8 // The main groups of functions are:
9 // client/server - main handshake protocol definition
10 // message functions - formating handshake messages
11 // cipher choices - catalog of digest and encrypt algorithms
12 // security functions - PKCS#1, sslHMAC, session keygen
13 // general utility functions - malloc, serialization
14 // The handshake protocol builds on the TLS/SSL3 record layer protocol,
15 // which is implemented in kernel device #a. See also /lib/rfc/rfc2246.
19 SSL3FinishedLen = MD5dlen+SHA1dlen,
20 MaxKeyData = 136, // amount of secret we may need
24 MasterSecretSize = 48,
29 typedef struct TlsSec TlsSec;
33 uchar data[1]; // [len]
49 typedef struct Namedcurve{
61 typedef struct Finished{
62 uchar verify[SSL3FinishedLen];
66 typedef struct HandshakeHash {
69 SHA2_256state sha2_256;
72 typedef struct TlsConnection{
73 TlsSec *sec; // security management goo
74 int hand, ctl; // record layer file descriptors
75 int erred; // set when tlsError called
76 int (*trace)(char*fmt, ...); // for debugging
77 int version; // protocol we are speaking
78 int verset; // version has been set
79 int ver2hi; // server got a version 2 hello
80 int isClient; // is this the client or server?
81 Bytes *sid; // SessionID
82 Bytes *cert; // only last - no chain
85 int state; // must be set using setstate
87 // input buffer for handshake messages
88 uchar recvbuf[MaxChunk];
92 uchar sendbuf[MaxChunk];
95 uchar crandom[RandomSize]; // client random
96 uchar srandom[RandomSize]; // server random
97 int clientVersion; // version in ClientHello
99 char *digest; // name of digest algorithm to use
100 char *enc; // name of encryption algorithm to use
101 int nsecret; // amount of secret data to init keys
103 // for finished messages
104 HandshakeHash handhash;
113 uchar random[RandomSize];
121 uchar random[RandomSize];
135 } certificateRequest;
153 typedef struct TlsSec{
154 char *server; // name of remote; nil for server
155 int ok; // <0 killed; == 0 in progress; >0 reusable
157 AuthRpc *rpc; // factotum for rsa private key
158 uchar sec[MasterSecretSize]; // master secret
159 uchar crandom[RandomSize]; // client random
160 uchar srandom[RandomSize]; // server random
161 int clientVers; // version in ClientHello
162 int vers; // final version
163 // byte generation and handshake checksum
164 void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
165 void (*setFinished)(TlsSec*, HandshakeHash, uchar*, int);
171 SSL3Version = 0x0300,
172 TLS10Version = 0x0301,
173 TLS11Version = 0x0302,
174 TLS12Version = 0x0303,
175 ProtocolVersion = TLS12Version, // maximum version we speak
176 MinProtoVersion = 0x0300, // limits on version we accept
177 MaxProtoVersion = 0x03ff,
185 HSSL2ClientHello = 9, /* local convention; see devtls.c */
199 EUnexpectedMessage = 10,
201 EDecryptionFailed = 21,
202 ERecordOverflow = 22,
203 EDecompressionFailure = 30,
204 EHandshakeFailure = 40,
206 EBadCertificate = 42,
207 EUnsupportedCertificate = 43,
208 ECertificateRevoked = 44,
209 ECertificateExpired = 45,
210 ECertificateUnknown = 46,
211 EIllegalParameter = 47,
216 EExportRestriction = 60,
217 EProtocolVersion = 70,
218 EInsufficientSecurity = 71,
221 ENoRenegotiation = 100,
227 TLS_NULL_WITH_NULL_NULL = 0x0000,
228 TLS_RSA_WITH_NULL_MD5 = 0x0001,
229 TLS_RSA_WITH_NULL_SHA = 0x0002,
230 TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
231 TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
232 TLS_RSA_WITH_RC4_128_SHA = 0x0005,
233 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006,
234 TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
235 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008,
236 TLS_RSA_WITH_DES_CBC_SHA = 0X0009,
237 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A,
238 TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X000B,
239 TLS_DH_DSS_WITH_DES_CBC_SHA = 0X000C,
240 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0X000D,
241 TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X000E,
242 TLS_DH_RSA_WITH_DES_CBC_SHA = 0X000F,
243 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0X0010,
244 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X0011,
245 TLS_DHE_DSS_WITH_DES_CBC_SHA = 0X0012,
246 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0X0013, // ZZZ must be implemented for tls1.0 compliance
247 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0014,
248 TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015,
249 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016,
250 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
251 TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
252 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
253 TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
254 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
256 TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
257 TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
258 TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
259 TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
260 TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0X0033,
261 TLS_DH_anon_WITH_AES_128_CBC_SHA = 0X0034,
262 TLS_RSA_WITH_AES_256_CBC_SHA = 0X0035,
263 TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0X0036,
264 TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0X0037,
265 TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
266 TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
267 TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
269 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
270 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
271 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
272 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
276 // compression methods
282 static Algs cipherAlgs[] = {
283 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
284 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
285 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
286 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
287 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
288 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
289 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_RSA_WITH_AES_256_CBC_SHA},
290 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_RSA_WITH_AES_128_CBC_SHA},
291 {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA},
292 {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
293 {"rc4_128", "sha1", 2*(16+SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
294 {"rc4_128", "md5", 2*(16+MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
297 static uchar compressors[] = {
301 static Namedcurve namedcurves[] = {
302 {0x0017, "secp256r1",
303 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
304 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
305 "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
306 "046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
307 "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
311 static uchar pointformats[] = {
