1 /*
2 * Copyright (c) 2007, Cameron Rich
3 *
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * * Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * * Neither the name of the axTLS project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /**
32 * Common ssl/tlsv1 code to both the client and server implementations.
33 */
34
35 #include <string.h>
36 #include <stdlib.h>
37 #include <stdio.h>
38 #include <stdarg.h>
39 #include "os_port.h"
40 #include "ssl.h"
41
42 /* The session expiry time */
43 #define SSL_EXPIRY_TIME (CONFIG_SSL_EXPIRY_TIME*3600)
44
45 static const uint8_t g_hello_request[] = { HS_HELLO_REQUEST, 0, 0, 0 };
46 static const uint8_t g_chg_cipher_spec_pkt[] = { 1 };
47 static const char * server_finished = "server finished";
48 static const char * client_finished = "client finished";
49
50 static int do_handshake(SSL *ssl, uint8_t *buf, int read_len);
51 static int set_key_block(SSL *ssl, int is_write);
52 static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len);
53 static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt);
54 static int send_raw_packet(SSL *ssl, uint8_t protocol);
55
56 /**
57 * The server will pick the cipher based on the order that the order that the
58 * ciphers are listed. This order is defined at compile time.
59 */
60 #ifdef CONFIG_SSL_SKELETON_MODE
61 const uint8_t ssl_prot_prefs[NUM_PROTOCOLS] =
62 { SSL_RC4_128_SHA };
63 #else
64 static void session_free(SSL_SESSION *ssl_sessions[], int sess_index);
65
66 const uint8_t ssl_prot_prefs[NUM_PROTOCOLS] =
67 #ifdef CONFIG_SSL_PROT_LOW /* low security, fast speed */
68 { SSL_RC4_128_SHA, SSL_AES128_SHA, SSL_AES256_SHA, SSL_RC4_128_MD5 };
69 #elif CONFIG_SSL_PROT_MEDIUM /* medium security, medium speed */
70 { SSL_AES128_SHA, SSL_AES256_SHA, SSL_RC4_128_SHA, SSL_RC4_128_MD5 };
71 #else /* CONFIG_SSL_PROT_HIGH */ /* high security, low speed */
72 { SSL_AES256_SHA, SSL_AES128_SHA, SSL_RC4_128_SHA, SSL_RC4_128_MD5 };
73 #endif
74 #endif /* CONFIG_SSL_SKELETON_MODE */
75
76 /**
77 * The cipher map containing all the essentials for each cipher.
78 */
79 #ifdef CONFIG_SSL_SKELETON_MODE
80 static const cipher_info_t cipher_info[NUM_PROTOCOLS] =
81 {
82 { /* RC4-SHA */
83 SSL_RC4_128_SHA, /* RC4-SHA */
84 16, /* key size */
85 0, /* iv size */
86 2*(SHA1_SIZE+16), /* key block size */
87 0, /* no padding */
88 SHA1_SIZE, /* digest size */
89 hmac_sha1, /* hmac algorithm */
90 (crypt_func)RC4_crypt, /* encrypt */
91 (crypt_func)RC4_crypt /* decrypt */
92 },
93 };
94 #else
95 static const cipher_info_t cipher_info[NUM_PROTOCOLS] =
96 {
97 { /* AES128-SHA */
98 SSL_AES128_SHA, /* AES128-SHA */
99 16, /* key size */
100 16, /* iv size */
101 2*(SHA1_SIZE+16+16), /* key block size */
102 16, /* block padding size */
103 SHA1_SIZE, /* digest size */
104 hmac_sha1, /* hmac algorithm */
105 (crypt_func)AES_cbc_encrypt, /* encrypt */
106 (crypt_func)AES_cbc_decrypt /* decrypt */
107 },
108 { /* AES256-SHA */
109 SSL_AES256_SHA, /* AES256-SHA */
110 32, /* key size */
111 16, /* iv size */
112 2*(SHA1_SIZE+32+16), /* key block size */
113 16, /* block padding size */
114 SHA1_SIZE, /* digest size */
115 hmac_sha1, /* hmac algorithm */
116 (crypt_func)AES_cbc_encrypt, /* encrypt */
117 (crypt_func)AES_cbc_decrypt /* decrypt */
118 },
119 { /* RC4-SHA */
120 SSL_RC4_128_SHA, /* RC4-SHA */
121 16, /* key size */
122 0, /* iv size */
123 2*(SHA1_SIZE+16), /* key block size */
124 0, /* no padding */
125 SHA1_SIZE, /* digest size */
126 hmac_sha1, /* hmac algorithm */
127 (crypt_func)RC4_crypt, /* encrypt */
128 (crypt_func)RC4_crypt /* decrypt */
129 },
130 /*
131 * This protocol is from SSLv2 days and is unlikely to be used - but was
132 * useful for testing different possible digest algorithms.
133 */
134 { /* RC4-MD5 */
135 SSL_RC4_128_MD5, /* RC4-MD5 */
136 16, /* key size */
137 0, /* iv size */
138 2*(MD5_SIZE+16), /* key block size */
139 0, /* no padding */
140 MD5_SIZE, /* digest size */
141 hmac_md5, /* hmac algorithm */
142 (crypt_func)RC4_crypt, /* encrypt */
143 (crypt_func)RC4_crypt /* decrypt */
144 },
145 };
146 #endif
147
148 static void prf(const uint8_t *sec, int sec_len, uint8_t *seed, int seed_len,
149 uint8_t *out, int olen);
150 static const cipher_info_t *get_cipher_info(uint8_t cipher);
151 static void increment_read_sequence(SSL *ssl);
152 static void increment_write_sequence(SSL *ssl);
153 static void add_hmac_digest(SSL *ssl, int snd, uint8_t *hmac_header,
154 const uint8_t *buf, int buf_len, uint8_t *hmac_buf);
155
156 /* win32 VC6.0 doesn't have variadic macros */
157 #if defined(WIN32) && !defined(CONFIG_SSL_FULL_MODE)
DISPLAY_BYTES(SSL * ssl,const char * format,const uint8_t * data,int size,...)158 void DISPLAY_BYTES(SSL *ssl, const char *format,
159 const uint8_t *data, int size, ...) {}
160 #endif
161
162 /**
163 * Establish a new client/server context.
164 */
ssl_ctx_new(uint32_t options,int num_sessions)165 EXP_FUNC SSL_CTX *STDCALL ssl_ctx_new(uint32_t options, int num_sessions)
166 {
167 SSL_CTX *ssl_ctx = (SSL_CTX *)calloc(1, sizeof (SSL_CTX));
168 ssl_ctx->options = options;
169 RNG_initialize();
170
171 if (load_key_certs(ssl_ctx) < 0)
172 {
173 free(ssl_ctx); /* can't load our key/certificate pair, so die */
174 return NULL;
175 }
176
177 #ifndef CONFIG_SSL_SKELETON_MODE
178 ssl_ctx->num_sessions = num_sessions;
179 #endif
180
181 SSL_CTX_MUTEX_INIT(ssl_ctx->mutex);
182
183 #ifndef CONFIG_SSL_SKELETON_MODE
184 if (num_sessions)
185 {
186 ssl_ctx->ssl_sessions = (SSL_SESSION **)
187 calloc(1, num_sessions*sizeof(SSL_SESSION *));
188 }
189 #endif
190
191 return ssl_ctx;
192 }
193
194 /*
195 * Remove a client/server context.
196 */
ssl_ctx_free(SSL_CTX * ssl_ctx)197 EXP_FUNC void STDCALL ssl_ctx_free(SSL_CTX *ssl_ctx)
198 {
199 SSL *ssl;
200 int i;
201
202 if (ssl_ctx == NULL)
203 return;
204
205 ssl = ssl_ctx->head;
206
207 /* clear out all the ssl entries */
208 while (ssl)
209 {
210 SSL *next = ssl->next;
211 ssl_free(ssl);
212 ssl = next;
213 }
214
215 #ifndef CONFIG_SSL_SKELETON_MODE
216 /* clear out all the sessions */
217 for (i = 0; i < ssl_ctx->num_sessions; i++)
218 session_free(ssl_ctx->ssl_sessions, i);
219
220 free(ssl_ctx->ssl_sessions);
221 #endif
222
223 i = 0;
224 while (i < CONFIG_SSL_MAX_CERTS && ssl_ctx->certs[i].buf)
225 {
226 free(ssl_ctx->certs[i].buf);
227 ssl_ctx->certs[i++].buf = NULL;
228 }
229
230 #ifdef CONFIG_SSL_CERT_VERIFICATION
231 remove_ca_certs(ssl_ctx->ca_cert_ctx);
232 #endif
233 ssl_ctx->chain_length = 0;
234 SSL_CTX_MUTEX_DESTROY(ssl_ctx->mutex);
235 RSA_free(ssl_ctx->rsa_ctx);
236 RNG_terminate();
237 free(ssl_ctx);
238 }
239
240 /*
241 * Free any used resources used by this connection.
242 */
ssl_free(SSL * ssl)243 EXP_FUNC void STDCALL ssl_free(SSL *ssl)
244 {
245 SSL_CTX *ssl_ctx;
246
247 if (ssl == NULL) /* just ignore null pointers */
248 return;
249
250 /* only notify if we weren't notified first */
251 /* spec says we must notify when we are dying */
252 if (!IS_SET_SSL_FLAG(SSL_SENT_CLOSE_NOTIFY))
253 send_alert(ssl, SSL_ALERT_CLOSE_NOTIFY);
254
255 ssl_ctx = ssl->ssl_ctx;
256
257 SSL_CTX_LOCK(ssl_ctx->mutex);
258
259 /* adjust the server SSL list */
260 if (ssl->prev)
261 ssl->prev->next = ssl->next;
262 else
263 ssl_ctx->head = ssl->next;
264
265 if (ssl->next)
266 ssl->next->prev = ssl->prev;
267 else
268 ssl_ctx->tail = ssl->prev;
269
270 SSL_CTX_UNLOCK(ssl_ctx->mutex);
271
272 /* may already be free - but be sure */
273 free(ssl->encrypt_ctx);
274 free(ssl->decrypt_ctx);
275 disposable_free(ssl);
276 #ifdef CONFIG_SSL_CERT_VERIFICATION
277 x509_free(ssl->x509_ctx);
278 #endif
279
280 free(ssl);
281 }
282
283 /*
284 * Read the SSL connection and send any alerts for various errors.
