/home/dko/projects/mobilec/tags/MobileC-v1.10.2/MobileC-v1.10.2/src/security/xyssl-0.9/library/ssl_srv.c

Go to the documentation of this file.
00001 /*
00002  *  SSLv3/TLSv1 server-side functions
00003  *
00004  *  Copyright (C) 2006-2007  Christophe Devine
00005  *
00006  *  This program is free software; you can redistribute it and/or modify
00007  *  it under the terms of the GNU General Public License as published by
00008  *  the Free Software Foundation; either version 2 of the License, or
00009  *  (at your option) any later version.
00010  *
00011  *  This program is distributed in the hope that it will be useful,
00012  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00013  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00014  *  GNU General Public License for more details.
00015  *
00016  *  You should have received a copy of the GNU General Public License along
00017  *  with this program; if not, write to the Free Software Foundation, Inc.,
00018  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
00019  */
00020 
00021 #include "xyssl/config.h"
00022 
00023 #if defined(XYSSL_SSL_SRV_C)
00024 
00025 #include "xyssl/debug.h"
00026 #include "xyssl/ssl.h"
00027 
00028 #include <string.h>
00029 #include <stdlib.h>
00030 #include <stdio.h>
00031 #include <time.h>
00032 
00033 static int ssl_parse_client_hello( ssl_context *ssl )
00034 {
00035     int ret, i, j, n;
00036     int ciph_len, sess_len;
00037     int chal_len, comp_len;
00038     unsigned char *buf, *p;
00039 
00040     SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
00041 
00042     if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
00043     {
00044         SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00045         return( ret );
00046     }
00047 
00048     buf = ssl->in_hdr;
00049 
00050     if( ( buf[0] & 0x80 ) != 0 )
00051     {
00052         SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00053 
00054         SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
00055                        buf[2] ) );
00056         SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
00057                        ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
00058         SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
00059                        buf[3], buf[4] ) );
00060 
00061         /*
00062          * SSLv2 Client Hello
00063          *
00064          * Record layer:
00065          *     0  .   1   message length
00066          *
00067          * SSL layer:
00068          *     2  .   2   message type
00069          *     3  .   4   protocol version
00070          */
00071         if( buf[2] != SSL_HS_CLIENT_HELLO ||
00072             buf[3] != SSL_MAJOR_VERSION_3 )
00073         {
00074             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00075             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00076         }
00077 
00078         n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
00079 
00080         if( n < 17 || n > 512 )
00081         {
00082             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00083             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00084         }
00085 
00086         ssl->max_major_ver = buf[3];
00087         ssl->max_minor_ver = buf[4];
00088 
00089         ssl->major_ver = SSL_MAJOR_VERSION_3;
00090         ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_1 )
00091                          ? buf[4]  : SSL_MINOR_VERSION_1;
00092 
00093         if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
00094         {
00095             SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00096             return( ret );
00097         }
00098 
00099          md5_update( &ssl->fin_md5 , buf + 2, n );
00100         sha1_update( &ssl->fin_sha1, buf + 2, n );
00101 
00102         buf = ssl->in_msg;
00103         n = ssl->in_left - 5;
00104 
00105         /*
00106          *    0  .   1   cipherlist length
00107          *    2  .   3   session id length
00108          *    4  .   5   challenge length
00109          *    6  .  ..   cipherlist
00110          *   ..  .  ..   session id
00111          *   ..  .  ..   challenge
00112          */
00113         SSL_DEBUG_BUF( 4, "record contents", buf, n );
00114 
00115         ciph_len = ( buf[0] << 8 ) | buf[1];
00116         sess_len = ( buf[2] << 8 ) | buf[3];
00117         chal_len = ( buf[4] << 8 ) | buf[5];
00118 