312 CompressionNull /* support of uncompressed point format is mandatory */
315 static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int certlen, int (*trace)(char*fmt, ...), PEMChain *chain);
316 static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, uchar *ext, int extlen, int (*trace)(char*fmt, ...));
317 static void msgClear(Msg *m);
318 static char* msgPrint(char *buf, int n, Msg *m);
319 static int msgRecv(TlsConnection *c, Msg *m);
320 static int msgSend(TlsConnection *c, Msg *m, int act);
321 static void tlsError(TlsConnection *c, int err, char *msg, ...);
322 #pragma varargck argpos tlsError 3
323 static int setVersion(TlsConnection *c, int version);
324 static int finishedMatch(TlsConnection *c, Finished *f);
325 static void tlsConnectionFree(TlsConnection *c);
327 static int setAlgs(TlsConnection *c, int a);
328 static int okCipher(Ints *cv);
329 static int okCompression(Bytes *cv);
330 static int initCiphers(void);
331 static Ints* makeciphers(void);
333 static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
334 static int tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm);
335 static TlsSec* tlsSecInitc(int cvers, uchar *crandom);
336 static Bytes* tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers);
337 static Bytes* tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers, Bytes *p, Bytes *g, Bytes *Ys);
338 static Bytes* tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys);
339 static int tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient);
340 static void tlsSecOk(TlsSec *sec);
341 static void tlsSecKill(TlsSec *sec);
342 static void tlsSecClose(TlsSec *sec);
343 static void setMasterSecret(TlsSec *sec, Bytes *pm);
344 static void serverMasterSecret(TlsSec *sec, Bytes *epm);
345 static void setSecrets(TlsSec *sec, uchar *kd, int nkd);
346 static Bytes* clientMasterSecret(TlsSec *sec, RSApub *pub);
347 static Bytes* pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
348 static Bytes* pkcs1_decrypt(TlsSec *sec, Bytes *cipher);
349 static void tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
350 static void tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
351 static void sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
352 static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
353 uchar *seed0, int nseed0, uchar *seed1, int nseed1);
354 static int setVers(TlsSec *sec, int version);
356 static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
357 static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
358 static void factotum_rsa_close(AuthRpc*rpc);
360 static void* emalloc(int);
361 static void* erealloc(void*, int);
362 static void put32(uchar *p, u32int);
363 static void put24(uchar *p, int);
364 static void put16(uchar *p, int);
365 static u32int get32(uchar *p);
366 static int get24(uchar *p);
367 static int get16(uchar *p);
368 static Bytes* newbytes(int len);
369 static Bytes* makebytes(uchar* buf, int len);
370 static Bytes* mptobytes(mpint* big);
371 static mpint* bytestomp(Bytes* bytes);
372 static void freebytes(Bytes* b);
373 static Ints* newints(int len);
374 static void freeints(Ints* b);
377 extern mpint* pkcs1padbuf(uchar *buf, int len, mpint *modulus);
379 //================= client/server ========================
381 // push TLS onto fd, returning new (application) file descriptor
384 tlsServer(int fd, TLSconn *conn)
388 int n, data, ctl, hand;
393 ctl = open("#a/tls/clone", ORDWR);
396 n = read(ctl, buf, sizeof(buf)-1);
402 snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
403 snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
404 hand = open(dname, ORDWR);
409 fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
410 tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
411 snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
412 data = open(dname, ORDWR);
415 if(data < 0 || tls == nil){
417 tlsConnectionFree(tls);
421 conn->cert = 0; // client certificates are not yet implemented
423 conn->sessionIDlen = tls->sid->len;
424 conn->sessionID = emalloc(conn->sessionIDlen);
425 memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
426 if(conn->sessionKey != nil
427 && conn->sessionType != nil
428 && strcmp(conn->sessionType, "ttls") == 0)
430 conn->sessionKey, conn->sessionKeylen,
431 tls->sec->sec, MasterSecretSize,
433 tls->sec->crandom, RandomSize,
434 tls->sec->srandom, RandomSize);
435 tlsConnectionFree(tls);
441 tlsClientExtensions(TLSconn *conn, int *plen)
448 // RFC6066 - Server Name Identification
449 if(conn->serverName != nil){
450 n = strlen(conn->serverName);
453 b = erealloc(b, m + 2+2+2+1+2+n);
456 put16(p, 0), p += 2; /* Type: server_name */
457 put16(p, 2+1+2+n), p += 2; /* Length */
458 put16(p, 1+2+n), p += 2; /* Server Name list length */
459 *p++ = 0; /* Server Name Type: host_name */
460 put16(p, n), p += 2; /* Server Name length */
461 memmove(p, conn->serverName, n);
468 b = erealloc(b, m + 2+2+2+nelem(namedcurves)*2 + 2+2+1+nelem(pointformats));
471 n = nelem(namedcurves);
472 put16(p, 0x000a), p += 2; /* Type: elliptic_curves */
473 put16(p, (n+1)*2), p += 2; /* Length */
474 put16(p, n*2), p += 2; /* Elliptic Curves Length */
475 for(i=0; i < n; i++){ /* Elliptic curves */
476 put16(p, namedcurves[i].tlsid);
480 n = nelem(pointformats);
481 put16(p, 0x000b), p += 2; /* Type: ec_point_formats */
482 put16(p, n+1), p += 2; /* Length */
483 *p++ = n; /* EC point formats Length */
484 for(i=0; i < n; i++) /* Elliptic curves point formats */
485 *p++ = pointformats[i];
492 // push TLS onto fd, returning new (application) file descriptor
495 tlsClient(int fd, TLSconn *conn)
499 int n, data, ctl, hand;
505 ctl = open("#a/tls/clone", ORDWR);
508 n = read(ctl, buf, sizeof(buf)-1);
514 snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
515 snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
516 hand = open(dname, ORDWR);
521 snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
522 data = open(dname, ORDWR);
528 fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
529 ext = tlsClientExtensions(conn, &n);
530 tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->cert, conn->certlen,
531 ext, n, conn->trace);
539 conn->certlen = tls->cert->len;
540 conn->cert = emalloc(conn->certlen);
541 memcpy(conn->cert, tls->cert->data, conn->certlen);
542 conn->sessionIDlen = tls->sid->len;
543 conn->sessionID = emalloc(conn->sessionIDlen);
544 memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
545 if(conn->sessionKey != nil
546 && conn->sessionType != nil
547 && strcmp(conn->sessionType, "ttls") == 0)
549 conn->sessionKey, conn->sessionKeylen,
550 tls->sec->sec, MasterSecretSize,
552 tls->sec->crandom, RandomSize,
553 tls->sec->srandom, RandomSize);
554 tlsConnectionFree(tls);
560 countchain(PEMChain *p)
571 static TlsConnection *
572 tlsServer2(int ctl, int hand, uchar *cert, int certlen, int (*trace)(char*fmt, ...), PEMChain *chp)
577 uchar sid[SidSize], kd[MaxKeyData];
579 int cipher, compressor, nsid, rv, numcerts, i;
582 trace("tlsServer2\n");
585 c = emalloc(sizeof(TlsConnection));
589 c->version = ProtocolVersion;
