File Coverage

inc/matrixssl-3-9-3-open/matrixssl/tls.c

Criterion	Covered	Total	%
statement	127	252	50.4
branch	35	116	30.1
condition			n/a
subroutine			n/a
pod			n/a
total	162	368	44.0

line	stmt	bran	code
1			/**
2			* @file tls.c
3			* @version 950bba4 (HEAD -> master)
4			*
5			* TLS (SSLv3.1+) specific code.
6			* http://www.faqs.org/rfcs/rfc2246.html
7			* Primarily dealing with secret generation, message authentication codes
8			* and handshake hashing.
9			*/
10			/*
11			* Copyright (c) 2013-2017 INSIDE Secure Corporation
12			* Copyright (c) PeerSec Networks, 2002-2011
13			* All Rights Reserved
14			*
15			* The latest version of this code is available at http://www.matrixssl.org
16			*
17			* This software is open source; you can redistribute it and/or modify
18			* it under the terms of the GNU General Public License as published by
19			* the Free Software Foundation; either version 2 of the License, or
20			* (at your option) any later version.
21			*
22			* This General Public License does NOT permit incorporating this software
23			* into proprietary programs. If you are unable to comply with the GPL, a
24			* commercial license for this software may be purchased from INSIDE at
25			* http://www.insidesecure.com/
26			*
27			* This program is distributed in WITHOUT ANY WARRANTY; without even the
28			* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
29			* See the GNU General Public License for more details.
30			*
31			* You should have received a copy of the GNU General Public License
32			* along with this program; if not, write to the Free Software
33			* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
34			* http://www.gnu.org/copyleft/gpl.html
35			*/
36			/******************************************************************************/
37
38			#include "matrixsslImpl.h"
39
40			#ifdef USE_NATIVE_TLS_ALGS
41			/******************************************************************************/
42			# ifdef USE_TLS
43			/******************************************************************************/
44
45			# define LABEL_SIZE 13
46			# define LABEL_MASTERSEC "master secret"
47			# define LABEL_KEY_BLOCK "key expansion"
48
49			# define LABEL_EXT_SIZE 22
50			# define LABEL_EXT_MASTERSEC "extended master secret"
51
52
53	2119		static int32_t genKeyBlock(ssl_t *ssl)
54			{
55			unsigned char msSeed[SSL_HS_RANDOM_SIZE * 2 + LABEL_SIZE];
56			uint32 reqKeyLen;
57	2119		int32_t rc = PS_FAIL;
58
59	2119		memcpy(msSeed, LABEL_KEY_BLOCK, LABEL_SIZE);
60	2119		memcpy(msSeed + LABEL_SIZE, ssl->sec.serverRandom,
61			SSL_HS_RANDOM_SIZE);
62	2119		memcpy(msSeed + LABEL_SIZE + SSL_HS_RANDOM_SIZE,
63	2119		ssl->sec.clientRandom, SSL_HS_RANDOM_SIZE);
64
65			/* We must generate enough key material to fill the various keys */
66	6357		reqKeyLen = 2 * ssl->cipher->macSize +
67	4238		2 * ssl->cipher->keySize +
68	2119		2 * ssl->cipher->ivSize;
69			# ifdef USE_EAP_FAST
70			/**
71			Generate master secret with tprf.
72			Make space for additional key material (session key seed).
73			@see https://tools.ietf.org/html/rfc4851#section-5.1
74			*/
75			if (ssl->flags & SSL_FLAGS_EAP_FAST)
76			{
77			if (ssl->sid == NULL)
78			{
79			goto L_RETURN;
80			}
81			/* sid->masterSecret actually holds pac-key. Use tprf() here
82			to derive session masterSecret, now that we're about to use it.
