2 * devtls - record layer for transport layer security 1.0 and secure sockets layer 3.0
5 #include "../port/lib.h"
9 #include "../port/error.h"
13 typedef struct OneWay OneWay;
14 typedef struct Secret Secret;
15 typedef struct TlsRec TlsRec;
16 typedef struct TlsErrs TlsErrs;
19 Statlen= 1024, /* max. length of status or stats message */
21 MaxRecLen = 1<<14, /* max payload length of a record layer message */
22 MaxCipherRecLen = MaxRecLen + 2048,
26 /* protocol versions we can accept */
28 TLS10Version = 0x0301,
29 TLS11Version = 0x0302,
30 MinProtoVersion = 0x0300, /* limits on version we accept */
31 MaxProtoVersion = 0x03ff,
33 /* connection states */
34 SHandshake = 1 << 0, /* doing handshake */
35 SOpen = 1 << 1, /* application data can be sent */
36 SRClose = 1 << 2, /* remote side has closed down */
37 SLClose = 1 << 3, /* sent a close notify alert */
38 SAlert = 1 << 5, /* sending or sent a fatal alert */
39 SError = 1 << 6, /* some sort of error has occured */
40 SClosed = 1 << 7, /* it is all over */
43 RChangeCipherSpec = 20,
49 HSSL2ClientHello = 9, /* local convention; see tlshand.c */
53 EUnexpectedMessage = 10,
55 EDecryptionFailed = 21,
57 EDecompressionFailure = 30,
58 EHandshakeFailure = 40,
61 EUnsupportedCertificate = 43,
62 ECertificateRevoked = 44,
63 ECertificateExpired = 45,
64 ECertificateUnknown = 46,
65 EIllegalParameter = 47,
70 EExportRestriction = 60,
71 EProtocolVersion = 70,
72 EInsufficientSecurity = 71,
75 ENoRenegotiation = 100,
76 EUnrecognizedName = 112,
83 char *encalg; /* name of encryption alg */
84 char *hashalg; /* name of hash alg */
85 int (*enc)(Secret*, uchar*, int);
86 int (*dec)(Secret*, uchar*, int);
87 int (*unpad)(uchar*, int, int);
88 DigestState *(*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
89 int block; /* encryption block len, 0 if none */
92 uchar mackey[MaxMacLen];
97 QLock io; /* locks io access */
98 QLock seclock; /* locks secret paramaters */
100 Secret *sec; /* cipher in use */
101 Secret *new; /* cipher waiting for enable */
106 Chan *c; /* io channel */
107 int ref; /* serialized by tdlock for atomic destroy */
108 int version; /* version of the protocol we are speaking */
109 char verset; /* version has been set */
110 char opened; /* opened command every issued? */
111 char err[ERRMAX]; /* error message to return to handshake requests */
112 vlong handin; /* bytes communicated by the record layer */
121 /* record layer mac functions for different protocol versions */
122 void (*packMac)(Secret*, uchar*, uchar*, uchar*, uchar*, int, uchar*);
124 /* input side -- protected by in.io */
126 Block *processed; /* next bunch of application data */
127 Block *unprocessed; /* data read from c but not parsed into records */
129 /* handshake queue */
130 Lock hqlock; /* protects hqref, alloc & free of handq, hprocessed */
132 Queue *handq; /* queue of handshake messages */
133 Block *hprocessed; /* remainder of last block read from handq */
134 QLock hqread; /* protects reads for hprocessed, handq */
152 static TlsErrs tlserrs[] = {
153 {ECloseNotify, ECloseNotify, ECloseNotify, 0, "close notify"},
154 {EUnexpectedMessage, EUnexpectedMessage, EUnexpectedMessage, 1, "unexpected message"},
155 {EBadRecordMac, EBadRecordMac, EBadRecordMac, 1, "bad record mac"},
156 {EDecryptionFailed, EIllegalParameter, EDecryptionFailed, 1, "decryption failed"},
157 {ERecordOverflow, EIllegalParameter, ERecordOverflow, 1, "record too long"},
158 {EDecompressionFailure, EDecompressionFailure, EDecompressionFailure, 1, "decompression failed"},
159 {EHandshakeFailure, EHandshakeFailure, EHandshakeFailure, 1, "could not negotiate acceptable security parameters"},
160 {ENoCertificate, ENoCertificate, ECertificateUnknown, 1, "no appropriate certificate available"},
161 {EBadCertificate, EBadCertificate, EBadCertificate, 1, "corrupted or invalid certificate"},
162 {EUnsupportedCertificate, EUnsupportedCertificate, EUnsupportedCertificate, 1, "unsupported certificate type"},
163 {ECertificateRevoked, ECertificateRevoked, ECertificateRevoked, 1, "revoked certificate"},
164 {ECertificateExpired, ECertificateExpired, ECertificateExpired, 1, "expired certificate"},
165 {ECertificateUnknown, ECertificateUnknown, ECertificateUnknown, 1, "unacceptable certificate"},
