123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319 |
- #include <u.h>
- #include <libc.h>
- #include <bio.h>
- #include <auth.h>
- #include <mp.h>
- #include <libsec.h>
- // The main groups of functions are:
- // client/server - main handshake protocol definition
- // message functions - formating handshake messages
- // cipher choices - catalog of digest and encrypt algorithms
- // security functions - PKCS#1, sslHMAC, session keygen
- // general utility functions - malloc, serialization
- // The handshake protocol builds on the TLS/SSL3 record layer protocol,
- // which is implemented in kernel device #a. See also /lib/rfc/rfc2246.
- enum {
- TLSFinishedLen = 12,
- SSL3FinishedLen = MD5dlen+SHA1dlen,
- MaxKeyData = 104, // amount of secret we may need
- MaxChunk = 1<<14,
- RandomSize = 32,
- SidSize = 32,
- MasterSecretSize = 48,
- AQueue = 0,
- AFlush = 1,
- };
- typedef struct TlsSec TlsSec;
- typedef struct Bytes{
- int len;
- uchar data[1]; // [len]
- } Bytes;
- typedef struct Ints{
- int len;
- int data[1]; // [len]
- } Ints;
- typedef struct Algs{
- char *enc;
- char *digest;
- int nsecret;
- int tlsid;
- int ok;
- } Algs;
- typedef struct Finished{
- uchar verify[SSL3FinishedLen];
- int n;
- } Finished;
- typedef struct TlsConnection{
- TlsSec *sec; // security management goo
- int hand, ctl; // record layer file descriptors
- int erred; // set when tlsError called
- int (*trace)(char*fmt, ...); // for debugging
- int version; // protocol we are speaking
- int verset; // version has been set
- int ver2hi; // server got a version 2 hello
- int isClient; // is this the client or server?
- Bytes *sid; // SessionID
- Bytes *cert; // only last - no chain
- Lock statelk;
- int state; // must be set using setstate
- // input buffer for handshake messages
- uchar buf[MaxChunk+2048];
- uchar *rp, *ep;
- uchar crandom[RandomSize]; // client random
- uchar srandom[RandomSize]; // server random
- int clientVersion; // version in ClientHello
- char *digest; // name of digest algorithm to use
- char *enc; // name of encryption algorithm to use
- int nsecret; // amount of secret data to init keys
- // for finished messages
- MD5state hsmd5; // handshake hash
- SHAstate hssha1; // handshake hash
- Finished finished;
- } TlsConnection;
- typedef struct Msg{
- int tag;
- union {
- struct {
- int version;
- uchar random[RandomSize];
- Bytes* sid;
- Ints* ciphers;
- Bytes* compressors;
- } clientHello;
- struct {
- int version;
- uchar random[RandomSize];
- Bytes* sid;
- int cipher;
- int compressor;
- } serverHello;
- struct {
- int ncert;
- Bytes **certs;
- } certificate;
- struct {
- Bytes *types;
- int nca;
- Bytes **cas;
- } certificateRequest;
- struct {
- Bytes *key;
- } clientKeyExchange;
- Finished finished;
- } u;
- } Msg;
- typedef struct TlsSec{
- char *server; // name of remote; nil for server
- int ok; // <0 killed; == 0 in progress; >0 reusable
- RSApub *rsapub;
- AuthRpc *rpc; // factotum for rsa private key
- uchar sec[MasterSecretSize]; // master secret
- uchar crandom[RandomSize]; // client random
- uchar srandom[RandomSize]; // server random
- int clientVers; // version in ClientHello
- int vers; // final version
- // byte generation and handshake checksum
- void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
- void (*setFinished)(TlsSec*, MD5state, SHAstate, uchar*, int);
- int nfin;
- } TlsSec;
- enum {
- TLSVersion = 0x0301,
- SSL3Version = 0x0300,
- ProtocolVersion = 0x0301, // maximum version we speak
- MinProtoVersion = 0x0300, // limits on version we accept
- MaxProtoVersion = 0x03ff,
- };
- // handshake type
- enum {
- HHelloRequest,
- HClientHello,
- HServerHello,
- HSSL2ClientHello = 9, /* local convention; see devtls.c */
- HCertificate = 11,
- HServerKeyExchange,
- HCertificateRequest,
- HServerHelloDone,
- HCertificateVerify,
- HClientKeyExchange,
- HFinished = 20,
- HMax
- };
- // alerts
- enum {
- ECloseNotify = 0,
- EUnexpectedMessage = 10,
- EBadRecordMac = 20,
- EDecryptionFailed = 21,
- ERecordOverflow = 22,
- EDecompressionFailure = 30,
- EHandshakeFailure = 40,
- ENoCertificate = 41,
- EBadCertificate = 42,
- EUnsupportedCertificate = 43,
- ECertificateRevoked = 44,
- ECertificateExpired = 45,
- ECertificateUnknown = 46,
- EIllegalParameter = 47,
- EUnknownCa = 48,
- EAccessDenied = 49,
- EDecodeError = 50,
- EDecryptError = 51,
- EExportRestriction = 60,
- EProtocolVersion = 70,
- EInsufficientSecurity = 71,
- EInternalError = 80,
- EUserCanceled = 90,
- ENoRenegotiation = 100,
- EMax = 256
- };
- // cipher suites
- enum {
- TLS_NULL_WITH_NULL_NULL = 0x0000,
- TLS_RSA_WITH_NULL_MD5 = 0x0001,
- TLS_RSA_WITH_NULL_SHA = 0x0002,
- TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
- TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
- TLS_RSA_WITH_RC4_128_SHA = 0x0005,
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006,
- TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
- TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008,
- TLS_RSA_WITH_DES_CBC_SHA = 0X0009,
- TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A,
- TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X000B,
- TLS_DH_DSS_WITH_DES_CBC_SHA = 0X000C,
- TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0X000D,
- TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X000E,
- TLS_DH_RSA_WITH_DES_CBC_SHA = 0X000F,
- TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0X0010,
- TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X0011,
- TLS_DHE_DSS_WITH_DES_CBC_SHA = 0X0012,
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0X0013, // ZZZ must be implemented for tls1.0 compliance
- TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0014,
- TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015,
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016,
- TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
- TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
- TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
- TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
- TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
- TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
- TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0X0033,
- TLS_DH_anon_WITH_AES_128_CBC_SHA = 0X0034,
- TLS_RSA_WITH_AES_256_CBC_SHA = 0X0035,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0X0036,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0X0037,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
- TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
- CipherMax
- };
- // compression methods
- enum {
- CompressionNull = 0,
- CompressionMax
- };
- static Algs cipherAlgs[] = {
- {"rc4_128", "md5", 2 * (16 + MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
- {"rc4_128", "sha1", 2 * (16 + SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
- {"3des_ede_cbc","sha1",2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
- };
- static uchar compressors[] = {
- CompressionNull,
- };
- static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chain);
- static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...));
- static void msgClear(Msg *m);
- static char* msgPrint(char *buf, int n, Msg *m);
- static int msgRecv(TlsConnection *c, Msg *m);
- static int msgSend(TlsConnection *c, Msg *m, int act);
- static void tlsError(TlsConnection *c, int err, char *msg, ...);
- #pragma varargck argpos tlsError 3
- static int setVersion(TlsConnection *c, int version);
- static int finishedMatch(TlsConnection *c, Finished *f);
- static void tlsConnectionFree(TlsConnection *c);
- static int setAlgs(TlsConnection *c, int a);
- static int okCipher(Ints *cv);
- static int okCompression(Bytes *cv);
- static int initCiphers(void);
- static Ints* makeciphers(void);
- static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
- static int tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd);
- static TlsSec* tlsSecInitc(int cvers, uchar *crandom);
- static int tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd);
- static int tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient);
- static void tlsSecOk(TlsSec *sec);
- static void tlsSecKill(TlsSec *sec);
- static void tlsSecClose(TlsSec *sec);
- static void setMasterSecret(TlsSec *sec, Bytes *pm);
- static void serverMasterSecret(TlsSec *sec, uchar *epm, int nepm);
- static void setSecrets(TlsSec *sec, uchar *kd, int nkd);
- static int clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm);
- static Bytes *pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
- static Bytes *pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm);
- static void tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
- static void sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
- static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
- uchar *seed0, int nseed0, uchar *seed1, int nseed1);
- static int setVers(TlsSec *sec, int version);
- static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
- static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
- static void factotum_rsa_close(AuthRpc*rpc);
- static void* emalloc(int);
- static void* erealloc(void*, int);
- static void put32(uchar *p, u32int);
- static void put24(uchar *p, int);
- static void put16(uchar *p, int);
- static u32int get32(uchar *p);
- static int get24(uchar *p);
- static int get16(uchar *p);
- static Bytes* newbytes(int len);
- static Bytes* makebytes(uchar* buf, int len);
- static void freebytes(Bytes* b);
- static Ints* newints(int len);
- static Ints* makeints(int* buf, int len);
- static void freeints(Ints* b);
- //================= client/server ========================
- // push TLS onto fd, returning new (application) file descriptor
- // or -1 if error.
