2 * Copyright (c) 2007, Cameron Rich
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
9 * * Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * * Neither the name of the axTLS project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 #ifdef CONFIG_SSL_ENABLE_CLIENT /* all commented out if no client */
40 static int send_client_hello(SSL
*ssl
);
41 static int process_server_hello(SSL
*ssl
);
42 static int process_server_hello_done(SSL
*ssl
);
43 static int send_client_key_xchg(SSL
*ssl
);
44 static int process_cert_req(SSL
*ssl
);
45 static int send_cert_verify(SSL
*ssl
);
48 * Establish a new SSL connection to an SSL server.
50 EXP_FUNC SSL
* STDCALL
ssl_client_new(SSL
*ssl
, int client_fd
, const
51 uint8_t *session_id
, uint8_t sess_id_size
)
53 SSL_CTX
*ssl_ctx
= ssl
->ssl_ctx
;
54 ssl_new(ssl
, client_fd
);
55 ssl
->version
= SSL_PROTOCOL_VERSION_MAX
; /* try top version first */
57 if (session_id
&& ssl_ctx
->num_sessions
)
59 if (sess_id_size
> SSL_SESSION_ID_SIZE
) /* validity check */
65 memcpy(ssl
->session_id
, session_id
, sess_id_size
);
66 ssl
->sess_id_size
= sess_id_size
;
67 SET_SSL_FLAG(SSL_SESSION_RESUME
); /* just flag for later */
70 SET_SSL_FLAG(SSL_IS_CLIENT
);
71 do_client_connect(ssl
);
76 * Process the handshake record.
78 int do_clnt_handshake(SSL
*ssl
, int handshake_type
, uint8_t *buf
, int hs_len
)
82 /* To get here the state must be valid */
83 switch (handshake_type
)
86 ret
= process_server_hello(ssl
);
90 ret
= process_certificate(ssl
, &ssl
->x509_ctx
);
93 case HS_SERVER_HELLO_DONE
:
94 if ((ret
= process_server_hello_done(ssl
)) == SSL_OK
)
96 if (IS_SET_SSL_FLAG(SSL_HAS_CERT_REQ
))
98 if ((ret
= send_certificate(ssl
)) == SSL_OK
&&
99 (ret
= send_client_key_xchg(ssl
)) == SSL_OK
)
101 send_cert_verify(ssl
);
106 ret
= send_client_key_xchg(ssl
);
110 (ret
= send_change_cipher_spec(ssl
)) == SSL_OK
)
112 ret
= send_finished(ssl
);
118 ret
= process_cert_req(ssl
);
122 ret
= process_finished(ssl
, buf
, hs_len
);
123 disposable_free(ssl
); /* free up some memory */
124 /* note: client renegotiation is not allowed after this */
127 case HS_HELLO_REQUEST
:
129 ret
= do_client_connect(ssl
);
133 ret
= SSL_ERROR_INVALID_HANDSHAKE
;
141 * Do the handshaking from the beginning.
143 int do_client_connect(SSL
*ssl
)
147 send_client_hello(ssl
); /* send the client hello */
148 ssl
->bm_read_index
= 0;
149 ssl
->next_state
= HS_SERVER_HELLO
;
150 ssl
->hs_status
= SSL_NOT_OK
; /* not connected */
152 /* sit in a loop until it all looks good */
153 if (!IS_SET_SSL_FLAG(SSL_CONNECT_IN_PARTS
))
155 while (ssl
->hs_status
!= SSL_OK
)
157 ret
= read_record(ssl
);
160 ret
= process_data(ssl
, NULL
, 0);
164 ssl
->hs_status
= ret
; /* connected? */
169 static int compute_size_send_client_hello(SSL
*ssl
)
171 int size
= 6 + SSL_RANDOM_SIZE
;
173 if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME
))
176 size
+= ssl
->sess_id_size
;
180 for (i
= 0; i
< NUM_PROTOCOLS
; i
++)
183 return size
+BM_RECORD_OFFSET
;
187 * Send the initial client hello.
