search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Tomato 1.26
[tomato.git] / release / src / router / matrixssl / src / sslEncode.c
blob605a3a499c66290f5997e9cb9508390c8bf20f30
1 /*
2 * sslEncode.c
3 * Release $Name: MATRIXSSL_1_8_8_OPEN $
4 *
5 * Secure Sockets Layer message encoding
6 */
7 /*
8 * Copyright (c) PeerSec Networks, 2002-2009. All Rights Reserved.
9 * The latest version of this code is available at http://www.matrixssl.org
10 *
11 * This software is open source; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This General Public License does NOT permit incorporating this software
17 * into proprietary programs. If you are unable to comply with the GPL, a
18 * commercial license for this software may be purchased from PeerSec Networks
19 * at http://www.peersec.com
20 *
21 * This program is distributed in WITHOUT ANY WARRANTY; without even the
22 * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
23 * See the GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
28 * http://www.gnu.org/copyleft/gpl.html
29 */
30 /******************************************************************************/
31
32 #include "matrixInternal.h"
33
34 /******************************************************************************/
35
36 static int32 writeCertificate(ssl_t *ssl, sslBuf_t *out, int32 notEmpty);
37 static int32 writeChangeCipherSpec(ssl_t *ssl, sslBuf_t *out);
38 static int32 writeFinished(ssl_t *ssl, sslBuf_t *out);
39 static int32 writeAlert(ssl_t *ssl, unsigned char level,
40 unsigned char description, sslBuf_t *out);
41 static int32 writeRecordHeader(ssl_t *ssl, int32 type, int32 hsType, int32 *messageSize,
42 char *padLen, unsigned char **encryptStart,
43 unsigned char **end, unsigned char **c);
44
45 static int32 encryptRecord(ssl_t *ssl, int32 type, int32 messageSize, int32 padLen,
46 unsigned char *encryptStart, sslBuf_t *out,
47 unsigned char **c);
48
49 #ifdef USE_CLIENT_SIDE_SSL
50 static int32 writeClientKeyExchange(ssl_t *ssl, sslBuf_t *out);
51 #endif /* USE_CLIENT_SIDE_SSL */
52
53 #ifdef USE_SERVER_SIDE_SSL
54 static int32 writeServerHello(ssl_t *ssl, sslBuf_t *out);
55 static int32 writeServerHelloDone(ssl_t *ssl, sslBuf_t *out);
56 #endif /* USE_SERVER_SIDE_SSL */
57
58
59 static int32 secureWriteAdditions(ssl_t *ssl, int32 numRecs);
60
61 /******************************************************************************/
62 /*
63 Encode the incoming data into the out buffer for sending to remote peer.
64
65 FUTURE SECURITY - If sending the first application data record, we could
66 prepend it with a blank SSL record to avoid a timing attack. We're fine
67 for now, because this is an impractical attack and the solution is
68 incompatible with some SSL implementations (including some versions of IE).
69 http://www.openssl.org/~bodo/tls-cbc.txt
70 */
71 int32 matrixSslEncode(ssl_t *ssl, unsigned char *in, int32 inlen, sslBuf_t *out)
72 {
73 unsigned char *c, *end, *encryptStart;
74 char padLen;
75 int32 messageSize, rc;
76 /*
77 If we've had a protocol error, don't allow further use of the session
78 Also, don't allow a application data record to be encoded unless the
79 handshake is complete.
80 */
81 if (ssl->flags & SSL_FLAGS_ERROR || ssl->hsState != SSL_HS_DONE ||
82 ssl->flags & SSL_FLAGS_CLOSED) {
83 return SSL_ERROR;
84 }
85 c = out->end;
86 end = out->buf + out->size;
87 messageSize = ssl->recordHeadLen + inlen;
88
89 /*
90 Validate size constraint
91 */
92 if (messageSize > SSL_MAX_BUF_SIZE) {
93 return SSL_ERROR;
94 }
95
96 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_APPLICATION_DATA, 0,
97 &messageSize, &padLen, &encryptStart, &end, &c)) < 0) {
98 return rc;
99 }
100
101 memcpy(c, in, inlen);
102 c += inlen;
103
104 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_APPLICATION_DATA,
105 messageSize, padLen, encryptStart, out, &c)) < 0) {
106 return rc;
107 }
108 out->end = c;
109
110 return (int32)(out->end - out->start);
111 }
112
113 /******************************************************************************/
114 /*
115 We indicate to the caller through return codes in sslDecode when we need
116 to write internal data to the remote host. The caller will call this
117 function to generate a message appropriate to our state.
118 */
119 int32 sslEncodeResponse(ssl_t *ssl, sslBuf_t *out)
120 {
121 int32 messageSize;
122 int32 rc = SSL_ERROR;
123 #ifdef USE_SERVER_SIDE_SSL
124 int32 totalCertLen, i;
125 sslLocalCert_t *cert;
126 #endif /* USE_SERVER_SIDE_SSL */
127 #ifdef USE_CLIENT_SIDE_SSL
128 int32 ckeSize;
129 #endif /* USE_CLIENT_SIDE_SSL */
130
131 /*
132 We may be trying to encode an alert response if there is an error marked
133 on the connection.
134 */
135 if (ssl->err != SSL_ALERT_NONE) {
136 rc = writeAlert(ssl, SSL_ALERT_LEVEL_FATAL, ssl->err, out);
137 if (rc == SSL_ERROR) {
138 ssl->flags |= SSL_FLAGS_ERROR;
139 }
140 return rc;
141 }
142
143
144 /*
145 We encode a set of response messages based on our current state
146 We have to pre-verify the size of the outgoing buffer against
147 all the messages to make the routine transactional. If the first
148 write succeeds and the second fails because of size, we cannot
149 rollback the state of the cipher and MAC.