- int
- tlsServer(int fd, TLSconn *conn)
- {
- char buf[8];
- char dname[64];
- int n, data, ctl, hand;
- TlsConnection *tls;
- if(conn == nil)
- return -1;
- ctl = open("#a/tls/clone", ORDWR);
- if(ctl < 0)
- return -1;
- n = read(ctl, buf, sizeof(buf)-1);
- if(n < 0){
- close(ctl);
- return -1;
- }
- buf[n] = 0;
- sprint(conn->dir, "#a/tls/%s", buf);
- sprint(dname, "#a/tls/%s/hand", buf);
- hand = open(dname, ORDWR);
- if(hand < 0){
- close(ctl);
- return -1;
- }
- fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
- tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
- sprint(dname, "#a/tls/%s/data", buf);
- data = open(dname, ORDWR);
- close(fd);
- close(hand);
- close(ctl);
- if(data < 0){
- return -1;
- }
- if(tls == nil){
- close(data);
- return -1;
- }
- if(conn->cert)
- free(conn->cert);
- conn->cert = 0; // client certificates are not yet implemented
- conn->certlen = 0;
- conn->sessionIDlen = tls->sid->len;
- conn->sessionID = emalloc(conn->sessionIDlen);
- memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
- if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0)
- tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst, tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize);
- tlsConnectionFree(tls);
- return data;
- }
- // push TLS onto fd, returning new (application) file descriptor
- // or -1 if error.
- int
- tlsClient(int fd, TLSconn *conn)
- {
- char buf[8];
- char dname[64];
- int n, data, ctl, hand;
- TlsConnection *tls;
- if(!conn)
- return -1;
- ctl = open("#a/tls/clone", ORDWR);
- if(ctl < 0)
- return -1;
- n = read(ctl, buf, sizeof(buf)-1);
- if(n < 0){
- close(ctl);
- return -1;
- }
- buf[n] = 0;
- sprint(conn->dir, "#a/tls/%s", buf);
- sprint(dname, "#a/tls/%s/hand", buf);
- hand = open(dname, ORDWR);
- if(hand < 0){
- close(ctl);
- return -1;
- }
- sprint(dname, "#a/tls/%s/data", buf);
- data = open(dname, ORDWR);
- if(data < 0)
- return -1;
- fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
- tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->trace);
- close(fd);
- close(hand);
- close(ctl);
- if(tls == nil){
- close(data);
- return -1;
- }
- conn->certlen = tls->cert->len;
- conn->cert = emalloc(conn->certlen);
- memcpy(conn->cert, tls->cert->data, conn->certlen);
- conn->sessionIDlen = tls->sid->len;
- conn->sessionID = emalloc(conn->sessionIDlen);
- memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
- if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0)
- tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst, tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize);
- tlsConnectionFree(tls);
- return data;
- }
- static int
- countchain(PEMChain *p)
- {
- int i = 0;
- while (p) {
- i++;
- p = p->next;
- }
- return i;
- }
- static TlsConnection *
- tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chp)
- {
- TlsConnection *c;
- Msg m;
- Bytes *csid;
- uchar sid[SidSize], kd[MaxKeyData];
- char *secrets;
- int cipher, compressor, nsid, rv, numcerts, i;
- if(trace)
- trace("tlsServer2\n");
- if(!initCiphers())
- return nil;
- c = emalloc(sizeof(TlsConnection));
- c->ctl = ctl;
- c->hand = hand;
- c->trace = trace;
- c->version = ProtocolVersion;
- memset(&m, 0, sizeof(m));
- if(!msgRecv(c, &m)){
- if(trace)
- trace("initial msgRecv failed\n");
- goto Err;
- }
- if(m.tag != HClientHello) {
- tlsError(c, EUnexpectedMessage, "expected a client hello");
- goto Err;
- }
- c->clientVersion = m.u.clientHello.version;
- if(trace)
- trace("ClientHello version %x\n", c->clientVersion);
- if(setVersion(c, m.u.clientHello.version) < 0) {
- tlsError(c, EIllegalParameter, "incompatible version");
- goto Err;
- }
- memmove(c->crandom, m.u.clientHello.random, RandomSize);
- cipher = okCipher(m.u.clientHello.ciphers);
- if(cipher < 0) {
- // reply with EInsufficientSecurity if we know that's the case
- if(cipher == -2)
- tlsError(c, EInsufficientSecurity, "cipher suites too weak");
- else
- tlsError(c, EHandshakeFailure, "no matching cipher suite");
- goto Err;
- }
- if(!setAlgs(c, cipher)){
- tlsError(c, EHandshakeFailure, "no matching cipher suite");
- goto Err;
- }
- compressor = okCompression(m.u.clientHello.compressors);
- if(compressor < 0) {
- tlsError(c, EHandshakeFailure, "no matching compressor");
- goto Err;
- }
- csid = m.u.clientHello.sid;
- if(trace)
- trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
- c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
- if(c->sec == nil){
- tlsError(c, EHandshakeFailure, "can't initialize security: %r");
- goto Err;
- }
- c->sec->rpc = factotum_rsa_open(cert, ncert);
- if(c->sec->rpc == nil){
- tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
- goto Err;
- }
- c->sec->rsapub = X509toRSApub(cert, ncert, nil, 0);
- msgClear(&m);
- m.tag = HServerHello;
- m.u.serverHello.version = c->version;
- memmove(m.u.serverHello.random, c->srandom, RandomSize);
- m.u.serverHello.cipher = cipher;
- m.u.serverHello.compressor = compressor;
- c->sid = makebytes(sid, nsid);
- m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
- if(!msgSend(c, &m, AQueue))
- goto Err;
- msgClear(&m);
- m.tag = HCertificate;
- numcerts = countchain(chp);
- m.u.certificate.ncert = 1 + numcerts;
- m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes));
- m.u.certificate.certs[0] = makebytes(cert, ncert);
- for (i = 0; i < numcerts && chp; i++, chp = chp->next)
- m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
- if(!msgSend(c, &m, AQueue))
- goto Err;
- msgClear(&m);
- m.tag = HServerHelloDone;
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- if(!msgRecv(c, &m))
- goto Err;
- if(m.tag != HClientKeyExchange) {
- tlsError(c, EUnexpectedMessage, "expected a client key exchange");
- goto Err;
- }
- if(tlsSecSecrets(c->sec, c->version, m.u.clientKeyExchange.key->data, m.u.clientKeyExchange.key->len, kd, c->nsecret) < 0){
- tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
- goto Err;
- }
- if(trace)
- trace("tls secrets\n");
- secrets = (char*)emalloc(2*c->nsecret);
- enc64(secrets, 2*c->nsecret, kd, c->nsecret);
- rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
- memset(secrets, 0, 2*c->nsecret);
- free(secrets);
- memset(kd, 0, c->nsecret);
- if(rv < 0){
- tlsError(c, EHandshakeFailure, "can't set keys: %r");
- goto Err;
- }
- msgClear(&m);
- /* no CertificateVerify; skip to Finished */
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
- tlsError(c, EInternalError, "can't set finished: %r");
- goto Err;
- }
- if(!msgRecv(c, &m))
- goto Err;
- if(m.tag != HFinished) {
- tlsError(c, EUnexpectedMessage, "expected a finished");
- goto Err;
- }
- if(!finishedMatch(c, &m.u.finished)) {
- tlsError(c, EHandshakeFailure, "finished verification failed");
- goto Err;
- }
- msgClear(&m);
- /* change cipher spec */
- if(fprint(c->ctl, "changecipher") < 0){
- tlsError(c, EInternalError, "can't enable cipher: %r");
- goto Err;
- }
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
- tlsError(c, EInternalError, "can't set finished: %r");
- goto Err;
- }
- m.tag = HFinished;
- m.u.finished = c->finished;
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- if(trace)
- trace("tls finished\n");
- if(fprint(c->ctl, "opened") < 0)
- goto Err;
- tlsSecOk(c->sec);
- return c;
- Err:
- msgClear(&m);
- tlsConnectionFree(c);
- return 0;
- }
- static TlsConnection *
- tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...))
