devtls.c 45 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210
  1. /*
  2. * devtls - record layer for transport layer security 1.0 and secure sockets layer 3.0
  3. */
  4. #include "u.h"
  5. #include "../port/lib.h"
  6. #include "mem.h"
  7. #include "dat.h"
  8. #include "fns.h"
  9. #include "../port/error.h"
  10. #include <libsec.h>
  11. typedef struct OneWay OneWay;
  12. typedef struct Secret Secret;
  13. typedef struct TlsRec TlsRec;
  14. typedef struct TlsErrs TlsErrs;
  15. enum {
  16. Statlen= 1024, /* max. length of status or stats message */
  17. /* buffer limits */
  18. MaxRecLen = 1<<14, /* max payload length of a record layer message */
  19. MaxCipherRecLen = MaxRecLen + 2048,
  20. RecHdrLen = 5,
  21. MaxMacLen = SHA1dlen,
  22. /* protocol versions we can accept */
  23. TLSVersion = 0x0301,
  24. SSL3Version = 0x0300,
  25. ProtocolVersion = 0x0301, /* maximum version we speak */
  26. MinProtoVersion = 0x0300, /* limits on version we accept */
  27. MaxProtoVersion = 0x03ff,
  28. /* connection states */
  29. SHandshake = 1 << 0, /* doing handshake */
  30. SOpen = 1 << 1, /* application data can be sent */
  31. SRClose = 1 << 2, /* remote side has closed down */
  32. SLClose = 1 << 3, /* sent a close notify alert */
  33. SAlert = 1 << 5, /* sending or sent a fatal alert */
  34. SError = 1 << 6, /* some sort of error has occured */
  35. SClosed = 1 << 7, /* it is all over */
  36. /* record types */
  37. RChangeCipherSpec = 20,
  38. RAlert,
  39. RHandshake,
  40. RApplication,
  41. SSL2ClientHello = 1,
  42. HSSL2ClientHello = 9, /* local convention; see tlshand.c */
  43. /* alerts */
  44. ECloseNotify = 0,
  45. EUnexpectedMessage = 10,
  46. EBadRecordMac = 20,
  47. EDecryptionFailed = 21,
  48. ERecordOverflow = 22,
  49. EDecompressionFailure = 30,
  50. EHandshakeFailure = 40,
  51. ENoCertificate = 41,
  52. EBadCertificate = 42,
  53. EUnsupportedCertificate = 43,
  54. ECertificateRevoked = 44,
  55. ECertificateExpired = 45,
  56. ECertificateUnknown = 46,
  57. EIllegalParameter = 47,
  58. EUnknownCa = 48,
  59. EAccessDenied = 49,
  60. EDecodeError = 50,
  61. EDecryptError = 51,
  62. EExportRestriction = 60,
  63. EProtocolVersion = 70,
  64. EInsufficientSecurity = 71,
  65. EInternalError = 80,
  66. EUserCanceled = 90,
  67. ENoRenegotiation = 100,
  68. EMAX = 256
  69. };
  70. struct Secret
  71. {
  72. char *encalg; /* name of encryption alg */
  73. char *hashalg; /* name of hash alg */
  74. int (*enc)(Secret*, uchar*, int);
  75. int (*dec)(Secret*, uchar*, int);
  76. int (*unpad)(uchar*, int, int);
  77. DigestState *(*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
  78. int block; /* encryption block len, 0 if none */
  79. int maclen;
  80. void *enckey;
  81. uchar mackey[MaxMacLen];
  82. };
  83. struct OneWay
  84. {
  85. QLock io; /* locks io access */
  86. QLock seclock; /* locks secret paramaters */
  87. ulong seq;
  88. Secret *sec; /* cipher in use */
  89. Secret *new; /* cipher waiting for enable */
  90. };
  91. struct TlsRec
  92. {
  93. Chan *c; /* io channel */
  94. int ref; /* serialized by tdlock for atomic destroy */
  95. int version; /* version of the protocol we are speaking */
  96. char verset; /* version has been set */
  97. char opened; /* opened command every issued? */
  98. char err[ERRMAX]; /* error message to return to handshake requests */
  99. vlong handin; /* bytes communicated by the record layer */
  100. vlong handout;
  101. vlong datain;
  102. vlong dataout;
  103. Lock statelk;
  104. int state;
  105. int debug;
  106. /* record layer mac functions for different protocol versions */
  107. void (*packMac)(Secret*, uchar*, uchar*, uchar*, uchar*, int, uchar*);
  108. /* input side -- protected by in.io */
  109. OneWay in;
  110. Block *processed; /* next bunch of application data */
  111. Block *unprocessed; /* data read from c but not parsed into records */
  112. /* handshake queue */
  113. Lock hqlock; /* protects hqref, alloc & free of handq, hprocessed */
  114. int hqref;
  115. Queue *handq; /* queue of handshake messages */
  116. Block *hprocessed; /* remainder of last block read from handq */
  117. QLock hqread; /* protects reads for hprocessed, handq */
  118. /* output side */
  119. OneWay out;
  120. /* protections */
  121. char *user;
  122. int perm;
  123. };
  124. struct TlsErrs{
  125. int err;
  126. int sslerr;
  127. int tlserr;
  128. int fatal;
  129. char *msg;
  130. };
  131. static TlsErrs tlserrs[] = {
  132. {ECloseNotify, ECloseNotify, ECloseNotify, 0, "close notify"},
  133. {EUnexpectedMessage, EUnexpectedMessage, EUnexpectedMessage, 1, "unexpected message"},
  134. {EBadRecordMac, EBadRecordMac, EBadRecordMac, 1, "bad record mac"},
  135. {EDecryptionFailed, EIllegalParameter, EDecryptionFailed, 1, "decryption failed"},
  136. {ERecordOverflow, EIllegalParameter, ERecordOverflow, 1, "record too long"},
  137. {EDecompressionFailure, EDecompressionFailure, EDecompressionFailure, 1, "decompression failed"},
  138. {EHandshakeFailure, EHandshakeFailure, EHandshakeFailure, 1, "could not negotiate acceptable security parameters"},
  139. {ENoCertificate, ENoCertificate, ECertificateUnknown, 1, "no appropriate certificate available"},
  140. {EBadCertificate, EBadCertificate, EBadCertificate, 1, "corrupted or invalid certificate"},
  141. {EUnsupportedCertificate, EUnsupportedCertificate, EUnsupportedCertificate, 1, "unsupported certificate type"},
  142. {ECertificateRevoked, ECertificateRevoked, ECertificateRevoked, 1, "revoked certificate"},
  143. {ECertificateExpired, ECertificateExpired, ECertificateExpired, 1, "expired certificate"},
  144. {ECertificateUnknown, ECertificateUnknown, ECertificateUnknown, 1, "unacceptable certificate"},
  145. {EIllegalParameter, EIllegalParameter, EIllegalParameter, 1, "illegal parameter"},
  146. {EUnknownCa, EHandshakeFailure, EUnknownCa, 1, "unknown certificate authority"},
  147. {EAccessDenied, EHandshakeFailure, EAccessDenied, 1, "access denied"},
  148. {EDecodeError, EIllegalParameter, EDecodeError, 1, "error decoding message"},
  149. {EDecryptError, EIllegalParameter, EDecryptError, 1, "error decrypting message"},
  150. {EExportRestriction, EHandshakeFailure, EExportRestriction, 1, "export restriction violated"},
  151. {EProtocolVersion, EIllegalParameter, EProtocolVersion, 1, "protocol version not supported"},
  152. {EInsufficientSecurity, EHandshakeFailure, EInsufficientSecurity, 1, "stronger security routines required"},
  153. {EInternalError, EHandshakeFailure, EInternalError, 1, "internal error"},
  154. {EUserCanceled, ECloseNotify, EUserCanceled, 0, "handshake canceled by user"},
  155. {ENoRenegotiation, EUnexpectedMessage, ENoRenegotiation, 0, "no renegotiation"},
  156. };
  157. enum
  158. {
  159. /* max. open tls connections */
  160. MaxTlsDevs = 1024
  161. };
  162. static Lock tdlock;
  163. static int tdhiwat;
  164. static int maxtlsdevs = 128;
  165. static TlsRec **tlsdevs;
  166. static char **trnames;
  167. static char *encalgs;
  168. static char *hashalgs;
  169. enum{
  170. Qtopdir = 1, /* top level directory */
  171. Qprotodir,
  172. Qclonus,
  173. Qencalgs,
  174. Qhashalgs,
  175. Qconvdir, /* directory for a conversation */
