Context Navigation

source: bootcd/isolinux/syslinux-6.03/gpxe/src/net/tls.c

Last change on this file was e16e8f2, checked in by Edwin Eefting <edwin@datux.nl>, 3 years ago
bootstuff
Property mode set to `100644`
File size: 47.5 KB

Rev	Line
[e16e8f2]	1	/*
	2	* Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
	3	*
	4	* This program is free software; you can redistribute it and/or
	5	* modify it under the terms of the GNU General Public License as
	6	* published by the Free Software Foundation; either version 2 of the
	7	* License, or any later version.
	8	*
	9	* This program is distributed in the hope that it will be useful, but
	10	* WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	12	* General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU General Public License
	15	* along with this program; if not, write to the Free Software
	16	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	17	*/
	18
	19	FILE_LICENCE ( GPL2_OR_LATER );
	20
	21	/**
	22	* @file
	23	*
	24	* Transport Layer Security Protocol
	25	*/
	26
	27	#include <stdint.h>
	28	#include <stdlib.h>
	29	#include <stdarg.h>
	30	#include <string.h>
	31	#include <errno.h>
	32	#include <byteswap.h>
	33	#include <gpxe/hmac.h>
	34	#include <gpxe/md5.h>
	35	#include <gpxe/sha1.h>
	36	#include <gpxe/aes.h>
	37	#include <gpxe/rsa.h>
	38	#include <gpxe/xfer.h>
	39	#include <gpxe/open.h>
	40	#include <gpxe/filter.h>
	41	#include <gpxe/asn1.h>
	42	#include <gpxe/x509.h>
	43	#include <gpxe/tls.h>
	44
	45	static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
	46	const void *data, size_t len );
	47	static void tls_clear_cipher ( struct tls_session *tls,
	48	struct tls_cipherspec *cipherspec );
	49
	50	/******************************************************************************
	51	*
	52	* Utility functions
	53	*
	54	******************************************************************************
	55	*/
	56
	57	/**
	58	* Extract 24-bit field value
	59	*
	60	* @v field24 24-bit field
	61	* @ret value Field value
	62	*
	63	* TLS uses 24-bit integers in several places, which are awkward to
	64	* parse in C.
	65	*/
	66	static unsigned long tls_uint24 ( uint8_t field24[3] ) {
	67	return ( ( field24[0] << 16 ) + ( field24[1] << 8 ) + field24[2] );
	68	}
	69
	70	/******************************************************************************
	71	*
	72	* Cleanup functions
	73	*
	74	******************************************************************************
	75	*/
	76
	77	/**
	78	* Free TLS session
	79	*
	80	* @v refcnt Reference counter
	81	*/
	82	static void free_tls ( struct refcnt *refcnt ) {
	83	struct tls_session *tls =
	84	container_of ( refcnt, struct tls_session, refcnt );
	85
	86	/* Free dynamically-allocated resources */
	87	tls_clear_cipher ( tls, &tls->tx_cipherspec );
	88	tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
	89	tls_clear_cipher ( tls, &tls->rx_cipherspec );
	90	tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
	91	x509_free_rsa_public_key ( &tls->rsa );
	92	free ( tls->rx_data );
	93
	94	/* Free TLS structure itself */
	95	free ( tls );
	96	}
	97
	98	/**
	99	* Finish with TLS session
	100	*
	101	* @v tls TLS session
	102	* @v rc Status code
	103	*/
	104	static void tls_close ( struct tls_session *tls, int rc ) {
	105
	106	/* Remove process */
	107	process_del ( &tls->process );
	108
	109	/* Close ciphertext and plaintext streams */
	110	xfer_nullify ( &tls->cipherstream.xfer );
	111	xfer_close ( &tls->cipherstream.xfer, rc );
