blob: ded100d0e427959f63270bbe8cc989c242e93691 [file] [log] [blame]
/*
* Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
FILE_LICENCE ( GPL2_OR_LATER );
/**
* @file
*
* Transport Layer Security Protocol
*/
#include <stdint.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <byteswap.h>
#include <ipxe/pending.h>
#include <ipxe/hmac.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/sha256.h>
#include <ipxe/aes.h>
#include <ipxe/rsa.h>
#include <ipxe/iobuf.h>
#include <ipxe/xfer.h>
#include <ipxe/open.h>
#include <ipxe/x509.h>
#include <ipxe/privkey.h>
#include <ipxe/certstore.h>
#include <ipxe/rootcert.h>
#include <ipxe/rbg.h>
#include <ipxe/validator.h>
#include <ipxe/job.h>
#include <ipxe/dhe.h>
#include <ipxe/tls.h>
#include <config/crypto.h>
/* Disambiguate the various error causes */
#define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
#define EINFO_EINVAL_CHANGE_CIPHER \
__einfo_uniqify ( EINFO_EINVAL, 0x01, \
"Invalid Change Cipher record" )
#define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
#define EINFO_EINVAL_ALERT \
__einfo_uniqify ( EINFO_EINVAL, 0x02, \
"Invalid Alert record" )
#define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
#define EINFO_EINVAL_HELLO \
__einfo_uniqify ( EINFO_EINVAL, 0x03, \
"Invalid Server Hello record" )
#define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
#define EINFO_EINVAL_CERTIFICATE \
__einfo_uniqify ( EINFO_EINVAL, 0x04, \
"Invalid Certificate" )
#define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
#define EINFO_EINVAL_CERTIFICATES \
__einfo_uniqify ( EINFO_EINVAL, 0x05, \
"Invalid Server Certificate record" )
#define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
#define EINFO_EINVAL_HELLO_DONE \
__einfo_uniqify ( EINFO_EINVAL, 0x06, \
"Invalid Server Hello Done record" )
#define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
#define EINFO_EINVAL_FINISHED \
__einfo_uniqify ( EINFO_EINVAL, 0x07, \
"Invalid Server Finished record" )
#define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
#define EINFO_EINVAL_HANDSHAKE \
__einfo_uniqify ( EINFO_EINVAL, 0x08, \
"Invalid Handshake record" )
#define EINVAL_IV __einfo_error ( EINFO_EINVAL_IV )
#define EINFO_EINVAL_IV \
__einfo_uniqify ( EINFO_EINVAL, 0x0a, \
"Invalid initialisation vector" )
#define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
#define EINFO_EINVAL_PADDING \
__einfo_uniqify ( EINFO_EINVAL, 0x0b, \
"Invalid block padding" )
#define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
#define EINFO_EINVAL_RX_STATE \
__einfo_uniqify ( EINFO_EINVAL, 0x0c, \
"Invalid receive state" )
#define EINVAL_MAC __einfo_error ( EINFO_EINVAL_MAC )
#define EINFO_EINVAL_MAC \
__einfo_uniqify ( EINFO_EINVAL, 0x0d, \
"Invalid MAC or authentication tag" )
#define EINVAL_TICKET __einfo_error ( EINFO_EINVAL_TICKET )
#define EINFO_EINVAL_TICKET \
__einfo_uniqify ( EINFO_EINVAL, 0x0e, \
"Invalid New Session Ticket record")
#define EINVAL_KEY_EXCHANGE __einfo_error ( EINFO_EINVAL_KEY_EXCHANGE )
#define EINFO_EINVAL_KEY_EXCHANGE \
__einfo_uniqify ( EINFO_EINVAL, 0x0f, \
"Invalid Server Key Exchange record" )
#define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
#define EINFO_EIO_ALERT \
__einfo_uniqify ( EINFO_EIO, 0x01, \
"Unknown alert level" )
#define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
#define EINFO_ENOMEM_CONTEXT \
__einfo_uniqify ( EINFO_ENOMEM, 0x01, \
"Not enough space for crypto context" )
#define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
#define EINFO_ENOMEM_CERTIFICATE \
__einfo_uniqify ( EINFO_ENOMEM, 0x02, \
"Not enough space for certificate" )
#define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
#define EINFO_ENOMEM_CHAIN \
__einfo_uniqify ( EINFO_ENOMEM, 0x03, \
"Not enough space for certificate chain" )
#define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
#define EINFO_ENOMEM_TX_PLAINTEXT \
__einfo_uniqify ( EINFO_ENOMEM, 0x04, \
"Not enough space for transmitted plaintext" )
#define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
#define EINFO_ENOMEM_TX_CIPHERTEXT \
__einfo_uniqify ( EINFO_ENOMEM, 0x05, \
"Not enough space for transmitted ciphertext" )
#define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
#define EINFO_ENOMEM_RX_DATA \
__einfo_uniqify ( EINFO_ENOMEM, 0x07, \
"Not enough space for received data" )
#define ENOMEM_RX_CONCAT __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
#define EINFO_ENOMEM_RX_CONCAT \
__einfo_uniqify ( EINFO_ENOMEM, 0x08, \
"Not enough space to concatenate received data" )
#define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
#define EINFO_ENOTSUP_CIPHER \
__einfo_uniqify ( EINFO_ENOTSUP, 0x01, \
"Unsupported cipher" )
#define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
#define EINFO_ENOTSUP_NULL \
__einfo_uniqify ( EINFO_ENOTSUP, 0x02, \
"Refusing to use null cipher" )
#define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
#define EINFO_ENOTSUP_SIG_HASH \
__einfo_uniqify ( EINFO_ENOTSUP, 0x03, \
"Unsupported signature and hash algorithm" )
#define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
#define EINFO_ENOTSUP_VERSION \
__einfo_uniqify ( EINFO_ENOTSUP, 0x04, \
"Unsupported protocol version" )
#define ENOTSUP_CURVE __einfo_error ( EINFO_ENOTSUP_CURVE )
#define EINFO_ENOTSUP_CURVE \
__einfo_uniqify ( EINFO_ENOTSUP, 0x05, \
"Unsupported elliptic curve" )
#define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
#define EINFO_EPERM_ALERT \
__einfo_uniqify ( EINFO_EPERM, 0x01, \
"Received fatal alert" )
#define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
#define EINFO_EPERM_VERIFY \
__einfo_uniqify ( EINFO_EPERM, 0x02, \
"Handshake verification failed" )
#define EPERM_CLIENT_CERT __einfo_error ( EINFO_EPERM_CLIENT_CERT )
#define EINFO_EPERM_CLIENT_CERT \
__einfo_uniqify ( EINFO_EPERM, 0x03, \
"No suitable client certificate available" )
#define EPERM_RENEG_INSECURE __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
#define EINFO_EPERM_RENEG_INSECURE \
__einfo_uniqify ( EINFO_EPERM, 0x04, \
"Secure renegotiation not supported" )
#define EPERM_RENEG_VERIFY __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
#define EINFO_EPERM_RENEG_VERIFY \
__einfo_uniqify ( EINFO_EPERM, 0x05, \
"Secure renegotiation verification failed" )
#define EPERM_KEY_EXCHANGE __einfo_error ( EINFO_EPERM_KEY_EXCHANGE )
#define EINFO_EPERM_KEY_EXCHANGE \
__einfo_uniqify ( EINFO_EPERM, 0x06, \
"ServerKeyExchange verification failed" )
#define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
#define EINFO_EPROTO_VERSION \
__einfo_uniqify ( EINFO_EPROTO, 0x01, \
"Illegal protocol version upgrade" )
/** List of TLS session */
static LIST_HEAD ( tls_sessions );
static void tls_tx_resume_all ( struct tls_session *session );
static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
const void *data, size_t len );
static void tls_clear_cipher ( struct tls_connection *tls,
struct tls_cipherspec *cipherspec );
/******************************************************************************
*
* Utility functions
*
******************************************************************************
*/
/** A TLS 24-bit integer
*
* TLS uses 24-bit integers in several places, which are awkward to
* parse in C.
*/
typedef struct {
/** High byte */
uint8_t high;
/** Low word */
uint16_t low;
} __attribute__ (( packed )) tls24_t;
/**
* Extract 24-bit field value
*
* @v field24 24-bit field
* @ret value Field value
*
*/
static inline __attribute__ (( always_inline )) unsigned long
tls_uint24 ( const tls24_t *field24 ) {
return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
}
/**
* Set 24-bit field value
*
* @v field24 24-bit field
* @v value Field value
*/
static void tls_set_uint24 ( tls24_t *field24, unsigned long value ) {
field24->high = ( value >> 16 );
field24->low = cpu_to_be16 ( value );
}
/**
* Determine if TLS connection is ready for application data
*
* @v tls TLS connection
* @ret is_ready TLS connection is ready
*/
static int tls_ready ( struct tls_connection *tls ) {
return ( ( ! is_pending ( &tls->client.negotiation ) ) &&
( ! is_pending ( &tls->server.negotiation ) ) );
}
/**
* Check for TLS version
*
* @v tls TLS connection
* @v version TLS version
* @ret at_least TLS connection is using at least the specified version
*
* Check that TLS connection uses at least the specified protocol
* version. Optimise down to a compile-time constant true result if
* this is already guaranteed by the minimum supported version check.
*/
static inline __attribute__ (( always_inline )) int
tls_version ( struct tls_connection *tls, unsigned int version ) {
return ( ( TLS_VERSION_MIN >= version ) ||
( tls->version >= version ) );
}
/******************************************************************************
*
* Hybrid MD5+SHA1 hash as used by TLSv1.1 and earlier
*
******************************************************************************
*/
/**
* Initialise MD5+SHA1 algorithm
*
* @v ctx MD5+SHA1 context
*/
static void md5_sha1_init ( void *ctx ) {
struct md5_sha1_context *context = ctx;
digest_init ( &md5_algorithm, context->md5 );
digest_init ( &sha1_algorithm, context->sha1 );
}
/**
* Accumulate data with MD5+SHA1 algorithm
*
* @v ctx MD5+SHA1 context
* @v data Data
* @v len Length of data
*/
static void md5_sha1_update ( void *ctx, const void *data, size_t len ) {
struct md5_sha1_context *context = ctx;
digest_update ( &md5_algorithm, context->md5, data, len );
digest_update ( &sha1_algorithm, context->sha1, data, len );
}
/**
* Generate MD5+SHA1 digest
*
* @v ctx MD5+SHA1 context
* @v out Output buffer
*/
static void md5_sha1_final ( void *ctx, void *out ) {
struct md5_sha1_context *context = ctx;
struct md5_sha1_digest *digest = out;
digest_final ( &md5_algorithm, context->md5, digest->md5 );
digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
}
/** Hybrid MD5+SHA1 digest algorithm */
static struct digest_algorithm md5_sha1_algorithm = {
.name = "md5+sha1",
.ctxsize = sizeof ( struct md5_sha1_context ),
.blocksize = 0, /* Not applicable */
.digestsize = sizeof ( struct md5_sha1_digest ),
.init = md5_sha1_init,
.update = md5_sha1_update,
.final = md5_sha1_final,
};
/** RSA digestInfo prefix for MD5+SHA1 algorithm */
struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix = {
.digest = &md5_sha1_algorithm,
.data = NULL, /* MD5+SHA1 signatures have no digestInfo */
.len = 0,
};
/******************************************************************************
*
* Cleanup functions
*
******************************************************************************
*/
/**
* Free TLS session
*
* @v refcnt Reference counter
*/
static void free_tls_session ( struct refcnt *refcnt ) {
struct tls_session *session =
container_of ( refcnt, struct tls_session, refcnt );
/* Sanity check */
assert ( list_empty ( &session->conn ) );
/* Remove from list of sessions */
list_del ( &session->list );
/* Free dynamically-allocated resources */
x509_root_put ( session->root );
privkey_put ( session->key );
free ( session->ticket );
/* Free session */
free ( session );
}
/**
* Free TLS connection
*
* @v refcnt Reference counter
*/
static void free_tls ( struct refcnt *refcnt ) {
struct tls_connection *tls =
container_of ( refcnt, struct tls_connection, refcnt );
struct tls_session *session = tls->session;
struct io_buffer *iobuf;
struct io_buffer *tmp;
/* Free dynamically-allocated resources */
free ( tls->new_session_ticket );
tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
free ( tls->server.exchange );
free ( tls->handshake_ctx );
list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
list_del ( &iobuf->list );
free_iob ( iobuf );
}
free_iob ( tls->rx.handshake );
privkey_put ( tls->client.key );
x509_chain_put ( tls->client.chain );
x509_chain_put ( tls->server.chain );
x509_root_put ( tls->server.root );
/* Drop reference to session */
assert ( list_empty ( &tls->list ) );
ref_put ( &session->refcnt );
/* Free TLS structure itself */
free ( tls );
}
/**
* Finish with TLS connection
*
* @v tls TLS connection
* @v rc Status code
*/
static void tls_close ( struct tls_connection *tls, int rc ) {
/* Remove pending operations, if applicable */
pending_put ( &tls->client.negotiation );
pending_put ( &tls->server.negotiation );
pending_put ( &tls->server.validation );
/* Remove process */
process_del ( &tls->tx.process );
/* Close all interfaces */
intf_shutdown ( &tls->cipherstream, rc );
intf_shutdown ( &tls->plainstream, rc );
intf_shutdown ( &tls->server.validator, rc );
/* Remove from session */
list_del ( &tls->list );
INIT_LIST_HEAD ( &tls->list );
/* Resume all other connections, in case we were the lead connection */
tls_tx_resume_all ( tls->session );
}