00119         SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
00120                        ciph_len, sess_len, chal_len ) );
00121 
00122         /*
00123          * Make sure each parameter length is valid
00124          */
00125         if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
00126         {
00127             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00128             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00129         }
00130 
00131         if( sess_len < 0 || sess_len > 32 )
00132         {
00133             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00134             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00135         }
00136 
00137         if( chal_len < 8 || chal_len > 32 )
00138         {
00139             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00140             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00141         }
00142 
00143         if( n != 6 + ciph_len + sess_len + chal_len )
00144         {
00145             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00146             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00147         }
00148 
00149         SSL_DEBUG_BUF( 3, "client hello, cipherlist",
00150                        buf + 6,  ciph_len );
00151         SSL_DEBUG_BUF( 3, "client hello, session id",
00152                        buf + 6 + ciph_len,  sess_len );
00153         SSL_DEBUG_BUF( 3, "client hello, challenge",
00154                        buf + 6 + ciph_len + sess_len,  chal_len );
00155 
00156         p = buf + 6 + ciph_len;
00157         ssl->session->length = sess_len;
00158         memset( ssl->session->id, 0, sizeof( ssl->session->id ) );
00159         memcpy( ssl->session->id, p, ssl->session->length );
00160 
00161         p += sess_len;
00162         memset( ssl->randbytes, 0, 64 );
00163         memcpy( ssl->randbytes + 32 - chal_len, p, chal_len );
00164 
00165         for( i = 0; ssl->ciphers[i] != 0; i++ )
00166         {
00167             for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
00168             {
00169                 if( p[0] == 0 &&
00170                     p[1] == 0 &&
00171                     p[2] == ssl->ciphers[i] )
00172                     goto have_cipher;
00173             }
00174         }
00175     }
00176     else
00177     {
00178         SSL_DEBUG_BUF( 4, "record header", buf, 5 );
00179 
00180         SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
00181                        buf[0] ) );
00182         SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
00183                        ( buf[3] << 8 ) | buf[4] ) );
00184         SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
00185                        buf[1], buf[2] ) );
00186 
00187         /*
00188          * SSLv3 Client Hello
00189          *
00190          * Record layer:
00191          *     0  .   0   message type
00192          *     1  .   2   protocol version
00193          *     3  .   4   message length
00194          */
00195         if( buf[0] != SSL_MSG_HANDSHAKE ||
00196             buf[1] != SSL_MAJOR_VERSION_3 )
00197         {
00198             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00199             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00200         }
00201 
00202         n = ( buf[3] << 8 ) | buf[4];
00203 
00204         if( n < 45 || n > 512 )
00205         {
00206             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00207             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00208         }
00209 
00210         if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
00211         {
00212             SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
00213             return( ret );
00214         }
00215 
00216         buf = ssl->in_msg;
00217         n = ssl->in_left - 5;
00218 
00219          md5_update( &ssl->fin_md5 , buf, n );
00220         sha1_update( &ssl->fin_sha1, buf, n );
00221 
00222         /*
00223          * SSL layer:
00224          *     0  .   0   handshake type
00225          *     1  .   3   handshake length
00226          *     4  .   5   protocol version
00227          *     6  .   9   UNIX time()
00228          *    10  .  37   random bytes
00229          *    38  .  38   session id length
00230          *    39  . 38+x  session id
00231          *   39+x . 40+x  cipherlist length
00232          *   41+x .  ..   cipherlist
00233          *    ..  .  ..   compression alg.
