sys/src/9/port/devtls.c

   1 /*
   2  *  devtls - record layer for transport layer security 1.0 and secure sockets layer 3.0
   3  */
   4 #include        "u.h"
   5 #include        "../port/lib.h"
   6 #include        "mem.h"
   7 #include        "dat.h"
   8 #include        "fns.h"
   9 #include        "../port/error.h"
  10
  11 #include        <libsec.h>
  12
  13 typedef struct OneWay   OneWay;
  14 typedef struct Secret           Secret;
  15 typedef struct TlsRec   TlsRec;
  16 typedef struct TlsErrs  TlsErrs;
  17
  18 enum {
  19         Statlen=        1024,           /* max. length of status or stats message */
  20         /* buffer limits */
  21         MaxRecLen               = 1<<14,        /* max payload length of a record layer message */
  22         MaxCipherRecLen = MaxRecLen + 2048,
  23         RecHdrLen               = 5,
  24         MaxMacLen               = SHA1dlen,
  25
  26         /* protocol versions we can accept */
  27         TLSVersion              = 0x0301,
  28         SSL3Version             = 0x0300,
  29         ProtocolVersion = 0x0301,       /* maximum version we speak */
  30         MinProtoVersion = 0x0300,       /* limits on version we accept */
  31         MaxProtoVersion = 0x03ff,
  32
  33         /* connection states */
  34         SHandshake      = 1 << 0,       /* doing handshake */
  35         SOpen           = 1 << 1,       /* application data can be sent */
  36         SRClose         = 1 << 2,       /* remote side has closed down */
  37         SLClose         = 1 << 3,       /* sent a close notify alert */
  38         SAlert          = 1 << 5,       /* sending or sent a fatal alert */
  39         SError          = 1 << 6,       /* some sort of error has occured */
  40         SClosed         = 1 << 7,       /* it is all over */
  41
  42         /* record types */
  43         RChangeCipherSpec = 20,
  44         RAlert,
  45         RHandshake,
  46         RApplication,
  47
  48         SSL2ClientHello = 1,
  49         HSSL2ClientHello = 9,  /* local convention;  see tlshand.c */
  50
  51         /* alerts */
  52         ECloseNotify                    = 0,
  53         EUnexpectedMessage      = 10,
  54         EBadRecordMac           = 20,
  55         EDecryptionFailed               = 21,
  56         ERecordOverflow                 = 22,
  57         EDecompressionFailure   = 30,
  58         EHandshakeFailure               = 40,
  59         ENoCertificate                  = 41,
  60         EBadCertificate                 = 42,
  61         EUnsupportedCertificate         = 43,
  62         ECertificateRevoked             = 44,
  63         ECertificateExpired             = 45,
  64         ECertificateUnknown     = 46,
  65         EIllegalParameter               = 47,
  66         EUnknownCa                      = 48,
  67         EAccessDenied           = 49,
  68         EDecodeError                    = 50,
  69         EDecryptError                   = 51,
  70         EExportRestriction              = 60,
  71         EProtocolVersion                = 70,
  72         EInsufficientSecurity   = 71,
  73         EInternalError                  = 80,
  74         EUserCanceled                   = 90,
  75         ENoRenegotiation                = 100,
  76
  77         EMAX = 256
  78 };
  79
  80 struct Secret
  81 {
  82         char            *encalg;        /* name of encryption alg */
  83         char            *hashalg;       /* name of hash alg */
  84         int             (*enc)(Secret*, uchar*, int);
  85         int             (*dec)(Secret*, uchar*, int);
  86         int             (*unpad)(uchar*, int, int);
  87         DigestState     *(*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
  88         int             block;          /* encryption block len, 0 if none */
  89         int             maclen;
  90         void            *enckey;
  91         uchar   mackey[MaxMacLen];
  92 };
  93
  94 struct OneWay
  95 {
  96         QLock           io;             /* locks io access */
  97         QLock           seclock;        /* locks secret paramaters */
  98         ulong           seq;
  99         Secret          *sec;           /* cipher in use */
 100         Secret          *new;           /* cipher waiting for enable */
 101 };
 102
 103 struct TlsRec
 104 {
 105         Chan    *c;                             /* io channel */
 106         int             ref;                            /* serialized by tdlock for atomic destroy */
 107         int             version;                        /* version of the protocol we are speaking */
 108         char            verset;                 /* version has been set */
 109         char            opened;                 /* opened command every issued? */
 110         char            err[ERRMAX];            /* error message to return to handshake requests */
 111         vlong   handin;                 /* bytes communicated by the record layer */
 112         vlong   handout;
 113         vlong   datain;
 114         vlong   dataout;
 115
 116         Lock            statelk;
 117         int             state;
 118         int             debug;
 119
 120         /* record layer mac functions for different protocol versions */
 121         void            (*packMac)(Secret*, uchar*, uchar*, uchar*, uchar*, int, uchar*);
 122
 123         /* input side -- protected by in.io */
 124         OneWay          in;
 125         Block           *processed;     /* next bunch of application data */
 126         Block           *unprocessed;   /* data read from c but not parsed into records */
 127
 128         /* handshake queue */
 129         Lock            hqlock;                 /* protects hqref, alloc & free of handq, hprocessed */
 130         int             hqref;
 131         Queue           *handq;         /* queue of handshake messages */
 132         Block           *hprocessed;    /* remainder of last block read from handq */
 133         QLock           hqread;         /* protects reads for hprocessed, handq */
 134
 135         /* output side */
 136         OneWay          out;
 137
 138         /* protections */
 139         char            *user;
 140         int             perm;
 141 };
 142
 143 struct TlsErrs{
 144         int     err;
 145         int     sslerr;
 146         int     tlserr;
 147         int     fatal;
 148         char    *msg;
 149 };
 150
 151 static TlsErrs tlserrs[] = {
 152         {ECloseNotify,                  ECloseNotify,                   ECloseNotify,                   0,      "close notify"},
 153         {EUnexpectedMessage,    EUnexpectedMessage,     EUnexpectedMessage,     1, "unexpected message"},
 154         {EBadRecordMac,         EBadRecordMac,          EBadRecordMac,          1, "bad record mac"},
 155         {EDecryptionFailed,             EIllegalParameter,              EDecryptionFailed,              1, "decryption failed"},
 156         {ERecordOverflow,               EIllegalParameter,              ERecordOverflow,                1, "record too long"},
 157         {EDecompressionFailure, EDecompressionFailure,  EDecompressionFailure,  1, "decompression failed"},
 158         {EHandshakeFailure,             EHandshakeFailure,              EHandshakeFailure,              1, "could not negotiate acceptable security parameters"},
 159         {ENoCertificate,                ENoCertificate,                 ECertificateUnknown,    1, "no appropriate certificate available"},
 160         {EBadCertificate,               EBadCertificate,                EBadCertificate,                1, "corrupted or invalid certificate"},
 161         {EUnsupportedCertificate,       EUnsupportedCertificate,        EUnsupportedCertificate,        1, "unsupported certificate type"},
 162         {ECertificateRevoked,   ECertificateRevoked,            ECertificateRevoked,            1, "revoked certificate"},
 163         {ECertificateExpired,           ECertificateExpired,            ECertificateExpired,            1, "expired certificate"},
 164         {ECertificateUnknown,   ECertificateUnknown,    ECertificateUnknown,    1, "unacceptable certificate"},
 165         {EIllegalParameter,             EIllegalParameter,              EIllegalParameter,              1, "illegal parameter"},
 166         {EUnknownCa,                    EHandshakeFailure,              EUnknownCa,                     1, "unknown certificate authority"},
 167         {EAccessDenied,         EHandshakeFailure,              EAccessDenied,          1, "access denied"},
 168         {EDecodeError,                  EIllegalParameter,              EDecodeError,                   1, "error decoding message"},
 169         {EDecryptError,                 EIllegalParameter,              EDecryptError,                  1, "error decrypting message"},
 170         {EExportRestriction,            EHandshakeFailure,              EExportRestriction,             1, "export restriction violated"},
 171         {EProtocolVersion,              EIllegalParameter,              EProtocolVersion,               1, "protocol version not supported"},
 172         {EInsufficientSecurity, EHandshakeFailure,              EInsufficientSecurity,  1, "stronger security routines required"},
 173         {EInternalError,                        EHandshakeFailure,              EInternalError,                 1, "internal error"},
 174         {EUserCanceled,         ECloseNotify,                   EUserCanceled,                  0, "handshake canceled by user"},
 175         {ENoRenegotiation,              EUnexpectedMessage,     ENoRenegotiation,               0, "no renegotiation"},
 176 };
 177
 178 enum
 179 {
 180         /* max. open tls connections */
 181         MaxTlsDevs      = 1024
 182 };
 183
 184 static  Lock    tdlock;
 185 static  int     tdhiwat;
 186 static  int     maxtlsdevs = 128;
 187 static  TlsRec  **tlsdevs;
 188 static  char    **trnames;
 189 static  char    *encalgs;
 190 static  char    *hashalgs;
 191
 192 enum{