150 */
151 switch (ssl->hsState) {
152 /*
153 If we're waiting for the ClientKeyExchange message, then we need to
154 send the messages that would prompt that result on the client
155 */
156 #ifdef USE_SERVER_SIDE_SSL
157 case SSL_HS_CLIENT_KEY_EXCHANGE:
158
159 /*
160 This is the entry point for a server encoding the first flight
161 of a non-DH, non-client-auth handshake.
162 */
163 totalCertLen = 0;
164 cert = &ssl->keys->cert;
165 for (i = 0; cert != NULL; i++) {
166 totalCertLen += cert->certLen;
167 cert = cert->next;
168 }
169 messageSize =
170 3 * ssl->recordHeadLen +
171 3 * ssl->hshakeHeadLen +
172 38 + SSL_MAX_SESSION_ID_SIZE + /* server hello */
173 3 + (i * 3) + totalCertLen; /* certificate */
174
175
176 messageSize += secureWriteAdditions(ssl, 3);
177
178 if ((out->buf + out->size) - out->end < messageSize) {
179 return SSL_FULL;
180 }
181 /*
182 Message size complete. Begin the flight write
183 */
184 rc = writeServerHello(ssl, out);
185
186 if (rc == SSL_SUCCESS) {
187 rc = writeCertificate(ssl, out, 1);
188 }
189
190 if (rc == SSL_SUCCESS) {
191 rc = writeServerHelloDone(ssl, out);
192 }
193 break;
194
195 #endif /* USE_SERVER_SIDE_SSL */
196
197 /*
198 If we're not waiting for any message from client, then we need to
199 send our finished message
200 */
201 case SSL_HS_DONE:
202 messageSize = 2 * ssl->recordHeadLen +
203 ssl->hshakeHeadLen +
204 1 + /* change cipher spec */
205 SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE; /* finished */
206 /*
207 Account for possible overhead in CCS message with secureWriteAdditions
208 then always account for the encrypted FINISHED message
209 */
210 messageSize += secureWriteAdditions(ssl, 1);
211 messageSize += ssl->enMacSize + /* handshake msg hash */
212 (ssl->cipher->blockSize - 1); /* max padding */
213
214 if ((out->buf + out->size) - out->end < messageSize) {
215 return SSL_FULL;
216 }
217 rc = writeChangeCipherSpec(ssl, out);
218 if (rc == SSL_SUCCESS) {
219 rc = writeFinished(ssl, out);
220 }
221 break;
222 /*
223 If we're expecting a Finished message, as a server we're doing
224 session resumption. As a client, we're completing a normal
225 handshake
226 */
227 case SSL_HS_FINISHED:
228 #ifdef USE_SERVER_SIDE_SSL
229 if (ssl->flags & SSL_FLAGS_SERVER) {
230 messageSize =
231 3 * ssl->recordHeadLen +
232 2 * ssl->hshakeHeadLen +
233 38 + SSL_MAX_SESSION_ID_SIZE + /* server hello */
234 1 + /* change cipher spec */
235 SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE; /* finished */
236 /*
237 Account for possible overhead with secureWriteAdditions
238 then always account for the encrypted FINISHED message
239 */
240 messageSize += secureWriteAdditions(ssl, 2);
241 messageSize += ssl->enMacSize + /* handshake msg hash */
242 (ssl->cipher->blockSize - 1); /* max padding */
243 if ((out->buf + out->size) - out->end < messageSize) {
244 return SSL_FULL;
245 }
246 rc = writeServerHello(ssl, out);
247 if (rc == SSL_SUCCESS) {
248 rc = writeChangeCipherSpec(ssl, out);
249 }
250 if (rc == SSL_SUCCESS) {
251 rc = writeFinished(ssl, out);
252 }
253 }
254 #endif /* USE_SERVER_SIDE_SSL */
255 #ifdef USE_CLIENT_SIDE_SSL
256 /*
257 Encode entry point for client side final flight encodes.
258 First task here is to find out size of ClientKeyExchange message
259 */
260 if (!(ssl->flags & SSL_FLAGS_SERVER)) {
261 ckeSize = 0;
262 /*
263 Normal RSA auth cipher suite case
264 */
265 if (ssl->sec.cert == NULL) {
266 ssl->flags |= SSL_FLAGS_ERROR;
267 return SSL_ERROR;
268 }
269 ckeSize = ssl->sec.cert->publicKey.size;
270
271 messageSize = 0;
272 /*
273 Client authentication requires the client to send a CERTIFICATE
274 and CERTIFICATE_VERIFY message. Account for the length. It
275 is possible the client didn't have a match for the requested cert.
276 Send an empty certificate message in that case (or alert for SSLv3)
277 */
278 if (ssl->flags & SSL_FLAGS_CLIENT_AUTH) {
279 if (ssl->sec.certMatch > 0) {
280 /*
281 Account for the certificate and certificateVerify messages
282 */
283 messageSize += 6 + (2 * ssl->recordHeadLen) +
284 (2 * ssl->hshakeHeadLen) + ssl->keys->cert.certLen +
285 2 + ssl->keys->cert.privKey->size;
286 } else {
287 /*
288 SSLv3 sends a no_certificate warning alert for no match
289 */
290 if (ssl->majVer == SSL3_MAJ_VER
291 && ssl->minVer == SSL3_MIN_VER) {
292 messageSize += 2 + ssl->recordHeadLen;
293 } else {
294 /*
295 TLS just sends an empty certificate message
296 */
297 messageSize += 3 + ssl->recordHeadLen +
298 ssl->hshakeHeadLen;
299 }
300 }
301 }
302 /*
303 Account for the header and message size for all records. The
304 finished message will always be encrypted, so account for one
305 largest possible MAC size and block size. Minus one
306 for padding. The finished message is not accounted for in the
307 writeSecureAddition calls below since it is accounted for here.
