Blame - library/ssl_cli.c - mirror/mbed-crypto

blob: 1b23d6bc39cf0de755ded2a07acfa39b3a7d93ab [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* SSLv3/TLSv1 client-side functions
				3	*
Paul Bakker	fc8c436	2010-03-21 17:37:16 +0000	[diff] [blame]	4	* Copyright (C) 2006-2010, Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker	77b385e	2009-07-28 17:23:11 +0000	[diff] [blame]	5	* All rights reserved.
Paul Bakker	e0ccd0a	2009-01-04 16:27:10 +0000	[diff] [blame]	6	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	7	* This program is free software; you can redistribute it and/or modify
				8	* it under the terms of the GNU General Public License as published by
				9	* the Free Software Foundation; either version 2 of the License, or
				10	* (at your option) any later version.
				11	*
				12	* This program is distributed in the hope that it will be useful,
				13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				15	* GNU General Public License for more details.
				16	*
				17	* You should have received a copy of the GNU General Public License along
				18	* with this program; if not, write to the Free Software Foundation, Inc.,
				19	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				20	*/
				21
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	22	#include "polarssl/config.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	23
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	24	#if defined(POLARSSL_SSL_CLI_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	25
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	26	#include "polarssl/debug.h"
				27	#include "polarssl/ssl.h"
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	28
				29	#include <string.h>
				30	#include <stdlib.h>
				31	#include <stdio.h>
				32	#include <time.h>
				33
				34	static int ssl_write_client_hello( ssl_context *ssl )
				35	{
				36	int ret, i, n;
				37	unsigned char *buf;
				38	unsigned char *p;
				39	time_t t;
				40
				41	SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
				42
				43	ssl->major_ver = SSL_MAJOR_VERSION_3;
				44	ssl->minor_ver = SSL_MINOR_VERSION_0;
				45
				46	ssl->max_major_ver = SSL_MAJOR_VERSION_3;
				47	ssl->max_minor_ver = SSL_MINOR_VERSION_1;
				48
				49	/*
				50	* 0 . 0 handshake type
				51	* 1 . 3 handshake length
				52	* 4 . 5 highest version supported
				53	* 6 . 9 current UNIX time
				54	* 10 . 37 random bytes
				55	*/
				56	buf = ssl->out_msg;
				57	p = buf + 4;
				58
				59	*p++ = (unsigned char) ssl->max_major_ver;
				60	*p++ = (unsigned char) ssl->max_minor_ver;
				61
				62	SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
				63	buf[4], buf[5] ) );
				64
				65	t = time( NULL );
				66	*p++ = (unsigned char)( t >> 24 );
				67	*p++ = (unsigned char)( t >> 16 );
				68	*p++ = (unsigned char)( t >> 8 );
				69	*p++ = (unsigned char)( t );
				70
				71	SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
				72
				73	for( i = 28; i > 0; i-- )
				74	*p++ = (unsigned char) ssl->f_rng( ssl->p_rng );
				75
				76	memcpy( ssl->randbytes, buf + 6, 32 );
				77
				78	SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
				79
				80	/*
				81	* 38 . 38 session id length
				82	* 39 . 39+n session id
				83	* 40+n . 41+n cipherlist length
				84	* 42+n . .. cipherlist
				85	* .. . .. compression alg. (0)
				86	* .. . .. extensions (unused)
				87	*/
				88	n = ssl->session->length;
				89
				90	if( n < 16 \|\| n > 32 \|\| ssl->resume == 0 \|\|
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	91	( ssl->timeout != 0 && t - ssl->session->start > ssl->timeout ) )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	92	n = 0;
				93
				94	*p++ = (unsigned char) n;
				95
				96	for( i = 0; i < n; i++ )
				97	*p++ = ssl->session->id[i];
				98
				99	SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
				100	SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
				101
				102	for( n = 0; ssl->ciphers[n] != 0; n++ );
				103	*p++ = (unsigned char)( n >> 7 );
				104	*p++ = (unsigned char)( n << 1 );
