devssl.c 26 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505
  1. /*
  2. * devssl - secure sockets layer
  3. */
  4. #include "u.h"
  5. #include "../port/lib.h"
  6. #include "mem.h"
  7. #include "dat.h"
  8. #include "fns.h"
  9. #include "../port/error.h"
  10. #include <libsec.h>
  11. #define NOSPOOKS 1
  12. typedef struct OneWay OneWay;
  13. struct OneWay
  14. {
  15. QLock q;
  16. QLock ctlq;
  17. void *state; /* encryption state */
  18. int slen; /* hash data length */
  19. uchar *secret; /* secret */
  20. ulong mid; /* message id */
  21. };
  22. enum
  23. {
  24. /* connection states */
  25. Sincomplete= 0,
  26. Sclear= 1,
  27. Sencrypting= 2,
  28. Sdigesting= 4,
  29. Sdigenc= Sencrypting|Sdigesting,
  30. /* encryption algorithms */
  31. Noencryption= 0,
  32. DESCBC= 1,
  33. DESECB= 2,
  34. RC4= 3
  35. };
  36. typedef struct Dstate Dstate;
  37. struct Dstate
  38. {
  39. Chan *c; /* io channel */
  40. uchar state; /* state of connection */
  41. int ref; /* serialized by dslock for atomic destroy */
  42. uchar encryptalg; /* encryption algorithm */
  43. ushort blocklen; /* blocking length */
  44. ushort diglen; /* length of digest */
  45. DigestState *(*hf)(uchar*, ulong, uchar*, DigestState*); /* hash func */
  46. /* for SSL format */
  47. int max; /* maximum unpadded data per msg */
  48. int maxpad; /* maximum padded data per msg */
  49. /* input side */
  50. OneWay in;
  51. Block *processed;
  52. Block *unprocessed;
  53. /* output side */
  54. OneWay out;
  55. /* protections */
  56. char *user;
  57. int perm;
  58. };
  59. enum
  60. {
  61. Maxdmsg= 1<<16,
  62. Maxdstate= 128, /* must be a power of 2 */
  63. };
  64. Lock dslock;
  65. int dshiwat;
  66. char *dsname[Maxdstate];
  67. Dstate *dstate[Maxdstate];
  68. char *encalgs;
  69. char *hashalgs;
  70. enum{
  71. Qtopdir = 1, /* top level directory */
  72. Qprotodir,
  73. Qclonus,
  74. Qconvdir, /* directory for a conversation */
  75. Qdata,
  76. Qctl,
  77. Qsecretin,
  78. Qsecretout,
  79. Qencalgs,
  80. Qhashalgs,
  81. };
  82. #define TYPE(x) ((x).path & 0xf)
  83. #define CONV(x) (((x).path >> 5)&(Maxdstate-1))
  84. #define QID(c, y) (((c)<<5) | (y))
  85. static void ensure(Dstate*, Block**, int);
  86. static void consume(Block**, uchar*, int);
  87. static void setsecret(OneWay*, uchar*, int);
  88. static Block* encryptb(Dstate*, Block*, int);
  89. static Block* decryptb(Dstate*, Block*);
  90. static Block* digestb(Dstate*, Block*, int);
  91. static void checkdigestb(Dstate*, Block*);
  92. static Chan* buftochan(char*);
  93. static void sslhangup(Dstate*);
  94. static Dstate* dsclone(Chan *c);
  95. static void dsnew(Chan *c, Dstate **);
  96. static long sslput(Dstate *s, Block * volatile b);
  97. char *sslnames[] = {
  98. [Qclonus] "clone",
  99. [Qdata] "data",
  100. [Qctl] "ctl",
  101. [Qsecretin] "secretin",
  102. [Qsecretout] "secretout",
  103. [Qencalgs] "encalgs",
  104. [Qhashalgs] "hashalgs",
  105. };
  106. static int
  107. sslgen(Chan *c, char*, Dirtab *d, int nd, int s, Dir *dp)
  108. {
  109. Qid q;
  110. Dstate *ds;
  111. char name[16], *p, *nm;
  112. int ft;
  113. USED(nd);
  114. USED(d);
  115. q.type = QTFILE;
  116. q.vers = 0;
  117. ft = TYPE(c->qid);
  118. switch(ft) {
  119. case Qtopdir:
  120. if(s == DEVDOTDOT){
  121. q.path = QID(0, Qtopdir);
  122. q.type = QTDIR;
  123. devdir(c, q, "#D", 0, eve, 0555, dp);
  124. return 1;
  125. }
  126. if(s > 0)
  127. return -1;
  128. q.path = QID(0, Qprotodir);
  129. q.type = QTDIR;
  130. devdir(c, q, "ssl", 0, eve, 0555, dp);
  131. return 1;
  132. case Qprotodir:
  133. if(s == DEVDOTDOT){
  134. q.path = QID(0, Qtopdir);
  135. q.type = QTDIR;
  136. devdir(c, q, ".", 0, eve, 0555, dp);
  137. return 1;
  138. }
  139. if(s < dshiwat) {
  140. q.path = QID(s, Qconvdir);
  141. q.type = QTDIR;
  142. ds = dstate[s];
  143. if(ds != 0)
  144. nm = ds->user;
  145. else
  146. nm = eve;
  147. if(dsname[s] == nil){
  148. sprint(name, "%d", s);
  149. kstrdup(&dsname[s], name);
  150. }
  151. devdir(c, q, dsname[s], 0, nm, 0555, dp);