 193         Qtopdir         = 1,    /* top level directory */
 194         Qprotodir,
 195         Qclonus,
 196         Qencalgs,
 197         Qhashalgs,
 198         Qconvdir,               /* directory for a conversation */
 199         Qdata,
 200         Qctl,
 201         Qhand,
 202         Qstatus,
 203         Qstats,
 204 };
 205
 206 #define TYPE(x)         ((x).path & 0xf)
 207 #define CONV(x)         (((x).path >> 5)&(MaxTlsDevs-1))
 208 #define QID(c, y)       (((c)<<5) | (y))
 209
 210 static void     checkstate(TlsRec *, int, int);
 211 static void     ensure(TlsRec*, Block**, int);
 212 static void     consume(Block**, uchar*, int);
 213 static Chan*    buftochan(char*);
 214 static void     tlshangup(TlsRec*);
 215 static void     tlsError(TlsRec*, char *);
 216 static void     alertHand(TlsRec*, char *);
 217 static TlsRec   *newtls(Chan *c);
 218 static TlsRec   *mktlsrec(void);
 219 static DigestState*sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
 220 static DigestState*sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
 221 static DigestState*nomac(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
 222 static void     sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
 223 static void     tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
 224 static void     put64(uchar *p, vlong x);
 225 static void     put32(uchar *p, u32int);
 226 static void     put24(uchar *p, int);
 227 static void     put16(uchar *p, int);
 228 static u32int   get32(uchar *p);
 229 static int      get16(uchar *p);
 230 static void     tlsSetState(TlsRec *tr, int new, int old);
 231 static void     rcvAlert(TlsRec *tr, int err);
 232 static void     sendAlert(TlsRec *tr, int err);
 233 static void     rcvError(TlsRec *tr, int err, char *msg, ...);
 234 static int      rc4enc(Secret *sec, uchar *buf, int n);
 235 static int      des3enc(Secret *sec, uchar *buf, int n);
 236 static int      des3dec(Secret *sec, uchar *buf, int n);
 237 static int      noenc(Secret *sec, uchar *buf, int n);
 238 static int      sslunpad(uchar *buf, int n, int block);
 239 static int      tlsunpad(uchar *buf, int n, int block);
 240 static void     freeSec(Secret *sec);
 241 static char     *tlsstate(int s);
 242 static void     pdump(int, void*, char*);
 243
 244 #pragma varargck        argpos  rcvError        3
 245
 246 static char *tlsnames[] = {
 247 [Qclonus]               "clone",
 248 [Qencalgs]      "encalgs",
 249 [Qhashalgs]     "hashalgs",
 250 [Qdata]         "data",
 251 [Qctl]          "ctl",
 252 [Qhand]         "hand",
 253 [Qstatus]               "status",
 254 [Qstats]                "stats",
 255 };
 256
 257 static int convdir[] = { Qctl, Qdata, Qhand, Qstatus, Qstats };
 258
 259 static int
 260 tlsgen(Chan *c, char*, Dirtab *, int, int s, Dir *dp)
 261 {
 262         Qid q;
 263         TlsRec *tr;
 264         char *name, *nm;
 265         int perm, t;
 266
 267         q.vers = 0;
 268         q.type = QTFILE;
 269
 270         t = TYPE(c->qid);
 271         switch(t) {
 272         case Qtopdir:
 273                 if(s == DEVDOTDOT){
 274                         q.path = QID(0, Qtopdir);
 275                         q.type = QTDIR;
 276                         devdir(c, q, "#a", 0, eve, 0555, dp);
 277                         return 1;
 278                 }
 279                 if(s > 0)
 280                         return -1;
 281                 q.path = QID(0, Qprotodir);
 282                 q.type = QTDIR;
 283                 devdir(c, q, "tls", 0, eve, 0555, dp);
 284                 return 1;
 285         case Qprotodir:
 286                 if(s == DEVDOTDOT){
 287                         q.path = QID(0, Qtopdir);
 288                         q.type = QTDIR;
 289                         devdir(c, q, ".", 0, eve, 0555, dp);
 290                         return 1;
 291                 }
 292                 if(s < 3){
 293                         switch(s) {
 294                         default:
 295                                 return -1;
 296                         case 0:
 297                                 q.path = QID(0, Qclonus);
 298                                 break;
 299                         case 1:
 300                                 q.path = QID(0, Qencalgs);
 301                                 break;
 302                         case 2:
 303                                 q.path = QID(0, Qhashalgs);
 304                                 break;
 305                         }
 306                         perm = 0444;
 307                         if(TYPE(q) == Qclonus)
 308                                 perm = 0555;
 309                         devdir(c, q, tlsnames[TYPE(q)], 0, eve, perm, dp);
 310                         return 1;
 311                 }
 312                 s -= 3;
 313                 if(s >= tdhiwat)
 314                         return -1;
 315                 q.path = QID(s, Qconvdir);
 316                 q.type = QTDIR;
 317                 lock(&tdlock);
 318                 tr = tlsdevs[s];
 319                 if(tr != nil)
 320                         nm = tr->user;
 321                 else
 322                         nm = eve;
 323                 if((name = trnames[s]) == nil){
 324                         name = trnames[s] = smalloc(16);
 325                         sprint(name, "%d", s);
 326                 }
 327                 devdir(c, q, name, 0, nm, 0555, dp);
 328                 unlock(&tdlock);
 329                 return 1;
 330         case Qconvdir:
 331                 if(s == DEVDOTDOT){
 332                         q.path = QID(0, Qprotodir);
 333                         q.type = QTDIR;
 334                         devdir(c, q, "tls", 0, eve, 0555, dp);
 335                         return 1;
 336                 }
 337                 if(s < 0 || s >= nelem(convdir))
 338                         return -1;
 339                 lock(&tdlock);
 340                 tr = tlsdevs[CONV(c->qid)];
 341                 if(tr != nil){
 342                         nm = tr->user;
 343                         perm = tr->perm;
 344                 }else{
 345                         perm = 0;
 346                         nm = eve;
 347                 }
 348                 t = convdir[s];
 349                 if(t == Qstatus || t == Qstats)
 350                         perm &= 0444;
 351                 q.path = QID(CONV(c->qid), t);
 352                 devdir(c, q, tlsnames[t], 0, nm, perm, dp);
 353                 unlock(&tdlock);
 354                 return 1;
 355         case Qclonus:
 356         case Qencalgs:
 357         case Qhashalgs:
 358                 perm = 0444;
 359                 if(t == Qclonus)
 360                         perm = 0555;
 361                 devdir(c, c->qid, tlsnames[t], 0, eve, perm, dp);
 362                 return 1;
 363         default:
 364                 lock(&tdlock);
 365                 tr = tlsdevs[CONV(c->qid)];
 366                 if(tr != nil){
 367                         nm = tr->user;
 368                         perm = tr->perm;
 369                 }else{
 370                         perm = 0;
 371                         nm = eve;
 372                 }
 373                 if(t == Qstatus || t == Qstats)
 374                         perm &= 0444;
 375                 devdir(c, c->qid, tlsnames[t], 0, nm, perm, dp);
 376                 unlock(&tdlock);
 377                 return 1;
 378         }
 379 }
 380
 381 static Chan*
 382 tlsattach(char *spec)
 383 {
 384         Chan *c;
 385
 386         c = devattach('a', spec);
 387         c->qid.path = QID(0, Qtopdir);
 388         c->qid.type = QTDIR;
 389         c->qid.vers = 0;
 390         return c;
 391 }
 392
 393 static Walkqid*
 394 tlswalk(Chan *c, Chan *nc, char **name, int nname)
 395 {
 396         return devwalk(c, nc, name, nname, nil, 0, tlsgen);
 397 }
 398
 399 static int
 400 tlsstat(Chan *c, uchar *db, int n)
 401 {
 402         return devstat(c, db, n, nil, 0, tlsgen);
 403 }
 404
 405 static Chan*
 406 tlsopen(Chan *c, int omode)
 407 {
 408         TlsRec *tr, **pp;
 409         int t, perm;
 410
 411         perm = 0;
 412         omode &= 3;
 413         switch(omode) {
 414         case OREAD:
 415                 perm = 4;
 416                 break;
 417         case OWRITE:
 418                 perm = 2;
 419                 break;
 420         case ORDWR:
 421                 perm = 6;
 422                 break;
 423         }
 424
 425         t = TYPE(c->qid);
 426         switch(t) {
 427         default:
 428                 panic("tlsopen");
 429         case Qtopdir:
 430         case Qprotodir:
 431         case Qconvdir:
 432                 if(omode != OREAD)
 433                         error(Eperm);
 434                 break;
 435         case Qclonus:
 436                 tr = newtls(c);
 437                 if(tr == nil)
 438                         error(Enodev);
 439                 break;
 440         case Qctl:
 441         case Qdata:
 442         case Qhand:
 443         case Qstatus:
 444         case Qstats:
 445                 if((t == Qstatus || t == Qstats) && omode != OREAD)
 446                         error(Eperm);
 447                 if(waserror()) {
 448                         unlock(&tdlock);
 449                         nexterror();
 450                 }
 451                 lock(&tdlock);
 452                 pp = &tlsdevs[CONV(c->qid)];
 453                 tr = *pp;
 454                 if(tr == nil)
 455                         error("must open connection using clone");
 456                 if((perm & (tr->perm>>6)) != perm
 457                 && (strcmp(up->user, tr->user) != 0
 458                     || (perm & tr->perm) != perm))
 459                         error(Eperm);
 460                 if(t == Qhand){
 461                         if(waserror()){
 462                                 unlock(&tr->hqlock);
 463                                 nexterror();
 464                         }
 465                         lock(&tr->hqlock);
