mirror of
https://github.com/esp8266/Arduino.git
synced 2025-04-22 21:23:07 +03:00
e2cf04d605
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@31 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
445 lines
12 KiB
C
445 lines
12 KiB
C
/*
|
|
* Copyright(C) 2006
|
|
*
|
|
* This library is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation; either version 2.1 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <stdio.h>
|
|
|
|
#include "ssl.h"
|
|
|
|
static const uint8_t g_hello_done[] = { HS_SERVER_HELLO_DONE, 0, 0, 0 };
|
|
|
|
static int process_client_hello(SSL *ssl);
|
|
static int send_server_hello_sequence(SSL *ssl);
|
|
static int send_server_hello(SSL *ssl);
|
|
static int send_server_hello_done(SSL *ssl);
|
|
static int process_client_key_xchg(SSL *ssl);
|
|
#ifdef CONFIG_SSL_CERT_VERIFICATION
|
|
static int send_certificate_request(SSL *ssl);
|
|
static int process_cert_verify(SSL *ssl);
|
|
#endif
|
|
|
|
/*
|
|
* Establish a new SSL connection to an SSL client.
|
|
*/
|
|
EXP_FUNC SSL * STDCALL ssl_server_new(SSLCTX *ssl_ctx, int client_fd)
|
|
{
|
|
SSL *ssl = ssl_new(ssl_ctx, client_fd);
|
|
ssl->next_state = HS_CLIENT_HELLO;
|
|
ssl->hs_status = SSL_NOT_OK; /* not connected */
|
|
|
|
#ifdef CONFIG_SSL_FULL_MODE
|
|
if (ssl_ctx->chain_length == 0)
|
|
{
|
|
printf("Warning - no server certificate defined\n");
|
|
TTY_FLUSH();
|
|
}
|
|
#endif
|
|
|
|
return ssl;
|
|
}
|
|
|
|
/*
|
|
* Process the handshake record.
|
|
*/
|
|
int do_svr_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
|
|
{
|
|
int ret = SSL_OK;
|
|
ssl->hs_status = SSL_NOT_OK; /* not connected */
|
|
|
|
/* To get here the state must be valid */
|
|
switch (handshake_type)
|
|
{
|
|
case HS_CLIENT_HELLO:
|
|
if ((ret = process_client_hello(ssl)) == SSL_OK)
|
|
{
|
|
ret = send_server_hello_sequence(ssl);
|
|
}
|
|
break;
|
|
|
|
#ifdef CONFIG_SSL_CERT_VERIFICATION
|
|
case HS_CERTIFICATE:/* the client sends its cert */
|
|
ret = process_certificate(ssl, &ssl->x509_ctx);
|
|
|
|
if (ret == SSL_OK) /* verify the cert */
|
|
{
|
|
int cert_res;
|
|
cert_res = x509_verify(
|
|
ssl->ssl_ctx->ca_cert_ctx, ssl->x509_ctx);
|
|
ret = (cert_res == 0) ? SSL_OK : SSL_X509_ERROR(cert_res);
|
|
}
|
|
break;
|
|
|
|
case HS_CERT_VERIFY:
|
|
ret = process_cert_verify(ssl);
|
|
add_packet(ssl, buf, hs_len); /* needs to be done after */
|
|
break;
|
|
#endif
|
|
case HS_CLIENT_KEY_XCHG:
|
|
ret = process_client_key_xchg(ssl);
|
|
break;
|
|
|
|
case HS_FINISHED:
|
|
ret = process_finished(ssl, hs_len);
|
|
break;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Process a client hello message.
