1 /* 2 * Copyright (C) 2007 Michael Brown <mbrown (at) fensystems.co.uk>. 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of the GNU General Public License as 6 * published by the Free Software Foundation; either version 2 of the 7 * License, or any later version. 8 * 9 * This program is distributed in the hope that it will be useful, but 10 * WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 * General Public License for more details. 13 * 14 * You should have received a copy of the GNU General Public License 15 * along with this program; if not, write to the Free Software 16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 17 */ 18 19 FILE_LICENCE ( GPL2_OR_LATER ); 20 21 /** 22 * @file 23 * 24 * Transport Layer Security Protocol 25 */ 26 27 #include <stdint.h> 28 #include <stdlib.h> 29 #include <stdarg.h> 30 #include <string.h> 31 #include <errno.h> 32 #include <byteswap.h> 33 #include <gpxe/hmac.h> 34 #include <gpxe/md5.h> 35 #include <gpxe/sha1.h> 36 #include <gpxe/aes.h> 37 #include <gpxe/rsa.h> 38 #include <gpxe/xfer.h> 39 #include <gpxe/open.h> 40 #include <gpxe/filter.h> 41 #include <gpxe/asn1.h> 42 #include <gpxe/x509.h> 43 #include <gpxe/tls.h> 44 45 static int tls_send_plaintext ( struct tls_session *tls, unsigned int type, 46 const void *data, size_t len ); 47 static void tls_clear_cipher ( struct tls_session *tls, 48 struct tls_cipherspec *cipherspec ); 49 50 /****************************************************************************** 51 * 52 * Utility functions 53 * 54 ****************************************************************************** 55 */ 56 57 /** 58 * Extract 24-bit field value 59 * 60 * @v field24 24-bit field 61 * @ret value Field value 62 * 63 * TLS uses 24-bit integers in several places, which are awkward to 64 * parse in C. 65 */ 66 static unsigned long tls_uint24 ( uint8_t field24[3] ) { 67 return ( ( field24[0] << 16 ) + ( field24[1] << 8 ) + field24[2] ); 68 } 69 70 /****************************************************************************** 71 * 72 * Cleanup functions 73 * 74 ****************************************************************************** 75 */ 76 77 /** 78 * Free TLS session 79 * 80 * @v refcnt Reference counter 81 */ 82 static void free_tls ( struct refcnt *refcnt ) { 83 struct tls_session *tls = 84 container_of ( refcnt, struct tls_session, refcnt ); 85 86 /* Free dynamically-allocated resources */ 87 tls_clear_cipher ( tls, &tls->tx_cipherspec ); 88 tls_clear_cipher ( tls, &tls->tx_cipherspec_pending ); 89 tls_clear_cipher ( tls, &tls->rx_cipherspec ); 90 tls_clear_cipher ( tls, &tls->rx_cipherspec_pending ); 91 x509_free_rsa_public_key ( &tls->rsa ); 92 free ( tls->rx_data ); 93 94 /* Free TLS structure itself */ 95 free ( tls ); 96 } 97 98 /** 99 * Finish with TLS session 100 * 101 * @v tls TLS session 102 * @v rc Status code 103 */ 104 static void tls_close ( struct tls_session *tls, int rc ) { 105 106 /* Remove process */ 107 process_del ( &tls->process ); 108 109 /* Close ciphertext and plaintext streams */ 110 xfer_nullify ( &tls->cipherstream.xfer ); 111 xfer_close ( &tls->cipherstream.xfer, rc ); 112 xfer_nullify ( &tls->plainstream.xfer ); 113 xfer_close ( &tls->plainstream.xfer, rc ); 114 } 115 116 /****************************************************************************** 117 * 118 * Random number generation 119 * 120 ****************************************************************************** 121 */ 122 123 /** 124 * Generate random data 125 * 126 * @v data Buffer to fill 127 * @v len Length of buffer 128 */ 129 static void tls_generate_random ( void *data, size_t len ) { 130 /* FIXME: Some real random data source would be nice... */ 131 memset ( data, 0x01, len ); 132 } 133 134 /** 135 * Update HMAC with a list of ( data, len ) pairs 136 * 137 * @v digest Hash function to use 138 * @v digest_ctx Digest context 139 * @v args ( data, len ) pairs of data, terminated by NULL 140 */ 141 static void tls_hmac_update_va ( struct digest_algorithm *digest, 142 void *digest_ctx, va_list args ) { 143 void *data; 144 size_t len; 145 146 while ( ( data = va_arg ( args, void * ) ) ) { 147 len = va_arg ( args, size_t ); 148 hmac_update ( digest, digest_ctx, data, len ); 149 } 150 } 151 152 /** 153 * Generate secure pseudo-random data using a single hash function 154 * 155 * @v tls TLS session 156 * @v digest Hash function to use 157 * @v secret Secret 158 * @v secret_len Length of secret 159 * @v out Output buffer 160 * @v out_len Length of output buffer 161 * @v seeds ( data, len ) pairs of seed data, terminated by NULL 162 */ 163 static void tls_p_hash_va ( struct tls_session *tls, 164 struct digest_algorithm *digest, 165 void *secret, size_t secret_len, 166 void *out, size_t out_len, 167 va_list seeds ) { 168 uint8_t secret_copy[secret_len]; 169 uint8_t digest_ctx[digest->ctxsize]; 170 uint8_t digest_ctx_partial[digest->ctxsize]; 171 uint8_t a[digest->digestsize]; 172 uint8_t out_tmp[digest->digestsize]; 173 size_t frag_len = digest->digestsize; 174 va_list tmp; 175 176 /* Copy the secret, in case HMAC modifies it */ 177 memcpy ( secret_copy, secret, secret_len ); 178 secret = secret_copy; 179 DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name ); 180 DBGC2_HD ( tls, secret, secret_len ); 181 182 /* Calculate A(1) */ 183 hmac_init ( digest, digest_ctx, secret, &secret_len ); 184 va_copy ( tmp, seeds ); 185 tls_hmac_update_va ( digest, digest_ctx, tmp ); 186 va_end ( tmp ); 187 hmac_final ( digest, digest_ctx, secret, &secret_len, a ); 188 DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name ); 189 DBGC2_HD ( tls, &a, sizeof ( a ) ); 190 191 /* Generate as much data as required */ 192 while ( out_len ) { 193 /* Calculate output portion */ 194 hmac_init ( digest, digest_ctx, secret, &secret_len ); 195 hmac_update ( digest, digest_ctx, a, sizeof ( a ) ); 196 memcpy ( digest_ctx_partial, digest_ctx, digest->ctxsize ); 197 va_copy ( tmp, seeds ); 198 tls_hmac_update_va ( digest, digest_ctx, tmp ); 199 va_end ( tmp ); 200 hmac_final ( digest, digest_ctx, 201 secret, &secret_len, out_tmp ); 202 203 /* Copy output */ 204 if ( frag_len > out_len ) 205 frag_len = out_len; 206 memcpy ( out, out_tmp, frag_len ); 207 DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name ); 208 DBGC2_HD ( tls, out, frag_len ); 209 210 /* Calculate A(i) */ 211 hmac_final ( digest, digest_ctx_partial, 212 secret, &secret_len, a ); 213 DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name ); 214 DBGC2_HD ( tls, &a, sizeof ( a ) ); 215 216 out += frag_len; 217 out_len -= frag_len; 218 } 219 } 220 221 /** 222 * Generate secure pseudo-random data 223 * 224 * @v tls TLS session 