8 // The main groups of functions are:
9 // client/server - main handshake protocol definition
10 // message functions - formating handshake messages
11 // cipher choices - catalog of digest and encrypt algorithms
12 // security functions - PKCS#1, sslHMAC, session keygen
13 // general utility functions - malloc, serialization
14 // The handshake protocol builds on the TLS/SSL3 record layer protocol,
15 // which is implemented in kernel device #a. See also /lib/rfc/rfc2246.
19 SSL3FinishedLen = MD5dlen+SHA1dlen,
20 MaxKeyData = 160, // amount of secret we may need
24 MasterSecretSize = 48,
29 typedef struct TlsSec TlsSec;
33 uchar data[1]; // [len]
49 typedef struct Namedcurve{
61 typedef struct Finished{
62 uchar verify[SSL3FinishedLen];
66 typedef struct HandshakeHash {
69 SHA2_256state sha2_256;
72 typedef struct TlsConnection{
73 TlsSec *sec; // security management goo
74 int hand, ctl; // record layer file descriptors
75 int erred; // set when tlsError called
76 int (*trace)(char*fmt, ...); // for debugging
77 int version; // protocol we are speaking
78 int verset; // version has been set
79 int ver2hi; // server got a version 2 hello
80 int isClient; // is this the client or server?
81 Bytes *sid; // SessionID
82 Bytes *cert; // only last - no chain
85 int state; // must be set using setstate
87 // input buffer for handshake messages
88 uchar recvbuf[MaxChunk];
92 uchar sendbuf[MaxChunk];
95 uchar crandom[RandomSize]; // client random
96 uchar srandom[RandomSize]; // server random
97 int clientVersion; // version in ClientHello
99 char *digest; // name of digest algorithm to use
100 char *enc; // name of encryption algorithm to use
101 int nsecret; // amount of secret data to init keys
103 // for finished messages
104 HandshakeHash handhash;
113 uchar random[RandomSize];
121 uchar random[RandomSize];
135 } certificateRequest;
153 typedef struct TlsSec{
154 char *server; // name of remote; nil for server
155 int ok; // <0 killed; == 0 in progress; >0 reusable
157 AuthRpc *rpc; // factotum for rsa private key
158 uchar sec[MasterSecretSize]; // master secret
159 uchar crandom[RandomSize]; // client random
160 uchar srandom[RandomSize]; // server random
161 int clientVers; // version in ClientHello
162 int vers; // final version
163 // byte generation and handshake checksum
164 void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
165 void (*setFinished)(TlsSec*, HandshakeHash, uchar*, int);
171 SSL3Version = 0x0300,
172 TLS10Version = 0x0301,
173 TLS11Version = 0x0302,
174 TLS12Version = 0x0303,
175 ProtocolVersion = TLS12Version, // maximum version we speak
176 MinProtoVersion = 0x0300, // limits on version we accept
177 MaxProtoVersion = 0x03ff,
185 HSSL2ClientHello = 9, /* local convention; see devtls.c */
199 EUnexpectedMessage = 10,
201 EDecryptionFailed = 21,
202 ERecordOverflow = 22,
203 EDecompressionFailure = 30,
204 EHandshakeFailure = 40,
206 EBadCertificate = 42,
207 EUnsupportedCertificate = 43,
208 ECertificateRevoked = 44,
209 ECertificateExpired = 45,
210 ECertificateUnknown = 46,
211 EIllegalParameter = 47,
216 EExportRestriction = 60,
217 EProtocolVersion = 70,
218 EInsufficientSecurity = 71,
221 ENoRenegotiation = 100,
227 TLS_NULL_WITH_NULL_NULL = 0x0000,
228 TLS_RSA_WITH_NULL_MD5 = 0x0001,
229 TLS_RSA_WITH_NULL_SHA = 0x0002,
230 TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
231 TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
232 TLS_RSA_WITH_RC4_128_SHA = 0x0005,
233 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006,
234 TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
235 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008,
236 TLS_RSA_WITH_DES_CBC_SHA = 0X0009,
237 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A,
238 TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X000B,
239 TLS_DH_DSS_WITH_DES_CBC_SHA = 0X000C,
240 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0X000D,
241 TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X000E,
242 TLS_DH_RSA_WITH_DES_CBC_SHA = 0X000F,
243 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0X0010,
244 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X0011,
245 TLS_DHE_DSS_WITH_DES_CBC_SHA = 0X0012,
246 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0X0013, // ZZZ must be implemented for tls1.0 compliance
247 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0014,
248 TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015,
249 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016,
250 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
251 TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
252 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
253 TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
254 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
256 TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
257 TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
258 TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
259 TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
260 TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0X0033,
261 TLS_DH_anon_WITH_AES_128_CBC_SHA = 0X0034,
262 TLS_RSA_WITH_AES_256_CBC_SHA = 0X0035,
263 TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0X0036,
264 TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0X0037,
265 TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
266 TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
267 TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
269 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0X003C,
270 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0X003D,
272 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
273 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
274 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
275 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
279 // compression methods
285 static Algs cipherAlgs[] = {
286 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
287 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
288 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
289 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
290 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
291 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
292 {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_RSA_WITH_AES_256_CBC_SHA},
293 {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_RSA_WITH_AES_128_CBC_SHA},
294 {"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_RSA_WITH_AES_128_CBC_SHA256},
295 {"aes_256_cbc", "sha256", 2*(32+16+SHA2_256dlen), TLS_RSA_WITH_AES_256_CBC_SHA256},
296 {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA},
297 {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
298 {"rc4_128", "sha1", 2*(16+SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
299 {"rc4_128", "md5", 2*(16+MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
302 static uchar compressors[] = {
306 static Namedcurve namedcurves[] = {
307 {0x0017, "secp256r1",
308 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
