Home Explore Help
Sign In
rotek
/
bt-67xx_universal_hw
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: fix
Branches Tags
bt-67xx_univers...
/
thirdparty
/
PolarSSL
/
library
/
ssl_cli.c

ssl_cli.c 23 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828 
  1. /*
    2. 

  2.  *  SSLv3/TLSv1 client-side functions
    3. 

  3.  *
    4. 

  4.  *  Copyright (C) 2006-2010, Brainspark B.V.
    5. 

  5.  *
    6. 

  6.  *  This file is part of PolarSSL (http://www.polarssl.org)
    7. 

  7.  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
    8. 

  8.  *
    9. 

  9.  *  All rights reserved.
    10. 

  10.  *
    11. 

  11.  *  This program is free software; you can redistribute it and/or modify
    12. 

  12.  *  it under the terms of the GNU General Public License as published by
    13. 

  13.  *  the Free Software Foundation; either version 2 of the License, or
    14. 

  14.  *  (at your option) any later version.
    15. 

  15.  *
    16. 

  16.  *  This program is distributed in the hope that it will be useful,
    17. 

  17.  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
    18. 

  18.  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    19. 

  19.  *  GNU General Public License for more details.
    20. 

  20.  *
    21. 

  21.  *  You should have received a copy of the GNU General Public License along
    22. 

  22.  *  with this program; if not, write to the Free Software Foundation, Inc.,
    23. 

  23.  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    24. 

  24.  */
    25. 

  25. 

  26. #include "config.h"
    27. 

  27. 

  28. #if defined(POLARSSL_SSL_CLI_C)
    29. 

  29. 

  30. #include "polarssl/debug.h"
    31. 

  31. #include "polarssl/ssl.h"
    32. 

  32. 

  33. #if defined(POLARSSL_PKCS11_C)
    34. 

  34. #include "polarssl/pkcs11.h"
    35. 

  35. #endif /* defined(POLARSSL_PKCS11_C) */
    36. 

  36. 

  37. #include <stdlib.h>
    38. 

  38. #ifdef PRINTF_STDLIB
    39. 

  39. #include <stdio.h>
    40. 

  40. #endif
    41. 

  41. #ifdef PRINTF_CUSTOM
    42. 

  42. #include "tinystdio.h"
    43. 

  43. #endif
    44. 

  44. #include <time.h>
    45. 

  45. 

  46. static int ssl_write_client_hello( ssl_context *ssl )
    47. 

  47. {
    48. 

  48.     int ret;
    49. 

  49.     size_t i, n;
    50. 

  50.     unsigned char *buf;
    51. 

  51.     unsigned char *p;
    52. 

  52.     time_t t;
    53. 

  53. 

  54.     SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
    55. 

  55. 

  56.     ssl->major_ver = SSL_MAJOR_VERSION_3;
    57. 

  57.     ssl->minor_ver = SSL_MINOR_VERSION_0;
    58. 

  58. 

  59.     ssl->max_major_ver = SSL_MAJOR_VERSION_3;
    60. 

  60.     ssl->max_minor_ver = SSL_MINOR_VERSION_2;
    61. 

  61. 

  62.     /*
    63. 

  63.      *     0  .   0   handshake type
    64. 

  64.      *     1  .   3   handshake length
    65. 

  65.      *     4  .   5   highest version supported
    66. 

  66.      *     6  .   9   current UNIX time
    67. 

  67.      *    10  .  37   random bytes
    68. 

  68.      */
    69. 

  69.     buf = ssl->out_msg;
    70. 

  70.     p = buf + 4;
    71. 

  71. 

  72.     *p++ = (unsigned char) ssl->max_major_ver;
    73. 

  73.     *p++ = (unsigned char) ssl->max_minor_ver;
    74. 

  74. 

  75.     SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
    76. 

  76.                    buf[4], buf[5] ) );
    77. 

  77. 

  78.     t = time( NULL );
    79. 

  79.     *p++ = (unsigned char)( t >> 24 );
    80. 

  80.     *p++ = (unsigned char)( t >> 16 );
    81. 

  81.     *p++ = (unsigned char)( t >>  8 );
    82. 

  82.     *p++ = (unsigned char)( t       );
    83. 

  83. 

  84.     SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
    85. 

  85. 

  86.     for( i = 28; i > 0; i-- )
    87. 

  87.         *p++ = (unsigned char) ssl->f_rng( ssl->p_rng );
    88. 