591 memset(&m, 0, sizeof(m));
594 trace("initial msgRecv failed\n");
597 if(m.tag != HClientHello) {
598 tlsError(c, EUnexpectedMessage, "expected a client hello");
601 c->clientVersion = m.u.clientHello.version;
603 trace("ClientHello version %x\n", c->clientVersion);
604 if(setVersion(c, c->clientVersion) < 0) {
605 tlsError(c, EIllegalParameter, "incompatible version");
609 memmove(c->crandom, m.u.clientHello.random, RandomSize);
610 cipher = okCipher(m.u.clientHello.ciphers);
612 // reply with EInsufficientSecurity if we know that's the case
614 tlsError(c, EInsufficientSecurity, "cipher suites too weak");
616 tlsError(c, EHandshakeFailure, "no matching cipher suite");
619 if(!setAlgs(c, cipher)){
620 tlsError(c, EHandshakeFailure, "no matching cipher suite");
623 compressor = okCompression(m.u.clientHello.compressors);
625 tlsError(c, EHandshakeFailure, "no matching compressor");
629 csid = m.u.clientHello.sid;
631 trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
632 c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
634 tlsError(c, EHandshakeFailure, "can't initialize security: %r");
637 c->sec->rpc = factotum_rsa_open(cert, certlen);
638 if(c->sec->rpc == nil){
639 tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
642 c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
643 if(c->sec->rsapub == nil){
644 tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
649 m.tag = HServerHello;
650 m.u.serverHello.version = c->version;
651 memmove(m.u.serverHello.random, c->srandom, RandomSize);
652 m.u.serverHello.cipher = cipher;
653 m.u.serverHello.compressor = compressor;
654 c->sid = makebytes(sid, nsid);
655 m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
656 if(!msgSend(c, &m, AQueue))
660 m.tag = HCertificate;
661 numcerts = countchain(chp);
662 m.u.certificate.ncert = 1 + numcerts;
663 m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
664 m.u.certificate.certs[0] = makebytes(cert, certlen);
665 for (i = 0; i < numcerts && chp; i++, chp = chp->next)
666 m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
667 if(!msgSend(c, &m, AQueue))
671 m.tag = HServerHelloDone;
672 if(!msgSend(c, &m, AFlush))
678 if(m.tag != HClientKeyExchange) {
679 tlsError(c, EUnexpectedMessage, "expected a client key exchange");
682 if(tlsSecRSAs(c->sec, c->version, m.u.clientKeyExchange.key) < 0){
683 tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
686 setSecrets(c->sec, kd, c->nsecret);
688 trace("tls secrets\n");
689 secrets = (char*)emalloc(2*c->nsecret);
690 enc64(secrets, 2*c->nsecret, kd, c->nsecret);
691 rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
692 memset(secrets, 0, 2*c->nsecret);
694 memset(kd, 0, c->nsecret);
696 tlsError(c, EHandshakeFailure, "can't set keys: %r");
701 /* no CertificateVerify; skip to Finished */
702 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
703 tlsError(c, EInternalError, "can't set finished: %r");
708 if(m.tag != HFinished) {
709 tlsError(c, EUnexpectedMessage, "expected a finished");
712 if(!finishedMatch(c, &m.u.finished)) {
713 tlsError(c, EHandshakeFailure, "finished verification failed");
718 /* change cipher spec */
719 if(fprint(c->ctl, "changecipher") < 0){
720 tlsError(c, EInternalError, "can't enable cipher: %r");
724 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
725 tlsError(c, EInternalError, "can't set finished: %r");
729 m.u.finished = c->finished;
730 if(!msgSend(c, &m, AFlush))
734 trace("tls finished\n");
736 if(fprint(c->ctl, "opened") < 0)
743 tlsConnectionFree(c);
751 case TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
752 case TLS_DHE_DSS_WITH_DES_CBC_SHA:
753 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
754 case TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
755 case TLS_DHE_RSA_WITH_DES_CBC_SHA:
756 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
757 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
758 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
759 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
760 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
770 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
771 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
772 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
773 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
780 tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers,
781 Bytes *p, Bytes *g, Bytes *Ys)
783 mpint *G, *P, *Y, *K;
787 if(p == nil || g == nil || Ys == nil)
790 memmove(sec->srandom, srandom, RandomSize);
791 if(setVers(sec, vers) < 0)
800 if(P == nil || G == nil || Y == nil || dh_new(&dh, P, G) == nil)
802 epm = mptobytes(dh.y);
803 K = dh_finish(&dh, Y);
809 setMasterSecret(sec, mptobytes(K));
821 bytestoec(ECdomain *dom, Bytes *bp, ECpoint *ret)
823 char *hex = "0123456789ABCDEF";
827 s = emalloc(2*bp->len + 1);
828 for(i=0; i < bp->len; i++){
829 s[2*i] = hex[bp->data[i]>>4 & 15];
830 s[2*i+1] = hex[bp->data[i] & 15];
833 ret = strtoec(dom, s, nil, ret);
839 ectobytes(int type, ECpoint *p)
843 bx = mptobytes(p->x);
844 by = mptobytes(p->y);
845 bp = newbytes(bx->len + by->len + 1);
847 memmove(bp->data+1, bx->data, bx->len);
848 memmove(bp->data+1+bx->len, by->data, by->len);
855 tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys)
857 Namedcurve *nc, *enc;
866 enc = &namedcurves[nelem(namedcurves)];
867 for(nc = namedcurves; nc != enc; nc++)
868 if(nc->tlsid == curve)
874 memmove(sec->srandom, srandom, RandomSize);
875 if(setVers(sec, vers) < 0)
880 memset(&dom, 0, sizeof(dom));
881 dom.p = strtomp(nc->p, nil, 16, nil);
882 dom.a = strtomp(nc->a, nil, 16, nil);
883 dom.b = strtomp(nc->b, nil, 16, nil);
884 dom.n = strtomp(nc->n, nil, 16, nil);
885 dom.h = strtomp(nc->h, nil, 16, nil);
887 memset(&G, 0, sizeof(G));
891 memset(&Q, 0, sizeof(Q));
896 memset(&K, 0, sizeof(K));
900 memset(&Y, 0, sizeof(Y));
904 if(dom.p == nil || dom.a == nil || dom.b == nil || dom.n == nil || dom.h == nil)
906 if(Q.x == nil || Q.y == nil || Q.d == nil)
908 if(G.x == nil || G.y == nil)
910 if(K.x == nil || K.y == nil)
912 if(Y.x == nil || Y.y == nil)
915 dom.G = strtoec(&dom, nc->G, nil, &G);
919 if(bytestoec(&dom, Ys, &Y) == nil)
922 if(ecgen(&dom, &Q) == nil)
925 ecmul(&dom, &Y, Q.d, &K);
926 setMasterSecret(sec, mptobytes(K.x));
928 /* 0x04 = uncompressed public key */
929 epm = ectobytes(0x04, &Q);
954 static TlsConnection *
955 tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, uchar *ext, int extlen,
956 int (*trace)(char*fmt, ...))
960 uchar kd[MaxKeyData];
962 int creq, dhx, rv, cipher;
963 mpint *signedMP, *paddedHashes;
969 c = emalloc(sizeof(TlsConnection));
970 c->version = ProtocolVersion;
972 // client certificate signature not implemented for TLS1.2
973 if(cert != nil && certlen > 0 && c->version >= TLS12Version)
974 c->version = TLS11Version;
980 c->clientVersion = c->version;
982 c->sec = tlsSecInitc(c->clientVersion, c->crandom);
986 memset(&m, 0, sizeof(m));
987 m.tag = HClientHello;
988 m.u.clientHello.version = c->clientVersion;