225 * @v secret Secret 226 * @v secret_len Length of secret 227 * @v out Output buffer 228 * @v out_len Length of output buffer 229 * @v ... ( data, len ) pairs of seed data, terminated by NULL 230 */ 231 static void tls_prf ( struct tls_session *tls, void *secret, size_t secret_len, 232 void *out, size_t out_len, ... ) { 233 va_list seeds; 234 va_list tmp; 235 size_t subsecret_len; 236 void *md5_secret; 237 void *sha1_secret; 238 uint8_t out_md5[out_len]; 239 uint8_t out_sha1[out_len]; 240 unsigned int i; 241 242 va_start ( seeds, out_len ); 243 244 /* Split secret into two, with an overlap of up to one byte */ 245 subsecret_len = ( ( secret_len + 1 ) / 2 ); 246 md5_secret = secret; 247 sha1_secret = ( secret + secret_len - subsecret_len ); 248 249 /* Calculate MD5 portion */ 250 va_copy ( tmp, seeds ); 251 tls_p_hash_va ( tls, &md5_algorithm, md5_secret, subsecret_len, 252 out_md5, out_len, seeds ); 253 va_end ( tmp ); 254 255 /* Calculate SHA1 portion */ 256 va_copy ( tmp, seeds ); 257 tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret, subsecret_len, 258 out_sha1, out_len, seeds ); 259 va_end ( tmp ); 260 261 /* XOR the two portions together into the final output buffer */ 262 for ( i = 0 ; i < out_len ; i++ ) { 263 *( ( uint8_t * ) out + i ) = ( out_md5[i] ^ out_sha1[i] ); 264 } 265 266 va_end ( seeds ); 267 } 268 269 /** 270 * Generate secure pseudo-random data 271 * 272 * @v secret Secret 273 * @v secret_len Length of secret 274 * @v out Output buffer 275 * @v out_len Length of output buffer 276 * @v label String literal label 277 * @v ... ( data, len ) pairs of seed data 278 */ 279 #define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \ 280 tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \ 281 label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL ) 282 283 /****************************************************************************** 284 * 285 * Secret management 286 * 287 ****************************************************************************** 288 */ 289 290 /** 291 * Generate master secret 292 * 293 * @v tls TLS session 294 * 295 * The pre-master secret and the client and server random values must 296 * already be known. 297 */ 298 static void tls_generate_master_secret ( struct tls_session *tls ) { 299 DBGC ( tls, "TLS %p pre-master-secret:\n", tls ); 300 DBGC_HD ( tls, &tls->pre_master_secret, 301 sizeof ( tls->pre_master_secret ) ); 302 DBGC ( tls, "TLS %p client random bytes:\n", tls ); 303 DBGC_HD ( tls, &tls->client_random, sizeof ( tls->client_random ) ); 304 DBGC ( tls, "TLS %p server random bytes:\n", tls ); 305 DBGC_HD ( tls, &tls->server_random, sizeof ( tls->server_random ) ); 306 307 tls_prf_label ( tls, &tls->pre_master_secret, 308 sizeof ( tls->pre_master_secret ), 309 &tls->master_secret, sizeof ( tls->master_secret ), 310 "master secret", 311 &tls->client_random, sizeof ( tls->client_random ), 312 &tls->server_random, sizeof ( tls->server_random ) ); 313 314 DBGC ( tls, "TLS %p generated master secret:\n", tls ); 315 DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) ); 316 } 317 318 /** 319 * Generate key material 320 * 321 * @v tls TLS session 322 * 323 * The master secret must already be known. 324 */ 325 static int tls_generate_keys ( struct tls_session *tls ) { 326 struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending; 327 struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending; 328 size_t hash_size = tx_cipherspec->digest->digestsize; 329 size_t key_size = tx_cipherspec->key_len; 330 size_t iv_size = tx_cipherspec->cipher->blocksize; 331 size_t total = ( 2 * ( hash_size + key_size + iv_size ) ); 332 uint8_t key_block[total]; 333 uint8_t *key; 334 int rc; 335 336 /* Generate key block */ 337 tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ), 338 key_block, sizeof ( key_block ), "key expansion", 339 &tls->server_random, sizeof ( tls->server_random ), 340 &tls->client_random, sizeof ( tls->client_random ) ); 341 342 /* Split key block into portions */ 343 key = key_block; 344 345 /* TX MAC secret */ 346 memcpy ( tx_cipherspec->mac_secret, key, hash_size ); 347 DBGC ( tls, "TLS %p TX MAC secret:\n", tls ); 348 DBGC_HD ( tls, key, hash_size ); 349 key += hash_size; 350 351 /* RX MAC secret */ 352 memcpy ( rx_cipherspec->mac_secret, key, hash_size ); 353 DBGC ( tls, "TLS %p RX MAC secret:\n", tls ); 354 DBGC_HD ( tls, key, hash_size ); 355 key += hash_size; 356 357 /* TX key */ 358 if ( ( rc = cipher_setkey ( tx_cipherspec->cipher, 359 tx_cipherspec->cipher_ctx, 360 key, key_size ) ) != 0 ) { 361 DBGC ( tls, "TLS %p could not set TX key: %s\n", 362 tls, strerror ( rc ) ); 363 return rc; 364 } 365 DBGC ( tls, "TLS %p TX key:\n", tls ); 366 DBGC_HD ( tls, key, key_size ); 367 key += key_size; 368 369 /* RX key */ 370 if ( ( rc = cipher_setkey ( rx_cipherspec->cipher, 371 rx_cipherspec->cipher_ctx, 372 key, key_size ) ) != 0 ) { 373 DBGC ( tls, "TLS %p could not set TX key: %s\n", 374 tls, strerror ( rc ) ); 375 return rc; 376 } 377 DBGC ( tls, "TLS %p RX key:\n", tls ); 378 DBGC_HD ( tls, key, key_size ); 379 key += key_size; 380 381 /* TX initialisation vector */ 382 cipher_setiv ( tx_cipherspec->cipher, tx_cipherspec->cipher_ctx, key ); 383 DBGC ( tls, "TLS %p TX IV:\n", tls ); 384 DBGC_HD ( tls, key, iv_size ); 385 key += iv_size; 386 387 /* RX initialisation vector */ 388 cipher_setiv ( rx_cipherspec->cipher, rx_cipherspec->cipher_ctx, key ); 389 DBGC ( tls, "TLS %p RX IV:\n", tls ); 390 DBGC_HD ( tls, key, iv_size ); 391 key += iv_size; 392 393 assert ( ( key_block + total ) == key ); 394 395 return 0; 396 } 397 398 /****************************************************************************** 399 * 400 * Cipher suite management 401 * 402 ****************************************************************************** 403 */ 404 405 /** 406 * Clear cipher suite 407 * 408 * @v cipherspec TLS cipher specification 409 */ 410 static void tls_clear_cipher ( struct tls_session *tls __unused, 411 struct tls_cipherspec *cipherspec ) { 412 free ( cipherspec->dynamic ); 413 memset ( cipherspec, 0, sizeof ( cipherspec ) ); 414 cipherspec->pubkey = &pubkey_null; 415 cipherspec->cipher = &cipher_null; 416 cipherspec->digest = &digest_null; 417 } 418 419 /** 420 * Set cipher suite 421 * 422 * @v tls TLS session 423 * @v cipherspec TLS cipher specification 424 * @v pubkey Public-key encryption elgorithm 425 * @v cipher Bulk encryption cipher algorithm 426 * @v digest MAC digest algorithm 427 * @v key_len Key length 428 * @ret rc Return status code 429 */ 430 static int tls_set_cipher ( struct tls_session *tls, 431 struct tls_cipherspec *cipherspec, 432 struct