search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ssl/tls: add proper const attributes to functions, context members
[tropicssl.git] / library / ssl_srv.c
blobc5d984fcce74f00e79aaeddee45d5d4d2ef370ce
1 /*
2 * SSLv3/TLSv1 server-side functions
3 *
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
7 *
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 #include "tropicssl/config.h"
37
38 #if defined(TROPICSSL_SSL_SRV_C)
39
40 #include "tropicssl/debug.h"
41 #include "tropicssl/ssl.h"
42
43 #include <string.h>
44 #include <stdlib.h>
45 #include <stdio.h>
46 #include <time.h>
47
48 static int ssl_parse_client_hello(ssl_context * ssl)
49 {
50 int ret, i, j, n;
51 int ciph_len, sess_len;
52 int chal_len, comp_len;
53 unsigned char *buf, *p;
54
55 SSL_DEBUG_MSG(2, ("=> parse client hello"));
56
57 if ((ret = ssl_fetch_input(ssl, 5)) != 0) {
58 SSL_DEBUG_RET(1, "ssl_fetch_input", ret);
59 return (ret);
60 }
61
62 buf = ssl->in_hdr;
63
64 if ((buf[0] & 0x80) != 0) {
65 SSL_DEBUG_BUF(4, "record header", buf, 5);
66
67 SSL_DEBUG_MSG(3, ("client hello v2, message type: %d", buf[2]));
68 SSL_DEBUG_MSG(3, ("client hello v2, message len.: %d",
69 ((buf[0] & 0x7F) << 8) | buf[1]));
70 SSL_DEBUG_MSG(3, ("client hello v2, max. version: [%d:%d]",
71 buf[3], buf[4]));
72
73 /*
74 * SSLv2 Client Hello
75 *
76 * Record layer:
77 * 0 . 1 message length
78 *
79 * SSL layer:
80 * 2 . 2 message type
81 * 3 . 4 protocol version
82 */
83 if (buf[2] != SSL_HS_CLIENT_HELLO ||
84 buf[3] != SSL_MAJOR_VERSION_3) {
85 SSL_DEBUG_MSG(1, ("bad client hello message"));
86 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
87 }
88
89 n = ((buf[0] << 8) | buf[1]) & 0x7FFF;
90
91 if (n < 17 || n > 512) {
92 SSL_DEBUG_MSG(1, ("bad client hello message"));
93 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
94 }
95
96 ssl->max_major_ver = buf[3];
97 ssl->max_minor_ver = buf[4];
98
99 ssl->major_ver = SSL_MAJOR_VERSION_3;
100 ssl->minor_ver = (buf[4] <= SSL_MINOR_VERSION_1)
101 ? buf[4] : SSL_MINOR_VERSION_1;
102
103 if ((ret = ssl_fetch_input(ssl, 2 + n)) != 0) {
104 SSL_DEBUG_RET(1, "ssl_fetch_input", ret);
105 return (ret);
106 }
107
108 md5_update(&ssl->fin_md5, buf + 2, n);
109 sha1_update(&ssl->fin_sha1, buf + 2, n);
110
111 buf = ssl->in_msg;
112 n = ssl->in_left - 5;
113
114 /*
115 * 0 . 1 cipherlist length
116 * 2 . 3 session id length
117 * 4 . 5 challenge length
118 * 6 . .. cipherlist
119 * .. . .. session id
120 * .. . .. challenge
121 */
122 SSL_DEBUG_BUF(4, "record contents", buf, n);
123
124 ciph_len = (buf[0] << 8) | buf[1];
125 sess_len = (buf[2] << 8) | buf[3];
126 chal_len = (buf[4] << 8) | buf[5];
127
128 SSL_DEBUG_MSG(3, ("ciph_len: %d, sess_len: %d, chal_len: %d",
129 ciph_len, sess_len, chal_len));
130
131 /*
132 * Make sure each parameter length is valid
133 */