166 {EIllegalParameter, EIllegalParameter, EIllegalParameter, 1, "illegal parameter"},
167 {EUnknownCa, EHandshakeFailure, EUnknownCa, 1, "unknown certificate authority"},
168 {EAccessDenied, EHandshakeFailure, EAccessDenied, 1, "access denied"},
169 {EDecodeError, EIllegalParameter, EDecodeError, 1, "error decoding message"},
170 {EDecryptError, EIllegalParameter, EDecryptError, 1, "error decrypting message"},
171 {EExportRestriction, EHandshakeFailure, EExportRestriction, 1, "export restriction violated"},
172 {EProtocolVersion, EIllegalParameter, EProtocolVersion, 1, "protocol version not supported"},
173 {EInsufficientSecurity, EHandshakeFailure, EInsufficientSecurity, 1, "stronger security routines required"},
174 {EInternalError, EHandshakeFailure, EInternalError, 1, "internal error"},
175 {EUserCanceled, ECloseNotify, EUserCanceled, 0, "handshake canceled by user"},
176 {ENoRenegotiation, EUnexpectedMessage, ENoRenegotiation, 0, "no renegotiation"},
181 /* max. open tls connections */
187 static int maxtlsdevs = 128;
188 static TlsRec **tlsdevs;
189 static char **trnames;
190 static char *encalgs;
191 static char *hashalgs;
194 Qtopdir = 1, /* top level directory */
199 Qconvdir, /* directory for a conversation */
207 #define TYPE(x) ((x).path & 0xf)
208 #define CONV(x) (((x).path >> 5)&(MaxTlsDevs-1))
209 #define QID(c, y) (((c)<<5) | (y))
211 static void checkstate(TlsRec *, int, int);
212 static void ensure(TlsRec*, Block**, int);
213 static void consume(Block**, uchar*, int);
214 static Chan* buftochan(char*);
215 static void tlshangup(TlsRec*);
216 static void tlsError(TlsRec*, char *);
217 static void alertHand(TlsRec*, char *);
218 static TlsRec *newtls(Chan *c);
219 static TlsRec *mktlsrec(void);
220 static DigestState*sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
221 static DigestState*sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
222 static DigestState*nomac(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
223 static void sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
224 static void tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
225 static void put64(uchar *p, vlong x);
226 static void put32(uchar *p, u32int);
227 static void put24(uchar *p, int);
228 static void put16(uchar *p, int);
229 static u32int get32(uchar *p);
230 static int get16(uchar *p);
231 static void tlsSetState(TlsRec *tr, int new, int old);
232 static void rcvAlert(TlsRec *tr, int err);
233 static void sendAlert(TlsRec *tr, int err);
234 static void rcvError(TlsRec *tr, int err, char *msg, ...);
235 static int rc4enc(Secret *sec, uchar *buf, int n);
236 static int des3enc(Secret *sec, uchar *buf, int n);
237 static int des3dec(Secret *sec, uchar *buf, int n);
238 static int aesenc(Secret *sec, uchar *buf, int n);
239 static int aesdec(Secret *sec, uchar *buf, int n);
240 static int noenc(Secret *sec, uchar *buf, int n);
241 static int sslunpad(uchar *buf, int n, int block);
242 static int tlsunpad(uchar *buf, int n, int block);
243 static void freeSec(Secret *sec);
244 static char *tlsstate(int s);
245 static void pdump(int, void*, char*);
247 #pragma varargck argpos rcvError 3
249 static char *tlsnames[] = {
251 [Qencalgs] "encalgs",
252 [Qhashalgs] "hashalgs",
260 static int convdir[] = { Qctl, Qdata, Qhand, Qstatus, Qstats };
263 tlsgen(Chan *c, char*, Dirtab *, int, int s, Dir *dp)
277 q.path = QID(0, Qtopdir);
279 devdir(c, q, "#a", 0, eve, 0555, dp);
284 q.path = QID(0, Qprotodir);
286 devdir(c, q, "tls", 0, eve, 0555, dp);
290 q.path = QID(0, Qtopdir);
292 devdir(c, q, ".", 0, eve, 0555, dp);
300 q.path = QID(0, Qclonus);
303 q.path = QID(0, Qencalgs);
306 q.path = QID(0, Qhashalgs);
310 if(TYPE(q) == Qclonus)
312 devdir(c, q, tlsnames[TYPE(q)], 0, eve, perm, dp);
318 q.path = QID(s, Qconvdir);
326 if((name = trnames[s]) == nil){
327 name = trnames[s] = smalloc(16);
328 sprint(name, "%d", s);
330 devdir(c, q, name, 0, nm, 0555, dp);
335 q.path = QID(0, Qprotodir);
337 devdir(c, q, "tls", 0, eve, 0555, dp);
340 if(s < 0 || s >= nelem(convdir))
343 tr = tlsdevs[CONV(c->qid)];
352 if(t == Qstatus || t == Qstats)
354 q.path = QID(CONV(c->qid), t);
355 devdir(c, q, tlsnames[t], 0, nm, perm, dp);
364 devdir(c, c->qid, tlsnames[t], 0, eve, perm, dp);
368 tr = tlsdevs[CONV(c->qid)];
