blob: f875fbfe7e98984dd65e38c8d36e79014c5ffed7 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 server-side functions
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +00004 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
Paul Bakker40e46942009-01-03 21:51:57 +000026#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000027
Paul Bakker40e46942009-01-03 21:51:57 +000028#if defined(POLARSSL_SSL_SRV_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000029
Paul Bakker40e46942009-01-03 21:51:57 +000030#include "polarssl/debug.h"
31#include "polarssl/ssl.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000032
Paul Bakker43b7e352011-01-18 15:27:19 +000033#if defined(POLARSSL_PKCS11_C)
34#include "polarssl/pkcs11.h"
35#endif /* defined(POLARSSL_PKCS11_C) */
36
Paul Bakker5121ce52009-01-03 21:22:43 +000037#include <string.h>
38#include <stdlib.h>
39#include <stdio.h>
40#include <time.h>
41
42static int ssl_parse_client_hello( ssl_context *ssl )
43{
44 int ret, i, j, n;
45 int ciph_len, sess_len;
46 int chal_len, comp_len;
47 unsigned char *buf, *p;
48
49 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
50
51 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
52 {
53 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
54 return( ret );
55 }
56
57 buf = ssl->in_hdr;
58
59 if( ( buf[0] & 0x80 ) != 0 )
60 {
61 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
62
63 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
64 buf[2] ) );
65 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
66 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
67 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
68 buf[3], buf[4] ) );
69
70 /*
71 * SSLv2 Client Hello
72 *
73 * Record layer:
74 * 0 . 1 message length
75 *
76 * SSL layer:
77 * 2 . 2 message type
78 * 3 . 4 protocol version
79 */
80 if( buf[2] != SSL_HS_CLIENT_HELLO ||
81 buf[3] != SSL_MAJOR_VERSION_3 )
82 {
83 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +000084 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +000085 }
86
87 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
88
89 if( n < 17 || n > 512 )
90 {
91 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +000092 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +000093 }
94
95 ssl->max_major_ver = buf[3];
96 ssl->max_minor_ver = buf[4];
97
98 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker61c324b2010-07-29 21:09:03 +000099 ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_2 )
100 ? buf[4] : SSL_MINOR_VERSION_2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000101
102 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
103 {
104 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
105 return( ret );
106 }
107
108 md5_update( &ssl->fin_md5 , buf + 2, n );
109 sha1_update( &ssl->fin_sha1, buf + 2, n );
110
111 buf = ssl->in_msg;
112 n = ssl->in_left - 5;
113
114 /*
Paul Bakkere3166ce2011-01-27 17:40:50 +0000115 * 0 . 1 ciphersuitelist length
Paul Bakker5121ce52009-01-03 21:22:43 +0000116 * 2 . 3 session id length
117 * 4 . 5 challenge length
Paul Bakkere3166ce2011-01-27 17:40:50 +0000118 * 6 . .. ciphersuitelist
Paul Bakker5121ce52009-01-03 21:22:43 +0000119 * .. . .. session id
120 * .. . .. challenge
121 */
122 SSL_DEBUG_BUF( 4, "record contents", buf, n );
123
124 ciph_len = ( buf[0] << 8 ) | buf[1];
125 sess_len = ( buf[2] << 8 ) | buf[3];
126 chal_len = ( buf[4] << 8 ) | buf[5];
127
128 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
129 ciph_len, sess_len, chal_len ) );
130
131 /*
132 * Make sure each parameter length is valid
133 */
134 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
135 {
136 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000137 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000138 }
139
140 if( sess_len < 0 || sess_len > 32 )
141 {
142 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000143 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000144 }
145
146 if( chal_len < 8 || chal_len > 32 )
147 {
148 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000149 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000150 }