134 if (ciph_len < 3 || (ciph_len % 3) != 0) {
135 SSL_DEBUG_MSG(1, ("bad client hello message"));
136 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
137 }
138
139 if (sess_len < 0 || sess_len > 32) {
140 SSL_DEBUG_MSG(1, ("bad client hello message"));
141 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
142 }
143
144 if (chal_len < 8 || chal_len > 32) {
145 SSL_DEBUG_MSG(1, ("bad client hello message"));
146 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
147 }
148
149 if (n != 6 + ciph_len + sess_len + chal_len) {
150 SSL_DEBUG_MSG(1, ("bad client hello message"));
151 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
152 }
153
154 SSL_DEBUG_BUF(3, "client hello, cipherlist", buf + 6, ciph_len);
155 SSL_DEBUG_BUF(3, "client hello, session id",
156 buf + 6 + ciph_len, sess_len);
157 SSL_DEBUG_BUF(3, "client hello, challenge",
158 buf + 6 + ciph_len + sess_len, chal_len);
159
160 p = buf + 6 + ciph_len;
161 ssl->session->length = sess_len;
162 memset(ssl->session->id, 0, sizeof(ssl->session->id));
163 memcpy(ssl->session->id, p, ssl->session->length);
164
165 p += sess_len;
166 memset(ssl->randbytes, 0, 64);
167 memcpy(ssl->randbytes + 32 - chal_len, p, chal_len);
168
169 for (i = 0; ssl->ciphers[i] != 0; i++) {
170 for (j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3) {
171 if (p[0] == 0 &&
172 p[1] == 0 && p[2] == ssl->ciphers[i])
173 goto have_cipher;
174 }
175 }
176 } else {
177 SSL_DEBUG_BUF(4, "record header", buf, 5);
178
179 SSL_DEBUG_MSG(3, ("client hello v3, message type: %d", buf[0]));
180 SSL_DEBUG_MSG(3, ("client hello v3, message len.: %d",
181 (buf[3] << 8) | buf[4]));
182 SSL_DEBUG_MSG(3, ("client hello v3, protocol ver: [%d:%d]",
183 buf[1], buf[2]));
184
185 /*
186 * SSLv3 Client Hello
187 *
188 * Record layer:
189 * 0 . 0 message type
190 * 1 . 2 protocol version
191 * 3 . 4 message length
192 */
193 if (buf[0] != SSL_MSG_HANDSHAKE ||
194 buf[1] != SSL_MAJOR_VERSION_3) {
195 SSL_DEBUG_MSG(1, ("bad client hello message"));
196 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
197 }
198
199 n = (buf[3] << 8) | buf[4];
200
201 if (n < 45 || n > 512) {
202 SSL_DEBUG_MSG(1, ("bad client hello message"));
203 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
204 }
205
206 if ((ret = ssl_fetch_input(ssl, 5 + n)) != 0) {
207 SSL_DEBUG_RET(1, "ssl_fetch_input", ret);
208 return (ret);
209 }
210
211 buf = ssl->in_msg;
212 n = ssl->in_left - 5;
213
214 md5_update(&ssl->fin_md5, buf, n);
215 sha1_update(&ssl->fin_sha1, buf, n);
216
217 /*
218 * SSL layer:
219 * 0 . 0 handshake type
220 * 1 . 3 handshake length
221 * 4 . 5 protocol version
222 * 6 . 9 UNIX time()
223 * 10 . 37 random bytes
224 * 38 . 38 session id length
225 * 39 . 38+x session id
226 * 39+x . 40+x cipherlist length
227 * 41+x . .. cipherlist
228 * .. . .. compression alg.