				105
				106	SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphers", n ) );
				107
				108	for( i = 0; i < n; i++ )
				109	{
				110	SSL_DEBUG_MSG( 3, ( "client hello, add cipher: %2d",
				111	ssl->ciphers[i] ) );
				112
				113	*p++ = (unsigned char)( ssl->ciphers[i] >> 8 );
				114	*p++ = (unsigned char)( ssl->ciphers[i] );
				115	}
				116
				117	SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
				118	SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 0 ) );
				119
				120	*p++ = 1;
				121	*p++ = SSL_COMPRESS_NULL;
				122
				123	if ( ssl->hostname != NULL )
				124	{
				125	SSL_DEBUG_MSG( 3, ( "client hello, server name extension: %s",
				126	ssl->hostname ) );
				127
				128	*p++ = (unsigned char)( ( (ssl->hostname_len + 9) >> 8 ) & 0xFF );
				129	*p++ = (unsigned char)( ( (ssl->hostname_len + 9) ) & 0xFF );
				130
				131	*p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
				132	*p++ = (unsigned char)( ( TLS_EXT_SERVERNAME ) & 0xFF );
				133
				134	*p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
				135	*p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF );
				136
				137	*p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
				138	*p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF );
				139
				140	*p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
				141	*p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
				142	*p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF );
				143
				144	memcpy( p, ssl->hostname, ssl->hostname_len );
				145
				146	p += ssl->hostname_len;
				147	}
				148
				149	ssl->out_msglen = p - buf;
				150	ssl->out_msgtype = SSL_MSG_HANDSHAKE;
				151	ssl->out_msg[0] = SSL_HS_CLIENT_HELLO;
				152
				153	ssl->state++;
				154
				155	if( ( ret = ssl_write_record( ssl ) ) != 0 )
				156	{
				157	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
				158	return( ret );
				159	}
				160
				161	SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
				162
				163	return( 0 );
				164	}
				165
				166	static int ssl_parse_server_hello( ssl_context *ssl )
				167	{
				168	time_t t;
				169	int ret, i, n;
				170	int ext_len;
				171	unsigned char *buf;
				172
				173	SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
				174
				175	/*
				176	* 0 . 0 handshake type
				177	* 1 . 3 handshake length
				178	* 4 . 5 protocol version
				179	* 6 . 9 UNIX time()
				180	* 10 . 37 random bytes
				181	*/
				182	buf = ssl->in_msg;
				183
				184	if( ( ret = ssl_read_record( ssl ) ) != 0 )
				185	{
				186	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
				187	return( ret );
				188	}
				189
				190	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
				191	{
				192	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	193	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	194	}
				195
				196	SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
				197	buf[4], buf[5] ) );
				198
				199	if( ssl->in_hslen < 42 \|\|
				200	buf[0] != SSL_HS_SERVER_HELLO \|\|
				201	buf[4] != SSL_MAJOR_VERSION_3 )
				202	{
				203	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	204	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	205	}
				206
				207	if( buf[5] != SSL_MINOR_VERSION_0 &&
				208	buf[5] != SSL_MINOR_VERSION_1 )
				209	{
				210	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	211	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	212	}
				213
				214	ssl->minor_ver = buf[5];
				215
				216	t = ( (time_t) buf[6] << 24 )
				217	\| ( (time_t) buf[7] << 16 )
				218	\| ( (time_t) buf[8] << 8 )
				219	\| ( (time_t) buf[9] );
				220
				221	memcpy( ssl->randbytes + 32, buf + 6, 32 );
				222
				223	n = buf[38];
				224
				225	SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
				226	SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
				227
				228	/*
				229	* 38 . 38 session id length
				230	* 39 . 38+n session id
				231	* 39+n . 40+n chosen cipher
				232	* 41+n . 41+n chosen compression alg.
