コード例 #1
0
ファイル: mssl.c プロジェクト: GraseHotspot/coova-chilli
int SSL_is_init_finished(SSL *ssl) {
  int v = matrixSslHandshakeIsComplete(ssl->ssl) != 0;
#if(_debug_)
  syslog(LOG_DEBUG, "MatrixSSL is_finished %d", v);
#endif
  return v;
}
コード例 #2
0
ファイル: mssl.c プロジェクト: GraseHotspot/coova-chilli
int SSL_accept(SSL *ssl) {

  char buf[1024];
  int  rc;

#if(_debug_)
  syslog(LOG_DEBUG, "MatrixSSL_accept()");
#endif

readMore:
  rc = _ssl_read(ssl, buf, sizeof(buf));
  if (rc == 0) {
    if (ssl->status == SSL_SOCKET_EOF || ssl->status == SSL_SOCKET_CLOSE_NOTIFY) {
      return -1;
    }
    if (matrixSslHandshakeIsComplete(ssl->ssl) == 0) {
      goto readMore;
    }
  } else if (rc > 0) {
    return 0;
  } else {
    return -1;
  }

  return 1;
}
コード例 #3
0
ファイル: mssl.c プロジェクト: GraseHotspot/coova-chilli
/*
  Construct the initial HELLO message to send to the server and initiate
  the SSL handshake.  Can be used in the re-handshake scenario as well.
*/
int _ssl_doHandshake(SSL *ssl) {
  char	buf[1024];
  int		err, rc;

  /*
    MatrixSSL doesn't provide buffers for data internally.  Define them
    here to support buffered reading and writing for non-blocking sockets.
    Although it causes quite a bit more work, we support dynamically growing
    the buffers as needed.  Alternately, we could define 16K buffers here
    and not worry about growing them.
  */


  short cipherSuite = 0;
  err = matrixSslEncodeClientHello(ssl->ssl, &(ssl->outsock), cipherSuite);

  if (err < 0) {
    socketAssert(err < 0);
    return -1;
  }

  /*
    Send the hello with a blocking write
  */
  err = _psSocketWrite(ssl->fd, &(ssl->outsock));
  if (err < 0) {
    fprintf(stdout, "Error in socketWrite\n");
    return -1;
  }
  ssl->outsock.start = ssl->outsock.end = ssl->outsock.buf;


  /*
    Call _ssl_read to work through the handshake.  Not actually expecting
    data back, so the finished case is simply when the handshake is
    complete.
  */
readMore:
  rc = _ssl_read(ssl, buf, 1024);

  /*
    Reading handshake records should always return 0 bytes, we aren't
    expecting any data yet.
  */
  if(rc > 0 || (rc == 0 && matrixSslHandshakeIsComplete(ssl->ssl) == 0))
  {
    goto readMore;
  }
  if(rc < 0)
  {
    return -1;
  }

  return 0;


}
コード例 #4
0
sslConn_t *sslDoHandshake(sslConn_t *conn, short cipherSuite)
{
  char	buf[1024];
  int	bytes, status, rc;
  
  conn->insock.size = 1024;
  conn->insock.start = conn->insock.end = conn->insock.buf = 
    (unsigned char *)malloc(conn->insock.size);
  conn->outsock.size = 1024;
  conn->outsock.start = conn->outsock.end = conn->outsock.buf = 
    (unsigned char *)malloc(conn->outsock.size);
  conn->inbuf.size = 0;
  conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL;
  
  bytes = matrixSslEncodeClientHello(conn->ssl, &conn->outsock, cipherSuite);
  if (bytes < 0) {
    fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
    socketAssert(bytes < 0);
    goto error;
  }
  if (psSocketWrite(conn->fd, &conn->outsock) < 0) {
    fprintf(stdout, "Error in socketWrite\n");
    goto error;
  }
  conn->outsock.start = conn->outsock.end = conn->outsock.buf;
 readMore:
  rc = sslRead(conn, buf, sizeof(buf), &status);
  if (rc == 0) {
    if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) {
      fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
      goto error;
    }
    if (matrixSslHandshakeIsComplete(conn->ssl) == 0) {
      goto readMore;
    }
  } else if (rc > 0) {
    fprintf(stderr, "sslRead got %d data in sslDoHandshake %s\n", rc, buf);
    goto readMore;
  } else {
    fprintf(stderr, "sslRead error in sslDoHandhake\n");
    goto error;
  }
  
  return conn;
  
 error:
  fprintf(stderr, "error %s:%d\n",__FILE__,__LINE__);
  sslFreeConnection(&conn);
  return NULL;
}
コード例 #5
0
int sslAccept(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys,
	      int (*certValidator)(sslCertInfo_t *t, void *arg), int flags)
{
  sslConn_t		*conn;
  unsigned char	buf[1024];
  int				status, rc;
  conn = calloc(sizeof(sslConn_t), 1);
  conn->fd = fd;
  if (matrixSslNewSession(&conn->ssl, keys, NULL,
			  SSL_FLAGS_SERVER | flags) < 0) {
    sslFreeConnection(&conn);
    return -1;
  }
  
