PolarSSL v1.1.4
|
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2010, Brainspark B.V. 00005 * 00006 * This file is part of PolarSSL (http://www.polarssl.org) 00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> 00008 * 00009 * All rights reserved. 00010 * 00011 * This program is free software; you can redistribute it and/or modify 00012 * it under the terms of the GNU General Public License as published by 00013 * the Free Software Foundation; either version 2 of the License, or 00014 * (at your option) any later version. 00015 * 00016 * This program is distributed in the hope that it will be useful, 00017 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00018 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00019 * GNU General Public License for more details. 00020 * 00021 * You should have received a copy of the GNU General Public License along 00022 * with this program; if not, write to the Free Software Foundation, Inc., 00023 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00024 */ 00025 00026 #include "polarssl/config.h" 00027 00028 #if defined(POLARSSL_SSL_SRV_C) 00029 00030 #include "polarssl/debug.h" 00031 #include "polarssl/ssl.h" 00032 00033 #if defined(POLARSSL_PKCS11_C) 00034 #include "polarssl/pkcs11.h" 00035 #endif /* defined(POLARSSL_PKCS11_C) */ 00036 00037 #include <stdlib.h> 00038 #include <stdio.h> 00039 #include <time.h> 00040 00041 static int ssl_parse_client_hello( ssl_context *ssl ) 00042 { 00043 int ret; 00044 unsigned int i, j; 00045 size_t n; 00046 unsigned int ciph_len, sess_len; 00047 unsigned int chal_len, comp_len; 00048 unsigned char *buf, *p; 00049 00050 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 00051 00052 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 ) 00053 { 00054 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 00055 return( ret ); 00056 } 00057 00058 buf = ssl->in_hdr; 00059 00060 if( ( buf[0] & 0x80 ) != 0 ) 00061 { 00062 SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00063 00064 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 00065 buf[2] ) ); 00066 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 00067 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 00068 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 00069 buf[3], buf[4] ) ); 00070 00071 /* 00072 * SSLv2 Client Hello 00073 * 00074 * Record layer: 00075 * 0 . 1 message length 00076 * 00077 * SSL layer: 00078 * 2 . 2 message type 00079 * 3 . 4 protocol version 00080 */ 00081 if( buf[2] != SSL_HS_CLIENT_HELLO || 00082 buf[3] != SSL_MAJOR_VERSION_3 ) 00083 { 00084 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00085 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00086 } 00087 00088 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 00089 00090 if( n < 17 || n > 512 ) 00091 { 00092 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00093 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00094 } 00095 00096 ssl->max_major_ver = buf[3]; 00097 ssl->max_minor_ver = buf[4]; 00098 00099 ssl->major_ver = SSL_MAJOR_VERSION_3; 00100 ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_2 ) 00101 ? buf[4] : SSL_MINOR_VERSION_2; 00102 00103 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 ) 00104 { 00105 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 00106 return( ret ); 00107 } 00108 00109 md5_update( &ssl->fin_md5 , buf + 2, n ); 00110 sha1_update( &ssl->fin_sha1, buf + 2, n ); 00111 00112 buf = ssl->in_msg; 00113 n = ssl->in_left - 5; 00114 00115 /* 00116 * 0 . 1 ciphersuitelist length 00117 * 2 . 3 session id length 00118 * 4 . 