|
|
*/
|
|
static int process_client_hello(SSL *ssl)
|
|
{
|
|
uint8_t *buf = ssl->bm_buf.data;
|
|
int pkt_size = ssl->bm_buf.index;
|
|
int i, j, cs_len, id_len, offset = 6 + SSL_RANDOM_SIZE;
|
|
int ret = SSL_OK;
|
|
|
|
memcpy(ssl->client_random, &buf[6], SSL_RANDOM_SIZE);
|
|
|
|
/* process the session id */
|
|
id_len = buf[offset++];
|
|
if (id_len > SSL_SESSION_ID_SIZE)
|
|
{
|
|
return SSL_ERROR_INVALID_SESSION;
|
|
}
|
|
|
|
#ifndef CONFIG_SSL_SKELETON_MODE
|
|
ssl->session = ssl_session_update(ssl->ssl_ctx->num_sessions,
|
|
ssl->ssl_ctx->ssl_sessions, ssl, id_len ? &buf[offset] : NULL);
|
|
#endif
|
|
|
|
offset += id_len;
|
|
cs_len = (buf[offset]<<8) + buf[offset+1];
|
|
offset += 3; /* add 1 due to all cipher suites being 8 bit */
|
|
|
|
PARANOIA_CHECK(pkt_size, offset);
|
|
|
|
/* work out what cipher suite we are going to use */
|
|
for (j = 0; j < NUM_PROTOCOLS; j++)
|
|
{
|
|
for (i = 0; i < cs_len; i += 2)
|
|
{
|
|
if (ssl_prot_prefs[j] == buf[offset+i]) /* got a match? */
|
|
{
|
|
ssl->cipher = ssl_prot_prefs[j];
|
|
goto do_state;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* ouch! protocol is not supported */
|
|
ret = SSL_ERROR_NO_CIPHER;
|
|
|
|
do_state:
|
|
error:
|
|
return ret;
|
|
}
|
|
|
|
#ifdef CONFIG_SSL_ENABLE_V23_HANDSHAKE
|
|
/*
|
|
* Some browsers use a hybrid SSLv2 "client hello"
|
|
*/
|
|
int process_sslv23_client_hello(SSL *ssl)
|
|
{
|
|
uint8_t *buf = ssl->bm_buf.data;
|
|
int bytes_needed = ((buf[0] & 0x7f) << 8) + buf[1];
|
|
int version = (buf[3] << 4) + buf[4];
|
|
int ret = SSL_OK;
|
|
|
|
/* we have already read 3 extra bytes so far */
|
|
int read_len = SOCKET_READ(ssl->client_fd, buf, bytes_needed-3);
|
|
int cs_len = buf[1];
|
|
int id_len = buf[3];
|
|
int ch_len = buf[5];
|
|
int i, j, offset = 8; /* start at first cipher */
|
|
int random_offset = 0;
|
|
|
|
DISPLAY_BYTES(ssl, "received %d bytes", buf, read_len, read_len);
|
|
|
|
/* must be 3.1 (TLSv1) */
|
|
if (version != 0x31)
|
|
{
|
|
return SSL_ERROR_INVALID_VERSION;
|
|
}
|
|
|
|
add_packet(ssl, buf, read_len);
|
|
|
|
/* connection has gone, so die */
|
|
if (bytes_needed < 0)
|
|
{
|
|
return SSL_ERROR_CONN_LOST;
|
|
}
|
|
|
|
/* now work out what cipher suite we are going to use */
|
|
for (j = 0; j < NUM_PROTOCOLS; j++)
|
|
{
|
|
for (i = 0; i < cs_len; i += 3)
|
|
{
|
|
if (ssl_prot_prefs[j] == buf[offset+i])
|
|
{
|
|
ssl->cipher = ssl_prot_prefs[j];
|
|
goto server_hello;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* ouch! protocol is not supported */
|
|
ret = SSL_ERROR_NO_CIPHER;
|
|
goto error;
|
|
|
|
server_hello:
|
|
/* get the session id */
|
|
offset += cs_len - 2; /* we've gone 2 bytes past the end */
|
|
#ifndef CONFIG_SSL_SKELETON_MODE
|
|
ssl->session = ssl_session_update(ssl->ssl_ctx->num_sessions,
|
|
ssl->ssl_ctx->ssl_sessions, ssl, id_len ? &buf[offset] : NULL);
|
|
#endif
|
|
|
|
/* get the client random data */
|
|
offset += id_len;
|
|
|
|
/* random can be anywhere between 16 and 32 bytes long - so it is padded
|
|
* with 0's to the left */
|
|
if (ch_len == 0x10)
|
|
{
|
|
random_offset += 0x10;
|
|
}
|
|
|
|
