2 * devtls - record layer for transport layer security 1.2 and secure sockets layer 3.0
5 #include "../port/lib.h"
9 #include "../port/error.h"
13 typedef struct OneWay OneWay;
14 typedef struct Secret Secret;
15 typedef struct TlsRec TlsRec;
16 typedef struct TlsErrs TlsErrs;
19 Statlen= 1024, /* max. length of status or stats message */
21 MaxRecLen = 1<<14, /* max payload length of a record layer message */
22 MaxCipherRecLen = MaxRecLen + 2048,
24 MaxMacLen = SHA2_256dlen,
26 /* protocol versions we can accept */
28 TLS10Version = 0x0301,
29 TLS11Version = 0x0302,
30 TLS12Version = 0x0303,
31 MinProtoVersion = 0x0300, /* limits on version we accept */
32 MaxProtoVersion = 0x03ff,
34 /* connection states */
35 SHandshake = 1 << 0, /* doing handshake */
36 SOpen = 1 << 1, /* application data can be sent */
37 SRClose = 1 << 2, /* remote side has closed down */
38 SLClose = 1 << 3, /* sent a close notify alert */
39 SAlert = 1 << 5, /* sending or sent a fatal alert */
40 SError = 1 << 6, /* some sort of error has occured */
41 SClosed = 1 << 7, /* it is all over */
44 RChangeCipherSpec = 20,
50 HSSL2ClientHello = 9, /* local convention; see tlshand.c */
54 EUnexpectedMessage = 10,
56 EDecryptionFailed = 21,
58 EDecompressionFailure = 30,
59 EHandshakeFailure = 40,
62 EUnsupportedCertificate = 43,
63 ECertificateRevoked = 44,
64 ECertificateExpired = 45,
65 ECertificateUnknown = 46,
66 EIllegalParameter = 47,
71 EExportRestriction = 60,
72 EProtocolVersion = 70,
73 EInsufficientSecurity = 71,
76 ENoRenegotiation = 100,
77 EUnrecognizedName = 112,
84 char *encalg; /* name of encryption alg */
85 char *hashalg; /* name of hash alg */
87 int (*aead_enc)(Secret*, uchar*, int, uchar*, uchar*, int);
88 int (*aead_dec)(Secret*, uchar*, int, uchar*, uchar*, int);
90 int (*enc)(Secret*, uchar*, int);
91 int (*dec)(Secret*, uchar*, int);
92 int (*unpad)(uchar*, int, int);
93 DigestState* (*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
95 int block; /* encryption block len, 0 if none */
96 int maclen; /* # bytes of record mac / authentication tag */
97 int recivlen; /* # bytes of record iv for AEAD ciphers */
99 uchar mackey[MaxMacLen];
104 QLock io; /* locks io access */
105 QLock seclock; /* locks secret paramaters */
107 Secret *sec; /* cipher in use */
108 Secret *new; /* cipher waiting for enable */
113 Chan *c; /* io channel */
114 int ref; /* serialized by tdlock for atomic destroy */
115 int version; /* version of the protocol we are speaking */
116 char verset; /* version has been set */
117 char opened; /* opened command every issued? */
118 char err[ERRMAX]; /* error message to return to handshake requests */
119 vlong handin; /* bytes communicated by the record layer */
129 * function to genrate authenticated data blob for different
132 int (*packAAD)(u64int, uchar*, uchar*);
134 /* input side -- protected by in.io */
136 Block *processed; /* next bunch of application data */
137 Block *unprocessed; /* data read from c but not parsed into records */
139 /* handshake queue */
140 Lock hqlock; /* protects hqref, alloc & free of handq, hprocessed */
142 Queue *handq; /* queue of handshake messages */
143 Block *hprocessed; /* remainder of last block read from handq */
144 QLock hqread; /* protects reads for hprocessed, handq */
162 static TlsErrs tlserrs[] = {
163 {ECloseNotify, ECloseNotify, ECloseNotify, 0, "close notify"},
164 {EUnexpectedMessage, EUnexpectedMessage, EUnexpectedMessage, 1, "unexpected message"},
165 {EBadRecordMac, EBadRecordMac, EBadRecordMac, 1, "bad record mac"},
166 {EDecryptionFailed, EIllegalParameter, EDecryptionFailed, 1, "decryption failed"},
167 {ERecordOverflow, EIllegalParameter, ERecordOverflow, 1, "record too long"},
168 {EDecompressionFailure, EDecompressionFailure, EDecompressionFailure, 1, "decompression failed"},
169 {EHandshakeFailure, EHandshakeFailure, EHandshakeFailure, 1, "could not negotiate acceptable security parameters"},
170 {ENoCertificate, ENoCertificate, ECertificateUnknown, 1, "no appropriate certificate available"},
171 {EBadCertificate, EBadCertificate, EBadCertificate, 1, "corrupted or invalid certificate"},
172 {EUnsupportedCertificate, EUnsupportedCertificate, EUnsupportedCertificate, 1, "unsupported certificate type"},
173 {ECertificateRevoked, ECertificateRevoked, ECertificateRevoked, 1, "revoked certificate"},
174 {ECertificateExpired, ECertificateExpired, ECertificateExpired, 1, "expired certificate"},
175 {ECertificateUnknown, ECertificateUnknown, ECertificateUnknown, 1, "unacceptable certificate"},