285 */
ssl_read(SSL * ssl,uint8_t ** in_data)286 EXP_FUNC int STDCALL ssl_read(SSL *ssl, uint8_t **in_data)
287 {
288 int ret = basic_read(ssl, in_data);
289
290 /* check for return code so we can send an alert */
291 if (ret < SSL_OK && ret != SSL_CLOSE_NOTIFY)
292 {
293 if (ret != SSL_ERROR_CONN_LOST)
294 {
295 send_alert(ssl, ret);
296 #ifndef CONFIG_SSL_SKELETON_MODE
297 /* something nasty happened, so get rid of this session */
298 kill_ssl_session(ssl->ssl_ctx->ssl_sessions, ssl);
299 #endif
300 }
301 }
302
303 return ret;
304 }
305
306 /*
307 * Write application data to the client
308 */
ssl_write(SSL * ssl,const uint8_t * out_data,int out_len)309 EXP_FUNC int STDCALL ssl_write(SSL *ssl, const uint8_t *out_data, int out_len)
310 {
311 int n = out_len, nw, i, tot = 0;
312
313 /* maximum size of a TLS packet is around 16kB, so fragment */
314 do
315 {
316 nw = n;
317
318 if (nw > RT_MAX_PLAIN_LENGTH) /* fragment if necessary */
319 nw = RT_MAX_PLAIN_LENGTH;
320
321 if ((i = send_packet(ssl, PT_APP_PROTOCOL_DATA,
322 &out_data[tot], nw)) <= 0)
323 {
324 out_len = i; /* an error */
325 break;
326 }
327
328 tot += i;
329 n -= i;
330 } while (n > 0);
331
332 return out_len;
333 }
334
335 /**
336 * Add a certificate to the certificate chain.
337 */
add_cert(SSL_CTX * ssl_ctx,const uint8_t * buf,int len)338 int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
339 {
340 int ret = SSL_ERROR_NO_CERT_DEFINED, i = 0;
341 SSL_CERT *ssl_cert;
342 X509_CTX *cert = NULL;
343 int offset;
344
345 while (ssl_ctx->certs[i].buf && i < CONFIG_SSL_MAX_CERTS)
346 i++;
347
348 if (i == CONFIG_SSL_MAX_CERTS) /* too many certs */
349 {
350 #ifdef CONFIG_SSL_FULL_MODE
351 printf("Error: maximum number of certs added (%d) - change of "
352 "compile-time configuration required\n",
353 CONFIG_SSL_MAX_CERTS);
354 #endif
355 goto error;
356 }
357
358 if ((ret = x509_new(buf, &offset, &cert)))
359 goto error;
360
361 #if defined (CONFIG_SSL_FULL_MODE)
362 if (ssl_ctx->options & SSL_DISPLAY_CERTS)
363 x509_print(cert, NULL);
364 #endif
365
366 ssl_cert = &ssl_ctx->certs[i];
367 ssl_cert->size = len;
368 ssl_cert->buf = (uint8_t *)malloc(len);
369 memcpy(ssl_cert->buf, buf, len);
370 ssl_ctx->chain_length++;
371 len -= offset;
372 ret = SSL_OK; /* ok so far */
373
374 /* recurse? */
375 if (len > 0)
376 {
377 ret = add_cert(ssl_ctx, &buf[offset], len);
378 }
379
380 error:
381 x509_free(cert); /* don't need anymore */
382 return ret;
383 }
384
385 #ifdef CONFIG_SSL_CERT_VERIFICATION
386 /**
387 * Add a certificate authority.
388 */
add_cert_auth(SSL_CTX * ssl_ctx,const uint8_t * buf,int len)389 int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
390 {
391 int ret = SSL_OK; /* ignore errors for now */
392 int i = 0;
393 CA_CERT_CTX *ca_cert_ctx;
394
395 if (ssl_ctx->ca_cert_ctx == NULL)
396 ssl_ctx->ca_cert_ctx = (CA_CERT_CTX *)calloc(1, sizeof(CA_CERT_CTX));
397
398 ca_cert_ctx = ssl_ctx->ca_cert_ctx;
399
400 while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
401 i++;
402
403 while (len > 0)
404 {
405 int offset;
406 if (i >= CONFIG_X509_MAX_CA_CERTS)
407 {
408 #ifdef CONFIG_SSL_FULL_MODE
409 printf("Error: maximum number of CA certs added (%d) - change of "
410 "compile-time configuration required\n",
411 CONFIG_X509_MAX_CA_CERTS);
412 #endif
413 break;
414 }
415
416
417 /* ignore the return code */
418 if (x509_new(buf, &offset, &ca_cert_ctx->cert[i]) == X509_OK)
419 {
420 #if defined (CONFIG_SSL_FULL_MODE)
421 if (ssl_ctx->options & SSL_DISPLAY_CERTS)
422 x509_print(ca_cert_ctx->cert[i], NULL);
423 #endif
424 }
425
426 i++;
427 len -= offset;
428 }
429
430 return ret;
431 }
432
433 /*
434 * Retrieve an X.509 distinguished name component
435 */
ssl_get_cert_dn(const SSL * ssl,int component)436 EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
437 {
438 if (ssl->x509_ctx == NULL)
439 return NULL;
440
441 switch (component)
442 {
443 case SSL_X509_CERT_COMMON_NAME:
444 return ssl->x509_ctx->cert_dn[X509_COMMON_NAME];
445
446 case SSL_X509_CERT_ORGANIZATION:
447 return ssl->x509_ctx->cert_dn[X509_ORGANIZATION];
448
449 case SSL_X509_CERT_ORGANIZATIONAL_NAME:
450 return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_UNIT];
451
452 case SSL_X509_CA_CERT_COMMON_NAME:
453 return ssl->x509_ctx->ca_cert_dn[X509_COMMON_NAME];
454
455 case SSL_X509_CA_CERT_ORGANIZATION:
456 return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATION];
457
458 case SSL_X509_CA_CERT_ORGANIZATIONAL_NAME:
459 return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_UNIT];
460
461 default:
462 return NULL;
463 }
464 }
465
466 /*
467 * Retrieve a "Subject Alternative Name" from a v3 certificate
468 */
ssl_get_cert_subject_alt_dnsname(const SSL * ssl,int dnsindex)469 EXP_FUNC const char * STDCALL ssl_get_cert_subject_alt_dnsname(const SSL *ssl,
470 int dnsindex)
471 {
472 int i;
473
474 if (ssl->x509_ctx == NULL || ssl->x509_ctx->subject_alt_dnsnames == NULL)
475 return NULL;
476
477 for (i = 0; i < dnsindex; ++i)
478 {
479 if (ssl->x509_ctx->subject_alt_dnsnames[i] == NULL)
480 return NULL;
481 }
482
483 return ssl->x509_ctx->subject_alt_dnsnames[dnsindex];
484 }
485
486 #endif /* CONFIG_SSL_CERT_VERIFICATION */
487
488 /*
489 * Find an ssl object based on the client's file descriptor.
490 */
ssl_find(SSL_CTX * ssl_ctx,int client_fd)491 EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, int client_fd)
492 {
493 SSL *ssl;
494
495 SSL_CTX_LOCK(ssl_ctx->mutex);
496 ssl = ssl_ctx->head;
497
498 /* search through all the ssl entries */
499 while (ssl)
500 {
501 if (ssl->client_fd == client_fd)
502 {
503 SSL_CTX_UNLOCK(ssl_ctx->mutex);
504 return ssl;
505 }
506
507 ssl = ssl->next;
508 }
509
510 SSL_CTX_UNLOCK(ssl_ctx->mutex);
511 return NULL;
512 }
513
514 /*
515 * Force the client to perform its handshake again.
516 */
ssl_renegotiate(SSL * ssl)517 EXP_FUNC int STDCALL ssl_renegotiate(SSL *ssl)
518 {
519 int ret = SSL_OK;
520
521 disposable_new(ssl);
522 #ifdef CONFIG_SSL_ENABLE_CLIENT
523 if (IS_SET_SSL_FLAG(SSL_IS_CLIENT))
524 {
525 ret = do_client_connect(ssl);
526 }
527 else
528 #endif
529 {
530 send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
531 g_hello_request, sizeof(g_hello_request));
532 SET_SSL_FLAG(SSL_NEED_RECORD);
533 }
534
535 return ret;
536 }
537
538 /**
539 * @brief Get what we need for key info.
540 * @param cipher [in] The cipher information we are after
541 * @param key_size [out] The key size for the cipher
542 * @param iv_size [out] The iv size for the cipher
543 * @return The amount of key information we need.
544 */
get_cipher_info(uint8_t cipher)545 static const cipher_info_t *get_cipher_info(uint8_t cipher)
546 {
547 int i;
548
549 for (i = 0; i < NUM_PROTOCOLS; i++)
550 {
551 if (cipher_info[i].cipher == cipher)
552 {
553 return &cipher_info[i];
554 }
555 }
556
557 return NULL; /* error */
558 }
559
560 /*
561 * Get a new ssl context for a new connection.