  88. 

  89.     memcpy( ssl->randbytes, buf + 6, 32 );
    90. 

  90. 

  91.     SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
    92. 

  92. 

  93.     /*
    94. 

  94.      *    38  .  38   session id length
    95. 

  95.      *    39  . 39+n  session id
    96. 

  96.      *   40+n . 41+n  ciphersuitelist length
    97. 

  97.      *   42+n . ..    ciphersuitelist
    98. 

  98.      *   ..   . ..    compression alg. (0)
    99. 

  99.      *   ..   . ..    extensions (unused)
    100. 

  100.      */
    101. 

  101.     n = ssl->session->length;
    102. 

  102. 

  103.     if( n < 16 || n > 32 || ssl->resume == 0 ||
    104. 

  104.         ( ssl->timeout != 0 && t - ssl->session->start > ssl->timeout ) )
    105. 

  105.         n = 0;
    106. 

  106. 

  107.     *p++ = (unsigned char) n;
    108. 

  108. 

  109.     for( i = 0; i < n; i++ )
    110. 

  110.         *p++ = ssl->session->id[i];
    111. 

  111. 

  112.     SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
    113. 

  113.     SSL_DEBUG_BUF( 3,   "client hello, session id", buf + 39, n );
    114. 

  114. 

  115.     for( n = 0; ssl->ciphersuites[n] != 0; n++ );
    116. 

  116.     *p++ = (unsigned char)( n >> 7 );
    117. 

  117.     *p++ = (unsigned char)( n << 1 );
    118. 

  118. 

  119.     SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
    120. 

  120. 

  121.     for( i = 0; i < n; i++ )
    122. 

  122.     {
    123. 

  123.         SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
    124. 

  124.                        ssl->ciphersuites[i] ) );
    125. 

  125. 

  126.         *p++ = (unsigned char)( ssl->ciphersuites[i] >> 8 );
    127. 

  127.         *p++ = (unsigned char)( ssl->ciphersuites[i]      );
    128. 

  128.     }
    129. 

  129. 

  130.     SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
    131. 

  131.     SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 0 ) );
    132. 

  132. 

  133.     *p++ = 1;
    134. 

  134.     *p++ = SSL_COMPRESS_NULL;
    135. 

  135. 

  136.     if ( ssl->hostname != NULL )
    137. 

  137.     {
    138. 

  138.         SSL_DEBUG_MSG( 3, ( "client hello, server name extension: %s",
    139. 

  139.                        ssl->hostname ) );
    140. 

  140. 

  141.         *p++ = (unsigned char)( ( (ssl->hostname_len + 9) >> 8 ) & 0xFF );
    142. 

  142.         *p++ = (unsigned char)( ( (ssl->hostname_len + 9)      ) & 0xFF );
    143. 

  143. 

  144.         *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
    145. 

  145.         *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME      ) & 0xFF );
    146. 

  146. 

  147.         *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
    148. 

  148.         *p++ = (unsigned char)( ( (ssl->hostname_len + 5)      ) & 0xFF );
    149. 

  149. 

  150.         *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
    151. 

  151.         *p++ = (unsigned char)( ( (ssl->hostname_len + 3)      ) & 0xFF );
    152. 

  152. 

  153.         *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
    154. 

  154.         *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
    155. 

  155.         *p++ = (unsigned char)( ( ssl->hostname_len      ) & 0xFF );
    156. 

  156. 

  157.         memcpy( p, ssl->hostname, ssl->hostname_len );
    158. 

  158. 

  159.         p += ssl->hostname_len;
    160. 

  160.     }
    161. 

  161. 

  162.     ssl->out_msglen  = p - buf;
    163. 

  163.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    164. 

  164.     ssl->out_msg[0]  = SSL_HS_CLIENT_HELLO;
    165. 

  165. 

  166.     ssl->state++;
    167. 

  167. 

  168.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    169. 

  169.     {
    170. 

  170.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    171. 

  171.         return( ret );
    172. 

  172.     }
    173. 

  173. 

  174.     SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
    175. 

  175. 

  176.     return( 0 );
    177. 

  177. }
    178. 

  178. 

  179. static int ssl_parse_server_hello( ssl_context *ssl )
    180. 

  180. {
    181. 

  181.     time_t t;
    182. 

  182.     int ret, i;
    183. 

  183.     size_t n;
    184. 

  184.     int ext_len;
    185. 

