You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

tls.c 47KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730
  1. /*
  2. * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
  3. *
  4. * This program is free software; you can redistribute it and/or
  5. * modify it under the terms of the GNU General Public License as
  6. * published by the Free Software Foundation; either version 2 of the
  7. * License, or any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful, but
  10. * WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  12. * General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  17. */
  18. /**
  19. * @file
  20. *
  21. * Transport Layer Security Protocol
  22. */
  23. #include <stdint.h>
  24. #include <stdlib.h>
  25. #include <stdarg.h>
  26. #include <string.h>
  27. #include <errno.h>
  28. #include <byteswap.h>
  29. #include <gpxe/hmac.h>
  30. #include <gpxe/md5.h>
  31. #include <gpxe/sha1.h>
  32. #include <gpxe/aes.h>
  33. #include <gpxe/rsa.h>
  34. #include <gpxe/xfer.h>
  35. #include <gpxe/open.h>
  36. #include <gpxe/filter.h>
  37. #include <gpxe/tls.h>
  38. static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
  39. const void *data, size_t len );
  40. static void tls_clear_cipher ( struct tls_session *tls,
  41. struct tls_cipherspec *cipherspec );
  42. /**
  43. * Free TLS session
  44. *
  45. * @v refcnt Reference counter
  46. */
  47. static void free_tls ( struct refcnt *refcnt ) {
  48. struct tls_session *tls =
  49. container_of ( refcnt, struct tls_session, refcnt );
  50. /* Free dynamically-allocated resources */
  51. tls_clear_cipher ( tls, &tls->tx_cipherspec );
  52. tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
  53. tls_clear_cipher ( tls, &tls->rx_cipherspec );
  54. tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
  55. free ( tls->rsa_mod );
  56. free ( tls->rsa_pub_exp );
  57. free ( tls->rx_data );
  58. /* Free TLS structure itself */
  59. free ( tls );
  60. }
  61. /**
  62. * Finish with TLS session
  63. *
  64. * @v tls TLS session
  65. * @v rc Status code
  66. */
  67. static void tls_close ( struct tls_session *tls, int rc ) {
  68. /* Remove process */
  69. process_del ( &tls->process );
  70. /* Close ciphertext and plaintext streams */
  71. xfer_nullify ( &tls->cipherstream.xfer );
  72. xfer_close ( &tls->cipherstream.xfer, rc );
  73. xfer_nullify ( &tls->plainstream.xfer );
  74. xfer_close ( &tls->plainstream.xfer, rc );
  75. }
  76. /******************************************************************************
  77. *
  78. * Random number generation
  79. *
  80. ******************************************************************************
  81. */
  82. /**
  83. * Generate random data
  84. *
  85. * @v data Buffer to fill
  86. * @v len Length of buffer
  87. */
  88. static void tls_generate_random ( void *data, size_t len ) {
  89. /* FIXME: Some real random data source would be nice... */
  90. memset ( data, 0x01, len );
  91. }
  92. /**
  93. * Update HMAC with a list of ( data, len ) pairs
  94. *
  95. * @v digest Hash function to use
  96. * @v digest_ctx Digest context
  97. * @v args ( data, len ) pairs of data, terminated by NULL
  98. */
  99. static void tls_hmac_update_va ( struct crypto_algorithm *digest,
  100. void *digest_ctx, va_list args ) {
  101. void *data;
  102. size_t len;
  103. while ( ( data = va_arg ( args, void * ) ) ) {
  104. len = va_arg ( args, size_t );
  105. hmac_update ( digest, digest_ctx, data, len );
  106. }
  107. }
  108. /**
  109. * Generate secure pseudo-random data using a single hash function
  110. *
  111. * @v tls TLS session
  112. * @v digest Hash function to use
  113. * @v secret Secret
  114. * @v secret_len Length of secret
  115. * @v out Output buffer
  116. * @v out_len Length of output buffer
  117. * @v seeds ( data, len ) pairs of seed data, terminated by NULL
  118. */
  119. static void tls_p_hash_va ( struct tls_session *tls,
  120. struct crypto_algorithm *digest,
  121. void *secret, size_t secret_len,
  122. void *out, size_t out_len,
  123. va_list seeds ) {
  124. uint8_t secret_copy[secret_len];
  125. uint8_t digest_ctx[digest->ctxsize];
  126. uint8_t digest_ctx_partial[digest->ctxsize];
  127. uint8_t a[digest->digestsize];
  128. uint8_t out_tmp[digest->digestsize];
  129. size_t frag_len = digest->digestsize;
  130. va_list tmp;
  131. /* Copy the secret, in case HMAC modifies it */
  132. memcpy ( secret_copy, secret, secret_len );
  133. secret = secret_copy;
  134. DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
  135. DBGC2_HD ( tls, secret, secret_len );
  136. /* Calculate A(1) */
  137. hmac_init ( digest, digest_ctx, secret, &secret_len );
  138. va_copy ( tmp, seeds );
  139. tls_hmac_update_va ( digest, digest_ctx, tmp );
  140. va_end ( tmp );
  141. hmac_final ( digest, digest_ctx, secret, &secret_len, a );
  142. DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
  143. DBGC2_HD ( tls, &a, sizeof ( a ) );
  144. /* Generate as much data as required */
  145. while ( out_len ) {
  146. /* Calculate output portion */
  147. hmac_init ( digest, digest_ctx, secret, &secret_len );
  148. hmac_update ( digest, digest_ctx, a, sizeof ( a ) );
  149. memcpy ( digest_ctx_partial, digest_ctx, digest->ctxsize );
  150. va_copy ( tmp, seeds );
  151. tls_hmac_update_va ( digest, digest_ctx, tmp );
  152. va_end ( tmp );
  153. hmac_final ( digest, digest_ctx,
  154. secret, &secret_len, out_tmp );
  155. /* Copy output */
  156. if ( frag_len > out_len )
  157. frag_len = out_len;
  158. memcpy ( out, out_tmp, frag_len );
  159. DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
  160. DBGC2_HD ( tls, out, frag_len );
  161. /* Calculate A(i) */
  162. hmac_final ( digest, digest_ctx_partial,
  163. secret, &secret_len, a );
  164. DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
  165. DBGC2_HD ( tls, &a, sizeof ( a ) );
  166. out += frag_len;
  167. out_len -= frag_len;
  168. }
  169. }
  170. /**
  171. * Generate secure pseudo-random data
  172. *
  173. * @v tls TLS session
  174. * @v secret Secret
  175. * @v secret_len Length of secret
  176. * @v out Output buffer
  177. * @v out_len Length of output buffer
  178. * @v ... ( data, len ) pairs of seed data, terminated by NULL
  179. */
  180. static void tls_prf ( struct tls_session *tls, void *secret, size_t secret_len,
  181. void *out, size_t out_len, ... ) {
  182. va_list seeds;
  183. va_list tmp;
  184. size_t subsecret_len;
  185. void *md5_secret;
  186. void *sha1_secret;
  187. uint8_t out_md5[out_len];
  188. uint8_t out_sha1[out_len];
  189. unsigned int i;
  190. va_start ( seeds, out_len );
  191. /* Split secret into two, with an overlap of up to one byte */
  192. subsecret_len = ( ( secret_len + 1 ) / 2 );
  193. md5_secret = secret;
  194. sha1_secret = ( secret + secret_len - subsecret_len );
  195. /* Calculate MD5 portion */
  196. va_copy ( tmp, seeds );
  197. tls_p_hash_va ( tls, &md5_algorithm, md5_secret, subsecret_len,
  198. out_md5, out_len, seeds );
  199. va_end ( tmp );
  200. /* Calculate SHA1 portion */
  201. va_copy ( tmp, seeds );
  202. tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret, subsecret_len,
  203. out_sha1, out_len, seeds );
  204. va_end ( tmp );
  205. /* XOR the two portions together into the final output buffer */
  206. for ( i = 0 ; i < out_len ; i++ ) {
  207. *( ( uint8_t * ) out + i ) = ( out_md5[i] ^ out_sha1[i] );
  208. }
  209. va_end ( seeds );
  210. }
  211. /**
  212. * Generate secure pseudo-random data
  213. *
  214. * @v secret Secret
  215. * @v secret_len Length of secret
  216. * @v out Output buffer
  217. * @v out_len Length of output buffer
  218. * @v label String literal label
  219. * @v ... ( data, len ) pairs of seed data
  220. */
  221. #define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
  222. tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
  223. label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
  224. /******************************************************************************
  225. *
  226. * Secret management
  227. *
  228. ******************************************************************************
  229. */
  230. /**
  231. * Generate master secret
  232. *
  233. * @v tls TLS session
  234. *
  235. * The pre-master secret and the client and server random values must
  236. * already be known.
