Blame - library/ssl_cli.c - mirror/mbed-crypto

blob: 72cfcf3eddf4c5ba920d8d9caf9666904bcfb6b9 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* SSLv3/TLSv1 client-side functions
				3	*
Paul Bakker	84f12b7	2010-07-18 10:13:04 +0000	[diff] [blame^]	4	* Copyright (C) 2006-2010, Brainspark B.V.
				5	* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker	77b385e	2009-07-28 17:23:11 +0000	[diff] [blame]	6	* All rights reserved.
Paul Bakker	e0ccd0a	2009-01-04 16:27:10 +0000	[diff] [blame]	7	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	8	* This program is free software; you can redistribute it and/or modify
				9	* it under the terms of the GNU General Public License as published by
				10	* the Free Software Foundation; either version 2 of the License, or
				11	* (at your option) any later version.
				12	*
				13	* This program is distributed in the hope that it will be useful,
				14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				16	* GNU General Public License for more details.
				17	*
				18	* You should have received a copy of the GNU General Public License along
				19	* with this program; if not, write to the Free Software Foundation, Inc.,
				20	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				21	*/
				22
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	23	#include "polarssl/config.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	24
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	25	#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	26
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	27	#include "polarssl/debug.h"
				28	#include "polarssl/ssl.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	29
				30	#include <string.h>
				31	#include <stdlib.h>
				32	#include <stdio.h>
				33	#include <time.h>
				34
				35	static int ssl_write_client_hello( ssl_context *ssl )
				36	{
				37	int ret, i, n;
				38	unsigned char *buf;
				39	unsigned char *p;
				40	time_t t;
				41
				42	SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
				43
				44	ssl->major_ver = SSL_MAJOR_VERSION_3;
				45	ssl->minor_ver = SSL_MINOR_VERSION_0;
				46
				47	ssl->max_major_ver = SSL_MAJOR_VERSION_3;
				48	ssl->max_minor_ver = SSL_MINOR_VERSION_1;
				49
				50	/*
				51	* 0 . 0 handshake type
				52	* 1 . 3 handshake length
				53	* 4 . 5 highest version supported
				54	* 6 . 9 current UNIX time
				55	* 10 . 37 random bytes
				56	*/
				57	buf = ssl->out_msg;
				58	p = buf + 4;
				59
				60	*p++ = (unsigned char) ssl->max_major_ver;
				61	*p++ = (unsigned char) ssl->max_minor_ver;
				62
				63	SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
				64	buf[4], buf[5] ) );
				65
				66	t = time( NULL );
				67	*p++ = (unsigned char)( t >> 24 );
				68	*p++ = (unsigned char)( t >> 16 );
				69	*p++ = (unsigned char)( t >> 8 );
				70	*p++ = (unsigned char)( t );
				71
				72	SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
				73
				74	for( i = 28; i > 0; i-- )
				75	*p++ = (unsigned char) ssl->f_rng( ssl->p_rng );
				76
				77	memcpy( ssl->randbytes, buf + 6, 32 );
				78
				79	SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
				80
				81	/*
				82	* 38 . 38 session id length
				83	* 39 . 39+n session id
				84	* 40+n . 41+n cipherlist length
				85	* 42+n . .. cipherlist
				86	* .. . .. compression alg. (0)
				87	* .. . .. extensions (unused)
				88	*/
				89	n = ssl->session->length;
				90
				91	if( n < 16 \|\| n > 32 \|\| ssl->resume == 0 \|\|
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	92	( ssl->timeout != 0 && t - ssl->session->start > ssl->timeout ) )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	93	n = 0;
				94
				95	*p++ = (unsigned char) n;
				96
				97	for( i = 0; i < n; i++ )
				98	*p++ = ssl->session->id[i];
				99
				100	SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
				101	SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
				102
				103	for( n = 0; ssl->ciphers[n] != 0; n++ );
				104	*p++ = (unsigned char)( n >> 7 );
				105	*p++ = (unsigned char)( n << 1 );