  185.     unsigned char *buf;
    186. 

  186. 

  187.     SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
    188. 

  188. 

  189.     /*
    190. 

  190.      *     0  .   0   handshake type
    191. 

  191.      *     1  .   3   handshake length
    192. 

  192.      *     4  .   5   protocol version
    193. 

  193.      *     6  .   9   UNIX time()
    194. 

  194.      *    10  .  37   random bytes
    195. 

  195.      */
    196. 

  196.     buf = ssl->in_msg;
    197. 

  197. 

  198.     if( ( ret = ssl_read_record( ssl ) ) != 0 )
    199. 

  199.     {
    200. 

  200.         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    201. 

  201.         return( ret );
    202. 

  202.     }
    203. 

  203. 

  204.     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    205. 

  205.     {
    206. 

  206.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    207. 

  207.         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    208. 

  208.     }
    209. 

  209. 

  210.     SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
    211. 

  211.                    buf[4], buf[5] ) );
    212. 

  212. 

  213.     if( ssl->in_hslen < 42 ||
    214. 

  214.         buf[0] != SSL_HS_SERVER_HELLO ||
    215. 

  215.         buf[4] != SSL_MAJOR_VERSION_3 )
    216. 

  216.     {
    217. 

  217.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    218. 

  218.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    219. 

  219.     }
    220. 

  220. 

  221.     if( buf[5] > ssl->max_minor_ver )
    222. 

  222.     {
    223. 

  223.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    224. 

  224.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    225. 

  225.     }
    226. 

  226. 

  227.     ssl->minor_ver = buf[5];
    228. 

  228. 

  229.     t = ( (time_t) buf[6] << 24 )
    230. 

  230.       | ( (time_t) buf[7] << 16 )
    231. 

  231.       | ( (time_t) buf[8] <<  8 )
    232. 

  232.       | ( (time_t) buf[9]       );
    233. 

  233. 

  234.     memcpy( ssl->randbytes + 32, buf + 6, 32 );
    235. 

  235. 

  236.     n = buf[38];
    237. 

  237. 

  238.     SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
    239. 

  239.     SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 6, 32 );
    240. 

  240. 

  241.     /*
    242. 

  242.      *    38  .  38   session id length
    243. 

  243.      *    39  . 38+n  session id
    244. 

  244.      *   39+n . 40+n  chosen ciphersuite
    245. 

  245.      *   41+n . 41+n  chosen compression alg.
    246. 

  246.      *   42+n . 43+n  extensions length
    247. 

  247.      *   44+n . 44+n+m extensions
    248. 

  248.      */
    249. 

  249.     if( n > 32 || ssl->in_hslen > 42 + n )
    250. 

  250.     {
    251. 

  251.         ext_len = ( ( buf[42 + n] <<  8 )
    252. 

  252.                   | ( buf[43 + n]       ) ) + 2;
    253. 

  253.     }
    254. 

  254.     else
    255. 

  255.     {
    256. 

  256.         ext_len = 0;
    257. 

  257.     }
    258. 

  258. 

  259.     if( n > 32 || ssl->in_hslen != 42 + n + ext_len )
    260. 

  260.     {
    261. 

  261.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    262. 

  262.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    263. 

  263.     }
    264. 

  264. 

  265.     i = ( buf[39 + n] << 8 ) | buf[40 + n];
    266. 

  266. 

  267.     SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
    268. 

  268.     SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
    269. 

  269. 

  270.     /*
    271. 

  271.      * Check if the session can be resumed
    272. 

  272.      */
    273. 

  273.     if( ssl->resume == 0 || n == 0 ||
    274. 

  274.         ssl->session->ciphersuite != i ||
    275. 

  275.         ssl->session->length != n ||
    276. 

  276.         memcmp( ssl->session->id, buf + 39, n ) != 0 )
    277. 

  277.     {
    278. 

  278.         ssl->state++;
    279. 

  279.         ssl->resume = 0;
    280. 

  280.         ssl->session->start = time( NULL );
    281. 

  281.         ssl->session->ciphersuite = i;
    282. 

  282.         ssl->session->length = n;
    283. 

  283.         memcpy( ssl->session->id, buf + 39, n );
    284. 

  284.     }
    285. 

  285.     else
    286. 

  286.     {
    287. 

  287.         ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
    288. 

  288. 

  289.         if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
    290. 

  290.         {
    291. 

