8 // The main groups of functions are:
9 // client/server - main handshake protocol definition
10 // message functions - formating handshake messages
11 // cipher choices - catalog of digest and encrypt algorithms
12 // security functions - PKCS#1, sslHMAC, session keygen
13 // general utility functions - malloc, serialization
14 // The handshake protocol builds on the TLS/SSL3 record layer protocol,
15 // which is implemented in kernel device #a. See also /lib/rfc/rfc2246.
19 SSL3FinishedLen = MD5dlen+SHA1dlen,
20 MaxKeyData = 136, // amount of secret we may need
24 MasterSecretSize = 48,
29 typedef struct TlsSec TlsSec;
33 uchar data[1]; // [len]
49 typedef struct Namedcurve{
61 typedef struct Finished{
62 uchar verify[SSL3FinishedLen];
66 typedef struct TlsConnection{
67 TlsSec *sec; // security management goo
68 int hand, ctl; // record layer file descriptors
69 int erred; // set when tlsError called
70 int (*trace)(char*fmt, ...); // for debugging
71 int version; // protocol we are speaking
72 int verset; // version has been set
73 int ver2hi; // server got a version 2 hello
74 int isClient; // is this the client or server?
75 Bytes *sid; // SessionID
76 Bytes *cert; // only last - no chain
79 int state; // must be set using setstate
81 // input buffer for handshake messages
82 uchar recvbuf[MaxChunk];
86 uchar sendbuf[MaxChunk];
89 uchar crandom[RandomSize]; // client random
90 uchar srandom[RandomSize]; // server random
91 int clientVersion; // version in ClientHello
93 char *digest; // name of digest algorithm to use
94 char *enc; // name of encryption algorithm to use
95 int nsecret; // amount of secret data to init keys
97 // for finished messages
98 MD5state hsmd5; // handshake hash
99 SHAstate hssha1; // handshake hash
108 uchar random[RandomSize];
116 uchar random[RandomSize];
130 } certificateRequest;
148 typedef struct TlsSec{
149 char *server; // name of remote; nil for server
150 int ok; // <0 killed; == 0 in progress; >0 reusable
152 AuthRpc *rpc; // factotum for rsa private key
153 uchar sec[MasterSecretSize]; // master secret
154 uchar crandom[RandomSize]; // client random
155 uchar srandom[RandomSize]; // server random
156 int clientVers; // version in ClientHello
157 int vers; // final version
158 // byte generation and handshake checksum
159 void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
160 void (*setFinished)(TlsSec*, MD5state, SHAstate, uchar*, int);
167 SSL3Version = 0x0300,
168 ProtocolVersion = 0x0301, // maximum version we speak
169 MinProtoVersion = 0x0300, // limits on version we accept
170 MaxProtoVersion = 0x03ff,
178 HSSL2ClientHello = 9, /* local convention; see devtls.c */
192 EUnexpectedMessage = 10,
194 EDecryptionFailed = 21,
195 ERecordOverflow = 22,
196 EDecompressionFailure = 30,
197 EHandshakeFailure = 40,
199 EBadCertificate = 42,
200 EUnsupportedCertificate = 43,
201 ECertificateRevoked = 44,
202 ECertificateExpired = 45,
203 ECertificateUnknown = 46,
204 EIllegalParameter = 47,
209 EExportRestriction = 60,
210 EProtocolVersion = 70,
211 EInsufficientSecurity = 71,
214 ENoRenegotiation = 100,
220 TLS_NULL_WITH_NULL_NULL = 0x0000,
221 TLS_RSA_WITH_NULL_MD5 = 0x0001,
222 TLS_RSA_WITH_NULL_SHA = 0x0002,
223 TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
224 TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
225 TLS_RSA_WITH_RC4_128_SHA = 0x0005,
226 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006,
227 TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
228 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008,
229 TLS_RSA_WITH_DES_CBC_SHA = 0X0009,
230 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A,
231 TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X000B,
232 TLS_DH_DSS_WITH_DES_CBC_SHA = 0X000C,
233 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0X000D,
234 TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X000E,
235 TLS_DH_RSA_WITH_DES_CBC_SHA = 0X000F,
236 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0X0010,
237 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X0011,
238 TLS_DHE_DSS_WITH_DES_CBC_SHA = 0X0012,
239 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0X0013, // ZZZ must be implemented for tls1.0 compliance
240 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0014,
241 TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015,
242 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016,
243 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
244 TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
245 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
246 TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
247 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
249 TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
250 TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
251 TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
252 TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
253 TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0X0033,
254 TLS_DH_anon_WITH_AES_128_CBC_SHA = 0X0034,
255 TLS_RSA_WITH_AES_256_CBC_SHA = 0X0035,
256 TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0X0036,
257 TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0X0037,
258 TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
259 TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
260 TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
262 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
263 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
264 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
265 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
269 // compression methods
275 static Algs cipherAlgs[] = {
276 {"rc4_128", "md5", 2 * (16 + MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
277 {"rc4_128", "sha1", 2 * (16 + SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
278 {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
279 {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA},
280 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_RSA_WITH_AES_128_CBC_SHA},
281 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_RSA_WITH_AES_256_CBC_SHA},
282 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
283 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
285 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
286 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
287 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
288 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
291 static uchar compressors[] = {
295 static Namedcurve namedcurves[] = {
296 {0x0017, "secp256r1",
297 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
298 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
299 "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
300 "046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
