1 /*
2 * Copyright (c) 2007, Cameron Rich
3 *
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * * Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * * Neither the name of the axTLS project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <stdlib.h>
32 #include <string.h>
33 #include <time.h>
34 #include <stdio.h>
35 #include "os_port.h"
36 #include "ssl.h"
37
38 #ifdef CONFIG_SSL_ENABLE_CLIENT /* all commented out if no client */
39
40 static int send_client_hello(SSL *ssl);
41 static int process_server_hello(SSL *ssl);
42 static int process_server_hello_done(SSL *ssl);
43 static int send_client_key_xchg(SSL *ssl);
44 static int process_cert_req(SSL *ssl);
45 static int send_cert_verify(SSL *ssl);
46
47 /*
48 * Establish a new SSL connection to an SSL server.
49 */
ssl_client_new(SSL_CTX * ssl_ctx,int client_fd,const uint8_t * session_id,uint8_t sess_id_size)50 EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
51 uint8_t *session_id, uint8_t sess_id_size)
52 {
53 SSL *ssl = ssl_new(ssl_ctx, client_fd);
54 ssl->version = SSL_PROTOCOL_VERSION_MAX; /* try top version first */
55
56 if (session_id && ssl_ctx->num_sessions)
57 {
58 if (sess_id_size > SSL_SESSION_ID_SIZE) /* validity check */
59 {
60 ssl_free(ssl);
61 return NULL;
62 }
63
64 memcpy(ssl->session_id, session_id, sess_id_size);
65 ssl->sess_id_size = sess_id_size;
66 SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */
67 }
68
69 SET_SSL_FLAG(SSL_IS_CLIENT);
70 do_client_connect(ssl);
71 return ssl;
72 }
73
74 /*
75 * Process the handshake record.
76 */
do_clnt_handshake(SSL * ssl,int handshake_type,uint8_t * buf,int hs_len)77 int do_clnt_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
78 {
79 int ret;
80
81 /* To get here the state must be valid */
82 switch (handshake_type)
83 {
84 case HS_SERVER_HELLO:
85 ret = process_server_hello(ssl);
86 break;
87
88 case HS_CERTIFICATE:
89 ret = process_certificate(ssl, &ssl->x509_ctx);
90 break;
91
92 case HS_SERVER_HELLO_DONE:
93 if ((ret = process_server_hello_done(ssl)) == SSL_OK)
94 {
95 if (IS_SET_SSL_FLAG(SSL_HAS_CERT_REQ))
96 {
97 if ((ret = send_certificate(ssl)) == SSL_OK &&
98 (ret = send_client_key_xchg(ssl)) == SSL_OK)
99 {
100 send_cert_verify(ssl);
101 }
102 }
103 else
104 {
105 ret = send_client_key_xchg(ssl);
106 }
107
108 if (ret == SSL_OK &&
109 (ret = send_change_cipher_spec(ssl)) == SSL_OK)
110 {
111 ret = send_finished(ssl);
112 }
113 }
114 break;
115
116 case HS_CERT_REQ:
117 ret = process_cert_req(ssl);
118 break;
119
120 case HS_FINISHED:
121 ret = process_finished(ssl, buf, hs_len);
122 disposable_free(ssl); /* free up some memory */
123 /* note: client renegotiation is not allowed after this */
124 break;
125
126 case HS_HELLO_REQUEST:
127 disposable_new(ssl);
128 ret = do_client_connect(ssl);
129 break;
130
131 default:
132 ret = SSL_ERROR_INVALID_HANDSHAKE;
133 break;
134 }
135
136 return ret;
137 }
138
139 /*
140 * Do the handshaking from the beginning.
141 */
do_client_connect(SSL * ssl)142 int do_client_connect(SSL *ssl)
143 {
144 int ret = SSL_OK;
145
146 send_client_hello(ssl); /* send the client hello */
147 ssl->bm_read_index = 0;
148 ssl->bm_rread_index = 0;
149 ssl->next_state = HS_SERVER_HELLO;
150 ssl->hs_status = SSL_NOT_OK; /* not connected */
151
152 /* sit in a loop until it all looks good */
153 if (!IS_SET_SSL_FLAG(SSL_CONNECT_IN_PARTS))
154 {
155 while (ssl->hs_status != SSL_OK)
156 {
157 /* Use internal, synchronous ssl_read */
158 ret = ssl_readi(ssl, NULL);
159
160 if (ret < SSL_OK)
161 break;
162 }
163
164 ssl->hs_status = ret; /* connected? */
165 }
166
167 return ret;
168 }
169
170 /*
171 * Send the initial client hello.