				233	* 42+n . 43+n extensions length
				234	* 44+n . 44+n+m extensions
				235	*/
				236	if( n < 0 \|\| n > 32 \|\| ssl->in_hslen > 42 + n )
				237	{
				238	ext_len = ( ( buf[42 + n] << 8 )
				239	\| ( buf[43 + n] ) ) + 2;
				240	}
				241	else
				242	{
				243	ext_len = 0;
				244	}
				245
				246	if( n < 0 \|\| n > 32 \|\| ssl->in_hslen != 42 + n + ext_len )
				247	{
				248	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	249	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	250	}
				251
				252	i = ( buf[39 + n] << 8 ) \| buf[40 + n];
				253
				254	SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
				255	SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
				256
				257	/*
				258	* Check if the session can be resumed
				259	*/
				260	if( ssl->resume == 0 \|\| n == 0 \|\|
				261	ssl->session->cipher != i \|\|
				262	ssl->session->length != n \|\|
				263	memcmp( ssl->session->id, buf + 39, n ) != 0 )
				264	{
				265	ssl->state++;
				266	ssl->resume = 0;
				267	ssl->session->start = time( NULL );
				268	ssl->session->cipher = i;
				269	ssl->session->length = n;
				270	memcpy( ssl->session->id, buf + 39, n );
				271	}
				272	else
				273	{
				274	ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	275
				276	if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
				277	{
				278	SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
				279	return( ret );
				280	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	281	}
				282
				283	SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
				284	ssl->resume ? "a" : "no" ) );
				285
				286	SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d", i ) );
				287	SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
				288
				289	i = 0;
				290	while( 1 )
				291	{
				292	if( ssl->ciphers[i] == 0 )
				293	{
				294	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	295	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	296	}
				297
				298	if( ssl->ciphers[i++] == ssl->session->cipher )
				299	break;
				300	}
				301
				302	if( buf[41 + n] != SSL_COMPRESS_NULL )
				303	{
				304	SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	305	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	306	}
				307
				308	/* TODO: Process extensions */
				309
				310	SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
				311
				312	return( 0 );
				313	}
				314
				315	static int ssl_parse_server_key_exchange( ssl_context *ssl )
				316	{
				317	int ret, n;
				318	unsigned char p, end;
				319	unsigned char hash[36];
				320	md5_context md5;
				321	sha1_context sha1;
				322
				323	SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
				324
				325	if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA &&
Paul Bakker	77a4358	2010-06-15 21:32:46 +0000	[diff] [blame^]	326	ssl->session->cipher != SSL_EDH_RSA_AES_128_SHA &&
Paul Bakker	b5ef0ba	2009-01-11 20:25:36 +0000	[diff] [blame]	327	ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA &&
Paul Bakker	77a4358	2010-06-15 21:32:46 +0000	[diff] [blame^]	328	ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_128_SHA &&
				329	ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_256_SHA)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	330	{
				331	SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
				332	ssl->state++;
				333	return( 0 );
				334	}
				335
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	336	#if !defined(POLARSSL_DHM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	337	SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	338	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	339	#else
				340	if( ( ret = ssl_read_record( ssl ) ) != 0 )
				341	{
				342	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
				343	return( ret );
				344	}
				345
				346	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
				347	{
				348	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	349	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	350	}
				351
				352	if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
				353	{
				354	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	355	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	356	}
				357
				358	/*