00234          *    ..  .  ..   extensions
00235          */
00236         SSL_DEBUG_BUF( 4, "record contents", buf, n );
00237 
00238         SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
00239                        buf[0] ) );
00240         SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
00241                        ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
00242         SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
00243                        buf[4], buf[5] ) );
00244 
00245         /*
00246          * Check the handshake type and protocol version
00247          */
00248         if( buf[0] != SSL_HS_CLIENT_HELLO ||
00249             buf[4] != SSL_MAJOR_VERSION_3 )
00250         {
00251             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00252             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00253         }
00254 
00255         ssl->major_ver = SSL_MAJOR_VERSION_3;
00256         ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_1 )
00257                          ? buf[5]  : SSL_MINOR_VERSION_1;
00258 
00259         ssl->max_major_ver = buf[4];
00260         ssl->max_minor_ver = buf[5];
00261 
00262         memcpy( ssl->randbytes, buf + 6, 32 );
00263 
00264         /*
00265          * Check the handshake message length
00266          */
00267         if( buf[1] != 0 || n != 4 + ( ( buf[2] << 8 ) | buf[3] ) )
00268         {
00269             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00270             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00271         }
00272 
00273         /*
00274          * Check the session length
00275          */
00276         sess_len = buf[38];
00277 
00278         if( sess_len < 0 || sess_len > 32 )
00279         {
00280             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00281             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00282         }
00283 
00284         ssl->session->length = sess_len;
00285         memset( ssl->session->id, 0, sizeof( ssl->session->id ) );
00286         memcpy( ssl->session->id, buf + 39 , ssl->session->length );
00287 
00288         /*
00289          * Check the cipherlist length
00290          */
00291         ciph_len = ( buf[39 + sess_len] << 8 )
00292                  | ( buf[40 + sess_len]      );
00293 
00294         if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
00295         {
00296             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00297             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00298         }
00299 
00300         /*
00301          * Check the compression algorithms length
00302          */
00303         comp_len = buf[41 + sess_len + ciph_len];
00304 
00305         if( comp_len < 1 || comp_len > 16 )
00306         {
00307             SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
00308             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
00309         }
00310 
00311         SSL_DEBUG_BUF( 3, "client hello, random bytes",
00312                        buf +  6,  32 );
00313         SSL_DEBUG_BUF( 3, "client hello, session id",
00314                        buf + 38,  sess_len );
00315         SSL_DEBUG_BUF( 3, "client hello, cipherlist",
00316                        buf + 41 + sess_len,  ciph_len );
00317         SSL_DEBUG_BUF( 3, "client hello, compression",
00318                        buf + 42 + sess_len + ciph_len, comp_len );
00319 
00320         /*
00321          * Search for a matching cipher
00322          */
00323         for( i = 0; ssl->ciphers[i] != 0; i++ )
00324         {
00325             for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
00326                 j += 2, p += 2 )
00327             {
00328                 if( p[0] == 0 && p[1] == ssl->ciphers[i] )
00329                     goto have_cipher;
00330             }
00331         }
00332     }
00333 
00334     SSL_DEBUG_MSG( 1, ( "got no ciphers in common" ) );
00335 
00336     return( XYSSL_ERR_SSL_NO_CIPHER_CHOSEN );
00337 
00338 have_cipher:
00339 
00340     ssl->session->cipher = ssl->ciphers[i];
00341     ssl->in_left = 0;
00342     ssl->state++;
00343 
00344     SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
00345 
00346     return( 0 );
00347 }
00348 
00349 static int ssl_write_server_hello( ssl_context *ssl )
00350 {
00351     time_t t;
00352     int ret, i, n;
00353     unsigned char *buf, *p;
00354 
00355     SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
00356 
00357     /*
00358      *     0  .   0   handshake type
00359      *     1  .   3   handshake length
00360      *     4  .   5   protocol version
00361      *     6  .   9   UNIX time()
00362      *    10  .  37   random bytes
00363      */
00364     buf = ssl->out_msg;
00365     p = buf + 4;
00366 
00367     *p++ = (unsigned char) ssl->major_ver;
00368     *p++ = (unsigned char) ssl->minor_ver;
00369 
00370     SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
00371                    buf[4], buf[5] ) );
00372 
00373     t = time( NULL );
00374     *p++ = (unsigned char)( t >> 24 );
00375     *p++ = (unsigned char)( t >> 16 );
00376     *p++ = (unsigned char)( t >>  8 );
00377     *p++ = (unsigned char)( t       );
00378 
00379     SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
00380 
00381     for( i = 28; i > 0; i-- )
00382         *p++ = (unsigned char) ssl->f_rng( ssl->p_rng );
00383 
00384     memcpy( ssl->randbytes + 32, buf + 6, 32 );
00385 
00386     SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
00387 
00388     /*
00389      *    38  .  38   session id length
00390      *    39  . 38+n  session id
00391      *   39+n . 40+n  chosen cipher
00392      *   41+n . 41+n  chosen compression alg.
