8 // The main groups of functions are:
9 // client/server - main handshake protocol definition
10 // message functions - formating handshake messages
11 // cipher choices - catalog of digest and encrypt algorithms
12 // security functions - PKCS#1, sslHMAC, session keygen
13 // general utility functions - malloc, serialization
14 // The handshake protocol builds on the TLS/SSL3 record layer protocol,
15 // which is implemented in kernel device #a. See also /lib/rfc/rfc2246.
19 SSL3FinishedLen = MD5dlen+SHA1dlen,
20 MaxKeyData = 136, // amount of secret we may need
24 MasterSecretSize = 48,
29 typedef struct TlsSec TlsSec;
33 uchar data[1]; // [len]
49 typedef struct Namedcurve{
61 typedef struct Finished{
62 uchar verify[SSL3FinishedLen];
66 typedef struct HandshakeHash {
69 SHA2_256state sha2_256;
72 typedef struct TlsConnection{
73 TlsSec *sec; // security management goo
74 int hand, ctl; // record layer file descriptors
75 int erred; // set when tlsError called
76 int (*trace)(char*fmt, ...); // for debugging
77 int version; // protocol we are speaking
78 int verset; // version has been set
79 int ver2hi; // server got a version 2 hello
80 int isClient; // is this the client or server?
81 Bytes *sid; // SessionID
82 Bytes *cert; // only last - no chain
85 int state; // must be set using setstate
87 // input buffer for handshake messages
88 uchar recvbuf[MaxChunk];
92 uchar sendbuf[MaxChunk];
95 uchar crandom[RandomSize]; // client random
96 uchar srandom[RandomSize]; // server random
97 int clientVersion; // version in ClientHello
99 char *digest; // name of digest algorithm to use
100 char *enc; // name of encryption algorithm to use
101 int nsecret; // amount of secret data to init keys
103 // for finished messages
104 HandshakeHash handhash;
113 uchar random[RandomSize];
121 uchar random[RandomSize];
135 } certificateRequest;
153 typedef struct TlsSec{
154 char *server; // name of remote; nil for server
155 int ok; // <0 killed; == 0 in progress; >0 reusable
157 AuthRpc *rpc; // factotum for rsa private key
158 uchar sec[MasterSecretSize]; // master secret
159 uchar crandom[RandomSize]; // client random
160 uchar srandom[RandomSize]; // server random
161 int clientVers; // version in ClientHello
162 int vers; // final version
163 // byte generation and handshake checksum
164 void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
165 void (*setFinished)(TlsSec*, HandshakeHash, uchar*, int);
171 SSL3Version = 0x0300,
172 TLS10Version = 0x0301,
173 TLS11Version = 0x0302,
174 TLS12Version = 0x0303,
175 ProtocolVersion = TLS12Version, // maximum version we speak
176 MinProtoVersion = 0x0300, // limits on version we accept
177 MaxProtoVersion = 0x03ff,
185 HSSL2ClientHello = 9, /* local convention; see devtls.c */
199 EUnexpectedMessage = 10,
201 EDecryptionFailed = 21,
202 ERecordOverflow = 22,
203 EDecompressionFailure = 30,
204 EHandshakeFailure = 40,
206 EBadCertificate = 42,
207 EUnsupportedCertificate = 43,
208 ECertificateRevoked = 44,
209 ECertificateExpired = 45,
210 ECertificateUnknown = 46,
211 EIllegalParameter = 47,
216 EExportRestriction = 60,
217 EProtocolVersion = 70,
218 EInsufficientSecurity = 71,
221 ENoRenegotiation = 100,
227 TLS_NULL_WITH_NULL_NULL = 0x0000,
228 TLS_RSA_WITH_NULL_MD5 = 0x0001,
229 TLS_RSA_WITH_NULL_SHA = 0x0002,
230 TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
231 TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
232 TLS_RSA_WITH_RC4_128_SHA = 0x0005,
233 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006,
234 TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
235 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008,
236 TLS_RSA_WITH_DES_CBC_SHA = 0X0009,
237 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A,
238 TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X000B,
239 TLS_DH_DSS_WITH_DES_CBC_SHA = 0X000C,
240 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0X000D,
241 TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X000E,
242 TLS_DH_RSA_WITH_DES_CBC_SHA = 0X000F,
243 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0X0010,
244 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X0011,
245 TLS_DHE_DSS_WITH_DES_CBC_SHA = 0X0012,
246 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0X0013, // ZZZ must be implemented for tls1.0 compliance
247 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0014,
248 TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015,
249 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016,
250 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
251 TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
252 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
253 TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
254 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
256 TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
257 TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
258 TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
259 TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
260 TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0X0033,
261 TLS_DH_anon_WITH_AES_128_CBC_SHA = 0X0034,
262 TLS_RSA_WITH_AES_256_CBC_SHA = 0X0035,
263 TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0X0036,
264 TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0X0037,
265 TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
266 TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
267 TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
269 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
270 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
271 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
272 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
276 // compression methods
282 static Algs cipherAlgs[] = {
283 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
284 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
285 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
286 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
287 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
288 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
289 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_RSA_WITH_AES_256_CBC_SHA},
290 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_RSA_WITH_AES_128_CBC_SHA},
291 {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA},
292 {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
293 {"rc4_128", "sha1", 2*(16+SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
294 {"rc4_128", "md5", 2*(16+MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
297 static uchar compressors[] = {
301 static Namedcurve namedcurves[] = {
302 {0x0017, "secp256r1",
303 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
304 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
305 "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
306 "046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