151
152 if( n != 6 + ciph_len + sess_len + chal_len )
153 {
154 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000155 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000156 }
157
Paul Bakkere3166ce2011-01-27 17:40:50 +0000158 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
Paul Bakker5121ce52009-01-03 21:22:43 +0000159 buf + 6, ciph_len );
160 SSL_DEBUG_BUF( 3, "client hello, session id",
161 buf + 6 + ciph_len, sess_len );
162 SSL_DEBUG_BUF( 3, "client hello, challenge",
163 buf + 6 + ciph_len + sess_len, chal_len );
164
165 p = buf + 6 + ciph_len;
166 ssl->session->length = sess_len;
167 memset( ssl->session->id, 0, sizeof( ssl->session->id ) );
168 memcpy( ssl->session->id, p, ssl->session->length );
169
170 p += sess_len;
171 memset( ssl->randbytes, 0, 64 );
172 memcpy( ssl->randbytes + 32 - chal_len, p, chal_len );
173
Paul Bakkere3166ce2011-01-27 17:40:50 +0000174 for( i = 0; ssl->ciphersuites[i] != 0; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000175 {
176 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
177 {
178 if( p[0] == 0 &&
179 p[1] == 0 &&
Paul Bakkere3166ce2011-01-27 17:40:50 +0000180 p[2] == ssl->ciphersuites[i] )
181 goto have_ciphersuite;
Paul Bakker5121ce52009-01-03 21:22:43 +0000182 }
183 }
184 }
185 else
186 {
187 SSL_DEBUG_BUF( 4, "record header", buf, 5 );
188
189 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
190 buf[0] ) );
191 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
192 ( buf[3] << 8 ) | buf[4] ) );
193 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
194 buf[1], buf[2] ) );
195
196 /*
197 * SSLv3 Client Hello
198 *
199 * Record layer:
200 * 0 . 0 message type
201 * 1 . 2 protocol version
202 * 3 . 4 message length
203 */
204 if( buf[0] != SSL_MSG_HANDSHAKE ||
205 buf[1] != SSL_MAJOR_VERSION_3 )
206 {
207 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000208 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000209 }
210
211 n = ( buf[3] << 8 ) | buf[4];
212
213 if( n < 45 || n > 512 )
214 {
215 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000216 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000217 }
218
219 if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
220 {
221 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
222 return( ret );
223 }
224
225 buf = ssl->in_msg;
226 n = ssl->in_left - 5;
227
228 md5_update( &ssl->fin_md5 , buf, n );
229 sha1_update( &ssl->fin_sha1, buf, n );
230
231 /*
232 * SSL layer:
233 * 0 . 0 handshake type
234 * 1 . 3 handshake length
235 * 4 . 5 protocol version
236 * 6 . 9 UNIX time()
237 * 10 . 37 random bytes
238 * 38 . 38 session id length
239 * 39 . 38+x session id
Paul Bakkere3166ce2011-01-27 17:40:50 +0000240 * 39+x . 40+x ciphersuitelist length
241 * 41+x . .. ciphersuitelist
Paul Bakker5121ce52009-01-03 21:22:43 +0000242 * .. . .. compression alg.
243 * .. . .. extensions
244 */
245 SSL_DEBUG_BUF( 4, "record contents", buf, n );
246
247 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
248 buf[0] ) );
249 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
250 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
251 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
252 buf[4], buf[5] ) );
253
254 /*
255 * Check the handshake type and protocol version
256 */
257 if( buf[0] != SSL_HS_CLIENT_HELLO ||
258 buf[4] != SSL_MAJOR_VERSION_3 )
259 {
260 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000261 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000262 }
263
264 ssl->major_ver = SSL_MAJOR_VERSION_3;
Paul Bakker61c324b2010-07-29 21:09:03 +0000265 ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_2 )
266 ? buf[5] : SSL_MINOR_VERSION_2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000267
268 ssl->max_major_ver = buf[4];
269 ssl->max_minor_ver = buf[5];
270
271 memcpy( ssl->randbytes, buf + 6, 32 );
272
273 /*
274 * Check the handshake message length
275 */
276 if( buf[1] != 0 || n != 4 + ( ( buf[2] << 8 ) | buf[3] ) )
277 {