	112	xfer_nullify ( &tls->plainstream.xfer );
	113	xfer_close ( &tls->plainstream.xfer, rc );
	114	}
	115
	116	/******************************************************************************
	117	*
	118	* Random number generation
	119	*
	120	******************************************************************************
	121	*/
	122
	123	/**
	124	* Generate random data
	125	*
	126	* @v data Buffer to fill
	127	* @v len Length of buffer
	128	*/
	129	static void tls_generate_random ( void *data, size_t len ) {
	130	/* FIXME: Some real random data source would be nice... */
	131	memset ( data, 0x01, len );
	132	}
	133
	134	/**
	135	* Update HMAC with a list of ( data, len ) pairs
	136	*
	137	* @v digest Hash function to use
	138	* @v digest_ctx Digest context
	139	* @v args ( data, len ) pairs of data, terminated by NULL
	140	*/
	141	static void tls_hmac_update_va ( struct digest_algorithm *digest,
	142	void *digest_ctx, va_list args ) {
	143	void *data;
	144	size_t len;
	145
	146	while ( ( data = va_arg ( args, void * ) ) ) {
	147	len = va_arg ( args, size_t );
	148	hmac_update ( digest, digest_ctx, data, len );
	149	}
	150	}
	151
	152	/**
	153	* Generate secure pseudo-random data using a single hash function
	154	*
	155	* @v tls TLS session
	156	* @v digest Hash function to use
	157	* @v secret Secret
	158	* @v secret_len Length of secret
	159	* @v out Output buffer
	160	* @v out_len Length of output buffer
	161	* @v seeds ( data, len ) pairs of seed data, terminated by NULL
	162	*/
	163	static void tls_p_hash_va ( struct tls_session *tls,
	164	struct digest_algorithm *digest,
	165	void *secret, size_t secret_len,
	166	void *out, size_t out_len,
	167	va_list seeds ) {
	168	uint8_t secret_copy[secret_len];
	169	uint8_t digest_ctx[digest->ctxsize];
	170	uint8_t digest_ctx_partial[digest->ctxsize];
	171	uint8_t a[digest->digestsize];
	172	uint8_t out_tmp[digest->digestsize];
	173	size_t frag_len = digest->digestsize;
	174	va_list tmp;
	175
	176	/* Copy the secret, in case HMAC modifies it */
	177	memcpy ( secret_copy, secret, secret_len );
	178	secret = secret_copy;
	179	DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
	180	DBGC2_HD ( tls, secret, secret_len );
	181
	182	/* Calculate A(1) */
	183	hmac_init ( digest, digest_ctx, secret, &secret_len );
	184	va_copy ( tmp, seeds );
	185	tls_hmac_update_va ( digest, digest_ctx, tmp );
	186	va_end ( tmp );
	187	hmac_final ( digest, digest_ctx, secret, &secret_len, a );
	188	DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
	189	DBGC2_HD ( tls, &a, sizeof ( a ) );
	190
	191	/* Generate as much data as required */
	192	while ( out_len ) {
	193	/* Calculate output portion */
	194	hmac_init ( digest, digest_ctx, secret, &secret_len );
	195	hmac_update ( digest, digest_ctx, a, sizeof ( a ) );
	196	memcpy ( digest_ctx_partial, digest_ctx, digest->ctxsize );
	197	va_copy ( tmp, seeds );
	198	tls_hmac_update_va ( digest, digest_ctx, tmp );
	199	va_end ( tmp );
	200	hmac_final ( digest, digest_ctx,
	201	secret, &secret_len, out_tmp );
	202
	203	/* Copy output */
	204	if ( frag_len > out_len )
	205	frag_len = out_len;
	206	memcpy ( out, out_tmp, frag_len );
	207	DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
	208	DBGC2_HD ( tls, out, frag_len );
	209
	210	/* Calculate A(i) */
	211	hmac_final ( digest, digest_ctx_partial,
	212	secret, &secret_len, a );
	213	DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
	214	DBGC2_HD ( tls, &a, sizeof ( a ) );