83			masterSecret is also used after this for the finished message hash */
84			rc = tprf(ssl->sid->masterSecret, EAP_FAST_PAC_KEY_LEN,
85			msSeed + LABEL_SIZE, 2 * SSL_HS_RANDOM_SIZE,
86			ssl->sec.masterSecret);
87			if (rc < 0)
88			{
89			goto L_RETURN;
90			}
91			reqKeyLen += EAP_FAST_SESSION_KEY_SEED_LEN;
92			}
93			# endif
94
95			/* Ensure there's enough room */
96	2119	50	if (reqKeyLen > SSL_MAX_KEY_BLOCK_SIZE)
97			{
98	0		rc = PS_MEM_FAIL;
99	0		goto L_RETURN;
100			}
101
102			# ifdef USE_TLS_1_2
103	2119	50	if (ssl->flags & SSL_FLAGS_TLS_1_2)
104			{
105	2119	50	if ((rc = prf2(ssl->sec.masterSecret, SSL_HS_MASTER_SIZE, msSeed,
106	2119		(SSL_HS_RANDOM_SIZE * 2) + LABEL_SIZE, ssl->sec.keyBlock,
107	2119		reqKeyLen, ssl->cipher->flags)) < 0)
108			{
109	0		goto L_RETURN;
110			}
111			}
112			# ifndef USE_ONLY_TLS_1_2
113			else
114			{
115	0	0	if ((rc = prf(ssl->sec.masterSecret, SSL_HS_MASTER_SIZE, msSeed,
116	0		(SSL_HS_RANDOM_SIZE * 2) + LABEL_SIZE, ssl->sec.keyBlock,
117			reqKeyLen)) < 0)
118			{
119	0		goto L_RETURN;
120			}
121			}
122			# endif
123			# else
124			if ((rc = prf(ssl->sec.masterSecret, SSL_HS_MASTER_SIZE, msSeed,
125			(SSL_HS_RANDOM_SIZE * 2) + LABEL_SIZE, ssl->sec.keyBlock,
126			reqKeyLen)) < 0)
127			{
128			goto L_RETURN;
129			}
130			# endif
131	2119	100	if (ssl->flags & SSL_FLAGS_SERVER)
132			{
133	1059		ssl->sec.rMACptr = ssl->sec.keyBlock;
134	1059		ssl->sec.wMACptr = ssl->sec.rMACptr + ssl->cipher->macSize;
135	1059		ssl->sec.rKeyptr = ssl->sec.wMACptr + ssl->cipher->macSize;
136	1059		ssl->sec.wKeyptr = ssl->sec.rKeyptr + ssl->cipher->keySize;
137	1059		ssl->sec.rIVptr = ssl->sec.wKeyptr + ssl->cipher->keySize;
138	1059		ssl->sec.wIVptr = ssl->sec.rIVptr + ssl->cipher->ivSize;
139			# ifdef USE_EAP_FAST
140			if (ssl->flags & SSL_FLAGS_EAP_FAST)
141			{
142			ssl->sec.eap_fast_session_key_seed = ssl->sec.wIVptr + ssl->cipher->ivSize;
143			}
144			# endif
145			}
146			else
147			{
148	1060		ssl->sec.wMACptr = ssl->sec.keyBlock;
149	1060		ssl->sec.rMACptr = ssl->sec.wMACptr + ssl->cipher->macSize;
150	1060		ssl->sec.wKeyptr = ssl->sec.rMACptr + ssl->cipher->macSize;
151	1060		ssl->sec.rKeyptr = ssl->sec.wKeyptr + ssl->cipher->keySize;
152	1060		ssl->sec.wIVptr = ssl->sec.rKeyptr + ssl->cipher->keySize;
153	1060		ssl->sec.rIVptr = ssl->sec.wIVptr + ssl->cipher->ivSize;
154			# ifdef USE_EAP_FAST
155			if (ssl->flags & SSL_FLAGS_EAP_FAST)
156			{
157			ssl->sec.eap_fast_session_key_seed = ssl->sec.rIVptr + ssl->cipher->ivSize;
158			}
159			# endif
160			}
161
162	2119		rc = SSL_HS_MASTER_SIZE;
163
164			L_RETURN:
165	2119		memzero_s(msSeed, sizeof(msSeed));
166	2119	50	if (rc < 0)
167			{
168	0		memzero_s(ssl->sec.masterSecret, SSL_HS_MASTER_SIZE);
169	0		memzero_s(ssl->sec.keyBlock, SSL_MAX_KEY_BLOCK_SIZE);
170			}
171	2119		return rc;
172			}
173
174			/******************************************************************************/
175			/*
176			* Generates all key material.
177			*/
178	4		int32_t tlsDeriveKeys(ssl_t *ssl)
179			{
180			unsigned char msSeed[SSL_HS_RANDOM_SIZE * 2 + LABEL_SIZE];
181	4		int32_t rc = PS_FAIL;
182
183			# ifdef USE_DTLS
184			if (ssl->flags & SSL_FLAGS_DTLS && ssl->retransmit == 1)
185			{
186			/* The keyblock is still valid from the first pass */
187			return SSL_HS_MASTER_SIZE;
188			}
189			# endif
190			/*
191			If this session is resumed, we want to reuse the master secret to
192			regenerate the key block with the new random values.