  152. return 1;
  153. }
  154. if(s > dshiwat)
  155. return -1;
  156. q.path = QID(0, Qclonus);
  157. devdir(c, q, "clone", 0, eve, 0555, dp);
  158. return 1;
  159. case Qconvdir:
  160. if(s == DEVDOTDOT){
  161. q.path = QID(0, Qprotodir);
  162. q.type = QTDIR;
  163. devdir(c, q, "ssl", 0, eve, 0555, dp);
  164. return 1;
  165. }
  166. ds = dstate[CONV(c->qid)];
  167. if(ds != 0)
  168. nm = ds->user;
  169. else
  170. nm = eve;
  171. switch(s) {
  172. default:
  173. return -1;
  174. case 0:
  175. q.path = QID(CONV(c->qid), Qctl);
  176. p = "ctl";
  177. break;
  178. case 1:
  179. q.path = QID(CONV(c->qid), Qdata);
  180. p = "data";
  181. break;
  182. case 2:
  183. q.path = QID(CONV(c->qid), Qsecretin);
  184. p = "secretin";
  185. break;
  186. case 3:
  187. q.path = QID(CONV(c->qid), Qsecretout);
  188. p = "secretout";
  189. break;
  190. case 4:
  191. q.path = QID(CONV(c->qid), Qencalgs);
  192. p = "encalgs";
  193. break;
  194. case 5:
  195. q.path = QID(CONV(c->qid), Qhashalgs);
  196. p = "hashalgs";
  197. break;
  198. }
  199. devdir(c, q, p, 0, nm, 0660, dp);
  200. return 1;
  201. case Qclonus:
  202. devdir(c, c->qid, sslnames[TYPE(c->qid)], 0, eve, 0555, dp);
  203. return 1;
  204. default:
  205. ds = dstate[CONV(c->qid)];
  206. if(ds != 0)
  207. nm = ds->user;
  208. else
  209. nm = eve;
  210. devdir(c, c->qid, sslnames[TYPE(c->qid)], 0, nm, 0660, dp);
  211. return 1;
  212. }
  213. }
  214. static Chan*
  215. sslattach(char *spec)
  216. {
  217. Chan *c;
  218. c = devattach('D', spec);
  219. c->qid.path = QID(0, Qtopdir);
  220. c->qid.vers = 0;
  221. c->qid.type = QTDIR;
  222. return c;
  223. }
  224. static Walkqid*
  225. sslwalk(Chan *c, Chan *nc, char **name, int nname)
  226. {
  227. return devwalk(c, nc, name, nname, nil, 0, sslgen);
  228. }
  229. static int
  230. sslstat(Chan *c, uchar *db, int n)
  231. {
  232. return devstat(c, db, n, nil, 0, sslgen);
  233. }
  234. static Chan*
  235. sslopen(Chan *c, int omode)
  236. {
  237. Dstate *s, **pp;
  238. int perm;
  239. int ft;
  240. perm = 0;
  241. omode &= 3;
  242. switch(omode) {
  243. case OREAD:
  244. perm = 4;
  245. break;
  246. case OWRITE:
  247. perm = 2;
  248. break;
  249. case ORDWR:
  250. perm = 6;
  251. break;
  252. }
  253. ft = TYPE(c->qid);
  254. switch(ft) {
  255. default:
  256. panic("sslopen");
  257. case Qtopdir:
  258. case Qprotodir:
  259. case Qconvdir:
  260. if(omode != OREAD)
  261. error(Eperm);
  262. break;
  263. case Qclonus:
  264. s = dsclone(c);
  265. if(s == 0)
  266. error(Enodev);
  267. break;
  268. case Qctl:
  269. case Qdata:
  270. case Qsecretin:
  271. case Qsecretout:
  272. if(waserror()) {
  273. unlock(&dslock);
  274. nexterror();
  275. }
  276. lock(&dslock);
  277. pp = &dstate[CONV(c->qid)];
  278. s = *pp;
  279. if(s == 0)
  280. dsnew(c, pp);
  281. else {
  282. if((perm & (s->perm>>6)) != perm
  283. && (strcmp(up->user, s->user) != 0
  284. || (perm & s->perm) != perm))
  285. error(Eperm);
  286. s->ref++;
  287. }
  288. unlock(&dslock);
  289. poperror();
  290. break;
  291. case Qencalgs:
  292. case Qhashalgs:
  293. if(omode != OREAD)
  294. error(Eperm);
  295. break;
  296. }
  297. c->mode = openmode(omode);
  298. c->flag |= COPEN;
  299. c->offset = 0;
  300. return c;
  301. }
  302. static int
  303. sslwstat(Chan *c, uchar *db, int n)
  304. {
  305. Dir *dir;
  306. Dstate *s;
  307. int m;
  308. s = dstate[CONV(c->qid)];
  309. if(s == 0)
  310. error(Ebadusefd);
  311. if(strcmp(s->user, up->user) != 0)
  312. error(Eperm);
  313. dir = smalloc(sizeof(Dir)+n);
  314. m = convM2D(db, n, &dir[0], (char*)&dir[1]);
  315. if(m == 0){
  316. free(dir);
  317. error(Eshortstat);
  318. }
  319. if(!emptystr(dir->uid))
  320. kstrdup(&s->user, dir->uid);
  321. if(dir->mode != ~0UL)
  322. s->perm = dir->mode;
  323. free(dir);
  324. return m;
  325. }
  326. static void
  327. sslclose(Chan *c)
  328. {
  329. Dstate *s;
  330. int ft;
  331. ft = TYPE(c->qid);
  332. switch(ft) {
  333. case Qctl:
  334. case Qdata:
  335. case Qsecretin:
  336. case Qsecretout:
