30
30
#include "polarssl/debug.h"
31
31
#include "polarssl/ssl.h"
33
#if defined(POLARSSL_PKCS11_C)
34
#include "polarssl/pkcs11.h"
35
#endif /* defined(POLARSSL_PKCS11_C) */
34
37
#include <stdlib.h>
38
41
static int ssl_parse_client_hello( ssl_context *ssl )
41
int ciph_len, sess_len;
42
int chal_len, comp_len;
46
unsigned int ciph_len, sess_len;
47
unsigned int chal_len, comp_len;
43
48
unsigned char *buf, *p;
45
50
SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
133
138
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
136
if( sess_len < 0 || sess_len > 32 )
138
143
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
139
144
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
151
156
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
154
SSL_DEBUG_BUF( 3, "client hello, cipherlist",
159
SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
155
160
buf + 6, ciph_len );
156
161
SSL_DEBUG_BUF( 3, "client hello, session id",
157
162
buf + 6 + ciph_len, sess_len );
167
172
memset( ssl->randbytes, 0, 64 );
168
173
memcpy( ssl->randbytes + 32 - chal_len, p, chal_len );
170
for( i = 0; ssl->ciphers[i] != 0; i++ )
175
for( i = 0; ssl->ciphersuites[i] != 0; i++ )
172
177
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
176
p[2] == ssl->ciphers[i] )
181
p[2] == ssl->ciphersuites[i] )
182
goto have_ciphersuite;
233
238
* 10 . 37 random bytes
234
239
* 38 . 38 session id length
235
240
* 39 . 38+x session id
236
* 39+x . 40+x cipherlist length
237
* 41+x . .. cipherlist
241
* 39+x . 40+x ciphersuitelist length
242
* 41+x . .. ciphersuitelist
238
243
* .. . .. compression alg.
239
244
* .. . .. extensions
270
275
* Check the handshake message length
272
if( buf[1] != 0 || n != 4 + ( ( buf[2] << 8 ) | buf[3] ) )
277
if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
274
279
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
275
280
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
291
296
memcpy( ssl->session->id, buf + 39 , ssl->session->length );
294
* Check the cipherlist length
299
* Check the ciphersuitelist length
296
301
ciph_len = ( buf[39 + sess_len] << 8 )
297
302
| ( buf[40 + sess_len] );
318
323
SSL_DEBUG_BUF( 3, "client hello, session id",
319
324
buf + 38, sess_len );
320
SSL_DEBUG_BUF( 3, "client hello, cipherlist",
325
SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
321
326
buf + 41 + sess_len, ciph_len );
322
327
SSL_DEBUG_BUF( 3, "client hello, compression",
323
328
buf + 42 + sess_len + ciph_len, comp_len );
326
* Search for a matching cipher
331
* Search for a matching ciphersuite
328
for( i = 0; ssl->ciphers[i] != 0; i++ )
333
for( i = 0; ssl->ciphersuites[i] != 0; i++ )
330
335
for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
333
if( p[0] == 0 && p[1] == ssl->ciphers[i] )
338
if( p[0] == 0 && p[1] == ssl->ciphersuites[i] )
339
goto have_ciphersuite;
339
SSL_DEBUG_MSG( 1, ( "got no ciphers in common" ) );
344
SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
341
346
return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
345
ssl->session->cipher = ssl->ciphers[i];
350
ssl->session->ciphersuite = ssl->ciphersuites[i];
346
351
ssl->in_left = 0;
384
389
SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
386
for( i = 28; i > 0; i-- )
387
*p++ = (unsigned char) ssl->f_rng( ssl->p_rng );
391
if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
389
396
memcpy( ssl->randbytes + 32, buf + 6, 32 );
394
401
* 38 . 38 session id length
395
402
* 39 . 38+n session id
396
* 39+n . 40+n chosen cipher
403
* 39+n . 40+n chosen ciphersuite
397
404
* 41+n . 41+n chosen compression alg.
