2 * Copyright (c) 2007, Cameron Rich
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
9 * * Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * * Neither the name of the axTLS project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 static const uint8_t g_hello_done
[] = { HS_SERVER_HELLO_DONE
, 0, 0, 0 };
39 static int process_client_hello(SSL
*ssl
);
40 static int send_server_hello_sequence(SSL
*ssl
);
41 static int send_server_hello(SSL
*ssl
);
42 static int send_server_hello_done(SSL
*ssl
);
43 static int process_client_key_xchg(SSL
*ssl
);
44 #ifdef CONFIG_SSL_CERT_VERIFICATION
45 static int send_certificate_request(SSL
*ssl
);
46 static int process_cert_verify(SSL
*ssl
);
50 * Establish a new SSL connection to an SSL client.
52 EXP_FUNC SSL
* STDCALL
ssl_server_new(SSL_CTX
*ssl_ctx
, int client_fd
)
56 ssl
= ssl_new(ssl_ctx
, client_fd
);
57 ssl
->next_state
= HS_CLIENT_HELLO
;
59 #ifdef CONFIG_SSL_FULL_MODE
60 if (ssl_ctx
->chain_length
== 0)
61 printf("Warning - no server certificate defined\n"); TTY_FLUSH();
68 * Process the handshake record.
70 int do_svr_handshake(SSL
*ssl
, int handshake_type
, uint8_t *buf
, int hs_len
)
73 ssl
->hs_status
= SSL_NOT_OK
; /* not connected */
75 /* To get here the state must be valid */
76 switch (handshake_type
)
79 if ((ret
= process_client_hello(ssl
)) == SSL_OK
)
80 ret
= send_server_hello_sequence(ssl
);
83 #ifdef CONFIG_SSL_CERT_VERIFICATION
84 case HS_CERTIFICATE
:/* the client sends its cert */
85 ret
= process_certificate(ssl
, &ssl
->x509_ctx
);
87 if (ret
== SSL_OK
) /* verify the cert */
90 cert_res
= x509_verify(
91 ssl
->ssl_ctx
->ca_cert_ctx
, ssl
->x509_ctx
);
92 ret
= (cert_res
== 0) ? SSL_OK
: SSL_X509_ERROR(cert_res
);
97 ret
= process_cert_verify(ssl
);
98 add_packet(ssl
, buf
, hs_len
); /* needs to be done after */
101 case HS_CLIENT_KEY_XCHG
:
102 ret
= process_client_key_xchg(ssl
);
106 ret
= process_finished(ssl
, buf
, hs_len
);
107 disposable_free(ssl
); /* free up some memory */
115 * Process a client hello message.
117 static int process_client_hello(SSL
*ssl
)
119 uint8_t *buf
= ssl
->bm_data
;
120 uint8_t *record_buf
= ssl
->hmac_header
;
121 int pkt_size
= ssl
->bm_index
;
122 int i
, j
, cs_len
, id_len
, offset
= 6 + SSL_RANDOM_SIZE
;
125 uint8_t version
= (buf
[4] << 4) + buf
[5];
126 ssl
->version
= ssl
->client_version
= version
;
128 if (version
> SSL_PROTOCOL_VERSION_MAX
)
130 /* use client's version instead */
131 ssl
->version
= SSL_PROTOCOL_VERSION_MAX
;
133 else if (version
< SSL_PROTOCOL_MIN_VERSION
) /* old version supported? */
135 ret
= SSL_ERROR_INVALID_VERSION
;
136 ssl_display_error(ret
);
140 memcpy(ssl
->dc
->client_random
, &buf
[6], SSL_RANDOM_SIZE
);
142 /* process the session id */
143 id_len
= buf
[offset
++];
144 if (id_len
> SSL_SESSION_ID_SIZE
)
146 return SSL_ERROR_INVALID_SESSION
;
149 #ifndef CONFIG_SSL_SKELETON_MODE
150 ssl
->session
= ssl_session_update(ssl
->ssl_ctx
->num_sessions
,
151 ssl
->ssl_ctx
->ssl_sessions
, ssl
, id_len
? &buf
[offset
] : NULL
);
155 cs_len
= (buf
[offset
]<<8) + buf
[offset
+1];
156 offset
+= 3; /* add 1 due to all cipher suites being 8 bit */
158 PARANOIA_CHECK(pkt_size
, offset
);
160 /* work out what cipher suite we are going to use - client defines
162 for (i
= 0; i
< cs_len
; i
+= 2)
164 for (j
= 0; j
< NUM_PROTOCOLS
; j
++)
166 if (ssl_prot_prefs
[j
] == buf
[offset
+i
]) /* got a match? */
168 ssl
->cipher
= ssl_prot_prefs
[j
];
174 /* ouch! protocol is not supported */
175 ret
= SSL_ERROR_NO_CIPHER
;
182 #ifdef CONFIG_SSL_ENABLE_V23_HANDSHAKE
184 * Some browsers use a hybrid SSLv2 "client hello"
186 int process_sslv23_client_hello(SSL
*ssl
)
188 uint8_t *buf
= ssl
->bm_data
;
189 int bytes_needed
= ((buf
[0] & 0x7f) << 8) + buf
[1];
