A super trimmed down TLS stack, GPL licensed
Dependents: MiniTLS-HTTPS-Example
MiniTLS - A super trimmed down TLS/SSL Library for embedded devices Author: Donatien Garnier Copyright (C) 2013-2014 AppNearMe Ltd
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Diff: tls/tls_record.c
- Revision:
- 0:35aa5be3b78d
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tls/tls_record.c Fri Jun 06 10:49:02 2014 +0000 @@ -0,0 +1,838 @@ +/* +MuTLS - A super trimmed down TLS/SSL Library for embedded devices +Author: Donatien Garnier +Copyright (C) 2013-2014 AppNearMe Ltd + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +*//** + * \file tls_record.c + * \copyright Copyright (c) AppNearMe Ltd 2013 + * \author Donatien Garnier + */ + +#define __DEBUG__ 0 +#ifndef __MODULE__ +#define __MODULE__ "tls_record.c" +#endif + +#include "core/fwk.h" +#include "inc/mutls_config.h" +#include "inc/mutls_errors.h" +#include "tls_record.h" +#include "tls_alert.h" + +#include "tls_handshake.h" +#include "tls_socket.h" + +#include "socket/socket.h" + +#include "crypto/crypto_aes_128_cbc.h" +#include "crypto/crypto_hmac_sha1.h" + +static mutls_err_t record_wait_readable(tls_record_t* record); +static mutls_err_t record_wait_writeable(tls_record_t* record); + +static mutls_err_t record_socket_read(tls_record_t* record, size_t size); +static mutls_err_t record_socket_write(tls_record_t* record, buffer_t* data); + +static mutls_err_t tls_mac_append( const uint8_t* key, tls_content_type_t content_type, tls_protocol_version_t version, + uint64_t sequence_number, buffer_t* buffer ); +static mutls_err_t tls_mac_check( const uint8_t* key, tls_content_type_t content_type, tls_protocol_version_t version, + uint64_t sequence_number, buffer_t* buffer ); + +typedef struct __tls_fragment_header +{ + tls_content_type_t type; + tls_protocol_version_t version; + uint16_t length; //(MAX 2^14 + 2048 = 18432) +} tls_fragment_header_t; + +#define FRAGMENT_HEADER_SIZE 5 + +#define DEFAULT_READ_TIMEOUT 20000 +#define DEFAULT_WRITE_TIMEOUT 20000 + +mutls_err_t tls_record_init(tls_record_t* record, tls_socket_t* sock, uint8_t* buf, size_t buf_size) +{ + + record->handshake_done = false; + + //Open BSD socket + record->socket_fd = socket_socket(); + if(record->socket_fd < 0) + { + ERR("Could not create socket descriptor"); + return MUTLS_ERR_SOCKET_ERROR; + } + + record->read_timeout = DEFAULT_READ_TIMEOUT; + record->write_timeout = DEFAULT_WRITE_TIMEOUT; + + if(buf_size >= TLS_DEFAULT_MAX_FRAGMENT_SIZE) + { + record->max_fragment_size = TLS_DEFAULT_MAX_FRAGMENT_SIZE; + } + else if( buf_size >= 4096 + TLS_ENCRYPTION_MAX_OVERHEAD ) + { + record->max_fragment_size = 4096; + } + else if( buf_size >= 2048 + TLS_ENCRYPTION_MAX_OVERHEAD ) + { + record->max_fragment_size = 2048; + } + else if( buf_size >= 1024 + TLS_ENCRYPTION_MAX_OVERHEAD ) + { + record->max_fragment_size = 1024; + } + else if( buf_size >= 512 + TLS_ENCRYPTION_MAX_OVERHEAD ) + { + record->max_fragment_size = 512; + } + else + { + ERR("Buffer is too small"); + return MUTLS_ERR_BUFFER_TOO_SMALL; + } + + DBG("Max fragment size: %d bytes", record->max_fragment_size); + + if( (buf_size != TLS_DEFAULT_MAX_FRAGMENT_SIZE) + && (buf_size != (record->max_fragment_size + TLS_ENCRYPTION_MAX_OVERHEAD)) ) + { + WARN("Buffer size is not optimum"); + } + + //Initialize with oldest protocol version by default (as recommended by RFC 5246's Annex E) +#if MUTLS_CFG_PROTOCOL_SSL_3 + record->version.major = SSL_3_VERSION_MAJOR; + record->version.minor = SSL_3_VERSION_MINOR; +#elif MUTLS_CFG_PROTOCOL_TLS_1_0 + record->version.major = TLS_1_0_VERSION_MAJOR; + record->version.minor = TLS_1_0_VERSION_MINOR; +#elif MUTLS_CFG_PROTOCOL_TLS_1_1 + record->version.major = TLS_1_1_VERSION_MAJOR; + record->version.minor = TLS_1_1_VERSION_MINOR; +#elif MUTLS_CFG_PROTOCOL_TLS_1_2 + record->version.major = TLS_1_2_VERSION_MAJOR; + record->version.minor = TLS_1_2_VERSION_MINOR; +#else +#error No SSL/TLS protocol version enabled +#endif + + buffer_init(&record->buffer, buf, buf_size); + + record->tls_socket = sock; + + //Init security + record->security_rx_state = TLS_SECURITY_NONE; + record->security_tx_state = TLS_SECURITY_NONE; + + //Memset keys + memset(&record->client_write_mac_key, 0, TLS_HMAC_SHA1_KEY_SIZE); + memset(&record->server_write_mac_key, 0, TLS_HMAC_SHA1_KEY_SIZE); + memset(&record->client_write_cipher_key, 0, AES_128_KEY_SIZE); + memset(&record->server_write_cipher_key, 0, AES_128_KEY_SIZE); + + return MUTLS_OK; +} + +void tls_record_set_protocol_version(tls_record_t* record, uint8_t major, uint8_t minor) +{ + record->version.major = major; + record->version.minor = minor; +} + +void tls_record_get_protocol_version(tls_record_t* record, uint8_t* major, uint8_t* minor) +{ + *major = record->version.major; + *minor = record->version.minor; +} + +mutls_err_t tls_record_change_cipher_spec(tls_record_t* record, bool tx_nrx) +{ + if(tx_nrx) + { + if(record->security_tx_state == TLS_SECURITY_INTIALIZED) + { + record->security_tx_state = TLS_SECURITY_ACTIVE; + return MUTLS_OK; + } + else + { + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + } + else + { + if(record->security_rx_state == TLS_SECURITY_INTIALIZED) + { + record->security_rx_state = TLS_SECURITY_ACTIVE; + return MUTLS_OK; + } + else + { + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + } +} + +bool tls_record_is_secure(tls_record_t* record) +{ + if( record->security_tx_state != TLS_SECURITY_ACTIVE ) + { + return false; + } + if( record->security_rx_state != TLS_SECURITY_ACTIVE ) + { + return false; + } + return true; +} + +mutls_err_t tls_record_connect(tls_record_t* record, const char* hostname, uint16_t port) +{ + DBG("Trying to connect to %s:%d", hostname, port); + + int r = socket_connect(record->socket_fd, hostname, port); + if(r < 0) + { + socket_close(record->socket_fd); + record->socket_fd = -1; + return MUTLS_ERR_SOCKET_ERROR; + } + + return MUTLS_OK; +} + +mutls_err_t tls_record_process(tls_record_t* record) +{ + //Reset buffer length + buffer_reset(&record->buffer); + + //Read header + mutls_err_t ret = record_socket_read(record, FRAGMENT_HEADER_SIZE); + if(ret == MUTLS_ERR_SOCKET_CLOSED) + { + return MUTLS_ERR_SOCKET_CLOSED; + } + else if(ret) + { + ERR("Socket err %d", ret); + tls_alert_send( record, TLS_ALERT_FATAL, INTERNAL_ERROR, &record->buffer); + return ret; + } + + //Read version + tls_fragment_header_t