00393      */
00394     ssl->session->length = n = 32;
00395     *p++ = (unsigned char) ssl->session->length;
00396 
00397     if( ssl->s_get == NULL ||
00398         ssl->s_get( ssl ) != 0 )
00399     {
00400         /*
00401          * Not found, create a new session id
00402          */
00403         ssl->resume = 0;
00404         ssl->state++;
00405 
00406         for( i = 0; i < n; i++ )
00407             ssl->session->id[i] =
00408                 (unsigned char) ssl->f_rng( ssl->p_rng );
00409     }
00410     else
00411     {
00412         /*
00413          * Found a matching session, resume it
00414          */
00415         ssl->resume = 1;
00416         ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
00417         ssl_derive_keys( ssl );
00418     }
00419 
00420     memcpy( p, ssl->session->id, ssl->session->length );
00421     p += ssl->session->length;
00422 
00423     SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
00424     SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
00425     SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
00426                    ssl->resume ? "a" : "no" ) );
00427 
00428     *p++ = (unsigned char)( ssl->session->cipher >> 8 );
00429     *p++ = (unsigned char)( ssl->session->cipher      );
00430     *p++ = SSL_COMPRESS_NULL;
00431 
00432     SSL_DEBUG_MSG( 3, ( "server hello, chosen cipher: %d",
00433                    ssl->session->cipher ) );
00434     SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 0 ) );
00435 
00436     ssl->out_msglen  = p - buf;
00437     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00438     ssl->out_msg[0]  = SSL_HS_SERVER_HELLO;
00439 
00440     ret = ssl_write_record( ssl );
00441 
00442     SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
00443 
00444     return( ret );
00445 }
00446 
00447 static int ssl_write_certificate_request( ssl_context *ssl )
00448 {
00449     int ret, n;
00450     unsigned char *buf, *p;
00451     x509_cert *crt;
00452 
00453     SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
00454 
00455     ssl->state++;
00456 
00457     if( ssl->authmode == SSL_VERIFY_NONE )
00458     {
00459         SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
00460         return( 0 );
00461     }
00462 
00463     /*
00464      *     0  .   0   handshake type
00465      *     1  .   3   handshake length
00466      *     4  .   4   cert type count
00467      *     5  .. n-1  cert types
00468      *     n  .. n+1  length of all DNs
00469      *    n+2 .. n+3  length of DN 1
00470      *    n+4 .. ...  Distinguished Name #1
00471      *    ... .. ...  length of DN 2, etc.
00472      */
00473     buf = ssl->out_msg;
00474     p = buf + 4;
00475 
00476     /*
00477      * At the moment, only RSA certificates are supported
00478      */
00479     *p++ = 1;
00480     *p++ = 1;
00481 
00482     p += 2;
00483     crt = ssl->ca_chain;
00484 
00485     while( crt != NULL && crt->next != NULL )
00486     {
00487         if( p - buf > 4096 )
00488             break;
00489 
00490         n = crt->subject_raw.len;
00491         *p++ = (unsigned char)( n >> 8 );
00492         *p++ = (unsigned char)( n      );
00493         memcpy( p, crt->subject_raw.p, n );
00494 
00495         SSL_DEBUG_BUF( 3, "requested DN", p, n );
00496         p += n; crt = crt->next;
00497     }
00498 
00499     ssl->out_msglen  = n = p - buf;
00500     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00501     ssl->out_msg[0]  = SSL_HS_CERTIFICATE_REQUEST;
00502     ssl->out_msg[6]  = (unsigned char)( ( n - 8 ) >> 8 );
00503     ssl->out_msg[7]  = (unsigned char)( ( n - 8 )      );
00504 
00505     ret = ssl_write_record( ssl );
00506 
00507     SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
00508 
00509     return( ret );
00510 }
00511 
00512 static int ssl_write_server_key_exchange( ssl_context *ssl )
00513 {
00514     int ret, n;
00515     unsigned char hash[36];
00516     md5_context md5;
00517     sha1_context sha1;
00518 
00519     SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
00520 
00521     if( ssl->session->cipher != SSL_EDH_RSA_DES_168_SHA &&
00522         ssl->session->cipher != SSL_EDH_RSA_AES_256_SHA )
00523     {
00524         SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
00525         ssl->state++;
00526         return( 0 );
00527     }
00528 
00529 #if !defined(XYSSL_DHM_C)
00530     SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
00531     return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00532 #else
00533     /*
00534      * Ephemeral DH parameters:
00535      *
