12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318 |
- #include <u.h>
- #include <libc.h>
- #include <bio.h>
- #include <auth.h>
- #include <mp.h>
- #include <libsec.h>
- // The main groups of functions are:
- // client/server - main handshake protocol definition
- // message functions - formating handshake messages
- // cipher choices - catalog of digest and encrypt algorithms
- // security functions - PKCS#1, sslHMAC, session keygen
- // general utility functions - malloc, serialization
- // The handshake protocol builds on the TLS/SSL3 record layer protocol,
- // which is implemented in kernel device #a. See also /lib/rfc/rfc2246.
- enum {
- TLSFinishedLen = 12,
- SSL3FinishedLen = MD5dlen+SHA1dlen,
- MaxKeyData = 104, // amount of secret we may need
- MaxChunk = 1<<14,
- RandomSize = 32,
- SidSize = 32,
- MasterSecretSize = 48,
- AQueue = 0,
- AFlush = 1,
- };
- typedef struct TlsSec TlsSec;
- typedef struct Bytes{
- int len;
- uchar data[1]; // [len]
- } Bytes;
- typedef struct Ints{
- int len;
- int data[1]; // [len]
- } Ints;
- typedef struct Algs{
- char *enc;
- char *digest;
- int nsecret;
- int tlsid;
- int ok;
- } Algs;
- typedef struct Finished{
- uchar verify[SSL3FinishedLen];
- int n;
- } Finished;
- typedef struct TlsConnection{
- TlsSec *sec; // security management goo
- int hand, ctl; // record layer file descriptors
- int erred; // set when tlsError called
- int (*trace)(char*fmt, ...); // for debugging
- int version; // protocol we are speaking
- int verset; // version has been set
- int ver2hi; // server got a version 2 hello
- int isClient; // is this the client or server?
- Bytes *sid; // SessionID
- Bytes *cert; // only last - no chain
- Lock statelk;
- int state; // must be set using setstate
- // input buffer for handshake messages
- uchar buf[MaxChunk+2048];
- uchar *rp, *ep;
- uchar crandom[RandomSize]; // client random
- uchar srandom[RandomSize]; // server random
- int clientVersion; // version in ClientHello
- char *digest; // name of digest algorithm to use
- char *enc; // name of encryption algorithm to use
- int nsecret; // amount of secret data to init keys
- // for finished messages
- MD5state hsmd5; // handshake hash
- SHAstate hssha1; // handshake hash
- Finished finished;
- } TlsConnection;
- typedef struct Msg{
- int tag;
- union {
- struct {
- int version;
- uchar random[RandomSize];
- Bytes* sid;
- Ints* ciphers;
- Bytes* compressors;
- } clientHello;
- struct {
- int version;
- uchar random[RandomSize];
- Bytes* sid;
- int cipher;
- int compressor;
- } serverHello;
- struct {
- int ncert;
- Bytes **certs;
- } certificate;
- struct {
- Bytes *types;
- int nca;
- Bytes **cas;
- } certificateRequest;
- struct {
- Bytes *key;
- } clientKeyExchange;
- Finished finished;
- } u;
- } Msg;
- typedef struct TlsSec{
- char *server; // name of remote; nil for server
- int ok; // <0 killed; == 0 in progress; >0 reusable
- RSApub *rsapub;
- AuthRpc *rpc; // factotum for rsa private key
- uchar sec[MasterSecretSize]; // master secret
- uchar crandom[RandomSize]; // client random
- uchar srandom[RandomSize]; // server random
- int clientVers; // version in ClientHello
- int vers; // final version
- // byte generation and handshake checksum
- void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
- void (*setFinished)(TlsSec*, MD5state, SHAstate, uchar*, int);
- int nfin;
- } TlsSec;
- enum {
- TLSVersion = 0x0301,
- SSL3Version = 0x0300,
- ProtocolVersion = 0x0301, // maximum version we speak
- MinProtoVersion = 0x0300, // limits on version we accept
- MaxProtoVersion = 0x03ff,
- };
- // handshake type
- enum {
- HHelloRequest,
- HClientHello,
- HServerHello,
- HSSL2ClientHello = 9, /* local convention; see devtls.c */
- HCertificate = 11,
- HServerKeyExchange,
- HCertificateRequest,
- HServerHelloDone,
- HCertificateVerify,
- HClientKeyExchange,
- HFinished = 20,
- HMax
- };
- // alerts
- enum {
- ECloseNotify = 0,
- EUnexpectedMessage = 10,
- EBadRecordMac = 20,
- EDecryptionFailed = 21,
- ERecordOverflow = 22,
- EDecompressionFailure = 30,
- EHandshakeFailure = 40,
- ENoCertificate = 41,
- EBadCertificate = 42,
- EUnsupportedCertificate = 43,
- ECertificateRevoked = 44,
- ECertificateExpired = 45,
- ECertificateUnknown = 46,
- EIllegalParameter = 47,
- EUnknownCa = 48,
- EAccessDenied = 49,
- EDecodeError = 50,
- EDecryptError = 51,
- EExportRestriction = 60,
- EProtocolVersion = 70,
- EInsufficientSecurity = 71,
- EInternalError = 80,
- EUserCanceled = 90,
- ENoRenegotiation = 100,
- EMax = 256
- };
- // cipher suites
- enum {
- TLS_NULL_WITH_NULL_NULL = 0x0000,
- TLS_RSA_WITH_NULL_MD5 = 0x0001,
- TLS_RSA_WITH_NULL_SHA = 0x0002,
- TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
- TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
- TLS_RSA_WITH_RC4_128_SHA = 0x0005,
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006,
- TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
- TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008,
- TLS_RSA_WITH_DES_CBC_SHA = 0X0009,
- TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A,
- TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X000B,
- TLS_DH_DSS_WITH_DES_CBC_SHA = 0X000C,
- TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0X000D,
- TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X000E,
- TLS_DH_RSA_WITH_DES_CBC_SHA = 0X000F,
- TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0X0010,
- TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X0011,
- TLS_DHE_DSS_WITH_DES_CBC_SHA = 0X0012,
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0X0013, // ZZZ must be implemented for tls1.0 compliance
- TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0014,
- TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015,
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016,
- TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
- TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
- TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
- TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
- TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
- TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
- TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0X0033,
- TLS_DH_anon_WITH_AES_128_CBC_SHA = 0X0034,
- TLS_RSA_WITH_AES_256_CBC_SHA = 0X0035,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0X0036,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0X0037,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
- TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
- CipherMax
- };
- // compression methods
- enum {
- CompressionNull = 0,
- CompressionMax
- };
- static Algs cipherAlgs[] = {
- {"rc4_128", "md5", 2 * (16 + MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
- {"rc4_128", "sha1", 2 * (16 + SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
- {"3des_ede_cbc","sha1",2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
- };
- static uchar compressors[] = {
- CompressionNull,
- };
- static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chain);
- static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...));
- static void msgClear(Msg *m);
- static char* msgPrint(char *buf, int n, Msg *m);
- static int msgRecv(TlsConnection *c, Msg *m);
- static int msgSend(TlsConnection *c, Msg *m, int act);
- static void tlsError(TlsConnection *c, int err, char *msg, ...);
- #pragma varargck argpos tlsError 3
- static int setVersion(TlsConnection *c, int version);
- static int finishedMatch(TlsConnection *c, Finished *f);
- static void tlsConnectionFree(TlsConnection *c);
- static int setAlgs(TlsConnection *c, int a);
- static int okCipher(Ints *cv);
- static int okCompression(Bytes *cv);
- static int initCiphers(void);
- static Ints* makeciphers(void);
- static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
- static int tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd);
- static TlsSec* tlsSecInitc(int cvers, uchar *crandom);
- static int tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd);
- static int tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient);
- static void tlsSecOk(TlsSec *sec);
- static void tlsSecKill(TlsSec *sec);
- static void tlsSecClose(TlsSec *sec);
- static void setMasterSecret(TlsSec *sec, Bytes *pm);
- static void serverMasterSecret(TlsSec *sec, uchar *epm, int nepm);
- static void setSecrets(TlsSec *sec, uchar *kd, int nkd);
- static int clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm);
- static Bytes *pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
- static Bytes *pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm);
- static void tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
- static void sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
- static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
- uchar *seed0, int nseed0, uchar *seed1, int nseed1);
- static int setVers(TlsSec *sec, int version);
- static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
- static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
- static void factotum_rsa_close(AuthRpc*rpc);
- static void* emalloc(int);
- static void* erealloc(void*, int);
- static void put32(uchar *p, u32int);
- static void put24(uchar *p, int);
- static void put16(uchar *p, int);
- static u32int get32(uchar *p);
- static int get24(uchar *p);
- static int get16(uchar *p);
- static Bytes* newbytes(int len);
- static Bytes* makebytes(uchar* buf, int len);
- static void freebytes(Bytes* b);
- static Ints* newints(int len);
- static Ints* makeints(int* buf, int len);
- static void freeints(Ints* b);
- //================= client/server ========================
- // push TLS onto fd, returning new (application) file descriptor
- // or -1 if error.