  337. if((c->flag & COPEN) == 0)
  338. break;
  339. s = dstate[CONV(c->qid)];
  340. if(s == 0)
  341. break;
  342. lock(&dslock);
  343. if(--s->ref > 0) {
  344. unlock(&dslock);
  345. break;
  346. }
  347. dstate[CONV(c->qid)] = 0;
  348. unlock(&dslock);
  349. if(s->user != nil)
  350. free(s->user);
  351. sslhangup(s);
  352. if(s->c)
  353. cclose(s->c);
  354. if(s->in.secret)
  355. free(s->in.secret);
  356. if(s->out.secret)
  357. free(s->out.secret);
  358. if(s->in.state)
  359. free(s->in.state);
  360. if(s->out.state)
  361. free(s->out.state);
  362. free(s);
  363. }
  364. }
  365. /*
  366. * make sure we have at least 'n' bytes in list 'l'
  367. */
  368. static void
  369. ensure(Dstate *s, Block **l, int n)
  370. {
  371. int sofar, i;
  372. Block *b, *bl;
  373. sofar = 0;
  374. for(b = *l; b; b = b->next){
  375. sofar += BLEN(b);
  376. if(sofar >= n)
  377. return;
  378. l = &b->next;
  379. }
  380. while(sofar < n){
  381. bl = devtab[s->c->type]->bread(s->c, Maxdmsg, 0);
  382. if(bl == 0)
  383. nexterror();
  384. *l = bl;
  385. i = 0;
  386. for(b = bl; b; b = b->next){
  387. i += BLEN(b);
  388. l = &b->next;
  389. }
  390. if(i == 0)
  391. error(Ehungup);
  392. sofar += i;
  393. }
  394. }
  395. /*
  396. * copy 'n' bytes from 'l' into 'p' and free
  397. * the bytes in 'l'
  398. */
  399. static void
  400. consume(Block **l, uchar *p, int n)
  401. {
  402. Block *b;
  403. int i;
  404. for(; *l && n > 0; n -= i){
  405. b = *l;
  406. i = BLEN(b);
  407. if(i > n)
  408. i = n;
  409. memmove(p, b->rp, i);
  410. b->rp += i;
  411. p += i;
  412. if(BLEN(b) < 0)
  413. panic("consume");
  414. if(BLEN(b))
  415. break;
  416. *l = b->next;
  417. freeb(b);
  418. }
  419. }
  420. /*
  421. * give back n bytes
  422. static void
  423. regurgitate(Dstate *s, uchar *p, int n)
  424. {
  425. Block *b;
  426. if(n <= 0)
  427. return;
  428. b = s->unprocessed;
  429. if(s->unprocessed == nil || b->rp - b->base < n) {
  430. b = allocb(n);
  431. memmove(b->wp, p, n);
  432. b->wp += n;
  433. b->next = s->unprocessed;
  434. s->unprocessed = b;
  435. } else {
  436. b->rp -= n;
  437. memmove(b->rp, p, n);
  438. }
  439. }
  440. */
  441. /*
  442. * remove at most n bytes from the queue, if discard is set
  443. * dump the remainder
  444. */
  445. static Block*
  446. qtake(Block **l, int n, int discard)
  447. {
  448. Block *nb, *b, *first;
  449. int i;
  450. first = *l;
  451. for(b = first; b; b = b->next){
  452. i = BLEN(b);
  453. if(i == n){
  454. if(discard){
  455. freeblist(b->next);
  456. *l = 0;
  457. } else
  458. *l = b->next;
  459. b->next = 0;
  460. return first;
  461. } else if(i > n){
  462. i -= n;
  463. if(discard){
  464. freeblist(b->next);
  465. b->wp -= i;
  466. *l = 0;
  467. } else {
  468. nb = allocb(i);
  469. memmove(nb->wp, b->rp+n, i);
  470. nb->wp += i;
  471. b->wp -= i;
  472. nb->next = b->next;
  473. *l = nb;
  474. }
  475. b->next = 0;
  476. if(BLEN(b) < 0)
  477. panic("qtake");
  478. return first;
  479. } else
  480. n -= i;
  481. if(BLEN(b) < 0)
  482. panic("qtake");
  483. }
  484. *l = 0;
  485. return first;
  486. }
  487. /*
  488. * We can't let Eintr's lose data since the program
  489. * doing the read may be able to handle it. The only
  490. * places Eintr is possible is during the read's in consume.
  491. * Therefore, we make sure we can always put back the bytes
  492. * consumed before the last ensure.
  493. */
  494. static Block*
  495. sslbread(Chan *c, long n, ulong)
  496. {
  497. Dstate * volatile s;
  498. Block *b;
  499. uchar consumed[3], *p;
  500. int toconsume;
  501. int len, pad;
  502. s = dstate[CONV(c->qid)];
  503. if(s == 0)
  504. panic("sslbread");
  505. if(s->state == Sincomplete)
  506. error(Ebadusefd);
  507. qlock(&s->in.q);
  508. if(waserror()){
  509. qunlock(&s->in.q);
  510. nexterror();
  511. }
  512. if(s->processed == 0){
  513. /*
  514. * Read in the whole message. Until we've got it all,
  515. * it stays on s->unprocessed, so that if we get Eintr,
  516. * we'll pick up where we left off.
