PolarSSL v1.1.4
ssl_srv.c
Go to the documentation of this file.
00001 /*
00002  *  SSLv3/TLSv1 server-side functions
00003  *
00004  *  Copyright (C) 2006-2010, Brainspark B.V.
00005  *
00006  *  This file is part of PolarSSL (http://www.polarssl.org)
00007  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
00008  *
00009  *  All rights reserved.
00010  *
00011  *  This program is free software; you can redistribute it and/or modify
00012  *  it under the terms of the GNU General Public License as published by
00013  *  the Free Software Foundation; either version 2 of the License, or
00014  *  (at your option) any later version.
00015  *
00016  *  This program is distributed in the hope that it will be useful,
00017  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00018  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00019  *  GNU General Public License for more details.
00020  *
00021  *  You should have received a copy of the GNU General Public License along
00022  *  with this program; if not, write to the Free Software Foundation, Inc.,
00023  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
00024  */
00025 
00026 #include "polarssl/config.h"
00027 
00028 #if defined(POLARSSL_SSL_SRV_C)
00029 
00030 #include "polarssl/debug.h"
00031 #include "polarssl/ssl.h"
00032 
00033 #if defined(POLARSSL_PKCS11_C)
00034 #include "polarssl/pkcs11.h"
00035 #endif /* defined(POLARSSL_PKCS11_C) */
00036 
00037 #include <stdlib.h>
00038 #include <stdio.h>
00039 #include <time.h>
00040 
00041 static int ssl_parse_client_hello( ssl_context *ssl )
00042 {
00043     int ret;
00044     unsigned int i, j;
00045     size_t n;
00046     unsigned int ciph_len, sess_len;
00047     unsigned int chal_len, comp_len;
00048     unsigned char *buf, *p;
00049 
00050     SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
00051 
00052     if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
00053     {
00054         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00055         return( ret );
00056     }
00057 
00058     buf = ssl->in_hdr;
00059 
00060     if( ( buf[0] & 0x80 ) != 0 )
00061     {
00062         SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00063 
00064         SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
00065                        buf[2] ) );
00066         SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
00067                        ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
00068         SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
00069                        buf[3], buf[4] ) );
00070 
00071         /*
00072          * SSLv2 Client Hello
00073          *
00074          * Record layer:
00075          *     0  .   1   message length
00076          *
00077          * SSL layer:
00078          *     2  .   2   message type
00079          *     3  .   4   protocol version
00080          */
00081         if( buf[2] != SSL_HS_CLIENT_HELLO ||
00082             buf[3] != SSL_MAJOR_VERSION_3 )
00083         {
00084             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00085             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00086         }
00087 
00088         n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
00089 
00090         if( n < 17 || n > 512 )
00091         {
00092             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00093             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00094         }
00095 
00096         ssl->max_major_ver = buf[3];
00097         ssl->max_minor_ver = buf[4];
00098 
00099         ssl->major_ver = SSL_MAJOR_VERSION_3;
00100         ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_2 )
00101                          ? buf[4]  : SSL_MINOR_VERSION_2;
00102 
00103         if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
00104         {
00105             SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00106             return( ret );
00107         }
00108 
00109          md5_update( &ssl->fin_md5 , buf + 2, n );
00110         sha1_update( &ssl->fin_sha1, buf + 2, n );
00111 
00112         buf = ssl->in_msg;
00113         n = ssl->in_left - 5;
00114 
00115         /*
00116          *    0  .   1   ciphersuitelist length
00117          *    2  .   3   session id length
00118          *    4  .   5   challenge length
00119          *    6  .  ..   ciphersuitelist
00120          *   ..  .  ..   session id
00121          *   ..  .  ..   challenge
00122          */
00123         SSL_DEBUG_BUF( 4, "record contents", buf, n );
00124 
00125         ciph_len = ( buf[0] << 8 ) | buf[1];