309 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
310 "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
311 "046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
312 "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
316 static uchar pointformats[] = {
317 CompressionNull /* support of uncompressed point format is mandatory */
320 static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int certlen, int (*trace)(char*fmt, ...), PEMChain *chain);
321 static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, uchar *ext, int extlen, int (*trace)(char*fmt, ...));
322 static void msgClear(Msg *m);
323 static char* msgPrint(char *buf, int n, Msg *m);
324 static int msgRecv(TlsConnection *c, Msg *m);
325 static int msgSend(TlsConnection *c, Msg *m, int act);
326 static void tlsError(TlsConnection *c, int err, char *msg, ...);
327 #pragma varargck argpos tlsError 3
328 static int setVersion(TlsConnection *c, int version);
329 static int finishedMatch(TlsConnection *c, Finished *f);
330 static void tlsConnectionFree(TlsConnection *c);
332 static int setAlgs(TlsConnection *c, int a);
333 static int okCipher(Ints *cv);
334 static int okCompression(Bytes *cv);
335 static int initCiphers(void);
336 static Ints* makeciphers(void);
338 static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
339 static int tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm);
340 static TlsSec* tlsSecInitc(int cvers, uchar *crandom);
341 static Bytes* tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers);
342 static Bytes* tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers, Bytes *p, Bytes *g, Bytes *Ys);
343 static Bytes* tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys);
344 static int tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient);
345 static void tlsSecOk(TlsSec *sec);
346 static void tlsSecKill(TlsSec *sec);
347 static void tlsSecClose(TlsSec *sec);
348 static void setMasterSecret(TlsSec *sec, Bytes *pm);
349 static void serverMasterSecret(TlsSec *sec, Bytes *epm);
350 static void setSecrets(TlsSec *sec, uchar *kd, int nkd);
351 static Bytes* clientMasterSecret(TlsSec *sec, RSApub *pub);
352 static Bytes* pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
353 static Bytes* pkcs1_decrypt(TlsSec *sec, Bytes *cipher);
354 static void tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
355 static void tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
356 static void sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
357 static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
358 uchar *seed0, int nseed0, uchar *seed1, int nseed1);
359 static int setVers(TlsSec *sec, int version);
361 static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
362 static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
363 static void factotum_rsa_close(AuthRpc*rpc);
365 static void* emalloc(int);
366 static void* erealloc(void*, int);
367 static void put32(uchar *p, u32int);
368 static void put24(uchar *p, int);
369 static void put16(uchar *p, int);
370 static u32int get32(uchar *p);
371 static int get24(uchar *p);
372 static int get16(uchar *p);
373 static Bytes* newbytes(int len);
374 static Bytes* makebytes(uchar* buf, int len);
375 static Bytes* mptobytes(mpint* big);
376 static mpint* bytestomp(Bytes* bytes);
377 static void freebytes(Bytes* b);
378 static Ints* newints(int len);
379 static void freeints(Ints* b);
382 extern mpint* pkcs1padbuf(uchar *buf, int len, mpint *modulus);
384 //================= client/server ========================
386 // push TLS onto fd, returning new (application) file descriptor
389 tlsServer(int fd, TLSconn *conn)
393 int n, data, ctl, hand;
398 ctl = open("#a/tls/clone", ORDWR);
401 n = read(ctl, buf, sizeof(buf)-1);
407 snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
408 snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
409 hand = open(dname, ORDWR);
414 fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
415 tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
416 snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
417 data = open(dname, ORDWR);
420 if(data < 0 || tls == nil){
422 tlsConnectionFree(tls);
426 conn->cert = 0; // client certificates are not yet implemented
428 conn->sessionIDlen = tls->sid->len;
429 conn->sessionID = emalloc(conn->sessionIDlen);
430 memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
431 if(conn->sessionKey != nil
432 && conn->sessionType != nil
433 && strcmp(conn->sessionType, "ttls") == 0)
435 conn->sessionKey, conn->sessionKeylen,
436 tls->sec->sec, MasterSecretSize,
438 tls->sec->crandom, RandomSize,
439 tls->sec->srandom, RandomSize);
440 tlsConnectionFree(tls);
446 tlsClientExtensions(TLSconn *conn, int *plen)
453 // RFC6066 - Server Name Identification
454 if(conn->serverName != nil){
455 n = strlen(conn->serverName);
458 b = erealloc(b, m + 2+2+2+1+2+n);
461 put16(p, 0), p += 2; /* Type: server_name */
462 put16(p, 2+1+2+n), p += 2; /* Length */
463 put16(p, 1+2+n), p += 2; /* Server Name list length */
464 *p++ = 0; /* Server Name Type: host_name */
465 put16(p, n), p += 2; /* Server Name length */
466 memmove(p, conn->serverName, n);
473 b = erealloc(b, m + 2+2+2+nelem(namedcurves)*2 + 2+2+1+nelem(pointformats));
476 n = nelem(namedcurves);
477 put16(p, 0x000a), p += 2; /* Type: elliptic_curves */
478 put16(p, (n+1)*2), p += 2; /* Length */
479 put16(p, n*2), p += 2; /* Elliptic Curves Length */
480 for(i=0; i < n; i++){ /* Elliptic curves */
481 put16(p, namedcurves[i].tlsid);
485 n = nelem(pointformats);
486 put16(p, 0x000b), p += 2; /* Type: ec_point_formats */
487 put16(p, n+1), p += 2; /* Length */
488 *p++ = n; /* EC point formats Length */
489 for(i=0; i < n; i++) /* Elliptic curves point formats */
490 *p++ = pointformats[i];
497 // push TLS onto fd, returning new (application) file descriptor
500 tlsClient(int fd, TLSconn *conn)
504 int n, data, ctl, hand;
510 ctl = open("#a/tls/clone", ORDWR);
513 n = read(ctl, buf, sizeof(buf)-1);
519 snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
520 snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
521 hand = open(dname, ORDWR);
526 snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
527 data = open(dname, ORDWR);
533 fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
534 ext = tlsClientExtensions(conn, &n);
535 tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->cert, conn->certlen,
536 ext, n, conn->trace);
544 conn->certlen = tls->cert->len;
545 conn->cert = emalloc(conn->certlen);
546 memcpy(conn->cert, tls->cert->data, conn->certlen);
547 conn->sessionIDlen = tls->sid->len;
548 conn->sessionID = emalloc(conn->sessionIDlen);
549 memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
550 if(conn->sessionKey != nil
551 && conn->sessionType != nil
552 && strcmp(conn->sessionType, "ttls") == 0)
554 conn->sessionKey, conn->sessionKeylen,
555 tls->sec->sec, MasterSecretSize,
557 tls->sec->crandom, RandomSize,
558 tls->sec->srandom, RandomSize);
559 tlsConnectionFree(tls);