5 challenge length 00119 * 6 . .. ciphersuitelist 00120 * .. . .. session id 00121 * .. . .. challenge 00122 */ 00123 SSL_DEBUG_BUF( 4, "record contents", buf, n ); 00124 00125 ciph_len = ( buf[0] << 8 ) | buf[1]; 00126 sess_len = ( buf[2] << 8 ) | buf[3]; 00127 chal_len = ( buf[4] << 8 ) | buf[5]; 00128 00129 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 00130 ciph_len, sess_len, chal_len ) ); 00131 00132 /* 00133 * Make sure each parameter length is valid 00134 */ 00135 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 00136 { 00137 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00138 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00139 } 00140 00141 if( sess_len > 32 ) 00142 { 00143 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00144 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00145 } 00146 00147 if( chal_len < 8 || chal_len > 32 ) 00148 { 00149 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00150 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00151 } 00152 00153 if( n != 6 + ciph_len + sess_len + chal_len ) 00154 { 00155 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00156 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00157 } 00158 00159 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 00160 buf + 6, ciph_len ); 00161 SSL_DEBUG_BUF( 3, "client hello, session id", 00162 buf + 6 + ciph_len, sess_len ); 00163 SSL_DEBUG_BUF( 3, "client hello, challenge", 00164 buf + 6 + ciph_len + sess_len, chal_len ); 00165 00166 p = buf + 6 + ciph_len; 00167 ssl->session->length = sess_len; 00168 memset( ssl->session->id, 0, sizeof( ssl->session->id ) ); 00169 memcpy( ssl->session->id, p, ssl->session->length ); 00170 00171 p += sess_len; 00172 memset( ssl->randbytes, 0, 64 ); 00173 memcpy( ssl->randbytes + 32 - chal_len, p, chal_len ); 00174 00175 for( i = 0; ssl->ciphersuites[i] != 0; i++ ) 00176 { 00177 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 00178 { 00179 if( p[0] == 0 && 00180 p[1] == 0 && 00181 p[2] == ssl->ciphersuites[i] ) 00182 goto have_ciphersuite; 00183 } 00184 } 00185 } 00186 else 00187 { 00188 SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00189 00190 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 00191 buf[0] ) ); 00192 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 00193 ( buf[3] << 8 ) | buf[4] ) ); 00194 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]", 00195 buf[1], buf[2] ) ); 00196 00197 /* 00198 * SSLv3 Client Hello 00199 * 00200 * Record layer: 00201 * 0 . 0 message type 00202 * 1 . 2 protocol version 00203 * 3 . 4 message length 00204 */ 00205 if( buf[0] != SSL_MSG_HANDSHAKE || 00206 buf[1] != SSL_MAJOR_VERSION_3 ) 00207 { 00208 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00209 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00210 } 00211 00212 n = ( buf[3] << 8 ) | buf[4]; 00213 00214 if( n < 45 || n > 512 ) 00215 { 00216 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00217 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00218 } 00219 00220 if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 ) 00221 { 00222 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 00223 return( ret ); 00224 } 00225 00226 buf = ssl->in_msg; 00227 n = ssl->in_left - 5; 00228 00229 md5_update( &ssl->fin_md5 , buf, n ); 00230 sha1_update( &ssl->fin_sha1, buf, n ); 00231 00232 /* 00233 * SSL layer: 00234 * 0 . 0 handshake type 00235 * 1 . 3 handshake length 00236 * 4 . 5 protocol version 00237 * 6 . 9 UNIX time() 00238 * 10 . 37 random bytes 00239 * 38 . 38 session id length 00240 * 39 . 38+x session id 00241 * 39+x . 40+x ciphersuitelist length 00242 * 41+x . .. ciphersuitelist 00243 * .. . .. compression alg. 00244 * .. . .. extensions 00245 */ 00246 SSL_DEBUG_BUF( 4, "record contents", buf, n ); 00247 00248 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", 00249 buf[0] ) ); 00250 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 00251 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 00252 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]", 00253 buf[4], buf[5] ) ); 00254 00255 /* 00256 * Check the handshake type and protocol version 00257 */ 00258 if( buf[0] != SSL_HS_CLIENT_HELLO || 00259 buf[4] != SSL_MAJOR_VERSION_3 ) 00260 { 00261 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00262 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00263 } 00264 00265 ssl->major_ver = SSL_MAJOR_VERSION_3; 00266 ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_2 ) 00267 ? buf[5] : SSL_MINOR_VERSION_2; 00268 00269 ssl->max_major_ver = buf[4]; 00270 ssl->max_minor_ver = buf[5]; 00271 00272 memcpy( ssl->randbytes, buf + 6, 32 ); 00273 00274 /* 00275 * Check the handshake message length 00276 */ 00277 if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) ) 