pubkey_algorithm *pubkey, 433 struct cipher_algorithm *cipher, 434 struct digest_algorithm *digest, 435 size_t key_len ) { 436 size_t total; 437 void *dynamic; 438 439 /* Clear out old cipher contents, if any */ 440 tls_clear_cipher ( tls, cipherspec ); 441 442 /* Allocate dynamic storage */ 443 total = ( pubkey->ctxsize + 2 * cipher->ctxsize + digest->digestsize ); 444 dynamic = malloc ( total ); 445 if ( ! dynamic ) { 446 DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto " 447 "context\n", tls, total ); 448 return -ENOMEM; 449 } 450 memset ( dynamic, 0, total ); 451 452 /* Assign storage */ 453 cipherspec->dynamic = dynamic; 454 cipherspec->pubkey_ctx = dynamic; dynamic += pubkey->ctxsize; 455 cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize; 456 cipherspec->cipher_next_ctx = dynamic; dynamic += cipher->ctxsize; 457 cipherspec->mac_secret = dynamic; dynamic += digest->digestsize; 458 assert ( ( cipherspec->dynamic + total ) == dynamic ); 459 460 /* Store parameters */ 461 cipherspec->pubkey = pubkey; 462 cipherspec->cipher = cipher; 463 cipherspec->digest = digest; 464 cipherspec->key_len = key_len; 465 466 return 0; 467 } 468 469 /** 470 * Select next cipher suite 471 * 472 * @v tls TLS session 473 * @v cipher_suite Cipher suite specification 474 * @ret rc Return status code 475 */ 476 static int tls_select_cipher ( struct tls_session *tls, 477 unsigned int cipher_suite ) { 478 struct pubkey_algorithm *pubkey = &pubkey_null; 479 struct cipher_algorithm *cipher = &cipher_null; 480 struct digest_algorithm *digest = &digest_null; 481 unsigned int key_len = 0; 482 int rc; 483 484 switch ( cipher_suite ) { 485 case htons ( TLS_RSA_WITH_AES_128_CBC_SHA ): 486 key_len = ( 128 / 8 ); 487 cipher = &aes_cbc_algorithm; 488 digest = &sha1_algorithm; 489 break; 490 case htons ( TLS_RSA_WITH_AES_256_CBC_SHA ): 491 key_len = ( 256 / 8 ); 492 cipher = &aes_cbc_algorithm; 493 digest = &sha1_algorithm; 494 break; 495 default: 496 DBGC ( tls, "TLS %p does not support cipher %04x\n", 497 tls, ntohs ( cipher_suite ) ); 498 return -ENOTSUP; 499 } 500 501 /* Set ciphers */ 502 if ( ( rc = tls_set_cipher ( tls, &tls->tx_cipherspec_pending, pubkey, 503 cipher, digest, key_len ) ) != 0 ) 504 return rc; 505 if ( ( rc = tls_set_cipher ( tls, &tls->rx_cipherspec_pending, pubkey, 506 cipher, digest, key_len ) ) != 0 ) 507 return rc; 508 509 DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls, 510 pubkey->name, cipher->name, ( key_len * 8 ), digest->name ); 511 512 return 0; 513 } 514 515 /** 516 * Activate next cipher suite 517 * 518 * @v tls TLS session 519 * @v pending Pending cipher specification 520 * @v active Active cipher specification to replace 521 * @ret rc Return status code 522 */ 523 static int tls_change_cipher ( struct tls_session *tls, 524 struct tls_cipherspec *pending, 525 struct tls_cipherspec *active ) { 526 527 /* Sanity check */ 528 if ( /* FIXME (when pubkey is not hard-coded to RSA): 529 * ( pending->pubkey == &pubkey_null ) || */ 530 ( pending->cipher == &cipher_null ) || 531 ( pending->digest == &digest_null ) ) { 532 DBGC ( tls, "TLS %p refusing to use null cipher\n", tls ); 533 return -ENOTSUP; 534 } 535 536 tls_clear_cipher ( tls, active ); 537 memswap ( active, pending, sizeof ( *active ) ); 538 return 0; 539 } 540 541 /****************************************************************************** 542 * 543 * Handshake verification 544 * 545 ****************************************************************************** 546 */ 547 548 /** 549 * Add handshake record to verification hash 550 * 551 * @v tls TLS session 552 * @v data Handshake record 553 * @v len Length of handshake record 554 */ 555 static void tls_add_handshake ( struct tls_session *tls, 556 const void *data, size_t len ) { 557 558 digest_update ( &md5_algorithm, tls->handshake_md5_ctx, data, len ); 559 digest_update ( &sha1_algorithm, tls->handshake_sha1_ctx, data, len ); 560 } 561 562 /** 563 * Calculate handshake verification hash 564 * 565 * @v tls TLS session 566 * @v out Output buffer 567 * 568 * Calculates the MD5+SHA1 digest over all handshake messages seen so 569 * far. 570 */ 571 static void tls_verify_handshake ( struct tls_session *tls, void *out ) { 572 struct digest_algorithm *md5 = &md5_algorithm; 573 struct digest_algorithm *sha1 = &sha1_algorithm; 574 uint8_t md5_ctx[md5->ctxsize]; 575 uint8_t sha1_ctx[sha1->ctxsize]; 576 void *md5_digest = out; 577 void *sha1_digest = ( out + md5->digestsize ); 578 579 memcpy ( md5_ctx, tls->handshake_md5_ctx, sizeof ( md5_ctx ) ); 580 memcpy ( sha1_ctx, tls->handshake_sha1_ctx, sizeof ( sha1_ctx ) ); 581 digest_final ( md5, md5_ctx, md5_digest ); 582 digest_final ( sha1, sha1_ctx, sha1_digest ); 583 } 584 585 /****************************************************************************** 586 * 587 * Record handling 588 * 589 ****************************************************************************** 590 */ 591 592 /** 593 * Transmit Handshake record 594 * 595 * @v tls TLS session 596 * @v data Plaintext record 597 * @v len Length of plaintext record 598 * @ret rc Return status code 599 */ 600 static int tls_send_handshake ( struct tls_session *tls, 601 void *data, size_t len ) { 602 603 /* Add to handshake digest */ 604 tls_add_handshake ( tls, data, len ); 605 606 /* Send record */ 607 return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len ); 608 } 609 610 /** 611 * Transmit Client Hello record 612 * 613 * @v tls TLS session 614 * @ret rc Return status code 615 */ 616 static int tls_send_client_hello ( struct tls_session *tls ) { 617 struct { 618 uint32_t type_length; 619 uint16_t version; 620 uint8_t random[32]; 621 uint8_t session_id_len; 622 uint16_t cipher_suite_len; 623 uint16_t cipher_suites[2]; 624 uint8_t compression_methods_len; 625 uint8_t compression_methods[1]; 626 } __attribute__ (( packed )) hello; 627 628 memset ( &hello, 0, sizeof ( hello ) ); 629 hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) | 630 htonl ( sizeof ( hello ) - 631 sizeof ( hello.type_length ) ) ); 632 hello.version = htons ( TLS_VERSION_TLS_1_0 ); 633 memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) ); 634 hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) ); 635 hello.cipher_suites[0] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ); 636 hello.cipher_suites[1] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ); 637 hello.compression_methods_len = sizeof ( hello.compression_methods ); 638 639 return tls_send_handshake ( tls, &hello, sizeof ( hello ) ); 640 } 641 642 /** 643 * Transmit Client Key Exchange record 644 * 645 * @v tls TLS session 646 * @ret rc Return status code 647 */ 648 