN) return CLIENT_ID_ERROR;
|
|
|
|
XMEMCPY(ssl->arrays.client_identity, &input[*inOutIdx], ci_sz);
|
|
*inOutIdx += ci_sz;
|
|
ssl->arrays.client_identity[ci_sz] = 0;
|
|
|
|
ssl->arrays.psk_keySz = ssl->options.server_psk_cb(ssl,
|
|
ssl->arrays.client_identity, ssl->arrays.psk_key,
|
|
MAX_PSK_KEY_LEN);
|
|
if (ssl->arrays.psk_keySz == 0 ||
|
|
ssl->arrays.psk_keySz > MAX_PSK_KEY_LEN) return PSK_KEY_ERROR;
|
|
|
|
/* make psk pre master secret */
|
|
/* length of key + length 0s + length of key + key */
|
|
c16toa((word16)ssl->arrays.psk_keySz, pms);
|
|
pms += 2;
|
|
XMEMSET(pms, 0, ssl->arrays.psk_keySz);
|
|
pms += ssl->arrays.psk_keySz;
|
|
c16toa((word16)ssl->arrays.psk_keySz, pms);
|
|
pms += 2;
|
|
XMEMCPY(pms, ssl->arrays.psk_key, ssl->arrays.psk_keySz);
|
|
ssl->arrays.preMasterSz = ssl->arrays.psk_keySz * 2 + 4;
|
|
|
|
ret = MakeMasterSecret(ssl);
|
|
#endif /* NO_PSK */
|
|
#ifdef HAVE_NTRU
|
|
} else if (ssl->specs.kea == ntru_kea) {
|
|
word32 rc;
|
|
word16 cipherLen;
|
|
word16 plainLen = sizeof(ssl->arrays.preMasterSecret);
|
|
byte* tmp;
|
|
|
|
if (!ssl->buffers.key.buffer)
|
|
return NO_PRIVATE_KEY;
|
|
|
|
ato16(&input[*inOutIdx], &cipherLen);
|
|
*inOutIdx += LENGTH_SZ;
|
|
if (cipherLen > MAX_NTRU_ENCRYPT_SZ)
|
|
return NTRU_KEY_ERROR;
|
|
|
|
tmp = input + *inOutIdx;
|
|
rc = crypto_ntru_decrypt((word16)ssl->buffers.key.length,
|
|
ssl->buffers.key.buffer, cipherLen, tmp, &plainLen,
|
|
ssl->arrays.preMasterSecret);
|
|
|
|
if (rc != NTRU_OK || plainLen != SECRET_LEN)
|
|
return NTRU_DECRYPT_ERROR;
|
|
*inOutIdx += cipherLen;
|
|
|
|
ssl->arrays.preMasterSz = plainLen;
|
|
ret = MakeMasterSecret(ssl);
|
|
#endif /* HAVE_NTRU */
|
|
#ifdef HAVE_ECC
|
|
} else if (ssl->specs.kea == ecc_diffie_hellman_kea) {
|
|
word32 size;
|
|
word32 length = input[*inOutIdx]; /* one byte length */
|
|
*inOutIdx += 1;
|
|
|
|
ret = ecc_import_x963(&input[*inOutIdx], length, &ssl->peerEccKey);
|
|
if (ret != 0)
|
|
return ECC_PEERKEY_ERROR;
|
|
*inOutIdx += length;
|
|
ssl->peerEccKeyPresent = 1;
|
|
|
|
size = sizeof(ssl->arrays.preMasterSecret);
|
|
ret = ecc_shared_secret(&ssl->eccTempKey, &ssl->peerEccKey,
|
|
ssl->arrays.preMasterSecret, &size);
|
|
if (ret != 0)
|
|
return ECC_SHARED_ERROR;
|
|
ssl->arrays.preMasterSz = size;
|
|
ret = MakeMasterSecret(ssl);
|
|
#endif /* HAVE_ECC */
|
|
}
|
|
|
|
if (ret == 0) {
|
|
ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
|
|
if (ssl->options.verifyPeer)
|
|
BuildCertHashes(ssl, &ssl->certHashes);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
#endif /* NO_CYASSL_SERVER */
|
|
|
|
|
|
#ifdef SINGLE_THREADED
|
|
|
|
int InitMutex(CyaSSL_Mutex* m)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
|
|
int FreeMutex(CyaSSL_Mutex* m)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
|
|
int LockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
|
|
int UnLockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
#else /* MULTI_THREAD */
|
|
|
|
#ifdef USE_WINDOWS_API
|
|
|
|
int InitMutex(CyaSSL_Mutex* m)
|
|
{
|
|
InitializeCriticalSection(m);
|
|
return 0;
|
|
}
|
|
|
|
|
|
int FreeMutex(CyaSSL_Mutex* m)
|
|
{
|
|
DeleteCriticalSection(m);
|
|
return 0;
|
|
}
|
|
|
|
|
|
int LockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
EnterCriticalSection(m);
|
|
return 0;
|
|
}
|
|
|
|
|
|
int UnLockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
LeaveCriticalSection(m);
|
|
return 0;
|
|
}
|
|
|
|
#elif defined(CYASSL_PTHREADS)
|
|
|
|
int InitMutex(CyaSSL_Mutex* m)
|
|
{
|
|