989 memmove(m.u.clientHello.random, c->crandom, RandomSize);
990 m.u.clientHello.sid = makebytes(csid, ncsid);
991 m.u.clientHello.ciphers = makeciphers();
992 m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
993 m.u.clientHello.extensions = makebytes(ext, extlen);
994 if(!msgSend(c, &m, AFlush))
1001 if(m.tag != HServerHello) {
1002 tlsError(c, EUnexpectedMessage, "expected a server hello");
1005 if(setVersion(c, m.u.serverHello.version) < 0) {
1006 tlsError(c, EIllegalParameter, "incompatible version %r");
1009 memmove(c->srandom, m.u.serverHello.random, RandomSize);
1010 c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
1011 if(c->sid->len != 0 && c->sid->len != SidSize) {
1012 tlsError(c, EIllegalParameter, "invalid server session identifier");
1015 cipher = m.u.serverHello.cipher;
1016 if(!setAlgs(c, cipher)) {
1017 tlsError(c, EIllegalParameter, "invalid cipher suite");
1020 if(m.u.serverHello.compressor != CompressionNull) {
1021 tlsError(c, EIllegalParameter, "invalid compression");
1027 if(!msgRecv(c, &m) || m.tag != HCertificate) {
1028 tlsError(c, EUnexpectedMessage, "expected a certificate");
1031 if(m.u.certificate.ncert < 1) {
1032 tlsError(c, EIllegalParameter, "runt certificate");
1035 c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
1038 /* server key exchange */
1039 dhx = isDHE(cipher) || isECDHE(cipher);
1042 if(m.tag == HServerKeyExchange) {
1044 tlsError(c, EUnexpectedMessage, "got an server key exchange");
1048 epm = tlsSecECDHEc(c->sec, c->srandom, c->version,
1049 m.u.serverKeyExchange.curve,
1050 m.u.serverKeyExchange.dh_Ys);
1052 epm = tlsSecDHEc(c->sec, c->srandom, c->version,
1053 m.u.serverKeyExchange.dh_p,
1054 m.u.serverKeyExchange.dh_g,
1055 m.u.serverKeyExchange.dh_Ys);
1062 tlsError(c, EUnexpectedMessage, "expected server key exchange");
1066 /* certificate request (optional) */
1068 if(m.tag == HCertificateRequest) {
1075 if(m.tag != HServerHelloDone) {
1076 tlsError(c, EUnexpectedMessage, "expected a server hello done");
1082 epm = tlsSecRSAc(c->sec, c->sid->data, c->sid->len, c->srandom,
1083 c->cert->data, c->cert->len, c->version);
1087 tlsError(c, EBadCertificate, "bad certificate: %r");
1091 setSecrets(c->sec, kd, c->nsecret);
1092 secrets = (char*)emalloc(2*c->nsecret);
1093 enc64(secrets, 2*c->nsecret, kd, c->nsecret);
1094 rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
1095 memset(secrets, 0, 2*c->nsecret);
1097 memset(kd, 0, c->nsecret);
1099 tlsError(c, EHandshakeFailure, "can't set keys: %r");
1104 if(cert != nil && certlen > 0){
1105 m.u.certificate.ncert = 1;
1106 m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
1107 m.u.certificate.certs[0] = makebytes(cert, certlen);
1109 m.tag = HCertificate;
1110 if(!msgSend(c, &m, AFlush))
1115 /* client key exchange */
1116 m.tag = HClientKeyExchange;
1117 m.u.clientKeyExchange.key = epm;
1119 if(m.u.clientKeyExchange.key == nil) {
1120 tlsError(c, EHandshakeFailure, "can't set secret: %r");
1124 if(!msgSend(c, &m, AFlush))
1128 /* certificate verify */
1129 if(creq && cert != nil && certlen > 0) {
1130 uchar hshashes[MD5dlen+SHA1dlen]; /* content of signature */
1131 HandshakeHash hsave;
1133 /* save the state for the Finish message */
1134 hsave = c->handhash;
1135 md5(nil, 0, hshashes, &c->handhash.md5);
1136 sha1(nil, 0, hshashes+MD5dlen, &c->handhash.sha1);
1137 c->handhash = hsave;
1139 c->sec->rpc = factotum_rsa_open(cert, certlen);
1140 if(c->sec->rpc == nil){
1141 tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
1144 c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
1145 if(c->sec->rsapub == nil){
1146 tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
1150 paddedHashes = pkcs1padbuf(hshashes, MD5dlen+SHA1dlen, c->sec->rsapub->n);
1151 signedMP = factotum_rsa_decrypt(c->sec->rpc, paddedHashes);
1152 if(signedMP == nil){
1153 tlsError(c, EHandshakeFailure, "factotum_rsa_decrypt: %r");
1156 m.u.certificateVerify.signature = mptobytes(signedMP);
1159 m.tag = HCertificateVerify;
1160 if(!msgSend(c, &m, AFlush))
1165 /* change cipher spec */
1166 if(fprint(c->ctl, "changecipher") < 0){
1167 tlsError(c, EInternalError, "can't enable cipher: %r");
1171 // Cipherchange must occur immediately before Finished to avoid
1172 // potential hole; see section 4.3 of Wagner Schneier 1996.
1173 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
1174 tlsError(c, EInternalError, "can't set finished 1: %r");
1178 m.u.finished = c->finished;
1179 if(!msgSend(c, &m, AFlush)) {
1180 tlsError(c, EInternalError, "can't flush after client Finished: %r");
1185 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
1186 tlsError(c, EInternalError, "can't set finished 0: %r");
1189 if(!msgRecv(c, &m)) {
1190 tlsError(c, EInternalError, "can't read server Finished: %r");
1193 if(m.tag != HFinished) {
1194 tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
1198 if(!finishedMatch(c, &m.u.finished)) {
1199 tlsError(c, EHandshakeFailure, "finished verification failed");
1204 if(fprint(c->ctl, "opened") < 0){
1206 trace("unable to do final open: %r\n");
1215 tlsConnectionFree(c);
1220 //================= message functions ========================
1223 msgHash(TlsConnection *c, uchar *p, int n)
1225 md5(p, n, 0, &c->handhash.md5);
1226 sha1(p, n, 0, &c->handhash.sha1);
1227 if(c->version >= TLS12Version)
1228 sha2_256(p, n, 0, &c->handhash.sha2_256);
1232 msgSend(TlsConnection *c, Msg *m, int act)
1234 uchar *p; // sendp = start of new message; p = write pointer
1238 c->sendp = c->sendbuf;
1241 c->trace("send %s", msgPrint((char*)p, (sizeof(c->sendbuf)) - (p - c->sendbuf), m));
1243 p[0] = m->tag; // header - fill in size later
1248 tlsError(c, EInternalError, "can't encode a %d", m->tag);
1252 put16(p, m->u.clientHello.version);
1256 memmove(p, m->u.clientHello.random, RandomSize);
1260 n = m->u.clientHello.sid->len;
1263 memmove(p+1, m->u.clientHello.sid->data, n);
1266 n = m->u.clientHello.ciphers->len;
1267 assert(n > 0 && n < 200);
1270 for(i=0; i<n; i++) {
1271 put16(p, m->u.clientHello.ciphers->data[i]);
1275 n = m->u.clientHello.compressors->len;
1278 memmove(p+1, m->u.clientHello.compressors->data, n);
1281 if(m->u.clientHello.extensions == nil)
1283 n = m->u.clientHello.extensions->len;
1287 memmove(p+2, m->u.clientHello.extensions->data, n);
1291 put16(p, m->u.serverHello.version);
1295 memmove(p, m->u.serverHello.random, RandomSize);
1299 n = m->u.serverHello.sid->len;
1302 memmove(p+1, m->u.serverHello.sid->data, n);
1305 put16(p, m->u.serverHello.cipher);
1307 p[0] = m->u.serverHello.compressor;
1310 if(m->u.serverHello.extensions == nil)
1312 n = m->u.serverHello.extensions->len;
1316 memmove(p+2, m->u.serverHello.extensions->data, n);
1319 case HServerHelloDone:
1323 for(i = 0; i < m->u.certificate.ncert; i++)
1324 nn += 3 + m->u.certificate.certs[i]->len;
1325 if(p + 3 + nn - c->sendbuf > sizeof(c->sendbuf)) {
1326 tlsError(c, EInternalError, "output buffer too small for certificate");
1331 for(i = 0; i < m->u.certificate.ncert; i++){
1332 put24(p, m->u.certificate.certs[i]->len);
1334 memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
