Exemple #1
0
/*
 * Ensure the client has the private key by first decrypting the packet and
 * then checking the packet digests.
 */
static int process_cert_verify(SSL *ssl)
{
    uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
    int pkt_size = ssl->bm_index;
    uint8_t dgst_buf[MAX_KEY_BYTE_SIZE];
    uint8_t dgst[MD5_SIZE+SHA1_SIZE];
    X509_CTX *x509_ctx = ssl->x509_ctx;
    int ret = SSL_OK;
    int n;

    PARANOIA_CHECK(pkt_size, x509_ctx->rsa_ctx->num_octets+6);
    DISPLAY_RSA(ssl, x509_ctx->rsa_ctx);

    /* rsa_ctx->bi_ctx is not thread-safe */
    SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
    n = RSA_decrypt(x509_ctx->rsa_ctx, &buf[6], dgst_buf, 0);
    SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);

    if (n != SHA1_SIZE + MD5_SIZE)
    {
        ret = SSL_ERROR_INVALID_KEY;
        goto end_cert_vfy;
    }

    finished_digest(ssl, NULL, dgst);       /* calculate the digest */
    if (memcmp(dgst_buf, dgst, MD5_SIZE + SHA1_SIZE))
    {
        ret = SSL_ERROR_INVALID_KEY;
    }

end_cert_vfy:
    ssl->next_state = HS_FINISHED;
error:
    return ret;
}
Exemple #2
0
/*
 * Pull apart a client key exchange message. Decrypt the pre-master key (using
 * our RSA private key) and then work out the master key. Initialise the
 * ciphers.
 */
static int ICACHE_FLASH_ATTR process_client_key_xchg(SSL *ssl)
{
    uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
    int pkt_size = ssl->bm_index;
    int premaster_size, secret_length = (buf[2] << 8) + buf[3];
    uint8_t premaster_secret[MAX_KEY_BYTE_SIZE];
    RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx;
    int offset = 4;
    int ret = SSL_OK;
    
    if (rsa_ctx == NULL)
    {
        ret = SSL_ERROR_NO_CERT_DEFINED;
        goto error;
    }

    /* is there an extra size field? */
    if ((secret_length - 2) == rsa_ctx->num_octets)
        offset += 2;

    PARANOIA_CHECK(pkt_size, rsa_ctx->num_octets+offset);

    /* rsa_ctx->bi_ctx is not thread-safe */
    SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
    premaster_size = RSA_decrypt(rsa_ctx, &buf[offset], premaster_secret,
            sizeof(premaster_secret), 1);
    SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);

    if (premaster_size != SSL_SECRET_SIZE || 
            premaster_secret[0] != 0x03 ||  /* must be the same as client
                                               offered version */
                premaster_secret[1] != (ssl->client_version & 0x0f))
    {
        /* guard against a Bleichenbacher attack */
        if (get_random(SSL_SECRET_SIZE, premaster_secret) < 0)
            return SSL_NOT_OK;

        /* and continue - will die eventually when checking the mac */
    }

#if 0
    print_blob("pre-master", premaster_secret, SSL_SECRET_SIZE);
#endif

    generate_master_secret(ssl, premaster_secret);

#ifdef CONFIG_SSL_CERT_VERIFICATION
    ssl->next_state = IS_SET_SSL_FLAG(SSL_CLIENT_AUTHENTICATION) ?  
                                            HS_CERT_VERIFY : HS_FINISHED;
#else
    ssl->next_state = HS_FINISHED; 
#endif

    ssl->dc->bm_proc_index += rsa_ctx->num_octets+offset;
error:
    return ret;
}
Exemple #3
0
/* 
 * Process a client hello message.
 */
static int process_client_hello(SSL *ssl)
{
    uint8_t *buf = ssl->bm_data;
    uint8_t *record_buf = ssl->hmac_header;
    int pkt_size = ssl->bm_index;
    int i, j, cs_len, id_len, offset = 6 + SSL_RANDOM_SIZE;
    int version = (record_buf[1] << 4) + record_buf[2];
    int ret = SSL_OK;
    
    /* should be v3.1 (TLSv1) or better - we'll send in v3.1 mode anyway */
    if (version < 0x31) 
    {
        ret = SSL_ERROR_INVALID_VERSION;
        ssl_display_error(ret);
        goto error;
    }

    memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);