307 "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
311 static uchar pointformats[] = {
312 CompressionNull /* support of uncompressed point format is mandatory */
315 static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int certlen, int (*trace)(char*fmt, ...), PEMChain *chain);
316 static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, uchar *ext, int extlen, int (*trace)(char*fmt, ...));
317 static void msgClear(Msg *m);
318 static char* msgPrint(char *buf, int n, Msg *m);
319 static int msgRecv(TlsConnection *c, Msg *m);
320 static int msgSend(TlsConnection *c, Msg *m, int act);
321 static void tlsError(TlsConnection *c, int err, char *msg, ...);
322 #pragma varargck argpos tlsError 3
323 static int setVersion(TlsConnection *c, int version);
324 static int finishedMatch(TlsConnection *c, Finished *f);
325 static void tlsConnectionFree(TlsConnection *c);
327 static int setAlgs(TlsConnection *c, int a);
328 static int okCipher(Ints *cv);
329 static int okCompression(Bytes *cv);
330 static int initCiphers(void);
331 static Ints* makeciphers(void);
333 static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
334 static int tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm);
335 static TlsSec* tlsSecInitc(int cvers, uchar *crandom);
336 static Bytes* tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers);
337 static Bytes* tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers, Bytes *p, Bytes *g, Bytes *Ys);
338 static Bytes* tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys);
339 static int tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient);
340 static void tlsSecOk(TlsSec *sec);
341 static void tlsSecKill(TlsSec *sec);
342 static void tlsSecClose(TlsSec *sec);
343 static void setMasterSecret(TlsSec *sec, Bytes *pm);
344 static void serverMasterSecret(TlsSec *sec, Bytes *epm);
345 static void setSecrets(TlsSec *sec, uchar *kd, int nkd);
346 static Bytes* clientMasterSecret(TlsSec *sec, RSApub *pub);
347 static Bytes* pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
348 static Bytes* pkcs1_decrypt(TlsSec *sec, Bytes *cipher);
349 static void tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
350 static void tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
351 static void sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
352 static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
353 uchar *seed0, int nseed0, uchar *seed1, int nseed1);
354 static int setVers(TlsSec *sec, int version);
356 static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
357 static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
358 static void factotum_rsa_close(AuthRpc*rpc);
360 static void* emalloc(int);
361 static void* erealloc(void*, int);
362 static void put32(uchar *p, u32int);
363 static void put24(uchar *p, int);
364 static void put16(uchar *p, int);
365 static u32int get32(uchar *p);
366 static int get24(uchar *p);
367 static int get16(uchar *p);
368 static Bytes* newbytes(int len);
369 static Bytes* makebytes(uchar* buf, int len);
370 static Bytes* mptobytes(mpint* big);
371 static mpint* bytestomp(Bytes* bytes);
372 static void freebytes(Bytes* b);
373 static Ints* newints(int len);
374 static void freeints(Ints* b);
377 extern mpint* pkcs1padbuf(uchar *buf, int len, mpint *modulus);
379 //================= client/server ========================
381 // push TLS onto fd, returning new (application) file descriptor
384 tlsServer(int fd, TLSconn *conn)
388 int n, data, ctl, hand;
393 ctl = open("#a/tls/clone", ORDWR);
396 n = read(ctl, buf, sizeof(buf)-1);
402 snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
403 snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
404 hand = open(dname, ORDWR);
409 fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
410 tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
411 snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
412 data = open(dname, ORDWR);
415 if(data < 0 || tls == nil){
417 tlsConnectionFree(tls);
421 conn->cert = 0; // client certificates are not yet implemented
423 conn->sessionIDlen = tls->sid->len;
424 conn->sessionID = emalloc(conn->sessionIDlen);
425 memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
426 if(conn->sessionKey != nil
427 && conn->sessionType != nil
428 && strcmp(conn->sessionType, "ttls") == 0)
430 conn->sessionKey, conn->sessionKeylen,
431 tls->sec->sec, MasterSecretSize,
433 tls->sec->crandom, RandomSize,
434 tls->sec->srandom, RandomSize);
435 tlsConnectionFree(tls);
441 tlsClientExtensions(TLSconn *conn, int *plen)
448 // RFC6066 - Server Name Identification
449 if(conn->serverName != nil){
450 n = strlen(conn->serverName);
453 b = erealloc(b, m + 2+2+2+1+2+n);
456 put16(p, 0), p += 2; /* Type: server_name */
457 put16(p, 2+1+2+n), p += 2; /* Length */
458 put16(p, 1+2+n), p += 2; /* Server Name list length */
459 *p++ = 0; /* Server Name Type: host_name */
460 put16(p, n), p += 2; /* Server Name length */
461 memmove(p, conn->serverName, n);
468 b = erealloc(b, m + 2+2+2+nelem(namedcurves)*2 + 2+2+1+nelem(pointformats));
471 n = nelem(namedcurves);
472 put16(p, 0x000a), p += 2; /* Type: elliptic_curves */
473 put16(p, (n+1)*2), p += 2; /* Length */
474 put16(p, n*2), p += 2; /* Elliptic Curves Length */
475 for(i=0; i < n; i++){ /* Elliptic curves */
476 put16(p, namedcurves[i].tlsid);
480 n = nelem(pointformats);
481 put16(p, 0x000b), p += 2; /* Type: ec_point_formats */
482 put16(p, n+1), p += 2; /* Length */
483 *p++ = n; /* EC point formats Length */
484 for(i=0; i < n; i++) /* Elliptic curves point formats */
485 *p++ = pointformats[i];
492 // push TLS onto fd, returning new (application) file descriptor
495 tlsClient(int fd, TLSconn *conn)
499 int n, data, ctl, hand;
505 ctl = open("#a/tls/clone", ORDWR);
508 n = read(ctl, buf, sizeof(buf)-1);
514 snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
515 snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
516 hand = open(dname, ORDWR);
521 snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
522 data = open(dname, ORDWR);
528 fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
529 ext = tlsClientExtensions(conn, &n);
530 tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->cert, conn->certlen,
531 ext, n, conn->trace);
539 conn->certlen = tls->cert->len;
540 conn->cert = emalloc(conn->certlen);
541 memcpy(conn->cert, tls->cert->data, conn->certlen);
542 conn->sessionIDlen = tls->sid->len;
543 conn->sessionID = emalloc(conn->sessionIDlen);
544 memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
545 if(conn->sessionKey != nil
546 && conn->sessionType != nil
547 && strcmp(conn->sessionType, "ttls") == 0)
549 conn->sessionKey, conn->sessionKeylen,
550 tls->sec->sec, MasterSecretSize,
552 tls->sec->crandom, RandomSize,
553 tls->sec->srandom, RandomSize);
554 tlsConnectionFree(tls);
560 countchain(PEMChain *p)
571 static TlsConnection *
572 tlsServer2(int ctl, int hand, uchar *cert, int certlen, int (*trace)(char*fmt, ...), PEMChain *chp)