565 countchain(PEMChain *p)
576 static TlsConnection *
577 tlsServer2(int ctl, int hand, uchar *cert, int certlen, int (*trace)(char*fmt, ...), PEMChain *chp)
582 uchar sid[SidSize], kd[MaxKeyData];
584 int cipher, compressor, nsid, rv, numcerts, i;
587 trace("tlsServer2\n");
590 c = emalloc(sizeof(TlsConnection));
594 c->version = ProtocolVersion;
596 memset(&m, 0, sizeof(m));
599 trace("initial msgRecv failed\n");
602 if(m.tag != HClientHello) {
603 tlsError(c, EUnexpectedMessage, "expected a client hello");
606 c->clientVersion = m.u.clientHello.version;
608 trace("ClientHello version %x\n", c->clientVersion);
609 if(setVersion(c, c->clientVersion) < 0) {
610 tlsError(c, EIllegalParameter, "incompatible version");
614 memmove(c->crandom, m.u.clientHello.random, RandomSize);
615 cipher = okCipher(m.u.clientHello.ciphers);
617 // reply with EInsufficientSecurity if we know that's the case
619 tlsError(c, EInsufficientSecurity, "cipher suites too weak");
621 tlsError(c, EHandshakeFailure, "no matching cipher suite");
624 if(!setAlgs(c, cipher)){
625 tlsError(c, EHandshakeFailure, "no matching cipher suite");
628 compressor = okCompression(m.u.clientHello.compressors);
630 tlsError(c, EHandshakeFailure, "no matching compressor");
634 csid = m.u.clientHello.sid;
636 trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
637 c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
639 tlsError(c, EHandshakeFailure, "can't initialize security: %r");
642 c->sec->rpc = factotum_rsa_open(cert, certlen);
643 if(c->sec->rpc == nil){
644 tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
647 c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
648 if(c->sec->rsapub == nil){
649 tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
654 m.tag = HServerHello;
655 m.u.serverHello.version = c->version;
656 memmove(m.u.serverHello.random, c->srandom, RandomSize);
657 m.u.serverHello.cipher = cipher;
658 m.u.serverHello.compressor = compressor;
659 c->sid = makebytes(sid, nsid);
660 m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
661 if(!msgSend(c, &m, AQueue))
665 m.tag = HCertificate;
666 numcerts = countchain(chp);
667 m.u.certificate.ncert = 1 + numcerts;
668 m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
669 m.u.certificate.certs[0] = makebytes(cert, certlen);
670 for (i = 0; i < numcerts && chp; i++, chp = chp->next)
671 m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
672 if(!msgSend(c, &m, AQueue))
676 m.tag = HServerHelloDone;
677 if(!msgSend(c, &m, AFlush))
683 if(m.tag != HClientKeyExchange) {
684 tlsError(c, EUnexpectedMessage, "expected a client key exchange");
687 if(tlsSecRSAs(c->sec, c->version, m.u.clientKeyExchange.key) < 0){
688 tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
691 setSecrets(c->sec, kd, c->nsecret);
693 trace("tls secrets\n");
694 secrets = (char*)emalloc(2*c->nsecret);
695 enc64(secrets, 2*c->nsecret, kd, c->nsecret);
696 rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
697 memset(secrets, 0, 2*c->nsecret);
699 memset(kd, 0, c->nsecret);
701 tlsError(c, EHandshakeFailure, "can't set keys: %r");
706 /* no CertificateVerify; skip to Finished */
707 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
708 tlsError(c, EInternalError, "can't set finished: %r");
713 if(m.tag != HFinished) {
714 tlsError(c, EUnexpectedMessage, "expected a finished");
717 if(!finishedMatch(c, &m.u.finished)) {
718 tlsError(c, EHandshakeFailure, "finished verification failed");
723 /* change cipher spec */
724 if(fprint(c->ctl, "changecipher") < 0){
725 tlsError(c, EInternalError, "can't enable cipher: %r");
729 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
730 tlsError(c, EInternalError, "can't set finished: %r");
734 m.u.finished = c->finished;
735 if(!msgSend(c, &m, AFlush))
739 trace("tls finished\n");
741 if(fprint(c->ctl, "opened") < 0)
748 tlsConnectionFree(c);
756 case TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
757 case TLS_DHE_DSS_WITH_DES_CBC_SHA:
758 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
759 case TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
760 case TLS_DHE_RSA_WITH_DES_CBC_SHA:
761 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
762 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
763 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
764 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
765 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
775 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
776 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
777 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
778 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
785 tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers,
786 Bytes *p, Bytes *g, Bytes *Ys)
788 mpint *G, *P, *Y, *K;
792 if(p == nil || g == nil || Ys == nil)
795 memmove(sec->srandom, srandom, RandomSize);
796 if(setVers(sec, vers) < 0)
805 if(P == nil || G == nil || Y == nil || dh_new(&dh, P, nil, G) == nil)
807 epm = mptobytes(dh.y);
808 K = dh_finish(&dh, Y);
814 setMasterSecret(sec, mptobytes(K));
826 bytestoec(ECdomain *dom, Bytes *bp, ECpoint *ret)
828 char *hex = "0123456789ABCDEF";
832 s = emalloc(2*bp->len + 1);
833 for(i=0; i < bp->len; i++){
834 s[2*i] = hex[bp->data[i]>>4 & 15];
835 s[2*i+1] = hex[bp->data[i] & 15];
838 ret = strtoec(dom, s, nil, ret);
844 ectobytes(int type, ECpoint *p)
848 bx = mptobytes(p->x);
849 by = mptobytes(p->y);
850 bp = newbytes(bx->len + by->len + 1);
852 memmove(bp->data+1, bx->data, bx->len);
853 memmove(bp->data+1+bx->len, by->data, by->len);
860 tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys)
862 Namedcurve *nc, *enc;
871 enc = &namedcurves[nelem(namedcurves)];
872 for(nc = namedcurves; nc != enc; nc++)
873 if(nc->tlsid == curve)
879 memmove(sec->srandom, srandom, RandomSize);
880 if(setVers(sec, vers) < 0)
885 memset(&dom, 0, sizeof(dom));
886 dom.p = strtomp(nc->p, nil, 16, nil);
887 dom.a = strtomp(nc->a, nil, 16, nil);
888 dom.b = strtomp(nc->b, nil, 16, nil);
889 dom.n = strtomp(nc->n, nil, 16, nil);
890 dom.h = strtomp(nc->h, nil, 16, nil);
892 memset(&G, 0, sizeof(G));
896 memset(&Q, 0, sizeof(Q));
901 memset(&K, 0, sizeof(K));
905 memset(&Y, 0, sizeof(Y));
909 if(dom.p == nil || dom.a == nil || dom.b == nil || dom.n == nil || dom.h == nil)
911 if(Q.x == nil || Q.y == nil || Q.d == nil)
913 if(G.x == nil || G.y == nil)
915 if(K.x == nil || K.y == nil)
917 if(Y.x == nil || Y.y == nil)
920 dom.G = strtoec(&dom, nc->G, nil, &G);
924 if(bytestoec(&dom, Ys, &Y) == nil)
927 if(ecgen(&dom, &Q) == nil)
930 ecmul(&dom, &Y, Q.d, &K);
931 setMasterSecret(sec, mptobytes(K.x));
933 /* 0x04 = uncompressed public key */
934 epm = ectobytes(0x04, &Q);
959 static TlsConnection *
960 tlsClient2(int ctl, int hand, uchar *csid, int ncsid, uchar *cert, int certlen, uchar *ext, int extlen,
961 int (*trace)(char*fmt, ...))
965 uchar kd[MaxKeyData];
967 int creq, dhx, rv, cipher;
968 mpint *signedMP, *paddedHashes;
974 c = emalloc(sizeof(TlsConnection));
975 c->version = ProtocolVersion;