	215
	216	out += frag_len;
	217	out_len -= frag_len;
	218	}
	219	}
	220
	221	/**
	222	* Generate secure pseudo-random data
	223	*
	224	* @v tls TLS session
	225	* @v secret Secret
	226	* @v secret_len Length of secret
	227	* @v out Output buffer
	228	* @v out_len Length of output buffer
	229	* @v ... ( data, len ) pairs of seed data, terminated by NULL
	230	*/
	231	static void tls_prf ( struct tls_session tls, void secret, size_t secret_len,
	232	void *out, size_t out_len, ... ) {
	233	va_list seeds;
	234	va_list tmp;
	235	size_t subsecret_len;
	236	void *md5_secret;
	237	void *sha1_secret;
	238	uint8_t out_md5[out_len];
	239	uint8_t out_sha1[out_len];
	240	unsigned int i;
	241
	242	va_start ( seeds, out_len );
	243
	244	/* Split secret into two, with an overlap of up to one byte */
	245	subsecret_len = ( ( secret_len + 1 ) / 2 );
	246	md5_secret = secret;
	247	sha1_secret = ( secret + secret_len - subsecret_len );
	248
	249	/* Calculate MD5 portion */
	250	va_copy ( tmp, seeds );
	251	tls_p_hash_va ( tls, &md5_algorithm, md5_secret, subsecret_len,
	252	out_md5, out_len, seeds );
	253	va_end ( tmp );
	254
	255	/* Calculate SHA1 portion */
	256	va_copy ( tmp, seeds );
	257	tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret, subsecret_len,
	258	out_sha1, out_len, seeds );
	259	va_end ( tmp );
	260
	261	/* XOR the two portions together into the final output buffer */
	262	for ( i = 0 ; i < out_len ; i++ ) {
	263	( ( uint8_t ) out + i ) = ( out_md5[i] ^ out_sha1[i] );
	264	}
	265
	266	va_end ( seeds );
	267	}
	268
	269	/**
	270	* Generate secure pseudo-random data
	271	*
	272	* @v secret Secret
	273	* @v secret_len Length of secret
	274	* @v out Output buffer
	275	* @v out_len Length of output buffer
	276	* @v label String literal label
	277	* @v ... ( data, len ) pairs of seed data
	278	*/
	279	#define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
	280	tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
	281	label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
	282
	283	/******************************************************************************
	284	*
	285	* Secret management
	286	*
	287	******************************************************************************
	288	*/
	289
	290	/**
	291	* Generate master secret
	292	*
	293	* @v tls TLS session
	294	*
	295	* The pre-master secret and the client and server random values must
	296	* already be known.
	297	*/
	298	static void tls_generate_master_secret ( struct tls_session *tls ) {
	299	DBGC ( tls, "TLS %p pre-master-secret:\n", tls );
	300	DBGC_HD ( tls, &tls->pre_master_secret,
	301	sizeof ( tls->pre_master_secret ) );
	302	DBGC ( tls, "TLS %p client random bytes:\n", tls );
	303	DBGC_HD ( tls, &tls->client_random, sizeof ( tls->client_random ) );
	304	DBGC ( tls, "TLS %p server random bytes:\n", tls );
	305	DBGC_HD ( tls, &tls->server_random, sizeof ( tls->server_random ) );
	306
	307	tls_prf_label ( tls, &tls->pre_master_secret,
	308	sizeof ( tls->pre_master_secret ),
	309	&tls->master_secret, sizeof ( tls->master_secret ),
	310	"master secret",
	311	&tls->client_random, sizeof ( tls->client_random ),
	312	&tls->server_random, sizeof ( tls->server_random ) );
	313
	314	DBGC ( tls, "TLS %p generated master secret:\n", tls );
	315	DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
	316	}
	317
	318	/**
	319	* Generate key material
	320	*
	321	* @v tls TLS session
	322	*
	323	* The master secret must already be known.