				106
				107	SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphers", n ) );
				108
				109	for( i = 0; i < n; i++ )
				110	{
				111	SSL_DEBUG_MSG( 3, ( "client hello, add cipher: %2d",
				112	ssl->ciphers[i] ) );
				113
				114	*p++ = (unsigned char)( ssl->ciphers[i] >> 8 );
				115	*p++ = (unsigned char)( ssl->ciphers[i] );
				116	}
				117
				118	SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
				119	SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 0 ) );
				120
				121	*p++ = 1;
				122	*p++ = SSL_COMPRESS_NULL;
				123
				124	if ( ssl->hostname != NULL )
				125	{
				126	SSL_DEBUG_MSG( 3, ( "client hello, server name extension: %s",
				127	ssl->hostname ) );
				128
				129	*p++ = (unsigned char)( ( (ssl->hostname_len + 9) >> 8 ) & 0xFF );
				130	*p++ = (unsigned char)( ( (ssl->hostname_len + 9) ) & 0xFF );
				131
				132	*p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
				133	*p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
				134
				135	*p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
				136	*p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
				137
				138	*p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
				139	*p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
				140
				141	*p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
				142	*p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
				143	*p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
				144
				145	memcpy( p, ssl->hostname, ssl->hostname_len );
				146
				147	p += ssl->hostname_len;
				148	}
				149
				150	ssl->out_msglen = p - buf;
				151	ssl->out_msgtype = SSL_MSG_HANDSHAKE;
				152	ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
				153
				154	ssl->state++;
				155
				156	if( ( ret = ssl_write_record( ssl ) ) != 0 )
				157	{
				158	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
				159	return( ret );
				160	}
				161
				162	SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
				163
				164	return( 0 );
				165	}
				166
				167	static int ssl_parse_server_hello( ssl_context *ssl )
				168	{
				169	time_t t;
				170	int ret, i, n;
				171	int ext_len;
				172	unsigned char *buf;
				173
				174	SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
				175
				176	/*
				177	* 0 . 0 handshake type
				178	* 1 . 3 handshake length
				179	* 4 . 5 protocol version
				180	* 6 . 9 UNIX time()
				181	* 10 . 37 random bytes
				182	*/
				183	buf = ssl->in_msg;
				184
				185	if( ( ret = ssl_read_record( ssl ) ) != 0 )
				186	{
				187	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
				188	return( ret );
				189	}
				190
				191	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
				192	{
				193	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	194	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	195	}
				196
				197	SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
				198	buf[4], buf[5] ) );
				199
				200	if( ssl->in_hslen < 42 \|\|
				201	buf[0] != SSL_HS_SERVER_HELLO \|\|
				202	buf[4] != SSL_MAJOR_VERSION_3 )
				203	{
				204	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	205	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	206	}
				207
				208	if( buf[5] != SSL_MINOR_VERSION_0 &&
				209	buf[5] != SSL_MINOR_VERSION_1 )
				210	{
				211	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	212	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	213	}
				214
				215	ssl->minor_ver = buf[5];
				216
				217	t = ( (time_t) buf[6] << 24 )
				218	\| ( (time_t) buf[7] << 16 )
				219	\| ( (time_t) buf[8] << 8 )
				220	\| ( (time_t) buf[9] );
				221
				222	memcpy( ssl->randbytes + 32, buf + 6, 32 );
				223
				224	n = buf[38];
				225
				226	SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
				227	SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
				228
				229	/*
				230	* 38 . 38 session id length
				231	* 39 . 38+n session id
				232	* 39+n . 40+n chosen cipher
				233	* 41+n . 41+n chosen compression alg.