977 // client certificate signature not implemented for TLS1.2
978 if(cert != nil && certlen > 0 && c->version >= TLS12Version)
979 c->version = TLS11Version;
985 c->clientVersion = c->version;
987 c->sec = tlsSecInitc(c->clientVersion, c->crandom);
991 memset(&m, 0, sizeof(m));
992 m.tag = HClientHello;
993 m.u.clientHello.version = c->clientVersion;
994 memmove(m.u.clientHello.random, c->crandom, RandomSize);
995 m.u.clientHello.sid = makebytes(csid, ncsid);
996 m.u.clientHello.ciphers = makeciphers();
997 m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
998 m.u.clientHello.extensions = makebytes(ext, extlen);
999 if(!msgSend(c, &m, AFlush))
1006 if(m.tag != HServerHello) {
1007 tlsError(c, EUnexpectedMessage, "expected a server hello");
1010 if(setVersion(c, m.u.serverHello.version) < 0) {
1011 tlsError(c, EIllegalParameter, "incompatible version %r");
1014 memmove(c->srandom, m.u.serverHello.random, RandomSize);
1015 c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
1016 if(c->sid->len != 0 && c->sid->len != SidSize) {
1017 tlsError(c, EIllegalParameter, "invalid server session identifier");
1020 cipher = m.u.serverHello.cipher;
1021 if(!setAlgs(c, cipher)) {
1022 tlsError(c, EIllegalParameter, "invalid cipher suite");
1025 if(m.u.serverHello.compressor != CompressionNull) {
1026 tlsError(c, EIllegalParameter, "invalid compression");
1032 if(!msgRecv(c, &m) || m.tag != HCertificate) {
1033 tlsError(c, EUnexpectedMessage, "expected a certificate");
1036 if(m.u.certificate.ncert < 1) {
1037 tlsError(c, EIllegalParameter, "runt certificate");
1040 c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
1043 /* server key exchange */
1044 dhx = isDHE(cipher) || isECDHE(cipher);
1047 if(m.tag == HServerKeyExchange) {
1049 tlsError(c, EUnexpectedMessage, "got an server key exchange");
1053 epm = tlsSecECDHEc(c->sec, c->srandom, c->version,
1054 m.u.serverKeyExchange.curve,
1055 m.u.serverKeyExchange.dh_Ys);
1057 epm = tlsSecDHEc(c->sec, c->srandom, c->version,
1058 m.u.serverKeyExchange.dh_p,
1059 m.u.serverKeyExchange.dh_g,
1060 m.u.serverKeyExchange.dh_Ys);
1067 tlsError(c, EUnexpectedMessage, "expected server key exchange");
1071 /* certificate request (optional) */
1073 if(m.tag == HCertificateRequest) {
1080 if(m.tag != HServerHelloDone) {
1081 tlsError(c, EUnexpectedMessage, "expected a server hello done");
1087 epm = tlsSecRSAc(c->sec, c->sid->data, c->sid->len, c->srandom,
1088 c->cert->data, c->cert->len, c->version);
1092 tlsError(c, EBadCertificate, "bad certificate: %r");
1096 setSecrets(c->sec, kd, c->nsecret);
1097 secrets = (char*)emalloc(2*c->nsecret);
1098 enc64(secrets, 2*c->nsecret, kd, c->nsecret);
1099 rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
1100 memset(secrets, 0, 2*c->nsecret);
1102 memset(kd, 0, c->nsecret);
1104 tlsError(c, EHandshakeFailure, "can't set keys: %r");
1109 if(cert != nil && certlen > 0){
1110 m.u.certificate.ncert = 1;
1111 m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
1112 m.u.certificate.certs[0] = makebytes(cert, certlen);
1114 m.tag = HCertificate;
1115 if(!msgSend(c, &m, AFlush))
1120 /* client key exchange */
1121 m.tag = HClientKeyExchange;
1122 m.u.clientKeyExchange.key = epm;
1124 if(m.u.clientKeyExchange.key == nil) {
1125 tlsError(c, EHandshakeFailure, "can't set secret: %r");
1129 if(!msgSend(c, &m, AFlush))
1133 /* certificate verify */
1134 if(creq && cert != nil && certlen > 0) {
1135 uchar hshashes[MD5dlen+SHA1dlen]; /* content of signature */
1136 HandshakeHash hsave;
1138 /* save the state for the Finish message */
1139 hsave = c->handhash;
1140 md5(nil, 0, hshashes, &c->handhash.md5);
1141 sha1(nil, 0, hshashes+MD5dlen, &c->handhash.sha1);
1142 c->handhash = hsave;
1144 c->sec->rpc = factotum_rsa_open(cert, certlen);
1145 if(c->sec->rpc == nil){
1146 tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
1149 c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
1150 if(c->sec->rsapub == nil){
1151 tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
1155 paddedHashes = pkcs1padbuf(hshashes, MD5dlen+SHA1dlen, c->sec->rsapub->n);
1156 signedMP = factotum_rsa_decrypt(c->sec->rpc, paddedHashes);
1157 if(signedMP == nil){
1158 tlsError(c, EHandshakeFailure, "factotum_rsa_decrypt: %r");
1161 m.u.certificateVerify.signature = mptobytes(signedMP);
1164 m.tag = HCertificateVerify;
1165 if(!msgSend(c, &m, AFlush))
1170 /* change cipher spec */
1171 if(fprint(c->ctl, "changecipher") < 0){
1172 tlsError(c, EInternalError, "can't enable cipher: %r");
1176 // Cipherchange must occur immediately before Finished to avoid
1177 // potential hole; see section 4.3 of Wagner Schneier 1996.
1178 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
1179 tlsError(c, EInternalError, "can't set finished 1: %r");
1183 m.u.finished = c->finished;
1184 if(!msgSend(c, &m, AFlush)) {
1185 tlsError(c, EInternalError, "can't flush after client Finished: %r");
1190 if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
1191 tlsError(c, EInternalError, "can't set finished 0: %r");
1194 if(!msgRecv(c, &m)) {
1195 tlsError(c, EInternalError, "can't read server Finished: %r");
1198 if(m.tag != HFinished) {
1199 tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
1203 if(!finishedMatch(c, &m.u.finished)) {
1204 tlsError(c, EHandshakeFailure, "finished verification failed");
1209 if(fprint(c->ctl, "opened") < 0){
1211 trace("unable to do final open: %r\n");
1220 tlsConnectionFree(c);
1225 //================= message functions ========================
1228 msgHash(TlsConnection *c, uchar *p, int n)
1230 md5(p, n, 0, &c->handhash.md5);
1231 sha1(p, n, 0, &c->handhash.sha1);
1232 if(c->version >= TLS12Version)
1233 sha2_256(p, n, 0, &c->handhash.sha2_256);
1237 msgSend(TlsConnection *c, Msg *m, int act)
1239 uchar *p; // sendp = start of new message; p = write pointer
1243 c->sendp = c->sendbuf;
1246 c->trace("send %s", msgPrint((char*)p, (sizeof(c->sendbuf)) - (p - c->sendbuf), m));
1248 p[0] = m->tag; // header - fill in size later
1253 tlsError(c, EInternalError, "can't encode a %d", m->tag);
1257 put16(p, m->u.clientHello.version);
1261 memmove(p, m->u.clientHello.random, RandomSize);
1265 n = m->u.clientHello.sid->len;
1268 memmove(p+1, m->u.clientHello.sid->data, n);
1271 n = m->u.clientHello.ciphers->len;
1272 assert(n > 0 && n < 200);
1275 for(i=0; i<n; i++) {
1276 put16(p, m->u.clientHello.ciphers->data[i]);
1280 n = m->u.clientHello.compressors->len;
1283 memmove(p+1, m->u.clientHello.compressors->data, n);
1286 if(m->u.clientHello.extensions == nil)
1288 n = m->u.clientHello.extensions->len;
1292 memmove(p+2, m->u.clientHello.extensions->data, n);
1296 put16(p, m->u.serverHello.version);
1300 memmove(p, m->u.serverHello.random, RandomSize);
1304 n = m->u.serverHello.sid->len;
1307 memmove(p+1, m->u.serverHello.sid->data, n);
1310 put16(p, m->u.serverHello.cipher);
1312 p[0] = m->u.serverHello.compressor;
1315 if(m->u.serverHello.extensions == nil)
1317 n = m->u.serverHello.extensions->len;
1321 memmove(p+2, m->u.serverHello.extensions->data, n);