193			*/
194	4	50	if (ssl->flags & SSL_FLAGS_RESUMED)
195			{
196	4		return genKeyBlock(ssl);
197			}
198			# ifdef USE_EAP_FAST
199			/* We should only do EAP_FAST key derivation on resumed connections */
200			if (ssl->flags & SSL_FLAGS_EAP_FAST)
201			{
202			return PS_FAIL;
203			}
204			# endif
205
206			/*
207			master_secret = PRF(pre_master_secret, "master secret",
208			client_random + server_random);
209			*/
210	0		memcpy(msSeed, LABEL_MASTERSEC, LABEL_SIZE);
211	0		memcpy(msSeed + LABEL_SIZE, ssl->sec.clientRandom,
212			SSL_HS_RANDOM_SIZE);
213	0		memcpy(msSeed + LABEL_SIZE + SSL_HS_RANDOM_SIZE,
214	0		ssl->sec.serverRandom, SSL_HS_RANDOM_SIZE);
215
216			# ifdef USE_TLS_1_2
217	0	0	if (ssl->flags & SSL_FLAGS_TLS_1_2)
218			{
219	0	0	if ((rc = prf2(ssl->sec.premaster, ssl->sec.premasterSize, msSeed,
220	0		(SSL_HS_RANDOM_SIZE * 2) + LABEL_SIZE, ssl->sec.masterSecret,
221	0		SSL_HS_MASTER_SIZE, ssl->cipher->flags)) < 0)
222			{
223	0		return rc;
224			}
225			# ifndef USE_ONLY_TLS_1_2
226			}
227			else
228			{
229	0	0	if ((rc = prf(ssl->sec.premaster, ssl->sec.premasterSize, msSeed,
230	0		(SSL_HS_RANDOM_SIZE * 2) + LABEL_SIZE, ssl->sec.masterSecret,
231			SSL_HS_MASTER_SIZE)) < 0)
232			{
233	0		return rc;
234			}
235			# endif
236			}
237			# else
238			if ((rc = prf(ssl->sec.premaster, ssl->sec.premasterSize, msSeed,
239			(SSL_HS_RANDOM_SIZE * 2) + LABEL_SIZE, ssl->sec.masterSecret,
240			SSL_HS_MASTER_SIZE)) < 0)
241			{
242			return rc;
243			}
244			# endif
245
246			# ifdef USE_DTLS
247			if (ssl->flags & SSL_FLAGS_DTLS)
248			{
249			/*
250			May need premaster for retransmits. DTLS will free this when handshake
251			is known to be complete
252			*/
253			return genKeyBlock(ssl);
254			}
255			# endif /* USE_DTLS */
256			/*
257			premaster is now allocated for DH reasons. Can free here
258			*/
259	0		psFree(ssl->sec.premaster, ssl->hsPool);
260	0		ssl->sec.premaster = NULL;
261	0		ssl->sec.premasterSize = 0;
262
263	4		return genKeyBlock(ssl);
264			}
265
266			/* Master secret generation if extended_master_secret extension is used */
267	2115		int32_t tlsExtendedDeriveKeys(ssl_t *ssl)
268			{
269			unsigned char msSeed[SHA384_HASHLEN + LABEL_EXT_SIZE];
270			unsigned char hash[SHA384_HASHLEN];
271			uint32_t outLen;
272	2115		int32_t rc = PS_FAIL;
273
274			# ifdef USE_DTLS
275			if (ssl->flags & SSL_FLAGS_DTLS && ssl->retransmit == 1)
276			{
277			/* The keyblock is still valid from the first pass */
278			return SSL_HS_MASTER_SIZE;
279			}
280			# endif
281			/*
282			If this session is resumed, we should reuse the master_secret to
283			regenerate the key block with the new random values. We should not
284			be here regenerating the master_secret!
285			*/
286	2115	50	if (ssl->extFlags.extended_master_secret == 0 \|\|
		50
287	2115		ssl->flags & SSL_FLAGS_RESUMED)
288			{
289			psTraceInfo("Invalid invokation of extended key derivation.\n");
290	0		return PS_FAIL;
291			}
292			# ifdef USE_EAP_FAST
293			/* We should only do EAP_FAST key derivation on resumed connections */
294			if (ssl->flags & SSL_FLAGS_EAP_FAST)
295			{
296			return PS_FAIL;
297			}
298			# endif
299
300	2115		extMasterSecretSnapshotHSHash(ssl, hash, &outLen);
301			/*
302			master_secret = PRF(pre_master_secret, "extended master secret",
303			session_hash);
304			*/
305	2115		memcpy(msSeed, LABEL_EXT_MASTERSEC, LABEL_EXT_SIZE);
306	2115		memcpy(msSeed + LABEL_EXT_SIZE, hash, outLen);
307
308			# ifdef USE_TLS_1_2
309	2115	50	if (ssl->flags & SSL_FLAGS_TLS_1_2)
310			{
311	2115	50	if ((rc = prf2(ssl->sec.premaster, ssl->sec.premasterSize, msSeed,