562 */
ssl_new(SSL_CTX * ssl_ctx,int client_fd)563 SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd)
564 {
565 SSL *ssl = (SSL *)calloc(1, sizeof(SSL));
566 ssl->ssl_ctx = ssl_ctx;
567 ssl->need_bytes = SSL_RECORD_SIZE; /* need a record */
568 ssl->client_fd = client_fd;
569 ssl->flag = SSL_NEED_RECORD;
570 ssl->bm_data = ssl->bm_all_data+BM_RECORD_OFFSET; /* space at the start */
571 ssl->hs_status = SSL_NOT_OK; /* not connected */
572 #ifdef CONFIG_ENABLE_VERIFICATION
573 ssl->ca_cert_ctx = ssl_ctx->ca_cert_ctx;
574 #endif
575 disposable_new(ssl);
576
577 /* a bit hacky but saves a few bytes of memory */
578 ssl->flag |= ssl_ctx->options;
579 SSL_CTX_LOCK(ssl_ctx->mutex);
580
581 if (ssl_ctx->head == NULL)
582 {
583 ssl_ctx->head = ssl;
584 ssl_ctx->tail = ssl;
585 }
586 else
587 {
588 ssl->prev = ssl_ctx->tail;
589 ssl_ctx->tail->next = ssl;
590 ssl_ctx->tail = ssl;
591 }
592
593 SSL_CTX_UNLOCK(ssl_ctx->mutex);
594 return ssl;
595 }
596
597 /*
598 * Add a private key to a context.
599 */
add_private_key(SSL_CTX * ssl_ctx,SSLObjLoader * ssl_obj)600 int add_private_key(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj)
601 {
602 int ret = SSL_OK;
603
604 /* get the private key details */
605 if (asn1_get_private_key(ssl_obj->buf, ssl_obj->len, &ssl_ctx->rsa_ctx))
606 {
607 ret = SSL_ERROR_INVALID_KEY;
608 goto error;
609 }
610
611 error:
612 return ret;
613 }
614
615 /**
616 * Increment the read sequence number (as a 64 bit endian indepenent #)
617 */
increment_read_sequence(SSL * ssl)618 static void increment_read_sequence(SSL *ssl)
619 {
620 int i;
621
622 for (i = 7; i >= 0; i--)
623 {
624 if (++ssl->read_sequence[i])
625 break;
626 }
627 }
628
629 /**
630 * Increment the read sequence number (as a 64 bit endian indepenent #)
631 */
increment_write_sequence(SSL * ssl)632 static void increment_write_sequence(SSL *ssl)
633 {
634 int i;
635
636 for (i = 7; i >= 0; i--)
637 {
638 if (++ssl->write_sequence[i])
639 break;
640 }
641 }
642
643 /**
644 * Work out the HMAC digest in a packet.
645 */
add_hmac_digest(SSL * ssl,int mode,uint8_t * hmac_header,const uint8_t * buf,int buf_len,uint8_t * hmac_buf)646 static void add_hmac_digest(SSL *ssl, int mode, uint8_t *hmac_header,
647 const uint8_t *buf, int buf_len, uint8_t *hmac_buf)
648 {
649 int hmac_len = buf_len + 8 + SSL_RECORD_SIZE;
650 uint8_t *t_buf = (uint8_t *)alloca(hmac_len+10);
651
652 memcpy(t_buf, (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_WRITE) ?
653 ssl->write_sequence : ssl->read_sequence, 8);
654 memcpy(&t_buf[8], hmac_header, SSL_RECORD_SIZE);
655 memcpy(&t_buf[8+SSL_RECORD_SIZE], buf, buf_len);
656
657 ssl->cipher_info->hmac(t_buf, hmac_len,
658 (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_READ) ?
659 ssl->server_mac : ssl->client_mac,
660 ssl->cipher_info->digest_size, hmac_buf);
661
662 #if 0
663 print_blob("record", hmac_header, SSL_RECORD_SIZE);
664 print_blob("buf", buf, buf_len);
665 if (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_WRITE)
666 {
667 print_blob("write seq", ssl->write_sequence, 8);
668 }
669 else
670 {
671 print_blob("read seq", ssl->read_sequence, 8);
672 }
673
674 if (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_READ)
675 {
676 print_blob("server mac",
677 ssl->server_mac, ssl->cipher_info->digest_size);
678 }
679 else
680 {
681 print_blob("client mac",
682 ssl->client_mac, ssl->cipher_info->digest_size);
683 }
684 print_blob("hmac", hmac_buf, SHA1_SIZE);
685 #endif
686 }
687
688 /**
689 * Verify that the digest of a packet is correct.
690 */
verify_digest(SSL * ssl,int mode,const uint8_t * buf,int read_len)691 static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len)
692 {
693 uint8_t hmac_buf[SHA1_SIZE];
694 int hmac_offset;
695
696 if (ssl->cipher_info->padding_size)
697 {
698 int last_blk_size = buf[read_len-1], i;
699 hmac_offset = read_len-last_blk_size-ssl->cipher_info->digest_size-1;
700
701 /* guard against a timing attack - make sure we do the digest */
702 if (hmac_offset < 0)
703 {
704 hmac_offset = 0;
705 }
706 else
707 {
708 /* already looked at last byte */
709 for (i = 1; i < last_blk_size; i++)
710 {
711 if (buf[read_len-i] != last_blk_size)
712 {
713 hmac_offset = 0;
714 break;
715 }
716 }
717 }
718 }
719 else /* stream cipher */
720 {
721 hmac_offset = read_len - ssl->cipher_info->digest_size;
722
723 if (hmac_offset < 0)
724 {
725 hmac_offset = 0;
726 }
727 }
728
729 /* sanity check the offset */
730 ssl->hmac_header[3] = hmac_offset >> 8; /* insert size */
731 ssl->hmac_header[4] = hmac_offset & 0xff;
732 add_hmac_digest(ssl, mode, ssl->hmac_header, buf, hmac_offset, hmac_buf);
733
734 if (memcmp(hmac_buf, &buf[hmac_offset], ssl->cipher_info->digest_size))
735 {
736 return SSL_ERROR_INVALID_HMAC;
737 }
738
739 return hmac_offset;
740 }
741
742 /**
743 * Add a packet to the end of our sent and received packets, so that we may use
744 * it to calculate the hash at the end.
745 */
add_packet(SSL * ssl,const uint8_t * pkt,int len)746 void add_packet(SSL *ssl, const uint8_t *pkt, int len)
747 {
748 MD5_Update(&ssl->dc->md5_ctx, pkt, len);
749 SHA1_Update(&ssl->dc->sha1_ctx, pkt, len);
750 }
751
752 /**
753 * Work out the MD5 PRF.
754 */
p_hash_md5(const uint8_t * sec,int sec_len,uint8_t * seed,int seed_len,uint8_t * out,int olen)755 static void p_hash_md5(const uint8_t *sec, int sec_len,
756 uint8_t *seed, int seed_len, uint8_t *out, int olen)
757 {
758 uint8_t a1[128];
759
760 /* A(1) */
761 hmac_md5(seed, seed_len, sec, sec_len, a1);
762 memcpy(&a1[MD5_SIZE], seed, seed_len);
763 hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out);
764
765 while (olen > MD5_SIZE)
766 {
767 uint8_t a2[MD5_SIZE];
768 out += MD5_SIZE;
769 olen -= MD5_SIZE;
770
771 /* A(N) */
772 hmac_md5(a1, MD5_SIZE, sec, sec_len, a2);
773 memcpy(a1, a2, MD5_SIZE);
774
775 /* work out the actual hash */
776 hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out);
777 }
778 }
779
780 /**
781 * Work out the SHA1 PRF.
782 */
p_hash_sha1(const uint8_t * sec,int sec_len,uint8_t * seed,int seed_len,uint8_t * out,int olen)783 static void p_hash_sha1(const uint8_t *sec, int sec_len,
784 uint8_t *seed, int seed_len, uint8_t *out, int olen)
785 {
786 uint8_t a1[128];
787
788 /* A(1) */
789 hmac_sha1(seed, seed_len, sec, sec_len, a1);
790 memcpy(&a1[SHA1_SIZE], seed, seed_len);
791 hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out);
792
793 while (olen > SHA1_SIZE)
794 {
795 uint8_t a2[SHA1_SIZE];
796 out += SHA1_SIZE;
797 olen -= SHA1_SIZE;
798
799 /* A(N) */
800 hmac_sha1(a1, SHA1_SIZE, sec, sec_len, a2);
801 memcpy(a1, a2, SHA1_SIZE);
802
803 /* work out the actual hash */
804 hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out);
805 }
806 }
807
808 /**
809 * Work out the PRF.
810 */
prf(const uint8_t * sec,int sec_len,uint8_t * seed,int seed_len,uint8_t * out,int olen)811 static void prf(const uint8_t *sec, int sec_len, uint8_t *seed, int seed_len,
812 uint8_t *out, int olen)
813 {
814 int len, i;
815 const uint8_t *S1, *S2;
816 uint8_t xbuf[256]; /* needs to be > the amount of key data */
817 uint8_t ybuf[256]; /* needs to be > the amount of key data */
818
819 len = sec_len/2;
820 S1 = sec;
821 S2 = &sec[len];
822 len += (sec_len & 1); /* add for odd, make longer */
823
824 p_hash_md5(S1, len, seed, seed_len, xbuf, olen);
825 p_hash_sha1(S2, len, seed, seed_len, ybuf, olen);
826
827 for (i = 0; i < olen; i++)
828 out[i] = xbuf[i] ^ ybuf[i];
829 }
830
831 /**
832 * Generate a master secret based on the client/server random data and the
833 * premaster secret.
834 */
generate_master_secret(SSL * ssl,const uint8_t * premaster_secret)835 void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret)
836 {
837 uint8_t buf[128]; /* needs to be > 13+32+32 in size */
838 strcpy((char *)buf, "master secret");
839 memcpy(&buf[13], ssl->dc->client_random, SSL_RANDOM_SIZE);
840 memcpy(&buf[45], ssl->dc->server_random, SSL_RANDOM_SIZE);
841 prf(premaster_secret, SSL_SECRET_SIZE, buf, 77, ssl->dc->master_secret,
842 SSL_SECRET_SIZE);
843 }
844
845 /**
846 * Generate a 'random' blob of data used for the generation of keys.