176 {EIllegalParameter, EIllegalParameter, EIllegalParameter, 1, "illegal parameter"},
177 {EUnknownCa, EHandshakeFailure, EUnknownCa, 1, "unknown certificate authority"},
178 {EAccessDenied, EHandshakeFailure, EAccessDenied, 1, "access denied"},
179 {EDecodeError, EIllegalParameter, EDecodeError, 1, "error decoding message"},
180 {EDecryptError, EIllegalParameter, EDecryptError, 1, "error decrypting message"},
181 {EExportRestriction, EHandshakeFailure, EExportRestriction, 1, "export restriction violated"},
182 {EProtocolVersion, EIllegalParameter, EProtocolVersion, 1, "protocol version not supported"},
183 {EInsufficientSecurity, EHandshakeFailure, EInsufficientSecurity, 1, "stronger security routines required"},
184 {EInternalError, EHandshakeFailure, EInternalError, 1, "internal error"},
185 {EUserCanceled, ECloseNotify, EUserCanceled, 0, "handshake canceled by user"},
186 {ENoRenegotiation, EUnexpectedMessage, ENoRenegotiation, 0, "no renegotiation"},
191 /* max. open tls connections */
197 static int maxtlsdevs = 128;
198 static TlsRec **tlsdevs;
199 static char **trnames;
200 static char *encalgs;
201 static char *hashalgs;
204 Qtopdir = 1, /* top level directory */
209 Qconvdir, /* directory for a conversation */
217 #define TYPE(x) ((x).path & 0xf)
218 #define CONV(x) (((x).path >> 5)&(MaxTlsDevs-1))
219 #define QID(c, y) (((c)<<5) | (y))
221 static void checkstate(TlsRec *, int, int);
222 static void ensure(TlsRec*, Block**, int);
223 static void consume(Block**, uchar*, int);
224 static Chan* buftochan(char*);
225 static void tlshangup(TlsRec*);
226 static void tlsError(TlsRec*, char *);
227 static void alertHand(TlsRec*, char *);
228 static TlsRec *newtls(Chan *c);
229 static TlsRec *mktlsrec(void);
230 static DigestState*sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
231 static DigestState*sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
232 static DigestState*nomac(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
233 static int sslPackAAD(u64int, uchar*, uchar*);
234 static int tlsPackAAD(u64int, uchar*, uchar*);
235 static void packMac(Secret*, uchar*, int, uchar*, int, uchar*);
236 static void put64(uchar *p, u64int);
237 static void put32(uchar *p, u32int);
238 static void put24(uchar *p, int);
239 static void put16(uchar *p, int);
240 static int get16(uchar *p);
241 static void tlsSetState(TlsRec *tr, int new, int old);
242 static void rcvAlert(TlsRec *tr, int err);
243 static void sendAlert(TlsRec *tr, int err);
244 static void rcvError(TlsRec *tr, int err, char *msg, ...);
245 static int rc4enc(Secret *sec, uchar *buf, int n);
246 static int des3enc(Secret *sec, uchar *buf, int n);
247 static int des3dec(Secret *sec, uchar *buf, int n);
248 static int aesenc(Secret *sec, uchar *buf, int n);
249 static int aesdec(Secret *sec, uchar *buf, int n);
250 static int ccpoly_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len);
251 static int ccpoly_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len);
252 static int aesgcm_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len);
253 static int aesgcm_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len);
254 static int noenc(Secret *sec, uchar *buf, int n);
255 static int sslunpad(uchar *buf, int n, int block);
256 static int tlsunpad(uchar *buf, int n, int block);
257 static void freeSec(Secret *sec);
258 static char *tlsstate(int s);
259 static void pdump(int, void*, char*);
261 #pragma varargck argpos rcvError 3
263 static char *tlsnames[] = {
265 [Qencalgs] "encalgs",
266 [Qhashalgs] "hashalgs",
274 static int convdir[] = { Qctl, Qdata, Qhand, Qstatus, Qstats };
277 tlsgen(Chan *c, char*, Dirtab *, int, int s, Dir *dp)
291 q.path = QID(0, Qtopdir);
293 devdir(c, q, "#a", 0, eve, 0555, dp);
298 q.path = QID(0, Qprotodir);
300 devdir(c, q, "tls", 0, eve, 0555, dp);
304 q.path = QID(0, Qtopdir);
306 devdir(c, q, ".", 0, eve, 0555, dp);
314 q.path = QID(0, Qclonus);
317 q.path = QID(0, Qencalgs);
320 q.path = QID(0, Qhashalgs);
324 if(TYPE(q) == Qclonus)
326 devdir(c, q, tlsnames[TYPE(q)], 0, eve, perm, dp);
332 q.path = QID(s, Qconvdir);
340 if((name = trnames[s]) == nil){
341 name = trnames[s] = smalloc(16);
342 sprint(name, "%d", s);
344 devdir(c, q, name, 0, nm, 0555, dp);
349 q.path = QID(0, Qprotodir);
351 devdir(c, q, "tls", 0, eve, 0555, dp);
354 if(s < 0 || s >= nelem(convdir))
357 tr = tlsdevs[CONV(c->qid)];
366 if(t == Qstatus || t == Qstats)
368 q.path = QID(CONV(c->qid), t);