00126         sess_len = ( buf[2] << 8 ) | buf[3];
00127         chal_len = ( buf[4] << 8 ) | buf[5];
00128 
00129         SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
00130                        ciph_len, sess_len, chal_len ) );
00131 
00132         /*
00133          * Make sure each parameter length is valid
00134          */
00135         if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
00136         {
00137             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00138             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00139         }
00140 
00141         if( sess_len > 32 )
00142         {
00143             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00144             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00145         }
00146 
00147         if( chal_len < 8 || chal_len > 32 )
00148         {
00149             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00150             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00151         }
00152 
00153         if( n != 6 + ciph_len + sess_len + chal_len )
00154         {
00155             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00156             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00157         }
00158 
00159         SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
00160                        buf + 6,  ciph_len );
00161         SSL_DEBUG_BUF( 3, "client hello, session id",
00162                        buf + 6 + ciph_len,  sess_len );
00163         SSL_DEBUG_BUF( 3, "client hello, challenge",
00164                        buf + 6 + ciph_len + sess_len,  chal_len );
00165 
00166         p = buf + 6 + ciph_len;
00167         ssl->session->length = sess_len;
00168         memset( ssl->session->id, 0, sizeof( ssl->session->id ) );
00169         memcpy( ssl->session->id, p, ssl->session->length );
00170 
00171         p += sess_len;
00172         memset( ssl->randbytes, 0, 64 );
00173         memcpy( ssl->randbytes + 32 - chal_len, p, chal_len );
00174 
00175         for( i = 0; ssl->ciphersuites[i] != 0; i++ )
00176         {
00177             for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
00178             {
00179                 if( p[0] == 0 &&
00180                     p[1] == 0 &&
00181                     p[2] == ssl->ciphersuites[i] )
00182                     goto have_ciphersuite;
00183             }
00184         }
00185     }
00186     else
00187     {
00188         SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00189 
00190         SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
00191                        buf[0] ) );
00192         SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
00193                        ( buf[3] << 8 ) | buf[4] ) );
00194         SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
00195                        buf[1], buf[2] ) );
00196 
00197         /*
00198          * SSLv3 Client Hello
00199          *
00200          * Record layer:
00201          *     0  .   0   message type
00202          *     1  .   2   protocol version
00203          *     3  .   4   message length
00204          */
00205         if( buf[0] != SSL_MSG_HANDSHAKE ||
00206             buf[1] != SSL_MAJOR_VERSION_3 )
00207         {
00208             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00209             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00210         }
00211 
00212         n = ( buf[3] << 8 ) | buf[4];
00213 
00214         if( n < 45 || n > 512 )
00215         {
00216             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00217             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00218         }
00219 
00220         if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
00221         {
00222             SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00223             return( ret );
00224         }
00225 
00226         buf = ssl->in_msg;
00227         n = ssl->in_left - 5;
00228 
00229          md5_update( &ssl->fin_md5 , buf, n );
00230         sha1_update( &ssl->fin_sha1, buf, n );
00231 
00232         /*
00233          * SSL layer:
00234          *     0  .   0   handshake type
00235          *     1  .   3   handshake length
00236          *     4  .   5   protocol version
00237          *     6  .   9   UNIX time()
00238          *    10  .  37   random bytes
00239          *    38  .  38   session id length
00240          *    39  . 38+x  session id
00241          *   39+x . 40+x  ciphersuitelist length
00242          *   41+x .  ..   ciphersuitelist
00243          *    ..  .  ..   compression alg.