    /* process the session id */
    id_len = buf[offset++];
    if (id_len > SSL_SESSION_ID_SIZE)
    {
        return SSL_ERROR_INVALID_SESSION;
    }

#ifndef CONFIG_SSL_SKELETON_MODE
    ssl->session = ssl_session_update(ssl->ssl_ctx->num_sessions,
            ssl->ssl_ctx->ssl_sessions, ssl, id_len ? &buf[offset] : NULL);
#endif

    offset += id_len;
    cs_len = (buf[offset]<<8) + buf[offset+1];
    offset += 3;        /* add 1 due to all cipher suites being 8 bit */

    PARANOIA_CHECK(pkt_size, offset);

    /* work out what cipher suite we are going to use */
    for (j = 0; j < NUM_PROTOCOLS; j++)
    {
        for (i = 0; i < cs_len; i += 2)
        {
            if (ssl_prot_prefs[j] == buf[offset+i])   /* got a match? */
            {
                ssl->cipher = ssl_prot_prefs[j];
                goto do_state;
            }
        }
    }

    /* ouch! protocol is not supported */
    ret = SSL_ERROR_NO_CIPHER;

do_state:
error:
    return ret;
}
Exemple #4
0
/*
 * Process a client hello message.
 */
static int ICACHE_FLASH_ATTR process_client_hello(SSL *ssl) {
	uint8_t *buf = ssl->bm_data;
	uint8_t *record_buf = ssl->hmac_header;
	int pkt_size = ssl->bm_index;
	int i, j, cs_len, id_len, offset = 6 + SSL_RANDOM_SIZE;
	int ret = SSL_OK;

	uint8_t version = (buf[4] << 4) + buf[5];
	ssl->version = ssl->client_version = version;

	if (version > SSL_PROTOCOL_VERSION_MAX) {
		/* use client's version instead */
		ssl->version = SSL_PROTOCOL_VERSION_MAX;
	} else if (version < SSL_PROTOCOL_MIN_VERSION) { /* old version supported? */
		ret = SSL_ERROR_INVALID_VERSION;
		//ssl_display_error(ret);
		goto error;
	}

	os_memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);

	/* process the session id */
	id_len = buf[offset++];
	if (id_len > SSL_SESSION_ID_SIZE) {
		return SSL_ERROR_INVALID_SESSION;
	}

#ifndef CONFIG_SSL_SKELETON_MODE
	ssl->session = ssl_session_update(ssl->ssl_ctx->num_sessions,
									  ssl->ssl_ctx->ssl_sessions, ssl, id_len ? &buf[offset] : NULL);
#endif

	offset += id_len;
	cs_len = (buf[offset] << 8) + buf[offset + 1];
	offset += 2;        /* add 1 due to all cipher suites being 8 bit */

	PARANOIA_CHECK(pkt_size, offset);

	/* work out what cipher suite we are going to use - client defines
	   the preference */
	for (i = 0; i < cs_len; i += 2) {
		for (j = 0; j < NUM_PROTOCOLS; j++) {
			if (ssl_prot_prefs[j] == ((buf[offset + i] << 8) + buf[offset + i + 1])) { /* got a match? */
				ssl->cipher = ssl_prot_prefs[j];
				goto do_state;
			}
		}
	}

	/* ouch! protocol is not supported */
	ret = SSL_ERROR_NO_CIPHER;

do_state:
error:
	return ret;
}
Exemple #5
0
/*
 * Process the certificate request.
 */
static int ICACHE_FLASH_ATTR process_cert_req(SSL *ssl)
{
    uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
    int ret = SSL_OK;
    int offset = (buf[2] << 4) + buf[3];
    int pkt_size = ssl->bm_index;

    /* don't do any processing - we will send back an RSA certificate anyway */
    ssl->next_state = HS_SERVER_HELLO_DONE;
    SET_SSL_FLAG(SSL_HAS_CERT_REQ);
    ssl->dc->bm_proc_index += offset;
    PARANOIA_CHECK(pkt_size, offset);
error:
    return ret;
}
Exemple #6
0
/*
 * Process the server hello.
 */
static int ICACHE_FLASH_ATTR process_server_hello(SSL *ssl)
{
    uint8_t *buf = ssl->bm_data;
    int pkt_size = ssl->bm_index;
    int num_sessions = ssl->ssl_ctx->num_sessions;
    uint8_t sess_id_size;
    int offset, ret = SSL_OK;