#ifdef USE_CLIENT_AUTH
  matrixSslSetCertValidator(conn->ssl, certValidator, keys);
#endif /* USE_CLIENT_AUTH */
  memset(&conn->inbuf, 0x0, sizeof(sslBuf_t));
  conn->insock.size = 1024;
  conn->insock.start = conn->insock.end = conn->insock.buf = 
    (unsigned char *)malloc(conn->insock.size);
  conn->outsock.size = 1024;
  conn->outsock.start = conn->outsock.end = conn->outsock.buf = 
    (unsigned char *)malloc(conn->outsock.size);
  conn->inbuf.size = 0;
  conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL;
  *cpp = conn;
  
 readMore:
  rc = sslRead(conn, buf, sizeof(buf), &status);
  if (rc == 0) {
    if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) {
      sslFreeConnection(&conn);
      return -1;
    }
    if (matrixSslHandshakeIsComplete(conn->ssl) == 0) {
      goto readMore;
    }
  } else if (rc > 0) {
    socketAssert(0);
    return -1;
  } else {
    fprintf(stderr, "sslRead error in sslAccept\n");
    sslFreeConnection(&conn);
    return -1;
  }
  *cpp = conn;
  
  return 0;
}
コード例 #6
0
ファイル: sslSocket.c プロジェクト: cmtsij/Vizio_XWR100_GPL
/*
	Construct the initial HELLO message to send to the server and initiate
	the SSL handshake.  Can be used in the re-handshake scenario as well.
*/
sslConn_t *sslDoHandshake(sslConn_t *conn, short cipherSuite)
{
	char	buf[1024];
	int		bytes, status, rc;

/*
	MatrixSSL doesn't provide buffers for data internally.  Define them
	here to support buffered reading and writing for non-blocking sockets.
	Although it causes quite a bit more work, we support dynamically growing
	the buffers as needed.  Alternately, we could define 16K buffers here
	and not worry about growing them.
*/
	conn->insock.size = 1024;
	conn->insock.start = conn->insock.end = conn->insock.buf = 
		(unsigned char *)malloc(conn->insock.size);
	conn->outsock.size = 1024;
	conn->outsock.start = conn->outsock.end = conn->outsock.buf = 
		(unsigned char *)malloc(conn->outsock.size);
	conn->inbuf.size = 0;
	conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL;

	bytes = matrixSslEncodeClientHello(conn->ssl, &conn->outsock, cipherSuite);
	if (bytes < 0) {
		socketAssert(bytes < 0);
		goto error;
	}
/*
	Send the hello with a blocking write
*/
	if (psSocketWrite(conn->fd, &conn->outsock) < 0) {
		fprintf(stdout, "Error in socketWrite\n");
		goto error;
	}
	conn->outsock.start = conn->outsock.end = conn->outsock.buf;
/*
	Call sslRead to work through the handshake.  Not actually expecting
	data back, so the finished case is simply when the handshake is
	complete.
*/
readMore:
	rc = sslRead(conn, buf, sizeof(buf), &status);
/*
	Reading handshake records should always return 0 bytes, we aren't
	expecting any data yet.
*/
	if (rc == 0) {
		if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) {
			goto error;
		}
		if (matrixSslHandshakeIsComplete(conn->ssl) == 0) {
			goto readMore;
		}
	} else if (rc > 0) {
		fprintf(stderr, "sslRead got %d data in sslDoHandshake %s\n", rc, buf);
		goto readMore;
	} else {
		fprintf(stderr, "sslRead error in sslDoHandhake\n");
		goto error;
	}

	return conn;

error:
	sslFreeConnection(&conn);
	return NULL;
}
コード例 #7
0
ファイル: sslSocket.c プロジェクト: cmtsij/Vizio_XWR100_GPL
/*
	Client side. Open a socket connection to a remote ip and port.
	This code is not specific to SSL.
*/
SOCKET socketConnect(char *ip, short port, int *err)
{
	struct sockaddr_in	addr;
	SOCKET				fd;
	int					rc;
	struct hostent *hent;
	char   ipbuf[20];
	
	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		fprintf(stderr, "Error creating socket\n");
		*err = getSocketError();
		return INVALID_SOCKET;
	}
/*
	Make sure the socket is not inherited by exec'd processes
	Set the REUSEADDR flag to minimize the number of sockets in TIME_WAIT
*/
	fcntl(fd, F_SETFD, FD_CLOEXEC);
	rc = 1;
//	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&rc, sizeof(rc));
	setSocketNodelay(fd);
/*
	Turn on blocking mode for the connecting socket
*/
	setSocketBlock(fd);
/* //Marked by Gemtek
	hent = gethostbyname(ip);
	if (!hent) {
		fprintf(stderr, "Error resolving host\n");
	}
*/
	memset((char *) &addr, 0x0, sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_port = htons(port);
	//Gemtek added
	sprintf( ipbuf ,"%s", "127.0.0.1" );
	fprintf( stderr , "ip:port ==> %s:%d\n" , ipbuf , port );
	//Gemtek added
	if( NULL != ip && strlen( ipbuf ) >= 7 && 0!=strcmp( ipbuf , "localhost") )
	{
	//bcopy(hent->h_addr, &addr.sin_addr, hent->h_length);
		 addr.sin_addr.s_addr = inet_addr( ipbuf ) ;
	}	
	rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr));
#if WIN
	if (rc != 0) {
#else
	if (rc < 0) {
#endif
		*err = getSocketError();
		return INVALID_SOCKET;
	}
	return fd;
}