  176. Qdata,
  177. Qctl,
  178. Qhand,
  179. Qstatus,
  180. Qstats,
  181. };
  182. #define TYPE(x) ((x).path & 0xf)
  183. #define CONV(x) (((x).path >> 5)&(MaxTlsDevs-1))
  184. #define QID(c, y) (((c)<<5) | (y))
  185. static void checkstate(TlsRec *, int, int);
  186. static void ensure(TlsRec*, Block**, int);
  187. static void consume(Block**, uchar*, int);
  188. static Chan* buftochan(char*);
  189. static void tlshangup(TlsRec*);
  190. static void tlsError(TlsRec*, char *);
  191. static void alertHand(TlsRec*, char *);
  192. static TlsRec *newtls(Chan *c);
  193. static TlsRec *mktlsrec(void);
  194. static DigestState*sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
  195. static DigestState*sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
  196. static DigestState*nomac(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
  197. static void sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
  198. static void tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
  199. static void put64(uchar *p, vlong x);
  200. static void put32(uchar *p, u32int);
  201. static void put24(uchar *p, int);
  202. static void put16(uchar *p, int);
  203. static u32int get32(uchar *p);
  204. static int get16(uchar *p);
  205. static void tlsSetState(TlsRec *tr, int new, int old);
  206. static void rcvAlert(TlsRec *tr, int err);
  207. static void sendAlert(TlsRec *tr, int err);
  208. static void rcvError(TlsRec *tr, int err, char *msg, ...);
  209. static int rc4enc(Secret *sec, uchar *buf, int n);
  210. static int des3enc(Secret *sec, uchar *buf, int n);
  211. static int des3dec(Secret *sec, uchar *buf, int n);
  212. static int aesenc(Secret *sec, uchar *buf, int n);
  213. static int aesdec(Secret *sec, uchar *buf, int n);
  214. static int noenc(Secret *sec, uchar *buf, int n);
  215. static int sslunpad(uchar *buf, int n, int block);
  216. static int tlsunpad(uchar *buf, int n, int block);
  217. static void freeSec(Secret *sec);
  218. static char *tlsstate(int s);
  219. static void pdump(int, void*, char*);
  220. #pragma varargck argpos rcvError 3
  221. static char *tlsnames[] = {
  222. [Qclonus] "clone",
  223. [Qencalgs] "encalgs",
  224. [Qhashalgs] "hashalgs",
  225. [Qdata] "data",
  226. [Qctl] "ctl",
  227. [Qhand] "hand",
  228. [Qstatus] "status",
  229. [Qstats] "stats",
  230. };
  231. static int convdir[] = { Qctl, Qdata, Qhand, Qstatus, Qstats };
  232. static int
  233. tlsgen(Chan *c, char*, Dirtab *, int, int s, Dir *dp)
  234. {
  235. Qid q;
  236. TlsRec *tr;
  237. char *name, *nm;
  238. int perm, t;
  239. q.vers = 0;
  240. q.type = QTFILE;
  241. t = TYPE(c->qid);
  242. switch(t) {
  243. case Qtopdir:
  244. if(s == DEVDOTDOT){
  245. q.path = QID(0, Qtopdir);
  246. q.type = QTDIR;
  247. devdir(c, q, "#a", 0, eve, 0555, dp);
  248. return 1;
  249. }
  250. if(s > 0)
  251. return -1;
  252. q.path = QID(0, Qprotodir);
  253. q.type = QTDIR;
  254. devdir(c, q, "tls", 0, eve, 0555, dp);
  255. return 1;
  256. case Qprotodir:
  257. if(s == DEVDOTDOT){
  258. q.path = QID(0, Qtopdir);
  259. q.type = QTDIR;
  260. devdir(c, q, ".", 0, eve, 0555, dp);
  261. return 1;
  262. }
  263. if(s < 3){
  264. switch(s) {
  265. default:
  266. return -1;
  267. case 0:
  268. q.path = QID(0, Qclonus);
  269. break;
  270. case 1:
  271. q.path = QID(0, Qencalgs);
  272. break;
  273. case 2:
  274. q.path = QID(0, Qhashalgs);
  275. break;
  276. }
  277. perm = 0444;
  278. if(TYPE(q) == Qclonus)
  279. perm = 0555;
  280. devdir(c, q, tlsnames[TYPE(q)], 0, eve, perm, dp);
  281. return 1;
  282. }
  283. s -= 3;
  284. if(s >= tdhiwat)
  285. return -1;
  286. q.path = QID(s, Qconvdir);
  287. q.type = QTDIR;
  288. lock(&tdlock);
  289. tr = tlsdevs[s];
  290. if(tr != nil)
  291. nm = tr->user;
  292. else
  293. nm = eve;
  294. if((name = trnames[s]) == nil){
  295. name = trnames[s] = smalloc(16);
  296. sprint(name, "%d", s);
  297. }
  298. devdir(c, q, name, 0, nm, 0555, dp);
  299. unlock(&tdlock);
  300. return 1;
  301. case Qconvdir:
  302. if(s == DEVDOTDOT){
  303. q.path = QID(0, Qprotodir);
  304. q.type = QTDIR;
  305. devdir(c, q, "tls", 0, eve, 0555, dp);
  306. return 1;
  307. }
  308. if(s < 0 || s >= nelem(convdir))
  309. return -1;
  310. lock(&tdlock);
  311. tr = tlsdevs[CONV(c->qid)];
  312. if(tr != nil){
  313. nm = tr->user;
  314. perm = tr->perm;
  315. }else{
  316. perm = 0;
  317. nm = eve;
  318. }
  319. t = convdir[s];
  320. if(t == Qstatus || t == Qstats)
  321. perm &= 0444;
  322. q.path = QID(CONV(c->qid), t);
  323. devdir(c, q, tlsnames[t], 0, nm, perm, dp);
  324. unlock(&tdlock);
  325. return 1;
  326. case Qclonus:
  327. case Qencalgs:
  328. case Qhashalgs:
  329. perm = 0444;
  330. if(t == Qclonus)
  331. perm = 0555;
  332. devdir(c, c->qid, tlsnames[t], 0, eve, perm, dp);
  333. return 1;
  334. default:
  335. lock(&tdlock);
  336. tr = tlsdevs[CONV(c->qid)];
  337. if(tr != nil){
  338. nm = tr->user;
  339. perm = tr->perm;
  340. }else{
  341. perm = 0;
  342. nm = eve;
  343. }
  344. if(t == Qstatus || t == Qstats)
  345. perm &= 0444;
  346. devdir(c, c->qid, tlsnames[t], 0, nm, perm, dp);
  347. unlock(&tdlock);
  348. return 1;
  349. }
  350. }
  351. static Chan*
  352. tlsattach(char *spec)
  353. {
  354. Chan *c;
  355. c = devattach('a', spec);
  356. c->qid.path = QID(0, Qtopdir);
  357. c->qid.type = QTDIR;
  358. c->qid.vers = 0;
  359. return c;
  360. }
  361. static Walkqid*
  362. tlswalk(Chan *c, Chan *nc, char **name, int nname)
  363. {
  364. return devwalk(c, nc, name, nname, nil, 0, tlsgen);
  365. }
  366. static int
  367. tlsstat(Chan *c, uchar *db, int n)
  368. {
  369. return devstat(c, db, n, nil, 0, tlsgen);
  370. }
  371. static Chan*
  372. tlsopen(Chan *c, int omode)
  373. {
  374. TlsRec *tr, **pp;
  375. int t, perm;
  376. perm = 0;
  377. omode &= 3;
  378. switch(omode) {
  379. case OREAD:
  380. perm = 4;
  381. break;
  382. case OWRITE:
  383. perm = 2;
  384. break;
  385. case ORDWR:
  386. perm = 6;
  387. break;
  388. }
  389. t = TYPE(c->qid);
  390. switch(t) {
  391. default:
  392. panic("tlsopen");
  393. case Qtopdir:
  394. case Qprotodir:
  395. case Qconvdir:
  396. if(omode != OREAD)
  397. error(Eperm);
  398. break;
  399. case Qclonus:
  400. tr = newtls(c);
  401. if(tr == nil)
  402. error(Enodev);
  403. break;
  404. case Qctl:
  405. case Qdata:
  406. case Qhand:
  407. case Qstatus:
  408. case Qstats:
  409. if((t == Qstatus || t == Qstats) && omode != OREAD)
  410. error(Eperm);
  411. if(waserror()) {
  412. unlock(&tdlock);
  413. nexterror();
  414. }
  415. lock(&tdlock);
  416. pp = &tlsdevs[CONV(c->qid)];
  417. tr = *pp;
  418. if(tr == nil)
  419. error("must open connection using clone");
  420. if((perm & (tr->perm>>6)) != perm
  421. && (strcmp(up->user, tr->user) != 0
  422. || (perm & tr->perm) != perm))
  423. error(Eperm);
  424. if(t == Qhand){
  425. if(waserror()){
  426. unlock(&tr->hqlock);
  427. nexterror();
  428. }
  429. lock(&tr->hqlock);
  430. if(tr->handq != nil)
  431. error(Einuse);
  432. tr->handq = qopen(2 * MaxCipherRecLen, 0, nil, nil);
  433. if(tr->handq == nil)
  434. error("cannot allocate handshake queue");
  435. tr->hqref = 1;
  436. unlock(&tr->hqlock);