  517. */
  518. ensure(s, &s->unprocessed, 3);
  519. s->unprocessed = pullupblock(s->unprocessed, 2);
  520. p = s->unprocessed->rp;
  521. if(p[0] & 0x80){
  522. len = ((p[0] & 0x7f)<<8) | p[1];
  523. ensure(s, &s->unprocessed, len);
  524. pad = 0;
  525. toconsume = 2;
  526. } else {
  527. s->unprocessed = pullupblock(s->unprocessed, 3);
  528. len = ((p[0] & 0x3f)<<8) | p[1];
  529. pad = p[2];
  530. if(pad > len){
  531. print("pad %d buf len %d\n", pad, len);
  532. error("bad pad in ssl message");
  533. }
  534. toconsume = 3;
  535. }
  536. ensure(s, &s->unprocessed, toconsume+len);
  537. /* skip header */
  538. consume(&s->unprocessed, consumed, toconsume);
  539. /* grab the next message and decode/decrypt it */
  540. b = qtake(&s->unprocessed, len, 0);
  541. if(blocklen(b) != len)
  542. print("devssl: sslbread got wrong count %d != %d", blocklen(b), len);
  543. if(waserror()){
  544. qunlock(&s->in.ctlq);
  545. if(b != nil)
  546. freeb(b);
  547. nexterror();
  548. }
  549. qlock(&s->in.ctlq);
  550. switch(s->state){
  551. case Sencrypting:
  552. if(b == nil)
  553. error("ssl message too short (encrypting)");
  554. b = decryptb(s, b);
  555. break;
  556. case Sdigesting:
  557. b = pullupblock(b, s->diglen);
  558. if(b == nil)
  559. error("ssl message too short (digesting)");
  560. checkdigestb(s, b);
  561. pullblock(&b, s->diglen);
  562. len -= s->diglen;
  563. break;
  564. case Sdigenc:
  565. b = decryptb(s, b);
  566. b = pullupblock(b, s->diglen);
  567. if(b == nil)
  568. error("ssl message too short (dig+enc)");
  569. checkdigestb(s, b);
  570. pullblock(&b, s->diglen);
  571. len -= s->diglen;
  572. break;
  573. }
  574. /* remove pad */
  575. if(pad)
  576. s->processed = qtake(&b, len - pad, 1);
  577. else
  578. s->processed = b;
  579. b = nil;
  580. s->in.mid++;
  581. qunlock(&s->in.ctlq);
  582. poperror();
  583. }
  584. /* return at most what was asked for */
  585. b = qtake(&s->processed, n, 0);
  586. qunlock(&s->in.q);
  587. poperror();
  588. return b;
  589. }
  590. static long
  591. sslread(Chan *c, void *a, long n, vlong off)
  592. {
  593. Block * volatile b;
  594. Block *nb;
  595. uchar *va;
  596. int i;
  597. char buf[128];
  598. ulong offset = off;
  599. int ft;
  600. if(c->qid.type & QTDIR)
  601. return devdirread(c, a, n, 0, 0, sslgen);
  602. ft = TYPE(c->qid);
  603. switch(ft) {
  604. default:
  605. error(Ebadusefd);
  606. case Qctl:
  607. ft = CONV(c->qid);
  608. sprint(buf, "%d", ft);
  609. return readstr(offset, a, n, buf);
  610. case Qdata:
  611. b = sslbread(c, n, offset);
  612. break;
  613. case Qencalgs:
  614. return readstr(offset, a, n, encalgs);
  615. break;
  616. case Qhashalgs:
  617. return readstr(offset, a, n, hashalgs);
  618. break;
  619. }
  620. if(waserror()){
  621. freeblist(b);
  622. nexterror();
  623. }
  624. n = 0;
  625. va = a;
  626. for(nb = b; nb; nb = nb->next){
  627. i = BLEN(nb);
  628. memmove(va+n, nb->rp, i);
  629. n += i;
  630. }
  631. freeblist(b);
  632. poperror();
  633. return n;
  634. }
  635. /*
  636. * this algorithm doesn't have to be great since we're just
  637. * trying to obscure the block fill
  638. */
  639. static void
  640. randfill(uchar *buf, int len)
  641. {
  642. while(len-- > 0)
  643. *buf++ = nrand(256);
  644. }
  645. static long
  646. sslbwrite(Chan *c, Block *b, ulong)
  647. {
  648. Dstate * volatile s;
  649. long rv;
  650. s = dstate[CONV(c->qid)];
  651. if(s == nil)
  652. panic("sslbwrite");
  653. if(s->state == Sincomplete){
  654. freeb(b);
  655. error(Ebadusefd);
  656. }
  657. /* lock so split writes won't interleave */
  658. if(waserror()){
  659. qunlock(&s->out.q);
  660. nexterror();
  661. }
  662. qlock(&s->out.q);
  663. rv = sslput(s, b);
  664. poperror();
  665. qunlock(&s->out.q);
  666. return rv;
  667. }
  668. /*
  669. * use SSL record format, add in count, digest and/or encrypt.
  670. * the write is interruptable. if it is interrupted, we'll
  671. * get out of sync with the far side. not much we can do about
  672. * it since we don't know if any bytes have been written.