  291.             SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
    292. 

  292.             return( ret );
    293. 

  293.         }
    294. 

  294.     }
    295. 

  295. 

  296.     SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
    297. 

  297.                    ssl->resume ? "a" : "no" ) );
    298. 

  298. 

  299.     SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
    300. 

  300.     SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
    301. 

  301. 

  302.     i = 0;
    303. 

  303.     while( 1 )
    304. 

  304.     {
    305. 

  305.         if( ssl->ciphersuites[i] == 0 )
    306. 

  306.         {
    307. 

  307.             SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    308. 

  308.             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    309. 

  309.         }
    310. 

  310. 

  311.         if( ssl->ciphersuites[i++] == ssl->session->ciphersuite )
    312. 

  312.             break;
    313. 

  313.     }
    314. 

  314. 

  315.     if( buf[41 + n] != SSL_COMPRESS_NULL )
    316. 

  316.     {
    317. 

  317.         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
    318. 

  318.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
    319. 

  319.     }
    320. 

  320. 

  321.     /* TODO: Process extensions */
    322. 

  322. 

  323.     SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
    324. 

  324. 

  325.     return( 0 );
    326. 

  326. }
    327. 

  327. 

  328. static int ssl_parse_server_key_exchange( ssl_context *ssl )
    329. 

  329. {
    330. 

  330. #if defined(POLARSSL_DHM_C)
    331. 

  331.     int ret;
    332. 

  332.     size_t n;
    333. 

  333.     unsigned char *p, *end;
    334. 

  334.     unsigned char hash[36];
    335. 

  335.     md5_context md5;
    336. 

  336.     sha1_context sha1;
    337. 

  337. #endif
    338. 

  338. 

  339.     SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
    340. 

  340. 

  341.     if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
    342. 

  342.         ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
    343. 

  343.         ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
    344. 

  344.         ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
    345. 

  345.         ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
    346. 

  346.     {
    347. 

  347.         SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
    348. 

  348.         ssl->state++;
    349. 

  349.         return( 0 );
    350. 

  350.     }
    351. 

  351. 

  352. #if !defined(POLARSSL_DHM_C)
    353. 

  353.     SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
    354. 

  354.     return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
    355. 

  355. #else
    356. 

  356.     if( ( ret = ssl_read_record( ssl ) ) != 0 )
    357. 

  357.     {
    358. 

  358.         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    359. 

  359.         return( ret );
    360. 

  360.     }
    361. 

  361. 

  362.     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    363. 

  363.     {
    364. 

  364.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    365. 

  365.         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    366. 

  366.     }
    367. 

  367. 

  368.     if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
    369. 

  369.     {
    370. 

  370.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    371. 

  371.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    372. 

  372.     }
    373. 

  373. 

  374.     /*
    375. 

  375.      * Ephemeral DH parameters:
    376. 

  376.      *
    377. 

  377.      * struct {
    378. 

  378.      *     opaque dh_p<1..2^16-1>;
    379. 

  379.      *     opaque dh_g<1..2^16-1>;
    380. 

  380.      *     opaque dh_Ys<1..2^16-1>;
    381. 

  381.      * } ServerDHParams;
    382. 

  382.      */
    383. 

  383.     p   = ssl->in_msg + 4;
    384. 

  384.     end = ssl->in_msg + ssl->in_hslen;
    385. 

  385. 

  386.     if( ( ret = dhm_read_params( &ssl->dhm_ctx, &p, end ) ) != 0 )
    387. 

  387.     {
    388. 

  388.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    389. 

  389.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    390. 

  390.     }
    391. 

  391. 

  392.     if( (unsigned int)( end - p ) != ssl->peer_cert->rsa.len )
    393. 

  393.     {
    394. 

  394.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    395. 

  395.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    396. 

  396.     }
    397. 

  397. 

  398.     if( ssl->dhm_ctx.len < 64 || ssl->dhm_ctx.len > 256 )
    399. 

  399.     {
    400. 

  400.         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
    401. 

  401.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    402. 

  402.     }
    403. 

  403. 

  404.     SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P  );
    405. 

  405.     SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G  );
    406. 

  406.     SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY );
    407. 

  407. 

  408.     /*
    409. 

  409.      * digitally-signed struct {
    410. 

  410.      *     opaque md5_hash[16];
    411. 

  411.      *     opaque sha_hash[20];
    412. 

  412.      * };
    413. 

  413.      *
    414. 

