/*
* Send the entire server hello sequence
*/
static int ICACHE_FLASH_ATTR send_server_hello_sequence(SSL *ssl) {
int ret;
if ((ret = send_server_hello(ssl)) == SSL_OK) {
#ifndef CONFIG_SSL_SKELETON_MODE
/* resume handshake? */
if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME)) {
if ((ret = send_change_cipher_spec(ssl)) == SSL_OK) {
ret = send_finished(ssl);
ssl->next_state = HS_FINISHED;
}
} else
#endif
if ((ret = send_certificate(ssl)) == SSL_OK) {
#ifdef CONFIG_SSL_CERT_VERIFICATION
/* ask the client for its certificate */
if (IS_SET_SSL_FLAG(SSL_CLIENT_AUTHENTICATION)) {
if ((ret = send_certificate_request(ssl)) == SSL_OK) {
ret = send_server_hello_done(ssl);
ssl->next_state = HS_CERTIFICATE;
}
} else
#endif
{
ret = send_server_hello_done(ssl);
ssl->next_state = HS_CLIENT_KEY_XCHG;
}
}
}
return ret;
}
/*
* Do the handshaking from the beginning.
*/
int ICACHE_FLASH_ATTR do_client_connect(SSL *ssl)
{
int ret = SSL_OK;
send_client_hello(ssl); /* send the client hello */
ssl->bm_read_index = 0;
ssl->next_state = HS_SERVER_HELLO;
ssl->hs_status = SSL_NOT_OK; /* not connected */
/* sit in a loop until it all looks good */
if (!IS_SET_SSL_FLAG(SSL_CONNECT_IN_PARTS))
{
while (ssl->hs_status != SSL_OK)
{
// esp_ssl_sleep(100);
ret = ssl_read(ssl, NULL);
ssl_printf("%s %d %d\n", __func__, __LINE__,ret);
if (ret < SSL_OK)
break;
}
ssl->hs_status = ret; /* connected? */
}
return ret;
}
/*
* Do the handshaking from the beginning.
*/
int do_client_connect(SSL *ssl)
{
int ret = SSL_OK;
send_client_hello(ssl); /* send the client hello */
ssl->bm_read_index = 0;
ssl->next_state = HS_SERVER_HELLO;
ssl->hs_status = SSL_NOT_OK; /* not connected */
/* sit in a loop until it all looks good */
if (!IS_SET_SSL_FLAG(SSL_CONNECT_IN_PARTS))
{
while (ssl->hs_status != SSL_OK)
{
ret = ssl_read(ssl, NULL);
if (ret < SSL_OK)
break;
}
ssl->hs_status = ret; /* connected? */
}
return ret;
}
/*
* Send the initial client hello.
*/
static int send_client_hello(SSL *ssl)
{
uint8_t *buf = ssl->bm_data;
#if defined(CONFIG_PLATFORM_ESP8266)
time_t tm = rand();
#else
time_t tm = time(NULL);
#endif
uint8_t *tm_ptr = &buf[6]; /* time will go here */
int i, offset;
buf[0] = HS_CLIENT_HELLO;
buf[1] = 0;
buf[2] = 0;
/* byte 3 is calculated later */
buf[4] = 0x03;
buf[5] = ssl->version & 0x0f;
/* client random value - spec says that 1st 4 bytes are big endian time */
*tm_ptr++ = (uint8_t)(((long)tm & 0xff000000) >> 24);
*tm_ptr++ = (uint8_t)(((long)tm & 0x00ff0000) >> 16);
*tm_ptr++ = (uint8_t)(((long)tm & 0x0000ff00) >> 8);
*tm_ptr++ = (uint8_t)(((long)tm & 0x000000ff));
get_random(SSL_RANDOM_SIZE-4, &buf[10]);
memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);
offset = 6 + SSL_RANDOM_SIZE;
/* give session resumption a go */
if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME)) /* set initially by user */
{
buf[offset++] = ssl->sess_id_size;
memcpy(&buf[offset], ssl->session_id, ssl->sess_id_size);
offset += ssl->sess_id_size;
CLR_SSL_FLAG(SSL_SESSION_RESUME); /* clear so we can set later */
}
else
{
/* no session id - because no session resumption just yet */
buf[offset++] = 0;
}
buf[offset++] = 0; /* number of ciphers */
buf[offset++] = NUM_PROTOCOLS*2;/* number of ciphers */
/* put all our supported protocols in our request */
for (i = 0; i < NUM_PROTOCOLS; i++)
{
buf[offset++] = 0; /* cipher we are using */
buf[offset++] = ssl_prot_prefs[i];
}
buf[offset++] = 1; /* no compression */
buf[offset++] = 0;
buf[3] = offset - 4; /* handshake size */
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
}
/*
* Send a server hello message.