- int
- tlsServer(int fd, TLSconn *conn)
- {
- char buf[8];
- char dname[64];
- int n, data, ctl, hand;
- TlsConnection *tls;
- if(conn == nil)
- return -1;
- ctl = open("#a/tls/clone", ORDWR);
- if(ctl < 0)
- return -1;
- n = read(ctl, buf, sizeof(buf)-1);
- if(n < 0){
- close(ctl);
- return -1;
- }
- buf[n] = 0;
- sprint(conn->dir, "#a/tls/%s", buf);
- sprint(dname, "#a/tls/%s/hand", buf);
- hand = open(dname, ORDWR);
- if(hand < 0){
- close(ctl);
- return -1;
- }
- fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
- tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
- sprint(dname, "#a/tls/%s/data", buf);
- data = open(dname, ORDWR);
- close(fd);
- close(hand);
- close(ctl);
- if(data < 0){
- return -1;
- }
- if(tls == nil){
- close(data);
- return -1;
- }
- if(conn->cert)
- free(conn->cert);
- conn->cert = 0; // client certificates are not yet implemented
- conn->certlen = 0;
- conn->sessionIDlen = tls->sid->len;
- conn->sessionID = emalloc(conn->sessionIDlen);
- memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
- if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0)
- tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst, tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize);
- tlsConnectionFree(tls);
- return data;
- }
- // push TLS onto fd, returning new (application) file descriptor
- // or -1 if error.
- int
- tlsClient(int fd, TLSconn *conn)
- {
- char buf[8];
- char dname[64];
- int n, data, ctl, hand;
- TlsConnection *tls;
- if(!conn)
- return -1;
- ctl = open("#a/tls/clone", ORDWR);
- if(ctl < 0)
- return -1;
- n = read(ctl, buf, sizeof(buf)-1);
- if(n < 0){
- close(ctl);
- return -1;
- }
- buf[n] = 0;
- sprint(conn->dir, "#a/tls/%s", buf);
- sprint(dname, "#a/tls/%s/hand", buf);
- hand = open(dname, ORDWR);
- if(hand < 0){
- close(ctl);
- return -1;
- }
- sprint(dname, "#a/tls/%s/data", buf);
- data = open(dname, ORDWR);
- if(data < 0)
- return -1;
- fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
- tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->trace);
- close(fd);
- close(hand);
- close(ctl);
- if(tls == nil){
- close(data);
- return -1;
- }
- conn->certlen = tls->cert->len;
- conn->cert = emalloc(conn->certlen);
- memcpy(conn->cert, tls->cert->data, conn->certlen);
- conn->sessionIDlen = tls->sid->len;
- conn->sessionID = emalloc(conn->sessionIDlen);
- memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
- if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0)
- tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst, tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize);
- tlsConnectionFree(tls);
- return data;
- }
- static int
- countchain(PEMChain *p)
- {
- int i = 0;
- while (p) {
- i++;
- p = p->next;
- }
- return i;
- }
- static TlsConnection *
- tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chp)
- {
- TlsConnection *c;
- Msg m;
- Bytes *csid;
- uchar sid[SidSize], kd[MaxKeyData];
- char *secrets;
- int cipher, compressor, nsid, rv, numcerts, i;
- if(trace)
- trace("tlsServer2\n");
- if(!initCiphers())
- return nil;
- c = emalloc(sizeof(TlsConnection));
- c->ctl = ctl;
- c->hand = hand;
- c->trace = trace;
- c->version = ProtocolVersion;
- memset(&m, 0, sizeof(m));
- if(!msgRecv(c, &m)){
- if(trace)
- trace("initial msgRecv failed\n");
- goto Err;
- }
- if(m.tag != HClientHello) {
- tlsError(c, EUnexpectedMessage, "expected a client hello");
- goto Err;
- }
- c->clientVersion = m.u.clientHello.version;
- if(trace)
- trace("ClientHello version %x\n", c->clientVersion);
- if(setVersion(c, m.u.clientHello.version) < 0) {
- tlsError(c, EIllegalParameter, "incompatible version");
- goto Err;
- }
- memmove(c->crandom, m.u.clientHello.random, RandomSize);
- cipher = okCipher(m.u.clientHello.ciphers);
- if(cipher < 0) {
- // reply with EInsufficientSecurity if we know that's the case
- if(cipher == -2)
- tlsError(c, EInsufficientSecurity, "cipher suites too weak");
- else
- tlsError(c, EHandshakeFailure, "no matching cipher suite");
- goto Err;
- }
- if(!setAlgs(c, cipher)){
- tlsError(c, EHandshakeFailure, "no matching cipher suite");
- goto Err;
- }
- compressor = okCompression(m.u.clientHello.compressors);
- if(compressor < 0) {
- tlsError(c, EHandshakeFailure, "no matching compressor");
- goto Err;
- }
- csid = m.u.clientHello.sid;
- if(trace)
- trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
- c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
- if(c->sec == nil){
- tlsError(c, EHandshakeFailure, "can't initialize security: %r");
- goto Err;
- }
- c->sec->rpc = factotum_rsa_open(cert, ncert);
- if(c->sec->rpc == nil){
- tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
- goto Err;
- }
- c->sec->rsapub = X509toRSApub(cert, ncert, nil, 0);
- msgClear(&m);
- m.tag = HServerHello;
- m.u.serverHello.version = c->version;
- memmove(m.u.serverHello.random, c->srandom, RandomSize);
- m.u.serverHello.cipher = cipher;
- m.u.serverHello.compressor = compressor;
- c->sid = makebytes(sid, nsid);
- m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
- if(!msgSend(c, &m, AQueue))
- goto Err;
- msgClear(&m);
- m.tag = HCertificate;
- numcerts = countchain(chp);
- m.u.certificate.ncert = 1 + numcerts;
- m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes));
- m.u.certificate.certs[0] = makebytes(cert, ncert);
- for (i = 0; i < numcerts && chp; i++, chp = chp->next)
- m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
- if(!msgSend(c, &m, AQueue))
- goto Err;
- msgClear(&m);
- m.tag = HServerHelloDone;
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- if(!msgRecv(c, &m))
- goto Err;
- if(m.tag != HClientKeyExchange) {
- tlsError(c, EUnexpectedMessage, "expected a client key exchange");
- goto Err;
- }
- if(tlsSecSecrets(c->sec, c->version, m.u.clientKeyExchange.key->data, m.u.clientKeyExchange.key->len, kd, c->nsecret) < 0){
- tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
- goto Err;
- }
- if(trace)
- trace("tls secrets\n");
- secrets = (char*)emalloc(2*c->nsecret);
- enc64(secrets, 2*c->nsecret, kd, c->nsecret);
- rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
- memset(secrets, 0, 2*c->nsecret);
- free(secrets);
- memset(kd, 0, c->nsecret);
- if(rv < 0){
- tlsError(c, EHandshakeFailure, "can't set keys: %r");
- goto Err;
- }
- msgClear(&m);
- /* no CertificateVerify; skip to Finished */
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
- tlsError(c, EInternalError, "can't set finished: %r");
- goto Err;
- }
- if(!msgRecv(c, &m))
- goto Err;
- if(m.tag != HFinished) {
- tlsError(c, EUnexpectedMessage, "expected a finished");
- goto Err;
- }
- if(!finishedMatch(c, &m.u.finished)) {
- tlsError(c, EHandshakeFailure, "finished verification failed");
- goto Err;
- }
- msgClear(&m);
- /* change cipher spec */
- if(fprint(c->ctl, "changecipher") < 0){
- tlsError(c, EInternalError, "can't enable cipher: %r");
- goto Err;
- }
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
- tlsError(c, EInternalError, "can't set finished: %r");
- goto Err;
- }
- m.tag = HFinished;
- m.u.finished = c->finished;
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- if(trace)
- trace("tls finished\n");
- if(fprint(c->ctl, "opened") < 0)
- goto Err;
- tlsSecOk(c->sec);
- return c;
- Err:
- msgClear(&m);
- tlsConnectionFree(c);
- return 0;
- }
- static TlsConnection *
- tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...))