376 if(t == Qstatus || t == Qstats)
378 devdir(c, c->qid, tlsnames[t], 0, nm, perm, dp);
385 tlsattach(char *spec)
389 c = devattach('a', spec);
390 c->qid.path = QID(0, Qtopdir);
397 tlswalk(Chan *c, Chan *nc, char **name, int nname)
399 return devwalk(c, nc, name, nname, nil, 0, tlsgen);
403 tlsstat(Chan *c, uchar *db, int n)
405 return devstat(c, db, n, nil, 0, tlsgen);
409 tlsopen(Chan *c, int omode)
448 if((t == Qstatus || t == Qstats) && omode != OREAD)
455 pp = &tlsdevs[CONV(c->qid)];
458 error("must open connection using clone");
459 if((perm & (tr->perm>>6)) != perm
460 && (strcmp(up->user, tr->user) != 0
461 || (perm & tr->perm) != perm))
471 tr->handq = qopen(2 * MaxCipherRecLen, 0, nil, nil);
473 error("cannot allocate handshake queue");
488 c->mode = openmode(omode);
491 c->iounit = qiomaxatomic;
496 tlswstat(Chan *c, uchar *dp, int n)
510 tr = tlsdevs[CONV(c->qid)];
513 if(strcmp(tr->user, up->user) != 0)
516 d = smalloc(n + sizeof *d);
517 rv = convM2D(dp, n, &d[0], (char*) &d[1]);
520 if(!emptystr(d->uid))
521 kstrdup(&tr->user, d->uid);
536 if(--tr->hqref == 0){
537 if(tr->handq != nil){
541 if(tr->hprocessed != nil){
542 freeb(tr->hprocessed);
543 tr->hprocessed = nil;
562 if((c->flag & COPEN) == 0)
565 tr = tlsdevs[CONV(c->qid)];
577 tlsdevs[CONV(c->qid)] = nil;
580 if(tr->c != nil && !waserror()){
581 checkstate(tr, 0, SOpen|SHandshake|SRClose);
582 sendAlert(tr, ECloseNotify);
590 freeSec(tr->out.sec);
591 freeSec(tr->out.new);
599 * make sure we have at least 'n' bytes in list 'l'
602 ensure(TlsRec *s, Block **l, int n)
608 for(b = *l; b; b = b->next){
616 bl = devtab[s->c->type]->bread(s->c, MaxCipherRecLen + RecHdrLen, 0);
621 for(b = bl; b; b = b->next){
629 if(s->debug) pprint("ensure read %d\n", sofar);
633 * copy 'n' bytes from 'l' into 'p' and free
637 consume(Block **l, uchar *p, int n)
642 for(; *l && n > 0; n -= i){
647 memmove(p, b->rp, i);
663 regurgitate(TlsRec *s, uchar *p, int n)
670 if(s->unprocessed == nil || b->rp - b->base < n) {
672 memmove(b->wp, p, n);
674 b->next = s->unprocessed;
678 memmove(b->rp, p, n);
683 * remove at most n bytes from the queue
686 qgrab(Block **l, int n)
699 for(bb = b; bb != nil && i < n; bb = bb->next)
705 consume(l, bb->wp, i);
711 tlsclosed(TlsRec *tr, int new)
714 if(tr->state == SOpen || tr->state == SHandshake)
716 else if((new | tr->state) == (SRClose|SLClose))
718 unlock(&tr->statelk);
719 alertHand(tr, "close notify");
723 * read and process one tls record layer message
724 * must be called with tr->in.io held
725 * We can't let Eintrs lose data, since doing so will get
726 * us out of sync with the sender and break the reliablity
727 * of the channel. Eintr only happens during the reads in
728 * consume. Therefore we put back any bytes consumed before
729 * the last call to ensure.
732 tlsrecread(TlsRec *tr)
736 uchar *p, seq[8], header[RecHdrLen], hmac[MaxMacLen];
737 int volatile nconsumed;
738 int len, type, ver, unpad_len;
742 if(strcmp(up->errstr, Eintr) == 0 && !waserror()){
743 regurgitate(tr, header, nconsumed);
746 tlsError(tr, "channel error");
749 ensure(tr, &tr->unprocessed, RecHdrLen);
750 consume(&tr->unprocessed, header, RecHdrLen);
751 if(tr->debug)pprint("consumed %d header\n", RecHdrLen);
752 nconsumed = RecHdrLen;
754 if((tr->handin == 0) && (header[0] & 0x80)){
755 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
756 This is sent by some clients that we must interoperate
757 with, such as Java's JSSE and Microsoft's Internet Explorer. */
758 len = (get16(header) & ~0x8000) - 3;
760 ver = get16(header + 3);
761 if(type != SSL2ClientHello || len < 22)
762 rcvError(tr, EProtocolVersion, "invalid initial SSL2-like message");
763 }else{ /* normal SSL3 record format */
765 ver = get16(header+1);
766 len = get16(header+3);
768 if(ver != tr->version && (tr->verset || ver < MinProtoVersion || ver > MaxProtoVersion))
769 rcvError(tr, EProtocolVersion, "devtls expected ver=%x%s, saw (len=%d) type=%x ver=%x '%.12s'",
770 tr->version, tr->verset?"/set":"", len, type, ver, (char*)header);
771 if(len > MaxCipherRecLen || len < 0)
772 rcvError(tr, ERecordOverflow, "record message too long %d", len);
773 ensure(tr, &tr->unprocessed, len);
778 * If an Eintr happens after this, we'll get out of sync.