static int tls_send_client_key_exchange ( struct tls_session *tls ) { 649 /* FIXME: Hack alert */ 650 RSA_CTX *rsa_ctx; 651 RSA_pub_key_new ( &rsa_ctx, tls->rsa.modulus, tls->rsa.modulus_len, 652 tls->rsa.exponent, tls->rsa.exponent_len ); 653 struct { 654 uint32_t type_length; 655 uint16_t encrypted_pre_master_secret_len; 656 uint8_t encrypted_pre_master_secret[rsa_ctx->num_octets]; 657 } __attribute__ (( packed )) key_xchg; 658 659 memset ( &key_xchg, 0, sizeof ( key_xchg ) ); 660 key_xchg.type_length = ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) | 661 htonl ( sizeof ( key_xchg ) - 662 sizeof ( key_xchg.type_length ) ) ); 663 key_xchg.encrypted_pre_master_secret_len 664 = htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) ); 665 666 /* FIXME: Hack alert */ 667 DBGC ( tls, "RSA encrypting plaintext, modulus, exponent:\n" ); 668 DBGC_HD ( tls, &tls->pre_master_secret, 669 sizeof ( tls->pre_master_secret ) ); 670 DBGC_HD ( tls, tls->rsa.modulus, tls->rsa.modulus_len ); 671 DBGC_HD ( tls, tls->rsa.exponent, tls->rsa.exponent_len ); 672 RSA_encrypt ( rsa_ctx, ( const uint8_t * ) &tls->pre_master_secret, 673 sizeof ( tls->pre_master_secret ), 674 key_xchg.encrypted_pre_master_secret, 0 ); 675 DBGC ( tls, "RSA encrypt done. Ciphertext:\n" ); 676 DBGC_HD ( tls, &key_xchg.encrypted_pre_master_secret, 677 sizeof ( key_xchg.encrypted_pre_master_secret ) ); 678 RSA_free ( rsa_ctx ); 679 680 681 return tls_send_handshake ( tls, &key_xchg, sizeof ( key_xchg ) ); 682 } 683 684 /** 685 * Transmit Change Cipher record 686 * 687 * @v tls TLS session 688 * @ret rc Return status code 689 */ 690 static int tls_send_change_cipher ( struct tls_session *tls ) { 691 static const uint8_t change_cipher[1] = { 1 }; 692 return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER, 693 change_cipher, sizeof ( change_cipher ) ); 694 } 695 696 /** 697 * Transmit Finished record 698 * 699 * @v tls TLS session 700 * @ret rc Return status code 701 */ 702 static int tls_send_finished ( struct tls_session *tls ) { 703 struct { 704 uint32_t type_length; 705 uint8_t verify_data[12]; 706 } __attribute__ (( packed )) finished; 707 uint8_t digest[MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE]; 708 709 memset ( &finished, 0, sizeof ( finished ) ); 710 finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) | 711 htonl ( sizeof ( finished ) - 712 sizeof ( finished.type_length ) ) ); 713 tls_verify_handshake ( tls, digest ); 714 tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ), 715 finished.verify_data, sizeof ( finished.verify_data ), 716 "client finished", digest, sizeof ( digest ) ); 717 718 return tls_send_handshake ( tls, &finished, sizeof ( finished ) ); 719 } 720 721 /** 722 * Receive new Change Cipher record 723 * 724 * @v tls TLS session 725 * @v data Plaintext record 726 * @v len Length of plaintext record 727 * @ret rc Return status code 728 */ 729 static int tls_new_change_cipher ( struct tls_session *tls, 730 void *data, size_t len ) { 731 int rc; 732 733 if ( ( len != 1 ) || ( *( ( uint8_t * ) data ) != 1 ) ) { 734 DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls ); 735 DBGC_HD ( tls, data, len ); 736 return -EINVAL; 737 } 738 739 if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending, 740 &tls->rx_cipherspec ) ) != 0 ) { 741 DBGC ( tls, "TLS %p could not activate RX cipher: %s\n", 742 tls, strerror ( rc ) ); 743 return rc; 744 } 745 tls->rx_seq = ~( ( uint64_t ) 0 ); 746 747 return 0; 748 } 749 750 /** 751 * Receive new Alert record 752 * 753 * @v tls TLS session 754 * @v data Plaintext record 755 * @v len Length of plaintext record 756 * @ret rc Return status code 757 */ 758 static int tls_new_alert ( struct tls_session *tls, void *data, size_t len ) { 759 struct { 760 uint8_t level; 761 uint8_t description; 762 char next[0]; 763 } __attribute__ (( packed )) *alert = data; 764 void *end = alert->next; 765 766 /* Sanity check */ 767 if ( end != ( data + len ) ) { 768 DBGC ( tls, "TLS %p received overlength Alert\n", tls ); 769 DBGC_HD ( tls, data, len ); 770 return -EINVAL; 771 } 772 773 switch ( alert->level ) { 774 case TLS_ALERT_WARNING: 775 DBGC ( tls, "TLS %p received warning alert %d\n", 776 tls, alert->description ); 777 return 0; 778 case TLS_ALERT_FATAL: 779 DBGC ( tls, "TLS %p received fatal alert %d\n", 780 tls, alert->description ); 781 return -EPERM; 782 default: 783 DBGC ( tls, "TLS %p received unknown alert level %d" 784 "(alert %d)\n", tls, alert->level, alert->description ); 785 return -EIO; 786 } 787 } 788 789 /** 790 * Receive new Server Hello handshake record 791 * 792 * @v tls TLS session 793 * @v data Plaintext handshake record 794 * @v len Length of plaintext handshake record 795 * @ret rc Return status code 796 */ 797 static int tls_new_server_hello ( struct tls_session *tls, 798 void *data, size_t len ) { 799 struct { 800 uint16_t version; 801 uint8_t random[32]; 802 uint8_t session_id_len; 803 char next[0]; 804 } __attribute__ (( packed )) *hello_a = data; 805 struct { 806 uint8_t session_id[hello_a->session_id_len]; 807 uint16_t cipher_suite; 808 uint8_t compression_method; 809 char next[0]; 810 } __attribute__ (( packed )) *hello_b = ( void * ) &hello_a->next; 811 void *end = hello_b->next; 812 int rc; 813 814 /* Sanity check */ 815 if ( end != ( data + len ) ) { 816 DBGC ( tls, "TLS %p received overlength Server Hello\n", tls ); 817 DBGC_HD ( tls, data, len ); 818 return -EINVAL; 819 } 820 821 /* Check protocol version */ 822 if ( ntohs ( hello_a->version ) < TLS_VERSION_TLS_1_0 ) { 823 DBGC ( tls, "TLS %p does not support protocol version %d.%d\n", 824 tls, ( ntohs ( hello_a->version ) >> 8 ), 825 ( ntohs ( hello_a->version ) & 0xff ) ); 826 return -ENOTSUP; 827 } 828 829 /* Copy out server random bytes */ 830 memcpy ( &tls->server_random, &hello_a->random, 831 sizeof ( tls->server_random ) ); 832 833 /* Select cipher suite */ 834 if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 ) 835 return rc; 836 837 /* Generate secrets */ 838 tls_generate_master_secret ( tls ); 839 if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) 840 return rc; 841 842 return 0; 843 } 844 845 /** 846 * Receive new Certificate handshake record 847 * 848 * @v tls TLS session 849 * @v data Plaintext handshake record 850 * @v len Length of plaintext handshake record 851 * @ret rc Return status code 852 */ 853 static int tls_new_certificate ( struct tls_session *tls, 854 void *data, size_t len ) { 855 struct { 856 uint8_t length[3]; 857 uint8_t certificates[0]; 858 } __attribute__ (( packed )) *certificate = data; 859 struct { 860 uint8_t length[3]; 861 uint8_t certificate[0]; 862 } __attribute__ (( packed )) *element = 863 ( ( void * ) certificate->certificates ); 864 size_t elements_len = tls_uint24 ( certificate->length ); 865 void *end = ( certificate->certificates + elements_len ); 866 struct asn1_cursor cursor; 867 int rc; 868 869 /* Sanity check */ 870 if ( end != ( data + len ) ) { 871 DBGC ( tls, "TLS %p received overlength Server Certificate\n", 872 tls ); 873 DBGC_HD ( tls, data, len ); 874 return -EINVAL; 875 } 876 877 /* Traverse certificate chain */ 878 do { 879 cursor.data = element->certificate; 880 cursor.len = tls_uint24 ( element->length ); 881 if ( ( cursor.data + cursor.len ) > end ) { 882 DBGC ( tls, "TLS %p received corrupt Server " 883 "Certificate\n", tls ); 884 DBGC_HD ( tls, data, len ); 885 return -EINVAL; 886 } 887 888 // HACK 889 if ( ( rc = x509_rsa_public_key ( &cursor, 890 &tls->rsa ) ) != 0 ) { 891 DBGC ( tls, "TLS %p cannot determine RSA public key: " 892 "%s\n", tls, strerror ( rc ) ); 893 return rc; 894 } 895 return 0; 896 897 element = ( cursor.data + cursor.len ); 898 } while ( element != end ); 899 900 return -EINVAL; 901 } 902 903 /** 904 * Receive new Server Hello Done handshake record 905 * 906 * @v tls TLS session 907 * @v data Plaintext handshake record 908 * @v len Length of plaintext handshake record 909 * @ret rc Return status code 910 */ 911 static int tls_new_server_hello_done ( struct tls_session *tls, 912 void *data, size_t len ) { 913 struct { 914 char next[0]; 915 } __attribute__ (( packed )) *hello_done = data; 916 void *end = hello_done->next; 917 918 /* Sanity check */ 919 if ( end != ( data + len ) ) { 920 DBGC ( tls, "TLS %p received overlength Server Hello Done\n", 921 tls ); 922 DBGC_HD ( tls, data, len ); 923 return -EINVAL; 924 } 925 926 /* Check that we are ready to send the Client Key Exchange */ 927 if ( tls->tx_state != TLS_TX_NONE ) { 928 DBGC ( tls, "TLS %p received Server Hello Done while in " 929 "TX state %d\n", tls, tls->tx_state ); 930 return -EIO; 931 } 932 933 /* Start sending the Client Key Exchange */ 934 tls->tx_state = TLS_TX_CLIENT_KEY_EXCHANGE; 935 936 return 0; 937 } 938 939 /** 940 * Receive new Finished handshake record 941 * 942 * @v tls TLS session 943 * @v data Plaintext handshake record 944 * @v len Length of plaintext handshake record 945 * @ret rc Return status code 946 */ 947 static int tls_new_finished ( struct tls_session *tls, 948 void *data, size_t len ) { 949 950 /* FIXME: Handle this properly */ 951 tls->tx_state = TLS_TX_DATA; 952 ( void ) data; 953 ( void ) len; 954 return 0; 955 } 956 957 /** 958 * Receive new Handshake record 959 * 960 * @v tls TLS session 961 * @v data Plaintext record 962 * @v len Length of plaintext record 963 * @ret rc Return status code 964 */ 965 static int tls_new_handshake ( struct tls_session *tls, 966 void *data, size_t len ) { 967 struct { 968 uint8_t type; 969 uint8_t length[3]; 970 uint8_t payload[0]; 971 } __attribute__ (( packed )) *handshake = data; 972 void *payload = &handshake->payload; 973 size_t payload_len = tls_uint24 ( handshake->length ); 974 void *end = ( payload + payload_len ); 975 int rc; 976 977 /* Sanity check */ 978 if ( end != ( data + len ) ) { 979 DBGC ( tls, "TLS %p received overlength Handshake\n", tls ); 980 DBGC_HD ( tls, data, len ); 981 return -EINVAL; 982 } 983 984 switch ( handshake->type ) { 985 case TLS_SERVER_HELLO: 986 rc = tls_new_server_hello ( tls, payload, payload_len ); 987 break; 988 case TLS_CERTIFICATE: 989 rc = tls_new_certificate ( tls, payload, payload_len ); 990 break; 991 case TLS_SERVER_HELLO_DONE: 992 rc = tls_new_server_hello_done ( tls, payload, payload_len ); 993 break; 994 case TLS_FINISHED: 995 rc = tls_new_finished ( tls, payload, payload_len ); 996 break; 997 default: 998 DBGC ( tls, "TLS %p ignoring handshake type %d\n", 999 tls, handshake->type ); 1000 rc = 0; 1001 break; 1002 } 1003 1004 /* Add to handshake digest (except for Hello Requests, which 1005 * are explicitly excluded). 1006 */ 1007 if ( handshake->type != TLS_HELLO_REQUEST ) 1008 tls_add_handshake ( tls, data, len ); 1009 1010 return rc; 1011 } 1012 1013 /** 1014 * Receive new record 1015 * 1016 * @v tls TLS session 1017 * @v type Record type 1018 * @v data Plaintext record 1019 * @v len Length of plaintext record 1020 * @ret rc Return status code 1021 */ 1022 static int tls_new_record ( struct tls_session *tls, 1023 unsigned int type, void *data, size_t len ) { 1024 1025 switch ( type ) { 1026 case TLS_TYPE_CHANGE_CIPHER: 1027 return tls_new_change_cipher ( tls, data, len ); 1028 case TLS_TYPE_ALERT: 1029 return tls_new_alert ( tls, data, len ); 1030 case TLS_TYPE_HANDSHAKE: 1031 return tls_new_handshake ( tls, data, len ); 1032 case TLS_TYPE_DATA: 1033 return xfer_deliver_raw ( &tls->plainstream.xfer, data, len ); 1034 default: 1035 /* RFC4346 says that we should just ignore unknown 1036 * record types. 1037 */ 1038 DBGC ( tls, "TLS %p ignoring record type %d\n", tls, type ); 1039 return 0; 1040 } 1041 } 1042 1043 /****************************************************************************** 1044 * 1045 * Record encryption/decryption 1046 * 1047 ****************************************************************************** 1048 */ 1049 1050 /** 1051 * Calculate HMAC 1052 * 1053 * @v tls TLS session 1054 * @v cipherspec Cipher specification 1055 * @v seq Sequence number 1056 * @v tlshdr TLS header 1057 * @v data Data 1058 * @v len Length of data 1059 * @v mac HMAC to fill in 1060 */ 1061 static void tls_hmac ( struct tls_session *tls __unused, 1062 struct tls_cipherspec *cipherspec, 1063 uint64_t seq, struct tls_header *tlshdr, 1064 const void *data, size_t len, void *hmac ) { 1065 struct digest_algorithm *digest = cipherspec->digest; 1066 uint8_t digest_ctx[digest->ctxsize]; 1067 1068 hmac_init ( digest, digest_ctx, cipherspec->mac_secret, 1069 &digest->digestsize ); 1070 seq = cpu_to_be64 ( seq ); 1071 hmac_update ( digest, digest_ctx, &seq, sizeof ( seq ) ); 1072 hmac_update ( digest, digest_ctx, tlshdr, sizeof ( *tlshdr ) ); 1073 hmac_update ( digest, digest_ctx, data, len ); 1074 hmac_final ( digest, digest_ctx, cipherspec->mac_secret, 1075 &digest->digestsize, hmac ); 1076 } 1077 1078 /** 1079 * Allocate and assemble stream-ciphered record from data and MAC portions 1080 * 1081 * @v tls TLS session 1082 * @ret data Data 1083 * @ret len Length of data 1084 * @ret digest MAC digest 1085 * @ret plaintext_len Length of plaintext record 1086 * @ret plaintext Allocated plaintext record 1087 */ 1088 static void * __malloc tls_assemble_stream ( struct tls_session *tls, 1089 const void *data, size_t len, 1090 void *digest, size_t *plaintext_len ) { 1091 size_t mac_len = tls->tx_cipherspec.digest->digestsize; 