/******************************************************************************/
/*
	Server side.  Accept an incomming SSL connection request.
	'conn' will be filled in with information about the accepted ssl connection

	return -1 on error, 0 on success, or WOULD_BLOCK for non-blocking sockets
*/
int sslAccept(sslConn_t **cpp, SOCKET fd, sslKeys_t *keys,
			  int (*certValidator)(sslCertInfo_t *t, void *arg), int flags)
{
	sslConn_t		*conn;
	unsigned char	buf[1024];
	int				status, rc;
/*
	Associate a new ssl session with this socket.  The session represents
	the state of the ssl protocol over this socket.  Session caching is
	handled automatically by this api.
*/
	conn = calloc(sizeof(sslConn_t), 1);
	conn->fd = fd;
	if (matrixSslNewSession(&conn->ssl, keys, NULL,
			SSL_FLAGS_SERVER | flags) < 0) {
		sslFreeConnection(&conn);
		return -1;
	}

/*
	MatrixSSL doesn't provide buffers for data internally.  Define them
	here to support buffered reading and writing for non-blocking sockets.
	Although it causes quite a bit more work, we support dynamically growing
	the buffers as needed.  Alternately, we could define 16K buffers here
	and not worry about growing them.
*/
	memset(&conn->inbuf, 0x0, sizeof(sslBuf_t));
	conn->insock.size = 10240;
	conn->insock.start = conn->insock.end = conn->insock.buf = 
		(unsigned char *)malloc(conn->insock.size);
	conn->outsock.size = 10240;
	conn->outsock.start = conn->outsock.end = conn->outsock.buf = 
		(unsigned char *)malloc(conn->outsock.size);
	conn->inbuf.size = 0;
	conn->inbuf.start = conn->inbuf.end = conn->inbuf.buf = NULL;
	*cpp = conn;

readMore:
	rc = sslRead(conn, buf, sizeof(buf), &status);
/*
	Reading handshake records should always return 0 bytes, we aren't
	expecting any data yet.
*/
	if (rc == 0) {
		if (status == SSLSOCKET_EOF || status == SSLSOCKET_CLOSE_NOTIFY) {
			sslFreeConnection(&conn);
			return -1;
		}
		if (matrixSslHandshakeIsComplete(conn->ssl) == 0) {
			goto readMore;
		}
	} else if (rc > 0) {
		socketAssert(0);
		return -1;
	} else {
		fprintf(stderr, "sslRead error in sslAccept\n");
		sslFreeConnection(&conn);
		return -1;
	}
	*cpp = conn;

	return 0;
}
コード例 #8
0
int do_matrixssl_recv(FILE * fp)
{
	int rc = -1, ret = -1, in_buf_size = 0, out_buf_size = 0;
	sslBuf_t in, out;
	unsigned char error = 0, alertLevel = 0, alertDescription = 0;
	unsigned char *in_buf = NULL, *out_buf = NULL;;
	long more = 0;

	matrixssl_buf *pbuf = matrixssl_findbuf((int)fp);

	if (NULL == pbuf)
		return -1;

	in_buf_size = out_buf_size = SSL_MAX_PLAINTEXT_LEN;
	in_buf = (char *)malloc(SSL_MAX_PLAINTEXT_LEN);
	out_buf = (char *)malloc(SSL_MAX_PLAINTEXT_LEN);

	MATRIXSSL_RSTBUF(pbuf);

	while (1) {

		in.start = in.end = in.buf = in_buf;
		in.size = in_buf_size;
		memset(in.buf, 0, in_buf_size);

		out.buf = out.start = out.end = out_buf;
		out.size = out_buf_size;
		memset(out.buf, 0, out_buf_size);

		ret =
		    recv((int)fp, in.end, (int)((in.buf + in.size) - in.end),
			 0);
#ifdef DEBUG_MATRIXSSL
		printf("do_matrixssl_recv - %d bytes read from socket\n", ret);
#endif
		if (ret <= 0)
			break;

		in.end += ret;
		in.size = ret;

	      decodeMore:
		error = 0;
		alertLevel = 0;
		alertDescription = 0;
		rc = matrixSslDecode(pbuf->ssl, &in, &out, &error, &alertLevel,
				     &alertDescription);
#ifdef DEBUG_MATRIXSSL
		printf
		    ("do_matrixssl_recv - %d bytes in buffer, %d bytes out buffer\n",
		     in.end - in.start, out.end - out.start);
#endif

		switch (rc) {
/*
	Successfully decoded an application data record, and placed in out buf
*/
		case SSL_SUCCESS:
#ifdef DEBUG_MATRIXSSL
			printf("SSL_SUCCESS\n");
#endif
			if (matrixSslHandshakeIsComplete(pbuf->ssl) == 0
			    && in.end <= in.start)
				continue;

			if (in.end > in.start)
				goto decodeMore;
			else
				continue;

		case SSL_PROCESS_DATA:
#ifdef DEBUG_MATRIXSSL
			printf("SSL_PROCESS_DATA\n");
#endif
			MATRIXSSL_ADDRBUF(out.end - out.start, pbuf, out.start);
			out.start = out.end;

			ioctl((int)fp, FIONREAD, (unsigned long *)&more);

#ifdef DEBUG_MATRIXSSL
			fprintf(stderr,
				"SSL_PROCESS_DATA - received %d bytes, %d more to get\n",
				(int)pbuf->ssl_recv_cur, (int)more);
#endif

