00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2007 Christophe Devine 00005 * 00006 * This program is free software; you can redistribute it and/or modify 00007 * it under the terms of the GNU General Public License as published by 00008 * the Free Software Foundation; either version 2 of the License, or 00009 * (at your option) any later version. 00010 * 00011 * This program is distributed in the hope that it will be useful, 00012 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00013 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00014 * GNU General Public License for more details. 00015 * 00016 * You should have received a copy of the GNU General Public License along 00017 * with this program; if not, write to the Free Software Foundation, Inc., 00018 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 00019 */ 00020 00021 #include "xyssl/config.h" 00022 00023 #if defined(XYSSL_SSL_SRV_C) 00024 00025 #include "xyssl/debug.h" 00026 #include "xyssl/ssl.h" 00027 00028 #include <string.h> 00029 #include <stdlib.h> 00030 #include <stdio.h> 00031 #include <time.h> 00032 00033 static int ssl_parse_client_hello( ssl_context *ssl ) 00034 { 00035 int ret, i, j, n; 00036 int ciph_len, sess_len; 00037 int chal_len, comp_len; 00038 unsigned char *buf, *p; 00039 00040 SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 00041 00042 if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 ) 00043 { 00044 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 00045 return( ret ); 00046 } 00047 00048 buf = ssl->in_hdr; 00049 00050 if( ( buf[0] & 0x80 ) != 0 ) 00051 { 00052 SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00053 00054 SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 00055 buf[2] ) ); 00056 SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 00057 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 00058 SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 00059 buf[3], buf[4] ) ); 00060 00061 /* 00062 * SSLv2 Client Hello 00063 * 00064 * Record layer: 00065 * 0 . 1 message length 00066 * 00067 * SSL layer: 00068 * 2 . 2 message type 00069 * 3 . 4 protocol version 00070 */ 00071 if( buf[2] != SSL_HS_CLIENT_HELLO || 00072 buf[3] != SSL_MAJOR_VERSION_3 ) 00073 { 00074 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00075 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00076 } 00077 00078 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 00079 00080 if( n < 17 || n > 512 ) 00081 { 00082 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00083 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00084 } 00085 00086 ssl->max_major_ver = buf[3]; 00087 ssl->max_minor_ver = buf[4]; 00088 00089 ssl->major_ver = SSL_MAJOR_VERSION_3; 00090 ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_1 ) 00091 ? buf[4] : SSL_MINOR_VERSION_1; 00092 00093 if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 ) 00094 { 00095 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 00096 return( ret ); 00097 } 00098 00099 md5_update( &ssl->fin_md5 , buf + 2, n ); 00100 sha1_update( &ssl->fin_sha1, buf + 2, n ); 00101 00102 buf = ssl->in_msg; 00103 n = ssl->in_left - 5; 00104 00105 /* 00106 * 0 . 1 cipherlist length 00107 * 2 . 3 session id length 00108 * 4 . 