  237. */
  238. static void tls_generate_master_secret ( struct tls_session *tls ) {
  239. DBGC ( tls, "TLS %p pre-master-secret:\n", tls );
  240. DBGC_HD ( tls, &tls->pre_master_secret,
  241. sizeof ( tls->pre_master_secret ) );
  242. DBGC ( tls, "TLS %p client random bytes:\n", tls );
  243. DBGC_HD ( tls, &tls->client_random, sizeof ( tls->client_random ) );
  244. DBGC ( tls, "TLS %p server random bytes:\n", tls );
  245. DBGC_HD ( tls, &tls->server_random, sizeof ( tls->server_random ) );
  246. tls_prf_label ( tls, &tls->pre_master_secret,
  247. sizeof ( tls->pre_master_secret ),
  248. &tls->master_secret, sizeof ( tls->master_secret ),
  249. "master secret",
  250. &tls->client_random, sizeof ( tls->client_random ),
  251. &tls->server_random, sizeof ( tls->server_random ) );
  252. DBGC ( tls, "TLS %p generated master secret:\n", tls );
  253. DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
  254. }
  255. /**
  256. * Generate key material
  257. *
  258. * @v tls TLS session
  259. *
  260. * The master secret must already be known.
  261. */
  262. static int tls_generate_keys ( struct tls_session *tls ) {
  263. struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending;
  264. struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending;
  265. size_t hash_size = tx_cipherspec->digest->digestsize;
  266. size_t key_size = tx_cipherspec->key_len;
  267. size_t iv_size = tx_cipherspec->cipher->blocksize;
  268. size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
  269. uint8_t key_block[total];
  270. uint8_t *key;
  271. int rc;
  272. /* Generate key block */
  273. tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
  274. key_block, sizeof ( key_block ), "key expansion",
  275. &tls->server_random, sizeof ( tls->server_random ),
  276. &tls->client_random, sizeof ( tls->client_random ) );
  277. /* Split key block into portions */
  278. key = key_block;
  279. /* TX MAC secret */
  280. memcpy ( tx_cipherspec->mac_secret, key, hash_size );
  281. DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
  282. DBGC_HD ( tls, key, hash_size );
  283. key += hash_size;
  284. /* RX MAC secret */
  285. memcpy ( rx_cipherspec->mac_secret, key, hash_size );
  286. DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
  287. DBGC_HD ( tls, key, hash_size );
  288. key += hash_size;
  289. /* TX key */
  290. if ( ( rc = cipher_setkey ( tx_cipherspec->cipher,
  291. tx_cipherspec->cipher_ctx,
  292. key, key_size ) ) != 0 ) {
  293. DBGC ( tls, "TLS %p could not set TX key: %s\n",
  294. tls, strerror ( rc ) );
  295. return rc;
  296. }
  297. DBGC ( tls, "TLS %p TX key:\n", tls );
  298. DBGC_HD ( tls, key, key_size );
  299. key += key_size;
  300. /* RX key */
  301. if ( ( rc = cipher_setkey ( rx_cipherspec->cipher,
  302. rx_cipherspec->cipher_ctx,
  303. key, key_size ) ) != 0 ) {
  304. DBGC ( tls, "TLS %p could not set TX key: %s\n",
  305. tls, strerror ( rc ) );
  306. return rc;
  307. }
  308. /* FIXME: AES needs to be fixed to not require this */
  309. AES_convert_key ( rx_cipherspec->cipher_ctx );
  310. DBGC ( tls, "TLS %p RX key:\n", tls );
  311. DBGC_HD ( tls, key, key_size );
  312. key += key_size;
  313. /* TX initialisation vector */
  314. cipher_setiv ( tx_cipherspec->cipher, tx_cipherspec->cipher_ctx, key );
  315. DBGC ( tls, "TLS %p TX IV:\n", tls );
  316. DBGC_HD ( tls, key, iv_size );
  317. key += iv_size;
  318. /* RX initialisation vector */
  319. cipher_setiv ( rx_cipherspec->cipher, rx_cipherspec->cipher_ctx, key );
  320. DBGC ( tls, "TLS %p RX IV:\n", tls );
  321. DBGC_HD ( tls, key, iv_size );
  322. key += iv_size;
  323. assert ( ( key_block + total ) == key );
  324. return 0;
  325. }
  326. /******************************************************************************
  327. *
  328. * Cipher suite management
  329. *
  330. ******************************************************************************
  331. */
  332. /**
  333. * Clear cipher suite
  334. *
  335. * @v cipherspec TLS cipher specification
  336. */
  337. static void tls_clear_cipher ( struct tls_session *tls __unused,
  338. struct tls_cipherspec *cipherspec ) {
  339. free ( cipherspec->dynamic );
  340. memset ( cipherspec, 0, sizeof ( cipherspec ) );
  341. cipherspec->pubkey = &crypto_null;
  342. cipherspec->cipher = &crypto_null;
  343. cipherspec->digest = &crypto_null;
  344. }
  345. /**
  346. * Set cipher suite
  347. *
  348. * @v tls TLS session
  349. * @v cipherspec TLS cipher specification
  350. * @v pubkey Public-key encryption elgorithm
  351. * @v cipher Bulk encryption cipher algorithm
  352. * @v digest MAC digest algorithm
  353. * @v key_len Key length
  354. * @ret rc Return status code
  355. */
  356. static int tls_set_cipher ( struct tls_session *tls,
  357. struct tls_cipherspec *cipherspec,
  358. struct crypto_algorithm *pubkey,
  359. struct crypto_algorithm *cipher,
  360. struct crypto_algorithm *digest,
  361. size_t key_len ) {
  362. size_t total;
  363. void *dynamic;
  364. /* Clear out old cipher contents, if any */
  365. tls_clear_cipher ( tls, cipherspec );
  366. /* Allocate dynamic storage */
  367. total = ( pubkey->ctxsize + 2 * cipher->ctxsize + digest->digestsize );
  368. dynamic = malloc ( total );
  369. if ( ! dynamic ) {
  370. DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
  371. "context\n", tls, total );
  372. return -ENOMEM;
  373. }
  374. memset ( dynamic, 0, total );
  375. /* Assign storage */
  376. cipherspec->dynamic = dynamic;
  377. cipherspec->pubkey_ctx = dynamic; dynamic += pubkey->ctxsize;
  378. cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
  379. cipherspec->cipher_next_ctx = dynamic; dynamic += cipher->ctxsize;
  380. cipherspec->mac_secret = dynamic; dynamic += digest->digestsize;
  381. assert ( ( cipherspec->dynamic + total ) == dynamic );
  382. /* Store parameters */
  383. cipherspec->pubkey = pubkey;
  384. cipherspec->cipher = cipher;
  385. cipherspec->digest = digest;
  386. cipherspec->key_len = key_len;
  387. return 0;
  388. }
  389. /**
  390. * Select next cipher suite
  391. *
  392. * @v tls TLS session
  393. * @v cipher_suite Cipher suite specification
  394. * @ret rc Return status code
  395. */
  396. static int tls_select_cipher ( struct tls_session *tls,
  397. unsigned int cipher_suite ) {
  398. struct crypto_algorithm *pubkey = &crypto_null;
  399. struct crypto_algorithm *cipher = &crypto_null;
  400. struct crypto_algorithm *digest = &crypto_null;
  401. unsigned int key_len = 0;
  402. int rc;
  403. switch ( cipher_suite ) {
  404. case htons ( TLS_RSA_WITH_AES_128_CBC_SHA ):
  405. key_len = ( 128 / 8 );
  406. cipher = &aes_algorithm;
  407. digest = &sha1_algorithm;
  408. break;