779 * Make sure nothing we call can sleep.
780 * Errors are ok, as they kill the connection.
781 * Luckily, allocb won't sleep, it'll just error out.
787 tlsError(tr, "channel error");
790 b = qgrab(&tr->unprocessed, len);
791 if(tr->debug) pprint("consumed unprocessed %d\n", len);
795 qunlock(&in->seclock);
801 /* to avoid Canvel-Hiltgen-Vaudenay-Vuagnoux attack, all errors here
802 should look alike, including timing of the response. */
803 unpad_len = (*in->sec->dec)(in->sec, p, len);
806 if(tr->version >= TLS11Version){
807 len -= in->sec->block;
809 rcvError(tr, EDecodeError, "runt record message");
811 unpad_len -= in->sec->block;
815 if(unpad_len >= in->sec->maclen)
816 len = unpad_len - in->sec->maclen;
818 if(tr->debug) pprint("decrypted %d\n", unpad_len);
819 if(tr->debug) pdump(unpad_len, p, "decrypted:");
822 put16(header+3, len);
825 (*tr->packMac)(in->sec, in->sec->mackey, seq, header, p, len, hmac);
826 if(unpad_len < in->sec->maclen)
827 rcvError(tr, EBadRecordMac, "short record mac");
828 if(constcmp(hmac, p+len, in->sec->maclen) != 0)
829 rcvError(tr, EBadRecordMac, "record mac mismatch");
833 qunlock(&in->seclock);
836 rcvError(tr, EDecodeError, "runt record message");
840 rcvError(tr, EIllegalParameter, "invalid record message %#x", type);
842 case RChangeCipherSpec:
843 if(len != 1 || p[0] != 1)
844 rcvError(tr, EDecodeError, "invalid change cipher spec");
847 qunlock(&in->seclock);
848 rcvError(tr, EUnexpectedMessage, "unexpected change cipher spec");
854 qunlock(&in->seclock);
858 rcvError(tr, EDecodeError, "invalid alert");
862 rcvError(tr, EIllegalParameter, "invalid alert fatal code");
865 * propagate non-fatal alerts to handshaker
869 tlsclosed(tr, SRClose);
872 error("close notify");
874 case ENoRenegotiation:
875 alertHand(tr, "no renegotiation");
878 alertHand(tr, "handshake canceled by user");
880 case EUnrecognizedName:
881 /* happens in response to SNI, can be ignored. */
884 rcvError(tr, EIllegalParameter, "invalid alert code");
889 * don't worry about dropping the block
890 * qbwrite always queues even if flow controlled and interrupted.
892 * if there isn't any handshaker, ignore the request,
893 * but notify the other side we are doing so.
896 if(tr->handq != nil){
905 qbwrite(tr->handq, b);
911 if(tr->verset && tr->version != SSL3Version && !waserror()){
912 sendAlert(tr, ENoRenegotiation);
917 case SSL2ClientHello:
919 if(tr->handq != nil){
926 /* Pass the SSL2 format data, so that the handshake code can compute
927 the correct checksums. HSSL2ClientHello = HandshakeType 9 is
928 unused in RFC2246. */
930 b->rp[0] = RHandshake;
931 b->rp[1] = HSSL2ClientHello;
932 put24(&b->rp[2], len+3);
933 b->rp[5] = SSL2ClientHello;
934 put16(&b->rp[6], ver);
935 qbwrite(tr->handq, b);
941 if(tr->verset && tr->version != SSL3Version && !waserror()){
942 sendAlert(tr, ENoRenegotiation);
949 rcvError(tr, EUnexpectedMessage, "application message received before handshake completed");
962 * got a fatal alert message
965 rcvAlert(TlsRec *tr, int err)
971 for(i=0; i < nelem(tlserrs); i++){
972 if(tlserrs[i].err == err){
977 if(tr->debug) pprint("rcvAlert: %s\n", s);
986 * found an error while decoding the input stream
989 rcvError(TlsRec *tr, int err, char *fmt, ...)
995 vseprint(msg, msg+sizeof(msg), fmt, arg);
997 if(tr->debug) pprint("rcvError: %s\n", msg);
1007 * make sure the next hand operation returns with a 'msg' error
1010 alertHand(TlsRec *tr, char *msg)
1016 if(tr->handq == nil){
1017 unlock(&tr->hqlock);
1021 unlock(&tr->hqlock);
1030 memmove(b->wp, msg, n + 1);
1033 qbwrite(tr->handq, b);
1040 checkstate(TlsRec *tr, int ishand, int ok)
1046 unlock(&tr->statelk);
1061 error("tls hungup");
1063 error("tls improperly configured");
1067 tlsbread(Chan *c, long n, ulong offset)
1071 TlsRec *volatile tr;
1076 return devbread(c, n, offset);
1082 tr = tlsdevs[CONV(c->qid)];
1087 qunlock(&tr->in.io);
1092 checkstate(tr, 0, SOpen);
1093 while(tr->processed == nil)
1096 /* return at most what was asked for */
1097 b = qgrab(&tr->processed, n);
1098 if(tr->debug) pprint("consumed processed %ld\n", BLEN(b));
1099 if(tr->debug) pdump(BLEN(b), b->rp, "consumed:");
1100 qunlock(&tr->in.io);
1102 tr->datain += BLEN(b);
1104 checkstate(tr, 1, SOpen|SHandshake|SLClose);
1107 * it's ok to look at state without the lock
1108 * since it only protects reading records,
1109 * and we have that tr->in.io held.