229 * .. . .. extensions
230 */
231 SSL_DEBUG_BUF(4, "record contents", buf, n);
232
233 SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d",
234 buf[0]));
235 SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %d",
236 (buf[1] << 16) | (buf[2] << 8) | buf[3]));
237 SSL_DEBUG_MSG(3, ("client hello v3, max. version: [%d:%d]",
238 buf[4], buf[5]));
239
240 /*
241 * Check the handshake type and protocol version
242 */
243 if (buf[0] != SSL_HS_CLIENT_HELLO ||
244 buf[4] != SSL_MAJOR_VERSION_3) {
245 SSL_DEBUG_MSG(1, ("bad client hello message"));
246 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
247 }
248
249 ssl->major_ver = SSL_MAJOR_VERSION_3;
250 ssl->minor_ver = (buf[5] <= SSL_MINOR_VERSION_1)
251 ? buf[5] : SSL_MINOR_VERSION_1;
252
253 ssl->max_major_ver = buf[4];
254 ssl->max_minor_ver = buf[5];
255
256 memcpy(ssl->randbytes, buf + 6, 32);
257
258 /*
259 * Check the handshake message length
260 */
261 if (buf[1] != 0 || n != 4 + ((buf[2] << 8) | buf[3])) {
262 SSL_DEBUG_MSG(1, ("bad client hello message"));
263 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
264 }
265
266 /*
267 * Check the session length
268 */
269 sess_len = buf[38];
270
271 if (sess_len < 0 || sess_len > 32) {
272 SSL_DEBUG_MSG(1, ("bad client hello message"));
273 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
274 }
275
276 ssl->session->length = sess_len;
277 memset(ssl->session->id, 0, sizeof(ssl->session->id));
278 memcpy(ssl->session->id, buf + 39, ssl->session->length);
279
280 /*
281 * Check the cipherlist length
282 */
283 ciph_len = (buf[39 + sess_len] << 8)
284 | (buf[40 + sess_len]);
285
286 if (ciph_len < 2 || ciph_len > 256 || (ciph_len % 2) != 0) {
287 SSL_DEBUG_MSG(1, ("bad client hello message"));
288 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
289 }
290
291 /*
292 * Check the compression algorithms length
293 */
294 comp_len = buf[41 + sess_len + ciph_len];
295
296 if (comp_len < 1 || comp_len > 16) {
297 SSL_DEBUG_MSG(1, ("bad client hello message"));
298 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_HELLO);
299 }
300
301 SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 6, 32);
302 SSL_DEBUG_BUF(3, "client hello, session id",
303 buf + 38, sess_len);
304 SSL_DEBUG_BUF(3, "client hello, cipherlist",
305 buf + 41 + sess_len, ciph_len);
306 SSL_DEBUG_BUF(3, "client hello, compression",
307 buf + 42 + sess_len + ciph_len, comp_len);
308
309 /*
310 * Search for a matching cipher
311 */
312 for (i = 0; ssl->ciphers[i] != 0; i++) {
313 for (j = 0, p = buf + 41 + sess_len; j < ciph_len;
314 j += 2, p += 2) {
315 if (p[0] == 0 && p[1] == ssl->ciphers[i])
316 goto have_cipher;
317 }
318 }
319 }
320
321 SSL_DEBUG_MSG(1, ("got no ciphers in common"));
322
323 return (TROPICSSL_ERR_SSL_NO_CIPHER_CHOSEN);
324
325 have_cipher:
326
327 ssl->session->cipher = ssl->ciphers[i];
328 ssl->in_left = 0;
329 ssl->state++;
330
331 SSL_DEBUG_MSG(2, ("<= parse client hello"));
332
333 return (0);
334 }
335
336 static int ssl_write_server_hello(ssl_context * ssl)
337 {
338 time_t t;
339 int ret, i, n;
340 unsigned char *buf, *p;
341
342 SSL_DEBUG_MSG(2, ("=> write server hello"));
343
344 /*
345 * 0 . 0 handshake type
346 * 1 . 3 handshake length
347 * 4 . 5 protocol version
348 * 6 . 9 UNIX time()
349 * 10 . 37 random bytes
350 */
351 buf = ssl->out_msg;
352 p = buf + 4;
353
354 *p++ = (unsigned char)ssl->major_ver;
355 *p++ = (unsigned char)ssl->minor_ver;
356
357 SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
358 buf[4], buf[5]));
359
360 t = time(NULL);
361 *p++ = (unsigned char)(t >> 24);
362 *p++ = (unsigned char)(t >> 16);
363 *p++ = (unsigned char)(t >> 8);
364 *p++ = (unsigned char)(t);
365
366 SSL_DEBUG_MSG(3, ("server hello, current time: %lu", t));
367
368 for (i = 28; i > 0; i--)
369 *p++ = (unsigned char)ssl->f_rng(ssl->p_rng);
370
371 memcpy(ssl->randbytes + 32, buf + 6, 32);
372
373 SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
374
375 /*
376 * 38 . 38 session id length
377 * 39 . 38+n session id
378 * 39+n . 40+n chosen cipher
379 * 41+n . 41+n chosen compression alg.