*/
static int send_server_hello(SSL *ssl)
{
uint8_t *buf = ssl->bm_data;
int offset = 0;
buf[0] = HS_SERVER_HELLO;
buf[1] = 0;
buf[2] = 0;
/* byte 3 is calculated later */
buf[4] = 0x03;
buf[5] = ssl->version & 0x0f;
/* server random value */
if (get_random(SSL_RANDOM_SIZE, &buf[6]) < 0)
return SSL_NOT_OK;
memcpy(ssl->dc->server_random, &buf[6], SSL_RANDOM_SIZE);
offset = 6 + SSL_RANDOM_SIZE;
#ifndef CONFIG_SSL_SKELETON_MODE
if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME))
{
/* retrieve id from session cache */
buf[offset++] = SSL_SESSION_ID_SIZE;
memcpy(&buf[offset], ssl->session->session_id, SSL_SESSION_ID_SIZE);
memcpy(ssl->session_id, ssl->session->session_id, SSL_SESSION_ID_SIZE);
ssl->sess_id_size = SSL_SESSION_ID_SIZE;
offset += SSL_SESSION_ID_SIZE;
}
else /* generate our own session id */
#endif
{
#ifndef CONFIG_SSL_SKELETON_MODE
buf[offset++] = SSL_SESSION_ID_SIZE;
get_random(SSL_SESSION_ID_SIZE, &buf[offset]);
memcpy(ssl->session_id, &buf[offset], SSL_SESSION_ID_SIZE);
ssl->sess_id_size = SSL_SESSION_ID_SIZE;
/* store id in session cache */
if (ssl->ssl_ctx->num_sessions)
{
memcpy(ssl->session->session_id,
ssl->session_id, SSL_SESSION_ID_SIZE);
}
offset += SSL_SESSION_ID_SIZE;
#else
buf[offset++] = 0; /* don't bother with session id in skelton mode */
#endif
}
buf[offset++] = 0; /* cipher we are using */
buf[offset++] = ssl->cipher;
buf[offset++] = 0; /* no compression and no extensions supported */
buf[3] = offset - 4; /* handshake size */
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
}
/*
* Pull apart a client key exchange message. Decrypt the pre-master key (using
* our RSA private key) and then work out the master key. Initialise the
* ciphers.
*/
static int ICACHE_FLASH_ATTR process_client_key_xchg(SSL *ssl)
{
uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
int pkt_size = ssl->bm_index;
int premaster_size, secret_length = (buf[2] << 8) + buf[3];
uint8_t premaster_secret[MAX_KEY_BYTE_SIZE];
RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx;
int offset = 4;
int ret = SSL_OK;
if (rsa_ctx == NULL)
{
ret = SSL_ERROR_NO_CERT_DEFINED;
goto error;
}
/* is there an extra size field? */
if ((secret_length - 2) == rsa_ctx->num_octets)
offset += 2;
PARANOIA_CHECK(pkt_size, rsa_ctx->num_octets+offset);
/* rsa_ctx->bi_ctx is not thread-safe */
SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
premaster_size = RSA_decrypt(rsa_ctx, &buf[offset], premaster_secret,
sizeof(premaster_secret), 1);
SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
if (premaster_size != SSL_SECRET_SIZE ||
premaster_secret[0] != 0x03 || /* must be the same as client
offered version */
premaster_secret[1] != (ssl->client_version & 0x0f))
{
/* guard against a Bleichenbacher attack */
if (get_random(SSL_SECRET_SIZE, premaster_secret) < 0)
return SSL_NOT_OK;
/* and continue - will die eventually when checking the mac */
}
#if 0
print_blob("pre-master", premaster_secret, SSL_SECRET_SIZE);
#endif
generate_master_secret(ssl, premaster_secret);
#ifdef CONFIG_SSL_CERT_VERIFICATION
ssl->next_state = IS_SET_SSL_FLAG(SSL_CLIENT_AUTHENTICATION) ?