- {
- TlsConnection *c;
- Msg m;
- uchar kd[MaxKeyData], *epm;
- char *secrets;
- int creq, nepm, rv;
- if(!initCiphers())
- return nil;
- epm = nil;
- c = emalloc(sizeof(TlsConnection));
- c->version = ProtocolVersion;
- c->ctl = ctl;
- c->hand = hand;
- c->trace = trace;
- c->isClient = 1;
- c->clientVersion = c->version;
- c->sec = tlsSecInitc(c->clientVersion, c->crandom);
- if(c->sec == nil)
- goto Err;
- /* client hello */
- memset(&m, 0, sizeof(m));
- m.tag = HClientHello;
- m.u.clientHello.version = c->clientVersion;
- memmove(m.u.clientHello.random, c->crandom, RandomSize);
- m.u.clientHello.sid = makebytes(csid, ncsid);
- m.u.clientHello.ciphers = makeciphers();
- m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- /* server hello */
- if(!msgRecv(c, &m))
- goto Err;
- if(m.tag != HServerHello) {
- tlsError(c, EUnexpectedMessage, "expected a server hello");
- goto Err;
- }
- if(setVersion(c, m.u.serverHello.version) < 0) {
- tlsError(c, EIllegalParameter, "incompatible version %r");
- goto Err;
- }
- memmove(c->srandom, m.u.serverHello.random, RandomSize);
- c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
- if(c->sid->len != 0 && c->sid->len != SidSize) {
- tlsError(c, EIllegalParameter, "invalid server session identifier");
- goto Err;
- }
- if(!setAlgs(c, m.u.serverHello.cipher)) {
- tlsError(c, EIllegalParameter, "invalid cipher suite");
- goto Err;
- }
- if(m.u.serverHello.compressor != CompressionNull) {
- tlsError(c, EIllegalParameter, "invalid compression");
- goto Err;
- }
- msgClear(&m);
- /* certificate */
- if(!msgRecv(c, &m) || m.tag != HCertificate) {
- tlsError(c, EUnexpectedMessage, "expected a certificate");
- goto Err;
- }
- if(m.u.certificate.ncert < 1) {
- tlsError(c, EIllegalParameter, "runt certificate");
- goto Err;
- }
- c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
- msgClear(&m);
- /* server key exchange (optional) */
- if(!msgRecv(c, &m))
- goto Err;
- if(m.tag == HServerKeyExchange) {
- tlsError(c, EUnexpectedMessage, "got an server key exchange");
- goto Err;
- // If implementing this later, watch out for rollback attack
- // described in Wagner Schneier 1996, section 4.4.
- }
- /* certificate request (optional) */
- creq = 0;
- if(m.tag == HCertificateRequest) {
- creq = 1;
- msgClear(&m);
- if(!msgRecv(c, &m))
- goto Err;
- }
- if(m.tag != HServerHelloDone) {
- tlsError(c, EUnexpectedMessage, "expected a server hello done");
- goto Err;
- }
- msgClear(&m);
- if(tlsSecSecretc(c->sec, c->sid->data, c->sid->len, c->srandom,
- c->cert->data, c->cert->len, c->version, &epm, &nepm,
- kd, c->nsecret) < 0){
- tlsError(c, EBadCertificate, "invalid x509/rsa certificate");
- goto Err;
- }
- secrets = (char*)emalloc(2*c->nsecret);
- enc64(secrets, 2*c->nsecret, kd, c->nsecret);
- rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
- memset(secrets, 0, 2*c->nsecret);
- free(secrets);
- memset(kd, 0, c->nsecret);
- if(rv < 0){
- tlsError(c, EHandshakeFailure, "can't set keys: %r");
- goto Err;
- }
- if(creq) {
- /* send a zero length certificate */
- m.tag = HCertificate;
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- }
- /* client key exchange */
- m.tag = HClientKeyExchange;
- m.u.clientKeyExchange.key = makebytes(epm, nepm);
- free(epm);
- epm = nil;
- if(m.u.clientKeyExchange.key == nil) {
- tlsError(c, EHandshakeFailure, "can't set secret: %r");
- goto Err;
- }
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- /* change cipher spec */
- if(fprint(c->ctl, "changecipher") < 0){
- tlsError(c, EInternalError, "can't enable cipher: %r");
- goto Err;
- }
- // Cipherchange must occur immediately before Finished to avoid
- // potential hole; see section 4.3 of Wagner Schneier 1996.