380 */
381 ssl->session->length = n = 32;
382 *p++ = (unsigned char)ssl->session->length;
383
384 if (ssl->s_get == NULL || ssl->s_get(ssl) != 0) {
385 /*
386 * Not found, create a new session id
387 */
388 ssl->resume = 0;
389 ssl->state++;
390
391 for (i = 0; i < n; i++)
392 ssl->session->id[i] =
393 (unsigned char)ssl->f_rng(ssl->p_rng);
394 } else {
395 /*
396 * Found a matching session, resume it
397 */
398 ssl->resume = 1;
399 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
400 ssl_derive_keys(ssl);
401 }
402
403 memcpy(p, ssl->session->id, ssl->session->length);
404 p += ssl->session->length;
405
406 SSL_DEBUG_MSG(3, ("server hello, session id len.: %d", n));
407 SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
408 SSL_DEBUG_MSG(3, ("%s session has been resumed",
409 ssl->resume ? "a" : "no"));
410
411 *p++ = (unsigned char)(ssl->session->cipher >> 8);
412 *p++ = (unsigned char)(ssl->session->cipher);
413 *p++ = SSL_COMPRESS_NULL;
414
415 SSL_DEBUG_MSG(3, ("server hello, chosen cipher: %d",
416 ssl->session->cipher));
417 SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d", 0));
418
419 ssl->out_msglen = p - buf;
420 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
421 ssl->out_msg[0] = SSL_HS_SERVER_HELLO;
422
423 ret = ssl_write_record(ssl);
424
425 SSL_DEBUG_MSG(2, ("<= write server hello"));
426
427 return (ret);
428 }
429
430 static int ssl_write_certificate_request(ssl_context * ssl)
431 {
432 int ret, n;
433 unsigned char *buf, *p;
434 x509_cert *crt;
435
436 SSL_DEBUG_MSG(2, ("=> write certificate request"));
437
438 ssl->state++;
439
440 if (ssl->authmode == SSL_VERIFY_NONE) {
441 SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
442 return (0);
443 }
444
445 /*
446 * 0 . 0 handshake type
447 * 1 . 3 handshake length
448 * 4 . 4 cert type count
449 * 5 .. n-1 cert types
450 * n .. n+1 length of all DNs
451 * n+2 .. n+3 length of DN 1
452 * n+4 .. ... Distinguished Name #1
453 * ... .. ... length of DN 2, etc.
454 */
455 buf = ssl->out_msg;
456 p = buf + 4;
457
458 /*
459 * At the moment, only RSA certificates are supported
460 */
461 *p++ = 1;
462 *p++ = 1;
463
464 p += 2;
465 crt = ssl->ca_chain;
466
467 while (crt != NULL && crt->next != NULL) {
468 if (p - buf > 4096)
469 break;
470
471 n = crt->subject_raw.len;
472 *p++ = (unsigned char)(n >> 8);
473 *p++ = (unsigned char)(n);
474 memcpy(p, crt->subject_raw.p, n);
475
476 SSL_DEBUG_BUF(3, "requested DN", p, n);
477 p += n;
478 crt = crt->next;
479 }
480
481 ssl->out_msglen = n = p - buf;
482 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
483 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST;
484 ssl->out_msg[6] = (unsigned char)((n - 8) >> 8);
485 ssl->out_msg[7] = (unsigned char)((n - 8));
486
487 ret = ssl_write_record(ssl);
488
489 SSL_DEBUG_MSG(2, ("<= write certificate request"));
490
491 return (ret);
492 }
493
494 static int ssl_write_server_key_exchange(ssl_context * ssl)
495 {
496 int ret, n;
497 unsigned char hash[36];
498 md5_context md5;
499 sha1_context sha1;
500