/******************************************************************************
*
* Random number generation
*
******************************************************************************
*/
/**
* Generate random data
*
* @v tls TLS connection
* @v data Buffer to fill
* @v len Length of buffer
* @ret rc Return status code
*/
static int tls_generate_random ( struct tls_connection *tls,
void *data, size_t len ) {
int rc;
/* Generate random bits with no additional input and without
* prediction resistance
*/
if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
DBGC ( tls, "TLS %p could not generate random data: %s\n",
tls, strerror ( rc ) );
return rc;
}
return 0;
}
/**
* Update HMAC with a list of ( data, len ) pairs
*
* @v digest Hash function to use
* @v ctx HMAC context
* @v args ( data, len ) pairs of data, terminated by NULL
*/
static void tls_hmac_update_va ( struct digest_algorithm *digest,
void *ctx, va_list args ) {
void *data;
size_t len;
while ( ( data = va_arg ( args, void * ) ) ) {
len = va_arg ( args, size_t );
hmac_update ( digest, ctx, data, len );
}
}
/**
* Generate secure pseudo-random data using a single hash function
*
* @v tls TLS connection
* @v digest Hash function to use
* @v secret Secret
* @v secret_len Length of secret
* @v out Output buffer
* @v out_len Length of output buffer
* @v seeds ( data, len ) pairs of seed data, terminated by NULL
*/
static void tls_p_hash_va ( struct tls_connection *tls,
struct digest_algorithm *digest,
const void *secret, size_t secret_len,
void *out, size_t out_len,
va_list seeds ) {
uint8_t ctx[ hmac_ctxsize ( digest ) ];
uint8_t ctx_partial[ sizeof ( ctx ) ];
uint8_t a[digest->digestsize];
uint8_t out_tmp[digest->digestsize];
size_t frag_len = digest->digestsize;
va_list tmp;
DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
DBGC2_HD ( tls, secret, secret_len );
/* Calculate A(1) */
hmac_init ( digest, ctx, secret, secret_len );
va_copy ( tmp, seeds );
tls_hmac_update_va ( digest, ctx, tmp );
va_end ( tmp );
hmac_final ( digest, ctx, a );
DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
DBGC2_HD ( tls, &a, sizeof ( a ) );
/* Generate as much data as required */
while ( out_len ) {
/* Calculate output portion */
hmac_init ( digest, ctx, secret, secret_len );
hmac_update ( digest, ctx, a, sizeof ( a ) );
memcpy ( ctx_partial, ctx, sizeof ( ctx_partial ) );
va_copy ( tmp, seeds );
tls_hmac_update_va ( digest, ctx, tmp );
va_end ( tmp );
hmac_final ( digest, ctx, out_tmp );
/* Copy output */
if ( frag_len > out_len )
frag_len = out_len;
memcpy ( out, out_tmp, frag_len );
DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
DBGC2_HD ( tls, out, frag_len );
/* Calculate A(i) */
hmac_final ( digest, ctx_partial, a );
DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
DBGC2_HD ( tls, &a, sizeof ( a ) );
out += frag_len;
out_len -= frag_len;
}
}
/**
* Generate secure pseudo-random data
*
* @v tls TLS connection
* @v secret Secret
* @v secret_len Length of secret
* @v out Output buffer
* @v out_len Length of output buffer
* @v ... ( data, len ) pairs of seed data, terminated by NULL
*/
static void tls_prf ( struct tls_connection *tls, const void *secret,
size_t secret_len, void *out, size_t out_len, ... ) {
va_list seeds;
va_list tmp;
size_t subsecret_len;
const void *md5_secret;
const void *sha1_secret;
uint8_t buf[out_len];
unsigned int i;
va_start ( seeds, out_len );
if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
/* Use handshake digest PRF for TLSv1.2 and later */
tls_p_hash_va ( tls, tls->handshake_digest, secret, secret_len,
out, out_len, seeds );
} else {
/* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
* and earlier
*/
/* Split secret into two, with an overlap of up to one byte */
subsecret_len = ( ( secret_len + 1 ) / 2 );
md5_secret = secret;
sha1_secret = ( secret + secret_len - subsecret_len );
/* Calculate MD5 portion */
va_copy ( tmp, seeds );
tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
subsecret_len, out, out_len, seeds );
va_end ( tmp );
/* Calculate SHA1 portion */
va_copy ( tmp, seeds );
tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
subsecret_len, buf, out_len, seeds );
va_end ( tmp );
/* XOR the two portions together into the final output buffer */
for ( i = 0 ; i < out_len ; i++ )
*( ( uint8_t * ) out + i ) ^= buf[i];
}
va_end ( seeds );
}
/**
* Generate secure pseudo-random data
*
* @v secret Secret
* @v secret_len Length of secret
* @v out Output buffer
* @v out_len Length of output buffer
* @v label String literal label
* @v ... ( data, len ) pairs of seed data
*/
#define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
/******************************************************************************
*
* Secret management
*
******************************************************************************
*/
/**
* Generate master secret
*
* @v tls TLS connection
* @v pre_master_secret Pre-master secret
* @v pre_master_secret_len Length of pre-master secret
*
* The client and server random values must already be known.
*/
static void tls_generate_master_secret ( struct tls_connection *tls,
const void *pre_master_secret,
size_t pre_master_secret_len ) {
DBGC ( tls, "TLS %p pre-master-secret:\n", tls );
DBGC_HD ( tls, pre_master_secret, pre_master_secret_len );
DBGC ( tls, "TLS %p client random bytes:\n", tls );
DBGC_HD ( tls, &tls->client.random, sizeof ( tls->client.random ) );
DBGC ( tls, "TLS %p server random bytes:\n", tls );
DBGC_HD ( tls, &tls->server.random, sizeof ( tls->server.random ) );
tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
&tls->master_secret, sizeof ( tls->master_secret ),
"master secret",
&tls->client.random, sizeof ( tls->client.random ),
&tls->server.random, sizeof ( tls->server.random ) );
DBGC ( tls, "TLS %p generated master secret:\n", tls );
DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
}
/**
* Generate key material
*
* @v tls TLS connection
*
* The master secret must already be known.
*/
static int tls_generate_keys ( struct tls_connection *tls ) {
struct tls_cipherspec *tx_cipherspec = &tls->tx.cipherspec.pending;
struct tls_cipherspec *rx_cipherspec = &tls->rx.cipherspec.pending;
size_t hash_size = tx_cipherspec->suite->mac_len;
size_t key_size = tx_cipherspec->suite->key_len;
size_t iv_size = tx_cipherspec->suite->fixed_iv_len;
size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
uint8_t key_block[total];
uint8_t *key;
int rc;
/* Generate key block */
tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
key_block, sizeof ( key_block ), "key expansion",
&tls->server.random, sizeof ( tls->server.random ),
&tls->client.random, sizeof ( tls->client.random ) );
/* Split key block into portions */
key = key_block;
/* TX MAC secret */
memcpy ( tx_cipherspec->mac_secret, key, hash_size );
DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
DBGC_HD ( tls, key, hash_size );
key += hash_size;
/* RX MAC secret */
memcpy ( rx_cipherspec->mac_secret, key, hash_size );
DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
DBGC_HD ( tls, key, hash_size );
key += hash_size;
/* TX key */
if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
tx_cipherspec->cipher_ctx,
key, key_size ) ) != 0 ) {
DBGC ( tls, "TLS %p could not set TX key: %s\n",
tls, strerror ( rc ) );
return rc;
}
DBGC ( tls, "TLS %p TX key:\n", tls );
DBGC_HD ( tls, key, key_size );
key += key_size;
/* RX key */
if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
rx_cipherspec->cipher_ctx,
key, key_size ) ) != 0 ) {
DBGC ( tls, "TLS %p could not set TX key: %s\n",
tls, strerror ( rc ) );
return rc;
}
DBGC ( tls, "TLS %p RX key:\n", tls );
DBGC_HD ( tls, key, key_size );
key += key_size;
/* TX initialisation vector */
memcpy ( tx_cipherspec->fixed_iv, key, iv_size );
DBGC ( tls, "TLS %p TX IV:\n", tls );
DBGC_HD ( tls, key, iv_size );
key += iv_size;
/* RX initialisation vector */
memcpy ( rx_cipherspec->fixed_iv, key, iv_size );
DBGC ( tls, "TLS %p RX IV:\n", tls );
DBGC_HD ( tls, key, iv_size );
key += iv_size;
assert ( ( key_block + total ) == key );
return 0;
}
/******************************************************************************
*
* Handshake verification
*
******************************************************************************
*/
/**
* Clear handshake digest algorithm
*
* @v tls TLS connection
*/
static void tls_clear_handshake ( struct tls_connection *tls ) {
/* Select null digest algorithm */
tls->handshake_digest = &digest_null;
/* Free any existing context */
free ( tls->handshake_ctx );
tls->handshake_ctx = NULL;
}
/**
* Select handshake digest algorithm
*
* @v tls TLS connection
* @v digest Handshake digest algorithm
* @ret rc Return status code
*/
static int tls_select_handshake ( struct tls_connection *tls,
struct digest_algorithm *digest ) {
/* Clear existing handshake digest */
tls_clear_handshake ( tls );
/* Allocate and initialise context */
tls->handshake_ctx = malloc ( digest->ctxsize );
if ( ! tls->handshake_ctx )
return -ENOMEM;
tls->handshake_digest = digest;
digest_init ( digest, tls->handshake_ctx );
return 0;
}
/**
* Add handshake record to verification hash
*
* @v tls TLS connection
* @v data Handshake record
* @v len Length of handshake record
* @ret rc Return status code
*/
static int tls_add_handshake ( struct tls_connection *tls,
const void *data, size_t len ) {
struct digest_algorithm *digest = tls->handshake_digest;
digest_update ( digest, tls->handshake_ctx, data, len );
return 0;
}
/**
* Calculate handshake verification hash
*
* @v tls TLS connection
* @v out Output buffer
*
* Calculates the digest over all handshake messages seen so far.
*/
static void tls_verify_handshake ( struct tls_connection *tls, void *out ) {
struct digest_algorithm *digest = tls->handshake_digest;
uint8_t ctx[ digest->ctxsize ];
memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
digest_final ( digest, ctx, out );
}
/******************************************************************************
*
* Cipher suite management
*
******************************************************************************
*/
/** Null cipher suite */
struct tls_cipher_suite tls_cipher_suite_null = {
.exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &pubkey_null,
.cipher = &cipher_null,
.digest = &digest_null,
};
/** Number of supported cipher suites */
#define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
/**
* Identify cipher suite
*
* @v cipher_suite Cipher suite specification
* @ret suite Cipher suite, or NULL
*/
static struct tls_cipher_suite *
tls_find_cipher_suite ( unsigned int cipher_suite ) {
struct tls_cipher_suite *suite;
/* Identify cipher suite */
for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
if ( suite->code == cipher_suite )
return suite;
}
return NULL;
}
/**
* Clear cipher suite
*
* @v cipherspec TLS cipher specification
*/
static void tls_clear_cipher ( struct tls_connection *tls __unused,
struct tls_cipherspec *cipherspec ) {
free ( cipherspec->dynamic );
memset ( cipherspec, 0, sizeof ( *cipherspec ) );
cipherspec->suite = &tls_cipher_suite_null;
}
/**
* Set cipher suite
*
* @v tls TLS connection
* @v cipherspec TLS cipher specification
* @v suite Cipher suite
* @ret rc Return status code
*/
static int tls_set_cipher ( struct tls_connection *tls,
struct tls_cipherspec *cipherspec,
struct tls_cipher_suite *suite ) {
struct cipher_algorithm *cipher = suite->cipher;
size_t total;
void *dynamic;
/* Clear out old cipher contents, if any */
tls_clear_cipher ( tls, cipherspec );
/* Allocate dynamic storage */
total = ( cipher->ctxsize + suite->mac_len + suite->fixed_iv_len );
dynamic = zalloc ( total );
if ( ! dynamic ) {
DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
"context\n", tls, total );
return -ENOMEM_CONTEXT;
}
/* Assign storage */
cipherspec->dynamic = dynamic;
cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
cipherspec->mac_secret = dynamic; dynamic += suite->mac_len;
cipherspec->fixed_iv = dynamic; dynamic += suite->fixed_iv_len;
assert ( ( cipherspec->dynamic + total ) == dynamic );
/* Store parameters */
cipherspec->suite = suite;
return 0;
}
/**
* Select next cipher suite
*
* @v tls TLS connection
* @v cipher_suite Cipher suite specification
* @ret rc Return status code
*/
static int tls_select_cipher ( struct tls_connection *tls,
unsigned int cipher_suite ) {
struct tls_cipher_suite *suite;
struct digest_algorithm *digest;
int rc;
/* Identify cipher suite */
suite = tls_find_cipher_suite ( cipher_suite );
if ( ! suite ) {
DBGC ( tls, "TLS %p does not support cipher %04x\n",
tls, ntohs ( cipher_suite ) );
return -ENOTSUP_CIPHER;
}
/* Set handshake digest algorithm */
digest = ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ?