/*      if (more > 0){
        memmove(in.buf, in.end, in.size - (in.end - in.start));
	in.start = in.buf;
	in.end = in.buf + in.size - (in.end - in.start);
	in.size = in_buf_size;
      	ret = recv((int)fp, in.end, (int)(in.size - (in.end - in.start)), 0);   
	in.end += ret;
        in.size += ret; 
      }
*/
			if (in.end - in.start > 0) {
#ifdef DEBUG_MATRIXSSL
				fprintf(stderr,
					"SSL_PROCESS_DATA - in.size %d bytes, in.end - in.start %d bytes\n",
					in.size, in.end - in.start);
#endif
				goto decodeMore;
			} else
				ret = pbuf->ssl_recv_cur;

			goto matrixssl_recv_done;
/*
	We've decoded a record that requires a response
	The out buffer contains the encoded response that we must send back
	before decoding any more data
*/
		case SSL_SEND_RESPONSE:
#ifdef DEBUG_MATRIXSSL
			printf("SSL_SEND_RESPONSE\n");
#endif
			while (out.start < out.end) {
				rc = send((int)fp, out.start,
					  (int)(out.end - out.start), 0);

				if (rc <= 0)
					goto matrixssl_recv_done;
				out.start += rc;
			}

			out.buf = out.start = out.end = out_buf;
			out.size = out_buf_size;
			memset(out.buf, 0, out_buf_size);
			goto decodeMore;

/*
	We have a partial record, need to read more data from socket and
	try decoding again.
*/
		case SSL_PARTIAL:
#ifdef DEBUG_MATRIXSSL
			printf("SSL_PARTIAL\n");
#endif
			ioctl((int)fp, FIONREAD, (unsigned long *)&more);

			while (more > 0) {

				if (in_buf_size - (in.end - in.buf) <= more) {
					in.start = in.buf = in_buf =
					    (char *)realloc(in_buf,
							    in_buf_size + more);
					in.end = in.buf + in.size;
					in_buf_size += more;
				}
				ret =
				    recv((int)fp, in.end,
					 in_buf_size - (in.end - in.buf), 0);

#ifdef DEBUG_MATRIXSSL
				printf("SSL_PARTIAL - recv %d bytes\n", ret);
#endif

				if (ret <= 0)
					break;

				in.end += ret;
				//in.size += ret;
				ioctl((int)fp, FIONREAD,
				      (unsigned long *)&more);
			}

			goto decodeMore;
/*
	The out buffer is too small to fit the decoded or response
	data.  Increase the size of the buffer and call decode again
*/
		case SSL_FULL:
#ifdef DEBUG_MATRIXSSL
			printf("SSL_FULL\n");
#endif

			out_buf_size *= 2;
			out.buf = out.start = out.end = out_buf =
			    (char *)realloc(out_buf, out_buf_size);
			out.size = out_buf_size;

#ifdef DEBUG_MATRIXSSL
			printf("SSL_FULL - out_buf is %d bytes\n",
			       out_buf_size);
#endif

			goto decodeMore;
/*
	There was an error decoding the data, or encoding the out buffer.
	There may be a response data in the out buffer, so try to send.
	We try a single hail-mary send of the data, and then close the socket.
	Since we're closing on error, we don't worry too much about a clean flush.
*/
		case SSL_ERROR:
#ifdef DEBUG_MATRIXSSL
			printf("SSL_ERROR - error code is %d\n", error);
#endif
/*
	We've decoded an alert.  The level and description passed into
	matrixSslDecode are filled in with the specifics.
*/
		case SSL_ALERT:
#ifdef DEBUG_MATRIXSSL
			printf("SSL_ALERT\n");
#endif
			if (alertDescription != SSL_ALERT_CLOSE_NOTIFY) {
				fprintf(stderr,
					"Closing connection on alert level %d, description %d.\n",
					alertLevel, alertDescription);
			}

		default:
#ifdef DEBUG_MATRIXSSL
			printf("do_matrixssl_recv - return\n");
#endif
			MATRIXSSL_RSTBUF(pbuf);
			ret = -1;
			goto matrixssl_recv_done;
		}
	}

matrixssl_recv_done:
#ifdef DEBUG_MATRIXSSL
	printf("matrixssl_recv - returning %d\n", ret);
#endif
	pbuf->ssl_recv_cur = 0;
	free(out_buf);
	free(in_buf);
	return ret;
}
コード例 #9
0
ファイル: matrixsslApi.c プロジェクト: Deadolus/ecc
/*
	Caller has received data from the network and is notifying the SSL layer
 */
int32 matrixSslReceivedData(ssl_t *ssl, uint32 bytes, unsigned char **ptbuf,
							uint32 *ptlen)
{
	unsigned char	*buf, *prevBuf;
	int32			rc, decodeRet, size, sanity, decodeErr;
	uint32			processed, start, len, reqLen;
	unsigned char	alertLevel, alertDesc;
	unsigned char	*p;