1111 while(!tr->opened && tr->hprocessed == nil && !qcanread(tr->handq))
1114 qunlock(&tr->in.io);
1118 qunlock(&tr->hqread);
1122 if(tr->hprocessed == nil){
1123 b = qbread(tr->handq, MaxRecLen + 1);
1124 if(*b->rp++ == RAlert){
1125 kstrcpy(up->errstr, (char*)b->rp, ERRMAX);
1131 b = qgrab(&tr->hprocessed, n);
1133 qunlock(&tr->hqread);
1134 tr->handin += BLEN(b);
1141 tlsread(Chan *c, void *a, long n, vlong off)
1151 if(c->qid.type & QTDIR)
1152 return devdirread(c, a, n, 0, 0, tlsgen);
1154 tr = tlsdevs[CONV(c->qid)];
1160 buf = smalloc(Statlen);
1161 qlock(&tr->in.seclock);
1162 qlock(&tr->out.seclock);
1165 s = seprint(s, e, "State: %s\n", tlsstate(tr->state));
1166 s = seprint(s, e, "Version: %#x\n", tr->version);
1167 if(tr->in.sec != nil)
1168 s = seprint(s, e, "EncIn: %s\nHashIn: %s\n", tr->in.sec->encalg, tr->in.sec->hashalg);
1169 if(tr->in.new != nil)
1170 s = seprint(s, e, "NewEncIn: %s\nNewHashIn: %s\n", tr->in.new->encalg, tr->in.new->hashalg);
1171 if(tr->out.sec != nil)
1172 s = seprint(s, e, "EncOut: %s\nHashOut: %s\n", tr->out.sec->encalg, tr->out.sec->hashalg);
1173 if(tr->out.new != nil)
1174 seprint(s, e, "NewEncOut: %s\nNewHashOut: %s\n", tr->out.new->encalg, tr->out.new->hashalg);
1175 qunlock(&tr->in.seclock);
1176 qunlock(&tr->out.seclock);
1177 n = readstr(offset, a, n, buf);
1181 buf = smalloc(Statlen);
1184 s = seprint(s, e, "DataIn: %lld\n", tr->datain);
1185 s = seprint(s, e, "DataOut: %lld\n", tr->dataout);
1186 s = seprint(s, e, "HandIn: %lld\n", tr->handin);
1187 seprint(s, e, "HandOut: %lld\n", tr->handout);
1188 n = readstr(offset, a, n, buf);
1192 buf = smalloc(Statlen);
1193 snprint(buf, Statlen, "%llud", CONV(c->qid));
1194 n = readstr(offset, a, n, buf);
1199 b = tlsbread(c, n, offset);
1202 return readstr(offset, a, n, encalgs);
1204 return readstr(offset, a, n, hashalgs);
1214 for(nb = b; nb; nb = nb->next){
1216 memmove(va+n, nb->rp, i);
1227 randfill(uchar *buf, int len)
1230 *buf++ = nrand(256);
1234 * write a block in tls records
1237 tlsrecwrite(TlsRec *tr, int type, Block *b)
1242 OneWay *volatile out;
1243 int n, ivlen, maclen, pad, ok;
1254 if(tr->debug)pprint("send %ld\n", BLEN(b));
1255 if(tr->debug)pdump(BLEN(b), b->rp, "sent:");
1258 ok = SHandshake|SOpen|SRClose;
1262 checkstate(tr, type != RApplication, ok);
1265 * get at most one maximal record's input,
1266 * with padding on the front for header and
1267 * back for mac and maximal block padding.
1270 qunlock(&out->seclock);
1273 qlock(&out->seclock);
1277 if(out->sec != nil){
1278 maclen = out->sec->maclen;
1279 pad = maclen + out->sec->block;
1280 if(tr->version >= TLS11Version)
1281 ivlen = out->sec->block;
1286 nb = allocb(RecHdrLen + ivlen + n + pad);
1287 memmove(nb->wp + RecHdrLen + ivlen, bb->rp, n);
1291 * carefully reuse bb so it will get freed if we're out of memory
1293 bb = padblock(bb, RecHdrLen + ivlen);
1295 nb = padblock(bb, -pad);
1303 put16(p+1, tr->version);
1306 if(out->sec != nil){
1307 put64(seq, out->seq);
1309 (*tr->packMac)(out->sec, out->sec->mackey, seq, p, p + RecHdrLen + ivlen, n, p + RecHdrLen + ivlen + n);
1314 randfill(p + RecHdrLen, ivlen);
1319 n = (*out->sec->enc)(out->sec, p + RecHdrLen, n);
1320 nb->wp = p + RecHdrLen + n;
1325 if(type == RChangeCipherSpec){
1327 error("change cipher without a new cipher");
1329 out->sec = out->new;
1333 qunlock(&out->seclock);
1337 * if bwrite error's, we assume the block is queued.
