2 * devtls - record layer for transport layer security 1.0 and secure sockets layer 3.0
5 #include "../port/lib.h"
9 #include "../port/error.h"
13 typedef struct OneWay OneWay;
14 typedef struct Secret Secret;
15 typedef struct TlsRec TlsRec;
16 typedef struct TlsErrs TlsErrs;
19 Statlen= 1024, /* max. length of status or stats message */
21 MaxRecLen = 1<<14, /* max payload length of a record layer message */
22 MaxCipherRecLen = MaxRecLen + 2048,
26 /* protocol versions we can accept */
29 ProtocolVersion = 0x0301, /* maximum version we speak */
30 MinProtoVersion = 0x0300, /* limits on version we accept */
31 MaxProtoVersion = 0x03ff,
33 /* connection states */
34 SHandshake = 1 << 0, /* doing handshake */
35 SOpen = 1 << 1, /* application data can be sent */
36 SRClose = 1 << 2, /* remote side has closed down */
37 SLClose = 1 << 3, /* sent a close notify alert */
38 SAlert = 1 << 5, /* sending or sent a fatal alert */
39 SError = 1 << 6, /* some sort of error has occured */
40 SClosed = 1 << 7, /* it is all over */
43 RChangeCipherSpec = 20,
49 HSSL2ClientHello = 9, /* local convention; see tlshand.c */
53 EUnexpectedMessage = 10,
55 EDecryptionFailed = 21,
57 EDecompressionFailure = 30,
58 EHandshakeFailure = 40,
61 EUnsupportedCertificate = 43,
62 ECertificateRevoked = 44,
63 ECertificateExpired = 45,
64 ECertificateUnknown = 46,
65 EIllegalParameter = 47,
70 EExportRestriction = 60,
71 EProtocolVersion = 70,
72 EInsufficientSecurity = 71,
75 ENoRenegotiation = 100,
76 EUnrecognizedName = 112,
83 char *encalg; /* name of encryption alg */
84 char *hashalg; /* name of hash alg */
85 int (*enc)(Secret*, uchar*, int);
86 int (*dec)(Secret*, uchar*, int);
87 int (*unpad)(uchar*, int, int);
88 DigestState *(*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
89 int block; /* encryption block len, 0 if none */
92 uchar mackey[MaxMacLen];
97 QLock io; /* locks io access */
98 QLock seclock; /* locks secret paramaters */
100 Secret *sec; /* cipher in use */
101 Secret *new; /* cipher waiting for enable */
106 Chan *c; /* io channel */
107 int ref; /* serialized by tdlock for atomic destroy */
108 int version; /* version of the protocol we are speaking */
109 char verset; /* version has been set */
110 char opened; /* opened command every issued? */
111 char err[ERRMAX]; /* error message to return to handshake requests */
112 vlong handin; /* bytes communicated by the record layer */
121 /* record layer mac functions for different protocol versions */
122 void (*packMac)(Secret*, uchar*, uchar*, uchar*, uchar*, int, uchar*);
124 /* input side -- protected by in.io */
126 Block *processed; /* next bunch of application data */
127 Block *unprocessed; /* data read from c but not parsed into records */
129 /* handshake queue */
130 Lock hqlock; /* protects hqref, alloc & free of handq, hprocessed */
132 Queue *handq; /* queue of handshake messages */
133 Block *hprocessed; /* remainder of last block read from handq */
134 QLock hqread; /* protects reads for hprocessed, handq */
152 static TlsErrs tlserrs[] = {
153 {ECloseNotify, ECloseNotify, ECloseNotify, 0, "close notify"},
154 {EUnexpectedMessage, EUnexpectedMessage, EUnexpectedMessage, 1, "unexpected message"},
155 {EBadRecordMac, EBadRecordMac, EBadRecordMac, 1, "bad record mac"},
156 {EDecryptionFailed, EIllegalParameter, EDecryptionFailed, 1, "decryption failed"},
157 {ERecordOverflow, EIllegalParameter, ERecordOverflow, 1, "record too long"},
158 {EDecompressionFailure, EDecompressionFailure, EDecompressionFailure, 1, "decompression failed"},
159 {EHandshakeFailure, EHandshakeFailure, EHandshakeFailure, 1, "could not negotiate acceptable security parameters"},
160 {ENoCertificate, ENoCertificate, ECertificateUnknown, 1, "no appropriate certificate available"},
161 {EBadCertificate, EBadCertificate, EBadCertificate, 1, "corrupted or invalid certificate"},
162 {EUnsupportedCertificate, EUnsupportedCertificate, EUnsupportedCertificate, 1, "unsupported certificate type"},
163 {ECertificateRevoked, ECertificateRevoked, ECertificateRevoked, 1, "revoked certificate"},
164 {ECertificateExpired, ECertificateExpired, ECertificateExpired, 1, "expired certificate"},
165 {ECertificateUnknown, ECertificateUnknown, ECertificateUnknown, 1, "unacceptable certificate"},