577 uchar sid[SidSize], kd[MaxKeyData];
579 int cipher, compressor, nsid, rv, numcerts, i;
582 trace("tlsServer2\n");
585 c = emalloc(sizeof(TlsConnection));
589 c->version = ProtocolVersion;
591 memset(&m, 0, sizeof(m));
594 trace("initial msgRecv failed\n");
597 if(m.tag != HClientHello) {
598 tlsError(c, EUnexpectedMessage, "expected a client hello");
601 c->clientVersion = m.u.clientHello.version;
603 trace("ClientHello version %x\n", c->clientVersion);
604 if(setVersion(c, c->clientVersion) < 0) {
605 tlsError(c, EIllegalParameter, "incompatible version");
609 memmove(c->crandom, m.u.clientHello.random, RandomSize);
610 cipher = okCipher(m.u.clientHello.ciphers);
612 // reply with EInsufficientSecurity if we know that's the case
614 tlsError(c, EInsufficientSecurity, "cipher suites too weak");
616 tlsError(c, EHandshakeFailure, "no matching cipher suite");
619 if(!setAlgs(c, cipher)){
620 tlsError(c, EHandshakeFailure, "no matching cipher suite");
623 compressor = okCompression(m.u.clientHello.compressors);
625 tlsError(c, EHandshakeFailure, "no matching compressor");
629 csid = m.u.clientHello.sid;
631 trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
632 c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
634 tlsError(c, EHandshakeFailure, "can't initialize security: %r");
637 c->sec->rpc = factotum_rsa_open(cert, certlen);
638 if(c->sec->rpc == nil){
639 tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
642 c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
643 if(c->sec->rsapub == nil){
644 tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
649 m.tag = HServerHello;
650 m.u.serverHello.version = c->version;
651 memmove(m.u.serverHello.random, c->srandom, RandomSize);
652 m.u.serverHello.cipher = cipher;
653 m.u.serverHello.compressor = compressor;
654 c->sid = makebytes(sid, nsid);
655 m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
656 if(!msgSend(c, &m, AQueue))
660 m.tag = HCertificate;
661 numcerts = countchain(chp);
662 m.u.certificate.ncert = 1 + numcerts;
663 m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
664 m.u.certificate.certs[0] = makebytes(cert, certlen);
665 for (i = 0; i < numcerts && chp; i++, chp = chp->next)
666 m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
667 if(!msgSend(c, &m, AQueue))
671 m.tag = HServerHelloDone;
672 if(!msgSend(c, &m, AFlush))
678 if(m.tag != HClientKeyExchange) {
679 tlsError(c, EUnexpectedMessage, "expected a client key exchange");
682 if(tlsSecRSAs(c->sec, c->version, m.u.clientKeyExchange.key) < 0){
683 tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
686 setSecrets(c->sec, kd, c->nsecret);
688 trace("tls secrets\n");
689 secrets = (char*)emalloc(2*c->nsecret);
690 enc64(secrets, 2*c->nsecret, kd, c->nsecret);
691 rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
692 memset(secrets, 0, 2*c->nsecret);
694 memset(kd, 0, c->nsecret);
696 tlsError(c, EHandshakeFailure, "can't set keys: %r");
701 /* no CertificateVerify; skip to Finished */
702 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
703 tlsError(c, EInternalError, "can't set finished: %r");
708 if(m.tag != HFinished) {
709 tlsError(c, EUnexpectedMessage, "expected a finished");
712 if(!finishedMatch(c, &m.u.finished)) {
713 tlsError(c, EHandshakeFailure, "finished verification failed");
718 /* change cipher spec */
719 if(fprint(c->ctl, "changecipher") < 0){
720 tlsError(c, EInternalError, "can't enable cipher: %r");
724 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
725 tlsError(c, EInternalError, "can't set finished: %r");
729 m.u.finished = c->finished;
730 if(!msgSend(c, &m, AFlush))
734 trace("tls finished\n");
736 if(fprint(c->ctl, "opened") < 0)
743 tlsConnectionFree(c);
751 case TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
752 case TLS_DHE_DSS_WITH_DES_CBC_SHA:
753 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
754 case TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
755 case TLS_DHE_RSA_WITH_DES_CBC_SHA:
756 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
757 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
758 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
759 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
760 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
770 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
771 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
772 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
773 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
780 tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers,
781 Bytes *p, Bytes *g, Bytes *Ys)
783 mpint *G, *P, *Y, *K;
787 if(p == nil || g == nil || Ys == nil)
790 memmove(sec->srandom, srandom, RandomSize);
791 if(setVers(sec, vers) < 0)
800 if(P == nil || G == nil || Y == nil || dh_new(&dh, P, G) == nil)
802 epm = mptobytes(dh.y);
803 K = dh_finish(&dh, Y);
809 setMasterSecret(sec, mptobytes(K));
821 bytestoec(ECdomain *dom, Bytes *bp, ECpoint *ret)
823 char *hex = "0123456789ABCDEF";
827 s = emalloc(2*bp->len + 1);
828 for(i=0; i < bp->len; i++){
829 s[2*i] = hex[bp->data[i]>>4 & 15];
830 s[2*i+1] = hex[bp->data[i] & 15];
833 ret = strtoec(dom, s, nil, ret);
839 ectobytes(int type, ECpoint *p)
843 bx = mptobytes(p->x);
844 by = mptobytes(p->y);
845 bp = newbytes(bx->len + by->len + 1);
847 memmove(bp->data+1, bx->data, bx->len);
848 memmove(bp->data+1+bx->len, by->data, by->len);
855 tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys)
869 memmove(sec->srandom, srandom, RandomSize);
870 if(setVers(sec, vers) < 0)
873 dom = ecnamedcurve(curve);
878 memset(&K, 0, sizeof(K));
882 if(K.x == nil || K.y == nil)
885 Y = betoec(dom, Ys->data, Ys->len, nil);
893 ecmul(dom, Y, Q->d, &K);
894 setMasterSecret(sec, mptobytes(K.x));
896 /* 0x04 = uncompressed public key */
897 epm = ectobytes(0x04, Q);
912 static TlsConnection *
913 tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, uchar *ext, int extlen,
914 int (*trace)(char*fmt, ...))
918 uchar kd[MaxKeyData];
920 int creq, dhx, rv, cipher;
921 mpint *signedMP, *paddedHashes;
927 c = emalloc(sizeof(TlsConnection));
928 c->version = ProtocolVersion;
930 // client certificate signature not implemented for TLS1.2
931 if(cert != nil && certlen > 0 && c->version >= TLS12Version)
932 c->version = TLS11Version;
938 c->clientVersion = c->version;
940 c->sec = tlsSecInitc(c->clientVersion, c->crandom);
944 memset(&m, 0, sizeof(m));
945 m.tag = HClientHello;
946 m.u.clientHello.version = c->clientVersion;
947 memmove(m.u.clientHello.random, c->crandom, RandomSize);
948 m.u.clientHello.sid = makebytes(csid, ncsid);
949 m.u.clientHello.ciphers = makeciphers();
950 m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
951 m.u.clientHello.extensions = makebytes(ext, extlen);
952 if(!msgSend(c, &m, AFlush))
959 if(m.tag != HServerHello) {
960 tlsError(c, EUnexpectedMessage, "expected a server hello");
963 if(setVersion(c, m.u.serverHello.version) < 0) {