				359	* Ephemeral DH parameters:
				360	*
				361	* struct {
				362	* opaque dh_p<1..2^16-1>;
				363	* opaque dh_g<1..2^16-1>;
				364	* opaque dh_Ys<1..2^16-1>;
				365	* } ServerDHParams;
				366	*/
				367	p = ssl->in_msg + 4;
				368	end = ssl->in_msg + ssl->in_hslen;
				369
				370	if( ( ret = dhm_read_params( &ssl->dhm_ctx, &p, end ) ) != 0 )
				371	{
				372	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	373	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	374	}
				375
				376	if( (int)( end - p ) != ssl->peer_cert->rsa.len )
				377	{
				378	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	379	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	380	}
				381
				382	if( ssl->dhm_ctx.len < 64 \|\| ssl->dhm_ctx.len > 256 )
				383	{
				384	SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	385	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	386	}
				387
				388	SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P );
				389	SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G );
				390	SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY );
				391
				392	/*
				393	* digitally-signed struct {
				394	* opaque md5_hash[16];
				395	* opaque sha_hash[20];
				396	* };
				397	*
				398	* md5_hash
				399	* MD5(ClientHello.random + ServerHello.random
				400	* + ServerParams);
				401	* sha_hash
				402	* SHA(ClientHello.random + ServerHello.random
				403	* + ServerParams);
				404	*/
				405	n = ssl->in_hslen - ( end - p ) - 6;
				406
				407	md5_starts( &md5 );
				408	md5_update( &md5, ssl->randbytes, 64 );
				409	md5_update( &md5, ssl->in_msg + 4, n );
				410	md5_finish( &md5, hash );
				411
				412	sha1_starts( &sha1 );
				413	sha1_update( &sha1, ssl->randbytes, 64 );
				414	sha1_update( &sha1, ssl->in_msg + 4, n );
				415	sha1_finish( &sha1, hash + 16 );
				416
				417	SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 );
				418
				419	if( ( ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC,
Paul Bakker	fc22c44	2009-07-19 20:36:27 +0000	[diff] [blame]	420	SIG_RSA_RAW, 36, hash, p ) ) != 0 )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	421	{
				422	SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
				423	return( ret );
				424	}
				425
				426	ssl->state++;
				427
				428	SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
				429
				430	return( 0 );
				431	#endif
				432	}
				433
				434	static int ssl_parse_certificate_request( ssl_context *ssl )
				435	{
				436	int ret;
				437
				438	SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
				439
				440	/*
				441	* 0 . 0 handshake type
				442	* 1 . 3 handshake length
				443	* 4 . 5 SSL version
				444	* 6 . 6 cert type count
				445	* 7 .. n-1 cert types
				446	* n .. n+1 length of all DNs
				447	* n+2 .. n+3 length of DN 1
				448	* n+4 .. ... Distinguished Name #1
				449	* ... .. ... length of DN 2, etc.
				450	*/
				451	if( ( ret = ssl_read_record( ssl ) ) != 0 )
				452	{
				453	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
				454	return( ret );
				455	}
				456
				457	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
				458	{
				459	SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	460	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	461	}
				462
				463	ssl->client_auth = 0;
				464	ssl->state++;
				465
				466	if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
				467	ssl->client_auth++;
				468
				469	SSL_DEBUG_MSG( 3, ( "got %s certificate request",
				470	ssl->client_auth ? "a" : "no" ) );
				471
				472	SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
				473
				474	return( 0 );
				475	}
				476
				477	static int ssl_parse_server_hello_done( ssl_context *ssl )
				478	{
				479	int ret;
				480
				481	SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
				482
				483	if( ssl->client_auth != 0 )
				484	{
				485	if( ( ret = ssl_read_record( ssl ) ) != 0 )
				486	{
				487	SSL_DEBUG_RET( 1, "ssl_read_record", ret );
				488	return( ret );
				489	}
				490
				491	if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
				492	{
				493	SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	494	return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	495	}