suite->handshake : &md5_sha1_algorithm );
if ( ( rc = tls_select_handshake ( tls, digest ) ) != 0 )
return rc;
/* Set ciphers */
if ( ( rc = tls_set_cipher ( tls, &tls->tx.cipherspec.pending,
suite ) ) != 0 )
return rc;
if ( ( rc = tls_set_cipher ( tls, &tls->rx.cipherspec.pending,
suite ) ) != 0 )
return rc;
DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
suite->exchange->name, suite->pubkey->name,
suite->cipher->name, ( suite->key_len * 8 ),
suite->digest->name );
return 0;
}
/**
* Activate next cipher suite
*
* @v tls TLS connection
* @v pair Cipher specification pair
* @ret rc Return status code
*/
static int tls_change_cipher ( struct tls_connection *tls,
struct tls_cipherspec_pair *pair ) {
/* Sanity check */
if ( pair->pending.suite == &tls_cipher_suite_null ) {
DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
return -ENOTSUP_NULL;
}
tls_clear_cipher ( tls, &pair->active );
memswap ( &pair->active, &pair->pending, sizeof ( pair->active ) );
return 0;
}
/******************************************************************************
*
* Signature and hash algorithms
*
******************************************************************************
*/
/** Number of supported signature and hash algorithms */
#define TLS_NUM_SIG_HASH_ALGORITHMS \
table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
/**
* Find TLS signature and hash algorithm
*
* @v pubkey Public-key algorithm
* @v digest Digest algorithm
* @ret sig_hash Signature and hash algorithm, or NULL
*/
static struct tls_signature_hash_algorithm *
tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
struct digest_algorithm *digest ) {
struct tls_signature_hash_algorithm *sig_hash;
/* Identify signature and hash algorithm */
for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
if ( ( sig_hash->pubkey == pubkey ) &&
( sig_hash->digest == digest ) ) {
return sig_hash;
}
}
return NULL;
}
/**
* Find TLS signature algorithm
*
* @v code Signature and hash algorithm identifier
* @ret pubkey Public key algorithm, or NULL
*/
static struct pubkey_algorithm *
tls_signature_hash_pubkey ( struct tls_signature_hash_id code ) {
struct tls_signature_hash_algorithm *sig_hash;
/* Identify signature and hash algorithm */
for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
if ( sig_hash->code.signature == code.signature )
return sig_hash->pubkey;
}
return NULL;
}
/**
* Find TLS hash algorithm
*
* @v code Signature and hash algorithm identifier
* @ret digest Digest algorithm, or NULL
*/
static struct digest_algorithm *
tls_signature_hash_digest ( struct tls_signature_hash_id code ) {
struct tls_signature_hash_algorithm *sig_hash;
/* Identify signature and hash algorithm */
for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
if ( sig_hash->code.hash == code.hash )
return sig_hash->digest;
}
return NULL;
}
/******************************************************************************
*
* Ephemeral Elliptic Curve Diffie-Hellman key exchange
*
******************************************************************************
*/
/** Number of supported named curves */
#define TLS_NUM_NAMED_CURVES table_num_entries ( TLS_NAMED_CURVES )
/**
* Identify named curve
*
* @v named_curve Named curve specification
* @ret curve Named curve, or NULL
*/
static struct tls_named_curve *
tls_find_named_curve ( unsigned int named_curve ) {
struct tls_named_curve *curve;
/* Identify named curve */
for_each_table_entry ( curve, TLS_NAMED_CURVES ) {
if ( curve->code == named_curve )
return curve;
}
return NULL;
}
/******************************************************************************
*
* Record handling
*
******************************************************************************
*/
/**
* Resume TX state machine
*
* @v tls TLS connection
*/
static void tls_tx_resume ( struct tls_connection *tls ) {
process_add ( &tls->tx.process );
}
/**
* Resume TX state machine for all connections within a session
*
* @v session TLS session
*/
static void tls_tx_resume_all ( struct tls_session *session ) {
struct tls_connection *tls;
list_for_each_entry ( tls, &session->conn, list )
tls_tx_resume ( tls );
}
/**
* Restart negotiation
*
* @v tls TLS connection
*/
static void tls_restart ( struct tls_connection *tls ) {
/* Sanity check */
assert ( ! tls->tx.pending );
assert ( ! is_pending ( &tls->client.negotiation ) );
assert ( ! is_pending ( &tls->server.negotiation ) );
assert ( ! is_pending ( &tls->server.validation ) );
/* (Re)start negotiation */
tls->tx.pending = TLS_TX_CLIENT_HELLO;
tls_tx_resume ( tls );
pending_get ( &tls->client.negotiation );
pending_get ( &tls->server.negotiation );
}
/**
* Transmit Handshake record
*
* @v tls TLS connection
* @v data Plaintext record
* @v len Length of plaintext record
* @ret rc Return status code
*/
static int tls_send_handshake ( struct tls_connection *tls,
const void *data, size_t len ) {
/* Add to handshake digest */
tls_add_handshake ( tls, data, len );
/* Send record */
return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
}
/**
* Digest or transmit Client Hello record
*
* @v tls TLS connection
* @v action Action to take on Client Hello record
* @ret rc Return status code
*/
static int tls_client_hello ( struct tls_connection *tls,
int ( * action ) ( struct tls_connection *tls,
const void *data,
size_t len ) ) {
struct tls_session *session = tls->session;
size_t name_len = strlen ( session->name );
struct {
uint16_t type;
uint16_t len;
struct {
uint16_t len;
struct {
uint8_t type;
uint16_t len;
uint8_t name[name_len];
} __attribute__ (( packed )) list[1];
} __attribute__ (( packed )) data;
} __attribute__ (( packed )) *server_name_ext;
struct {
uint16_t type;
uint16_t len;
struct {
uint8_t max;
} __attribute__ (( packed )) data;
} __attribute__ (( packed )) *max_fragment_length_ext;
struct {
uint16_t type;
uint16_t len;
struct {
uint16_t len;
struct tls_signature_hash_id
code[TLS_NUM_SIG_HASH_ALGORITHMS];
} __attribute__ (( packed )) data;
} __attribute__ (( packed )) *signature_algorithms_ext;
struct {
uint16_t type;
uint16_t len;
struct {
uint8_t len;
uint8_t data[ tls->secure_renegotiation ?
sizeof ( tls->verify.client ) :0 ];
} __attribute__ (( packed )) data;
} __attribute__ (( packed )) *renegotiation_info_ext;
struct {
uint16_t type;
uint16_t len;
struct {
uint8_t data[session->ticket_len];
} __attribute__ (( packed )) data;
} __attribute__ (( packed )) *session_ticket_ext;
struct {
uint16_t type;
uint16_t len;
struct {
uint16_t len;
uint16_t code[TLS_NUM_NAMED_CURVES];
} __attribute__ (( packed )) data;
} __attribute__ (( packed )) *named_curve_ext;
struct {
typeof ( *server_name_ext ) server_name;
typeof ( *max_fragment_length_ext ) max_fragment_length;
typeof ( *signature_algorithms_ext ) signature_algorithms;
typeof ( *renegotiation_info_ext ) renegotiation_info;
typeof ( *session_ticket_ext ) session_ticket;
typeof ( *named_curve_ext )
named_curve[TLS_NUM_NAMED_CURVES ? 1 : 0];
} __attribute__ (( packed )) *extensions;
struct {
uint32_t type_length;
uint16_t version;
uint8_t random[32];
uint8_t session_id_len;
uint8_t session_id[tls->session_id_len];
uint16_t cipher_suite_len;
uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
uint8_t compression_methods_len;
uint8_t compression_methods[1];
uint16_t extensions_len;
typeof ( *extensions ) extensions;
} __attribute__ (( packed )) hello;
struct tls_cipher_suite *suite;
struct tls_signature_hash_algorithm *sighash;
struct tls_named_curve *curve;
unsigned int i;
/* Construct record */
memset ( &hello, 0, sizeof ( hello ) );
hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
htonl ( sizeof ( hello ) -
sizeof ( hello.type_length ) ) );
hello.version = htons ( TLS_VERSION_MAX );
memcpy ( &hello.random, &tls->client.random, sizeof ( hello.random ) );
hello.session_id_len = tls->session_id_len;
memcpy ( hello.session_id, tls->session_id,
sizeof ( hello.session_id ) );
hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
hello.cipher_suites[i++] = suite->code;
hello.compression_methods_len = sizeof ( hello.compression_methods );
hello.extensions_len = htons ( sizeof ( hello.extensions ) );
extensions = &hello.extensions;
/* Construct server name extension */
server_name_ext = &extensions->server_name;
server_name_ext->type = htons ( TLS_SERVER_NAME );
server_name_ext->len = htons ( sizeof ( server_name_ext->data ) );
server_name_ext->data.len
= htons ( sizeof ( server_name_ext->data.list ) );
server_name_ext->data.list[0].type = TLS_SERVER_NAME_HOST_NAME;
server_name_ext->data.list[0].len
= htons ( sizeof ( server_name_ext->data.list[0].name ) );
memcpy ( server_name_ext->data.list[0].name, session->name,
sizeof ( server_name_ext->data.list[0].name ) );
/* Construct maximum fragment length extension */
max_fragment_length_ext = &extensions->max_fragment_length;
max_fragment_length_ext->type = htons ( TLS_MAX_FRAGMENT_LENGTH );
max_fragment_length_ext->len
= htons ( sizeof ( max_fragment_length_ext->data ) );
max_fragment_length_ext->data.max = TLS_MAX_FRAGMENT_LENGTH_4096;
/* Construct supported signature algorithms extension */
signature_algorithms_ext = &extensions->signature_algorithms;
signature_algorithms_ext->type = htons ( TLS_SIGNATURE_ALGORITHMS );
signature_algorithms_ext->len
= htons ( sizeof ( signature_algorithms_ext->data ) );
signature_algorithms_ext->data.len
= htons ( sizeof ( signature_algorithms_ext->data.code ) );
i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
signature_algorithms_ext->data.code[i++] = sighash->code;
/* Construct renegotiation information extension */
renegotiation_info_ext = &extensions->renegotiation_info;
renegotiation_info_ext->type = htons ( TLS_RENEGOTIATION_INFO );
renegotiation_info_ext->len
= htons ( sizeof ( renegotiation_info_ext->data ) );
renegotiation_info_ext->data.len
= sizeof ( renegotiation_info_ext->data.data );
memcpy ( renegotiation_info_ext->data.data, tls->verify.client,
sizeof ( renegotiation_info_ext->data.data ) );
/* Construct session ticket extension */
session_ticket_ext = &extensions->session_ticket;
session_ticket_ext->type = htons ( TLS_SESSION_TICKET );
session_ticket_ext->len
= htons ( sizeof ( session_ticket_ext->data ) );
memcpy ( session_ticket_ext->data.data, session->ticket,
sizeof ( session_ticket_ext->data.data ) );
/* Construct named curves extension, if applicable */
if ( sizeof ( extensions->named_curve ) ) {
named_curve_ext = &extensions->named_curve[0];
named_curve_ext->type = htons ( TLS_NAMED_CURVE );
named_curve_ext->len
= htons ( sizeof ( named_curve_ext->data ) );
named_curve_ext->data.len
= htons ( sizeof ( named_curve_ext->data.code ) );
i = 0 ; for_each_table_entry ( curve, TLS_NAMED_CURVES )
named_curve_ext->data.code[i++] = curve->code;
}
return action ( tls, &hello, sizeof ( hello ) );
}
/**
* Transmit Client Hello record
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_client_hello ( struct tls_connection *tls ) {
return tls_client_hello ( tls, tls_send_handshake );
}
/**
* Transmit Certificate record
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_certificate ( struct tls_connection *tls ) {
struct {
tls24_t length;
uint8_t data[0];
} __attribute__ (( packed )) *certificate;
struct {
uint32_t type_length;
tls24_t length;
typeof ( *certificate ) certificates[0];
} __attribute__ (( packed )) *certificates;
struct x509_link *link;
struct x509_certificate *cert;
size_t len;
int rc;
/* Calculate length of client certificates */
len = 0;
list_for_each_entry ( link, &tls->client.chain->links, list ) {
cert = link->cert;
len += ( sizeof ( *certificate ) + cert->raw.len );
DBGC ( tls, "TLS %p sending client certificate %s\n",
tls, x509_name ( cert ) );
}
/* Allocate storage for Certificate record (which may be too
* large for the stack).