964 tlsError(c, EIllegalParameter, "incompatible version %r");
967 memmove(c->srandom, m.u.serverHello.random, RandomSize);
968 c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
969 if(c->sid->len != 0 && c->sid->len != SidSize) {
970 tlsError(c, EIllegalParameter, "invalid server session identifier");
973 cipher = m.u.serverHello.cipher;
974 if(!setAlgs(c, cipher)) {
975 tlsError(c, EIllegalParameter, "invalid cipher suite");
978 if(m.u.serverHello.compressor != CompressionNull) {
979 tlsError(c, EIllegalParameter, "invalid compression");
985 if(!msgRecv(c, &m) || m.tag != HCertificate) {
986 tlsError(c, EUnexpectedMessage, "expected a certificate");
989 if(m.u.certificate.ncert < 1) {
990 tlsError(c, EIllegalParameter, "runt certificate");
993 c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
996 /* server key exchange */
997 dhx = isDHE(cipher) || isECDHE(cipher);
1000 if(m.tag == HServerKeyExchange) {
1002 tlsError(c, EUnexpectedMessage, "got an server key exchange");
1006 epm = tlsSecECDHEc(c->sec, c->srandom, c->version,
1007 m.u.serverKeyExchange.curve,
1008 m.u.serverKeyExchange.dh_Ys);
1010 epm = tlsSecDHEc(c->sec, c->srandom, c->version,
1011 m.u.serverKeyExchange.dh_p,
1012 m.u.serverKeyExchange.dh_g,
1013 m.u.serverKeyExchange.dh_Ys);
1020 tlsError(c, EUnexpectedMessage, "expected server key exchange");
1024 /* certificate request (optional) */
1026 if(m.tag == HCertificateRequest) {
1033 if(m.tag != HServerHelloDone) {
1034 tlsError(c, EUnexpectedMessage, "expected a server hello done");
1040 epm = tlsSecRSAc(c->sec, c->sid->data, c->sid->len, c->srandom,
1041 c->cert->data, c->cert->len, c->version);
1045 tlsError(c, EBadCertificate, "bad certificate: %r");
1049 setSecrets(c->sec, kd, c->nsecret);
1050 secrets = (char*)emalloc(2*c->nsecret);
1051 enc64(secrets, 2*c->nsecret, kd, c->nsecret);
1052 rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
1053 memset(secrets, 0, 2*c->nsecret);
1055 memset(kd, 0, c->nsecret);
1057 tlsError(c, EHandshakeFailure, "can't set keys: %r");
1062 if(cert != nil && certlen > 0){
1063 m.u.certificate.ncert = 1;
1064 m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
1065 m.u.certificate.certs[0] = makebytes(cert, certlen);
1067 m.tag = HCertificate;
1068 if(!msgSend(c, &m, AFlush))
1073 /* client key exchange */
1074 m.tag = HClientKeyExchange;
1075 m.u.clientKeyExchange.key = epm;
1077 if(m.u.clientKeyExchange.key == nil) {
1078 tlsError(c, EHandshakeFailure, "can't set secret: %r");
1082 if(!msgSend(c, &m, AFlush))
1086 /* certificate verify */
1087 if(creq && cert != nil && certlen > 0) {
1088 uchar hshashes[MD5dlen+SHA1dlen]; /* content of signature */
1089 HandshakeHash hsave;
1091 /* save the state for the Finish message */
1092 hsave = c->handhash;
1093 md5(nil, 0, hshashes, &c->handhash.md5);
1094 sha1(nil, 0, hshashes+MD5dlen, &c->handhash.sha1);
1095 c->handhash = hsave;
1097 c->sec->rpc = factotum_rsa_open(cert, certlen);
1098 if(c->sec->rpc == nil){
1099 tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
1102 c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
1103 if(c->sec->rsapub == nil){
1104 tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
1108 paddedHashes = pkcs1padbuf(hshashes, MD5dlen+SHA1dlen, c->sec->rsapub->n);
1109 signedMP = factotum_rsa_decrypt(c->sec->rpc, paddedHashes);
1110 if(signedMP == nil){
1111 tlsError(c, EHandshakeFailure, "factotum_rsa_decrypt: %r");
1114 m.u.certificateVerify.signature = mptobytes(signedMP);
1117 m.tag = HCertificateVerify;
1118 if(!msgSend(c, &m, AFlush))
1123 /* change cipher spec */
1124 if(fprint(c->ctl, "changecipher") < 0){
1125 tlsError(c, EInternalError, "can't enable cipher: %r");
1129 // Cipherchange must occur immediately before Finished to avoid
1130 // potential hole; see section 4.3 of Wagner Schneier 1996.
1131 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
1132 tlsError(c, EInternalError, "can't set finished 1: %r");
1136 m.u.finished = c->finished;
1137 if(!msgSend(c, &m, AFlush)) {
1138 tlsError(c, EInternalError, "can't flush after client Finished: %r");
1143 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
1144 tlsError(c, EInternalError, "can't set finished 0: %r");
1147 if(!msgRecv(c, &m)) {
1148 tlsError(c, EInternalError, "can't read server Finished: %r");
1151 if(m.tag != HFinished) {
1152 tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
1156 if(!finishedMatch(c, &m.u.finished)) {
1157 tlsError(c, EHandshakeFailure, "finished verification failed");
1162 if(fprint(c->ctl, "opened") < 0){
1164 trace("unable to do final open: %r\n");
1173 tlsConnectionFree(c);
1178 //================= message functions ========================
1181 msgHash(TlsConnection *c, uchar *p, int n)
1183 md5(p, n, 0, &c->handhash.md5);
1184 sha1(p, n, 0, &c->handhash.sha1);
1185 if(c->version >= TLS12Version)
1186 sha2_256(p, n, 0, &c->handhash.sha2_256);
1190 msgSend(TlsConnection *c, Msg *m, int act)
1192 uchar *p; // sendp = start of new message; p = write pointer
1196 c->sendp = c->sendbuf;
1199 c->trace("send %s", msgPrint((char*)p, (sizeof(c->sendbuf)) - (p - c->sendbuf), m));
1201 p[0] = m->tag; // header - fill in size later
1206 tlsError(c, EInternalError, "can't encode a %d", m->tag);
1210 put16(p, m->u.clientHello.version);
1214 memmove(p, m->u.clientHello.random, RandomSize);
1218 n = m->u.clientHello.sid->len;
1221 memmove(p+1, m->u.clientHello.sid->data, n);
1224 n = m->u.clientHello.ciphers->len;
1225 assert(n > 0 && n < 200);
1228 for(i=0; i<n; i++) {
1229 put16(p, m->u.clientHello.ciphers->data[i]);
1233 n = m->u.clientHello.compressors->len;
1236 memmove(p+1, m->u.clientHello.compressors->data, n);
1239 if(m->u.clientHello.extensions == nil)
1241 n = m->u.clientHello.extensions->len;
1245 memmove(p+2, m->u.clientHello.extensions->data, n);
1249 put16(p, m->u.serverHello.version);
1253 memmove(p, m->u.serverHello.random, RandomSize);
1257 n = m->u.serverHello.sid->len;
1260 memmove(p+1, m->u.serverHello.sid->data, n);
1263 put16(p, m->u.serverHello.cipher);
1265 p[0] = m->u.serverHello.compressor;
1268 if(m->u.serverHello.extensions == nil)
1270 n = m->u.serverHello.extensions->len;
1274 memmove(p+2, m->u.serverHello.extensions->data, n);
1277 case HServerHelloDone:
1281 for(i = 0; i < m->u.certificate.ncert; i++)
1282 nn += 3 + m->u.certificate.certs[i]->len;
1283 if(p + 3 + nn - c->sendbuf > sizeof(c->sendbuf)) {
1284 tlsError(c, EInternalError, "output buffer too small for certificate");
1289 for(i = 0; i < m->u.certificate.ncert; i++){
1290 put24(p, m->u.certificate.certs[i]->len);
1292 memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
1293 p += m->u.certificate.certs[i]->len;
1296 case HCertificateVerify:
1297 put16(p, m->u.certificateVerify.signature->len);
1299 memmove(p, m->u.certificateVerify.signature->data, m->u.certificateVerify.signature->len);
1300 p += m->u.certificateVerify.signature->len;
1302 case HClientKeyExchange:
1303 n = m->u.clientKeyExchange.key->len;
1304 if(c->version != SSL3Version){
1305 if(isECDHE(c->cipher))
1308 put16(p, n), p += 2;
1310 memmove(p, m->u.clientKeyExchange.key->data, n);
1314 memmove(p, m->u.finished.verify, m->u.finished.n);
1315 p += m->u.finished.n;
1319 // go back and fill in size
1321 assert(p <= c->sendbuf + sizeof(c->sendbuf));
1322 put24(c->sendp+1, n-4);
1324 // remember hash of Handshake messages
1325 if(m->tag != HHelloRequest)
1326 msgHash(c, c->sendp, n);
1330 c->sendp = c->sendbuf;
1331 if(write(c->hand, c->sendbuf, p - c->sendbuf) < 0){
1332 fprint(2, "write error: %r\n");
1344 tlsReadN(TlsConnection *c, int n)
1351 if(c->rp != c->recvbuf){
1352 memmove(c->recvbuf, c->rp, nn);
1354 c->ep = &c->recvbuf[nn];
1356 for(; nn < n; nn += nr) {
1357 nr = read(c->hand, &c->rp[nn], n - nn);
1369 msgRecv(TlsConnection *c, Msg *m)
1372 int type, n, nn, i, nsid, nrandom, nciph;
1381 if(type != HHelloRequest)
1384 tlsError(c, EDecodeError, "invalid hello request during handshake");
1389 if(n > sizeof(c->recvbuf)) {
1390 tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->recvbuf));
1394 if(type == HSSL2ClientHello){
1395 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
1396 This is sent by some clients that we must interoperate
1397 with, such as Java's JSSE and Microsoft's Internet Explorer. */
1402 m->tag = HClientHello;
1405 m->u.clientHello.version = get16(p+1);
1408 nn = get16(p); /* cipher_spec_len */
1409 nsid = get16(p + 2);
1410 nrandom = get16(p + 4);
1413 if(nsid != 0 /* no sid's, since shouldn't restart using ssl2 header */
1414 || nrandom < 16 || nn % 3)
1416 if(c->trace && (n - nrandom != nn))
1417 c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
1418 /* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
1420 for(i = 0; i < nn; i += 3)
1423 m->u.clientHello.ciphers = newints(nciph);
1425 for(i = 0; i < nn; i += 3)
1427 m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]);
1429 m->u.clientHello.sid = makebytes(nil, 0);
1430 if(nrandom > RandomSize)
1431 nrandom = RandomSize;
1432 memset(m->u.clientHello.random, 0, RandomSize - nrandom);
1433 memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
1434 m->u.clientHello.compressors = newbytes(1);
1435 m->u.clientHello.compressors->data[0] = CompressionNull;
1450 tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
1455 m->u.clientHello.version = get16(p);
1461 memmove(m->u.clientHello.random, p, RandomSize);
1464 if(n < 1 || n < p[0]+1)
1466 m->u.clientHello.sid = makebytes(p+1, p[0]);
1467 p += m->u.clientHello.sid->len+1;
1468 n -= m->u.clientHello.sid->len+1;
1476 if((nn & 1) || n < nn || nn < 2)
1478 m->u.clientHello.ciphers = newints(nn >> 1);
1479 for(i = 0; i < nn; i += 2)
1480 m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
1484 if(n < 1 || n < p[0]+1 || p[0] == 0)
1487 m->u.clientHello.compressors = makebytes(p+1, nn);
1496 m->u.clientHello.extensions = makebytes(p+2, nn);
1502 m->u.serverHello.version = get16(p);
1508 memmove(m->u.serverHello.random, p, RandomSize);
1512 if(n < 1 || n < p[0]+1)
1514 m->u.serverHello.sid = makebytes(p+1, p[0]);
1515 p += m->u.serverHello.sid->len+1;
1516 n -= m->u.serverHello.sid->len+1;
1520 m->u.serverHello.cipher = get16(p);
1521 m->u.serverHello.compressor = p[2];
1530 m->u.serverHello.extensions = makebytes(p+2, nn);
1539 if(nn == 0 && n > 0)
1551 m->u.certificate.ncert = i+1;
1552 m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes*));
1553 m->u.certificate.certs[i] = makebytes(p, nn);
1559 case HCertificateRequest:
1567 m->u.certificateRequest.types = makebytes(p, nn);
1575 /* nn == 0 can happen; yahoo's servers do it */
1586 if(nn < 1 || nn > n)
1588 m->u.certificateRequest.nca = i+1;
1589 m->u.certificateRequest.cas = erealloc(
1590 m->u.certificateRequest.cas, (i+1)*sizeof(Bytes*));
1591 m->u.certificateRequest.cas[i] = makebytes(p, nn);
1597 case HServerHelloDone:
1599 case HServerKeyExchange:
1602 if(isECDHE(c->cipher)){
1605 if(nn != 3 || nn > n) /* not a named curve */
1609 m->u.serverKeyExchange.curve = nn;
1612 if(nn < 1 || nn > n)
1614 m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
1616 }else if(isDHE(c->cipher)){
1619 if(nn < 1 || nn > n)
1621 m->u.serverKeyExchange.dh_p = makebytes(p, nn);
1628 if(nn < 1 || nn > n)
1630 m->u.serverKeyExchange.dh_g = makebytes(p, nn);
1637 if(nn < 1 || nn > n)
1639 m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
1642 /* should not happen */
1646 if(c->version >= TLS12Version){
1647 /* signature hash algorithm */
1654 if(nn > 0 && nn <= n){
1655 m->u.serverKeyExchange.dh_signature = makebytes(p, nn);
1660 case HClientKeyExchange:
1662 * this message depends upon the encryption selected
1665 if(c->version == SSL3Version)
1676 m->u.clientKeyExchange.key = makebytes(p, nn);
1680 m->u.finished.n = c->finished.n;
1681 if(n < m->u.finished.n)
1683 memmove(m->u.finished.verify, p, m->u.finished.n);
1684 n -= m->u.finished.n;
1688 if(type != HClientHello && type != HServerHello && n != 0)
1693 buf = emalloc(8000);
1694 c->trace("recv %s", msgPrint(buf, 8000, m));
1699 tlsError(c, EDecodeError, "handshake message (%d) has invalid length", type);
1712 sysfatal("msgClear: unknown message type: %d", m->tag);
1716 freebytes(m->u.clientHello.sid);
1717 freeints(m->u.clientHello.ciphers);
1718 freebytes(m->u.clientHello.compressors);
1719 freebytes(m->u.clientHello.extensions);
1722 freebytes(m->u.serverHello.sid);
1723 freebytes(m->u.serverHello.extensions);
1726 for(i=0; i<m->u.certificate.ncert; i++)
1727 freebytes(m->u.certificate.certs[i]);
1728 free(m->u.certificate.certs);
1730 case HCertificateRequest:
1731 freebytes(m->u.certificateRequest.types);
1732 for(i=0; i<m->u.certificateRequest.nca; i++)
1733 freebytes(m->u.certificateRequest.cas[i]);
1734 free(m->u.certificateRequest.cas);
1736 case HCertificateVerify:
1737 freebytes(m->u.certificateVerify.signature);
1739 case HServerHelloDone:
1741 case HServerKeyExchange:
1742 freebytes(m->u.serverKeyExchange.dh_p);
1743 freebytes(m->u.serverKeyExchange.dh_g);
1744 freebytes(m->u.serverKeyExchange.dh_Ys);
1745 freebytes(m->u.serverKeyExchange.dh_signature);
1747 case HClientKeyExchange:
1748 freebytes(m->u.clientKeyExchange.key);
1753 memset(m, 0, sizeof(Msg));
1757 bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
1762 bs = seprint(bs, be, "%s", s0);
1764 bs = seprint(bs, be, "nil");
1766 bs = seprint(bs, be, "<%d> [", b->len);
1767 for(i=0; i<b->len; i++)
1768 bs = seprint(bs, be, "%.2x ", b->data[i]);
1770 bs = seprint(bs, be, "]");
1772 bs = seprint(bs, be, "%s", s1);
1777 intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
1782 bs = seprint(bs, be, "%s", s0);
1783 bs = seprint(bs, be, "[");
1785 bs = seprint(bs, be, "nil");
1787 for(i=0; i<b->len; i++)
1788 bs = seprint(bs, be, "%x ", b->data[i]);
1789 bs = seprint(bs, be, "]");
1791 bs = seprint(bs, be, "%s", s1);
1796 msgPrint(char *buf, int n, Msg *m)
1799 char *bs = buf, *be = buf+n;