1092 void *plaintext; 1093 void *content; 1094 void *mac; 1095 1096 /* Calculate stream-ciphered struct length */ 1097 *plaintext_len = ( len + mac_len ); 1098 1099 /* Allocate stream-ciphered struct */ 1100 plaintext = malloc ( *plaintext_len ); 1101 if ( ! plaintext ) 1102 return NULL; 1103 content = plaintext; 1104 mac = ( content + len ); 1105 1106 /* Fill in stream-ciphered struct */ 1107 memcpy ( content, data, len ); 1108 memcpy ( mac, digest, mac_len ); 1109 1110 return plaintext; 1111 } 1112 1113 /** 1114 * Allocate and assemble block-ciphered record from data and MAC portions 1115 * 1116 * @v tls TLS session 1117 * @ret data Data 1118 * @ret len Length of data 1119 * @ret digest MAC digest 1120 * @ret plaintext_len Length of plaintext record 1121 * @ret plaintext Allocated plaintext record 1122 */ 1123 static void * tls_assemble_block ( struct tls_session *tls, 1124 const void *data, size_t len, 1125 void *digest, size_t *plaintext_len ) { 1126 size_t blocksize = tls->tx_cipherspec.cipher->blocksize; 1127 size_t iv_len = blocksize; 1128 size_t mac_len = tls->tx_cipherspec.digest->digestsize; 1129 size_t padding_len; 1130 void *plaintext; 1131 void *iv; 1132 void *content; 1133 void *mac; 1134 void *padding; 1135 1136 /* FIXME: TLSv1.1 has an explicit IV */ 1137 iv_len = 0; 1138 1139 /* Calculate block-ciphered struct length */ 1140 padding_len = ( ( blocksize - 1 ) & -( iv_len + len + mac_len + 1 ) ); 1141 *plaintext_len = ( iv_len + len + mac_len + padding_len + 1 ); 1142 1143 /* Allocate block-ciphered struct */ 1144 plaintext = malloc ( *plaintext_len ); 1145 if ( ! plaintext ) 1146 return NULL; 1147 iv = plaintext; 1148 content = ( iv + iv_len ); 1149 mac = ( content + len ); 1150 padding = ( mac + mac_len ); 1151 1152 /* Fill in block-ciphered struct */ 1153 memset ( iv, 0, iv_len ); 1154 memcpy ( content, data, len ); 1155 memcpy ( mac, digest, mac_len ); 1156 memset ( padding, padding_len, ( padding_len + 1 ) ); 1157 1158 return plaintext; 1159 } 1160 1161 /** 1162 * Send plaintext record 1163 * 1164 * @v tls TLS session 1165 * @v type Record type 1166 * @v data Plaintext record 1167 * @v len Length of plaintext record 1168 * @ret rc Return status code 1169 */ 1170 static int tls_send_plaintext ( struct tls_session *tls, unsigned int type, 1171 const void *data, size_t len ) { 1172 struct tls_header plaintext_tlshdr; 1173 struct tls_header *tlshdr; 1174 struct tls_cipherspec *cipherspec = &tls->tx_cipherspec; 1175 void *plaintext = NULL; 1176 size_t plaintext_len; 1177 struct io_buffer *ciphertext = NULL; 1178 size_t ciphertext_len; 1179 size_t mac_len = cipherspec->digest->digestsize; 1180 uint8_t mac[mac_len]; 1181 int rc; 1182 1183 /* Construct header */ 1184 plaintext_tlshdr.type = type; 1185 plaintext_tlshdr.version = htons ( TLS_VERSION_TLS_1_0 ); 1186 plaintext_tlshdr.length = htons ( len ); 1187 1188 /* Calculate MAC */ 1189 tls_hmac ( tls, cipherspec, tls->tx_seq, &plaintext_tlshdr, 1190 data, len, mac ); 1191 1192 /* Allocate and assemble plaintext struct */ 1193 if ( is_stream_cipher ( cipherspec->cipher ) ) { 1194 plaintext = tls_assemble_stream ( tls, data, len, mac, 1195 &plaintext_len ); 1196 } else { 1197 plaintext = tls_assemble_block ( tls, data, len, mac, 1198 &plaintext_len ); 1199 } 1200 if ( ! plaintext ) { 1201 DBGC ( tls, "TLS %p could not allocate %zd bytes for " 1202 "plaintext\n", tls, plaintext_len ); 1203 rc = -ENOMEM; 1204 goto done; 1205 } 1206 1207 DBGC2 ( tls, "Sending plaintext data:\n" ); 1208 DBGC2_HD ( tls, plaintext, plaintext_len ); 1209 1210 /* Allocate ciphertext */ 1211 ciphertext_len = ( sizeof ( *tlshdr ) + plaintext_len ); 1212 ciphertext = xfer_alloc_iob ( &tls->cipherstream.xfer, 1213 ciphertext_len ); 1214 if ( ! ciphertext ) { 1215 DBGC ( tls, "TLS %p could not allocate %zd bytes for " 1216 "ciphertext\n", tls, ciphertext_len ); 1217 rc = -ENOMEM; 1218 goto done; 1219 } 1220 1221 /* Assemble ciphertext */ 1222 tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) ); 1223 tlshdr->type = type; 1224 tlshdr->version = htons ( TLS_VERSION_TLS_1_0 ); 1225 tlshdr->length = htons ( plaintext_len ); 1226 memcpy ( cipherspec->cipher_next_ctx, cipherspec->cipher_ctx, 1227 cipherspec->cipher->ctxsize ); 1228 cipher_encrypt ( cipherspec->cipher, cipherspec->cipher_next_ctx, 1229 plaintext, iob_put ( ciphertext, plaintext_len ), 1230 plaintext_len ); 1231 1232 /* Free plaintext as soon as possible to conserve memory */ 1233 free ( plaintext ); 1234 plaintext = NULL; 1235 1236 /* Send ciphertext */ 1237 rc = xfer_deliver_iob ( &tls->cipherstream.xfer, ciphertext ); 1238 ciphertext = NULL; 1239 if ( rc != 0 ) { 1240 DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n", 1241 tls, strerror ( rc ) ); 1242 goto done; 1243 } 1244 1245 /* Update TX state machine to next record */ 1246 tls->tx_seq += 1; 1247 memcpy ( tls->tx_cipherspec.cipher_ctx, 1248 tls->tx_cipherspec.cipher_next_ctx, 1249 tls->tx_cipherspec.cipher->ctxsize ); 1250 1251 done: 1252 free ( plaintext ); 1253 free_iob ( ciphertext ); 1254 return rc; 1255 } 1256 1257 /** 1258 * Split stream-ciphered record into data and MAC portions 1259 * 1260 * @v tls TLS session 1261 * @v plaintext Plaintext record 1262 * @v plaintext_len Length of record 1263 * @ret data Data 1264 * @ret len Length of data 1265 * @ret digest MAC digest 1266 * @ret rc Return status code 1267 */ 1268 static int tls_split_stream ( struct tls_session *tls, 1269 void *plaintext, size_t plaintext_len, 1270 void **data, size_t *len, void **digest ) { 1271 void *content; 1272 size_t content_len; 1273 void *mac; 1274 size_t mac_len; 1275 1276 /* Decompose stream-ciphered data */ 1277 mac_len = tls->rx_cipherspec.digest->digestsize; 1278 if ( plaintext_len < mac_len ) { 1279 DBGC ( tls, "TLS %p received underlength record\n", tls ); 1280 DBGC_HD ( tls, plaintext, plaintext_len ); 1281 return -EINVAL; 1282 } 1283 content_len = ( plaintext_len - mac_len ); 1284 content = plaintext; 1285 mac = ( content + content_len ); 1286 1287 /* Fill in return values */ 1288 *data = content; 1289 *len = content_len; 1290 *digest = mac; 1291 1292 return 0; 1293 } 1294 1295 /** 1296 * Split block-ciphered record into data and MAC portions 1297 * 1298 * @v tls TLS session 1299 * @v plaintext Plaintext record 1300 * @v plaintext_len Length of record 1301 * @ret data Data 1302 * @ret len Length of data 1303 * @ret digest MAC digest 1304 * @ret rc Return status code 1305 */ 1306 static int tls_split_block ( struct tls_session *tls, 1307 void *plaintext, size_t plaintext_len, 1308 void **data, size_t *len, 1309 void **digest ) { 1310 void *iv; 1311 size_t iv_len; 1312 void *content; 