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
- tlsError(c, EInternalError, "can't set finished 1: %r");
- goto Err;
- }
- m.tag = HFinished;
- m.u.finished = c->finished;
- if(!msgSend(c, &m, AFlush)) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
- tlsError(c, EInternalError, "can't flush after client Finished: %r");
- goto Err;
- }
- msgClear(&m);
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
- fprint(2, "tlsClient nepm=%d\n", nepm);
- tlsError(c, EInternalError, "can't set finished 0: %r");
- goto Err;
- }
- if(!msgRecv(c, &m)) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
- tlsError(c, EInternalError, "can't read server Finished: %r");
- goto Err;
- }
- if(m.tag != HFinished) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
- tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
- goto Err;
- }
- if(!finishedMatch(c, &m.u.finished)) {
- tlsError(c, EHandshakeFailure, "finished verification failed");
- goto Err;
- }
- msgClear(&m);
- if(fprint(c->ctl, "opened") < 0){
- if(trace)
- trace("unable to do final open: %r\n");
- goto Err;
- }
- tlsSecOk(c->sec);
- return c;
- Err:
- free(epm);
- msgClear(&m);
- tlsConnectionFree(c);
- return 0;
- }
- //================= message functions ========================
- static uchar sendbuf[9000], *sendp;
- static int
- msgSend(TlsConnection *c, Msg *m, int act)
- {
- uchar *p; // sendp = start of new message; p = write pointer
- int nn, n, i;
- if(sendp == nil)
- sendp = sendbuf;
- p = sendp;
- if(c->trace)
- c->trace("send %s", msgPrint((char*)p, (sizeof sendbuf) - (p-sendbuf), m));
- p[0] = m->tag; // header - fill in size later
- p += 4;
- switch(m->tag) {
- default:
- tlsError(c, EInternalError, "can't encode a %d", m->tag);
- goto Err;
- case HClientHello:
- // version
- put16(p, m->u.clientHello.version);
- p += 2;
- // random
- memmove(p, m->u.clientHello.random, RandomSize);
- p += RandomSize;
- // sid
- n = m->u.clientHello.sid->len;
- assert(n < 256);
- p[0] = n;
- memmove(p+1, m->u.clientHello.sid->data, n);
- p += n+1;
- n = m->u.clientHello.ciphers->len;
- assert(n > 0 && n < 200);
- put16(p, n*2);
- p += 2;
- for(i=0; i<n; i++) {
- put16(p, m->u.clientHello.ciphers->data[i]);
- p += 2;
- }
- n = m->u.clientHello.compressors->len;
- assert(n > 0);
- p[0] = n;
- memmove(p+1, m->u.clientHello.compressors->data, n);
- p += n+1;
- break;
- case HServerHello:
- put16(p, m->u.serverHello.version);
- p += 2;
- // random
- memmove(p, m->u.serverHello.random, RandomSize);
- p += RandomSize;
- // sid
- n = m->u.serverHello.sid->len;
- assert(n < 256);
- p[0] = n;
- memmove(p+1, m->u.serverHello.sid->data, n);
- p += n+1;
- put16(p, m->u.serverHello.cipher);
- p += 2;
- p[0] = m->u.serverHello.compressor;
- p += 1;
- break;
- case HServerHelloDone:
- break;
- case HCertificate:
- nn = 0;
- for(i = 0; i < m->u.certificate.ncert; i++)
- nn += 3 + m->u.certificate.certs[i]->len;
- if(p + 3 + nn - sendbuf > sizeof(sendbuf)) {
- tlsError(c, EInternalError, "output buffer too small for certificate");
- goto Err;
- }
- put24(p, nn);
- p += 3;
- for(i = 0; i < m->u.certificate.ncert; i++){
- put24(p, m->u.certificate.certs[i]->len);
- p += 3;
- memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
- p += m->u.certificate.certs[i]->len;
- }
- break;
- case HClientKeyExchange:
- n = m->u.clientKeyExchange.key->len;
- if(c->version != SSL3Version){
- put16(p, n);
- p += 2;
- }
- memmove(p, m->u.clientKeyExchange.key->data, n);
- p += n;
- break;
- case HFinished:
- memmove(p, m->u.finished.verify, m->u.finished.n);
- p += m->u.finished.n;
- break;
- }
- // go back and fill in size
- n = p-sendp;
- assert(p <= sendbuf+sizeof(sendbuf));
- put24(sendp+1, n-4);
- // remember hash of Handshake messages
- if(m->tag != HHelloRequest) {
- md5(sendp, n, 0, &c->hsmd5);
- sha1(sendp, n, 0, &c->hssha1);
- }
- sendp = p;
- if(act == AFlush){
- sendp = sendbuf;
- if(write(c->hand, sendbuf, p-sendbuf) < 0){
- fprint(2, "write error: %r\n");
- goto Err;
- }
- }
- msgClear(m);
- return 1;
- Err:
- msgClear(m);
- return 0;
- }
- static uchar*
- tlsReadN(TlsConnection *c, int n)
- {
- uchar *p;
- int nn, nr;
- nn = c->ep - c->rp;
- if(nn < n){
- if(c->rp != c->buf){
- memmove(c->buf, c->rp, nn);
- c->rp = c->buf;
- c->ep = &c->buf[nn];
- }
- for(; nn < n; nn += nr) {
- nr = read(c->hand, &c->rp[nn], n - nn);
- if(nr <= 0)
- return nil;
- c->ep += nr;
- }
- }
- p = c->rp;
- c->rp += n;
- return p;
- }
- static int
- msgRecv(TlsConnection *c, Msg *m)
- {
- uchar *p;
- int type, n, nn, i, nsid, nrandom, nciph;
- for(;;) {
- p = tlsReadN(c, 4);
- if(p == nil)
- return 0;
- type = p[0];
- n = get24(p+1);
- if(type != HHelloRequest)
- break;
- if(n != 0) {
- tlsError(c, EDecodeError, "invalid hello request during handshake");
- return 0;
- }
- }
- if(n > sizeof(c->buf)) {
- tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->buf));
- return 0;
- }
- if(type == HSSL2ClientHello){
- /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
- This is sent by some clients that we must interoperate
- with, such as Java's JSSE and Microsoft's Internet Explorer. */
- p = tlsReadN(c, n);
- if(p == nil)
- return 0;
- md5(p, n, 0, &c->hsmd5);
- sha1(p, n, 0, &c->hssha1);
- m->tag = HClientHello;
- if(n < 22)
- goto Short;
- m->u.clientHello.version = get16(p+1);
- p += 3;
- n -= 3;
- nn = get16(p); /* cipher_spec_len */
- nsid = get16(p + 2);
- nrandom = get16(p + 4);
- p += 6;
- n -= 6;
- if(nsid != 0 /* no sid's, since shouldn't restart using ssl2 header */
- || nrandom < 16 || nn % 3)
- goto Err;
- if(c->trace && (n - nrandom != nn))
- c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
- /* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
- nciph = 0;
- for(i = 0; i < nn; i += 3)
- if(p[i] == 0)
- nciph++;
- m->u.clientHello.ciphers = newints(nciph);
- nciph = 0;
- for(i = 0; i < nn; i += 3)
- if(p[i] == 0)
- m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]);
- p += nn;
- m->u.clientHello.sid = makebytes(nil, 0);
- if(nrandom > RandomSize)
- nrandom = RandomSize;
- memset(m->u.clientHello.random, 0, RandomSize - nrandom);
- memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
- m->u.clientHello.compressors = newbytes(1);
- m->u.clientHello.compressors->data[0] = CompressionNull;
- goto Ok;
- }
- md5(p, 4, 0, &c->hsmd5);
- sha1(p, 4, 0, &c->hssha1);
- p = tlsReadN(c, n);
- if(p == nil)
- return 0;
- md5(p, n, 0, &c->hsmd5);
- sha1(p, n, 0, &c->hssha1);
- m->tag = type;
- switch(type) {
- default:
- tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
- goto Err;
- case HClientHello:
- if(n < 2)
- goto Short;
- m->u.clientHello.version = get16(p);
- p += 2;
- n -= 2;
- if(n < RandomSize)
- goto Short;
- memmove(m->u.clientHello.random, p, RandomSize);
- p += RandomSize;
- n -= RandomSize;
- if(n < 1 || n < p[0]+1)