5 challenge length 00109 * 6 . .. cipherlist 00110 * .. . .. session id 00111 * .. . .. challenge 00112 */ 00113 SSL_DEBUG_BUF( 4, "record contents", buf, n ); 00114 00115 ciph_len = ( buf[0] << 8 ) | buf[1]; 00116 sess_len = ( buf[2] << 8 ) | buf[3]; 00117 chal_len = ( buf[4] << 8 ) | buf[5]; 00118 00119 SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 00120 ciph_len, sess_len, chal_len ) ); 00121 00122 /* 00123 * Make sure each parameter length is valid 00124 */ 00125 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 00126 { 00127 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00128 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00129 } 00130 00131 if( sess_len < 0 || sess_len > 32 ) 00132 { 00133 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00134 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00135 } 00136 00137 if( chal_len < 8 || chal_len > 32 ) 00138 { 00139 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00140 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00141 } 00142 00143 if( n != 6 + ciph_len + sess_len + chal_len ) 00144 { 00145 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00146 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00147 } 00148 00149 SSL_DEBUG_BUF( 3, "client hello, cipherlist", 00150 buf + 6, ciph_len ); 00151 SSL_DEBUG_BUF( 3, "client hello, session id", 00152 buf + 6 + ciph_len, sess_len ); 00153 SSL_DEBUG_BUF( 3, "client hello, challenge", 00154 buf + 6 + ciph_len + sess_len, chal_len ); 00155 00156 p = buf + 6 + ciph_len; 00157 ssl->session->length = sess_len; 00158 memset( ssl->session->id, 0, sizeof( ssl->session->id ) ); 00159 memcpy( ssl->session->id, p, ssl->session->length ); 00160 00161 p += sess_len; 00162 memset( ssl->randbytes, 0, 64 ); 00163 memcpy( ssl->randbytes + 32 - chal_len, p, chal_len ); 00164 00165 for( i = 0; ssl->ciphers[i] != 0; i++ ) 00166 { 00167 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 00168 { 00169 if( p[0] == 0 && 00170 p[1] == 0 && 00171 p[2] == ssl->ciphers[i] ) 00172 goto have_cipher; 00173 } 00174 } 00175 } 00176 else 00177 { 00178 SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00179 00180 SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 00181 buf[0] ) ); 00182 SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 00183 ( buf[3] << 8 ) | buf[4] ) ); 00184 SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]", 00185 buf[1], buf[2] ) ); 00186 00187 /* 00188 * SSLv3 Client Hello 00189 * 00190 * Record layer: 00191 * 0 . 0 message type 00192 * 1 . 2 protocol version 00193 * 3 . 4 message length 00194 */ 00195 if( buf[0] != SSL_MSG_HANDSHAKE || 00196 buf[1] != SSL_MAJOR_VERSION_3 ) 00197 { 00198 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00199 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00200 } 00201 00202 n = ( buf[3] << 8 ) | buf[4]; 00203 00204 if( n < 45 || n > 512 ) 00205 { 00206 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00207 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00208 } 00209 00210 if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 ) 00211 { 00212 SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); 00213 return( ret ); 00214 } 00215 00216 buf = ssl->in_msg; 00217 n = ssl->in_left - 5; 00218 00219 md5_update( &ssl->fin_md5 , buf, n ); 00220 sha1_update( &ssl->fin_sha1, buf, n ); 00221 00222 /* 00223 * SSL layer: 00224 * 0 . 0 handshake type 00225 * 1 . 3 handshake length 00226 * 4 . 5 protocol version 00227 * 6 . 9 UNIX time() 00228 * 10 . 37 random bytes 00229 * 38 . 38 session id length 00230 * 39 . 38+x session id 00231 * 39+x . 40+x cipherlist length 00232 * 41+x . .. cipherlist 00233 * .. . .. compression alg. 00234 * .. . .. extensions 00235 */ 00236 SSL_DEBUG_BUF( 4, "record contents", buf, n ); 00237 00238 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", 00239 buf[0] ) ); 00240 SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 00241 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 00242 SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]", 00243 buf[4], buf[5] ) ); 00244 00245 /* 00246 * Check the handshake type and protocol version 00247 */ 00248 if( buf[0] != SSL_HS_CLIENT_HELLO || 00249 buf[4] != SSL_MAJOR_VERSION_3 ) 