*/
certificates = zalloc ( sizeof ( *certificates ) + len );
if ( ! certificates )
return -ENOMEM_CERTIFICATE;
/* Populate record */
certificates->type_length =
( cpu_to_le32 ( TLS_CERTIFICATE ) |
htonl ( sizeof ( *certificates ) + len -
sizeof ( certificates->type_length ) ) );
tls_set_uint24 ( &certificates->length, len );
certificate = &certificates->certificates[0];
list_for_each_entry ( link, &tls->client.chain->links, list ) {
cert = link->cert;
tls_set_uint24 ( &certificate->length, cert->raw.len );
memcpy ( certificate->data, cert->raw.data, cert->raw.len );
certificate = ( ( ( void * ) certificate->data ) +
cert->raw.len );
}
/* Transmit record */
rc = tls_send_handshake ( tls, certificates,
( sizeof ( *certificates ) + len ) );
/* Free record */
free ( certificates );
return rc;
}
/**
* Transmit Client Key Exchange record using public key exchange
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_client_key_exchange_pubkey ( struct tls_connection *tls ) {
struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
size_t max_len = pubkey_max_len ( pubkey, &tls->server.key );
struct {
uint16_t version;
uint8_t random[46];
} __attribute__ (( packed )) pre_master_secret;
struct {
uint32_t type_length;
uint16_t encrypted_pre_master_secret_len;
uint8_t encrypted_pre_master_secret[max_len];
} __attribute__ (( packed )) key_xchg;
size_t unused;
int len;
int rc;
/* Generate pre-master secret */
pre_master_secret.version = htons ( TLS_VERSION_MAX );
if ( ( rc = tls_generate_random ( tls, &pre_master_secret.random,
( sizeof ( pre_master_secret.random ) ) ) ) != 0 ) {
return rc;
}
/* Generate master secret */
tls_generate_master_secret ( tls, &pre_master_secret,
sizeof ( pre_master_secret ) );
/* Encrypt pre-master secret using server's public key */
memset ( &key_xchg, 0, sizeof ( key_xchg ) );
len = pubkey_encrypt ( pubkey, &tls->server.key, &pre_master_secret,
sizeof ( pre_master_secret ),
key_xchg.encrypted_pre_master_secret );
if ( len < 0 ) {
rc = len;
DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
tls, strerror ( rc ) );
return rc;
}
unused = ( max_len - len );
key_xchg.type_length =
( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
htonl ( sizeof ( key_xchg ) -
sizeof ( key_xchg.type_length ) - unused ) );
key_xchg.encrypted_pre_master_secret_len =
htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) -
unused );
return tls_send_handshake ( tls, &key_xchg,
( sizeof ( key_xchg ) - unused ) );
}
/** Public key exchange algorithm */
struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm = {
.name = "pubkey",
.exchange = tls_send_client_key_exchange_pubkey,
};
/**
* Verify Diffie-Hellman parameter signature
*
* @v tls TLS connection
* @v param_len Diffie-Hellman parameter length
* @ret rc Return status code
*/
static int tls_verify_dh_params ( struct tls_connection *tls,
size_t param_len ) {
struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
struct pubkey_algorithm *pubkey;
struct digest_algorithm *digest;
int use_sig_hash = tls_version ( tls, TLS_VERSION_TLS_1_2 );
const struct {
struct tls_signature_hash_id sig_hash[use_sig_hash];
uint16_t signature_len;
uint8_t signature[0];
} __attribute__ (( packed )) *sig;
const void *data;
size_t remaining;
int rc;
/* Signature follows parameters */
assert ( param_len <= tls->server.exchange_len );
data = ( tls->server.exchange + param_len );
remaining = ( tls->server.exchange_len - param_len );
/* Parse signature from ServerKeyExchange */
sig = data;
if ( ( sizeof ( *sig ) > remaining ) ||
( ntohs ( sig->signature_len ) > ( remaining -
sizeof ( *sig ) ) ) ) {
DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
tls );
DBGC_HDA ( tls, 0, tls->server.exchange,
tls->server.exchange_len );
return -EINVAL_KEY_EXCHANGE;
}
/* Identify signature and hash algorithm */
if ( use_sig_hash ) {
pubkey = tls_signature_hash_pubkey ( sig->sig_hash[0] );
digest = tls_signature_hash_digest ( sig->sig_hash[0] );
if ( ( ! pubkey ) || ( ! digest ) ) {
DBGC ( tls, "TLS %p ServerKeyExchange unsupported "
"signature and hash algorithm\n", tls );
return -ENOTSUP_SIG_HASH;
}
if ( pubkey != cipherspec->suite->pubkey ) {
DBGC ( tls, "TLS %p ServerKeyExchange incorrect "
"signature algorithm %s (expected %s)\n", tls,
pubkey->name, cipherspec->suite->pubkey->name );
return -EPERM_KEY_EXCHANGE;
}
} else {
pubkey = cipherspec->suite->pubkey;
digest = &md5_sha1_algorithm;
}
/* Verify signature */
{
const void *signature = sig->signature;
size_t signature_len = ntohs ( sig->signature_len );
uint8_t ctx[digest->ctxsize];
uint8_t hash[digest->digestsize];
/* Calculate digest */
digest_init ( digest, ctx );
digest_update ( digest, ctx, &tls->client.random,
sizeof ( tls->client.random ) );
digest_update ( digest, ctx, tls->server.random,
sizeof ( tls->server.random ) );
digest_update ( digest, ctx, tls->server.exchange, param_len );
digest_final ( digest, ctx, hash );
/* Verify signature */
if ( ( rc = pubkey_verify ( pubkey, &tls->server.key,
digest, hash, signature,
signature_len ) ) != 0 ) {
DBGC ( tls, "TLS %p ServerKeyExchange failed "
"verification\n", tls );
DBGC_HDA ( tls, 0, tls->server.exchange,
tls->server.exchange_len );
return -EPERM_KEY_EXCHANGE;
}
}
return 0;
}
/**
* Transmit Client Key Exchange record using DHE key exchange
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_client_key_exchange_dhe ( struct tls_connection *tls ) {
uint8_t private[ sizeof ( tls->client.random.random ) ];
const struct {
uint16_t len;
uint8_t data[0];
} __attribute__ (( packed )) *dh_val[3];
const void *data;
size_t remaining;
size_t frag_len;
size_t param_len;
unsigned int i;
int rc;
/* Parse ServerKeyExchange */
data = tls->server.exchange;
remaining = tls->server.exchange_len;
for ( i = 0 ; i < ( sizeof ( dh_val ) / sizeof ( dh_val[0] ) ) ; i++ ){
dh_val[i] = data;
if ( ( sizeof ( *dh_val[i] ) > remaining ) ||
( ntohs ( dh_val[i]->len ) > ( remaining -
sizeof ( *dh_val[i] ) ) )){
DBGC ( tls, "TLS %p received underlength "
"ServerKeyExchange\n", tls );
DBGC_HDA ( tls, 0, tls->server.exchange,
tls->server.exchange_len );
rc = -EINVAL_KEY_EXCHANGE;
goto err_header;
}
frag_len = ( sizeof ( *dh_val[i] ) + ntohs ( dh_val[i]->len ));
data += frag_len;
remaining -= frag_len;
}
param_len = ( tls->server.exchange_len - remaining );
/* Verify parameter signature */
if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
goto err_verify;
/* Generate Diffie-Hellman private key */
if ( ( rc = tls_generate_random ( tls, private,
sizeof ( private ) ) ) != 0 ) {
goto err_random;
}
/* Construct pre-master secret and ClientKeyExchange record */
{
typeof ( dh_val[0] ) dh_p = dh_val[0];
typeof ( dh_val[1] ) dh_g = dh_val[1];
typeof ( dh_val[2] ) dh_ys = dh_val[2];
size_t len = ntohs ( dh_p->len );
struct {
uint32_t type_length;
uint16_t dh_xs_len;
uint8_t dh_xs[len];
} __attribute__ (( packed )) *key_xchg;
struct {
uint8_t pre_master_secret[len];
typeof ( *key_xchg ) key_xchg;
} *dynamic;
uint8_t *pre_master_secret;
/* Allocate space */
dynamic = malloc ( sizeof ( *dynamic ) );
if ( ! dynamic ) {
rc = -ENOMEM;
goto err_alloc;
}
pre_master_secret = dynamic->pre_master_secret;
key_xchg = &dynamic->key_xchg;
key_xchg->type_length =
( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
htonl ( sizeof ( *key_xchg ) -
sizeof ( key_xchg->type_length ) ) );
key_xchg->dh_xs_len = htons ( len );
/* Calculate pre-master secret and client public value */
if ( ( rc = dhe_key ( dh_p->data, len,
dh_g->data, ntohs ( dh_g->len ),
dh_ys->data, ntohs ( dh_ys->len ),
private, sizeof ( private ),
key_xchg->dh_xs,
pre_master_secret ) ) != 0 ) {
DBGC ( tls, "TLS %p could not calculate DHE key: %s\n",
tls, strerror ( rc ) );
goto err_dhe_key;
}
/* Strip leading zeroes from pre-master secret */
while ( len && ( ! *pre_master_secret ) ) {
pre_master_secret++;
len--;
}
/* Generate master secret */
tls_generate_master_secret ( tls, pre_master_secret, len );
/* Transmit Client Key Exchange record */
if ( ( rc = tls_send_handshake ( tls, key_xchg,
sizeof ( *key_xchg ) ) ) !=0){
goto err_send_handshake;
}
err_send_handshake:
err_dhe_key:
free ( dynamic );
}
err_alloc:
err_random:
err_verify:
err_header:
return rc;
}
/** Ephemeral Diffie-Hellman key exchange algorithm */
struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm = {
.name = "dhe",
.exchange = tls_send_client_key_exchange_dhe,
};
/**
* Transmit Client Key Exchange record using ECDHE key exchange
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
struct tls_named_curve *curve;
const struct {
uint8_t curve_type;
uint16_t named_curve;
uint8_t public_len;
uint8_t public[0];
} __attribute__ (( packed )) *ecdh;
size_t param_len;
int rc;
/* Parse ServerKeyExchange record */
ecdh = tls->server.exchange;
if ( ( sizeof ( *ecdh ) > tls->server.exchange_len ) ||
( ecdh->public_len > ( tls->server.exchange_len -
sizeof ( *ecdh ) ) ) ) {
DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
tls );
DBGC_HDA ( tls, 0, tls->server.exchange,
tls->server.exchange_len );
return -EINVAL_KEY_EXCHANGE;
}
param_len = ( sizeof ( *ecdh ) + ecdh->public_len );
/* Verify parameter signature */
if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
return rc;
/* Identify named curve */
if ( ecdh->curve_type != TLS_NAMED_CURVE_TYPE ) {
DBGC ( tls, "TLS %p unsupported curve type %d\n",
tls, ecdh->curve_type );
DBGC_HDA ( tls, 0, tls->server.exchange,
tls->server.exchange_len );
return -ENOTSUP_CURVE;
}
curve = tls_find_named_curve ( ecdh->named_curve );
if ( ! curve ) {
DBGC ( tls, "TLS %p unsupported named curve %d\n",
tls, ntohs ( ecdh->named_curve ) );
DBGC_HDA ( tls, 0, tls->server.exchange,
tls->server.exchange_len );
return -ENOTSUP_CURVE;
}
/* Check key length */
if ( ecdh->public_len != curve->curve->keysize ) {
DBGC ( tls, "TLS %p invalid %s key\n",
tls, curve->curve->name );
DBGC_HDA ( tls, 0, tls->server.exchange,
tls->server.exchange_len );
return -EINVAL_KEY_EXCHANGE;
}
/* Construct pre-master secret and ClientKeyExchange record */
{
size_t len = curve->curve->keysize;
uint8_t private[len];
uint8_t pre_master_secret[len];
struct {
uint32_t type_length;
uint8_t public_len;
uint8_t public[len];
} __attribute__ (( packed )) key_xchg;
/* Generate ephemeral private key */
if ( ( rc = tls_generate_random ( tls, private,
sizeof ( private ) ) ) != 0){
return rc;
}
/* Calculate pre-master secret */
if ( ( rc = elliptic_multiply ( curve->curve,
ecdh->public, private,
pre_master_secret ) ) != 0 ) {
DBGC ( tls, "TLS %p could not exchange ECDHE key: %s\n",
tls, strerror ( rc ) );
return rc;
}
/* Generate master secret */
tls_generate_master_secret ( tls, pre_master_secret, len );
/* Generate Client Key Exchange record */
key_xchg.type_length =
( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
htonl ( sizeof ( key_xchg ) -
sizeof ( key_xchg.type_length ) ) );
key_xchg.public_len = len;
if ( ( rc = elliptic_multiply ( curve->curve, NULL, private,
key_xchg.public ) ) != 0 ) {
DBGC ( tls, "TLS %p could not generate ECDHE key: %s\n",
tls, strerror ( rc ) );
return rc;
}
/* Transmit Client Key Exchange record */
if ( ( rc = tls_send_handshake ( tls, &key_xchg,
sizeof ( key_xchg ) ) ) !=0){
return rc;
}
}
return 0;
}
/** Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm */
struct tls_key_exchange_algorithm tls_ecdhe_exchange_algorithm = {
.name = "ecdhe",
.exchange = tls_send_client_key_exchange_ecdhe,
};
/**
* Transmit Client Key Exchange record
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
struct tls_cipher_suite *suite = cipherspec->suite;
int rc;
/* Transmit Client Key Exchange record via key exchange algorithm */
if ( ( rc = suite->exchange->exchange ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p could not exchange keys: %s\n",
tls, strerror ( rc ) );
return rc;
}
/* Generate keys from master secret */
if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p could not generate keys: %s\n",
tls, strerror ( rc ) );
return rc;
}
return 0;
}
/**
* Transmit Certificate Verify record
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_certificate_verify ( struct tls_connection *tls ) {
struct digest_algorithm *digest = tls->handshake_digest;
struct x509_certificate *cert = x509_first ( tls->client.chain );
struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
struct asn1_cursor *key = privkey_cursor ( tls->client.key );
uint8_t digest_out[ digest->digestsize ];
struct tls_signature_hash_algorithm *sig_hash = NULL;
int rc;
/* Generate digest to be signed */
tls_verify_handshake ( tls, digest_out );
/* TLSv1.2 and later use explicit algorithm identifiers */
if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
if ( ! sig_hash ) {
DBGC ( tls, "TLS %p could not identify (%s,%s) "
"signature and hash algorithm\n", tls,
pubkey->name, digest->name );
rc = -ENOTSUP_SIG_HASH;
goto err_sig_hash;
}
}
/* Generate and transmit record */
{
size_t max_len = pubkey_max_len ( pubkey, key );
int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
struct {
uint32_t type_length;
struct tls_signature_hash_id sig_hash[use_sig_hash];
uint16_t signature_len;
uint8_t signature[max_len];
} __attribute__ (( packed )) certificate_verify;
size_t unused;
int len;
/* Sign digest */
len = pubkey_sign ( pubkey, key, digest, digest_out,
certificate_verify.signature );
if ( len < 0 ) {
rc = len;
DBGC ( tls, "TLS %p could not sign %s digest using %s "
"client private key: %s\n", tls, digest->name,
pubkey->name, strerror ( rc ) );
goto err_pubkey_sign;
}
unused = ( max_len - len );
/* Construct Certificate Verify record */
certificate_verify.type_length =
( cpu_to_le32 ( TLS_CERTIFICATE_VERIFY ) |
htonl ( sizeof ( certificate_verify ) -
sizeof ( certificate_verify.type_length ) -
unused ) );
if ( use_sig_hash ) {
memcpy ( &certificate_verify.sig_hash[0],
&sig_hash->code,
sizeof ( certificate_verify.sig_hash[0] ) );
}
certificate_verify.signature_len =
htons ( sizeof ( certificate_verify.signature ) -