1324 case HServerHelloDone:
1328 for(i = 0; i < m->u.certificate.ncert; i++)
1329 nn += 3 + m->u.certificate.certs[i]->len;
1330 if(p + 3 + nn - c->sendbuf > sizeof(c->sendbuf)) {
1331 tlsError(c, EInternalError, "output buffer too small for certificate");
1336 for(i = 0; i < m->u.certificate.ncert; i++){
1337 put24(p, m->u.certificate.certs[i]->len);
1339 memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
1340 p += m->u.certificate.certs[i]->len;
1343 case HCertificateVerify:
1344 put16(p, m->u.certificateVerify.signature->len);
1346 memmove(p, m->u.certificateVerify.signature->data, m->u.certificateVerify.signature->len);
1347 p += m->u.certificateVerify.signature->len;
1349 case HClientKeyExchange:
1350 n = m->u.clientKeyExchange.key->len;
1351 if(c->version != SSL3Version){
1352 if(isECDHE(c->cipher))
1355 put16(p, n), p += 2;
1357 memmove(p, m->u.clientKeyExchange.key->data, n);
1361 memmove(p, m->u.finished.verify, m->u.finished.n);
1362 p += m->u.finished.n;
1366 // go back and fill in size
1368 assert(p <= c->sendbuf + sizeof(c->sendbuf));
1369 put24(c->sendp+1, n-4);
1371 // remember hash of Handshake messages
1372 if(m->tag != HHelloRequest)
1373 msgHash(c, c->sendp, n);
1377 c->sendp = c->sendbuf;
1378 if(write(c->hand, c->sendbuf, p - c->sendbuf) < 0){
1379 fprint(2, "write error: %r\n");
1391 tlsReadN(TlsConnection *c, int n)
1398 if(c->rp != c->recvbuf){
1399 memmove(c->recvbuf, c->rp, nn);
1401 c->ep = &c->recvbuf[nn];
1403 for(; nn < n; nn += nr) {
1404 nr = read(c->hand, &c->rp[nn], n - nn);
1416 msgRecv(TlsConnection *c, Msg *m)
1419 int type, n, nn, i, nsid, nrandom, nciph;
1428 if(type != HHelloRequest)
1431 tlsError(c, EDecodeError, "invalid hello request during handshake");
1436 if(n > sizeof(c->recvbuf)) {
1437 tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->recvbuf));
1441 if(type == HSSL2ClientHello){
1442 /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
1443 This is sent by some clients that we must interoperate
1444 with, such as Java's JSSE and Microsoft's Internet Explorer. */
1449 m->tag = HClientHello;
1452 m->u.clientHello.version = get16(p+1);
1455 nn = get16(p); /* cipher_spec_len */
1456 nsid = get16(p + 2);
1457 nrandom = get16(p + 4);
1460 if(nsid != 0 /* no sid's, since shouldn't restart using ssl2 header */
1461 || nrandom < 16 || nn % 3)
1463 if(c->trace && (n - nrandom != nn))
1464 c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
1465 /* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
1467 for(i = 0; i < nn; i += 3)
1470 m->u.clientHello.ciphers = newints(nciph);
1472 for(i = 0; i < nn; i += 3)
1474 m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]);
1476 m->u.clientHello.sid = makebytes(nil, 0);
1477 if(nrandom > RandomSize)
1478 nrandom = RandomSize;
1479 memset(m->u.clientHello.random, 0, RandomSize - nrandom);
1480 memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
1481 m->u.clientHello.compressors = newbytes(1);
1482 m->u.clientHello.compressors->data[0] = CompressionNull;
1497 tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
1502 m->u.clientHello.version = get16(p);
1508 memmove(m->u.clientHello.random, p, RandomSize);
1511 if(n < 1 || n < p[0]+1)
1513 m->u.clientHello.sid = makebytes(p+1, p[0]);
1514 p += m->u.clientHello.sid->len+1;
1515 n -= m->u.clientHello.sid->len+1;
1523 if((nn & 1) || n < nn || nn < 2)
1525 m->u.clientHello.ciphers = newints(nn >> 1);
1526 for(i = 0; i < nn; i += 2)
1527 m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
1531 if(n < 1 || n < p[0]+1 || p[0] == 0)
1534 m->u.clientHello.compressors = makebytes(p+1, nn);
1543 m->u.clientHello.extensions = makebytes(p+2, nn);
1549 m->u.serverHello.version = get16(p);
1555 memmove(m->u.serverHello.random, p, RandomSize);
1559 if(n < 1 || n < p[0]+1)
1561 m->u.serverHello.sid = makebytes(p+1, p[0]);
1562 p += m->u.serverHello.sid->len+1;
1563 n -= m->u.serverHello.sid->len+1;
1567 m->u.serverHello.cipher = get16(p);
1568 m->u.serverHello.compressor = p[2];
1577 m->u.serverHello.extensions = makebytes(p+2, nn);
1586 if(nn == 0 && n > 0)
1598 m->u.certificate.ncert = i+1;
1599 m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes*));
1600 m->u.certificate.certs[i] = makebytes(p, nn);
1606 case HCertificateRequest:
1614 m->u.certificateRequest.types = makebytes(p, nn);
1622 /* nn == 0 can happen; yahoo's servers do it */
1633 if(nn < 1 || nn > n)
1635 m->u.certificateRequest.nca = i+1;
1636 m->u.certificateRequest.cas = erealloc(
1637 m->u.certificateRequest.cas, (i+1)*sizeof(Bytes*));
1638 m->u.certificateRequest.cas[i] = makebytes(p, nn);
1644 case HServerHelloDone:
1646 case HServerKeyExchange:
1649 if(isECDHE(c->cipher)){
1652 if(nn != 3 || nn > n) /* not a named curve */
1656 m->u.serverKeyExchange.curve = nn;
1659 if(nn < 1 || nn > n)
1661 m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
1663 }else if(isDHE(c->cipher)){
1666 if(nn < 1 || nn > n)
1668 m->u.serverKeyExchange.dh_p = makebytes(p, nn);
1675 if(nn < 1 || nn > n)
1677 m->u.serverKeyExchange.dh_g = makebytes(p, nn);
1684 if(nn < 1 || nn > n)
1686 m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
1689 /* should not happen */
1693 if(c->version >= TLS12Version){
1694 /* signature hash algorithm */
1701 if(nn > 0 && nn <= n){
1702 m->u.serverKeyExchange.dh_signature = makebytes(p, nn);
1707 case HClientKeyExchange:
1709 * this message depends upon the encryption selected
1712 if(c->version == SSL3Version)
1723 m->u.clientKeyExchange.key = makebytes(p, nn);
1727 m->u.finished.n = c->finished.n;
1728 if(n < m->u.finished.n)
1730 memmove(m->u.finished.verify, p, m->u.finished.n);
1731 n -= m->u.finished.n;
1735 if(type != HClientHello && type != HServerHello && n != 0)
1740 buf = emalloc(8000);
1741 c->trace("recv %s", msgPrint(buf, 8000, m));
1746 tlsError(c, EDecodeError, "handshake message (%d) has invalid length", type);
1759 sysfatal("msgClear: unknown message type: %d", m->tag);
1763 freebytes(m->u.clientHello.sid);
1764 freeints(m->u.clientHello.ciphers);
1765 freebytes(m->u.clientHello.compressors);
1766 freebytes(m->u.clientHello.extensions);
1769 freebytes(m->u.serverHello.sid);
1770 freebytes(m->u.serverHello.extensions);
1773 for(i=0; i<m->u.certificate.ncert; i++)
1774 freebytes(m->u.certificate.certs[i]);
1775 free(m->u.certificate.certs);
1777 case HCertificateRequest:
1778 freebytes(m->u.certificateRequest.types);
1779 for(i=0; i<m->u.certificateRequest.nca; i++)
1780 freebytes(m->u.certificateRequest.cas[i]);
1781 free(m->u.certificateRequest.cas);
1783 case HCertificateVerify:
1784 freebytes(m->u.certificateVerify.signature);
1786 case HServerHelloDone:
1788 case HServerKeyExchange:
1789 freebytes(m->u.serverKeyExchange.dh_p);
1790 freebytes(m->u.serverKeyExchange.dh_g);
1791 freebytes(m->u.serverKeyExchange.dh_Ys);
1792 freebytes(m->u.serverKeyExchange.dh_signature);
1794 case HClientKeyExchange:
1795 freebytes(m->u.clientKeyExchange.key);
1800 memset(m, 0, sizeof(Msg));
1804 bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
1809 bs = seprint(bs, be, "%s", s0);