192 /* we have already read 3 extra bytes so far */
193 int read_len
= SOCKET_READ(ssl
->client_fd
, buf
, bytes_needed
-3);
197 int i
, j
, offset
= 8; /* start at first cipher */
198 int random_offset
= 0;
200 DISPLAY_BYTES(ssl
, "received %d bytes", buf
, read_len
, read_len
);
202 add_packet(ssl
, buf
, read_len
);
204 /* connection has gone, so die */
205 if (bytes_needed
< 0)
207 return SSL_ERROR_CONN_LOST
;
210 /* now work out what cipher suite we are going to use */
211 for (j
= 0; j
< NUM_PROTOCOLS
; j
++)
213 for (i
= 0; i
< cs_len
; i
+= 3)
215 if (ssl_prot_prefs
[j
] == buf
[offset
+i
])
217 ssl
->cipher
= ssl_prot_prefs
[j
];
223 /* ouch! protocol is not supported */
224 ret
= SSL_ERROR_NO_CIPHER
;
228 /* get the session id */
229 offset
+= cs_len
- 2; /* we've gone 2 bytes past the end */
230 #ifndef CONFIG_SSL_SKELETON_MODE
231 ssl
->session
= ssl_session_update(ssl
->ssl_ctx
->num_sessions
,
232 ssl
->ssl_ctx
->ssl_sessions
, ssl
, id_len
? &buf
[offset
] : NULL
);
235 /* get the client random data */
238 /* random can be anywhere between 16 and 32 bytes long - so it is padded
239 * with 0's to the left */
242 random_offset
+= 0x10;
245 memcpy(&ssl
->dc
->client_random
[random_offset
], &buf
[offset
], ch_len
);
246 ret
= send_server_hello_sequence(ssl
);
254 * Send the entire server hello sequence
256 static int send_server_hello_sequence(SSL
*ssl
)
260 if ((ret
= send_server_hello(ssl
)) == SSL_OK
)
262 #ifndef CONFIG_SSL_SKELETON_MODE
263 /* resume handshake? */
264 if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME
))
266 if ((ret
= send_change_cipher_spec(ssl
)) == SSL_OK
)
268 ret
= send_finished(ssl
);
269 ssl
->next_state
= HS_FINISHED
;
274 if ((ret
= send_certificate(ssl
)) == SSL_OK
)
276 #ifdef CONFIG_SSL_CERT_VERIFICATION
277 /* ask the client for its certificate */
278 if (IS_SET_SSL_FLAG(SSL_CLIENT_AUTHENTICATION
))
280 if ((ret
= send_certificate_request(ssl
)) == SSL_OK
)
282 ret
= send_server_hello_done(ssl
);
283 ssl
->next_state
= HS_CERTIFICATE
;
289 ret
= send_server_hello_done(ssl
);
290 ssl
->next_state
= HS_CLIENT_KEY_XCHG
;
299 * Send a server hello message.
301 static int send_server_hello(SSL
*ssl
)
303 uint8_t *buf
= ssl
->bm_data
;
306 buf
[0] = HS_SERVER_HELLO
;
309 /* byte 3 is calculated later */
311 buf
[5] = ssl
->version
& 0x0f;
313 /* server random value */
314 get_random(SSL_RANDOM_SIZE
, &buf
[6]);
315 memcpy(ssl
->dc
->server_random
, &buf
[6], SSL_RANDOM_SIZE
);
316 offset
= 6 + SSL_RANDOM_SIZE
;
318 #ifndef CONFIG_SSL_SKELETON_MODE
319 if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME
))
321 /* retrieve id from session cache */
322 buf
[offset
++] = SSL_SESSION_ID_SIZE
;
323 memcpy(&buf
[offset
], ssl
->session
->session_id
, SSL_SESSION_ID_SIZE
);
324 memcpy(ssl
->session_id
, ssl
->session
->session_id
, SSL_SESSION_ID_SIZE
);
325 ssl
->sess_id_size
= SSL_SESSION_ID_SIZE
;
326 offset
+= SSL_SESSION_ID_SIZE
;
328 else /* generate our own session id */
331 #ifndef CONFIG_SSL_SKELETON_MODE
332 buf
[offset
++] = SSL_SESSION_ID_SIZE
;
333 get_random(SSL_SESSION_ID_SIZE
, &buf
[offset
]);
334 memcpy(ssl
->session_id
, &buf
[offset
], SSL_SESSION_ID_SIZE
);
335 ssl
->sess_id_size
= SSL_SESSION_ID_SIZE
;
337 /* store id in session cache */
338 if (ssl
->ssl_ctx
->num_sessions
)
340 memcpy(ssl
->session
->session_id
,
341 ssl
->session_id
, SSL_SESSION_ID_SIZE
);
344 offset
+= SSL_SESSION_ID_SIZE
;
346 buf
[offset
++] = 0; /* don't bother with session id in skelton mode */
350 buf
[offset
++] = 0; /* cipher we are using */
351 buf
[offset
++] = ssl
->cipher
;
352 buf
[offset
++] = 0; /* no compression */
353 buf
[3] = offset
- 4; /* handshake size */
354 return send_packet(ssl
, PT_HANDSHAKE_PROTOCOL
, NULL
, offset
);
358 * Send the server hello done message.