unused );
/* Transmit record */
rc = tls_send_handshake ( tls, &certificate_verify,
( sizeof ( certificate_verify ) - unused ) );
}
err_pubkey_sign:
err_sig_hash:
return rc;
}
/**
* Transmit Change Cipher record
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_change_cipher ( struct tls_connection *tls ) {
static const struct {
uint8_t spec;
} __attribute__ (( packed )) change_cipher = {
.spec = TLS_CHANGE_CIPHER_SPEC,
};
return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
&change_cipher, sizeof ( change_cipher ) );
}
/**
* Transmit Finished record
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_finished ( struct tls_connection *tls ) {
struct digest_algorithm *digest = tls->handshake_digest;
struct {
uint32_t type_length;
uint8_t verify_data[ sizeof ( tls->verify.client ) ];
} __attribute__ (( packed )) finished;
uint8_t digest_out[ digest->digestsize ];
int rc;
/* Construct client verification data */
tls_verify_handshake ( tls, digest_out );
tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
tls->verify.client, sizeof ( tls->verify.client ),
"client finished", digest_out, sizeof ( digest_out ) );
/* Construct record */
memset ( &finished, 0, sizeof ( finished ) );
finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
htonl ( sizeof ( finished ) -
sizeof ( finished.type_length ) ) );
memcpy ( finished.verify_data, tls->verify.client,
sizeof ( finished.verify_data ) );
/* Transmit record */
if ( ( rc = tls_send_handshake ( tls, &finished,
sizeof ( finished ) ) ) != 0 )
return rc;
/* Mark client as finished */
pending_put ( &tls->client.negotiation );
return 0;
}
/**
* Receive new Change Cipher record
*
* @v tls TLS connection
* @v iobuf I/O buffer
* @ret rc Return status code
*/
static int tls_new_change_cipher ( struct tls_connection *tls,
struct io_buffer *iobuf ) {
const struct {
uint8_t spec;
} __attribute__ (( packed )) *change_cipher = iobuf->data;
size_t len = iob_len ( iobuf );
int rc;
/* Sanity check */
if ( ( sizeof ( *change_cipher ) != len ) ||
( change_cipher->spec != TLS_CHANGE_CIPHER_SPEC ) ) {
DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
DBGC_HD ( tls, change_cipher, len );
return -EINVAL_CHANGE_CIPHER;
}
iob_pull ( iobuf, sizeof ( *change_cipher ) );
/* Change receive cipher spec */
if ( ( rc = tls_change_cipher ( tls, &tls->rx.cipherspec ) ) != 0 ) {
DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
tls, strerror ( rc ) );
return rc;
}
tls->rx.seq = ~( ( uint64_t ) 0 );
return 0;
}
/**
* Receive new Alert record
*
* @v tls TLS connection
* @v iobuf I/O buffer
* @ret rc Return status code
*/
static int tls_new_alert ( struct tls_connection *tls,
struct io_buffer *iobuf ) {
const struct {
uint8_t level;
uint8_t description;
char next[0];
} __attribute__ (( packed )) *alert = iobuf->data;
size_t len = iob_len ( iobuf );
/* Sanity check */
if ( sizeof ( *alert ) != len ) {
DBGC ( tls, "TLS %p received overlength Alert\n", tls );
DBGC_HD ( tls, alert, len );
return -EINVAL_ALERT;
}
iob_pull ( iobuf, sizeof ( *alert ) );
/* Handle alert */
switch ( alert->level ) {
case TLS_ALERT_WARNING:
DBGC ( tls, "TLS %p received warning alert %d\n",
tls, alert->description );
return 0;
case TLS_ALERT_FATAL:
DBGC ( tls, "TLS %p received fatal alert %d\n",
tls, alert->description );
return -EPERM_ALERT;
default:
DBGC ( tls, "TLS %p received unknown alert level %d"
"(alert %d)\n", tls, alert->level, alert->description );
return -EIO_ALERT;
}
}
/**
* Receive new Hello Request handshake record
*
* @v tls TLS connection
* @v data Plaintext handshake record
* @v len Length of plaintext handshake record
* @ret rc Return status code
*/
static int tls_new_hello_request ( struct tls_connection *tls,
const void *data __unused,
size_t len __unused ) {
/* Ignore if a handshake is in progress */
if ( ! tls_ready ( tls ) ) {
DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
return 0;
}
/* Fail unless server supports secure renegotiation */
if ( ! tls->secure_renegotiation ) {
DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
tls );
return -EPERM_RENEG_INSECURE;
}
/* Restart negotiation */
tls_restart ( tls );
return 0;
}
/**
* Receive new Server Hello handshake record
*
* @v tls TLS connection
* @v data Plaintext handshake record
* @v len Length of plaintext handshake record
* @ret rc Return status code
*/
static int tls_new_server_hello ( struct tls_connection *tls,
const void *data, size_t len ) {
const struct {
uint16_t version;
uint8_t random[32];
uint8_t session_id_len;
uint8_t session_id[0];
} __attribute__ (( packed )) *hello_a = data;
const uint8_t *session_id;
const struct {
uint16_t cipher_suite;
uint8_t compression_method;
char next[0];
} __attribute__ (( packed )) *hello_b;
const struct {
uint16_t len;
uint8_t data[0];
} __attribute__ (( packed )) *exts;
const struct {
uint16_t type;
uint16_t len;
uint8_t data[0];
} __attribute__ (( packed )) *ext;
const struct {
uint8_t len;
uint8_t data[0];
} __attribute__ (( packed )) *reneg = NULL;
uint16_t version;
size_t exts_len;
size_t ext_len;
size_t remaining;
int rc;
/* Parse header */
if ( ( sizeof ( *hello_a ) > len ) ||
( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
hello_a->session_id_len ) ) ) {
DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
DBGC_HD ( tls, data, len );
return -EINVAL_HELLO;
}
session_id = hello_a->session_id;
hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );
/* Parse extensions, if present */
remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
sizeof ( *hello_b ) );
if ( remaining ) {
/* Parse extensions length */
exts = ( ( void * ) hello_b->next );
if ( ( sizeof ( *exts ) > remaining ) ||
( ( exts_len = ntohs ( exts->len ) ) >
( remaining - sizeof ( *exts ) ) ) ) {
DBGC ( tls, "TLS %p received underlength extensions\n",
tls );
DBGC_HD ( tls, data, len );
return -EINVAL_HELLO;
}
/* Parse extensions */
for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
remaining ;
ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
remaining -= ( sizeof ( *ext ) + ext_len ) ) {
/* Parse extension length */
if ( ( sizeof ( *ext ) > remaining ) ||
( ( ext_len = ntohs ( ext->len ) ) >
( remaining - sizeof ( *ext ) ) ) ) {
DBGC ( tls, "TLS %p received underlength "
"extension\n", tls );
DBGC_HD ( tls, data, len );
return -EINVAL_HELLO;
}
/* Record known extensions */
switch ( ext->type ) {
case htons ( TLS_RENEGOTIATION_INFO ) :
reneg = ( ( void * ) ext->data );
if ( ( sizeof ( *reneg ) > ext_len ) ||
( reneg->len >
( ext_len - sizeof ( *reneg ) ) ) ) {
DBGC ( tls, "TLS %p received "
"underlength renegotiation "
"info\n", tls );
DBGC_HD ( tls, data, len );
return -EINVAL_HELLO;
}
break;
}
}
}
/* Check and store protocol version */
version = ntohs ( hello_a->version );
if ( version < TLS_VERSION_MIN ) {
DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
tls, ( version >> 8 ), ( version & 0xff ) );
return -ENOTSUP_VERSION;
}
if ( version > tls->version ) {
DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
"protocol version %d.%d\n",
tls, ( version >> 8 ), ( version & 0xff ) );
return -EPROTO_VERSION;
}
tls->version = version;
DBGC ( tls, "TLS %p using protocol version %d.%d\n",
tls, ( version >> 8 ), ( version & 0xff ) );
/* Select cipher suite */
if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
return rc;
/* Add preceding Client Hello to handshake digest */
if ( ( rc = tls_client_hello ( tls, tls_add_handshake ) ) != 0 )
return rc;
/* Copy out server random bytes */
memcpy ( &tls->server.random, &hello_a->random,
sizeof ( tls->server.random ) );
/* Check session ID */
if ( hello_a->session_id_len &&
( hello_a->session_id_len == tls->session_id_len ) &&
( memcmp ( session_id, tls->session_id,
tls->session_id_len ) == 0 ) ) {
/* Session ID match: reuse master secret */
DBGC ( tls, "TLS %p resuming session ID:\n", tls );
DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
return rc;
} else {
/* Record new session ID, if present */
if ( hello_a->session_id_len &&
( hello_a->session_id_len <= sizeof ( tls->session_id ))){
tls->session_id_len = hello_a->session_id_len;
memcpy ( tls->session_id, session_id,
tls->session_id_len );
DBGC ( tls, "TLS %p new session ID:\n", tls );
DBGC_HDA ( tls, 0, tls->session_id,
tls->session_id_len );
}
}
/* Handle secure renegotiation */
if ( tls->secure_renegotiation ) {
/* Secure renegotiation is expected; verify data */
if ( ( reneg == NULL ) ||
( reneg->len != sizeof ( tls->verify ) ) ||
( memcmp ( reneg->data, &tls->verify,
sizeof ( tls->verify ) ) != 0 ) ) {
DBGC ( tls, "TLS %p server failed secure "
"renegotiation\n", tls );
return -EPERM_RENEG_VERIFY;
}
} else if ( reneg != NULL ) {
/* Secure renegotiation is being enabled */
if ( reneg->len != 0 ) {
DBGC ( tls, "TLS %p server provided non-empty initial "
"renegotiation\n", tls );
return -EPERM_RENEG_VERIFY;
}
tls->secure_renegotiation = 1;
}
return 0;
}
/**
* Receive New Session Ticket handshake record
*
* @v tls TLS connection
* @v data Plaintext handshake record
* @v len Length of plaintext handshake record
* @ret rc Return status code
*/
static int tls_new_session_ticket ( struct tls_connection *tls,
const void *data, size_t len ) {
const struct {
uint32_t lifetime;
uint16_t len;
uint8_t ticket[0];
} __attribute__ (( packed )) *new_session_ticket = data;
size_t ticket_len;
/* Parse header */
if ( sizeof ( *new_session_ticket ) > len ) {
DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
tls );
DBGC_HD ( tls, data, len );
return -EINVAL_TICKET;
}
ticket_len = ntohs ( new_session_ticket->len );
if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
tls );
DBGC_HD ( tls, data, len );
return -EINVAL_TICKET;
}
/* Free any unapplied new session ticket */
free ( tls->new_session_ticket );
tls->new_session_ticket = NULL;
tls->new_session_ticket_len = 0;
/* Record ticket */
tls->new_session_ticket = malloc ( ticket_len );
if ( ! tls->new_session_ticket )
return -ENOMEM;
memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
ticket_len );
tls->new_session_ticket_len = ticket_len;
DBGC ( tls, "TLS %p new session ticket:\n", tls );
DBGC_HDA ( tls, 0, tls->new_session_ticket,
tls->new_session_ticket_len );
return 0;
}
/**
* Parse certificate chain
*
* @v tls TLS connection
* @v data Certificate chain
* @v len Length of certificate chain
* @ret rc Return status code
*/
static int tls_parse_chain ( struct tls_connection *tls,
const void *data, size_t len ) {
size_t remaining = len;
int rc;
/* Free any existing certificate chain */
memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
x509_chain_put ( tls->server.chain );
tls->server.chain = NULL;
/* Create certificate chain */
tls->server.chain = x509_alloc_chain();
if ( ! tls->server.chain ) {
rc = -ENOMEM_CHAIN;
goto err_alloc_chain;
}
/* Add certificates to chain */
while ( remaining ) {
const struct {
tls24_t length;
uint8_t data[0];
} __attribute__ (( packed )) *certificate = data;
size_t certificate_len;
size_t record_len;
struct x509_certificate *cert;
/* Parse header */
if ( sizeof ( *certificate ) > remaining ) {
DBGC ( tls, "TLS %p underlength certificate:\n", tls );
DBGC_HDA ( tls, 0, data, remaining );
rc = -EINVAL_CERTIFICATE;
goto err_underlength;
}
certificate_len = tls_uint24 ( &certificate->length );
if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
DBGC ( tls, "TLS %p overlength certificate:\n", tls );
DBGC_HDA ( tls, 0, data, remaining );
rc = -EINVAL_CERTIFICATE;
goto err_overlength;
}
record_len = ( sizeof ( *certificate ) + certificate_len );
/* Add certificate to chain */
if ( ( rc = x509_append_raw ( tls->server.chain,
certificate->data,
certificate_len ) ) != 0 ) {
DBGC ( tls, "TLS %p could not append certificate: %s\n",
tls, strerror ( rc ) );
DBGC_HDA ( tls, 0, data, remaining );
goto err_parse;
}
cert = x509_last ( tls->server.chain );
DBGC ( tls, "TLS %p found certificate %s\n",
tls, x509_name ( cert ) );
/* Move to next certificate in list */
data += record_len;
remaining -= record_len;
}
return 0;
err_parse:
err_overlength:
err_underlength:
memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
x509_chain_put ( tls->server.chain );
tls->server.chain = NULL;
err_alloc_chain:
return rc;
}
/**
* Receive new Certificate handshake record
*
* @v tls TLS connection
* @v data Plaintext handshake record
* @v len Length of plaintext handshake record
* @ret rc Return status code
*/
static int tls_new_certificate ( struct tls_connection *tls,
const void *data, size_t len ) {
const struct {
tls24_t length;
uint8_t certificates[0];
} __attribute__ (( packed )) *certificate = data;
size_t certificates_len;
int rc;
/* Parse header */
if ( sizeof ( *certificate ) > len ) {
DBGC ( tls, "TLS %p received underlength Server Certificate\n",
tls );
DBGC_HD ( tls, data, len );
return -EINVAL_CERTIFICATES;
}
certificates_len = tls_uint24 ( &certificate->length );
if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
DBGC ( tls, "TLS %p received overlength Server Certificate\n",
tls );
DBGC_HD ( tls, data, len );
return -EINVAL_CERTIFICATES;
}
/* Parse certificate chain */
if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
certificates_len ) ) != 0 )
return rc;
return 0;
}
/**
* Receive new Server Key Exchange handshake record
*
* @v tls TLS connection
* @v data Plaintext handshake record
* @v len Length of plaintext handshake record
* @ret rc Return status code
*/
static int tls_new_server_key_exchange ( struct tls_connection *tls,
const void *data, size_t len ) {
/* Free any existing server key exchange record */
free ( tls->server.exchange );
tls->server.exchange_len = 0;
/* Allocate copy of server key exchange record */
tls->server.exchange = malloc ( len );
if ( ! tls->server.exchange )
return -ENOMEM;
/* Store copy of server key exchange record for later
* processing. We cannot verify the signature at this point
* since the certificate validation will not yet have
* completed.