278 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000279 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000280 }
281
282 /*
283 * Check the session length
284 */
285 sess_len = buf[38];
286
287 if( sess_len < 0 || sess_len > 32 )
288 {
289 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000290 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000291 }
292
293 ssl->session->length = sess_len;
294 memset( ssl->session->id, 0, sizeof( ssl->session->id ) );
295 memcpy( ssl->session->id, buf + 39 , ssl->session->length );
296
297 /*
Paul Bakkere3166ce2011-01-27 17:40:50 +0000298 * Check the ciphersuitelist length
Paul Bakker5121ce52009-01-03 21:22:43 +0000299 */
300 ciph_len = ( buf[39 + sess_len] << 8 )
301 | ( buf[40 + sess_len] );
302
303 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
304 {
305 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000306 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000307 }
308
309 /*
310 * Check the compression algorithms length
311 */
312 comp_len = buf[41 + sess_len + ciph_len];
313
314 if( comp_len < 1 || comp_len > 16 )
315 {
316 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000317 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000318 }
319
320 SSL_DEBUG_BUF( 3, "client hello, random bytes",
321 buf + 6, 32 );
322 SSL_DEBUG_BUF( 3, "client hello, session id",
323 buf + 38, sess_len );
Paul Bakkere3166ce2011-01-27 17:40:50 +0000324 SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
Paul Bakker5121ce52009-01-03 21:22:43 +0000325 buf + 41 + sess_len, ciph_len );
326 SSL_DEBUG_BUF( 3, "client hello, compression",
327 buf + 42 + sess_len + ciph_len, comp_len );
328
329 /*
Paul Bakkere3166ce2011-01-27 17:40:50 +0000330 * Search for a matching ciphersuite
Paul Bakker5121ce52009-01-03 21:22:43 +0000331 */
Paul Bakkere3166ce2011-01-27 17:40:50 +0000332 for( i = 0; ssl->ciphersuites[i] != 0; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000333 {
334 for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
335 j += 2, p += 2 )
336 {
Paul Bakkere3166ce2011-01-27 17:40:50 +0000337 if( p[0] == 0 && p[1] == ssl->ciphersuites[i] )
338 goto have_ciphersuite;
Paul Bakker5121ce52009-01-03 21:22:43 +0000339 }
340 }
341 }
342
Paul Bakkere3166ce2011-01-27 17:40:50 +0000343 SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000344
Paul Bakker40e46942009-01-03 21:51:57 +0000345 return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
Paul Bakker5121ce52009-01-03 21:22:43 +0000346
Paul Bakkere3166ce2011-01-27 17:40:50 +0000347have_ciphersuite:
Paul Bakker5121ce52009-01-03 21:22:43 +0000348
Paul Bakkere3166ce2011-01-27 17:40:50 +0000349 ssl->session->ciphersuite = ssl->ciphersuites[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000350 ssl->in_left = 0;
351 ssl->state++;
352
353 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
354
355 return( 0 );
356}
357
358static int ssl_write_server_hello( ssl_context *ssl )
359{
360 time_t t;
361 int ret, i, n;
362 unsigned char *buf, *p;
363
364 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
365
366 /*
367 * 0 . 0 handshake type
368 * 1 . 3 handshake length
369 * 4 . 5 protocol version
370 * 6 . 9 UNIX time()
371 * 10 . 37 random bytes
372 */
373 buf = ssl->out_msg;
374 p = buf + 4;
375
376 *p++ = (unsigned char) ssl->major_ver;
377 *p++ = (unsigned char) ssl->minor_ver;
378
379 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
380 buf[4], buf[5] ) );
381
382 t = time( NULL );
383 *p++ = (unsigned char)( t >> 24 );
384 *p++ = (unsigned char)( t >> 16 );
385 *p++ = (unsigned char)( t >> 8 );
386 *p++ = (unsigned char)( t );
387
388 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
389
390 for( i = 28; i > 0; i-- )
391 *p++ = (unsigned char) ssl->f_rng( ssl->p_rng );
392
393 memcpy( ssl->randbytes + 32, buf + 6, 32 );
394
395 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
396
397 /*
398 * 38 . 38 session id length
399 * 39 . 38+n session id
Paul Bakkere3166ce2011-01-27 17:40:50 +0000400 * 39+n . 40+n chosen ciphersuite
Paul Bakker5121ce52009-01-03 21:22:43 +0000401 * 41+n . 41+n chosen compression alg.