  673. */
  674. static long
  675. sslput(Dstate *s, Block * volatile b)
  676. {
  677. Block *nb;
  678. int h, n, m, pad, rv;
  679. uchar *p;
  680. int offset;
  681. if(waserror()){
  682. if(b != nil)
  683. free(b);
  684. nexterror();
  685. }
  686. rv = 0;
  687. while(b != nil){
  688. m = n = BLEN(b);
  689. h = s->diglen + 2;
  690. /* trim to maximum block size */
  691. pad = 0;
  692. if(m > s->max){
  693. m = s->max;
  694. } else if(s->blocklen != 1){
  695. pad = (m + s->diglen)%s->blocklen;
  696. if(pad){
  697. if(m > s->maxpad){
  698. pad = 0;
  699. m = s->maxpad;
  700. } else {
  701. pad = s->blocklen - pad;
  702. h++;
  703. }
  704. }
  705. }
  706. rv += m;
  707. if(m != n){
  708. nb = allocb(m + h + pad);
  709. memmove(nb->wp + h, b->rp, m);
  710. nb->wp += m + h;
  711. b->rp += m;
  712. } else {
  713. /* add header space */
  714. nb = padblock(b, h);
  715. b = 0;
  716. }
  717. m += s->diglen;
  718. /* SSL style count */
  719. if(pad){
  720. nb = padblock(nb, -pad);
  721. randfill(nb->wp, pad);
  722. nb->wp += pad;
  723. m += pad;
  724. p = nb->rp;
  725. p[0] = (m>>8);
  726. p[1] = m;
  727. p[2] = pad;
  728. offset = 3;
  729. } else {
  730. p = nb->rp;
  731. p[0] = (m>>8) | 0x80;
  732. p[1] = m;
  733. offset = 2;
  734. }
  735. switch(s->state){
  736. case Sencrypting:
  737. nb = encryptb(s, nb, offset);
  738. break;
  739. case Sdigesting:
  740. nb = digestb(s, nb, offset);
  741. break;
  742. case Sdigenc:
  743. nb = digestb(s, nb, offset);
  744. nb = encryptb(s, nb, offset);
  745. break;
  746. }
  747. s->out.mid++;
  748. m = BLEN(nb);
  749. devtab[s->c->type]->bwrite(s->c, nb, s->c->offset);
  750. s->c->offset += m;
  751. }
  752. poperror();
  753. return rv;
  754. }
  755. static void
  756. setsecret(OneWay *w, uchar *secret, int n)
  757. {
  758. if(w->secret)
  759. free(w->secret);
  760. w->secret = smalloc(n);
  761. memmove(w->secret, secret, n);
  762. w->slen = n;
  763. }
  764. static void
  765. initDESkey(OneWay *w)
  766. {
  767. if(w->state){
  768. free(w->state);
  769. w->state = 0;
  770. }
  771. w->state = smalloc(sizeof(DESstate));
  772. if(w->slen >= 16)
  773. setupDESstate(w->state, w->secret, w->secret+8);
  774. else if(w->slen >= 8)
  775. setupDESstate(w->state, w->secret, 0);
  776. else
  777. error("secret too short");
  778. }
  779. /*
  780. * 40 bit DES is the same as 56 bit DES. However,
  781. * 16 bits of the key are masked to zero.
  782. */
  783. static void
  784. initDESkey_40(OneWay *w)
  785. {
  786. uchar key[8];
  787. if(w->state){
  788. free(w->state);
  789. w->state = 0;
  790. }
  791. if(w->slen >= 8){
  792. memmove(key, w->secret, 8);
  793. key[0] &= 0x0f;
  794. key[2] &= 0x0f;
  795. key[4] &= 0x0f;
  796. key[6] &= 0x0f;
  797. }
  798. w->state = malloc(sizeof(DESstate));
  799. if(w->slen >= 16)
  800. setupDESstate(w->state, key, w->secret+8);
  801. else if(w->slen >= 8)
  802. setupDESstate(w->state, key, 0);
  803. else
  804. error("secret too short");
  805. }
  806. static void
  807. initRC4key(OneWay *w)
  808. {
  809. if(w->state){
  810. free(w->state);
  811. w->state = 0;
  812. }
  813. w->state = smalloc(sizeof(RC4state));
  814. setupRC4state(w->state, w->secret, w->slen);
  815. }
  816. /*
  817. * 40 bit RC4 is the same as n-bit RC4. However,
  818. * we ignore all but the first 40 bits of the key.
  819. */
  820. static void
  821. initRC4key_40(OneWay *w)
  822. {
  823. if(w->state){
  824. free(w->state);
  825. w->state = 0;
  826. }
  827. if(w->slen > 5)
  828. w->slen = 5;
  829. w->state = malloc(sizeof(RC4state));
  830. setupRC4state(w->state, w->secret, w->slen);
  831. }
  832. /*
  833. * 128 bit RC4 is the same as n-bit RC4. However,
  834. * we ignore all but the first 128 bits of the key.