166 {EIllegalParameter, EIllegalParameter, EIllegalParameter, 1, "illegal parameter"},
167 {EUnknownCa, EHandshakeFailure, EUnknownCa, 1, "unknown certificate authority"},
168 {EAccessDenied, EHandshakeFailure, EAccessDenied, 1, "access denied"},
169 {EDecodeError, EIllegalParameter, EDecodeError, 1, "error decoding message"},
170 {EDecryptError, EIllegalParameter, EDecryptError, 1, "error decrypting message"},
171 {EExportRestriction, EHandshakeFailure, EExportRestriction, 1, "export restriction violated"},
172 {EProtocolVersion, EIllegalParameter, EProtocolVersion, 1, "protocol version not supported"},
173 {EInsufficientSecurity, EHandshakeFailure, EInsufficientSecurity, 1, "stronger security routines required"},
174 {EInternalError, EHandshakeFailure, EInternalError, 1, "internal error"},
175 {EUserCanceled, ECloseNotify, EUserCanceled, 0, "handshake canceled by user"},
176 {ENoRenegotiation, EUnexpectedMessage, ENoRenegotiation, 0, "no renegotiation"},
181 /* max. open tls connections */
187 static int maxtlsdevs = 128;
188 static TlsRec **tlsdevs;
189 static char **trnames;
190 static char *encalgs;
191 static char *hashalgs;
194 Qtopdir = 1, /* top level directory */
199 Qconvdir, /* directory for a conversation */
207 #define TYPE(x) ((x).path & 0xf)
208 #define CONV(x) (((x).path >> 5)&(MaxTlsDevs-1))
209 #define QID(c, y) (((c)<<5) | (y))
211 static void checkstate(TlsRec *, int, int);
212 static void ensure(TlsRec*, Block**, int);
213 static void consume(Block**, uchar*, int);
214 static Chan* buftochan(char*);
215 static void tlshangup(TlsRec*);
216 static void tlsError(TlsRec*, char *);
217 static void alertHand(TlsRec*, char *);
218 static TlsRec *newtls(Chan *c);
219 static TlsRec *mktlsrec(void);
220 static DigestState*sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
221 static DigestState*sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
222 static DigestState*nomac(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
223 static void sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
224 static void tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
225 static void put64(uchar *p, vlong x);
226 static void put32(uchar *p, u32int);
227 static void put24(uchar *p, int);
228 static void put16(uchar *p, int);
229 static u32int get32(uchar *p);
230 static int get16(uchar *p);
231 static void tlsSetState(TlsRec *tr, int new, int old);
232 static void rcvAlert(TlsRec *tr, int err);
233 static void sendAlert(TlsRec *tr, int err);
234 static void rcvError(TlsRec *tr, int err, char *msg, ...);
235 static int rc4enc(Secret *sec, uchar *buf, int n);
236 static int des3enc(Secret *sec, uchar *buf, int n);
237 static int des3dec(Secret *sec, uchar *buf, int n);
238 static int aesenc(Secret *sec, uchar *buf, int n);
239 static int aesdec(Secret *sec, uchar *buf, int n);
240 static int noenc(Secret *sec, uchar *buf, int n);
241 static int sslunpad(uchar *buf, int n, int block);
242 static int tlsunpad(uchar *buf, int n, int block);
243 static void freeSec(Secret *sec);
244 static char *tlsstate(int s);
245 static void pdump(int, void*, char*);
247 #pragma varargck argpos rcvError 3
249 static char *tlsnames[] = {
251 [Qencalgs] "encalgs",
252 [Qhashalgs] "hashalgs",
260 static int convdir[] = { Qctl, Qdata, Qhand, Qstatus, Qstats };
263 tlsgen(Chan *c, char*, Dirtab *, int, int s, Dir *dp)
277 q.path = QID(0, Qtopdir);
279 devdir(c, q, "#a", 0, eve, 0555, dp);
284 q.path = QID(0, Qprotodir);
286 devdir(c, q, "tls", 0, eve, 0555, dp);
290 q.path = QID(0, Qtopdir);
292 devdir(c, q, ".", 0, eve, 0555, dp);
300 q.path = QID(0, Qclonus);
303 q.path = QID(0, Qencalgs);
306 q.path = QID(0, Qhashalgs);
310 if(TYPE(q) == Qclonus)
312 devdir(c, q, tlsnames[TYPE(q)], 0, eve, perm, dp);
318 q.path = QID(s, Qconvdir);
326 if((name = trnames[s]) == nil){
327 name = trnames[s] = smalloc(16);
328 sprint(name, "%d", s);
330 devdir(c, q, name, 0, nm, 0555, dp);
335 q.path = QID(0, Qprotodir);
337 devdir(c, q, "tls", 0, eve, 0555, dp);
340 if(s < 0 || s >= nelem(convdir))
343 tr = tlsdevs[CONV(c->qid)];
352 if(t == Qstatus || t == Qstats)
354 q.path = QID(CONV(c->qid), t);
355 devdir(c, q, tlsnames[t], 0, nm, perm, dp);
364 devdir(c, c->qid, tlsnames[t], 0, eve, perm, dp);
368 tr = tlsdevs[CONV(c->qid)];