00278 { 00279 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00280 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00281 } 00282 00283 /* 00284 * Check the session length 00285 */ 00286 sess_len = buf[38]; 00287 00288 if( sess_len > 32 ) 00289 { 00290 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00291 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00292 } 00293 00294 ssl->session->length = sess_len; 00295 memset( ssl->session->id, 0, sizeof( ssl->session->id ) ); 00296 memcpy( ssl->session->id, buf + 39 , ssl->session->length ); 00297 00298 /* 00299 * Check the ciphersuitelist length 00300 */ 00301 ciph_len = ( buf[39 + sess_len] << 8 ) 00302 | ( buf[40 + sess_len] ); 00303 00304 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 ) 00305 { 00306 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00307 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00308 } 00309 00310 /* 00311 * Check the compression algorithms length 00312 */ 00313 comp_len = buf[41 + sess_len + ciph_len]; 00314 00315 if( comp_len < 1 || comp_len > 16 ) 00316 { 00317 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00318 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00319 } 00320 00321 SSL_DEBUG_BUF( 3, "client hello, random bytes", 00322 buf + 6, 32 ); 00323 SSL_DEBUG_BUF( 3, "client hello, session id", 00324 buf + 38, sess_len ); 00325 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 00326 buf + 41 + sess_len, ciph_len ); 00327 SSL_DEBUG_BUF( 3, "client hello, compression", 00328 buf + 42 + sess_len + ciph_len, comp_len ); 00329 00330 /* 00331 * Search for a matching ciphersuite 00332 */ 00333 for( i = 0; ssl->ciphersuites[i] != 0; i++ ) 00334 { 00335 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; 00336 j += 2, p += 2 ) 00337 { 00338 if( p[0] == 0 && p[1] == ssl->ciphersuites[i] ) 00339 goto have_ciphersuite; 00340 } 00341 } 00342 } 00343 00344 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 00345 00346 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); 00347 00348 have_ciphersuite: 00349 00350 ssl->session->ciphersuite = ssl->ciphersuites[i]; 00351 ssl->in_left = 0; 00352 ssl->state++; 00353 00354 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 00355 00356 return( 0 ); 00357 } 00358 00359 static int ssl_write_server_hello( ssl_context *ssl ) 00360 { 00361 time_t t; 00362 int ret, n; 00363 unsigned char *buf, *p; 00364 00365 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 00366 00367 /* 00368 * 0 . 0 handshake type 00369 * 1 . 3 handshake length 00370 * 4 . 5 protocol version 00371 * 6 . 9 UNIX time() 00372 * 10 . 37 random bytes 00373 */ 00374 buf = ssl->out_msg; 00375 p = buf + 4; 00376 00377 *p++ = (unsigned char) ssl->major_ver; 00378 *p++ = (unsigned char) ssl->minor_ver; 00379 00380 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 00381 buf[4], buf[5] ) ); 00382 00383 t = time( NULL ); 00384 *p++ = (unsigned char)( t >> 24 ); 00385 *p++ = (unsigned char)( t >> 16 ); 00386 *p++ = (unsigned char)( t >> 8 ); 00387 *p++ = (unsigned char)( t ); 00388 00389 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 00390 00391 if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 ) 00392 return( ret ); 00393 00394 p += 28; 00395 00396 memcpy( ssl->randbytes + 32, buf + 6, 32 ); 00397 00398 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 00399 00400 /* 00401 * 38 . 38 session id length 00402 * 39 . 38+n session id 00403 * 39+n . 40+n chosen ciphersuite 00404 * 41+n . 41+n chosen compression alg. 00405 */ 00406 ssl->session->length = n = 32; 00407 *p++ = (unsigned char) ssl->session->length; 00408 00409 if( ssl->s_get == NULL || 00410 ssl->s_get( ssl ) != 0 ) 00411 { 00412 /* 00413 * Not found, create a new session id 00414 */ 00415 ssl->resume = 0; 00416 ssl->state++; 00417 00418 if( ssl->session == NULL ) 00419 { 00420 SSL_DEBUG_MSG( 1, ( "No session struct set" ) ); 00421 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 00422 } 00423 00424 if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session->id, n ) ) != 0 ) 00425 return( ret ); 00426 } 00427 else 00428 { 00429 /* 00430 * Found a matching