402 */
403 ssl->session->length = n = 32;
404 *p++ = (unsigned char) ssl->session->length;
405
406 if( ssl->s_get == NULL ||
407 ssl->s_get( ssl ) != 0 )
408 {
409 /*
410 * Not found, create a new session id
411 */
412 ssl->resume = 0;
413 ssl->state++;
414
415 for( i = 0; i < n; i++ )
416 ssl->session->id[i] =
417 (unsigned char) ssl->f_rng( ssl->p_rng );
418 }
419 else
420 {
421 /*
422 * Found a matching session, resume it
423 */
424 ssl->resume = 1;
425 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000426
427 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
428 {
429 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
430 return( ret );
431 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000432 }
433
434 memcpy( p, ssl->session->id, ssl->session->length );
435 p += ssl->session->length;
436
437 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
438 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
439 SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
440 ssl->resume ? "a" : "no" ) );
441
Paul Bakkere3166ce2011-01-27 17:40:50 +0000442 *p++ = (unsigned char)( ssl->session->ciphersuite >> 8 );
443 *p++ = (unsigned char)( ssl->session->ciphersuite );
Paul Bakker5121ce52009-01-03 21:22:43 +0000444 *p++ = SSL_COMPRESS_NULL;
445
Paul Bakkere3166ce2011-01-27 17:40:50 +0000446 SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
447 ssl->session->ciphersuite ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000448 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) );
449
450 ssl->out_msglen = p - buf;
451 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
452 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
453
454 ret = ssl_write_record( ssl );
455
456 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
457
458 return( ret );
459}
460
461static int ssl_write_certificate_request( ssl_context *ssl )
462{
463 int ret, n;
464 unsigned char *buf, *p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000465 const x509_cert *crt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000466
467 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
468
469 ssl->state++;
470
471 if( ssl->authmode == SSL_VERIFY_NONE )
472 {
473 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
474 return( 0 );
475 }
476
477 /*
478 * 0 . 0 handshake type
479 * 1 . 3 handshake length
480 * 4 . 4 cert type count
481 * 5 .. n-1 cert types
482 * n .. n+1 length of all DNs
483 * n+2 .. n+3 length of DN 1
484 * n+4 .. ... Distinguished Name #1
485 * ... .. ... length of DN 2, etc.
486 */
487 buf = ssl->out_msg;
488 p = buf + 4;
489
490 /*
491 * At the moment, only RSA certificates are supported
492 */
493 *p++ = 1;
494 *p++ = 1;
495
496 p += 2;
497 crt = ssl->ca_chain;
498
Paul Bakker29087132010-03-21 21:03:34 +0000499 while( crt != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000500 {
501 if( p - buf > 4096 )
502 break;
503
504 n = crt->subject_raw.len;
505 *p++ = (unsigned char)( n >> 8 );
506 *p++ = (unsigned char)( n );
507 memcpy( p, crt->subject_raw.p, n );
508
509 SSL_DEBUG_BUF( 3, "requested DN", p, n );
510 p += n; crt = crt->next;
511 }
512
513 ssl->out_msglen = n = p - buf;
514 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
515 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
516 ssl->out_msg[6] = (unsigned char)( ( n - 8 ) >> 8 );
517 ssl->out_msg[7] = (unsigned char)( ( n - 8 ) );
518
519 ret = ssl_write_record( ssl );
520
521 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
522
523 return( ret );
524}
525
526static int ssl_write_server_key_exchange( ssl_context *ssl )
527{
Paul Bakker43b7e352011-01-18 15:27:19 +0000528 int ret, n, rsa_key_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000529 unsigned char hash[36];
530 md5_context md5;
531 sha1_context sha1;
532
533 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
534
Paul Bakkere3166ce2011-01-27 17:40:50 +0000535 if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
536 ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
537 ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
538 ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
539 ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
Paul Bakker5121ce52009-01-03 21:22:43 +0000540 {
541 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
542 ssl->state++;
543 return( 0 );
544 }
545
Paul Bakker40e46942009-01-03 21:51:57 +0000546#if !defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000547 SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000548 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000549#else