- {
- TlsConnection *c;
- Msg m;
- uchar kd[MaxKeyData], *epm;
- char *secrets;
- int creq, nepm, rv;
- if(!initCiphers())
- return nil;
- epm = nil;
- c = emalloc(sizeof(TlsConnection));
- c->version = ProtocolVersion;
- c->ctl = ctl;
- c->hand = hand;
- c->trace = trace;
- c->isClient = 1;
- c->clientVersion = c->version;
- c->sec = tlsSecInitc(c->clientVersion, c->crandom);
- if(c->sec == nil)
- goto Err;
- /* client hello */
- memset(&m, 0, sizeof(m));
- m.tag = HClientHello;
- m.u.clientHello.version = c->clientVersion;
- memmove(m.u.clientHello.random, c->crandom, RandomSize);
- m.u.clientHello.sid = makebytes(csid, ncsid);
- m.u.clientHello.ciphers = makeciphers();
- m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- /* server hello */
- if(!msgRecv(c, &m))
- goto Err;
- if(m.tag != HServerHello) {
- tlsError(c, EUnexpectedMessage, "expected a server hello");
- goto Err;
- }
- if(setVersion(c, m.u.serverHello.version) < 0) {
- tlsError(c, EIllegalParameter, "incompatible version %r");
- goto Err;
- }
- memmove(c->srandom, m.u.serverHello.random, RandomSize);
- c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
- if(c->sid->len != 0 && c->sid->len != SidSize) {
- tlsError(c, EIllegalParameter, "invalid server session identifier");
- goto Err;
- }
- if(!setAlgs(c, m.u.serverHello.cipher)) {
- tlsError(c, EIllegalParameter, "invalid cipher suite");
- goto Err;
- }
- if(m.u.serverHello.compressor != CompressionNull) {
- tlsError(c, EIllegalParameter, "invalid compression");
- goto Err;
- }
- msgClear(&m);
- /* certificate */
- if(!msgRecv(c, &m) || m.tag != HCertificate) {
- tlsError(c, EUnexpectedMessage, "expected a certificate");
- goto Err;
- }
- if(m.u.certificate.ncert < 1) {
- tlsError(c, EIllegalParameter, "runt certificate");
- goto Err;
- }
- c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
- msgClear(&m);
- /* server key exchange (optional) */
- if(!msgRecv(c, &m))
- goto Err;
- if(m.tag == HServerKeyExchange) {
- tlsError(c, EUnexpectedMessage, "got an server key exchange");
- goto Err;
- // If implementing this later, watch out for rollback attack
- // described in Wagner Schneier 1996, section 4.4.
- }
- /* certificate request (optional) */
- creq = 0;
- if(m.tag == HCertificateRequest) {
- creq = 1;
- msgClear(&m);
- if(!msgRecv(c, &m))
- goto Err;
- }
- if(m.tag != HServerHelloDone) {
- tlsError(c, EUnexpectedMessage, "expected a server hello done");
- goto Err;
- }
- msgClear(&m);
- if(tlsSecSecretc(c->sec, c->sid->data, c->sid->len, c->srandom,
- c->cert->data, c->cert->len, c->version, &epm, &nepm,
- kd, c->nsecret) < 0){
- tlsError(c, EBadCertificate, "invalid x509/rsa certificate");
- goto Err;
- }
- secrets = (char*)emalloc(2*c->nsecret);
- enc64(secrets, 2*c->nsecret, kd, c->nsecret);
- rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
- memset(secrets, 0, 2*c->nsecret);
- free(secrets);
- memset(kd, 0, c->nsecret);
- if(rv < 0){
- tlsError(c, EHandshakeFailure, "can't set keys: %r");
- goto Err;
- }
- if(creq) {
- /* send a zero length certificate */
- m.tag = HCertificate;
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- }
- /* client key exchange */
- m.tag = HClientKeyExchange;
- m.u.clientKeyExchange.key = makebytes(epm, nepm);
- free(epm);
- epm = nil;
- if(m.u.clientKeyExchange.key == nil) {
- tlsError(c, EHandshakeFailure, "can't set secret: %r");
- goto Err;
- }
- if(!msgSend(c, &m, AFlush))
- goto Err;
- msgClear(&m);
- /* change cipher spec */
- if(fprint(c->ctl, "changecipher") < 0){
- tlsError(c, EInternalError, "can't enable cipher: %r");
- goto Err;
- }
- // Cipherchange must occur immediately before Finished to avoid
- // potential hole; see section 4.3 of Wagner Schneier 1996.