369 devdir(c, q, tlsnames[t], 0, nm, perm, dp);
378 devdir(c, c->qid, tlsnames[t], 0, eve, perm, dp);
382 tr = tlsdevs[CONV(c->qid)];
390 if(t == Qstatus || t == Qstats)
392 devdir(c, c->qid, tlsnames[t], 0, nm, perm, dp);
399 tlsattach(char *spec)
403 c = devattach('a', spec);
404 c->qid.path = QID(0, Qtopdir);
411 tlswalk(Chan *c, Chan *nc, char **name, int nname)
413 return devwalk(c, nc, name, nname, nil, 0, tlsgen);
417 tlsstat(Chan *c, uchar *db, int n)
419 return devstat(c, db, n, nil, 0, tlsgen);
423 tlsopen(Chan *c, int omode)
448 if((t == Qstatus || t == Qstats) && omode != OREAD)
455 pp = &tlsdevs[CONV(c->qid)];
458 error("must open connection using clone");
459 devpermcheck(tr->user, tr->perm, omode);
468 tr->handq = qopen(2 * MaxCipherRecLen, 0, nil, nil);
470 error("cannot allocate handshake queue");
485 c->mode = openmode(omode);
488 c->iounit = MaxRecLen;
493 tlswstat(Chan *c, uchar *dp, int n)
507 tr = tlsdevs[CONV(c->qid)];
510 if(strcmp(tr->user, up->user) != 0)
513 d = smalloc(n + sizeof *d);
514 rv = convM2D(dp, n, &d[0], (char*) &d[1]);
517 if(!emptystr(d->uid))
518 kstrdup(&tr->user, d->uid);
533 if(--tr->hqref == 0){
534 if(tr->handq != nil){
538 if(tr->hprocessed != nil){
539 freeb(tr->hprocessed);
540 tr->hprocessed = nil;
559 if((c->flag & COPEN) == 0)
562 tr = tlsdevs[CONV(c->qid)];
574 tlsdevs[CONV(c->qid)] = nil;
577 if(tr->c != nil && !waserror()){
578 checkstate(tr, 0, SOpen|SHandshake|SRClose);
579 sendAlert(tr, ECloseNotify);
587 freeSec(tr->out.sec);
588 freeSec(tr->out.new);
596 * make sure we have at least 'n' bytes in list 'l'
599 ensure(TlsRec *s, Block **l, int n)
605 for(b = *l; b; b = b->next){
613 bl = devtab[s->c->type]->bread(s->c, MaxCipherRecLen + RecHdrLen, 0);
618 for(b = bl; b; b = b->next){
626 if(s->debug) pprint("ensure read %d\n", sofar);
630 * copy 'n' bytes from 'l' into 'p' and free
634 consume(Block **l, uchar *p, int n)
639 for(; *l && n > 0; n -= i){
644 memmove(p, b->rp, i);
660 regurgitate(TlsRec *s, uchar *p, int n)
667 if(s->unprocessed == nil || b->rp - b->base < n) {
669 memmove(b->wp, p, n);
671 b->next = s->unprocessed;
675 memmove(b->rp, p, n);
680 * remove at most n bytes from the queue
683 qgrab(Block **l, int n)
696 for(bb = b; bb != nil && i < n; bb = bb->next)
702 consume(l, bb->wp, i);
708 tlsclosed(TlsRec *tr, int new)
711 if(tr->state == SOpen || tr->state == SHandshake)
713 else if((new | tr->state) == (SRClose|SLClose))
715 unlock(&tr->statelk);
716 alertHand(tr, "close notify");
720 * read and process one tls record layer message
721 * must be called with tr->in.io held
722 * We can't let Eintrs lose data, since doing so will get
723 * us out of sync with the sender and break the reliablity
724 * of the channel. Eintr only happens during the reads in
725 * consume. Therefore we put back any bytes consumed before
726 * the last call to ensure.
729 tlsrecread(TlsRec *tr)
733 uchar *p, aad[8+RecHdrLen], header[RecHdrLen], hmac[MaxMacLen];
734 int volatile nconsumed;
735 int len, type, ver, unpad_len, aadlen, ivlen;
740 if(strcmp(up->errstr, Eintr) == 0 && !waserror()){
741 regurgitate(tr, header, nconsumed);
744 tlsError(tr, "channel error");
747 ensure(tr, &tr->unprocessed, RecHdrLen);
748 consume(&tr->unprocessed, header, RecHdrLen);
749 if(tr->debug)pprint("consumed %d header\n", RecHdrLen);
750 nconsumed = RecHdrLen;
752 if((tr->handin == 0) && (header[0] & 0x80)){
753 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
754 This is sent by some clients that we must interoperate
755 with, such as Java's JSSE and Microsoft's Internet Explorer. */
756 len = (get16(header) & ~0x8000) - 3;
758 ver = get16(header + 3);
759 if(type != SSL2ClientHello || len < 22)
760 rcvError(tr, EProtocolVersion, "invalid initial SSL2-like message");
761 }else{ /* normal SSL3 record format */
763 ver = get16(header+1);
764 len = get16(header+3);
766 if(ver != tr->version && (tr->verset || ver < MinProtoVersion || ver > MaxProtoVersion))
767 rcvError(tr, EProtocolVersion, "devtls expected ver=%x%s, saw (len=%d) type=%x ver=%x '%.12s'",
768 tr->version, tr->verset?"/set":"", len, type, ver, (char*)header);
769 if(len > MaxCipherRecLen || len < 0)
770 rcvError(tr, ERecordOverflow, "record message too long %d", len);
771 ensure(tr, &tr->unprocessed, len);
776 * If an Eintr happens after this, we'll get out of sync.
777 * Make sure nothing we call can sleep.
778 * Errors are ok, as they kill the connection.
779 * Luckily, allocb won't sleep, it'll just error out.