1811 bs = seprint(bs, be, "nil");
1813 bs = seprint(bs, be, "<%d> [", b->len);
1814 for(i=0; i<b->len; i++)
1815 bs = seprint(bs, be, "%.2x ", b->data[i]);
1817 bs = seprint(bs, be, "]");
1819 bs = seprint(bs, be, "%s", s1);
1824 intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
1829 bs = seprint(bs, be, "%s", s0);
1830 bs = seprint(bs, be, "[");
1832 bs = seprint(bs, be, "nil");
1834 for(i=0; i<b->len; i++)
1835 bs = seprint(bs, be, "%x ", b->data[i]);
1836 bs = seprint(bs, be, "]");
1838 bs = seprint(bs, be, "%s", s1);
1843 msgPrint(char *buf, int n, Msg *m)
1846 char *bs = buf, *be = buf+n;
1850 bs = seprint(bs, be, "unknown %d\n", m->tag);
1853 bs = seprint(bs, be, "ClientHello\n");
1854 bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version);
1855 bs = seprint(bs, be, "\trandom: ");
1856 for(i=0; i<RandomSize; i++)
1857 bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]);
1858 bs = seprint(bs, be, "\n");
1859 bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
1860 bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
1861 bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
1862 if(m->u.clientHello.extensions != nil)
1863 bs = bytesPrint(bs, be, "\textensions: ", m->u.clientHello.extensions, "\n");
1866 bs = seprint(bs, be, "ServerHello\n");
1867 bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version);
1868 bs = seprint(bs, be, "\trandom: ");
1869 for(i=0; i<RandomSize; i++)
1870 bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]);
1871 bs = seprint(bs, be, "\n");
1872 bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
1873 bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
1874 bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
1875 if(m->u.serverHello.extensions != nil)
1876 bs = bytesPrint(bs, be, "\textensions: ", m->u.serverHello.extensions, "\n");
1879 bs = seprint(bs, be, "Certificate\n");
1880 for(i=0; i<m->u.certificate.ncert; i++)
1881 bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n");
1883 case HCertificateRequest:
1884 bs = seprint(bs, be, "CertificateRequest\n");
1885 bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
1886 bs = seprint(bs, be, "\tcertificateauthorities\n");
1887 for(i=0; i<m->u.certificateRequest.nca; i++)
1888 bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
1890 case HCertificateVerify:
1891 bs = seprint(bs, be, "HCertificateVerify\n");
1892 bs = bytesPrint(bs, be, "\tsignature: ", m->u.certificateVerify.signature,"\n");
1894 case HServerHelloDone:
1895 bs = seprint(bs, be, "ServerHelloDone\n");
1897 case HServerKeyExchange:
1898 bs = seprint(bs, be, "HServerKeyExchange\n");
1899 if(m->u.serverKeyExchange.curve != 0){
1900 bs = seprint(bs, be, "\tcurve: %.4x\n", m->u.serverKeyExchange.curve);
1902 bs = bytesPrint(bs, be, "\tdh_p: ", m->u.serverKeyExchange.dh_p, "\n");
1903 bs = bytesPrint(bs, be, "\tdh_g: ", m->u.serverKeyExchange.dh_g, "\n");
1905 bs = bytesPrint(bs, be, "\tdh_Ys: ", m->u.serverKeyExchange.dh_Ys, "\n");
1906 bs = bytesPrint(bs, be, "\tdh_signature: ", m->u.serverKeyExchange.dh_signature, "\n");
1908 case HClientKeyExchange:
1909 bs = seprint(bs, be, "HClientKeyExchange\n");
1910 bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
1913 bs = seprint(bs, be, "HFinished\n");
1914 for(i=0; i<m->u.finished.n; i++)
1915 bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]);
1916 bs = seprint(bs, be, "\n");
1924 tlsError(TlsConnection *c, int err, char *fmt, ...)
1930 vseprint(msg, msg+sizeof(msg), fmt, arg);
1933 c->trace("tlsError: %s\n", msg);
1935 fprint(2, "double error: %r, %s", msg);
1937 werrstr("tls: local %s", msg);
1939 fprint(c->ctl, "alert %d", err);
1942 // commit to specific version number
1944 setVersion(TlsConnection *c, int version)
1946 if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
1948 if(version > c->version)
1949 version = c->version;
1950 if(version == SSL3Version) {
1951 c->version = version;
1952 c->finished.n = SSL3FinishedLen;
1954 c->version = version;
1955 c->finished.n = TLSFinishedLen;
1958 return fprint(c->ctl, "version 0x%x", version);
1961 // confirm that received Finished message matches the expected value
1963 finishedMatch(TlsConnection *c, Finished *f)
1965 return memcmp(f->verify, c->finished.verify, f->n) == 0;
1968 // free memory associated with TlsConnection struct
1969 // (but don't close the TLS channel itself)
1971 tlsConnectionFree(TlsConnection *c)
1973 tlsSecClose(c->sec);
1976 memset(c, 0, sizeof(c));
1981 //================= cipher choices ========================
1983 static int weakCipher[CipherMax] =
1985 1, /* TLS_NULL_WITH_NULL_NULL */
1986 1, /* TLS_RSA_WITH_NULL_MD5 */
1987 1, /* TLS_RSA_WITH_NULL_SHA */
1988 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
1989 0, /* TLS_RSA_WITH_RC4_128_MD5 */
1990 0, /* TLS_RSA_WITH_RC4_128_SHA */
1991 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
1992 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */
1993 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
1994 0, /* TLS_RSA_WITH_DES_CBC_SHA */
1995 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
1996 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
1997 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
1998 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
1999 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
2000 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
2001 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
2002 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
2003 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
2004 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
2005 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
2006 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
2007 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
2008 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
2009 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */
2010 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
2011 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */
2012 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
2016 setAlgs(TlsConnection *c, int a)
2020 for(i = 0; i < nelem(cipherAlgs); i++){
2021 if(cipherAlgs[i].tlsid == a){
2023 c->enc = cipherAlgs[i].enc;
2024 c->digest = cipherAlgs[i].digest;
2025 c->nsecret = cipherAlgs[i].nsecret;
2026 if(c->nsecret > MaxKeyData)
2040 for(i = 0; i < cv->len; i++) {
2045 weak &= weakCipher[c];
2046 if(isDHE(c) || isECDHE(c))
2047 continue; /* TODO: not implemented for server */
2048 for(j = 0; j < nelem(cipherAlgs); j++)
2049 if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
2058 okCompression(Bytes *cv)
2062 for(i = 0; i < cv->len; i++) {
2064 for(j = 0; j < nelem(compressors); j++) {
2065 if(compressors[j] == c)
2072 static Lock ciphLock;
2073 static int nciphers;
2078 enum {MaxAlgF = 1024, MaxAlgs = 10};
2079 char s[MaxAlgF], *flds[MaxAlgs];
2087 j = open("#a/tls/encalgs", OREAD);
2089 werrstr("can't open #a/tls/encalgs: %r");
2092 n = read(j, s, MaxAlgF-1);
2095 werrstr("nothing in #a/tls/encalgs: %r");