*/
memcpy ( tls->server.exchange, data, len );
tls->server.exchange_len = len;
return 0;
}
/**
* Receive new Certificate Request handshake record
*
* @v tls TLS connection
* @v data Plaintext handshake record
* @v len Length of plaintext handshake record
* @ret rc Return status code
*/
static int tls_new_certificate_request ( struct tls_connection *tls,
const void *data __unused,
size_t len __unused ) {
struct x509_certificate *cert;
int rc;
/* We can only send a single certificate, so there is no point
* in parsing the Certificate Request.
*/
/* Free any existing client certificate chain */
x509_chain_put ( tls->client.chain );
tls->client.chain = NULL;
/* Determine client certificate to be sent */
cert = x509_find_key ( NULL, tls->client.key );
if ( ! cert ) {
DBGC ( tls, "TLS %p could not find certificate corresponding "
"to private key\n", tls );
rc = -EPERM_CLIENT_CERT;
goto err_find;
}
x509_get ( cert );
DBGC ( tls, "TLS %p selected client certificate %s\n",
tls, x509_name ( cert ) );
/* Create client certificate chain */
tls->client.chain = x509_alloc_chain();
if ( ! tls->client.chain ) {
rc = -ENOMEM;
goto err_alloc;
}
/* Append client certificate to chain */
if ( ( rc = x509_append ( tls->client.chain, cert ) ) != 0 )
goto err_append;
/* Append any relevant issuer certificates */
if ( ( rc = x509_auto_append ( tls->client.chain, &certstore ) ) != 0 )
goto err_auto_append;
/* Drop local reference to client certificate */
x509_put ( cert );
return 0;
err_auto_append:
err_append:
x509_chain_put ( tls->client.chain );
tls->client.chain = NULL;
err_alloc:
x509_put ( cert );
err_find:
return rc;
}
/**
* Receive new Server Hello Done handshake record
*
* @v tls TLS connection
* @v data Plaintext handshake record
* @v len Length of plaintext handshake record
* @ret rc Return status code
*/
static int tls_new_server_hello_done ( struct tls_connection *tls,
const void *data, size_t len ) {
const struct {
char next[0];
} __attribute__ (( packed )) *hello_done = data;
int rc;
/* Sanity check */
if ( sizeof ( *hello_done ) != len ) {
DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
tls );
DBGC_HD ( tls, data, len );
return -EINVAL_HELLO_DONE;
}
/* Begin certificate validation */
if ( ( rc = create_validator ( &tls->server.validator,
tls->server.chain,
tls->server.root ) ) != 0 ) {
DBGC ( tls, "TLS %p could not start certificate validation: "
"%s\n", tls, strerror ( rc ) );
return rc;
}
pending_get ( &tls->server.validation );
return 0;
}
/**
* Receive new Finished handshake record
*
* @v tls TLS connection
* @v data Plaintext handshake record
* @v len Length of plaintext handshake record
* @ret rc Return status code
*/
static int tls_new_finished ( struct tls_connection *tls,
const void *data, size_t len ) {
struct tls_session *session = tls->session;
struct digest_algorithm *digest = tls->handshake_digest;
const struct {
uint8_t verify_data[ sizeof ( tls->verify.server ) ];
char next[0];
} __attribute__ (( packed )) *finished = data;
uint8_t digest_out[ digest->digestsize ];
/* Sanity check */
if ( sizeof ( *finished ) != len ) {
DBGC ( tls, "TLS %p received overlength Finished\n", tls );
DBGC_HD ( tls, data, len );
return -EINVAL_FINISHED;
}
/* Verify data */
tls_verify_handshake ( tls, digest_out );
tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
tls->verify.server, sizeof ( tls->verify.server ),
"server finished", digest_out, sizeof ( digest_out ) );
if ( memcmp ( tls->verify.server, finished->verify_data,
sizeof ( tls->verify.server ) ) != 0 ) {
DBGC ( tls, "TLS %p verification failed\n", tls );
return -EPERM_VERIFY;
}
/* Mark server as finished */
pending_put ( &tls->server.negotiation );
/* If we are resuming a session (i.e. if the server Finished
* arrives before the client Finished is sent), then schedule
* transmission of Change Cipher and Finished.
*/
if ( is_pending ( &tls->client.negotiation ) ) {
tls->tx.pending |= ( TLS_TX_CHANGE_CIPHER | TLS_TX_FINISHED );
tls_tx_resume ( tls );
}
/* Record session ID, ticket, and master secret, if applicable */
if ( tls->session_id_len || tls->new_session_ticket_len ) {
memcpy ( session->master_secret, tls->master_secret,
sizeof ( session->master_secret ) );
}
if ( tls->session_id_len ) {
session->id_len = tls->session_id_len;
memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
}
if ( tls->new_session_ticket_len ) {
free ( session->ticket );
session->ticket = tls->new_session_ticket;
session->ticket_len = tls->new_session_ticket_len;
tls->new_session_ticket = NULL;
tls->new_session_ticket_len = 0;
}
/* Move to end of session's connection list and allow other
* connections to start making progress.
*/
list_del ( &tls->list );
list_add_tail ( &tls->list, &session->conn );
tls_tx_resume_all ( session );
/* Send notification of a window change */
xfer_window_changed ( &tls->plainstream );
return 0;
}
/**
* Receive new Handshake record
*
* @v tls TLS connection
* @v iobuf I/O buffer
* @ret rc Return status code
*/
static int tls_new_handshake ( struct tls_connection *tls,
struct io_buffer *iobuf ) {
size_t remaining;
int rc;
while ( ( remaining = iob_len ( iobuf ) ) ) {
const struct {
uint8_t type;
tls24_t length;
uint8_t payload[0];
} __attribute__ (( packed )) *handshake = iobuf->data;
const void *payload;
size_t payload_len;
size_t record_len;
/* Parse header */
if ( sizeof ( *handshake ) > remaining ) {
/* Leave remaining fragment unconsumed */
break;
}
payload_len = tls_uint24 ( &handshake->length );
if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
/* Leave remaining fragment unconsumed */
break;
}
payload = &handshake->payload;
record_len = ( sizeof ( *handshake ) + payload_len );
/* Handle payload */
switch ( handshake->type ) {
case TLS_HELLO_REQUEST:
rc = tls_new_hello_request ( tls, payload,
payload_len );
break;
case TLS_SERVER_HELLO:
rc = tls_new_server_hello ( tls, payload, payload_len );
break;
case TLS_NEW_SESSION_TICKET:
rc = tls_new_session_ticket ( tls, payload,
payload_len );
break;
case TLS_CERTIFICATE:
rc = tls_new_certificate ( tls, payload, payload_len );
break;
case TLS_SERVER_KEY_EXCHANGE:
rc = tls_new_server_key_exchange ( tls, payload,
payload_len );
break;
case TLS_CERTIFICATE_REQUEST:
rc = tls_new_certificate_request ( tls, payload,
payload_len );
break;
case TLS_SERVER_HELLO_DONE:
rc = tls_new_server_hello_done ( tls, payload,
payload_len );
break;
case TLS_FINISHED:
rc = tls_new_finished ( tls, payload, payload_len );
break;
default:
DBGC ( tls, "TLS %p ignoring handshake type %d\n",
tls, handshake->type );
rc = 0;
break;
}
/* Add to handshake digest (except for Hello Requests,
* which are explicitly excluded).
*/
if ( handshake->type != TLS_HELLO_REQUEST )
tls_add_handshake ( tls, handshake, record_len );
/* Abort on failure */
if ( rc != 0 )
return rc;
/* Move to next handshake record */
iob_pull ( iobuf, record_len );
}
return 0;
}
/**
* Receive new unknown record
*
* @v tls TLS connection
* @v iobuf I/O buffer
* @ret rc Return status code
*/
static int tls_new_unknown ( struct tls_connection *tls __unused,
struct io_buffer *iobuf ) {
/* RFC4346 says that we should just ignore unknown record types */
iob_pull ( iobuf, iob_len ( iobuf ) );
return 0;
}
/**
* Receive new data record
*
* @v tls TLS connection
* @v rx_data List of received data buffers
* @ret rc Return status code
*/
static int tls_new_data ( struct tls_connection *tls,
struct list_head *rx_data ) {
struct io_buffer *iobuf;
int rc;
/* Fail unless we are ready to receive data */
if ( ! tls_ready ( tls ) )
return -ENOTCONN;
/* Deliver each I/O buffer in turn */
while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
list ) ) ) {
list_del ( &iobuf->list );
if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
iobuf ) ) != 0 ) {
DBGC ( tls, "TLS %p could not deliver data: "
"%s\n", tls, strerror ( rc ) );
return rc;
}
}
return 0;
}
/**
* Receive new record
*
* @v tls TLS connection
* @v type Record type
* @v rx_data List of received data buffers
* @ret rc Return status code
*/
static int tls_new_record ( struct tls_connection *tls, unsigned int type,
struct list_head *rx_data ) {
int ( * handler ) ( struct tls_connection *tls,
struct io_buffer *iobuf );
struct io_buffer *tmp = NULL;
struct io_buffer **iobuf;
int rc;
/* Deliver data records as-is to the plainstream interface */
if ( type == TLS_TYPE_DATA )
return tls_new_data ( tls, rx_data );
/* Determine handler and fragment buffer */
iobuf = &tmp;
switch ( type ) {
case TLS_TYPE_CHANGE_CIPHER:
handler = tls_new_change_cipher;
break;
case TLS_TYPE_ALERT:
handler = tls_new_alert;
break;
case TLS_TYPE_HANDSHAKE:
handler = tls_new_handshake;
iobuf = &tls->rx.handshake;
break;
default:
DBGC ( tls, "TLS %p unknown record type %d\n", tls, type );
handler = tls_new_unknown;
break;
}
/* Merge into a single I/O buffer */
if ( *iobuf )
list_add ( &(*iobuf)->list, rx_data );
*iobuf = iob_concatenate ( rx_data );
if ( ! *iobuf ) {
DBGC ( tls, "TLS %p could not concatenate non-data record "
"type %d\n", tls, type );
rc = -ENOMEM_RX_CONCAT;
goto err_concatenate;
}
/* Handle record */
if ( ( rc = handler ( tls, *iobuf ) ) != 0 )
goto err_handle;
/* Discard I/O buffer if empty */
if ( ! iob_len ( *iobuf ) ) {
free_iob ( *iobuf );
*iobuf = NULL;
}
/* Sanity check */
assert ( tmp == NULL );
return 0;
err_handle:
free_iob ( *iobuf );
*iobuf = NULL;
err_concatenate:
return rc;
}
/******************************************************************************
*
* Record encryption/decryption
*
******************************************************************************
*/
/**
* Initialise HMAC
*
* @v cipherspec Cipher specification
* @v ctx Context
* @v authhdr Authentication header
*/
static void tls_hmac_init ( struct tls_cipherspec *cipherspec, void *ctx,
struct tls_auth_header *authhdr ) {
struct tls_cipher_suite *suite = cipherspec->suite;
struct digest_algorithm *digest = suite->digest;
hmac_init ( digest, ctx, cipherspec->mac_secret, suite->mac_len );
hmac_update ( digest, ctx, authhdr, sizeof ( *authhdr ) );
}
/**
* Update HMAC
*
* @v cipherspec Cipher specification
* @v ctx Context
* @v data Data
* @v len Length of data
*/
static void tls_hmac_update ( struct tls_cipherspec *cipherspec, void *ctx,
const void *data, size_t len ) {
struct digest_algorithm *digest = cipherspec->suite->digest;
hmac_update ( digest, ctx, data, len );
}
/**
* Finalise HMAC
*
* @v cipherspec Cipher specification
* @v ctx Context
* @v mac HMAC to fill in
*/
static void tls_hmac_final ( struct tls_cipherspec *cipherspec, void *ctx,
void *hmac ) {
struct digest_algorithm *digest = cipherspec->suite->digest;
hmac_final ( digest, ctx, hmac );
}
/**
* Calculate HMAC
*
* @v cipherspec Cipher specification
* @v authhdr Authentication header
* @v data Data
* @v len Length of data
* @v mac HMAC to fill in
*/
static void tls_hmac ( struct tls_cipherspec *cipherspec,
struct tls_auth_header *authhdr,
const void *data, size_t len, void *hmac ) {
struct digest_algorithm *digest = cipherspec->suite->digest;
uint8_t ctx[ hmac_ctxsize ( digest ) ];
tls_hmac_init ( cipherspec, ctx, authhdr );
tls_hmac_update ( cipherspec, ctx, data, len );
tls_hmac_final ( cipherspec, ctx, hmac );
}
/**
* Calculate HMAC over list of I/O buffers
*
* @v cipherspec Cipher specification
* @v authhdr Authentication header
* @v list List of I/O buffers
* @v mac HMAC to fill in
*/
static void tls_hmac_list ( struct tls_cipherspec *cipherspec,
struct tls_auth_header *authhdr,
struct list_head *list, void *hmac ) {
struct digest_algorithm *digest = cipherspec->suite->digest;
uint8_t ctx[ hmac_ctxsize ( digest ) ];
struct io_buffer *iobuf;
tls_hmac_init ( cipherspec, ctx, authhdr );
list_for_each_entry ( iobuf, list, list ) {
tls_hmac_update ( cipherspec, ctx, iobuf->data,
iob_len ( iobuf ) );
}
tls_hmac_final ( cipherspec, ctx, hmac );
}
/**
* Send plaintext record
*
* @v tls TLS connection