 466                         if(tr->handq != nil)
 467                                 error(Einuse);
 468                         tr->handq = qopen(2 * MaxCipherRecLen, 0, nil, nil);
 469                         if(tr->handq == nil)
 470                                 error("cannot allocate handshake queue");
 471                         tr->hqref = 1;
 472                         unlock(&tr->hqlock);
 473                         poperror();
 474                 }
 475                 tr->ref++;
 476                 unlock(&tdlock);
 477                 poperror();
 478                 break;
 479         case Qencalgs:
 480         case Qhashalgs:
 481                 if(omode != OREAD)
 482                         error(Eperm);
 483                 break;
 484         }
 485         c->mode = openmode(omode);
 486         c->flag |= COPEN;
 487         c->offset = 0;
 488         c->iounit = qiomaxatomic;
 489         return c;
 490 }
 491
 492 static int
 493 tlswstat(Chan *c, uchar *dp, int n)
 494 {
 495         Dir *d;
 496         TlsRec *tr;
 497         int rv;
 498
 499         d = nil;
 500         if(waserror()){
 501                 free(d);
 502                 unlock(&tdlock);
 503                 nexterror();
 504         }
 505
 506         lock(&tdlock);
 507         tr = tlsdevs[CONV(c->qid)];
 508         if(tr == nil)
 509                 error(Ebadusefd);
 510         if(strcmp(tr->user, up->user) != 0)
 511                 error(Eperm);
 512
 513         d = smalloc(n + sizeof *d);
 514         rv = convM2D(dp, n, &d[0], (char*) &d[1]);
 515         if(rv == 0)
 516                 error(Eshortstat);
 517         if(!emptystr(d->uid))
 518                 kstrdup(&tr->user, d->uid);
 519         if(d->mode != ~0UL)
 520                 tr->perm = d->mode;
 521
 522         free(d);
 523         poperror();
 524         unlock(&tdlock);
 525
 526         return rv;
 527 }
 528
 529 static void
 530 dechandq(TlsRec *tr)
 531 {
 532         lock(&tr->hqlock);
 533         if(--tr->hqref == 0){
 534                 if(tr->handq != nil){
 535                         qfree(tr->handq);
 536                         tr->handq = nil;
 537                 }
 538                 if(tr->hprocessed != nil){
 539                         freeb(tr->hprocessed);
 540                         tr->hprocessed = nil;
 541                 }
 542         }
 543         unlock(&tr->hqlock);
 544 }
 545
 546 static void
 547 tlsclose(Chan *c)
 548 {
 549         TlsRec *tr;
 550         int t;
 551
 552         t = TYPE(c->qid);
 553         switch(t) {
 554         case Qctl:
 555         case Qdata:
 556         case Qhand:
 557         case Qstatus:
 558         case Qstats:
 559                 if((c->flag & COPEN) == 0)
 560                         break;
 561
 562                 tr = tlsdevs[CONV(c->qid)];
 563                 if(tr == nil)
 564                         break;
 565
 566                 if(t == Qhand)
 567                         dechandq(tr);
 568
 569                 lock(&tdlock);
 570                 if(--tr->ref > 0) {
 571                         unlock(&tdlock);
 572                         return;
 573                 }
 574                 tlsdevs[CONV(c->qid)] = nil;
 575                 unlock(&tdlock);
 576
 577                 if(tr->c != nil && !waserror()){
 578                         checkstate(tr, 0, SOpen|SHandshake|SRClose);
 579                         sendAlert(tr, ECloseNotify);
 580                         poperror();
 581                 }
 582                 tlshangup(tr);
 583                 if(tr->c != nil)
 584                         cclose(tr->c);
 585                 freeSec(tr->in.sec);
 586                 freeSec(tr->in.new);
 587                 freeSec(tr->out.sec);
 588                 freeSec(tr->out.new);
 589                 free(tr->user);
 590                 free(tr);
 591                 break;
 592         }
 593 }
 594
 595 /*
 596  *  make sure we have at least 'n' bytes in list 'l'
 597  */
 598 static void
 599 ensure(TlsRec *s, Block **l, int n)
 600 {
 601         int sofar, i;
 602         Block *b, *bl;
 603
 604         sofar = 0;
 605         for(b = *l; b; b = b->next){
 606                 sofar += BLEN(b);
 607                 if(sofar >= n)
 608                         return;
 609                 l = &b->next;
 610         }
 611
 612         while(sofar < n){
 613                 bl = devtab[s->c->type]->bread(s->c, MaxCipherRecLen + RecHdrLen, 0);
 614                 if(bl == 0)
 615                         error(Ehungup);
 616                 *l = bl;
 617                 i = 0;
 618                 for(b = bl; b; b = b->next){
 619                         i += BLEN(b);
 620                         l = &b->next;
 621                 }
 622                 if(i == 0)
 623                         error(Ehungup);
 624                 sofar += i;
 625         }
 626 if(s->debug) pprint("ensure read %d\n", sofar);
 627 }
 628
 629 /*
 630  *  copy 'n' bytes from 'l' into 'p' and free
 631  *  the bytes in 'l'
 632  */
 633 static void
 634 consume(Block **l, uchar *p, int n)
 635 {
 636         Block *b;
 637         int i;
 638
 639         for(; *l && n > 0; n -= i){
 640                 b = *l;
 641                 i = BLEN(b);
 642                 if(i > n)
 643                         i = n;
 644                 memmove(p, b->rp, i);
 645                 b->rp += i;
 646                 p += i;
 647                 if(BLEN(b) < 0)
 648                         panic("consume");
 649                 if(BLEN(b))
 650                         break;
 651                 *l = b->next;
 652                 freeb(b);
 653         }
 654 }
 655
 656 /*
 657  *  give back n bytes
 658  */
 659 static void
 660 regurgitate(TlsRec *s, uchar *p, int n)
 661 {
 662         Block *b;
 663
 664         if(n <= 0)
 665                 return;
 666         b = s->unprocessed;
 667         if(s->unprocessed == nil || b->rp - b->base < n) {
 668                 b = allocb(n);
 669                 memmove(b->wp, p, n);
 670                 b->wp += n;
 671                 b->next = s->unprocessed;
 672                 s->unprocessed = b;
 673         } else {
 674                 b->rp -= n;
 675                 memmove(b->rp, p, n);
 676         }
 677 }
 678
 679 /*
 680  *  remove at most n bytes from the queue
 681  */
 682 static Block*
 683 qgrab(Block **l, int n)
 684 {
 685         Block *bb, *b;
 686         int i;
 687
 688         b = *l;
 689         if(BLEN(b) == n){
 690                 *l = b->next;
 691                 b->next = nil;
 692                 return b;
 693         }
 694
 695         i = 0;
 696         for(bb = b; bb != nil && i < n; bb = bb->next)
 697                 i += BLEN(bb);
 698         if(i > n)
 699                 i = n;
 700
 701         bb = allocb(i);
 702         consume(l, bb->wp, i);
 703         bb->wp += i;
 704         return bb;
 705 }
 706
 707 static void
 708 tlsclosed(TlsRec *tr, int new)
 709 {
 710         lock(&tr->statelk);
 711         if(tr->state == SOpen || tr->state == SHandshake)
 712                 tr->state = new;
 713         else if((new | tr->state) == (SRClose|SLClose))
 714                 tr->state = SClosed;
 715         unlock(&tr->statelk);
 716         alertHand(tr, "close notify");
 717 }
 718
 719 /*
 720  *  read and process one tls record layer message
 721  *  must be called with tr->in.io held
 722  *  We can't let Eintrs lose data, since doing so will get
 723  *  us out of sync with the sender and break the reliablity
 724  *  of the channel.  Eintr only happens during the reads in
 725  *  consume.  Therefore we put back any bytes consumed before
 726  *  the last call to ensure.
 727  */
 728 static void
 729 tlsrecread(TlsRec *tr)
 730 {
 731         OneWay *volatile in;
 732         Block *volatile b;
 733         uchar *p, seq[8], header[RecHdrLen], hmac[MD5dlen];
 734         int volatile nconsumed;
 735         int len, type, ver, unpad_len;
 736
 737         nconsumed = 0;
 738         if(waserror()){
 739                 if(strcmp(up->errstr, Eintr) == 0 && !waserror()){
 740                         regurgitate(tr, header, nconsumed);
 741                         poperror();
 742                 }else
 743                         tlsError(tr, "channel error");
 744                 nexterror();
 745         }
 746         ensure(tr, &tr->unprocessed, RecHdrLen);
 747         consume(&tr->unprocessed, header, RecHdrLen);
 748 if(tr->debug)pprint("consumed %d header\n", RecHdrLen);
 749         nconsumed = RecHdrLen;
 750
 751         if((tr->handin == 0) && (header[0] & 0x80)){
 752                 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
 753                         This is sent by some clients that we must interoperate
 754                         with, such as Java's JSSE and Microsoft's Internet Explorer. */
 755                 len = (get16(header) & ~0x8000) - 3;
 756                 type = header[2];
 757                 ver = get16(header + 3);
 758                 if(type != SSL2ClientHello || len < 22)
 759                         rcvError(tr, EProtocolVersion, "invalid initial SSL2-like message");
 760         }else{  /* normal SSL3 record format */
 761                 type = header[0];
 762                 ver = get16(header+1);
 763                 len = get16(header+3);
 764         }
 765         if(ver != tr->version && (tr->verset || ver < MinProtoVersion || ver > MaxProtoVersion))
 766                 rcvError(tr, EProtocolVersion, "devtls expected ver=%x%s, saw (len=%d) type=%x ver=%x '%.12s'",
 767                         tr->version, tr->verset?"/set":"", len, type, ver, (char*)header);
 768         if(len > MaxCipherRecLen || len < 0)
 769                 rcvError(tr, ERecordOverflow, "record message too long %d", len);
 770         ensure(tr, &tr->unprocessed, len);
 771         nconsumed = 0;
 772         poperror();
 773
 774         /*
 775          * If an Eintr happens after this, we'll get out of sync.