Paul Bakker43b7e352011-01-18 15:27:19 +0000550
551 if( ssl->rsa_key == NULL )
552 {
553#if defined(POLARSSL_PKCS11_C)
554 if( ssl->pkcs11_key == NULL )
555 {
556#endif /* defined(POLARSSL_PKCS11_C) */
557 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
558 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
559#if defined(POLARSSL_PKCS11_C)
560 }
561#endif /* defined(POLARSSL_PKCS11_C) */
562 }
563
Paul Bakker5121ce52009-01-03 21:22:43 +0000564 /*
565 * Ephemeral DH parameters:
566 *
567 * struct {
568 * opaque dh_p<1..2^16-1>;
569 * opaque dh_g<1..2^16-1>;
570 * opaque dh_Ys<1..2^16-1>;
571 * } ServerDHParams;
572 */
573 if( ( ret = dhm_make_params( &ssl->dhm_ctx, 256, ssl->out_msg + 4,
574 &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
575 {
576 SSL_DEBUG_RET( 1, "dhm_make_params", ret );
577 return( ret );
578 }
579
580 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X );
581 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P );
582 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G );
583 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX );
584
585 /*
586 * digitally-signed struct {
587 * opaque md5_hash[16];
588 * opaque sha_hash[20];
589 * };
590 *
591 * md5_hash
592 * MD5(ClientHello.random + ServerHello.random
593 * + ServerParams);
594 * sha_hash
595 * SHA(ClientHello.random + ServerHello.random
596 * + ServerParams);
597 */
598 md5_starts( &md5 );
599 md5_update( &md5, ssl->randbytes, 64 );
600 md5_update( &md5, ssl->out_msg + 4, n );
601 md5_finish( &md5, hash );
602
603 sha1_starts( &sha1 );
604 sha1_update( &sha1, ssl->randbytes, 64 );
605 sha1_update( &sha1, ssl->out_msg + 4, n );
606 sha1_finish( &sha1, hash + 16 );
607
608 SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 );
609
Paul Bakker43b7e352011-01-18 15:27:19 +0000610 if ( ssl->rsa_key )
611 rsa_key_len = ssl->rsa_key->len;
612#if defined(POLARSSL_PKCS11_C)
613 else
614 rsa_key_len = ssl->pkcs11_key->len;
615#endif /* defined(POLARSSL_PKCS11_C) */
Paul Bakker5121ce52009-01-03 21:22:43 +0000616
Paul Bakker43b7e352011-01-18 15:27:19 +0000617 ssl->out_msg[4 + n] = (unsigned char)( rsa_key_len >> 8 );
618 ssl->out_msg[5 + n] = (unsigned char)( rsa_key_len );
619
620 if ( ssl->rsa_key )
621 {
Paul Bakker9dcc3222011-03-08 14:16:06 +0000622 ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
623 RSA_PRIVATE,
Paul Bakker43b7e352011-01-18 15:27:19 +0000624 SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n );
625 }
626#if defined(POLARSSL_PKCS11_C)
627 else {
628 ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE,
629 SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n );
630 }
631#endif /* defined(POLARSSL_PKCS11_C) */
632
Paul Bakker5121ce52009-01-03 21:22:43 +0000633 if( ret != 0 )
634 {
Paul Bakker43b7e352011-01-18 15:27:19 +0000635 SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000636 return( ret );
637 }
638
Paul Bakker43b7e352011-01-18 15:27:19 +0000639 SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, rsa_key_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000640
Paul Bakker43b7e352011-01-18 15:27:19 +0000641 ssl->out_msglen = 6 + n + rsa_key_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000642 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
643 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
644
645 ssl->state++;
646
647 if( ( ret = ssl_write_record( ssl ) ) != 0 )
648 {
649 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
650 return( ret );
651 }
652
653 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
654
655 return( 0 );
656#endif
657}
658
659static int ssl_write_server_hello_done( ssl_context *ssl )
660{
661 int ret;
662
663 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
664
665 ssl->out_msglen = 4;
666 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
667 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
668
669 ssl->state++;
670
671 if( ( ret = ssl_write_record( ssl ) ) != 0 )
672 {
673 SSL_DEBUG_RET( 1, "ssl_write_record", ret );
674 return( ret );
675 }
676
677 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
678
679 return( 0 );
680}
681
682static int ssl_parse_client_key_exchange( ssl_context *ssl )
683{
Paul Bakker99a03af2011-04-01 11:39:39 +0000684 int ret, i, n = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000685
686 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