189 static int send_client_hello(SSL
*ssl
)
191 uint8_t *buf
= ssl
->bm_data
;
192 time_t tm
= time(NULL
);
193 uint8_t *tm_ptr
= &buf
[6]; /* time will go here */
196 buf
[0] = HS_CLIENT_HELLO
;
199 /* byte 3 is calculated later */
201 buf
[5] = ssl
->version
& 0x0f;
203 /* client random value - spec says that 1st 4 bytes are big endian time */
204 *tm_ptr
++ = (uint8_t)(((long)tm
& 0xff000000) >> 24);
205 *tm_ptr
++ = (uint8_t)(((long)tm
& 0x00ff0000) >> 16);
206 *tm_ptr
++ = (uint8_t)(((long)tm
& 0x0000ff00) >> 8);
207 *tm_ptr
++ = (uint8_t)(((long)tm
& 0x000000ff));
208 get_random(SSL_RANDOM_SIZE
-4, &buf
[10]);
209 memcpy(ssl
->dc
->client_random
, &buf
[6], SSL_RANDOM_SIZE
);
210 offset
= 6 + SSL_RANDOM_SIZE
;
212 /* give session resumption a go */
213 if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME
)) /* set initially by user */
215 buf
[offset
++] = ssl
->sess_id_size
;
216 memcpy(&buf
[offset
], ssl
->session_id
, ssl
->sess_id_size
);
217 offset
+= ssl
->sess_id_size
;
218 CLR_SSL_FLAG(SSL_SESSION_RESUME
); /* clear so we can set later */
222 /* no session id - because no session resumption just yet */
226 buf
[offset
++] = 0; /* number of ciphers */
227 buf
[offset
++] = NUM_PROTOCOLS
*2;/* number of ciphers */
229 /* put all our supported protocols in our request */
230 for (i
= 0; i
< NUM_PROTOCOLS
; i
++)
232 buf
[offset
++] = 0; /* cipher we are using */
233 buf
[offset
++] = ssl_prot_prefs
[i
];
236 buf
[offset
++] = 1; /* no compression */
238 buf
[3] = offset
- 4; /* handshake size */
240 return send_packet(ssl
, PT_HANDSHAKE_PROTOCOL
, NULL
, offset
);
244 * Process the server hello.
246 static int process_server_hello(SSL
*ssl
)
248 uint8_t *buf
= ssl
->bm_data
;
249 int pkt_size
= ssl
->bm_index
;
250 int num_sessions
= ssl
->ssl_ctx
->num_sessions
;
251 uint8_t sess_id_size
;
252 int offset
, ret
= SSL_OK
;
254 /* check that we are talking to a TLSv1 server */
255 uint8_t version
= (buf
[0] << 4) + buf
[1];
256 if (version
> SSL_PROTOCOL_VERSION_MAX
)
258 version
= SSL_PROTOCOL_VERSION_MAX
;
260 else if (ssl
->version
< SSL_PROTOCOL_MIN_VERSION
)
262 ret
= SSL_ERROR_INVALID_VERSION
;
263 ssl_display_error(ret
);
267 ssl
->version
= version
;
269 /* get the server random value */
270 memcpy(ssl
->dc
->server_random
, &buf
[2], SSL_RANDOM_SIZE
);
271 offset
= 2 + SSL_RANDOM_SIZE
; /* skip of session id size */
272 sess_id_size
= buf
[offset
++];
274 if (sess_id_size
> SSL_SESSION_ID_SIZE
)
276 ret
= SSL_ERROR_INVALID_SESSION
;
282 ssl
->session
= ssl_session_update(num_sessions
,
283 ssl
->ssl_ctx
->ssl_sessions
, ssl
, &buf
[offset
]);
284 memcpy(ssl
->session
->session_id
, &buf
[offset
], sess_id_size
);
286 /* pad the rest with 0's */
287 if (sess_id_size
< SSL_SESSION_ID_SIZE
)
289 memset(&ssl
->session
->session_id
[sess_id_size
], 0,
290 SSL_SESSION_ID_SIZE
-sess_id_size
);
294 memcpy(ssl
->session_id
, &buf
[offset
], sess_id_size
);
295 ssl
->sess_id_size
= sess_id_size
;
296 offset
+= sess_id_size
;
298 /* get the real cipher we are using */
299 ssl
->cipher
= buf
[++offset
];
300 ssl
->next_state
= IS_SET_SSL_FLAG(SSL_SESSION_RESUME
) ?
