PolarSSL v1.1.4
ssl_cli.c
Go to the documentation of this file.
00001 /*
00002  *  SSLv3/TLSv1 client-side functions
00003  *
00004  *  Copyright (C) 2006-2010, Brainspark B.V.
00005  *
00006  *  This file is part of PolarSSL (http://www.polarssl.org)
00007  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
00008  *
00009  *  All rights reserved.
00010  *
00011  *  This program is free software; you can redistribute it and/or modify
00012  *  it under the terms of the GNU General Public License as published by
00013  *  the Free Software Foundation; either version 2 of the License, or
00014  *  (at your option) any later version.
00015  *
00016  *  This program is distributed in the hope that it will be useful,
00017  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00018  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00019  *  GNU General Public License for more details.
00020  *
00021  *  You should have received a copy of the GNU General Public License along
00022  *  with this program; if not, write to the Free Software Foundation, Inc.,
00023  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
00024  */
00025 
00026 #include "polarssl/config.h"
00027 
00028 #if defined(POLARSSL_SSL_CLI_C)
00029 
00030 #include "polarssl/debug.h"
00031 #include "polarssl/ssl.h"
00032 
00033 #if defined(POLARSSL_PKCS11_C)
00034 #include "polarssl/pkcs11.h"
00035 #endif /* defined(POLARSSL_PKCS11_C) */
00036 
00037 #include <stdlib.h>
00038 #include <stdio.h>
00039 #include <time.h>
00040 
00041 static int ssl_write_client_hello( ssl_context *ssl )
00042 {
00043     int ret;
00044     size_t i, n;
00045     unsigned char *buf;
00046     unsigned char *p;
00047     time_t t;
00048 
00049     SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
00050 
00051     ssl->major_ver = SSL_MAJOR_VERSION_3;
00052     ssl->minor_ver = SSL_MINOR_VERSION_0;
00053 
00054     if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
00055     {
00056         ssl->max_major_ver = SSL_MAJOR_VERSION_3;
00057         ssl->max_minor_ver = SSL_MINOR_VERSION_2;
00058     }
00059 
00060     /*
00061      *     0  .   0   handshake type
00062      *     1  .   3   handshake length
00063      *     4  .   5   highest version supported
00064      *     6  .   9   current UNIX time
00065      *    10  .  37   random bytes
00066      */
00067     buf = ssl->out_msg;
00068     p = buf + 4;
00069 
00070     *p++ = (unsigned char) ssl->max_major_ver;
00071     *p++ = (unsigned char) ssl->max_minor_ver;
00072 
00073     SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
00074                    buf[4], buf[5] ) );
00075 
00076     t = time( NULL );
00077     *p++ = (unsigned char)( t >> 24 );
00078     *p++ = (unsigned char)( t >> 16 );
00079     *p++ = (unsigned char)( t >>  8 );
00080     *p++ = (unsigned char)( t       );
00081 
00082     SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
00083 
00084     if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
00085         return( ret );
00086 
00087     p += 28;
00088 
00089     memcpy( ssl->randbytes, buf + 6, 32 );
00090 
00091     SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
00092 
00093     /*
00094      *    38  .  38   session id length
00095      *    39  . 39+n  session id
00096      *   40+n . 41+n  ciphersuitelist length
00097      *   42+n . ..    ciphersuitelist
00098      *   ..   . ..    compression alg. (0)
00099      *   ..   . ..    extensions (unused)
00100      */
00101     n = ssl->session->length;
00102 
00103     if( n < 16 || n > 32 || ssl->resume == 0 ||
00104         ( ssl->timeout != 0 && t - ssl->session->start > ssl->timeout ) )
00105         n = 0;
00106 
00107     *p++ = (unsigned char) n;
00108 
00109     for( i = 0; i < n; i++ )
00110         *p++ = ssl->session->id[i];
00111 
00112     SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
00113     SSL_DEBUG_BUF( 3,   "client hello, session id", buf + 39, n );
00114 
00115     for( n = 0; ssl->ciphersuites[n] != 0; n++ );
00116     *p++ = (unsigned char)( n >> 7 );
00117     *p++ = (unsigned char)( n << 1 );
00118 
00119     SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
00120 
00121     for( i = 0; i < n; i++ )
00122     {
00123         SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
00124                        ssl->ciphersuites[i] ) );
00125 