				234	* 42+n . 43+n extensions length
				235	* 44+n . 44+n+m extensions
				236	*/
				237	if( n < 0 \|\| n > 32 \|\| ssl->in_hslen > 42 + n )
				238	{
				239	ext_len = ( ( buf[42 + n] << 8 )
				240	\| ( buf[43 + n] ) ) + 2;
				241	}
				242	else
				243	{
				244	ext_len = 0;
				245	}
				246
				247	if( n < 0 \|\| n > 32 \|\| ssl->in_hslen != 42 + n + ext_len )
				248	{
				249	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	250	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	251	}
				252
				253	i = ( buf[39 + n] << 8 ) \| buf[40 + n];
				254
				255	SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
				256	SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
				257
				258	/*
				259	* Check if the session can be resumed
				260	*/
				261	if( ssl->resume == 0 \|\| n == 0 \|\|
				262	ssl->session->cipher != i \|\|
				263	ssl->session->length != n \|\|
				264	memcmp( ssl->session->id, buf + 39, n ) != 0 )
				265	{
				266	ssl->state++;
				267	ssl->resume = 0;
				268	ssl->session->start = time( NULL );
				269	ssl->session->cipher = i;
				270	ssl->session->length = n;
				271	memcpy( ssl->session->id, buf + 39, n );
				272	}
				273	else
				274	{
				275	ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	276
				277	if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
				278	{
				279	SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
				280	return( ret );
				281	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	282	}
				283
				284	SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
				285	ssl->resume ? "a" : "no" ) );
				286
				287	SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d", i ) );
				288	SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
				289
				290	i = 0;
				291	while( 1 )
				292	{
				293	if( ssl->ciphers[i] == 0 )
				294	{
				295	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	296	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	297	}
				298
				299	if( ssl->ciphers[i++] == ssl->session->cipher )
				300	break;
				301	}
				302
				303	if( buf[41 + n] != SSL_COMPRESS_NULL )
				304	{
				305	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	306	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	307	}
				308
				309	/* TODO: Process extensions */
				310
				311	SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
				312
				313	return( 0 );
				314	}
				315
				316	static int ssl_parse_server_key_exchange( ssl_context *ssl )
				317	{
				318	int ret, n;
				319	unsigned char p, end;
				320	unsigned char hash[36];
				321	md5_context md5;
				322	sha1_context sha1;
				323
				324	SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
				325
				326	if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA &&
Paul Bakker	77a4358	2010-06-15 21:32:46 +0000	[diff] [blame]	327	ssl->session->cipher != SSL_EDH_RSA_AES_128_SHA &&
Paul Bakker	b5ef0ba	2009-01-11 20:25:36 +0000	[diff] [blame]	328	ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA &&
Paul Bakker	77a4358	2010-06-15 21:32:46 +0000	[diff] [blame]	329	ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_128_SHA &&
				330	ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_256_SHA)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	331	{
				332	SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
				333	ssl->state++;
				334	return( 0 );
				335	}
				336
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	337	#if !defined(POLARSSL_DHM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	338	SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	339	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	340	#else
				341	if( ( ret = ssl_read_record( ssl ) ) != 0 )
				342	{
				343	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
				344	return( ret );
				345	}
				346
				347	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
				348	{
				349	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	350	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	351	}
				352
				353	if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
				354	{
				355	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	356	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	357	}
				358
				359	/*