312	2115		outLen + LABEL_EXT_SIZE, ssl->sec.masterSecret,
313	2115		SSL_HS_MASTER_SIZE, ssl->cipher->flags)) < 0)
314			{
315	0		return rc;
316			}
317			# ifndef USE_ONLY_TLS_1_2
318			}
319			else
320			{
321	0	0	if ((rc = prf(ssl->sec.premaster, ssl->sec.premasterSize, msSeed,
322	0		outLen + LABEL_EXT_SIZE, ssl->sec.masterSecret,
323			SSL_HS_MASTER_SIZE)) < 0)
324			{
325	0		return rc;
326			}
327			# endif
328			}
329			# else
330			if ((rc = prf(ssl->sec.premaster, ssl->sec.premasterSize, msSeed,
331			outLen + LABEL_EXT_SIZE, ssl->sec.masterSecret,
332			SSL_HS_MASTER_SIZE)) < 0)
333			{
334			return rc;
335			}
336			# endif
337
338			# ifdef USE_DTLS
339			if (ssl->flags & SSL_FLAGS_DTLS)
340			{
341			/*
342			May need premaster for retransmits. DTLS will free this when handshake
343			is known to be complete
344			*/
345			return genKeyBlock(ssl);
346			}
347			# endif /* USE_DTLS */
348			/*
349			premaster is now allocated for DH reasons. Can free here
350			*/
351	2115		psFree(ssl->sec.premaster, ssl->hsPool);
352	2115		ssl->sec.premaster = NULL;
353	2115		ssl->sec.premasterSize = 0;
354
355	2115		return genKeyBlock(ssl);
356			}
357
358			# ifdef USE_SHA_MAC
359			# ifdef USE_SHA1
360			/******************************************************************************/
361			/*
362			TLS sha1 HMAC generate/verify
363			*/
364	6		int32_t tlsHMACSha1(ssl_t *ssl, int32 mode, unsigned char type,
365			unsigned char data, uint32 len, unsigned char mac)
366			{
367			# ifndef USE_HMAC_TLS
368			psHmacSha1_t ctx;
369			# endif
370			unsigned char key, seq;
371			unsigned char majVer, minVer, tmp[5];
372			int32 i;
373			# ifdef USE_DTLS
374			unsigned char dtls_seq[8];
375			# endif /* USE_DTLS */
376			# ifdef USE_HMAC_TLS
377			uint32 alt_len;
378			# endif /* USE_HMAC_TLS */
379
380	6		majVer = ssl->majVer;
381	6		minVer = ssl->minVer;
382
383	6	100	if (mode == HMAC_CREATE)
384			{
385	3		key = ssl->sec.writeMAC;
386	3		seq = ssl->sec.seq;
387			}
388			else /* HMAC_VERIFY */
389			{
390	3		key = ssl->sec.readMAC;
391	3		seq = ssl->sec.remSeq;
392			}
393
394			/* Sanity */
395	6	50	if (key == NULL)
396			{
397	0		return PS_FAILURE;
398			}
399
400			# ifdef USE_DTLS
401			if (ssl->flags & SSL_FLAGS_DTLS)
402			{
403			if (mode == HMAC_CREATE)
404			{
405			seq = dtls_seq;
406			memcpy(dtls_seq, ssl->epoch, 2);
407			memcpy(dtls_seq + 2, ssl->rsn, 6);
408			}
409			else /* HMAC_VERIFY */
410			{
411			seq = dtls_seq;
412			memcpy(dtls_seq, ssl->rec.epoch, 2);
413			memcpy(dtls_seq + 2, ssl->rec.rsn, 6);
414			}
415			}
416			# endif /* USE_DTLS */
417
418	6		tmp[0] = type;
419	6		tmp[1] = majVer;
420	6		tmp[2] = minVer;
421	6		tmp[3] = (len & 0xFF00) >> 8;
422	6		tmp[4] = len & 0xFF;
423			# ifdef USE_HMAC_TLS
424			# ifdef USE_HMAC_TLS_LUCKY13_COUNTERMEASURE
425			alt_len = mode == HMAC_CREATE ? len : ssl->rec.len;
426			# else
427			alt_len = len;
428			# endif
429			(void) psHmacSha1Tls(key, SHA1_HASH_SIZE,
430			seq, 8,
431			tmp, 5,
432			data, len, alt_len,
433			mac);
434			# else
435	6	50	if (psHmacSha1Init(&ctx, key, SHA1_HASH_SIZE) < 0)
436			{
437	0		return PS_FAIL;
438			}
439	6		psHmacSha1Update(&ctx, seq, 8);
440	6		psHmacSha1Update(&ctx, tmp, 5);
441	6		psHmacSha1Update(&ctx, data, len);
442	6		psHmacSha1Final(&ctx, mac);
443			# endif
444			/* Update seq (only for normal TLS) */
445	6	50	for (i = 7; i >= 0; i--)
446			{
447	6		seq[i]++;
448	6	50	if (seq[i] != 0)
449			{
450	6		break;
451			}
452			}
453	6		return PS_SUCCESS;
454			}
455			# endif /* USE_SHA1 */
