

1 0fc65b37 2004-03-21 devnull #include <u.h>
2 0fc65b37 2004-03-21 devnull #include <libc.h>
3 0fc65b37 2004-03-21 devnull #include <bio.h>
4 0fc65b37 2004-03-21 devnull #include <auth.h>
5 0fc65b37 2004-03-21 devnull #include <mp.h>
6 0fc65b37 2004-03-21 devnull #include <libsec.h>
7 0fc65b37 2004-03-21 devnull
8 cbeb0b26 2006-04-01 devnull /* The main groups of functions are: */
9 cbeb0b26 2006-04-01 devnull /* client/server - main handshake protocol definition */
10 cbeb0b26 2006-04-01 devnull /* message functions - formatting handshake messages */
11 cbeb0b26 2006-04-01 devnull /* cipher choices - catalog of digest and encrypt algorithms */
12 cbeb0b26 2006-04-01 devnull /* security functions - PKCS#1, sslHMAC, session keygen */
13 cbeb0b26 2006-04-01 devnull /* general utility functions - malloc, serialization */
14 cbeb0b26 2006-04-01 devnull /* The handshake protocol builds on the TLS/SSL3 record layer protocol, */
15 cbeb0b26 2006-04-01 devnull /* which is implemented in kernel device #a. See also /lib/rfc/rfc2246. */
16 0fc65b37 2004-03-21 devnull
/*
 * Fixed sizes used by the handshake code, plus the two msgSend actions.
 * The stack and struct buffers in this file are dimensioned from these
 * values, so any length taken from the peer must be checked against them
 * before it is used as a copy length.
 */
enum {
	TLSFinishedLen = 12,	/* length of the TLS Finished verify data */
	SSL3FinishedLen = MD5dlen+SHA1dlen,	/* SSL3 Finished is an MD5 digest followed by a SHA1 digest; Finished.verify is sized by this */
	MaxKeyData = 104, /* amount of secret we may need */
	MaxChunk = 1<<14,	/* TlsConnection.buf is MaxChunk+2048 bytes */
	RandomSize = 32,	/* size of the crandom/srandom arrays */
	SidSize = 32,	/* size of the sid[] buffer in tlsServer2 */
	MasterSecretSize = 48,	/* size of TlsSec.sec */
	AQueue = 0,	/* msgSend act value; presumably "queue without flushing" - confirm in msgSend */
	AFlush = 1	/* msgSend act value; used for the last message of a flight (ServerHelloDone) */
};
28 0fc65b37 2004-03-21 devnull
29 0fc65b37 2004-03-21 devnull typedef struct TlsSec TlsSec;
30 0fc65b37 2004-03-21 devnull
/*
 * Counted byte string.  data is declared with one element but, per the
 * [len] note, is used as a trailing array of len bytes; the allocation
 * that makes room for it is in newbytes/makebytes, outside this view.
 * NOTE(review): len is a signed int, so code that fills a Bytes from
 * wire data has to reject negative or oversized lengths before copying.
 */
typedef struct Bytes{
	int len;
	uchar data[1]; /* [len] */
} Bytes;

/*
 * Counted array of ints, laid out the same way as Bytes.
 * Used for the cipher suite list in a ClientHello (Msg.u.clientHello.ciphers).
 */
typedef struct Ints{
	int len;
	int data[1]; /* [len] */
} Ints;
40 0fc65b37 2004-03-21 devnull
41 0fc65b37 2004-03-21 devnull typedef struct Algs{
42 0fc65b37 2004-03-21 devnull char *enc;
43 0fc65b37 2004-03-21 devnull char *digest;
44 0fc65b37 2004-03-21 devnull int nsecret;
45 0fc65b37 2004-03-21 devnull int tlsid;
46 0fc65b37 2004-03-21 devnull int ok;
47 0fc65b37 2004-03-21 devnull } Algs;
48 0fc65b37 2004-03-21 devnull
49 0fc65b37 2004-03-21 devnull typedef struct Finished{
50 0fc65b37 2004-03-21 devnull uchar verify[SSL3FinishedLen];
51 0fc65b37 2004-03-21 devnull int n;
52 0fc65b37 2004-03-21 devnull } Finished;
53 0fc65b37 2004-03-21 devnull
54 0fc65b37 2004-03-21 devnull typedef struct TlsConnection{
55 cbeb0b26 2006-04-01 devnull TlsSec *sec; /* security management goo */
56 cbeb0b26 2006-04-01 devnull int hand, ctl; /* record layer file descriptors */
57 cbeb0b26 2006-04-01 devnull int erred; /* set when tlsError called */
58 cbeb0b26 2006-04-01 devnull int (*trace)(char*fmt, ...); /* for debugging */
59 cbeb0b26 2006-04-01 devnull int version; /* protocol we are speaking */
60 cbeb0b26 2006-04-01 devnull int verset; /* version has been set */
61 cbeb0b26 2006-04-01 devnull int ver2hi; /* server got a version 2 hello */
62 cbeb0b26 2006-04-01 devnull int isClient; /* is this the client or server? */
63 cbeb0b26 2006-04-01 devnull Bytes *sid; /* SessionID */
64 cbeb0b26 2006-04-01 devnull Bytes *cert; /* only last - no chain */
65 0fc65b37 2004-03-21 devnull
66 0fc65b37 2004-03-21 devnull Lock statelk;
67 cbeb0b26 2006-04-01 devnull int state; /* must be set using setstate */
68 0fc65b37 2004-03-21 devnull
69 cbeb0b26 2006-04-01 devnull /* input buffer for handshake messages */
70 0fc65b37 2004-03-21 devnull uchar buf[MaxChunk+2048];
71 0fc65b37 2004-03-21 devnull uchar *rp, *ep;
72 0fc65b37 2004-03-21 devnull
73 cbeb0b26 2006-04-01 devnull uchar crandom[RandomSize]; /* client random */
74 cbeb0b26 2006-04-01 devnull uchar srandom[RandomSize]; /* server random */
75 cbeb0b26 2006-04-01 devnull int clientVersion; /* version in ClientHello */
76 cbeb0b26 2006-04-01 devnull char *digest; /* name of digest algorithm to use */
77 cbeb0b26 2006-04-01 devnull char *enc; /* name of encryption algorithm to use */
78 cbeb0b26 2006-04-01 devnull int nsecret; /* amount of secret data to init keys */
79 0fc65b37 2004-03-21 devnull
80 cbeb0b26 2006-04-01 devnull /* for finished messages */
81 cbeb0b26 2006-04-01 devnull MD5state hsmd5; /* handshake hash */
82 cbeb0b26 2006-04-01 devnull SHAstate hssha1; /* handshake hash */
83 0fc65b37 2004-03-21 devnull Finished finished;
84 0fc65b37 2004-03-21 devnull } TlsConnection;
85 0fc65b37 2004-03-21 devnull
86 0fc65b37 2004-03-21 devnull typedef struct Msg{
87 0fc65b37 2004-03-21 devnull int tag;
88 0fc65b37 2004-03-21 devnull union {
89 0fc65b37 2004-03-21 devnull struct {
90 0fc65b37 2004-03-21 devnull int version;
91 0fc65b37 2004-03-21 devnull uchar random[RandomSize];
92 0fc65b37 2004-03-21 devnull Bytes* sid;
93 0fc65b37 2004-03-21 devnull Ints* ciphers;
94 0fc65b37 2004-03-21 devnull Bytes* compressors;
95 0fc65b37 2004-03-21 devnull } clientHello;
96 0fc65b37 2004-03-21 devnull struct {
97 0fc65b37 2004-03-21 devnull int version;
98 0fc65b37 2004-03-21 devnull uchar random[RandomSize];
99 0fc65b37 2004-03-21 devnull Bytes* sid;
100 0fc65b37 2004-03-21 devnull int cipher;
101 0fc65b37 2004-03-21 devnull int compressor;
102 0fc65b37 2004-03-21 devnull } serverHello;
103 0fc65b37 2004-03-21 devnull struct {
104 0fc65b37 2004-03-21 devnull int ncert;
105 0fc65b37 2004-03-21 devnull Bytes **certs;
106 0fc65b37 2004-03-21 devnull } certificate;
107 0fc65b37 2004-03-21 devnull struct {
108 0fc65b37 2004-03-21 devnull Bytes *types;
109 0fc65b37 2004-03-21 devnull int nca;
110 0fc65b37 2004-03-21 devnull Bytes **cas;
111 0fc65b37 2004-03-21 devnull } certificateRequest;
112 0fc65b37 2004-03-21 devnull struct {
113 0fc65b37 2004-03-21 devnull Bytes *key;
114 0fc65b37 2004-03-21 devnull } clientKeyExchange;
115 0fc65b37 2004-03-21 devnull Finished finished;
116 0fc65b37 2004-03-21 devnull } u;
117 0fc65b37 2004-03-21 devnull } Msg;
118 0fc65b37 2004-03-21 devnull
119 0fc65b37 2004-03-21 devnull struct TlsSec{
120 cbeb0b26 2006-04-01 devnull char *server; /* name of remote; nil for server */
121 cbeb0b26 2006-04-01 devnull int ok; /* <0 killed; ==0 in progress; >0 reusable */
122 0fc65b37 2004-03-21 devnull RSApub *rsapub;
123 cbeb0b26 2006-04-01 devnull AuthRpc *rpc; /* factotum for rsa private key */
124 cbeb0b26 2006-04-01 devnull uchar sec[MasterSecretSize]; /* master secret */
125 cbeb0b26 2006-04-01 devnull uchar crandom[RandomSize]; /* client random */
126 cbeb0b26 2006-04-01 devnull uchar srandom[RandomSize]; /* server random */
127 cbeb0b26 2006-04-01 devnull int clientVers; /* version in ClientHello */
128 cbeb0b26 2006-04-01 devnull int vers; /* final version */
129 cbeb0b26 2006-04-01 devnull /* byte generation and handshake checksum */
130 0fc65b37 2004-03-21 devnull void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
131 0fc65b37 2004-03-21 devnull void (*setFinished)(TlsSec*, MD5state, SHAstate, uchar*, int);
132 0fc65b37 2004-03-21 devnull int nfin;
133 0fc65b37 2004-03-21 devnull };
134 0fc65b37 2004-03-21 devnull
135 0fc65b37 2004-03-21 devnull
/*
 * Protocol version numbers as they appear on the wire (major<<8 | minor).
 * 0x0300 is SSL 3.0 and 0x0301 is TLS 1.0.
 * NOTE(review): the highest version spoken here is TLS 1.0 and the lowest
 * accepted is SSL 3.0.  Both have since been deprecated (RFC 7568 for
 * SSL 3.0, RFC 8996 for TLS 1.0), so a peer that enforces current policy
 * will refuse this range.  How MinProtoVersion/MaxProtoVersion are applied
 * is decided in setVersion, which is outside this view.
 */
enum {
	TLSVersion = 0x0301,
	SSL3Version = 0x0300,
	ProtocolVersion = 0x0301, /* maximum version we speak */
	MinProtoVersion = 0x0300, /* limits on version we accept */
	MaxProtoVersion = 0x03ff
};
143 0fc65b37 2004-03-21 devnull
144 cbeb0b26 2006-04-01 devnull /* handshake type */
145 0fc65b37 2004-03-21 devnull enum {
146 0fc65b37 2004-03-21 devnull HHelloRequest,
147 0fc65b37 2004-03-21 devnull HClientHello,
148 0fc65b37 2004-03-21 devnull HServerHello,
149 0fc65b37 2004-03-21 devnull HSSL2ClientHello = 9, /* local convention; see devtls.c */
150 0fc65b37 2004-03-21 devnull HCertificate = 11,
151 0fc65b37 2004-03-21 devnull HServerKeyExchange,
152 0fc65b37 2004-03-21 devnull HCertificateRequest,
153 0fc65b37 2004-03-21 devnull HServerHelloDone,
154 0fc65b37 2004-03-21 devnull HCertificateVerify,
155 0fc65b37 2004-03-21 devnull HClientKeyExchange,
156 0fc65b37 2004-03-21 devnull HFinished = 20,
157 0fc65b37 2004-03-21 devnull HMax
158 0fc65b37 2004-03-21 devnull };
159 0fc65b37 2004-03-21 devnull
160 cbeb0b26 2006-04-01 devnull /* alerts */
161 0fc65b37 2004-03-21 devnull enum {
162 0fc65b37 2004-03-21 devnull ECloseNotify = 0,
163 0fc65b37 2004-03-21 devnull EUnexpectedMessage = 10,
164 0fc65b37 2004-03-21 devnull EBadRecordMac = 20,
165 0fc65b37 2004-03-21 devnull EDecryptionFailed = 21,
166 0fc65b37 2004-03-21 devnull ERecordOverflow = 22,
167 0fc65b37 2004-03-21 devnull EDecompressionFailure = 30,
168 0fc65b37 2004-03-21 devnull EHandshakeFailure = 40,
169 0fc65b37 2004-03-21 devnull ENoCertificate = 41,
170 0fc65b37 2004-03-21 devnull EBadCertificate = 42,
171 0fc65b37 2004-03-21 devnull EUnsupportedCertificate = 43,
172 0fc65b37 2004-03-21 devnull ECertificateRevoked = 44,
173 0fc65b37 2004-03-21 devnull ECertificateExpired = 45,
174 0fc65b37 2004-03-21 devnull ECertificateUnknown = 46,
175 0fc65b37 2004-03-21 devnull EIllegalParameter = 47,
176 0fc65b37 2004-03-21 devnull EUnknownCa = 48,
177 0fc65b37 2004-03-21 devnull EAccessDenied = 49,
178 0fc65b37 2004-03-21 devnull EDecodeError = 50,
179 0fc65b37 2004-03-21 devnull EDecryptError = 51,
180 0fc65b37 2004-03-21 devnull EExportRestriction = 60,
181 0fc65b37 2004-03-21 devnull EProtocolVersion = 70,
182 0fc65b37 2004-03-21 devnull EInsufficientSecurity = 71,
183 0fc65b37 2004-03-21 devnull EInternalError = 80,
184 0fc65b37 2004-03-21 devnull EUserCanceled = 90,
185 0fc65b37 2004-03-21 devnull ENoRenegotiation = 100,
186 0fc65b37 2004-03-21 devnull EMax = 256
187 0fc65b37 2004-03-21 devnull };
188 0fc65b37 2004-03-21 devnull
189 cbeb0b26 2006-04-01 devnull /* cipher suites */
190 0fc65b37 2004-03-21 devnull enum {
191 0fc65b37 2004-03-21 devnull TLS_NULL_WITH_NULL_NULL = 0x0000,
192 0fc65b37 2004-03-21 devnull TLS_RSA_WITH_NULL_MD5 = 0x0001,
193 0fc65b37 2004-03-21 devnull TLS_RSA_WITH_NULL_SHA = 0x0002,
194 0fc65b37 2004-03-21 devnull TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
195 0fc65b37 2004-03-21 devnull TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
196 0fc65b37 2004-03-21 devnull TLS_RSA_WITH_RC4_128_SHA = 0x0005,
197 0fc65b37 2004-03-21 devnull TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006,
198 0fc65b37 2004-03-21 devnull TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
199 0fc65b37 2004-03-21 devnull TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008,
200 0fc65b37 2004-03-21 devnull TLS_RSA_WITH_DES_CBC_SHA = 0X0009,
201 0fc65b37 2004-03-21 devnull TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A,
202 0fc65b37 2004-03-21 devnull TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X000B,
203 0fc65b37 2004-03-21 devnull TLS_DH_DSS_WITH_DES_CBC_SHA = 0X000C,
204 0fc65b37 2004-03-21 devnull TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0X000D,
205 0fc65b37 2004-03-21 devnull TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X000E,
206 0fc65b37 2004-03-21 devnull TLS_DH_RSA_WITH_DES_CBC_SHA = 0X000F,
207 0fc65b37 2004-03-21 devnull TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0X0010,
208 0fc65b37 2004-03-21 devnull TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X0011,
209 0fc65b37 2004-03-21 devnull TLS_DHE_DSS_WITH_DES_CBC_SHA = 0X0012,
210 cbeb0b26 2006-04-01 devnull TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0X0013, /* ZZZ must be implemented for tls1.0 compliance */
211 0fc65b37 2004-03-21 devnull TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0014,
212 0fc65b37 2004-03-21 devnull TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015,
213 0fc65b37 2004-03-21 devnull TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016,
214 0fc65b37 2004-03-21 devnull TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
215 0fc65b37 2004-03-21 devnull TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
216 0fc65b37 2004-03-21 devnull TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
217 0fc65b37 2004-03-21 devnull TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
218 0fc65b37 2004-03-21 devnull TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
219 0fc65b37 2004-03-21 devnull
220 cbeb0b26 2006-04-01 devnull TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, /* aes, aka rijndael with 128 bit blocks */
221 0fc65b37 2004-03-21 devnull TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
222 0fc65b37 2004-03-21 devnull TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
223 0fc65b37 2004-03-21 devnull TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
224 0fc65b37 2004-03-21 devnull TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0X0033,
225 0fc65b37 2004-03-21 devnull TLS_DH_anon_WITH_AES_128_CBC_SHA = 0X0034,
226 0fc65b37 2004-03-21 devnull TLS_RSA_WITH_AES_256_CBC_SHA = 0X0035,
227 0fc65b37 2004-03-21 devnull TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0X0036,
228 0fc65b37 2004-03-21 devnull TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0X0037,
229 0fc65b37 2004-03-21 devnull TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
230 0fc65b37 2004-03-21 devnull TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
231 0fc65b37 2004-03-21 devnull TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
232 0fc65b37 2004-03-21 devnull CipherMax
233 0fc65b37 2004-03-21 devnull };
234 0fc65b37 2004-03-21 devnull
235 cbeb0b26 2006-04-01 devnull /* compression methods */
236 0fc65b37 2004-03-21 devnull enum {
237 0fc65b37 2004-03-21 devnull CompressionNull = 0,
238 0fc65b37 2004-03-21 devnull CompressionMax
239 0fc65b37 2004-03-21 devnull };
240 0fc65b37 2004-03-21 devnull
/*
 * Catalog of the cipher suites this implementation can negotiate.
 * Fields, in Algs order: enc (cipher name), digest (MAC digest name),
 * nsecret (bytes of key material needed), tlsid (wire identifier).
 * The trailing ok field is left zero here; presumably initCiphers fills
 * it in - confirm there.
 *
 * nsecret is twice the per-direction requirement.  For rc4_128 that is a
 * 16-byte key plus a MAC key of digest length; for 3des_ede_cbc the 4*8
 * term looks like a 24-byte key plus an 8-byte IV - confirm against the
 * key expansion code.
 *
 * NOTE(review): all three suites use RSA key transport, so none provides
 * forward secrecy.  RC4 suites are prohibited in TLS by RFC 7465, and
 * 3DES is a 64-bit block cipher.  None of the AES suites listed in the
 * cipher suite enum appears in this table.
 */
static Algs cipherAlgs[] = {
	{"rc4_128", "md5", 2 * (16 + MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
	{"rc4_128", "sha1", 2 * (16 + SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
	{"3des_ede_cbc","sha1",2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
};
246 0fc65b37 2004-03-21 devnull
247 0fc65b37 2004-03-21 devnull static uchar compressors[] = {
248 0fc65b37 2004-03-21 devnull CompressionNull,
249 0fc65b37 2004-03-21 devnull };
250 0fc65b37 2004-03-21 devnull
251 1b1434eb 2004-12-26 devnull static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chain);
252 0fc65b37 2004-03-21 devnull static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...));
253 0fc65b37 2004-03-21 devnull
254 0fc65b37 2004-03-21 devnull static void msgClear(Msg *m);
255 0fc65b37 2004-03-21 devnull static char* msgPrint(char *buf, int n, Msg *m);
256 0fc65b37 2004-03-21 devnull static int msgRecv(TlsConnection *c, Msg *m);
257 0fc65b37 2004-03-21 devnull static int msgSend(TlsConnection *c, Msg *m, int act);
258 0fc65b37 2004-03-21 devnull static void tlsError(TlsConnection *c, int err, char *msg, ...);
259 0fc65b37 2004-03-21 devnull /* #pragma varargck argpos tlsError 3*/
260 0fc65b37 2004-03-21 devnull static int setVersion(TlsConnection *c, int version);
261 0fc65b37 2004-03-21 devnull static int finishedMatch(TlsConnection *c, Finished *f);
262 0fc65b37 2004-03-21 devnull static void tlsConnectionFree(TlsConnection *c);
263 0fc65b37 2004-03-21 devnull
264 0fc65b37 2004-03-21 devnull static int setAlgs(TlsConnection *c, int a);
265 0fc65b37 2004-03-21 devnull static int okCipher(Ints *cv);
266 0fc65b37 2004-03-21 devnull static int okCompression(Bytes *cv);
267 0fc65b37 2004-03-21 devnull static int initCiphers(void);
268 0fc65b37 2004-03-21 devnull static Ints* makeciphers(void);
269 0fc65b37 2004-03-21 devnull
270 0fc65b37 2004-03-21 devnull static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
271 0fc65b37 2004-03-21 devnull static int tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd);
272 0fc65b37 2004-03-21 devnull static TlsSec* tlsSecInitc(int cvers, uchar *crandom);
273 0fc65b37 2004-03-21 devnull static int tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd);
274 0fc65b37 2004-03-21 devnull static int tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient);
275 0fc65b37 2004-03-21 devnull static void tlsSecOk(TlsSec *sec);
276 1b1434eb 2004-12-26 devnull /* static void tlsSecKill(TlsSec *sec); */
277 0fc65b37 2004-03-21 devnull static void tlsSecClose(TlsSec *sec);
278 0fc65b37 2004-03-21 devnull static void setMasterSecret(TlsSec *sec, Bytes *pm);
279 0fc65b37 2004-03-21 devnull static void serverMasterSecret(TlsSec *sec, uchar *epm, int nepm);
280 0fc65b37 2004-03-21 devnull static void setSecrets(TlsSec *sec, uchar *kd, int nkd);
281 0fc65b37 2004-03-21 devnull static int clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm);
282 0fc65b37 2004-03-21 devnull static Bytes *pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
283 0fc65b37 2004-03-21 devnull static Bytes *pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm);
284 0fc65b37 2004-03-21 devnull static void tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
285 0fc65b37 2004-03-21 devnull static void sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
286 0fc65b37 2004-03-21 devnull static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
287 0fc65b37 2004-03-21 devnull uchar *seed0, int nseed0, uchar *seed1, int nseed1);
288 0fc65b37 2004-03-21 devnull static int setVers(TlsSec *sec, int version);
289 0fc65b37 2004-03-21 devnull
290 0fc65b37 2004-03-21 devnull static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
291 0fc65b37 2004-03-21 devnull static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
292 0fc65b37 2004-03-21 devnull static void factotum_rsa_close(AuthRpc*rpc);
293 0fc65b37 2004-03-21 devnull
294 0fc65b37 2004-03-21 devnull static void* emalloc(int);
295 0fc65b37 2004-03-21 devnull static void* erealloc(void*, int);
296 0fc65b37 2004-03-21 devnull static void put32(uchar *p, u32int);
297 0fc65b37 2004-03-21 devnull static void put24(uchar *p, int);
298 0fc65b37 2004-03-21 devnull static void put16(uchar *p, int);
299 1b1434eb 2004-12-26 devnull /* static u32int get32(uchar *p); */
300 0fc65b37 2004-03-21 devnull static int get24(uchar *p);
301 0fc65b37 2004-03-21 devnull static int get16(uchar *p);
302 0fc65b37 2004-03-21 devnull static Bytes* newbytes(int len);
303 0fc65b37 2004-03-21 devnull static Bytes* makebytes(uchar* buf, int len);
304 0fc65b37 2004-03-21 devnull static void freebytes(Bytes* b);
305 0fc65b37 2004-03-21 devnull static Ints* newints(int len);
306 1b1434eb 2004-12-26 devnull /* static Ints* makeints(int* buf, int len); */
307 0fc65b37 2004-03-21 devnull static void freeints(Ints* b);
308 0fc65b37 2004-03-21 devnull
309 cbeb0b26 2006-04-01 devnull /*================= client/server ======================== */
310 0fc65b37 2004-03-21 devnull
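/*
 * Push TLS onto fd as the server side, returning a new (application)
 * file descriptor, or -1 on error.
 *
 * conn supplies the server certificate (cert, certlen), an optional
 * chain and an optional trace function.  On success conn->dir names the
 * record layer directory, conn->cert is freed and cleared, and
 * conn->sessionID/sessionIDlen receive a freshly allocated copy of the
 * session id.
 *
 * fd is closed once the handshake has been attempted, whether or not it
 * succeeded; it is left open if the function fails before that point.
 */
int
tlsServer(int fd, TLSconn *conn)
{
	char buf[8];
	char dname[64];
	int n, data, ctl, hand;
	TlsConnection *tls;

	if(conn == nil)
		return -1;
	ctl = open("#a/tls/clone", ORDWR);
	if(ctl < 0)
		return -1;
	n = read(ctl, buf, sizeof(buf)-1);
	if(n < 0){
		close(ctl);
		return -1;
	}
	buf[n] = 0;
	/*
	 * buf holds at most 7 bytes, so the formatted name is at most
	 * 14 characters plus the terminator.  conn->dir is declared
	 * outside this view - confirm it is at least that large.
	 */
	sprint(conn->dir, "#a/tls/%s", buf);
	snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
	hand = open(dname, ORDWR);
	if(hand < 0){
		close(ctl);
		return -1;
	}
	/*
	 * NOTE(review): the result of this control write is not checked;
	 * if it fails the handshake below runs against a record layer
	 * that was never given fd.
	 */
	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
	tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
	snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
	data = open(dname, ORDWR);
	close(fd);
	close(hand);
	close(ctl);
	if(data < 0){
		/*
		 * The handshake may have succeeded even though the data
		 * file could not be opened.  Release the handshake state
		 * rather than leaking it; it refers to the TlsSec that
		 * holds the master secret.
		 */
		if(tls != nil)
			tlsConnectionFree(tls);
		return -1;
	}
	if(tls == nil){
		close(data);
		return -1;
	}
	free(conn->cert);	/* free(nil) is a no-op */
	conn->cert = 0; /* client certificates are not yet implemented */
	conn->certlen = 0;
	conn->sessionIDlen = tls->sid->len;
	conn->sessionID = emalloc(conn->sessionIDlen);
	memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
	tlsConnectionFree(tls);
	return data;
}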
363 0fc65b37 2004-03-21 devnull
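/*
 * Push TLS onto fd as the client side, returning a new (application)
 * file descriptor, or -1 on error.
 *
 * conn->sessionID/sessionIDlen are passed to the handshake as the
 * session id to offer.  On success conn->dir names the record layer
 * directory, and conn->cert/certlen and conn->sessionID/sessionIDlen
 * receive freshly allocated copies of the certificate and session id
 * held by the handshake state.
 *
 * NOTE(review): this function only copies the peer certificate out; no
 * validation of it is visible here.  Callers presumably have to check
 * conn->cert themselves before trusting the connection - confirm against
 * tlsClient2 and the callers.
 *
 * fd is closed once the handshake has been attempted, whether or not it
 * succeeded; it is left open if the function fails before that point.
 */
int
tlsClient(int fd, TLSconn *conn)
{
	char buf[8];
	char dname[64];
	int n, data, ctl, hand;
	TlsConnection *tls;

	if(!conn)
		return -1;
	ctl = open("#a/tls/clone", ORDWR);
	if(ctl < 0)
		return -1;
	n = read(ctl, buf, sizeof(buf)-1);
	if(n < 0){
		close(ctl);
		return -1;
	}
	buf[n] = 0;
	/*
	 * buf holds at most 7 bytes, so the formatted name is at most
	 * 14 characters plus the terminator.  conn->dir is declared
	 * outside this view - confirm it is at least that large.
	 */
	sprint(conn->dir, "#a/tls/%s", buf);
	snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
	hand = open(dname, ORDWR);
	if(hand < 0){
		close(ctl);
		return -1;
	}
	snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
	data = open(dname, ORDWR);
	if(data < 0){
		/* previously returned with hand and ctl still open */
		close(hand);
		close(ctl);
		return -1;
	}
	/*
	 * NOTE(review): the result of this control write is not checked;
	 * if it fails the handshake below runs against a record layer
	 * that was never given fd.
	 */
	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
	tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->trace);
	close(fd);
	close(hand);
	close(ctl);
	if(tls == nil){
		close(data);
		return -1;
	}
	/* assumes a non-nil result always has cert and sid set - TODO confirm in tlsClient2 */
	conn->certlen = tls->cert->len;
	conn->cert = emalloc(conn->certlen);
	memcpy(conn->cert, tls->cert->data, conn->certlen);
	/*
	 * NOTE(review): the session id pointer the caller passed in is
	 * overwritten without being freed; who owns that buffer is decided
	 * by callers outside this view.
	 */
	conn->sessionIDlen = tls->sid->len;
	conn->sessionID = emalloc(conn->sessionIDlen);
	memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
	tlsConnectionFree(tls);
	return data;
}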
414 0fc65b37 2004-03-21 devnull
/*
 * Return the number of entries in the PEM chain starting at p,
 * following next pointers until nil.  An empty chain counts as 0.
 */
static int
countchain(PEMChain *p)
{
	int n;

	for(n = 0; p != nil; p = p->next)
		n++;
	return n;
}
426 1b1434eb 2004-12-26 devnull
427 0fc65b37 2004-03-21 devnull static TlsConnection *
428 1b1434eb 2004-12-26 devnull tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chp)
429 0fc65b37 2004-03-21 devnull {
430 0fc65b37 2004-03-21 devnull TlsConnection *c;
431 0fc65b37 2004-03-21 devnull Msg m;
432 0fc65b37 2004-03-21 devnull Bytes *csid;
433 0fc65b37 2004-03-21 devnull uchar sid[SidSize], kd[MaxKeyData];
434 0fc65b37 2004-03-21 devnull char *secrets;
435 1b1434eb 2004-12-26 devnull int cipher, compressor, nsid, rv, numcerts, i;
436 0fc65b37 2004-03-21 devnull
437 0fc65b37 2004-03-21 devnull if(trace)
438 0fc65b37 2004-03-21 devnull trace("tlsServer2\n");
439 0fc65b37 2004-03-21 devnull if(!initCiphers())
440 0fc65b37 2004-03-21 devnull return nil;
441 0fc65b37 2004-03-21 devnull c = emalloc(sizeof(TlsConnection));
442 0fc65b37 2004-03-21 devnull c->ctl = ctl;
443 0fc65b37 2004-03-21 devnull c->hand = hand;
444 0fc65b37 2004-03-21 devnull c->trace = trace;
445 0fc65b37 2004-03-21 devnull c->version = ProtocolVersion;
446 0fc65b37 2004-03-21 devnull
447 0fc65b37 2004-03-21 devnull memset(&m, 0, sizeof(m));
448 0fc65b37 2004-03-21 devnull if(!msgRecv(c, &m)){
449 0fc65b37 2004-03-21 devnull if(trace)
450 0fc65b37 2004-03-21 devnull trace("initial msgRecv failed\n");
451 0fc65b37 2004-03-21 devnull goto Err;
452 0fc65b37 2004-03-21 devnull }
453 0fc65b37 2004-03-21 devnull if(m.tag != HClientHello) {
454 0fc65b37 2004-03-21 devnull tlsError(c, EUnexpectedMessage, "expected a client hello");
455 0fc65b37 2004-03-21 devnull goto Err;
456 0fc65b37 2004-03-21 devnull }
457 0fc65b37 2004-03-21 devnull c->clientVersion = m.u.clientHello.version;
458 0fc65b37 2004-03-21 devnull if(trace)
459 0fc65b37 2004-03-21 devnull trace("ClientHello version %x\n", c->clientVersion);
460 0fc65b37 2004-03-21 devnull if(setVersion(c, m.u.clientHello.version) < 0) {
461 0fc65b37 2004-03-21 devnull tlsError(c, EIllegalParameter, "incompatible version");
462 0fc65b37 2004-03-21 devnull goto Err;
463 0fc65b37 2004-03-21 devnull }
464 0fc65b37 2004-03-21 devnull
465 0fc65b37 2004-03-21 devnull memmove(c->crandom, m.u.clientHello.random, RandomSize);
466 0fc65b37 2004-03-21 devnull cipher = okCipher(m.u.clientHello.ciphers);
467 0fc65b37 2004-03-21 devnull if(cipher < 0) {
468 cbeb0b26 2006-04-01 devnull /* reply with EInsufficientSecurity if we know that's the case */
469 0fc65b37 2004-03-21 devnull if(cipher == -2)
470 0fc65b37 2004-03-21 devnull tlsError(c, EInsufficientSecurity, "cipher suites too weak");
471 0fc65b37 2004-03-21 devnull else
472 0fc65b37 2004-03-21 devnull tlsError(c, EHandshakeFailure, "no matching cipher suite");
473 0fc65b37 2004-03-21 devnull goto Err;
474 0fc65b37 2004-03-21 devnull }
475 0fc65b37 2004-03-21 devnull if(!setAlgs(c, cipher)){
476 0fc65b37 2004-03-21 devnull tlsError(c, EHandshakeFailure, "no matching cipher suite");
477 0fc65b37 2004-03-21 devnull goto Err;
478 0fc65b37 2004-03-21 devnull }
479 0fc65b37 2004-03-21 devnull compressor = okCompression(m.u.clientHello.compressors);
480 0fc65b37 2004-03-21 devnull if(compressor < 0) {
481 0fc65b37 2004-03-21 devnull tlsError(c, EHandshakeFailure, "no matching compressor");
482 0fc65b37 2004-03-21 devnull goto Err;
483 0fc65b37 2004-03-21 devnull }
484 0fc65b37 2004-03-21 devnull
485 0fc65b37 2004-03-21 devnull csid = m.u.clientHello.sid;
486 0fc65b37 2004-03-21 devnull if(trace)
487 0fc65b37 2004-03-21 devnull trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
488 0fc65b37 2004-03-21 devnull c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
489 0fc65b37 2004-03-21 devnull if(c->sec == nil){
490 0fc65b37 2004-03-21 devnull tlsError(c, EHandshakeFailure, "can't initialize security: %r");
491 0fc65b37 2004-03-21 devnull goto Err;
492 0fc65b37 2004-03-21 devnull }
493 0fc65b37 2004-03-21 devnull c->sec->rpc = factotum_rsa_open(cert, ncert);
494 0fc65b37 2004-03-21 devnull if(c->sec->rpc == nil){
495 0fc65b37 2004-03-21 devnull tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
496 0fc65b37 2004-03-21 devnull goto Err;
497 0fc65b37 2004-03-21 devnull }
498 0fc65b37 2004-03-21 devnull c->sec->rsapub = X509toRSApub(cert, ncert, nil, 0);
499 0fc65b37 2004-03-21 devnull msgClear(&m);
500 0fc65b37 2004-03-21 devnull
501 0fc65b37 2004-03-21 devnull m.tag = HServerHello;
502 0fc65b37 2004-03-21 devnull m.u.serverHello.version = c->version;
503 0fc65b37 2004-03-21 devnull memmove(m.u.serverHello.random, c->srandom, RandomSize);
504 0fc65b37 2004-03-21 devnull m.u.serverHello.cipher = cipher;
505 0fc65b37 2004-03-21 devnull m.u.serverHello.compressor = compressor;
506 0fc65b37 2004-03-21 devnull c->sid = makebytes(sid, nsid);
507 0fc65b37 2004-03-21 devnull m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
508 0fc65b37 2004-03-21 devnull if(!msgSend(c, &m, AQueue))
509 0fc65b37 2004-03-21 devnull goto Err;
510 0fc65b37 2004-03-21 devnull msgClear(&m);
511 0fc65b37 2004-03-21 devnull
512 0fc65b37 2004-03-21 devnull m.tag = HCertificate;
513 1b1434eb 2004-12-26 devnull numcerts = countchain(chp);
514 1b1434eb 2004-12-26 devnull m.u.certificate.ncert = 1 + numcerts;
515 0fc65b37 2004-03-21 devnull m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes));
516 0fc65b37 2004-03-21 devnull m.u.certificate.certs[0] = makebytes(cert, ncert);
517 1b1434eb 2004-12-26 devnull for (i = 0; i < numcerts && chp; i++, chp = chp->next)
518 1b1434eb 2004-12-26 devnull m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
519 0fc65b37 2004-03-21 devnull if(!msgSend(c, &m, AQueue))
520 0fc65b37 2004-03-21 devnull goto Err;
521 0fc65b37 2004-03-21 devnull msgClear(&m);
522 0fc65b37 2004-03-21 devnull
523 0fc65b37 2004-03-21 devnull m.tag = HServerHelloDone;
524 0fc65b37 2004-03-21 devnull if(!msgSend(c, &m, AFlush))
525 0fc65b37 2004-03-21 devnull goto Err;
526 0fc65b37 2004-03-21 devnull msgClear(&m);
527 0fc65b37 2004-03-21 devnull
528 0fc65b37 2004-03-21 devnull if(!msgRecv(c, &m))
529 0fc65b37 2004-03-21 devnull goto Err;
530 0fc65b37 2004-03-21 devnull if(m.tag != HClientKeyExchange) {
531 0fc65b37 2004-03-21 devnull tlsError(c, EUnexpectedMessage, "expected a client key exchange");
532 0fc65b37 2004-03-21 devnull goto Err;
533 0fc65b37 2004-03-21 devnull }
534 0fc65b37 2004-03-21 devnull if(tlsSecSecrets(c->sec, c->version, m.u.clientKeyExchange.key->data, m.u.clientKeyExchange.key->len, kd, c->nsecret) < 0){
535 0fc65b37 2004-03-21 devnull tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
536 0fc65b37 2004-03-21 devnull goto Err;
537 0fc65b37 2004-03-21 devnull }
538 0fc65b37 2004-03-21 devnull if(trace)
539 0fc65b37 2004-03-21 devnull trace("tls secrets\n");
540 0fc65b37 2004-03-21 devnull secrets = (char*)emalloc(2*c->nsecret);
541 0fc65b37 2004-03-21 devnull enc64(secrets, 2*c->nsecret, kd, c->nsecret);
542 0fc65b37 2004-03-21 devnull rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
543 0fc65b37 2004-03-21 devnull memset(secrets, 0, 2*c->nsecret);
544 0fc65b37 2004-03-21 devnull free(secrets);
545 0fc65b37 2004-03-21 devnull memset(kd, 0, c->nsecret);
546 0fc65b37 2004-03-21 devnull if(rv < 0){
547 0fc65b37 2004-03-21 devnull tlsError(c, EHandshakeFailure, "can't set keys: %r");
548 0fc65b37 2004-03-21 devnull goto Err;
549 0fc65b37 2004-03-21 devnull }
550 0fc65b37 2004-03-21 devnull msgClear(&m);
551 0fc65b37 2004-03-21 devnull
552 0fc65b37 2004-03-21 devnull /* no CertificateVerify; skip to Finished */
553 0fc65b37 2004-03-21 devnull if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
554 0fc65b37 2004-03-21 devnull tlsError(c, EInternalError, "can't set finished: %r");
555 0fc65b37 2004-03-21 devnull goto Err;
556 0fc65b37 2004-03-21 devnull }
557 0fc65b37 2004-03-21 devnull if(!msgRecv(c, &m))
558 0fc65b37 2004-03-21 devnull goto Err;
559 0fc65b37 2004-03-21 devnull if(m.tag != HFinished) {
560 0fc65b37 2004-03-21 devnull tlsError(c, EUnexpectedMessage, "expected a finished");
561 0fc65b37 2004-03-21 devnull goto Err;
562 0fc65b37 2004-03-21 devnull }
563 0fc65b37 2004-03-21 devnull if(!finishedMatch(c, &m.u.finished)) {
564 0fc65b37 2004-03-21 devnull tlsError(c, EHandshakeFailure, "finished verification failed");
565 0fc65b37 2004-03-21 devnull goto Err;
566 0fc65b37 2004-03-21 devnull }
567 0fc65b37 2004-03-21 devnull msgClear(&m);
568 0fc65b37 2004-03-21 devnull
569 0fc65b37 2004-03-21 devnull /* change cipher spec */
570 0fc65b37 2004-03-21 devnull if(fprint(c->ctl, "changecipher") < 0){
571 0fc65b37 2004-03-21 devnull tlsError(c, EInternalError, "can't enable cipher: %r");
572 0fc65b37 2004-03-21 devnull goto Err;
573 0fc65b37 2004-03-21 devnull }
574 0fc65b37 2004-03-21 devnull
575 0fc65b37 2004-03-21 devnull if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
576 0fc65b37 2004-03-21 devnull tlsError(c, EInternalError, "can't set finished: %r");
577 0fc65b37 2004-03-21 devnull goto Err;
578 0fc65b37 2004-03-21 devnull }
579 0fc65b37 2004-03-21 devnull m.tag = HFinished;
580 0fc65b37 2004-03-21 devnull m.u.finished = c->finished;
581 0fc65b37 2004-03-21 devnull if(!msgSend(c, &m, AFlush))
582 0fc65b37 2004-03-21 devnull goto Err;
583 0fc65b37 2004-03-21 devnull msgClear(&m);
584 0fc65b37 2004-03-21 devnull if(trace)
585 0fc65b37 2004-03-21 devnull trace("tls finished\n");
586 0fc65b37 2004-03-21 devnull
587 0fc65b37 2004-03-21 devnull if(fprint(c->ctl, "opened") < 0)
588 0fc65b37 2004-03-21 devnull goto Err;
589 0fc65b37 2004-03-21 devnull tlsSecOk(c->sec);
590 0fc65b37 2004-03-21 devnull return c;
591 0fc65b37 2004-03-21 devnull
592 0fc65b37 2004-03-21 devnull Err:
593 0fc65b37 2004-03-21 devnull msgClear(&m);
594 0fc65b37 2004-03-21 devnull tlsConnectionFree(c);
595 0fc65b37 2004-03-21 devnull return 0;
596 0fc65b37 2004-03-21 devnull }
597 0fc65b37 2004-03-21 devnull
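/*
 * Run the client side of the TLS/SSL3 handshake.
 *
 * ctl is the descriptor that receives the "secret", "changecipher" and
 * "opened" control messages; hand carries the handshake messages
 * (msgSend writes to it, tlsReadN reads from it).  csid/ncsid is the
 * session id offered in the ClientHello.  trace, if non-nil, is a
 * print-style callback for progress messages.
 *
 * Returns the new connection on success.  Returns nil if initCiphers
 * fails, and 0 after freeing the connection on any handshake error.
 *
 * Only the first certificate of the server's chain is kept (c->cert) and
 * it is handed straight to tlsSecSecretc for the key exchange; no chain
 * or name validation is visible in this function.
 * NOTE(review): confirm the caller authenticates c->cert before it
 * trusts the session.
 */
static TlsConnection *
tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...))
{
	TlsConnection *c;
	Msg m;
	uchar kd[MaxKeyData], *epm;
	char *secrets;
	int creq, nepm, rv;

	if(!initCiphers())
		return nil;
	epm = nil;
	/*
	 * Zero m before anything can jump to Err: the error path passes m
	 * to msgClear, which must never see an uninitialized Msg.
	 */
	memset(&m, 0, sizeof(m));
	c = emalloc(sizeof(TlsConnection));
	c->version = ProtocolVersion;
	c->ctl = ctl;
	c->hand = hand;
	c->trace = trace;
	c->isClient = 1;
	c->clientVersion = c->version;

	c->sec = tlsSecInitc(c->clientVersion, c->crandom);
	if(c->sec == nil)
		goto Err;

	/* client hello */
	m.tag = HClientHello;
	m.u.clientHello.version = c->clientVersion;
	memmove(m.u.clientHello.random, c->crandom, RandomSize);
	m.u.clientHello.sid = makebytes(csid, ncsid);
	m.u.clientHello.ciphers = makeciphers();
	m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
	if(!msgSend(c, &m, AFlush))
		goto Err;
	msgClear(&m);

	/* server hello */
	if(!msgRecv(c, &m))
		goto Err;
	if(m.tag != HServerHello) {
		tlsError(c, EUnexpectedMessage, "expected a server hello");
		goto Err;
	}
	if(setVersion(c, m.u.serverHello.version) < 0) {
		tlsError(c, EIllegalParameter, "incompatible version %r");
		goto Err;
	}
	memmove(c->srandom, m.u.serverHello.random, RandomSize);
	c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
	/* a session id is either absent or exactly SidSize bytes */
	if(c->sid->len != 0 && c->sid->len != SidSize) {
		tlsError(c, EIllegalParameter, "invalid server session identifier");
		goto Err;
	}
	if(!setAlgs(c, m.u.serverHello.cipher)) {
		tlsError(c, EIllegalParameter, "invalid cipher suite");
		goto Err;
	}
	/* only the null compression method is accepted */
	if(m.u.serverHello.compressor != CompressionNull) {
		tlsError(c, EIllegalParameter, "invalid compression");
		goto Err;
	}
	msgClear(&m);

	/* certificate */
	if(!msgRecv(c, &m) || m.tag != HCertificate) {
		tlsError(c, EUnexpectedMessage, "expected a certificate");
		goto Err;
	}
	if(m.u.certificate.ncert < 1) {
		tlsError(c, EIllegalParameter, "runt certificate");
		goto Err;
	}
	/* keep a private copy of the first certificate; msgClear releases m */
	c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
	msgClear(&m);

	/* server key exchange (optional) */
	if(!msgRecv(c, &m))
		goto Err;
	if(m.tag == HServerKeyExchange) {
		tlsError(c, EUnexpectedMessage, "got an server key exchange");
		goto Err;
		/* If implementing this later, watch out for rollback attack */
		/* described in Wagner Schneier 1996, section 4.4. */
	}

	/* certificate request (optional) */
	creq = 0;
	if(m.tag == HCertificateRequest) {
		creq = 1;
		msgClear(&m);
		if(!msgRecv(c, &m))
			goto Err;
	}

	if(m.tag != HServerHelloDone) {
		tlsError(c, EUnexpectedMessage, "expected a server hello done");
		goto Err;
	}
	msgClear(&m);

	/*
	 * Derive the session keys into kd and get the encrypted premaster
	 * secret back in epm/nepm.
	 * NOTE(review): kd holds MaxKeyData bytes and c->nsecret bytes are
	 * used; confirm c->nsecret can never exceed MaxKeyData.
	 */
	if(tlsSecSecretc(c->sec, c->sid->data, c->sid->len, c->srandom,
			c->cert->data, c->cert->len, c->version, &epm, &nepm,
			kd, c->nsecret) < 0){
		tlsError(c, EBadCertificate, "invalid x509/rsa certificate");
		goto Err;
	}
	/*
	 * Pass the key material to the record layer in base64, then wipe
	 * both copies.
	 * NOTE(review): enc64's result is not checked; confirm 2*nsecret is
	 * always enough for the encoded text and its terminator.
	 */
	secrets = (char*)emalloc(2*c->nsecret);
	enc64(secrets, 2*c->nsecret, kd, c->nsecret);
	rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
	memset(secrets, 0, 2*c->nsecret);
	free(secrets);
	memset(kd, 0, c->nsecret);
	if(rv < 0){
		tlsError(c, EHandshakeFailure, "can't set keys: %r");
		goto Err;
	}

	if(creq) {
		/* send a zero length certificate */
		m.tag = HCertificate;
		if(!msgSend(c, &m, AFlush))
			goto Err;
		msgClear(&m);
	}

	/* client key exchange */
	m.tag = HClientKeyExchange;
	m.u.clientKeyExchange.key = makebytes(epm, nepm);
	free(epm);
	epm = nil;	/* the Err path frees epm again; nil makes that a no-op */
	if(m.u.clientKeyExchange.key == nil) {
		tlsError(c, EHandshakeFailure, "can't set secret: %r");
		goto Err;
	}
	if(!msgSend(c, &m, AFlush))
		goto Err;
	msgClear(&m);

	/* change cipher spec */
	if(fprint(c->ctl, "changecipher") < 0){
		tlsError(c, EInternalError, "can't enable cipher: %r");
		goto Err;
	}

	/* Cipherchange must occur immediately before Finished to avoid */
	/* potential hole; see section 4.3 of Wagner Schneier 1996. */
	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
		tlsError(c, EInternalError, "can't set finished 1: %r");
		goto Err;
	}
	m.tag = HFinished;
	m.u.finished = c->finished;

	if(!msgSend(c, &m, AFlush)) {
		fprint(2, "tlsClient nepm=%d\n", nepm);
		tlsError(c, EInternalError, "can't flush after client Finished: %r");
		goto Err;
	}
	msgClear(&m);

	/* compute the verify data expected from the server before reading its Finished */
	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
		fprint(2, "tlsClient nepm=%d\n", nepm);
		tlsError(c, EInternalError, "can't set finished 0: %r");
		goto Err;
	}
	if(!msgRecv(c, &m)) {
		fprint(2, "tlsClient nepm=%d\n", nepm);
		tlsError(c, EInternalError, "can't read server Finished: %r");
		goto Err;
	}
	if(m.tag != HFinished) {
		fprint(2, "tlsClient nepm=%d\n", nepm);
		tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
		goto Err;
	}

	if(!finishedMatch(c, &m.u.finished)) {
		tlsError(c, EHandshakeFailure, "finished verification failed");
		goto Err;
	}
	msgClear(&m);

	if(fprint(c->ctl, "opened") < 0){
		if(trace)
			trace("unable to do final open: %r\n");
		goto Err;
	}
	tlsSecOk(c->sec);
	return c;

Err:
	/* kd may hold partial key material if key derivation failed midway */
	memset(kd, 0, sizeof(kd));
	free(epm);
	msgClear(&m);
	tlsConnectionFree(c);
	return 0;
}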
794 0fc65b37 2004-03-21 devnull
795 0fc65b37 2004-03-21 devnull
796 cbeb0b26 2006-04-01 devnull /*================= message functions ======================== */
797 0fc65b37 2004-03-21 devnull
/*
 * Output staging buffer used by msgSend.  sendp marks where the next
 * message starts; messages sent with AQueue accumulate here until a
 * message sent with AFlush writes the whole buffer out.
 * Both are file-scope statics, so every connection in the process shares
 * them.
 * NOTE(review): handshakes running concurrently in one process would
 * interleave their messages here; confirm callers never do that.
 */
static uchar sendbuf[9000], *sendp;
799 0fc65b37 2004-03-21 devnull
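/*
 * Encode handshake message m at the tail of the shared send buffer.
 *
 * With act == AQueue the encoded message stays queued; with
 * act == AFlush everything queued so far, including this message, is
 * written to c->hand and the buffer is reset.  Every message except
 * HHelloRequest is also folded into the running handshake hashes
 * c->hsmd5 and c->hssha1.
 *
 * m is passed to msgClear on every path.  Returns 1 on success and 0 on
 * failure.
 *
 * Every variable-length field is checked against the space left in
 * sendbuf before it is copied.  The ClientKeyExchange key length in
 * particular is not bounded by anything in this function, and queued
 * messages reduce the space available to later ones.
 */
static int
msgSend(TlsConnection *c, Msg *m, int act)
{
	uchar *p;	/* sendp = start of new message; p = write pointer */
	uchar *e;	/* one past the last byte of sendbuf */
	int nn, n, i;

	if(sendp == nil)
		sendp = sendbuf;
	p = sendp;
	e = sendbuf + sizeof(sendbuf);
	if(c->trace)
		c->trace("send %s", msgPrint((char*)p, (sizeof sendbuf) - (p-sendbuf), m));

	/* earlier queued messages may have left less than a header's worth */
	if(e - p < 4)
		goto Toobig;
	p[0] = m->tag;	/* header - fill in size later */
	p += 4;

	switch(m->tag) {
	default:
		tlsError(c, EInternalError, "can't encode a %d", m->tag);
		goto Err;
	case HClientHello:
		if(e - p < 2 + RandomSize)
			goto Toobig;
		/* version */
		put16(p, m->u.clientHello.version);
		p += 2;

		/* random */
		memmove(p, m->u.clientHello.random, RandomSize);
		p += RandomSize;

		/* sid */
		n = m->u.clientHello.sid->len;
		assert(n < 256);
		if(n > e - p - 1)
			goto Toobig;
		p[0] = n;
		memmove(p+1, m->u.clientHello.sid->data, n);
		p += n+1;

		/* cipher suites, two bytes each */
		n = m->u.clientHello.ciphers->len;
		assert(n > 0 && n < 200);
		if(2*n > e - p - 2)
			goto Toobig;
		put16(p, n*2);
		p += 2;
		for(i=0; i<n; i++) {
			put16(p, m->u.clientHello.ciphers->data[i]);
			p += 2;
		}

		/* compression methods */
		n = m->u.clientHello.compressors->len;
		assert(n > 0);
		if(n > e - p - 1)
			goto Toobig;
		p[0] = n;
		memmove(p+1, m->u.clientHello.compressors->data, n);
		p += n+1;
		break;
	case HServerHello:
		if(e - p < 2 + RandomSize)
			goto Toobig;
		put16(p, m->u.serverHello.version);
		p += 2;

		/* random */
		memmove(p, m->u.serverHello.random, RandomSize);
		p += RandomSize;

		/* sid */
		n = m->u.serverHello.sid->len;
		assert(n < 256);
		/* sid length byte + sid + cipher (2) + compressor (1) */
		if(n > e - p - 4)
			goto Toobig;
		p[0] = n;
		memmove(p+1, m->u.serverHello.sid->data, n);
		p += n+1;

		put16(p, m->u.serverHello.cipher);
		p += 2;
		p[0] = m->u.serverHello.compressor;
		p += 1;
		break;
	case HServerHelloDone:
		break;
	case HCertificate:
		/* total length: a 3-byte length prefix plus the data of each certificate */
		nn = 0;
		for(i = 0; i < m->u.certificate.ncert; i++)
			nn += 3 + m->u.certificate.certs[i]->len;
		if(p + 3 + nn - sendbuf > sizeof(sendbuf)) {
			tlsError(c, EInternalError, "output buffer too small for certificate");
			goto Err;
		}
		put24(p, nn);
		p += 3;
		for(i = 0; i < m->u.certificate.ncert; i++){
			put24(p, m->u.certificate.certs[i]->len);
			p += 3;
			memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
			p += m->u.certificate.certs[i]->len;
		}
		break;
	case HClientKeyExchange:
		n = m->u.clientKeyExchange.key->len;
		/* every version but SSL3 prefixes the key with a 2-byte length */
		if(c->version != SSL3Version){
			if(e - p < 2)
				goto Toobig;
			put16(p, n);
			p += 2;
		}
		if(n > e - p)
			goto Toobig;
		memmove(p, m->u.clientKeyExchange.key->data, n);
		p += n;
		break;
	case HFinished:
		if(m->u.finished.n > e - p)
			goto Toobig;
		memmove(p, m->u.finished.verify, m->u.finished.n);
		p += m->u.finished.n;
		break;
	}

	/* go back and fill in size */
	n = p-sendp;
	assert(p <= sendbuf+sizeof(sendbuf));
	put24(sendp+1, n-4);

	/* remember hash of Handshake messages */
	if(m->tag != HHelloRequest) {
		md5(sendp, n, 0, &c->hsmd5);
		sha1(sendp, n, 0, &c->hssha1);
	}

	sendp = p;
	if(act == AFlush){
		sendp = sendbuf;
		n = p-sendbuf;
		/* a short write would silently drop part of the handshake */
		if(write(c->hand, sendbuf, n) != n){
			fprint(2, "write error: %r\n");
			goto Err;
		}
	}
	msgClear(m);
	return 1;
Toobig:
	tlsError(c, EInternalError, "output buffer too small for handshake message");
Err:
	msgClear(m);
	return 0;
}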
929 0fc65b37 2004-03-21 devnull
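/*
 * Return a pointer to the next n bytes of handshake input and consume
 * them.  Bytes already buffered between c->rp and c->ep are used first;
 * if they are not enough, the unread bytes are moved to the start of
 * c->buf and the remainder is read from c->hand.
 *
 * Returns nil if a read fails or hits end of input, or if n cannot fit
 * in c->buf.  The returned pointer refers to c->buf and is only valid
 * until the next call.
 */
static uchar*
tlsReadN(TlsConnection *c, int n)
{
	uchar *p;
	int nn, nr;

	/*
	 * The refill below stores up to n bytes starting at c->buf, and n
	 * comes from a length field sent by the peer; do not rely on every
	 * caller having bounded it.
	 */
	if(n < 0 || n > sizeof(c->buf))
		return nil;

	nn = c->ep - c->rp;
	if(nn < n){
		/* compact: slide the unread bytes to the front of the buffer */
		if(c->rp != c->buf){
			memmove(c->buf, c->rp, nn);
			c->rp = c->buf;
			c->ep = &c->buf[nn];
		}
		for(; nn < n; nn += nr) {
			nr = read(c->hand, &c->rp[nn], n - nn);
			if(nr <= 0)
				return nil;
			c->ep += nr;
		}
	}
	p = c->rp;
	c->rp += n;
	return p;
}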
954 0fc65b37 2004-03-21 devnull
955 0fc65b37 2004-03-21 devnull static int
956 0fc65b37 2004-03-21 devnull msgRecv(TlsConnection *c, Msg *m)
957 0fc65b37 2004-03-21 devnull {
958 0fc65b37 2004-03-21 devnull uchar *p;
959 0fc65b37 2004-03-21 devnull int type, n, nn, i, nsid, nrandom, nciph;
960 0fc65b37 2004-03-21 devnull
961 0fc65b37 2004-03-21 devnull for(;;) {
962 0fc65b37 2004-03-21 devnull p = tlsReadN(c, 4);
963 0fc65b37 2004-03-21 devnull if(p == nil)
964 0fc65b37 2004-03-21 devnull return 0;
965 0fc65b37 2004-03-21 devnull type = p[0];
966 0fc65b37 2004-03-21 devnull n = get24(p+1);
967 0fc65b37 2004-03-21 devnull
968 0fc65b37 2004-03-21 devnull if(type != HHelloRequest)
969 0fc65b37 2004-03-21 devnull break;
970 0fc65b37 2004-03-21 devnull if(n != 0) {
971 0fc65b37 2004-03-21 devnull tlsError(c, EDecodeError, "invalid hello request during handshake");
972 0fc65b37 2004-03-21 devnull return 0;
973 0fc65b37 2004-03-21 devnull }
974 0fc65b37 2004-03-21 devnull }
975 0fc65b37 2004-03-21 devnull
976 0fc65b37 2004-03-21 devnull if(n > sizeof(c->buf)) {
977 0fc65b37 2004-03-21 devnull tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->buf));
978 0fc65b37 2004-03-21 devnull return 0;
979 0fc65b37 2004-03-21 devnull }
980 0fc65b37 2004-03-21 devnull
981 0fc65b37 2004-03-21 devnull if(type == HSSL2ClientHello){
982 0fc65b37 2004-03-21 devnull /* Cope with an SSL3 ClientHello expressed in SSL2 record format.
983 0fc65b37 2004-03-21 devnull This is sent by some clients that we must interoperate
984 0fc65b37 2004-03-21 devnull with, such as Java's JSSE and Microsoft's Internet Explorer. */
985 0fc65b37 2004-03-21 devnull p = tlsReadN(c, n);
986 0fc65b37 2004-03-21 devnull if(p == nil)
987 0fc65b37 2004-03-21 devnull return 0;
988 0fc65b37 2004-03-21 devnull md5(p, n, 0, &c->hsmd5);
989 0fc65b37 2004-03-21 devnull sha1(p, n, 0, &c->hssha1);
990 0fc65b37 2004-03-21 devnull m->tag = HClientHello;
991 0fc65b37 2004-03-21 devnull if(n < 22)
992 0fc65b37 2004-03-21 devnull goto Short;
993 0fc65b37 2004-03-21 devnull m->u.clientHello.version = get16(p+1);
994 0fc65b37 2004-03-21 devnull p += 3;
995 0fc65b37 2004-03-21 devnull n -= 3;
996 0fc65b37 2004-03-21 devnull nn = get16(p); /* cipher_spec_len */
997 0fc65b37 2004-03-21 devnull nsid = get16(p + 2);
998 0fc65b37 2004-03-21 devnull nrandom = get16(p + 4);
999 0fc65b37 2004-03-21 devnull p += 6;
1000 0fc65b37 2004-03-21 devnull n -= 6;
1001 0fc65b37 2004-03-21 devnull if(nsid != 0 /* no sid's, since shouldn't restart using ssl2 header */
1002 0fc65b37 2004-03-21 devnull || nrandom < 16 || nn % 3)
1003 0fc65b37 2004-03-21 devnull goto Err;
1004 0fc65b37 2004-03-21 devnull if(c->trace && (n - nrandom != nn))
1005 0fc65b37 2004-03-21 devnull c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
1006 0fc65b37 2004-03-21 devnull /* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
1007 0fc65b37 2004-03-21 devnull nciph = 0;
1008 0fc65b37 2004-03-21 devnull for(i = 0; i < nn; i += 3)
1009 0fc65b37 2004-03-21 devnull if(p[i] == 0)
1010 0fc65b37 2004-03-21 devnull nciph++;
1011 0fc65b37 2004-03-21 devnull m->u.clientHello.ciphers = newints(nciph);
1012 0fc65b37 2004-03-21 devnull nciph = 0;
1013 0fc65b37 2004-03-21 devnull for(i = 0; i < nn; i += 3)
1014 0fc65b37 2004-03-21 devnull if(p[i] == 0)
1015 0fc65b37 2004-03-21 devnull m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]);
1016 0fc65b37 2004-03-21 devnull p += nn;
1017 0fc65b37 2004-03-21 devnull m->u.clientHello.sid = makebytes(nil, 0);
1018 0fc65b37 2004-03-21 devnull if(nrandom > RandomSize)
1019 0fc65b37 2004-03-21 devnull nrandom = RandomSize;
1020 0fc65b37 2004-03-21 devnull memset(m->u.clientHello.random, 0, RandomSize - nrandom);
1021 0fc65b37 2004-03-21 devnull memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
1022 0fc65b37 2004-03-21 devnull m->u.clientHello.compressors = newbytes(1);
1023 0fc65b37 2004-03-21 devnull m->u.clientHello.compressors->data[0] = CompressionNull;
1024 0fc65b37 2004-03-21 devnull goto Ok;
1025 0fc65b37 2004-03-21 devnull }
1026 0fc65b37 2004-03-21 devnull
1027 0fc65b37 2004-03-21 devnull md5(p, 4, 0, &c->hsmd5);
1028 0fc65b37 2004-03-21 devnull sha1(p, 4, 0, &c->hssha1);
1029 0fc65b37 2004-03-21 devnull
1030 0fc65b37 2004-03-21 devnull p = tlsReadN(c, n);
1031 0fc65b37 2004-03-21 devnull if(p == nil)
1032 0fc65b37 2004-03-21 devnull return 0;
1033 0fc65b37 2004-03-21 devnull
1034 0fc65b37 2004-03-21 devnull md5(p, n, 0, &c->hsmd5);
1035 0fc65b37 2004-03-21 devnull sha1(p, n, 0, &c->hssha1);
1036 0fc65b37 2004-03-21 devnull
1037 0fc65b37 2004-03-21 devnull m->tag = type;
1038 0fc65b37 2004-03-21 devnull
1039 0fc65b37 2004-03-21 devnull switch(type) {
1040 0fc65b37 2004-03-21 devnull default:
1041 0fc65b37 2004-03-21 devnull tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
1042 0fc65b37 2004-03-21 devnull goto Err;
1043 0fc65b37 2004-03-21 devnull case HClientHello:
1044 0fc65b37 2004-03-21 devnull if(n < 2)
1045 0fc65b37 2004-03-21 devnull goto Short;
1046 0fc65b37 2004-03-21 devnull m->u.clientHello.version = get16(p);
1047 0fc65b37 2004-03-21 devnull p += 2;
1048 0fc65b37 2004-03-21 devnull n -= 2;
1049 0fc65b37 2004-03-21 devnull
1050 0fc65b37 2004-03-21 devnull if(n < RandomSize)
1051 0fc65b37 2004-03-21 devnull goto Short;
1052 0fc65b37 2004-03-21 devnull memmove(m->u.clientHello.random, p, RandomSize);
1053 0fc65b37 2004-03-21 devnull p += RandomSize;
1054 0fc65b37 2004-03-21 devnull n -= RandomSize;
1055 0fc65b37 2004-03-21 devnull if(n < 1 || n < p[0]+1)
1056 0fc65b37 2004-03-21 devnull goto Short;
1057 0fc65b37 2004-03-21 devnull m->u.clientHello.sid = makebytes(p+1, p[0]);
1058 0fc65b37 2004-03-21 devnull p += m->u.clientHello.sid->len+1;
1059 0fc65b37 2004-03-21 devnull n -= m->u.clientHello.sid->len+1;
1060 0fc65b37 2004-03-21 devnull
1061 0fc65b37 2004-03-21 devnull if(n < 2)
1062 0fc65b37 2004-03-21 devnull goto Short;
1063 0fc65b37 2004-03-21 devnull nn = get16(p);
1064 0fc65b37 2004-03-21 devnull p += 2;
1065 0fc65b37 2004-03-21 devnull n -= 2;
1066 0fc65b37 2004-03-21 devnull
1067 0fc65b37 2004-03-21 devnull if((nn & 1) || n < nn || nn < 2)
1068 0fc65b37 2004-03-21 devnull goto Short;
1069 0fc65b37 2004-03-21 devnull m->u.clientHello.ciphers = newints(nn >> 1);
1070 0fc65b37 2004-03-21 devnull for(i = 0; i < nn; i += 2)
1071 0fc65b37 2004-03-21 devnull m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
1072 0fc65b37 2004-03-21 devnull p += nn;
1073 0fc65b37 2004-03-21 devnull n -= nn;
1074 0fc65b37 2004-03-21 devnull
1075 0fc65b37 2004-03-21 devnull if(n < 1 || n < p[0]+1 || p[0] == 0)
1076 0fc65b37 2004-03-21 devnull goto Short;
1077 0fc65b37 2004-03-21 devnull nn = p[0];
1078 0fc65b37 2004-03-21 devnull m->u.clientHello.compressors = newbytes(nn);
1079 0fc65b37 2004-03-21 devnull memmove(m->u.clientHello.compressors->data, p+1, nn);
1080 0fc65b37 2004-03-21 devnull n -= nn + 1;
1081 0fc65b37 2004-03-21 devnull break;
1082 0fc65b37 2004-03-21 devnull case HServerHello:
1083 0fc65b37 2004-03-21 devnull if(n < 2)
1084 0fc65b37 2004-03-21 devnull goto Short;
1085 0fc65b37 2004-03-21 devnull m->u.serverHello.version = get16(p);
1086 0fc65b37 2004-03-21 devnull p += 2;
1087 0fc65b37 2004-03-21 devnull n -= 2;
1088 0fc65b37 2004-03-21 devnull
1089 0fc65b37 2004-03-21 devnull if(n < RandomSize)
1090 0fc65b37 2004-03-21 devnull goto Short;
1091 0fc65b37 2004-03-21 devnull memmove(m->u.serverHello.random, p, RandomSize);
1092 0fc65b37 2004-03-21 devnull p += RandomSize;
1093 0fc65b37 2004-03-21 devnull n -= RandomSize;
1094 0fc65b37 2004-03-21 devnull
1095 0fc65b37 2004-03-21 devnull if(n < 1 || n < p[0]+1)
1096 0fc65b37 2004-03-21 devnull goto Short;
1097 0fc65b37 2004-03-21 devnull m->u.serverHello.sid = makebytes(p+1, p[0]);
1098 0fc65b37 2004-03-21 devnull p += m->u.serverHello.sid->len+1;
1099 0fc65b37 2004-03-21 devnull n -= m->u.serverHello.sid->len+1;
1100 0fc65b37 2004-03-21 devnull
1101 0fc65b37 2004-03-21 devnull if(n < 3)
1102 0fc65b37 2004-03-21 devnull goto Short;
1103 0fc65b37 2004-03-21 devnull m->u.serverHello.cipher = get16(p);
1104 0fc65b37 2004-03-21 devnull m->u.serverHello.compressor = p[2];
1105 0fc65b37 2004-03-21 devnull n -= 3;
1106 0fc65b37 2004-03-21 devnull break;
1107 0fc65b37 2004-03-21 devnull case HCertificate:
1108 0fc65b37 2004-03-21 devnull if(n < 3)
1109 0fc65b37 2004-03-21 devnull goto Short;
1110 0fc65b37 2004-03-21 devnull nn = get24(p);
1111 0fc65b37 2004-03-21 devnull p += 3;
1112 0fc65b37 2004-03-21 devnull n -= 3;
1113 0fc65b37 2004-03-21 devnull if(n != nn)
1114 0fc65b37 2004-03-21 devnull goto Short;
1115 0fc65b37 2004-03-21 devnull /* certs */
1116 0fc65b37 2004-03-21 devnull i = 0;
1117 0fc65b37 2004-03-21 devnull while(n > 0) {
1118 0fc65b37 2004-03-21 devnull if(n < 3)
1119 0fc65b37 2004-03-21 devnull goto Short;
1120 0fc65b37 2004-03-21 devnull nn = get24(p);
1121 0fc65b37 2004-03-21 devnull p += 3;
1122 0fc65b37 2004-03-21 devnull n -= 3;
1123 0fc65b37 2004-03-21 devnull if(nn > n)
1124 0fc65b37 2004-03-21 devnull goto Short;
1125 0fc65b37 2004-03-21 devnull m->u.certificate.ncert = i+1;
1126 0fc65b37 2004-03-21 devnull m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes));
1127 0fc65b37 2004-03-21 devnull m->u.certificate.certs[i] = makebytes(p, nn);
1128 0fc65b37 2004-03-21 devnull p += nn;
1129 0fc65b37 2004-03-21 devnull n -= nn;
1130 0fc65b37 2004-03-21 devnull i++;
1131 0fc65b37 2004-03-21 devnull }
1132 0fc65b37 2004-03-21 devnull break;
1133 0fc65b37 2004-03-21 devnull case HCertificateRequest:
1134 0fc65b37 2004-03-21 devnull if(n < 2)
1135 0fc65b37 2004-03-21 devnull goto Short;
1136 0fc65b37 2004-03-21 devnull nn = get16(p);
1137 0fc65b37 2004-03-21 devnull p += 2;
1138 0fc65b37 2004-03-21 devnull n -= 2;
1139 0fc65b37 2004-03-21 devnull if(nn < 1 || nn > n)
1140 0fc65b37 2004-03-21 devnull goto Short;
1141 0fc65b37 2004-03-21 devnull m->u.certificateRequest.types = makebytes(p, nn);
1142 0fc65b37 2004-03-21 devnull nn = get24(p);
1143 0fc65b37 2004-03-21 devnull p += 3;
1144 0fc65b37 2004-03-21 devnull n -= 3;
1145 0fc65b37 2004-03-21 devnull if(nn == 0 || n != nn)
1146 0fc65b37 2004-03-21 devnull goto Short;
1147 0fc65b37 2004-03-21 devnull /* cas */
1148 0fc65b37 2004-03-21 devnull i = 0;
1149 0fc65b37 2004-03-21 devnull while(n > 0) {
1150 0fc65b37 2004-03-21 devnull if(n < 2)
1151 0fc65b37 2004-03-21 devnull goto Short;
1152 0fc65b37 2004-03-21 devnull nn = get16(p);
1153 0fc65b37 2004-03-21 devnull p += 2;
1154 0fc65b37 2004-03-21 devnull n -= 2;
1155 0fc65b37 2004-03-21 devnull if(nn < 1 || nn > n)
1156 0fc65b37 2004-03-21 devnull goto Short;
1157 0fc65b37 2004-03-21 devnull m->u.certificateRequest.nca = i+1;
1158 0fc65b37 2004-03-21 devnull m->u.certificateRequest.cas = erealloc(m->u.certificateRequest.cas, (i+1)*sizeof(Bytes));
1159 0fc65b37 2004-03-21 devnull m->u.certificateRequest.cas[i] = makebytes(p, nn);
1160 0fc65b37 2004-03-21 devnull p += nn;
1161 0fc65b37 2004-03-21 devnull n -= nn;
1162 0fc65b37 2004-03-21 devnull i++;
1163 0fc65b37 2004-03-21 devnull }
1164 0fc65b37 2004-03-21 devnull break;
1165 0fc65b37 2004-03-21 devnull case HServerHelloDone:
1166 0fc65b37 2004-03-21 devnull break;
1167 0fc65b37 2004-03-21 devnull case HClientKeyExchange:
1168 0fc65b37 2004-03-21 devnull /*
1169 0fc65b37 2004-03-21 devnull * this message depends upon the encryption selected
1170 0fc65b37 2004-03-21 devnull * assume rsa.
1171 0fc65b37 2004-03-21 devnull */
1172 0fc65b37 2004-03-21 devnull if(c->version == SSL3Version)
1173 0fc65b37 2004-03-21 devnull nn = n;
1174 0fc65b37 2004-03-21 devnull else{
1175 0fc65b37 2004-03-21 devnull if(n < 2)
1176 0fc65b37 2004-03-21 devnull goto Short;
1177 0fc65b37 2004-03-21 devnull nn = get16(p);
1178 0fc65b37 2004-03-21 devnull p += 2;
1179 0fc65b37 2004-03-21 devnull n -= 2;
1180 0fc65b37 2004-03-21 devnull }
1181 0fc65b37 2004-03-21 devnull if(n < nn)
1182 0fc65b37 2004-03-21 devnull goto Short;
1183 0fc65b37 2004-03-21 devnull m->u.clientKeyExchange.key = makebytes(p, nn);
1184 0fc65b37 2004-03-21 devnull n -= nn;
1185 0fc65b37 2004-03-21 devnull break;
1186 0fc65b37 2004-03-21 devnull case HFinished:
1187 0fc65b37 2004-03-21 devnull m->u.finished.n = c->finished.n;
1188 0fc65b37 2004-03-21 devnull if(n < m->u.finished.n)
1189 0fc65b37 2004-03-21 devnull goto Short;
1190 0fc65b37 2004-03-21 devnull memmove(m->u.finished.verify, p, m->u.finished.n);
1191 0fc65b37 2004-03-21 devnull n -= m->u.finished.n;
1192 0fc65b37 2004-03-21 devnull break;
1193 0fc65b37 2004-03-21 devnull }
1194 0fc65b37 2004-03-21 devnull
1195 0fc65b37 2004-03-21 devnull if(type != HClientHello && n != 0)
1196 0fc65b37 2004-03-21 devnull goto Short;
1197 0fc65b37 2004-03-21 devnull Ok:
1198 0fc65b37 2004-03-21 devnull if(c->trace){
1199 0fc65b37 2004-03-21 devnull char buf[8000];
1200 0fc65b37 2004-03-21 devnull c->trace("recv %s", msgPrint(buf, sizeof buf, m));
1201 0fc65b37 2004-03-21 devnull }
1202 0fc65b37 2004-03-21 devnull return 1;
1203 0fc65b37 2004-03-21 devnull Short:
1204 0fc65b37 2004-03-21 devnull tlsError(c, EDecodeError, "handshake message has invalid length");
1205 0fc65b37 2004-03-21 devnull Err:
1206 0fc65b37 2004-03-21 devnull msgClear(m);
1207 0fc65b37 2004-03-21 devnull return 0;
1208 0fc65b37 2004-03-21 devnull }
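/*
 * Free every heap object hanging off m for its message type, then zero
 * the whole Msg.  The tag selects which union member is live.
 * An unrecognised tag is fatal: sysfatal() does not return, so the
 * fall-through into the HHelloRequest case is never taken.
 */
static void
msgClear(Msg *m)
{
	int i;

	switch(m->tag) {
	default:
		sysfatal("msgClear: unknown message type: %d\n", m->tag);
	case HHelloRequest:
		break;
	case HClientHello:
		freebytes(m->u.clientHello.sid);
		freeints(m->u.clientHello.ciphers);
		freebytes(m->u.clientHello.compressors);
		break;
	case HServerHello:
		/*
		 * Free through the serverHello member, the one the parser
		 * fills for this tag.  Going through clientHello.sid only
		 * works while both members keep sid at the same offset.
		 */
		freebytes(m->u.serverHello.sid);
		break;
	case HCertificate:
		for(i=0; i<m->u.certificate.ncert; i++)
			freebytes(m->u.certificate.certs[i]);
		free(m->u.certificate.certs);
		break;
	case HCertificateRequest:
		freebytes(m->u.certificateRequest.types);
		for(i=0; i<m->u.certificateRequest.nca; i++)
			freebytes(m->u.certificateRequest.cas[i]);
		free(m->u.certificateRequest.cas);
		break;
	case HServerHelloDone:
		break;
	case HClientKeyExchange:
		freebytes(m->u.clientKeyExchange.key);
		break;
	case HFinished:
		break;
	}
	/* leave no stale pointers behind; a cleared Msg can be cleared again */
	memset(m, 0, sizeof(Msg));
}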
/*
 * Append s0, then the bytes of b as "[xx xx ... ]" (or "[nil]" when b is
 * nil), then s1, to the buffer that runs from bs to be.  Either string
 * may be nil and is then skipped.  Returns the new write position as
 * handed back by seprint.
 */
static char *
bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
{
	int k;

	if(s0 != nil)
		bs = seprint(bs, be, "%s", s0);
	bs = seprint(bs, be, "[");
	if(b != nil){
		for(k = 0; k < b->len; k++)
			bs = seprint(bs, be, "%.2x ", b->data[k]);
	}else
		bs = seprint(bs, be, "nil");
	bs = seprint(bs, be, "]");
	if(s1 != nil)
		bs = seprint(bs, be, "%s", s1);
	return bs;
}
/*
 * Same layout as bytesPrint, but for an Ints list: each element is
 * printed with "%x " (no zero padding).  A nil list prints as "[nil]".
 * Returns the new write position as handed back by seprint.
 */
static char *
intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
{
	int k;

	if(s0 != nil)
		bs = seprint(bs, be, "%s", s0);
	bs = seprint(bs, be, "[");
	if(b != nil){
		for(k = 0; k < b->len; k++)
			bs = seprint(bs, be, "%x ", b->data[k]);
	}else
		bs = seprint(bs, be, "nil");
	bs = seprint(bs, be, "]");
	if(s1 != nil)
		bs = seprint(bs, be, "%s", s1);
	return bs;
}
/*
 * Render m as human-readable text into buf (n bytes) for tracing and
 * return buf.  All writes go through seprint/bytesPrint/intsPrint with
 * the end pointer buf+n.
 * The dump includes raw handshake fields: both randoms, session ids,
 * certificates, the ClientKeyExchange payload and the Finished verify
 * data, so whatever receives trace output sees all of that.
 */
static char*
msgPrint(char *buf, int n, Msg *m)
{
	char *p, *end;
	int k;

	p = buf;
	end = buf+n;

	switch(m->tag) {
	case HClientHello:
		p = seprint(p, end, "ClientHello\n");
		p = seprint(p, end, "\tversion: %.4x\n", m->u.clientHello.version);
		p = seprint(p, end, "\trandom: ");
		for(k = 0; k < RandomSize; k++)
			p = seprint(p, end, "%.2x", m->u.clientHello.random[k]);
		p = seprint(p, end, "\n");
		p = bytesPrint(p, end, "\tsid: ", m->u.clientHello.sid, "\n");
		p = intsPrint(p, end, "\tciphers: ", m->u.clientHello.ciphers, "\n");
		p = bytesPrint(p, end, "\tcompressors: ", m->u.clientHello.compressors, "\n");
		break;
	case HServerHello:
		p = seprint(p, end, "ServerHello\n");
		p = seprint(p, end, "\tversion: %.4x\n", m->u.serverHello.version);
		p = seprint(p, end, "\trandom: ");
		for(k = 0; k < RandomSize; k++)
			p = seprint(p, end, "%.2x", m->u.serverHello.random[k]);
		p = seprint(p, end, "\n");
		p = bytesPrint(p, end, "\tsid: ", m->u.serverHello.sid, "\n");
		p = seprint(p, end, "\tcipher: %.4x\n", m->u.serverHello.cipher);
		p = seprint(p, end, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
		break;
	case HCertificate:
		p = seprint(p, end, "Certificate\n");
		for(k = 0; k < m->u.certificate.ncert; k++)
			p = bytesPrint(p, end, "\t", m->u.certificate.certs[k], "\n");
		break;
	case HCertificateRequest:
		p = seprint(p, end, "CertificateRequest\n");
		p = bytesPrint(p, end, "\ttypes: ", m->u.certificateRequest.types, "\n");
		p = seprint(p, end, "\tcertificateauthorities\n");
		for(k = 0; k < m->u.certificateRequest.nca; k++)
			p = bytesPrint(p, end, "\t\t", m->u.certificateRequest.cas[k], "\n");
		break;
	case HServerHelloDone:
		p = seprint(p, end, "ServerHelloDone\n");
		break;
	case HClientKeyExchange:
		p = seprint(p, end, "HClientKeyExchange\n");
		p = bytesPrint(p, end, "\tkey: ", m->u.clientKeyExchange.key, "\n");
		break;
	case HFinished:
		p = seprint(p, end, "HFinished\n");
		for(k = 0; k < m->u.finished.n; k++)
			p = seprint(p, end, "%.2x", m->u.finished.verify[k]);
		p = seprint(p, end, "\n");
		break;
	default:
		p = seprint(p, end, "unknown %d\n", m->tag);
		break;
	}
	/* the final write position is not needed; callers get the buffer start */
	USED(p);
	return buf;
}
/*
 * Record a local handshake failure and tell the record layer to send
 * alert number err.
 * The formatted message (at most 512 bytes, bounded by vseprint) goes to
 * exactly one place: the trace hook if one is installed; otherwise to
 * fd 2 as a "double error" if this connection has already erred;
 * otherwise into the error string via werrstr.  In every case erred is
 * set and "alert <err>" is written to the control fd.
 */
static void
tlsError(TlsConnection *c, int err, char *fmt, ...)
{
	va_list ap;
	char text[512];

	va_start(ap, fmt);
	vseprint(text, text+sizeof(text), fmt, ap);
	va_end(ap);

	if(c->trace){
		c->trace("tlsError: %s\n", text);
	}else if(!c->erred){
		werrstr("tls: local %s", text);
	}else{
		fprint(2, "double error: %r, %s", text);
	}
	c->erred = 1;
	fprint(c->ctl, "alert %d", err);
}
/*
 * Commit the connection to one protocol version; this can be done once.
 * Fails with -1 if a version was already committed, if the requested
 * version lies outside MinProtoVersion..MaxProtoVersion, or if the
 * value finally chosen is neither SSL3Version nor TLSVersion.
 * A request above c->version is lowered to c->version.  On success the
 * Finished length for the chosen version is recorded and the result of
 * writing "version 0x.." to the control fd is returned.
 */
static int
setVersion(TlsConnection *c, int version)
{
	int finlen;

	if(c->verset)
		return -1;
	if(version < MinProtoVersion || version > MaxProtoVersion)
		return -1;

	/* never go above what this side already settled on */
	if(c->version < version)
		version = c->version;

	if(version == SSL3Version)
		finlen = SSL3FinishedLen;
	else if(version == TLSVersion)
		finlen = TLSFinishedLen;
	else
		return -1;

	c->version = version;
	c->finished.n = finlen;
	c->verset = 1;
	return fprint(c->ctl, "version 0x%x", version);
}
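/*
 * Confirm that a received Finished message matches the value computed
 * locally in c->finished.  Returns 1 on match, 0 otherwise.
 *
 * The lengths must agree and be positive: comparing only f->n bytes
 * would accept an empty or truncated verify field.  The byte comparison
 * accumulates differences instead of stopping at the first mismatch, so
 * its running time does not depend on how many leading bytes of the
 * peer's value were correct.
 */
static int
finishedMatch(TlsConnection *c, Finished *f)
{
	int i, diff;

	if(f->n <= 0 || f->n != c->finished.n)
		return 0;
	diff = 0;
	for(i = 0; i < f->n; i++)
		diff |= f->verify[i] ^ c->finished.verify[i];
	return diff == 0;
}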
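/*
 * Free the memory associated with a TlsConnection
 * (but don't close the TLS channel itself).
 *
 * The structure is wiped before it is freed.  The size must be that of
 * the structure, sizeof(*c): sizeof(c) is only the size of the pointer
 * and would leave almost all of the connection state in the freed block.
 * NOTE(review): a compiler may drop a memset that directly precedes
 * free; if the toolchain offers a wipe that cannot be elided, use it here.
 */
static void
tlsConnectionFree(TlsConnection *c)
{
	tlsSecClose(c->sec);
	freebytes(c->sid);
	freebytes(c->cert);
	memset(c, 0, sizeof(*c));
	free(c);
}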
/*================= cipher choices ======================== */
/*
 * weakCipher[id] is 1 when cipher suite number id is classed as weak.
 * okCipher indexes this table directly with the suite ids a peer
 * offered and uses it only to tell "nothing usable, and everything
 * offered was weak" apart from "nothing usable".  The leading comment
 * on each row is the array index of that entry.
 * NOTE(review): the single-DES and RC4 suites are classed as not weak
 * here; check that against current policy before relying on the table.
 */
static int weakCipher[CipherMax] =
{
	/* 0x00 */	1,	/* TLS_NULL_WITH_NULL_NULL */
	/* 0x01 */	1,	/* TLS_RSA_WITH_NULL_MD5 */
	/* 0x02 */	1,	/* TLS_RSA_WITH_NULL_SHA */
	/* 0x03 */	1,	/* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
	/* 0x04 */	0,	/* TLS_RSA_WITH_RC4_128_MD5 */
	/* 0x05 */	0,	/* TLS_RSA_WITH_RC4_128_SHA */
	/* 0x06 */	1,	/* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
	/* 0x07 */	0,	/* TLS_RSA_WITH_IDEA_CBC_SHA */
	/* 0x08 */	1,	/* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
	/* 0x09 */	0,	/* TLS_RSA_WITH_DES_CBC_SHA */
	/* 0x0a */	0,	/* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
	/* 0x0b */	1,	/* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
	/* 0x0c */	0,	/* TLS_DH_DSS_WITH_DES_CBC_SHA */
	/* 0x0d */	0,	/* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
	/* 0x0e */	1,	/* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
	/* 0x0f */	0,	/* TLS_DH_RSA_WITH_DES_CBC_SHA */
	/* 0x10 */	0,	/* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
	/* 0x11 */	1,	/* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
	/* 0x12 */	0,	/* TLS_DHE_DSS_WITH_DES_CBC_SHA */
	/* 0x13 */	0,	/* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
	/* 0x14 */	1,	/* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
	/* 0x15 */	0,	/* TLS_DHE_RSA_WITH_DES_CBC_SHA */
	/* 0x16 */	0,	/* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
	/* 0x17 */	1,	/* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
	/* 0x18 */	1,	/* TLS_DH_anon_WITH_RC4_128_MD5 */
	/* 0x19 */	1,	/* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
	/* 0x1a */	1,	/* TLS_DH_anon_WITH_DES_CBC_SHA */
	/* 0x1b */	1,	/* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
};
/*
 * Look up cipher suite id a in cipherAlgs and copy its encryption name,
 * digest name and secret size into the connection.
 * Returns 1 on success.  Returns 0 if the suite is not in the table, or
 * if it needs more than MaxKeyData bytes of secret; in that second case
 * the three connection fields have already been overwritten.
 */
static int
setAlgs(TlsConnection *c, int a)
{
	int k;

	for(k = 0; k < nelem(cipherAlgs); k++){
		if(cipherAlgs[k].tlsid != a)
			continue;
		c->enc = cipherAlgs[k].enc;
		c->digest = cipherAlgs[k].digest;
		c->nsecret = cipherAlgs[k].nsecret;
		/* refuse suites whose key block would not fit */
		return c->nsecret <= MaxKeyData;
	}
	return 0;
}
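/*
 * Pick a cipher suite from the list cv, in the order given.
 * Returns the first id that matches a cipherAlgs entry whose ok flag is
 * set.  If nothing matches, returns -2 when every id seen was flagged
 * in weakCipher (an empty list also gives -2), and -1 otherwise.
 *
 * The ids come from the peer and are used as an index into weakCipher,
 * so the index is checked at both ends.  Ids at or above CipherMax are
 * treated as "not weak", and a negative value is handled the same way
 * rather than read from before the table.
 * NOTE(review): a negative id should not occur if the list is filled
 * from 16-bit wire values; the lower bound is defensive.
 */
static int
okCipher(Ints *cv)
{
	int weak, i, j, c;

	weak = 1;
	for(i = 0; i < cv->len; i++) {
		c = cv->data[i];
		if(c < 0 || c >= CipherMax)
			weak = 0;
		else
			weak &= weakCipher[c];
		for(j = 0; j < nelem(cipherAlgs); j++)
			if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
				return c;
	}
	if(weak)
		return -2;
	return -1;
}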
/*
 * Pick a compression method from the list cv, in the order given.
 * Returns the first value that also appears in the compressors table,
 * or -1 if none does.
 */
static int
okCompression(Bytes *cv)
{
	int offered, known, method;

	for(offered = 0; offered < cv->len; offered++){
		method = cv->data[offered];
		for(known = 0; known < nelem(compressors); known++)
			if(compressors[known] == method)
				return method;
	}
	return -1;
}
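/* ciphLock guards the one-time scan below; nciphers caches its result */
static Lock ciphLock;
static int nciphers;

/*
 * Work out which entries of cipherAlgs can be used: an entry is marked
 * ok when its encryption name is listed in #a/tls/encalgs and its digest
 * name is listed in #a/tls/hashalgs.  The number of usable entries is
 * cached in nciphers, so later calls return at once.
 * Returns that count, or 0 with the error string set if either file
 * cannot be opened or read.
 *
 * ciphLock is released on every path out of the function.  Returning
 * with it held after a failed open or read would block every later call.
 * NOTE(review): at most MaxAlgs fields are split out of each file, so a
 * longer list would leave its tail in the last field.
 */
static int
initCiphers(void)
{
	enum {MaxAlgF = 1024, MaxAlgs = 10};
	char s[MaxAlgF], *flds[MaxAlgs];
	int i, j, n, ok, fd;

	lock(&ciphLock);
	if(nciphers){
		n = nciphers;
		unlock(&ciphLock);
		return n;
	}

	/* pass 1: encryption algorithms */
	fd = open("#a/tls/encalgs", OREAD);
	if(fd < 0){
		werrstr("can't open #a/tls/encalgs: %r");
		unlock(&ciphLock);
		return 0;
	}
	n = read(fd, s, MaxAlgF-1);
	close(fd);
	if(n <= 0){
		werrstr("nothing in #a/tls/encalgs: %r");
		unlock(&ciphLock);
		return 0;
	}
	s[n] = 0;	/* read left room for the terminator */
	n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
	for(i = 0; i < nelem(cipherAlgs); i++){
		ok = 0;
		for(j = 0; j < n; j++){
			if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){
				ok = 1;
				break;
			}
		}
		cipherAlgs[i].ok = ok;
	}

	/* pass 2: digest algorithms; an entry stays ok only if both match */
	fd = open("#a/tls/hashalgs", OREAD);
	if(fd < 0){
		werrstr("can't open #a/tls/hashalgs: %r");
		unlock(&ciphLock);
		return 0;
	}
	n = read(fd, s, MaxAlgF-1);
	close(fd);
	if(n <= 0){
		werrstr("nothing in #a/tls/hashalgs: %r");
		unlock(&ciphLock);
		return 0;
	}
	s[n] = 0;
	n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
	for(i = 0; i < nelem(cipherAlgs); i++){
		ok = 0;
		for(j = 0; j < n; j++){
			if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){
				ok = 1;
				break;
			}
		}
		cipherAlgs[i].ok &= ok;
		if(cipherAlgs[i].ok)
			nciphers++;
	}
	n = nciphers;
	unlock(&ciphLock);
	return n;
}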
/*
 * Build the list of cipher suite ids to offer: a new Ints of nciphers
 * elements holding the tlsid of every cipherAlgs entry marked ok, in
 * table order.  Relies on nciphers being the number of ok entries.
 */
static Ints*
makeciphers(void)
{
	Ints *out;
	int src, dst;

	out = newints(nciphers);
	dst = 0;
	for(src = 0; src < nelem(cipherAlgs); src++){
		if(!cipherAlgs[src].ok)
			continue;
		out->data[dst] = cipherAlgs[src].tlsid;
		dst++;
	}
	return out;
}
/*================= security functions ======================== */
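/*
 * Given an X.509 certificate, set up a connection to factotum for using
 * the corresponding private key.
 * Starts an rsa/tls/client conversation, then reads factotum's keys one
 * by one until one equals the modulus in the certificate.
 * Returns the open AuthRpc positioned on that key, or nil if the rpc
 * cannot be started, the certificate yields no RSA public key, a read
 * fails, or factotum returns something that does not parse as a hex
 * number.  Nothing is left allocated on failure.
 */
static AuthRpc*
factotum_rsa_open(uchar *cert, int certlen)
{
	char *s;
	mpint *pub;
	RSApub *rsapub;
	AuthRpc *rpc;
	int match;

	if((rpc = auth_allocrpc()) == nil)
		return nil;
	s = "proto=rsa service=tls role=client";
	if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
		factotum_rsa_close(rpc);
		return nil;
	}

	/* a certificate that does not parse must not reach rsapub->n below */
	rsapub = X509toRSApub(cert, certlen, nil, 0);
	if(rsapub == nil){
		factotum_rsa_close(rpc);
		return nil;
	}

	/* roll factotum keyring around to match certificate */
	for(;;){
		if(auth_rpc(rpc, "read", nil, 0) != ARok)
			break;
		pub = strtomp(rpc->arg, nil, 16, nil);
		if(pub == nil)
			break;	/* unparsable reply: fail instead of aborting */
		match = mpcmp(pub, rsapub->n) == 0;
		mpfree(pub);	/* freed every round, not only the last one */
		if(match){
			rsapubfree(rsapub);
			return rpc;
		}
	}
	factotum_rsa_close(rpc);
	rsapubfree(rsapub);
	return nil;
}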
/*
 * Ask factotum to apply the private key selected on rpc to cipher.
 * The number is sent as hex text with a "write", and the answer is
 * fetched with a "read" and parsed back from hex.
 * Returns the result, or nil if the conversion to text or either rpc
 * step fails.
 * Ownership: cipher is freed here only on the success path; on a nil
 * return caused by a failed step it is left untouched.
 * NOTE(review): confirm that callers free cipher when nil comes back.
 */
static mpint*
factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
{
	char *hex;
	int wrote;

	hex = mptoa(cipher, 16, nil, 0);
	if(hex == nil)
		return nil;
	wrote = auth_rpc(rpc, "write", hex, strlen(hex));
	free(hex);
	if(wrote != ARok)
		return nil;
	if(auth_rpc(rpc, "read", nil, 0) != ARok)
		return nil;
	mpfree(cipher);
	return strtomp(rpc->arg, nil, 16, nil);
}
/*
 * Close the factotum conversation: close its file descriptor and free
 * the AuthRpc.  A nil rpc is accepted and ignored.
 */
static void
factotum_rsa_close(AuthRpc*rpc)
{
	if(rpc){
		close(rpc->afd);
		auth_freerpc(rpc);
	}
}
/*
 * HMAC-MD5 expansion step of the TLS PRF.  The seed is the
 * concatenation label, seed0, seed1, fed to hmac_md5 in three chained
 * calls.  Each round produces MD5dlen bytes from HMAC(key, A || seed)
 * and then replaces A with HMAC(key, A).
 * The output is XORed into buf rather than stored, so the caller
 * decides what it is combined with; nbuf bytes are covered, the last
 * round being cut short if nbuf is not a multiple of MD5dlen.
 */
static void
tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
{
	uchar a[MD5dlen], block[MD5dlen];
	MD5state *st;
	int k, take;

	/* first chaining value: HMAC over the seed alone */
	st = hmac_md5(label, nlabel, key, nkey, nil, nil);
	st = hmac_md5(seed0, nseed0, key, nkey, nil, st);
	hmac_md5(seed1, nseed1, key, nkey, a, st);

	for(; nbuf > 0; buf += take, nbuf -= take){
		/* output block: HMAC over chaining value followed by the seed */
		st = hmac_md5(a, MD5dlen, key, nkey, nil, nil);
		st = hmac_md5(label, nlabel, key, nkey, nil, st);
		st = hmac_md5(seed0, nseed0, key, nkey, nil, st);
		hmac_md5(seed1, nseed1, key, nkey, block, st);

		take = nbuf < MD5dlen ? nbuf : MD5dlen;
		for(k = 0; k < take; k++)
			buf[k] ^= block[k];

		/* next chaining value */
		hmac_md5(a, MD5dlen, key, nkey, block, nil);
		memmove(a, block, MD5dlen);
	}
}
/*
 * HMAC-SHA1 expansion step of the TLS PRF; the same construction as
 * tlsPmd5 with SHA1dlen-byte blocks.  The seed is label, seed0, seed1
 * fed to hmac_sha1 in three chained calls.  Each round XORs
 * HMAC(key, A || seed) into buf and then replaces A with HMAC(key, A).
 * nbuf bytes are covered, the last round being cut short if needed.
 */
static void
tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
{
	uchar a[SHA1dlen], block[SHA1dlen];
	SHAstate *st;
	int k, take;

	/* first chaining value: HMAC over the seed alone */
	st = hmac_sha1(label, nlabel, key, nkey, nil, nil);
	st = hmac_sha1(seed0, nseed0, key, nkey, nil, st);
	hmac_sha1(seed1, nseed1, key, nkey, a, st);

	for(; nbuf > 0; buf += take, nbuf -= take){
		/* output block: HMAC over chaining value followed by the seed */
		st = hmac_sha1(a, SHA1dlen, key, nkey, nil, nil);
		st = hmac_sha1(label, nlabel, key, nkey, nil, st);
		st = hmac_sha1(seed0, nseed0, key, nkey, nil, st);
		hmac_sha1(seed1, nseed1, key, nkey, block, st);

		take = nbuf < SHA1dlen ? nbuf : SHA1dlen;
		for(k = 0; k < take; k++)
			buf[k] ^= block[k];

		/* next chaining value */
		hmac_sha1(a, SHA1dlen, key, nkey, block, nil);
		memmove(a, block, SHA1dlen);
	}
}
/*
 * Fill buf with md5(args)^sha1(args).
 * buf is zeroed first; tlsPmd5 and tlsPsha1 then each XOR their stream
 * into it.  The key is split into two halves of (nkey+1)/2 bytes: the
 * MD5 side uses the first half and the SHA1 side the last half, so the
 * halves share the middle byte when nkey is odd.  label is a
 * NUL-terminated string; its length is taken with strlen.
 */
static void
tlsPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
{
	int k, half, nlabel;
	uchar *lab;

	nlabel = strlen(label);
	half = (nkey + 1) >> 1;
	lab = (uchar*)label;

	k = 0;
	while(k < nbuf)
		buf[k++] = 0;
	tlsPmd5(buf, nbuf, key, half, lab, nlabel, seed0, nseed0, seed1, nseed1);
	tlsPsha1(buf, nbuf, key+nkey-half, half, lab, nlabel, seed0, nseed0, seed1, nseed1);
}
/*
 * for setting server session id's
 * sidLock guards maxSid; tlsSecInits takes the lock around maxSid++
 * so each session id gets a distinct counter value within this process.
 */
static Lock sidLock;
static long maxSid = 1;
1724 0fc65b37 2004-03-21 devnull
1725 0fc65b37 2004-03-21 devnull /* the keys are verified to have the same public components
1726 0fc65b37 2004-03-21 devnull * and to function correctly with pkcs 1 encryption and decryption. */
/*
 * Server side: allocate the per-connection security state, record the
 * client's version and random, and generate the server random and a
 * session id.  The server random is copied out through srandom, the
 * session id through ssid, and its length through *nssid.
 *
 * The session id is our pid followed by an incrementing counter, with
 * the rest of the SidSize bytes zero: it is unique, not unpredictable.
 * The client's session id (csid) is ignored here.
 * Setting *nssid to 0 would signal "no sid".
 */
static TlsSec*
tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
{
	TlsSec *sec;
	long id;

	USED(csid); USED(ncsid);	/* ignore csid for now */

	sec = emalloc(sizeof(*sec));
	sec->clientVers = cvers;
	memmove(sec->crandom, crandom, RandomSize);

	/* server random: 4 bytes of time, then RandomSize-4 bytes from genrandom */
	put32(sec->srandom, time(0));
	genrandom(sec->srandom+4, RandomSize-4);
	memmove(srandom, sec->srandom, RandomSize);

	/* take the next counter value under the lock */
	lock(&sidLock);
	id = maxSid++;
	unlock(&sidLock);

	memset(ssid, 0, SidSize);
	put32(ssid, getpid());
	put32(ssid+4, id);
	*nssid = SidSize;
	return sec;
}
1753 0fc65b37 2004-03-21 devnull
/*
 * Server side: derive the key data kd[nkd] for this connection.
 *
 * With an encrypted pre-master secret (epm != nil) the version is set
 * and the master secret is computed from epm.  serverMasterSecret
 * returns nothing, so a bad epm does not make this function fail; the
 * failure is only recorded in sec->ok.
 * With epm == nil the master secret already in sec is reused, and vers
 * must match the version stored in sec.
 *
 * Returns 0 on success; on error sets sec->ok = -1 and returns -1.
 */
static int
tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd)
{
	if(epm == nil){
		if(sec->vers != vers){
			werrstr("mismatched session versions");
			sec->ok = -1;
			return -1;
		}
	}else{
		if(setVers(sec, vers) < 0){
			sec->ok = -1;
			return -1;
		}
		serverMasterSecret(sec, epm, nepm);
	}
	setSecrets(sec, kd, nkd);
	return 0;
}
1771 0fc65b37 2004-03-21 devnull
/*
 * Client side: allocate the per-connection security state, record the
 * client version, and generate the client random (4 bytes of time
 * followed by RandomSize-4 bytes from genrandom).  The random is also
 * copied out through crandom, which must hold RandomSize bytes.
 */
static TlsSec*
tlsSecInitc(int cvers, uchar *crandom)
{
	TlsSec *sec;
	uchar *r;

	sec = emalloc(sizeof(*sec));
	sec->clientVers = cvers;

	r = sec->crandom;
	put32(r, time(0));
	genrandom(r+4, RandomSize-4);
	memmove(crandom, r, RandomSize);
	return sec;
}
1782 0fc65b37 2004-03-21 devnull
/*
 * Client side: record the server random, set the protocol version,
 * extract the RSA public key from the server certificate, generate and
 * encrypt the pre-master secret (returned through *epm / *nepm), and
 * derive the key data kd[nkd].  sid and nsid are unused.
 *
 * Returns 0 on success; on error sets sec->ok = -1 and returns -1.
 *
 * NOTE(review): X509toRSApub is only asked for the public key here; no
 * chain or name validation is visible in this function -- confirm that
 * the caller authenticates the certificate.
 */
static int
tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd)
{
	RSApub *pub;
	int failed;

	USED(sid);
	USED(nsid);

	memmove(sec->srandom, srandom, RandomSize);

	pub = nil;
	failed = setVers(sec, vers) < 0;
	if(!failed){
		pub = X509toRSApub(cert, ncert, nil, 0);
		if(pub == nil){
			werrstr("invalid x509/rsa certificate");
			failed = 1;
		}else if(clientMasterSecret(sec, pub, epm, nepm) < 0)
			failed = 1;
	}

	/* the key is only needed to encrypt the pre-master secret */
	if(pub != nil)
		rsapubfree(pub);

	if(failed){
		sec->ok = -1;
		return -1;
	}
	setSecrets(sec, kd, nkd);
	return 0;
}
1815 0fc65b37 2004-03-21 devnull
/*
 * Compute the Finished verify data into fin[nfin] using the version's
 * setFinished routine.  nfin must equal the length chosen by setVers.
 * md5 and sha1 are passed by value, so the caller's running handshake
 * hashes are not modified; malloced is cleared on the copies before
 * they are handed on (presumably so finishing the digest does not free
 * them -- confirm against libsec).
 *
 * Returns 1 on success; on a length mismatch sets sec->ok = -1 and
 * returns -1.
 */
static int
tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient)
{
	if(sec->nfin == nfin){
		md5.malloced = 0;
		sha1.malloced = 0;
		(*sec->setFinished)(sec, md5, sha1, fin, isclient);
		return 1;
	}

	sec->ok = -1;
	werrstr("invalid finished exchange");
	return -1;
}
1829 0fc65b37 2004-03-21 devnull
/*
 * Mark the handshake as good, unless a state has already been recorded:
 * an earlier failure (ok == -1) is never overwritten.
 */
static void
tlsSecOk(TlsSec *sec)
{
	if(sec->ok != 0)
		return;
	sec->ok = 1;
}
1836 0fc65b37 2004-03-21 devnull
1837 1b1434eb 2004-12-26 devnull /*
1838 0fc65b37 2004-03-21 devnull static void
1839 0fc65b37 2004-03-21 devnull tlsSecKill(TlsSec *sec)
1840 0fc65b37 2004-03-21 devnull {
1841 0fc65b37 2004-03-21 devnull if(!sec)
1842 0fc65b37 2004-03-21 devnull return;
1843 0fc65b37 2004-03-21 devnull factotum_rsa_close(sec->rpc);
1844 0fc65b37 2004-03-21 devnull sec->ok = -1;
1845 0fc65b37 2004-03-21 devnull }
1846 1b1434eb 2004-12-26 devnull */
1847 0fc65b37 2004-03-21 devnull
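/*
 * Release the security state: close the factotum RSA conversation and
 * free sec->server and sec itself.  A nil sec is ignored.
 *
 * The master secret is cleared before the structure is freed, the same
 * way the pre-master secret is cleared elsewhere in this file, so key
 * material is not left behind in freed heap memory.
 */
static void
tlsSecClose(TlsSec *sec)
{
	if(!sec)
		return;
	factotum_rsa_close(sec->rpc);
	free(sec->server);
	memset(sec->sec, 0, MasterSecretSize);
	free(sec);
}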
1857 0fc65b37 2004-03-21 devnull
/*
 * Select the version-specific routines for v: the Finished computation,
 * the Finished length and the PRF.  Only SSL3Version and TLSVersion are
 * accepted.
 *
 * Returns 0 and records v in sec->vers, or -1 with the error string set
 * (sec is left untouched in that case).
 *
 * NOTE(review): HEAD cites rfc2246, so TLSVersion is presumably TLS 1.0;
 * both it and SSL 3.0 are deprecated protocol versions.
 */
static int
setVers(TlsSec *sec, int v)
{
	if(v != SSL3Version && v != TLSVersion){
		werrstr("invalid version");
		return -1;
	}

	if(v == SSL3Version){
		sec->setFinished = sslSetFinished;
		sec->nfin = SSL3FinishedLen;
		sec->prf = sslPRF;
	}else{
		sec->setFinished = tlsSetFinished;
		sec->nfin = TLSFinishedLen;
		sec->prf = tlsPRF;
	}
	sec->vers = v;
	return 0;
}
1876 0fc65b37 2004-03-21 devnull
/*
 * generate secret keys from the master secret.
 *
 * different crypto selections will require different amounts
 * of key expansion and use of key expansion data,
 * but it's all generated using the same function:
 * the version's PRF, keyed with the master secret, labelled
 * "key expansion", and seeded with the server random followed by
 * the client random.  The result fills kd[nkd].
 */
static void
setSecrets(TlsSec *sec, uchar *kd, int nkd)
{
	uchar *sr, *cr;

	sr = sec->srandom;
	cr = sec->crandom;
	(*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
		sr, RandomSize, cr, RandomSize);
}
1890 0fc65b37 2004-03-21 devnull
/*
 * set the master secret from the pre-master secret.
 *
 * The version's PRF is keyed with MasterSecretSize bytes of pm->data,
 * labelled "master secret", and seeded with the client random followed
 * by the server random.  pm->len is not consulted here, so the caller
 * must pass a pre-master secret of at least MasterSecretSize bytes.
 */
static void
setMasterSecret(TlsSec *sec, Bytes *pm)
{
	uchar *cr, *sr;

	cr = sec->crandom;
	sr = sec->srandom;
	(*sec->prf)(sec->sec, MasterSecretSize, pm->data, MasterSecretSize, "master secret",
		cr, RandomSize, sr, RandomSize);
}
1900 0fc65b37 2004-03-21 devnull
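/*
 * Server side: decrypt the client's encrypted pre-master secret
 * epm[nepm] and set the master secret from it.
 *
 * If decryption fails, the pre-master secret has the wrong length, or
 * its leading version does not match the version the client offered,
 * the failure is recorded in sec->ok and the handshake carries on with
 * a random pre-master secret instead.
 */
static void
serverMasterSecret(TlsSec *sec, uchar *epm, int nepm)
{
	Bytes *pm;

	pm = pkcs1_decrypt(sec, epm, nepm);

	/* if the client messed up, just continue as if everything is ok, */
	/* to prevent attacks to check for correctly formatted messages. */
	/* Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client. */
	/*
	 * The length is checked before anything reads pm->data:
	 * setMasterSecret uses MasterSecretSize bytes of it regardless of
	 * pm->len, so a shorter pre-master secret would be read past its end.
	 */
	if(sec->ok < 0 || pm == nil || pm->len != MasterSecretSize
	|| get16(pm->data) != sec->clientVers){
		fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
			sec->ok, pm, (pm != nil && pm->len >= 2) ? get16(pm->data) : -1, sec->clientVers, nepm);
		sec->ok = -1;
		if(pm != nil){
			memset(pm->data, 0, pm->len);
			freebytes(pm);
		}
		pm = newbytes(MasterSecretSize);
		genrandom(pm->data, MasterSecretSize);
	}
	setMasterSecret(sec, pm);
	/* clear the pre-master secret before giving the memory back */
	memset(pm->data, 0, pm->len);
	freebytes(pm);
}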
1924 0fc65b37 2004-03-21 devnull
/*
 * Client side: generate a pre-master secret (the client version in the
 * first two bytes, then MasterSecretSize-2 bytes from genrandom), set
 * the master secret from it, and encrypt it to pub with PKCS#1 block
 * type 2.  The plaintext is cleared as soon as it has been encrypted.
 *
 * On success returns 1 with a malloc'ed copy of the ciphertext in *epm
 * and its length in *nepm; the caller owns that buffer.
 * Returns -1 with the error string set if encryption or allocation
 * fails; the master secret in sec has already been set by then.
 */
static int
clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm)
{
	Bytes *pm, *enc;
	uchar *out;

	pm = newbytes(MasterSecretSize);
	put16(pm->data, sec->clientVers);
	genrandom(pm->data+2, MasterSecretSize - 2);
	setMasterSecret(sec, pm);

	enc = pkcs1_encrypt(pm, pub, 2);
	memset(pm->data, 0, pm->len);
	freebytes(pm);
	if(enc == nil){
		werrstr("tls pkcs1_encrypt failed");
		return -1;
	}

	*nepm = enc->len;
	out = malloc(enc->len);
	*epm = out;
	if(out == nil){
		freebytes(enc);
		werrstr("out of memory");
		return -1;
	}
	memmove(out, enc->data, enc->len);
	freebytes(enc);
	return 1;
}
1957 0fc65b37 2004-03-21 devnull
/*
 * SSL3 Finished value: an MD5 part followed by a SHA1 part, written to
 * finished[0..MD5dlen) and finished[MD5dlen..MD5dlen+SHA1dlen).
 *
 * For each hash the running handshake digest is extended with the
 * sender label ("CLNT" or "SRVR"), the master secret and a pad of 0x36
 * bytes, and finished; the result is then hashed again after the master
 * secret and a pad of 0x5C bytes.  The pad is 48 bytes for MD5 and 40
 * for SHA1.  hsmd5 and hssha1 are by-value copies, so the caller's
 * handshake hashes are left as they were.
 */
static void
sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
{
	DigestState *outer;
	uchar inner5[MD5dlen], inner1[SHA1dlen], pad[48];
	uchar *sender;

	sender = (uchar*)(isClient ? "CLNT" : "SRVR");

	/* MD5 half: inner hash over the handshake so far */
	md5(sender, 4, nil, &hsmd5);
	md5(sec->sec, MasterSecretSize, nil, &hsmd5);
	memset(pad, 0x36, 48);
	md5(pad, 48, nil, &hsmd5);
	md5(nil, 0, inner5, &hsmd5);
	/* outer hash */
	memset(pad, 0x5C, 48);
	outer = md5(sec->sec, MasterSecretSize, nil, nil);
	outer = md5(pad, 48, nil, outer);
	md5(inner5, MD5dlen, finished, outer);

	/* SHA1 half: same construction with a 40 byte pad */
	sha1(sender, 4, nil, &hssha1);
	sha1(sec->sec, MasterSecretSize, nil, &hssha1);
	memset(pad, 0x36, 40);
	sha1(pad, 40, nil, &hssha1);
	sha1(nil, 0, inner1, &hssha1);
	memset(pad, 0x5C, 40);
	outer = sha1(sec->sec, MasterSecretSize, nil, nil);
	outer = sha1(pad, 40, nil, outer);
	sha1(inner1, SHA1dlen, finished + MD5dlen, outer);
}
1990 0fc65b37 2004-03-21 devnull
/*
 * fill "finished" arg with md5(args)^sha1(args):
 * TLSFinishedLen bytes of tlsPRF output, keyed with the master secret,
 * labelled "client finished" or "server finished", and seeded with the
 * MD5 and SHA1 digests of the handshake so far.
 */
static void
tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
{
	uchar md5sum[MD5dlen], sha1sum[SHA1dlen];

	/*
	 * get current hash value, but allow further messages to be hashed in:
	 * hsmd5 and hssha1 are by-value copies, so finishing them here
	 * leaves the caller's running digests usable.
	 */
	md5(nil, 0, md5sum, &hsmd5);
	sha1(nil, 0, sha1sum, &hssha1);

	tlsPRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize,
		isClient ? "client finished" : "server finished",
		md5sum, MD5dlen, sha1sum, SHA1dlen);
}
2008 0fc65b37 2004-03-21 devnull
/*
 * SSL3 key derivation: fill buf[nbuf] with successive MD5 digests.
 * Round k (k = 1, 2, ...) produces
 *	md5(key, sha1(k copies of the letter 'A'-1+k, key, seed0, seed1))
 * and contributes up to MD5dlen bytes.  label is unused.
 *
 * At most 26 rounds are run; if nbuf needs more than that the function
 * returns with the remainder of buf left unwritten.
 */
static void
sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
{
	DigestState *ds;
	uchar sha1dig[SHA1dlen], md5dig[MD5dlen], salt[26];
	int round, take;

	USED(label);
	for(round = 1; nbuf > 0; round++){
		if(round > 26)
			return;

		/* salt is "A", "BB", "CCC", ... */
		memset(salt, 'A' - 1 + round, round);

		ds = sha1(salt, round, nil, nil);
		ds = sha1(key, nkey, nil, ds);
		ds = sha1(seed0, nseed0, nil, ds);
		sha1(seed1, nseed1, sha1dig, ds);

		ds = md5(key, nkey, nil, nil);
		md5(sha1dig, SHA1dlen, md5dig, ds);

		take = nbuf < MD5dlen ? nbuf : MD5dlen;
		memmove(buf, md5dig, take);
		buf += take;
		nbuf -= take;
	}
}
2038 0fc65b37 2004-03-21 devnull
/*
 * Convert Bytes to a newly allocated mpint, reading the data as a
 * big-endian number.  The caller frees the result with mpfree.
 */
static mpint*
bytestomp(Bytes* bytes)
{
	return betomp(bytes->data, bytes->len, nil);
}
2047 0fc65b37 2004-03-21 devnull
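/*
 * Convert mpint* to Bytes, putting high order byte first.
 *
 * mptobe is called with a nil buffer, so it allocates the output and
 * returns it through a.  makebytes copies that data, so the temporary
 * buffer is cleared (it can hold decrypted key material) and freed here
 * instead of being leaked.  big itself is not freed.
 */
static Bytes*
mptobytes(mpint* big)
{
	int n, m;
	uchar *a;
	Bytes* ans;

	a = nil;
	n = (mpsignif(big)+7)/8;
	m = mptobe(big, nil, n, &a);
	ans = makebytes(a, m);
	if(a != nil){
		if(m > 0)
			memset(a, 0, m);
		free(a);
	}
	return ans;
}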
2063 0fc65b37 2004-03-21 devnull
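/*
 * Do RSA computation on block according to key, and pad
 * result on left with zeros to make it modlen long.
 *
 * Returns a new Bytes of exactly modlen bytes; block is not freed.
 */
static Bytes*
rsacomp(Bytes* block, RSApub* key, int modlen)
{
	mpint *x, *y;
	Bytes *a, *ybytes;
	int ylen;

	x = bytestomp(block);
	y = rsaencrypt(key, x, nil);
	mpfree(x);
	ybytes = mptobytes(y);
	mpfree(y);
	ylen = ybytes->len;

	if(ylen != modlen){
		a = newbytes(modlen);
		if(ylen < modlen){
			/* pad on left with zeros */
			memset(a->data, 0, modlen-ylen);
			memmove(a->data+modlen-ylen, ybytes->data, ylen);
		}else{
			/*
			 * assume it has leading zeros (mod should make it so):
			 * drop them and keep the low-order modlen bytes, which sit
			 * at the end of the big-endian encoding.
			 */
			memmove(a->data, ybytes->data+ylen-modlen, modlen);
		}
		freebytes(ybytes);
		ybytes = a;
	}
	return ybytes;
}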
2096 0fc65b37 2004-03-21 devnull
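/*
 * encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
 *
 * Builds the modlen-byte block  00 | blocktype | padding | 00 | data
 * and runs it through rsacomp.  The padding is all 0 for block type 0,
 * all 255 for block type 1, and otherwise bytes from genrandom with any
 * zero byte replaced by 1.
 *
 * Returns the ciphertext, or nil if the modulus is under 12 bytes or
 * data does not leave room for at least 8 bytes of padding.
 * The block holds a copy of the plaintext, so it is cleared before it
 * is freed.
 */
static Bytes*
pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
{
	Bytes *eb, *ans;
	uchar *ps;
	int i, dlen, padlen, modlen;

	modlen = (mpsignif(key->n)+7)/8;
	dlen = data->len;
	if(modlen < 12 || dlen > modlen - 11)
		return nil;
	padlen = modlen - 3 - dlen;

	eb = newbytes(modlen);
	eb->data[0] = 0;
	eb->data[1] = blocktype;

	/* the padding string is generated in place, right after the header */
	ps = eb->data + 2;
	genrandom(ps, padlen);
	for(i = 0; i < padlen; i++) {
		if(blocktype == 0)
			ps[i] = 0;
		else if(blocktype == 1)
			ps[i] = 255;
		else if(ps[i] == 0)
			ps[i] = 1;	/* a zero byte would end the padding early */
	}
	ps[padlen] = 0;
	memmove(ps+padlen+1, data->data, dlen);

	ans = rsacomp(eb, key, modlen);
	memset(eb->data, 0, eb->len);
	freebytes(eb);
	return ans;
}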
2130 0fc65b37 2004-03-21 devnull
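/*
 * decrypt data according to PKCS#1, with given key.
 * expect a block type of 2.
 *
 * epm[nepm] must be exactly as long as the modulus.  The private-key
 * operation is done by factotum.  Returns the recovered payload as a
 * new Bytes, or nil if the length is wrong, factotum fails, or the
 * decrypted block is not  00 | 02 | padding | 00 | payload  with a
 * non-empty payload.
 *
 * nil is the only failure value: the result pointer is kept separate
 * from the working block, so a block with bad padding can never be
 * returned after it has been freed.  The decrypted mpint and the
 * working block are released, and the block is cleared first.
 *
 * NOTE(review): the padding scan stops at the first zero byte, so its
 * running time depends on the plaintext; the visible caller hides the
 * result by substituting a random secret on failure.
 */
static Bytes*
pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm)
{
	Bytes *eb, *padded, *ans;
	int i, modlen;
	mpint *x, *y;

	ans = nil;
	modlen = (mpsignif(sec->rsapub->n)+7)/8;
	if(nepm != modlen)
		return nil;
	x = betomp(epm, nepm, nil);
	/* NOTE(review): who frees x after this call is not visible here -- confirm */
	y = factotum_rsa_decrypt(sec->rpc, x);
	if(y == nil)
		return nil;
	eb = mptobytes(y);
	mpfree(y);
	if(eb->len < modlen){	/* pad on left with zeros */
		padded = newbytes(modlen);
		memset(padded->data, 0, modlen-eb->len);
		memmove(padded->data+modlen-eb->len, eb->data, eb->len);
		memset(eb->data, 0, eb->len);
		freebytes(eb);
		eb = padded;
	}
	if(eb->data[0] == 0 && eb->data[1] == 2) {
		/* skip the padding: the payload starts after the first zero byte */
		for(i = 2; i < modlen; i++)
			if(eb->data[i] == 0)
				break;
		if(i < modlen - 1)
			ans = makebytes(eb->data+i+1, modlen-(i+1));
	}
	memset(eb->data, 0, eb->len);
	freebytes(eb);
	return ans;
}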
2165 0fc65b37 2004-03-21 devnull
2166 0fc65b37 2004-03-21 devnull
2167 cbeb0b26 2006-04-01 devnull /*================= general utility functions ======================== */
2168 0fc65b37 2004-03-21 devnull
/*
 * malloc that never returns nil: the process exits with
 * "out of memory" if the allocation fails.  A request for 0 bytes is
 * treated as 1.  The returned memory is zeroed.
 */
static void *
emalloc(int n)
{
	void *p;
	int size;

	size = n;
	if(size == 0)
		size = 1;
	p = malloc(size);
	if(p == nil){
		exits("out of memory");
	}
	memset(p, 0, size);
	return p;
}
2182 0fc65b37 2004-03-21 devnull
/*
 * realloc that never returns nil: the process exits with
 * "out of memory" if the allocation fails.  A size of 0 is treated as
 * 1, and a nil pointer is handed to emalloc, which zeroes the new
 * block; memory grown by realloc is not zeroed.
 */
static void *
erealloc(void *ReallocP, int ReallocN)
{
	void *p;

	if(ReallocN == 0)
		ReallocN = 1;
	if(ReallocP == nil)
		return emalloc(ReallocN);
	p = realloc(ReallocP, ReallocN);
	if(p == nil){
		exits("out of memory");
	}
	return p;
}
2195 0fc65b37 2004-03-21 devnull
/* store x at p[0..3], most significant byte first */
static void
put32(uchar *p, u32int x)
{
	int i;

	for(i = 3; i >= 0; i--){
		p[i] = x;
		x >>= 8;
	}
}
2204 0fc65b37 2004-03-21 devnull
/* store the low 24 bits of x at p[0..2], most significant byte first */
static void
put24(uchar *p, int x)
{
	p[2] = x;
	p[1] = x>>8;
	p[0] = x>>16;
}
2212 0fc65b37 2004-03-21 devnull
/* store the low 16 bits of x at p[0..1], most significant byte first */
static void
put16(uchar *p, int x)
{
	p[1] = x;
	p[0] = x>>8;
}
2219 0fc65b37 2004-03-21 devnull
2220 1b1434eb 2004-12-26 devnull /*
2221 0fc65b37 2004-03-21 devnull static u32int
2222 0fc65b37 2004-03-21 devnull get32(uchar *p)
2223 0fc65b37 2004-03-21 devnull {
2224 0fc65b37 2004-03-21 devnull return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2225 0fc65b37 2004-03-21 devnull }
2226 1b1434eb 2004-12-26 devnull */
2227 0fc65b37 2004-03-21 devnull
/* read a 24-bit value from p[0..2], most significant byte first */
static int
get24(uchar *p)
{
	int v;

	v = p[0];
	v = (v<<8) | p[1];
	v = (v<<8) | p[2];
	return v;
}
2233 0fc65b37 2004-03-21 devnull
/* read a 16-bit value from p[0..1], most significant byte first */
static int
get16(uchar *p)
{
	int v;

	v = p[0];
	v = (v<<8) | p[1];
	return v;
}
2239 0fc65b37 2004-03-21 devnull
/*
 * ANSI offsetof(): byte offset of member x within struct type s,
 * computed from a null pointer of that type and narrowed to int.
 * newbytes and newints use it to size the header in front of data[].
 */
#define OFFSET(x, s) ((int)(&(((s*)0)->x)))
2242 0fc65b37 2004-03-21 devnull
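/*
 * malloc and return a new Bytes structure capable of
 * holding len bytes. (len >= 0)
 * Used to use crypt_malloc, which aborts if malloc fails.
 *
 * Allocation goes through emalloc, so the result is never nil (the
 * process exits on out of memory) and callers, none of which check the
 * result, cannot dereference a nil pointer.  A negative len is a caller
 * error and aborts instead of under-allocating.  The data is zeroed.
 */
static Bytes*
newbytes(int len)
{
	Bytes* ans;

	if(len < 0)
		abort();
	ans = (Bytes*)emalloc(OFFSET(data[0], Bytes) + len);
	ans->len = len;
	return ans;
}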
2257 0fc65b37 2004-03-21 devnull
/*
 * newbytes(len), with data initialized from buf.
 * buf is copied, so the caller keeps ownership of it.
 */
static Bytes*
makebytes(uchar* buf, int len)
{
	Bytes *b = newbytes(len);

	memmove(b->data, buf, len);
	return b;
}
2270 0fc65b37 2004-03-21 devnull
/*
 * Free a Bytes; nil is ignored.  The contents are not cleared, so
 * callers holding secrets zero b->data themselves first.
 */
static void
freebytes(Bytes* b)
{
	if(b == nil)
		return;
	free(b);
}
2277 0fc65b37 2004-03-21 devnull
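/*
 * Allocate an Ints able to hold len ints.  len is number of ints.
 *
 * Allocation goes through emalloc, so the result is never nil (the
 * process exits on out of memory) and the data is zeroed.  A negative
 * len is a caller error and aborts instead of under-allocating.
 * NOTE(review): len*sizeof(int) is not checked for overflow; callers
 * are assumed to pass small counts.
 */
static Ints*
newints(int len)
{
	Ints* ans;

	if(len < 0)
		abort();
	ans = (Ints*)emalloc(OFFSET(data[0], Ints) + len*sizeof(int));
	ans->len = len;
	return ans;
}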
2288 0fc65b37 2004-03-21 devnull
2289 1b1434eb 2004-12-26 devnull /*
2290 0fc65b37 2004-03-21 devnull static Ints*
2291 0fc65b37 2004-03-21 devnull makeints(int* buf, int len)
2292 0fc65b37 2004-03-21 devnull {
2293 0fc65b37 2004-03-21 devnull Ints* ans;
2294 0fc65b37 2004-03-21 devnull
2295 0fc65b37 2004-03-21 devnull ans = newints(len);
2296 0fc65b37 2004-03-21 devnull if(len > 0)
2297 0fc65b37 2004-03-21 devnull memmove(ans->data, buf, len*sizeof(int));
2298 0fc65b37 2004-03-21 devnull return ans;
2299 0fc65b37 2004-03-21 devnull }
2300 1b1434eb 2004-12-26 devnull */
2301 0fc65b37 2004-03-21 devnull
/* Free an Ints; nil is ignored. */
static void
freeints(Ints* b)
{
	if(b == nil)
		return;
	free(b);
}