	if (!ssl || !ptbuf || !ptlen) {
		return PS_ARG_FAIL;
	}

	psAssert(ssl->outsize > 0 && ssl->outbuf != NULL);
	psAssert(ssl->insize > 0 && ssl->inbuf != NULL);
	*ptbuf = NULL;
	*ptlen = 0;
	ssl->inlen += bytes;
	if (ssl->inlen == 0) {
		return PS_SUCCESS; /* Nothing to do.  Basically a poll */
	}
	/* This is outside the loop b/c we may want to parse within inbuf later */
	buf = ssl->inbuf;
DECODE_MORE:
	/* Parameterized sanity check to avoid infinite loops */
	if (matrixSslHandshakeIsComplete(ssl)) {
		/* Minimum possible record size once negotiated */
		sanity = ssl->inlen / (SSL3_HEADER_LEN + MD5_HASH_SIZE);
	} else {
		/* Even with an SSLv2 hello, the sanity check will let 1 pass through */
		sanity = ssl->inlen / (SSL3_HEADER_LEN + SSL3_HANDSHAKE_HEADER_LEN);
	}
	if (sanity-- < 0) {
		return PS_PROTOCOL_FAIL;	/* We've tried to decode too many times */
	}
	len = ssl->inlen;
	size = ssl->insize - (buf - ssl->inbuf);
	prevBuf = buf;
	decodeRet = matrixSslDecode(ssl, &buf, &len, size, &start, &reqLen,
						 &decodeErr, &alertLevel, &alertDesc);

/*
	Convenience for the cases that expect buf to have moved
		- calculate the number of encoded bytes that were decoded
*/
	processed = buf - prevBuf;
	rc = PS_PROTOCOL_FAIL;
	switch (decodeRet) {

	case MATRIXSSL_SUCCESS:

		ssl->inlen -= processed;
		if (ssl->inlen > 0) {
			psAssert(buf > ssl->inbuf);
/*
			Pack ssl->inbuf so there is immediate maximum room for potential
			outgoing data that needs to be written
*/
			memmove(ssl->inbuf, buf, ssl->inlen);
			buf = ssl->inbuf;
			goto DECODE_MORE;	/* More data in buffer to process */
		}
/*
		In this case, we've parsed a finished message and no additional data is
		available to parse. We let the client know the handshake is complete,
		which can be used as a trigger to begin for example a HTTP request.
*/
		if (!(ssl->bFlags & BFLAG_HS_COMPLETE)) {
			if (matrixSslHandshakeIsComplete(ssl)) {
				ssl->bFlags |= BFLAG_HS_COMPLETE;
#ifdef USE_CLIENT_SIDE_SSL
				matrixSslGetSessionId(ssl, ssl->sid);
#endif /* USE_CLIENT_SIDE_SSL */
				rc = MATRIXSSL_HANDSHAKE_COMPLETE;
			} else {
				rc = MATRIXSSL_REQUEST_RECV; /* Need to recv more handshake data */
			}
		} else {
#ifdef USE_DTLS
			rc = MATRIXSSL_REQUEST_RECV; /* Got FINISHED without CCS */
#else
			/* This is an error - we shouldn't get here */
#endif
		}
		break;

#ifdef USE_DTLS
	case DTLS_RETRANSMIT:
		/* Only request a resend if last record in buffer */
		ssl->inlen -= processed;
		if (ssl->inlen > 0) {
			psAssert(buf > ssl->inbuf);
/*
			Pack ssl->inbuf so there is immediate maximum room for potential
			outgoing data that needs to be written
*/
			memmove(ssl->inbuf, buf, ssl->inlen);
			buf = ssl->inbuf;
			goto DECODE_MORE;	/* More data in buffer to process */
		}

		/* Flight will be rebuilt when matrixDtlsGetOutdata is called while
		outbuf is empty.  This is the return case where we are actually
		seeing a repeat handshake message so we know something was lost in
		flight. */
		return MATRIXSSL_REQUEST_SEND;
#endif

	case SSL_SEND_RESPONSE:
#ifdef ENABLE_FALSE_START
		/*
			If FALSE START is supported, there may be APPLICATION_DATA directly
			following the FINISHED message, even though we haven't sent our
			CHANGE_CIPHER_SPEC or FINISHED message. This is signalled by buf
			having been moved forward, and our response being put directly into
			ssl->outbuf, rather than in buf (ssl->inbuf). Return a REQUEST_SEND
			so that the data in outbuf is flushed before the remaining data in
			ssl->inbuf is parsed.
		 */
		if ((ssl->flags & SSL_FLAGS_FALSE_START) && buf != prevBuf) {
			ssl->inlen -= processed;
			psAssert(ssl->inlen > 0);
			psAssert((uint32)ssl->inlen == start);
			psAssert(buf > ssl->inbuf);
			memmove(ssl->inbuf, buf, ssl->inlen);	/* Pack ssl->inbuf */
			buf = ssl->inbuf;
			return MATRIXSSL_REQUEST_SEND;
		}
#endif
		/*
			This must be handshake data (or alert) or we'd be in PROCESS_DATA
			so there is no way there is anything left inside inbuf to process.
			...so processed isn't valid because the output params are outbuf
			related and we simply reset inlen
		*/
		ssl->inlen = 0;

		/* If alert, close connection after sending */
		if (alertDesc != SSL_ALERT_NONE) {
			ssl->bFlags |= BFLAG_CLOSE_AFTER_SENT;
		}
		psAssert(prevBuf == buf);
		psAssert(ssl->insize >= (int32)len);
		psAssert(start == 0);
		psAssert(buf == ssl->inbuf);
		if (ssl->outlen > 0) {
			/* If data's in outbuf, append inbuf.  This is a corner case that
				can happen if application data is queued but then incoming data
				is processed and discovered to be a re-handshake request.
				matrixSslDecode will have constructed the response flight but
				we don't want to forget about the app data we haven't sent */
			if (ssl->outlen + (int32)len > ssl->outsize) {
				if ((p = psRealloc(ssl->outbuf, ssl->outlen + len,
						ssl->bufferPool)) == NULL) {
					return PS_MEM_FAIL;
				}
				ssl->outbuf = p;
				ssl->outsize = ssl->outlen + len;
			}
			memcpy(ssl->outbuf + ssl->outlen, ssl->inbuf, len);
			ssl->outlen += len;
		} else { /* otherwise, swap inbuf and outbuf */
			buf = ssl->outbuf; ssl->outbuf = ssl->inbuf; ssl->inbuf = buf;
			ssl->outlen = len;
			len = ssl->outsize; ssl->outsize = ssl->insize; ssl->insize = len;
			buf = ssl->inbuf;
			len = ssl->outlen;
		}
		rc = MATRIXSSL_REQUEST_SEND;	/* We queued data to send out */
		break;