session, resume it 00431 */ 00432 ssl->resume = 1; 00433 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC; 00434 00435 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 00436 { 00437 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 00438 return( ret ); 00439 } 00440 } 00441 00442 memcpy( p, ssl->session->id, ssl->session->length ); 00443 p += ssl->session->length; 00444 00445 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 00446 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 00447 SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 00448 ssl->resume ? "a" : "no" ) ); 00449 00450 *p++ = (unsigned char)( ssl->session->ciphersuite >> 8 ); 00451 *p++ = (unsigned char)( ssl->session->ciphersuite ); 00452 *p++ = SSL_COMPRESS_NULL; 00453 00454 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", 00455 ssl->session->ciphersuite ) ); 00456 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) ); 00457 00458 ssl->out_msglen = p - buf; 00459 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00460 ssl->out_msg[0] = SSL_HS_SERVER_HELLO; 00461 00462 ret = ssl_write_record( ssl ); 00463 00464 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 00465 00466 return( ret ); 00467 } 00468 00469 static int ssl_write_certificate_request( ssl_context *ssl ) 00470 { 00471 int ret; 00472 size_t n; 00473 unsigned char *buf, *p; 00474 const x509_cert *crt; 00475 00476 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 00477 00478 ssl->state++; 00479 00480 if( ssl->authmode == SSL_VERIFY_NONE ) 00481 { 00482 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 00483 return( 0 ); 00484 } 00485 00486 /* 00487 * 0 . 0 handshake type 00488 * 1 . 3 handshake length 00489 * 4 . 4 cert type count 00490 * 5 .. n-1 cert types 00491 * n .. n+1 length of all DNs 00492 * n+2 .. n+3 length of DN 1 00493 * n+4 .. ... Distinguished Name #1 00494 * ... .. ... length of DN 2, etc. 00495 */ 00496 buf = ssl->out_msg; 00497 p = buf + 4; 00498 00499 /* 00500 * At the moment, only RSA certificates are supported 00501 */ 00502 *p++ = 1; 00503 *p++ = 1; 00504 00505 p += 2; 00506 crt = ssl->ca_chain; 00507 00508 while( crt != NULL ) 00509 { 00510 if( p - buf > 4096 ) 00511 break; 00512 00513 n = crt->subject_raw.len; 00514 *p++ = (unsigned char)( n >> 8 ); 00515 *p++ = (unsigned char)( n ); 00516 memcpy( p, crt->subject_raw.p, n ); 00517 00518 SSL_DEBUG_BUF( 3, "requested DN", p, n ); 00519 p += n; crt = crt->next; 00520 } 00521 00522 ssl->out_msglen = n = p - buf; 00523 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00524 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST; 00525 ssl->out_msg[6] = (unsigned char)( ( n - 8 ) >> 8 ); 00526 ssl->out_msg[7] = (unsigned char)( ( n - 8 ) ); 00527 00528 ret = ssl_write_record( ssl ); 00529 00530 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 00531 00532 return( ret ); 00533 } 00534 00535 static int ssl_write_server_key_exchange( ssl_context *ssl ) 00536 { 00537 #if defined(POLARSSL_DHM_C) 00538 int ret; 00539 size_t n, rsa_key_len = 0; 00540 unsigned char hash[36]; 00541 md5_context md5; 00542 sha1_context sha1; 00543 #endif 00544 00545 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 00546 00547 if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA && 00548 ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA && 00549 ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA && 00550 ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA && 00551 ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA) 00552 { 00553 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 00554 ssl->state++; 00555 return( 0 ); 00556 } 00557 00558 #if !defined(POLARSSL_DHM_C) 00559 SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) ); 00560 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00561 #else 00562 00563 if( ssl->rsa_key == NULL ) 00564 { 00565 #if defined(POLARSSL_PKCS11_C) 00566 if( ssl->pkcs11_key == NULL ) 00567 { 00568 #endif /* defined(POLARSSL_PKCS11_C) */ 00569 SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 00570 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 00571 #if defined(POLARSSL_PKCS11_C) 00572 } 00573 #endif /* defined(POLARSSL_PKCS11_C) */ 00574 } 00575 00576 /* 00577 * Ephemeral DH parameters: 00578 * 00579 * struct { 00580 * opaque dh_p<1..2^16-1>; 00581 * opaque dh_g<1..2^16-1>; 00582 * opaque dh_Ys<1..2^16-1>; 00583 * } ServerDHParams; 00584 */ 00585 if( ( ret = dhm_make_params( &ssl->dhm_ctx, 256, ssl->out_msg + 4, 00586 &n, ssl->f_rng, ssl->p_rng ) ) != 0 ) 00587 { 00588 SSL_DEBUG_RET( 1, "dhm_make_params", ret ); 00589 return( ret ); 00590 } 00591 00592 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X ); 00593 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P ); 00594 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G ); 00595 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX ); 00596 00597 /* 00598 * digitally-signed struct { 00599 * opaque md5_hash[16]; 00600 * opaque sha_hash[20]; 00601 * }; 00602 * 00603 * md5_hash 00604 * MD5(ClientHello.random + ServerHello.random 00605 * + ServerParams); 00606 * sha_hash 00607 * SHA(ClientHello.random + ServerHello.random 00608 * + ServerParams); 00609 */ 00610 md5_starts( &md5 ); 00611 md5_update( &md5, ssl->randbytes, 64 ); 00612 md5_update( &md5, ssl->out_msg + 4, n ); 00613 md5_finish( &md5, hash ); 00614 00615 sha1_starts( &sha1 ); 00616 sha1_update( &sha1, ssl->randbytes, 64 ); 00617 sha1_update( &sha1, ssl->out_msg + 4, n ); 00618 sha1_finish( &sha1, hash + 16 ); 00619 00620 SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 ); 00621 00622 if ( ssl->rsa_key ) 00623 rsa_key_len = ssl->rsa_key->len; 00624 #if defined(POLARSSL_PKCS11_C) 00625 else 00626 rsa_key_len = ssl->pkcs11_key->len; 00627 #endif /* defined(POLARSSL_PKCS11_C) */ 00628 00629 ssl->out_msg[4 + n] = (unsigned char)( rsa_key_len >> 8 ); 00630 ssl->out_msg[5 + n] = (unsigned char)( rsa_key_len ); 00631 00632 if ( ssl->rsa_key ) 00633 { 00634 ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng, 00635 RSA_PRIVATE, 00636 SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n ); 00637 } 00638 #if defined(POLARSSL_PKCS11_C) 00639 else { 00640 ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE, 00641 SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n ); 00642 } 00643 #endif /* defined(POLARSSL_PKCS11_C) */ 00644 00645 if( ret != 0 ) 00646 { 00647 SSL_DEBUG_RET( 1, "pkcs1_sign", ret ); 00648 return( ret ); 00649 } 00650 00651 SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, rsa_key_len ); 00652 00653 ssl->out_msglen = 6 + n + rsa_key_len; 00654 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00655 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE; 00656 00657 ssl->state++; 00658 00659 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 00660 { 00661 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 00662 return( ret ); 00663 } 00664 00665 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 00666 00667 return( 0 ); 00668 #endif 00669 } 00670 00671 static int ssl_write_server_hello_done( ssl_context *ssl ) 00672 { 00673 int ret; 00674 00675 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 00676 00677 ssl->out_msglen = 4; 00678 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00679 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE; 00680 00681 ssl->state++; 00682 00683 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 00684 { 00685 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 00686 return( ret ); 00687 } 00688 00689 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 00690 00691 return( 0 ); 00692 } 00693 00694 static int ssl_parse_client_key_exchange( ssl_context *ssl ) 00695 { 00696 int ret; 00697 size_t i, n = 0; 00698 00699 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 00700 00701 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 00702 { 00703 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 00704 return( ret ); 00705 } 00706 00707 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 00708 { 00709 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00710 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00711 } 00712 00713 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE ) 00714 { 00715 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00716 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00717 } 00718 00719 if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA || 00720 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA || 00721 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA || 00722 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA || 00723 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA) 00724 { 00725 #if !defined(POLARSSL_DHM_C) 00726 SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) ); 00727 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00728 #else 00729 /* 00730 * Receive G^Y mod P, premaster = (G^Y)^X mod P 00731 */ 00732 n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 00733 00734 if( n < 1 || n > ssl->dhm_ctx.len || 00735 n + 6 != ssl->in_hslen ) 00736 { 00737 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00738 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00739 } 00740 00741 if( ( ret = dhm_read_public( &ssl->dhm_ctx, 00742 ssl->in_msg + 6, n ) ) != 0 ) 00743 { 00744 SSL_DEBUG_RET( 1, "dhm_read_public", ret ); 00745 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP ); 00746 } 00747 00748 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY ); 00749 00750 ssl->pmslen = ssl->dhm_ctx.len; 00751 00752 if( ( ret = dhm_calc_secret( &ssl->dhm_ctx, 00753 ssl->premaster, &ssl->pmslen ) ) != 0 ) 00754 { 00755 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); 00756 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS ); 00757 } 00758 00759 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K ); 00760 #endif 00761 } 00762 else 00763 { 00764 if( ssl->rsa_key == NULL ) 00765 { 00766 #if defined(POLARSSL_PKCS11_C) 00767 if( ssl->pkcs11_key == NULL ) 00768 { 00769 #endif 00770 SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 00771 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED ); 00772 #if defined(POLARSSL_PKCS11_C) 00773 } 00774 #endif 00775 } 00776 00777 /* 00778 * Decrypt the premaster using own private RSA key 00779 */ 00780 i = 4; 00781 if( ssl->rsa_key ) 00782 n = ssl->rsa_key->len; 00783 #if defined(POLARSSL_PKCS11_C) 00784 else 00785 n = ssl->pkcs11_key->len; 00786 #endif 00787 ssl->pmslen = 48; 00788 00789 if( ssl->minor_ver != SSL_MINOR_VERSION_0 ) 00790 { 00791 i += 2; 00792 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) || 00793 ssl->in_msg[5] != ( ( n ) & 0xFF ) ) 00794 { 00795 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00796 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00797 } 00798 } 00799 00800 if( ssl->in_hslen != i + n ) 00801 { 00802 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00803 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00804 } 00805 00806 if( ssl->rsa_key ) { 00807 ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen, 00808 ssl->in_msg + i, ssl->premaster, 00809 sizeof(ssl->premaster) ); 00810 } 00811 #if defined(POLARSSL_PKCS11_C) 00812 else { 00813 ret = pkcs11_decrypt( ssl->pkcs11_key, RSA_PRIVATE, &ssl->pmslen, 00814 ssl->in_msg + i, ssl->premaster, 00815 sizeof(ssl->premaster) ); 00816 } 00817 #endif /* defined(POLARSSL_PKCS11_C) */ 00818 00819 if( ret != 0 || ssl->pmslen != 48 || 00820 ssl->premaster[0] != ssl->max_major_ver || 00821 ssl->premaster[1] != ssl->max_minor_ver ) 00822 { 00823 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00824 00825 /* 00826 * Protection against Bleichenbacher's attack: 00827 * invalid PKCS#1 v1.5 padding must not cause 00828 * the connection to end immediately; instead, 00829 * send a bad_record_mac later in the handshake. 00830 */ 00831 ssl->pmslen = 48; 00832 00833 ret = ssl->f_rng( ssl->p_rng, ssl->premaster, ssl->pmslen ); 00834 if( ret != 0 ) 00835 return( ret ); 00836 } 00837 } 00838 00839 if( ( ret = ssl_derive_keys( ssl ) ) != 0 ) 00840 { 00841 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret ); 00842 return( ret ); 00843 } 00844 00845 if( ssl->s_set != NULL ) 00846 ssl->s_set( ssl ); 00847 00848 ssl->state++; 00849 00850 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 00851 00852 return( 0 ); 00853 } 00854 00855 static int ssl_parse_certificate_verify( ssl_context *ssl ) 00856 { 00857 int ret; 00858 size_t n1, n2; 00859 unsigned char hash[36]; 