- goto Short;
- m->u.clientHello.sid = makebytes(p+1, p[0]);
- p += m->u.clientHello.sid->len+1;
- n -= m->u.clientHello.sid->len+1;
- if(n < 2)
- goto Short;
- nn = get16(p);
- p += 2;
- n -= 2;
- if((nn & 1) || n < nn || nn < 2)
- goto Short;
- m->u.clientHello.ciphers = newints(nn >> 1);
- for(i = 0; i < nn; i += 2)
- m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
- p += nn;
- n -= nn;
- if(n < 1 || n < p[0]+1 || p[0] == 0)
- goto Short;
- nn = p[0];
- m->u.clientHello.compressors = newbytes(nn);
- memmove(m->u.clientHello.compressors->data, p+1, nn);
- n -= nn + 1;
- break;
- case HServerHello:
- if(n < 2)
- goto Short;
- m->u.serverHello.version = get16(p);
- p += 2;
- n -= 2;
- if(n < RandomSize)
- goto Short;
- memmove(m->u.serverHello.random, p, RandomSize);
- p += RandomSize;
- n -= RandomSize;
- if(n < 1 || n < p[0]+1)
- goto Short;
- m->u.serverHello.sid = makebytes(p+1, p[0]);
- p += m->u.serverHello.sid->len+1;
- n -= m->u.serverHello.sid->len+1;
- if(n < 3)
- goto Short;
- m->u.serverHello.cipher = get16(p);
- m->u.serverHello.compressor = p[2];
- n -= 3;
- break;
- case HCertificate:
- if(n < 3)
- goto Short;
- nn = get24(p);
- p += 3;
- n -= 3;
- if(n != nn)
- goto Short;
- /* certs */
- i = 0;
- while(n > 0) {
- if(n < 3)
- goto Short;
- nn = get24(p);
- p += 3;
- n -= 3;
- if(nn > n)
- goto Short;
- m->u.certificate.ncert = i+1;
- m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes));
- m->u.certificate.certs[i] = makebytes(p, nn);
- p += nn;
- n -= nn;
- i++;
- }
- break;
- case HCertificateRequest:
- if(n < 1)
- goto Short;
- nn = p[0];
- p += 1;
- n -= 1;
- if(nn < 1 || nn > n)
- goto Short;
- m->u.certificateRequest.types = makebytes(p, nn);
- p += nn;
- n -= nn;
- if(n < 2)
- goto Short;
- nn = get16(p);
- p += 2;
- n -= 2;
- if(nn == 0 || n != nn)
- goto Short;
- /* cas */
- i = 0;
- while(n > 0) {
- if(n < 2)
- goto Short;
- nn = get16(p);
- p += 2;
- n -= 2;
- if(nn < 1 || nn > n)
- goto Short;
- m->u.certificateRequest.nca = i+1;
- m->u.certificateRequest.cas = erealloc(m->u.certificateRequest.cas, (i+1)*sizeof(Bytes));
- m->u.certificateRequest.cas[i] = makebytes(p, nn);
- p += nn;
- n -= nn;
- i++;
- }
- break;
- case HServerHelloDone:
- break;
- case HClientKeyExchange:
- /*
- * this message depends upon the encryption selected
- * assume rsa.
- */
- if(c->version == SSL3Version)
- nn = n;
- else{
- if(n < 2)
- goto Short;
- nn = get16(p);
- p += 2;
- n -= 2;
- }
- if(n < nn)
- goto Short;
- m->u.clientKeyExchange.key = makebytes(p, nn);
- n -= nn;
- break;
- case HFinished:
- m->u.finished.n = c->finished.n;
- if(n < m->u.finished.n)
- goto Short;
- memmove(m->u.finished.verify, p, m->u.finished.n);
- n -= m->u.finished.n;
- break;
- }
- if(type != HClientHello && n != 0)
- goto Short;
- Ok:
- if(c->trace){
- char *buf;
- buf = emalloc(8000);
- c->trace("recv %s", msgPrint(buf, 8000, m));
- free(buf);
- }
- return 1;
- Short:
- tlsError(c, EDecodeError, "handshake message has invalid length");
- Err:
- msgClear(m);
- return 0;
- }
- static void
- msgClear(Msg *m)
- {
- int i;
- switch(m->tag) {
- default:
- sysfatal("msgClear: unknown message type: %d\n", m->tag);
- case HHelloRequest:
- break;
- case HClientHello:
- freebytes(m->u.clientHello.sid);
- freeints(m->u.clientHello.ciphers);
- freebytes(m->u.clientHello.compressors);
- break;
- case HServerHello:
- freebytes(m->u.clientHello.sid);
- break;
- case HCertificate:
- for(i=0; i<m->u.certificate.ncert; i++)
- freebytes(m->u.certificate.certs[i]);
- free(m->u.certificate.certs);
- break;
- case HCertificateRequest:
- freebytes(m->u.certificateRequest.types);
- for(i=0; i<m->u.certificateRequest.nca; i++)
- freebytes(m->u.certificateRequest.cas[i]);
- free(m->u.certificateRequest.cas);
- break;
- case HServerHelloDone:
- break;
- case HClientKeyExchange:
- freebytes(m->u.clientKeyExchange.key);
- break;
- case HFinished:
- break;
- }
- memset(m, 0, sizeof(Msg));
- }
- static char *
- bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
- {
- int i;
- if(s0)
- bs = seprint(bs, be, "%s", s0);
- bs = seprint(bs, be, "[");
- if(b == nil)
- bs = seprint(bs, be, "nil");
- else
- for(i=0; i<b->len; i++)
- bs = seprint(bs, be, "%.2x ", b->data[i]);
- bs = seprint(bs, be, "]");
- if(s1)
- bs = seprint(bs, be, "%s", s1);
- return bs;
- }
- static char *
- intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
- {
- int i;
- if(s0)
- bs = seprint(bs, be, "%s", s0);
- bs = seprint(bs, be, "[");
- if(b == nil)
- bs = seprint(bs, be, "nil");
- else
- for(i=0; i<b->len; i++)
- bs = seprint(bs, be, "%x ", b->data[i]);
- bs = seprint(bs, be, "]");
- if(s1)
- bs = seprint(bs, be, "%s", s1);
- return bs;
- }
- static char*
- msgPrint(char *buf, int n, Msg *m)
- {
- int i;
- char *bs = buf, *be = buf+n;
- switch(m->tag) {
- default:
- bs = seprint(bs, be, "unknown %d\n", m->tag);
- break;
- case HClientHello:
- bs = seprint(bs, be, "ClientHello\n");
- bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version);
- bs = seprint(bs, be, "\trandom: ");
- for(i=0; i<RandomSize; i++)
- bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]);
- bs = seprint(bs, be, "\n");
- bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
- bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
- bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
- break;
- case HServerHello:
- bs = seprint(bs, be, "ServerHello\n");
- bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version);
- bs = seprint(bs, be, "\trandom: ");
- for(i=0; i<RandomSize; i++)
- bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]);
- bs = seprint(bs, be, "\n");
- bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
- bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
- bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
- break;
- case HCertificate:
- bs = seprint(bs, be, "Certificate\n");
- for(i=0; i<m->u.certificate.ncert; i++)
- bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n");
- break;
- case HCertificateRequest:
- bs = seprint(bs, be, "CertificateRequest\n");
- bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
- bs = seprint(bs, be, "\tcertificateauthorities\n");
- for(i=0; i<m->u.certificateRequest.nca; i++)
- bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
- break;
- case HServerHelloDone:
- bs = seprint(bs, be, "ServerHelloDone\n");
- break;
- case HClientKeyExchange:
- bs = seprint(bs, be, "HClientKeyExchange\n");
- bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
- break;
- case HFinished:
- bs = seprint(bs, be, "HFinished\n");
- for(i=0; i<m->u.finished.n; i++)
- bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]);
- bs = seprint(bs, be, "\n");
- break;
- }
- USED(bs);
- return buf;
- }
- static void
- tlsError(TlsConnection *c, int err, char *fmt, ...)