1338 * if not, we're out of sync with the receiver and will not recover.
1341 if(strcmp(up->errstr, "interrupted") != 0)
1342 tlsError(tr, "channel error");
1345 devtab[tr->c->type]->bwrite(tr->c, nb, 0);
1353 tlsbwrite(Chan *c, Block *b, ulong offset)
1361 tr = tlsdevs[CONV(c->qid)];
1368 return devbwrite(c, b, offset);
1370 tlsrecwrite(tr, RHandshake, b);
1374 checkstate(tr, 0, SOpen);
1375 tlsrecwrite(tr, RApplication, b);
1383 typedef struct Hashalg Hashalg;
1388 void (*initkey)(Hashalg *, int, Secret *, uchar*);
1392 initmd5key(Hashalg *ha, int version, Secret *s, uchar *p)
1394 s->maclen = ha->maclen;
1395 if(version == SSL3Version)
1396 s->mac = sslmac_md5;
1399 memmove(s->mackey, p, ha->maclen);
1403 initclearmac(Hashalg *, int, Secret *s, uchar *)
1410 initsha1key(Hashalg *ha, int version, Secret *s, uchar *p)
1412 s->maclen = ha->maclen;
1413 if(version == SSL3Version)
1414 s->mac = sslmac_sha1;
1417 memmove(s->mackey, p, ha->maclen);
1420 static Hashalg hashtab[] =
1422 { "clear", 0, initclearmac, },
1423 { "md5", MD5dlen, initmd5key, },
1424 { "sha1", SHA1dlen, initsha1key, },
1429 parsehashalg(char *p)
1433 for(ha = hashtab; ha->name; ha++)
1434 if(strcmp(p, ha->name) == 0)
1436 error("unsupported hash algorithm");
1440 typedef struct Encalg Encalg;
1446 void (*initkey)(Encalg *ea, Secret *, uchar*, uchar*);
1450 initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *)
1452 s->enckey = smalloc(sizeof(RC4state));
1456 setupRC4state(s->enckey, p, ea->keylen);
1460 initDES3key(Encalg *, Secret *s, uchar *p, uchar *iv)
1462 s->enckey = smalloc(sizeof(DES3state));
1466 setupDES3state(s->enckey, (uchar(*)[8])p, iv);
1470 initAESkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
1472 s->enckey = smalloc(sizeof(AESstate));
1476 setupAESstate(s->enckey, p, ea->keylen, iv);
1480 initclearenc(Encalg *, Secret *s, uchar *, uchar *)
1487 static Encalg encrypttab[] =
1489 { "clear", 0, 0, initclearenc },
1490 { "rc4_128", 128/8, 0, initRC4key },
1491 { "3des_ede_cbc", 3 * 8, 8, initDES3key },
1492 { "aes_128_cbc", 128/8, 16, initAESkey },
1493 { "aes_256_cbc", 256/8, 16, initAESkey },
1498 parseencalg(char *p)
1502 for(ea = encrypttab; ea->name; ea++)
1503 if(strcmp(p, ea->name) == 0)
1505 error("unsupported encryption algorithm");
1510 tlswrite(Chan *c, void *a, long n, vlong off)
1514 TlsRec *volatile tr;
1515 Secret *volatile tos, *volatile toc;
1517 Cmdbuf *volatile cb;
1523 tr = tlsdevs[CONV(c->qid)];
1543 memmove(b->wp, p, m);
1547 tlsbwrite(c, b, offset);
1559 cb = parsecmd(a, n);
1565 error("short control request");
1567 /* mutex with operations using what we're about to change */
1569 qunlock(&tr->in.seclock);
1570 qunlock(&tr->out.seclock);
1573 qlock(&tr->in.seclock);
1574 qlock(&tr->out.seclock);
1576 if(strcmp(cb->f[0], "fd") == 0){
1578 error("usage: fd open-fd version");
1581 m = strtol(cb->f[2], nil, 0);
1582 if(m < MinProtoVersion || m > MaxProtoVersion)
1583 error("unsupported version");
1584 tr->c = buftochan(cb->f[1]);
1586 tlsSetState(tr, SHandshake, SClosed);
1587 }else if(strcmp(cb->f[0], "version") == 0){
1589 error("usage: version vers");
1591 error("must set fd before version");
1593 error("version already set");
1594 m = strtol(cb->f[1], nil, 0);
1595 if(m < MinProtoVersion || m > MaxProtoVersion)
1596 error("unsupported version");
1597 if(m == SSL3Version)
1598 tr->packMac = sslPackMac;
1600 tr->packMac = tlsPackMac;
1603 }else if(strcmp(cb->f[0], "secret") == 0){
1605 error("usage: secret hashalg encalg isclient secretdata");
1606 if(tr->c == nil || !tr->verset)
1607 error("must set fd and version before secrets");
1609 if(tr->in.new != nil){
1610 freeSec(tr->in.new);
1613 if(tr->out.new != nil){
1614 freeSec(tr->out.new);
1618 ha = parsehashalg(cb->f[1]);
1619 ea = parseencalg(cb->f[2]);