 776          * Make sure nothing we call can sleep.
 777          * Errors are ok, as they kill the connection.
 778          * Luckily, allocb won't sleep, it'll just error out.
 779          */
 780         b = nil;
 781         if(waserror()){
 782                 if(b != nil)
 783                         freeb(b);
 784                 tlsError(tr, "channel error");
 785                 nexterror();
 786         }
 787         b = qgrab(&tr->unprocessed, len);
 788 if(tr->debug) pprint("consumed unprocessed %d\n", len);
 789
 790         in = &tr->in;
 791         if(waserror()){
 792                 qunlock(&in->seclock);
 793                 nexterror();
 794         }
 795         qlock(&in->seclock);
 796         p = b->rp;
 797         if(in->sec != nil) {
 798                 /* to avoid Canvel-Hiltgen-Vaudenay-Vuagnoux attack, all errors here
 799                         should look alike, including timing of the response. */
 800                 unpad_len = (*in->sec->dec)(in->sec, p, len);
 801                 if(unpad_len >= in->sec->maclen)
 802                         len = unpad_len - in->sec->maclen;
 803 if(tr->debug) pprint("decrypted %d\n", unpad_len);
 804 if(tr->debug) pdump(unpad_len, p, "decrypted:");
 805
 806                 /* update length */
 807                 put16(header+3, len);
 808                 put64(seq, in->seq);
 809                 in->seq++;
 810                 (*tr->packMac)(in->sec, in->sec->mackey, seq, header, p, len, hmac);
 811                 if(unpad_len < in->sec->maclen)
 812                         rcvError(tr, EBadRecordMac, "short record mac");
 813                 if(memcmp(hmac, p+len, in->sec->maclen) != 0)
 814                         rcvError(tr, EBadRecordMac, "record mac mismatch");
 815                 b->wp = b->rp + len;
 816         }
 817         qunlock(&in->seclock);
 818         poperror();
 819         if(len < 0)
 820                 rcvError(tr, EDecodeError, "runt record message");
 821
 822         switch(type) {
 823         default:
 824                 rcvError(tr, EIllegalParameter, "invalid record message %#x", type);
 825                 break;
 826         case RChangeCipherSpec:
 827                 if(len != 1 || p[0] != 1)
 828                         rcvError(tr, EDecodeError, "invalid change cipher spec");
 829                 qlock(&in->seclock);
 830                 if(in->new == nil){
 831                         qunlock(&in->seclock);
 832                         rcvError(tr, EUnexpectedMessage, "unexpected change cipher spec");
 833                 }
 834                 freeSec(in->sec);
 835                 in->sec = in->new;
 836                 in->new = nil;
 837                 in->seq = 0;
 838                 qunlock(&in->seclock);
 839                 break;
 840         case RAlert:
 841                 if(len != 2)
 842                         rcvError(tr, EDecodeError, "invalid alert");
 843                 if(p[0] == 2)
 844                         rcvAlert(tr, p[1]);
 845                 if(p[0] != 1)
 846                         rcvError(tr, EIllegalParameter, "invalid alert fatal code");
 847
 848                 /*
 849                  * propate non-fatal alerts to handshaker
 850                  */
 851                 if(p[1] == ECloseNotify) {
 852                         tlsclosed(tr, SRClose);
 853                         if(tr->opened)
 854                                 error("tls hungup");
 855                         error("close notify");
 856                 }
 857                 if(p[1] == ENoRenegotiation)
 858                         alertHand(tr, "no renegotiation");
 859                 else if(p[1] == EUserCanceled)
 860                         alertHand(tr, "handshake canceled by user");
 861                 else
 862                         rcvError(tr, EIllegalParameter, "invalid alert code");
 863                 break;
 864         case RHandshake:
 865                 /*
 866                  * don't worry about dropping the block
 867                  * qbwrite always queues even if flow controlled and interrupted.
 868                  *
 869                  * if there isn't any handshaker, ignore the request,
 870                  * but notify the other side we are doing so.
 871                  */
 872                 lock(&tr->hqlock);
 873                 if(tr->handq != nil){
 874                         tr->hqref++;
 875                         unlock(&tr->hqlock);
 876                         if(waserror()){
 877                                 dechandq(tr);
 878                                 nexterror();
 879                         }
 880                         b = padblock(b, 1);
 881                         *b->rp = RHandshake;
 882                         qbwrite(tr->handq, b);
 883                         b = nil;
 884                         poperror();
 885                         dechandq(tr);
 886                 }else{
 887                         unlock(&tr->hqlock);
 888                         if(tr->verset && tr->version != SSL3Version && !waserror()){
 889                                 sendAlert(tr, ENoRenegotiation);
 890                                 poperror();
 891                         }
 892                 }
 893                 break;
 894         case SSL2ClientHello:
 895                 lock(&tr->hqlock);
 896                 if(tr->handq != nil){
 897                         tr->hqref++;
 898                         unlock(&tr->hqlock);
 899                         if(waserror()){
 900                                 dechandq(tr);
 901                                 nexterror();
 902                         }
 903                         /* Pass the SSL2 format data, so that the handshake code can compute
 904                                 the correct checksums.  HSSL2ClientHello = HandshakeType 9 is
 905                                 unused in RFC2246. */
 906                         b = padblock(b, 8);
 907                         b->rp[0] = RHandshake;
 908                         b->rp[1] = HSSL2ClientHello;
 909                         put24(&b->rp[2], len+3);
 910                         b->rp[5] = SSL2ClientHello;
 911                         put16(&b->rp[6], ver);
 912                         qbwrite(tr->handq, b);
 913                         b = nil;
 914                         poperror();
 915                         dechandq(tr);
 916                 }else{
 917                         unlock(&tr->hqlock);
 918                         if(tr->verset && tr->version != SSL3Version && !waserror()){
 919                                 sendAlert(tr, ENoRenegotiation);
 920                                 poperror();
 921                         }
 922                 }
 923                 break;
 924         case RApplication:
 925                 if(!tr->opened)
 926                         rcvError(tr, EUnexpectedMessage, "application message received before handshake completed");
 927                 if(BLEN(b) > 0){
 928                         tr->processed = b;
 929                         b = nil;
 930                 }
 931                 break;
 932         }
 933         if(b != nil)
 934                 freeb(b);
 935         poperror();
 936 }
 937
 938 /*
 939  * got a fatal alert message
 940  */
 941 static void
 942 rcvAlert(TlsRec *tr, int err)
 943 {
 944         char *s;
 945         int i;
 946
 947         s = "unknown error";
 948         for(i=0; i < nelem(tlserrs); i++){
 949                 if(tlserrs[i].err == err){
 950                         s = tlserrs[i].msg;
 951                         break;
 952                 }
 953         }
 954 if(tr->debug) pprint("rcvAlert: %s\n", s);
 955
 956         tlsError(tr, s);
 957         if(!tr->opened)
 958                 error(s);
 959         error("tls error");
 960 }
 961
 962 /*
 963  * found an error while decoding the input stream
 964  */
 965 static void
 966 rcvError(TlsRec *tr, int err, char *fmt, ...)