308 */
309 messageSize +=
310 3 * ssl->recordHeadLen +
311 2 * ssl->hshakeHeadLen + /* change cipher has no hsHead */
312 ckeSize + /* client key exchange */
313 1 + /* change cipher spec */
314 SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE + /* SSLv3 finished */
315 SSL_MAX_MAC_SIZE + SSL_MAX_BLOCK_SIZE - 1;
316 if (ssl->flags & SSL_FLAGS_CLIENT_AUTH) {
317 /*
318 Secure write for ClientKeyExchange, ChangeCipherSpec,
319 Certificate, and CertificateVerify. Don't account for
320 Certificate and/or CertificateVerify message if no auth cert.
321 This will also cover the NO_CERTIFICATE alert sent in
322 replacement of the NULL certificate message in SSLv3.
323 */
324 if (ssl->sec.certMatch > 0) {
325 messageSize += secureWriteAdditions(ssl, 4);
326 } else {
327 messageSize += secureWriteAdditions(ssl, 3);
328 }
329 } else {
330 messageSize += secureWriteAdditions(ssl, 2);
331 }
332
333
334 /*
335 The actual buffer size test to hold this flight
336 */
337 if ((out->buf + out->size) - out->end < messageSize) {
338 return SSL_FULL;
339 }
340 rc = SSL_SUCCESS;
341
342 if (ssl->flags & SSL_FLAGS_CLIENT_AUTH) {
343 if (ssl->sec.certMatch == 0 && ssl->majVer == SSL3_MAJ_VER
344 && ssl->minVer == SSL3_MIN_VER) {
345 rc = writeAlert(ssl, SSL_ALERT_LEVEL_WARNING,
346 SSL_ALERT_NO_CERTIFICATE, out);
347 } else {
348 rc = writeCertificate(ssl, out, ssl->sec.certMatch);
349 }
350 }
351
352 if (rc == SSL_SUCCESS) {
353 rc = writeClientKeyExchange(ssl, out);
354 }
355 if (rc == SSL_SUCCESS) {
356 rc = writeChangeCipherSpec(ssl, out);
357 }
358 if (rc == SSL_SUCCESS) {
359 rc = writeFinished(ssl, out);
360 }
361 }
362 #endif /* USE_CLIENT_SIDE_SSL */
363 break;
364 }
365 if (rc == SSL_ERROR) {
366 ssl->flags |= SSL_FLAGS_ERROR;
367 }
368 return rc;
369 }
370
371 /******************************************************************************/
372 /*
373 Message size must account for any additional length a secure-write
374 would add to the message. It would be too late to check length in
375 the writeRecordHeader call since some of the handshake hashing could
376 have already taken place and we can't rewind those hashes.
377 */
378 static int32 secureWriteAdditions(ssl_t *ssl, int32 numRecs)
379 {
380 int32 add = 0;
381 /*
382 There is a slim chance for a false FULL message due to the fact that
383 the maximum padding is being calculated rather than the actual number.
384 Caller must simply grow buffer and try again.
385 */
386 if (ssl->flags & SSL_FLAGS_WRITE_SECURE) {
387 add += (numRecs * ssl->enMacSize) + /* handshake msg hash */
388 (numRecs * (ssl->enBlockSize - 1)); /* max padding */
389 }
390 return add;
391 }
392
393 /******************************************************************************/
394 /*
395 Write out a closure alert message (the only user initiated alert)
396 The user would call this when about to initate a socket close
397 */
398 int32 matrixSslEncodeClosureAlert(ssl_t *ssl, sslBuf_t *out)
399 {
400 /*
401 If we've had a protocol error, don't allow further use of the session
402 */
403 if (ssl->flags & SSL_FLAGS_ERROR) {
404 return SSL_ERROR;
405 }
406 return writeAlert(ssl, SSL_ALERT_LEVEL_WARNING, SSL_ALERT_CLOSE_NOTIFY,
407 out);
408 }
409
410 /******************************************************************************/
411 /*
412 Generic record header construction for alerts, handshake messages, and
413 change cipher spec. Determines message length for encryption and
414 writes out to buffer up to the real message data.
415 */
416 static int32 writeRecordHeader(ssl_t *ssl, int32 type, int32 hsType,
417 int32 *messageSize, char *padLen, unsigned char **encryptStart,
418 unsigned char **end, unsigned char **c)
419 {
420 int32 messageData, msn;
421
422 messageData = *messageSize - ssl->recordHeadLen;
423 if (type == SSL_RECORD_TYPE_HANDSHAKE) {
424 messageData -= ssl->hshakeHeadLen;
425 }
426
427
428 /*
429 If this session is already in a secure-write state, determine padding
430 */
431 *padLen = 0;
432 if (ssl->flags & SSL_FLAGS_WRITE_SECURE) {
433 *messageSize += ssl->enMacSize;
434 *padLen = sslPadLenPwr2(*messageSize - ssl->recordHeadLen,
435 ssl->enBlockSize);
436 *messageSize += *padLen;
