fix bug with dhe cbc mode

[zpackage] / crypto / tlse.c

diff --git a/crypto/tlse.c b/crypto/tlse.c
index 233fe26d9c410e04a9771f888b2b2443c41b9cc0..a49b447101f59c9bfbbd42bdc5246bbcf9eac515 100644 (file)
--- a/crypto/tlse.c
+++ b/crypto/tlse.c
@@ -61,8 +61,12 @@
 
 #define CHECK_HANDSHAKE_STATE(context, n, limit)  { if (context->hs_messages[n] >= limit) { DEBUG_PRINT("* UNEXPECTED MESSAGE (%i)\n", (int)n); payload_res = TLS_UNEXPECTED_MESSAGE; break; } context->hs_messages[n]++; }
 
-//#define MARK fprintf(stderr, "%s %s:%d\n", __FILE__, __func__, __LINE__)
-#define MARK
+#ifdef DEBUG
+int tls_indent = 0;
+int tls_indent_i = 0;
+#endif
+
+//#define MARK
 typedef enum {
        KEA_dhe_dss,
        KEA_dhe_rsa,
@@ -207,23 +211,65 @@ static uint32_t get24(const unsigned char *buf) {
        return res;
 }
 
+#ifdef DEBUG
+static char *packet_content_type(int type) {
+       switch (type) {
+               case 20: return "change_cipher_spec"; break;
+               case 21: return "alert"; break;
+               case 22: return "handshake"; break;
+               case 23: return "application_data"; break;
+               default: break;
+       }
+       return "unknown content type";
+}
+
+static char *packet_handshake_type(int type) {
+       switch (type) {
+               case 0: return "hello_request"; break;
+               case 1: return "client_hello"; break;
+               case 2: return "server_hello"; break;
+               case 11: return "certificate"; break;
+               case 12: return "server_key_exchange"; break;
+               case 13: return "certificate_request"; break;
+               case 14: return "server_hello_done"; break;
+               case 15: return "certificate_verify"; break;
+               case 16: return "client_key_exchange"; break;
+               case 20: return "finished"; break;
+               default: break;
+       }
+       return "unknown handshake type";
+}
+#endif
+
 size_t tls_queue_packet(struct TLSPacket *packet) {
+       ENTER;
        if (!packet) {
+               LEAVE;
                return -1;
        }
 
        struct TLSContext *context = packet->context;
 
        if (!context) {
+               LEAVE;
                return -1;
        }
 
+       DEBUG_PRINTLN("sending packet type %d %s\n", (int)packet->buf[0],
+                       packet_content_type(packet->buf[0]));
+       if (packet->buf[0] == 22) {
+               DEBUG_PRINTLN("handshake type %d %s\n", (int)packet->buf[5],
+                               packet_handshake_type(packet->buf[5])
+                               );
+       }
        tls_buffer_append(&context->output_buffer, packet->buf, packet->len);
        tls_destroy_packet(packet);
+       LEAVE;
        return context->output_buffer.len;
 }
 
 static void tls_send_change_cipher_spec(struct TLSContext *context) {
+       ENTER;
        struct TLSPacket *packet =
            tls_create_packet(context, TLS_CHANGE_CIPHER, context->version,
                              64);
@@ -231,6 +277,7 @@ static void tls_send_change_cipher_spec(struct TLSContext *context) {
        tls_packet_update(packet);
        context->local_sequence_number = 0;
        tls_queue_packet(packet);
+       LEAVE;
        return;
 }
 
@@ -277,6 +324,7 @@ static void tls_send_certificate(struct TLSContext *context) {
        int certificates_count;
        struct TLSCertificate **certificates;
 
+       ENTER;
        if (context->is_server) {
                certificates_count = context->certificates_count;
                certificates = context->certificates;
@@ -364,6 +412,7 @@ static void tls_send_certificate(struct TLSContext *context) {
        }
        tls_packet_update(packet);
        tls_queue_packet(packet);
+       LEAVE;
        return;
 }
 