- {
- char msg[512];
- va_list arg;
- va_start(arg, fmt);
- vseprint(msg, msg+sizeof(msg), fmt, arg);
- va_end(arg);
- if(c->trace)
- c->trace("tlsError: %s\n", msg);
- else if(c->erred)
- fprint(2, "double error: %r, %s", msg);
- else
- werrstr("tls: local %s", msg);
- c->erred = 1;
- fprint(c->ctl, "alert %d", err);
- }
- // commit to specific version number
- static int
- setVersion(TlsConnection *c, int version)
- {
- if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
- return -1;
- if(version > c->version)
- version = c->version;
- if(version == SSL3Version) {
- c->version = version;
- c->finished.n = SSL3FinishedLen;
- }else if(version == TLSVersion){
- c->version = version;
- c->finished.n = TLSFinishedLen;
- }else
- return -1;
- c->verset = 1;
- return fprint(c->ctl, "version 0x%x", version);
- }
- // confirm that received Finished message matches the expected value
- static int
- finishedMatch(TlsConnection *c, Finished *f)
- {
- return memcmp(f->verify, c->finished.verify, f->n) == 0;
- }
- // free memory associated with TlsConnection struct
- // (but don't close the TLS channel itself)
- static void
- tlsConnectionFree(TlsConnection *c)
- {
- tlsSecClose(c->sec);
- freebytes(c->sid);
- freebytes(c->cert);
- memset(c, 0, sizeof(c));
- free(c);
- }
- //================= cipher choices ========================
- static int weakCipher[CipherMax] =
- {
- 1, /* TLS_NULL_WITH_NULL_NULL */
- 1, /* TLS_RSA_WITH_NULL_MD5 */
- 1, /* TLS_RSA_WITH_NULL_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
- 0, /* TLS_RSA_WITH_RC4_128_MD5 */
- 0, /* TLS_RSA_WITH_RC4_128_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
- 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
- 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
- 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
- 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */
- 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
- 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */
- 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
- };
- static int
- setAlgs(TlsConnection *c, int a)
- {
- int i;
- for(i = 0; i < nelem(cipherAlgs); i++){
- if(cipherAlgs[i].tlsid == a){
- c->enc = cipherAlgs[i].enc;
- c->digest = cipherAlgs[i].digest;
- c->nsecret = cipherAlgs[i].nsecret;
- if(c->nsecret > MaxKeyData)
- return 0;
- return 1;
- }
- }
- return 0;
- }
- static int
- okCipher(Ints *cv)
- {
- int weak, i, j, c;
- weak = 1;
- for(i = 0; i < cv->len; i++) {
- c = cv->data[i];
- if(c >= CipherMax)
- weak = 0;
- else
- weak &= weakCipher[c];
- for(j = 0; j < nelem(cipherAlgs); j++)
- if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
- return c;
- }
- if(weak)
- return -2;
- return -1;
- }
- static int
- okCompression(Bytes *cv)
- {
- int i, j, c;
- for(i = 0; i < cv->len; i++) {
- c = cv->data[i];
- for(j = 0; j < nelem(compressors); j++) {
- if(compressors[j] == c)
- return c;
- }
- }
- return -1;
- }
- static Lock ciphLock;
- static int nciphers;
- static int
- initCiphers(void)
- {
- enum {MaxAlgF = 1024, MaxAlgs = 10};
- char s[MaxAlgF], *flds[MaxAlgs];
- int i, j, n, ok;
- lock(&ciphLock);
- if(nciphers){
- unlock(&ciphLock);
- return nciphers;
- }
- j = open("#a/tls/encalgs", OREAD);
- if(j < 0){
- werrstr("can't open #a/tls/encalgs: %r");
- return 0;
- }
- n = read(j, s, MaxAlgF-1);
- close(j);
- if(n <= 0){
- werrstr("nothing in #a/tls/encalgs: %r");
- return 0;
- }
- s[n] = 0;
- n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
- for(i = 0; i < nelem(cipherAlgs); i++){
- ok = 0;
- for(j = 0; j < n; j++){
- if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){
- ok = 1;
- break;
- }
- }
- cipherAlgs[i].ok = ok;
- }
- j = open("#a/tls/hashalgs", OREAD);
- if(j < 0){
- werrstr("can't open #a/tls/hashalgs: %r");
- return 0;
- }
- n = read(j, s, MaxAlgF-1);
- close(j);
- if(n <= 0){
- werrstr("nothing in #a/tls/hashalgs: %r");
- return 0;
- }
- s[n] = 0;
- n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
- for(i = 0; i < nelem(cipherAlgs); i++){
- ok = 0;
- for(j = 0; j < n; j++){
- if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){
- ok = 1;
- break;
- }
- }
- cipherAlgs[i].ok &= ok;
- if(cipherAlgs[i].ok)
- nciphers++;
- }
- unlock(&ciphLock);
- return nciphers;
- }
- static Ints*
- makeciphers(void)
- {
- Ints *is;
- int i, j;
- is = newints(nciphers);
- j = 0;
- for(i = 0; i < nelem(cipherAlgs); i++){
- if(cipherAlgs[i].ok)
- is->data[j++] = cipherAlgs[i].tlsid;
- }
- return is;
- }
- //================= security functions ========================
- // given X.509 certificate, set up connection to factotum
- // for using corresponding private key
- static AuthRpc*
- factotum_rsa_open(uchar *cert, int certlen)
- {
- int afd;
- char *s;
- mpint *pub = nil;
- RSApub *rsapub;
- AuthRpc *rpc;
- // start talking to factotum
- if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
- return nil;
- if((rpc = auth_allocrpc(afd)) == nil){
- close(afd);
- return nil;
- }
- s = "proto=rsa service=tls role=client";
- if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
- factotum_rsa_close(rpc);
- return nil;
- }
- // roll factotum keyring around to match certificate
- rsapub = X509toRSApub(cert, certlen, nil, 0);
- while(1){
- if(auth_rpc(rpc, "read", nil, 0) != ARok){
- factotum_rsa_close(rpc);
- rpc = nil;
- goto done;
- }
- pub = strtomp(rpc->arg, nil, 16, nil);
- assert(pub != nil);
- if(mpcmp(pub,rsapub->n) == 0)
- break;
- }
- done:
- mpfree(pub);
- rsapubfree(rsapub);
- return rpc;
- }
- static mpint*
- factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
- {
- char *p;
- int rv;
- if((p = mptoa(cipher, 16, nil, 0)) == nil)
- return nil;
- rv = auth_rpc(rpc, "write", p, strlen(p));
- free(p);
- if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
- return nil;
- mpfree(cipher);
- return strtomp(rpc->arg, nil, 16, nil);
- }
- static void
- factotum_rsa_close(AuthRpc*rpc)
- {
- if(!rpc)
- return;
- close(rpc->afd);
- auth_freerpc(rpc);
- }
- static void
- tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
- {
- uchar ai[MD5dlen], tmp[MD5dlen];
- int i, n;
- MD5state *s;
- // generate a1
- s = hmac_md5(label, nlabel, key, nkey, nil, nil);
- s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
- hmac_md5(seed1, nseed1, key, nkey, ai, s);
- while(nbuf > 0) {
- s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil);
- s = hmac_md5(label, nlabel, key, nkey, nil, s);
- s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
- hmac_md5(seed1, nseed1, key, nkey, tmp, s);
- n = MD5dlen;
- if(n > nbuf)
- n = nbuf;
- for(i = 0; i < n; i++)
- buf[i] ^= tmp[i];
- buf += n;
- nbuf -= n;
- hmac_md5(ai, MD5dlen, key, nkey, tmp, nil);
- memmove(ai, tmp, MD5dlen);
- }
- }
- static void
- tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
- {
- uchar ai[SHA1dlen], tmp[SHA1dlen];
- int i, n;
- SHAstate *s;
- // generate a1
- s = hmac_sha1(label, nlabel, key, nkey, nil, nil);
- s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
- hmac_sha1(seed1, nseed1, key, nkey, ai, s);
- while(nbuf > 0) {
- s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil);
- s = hmac_sha1(label, nlabel, key, nkey, nil, s);
- s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
- hmac_sha1(seed1, nseed1, key, nkey, tmp, s);
- n = SHA1dlen;
- if(n > nbuf)
- n = nbuf;
- for(i = 0; i < n; i++)
- buf[i] ^= tmp[i];
- buf += n;
- nbuf -= n;
- hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil);
- memmove(ai, tmp, SHA1dlen);
- }
- }
- // fill buf with md5(args)^sha1(args)
- static void
- tlsPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
- {
- int i;
- int nlabel = strlen(label);
- int n = (nkey + 1) >> 1;
- for(i = 0; i < nbuf; i++)
- buf[i] = 0;
- tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
- tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
- }
- /*
- * for setting server session id's
- */
- static Lock sidLock;
- static long maxSid = 1;
- /* the keys are verified to have the same public components
- * and to function correctly with pkcs 1 encryption and decryption. */
- static TlsSec*
- tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
- {
- TlsSec *sec = emalloc(sizeof(*sec));
- USED(csid); USED(ncsid); // ignore csid for now
- memmove(sec->crandom, crandom, RandomSize);
- sec->clientVers = cvers;
- put32(sec->srandom, time(0));
- genrandom(sec->srandom+4, RandomSize-4);
- memmove(srandom, sec->srandom, RandomSize);
- /*
- * make up a unique sid: use our pid, and and incrementing id
- * can signal no sid by setting nssid to 0.