00244          *    ..  .  ..   extensions
00245          */
00246         SSL_DEBUG_BUF( 4, "record contents", buf, n );
00247 
00248         SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
00249                        buf[0] ) );
00250         SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
00251                        ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
00252         SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
00253                        buf[4], buf[5] ) );
00254 
00255         /*
00256          * Check the handshake type and protocol version
00257          */
00258         if( buf[0] != SSL_HS_CLIENT_HELLO ||
00259             buf[4] != SSL_MAJOR_VERSION_3 )
00260         {
00261             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00262             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00263         }
00264 
00265         ssl->major_ver = SSL_MAJOR_VERSION_3;
00266         ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_2 )
00267                          ? buf[5]  : SSL_MINOR_VERSION_2;
00268 
00269         ssl->max_major_ver = buf[4];
00270         ssl->max_minor_ver = buf[5];
00271 
00272         memcpy( ssl->randbytes, buf + 6, 32 );
00273 
00274         /*
00275          * Check the handshake message length
00276          */
00277         if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
00278         {
00279             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00280             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00281         }
00282 
00283         /*
00284          * Check the session length
00285          */
00286         sess_len = buf[38];
00287 
00288         if( sess_len > 32 )
00289         {
00290             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00291             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00292         }
00293 
00294         ssl->session->length = sess_len;
00295         memset( ssl->session->id, 0, sizeof( ssl->session->id ) );
00296         memcpy( ssl->session->id, buf + 39 , ssl->session->length );
00297 
00298         /*
00299          * Check the ciphersuitelist length
00300          */
00301         ciph_len = ( buf[39 + sess_len] << 8 )
00302                  | ( buf[40 + sess_len]      );
00303 
00304         if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
00305         {
00306             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00307             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00308         }
00309 
00310         /*
00311          * Check the compression algorithms length
00312          */
00313         comp_len = buf[41 + sess_len + ciph_len];
00314 
00315         if( comp_len < 1 || comp_len > 16 )
00316         {
00317             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00318             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00319         }
00320 
00321         SSL_DEBUG_BUF( 3, "client hello, random bytes",
00322                        buf +  6,  32 );
00323         SSL_DEBUG_BUF( 3, "client hello, session id",
00324                        buf + 38,  sess_len );
00325         SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
00326                        buf + 41 + sess_len,  ciph_len );
00327         SSL_DEBUG_BUF( 3, "client hello, compression",
00328                        buf + 42 + sess_len + ciph_len, comp_len );
00329 
00330         /*
00331          * Search for a matching ciphersuite
00332          */
00333         for( i = 0; ssl->ciphersuites[i] != 0; i++ )
00334         {
00335             for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
00336                 j += 2, p += 2 )
00337             {
00338                 if( p[0] == 0 && p[1] == ssl->ciphersuites[i] )
00339                     goto have_ciphersuite;
00340             }
00341         }
00342     }
00343 
00344     SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
00345 
00346     return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
00347 
00348 have_ciphersuite:
00349 
00350     ssl->session->ciphersuite = ssl->ciphersuites[i];
00351     ssl->in_left = 0;
00352     ssl->state++;
00353 
00354     SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
00355 
00356     return( 0 );
00357 }
00358 
00359 static int ssl_write_server_hello( ssl_context *ssl )
00360 {
00361     time_t t;
00362     int ret, n;
00363     unsigned char *buf, *p;
00364 
00365     SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
00366 
00367     /*
00368      *     0  .   0   handshake type
00369      *     1  .   3   handshake length
00370      *     4  .   5   protocol version
00371      *     6  .   9   UNIX time()
00372      *    10  .  37   random bytes
00373      */
00374     buf = ssl->out_msg;
00375     p = buf + 4;
00376 
00377     *p++ = (unsigned char) ssl->major_ver;
00378     *p++ = (unsigned char) ssl->minor_ver;
00379 
00380     SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
00381                    buf[4], buf[5] ) );
00382 
00383     t = time( NULL );
00384     *p++ = (unsigned char)( t >> 24 );
00385     *p++ = (unsigned char)( t >> 16 );
00386     *p++ = (unsigned char)( t >>  8 );
00387     *p++ = (unsigned char)( t       );
00388 
00389     SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
00390 
00391     if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
00392         return( ret );
00393 
00394     p += 28;
00395 
00396     memcpy( ssl->randbytes + 32, buf + 6, 32 );
00397 
00398     SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
00399 
00400     /*
00401      *    38  .  38   session id length
00402      *    39  . 38+n  session id
00403      *   39+n . 40+n  chosen ciphersuite
00404      *   41+n . 41+n  chosen compression alg.