301 "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
305 static uchar pointformats[] = {
306 CompressionNull /* support of uncompressed point format is mandatory */
309 static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int certlen, int (*trace)(char*fmt, ...), PEMChain *chain);
310 static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, uchar *ext, int extlen, int (*trace)(char*fmt, ...));
311 static void msgClear(Msg *m);
312 static char* msgPrint(char *buf, int n, Msg *m);
313 static int msgRecv(TlsConnection *c, Msg *m);
314 static int msgSend(TlsConnection *c, Msg *m, int act);
315 static void tlsError(TlsConnection *c, int err, char *msg, ...);
316 #pragma varargck argpos tlsError 3
317 static int setVersion(TlsConnection *c, int version);
318 static int finishedMatch(TlsConnection *c, Finished *f);
319 static void tlsConnectionFree(TlsConnection *c);
321 static int setAlgs(TlsConnection *c, int a);
322 static int okCipher(Ints *cv);
323 static int okCompression(Bytes *cv);
324 static int initCiphers(void);
325 static Ints* makeciphers(void);
327 static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
328 static int tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm);
329 static TlsSec* tlsSecInitc(int cvers, uchar *crandom);
330 static Bytes* tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers);
331 static Bytes* tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers, Bytes *p, Bytes *g, Bytes *Ys);
332 static Bytes* tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys);
333 static int tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient);
334 static void tlsSecOk(TlsSec *sec);
335 static void tlsSecKill(TlsSec *sec);
336 static void tlsSecClose(TlsSec *sec);
337 static void setMasterSecret(TlsSec *sec, Bytes *pm);
338 static void serverMasterSecret(TlsSec *sec, Bytes *epm);
339 static void setSecrets(TlsSec *sec, uchar *kd, int nkd);
340 static Bytes* clientMasterSecret(TlsSec *sec, RSApub *pub);
341 static Bytes* pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
342 static Bytes* pkcs1_decrypt(TlsSec *sec, Bytes *cipher);
343 static void tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
344 static void sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
345 static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
346 uchar *seed0, int nseed0, uchar *seed1, int nseed1);
347 static int setVers(TlsSec *sec, int version);
349 static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
350 static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
351 static void factotum_rsa_close(AuthRpc*rpc);
353 static void* emalloc(int);
354 static void* erealloc(void*, int);
355 static void put32(uchar *p, u32int);
356 static void put24(uchar *p, int);
357 static void put16(uchar *p, int);
358 static u32int get32(uchar *p);
359 static int get24(uchar *p);
360 static int get16(uchar *p);
361 static Bytes* newbytes(int len);
362 static Bytes* makebytes(uchar* buf, int len);
363 static Bytes* mptobytes(mpint* big);
364 static mpint* bytestomp(Bytes* bytes);
365 static void freebytes(Bytes* b);
366 static Ints* newints(int len);
367 static void freeints(Ints* b);
370 extern mpint* pkcs1padbuf(uchar *buf, int len, mpint *modulus);
372 //================= client/server ========================
374 // push TLS onto fd, returning new (application) file descriptor
377 tlsServer(int fd, TLSconn *conn)
381 int n, data, ctl, hand;
386 ctl = open("#a/tls/clone", ORDWR);
389 n = read(ctl, buf, sizeof(buf)-1);
395 snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
396 snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
397 hand = open(dname, ORDWR);
402 fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
403 tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
404 snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
405 data = open(dname, ORDWR);
408 if(data < 0 || tls == nil){
410 tlsConnectionFree(tls);
414 conn->cert = 0; // client certificates are not yet implemented
416 conn->sessionIDlen = tls->sid->len;
417 conn->sessionID = emalloc(conn->sessionIDlen);
418 memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
419 if(conn->sessionKey != nil
420 && conn->sessionType != nil
421 && strcmp(conn->sessionType, "ttls") == 0)
423 conn->sessionKey, conn->sessionKeylen,
424 tls->sec->sec, MasterSecretSize,
426 tls->sec->crandom, RandomSize,
427 tls->sec->srandom, RandomSize);
428 tlsConnectionFree(tls);
434 tlsClientExtensions(TLSconn *conn, int *plen)
441 // RFC6066 - Server Name Identification
442 if(conn->serverName != nil){
443 n = strlen(conn->serverName);
446 b = erealloc(b, m + 2+2+2+1+2+n);
449 put16(p, 0), p += 2; /* Type: server_name */
450 put16(p, 2+1+2+n), p += 2; /* Length */
451 put16(p, 1+2+n), p += 2; /* Server Name list length */
452 *p++ = 0; /* Server Name Type: host_name */
453 put16(p, n), p += 2; /* Server Name length */
454 memmove(p, conn->serverName, n);
461 b = erealloc(b, m + 2+2+2+nelem(namedcurves)*2 + 2+2+1+nelem(pointformats));
464 n = nelem(namedcurves);
465 put16(p, 0x000a), p += 2; /* Type: elliptic_curves */
466 put16(p, (n+1)*2), p += 2; /* Length */
467 put16(p, n*2), p += 2; /* Elliptic Curves Length */
468 for(i=0; i < n; i++){ /* Elliptic curves */
469 put16(p, namedcurves[i].tlsid);
473 n = nelem(pointformats);
474 put16(p, 0x000b), p += 2; /* Type: ec_point_formats */
475 put16(p, n+1), p += 2; /* Length */
476 *p++ = n; /* EC point formats Length */
477 for(i=0; i < n; i++) /* Elliptic curves point formats */
478 *p++ = pointformats[i];
485 // push TLS onto fd, returning new (application) file descriptor
488 tlsClient(int fd, TLSconn *conn)
492 int n, data, ctl, hand;
498 ctl = open("#a/tls/clone", ORDWR);
501 n = read(ctl, buf, sizeof(buf)-1);
507 snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
508 snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
509 hand = open(dname, ORDWR);
514 snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
515 data = open(dname, ORDWR);
521 fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
522 ext = tlsClientExtensions(conn, &n);
523 tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->cert, conn->certlen,
524 ext, n, conn->trace);
532 conn->certlen = tls->cert->len;
533 conn->cert = emalloc(conn->certlen);
534 memcpy(conn->cert, tls->cert->data, conn->certlen);
535 conn->sessionIDlen = tls->sid->len;
536 conn->sessionID = emalloc(conn->sessionIDlen);
537 memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
538 if(conn->sessionKey != nil
539 && conn->sessionType != nil
540 && strcmp(conn->sessionType, "ttls") == 0)
542 conn->sessionKey, conn->sessionKeylen,
543 tls->sec->sec, MasterSecretSize,
545 tls->sec->crandom, RandomSize,
546 tls->sec->srandom, RandomSize);
547 tlsConnectionFree(tls);
553 countchain(PEMChain *p)