00126         *p++ = (unsigned char)( ssl->ciphersuites[i] >> 8 );
00127         *p++ = (unsigned char)( ssl->ciphersuites[i]      );
00128     }
00129 
00130     SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
00131     SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 0 ) );
00132 
00133     *p++ = 1;
00134     *p++ = SSL_COMPRESS_NULL;
00135 
00136     if ( ssl->hostname != NULL )
00137     {
00138         SSL_DEBUG_MSG( 3, ( "client hello, server name extension: %s",
00139                        ssl->hostname ) );
00140 
00141         *p++ = (unsigned char)( ( (ssl->hostname_len + 9) >> 8 ) & 0xFF );
00142         *p++ = (unsigned char)( ( (ssl->hostname_len + 9)      ) & 0xFF );
00143 
00144         *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
00145         *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME      ) & 0xFF );
00146 
00147         *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
00148         *p++ = (unsigned char)( ( (ssl->hostname_len + 5)      ) & 0xFF );
00149 
00150         *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
00151         *p++ = (unsigned char)( ( (ssl->hostname_len + 3)      ) & 0xFF );
00152 
00153         *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
00154         *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
00155         *p++ = (unsigned char)( ( ssl->hostname_len      ) & 0xFF );
00156 
00157         memcpy( p, ssl->hostname, ssl->hostname_len );
00158 
00159         p += ssl->hostname_len;
00160     }
00161 
00162     ssl->out_msglen  = p - buf;
00163     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00164     ssl->out_msg[0]  = SSL_HS_CLIENT_HELLO;
00165 
00166     ssl->state++;
00167 
00168     if( ( ret = ssl_write_record( ssl ) ) != 0 )
00169     {
00170         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
00171         return( ret );
00172     }
00173 
00174     SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
00175 
00176     return( 0 );
00177 }
00178 
00179 static int ssl_parse_server_hello( ssl_context *ssl )
00180 {
00181 #if defined(POLARSSL_DEBUG_MSG) && defined(POLARSSL_DEBUG_C)
00182     time_t t;
00183 #endif
00184     int ret, i;
00185     size_t n;
00186     int ext_len;
00187     unsigned char *buf;
00188 
00189     SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
00190 
00191     /*
00192      *     0  .   0   handshake type
00193      *     1  .   3   handshake length
00194      *     4  .   5   protocol version
00195      *     6  .   9   UNIX time()
00196      *    10  .  37   random bytes
00197      */
00198     buf = ssl->in_msg;
00199 
00200     if( ( ret = ssl_read_record( ssl ) ) != 0 )
00201     {
00202         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00203         return( ret );
00204     }
00205 
00206     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00207     {
00208         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00209         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
00210     }
00211 
00212     SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
00213                    buf[4], buf[5] ) );
00214 
00215     if( ssl->in_hslen < 42 ||
00216         buf[0] != SSL_HS_SERVER_HELLO ||
00217         buf[4] != SSL_MAJOR_VERSION_3 )
00218     {
00219         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00220         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00221     }
00222 
00223     if( buf[5] > ssl->max_minor_ver )
00224     {
00225         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00226         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00227     }
00228 
00229     ssl->minor_ver = buf[5];
00230 
00231 #if defined(POLARSSL_DEBUG_MSG) && defined(POLARSSL_DEBUG_C)
00232     t = ( (time_t) buf[6] << 24 )
00233       | ( (time_t) buf[7] << 16 )
00234       | ( (time_t) buf[8] <<  8 )
00235       | ( (time_t) buf[9]       );
00236 #endif
00237 
00238     memcpy( ssl->randbytes + 32, buf + 6, 32 );
00239 
00240     n = buf[38];
00241 
00242     SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
00243     SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 6, 32 );
00244 
00245     /*
00246      *    38  .  38   session id length
00247      *    39  . 38+n  session id
00248      *   39+n . 40+n  chosen ciphersuite
00249      *   41+n . 41+n  chosen compression alg.