				360	* Ephemeral DH parameters:
				361	*
				362	* struct {
				363	* opaque dh_p<1..2^16-1>;
				364	* opaque dh_g<1..2^16-1>;
				365	* opaque dh_Ys<1..2^16-1>;
				366	* } ServerDHParams;
				367	*/
				368	p = ssl->in_msg + 4;
				369	end = ssl->in_msg + ssl->in_hslen;
				370
				371	if( ( ret = dhm_read_params( &ssl->dhm_ctx, &p, end ) ) != 0 )
				372	{
				373	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	374	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	375	}
				376
				377	if( (int)( end - p ) != ssl->peer_cert->rsa.len )
				378	{
				379	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	380	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	381	}
				382
				383	if( ssl->dhm_ctx.len < 64 \|\| ssl->dhm_ctx.len > 256 )
				384	{
				385	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	386	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	387	}
				388
				389	SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P );
				390	SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G );
				391	SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY );
				392
				393	/*
				394	* digitally-signed struct {
				395	* opaque md5_hash[16];
				396	* opaque sha_hash[20];
				397	* };
				398	*
				399	* md5_hash
				400	* MD5(ClientHello.random + ServerHello.random
				401	* + ServerParams);
				402	* sha_hash
				403	* SHA(ClientHello.random + ServerHello.random
				404	* + ServerParams);
				405	*/
				406	n = ssl->in_hslen - ( end - p ) - 6;
				407
				408	md5_starts( &md5 );
				409	md5_update( &md5, ssl->randbytes, 64 );
				410	md5_update( &md5, ssl->in_msg + 4, n );
				411	md5_finish( &md5, hash );
				412
				413	sha1_starts( &sha1 );
				414	sha1_update( &sha1, ssl->randbytes, 64 );
				415	sha1_update( &sha1, ssl->in_msg + 4, n );
				416	sha1_finish( &sha1, hash + 16 );
				417
				418	SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 );
				419
				420	if( ( ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC,
Paul Bakker	fc22c44	2009-07-19 20:36:27 +0000	[diff] [blame]	421	SIG_RSA_RAW, 36, hash, p ) ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	422	{
				423	SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
				424	return( ret );
				425	}
				426
				427	ssl->state++;
				428
				429	SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
				430
				431	return( 0 );
				432	#endif
				433	}
				434
				435	static int ssl_parse_certificate_request( ssl_context *ssl )
				436	{
				437	int ret;
				438
				439	SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
				440
				441	/*
				442	* 0 . 0 handshake type
				443	* 1 . 3 handshake length
				444	* 4 . 5 SSL version
				445	* 6 . 6 cert type count
				446	* 7 .. n-1 cert types
				447	* n .. n+1 length of all DNs
				448	* n+2 .. n+3 length of DN 1
				449	* n+4 .. ... Distinguished Name #1
				450	* ... .. ... length of DN 2, etc.
				451	*/
				452	if( ( ret = ssl_read_record( ssl ) ) != 0 )
				453	{
				454	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
				455	return( ret );
				456	}
				457
				458	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
				459	{
				460	SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	461	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	462	}
				463
				464	ssl->client_auth = 0;
				465	ssl->state++;
				466
				467	if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
				468	ssl->client_auth++;
				469
				470	SSL_DEBUG_MSG( 3, ( "got %s certificate request",
				471	ssl->client_auth ? "a" : "no" ) );
				472
				473	SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
				474
				475	return( 0 );
				476	}
				477
				478	static int ssl_parse_server_hello_done( ssl_context *ssl )
				479	{
				480	int ret;
				481
				482	SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
				483
				484	if( ssl->client_auth != 0 )
				485	{
				486	if( ( ret = ssl_read_record( ssl ) ) != 0 )
				487	{
				488	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
				489	return( ret );
				490	}
				491
				492	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
				493	{
				494	SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	495	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	496	}
				497	}