	324	*/
	325	static int tls_generate_keys ( struct tls_session *tls ) {
	326	struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending;
	327	struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending;
	328	size_t hash_size = tx_cipherspec->digest->digestsize;
	329	size_t key_size = tx_cipherspec->key_len;
	330	size_t iv_size = tx_cipherspec->cipher->blocksize;
	331	size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
	332	uint8_t key_block[total];
	333	uint8_t *key;
	334	int rc;
	335
	336	/* Generate key block */
	337	tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
	338	key_block, sizeof ( key_block ), "key expansion",
	339	&tls->server_random, sizeof ( tls->server_random ),
	340	&tls->client_random, sizeof ( tls->client_random ) );
	341
	342	/* Split key block into portions */
	343	key = key_block;
	344
	345	/* TX MAC secret */
	346	memcpy ( tx_cipherspec->mac_secret, key, hash_size );
	347	DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
	348	DBGC_HD ( tls, key, hash_size );
	349	key += hash_size;
	350
	351	/* RX MAC secret */
	352	memcpy ( rx_cipherspec->mac_secret, key, hash_size );
	353	DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
	354	DBGC_HD ( tls, key, hash_size );
	355	key += hash_size;
	356
	357	/* TX key */
	358	if ( ( rc = cipher_setkey ( tx_cipherspec->cipher,
	359	tx_cipherspec->cipher_ctx,
	360	key, key_size ) ) != 0 ) {
	361	DBGC ( tls, "TLS %p could not set TX key: %s\n",
	362	tls, strerror ( rc ) );
	363	return rc;
	364	}
	365	DBGC ( tls, "TLS %p TX key:\n", tls );
	366	DBGC_HD ( tls, key, key_size );
	367	key += key_size;
	368
	369	/* RX key */
	370	if ( ( rc = cipher_setkey ( rx_cipherspec->cipher,
	371	rx_cipherspec->cipher_ctx,
	372	key, key_size ) ) != 0 ) {
	373	DBGC ( tls, "TLS %p could not set TX key: %s\n",
	374	tls, strerror ( rc ) );
	375	return rc;
	376	}
	377	DBGC ( tls, "TLS %p RX key:\n", tls );
	378	DBGC_HD ( tls, key, key_size );
	379	key += key_size;
	380
	381	/* TX initialisation vector */
	382	cipher_setiv ( tx_cipherspec->cipher, tx_cipherspec->cipher_ctx, key );
	383	DBGC ( tls, "TLS %p TX IV:\n", tls );
	384	DBGC_HD ( tls, key, iv_size );
	385	key += iv_size;
	386
	387	/* RX initialisation vector */
	388	cipher_setiv ( rx_cipherspec->cipher, rx_cipherspec->cipher_ctx, key );
	389	DBGC ( tls, "TLS %p RX IV:\n", tls );
	390	DBGC_HD ( tls, key, iv_size );
	391	key += iv_size;
	392
	393	assert ( ( key_block + total ) == key );
	394
	395	return 0;
	396	}
	397
	398	/******************************************************************************
	399	*
	400	* Cipher suite management
	401	*
	402	******************************************************************************
	403	*/
	404
	405	/**
	406	* Clear cipher suite
	407	*
	408	* @v cipherspec TLS cipher specification
	409	*/
	410	static void tls_clear_cipher ( struct tls_session *tls __unused,
	411	struct tls_cipherspec *cipherspec ) {
	412	free ( cipherspec->dynamic );
	413	memset ( cipherspec, 0, sizeof ( cipherspec ) );
	414	cipherspec->pubkey = &pubkey_null;
	415	cipherspec->cipher = &cipher_null;
	416	cipherspec->digest = &digest_null;
	417	}
	418
	419	/**
	420	* Set cipher suite
	421	*
	422	* @v tls TLS session
	423	* @v cipherspec TLS cipher specification
	424	* @v pubkey Public-key encryption elgorithm
	425	* @v cipher Bulk encryption cipher algorithm
	426	* @v digest MAC digest algorithm
	427	* @v key_len Key length