00250      *   42+n . 43+n  extensions length
00251      *   44+n . 44+n+m extensions
00252      */
00253     if( n > 32 || ssl->in_hslen > 42 + n )
00254     {
00255         ext_len = ( ( buf[42 + n] <<  8 )
00256                   | ( buf[43 + n]       ) ) + 2;
00257     }
00258     else
00259     {
00260         ext_len = 0;
00261     }
00262 
00263     if( n > 32 || ssl->in_hslen != 42 + n + ext_len )
00264     {
00265         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00266         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00267     }
00268 
00269     i = ( buf[39 + n] << 8 ) | buf[40 + n];
00270 
00271     SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
00272     SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
00273 
00274     /*
00275      * Check if the session can be resumed
00276      */
00277     if( ssl->resume == 0 || n == 0 ||
00278         ssl->session->ciphersuite != i ||
00279         ssl->session->length != n ||
00280         memcmp( ssl->session->id, buf + 39, n ) != 0 )
00281     {
00282         ssl->state++;
00283         ssl->resume = 0;
00284         ssl->session->start = time( NULL );
00285         ssl->session->ciphersuite = i;
00286         ssl->session->length = n;
00287         memcpy( ssl->session->id, buf + 39, n );
00288     }
00289     else
00290     {
00291         ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
00292 
00293         if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
00294         {
00295             SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
00296             return( ret );
00297         }
00298     }
00299 
00300     SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
00301                    ssl->resume ? "a" : "no" ) );
00302 
00303     SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
00304     SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
00305 
00306     i = 0;
00307     while( 1 )
00308     {
00309         if( ssl->ciphersuites[i] == 0 )
00310         {
00311             SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00312             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00313         }
00314 
00315         if( ssl->ciphersuites[i++] == ssl->session->ciphersuite )
00316             break;
00317     }
00318 
00319     if( buf[41 + n] != SSL_COMPRESS_NULL )
00320     {
00321         SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
00322         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
00323     }
00324 
00325     /* TODO: Process extensions */
00326 
00327     SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
00328 
00329     return( 0 );
00330 }
00331 
00332 static int ssl_parse_server_key_exchange( ssl_context *ssl )
00333 {
00334 #if defined(POLARSSL_DHM_C)
00335     int ret;
00336     size_t n;
00337     unsigned char *p, *end;
00338     unsigned char hash[36];
00339     md5_context md5;
00340     sha1_context sha1;
00341 #endif
00342 
00343     SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
00344 
00345     if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
00346         ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
00347         ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
00348         ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
00349         ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
00350     {
00351         SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
00352         ssl->state++;
00353         return( 0 );
00354     }
00355 
00356 #if !defined(POLARSSL_DHM_C)
00357     SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
00358     return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00359 #else
00360     if( ( ret = ssl_read_record( ssl ) ) != 0 )
00361     {
00362         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00363         return( ret );
00364     }
00365 
00366     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00367     {
00368         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
00369         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
00370     }
00371 
00372     if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
00373     {
00374         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
00375         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
00376     }
00377 
00378     /*
00379      * Ephemeral DH parameters:
00380      *
00381      * struct {
00382      *     opaque dh_p<1..2^16-1>;
00383      *     opaque dh_g<1..2^16-1>;
00384      *     opaque dh_Ys<1..2^16-1>;
00385      * } ServerDHParams;
00386      */
00387     p   = ssl->in_msg + 4;
00388     end = ssl->in_msg + ssl->in_hslen;
00389 
00390     if( ( ret = dhm_read_params( &ssl->dhm_ctx, &p, end ) ) != 0 )
00391     {
00392         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
00393         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
00394     }
00395 