376 if(t == Qstatus || t == Qstats)
378 devdir(c, c->qid, tlsnames[t], 0, nm, perm, dp);
385 tlsattach(char *spec)
389 c = devattach('a', spec);
390 c->qid.path = QID(0, Qtopdir);
397 tlswalk(Chan *c, Chan *nc, char **name, int nname)
399 return devwalk(c, nc, name, nname, nil, 0, tlsgen);
403 tlsstat(Chan *c, uchar *db, int n)
405 return devstat(c, db, n, nil, 0, tlsgen);
409 tlsopen(Chan *c, int omode)
448 if((t == Qstatus || t == Qstats) && omode != OREAD)
455 pp = &tlsdevs[CONV(c->qid)];
458 error("must open connection using clone");
459 if((perm & (tr->perm>>6)) != perm
460 && (strcmp(up->user, tr->user) != 0
461 || (perm & tr->perm) != perm))
471 tr->handq = qopen(2 * MaxCipherRecLen, 0, nil, nil);
473 error("cannot allocate handshake queue");
488 c->mode = openmode(omode);
491 c->iounit = qiomaxatomic;
496 tlswstat(Chan *c, uchar *dp, int n)
510 tr = tlsdevs[CONV(c->qid)];
513 if(strcmp(tr->user, up->user) != 0)
516 d = smalloc(n + sizeof *d);
517 rv = convM2D(dp, n, &d[0], (char*) &d[1]);
520 if(!emptystr(d->uid))
521 kstrdup(&tr->user, d->uid);
536 if(--tr->hqref == 0){
537 if(tr->handq != nil){
541 if(tr->hprocessed != nil){
542 freeb(tr->hprocessed);
543 tr->hprocessed = nil;
562 if((c->flag & COPEN) == 0)
565 tr = tlsdevs[CONV(c->qid)];
577 tlsdevs[CONV(c->qid)] = nil;
580 if(tr->c != nil && !waserror()){
581 checkstate(tr, 0, SOpen|SHandshake|SRClose);
582 sendAlert(tr, ECloseNotify);
590 freeSec(tr->out.sec);
591 freeSec(tr->out.new);
599 * make sure we have at least 'n' bytes in list 'l'
602 ensure(TlsRec *s, Block **l, int n)
608 for(b = *l; b; b = b->next){
616 bl = devtab[s->c->type]->bread(s->c, MaxCipherRecLen + RecHdrLen, 0);
621 for(b = bl; b; b = b->next){
629 if(s->debug) pprint("ensure read %d\n", sofar);
633 * copy 'n' bytes from 'l' into 'p' and free
637 consume(Block **l, uchar *p, int n)
642 for(; *l && n > 0; n -= i){
647 memmove(p, b->rp, i);
663 regurgitate(TlsRec *s, uchar *p, int n)
670 if(s->unprocessed == nil || b->rp - b->base < n) {
672 memmove(b->wp, p, n);
674 b->next = s->unprocessed;
678 memmove(b->rp, p, n);
683 * remove at most n bytes from the queue
686 qgrab(Block **l, int n)
699 for(bb = b; bb != nil && i < n; bb = bb->next)
705 consume(l, bb->wp, i);
711 tlsclosed(TlsRec *tr, int new)
714 if(tr->state == SOpen || tr->state == SHandshake)
716 else if((new | tr->state) == (SRClose|SLClose))
718 unlock(&tr->statelk);
719 alertHand(tr, "close notify");
723 * read and process one tls record layer message
724 * must be called with tr->in.io held
725 * We can't let Eintrs lose data, since doing so will get
726 * us out of sync with the sender and break the reliablity
727 * of the channel. Eintr only happens during the reads in
728 * consume. Therefore we put back any bytes consumed before
729 * the last call to ensure.
732 tlsrecread(TlsRec *tr)
736 uchar *p, seq[8], header[RecHdrLen], hmac[MaxMacLen];
737 int volatile nconsumed;
738 int len, type, ver, unpad_len;
742 if(strcmp(up->errstr, Eintr) == 0 && !waserror()){
743 regurgitate(tr, header, nconsumed);
746 tlsError(tr, "channel error");
749 ensure(tr, &tr->unprocessed, RecHdrLen);
750 consume(&tr->unprocessed, header, RecHdrLen);
751 if(tr->debug)pprint("consumed %d header\n", RecHdrLen);
752 nconsumed = RecHdrLen;
754 if((tr->handin == 0) && (header[0] & 0x80)){
755 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
756 This is sent by some clients that we must interoperate
757 with, such as Java's JSSE and Microsoft's Internet Explorer. */
758 len = (get16(header) & ~0x8000) - 3;
760 ver = get16(header + 3);
761 if(type != SSL2ClientHello || len < 22)
762 rcvError(tr, EProtocolVersion, "invalid initial SSL2-like message");
763 }else{ /* normal SSL3 record format */
765 ver = get16(header+1);
766 len = get16(header+3);
768 if(ver != tr->version && (tr->verset || ver < MinProtoVersion || ver > MaxProtoVersion))
769 rcvError(tr, EProtocolVersion, "devtls expected ver=%x%s, saw (len=%d) type=%x ver=%x '%.12s'",
770 tr->version, tr->verset?"/set":"", len, type, ver, (char*)header);
771 if(len > MaxCipherRecLen || len < 0)
772 rcvError(tr, ERecordOverflow, "record message too long %d", len);
773 ensure(tr, &tr->unprocessed, len);
778 * If an Eintr happens after this, we'll get out of sync.