 967 {
 968         char msg[ERRMAX];
 969         va_list arg;
 970
 971         va_start(arg, fmt);
 972         vseprint(msg, msg+sizeof(msg), fmt, arg);
 973         va_end(arg);
 974 if(tr->debug) pprint("rcvError: %s\n", msg);
 975
 976         sendAlert(tr, err);
 977
 978         if(!tr->opened)
 979                 error(msg);
 980         error("tls error");
 981 }
 982
 983 /*
 984  * make sure the next hand operation returns with a 'msg' error
 985  */
 986 static void
 987 alertHand(TlsRec *tr, char *msg)
 988 {
 989         Block *b;
 990         int n;
 991
 992         lock(&tr->hqlock);
 993         if(tr->handq == nil){
 994                 unlock(&tr->hqlock);
 995                 return;
 996         }
 997         tr->hqref++;
 998         unlock(&tr->hqlock);
 999
1000         n = strlen(msg);
1001         if(waserror()){
1002                 dechandq(tr);
1003                 nexterror();
1004         }
1005         b = allocb(n + 2);
1006         *b->wp++ = RAlert;
1007         memmove(b->wp, msg, n + 1);
1008         b->wp += n + 1;
1009
1010         qbwrite(tr->handq, b);
1011
1012         poperror();
1013         dechandq(tr);
1014 }
1015
1016 static void
1017 checkstate(TlsRec *tr, int ishand, int ok)
1018 {
1019         int state;
1020
1021         lock(&tr->statelk);
1022         state = tr->state;
1023         unlock(&tr->statelk);
1024         if(state & ok)
1025                 return;
1026         switch(state){
1027         case SHandshake:
1028         case SOpen:
1029                 break;
1030         case SError:
1031         case SAlert:
1032                 if(ishand)
1033                         error(tr->err);
1034                 error("tls error");
1035         case SRClose:
1036         case SLClose:
1037         case SClosed:
1038                 error("tls hungup");
1039         }
1040         error("tls improperly configured");
1041 }
1042
1043 static Block*
1044 tlsbread(Chan *c, long n, ulong offset)
1045 {
1046         int ty;
1047         Block *b;
1048         TlsRec *volatile tr;
1049
1050         ty = TYPE(c->qid);
1051         switch(ty) {
1052         default:
1053                 return devbread(c, n, offset);
1054         case Qhand:
1055         case Qdata:
1056                 break;
1057         }
1058
1059         tr = tlsdevs[CONV(c->qid)];
1060         if(tr == nil)
1061                 panic("tlsbread");
1062
1063         if(waserror()){
1064                 qunlock(&tr->in.io);
1065                 nexterror();
1066         }
1067         qlock(&tr->in.io);
1068         if(ty == Qdata){
1069                 checkstate(tr, 0, SOpen);
1070                 while(tr->processed == nil)
1071                         tlsrecread(tr);
1072
1073                 /* return at most what was asked for */
1074                 b = qgrab(&tr->processed, n);
1075 if(tr->debug) pprint("consumed processed %ld\n", BLEN(b));
1076 if(tr->debug) pdump(BLEN(b), b->rp, "consumed:");
1077                 qunlock(&tr->in.io);
1078                 poperror();
1079                 tr->datain += BLEN(b);
1080         }else{
1081                 checkstate(tr, 1, SOpen|SHandshake|SLClose);
1082
1083                 /*
1084                  * it's ok to look at state without the lock
1085                  * since it only protects reading records,
1086                  * and we have that tr->in.io held.
1087                  */
1088                 while(!tr->opened && tr->hprocessed == nil && !qcanread(tr->handq))
1089                         tlsrecread(tr);
1090
1091                 qunlock(&tr->in.io);
1092                 poperror();
1093
1094                 if(waserror()){
1095                         qunlock(&tr->hqread);
1096                         nexterror();
1097                 }
1098                 qlock(&tr->hqread);
1099                 if(tr->hprocessed == nil){
1100                         b = qbread(tr->handq, MaxRecLen + 1);
1101                         if(*b->rp++ == RAlert){
1102                                 kstrcpy(up->errstr, (char*)b->rp, ERRMAX);
1103                                 freeb(b);
1104                                 nexterror();
1105                         }
1106                         tr->hprocessed = b;
1107                 }
1108                 b = qgrab(&tr->hprocessed, n);
1109                 poperror();
1110                 qunlock(&tr->hqread);
1111                 tr->handin += BLEN(b);
1112         }
1113
1114         return b;
1115 }
1116
1117 static long
1118 tlsread(Chan *c, void *a, long n, vlong off)
1119 {
1120         Block *volatile b;
1121         Block *nb;
1122         uchar *va;
1123         int i, ty;
1124         char *buf, *s, *e;
1125         ulong offset = off;
1126         TlsRec * tr;
1127
1128         if(c->qid.type & QTDIR)
1129                 return devdirread(c, a, n, 0, 0, tlsgen);
1130
1131         tr = tlsdevs[CONV(c->qid)];
1132         ty = TYPE(c->qid);
1133         switch(ty) {
1134         default:
1135                 error(Ebadusefd);
1136         case Qstatus:
1137                 buf = smalloc(Statlen);
1138                 qlock(&tr->in.seclock);
1139                 qlock(&tr->out.seclock);
1140                 s = buf;
1141                 e = buf + Statlen;
1142                 s = seprint(s, e, "State: %s\n", tlsstate(tr->state));
1143                 s = seprint(s, e, "Version: %#x\n", tr->version);
1144                 if(tr->in.sec != nil)
1145                         s = seprint(s, e, "EncIn: %s\nHashIn: %s\n", tr->in.sec->encalg, tr->in.sec->hashalg);
1146                 if(tr->in.new != nil)
1147                         s = seprint(s, e, "NewEncIn: %s\nNewHashIn: %s\n", tr->in.new->encalg, tr->in.new->hashalg);
1148                 if(tr->out.sec != nil)
1149                         s = seprint(s, e, "EncOut: %s\nHashOut: %s\n", tr->out.sec->encalg, tr->out.sec->hashalg);
1150                 if(tr->out.new != nil)
1151                         seprint(s, e, "NewEncOut: %s\nNewHashOut: %s\n", tr->out.new->encalg, tr->out.new->hashalg);
1152                 qunlock(&tr->in.seclock);
1153                 qunlock(&tr->out.seclock);
1154                 n = readstr(offset, a, n, buf);
1155                 free(buf);
1156                 return n;
1157         case Qstats:
1158                 buf = smalloc(Statlen);
1159                 s = buf;
1160                 e = buf + Statlen;
1161                 s = seprint(s, e, "DataIn: %lld\n", tr->datain);
1162                 s = seprint(s, e, "DataOut: %lld\n", tr->dataout);
1163                 s = seprint(s, e, "HandIn: %lld\n", tr->handin);
1164                 seprint(s, e, "HandOut: %lld\n", tr->handout);
1165                 n = readstr(offset, a, n, buf);
1166                 free(buf);
1167                 return n;
1168         case Qctl:
1169                 buf = smalloc(Statlen);
1170                 snprint(buf, Statlen, "%llud", CONV(c->qid));
1171                 n = readstr(offset, a, n, buf);
1172                 free(buf);
1173                 return n;
1174         case Qdata:
1175         case Qhand:
1176                 b = tlsbread(c, n, offset);
1177                 break;
1178         case Qencalgs:
1179                 return readstr(offset, a, n, encalgs);
1180         case Qhashalgs:
1181                 return readstr(offset, a, n, hashalgs);
1182         }
1183
1184         if(waserror()){
1185                 freeblist(b);
1186                 nexterror();
1187         }
1188
1189         n = 0;
1190         va = a;
1191         for(nb = b; nb; nb = nb->next){
1192                 i = BLEN(nb);
1193                 memmove(va+n, nb->rp, i);
1194                 n += i;
1195         }
1196
1197         freeblist(b);
1198         poperror();
1199
1200         return n;
1201 }
1202
1203 /*
1204  *  write a block in tls records
1205  */
1206 static void
1207 tlsrecwrite(TlsRec *tr, int type, Block *b)
1208 {
1209         Block *volatile bb;
1210         Block *nb;
1211         uchar *p, seq[8];
1212         OneWay *volatile out;
1213         int n, maclen, pad, ok;
1214
1215         out = &tr->out;
1216         bb = b;
1217         if(waserror()){
1218                 qunlock(&out->io);
1219                 if(bb != nil)
1220                         freeb(bb);
1221                 nexterror();
1222         }
1223         qlock(&out->io);
1224 if(tr->debug)pprint("send %ld\n", BLEN(b));
1225 if(tr->debug)pdump(BLEN(b), b->rp, "sent:");
1226
1227
1228         ok = SHandshake|SOpen|SRClose;
1229         if(type == RAlert)
1230                 ok |= SAlert;
1231         while(bb != nil){
1232                 checkstate(tr, type != RApplication, ok);
1233
1234                 /*
1235                  * get at most one maximal record's input,
1236                  * with padding on the front for header and
1237                  * back for mac and maximal block padding.
1238                  */
1239                 if(waserror()){
1240                         qunlock(&out->seclock);
1241                         nexterror();
1242                 }
1243                 qlock(&out->seclock);
1244                 maclen = 0;
1245                 pad = 0;
1246                 if(out->sec != nil){
1247                         maclen = out->sec->maclen;
1248                         pad = maclen + out->sec->block;
1249                 }
1250                 n = BLEN(bb);
1251                 if(n > MaxRecLen){
1252                         n = MaxRecLen;
1253                         nb = allocb(n + pad + RecHdrLen);
1254                         memmove(nb->wp + RecHdrLen, bb->rp, n);
1255                         bb->rp += n;
1256                 }else{
1257                         /*
1258                          * carefully reuse bb so it will get freed if we're out of memory
1259                          */
1260                         bb = padblock(bb, RecHdrLen);
1261                         if(pad)
1262                                 nb = padblock(bb, -pad);
1263                         else
1264                                 nb = bb;
1265                         bb = nil;
1266                 }
1267
1268                 p = nb->rp;
1269                 p[0] = type;
1270                 put16(p+1, tr->version);
1271                 put16(p+3, n);
1272
1273                 if(out->sec != nil){
1274                         put64(seq, out->seq);
1275                         out->seq++;
1276                         (*tr->packMac)(out->sec, out->sec->mackey, seq, p, p + RecHdrLen, n, p + RecHdrLen + n);
1277                         n += maclen;
1278
1279                         /* encrypt */
1280                         n = (*out->sec->enc)(out->sec, p + RecHdrLen, n);
1281                         nb->wp = p + RecHdrLen + n;
1282
1283                         /* update length */
1284                         put16(p+3, n);
1285                 }
1286                 if(type == RChangeCipherSpec){
1287                         if(out->new == nil)
1288                                 error("change cipher without a new cipher");
1289                         freeSec(out->sec);
1290                         out->sec = out->new;
1291                         out->new = nil;
1292                         out->seq = 0;
1293                 }
1294                 qunlock(&out->seclock);
1295                 poperror();
1296
1297                 /*
1298                  * if bwrite error's, we assume the block is queued.