1622 m = (strlen(p)*3)/2;
1632 m = dec64(x, m, p, strlen(p));
1633 if(m < 2 * ha->maclen + 2 * ea->keylen + 2 * ea->ivlen)
1634 error("not enough secret data provided");
1636 tos = smalloc(sizeof(Secret));
1637 toc = smalloc(sizeof(Secret));
1638 if(!ha->initkey || !ea->initkey)
1639 error("misimplemented secret algorithm");
1640 (*ha->initkey)(ha, tr->version, tos, &x[0]);
1641 (*ha->initkey)(ha, tr->version, toc, &x[ha->maclen]);
1642 (*ea->initkey)(ea, tos, &x[2 * ha->maclen], &x[2 * ha->maclen + 2 * ea->keylen]);
1643 (*ea->initkey)(ea, toc, &x[2 * ha->maclen + ea->keylen], &x[2 * ha->maclen + 2 * ea->keylen + ea->ivlen]);
1645 if(!tos->mac || !tos->enc || !tos->dec
1646 || !toc->mac || !toc->enc || !toc->dec)
1647 error("missing algorithm implementations");
1648 if(strtol(cb->f[3], nil, 0) == 0){
1655 if(tr->version == SSL3Version){
1656 toc->unpad = sslunpad;
1657 tos->unpad = sslunpad;
1659 toc->unpad = tlsunpad;
1660 tos->unpad = tlsunpad;
1662 toc->encalg = ea->name;
1663 toc->hashalg = ha->name;
1664 tos->encalg = ea->name;
1665 tos->hashalg = ha->name;
1669 }else if(strcmp(cb->f[0], "changecipher") == 0){
1671 error("usage: changecipher");
1672 if(tr->out.new == nil)
1673 error("cannot change cipher spec without setting secret");
1675 qunlock(&tr->in.seclock);
1676 qunlock(&tr->out.seclock);
1682 * the real work is done as the message is written
1683 * so the stream is encrypted in sync.
1687 tlsrecwrite(tr, RChangeCipherSpec, b);
1689 }else if(strcmp(cb->f[0], "opened") == 0){
1691 error("usage: opened");
1692 if(tr->in.sec == nil || tr->out.sec == nil)
1693 error("cipher must be configured before enabling data messages");
1695 if(tr->state != SHandshake && tr->state != SOpen){
1696 unlock(&tr->statelk);
1697 error("cannot enable data messages");
1700 unlock(&tr->statelk);
1702 }else if(strcmp(cb->f[0], "alert") == 0){
1704 error("usage: alert n");
1706 error("must set fd before sending alerts");
1707 m = strtol(cb->f[1], nil, 0);
1709 qunlock(&tr->in.seclock);
1710 qunlock(&tr->out.seclock);
1717 if(m == ECloseNotify)
1718 tlsclosed(tr, SLClose);
1721 } else if(strcmp(cb->f[0], "debug") == 0){
1723 if(strcmp(cb->f[1], "on") == 0)
1732 qunlock(&tr->in.seclock);
1733 qunlock(&tr->out.seclock);
1751 fmtinstall('H', encodefmt);
1755 tlsdevs = smalloc(sizeof(TlsRec*) * maxtlsdevs);
1756 trnames = smalloc((sizeof *trnames) * maxtlsdevs);
1759 for(e = encrypttab; e->name != nil; e++)
1760 n += strlen(e->name) + 1;
1761 cp = encalgs = smalloc(n);
1762 for(e = encrypttab;;){
1763 strcpy(cp, e->name);
1764 cp += strlen(e->name);
1773 for(h = hashtab; h->name != nil; h++)
1774 n += strlen(h->name) + 1;
1775 cp = hashalgs = smalloc(n);
1777 strcpy(cp, h->name);
1778 cp += strlen(h->name);
1808 /* get channel associated with an fd */
1817 fd = strtoul(p, 0, 0);
1820 c = fdtochan(fd, -1, 0, 1); /* error check and inc ref */
1825 sendAlert(TlsRec *tr, int err)
1831 if(tr->debug)pprint("sendAlert %d\n", err);
1833 msg = "tls unknown alert";
1834 for(i=0; i < nelem(tlserrs); i++) {
1835 if(tlserrs[i].err == err) {
1836 msg = tlserrs[i].msg;
1837 if(tr->version == SSL3Version)
1838 err = tlserrs[i].sslerr;
1840 err = tlserrs[i].tlserr;
1841 fatal = tlserrs[i].fatal;
1848 *b->wp++ = fatal + 1;
1851 tlsSetState(tr, SAlert, SOpen|SHandshake|SRClose);
1852 tlsrecwrite(tr, RAlert, b);
1860 tlsError(TlsRec *tr, char *msg)
1864 if(tr->debug)pprint("tlsError %s\n", msg);
1869 strncpy(tr->err, msg, ERRMAX - 1);
1870 tr->err[ERRMAX - 1] = '\0';
1872 unlock(&tr->statelk);
1878 tlsSetState(TlsRec *tr, int new, int old)
1883 unlock(&tr->statelk);
1886 /* hand up a digest connection */
1888 tlshangup(TlsRec *tr)
1893 for(b = tr->processed; b; b = tr->processed){
1894 tr->processed = b->next;
1897 if(tr->unprocessed != nil){
1898 freeb(tr->unprocessed);