1803 bs = seprint(bs, be, "unknown %d\n", m->tag);
1806 bs = seprint(bs, be, "ClientHello\n");
1807 bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version);
1808 bs = seprint(bs, be, "\trandom: ");
1809 for(i=0; i<RandomSize; i++)
1810 bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]);
1811 bs = seprint(bs, be, "\n");
1812 bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
1813 bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
1814 bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
1815 if(m->u.clientHello.extensions != nil)
1816 bs = bytesPrint(bs, be, "\textensions: ", m->u.clientHello.extensions, "\n");
1819 bs = seprint(bs, be, "ServerHello\n");
1820 bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version);
1821 bs = seprint(bs, be, "\trandom: ");
1822 for(i=0; i<RandomSize; i++)
1823 bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]);
1824 bs = seprint(bs, be, "\n");
1825 bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
1826 bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
1827 bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
1828 if(m->u.serverHello.extensions != nil)
1829 bs = bytesPrint(bs, be, "\textensions: ", m->u.serverHello.extensions, "\n");
1832 bs = seprint(bs, be, "Certificate\n");
1833 for(i=0; i<m->u.certificate.ncert; i++)
1834 bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n");
1836 case HCertificateRequest:
1837 bs = seprint(bs, be, "CertificateRequest\n");
1838 bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
1839 bs = seprint(bs, be, "\tcertificateauthorities\n");
1840 for(i=0; i<m->u.certificateRequest.nca; i++)
1841 bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
1843 case HCertificateVerify:
1844 bs = seprint(bs, be, "HCertificateVerify\n");
1845 bs = bytesPrint(bs, be, "\tsignature: ", m->u.certificateVerify.signature,"\n");
1847 case HServerHelloDone:
1848 bs = seprint(bs, be, "ServerHelloDone\n");
1850 case HServerKeyExchange:
1851 bs = seprint(bs, be, "HServerKeyExchange\n");
1852 if(m->u.serverKeyExchange.curve != 0){
1853 bs = seprint(bs, be, "\tcurve: %.4x\n", m->u.serverKeyExchange.curve);
1855 bs = bytesPrint(bs, be, "\tdh_p: ", m->u.serverKeyExchange.dh_p, "\n");
1856 bs = bytesPrint(bs, be, "\tdh_g: ", m->u.serverKeyExchange.dh_g, "\n");
1858 bs = bytesPrint(bs, be, "\tdh_Ys: ", m->u.serverKeyExchange.dh_Ys, "\n");
1859 bs = bytesPrint(bs, be, "\tdh_signature: ", m->u.serverKeyExchange.dh_signature, "\n");
1861 case HClientKeyExchange:
1862 bs = seprint(bs, be, "HClientKeyExchange\n");
1863 bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
1866 bs = seprint(bs, be, "HFinished\n");
1867 for(i=0; i<m->u.finished.n; i++)
1868 bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]);
1869 bs = seprint(bs, be, "\n");
1877 tlsError(TlsConnection *c, int err, char *fmt, ...)
1883 vseprint(msg, msg+sizeof(msg), fmt, arg);
1886 c->trace("tlsError: %s\n", msg);
1888 fprint(2, "double error: %r, %s", msg);
1890 werrstr("tls: local %s", msg);
1892 fprint(c->ctl, "alert %d", err);
1895 // commit to specific version number
1897 setVersion(TlsConnection *c, int version)
1899 if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
1901 if(version > c->version)
1902 version = c->version;
1903 if(version == SSL3Version) {
1904 c->version = version;
1905 c->finished.n = SSL3FinishedLen;
1907 c->version = version;
1908 c->finished.n = TLSFinishedLen;
1911 return fprint(c->ctl, "version 0x%x", version);
1914 // confirm that received Finished message matches the expected value
1916 finishedMatch(TlsConnection *c, Finished *f)
1918 return constcmp(f->verify, c->finished.verify, f->n) == 0;
1921 // free memory associated with TlsConnection struct
1922 // (but don't close the TLS channel itself)
1924 tlsConnectionFree(TlsConnection *c)
1926 tlsSecClose(c->sec);
1929 memset(c, 0, sizeof(c));
1934 //================= cipher choices ========================
1936 static int weakCipher[CipherMax] =
1938 1, /* TLS_NULL_WITH_NULL_NULL */
1939 1, /* TLS_RSA_WITH_NULL_MD5 */
1940 1, /* TLS_RSA_WITH_NULL_SHA */
1941 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
1942 0, /* TLS_RSA_WITH_RC4_128_MD5 */
1943 0, /* TLS_RSA_WITH_RC4_128_SHA */
1944 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
1945 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */
1946 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
1947 0, /* TLS_RSA_WITH_DES_CBC_SHA */
1948 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
1949 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
1950 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
1951 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
1952 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
1953 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
1954 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
1955 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
1956 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
1957 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
1958 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
1959 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
1960 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
1961 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
1962 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */
1963 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
1964 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */
1965 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
1969 setAlgs(TlsConnection *c, int a)
1973 for(i = 0; i < nelem(cipherAlgs); i++){
1974 if(cipherAlgs[i].tlsid == a){
1976 c->enc = cipherAlgs[i].enc;
1977 c->digest = cipherAlgs[i].digest;
1978 c->nsecret = cipherAlgs[i].nsecret;
1979 if(c->nsecret > MaxKeyData)
1993 for(i = 0; i < cv->len; i++) {
1998 weak &= weakCipher[c];
1999 if(isDHE(c) || isECDHE(c))
2000 continue; /* TODO: not implemented for server */
2001 for(j = 0; j < nelem(cipherAlgs); j++)
2002 if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
2011 okCompression(Bytes *cv)
2015 for(i = 0; i < cv->len; i++) {
2017 for(j = 0; j < nelem(compressors); j++) {
2018 if(compressors[j] == c)
2025 static Lock ciphLock;
2026 static int nciphers;
2031 enum {MaxAlgF = 1024, MaxAlgs = 10};
2032 char s[MaxAlgF], *flds[MaxAlgs];
2040 j = open("#a/tls/encalgs", OREAD);
2042 werrstr("can't open #a/tls/encalgs: %r");
2045 n = read(j, s, MaxAlgF-1);
2048 werrstr("nothing in #a/tls/encalgs: %r");
2052 n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
2053 for(i = 0; i < nelem(cipherAlgs); i++){
2055 for(j = 0; j < n; j++){
2056 if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){
2061 cipherAlgs[i].ok = ok;
2064 j = open("#a/tls/hashalgs", OREAD);
2066 werrstr("can't open #a/tls/hashalgs: %r");
2069 n = read(j, s, MaxAlgF-1);
2072 werrstr("nothing in #a/tls/hashalgs: %r");
2076 n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
2077 for(i = 0; i < nelem(cipherAlgs); i++){
2079 for(j = 0; j < n; j++){