779 * Make sure nothing we call can sleep.
780 * Errors are ok, as they kill the connection.
781 * Luckily, allocb won't sleep, it'll just error out.
787 tlsError(tr, "channel error");
790 b = qgrab(&tr->unprocessed, len);
791 if(tr->debug) pprint("consumed unprocessed %d\n", len);
795 qunlock(&in->seclock);
801 /* to avoid Canvel-Hiltgen-Vaudenay-Vuagnoux attack, all errors here
802 should look alike, including timing of the response. */
803 unpad_len = (*in->sec->dec)(in->sec, p, len);
804 if(unpad_len >= in->sec->maclen)
805 len = unpad_len - in->sec->maclen;
806 if(tr->debug) pprint("decrypted %d\n", unpad_len);
807 if(tr->debug) pdump(unpad_len, p, "decrypted:");
810 put16(header+3, len);
813 (*tr->packMac)(in->sec, in->sec->mackey, seq, header, p, len, hmac);
814 if(unpad_len < in->sec->maclen)
815 rcvError(tr, EBadRecordMac, "short record mac");
816 if(memcmp(hmac, p+len, in->sec->maclen) != 0)
817 rcvError(tr, EBadRecordMac, "record mac mismatch");
820 qunlock(&in->seclock);
823 rcvError(tr, EDecodeError, "runt record message");
827 rcvError(tr, EIllegalParameter, "invalid record message %#x", type);
829 case RChangeCipherSpec:
830 if(len != 1 || p[0] != 1)
831 rcvError(tr, EDecodeError, "invalid change cipher spec");
834 qunlock(&in->seclock);
835 rcvError(tr, EUnexpectedMessage, "unexpected change cipher spec");
841 qunlock(&in->seclock);
845 rcvError(tr, EDecodeError, "invalid alert");
849 rcvError(tr, EIllegalParameter, "invalid alert fatal code");
852 * propagate non-fatal alerts to handshaker
856 tlsclosed(tr, SRClose);
859 error("close notify");
861 case ENoRenegotiation:
862 alertHand(tr, "no renegotiation");
865 alertHand(tr, "handshake canceled by user");
867 case EUnrecognizedName:
868 /* happens in response to SNI, can be ignored. */
871 rcvError(tr, EIllegalParameter, "invalid alert code");
876 * don't worry about dropping the block
877 * qbwrite always queues even if flow controlled and interrupted.
879 * if there isn't any handshaker, ignore the request,
880 * but notify the other side we are doing so.
883 if(tr->handq != nil){
892 qbwrite(tr->handq, b);
898 if(tr->verset && tr->version != SSL3Version && !waserror()){
899 sendAlert(tr, ENoRenegotiation);
904 case SSL2ClientHello:
906 if(tr->handq != nil){
913 /* Pass the SSL2 format data, so that the handshake code can compute
914 the correct checksums. HSSL2ClientHello = HandshakeType 9 is
915 unused in RFC2246. */
917 b->rp[0] = RHandshake;
918 b->rp[1] = HSSL2ClientHello;
919 put24(&b->rp[2], len+3);
920 b->rp[5] = SSL2ClientHello;
921 put16(&b->rp[6], ver);
922 qbwrite(tr->handq, b);
928 if(tr->verset && tr->version != SSL3Version && !waserror()){
929 sendAlert(tr, ENoRenegotiation);
936 rcvError(tr, EUnexpectedMessage, "application message received before handshake completed");
949 * got a fatal alert message
952 rcvAlert(TlsRec *tr, int err)
958 for(i=0; i < nelem(tlserrs); i++){
959 if(tlserrs[i].err == err){
964 if(tr->debug) pprint("rcvAlert: %s\n", s);
973 * found an error while decoding the input stream
976 rcvError(TlsRec *tr, int err, char *fmt, ...)
982 vseprint(msg, msg+sizeof(msg), fmt, arg);
984 if(tr->debug) pprint("rcvError: %s\n", msg);
994 * make sure the next hand operation returns with a 'msg' error
997 alertHand(TlsRec *tr, char *msg)
1003 if(tr->handq == nil){
1004 unlock(&tr->hqlock);
1008 unlock(&tr->hqlock);
1017 memmove(b->wp, msg, n + 1);
1020 qbwrite(tr->handq, b);
1027 checkstate(TlsRec *tr, int ishand, int ok)
1033 unlock(&tr->statelk);
1048 error("tls hungup");
1050 error("tls improperly configured");
1054 tlsbread(Chan *c, long n, ulong offset)
1058 TlsRec *volatile tr;
1063 return devbread(c, n, offset);
1069 tr = tlsdevs[CONV(c->qid)];
1074 qunlock(&tr->in.io);
1079 checkstate(tr, 0, SOpen);
1080 while(tr->processed == nil)
1083 /* return at most what was asked for */
1084 b = qgrab(&tr->processed, n);
1085 if(tr->debug) pprint("consumed processed %ld\n", BLEN(b));
1086 if(tr->debug) pdump(BLEN(b), b->rp, "consumed:");
1087 qunlock(&tr->in.io);
1089 tr->datain += BLEN(b);
1091 checkstate(tr, 1, SOpen|SHandshake|SLClose);
1094 * it's ok to look at state without the lock
1095 * since it only protects reading records,
1096 * and we have that tr->in.io held.