847 */
generate_key_block(uint8_t * client_random,uint8_t * server_random,uint8_t * master_secret,uint8_t * key_block,int key_block_size)848 static void generate_key_block(uint8_t *client_random, uint8_t *server_random,
849 uint8_t *master_secret, uint8_t *key_block, int key_block_size)
850 {
851 uint8_t buf[128];
852 strcpy((char *)buf, "key expansion");
853 memcpy(&buf[13], server_random, SSL_RANDOM_SIZE);
854 memcpy(&buf[45], client_random, SSL_RANDOM_SIZE);
855 prf(master_secret, SSL_SECRET_SIZE, buf, 77, key_block, key_block_size);
856 }
857
858 /**
859 * Calculate the digest used in the finished message. This function also
860 * doubles up as a certificate verify function.
861 */
finished_digest(SSL * ssl,const char * label,uint8_t * digest)862 void finished_digest(SSL *ssl, const char *label, uint8_t *digest)
863 {
864 uint8_t mac_buf[128];
865 uint8_t *q = mac_buf;
866 MD5_CTX md5_ctx = ssl->dc->md5_ctx;
867 SHA1_CTX sha1_ctx = ssl->dc->sha1_ctx;
868
869 if (label)
870 {
871 strcpy((char *)q, label);
872 q += strlen(label);
873 }
874
875 MD5_Final(q, &md5_ctx);
876 q += MD5_SIZE;
877
878 SHA1_Final(q, &sha1_ctx);
879 q += SHA1_SIZE;
880
881 if (label)
882 {
883 prf(ssl->dc->master_secret, SSL_SECRET_SIZE, mac_buf, (int)(q-mac_buf),
884 digest, SSL_FINISHED_HASH_SIZE);
885 }
886 else /* for use in a certificate verify */
887 {
888 memcpy(digest, mac_buf, MD5_SIZE + SHA1_SIZE);
889 }
890
891 #if 0
892 printf("label: %s\n", label);
893 print_blob("master secret", ssl->dc->master_secret, 48);
894 print_blob("mac_buf", mac_buf, q-mac_buf);
895 print_blob("finished digest", digest, SSL_FINISHED_HASH_SIZE);
896 #endif
897 }
898
899 /**
900 * Retrieve (and initialise) the context of a cipher.
901 */
crypt_new(SSL * ssl,uint8_t * key,uint8_t * iv,int is_decrypt)902 static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt)
903 {
904 switch (ssl->cipher)
905 {
906 #ifndef CONFIG_SSL_SKELETON_MODE
907 case SSL_AES128_SHA:
908 {
909 AES_CTX *aes_ctx = (AES_CTX *)malloc(sizeof(AES_CTX));
910 AES_set_key(aes_ctx, key, iv, AES_MODE_128);
911
912 if (is_decrypt)
913 {
914 AES_convert_key(aes_ctx);
915 }
916
917 return (void *)aes_ctx;
918 }
919
920 case SSL_AES256_SHA:
921 {
922 AES_CTX *aes_ctx = (AES_CTX *)malloc(sizeof(AES_CTX));
923 AES_set_key(aes_ctx, key, iv, AES_MODE_256);
924
925 if (is_decrypt)
926 {
927 AES_convert_key(aes_ctx);
928 }
929
930 return (void *)aes_ctx;
931 }
932
933 case SSL_RC4_128_MD5:
934 #endif
935 case SSL_RC4_128_SHA:
936 {
937 RC4_CTX *rc4_ctx = (RC4_CTX *)malloc(sizeof(RC4_CTX));
938 RC4_setup(rc4_ctx, key, 16);
939 return (void *)rc4_ctx;
940 }
941 }
942
943 return NULL; /* its all gone wrong */
944 }
945
946 /**
947 * Send a packet over the socket.
948 */
send_raw_packet(SSL * ssl,uint8_t protocol)949 static int send_raw_packet(SSL *ssl, uint8_t protocol)
950 {
951 uint8_t *rec_buf = ssl->bm_all_data;
952 int pkt_size = SSL_RECORD_SIZE+ssl->bm_index;
953 int sent = 0;
954 int ret = SSL_OK;
955
956 rec_buf[0] = protocol;
957 rec_buf[1] = 0x03; /* version = 3.1 or higher */
958 rec_buf[2] = ssl->version & 0x0f;
959 rec_buf[3] = ssl->bm_index >> 8;
960 rec_buf[4] = ssl->bm_index & 0xff;
961
962 DISPLAY_BYTES(ssl, "sending %d bytes", ssl->bm_all_data,
963 pkt_size, pkt_size);
964
965 while (sent < pkt_size)
966 {
967 ret = SOCKET_WRITE(ssl->client_fd,
968 &ssl->bm_all_data[sent], pkt_size-sent);
969
970 if (ret >= 0)
971 sent += ret;
972 else
973 {
974
975 #ifdef WIN32
976 if (GetLastError() != WSAEWOULDBLOCK)
977 #else
978 if (errno != EAGAIN && errno != EWOULDBLOCK)
979 #endif
980 return SSL_ERROR_CONN_LOST;
981 }
982
983 /* keep going until the write buffer has some space */
984 if (sent != pkt_size)
985 {
986 fd_set wfds;
987 FD_ZERO(&wfds);
988 FD_SET(ssl->client_fd, &wfds);
989
990 /* block and wait for it */
991 if (select(ssl->client_fd + 1, NULL, &wfds, NULL, NULL) < 0)
992 return SSL_ERROR_CONN_LOST;
993 }
994 }
995
996 SET_SSL_FLAG(SSL_NEED_RECORD); /* reset for next time */
997 ssl->bm_index = 0;
998
999 if (protocol != PT_APP_PROTOCOL_DATA)
1000 {
1001 /* always return SSL_OK during handshake */
1002 ret = SSL_OK;
1003 }
1004
1005 return ret;
1006 }
1007
1008 /**
1009 * Send an encrypted packet with padding bytes if necessary.
1010 */
send_packet(SSL * ssl,uint8_t protocol,const uint8_t * in,int length)1011 int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
1012 {
1013 int ret, msg_length = 0;
1014
1015 /* if our state is bad, don't bother */
1016 if (ssl->hs_status == SSL_ERROR_DEAD)
1017 return SSL_ERROR_CONN_LOST;
1018
1019 if (in) /* has the buffer already been initialised? */
1020 {
1021 memcpy(ssl->bm_data, in, length);
1022 }
1023
1024 msg_length += length;
1025
1026 if (IS_SET_SSL_FLAG(SSL_TX_ENCRYPTED))
1027 {
1028 int mode = IS_SET_SSL_FLAG(SSL_IS_CLIENT) ?
1029 SSL_CLIENT_WRITE : SSL_SERVER_WRITE;
1030 uint8_t hmac_header[SSL_RECORD_SIZE] =
1031 {
1032 protocol,
1033 0x03, /* version = 3.1 or higher */
1034 ssl->version & 0x0f,
1035 msg_length >> 8,
1036 msg_length & 0xff
1037 };
1038
1039 if (protocol == PT_HANDSHAKE_PROTOCOL)
1040 {
1041 DISPLAY_STATE(ssl, 1, ssl->bm_data[0], 0);
1042
1043 if (ssl->bm_data[0] != HS_HELLO_REQUEST)
1044 {
1045 add_packet(ssl, ssl->bm_data, msg_length);
1046 }
1047 }
1048
1049 /* add the packet digest */
1050 add_hmac_digest(ssl, mode, hmac_header, ssl->bm_data, msg_length,
1051 &ssl->bm_data[msg_length]);
1052 msg_length += ssl->cipher_info->digest_size;
1053
1054 /* add padding? */
1055 if (ssl->cipher_info->padding_size)
1056 {
1057 int last_blk_size = msg_length%ssl->cipher_info->padding_size;
1058 int pad_bytes = ssl->cipher_info->padding_size - last_blk_size;
1059
1060 /* ensure we always have at least 1 padding byte */
1061 if (pad_bytes == 0)
1062 pad_bytes += ssl->cipher_info->padding_size;
1063
1064 memset(&ssl->bm_data[msg_length], pad_bytes-1, pad_bytes);
1065 msg_length += pad_bytes;
1066 }
1067
1068 DISPLAY_BYTES(ssl, "unencrypted write", ssl->bm_data, msg_length);
1069 increment_write_sequence(ssl);
1070
1071 /* add the explicit IV for TLS1.1 */
1072 if (ssl->version >= SSL_PROTOCOL_VERSION1_1 &&
1073 ssl->cipher_info->iv_size)
1074 {
1075 uint8_t iv_size = ssl->cipher_info->iv_size;
1076 uint8_t *t_buf = alloca(msg_length + iv_size);
1077 memcpy(t_buf + iv_size, ssl->bm_data, msg_length);
1078 get_random(iv_size, t_buf);
1079 msg_length += iv_size;
1080 memcpy(ssl->bm_data, t_buf, msg_length);
1081 }
1082
1083 /* now encrypt the packet */
1084 ssl->cipher_info->encrypt(ssl->encrypt_ctx, ssl->bm_data,
1085 ssl->bm_data, msg_length);
1086 }
1087 else if (protocol == PT_HANDSHAKE_PROTOCOL)
1088 {
1089 DISPLAY_STATE(ssl, 1, ssl->bm_data[0], 0);
1090
1091 if (ssl->bm_data[0] != HS_HELLO_REQUEST)
1092 {
1093 add_packet(ssl, ssl->bm_data, length);
1094 }
1095 }
1096
1097 ssl->bm_index = msg_length;
1098 if ((ret = send_raw_packet(ssl, protocol)) <= 0)
1099 return ret;
1100
1101 return length; /* just return what we wanted to send */
1102 }
1103
1104 /**
1105 * Work out the cipher keys we are going to use for this session based on the
1106 * master secret.