00250 { 00251 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00252 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00253 } 00254 00255 ssl->major_ver = SSL_MAJOR_VERSION_3; 00256 ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_1 ) 00257 ? buf[5] : SSL_MINOR_VERSION_1; 00258 00259 ssl->max_major_ver = buf[4]; 00260 ssl->max_minor_ver = buf[5]; 00261 00262 memcpy( ssl->randbytes, buf + 6, 32 ); 00263 00264 /* 00265 * Check the handshake message length 00266 */ 00267 if( buf[1] != 0 || n != 4 + ( ( buf[2] << 8 ) | buf[3] ) ) 00268 { 00269 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00270 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00271 } 00272 00273 /* 00274 * Check the session length 00275 */ 00276 sess_len = buf[38]; 00277 00278 if( sess_len < 0 || sess_len > 32 ) 00279 { 00280 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00281 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00282 } 00283 00284 ssl->session->length = sess_len; 00285 memset( ssl->session->id, 0, sizeof( ssl->session->id ) ); 00286 memcpy( ssl->session->id, buf + 39 , ssl->session->length ); 00287 00288 /* 00289 * Check the cipherlist length 00290 */ 00291 ciph_len = ( buf[39 + sess_len] << 8 ) 00292 | ( buf[40 + sess_len] ); 00293 00294 if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 ) 00295 { 00296 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00297 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00298 } 00299 00300 /* 00301 * Check the compression algorithms length 00302 */ 00303 comp_len = buf[41 + sess_len + ciph_len]; 00304 00305 if( comp_len < 1 || comp_len > 16 ) 00306 { 00307 SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00308 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00309 } 00310 00311 SSL_DEBUG_BUF( 3, "client hello, random bytes", 00312 buf + 6, 32 ); 00313 SSL_DEBUG_BUF( 3, "client hello, session id", 00314 buf + 38, sess_len ); 00315 SSL_DEBUG_BUF( 3, "client hello, cipherlist", 00316 buf + 41 + sess_len, ciph_len ); 00317 SSL_DEBUG_BUF( 3, "client hello, compression", 00318 buf + 42 + sess_len + ciph_len, comp_len ); 00319 00320 /* 00321 * Search for a matching cipher 00322 */ 00323 for( i = 0; ssl->ciphers[i] != 0; i++ ) 00324 { 00325 for( j = 0, p = buf + 41 + sess_len; j < ciph_len; 00326 j += 2, p += 2 ) 00327 { 00328 if( p[0] == 0 && p[1] == ssl->ciphers[i] ) 00329 goto have_cipher; 00330 } 00331 } 00332 } 00333 00334 SSL_DEBUG_MSG( 1, ( "got no ciphers in common" ) ); 00335 00336 return( XYSSL_ERR_SSL_NO_CIPHER_CHOSEN ); 00337 00338 have_cipher: 00339 00340 ssl->session->cipher = ssl->ciphers[i]; 00341 ssl->in_left = 0; 00342 ssl->state++; 00343 00344 SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 00345 00346 return( 0 ); 00347 } 00348 00349 static int ssl_write_server_hello( ssl_context *ssl ) 00350 { 00351 time_t t; 00352 int ret, i, n; 00353 unsigned char *buf, *p; 00354 00355 SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 00356 00357 /* 00358 * 0 . 0 handshake type 00359 * 1 . 3 handshake length 00360 * 4 . 5 protocol version 00361 * 6 . 9 UNIX time() 00362 * 10 . 37 random bytes 00363 */ 00364 buf = ssl->out_msg; 00365 p = buf + 4; 00366 00367 *p++ = (unsigned char) ssl->major_ver; 00368 *p++ = (unsigned char) ssl->minor_ver; 00369 00370 SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 00371 buf[4], buf[5] ) ); 00372 00373 t = time( NULL ); 00374 *p++ = (unsigned char)( t >> 24 ); 00375 *p++ = (unsigned char)( t >> 16 ); 00376 *p++ = (unsigned char)( t >> 8 ); 00377 *p++ = (unsigned char)( t ); 00378 00379 SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 00380 00381 for( i = 28; i > 0; i-- ) 00382 *p++ = (unsigned char) ssl->f_rng( ssl->p_rng ); 00383 00384 memcpy( ssl->randbytes + 32, buf + 6, 32 ); 00385 00386 SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 00387 00388 /* 00389 * 38 . 