2099 n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
2100 for(i = 0; i < nelem(cipherAlgs); i++){
2102 for(j = 0; j < n; j++){
2103 if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){
2108 cipherAlgs[i].ok = ok;
2111 j = open("#a/tls/hashalgs", OREAD);
2113 werrstr("can't open #a/tls/hashalgs: %r");
2116 n = read(j, s, MaxAlgF-1);
2119 werrstr("nothing in #a/tls/hashalgs: %r");
2123 n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
2124 for(i = 0; i < nelem(cipherAlgs); i++){
2126 for(j = 0; j < n; j++){
2127 if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){
2132 cipherAlgs[i].ok &= ok;
2133 if(cipherAlgs[i].ok)
2146 is = newints(nciphers);
2148 for(i = 0; i < nelem(cipherAlgs); i++){
2149 if(cipherAlgs[i].ok)
2150 is->data[j++] = cipherAlgs[i].tlsid;
2157 //================= security functions ========================
2159 // given X.509 certificate, set up connection to factotum
2160 // for using corresponding private key
2162 factotum_rsa_open(uchar *cert, int certlen)
2170 // start talking to factotum
2171 if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
2173 if((rpc = auth_allocrpc(afd)) == nil){
2177 s = "proto=rsa service=tls role=client";
2178 if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
2179 factotum_rsa_close(rpc);
2183 // roll factotum keyring around to match certificate
2184 rsapub = X509toRSApub(cert, certlen, nil, 0);
2186 if(auth_rpc(rpc, "read", nil, 0) != ARok){
2187 factotum_rsa_close(rpc);
2191 pub = strtomp(rpc->arg, nil, 16, nil);
2193 if(mpcmp(pub,rsapub->n) == 0)
2203 factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
2208 p = mptoa(cipher, 16, nil, 0);
2212 rv = auth_rpc(rpc, "write", p, strlen(p));
2214 if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
2216 return strtomp(rpc->arg, nil, 16, nil);
2220 factotum_rsa_close(AuthRpc*rpc)
2229 tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2231 uchar ai[MD5dlen], tmp[MD5dlen];
2236 s = hmac_md5(label, nlabel, key, nkey, nil, nil);
2237 s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
2238 hmac_md5(seed1, nseed1, key, nkey, ai, s);
2241 s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil);
2242 s = hmac_md5(label, nlabel, key, nkey, nil, s);
2243 s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
2244 hmac_md5(seed1, nseed1, key, nkey, tmp, s);
2248 for(i = 0; i < n; i++)
2252 hmac_md5(ai, MD5dlen, key, nkey, tmp, nil);
2253 memmove(ai, tmp, MD5dlen);
2258 tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2260 uchar ai[SHA1dlen], tmp[SHA1dlen];
2265 s = hmac_sha1(label, nlabel, key, nkey, nil, nil);
2266 s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
2267 hmac_sha1(seed1, nseed1, key, nkey, ai, s);
2270 s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil);
2271 s = hmac_sha1(label, nlabel, key, nkey, nil, s);
2272 s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
2273 hmac_sha1(seed1, nseed1, key, nkey, tmp, s);
2277 for(i = 0; i < n; i++)
2281 hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil);
2282 memmove(ai, tmp, SHA1dlen);
2287 p_sha256(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed, int nseed)
2289 uchar ai[SHA2_256dlen], tmp[SHA2_256dlen];
2294 s = hmac_sha2_256(label, nlabel, key, nkey, nil, nil);
2295 hmac_sha2_256(seed, nseed, key, nkey, ai, s);
2298 s = hmac_sha2_256(ai, SHA2_256dlen, key, nkey, nil, nil);
2299 s = hmac_sha2_256(label, nlabel, key, nkey, nil, s);
2300 hmac_sha2_256(seed, nseed, key, nkey, tmp, s);
2304 memmove(buf, tmp, n);
2307 hmac_sha2_256(ai, SHA2_256dlen, key, nkey, tmp, nil);
2308 memmove(ai, tmp, SHA2_256dlen);
2312 // fill buf with md5(args)^sha1(args)
2314 tls10PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2316 int nlabel = strlen(label);
2317 int n = (nkey + 1) >> 1;
2319 memset(buf, 0, nbuf);
2320 tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
2321 tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
2325 tls12PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2327 uchar seed[2*RandomSize];
2329 assert(nseed0+nseed1 <= sizeof(seed));
2330 memmove(seed, seed0, nseed0);
2331 memmove(seed+nseed0, seed1, nseed1);
2332 p_sha256(buf, nbuf, key, nkey, (uchar*)label, strlen(label), seed, nseed0+nseed1);
2336 * for setting server session id's
2338 static Lock sidLock;
2339 static long maxSid = 1;
2341 /* the keys are verified to have the same public components
2342 * and to function correctly with pkcs 1 encryption and decryption. */
2344 tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
2346 TlsSec *sec = emalloc(sizeof(*sec));
2348 USED(csid); USED(ncsid); // ignore csid for now
2350 memmove(sec->crandom, crandom, RandomSize);
2351 sec->clientVers = cvers;
2353 put32(sec->srandom, time(0));
2354 genrandom(sec->srandom+4, RandomSize-4);
2355 memmove(srandom, sec->srandom, RandomSize);
2358 * make up a unique sid: use our pid, and and incrementing id
2359 * can signal no sid by setting nssid to 0.
2361 memset(ssid, 0, SidSize);
2362 put32(ssid, getpid());
2364 put32(ssid+4, maxSid++);
2371 tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm)
2374 if(setVers(sec, vers) < 0)
2376 serverMasterSecret(sec, epm);
2377 }else if(sec->vers != vers){
2378 werrstr("mismatched session versions");
2388 tlsSecInitc(int cvers, uchar *crandom)
2390 TlsSec *sec = emalloc(sizeof(*sec));
2391 sec->clientVers = cvers;
2392 put32(sec->crandom, time(0));
2393 genrandom(sec->crandom+4, RandomSize-4);
2394 memmove(crandom, sec->crandom, RandomSize);
2399 tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers)
2407 memmove(sec->srandom, srandom, RandomSize);
2408 if(setVers(sec, vers) < 0)
2410 pub = X509toRSApub(cert, ncert, nil, 0);
2412 werrstr("invalid x509/rsa certificate");
2415 epm = clientMasterSecret(sec, pub);
2425 tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient)
2427 if(sec->nfin != nfin){
2429 werrstr("invalid finished exchange");
2432 hsh.md5.malloced = 0;
2433 hsh.sha1.malloced = 0;
2434 hsh.sha2_256.malloced = 0;
2435 (*sec->setFinished)(sec, hsh, fin, isclient);
2440 tlsSecOk(TlsSec *sec)
2447 tlsSecKill(TlsSec *sec)
2451 factotum_rsa_close(sec->rpc);
2456 tlsSecClose(TlsSec *sec)
2460 factotum_rsa_close(sec->rpc);
2466 setVers(TlsSec *sec, int v)
2468 if(v == SSL3Version){
2469 sec->setFinished = sslSetFinished;
2470 sec->nfin = SSL3FinishedLen;
2472 }else if(v < TLS12Version) {
2473 sec->setFinished = tls10SetFinished;
2474 sec->nfin = TLSFinishedLen;
2475 sec->prf = tls10PRF;
2477 sec->setFinished = tls12SetFinished;
2478 sec->nfin = TLSFinishedLen;
2479 sec->prf = tls12PRF;
2486 * generate secret keys from the master secret.
2488 * different crypto selections will require different amounts
2489 * of key expansion and use of key expansion data,
2490 * but it's all generated using the same function.
2493 setSecrets(TlsSec *sec, uchar *kd, int nkd)
2495 (*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
2496 sec->srandom, RandomSize, sec->crandom, RandomSize);
2500 * set the master secret from the pre-master secret,
2501 * destroys premaster.
