2
0

tls1_clnt.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386
  1. /*
  2. * Copyright (c) 2007, Cameron Rich
  3. *
  4. * All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without
  7. * modification, are permitted provided that the following conditions are met:
  8. *
  9. * * Redistributions of source code must retain the above copyright notice,
  10. * this list of conditions and the following disclaimer.
  11. * * Redistributions in binary form must reproduce the above copyright notice,
  12. * this list of conditions and the following disclaimer in the documentation
  13. * and/or other materials provided with the distribution.
  14. * * Neither the name of the axTLS project nor the names of its contributors
  15. * may be used to endorse or promote products derived from this software
  16. * without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  22. * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  23. * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  24. * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  25. * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  26. * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  27. * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  28. * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. */
  30. #include <stdlib.h>
  31. #include <string.h>
  32. #include <time.h>
  33. #include <stdio.h>
  34. #include "ssl.h"
  35. #ifdef CONFIG_SSL_ENABLE_CLIENT /* all commented out if no client */
  36. static int send_client_hello(SSL *ssl);
  37. static int process_server_hello(SSL *ssl);
  38. static int process_server_hello_done(SSL *ssl);
  39. static int send_client_key_xchg(SSL *ssl);
  40. static int process_cert_req(SSL *ssl);
  41. static int send_cert_verify(SSL *ssl);
  42. /*
  43. * Establish a new SSL connection to an SSL server.
  44. */
  45. EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
  46. uint8_t *session_id, uint8_t sess_id_size)
  47. {
  48. SSL *ssl;
  49. int ret;
  50. SOCKET_BLOCK(client_fd); /* ensure blocking mode */
  51. ssl = ssl_new(ssl_ctx, client_fd);
  52. if (session_id && ssl_ctx->num_sessions)
  53. {
  54. if (sess_id_size > SSL_SESSION_ID_SIZE) /* validity check */
  55. {
  56. ssl_free(ssl);
  57. return NULL;
  58. }
  59. memcpy(ssl->session_id, session_id, sess_id_size);
  60. ssl->sess_id_size = sess_id_size;
  61. SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */
  62. }
  63. SET_SSL_FLAG(SSL_IS_CLIENT);
  64. ret = do_client_connect(ssl);
  65. return ssl;
  66. }
  67. /*
  68. * Process the handshake record.
  69. */
  70. int do_clnt_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
  71. {
  72. int ret = SSL_OK;
  73. /* To get here the state must be valid */
  74. switch (handshake_type)
  75. {
  76. case HS_SERVER_HELLO:
  77. ret = process_server_hello(ssl);
  78. break;
  79. case HS_CERTIFICATE:
  80. ret = process_certificate(ssl, &ssl->x509_ctx);
  81. break;
  82. case HS_SERVER_HELLO_DONE:
  83. if ((ret = process_server_hello_done(ssl)) == SSL_OK)
  84. {
  85. if (IS_SET_SSL_FLAG(SSL_HAS_CERT_REQ))
  86. {
  87. if ((ret = send_certificate(ssl)) == SSL_OK &&
  88. (ret = send_client_key_xchg(ssl)) == SSL_OK)
  89. {
  90. send_cert_verify(ssl);
  91. }
  92. }
  93. else
  94. {
  95. ret = send_client_key_xchg(ssl);
  96. }
  97. if (ret == SSL_OK &&
  98. (ret = send_change_cipher_spec(ssl)) == SSL_OK)
  99. {
  100. ret = send_finished(ssl);
  101. }
  102. }
  103. break;
  104. case HS_CERT_REQ:
  105. ret = process_cert_req(ssl);
  106. break;
  107. case HS_FINISHED:
  108. ret = process_finished(ssl, hs_len);
  109. disposable_free(ssl); /* free up some memory */
  110. break;
  111. case HS_HELLO_REQUEST:
  112. disposable_new(ssl);
  113. ret = do_client_connect(ssl);
  114. break;
  115. }
  116. return ret;
  117. }
  118. /*
  119. * Do the handshaking from the beginning.