1098 while(!tr->opened && tr->hprocessed == nil && !qcanread(tr->handq))
1101 qunlock(&tr->in.io);
1105 qunlock(&tr->hqread);
1109 if(tr->hprocessed == nil){
1110 b = qbread(tr->handq, MaxRecLen + 1);
1111 if(*b->rp++ == RAlert){
1112 kstrcpy(up->errstr, (char*)b->rp, ERRMAX);
1118 b = qgrab(&tr->hprocessed, n);
1120 qunlock(&tr->hqread);
1121 tr->handin += BLEN(b);
1128 tlsread(Chan *c, void *a, long n, vlong off)
1138 if(c->qid.type & QTDIR)
1139 return devdirread(c, a, n, 0, 0, tlsgen);
1141 tr = tlsdevs[CONV(c->qid)];
1147 buf = smalloc(Statlen);
1148 qlock(&tr->in.seclock);
1149 qlock(&tr->out.seclock);
1152 s = seprint(s, e, "State: %s\n", tlsstate(tr->state));
1153 s = seprint(s, e, "Version: %#x\n", tr->version);
1154 if(tr->in.sec != nil)
1155 s = seprint(s, e, "EncIn: %s\nHashIn: %s\n", tr->in.sec->encalg, tr->in.sec->hashalg);
1156 if(tr->in.new != nil)
1157 s = seprint(s, e, "NewEncIn: %s\nNewHashIn: %s\n", tr->in.new->encalg, tr->in.new->hashalg);
1158 if(tr->out.sec != nil)
1159 s = seprint(s, e, "EncOut: %s\nHashOut: %s\n", tr->out.sec->encalg, tr->out.sec->hashalg);
1160 if(tr->out.new != nil)
1161 seprint(s, e, "NewEncOut: %s\nNewHashOut: %s\n", tr->out.new->encalg, tr->out.new->hashalg);
1162 qunlock(&tr->in.seclock);
1163 qunlock(&tr->out.seclock);
1164 n = readstr(offset, a, n, buf);
1168 buf = smalloc(Statlen);
1171 s = seprint(s, e, "DataIn: %lld\n", tr->datain);
1172 s = seprint(s, e, "DataOut: %lld\n", tr->dataout);
1173 s = seprint(s, e, "HandIn: %lld\n", tr->handin);
1174 seprint(s, e, "HandOut: %lld\n", tr->handout);
1175 n = readstr(offset, a, n, buf);
1179 buf = smalloc(Statlen);
1180 snprint(buf, Statlen, "%llud", CONV(c->qid));
1181 n = readstr(offset, a, n, buf);
1186 b = tlsbread(c, n, offset);
1189 return readstr(offset, a, n, encalgs);
1191 return readstr(offset, a, n, hashalgs);
1201 for(nb = b; nb; nb = nb->next){
1203 memmove(va+n, nb->rp, i);
1214 * write a block in tls records
1217 tlsrecwrite(TlsRec *tr, int type, Block *b)
1222 OneWay *volatile out;
1223 int n, maclen, pad, ok;
1234 if(tr->debug)pprint("send %ld\n", BLEN(b));
1235 if(tr->debug)pdump(BLEN(b), b->rp, "sent:");
1238 ok = SHandshake|SOpen|SRClose;
1242 checkstate(tr, type != RApplication, ok);
1245 * get at most one maximal record's input,
1246 * with padding on the front for header and
1247 * back for mac and maximal block padding.
1250 qunlock(&out->seclock);
1253 qlock(&out->seclock);
1256 if(out->sec != nil){
1257 maclen = out->sec->maclen;
1258 pad = maclen + out->sec->block;
1263 nb = allocb(n + pad + RecHdrLen);
1264 memmove(nb->wp + RecHdrLen, bb->rp, n);
1268 * carefully reuse bb so it will get freed if we're out of memory
1270 bb = padblock(bb, RecHdrLen);
1272 nb = padblock(bb, -pad);
1280 put16(p+1, tr->version);
1283 if(out->sec != nil){
1284 put64(seq, out->seq);
1286 (*tr->packMac)(out->sec, out->sec->mackey, seq, p, p + RecHdrLen, n, p + RecHdrLen + n);
1290 n = (*out->sec->enc)(out->sec, p + RecHdrLen, n);
1291 nb->wp = p + RecHdrLen + n;
1296 if(type == RChangeCipherSpec){
1298 error("change cipher without a new cipher");
1300 out->sec = out->new;
1304 qunlock(&out->seclock);
1308 * if bwrite error's, we assume the block is queued.