* @v type Record type
* @v data Plaintext record
* @v len Length of plaintext record
* @ret rc Return status code
*/
static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
const void *data, size_t len ) {
struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
struct tls_cipher_suite *suite = cipherspec->suite;
struct cipher_algorithm *cipher = suite->cipher;
struct digest_algorithm *digest = suite->digest;
struct {
uint8_t fixed[suite->fixed_iv_len];
uint8_t record[suite->record_iv_len];
} __attribute__ (( packed )) iv;
struct tls_auth_header authhdr;
struct tls_header *tlshdr;
void *plaintext;
size_t plaintext_len;
struct io_buffer *ciphertext;
size_t ciphertext_len;
size_t padding_len;
uint8_t mac[digest->digestsize];
void *tmp;
int rc;
/* Construct initialisation vector */
memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
if ( ( rc = tls_generate_random ( tls, iv.record,
sizeof ( iv.record ) ) ) != 0 ) {
goto err_random;
}
/* Construct authentication data */
authhdr.seq = cpu_to_be64 ( tls->tx.seq );
authhdr.header.type = type;
authhdr.header.version = htons ( tls->version );
authhdr.header.length = htons ( len );
/* Calculate padding length */
plaintext_len = ( len + suite->mac_len );
if ( is_block_cipher ( cipher ) ) {
padding_len = ( ( ( cipher->blocksize - 1 ) &
-( plaintext_len + 1 ) ) + 1 );
} else {
padding_len = 0;
}
plaintext_len += padding_len;
/* Allocate plaintext */
plaintext = malloc ( plaintext_len );
if ( ! plaintext ) {
DBGC ( tls, "TLS %p could not allocate %zd bytes for "
"plaintext\n", tls, plaintext_len );
rc = -ENOMEM_TX_PLAINTEXT;
goto err_plaintext;
}
/* Assemble plaintext */
tmp = plaintext;
memcpy ( tmp, data, len );
tmp += len;
if ( suite->mac_len )
tls_hmac ( cipherspec, &authhdr, data, len, mac );
memcpy ( tmp, mac, suite->mac_len );
tmp += suite->mac_len;
memset ( tmp, ( padding_len - 1 ), padding_len );
tmp += padding_len;
assert ( tmp == ( plaintext + plaintext_len ) );
DBGC2 ( tls, "Sending plaintext data:\n" );
DBGC2_HD ( tls, plaintext, plaintext_len );
/* Set initialisation vector */
cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
/* Process authentication data, if applicable */
if ( is_auth_cipher ( cipher ) ) {
cipher_encrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
NULL, sizeof ( authhdr ) );
}
/* Allocate ciphertext */
ciphertext_len = ( sizeof ( *tlshdr ) + sizeof ( iv.record ) +
plaintext_len + cipher->authsize );
ciphertext = xfer_alloc_iob ( &tls->cipherstream, ciphertext_len );
if ( ! ciphertext ) {
DBGC ( tls, "TLS %p could not allocate %zd bytes for "
"ciphertext\n", tls, ciphertext_len );
rc = -ENOMEM_TX_CIPHERTEXT;
goto err_ciphertext;
}
/* Assemble ciphertext */
tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) );
tlshdr->type = type;
tlshdr->version = htons ( tls->version );
tlshdr->length = htons ( ciphertext_len - sizeof ( *tlshdr ) );
memcpy ( iob_put ( ciphertext, sizeof ( iv.record ) ), iv.record,
sizeof ( iv.record ) );
cipher_encrypt ( cipher, cipherspec->cipher_ctx, plaintext,
iob_put ( ciphertext, plaintext_len ), plaintext_len );
cipher_auth ( cipher, cipherspec->cipher_ctx,
iob_put ( ciphertext, cipher->authsize ) );
assert ( iob_len ( ciphertext ) == ciphertext_len );
/* Free plaintext as soon as possible to conserve memory */
free ( plaintext );
plaintext = NULL;
/* Send ciphertext */
if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
iob_disown ( ciphertext ) ) ) != 0 ) {
DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
tls, strerror ( rc ) );
goto err_deliver;
}
/* Update TX state machine to next record */
tls->tx.seq += 1;
assert ( plaintext == NULL );
assert ( ciphertext == NULL );
return 0;
err_deliver:
free_iob ( ciphertext );
err_ciphertext:
free ( plaintext );
err_plaintext:
err_random:
return rc;
}
/**
* Verify block padding
*
* @v tls TLS connection
* @v iobuf Last received I/O buffer
* @ret len Padding length, or negative error
* @ret rc Return status code
*/
static int tls_verify_padding ( struct tls_connection *tls,
struct io_buffer *iobuf ) {
uint8_t *padding;
unsigned int pad;
unsigned int i;
size_t len;
/* Extract and verify padding */
padding = ( iobuf->tail - 1 );
pad = *padding;
len = ( pad + 1 );
if ( len > iob_len ( iobuf ) ) {
DBGC ( tls, "TLS %p received underlength padding\n", tls );
DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
return -EINVAL_PADDING;
}
for ( i = 0 ; i < pad ; i++ ) {
if ( *(--padding) != pad ) {
DBGC ( tls, "TLS %p received bad padding\n", tls );
DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
return -EINVAL_PADDING;
}
}
return len;
}
/**
* Receive new ciphertext record
*
* @v tls TLS connection
* @v tlshdr Record header
* @v rx_data List of received data buffers
* @ret rc Return status code
*/
static int tls_new_ciphertext ( struct tls_connection *tls,
struct tls_header *tlshdr,
struct list_head *rx_data ) {
struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
struct tls_cipher_suite *suite = cipherspec->suite;
struct cipher_algorithm *cipher = suite->cipher;
struct digest_algorithm *digest = suite->digest;
size_t len = ntohs ( tlshdr->length );
struct {
uint8_t fixed[suite->fixed_iv_len];
uint8_t record[suite->record_iv_len];
} __attribute__ (( packed )) iv;
struct tls_auth_header authhdr;
uint8_t verify_mac[digest->digestsize];
uint8_t verify_auth[cipher->authsize];
struct io_buffer *first;
struct io_buffer *last;
struct io_buffer *iobuf;
void *mac;
void *auth;
size_t check_len;
int pad_len;
int rc;
/* Locate first and last data buffers */
assert ( ! list_empty ( rx_data ) );
first = list_first_entry ( rx_data, struct io_buffer, list );
last = list_last_entry ( rx_data, struct io_buffer, list );
/* Extract initialisation vector */
if ( iob_len ( first ) < sizeof ( iv.record ) ) {
DBGC ( tls, "TLS %p received underlength IV\n", tls );
DBGC_HD ( tls, first->data, iob_len ( first ) );
return -EINVAL_IV;
}
memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
memcpy ( iv.record, first->data, sizeof ( iv.record ) );
iob_pull ( first, sizeof ( iv.record ) );
len -= sizeof ( iv.record );
/* Extract unencrypted authentication tag */
if ( iob_len ( last ) < cipher->authsize ) {
DBGC ( tls, "TLS %p received underlength authentication tag\n",
tls );
DBGC_HD ( tls, last->data, iob_len ( last ) );
return -EINVAL_MAC;
}
iob_unput ( last, cipher->authsize );
len -= cipher->authsize;
auth = last->tail;
/* Construct authentication data */
authhdr.seq = cpu_to_be64 ( tls->rx.seq );
authhdr.header.type = tlshdr->type;
authhdr.header.version = tlshdr->version;
authhdr.header.length = htons ( len );
/* Set initialisation vector */
cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
/* Process authentication data, if applicable */
if ( is_auth_cipher ( cipher ) ) {
cipher_decrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
NULL, sizeof ( authhdr ) );
}
/* Decrypt the received data */
check_len = 0;
list_for_each_entry ( iobuf, &tls->rx.data, list ) {
cipher_decrypt ( cipher, cipherspec->cipher_ctx,
iobuf->data, iobuf->data, iob_len ( iobuf ) );
check_len += iob_len ( iobuf );
}
assert ( check_len == len );
/* Strip block padding, if applicable */
if ( is_block_cipher ( cipher ) ) {
pad_len = tls_verify_padding ( tls, last );
if ( pad_len < 0 ) {
/* Assume zero padding length to avoid timing attacks */
pad_len = 0;
}
iob_unput ( last, pad_len );
len -= pad_len;
}
/* Extract decrypted MAC */
if ( iob_len ( last ) < suite->mac_len ) {
DBGC ( tls, "TLS %p received underlength MAC\n", tls );
DBGC_HD ( tls, last->data, iob_len ( last ) );
return -EINVAL_MAC;
}
iob_unput ( last, suite->mac_len );
len -= suite->mac_len;
mac = last->tail;
/* Dump received data */
DBGC2 ( tls, "Received plaintext data:\n" );
check_len = 0;
list_for_each_entry ( iobuf, rx_data, list ) {
DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
check_len += iob_len ( iobuf );
}
assert ( check_len == len );
/* Generate MAC */
authhdr.header.length = htons ( len );
if ( suite->mac_len )
tls_hmac_list ( cipherspec, &authhdr, rx_data, verify_mac );
/* Generate authentication tag */
cipher_auth ( cipher, cipherspec->cipher_ctx, verify_auth );
/* Verify MAC */
if ( memcmp ( mac, verify_mac, suite->mac_len ) != 0 ) {
DBGC ( tls, "TLS %p failed MAC verification\n", tls );
return -EINVAL_MAC;
}
/* Verify authentication tag */
if ( memcmp ( auth, verify_auth, cipher->authsize ) != 0 ) {
DBGC ( tls, "TLS %p failed authentication tag verification\n",
tls );
return -EINVAL_MAC;
}
/* Process plaintext record */
if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
return rc;
return 0;
}
/******************************************************************************
*
* Plaintext stream operations
*
******************************************************************************
*/
/**
* Check flow control window
*
* @v tls TLS connection
* @ret len Length of window
*/
static size_t tls_plainstream_window ( struct tls_connection *tls ) {
/* Block window unless we are ready to accept data */
if ( ! tls_ready ( tls ) )
return 0;
return xfer_window ( &tls->cipherstream );
}
/**
* Deliver datagram as raw data
*
* @v tls TLS connection
* @v iobuf I/O buffer
* @v meta Data transfer metadata
* @ret rc Return status code
*/
static int tls_plainstream_deliver ( struct tls_connection *tls,
struct io_buffer *iobuf,
struct xfer_metadata *meta __unused ) {
int rc;
/* Refuse unless we are ready to accept data */
if ( ! tls_ready ( tls ) ) {
rc = -ENOTCONN;
goto done;
}
if ( ( rc = tls_send_plaintext ( tls, TLS_TYPE_DATA, iobuf->data,
iob_len ( iobuf ) ) ) != 0 )
goto done;
done:
free_iob ( iobuf );
return rc;
}
/**
* Report job progress
*
* @v tls TLS connection
* @v progress Progress report to fill in
* @ret ongoing_rc Ongoing job status code (if known)
*/
static int tls_progress ( struct tls_connection *tls,
struct job_progress *progress ) {
/* Return cipherstream or validator progress as applicable */
if ( is_pending ( &tls->server.validation ) ) {
return job_progress ( &tls->server.validator, progress );
} else {
return job_progress ( &tls->cipherstream, progress );
}
}
/** TLS plaintext stream interface operations */
static struct interface_operation tls_plainstream_ops[] = {
INTF_OP ( xfer_deliver, struct tls_connection *,
tls_plainstream_deliver ),
INTF_OP ( xfer_window, struct tls_connection *,
tls_plainstream_window ),
INTF_OP ( job_progress, struct tls_connection *, tls_progress ),
INTF_OP ( intf_close, struct tls_connection *, tls_close ),
};
/** TLS plaintext stream interface descriptor */
static struct interface_descriptor tls_plainstream_desc =
INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
tls_plainstream_ops, cipherstream );
/******************************************************************************
*
* Ciphertext stream operations
*
******************************************************************************
*/
/**
* Handle received TLS header
*
* @v tls TLS connection
* @ret rc Returned status code
*/
static int tls_newdata_process_header ( struct tls_connection *tls ) {
struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
struct cipher_algorithm *cipher = cipherspec->suite->cipher;
size_t iv_len = cipherspec->suite->record_iv_len;
size_t data_len = ntohs ( tls->rx.header.length );
size_t remaining = data_len;
size_t frag_len;
size_t reserve;
struct io_buffer *iobuf;
struct io_buffer *tmp;
int rc;
/* Sanity check */
assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );
/* Calculate alignment reservation at start of first data buffer */
reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
remaining += reserve;
/* Allocate data buffers now that we know the length */
assert ( list_empty ( &tls->rx.data ) );
while ( remaining ) {
/* Calculate fragment length. Ensure that no block is
* smaller than TLS_RX_MIN_BUFSIZE (by increasing the
* allocation length if necessary).