1335 p += m->u.certificate.certs[i]->len;
1338 case HCertificateVerify:
1339 put16(p, m->u.certificateVerify.signature->len);
1341 memmove(p, m->u.certificateVerify.signature->data, m->u.certificateVerify.signature->len);
1342 p += m->u.certificateVerify.signature->len;
1344 case HClientKeyExchange:
1345 n = m->u.clientKeyExchange.key->len;
1346 if(c->version != SSL3Version){
1347 if(isECDHE(c->cipher))
1350 put16(p, n), p += 2;
1352 memmove(p, m->u.clientKeyExchange.key->data, n);
1356 memmove(p, m->u.finished.verify, m->u.finished.n);
1357 p += m->u.finished.n;
1361 // go back and fill in size
1363 assert(p <= c->sendbuf + sizeof(c->sendbuf));
1364 put24(c->sendp+1, n-4);
1366 // remember hash of Handshake messages
1367 if(m->tag != HHelloRequest)
1368 msgHash(c, c->sendp, n);
1372 c->sendp = c->sendbuf;
1373 if(write(c->hand, c->sendbuf, p - c->sendbuf) < 0){
1374 fprint(2, "write error: %r\n");
1386 tlsReadN(TlsConnection *c, int n)
1393 if(c->rp != c->recvbuf){
1394 memmove(c->recvbuf, c->rp, nn);
1396 c->ep = &c->recvbuf[nn];
1398 for(; nn < n; nn += nr) {
1399 nr = read(c->hand, &c->rp[nn], n - nn);
1411 msgRecv(TlsConnection *c, Msg *m)
1414 int type, n, nn, i, nsid, nrandom, nciph;
1423 if(type != HHelloRequest)
1426 tlsError(c, EDecodeError, "invalid hello request during handshake");
1431 if(n > sizeof(c->recvbuf)) {
1432 tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->recvbuf));
1436 if(type == HSSL2ClientHello){
1437 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
1438 This is sent by some clients that we must interoperate
1439 with, such as Java's JSSE and Microsoft's Internet Explorer. */
1444 m->tag = HClientHello;
1447 m->u.clientHello.version = get16(p+1);
1450 nn = get16(p); /* cipher_spec_len */
1451 nsid = get16(p + 2);
1452 nrandom = get16(p + 4);
1455 if(nsid != 0 /* no sid's, since shouldn't restart using ssl2 header */
1456 || nrandom < 16 || nn % 3)
1458 if(c->trace && (n - nrandom != nn))
1459 c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
1460 /* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
1462 for(i = 0; i < nn; i += 3)
1465 m->u.clientHello.ciphers = newints(nciph);
1467 for(i = 0; i < nn; i += 3)
1469 m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]);
1471 m->u.clientHello.sid = makebytes(nil, 0);
1472 if(nrandom > RandomSize)
1473 nrandom = RandomSize;
1474 memset(m->u.clientHello.random, 0, RandomSize - nrandom);
1475 memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
1476 m->u.clientHello.compressors = newbytes(1);
1477 m->u.clientHello.compressors->data[0] = CompressionNull;
1492 tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
1497 m->u.clientHello.version = get16(p);
1503 memmove(m->u.clientHello.random, p, RandomSize);
1506 if(n < 1 || n < p[0]+1)
1508 m->u.clientHello.sid = makebytes(p+1, p[0]);
1509 p += m->u.clientHello.sid->len+1;
1510 n -= m->u.clientHello.sid->len+1;
1518 if((nn & 1) || n < nn || nn < 2)
1520 m->u.clientHello.ciphers = newints(nn >> 1);
1521 for(i = 0; i < nn; i += 2)
1522 m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
1526 if(n < 1 || n < p[0]+1 || p[0] == 0)
1529 m->u.clientHello.compressors = makebytes(p+1, nn);
1538 m->u.clientHello.extensions = makebytes(p+2, nn);
1544 m->u.serverHello.version = get16(p);
1550 memmove(m->u.serverHello.random, p, RandomSize);
1554 if(n < 1 || n < p[0]+1)
1556 m->u.serverHello.sid = makebytes(p+1, p[0]);
1557 p += m->u.serverHello.sid->len+1;
1558 n -= m->u.serverHello.sid->len+1;
1562 m->u.serverHello.cipher = get16(p);
1563 m->u.serverHello.compressor = p[2];
1572 m->u.serverHello.extensions = makebytes(p+2, nn);
1581 if(nn == 0 && n > 0)
1593 m->u.certificate.ncert = i+1;
1594 m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes*));
1595 m->u.certificate.certs[i] = makebytes(p, nn);
1601 case HCertificateRequest:
1609 m->u.certificateRequest.types = makebytes(p, nn);
1617 /* nn == 0 can happen; yahoo's servers do it */
1628 if(nn < 1 || nn > n)
1630 m->u.certificateRequest.nca = i+1;
1631 m->u.certificateRequest.cas = erealloc(
1632 m->u.certificateRequest.cas, (i+1)*sizeof(Bytes*));
1633 m->u.certificateRequest.cas[i] = makebytes(p, nn);
1639 case HServerHelloDone:
1641 case HServerKeyExchange:
1644 if(isECDHE(c->cipher)){
1647 if(nn != 3 || nn > n) /* not a named curve */
1651 m->u.serverKeyExchange.curve = nn;
1654 if(nn < 1 || nn > n)
1656 m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
1658 }else if(isDHE(c->cipher)){
1661 if(nn < 1 || nn > n)
1663 m->u.serverKeyExchange.dh_p = makebytes(p, nn);
1670 if(nn < 1 || nn > n)
1672 m->u.serverKeyExchange.dh_g = makebytes(p, nn);
1679 if(nn < 1 || nn > n)
1681 m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
1684 /* should not happen */
1688 if(c->version >= TLS12Version){
1689 /* signature hash algorithm */
1696 if(nn > 0 && nn <= n){
1697 m->u.serverKeyExchange.dh_signature = makebytes(p, nn);
1702 case HClientKeyExchange:
1704 * this message depends upon the encryption selected
1707 if(c->version == SSL3Version)
1718 m->u.clientKeyExchange.key = makebytes(p, nn);
1722 m->u.finished.n = c->finished.n;
1723 if(n < m->u.finished.n)
1725 memmove(m->u.finished.verify, p, m->u.finished.n);
1726 n -= m->u.finished.n;
1730 if(type != HClientHello && type != HServerHello && n != 0)
1735 buf = emalloc(8000);
1736 c->trace("recv %s", msgPrint(buf, 8000, m));
1741 tlsError(c, EDecodeError, "handshake message (%d) has invalid length", type);
1754 sysfatal("msgClear: unknown message type: %d", m->tag);
1758 freebytes(m->u.clientHello.sid);
1759 freeints(m->u.clientHello.ciphers);
1760 freebytes(m->u.clientHello.compressors);
1761 freebytes(m->u.clientHello.extensions);
1764 freebytes(m->u.serverHello.sid);
1765 freebytes(m->u.serverHello.extensions);
1768 for(i=0; i<m->u.certificate.ncert; i++)
1769 freebytes(m->u.certificate.certs[i]);
1770 free(m->u.certificate.certs);
1772 case HCertificateRequest:
1773 freebytes(m->u.certificateRequest.types);
1774 for(i=0; i<m->u.certificateRequest.nca; i++)
1775 freebytes(m->u.certificateRequest.cas[i]);
1776 free(m->u.certificateRequest.cas);
1778 case HCertificateVerify:
1779 freebytes(m->u.certificateVerify.signature);
1781 case HServerHelloDone:
1783 case HServerKeyExchange:
1784 freebytes(m->u.serverKeyExchange.dh_p);
1785 freebytes(m->u.serverKeyExchange.dh_g);
1786 freebytes(m->u.serverKeyExchange.dh_Ys);
1787 freebytes(m->u.serverKeyExchange.dh_signature);
1789 case HClientKeyExchange:
1790 freebytes(m->u.clientKeyExchange.key);
1795 memset(m, 0, sizeof(Msg));
1799 bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
1804 bs = seprint(bs, be, "%s", s0);
1806 bs = seprint(bs, be, "nil");
1808 bs = seprint(bs, be, "<%d> [", b->len);
1809 for(i=0; i<b->len; i++)
1810 bs = seprint(bs, be, "%.2x ", b->data[i]);
1812 bs = seprint(bs, be, "]");
1814 bs = seprint(bs, be, "%s", s1);
1819 intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
1824 bs = seprint(bs, be, "%s", s0);
1825 bs = seprint(bs, be, "[");
1827 bs = seprint(bs, be, "nil");
1829 for(i=0; i<b->len; i++)