172 */
send_client_hello(SSL * ssl)173 static int send_client_hello(SSL *ssl)
174 {
175 uint8_t *buf = ssl->bm_data;
176 time_t tm = time(NULL);
177 uint8_t *tm_ptr = &buf[6]; /* time will go here */
178 int i, offset;
179
180 buf[0] = HS_CLIENT_HELLO;
181 buf[1] = 0;
182 buf[2] = 0;
183 /* byte 3 is calculated later */
184 buf[4] = 0x03;
185 buf[5] = ssl->version & 0x0f;
186
187 /* client random value - spec says that 1st 4 bytes are big endian time */
188 *tm_ptr++ = (uint8_t)(((long)tm & 0xff000000) >> 24);
189 *tm_ptr++ = (uint8_t)(((long)tm & 0x00ff0000) >> 16);
190 *tm_ptr++ = (uint8_t)(((long)tm & 0x0000ff00) >> 8);
191 *tm_ptr++ = (uint8_t)(((long)tm & 0x000000ff));
192 get_random(SSL_RANDOM_SIZE-4, &buf[10]);
193 memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);
194 offset = 6 + SSL_RANDOM_SIZE;
195
196 /* give session resumption a go */
197 if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME)) /* set initially by user */
198 {
199 buf[offset++] = ssl->sess_id_size;
200 memcpy(&buf[offset], ssl->session_id, ssl->sess_id_size);
201 offset += ssl->sess_id_size;
202 CLR_SSL_FLAG(SSL_SESSION_RESUME); /* clear so we can set later */
203 }
204 else
205 {
206 /* no session id - because no session resumption just yet */
207 buf[offset++] = 0;
208 }
209
210 buf[offset++] = 0; /* number of ciphers */
211 buf[offset++] = NUM_PROTOCOLS*2;/* number of ciphers */
212
213 /* put all our supported protocols in our request */
214 for (i = 0; i < NUM_PROTOCOLS; i++)
215 {
216 buf[offset++] = 0; /* cipher we are using */
217 buf[offset++] = ssl_prot_prefs[i];
218 }
219
220 buf[offset++] = 1; /* no compression */
221 buf[offset++] = 0;
222 buf[3] = offset - 4; /* handshake size */
223
224 return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
225 }
226
227 /*
228 * Process the server hello.
229 */
process_server_hello(SSL * ssl)230 static int process_server_hello(SSL *ssl)
231 {
232 uint8_t *buf = ssl->bm_data;
233 int pkt_size = ssl->bm_index;
234 int num_sessions = ssl->ssl_ctx->num_sessions;
235 uint8_t sess_id_size;
236 int offset, ret = SSL_OK;
237
238 /* check that we are talking to a TLSv1 server */
239 uint8_t version = (buf[4] << 4) + buf[5];
240 if (version > SSL_PROTOCOL_VERSION_MAX)
241 {
242 version = SSL_PROTOCOL_VERSION_MAX;
243 }
244 else if (ssl->version < SSL_PROTOCOL_MIN_VERSION)
245 {
246 ret = SSL_ERROR_INVALID_VERSION;
247 ssl_display_error(ret);
248 goto error;
249 }
250
251 ssl->version = version;
252
253 /* get the server random value */
254 memcpy(ssl->dc->server_random, &buf[6], SSL_RANDOM_SIZE);
255 offset = 6 + SSL_RANDOM_SIZE; /* skip of session id size */
256 sess_id_size = buf[offset++];
257
258 if (sess_id_size > SSL_SESSION_ID_SIZE)
259 {
260 ret = SSL_ERROR_INVALID_SESSION;
261 goto error;
262 }
263
264 if (num_sessions)
265 {
266 ssl->session = ssl_session_update(num_sessions,
267 ssl->ssl_ctx->ssl_sessions, ssl, &buf[offset]);
268 memcpy(ssl->session->session_id, &buf[offset], sess_id_size);
269
270 /* pad the rest with 0's */
271 if (sess_id_size < SSL_SESSION_ID_SIZE)
272 {
273 memset(&ssl->session->session_id[sess_id_size], 0,
274 SSL_SESSION_ID_SIZE-sess_id_size);
275 }
276 }
277
278 memcpy(ssl->session_id, &buf[offset], sess_id_size);
279 ssl->sess_id_size = sess_id_size;
280 offset += sess_id_size;
281
282 /* get the real cipher we are using */
283 ssl->cipher = buf[++offset];
284 ssl->next_state = IS_SET_SSL_FLAG(SSL_SESSION_RESUME) ?