  835. */
  836. static void
  837. initRC4key_128(OneWay *w)
  838. {
  839. if(w->state){
  840. free(w->state);
  841. w->state = 0;
  842. }
  843. if(w->slen > 16)
  844. w->slen = 16;
  845. w->state = malloc(sizeof(RC4state));
  846. setupRC4state(w->state, w->secret, w->slen);
  847. }
  848. typedef struct Hashalg Hashalg;
  849. struct Hashalg
  850. {
  851. char *name;
  852. int diglen;
  853. DigestState *(*hf)(uchar*, ulong, uchar*, DigestState*);
  854. };
  855. Hashalg hashtab[] =
  856. {
  857. { "md4", MD4dlen, md4, },
  858. { "md5", MD5dlen, md5, },
  859. { "sha1", SHA1dlen, sha1, },
  860. { "sha", SHA1dlen, sha1, },
  861. { 0 }
  862. };
  863. static int
  864. parsehashalg(char *p, Dstate *s)
  865. {
  866. Hashalg *ha;
  867. for(ha = hashtab; ha->name; ha++){
  868. if(strcmp(p, ha->name) == 0){
  869. s->hf = ha->hf;
  870. s->diglen = ha->diglen;
  871. s->state &= ~Sclear;
  872. s->state |= Sdigesting;
  873. return 0;
  874. }
  875. }
  876. return -1;
  877. }
  878. typedef struct Encalg Encalg;
  879. struct Encalg
  880. {
  881. char *name;
  882. int blocklen;
  883. int alg;
  884. void (*keyinit)(OneWay*);
  885. };
  886. #ifdef NOSPOOKS
  887. Encalg encrypttab[] =
  888. {
  889. { "descbc", 8, DESCBC, initDESkey, }, /* DEPRECATED -- use des_56_cbc */
  890. { "desecb", 8, DESECB, initDESkey, }, /* DEPRECATED -- use des_56_ecb */
  891. { "des_56_cbc", 8, DESCBC, initDESkey, },
  892. { "des_56_ecb", 8, DESECB, initDESkey, },
  893. { "des_40_cbc", 8, DESCBC, initDESkey_40, },
  894. { "des_40_ecb", 8, DESECB, initDESkey_40, },
  895. { "rc4", 1, RC4, initRC4key_40, }, /* DEPRECATED -- use rc4_X */
  896. { "rc4_256", 1, RC4, initRC4key, },
  897. { "rc4_128", 1, RC4, initRC4key_128, },
  898. { "rc4_40", 1, RC4, initRC4key_40, },
  899. { 0 }
  900. };
  901. #else
  902. Encalg encrypttab[] =
  903. {
  904. { "des_40_cbc", 8, DESCBC, initDESkey_40, },
  905. { "des_40_ecb", 8, DESECB, initDESkey_40, },
  906. { "rc4", 1, RC4, initRC4key_40, }, /* DEPRECATED -- use rc4_X */
  907. { "rc4_40", 1, RC4, initRC4key_40, },
  908. { 0 }
  909. };
  910. #endif NOSPOOKS
  911. static int
  912. parseencryptalg(char *p, Dstate *s)
  913. {
  914. Encalg *ea;
  915. for(ea = encrypttab; ea->name; ea++){
  916. if(strcmp(p, ea->name) == 0){
  917. s->encryptalg = ea->alg;
  918. s->blocklen = ea->blocklen;
  919. (*ea->keyinit)(&s->in);
  920. (*ea->keyinit)(&s->out);
  921. s->state &= ~Sclear;
  922. s->state |= Sencrypting;
  923. return 0;
  924. }
  925. }
  926. return -1;
  927. }
  928. static long
  929. sslwrite(Chan *c, void *a, long n, vlong)
  930. {
  931. Dstate * volatile s;
  932. Block * volatile b;
  933. int m, t;
  934. char *p, *np, *e, buf[128];
  935. uchar *x;
  936. s = dstate[CONV(c->qid)];
  937. if(s == 0)
  938. panic("sslwrite");
  939. t = TYPE(c->qid);
  940. if(t == Qdata){
  941. if(s->state == Sincomplete)
  942. error(Ebadusefd);
  943. /* lock should a write gets split over multiple records */
  944. if(waserror()){
  945. qunlock(&s->out.q);
  946. nexterror();
  947. }
  948. qlock(&s->out.q);
  949. p = a;
  950. e = p + n;
  951. do {
  952. m = e - p;
  953. if(m > s->max)
  954. m = s->max;
  955. b = allocb(m);
  956. if(waserror()){
  957. freeb(b);
  958. nexterror();
  959. }
  960. memmove(b->wp, p, m);
  961. poperror();
  962. b->wp += m;
  963. sslput(s, b);
  964. p += m;
  965. } while(p < e);
  966. poperror();
  967. qunlock(&s->out.q);
  968. return n;
  969. }
  970. /* mutex with operations using what we're about to change */
  971. if(waserror()){
  972. qunlock(&s->in.ctlq);
  973. qunlock(&s->out.q);
  974. nexterror();
  975. }
  976. qlock(&s->in.ctlq);
  977. qlock(&s->out.q);
  978. switch(t){
  979. default:
  980. panic("sslwrite");
  981. case Qsecretin:
  982. setsecret(&s->in, a, n);
  983. goto out;
  984. case Qsecretout:
  985. setsecret(&s->out, a, n);
  986. goto out;
  987. case Qctl:
  988. break;
  989. }
  990. if(n >= sizeof(buf))
  991. error("arg too long");
  992. strncpy(buf, a, n);
  993. buf[n] = 0;
  994. p = strchr(buf, '\n');
  995. if(p)
  996. *p = 0;
  997. p = strchr(buf, ' ');
  998. if(p)
  999. *p++ = 0;
  1000. if(strcmp(buf, "fd") == 0){
  1001. s->c = buftochan(p);
  1002. /* default is clear (msg delimiters only) */