437 }
438
439 if (*end - *c < *messageSize) {
440 /*
441 Callers other than sslEncodeResponse do not necessarily check for
442 FULL before calling. We do it here for them.
443 */
444 return SSL_FULL;
445 }
446
447
448 *c += psWriteRecordInfo(ssl, type, *messageSize - ssl->recordHeadLen, *c);
449
450 /*
451 All data written after this point is to be encrypted (if secure-write)
452 */
453 *encryptStart = *c;
454 msn = 0;
455
456
457 /*
458 Handshake records have another header layer to write here
459 */
460 if (type == SSL_RECORD_TYPE_HANDSHAKE) {
461 *c += psWriteHandshakeHeader(ssl, hsType, messageData, msn, 0,
462 messageData, *c);
463 }
464 return 0;
465 }
466
467 /******************************************************************************/
468 /*
469 Encrypt the message using the current cipher. This call is used in
470 conjunction with the writeRecordHeader function above to finish writing
471 an SSL record. Updates handshake hash if necessary, generates message
472 MAC, writes the padding, and does the encrytion.
473 */
474 static int32 encryptRecord(ssl_t *ssl, int32 type, int32 messageSize,
475 int32 padLen, unsigned char *encryptStart,
476 sslBuf_t *out, unsigned char **c)
477 {
478 if (type == SSL_RECORD_TYPE_HANDSHAKE) {
479 sslUpdateHSHash(ssl, encryptStart, (int32)(*c - encryptStart));
480 }
481 *c += ssl->generateMac(ssl, type, encryptStart,
482 (int32)(*c - encryptStart), *c);
483
484 *c += sslWritePad(*c, padLen);
485
486 if (ssl->encrypt(&ssl->sec.encryptCtx, encryptStart, encryptStart,
487 (int32)(*c - encryptStart)) < 0 || *c - out->end != messageSize) {
488 matrixStrDebugMsg("Error encrypting message for write\n", NULL);
489 return SSL_ERROR;
490 }
491
492 return 0;
493 }
494
495 #ifdef USE_SERVER_SIDE_SSL
496 /******************************************************************************/
497 /*
498 Write out the ServerHello message
499 */
500 static int32 writeServerHello(ssl_t *ssl, sslBuf_t *out)
501 {
502 unsigned char *c, *end, *encryptStart;
503 char padLen;
504 int32 messageSize, rc;
505 time_t t;
506
507 c = out->end;
508 end = out->buf + out->size;
509 /*
510 Calculate the size of the message up front, and verify we have room
511 We assume there will be a sessionId in the message, and make adjustments
512 below if there is no sessionId.
513 */
514 messageSize =
515 ssl->recordHeadLen +
516 ssl->hshakeHeadLen +
517 38 + SSL_MAX_SESSION_ID_SIZE;
518
519 /*
520 First 4 bytes of the serverRandom are the unix time to prevent replay
521 attacks, the rest are random
522 */
523 t = time(0);
524 ssl->sec.serverRandom[0] = (unsigned char)((t & 0xFF000000) >> 24);
525 ssl->sec.serverRandom[1] = (unsigned char)((t & 0xFF0000) >> 16);
526 ssl->sec.serverRandom[2] = (unsigned char)((t & 0xFF00) >> 8);
527 ssl->sec.serverRandom[3] = (unsigned char)(t & 0xFF);
528 if (sslGetEntropy(ssl->sec.serverRandom + 4, SSL_HS_RANDOM_SIZE - 4) < 0) {
529 matrixStrDebugMsg("Error gathering serverRandom entropy\n", NULL);
530 return SSL_ERROR;
531 }
532 /*
533 We register session here because at this point the serverRandom value is
534 populated. If we are able to register the session, the sessionID and
535 sessionIdLen fields will be non-NULL, otherwise the session couldn't
536 be registered.
537 */
538 if (!(ssl->flags & SSL_FLAGS_RESUMED)) {
539 matrixRegisterSession(ssl);
540 }
541 messageSize -= (SSL_MAX_SESSION_ID_SIZE - ssl->sessionIdLen);
542
543 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
544 SSL_HS_SERVER_HELLO, &messageSize, &padLen, &encryptStart,
545 &end, &c)) < 0) {
546 return rc;
547 }
548 /*
549 First two fields in the ServerHello message are the major and minor
550 SSL protocol versions we agree to talk with
551 */
552 *c = ssl->majVer; c++;
553 *c = ssl->minVer; c++;
554 /*
555 The next 32 bytes are the server's random value, to be combined with
556 the client random and premaster for key generation later
557 */
558 memcpy(c, ssl->sec.serverRandom, SSL_HS_RANDOM_SIZE);
559 c += SSL_HS_RANDOM_SIZE;
560 /*
561 The next data is a single byte containing the session ID length,
562 and up to 32 bytes containing the session id.
563 First register the session, which will give us a session id and length
564 if not all session slots in the table are used
565 */
566 *c = ssl->sessionIdLen; c++;
567 if (ssl->sessionIdLen > 0) {
568 memcpy(c, ssl->sessionId, ssl->sessionIdLen);
569 c += ssl->sessionIdLen;
570 }
571 /*
572 Two byte cipher suite we've chosen based on the list sent by the client
573 and what we support.
574 One byte compression method (always zero)
575 */
576 *c = (ssl->cipher->id & 0xFF00) >> 8; c++;
577 *c = ssl->cipher->id & 0xFF; c++;
578 *c = 0; c++;
579
580 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
581 padLen, encryptStart, out, &c)) < 0) {
582 return rc;
583 }
584 /*
585 If we're resuming a session, we now have the clientRandom, master and
586 serverRandom, so we can derive keys which we'll be using shortly.