564 static TlsConnection *
565 tlsServer2(int ctl, int hand, uchar *cert, int certlen, int (*trace)(char*fmt, ...), PEMChain *chp)
570 uchar sid[SidSize], kd[MaxKeyData];
572 int cipher, compressor, nsid, rv, numcerts, i;
575 trace("tlsServer2\n");
578 c = emalloc(sizeof(TlsConnection));
582 c->version = ProtocolVersion;
584 memset(&m, 0, sizeof(m));
587 trace("initial msgRecv failed\n");
590 if(m.tag != HClientHello) {
591 tlsError(c, EUnexpectedMessage, "expected a client hello");
594 c->clientVersion = m.u.clientHello.version;
596 trace("ClientHello version %x\n", c->clientVersion);
597 if(setVersion(c, m.u.clientHello.version) < 0) {
598 tlsError(c, EIllegalParameter, "incompatible version");
602 memmove(c->crandom, m.u.clientHello.random, RandomSize);
603 cipher = okCipher(m.u.clientHello.ciphers);
605 // reply with EInsufficientSecurity if we know that's the case
607 tlsError(c, EInsufficientSecurity, "cipher suites too weak");
609 tlsError(c, EHandshakeFailure, "no matching cipher suite");
612 if(!setAlgs(c, cipher)){
613 tlsError(c, EHandshakeFailure, "no matching cipher suite");
616 compressor = okCompression(m.u.clientHello.compressors);
618 tlsError(c, EHandshakeFailure, "no matching compressor");
622 csid = m.u.clientHello.sid;
624 trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
625 c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
627 tlsError(c, EHandshakeFailure, "can't initialize security: %r");
630 c->sec->rpc = factotum_rsa_open(cert, certlen);
631 if(c->sec->rpc == nil){
632 tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
635 c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
636 if(c->sec->rsapub == nil){
637 tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
642 m.tag = HServerHello;
643 m.u.serverHello.version = c->version;
644 memmove(m.u.serverHello.random, c->srandom, RandomSize);
645 m.u.serverHello.cipher = cipher;
646 m.u.serverHello.compressor = compressor;
647 c->sid = makebytes(sid, nsid);
648 m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
649 if(!msgSend(c, &m, AQueue))
653 m.tag = HCertificate;
654 numcerts = countchain(chp);
655 m.u.certificate.ncert = 1 + numcerts;
656 m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
657 m.u.certificate.certs[0] = makebytes(cert, certlen);
658 for (i = 0; i < numcerts && chp; i++, chp = chp->next)
659 m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
660 if(!msgSend(c, &m, AQueue))
664 m.tag = HServerHelloDone;
665 if(!msgSend(c, &m, AFlush))
671 if(m.tag != HClientKeyExchange) {
672 tlsError(c, EUnexpectedMessage, "expected a client key exchange");
675 if(tlsSecRSAs(c->sec, c->version, m.u.clientKeyExchange.key) < 0){
676 tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
679 setSecrets(c->sec, kd, c->nsecret);
681 trace("tls secrets\n");
682 secrets = (char*)emalloc(2*c->nsecret);
683 enc64(secrets, 2*c->nsecret, kd, c->nsecret);
684 rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
685 memset(secrets, 0, 2*c->nsecret);
687 memset(kd, 0, c->nsecret);
689 tlsError(c, EHandshakeFailure, "can't set keys: %r");
694 /* no CertificateVerify; skip to Finished */
695 if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
696 tlsError(c, EInternalError, "can't set finished: %r");
701 if(m.tag != HFinished) {
702 tlsError(c, EUnexpectedMessage, "expected a finished");
705 if(!finishedMatch(c, &m.u.finished)) {
706 tlsError(c, EHandshakeFailure, "finished verification failed");
711 /* change cipher spec */
712 if(fprint(c->ctl, "changecipher") < 0){
713 tlsError(c, EInternalError, "can't enable cipher: %r");
717 if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
718 tlsError(c, EInternalError, "can't set finished: %r");
722 m.u.finished = c->finished;
723 if(!msgSend(c, &m, AFlush))
727 trace("tls finished\n");
729 if(fprint(c->ctl, "opened") < 0)
736 tlsConnectionFree(c);
744 case TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
745 case TLS_DHE_DSS_WITH_DES_CBC_SHA:
746 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
747 case TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
748 case TLS_DHE_RSA_WITH_DES_CBC_SHA:
749 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
750 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
751 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
752 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
753 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
763 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
764 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
765 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
766 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
773 tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers,
774 Bytes *p, Bytes *g, Bytes *Ys)
776 mpint *G, *P, *Y, *K;
780 if(p == nil || g == nil || Ys == nil)
783 memmove(sec->srandom, srandom, RandomSize);
784 if(setVers(sec, vers) < 0)
793 if(P == nil || G == nil || Y == nil || dh_new(&dh, P, G) == nil)
795 epm = mptobytes(dh.y);
796 K = dh_finish(&dh, Y);
802 setMasterSecret(sec, mptobytes(K));
814 bytestoec(ECdomain *dom, Bytes *bp, ECpoint *ret)
816 char *hex = "0123456789ABCDEF";
820 s = emalloc(2*bp->len + 1);
821 for(i=0; i < bp->len; i++){
822 s[2*i] = hex[bp->data[i]>>4 & 15];
823 s[2*i+1] = hex[bp->data[i] & 15];
826 ret = strtoec(dom, s, nil, ret);
832 ectobytes(int type, ECpoint *p)
836 bx = mptobytes(p->x);
837 by = mptobytes(p->y);
838 bp = newbytes(bx->len + by->len + 1);
840 memmove(bp->data+1, bx->data, bx->len);
841 memmove(bp->data+1+bx->len, by->data, by->len);
848 tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys)
850 Namedcurve *nc, *enc;
859 enc = &namedcurves[nelem(namedcurves)];
860 for(nc = namedcurves; nc != enc; nc++)
861 if(nc->tlsid == curve)
867 memmove(sec->srandom, srandom, RandomSize);
868 if(setVers(sec, vers) < 0)
873 memset(&dom, 0, sizeof(dom));
874 dom.p = strtomp(nc->p, nil, 16, nil);
875 dom.a = strtomp(nc->a, nil, 16, nil);
876 dom.b = strtomp(nc->b, nil, 16, nil);
877 dom.n = strtomp(nc->n, nil, 16, nil);
878 dom.h = strtomp(nc->h, nil, 16, nil);
880 memset(&G, 0, sizeof(G));
884 memset(&Q, 0, sizeof(Q));
889 memset(&K, 0, sizeof(K));
893 memset(&Y, 0, sizeof(Y));
897 if(dom.p == nil || dom.a == nil || dom.b == nil || dom.n == nil || dom.h == nil)
899 if(Q.x == nil || Q.y == nil || Q.d == nil)
901 if(G.x == nil || G.y == nil)
903 if(K.x == nil || K.y == nil)
905 if(Y.x == nil || Y.y == nil)
908 dom.G = strtoec(&dom, nc->G, nil, &G);
912 if(bytestoec(&dom, Ys, &Y) == nil)
915 if(ecgen(&dom, &Q) == nil)
918 ecmul(&dom, &Y, Q.d, &K);
919 setMasterSecret(sec, mptobytes(K.x));
921 /* 0x04 = uncompressed public key */
922 epm = ectobytes(0x04, &Q);
947 static TlsConnection *
948 tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, uchar *ext, int extlen,
949 int (*trace)(char*fmt, ...))