501 SSL_DEBUG_MSG(2, ("=> write server key exchange"));
502
503 if (ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA &&
504 ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA &&
505 ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_256_SHA) {
506 SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
507 ssl->state++;
508 return (0);
509 }
510 #if !defined(TROPICSSL_DHM_C)
511 SSL_DEBUG_MSG(1, ("support for dhm is not available"));
512 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
513 #else
514 /*
515 * Ephemeral DH parameters:
516 *
517 * struct {
518 * opaque dh_p<1..2^16-1>;
519 * opaque dh_g<1..2^16-1>;
520 * opaque dh_Ys<1..2^16-1>;
521 * } ServerDHParams;
522 */
523 if ((ret = dhm_make_params(&ssl->dhm_ctx, 256, ssl->out_msg + 4,
524 &n, ssl->f_rng, ssl->p_rng)) != 0) {
525 SSL_DEBUG_RET(1, "dhm_make_params", ret);
526 return (ret);
527 }
528
529 SSL_DEBUG_MPI(3, "DHM: X ", &ssl->dhm_ctx.X);
530 SSL_DEBUG_MPI(3, "DHM: P ", &ssl->dhm_ctx.P);
531 SSL_DEBUG_MPI(3, "DHM: G ", &ssl->dhm_ctx.G);
532 SSL_DEBUG_MPI(3, "DHM: GX", &ssl->dhm_ctx.GX);
533
534 /*
535 * digitally-signed struct {
536 * opaque md5_hash[16];
537 * opaque sha_hash[20];
538 * };
539 *
540 * md5_hash
541 * MD5(ClientHello.random + ServerHello.random
542 * + ServerParams);
543 * sha_hash
544 * SHA(ClientHello.random + ServerHello.random
545 * + ServerParams);
546 */
547 md5_starts(&md5);
548 md5_update(&md5, ssl->randbytes, 64);
549 md5_update(&md5, ssl->out_msg + 4, n);
550 md5_finish(&md5, hash);
551
552 sha1_starts(&sha1);
553 sha1_update(&sha1, ssl->randbytes, 64);
554 sha1_update(&sha1, ssl->out_msg + 4, n);
555 sha1_finish(&sha1, hash + 16);
556
557 SSL_DEBUG_BUF(3, "parameters hash", hash, 36);
558
559 ssl->out_msg[4 + n] = (unsigned char)(ssl->rsa_key->len >> 8);
560 ssl->out_msg[5 + n] = (unsigned char)(ssl->rsa_key->len);
561
562 ret = rsa_pkcs1_sign(ssl->rsa_key, RSA_PRIVATE,
563 RSA_RAW, 36, hash, ssl->out_msg + 6 + n);
564 if (ret != 0) {
565 SSL_DEBUG_RET(1, "rsa_pkcs1_sign", ret);
566 return (ret);
567 }
568
569 SSL_DEBUG_BUF(3, "my RSA sig", ssl->out_msg + 6 + n, ssl->rsa_key->len);
570
571 ssl->out_msglen = 6 + n + ssl->rsa_key->len;
572 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
573 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
574
575 ssl->state++;
576
577 if ((ret = ssl_write_record(ssl)) != 0) {
578 SSL_DEBUG_RET(1, "ssl_write_record", ret);
579 return (ret);
580 }
581
582 SSL_DEBUG_MSG(2, ("<= write server key exchange"));
583
584 return (0);
585 #endif
586 }
587
588 static int ssl_write_server_hello_done(ssl_context * ssl)
589 {
590 int ret;
591
592 SSL_DEBUG_MSG(2, ("=> write server hello done"));
593
594 ssl->out_msglen = 4;
595 ssl->out_msgtype = SSL_MSG_HANDSHAKE;
596 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE;
597
598 ssl->state++;
599
600 if ((ret = ssl_write_record(ssl)) != 0) {
601 SSL_DEBUG_RET(1, "ssl_write_record", ret);
602 return (ret);
603 }
604
605 SSL_DEBUG_MSG(2, ("<= write server hello done"));
606
607 return (0);
608 }
609