  437. poperror();
  438. }
  439. tr->ref++;
  440. unlock(&tdlock);
  441. poperror();
  442. break;
  443. case Qencalgs:
  444. case Qhashalgs:
  445. if(omode != OREAD)
  446. error(Eperm);
  447. break;
  448. }
  449. c->mode = openmode(omode);
  450. c->flag |= COPEN;
  451. c->offset = 0;
  452. c->iounit = qiomaxatomic;
  453. return c;
  454. }
  455. static int
  456. tlswstat(Chan *c, uchar *dp, int n)
  457. {
  458. Dir *d;
  459. TlsRec *tr;
  460. int rv;
  461. d = nil;
  462. if(waserror()){
  463. free(d);
  464. unlock(&tdlock);
  465. nexterror();
  466. }
  467. lock(&tdlock);
  468. tr = tlsdevs[CONV(c->qid)];
  469. if(tr == nil)
  470. error(Ebadusefd);
  471. if(strcmp(tr->user, up->user) != 0)
  472. error(Eperm);
  473. d = smalloc(n + sizeof *d);
  474. rv = convM2D(dp, n, &d[0], (char*) &d[1]);
  475. if(rv == 0)
  476. error(Eshortstat);
  477. if(!emptystr(d->uid))
  478. kstrdup(&tr->user, d->uid);
  479. if(d->mode != ~0UL)
  480. tr->perm = d->mode;
  481. free(d);
  482. poperror();
  483. unlock(&tdlock);
  484. return rv;
  485. }
  486. static void
  487. dechandq(TlsRec *tr)
  488. {
  489. lock(&tr->hqlock);
  490. if(--tr->hqref == 0){
  491. if(tr->handq != nil){
  492. qfree(tr->handq);
  493. tr->handq = nil;
  494. }
  495. if(tr->hprocessed != nil){
  496. freeb(tr->hprocessed);
  497. tr->hprocessed = nil;
  498. }
  499. }
  500. unlock(&tr->hqlock);
  501. }
  502. static void
  503. tlsclose(Chan *c)
  504. {
  505. TlsRec *tr;
  506. int t;
  507. t = TYPE(c->qid);
  508. switch(t) {
  509. case Qctl:
  510. case Qdata:
  511. case Qhand:
  512. case Qstatus:
  513. case Qstats:
  514. if((c->flag & COPEN) == 0)
  515. break;
  516. tr = tlsdevs[CONV(c->qid)];
  517. if(tr == nil)
  518. break;
  519. if(t == Qhand)
  520. dechandq(tr);
  521. lock(&tdlock);
  522. if(--tr->ref > 0) {
  523. unlock(&tdlock);
  524. return;
  525. }
  526. tlsdevs[CONV(c->qid)] = nil;
  527. unlock(&tdlock);
  528. if(tr->c != nil && !waserror()){
  529. checkstate(tr, 0, SOpen|SHandshake|SRClose);
  530. sendAlert(tr, ECloseNotify);
  531. poperror();
  532. }
  533. tlshangup(tr);
  534. if(tr->c != nil)
  535. cclose(tr->c);
  536. freeSec(tr->in.sec);
  537. freeSec(tr->in.new);
  538. freeSec(tr->out.sec);
  539. freeSec(tr->out.new);
  540. free(tr->user);
  541. free(tr);
  542. break;
  543. }
  544. }
  545. /*
  546. * make sure we have at least 'n' bytes in list 'l'
  547. */
  548. static void
  549. ensure(TlsRec *s, Block **l, int n)
  550. {
  551. int sofar, i;
  552. Block *b, *bl;
  553. sofar = 0;
  554. for(b = *l; b; b = b->next){
  555. sofar += BLEN(b);
  556. if(sofar >= n)
  557. return;
  558. l = &b->next;
  559. }
  560. while(sofar < n){
  561. bl = devtab[s->c->type]->bread(s->c, MaxCipherRecLen + RecHdrLen, 0);
  562. if(bl == 0)
  563. error(Ehungup);
  564. *l = bl;
  565. i = 0;
  566. for(b = bl; b; b = b->next){
  567. i += BLEN(b);
  568. l = &b->next;
  569. }
  570. if(i == 0)
  571. error(Ehungup);
  572. sofar += i;
  573. }
  574. if(s->debug) pprint("ensure read %d\n", sofar);
  575. }
  576. /*
  577. * copy 'n' bytes from 'l' into 'p' and free
  578. * the bytes in 'l'
  579. */
  580. static void
  581. consume(Block **l, uchar *p, int n)
  582. {
  583. Block *b;
  584. int i;
  585. for(; *l && n > 0; n -= i){
  586. b = *l;
  587. i = BLEN(b);
  588. if(i > n)
  589. i = n;
  590. memmove(p, b->rp, i);
  591. b->rp += i;
  592. p += i;
  593. if(BLEN(b) < 0)
  594. panic("consume");
  595. if(BLEN(b))
  596. break;
  597. *l = b->next;
  598. freeb(b);
  599. }
  600. }
  601. /*
  602. * give back n bytes
  603. */
  604. static void
  605. regurgitate(TlsRec *s, uchar *p, int n)
  606. {
  607. Block *b;
  608. if(n <= 0)
  609. return;
  610. b = s->unprocessed;
  611. if(s->unprocessed == nil || b->rp - b->base < n) {
  612. b = allocb(n);
  613. memmove(b->wp, p, n);
  614. b->wp += n;
  615. b->next = s->unprocessed;
  616. s->unprocessed = b;
  617. } else {
  618. b->rp -= n;
  619. memmove(b->rp, p, n);
  620. }
  621. }
  622. /*
  623. * remove at most n bytes from the queue
  624. */
  625. static Block*
  626. qgrab(Block **l, int n)
  627. {
  628. Block *bb, *b;
  629. int i;
  630. b = *l;
  631. if(BLEN(b) == n){
  632. *l = b->next;
  633. b->next = nil;
  634. return b;
  635. }
  636. i = 0;
  637. for(bb = b; bb != nil && i < n; bb = bb->next)
  638. i += BLEN(bb);
  639. if(i > n)
  640. i = n;
  641. bb = allocb(i);
  642. consume(l, bb->wp, i);
  643. bb->wp += i;
  644. return bb;
  645. }
  646. static void
  647. tlsclosed(TlsRec *tr, int new)
  648. {
  649. lock(&tr->statelk);
  650. if(tr->state == SOpen || tr->state == SHandshake)
  651. tr->state = new;
  652. else if((new | tr->state) == (SRClose|SLClose))
  653. tr->state = SClosed;
  654. unlock(&tr->statelk);
  655. alertHand(tr, "close notify");
  656. }
  657. /*
  658. * read and process one tls record layer message
  659. * must be called with tr->in.io held
  660. * We can't let Eintrs lose data, since doing so will get
  661. * us out of sync with the sender and break the reliablity
  662. * of the channel. Eintr only happens during the reads in
  663. * consume. Therefore we put back any bytes consumed before
  664. * the last call to ensure.
  665. */
  666. static void
  667. tlsrecread(TlsRec *tr)
  668. {
  669. OneWay *volatile in;
  670. Block *volatile b;
  671. uchar *p, seq[8], header[RecHdrLen], hmac[MaxMacLen];
  672. int volatile nconsumed;
  673. int len, type, ver, unpad_len;
  674. nconsumed = 0;
  675. if(waserror()){
  676. if(strcmp(up->errstr, Eintr) == 0 && !waserror()){
  677. regurgitate(tr, header, nconsumed);
  678. poperror();
  679. }else
  680. tlsError(tr, "channel error");
  681. nexterror();
  682. }
  683. ensure(tr, &tr->unprocessed, RecHdrLen);
  684. consume(&tr->unprocessed, header, RecHdrLen);
  685. if(tr->debug)pprint("consumed %d header\n", RecHdrLen);
  686. nconsumed = RecHdrLen;
  687. if((tr->handin == 0) && (header[0] & 0x80)){
  688. /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
  689. This is sent by some clients that we must interoperate
  690. with, such as Java's JSSE and Microsoft's Internet Explorer. */
  691. len = (get16(header) & ~0x8000) - 3;
  692. type = header[2];
  693. ver = get16(header + 3);
  694. if(type != SSL2ClientHello || len < 22)
  695. rcvError(tr, EProtocolVersion, "invalid initial SSL2-like message");
  696. }else{ /* normal SSL3 record format */
  697. type = header[0];
  698. ver = get16(header+1);
  699. len = get16(header+3);
  700. }
  701. if(ver != tr->version && (tr->verset || ver < MinProtoVersion || ver > MaxProtoVersion))
  702. rcvError(tr, EProtocolVersion, "devtls expected ver=%x%s, saw (len=%d) type=%x ver=%x '%.12s'",
  703. tr->version, tr->verset?"/set":"", len, type, ver, (char*)header);
  704. if(len > MaxCipherRecLen || len < 0)
  705. rcvError(tr, ERecordOverflow, "record message too long %d", len);
  706. ensure(tr, &tr->unprocessed, len);
  707. nconsumed = 0;
  708. poperror();
  709. /*
  710. * If an Eintr happens after this, we'll get out of sync.
  711. * Make sure nothing we call can sleep.
  712. * Errors are ok, as they kill the connection.
  713. * Luckily, allocb won't sleep, it'll just error out.