953 uchar kd[MaxKeyData];
955 int creq, dhx, rv, cipher;
956 mpint *signedMP, *paddedHashes;
962 c = emalloc(sizeof(TlsConnection));
963 c->version = ProtocolVersion;
968 c->clientVersion = c->version;
970 c->sec = tlsSecInitc(c->clientVersion, c->crandom);
975 memset(&m, 0, sizeof(m));
976 m.tag = HClientHello;
977 m.u.clientHello.version = c->clientVersion;
978 memmove(m.u.clientHello.random, c->crandom, RandomSize);
979 m.u.clientHello.sid = makebytes(csid, ncsid);
980 m.u.clientHello.ciphers = makeciphers();
981 m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
982 m.u.clientHello.extensions = makebytes(ext, extlen);
983 if(!msgSend(c, &m, AFlush))
990 if(m.tag != HServerHello) {
991 tlsError(c, EUnexpectedMessage, "expected a server hello");
994 if(setVersion(c, m.u.serverHello.version) < 0) {
995 tlsError(c, EIllegalParameter, "incompatible version %r");
998 memmove(c->srandom, m.u.serverHello.random, RandomSize);
999 c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
1000 if(c->sid->len != 0 && c->sid->len != SidSize) {
1001 tlsError(c, EIllegalParameter, "invalid server session identifier");
1004 cipher = m.u.serverHello.cipher;
1005 if(!setAlgs(c, cipher)) {
1006 tlsError(c, EIllegalParameter, "invalid cipher suite");
1009 if(m.u.serverHello.compressor != CompressionNull) {
1010 tlsError(c, EIllegalParameter, "invalid compression");
1016 if(!msgRecv(c, &m) || m.tag != HCertificate) {
1017 tlsError(c, EUnexpectedMessage, "expected a certificate");
1020 if(m.u.certificate.ncert < 1) {
1021 tlsError(c, EIllegalParameter, "runt certificate");
1024 c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
1027 /* server key exchange */
1028 dhx = isDHE(cipher) || isECDHE(cipher);
1031 if(m.tag == HServerKeyExchange) {
1033 tlsError(c, EUnexpectedMessage, "got an server key exchange");
1037 epm = tlsSecECDHEc(c->sec, c->srandom, c->version,
1038 m.u.serverKeyExchange.curve,
1039 m.u.serverKeyExchange.dh_Ys);
1041 epm = tlsSecDHEc(c->sec, c->srandom, c->version,
1042 m.u.serverKeyExchange.dh_p,
1043 m.u.serverKeyExchange.dh_g,
1044 m.u.serverKeyExchange.dh_Ys);
1051 tlsError(c, EUnexpectedMessage, "expected server key exchange");
1055 /* certificate request (optional) */
1057 if(m.tag == HCertificateRequest) {
1064 if(m.tag != HServerHelloDone) {
1065 tlsError(c, EUnexpectedMessage, "expected a server hello done");
1071 epm = tlsSecRSAc(c->sec, c->sid->data, c->sid->len, c->srandom,
1072 c->cert->data, c->cert->len, c->version);
1076 tlsError(c, EBadCertificate, "bad certificate: %r");
1080 setSecrets(c->sec, kd, c->nsecret);
1081 secrets = (char*)emalloc(2*c->nsecret);
1082 enc64(secrets, 2*c->nsecret, kd, c->nsecret);
1083 rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
1084 memset(secrets, 0, 2*c->nsecret);
1086 memset(kd, 0, c->nsecret);
1088 tlsError(c, EHandshakeFailure, "can't set keys: %r");
1093 if(cert != nil && certlen > 0){
1094 m.u.certificate.ncert = 1;
1095 m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
1096 m.u.certificate.certs[0] = makebytes(cert, certlen);
1098 m.tag = HCertificate;
1099 if(!msgSend(c, &m, AFlush))
1104 /* client key exchange */
1105 m.tag = HClientKeyExchange;
1106 m.u.clientKeyExchange.key = epm;
1108 if(m.u.clientKeyExchange.key == nil) {
1109 tlsError(c, EHandshakeFailure, "can't set secret: %r");
1113 if(!msgSend(c, &m, AFlush))
1117 /* CertificateVerify */
1118 /*XXX I should only send this when it is not DH right?
1119 Also we need to know which TLS key
1120 we have to use in case there are more than one*/
1122 m.tag = HCertificateVerify;
1123 uchar hshashes[MD5dlen+SHA1dlen]; /* content of signature */
1124 MD5state hsmd5_save;
1125 SHAstate hssha1_save;
1127 /* save the state for the Finish message */
1129 hsmd5_save = c->hsmd5;
1130 hssha1_save = c->hssha1;
1131 md5(nil, 0, hshashes, &c->hsmd5);
1132 sha1(nil, 0, hshashes+MD5dlen, &c->hssha1);
1134 c->hsmd5 = hsmd5_save;
1135 c->hssha1 = hssha1_save;
1137 c->sec->rpc = factotum_rsa_open(cert, certlen);
1138 if(c->sec->rpc == nil){
1139 tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
1142 c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
1143 if(c->sec->rsapub == nil){
1144 tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
1148 paddedHashes = pkcs1padbuf(hshashes, MD5dlen+SHA1dlen, c->sec->rsapub->n);
1149 signedMP = factotum_rsa_decrypt(c->sec->rpc, paddedHashes);
1150 if(signedMP == nil){
1151 tlsError(c, EHandshakeFailure, "factotum_rsa_decrypt: %r");
1154 m.u.certificateVerify.signature = mptobytes(signedMP);
1157 if(!msgSend(c, &m, AFlush))
1162 /* change cipher spec */
1163 if(fprint(c->ctl, "changecipher") < 0){
1164 tlsError(c, EInternalError, "can't enable cipher: %r");
1168 // Cipherchange must occur immediately before Finished to avoid
1169 // potential hole; see section 4.3 of Wagner Schneier 1996.
1170 if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
1171 tlsError(c, EInternalError, "can't set finished 1: %r");
1175 m.u.finished = c->finished;
1176 if(!msgSend(c, &m, AFlush)) {
1177 tlsError(c, EInternalError, "can't flush after client Finished: %r");
1182 if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
1183 tlsError(c, EInternalError, "can't set finished 0: %r");
1186 if(!msgRecv(c, &m)) {
1187 tlsError(c, EInternalError, "can't read server Finished: %r");
1190 if(m.tag != HFinished) {
1191 tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
1195 if(!finishedMatch(c, &m.u.finished)) {
1196 tlsError(c, EHandshakeFailure, "finished verification failed");
1201 if(fprint(c->ctl, "opened") < 0){
1203 trace("unable to do final open: %r\n");
1212 tlsConnectionFree(c);
1217 //================= message functions ========================
1220 msgSend(TlsConnection *c, Msg *m, int act)
1222 uchar *p; // sendp = start of new message; p = write pointer
1226 c->sendp = c->sendbuf;
1229 c->trace("send %s", msgPrint((char*)p, (sizeof(c->sendbuf)) - (p - c->sendbuf), m));
1231 p[0] = m->tag; // header - fill in size later
1236 tlsError(c, EInternalError, "can't encode a %d", m->tag);
1240 put16(p, m->u.clientHello.version);
1244 memmove(p, m->u.clientHello.random, RandomSize);
1248 n = m->u.clientHello.sid->len;
1251 memmove(p+1, m->u.clientHello.sid->data, n);
1254 n = m->u.clientHello.ciphers->len;
1255 assert(n > 0 && n < 200);
1258 for(i=0; i<n; i++) {
1259 put16(p, m->u.clientHello.ciphers->data[i]);
1263 n = m->u.clientHello.compressors->len;
1266 memmove(p+1, m->u.clientHello.compressors->data, n);
1269 if(m->u.clientHello.extensions == nil)
1271 n = m->u.clientHello.extensions->len;
1275 memmove(p+2, m->u.clientHello.extensions->data, n);
1279 put16(p, m->u.serverHello.version);
1283 memmove(p, m->u.serverHello.random, RandomSize);
1287 n = m->u.serverHello.sid->len;
1290 memmove(p+1, m->u.serverHello.sid->data, n);
1293 put16(p, m->u.serverHello.cipher);