38 session id length 00390 * 39 . 38+n session id 00391 * 39+n . 40+n chosen cipher 00392 * 41+n . 41+n chosen compression alg. 00393 */ 00394 ssl->session->length = n = 32; 00395 *p++ = (unsigned char) ssl->session->length; 00396 00397 if( ssl->s_get == NULL || 00398 ssl->s_get( ssl ) != 0 ) 00399 { 00400 /* 00401 * Not found, create a new session id 00402 */ 00403 ssl->resume = 0; 00404 ssl->state++; 00405 00406 for( i = 0; i < n; i++ ) 00407 ssl->session->id[i] = 00408 (unsigned char) ssl->f_rng( ssl->p_rng ); 00409 } 00410 else 00411 { 00412 /* 00413 * Found a matching session, resume it 00414 */ 00415 ssl->resume = 1; 00416 ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC; 00417 ssl_derive_keys( ssl ); 00418 } 00419 00420 memcpy( p, ssl->session->id, ssl->session->length ); 00421 p += ssl->session->length; 00422 00423 SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 00424 SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 00425 SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 00426 ssl->resume ? "a" : "no" ) ); 00427 00428 *p++ = (unsigned char)( ssl->session->cipher >> 8 ); 00429 *p++ = (unsigned char)( ssl->session->cipher ); 00430 *p++ = SSL_COMPRESS_NULL; 00431 00432 SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d", 00433 ssl->session->cipher ) ); 00434 SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) ); 00435 00436 ssl->out_msglen = p - buf; 00437 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00438 ssl->out_msg[0] = SSL_HS_SERVER_HELLO; 00439 00440 ret = ssl_write_record( ssl ); 00441 00442 SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 00443 00444 return( ret ); 00445 } 00446 00447 static int ssl_write_certificate_request( ssl_context *ssl ) 00448 { 00449 int ret, n; 00450 unsigned char *buf, *p; 00451 x509_cert *crt; 00452 00453 SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 00454 00455 ssl->state++; 00456 00457 if( ssl->authmode == SSL_VERIFY_NONE ) 00458 { 00459 SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 00460 return( 0 ); 00461 } 00462 00463 /* 00464 * 0 . 0 handshake type 00465 * 1 . 3 handshake length 00466 * 4 . 4 cert type count 00467 * 5 .. n-1 cert types 00468 * n .. n+1 length of all DNs 00469 * n+2 .. n+3 length of DN 1 00470 * n+4 .. ... Distinguished Name #1 00471 * ... .. ... length of DN 2, etc. 00472 */ 00473 buf = ssl->out_msg; 00474 p = buf + 4; 00475 00476 /* 00477 * At the moment, only RSA certificates are supported 00478 */ 00479 *p++ = 1; 00480 *p++ = 1; 00481 00482 p += 2; 00483 crt = ssl->ca_chain; 00484 00485 while( crt != NULL && crt->next != NULL ) 00486 { 00487 if( p - buf > 4096 ) 00488 break; 00489 00490 n = crt->subject_raw.len; 00491 *p++ = (unsigned char)( n >> 8 ); 00492 *p++ = (unsigned char)( n ); 00493 memcpy( p, crt->subject_raw.p, n ); 00494 00495 SSL_DEBUG_BUF( 3, "requested DN", p, n ); 00496 p += n; crt = crt->next; 00497 } 00498 00499 ssl->out_msglen = n = p - buf; 00500 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00501 ssl->out_msg[0] = SSL_HS_CERTIFICATE_REQUEST; 00502 ssl->out_msg[6] = (unsigned char)( ( n - 8 ) >> 8 ); 00503 ssl->out_msg[7] = (unsigned char)( ( n - 8 ) ); 00504 00505 ret = ssl_write_record( ssl ); 00506 00507 SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 00508 00509 return( ret ); 00510 } 00511 00512 static int ssl_write_server_key_exchange( ssl_context *ssl ) 00513 { 00514 int ret, n; 00515 unsigned char hash[36]; 00516 md5_context md5; 00517 sha1_context sha1; 00518 00519 SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 00520 00521 if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA && 00522 ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA ) 00523 { 00524 SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 00525 ssl->state++; 00526 return( 0 ); 00527 } 00528 00529 #if !defined(XYSSL_DHM_C) 00530 SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) ); 00531 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00532 #else 00533 /* 00534 * Ephemeral DH parameters: 00535 * 00536 * struct { 00537 * opaque dh_p<1..2^16-1>; 00538 * opaque dh_g<1..2^16-1>; 00539 * opaque dh_Ys<1..2^16-1>; 00540 * } ServerDHParams; 00541 */ 00542 if( ( ret = dhm_make_params( &ssl->dhm_ctx, 256, ssl->out_msg + 4, 00543 &n, ssl->f_rng, ssl->p_rng ) ) != 0 ) 00544 { 00545 SSL_DEBUG_RET( 1, "dhm_make_params", ret ); 00546 return( ret ); 00547 } 00548 00549 SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X ); 00550 SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P ); 00551 SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G ); 00552 SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX ); 00553 00554 /* 00555 * digitally-signed struct { 00556 * opaque md5_hash[16]; 00557 * opaque sha_hash[20]; 00558 * }; 00559 * 00560 * md5_hash 00561 * MD5(ClientHello.random + ServerHello.random 00562 * + ServerParams); 00563 * sha_hash 00564 * SHA(ClientHello.random + ServerHello.random 00565 * + ServerParams); 00566 */ 00567 md5_starts( &md5 ); 00568 md5_update( &md5, ssl->randbytes, 64 ); 00569 md5_update( &md5, ssl->out_msg + 4, n ); 00570 md5_finish( &md5, hash ); 00571 00572 sha1_starts( &sha1 ); 00573 sha1_update( &sha1, ssl->randbytes, 64 ); 00574 sha1_update( &sha1, ssl->out_msg + 4, n ); 00575 sha1_finish( &sha1, hash + 16 ); 00576 00577 SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 ); 00578 00579 ssl->out_msg[4 + n] = (unsigned char)( ssl->rsa_key->len >> 8 ); 00580 ssl->out_msg[5 + n] = (unsigned char)( ssl->rsa_key->len ); 00581 00582 ret = rsa_pkcs1_sign( ssl->rsa_key, RSA_PRIVATE, 00583 RSA_RAW, 36, hash, ssl->out_msg + 6 + n ); 00584 if( ret != 0 ) 00585 { 00586 SSL_DEBUG_RET( 1, "rsa_pkcs1_sign", ret ); 00587 return( ret ); 00588 } 00589 00590 SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, 00591 ssl->rsa_key->len ); 00592 00593 ssl->out_msglen = 6 + n + ssl->rsa_key->len; 00594 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00595 ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE; 00596 00597 ssl->state++; 00598 00599 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 00600 { 00601 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 00602 return( ret ); 00603 } 00604 00605 SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 00606 00607 return( 0 ); 00608 #endif 00609 } 00610 00611 static int ssl_write_server_hello_done( ssl_context *ssl ) 00612 { 00613 int ret; 00614 00615 SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 00616 00617 ssl->out_msglen = 4; 00618 ssl->out_msgtype = SSL_MSG_HANDSHAKE; 00619 ssl->out_msg[0] = SSL_HS_SERVER_HELLO_DONE; 00620 00621 ssl->state++; 00622 00623 if( ( ret = ssl_write_record( ssl ) ) != 0 ) 00624 { 00625 SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 00626 return( ret ); 00627 } 00628 00629 SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 00630 00631 return( 0 ); 00632 } 00633 00634 static int ssl_parse_client_key_exchange( ssl_context *ssl ) 00635 { 00636 int ret, i, n; 00637 00638 SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 00639 00640 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 00641 { 00642 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 00643 return( ret ); 00644 } 00645 00646 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 00647 { 00648 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00649 