285 HS_FINISHED : HS_CERTIFICATE;
286
287 offset++; // skip the compr
288 PARANOIA_CHECK(pkt_size, offset);
289 ssl->dc->bm_proc_index = offset+1;
290
291 error:
292 return ret;
293 }
294
295 /**
296 * Process the server hello done message.
297 */
process_server_hello_done(SSL * ssl)298 static int process_server_hello_done(SSL *ssl)
299 {
300 ssl->next_state = HS_FINISHED;
301 return SSL_OK;
302 }
303
304 /*
305 * Send a client key exchange message.
306 */
send_client_key_xchg(SSL * ssl)307 static int send_client_key_xchg(SSL *ssl)
308 {
309 uint8_t *buf = ssl->bm_data;
310 uint8_t premaster_secret[SSL_SECRET_SIZE];
311 int enc_secret_size = -1;
312
313 buf[0] = HS_CLIENT_KEY_XCHG;
314 buf[1] = 0;
315
316 premaster_secret[0] = 0x03; /* encode the version number */
317 premaster_secret[1] = SSL_PROTOCOL_MINOR_VERSION; /* must be TLS 1.1 */
318 get_random(SSL_SECRET_SIZE-2, &premaster_secret[2]);
319 DISPLAY_RSA(ssl, ssl->x509_ctx->rsa_ctx);
320
321 /* rsa_ctx->bi_ctx is not thread-safe */
322 SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
323 enc_secret_size = RSA_encrypt(ssl->x509_ctx->rsa_ctx, premaster_secret,
324 SSL_SECRET_SIZE, &buf[6], 0);
325 SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
326
327 buf[2] = (enc_secret_size + 2) >> 8;
328 buf[3] = (enc_secret_size + 2) & 0xff;
329 buf[4] = enc_secret_size >> 8;
330 buf[5] = enc_secret_size & 0xff;
331
332 generate_master_secret(ssl, premaster_secret);
333 return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, enc_secret_size+6);
334 }
335
336 /*
337 * Process the certificate request.
338 */
process_cert_req(SSL * ssl)339 static int process_cert_req(SSL *ssl)
340 {
341 uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
342 int ret = SSL_OK;
343 int offset = (buf[2] << 4) + buf[3];
344 int pkt_size = ssl->bm_index;
345
346 /* don't do any processing - we will send back an RSA certificate anyway */
347 ssl->next_state = HS_SERVER_HELLO_DONE;
348 SET_SSL_FLAG(SSL_HAS_CERT_REQ);
349 ssl->dc->bm_proc_index += offset;
350 PARANOIA_CHECK(pkt_size, offset);
351 error:
352 return ret;
353 }
354
355 /*
356 * Send a certificate verify message.
357 */
send_cert_verify(SSL * ssl)358 static int send_cert_verify(SSL *ssl)
359 {
360 uint8_t *buf = ssl->bm_data;
361 uint8_t dgst[MD5_SIZE+SHA1_SIZE];
362 RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx;
363 int n = 0, ret;
364
365 DISPLAY_RSA(ssl, rsa_ctx);
366
367 buf[0] = HS_CERT_VERIFY;
368 buf[1] = 0;
369
370 finished_digest(ssl, NULL, dgst); /* calculate the digest */
371
372 /* rsa_ctx->bi_ctx is not thread-safe */
373 if (rsa_ctx)
374 {
375 SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
376 n = RSA_encrypt(rsa_ctx, dgst, sizeof(dgst), &buf[6], 1);
377 SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
378
379 if (n == 0)
380 {
381 ret = SSL_ERROR_INVALID_KEY;
382 goto error;
383 }
384 }
385
386 buf[4] = n >> 8; /* add the RSA size (not officially documented) */
387 buf[5] = n & 0xff;
388 n += 2;
389 buf[2] = n >> 8;
390 buf[3] = n & 0xff;
391 ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, n+4);
392
393 error:
394 return ret;
395 }
396
397 #endif /* CONFIG_SSL_ENABLE_CLIENT */
398