header; + + header.type = buffer_nu8_read(&record->buffer); + header.version.major = buffer_nu8_read(&record->buffer); + header.version.minor = buffer_nu8_read(&record->buffer); + header.length = buffer_nu16_read(&record->buffer); + +#if 1 //TODO how to relax this? + if( (header.version.major != record->version.major) || (header.version.minor != record->version.minor) ) + { + ERR("Version mismatch"); + tls_alert_send( record, TLS_ALERT_FATAL, PROTOCOL_VERSION, &record->buffer); + return MUTLS_ERR_PROTOCOL_VERSION; + } +#endif + //Check content type + //Check that encryption level is OK for this content type + switch( header.type ) + { + //All of these are OK in plain mode + case TLS_CHANGE_CIPHER_SPEC: + case TLS_ALERT: + case TLS_HANDSHAKE: + break; + //This is only acceptable in ciphered mode: + case TLS_APPLICATION_DATA: + if( (!tls_record_is_secure(record)) || (!record->handshake_done) ) + { + tls_alert_send( record, TLS_ALERT_FATAL, INSUFFICIENT_SECURITY, &record->buffer); + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + break; + default: + tls_alert_send( record, TLS_ALERT_FATAL, ILLEGAL_PARAMETER, &record->buffer); + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + + //Reset buffer + buffer_reset(&record->buffer); + + //Read payload + ret = record_socket_read(record, header.length); + if(ret) + { + ERR("Socket err %d", ret); + tls_alert_send( record, TLS_ALERT_FATAL, INTERNAL_ERROR, &record->buffer); + return ret; + } + + if( record->security_rx_state == TLS_SECURITY_ACTIVE ) + { + DBG("IV + Ciphertext"); + DBG_BLOCK(buffer_dump(&record->buffer);) + + buffer_t buffer_iv_header; + if( (buffer_length(&record->buffer) < 2*AES_128_BLOCK_SIZE) || ( (buffer_length(&record->buffer) % AES_128_BLOCK_SIZE) != 0 ) ) + { + tls_alert_send( record, TLS_ALERT_FATAL, UNEXPECTED_MESSAGE, &record->buffer ); + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + buffer_byref(&buffer_iv_header, buffer_current_read_position(&record->buffer), AES_128_BLOCK_SIZE); //Extract IV vector + buffer_n_discard(&record->buffer, AES_128_BLOCK_SIZE); + + //Decrypt message + ret = crypto_aes_128_cbc_decrypt( &record->cipher_rx, &buffer_iv_header, &record->buffer ); + if(ret) + { + ERR("Failed to decipher, ret %d", ret); + tls_alert_send( record, TLS_ALERT_FATAL, DECRYPT_ERROR, &record->buffer ); + return ret; + } + + DBG("Plaintext + MAC + padding + padding length"); + DBG_BLOCK(buffer_dump(&record->buffer);) + + //Check and remove padding + size_t padding_length = *(buffer_current_write_position(&record->buffer) - 1); + + if( padding_length + 1 > buffer_length(&record->buffer) ) + { + ERR("Wrong padding length"); + tls_alert_send( record, TLS_ALERT_FATAL, BAD_RECORD_MAC, &record->buffer ); + return MUTLS_ERR_CRYPTO; + } + + int p; + //Check each padding byte + for(p = 0; p < padding_length; p++) + { + if( *(buffer_current_write_position(&record->buffer) - 1 - p) != padding_length ) + { + ERR("Wrong padding"); + tls_alert_send( record, TLS_ALERT_FATAL, BAD_RECORD_MAC, &record->buffer ); + return MUTLS_ERR_CRYPTO; + } + } + + //Remove trailing padding + padding length + buffer_set_length(&record->buffer, buffer_length(&record->buffer) - 1 - padding_length); + + DBG("Plaintext + MAC"); + DBG_BLOCK(buffer_dump(&record->buffer);) + + //Check MAC + ret = tls_mac_check( record->server_write_mac_key, header.type, header.version, record->sequence_number_rx, &record->buffer ); + if(ret) + { + ERR("MAC Check failed, ret %d", ret); + tls_alert_send( record, TLS_ALERT_FATAL, BAD_RECORD_MAC, &record->buffer ); + return ret; + } + + DBG("Plaintext"); + DBG_BLOCK(buffer_dump(&record->buffer);) + + //Increment seq number + record->sequence_number_rx++; + } + else + { + //No security + } + + //Now dispatch depending on content type + switch( header.type ) + { + case TLS_CHANGE_CIPHER_SPEC: + ret = tls_record_change_cipher_spec(record, false); + if(ret) + { + ERR("Invalid change cipher spec request, ret %d", ret); + tls_alert_send( record, TLS_ALERT_FATAL, UNEXPECTED_MESSAGE, &record->buffer ); + return ret; + } + break; + case TLS_ALERT: + ret = tls_alert_process( record, &record->buffer ); + if(ret) + { + tls_record_close(record); + //Close connection in any case + if(ret == MUTLS_ERR_CONNECTION_CLOSED) + { + DBG("Connection closed by remote party"); + return MUTLS_OK; + } + //FIXME Do something + ERR("Alert received, ret %d", ret); + return ret; + } + break; + case TLS_HANDSHAKE: + if(/*(record->tls_socket->handshake != NULL) &&*/ !tls_handshake_is_done(&record->tls_socket->handshake)) + { + ret = tls_handshake_process(&record->tls_socket->handshake, &record->buffer ); + if(ret) + { + ERR("Handshake process returned %d", ret); + //TLS alert already sent by handshake function + tls_handshake_clean(&record->tls_socket->handshake); //Cleanup handshake + //record->tls_socket->handshake = NULL; + return ret; + } + if(tls_handshake_is_done(&record->tls_socket->handshake)) + { + tls_handshake_clean(&record->tls_socket->handshake); //Cleanup handshake + //record->tls_socket->handshake = NULL; + record->handshake_done = true; //Enable application data layer + } + return MUTLS_OK; + } + else + { + ERR("Unexpected handshake message, ret %d", ret); + tls_alert_send( record, TLS_ALERT_FATAL, UNEXPECTED_MESSAGE, &record->buffer ); + return ret; + } + case TLS_APPLICATION_DATA: + //Pass message to socket layer + return tls_socket_readable_callback(record->tls_socket, &record->buffer); + default: + //Has already been checked above + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + + return MUTLS_OK; +} + +mutls_err_t tls_record_send(tls_record_t* record, tls_content_type_t content_type, buffer_t* payload) +{ + mutls_err_t ret; + int padding_item; + /* + struct { + opaque IV[SecurityParameters.record_iv_length]; + block-ciphered struct { + opaque content[TLSCompressed.length]; + opaque MAC[SecurityParameters.mac_length]; + uint8 padding[GenericBlockCipher.padding_length]; + uint8 padding_length; + }; + } GenericBlockCipher; + */ + + //Check content type + //Check that encryption level is OK for this content type + switch( content_type ) + { + //All of these are OK in plain mode + case TLS_CHANGE_CIPHER_SPEC: + case TLS_ALERT: + case TLS_HANDSHAKE: + break; + //This is only acceptable in ciphered mode: + case TLS_APPLICATION_DATA: + if( (!tls_record_is_secure(record)) || (!record->handshake_done) ) + { + tls_alert_send( record, TLS_ALERT_FATAL, INSUFFICIENT_SECURITY, &record->buffer); + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + break; + default: + tls_alert_send( record, TLS_ALERT_FATAL, ILLEGAL_PARAMETER, &record->buffer); + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + + //Buffer must have enough space to add IV (head) + MAC (tail) + padding (tail) + + buffer_t header_iv; + uint8_t header_iv_data[AES_128_BLOCK_SIZE]; + if( record->security_tx_state == TLS_SECURITY_ACTIVE ) + { + //FIXME generate a random IV + + DBG("Plaintext"); + DBG_BLOCK(buffer_dump(payload);) + + //Compute & append MAC + DBG("Sequence number: %d", record->sequence_number_tx); + ret = tls_mac_append( record->client_write_mac_key, content_type, record->version, record->sequence_number_tx, payload ); + if(ret) + { + ERR("Could not append MAC, ret %d", ret); + return ret; + } + + //Increment sequence number + record->sequence_number_tx++; + + DBG("Plaintext + MAC"); + DBG_BLOCK(buffer_dump(payload);) + + //Add padding + size_t padding_length = AES_128_BLOCK_SIZE - (buffer_length(payload) % AES_128_BLOCK_SIZE) - 1; + if(buffer_space(payload) < padding_length) + { + return MUTLS_ERR_BUFFER_TOO_SMALL; + } + + for(padding_item = 0; padding_item < padding_length; padding_item++) + { + buffer_nu8_write(payload, padding_length); + } + + buffer_nu8_write(payload, padding_length); + + DBG("Plaintext + MAC + Padding + Padding Length"); + DBG_BLOCK(buffer_dump(payload);) + + buffer_init( &header_iv, header_iv_data, AES_128_BLOCK_SIZE ); + + crypto_prng_get(record->tls_socket->mutls->prng, buffer_current_write_position(&header_iv), AES_128_BLOCK_SIZE); + buffer_n_skip(&header_iv, AES_128_BLOCK_SIZE); + + //Encrypt message + ret = crypto_aes_128_cbc_encrypt( &record->cipher_tx, &header_iv, payload ); + if(ret) + { + ERR("Failed to encipher, ret %d", ret); + return ret; + } + + DBG("Ciphertext"); + DBG_BLOCK(buffer_dump(payload);) + } + else + { + buffer_init( &header_iv, NULL, 0 ); //0 Length + } + + //Now send message header + tls_fragment_header_t header; + header.type = content_type; + header.version.major = record->version.major; + header.version.minor = record->version.minor; + header.length = buffer_length( &header_iv ) + buffer_length(payload); + + buffer_t header_fragment; + uint8_t header_fragment_data[FRAGMENT_HEADER_SIZE]; + + buffer_init( &header_fragment, header_fragment_data, FRAGMENT_HEADER_SIZE ); + + buffer_nu8_write(&header_fragment, header.type); + buffer_nu8_write(&header_fragment, header.version.major); + buffer_nu8_write(&header_fragment, header.version.minor); + buffer_nu16_write(&header_fragment, header.length); + + //Send fragment header + ret = record_socket_write(record, &header_fragment); + if(ret) + { + return ret; + } + + //Send IV + ret = record_socket_write(record, &header_iv); + if(ret) + { + return ret; + } + + //Send payload + ret = record_socket_write(record, payload); + if(ret) + { + return ret; + } + + return MUTLS_OK; +} + +mutls_err_t tls_record_set_keys(tls_record_t* record, tls_security_type_t security, const uint8_t* client_write_mac_key, const uint8_t* server_write_mac_key, + const uint8_t* client_write_cipher_key, const uint8_t* server_write_cipher_key) +{ + if(security != TLS_SECURITY_TYPE_AES_128_CBC_SHA) + { + return MUTLS_ERR_NOT_IMPLEMENTED; + } + + //Copy keys + memcpy(&record->client_write_mac_key, client_write_mac_key, TLS_HMAC_SHA1_KEY_SIZE); + memcpy(&record->server_write_mac_key, server_write_mac_key, TLS_HMAC_SHA1_KEY_SIZE); + memcpy(&record->client_write_cipher_key, client_write_cipher_key, AES_128_KEY_SIZE); + memcpy(&record->server_write_cipher_key, server_write_cipher_key, AES_128_KEY_SIZE); + + //Intialize cipher + + record->sequence_number_tx = 0; + record->sequence_number_rx = 0; + + crypto_aes_128_init(&record->cipher_tx, record->client_write_cipher_key, expand_encryption_key); + crypto_aes_128_init(&record->cipher_rx, record->server_write_cipher_key, expand_decryption_key); + + record->security_tx_state = TLS_SECURITY_INTIALIZED; + record->security_rx_state = TLS_SECURITY_INTIALIZED; + + return MUTLS_OK; +} + +mutls_err_t tls_record_close(tls_record_t* record) +{ + if(record->socket_fd < 0) //Already closed + { + return MUTLS_OK; + } + + //Don't really care about the return + tls_alert_send(record, TLS_ALERT_WARNING, CLOSE_NOTIFY, &record->buffer); + + //Close socket + socket_close(record->socket_fd); + record->socket_fd = -1; + + return MUTLS_OK; +} + +mutls_err_t tls_record_set_read_timeout(tls_record_t* record, int timeout) +{ + record->read_timeout = timeout; + + return MUTLS_OK; +} + +mutls_err_t tls_record_set_write_timeout(tls_record_t* record, int timeout) +{ + record->write_timeout = timeout; + + return MUTLS_OK; +} + +mutls_err_t record_wait_readable(tls_record_t* record) +{ + if(record->socket_fd < 0) + { + return MUTLS_ERR_SOCKET_CLOSED; + } + + //Wait for record to be readable + int ret = socket_wait_readable(record->socket_fd, record->read_timeout ); + if( ret < 0 ) + { + //Timeout + return MUTLS_ERR_TIMEOUT; + } + return MUTLS_OK; +} + +mutls_err_t record_wait_writeable(tls_record_t* record) +{ + if(record->socket_fd < 0) + { + return MUTLS_ERR_SOCKET_CLOSED; + } + + //Wait for record to be writeable + int ret = socket_wait_writeable(record->socket_fd, record->write_timeout ); + if( ret < 0 ) + { + //Timeout + return MUTLS_ERR_TIMEOUT; + } + return MUTLS_OK; +} + +mutls_err_t record_socket_read(tls_record_t* record, size_t size) +{ + mutls_err_t ret; + if(record->socket_fd < 0) + { + return MUTLS_ERR_SOCKET_CLOSED; + } + + DBG("Trying to read %d bytes", size); + while(size > 0) + { + //Read Fragment length + if( buffer_space(&record->buffer) < size ) + { + ERR("Won't be able to read packet (%d bytes to read - %d bytes of space)", size, buffer_space(&record->buffer)); + return MUTLS_ERR_BUFFER_TOO_SMALL; + } + + ret = record_wait_readable(record); + if(ret) + { + ERR("Timeout"); + return ret; + } + + int count = socket_recv(record->socket_fd, buffer_current_write_position(&record->buffer), size - buffer_length(&record->buffer)); + if( count > 0 ) + { + buffer_n_skip(&record->buffer, count); + size -= count; + } + else if( count == 0 ) + { + WARN("Socket closed"); + return MUTLS_ERR_SOCKET_CLOSED; + } + else + { + ERR("Error (returned %d)", count); + return MUTLS_ERR_SOCKET_ERROR; + } + } + + DBG_BLOCK(buffer_dump(&record->buffer);) + + return MUTLS_OK; +} + +mutls_err_t