- */
- memset(ssid, 0, SidSize);
- put32(ssid, getpid());
- lock(&sidLock);
- put32(ssid+4, maxSid++);
- unlock(&sidLock);
- *nssid = SidSize;
- return sec;
- }
- static int
- tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd)
- {
- if(epm != nil){
- if(setVers(sec, vers) < 0)
- goto Err;
- serverMasterSecret(sec, epm, nepm);
- }else if(sec->vers != vers){
- werrstr("mismatched session versions");
- goto Err;
- }
- setSecrets(sec, kd, nkd);
- return 0;
- Err:
- sec->ok = -1;
- return -1;
- }
- static TlsSec*
- tlsSecInitc(int cvers, uchar *crandom)
- {
- TlsSec *sec = emalloc(sizeof(*sec));
- sec->clientVers = cvers;
- put32(sec->crandom, time(0));
- genrandom(sec->crandom+4, RandomSize-4);
- memmove(crandom, sec->crandom, RandomSize);
- return sec;
- }
- static int
- tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd)
- {
- RSApub *pub;
- pub = nil;
- USED(sid);
- USED(nsid);
-
- memmove(sec->srandom, srandom, RandomSize);
- if(setVers(sec, vers) < 0)
- goto Err;
- pub = X509toRSApub(cert, ncert, nil, 0);
- if(pub == nil){
- werrstr("invalid x509/rsa certificate");
- goto Err;
- }
- if(clientMasterSecret(sec, pub, epm, nepm) < 0)
- goto Err;
- rsapubfree(pub);
- setSecrets(sec, kd, nkd);
- return 0;
- Err:
- if(pub != nil)
- rsapubfree(pub);
- sec->ok = -1;
- return -1;
- }
- static int
- tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient)
- {
- if(sec->nfin != nfin){
- sec->ok = -1;
- werrstr("invalid finished exchange");
- return -1;
- }
- md5.malloced = 0;
- sha1.malloced = 0;
- (*sec->setFinished)(sec, md5, sha1, fin, isclient);
- return 1;
- }
- static void
- tlsSecOk(TlsSec *sec)
- {
- if(sec->ok == 0)
- sec->ok = 1;
- }
- static void
- tlsSecKill(TlsSec *sec)
- {
- if(!sec)
- return;
- factotum_rsa_close(sec->rpc);
- sec->ok = -1;
- }
- static void
- tlsSecClose(TlsSec *sec)
- {
- if(!sec)
- return;
- factotum_rsa_close(sec->rpc);
- free(sec->server);
- free(sec);
- }
- static int
- setVers(TlsSec *sec, int v)
- {
- if(v == SSL3Version){
- sec->setFinished = sslSetFinished;
- sec->nfin = SSL3FinishedLen;
- sec->prf = sslPRF;
- }else if(v == TLSVersion){
- sec->setFinished = tlsSetFinished;
- sec->nfin = TLSFinishedLen;
- sec->prf = tlsPRF;
- }else{
- werrstr("invalid version");
- return -1;
- }
- sec->vers = v;
- return 0;
- }
- /*
- * generate secret keys from the master secret.
- *
- * different crypto selections will require different amounts
- * of key expansion and use of key expansion data,
- * but it's all generated using the same function.
- */
- static void
- setSecrets(TlsSec *sec, uchar *kd, int nkd)
- {
- (*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
- sec->srandom, RandomSize, sec->crandom, RandomSize);
- }
- /*
- * set the master secret from the pre-master secret.
- */
- static void
- setMasterSecret(TlsSec *sec, Bytes *pm)
- {
- (*sec->prf)(sec->sec, MasterSecretSize, pm->data, MasterSecretSize, "master secret",
- sec->crandom, RandomSize, sec->srandom, RandomSize);
- }
- static void
- serverMasterSecret(TlsSec *sec, uchar *epm, int nepm)
- {
- Bytes *pm;
- pm = pkcs1_decrypt(sec, epm, nepm);
- // if the client messed up, just continue as if everything is ok,
- // to prevent attacks to check for correctly formatted messages.
- // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
- if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
- fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
- sec->ok, pm, pm ? get16(pm->data) : -1, sec->clientVers, nepm);
- sec->ok = -1;
- if(pm != nil)
- freebytes(pm);
- pm = newbytes(MasterSecretSize);
- genrandom(pm->data, MasterSecretSize);
- }
- setMasterSecret(sec, pm);
- memset(pm->data, 0, pm->len);
- freebytes(pm);
- }
- static int
- clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm)
- {
- Bytes *pm, *key;
- pm = newbytes(MasterSecretSize);
- put16(pm->data, sec->clientVers);
- genrandom(pm->data+2, MasterSecretSize - 2);
- setMasterSecret(sec, pm);
- key = pkcs1_encrypt(pm, pub, 2);
- memset(pm->data, 0, pm->len);
- freebytes(pm);
- if(key == nil){
- werrstr("tls pkcs1_encrypt failed");
- return -1;
- }
- *nepm = key->len;
- *epm = malloc(*nepm);
- if(*epm == nil){
- freebytes(key);
- werrstr("out of memory");
- return -1;
- }
- memmove(*epm, key->data, *nepm);
- freebytes(key);
- return 1;
- }
- static void
- sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
- {
- DigestState *s;
- uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
- char *label;
- if(isClient)
- label = "CLNT";
- else
- label = "SRVR";
- md5((uchar*)label, 4, nil, &hsmd5);
- md5(sec->sec, MasterSecretSize, nil, &hsmd5);
- memset(pad, 0x36, 48);
- md5(pad, 48, nil, &hsmd5);
- md5(nil, 0, h0, &hsmd5);
- memset(pad, 0x5C, 48);
- s = md5(sec->sec, MasterSecretSize, nil, nil);
- s = md5(pad, 48, nil, s);
- md5(h0, MD5dlen, finished, s);
- sha1((uchar*)label, 4, nil, &hssha1);
- sha1(sec->sec, MasterSecretSize, nil, &hssha1);
- memset(pad, 0x36, 40);
- sha1(pad, 40, nil, &hssha1);
- sha1(nil, 0, h1, &hssha1);
- memset(pad, 0x5C, 40);
- s = sha1(sec->sec, MasterSecretSize, nil, nil);
- s = sha1(pad, 40, nil, s);
- sha1(h1, SHA1dlen, finished + MD5dlen, s);
- }
- // fill "finished" arg with md5(args)^sha1(args)
- static void
- tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
- {
- uchar h0[MD5dlen], h1[SHA1dlen];
- char *label;
- // get current hash value, but allow further messages to be hashed in
- md5(nil, 0, h0, &hsmd5);
- sha1(nil, 0, h1, &hssha1);
- if(isClient)
- label = "client finished";
- else
- label = "server finished";
- tlsPRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
- }
- static void
- sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
- {
- DigestState *s;
- uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
- int i, n, len;
- USED(label);
- len = 1;
- while(nbuf > 0){
- if(len > 26)
- return;
- for(i = 0; i < len; i++)
- tmp[i] = 'A' - 1 + len;
- s = sha1(tmp, len, nil, nil);
- s = sha1(key, nkey, nil, s);
- s = sha1(seed0, nseed0, nil, s);
- sha1(seed1, nseed1, sha1dig, s);
- s = md5(key, nkey, nil, nil);
- md5(sha1dig, SHA1dlen, md5dig, s);
- n = MD5dlen;
- if(n > nbuf)
- n = nbuf;
- memmove(buf, md5dig, n);
- buf += n;
- nbuf -= n;
- len++;
- }
- }
- static mpint*
- bytestomp(Bytes* bytes)
- {
- mpint* ans;
- ans = betomp(bytes->data, bytes->len, nil);
- return ans;
- }
- /*
- * Convert mpint* to Bytes, putting high order byte first.