1295 p[0] = m->u.serverHello.compressor;
1298 if(m->u.serverHello.extensions == nil)
1300 n = m->u.serverHello.extensions->len;
1304 memmove(p+2, m->u.serverHello.extensions->data, n);
1307 case HServerHelloDone:
1311 for(i = 0; i < m->u.certificate.ncert; i++)
1312 nn += 3 + m->u.certificate.certs[i]->len;
1313 if(p + 3 + nn - c->sendbuf > sizeof(c->sendbuf)) {
1314 tlsError(c, EInternalError, "output buffer too small for certificate");
1319 for(i = 0; i < m->u.certificate.ncert; i++){
1320 put24(p, m->u.certificate.certs[i]->len);
1322 memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
1323 p += m->u.certificate.certs[i]->len;
1326 case HCertificateVerify:
1327 put16(p, m->u.certificateVerify.signature->len);
1329 memmove(p, m->u.certificateVerify.signature->data, m->u.certificateVerify.signature->len);
1330 p += m->u.certificateVerify.signature->len;
1332 case HClientKeyExchange:
1333 n = m->u.clientKeyExchange.key->len;
1334 if(c->version != SSL3Version){
1335 if(isECDHE(c->cipher))
1338 put16(p, n), p += 2;
1340 memmove(p, m->u.clientKeyExchange.key->data, n);
1344 memmove(p, m->u.finished.verify, m->u.finished.n);
1345 p += m->u.finished.n;
1349 // go back and fill in size
1351 assert(p <= c->sendbuf + sizeof(c->sendbuf));
1352 put24(c->sendp+1, n-4);
1354 // remember hash of Handshake messages
1355 if(m->tag != HHelloRequest) {
1356 md5(c->sendp, n, 0, &c->hsmd5);
1357 sha1(c->sendp, n, 0, &c->hssha1);
1362 c->sendp = c->sendbuf;
1363 if(write(c->hand, c->sendbuf, p - c->sendbuf) < 0){
1364 fprint(2, "write error: %r\n");
1376 tlsReadN(TlsConnection *c, int n)
1383 if(c->rp != c->recvbuf){
1384 memmove(c->recvbuf, c->rp, nn);
1386 c->ep = &c->recvbuf[nn];
1388 for(; nn < n; nn += nr) {
1389 nr = read(c->hand, &c->rp[nn], n - nn);
1401 msgRecv(TlsConnection *c, Msg *m)
1404 int type, n, nn, i, nsid, nrandom, nciph;
1413 if(type != HHelloRequest)
1416 tlsError(c, EDecodeError, "invalid hello request during handshake");
1421 if(n > sizeof(c->recvbuf)) {
1422 tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->recvbuf));
1426 if(type == HSSL2ClientHello){
1427 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
1428 This is sent by some clients that we must interoperate
1429 with, such as Java's JSSE and Microsoft's Internet Explorer. */
1433 md5(p, n, 0, &c->hsmd5);
1434 sha1(p, n, 0, &c->hssha1);
1435 m->tag = HClientHello;
1438 m->u.clientHello.version = get16(p+1);
1441 nn = get16(p); /* cipher_spec_len */
1442 nsid = get16(p + 2);
1443 nrandom = get16(p + 4);
1446 if(nsid != 0 /* no sid's, since shouldn't restart using ssl2 header */
1447 || nrandom < 16 || nn % 3)
1449 if(c->trace && (n - nrandom != nn))
1450 c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
1451 /* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
1453 for(i = 0; i < nn; i += 3)
1456 m->u.clientHello.ciphers = newints(nciph);
1458 for(i = 0; i < nn; i += 3)
1460 m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]);
1462 m->u.clientHello.sid = makebytes(nil, 0);
1463 if(nrandom > RandomSize)
1464 nrandom = RandomSize;
1465 memset(m->u.clientHello.random, 0, RandomSize - nrandom);
1466 memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
1467 m->u.clientHello.compressors = newbytes(1);
1468 m->u.clientHello.compressors->data[0] = CompressionNull;
1471 md5(p, 4, 0, &c->hsmd5);
1472 sha1(p, 4, 0, &c->hssha1);
1478 md5(p, n, 0, &c->hsmd5);
1479 sha1(p, n, 0, &c->hssha1);
1485 tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
1490 m->u.clientHello.version = get16(p);
1496 memmove(m->u.clientHello.random, p, RandomSize);
1499 if(n < 1 || n < p[0]+1)
1501 m->u.clientHello.sid = makebytes(p+1, p[0]);
1502 p += m->u.clientHello.sid->len+1;
1503 n -= m->u.clientHello.sid->len+1;
1511 if((nn & 1) || n < nn || nn < 2)
1513 m->u.clientHello.ciphers = newints(nn >> 1);
1514 for(i = 0; i < nn; i += 2)
1515 m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
1519 if(n < 1 || n < p[0]+1 || p[0] == 0)
1522 m->u.clientHello.compressors = makebytes(p+1, nn);
1531 m->u.clientHello.extensions = makebytes(p+2, nn);
1537 m->u.serverHello.version = get16(p);
1543 memmove(m->u.serverHello.random, p, RandomSize);
1547 if(n < 1 || n < p[0]+1)
1549 m->u.serverHello.sid = makebytes(p+1, p[0]);
1550 p += m->u.serverHello.sid->len+1;
1551 n -= m->u.serverHello.sid->len+1;
1555 m->u.serverHello.cipher = get16(p);
1556 m->u.serverHello.compressor = p[2];
1565 m->u.serverHello.extensions = makebytes(p+2, nn);
1574 if(nn == 0 && n > 0)
1586 m->u.certificate.ncert = i+1;
1587 m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes*));
1588 m->u.certificate.certs[i] = makebytes(p, nn);
1594 case HCertificateRequest:
1602 m->u.certificateRequest.types = makebytes(p, nn);
1610 /* nn == 0 can happen; yahoo's servers do it */
1621 if(nn < 1 || nn > n)
1623 m->u.certificateRequest.nca = i+1;
1624 m->u.certificateRequest.cas = erealloc(
1625 m->u.certificateRequest.cas, (i+1)*sizeof(Bytes*));
1626 m->u.certificateRequest.cas[i] = makebytes(p, nn);
1632 case HServerHelloDone:
1634 case HServerKeyExchange:
1637 if(isECDHE(c->cipher)){
1640 if(nn != 3 || nn > n) /* not a named curve */
1644 m->u.serverKeyExchange.curve = nn;
1647 if(nn < 1 || nn > n)
1649 m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
1651 }else if(isDHE(c->cipher)){
1654 if(nn < 1 || nn > n)
1656 m->u.serverKeyExchange.dh_p = makebytes(p, nn);
1663 if(nn < 1 || nn > n)
1665 m->u.serverKeyExchange.dh_g = makebytes(p, nn);
1672 if(nn < 1 || nn > n)
1674 m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
1677 /* should not happen */
1683 if(nn > 0 && nn <= n){
1684 m->u.serverKeyExchange.dh_signature = makebytes(p, nn);
1689 case HClientKeyExchange:
1691 * this message depends upon the encryption selected
1694 if(c->version == SSL3Version)
1705 m->u.clientKeyExchange.key = makebytes(p, nn);
1709 m->u.finished.n = c->finished.n;
1710 if(n < m->u.finished.n)
1712 memmove(m->u.finished.verify, p, m->u.finished.n);
1713 n -= m->u.finished.n;
1717 if(type != HClientHello && type != HServerHello && n != 0)
1722 buf = emalloc(8000);
1723 c->trace("recv %s", msgPrint(buf, 8000, m));
1728 tlsError(c, EDecodeError, "handshake message (%d) has invalid length", type);
1741 sysfatal("msgClear: unknown message type: %d", m->tag);
1745 freebytes(m->u.clientHello.sid);
1746 freeints(m->u.clientHello.ciphers);
1747 freebytes(m->u.clientHello.compressors);
1748 freebytes(m->u.clientHello.extensions);
1751 freebytes(m->u.serverHello.sid);
1752 freebytes(m->u.serverHello.extensions);
1755 for(i=0; i<m->u.certificate.ncert; i++)
1756 freebytes(m->u.certificate.certs[i]);
1757 free(m->u.certificate.certs);
1759 case HCertificateRequest:
1760 freebytes(m->u.certificateRequest.types);
1761 for(i=0; i<m->u.certificateRequest.nca; i++)
1762 freebytes(m->u.certificateRequest.cas[i]);