  414.      * md5_hash
    415. 

  415.      *     MD5(ClientHello.random + ServerHello.random
    416. 

  416.      *                            + ServerParams);
    417. 

  417.      * sha_hash
    418. 

  418.      *     SHA(ClientHello.random + ServerHello.random
    419. 

  419.      *                            + ServerParams);
    420. 

  420.      */
    421. 

  421.     n = ssl->in_hslen - ( end - p ) - 6;
    422. 

  422. 

  423.     md5_starts( &md5 );
    424. 

  424.     md5_update( &md5, ssl->randbytes, 64 );
    425. 

  425.     md5_update( &md5, ssl->in_msg + 4, n );
    426. 

  426.     md5_finish( &md5, hash );
    427. 

  427. 

  428.     sha1_starts( &sha1 );
    429. 

  429.     sha1_update( &sha1, ssl->randbytes, 64 );
    430. 

  430.     sha1_update( &sha1, ssl->in_msg + 4, n );
    431. 

  431.     sha1_finish( &sha1, hash + 16 );
    432. 

  432. 

  433.     SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 );
    434. 

  434. 

  435.     if( ( ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC,
    436. 

  436.                                   SIG_RSA_RAW, 36, hash, p ) ) != 0 )
    437. 

  437.     {
    438. 

  438.         SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
    439. 

  439.         return( ret );
    440. 

  440.     }
    441. 

  441. 

  442.     ssl->state++;
    443. 

  443. 

  444.     SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
    445. 

  445. 

  446.     return( 0 );
    447. 

  447. #endif
    448. 

  448. }
    449. 

  449. 

  450. static int ssl_parse_certificate_request( ssl_context *ssl )
    451. 

  451. {
    452. 

  452.     int ret;
    453. 

  453. 

  454.     SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
    455. 

  455. 

  456.     /*
    457. 

  457.      *     0  .   0   handshake type
    458. 

  458.      *     1  .   3   handshake length
    459. 

  459.      *     4  .   5   SSL version
    460. 

  460.      *     6  .   6   cert type count
    461. 

  461.      *     7  .. n-1  cert types
    462. 

  462.      *     n  .. n+1  length of all DNs
    463. 

  463.      *    n+2 .. n+3  length of DN 1
    464. 

  464.      *    n+4 .. ...  Distinguished Name #1
    465. 

  465.      *    ... .. ...  length of DN 2, etc.
    466. 

  466.      */
    467. 

  467.     if( ( ret = ssl_read_record( ssl ) ) != 0 )
    468. 

  468.     {
    469. 

  469.         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    470. 

  470.         return( ret );
    471. 

  471.     }
    472. 

  472. 

  473.     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    474. 

  474.     {
    475. 

  475.         SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
    476. 

  476.         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    477. 

  477.     }
    478. 

  478. 

  479.     ssl->client_auth = 0;
    480. 

  480.     ssl->state++;
    481. 

  481. 

  482.     if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
    483. 

  483.         ssl->client_auth++;
    484. 

  484. 

  485.     SSL_DEBUG_MSG( 3, ( "got %s certificate request",
    486. 

  486.                         ssl->client_auth ? "a" : "no" ) );
    487. 

  487. 

  488.     SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
    489. 

  489. 

  490.     return( 0 );
    491. 

  491. }
    492. 

  492. 

  493. static int ssl_parse_server_hello_done( ssl_context *ssl )
    494. 

  494. {
    495. 

  495.     int ret;
    496. 

  496. 

  497.     SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
    498. 

  498. 

  499.     if( ssl->client_auth != 0 )
    500. 

  500.     {
    501. 

  501.         if( ( ret = ssl_read_record( ssl ) ) != 0 )
    502. 

  502.         {
    503. 

  503.             SSL_DEBUG_RET( 1, "ssl_read_record", ret );
    504. 

  504.             return( ret );
    505. 

  505.         }
    506. 

  506. 

  507.         if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
    508. 

  508.         {
    509. 

  509.             SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
    510. 

  510.             return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
    511. 

  511.         }
    512. 

  512.     }
    513. 

  513. 

  514.     if( ssl->in_hslen  != 4 ||
    515. 

  515.         ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
    516. 

  516.     {
    517. 

  517.         SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
    518. 

  518.         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
    519. 

  519.     }
    520. 

  520. 

  521.     ssl->state++;
    522. 

  522. 

  523.     SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
    524. 

  524. 