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
- tlsError(c, EInternalError, "can't set finished 1: %r");
- goto Err;
- }
- m.tag = HFinished;
- m.u.finished = c->finished;
- if(!msgSend(c, &m, AFlush)) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
- tlsError(c, EInternalError, "can't flush after client Finished: %r");
- goto Err;
- }
- msgClear(&m);
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
- fprint(2, "tlsClient nepm=%d\n", nepm);
- tlsError(c, EInternalError, "can't set finished 0: %r");
- goto Err;
- }
- if(!msgRecv(c, &m)) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
- tlsError(c, EInternalError, "can't read server Finished: %r");
- goto Err;
- }
- if(m.tag != HFinished) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
- tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
- goto Err;
- }
- if(!finishedMatch(c, &m.u.finished)) {
- tlsError(c, EHandshakeFailure, "finished verification failed");
- goto Err;
- }
- msgClear(&m);
- if(fprint(c->ctl, "opened") < 0){
- if(trace)
- trace("unable to do final open: %r\n");
- goto Err;
- }
- tlsSecOk(c->sec);
- return c;
- Err:
- free(epm);
- msgClear(&m);
- tlsConnectionFree(c);
- return 0;
- }
- //================= message functions ========================
- static uchar sendbuf[9000], *sendp;
- static int
- msgSend(TlsConnection *c, Msg *m, int act)
- {
- uchar *p; // sendp = start of new message; p = write pointer
- int nn, n, i;
- if(sendp == nil)
- sendp = sendbuf;
- p = sendp;
- if(c->trace)
- c->trace("send %s", msgPrint((char*)p, (sizeof sendbuf) - (p-sendbuf), m));
- p[0] = m->tag; // header - fill in size later
- p += 4;
- switch(m->tag) {
- default:
- tlsError(c, EInternalError, "can't encode a %d", m->tag);
- goto Err;
- case HClientHello:
- // version
- put16(p, m->u.clientHello.version);
- p += 2;
- // random
- memmove(p, m->u.clientHello.random, RandomSize);
- p += RandomSize;
- // sid
- n = m->u.clientHello.sid->len;
- assert(n < 256);
- p[0] = n;
- memmove(p+1, m->u.clientHello.sid->data, n);
- p += n+1;
- n = m->u.clientHello.ciphers->len;
- assert(n > 0 && n < 200);
- put16(p, n*2);
- p += 2;
- for(i=0; i<n; i++) {
- put16(p, m->u.clientHello.ciphers->data[i]);
- p += 2;
- }
- n = m->u.clientHello.compressors->len;
- assert(n > 0);
- p[0] = n;
- memmove(p+1, m->u.clientHello.compressors->data, n);
- p += n+1;
- break;
- case HServerHello:
- put16(p, m->u.serverHello.version);
- p += 2;
- // random
- memmove(p, m->u.serverHello.random, RandomSize);
- p += RandomSize;
- // sid
- n = m->u.serverHello.sid->len;
- assert(n < 256);
- p[0] = n;
- memmove(p+1, m->u.serverHello.sid->data, n);
- p += n+1;
- put16(p, m->u.serverHello.cipher);
- p += 2;
- p[0] = m->u.serverHello.compressor;
- p += 1;
- break;
- case HServerHelloDone:
- break;
- case HCertificate:
- nn = 0;
- for(i = 0; i < m->u.certificate.ncert; i++)
- nn += 3 + m->u.certificate.certs[i]->len;
- if(p + 3 + nn - sendbuf > sizeof(sendbuf)) {
- tlsError(c, EInternalError, "output buffer too small for certificate");
- goto Err;
- }
- put24(p, nn);
- p += 3;
- for(i = 0; i < m->u.certificate.ncert; i++){
- put24(p, m->u.certificate.certs[i]->len);
- p += 3;
- memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
- p += m->u.certificate.certs[i]->len;
- }
- break;
- case HClientKeyExchange:
- n = m->u.clientKeyExchange.key->len;
- if(c->version != SSL3Version){
- put16(p, n);
- p += 2;
- }
- memmove(p, m->u.clientKeyExchange.key->data, n);
- p += n;
- break;
- case HFinished:
- memmove(p, m->u.finished.verify, m->u.finished.n);
- p += m->u.finished.n;
- break;
- }
- // go back and fill in size
- n = p-sendp;
- assert(p <= sendbuf+sizeof(sendbuf));
- put24(sendp+1, n-4);
- // remember hash of Handshake messages
- if(m->tag != HHelloRequest) {
- md5(sendp, n, 0, &c->hsmd5);
- sha1(sendp, n, 0, &c->hssha1);
- }
- sendp = p;
- if(act == AFlush){
- sendp = sendbuf;
- if(write(c->hand, sendbuf, p-sendbuf) < 0){
- fprint(2, "write error: %r\n");
- goto Err;
- }
- }
- msgClear(m);
- return 1;
- Err:
- msgClear(m);
- return 0;
- }
- static uchar*
- tlsReadN(TlsConnection *c, int n)
- {
- uchar *p;
- int nn, nr;
- nn = c->ep - c->rp;
- if(nn < n){
- if(c->rp != c->buf){
- memmove(c->buf, c->rp, nn);
- c->rp = c->buf;
- c->ep = &c->buf[nn];
- }
- for(; nn < n; nn += nr) {
- nr = read(c->hand, &c->rp[nn], n - nn);
- if(nr <= 0)
- return nil;
- c->ep += nr;
- }
- }
- p = c->rp;
- c->rp += n;
- return p;
- }
- static int
- msgRecv(TlsConnection *c, Msg *m)
- {
- uchar *p;
- int type, n, nn, i, nsid, nrandom, nciph;
- for(;;) {
- p = tlsReadN(c, 4);
- if(p == nil)
- return 0;
- type = p[0];
- n = get24(p+1);
- if(type != HHelloRequest)
- break;
- if(n != 0) {
- tlsError(c, EDecodeError, "invalid hello request during handshake");
- return 0;
- }
- }
- if(n > sizeof(c->buf)) {
- tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->buf));
- return 0;
- }
- if(type == HSSL2ClientHello){
- /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
- This is sent by some clients that we must interoperate
- with, such as Java's JSSE and Microsoft's Internet Explorer. */
- p = tlsReadN(c, n);
- if(p == nil)
- return 0;
- md5(p, n, 0, &c->hsmd5);
- sha1(p, n, 0, &c->hssha1);
- m->tag = HClientHello;
- if(n < 22)
- goto Short;
- m->u.clientHello.version = get16(p+1);
- p += 3;
- n -= 3;
- nn = get16(p); /* cipher_spec_len */
- nsid = get16(p + 2);
- nrandom = get16(p + 4);
- p += 6;
- n -= 6;
- if(nsid != 0 /* no sid's, since shouldn't restart using ssl2 header */
- || nrandom < 16 || nn % 3)
- goto Err;
- if(c->trace && (n - nrandom != nn))
- c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
- /* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
- nciph = 0;
- for(i = 0; i < nn; i += 3)
- if(p[i] == 0)
- nciph++;
- m->u.clientHello.ciphers = newints(nciph);
- nciph = 0;
- for(i = 0; i < nn; i += 3)
- if(p[i] == 0)
- m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]);
- p += nn;
- m->u.clientHello.sid = makebytes(nil, 0);
- if(nrandom > RandomSize)
- nrandom = RandomSize;
- memset(m->u.clientHello.random, 0, RandomSize - nrandom);
- memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
- m->u.clientHello.compressors = newbytes(1);
- m->u.clientHello.compressors->data[0] = CompressionNull;
- goto Ok;
- }
- md5(p, 4, 0, &c->hsmd5);
- sha1(p, 4, 0, &c->hssha1);
- p = tlsReadN(c, n);
- if(p == nil)
- return 0;
- md5(p, n, 0, &c->hsmd5);
- sha1(p, n, 0, &c->hssha1);
- m->tag = type;
- switch(type) {
- default:
- tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
- goto Err;
- case HClientHello:
- if(n < 2)
- goto Short;
- m->u.clientHello.version = get16(p);
- p += 2;
- n -= 2;
- if(n < RandomSize)
- goto Short;
- memmove(m->u.clientHello.random, p, RandomSize);
- p += RandomSize;
- n -= RandomSize;
- if(n < 1 || n < p[0]+1)
- goto Short;
- m->u.clientHello.sid = makebytes(p+1, p[0]);
- p += m->u.clientHello.sid->len+1;
- n -= m->u.clientHello.sid->len+1;
- if(n < 2)
- goto Short;
- nn = get16(p);
- p += 2;
- n -= 2;
- if((nn & 1) || n < nn || nn < 2)
- goto Short;
- m->u.clientHello.ciphers = newints(nn >> 1);
- for(i = 0; i < nn; i += 2)
- m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
- p += nn;
- n -= nn;
- if(n < 1 || n < p[0]+1 || p[0] == 0)
- goto Short;
- nn = p[0];
- m->u.clientHello.compressors = newbytes(nn);
- memmove(m->u.clientHello.compressors->data, p+1, nn);
- n -= nn + 1;
- break;
- case HServerHello:
- if(n < 2)
- goto Short;
- m->u.serverHello.version = get16(p);
- p += 2;
- n -= 2;
- if(n < RandomSize)
- goto Short;
- memmove(m->u.serverHello.random, p, RandomSize);
- p += RandomSize;
- n -= RandomSize;
- if(n < 1 || n < p[0]+1)
- goto Short;
- m->u.serverHello.sid = makebytes(p+1, p[0]);
- p += m->u.serverHello.sid->len+1;
- n -= m->u.serverHello.sid->len+1;
- if(n < 3)
- goto Short;
- m->u.serverHello.cipher = get16(p);
- m->u.serverHello.compressor = p[2];
- n -= 3;
- break;
- case HCertificate:
- if(n < 3)
- goto Short;
- nn = get24(p);
- p += 3;
- n -= 3;
- if(n != nn)
- goto Short;
- /* certs */
- i = 0;
- while(n > 0) {
- if(n < 3)
- goto Short;
- nn = get24(p);
- p += 3;
- n -= 3;
- if(nn > n)
- goto Short;
- m->u.certificate.ncert = i+1;
- m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes));
- m->u.certificate.certs[i] = makebytes(p, nn);
- p += nn;
- n -= nn;
- i++;
- }
- break;
- case HCertificateRequest:
- if(n < 2)
- goto Short;
- nn = get16(p);
- p += 2;
- n -= 2;
- if(nn < 1 || nn > n)
- goto Short;
- m->u.certificateRequest.types = makebytes(p, nn);
- nn = get24(p);
- p += 3;
- n -= 3;
- /*
- * can't do this because it fails in 802.1x-TTLS
- * for unknown reasons. maybe the other side generates
- * bogus data, or maybe we're just confused.