360 static int send_server_hello_done(SSL
*ssl
)
362 return send_packet(ssl
, PT_HANDSHAKE_PROTOCOL
,
363 g_hello_done
, sizeof(g_hello_done
));
367 * Pull apart a client key exchange message. Decrypt the pre-master key (using
368 * our RSA private key) and then work out the master key. Initialise the
371 static int process_client_key_xchg(SSL
*ssl
)
373 uint8_t *buf
= &ssl
->bm_data
[ssl
->dc
->bm_proc_index
];
374 int pkt_size
= ssl
->bm_index
;
375 int premaster_size
, secret_length
= (buf
[2] << 8) + buf
[3];
376 uint8_t premaster_secret
[MAX_KEY_BYTE_SIZE
];
377 RSA_CTX
*rsa_ctx
= ssl
->ssl_ctx
->rsa_ctx
;
383 ret
= SSL_ERROR_NO_CERT_DEFINED
;
387 /* is there an extra size field? */
388 if ((secret_length
- 2) == rsa_ctx
->num_octets
)
391 PARANOIA_CHECK(pkt_size
, rsa_ctx
->num_octets
+offset
);
393 /* rsa_ctx->bi_ctx is not thread-safe */
394 SSL_CTX_LOCK(ssl
->ssl_ctx
->mutex
);
395 premaster_size
= RSA_decrypt(rsa_ctx
, &buf
[offset
], premaster_secret
, 1);
396 SSL_CTX_UNLOCK(ssl
->ssl_ctx
->mutex
);
398 if (premaster_size
!= SSL_SECRET_SIZE
||
399 premaster_secret
[0] != 0x03 || /* must be the same as client
401 premaster_secret
[1] != (ssl
->client_version
& 0x0f))
403 /* guard against a Bleichenbacher attack */
404 get_random(SSL_SECRET_SIZE
, premaster_secret
);
405 /* and continue - will die eventually when checking the mac */
409 print_blob("pre-master", premaster_secret
, SSL_SECRET_SIZE
);
412 generate_master_secret(ssl
, premaster_secret
);
414 #ifdef CONFIG_SSL_CERT_VERIFICATION
415 ssl
->next_state
= IS_SET_SSL_FLAG(SSL_CLIENT_AUTHENTICATION
) ?
416 HS_CERT_VERIFY
: HS_FINISHED
;
418 ssl
->next_state
= HS_FINISHED
;
421 ssl
->dc
->bm_proc_index
+= rsa_ctx
->num_octets
+offset
;
426 #ifdef CONFIG_SSL_CERT_VERIFICATION
427 static const uint8_t g_cert_request
[] = { HS_CERT_REQ
, 0, 0, 4, 1, 0, 0, 0 };
430 * Send the certificate request message.
432 static int send_certificate_request(SSL
*ssl
)
434 return send_packet(ssl
, PT_HANDSHAKE_PROTOCOL
,
435 g_cert_request
, sizeof(g_cert_request
));
439 * Ensure the client has the private key by first decrypting the packet and
440 * then checking the packet digests.
442 static int process_cert_verify(SSL
*ssl
)
444 uint8_t *buf
= &ssl
->bm_data
[ssl
->dc
->bm_proc_index
];
445 int pkt_size
= ssl
->bm_index
;
446 uint8_t dgst_buf
[MAX_KEY_BYTE_SIZE
];
447 uint8_t dgst
[MD5_SIZE
+SHA1_SIZE
];
448 X509_CTX
*x509_ctx
= ssl
->x509_ctx
;
452 PARANOIA_CHECK(pkt_size
, x509_ctx
->rsa_ctx
->num_octets
+6);
453 DISPLAY_RSA(ssl
, x509_ctx
->rsa_ctx
);
455 /* rsa_ctx->bi_ctx is not thread-safe */
456 SSL_CTX_LOCK(ssl
->ssl_ctx
->mutex
);
457 n
= RSA_decrypt(x509_ctx
->rsa_ctx
, &buf
[6], dgst_buf
, 0);
458 SSL_CTX_UNLOCK(ssl
->ssl_ctx
->mutex
);
460 if (n
!= SHA1_SIZE
+ MD5_SIZE
)
462 ret
= SSL_ERROR_INVALID_KEY
;
466 finished_digest(ssl
, NULL
, dgst
); /* calculate the digest */
467 if (memcmp(dgst_buf
, dgst
, MD5_SIZE
+ SHA1_SIZE
))
469 ret
= SSL_ERROR_INVALID_KEY
;
473 ssl
->next_state
= HS_FINISHED
;