587 */
588 if (ssl->flags & SSL_FLAGS_RESUMED) {
589 sslDeriveKeys(ssl);
590 }
591 /*
592 Verify that we've calculated the messageSize correctly, really this
593 should never fail; it's more of an implementation verification
594 */
595 if (c - out->end != messageSize) {
596 return SSL_ERROR;
597 }
598 out->end = c;
599 return SSL_SUCCESS;
600 }
601
602 /******************************************************************************/
603 /*
604 ServerHelloDone message is a blank handshake message
605 */
606 static int32 writeServerHelloDone(ssl_t *ssl, sslBuf_t *out)
607 {
608 unsigned char *c, *end, *encryptStart;
609 char padLen;
610 int32 messageSize, rc;
611
612 c = out->end;
613 end = out->buf + out->size;
614 messageSize =
615 ssl->recordHeadLen +
616 ssl->hshakeHeadLen;
617
618 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
619 SSL_HS_SERVER_HELLO_DONE, &messageSize, &padLen,
620 &encryptStart, &end, &c)) < 0) {
621 return rc;
622 }
623
624 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
625 padLen, encryptStart, out, &c)) < 0) {
626 return rc;
627 }
628
629 if (c - out->end != messageSize) {
630 matrixStrDebugMsg("Error generating hello done for write\n", NULL);
631 return SSL_ERROR;
632 }
633 out->end = c;
634 return SSL_SUCCESS;
635 }
636
637
638 /******************************************************************************/
639 /*
640 Server initiated rehandshake public API call.
641 */
642 int32 matrixSslEncodeHelloRequest(ssl_t *ssl, sslBuf_t *out)
643 {
644 unsigned char *c, *end, *encryptStart;
645 char padLen;
646 int32 messageSize, rc;
647
648 if (ssl->flags & SSL_FLAGS_ERROR || ssl->flags & SSL_FLAGS_CLOSED) {
649 return SSL_ERROR;
650 }
651 if (!(ssl->flags & SSL_FLAGS_SERVER) || (ssl->hsState != SSL_HS_DONE)) {
652 return SSL_ERROR;
653 }
654
655 c = out->end;
656 end = out->buf + out->size;
657 messageSize =
658 ssl->recordHeadLen +
659 ssl->hshakeHeadLen;
660 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
661 SSL_HS_HELLO_REQUEST, &messageSize, &padLen,
662 &encryptStart, &end, &c)) < 0) {
663 return rc;
664 }
665
666 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
667 padLen, encryptStart, out, &c)) < 0) {
668 return rc;
669 }
670
671 if (c - out->end != messageSize) {
672 matrixStrDebugMsg("Error generating hello request for write\n", NULL);
673 return SSL_ERROR;
674 }
675 out->end = c;
676
677 return SSL_SUCCESS;
678 }
679 #else /* USE_SERVER_SIDE_SSL */
680 int32 matrixSslEncodeHelloRequest(ssl_t *ssl, sslBuf_t *out)
681 {
682 matrixStrDebugMsg("Library not built with USE_SERVER_SIDE_SSL\n", NULL);
683 return -1;
684 }
685 #endif /* USE_SERVER_SIDE_SSL */
686
687 /******************************************************************************/
688 /*
689 Write a Certificate message.
690 The encoding of the message is as follows:
691 3 byte length of certificate data (network byte order)
692 If there is no certificate,
693 3 bytes of 0
694 If there is one certificate,
695 3 byte length of certificate + 3
696 3 byte length of certificate
697 certificate data
698 For more than one certificate:
699 3 byte length of all certificate data
700 3 byte length of first certificate
701 first certificate data
702 3 byte length of second certificate
703 second certificate data
704 Certificate data is the base64 section of an X.509 certificate file
705 in PEM format decoded to binary. No additional interpretation is required.
706 */
707 static int32 writeCertificate(ssl_t *ssl, sslBuf_t *out, int32 notEmpty)
708 {
709 sslLocalCert_t *cert;
710 unsigned char *c, *end, *encryptStart;
711 char padLen;
712 int32 totalCertLen, certLen, lsize, messageSize, i, rc;
713
714
715 c = out->end;
716 end = out->buf + out->size;
717
718 /*
719 Determine total length of certs
720 */
721 totalCertLen = i = 0;
722 if (notEmpty) {
723 cert = &ssl->keys->cert;
724 for (; cert != NULL; i++) {
725 totalCertLen += cert->certLen;
726 cert = cert->next;
727 }
728 }
729 /*
730 Account for the 3 bytes of certChain len for each cert and get messageSize
731 */
732 lsize = 3 + (i * 3);
733 messageSize =
734 ssl->recordHeadLen +
735 ssl->hshakeHeadLen +
736 lsize + totalCertLen;
737
738 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
739 SSL_HS_CERTIFICATE, &messageSize, &padLen, &encryptStart,
740 &end, &c)) < 0) {
741 return rc;
742 }
743
744 /*
745 Write out the certs
746 */
747 *c = ((totalCertLen + (lsize - 3)) & 0xFF0000) >> 16; c++;
748 *c = ((totalCertLen + (lsize - 3)) & 0xFF00) >> 8; c++;
749 *c = ((totalCertLen + (lsize - 3)) & 0xFF); c++;
750
751 if (notEmpty) {
752 cert = &ssl->keys->cert;
753 while (cert) {
754 certLen = cert->certLen;
755 if (certLen > 0) {
756 *c = (certLen & 0xFF0000) >> 16; c++;
757 *c = (certLen & 0xFF00) >> 8; c++;
758 *c = (certLen & 0xFF); c++;
759 memcpy(c, cert->certBin, certLen);
760 c += certLen;
761 }
762 cert = cert->next;
763 }
764 }
765 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
766 padLen, encryptStart, out, &c)) < 0) {
767 return rc;
768 }
769
770 if (c - out->end != messageSize) {
771 matrixStrDebugMsg("Error parsing certificate for write\n", NULL);
772 return SSL_ERROR;
773 }
774 out->end = c;
775 return SSL_SUCCESS;
776 }
777
778 /******************************************************************************/
779 /*
780 Write the ChangeCipherSpec message. It has its own message type
781 and contains just one byte of value one. It is not a handshake
782 message, so it isn't included in the handshake hash.