- *
- if(nn == 0 || n != nn)
- goto Short;
- */
- USED(nn);
- /* cas */
- i = 0;
- while(n > 0) {
- if(n < 2)
- goto Short;
- nn = get16(p);
- p += 2;
- n -= 2;
- if(nn < 1 || nn > n)
- goto Short;
- m->u.certificateRequest.nca = i+1;
- m->u.certificateRequest.cas = erealloc(m->u.certificateRequest.cas, (i+1)*sizeof(Bytes));
- m->u.certificateRequest.cas[i] = makebytes(p, nn);
- p += nn;
- n -= nn;
- i++;
- }
- break;
- case HServerHelloDone:
- break;
- case HClientKeyExchange:
- /*
- * this message depends upon the encryption selected
- * assume rsa.
- */
- if(c->version == SSL3Version)
- nn = n;
- else{
- if(n < 2)
- goto Short;
- nn = get16(p);
- p += 2;
- n -= 2;
- }
- if(n < nn)
- goto Short;
- m->u.clientKeyExchange.key = makebytes(p, nn);
- n -= nn;
- break;
- case HFinished:
- m->u.finished.n = c->finished.n;
- if(n < m->u.finished.n)
- goto Short;
- memmove(m->u.finished.verify, p, m->u.finished.n);
- n -= m->u.finished.n;
- break;
- }
- if(type != HClientHello && n != 0)
- goto Short;
- Ok:
- if(c->trace){
- char *buf;
- buf = emalloc(8000);
- c->trace("recv %s", msgPrint(buf, 8000, m));
- free(buf);
- }
- return 1;
- Short:
- tlsError(c, EDecodeError, "handshake message has invalid length");
- Err:
- msgClear(m);
- return 0;
- }
- static void
- msgClear(Msg *m)
- {
- int i;
- switch(m->tag) {
- default:
- sysfatal("msgClear: unknown message type: %d\n", m->tag);
- case HHelloRequest:
- break;
- case HClientHello:
- freebytes(m->u.clientHello.sid);
- freeints(m->u.clientHello.ciphers);
- freebytes(m->u.clientHello.compressors);
- break;
- case HServerHello:
- freebytes(m->u.clientHello.sid);
- break;
- case HCertificate:
- for(i=0; i<m->u.certificate.ncert; i++)
- freebytes(m->u.certificate.certs[i]);
- free(m->u.certificate.certs);
- break;
- case HCertificateRequest:
- freebytes(m->u.certificateRequest.types);
- for(i=0; i<m->u.certificateRequest.nca; i++)
- freebytes(m->u.certificateRequest.cas[i]);
- free(m->u.certificateRequest.cas);
- break;
- case HServerHelloDone:
- break;
- case HClientKeyExchange:
- freebytes(m->u.clientKeyExchange.key);
- break;
- case HFinished:
- break;
- }
- memset(m, 0, sizeof(Msg));
- }
- static char *
- bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
- {
- int i;
- if(s0)
- bs = seprint(bs, be, "%s", s0);
- bs = seprint(bs, be, "[");
- if(b == nil)
- bs = seprint(bs, be, "nil");
- else
- for(i=0; i<b->len; i++)
- bs = seprint(bs, be, "%.2x ", b->data[i]);
- bs = seprint(bs, be, "]");
- if(s1)
- bs = seprint(bs, be, "%s", s1);
- return bs;
- }
- static char *
- intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
- {
- int i;
- if(s0)
- bs = seprint(bs, be, "%s", s0);
- bs = seprint(bs, be, "[");
- if(b == nil)
- bs = seprint(bs, be, "nil");
- else
- for(i=0; i<b->len; i++)
- bs = seprint(bs, be, "%x ", b->data[i]);
- bs = seprint(bs, be, "]");
- if(s1)
- bs = seprint(bs, be, "%s", s1);
- return bs;
- }
- static char*
- msgPrint(char *buf, int n, Msg *m)
- {
- int i;
- char *bs = buf, *be = buf+n;
- switch(m->tag) {
- default:
- bs = seprint(bs, be, "unknown %d\n", m->tag);
- break;
- case HClientHello:
- bs = seprint(bs, be, "ClientHello\n");
- bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version);
- bs = seprint(bs, be, "\trandom: ");
- for(i=0; i<RandomSize; i++)
- bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]);
- bs = seprint(bs, be, "\n");
- bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
- bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
- bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
- break;
- case HServerHello:
- bs = seprint(bs, be, "ServerHello\n");
- bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version);
- bs = seprint(bs, be, "\trandom: ");
- for(i=0; i<RandomSize; i++)
- bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]);
- bs = seprint(bs, be, "\n");
- bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
- bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
- bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
- break;
- case HCertificate:
- bs = seprint(bs, be, "Certificate\n");
- for(i=0; i<m->u.certificate.ncert; i++)
- bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n");
- break;
- case HCertificateRequest:
- bs = seprint(bs, be, "CertificateRequest\n");
- bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
- bs = seprint(bs, be, "\tcertificateauthorities\n");
- for(i=0; i<m->u.certificateRequest.nca; i++)
- bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
- break;
- case HServerHelloDone:
- bs = seprint(bs, be, "ServerHelloDone\n");
- break;
- case HClientKeyExchange:
- bs = seprint(bs, be, "HClientKeyExchange\n");
- bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
- break;
- case HFinished:
- bs = seprint(bs, be, "HFinished\n");
- for(i=0; i<m->u.finished.n; i++)
- bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]);
- bs = seprint(bs, be, "\n");
- break;
- }
- USED(bs);
- return buf;
- }
- static void
- tlsError(TlsConnection *c, int err, char *fmt, ...)