00405      */
00406     ssl->session->length = n = 32;
00407     *p++ = (unsigned char) ssl->session->length;
00408 
00409     if( ssl->s_get == NULL ||
00410         ssl->s_get( ssl ) != 0 )
00411     {
00412         /*
00413          * Not found, create a new session id
00414          */
00415         ssl->resume = 0;
00416         ssl->state++;
00417 
00418         if( ssl->session == NULL )
00419         {
00420             SSL_DEBUG_MSG( 1, ( "No session struct set" ) );
00421             return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00422         }
00423 
00424         if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session->id, n ) ) != 0 )
00425             return( ret );
00426     }
00427     else
00428     {
00429         /*
00430          * Found a matching session, resume it
00431          */
00432         ssl->resume = 1;
00433         ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
00434 
00435         if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
00436         {
00437             SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
00438             return( ret );
00439         }
00440     }
00441 
00442     memcpy( p, ssl->session->id, ssl->session->length );
00443     p += ssl->session->length;
00444 
00445     SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
00446     SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
00447     SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
00448                    ssl->resume ? "a" : "no" ) );
00449 
00450     *p++ = (unsigned char)( ssl->session->ciphersuite >> 8 );
00451     *p++ = (unsigned char)( ssl->session->ciphersuite      );
00452     *p++ = SSL_COMPRESS_NULL;
00453 
00454     SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
00455                    ssl->session->ciphersuite ) );
00456     SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) );
00457 
00458     ssl->out_msglen  = p - buf;
00459     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00460     ssl->out_msg[0]  = SSL_HS_SERVER_HELLO;
00461 
00462     ret = ssl_write_record( ssl );
00463 
00464     SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
00465 
00466     return( ret );
00467 }
00468 
00469 static int ssl_write_certificate_request( ssl_context *ssl )
00470 {
00471     int ret;
00472     size_t n;
00473     unsigned char *buf, *p;
00474     const x509_cert *crt;
00475 
00476     SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
00477 
00478     ssl->state++;
00479 
00480     if( ssl->authmode == SSL_VERIFY_NONE )
00481     {
00482         SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
00483         return( 0 );
00484     }
00485 
00486     /*
00487      *     0  .   0   handshake type
00488      *     1  .   3   handshake length
00489      *     4  .   4   cert type count
00490      *     5  .. n-1  cert types
00491      *     n  .. n+1  length of all DNs
00492      *    n+2 .. n+3  length of DN 1
00493      *    n+4 .. ...  Distinguished Name #1
00494      *    ... .. ...  length of DN 2, etc.
00495      */
00496     buf = ssl->out_msg;
00497     p = buf + 4;
00498 
00499     /*
00500      * At the moment, only RSA certificates are supported
00501      */
00502     *p++ = 1;
00503     *p++ = 1;
00504 
00505     p += 2;
00506     crt = ssl->ca_chain;
00507 
00508     while( crt != NULL )
00509     {
00510         if( p - buf > 4096 )
00511             break;
00512 
00513         n = crt->subject_raw.len;
00514         *p++ = (unsigned char)( n >> 8 );
00515         *p++ = (unsigned char)( n      );
00516         memcpy( p, crt->subject_raw.p, n );
00517 
00518         SSL_DEBUG_BUF( 3, "requested DN", p, n );
00519         p += n; crt = crt->next;
00520     }
00521 
00522     ssl->out_msglen  = n = p - buf;
00523     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00524     ssl->out_msg[0]  = SSL_HS_CERTIFICATE_REQUEST;
00525     ssl->out_msg[6]  = (unsigned char)( ( n - 8 ) >> 8 );
00526     ssl->out_msg[7]  = (unsigned char)( ( n - 8 )      );
00527 
00528     ret = ssl_write_record( ssl );
00529 
00530     SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
00531 
00532     return( ret );
00533 }
00534 
00535 static int ssl_write_server_key_exchange( ssl_context *ssl )
00536 {
00537 #if defined(POLARSSL_DHM_C)
00538     int ret;
00539     size_t n, rsa_key_len = 0;
00540     unsigned char hash[36];
00541     md5_context md5;
00542     sha1_context sha1;
00543 #endif
00544 
00545     SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
00546 
00547     if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
00548         ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
00549         ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
00550         ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
00551         ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
00552     {
00553         SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
00554         ssl->state++;
00555         return( 0 );