  120. */
  121. int do_client_connect(SSL *ssl)
  122. {
  123. int ret = SSL_OK;
  124. send_client_hello(ssl); /* send the client hello */
  125. ssl->bm_read_index = 0;
  126. ssl->next_state = HS_SERVER_HELLO;
  127. ssl->hs_status = SSL_NOT_OK; /* not connected */
  128. x509_free(ssl->x509_ctx);
  129. /* sit in a loop until it all looks good */
  130. while (ssl->hs_status != SSL_OK)
  131. {
  132. ret = basic_read(ssl, NULL);
  133. if (ret < SSL_OK)
  134. {
  135. if (ret != SSL_ERROR_CONN_LOST)
  136. {
  137. /* let the server know we are dying and why */
  138. if (send_alert(ssl, ret))
  139. {
  140. /* something nasty happened, so get rid of it */
  141. kill_ssl_session(ssl->ssl_ctx->ssl_sessions, ssl);
  142. }
  143. }
  144. break;
  145. }
  146. }
  147. ssl->hs_status = ret; /* connected? */
  148. return ret;
  149. }
  150. /*
  151. * Send the initial client hello.
  152. */
  153. static int send_client_hello(SSL *ssl)
  154. {
  155. uint8_t *buf = ssl->bm_data;
  156. time_t tm = time(NULL);
  157. uint8_t *tm_ptr = &buf[6]; /* time will go here */
  158. int i, offset;
  159. buf[0] = HS_CLIENT_HELLO;
  160. buf[1] = 0;
  161. buf[2] = 0;
  162. /* byte 3 is calculated later */
  163. buf[4] = 0x03;
  164. buf[5] = 0x01;
  165. /* client random value - spec says that 1st 4 bytes are big endian time */
  166. *tm_ptr++ = (uint8_t)(((long)tm & 0xff000000) >> 24);
  167. *tm_ptr++ = (uint8_t)(((long)tm & 0x00ff0000) >> 16);
  168. *tm_ptr++ = (uint8_t)(((long)tm & 0x0000ff00) >> 8);
  169. *tm_ptr++ = (uint8_t)(((long)tm & 0x000000ff));
  170. get_random(SSL_RANDOM_SIZE-4, &buf[10]);
  171. memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);
  172. offset = 6 + SSL_RANDOM_SIZE;
  173. /* give session resumption a go */
  174. if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME)) /* set initially by user */
  175. {
  176. buf[offset++] = ssl->sess_id_size;
  177. memcpy(&buf[offset], ssl->session_id, ssl->sess_id_size);
  178. offset += ssl->sess_id_size;
  179. CLR_SSL_FLAG(SSL_SESSION_RESUME); /* clear so we can set later */
  180. }
  181. else
  182. {
  183. /* no session id - because no session resumption just yet */
  184. buf[offset++] = 0;
  185. }
  186. buf[offset++] = 0; /* number of ciphers */
  187. buf[offset++] = NUM_PROTOCOLS*2;/* number of ciphers */
  188. /* put all our supported protocols in our request */
  189. for (i = 0; i < NUM_PROTOCOLS; i++)
  190. {
  191. buf[offset++] = 0; /* cipher we are using */
  192. buf[offset++] = ssl_prot_prefs[i];
  193. }
  194. buf[offset++] = 1; /* no compression */
  195. buf[offset++] = 0;
  196. buf[3] = offset - 4; /* handshake size */
  197. return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
  198. }
  199. /*
  200. * Process the server hello.
  201. */
  202. static int process_server_hello(SSL *ssl)
  203. {
  204. uint8_t *buf = ssl->bm_data;
  205. int pkt_size = ssl->bm_index;
  206. int version = (buf[4] << 4) + buf[5];
  207. int num_sessions = ssl->ssl_ctx->num_sessions;
  208. uint8_t sess_id_size;
  209. int offset, ret = SSL_OK;
  210. /* check that we are talking to a TLSv1 server */
  211. if (version != 0x31)
  212. return SSL_ERROR_INVALID_VERSION;
  213. /* get the server random value */
  214. memcpy(ssl->dc->server_random, &buf[6], SSL_RANDOM_SIZE);
  215. offset = 6 + SSL_RANDOM_SIZE; /* skip of session id size */
  216. sess_id_size = buf[offset++];
  217. if (num_sessions)
  218. {
  219. ssl->session = ssl_session_update(num_sessions,
  220. ssl->ssl_ctx->ssl_sessions, ssl, &buf[offset]);
  221. memcpy(ssl->session->session_id, &buf[offset], sess_id_size);
  222. /* pad the rest with 0's */
  223. if (sess_id_size < SSL_SESSION_ID_SIZE)
  224. {
  225. memset(&ssl->session->session_id[sess_id_size], 0,
  226. SSL_SESSION_ID_SIZE-sess_id_size);
  227. }
  228. }
  229. memcpy(ssl->session_id, &buf[offset], sess_id_size);
  230. ssl->sess_id_size = sess_id_size;
  231. offset += sess_id_size;
  232. /* get the real cipher we are using */
  233. ssl->cipher = buf[++offset];
  234. ssl->next_state = IS_SET_SSL_FLAG(SSL_SESSION_RESUME) ?