00396     if( (unsigned int)( end - p ) != ssl->peer_cert->rsa.len )
00397     {
00398         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
00399         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
00400     }
00401 
00402     if( ssl->dhm_ctx.len < 64 || ssl->dhm_ctx.len > 512 )
00403     {
00404         SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
00405         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
00406     }
00407 
00408     SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P  );
00409     SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G  );
00410     SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY );
00411 
00412     /*
00413      * digitally-signed struct {
00414      *     opaque md5_hash[16];
00415      *     opaque sha_hash[20];
00416      * };
00417      *
00418      * md5_hash
00419      *     MD5(ClientHello.random + ServerHello.random
00420      *                            + ServerParams);
00421      * sha_hash
00422      *     SHA(ClientHello.random + ServerHello.random
00423      *                            + ServerParams);
00424      */
00425     n = ssl->in_hslen - ( end - p ) - 6;
00426 
00427     md5_starts( &md5 );
00428     md5_update( &md5, ssl->randbytes, 64 );
00429     md5_update( &md5, ssl->in_msg + 4, n );
00430     md5_finish( &md5, hash );
00431 
00432     sha1_starts( &sha1 );
00433     sha1_update( &sha1, ssl->randbytes, 64 );
00434     sha1_update( &sha1, ssl->in_msg + 4, n );
00435     sha1_finish( &sha1, hash + 16 );
00436 
00437     SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 );
00438 
00439     if( ( ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC,
00440                                   SIG_RSA_RAW, 36, hash, p ) ) != 0 )
00441     {
00442         SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
00443         return( ret );
00444     }
00445 
00446     ssl->state++;
00447 
00448     SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
00449 
00450     return( 0 );
00451 #endif
00452 }
00453 
00454 static int ssl_parse_certificate_request( ssl_context *ssl )
00455 {
00456     int ret;
00457 
00458     SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
00459 
00460     /*
00461      *     0  .   0   handshake type
00462      *     1  .   3   handshake length
00463      *     4  .   5   SSL version
00464      *     6  .   6   cert type count
00465      *     7  .. n-1  cert types
00466      *     n  .. n+1  length of all DNs
00467      *    n+2 .. n+3  length of DN 1
00468      *    n+4 .. ...  Distinguished Name #1
00469      *    ... .. ...  length of DN 2, etc.
00470      */
00471     if( ( ret = ssl_read_record( ssl ) ) != 0 )
00472     {
00473         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00474         return( ret );
00475     }
00476 
00477     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00478     {
00479         SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
00480         return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
00481     }
00482 
00483     ssl->client_auth = 0;
00484     ssl->state++;
00485 
00486     if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
00487         ssl->client_auth++;
00488 
00489     SSL_DEBUG_MSG( 3, ( "got %s certificate request",
00490                         ssl->client_auth ? "a" : "no" ) );
00491 
00492     SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
00493 
00494     return( 0 );
00495 }
00496 
00497 static int ssl_parse_server_hello_done( ssl_context *ssl )
00498 {
00499     int ret;
00500 
00501     SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
00502 
00503     if( ssl->client_auth != 0 )
00504     {
00505         if( ( ret = ssl_read_record( ssl ) ) != 0 )
00506         {
00507             SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00508             return( ret );
00509         }
00510 
00511         if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00512         {
00513             SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
00514             return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
00515         }
00516     }
00517 
00518     if( ssl->in_hslen  != 4 ||
00519         ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
00520     {
00521         SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
00522         return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
00523     }
00524 
00525     ssl->state++;
00526 
00527     SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
00528 
00529     return( 0 );
00530 }
00531 
00532 static int ssl_write_client_key_exchange( ssl_context *ssl )
00533 {
00534     int ret;
00535     size_t i, n;
00536 
00537     SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
00538 
00539     if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
00540         ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
00541         ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