- {
- char msg[512];
- va_list arg;
- va_start(arg, fmt);
- vseprint(msg, msg+sizeof(msg), fmt, arg);
- va_end(arg);
- if(c->trace)
- c->trace("tlsError: %s\n", msg);
- else if(c->erred)
- fprint(2, "double error: %r, %s", msg);
- else
- werrstr("tls: local %s", msg);
- c->erred = 1;
- fprint(c->ctl, "alert %d", err);
- }
- // commit to specific version number
- static int
- setVersion(TlsConnection *c, int version)
- {
- if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
- return -1;
- if(version > c->version)
- version = c->version;
- if(version == SSL3Version) {
- c->version = version;
- c->finished.n = SSL3FinishedLen;
- }else if(version == TLSVersion){
- c->version = version;
- c->finished.n = TLSFinishedLen;
- }else
- return -1;
- c->verset = 1;
- return fprint(c->ctl, "version 0x%x", version);
- }
- // confirm that received Finished message matches the expected value
- static int
- finishedMatch(TlsConnection *c, Finished *f)
- {
- return memcmp(f->verify, c->finished.verify, f->n) == 0;
- }
- // free memory associated with TlsConnection struct
- // (but don't close the TLS channel itself)
- static void
- tlsConnectionFree(TlsConnection *c)
- {
- tlsSecClose(c->sec);
- freebytes(c->sid);
- freebytes(c->cert);
- memset(c, 0, sizeof(c));
- free(c);
- }
- //================= cipher choices ========================
- static int weakCipher[CipherMax] =
- {
- 1, /* TLS_NULL_WITH_NULL_NULL */
- 1, /* TLS_RSA_WITH_NULL_MD5 */
- 1, /* TLS_RSA_WITH_NULL_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
- 0, /* TLS_RSA_WITH_RC4_128_MD5 */
- 0, /* TLS_RSA_WITH_RC4_128_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
- 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
- 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
- 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
- 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */
- 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
- 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */
- 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
- };
- static int
- setAlgs(TlsConnection *c, int a)
- {
- int i;
- for(i = 0; i < nelem(cipherAlgs); i++){
- if(cipherAlgs[i].tlsid == a){
- c->enc = cipherAlgs[i].enc;
- c->digest = cipherAlgs[i].digest;
- c->nsecret = cipherAlgs[i].nsecret;
- if(c->nsecret > MaxKeyData)
- return 0;
- return 1;
- }
- }
- return 0;
- }
- static int
- okCipher(Ints *cv)
- {
- int weak, i, j, c;
- weak = 1;
- for(i = 0; i < cv->len; i++) {
- c = cv->data[i];
- if(c >= CipherMax)
- weak = 0;
- else
- weak &= weakCipher[c];
- for(j = 0; j < nelem(cipherAlgs); j++)
- if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
- return c;
- }
- if(weak)
- return -2;
- return -1;
- }
- static int
- okCompression(Bytes *cv)
- {
- int i, j, c;
- for(i = 0; i < cv->len; i++) {
- c = cv->data[i];
- for(j = 0; j < nelem(compressors); j++) {
- if(compressors[j] == c)
- return c;
- }
- }
- return -1;
- }
- static Lock ciphLock;
- static int nciphers;
- static int
- initCiphers(void)
- {
- enum {MaxAlgF = 1024, MaxAlgs = 10};
- char s[MaxAlgF], *flds[MaxAlgs];
- int i, j, n, ok;
- lock(&ciphLock);
- if(nciphers){
- unlock(&ciphLock);
- return nciphers;
- }
- j = open("#a/tls/encalgs", OREAD);
- if(j < 0){
- werrstr("can't open #a/tls/encalgs: %r");
- return 0;
- }
- n = read(j, s, MaxAlgF-1);
- close(j);
- if(n <= 0){
- werrstr("nothing in #a/tls/encalgs: %r");
- return 0;
- }
- s[n] = 0;
- n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
- for(i = 0; i < nelem(cipherAlgs); i++){
- ok = 0;
- for(j = 0; j < n; j++){
- if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){
- ok = 1;
- break;
- }
- }
- cipherAlgs[i].ok = ok;
- }
- j = open("#a/tls/hashalgs", OREAD);
- if(j < 0){
- werrstr("can't open #a/tls/hashalgs: %r");
- return 0;
- }
- n = read(j, s, MaxAlgF-1);
- close(j);
- if(n <= 0){
- werrstr("nothing in #a/tls/hashalgs: %r");
- return 0;
- }
- s[n] = 0;
- n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
- for(i = 0; i < nelem(cipherAlgs); i++){
- ok = 0;
- for(j = 0; j < n; j++){
- if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){
- ok = 1;
- break;
- }
- }
- cipherAlgs[i].ok &= ok;
- if(cipherAlgs[i].ok)
- nciphers++;
- }
- unlock(&ciphLock);
- return nciphers;
- }
- static Ints*
- makeciphers(void)
- {
- Ints *is;
- int i, j;
- is = newints(nciphers);
- j = 0;
- for(i = 0; i < nelem(cipherAlgs); i++){
- if(cipherAlgs[i].ok)
- is->data[j++] = cipherAlgs[i].tlsid;
- }
- return is;
- }
- //================= security functions ========================
- // given X.509 certificate, set up connection to factotum
- // for using corresponding private key
- static AuthRpc*
- factotum_rsa_open(uchar *cert, int certlen)
- {
- int afd;
- char *s;
- mpint *pub = nil;
- RSApub *rsapub;
- AuthRpc *rpc;
- // start talking to factotum
- if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
- return nil;
- if((rpc = auth_allocrpc(afd)) == nil){
- close(afd);
- return nil;
- }
- s = "proto=rsa service=tls role=client";
- if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
- factotum_rsa_close(rpc);
- return nil;
- }
- // roll factotum keyring around to match certificate
- rsapub = X509toRSApub(cert, certlen, nil, 0);
- while(1){
- if(auth_rpc(rpc, "read", nil, 0) != ARok){
- factotum_rsa_close(rpc);
- rpc = nil;
- goto done;
- }
- pub = strtomp(rpc->arg, nil, 16, nil);
- assert(pub != nil);
- if(mpcmp(pub,rsapub->n) == 0)
- break;
- }
- done:
- mpfree(pub);
- rsapubfree(rsapub);
- return rpc;
- }
- static mpint*
- factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
- {
- char *p;
- int rv;
- if((p = mptoa(cipher, 16, nil, 0)) == nil)
- return nil;
- rv = auth_rpc(rpc, "write", p, strlen(p));
- free(p);
- if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
- return nil;
- mpfree(cipher);
- return strtomp(rpc->arg, nil, 16, nil);
- }
- static void
- factotum_rsa_close(AuthRpc*rpc)
- {
- if(!rpc)
- return;
- close(rpc->afd);
- auth_freerpc(rpc);
- }
- static void
- tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
- {
- uchar ai[MD5dlen], tmp[MD5dlen];
- int i, n;
- MD5state *s;
- // generate a1
- s = hmac_md5(label, nlabel, key, nkey, nil, nil);
- s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
- hmac_md5(seed1, nseed1, key, nkey, ai, s);
- while(nbuf > 0) {
- s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil);
- s = hmac_md5(label, nlabel, key, nkey, nil, s);
- s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
- hmac_md5(seed1, nseed1, key, nkey, tmp, s);
- n = MD5dlen;
- if(n > nbuf)
- n = nbuf;
- for(i = 0; i < n; i++)
- buf[i] ^= tmp[i];
- buf += n;
- nbuf -= n;
- hmac_md5(ai, MD5dlen, key, nkey, tmp, nil);
- memmove(ai, tmp, MD5dlen);
- }
- }
- static void
- tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
- {
- uchar ai[SHA1dlen], tmp[SHA1dlen];
- int i, n;
- SHAstate *s;
- // generate a1
- s = hmac_sha1(label, nlabel, key, nkey, nil, nil);
- s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
- hmac_sha1(seed1, nseed1, key, nkey, ai, s);
- while(nbuf > 0) {
- s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil);
- s = hmac_sha1(label, nlabel, key, nkey, nil, s);
- s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
- hmac_sha1(seed1, nseed1, key, nkey, tmp, s);
- n = SHA1dlen;
- if(n > nbuf)
- n = nbuf;
- for(i = 0; i < n; i++)
- buf[i] ^= tmp[i];
- buf += n;
- nbuf -= n;
- hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil);
- memmove(ai, tmp, SHA1dlen);
- }
- }
- // fill buf with md5(args)^sha1(args)
- static void
- tlsPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
- {
- int i;
- int nlabel = strlen(label);
- int n = (nkey + 1) >> 1;
- for(i = 0; i < nbuf; i++)
- buf[i] = 0;
- tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
- tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
- }
- /*
- * for setting server session id's
- */
- static Lock sidLock;
- static long maxSid = 1;
- /* the keys are verified to have the same public components
- * and to function correctly with pkcs 1 encryption and decryption. */
- static TlsSec*
- tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
- {
- TlsSec *sec = emalloc(sizeof(*sec));
- USED(csid); USED(ncsid); // ignore csid for now
- memmove(sec->crandom, crandom, RandomSize);
- sec->clientVers = cvers;
- put32(sec->srandom, time(0));
- genrandom(sec->srandom+4, RandomSize-4);
- memmove(srandom, sec->srandom, RandomSize);
- /*
- * make up a unique sid: use our pid, and and incrementing id
- * can signal no sid by setting nssid to 0.