record_socket_write(tls_record_t* record, buffer_t* data) +{ + mutls_err_t ret; + if(record->socket_fd < 0) + { + return MUTLS_ERR_SOCKET_CLOSED; + } + + DBG("Trying to write %d bytes", buffer_length(data)); + DBG_BLOCK(buffer_dump(data);) + while(buffer_length(data) > 0) + { + ret = record_wait_writeable(record); + if(ret) + { + ERR("Timeout"); + return ret; + } + + int count = socket_send(record->socket_fd, buffer_current_read_position(data), buffer_length(data)); + if( count > 0 ) + { + buffer_n_discard(data, count); + } + else if( count == 0 ) + { + WARN("Socket closed"); + return MUTLS_ERR_SOCKET_CLOSED; + } + else + { + ERR("Error (returned %d)", count); + return MUTLS_ERR_SOCKET_ERROR; + } + } + DBG("Done"); + return MUTLS_OK; +} + + +mutls_err_t tls_mac_append( const uint8_t* key, tls_content_type_t content_type, tls_protocol_version_t version, + uint64_t sequence_number, buffer_t* buffer ) +{ + crypto_hmac_sha1_t mac; + crypto_hmac_sha1_init(&mac, key, TLS_HMAC_SHA1_KEY_SIZE); + + if( buffer_space(buffer) < HMAC_SHA1_SIZE ) + { + return MUTLS_ERR_BUFFER_TOO_SMALL; + } + + uint8_t header_buf[13]; + buffer_t header; + + buffer_init(&header, header_buf, 13); + + buffer_nu64_write(&header, sequence_number); + + buffer_nu8_write(&header, content_type); + + buffer_nu8_write(&header, version.major); + buffer_nu8_write(&header, version.minor); + + buffer_nu16_write(&header, buffer_length(buffer)); + + crypto_hmac_sha1_update(&mac, header_buf, 13); + crypto_hmac_sha1_update(&mac, buffer_current_read_position(buffer), buffer_length(buffer)); + crypto_hmac_sha1_end(&mac, buffer_current_write_position(buffer)); + buffer_n_skip(buffer, HMAC_SHA1_SIZE); + + return MUTLS_OK; +} + +mutls_err_t tls_mac_check( const uint8_t* key, tls_content_type_t content_type, tls_protocol_version_t version, + uint64_t sequence_number, buffer_t* buffer ) +{ + crypto_hmac_sha1_t mac; + crypto_hmac_sha1_init(&mac, key, TLS_HMAC_SHA1_KEY_SIZE); + + if( buffer_length(buffer) < HMAC_SHA1_SIZE ) + { + return MUTLS_ERR_PROTOCOL_NON_CONFORMANT; + } + + size_t data_offset = buffer_get_read_offset(buffer); + size_t data_length = buffer_length(buffer) - HMAC_SHA1_SIZE; + + uint8_t check[HMAC_SHA1_SIZE]; + + uint8_t header_buf[13]; + buffer_t header; + + buffer_init(&header, header_buf, 13); + + buffer_nu64_write(&header, sequence_number); + + buffer_nu8_write(&header, content_type); + + buffer_nu8_write(&header, version.major); + buffer_nu8_write(&header, version.minor); + + buffer_nu16_write(&header, data_length); + + crypto_hmac_sha1_update(&mac, header_buf, 13); + crypto_hmac_sha1_update(&mac, buffer_current_read_position(buffer), data_length); + buffer_n_discard(buffer, data_length); + crypto_hmac_sha1_end(&mac, check); + + if( memcmp(buffer_current_read_position(buffer), check, HMAC_SHA1_SIZE) != 0 ) + { + ERR("MAC differs; computed MAC was:"); + + buffer_t computed_mac; + buffer_byref(&computed_mac, check, HMAC_SHA1_SIZE); + DBG_BLOCK(buffer_dump(&computed_mac);) + + return MUTLS_ERR_WRONG_MAC; + } + + //Reset buffer position and discard MAC + buffer_set_read_offset(buffer, data_offset); + buffer_set_length(buffer, data_length); + + return MUTLS_OK; +} + + + +