1830 bs = seprint(bs, be, "%x ", b->data[i]);
1831 bs = seprint(bs, be, "]");
1833 bs = seprint(bs, be, "%s", s1);
1838 msgPrint(char *buf, int n, Msg *m)
1841 char *bs = buf, *be = buf+n;
1845 bs = seprint(bs, be, "unknown %d\n", m->tag);
1848 bs = seprint(bs, be, "ClientHello\n");
1849 bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version);
1850 bs = seprint(bs, be, "\trandom: ");
1851 for(i=0; i<RandomSize; i++)
1852 bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]);
1853 bs = seprint(bs, be, "\n");
1854 bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
1855 bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
1856 bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
1857 if(m->u.clientHello.extensions != nil)
1858 bs = bytesPrint(bs, be, "\textensions: ", m->u.clientHello.extensions, "\n");
1861 bs = seprint(bs, be, "ServerHello\n");
1862 bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version);
1863 bs = seprint(bs, be, "\trandom: ");
1864 for(i=0; i<RandomSize; i++)
1865 bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]);
1866 bs = seprint(bs, be, "\n");
1867 bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
1868 bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
1869 bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
1870 if(m->u.serverHello.extensions != nil)
1871 bs = bytesPrint(bs, be, "\textensions: ", m->u.serverHello.extensions, "\n");
1874 bs = seprint(bs, be, "Certificate\n");
1875 for(i=0; i<m->u.certificate.ncert; i++)
1876 bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n");
1878 case HCertificateRequest:
1879 bs = seprint(bs, be, "CertificateRequest\n");
1880 bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
1881 bs = seprint(bs, be, "\tcertificateauthorities\n");
1882 for(i=0; i<m->u.certificateRequest.nca; i++)
1883 bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
1885 case HCertificateVerify:
1886 bs = seprint(bs, be, "HCertificateVerify\n");
1887 bs = bytesPrint(bs, be, "\tsignature: ", m->u.certificateVerify.signature,"\n");
1889 case HServerHelloDone:
1890 bs = seprint(bs, be, "ServerHelloDone\n");
1892 case HServerKeyExchange:
1893 bs = seprint(bs, be, "HServerKeyExchange\n");
1894 if(m->u.serverKeyExchange.curve != 0){
1895 bs = seprint(bs, be, "\tcurve: %.4x\n", m->u.serverKeyExchange.curve);
1897 bs = bytesPrint(bs, be, "\tdh_p: ", m->u.serverKeyExchange.dh_p, "\n");
1898 bs = bytesPrint(bs, be, "\tdh_g: ", m->u.serverKeyExchange.dh_g, "\n");
1900 bs = bytesPrint(bs, be, "\tdh_Ys: ", m->u.serverKeyExchange.dh_Ys, "\n");
1901 bs = bytesPrint(bs, be, "\tdh_signature: ", m->u.serverKeyExchange.dh_signature, "\n");
1903 case HClientKeyExchange:
1904 bs = seprint(bs, be, "HClientKeyExchange\n");
1905 bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
1908 bs = seprint(bs, be, "HFinished\n");
1909 for(i=0; i<m->u.finished.n; i++)
1910 bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]);
1911 bs = seprint(bs, be, "\n");
1919 tlsError(TlsConnection *c, int err, char *fmt, ...)
1925 vseprint(msg, msg+sizeof(msg), fmt, arg);
1928 c->trace("tlsError: %s\n", msg);
1930 fprint(2, "double error: %r, %s", msg);
1932 werrstr("tls: local %s", msg);
1934 fprint(c->ctl, "alert %d", err);
1937 // commit to specific version number
1939 setVersion(TlsConnection *c, int version)
1941 if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
1943 if(version > c->version)
1944 version = c->version;
1945 if(version == SSL3Version) {
1946 c->version = version;
1947 c->finished.n = SSL3FinishedLen;
1949 c->version = version;
1950 c->finished.n = TLSFinishedLen;
1953 return fprint(c->ctl, "version 0x%x", version);
1956 // confirm that received Finished message matches the expected value
1958 finishedMatch(TlsConnection *c, Finished *f)
1960 return memcmp(f->verify, c->finished.verify, f->n) == 0;
1963 // free memory associated with TlsConnection struct
1964 // (but don't close the TLS channel itself)
1966 tlsConnectionFree(TlsConnection *c)
1968 tlsSecClose(c->sec);
1971 memset(c, 0, sizeof(c));
1976 //================= cipher choices ========================
1978 static int weakCipher[CipherMax] =
1980 1, /* TLS_NULL_WITH_NULL_NULL */
1981 1, /* TLS_RSA_WITH_NULL_MD5 */
1982 1, /* TLS_RSA_WITH_NULL_SHA */
1983 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
1984 0, /* TLS_RSA_WITH_RC4_128_MD5 */
1985 0, /* TLS_RSA_WITH_RC4_128_SHA */
1986 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
1987 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */
1988 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
1989 0, /* TLS_RSA_WITH_DES_CBC_SHA */
1990 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
1991 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
1992 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
1993 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
1994 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
1995 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
1996 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
1997 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
1998 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
1999 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
2000 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
2001 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
2002 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
2003 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
2004 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */
2005 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
2006 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */
2007 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
2011 setAlgs(TlsConnection *c, int a)
2015 for(i = 0; i < nelem(cipherAlgs); i++){
2016 if(cipherAlgs[i].tlsid == a){
2018 c->enc = cipherAlgs[i].enc;
2019 c->digest = cipherAlgs[i].digest;
2020 c->nsecret = cipherAlgs[i].nsecret;
2021 if(c->nsecret > MaxKeyData)
2035 for(i = 0; i < cv->len; i++) {
2040 weak &= weakCipher[c];
2041 if(isDHE(c) || isECDHE(c))
2042 continue; /* TODO: not implemented for server */
2043 for(j = 0; j < nelem(cipherAlgs); j++)
2044 if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
2053 okCompression(Bytes *cv)
2057 for(i = 0; i < cv->len; i++) {
2059 for(j = 0; j < nelem(compressors); j++) {
2060 if(compressors[j] == c)
2067 static Lock ciphLock;
2068 static int nciphers;
2073 enum {MaxAlgF = 1024, MaxAlgs = 10};
2074 char s[MaxAlgF], *flds[MaxAlgs];
2082 j = open("#a/tls/encalgs", OREAD);
2084 werrstr("can't open #a/tls/encalgs: %r");
2087 n = read(j, s, MaxAlgF-1);
2090 werrstr("nothing in #a/tls/encalgs: %r");
2094 n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
2095 for(i = 0; i < nelem(cipherAlgs); i++){
2097 for(j = 0; j < n; j++){
2098 if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){
2103 cipherAlgs[i].ok = ok;
2106 j = open("#a/tls/hashalgs", OREAD);
2108 werrstr("can't open #a/tls/hashalgs: %r");
2111 n = read(j, s, MaxAlgF-1);
2114 werrstr("nothing in #a/tls/hashalgs: %r");