  714. */
  715. b = nil;
  716. if(waserror()){
  717. if(b != nil)
  718. freeb(b);
  719. tlsError(tr, "channel error");
  720. nexterror();
  721. }
  722. b = qgrab(&tr->unprocessed, len);
  723. if(tr->debug) pprint("consumed unprocessed %d\n", len);
  724. in = &tr->in;
  725. if(waserror()){
  726. qunlock(&in->seclock);
  727. nexterror();
  728. }
  729. qlock(&in->seclock);
  730. p = b->rp;
  731. if(in->sec != nil) {
  732. /* to avoid Canvel-Hiltgen-Vaudenay-Vuagnoux attack, all errors here
  733. should look alike, including timing of the response. */
  734. unpad_len = (*in->sec->dec)(in->sec, p, len);
  735. if(unpad_len >= in->sec->maclen)
  736. len = unpad_len - in->sec->maclen;
  737. if(tr->debug) pprint("decrypted %d\n", unpad_len);
  738. if(tr->debug) pdump(unpad_len, p, "decrypted:");
  739. /* update length */
  740. put16(header+3, len);
  741. put64(seq, in->seq);
  742. in->seq++;
  743. (*tr->packMac)(in->sec, in->sec->mackey, seq, header, p, len, hmac);
  744. if(unpad_len < in->sec->maclen)
  745. rcvError(tr, EBadRecordMac, "short record mac");
  746. if(memcmp(hmac, p+len, in->sec->maclen) != 0)
  747. rcvError(tr, EBadRecordMac, "record mac mismatch");
  748. b->wp = b->rp + len;
  749. }
  750. qunlock(&in->seclock);
  751. poperror();
  752. if(len < 0)
  753. rcvError(tr, EDecodeError, "runt record message");
  754. switch(type) {
  755. default:
  756. rcvError(tr, EIllegalParameter, "invalid record message %#x", type);
  757. break;
  758. case RChangeCipherSpec:
  759. if(len != 1 || p[0] != 1)
  760. rcvError(tr, EDecodeError, "invalid change cipher spec");
  761. qlock(&in->seclock);
  762. if(in->new == nil){
  763. qunlock(&in->seclock);
  764. rcvError(tr, EUnexpectedMessage, "unexpected change cipher spec");
  765. }
  766. freeSec(in->sec);
  767. in->sec = in->new;
  768. in->new = nil;
  769. in->seq = 0;
  770. qunlock(&in->seclock);
  771. break;
  772. case RAlert:
  773. if(len != 2)
  774. rcvError(tr, EDecodeError, "invalid alert");
  775. if(p[0] == 2)
  776. rcvAlert(tr, p[1]);
  777. if(p[0] != 1)
  778. rcvError(tr, EIllegalParameter, "invalid alert fatal code");
  779. /*
  780. * propate non-fatal alerts to handshaker
  781. */
  782. if(p[1] == ECloseNotify) {
  783. tlsclosed(tr, SRClose);
  784. if(tr->opened)
  785. error("tls hungup");
  786. error("close notify");
  787. }
  788. if(p[1] == ENoRenegotiation)
  789. alertHand(tr, "no renegotiation");
  790. else if(p[1] == EUserCanceled)
  791. alertHand(tr, "handshake canceled by user");
  792. else
  793. rcvError(tr, EIllegalParameter, "invalid alert code");
  794. break;
  795. case RHandshake:
  796. /*
  797. * don't worry about dropping the block
  798. * qbwrite always queues even if flow controlled and interrupted.
  799. *
  800. * if there isn't any handshaker, ignore the request,
  801. * but notify the other side we are doing so.
  802. */
  803. lock(&tr->hqlock);
  804. if(tr->handq != nil){
  805. tr->hqref++;
  806. unlock(&tr->hqlock);
  807. if(waserror()){
  808. dechandq(tr);
  809. nexterror();
  810. }
  811. b = padblock(b, 1);
  812. *b->rp = RHandshake;
  813. qbwrite(tr->handq, b);
  814. b = nil;
  815. poperror();
  816. dechandq(tr);
  817. }else{
  818. unlock(&tr->hqlock);
  819. if(tr->verset && tr->version != SSL3Version && !waserror()){
  820. sendAlert(tr, ENoRenegotiation);
  821. poperror();
  822. }
  823. }
  824. break;
  825. case SSL2ClientHello:
  826. lock(&tr->hqlock);
  827. if(tr->handq != nil){
  828. tr->hqref++;
  829. unlock(&tr->hqlock);
  830. if(waserror()){
  831. dechandq(tr);
  832. nexterror();
  833. }
  834. /* Pass the SSL2 format data, so that the handshake code can compute
  835. the correct checksums. HSSL2ClientHello = HandshakeType 9 is
  836. unused in RFC2246. */
  837. b = padblock(b, 8);
  838. b->rp[0] = RHandshake;
  839. b->rp[1] = HSSL2ClientHello;
  840. put24(&b->rp[2], len+3);
  841. b->rp[5] = SSL2ClientHello;
  842. put16(&b->rp[6], ver);
  843. qbwrite(tr->handq, b);
  844. b = nil;
  845. poperror();
  846. dechandq(tr);
  847. }else{
  848. unlock(&tr->hqlock);
  849. if(tr->verset && tr->version != SSL3Version && !waserror()){
  850. sendAlert(tr, ENoRenegotiation);
  851. poperror();
  852. }
  853. }
  854. break;
  855. case RApplication:
  856. if(!tr->opened)
  857. rcvError(tr, EUnexpectedMessage, "application message received before handshake completed");
  858. if(BLEN(b) > 0){
  859. tr->processed = b;
  860. b = nil;
  861. }
  862. break;
  863. }
  864. if(b != nil)
  865. freeb(b);
  866. poperror();
  867. }
  868. /*
  869. * got a fatal alert message
  870. */
  871. static void
  872. rcvAlert(TlsRec *tr, int err)
  873. {
  874. char *s;
  875. int i;
  876. s = "unknown error";
  877. for(i=0; i < nelem(tlserrs); i++){
  878. if(tlserrs[i].err == err){
  879. s = tlserrs[i].msg;
  880. break;
  881. }
  882. }
  883. if(tr->debug) pprint("rcvAlert: %s\n", s);
  884. tlsError(tr, s);
  885. if(!tr->opened)
  886. error(s);
  887. error("tls error");
  888. }
  889. /*
  890. * found an error while decoding the input stream
  891. */
  892. static void
  893. rcvError(TlsRec *tr, int err, char *fmt, ...)
  894. {
  895. char msg[ERRMAX];
  896. va_list arg;
  897. va_start(arg, fmt);
  898. vseprint(msg, msg+sizeof(msg), fmt, arg);
  899. va_end(arg);
  900. if(tr->debug) pprint("rcvError: %s\n", msg);
  901. sendAlert(tr, err);
  902. if(!tr->opened)
  903. error(msg);
  904. error("tls error");
  905. }
  906. /*
  907. * make sure the next hand operation returns with a 'msg' error
  908. */
  909. static void
  910. alertHand(TlsRec *tr, char *msg)
  911. {
  912. Block *b;
  913. int n;
  914. lock(&tr->hqlock);
  915. if(tr->handq == nil){
  916. unlock(&tr->hqlock);
  917. return;
  918. }
  919. tr->hqref++;
  920. unlock(&tr->hqlock);
  921. n = strlen(msg);
  922. if(waserror()){
  923. dechandq(tr);
  924. nexterror();
  925. }
  926. b = allocb(n + 2);
  927. *b->wp++ = RAlert;
  928. memmove(b->wp, msg, n + 1);
  929. b->wp += n + 1;
  930. qbwrite(tr->handq, b);
  931. poperror();
  932. dechandq(tr);
  933. }
  934. static void
  935. checkstate(TlsRec *tr, int ishand, int ok)
  936. {
  937. int state;
  938. lock(&tr->statelk);
  939. state = tr->state;
  940. unlock(&tr->statelk);
  941. if(state & ok)
  942. return;
  943. switch(state){
  944. case SHandshake:
  945. case SOpen:
  946. break;
  947. case SError:
  948. case SAlert:
  949. if(ishand)
  950. error(tr->err);
  951. error("tls error");
  952. case SRClose:
  953. case SLClose:
  954. case SClosed:
  955. error("tls hungup");
  956. }
  957. error("tls improperly configured");
  958. }
  959. static Block*
  960. tlsbread(Chan *c, long n, ulong offset)
  961. {
  962. int ty;
  963. Block *b;
  964. TlsRec *volatile tr;
  965. ty = TYPE(c->qid);
  966. switch(ty) {
  967. default:
  968. return devbread(c, n, offset);
  969. case Qhand:
  970. case Qdata:
  971. break;
  972. }
  973. tr = tlsdevs[CONV(c->qid)];
  974. if(tr == nil)
  975. panic("tlsbread");
  976. if(waserror()){
  977. qunlock(&tr->in.io);
  978. nexterror();
  979. }
  980. qlock(&tr->in.io);
  981. if(ty == Qdata){
  982. checkstate(tr, 0, SOpen);
  983. while(tr->processed == nil)
  984. tlsrecread(tr);
  985. /* return at most what was asked for */
  986. b = qgrab(&tr->processed, n);
  987. if(tr->debug) pprint("consumed processed %ld\n", BLEN(b));
  988. if(tr->debug) pdump(BLEN(b), b->rp, "consumed:");
  989. qunlock(&tr->in.io);
  990. poperror();
  991. tr->datain += BLEN(b);
  992. }else{
  993. checkstate(tr, 1, SOpen|SHandshake|SLClose);
  994. /*
  995. * it's ok to look at state without the lock
  996. * since it only protects reading records,
  997. * and we have that tr->in.io held.