687
688 if( ( ret = ssl_read_record( ssl ) ) != 0 )
689 {
690 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
691 return( ret );
692 }
693
694 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
695 {
696 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000697 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000698 }
699
700 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
701 {
702 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000703 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000704 }
705
Paul Bakkere3166ce2011-01-27 17:40:50 +0000706 if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
707 ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
708 ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
709 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
710 ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
Paul Bakker5121ce52009-01-03 21:22:43 +0000711 {
Paul Bakker40e46942009-01-03 21:51:57 +0000712#if !defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000713 SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000714 return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000715#else
716 /*
717 * Receive G^Y mod P, premaster = (G^Y)^X mod P
718 */
719 n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
720
721 if( n < 1 || n > ssl->dhm_ctx.len ||
722 n + 6 != ssl->in_hslen )
723 {
724 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000725 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000726 }
727
728 if( ( ret = dhm_read_public( &ssl->dhm_ctx,
729 ssl->in_msg + 6, n ) ) != 0 )
730 {
731 SSL_DEBUG_RET( 1, "dhm_read_public", ret );
Paul Bakker40e46942009-01-03 21:51:57 +0000732 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000733 }
734
735 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY );
736
737 ssl->pmslen = ssl->dhm_ctx.len;
738
739 if( ( ret = dhm_calc_secret( &ssl->dhm_ctx,
740 ssl->premaster, &ssl->pmslen ) ) != 0 )
741 {
742 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
Paul Bakker40e46942009-01-03 21:51:57 +0000743 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE | ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000744 }
745
746 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K );
747#endif
748 }
749 else
750 {
Paul Bakker43b7e352011-01-18 15:27:19 +0000751 if( ssl->rsa_key == NULL )
752 {
753#if defined(POLARSSL_PKCS11_C)
754 if( ssl->pkcs11_key == NULL )
755 {
756#endif
757 SSL_DEBUG_MSG( 1, ( "got no private key" ) );
758 return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
759#if defined(POLARSSL_PKCS11_C)
760 }
761#endif
762 }
763
Paul Bakker5121ce52009-01-03 21:22:43 +0000764 /*
765 * Decrypt the premaster using own private RSA key
766 */
767 i = 4;
Paul Bakker43b7e352011-01-18 15:27:19 +0000768 if( ssl->rsa_key )
769 n = ssl->rsa_key->len;
770#if defined(POLARSSL_PKCS11_C)
771 else
772 n = ssl->pkcs11_key->len;
773#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000774 ssl->pmslen = 48;
775
776 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
777 {
778 i += 2;
779 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
780 ssl->in_msg[5] != ( ( n ) & 0xFF ) )
781 {
782 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000783 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000784 }
785 }
786
787 if( ssl->in_hslen != i + n )
788 {
789 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000790 return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000791 }
792
Paul Bakker43b7e352011-01-18 15:27:19 +0000793 if( ssl->rsa_key ) {
794 ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen,
Paul Bakker060c5682009-01-12 21:48:39 +0000795 ssl->in_msg + i, ssl->premaster,
Paul Bakker43b7e352011-01-18 15:27:19 +0000796 sizeof(ssl->premaster) );
797 }
798#if defined(POLARSSL_PKCS11_C)
799 else {
800 ret = pkcs11_decrypt( ssl->pkcs11_key, RSA_PRIVATE, &ssl->pmslen,
801 ssl->in_msg + i, ssl->premaster,
802 sizeof(ssl->premaster) );
803 }
804#endif /* defined(POLARSSL_PKCS11_C) */
Paul Bakker5121ce52009-01-03 21:22:43 +0000805
806 if( ret != 0 || ssl->pmslen != 48 ||
807 ssl->premaster[0] != ssl->max_major_ver ||
808 ssl->premaster[1] != ssl->max_minor_ver )
809 {
810 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
811
812 /*
813 * Protection against Bleichenbacher's attack:
814 * invalid PKCS#1 v1.5 padding must not cause
815 * the connection to end immediately; instead,
816 * send a bad_record_mac later in the handshake.