HS_CERT_VERIFY : HS_FINISHED;
#else
ssl->next_state = HS_FINISHED;
#endif
ssl->dc->bm_proc_index += rsa_ctx->num_octets+offset;
error:
return ret;
}
static int compute_size_send_client_hello(SSL *ssl)
{
int size = 6 + SSL_RANDOM_SIZE;
size++;
if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME))
{
size += ssl->sess_id_size;
}
size += 2;
int i;
for (i = 0; i < NUM_PROTOCOLS; i++)
size += 2;
size += 2;
return size+BM_RECORD_OFFSET;
}
/*
* Process the handshake record.
*/
int ICACHE_FLASH_ATTR do_clnt_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
{
int ret;
/* To get here the state must be valid */
// ssl_printf("do_clnt_handshake: %d %d\n",__LINE__, handshake_type);
switch (handshake_type)
{
case HS_SERVER_HELLO:
ret = process_server_hello(ssl);
break;
case HS_CERTIFICATE:
ret = process_certificate(ssl, &ssl->x509_ctx);
break;
case HS_SERVER_HELLO_DONE:
if ((ret = process_server_hello_done(ssl)) == SSL_OK)
{
if (IS_SET_SSL_FLAG(SSL_HAS_CERT_REQ))
{
if ((ret = send_certificate(ssl)) == SSL_OK &&
(ret = send_client_key_xchg(ssl)) == SSL_OK)
{
send_cert_verify(ssl);
}
}
else
{
ret = send_client_key_xchg(ssl);
}
if (ret == SSL_OK &&
(ret = send_change_cipher_spec(ssl)) == SSL_OK)
{
ret = send_finished(ssl);
}
}
break;
case HS_CERT_REQ:
ret = process_cert_req(ssl);
break;
case HS_FINISHED:
ret = process_finished(ssl, buf, hs_len);
disposable_free(ssl); /* free up some memory */
/* note: client renegotiation is not allowed after this */
break;
case HS_HELLO_REQUEST:
disposable_new(ssl);
ret = do_client_connect(ssl);
break;
default:
ret = SSL_ERROR_INVALID_HANDSHAKE;
break;
}
return ret;
}
/*
* Process the server hello.
*/
static int ICACHE_FLASH_ATTR process_server_hello(SSL *ssl)
{
uint8_t *buf = ssl->bm_data;
int pkt_size = ssl->bm_index;
int num_sessions = ssl->ssl_ctx->num_sessions;
uint8_t sess_id_size;
int offset, ret = SSL_OK;
/* check that we are talking to a TLSv1 server */
uint8_t version = (buf[4] << 4) + buf[5];
if (version > SSL_PROTOCOL_VERSION_MAX)
{
version = SSL_PROTOCOL_VERSION_MAX;
}
else if (ssl->version < SSL_PROTOCOL_MIN_VERSION)
{
ret = SSL_ERROR_INVALID_VERSION;
//ssl_display_error(ret);
goto error;
}
ssl->version = version;
/* get the server random value */
memcpy(ssl->dc->server_random, &buf[6], SSL_RANDOM_SIZE);
offset = 6 + SSL_RANDOM_SIZE; /* skip of session id size */
sess_id_size = buf[offset++];
if (sess_id_size > SSL_SESSION_ID_SIZE)
{
ret = SSL_ERROR_INVALID_SESSION;
goto error;
}
if (num_sessions)
{
ssl->session = ssl_session_update(num_sessions,
ssl->ssl_ctx->ssl_sessions, ssl, &buf[offset]);
memcpy(ssl->session->session_id, &buf[offset], sess_id_size);
/* pad the rest with 0's */
if (sess_id_size < SSL_SESSION_ID_SIZE)
{
memset(&ssl->session->session_id[sess_id_size], 0,
SSL_SESSION_ID_SIZE-sess_id_size);
}
}
memcpy(ssl->session_id, &buf[offset], sess_id_size);
ssl->sess_id_size = sess_id_size;
offset += sess_id_size;
/* get the real cipher we are using */
ssl->cipher = buf[++offset];
ssl->next_state = IS_SET_SSL_FLAG(SSL_SESSION_RESUME) ?