00536      * struct {
00537      *     opaque dh_p<1..2^16-1>;
00538      *     opaque dh_g<1..2^16-1>;
00539      *     opaque dh_Ys<1..2^16-1>;
00540      * } ServerDHParams;
00541      */
00542     if( ( ret = dhm_make_params( &ssl->dhm_ctx, 256, ssl->out_msg + 4,
00543                                  &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
00544     {
00545         SSL_DEBUG_RET( 1, "dhm_make_params", ret );
00546         return( ret );
00547     }
00548 
00549     SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->dhm_ctx.X  );
00550     SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->dhm_ctx.P  );
00551     SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->dhm_ctx.G  );
00552     SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->dhm_ctx.GX );
00553 
00554     /*
00555      * digitally-signed struct {
00556      *     opaque md5_hash[16];
00557      *     opaque sha_hash[20];
00558      * };
00559      *
00560      * md5_hash
00561      *     MD5(ClientHello.random + ServerHello.random
00562      *                            + ServerParams);
00563      * sha_hash
00564      *     SHA(ClientHello.random + ServerHello.random
00565      *                            + ServerParams);
00566      */
00567     md5_starts( &md5 );
00568     md5_update( &md5, ssl->randbytes,  64 );
00569     md5_update( &md5, ssl->out_msg + 4, n );
00570     md5_finish( &md5, hash );
00571 
00572     sha1_starts( &sha1 );
00573     sha1_update( &sha1, ssl->randbytes,  64 );
00574     sha1_update( &sha1, ssl->out_msg + 4, n );
00575     sha1_finish( &sha1, hash + 16 );
00576 
00577     SSL_DEBUG_BUF( 3, "parameters hash", hash, 36 );
00578 
00579     ssl->out_msg[4 + n] = (unsigned char)( ssl->rsa_key->len >> 8 );
00580     ssl->out_msg[5 + n] = (unsigned char)( ssl->rsa_key->len      );
00581 
00582     ret = rsa_pkcs1_sign( ssl->rsa_key, RSA_PRIVATE,
00583                           RSA_RAW, 36, hash, ssl->out_msg + 6 + n );
00584     if( ret != 0 )
00585     {
00586         SSL_DEBUG_RET( 1, "rsa_pkcs1_sign", ret );
00587         return( ret );
00588     }
00589 
00590     SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n,
00591                                     ssl->rsa_key->len );
00592 
00593     ssl->out_msglen  = 6 + n + ssl->rsa_key->len;
00594     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00595     ssl->out_msg[0]  = SSL_HS_SERVER_KEY_EXCHANGE;
00596 
00597     ssl->state++;
00598 
00599     if( ( ret = ssl_write_record( ssl ) ) != 0 )
00600     {
00601         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
00602         return( ret );
00603     }
00604 
00605     SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
00606 
00607     return( 0 );
00608 #endif
00609 }
00610 
00611 static int ssl_write_server_hello_done( ssl_context *ssl )
00612 {
00613     int ret;
00614 
00615     SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
00616 
00617     ssl->out_msglen  = 4;
00618     ssl->out_msgtype = SSL_MSG_HANDSHAKE;
00619     ssl->out_msg[0]  = SSL_HS_SERVER_HELLO_DONE;
00620 
00621     ssl->state++;
00622 
00623     if( ( ret = ssl_write_record( ssl ) ) != 0 )
00624     {
00625         SSL_DEBUG_RET( 1, "ssl_write_record", ret );
00626         return( ret );
00627     }
00628 
00629     SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
00630 
00631     return( 0 );
00632 }
00633 
00634 static int ssl_parse_client_key_exchange( ssl_context *ssl )
00635 {
00636     int ret, i, n;
00637 
00638     SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
00639 
00640     if( ( ret = ssl_read_record( ssl ) ) != 0 )
00641     {
00642         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00643         return( ret );
00644     }
00645 
00646     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00647     {
00648         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00649         return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00650     }
00651 
00652     if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
00653     {
00654         SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00655         return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00656     }
00657 
00658     if( ssl->session->cipher == SSL_EDH_RSA_DES_168_SHA ||
00659         ssl->session->cipher == SSL_EDH_RSA_AES_256_SHA )
00660     {
00661 #if !defined(XYSSL_DHM_C)
00662         SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
00663         return( XYSSL_ERR_SSL_FEATURE_UNAVAILABLE );
00664 #else
00665         /*
00666          * Receive G^Y mod P, premaster = (G^Y)^X mod P