@@ -1237,10 +1286,11 @@ static void tls_prf(struct TLSContext *context,
 }
 
 static void tls_send_finished(struct TLSContext *context) {
+       ENTER;
        struct TLSPacket *packet =
            tls_create_packet(context, TLS_HANDSHAKE, context->version,
                              TLS_MIN_FINISHED_OPAQUE_LEN + 64);
-       tls_packet_uint8(packet, 0x14);
+       tls_packet_uint8(packet, 20);
 
        if (context->tlsver == TLS_VERSION13) {
                tls_packet_uint24(packet, tls_mac_length(context));
@@ -1270,6 +1320,7 @@ static void tls_send_finished(struct TLSContext *context) {
 
                                /* TODO probably need to terminate */
                                tls_destroy_packet(packet);
+                               LEAVE;
                                return;
                        }
 
@@ -1309,6 +1360,7 @@ static void tls_send_finished(struct TLSContext *context) {
        tls_packet_update(packet);
        DEBUG_DUMP_HEX_LABEL("VERIFY DATA", out, out_size);
        tls_queue_packet(packet);
+       LEAVE;
        return;
 }
 
@@ -3330,6 +3382,7 @@ int tls_parse_certificate(struct TLSContext *context,
                res += certificate_size;
        }
        if (!valid_certificate) {
+               MARK;
                return TLS_UNSUPPORTED_CERTIFICATE;
        }
        if (res != buf_len) {
@@ -3531,6 +3584,7 @@ int tls_parse_server_key_exchange(struct TLSContext *context,
                DEBUG_PRINT("          dh_q: ");
                dh_res = parse_dh(&buf[res], buf_len - res, &dh_g, &dh_g_len);
                if (dh_res <= 0) {
+               MARK;
                        return TLS_BROKEN_PACKET;
                }
                res += dh_res;
@@ -3540,6 +3594,7 @@ int tls_parse_server_key_exchange(struct TLSContext *context,
                dh_res = parse_dh(&buf[res], buf_len - res, &dh_Ys,
                                &dh_Ys_len);
                if (dh_res <= 0) {
+               MARK;
                        return TLS_BROKEN_PACKET;
                }
                res += dh_res;
@@ -3702,6 +3757,7 @@ static int tls_parse_server_hello_done(const unsigned char *buf, int buf_len) {
                return TLS_NEED_MORE_DATA;
        }
 
+               MARK;
        res += size;
        return res;
 }
@@ -3822,6 +3878,7 @@ int tls_parse_finished(struct TLSContext *context,
 
        // fprintf(stderr, "set conn status = %d\n", context->connection_status);
 
+               MARK;
        res += size;
        return res;
 }
@@ -3949,6 +4006,7 @@ int tls_parse_verify(struct TLSContext *context, const unsigned char *buf,
 /* TODO This is actually a parse a handshake message */
 int tls_parse_payload(struct TLSContext *context, const unsigned char *buf,
                      int buf_len) {
+       ENTER;
        int orig_len = buf_len;
 
        
@@ -4241,7 +4299,6 @@ int tls_parse_payload(struct TLSContext *context, const unsigned char *buf,
                switch (write_packets) {
                        case 1:
                                if (context->client_verified == 2) {
-                                       DEBUG_PRINT("<= Building CERTIFICATE \n");
                                        tls_send_certificate(context);
                                        context->client_verified = 0;
                                }
@@ -4342,6 +4399,7 @@ int tls_parse_payload(struct TLSContext *context, const unsigned char *buf,
                buf += payload_size;
                buf_len -= payload_size;
        }
+       LEAVE;
        return orig_len;
 }
 
@@ -5270,6 +5328,7 @@ int tls_consume_stream(struct TLSContext *context) {
                /* This is the only place tls_parse_message is called */
                int consumed = tls_parse_message(context, buffer+index, length);
                if (consumed < 0) {
+                       fprintf(stderr, "parse message error: %d\n", consumed);
                        err_flag = consumed;
                        break;
                }
@@ -5602,6 +5661,7 @@ int tls_connect(struct TLSContext *context) {
                }
        MARK;
                if (tls_established(context)) {
+                       MARK;
                        return 1;
                }
        MARK;