    /* check that we are talking to a TLSv1 server */
    uint8_t version = (buf[4] << 4) + buf[5];
    if (version > SSL_PROTOCOL_VERSION_MAX)
    {
        version = SSL_PROTOCOL_VERSION_MAX;
    }
    else if (ssl->version < SSL_PROTOCOL_MIN_VERSION)
    {
        ret = SSL_ERROR_INVALID_VERSION;
        //ssl_display_error(ret);
        goto error;
    }

    ssl->version = version;

    /* get the server random value */
    memcpy(ssl->dc->server_random, &buf[6], SSL_RANDOM_SIZE);
    offset = 6 + SSL_RANDOM_SIZE; /* skip of session id size */
    sess_id_size = buf[offset++];

    if (sess_id_size > SSL_SESSION_ID_SIZE)
    {
        ret = SSL_ERROR_INVALID_SESSION;
        goto error;
    }

    if (num_sessions)
    {
        ssl->session = ssl_session_update(num_sessions,
                ssl->ssl_ctx->ssl_sessions, ssl, &buf[offset]);
        memcpy(ssl->session->session_id, &buf[offset], sess_id_size);

        /* pad the rest with 0's */
        if (sess_id_size < SSL_SESSION_ID_SIZE)
        {
            memset(&ssl->session->session_id[sess_id_size], 0,
                SSL_SESSION_ID_SIZE-sess_id_size);
        }
    }

    memcpy(ssl->session_id, &buf[offset], sess_id_size);
    ssl->sess_id_size = sess_id_size;
    offset += sess_id_size;

    /* get the real cipher we are using */
    ssl->cipher = buf[++offset];
    ssl->next_state = IS_SET_SSL_FLAG(SSL_SESSION_RESUME) ? 
                                        HS_FINISHED : HS_CERTIFICATE;

    offset++;   // skip the compr
    PARANOIA_CHECK(pkt_size, offset);
    ssl->dc->bm_proc_index = offset+1; 

error:
    return ret;
}
Exemple #7
0
/*
 * Ensure the client has the private key by first decrypting the packet and
 * then checking the packet digests.
 */
static int process_cert_verify(SSL *ssl)
{
    uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
    int pkt_size = ssl->bm_index;
    uint8_t dgst_buf[MAX_KEY_BYTE_SIZE];
    uint8_t dgst[MD5_SIZE + SHA1_SIZE];
    X509_CTX *x509_ctx = ssl->x509_ctx;
    int ret = SSL_OK;
    int offset = 6;
    int rsa_len;
    int n;

    DISPLAY_RSA(ssl, x509_ctx->rsa_ctx);

    if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
    {
        // TODO: should really need to be able to handle other algorihms. An 
        // assumption is made on RSA/SHA256 and appears to be OK.
        //uint8_t hash_alg = buf[4];
        //uint8_t sig_alg = buf[5];
        offset = 8;
        rsa_len = (buf[6] << 8) + buf[7];
    }
    else
    {
        rsa_len = (buf[4] << 8) + buf[5];
    }

    PARANOIA_CHECK(pkt_size, offset + rsa_len);

    /* rsa_ctx->bi_ctx is not thread-safe */
    SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
    n = RSA_decrypt(x509_ctx->rsa_ctx, &buf[offset], dgst_buf, 
                    sizeof(dgst_buf), 0);
    SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);

    if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
    {
        if (memcmp(dgst_buf, g_asn1_sha256, sizeof(g_asn1_sha256)))
        {
            ret = SSL_ERROR_INVALID_KEY;
            goto error;
        }

        finished_digest(ssl, NULL, dgst);       /* calculate the digest */
        if (memcmp(&dgst_buf[sizeof(g_asn1_sha256)], dgst, SHA256_SIZE))
        {
            ret = SSL_ERROR_INVALID_KEY;
            goto error;
        }
    }
    else // TLS1.0/1.1
    {
        if (n != SHA1_SIZE + MD5_SIZE)
        {
            ret = SSL_ERROR_INVALID_KEY;
            goto end_cert_vfy;
        }