2118 n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
2119 for(i = 0; i < nelem(cipherAlgs); i++){
2121 for(j = 0; j < n; j++){
2122 if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){
2127 cipherAlgs[i].ok &= ok;
2128 if(cipherAlgs[i].ok)
2141 is = newints(nciphers);
2143 for(i = 0; i < nelem(cipherAlgs); i++){
2144 if(cipherAlgs[i].ok)
2145 is->data[j++] = cipherAlgs[i].tlsid;
2152 //================= security functions ========================
2154 // given X.509 certificate, set up connection to factotum
2155 // for using corresponding private key
2157 factotum_rsa_open(uchar *cert, int certlen)
2165 // start talking to factotum
2166 if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
2168 if((rpc = auth_allocrpc(afd)) == nil){
2172 s = "proto=rsa service=tls role=client";
2173 if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
2174 factotum_rsa_close(rpc);
2178 // roll factotum keyring around to match certificate
2179 rsapub = X509toRSApub(cert, certlen, nil, 0);
2181 if(auth_rpc(rpc, "read", nil, 0) != ARok){
2182 factotum_rsa_close(rpc);
2186 pub = strtomp(rpc->arg, nil, 16, nil);
2188 if(mpcmp(pub,rsapub->n) == 0)
2198 factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
2203 p = mptoa(cipher, 16, nil, 0);
2207 rv = auth_rpc(rpc, "write", p, strlen(p));
2209 if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
2211 return strtomp(rpc->arg, nil, 16, nil);
2215 factotum_rsa_close(AuthRpc*rpc)
2224 tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2226 uchar ai[MD5dlen], tmp[MD5dlen];
2231 s = hmac_md5(label, nlabel, key, nkey, nil, nil);
2232 s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
2233 hmac_md5(seed1, nseed1, key, nkey, ai, s);
2236 s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil);
2237 s = hmac_md5(label, nlabel, key, nkey, nil, s);
2238 s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
2239 hmac_md5(seed1, nseed1, key, nkey, tmp, s);
2243 for(i = 0; i < n; i++)
2247 hmac_md5(ai, MD5dlen, key, nkey, tmp, nil);
2248 memmove(ai, tmp, MD5dlen);
2253 tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2255 uchar ai[SHA1dlen], tmp[SHA1dlen];
2260 s = hmac_sha1(label, nlabel, key, nkey, nil, nil);
2261 s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
2262 hmac_sha1(seed1, nseed1, key, nkey, ai, s);
2265 s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil);
2266 s = hmac_sha1(label, nlabel, key, nkey, nil, s);
2267 s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
2268 hmac_sha1(seed1, nseed1, key, nkey, tmp, s);
2272 for(i = 0; i < n; i++)
2276 hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil);
2277 memmove(ai, tmp, SHA1dlen);
2282 p_sha256(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed, int nseed)
2284 uchar ai[SHA2_256dlen], tmp[SHA2_256dlen];
2289 s = hmac_sha2_256(label, nlabel, key, nkey, nil, nil);
2290 hmac_sha2_256(seed, nseed, key, nkey, ai, s);
2293 s = hmac_sha2_256(ai, SHA2_256dlen, key, nkey, nil, nil);
2294 s = hmac_sha2_256(label, nlabel, key, nkey, nil, s);
2295 hmac_sha2_256(seed, nseed, key, nkey, tmp, s);
2299 memmove(buf, tmp, n);
2302 hmac_sha2_256(ai, SHA2_256dlen, key, nkey, tmp, nil);
2303 memmove(ai, tmp, SHA2_256dlen);
2307 // fill buf with md5(args)^sha1(args)
2309 tls10PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2311 int nlabel = strlen(label);
2312 int n = (nkey + 1) >> 1;
2314 memset(buf, 0, nbuf);
2315 tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
2316 tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
2320 tls12PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2322 uchar seed[2*RandomSize];
2324 assert(nseed0+nseed1 <= sizeof(seed));
2325 memmove(seed, seed0, nseed0);
2326 memmove(seed+nseed0, seed1, nseed1);
2327 p_sha256(buf, nbuf, key, nkey, (uchar*)label, strlen(label), seed, nseed0+nseed1);
2331 * for setting server session id's
2333 static Lock sidLock;
2334 static long maxSid = 1;
2336 /* the keys are verified to have the same public components
2337 * and to function correctly with pkcs 1 encryption and decryption. */
2339 tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
2341 TlsSec *sec = emalloc(sizeof(*sec));
2343 USED(csid); USED(ncsid); // ignore csid for now
2345 memmove(sec->crandom, crandom, RandomSize);
2346 sec->clientVers = cvers;
2348 put32(sec->srandom, time(0));
2349 genrandom(sec->srandom+4, RandomSize-4);
2350 memmove(srandom, sec->srandom, RandomSize);
2353 * make up a unique sid: use our pid, and and incrementing id
2354 * can signal no sid by setting nssid to 0.
2356 memset(ssid, 0, SidSize);
2357 put32(ssid, getpid());
2359 put32(ssid+4, maxSid++);
2366 tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm)
2369 if(setVers(sec, vers) < 0)
2371 serverMasterSecret(sec, epm);
2372 }else if(sec->vers != vers){
2373 werrstr("mismatched session versions");
2383 tlsSecInitc(int cvers, uchar *crandom)
2385 TlsSec *sec = emalloc(sizeof(*sec));
2386 sec->clientVers = cvers;
2387 put32(sec->crandom, time(0));
2388 genrandom(sec->crandom+4, RandomSize-4);
2389 memmove(crandom, sec->crandom, RandomSize);
2394 tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers)
2402 memmove(sec->srandom, srandom, RandomSize);
2403 if(setVers(sec, vers) < 0)
2405 pub = X509toRSApub(cert, ncert, nil, 0);
2407 werrstr("invalid x509/rsa certificate");
2410 epm = clientMasterSecret(sec, pub);
2420 tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient)
2422 if(sec->nfin != nfin){
2424 werrstr("invalid finished exchange");
2427 hsh.md5.malloced = 0;
2428 hsh.sha1.malloced = 0;
2429 hsh.sha2_256.malloced = 0;
2430 (*sec->setFinished)(sec, hsh, fin, isclient);
2435 tlsSecOk(TlsSec *sec)
2442 tlsSecKill(TlsSec *sec)
2446 factotum_rsa_close(sec->rpc);
2451 tlsSecClose(TlsSec *sec)
2455 factotum_rsa_close(sec->rpc);
2461 setVers(TlsSec *sec, int v)
2463 if(v == SSL3Version){
2464 sec->setFinished = sslSetFinished;
2465 sec->nfin = SSL3FinishedLen;
2467 }else if(v < TLS12Version) {
2468 sec->setFinished = tls10SetFinished;
2469 sec->nfin = TLSFinishedLen;
2470 sec->prf = tls10PRF;
2472 sec->setFinished = tls12SetFinished;
2473 sec->nfin = TLSFinishedLen;
2474 sec->prf = tls12PRF;
2481 * generate secret keys from the master secret.
2483 * different crypto selections will require different amounts
2484 * of key expansion and use of key expansion data,
2485 * but it's all generated using the same function.
2488 setSecrets(TlsSec *sec, uchar *kd, int nkd)
2490 (*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
2491 sec->srandom, RandomSize, sec->crandom, RandomSize);
2495 * set the master secret from the pre-master secret,
2496 * destroys premaster.
2499 setMasterSecret(TlsSec *sec, Bytes *pm)
2501 (*sec->prf)(sec->sec, MasterSecretSize, pm->data, pm->len, "master secret",
2502 sec->crandom, RandomSize, sec->srandom, RandomSize);
2504 memset(pm->data, 0, pm->len);
2509 serverMasterSecret(TlsSec *sec, Bytes *epm)
2513 pm = pkcs1_decrypt(sec, epm);
2515 // if the client messed up, just continue as if everything is ok,
2516 // to prevent attacks to check for correctly formatted messages.