  409. case htons ( TLS_RSA_WITH_AES_256_CBC_SHA ):
  410. key_len = ( 256 / 8 );
  411. cipher = &aes_algorithm;
  412. digest = &sha1_algorithm;
  413. break;
  414. default:
  415. DBGC ( tls, "TLS %p does not support cipher %04x\n",
  416. tls, ntohs ( cipher_suite ) );
  417. return -ENOTSUP;
  418. }
  419. /* Set ciphers */
  420. if ( ( rc = tls_set_cipher ( tls, &tls->tx_cipherspec_pending, pubkey,
  421. cipher, digest, key_len ) ) != 0 )
  422. return rc;
  423. if ( ( rc = tls_set_cipher ( tls, &tls->rx_cipherspec_pending, pubkey,
  424. cipher, digest, key_len ) ) != 0 )
  425. return rc;
  426. DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls,
  427. pubkey->name, cipher->name, ( key_len * 8 ), digest->name );
  428. return 0;
  429. }
  430. /**
  431. * Activate next cipher suite
  432. *
  433. * @v tls TLS session
  434. * @v pending Pending cipher specification
  435. * @v active Active cipher specification to replace
  436. * @ret rc Return status code
  437. */
  438. static int tls_change_cipher ( struct tls_session *tls,
  439. struct tls_cipherspec *pending,
  440. struct tls_cipherspec *active ) {
  441. /* Sanity check */
  442. if ( /* FIXME (when pubkey is not hard-coded to RSA):
  443. * ( pending->pubkey == &crypto_null ) || */
  444. ( pending->cipher == &crypto_null ) ||
  445. ( pending->digest == &crypto_null ) ) {
  446. DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
  447. return -ENOTSUP;
  448. }
  449. tls_clear_cipher ( tls, active );
  450. memswap ( active, pending, sizeof ( *active ) );
  451. return 0;
  452. }
  453. /******************************************************************************
  454. *
  455. * Handshake verification
  456. *
  457. ******************************************************************************
  458. */
  459. /**
  460. * Add handshake record to verification hash
  461. *
  462. * @v tls TLS session
  463. * @v data Handshake record
  464. * @v len Length of handshake record
  465. */
  466. static void tls_add_handshake ( struct tls_session *tls,
  467. const void *data, size_t len ) {
  468. digest_update ( &md5_algorithm, tls->handshake_md5_ctx, data, len );
  469. digest_update ( &sha1_algorithm, tls->handshake_sha1_ctx, data, len );
  470. }
  471. /**
  472. * Calculate handshake verification hash
  473. *
  474. * @v tls TLS session
  475. * @v out Output buffer
  476. *
  477. * Calculates the MD5+SHA1 digest over all handshake messages seen so
  478. * far.
  479. */
  480. static void tls_verify_handshake ( struct tls_session *tls, void *out ) {
  481. struct crypto_algorithm *md5 = &md5_algorithm;
  482. struct crypto_algorithm *sha1 = &sha1_algorithm;
  483. uint8_t md5_ctx[md5->ctxsize];
  484. uint8_t sha1_ctx[sha1->ctxsize];
  485. void *md5_digest = out;
  486. void *sha1_digest = ( out + md5->digestsize );
  487. memcpy ( md5_ctx, tls->handshake_md5_ctx, sizeof ( md5_ctx ) );
  488. memcpy ( sha1_ctx, tls->handshake_sha1_ctx, sizeof ( sha1_ctx ) );
  489. digest_final ( md5, md5_ctx, md5_digest );
  490. digest_final ( sha1, sha1_ctx, sha1_digest );
  491. }
  492. /******************************************************************************
  493. *
  494. * Record handling
  495. *
  496. ******************************************************************************
  497. */
  498. /**
  499. * Transmit Handshake record
  500. *
  501. * @v tls TLS session
  502. * @v data Plaintext record
  503. * @v len Length of plaintext record
  504. * @ret rc Return status code
  505. */
  506. static int tls_send_handshake ( struct tls_session *tls,
  507. void *data, size_t len ) {
  508. /* Add to handshake digest */
  509. tls_add_handshake ( tls, data, len );
  510. /* Send record */
  511. return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
  512. }
  513. /**
  514. * Transmit Client Hello record
  515. *
  516. * @v tls TLS session
  517. * @ret rc Return status code
  518. */
  519. static int tls_send_client_hello ( struct tls_session *tls ) {
  520. struct {
  521. uint32_t type_length;
  522. uint16_t version;
  523. uint8_t random[32];
  524. uint8_t session_id_len;
  525. uint16_t cipher_suite_len;
  526. uint16_t cipher_suites[2];
  527. uint8_t compression_methods_len;
  528. uint8_t compression_methods[1];
  529. } __attribute__ (( packed )) hello;
  530. memset ( &hello, 0, sizeof ( hello ) );
  531. hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
  532. htonl ( sizeof ( hello ) -
  533. sizeof ( hello.type_length ) ) );
  534. hello.version = htons ( TLS_VERSION_TLS_1_0 );
  535. memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
  536. hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
  537. hello.cipher_suites[0] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA );
  538. hello.cipher_suites[1] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA );
  539. hello.compression_methods_len = sizeof ( hello.compression_methods );
  540. return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
  541. }
  542. /**
  543. * Transmit Client Key Exchange record
  544. *
  545. * @v tls TLS session
  546. * @ret rc Return status code
  547. */
  548. static int tls_send_client_key_exchange ( struct tls_session *tls ) {
  549. /* FIXME: Hack alert */
  550. RSA_CTX *rsa_ctx;
  551. RSA_pub_key_new ( &rsa_ctx, tls->rsa_mod, tls->rsa_mod_len,
  552. tls->rsa_pub_exp, tls->rsa_pub_exp_len );
  553. struct {
  554. uint32_t type_length;
  555. uint16_t encrypted_pre_master_secret_len;
  556. uint8_t encrypted_pre_master_secret[rsa_ctx->num_octets];
  557. } __attribute__ (( packed )) key_xchg;
  558. memset ( &key_xchg, 0, sizeof ( key_xchg ) );
  559. key_xchg.type_length = ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
  560. htonl ( sizeof ( key_xchg ) -
  561. sizeof ( key_xchg.type_length ) ) );
  562. key_xchg.encrypted_pre_master_secret_len
  563. = htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) );
  564. /* FIXME: Hack alert */
  565. DBGC ( tls, "RSA encrypting plaintext, modulus, exponent:\n" );
  566. DBGC_HD ( tls, &tls->pre_master_secret,
  567. sizeof ( tls->pre_master_secret ) );
  568. DBGC_HD ( tls, tls->rsa_mod, tls->rsa_mod_len );
  569. DBGC_HD ( tls, tls->rsa_pub_exp, tls->rsa_pub_exp_len );
  570. RSA_encrypt ( rsa_ctx, ( const uint8_t * ) &tls->pre_master_secret,
  571. sizeof ( tls->pre_master_secret ),
  572. key_xchg.encrypted_pre_master_secret, 0 );
  573. DBGC ( tls, "RSA encrypt done. Ciphertext:\n" );
  574. DBGC_HD ( tls, &key_xchg.encrypted_pre_master_secret,
  575. sizeof ( key_xchg.encrypted_pre_master_secret ) );
  576. RSA_free ( rsa_ctx );
  577. return tls_send_handshake ( tls, &key_xchg, sizeof ( key_xchg ) );
  578. }
  579. /**
  580. * Transmit Change Cipher record