456
457			# if defined(USE_HMAC_SHA256) \|\| defined(USE_HMAC_SHA384)
458			/******************************************************************************/
459			/*
460			TLS sha256/sha384 HMAC generate/verify
461			*/
462	0		int32_t tlsHMACSha2(ssl_t *ssl, int32 mode, unsigned char type,
463			unsigned char data, uint32 len, unsigned char mac, int32 hashLen)
464			{
465			# ifndef USE_HMAC_TLS
466			psHmac_t ctx;
467			# endif
468			unsigned char key, seq;
469			unsigned char majVer, minVer, tmp[5];
470			int32 i;
471			# ifdef USE_DTLS
472			unsigned char dtls_seq[8];
473			# endif /* USE_DTLS */
474			# ifdef USE_HMAC_TLS
475			uint32 alt_len;
476			# endif /* USE_HMAC_TLS */
477
478	0		majVer = ssl->majVer;
479	0		minVer = ssl->minVer;
480
481	0	0	if (mode == HMAC_CREATE)
482			{
483	0		key = ssl->sec.writeMAC;
484	0		seq = ssl->sec.seq;
485			}
486			else /* HMAC_VERIFY */
487			{
488	0		key = ssl->sec.readMAC;
489	0		seq = ssl->sec.remSeq;
490			}
491			/* Sanity */
492	0	0	if (key == NULL)
493			{
494	0		return PS_FAILURE;
495			}
496
497			# ifdef USE_DTLS
498			if (ssl->flags & SSL_FLAGS_DTLS)
499			{
500			if (mode == HMAC_CREATE)
501			{
502			seq = dtls_seq;
503			memcpy(dtls_seq, ssl->epoch, 2);
504			memcpy(dtls_seq + 2, ssl->rsn, 6);
505			}
506			else /* HMAC_VERIFY */
507			{
508			seq = dtls_seq;
509			memcpy(dtls_seq, ssl->rec.epoch, 2);
510			memcpy(dtls_seq + 2, ssl->rec.rsn, 6);
511			}
512			}
513			# endif /* USE_DTLS */
514
515	0		tmp[0] = type;
516	0		tmp[1] = majVer;
517	0		tmp[2] = minVer;
518	0		tmp[3] = (len & 0xFF00) >> 8;
519	0		tmp[4] = len & 0xFF;
520
521			# ifdef USE_HMAC_TLS
522			# ifdef USE_HMAC_TLS_LUCKY13_COUNTERMEASURE
523			alt_len = mode == HMAC_CREATE ? len : ssl->rec.len;
524			# else
525			alt_len = len;
526			# endif
527			(void) psHmacSha2Tls(key, hashLen,
528			seq, 8,
529			tmp, 5,
530			data, len, alt_len,
531			mac, hashLen);
532			# else
533	0		switch (hashLen)
534			{
535			case SHA256_HASHLEN:
536	0	0	if (psHmacInit(&ctx, HMAC_SHA256, key, hashLen) < 0)
537			{
538	0		return PS_FAIL;
539			}
540	0		break;
541			case SHA384_HASHLEN:
542	0	0	if (psHmacInit(&ctx, HMAC_SHA384, key, hashLen) < 0)
543			{
544	0		return PS_FAIL;
545			}
546	0		break;
547			default:
548	0		return PS_FAIL;
549			}
550	0		psHmacUpdate(&ctx, seq, 8);
551	0		psHmacUpdate(&ctx, tmp, 5);
552	0		psHmacUpdate(&ctx, data, len);
553	0		psHmacFinal(&ctx, mac);
554			# endif
555			/* Update seq (only for normal TLS) */
556	0	0	for (i = 7; i >= 0; i--)
557			{
558	0		seq[i]++;
559	0	0	if (seq[i] != 0)
560			{
561	0		break;
562			}
563			}
564	0		return PS_SUCCESS;
565			}
566			# endif /* USE_SHA256 \|\| USE_SHA384 */
567			# endif /* USE_SHA_MAC */
568
569			# ifdef USE_MD5
570			# ifdef USE_MD5_MAC
571			/******************************************************************************/
572			/*
573			TLS MD5 HMAC generate/verify
574			*/
575			int32_t tlsHMACMd5(ssl_t *ssl, int32 mode, unsigned char type,
576			unsigned char data, uint32 len, unsigned char mac)
577			{
578			psHmacMd5_t ctx;
579			unsigned char key, seq;
580			unsigned char majVer, minVer, tmp[5];
581			int32 i;
582
583			majVer = ssl->majVer;
584			minVer = ssl->minVer;
585
586			if (mode == HMAC_CREATE)
587			{
588			key = ssl->sec.writeMAC;
589			seq = ssl->sec.seq;
590			}
591			else /* HMAC_VERIFY */
592			{
593			key = ssl->sec.readMAC;
594			seq = ssl->sec.remSeq;
595			}
596			/* Sanity */
597			if (key == NULL)
598			{
599			return PS_FAILURE;
600			}
601
602			if (psHmacMd5Init(&ctx, key, MD5_HASH_SIZE) < 0)