1107 */
set_key_block(SSL * ssl,int is_write)1108 static int set_key_block(SSL *ssl, int is_write)
1109 {
1110 const cipher_info_t *ciph_info = get_cipher_info(ssl->cipher);
1111 uint8_t *q;
1112 uint8_t client_key[32], server_key[32]; /* big enough for AES256 */
1113 uint8_t client_iv[16], server_iv[16]; /* big enough for AES128/256 */
1114 int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
1115
1116 if (ciph_info == NULL)
1117 return -1;
1118
1119 /* only do once in a handshake */
1120 if (ssl->dc->key_block == NULL)
1121 {
1122 ssl->dc->key_block = (uint8_t *)malloc(ciph_info->key_block_size);
1123
1124 #if 0
1125 print_blob("client", ssl->dc->client_random, 32);
1126 print_blob("server", ssl->dc->server_random, 32);
1127 print_blob("master", ssl->dc->master_secret, SSL_SECRET_SIZE);
1128 #endif
1129 generate_key_block(ssl->dc->client_random, ssl->dc->server_random,
1130 ssl->dc->master_secret, ssl->dc->key_block,
1131 ciph_info->key_block_size);
1132 #if 0
1133 print_blob("keyblock", ssl->dc->key_block, ciph_info->key_block_size);
1134 #endif
1135 }
1136
1137 q = ssl->dc->key_block;
1138
1139 if ((is_client && is_write) || (!is_client && !is_write))
1140 {
1141 memcpy(ssl->client_mac, q, ciph_info->digest_size);
1142 }
1143
1144 q += ciph_info->digest_size;
1145
1146 if ((!is_client && is_write) || (is_client && !is_write))
1147 {
1148 memcpy(ssl->server_mac, q, ciph_info->digest_size);
1149 }
1150
1151 q += ciph_info->digest_size;
1152 memcpy(client_key, q, ciph_info->key_size);
1153 q += ciph_info->key_size;
1154 memcpy(server_key, q, ciph_info->key_size);
1155 q += ciph_info->key_size;
1156
1157 #ifndef CONFIG_SSL_SKELETON_MODE
1158 if (ciph_info->iv_size) /* RC4 has no IV, AES does */
1159 {
1160 memcpy(client_iv, q, ciph_info->iv_size);
1161 q += ciph_info->iv_size;
1162 memcpy(server_iv, q, ciph_info->iv_size);
1163 q += ciph_info->iv_size;
1164 }
1165 #endif
1166
1167 free(is_write ? ssl->encrypt_ctx : ssl->decrypt_ctx);
1168
1169 /* now initialise the ciphers */
1170 if (is_client)
1171 {
1172 finished_digest(ssl, server_finished, ssl->dc->final_finish_mac);
1173
1174 if (is_write)
1175 ssl->encrypt_ctx = crypt_new(ssl, client_key, client_iv, 0);
1176 else
1177 ssl->decrypt_ctx = crypt_new(ssl, server_key, server_iv, 1);
1178 }
1179 else
1180 {
1181 finished_digest(ssl, client_finished, ssl->dc->final_finish_mac);
1182
1183 if (is_write)
1184 ssl->encrypt_ctx = crypt_new(ssl, server_key, server_iv, 0);
1185 else
1186 ssl->decrypt_ctx = crypt_new(ssl, client_key, client_iv, 1);
1187 }
1188
1189 ssl->cipher_info = ciph_info;
1190 return 0;
1191 }
1192
1193 /**
1194 * Read the SSL connection.
1195 */
basic_read(SSL * ssl,uint8_t ** in_data)1196 int basic_read(SSL *ssl, uint8_t **in_data)
1197 {
1198 int ret = SSL_OK;
1199 int read_len, is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
1200 uint8_t *buf = ssl->bm_data;
1201
1202 read_len = SOCKET_READ(ssl->client_fd, &buf[ssl->bm_read_index],
1203 ssl->need_bytes-ssl->got_bytes);
1204
1205 if (read_len < 0)
1206 {
1207 #ifdef WIN32
1208 if (GetLastError() == WSAEWOULDBLOCK)
1209 #else
1210 if (errno == EAGAIN || errno == EWOULDBLOCK)
1211 #endif
1212 return 0;
1213 }
1214
1215 /* connection has gone, so die */
1216 if (read_len <= 0)
1217 {
1218 ret = SSL_ERROR_CONN_LOST;
1219 ssl->hs_status = SSL_ERROR_DEAD; /* make sure it stays dead */
1220 goto error;
1221 }
1222
1223 DISPLAY_BYTES(ssl, "received %d bytes",
1224 &ssl->bm_data[ssl->bm_read_index], read_len, read_len);
1225
1226 ssl->got_bytes += read_len;
1227 ssl->bm_read_index += read_len;
1228
1229 /* haven't quite got what we want, so try again later */
1230 if (ssl->got_bytes < ssl->need_bytes)
1231 return SSL_OK;
1232
1233 read_len = ssl->got_bytes;
1234 ssl->got_bytes = 0;
1235
1236 if (IS_SET_SSL_FLAG(SSL_NEED_RECORD))
1237 {
1238 /* check for sslv2 "client hello" */
1239 if (buf[0] & 0x80 && buf[2] == 1)
1240 {
1241 #ifdef CONFIG_SSL_ENABLE_V23_HANDSHAKE
1242 uint8_t version = (buf[3] << 4) + buf[4];
1243 DISPLAY_BYTES(ssl, "ssl2 record", buf, 5);
1244
1245 /* should be v3.1 (TLSv1) or better */
1246 ssl->version = ssl->client_version = version;
1247
1248 if (version > SSL_PROTOCOL_VERSION_MAX)
1249 {
1250 /* use client's version */
1251 ssl->version = SSL_PROTOCOL_VERSION_MAX;
1252 }
1253 else if (version < SSL_PROTOCOL_MIN_VERSION)
1254 {
1255 ret = SSL_ERROR_INVALID_VERSION;
1256 ssl_display_error(ret);
1257 return ret;
1258 }
1259
1260 add_packet(ssl, &buf[2], 3);
1261 ret = process_sslv23_client_hello(ssl);
1262 #else
1263 printf("Error: no SSLv23 handshaking allowed\n"); TTY_FLUSH();
1264 ret = SSL_ERROR_NOT_SUPPORTED;
1265 #endif
1266 goto error; /* not an error - just get out of here */
1267 }
1268
1269 ssl->need_bytes = (buf[3] << 8) + buf[4];
1270
1271 /* do we violate the spec with the message size? */
1272 if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)
1273 {
1274 ret = SSL_ERROR_INVALID_PROT_MSG;
1275 goto error;
1276 }
1277
1278 CLR_SSL_FLAG(SSL_NEED_RECORD);
1279 memcpy(ssl->hmac_header, buf, 3); /* store for hmac */
1280 ssl->record_type = buf[0];
1281 goto error; /* no error, we're done */
1282 }
1283
1284 /* for next time - just do it now in case of an error */
1285 SET_SSL_FLAG(SSL_NEED_RECORD);
1286 ssl->need_bytes = SSL_RECORD_SIZE;
1287
1288 /* decrypt if we need to */
1289 if (IS_SET_SSL_FLAG(SSL_RX_ENCRYPTED))
1290 {
1291 ssl->cipher_info->decrypt(ssl->decrypt_ctx, buf, buf, read_len);
1292
1293 if (ssl->version >= SSL_PROTOCOL_VERSION1_1 &&
1294 ssl->cipher_info->iv_size)
1295 {
1296 buf += ssl->cipher_info->iv_size;
1297 read_len -= ssl->cipher_info->iv_size;
1298 }
1299
1300 read_len = verify_digest(ssl,
1301 is_client ? SSL_CLIENT_READ : SSL_SERVER_READ, buf, read_len);
1302
1303 /* does the hmac work? */
1304 if (read_len < 0)
1305 {
1306 ret = read_len;
1307 goto error;
1308 }
1309
1310 DISPLAY_BYTES(ssl, "decrypted", buf, read_len);
1311 increment_read_sequence(ssl);
1312 }
1313
1314 /* The main part of the SSL packet */
1315 switch (ssl->record_type)
1316 {
1317 case PT_HANDSHAKE_PROTOCOL:
1318 if (ssl->dc != NULL)
1319 {
1320 ssl->dc->bm_proc_index = 0;
1321 ret = do_handshake(ssl, buf, read_len);
1322 }
1323 else /* no client renegotiation allowed */
1324 {
1325 ret = SSL_ERROR_NO_CLIENT_RENOG;
1326 goto error;
1327 }
1328 break;
1329
1330 case PT_CHANGE_CIPHER_SPEC:
1331 if (ssl->next_state != HS_FINISHED)
1332 {
1333 ret = SSL_ERROR_INVALID_HANDSHAKE;
1334 goto error;
1335 }
1336
1337 /* all encrypted from now on */
1338 SET_SSL_FLAG(SSL_RX_ENCRYPTED);
1339 if (set_key_block(ssl, 0) < 0)
1340 {
1341 ret = SSL_ERROR_INVALID_HANDSHAKE;
1342 goto error;
1343 }
1344
1345 memset(ssl->read_sequence, 0, 8);
1346 break;
1347
1348 case PT_APP_PROTOCOL_DATA:
1349 if (in_data)
1350 {
1351 *in_data = buf; /* point to the work buffer */
1352 (*in_data)[read_len] = 0; /* null terminate just in case */
1353 }
1354
1355 ret = read_len;
1356 break;
1357
1358 case PT_ALERT_PROTOCOL:
1359 /* return the alert # with alert bit set */
1360 if(buf[0] == SSL_ALERT_TYPE_WARNING &&
1361 buf[1] == SSL_ALERT_CLOSE_NOTIFY)
1362 {
1363 ret = SSL_CLOSE_NOTIFY;
1364 send_alert(ssl, SSL_ALERT_CLOSE_NOTIFY);
1365 SET_SSL_FLAG(SSL_SENT_CLOSE_NOTIFY);
1366 }
1367 else
1368 {
1369 ret = -buf[1];
1370 DISPLAY_ALERT(ssl, buf[1]);
1371 }
1372
1373 break;
1374
1375 default:
1376 ret = SSL_ERROR_INVALID_PROT_MSG;
1377 break;
1378 }
1379
1380 error:
1381 ssl->bm_read_index = 0; /* reset to go again */
1382
1383 if (ret < SSL_OK && in_data)/* if all wrong, then clear this buffer ptr */
1384 *in_data = NULL;
1385
1386 return ret;
1387 }
1388
1389 /**
1390 * Do some basic checking of data and then perform the appropriate handshaking.