  1003. s->state = Sclear;
  1004. s->blocklen = 1;
  1005. s->diglen = 0;
  1006. s->maxpad = s->max = (1<<15) - s->diglen - 1;
  1007. s->in.mid = 0;
  1008. s->out.mid = 0;
  1009. } else if(strcmp(buf, "alg") == 0 && p != 0){
  1010. s->blocklen = 1;
  1011. s->diglen = 0;
  1012. if(s->c == 0)
  1013. error("must set fd before algorithm");
  1014. s->state = Sclear;
  1015. s->maxpad = s->max = (1<<15) - s->diglen - 1;
  1016. if(strcmp(p, "clear") == 0){
  1017. goto out;
  1018. }
  1019. if(s->in.secret && s->out.secret == 0)
  1020. setsecret(&s->out, s->in.secret, s->in.slen);
  1021. if(s->out.secret && s->in.secret == 0)
  1022. setsecret(&s->in, s->out.secret, s->out.slen);
  1023. if(s->in.secret == 0 || s->out.secret == 0)
  1024. error("algorithm but no secret");
  1025. s->hf = 0;
  1026. s->encryptalg = Noencryption;
  1027. s->blocklen = 1;
  1028. for(;;){
  1029. np = strchr(p, ' ');
  1030. if(np)
  1031. *np++ = 0;
  1032. if(parsehashalg(p, s) < 0)
  1033. if(parseencryptalg(p, s) < 0)
  1034. error("bad algorithm");
  1035. if(np == 0)
  1036. break;
  1037. p = np;
  1038. }
  1039. if(s->hf == 0 && s->encryptalg == Noencryption)
  1040. error("bad algorithm");
  1041. if(s->blocklen != 1){
  1042. s->max = (1<<15) - s->diglen - 1;
  1043. s->max -= s->max % s->blocklen;
  1044. s->maxpad = (1<<14) - s->diglen - 1;
  1045. s->maxpad -= s->maxpad % s->blocklen;
  1046. } else
  1047. s->maxpad = s->max = (1<<15) - s->diglen - 1;
  1048. } else if(strcmp(buf, "secretin") == 0 && p != 0) {
  1049. m = (strlen(p)*3)/2;
  1050. x = smalloc(m);
  1051. t = dec64(x, m, p, strlen(p));
  1052. setsecret(&s->in, x, t);
  1053. free(x);
  1054. } else if(strcmp(buf, "secretout") == 0 && p != 0) {
  1055. m = (strlen(p)*3)/2 + 1;
  1056. x = smalloc(m);
  1057. t = dec64(x, m, p, strlen(p));
  1058. setsecret(&s->out, x, t);
  1059. free(x);
  1060. } else
  1061. error(Ebadarg);
  1062. out:
  1063. qunlock(&s->in.ctlq);
  1064. qunlock(&s->out.q);
  1065. poperror();
  1066. return n;
  1067. }
  1068. static void
  1069. sslinit(void)
  1070. {
  1071. struct Encalg *e;
  1072. struct Hashalg *h;
  1073. int n;
  1074. char *cp;
  1075. n = 1;
  1076. for(e = encrypttab; e->name != nil; e++)
  1077. n += strlen(e->name) + 1;
  1078. cp = encalgs = smalloc(n);
  1079. for(e = encrypttab;;){
  1080. strcpy(cp, e->name);
  1081. cp += strlen(e->name);
  1082. e++;
  1083. if(e->name == nil)
  1084. break;
  1085. *cp++ = ' ';
  1086. }
  1087. *cp = 0;
  1088. n = 1;
  1089. for(h = hashtab; h->name != nil; h++)
  1090. n += strlen(h->name) + 1;
  1091. cp = hashalgs = smalloc(n);
  1092. for(h = hashtab;;){
  1093. strcpy(cp, h->name);
  1094. cp += strlen(h->name);
  1095. h++;
  1096. if(h->name == nil)
  1097. break;
  1098. *cp++ = ' ';
  1099. }
  1100. *cp = 0;
  1101. }
  1102. Dev ssldevtab = {
  1103. 'D',
  1104. "ssl",
  1105. devreset,
  1106. sslinit,
  1107. devshutdown,
  1108. sslattach,
  1109. sslwalk,
  1110. sslstat,
  1111. sslopen,
  1112. devcreate,
  1113. sslclose,
  1114. sslread,
  1115. sslbread,
  1116. sslwrite,
  1117. sslbwrite,
  1118. devremove,
  1119. sslwstat,
  1120. };
  1121. static Block*
  1122. encryptb(Dstate *s, Block *b, int offset)
  1123. {
  1124. uchar *p, *ep, *p2, *ip, *eip;
  1125. DESstate *ds;
  1126. switch(s->encryptalg){
  1127. case DESECB:
  1128. ds = s->out.state;
  1129. ep = b->rp + BLEN(b);
  1130. for(p = b->rp + offset; p < ep; p += 8)
  1131. block_cipher(ds->expanded, p, 0);
  1132. break;
  1133. case DESCBC:
  1134. ds = s->out.state;
  1135. ep = b->rp + BLEN(b);
  1136. for(p = b->rp + offset; p < ep; p += 8){
  1137. p2 = p;
  1138. ip = ds->ivec;
  1139. for(eip = ip+8; ip < eip; )
  1140. *p2++ ^= *ip++;
  1141. block_cipher(ds->expanded, p, 0);
  1142. memmove(ds->ivec, p, 8);
  1143. }
  1144. break;
  1145. case RC4:
  1146. rc4(s->out.state, b->rp + offset, BLEN(b) - offset);
  1147. break;
  1148. }
  1149. return b;
  1150. }
  1151. static Block*
  1152. decryptb(Dstate *s, Block *bin)
  1153. {
  1154. Block *b, **l;
  1155. uchar *p, *ep, *tp, *ip, *eip;
  1156. DESstate *ds;
  1157. uchar tmp[8];
  1158. int i;
  1159. l = &bin;
  1160. for(b = bin; b; b = b->next){
  1161. /* make sure we have a multiple of s->blocklen */