00667          */
00668         n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
00669 
00670         if( n < 1 || n > ssl->dhm_ctx.len ||
00671             n + 6 != ssl->in_hslen )
00672         {
00673             SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00674             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00675         }
00676 
00677         if( ( ret = dhm_read_public( &ssl->dhm_ctx,
00678                                       ssl->in_msg + 6, n ) ) != 0 )
00679         {
00680             SSL_DEBUG_RET( 1, "dhm_read_public", ret );
00681             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE | ret );
00682         }
00683 
00684         SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->dhm_ctx.GY );
00685 
00686         ssl->pmslen = ssl->dhm_ctx.len;
00687 
00688         if( ( ret = dhm_calc_secret( &ssl->dhm_ctx,
00689                      ssl->premaster, &ssl->pmslen ) ) != 0 )
00690         {
00691             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
00692             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE | ret );
00693         }
00694 
00695         SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->dhm_ctx.K  );
00696 #endif
00697     }
00698     else
00699     {
00700         /*
00701          * Decrypt the premaster using own private RSA key
00702          */
00703         i = 4;
00704         n = ssl->rsa_key->len;
00705         ssl->pmslen = 48;
00706 
00707         if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
00708         {
00709             i += 2;
00710             if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
00711                 ssl->in_msg[5] != ( ( n      ) & 0xFF ) )
00712             {
00713                 SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00714                 return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00715             }
00716         }
00717 
00718         if( ssl->in_hslen != i + n )
00719         {
00720             SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00721             return( XYSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
00722         }
00723 
00724         ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, &ssl->pmslen,
00725                                  ssl->in_msg + i, ssl->premaster );
00726 
00727         if( ret != 0 || ssl->pmslen != 48 ||
00728             ssl->premaster[0] != ssl->max_major_ver ||
00729             ssl->premaster[1] != ssl->max_minor_ver )
00730         {
00731             SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
00732 
00733             /*
00734              * Protection against Bleichenbacher's attack:
00735              * invalid PKCS#1 v1.5 padding must not cause
00736              * the connection to end immediately; instead,
00737              * send a bad_record_mac later in the handshake.
00738              */
00739             ssl->pmslen = 48;
00740 
00741             for( i = 0; i < ssl->pmslen; i++ )
00742                 ssl->premaster[i] = (unsigned char) ssl->f_rng( ssl->p_rng );
00743         }
00744     }
00745 
00746     ssl_derive_keys( ssl );
00747 
00748     if( ssl->s_set != NULL )
00749         ssl->s_set( ssl );
00750 
00751     ssl->state++;
00752 
00753     SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
00754 
00755     return( 0 );
00756 }
00757 
00758 static int ssl_parse_certificate_verify( ssl_context *ssl )
00759 {
00760     int n1, n2, ret;
00761     unsigned char hash[36];
00762 
00763     SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
00764 
00765     if( ssl->peer_cert == NULL )
00766     {
00767         SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
00768         ssl->state++;
00769         return( 0 );
00770     }
00771 
00772     ssl_calc_verify( ssl, hash );
00773 
00774     if( ( ret = ssl_read_record( ssl ) ) != 0 )
00775     {
00776         SSL_DEBUG_RET( 1, "ssl_read_record", ret );
00777         return( ret );
00778     }
00779 
00780     ssl->state++;
00781 
00782     if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
00783     {
00784         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
00785         return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
00786     }
00787 
00788     if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
00789     {
00790         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
00791         return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
00792     }
00793 
00794     n1 = ssl->peer_cert->rsa.len;