00860 00861 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 00862 00863 if( ssl->peer_cert == NULL ) 00864 { 00865 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 00866 ssl->state++; 00867 return( 0 ); 00868 } 00869 00870 ssl_calc_verify( ssl, hash ); 00871 00872 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 00873 { 00874 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 00875 return( ret ); 00876 } 00877 00878 ssl->state++; 00879 00880 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 00881 { 00882 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 00883 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 00884 } 00885 00886 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY ) 00887 { 00888 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 00889 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 00890 } 00891 00892 n1 = ssl->peer_cert->rsa.len; 00893 n2 = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 00894 00895 if( n1 + 6 != ssl->in_hslen || n1 != n2 ) 00896 { 00897 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 00898 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 00899 } 00900 00901 ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC, 00902 SIG_RSA_RAW, 36, hash, ssl->in_msg + 6 ); 00903 if( ret != 0 ) 00904 { 00905 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret ); 00906 return( ret ); 00907 } 00908 00909 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 00910 00911 return( 0 ); 00912 } 00913 00914 /* 00915 * SSL handshake -- server side 00916 */ 00917 int ssl_handshake_server( ssl_context *ssl ) 00918 { 00919 int ret = 0; 00920 00921 SSL_DEBUG_MSG( 2, ( "=> handshake server" ) ); 00922 00923 while( ssl->state != SSL_HANDSHAKE_OVER ) 00924 { 00925 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 00926 00927 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 00928 break; 00929 00930 switch( ssl->state ) 00931 { 00932 case SSL_HELLO_REQUEST: 00933 ssl->state = SSL_CLIENT_HELLO; 00934 break; 00935 00936 /* 00937 * <== ClientHello 00938 */ 00939 case SSL_CLIENT_HELLO: 00940 ret = ssl_parse_client_hello( ssl ); 00941 break; 00942 00943 /* 00944 * ==> ServerHello 00945 * Certificate 00946 * ( ServerKeyExchange ) 00947 * ( CertificateRequest ) 00948 * ServerHelloDone 00949 */ 00950 case SSL_SERVER_HELLO: 00951 ret = ssl_write_server_hello( ssl ); 00952 break; 00953 00954 case SSL_SERVER_CERTIFICATE: 00955 ret = ssl_write_certificate( ssl ); 00956 break; 00957 00958 case SSL_SERVER_KEY_EXCHANGE: 00959 ret = ssl_write_server_key_exchange( ssl ); 00960 break; 00961 00962 case SSL_CERTIFICATE_REQUEST: 00963 ret = ssl_write_certificate_request( ssl ); 00964 break; 00965 00966 case SSL_SERVER_HELLO_DONE: 00967 ret = ssl_write_server_hello_done( ssl ); 00968 break; 00969 00970 /* 00971 * <== ( Certificate/Alert ) 00972 * ClientKeyExchange 00973 * ( CertificateVerify ) 00974 * ChangeCipherSpec 00975 * Finished 00976 */ 00977 case SSL_CLIENT_CERTIFICATE: 00978 ret = ssl_parse_certificate( ssl ); 00979 break; 00980 00981 case SSL_CLIENT_KEY_EXCHANGE: 00982 ret = ssl_parse_client_key_exchange( ssl ); 00983 break; 00984 00985 case SSL_CERTIFICATE_VERIFY: 00986 ret = ssl_parse_certificate_verify( ssl ); 00987 break; 00988 00989 case SSL_CLIENT_CHANGE_CIPHER_SPEC: 00990 ret = ssl_parse_change_cipher_spec( ssl ); 00991 break; 00992 00993 case SSL_CLIENT_FINISHED: 00994 ret = ssl_parse_finished( ssl ); 00995 break; 00996 00997 /* 00998 * ==> ChangeCipherSpec 00999 * Finished 01000 */ 01001 case SSL_SERVER_CHANGE_CIPHER_SPEC: 01002 ret = ssl_write_change_cipher_spec( ssl ); 01003 break; 01004 01005 case SSL_SERVER_FINISHED: 01006 ret = ssl_write_finished( ssl ); 01007 break; 01008 01009 case SSL_FLUSH_BUFFERS: 01010 SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 01011 ssl->state = SSL_HANDSHAKE_OVER; 01012 break; 01013 01014 default: 01015 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 01016 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); 01017 } 01018 01019 if( ret != 0 ) 01020 break; 01021 } 01022 01023 SSL_DEBUG_MSG( 2, ( "<= handshake server" ) ); 01024 01025 return( ret ); 01026 } 01027 01028 #endif