785 tlsError(tr, "channel error");
788 b = qgrab(&tr->unprocessed, len);
789 if(tr->debug) pprint("consumed unprocessed %d\n", len);
793 qunlock(&in->seclock);
800 /* to avoid Canvel-Hiltgen-Vaudenay-Vuagnoux attack, all errors here
801 should look alike, including timing of the response. */
802 if(sec->aead_dec != nil)
805 unpad_len = (*sec->dec)(sec, p, len);
806 if(tr->debug) pprint("decrypted %d\n", unpad_len);
807 if(tr->debug) pdump(unpad_len, p, "decrypted:");
810 ivlen = sec->recivlen;
811 if(tr->version >= TLS11Version){
817 rcvError(tr, EDecodeError, "runt record message");
821 if(unpad_len >= sec->maclen)
822 len = unpad_len - sec->maclen;
825 put16(header+3, len);
826 aadlen = (*tr->packAAD)(in->seq++, header, aad);
827 if(sec->aead_dec != nil) {
828 len = (*sec->aead_dec)(sec, aad, aadlen, p - ivlen, p, unpad_len);
830 rcvError(tr, EBadRecordMac, "record mac mismatch");
832 packMac(sec, aad, aadlen, p, len, hmac);
833 if(unpad_len < sec->maclen)
834 rcvError(tr, EBadRecordMac, "short record mac");
835 if(tsmemcmp(hmac, p + len, sec->maclen) != 0)
836 rcvError(tr, EBadRecordMac, "record mac mismatch");
841 qunlock(&in->seclock);
844 rcvError(tr, EDecodeError, "runt record message");
848 rcvError(tr, EIllegalParameter, "invalid record message %#x", type);
850 case RChangeCipherSpec:
851 if(len != 1 || p[0] != 1)
852 rcvError(tr, EDecodeError, "invalid change cipher spec");
855 qunlock(&in->seclock);
856 rcvError(tr, EUnexpectedMessage, "unexpected change cipher spec");
862 qunlock(&in->seclock);
866 rcvError(tr, EDecodeError, "invalid alert");
870 rcvError(tr, EIllegalParameter, "invalid alert fatal code");
873 * propagate non-fatal alerts to handshaker
877 tlsclosed(tr, SRClose);
880 error("close notify");
882 case ENoRenegotiation:
883 alertHand(tr, "no renegotiation");
886 alertHand(tr, "handshake canceled by user");
888 case EUnrecognizedName:
889 /* happens in response to SNI, can be ignored. */
892 rcvError(tr, EIllegalParameter, "invalid alert code");
897 * don't worry about dropping the block
898 * qbwrite always queues even if flow controlled and interrupted.
900 * if there isn't any handshaker, ignore the request,
901 * but notify the other side we are doing so.
904 if(tr->handq != nil){
913 qbwrite(tr->handq, b);
919 if(tr->verset && tr->version != SSL3Version && !waserror()){
920 sendAlert(tr, ENoRenegotiation);
925 case SSL2ClientHello:
927 if(tr->handq != nil){
934 /* Pass the SSL2 format data, so that the handshake code can compute
935 the correct checksums. HSSL2ClientHello = HandshakeType 9 is
936 unused in RFC2246. */
938 b->rp[0] = RHandshake;
939 b->rp[1] = HSSL2ClientHello;
940 put24(&b->rp[2], len+3);
941 b->rp[5] = SSL2ClientHello;
942 put16(&b->rp[6], ver);
943 qbwrite(tr->handq, b);
949 if(tr->verset && tr->version != SSL3Version && !waserror()){
950 sendAlert(tr, ENoRenegotiation);
957 rcvError(tr, EUnexpectedMessage, "application message received before handshake completed");
970 * got a fatal alert message
973 rcvAlert(TlsRec *tr, int err)
979 for(i=0; i < nelem(tlserrs); i++){
980 if(tlserrs[i].err == err){
985 if(tr->debug) pprint("rcvAlert: %s\n", s);
994 * found an error while decoding the input stream
997 rcvError(TlsRec *tr, int err, char *fmt, ...)
1003 vseprint(msg, msg+sizeof(msg), fmt, arg);
1005 if(tr->debug) pprint("rcvError: %s\n", msg);
1015 * make sure the next hand operation returns with a 'msg' error
1018 alertHand(TlsRec *tr, char *msg)
1024 if(tr->handq == nil){
1025 unlock(&tr->hqlock);
1029 unlock(&tr->hqlock);
1038 memmove(b->wp, msg, n + 1);
1041 qbwrite(tr->handq, b);
1048 checkstate(TlsRec *tr, int ishand, int ok)
1054 unlock(&tr->statelk);
1069 error("tls hungup");
1071 error("tls improperly configured");
1075 tlsbread(Chan *c, long n, ulong offset)
1079 TlsRec *volatile tr;
1084 return devbread(c, n, offset);
1090 tr = tlsdevs[CONV(c->qid)];
1095 qunlock(&tr->in.io);
1100 checkstate(tr, 0, SOpen);
1101 while(tr->processed == nil)
1104 /* return at most what was asked for */
1105 b = qgrab(&tr->processed, n);
1106 if(tr->debug) pprint("consumed processed %zd\n", BLEN(b));
1107 if(tr->debug) pdump(BLEN(b), b->rp, "consumed:");
1108 qunlock(&tr->in.io);
1110 tr->datain += BLEN(b);
1112 checkstate(tr, 1, SOpen|SHandshake|SLClose);
1115 * it's ok to look at state without the lock
1116 * since it only protects reading records,
1117 * and we have that tr->in.io held.