				496	}
				497
				498	if( ssl->in_hslen != 4 \|\|
				499	ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
				500	{
				501	SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	502	return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	503	}
				504
				505	ssl->state++;
				506
				507	SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
				508
				509	return( 0 );
				510	}
				511
				512	static int ssl_write_client_key_exchange( ssl_context *ssl )
				513	{
				514	int ret, i, n;
				515
				516	SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
				517
				518	if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA \|\|
Paul Bakker	77a4358	2010-06-15 21:32:46 +0000	[diff] [blame^]	519	ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA \|\|
Paul Bakker	b5ef0ba	2009-01-11 20:25:36 +0000	[diff] [blame]	520	ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA \|\|
Paul Bakker	77a4358	2010-06-15 21:32:46 +0000	[diff] [blame^]	521	ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA \|\|
				522	ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	523	{
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	524	#if !defined(POLARSSL_DHM_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	525	SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	526	return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	527	#else
				528	/*
				529	* DHM key exchange -- send G^X mod P
				530	*/
				531	n = ssl->dhm_ctx.len;
				532
				533	ssl->out_msg[4] = (unsigned char)( n >> 8 );
				534	ssl->out_msg[5] = (unsigned char)( n );
				535	i = 6;
				536
				537	ret = dhm_make_public( &ssl->dhm_ctx, 256,
				538	&ssl->out_msg[i], n,
				539	ssl->f_rng, ssl->p_rng );
				540	if( ret != 0 )
				541	{
				542	SSL_DEBUG_RET( 1, "dhm_make_public", ret );
				543	return( ret );
				544	}
				545
				546	SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X );
				547	SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX );
				548
				549	ssl->pmslen = ssl->dhm_ctx.len;
				550
				551	if( ( ret = dhm_calc_secret( &ssl->dhm_ctx,
				552	ssl->premaster,
				553	&ssl->pmslen ) ) != 0 )
				554	{
				555	SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
				556	return( ret );
				557	}
				558
				559	SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K );
				560	#endif
				561	}
				562	else
				563	{
				564	/*
				565	* RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
				566	*/
				567	ssl->premaster[0] = (unsigned char) ssl->max_major_ver;
				568	ssl->premaster[1] = (unsigned char) ssl->max_minor_ver;
				569	ssl->pmslen = 48;
				570
				571	for( i = 2; i < ssl->pmslen; i++ )
				572	ssl->premaster[i] = (unsigned char) ssl->f_rng( ssl->p_rng );
				573
				574	i = 4;
				575	n = ssl->peer_cert->rsa.len;
				576
				577	if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
				578	{
				579	i += 2;
				580	ssl->out_msg[4] = (unsigned char)( n >> 8 );
				581	ssl->out_msg[5] = (unsigned char)( n );
				582	}
				583
				584	ret = rsa_pkcs1_encrypt( &ssl->peer_cert->rsa, RSA_PUBLIC,
				585	ssl->pmslen, ssl->premaster,
				586	ssl->out_msg + i );
				587	if( ret != 0 )
				588	{
				589	SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
				590	return( ret );
				591	}
				592	}
				593
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	594	if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
				595	{
				596	SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
				597	return( ret );
				598	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	599
				600	ssl->out_msglen = i + n;
				601	ssl->out_msgtype = SSL_MSG_HANDSHAKE;
				602	ssl->out_msg[0] = SSL_HS_CLIENT_KEY_EXCHANGE;
				603
				604	ssl->state++;
				605
				606	if( ( ret = ssl_write_record( ssl ) ) != 0 )
				607	{
				608	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
				609	return( ret );
				610	}
				611
				612	SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
				613
				614	return( 0 );
				615	}
				616
				617	static int ssl_write_certificate_verify( ssl_context *ssl )
				618	{
				619	int ret, n;
				620	unsigned char hash[36];
				621
				622	SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
				623
				624	if( ssl->client_auth == 0 )
				625	{