  525.     return( 0 );
    526. 

  526. }
    527. 

  527. 

  528. static int ssl_write_client_key_exchange( ssl_context *ssl )
    529. 

  529. {
    530. 

  530.     int ret;
    531. 

  531.     size_t i, n;
    532. 

  532. 

  533.     SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
    534. 

  534. 

  535.     if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
    536. 

  536.         ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
    537. 

  537.         ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
    538. 

  538.         ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
    539. 

  539.         ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
    540. 

  540.     {
    541. 

  541. #if !defined(POLARSSL_DHM_C)
    542. 

  542.         SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
    543. 

  543.         return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
    544. 

  544. #else
    545. 

  545.         /*
    546. 

  546.          * DHM key exchange -- send G^X mod P
    547. 

  547.          */
    548. 

  548.         n = ssl->dhm_ctx.len;
    549. 

  549. 

  550.         ssl->out_msg[4] = (unsigned char)( n >> 8 );
    551. 

  551.         ssl->out_msg[5] = (unsigned char)( n      );
    552. 

  552.         i = 6;
    553. 

  553. 

  554.         ret = dhm_make_public( &ssl->dhm_ctx, 256,
    555. 

  555.                                &ssl->out_msg[i], n,
    556. 

  556.                                 ssl->f_rng, ssl->p_rng );
    557. 

  557.         if( ret != 0 )
    558. 

  558.         {
    559. 

  559.             SSL_DEBUG_RET( 1, "dhm_make_public", ret );
    560. 

  560.             return( ret );
    561. 

  561.         }
    562. 

  562. 

  563.         SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X  );
    564. 

  564.         SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX );
    565. 

  565. 

  566.         ssl->pmslen = ssl->dhm_ctx.len;
    567. 

  567. 

  568.         if( ( ret = dhm_calc_secret( &ssl->dhm_ctx,
    569. 

  569.                                       ssl->premaster,
    570. 

  570.                                      &ssl->pmslen ) ) != 0 )
    571. 

  571.         {
    572. 

  572.             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
    573. 

  573.             return( ret );
    574. 

  574.         }
    575. 

  575. 

  576.         SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K  );
    577. 

  577. #endif
    578. 

  578.     }
    579. 

  579.     else
    580. 

  580.     {
    581. 

  581.         /*
    582. 

  582.          * RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
    583. 

  583.          */
    584. 

  584.         ssl->premaster[0] = (unsigned char) ssl->max_major_ver;
    585. 

  585.         ssl->premaster[1] = (unsigned char) ssl->max_minor_ver;
    586. 

  586.         ssl->pmslen = 48;
    587. 

  587. 

  588.         for( i = 2; i < ssl->pmslen; i++ )
    589. 

  589.             ssl->premaster[i] = (unsigned char) ssl->f_rng( ssl->p_rng );
    590. 

  590. 

  591.         i = 4;
    592. 

  592.         n = ssl->peer_cert->rsa.len;
    593. 

  593. 

  594.         if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
    595. 

  595.         {
    596. 

  596.             i += 2;
    597. 

  597.             ssl->out_msg[4] = (unsigned char)( n >> 8 );
    598. 

  598.             ssl->out_msg[5] = (unsigned char)( n      );
    599. 

  599.         }
    600. 

  600. 

  601.         ret = rsa_pkcs1_encrypt( &ssl->peer_cert->rsa,
    602. 

  602.                                   ssl->f_rng, ssl->p_rng,
    603. 

  603.                                   RSA_PUBLIC,
    604. 

  604.                                   ssl->pmslen, ssl->premaster,
    605. 

  605.                                   ssl->out_msg + i );
    606. 

  606.         if( ret != 0 )
    607. 

  607.         {
    608. 

  608.             SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
    609. 

  609.             return( ret );
    610. 

  610.         }
    611. 

  611.     }
    612. 

  612. 

  613.     if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
    614. 

  614.     {
    615. 

  615.         SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
    616. 

  616.         return( ret );
    617. 

  617.     }
    618. 

  618. 

  619.     ssl->out_msglen  = i + n;
    620. 

  620.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    621. 

  621.     ssl->out_msg[0]  = SSL_HS_CLIENT_KEY_EXCHANGE;
    622. 

  622. 

  623.     ssl->state++;
    624. 

  624. 

  625.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    626. 

  626.     {
    627. 

  627.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    628. 

  628.         return( ret );
    629. 