610 static int ssl_parse_client_key_exchange(ssl_context * ssl)
611 {
612 int ret, i, n;
613
614 SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
615
616 if ((ret = ssl_read_record(ssl)) != 0) {
617 SSL_DEBUG_RET(1, "ssl_read_record", ret);
618 return (ret);
619 }
620
621 if (ssl->in_msgtype != SSL_MSG_HANDSHAKE) {
622 SSL_DEBUG_MSG(1, ("bad client key exchange message"));
623 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
624 }
625
626 if (ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE) {
627 SSL_DEBUG_MSG(1, ("bad client key exchange message"));
628 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
629 }
630
631 if (ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA ||
632 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA ||
633 ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA) {
634 #if !defined(TROPICSSL_DHM_C)
635 SSL_DEBUG_MSG(1, ("support for dhm is not available"));
636 return (TROPICSSL_ERR_SSL_FEATURE_UNAVAILABLE);
637 #else
638 /*
639 * Receive G^Y mod P, premaster = (G^Y)^X mod P
640 */
641 n = (ssl->in_msg[4] << 8) | ssl->in_msg[5];
642
643 if (n < 1 || n > ssl->dhm_ctx.len || n + 6 != ssl->in_hslen) {
644 SSL_DEBUG_MSG(1, ("bad client key exchange message"));
645 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
646 }
647
648 if ((ret = dhm_read_public(&ssl->dhm_ctx,
649 ssl->in_msg + 6, n)) != 0) {
650 SSL_DEBUG_RET(1, "dhm_read_public", ret);
651 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE |
652 ret);
653 }
654
655 SSL_DEBUG_MPI(3, "DHM: GY", &ssl->dhm_ctx.GY);
656
657 ssl->pmslen = ssl->dhm_ctx.len;
658
659 if ((ret = dhm_calc_secret(&ssl->dhm_ctx,
660 ssl->premaster,
661 &ssl->pmslen)) != 0) {
662 SSL_DEBUG_RET(1, "dhm_calc_secret", ret);
663 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE |
664 ret);
665 }
666
667 SSL_DEBUG_MPI(3, "DHM: K ", &ssl->dhm_ctx.K);
668 #endif
669 } else {
670 /*
671 * Decrypt the premaster using own private RSA key
672 */
673 i = 4;
674 n = ssl->rsa_key->len;
675 ssl->pmslen = 48;
676
677 if (ssl->minor_ver != SSL_MINOR_VERSION_0) {
678 i += 2;
679 if (ssl->in_msg[4] != ((n >> 8) & 0xFF) ||
680 ssl->in_msg[5] != ((n) & 0xFF)) {
681 SSL_DEBUG_MSG(1,
682 ("bad client key exchange message"));
683 return
684 (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
685 }
686 }
687
688 if (ssl->in_hslen != i + n) {
689 SSL_DEBUG_MSG(1, ("bad client key exchange message"));
690 return (TROPICSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
691 }
692
693 ret = rsa_pkcs1_decrypt(ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen,
694 ssl->in_msg + i, ssl->premaster,
695 sizeof(ssl->premaster));
696
697 if (ret != 0 || ssl->pmslen != 48 ||
698 ssl->premaster[0] != ssl->max_major_ver ||
699 ssl->premaster[1] != ssl->max_minor_ver) {
700 SSL_DEBUG_MSG(1, ("bad client key exchange message"));
701
702 /*
703 * Protection against Bleichenbacher's attack:
704 * invalid PKCS#1 v1.5 padding must not cause
705 * the connection to end immediately; instead,
706 * send a bad_record_mac later in the handshake.