603			{
604			return PS_FAIL;
605			}
606			# ifdef USE_DTLS
607			if (ssl->flags & SSL_FLAGS_DTLS)
608			{
609			if (mode == HMAC_CREATE)
610			{
611			psHmacMd5Update(&ctx, ssl->epoch, 2);
612			psHmacMd5Update(&ctx, ssl->rsn, 6);
613			}
614			else /* HMAC_VERIFY */
615			{
616			psHmacMd5Update(&ctx, ssl->rec.epoch, 2);
617			psHmacMd5Update(&ctx, ssl->rec.rsn, 6);
618			}
619			}
620			else
621			{
622			# endif /* USE_DTLS */
623			psHmacMd5Update(&ctx, seq, 8);
624			for (i = 7; i >= 0; i--)
625			{
626			seq[i]++;
627			if (seq[i] != 0)
628			{
629			break;
630			}
631			}
632			# ifdef USE_DTLS
633			}
634			# endif /* USE_DTLS */
635
636			tmp[0] = type;
637			tmp[1] = majVer;
638			tmp[2] = minVer;
639			tmp[3] = (len & 0xFF00) >> 8;
640			tmp[4] = len & 0xFF;
641			psHmacMd5Update(&ctx, tmp, 5);
642			psHmacMd5Update(&ctx, data, len);
643			psHmacMd5Final(&ctx, mac);
644
645			return PS_SUCCESS;
646			}
647			# endif /* USE_MD5_MAC */
648			# endif /* USE_MD5 */
649			# endif /* USE_TLS */
650
651	4		int32 sslCreateKeys(ssl_t *ssl)
652			{
653			# ifdef USE_TLS
654	4	50	if (ssl->flags & SSL_FLAGS_TLS)
655			{
656	4		return tlsDeriveKeys(ssl);
657			}
658			else
659			{
660			# ifndef DISABLE_SSLV3
661			return sslDeriveKeys(ssl);
662			# else
663	0		return PS_ARG_FAIL;
664			# endif /* DISABLE_SSLV3 */
665			}
666			# else /* SSLv3 only below */
667			# ifndef DISABLE_SSLV3
668			return sslDeriveKeys(ssl);
669			# endif /* DISABLE_SSLV3 */
670			# endif /* USE_TLS */
671			}
672
673			/******************************************************************************/
674			/*
675			Cipher suites are chosen before they are activated with the
676			ChangeCipherSuite message. Additionally, the read and write cipher suites
677			are activated at different times in the handshake process. The following
678			APIs activate the selected cipher suite callback functions.
679			*/
680	24433		int32 sslActivateReadCipher(ssl_t *ssl)
681			{
682
683	24433		ssl->decrypt = ssl->cipher->decrypt;
684	24433		ssl->verifyMac = ssl->cipher->verifyMac;
685	24433		ssl->nativeDeMacSize = ssl->cipher->macSize;
686	24433	50	if (ssl->extFlags.truncated_hmac)
687			{
688	0	0	if (ssl->cipher->macSize > 0) /* Only for HMAC-based ciphers */
689			{
690	0		ssl->deMacSize = 10;
691			}
692			else
693			{
694	0		ssl->deMacSize = ssl->cipher->macSize;
695			}
696			}
697			else
698			{
699	24433		ssl->deMacSize = ssl->cipher->macSize;
700			}
701	24433		ssl->deBlockSize = ssl->cipher->blockSize;
702	24433		ssl->deIvSize = ssl->cipher->ivSize;
703			/*
704			Reset the expected incoming sequence number for the new suite
705			*/
706	24433		memset(ssl->sec.remSeq, 0x0, sizeof(ssl->sec.remSeq));
707
708	24433	100	if (ssl->cipher->ident != SSL_NULL_WITH_NULL_NULL)
709			{
710			/* Sanity */
711	2119	50	if (ssl->sec.rMACptr == NULL)
712			{
713			psTraceInfo("sslActivateReadCipher sanity fail\n");
714	0		return PS_FAILURE;
715			}
716	2119		ssl->flags \|= SSL_FLAGS_READ_SECURE;
717
718			# ifdef USE_TLS_1_2
719	2119	100	if (ssl->deMacSize == 0)
720			{
721			/* Need a concept for AEAD read and write start times for the
722			cases surrounding changeCipherSpec if moving from one suite
723			to another */
724	2117		ssl->flags \|= SSL_FLAGS_AEAD_R;
725	2117	50	if (ssl->cipher->flags & CRYPTO_FLAGS_CHACHA)
726			{
727	0		ssl->flags &= ~SSL_FLAGS_NONCE_R;
728			}
729			else
730			{
731	2117		ssl->flags \|= SSL_FLAGS_NONCE_R;
732			}
733			}
734			else
735			{
736	2		ssl->flags &= ~SSL_FLAGS_AEAD_R;
737	2		ssl->flags &= ~SSL_FLAGS_NONCE_R;
738			}