  235. HS_FINISHED : HS_CERTIFICATE;
  236. offset++; // skip the compr
  237. PARANOIA_CHECK(pkt_size, offset);
  238. ssl->dc->bm_proc_index = offset+1;
  239. error:
  240. return ret;
  241. }
  242. /**
  243. * Process the server hello done message.
  244. */
  245. static int process_server_hello_done(SSL *ssl)
  246. {
  247. ssl->next_state = HS_FINISHED;
  248. return SSL_OK;
  249. }
  250. /*
  251. * Send a client key exchange message.
  252. */
  253. static int send_client_key_xchg(SSL *ssl)
  254. {
  255. uint8_t *buf = ssl->bm_data;
  256. uint8_t premaster_secret[SSL_SECRET_SIZE];
  257. int enc_secret_size = -1;
  258. buf[0] = HS_CLIENT_KEY_XCHG;
  259. buf[1] = 0;
  260. premaster_secret[0] = 0x03; /* encode the version number */
  261. premaster_secret[1] = 0x01;
  262. get_random(SSL_SECRET_SIZE-2, &premaster_secret[2]);
  263. DISPLAY_RSA(ssl, ssl->x509_ctx->rsa_ctx);
  264. /* rsa_ctx->bi_ctx is not thread-safe */
  265. SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
  266. enc_secret_size = RSA_encrypt(ssl->x509_ctx->rsa_ctx, premaster_secret,
  267. SSL_SECRET_SIZE, &buf[6], 0);
  268. SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
  269. buf[2] = (enc_secret_size + 2) >> 8;
  270. buf[3] = (enc_secret_size + 2) & 0xff;
  271. buf[4] = enc_secret_size >> 8;
  272. buf[5] = enc_secret_size & 0xff;
  273. generate_master_secret(ssl, premaster_secret);
  274. return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, enc_secret_size+6);
  275. }
  276. /*
  277. * Process the certificate request.
  278. */
  279. static int process_cert_req(SSL *ssl)
  280. {
  281. uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
  282. int ret = SSL_OK;
  283. int offset = (buf[2] << 4) + buf[3];
  284. int pkt_size = ssl->bm_index;
  285. /* don't do any processing - we will send back an RSA certificate anyway */
  286. ssl->next_state = HS_SERVER_HELLO_DONE;
  287. SET_SSL_FLAG(SSL_HAS_CERT_REQ);
  288. ssl->dc->bm_proc_index += offset;
  289. PARANOIA_CHECK(pkt_size, offset);
  290. error:
  291. return ret;
  292. }
  293. /*
  294. * Send a certificate verify message.
  295. */
  296. static int send_cert_verify(SSL *ssl)
  297. {
  298. uint8_t *buf = ssl->bm_data;
  299. uint8_t dgst[MD5_SIZE+SHA1_SIZE];
  300. RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx;
  301. int n = 0, ret;
  302. DISPLAY_RSA(ssl, rsa_ctx);
  303. buf[0] = HS_CERT_VERIFY;
  304. buf[1] = 0;
  305. finished_digest(ssl, NULL, dgst); /* calculate the digest */
  306. /* rsa_ctx->bi_ctx is not thread-safe */
  307. if (rsa_ctx)
  308. {
  309. SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
  310. n = RSA_encrypt(rsa_ctx, dgst, sizeof(dgst), &buf[6], 1);
  311. SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
  312. if (n == 0)
  313. {
  314. ret = SSL_ERROR_INVALID_KEY;
  315. goto error;
  316. }
  317. }
  318. buf[4] = n >> 8; /* add the RSA size (not officially documented) */
  319. buf[5] = n & 0xff;
  320. n += 2;
  321. buf[2] = n >> 8;
  322. buf[3] = n & 0xff;
  323. ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, n+4);
  324. error:
  325. return ret;
  326. }
  327. #endif /* CONFIG_SSL_ENABLE_CLIENT */