				498
				499	if( ssl->in_hslen != 4 \|\|
				500	ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
				501	{
				502	SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	503	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	504	}
				505
				506	ssl->state++;
				507
				508	SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
				509
				510	return( 0 );
				511	}
				512
				513	static int ssl_write_client_key_exchange( ssl_context *ssl )
				514	{
				515	int ret, i, n;
				516
				517	SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
				518
				519	if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA \|\|
Paul Bakker	77a4358	2010-06-15 21:32:46 +0000	[diff] [blame]	520	ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA \|\|
Paul Bakker	b5ef0ba	2009-01-11 20:25:36 +0000	[diff] [blame]	521	ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA \|\|
Paul Bakker	77a4358	2010-06-15 21:32:46 +0000	[diff] [blame]	522	ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA \|\|
				523	ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	524	{
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	525	#if !defined(POLARSSL_DHM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	526	SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	527	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	528	#else
				529	/*
				530	* DHM key exchange -- send G^X mod P
				531	*/
				532	n = ssl->dhm_ctx.len;
				533
				534	ssl->out_msg[4] = (unsigned char)( n >> 8 );
				535	ssl->out_msg[5] = (unsigned char)( n );
				536	i = 6;
				537
				538	ret = dhm_make_public( &ssl->dhm_ctx, 256,
				539	&ssl->out_msg[i], n,
				540	ssl->f_rng, ssl->p_rng );
				541	if( ret != 0 )
				542	{
				543	SSL_DEBUG_RET( 1, "dhm_make_public", ret );
				544	return( ret );
				545	}
				546
				547	SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X );
				548	SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX );
				549
				550	ssl->pmslen = ssl->dhm_ctx.len;
				551
				552	if( ( ret = dhm_calc_secret( &ssl->dhm_ctx,
				553	ssl->premaster,
				554	&ssl->pmslen ) ) != 0 )
				555	{
				556	SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
				557	return( ret );
				558	}
				559
				560	SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K );
				561	#endif
				562	}
				563	else
				564	{
				565	/*
				566	* RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
				567	*/
				568	ssl->premaster[0] = (unsigned char) ssl->max_major_ver;
				569	ssl->premaster[1] = (unsigned char) ssl->max_minor_ver;
				570	ssl->pmslen = 48;
				571
				572	for( i = 2; i < ssl->pmslen; i++ )
				573	ssl->premaster[i] = (unsigned char) ssl->f_rng( ssl->p_rng );
				574
				575	i = 4;
				576	n = ssl->peer_cert->rsa.len;
				577
				578	if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
				579	{
				580	i += 2;
				581	ssl->out_msg[4] = (unsigned char)( n >> 8 );
				582	ssl->out_msg[5] = (unsigned char)( n );
				583	}
				584
				585	ret = rsa_pkcs1_encrypt( &ssl->peer_cert->rsa, RSA_PUBLIC,
				586	ssl->pmslen, ssl->premaster,
				587	ssl->out_msg + i );
				588	if( ret != 0 )
				589	{
				590	SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
				591	return( ret );
				592	}
				593	}
				594
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	595	if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
				596	{
				597	SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
				598	return( ret );
				599	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	600
				601	ssl->out_msglen = i + n;
				602	ssl->out_msgtype = SSL_MSG_HANDSHAKE;
				603	ssl->out_msg[0] = SSL_HS_CLIENT_KEY_EXCHANGE;
				604
				605	ssl->state++;
				606
				607	if( ( ret = ssl_write_record( ssl ) ) != 0 )
				608	{
				609	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
				610	return( ret );
				611	}
				612
				613	SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
				614
				615	return( 0 );
				616	}
				617
				618	static int ssl_write_certificate_verify( ssl_context *ssl )
				619	{
				620	int ret, n;
				621	unsigned char hash[36];
				622
				623	SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
				624
				625	if( ssl->client_auth == 0 )
				626	{