1309 * if not, we're out of sync with the receiver and will not recover.
1312 if(strcmp(up->errstr, "interrupted") != 0)
1313 tlsError(tr, "channel error");
1316 devtab[tr->c->type]->bwrite(tr->c, nb, 0);
1324 tlsbwrite(Chan *c, Block *b, ulong offset)
1332 tr = tlsdevs[CONV(c->qid)];
1339 return devbwrite(c, b, offset);
1341 tlsrecwrite(tr, RHandshake, b);
1345 checkstate(tr, 0, SOpen);
1346 tlsrecwrite(tr, RApplication, b);
1354 typedef struct Hashalg Hashalg;
1359 void (*initkey)(Hashalg *, int, Secret *, uchar*);
1363 initmd5key(Hashalg *ha, int version, Secret *s, uchar *p)
1365 s->maclen = ha->maclen;
1366 if(version == SSL3Version)
1367 s->mac = sslmac_md5;
1370 memmove(s->mackey, p, ha->maclen);
1374 initclearmac(Hashalg *, int, Secret *s, uchar *)
1381 initsha1key(Hashalg *ha, int version, Secret *s, uchar *p)
1383 s->maclen = ha->maclen;
1384 if(version == SSL3Version)
1385 s->mac = sslmac_sha1;
1388 memmove(s->mackey, p, ha->maclen);
1391 static Hashalg hashtab[] =
1393 { "clear", 0, initclearmac, },
1394 { "md5", MD5dlen, initmd5key, },
1395 { "sha1", SHA1dlen, initsha1key, },
1400 parsehashalg(char *p)
1404 for(ha = hashtab; ha->name; ha++)
1405 if(strcmp(p, ha->name) == 0)
1407 error("unsupported hash algorithm");
1411 typedef struct Encalg Encalg;
1417 void (*initkey)(Encalg *ea, Secret *, uchar*, uchar*);
1421 initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *)
1423 s->enckey = smalloc(sizeof(RC4state));
1427 setupRC4state(s->enckey, p, ea->keylen);
1431 initDES3key(Encalg *, Secret *s, uchar *p, uchar *iv)
1433 s->enckey = smalloc(sizeof(DES3state));
1437 setupDES3state(s->enckey, (uchar(*)[8])p, iv);
1441 initAESkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
1443 s->enckey = smalloc(sizeof(AESstate));
1447 setupAESstate(s->enckey, p, ea->keylen, iv);
1451 initclearenc(Encalg *, Secret *s, uchar *, uchar *)
1458 static Encalg encrypttab[] =
1460 { "clear", 0, 0, initclearenc },
1461 { "rc4_128", 128/8, 0, initRC4key },
1462 { "3des_ede_cbc", 3 * 8, 8, initDES3key },
1463 { "aes_128_cbc", 128/8, 16, initAESkey },
1464 { "aes_256_cbc", 256/8, 16, initAESkey },
1469 parseencalg(char *p)
1473 for(ea = encrypttab; ea->name; ea++)
1474 if(strcmp(p, ea->name) == 0)
1476 error("unsupported encryption algorithm");
1481 tlswrite(Chan *c, void *a, long n, vlong off)
1485 TlsRec *volatile tr;
1486 Secret *volatile tos, *volatile toc;
1488 Cmdbuf *volatile cb;
1494 tr = tlsdevs[CONV(c->qid)];
1514 memmove(b->wp, p, m);
1518 tlsbwrite(c, b, offset);
1530 cb = parsecmd(a, n);
1536 error("short control request");
1538 /* mutex with operations using what we're about to change */
1540 qunlock(&tr->in.seclock);
1541 qunlock(&tr->out.seclock);
1544 qlock(&tr->in.seclock);
1545 qlock(&tr->out.seclock);
1547 if(strcmp(cb->f[0], "fd") == 0){
1549 error("usage: fd open-fd version");
1552 m = strtol(cb->f[2], nil, 0);
1553 if(m < MinProtoVersion || m > MaxProtoVersion)
1554 error("unsupported version");
1555 tr->c = buftochan(cb->f[1]);
1557 tlsSetState(tr, SHandshake, SClosed);
1558 }else if(strcmp(cb->f[0], "version") == 0){
1560 error("usage: version vers");
1562 error("must set fd before version");
1564 error("version already set");
1565 m = strtol(cb->f[1], nil, 0);
1566 if(m == SSL3Version)
1567 tr->packMac = sslPackMac;
1568 else if(m == TLSVersion)
1569 tr->packMac = tlsPackMac;
1571 error("unsupported version");
1574 }else if(strcmp(cb->f[0], "secret") == 0){
1576 error("usage: secret hashalg encalg isclient secretdata");
1577 if(tr->c == nil || !tr->verset)
1578 error("must set fd and version before secrets");
1580 if(tr->in.new != nil){
1581 freeSec(tr->in.new);
1584 if(tr->out.new != nil){
1585 freeSec(tr->out.new);
1589 ha = parsehashalg(cb->f[1]);
1590 ea = parseencalg(cb->f[2]);
1593 m = (strlen(p)*3)/2;