  581. *
  582. * @v tls TLS session
  583. * @ret rc Return status code
  584. */
  585. static int tls_send_change_cipher ( struct tls_session *tls ) {
  586. static const uint8_t change_cipher[1] = { 1 };
  587. return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
  588. change_cipher, sizeof ( change_cipher ) );
  589. }
  590. /**
  591. * Transmit Finished record
  592. *
  593. * @v tls TLS session
  594. * @ret rc Return status code
  595. */
  596. static int tls_send_finished ( struct tls_session *tls ) {
  597. struct {
  598. uint32_t type_length;
  599. uint8_t verify_data[12];
  600. } __attribute__ (( packed )) finished;
  601. uint8_t digest[MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE];
  602. memset ( &finished, 0, sizeof ( finished ) );
  603. finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
  604. htonl ( sizeof ( finished ) -
  605. sizeof ( finished.type_length ) ) );
  606. tls_verify_handshake ( tls, digest );
  607. tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
  608. finished.verify_data, sizeof ( finished.verify_data ),
  609. "client finished", digest, sizeof ( digest ) );
  610. return tls_send_handshake ( tls, &finished, sizeof ( finished ) );
  611. }
  612. /**
  613. * Receive new Change Cipher record
  614. *
  615. * @v tls TLS session
  616. * @v data Plaintext record
  617. * @v len Length of plaintext record
  618. * @ret rc Return status code
  619. */
  620. static int tls_new_change_cipher ( struct tls_session *tls,
  621. void *data, size_t len ) {
  622. int rc;
  623. if ( ( len != 1 ) || ( *( ( uint8_t * ) data ) != 1 ) ) {
  624. DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
  625. DBGC_HD ( tls, data, len );
  626. return -EINVAL;
  627. }
  628. if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
  629. &tls->rx_cipherspec ) ) != 0 ) {
  630. DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
  631. tls, strerror ( rc ) );
  632. return rc;
  633. }
  634. tls->rx_seq = ~( ( uint64_t ) 0 );
  635. return 0;
  636. }
  637. /**
  638. * Receive new Alert record
  639. *
  640. * @v tls TLS session
  641. * @v data Plaintext record
  642. * @v len Length of plaintext record
  643. * @ret rc Return status code
  644. */
  645. static int tls_new_alert ( struct tls_session *tls, void *data, size_t len ) {
  646. struct {
  647. uint8_t level;
  648. uint8_t description;
  649. char next[0];
  650. } __attribute__ (( packed )) *alert = data;
  651. void *end = alert->next;
  652. /* Sanity check */
  653. if ( end != ( data + len ) ) {
  654. DBGC ( tls, "TLS %p received overlength Alert\n", tls );
  655. DBGC_HD ( tls, data, len );
  656. return -EINVAL;
  657. }
  658. switch ( alert->level ) {
  659. case TLS_ALERT_WARNING:
  660. DBGC ( tls, "TLS %p received warning alert %d\n",
  661. tls, alert->description );
  662. return 0;
  663. case TLS_ALERT_FATAL:
  664. DBGC ( tls, "TLS %p received fatal alert %d\n",
  665. tls, alert->description );
  666. return -EPERM;
  667. default:
  668. DBGC ( tls, "TLS %p received unknown alert level %d"
  669. "(alert %d)\n", tls, alert->level, alert->description );
  670. return -EIO;
  671. }
  672. }
  673. /**
  674. * Receive new Server Hello record
  675. *
  676. * @v tls TLS session
  677. * @v data Plaintext record
  678. * @v len Length of plaintext record
  679. * @ret rc Return status code
  680. */
  681. static int tls_new_server_hello ( struct tls_session *tls,
  682. void *data, size_t len ) {
  683. struct {
  684. uint32_t type_length;
  685. uint16_t version;
  686. uint8_t random[32];
  687. uint8_t session_id_len;
  688. char next[0];
  689. } __attribute__ (( packed )) *hello_a = data;
  690. struct {
  691. uint8_t session_id[hello_a->session_id_len];
  692. uint16_t cipher_suite;
  693. uint8_t compression_method;
  694. char next[0];
  695. } __attribute__ (( packed )) *hello_b = ( void * ) &hello_a->next;
  696. void *end = hello_b->next;
  697. int rc;
  698. /* Sanity check */
  699. if ( end != ( data + len ) ) {
  700. DBGC ( tls, "TLS %p received overlength Server Hello\n", tls );
  701. DBGC_HD ( tls, data, len );
  702. return -EINVAL;
  703. }
  704. /* Check protocol version */
  705. if ( ntohs ( hello_a->version ) < TLS_VERSION_TLS_1_0 ) {
  706. DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
  707. tls, ( ntohs ( hello_a->version ) >> 8 ),
  708. ( ntohs ( hello_a->version ) & 0xff ) );
  709. return -ENOTSUP;
  710. }
  711. /* Copy out server random bytes */
  712. memcpy ( &tls->server_random, &hello_a->random,
  713. sizeof ( tls->server_random ) );
  714. /* Select cipher suite */
  715. if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
  716. return rc;
  717. /* Generate secrets */
  718. tls_generate_master_secret ( tls );
  719. if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
  720. return rc;
  721. return 0;
  722. }
  723. /**
  724. * Receive new Certificate record
  725. *
  726. * @v tls TLS session
  727. * @v data Plaintext record
  728. * @v len Length of plaintext record
  729. * @ret rc Return status code
  730. */
  731. static int tls_new_certificate ( struct tls_session *tls,
  732. void *data, size_t len ) {
  733. struct {
  734. uint32_t type_length;
  735. uint8_t length[3];
  736. uint8_t first_cert_length[3];
  737. uint8_t asn1_start[0];
  738. } __attribute__ (( packed )) *certificate = data;
  739. uint8_t *cert = certificate->asn1_start;
  740. int offset = 0;
  741. /* FIXME */
  742. (void) len;
  743. if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0 ||
  744. asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0 ||
  745. asn1_skip_obj(cert, &offset, ASN1_EXPLICIT_TAG) ||
  746. asn1_skip_obj(cert, &offset, ASN1_INTEGER) ||
  747. asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) ||
  748. asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) ||
  749. asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) ||
  750. asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) ||
  751. asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0 ||
  752. asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) ||
  753. asn1_next_obj(cert, &offset, ASN1_BIT_STRING) < 0) {
  754. DBGC ( tls, "TLS %p invalid certificate\n", tls );
  755. DBGC_HD ( tls, cert + offset, 64 );
  756. return -EPERM;
  757. }
  758. offset++;
  759. if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) {
  760. DBGC ( tls, "TLS %p invalid certificate\n", tls );
  761. DBGC_HD ( tls, cert + offset, 64 );
  762. return -EPERM;
  763. }
  764. tls->rsa_mod_len = asn1_get_int(cert, &offset, &tls->rsa_mod);
  765. tls->rsa_pub_exp_len = asn1_get_int(cert, &offset, &tls->rsa_pub_exp);
  766. DBGC_HD ( tls, tls->rsa_mod, tls->rsa_mod_len );