- */
- static Bytes*
- mptobytes(mpint* big)
- {
- int n, m;
- uchar *a;
- Bytes* ans;
- a = nil;
- n = (mpsignif(big)+7)/8;
- m = mptobe(big, nil, n, &a);
- ans = makebytes(a, m);
- if(a != nil)
- free(a);
- return ans;
- }
- // Do RSA computation on block according to key, and pad
- // result on left with zeros to make it modlen long.
- static Bytes*
- rsacomp(Bytes* block, RSApub* key, int modlen)
- {
- mpint *x, *y;
- Bytes *a, *ybytes;
- int ylen;
- x = bytestomp(block);
- y = rsaencrypt(key, x, nil);
- mpfree(x);
- ybytes = mptobytes(y);
- ylen = ybytes->len;
- if(ylen < modlen) {
- a = newbytes(modlen);
- memset(a->data, 0, modlen-ylen);
- memmove(a->data+modlen-ylen, ybytes->data, ylen);
- freebytes(ybytes);
- ybytes = a;
- }
- else if(ylen > modlen) {
- // assume it has leading zeros (mod should make it so)
- a = newbytes(modlen);
- memmove(a->data, ybytes->data, modlen);
- freebytes(ybytes);
- ybytes = a;
- }
- mpfree(y);
- return ybytes;
- }
- // encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
- static Bytes*
- pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
- {
- Bytes *pad, *eb, *ans;
- int i, dlen, padlen, modlen;
- modlen = (mpsignif(key->n)+7)/8;
- dlen = data->len;
- if(modlen < 12 || dlen > modlen - 11)
- return nil;
- padlen = modlen - 3 - dlen;
- pad = newbytes(padlen);
- genrandom(pad->data, padlen);
- for(i = 0; i < padlen; i++) {
- if(blocktype == 0)
- pad->data[i] = 0;
- else if(blocktype == 1)
- pad->data[i] = 255;
- else if(pad->data[i] == 0)
- pad->data[i] = 1;
- }
- eb = newbytes(modlen);
- eb->data[0] = 0;
- eb->data[1] = blocktype;
- memmove(eb->data+2, pad->data, padlen);
- eb->data[padlen+2] = 0;
- memmove(eb->data+padlen+3, data->data, dlen);
- ans = rsacomp(eb, key, modlen);
- freebytes(eb);
- freebytes(pad);
- return ans;
- }
- // decrypt data according to PKCS#1, with given key.
- // expect a block type of 2.
- static Bytes*
- pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm)
- {
- Bytes *eb, *ans = nil;
- int i, modlen;
- mpint *x, *y;
- modlen = (mpsignif(sec->rsapub->n)+7)/8;
- if(nepm != modlen)
- return nil;
- x = betomp(epm, nepm, nil);
- y = factotum_rsa_decrypt(sec->rpc, x);
- if(y == nil)
- return nil;
- eb = mptobytes(y);
- if(eb->len < modlen){ // pad on left with zeros
- ans = newbytes(modlen);
- memset(ans->data, 0, modlen-eb->len);
- memmove(ans->data+modlen-eb->len, eb->data, eb->len);
- freebytes(eb);
- eb = ans;
- }
- if(eb->data[0] == 0 && eb->data[1] == 2) {
- for(i = 2; i < modlen; i++)
- if(eb->data[i] == 0)
- break;
- if(i < modlen - 1)
- ans = makebytes(eb->data+i+1, modlen-(i+1));
- }
- freebytes(eb);
- return ans;
- }
- //================= general utility functions ========================
- static void *
- emalloc(int n)
- {
- void *p;
- if(n==0)
- n=1;
- p = malloc(n);
- if(p == nil){
- exits("out of memory");
- }
- memset(p, 0, n);
- return p;
- }
- static void *
- erealloc(void *ReallocP, int ReallocN)
- {
- if(ReallocN == 0)
- ReallocN = 1;
- if(!ReallocP)
- ReallocP = emalloc(ReallocN);
- else if(!(ReallocP = realloc(ReallocP, ReallocN))){
- exits("out of memory");
- }
- return(ReallocP);
- }
- static void
- put32(uchar *p, u32int x)
- {
- p[0] = x>>24;
- p[1] = x>>16;
- p[2] = x>>8;
- p[3] = x;
- }
- static void
- put24(uchar *p, int x)
- {
- p[0] = x>>16;
- p[1] = x>>8;
- p[2] = x;
- }
- static void
- put16(uchar *p, int x)
- {
- p[0] = x>>8;
- p[1] = x;
- }
- static u32int
- get32(uchar *p)
- {
- return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
- }
- static int
- get24(uchar *p)
- {
- return (p[0]<<16)|(p[1]<<8)|p[2];
- }
- static int
- get16(uchar *p)
- {
- return (p[0]<<8)|p[1];
- }
- #define OFFSET(x, s) offsetof(s, x)
- /*
- * malloc and return a new Bytes structure capable of
- * holding len bytes. (len >= 0)
- * Used to use crypt_malloc, which aborts if malloc fails.
- */
- static Bytes*
- newbytes(int len)
- {
- Bytes* ans;
- ans = (Bytes*)malloc(OFFSET(data[0], Bytes) + len);
- ans->len = len;
- return ans;
- }
- /*
- * newbytes(len), with data initialized from buf
- */
- static Bytes*
- makebytes(uchar* buf, int len)
- {
- Bytes* ans;
- ans = newbytes(len);
- memmove(ans->data, buf, len);
- return ans;
- }
- static void
- freebytes(Bytes* b)
- {
- if(b != nil)
- free(b);
- }
- /* len is number of ints */
- static Ints*
- newints(int len)
- {
- Ints* ans;
- ans = (Ints*)malloc(OFFSET(data[0], Ints) + len*sizeof(int));
- ans->len = len;
- return ans;
- }
- static Ints*
- makeints(int* buf, int len)
- {
- Ints* ans;
- ans = newints(len);
- if(len > 0)
- memmove(ans->data, buf, len*sizeof(int));
- return ans;
- }
- static void
- freeints(Ints* b)
- {
- if(b != nil)
- free(b);
- }
|