        finished_digest(ssl, NULL, dgst);       /* calculate the digest */
        if (memcmp(dgst_buf, dgst, MD5_SIZE + SHA1_SIZE))
        {
            ret = SSL_ERROR_INVALID_KEY;
        }
    }

end_cert_vfy:
    ssl->next_state = HS_FINISHED;
error:
    return ret;
}
Exemple #8
0
/* 
 * Process a client hello message.
 */
static int process_client_hello(SSL *ssl)
{
    uint8_t *buf = ssl->bm_data;
    int pkt_size = ssl->bm_index;
    int i, j, cs_len, id_len, offset = 6 + SSL_RANDOM_SIZE;
    int ret = SSL_OK;
    
    uint8_t version = (buf[4] << 4) + buf[5];
    ssl->version = ssl->client_version = version;

    if (version > SSL_PROTOCOL_VERSION_MAX)
    {
        /* use client's version instead */
        ssl->version = SSL_PROTOCOL_VERSION_MAX; 
    }
    else if (version < SSL_PROTOCOL_MIN_VERSION)  /* old version supported? */
    {
        ret = SSL_ERROR_INVALID_VERSION;
#ifdef CONFIG_SSL_DIAGNOSTICS
        ssl_display_error(ret);
#endif
        goto error;
    }

    memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);

    /* process the session id */
    id_len = buf[offset++];
    if (id_len > SSL_SESSION_ID_SIZE)
    {
        return SSL_ERROR_INVALID_SESSION;
    }

#ifndef CONFIG_SSL_SKELETON_MODE
    ssl->session = ssl_session_update(ssl->ssl_ctx->num_sessions,
            ssl->ssl_ctx->ssl_sessions, ssl, id_len ? &buf[offset] : NULL);
#endif

    offset += id_len;
    cs_len = (buf[offset]<<8) + buf[offset+1];
    offset += 3;        /* add 1 due to all cipher suites being 8 bit */

    PARANOIA_CHECK(pkt_size, offset + cs_len);

    /* work out what cipher suite we are going to use - client defines 
       the preference */
    for (i = 0; i < cs_len; i += 2)
    {
        for (j = 0; j < NUM_PROTOCOLS; j++)
        {
            if (ssl_prot_prefs[j] == buf[offset+i])   /* got a match? */
            {
                ssl->cipher = ssl_prot_prefs[j];
                goto do_compression;
            }
        }
    }

    /* ouch! protocol is not supported */
    return SSL_ERROR_NO_CIPHER;

    /* completely ignore compression */
do_compression:
    offset += cs_len;
    id_len = buf[offset++];
    offset += id_len;
    PARANOIA_CHECK(pkt_size, offset + id_len);

    if (offset == pkt_size)
    {
        /* no extensions */
        goto error;
    }

    /* extension size */
    id_len = buf[offset++] << 8;
    id_len += buf[offset++];
    PARANOIA_CHECK(pkt_size, offset + id_len);
    
    // Check for extensions from the client - only the signature algorithm
    // is supported
    while (offset < pkt_size) 
    {
        int ext = buf[offset++] << 8;
        ext += buf[offset++];
        int ext_len = buf[offset++] << 8;
        ext_len += buf[offset++];
        PARANOIA_CHECK(pkt_size, offset + ext_len);
        
        if (ext == SSL_EXT_SIG_ALG)
        {
            while (ext_len > 0)
            {
                uint8_t hash_alg = buf[offset++];
                uint8_t sig_alg = buf[offset++];
                ext_len -= 2;

                if (sig_alg == SIG_ALG_RSA && 
                        (hash_alg == SIG_ALG_SHA1 ||
                         hash_alg == SIG_ALG_SHA256 ||
                         hash_alg == SIG_ALG_SHA384 ||
                         hash_alg == SIG_ALG_SHA512))
                {
                    ssl->sig_algs[ssl->num_sig_algs++] = hash_alg;
                }
            }
        }
        else
        {
            offset += ext_len;
        }
    }

    /* default is RSA/SHA1 */
    if (ssl->num_sig_algs == 0)
    {
        ssl->sig_algs[ssl->num_sig_algs++] = SIG_ALG_SHA1;
    }

error:
    return ret;
}