	case MATRIXSSL_ERROR:
		if (decodeErr >= 0) {
			//printf("THIS SHOULD BE A NEGATIVE VALUE?\n");
		}
		return decodeErr; /* Will be a negative value */

	case SSL_ALERT:
		if (alertLevel == SSL_ALERT_LEVEL_FATAL) {
			psTraceIntInfo("Received FATAL alert %d.\n", alertDesc);
		} else {
			/* Closure notify is the normal case */
			if (alertDesc == SSL_ALERT_CLOSE_NOTIFY) {
				psTraceInfo("Normal SSL closure alert\n");
			} else {
				psTraceIntInfo("Received WARNING alert %d\n", alertDesc);
			}
		}
		/* Let caller access the 2 data bytes (severity and description) */
#ifdef USE_TLS_1_1
		/* Been ignoring the explicit IV up to this final return point. */
		if ((ssl->flags & SSL_FLAGS_READ_SECURE) &&
				(ssl->flags & SSL_FLAGS_TLS_1_1) &&	(ssl->enBlockSize > 1)) {
			prevBuf += ssl->enBlockSize;
		}
#endif /* USE_TLS_1_1 */
		psAssert(len == 2);
		*ptbuf = prevBuf;
		*ptlen = len;
		ssl->inlen -= processed;
		return MATRIXSSL_RECEIVED_ALERT;

	case SSL_PARTIAL:
		if (reqLen > SSL_MAX_BUF_SIZE) {
			return PS_MEM_FAIL;
		}
		if (reqLen > (uint32)ssl->insize) {
			if ((p = psRealloc(ssl->inbuf, reqLen, ssl->bufferPool)) == NULL) {
				return PS_MEM_FAIL;
			}
			ssl->inbuf = p;
			ssl->insize = reqLen;
			buf = ssl->inbuf;
			/* Don't need to change inlen */
		}


		rc = MATRIXSSL_REQUEST_RECV;	/* Expecting more data */
		break;

	/* We've got outgoing data that's larger than our buffer */
	case SSL_FULL:
		if (reqLen > SSL_MAX_BUF_SIZE) {
			return PS_MEM_FAIL;
		}
		/* We balk if we get a large handshake message */
		if (reqLen > SSL_MAX_PLAINTEXT_LEN &&
				!matrixSslHandshakeIsComplete(ssl)) {
			if (reqLen > SSL_MAX_PLAINTEXT_LEN) {
				return PS_MEM_FAIL;
			}
		}
		/*
			Can't envision any possible case where there is remaining data
			in inbuf to process and are getting SSL_FULL.
		*/
		ssl->inlen = 0;

		/* Grow inbuf */
		if (reqLen > (uint32)ssl->insize) {
			len = ssl->inbuf - buf;
			if ((p = psRealloc(ssl->inbuf, reqLen, ssl->bufferPool)) == NULL) {
				return PS_MEM_FAIL;
			}
			ssl->inbuf = p;
			ssl->insize = reqLen;
			buf = ssl->inbuf + len;
			/* Note we leave inlen untouched here */
		} else {
			psTraceInfo("Encoding error. Possible wrong flight messagSize\n");
			return PS_PROTOCOL_FAIL;	/* error in our encoding */
		}
		goto DECODE_MORE;

	case SSL_PROCESS_DATA:
/*
		Possible we received a finished message and app data in the same
		flight. In this case, the caller is not notified that the handshake
		is complete, but rather is notified that there is application data to
		process.
 */
		if (!(ssl->bFlags & BFLAG_HS_COMPLETE) &&
			matrixSslHandshakeIsComplete(ssl)) {
			ssl->bFlags |= BFLAG_HS_COMPLETE;
#ifdef USE_CLIENT_SIDE_SSL
			matrixSslGetSessionId(ssl, ssl->sid);
#endif /* USE_CLIENT_SIDE_SSL */
		}
/*
		 .	prevbuf points to start of unencrypted data
		 .	buf points to start of any remaining unencrypted data
		 .	start is length of remaining encrypted data yet to decode
		 .	len is length of unencrypted data ready for user processing
 */
		ssl->inlen -= processed;
		psAssert((uint32)ssl->inlen == start);