1763 free(m->u.certificateRequest.cas);
1765 case HCertificateVerify:
1766 freebytes(m->u.certificateVerify.signature);
1768 case HServerHelloDone:
1770 case HServerKeyExchange:
1771 freebytes(m->u.serverKeyExchange.dh_p);
1772 freebytes(m->u.serverKeyExchange.dh_g);
1773 freebytes(m->u.serverKeyExchange.dh_Ys);
1774 freebytes(m->u.serverKeyExchange.dh_signature);
1776 case HClientKeyExchange:
1777 freebytes(m->u.clientKeyExchange.key);
1782 memset(m, 0, sizeof(Msg));
1786 bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
1791 bs = seprint(bs, be, "%s", s0);
1793 bs = seprint(bs, be, "nil");
1795 bs = seprint(bs, be, "<%d> [", b->len);
1796 for(i=0; i<b->len; i++)
1797 bs = seprint(bs, be, "%.2x ", b->data[i]);
1799 bs = seprint(bs, be, "]");
1801 bs = seprint(bs, be, "%s", s1);
1806 intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
1811 bs = seprint(bs, be, "%s", s0);
1812 bs = seprint(bs, be, "[");
1814 bs = seprint(bs, be, "nil");
1816 for(i=0; i<b->len; i++)
1817 bs = seprint(bs, be, "%x ", b->data[i]);
1818 bs = seprint(bs, be, "]");
1820 bs = seprint(bs, be, "%s", s1);
1825 msgPrint(char *buf, int n, Msg *m)
1828 char *bs = buf, *be = buf+n;
1832 bs = seprint(bs, be, "unknown %d\n", m->tag);
1835 bs = seprint(bs, be, "ClientHello\n");
1836 bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version);
1837 bs = seprint(bs, be, "\trandom: ");
1838 for(i=0; i<RandomSize; i++)
1839 bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]);
1840 bs = seprint(bs, be, "\n");
1841 bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
1842 bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
1843 bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
1844 if(m->u.clientHello.extensions != nil)
1845 bs = bytesPrint(bs, be, "\textensions: ", m->u.clientHello.extensions, "\n");
1848 bs = seprint(bs, be, "ServerHello\n");
1849 bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version);
1850 bs = seprint(bs, be, "\trandom: ");
1851 for(i=0; i<RandomSize; i++)
1852 bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]);
1853 bs = seprint(bs, be, "\n");
1854 bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
1855 bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
1856 bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
1857 if(m->u.serverHello.extensions != nil)
1858 bs = bytesPrint(bs, be, "\textensions: ", m->u.serverHello.extensions, "\n");
1861 bs = seprint(bs, be, "Certificate\n");
1862 for(i=0; i<m->u.certificate.ncert; i++)
1863 bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n");
1865 case HCertificateRequest:
1866 bs = seprint(bs, be, "CertificateRequest\n");
1867 bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
1868 bs = seprint(bs, be, "\tcertificateauthorities\n");
1869 for(i=0; i<m->u.certificateRequest.nca; i++)
1870 bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
1872 case HCertificateVerify:
1873 bs = seprint(bs, be, "HCertificateVerify\n");
1874 bs = bytesPrint(bs, be, "\tsignature: ", m->u.certificateVerify.signature,"\n");
1876 case HServerHelloDone:
1877 bs = seprint(bs, be, "ServerHelloDone\n");
1879 case HServerKeyExchange:
1880 bs = seprint(bs, be, "HServerKeyExchange\n");
1881 if(m->u.serverKeyExchange.curve != 0){
1882 bs = seprint(bs, be, "\tcurve: %.4x\n", m->u.serverKeyExchange.curve);
1884 bs = bytesPrint(bs, be, "\tdh_p: ", m->u.serverKeyExchange.dh_p, "\n");
1885 bs = bytesPrint(bs, be, "\tdh_g: ", m->u.serverKeyExchange.dh_g, "\n");
1887 bs = bytesPrint(bs, be, "\tdh_Ys: ", m->u.serverKeyExchange.dh_Ys, "\n");
1888 bs = bytesPrint(bs, be, "\tdh_signature: ", m->u.serverKeyExchange.dh_signature, "\n");
1890 case HClientKeyExchange:
1891 bs = seprint(bs, be, "HClientKeyExchange\n");
1892 bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
1895 bs = seprint(bs, be, "HFinished\n");
1896 for(i=0; i<m->u.finished.n; i++)
1897 bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]);
1898 bs = seprint(bs, be, "\n");
1906 tlsError(TlsConnection *c, int err, char *fmt, ...)
1912 vseprint(msg, msg+sizeof(msg), fmt, arg);
1915 c->trace("tlsError: %s\n", msg);
1917 fprint(2, "double error: %r, %s", msg);
1919 werrstr("tls: local %s", msg);
1921 fprint(c->ctl, "alert %d", err);
1924 // commit to specific version number
1926 setVersion(TlsConnection *c, int version)
1928 if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
1930 if(version > c->version)
1931 version = c->version;
1932 if(version == SSL3Version) {
1933 c->version = version;
1934 c->finished.n = SSL3FinishedLen;
1935 }else if(version == TLSVersion){
1936 c->version = version;
1937 c->finished.n = TLSFinishedLen;
1941 return fprint(c->ctl, "version 0x%x", version);
1944 // confirm that received Finished message matches the expected value
1946 finishedMatch(TlsConnection *c, Finished *f)
1948 return memcmp(f->verify, c->finished.verify, f->n) == 0;
1951 // free memory associated with TlsConnection struct
1952 // (but don't close the TLS channel itself)
1954 tlsConnectionFree(TlsConnection *c)
1956 tlsSecClose(c->sec);
1959 memset(c, 0, sizeof(c));
1964 //================= cipher choices ========================
1966 static int weakCipher[CipherMax] =
1968 1, /* TLS_NULL_WITH_NULL_NULL */
1969 1, /* TLS_RSA_WITH_NULL_MD5 */
1970 1, /* TLS_RSA_WITH_NULL_SHA */
1971 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
1972 0, /* TLS_RSA_WITH_RC4_128_MD5 */
1973 0, /* TLS_RSA_WITH_RC4_128_SHA */
1974 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
1975 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */
1976 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
1977 0, /* TLS_RSA_WITH_DES_CBC_SHA */
1978 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
1979 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
1980 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
1981 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
1982 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
1983 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
1984 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
1985 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
1986 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
1987 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
1988 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
1989 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
1990 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
1991 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
1992 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */
1993 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
1994 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */
1995 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
1999 setAlgs(TlsConnection *c, int a)
2003 for(i = 0; i < nelem(cipherAlgs); i++){
2004 if(cipherAlgs[i].tlsid == a){