  998. */
  999. while(!tr->opened && tr->hprocessed == nil && !qcanread(tr->handq))
  1000. tlsrecread(tr);
  1001. qunlock(&tr->in.io);
  1002. poperror();
  1003. if(waserror()){
  1004. qunlock(&tr->hqread);
  1005. nexterror();
  1006. }
  1007. qlock(&tr->hqread);
  1008. if(tr->hprocessed == nil){
  1009. b = qbread(tr->handq, MaxRecLen + 1);
  1010. if(*b->rp++ == RAlert){
  1011. kstrcpy(up->errstr, (char*)b->rp, ERRMAX);
  1012. freeb(b);
  1013. nexterror();
  1014. }
  1015. tr->hprocessed = b;
  1016. }
  1017. b = qgrab(&tr->hprocessed, n);
  1018. poperror();
  1019. qunlock(&tr->hqread);
  1020. tr->handin += BLEN(b);
  1021. }
  1022. return b;
  1023. }
  1024. static long
  1025. tlsread(Chan *c, void *a, long n, vlong off)
  1026. {
  1027. Block *volatile b;
  1028. Block *nb;
  1029. uchar *va;
  1030. int i, ty;
  1031. char *buf, *s, *e;
  1032. ulong offset = off;
  1033. TlsRec * tr;
  1034. if(c->qid.type & QTDIR)
  1035. return devdirread(c, a, n, 0, 0, tlsgen);
  1036. tr = tlsdevs[CONV(c->qid)];
  1037. ty = TYPE(c->qid);
  1038. switch(ty) {
  1039. default:
  1040. error(Ebadusefd);
  1041. case Qstatus:
  1042. buf = smalloc(Statlen);
  1043. qlock(&tr->in.seclock);
  1044. qlock(&tr->out.seclock);
  1045. s = buf;
  1046. e = buf + Statlen;
  1047. s = seprint(s, e, "State: %s\n", tlsstate(tr->state));
  1048. s = seprint(s, e, "Version: %#x\n", tr->version);
  1049. if(tr->in.sec != nil)
  1050. s = seprint(s, e, "EncIn: %s\nHashIn: %s\n", tr->in.sec->encalg, tr->in.sec->hashalg);
  1051. if(tr->in.new != nil)
  1052. s = seprint(s, e, "NewEncIn: %s\nNewHashIn: %s\n", tr->in.new->encalg, tr->in.new->hashalg);
  1053. if(tr->out.sec != nil)
  1054. s = seprint(s, e, "EncOut: %s\nHashOut: %s\n", tr->out.sec->encalg, tr->out.sec->hashalg);
  1055. if(tr->out.new != nil)
  1056. seprint(s, e, "NewEncOut: %s\nNewHashOut: %s\n", tr->out.new->encalg, tr->out.new->hashalg);
  1057. qunlock(&tr->in.seclock);
  1058. qunlock(&tr->out.seclock);
  1059. n = readstr(offset, a, n, buf);
  1060. free(buf);
  1061. return n;
  1062. case Qstats:
  1063. buf = smalloc(Statlen);
  1064. s = buf;
  1065. e = buf + Statlen;
  1066. s = seprint(s, e, "DataIn: %lld\n", tr->datain);
  1067. s = seprint(s, e, "DataOut: %lld\n", tr->dataout);
  1068. s = seprint(s, e, "HandIn: %lld\n", tr->handin);
  1069. seprint(s, e, "HandOut: %lld\n", tr->handout);
  1070. n = readstr(offset, a, n, buf);
  1071. free(buf);
  1072. return n;
  1073. case Qctl:
  1074. buf = smalloc(Statlen);
  1075. snprint(buf, Statlen, "%llud", CONV(c->qid));
  1076. n = readstr(offset, a, n, buf);
  1077. free(buf);
  1078. return n;
  1079. case Qdata:
  1080. case Qhand:
  1081. b = tlsbread(c, n, offset);
  1082. break;
  1083. case Qencalgs:
  1084. return readstr(offset, a, n, encalgs);
  1085. case Qhashalgs:
  1086. return readstr(offset, a, n, hashalgs);
  1087. }
  1088. if(waserror()){
  1089. freeblist(b);
  1090. nexterror();
  1091. }
  1092. n = 0;
  1093. va = a;
  1094. for(nb = b; nb; nb = nb->next){
  1095. i = BLEN(nb);
  1096. memmove(va+n, nb->rp, i);
  1097. n += i;
  1098. }
  1099. freeblist(b);
  1100. poperror();
  1101. return n;
  1102. }
  1103. /*
  1104. * write a block in tls records
  1105. */
  1106. static void
  1107. tlsrecwrite(TlsRec *tr, int type, Block *b)
  1108. {
  1109. Block *volatile bb;
  1110. Block *nb;
  1111. uchar *p, seq[8];
  1112. OneWay *volatile out;
  1113. int n, maclen, pad, ok;
  1114. out = &tr->out;
  1115. bb = b;
  1116. if(waserror()){
  1117. qunlock(&out->io);
  1118. if(bb != nil)
  1119. freeb(bb);
  1120. nexterror();
  1121. }
  1122. qlock(&out->io);
  1123. if(tr->debug)pprint("send %ld\n", BLEN(b));
  1124. if(tr->debug)pdump(BLEN(b), b->rp, "sent:");
  1125. ok = SHandshake|SOpen|SRClose;
  1126. if(type == RAlert)
  1127. ok |= SAlert;
  1128. while(bb != nil){
  1129. checkstate(tr, type != RApplication, ok);
  1130. /*
  1131. * get at most one maximal record's input,
  1132. * with padding on the front for header and
  1133. * back for mac and maximal block padding.
  1134. */
  1135. if(waserror()){
  1136. qunlock(&out->seclock);
  1137. nexterror();
  1138. }
  1139. qlock(&out->seclock);
  1140. maclen = 0;
  1141. pad = 0;
  1142. if(out->sec != nil){
  1143. maclen = out->sec->maclen;
  1144. pad = maclen + out->sec->block;
  1145. }
  1146. n = BLEN(bb);
  1147. if(n > MaxRecLen){
  1148. n = MaxRecLen;
  1149. nb = allocb(n + pad + RecHdrLen);
  1150. memmove(nb->wp + RecHdrLen, bb->rp, n);
  1151. bb->rp += n;
  1152. }else{
  1153. /*
  1154. * carefully reuse bb so it will get freed if we're out of memory
  1155. */
  1156. bb = padblock(bb, RecHdrLen);
  1157. if(pad)
  1158. nb = padblock(bb, -pad);
  1159. else
  1160. nb = bb;
  1161. bb = nil;
  1162. }
  1163. p = nb->rp;
  1164. p[0] = type;
  1165. put16(p+1, tr->version);
  1166. put16(p+3, n);
  1167. if(out->sec != nil){
  1168. put64(seq, out->seq);
  1169. out->seq++;
  1170. (*tr->packMac)(out->sec, out->sec->mackey, seq, p, p + RecHdrLen, n, p + RecHdrLen + n);
  1171. n += maclen;
  1172. /* encrypt */
  1173. n = (*out->sec->enc)(out->sec, p + RecHdrLen, n);
  1174. nb->wp = p + RecHdrLen + n;
  1175. /* update length */
  1176. put16(p+3, n);
  1177. }
  1178. if(type == RChangeCipherSpec){
  1179. if(out->new == nil)
  1180. error("change cipher without a new cipher");
  1181. freeSec(out->sec);
  1182. out->sec = out->new;
  1183. out->new = nil;
  1184. out->seq = 0;
  1185. }
  1186. qunlock(&out->seclock);
  1187. poperror();
  1188. /*
  1189. * if bwrite error's, we assume the block is queued.
  1190. * if not, we're out of sync with the receiver and will not recover.