739			# endif
740			/*
741			Copy the newly activated read keys into the live buffers
742			*/
743	2119		memcpy(ssl->sec.readMAC, ssl->sec.rMACptr, ssl->deMacSize);
744	2119		memcpy(ssl->sec.readKey, ssl->sec.rKeyptr, ssl->cipher->keySize);
745	2119		memcpy(ssl->sec.readIV, ssl->sec.rIVptr, ssl->cipher->ivSize);
746			/*
747			set up decrypt contexts
748			*/
749	2119	50	if (ssl->cipher->init)
750			{
751	2119	50	if (ssl->cipher->init(&(ssl->sec), INIT_DECRYPT_CIPHER,
752	2119		ssl->cipher->keySize) < 0)
753			{
754			psTraceInfo("Unable to initialize read cipher suite\n");
755	0		return PS_FAILURE;
756			}
757			}
758
759			}
760	24433		return PS_SUCCESS;
761			}
762
763	24433		int32 sslActivateWriteCipher(ssl_t *ssl)
764			{
765			# ifdef USE_DTLS
766			if (ssl->flags & SSL_FLAGS_DTLS)
767			{
768			if (ssl->retransmit == 0)
769			{
770			ssl->oencrypt = ssl->encrypt;
771			ssl->ogenerateMac = ssl->generateMac;
772			ssl->oenMacSize = ssl->enMacSize;
773			ssl->oenNativeHmacSize = ssl->nativeEnMacSize;
774			ssl->oenBlockSize = ssl->enBlockSize;
775			ssl->oenIvSize = ssl->enIvSize;
776			memcpy(ssl->owriteMAC, ssl->sec.writeMAC, ssl->enMacSize);
777			memcpy(&ssl->oencryptCtx, &ssl->sec.encryptCtx,
778			sizeof(psCipherContext_t));
779			memcpy(ssl->owriteIV, ssl->sec.writeIV, ssl->cipher->ivSize);
780			}
781			}
782			# endif /* USE_DTLS */
783
784	24433		ssl->encrypt = ssl->cipher->encrypt;
785	24433		ssl->generateMac = ssl->cipher->generateMac;
786	24433		ssl->nativeEnMacSize = ssl->cipher->macSize;
787	24433	50	if (ssl->extFlags.truncated_hmac)
788			{
789	0	0	if (ssl->cipher->macSize > 0) /* Only for HMAC-based ciphers */
790			{
791	0		ssl->enMacSize = 10;
792			}
793			else
794			{
795	0		ssl->enMacSize = ssl->cipher->macSize;
796			}
797			}
798			else
799			{
800	24433		ssl->enMacSize = ssl->cipher->macSize;
801			}
802	24433		ssl->enBlockSize = ssl->cipher->blockSize;
803	24433		ssl->enIvSize = ssl->cipher->ivSize;
804			/*
805			Reset the outgoing sequence number for the new suite
806			*/
807	24433		memset(ssl->sec.seq, 0x0, sizeof(ssl->sec.seq));
808	24433	100	if (ssl->cipher->ident != SSL_NULL_WITH_NULL_NULL)
809			{
810	2119		ssl->flags \|= SSL_FLAGS_WRITE_SECURE;
811
812			# ifdef USE_TLS_1_2
813	2119	100	if (ssl->enMacSize == 0)
814			{
815			/* Need a concept for AEAD read and write start times for the
816			cases surrounding changeCipherSpec if moving from one suite
817			to another */
818	2117		ssl->flags \|= SSL_FLAGS_AEAD_W;
819	2117	50	if (ssl->cipher->flags & CRYPTO_FLAGS_CHACHA)
820			{
821	0		ssl->flags &= ~SSL_FLAGS_NONCE_W;
822			}
823			else
824			{
825	2117		ssl->flags \|= SSL_FLAGS_NONCE_W;
826			}
827			}
828			else
829			{
830	2		ssl->flags &= ~SSL_FLAGS_AEAD_W;
831	2		ssl->flags &= ~SSL_FLAGS_NONCE_W;
832			}
833			# endif
834
835			/*
836			Copy the newly activated write keys into the live buffers
837			*/
838	2119		memcpy(ssl->sec.writeMAC, ssl->sec.wMACptr, ssl->enMacSize);
839	2119		memcpy(ssl->sec.writeKey, ssl->sec.wKeyptr, ssl->cipher->keySize);
840	2119		memcpy(ssl->sec.writeIV, ssl->sec.wIVptr, ssl->cipher->ivSize);
841			/*
842			set up encrypt contexts
843			*/
844	2119	50	if (ssl->cipher->init)
845			{
846	2119	50	if (ssl->cipher->init(&(ssl->sec), INIT_ENCRYPT_CIPHER,
847	2119		ssl->cipher->keySize) < 0)
848			{
849			psTraceInfo("Unable to init write cipher suite\n");
850	0		return PS_FAILURE;
851			}
852			}
853			}
854	24433		return PS_SUCCESS;
855			}
856
857			/******************************************************************************/
858			#endif /* USE_NATIVE_TLS_ALGS */