1313 size_t content_len; 1314 void *mac; 1315 size_t mac_len; 1316 void *padding; 1317 size_t padding_len; 1318 unsigned int i; 1319 1320 /* Decompose block-ciphered data */ 1321 if ( plaintext_len < 1 ) { 1322 DBGC ( tls, "TLS %p received underlength record\n", tls ); 1323 DBGC_HD ( tls, plaintext, plaintext_len ); 1324 return -EINVAL; 1325 } 1326 iv_len = tls->rx_cipherspec.cipher->blocksize; 1327 1328 /* FIXME: TLSv1.1 uses an explicit IV */ 1329 iv_len = 0; 1330 1331 mac_len = tls->rx_cipherspec.digest->digestsize; 1332 padding_len = *( ( uint8_t * ) ( plaintext + plaintext_len - 1 ) ); 1333 if ( plaintext_len < ( iv_len + mac_len + padding_len + 1 ) ) { 1334 DBGC ( tls, "TLS %p received underlength record\n", tls ); 1335 DBGC_HD ( tls, plaintext, plaintext_len ); 1336 return -EINVAL; 1337 } 1338 content_len = ( plaintext_len - iv_len - mac_len - padding_len - 1 ); 1339 iv = plaintext; 1340 content = ( iv + iv_len ); 1341 mac = ( content + content_len ); 1342 padding = ( mac + mac_len ); 1343 1344 /* Verify padding bytes */ 1345 for ( i = 0 ; i < padding_len ; i++ ) { 1346 if ( *( ( uint8_t * ) ( padding + i ) ) != padding_len ) { 1347 DBGC ( tls, "TLS %p received bad padding\n", tls ); 1348 DBGC_HD ( tls, plaintext, plaintext_len ); 1349 return -EINVAL; 1350 } 1351 } 1352 1353 /* Fill in return values */ 1354 *data = content; 1355 *len = content_len; 1356 *digest = mac; 1357 1358 return 0; 1359 } 1360 1361 /** 1362 * Receive new ciphertext record 1363 * 1364 * @v tls TLS session 1365 * @v tlshdr Record header 1366 * @v ciphertext Ciphertext record 1367 * @ret rc Return status code 1368 */ 1369 static int tls_new_ciphertext ( struct tls_session *tls, 1370 struct tls_header *tlshdr, void *ciphertext ) { 1371 struct tls_header plaintext_tlshdr; 1372 struct tls_cipherspec *cipherspec = &tls->rx_cipherspec; 1373 size_t record_len = ntohs ( tlshdr->length ); 1374 void *plaintext = NULL; 1375 void *data; 1376 size_t len; 1377 void *mac; 1378 size_t mac_len = cipherspec->digest->digestsize; 1379 uint8_t verify_mac[mac_len]; 1380 int rc; 1381 1382 /* Allocate buffer for plaintext */ 1383 plaintext = malloc ( record_len ); 1384 if ( ! plaintext ) { 1385 DBGC ( tls, "TLS %p could not allocate %zd bytes for " 1386 "decryption buffer\n", tls, record_len ); 1387 rc = -ENOMEM; 1388 goto done; 1389 } 1390 1391 /* Decrypt the record */ 1392 cipher_decrypt ( cipherspec->cipher, cipherspec->cipher_ctx, 1393 ciphertext, plaintext, record_len ); 1394 1395 /* Split record into content and MAC */ 1396 if ( is_stream_cipher ( cipherspec->cipher ) ) { 1397 if ( ( rc = tls_split_stream ( tls, plaintext, record_len, 1398 &data, &len, &mac ) ) != 0 ) 1399 goto done; 1400 } else { 1401 if ( ( rc = tls_split_block ( tls, plaintext, record_len, 1402 &data, &len, &mac ) ) != 0 ) 1403 goto done; 1404 } 1405 1406 /* Verify MAC */ 1407 plaintext_tlshdr.type = tlshdr->type; 1408 plaintext_tlshdr.version = tlshdr->version; 1409 plaintext_tlshdr.length = htons ( len ); 1410 tls_hmac ( tls, cipherspec, tls->rx_seq, &plaintext_tlshdr, 1411 data, len, verify_mac); 1412 if ( memcmp ( mac, verify_mac, mac_len ) != 0 ) { 1413 DBGC ( tls, "TLS %p failed MAC verification\n", tls ); 1414 DBGC_HD ( tls, plaintext, record_len ); 1415 goto done; 1416 } 1417 1418 DBGC2 ( tls, "Received plaintext data:\n" ); 1419 DBGC2_HD ( tls, data, len ); 1420 1421 /* Process plaintext record */ 1422 if ( ( rc = tls_new_record ( tls, tlshdr->type, data, len ) ) != 0 ) 1423 goto done; 1424 1425 rc = 0; 1426 done: 1427 free ( plaintext ); 1428 return rc; 1429 } 1430 1431 /****************************************************************************** 1432 * 1433 * Plaintext stream operations 1434 * 1435 ****************************************************************************** 1436 */ 1437 1438 /** 1439 * Close interface 1440 * 1441 * @v xfer Plainstream data transfer interface 1442 * @v rc Reason for close 1443 */ 1444 static void tls_plainstream_close ( struct xfer_interface *xfer, int rc ) { 1445 struct tls_session *tls = 1446 container_of ( xfer, struct tls_session, plainstream.xfer ); 1447 1448 tls_close ( tls, rc ); 1449 } 1450 1451 /** 1452 * Check flow control window 1453 * 1454 * @v xfer Plainstream data transfer interface 1455 * @ret len Length of window 1456 */ 1457 static size_t tls_plainstream_window ( struct xfer_interface *xfer ) { 1458 struct tls_session *tls = 1459 container_of ( xfer, struct tls_session, plainstream.xfer ); 1460 1461 /* Block window unless we are ready to accept data */ 1462 if ( tls->tx_state != TLS_TX_DATA ) 1463 return 0; 1464 1465 return filter_window ( xfer ); 1466 } 1467 1468 /** 1469 * Deliver datagram as raw data 1470 * 1471 * @v xfer Plainstream data transfer interface 1472 * @v data Data buffer 1473 * @v len Length of data buffer 1474 * @ret rc Return status code 1475 */ 1476 static int tls_plainstream_deliver_raw ( struct xfer_interface *xfer, 1477 const void *data, size_t len ) { 1478 struct tls_session *tls = 1479 container_of ( xfer, struct tls_session, plainstream.xfer ); 1480 1481 /* Refuse unless we are ready to accept data */ 1482 if ( tls->tx_state != TLS_TX_DATA ) 1483 return -ENOTCONN; 1484 1485 return tls_send_plaintext ( tls, TLS_TYPE_DATA, data, len ); 1486 } 1487 1488 /** TLS plaintext stream operations */ 1489 static struct xfer_interface_operations tls_plainstream_operations = { 1490 .close = tls_plainstream_close, 1491 .vredirect = ignore_xfer_vredirect, 1492 .window = tls_plainstream_window, 1493 .alloc_iob = default_xfer_alloc_iob, 1494 .deliver_iob = xfer_deliver_as_raw, 1495 .deliver_raw = tls_plainstream_deliver_raw, 1496 }; 1497 1498 /****************************************************************************** 1499 * 1500 * Ciphertext stream operations 1501 * 1502 ****************************************************************************** 1503 */ 1504 1505 /** 1506 * Close interface 1507 * 1508 * @v xfer Plainstream data transfer interface 1509 * @v rc Reason for close 1510 */ 1511 static void tls_cipherstream_close ( struct xfer_interface *xfer, int rc ) { 1512 struct tls_session *tls = 1513 container_of ( xfer, struct tls_session, cipherstream.xfer ); 1514 1515 tls_close ( tls, rc ); 1516 } 1517 1518 /** 1519 * Handle received TLS header 1520 * 1521 * @v tls TLS session 1522 * @ret rc Returned status code 1523 */ 1524 static int tls_newdata_process_header ( struct tls_session *tls ) { 1525 size_t data_len = ntohs ( tls->rx_header.length ); 1526 1527 /* Allocate data buffer now that we know the length */ 1528 assert ( tls->rx_data == NULL ); 1529 tls->rx_data = malloc ( data_len ); 1530 if ( ! tls->rx_data ) { 1531 DBGC ( tls, "TLS %p could not allocate %zd bytes " 1532 "for receive buffer\n", tls, data_len ); 1533 return -ENOMEM; 1534 } 1535 1536 /* Move to data state */ 1537 tls->rx_state = TLS_RX_DATA; 1538 1539 return 0; 1540 } 1541 1542 /** 1543 * Handle received TLS data payload 1544 * 1545 * @v tls TLS session 1546 * @ret rc Returned status code 1547 */ 1548 static int tls_newdata_process_data ( struct tls_session *tls ) { 1549 int rc; 1550 1551 /* Process record */ 1552 if ( ( rc = tls_new_ciphertext ( tls, &tls->rx_header, 1553 tls->rx_data ) ) != 0 ) 1554 return rc; 1555 1556 /* Increment RX sequence number */ 1557 tls->rx_seq += 1; 1558 1559 /* Free data buffer */ 1560 free ( tls->rx_data ); 1561 tls->rx_data = NULL; 1562 1563 /* Return to header state */ 1564 tls->rx_state = TLS_RX_HEADER; 1565 1566 return 0; 1567 } 1568 1569 /** 1570 * Receive new ciphertext 1571 * 1572 * @v app Stream application 1573 * @v data Data received 1574 * @v len Length of received data 1575 * @ret rc Return status code 1576 */ 1577 static int tls_cipherstream_deliver_raw ( struct xfer_interface *xfer, 1578 const void *data, size_t len ) { 1579 struct tls_session *tls = 1580 container_of ( xfer, struct tls_session, cipherstream.xfer ); 1581 size_t frag_len; 1582 void *buf; 1583 size_t buf_len; 1584 int ( * process ) ( struct tls_session *tls ); 1585 int rc; 1586 1587 while ( len ) { 1588 /* Select buffer according to current state */ 1589 switch ( tls->rx_state ) { 1590 case TLS_RX_HEADER: 1591 buf = &tls->rx_header; 1592 buf_len = sizeof ( tls->rx_header ); 1593 process = tls_newdata_process_header; 1594 break; 1595 case TLS_RX_DATA: 1596 buf = tls->rx_data; 1597 buf_len = ntohs ( tls->rx_header.length ); 1598 process = tls_newdata_process_data; 1599 break; 1600 default: 1601 assert ( 0 ); 1602 return -EINVAL; 1603 } 1604 1605 /* Copy data portion to buffer */ 1606 frag_len = ( buf_len - tls->rx_rcvd ); 1607 if ( frag_len > len ) 1608 frag_len = len; 1609 memcpy ( ( buf + tls->rx_rcvd ), data, frag_len ); 1610 tls->rx_rcvd += frag_len; 1611 data += frag_len; 1612 len -= frag_len; 1613 1614 /* Process data if buffer is now full */ 1615 if ( tls->rx_rcvd == buf_len ) { 1616 if ( ( rc = process ( tls ) ) != 0 ) { 1617 tls_close ( tls, rc ); 1618 return rc; 1619 } 1620 tls->rx_rcvd = 0; 1621 } 1622 } 1623 1624 return 0; 1625 } 1626 1627 /** TLS ciphertext stream operations */ 1628 static struct xfer_interface_operations tls_cipherstream_operations = { 1629 .close = tls_cipherstream_close, 1630 .vredirect = xfer_vreopen, 1631 .window = filter_window, 1632 .alloc_iob = default_xfer_alloc_iob, 1633 .deliver_iob = xfer_deliver_as_raw, 1634 .deliver_raw = tls_cipherstream_deliver_raw, 1635 }; 1636 1637 /****************************************************************************** 1638 * 1639 * Controlling process 1640 * 1641 ****************************************************************************** 1642 */ 1643 1644 /** 1645 * TLS TX state machine 1646 * 1647 * @v process TLS process 1648 */ 1649 static void tls_step ( struct process *process ) { 1650 struct tls_session *tls = 1651 container_of ( process, struct tls_session, process ); 1652 int rc; 1653 1654 /* Wait for cipherstream to become ready */ 1655 if ( ! xfer_window ( &tls->cipherstream.xfer ) ) 1656 return; 1657 1658 switch ( tls->tx_state ) { 1659 case TLS_TX_NONE: 1660 /* Nothing to do */ 1661 break; 1662 case TLS_TX_CLIENT_HELLO: 1663 /* Send Client Hello */ 1664 if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) { 1665 DBGC ( tls, "TLS %p could not send Client Hello: %s\n", 1666 tls, strerror ( rc ) ); 1667 goto err; 1668 } 1669 tls->tx_state = TLS_TX_NONE; 1670 break; 1671 case TLS_TX_CLIENT_KEY_EXCHANGE: 1672 /* Send Client Key Exchange */ 1673 if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) { 1674 DBGC ( tls, "TLS %p could send Client Key Exchange: " 1675 "%s\n", tls, strerror ( rc ) ); 1676 goto err; 1677 } 1678 tls->tx_state = TLS_TX_CHANGE_CIPHER; 1679 break; 1680 case TLS_TX_CHANGE_CIPHER: 1681 /* Send Change Cipher, and then change the cipher in use */ 1682 if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) { 1683 DBGC ( tls, "TLS %p could not send Change Cipher: " 1684 "%s\n", tls, strerror ( rc ) ); 1685 goto err; 1686 } 1687 if ( ( rc = tls_change_cipher ( tls, 1688 &tls->tx_cipherspec_pending, 1689 &tls->tx_cipherspec )) != 0 ){ 1690 DBGC ( tls, "TLS %p could not activate TX cipher: " 1691 "%s\n", tls, strerror ( rc ) ); 1692 goto err; 1693 } 1694 tls->tx_seq = 0; 1695 tls->tx_state = TLS_TX_FINISHED; 1696 break; 1697 case TLS_TX_FINISHED: 1698 /* Send Finished */ 1699 if ( ( rc = tls_send_finished ( tls ) ) != 0 ) { 1700 DBGC ( tls, "TLS %p could not send Finished: %s\n", 1701 tls, strerror ( rc ) ); 1702 goto err; 1703 } 1704 tls->tx_state = TLS_TX_NONE; 1705 break; 1706 case TLS_TX_DATA: 1707 /* Nothing to do */ 1708 break; 1709 default: 1710 assert ( 0 ); 1711 } 1712 1713 return; 1714 1715 err: 1716 tls_close ( tls, rc ); 1717 } 1718 1719 /****************************************************************************** 1720 * 1721 * Instantiator 1722 * 1723 ****************************************************************************** 1724 */ 1725 1726 int add_tls ( struct xfer_interface *xfer, struct xfer_interface **next ) { 1727 struct tls_session *tls; 1728 1729 /* Allocate and initialise TLS structure */ 1730 tls = malloc ( sizeof ( *tls ) ); 1731 if ( ! tls ) 1732 return -ENOMEM; 1733 memset ( tls, 0, sizeof ( *tls ) ); 1734 tls->refcnt.free = free_tls; 1735 filter_init ( &tls->plainstream, &tls_plainstream_operations, 1736 &tls->cipherstream, &tls_cipherstream_operations, 1737 &tls->refcnt ); 1738 tls_clear_cipher ( tls, &tls->tx_cipherspec ); 1739 tls_clear_cipher ( tls, &tls->tx_cipherspec_pending ); 1740 tls_clear_cipher ( tls, &tls->rx_cipherspec ); 1741 tls_clear_cipher ( tls, &tls->rx_cipherspec_pending ); 1742 tls->client_random.gmt_unix_time = 0; 1743 tls_generate_random ( &tls->client_random.random, 1744 ( sizeof ( tls->client_random.random ) ) ); 1745 tls->pre_master_secret.version = htons ( TLS_VERSION_TLS_1_0 ); 1746 tls_generate_random ( &tls->pre_master_secret.random, 1747 ( sizeof ( tls->pre_master_secret.random ) ) ); 1748 digest_init ( &md5_algorithm, tls->handshake_md5_ctx ); 1749 digest_init ( &sha1_algorithm, tls->handshake_sha1_ctx ); 1750 tls->tx_state = TLS_TX_CLIENT_HELLO; 1751 process_init ( &tls->process, tls_step, &tls->refcnt ); 1752 1753 /* Attach to parent interface, mortalise self, and return */ 1754 xfer_plug_plug ( &tls->plainstream.xfer, xfer ); 1755 *next = &tls->cipherstream.xfer; 1756 ref_put ( &tls->refcnt ); 1757 return 0; 1758 } 1759 1760