1603 m = dec64(x, m, p, strlen(p));
1604 if(m < 2 * ha->maclen + 2 * ea->keylen + 2 * ea->ivlen)
1605 error("not enough secret data provided");
1607 tos = smalloc(sizeof(Secret));
1608 toc = smalloc(sizeof(Secret));
1609 if(!ha->initkey || !ea->initkey)
1610 error("misimplemented secret algorithm");
1611 (*ha->initkey)(ha, tr->version, tos, &x[0]);
1612 (*ha->initkey)(ha, tr->version, toc, &x[ha->maclen]);
1613 (*ea->initkey)(ea, tos, &x[2 * ha->maclen], &x[2 * ha->maclen + 2 * ea->keylen]);
1614 (*ea->initkey)(ea, toc, &x[2 * ha->maclen + ea->keylen], &x[2 * ha->maclen + 2 * ea->keylen + ea->ivlen]);
1616 if(!tos->mac || !tos->enc || !tos->dec
1617 || !toc->mac || !toc->enc || !toc->dec)
1618 error("missing algorithm implementations");
1619 if(strtol(cb->f[3], nil, 0) == 0){
1626 if(tr->version == SSL3Version){
1627 toc->unpad = sslunpad;
1628 tos->unpad = sslunpad;
1630 toc->unpad = tlsunpad;
1631 tos->unpad = tlsunpad;
1633 toc->encalg = ea->name;
1634 toc->hashalg = ha->name;
1635 tos->encalg = ea->name;
1636 tos->hashalg = ha->name;
1640 }else if(strcmp(cb->f[0], "changecipher") == 0){
1642 error("usage: changecipher");
1643 if(tr->out.new == nil)
1644 error("cannot change cipher spec without setting secret");
1646 qunlock(&tr->in.seclock);
1647 qunlock(&tr->out.seclock);
1653 * the real work is done as the message is written
1654 * so the stream is encrypted in sync.
1658 tlsrecwrite(tr, RChangeCipherSpec, b);
1660 }else if(strcmp(cb->f[0], "opened") == 0){
1662 error("usage: opened");
1663 if(tr->in.sec == nil || tr->out.sec == nil)
1664 error("cipher must be configured before enabling data messages");
1666 if(tr->state != SHandshake && tr->state != SOpen){
1667 unlock(&tr->statelk);
1668 error("cannot enable data messages");
1671 unlock(&tr->statelk);
1673 }else if(strcmp(cb->f[0], "alert") == 0){
1675 error("usage: alert n");
1677 error("must set fd before sending alerts");
1678 m = strtol(cb->f[1], nil, 0);
1680 qunlock(&tr->in.seclock);
1681 qunlock(&tr->out.seclock);
1688 if(m == ECloseNotify)
1689 tlsclosed(tr, SLClose);
1692 } else if(strcmp(cb->f[0], "debug") == 0){
1694 if(strcmp(cb->f[1], "on") == 0)
1703 qunlock(&tr->in.seclock);
1704 qunlock(&tr->out.seclock);
1722 fmtinstall('H', encodefmt);
1726 tlsdevs = smalloc(sizeof(TlsRec*) * maxtlsdevs);
1727 trnames = smalloc((sizeof *trnames) * maxtlsdevs);
1730 for(e = encrypttab; e->name != nil; e++)
1731 n += strlen(e->name) + 1;
1732 cp = encalgs = smalloc(n);
1733 for(e = encrypttab;;){
1734 strcpy(cp, e->name);
1735 cp += strlen(e->name);
1744 for(h = hashtab; h->name != nil; h++)
1745 n += strlen(h->name) + 1;
1746 cp = hashalgs = smalloc(n);
1748 strcpy(cp, h->name);
1749 cp += strlen(h->name);
1779 /* get channel associated with an fd */
1788 fd = strtoul(p, 0, 0);
1791 c = fdtochan(fd, -1, 0, 1); /* error check and inc ref */
1796 sendAlert(TlsRec *tr, int err)
1802 if(tr->debug)pprint("sendAlert %d\n", err);
1804 msg = "tls unknown alert";
1805 for(i=0; i < nelem(tlserrs); i++) {
1806 if(tlserrs[i].err == err) {
1807 msg = tlserrs[i].msg;
1808 if(tr->version == SSL3Version)
1809 err = tlserrs[i].sslerr;
1811 err = tlserrs[i].tlserr;
1812 fatal = tlserrs[i].fatal;
1819 *b->wp++ = fatal + 1;
1822 tlsSetState(tr, SAlert, SOpen|SHandshake|SRClose);
1823 tlsrecwrite(tr, RAlert, b);
1831 tlsError(TlsRec *tr, char *msg)
1835 if(tr->debug)pprint("tlsError %s\n", msg);
1840 strncpy(tr->err, msg, ERRMAX - 1);
1841 tr->err[ERRMAX - 1] = '\0';
1843 unlock(&tr->statelk);
1849 tlsSetState(TlsRec *tr, int new, int old)
1854 unlock(&tr->statelk);
1857 /* hand up a digest connection */
1859 tlshangup(TlsRec *tr)
1864 for(b = tr->processed; b; b = tr->processed){
1865 tr->processed = b->next;
1868 if(tr->unprocessed != nil){
1869 freeb(tr->unprocessed);