1299                  * if not, we're out of sync with the receiver and will not recover.
1300                  */
1301                 if(waserror()){
1302                         if(strcmp(up->errstr, "interrupted") != 0)
1303                                 tlsError(tr, "channel error");
1304                         nexterror();
1305                 }
1306                 devtab[tr->c->type]->bwrite(tr->c, nb, 0);
1307                 poperror();
1308         }
1309         qunlock(&out->io);
1310         poperror();
1311 }
1312
1313 static long
1314 tlsbwrite(Chan *c, Block *b, ulong offset)
1315 {
1316         int ty;
1317         ulong n;
1318         TlsRec *tr;
1319
1320         n = BLEN(b);
1321
1322         tr = tlsdevs[CONV(c->qid)];
1323         if(tr == nil)
1324                 panic("tlsbread");
1325
1326         ty = TYPE(c->qid);
1327         switch(ty) {
1328         default:
1329                 return devbwrite(c, b, offset);
1330         case Qhand:
1331                 tlsrecwrite(tr, RHandshake, b);
1332                 tr->handout += n;
1333                 break;
1334         case Qdata:
1335                 checkstate(tr, 0, SOpen);
1336                 tlsrecwrite(tr, RApplication, b);
1337                 tr->dataout += n;
1338                 break;
1339         }
1340
1341         return n;
1342 }
1343
1344 typedef struct Hashalg Hashalg;
1345 struct Hashalg
1346 {
1347         char    *name;
1348         int     maclen;
1349         void    (*initkey)(Hashalg *, int, Secret *, uchar*);
1350 };
1351
1352 static void
1353 initmd5key(Hashalg *ha, int version, Secret *s, uchar *p)
1354 {
1355         s->maclen = ha->maclen;
1356         if(version == SSL3Version)
1357                 s->mac = sslmac_md5;
1358         else
1359                 s->mac = hmac_md5;
1360         memmove(s->mackey, p, ha->maclen);
1361 }
1362
1363 static void
1364 initclearmac(Hashalg *, int, Secret *s, uchar *)
1365 {
1366         s->maclen = 0;
1367         s->mac = nomac;
1368 }
1369
1370 static void
1371 initsha1key(Hashalg *ha, int version, Secret *s, uchar *p)
1372 {
1373         s->maclen = ha->maclen;
1374         if(version == SSL3Version)
1375                 s->mac = sslmac_sha1;
1376         else
1377                 s->mac = hmac_sha1;
1378         memmove(s->mackey, p, ha->maclen);
1379 }
1380
1381 static Hashalg hashtab[] =
1382 {
1383         { "clear", 0, initclearmac, },
1384         { "md5", MD5dlen, initmd5key, },
1385         { "sha1", SHA1dlen, initsha1key, },
1386         { 0 }
1387 };
1388
1389 static Hashalg*
1390 parsehashalg(char *p)
1391 {
1392         Hashalg *ha;
1393
1394         for(ha = hashtab; ha->name; ha++)
1395                 if(strcmp(p, ha->name) == 0)
1396                         return ha;
1397         error("unsupported hash algorithm");
1398         return nil;
1399 }
1400
1401 typedef struct Encalg Encalg;
1402 struct Encalg
1403 {
1404         char    *name;
1405         int     keylen;
1406         int     ivlen;
1407         void    (*initkey)(Encalg *ea, Secret *, uchar*, uchar*);
1408 };
1409
1410 static void
1411 initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *)
1412 {
1413         s->enckey = smalloc(sizeof(RC4state));
1414         s->enc = rc4enc;
1415         s->dec = rc4enc;
1416         s->block = 0;
1417         setupRC4state(s->enckey, p, ea->keylen);
1418 }
1419
1420 static void
1421 initDES3key(Encalg *, Secret *s, uchar *p, uchar *iv)
1422 {
1423         s->enckey = smalloc(sizeof(DES3state));
1424         s->enc = des3enc;
1425         s->dec = des3dec;
1426         s->block = 8;
1427         setupDES3state(s->enckey, (uchar(*)[8])p, iv);
1428 }
1429
1430 static void
1431 initclearenc(Encalg *, Secret *s, uchar *, uchar *)
1432 {
1433         s->enc = noenc;
1434         s->dec = noenc;
1435         s->block = 0;
1436 }
1437
1438 static Encalg encrypttab[] =
1439 {
1440         { "clear", 0, 0, initclearenc },
1441         { "rc4_128", 128/8, 0, initRC4key },
1442         { "3des_ede_cbc", 3 * 8, 8, initDES3key },
1443         { 0 }
1444 };
1445
1446 static Encalg*
1447 parseencalg(char *p)
1448 {
1449         Encalg *ea;
1450
1451         for(ea = encrypttab; ea->name; ea++)
1452                 if(strcmp(p, ea->name) == 0)
1453                         return ea;
1454         error("unsupported encryption algorithm");
1455         return nil;
1456 }
1457
1458 static long
1459 tlswrite(Chan *c, void *a, long n, vlong off)
1460 {
1461         Encalg *ea;
1462         Hashalg *ha;
1463         TlsRec *volatile tr;
1464         Secret *volatile tos, *volatile toc;
1465         Block *volatile b;
1466         Cmdbuf *volatile cb;
1467         int m, ty;
1468         char *p, *e;
1469         uchar *volatile x;
1470         ulong offset = off;
1471
1472         tr = tlsdevs[CONV(c->qid)];
1473         if(tr == nil)
1474                 panic("tlswrite");
1475
1476         ty = TYPE(c->qid);
1477         switch(ty){
1478         case Qdata:
1479         case Qhand:
1480                 p = a;
1481                 e = p + n;
1482                 do{
1483                         m = e - p;
1484                         if(m > MaxRecLen)
1485                                 m = MaxRecLen;
1486
1487                         b = allocb(m);
1488                         if(waserror()){
1489                                 freeb(b);
1490                                 nexterror();
1491                         }
1492                         memmove(b->wp, p, m);
1493                         poperror();
1494                         b->wp += m;
1495
1496                         tlsbwrite(c, b, offset);
1497
1498                         p += m;
1499                 }while(p < e);
1500                 return n;
1501         case Qctl:
1502                 break;
1503         default:
1504                 error(Ebadusefd);
1505                 return -1;
1506         }
1507
1508         cb = parsecmd(a, n);
1509         if(waserror()){
1510                 free(cb);
1511                 nexterror();
1512         }
1513         if(cb->nf < 1)
1514                 error("short control request");
1515
1516         /* mutex with operations using what we're about to change */
1517         if(waserror()){
1518                 qunlock(&tr->in.seclock);
1519                 qunlock(&tr->out.seclock);
1520                 nexterror();
1521         }
1522         qlock(&tr->in.seclock);
1523         qlock(&tr->out.seclock);
1524
1525         if(strcmp(cb->f[0], "fd") == 0){
1526                 if(cb->nf != 3)
1527                         error("usage: fd open-fd version");
1528                 if(tr->c != nil)
1529                         error(Einuse);
1530                 m = strtol(cb->f[2], nil, 0);
1531                 if(m < MinProtoVersion || m > MaxProtoVersion)
1532                         error("unsupported version");
1533                 tr->c = buftochan(cb->f[1]);
1534                 tr->version = m;
1535                 tlsSetState(tr, SHandshake, SClosed);
1536         }else if(strcmp(cb->f[0], "version") == 0){
1537                 if(cb->nf != 2)
1538                         error("usage: version vers");
1539                 if(tr->c == nil)
1540                         error("must set fd before version");
1541                 if(tr->verset)
1542                         error("version already set");
1543                 m = strtol(cb->f[1], nil, 0);
1544                 if(m == SSL3Version)
1545                         tr->packMac = sslPackMac;
1546                 else if(m == TLSVersion)
1547                         tr->packMac = tlsPackMac;
1548                 else
1549                         error("unsupported version");
1550                 tr->verset = 1;
1551                 tr->version = m;
1552         }else if(strcmp(cb->f[0], "secret") == 0){
1553                 if(cb->nf != 5)
1554                         error("usage: secret hashalg encalg isclient secretdata");
1555                 if(tr->c == nil || !tr->verset)
1556                         error("must set fd and version before secrets");
1557
1558                 if(tr->in.new != nil){
1559                         freeSec(tr->in.new);
1560                         tr->in.new = nil;
1561                 }
1562                 if(tr->out.new != nil){
1563                         freeSec(tr->out.new);
1564                         tr->out.new = nil;
1565                 }
1566
1567                 ha = parsehashalg(cb->f[1]);
1568                 ea = parseencalg(cb->f[2]);
1569
1570                 p = cb->f[4];
1571                 m = (strlen(p)*3)/2;
1572                 x = smalloc(m);
1573                 tos = nil;
1574                 toc = nil;
1575                 if(waserror()){
1576                         freeSec(tos);
1577                         freeSec(toc);
1578                         free(x);
1579                         nexterror();
1580                 }
1581                 m = dec64(x, m, p, strlen(p));
1582                 if(m < 2 * ha->maclen + 2 * ea->keylen + 2 * ea->ivlen)
1583                         error("not enough secret data provided");
1584
1585                 tos = smalloc(sizeof(Secret));
1586                 toc = smalloc(sizeof(Secret));
1587                 if(!ha->initkey || !ea->initkey)
1588                         error("misimplemented secret algorithm");
1589                 (*ha->initkey)(ha, tr->version, tos, &x[0]);
1590                 (*ha->initkey)(ha, tr->version, toc, &x[ha->maclen]);
1591                 (*ea->initkey)(ea, tos, &x[2 * ha->maclen], &x[2 * ha->maclen + 2 * ea->keylen]);
1592                 (*ea->initkey)(ea, toc, &x[2 * ha->maclen + ea->keylen], &x[2 * ha->maclen + 2 * ea->keylen + ea->ivlen]);
1593
1594                 if(!tos->mac || !tos->enc || !tos->dec
1595                 || !toc->mac || !toc->enc || !toc->dec)
1596                         error("missing algorithm implementations");
1597                 if(strtol(cb->f[3], nil, 0) == 0){
1598                         tr->in.new = tos;
1599                         tr->out.new = toc;
1600                 }else{
1601                         tr->in.new = toc;
1602                         tr->out.new = tos;
1603                 }
1604                 if(tr->version == SSL3Version){
1605                         toc->unpad = sslunpad;
1606                         tos->unpad = sslunpad;
1607                 }else{
1608                         toc->unpad = tlsunpad;
1609                         tos->unpad = tlsunpad;
1610                 }
1611                 toc->encalg = ea->name;
1612                 toc->hashalg = ha->name;
1613                 tos->encalg = ea->name;
1614                 tos->hashalg = ha->name;
1615
1616                 free(x);
1617                 poperror();
1618         }else if(strcmp(cb->f[0], "changecipher") == 0){
1619                 if(cb->nf != 1)
1620                         error("usage: changecipher");
1621                 if(tr->out.new == nil)
1622                         error("cannot change cipher spec without setting secret");
1623
1624                 qunlock(&tr->in.seclock);
1625                 qunlock(&tr->out.seclock);
1626                 poperror();
1627                 free(cb);
1628                 poperror();
1629
1630                 /*
1631                  * the real work is done as the message is written
1632                  * so the stream is encrypted in sync.