00556     }
00557 
00558 #if !defined(POLARSSL_DHM_C)
00559     SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
00560     return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00561 #else
00562 
00563     if( ssl->rsa_key == NULL )
00564     {
00565 #if defined(POLARSSL_PKCS11_C)
00566         if( ssl->pkcs11_key == NULL )
00567         {
00568 #endif /* defined(POLARSSL_PKCS11_C) */
00569             SSL_DEBUG_MSG( 1, ( "got no private key" ) );
00570             return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
00571 #if defined(POLARSSL_PKCS11_C)
00572         }
00573 #endif /* defined(POLARSSL_PKCS11_C) */
00574     }
00575 
00576     /*
00577      * Ephemeral DH parameters:
00578      *
00579      * struct {
00580      *     opaque dh_p<1..2^16-1>;
00581      *     opaque dh_g<1..2^16-1>;
00582      *     opaque dh_Ys<1..2^16-1>;
00583      * } ServerDHParams;
00584      */
00585     if( ( ret = dhm_make_params( &ssl->dhm_ctx, 256, ssl->out_msg + 4,
00586                                  &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
00587     {
00588         SSL_DEBUG_RET( 1, "dhm_make_params", ret );
00589         return( ret );
00590     }
00591 
00592     SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X  );
00593     SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P  );
00594     SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G  );
00595     SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX );
00596 
00597     /*
00598      * digitally-signed struct {
00599      *     opaque md5_hash[16];
00600      *     opaque sha_hash[20];
00601      * };
00602      *
00603      * md5_hash
00604      *     MD5(ClientHello.random + ServerHello.random
00605      *                            + ServerParams);
00606      * sha_hash
00607      *     SHA(ClientHello.random + ServerHello.random
00608      *                            + ServerParams);
00609      */
00610     md5_starts( &md5 );
00611     md5_update( &md5, ssl->randbytes,  64 );
00612     md5_update( &md5, ssl->out_msg + 4, n );
00613     md5_finish( &md5, hash );
00614 
00615     sha1_starts( &sha1 );
00616     sha1_update( &sha1, ssl->randbytes,  64 );
00617     sha1_update( &sha1, ssl->out_msg + 4, n );
00618     sha1_finish( &sha1, hash + 16 );
00619 
00620     SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 );
00621 
00622     if ( ssl->rsa_key )
00623         rsa_key_len = ssl->rsa_key->len;
00624 #if defined(POLARSSL_PKCS11_C)
00625     else
00626         rsa_key_len = ssl->pkcs11_key->len;
00627 #endif /* defined(POLARSSL_PKCS11_C) */
00628 
00629     ssl->out_msg[4 + n] = (unsigned char)( rsa_key_len >> 8 );
00630     ssl->out_msg[5 + n] = (unsigned char)( rsa_key_len      );
00631 
00632     if ( ssl->rsa_key )
00633     {
00634         ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
00635                               RSA_PRIVATE,
00636                               SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n );
00637     }
00638 #if defined(POLARSSL_PKCS11_C)
00639     else {
00640         ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE,
00641                               SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n );
00642     }
00643 #endif  /* defined(POLARSSL_PKCS11_C) */
00644 
00645     if( ret != 0 )
00646     {
00647         SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
00648         return( ret );
00649     }
00650 
00651     SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, rsa_key_len );
00652 
00653     ssl->out_msglen  = 6 + n + rsa_key_len;
00654     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00655     ssl->out_msg[0]  = SSL_HS_SERVER_KEY_EXCHANGE;
00656 
00657     ssl->state++;
00658 
00659     if( ( ret = ssl_write_record( ssl ) ) != 0 )
00660     {
00661         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
00662         return( ret );
00663     }
00664 
00665     SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
00666 
00667     return( 0 );
00668 #endif
00669 }
00670 
00671 static int ssl_write_server_hello_done( ssl_context *ssl )
00672 {
00673     int ret;
00674 
00675     SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
00676 
00677     ssl->out_msglen  = 4;
00678     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00679     ssl->out_msg[0]  = SSL_HS_SERVER_HELLO_DONE;
00680 
00681     ssl->state++;
00682 
00683     if( ( ret = ssl_write_record( ssl ) ) != 0 )
00684     {
00685         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
00686         return( ret );
00687     }
00688 
00689     SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
00690 
00691     return( 0 );
00692 }
00693 
00694 static int ssl_parse_client_key_exchange( ssl_context *ssl )
00695 {
00696     int ret;
00697     size_t i, n = 0;
00698 
00699     SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
00700 
00701     if( ( ret = ssl_read_record( ssl ) ) != 0 )
00702     {