1870 tr->unprocessed = nil;
1872 qunlock(&tr->in.io);
1874 tlsSetState(tr, SClosed, ~0);
1880 TlsRec **pp, **ep, **np;
1889 ep = &tlsdevs[maxtlsdevs];
1890 for(pp = tlsdevs; pp < ep; pp++)
1894 if(maxtlsdevs >= MaxTlsDevs) {
1899 newmax = 2 * maxtlsdevs;
1900 if(newmax > MaxTlsDevs)
1901 newmax = MaxTlsDevs;
1902 np = smalloc(sizeof(TlsRec*) * newmax);
1903 memmove(np, tlsdevs, sizeof(TlsRec*) * maxtlsdevs);
1905 pp = &tlsdevs[maxtlsdevs];
1906 memset(pp, 0, sizeof(TlsRec*)*(newmax - maxtlsdevs));
1908 nmp = smalloc(sizeof *nmp * newmax);
1909 memmove(nmp, trnames, sizeof *nmp * maxtlsdevs);
1912 maxtlsdevs = newmax;
1915 if(pp - tlsdevs >= tdhiwat)
1920 ch->qid.path = QID(pp - tlsdevs, t);
1932 tr = mallocz(sizeof(*tr), 1);
1935 tr->state = SClosed;
1937 kstrdup(&tr->user, up->user);
1947 return "Handshaking";
1949 return "Established";
1951 return "RemoteClosed";
1953 return "LocalClosed";
1974 noenc(Secret *, uchar *, int n)
1980 rc4enc(Secret *sec, uchar *buf, int n)
1982 rc4(sec->enckey, buf, n);
1987 tlsunpad(uchar *buf, int n, int block)
1993 if(nn <= 0 || n % block)
1996 if(pad != buf[n - 1])
2002 sslunpad(uchar *buf, int n, int block)
2008 if(nn <= 0 || n % block)
2014 blockpad(uchar *buf, int n, int block)
2027 des3enc(Secret *sec, uchar *buf, int n)
2029 n = blockpad(buf, n, 8);
2030 des3CBCencrypt(buf, n, sec->enckey);
2035 des3dec(Secret *sec, uchar *buf, int n)
2037 des3CBCdecrypt(buf, n, sec->enckey);
2038 return (*sec->unpad)(buf, n, 8);
2042 aesenc(Secret *sec, uchar *buf, int n)
2044 n = blockpad(buf, n, 16);
2045 aesCBCencrypt(buf, n, sec->enckey);
2050 aesdec(Secret *sec, uchar *buf, int n)
2052 aesCBCdecrypt(buf, n, sec->enckey);
2053 return (*sec->unpad)(buf, n, 16);
2057 nomac(uchar *, ulong, uchar *, ulong, uchar *, DigestState *)
2063 * sslmac: mac calculations for ssl 3.0 only; tls 1.0 uses the standard hmac.
2066 sslmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s,
2067 DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen, int padlen)
2070 uchar pad[48], innerdigest[20];
2072 if(xlen > sizeof(innerdigest)
2073 || padlen > sizeof(pad))
2079 /* first time through */
2081 for(i=0; i<padlen; i++)
2083 s = (*x)(key, klen, nil, nil);
2084 s = (*x)(pad, padlen, nil, s);
2089 s = (*x)(p, len, nil, s);
2093 /* last time through */
2094 for(i=0; i<padlen; i++)
2096 (*x)(nil, 0, innerdigest, s);
2097 s = (*x)(key, klen, nil, nil);
2098 s = (*x)(pad, padlen, nil, s);
2099 (*x)(innerdigest, xlen, digest, s);
2104 sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2106 return sslmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen, 40);
2110 sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2112 return sslmac_x(p, len, key, klen, digest, s, md5, MD5dlen, 48);
2116 sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
2121 memmove(buf, seq, 8);
2124 buf[10] = header[4];
2126 s = (*sec->mac)(buf, 11, mackey, sec->maclen, 0, 0);
2127 (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
2131 tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
2136 memmove(buf, seq, 8);
2137 memmove(&buf[8], header, 5);
2139 s = (*sec->mac)(buf, 13, mackey, sec->maclen, 0, 0);
2140 (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
2144 put32(uchar *p, u32int x)
2153 put64(uchar *p, vlong x)
2155 put32(p, (u32int)(x >> 32));
2156 put32(p+4, (u32int)x);
2160 put24(uchar *p, int x)
2168 put16(uchar *p, int x)
2177 return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2183 return (p[0]<<8)|p[1];
2186 static char *charmap = "0123456789abcdef";
2189 pdump(int len, void *a, char *tag)
2199 q = buf + strlen(tag);
2200 for(i = 0; len > 0 && i < 32; i++){
2201 if(*p >= ' ' && *p < 0x7f){
2205 *q++ = charmap[*p>>4];
2206 *q++ = charmap[*p & 0xf];
2214 pprint("%s...\n", buf);
2216 pprint("%s\n", buf);