		/* Call user plaintext data handler */
#ifdef USE_TLS_1_1
		/* Been ignoring the explicit IV up to this final return point. */
		/* NOTE: This test has been on enBlockSize for a very long time but
			it looks like it should be on deBlockSize since this a decryption.
			Changed and added an assert to see if these ever don't match */
		psAssert(ssl->enBlockSize == ssl->deBlockSize);
		if ((ssl->flags & SSL_FLAGS_READ_SECURE) &&
				(ssl->flags & SSL_FLAGS_TLS_1_1) &&	(ssl->deBlockSize > 1)) {
			len -= ssl->deBlockSize;
			prevBuf += ssl->deBlockSize;
		}
		/* END enBlockSize to deBlockSize change */
#endif /* USE_TLS_1_1 */
		*ptbuf = prevBuf;
		*ptlen = len;
#ifdef USE_DTLS
/*
		This flag is used in conjuction with flightDone in the buffer
		management API set to determine whether we are still in a handshake
		state for attempting flight resends. If we are getting app data we
		know for certain we are out of the hs states. Testing HandshakeComplete
		is not enough because you never know if the other side got FINISHED.
*/
		if (ssl->flags & SSL_FLAGS_DTLS) {
			ssl->appDataExch = 1;
		}
#endif
#ifdef USE_ZLIB_COMPRESSION
		if (ssl->compression > 0) {
			return MATRIXSSL_APP_DATA_COMPRESSED;
		}
#endif
		return MATRIXSSL_APP_DATA;
	} /* switch decodeRet */

	if (ssl->inlen > 0 && (buf != ssl->inbuf)) {
		psAssert(0);
	}
/*
	Shrink inbuf to default size once inlen < default size, and we aren't
	expecting any more data in the buffer. If SSL_PARTIAL, don't shrink the
	buffer, since we expect to fill it up shortly.
*/
	if (decodeRet != SSL_PARTIAL) {
		revertToDefaultBufsize(ssl, SSL_INBUF);
	}

	return rc;
}
コード例 #10
0
ファイル: matrixsslApi.c プロジェクト: Deadolus/ecc
/*
	Caller is indicating 'bytes' of data was written
 */
int32 matrixSslSentData(ssl_t *ssl, uint32 bytes)
{
	int32		rc;

	if (!ssl) {
		return PS_ARG_FAIL;
	}
	if (bytes == 0) {
		if (ssl->outlen > 0) {
			return MATRIXSSL_REQUEST_SEND;
		} else {
			return MATRIXSSL_SUCCESS;	/* Nothing to do */
		}
	}
	psAssert(ssl->outsize > 0 && ssl->outbuf != NULL);
	ssl->outlen -= bytes;

	rc = MATRIXSSL_SUCCESS;
	if (ssl->outlen > 0) {
		memmove(ssl->outbuf, ssl->outbuf + bytes, ssl->outlen);
		/* This was changed during 3.7.1 DTLS work.  The line below used to be:
			rc = MATRIXSSL_REQUEST_SEND; and it was possible for it to be
			overridden with HANDSHAKE_COMPLETE below.  This was a problem
			if only the ChangeCipherSpec portion of the final flight was
			just set becuase matrixSslHandshakeIsComplete would return 1
			because the state looks right. However, there would still be a
			FINISHED message sitting in outbuf when COMPLETE is returned.

			This seemed like a bigger problem than just the DTLS test case
			that caught it.  If the transport layer of straight TLS sent off
			only the CCS message for some reason, this would cause the same
			odd combo of COMPLETE but with a FINISHED message that hasn't
			been sent.

			It seems fine to return REQUEST_SEND whenever there is data left
			in the outgoing buffer but it is suspecious it wasn't written
			this way to begin with so maybe there was another corner case
			the COMPLETE was solving.  Hope not.