  767. DBGC_HD ( tls, tls->rsa_pub_exp, tls->rsa_pub_exp_len );
  768. return 0;
  769. }
  770. /**
  771. * Receive new Server Hello Done record
  772. *
  773. * @v tls TLS session
  774. * @v data Plaintext record
  775. * @v len Length of plaintext record
  776. * @ret rc Return status code
  777. */
  778. static int tls_new_server_hello_done ( struct tls_session *tls,
  779. void *data, size_t len ) {
  780. struct {
  781. uint32_t type_length;
  782. char next[0];
  783. } __attribute__ (( packed )) *hello_done = data;
  784. void *end = hello_done->next;
  785. /* Sanity check */
  786. if ( end != ( data + len ) ) {
  787. DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
  788. tls );
  789. DBGC_HD ( tls, data, len );
  790. return -EINVAL;
  791. }
  792. /* Check that we are ready to send the Client Key Exchange */
  793. if ( tls->tx_state != TLS_TX_NONE ) {
  794. DBGC ( tls, "TLS %p received Server Hello Done while in "
  795. "TX state %d\n", tls, tls->tx_state );
  796. return -EIO;
  797. }
  798. /* Start sending the Client Key Exchange */
  799. tls->tx_state = TLS_TX_CLIENT_KEY_EXCHANGE;
  800. return 0;
  801. }
  802. /**
  803. * Receive new Finished record
  804. *
  805. * @v tls TLS session
  806. * @v data Plaintext record
  807. * @v len Length of plaintext record
  808. * @ret rc Return status code
  809. */
  810. static int tls_new_finished ( struct tls_session *tls,
  811. void *data, size_t len ) {
  812. /* FIXME: Handle this properly */
  813. tls->tx_state = TLS_TX_DATA;
  814. ( void ) data;
  815. ( void ) len;
  816. return 0;
  817. }
  818. /**
  819. * Receive new Handshake record
  820. *
  821. * @v tls TLS session
  822. * @v data Plaintext record
  823. * @v len Length of plaintext record
  824. * @ret rc Return status code
  825. */
  826. static int tls_new_handshake ( struct tls_session *tls,
  827. void *data, size_t len ) {
  828. uint8_t *type = data;
  829. int rc;
  830. switch ( *type ) {
  831. case TLS_SERVER_HELLO:
  832. rc = tls_new_server_hello ( tls, data, len );
  833. break;
  834. case TLS_CERTIFICATE:
  835. rc = tls_new_certificate ( tls, data, len );
  836. break;
  837. case TLS_SERVER_HELLO_DONE:
  838. rc = tls_new_server_hello_done ( tls, data, len );
  839. break;
  840. case TLS_FINISHED:
  841. rc = tls_new_finished ( tls, data, len );
  842. break;
  843. default:
  844. DBGC ( tls, "TLS %p ignoring handshake type %d\n",
  845. tls, *type );
  846. rc = 0;
  847. break;
  848. }
  849. /* Add to handshake digest (except for Hello Requests, which
  850. * are explicitly excludede).
  851. */
  852. if ( *type != TLS_HELLO_REQUEST )
  853. tls_add_handshake ( tls, data, len );
  854. return rc;
  855. }
  856. /**
  857. * Receive new record
  858. *
  859. * @v tls TLS session
  860. * @v type Record type
  861. * @v data Plaintext record
  862. * @v len Length of plaintext record
  863. * @ret rc Return status code
  864. */
  865. static int tls_new_record ( struct tls_session *tls,
  866. unsigned int type, void *data, size_t len ) {
  867. switch ( type ) {
  868. case TLS_TYPE_CHANGE_CIPHER:
  869. return tls_new_change_cipher ( tls, data, len );
  870. case TLS_TYPE_ALERT:
  871. return tls_new_alert ( tls, data, len );
  872. case TLS_TYPE_HANDSHAKE:
  873. return tls_new_handshake ( tls, data, len );
  874. case TLS_TYPE_DATA:
  875. return xfer_deliver_raw ( &tls->plainstream.xfer, data, len );
  876. default:
  877. /* RFC4346 says that we should just ignore unknown
  878. * record types.
  879. */
  880. DBGC ( tls, "TLS %p ignoring record type %d\n", tls, type );
  881. return 0;
  882. }
  883. }
  884. /******************************************************************************
  885. *
  886. * Record encryption/decryption
  887. *
  888. ******************************************************************************
  889. */
  890. /**
  891. * Calculate HMAC
  892. *
  893. * @v tls TLS session
  894. * @v cipherspec Cipher specification
  895. * @v seq Sequence number
  896. * @v tlshdr TLS header
  897. * @v data Data
  898. * @v len Length of data
  899. * @v mac HMAC to fill in
  900. */
  901. static void tls_hmac ( struct tls_session *tls __unused,
  902. struct tls_cipherspec *cipherspec,
  903. uint64_t seq, struct tls_header *tlshdr,
  904. const void *data, size_t len, void *hmac ) {
  905. struct crypto_algorithm *digest = cipherspec->digest;
  906. uint8_t digest_ctx[digest->ctxsize];
  907. hmac_init ( digest, digest_ctx, cipherspec->mac_secret,
  908. &digest->digestsize );
  909. seq = cpu_to_be64 ( seq );
  910. hmac_update ( digest, digest_ctx, &seq, sizeof ( seq ) );
  911. hmac_update ( digest, digest_ctx, tlshdr, sizeof ( *tlshdr ) );
  912. hmac_update ( digest, digest_ctx, data, len );
  913. hmac_final ( digest, digest_ctx, cipherspec->mac_secret,
  914. &digest->digestsize, hmac );
  915. }
  916. /**
  917. * Allocate and assemble stream-ciphered record from data and MAC portions
  918. *
  919. * @v tls TLS session
  920. * @ret data Data
  921. * @ret len Length of data
  922. * @ret digest MAC digest
  923. * @ret plaintext_len Length of plaintext record
  924. * @ret plaintext Allocated plaintext record
  925. */
  926. static void * __malloc tls_assemble_stream ( struct tls_session *tls,
  927. const void *data, size_t len,
  928. void *digest, size_t *plaintext_len ) {
  929. size_t mac_len = tls->tx_cipherspec.digest->digestsize;
  930. void *plaintext;
  931. void *content;
  932. void *mac;
  933. /* Calculate stream-ciphered struct length */
  934. *plaintext_len = ( len + mac_len );
  935. /* Allocate stream-ciphered struct */
  936. plaintext = malloc ( *plaintext_len );
  937. if ( ! plaintext )
  938. return NULL;
  939. content = plaintext;
  940. mac = ( content + len );
  941. /* Fill in stream-ciphered struct */
  942. memcpy ( content, data, len );
  943. memcpy ( mac, digest, mac_len );
  944. return plaintext;
  945. }
  946. /**
  947. * Allocate and assemble block-ciphered record from data and MAC portions
  948. *
  949. * @v tls TLS session
  950. * @ret data Data
  951. * @ret len Length of data
  952. * @ret digest MAC digest
  953. * @ret plaintext_len Length of plaintext record
  954. * @ret plaintext Allocated plaintext record
  955. */
  956. static void * tls_assemble_block ( struct tls_session *tls,
  957. const void *data, size_t len,
  958. void *digest, size_t *plaintext_len ) {
  959. size_t blocksize = tls->tx_cipherspec.cipher->blocksize;
  960. size_t iv_len = blocksize;
  961. size_t mac_len = tls->tx_cipherspec.digest->digestsize;
  962. size_t padding_len;
  963. void *plaintext;
  964. void *iv;
  965. void *content;
  966. void *mac;
  967. void *padding;