HS_FINISHED : HS_CERTIFICATE;
offset++; // skip the compr
PARANOIA_CHECK(pkt_size, offset);
ssl->dc->bm_proc_index = offset+1;
error:
return ret;
}
/*
* Send the initial client hello.
*/
static int send_client_hello(SSL *ssl)
{
uint8_t *buf = ssl->bm_data;
time_t tm = time(NULL);
uint8_t *tm_ptr = &buf[6]; /* time will go here */
int i, offset;
buf[0] = HS_CLIENT_HELLO;
buf[1] = 0;
buf[2] = 0;
/* byte 3 is calculated later */
buf[4] = 0x03;
buf[5] = ssl->version & 0x0f;
/* client random value - spec says that 1st 4 bytes are big endian time */
*tm_ptr++ = (uint8_t)(((long)tm & 0xff000000) >> 24);
*tm_ptr++ = (uint8_t)(((long)tm & 0x00ff0000) >> 16);
*tm_ptr++ = (uint8_t)(((long)tm & 0x0000ff00) >> 8);
*tm_ptr++ = (uint8_t)(((long)tm & 0x000000ff));
get_random(SSL_RANDOM_SIZE-4, &buf[10]);
memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);
offset = 6 + SSL_RANDOM_SIZE;
/* give session resumption a go */
if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME)) /* set initially by user */
{
buf[offset++] = ssl->sess_id_size;
memcpy(&buf[offset], ssl->session_id, ssl->sess_id_size);
offset += ssl->sess_id_size;
CLR_SSL_FLAG(SSL_SESSION_RESUME); /* clear so we can set later */
}
else
{
/* no session id - because no session resumption just yet */
buf[offset++] = 0;
}
buf[offset++] = 0; /* number of ciphers */
buf[offset++] = NUM_PROTOCOLS*2;/* number of ciphers */
/* put all our supported protocols in our request */
for (i = 0; i < NUM_PROTOCOLS; i++)
{
buf[offset++] = 0; /* cipher we are using */
buf[offset++] = ssl_prot_prefs[i];
}
buf[offset++] = 1; /* no compression */
buf[offset++] = 0;
#ifdef CONFIG_SSL_SNI
if (ssl->host_name[0] != 0) {
const char * end = (const char *) memchr((char*) ssl->host_name, '\0', 255);
unsigned int host_len = end == NULL ? 255 : end - (char*) ssl->host_name;
buf[offset++] = 0;
buf[offset++] = host_len+9; /* extensions length */
buf[offset++] = 0;
buf[offset++] = 0; /* server_name(0) (65535) */
buf[offset++] = 0;
buf[offset++] = host_len+5; /* server_name length */
buf[offset++] = 0;
buf[offset++] = host_len+3; /* server_list length */
buf[offset++] = 0; /* host_name(0) (255) */
buf[offset++] = 0;
buf[offset++] = host_len; /* host_name length */
strncpy((char*) &buf[offset], ssl->host_name, host_len);
offset += host_len;
}
#endif
buf[3] = offset - 4; /* handshake size */
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
}