  629.     }
    630. 

  630. 

  631.     SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
    632. 

  632. 

  633.     return( 0 );
    634. 

  634. }
    635. 

  635. 

  636. static int ssl_write_certificate_verify( ssl_context *ssl )
    637. 

  637. {
    638. 

  638.     int ret = 0;
    639. 

  639.     size_t n = 0;
    640. 

  640.     unsigned char hash[36];
    641. 

  641. 

  642.     SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
    643. 

  643. 

  644.     if( ssl->client_auth == 0 || ssl->own_cert == NULL )
    645. 

  645.     {
    646. 

  646.         SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
    647. 

  647.         ssl->state++;
    648. 

  648.         return( 0 );
    649. 

  649.     }
    650. 

  650. 

  651.     if( ssl->rsa_key == NULL )
    652. 

  652.     {
    653. 

  653. #if defined(POLARSSL_PKCS11_C)
    654. 

  654.         if( ssl->pkcs11_key == NULL )
    655. 

  655.         {
    656. 

  656. #endif /* defined(POLARSSL_PKCS11_C) */
    657. 

  657.             SSL_DEBUG_MSG( 1, ( "got no private key" ) );
    658. 

  658.             return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
    659. 

  659. #if defined(POLARSSL_PKCS11_C)
    660. 

  660.         }
    661. 

  661. #endif /* defined(POLARSSL_PKCS11_C) */
    662. 

  662.     }
    663. 

  663. 

  664.     /*
    665. 

  665.      * Make an RSA signature of the handshake digests
    666. 

  666.      */
    667. 

  667.     ssl_calc_verify( ssl, hash );
    668. 

  668. 

  669.     if ( ssl->rsa_key )
    670. 

  670.         n = ssl->rsa_key->len;
    671. 

  671. #if defined(POLARSSL_PKCS11_C)
    672. 

  672.     else
    673. 

  673.         n = ssl->pkcs11_key->len;
    674. 

  674. #endif  /* defined(POLARSSL_PKCS11_C) */
    675. 

  675. 

  676.     ssl->out_msg[4] = (unsigned char)( n >> 8 );
    677. 

  677.     ssl->out_msg[5] = (unsigned char)( n      );
    678. 

  678. 

  679.     if( ssl->rsa_key )
    680. 

  680.     {
    681. 

  681.         ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
    682. 

  682.                                     RSA_PRIVATE, SIG_RSA_RAW,
    683. 

  683.                                     36, hash, ssl->out_msg + 6 );
    684. 

  684.     } else {
    685. 

  685. #if defined(POLARSSL_PKCS11_C)
    686. 

  686.         ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE, SIG_RSA_RAW,
    687. 

  687.                                     36, hash, ssl->out_msg + 6 );
    688. 

  688. #endif  /* defined(POLARSSL_PKCS11_C) */
    689. 

  689.     }
    690. 

  690. 

  691.     if (ret != 0)
    692. 

  692.     {
    693. 

  693.         SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
    694. 

  694.         return( ret );
    695. 

  695.     }
    696. 

  696. 

  697.     ssl->out_msglen  = 6 + n;
    698. 

  698.     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
    699. 

  699.     ssl->out_msg[0]  = SSL_HS_CERTIFICATE_VERIFY;
    700. 

  700. 

  701.     ssl->state++;
    702. 

  702. 

  703.     if( ( ret = ssl_write_record( ssl ) ) != 0 )
    704. 

  704.     {
    705. 

  705.         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
    706. 

  706.         return( ret );
    707. 

  707.     }
    708. 

  708. 

  709.     SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
    710. 

  710. 

  711.     return( 0 );
    712. 

  712. }
    713. 

  713. 

  714. /*
    715. 

  715.  * SSL handshake -- client side
    716. 

  716.  */
    717. 

  717. int ssl_handshake_client( ssl_context *ssl )
    718. 

  718. {
    719. 

  719.     int ret = 0;
    720. 

  720. 

  721.     SSL_DEBUG_MSG( 2, ( "=> handshake client" ) );
    722. 

  722. 

  723.     while( ssl->state != SSL_HANDSHAKE_OVER )
    724. 

  724.     {
    725. 

  725.         SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
    726. 

  726. 

  727.         if( ( ret = ssl_flush_output( ssl ) ) != 0 )
    728. 

  728.             break;
    729. 

  729. 

  730.         switch( ssl->state )
    731. 