301 HS_FINISHED
: HS_CERTIFICATE
;
303 offset
++; // skip the compr
304 PARANOIA_CHECK(pkt_size
, offset
);
305 ssl
->dc
->bm_proc_index
= offset
+1;
312 * Process the server hello done message.
314 static int process_server_hello_done(SSL
*ssl
)
316 ssl
->next_state
= HS_FINISHED
;
321 * Send a client key exchange message.
323 static int send_client_key_xchg(SSL
*ssl
)
325 uint8_t *buf
= ssl
->bm_data
;
326 uint8_t premaster_secret
[SSL_SECRET_SIZE
];
327 int enc_secret_size
= -1;
329 buf
[0] = HS_CLIENT_KEY_XCHG
;
332 premaster_secret
[0] = 0x03; /* encode the version number */
333 premaster_secret
[1] = SSL_PROTOCOL_MINOR_VERSION
; /* must be TLS 1.1 */
334 get_random(SSL_SECRET_SIZE
-2, &premaster_secret
[2]);
335 DISPLAY_RSA(ssl
, ssl
->x509_ctx
->rsa_ctx
);
337 /* rsa_ctx->bi_ctx is not thread-safe */
338 SSL_CTX_LOCK(ssl
->ssl_ctx
->mutex
);
339 enc_secret_size
= RSA_encrypt(ssl
->x509_ctx
->rsa_ctx
, premaster_secret
,
340 SSL_SECRET_SIZE
, &buf
[6], 0);
341 SSL_CTX_UNLOCK(ssl
->ssl_ctx
->mutex
);
343 buf
[2] = (enc_secret_size
+ 2) >> 8;
344 buf
[3] = (enc_secret_size
+ 2) & 0xff;
345 buf
[4] = enc_secret_size
>> 8;
346 buf
[5] = enc_secret_size
& 0xff;
348 generate_master_secret(ssl
, premaster_secret
);
350 return send_packet(ssl
, PT_HANDSHAKE_PROTOCOL
, NULL
, enc_secret_size
+6);
354 * Process the certificate request.
356 static int process_cert_req(SSL
*ssl
)
358 uint8_t *buf
= &ssl
->bm_data
[ssl
->dc
->bm_proc_index
];
360 int offset
= (buf
[2] << 4) + buf
[3];
361 int pkt_size
= ssl
->bm_index
;
363 /* don't do any processing - we will send back an RSA certificate anyway */
364 ssl
->next_state
= HS_SERVER_HELLO_DONE
;
365 SET_SSL_FLAG(SSL_HAS_CERT_REQ
);
366 ssl
->dc
->bm_proc_index
+= offset
;
367 PARANOIA_CHECK(pkt_size
, offset
);
373 * Send a certificate verify message.
375 static int send_cert_verify(SSL
*ssl
)
377 uint8_t *buf
= ssl
->bm_data
;
378 uint8_t dgst
[MD5_SIZE
+SHA1_SIZE
];
379 RSA_CTX
*rsa_ctx
= ssl
->ssl_ctx
->rsa_ctx
;
382 DISPLAY_RSA(ssl
, rsa_ctx
);
384 buf
[0] = HS_CERT_VERIFY
;
387 finished_digest(ssl
, NULL
, dgst
); /* calculate the digest */
389 /* rsa_ctx->bi_ctx is not thread-safe */
392 SSL_CTX_LOCK(ssl
->ssl_ctx
->mutex
);
393 n
= RSA_encrypt(rsa_ctx
, dgst
, sizeof(dgst
), &buf
[6], 1);
394 SSL_CTX_UNLOCK(ssl
->ssl_ctx
->mutex
);
398 ret
= SSL_ERROR_INVALID_KEY
;
403 buf
[4] = n
>> 8; /* add the RSA size (not officially documented) */
408 ret
= send_packet(ssl
, PT_HANDSHAKE_PROTOCOL
, NULL
, n
+4);
414 #endif /* CONFIG_SSL_ENABLE_CLIENT */