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00650 } 00651 00652 if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE ) 00653 { 00654 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00655 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00656 } 00657 00658 if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA || 00659 ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA ) 00660 { 00661 #if !defined(XYSSL_DHM_C) 00662 SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) ); 00663 return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE ); 00664 #else 00665 /* 00666 * Receive G^Y mod P, premaster = (G^Y)^X mod P 00667 */ 00668 n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 00669 00670 if( n < 1 || n > ssl->dhm_ctx.len || 00671 n + 6 != ssl->in_hslen ) 00672 { 00673 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00674 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00675 } 00676 00677 if( ( ret = dhm_read_public( &ssl->dhm_ctx, 00678 ssl->in_msg + 6, n ) ) != 0 ) 00679 { 00680 SSL_DEBUG_RET( 1, "dhm_read_public", ret ); 00681 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE | ret ); 00682 } 00683 00684 SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY ); 00685 00686 ssl->pmslen = ssl->dhm_ctx.len; 00687 00688 if( ( ret = dhm_calc_secret( &ssl->dhm_ctx, 00689 ssl->premaster, &ssl->pmslen ) ) != 0 ) 00690 { 00691 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret ); 00692 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE | ret ); 00693 } 00694 00695 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K ); 00696 #endif 00697 } 00698 else 00699 { 00700 /* 00701 * Decrypt the premaster using own private RSA key 00702 */ 00703 i = 4; 00704 n = ssl->rsa_key->len; 00705 ssl->pmslen = 48; 00706 00707 if( ssl->minor_ver != SSL_MINOR_VERSION_0 ) 00708 { 00709 i += 2; 00710 if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) || 00711 ssl->in_msg[5] != ( ( n ) & 0xFF ) ) 00712 { 00713 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00714 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00715 } 00716 } 00717 00718 if( ssl->in_hslen != i + n ) 00719 { 00720 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00721 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 00722 } 00723 00724 ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen, 00725 ssl->in_msg + i, ssl->premaster ); 00726 00727 if( ret != 0 || ssl->pmslen != 48 || 00728 ssl->premaster[0] != ssl->max_major_ver || 00729 ssl->premaster[1] != ssl->max_minor_ver ) 00730 { 00731 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 00732 00733 /* 00734 * Protection against Bleichenbacher's attack: 00735 * invalid PKCS#1 v1.5 padding must not cause 00736 * the connection to end immediately; instead, 00737 * send a bad_record_mac later in the handshake. 00738 */ 00739 ssl->pmslen = 48; 00740 00741 for( i = 0; i < ssl->pmslen; i++ ) 00742 ssl->premaster[i] = (unsigned char) ssl->f_rng( ssl->p_rng ); 00743 } 00744 } 00745 00746 ssl_derive_keys( ssl ); 00747 00748 if( ssl->s_set != NULL ) 00749 ssl->s_set( ssl ); 00750 00751 ssl->state++; 00752 00753 SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 00754 00755 return( 0 ); 00756 } 00757 00758 static int ssl_parse_certificate_verify( ssl_context *ssl ) 00759 { 00760 int n1, n2, ret; 00761 unsigned char hash[36]; 00762 00763 SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 00764 00765 if( ssl->peer_cert == NULL ) 00766 { 00767 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 00768 ssl->state++; 00769 return( 0 ); 00770 } 00771 00772 ssl_calc_verify( ssl, hash ); 00773 00774 if( ( ret = ssl_read_record( ssl ) ) != 0 ) 00775 { 00776 SSL_DEBUG_RET( 1, "ssl_read_record", ret ); 00777 return( ret ); 00778 } 00779 00780 ssl->state++; 00781 00782 if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) 00783 { 00784 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 00785 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 00786 } 00787 00788 if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY ) 00789 { 00790 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 00791 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 00792 } 00793 00794 n1 = ssl->peer_cert->rsa.len; 00795 n2 = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 00796 00797 if( n1 + 6 != ssl->in_hslen || n1 != n2 ) 00798 { 00799 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 00800 return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 00801 } 00802 00803 ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC, 00804 RSA_RAW, 36, hash, ssl->in_msg + 6 ); 00805 if( ret != 0 ) 00806 { 00807 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret ); 00808 return( ret ); 00809 } 00810 00811 SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 00812 00813 return( 0 ); 00814 } 00815 00816 /* 00817 * SSL handshake -- server side 00818 */ 00819 int ssl_handshake_server( ssl_context *ssl ) 00820 { 00821 int ret = 0; 00822 00823 SSL_DEBUG_MSG( 2, ( "=> handshake server" ) ); 00824 00825 while( ssl->state != SSL_HANDSHAKE_OVER ) 00826 { 00827 SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 00828 00829 if( ( ret = ssl_flush_output( ssl ) ) != 0 ) 00830 break; 00831 00832 switch( ssl->state ) 00833 { 00834 case SSL_HELLO_REQUEST: 00835 ssl->state = SSL_CLIENT_HELLO; 00836 break; 00837 00838 /* 00839 * <== ClientHello 00840 */ 00841 case SSL_CLIENT_HELLO: 00842 ret = ssl_parse_client_hello( ssl ); 00843 break; 00844 00845 /* 00846 * ==> ServerHello 00847 * Certificate 00848 * ( ServerKeyExchange ) 00849 * ( CertificateRequest ) 00850 * ServerHelloDone 00851 */ 00852 case SSL_SERVER_HELLO: 00853 ret = ssl_write_server_hello( ssl ); 00854 break; 00855 00856 case SSL_SERVER_CERTIFICATE: 00857 ret = ssl_write_certificate( ssl ); 00858 break; 00859 00860 case SSL_SERVER_KEY_EXCHANGE: 00861 ret = ssl_write_server_key_exchange( ssl ); 00862 break; 00863 00864 case SSL_CERTIFICATE_REQUEST: 00865 ret = ssl_write_certificate_request( ssl ); 00866 break; 00867 00868 case SSL_SERVER_HELLO_DONE: 00869 ret = ssl_write_server_hello_done( ssl ); 00870 break; 00871 00872 /* 00873 * <== ( Certificate/Alert ) 00874 * ClientKeyExchange 00875 * ( CertificateVerify ) 00876 * ChangeCipherSpec 00877 * Finished 00878 */ 00879 case SSL_CLIENT_CERTIFICATE: 00880 ret = ssl_parse_certificate( ssl ); 00881 break; 00882 00883 case SSL_CLIENT_KEY_EXCHANGE: 00884 ret = ssl_parse_client_key_exchange( ssl ); 00885 break; 00886 00887 case SSL_CERTIFICATE_VERIFY: 00888 ret = ssl_parse_certificate_verify( ssl ); 00889 break; 00890 00891 case SSL_CLIENT_CHANGE_CIPHER_SPEC: 00892 ret = ssl_parse_change_cipher_spec( ssl ); 00893 break; 00894 00895 case SSL_CLIENT_FINISHED: 00896 ret = ssl_parse_finished( ssl ); 00897 break; 00898 00899 /* 00900 * ==> ChangeCipherSpec 00901 * Finished 00902 */ 00903 case SSL_SERVER_CHANGE_CIPHER_SPEC: 00904 ret = ssl_write_change_cipher_spec( ssl ); 00905 break; 00906 00907 case SSL_SERVER_FINISHED: 00908 ret = ssl_write_finished( ssl ); 00909 break; 00910 00911 case SSL_FLUSH_BUFFERS: 00912 SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 00913 ssl->state = SSL_HANDSHAKE_OVER; 00914 break; 00915 00916 default: 00917 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 00918 return( XYSSL_ERR_SSL_BAD_INPUT_DATA ); 00919 } 00920 00921 if( ret != 0 ) 00922 break; 00923 } 00924 00925 SSL_DEBUG_MSG( 2, ( "<= handshake server" ) ); 00926 00927 return( ret ); 00928 } 00929 00930 #endif