00703         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00704         return( ret );
00705     }
00706 
00707     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00708     {
00709         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00710         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00711     }
00712 
00713     if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
00714     {
00715         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00716         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00717     }
00718 
00719     if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
00720         ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
00721         ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
00722         ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
00723         ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
00724     {
00725 #if !defined(POLARSSL_DHM_C)
00726         SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
00727         return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00728 #else
00729         /*
00730          * Receive G^Y mod P, premaster = (G^Y)^X mod P
00731          */
00732         n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
00733 
00734         if( n < 1 || n > ssl->dhm_ctx.len ||
00735             n + 6 != ssl->in_hslen )
00736         {
00737             SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00738             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00739         }
00740 
00741         if( ( ret = dhm_read_public( &ssl->dhm_ctx,
00742                                       ssl->in_msg + 6, n ) ) != 0 )
00743         {
00744             SSL_DEBUG_RET( 1, "dhm_read_public", ret );
00745             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP );
00746         }
00747 
00748         SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY );
00749 
00750         ssl->pmslen = ssl->dhm_ctx.len;
00751 
00752         if( ( ret = dhm_calc_secret( &ssl->dhm_ctx,
00753                      ssl->premaster, &ssl->pmslen ) ) != 0 )
00754         {
00755             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
00756             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS );
00757         }
00758 
00759         SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K  );
00760 #endif
00761     }
00762     else
00763     {
00764         if( ssl->rsa_key == NULL )
00765         {
00766 #if defined(POLARSSL_PKCS11_C)
00767                 if( ssl->pkcs11_key == NULL )
00768                 {
00769 #endif
00770                     SSL_DEBUG_MSG( 1, ( "got no private key" ) );
00771                     return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
00772 #if defined(POLARSSL_PKCS11_C)
00773                 }
00774 #endif
00775         }
00776 
00777         /*
00778          * Decrypt the premaster using own private RSA key
00779          */
00780         i = 4;
00781         if( ssl->rsa_key )
00782             n = ssl->rsa_key->len;
00783 #if defined(POLARSSL_PKCS11_C)
00784         else
00785             n = ssl->pkcs11_key->len;
00786 #endif
00787         ssl->pmslen = 48;
00788 
00789         if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
00790         {
00791             i += 2;
00792             if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
00793                 ssl->in_msg[5] != ( ( n      ) & 0xFF ) )
00794             {
00795                 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00796                 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00797             }
00798         }
00799 
00800         if( ssl->in_hslen != i + n )
00801         {
00802             SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00803             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00804         }
00805 
00806         if( ssl->rsa_key ) {
00807             ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen,
00808                                  ssl->in_msg + i, ssl->premaster,
00809                                  sizeof(ssl->premaster) );
00810         }
00811 #if defined(POLARSSL_PKCS11_C)
00812         else {
00813             ret = pkcs11_decrypt( ssl->pkcs11_key, RSA_PRIVATE, &ssl->pmslen,
00814                                  ssl->in_msg + i, ssl->premaster,
00815                                  sizeof(ssl->premaster) );
00816         }
00817 #endif  /* defined(POLARSSL_PKCS11_C) */
00818 
00819         if( ret != 0 || ssl->pmslen != 48 ||
00820             ssl->premaster[0] != ssl->max_major_ver ||
00821             ssl->premaster[1] != ssl->max_minor_ver )
00822         {
00823             SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00824 
00825             /*
00826              * Protection against Bleichenbacher's attack:
00827              * invalid PKCS#1 v1.5 padding must not cause
00828              * the connection to end immediately; instead,
00829              * send a bad_record_mac later in the handshake.