1119 while(!tr->opened && tr->hprocessed == nil && !qcanread(tr->handq))
1122 qunlock(&tr->in.io);
1126 qunlock(&tr->hqread);
1130 if(tr->hprocessed == nil){
1131 b = qbread(tr->handq, MaxRecLen + 1);
1132 if(*b->rp++ == RAlert){
1133 kstrcpy(up->errstr, (char*)b->rp, ERRMAX);
1139 b = qgrab(&tr->hprocessed, n);
1141 qunlock(&tr->hqread);
1142 tr->handin += BLEN(b);
1149 tlsread(Chan *c, void *a, long n, vlong off)
1159 if(c->qid.type & QTDIR)
1160 return devdirread(c, a, n, 0, 0, tlsgen);
1162 tr = tlsdevs[CONV(c->qid)];
1168 buf = smalloc(Statlen);
1169 qlock(&tr->in.seclock);
1170 qlock(&tr->out.seclock);
1173 s = seprint(s, e, "State: %s\n", tlsstate(tr->state));
1174 s = seprint(s, e, "Version: %#x\n", tr->version);
1175 if(tr->in.sec != nil)
1176 s = seprint(s, e, "EncIn: %s\nHashIn: %s\n", tr->in.sec->encalg, tr->in.sec->hashalg);
1177 if(tr->in.new != nil)
1178 s = seprint(s, e, "NewEncIn: %s\nNewHashIn: %s\n", tr->in.new->encalg, tr->in.new->hashalg);
1179 if(tr->out.sec != nil)
1180 s = seprint(s, e, "EncOut: %s\nHashOut: %s\n", tr->out.sec->encalg, tr->out.sec->hashalg);
1181 if(tr->out.new != nil)
1182 s = seprint(s, e, "NewEncOut: %s\nNewHashOut: %s\n", tr->out.new->encalg, tr->out.new->hashalg);
1184 seprint(s, e, "Chan: %s\n", chanpath(tr->c));
1185 qunlock(&tr->in.seclock);
1186 qunlock(&tr->out.seclock);
1187 n = readstr(offset, a, n, buf);
1191 buf = smalloc(Statlen);
1194 s = seprint(s, e, "DataIn: %lld\n", tr->datain);
1195 s = seprint(s, e, "DataOut: %lld\n", tr->dataout);
1196 s = seprint(s, e, "HandIn: %lld\n", tr->handin);
1197 seprint(s, e, "HandOut: %lld\n", tr->handout);
1198 n = readstr(offset, a, n, buf);
1202 buf = smalloc(Statlen);
1203 snprint(buf, Statlen, "%llud", CONV(c->qid));
1204 n = readstr(offset, a, n, buf);
1209 b = tlsbread(c, n, offset);
1212 return readstr(offset, a, n, encalgs);
1214 return readstr(offset, a, n, hashalgs);
1224 for(nb = b; nb; nb = nb->next){
1226 memmove(va+n, nb->rp, i);
1237 * write a block in tls records
1240 tlsrecwrite(TlsRec *tr, int type, Block *b)
1244 uchar *p, aad[8+RecHdrLen];
1245 OneWay *volatile out;
1246 int n, ivlen, maclen, aadlen, pad, ok;
1258 if(tr->debug)pprint("send %zd\n", BLEN(b));
1259 if(tr->debug)pdump(BLEN(b), b->rp, "sent:");
1262 ok = SHandshake|SOpen|SRClose;
1266 checkstate(tr, type != RApplication, ok);
1269 * get at most one maximal record's input,
1270 * with padding on the front for header and
1271 * back for mac and maximal block padding.
1274 qunlock(&out->seclock);
1277 qlock(&out->seclock);
1283 maclen = sec->maclen;
1284 pad = maclen + sec->block;
1285 ivlen = sec->recivlen;
1286 if(tr->version >= TLS11Version){
1294 nb = allocb(RecHdrLen + ivlen + n + pad);
1295 memmove(nb->wp + RecHdrLen + ivlen, bb->rp, n);
1299 * carefully reuse bb so it will get freed if we're out of memory
1301 bb = padblock(bb, RecHdrLen + ivlen);
1303 nb = padblock(bb, -pad);
1311 put16(p+1, tr->version);
1315 aadlen = (*tr->packAAD)(out->seq++, p, aad);
1316 if(sec->aead_enc != nil)
1317 n = (*sec->aead_enc)(sec, aad, aadlen, p + RecHdrLen, p + RecHdrLen + ivlen, n) + ivlen;
1320 prng(p + RecHdrLen, ivlen);
1321 packMac(sec, aad, aadlen, p + RecHdrLen + ivlen, n, p + RecHdrLen + ivlen + n);
1322 n = (*sec->enc)(sec, p + RecHdrLen, ivlen + n + maclen);
1324 nb->wp = p + RecHdrLen + n;
1329 if(type == RChangeCipherSpec){
1331 error("change cipher without a new cipher");
1333 out->sec = out->new;
1337 qunlock(&out->seclock);
1341 * if bwrite error's, we assume the block is queued.
1342 * if not, we're out of sync with the receiver and will not recover.
1345 if(strcmp(up->errstr, "interrupted") != 0)
1346 tlsError(tr, "channel error");
1349 devtab[tr->c->type]->bwrite(tr->c, nb, 0);
1357 tlsbwrite(Chan *c, Block *b, ulong offset)
1365 tr = tlsdevs[CONV(c->qid)];
1372 return devbwrite(c, b, offset);
1374 tlsrecwrite(tr, RHandshake, b);
1378 checkstate(tr, 0, SOpen);
1379 tlsrecwrite(tr, RApplication, b);
1387 typedef struct Hashalg Hashalg;
1392 void (*initkey)(Hashalg *, int, Secret *, uchar*);
1396 initmd5key(Hashalg *ha, int version, Secret *s, uchar *p)
1398 s->maclen = ha->maclen;
1399 if(version == SSL3Version)
1400 s->mac = sslmac_md5;
1403 memmove(s->mackey, p, ha->maclen);
1407 initclearmac(Hashalg *, int, Secret *s, uchar *)
1413 initsha1key(Hashalg *ha, int version, Secret *s, uchar *p)
1415 s->maclen = ha->maclen;
1416 if(version == SSL3Version)
1417 s->mac = sslmac_sha1;
1420 memmove(s->mackey, p, ha->maclen);
1424 initsha2_256key(Hashalg *ha, int version, Secret *s, uchar *p)
1426 if(version == SSL3Version)
1427 error("sha256 cannot be used with SSL");
1428 s->maclen = ha->maclen;
1429 s->mac = hmac_sha2_256;
1430 memmove(s->mackey, p, ha->maclen);
1433 static Hashalg hashtab[] =
1435 { "clear", 0, initclearmac, },
1436 { "md5", MD5dlen, initmd5key, },
1437 { "sha1", SHA1dlen, initsha1key, },
1438 { "sha256", SHA2_256dlen, initsha2_256key, },
1443 parsehashalg(char *p)
1447 for(ha = hashtab; ha->name; ha++)
1448 if(strcmp(p, ha->name) == 0)
1450 error("unsupported hash algorithm");
1454 typedef struct Encalg Encalg;