00542         ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
00543         ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
00544     {
00545 #if !defined(POLARSSL_DHM_C)
00546         SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
00547         return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00548 #else
00549         /*
00550          * DHM key exchange -- send G^X mod P
00551          */
00552         n = ssl->dhm_ctx.len;
00553 
00554         ssl->out_msg[4] = (unsigned char)( n >> 8 );
00555         ssl->out_msg[5] = (unsigned char)( n      );
00556         i = 6;
00557 
00558         ret = dhm_make_public( &ssl->dhm_ctx, 256,
00559                                &ssl->out_msg[i], n,
00560                                 ssl->f_rng, ssl->p_rng );
00561         if( ret != 0 )
00562         {
00563             SSL_DEBUG_RET( 1, "dhm_make_public", ret );
00564             return( ret );
00565         }
00566 
00567         SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X  );
00568         SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX );
00569 
00570         ssl->pmslen = ssl->dhm_ctx.len;
00571 
00572         if( ( ret = dhm_calc_secret( &ssl->dhm_ctx,
00573                                       ssl->premaster,
00574                                      &ssl->pmslen ) ) != 0 )
00575         {
00576             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
00577             return( ret );
00578         }
00579 
00580         SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K  );
00581 #endif
00582     }
00583     else
00584     {
00585         /*
00586          * RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
00587          */
00588         ssl->premaster[0] = (unsigned char) ssl->max_major_ver;
00589         ssl->premaster[1] = (unsigned char) ssl->max_minor_ver;
00590         ssl->pmslen = 48;
00591 
00592         ret = ssl->f_rng( ssl->p_rng, ssl->premaster + 2, ssl->pmslen - 2 );
00593         if( ret != 0 )
00594             return( ret );
00595 
00596         i = 4;
00597         n = ssl->peer_cert->rsa.len;
00598 
00599         if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
00600         {
00601             i += 2;
00602             ssl->out_msg[4] = (unsigned char)( n >> 8 );
00603             ssl->out_msg[5] = (unsigned char)( n      );
00604         }
00605 
00606         ret = rsa_pkcs1_encrypt( &ssl->peer_cert->rsa,
00607                                   ssl->f_rng, ssl->p_rng,
00608                                   RSA_PUBLIC,
00609                                   ssl->pmslen, ssl->premaster,
00610                                   ssl->out_msg + i );
00611         if( ret != 0 )
00612         {
00613             SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
00614             return( ret );
00615         }
00616     }
00617 
00618     if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
00619     {
00620         SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
00621         return( ret );
00622     }
00623 
00624     ssl->out_msglen  = i + n;
00625     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00626     ssl->out_msg[0]  = SSL_HS_CLIENT_KEY_EXCHANGE;
00627 
00628     ssl->state++;
00629 
00630     if( ( ret = ssl_write_record( ssl ) ) != 0 )
00631     {
00632         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
00633         return( ret );
00634     }
00635 
00636     SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
00637 
00638     return( 0 );
00639 }
00640 
00641 static int ssl_write_certificate_verify( ssl_context *ssl )
00642 {
00643     int ret = 0;
00644     size_t n = 0;
00645     unsigned char hash[36];
00646 
00647     SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
00648 
00649     if( ssl->client_auth == 0 || ssl->own_cert == NULL )
00650     {
00651         SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
00652         ssl->state++;
00653         return( 0 );
00654     }
00655 
00656     if( ssl->rsa_key == NULL )
00657     {
00658 #if defined(POLARSSL_PKCS11_C)
00659         if( ssl->pkcs11_key == NULL )
00660         {
00661 #endif /* defined(POLARSSL_PKCS11_C) */
00662             SSL_DEBUG_MSG( 1, ( "got no private key" ) );
00663             return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
00664 #if defined(POLARSSL_PKCS11_C)
00665         }
00666 #endif /* defined(POLARSSL_PKCS11_C) */
00667     }
00668 
00669     /*
00670      * Make an RSA signature of the handshake digests
00671      */
00672     ssl_calc_verify( ssl, hash );
00673 
00674     if ( ssl->rsa_key )
00675         n = ssl->rsa_key->len;
00676 #if defined(POLARSSL_PKCS11_C)
00677     else
00678         n = ssl->pkcs11_key->len;
00679 #endif  /* defined(POLARSSL_PKCS11_C) */
00680 
00681     ssl->out_msg[4] = (unsigned char)( n >> 8 );
00682     ssl->out_msg[5] = (unsigned char)( n      );
00683 
00684     if( ssl->rsa_key )
00685     {