- */
- memset(ssid, 0, SidSize);
- put32(ssid, getpid());
- lock(&sidLock);
- put32(ssid+4, maxSid++);
- unlock(&sidLock);
- *nssid = SidSize;
- return sec;
- }
- static int
- tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd)
- {
- if(epm != nil){
- if(setVers(sec, vers) < 0)
- goto Err;
- serverMasterSecret(sec, epm, nepm);
- }else if(sec->vers != vers){
- werrstr("mismatched session versions");
- goto Err;
- }
- setSecrets(sec, kd, nkd);
- return 0;
- Err:
- sec->ok = -1;
- return -1;
- }
- static TlsSec*
- tlsSecInitc(int cvers, uchar *crandom)
- {
- TlsSec *sec = emalloc(sizeof(*sec));
- sec->clientVers = cvers;
- put32(sec->crandom, time(0));
- genrandom(sec->crandom+4, RandomSize-4);
- memmove(crandom, sec->crandom, RandomSize);
- return sec;
- }
- static int
- tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd)
- {
- RSApub *pub;
- pub = nil;
- USED(sid);
- USED(nsid);
-
- memmove(sec->srandom, srandom, RandomSize);
- if(setVers(sec, vers) < 0)
- goto Err;
- pub = X509toRSApub(cert, ncert, nil, 0);
- if(pub == nil){
- werrstr("invalid x509/rsa certificate");
- goto Err;
- }
- if(clientMasterSecret(sec, pub, epm, nepm) < 0)
- goto Err;
- rsapubfree(pub);
- setSecrets(sec, kd, nkd);
- return 0;
- Err:
- if(pub != nil)
- rsapubfree(pub);
- sec->ok = -1;
- return -1;
- }
- static int
- tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient)
- {
- if(sec->nfin != nfin){
- sec->ok = -1;
- werrstr("invalid finished exchange");
- return -1;
- }
- md5.malloced = 0;
- sha1.malloced = 0;
- (*sec->setFinished)(sec, md5, sha1, fin, isclient);
- return 1;
- }
- static void
- tlsSecOk(TlsSec *sec)
- {
- if(sec->ok == 0)
- sec->ok = 1;
- }
- static void
- tlsSecKill(TlsSec *sec)
- {
- if(!sec)
- return;
- factotum_rsa_close(sec->rpc);
- sec->ok = -1;
- }
- static void
- tlsSecClose(TlsSec *sec)
- {
- if(!sec)
- return;
- factotum_rsa_close(sec->rpc);
- free(sec->server);
- free(sec);
- }
- static int
- setVers(TlsSec *sec, int v)
- {
- if(v == SSL3Version){
- sec->setFinished = sslSetFinished;
- sec->nfin = SSL3FinishedLen;
- sec->prf = sslPRF;
- }else if(v == TLSVersion){
- sec->setFinished = tlsSetFinished;
- sec->nfin = TLSFinishedLen;
- sec->prf = tlsPRF;
- }else{
- werrstr("invalid version");
- return -1;
- }
- sec->vers = v;
- return 0;
- }
- /*
- * generate secret keys from the master secret.
- *
- * different crypto selections will require different amounts
- * of key expansion and use of key expansion data,
- * but it's all generated using the same function.
- */
- static void
- setSecrets(TlsSec *sec, uchar *kd, int nkd)
- {
- (*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
- sec->srandom, RandomSize, sec->crandom, RandomSize);
- }
- /*
- * set the master secret from the pre-master secret.
- */
- static void
- setMasterSecret(TlsSec *sec, Bytes *pm)
- {
- (*sec->prf)(sec->sec, MasterSecretSize, pm->data, MasterSecretSize, "master secret",
- sec->crandom, RandomSize, sec->srandom, RandomSize);
- }
- static void
- serverMasterSecret(TlsSec *sec, uchar *epm, int nepm)
- {
- Bytes *pm;
- pm = pkcs1_decrypt(sec, epm, nepm);
- // if the client messed up, just continue as if everything is ok,
- // to prevent attacks to check for correctly formatted messages.
- // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
- if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
- fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
- sec->ok, pm, pm ? get16(pm->data) : -1, sec->clientVers, nepm);
- sec->ok = -1;
- if(pm != nil)
- freebytes(pm);
- pm = newbytes(MasterSecretSize);
- genrandom(pm->data, MasterSecretSize);
- }
- setMasterSecret(sec, pm);
- memset(pm->data, 0, pm->len);
- freebytes(pm);
- }
- static int
- clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm)
- {
- Bytes *pm, *key;
- pm = newbytes(MasterSecretSize);
- put16(pm->data, sec->clientVers);
- genrandom(pm->data+2, MasterSecretSize - 2);
- setMasterSecret(sec, pm);
- key = pkcs1_encrypt(pm, pub, 2);
- memset(pm->data, 0, pm->len);
- freebytes(pm);
- if(key == nil){
- werrstr("tls pkcs1_encrypt failed");
- return -1;
- }
- *nepm = key->len;
- *epm = malloc(*nepm);
- if(*epm == nil){
- freebytes(key);
- werrstr("out of memory");
- return -1;
- }
- memmove(*epm, key->data, *nepm);
- freebytes(key);
- return 1;
- }
- static void
- sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
- {
- DigestState *s;
- uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
- char *label;
- if(isClient)
- label = "CLNT";
- else
- label = "SRVR";
- md5((uchar*)label, 4, nil, &hsmd5);
- md5(sec->sec, MasterSecretSize, nil, &hsmd5);
- memset(pad, 0x36, 48);
- md5(pad, 48, nil, &hsmd5);
- md5(nil, 0, h0, &hsmd5);
- memset(pad, 0x5C, 48);
- s = md5(sec->sec, MasterSecretSize, nil, nil);
- s = md5(pad, 48, nil, s);
- md5(h0, MD5dlen, finished, s);
- sha1((uchar*)label, 4, nil, &hssha1);
- sha1(sec->sec, MasterSecretSize, nil, &hssha1);
- memset(pad, 0x36, 40);
- sha1(pad, 40, nil, &hssha1);
- sha1(nil, 0, h1, &hssha1);
- memset(pad, 0x5C, 40);
- s = sha1(sec->sec, MasterSecretSize, nil, nil);
- s = sha1(pad, 40, nil, s);
- sha1(h1, SHA1dlen, finished + MD5dlen, s);
- }
- // fill "finished" arg with md5(args)^sha1(args)
- static void
- tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
- {
- uchar h0[MD5dlen], h1[SHA1dlen];
- char *label;
- // get current hash value, but allow further messages to be hashed in
- md5(nil, 0, h0, &hsmd5);
- sha1(nil, 0, h1, &hssha1);
- if(isClient)
- label = "client finished";
- else
- label = "server finished";
- tlsPRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
- }
- static void
- sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
- {
- DigestState *s;
- uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
- int i, n, len;
- USED(label);
- len = 1;
- while(nbuf > 0){
- if(len > 26)
- return;
- for(i = 0; i < len; i++)
- tmp[i] = 'A' - 1 + len;
- s = sha1(tmp, len, nil, nil);
- s = sha1(key, nkey, nil, s);
- s = sha1(seed0, nseed0, nil, s);
- sha1(seed1, nseed1, sha1dig, s);
- s = md5(key, nkey, nil, nil);
- md5(sha1dig, SHA1dlen, md5dig, s);
- n = MD5dlen;
- if(n > nbuf)
- n = nbuf;
- memmove(buf, md5dig, n);
- buf += n;
- nbuf -= n;
- len++;
- }
- }
- static mpint*
- bytestomp(Bytes* bytes)
- {
- mpint* ans;
- ans = betomp(bytes->data, bytes->len, nil);
- return ans;
- }
- /*
- * Convert mpint* to Bytes, putting high order byte first.