1460 void (*initkey)(Encalg *ea, Secret *, uchar*, uchar*);
1464 initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *)
1466 s->enckey = secalloc(sizeof(RC4state));
1469 setupRC4state(s->enckey, p, ea->keylen);
1473 initDES3key(Encalg *, Secret *s, uchar *p, uchar *iv)
1475 s->enckey = secalloc(sizeof(DES3state));
1479 setupDES3state(s->enckey, (uchar(*)[8])p, iv);
1483 initAESkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
1485 s->enckey = secalloc(sizeof(AESstate));
1489 setupAESstate(s->enckey, p, ea->keylen, iv);
1493 initccpolykey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
1495 s->enckey = secalloc(sizeof(Chachastate));
1496 s->aead_enc = ccpoly_aead_enc;
1497 s->aead_dec = ccpoly_aead_dec;
1498 s->maclen = Poly1305dlen;
1499 if(ea->ivlen == 0) {
1500 /* older draft version, iv is 64-bit sequence number */
1501 setupChachastate(s->enckey, p, ea->keylen, nil, 64/8, 20);
1503 /* IETF standard, 96-bit iv xored with sequence number */
1504 memmove(s->mackey, iv, ea->ivlen);
1505 setupChachastate(s->enckey, p, ea->keylen, iv, ea->ivlen, 20);
1510 initaesgcmkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
1512 s->enckey = secalloc(sizeof(AESGCMstate));
1513 s->aead_enc = aesgcm_aead_enc;
1514 s->aead_dec = aesgcm_aead_dec;
1517 memmove(s->mackey, iv, ea->ivlen);
1518 prng(s->mackey + ea->ivlen, s->recivlen);
1519 setupAESGCMstate(s->enckey, p, ea->keylen, nil, 0);
1523 initclearenc(Encalg *, Secret *s, uchar *, uchar *)
1529 static Encalg encrypttab[] =
1531 { "clear", 0, 0, initclearenc },
1532 { "rc4_128", 128/8, 0, initRC4key },
1533 { "3des_ede_cbc", 3 * 8, 8, initDES3key },
1534 { "aes_128_cbc", 128/8, 16, initAESkey },
1535 { "aes_256_cbc", 256/8, 16, initAESkey },
1536 { "ccpoly64_aead", 256/8, 0, initccpolykey },
1537 { "ccpoly96_aead", 256/8, 96/8, initccpolykey },
1538 { "aes_128_gcm_aead", 128/8, 4, initaesgcmkey },
1539 { "aes_256_gcm_aead", 256/8, 4, initaesgcmkey },
1544 parseencalg(char *p)
1548 for(ea = encrypttab; ea->name; ea++)
1549 if(strcmp(p, ea->name) == 0)
1551 error("unsupported encryption algorithm");
1556 tlswrite(Chan *c, void *a, long n, vlong off)
1560 TlsRec *volatile tr;
1561 Secret *volatile tos, *volatile toc;
1563 Cmdbuf *volatile cb;
1569 tr = tlsdevs[CONV(c->qid)];
1589 memmove(b->wp, p, m);
1593 tlsbwrite(c, b, offset);
1605 cb = parsecmd(a, n);
1611 error("short control request");
1613 /* mutex with operations using what we're about to change */
1615 qunlock(&tr->in.seclock);
1616 qunlock(&tr->out.seclock);
1619 qlock(&tr->in.seclock);
1620 qlock(&tr->out.seclock);
1622 if(strcmp(cb->f[0], "fd") == 0){
1624 error("usage: fd open-fd version");
1627 m = strtol(cb->f[2], nil, 0);
1628 if(m < MinProtoVersion || m > MaxProtoVersion)
1629 error("unsupported version");
1630 tr->c = buftochan(cb->f[1]);
1632 tlsSetState(tr, SHandshake, SClosed);
1633 }else if(strcmp(cb->f[0], "version") == 0){
1635 error("usage: version vers");
1637 error("must set fd before version");
1639 error("version already set");
1640 m = strtol(cb->f[1], nil, 0);
1641 if(m < MinProtoVersion || m > MaxProtoVersion)
1642 error("unsupported version");
1643 if(m == SSL3Version)
1644 tr->packAAD = sslPackAAD;
1646 tr->packAAD = tlsPackAAD;
1649 }else if(strcmp(cb->f[0], "secret") == 0){
1651 error("usage: secret hashalg encalg isclient secretdata");
1652 if(tr->c == nil || !tr->verset)
1653 error("must set fd and version before secrets");
1655 if(tr->in.new != nil){
1656 freeSec(tr->in.new);
1659 if(tr->out.new != nil){
1660 freeSec(tr->out.new);
1664 ha = parsehashalg(cb->f[1]);
1665 ea = parseencalg(cb->f[2]);
1668 m = (strlen(p)*3)/2 + 1;
1670 tos = secalloc(sizeof(Secret));
1671 toc = secalloc(sizeof(Secret));
1679 m = dec64(x, m, p, strlen(p));
1680 memset(p, 0, strlen(p));
1681 if(m < 2 * ha->maclen + 2 * ea->keylen + 2 * ea->ivlen)
1682 error("not enough secret data provided");
1684 if(!ha->initkey || !ea->initkey)
1685 error("misimplemented secret algorithm");
1687 (*ha->initkey)(ha, tr->version, tos, &x[0]);
1688 (*ha->initkey)(ha, tr->version, toc, &x[ha->maclen]);
1689 (*ea->initkey)(ea, tos, &x[2 * ha->maclen], &x[2 * ha->maclen + 2 * ea->keylen]);
1690 (*ea->initkey)(ea, toc, &x[2 * ha->maclen + ea->keylen], &x[2 * ha->maclen + 2 * ea->keylen + ea->ivlen]);
1692 if(!tos->aead_enc || !tos->aead_dec || !toc->aead_enc || !toc->aead_dec)
1693 if(!tos->mac || !tos->enc || !tos->dec || !toc->mac || !toc->enc || !toc->dec)
1694 error("missing algorithm implementations");
1696 if(strtol(cb->f[3], nil, 0) == 0){
1703 if(tr->version == SSL3Version){
1704 toc->unpad = sslunpad;
1705 tos->unpad = sslunpad;
1707 toc->unpad = tlsunpad;
1708 tos->unpad = tlsunpad;
1710 toc->encalg = ea->name;
1711 toc->hashalg = ha->name;
1712 tos->encalg = ea->name;
1713 tos->hashalg = ha->name;
1717 }else if(strcmp(cb->f[0], "changecipher") == 0){
1719 error("usage: changecipher");
1720 if(tr->out.new == nil)
1721 error("cannot change cipher spec without setting secret");
1723 qunlock(&tr->in.seclock);
1724 qunlock(&tr->out.seclock);
1730 * the real work is done as the message is written
1731 * so the stream is encrypted in sync.