if (pthread_mutex_init(m, 0) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
|
|
|
|
int FreeMutex(CyaSSL_Mutex* m)
|
|
{
|
|
if (pthread_mutex_destroy(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
|
|
|
|
int LockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
if (pthread_mutex_lock(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
|
|
|
|
int UnLockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
if (pthread_mutex_unlock(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
|
|
#elif defined(THREADX)
|
|
|
|
int InitMutex(CyaSSL_Mutex* m)
|
|
{
|
|
if (tx_mutex_create(m, "CyaSSL Mutex", TX_NO_INHERIT) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
|
|
|
|
int FreeMutex(CyaSSL_Mutex* m)
|
|
{
|
|
if (tx_mutex_delete(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
|
|
|
|
int LockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
if (tx_mutex_get(m, TX_WAIT_FOREVER) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
|
|
|
|
int UnLockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
if (tx_mutex_put(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
}
|
|
|
|
#elif defined(MICRIUM)
|
|
|
|
int InitMutex(CyaSSL_Mutex* m)
|
|
{
|
|
#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
|
|
if (NetSecure_OS_MutexCreate(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
#else
|
|
return 0;
|
|
#endif
|
|
}
|
|
|
|
|
|
int FreeMutex(CyaSSL_Mutex* m)
|
|
{
|
|
#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
|
|
if (NetSecure_OS_FreeMutex(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
#else
|
|
return 0;
|
|
#endif
|
|
}
|
|
|
|
|
|
int LockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
|
|
if (NetSecure_OS_LockMutex(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
#else
|
|
return 0;
|
|
#endif
|
|
}
|
|
|
|
|
|
int UnLockMutex(CyaSSL_Mutex* m)
|
|
{
|
|
#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
|
|
if (NetSecure_OS_UnLockMutex(m) == 0)
|
|
return 0;
|
|
else
|
|
return -1;
|
|
#else
|
|
return 0;
|
|
#endif
|
|
|
|
}
|
|
|
|
#endif /* USE_WINDOWS_API */
|
|
#endif /* SINGLE_THREADED */
|
|
|
|
|
|
#ifdef DEBUG_CYASSL
|
|
|
|
static int logging = 0;
|
|
|
|
|
|
int CyaSSL_Debugging_ON(void)
|
|
{
|
|
logging = 1;
|
|
return 0;
|
|
}
|
|
|
|
|
|
void CyaSSL_Debugging_OFF(void)
|
|
{
|
|
logging = 0;
|
|
}
|
|
|
|
|
|
#ifdef THREADX
|
|
int dc_log_printf(char*, ...);
|
|
#endif
|
|
|
|
void CYASSL_MSG(const char* msg)
|
|
{
|
|
if (logging) {
|
|
#ifdef THREADX
|
|
dc_log_printf("%s\n", msg);
|
|
#elif defined(MICRIUM)
|
|
#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
|
|
NetSecure_TraceOut((CPU_CHAR *)msg);
|
|
#endif
|
|
#else
|
|
fprintf(stderr, "%s\n", msg);
|
|
#endif
|
|
}
|
|
}
|
|
|
|
|
|
void CYASSL_ENTER(const char* msg)
|
|
{
|
|
if (logging) {
|
|
char buffer[80];
|
|
sprintf(buffer, "CyaSSL Entering %s", msg);
|
|
CYASSL_MSG(buffer);
|
|
}
|
|
}
|
|
|
|
|
|
void CYASSL_LEAVE(const char* msg, int ret)
|
|
{
|
|
if (logging) {
|
|
char buffer[80];
|
|
sprintf(buffer, "CyaSSL Leaving %s, return %d", msg, ret);
|
|
CYASSL_MSG(buffer);
|
|
}
|
|
}
|
|
|
|
|
|
void CYASSL_ERROR(int error)
|
|
{
|
|
if (logging) {
|
|
char buffer[80];
|
|
sprintf(buffer, "CyaSSL error occured, error = %d", error);
|
|
CYASSL_MSG(buffer);
|
|
}
|
|
}
|
|
|
|
|
|
#else /* DEBUG_CYASSL */
|
|
|
|
int CyaSSL_Debugging_ON(void)
|
|
{
|
|
return -1; /* not compiled in */
|
|
}
|
|
|
|
|
|
void CyaSSL_Debugging_OFF(void)
|
|
{
|
|
/* already off */
|
|
}
|
|
|
|
#endif /* DEBUG_CYASSL */
|