TLS now working again.

src/include/gpxe/tls.h

@@ -1,12 +1,171 @@
 #ifndef _GPXE_TLS_H
 #define _GPXE_TLS_H
 
-#include <errno.h>
+/**
+ * @file
+ *
+ * Transport Layer Security Protocol
+ */
 
-struct stream_application;
+#include <stdint.h>
+#include <gpxe/refcnt.h>
+#include <gpxe/filter.h>
+#include <gpxe/process.h>
+#include <gpxe/crypto.h>
+#include <gpxe/md5.h>
+#include <gpxe/sha1.h>
 
-static inline int add_tls ( struct stream_application *app __unused ) {
-	return -ENOTSUP;
-}
+/** A TLS header */
+struct tls_header {
+	/** Content type
+	 *
+	 * This is a TLS_TYPE_XXX constant
+	 */
+	uint8_t type;
+	/** Protocol version
+	 *
+	 * This is a TLS_VERSION_XXX constant
+	 */
+	uint16_t version;
+	/** Length of payload */
+	uint16_t length;
+} __attribute__ (( packed ));
+
+/** TLS version 1.0 */
+#define TLS_VERSION_TLS_1_0 0x0301
+
+/** TLS version 1.1 */
+#define TLS_VERSION_TLS_1_1 0x0302
+
+/** Change cipher content type */
+#define TLS_TYPE_CHANGE_CIPHER 20
+
+/** Alert content type */
+#define TLS_TYPE_ALERT 21
+
+/** Handshake content type */
+#define TLS_TYPE_HANDSHAKE 22
+
+/** Application data content type */
+#define TLS_TYPE_DATA 23
+
+/* Handshake message types */
+#define TLS_HELLO_REQUEST 0
+#define TLS_CLIENT_HELLO 1
+#define TLS_SERVER_HELLO 2
+#define TLS_CERTIFICATE 11
+#define TLS_SERVER_KEY_EXCHANGE 12
+#define TLS_CERTIFICATE_REQUEST 13
+#define TLS_SERVER_HELLO_DONE 14
+#define TLS_CERTIFICATE_VERIFY 15
+#define TLS_CLIENT_KEY_EXCHANGE 16
+#define TLS_FINISHED 20
+
+/* TLS alert levels */
+#define TLS_ALERT_WARNING 1
+#define TLS_ALERT_FATAL 2
+
+/* TLS cipher specifications */
+#define TLS_RSA_WITH_NULL_MD5 0x0001
+#define TLS_RSA_WITH_NULL_SHA 0x0002
+#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002f
+#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
+
+/** TLS RX state machine state */
+enum tls_rx_state {
+	TLS_RX_HEADER = 0,
+	TLS_RX_DATA,
+};
+
+/** TLS TX state machine state */
+enum tls_tx_state {
+	TLS_TX_NONE = 0,
+	TLS_TX_CLIENT_HELLO,
+	TLS_TX_CLIENT_KEY_EXCHANGE,
+	TLS_TX_CHANGE_CIPHER,
+	TLS_TX_FINISHED,
+	TLS_TX_DATA
+};
+
+/** A TLS cipher specification */
+struct tls_cipherspec {
+	/** Public-key encryption algorithm */
+	struct crypto_algorithm *pubkey;
+	/** Bulk encryption cipher algorithm */
+	struct crypto_algorithm *cipher;
+	/** MAC digest algorithm */
+	struct crypto_algorithm *digest;
+	/** Key length */
+	size_t key_len;
+	/** Dynamically-allocated storage */
+	void *dynamic;
+	/** Public key encryption context */
+	void *pubkey_ctx;
+	/** Bulk encryption cipher context */
+	void *cipher_ctx;
+	/** Next bulk encryption cipher context (TX only) */
+	void *cipher_next_ctx;
+	/** MAC secret */
+	void *mac_secret;
+};
+
+/** A TLS session */
+struct tls_session {
+	/** Reference counter */
+	struct refcnt refcnt;
+
+	/** Plaintext stream */
+	struct xfer_filter_half plainstream;
+	/** Ciphertext stream */
+	struct xfer_filter_half cipherstream;
+
+	/** Current TX cipher specification */
+	struct tls_cipherspec tx_cipherspec;
+	/** Next TX cipher specification */
+	struct tls_cipherspec tx_cipherspec_pending;
+	/** Current RX cipher specification */
+	struct tls_cipherspec rx_cipherspec;
+	/** Next RX cipher specification */
+	struct tls_cipherspec rx_cipherspec_pending;
+	/** Premaster secret */
+	uint8_t pre_master_secret[48];
+	/** Master secret */
+	uint8_t master_secret[48];
+	/** Server random bytes */
+	uint8_t server_random[32];
+	/** Client random bytes */
+	uint8_t client_random[32];
+	/** MD5 context for handshake verification */
+	uint8_t handshake_md5_ctx[MD5_CTX_SIZE];
+	/** SHA1 context for handshake verification */
+	uint8_t handshake_sha1_ctx[SHA1_CTX_SIZE];
+
+	/** Hack: server RSA public key */
+	uint8_t *rsa_mod;
+	size_t rsa_mod_len;
+	uint8_t *rsa_pub_exp;
+	size_t rsa_pub_exp_len;
+
+	/** TX sequence number */
+	uint64_t tx_seq;
+	/** TX state */
+	enum tls_tx_state tx_state;
+	/** TX process */
+	struct process process;
+
+	/** RX sequence number */
+	uint64_t rx_seq;
+	/** RX state */
+	enum tls_rx_state rx_state;
+	/** Offset within current RX state */
+	size_t rx_rcvd;
+	/** Current received record header */
+	struct tls_header rx_header;
+	/** Current received raw data buffer */
+	void *rx_data;
+};
+
+extern int add_tls ( struct xfer_interface *xfer,
+		     struct xfer_interface **next );
 
 #endif /* _GPXE_TLS_H */

src/net/tcp/http.c

@@ -468,6 +468,7 @@ static struct xfer_interface_operations http_xfer_operations = {
 static int http_open ( struct xfer_interface *xfer, struct uri *uri ) {
 	struct http_request *http;
 	struct sockaddr_tcpip server;
+	struct xfer_interface *socket;
 	int rc;
 
 	/* Sanity checks */
@@ -487,18 +488,16 @@ static int http_open ( struct xfer_interface *xfer, struct uri *uri ) {
 	/* Open socket */
 	memset ( &server, 0, sizeof ( server ) );
 	server.st_port = htons ( uri_port ( http->uri, HTTP_PORT ) );
-	if ( ( rc = xfer_open_named_socket ( &http->socket, SOCK_STREAM,
-					     ( struct sockaddr * ) &server,
-					     uri->host, NULL ) ) != 0 )
-		goto err;
-
-#if 0
+	socket = &http->socket;
 	if ( strcmp ( http->uri->scheme, "https" ) == 0 ) {
-		st->st_port = htons ( uri_port ( http->uri, HTTPS_PORT ) );
-		if ( ( rc = add_tls ( &http->stream ) ) != 0 )
+		server.st_port = htons ( uri_port ( http->uri, HTTPS_PORT ) );
+		if ( ( rc = add_tls ( socket, &socket ) ) != 0 )
 			goto err;
 	}
-#endif
+	if ( ( rc = xfer_open_named_socket ( socket, SOCK_STREAM,
+					     ( struct sockaddr * ) &server,
+					     uri->host, NULL ) ) != 0 )
+		goto err;
 
 	/* Attach to parent interface, mortalise self, and return */
 	xfer_plug_plug ( &http->xfer, xfer );