  968. /* FIXME: TLSv1.1 has an explicit IV */
  969. iv_len = 0;
  970. /* Calculate block-ciphered struct length */
  971. padding_len = ( ( blocksize - 1 ) & -( iv_len + len + mac_len + 1 ) );
  972. *plaintext_len = ( iv_len + len + mac_len + padding_len + 1 );
  973. /* Allocate block-ciphered struct */
  974. plaintext = malloc ( *plaintext_len );
  975. if ( ! plaintext )
  976. return NULL;
  977. iv = plaintext;
  978. content = ( iv + iv_len );
  979. mac = ( content + len );
  980. padding = ( mac + mac_len );
  981. /* Fill in block-ciphered struct */
  982. memset ( iv, 0, iv_len );
  983. memcpy ( content, data, len );
  984. memcpy ( mac, digest, mac_len );
  985. memset ( padding, padding_len, ( padding_len + 1 ) );
  986. return plaintext;
  987. }
  988. /**
  989. * Send plaintext record
  990. *
  991. * @v tls TLS session
  992. * @v type Record type
  993. * @v data Plaintext record
  994. * @v len Length of plaintext record
  995. * @ret rc Return status code
  996. */
  997. static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
  998. const void *data, size_t len ) {
  999. struct tls_header plaintext_tlshdr;
  1000. struct tls_header *tlshdr;
  1001. struct tls_cipherspec *cipherspec = &tls->tx_cipherspec;
  1002. void *plaintext = NULL;
  1003. size_t plaintext_len;
  1004. struct io_buffer *ciphertext = NULL;
  1005. size_t ciphertext_len;
  1006. size_t mac_len = cipherspec->digest->digestsize;
  1007. uint8_t mac[mac_len];
  1008. int rc;
  1009. /* Construct header */
  1010. plaintext_tlshdr.type = type;
  1011. plaintext_tlshdr.version = htons ( TLS_VERSION_TLS_1_0 );
  1012. plaintext_tlshdr.length = htons ( len );
  1013. /* Calculate MAC */
  1014. tls_hmac ( tls, cipherspec, tls->tx_seq, &plaintext_tlshdr,
  1015. data, len, mac );
  1016. /* Allocate and assemble plaintext struct */
  1017. if ( is_stream_cipher ( cipherspec->cipher ) ) {
  1018. plaintext = tls_assemble_stream ( tls, data, len, mac,
  1019. &plaintext_len );
  1020. } else {
  1021. plaintext = tls_assemble_block ( tls, data, len, mac,
  1022. &plaintext_len );
  1023. }
  1024. if ( ! plaintext ) {
  1025. DBGC ( tls, "TLS %p could not allocate %zd bytes for "
  1026. "plaintext\n", tls, plaintext_len );
  1027. rc = -ENOMEM;
  1028. goto done;
  1029. }
  1030. DBGC2 ( tls, "Sending plaintext data:\n" );
  1031. DBGC2_HD ( tls, plaintext, plaintext_len );
  1032. /* Allocate ciphertext */
  1033. ciphertext_len = ( sizeof ( *tlshdr ) + plaintext_len );
  1034. ciphertext = xfer_alloc_iob ( &tls->cipherstream.xfer,
  1035. ciphertext_len );
  1036. if ( ! ciphertext ) {
  1037. DBGC ( tls, "TLS %p could not allocate %zd bytes for "
  1038. "ciphertext\n", tls, ciphertext_len );
  1039. rc = -ENOMEM;
  1040. goto done;
  1041. }
  1042. /* Assemble ciphertext */
  1043. tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) );
  1044. tlshdr->type = type;
  1045. tlshdr->version = htons ( TLS_VERSION_TLS_1_0 );
  1046. tlshdr->length = htons ( plaintext_len );
  1047. memcpy ( cipherspec->cipher_next_ctx, cipherspec->cipher_ctx,
  1048. cipherspec->cipher->ctxsize );
  1049. if ( ( rc = cipher_encrypt ( cipherspec->cipher,
  1050. cipherspec->cipher_next_ctx, plaintext,
  1051. iob_put ( ciphertext, plaintext_len ),
  1052. plaintext_len ) ) != 0 ) {
  1053. DBGC ( tls, "TLS %p could not encrypt: %s\n",
  1054. tls, strerror ( rc ) );
  1055. DBGC_HD ( tls, plaintext, plaintext_len );
  1056. goto done;
  1057. }
  1058. /* Free plaintext as soon as possible to conserve memory */
  1059. free ( plaintext );
  1060. plaintext = NULL;
  1061. /* Send ciphertext */
  1062. rc = xfer_deliver_iob ( &tls->cipherstream.xfer, ciphertext );
  1063. ciphertext = NULL;
  1064. if ( rc != 0 ) {
  1065. DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
  1066. tls, strerror ( rc ) );
  1067. goto done;
  1068. }
  1069. /* Update TX state machine to next record */
  1070. tls->tx_seq += 1;
  1071. memcpy ( tls->tx_cipherspec.cipher_ctx,
  1072. tls->tx_cipherspec.cipher_next_ctx,
  1073. tls->tx_cipherspec.cipher->ctxsize );
  1074. done:
  1075. free ( plaintext );
  1076. free_iob ( ciphertext );
  1077. return rc;
  1078. }
  1079. /**
  1080. * Split stream-ciphered record into data and MAC portions
  1081. *
  1082. * @v tls TLS session
  1083. * @v plaintext Plaintext record
  1084. * @v plaintext_len Length of record
  1085. * @ret data Data
  1086. * @ret len Length of data
  1087. * @ret digest MAC digest
  1088. * @ret rc Return status code
  1089. */
  1090. static int tls_split_stream ( struct tls_session *tls,
  1091. void *plaintext, size_t plaintext_len,
  1092. void **data, size_t *len, void **digest ) {
  1093. void *content;
  1094. size_t content_len;
  1095. void *mac;
  1096. size_t mac_len;
  1097. /* Decompose stream-ciphered data */
  1098. mac_len = tls->rx_cipherspec.digest->digestsize;
  1099. if ( plaintext_len < mac_len ) {
  1100. DBGC ( tls, "TLS %p received underlength record\n", tls );
  1101. DBGC_HD ( tls, plaintext, plaintext_len );
  1102. return -EINVAL;
  1103. }
  1104. content_len = ( plaintext_len - mac_len );
  1105. content = plaintext;
  1106. mac = ( content + content_len );
  1107. /* Fill in return values */
  1108. *data = content;
  1109. *len = content_len;
  1110. *digest = mac;
  1111. return 0;
  1112. }
  1113. /**
  1114. * Split block-ciphered record into data and MAC portions
  1115. *
  1116. * @v tls TLS session
  1117. * @v plaintext Plaintext record
  1118. * @v plaintext_len Length of record
  1119. * @ret data Data
  1120. * @ret len Length of data
  1121. * @ret digest MAC digest
  1122. * @ret rc Return status code
  1123. */
  1124. static int tls_split_block ( struct tls_session *tls,
  1125. void *plaintext, size_t plaintext_len,
  1126. void **data, size_t *len,
  1127. void **digest ) {
  1128. void *iv;
  1129. size_t iv_len;
  1130. void *content;
  1131. size_t content_len;
  1132. void *mac;
  1133. size_t mac_len;
  1134. void *padding;
  1135. size_t padding_len;
  1136. unsigned int i;
  1137. /* Decompose block-ciphered data */
  1138. if ( plaintext_len < 1 ) {
  1139. DBGC ( tls, "TLS %p received underlength record\n", tls );
  1140. DBGC_HD ( tls, plaintext, plaintext_len );
  1141. return -EINVAL;
  1142. }
  1143. iv_len = tls->rx_cipherspec.cipher->blocksize;
  1144. /* FIXME: TLSv1.1 uses an explicit IV */
  1145. iv_len = 0;
  1146. mac_len = tls->rx_cipherspec.digest->digestsize;
  1147. padding_len = *( ( uint8_t * ) ( plaintext + plaintext_len - 1 ) );
  1148. if ( plaintext_len < ( iv_len + mac_len + padding_len + 1 ) ) {
  1149. DBGC ( tls, "TLS %p received underlength record\n", tls );
  1150. DBGC_HD ( tls, plaintext, plaintext_len );
  1151. return -EINVAL;
  1152. }