2517 // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
2518 if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
2519 fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
2520 sec->ok, pm, pm != nil ? get16(pm->data) : -1, sec->clientVers, epm->len);
2523 pm = newbytes(MasterSecretSize);
2524 genrandom(pm->data, MasterSecretSize);
2526 assert(pm->len == MasterSecretSize);
2527 setMasterSecret(sec, pm);
2531 clientMasterSecret(TlsSec *sec, RSApub *pub)
2535 pm = newbytes(MasterSecretSize);
2536 put16(pm->data, sec->clientVers);
2537 genrandom(pm->data+2, MasterSecretSize - 2);
2538 epm = pkcs1_encrypt(pm, pub, 2);
2539 setMasterSecret(sec, pm);
2544 sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2547 uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
2555 md5((uchar*)label, 4, nil, &hsh.md5);
2556 md5(sec->sec, MasterSecretSize, nil, &hsh.md5);
2557 memset(pad, 0x36, 48);
2558 md5(pad, 48, nil, &hsh.md5);
2559 md5(nil, 0, h0, &hsh.md5);
2560 memset(pad, 0x5C, 48);
2561 s = md5(sec->sec, MasterSecretSize, nil, nil);
2562 s = md5(pad, 48, nil, s);
2563 md5(h0, MD5dlen, finished, s);
2565 sha1((uchar*)label, 4, nil, &hsh.sha1);
2566 sha1(sec->sec, MasterSecretSize, nil, &hsh.sha1);
2567 memset(pad, 0x36, 40);
2568 sha1(pad, 40, nil, &hsh.sha1);
2569 sha1(nil, 0, h1, &hsh.sha1);
2570 memset(pad, 0x5C, 40);
2571 s = sha1(sec->sec, MasterSecretSize, nil, nil);
2572 s = sha1(pad, 40, nil, s);
2573 sha1(h1, SHA1dlen, finished + MD5dlen, s);
2576 // fill "finished" arg with md5(args)^sha1(args)
2578 tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2580 uchar h0[MD5dlen], h1[SHA1dlen];
2583 // get current hash value, but allow further messages to be hashed in
2584 md5(nil, 0, h0, &hsh.md5);
2585 sha1(nil, 0, h1, &hsh.sha1);
2588 label = "client finished";
2590 label = "server finished";
2591 tls10PRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
2595 tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2597 uchar seed[SHA2_256dlen];
2600 // get current hash value, but allow further messages to be hashed in
2601 sha2_256(nil, 0, seed, &hsh.sha2_256);
2604 label = "client finished";
2606 label = "server finished";
2607 p_sha256(finished, TLSFinishedLen, sec->sec, MasterSecretSize, (uchar*)label, strlen(label), seed, SHA2_256dlen);
2611 sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2613 uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
2622 for(i = 0; i < len; i++)
2623 tmp[i] = 'A' - 1 + len;
2624 s = sha1(tmp, len, nil, nil);
2625 s = sha1(key, nkey, nil, s);
2626 s = sha1(seed0, nseed0, nil, s);
2627 sha1(seed1, nseed1, sha1dig, s);
2628 s = md5(key, nkey, nil, nil);
2629 md5(sha1dig, SHA1dlen, md5dig, s);
2633 memmove(buf, md5dig, n);
2641 bytestomp(Bytes* bytes)
2643 return betomp(bytes->data, bytes->len, nil);
2647 * Convert mpint* to Bytes, putting high order byte first.
2650 mptobytes(mpint* big)
2655 n = (mpsignif(big)+7)/8;
2658 ans->len = mptobe(big, ans->data, n, nil);
2662 // Do RSA computation on block according to key, and pad
2663 // result on left with zeros to make it modlen long.
2665 rsacomp(Bytes* block, RSApub* key, int modlen)
2671 x = bytestomp(block);
2672 y = rsaencrypt(key, x, nil);
2674 ybytes = mptobytes(y);
2679 a = newbytes(modlen);
2680 memset(a->data, 0, modlen-ylen);
2681 memmove(a->data+modlen-ylen, ybytes->data, ylen);
2685 else if(ylen > modlen) {
2686 // assume it has leading zeros (mod should make it so)
2687 a = newbytes(modlen);
2688 memmove(a->data, ybytes->data, modlen);
2695 // encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
2697 pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
2699 Bytes *pad, *eb, *ans;
2700 int i, dlen, padlen, modlen;
2702 modlen = (mpsignif(key->n)+7)/8;
2704 if(modlen < 12 || dlen > modlen - 11)
2706 padlen = modlen - 3 - dlen;
2707 pad = newbytes(padlen);
2708 genrandom(pad->data, padlen);
2709 for(i = 0; i < padlen; i++) {
2712 else if(blocktype == 1)
2714 else if(pad->data[i] == 0)
2717 eb = newbytes(modlen);
2719 eb->data[1] = blocktype;
2720 memmove(eb->data+2, pad->data, padlen);
2721 eb->data[padlen+2] = 0;
2722 memmove(eb->data+padlen+3, data->data, dlen);
2723 ans = rsacomp(eb, key, modlen);
2729 // decrypt data according to PKCS#1, with given key.
2730 // expect a block type of 2.
2732 pkcs1_decrypt(TlsSec *sec, Bytes *cipher)
2734 Bytes *eb, *ans = nil;
2738 modlen = (mpsignif(sec->rsapub->n)+7)/8;
2739 if(cipher->len != modlen)
2741 x = bytestomp(cipher);
2742 y = factotum_rsa_decrypt(sec->rpc, x);
2747 if(eb->len < modlen){ // pad on left with zeros
2748 ans = newbytes(modlen);
2749 memset(ans->data, 0, modlen-eb->len);
2750 memmove(ans->data+modlen-eb->len, eb->data, eb->len);
2754 if(eb->data[0] == 0 && eb->data[1] == 2) {
2755 for(i = 2; i < modlen; i++)
2756 if(eb->data[i] == 0)
2759 ans = makebytes(eb->data+i+1, modlen-(i+1));
2766 //================= general utility functions ========================
2776 sysfatal("out of memory");
2778 setmalloctag(p, getcallerpc(&n));
2783 erealloc(void *ReallocP, int ReallocN)
2788 ReallocP = emalloc(ReallocN);
2789 else if((ReallocP = realloc(ReallocP, ReallocN)) == nil)
2790 sysfatal("out of memory");
2791 setrealloctag(ReallocP, getcallerpc(&ReallocP));
2796 put32(uchar *p, u32int x)
2805 put24(uchar *p, int x)
2813 put16(uchar *p, int x)
2822 return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2828 return (p[0]<<16)|(p[1]<<8)|p[2];
2834 return (p[0]<<8)|p[1];
2837 #define OFFSET(x, s) offsetof(s, x)
2846 ans = (Bytes*)emalloc(OFFSET(data[0], Bytes) + len);
2852 * newbytes(len), with data initialized from buf
2855 makebytes(uchar* buf, int len)
2859 ans = newbytes(len);
2860 memmove(ans->data, buf, len);
2870 /* len is number of ints */
2876 if(len < 0 || len > ((uint)-1>>1)/sizeof(int))
2878 ans = (Ints*)emalloc(OFFSET(data[0], Ints) + len*sizeof(int));