			In any case, it looks safe to make this a global change but if you
			are reading this because you are trying to track down a change in
			behavior in	matrixSslSentData, maybe this documentation will help.
		*/
		return MATRIXSSL_REQUEST_SEND;
	}
	/* 	If there's nothing left to flush, reallocate the buffer smaller. */
	if ((ssl->outlen == 0) && (ssl->bFlags & BFLAG_CLOSE_AFTER_SENT)) {
		/* We want to close the connection now */
		rc = MATRIXSSL_REQUEST_CLOSE;
	} else  {
		revertToDefaultBufsize(ssl, SSL_OUTBUF);
	}
	/* Indicate the handshake is complete, in this case, the finished message
		is being/has been just sent. Occurs in session resumption. */
	if (!(ssl->bFlags & BFLAG_HS_COMPLETE) &&
			matrixSslHandshakeIsComplete(ssl)) {
		ssl->bFlags |= BFLAG_HS_COMPLETE;
#ifdef USE_CLIENT_SIDE_SSL
		matrixSslGetSessionId(ssl, ssl->sid);
#endif /* USE_CLIENT_SIDE_SSL */
		rc = MATRIXSSL_HANDSHAKE_COMPLETE;
#ifdef USE_SSL_INFORMATIONAL_TRACE
		/* Client side resumed completion or server standard completion */
		matrixSslPrintHSDetails(ssl);
#endif
	}
	return rc;
}
コード例 #11
0
ファイル: ssl_io.c プロジェクト: alexgirao/ipsvd
void decode(void) {
  do {
    if (getdec) {
      len =decin.size -(decin.end -decin.buf);
      if ((len =read(fdstdin, decin.end, len)) < 0)
        fatal("unable to read from network");
      if (len == 0) {
        if (verbose > 2) info("eof reading from network");
        close(fdstdin); close(decpipe[1]);
        fdstdin =decpipe[1] =-1;
        return;
      }
      if (verbose > 2) infou("read bytes: ", len);
      bytesin +=len;
      decin.end +=len;
      getdec =0;
    }
    for (;;) {
      rc =matrixSslDecode(ssl, &decin, &decou, &error, &alvl, &adesc);
      if (rc == SSL_SUCCESS) break;
      if (rc == SSL_ERROR) {
        if (decou.end > decou.start)
          if (write(fdstdou, decou.start, decou.end -decou.start)
              != decou.end -decou.start) warn("unable to write to network");
        close(fdstdou); fdstdou =-1;
        fatals("ssl decode error", error);
      }
      if (rc == SSL_PROCESS_DATA) {
        if (write(decpipe[1], decou.start, decou.end -decou.start)
            != decou.end -decou.start) fatal("unable to write to prog");
        decou.start =decou.end =decou.buf;
        if (decin.start > decin.buf) { /* align */
          byte_copy(decin.buf, decin.end -decin.start, decin.start);
          decin.end -=decin.start -decin.buf;
          decin.start =decin.buf;
        }
        break;
      }
      if (rc == SSL_SEND_RESPONSE) {
        if (write(fdstdou, decou.start, decou.end -decou.start)
            != (decou.end -decou.start))
          fatal("unable to send ssl response");
        bytesou +=decou.end -decou.start;
        if (verbose > 2) info("sending ssl handshake response");
        if (verbose > 2) infou("write bytes: ", decou.end -decou.start);
        decou.start =decou.end =decou.buf;
        break;
      }
      if (rc == SSL_ALERT) {
        close(fdstdou); fdstdou =-1;
        if (adesc != SSL_ALERT_CLOSE_NOTIFY)
          fatals("ssl alert from peer", adesc);
        if (verbose > 2) info("ssl close notify from peer");
        finish();
        _exit(0);
      }
      if (rc == SSL_PARTIAL) {
        getdec =1;
        if (decin.size -(decin.end -decin.buf) < bufsizein) {
          if (! blowup(&decin, &decinbuf, bufsizein)) die_nomem();
          if (verbose > 1) infou("decode input buffer size: ", decin.size);
        }
        break;
      }
      if (rc == SSL_FULL) {
        if (! blowup(&decou, &decoubuf, bufsizeou)) die_nomem();
        if (verbose > 1) infou("decode output buffer size: ", decou.size);
        continue;
      }
    }
    if (decin.start == decin.end) {
      decin.start =decin.end =decin.buf;
      getdec =1;
    }
  } while (getdec == 0);
  if (handshake)
    if (matrixSslHandshakeIsComplete(ssl)) {
      handshake =0;
      if (verbose > 2) info("ssl handshake complete");
    }
}
コード例 #12
0
ファイル: matrixsslApi.c プロジェクト: sdhczw/winnermicro
/*
	Caller is indicating 'bytes' of data was written
 */
int32 matrixSslSentData(ssl_t *ssl, uint32 bytes)
{
	int32		rc;
	
	if (!ssl) {
		return PS_ARG_FAIL;
	}
	if (bytes == 0) {
		if (ssl->outlen > 0) {
			return MATRIXSSL_REQUEST_SEND;
		} else {
			return MATRIXSSL_SUCCESS;	/* Nothing to do */
		}
	}
	psAssert(ssl->outsize > 0 && ssl->outbuf != NULL);
	ssl->outlen -= bytes;

	rc = MATRIXSSL_SUCCESS;
	if (ssl->outlen > 0) {
		memmove(ssl->outbuf, ssl->outbuf + bytes, ssl->outlen);
		rc = MATRIXSSL_REQUEST_SEND;
	}
	/* 	If there's nothing left to flush, reallocate the buffer smaller. */
	if ((ssl->outlen == 0) && (ssl->bFlags & BFLAG_CLOSE_AFTER_SENT)) {
		/* We want to close the connection now */
		rc = MATRIXSSL_REQUEST_CLOSE;
	} else  {
		revertToDefaultBufsize(ssl, SSL_OUTBUF);
	}
	/* Indicate the handshake is complete, in this case, the finished message
		is being/has been just sent. Occurs in session resumption. */
	if (!(ssl->bFlags & BFLAG_HS_COMPLETE) && 
			matrixSslHandshakeIsComplete(ssl)) {
		ssl->bFlags |= BFLAG_HS_COMPLETE;
#ifdef USE_CLIENT_SIDE_SSL
		matrixSslGetSessionId(ssl, ssl->sid);
#endif /* USE_CLIENT_SIDE_SSL */
		rc = MATRIXSSL_HANDSHAKE_COMPLETE;
#ifdef USE_SSL_INFORMATIONAL_TRACE
		/* Client side resumed completion or server standard completion */
		matrixSslPrintHSDetails(ssl);
#endif
#ifdef USE_UNIFIED_PKCS11
	    /* Too ugly to track DTLS client/server/normal/resumed/rehandshake cases
			for deleting old crypto session objects for the minimum lifecycle
			so we're just looking for any leftover cases here when we are
			certain handshake is complete.

			NOTE: It is possible this oldCrypt will still be needed if the
			final flight is the CCS/FINISHED pair only and the application
			has built in the smarts to resend if no app data is received. This
			problem would manifest itself in a failed cipher init and the
			solution would be to hold off this free until application data
			is exchanged */
		if (ssl->sec.oldCrypt != CK_INVALID_HANDLE &&
				ssl->sec.oldCrypt != ssl->sec.pkcs11Ses) {
			pkcs11CloseSession(ssl->sec.oldCrypt);
			ssl->sec.oldCrypt = CK_INVALID_HANDLE;
		}
#endif		
	}
	return rc;
}