  1153. content_len = ( plaintext_len - iv_len - mac_len - padding_len - 1 );
  1154. iv = plaintext;
  1155. content = ( iv + iv_len );
  1156. mac = ( content + content_len );
  1157. padding = ( mac + mac_len );
  1158. /* Verify padding bytes */
  1159. for ( i = 0 ; i < padding_len ; i++ ) {
  1160. if ( *( ( uint8_t * ) ( padding + i ) ) != padding_len ) {
  1161. DBGC ( tls, "TLS %p received bad padding\n", tls );
  1162. DBGC_HD ( tls, plaintext, plaintext_len );
  1163. return -EINVAL;
  1164. }
  1165. }
  1166. /* Fill in return values */
  1167. *data = content;
  1168. *len = content_len;
  1169. *digest = mac;
  1170. return 0;
  1171. }
  1172. /**
  1173. * Receive new ciphertext record
  1174. *
  1175. * @v tls TLS session
  1176. * @v tlshdr Record header
  1177. * @v ciphertext Ciphertext record
  1178. * @ret rc Return status code
  1179. */
  1180. static int tls_new_ciphertext ( struct tls_session *tls,
  1181. struct tls_header *tlshdr, void *ciphertext ) {
  1182. struct tls_header plaintext_tlshdr;
  1183. struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
  1184. size_t record_len = ntohs ( tlshdr->length );
  1185. void *plaintext = NULL;
  1186. void *data;
  1187. size_t len;
  1188. void *mac;
  1189. size_t mac_len = cipherspec->digest->digestsize;
  1190. uint8_t verify_mac[mac_len];
  1191. int rc;
  1192. /* Allocate buffer for plaintext */
  1193. plaintext = malloc ( record_len );
  1194. if ( ! plaintext ) {
  1195. DBGC ( tls, "TLS %p could not allocate %zd bytes for "
  1196. "decryption buffer\n", tls, record_len );
  1197. rc = -ENOMEM;
  1198. goto done;
  1199. }
  1200. /* Decrypt the record */
  1201. if ( ( rc = cipher_decrypt ( cipherspec->cipher,
  1202. cipherspec->cipher_ctx, ciphertext,
  1203. plaintext, record_len ) ) != 0 ) {
  1204. DBGC ( tls, "TLS %p could not decrypt: %s\n",
  1205. tls, strerror ( rc ) );
  1206. DBGC_HD ( tls, ciphertext, record_len );
  1207. goto done;
  1208. }
  1209. /* Split record into content and MAC */
  1210. if ( is_stream_cipher ( cipherspec->cipher ) ) {
  1211. if ( ( rc = tls_split_stream ( tls, plaintext, record_len,
  1212. &data, &len, &mac ) ) != 0 )
  1213. goto done;
  1214. } else {
  1215. if ( ( rc = tls_split_block ( tls, plaintext, record_len,
  1216. &data, &len, &mac ) ) != 0 )
  1217. goto done;
  1218. }
  1219. /* Verify MAC */
  1220. plaintext_tlshdr.type = tlshdr->type;
  1221. plaintext_tlshdr.version = tlshdr->version;
  1222. plaintext_tlshdr.length = htons ( len );
  1223. tls_hmac ( tls, cipherspec, tls->rx_seq, &plaintext_tlshdr,
  1224. data, len, verify_mac);
  1225. if ( memcmp ( mac, verify_mac, mac_len ) != 0 ) {
  1226. DBGC ( tls, "TLS %p failed MAC verification\n", tls );
  1227. DBGC_HD ( tls, plaintext, record_len );
  1228. goto done;
  1229. }
  1230. DBGC2 ( tls, "Received plaintext data:\n" );
  1231. DBGC2_HD ( tls, data, len );
  1232. /* Process plaintext record */
  1233. if ( ( rc = tls_new_record ( tls, tlshdr->type, data, len ) ) != 0 )
  1234. goto done;
  1235. rc = 0;
  1236. done:
  1237. free ( plaintext );
  1238. return rc;
  1239. }
  1240. /******************************************************************************
  1241. *
  1242. * Plaintext stream operations
  1243. *
  1244. ******************************************************************************
  1245. */
  1246. /**
  1247. * Close interface
  1248. *
  1249. * @v xfer Plainstream data transfer interface
  1250. * @v rc Reason for close
  1251. */
  1252. static void tls_plainstream_close ( struct xfer_interface *xfer, int rc ) {
  1253. struct tls_session *tls =
  1254. container_of ( xfer, struct tls_session, plainstream.xfer );
  1255. tls_close ( tls, rc );
  1256. }
  1257. /**
  1258. * Check flow control window
  1259. *
  1260. * @v xfer Plainstream data transfer interface
  1261. * @ret len Length of window
  1262. */
  1263. static size_t tls_plainstream_window ( struct xfer_interface *xfer ) {
  1264. struct tls_session *tls =
  1265. container_of ( xfer, struct tls_session, plainstream.xfer );
  1266. /* Block window unless we are ready to accept data */
  1267. if ( tls->tx_state != TLS_TX_DATA )
  1268. return 0;
  1269. return filter_window ( xfer );
  1270. }
  1271. /**
  1272. * Deliver datagram as raw data
  1273. *
  1274. * @v xfer Plainstream data transfer interface
  1275. * @v data Data buffer
  1276. * @v len Length of data buffer
  1277. * @ret rc Return status code
  1278. */
  1279. static int tls_plainstream_deliver_raw ( struct xfer_interface *xfer,
  1280. const void *data, size_t len ) {
  1281. struct tls_session *tls =
  1282. container_of ( xfer, struct tls_session, plainstream.xfer );
  1283. /* Refuse unless we are ready to accept data */
  1284. if ( tls->tx_state != TLS_TX_DATA )
  1285. return -ENOTCONN;
  1286. return tls_send_plaintext ( tls, TLS_TYPE_DATA, data, len );
  1287. }
  1288. /** TLS plaintext stream operations */
  1289. static struct xfer_interface_operations tls_plainstream_operations = {
  1290. .close = tls_plainstream_close,
  1291. .vredirect = ignore_xfer_vredirect,
  1292. .window = tls_plainstream_window,
  1293. .alloc_iob = default_xfer_alloc_iob,
  1294. .deliver_iob = xfer_deliver_as_raw,
  1295. .deliver_raw = tls_plainstream_deliver_raw,
  1296. };
  1297. /******************************************************************************
  1298. *
  1299. * Ciphertext stream operations
  1300. *
  1301. ******************************************************************************
  1302. */
  1303. /**
  1304. * Close interface
  1305. *
  1306. * @v xfer Plainstream data transfer interface
  1307. * @v rc Reason for close
  1308. */
  1309. static void tls_cipherstream_close ( struct xfer_interface *xfer, int rc ) {
  1310. struct tls_session *tls =
  1311. container_of ( xfer, struct tls_session, cipherstream.xfer );
  1312. tls_close ( tls, rc );
  1313. }
  1314. /**
  1315. * Handle received TLS header
  1316. *
  1317. * @v tls TLS session
  1318. * @ret rc Returned status code
  1319. */
  1320. static int tls_newdata_process_header ( struct tls_session *tls ) {
  1321. size_t data_len = ntohs ( tls->rx_header.length );
  1322. /* Allocate data buffer now that we know the length */
  1323. assert ( tls->rx_data == NULL );
  1324. tls->rx_data = malloc ( data_len );
  1325. if ( ! tls->rx_data ) {
  1326. DBGC ( tls, "TLS %p could not allocate %zd bytes "
  1327. "for receive buffer\n", tls, data_len );
  1328. return -ENOMEM;
  1329. }
  1330. /* Move to data state */
  1331. tls->rx_state = TLS_RX_DATA;
  1332. return 0;
  1333. }
  1334. /**
  1335. * Handle received TLS data payload
  1336. *
  1337. * @v tls TLS session
  1338. * @ret rc Returned status code
  1339. */