				626	SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
				627	ssl->state++;
				628	return( 0 );
				629	}
				630
				631	if( ssl->rsa_key == NULL )
				632	{
				633	SSL_DEBUG_MSG( 1, ( "got no private key" ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	634	return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	635	}
				636
				637	/*
				638	* Make an RSA signature of the handshake digests
				639	*/
				640	ssl_calc_verify( ssl, hash );
				641
				642	n = ssl->rsa_key->len;
				643	ssl->out_msg[4] = (unsigned char)( n >> 8 );
				644	ssl->out_msg[5] = (unsigned char)( n );
				645
Paul Bakker	fc22c44	2009-07-19 20:36:27 +0000	[diff] [blame]	646	if( ( ret = rsa_pkcs1_sign( ssl->rsa_key, RSA_PRIVATE, SIG_RSA_RAW,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	647	36, hash, ssl->out_msg + 6 ) ) != 0 )
				648	{
				649	SSL_DEBUG_RET( 1, "rsa_pkcs1_sign", ret );
				650	return( ret );
				651	}
				652
				653	ssl->out_msglen = 6 + n;
				654	ssl->out_msgtype = SSL_MSG_HANDSHAKE;
				655	ssl->out_msg[0] = SSL_HS_CERTIFICATE_VERIFY;
				656
				657	ssl->state++;
				658
				659	if( ( ret = ssl_write_record( ssl ) ) != 0 )
				660	{
				661	SSL_DEBUG_RET( 1, "ssl_write_record", ret );
				662	return( ret );
				663	}
				664
				665	SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
				666
				667	return( 0 );
				668	}
				669
				670	/*
				671	* SSL handshake -- client side
				672	*/
				673	int ssl_handshake_client( ssl_context *ssl )
				674	{
				675	int ret = 0;
				676
				677	SSL_DEBUG_MSG( 2, ( "=> handshake client" ) );
				678
				679	while( ssl->state != SSL_HANDSHAKE_OVER )
				680	{
				681	SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
				682
				683	if( ( ret = ssl_flush_output( ssl ) ) != 0 )
				684	break;
				685
				686	switch( ssl->state )
				687	{
				688	case SSL_HELLO_REQUEST:
				689	ssl->state = SSL_CLIENT_HELLO;
				690	break;
				691
				692	/*
				693	* ==> ClientHello
				694	*/
				695	case SSL_CLIENT_HELLO:
				696	ret = ssl_write_client_hello( ssl );
				697	break;
				698
				699	/*
				700	* <== ServerHello
				701	* Certificate
				702	* ( ServerKeyExchange )
				703	* ( CertificateRequest )
				704	* ServerHelloDone
				705	*/
				706	case SSL_SERVER_HELLO:
				707	ret = ssl_parse_server_hello( ssl );
				708	break;
				709
				710	case SSL_SERVER_CERTIFICATE:
				711	ret = ssl_parse_certificate( ssl );
				712	break;
				713
				714	case SSL_SERVER_KEY_EXCHANGE:
				715	ret = ssl_parse_server_key_exchange( ssl );
				716	break;
				717
				718	case SSL_CERTIFICATE_REQUEST:
				719	ret = ssl_parse_certificate_request( ssl );
				720	break;
				721
				722	case SSL_SERVER_HELLO_DONE:
				723	ret = ssl_parse_server_hello_done( ssl );
				724	break;
				725
				726	/*
				727	* ==> ( Certificate/Alert )
				728	* ClientKeyExchange
				729	* ( CertificateVerify )
				730	* ChangeCipherSpec
				731	* Finished
				732	*/
				733	case SSL_CLIENT_CERTIFICATE:
				734	ret = ssl_write_certificate( ssl );
				735	break;
				736
				737	case SSL_CLIENT_KEY_EXCHANGE:
				738	ret = ssl_write_client_key_exchange( ssl );
				739	break;
				740
				741	case SSL_CERTIFICATE_VERIFY:
				742	ret = ssl_write_certificate_verify( ssl );
				743	break;
				744
				745	case SSL_CLIENT_CHANGE_CIPHER_SPEC:
				746	ret = ssl_write_change_cipher_spec( ssl );
				747	break;
				748
				749	case SSL_CLIENT_FINISHED:
				750	ret = ssl_write_finished( ssl );
				751	break;
				752
				753	/*
				754	* <== ChangeCipherSpec
				755	* Finished
				756	*/
				757	case SSL_SERVER_CHANGE_CIPHER_SPEC:
				758	ret = ssl_parse_change_cipher_spec( ssl );
				759	break;
				760
				761	case SSL_SERVER_FINISHED:
				762	ret = ssl_parse_finished( ssl );
				763	break;
				764
				765	case SSL_FLUSH_BUFFERS:
				766	SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
				767	ssl->state = SSL_HANDSHAKE_OVER;
				768	break;
				769
				770	default:
				771	SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	772	return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	773	}
				774
				775	if( ret != 0 )
				776	break;
				777	}
				778
				779	SSL_DEBUG_MSG( 2, ( "<= handshake client" ) );
				780
				781	return( ret );
				782	}
				783
				784	#endif