783 */
784 static int32 writeChangeCipherSpec(ssl_t *ssl, sslBuf_t *out)
785 {
786 unsigned char *c, *end, *encryptStart;
787 char padLen;
788 int32 messageSize, rc;
789
790 c = out->end;
791 end = out->buf + out->size;
792 messageSize = ssl->recordHeadLen + 1;
793
794 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC, 0,
795 &messageSize, &padLen, &encryptStart, &end, &c)) < 0) {
796 return rc;
797 }
798 *c = 1; c++;
799
800 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC,
801 messageSize, padLen, encryptStart, out, &c)) < 0) {
802 return rc;
803 }
804
805 if (c - out->end != messageSize) {
806 matrixStrDebugMsg("Error generating change cipher for write\n", NULL);
807 return SSL_ERROR;
808 }
809 out->end = c;
810 /*
811 After the peer parses the ChangeCipherSpec message, it will expect
812 the next message to be encrypted, so activate encryption on outgoing
813 data now
814 */
815 sslActivateWriteCipher(ssl);
816
817
818 return SSL_SUCCESS;
819 }
820
821 /******************************************************************************/
822 /*
823 Write the Finished message
824 The message contains the 36 bytes, the 16 byte MD5 and 20 byte SHA1 hash
825 of all the handshake messages so far (excluding this one!)
826 */
827 static int32 writeFinished(ssl_t *ssl, sslBuf_t *out)
828 {
829 unsigned char *c, *end, *encryptStart;
830 char padLen;
831 int32 messageSize, verifyLen, rc;
832
833 c = out->end;
834 end = out->buf + out->size;
835 verifyLen = SSL_MD5_HASH_SIZE + SSL_SHA1_HASH_SIZE;
836 messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen + verifyLen;
837
838 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE, SSL_HS_FINISHED,
839 &messageSize, &padLen, &encryptStart, &end, &c)) < 0) {
840 return rc;
841 }
842 /*
843 Output the hash of messages we've been collecting so far into the buffer
844 */
845 c += sslSnapshotHSHash(ssl, c, ssl->flags & SSL_FLAGS_SERVER);
846
847 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
848 padLen, encryptStart, out, &c)) < 0) {
849 return rc;
850 }
851
852 if (c - out->end != messageSize) {
853 matrixStrDebugMsg("Error generating finished for write\n", NULL);
854 return SSL_ERROR;
855 }
856 out->end = c;
857
858
859 #ifdef USE_CLIENT_SIDE_SSL
860 /*
861 Free handshake pool, of which the cert is the primary member.
862 There is also an attempt to free the handshake pool during
863 the reciept of the finished message. Both cases are attempted
864 to keep the lifespan of this pool as short as possible. This
865 is the default case for the client side.
866 */
867 if (ssl->sec.cert) {
868 matrixX509FreeCert(ssl->sec.cert);
869 ssl->sec.cert = NULL;
870 }
871 #endif /* USE_CLIENT_SIDE */
872
873
874 return SSL_SUCCESS;
875 }
876
877 /******************************************************************************/
878 /*
879 Write an Alert message
880 The message contains two bytes: AlertLevel and AlertDescription
881 */
882 static int32 writeAlert(ssl_t *ssl, unsigned char level,
883 unsigned char description, sslBuf_t *out)
884 {
885 unsigned char *c, *end, *encryptStart;
886 char padLen;
887 int32 messageSize, rc;
888
889 c = out->end;
890 end = out->buf + out->size;
891 messageSize = 2 + ssl->recordHeadLen;
892
893 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_ALERT, 0, &messageSize,
894 &padLen, &encryptStart, &end, &c)) < 0) {
895 return rc;
896 }
897 *c = level; c++;
898 *c = description; c++;
899
900 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_ALERT, messageSize,
901 padLen, encryptStart, out, &c)) < 0) {
902 return rc;
903 }
904
905 out->end = c;
906 return SSL_SUCCESS;
907 }
908
909 #ifdef USE_CLIENT_SIDE_SSL
910 /******************************************************************************/
911 /*
912 Write out the ClientHello message to a buffer
913 */
914 int32 matrixSslEncodeClientHello(ssl_t *ssl, sslBuf_t *out,
915 unsigned short cipherSpec)
916 {
917 unsigned char *c, *end, *encryptStart;
918 char padLen;
919 int32 messageSize, rc, cipherLen, cookieLen;
920 time_t t;
921
922 if (ssl->flags & SSL_FLAGS_ERROR || ssl->flags & SSL_FLAGS_CLOSED) {
923 return SSL_ERROR;
924 }
925 if (ssl->flags & SSL_FLAGS_SERVER || (ssl->hsState != SSL_HS_SERVER_HELLO &&
926 ssl->hsState != SSL_HS_DONE &&
927 ssl->hsState != SSL_HS_HELLO_REQUEST )) {
928 return SSL_ERROR;
929 }
930
931 sslInitHSHash(ssl);
932
933 cookieLen = 0;
934 /*
935 If session resumption is being done on a rehandshake, make sure we are
936 sending the same cipher spec as the currently negotiated one. If no
937 resumption, clear the RESUMED flag in case the caller forgot to clear
938 it with matrixSslSetSessionOption.