1633                  */
1634                 b = allocb(1);
1635                 *b->wp++ = 1;
1636                 tlsrecwrite(tr, RChangeCipherSpec, b);
1637                 return n;
1638         }else if(strcmp(cb->f[0], "opened") == 0){
1639                 if(cb->nf != 1)
1640                         error("usage: opened");
1641                 if(tr->in.sec == nil || tr->out.sec == nil)
1642                         error("cipher must be configured before enabling data messages");
1643                 lock(&tr->statelk);
1644                 if(tr->state != SHandshake && tr->state != SOpen){
1645                         unlock(&tr->statelk);
1646                         error("cannot enable data messages");
1647                 }
1648                 tr->state = SOpen;
1649                 unlock(&tr->statelk);
1650                 tr->opened = 1;
1651         }else if(strcmp(cb->f[0], "alert") == 0){
1652                 if(cb->nf != 2)
1653                         error("usage: alert n");
1654                 if(tr->c == nil)
1655                         error("must set fd before sending alerts");
1656                 m = strtol(cb->f[1], nil, 0);
1657
1658                 qunlock(&tr->in.seclock);
1659                 qunlock(&tr->out.seclock);
1660                 poperror();
1661                 free(cb);
1662                 poperror();
1663
1664                 sendAlert(tr, m);
1665
1666                 if(m == ECloseNotify)
1667                         tlsclosed(tr, SLClose);
1668
1669                 return n;
1670         } else if(strcmp(cb->f[0], "debug") == 0){
1671                 if(cb->nf == 2){
1672                         if(strcmp(cb->f[1], "on") == 0)
1673                                 tr->debug = 1;
1674                         else
1675                                 tr->debug = 0;
1676                 } else
1677                         tr->debug = 1;
1678         } else
1679                 error(Ebadarg);
1680
1681         qunlock(&tr->in.seclock);
1682         qunlock(&tr->out.seclock);
1683         poperror();
1684         free(cb);
1685         poperror();
1686
1687         return n;
1688 }
1689
1690 static void
1691 tlsinit(void)
1692 {
1693         struct Encalg *e;
1694         struct Hashalg *h;
1695         int n;
1696         char *cp;
1697         static int already;
1698
1699         if(!already){
1700                 fmtinstall('H', encodefmt);
1701                 already = 1;
1702         }
1703
1704         tlsdevs = smalloc(sizeof(TlsRec*) * maxtlsdevs);
1705         trnames = smalloc((sizeof *trnames) * maxtlsdevs);
1706
1707         n = 1;
1708         for(e = encrypttab; e->name != nil; e++)
1709                 n += strlen(e->name) + 1;
1710         cp = encalgs = smalloc(n);
1711         for(e = encrypttab;;){
1712                 strcpy(cp, e->name);
1713                 cp += strlen(e->name);
1714                 e++;
1715                 if(e->name == nil)
1716                         break;
1717                 *cp++ = ' ';
1718         }
1719         *cp = 0;
1720
1721         n = 1;
1722         for(h = hashtab; h->name != nil; h++)
1723                 n += strlen(h->name) + 1;
1724         cp = hashalgs = smalloc(n);
1725         for(h = hashtab;;){
1726                 strcpy(cp, h->name);
1727                 cp += strlen(h->name);
1728                 h++;
1729                 if(h->name == nil)
1730                         break;
1731                 *cp++ = ' ';
1732         }
1733         *cp = 0;
1734 }
1735
1736 Dev tlsdevtab = {
1737         'a',
1738         "tls",
1739
1740         devreset,
1741         tlsinit,
1742         devshutdown,
1743         tlsattach,
1744         tlswalk,
1745         tlsstat,
1746         tlsopen,
1747         devcreate,
1748         tlsclose,
1749         tlsread,
1750         tlsbread,
1751         tlswrite,
1752         tlsbwrite,
1753         devremove,
1754         tlswstat,
1755 };
1756
1757 /* get channel associated with an fd */
1758 static Chan*
1759 buftochan(char *p)
1760 {
1761         Chan *c;
1762         int fd;
1763
1764         if(p == 0)
1765                 error(Ebadarg);
1766         fd = strtoul(p, 0, 0);
1767         if(fd < 0)
1768                 error(Ebadarg);
1769         c = fdtochan(fd, -1, 0, 1);     /* error check and inc ref */
1770         return c;
1771 }
1772
1773 static void
1774 sendAlert(TlsRec *tr, int err)
1775 {
1776         Block *b;
1777         int i, fatal;
1778         char *msg;
1779
1780 if(tr->debug)pprint("sendAlert %d\n", err);
1781         fatal = 1;
1782         msg = "tls unknown alert";
1783         for(i=0; i < nelem(tlserrs); i++) {
1784                 if(tlserrs[i].err == err) {
1785                         msg = tlserrs[i].msg;
1786                         if(tr->version == SSL3Version)
1787                                 err = tlserrs[i].sslerr;
1788                         else
1789                                 err = tlserrs[i].tlserr;
1790                         fatal = tlserrs[i].fatal;
1791                         break;
1792                 }
1793         }
1794
1795         if(!waserror()){
1796                 b = allocb(2);
1797                 *b->wp++ = fatal + 1;
1798                 *b->wp++ = err;
1799                 if(fatal)
1800                         tlsSetState(tr, SAlert, SOpen|SHandshake|SRClose);
1801                 tlsrecwrite(tr, RAlert, b);
1802                 poperror();
1803         }
1804         if(fatal)
1805                 tlsError(tr, msg);
1806 }
1807
1808 static void
1809 tlsError(TlsRec *tr, char *msg)
1810 {
1811         int s;
1812
1813 if(tr->debug)pprint("tleError %s\n", msg);
1814         lock(&tr->statelk);
1815         s = tr->state;
1816         tr->state = SError;
1817         if(s != SError){
1818                 strncpy(tr->err, msg, ERRMAX - 1);
1819                 tr->err[ERRMAX - 1] = '\0';
1820         }
1821         unlock(&tr->statelk);
1822         if(s != SError)
1823                 alertHand(tr, msg);
1824 }
1825
1826 static void
1827 tlsSetState(TlsRec *tr, int new, int old)
1828 {
1829         lock(&tr->statelk);
1830         if(tr->state & old)
1831                 tr->state = new;
1832         unlock(&tr->statelk);
1833 }
1834
1835 /* hand up a digest connection */
1836 static void
1837 tlshangup(TlsRec *tr)
1838 {
1839         Block *b;
1840
1841         qlock(&tr->in.io);
1842         for(b = tr->processed; b; b = tr->processed){
1843                 tr->processed = b->next;
1844                 freeb(b);
1845         }
1846         if(tr->unprocessed != nil){
1847                 freeb(tr->unprocessed);
1848                 tr->unprocessed = nil;
1849         }
1850         qunlock(&tr->in.io);
1851
1852         tlsSetState(tr, SClosed, ~0);
1853 }
1854
1855 static TlsRec*
1856 newtls(Chan *ch)
1857 {
1858         TlsRec **pp, **ep, **np;
1859         char **nmp;
1860         int t, newmax;
1861
1862         if(waserror()) {
1863                 unlock(&tdlock);
1864                 nexterror();
1865         }
1866         lock(&tdlock);
1867         ep = &tlsdevs[maxtlsdevs];
1868         for(pp = tlsdevs; pp < ep; pp++)
1869                 if(*pp == nil)
1870                         break;
1871         if(pp >= ep) {
1872                 if(maxtlsdevs >= MaxTlsDevs) {
1873                         unlock(&tdlock);
1874                         poperror();
1875                         return nil;
1876                 }
1877                 newmax = 2 * maxtlsdevs;
1878                 if(newmax > MaxTlsDevs)
1879                         newmax = MaxTlsDevs;
1880                 np = smalloc(sizeof(TlsRec*) * newmax);
1881                 memmove(np, tlsdevs, sizeof(TlsRec*) * maxtlsdevs);
1882                 tlsdevs = np;
1883                 pp = &tlsdevs[maxtlsdevs];