00686         ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
00687                                     RSA_PRIVATE, SIG_RSA_RAW,
00688                                     36, hash, ssl->out_msg + 6 );
00689     } else {
00690 #if defined(POLARSSL_PKCS11_C)
00691         ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE, SIG_RSA_RAW,
00692                                     36, hash, ssl->out_msg + 6 );
00693 #endif  /* defined(POLARSSL_PKCS11_C) */
00694     }
00695 
00696     if (ret != 0)
00697     {
00698         SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
00699         return( ret );
00700     }
00701 
00702     ssl->out_msglen  = 6 + n;
00703     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00704     ssl->out_msg[0]  = SSL_HS_CERTIFICATE_VERIFY;
00705 
00706     ssl->state++;
00707 
00708     if( ( ret = ssl_write_record( ssl ) ) != 0 )
00709     {
00710         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
00711         return( ret );
00712     }
00713 
00714     SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
00715 
00716     return( 0 );
00717 }
00718 
00719 /*
00720  * SSL handshake -- client side
00721  */
00722 int ssl_handshake_client( ssl_context *ssl )
00723 {
00724     int ret = 0;
00725 
00726     SSL_DEBUG_MSG( 2, ( "=> handshake client" ) );
00727 
00728     while( ssl->state != SSL_HANDSHAKE_OVER )
00729     {
00730         SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
00731 
00732         if( ( ret = ssl_flush_output( ssl ) ) != 0 )
00733             break;
00734 
00735         switch( ssl->state )
00736         {
00737             case SSL_HELLO_REQUEST:
00738                 ssl->state = SSL_CLIENT_HELLO;
00739                 break;
00740 
00741             /*
00742              *  ==>   ClientHello
00743              */
00744             case SSL_CLIENT_HELLO:
00745                 ret = ssl_write_client_hello( ssl );
00746                 break;
00747 
00748             /*
00749              *  <==   ServerHello
00750              *        Certificate
00751              *      ( ServerKeyExchange  )
00752              *      ( CertificateRequest )
00753              *        ServerHelloDone
00754              */
00755             case SSL_SERVER_HELLO:
00756                 ret = ssl_parse_server_hello( ssl );
00757                 break;
00758 
00759             case SSL_SERVER_CERTIFICATE:
00760                 ret = ssl_parse_certificate( ssl );
00761                 break;
00762 
00763             case SSL_SERVER_KEY_EXCHANGE:
00764                 ret = ssl_parse_server_key_exchange( ssl );
00765                 break;
00766 
00767             case SSL_CERTIFICATE_REQUEST:
00768                 ret = ssl_parse_certificate_request( ssl );
00769                 break;
00770 
00771             case SSL_SERVER_HELLO_DONE:
00772                 ret = ssl_parse_server_hello_done( ssl );
00773                 break;
00774 
00775             /*
00776              *  ==> ( Certificate/Alert  )
00777              *        ClientKeyExchange
00778              *      ( CertificateVerify  )
00779              *        ChangeCipherSpec
00780              *        Finished
00781              */
00782             case SSL_CLIENT_CERTIFICATE:
00783                 ret = ssl_write_certificate( ssl );
00784                 break;
00785 
00786             case SSL_CLIENT_KEY_EXCHANGE:
00787                 ret = ssl_write_client_key_exchange( ssl );
00788                 break;
00789 
00790             case SSL_CERTIFICATE_VERIFY:
00791                 ret = ssl_write_certificate_verify( ssl );
00792                 break;
00793 
00794             case SSL_CLIENT_CHANGE_CIPHER_SPEC:
00795                 ret = ssl_write_change_cipher_spec( ssl );
00796                 break;
00797 
00798             case SSL_CLIENT_FINISHED:
00799                 ret = ssl_write_finished( ssl );
00800                 break;
00801 
00802             /*
00803              *  <==   ChangeCipherSpec
00804              *        Finished
00805              */
00806             case SSL_SERVER_CHANGE_CIPHER_SPEC:
00807                 ret = ssl_parse_change_cipher_spec( ssl );
00808                 break;
00809 
00810             case SSL_SERVER_FINISHED:
00811                 ret = ssl_parse_finished( ssl );
00812                 break;
00813 
00814             case SSL_FLUSH_BUFFERS:
00815                 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
00816                 ssl->state = SSL_HANDSHAKE_OVER;
00817                 break;
00818 
00819             default:
00820                 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
00821                 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
00822         }
00823 
00824         if( ret != 0 )
00825             break;
00826     }
00827 
00828     SSL_DEBUG_MSG( 2, ( "<= handshake client" ) );
00829 
00830     return( ret );
00831 }
00832 
00833 #endif