939 */
940 if (ssl->sessionIdLen > 0) {
941 cipherSpec = ssl->cipher->id;
942 } else {
943 ssl->flags &= ~SSL_FLAGS_RESUMED;
944 }
945
946 /*
947 If a cipher is specified it is two bytes length and two bytes data.
948 */
949 if (cipherSpec == 0) {
950 cipherLen = sslGetCipherSpecListLen();
951 } else {
952 if (sslGetCipherSpec(cipherSpec) == NULL) {
953 matrixIntDebugMsg("Cipher suite not supported: %d\n", cipherSpec);
954 return SSL_ERROR;
955 }
956 cipherLen = 4;
957 }
958
959 c = out->end;
960 end = out->buf + out->size;
961 /*
962 Calculate the size of the message up front, and write header
963 */
964 messageSize = ssl->recordHeadLen + ssl->hshakeHeadLen +
965 5 + SSL_HS_RANDOM_SIZE + ssl->sessionIdLen + cipherLen + cookieLen;
966
967
968 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
969 SSL_HS_CLIENT_HELLO, &messageSize, &padLen, &encryptStart,
970 &end, &c)) < 0) {
971 return rc;
972 }
973
974 /*
975 First 4 bytes of the serverRandom are the unix time to prevent replay
976 attacks, the rest are random
977 */
978
979 t = time(0);
980 ssl->sec.clientRandom[0] = (unsigned char)((t & 0xFF000000) >> 24);
981 ssl->sec.clientRandom[1] = (unsigned char)((t & 0xFF0000) >> 16);
982 ssl->sec.clientRandom[2] = (unsigned char)((t & 0xFF00) >> 8);
983 ssl->sec.clientRandom[3] = (unsigned char)(t & 0xFF);
984 if (sslGetEntropy(ssl->sec.clientRandom + 4, SSL_HS_RANDOM_SIZE - 4) < 0) {
985 matrixStrDebugMsg("Error gathering clientRandom entropy\n", NULL);
986 return SSL_ERROR;
987 }
988 /*
989 First two fields in the ClientHello message are the maximum major
990 and minor SSL protocol versions we support
991 */
992 *c = ssl->majVer; c++;
993 *c = ssl->minVer; c++;
994 /*
995 The next 32 bytes are the server's random value, to be combined with
996 the client random and premaster for key generation later
997 */
998 memcpy(c, ssl->sec.clientRandom, SSL_HS_RANDOM_SIZE);
999 c += SSL_HS_RANDOM_SIZE;
1000 /*
1001 The next data is a single byte containing the session ID length,
1002 and up to 32 bytes containing the session id.
1003 If we are asking to resume a session, then the sessionId would have
1004 been set at session creation time.
1005 */
1006 *c = ssl->sessionIdLen; c++;
1007 if (ssl->sessionIdLen > 0) {
1008 memcpy(c, ssl->sessionId, ssl->sessionIdLen);
1009 c += ssl->sessionIdLen;
1010 }
1011 /*
1012 Write out the length and ciphers we support
1013 Client can request a single specific cipher in the cipherSpec param
1014 */
1015 if (cipherSpec == 0) {
1016 if ((rc = sslGetCipherSpecList(c, (int32)(end - c))) < 0) {
1017 return SSL_FULL;
1018 }
1019 c += rc;
1020 } else {
1021 if ((int32)(end - c) < 4) {
1022 return SSL_FULL;
1023 }
1024 *c = 0; c++;
1025 *c = 2; c++;
1026 *c = (cipherSpec & 0xFF00) >> 8; c++;
1027 *c = cipherSpec & 0xFF; c++;
1028 }
1029 /*
1030 Followed by two bytes (len and compression method (always zero))
1031 */
1032 *c = 1; c++;
1033 *c = 0; c++;
1034
1035
1036 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
1037 padLen, encryptStart, out, &c)) < 0) {
1038 return rc;
1039 }
1040 /*
1041 Verify that we've calculated the messageSize correctly, really this
1042 should never fail; it's more of an implementation verification
1043 */
1044 if (c - out->end != messageSize) {
1045 return SSL_ERROR;
1046 }
1047 out->end = c;
1048
1049 /*
1050 Could be a rehandshake so clean up old context if necessary.
1051 Always explicitly set state to beginning.
1052 */
1053 if (ssl->hsState == SSL_HS_DONE) {
1054 sslResetContext(ssl);
1055 }
1056
1057 /*
1058 Could be a rehandshake on a previous connection that used client auth.
1059 Reset our local client auth state as the server is always the one
1060 responsible for initiating it.
1061 */
1062 ssl->flags &= ~SSL_FLAGS_CLIENT_AUTH;
1063 ssl->hsState = SSL_HS_SERVER_HELLO;
1064 return SSL_SUCCESS;
1065 }
1066
1067 /******************************************************************************/
1068 /*
1069 Write a ClientKeyExchange message.
1070 */
1071 static int32 writeClientKeyExchange(ssl_t *ssl, sslBuf_t *out)
1072 {
1073 unsigned char *c, *end, *encryptStart;
1074 char padLen;
1075 int32 messageSize, keyLen, explicitLen, rc;
1076
1077 c = out->end;
1078 end = out->buf + out->size;
1079 messageSize = keyLen = 0;
1080
1081
1082
1083 /*
1084 Determine messageSize for the record header
1085 */
1086 /* Standard RSA auth suites */
1087 keyLen = ssl->sec.cert->publicKey.size;
1088
1089 messageSize += ssl->recordHeadLen + ssl->hshakeHeadLen + keyLen;
1090 explicitLen = 0;
1091
1092 if ((rc = writeRecordHeader(ssl, SSL_RECORD_TYPE_HANDSHAKE,
1093 SSL_HS_CLIENT_KEY_EXCHANGE, &messageSize, &padLen,
1094 &encryptStart, &end, &c)) < 0) {
1095 return rc;
1096 }
1097
1098 /*
1099 ClientKeyExchange message contains the encrypted premaster secret.
1100 The base premaster is the original SSL protocol version we asked for
1101 followed by 46 bytes of random data.