  1191. */
  1192. if(waserror()){
  1193. if(strcmp(up->errstr, "interrupted") != 0)
  1194. tlsError(tr, "channel error");
  1195. nexterror();
  1196. }
  1197. devtab[tr->c->type]->bwrite(tr->c, nb, 0);
  1198. poperror();
  1199. }
  1200. qunlock(&out->io);
  1201. poperror();
  1202. }
  1203. static long
  1204. tlsbwrite(Chan *c, Block *b, ulong offset)
  1205. {
  1206. int ty;
  1207. ulong n;
  1208. TlsRec *tr;
  1209. n = BLEN(b);
  1210. tr = tlsdevs[CONV(c->qid)];
  1211. if(tr == nil)
  1212. panic("tlsbwrite");
  1213. ty = TYPE(c->qid);
  1214. switch(ty) {
  1215. default:
  1216. return devbwrite(c, b, offset);
  1217. case Qhand:
  1218. tlsrecwrite(tr, RHandshake, b);
  1219. tr->handout += n;
  1220. break;
  1221. case Qdata:
  1222. checkstate(tr, 0, SOpen);
  1223. tlsrecwrite(tr, RApplication, b);
  1224. tr->dataout += n;
  1225. break;
  1226. }
  1227. return n;
  1228. }
  1229. typedef struct Hashalg Hashalg;
  1230. struct Hashalg
  1231. {
  1232. char *name;
  1233. int maclen;
  1234. void (*initkey)(Hashalg *, int, Secret *, uchar*);
  1235. };
  1236. static void
  1237. initmd5key(Hashalg *ha, int version, Secret *s, uchar *p)
  1238. {
  1239. s->maclen = ha->maclen;
  1240. if(version == SSL3Version)
  1241. s->mac = sslmac_md5;
  1242. else
  1243. s->mac = hmac_md5;
  1244. memmove(s->mackey, p, ha->maclen);
  1245. }
  1246. static void
  1247. initclearmac(Hashalg *, int, Secret *s, uchar *)
  1248. {
  1249. s->maclen = 0;
  1250. s->mac = nomac;
  1251. }
  1252. static void
  1253. initsha1key(Hashalg *ha, int version, Secret *s, uchar *p)
  1254. {
  1255. s->maclen = ha->maclen;
  1256. if(version == SSL3Version)
  1257. s->mac = sslmac_sha1;
  1258. else
  1259. s->mac = hmac_sha1;
  1260. memmove(s->mackey, p, ha->maclen);
  1261. }
  1262. static Hashalg hashtab[] =
  1263. {
  1264. { "clear", 0, initclearmac, },
  1265. { "md5", MD5dlen, initmd5key, },
  1266. { "sha1", SHA1dlen, initsha1key, },
  1267. { 0 }
  1268. };
  1269. static Hashalg*
  1270. parsehashalg(char *p)
  1271. {
  1272. Hashalg *ha;
  1273. for(ha = hashtab; ha->name; ha++)
  1274. if(strcmp(p, ha->name) == 0)
  1275. return ha;
  1276. error("unsupported hash algorithm");
  1277. return nil;
  1278. }
  1279. typedef struct Encalg Encalg;
  1280. struct Encalg
  1281. {
  1282. char *name;
  1283. int keylen;
  1284. int ivlen;
  1285. void (*initkey)(Encalg *ea, Secret *, uchar*, uchar*);
  1286. };
  1287. static void
  1288. initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *)
  1289. {
  1290. s->enckey = smalloc(sizeof(RC4state));
  1291. s->enc = rc4enc;
  1292. s->dec = rc4enc;
  1293. s->block = 0;
  1294. setupRC4state(s->enckey, p, ea->keylen);
  1295. }
  1296. static void
  1297. initDES3key(Encalg *, Secret *s, uchar *p, uchar *iv)
  1298. {
  1299. s->enckey = smalloc(sizeof(DES3state));
  1300. s->enc = des3enc;
  1301. s->dec = des3dec;
  1302. s->block = 8;
  1303. setupDES3state(s->enckey, (uchar(*)[8])p, iv);
  1304. }
  1305. static void
  1306. initAESkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
  1307. {
  1308. s->enckey = smalloc(sizeof(AESstate));
  1309. s->enc = aesenc;
  1310. s->dec = aesdec;
  1311. s->block = 16;
  1312. setupAESstate(s->enckey, p, ea->keylen, iv);
  1313. }
  1314. static void
  1315. initclearenc(Encalg *, Secret *s, uchar *, uchar *)
  1316. {
  1317. s->enc = noenc;
  1318. s->dec = noenc;
  1319. s->block = 0;
  1320. }
  1321. static Encalg encrypttab[] =
  1322. {
  1323. { "clear", 0, 0, initclearenc },
  1324. { "rc4_128", 128/8, 0, initRC4key },
  1325. { "3des_ede_cbc", 3 * 8, 8, initDES3key },
  1326. { "aes_128_cbc", 128/8, 16, initAESkey },
  1327. { "aes_256_cbc", 256/8, 16, initAESkey },
  1328. { 0 }
  1329. };
  1330. static Encalg*
  1331. parseencalg(char *p)
  1332. {
  1333. Encalg *ea;
  1334. for(ea = encrypttab; ea->name; ea++)
  1335. if(strcmp(p, ea->name) == 0)
  1336. return ea;
  1337. error("unsupported encryption algorithm");
  1338. return nil;
  1339. }
  1340. static long
  1341. tlswrite(Chan *c, void *a, long n, vlong off)
  1342. {
  1343. Encalg *ea;
  1344. Hashalg *ha;
  1345. TlsRec *volatile tr;
  1346. Secret *volatile tos, *volatile toc;
  1347. Block *volatile b;
  1348. Cmdbuf *volatile cb;
  1349. int m, ty;
  1350. char *p, *e;
  1351. uchar *volatile x;
  1352. ulong offset = off;
  1353. tr = tlsdevs[CONV(c->qid)];
  1354. if(tr == nil)
  1355. panic("tlswrite");
  1356. ty = TYPE(c->qid);
  1357. switch(ty){
  1358. case Qdata:
  1359. case Qhand:
  1360. p = a;
  1361. e = p + n;
  1362. do{
  1363. m = e - p;
  1364. if(m > MaxRecLen)
  1365. m = MaxRecLen;
  1366. b = allocb(m);
  1367. if(waserror()){
  1368. freeb(b);
  1369. nexterror();
  1370. }
  1371. memmove(b->wp, p, m);
  1372. poperror();
  1373. b->wp += m;
  1374. tlsbwrite(c, b, offset);
  1375. p += m;
  1376. }while(p < e);
  1377. return n;
  1378. case Qctl:
  1379. break;
  1380. default:
  1381. error(Ebadusefd);
  1382. return -1;
  1383. }
  1384. cb = parsecmd(a, n);
  1385. if(waserror()){
  1386. free(cb);
  1387. nexterror();
  1388. }
  1389. if(cb->nf < 1)
  1390. error("short control request");
  1391. /* mutex with operations using what we're about to change */
  1392. if(waserror()){
  1393. qunlock(&tr->in.seclock);
  1394. qunlock(&tr->out.seclock);
  1395. nexterror();
  1396. }
  1397. qlock(&tr->in.seclock);
  1398. qlock(&tr->out.seclock);
  1399. if(strcmp(cb->f[0], "fd") == 0){
  1400. if(cb->nf != 3)
  1401. error("usage: fd open-fd version");
  1402. if(tr->c != nil)
  1403. error(Einuse);
  1404. m = strtol(cb->f[2], nil, 0);
  1405. if(m < MinProtoVersion || m > MaxProtoVersion)
  1406. error("unsupported version");
  1407. tr->c = buftochan(cb->f[1]);
  1408. tr->version = m;
  1409. tlsSetState(tr, SHandshake, SClosed);
  1410. }else if(strcmp(cb->f[0], "version") == 0){
  1411. if(cb->nf != 2)
  1412. error("usage: version vers");
  1413. if(tr->c == nil)
  1414. error("must set fd before version");
  1415. if(tr->verset)
  1416. error("version already set");
  1417. m = strtol(cb->f[1], nil, 0);
  1418. if(m == SSL3Version)
  1419. tr->packMac = sslPackMac;
  1420. else if(m == TLSVersion)
  1421. tr->packMac = tlsPackMac;
  1422. else
  1423. error("unsupported version");
  1424. tr->verset = 1;
  1425. tr->version = m;
  1426. }else if(strcmp(cb->f[0], "secret") == 0){
  1427. if(cb->nf != 5)
  1428. error("usage: secret hashalg encalg isclient secretdata");
  1429. if(tr->c == nil || !tr->verset)
  1430. error("must set fd and version before secrets");
  1431. if(tr->in.new != nil){
  1432. freeSec(tr->in.new);
  1433. tr->in.new = nil;
  1434. }
  1435. if(tr->out.new != nil){
  1436. freeSec(tr->out.new);
  1437. tr->out.new = nil;
  1438. }
  1439. ha = parsehashalg(cb->f[1]);
  1440. ea = parseencalg(cb->f[2]);
  1441. p = cb->f[4];
  1442. m = (strlen(p)*3)/2;
  1443. x = smalloc(m);
  1444. tos = nil;
  1445. toc = nil;
  1446. if(waserror()){
  1447. freeSec(tos);
  1448. freeSec(toc);
  1449. free(x);
  1450. nexterror();
  1451. }
  1452. m = dec64(x, m, p, strlen(p));
  1453. if(m < 2 * ha->maclen + 2 * ea->keylen + 2 * ea->ivlen)
  1454. error("not enough secret data provided");
  1455. tos = smalloc(sizeof(Secret));
  1456. toc = smalloc(sizeof(Secret));
  1457. if(!ha->initkey || !ea->initkey)
  1458. error("misimplemented secret algorithm");
  1459. (*ha->initkey)(ha, tr->version, tos, &x[0]);
  1460. (*ha->initkey)(ha, tr->version, toc, &x[ha->maclen]);
  1461. (*ea->initkey)(ea, tos, &x[2 * ha->maclen], &x[2 * ha->maclen + 2 * ea->keylen]);
  1462. (*ea->initkey)(ea, toc, &x[2 * ha->maclen + ea->keylen], &x[2 * ha->maclen + 2 * ea->keylen + ea->ivlen]);
  1463. if(!tos->mac || !tos->enc || !tos->dec
  1464. || !toc->mac || !toc->enc || !toc->dec)
  1465. error("missing algorithm implementations");
  1466. if(strtol(cb->f[3], nil, 0) == 0){
  1467. tr->in.new = tos;
  1468. tr->out.new = toc;
  1469. }else{
  1470. tr->in.new = toc;
  1471. tr->out.new = tos;
  1472. }
  1473. if(tr->version == SSL3Version){
  1474. toc->unpad = sslunpad;
  1475. tos->unpad = sslunpad;
  1476. }else{
  1477. toc->unpad = tlsunpad;
  1478. tos->unpad = tlsunpad;
  1479. }
  1480. toc->encalg = ea->name;
  1481. toc->hashalg = ha->name;
  1482. tos->encalg = ea->name;
  1483. tos->hashalg = ha->name;
  1484. free(x);
  1485. poperror();
  1486. }else if(strcmp(cb->f[0], "changecipher") == 0){
  1487. if(cb->nf != 1)
  1488. error("usage: changecipher");
  1489. if(tr->out.new == nil)
  1490. error("cannot change cipher spec without setting secret");
  1491. qunlock(&tr->in.seclock);
  1492. qunlock(&tr->out.seclock);
  1493. poperror();
  1494. free(cb);
  1495. poperror();
  1496. /*
  1497. * the real work is done as the message is written
  1498. * so the stream is encrypted in sync.