1735 tlsrecwrite(tr, RChangeCipherSpec, b);
1737 }else if(strcmp(cb->f[0], "opened") == 0){
1739 error("usage: opened");
1740 if(tr->in.sec == nil || tr->out.sec == nil)
1741 error("cipher must be configured before enabling data messages");
1743 if(tr->state != SHandshake && tr->state != SOpen){
1744 unlock(&tr->statelk);
1745 error("cannot enable data messages");
1748 unlock(&tr->statelk);
1750 }else if(strcmp(cb->f[0], "alert") == 0){
1752 error("usage: alert n");
1754 error("must set fd before sending alerts");
1755 m = strtol(cb->f[1], nil, 0);
1757 qunlock(&tr->in.seclock);
1758 qunlock(&tr->out.seclock);
1765 if(m == ECloseNotify)
1766 tlsclosed(tr, SLClose);
1769 } else if(strcmp(cb->f[0], "debug") == 0){
1771 if(strcmp(cb->f[1], "on") == 0)
1780 qunlock(&tr->in.seclock);
1781 qunlock(&tr->out.seclock);
1799 fmtinstall('H', encodefmt);
1803 tlsdevs = smalloc(sizeof(TlsRec*) * maxtlsdevs);
1804 trnames = smalloc((sizeof *trnames) * maxtlsdevs);
1807 for(e = encrypttab; e->name != nil; e++)
1808 n += strlen(e->name) + 1;
1809 cp = encalgs = smalloc(n);
1810 for(e = encrypttab;;){
1811 strcpy(cp, e->name);
1812 cp += strlen(e->name);
1821 for(h = hashtab; h->name != nil; h++)
1822 n += strlen(h->name) + 1;
1823 cp = hashalgs = smalloc(n);
1825 strcpy(cp, h->name);
1826 cp += strlen(h->name);
1856 /* get channel associated with an fd */
1865 fd = strtoul(p, 0, 0);
1868 c = fdtochan(fd, ORDWR, 1, 1); /* error check and inc ref */
1873 sendAlert(TlsRec *tr, int err)
1879 if(tr->debug)pprint("sendAlert %d\n", err);
1881 msg = "tls unknown alert";
1882 for(i=0; i < nelem(tlserrs); i++) {
1883 if(tlserrs[i].err == err) {
1884 msg = tlserrs[i].msg;
1885 if(tr->version == SSL3Version)
1886 err = tlserrs[i].sslerr;
1888 err = tlserrs[i].tlserr;
1889 fatal = tlserrs[i].fatal;
1896 *b->wp++ = fatal + 1;
1899 tlsSetState(tr, SAlert, SOpen|SHandshake|SRClose);
1900 tlsrecwrite(tr, RAlert, b);
1908 tlsError(TlsRec *tr, char *msg)
1912 if(tr->debug)pprint("tlsError %s\n", msg);
1917 strncpy(tr->err, msg, ERRMAX - 1);
1918 tr->err[ERRMAX - 1] = '\0';
1920 unlock(&tr->statelk);
1926 tlsSetState(TlsRec *tr, int new, int old)
1931 unlock(&tr->statelk);
1934 /* hand up a digest connection */
1936 tlshangup(TlsRec *tr)
1941 for(b = tr->processed; b; b = tr->processed){
1942 tr->processed = b->next;
1945 if(tr->unprocessed != nil){
1946 freeb(tr->unprocessed);
1947 tr->unprocessed = nil;
1949 qunlock(&tr->in.io);
1951 tlsSetState(tr, SClosed, ~0);
1957 TlsRec **pp, **ep, **np;
1966 ep = &tlsdevs[maxtlsdevs];
1967 for(pp = tlsdevs; pp < ep; pp++)
1971 if(maxtlsdevs >= MaxTlsDevs) {
1976 newmax = 2 * maxtlsdevs;
1977 if(newmax > MaxTlsDevs)
1978 newmax = MaxTlsDevs;
1979 np = smalloc(sizeof(TlsRec*) * newmax);
1980 memmove(np, tlsdevs, sizeof(TlsRec*) * maxtlsdevs);
1982 pp = &tlsdevs[maxtlsdevs];
1983 memset(pp, 0, sizeof(TlsRec*)*(newmax - maxtlsdevs));
1985 nmp = smalloc(sizeof *nmp * newmax);
1986 memmove(nmp, trnames, sizeof *nmp * maxtlsdevs);
1989 maxtlsdevs = newmax;
1992 if(pp - tlsdevs >= tdhiwat)
1997 ch->qid.path = QID(pp - tlsdevs, t);
2009 tr = mallocz(sizeof(*tr), 1);
2012 tr->state = SClosed;
2014 kstrdup(&tr->user, up->user);
2024 return "Handshaking";
2026 return "Established";
2028 return "RemoteClosed";
2030 return "LocalClosed";
2051 noenc(Secret *, uchar *, int n)
2057 rc4enc(Secret *sec, uchar *buf, int n)
2059 rc4(sec->enckey, buf, n);
2064 tlsunpad(uchar *buf, int n, int block)
2070 if(nn <= 0 || n % block)
2073 if(pad != buf[n - 1])
2079 sslunpad(uchar *buf, int n, int block)
2085 if(nn <= 0 || n % block)
2091 blockpad(uchar *buf, int n, int block)