1391 */
do_handshake(SSL * ssl,uint8_t * buf,int read_len)1392 static int do_handshake(SSL *ssl, uint8_t *buf, int read_len)
1393 {
1394 int hs_len = (buf[2]<<8) + buf[3];
1395 uint8_t handshake_type = buf[0];
1396 int ret = SSL_OK;
1397 int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
1398
1399 /* some integrity checking on the handshake */
1400 PARANOIA_CHECK(read_len-SSL_HS_HDR_SIZE, hs_len);
1401
1402 if (handshake_type != ssl->next_state)
1403 {
1404 /* handle a special case on the client */
1405 if (!is_client || handshake_type != HS_CERT_REQ ||
1406 ssl->next_state != HS_SERVER_HELLO_DONE)
1407 {
1408 ret = SSL_ERROR_INVALID_HANDSHAKE;
1409 goto error;
1410 }
1411 }
1412
1413 hs_len += SSL_HS_HDR_SIZE; /* adjust for when adding packets */
1414 ssl->bm_index = hs_len; /* store the size and check later */
1415 DISPLAY_STATE(ssl, 0, handshake_type, 0);
1416
1417 if (handshake_type != HS_CERT_VERIFY && handshake_type != HS_HELLO_REQUEST)
1418 add_packet(ssl, buf, hs_len);
1419
1420 #if defined(CONFIG_SSL_ENABLE_CLIENT)
1421 ret = is_client ?
1422 do_clnt_handshake(ssl, handshake_type, buf, hs_len) :
1423 do_svr_handshake(ssl, handshake_type, buf, hs_len);
1424 #else
1425 ret = do_svr_handshake(ssl, handshake_type, buf, hs_len);
1426 #endif
1427
1428 /* just use recursion to get the rest */
1429 if (hs_len < read_len && ret == SSL_OK)
1430 ret = do_handshake(ssl, &buf[hs_len], read_len-hs_len);
1431
1432 error:
1433 return ret;
1434 }
1435
1436 /**
1437 * Sends the change cipher spec message. We have just read a finished message
1438 * from the client.
1439 */
send_change_cipher_spec(SSL * ssl)1440 int send_change_cipher_spec(SSL *ssl)
1441 {
1442 int ret = send_packet(ssl, PT_CHANGE_CIPHER_SPEC,
1443 g_chg_cipher_spec_pkt, sizeof(g_chg_cipher_spec_pkt));
1444 SET_SSL_FLAG(SSL_TX_ENCRYPTED);
1445
1446 if (ret >= 0 && set_key_block(ssl, 1) < 0)
1447 ret = SSL_ERROR_INVALID_HANDSHAKE;
1448
1449 memset(ssl->write_sequence, 0, 8);
1450 return ret;
1451 }
1452
1453 /**
1454 * Send a "finished" message
1455 */
send_finished(SSL * ssl)1456 int send_finished(SSL *ssl)
1457 {
1458 uint8_t buf[SSL_FINISHED_HASH_SIZE+4] = {
1459 HS_FINISHED, 0, 0, SSL_FINISHED_HASH_SIZE };
1460
1461 /* now add the finished digest mac (12 bytes) */
1462 finished_digest(ssl,
1463 IS_SET_SSL_FLAG(SSL_IS_CLIENT) ?
1464 client_finished : server_finished, &buf[4]);
1465
1466 #ifndef CONFIG_SSL_SKELETON_MODE
1467 /* store in the session cache */
1468 if (!IS_SET_SSL_FLAG(SSL_SESSION_RESUME) && ssl->ssl_ctx->num_sessions)
1469 {
1470 memcpy(ssl->session->master_secret,
1471 ssl->dc->master_secret, SSL_SECRET_SIZE);
1472 }
1473 #endif
1474
1475 return send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
1476 buf, SSL_FINISHED_HASH_SIZE+4);
1477 }
1478
1479 /**
1480 * Send an alert message.
1481 * Return 1 if the alert was an "error".
1482 */
send_alert(SSL * ssl,int error_code)1483 int send_alert(SSL *ssl, int error_code)
1484 {
1485 int alert_num = 0;
1486 int is_warning = 0;
1487 uint8_t buf[2];
1488
1489 /* Don't bother we're already dead */
1490 if (ssl->hs_status == SSL_ERROR_DEAD)
1491 {
1492 return SSL_ERROR_CONN_LOST;
1493 }
1494
1495 #ifdef CONFIG_SSL_FULL_MODE
1496 if (IS_SET_SSL_FLAG(SSL_DISPLAY_STATES))
1497 ssl_display_error(error_code);
1498 #endif
1499
1500 switch (error_code)
1501 {
1502 case SSL_ALERT_CLOSE_NOTIFY:
1503 is_warning = 1;
1504 alert_num = SSL_ALERT_CLOSE_NOTIFY;
1505 break;
1506
1507 case SSL_ERROR_CONN_LOST: /* don't send alert just yet */
1508 is_warning = 1;
1509 break;
1510
1511 case SSL_ERROR_INVALID_HANDSHAKE:
1512 case SSL_ERROR_INVALID_PROT_MSG:
1513 alert_num = SSL_ALERT_HANDSHAKE_FAILURE;
1514 break;
1515
1516 case SSL_ERROR_INVALID_HMAC:
1517 case SSL_ERROR_FINISHED_INVALID:
1518 alert_num = SSL_ALERT_BAD_RECORD_MAC;
1519 break;
1520
1521 case SSL_ERROR_INVALID_VERSION:
1522 alert_num = SSL_ALERT_INVALID_VERSION;
1523 break;
1524
1525 case SSL_ERROR_INVALID_SESSION:
1526 case SSL_ERROR_NO_CIPHER:
1527 case SSL_ERROR_INVALID_KEY:
1528 alert_num = SSL_ALERT_ILLEGAL_PARAMETER;
1529 break;
1530
1531 case SSL_ERROR_BAD_CERTIFICATE:
1532 alert_num = SSL_ALERT_BAD_CERTIFICATE;
1533 break;
1534
1535 case SSL_ERROR_NO_CLIENT_RENOG:
1536 alert_num = SSL_ALERT_NO_RENEGOTIATION;
1537 break;
1538
1539 default:
1540 /* a catch-all for any badly verified certificates */
1541 alert_num = (error_code <= SSL_X509_OFFSET) ?
1542 SSL_ALERT_BAD_CERTIFICATE : SSL_ALERT_UNEXPECTED_MESSAGE;
1543 break;
1544 }
1545
1546 buf[0] = is_warning ? 1 : 2;
1547 buf[1] = alert_num;
1548 send_packet(ssl, PT_ALERT_PROTOCOL, buf, sizeof(buf));
1549 DISPLAY_ALERT(ssl, alert_num);
1550 return is_warning ? 0 : 1;
1551 }
1552
1553 /**
1554 * Process a client finished message.
1555 */
process_finished(SSL * ssl,uint8_t * buf,int hs_len)1556 int process_finished(SSL *ssl, uint8_t *buf, int hs_len)
1557 {
1558 int ret = SSL_OK;
1559 int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
1560 int resume = IS_SET_SSL_FLAG(SSL_SESSION_RESUME);
1561
1562 PARANOIA_CHECK(ssl->bm_index, SSL_FINISHED_HASH_SIZE+4);
1563
1564 /* check that we all work before we continue */
1565 if (memcmp(ssl->dc->final_finish_mac, &buf[4], SSL_FINISHED_HASH_SIZE))
1566 return SSL_ERROR_FINISHED_INVALID;
1567
1568 if ((!is_client && !resume) || (is_client && resume))
1569 {
1570 if ((ret = send_change_cipher_spec(ssl)) == SSL_OK)
1571 ret = send_finished(ssl);
1572 }
1573
1574 /* if we ever renegotiate */
1575 ssl->next_state = is_client ? HS_HELLO_REQUEST : HS_CLIENT_HELLO;
1576 ssl->hs_status = ret; /* set the final handshake status */
1577
1578 error:
1579 return ret;
1580 }
1581
1582 /**
1583 * Send a certificate.
1584 */
send_certificate(SSL * ssl)1585 int send_certificate(SSL *ssl)
1586 {
1587 int i = 0;
1588 uint8_t *buf = ssl->bm_data;
1589 int offset = 7;
1590 int chain_length;
1591
1592 buf[0] = HS_CERTIFICATE;
1593 buf[1] = 0;
1594 buf[4] = 0;
1595
1596 while (i < ssl->ssl_ctx->chain_length)
1597 {
1598 SSL_CERT *cert = &ssl->ssl_ctx->certs[i];
1599 buf[offset++] = 0;
1600 buf[offset++] = cert->size >> 8; /* cert 1 length */
1601 buf[offset++] = cert->size & 0xff;
1602 memcpy(&buf[offset], cert->buf, cert->size);
1603 offset += cert->size;
1604 i++;
1605 }
1606
1607 chain_length = offset - 7;
1608 buf[5] = chain_length >> 8; /* cert chain length */
1609 buf[6] = chain_length & 0xff;
1610 chain_length += 3;
1611 buf[2] = chain_length >> 8; /* handshake length */
1612 buf[3] = chain_length & 0xff;
1613 ssl->bm_index = offset;
1614 return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
1615 }
1616
1617 /**
1618 * Create a blob of memory that we'll get rid of once the handshake is
1619 * complete.