1899 tr->unprocessed = nil;
1901 qunlock(&tr->in.io);
1903 tlsSetState(tr, SClosed, ~0);
1909 TlsRec **pp, **ep, **np;
1918 ep = &tlsdevs[maxtlsdevs];
1919 for(pp = tlsdevs; pp < ep; pp++)
1923 if(maxtlsdevs >= MaxTlsDevs) {
1928 newmax = 2 * maxtlsdevs;
1929 if(newmax > MaxTlsDevs)
1930 newmax = MaxTlsDevs;
1931 np = smalloc(sizeof(TlsRec*) * newmax);
1932 memmove(np, tlsdevs, sizeof(TlsRec*) * maxtlsdevs);
1934 pp = &tlsdevs[maxtlsdevs];
1935 memset(pp, 0, sizeof(TlsRec*)*(newmax - maxtlsdevs));
1937 nmp = smalloc(sizeof *nmp * newmax);
1938 memmove(nmp, trnames, sizeof *nmp * maxtlsdevs);
1941 maxtlsdevs = newmax;
1944 if(pp - tlsdevs >= tdhiwat)
1949 ch->qid.path = QID(pp - tlsdevs, t);
1961 tr = mallocz(sizeof(*tr), 1);
1964 tr->state = SClosed;
1966 kstrdup(&tr->user, up->user);
1976 return "Handshaking";
1978 return "Established";
1980 return "RemoteClosed";
1982 return "LocalClosed";
2003 noenc(Secret *, uchar *, int n)
2009 rc4enc(Secret *sec, uchar *buf, int n)
2011 rc4(sec->enckey, buf, n);
2016 tlsunpad(uchar *buf, int n, int block)
2022 if(nn <= 0 || n % block)
2025 if(pad != buf[n - 1])
2031 sslunpad(uchar *buf, int n, int block)
2037 if(nn <= 0 || n % block)
2043 blockpad(uchar *buf, int n, int block)
2056 des3enc(Secret *sec, uchar *buf, int n)
2058 n = blockpad(buf, n, 8);
2059 des3CBCencrypt(buf, n, sec->enckey);
2064 des3dec(Secret *sec, uchar *buf, int n)
2066 des3CBCdecrypt(buf, n, sec->enckey);
2067 return (*sec->unpad)(buf, n, 8);
2071 aesenc(Secret *sec, uchar *buf, int n)
2073 n = blockpad(buf, n, 16);
2074 aesCBCencrypt(buf, n, sec->enckey);
2079 aesdec(Secret *sec, uchar *buf, int n)
2081 aesCBCdecrypt(buf, n, sec->enckey);
2082 return (*sec->unpad)(buf, n, 16);
2086 nomac(uchar *, ulong, uchar *, ulong, uchar *, DigestState *)
2092 * sslmac: mac calculations for ssl 3.0 only; tls 1.0 uses the standard hmac.
2095 sslmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s,
2096 DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen, int padlen)
2099 uchar pad[48], innerdigest[20];
2101 if(xlen > sizeof(innerdigest)
2102 || padlen > sizeof(pad))
2108 /* first time through */
2110 for(i=0; i<padlen; i++)
2112 s = (*x)(key, klen, nil, nil);
2113 s = (*x)(pad, padlen, nil, s);
2118 s = (*x)(p, len, nil, s);
2122 /* last time through */
2123 for(i=0; i<padlen; i++)
2125 (*x)(nil, 0, innerdigest, s);
2126 s = (*x)(key, klen, nil, nil);
2127 s = (*x)(pad, padlen, nil, s);
2128 (*x)(innerdigest, xlen, digest, s);
2133 sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2135 return sslmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen, 40);
2139 sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2141 return sslmac_x(p, len, key, klen, digest, s, md5, MD5dlen, 48);
2145 sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
2150 memmove(buf, seq, 8);
2153 buf[10] = header[4];
2155 s = (*sec->mac)(buf, 11, mackey, sec->maclen, 0, 0);
2156 (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
2160 tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
2165 memmove(buf, seq, 8);
2166 memmove(&buf[8], header, 5);
2168 s = (*sec->mac)(buf, 13, mackey, sec->maclen, 0, 0);
2169 (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
2173 put32(uchar *p, u32int x)
2182 put64(uchar *p, vlong x)
2184 put32(p, (u32int)(x >> 32));
2185 put32(p+4, (u32int)x);
2189 put24(uchar *p, int x)
2197 put16(uchar *p, int x)
2206 return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2212 return (p[0]<<8)|p[1];
2215 static char *charmap = "0123456789abcdef";
2218 pdump(int len, void *a, char *tag)
2228 q = buf + strlen(tag);
2229 for(i = 0; len > 0 && i < 32; i++){
2230 if(*p >= ' ' && *p < 0x7f){
2234 *q++ = charmap[*p>>4];
2235 *q++ = charmap[*p & 0xf];
2243 pprint("%s...\n", buf);
2245 pprint("%s\n", buf);