859
860
861			#ifdef USE_CLIENT_SIDE_SSL
862			/******************************************************************************/
863			/*
864			Allocate a tlsExtension_t structure
865			*/
866	0		int32 matrixSslNewHelloExtension(tlsExtension_t *extension, void userPoolPtr)
867			{
868	0		psPool_t *pool = NULL;
869			tlsExtension_t *ext;
870
871	0		ext = psMalloc(pool, sizeof(tlsExtension_t));
872	0	0	if (ext == NULL)
873			{
874	0		return PS_MEM_FAIL;
875			}
876	0		memset(ext, 0x0, sizeof(tlsExtension_t));
877	0		ext->pool = pool;
878
879	0		*extension = ext;
880	0		return PS_SUCCESS;
881			}
882
883			/******************************************************************************/
884			/*
885			Free a tlsExtension_t structure and any extensions that have been loaded
886			*/
887	0		void matrixSslDeleteHelloExtension(tlsExtension_t *extension)
888			{
889			tlsExtension_t next, ext;
890
891	0	0	if (extension == NULL)
892			{
893	0		return;
894			}
895	0		ext = extension;
896			/* Free first one */
897	0	0	if (ext->extData)
898			{
899	0		psFree(ext->extData, ext->pool);
900			}
901	0		next = ext->next;
902	0		psFree(ext, ext->pool);
903			/* Free others */
904	0	0	while (next)
905			{
906	0		ext = next;
907	0		next = ext->next;
908	0	0	if (ext->extData)
909			{
910	0		psFree(ext->extData, ext->pool);
911			}
912	0		psFree(ext, ext->pool);
913			}
914	0		return;
915			}
916
917			/*****************************************************************************/
918			/*
919			Add an outgoing CLIENT_HELLO extension to a tlsExtension_t structure
920			that was previously allocated with matrixSslNewHelloExtension
921			*/
922	0		int32 matrixSslLoadHelloExtension(tlsExtension_t *ext,
923			unsigned char *extension, uint32 length, uint32 extType)
924			{
925			tlsExtension_t current, new;
926
927	0	0	if (ext == NULL \|\| (length > 0 && extension == NULL))
		0
		0
928			{
929	0		return PS_ARG_FAIL;
930			}
931			/*
932			Find first empty spot in ext. This is determined by extLen since even
933			an empty extension will have a length of 1 for the 0
934			*/
935	0		current = ext;
936	0	0	while (current->extLen != 0)
937			{
938	0	0	if (current->next != NULL)
939			{
940	0		current = current->next;
941	0		continue;
942			}
943	0		new = psMalloc(ext->pool, sizeof(tlsExtension_t));
944	0	0	if (new == NULL)
945			{
946	0		return PS_MEM_FAIL;
947			}
948	0		memset(new, 0, sizeof(tlsExtension_t));
949	0		new->pool = ext->pool;
950	0		current->next = new;
951	0		current = new;
952			}
953			/*
954			Supports an empty extension which is really a one byte 00:
955			ff 01 00 01 00 (two byte type, two byte len, one byte 00)
956
957			This will either be passed in as a NULL 'extension' with a 0 length - OR -
958			A pointer to a one byte 0x0 and a length of 1. In either case, the
959			structure will identify the ext with a length of 1 and a NULL data ptr
960			*/
961	0		current->extType = extType;
962	0	0	if (length > 0)
963			{
964	0		current->extLen = length;
965	0	0	if (length == 1 && extension[0] == '\0')
		0
966			{
967	0		current->extLen = 1;
968			}
969			else
970			{
971	0		current->extData = psMalloc(ext->pool, length);
972	0	0	if (current->extData == NULL)
973			{
974	0		return PS_MEM_FAIL;
975			}
976	0		memcpy(current->extData, extension, length);
977			}
978			}
979	0	0	else if (length == 0)
980			{
981	0		current->extLen = 1;
982			}
983
984	0		return PS_SUCCESS;
985			}
986			#endif /* USE_CLIENT_SIDE_SSL */
987
988			/******************************************************************************/
989