*/
frag_len = remaining;
if ( frag_len > TLS_RX_BUFSIZE )
frag_len = TLS_RX_BUFSIZE;
remaining -= frag_len;
if ( remaining < TLS_RX_MIN_BUFSIZE ) {
frag_len += remaining;
remaining = 0;
}
/* Allocate buffer */
iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
if ( ! iobuf ) {
DBGC ( tls, "TLS %p could not allocate %zd of %zd "
"bytes for receive buffer\n", tls,
remaining, data_len );
rc = -ENOMEM_RX_DATA;
goto err;
}
/* Ensure tailroom is exactly what we asked for. This
* will result in unaligned I/O buffers when the
* fragment length is unaligned, which can happen only
* before we switch to using a block cipher.
*/
iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
/* Ensure first buffer length will be aligned to a
* multiple of the cipher alignment size after
* stripping the record IV.
*/
iob_reserve ( iobuf, reserve );
reserve = 0;
/* Add I/O buffer to list */
list_add_tail ( &iobuf->list, &tls->rx.data );
}
/* Move to data state */
tls->rx.state = TLS_RX_DATA;
return 0;
err:
list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
list_del ( &iobuf->list );
free_iob ( iobuf );
}
return rc;
}
/**
* Handle received TLS data payload
*
* @v tls TLS connection
* @ret rc Returned status code
*/
static int tls_newdata_process_data ( struct tls_connection *tls ) {
struct io_buffer *iobuf;
int rc;
/* Move current buffer to end of list */
iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
list_del ( &iobuf->list );
list_add_tail ( &iobuf->list, &tls->rx.data );
/* Continue receiving data if any space remains */
iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
if ( iob_tailroom ( iobuf ) )
return 0;
/* Process record */
if ( ( rc = tls_new_ciphertext ( tls, &tls->rx.header,
&tls->rx.data ) ) != 0 )
return rc;
/* Increment RX sequence number */
tls->rx.seq += 1;
/* Return to header state */
assert ( list_empty ( &tls->rx.data ) );
tls->rx.state = TLS_RX_HEADER;
iob_unput ( &tls->rx.iobuf, sizeof ( tls->rx.header ) );
return 0;
}
/**
* Check flow control window
*
* @v tls TLS connection
* @ret len Length of window
*/
static size_t tls_cipherstream_window ( struct tls_connection *tls ) {
/* Open window until we are ready to accept data */
if ( ! tls_ready ( tls ) )
return -1UL;
return xfer_window ( &tls->plainstream );
}
/**
* Receive new ciphertext
*
* @v tls TLS connection
* @v iobuf I/O buffer
* @v meta Data transfer metadat
* @ret rc Return status code
*/
static int tls_cipherstream_deliver ( struct tls_connection *tls,
struct io_buffer *iobuf,
struct xfer_metadata *xfer __unused ) {
size_t frag_len;
int ( * process ) ( struct tls_connection *tls );
struct io_buffer *dest;
int rc;
while ( iob_len ( iobuf ) ) {
/* Select buffer according to current state */
switch ( tls->rx.state ) {
case TLS_RX_HEADER:
dest = &tls->rx.iobuf;
process = tls_newdata_process_header;
break;
case TLS_RX_DATA:
dest = list_first_entry ( &tls->rx.data,
struct io_buffer, list );
assert ( dest != NULL );
process = tls_newdata_process_data;
break;
default:
assert ( 0 );
rc = -EINVAL_RX_STATE;
goto done;
}
/* Copy data portion to buffer */
frag_len = iob_len ( iobuf );
if ( frag_len > iob_tailroom ( dest ) )
frag_len = iob_tailroom ( dest );
memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
iob_pull ( iobuf, frag_len );
/* Process data if buffer is now full */
if ( iob_tailroom ( dest ) == 0 ) {
if ( ( rc = process ( tls ) ) != 0 ) {
tls_close ( tls, rc );
goto done;
}
}
}
rc = 0;
done:
free_iob ( iobuf );
return rc;
}
/** TLS ciphertext stream interface operations */
static struct interface_operation tls_cipherstream_ops[] = {
INTF_OP ( xfer_deliver, struct tls_connection *,
tls_cipherstream_deliver ),
INTF_OP ( xfer_window, struct tls_connection *,
tls_cipherstream_window ),
INTF_OP ( xfer_window_changed, struct tls_connection *,
tls_tx_resume ),
INTF_OP ( intf_close, struct tls_connection *, tls_close ),
};
/** TLS ciphertext stream interface descriptor */
static struct interface_descriptor tls_cipherstream_desc =
INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
tls_cipherstream_ops, plainstream );
/******************************************************************************
*
* Certificate validator
*
******************************************************************************
*/
/**
* Handle certificate validation completion
*
* @v tls TLS connection
* @v rc Reason for completion
*/
static void tls_validator_done ( struct tls_connection *tls, int rc ) {
struct tls_session *session = tls->session;
struct x509_certificate *cert;
/* Mark validation as complete */
pending_put ( &tls->server.validation );
/* Close validator interface */
intf_restart ( &tls->server.validator, rc );
/* Check for validation failure */
if ( rc != 0 ) {
DBGC ( tls, "TLS %p certificate validation failed: %s\n",
tls, strerror ( rc ) );
goto err;
}
DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );
/* Extract first certificate */
cert = x509_first ( tls->server.chain );
assert ( cert != NULL );
/* Verify server name */
if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
tls, session->name, strerror ( rc ) );
goto err;
}
/* Extract the now trusted server public key */
memcpy ( &tls->server.key, &cert->subject.public_key.raw,
sizeof ( tls->server.key ) );
/* Schedule Client Key Exchange, Change Cipher, and Finished */
tls->tx.pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
TLS_TX_CHANGE_CIPHER |
TLS_TX_FINISHED );
if ( tls->client.chain ) {
tls->tx.pending |= ( TLS_TX_CERTIFICATE |
TLS_TX_CERTIFICATE_VERIFY );
}
tls_tx_resume ( tls );
return;
err:
tls_close ( tls, rc );
return;
}
/** TLS certificate validator interface operations */
static struct interface_operation tls_validator_ops[] = {
INTF_OP ( intf_close, struct tls_connection *, tls_validator_done ),
};
/** TLS certificate validator interface descriptor */
static struct interface_descriptor tls_validator_desc =
INTF_DESC ( struct tls_connection, server.validator,
tls_validator_ops );
/******************************************************************************
*
* Controlling process
*
******************************************************************************
*/
/**
* TLS TX state machine
*
* @v tls TLS connection
*/
static void tls_tx_step ( struct tls_connection *tls ) {
struct tls_session *session = tls->session;
struct tls_connection *conn;
int rc;
/* Wait for cipherstream to become ready */
if ( ! xfer_window ( &tls->cipherstream ) )
return;
/* Send first pending transmission */
if ( tls->tx.pending & TLS_TX_CLIENT_HELLO ) {
/* Serialise server negotiations within a session, to
* provide a consistent view of session IDs and
* session tickets.
*/
list_for_each_entry ( conn, &session->conn, list ) {
if ( conn == tls )
break;
if ( is_pending ( &conn->server.negotiation ) )
return;
}
/* Record or generate session ID and associated master secret */
if ( session->id_len ) {
/* Attempt to resume an existing session */
memcpy ( tls->session_id, session->id,
sizeof ( tls->session_id ) );
tls->session_id_len = session->id_len;
memcpy ( tls->master_secret, session->master_secret,
sizeof ( tls->master_secret ) );
} else {
/* No existing session: use a random session ID */
assert ( sizeof ( tls->session_id ) ==
sizeof ( tls->client.random ) );
memcpy ( tls->session_id, &tls->client.random,
sizeof ( tls->session_id ) );
tls->session_id_len = sizeof ( tls->session_id );
}
/* Send Client Hello */
if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
tls, strerror ( rc ) );
goto err;
}
tls->tx.pending &= ~TLS_TX_CLIENT_HELLO;
} else if ( tls->tx.pending & TLS_TX_CERTIFICATE ) {
/* Send Certificate */
if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
tls, strerror ( rc ) );
goto err;
}
tls->tx.pending &= ~TLS_TX_CERTIFICATE;
} else if ( tls->tx.pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
/* Send Client Key Exchange */
if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p could not send Client Key "
"Exchange: %s\n", tls, strerror ( rc ) );
goto err;
}
tls->tx.pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
} else if ( tls->tx.pending & TLS_TX_CERTIFICATE_VERIFY ) {
/* Send Certificate Verify */
if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p could not send Certificate "
"Verify: %s\n", tls, strerror ( rc ) );
goto err;
}
tls->tx.pending &= ~TLS_TX_CERTIFICATE_VERIFY;
} else if ( tls->tx.pending & TLS_TX_CHANGE_CIPHER ) {
/* Send Change Cipher, and then change the cipher in use */
if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p could not send Change Cipher: "
"%s\n", tls, strerror ( rc ) );
goto err;
}
if ( ( rc = tls_change_cipher ( tls,
&tls->tx.cipherspec ) ) != 0 ){
DBGC ( tls, "TLS %p could not activate TX cipher: "
"%s\n", tls, strerror ( rc ) );
goto err;
}
tls->tx.seq = 0;
tls->tx.pending &= ~TLS_TX_CHANGE_CIPHER;
} else if ( tls->tx.pending & TLS_TX_FINISHED ) {
/* Send Finished */
if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p could not send Finished: %s\n",
tls, strerror ( rc ) );
goto err;
}
tls->tx.pending &= ~TLS_TX_FINISHED;
}
/* Reschedule process if pending transmissions remain,
* otherwise send notification of a window change.
*/
if ( tls->tx.pending ) {
tls_tx_resume ( tls );
} else {
xfer_window_changed ( &tls->plainstream );
}
return;
err:
tls_close ( tls, rc );
}
/** TLS TX process descriptor */
static struct process_descriptor tls_process_desc =
PROC_DESC_ONCE ( struct tls_connection, tx.process, tls_tx_step );
/******************************************************************************
*
* Session management
*
******************************************************************************
*/
/**
* Find or create session for TLS connection
*
* @v tls TLS connection
* @v name Server name
* @ret rc Return status code
*/
static int tls_session ( struct tls_connection *tls, const char *name ) {
struct tls_session *session;
char *name_copy;
int rc;
/* Find existing matching session, if any */
list_for_each_entry ( session, &tls_sessions, list ) {
if ( ( strcmp ( name, session->name ) == 0 ) &&
( tls->server.root == session->root ) &&
( tls->client.key == session->key ) ) {
ref_get ( &session->refcnt );
tls->session = session;
DBGC ( tls, "TLS %p joining session %s\n", tls, name );
return 0;
}
}
/* Create new session */
session = zalloc ( sizeof ( *session ) + strlen ( name )
+ 1 /* NUL */ );
if ( ! session ) {
rc = -ENOMEM;
goto err_alloc;
}
ref_init ( &session->refcnt, free_tls_session );
name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
strcpy ( name_copy, name );
session->name = name_copy;
session->root = x509_root_get ( tls->server.root );
session->key = privkey_get ( tls->client.key );
INIT_LIST_HEAD ( &session->conn );
list_add ( &session->list, &tls_sessions );
/* Record session */
tls->session = session;
DBGC ( tls, "TLS %p created session %s\n", tls, name );
return 0;
ref_put ( &session->refcnt );
err_alloc:
return rc;
}
/******************************************************************************
*
* Instantiator
*
******************************************************************************
*/
/**
* Add TLS on an interface
*
* @v xfer Data transfer interface
* @v name Host name
* @v root Root of trust (or NULL to use default)
* @v key Private key (or NULL to use default)
* @ret rc Return status code
*/
int add_tls ( struct interface *xfer, const char *name,
struct x509_root *root, struct private_key *key ) {
struct tls_connection *tls;
int rc;
/* Allocate and initialise TLS structure */
tls = malloc ( sizeof ( *tls ) );
if ( ! tls ) {
rc = -ENOMEM;
goto err_alloc;
}
memset ( tls, 0, sizeof ( *tls ) );
ref_init ( &tls->refcnt, free_tls );
INIT_LIST_HEAD ( &tls->list );
intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
intf_init ( &tls->server.validator, &tls_validator_desc, &tls->refcnt );
process_init_stopped ( &tls->tx.process, &tls_process_desc,
&tls->refcnt );
tls->client.key = privkey_get ( key ? key : &private_key );
tls->server.root = x509_root_get ( root ? root : &root_certificates );
tls->version = TLS_VERSION_MAX;
tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
tls_clear_handshake ( tls );
tls->client.random.gmt_unix_time = time ( NULL );
iob_populate ( &tls->rx.iobuf, &tls->rx.header, 0,
sizeof ( tls->rx.header ) );
INIT_LIST_HEAD ( &tls->rx.data );
if ( ( rc = tls_generate_random ( tls, &tls->client.random.random,
( sizeof ( tls->client.random.random ) ) ) ) != 0 ) {
goto err_random;
}
if ( ( rc = tls_session ( tls, name ) ) != 0 )
goto err_session;
list_add_tail ( &tls->list, &tls->session->conn );
/* Start negotiation */
tls_restart ( tls );
/* Attach to parent interface, mortalise self, and return */
intf_insert ( xfer, &tls->plainstream, &tls->cipherstream );
ref_put ( &tls->refcnt );
return 0;
err_session:
err_random:
ref_put ( &tls->refcnt );
err_alloc:
return rc;
}
/* Drag in objects via add_tls() */
REQUIRING_SYMBOL ( add_tls );
/* Drag in crypto configuration */
REQUIRE_OBJECT ( config_crypto );