2006 c->enc = cipherAlgs[i].enc;
2007 c->digest = cipherAlgs[i].digest;
2008 c->nsecret = cipherAlgs[i].nsecret;
2009 if(c->nsecret > MaxKeyData)
2023 for(i = 0; i < cv->len; i++) {
2028 weak &= weakCipher[c];
2029 if(isDHE(c) || isECDHE(c))
2030 continue; /* TODO: not implemented for server */
2031 for(j = 0; j < nelem(cipherAlgs); j++)
2032 if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
2041 okCompression(Bytes *cv)
2045 for(i = 0; i < cv->len; i++) {
2047 for(j = 0; j < nelem(compressors); j++) {
2048 if(compressors[j] == c)
2055 static Lock ciphLock;
2056 static int nciphers;
2061 enum {MaxAlgF = 1024, MaxAlgs = 10};
2062 char s[MaxAlgF], *flds[MaxAlgs];
2070 j = open("#a/tls/encalgs", OREAD);
2072 werrstr("can't open #a/tls/encalgs: %r");
2075 n = read(j, s, MaxAlgF-1);
2078 werrstr("nothing in #a/tls/encalgs: %r");
2082 n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
2083 for(i = 0; i < nelem(cipherAlgs); i++){
2085 for(j = 0; j < n; j++){
2086 if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){
2091 cipherAlgs[i].ok = ok;
2094 j = open("#a/tls/hashalgs", OREAD);
2096 werrstr("can't open #a/tls/hashalgs: %r");
2099 n = read(j, s, MaxAlgF-1);
2102 werrstr("nothing in #a/tls/hashalgs: %r");
2106 n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
2107 for(i = 0; i < nelem(cipherAlgs); i++){
2109 for(j = 0; j < n; j++){
2110 if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){
2115 cipherAlgs[i].ok &= ok;
2116 if(cipherAlgs[i].ok)
2129 is = newints(nciphers);
2131 for(i = 0; i < nelem(cipherAlgs); i++){
2132 if(cipherAlgs[i].ok)
2133 is->data[j++] = cipherAlgs[i].tlsid;
2140 //================= security functions ========================
2142 // given X.509 certificate, set up connection to factotum
2143 // for using corresponding private key
2145 factotum_rsa_open(uchar *cert, int certlen)
2153 // start talking to factotum
2154 if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
2156 if((rpc = auth_allocrpc(afd)) == nil){
2160 s = "proto=rsa service=tls role=client";
2161 if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
2162 factotum_rsa_close(rpc);
2166 // roll factotum keyring around to match certificate
2167 rsapub = X509toRSApub(cert, certlen, nil, 0);
2169 if(auth_rpc(rpc, "read", nil, 0) != ARok){
2170 factotum_rsa_close(rpc);
2174 pub = strtomp(rpc->arg, nil, 16, nil);
2176 if(mpcmp(pub,rsapub->n) == 0)
2186 factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
2191 p = mptoa(cipher, 16, nil, 0);
2195 rv = auth_rpc(rpc, "write", p, strlen(p));
2197 if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
2199 return strtomp(rpc->arg, nil, 16, nil);
2203 factotum_rsa_close(AuthRpc*rpc)
2212 tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2214 uchar ai[MD5dlen], tmp[MD5dlen];
2219 s = hmac_md5(label, nlabel, key, nkey, nil, nil);
2220 s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
2221 hmac_md5(seed1, nseed1, key, nkey, ai, s);
2224 s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil);
2225 s = hmac_md5(label, nlabel, key, nkey, nil, s);
2226 s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
2227 hmac_md5(seed1, nseed1, key, nkey, tmp, s);
2231 for(i = 0; i < n; i++)
2235 hmac_md5(ai, MD5dlen, key, nkey, tmp, nil);
2236 memmove(ai, tmp, MD5dlen);
2241 tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2243 uchar ai[SHA1dlen], tmp[SHA1dlen];
2248 s = hmac_sha1(label, nlabel, key, nkey, nil, nil);
2249 s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
2250 hmac_sha1(seed1, nseed1, key, nkey, ai, s);
2253 s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil);
2254 s = hmac_sha1(label, nlabel, key, nkey, nil, s);
2255 s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
2256 hmac_sha1(seed1, nseed1, key, nkey, tmp, s);
2260 for(i = 0; i < n; i++)
2264 hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil);
2265 memmove(ai, tmp, SHA1dlen);
2269 // fill buf with md5(args)^sha1(args)
2271 tlsPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2274 int nlabel = strlen(label);
2275 int n = (nkey + 1) >> 1;
2277 for(i = 0; i < nbuf; i++)
2279 tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
2280 tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
2284 * for setting server session id's
2286 static Lock sidLock;
2287 static long maxSid = 1;
2289 /* the keys are verified to have the same public components
2290 * and to function correctly with pkcs 1 encryption and decryption. */
2292 tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
2294 TlsSec *sec = emalloc(sizeof(*sec));
2296 USED(csid); USED(ncsid); // ignore csid for now
2298 memmove(sec->crandom, crandom, RandomSize);
2299 sec->clientVers = cvers;
2301 put32(sec->srandom, time(0));
2302 genrandom(sec->srandom+4, RandomSize-4);
2303 memmove(srandom, sec->srandom, RandomSize);
2306 * make up a unique sid: use our pid, and and incrementing id
2307 * can signal no sid by setting nssid to 0.
2309 memset(ssid, 0, SidSize);
2310 put32(ssid, getpid());
2312 put32(ssid+4, maxSid++);
2319 tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm)
2322 if(setVers(sec, vers) < 0)
2324 serverMasterSecret(sec, epm);
2325 }else if(sec->vers != vers){
2326 werrstr("mismatched session versions");
2336 tlsSecInitc(int cvers, uchar *crandom)
2338 TlsSec *sec = emalloc(sizeof(*sec));
2339 sec->clientVers = cvers;
2340 put32(sec->crandom, time(0));
2341 genrandom(sec->crandom+4, RandomSize-4);
2342 memmove(crandom, sec->crandom, RandomSize);
2347 tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers)
2355 memmove(sec->srandom, srandom, RandomSize);
2356 if(setVers(sec, vers) < 0)
2358 pub = X509toRSApub(cert, ncert, nil, 0);
2360 werrstr("invalid x509/rsa certificate");
2363 epm = clientMasterSecret(sec, pub);
2373 tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient)
2375 if(sec->nfin != nfin){
2377 werrstr("invalid finished exchange");
2382 (*sec->setFinished)(sec, md5, sha1, fin, isclient);
2387 tlsSecOk(TlsSec *sec)
2394 tlsSecKill(TlsSec *sec)
2398 factotum_rsa_close(sec->rpc);
2403 tlsSecClose(TlsSec *sec)
2407 factotum_rsa_close(sec->rpc);
2413 setVers(TlsSec *sec, int v)
2415 if(v == SSL3Version){
2416 sec->setFinished = sslSetFinished;
2417 sec->nfin = SSL3FinishedLen;
2419 }else if(v == TLSVersion){
2420 sec->setFinished = tlsSetFinished;
2421 sec->nfin = TLSFinishedLen;
2424 werrstr("invalid version");
2432 * generate secret keys from the master secret.
2434 * different crypto selections will require different amounts
2435 * of key expansion and use of key expansion data,
2436 * but it's all generated using the same function.
2439 setSecrets(TlsSec *sec, uchar *kd, int nkd)
2441 (*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
2442 sec->srandom, RandomSize, sec->crandom, RandomSize);
2446 * set the master secret from the pre-master secret,
2447 * destroys premaster.