2080 if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){
2085 cipherAlgs[i].ok &= ok;
2086 if(cipherAlgs[i].ok)
2099 is = newints(nciphers);
2101 for(i = 0; i < nelem(cipherAlgs); i++){
2102 if(cipherAlgs[i].ok)
2103 is->data[j++] = cipherAlgs[i].tlsid;
2110 //================= security functions ========================
2112 // given X.509 certificate, set up connection to factotum
2113 // for using corresponding private key
2115 factotum_rsa_open(uchar *cert, int certlen)
2123 // start talking to factotum
2124 if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
2126 if((rpc = auth_allocrpc(afd)) == nil){
2130 s = "proto=rsa service=tls role=client";
2131 if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
2132 factotum_rsa_close(rpc);
2136 // roll factotum keyring around to match certificate
2137 rsapub = X509toRSApub(cert, certlen, nil, 0);
2139 if(auth_rpc(rpc, "read", nil, 0) != ARok){
2140 factotum_rsa_close(rpc);
2144 pub = strtomp(rpc->arg, nil, 16, nil);
2146 if(mpcmp(pub,rsapub->n) == 0)
2156 factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
2161 p = mptoa(cipher, 16, nil, 0);
2165 rv = auth_rpc(rpc, "write", p, strlen(p));
2167 if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
2169 return strtomp(rpc->arg, nil, 16, nil);
2173 factotum_rsa_close(AuthRpc*rpc)
2182 tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2184 uchar ai[MD5dlen], tmp[MD5dlen];
2189 s = hmac_md5(label, nlabel, key, nkey, nil, nil);
2190 s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
2191 hmac_md5(seed1, nseed1, key, nkey, ai, s);
2194 s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil);
2195 s = hmac_md5(label, nlabel, key, nkey, nil, s);
2196 s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
2197 hmac_md5(seed1, nseed1, key, nkey, tmp, s);
2201 for(i = 0; i < n; i++)
2205 hmac_md5(ai, MD5dlen, key, nkey, tmp, nil);
2206 memmove(ai, tmp, MD5dlen);
2211 tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2213 uchar ai[SHA1dlen], tmp[SHA1dlen];
2218 s = hmac_sha1(label, nlabel, key, nkey, nil, nil);
2219 s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
2220 hmac_sha1(seed1, nseed1, key, nkey, ai, s);
2223 s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil);
2224 s = hmac_sha1(label, nlabel, key, nkey, nil, s);
2225 s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
2226 hmac_sha1(seed1, nseed1, key, nkey, tmp, s);
2230 for(i = 0; i < n; i++)
2234 hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil);
2235 memmove(ai, tmp, SHA1dlen);
2240 p_sha256(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed, int nseed)
2242 uchar ai[SHA2_256dlen], tmp[SHA2_256dlen];
2247 s = hmac_sha2_256(label, nlabel, key, nkey, nil, nil);
2248 hmac_sha2_256(seed, nseed, key, nkey, ai, s);
2251 s = hmac_sha2_256(ai, SHA2_256dlen, key, nkey, nil, nil);
2252 s = hmac_sha2_256(label, nlabel, key, nkey, nil, s);
2253 hmac_sha2_256(seed, nseed, key, nkey, tmp, s);
2257 memmove(buf, tmp, n);
2260 hmac_sha2_256(ai, SHA2_256dlen, key, nkey, tmp, nil);
2261 memmove(ai, tmp, SHA2_256dlen);
2265 // fill buf with md5(args)^sha1(args)
2267 tls10PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2269 int nlabel = strlen(label);
2270 int n = (nkey + 1) >> 1;
2272 memset(buf, 0, nbuf);
2273 tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
2274 tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
2278 tls12PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2280 uchar seed[2*RandomSize];
2282 assert(nseed0+nseed1 <= sizeof(seed));
2283 memmove(seed, seed0, nseed0);
2284 memmove(seed+nseed0, seed1, nseed1);
2285 p_sha256(buf, nbuf, key, nkey, (uchar*)label, strlen(label), seed, nseed0+nseed1);
2289 * for setting server session id's
2291 static Lock sidLock;
2292 static long maxSid = 1;
2294 /* the keys are verified to have the same public components
2295 * and to function correctly with pkcs 1 encryption and decryption. */
2297 tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
2299 TlsSec *sec = emalloc(sizeof(*sec));
2301 USED(csid); USED(ncsid); // ignore csid for now
2303 memmove(sec->crandom, crandom, RandomSize);
2304 sec->clientVers = cvers;
2306 put32(sec->srandom, time(0));
2307 genrandom(sec->srandom+4, RandomSize-4);
2308 memmove(srandom, sec->srandom, RandomSize);
2311 * make up a unique sid: use our pid, and and incrementing id
2312 * can signal no sid by setting nssid to 0.
2314 memset(ssid, 0, SidSize);
2315 put32(ssid, getpid());
2317 put32(ssid+4, maxSid++);
2324 tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm)
2327 if(setVers(sec, vers) < 0)
2329 serverMasterSecret(sec, epm);
2330 }else if(sec->vers != vers){
2331 werrstr("mismatched session versions");
2341 tlsSecInitc(int cvers, uchar *crandom)
2343 TlsSec *sec = emalloc(sizeof(*sec));
2344 sec->clientVers = cvers;
2345 put32(sec->crandom, time(0));
2346 genrandom(sec->crandom+4, RandomSize-4);
2347 memmove(crandom, sec->crandom, RandomSize);
2352 tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers)
2360 memmove(sec->srandom, srandom, RandomSize);
2361 if(setVers(sec, vers) < 0)
2363 pub = X509toRSApub(cert, ncert, nil, 0);
2365 werrstr("invalid x509/rsa certificate");
2368 epm = clientMasterSecret(sec, pub);
2378 tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient)
2380 if(sec->nfin != nfin){
2382 werrstr("invalid finished exchange");
2385 hsh.md5.malloced = 0;
2386 hsh.sha1.malloced = 0;
2387 hsh.sha2_256.malloced = 0;
2388 (*sec->setFinished)(sec, hsh, fin, isclient);
2393 tlsSecOk(TlsSec *sec)
2400 tlsSecKill(TlsSec *sec)
2404 factotum_rsa_close(sec->rpc);
2409 tlsSecClose(TlsSec *sec)
2413 factotum_rsa_close(sec->rpc);
2419 setVers(TlsSec *sec, int v)
2421 if(v == SSL3Version){
2422 sec->setFinished = sslSetFinished;
2423 sec->nfin = SSL3FinishedLen;
2425 }else if(v < TLS12Version) {
2426 sec->setFinished = tls10SetFinished;
2427 sec->nfin = TLSFinishedLen;
2428 sec->prf = tls10PRF;
2430 sec->setFinished = tls12SetFinished;
2431 sec->nfin = TLSFinishedLen;
2432 sec->prf = tls12PRF;
2439 * generate secret keys from the master secret.
2441 * different crypto selections will require different amounts
2442 * of key expansion and use of key expansion data,
2443 * but it's all generated using the same function.
2446 setSecrets(TlsSec *sec, uchar *kd, int nkd)
2448 (*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
2449 sec->srandom, RandomSize, sec->crandom, RandomSize);
2453 * set the master secret from the pre-master secret,
2454 * destroys premaster.
2457 setMasterSecret(TlsSec *sec, Bytes *pm)
2459 (*sec->prf)(sec->sec, MasterSecretSize, pm->data, pm->len, "master secret",
2460 sec->crandom, RandomSize, sec->srandom, RandomSize);
2462 memset(pm->data, 0, pm->len);
2467 serverMasterSecret(TlsSec *sec, Bytes *epm)
2471 pm = pkcs1_decrypt(sec, epm);
2473 // if the client messed up, just continue as if everything is ok,
2474 // to prevent attacks to check for correctly formatted messages.