00830              */
00831             ssl->pmslen = 48;
00832 
00833             ret = ssl->f_rng( ssl->p_rng, ssl->premaster, ssl->pmslen );
00834             if( ret != 0 )
00835                 return( ret );
00836         }
00837     }
00838 
00839     if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
00840     {
00841         SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
00842         return( ret );
00843     }
00844 
00845     if( ssl->s_set != NULL )
00846         ssl->s_set( ssl );
00847 
00848     ssl->state++;
00849 
00850     SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
00851 
00852     return( 0 );
00853 }
00854 
00855 static int ssl_parse_certificate_verify( ssl_context *ssl )
00856 {
00857     int ret;
00858     size_t n1, n2;
00859     unsigned char hash[36];
00860 
00861     SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
00862 
00863     if( ssl->peer_cert == NULL )
00864     {
00865         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
00866         ssl->state++;
00867         return( 0 );
00868     }
00869 
00870     ssl_calc_verify( ssl, hash );
00871 
00872     if( ( ret = ssl_read_record( ssl ) ) != 0 )
00873     {
00874         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00875         return( ret );
00876     }
00877 
00878     ssl->state++;
00879 
00880     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00881     {
00882         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
00883         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
00884     }
00885 
00886     if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
00887     {
00888         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
00889         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
00890     }
00891 
00892     n1 = ssl->peer_cert->rsa.len;
00893     n2 = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
00894 
00895     if( n1 + 6 != ssl->in_hslen || n1 != n2 )
00896     {
00897         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
00898         return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
00899     }
00900 
00901     ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC,
00902                             SIG_RSA_RAW, 36, hash, ssl->in_msg + 6 );
00903     if( ret != 0 )
00904     {
00905         SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
00906         return( ret );
00907     }
00908 
00909     SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
00910 
00911     return( 0 );
00912 }
00913 
00914 /*
00915  * SSL handshake -- server side
00916  */
00917 int ssl_handshake_server( ssl_context *ssl )
00918 {
00919     int ret = 0;
00920 
00921     SSL_DEBUG_MSG( 2, ( "=> handshake server" ) );
00922 
00923     while( ssl->state != SSL_HANDSHAKE_OVER )
00924     {
00925         SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
00926 
00927         if( ( ret = ssl_flush_output( ssl ) ) != 0 )
00928             break;
00929 
00930         switch( ssl->state )
00931         {
00932             case SSL_HELLO_REQUEST:
00933                 ssl->state = SSL_CLIENT_HELLO;
00934                 break;
00935 
00936             /*
00937              *  <==   ClientHello
00938              */
00939             case SSL_CLIENT_HELLO:
00940                 ret = ssl_parse_client_hello( ssl );
00941                 break;
00942 
00943             /*
00944              *  ==>   ServerHello
00945              *        Certificate
00946              *      ( ServerKeyExchange  )
00947              *      ( CertificateRequest )
00948              *        ServerHelloDone
00949              */
00950             case SSL_SERVER_HELLO:
00951                 ret = ssl_write_server_hello( ssl );
00952                 break;
00953 
00954             case SSL_SERVER_CERTIFICATE:
00955                 ret = ssl_write_certificate( ssl );
00956                 break;
00957 
00958             case SSL_SERVER_KEY_EXCHANGE:
00959                 ret = ssl_write_server_key_exchange( ssl );
00960                 break;
00961 
00962             case SSL_CERTIFICATE_REQUEST:
00963                 ret = ssl_write_certificate_request( ssl );
00964                 break;
00965 
00966             case SSL_SERVER_HELLO_DONE:
00967                 ret = ssl_write_server_hello_done( ssl );
00968                 break;
00969 
00970             /*
00971              *  <== ( Certificate/Alert  )
00972              *        ClientKeyExchange
00973              *      ( CertificateVerify  )
00974              *        ChangeCipherSpec
00975              *        Finished
00976              */
00977             case SSL_CLIENT_CERTIFICATE:
00978                 ret = ssl_parse_certificate( ssl );
00979                 break;
00980 
00981             case SSL_CLIENT_KEY_EXCHANGE:
00982                 ret = ssl_parse_client_key_exchange( ssl );
00983                 break;
00984 
00985             case SSL_CERTIFICATE_VERIFY:
00986                 ret = ssl_parse_certificate_verify( ssl );
00987                 break;
00988 
00989             case SSL_CLIENT_CHANGE_CIPHER_SPEC:
00990                 ret = ssl_parse_change_cipher_spec( ssl );
00991                 break;
00992 
00993             case SSL_CLIENT_FINISHED:
00994                 ret = ssl_parse_finished( ssl );
00995                 break;
00996 
00997             /*
00998              *  ==>   ChangeCipherSpec
00999              *        Finished
01000              */
01001             case SSL_SERVER_CHANGE_CIPHER_SPEC:
01002                 ret = ssl_write_change_cipher_spec( ssl );
01003                 break;
01004 
01005             case SSL_SERVER_FINISHED:
01006                 ret = ssl_write_finished( ssl );
01007                 break;
01008 
01009             case SSL_FLUSH_BUFFERS:
01010                 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
01011                 ssl->state = SSL_HANDSHAKE_OVER;
01012                 break;
01013 
01014             default:
01015                 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
01016                 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
01017         }
01018 
01019         if( ret != 0 )
01020             break;
01021     }
01022 
01023     SSL_DEBUG_MSG( 2, ( "<= handshake server" ) );
01024 
01025     return( ret );
01026 }
01027 
01028 #endif