  1499. */
  1500. b = allocb(1);
  1501. *b->wp++ = 1;
  1502. tlsrecwrite(tr, RChangeCipherSpec, b);
  1503. return n;
  1504. }else if(strcmp(cb->f[0], "opened") == 0){
  1505. if(cb->nf != 1)
  1506. error("usage: opened");
  1507. if(tr->in.sec == nil || tr->out.sec == nil)
  1508. error("cipher must be configured before enabling data messages");
  1509. lock(&tr->statelk);
  1510. if(tr->state != SHandshake && tr->state != SOpen){
  1511. unlock(&tr->statelk);
  1512. error("cannot enable data messages");
  1513. }
  1514. tr->state = SOpen;
  1515. unlock(&tr->statelk);
  1516. tr->opened = 1;
  1517. }else if(strcmp(cb->f[0], "alert") == 0){
  1518. if(cb->nf != 2)
  1519. error("usage: alert n");
  1520. if(tr->c == nil)
  1521. error("must set fd before sending alerts");
  1522. m = strtol(cb->f[1], nil, 0);
  1523. qunlock(&tr->in.seclock);
  1524. qunlock(&tr->out.seclock);
  1525. poperror();
  1526. free(cb);
  1527. poperror();
  1528. sendAlert(tr, m);
  1529. if(m == ECloseNotify)
  1530. tlsclosed(tr, SLClose);
  1531. return n;
  1532. } else if(strcmp(cb->f[0], "debug") == 0){
  1533. if(cb->nf == 2){
  1534. if(strcmp(cb->f[1], "on") == 0)
  1535. tr->debug = 1;
  1536. else
  1537. tr->debug = 0;
  1538. } else
  1539. tr->debug = 1;
  1540. } else
  1541. error(Ebadarg);
  1542. qunlock(&tr->in.seclock);
  1543. qunlock(&tr->out.seclock);
  1544. poperror();
  1545. free(cb);
  1546. poperror();
  1547. return n;
  1548. }
  1549. static void
  1550. tlsinit(void)
  1551. {
  1552. struct Encalg *e;
  1553. struct Hashalg *h;
  1554. int n;
  1555. char *cp;
  1556. static int already;
  1557. if(!already){
  1558. fmtinstall('H', encodefmt);
  1559. already = 1;
  1560. }
  1561. tlsdevs = smalloc(sizeof(TlsRec*) * maxtlsdevs);
  1562. trnames = smalloc((sizeof *trnames) * maxtlsdevs);
  1563. n = 1;
  1564. for(e = encrypttab; e->name != nil; e++)
  1565. n += strlen(e->name) + 1;
  1566. cp = encalgs = smalloc(n);
  1567. for(e = encrypttab;;){
  1568. strcpy(cp, e->name);
  1569. cp += strlen(e->name);
  1570. e++;
  1571. if(e->name == nil)
  1572. break;
  1573. *cp++ = ' ';
  1574. }
  1575. *cp = 0;
  1576. n = 1;
  1577. for(h = hashtab; h->name != nil; h++)
  1578. n += strlen(h->name) + 1;
  1579. cp = hashalgs = smalloc(n);
  1580. for(h = hashtab;;){
  1581. strcpy(cp, h->name);
  1582. cp += strlen(h->name);
  1583. h++;
  1584. if(h->name == nil)
  1585. break;
  1586. *cp++ = ' ';
  1587. }
  1588. *cp = 0;
  1589. }
  1590. Dev tlsdevtab = {
  1591. 'a',
  1592. "tls",
  1593. devreset,
  1594. tlsinit,
  1595. devshutdown,
  1596. tlsattach,
  1597. tlswalk,
  1598. tlsstat,
  1599. tlsopen,
  1600. devcreate,
  1601. tlsclose,
  1602. tlsread,
  1603. tlsbread,
  1604. tlswrite,
  1605. tlsbwrite,
  1606. devremove,
  1607. tlswstat,
  1608. };
  1609. /* get channel associated with an fd */
  1610. static Chan*
  1611. buftochan(char *p)
  1612. {
  1613. Chan *c;
  1614. int fd;
  1615. if(p == 0)
  1616. error(Ebadarg);
  1617. fd = strtoul(p, 0, 0);
  1618. if(fd < 0)
  1619. error(Ebadarg);
  1620. c = fdtochan(fd, -1, 0, 1); /* error check and inc ref */
  1621. return c;
  1622. }
  1623. static void
  1624. sendAlert(TlsRec *tr, int err)
  1625. {
  1626. Block *b;
  1627. int i, fatal;
  1628. char *msg;
  1629. if(tr->debug)pprint("sendAlert %d\n", err);
  1630. fatal = 1;
  1631. msg = "tls unknown alert";
  1632. for(i=0; i < nelem(tlserrs); i++) {
  1633. if(tlserrs[i].err == err) {
  1634. msg = tlserrs[i].msg;
  1635. if(tr->version == SSL3Version)
  1636. err = tlserrs[i].sslerr;
  1637. else
  1638. err = tlserrs[i].tlserr;
  1639. fatal = tlserrs[i].fatal;
  1640. break;
  1641. }
  1642. }
  1643. if(!waserror()){
  1644. b = allocb(2);
  1645. *b->wp++ = fatal + 1;
  1646. *b->wp++ = err;
  1647. if(fatal)
  1648. tlsSetState(tr, SAlert, SOpen|SHandshake|SRClose);
  1649. tlsrecwrite(tr, RAlert, b);
  1650. poperror();
  1651. }
  1652. if(fatal)
  1653. tlsError(tr, msg);
  1654. }
  1655. static void
  1656. tlsError(TlsRec *tr, char *msg)
  1657. {
  1658. int s;
  1659. if(tr->debug)pprint("tleError %s\n", msg);
  1660. lock(&tr->statelk);
  1661. s = tr->state;
  1662. tr->state = SError;
  1663. if(s != SError){
  1664. strncpy(tr->err, msg, ERRMAX - 1);
  1665. tr->err[ERRMAX - 1] = '\0';
  1666. }
  1667. unlock(&tr->statelk);
  1668. if(s != SError)
  1669. alertHand(tr, msg);
  1670. }
  1671. static void
  1672. tlsSetState(TlsRec *tr, int new, int old)
  1673. {
  1674. lock(&tr->statelk);
  1675. if(tr->state & old)
  1676. tr->state = new;
  1677. unlock(&tr->statelk);
  1678. }
  1679. /* hand up a digest connection */
  1680. static void
  1681. tlshangup(TlsRec *tr)
  1682. {
  1683. Block *b;
  1684. qlock(&tr->in.io);
  1685. for(b = tr->processed; b; b = tr->processed){
  1686. tr->processed = b->next;
  1687. freeb(b);
  1688. }
  1689. if(tr->unprocessed != nil){
  1690. freeb(tr->unprocessed);
  1691. tr->unprocessed = nil;
  1692. }
  1693. qunlock(&tr->in.io);
  1694. tlsSetState(tr, SClosed, ~0);
  1695. }
  1696. static TlsRec*
  1697. newtls(Chan *ch)
  1698. {
  1699. TlsRec **pp, **ep, **np;
  1700. char **nmp;
  1701. int t, newmax;
  1702. if(waserror()) {
  1703. unlock(&tdlock);
  1704. nexterror();
  1705. }
  1706. lock(&tdlock);
  1707. ep = &tlsdevs[maxtlsdevs];
  1708. for(pp = tlsdevs; pp < ep; pp++)
  1709. if(*pp == nil)
  1710. break;
  1711. if(pp >= ep) {
  1712. if(maxtlsdevs >= MaxTlsDevs) {
  1713. unlock(&tdlock);
  1714. poperror();
  1715. return nil;
  1716. }
  1717. newmax = 2 * maxtlsdevs;
  1718. if(newmax > MaxTlsDevs)
  1719. newmax = MaxTlsDevs;
  1720. np = smalloc(sizeof(TlsRec*) * newmax);
  1721. memmove(np, tlsdevs, sizeof(TlsRec*) * maxtlsdevs);
  1722. tlsdevs = np;
  1723. pp = &tlsdevs[maxtlsdevs];
  1724. memset(pp, 0, sizeof(TlsRec*)*(newmax - maxtlsdevs));
  1725. nmp = smalloc(sizeof *nmp * newmax);
  1726. memmove(nmp, trnames, sizeof *nmp * maxtlsdevs);
  1727. trnames = nmp;
  1728. maxtlsdevs = newmax;
  1729. }
  1730. *pp = mktlsrec();
  1731. if(pp - tlsdevs >= tdhiwat)
  1732. tdhiwat++;
  1733. t = TYPE(ch->qid);
  1734. if(t == Qclonus)
  1735. t = Qctl;
  1736. ch->qid.path = QID(pp - tlsdevs, t);
  1737. ch->qid.vers = 0;
  1738. unlock(&tdlock);
  1739. poperror();
  1740. return *pp;
  1741. }
  1742. static TlsRec *