1884                 memset(pp, 0, sizeof(TlsRec*)*(newmax - maxtlsdevs));
1885
1886                 nmp = smalloc(sizeof *nmp * newmax);
1887                 memmove(nmp, trnames, sizeof *nmp * maxtlsdevs);
1888                 trnames = nmp;
1889
1890                 maxtlsdevs = newmax;
1891         }
1892         *pp = mktlsrec();
1893         if(pp - tlsdevs >= tdhiwat)
1894                 tdhiwat++;
1895         t = TYPE(ch->qid);
1896         if(t == Qclonus)
1897                 t = Qctl;
1898         ch->qid.path = QID(pp - tlsdevs, t);
1899         ch->qid.vers = 0;
1900         unlock(&tdlock);
1901         poperror();
1902         return *pp;
1903 }
1904
1905 static TlsRec *
1906 mktlsrec(void)
1907 {
1908         TlsRec *tr;
1909
1910         tr = mallocz(sizeof(*tr), 1);
1911         if(tr == nil)
1912                 error(Enomem);
1913         tr->state = SClosed;
1914         tr->ref = 1;
1915         kstrdup(&tr->user, up->user);
1916         tr->perm = 0660;
1917         return tr;
1918 }
1919
1920 static char*
1921 tlsstate(int s)
1922 {
1923         switch(s){
1924         case SHandshake:
1925                 return "Handshaking";
1926         case SOpen:
1927                 return "Established";
1928         case SRClose:
1929                 return "RemoteClosed";
1930         case SLClose:
1931                 return "LocalClosed";
1932         case SAlert:
1933                 return "Alerting";
1934         case SError:
1935                 return "Errored";
1936         case SClosed:
1937                 return "Closed";
1938         }
1939         return "Unknown";
1940 }
1941
1942 static void
1943 freeSec(Secret *s)
1944 {
1945         if(s != nil){
1946                 free(s->enckey);
1947                 free(s);
1948         }
1949 }
1950
1951 static int
1952 noenc(Secret *, uchar *, int n)
1953 {
1954         return n;
1955 }
1956
1957 static int
1958 rc4enc(Secret *sec, uchar *buf, int n)
1959 {
1960         rc4(sec->enckey, buf, n);
1961         return n;
1962 }
1963
1964 static int
1965 tlsunpad(uchar *buf, int n, int block)
1966 {
1967         int pad, nn;
1968
1969         pad = buf[n - 1];
1970         nn = n - 1 - pad;
1971         if(nn <= 0 || n % block)
1972                 return -1;
1973         while(--n > nn)
1974                 if(pad != buf[n - 1])
1975                         return -1;
1976         return nn;
1977 }
1978
1979 static int
1980 sslunpad(uchar *buf, int n, int block)
1981 {
1982         int pad, nn;
1983
1984         pad = buf[n - 1];
1985         nn = n - 1 - pad;
1986         if(nn <= 0 || n % block)
1987                 return -1;
1988         return nn;
1989 }
1990
1991 static int
1992 blockpad(uchar *buf, int n, int block)
1993 {
1994         int pad, nn;
1995
1996         nn = n + block;
1997         nn -= nn % block;
1998         pad = nn - (n + 1);
1999         while(n < nn)
2000                 buf[n++] = pad;
2001         return nn;
2002 }
2003
2004 static int
2005 des3enc(Secret *sec, uchar *buf, int n)
2006 {
2007         n = blockpad(buf, n, 8);
2008         des3CBCencrypt(buf, n, sec->enckey);
2009         return n;
2010 }
2011
2012 static int
2013 des3dec(Secret *sec, uchar *buf, int n)
2014 {
2015         des3CBCdecrypt(buf, n, sec->enckey);
2016         return (*sec->unpad)(buf, n, 8);
2017 }
2018 static DigestState*
2019 nomac(uchar *, ulong, uchar *, ulong, uchar *, DigestState *)
2020 {
2021         return nil;
2022 }
2023
2024 /*
2025  * sslmac: mac calculations for ssl 3.0 only; tls 1.0 uses the standard hmac.
2026  */
2027 static DigestState*
2028 sslmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s,
2029         DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen, int padlen)
2030 {
2031         int i;
2032         uchar pad[48], innerdigest[20];
2033
2034         if(xlen > sizeof(innerdigest)
2035         || padlen > sizeof(pad))
2036                 return nil;
2037
2038         if(klen>64)
2039                 return nil;
2040
2041         /* first time through */
2042         if(s == nil){
2043                 for(i=0; i<padlen; i++)
2044                         pad[i] = 0x36;
2045                 s = (*x)(key, klen, nil, nil);
2046                 s = (*x)(pad, padlen, nil, s);
2047                 if(s == nil)
2048                         return nil;
2049         }
2050
2051         s = (*x)(p, len, nil, s);
2052         if(digest == nil)
2053                 return s;
2054
2055         /* last time through */
2056         for(i=0; i<padlen; i++)
2057                 pad[i] = 0x5c;
2058         (*x)(nil, 0, innerdigest, s);
2059         s = (*x)(key, klen, nil, nil);
2060         s = (*x)(pad, padlen, nil, s);
2061         (*x)(innerdigest, xlen, digest, s);
2062         return nil;
2063 }
2064
2065 static DigestState*
2066 sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2067 {
2068         return sslmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen, 40);
2069 }
2070
2071 static DigestState*
2072 sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
2073 {
2074         return sslmac_x(p, len, key, klen, digest, s, md5, MD5dlen, 48);
2075 }
2076
2077 static void
2078 sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
2079 {
2080         DigestState *s;
2081         uchar buf[11];
2082
2083         memmove(buf, seq, 8);
2084         buf[8] = header[0];
2085         buf[9] = header[3];
2086         buf[10] = header[4];
2087
2088         s = (*sec->mac)(buf, 11, mackey, sec->maclen, 0, 0);
2089         (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
2090 }
2091
2092 static void
2093 tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
2094 {
2095         DigestState *s;
2096         uchar buf[13];
2097
2098         memmove(buf, seq, 8);
2099         memmove(&buf[8], header, 5);
2100
2101         s = (*sec->mac)(buf, 13, mackey, sec->maclen, 0, 0);
2102         (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
2103 }
2104
2105 static void
2106 put32(uchar *p, u32int x)
2107 {
2108         p[0] = x>>24;
2109         p[1] = x>>16;
2110         p[2] = x>>8;
2111         p[3] = x;
2112 }
2113
2114 static void
2115 put64(uchar *p, vlong x)
2116 {
2117         put32(p, (u32int)(x >> 32));
2118         put32(p+4, (u32int)x);
2119 }
2120
2121 static void
2122 put24(uchar *p, int x)
2123 {
2124         p[0] = x>>16;
2125         p[1] = x>>8;
2126         p[2] = x;
2127 }
2128
2129 static void
2130 put16(uchar *p, int x)
2131 {
2132         p[0] = x>>8;
2133         p[1] = x;
2134 }
2135
2136 static u32int
2137 get32(uchar *p)
2138 {
2139         return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2140 }
2141
2142 static int
2143 get16(uchar *p)
2144 {
2145         return (p[0]<<8)|p[1];
2146 }
2147
2148 static char *charmap = "0123456789abcdef";
2149
2150 static void
2151 pdump(int len, void *a, char *tag)
2152 {
2153         uchar *p;
2154         int i;
2155         char buf[65+32];
2156         char *q;
2157
2158         p = a;
2159         strcpy(buf, tag);
2160         while(len > 0){
2161                 q = buf + strlen(tag);
2162                 for(i = 0; len > 0 && i < 32; i++){
2163                         if(*p >= ' ' && *p < 0x7f){
2164                                 *q++ = ' ';
2165                                 *q++ = *p;
2166                         } else {
2167                                 *q++ = charmap[*p>>4];
2168                                 *q++ = charmap[*p & 0xf];
2169                         }
2170                         len--;
2171                         p++;
2172                 }
2173                 *q = 0;
2174
2175                 if(len > 0)
2176                         pprint("%s...\n", buf);
2177                 else
2178                         pprint("%s\n", buf);
2179         }
2180 }