2104 des3enc(Secret *sec, uchar *buf, int n)
2106 n = blockpad(buf, n, 8);
2107 des3CBCencrypt(buf, n, sec->enckey);
2112 des3dec(Secret *sec, uchar *buf, int n)
2114 des3CBCdecrypt(buf, n, sec->enckey);
2115 return (*sec->unpad)(buf, n, 8);
2119 aesenc(Secret *sec, uchar *buf, int n)
2121 n = blockpad(buf, n, 16);
2122 aesCBCencrypt(buf, n, sec->enckey);
2127 aesdec(Secret *sec, uchar *buf, int n)
2129 aesCBCdecrypt(buf, n, sec->enckey);
2130 return (*sec->unpad)(buf, n, 16);
2134 ccpoly_aead_setiv(Secret *sec, uchar seq[8])
2136 uchar iv[ChachaIVlen];
2140 cs = (Chachastate*)sec->enckey;
2141 if(cs->ivwords == 2){
2142 chacha_setiv(cs, seq);
2146 memmove(iv, sec->mackey, ChachaIVlen);
2148 iv[i+(ChachaIVlen-8)] ^= seq[i];
2150 chacha_setiv(cs, iv);
2152 memset(iv, 0, sizeof(iv));
2156 ccpoly_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len)
2159 ccpoly_aead_setiv(sec, aad);
2160 ccpoly_encrypt(data, len, aad, aadlen, data+len, sec->enckey);
2161 return len + sec->maclen;
2165 ccpoly_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len)
2171 ccpoly_aead_setiv(sec, aad);
2172 if(ccpoly_decrypt(data, len, aad, aadlen, data+len, sec->enckey) != 0)
2178 aesgcm_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len)
2183 memmove(iv, sec->mackey, 4+8);
2184 for(i=0; i<8; i++) iv[4+i] ^= aad[i];
2185 memmove(reciv, iv+4, 8);
2186 aesgcm_setiv(sec->enckey, iv, 12);
2187 memset(iv, 0, sizeof(iv));
2188 aesgcm_encrypt(data, len, aad, aadlen, data+len, sec->enckey);
2189 return len + sec->maclen;
2193 aesgcm_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len)
2200 memmove(iv, sec->mackey, 4);
2201 memmove(iv+4, reciv, 8);
2202 aesgcm_setiv(sec->enckey, iv, 12);
2203 memset(iv, 0, sizeof(iv));
2204 if(aesgcm_decrypt(data, len, aad, aadlen, data+len, sec->enckey) != 0)
2211 nomac(uchar *, ulong, uchar *, ulong, uchar *, DigestState *)
2217 * sslmac: mac calculations for ssl 3.0 only; tls 1.0 uses the standard hmac.
2220 sslmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s,
2221 DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen, int padlen)
2224 uchar pad[48], innerdigest[20];
2226 if(xlen > sizeof(innerdigest)
2227 || padlen > sizeof(pad))
2233 /* first time through */
2235 for(i=0; i<padlen; i++)
2237 s = (*x)(key, klen, nil, nil);
2238 s = (*x)(pad, padlen, nil, s);
2243 s = (*x)(p, len, nil, s);
2247 /* last time through */
2248 for(i=0; i<padlen; i++)
2250 (*x)(nil, 0, innerdigest, s);
2251 s = (*x)(key, klen, nil, nil);
2252 s = (*x)(pad, padlen, nil, s);
2253 (*x)(innerdigest, xlen, digest, s);
2258 sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2260 return sslmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen, 40);
2264 sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2266 return sslmac_x(p, len, key, klen, digest, s, md5, MD5dlen, 48);
2270 sslPackAAD(u64int seq, uchar *hdr, uchar *aad)
2280 tlsPackAAD(u64int seq, uchar *hdr, uchar *aad)
2292 packMac(Secret *sec, uchar *aad, int aadlen, uchar *body, int bodylen, uchar *mac)
2296 s = (*sec->mac)(aad, aadlen, sec->mackey, sec->maclen, nil, nil);
2297 (*sec->mac)(body, bodylen, sec->mackey, sec->maclen, mac, s);
2301 put32(uchar *p, u32int x)
2310 put64(uchar *p, u64int x)
2317 put24(uchar *p, int x)
2325 put16(uchar *p, int x)
2334 return (p[0]<<8)|p[1];
2337 static char *charmap = "0123456789abcdef";
2340 pdump(int len, void *a, char *tag)
2350 q = buf + strlen(tag);
2351 for(i = 0; len > 0 && i < 32; i++){
2352 if(*p >= ' ' && *p < 0x7f){
2356 *q++ = charmap[*p>>4];
2357 *q++ = charmap[*p & 0xf];
2365 pprint("%s...\n", buf);
2367 pprint("%s\n", buf);