817 */
818 ssl->pmslen = 48;
819
820 for( i = 0; i < ssl->pmslen; i++ )
821 ssl->premaster[i] = (unsigned char) ssl->f_rng( ssl->p_rng );
822 }
823 }
824
Paul Bakkerff60ee62010-03-16 21:09:09 +0000825 if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
826 {
827 SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
828 return( ret );
829 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000830
831 if( ssl->s_set != NULL )
832 ssl->s_set( ssl );
833
834 ssl->state++;
835
836 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
837
838 return( 0 );
839}
840
841static int ssl_parse_certificate_verify( ssl_context *ssl )
842{
843 int n1, n2, ret;
844 unsigned char hash[36];
845
846 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
847
848 if( ssl->peer_cert == NULL )
849 {
850 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
851 ssl->state++;
852 return( 0 );
853 }
854
855 ssl_calc_verify( ssl, hash );
856
857 if( ( ret = ssl_read_record( ssl ) ) != 0 )
858 {
859 SSL_DEBUG_RET( 1, "ssl_read_record", ret );
860 return( ret );
861 }
862
863 ssl->state++;
864
865 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
866 {
867 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000868 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000869 }
870
871 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
872 {
873 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000874 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000875 }
876
877 n1 = ssl->peer_cert->rsa.len;
878 n2 = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
879
880 if( n1 + 6 != ssl->in_hslen || n1 != n2 )
881 {
882 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
Paul Bakker40e46942009-01-03 21:51:57 +0000883 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
Paul Bakker5121ce52009-01-03 21:22:43 +0000884 }
885
886 ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC,
Paul Bakkerfc22c442009-07-19 20:36:27 +0000887 SIG_RSA_RAW, 36, hash, ssl->in_msg + 6 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000888 if( ret != 0 )
889 {
890 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
891 return( ret );
892 }
893
894 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
895
896 return( 0 );
897}
898
899/*
900 * SSL handshake -- server side
901 */
902int ssl_handshake_server( ssl_context *ssl )
903{
904 int ret = 0;
905
906 SSL_DEBUG_MSG( 2, ( "=> handshake server" ) );
907
908 while( ssl->state != SSL_HANDSHAKE_OVER )
909 {
910 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
911
912 if( ( ret = ssl_flush_output( ssl ) ) != 0 )
913 break;
914
915 switch( ssl->state )
916 {
917 case SSL_HELLO_REQUEST:
918 ssl->state = SSL_CLIENT_HELLO;
919 break;
920
921 /*
922 * <== ClientHello
923 */
924 case SSL_CLIENT_HELLO:
925 ret = ssl_parse_client_hello( ssl );
926 break;
927
928 /*
929 * ==> ServerHello
930 * Certificate
931 * ( ServerKeyExchange )
932 * ( CertificateRequest )
933 * ServerHelloDone
934 */
935 case SSL_SERVER_HELLO:
936 ret = ssl_write_server_hello( ssl );
937 break;
938
939 case SSL_SERVER_CERTIFICATE:
940 ret = ssl_write_certificate( ssl );
941 break;
942
943 case SSL_SERVER_KEY_EXCHANGE:
944 ret = ssl_write_server_key_exchange( ssl );
945 break;
946
947 case SSL_CERTIFICATE_REQUEST:
948 ret = ssl_write_certificate_request( ssl );
949 break;
950
951 case SSL_SERVER_HELLO_DONE:
952 ret = ssl_write_server_hello_done( ssl );
953 break;
954
955 /*
956 * <== ( Certificate/Alert )
957 * ClientKeyExchange
958 * ( CertificateVerify )
959 * ChangeCipherSpec
960 * Finished
961 */
962 case SSL_CLIENT_CERTIFICATE:
963 ret = ssl_parse_certificate( ssl );
964 break;
965
966 case SSL_CLIENT_KEY_EXCHANGE:
967 ret = ssl_parse_client_key_exchange( ssl );
968 break;
969
970 case SSL_CERTIFICATE_VERIFY:
971 ret = ssl_parse_certificate_verify( ssl );
972 break;
973
974 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
975 ret = ssl_parse_change_cipher_spec( ssl );
976 break;
977
978 case SSL_CLIENT_FINISHED:
979 ret = ssl_parse_finished( ssl );
980 break;
981
982 /*
983 * ==> ChangeCipherSpec
984 * Finished
985 */
986 case SSL_SERVER_CHANGE_CIPHER_SPEC:
987 ret = ssl_write_change_cipher_spec( ssl );
988 break;
989
990 case SSL_SERVER_FINISHED:
991 ret = ssl_write_finished( ssl );
992 break;
993
994 case SSL_FLUSH_BUFFERS:
995 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
996 ssl->state = SSL_HANDSHAKE_OVER;
997 break;
998
999 default:
1000 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
Paul Bakker40e46942009-01-03 21:51:57 +00001001 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00001002 }
1003
1004 if( ret != 0 )
1005 break;
1006 }
1007
1008 SSL_DEBUG_MSG( 2, ( "<= handshake server" ) );
1009
1010 return( ret );
1011}
1012
1013#endif