  731.         {
    732. 

  732.             case SSL_HELLO_REQUEST:
    733. 

  733.                 ssl->state = SSL_CLIENT_HELLO;
    734. 

  734.                 break;
    735. 

  735. 

  736.             /*
    737. 

  737.              *  ==>   ClientHello
    738. 

  738.              */
    739. 

  739.             case SSL_CLIENT_HELLO:
    740. 

  740.                 ret = ssl_write_client_hello( ssl );
    741. 

  741.                 break;
    742. 

  742. 

  743.             /*
    744. 

  744.              *  <==   ServerHello
    745. 

  745.              *        Certificate
    746. 

  746.              *      ( ServerKeyExchange  )
    747. 

  747.              *      ( CertificateRequest )
    748. 

  748.              *        ServerHelloDone
    749. 

  749.              */
    750. 

  750.             case SSL_SERVER_HELLO:
    751. 

  751.                 ret = ssl_parse_server_hello( ssl );
    752. 

  752.                 break;
    753. 

  753. 

  754.             case SSL_SERVER_CERTIFICATE:
    755. 

  755.                 ret = ssl_parse_certificate( ssl );
    756. 

  756.                 break;
    757. 

  757. 

  758.             case SSL_SERVER_KEY_EXCHANGE:
    759. 

  759.                 ret = ssl_parse_server_key_exchange( ssl );
    760. 

  760.                 break;
    761. 

  761. 

  762.             case SSL_CERTIFICATE_REQUEST:
    763. 

  763.                 ret = ssl_parse_certificate_request( ssl );
    764. 

  764.                 break;
    765. 

  765. 

  766.             case SSL_SERVER_HELLO_DONE:
    767. 

  767.                 ret = ssl_parse_server_hello_done( ssl );
    768. 

  768.                 break;
    769. 

  769. 

  770.             /*
    771. 

  771.              *  ==> ( Certificate/Alert  )
    772. 

  772.              *        ClientKeyExchange
    773. 

  773.              *      ( CertificateVerify  )
    774. 

  774.              *        ChangeCipherSpec
    775. 

  775.              *        Finished
    776. 

  776.              */
    777. 

  777.             case SSL_CLIENT_CERTIFICATE:
    778. 

  778.                 ret = ssl_write_certificate( ssl );
    779. 

  779.                 break;
    780. 

  780. 

  781.             case SSL_CLIENT_KEY_EXCHANGE:
    782. 

  782.                 ret = ssl_write_client_key_exchange( ssl );
    783. 

  783.                 break;
    784. 

  784. 

  785.             case SSL_CERTIFICATE_VERIFY:
    786. 

  786.                 ret = ssl_write_certificate_verify( ssl );
    787. 

  787.                 break;
    788. 

  788. 

  789.             case SSL_CLIENT_CHANGE_CIPHER_SPEC:
    790. 

  790.                 ret = ssl_write_change_cipher_spec( ssl );
    791. 

  791.                 break;
    792. 

  792. 

  793.             case SSL_CLIENT_FINISHED:
    794. 

  794.                 ret = ssl_write_finished( ssl );
    795. 

  795.                 break;
    796. 

  796. 

  797.             /*
    798. 

  798.              *  <==   ChangeCipherSpec
    799. 

  799.              *        Finished
    800. 

  800.              */
    801. 

  801.             case SSL_SERVER_CHANGE_CIPHER_SPEC:
    802. 

  802.                 ret = ssl_parse_change_cipher_spec( ssl );
    803. 

  803.                 break;
    804. 

  804. 

  805.             case SSL_SERVER_FINISHED:
    806. 

  806.                 ret = ssl_parse_finished( ssl );
    807. 

  807.                 break;
    808. 

  808. 

  809.             case SSL_FLUSH_BUFFERS:
    810. 

  810.                 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
    811. 

  811.                 ssl->state = SSL_HANDSHAKE_OVER;
    812. 

  812.                 break;
    813. 

  813. 

  814.             default:
    815. 

  815.                 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
    816. 

  816.                 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
    817. 

  817.         }
    818. 

  818. 

  819.         if( ret != 0 )
    820. 

  820.             break;
    821. 

  821.     }
    822. 

  822. 

  823.     SSL_DEBUG_MSG( 2, ( "<= handshake client" ) );
    824. 

  824. 

  825.     return( ret );
    826. 

  826. }
    827. 

  827. 

  828. #endif
    829.