00795     n2 = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
00796 
00797     if( n1 + 6 != ssl->in_hslen || n1 != n2 )
00798     {
00799         SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
00800         return( XYSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
00801     }
00802 
00803     ret = rsa_pkcs1_verify( &ssl->peer_cert->rsa, RSA_PUBLIC,
00804                             RSA_RAW, 36, hash, ssl->in_msg + 6 );
00805     if( ret != 0 )
00806     {
00807         SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
00808         return( ret );
00809     }
00810 
00811     SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
00812 
00813     return( 0 );
00814 }
00815 
00816 /*
00817  * SSL handshake -- server side
00818  */
00819 int ssl_handshake_server( ssl_context *ssl )
00820 {
00821     int ret = 0;
00822 
00823     SSL_DEBUG_MSG( 2, ( "=> handshake server" ) );
00824 
00825     while( ssl->state != SSL_HANDSHAKE_OVER )
00826     {
00827         SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
00828 
00829         if( ( ret = ssl_flush_output( ssl ) ) != 0 )
00830             break;
00831 
00832         switch( ssl->state )
00833         {
00834             case SSL_HELLO_REQUEST:
00835                 ssl->state = SSL_CLIENT_HELLO;
00836                 break;
00837 
00838             /*
00839              *  <==   ClientHello
00840              */
00841             case SSL_CLIENT_HELLO:
00842                 ret = ssl_parse_client_hello( ssl );
00843                 break;
00844 
00845             /*
00846              *  ==>   ServerHello
00847              *        Certificate
00848              *      ( ServerKeyExchange  )
00849              *      ( CertificateRequest )
00850              *        ServerHelloDone
00851              */
00852             case SSL_SERVER_HELLO:
00853                 ret = ssl_write_server_hello( ssl );
00854                 break;
00855 
00856             case SSL_SERVER_CERTIFICATE:
00857                 ret = ssl_write_certificate( ssl );
00858                 break;
00859 
00860             case SSL_SERVER_KEY_EXCHANGE:
00861                 ret = ssl_write_server_key_exchange( ssl );
00862                 break;
00863 
00864             case SSL_CERTIFICATE_REQUEST:
00865                 ret = ssl_write_certificate_request( ssl );
00866                 break;
00867 
00868             case SSL_SERVER_HELLO_DONE:
00869                 ret = ssl_write_server_hello_done( ssl );
00870                 break;
00871 
00872             /*
00873              *  <== ( Certificate/Alert  )
00874              *        ClientKeyExchange
00875              *      ( CertificateVerify  )
00876              *        ChangeCipherSpec
00877              *        Finished
00878              */
00879             case SSL_CLIENT_CERTIFICATE:
00880                 ret = ssl_parse_certificate( ssl );
00881                 break;
00882 
00883             case SSL_CLIENT_KEY_EXCHANGE:
00884                 ret = ssl_parse_client_key_exchange( ssl );
00885                 break;
00886 
00887             case SSL_CERTIFICATE_VERIFY:
00888                 ret = ssl_parse_certificate_verify( ssl );
00889                 break;
00890 
00891             case SSL_CLIENT_CHANGE_CIPHER_SPEC:
00892                 ret = ssl_parse_change_cipher_spec( ssl );
00893                 break;
00894 
00895             case SSL_CLIENT_FINISHED:
00896                 ret = ssl_parse_finished( ssl );
00897                 break;
00898 
00899             /*
00900              *  ==>   ChangeCipherSpec
00901              *        Finished
00902              */
00903             case SSL_SERVER_CHANGE_CIPHER_SPEC:
00904                 ret = ssl_write_change_cipher_spec( ssl );
00905                 break;
00906 
00907             case SSL_SERVER_FINISHED:
00908                 ret = ssl_write_finished( ssl );
00909                 break;
00910 
00911             case SSL_FLUSH_BUFFERS:
00912                 SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
00913                 ssl->state = SSL_HANDSHAKE_OVER;
00914                 break;
00915 
00916             default:
00917                 SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
00918                 return( XYSSL_ERR_SSL_BAD_INPUT_DATA );
00919         }
00920 
00921         if( ret != 0 )
00922             break;
00923     }
00924 
00925     SSL_DEBUG_MSG( 2, ( "<= handshake server" ) );
00926 
00927     return( ret );
00928 }
00929 
00930 #endif
Generated on Fri Jul 11 17:59:46 2008 for Mobile-C by  doxygen 1.5.4