1620 */
disposable_new(SSL * ssl)1621 void disposable_new(SSL *ssl)
1622 {
1623 if (ssl->dc == NULL)
1624 {
1625 ssl->dc = (DISPOSABLE_CTX *)calloc(1, sizeof(DISPOSABLE_CTX));
1626 MD5_Init(&ssl->dc->md5_ctx);
1627 SHA1_Init(&ssl->dc->sha1_ctx);
1628 }
1629 }
1630
1631 /**
1632 * Remove the temporary blob of memory.
1633 */
disposable_free(SSL * ssl)1634 void disposable_free(SSL *ssl)
1635 {
1636 if (ssl->dc)
1637 {
1638 free(ssl->dc->key_block);
1639 memset(ssl->dc, 0, sizeof(DISPOSABLE_CTX));
1640 free(ssl->dc);
1641 ssl->dc = NULL;
1642 }
1643
1644 }
1645
1646 #ifndef CONFIG_SSL_SKELETON_MODE /* no session resumption in this mode */
1647 /**
1648 * Find if an existing session has the same session id. If so, use the
1649 * master secret from this session for session resumption.
1650 */
ssl_session_update(int max_sessions,SSL_SESSION * ssl_sessions[],SSL * ssl,const uint8_t * session_id)1651 SSL_SESSION *ssl_session_update(int max_sessions, SSL_SESSION *ssl_sessions[],
1652 SSL *ssl, const uint8_t *session_id)
1653 {
1654 time_t tm = time(NULL);
1655 time_t oldest_sess_time = tm;
1656 SSL_SESSION *oldest_sess = NULL;
1657 int i;
1658
1659 /* no sessions? Then bail */
1660 if (max_sessions == 0)
1661 return NULL;
1662
1663 SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
1664 if (session_id)
1665 {
1666 for (i = 0; i < max_sessions; i++)
1667 {
1668 if (ssl_sessions[i])
1669 {
1670 /* kill off any expired sessions (including those in
1671 the future) */
1672 if ((tm > ssl_sessions[i]->conn_time + SSL_EXPIRY_TIME) ||
1673 (tm < ssl_sessions[i]->conn_time))
1674 {
1675 session_free(ssl_sessions, i);
1676 continue;
1677 }
1678
1679 /* if the session id matches, it must still be less than
1680 the expiry time */
1681 if (memcmp(ssl_sessions[i]->session_id, session_id,
1682 SSL_SESSION_ID_SIZE) == 0)
1683 {
1684 ssl->session_index = i;
1685 memcpy(ssl->dc->master_secret,
1686 ssl_sessions[i]->master_secret, SSL_SECRET_SIZE);
1687 SET_SSL_FLAG(SSL_SESSION_RESUME);
1688 SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
1689 return ssl_sessions[i]; /* a session was found */
1690 }
1691 }
1692 }
1693 }
1694
1695 /* If we've got here, no matching session was found - so create one */
1696 for (i = 0; i < max_sessions; i++)
1697 {
1698 if (ssl_sessions[i] == NULL)
1699 {
1700 /* perfect, this will do */
1701 ssl_sessions[i] = (SSL_SESSION *)calloc(1, sizeof(SSL_SESSION));
1702 ssl_sessions[i]->conn_time = tm;
1703 ssl->session_index = i;
1704 SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
1705 return ssl_sessions[i]; /* return the session object */
1706 }
1707 else if (ssl_sessions[i]->conn_time <= oldest_sess_time)
1708 {
1709 /* find the oldest session */
1710 oldest_sess_time = ssl_sessions[i]->conn_time;
1711 oldest_sess = ssl_sessions[i];
1712 ssl->session_index = i;
1713 }
1714 }
1715
1716 /* ok, we've used up all of our sessions. So blow the oldest session away */
1717 oldest_sess->conn_time = tm;
1718 memset(oldest_sess->session_id, 0, sizeof(SSL_SESSION_ID_SIZE));
1719 memset(oldest_sess->master_secret, 0, sizeof(SSL_SECRET_SIZE));
1720 SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
1721 return oldest_sess;
1722 }
1723
1724 /**
1725 * Free an existing session.
1726 */
session_free(SSL_SESSION * ssl_sessions[],int sess_index)1727 static void session_free(SSL_SESSION *ssl_sessions[], int sess_index)
1728 {
1729 if (ssl_sessions[sess_index])
1730 {
1731 free(ssl_sessions[sess_index]);
1732 ssl_sessions[sess_index] = NULL;
1733 }
1734 }
1735
1736 /**
1737 * This ssl object doesn't want this session anymore.
1738 */
kill_ssl_session(SSL_SESSION ** ssl_sessions,SSL * ssl)1739 void kill_ssl_session(SSL_SESSION **ssl_sessions, SSL *ssl)
1740 {
1741 SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
1742
1743 if (ssl->ssl_ctx->num_sessions)
1744 {
1745 session_free(ssl_sessions, ssl->session_index);
1746 ssl->session = NULL;
1747 }
1748
1749 SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
1750 }
1751 #endif /* CONFIG_SSL_SKELETON_MODE */
1752
1753 /*
1754 * Get the session id for a handshake. This will be a 32 byte sequence.
1755 */
ssl_get_session_id(const SSL * ssl)1756 EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(const SSL *ssl)
1757 {
1758 return ssl->session_id;
1759 }
1760
1761 /*
1762 * Get the session id size for a handshake.
1763 */
ssl_get_session_id_size(const SSL * ssl)1764 EXP_FUNC uint8_t STDCALL ssl_get_session_id_size(const SSL *ssl)
1765 {
1766 return ssl->sess_id_size;
1767 }
1768
1769 /*
1770 * Return the cipher id (in the SSL form).
1771 */
ssl_get_cipher_id(const SSL * ssl)1772 EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(const SSL *ssl)
1773 {
1774 return ssl->cipher;
1775 }
1776
1777 /*
1778 * Return the status of the handshake.
1779 */
ssl_handshake_status(const SSL * ssl)1780 EXP_FUNC int STDCALL ssl_handshake_status(const SSL *ssl)
1781 {
1782 return ssl->hs_status;
1783 }
1784
1785 /*
1786 * Retrieve various parameters about the SSL engine.
1787 */
ssl_get_config(int offset)1788 EXP_FUNC int STDCALL ssl_get_config(int offset)
1789 {
1790 switch (offset)
1791 {
1792 /* return the appropriate build mode */
1793 case SSL_BUILD_MODE:
1794 #if defined(CONFIG_SSL_FULL_MODE)
1795 return SSL_BUILD_FULL_MODE;
1796 #elif defined(CONFIG_SSL_ENABLE_CLIENT)
1797 return SSL_BUILD_ENABLE_CLIENT;
1798 #elif defined(CONFIG_ENABLE_VERIFICATION)
1799 return SSL_BUILD_ENABLE_VERIFICATION;
1800 #elif defined(CONFIG_SSL_SERVER_ONLY )
1801 return SSL_BUILD_SERVER_ONLY;
1802 #else
1803 return SSL_BUILD_SKELETON_MODE;
1804 #endif
1805
1806 case SSL_MAX_CERT_CFG_OFFSET:
1807 return CONFIG_SSL_MAX_CERTS;
1808
1809 #ifdef CONFIG_SSL_CERT_VERIFICATION
1810 case SSL_MAX_CA_CERT_CFG_OFFSET:
1811 return CONFIG_X509_MAX_CA_CERTS;
1812 #endif
1813 #ifdef CONFIG_SSL_HAS_PEM
1814 case SSL_HAS_PEM:
1815 return 1;
1816 #endif
1817 default:
1818 return 0;
1819 }
1820 }
1821
1822 #ifdef CONFIG_SSL_CERT_VERIFICATION
1823 /**
1824 * Authenticate a received certificate.
1825 */
ssl_verify_cert(const SSL * ssl)1826 EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl)
1827 {
1828 int ret;
1829 SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
1830 ret = x509_verify(ssl->ssl_ctx->ca_cert_ctx, ssl->x509_ctx);
1831 SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
1832
1833 if (ret) /* modify into an SSL error type */
1834 {
1835 ret = SSL_X509_ERROR(ret);
1836 }
1837
1838 return ret;
1839 }
1840
1841 /**
1842 * Process a certificate message.
1843 */
process_certificate(SSL * ssl,X509_CTX ** x509_ctx)1844 int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
1845 {
1846 int ret = SSL_OK;
1847 uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
1848 int pkt_size = ssl->bm_index;
1849 int cert_size, offset = 5;
1850 int total_cert_size = (buf[offset]<<8) + buf[offset+1];
1851 int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
1852 X509_CTX **chain = x509_ctx;
1853 offset += 2;
1854
1855 PARANOIA_CHECK(total_cert_size, offset);
1856
1857 while (offset < total_cert_size)
1858 {
1859 offset++; /* skip empty char */
1860 cert_size = (buf[offset]<<8) + buf[offset+1];
1861 offset += 2;
1862
1863 if (x509_new(&buf[offset], NULL, chain))
1864 {
1865 ret = SSL_ERROR_BAD_CERTIFICATE;
1866 goto error;
1867 }
1868
1869 chain = &((*chain)->next);
1870 offset += cert_size;
1871 }
1872
1873 PARANOIA_CHECK(pkt_size, offset);
1874
1875 /* if we are client we can do the verify now or later */
1876 if (is_client && !IS_SET_SSL_FLAG(SSL_SERVER_VERIFY_LATER))
1877 {
1878 ret = ssl_verify_cert(ssl);
1879 }
1880
1881 ssl->next_state = is_client ? HS_SERVER_HELLO_DONE : HS_CLIENT_KEY_XCHG;
1882 ssl->dc->bm_proc_index += offset;
1883 error:
1884 return ret;
1885 }
1886
1887 #endif /* CONFIG_SSL_CERT_VERIFICATION */
1888
1889 /**
1890 * Debugging routine to display SSL handshaking stuff.