2475 // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
2476 if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
2477 fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
2478 sec->ok, pm, pm != nil ? get16(pm->data) : -1, sec->clientVers, epm->len);
2481 pm = newbytes(MasterSecretSize);
2482 genrandom(pm->data, MasterSecretSize);
2484 assert(pm->len == MasterSecretSize);
2485 setMasterSecret(sec, pm);
2489 clientMasterSecret(TlsSec *sec, RSApub *pub)
2493 pm = newbytes(MasterSecretSize);
2494 put16(pm->data, sec->clientVers);
2495 genrandom(pm->data+2, MasterSecretSize - 2);
2496 epm = pkcs1_encrypt(pm, pub, 2);
2497 setMasterSecret(sec, pm);
2502 sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2505 uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
2513 md5((uchar*)label, 4, nil, &hsh.md5);
2514 md5(sec->sec, MasterSecretSize, nil, &hsh.md5);
2515 memset(pad, 0x36, 48);
2516 md5(pad, 48, nil, &hsh.md5);
2517 md5(nil, 0, h0, &hsh.md5);
2518 memset(pad, 0x5C, 48);
2519 s = md5(sec->sec, MasterSecretSize, nil, nil);
2520 s = md5(pad, 48, nil, s);
2521 md5(h0, MD5dlen, finished, s);
2523 sha1((uchar*)label, 4, nil, &hsh.sha1);
2524 sha1(sec->sec, MasterSecretSize, nil, &hsh.sha1);
2525 memset(pad, 0x36, 40);
2526 sha1(pad, 40, nil, &hsh.sha1);
2527 sha1(nil, 0, h1, &hsh.sha1);
2528 memset(pad, 0x5C, 40);
2529 s = sha1(sec->sec, MasterSecretSize, nil, nil);
2530 s = sha1(pad, 40, nil, s);
2531 sha1(h1, SHA1dlen, finished + MD5dlen, s);
2534 // fill "finished" arg with md5(args)^sha1(args)
2536 tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2538 uchar h0[MD5dlen], h1[SHA1dlen];
2541 // get current hash value, but allow further messages to be hashed in
2542 md5(nil, 0, h0, &hsh.md5);
2543 sha1(nil, 0, h1, &hsh.sha1);
2546 label = "client finished";
2548 label = "server finished";
2549 tls10PRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
2553 tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2555 uchar seed[SHA2_256dlen];
2558 // get current hash value, but allow further messages to be hashed in
2559 sha2_256(nil, 0, seed, &hsh.sha2_256);
2562 label = "client finished";
2564 label = "server finished";
2565 p_sha256(finished, TLSFinishedLen, sec->sec, MasterSecretSize, (uchar*)label, strlen(label), seed, SHA2_256dlen);
2569 sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2571 uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
2580 for(i = 0; i < len; i++)
2581 tmp[i] = 'A' - 1 + len;
2582 s = sha1(tmp, len, nil, nil);
2583 s = sha1(key, nkey, nil, s);
2584 s = sha1(seed0, nseed0, nil, s);
2585 sha1(seed1, nseed1, sha1dig, s);
2586 s = md5(key, nkey, nil, nil);
2587 md5(sha1dig, SHA1dlen, md5dig, s);
2591 memmove(buf, md5dig, n);
2599 bytestomp(Bytes* bytes)
2601 return betomp(bytes->data, bytes->len, nil);
2605 * Convert mpint* to Bytes, putting high order byte first.
2608 mptobytes(mpint* big)
2613 n = (mpsignif(big)+7)/8;
2616 ans->len = mptobe(big, ans->data, n, nil);
2620 // Do RSA computation on block according to key, and pad
2621 // result on left with zeros to make it modlen long.
2623 rsacomp(Bytes* block, RSApub* key, int modlen)
2629 x = bytestomp(block);
2630 y = rsaencrypt(key, x, nil);
2632 ybytes = mptobytes(y);
2637 a = newbytes(modlen);
2638 memset(a->data, 0, modlen-ylen);
2639 memmove(a->data+modlen-ylen, ybytes->data, ylen);
2643 else if(ylen > modlen) {
2644 // assume it has leading zeros (mod should make it so)
2645 a = newbytes(modlen);
2646 memmove(a->data, ybytes->data, modlen);
2653 // encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
2655 pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
2657 Bytes *pad, *eb, *ans;
2658 int i, dlen, padlen, modlen;
2660 modlen = (mpsignif(key->n)+7)/8;
2662 if(modlen < 12 || dlen > modlen - 11)
2664 padlen = modlen - 3 - dlen;
2665 pad = newbytes(padlen);
2666 genrandom(pad->data, padlen);
2667 for(i = 0; i < padlen; i++) {
2670 else if(blocktype == 1)
2672 else if(pad->data[i] == 0)
2675 eb = newbytes(modlen);
2677 eb->data[1] = blocktype;
2678 memmove(eb->data+2, pad->data, padlen);
2679 eb->data[padlen+2] = 0;
2680 memmove(eb->data+padlen+3, data->data, dlen);
2681 ans = rsacomp(eb, key, modlen);
2687 // decrypt data according to PKCS#1, with given key.
2688 // expect a block type of 2.
2690 pkcs1_decrypt(TlsSec *sec, Bytes *cipher)
2692 Bytes *eb, *ans = nil;
2696 modlen = (mpsignif(sec->rsapub->n)+7)/8;
2697 if(cipher->len != modlen)
2699 x = bytestomp(cipher);
2700 y = factotum_rsa_decrypt(sec->rpc, x);
2705 if(eb->len < modlen){ // pad on left with zeros
2706 ans = newbytes(modlen);
2707 memset(ans->data, 0, modlen-eb->len);
2708 memmove(ans->data+modlen-eb->len, eb->data, eb->len);
2712 if(eb->data[0] == 0 && eb->data[1] == 2) {
2713 for(i = 2; i < modlen; i++)
2714 if(eb->data[i] == 0)
2717 ans = makebytes(eb->data+i+1, modlen-(i+1));
2724 //================= general utility functions ========================
2734 sysfatal("out of memory");
2736 setmalloctag(p, getcallerpc(&n));
2741 erealloc(void *ReallocP, int ReallocN)
2746 ReallocP = emalloc(ReallocN);
2747 else if((ReallocP = realloc(ReallocP, ReallocN)) == nil)
2748 sysfatal("out of memory");
2749 setrealloctag(ReallocP, getcallerpc(&ReallocP));
2754 put32(uchar *p, u32int x)
2763 put24(uchar *p, int x)
2771 put16(uchar *p, int x)
2780 return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2786 return (p[0]<<16)|(p[1]<<8)|p[2];
2792 return (p[0]<<8)|p[1];
2795 #define OFFSET(x, s) offsetof(s, x)
2804 ans = (Bytes*)emalloc(OFFSET(data[0], Bytes) + len);
2810 * newbytes(len), with data initialized from buf
2813 makebytes(uchar* buf, int len)
2817 ans = newbytes(len);
2818 memmove(ans->data, buf, len);
2828 /* len is number of ints */
2834 if(len < 0 || len > ((uint)-1>>1)/sizeof(int))
2836 ans = (Ints*)emalloc(OFFSET(data[0], Ints) + len*sizeof(int));