399
406
ssl->session->length = n = 32;
411
for( i = 0; i < n; i++ )
412
ssl->session->id[i] =
413
(unsigned char) ssl->f_rng( ssl->p_rng );
418
if( ssl->session == NULL )
420
SSL_DEBUG_MSG( 1, ( "No session struct set" ) );
421
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
424
if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session->id, n ) ) != 0 )
435
447
SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
436
448
ssl->resume ? "a" : "no" ) );
438
*p++ = (unsigned char)( ssl->session->cipher >> 8 );
439
*p++ = (unsigned char)( ssl->session->cipher );
450
*p++ = (unsigned char)( ssl->session->ciphersuite >> 8 );
451
*p++ = (unsigned char)( ssl->session->ciphersuite );
440
452
*p++ = SSL_COMPRESS_NULL;
442
SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d",
443
ssl->session->cipher ) );
454
SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
455
ssl->session->ciphersuite ) );
444
456
SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) );
446
458
ssl->out_msglen = p - buf;
522
535
static int ssl_write_server_key_exchange( ssl_context *ssl )
537
#if defined(POLARSSL_DHM_C)
539
size_t n, rsa_key_len = 0;
525
540
unsigned char hash[36];
527
542
sha1_context sha1;
529
545
SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
531
if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA &&
532
ssl->session->cipher != SSL_EDH_RSA_AES_128_SHA &&
533
ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA &&
534
ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_128_SHA &&
535
ssl->session->cipher != SSL_EDH_RSA_CAMELLIA_256_SHA)
547
if( ssl->session->ciphersuite != SSL_EDH_RSA_DES_168_SHA &&
548
ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_SHA &&
549
ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_SHA &&
550
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
551
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA)
537
553
SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
543
559
SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
544
560
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
563
if( ssl->rsa_key == NULL )
565
#if defined(POLARSSL_PKCS11_C)
566
if( ssl->pkcs11_key == NULL )
568
#endif /* defined(POLARSSL_PKCS11_C) */
569
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
570
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
571
#if defined(POLARSSL_PKCS11_C)
573
#endif /* defined(POLARSSL_PKCS11_C) */
547
577
* Ephemeral DH parameters:
590
620
SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 );
592
ssl->out_msg[4 + n] = (unsigned char)( ssl->rsa_key->len >> 8 );
593
ssl->out_msg[5 + n] = (unsigned char)( ssl->rsa_key->len );
595
ret = rsa_pkcs1_sign( ssl->rsa_key, RSA_PRIVATE,
596
SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n );
623
rsa_key_len = ssl->rsa_key->len;
624
#if defined(POLARSSL_PKCS11_C)
626
rsa_key_len = ssl->pkcs11_key->len;
627
#endif /* defined(POLARSSL_PKCS11_C) */
629
ssl->out_msg[4 + n] = (unsigned char)( rsa_key_len >> 8 );
630
ssl->out_msg[5 + n] = (unsigned char)( rsa_key_len );
634
ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
636
SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n );
638
#if defined(POLARSSL_PKCS11_C)
640
ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE,
641
SIG_RSA_RAW, 36, hash, ssl->out_msg + 6 + n );
643
#endif /* defined(POLARSSL_PKCS11_C) */
599
SSL_DEBUG_RET( 1, "rsa_pkcs1_sign", ret );
647
SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
603
SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n,
651
SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, rsa_key_len );
606
ssl->out_msglen = 6 + n + ssl->rsa_key->len;
653
ssl->out_msglen = 6 + n + rsa_key_len;
607
654
ssl->out_msgtype = SSL_MSG_HANDSHAKE;
608
655
ssl->out_msg[0] = SSL_HS_SERVER_KEY_EXCHANGE;
668
716
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
671
if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA ||
672
ssl->session->cipher == SSL_EDH_RSA_AES_128_SHA ||
673
ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA ||
674
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_128_SHA ||
675
ssl->session->cipher == SSL_EDH_RSA_CAMELLIA_256_SHA)
719
if( ssl->session->ciphersuite == SSL_EDH_RSA_DES_168_SHA ||
720
ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_SHA ||
721
ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_SHA ||
722
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
723
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA)
677
725
#if !defined(POLARSSL_DHM_C)
678
726
SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
694
742
ssl->in_msg + 6, n ) ) != 0 )
696
744
SSL_DEBUG_RET( 1, "dhm_read_public", ret );
697
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE | ret );
745
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP );
700
748
SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY );
705
753
ssl->premaster, &ssl->pmslen ) ) != 0 )
707
755
SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
708
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE | ret );
756
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS );
711
759
SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K );
764
if( ssl->rsa_key == NULL )
766
#if defined(POLARSSL_PKCS11_C)
767
if( ssl->pkcs11_key == NULL )
770
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
771
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
772
#if defined(POLARSSL_PKCS11_C)
717
778
* Decrypt the premaster using own private RSA key
720
n = ssl->rsa_key->len;
782
n = ssl->rsa_key->len;
783
#if defined(POLARSSL_PKCS11_C)
785
n = ssl->pkcs11_key->len;
721
787
ssl->pmslen = 48;
723
789
if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
737
803
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
740
ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen,
741
ssl->in_msg + i, ssl->premaster,
742
sizeof(ssl->premaster) );
807
ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen,
808
ssl->in_msg + i, ssl->premaster,
809
sizeof(ssl->premaster) );
811
#if defined(POLARSSL_PKCS11_C)
813
ret = pkcs11_decrypt( ssl->pkcs11_key, RSA_PRIVATE, &ssl->pmslen,
814
ssl->in_msg + i, ssl->premaster,
815
sizeof(ssl->premaster) );
817
#endif /* defined(POLARSSL_PKCS11_C) */
744
819
if( ret != 0 || ssl->pmslen != 48 ||
745
820
ssl->premaster[0] != ssl->max_major_ver ||