				627	SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
				628	ssl->state++;
				629	return( 0 );
				630	}
				631
				632	if( ssl->rsa_key == NULL )
				633	{
				634	SSL_DEBUG_MSG( 1, ( "got no private key" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	635	return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	636	}
				637
				638	/*
				639	* Make an RSA signature of the handshake digests
				640	*/
				641	ssl_calc_verify( ssl, hash );
				642
				643	n = ssl->rsa_key->len;
				644	ssl->out_msg[4] = (unsigned char)( n >> 8 );
				645	ssl->out_msg[5] = (unsigned char)( n );
				646
Paul Bakker	fc22c44	2009-07-19 20:36:27 +0000	[diff] [blame]	647	if( ( ret = rsa_pkcs1_sign( ssl->rsa_key, RSA_PRIVATE, SIG_RSA_RAW,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	648	36, hash, ssl->out_msg + 6 ) ) != 0 )
				649	{
				650	SSL_DEBUG_RET( 1, "rsa_pkcs1_sign", ret );
				651	return( ret );
				652	}
				653
				654	ssl->out_msglen = 6 + n;
				655	ssl->out_msgtype = SSL_MSG_HANDSHAKE;
				656	ssl->out_msg[0] = SSL_HS_CERTIFICATE_VERIFY;
				657
				658	ssl->state++;
				659
				660	if( ( ret = ssl_write_record( ssl ) ) != 0 )
				661	{
				662	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
				663	return( ret );
				664	}
				665
				666	SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
				667
				668	return( 0 );
				669	}
				670
				671	/*
				672	* SSL handshake -- client side
				673	*/
				674	int ssl_handshake_client( ssl_context *ssl )
				675	{
				676	int ret = 0;
				677
				678	SSL_DEBUG_MSG( 2, ( "=> handshake client" ) );
				679
				680	while( ssl->state != SSL_HANDSHAKE_OVER )
				681	{
				682	SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
				683
				684	if( ( ret = ssl_flush_output( ssl ) ) != 0 )
				685	break;
				686
				687	switch( ssl->state )
				688	{
				689	case SSL_HELLO_REQUEST:
				690	ssl->state = SSL_CLIENT_HELLO;
				691	break;
				692
				693	/*
				694	* ==> ClientHello
				695	*/
				696	case SSL_CLIENT_HELLO:
				697	ret = ssl_write_client_hello( ssl );
				698	break;
				699
				700	/*
				701	* <== ServerHello
				702	* Certificate
				703	* ( ServerKeyExchange )
				704	* ( CertificateRequest )
				705	* ServerHelloDone
				706	*/
				707	case SSL_SERVER_HELLO:
				708	ret = ssl_parse_server_hello( ssl );
				709	break;
				710
				711	case SSL_SERVER_CERTIFICATE:
				712	ret = ssl_parse_certificate( ssl );
				713	break;
				714
				715	case SSL_SERVER_KEY_EXCHANGE:
				716	ret = ssl_parse_server_key_exchange( ssl );
				717	break;
				718
				719	case SSL_CERTIFICATE_REQUEST:
				720	ret = ssl_parse_certificate_request( ssl );
				721	break;
				722
				723	case SSL_SERVER_HELLO_DONE:
				724	ret = ssl_parse_server_hello_done( ssl );
				725	break;
				726
				727	/*
				728	* ==> ( Certificate/Alert )
				729	* ClientKeyExchange
				730	* ( CertificateVerify )
				731	* ChangeCipherSpec
				732	* Finished
				733	*/
				734	case SSL_CLIENT_CERTIFICATE:
				735	ret = ssl_write_certificate( ssl );
				736	break;
				737
				738	case SSL_CLIENT_KEY_EXCHANGE:
				739	ret = ssl_write_client_key_exchange( ssl );
				740	break;
				741
				742	case SSL_CERTIFICATE_VERIFY:
				743	ret = ssl_write_certificate_verify( ssl );
				744	break;
				745
				746	case SSL_CLIENT_CHANGE_CIPHER_SPEC:
				747	ret = ssl_write_change_cipher_spec( ssl );
				748	break;
				749
				750	case SSL_CLIENT_FINISHED:
				751	ret = ssl_write_finished( ssl );
				752	break;
				753
				754	/*
				755	* <== ChangeCipherSpec
				756	* Finished
				757	*/
				758	case SSL_SERVER_CHANGE_CIPHER_SPEC:
				759	ret = ssl_parse_change_cipher_spec( ssl );
				760	break;
				761
				762	case SSL_SERVER_FINISHED:
				763	ret = ssl_parse_finished( ssl );
				764	break;
				765
				766	case SSL_FLUSH_BUFFERS:
				767	SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
				768	ssl->state = SSL_HANDSHAKE_OVER;
				769	break;
				770
				771	default:
				772	SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	773	return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	774	}
				775
				776	if( ret != 0 )
				777	break;
				778	}
				779
				780	SSL_DEBUG_MSG( 2, ( "<= handshake client" ) );
				781
				782	return( ret );
				783	}
				784
				785	#endif