  1162. if(s->blocklen > 1){
  1163. i = BLEN(b);
  1164. if(i % s->blocklen){
  1165. *l = b = pullupblock(b, i + s->blocklen - (i%s->blocklen));
  1166. if(b == 0)
  1167. error("ssl encrypted message too short");
  1168. }
  1169. }
  1170. l = &b->next;
  1171. /* decrypt */
  1172. switch(s->encryptalg){
  1173. case DESECB:
  1174. ds = s->in.state;
  1175. ep = b->rp + BLEN(b);
  1176. for(p = b->rp; p < ep; p += 8)
  1177. block_cipher(ds->expanded, p, 1);
  1178. break;
  1179. case DESCBC:
  1180. ds = s->in.state;
  1181. ep = b->rp + BLEN(b);
  1182. for(p = b->rp; p < ep;){
  1183. memmove(tmp, p, 8);
  1184. block_cipher(ds->expanded, p, 1);
  1185. tp = tmp;
  1186. ip = ds->ivec;
  1187. for(eip = ip+8; ip < eip; ){
  1188. *p++ ^= *ip;
  1189. *ip++ = *tp++;
  1190. }
  1191. }
  1192. break;
  1193. case RC4:
  1194. rc4(s->in.state, b->rp, BLEN(b));
  1195. break;
  1196. }
  1197. }
  1198. return bin;
  1199. }
  1200. static Block*
  1201. digestb(Dstate *s, Block *b, int offset)
  1202. {
  1203. uchar *p;
  1204. DigestState ss;
  1205. uchar msgid[4];
  1206. ulong n, h;
  1207. OneWay *w;
  1208. w = &s->out;
  1209. memset(&ss, 0, sizeof(ss));
  1210. h = s->diglen + offset;
  1211. n = BLEN(b) - h;
  1212. /* hash secret + message */
  1213. (*s->hf)(w->secret, w->slen, 0, &ss);
  1214. (*s->hf)(b->rp + h, n, 0, &ss);
  1215. /* hash message id */
  1216. p = msgid;
  1217. n = w->mid;
  1218. *p++ = n>>24;
  1219. *p++ = n>>16;
  1220. *p++ = n>>8;
  1221. *p = n;
  1222. (*s->hf)(msgid, 4, b->rp + offset, &ss);
  1223. return b;
  1224. }
  1225. static void
  1226. checkdigestb(Dstate *s, Block *bin)
  1227. {
  1228. uchar *p;
  1229. DigestState ss;
  1230. uchar msgid[4];
  1231. int n, h;
  1232. OneWay *w;
  1233. uchar digest[128];
  1234. Block *b;
  1235. w = &s->in;
  1236. memset(&ss, 0, sizeof(ss));
  1237. /* hash secret */
  1238. (*s->hf)(w->secret, w->slen, 0, &ss);
  1239. /* hash message */
  1240. h = s->diglen;
  1241. for(b = bin; b; b = b->next){
  1242. n = BLEN(b) - h;
  1243. if(n < 0)
  1244. panic("checkdigestb");
  1245. (*s->hf)(b->rp + h, n, 0, &ss);
  1246. h = 0;
  1247. }
  1248. /* hash message id */
  1249. p = msgid;
  1250. n = w->mid;
  1251. *p++ = n>>24;
  1252. *p++ = n>>16;
  1253. *p++ = n>>8;
  1254. *p = n;
  1255. (*s->hf)(msgid, 4, digest, &ss);
  1256. if(memcmp(digest, bin->rp, s->diglen) != 0)
  1257. error("bad digest");
  1258. }
  1259. /* get channel associated with an fd */
  1260. static Chan*
  1261. buftochan(char *p)
  1262. {
  1263. Chan *c;
  1264. int fd;
  1265. if(p == 0)
  1266. error(Ebadarg);
  1267. fd = strtoul(p, 0, 0);
  1268. if(fd < 0)
  1269. error(Ebadarg);
  1270. c = fdtochan(fd, -1, 0, 1); /* error check and inc ref */
  1271. if(devtab[c->type] == &ssldevtab){
  1272. cclose(c);
  1273. error("cannot ssl encrypt devssl files");
  1274. }
  1275. return c;
  1276. }
  1277. /* hand up a digest connection */
  1278. static void
  1279. sslhangup(Dstate *s)
  1280. {
  1281. Block *b;
  1282. qlock(&s->in.q);
  1283. for(b = s->processed; b; b = s->processed){
  1284. s->processed = b->next;
  1285. freeb(b);
  1286. }
  1287. if(s->unprocessed){
  1288. freeb(s->unprocessed);
  1289. s->unprocessed = 0;
  1290. }
  1291. s->state = Sincomplete;
  1292. qunlock(&s->in.q);
  1293. }
  1294. static Dstate*
  1295. dsclone(Chan *ch)
  1296. {
  1297. int i;
  1298. Dstate *ret;
  1299. if(waserror()) {
  1300. unlock(&dslock);
  1301. nexterror();
  1302. }
  1303. lock(&dslock);
  1304. ret = nil;
  1305. for(i=0; i<Maxdstate; i++){
  1306. if(dstate[i] == nil){
  1307. dsnew(ch, &dstate[i]);
  1308. ret = dstate[i];
  1309. break;
  1310. }
  1311. }
  1312. unlock(&dslock);
  1313. poperror();
  1314. return ret;
  1315. }
  1316. static void
  1317. dsnew(Chan *ch, Dstate **pp)
  1318. {
  1319. Dstate *s;
  1320. int t;
  1321. *pp = s = malloc(sizeof(*s));
  1322. if(!s)
  1323. error(Enomem);
  1324. if(pp - dstate >= dshiwat)
  1325. dshiwat++;
  1326. memset(s, 0, sizeof(*s));
  1327. s->state = Sincomplete;
  1328. s->ref = 1;
  1329. kstrdup(&s->user, up->user);
  1330. s->perm = 0660;
  1331. t = TYPE(ch->qid);
  1332. if(t == Qclonus)
  1333. t = Qctl;
  1334. ch->qid.path = QID(pp - dstate, t);
  1335. ch->qid.vers = 0;
  1336. }