707 */
708 ssl->pmslen = 48;
709
710 for (i = 0; i < ssl->pmslen; i++)
711 ssl->premaster[i] =
712 (unsigned char)ssl->f_rng(ssl->p_rng);
713 }
714 }
715
716 ssl_derive_keys(ssl);
717
718 if (ssl->s_set != NULL)
719 ssl->s_set(ssl);
720
721 ssl->state++;
722
723 SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
724
725 return (0);
726 }
727
728 static int ssl_parse_certificate_verify(ssl_context * ssl)
729 {
730 int n1, n2, ret;
731 unsigned char hash[36];
732
733 SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
734
735 if (ssl->peer_cert == NULL) {
736 SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
737 ssl->state++;
738 return (0);
739 }
740
741 ssl_calc_verify(ssl, hash);
742
743 if ((ret = ssl_read_record(ssl)) != 0) {
744 SSL_DEBUG_RET(1, "ssl_read_record", ret);
745 return (ret);
746 }
747
748 ssl->state++;
749
750 if (ssl->in_msgtype != SSL_MSG_HANDSHAKE) {
751 SSL_DEBUG_MSG(1, ("bad certificate verify message"));
752 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
753 }
754
755 if (ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY) {
756 SSL_DEBUG_MSG(1, ("bad certificate verify message"));
757 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
758 }
759
760 n1 = ssl->peer_cert->rsa.len;
761 n2 = (ssl->in_msg[4] << 8) | ssl->in_msg[5];
762
763 if (n1 + 6 != ssl->in_hslen || n1 != n2) {
764 SSL_DEBUG_MSG(1, ("bad certificate verify message"));
765 return (TROPICSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
766 }
767
768 ret = rsa_pkcs1_verify(&ssl->peer_cert->rsa, RSA_PUBLIC,
769 RSA_RAW, 36, hash, ssl->in_msg + 6);
770 if (ret != 0) {
771 SSL_DEBUG_RET(1, "rsa_pkcs1_verify", ret);
772 return (ret);
773 }
774
775 SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
776
777 return (0);
778 }
779
780 /*
781 * SSL handshake -- server side
782 */
783 int ssl_handshake_server(ssl_context * ssl)
784 {
785 int ret = 0;
786
787 SSL_DEBUG_MSG(2, ("=> handshake server"));
788
789 while (ssl->state != SSL_HANDSHAKE_OVER) {
790 SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
791
792 if ((ret = ssl_flush_output(ssl)) != 0)
793 break;
794
795 switch (ssl->state) {
796 case SSL_HELLO_REQUEST:
797 ssl->state = SSL_CLIENT_HELLO;
798 break;
799
800 /*
801 * <== ClientHello
802 */
803 case SSL_CLIENT_HELLO:
804 ret = ssl_parse_client_hello(ssl);
805 break;
806
807 /*
808 * ==> ServerHello
809 * Certificate
810 * ( ServerKeyExchange )
811 * ( CertificateRequest )
812 * ServerHelloDone
813 */
814 case SSL_SERVER_HELLO:
815 ret = ssl_write_server_hello(ssl);
816 break;
817
818 case SSL_SERVER_CERTIFICATE:
819 ret = ssl_write_certificate(ssl);
820 break;
821
822 case SSL_SERVER_KEY_EXCHANGE:
823 ret = ssl_write_server_key_exchange(ssl);
824 break;
825
826 case SSL_CERTIFICATE_REQUEST:
827 ret = ssl_write_certificate_request(ssl);
828 break;
829
830 case SSL_SERVER_HELLO_DONE:
831 ret = ssl_write_server_hello_done(ssl);
832 break;
833
834 /*
835 * <== ( Certificate/Alert )
836 * ClientKeyExchange
837 * ( CertificateVerify )
838 * ChangeCipherSpec
839 * Finished
840 */
841 case SSL_CLIENT_CERTIFICATE:
842 ret = ssl_parse_certificate(ssl);
843 break;
844
845 case SSL_CLIENT_KEY_EXCHANGE:
846 ret = ssl_parse_client_key_exchange(ssl);
847 break;
848
849 case SSL_CERTIFICATE_VERIFY:
850 ret = ssl_parse_certificate_verify(ssl);
851 break;
852
853 case SSL_CLIENT_CHANGE_CIPHER_SPEC:
854 ret = ssl_parse_change_cipher_spec(ssl);
855 break;
856
857 case SSL_CLIENT_FINISHED:
858 ret = ssl_parse_finished(ssl);
859 break;
860
861 /*
862 * ==> ChangeCipherSpec
863 * Finished
864 */
865 case SSL_SERVER_CHANGE_CIPHER_SPEC:
866 ret = ssl_write_change_cipher_spec(ssl);
867 break;
868
869 case SSL_SERVER_FINISHED:
870 ret = ssl_write_finished(ssl);
871 break;
872
873 case SSL_FLUSH_BUFFERS:
874 SSL_DEBUG_MSG(2, ("handshake: done"));
875 ssl->state = SSL_HANDSHAKE_OVER;
876 break;
877
878 default:
879 SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
880 return (TROPICSSL_ERR_SSL_BAD_INPUT_DATA);
881 }
882
883 if (ret != 0)
884 break;
885 }
886
887 SSL_DEBUG_MSG(2, ("<= handshake server"));
888
889 return (ret);
890 }
891
892 #endif
fork of last BSD polarssl