2504 setMasterSecret(TlsSec *sec, Bytes *pm)
2506 (*sec->prf)(sec->sec, MasterSecretSize, pm->data, pm->len, "master secret",
2507 sec->crandom, RandomSize, sec->srandom, RandomSize);
2509 memset(pm->data, 0, pm->len);
2514 serverMasterSecret(TlsSec *sec, Bytes *epm)
2518 pm = pkcs1_decrypt(sec, epm);
2520 // if the client messed up, just continue as if everything is ok,
2521 // to prevent attacks to check for correctly formatted messages.
2522 // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
2523 if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
2524 fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
2525 sec->ok, pm, pm != nil ? get16(pm->data) : -1, sec->clientVers, epm->len);
2528 pm = newbytes(MasterSecretSize);
2529 genrandom(pm->data, MasterSecretSize);
2531 assert(pm->len == MasterSecretSize);
2532 setMasterSecret(sec, pm);
2536 clientMasterSecret(TlsSec *sec, RSApub *pub)
2540 pm = newbytes(MasterSecretSize);
2541 put16(pm->data, sec->clientVers);
2542 genrandom(pm->data+2, MasterSecretSize - 2);
2543 epm = pkcs1_encrypt(pm, pub, 2);
2544 setMasterSecret(sec, pm);
2549 sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2552 uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
2560 md5((uchar*)label, 4, nil, &hsh.md5);
2561 md5(sec->sec, MasterSecretSize, nil, &hsh.md5);
2562 memset(pad, 0x36, 48);
2563 md5(pad, 48, nil, &hsh.md5);
2564 md5(nil, 0, h0, &hsh.md5);
2565 memset(pad, 0x5C, 48);
2566 s = md5(sec->sec, MasterSecretSize, nil, nil);
2567 s = md5(pad, 48, nil, s);
2568 md5(h0, MD5dlen, finished, s);
2570 sha1((uchar*)label, 4, nil, &hsh.sha1);
2571 sha1(sec->sec, MasterSecretSize, nil, &hsh.sha1);
2572 memset(pad, 0x36, 40);
2573 sha1(pad, 40, nil, &hsh.sha1);
2574 sha1(nil, 0, h1, &hsh.sha1);
2575 memset(pad, 0x5C, 40);
2576 s = sha1(sec->sec, MasterSecretSize, nil, nil);
2577 s = sha1(pad, 40, nil, s);
2578 sha1(h1, SHA1dlen, finished + MD5dlen, s);
2581 // fill "finished" arg with md5(args)^sha1(args)
2583 tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2585 uchar h0[MD5dlen], h1[SHA1dlen];
2588 // get current hash value, but allow further messages to be hashed in
2589 md5(nil, 0, h0, &hsh.md5);
2590 sha1(nil, 0, h1, &hsh.sha1);
2593 label = "client finished";
2595 label = "server finished";
2596 tls10PRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
2600 tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
2602 uchar seed[SHA2_256dlen];
2605 // get current hash value, but allow further messages to be hashed in
2606 sha2_256(nil, 0, seed, &hsh.sha2_256);
2609 label = "client finished";
2611 label = "server finished";
2612 p_sha256(finished, TLSFinishedLen, sec->sec, MasterSecretSize, (uchar*)label, strlen(label), seed, SHA2_256dlen);
2616 sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2618 uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
2627 for(i = 0; i < len; i++)
2628 tmp[i] = 'A' - 1 + len;
2629 s = sha1(tmp, len, nil, nil);
2630 s = sha1(key, nkey, nil, s);
2631 s = sha1(seed0, nseed0, nil, s);
2632 sha1(seed1, nseed1, sha1dig, s);
2633 s = md5(key, nkey, nil, nil);
2634 md5(sha1dig, SHA1dlen, md5dig, s);
2638 memmove(buf, md5dig, n);
2646 bytestomp(Bytes* bytes)
2648 return betomp(bytes->data, bytes->len, nil);
2652 * Convert mpint* to Bytes, putting high order byte first.
2655 mptobytes(mpint* big)
2660 n = (mpsignif(big)+7)/8;
2663 ans->len = mptobe(big, ans->data, n, nil);
2667 // Do RSA computation on block according to key, and pad
2668 // result on left with zeros to make it modlen long.
2670 rsacomp(Bytes* block, RSApub* key, int modlen)
2676 x = bytestomp(block);
2677 y = rsaencrypt(key, x, nil);
2679 ybytes = mptobytes(y);
2684 a = newbytes(modlen);
2685 memset(a->data, 0, modlen-ylen);
2686 memmove(a->data+modlen-ylen, ybytes->data, ylen);
2690 else if(ylen > modlen) {
2691 // assume it has leading zeros (mod should make it so)
2692 a = newbytes(modlen);
2693 memmove(a->data, ybytes->data, modlen);
2700 // encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
2702 pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
2704 Bytes *pad, *eb, *ans;
2705 int i, dlen, padlen, modlen;
2707 modlen = (mpsignif(key->n)+7)/8;
2709 if(modlen < 12 || dlen > modlen - 11)
2711 padlen = modlen - 3 - dlen;
2712 pad = newbytes(padlen);
2713 genrandom(pad->data, padlen);
2714 for(i = 0; i < padlen; i++) {
2717 else if(blocktype == 1)
2719 else if(pad->data[i] == 0)
2722 eb = newbytes(modlen);
2724 eb->data[1] = blocktype;
2725 memmove(eb->data+2, pad->data, padlen);
2726 eb->data[padlen+2] = 0;
2727 memmove(eb->data+padlen+3, data->data, dlen);
2728 ans = rsacomp(eb, key, modlen);
2734 // decrypt data according to PKCS#1, with given key.
2735 // expect a block type of 2.
2737 pkcs1_decrypt(TlsSec *sec, Bytes *cipher)
2739 Bytes *eb, *ans = nil;
2743 modlen = (mpsignif(sec->rsapub->n)+7)/8;
2744 if(cipher->len != modlen)
2746 x = bytestomp(cipher);
2747 y = factotum_rsa_decrypt(sec->rpc, x);
2752 if(eb->len < modlen){ // pad on left with zeros
2753 ans = newbytes(modlen);
2754 memset(ans->data, 0, modlen-eb->len);
2755 memmove(ans->data+modlen-eb->len, eb->data, eb->len);
2759 if(eb->data[0] == 0 && eb->data[1] == 2) {
2760 for(i = 2; i < modlen; i++)
2761 if(eb->data[i] == 0)
2764 ans = makebytes(eb->data+i+1, modlen-(i+1));
2771 //================= general utility functions ========================
2781 sysfatal("out of memory");
2783 setmalloctag(p, getcallerpc(&n));
2788 erealloc(void *ReallocP, int ReallocN)
2793 ReallocP = emalloc(ReallocN);
2794 else if((ReallocP = realloc(ReallocP, ReallocN)) == nil)
2795 sysfatal("out of memory");
2796 setrealloctag(ReallocP, getcallerpc(&ReallocP));
2801 put32(uchar *p, u32int x)
2810 put24(uchar *p, int x)
2818 put16(uchar *p, int x)
2827 return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2833 return (p[0]<<16)|(p[1]<<8)|p[2];
2839 return (p[0]<<8)|p[1];
2842 #define OFFSET(x, s) offsetof(s, x)
2851 ans = (Bytes*)emalloc(OFFSET(data[0], Bytes) + len);
2857 * newbytes(len), with data initialized from buf
2860 makebytes(uchar* buf, int len)
2864 ans = newbytes(len);
2865 memmove(ans->data, buf, len);
2875 /* len is number of ints */
2881 if(len < 0 || len > ((uint)-1>>1)/sizeof(int))
2883 ans = (Ints*)emalloc(OFFSET(data[0], Ints) + len*sizeof(int));