2450 setMasterSecret(TlsSec *sec, Bytes *pm)
2452 (*sec->prf)(sec->sec, MasterSecretSize, pm->data, pm->len, "master secret",
2453 sec->crandom, RandomSize, sec->srandom, RandomSize);
2455 memset(pm->data, 0, pm->len);
2460 serverMasterSecret(TlsSec *sec, Bytes *epm)
2464 pm = pkcs1_decrypt(sec, epm);
2466 // if the client messed up, just continue as if everything is ok,
2467 // to prevent attacks to check for correctly formatted messages.
2468 // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
2469 if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
2470 fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
2471 sec->ok, pm, pm != nil ? get16(pm->data) : -1, sec->clientVers, epm->len);
2474 pm = newbytes(MasterSecretSize);
2475 genrandom(pm->data, MasterSecretSize);
2477 assert(pm->len == MasterSecretSize);
2478 setMasterSecret(sec, pm);
2482 clientMasterSecret(TlsSec *sec, RSApub *pub)
2486 pm = newbytes(MasterSecretSize);
2487 put16(pm->data, sec->clientVers);
2488 genrandom(pm->data+2, MasterSecretSize - 2);
2489 epm = pkcs1_encrypt(pm, pub, 2);
2490 setMasterSecret(sec, pm);
2495 sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
2498 uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
2506 md5((uchar*)label, 4, nil, &hsmd5);
2507 md5(sec->sec, MasterSecretSize, nil, &hsmd5);
2508 memset(pad, 0x36, 48);
2509 md5(pad, 48, nil, &hsmd5);
2510 md5(nil, 0, h0, &hsmd5);
2511 memset(pad, 0x5C, 48);
2512 s = md5(sec->sec, MasterSecretSize, nil, nil);
2513 s = md5(pad, 48, nil, s);
2514 md5(h0, MD5dlen, finished, s);
2516 sha1((uchar*)label, 4, nil, &hssha1);
2517 sha1(sec->sec, MasterSecretSize, nil, &hssha1);
2518 memset(pad, 0x36, 40);
2519 sha1(pad, 40, nil, &hssha1);
2520 sha1(nil, 0, h1, &hssha1);
2521 memset(pad, 0x5C, 40);
2522 s = sha1(sec->sec, MasterSecretSize, nil, nil);
2523 s = sha1(pad, 40, nil, s);
2524 sha1(h1, SHA1dlen, finished + MD5dlen, s);
2527 // fill "finished" arg with md5(args)^sha1(args)
2529 tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
2531 uchar h0[MD5dlen], h1[SHA1dlen];
2534 // get current hash value, but allow further messages to be hashed in
2535 md5(nil, 0, h0, &hsmd5);
2536 sha1(nil, 0, h1, &hssha1);
2539 label = "client finished";
2541 label = "server finished";
2542 tlsPRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
2546 sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2549 uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
2557 for(i = 0; i < len; i++)
2558 tmp[i] = 'A' - 1 + len;
2559 s = sha1(tmp, len, nil, nil);
2560 s = sha1(key, nkey, nil, s);
2561 s = sha1(seed0, nseed0, nil, s);
2562 sha1(seed1, nseed1, sha1dig, s);
2563 s = md5(key, nkey, nil, nil);
2564 md5(sha1dig, SHA1dlen, md5dig, s);
2568 memmove(buf, md5dig, n);
2576 bytestomp(Bytes* bytes)
2578 return betomp(bytes->data, bytes->len, nil);
2582 * Convert mpint* to Bytes, putting high order byte first.
2585 mptobytes(mpint* big)
2590 n = (mpsignif(big)+7)/8;
2593 ans->len = mptobe(big, ans->data, n, nil);
2597 // Do RSA computation on block according to key, and pad
2598 // result on left with zeros to make it modlen long.
2600 rsacomp(Bytes* block, RSApub* key, int modlen)
2606 x = bytestomp(block);
2607 y = rsaencrypt(key, x, nil);
2609 ybytes = mptobytes(y);
2614 a = newbytes(modlen);
2615 memset(a->data, 0, modlen-ylen);
2616 memmove(a->data+modlen-ylen, ybytes->data, ylen);
2620 else if(ylen > modlen) {
2621 // assume it has leading zeros (mod should make it so)
2622 a = newbytes(modlen);
2623 memmove(a->data, ybytes->data, modlen);
2630 // encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
2632 pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
2634 Bytes *pad, *eb, *ans;
2635 int i, dlen, padlen, modlen;
2637 modlen = (mpsignif(key->n)+7)/8;
2639 if(modlen < 12 || dlen > modlen - 11)
2641 padlen = modlen - 3 - dlen;
2642 pad = newbytes(padlen);
2643 genrandom(pad->data, padlen);
2644 for(i = 0; i < padlen; i++) {
2647 else if(blocktype == 1)
2649 else if(pad->data[i] == 0)
2652 eb = newbytes(modlen);
2654 eb->data[1] = blocktype;
2655 memmove(eb->data+2, pad->data, padlen);
2656 eb->data[padlen+2] = 0;
2657 memmove(eb->data+padlen+3, data->data, dlen);
2658 ans = rsacomp(eb, key, modlen);
2664 // decrypt data according to PKCS#1, with given key.
2665 // expect a block type of 2.
2667 pkcs1_decrypt(TlsSec *sec, Bytes *cipher)
2669 Bytes *eb, *ans = nil;
2673 modlen = (mpsignif(sec->rsapub->n)+7)/8;
2674 if(cipher->len != modlen)
2676 x = bytestomp(cipher);
2677 y = factotum_rsa_decrypt(sec->rpc, x);
2682 if(eb->len < modlen){ // pad on left with zeros
2683 ans = newbytes(modlen);
2684 memset(ans->data, 0, modlen-eb->len);
2685 memmove(ans->data+modlen-eb->len, eb->data, eb->len);
2689 if(eb->data[0] == 0 && eb->data[1] == 2) {
2690 for(i = 2; i < modlen; i++)
2691 if(eb->data[i] == 0)
2694 ans = makebytes(eb->data+i+1, modlen-(i+1));
2701 //================= general utility functions ========================
2711 sysfatal("out of memory");
2713 setmalloctag(p, getcallerpc(&n));
2718 erealloc(void *ReallocP, int ReallocN)
2723 ReallocP = emalloc(ReallocN);
2724 else if((ReallocP = realloc(ReallocP, ReallocN)) == nil)
2725 sysfatal("out of memory");
2726 setrealloctag(ReallocP, getcallerpc(&ReallocP));
2731 put32(uchar *p, u32int x)
2740 put24(uchar *p, int x)
2748 put16(uchar *p, int x)
2757 return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2763 return (p[0]<<16)|(p[1]<<8)|p[2];
2769 return (p[0]<<8)|p[1];
2772 #define OFFSET(x, s) offsetof(s, x)
2781 ans = (Bytes*)emalloc(OFFSET(data[0], Bytes) + len);
2787 * newbytes(len), with data initialized from buf
2790 makebytes(uchar* buf, int len)
2794 ans = newbytes(len);
2795 memmove(ans->data, buf, len);
2805 /* len is number of ints */
2811 if(len < 0 || len > ((uint)-1>>1)/sizeof(int))
2813 ans = (Ints*)emalloc(OFFSET(data[0], Ints) + len*sizeof(int));