memcpy(&ssl->client_random[random_offset], &buf[offset], ch_len);
|
|
ret = send_server_hello_sequence(ssl);
|
|
|
|
error:
|
|
return ret;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Send the entire server hello sequence
|
|
*/
|
|
static int send_server_hello_sequence(SSL *ssl)
|
|
{
|
|
int ret;
|
|
|
|
if ((ret = send_server_hello(ssl)) == SSL_OK)
|
|
{
|
|
#ifndef CONFIG_SSL_SKELETON_MODE
|
|
/* resume handshake? */
|
|
if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME))
|
|
{
|
|
if ((ret = send_change_cipher_spec(ssl)) == SSL_OK)
|
|
{
|
|
ret = send_finished(ssl);
|
|
ssl->next_state = HS_FINISHED;
|
|
}
|
|
}
|
|
else
|
|
#endif
|
|
if ((ret = send_certificate(ssl)) == SSL_OK)
|
|
{
|
|
#ifdef CONFIG_SSL_CERT_VERIFICATION
|
|
/* ask the client for its certificate */
|
|
if (IS_SET_SSL_FLAG(SSL_CLIENT_AUTHENTICATION))
|
|
{
|
|
if ((ret = send_certificate_request(ssl)) == SSL_OK)
|
|
{
|
|
ret = send_server_hello_done(ssl);
|
|
ssl->next_state = HS_CERTIFICATE;
|
|
}
|
|
}
|
|
else
|
|
#endif
|
|
{
|
|
ret = send_server_hello_done(ssl);
|
|
ssl->next_state = HS_CLIENT_KEY_XCHG;
|
|
}
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Send a server hello message.
|
|
*/
|
|
static int send_server_hello(SSL *ssl)
|
|
{
|
|
uint8_t *buf = ssl->bm_buf.data;
|
|
int offset = 0;
|
|
|
|
buf[0] = HS_SERVER_HELLO;
|
|
buf[1] = 0;
|
|
buf[2] = 0;
|
|
/* byte 3 is calculated later */
|
|
buf[4] = 0x03;
|
|
buf[5] = 0x01;
|
|
|
|
/* server random value */
|
|
get_random(SSL_RANDOM_SIZE, &buf[6]);
|
|
memcpy(ssl->server_random, &buf[6], SSL_RANDOM_SIZE);
|
|
offset = 6 + SSL_RANDOM_SIZE;
|
|
|
|
/* send a session id - and put it into the cache */
|
|
buf[offset++] = SSL_SESSION_ID_SIZE;
|
|
|
|
#ifndef CONFIG_SSL_SKELETON_MODE
|
|
if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME))
|
|
{
|
|
/* retrieve id from session cache */
|
|
memcpy(&buf[offset], ssl->session->session_id,
|
|
SSL_SESSION_ID_SIZE);
|
|
memcpy(ssl->session_id, ssl->session->session_id, SSL_SESSION_ID_SIZE);
|
|
}
|
|
else /* generate our own session id */
|
|
#endif
|
|
{
|
|
get_random(SSL_SESSION_ID_SIZE, &buf[offset]);
|
|
memcpy(ssl->session_id, &buf[offset], SSL_SESSION_ID_SIZE);
|
|
|
|
#ifndef CONFIG_SSL_SKELETON_MODE
|
|
/* store id in session cache */
|
|
if (ssl->ssl_ctx->num_sessions)
|
|
{
|
|
memcpy(ssl->session->session_id,
|
|
ssl->session_id, SSL_SESSION_ID_SIZE);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
offset += SSL_SESSION_ID_SIZE;
|
|
|
|
buf[offset++] = 0; /* cipher we are using */
|
|
buf[offset++] = ssl->cipher;
|
|
buf[offset++] = 0; /* no compression */
|
|
buf[3] = offset - 4; /* handshake size */
|
|
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
|
|
}
|
|
|
|
/*
|
|
* Send the server hello done message.
|
|
*/
|
|
static int send_server_hello_done(SSL *ssl)
|
|
{
|
|
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
|
|
g_hello_done, sizeof(g_hello_done));
|
|
}
|
|
|
|
/*
|
|
* Pull apart a client key exchange message. Decrypt the pre-master key (using
|
|
* our RSA private key) and then work out the master key. Initialise the
|
|
* ciphers.