1891 */
1892 #ifdef CONFIG_SSL_FULL_MODE
1893 /**
1894 * Debugging routine to display SSL states.
1895 */
DISPLAY_STATE(SSL * ssl,int is_send,uint8_t state,int not_ok)1896 void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok)
1897 {
1898 const char *str;
1899
1900 if (!IS_SET_SSL_FLAG(SSL_DISPLAY_STATES))
1901 return;
1902
1903 printf(not_ok ? "Error - invalid State:\t" : "State:\t");
1904 printf(is_send ? "sending " : "receiving ");
1905
1906 switch (state)
1907 {
1908 case HS_HELLO_REQUEST:
1909 str = "Hello Request (0)";
1910 break;
1911
1912 case HS_CLIENT_HELLO:
1913 str = "Client Hello (1)";
1914 break;
1915
1916 case HS_SERVER_HELLO:
1917 str = "Server Hello (2)";
1918 break;
1919
1920 case HS_CERTIFICATE:
1921 str = "Certificate (11)";
1922 break;
1923
1924 case HS_SERVER_KEY_XCHG:
1925 str = "Certificate Request (12)";
1926 break;
1927
1928 case HS_CERT_REQ:
1929 str = "Certificate Request (13)";
1930 break;
1931
1932 case HS_SERVER_HELLO_DONE:
1933 str = "Server Hello Done (14)";
1934 break;
1935
1936 case HS_CERT_VERIFY:
1937 str = "Certificate Verify (15)";
1938 break;
1939
1940 case HS_CLIENT_KEY_XCHG:
1941 str = "Client Key Exchange (16)";
1942 break;
1943
1944 case HS_FINISHED:
1945 str = "Finished (16)";
1946 break;
1947
1948 default:
1949 str = "Error (Unknown)";
1950
1951 break;
1952 }
1953
1954 printf("%s\n", str);
1955 TTY_FLUSH();
1956 }
1957
1958 /**
1959 * Debugging routine to display RSA objects
1960 */
DISPLAY_RSA(SSL * ssl,const RSA_CTX * rsa_ctx)1961 void DISPLAY_RSA(SSL *ssl, const RSA_CTX *rsa_ctx)
1962 {
1963 if (!IS_SET_SSL_FLAG(SSL_DISPLAY_RSA))
1964 return;
1965
1966 RSA_print(rsa_ctx);
1967 TTY_FLUSH();
1968 }
1969
1970 /**
1971 * Debugging routine to display SSL handshaking bytes.
1972 */
DISPLAY_BYTES(SSL * ssl,const char * format,const uint8_t * data,int size,...)1973 void DISPLAY_BYTES(SSL *ssl, const char *format,
1974 const uint8_t *data, int size, ...)
1975 {
1976 va_list(ap);
1977
1978 if (!IS_SET_SSL_FLAG(SSL_DISPLAY_BYTES))
1979 return;
1980
1981 va_start(ap, size);
1982 print_blob(format, data, size, va_arg(ap, char *));
1983 va_end(ap);
1984 TTY_FLUSH();
1985 }
1986
1987 /**
1988 * Debugging routine to display SSL handshaking errors.
1989 */
ssl_display_error(int error_code)1990 EXP_FUNC void STDCALL ssl_display_error(int error_code)
1991 {
1992 if (error_code == SSL_OK)
1993 return;
1994
1995 printf("Error: ");
1996
1997 /* X509 error? */
1998 if (error_code < SSL_X509_OFFSET)
1999 {
2000 printf("%s\n", x509_display_error(error_code - SSL_X509_OFFSET));
2001 return;
2002 }
2003
2004 /* SSL alert error code */
2005 if (error_code > SSL_ERROR_CONN_LOST)
2006 {
2007 printf("SSL error %d\n", -error_code);
2008 return;
2009 }
2010
2011 switch (error_code)
2012 {
2013 case SSL_ERROR_DEAD:
2014 printf("connection dead");
2015 break;
2016
2017 case SSL_ERROR_INVALID_HANDSHAKE:
2018 printf("invalid handshake");
2019 break;
2020
2021 case SSL_ERROR_INVALID_PROT_MSG:
2022 printf("invalid protocol message");
2023 break;
2024
2025 case SSL_ERROR_INVALID_HMAC:
2026 printf("invalid mac");
2027 break;
2028
2029 case SSL_ERROR_INVALID_VERSION:
2030 printf("invalid version");
2031 break;
2032
2033 case SSL_ERROR_INVALID_SESSION:
2034 printf("invalid session");
2035 break;
2036
2037 case SSL_ERROR_NO_CIPHER:
2038 printf("no cipher");
2039 break;
2040
2041 case SSL_ERROR_CONN_LOST:
2042 printf("connection lost");
2043 break;
2044
2045 case SSL_ERROR_BAD_CERTIFICATE:
2046 printf("bad certificate");
2047 break;
2048
2049 case SSL_ERROR_INVALID_KEY:
2050 printf("invalid key");
2051 break;
2052
2053 case SSL_ERROR_FINISHED_INVALID:
2054 printf("finished invalid");
2055 break;
2056
2057 case SSL_ERROR_NO_CERT_DEFINED:
2058 printf("no certificate defined");
2059 break;
2060
2061 case SSL_ERROR_NO_CLIENT_RENOG:
2062 printf("client renegotiation not supported");
2063 break;
2064
2065 case SSL_ERROR_NOT_SUPPORTED:
2066 printf("Option not supported");
2067 break;
2068
2069 default:
2070 printf("undefined as yet - %d", error_code);
2071 break;
2072 }
2073
2074 printf("\n");
2075 TTY_FLUSH();
2076 }
2077
2078 /**
2079 * Debugging routine to display alerts.
2080 */
DISPLAY_ALERT(SSL * ssl,int alert)2081 void DISPLAY_ALERT(SSL *ssl, int alert)
2082 {
2083 if (!IS_SET_SSL_FLAG(SSL_DISPLAY_STATES))
2084 return;
2085
2086 printf("Alert: ");
2087
2088 switch (alert)
2089 {
2090 case SSL_ALERT_CLOSE_NOTIFY:
2091 printf("close notify");
2092 break;
2093
2094 case SSL_ALERT_INVALID_VERSION:
2095 printf("invalid version");
2096 break;
2097
2098 case SSL_ALERT_BAD_CERTIFICATE:
2099 printf("bad certificate");
2100 break;
2101
2102 case SSL_ALERT_UNEXPECTED_MESSAGE:
2103 printf("unexpected message");
2104 break;
2105
2106 case SSL_ALERT_BAD_RECORD_MAC:
2107 printf("bad record mac");
2108 break;
2109
2110 case SSL_ALERT_HANDSHAKE_FAILURE:
2111 printf("handshake failure");
2112 break;
2113
2114 case SSL_ALERT_ILLEGAL_PARAMETER:
2115 printf("illegal parameter");
2116 break;
2117
2118 case SSL_ALERT_DECODE_ERROR:
2119 printf("decode error");
2120 break;
2121
2122 case SSL_ALERT_DECRYPT_ERROR:
2123 printf("decrypt error");
2124 break;
2125
2126 case SSL_ALERT_NO_RENEGOTIATION:
2127 printf("no renegotiation");
2128 break;
2129
2130 default:
2131 printf("alert - (unknown %d)", alert);
2132 break;
2133 }
2134
2135 printf("\n");
2136 TTY_FLUSH();
2137 }
2138
2139 #endif /* CONFIG_SSL_FULL_MODE */
2140
2141 /**
2142 * Return the version of this library.
2143 */
ssl_version()2144 EXP_FUNC const char * STDCALL ssl_version()
2145 {
2146 static const char * axtls_version = AXTLS_VERSION;
2147 return axtls_version;
2148 }
2149
2150 /**
2151 * Enable the various language bindings to work regardless of the
2152 * configuration - they just return an error statement and a bad return code.
2153 */
2154 #if !defined(CONFIG_SSL_FULL_MODE)
ssl_display_error(int error_code)2155 EXP_FUNC void STDCALL ssl_display_error(int error_code) {}
2156 #endif
2157
2158 #ifdef CONFIG_BINDINGS
2159 #if !defined(CONFIG_SSL_ENABLE_CLIENT)
ssl_client_new(SSL_CTX * ssl_ctx,int client_fd,const uint8_t * session_id,uint8_t sess_id_size)2160 EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
2161 uint8_t *session_id, uint8_t sess_id_size)
2162 {
2163 printf(unsupported_str);
2164 return NULL;
2165 }
2166 #endif
2167
2168 #if !defined(CONFIG_SSL_CERT_VERIFICATION)
ssl_verify_cert(const SSL * ssl)2169 EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl)
2170 {
2171 printf(unsupported_str);
2172 return -1;
2173 }
2174
2175
ssl_get_cert_dn(const SSL * ssl,int component)2176 EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
2177 {
2178 printf(unsupported_str);
2179 return NULL;
2180 }
2181
ssl_get_cert_subject_alt_dnsname(const SSL * ssl,int index)2182 EXP_FUNC const char * STDCALL ssl_get_cert_subject_alt_dnsname(const SSL *ssl, int index)
2183 {
2184 printf(unsupported_str);
2185 return NULL;
2186 }
2187
2188 #endif /* CONFIG_SSL_CERT_VERIFICATION */
2189
2190 #endif /* CONFIG_BINDINGS */
2191
2192