  1743. mktlsrec(void)
  1744. {
  1745. TlsRec *tr;
  1746. tr = mallocz(sizeof(*tr), 1);
  1747. if(tr == nil)
  1748. error(Enomem);
  1749. tr->state = SClosed;
  1750. tr->ref = 1;
  1751. kstrdup(&tr->user, up->user);
  1752. tr->perm = 0660;
  1753. return tr;
  1754. }
  1755. static char*
  1756. tlsstate(int s)
  1757. {
  1758. switch(s){
  1759. case SHandshake:
  1760. return "Handshaking";
  1761. case SOpen:
  1762. return "Established";
  1763. case SRClose:
  1764. return "RemoteClosed";
  1765. case SLClose:
  1766. return "LocalClosed";
  1767. case SAlert:
  1768. return "Alerting";
  1769. case SError:
  1770. return "Errored";
  1771. case SClosed:
  1772. return "Closed";
  1773. }
  1774. return "Unknown";
  1775. }
  1776. static void
  1777. freeSec(Secret *s)
  1778. {
  1779. if(s != nil){
  1780. free(s->enckey);
  1781. free(s);
  1782. }
  1783. }
  1784. static int
  1785. noenc(Secret *, uchar *, int n)
  1786. {
  1787. return n;
  1788. }
  1789. static int
  1790. rc4enc(Secret *sec, uchar *buf, int n)
  1791. {
  1792. rc4(sec->enckey, buf, n);
  1793. return n;
  1794. }
  1795. static int
  1796. tlsunpad(uchar *buf, int n, int block)
  1797. {
  1798. int pad, nn;
  1799. pad = buf[n - 1];
  1800. nn = n - 1 - pad;
  1801. if(nn <= 0 || n % block)
  1802. return -1;
  1803. while(--n > nn)
  1804. if(pad != buf[n - 1])
  1805. return -1;
  1806. return nn;
  1807. }
  1808. static int
  1809. sslunpad(uchar *buf, int n, int block)
  1810. {
  1811. int pad, nn;
  1812. pad = buf[n - 1];
  1813. nn = n - 1 - pad;
  1814. if(nn <= 0 || n % block)
  1815. return -1;
  1816. return nn;
  1817. }
  1818. static int
  1819. blockpad(uchar *buf, int n, int block)
  1820. {
  1821. int pad, nn;
  1822. nn = n + block;
  1823. nn -= nn % block;
  1824. pad = nn - (n + 1);
  1825. while(n < nn)
  1826. buf[n++] = pad;
  1827. return nn;
  1828. }
  1829. static int
  1830. des3enc(Secret *sec, uchar *buf, int n)
  1831. {
  1832. n = blockpad(buf, n, 8);
  1833. des3CBCencrypt(buf, n, sec->enckey);
  1834. return n;
  1835. }
  1836. static int
  1837. des3dec(Secret *sec, uchar *buf, int n)
  1838. {
  1839. des3CBCdecrypt(buf, n, sec->enckey);
  1840. return (*sec->unpad)(buf, n, 8);
  1841. }
  1842. static int
  1843. aesenc(Secret *sec, uchar *buf, int n)
  1844. {
  1845. n = blockpad(buf, n, 16);
  1846. aesCBCencrypt(buf, n, sec->enckey);
  1847. return n;
  1848. }
  1849. static int
  1850. aesdec(Secret *sec, uchar *buf, int n)
  1851. {
  1852. aesCBCdecrypt(buf, n, sec->enckey);
  1853. return (*sec->unpad)(buf, n, 16);
  1854. }
  1855. static DigestState*
  1856. nomac(uchar *, ulong, uchar *, ulong, uchar *, DigestState *)
  1857. {
  1858. return nil;
  1859. }
  1860. /*
  1861. * sslmac: mac calculations for ssl 3.0 only; tls 1.0 uses the standard hmac.
  1862. */
  1863. static DigestState*
  1864. sslmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s,
  1865. DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen, int padlen)
  1866. {
  1867. int i;
  1868. uchar pad[48], innerdigest[20];
  1869. if(xlen > sizeof(innerdigest)
  1870. || padlen > sizeof(pad))
  1871. return nil;
  1872. if(klen>64)
  1873. return nil;
  1874. /* first time through */
  1875. if(s == nil){
  1876. for(i=0; i<padlen; i++)
  1877. pad[i] = 0x36;
  1878. s = (*x)(key, klen, nil, nil);
  1879. s = (*x)(pad, padlen, nil, s);
  1880. if(s == nil)
  1881. return nil;
  1882. }
  1883. s = (*x)(p, len, nil, s);
  1884. if(digest == nil)
  1885. return s;
  1886. /* last time through */
  1887. for(i=0; i<padlen; i++)
  1888. pad[i] = 0x5c;
  1889. (*x)(nil, 0, innerdigest, s);
  1890. s = (*x)(key, klen, nil, nil);
  1891. s = (*x)(pad, padlen, nil, s);
  1892. (*x)(innerdigest, xlen, digest, s);
  1893. return nil;
  1894. }
  1895. static DigestState*
  1896. sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
  1897. {
  1898. return sslmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen, 40);
  1899. }
  1900. static DigestState*
  1901. sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
  1902. {
  1903. return sslmac_x(p, len, key, klen, digest, s, md5, MD5dlen, 48);
  1904. }
  1905. static void
  1906. sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
  1907. {
  1908. DigestState *s;
  1909. uchar buf[11];
  1910. memmove(buf, seq, 8);
  1911. buf[8] = header[0];
  1912. buf[9] = header[3];
  1913. buf[10] = header[4];
  1914. s = (*sec->mac)(buf, 11, mackey, sec->maclen, 0, 0);
  1915. (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
  1916. }
  1917. static void
  1918. tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
  1919. {
  1920. DigestState *s;
  1921. uchar buf[13];
  1922. memmove(buf, seq, 8);
  1923. memmove(&buf[8], header, 5);
  1924. s = (*sec->mac)(buf, 13, mackey, sec->maclen, 0, 0);
  1925. (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
  1926. }
  1927. static void
  1928. put32(uchar *p, u32int x)
  1929. {
  1930. p[0] = x>>24;
  1931. p[1] = x>>16;
  1932. p[2] = x>>8;
  1933. p[3] = x;
  1934. }
  1935. static void
  1936. put64(uchar *p, vlong x)
  1937. {
  1938. put32(p, (u32int)(x >> 32));
  1939. put32(p+4, (u32int)x);
  1940. }
  1941. static void
  1942. put24(uchar *p, int x)
  1943. {
  1944. p[0] = x>>16;
  1945. p[1] = x>>8;
  1946. p[2] = x;
  1947. }
  1948. static void
  1949. put16(uchar *p, int x)
  1950. {
  1951. p[0] = x>>8;
  1952. p[1] = x;
  1953. }
  1954. static u32int
  1955. get32(uchar *p)
  1956. {
  1957. return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
  1958. }
  1959. static int
  1960. get16(uchar *p)
  1961. {
  1962. return (p[0]<<8)|p[1];
  1963. }
  1964. static char *charmap = "0123456789abcdef";
  1965. static void
  1966. pdump(int len, void *a, char *tag)
  1967. {
  1968. uchar *p;
  1969. int i;
  1970. char buf[65+32];
  1971. char *q;
  1972. p = a;
  1973. strcpy(buf, tag);
  1974. while(len > 0){
  1975. q = buf + strlen(tag);
  1976. for(i = 0; len > 0 && i < 32; i++){
  1977. if(*p >= ' ' && *p < 0x7f){
  1978. *q++ = ' ';
  1979. *q++ = *p;
  1980. } else {
  1981. *q++ = charmap[*p>>4];
  1982. *q++ = charmap[*p & 0xf];
  1983. }
  1984. len--;
  1985. p++;
  1986. }
  1987. *q = 0;
  1988. if(len > 0)
  1989. pprint("%s...\n", buf);
  1990. else
  1991. pprint("%s\n", buf);
  1992. }
  1993. }