|
|
*/
|
|
static int process_client_key_xchg(SSL *ssl)
|
|
{
|
|
uint8_t *buf = ssl->bm_buf.data;
|
|
int pkt_size = ssl->bm_buf.index;
|
|
int premaster_size, secret_length = (buf[2] << 8) + buf[3];
|
|
uint8_t premaster_secret[MAX_KEY_BYTE_SIZE];
|
|
RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx;
|
|
int offset = 4;
|
|
int ret = SSL_OK;
|
|
|
|
DISPLAY_RSA(ssl, "process_client_key_xchg", rsa_ctx);
|
|
|
|
/* is there an extra size field? */
|
|
if ((secret_length - 2) == rsa_ctx->num_octets)
|
|
{
|
|
offset += 2;
|
|
}
|
|
|
|
PARANOIA_CHECK(pkt_size, rsa_ctx->num_octets+offset);
|
|
premaster_size = RSA_decrypt(rsa_ctx, &buf[offset], premaster_secret, 1);
|
|
|
|
if (premaster_size != SSL_SECRET_SIZE ||
|
|
premaster_secret[0] != 0x03 || /* check version is 3.1 (TLS) */
|
|
premaster_secret[1] != 0x01)
|
|
{
|
|
/* guard against a Bleichenbacher attack */
|
|
memset(premaster_secret, 0, SSL_SECRET_SIZE);
|
|
/* and continue - will die eventually when checking the mac */
|
|
}
|
|
|
|
#if 0
|
|
print_blob("pre-master", premaster_secret, SSL_SECRET_SIZE);
|
|
#endif
|
|
|
|
generate_master_secret(ssl, premaster_secret);
|
|
|
|
#ifdef CONFIG_SSL_CERT_VERIFICATION
|
|
ssl->next_state = IS_SET_SSL_FLAG(SSL_CLIENT_AUTHENTICATION) ?
|
|
HS_CERT_VERIFY : HS_FINISHED;
|
|
#else
|
|
ssl->next_state = HS_FINISHED;
|
|
#endif
|
|
error:
|
|
return ret;
|
|
}
|
|
|
|
#ifdef CONFIG_SSL_CERT_VERIFICATION
|
|
static const uint8_t g_cert_request[] = { HS_CERT_REQ, 0, 0, 4, 1, 0, 0, 0 };
|
|
|
|
/*
|
|
* Send the certificate request message.
|
|
*/
|
|
static int send_certificate_request(SSL *ssl)
|
|
{
|
|
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
|
|
g_cert_request, sizeof(g_cert_request));
|
|
}
|
|
|
|
/*
|
|
* Ensure the client has the private key by first decrypting the packet and
|
|
* then checking the packet digests.
|
|
*/
|
|
static int process_cert_verify(SSL *ssl)
|
|
{
|
|
uint8_t *buf = ssl->bm_buf.data;
|
|
int pkt_size = ssl->bm_buf.index;
|
|
uint8_t dgst_buf[MAX_KEY_BYTE_SIZE];
|
|
uint8_t dgst[MD5_SIZE+SHA1_SIZE];
|
|
X509_CTX *x509_ctx = ssl->x509_ctx;
|
|
int ret = SSL_OK;
|
|
int n;
|
|
|
|
PARANOIA_CHECK(pkt_size, x509_ctx->rsa_ctx->num_octets+6);
|
|
|
|
DISPLAY_RSA(ssl, "process_cert_verify", x509_ctx->rsa_ctx);
|
|
n = RSA_decrypt(x509_ctx->rsa_ctx, &buf[6], dgst_buf, 0);
|
|
|
|
if (n != SHA1_SIZE + MD5_SIZE)
|
|
{
|
|
ret = SSL_ERROR_INVALID_KEY;
|
|
goto end_cert_vfy;
|
|
}
|
|
|
|
finished_digest(ssl, NULL, dgst); /* calculate the digest */
|
|
if (memcmp(dgst_buf, dgst, MD5_SIZE + SHA1_SIZE))
|
|
{
|
|
ret = SSL_ERROR_INVALID_KEY;
|
|
}
|
|
|
|
end_cert_vfy:
|
|
ssl->next_state = HS_FINISHED;
|
|
error:
|
|
return ret;
|
|
}
|
|
|
|
#endif
|