- */
- static Bytes*
- mptobytes(mpint* big)
- {
- int n, m;
- uchar *a;
- Bytes* ans;
- n = (mpsignif(big)+7)/8;
- m = mptobe(big, nil, n, &a);
- ans = makebytes(a, m);
- return ans;
- }
- // Do RSA computation on block according to key, and pad
- // result on left with zeros to make it modlen long.
- static Bytes*
- rsacomp(Bytes* block, RSApub* key, int modlen)
- {
- mpint *x, *y;
- Bytes *a, *ybytes;
- int ylen;
- x = bytestomp(block);
- y = rsaencrypt(key, x, nil);
- mpfree(x);
- ybytes = mptobytes(y);
- ylen = ybytes->len;
- if(ylen < modlen) {
- a = newbytes(modlen);
- memset(a->data, 0, modlen-ylen);
- memmove(a->data+modlen-ylen, ybytes->data, ylen);
- freebytes(ybytes);
- ybytes = a;
- }
- else if(ylen > modlen) {
- // assume it has leading zeros (mod should make it so)
- a = newbytes(modlen);
- memmove(a->data, ybytes->data, modlen);
- freebytes(ybytes);
- ybytes = a;
- }
- mpfree(y);
- return ybytes;
- }
- // encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
- static Bytes*
- pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
- {
- Bytes *pad, *eb, *ans;
- int i, dlen, padlen, modlen;
- modlen = (mpsignif(key->n)+7)/8;
- dlen = data->len;
- if(modlen < 12 || dlen > modlen - 11)
- return nil;
- padlen = modlen - 3 - dlen;
- pad = newbytes(padlen);
- genrandom(pad->data, padlen);
- for(i = 0; i < padlen; i++) {
- if(blocktype == 0)
- pad->data[i] = 0;
- else if(blocktype == 1)
- pad->data[i] = 255;
- else if(pad->data[i] == 0)
- pad->data[i] = 1;
- }
- eb = newbytes(modlen);
- eb->data[0] = 0;
- eb->data[1] = blocktype;
- memmove(eb->data+2, pad->data, padlen);
- eb->data[padlen+2] = 0;
- memmove(eb->data+padlen+3, data->data, dlen);
- ans = rsacomp(eb, key, modlen);
- freebytes(eb);
- freebytes(pad);
- return ans;
- }
- // decrypt data according to PKCS#1, with given key.
- // expect a block type of 2.
- static Bytes*
- pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm)
- {
- Bytes *eb, *ans = nil;
- int i, modlen;
- mpint *x, *y;
- modlen = (mpsignif(sec->rsapub->n)+7)/8;
- if(nepm != modlen)
- return nil;
- x = betomp(epm, nepm, nil);
- y = factotum_rsa_decrypt(sec->rpc, x);
- if(y == nil)
- return nil;
- eb = mptobytes(y);
- if(eb->len < modlen){ // pad on left with zeros
- ans = newbytes(modlen);
- memset(ans->data, 0, modlen-eb->len);
- memmove(ans->data+modlen-eb->len, eb->data, eb->len);
- freebytes(eb);
- eb = ans;
- }
- if(eb->data[0] == 0 && eb->data[1] == 2) {
- for(i = 2; i < modlen; i++)
- if(eb->data[i] == 0)
- break;
- if(i < modlen - 1)
- ans = makebytes(eb->data+i+1, modlen-(i+1));
- }
- freebytes(eb);
- return ans;
- }
- //================= general utility functions ========================
- static void *
- emalloc(int n)
- {
- void *p;
- if(n==0)
- n=1;
- p = malloc(n);
- if(p == nil){
- exits("out of memory");
- }
- memset(p, 0, n);
- return p;
- }
- static void *
- erealloc(void *ReallocP, int ReallocN)
- {
- if(ReallocN == 0)
- ReallocN = 1;
- if(!ReallocP)
- ReallocP = emalloc(ReallocN);
- else if(!(ReallocP = realloc(ReallocP, ReallocN))){
- exits("out of memory");
- }
- return(ReallocP);
- }
- static void
- put32(uchar *p, u32int x)
- {
- p[0] = x>>24;
- p[1] = x>>16;
- p[2] = x>>8;
- p[3] = x;
- }
- static void
- put24(uchar *p, int x)
- {
- p[0] = x>>16;
- p[1] = x>>8;
- p[2] = x;
- }
- static void
- put16(uchar *p, int x)
- {
- p[0] = x>>8;
- p[1] = x;
- }
- static u32int
- get32(uchar *p)
- {
- return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
- }
- static int
- get24(uchar *p)
- {
- return (p[0]<<16)|(p[1]<<8)|p[2];
- }
- static int
- get16(uchar *p)
- {
- return (p[0]<<8)|p[1];
- }
- /* ANSI offsetof() */
- #define OFFSET(x, s) ((int)(&(((s*)0)->x)))
- /*
- * malloc and return a new Bytes structure capable of
- * holding len bytes. (len >= 0)
- * Used to use crypt_malloc, which aborts if malloc fails.
- */
- static Bytes*
- newbytes(int len)
- {
- Bytes* ans;
- ans = (Bytes*)malloc(OFFSET(data[0], Bytes) + len);
- ans->len = len;
- return ans;
- }
- /*
- * newbytes(len), with data initialized from buf
- */
- static Bytes*
- makebytes(uchar* buf, int len)
- {
- Bytes* ans;
- ans = newbytes(len);
- memmove(ans->data, buf, len);
- return ans;
- }
- static void
- freebytes(Bytes* b)
- {
- if(b != nil)
- free(b);
- }
- /* len is number of ints */
- static Ints*
- newints(int len)
- {
- Ints* ans;
- ans = (Ints*)malloc(OFFSET(data[0], Ints) + len*sizeof(int));
- ans->len = len;
- return ans;
- }
- static Ints*
- makeints(int* buf, int len)
- {
- Ints* ans;
- ans = newints(len);
- if(len > 0)
- memmove(ans->data, buf, len*sizeof(int));
- return ans;
- }
- static void
- freeints(Ints* b)
- {
- if(b != nil)
- free(b);
- }
|