  1340. static int tls_newdata_process_data ( struct tls_session *tls ) {
  1341. int rc;
  1342. /* Process record */
  1343. if ( ( rc = tls_new_ciphertext ( tls, &tls->rx_header,
  1344. tls->rx_data ) ) != 0 )
  1345. return rc;
  1346. /* Increment RX sequence number */
  1347. tls->rx_seq += 1;
  1348. /* Free data buffer */
  1349. free ( tls->rx_data );
  1350. tls->rx_data = NULL;
  1351. /* Return to header state */
  1352. tls->rx_state = TLS_RX_HEADER;
  1353. return 0;
  1354. }
  1355. /**
  1356. * Receive new ciphertext
  1357. *
  1358. * @v app Stream application
  1359. * @v data Data received
  1360. * @v len Length of received data
  1361. * @ret rc Return status code
  1362. */
  1363. static int tls_cipherstream_deliver_raw ( struct xfer_interface *xfer,
  1364. const void *data, size_t len ) {
  1365. struct tls_session *tls =
  1366. container_of ( xfer, struct tls_session, cipherstream.xfer );
  1367. size_t frag_len;
  1368. void *buf;
  1369. size_t buf_len;
  1370. int ( * process ) ( struct tls_session *tls );
  1371. int rc;
  1372. while ( len ) {
  1373. /* Select buffer according to current state */
  1374. switch ( tls->rx_state ) {
  1375. case TLS_RX_HEADER:
  1376. buf = &tls->rx_header;
  1377. buf_len = sizeof ( tls->rx_header );
  1378. process = tls_newdata_process_header;
  1379. break;
  1380. case TLS_RX_DATA:
  1381. buf = tls->rx_data;
  1382. buf_len = ntohs ( tls->rx_header.length );
  1383. process = tls_newdata_process_data;
  1384. break;
  1385. default:
  1386. assert ( 0 );
  1387. return -EINVAL;
  1388. }
  1389. /* Copy data portion to buffer */
  1390. frag_len = ( buf_len - tls->rx_rcvd );
  1391. if ( frag_len > len )
  1392. frag_len = len;
  1393. memcpy ( ( buf + tls->rx_rcvd ), data, frag_len );
  1394. tls->rx_rcvd += frag_len;
  1395. data += frag_len;
  1396. len -= frag_len;
  1397. /* Process data if buffer is now full */
  1398. if ( tls->rx_rcvd == buf_len ) {
  1399. if ( ( rc = process ( tls ) ) != 0 ) {
  1400. tls_close ( tls, rc );
  1401. return rc;
  1402. }
  1403. tls->rx_rcvd = 0;
  1404. }
  1405. }
  1406. return 0;
  1407. }
  1408. /** TLS ciphertext stream operations */
  1409. static struct xfer_interface_operations tls_cipherstream_operations = {
  1410. .close = tls_cipherstream_close,
  1411. .vredirect = xfer_vopen,
  1412. .window = filter_window,
  1413. .alloc_iob = default_xfer_alloc_iob,
  1414. .deliver_iob = xfer_deliver_as_raw,
  1415. .deliver_raw = tls_cipherstream_deliver_raw,
  1416. };
  1417. /******************************************************************************
  1418. *
  1419. * Controlling process
  1420. *
  1421. ******************************************************************************
  1422. */
  1423. /**
  1424. * TLS TX state machine
  1425. *
  1426. * @v process TLS process
  1427. */
  1428. static void tls_step ( struct process *process ) {
  1429. struct tls_session *tls =
  1430. container_of ( process, struct tls_session, process );
  1431. int rc;
  1432. /* Wait for cipherstream to become ready */
  1433. if ( ! xfer_window ( &tls->cipherstream.xfer ) )
  1434. return;
  1435. switch ( tls->tx_state ) {
  1436. case TLS_TX_NONE:
  1437. /* Nothing to do */
  1438. break;
  1439. case TLS_TX_CLIENT_HELLO:
  1440. /* Send Client Hello */
  1441. if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
  1442. DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
  1443. tls, strerror ( rc ) );
  1444. goto err;
  1445. }
  1446. tls->tx_state = TLS_TX_NONE;
  1447. break;
  1448. case TLS_TX_CLIENT_KEY_EXCHANGE:
  1449. /* Send Client Key Exchange */
  1450. if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
  1451. DBGC ( tls, "TLS %p could send Client Key Exchange: "
  1452. "%s\n", tls, strerror ( rc ) );
  1453. goto err;
  1454. }
  1455. tls->tx_state = TLS_TX_CHANGE_CIPHER;
  1456. break;
  1457. case TLS_TX_CHANGE_CIPHER:
  1458. /* Send Change Cipher, and then change the cipher in use */
  1459. if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
  1460. DBGC ( tls, "TLS %p could not send Change Cipher: "
  1461. "%s\n", tls, strerror ( rc ) );
  1462. goto err;
  1463. }
  1464. if ( ( rc = tls_change_cipher ( tls,
  1465. &tls->tx_cipherspec_pending,
  1466. &tls->tx_cipherspec )) != 0 ){
  1467. DBGC ( tls, "TLS %p could not activate TX cipher: "
  1468. "%s\n", tls, strerror ( rc ) );
  1469. goto err;
  1470. }
  1471. tls->tx_seq = 0;
  1472. tls->tx_state = TLS_TX_FINISHED;
  1473. break;
  1474. case TLS_TX_FINISHED:
  1475. /* Send Finished */
  1476. if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
  1477. DBGC ( tls, "TLS %p could not send Finished: %s\n",
  1478. tls, strerror ( rc ) );
  1479. goto err;
  1480. }
  1481. tls->tx_state = TLS_TX_NONE;
  1482. break;
  1483. case TLS_TX_DATA:
  1484. /* Nothing to do */
  1485. break;
  1486. default:
  1487. assert ( 0 );
  1488. }
  1489. return;
  1490. err:
  1491. tls_close ( tls, rc );
  1492. }
  1493. /******************************************************************************
  1494. *
  1495. * Instantiator
  1496. *
  1497. ******************************************************************************
  1498. */
  1499. int add_tls ( struct xfer_interface *xfer, struct xfer_interface **next ) {
  1500. struct tls_session *tls;
  1501. /* Allocate and initialise TLS structure */
  1502. tls = malloc ( sizeof ( *tls ) );
  1503. if ( ! tls )
  1504. return -ENOMEM;
  1505. memset ( tls, 0, sizeof ( *tls ) );
  1506. tls->refcnt.free = free_tls;
  1507. filter_init ( &tls->plainstream, &tls_plainstream_operations,
  1508. &tls->cipherstream, &tls_cipherstream_operations,
  1509. &tls->refcnt );
  1510. tls_clear_cipher ( tls, &tls->tx_cipherspec );
  1511. tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
  1512. tls_clear_cipher ( tls, &tls->rx_cipherspec );
  1513. tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
  1514. tls->client_random.gmt_unix_time = 0;
  1515. tls_generate_random ( &tls->client_random.random,
  1516. ( sizeof ( tls->client_random.random ) ) );
  1517. tls->pre_master_secret.version = htons ( TLS_VERSION_TLS_1_0 );
  1518. tls_generate_random ( &tls->pre_master_secret.random,
  1519. ( sizeof ( tls->pre_master_secret.random ) ) );
  1520. digest_init ( &md5_algorithm, tls->handshake_md5_ctx );
  1521. digest_init ( &sha1_algorithm, tls->handshake_sha1_ctx );
  1522. tls->tx_state = TLS_TX_CLIENT_HELLO;
  1523. process_init ( &tls->process, tls_step, &tls->refcnt );
  1524. /* Attach to parent interface, mortalise self, and return */
  1525. xfer_plug_plug ( &tls->plainstream.xfer, xfer );
  1526. *next = &tls->cipherstream.xfer;
  1527. ref_put ( &tls->refcnt );
  1528. return 0;
  1529. }