1102 These 48 bytes are padded to the current RSA key length and encrypted
1103 with the RSA key.
1104 */
1105 if (explicitLen == 1) {
1106
1107 /*
1108 Add the two bytes of key length
1109 */
1110 if (keyLen > 0) {
1111 *c = (keyLen & 0xFF00) >> 8; c++;
1112 *c = (keyLen & 0xFF); c++;
1113 }
1114 }
1115
1116
1117 /*
1118 Standard RSA suite
1119 */
1120 ssl->sec.premasterSize = SSL_HS_RSA_PREMASTER_SIZE;
1121 ssl->sec.premaster = psMalloc(ssl->hsPool,
1122 SSL_HS_RSA_PREMASTER_SIZE);
1123
1124 ssl->sec.premaster[0] = ssl->reqMajVer;
1125 ssl->sec.premaster[1] = ssl->reqMinVer;
1126 if (sslGetEntropy(ssl->sec.premaster + 2,
1127 SSL_HS_RSA_PREMASTER_SIZE - 2) < 0) {
1128 matrixStrDebugMsg("Error gathering premaster entropy\n", NULL);
1129 return SSL_ERROR;
1130 }
1131
1132 sslActivatePublicCipher(ssl);
1133
1134 if (ssl->encryptPub(ssl->hsPool, &(ssl->sec.cert->publicKey),
1135 ssl->sec.premaster, ssl->sec.premasterSize, c,
1136 (int32)(end - c)) != keyLen) {
1137 matrixStrDebugMsg("Error encrypting premaster\n", NULL);
1138 return SSL_FULL;
1139 }
1140
1141 c += keyLen;
1142
1143 if ((rc = encryptRecord(ssl, SSL_RECORD_TYPE_HANDSHAKE, messageSize,
1144 padLen, encryptStart, out, &c)) < 0) {
1145 return rc;
1146 }
1147
1148 if (c - out->end != messageSize) {
1149 matrixStrDebugMsg("Invalid ClientKeyExchange length\n", NULL);
1150 return SSL_ERROR;
1151 }
1152
1153 /*
1154 Now that we've got the premaster secret, derive the various symmetric
1155 keys using it and the client and server random values
1156 */
1157 sslDeriveKeys(ssl);
1158
1159 out->end = c;
1160 return SSL_SUCCESS;
1161 }
1162
1163
1164 #else /* USE_CLIENT_SIDE_SSL */
1165 /******************************************************************************/
1166 /*
1167 Stub out this function rather than ifdef it out in the public header
1168 */
1169 int32 matrixSslEncodeClientHello(ssl_t *ssl, sslBuf_t *out,
1170 unsigned short cipherSpec)
1171 {
1172 matrixStrDebugMsg("Library not built with USE_CLIENT_SIDE_SSL\n", NULL);
1173 return -1;
1174 }
1175 #endif /* USE_CLIENT_SIDE_SSL */
1176
1177
1178 /******************************************************************************/
1179 /*
1180 Write out a SSLv3 record header.
1181 Assumes 'c' points to a buffer of at least SSL3_HEADER_LEN bytes
1182 1 byte type (SSL_RECORD_TYPE_*)
1183 1 byte major version
1184 1 byte minor version
1185 2 bytes length (network byte order)
1186 Returns the number of bytes written
1187 */
1188 int32 psWriteRecordInfo(ssl_t *ssl, unsigned char type, int32 len, unsigned char *c)
1189 {
1190 *c = type; c++;
1191 *c = ssl->majVer; c++;
1192 *c = ssl->minVer; c++;
1193 *c = (len & 0xFF00) >> 8; c++;
1194 *c = (len & 0xFF);
1195
1196 return ssl->recordHeadLen;
1197 }
1198
1199 /******************************************************************************/
1200 /*
1201 Write out an ssl handshake message header.
1202 Assumes 'c' points to a buffer of at least ssl->hshakeHeadLen bytes
1203 1 byte type (SSL_HS_*)
1204 3 bytes length (network byte order)
1205 Returns the number of bytes written
1206 */
1207 int32 psWriteHandshakeHeader(ssl_t *ssl, unsigned char type, int32 len,
1208 int32 seq, int32 fragOffset, int32 fragLen,
1209 unsigned char *c)
1210 {
1211 *c = type; c++;
1212 *c = (len & 0xFF0000) >> 16; c++;
1213 *c = (len & 0xFF00) >> 8; c++;
1214 *c = (len & 0xFF);
1215
1216 return ssl->hshakeHeadLen;
1217 }
1218
1219 /******************************************************************************/
1220 /*
1221 Write pad bytes and pad length per the TLS spec. Most block cipher
1222 padding fills each byte with the number of padding bytes, but SSL/TLS
1223 pretends one of these bytes is a pad length, and the remaining bytes are
1224 filled with that length. The end result is that the padding is identical
1225 to standard padding except the values are one less. For SSLv3 we are not
1226 required to have any specific pad values, but they don't hurt.
1227
1228 PadLen Result
1229 0
1230 1 00
1231 2 01 01
1232 3 02 02 02
1233 4 03 03 03 03
1234 5 04 04 04 04 04
1235 6 05 05 05 05 05 05
1236 7 06 06 06 06 06 06 06
1237 8 07 07 07 07 07 07 07 07
1238
1239 We calculate the length of padding required for a record using
1240 sslPadLenPwr2()
1241 */
1242 int32 sslWritePad(unsigned char *p, unsigned char padLen)
1243 {
1244 unsigned char c = padLen;
1245
1246 while (c-- > 0) {
1247 *p++ = padLen - 1;
1248 }
1249 return padLen;
1250 }
1251
1252 /******************************************************************************/
1253
1254
1255
Tomato firmware and modifications.