	428	* @ret rc Return status code
	429	*/
	430	static int tls_set_cipher ( struct tls_session *tls,
	431	struct tls_cipherspec *cipherspec,
	432	struct pubkey_algorithm *pubkey,
	433	struct cipher_algorithm *cipher,
	434	struct digest_algorithm *digest,
	435	size_t key_len ) {
	436	size_t total;
	437	void *dynamic;
	438
	439	/* Clear out old cipher contents, if any */
	440	tls_clear_cipher ( tls, cipherspec );
	441
	442	/* Allocate dynamic storage */
	443	total = ( pubkey->ctxsize + 2 * cipher->ctxsize + digest->digestsize );
	444	dynamic = malloc ( total );
	445	if ( ! dynamic ) {
	446	DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
	447	"context\n", tls, total );
	448	return -ENOMEM;
	449	}
	450	memset ( dynamic, 0, total );
	451
	452	/* Assign storage */
	453	cipherspec->dynamic = dynamic;
	454	cipherspec->pubkey_ctx = dynamic; dynamic += pubkey->ctxsize;
	455	cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
	456	cipherspec->cipher_next_ctx = dynamic; dynamic += cipher->ctxsize;
	457	cipherspec->mac_secret = dynamic; dynamic += digest->digestsize;
	458	assert ( ( cipherspec->dynamic + total ) == dynamic );
	459
	460	/* Store parameters */
	461	cipherspec->pubkey = pubkey;
	462	cipherspec->cipher = cipher;
	463	cipherspec->digest = digest;
	464	cipherspec->key_len = key_len;
	465
	466	return 0;
	467	}
	468
	469	/**
	470	* Select next cipher suite
	471	*
	472	* @v tls TLS session
	473	* @v cipher_suite Cipher suite specification
	474	* @ret rc Return status code
	475	*/
	476	static int tls_select_cipher ( struct tls_session *tls,
	477	unsigned int cipher_suite ) {
	478	struct pubkey_algorithm *pubkey = &pubkey_null;
	479	struct cipher_algorithm *cipher = &cipher_null;
	480	struct digest_algorithm *digest = &digest_null;
	481	unsigned int key_len = 0;
	482	int rc;
	483
	484	switch ( cipher_suite ) {
	485	case htons ( TLS_RSA_WITH_AES_128_CBC_SHA ):
	486	key_len = ( 128 / 8 );
	487	cipher = &aes_cbc_algorithm;
	488	digest = &sha1_algorithm;
	489	break;
	490	case htons ( TLS_RSA_WITH_AES_256_CBC_SHA ):
	491	key_len = ( 256 / 8 );
	492	cipher = &aes_cbc_algorithm;
	493	digest = &sha1_algorithm;
	494	break;
	495	default:
	496	DBGC ( tls, "TLS %p does not support cipher %04x\n",
	497	tls, ntohs ( cipher_suite ) );
	498	return -ENOTSUP;
	499	}
	500
	501	/* Set ciphers */
	502	if ( ( rc = tls_set_cipher ( tls, &tls->tx_cipherspec_pending, pubkey,
	503	cipher, digest, key_len ) ) != 0 )
	504	return rc;
	505	if ( ( rc = tls_set_cipher ( tls, &tls->rx_cipherspec_pending, pubkey,
	506	cipher, digest, key_len ) ) != 0 )
	507	return rc;
	508
	509	DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls,
	510	pubkey->name, cipher->name, ( key_len * 8 ), digest->name );
	511
	512	return 0;
	513	}
	514
	515	/**
	516	* Activate next cipher suite
	517	*
	518	* @v tls TLS session
	519	* @v pending Pending cipher specification
	520	* @v active Active cipher specification to replace
	521	* @ret rc Return status code
	522	*/
	523	static int tls_change_cipher ( struct tls_session *tls,
	524	struct tls_cipherspec *pending,
	525	struct tls_cipherspec *active ) {
	526
	527	/* Sanity check */
	528	if ( /* FIXME (when pubkey is not hard-coded to RSA):
	529	* ( pending->pubkey == &pubkey_null ) \|\| */
	530	( pending->cipher == &cipher_null ) \|\|
	531	( pending->digest == &digest_null ) ) {
	532	DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
	533	return -ENOTSUP;
	534	}
	535
	536	tls_clear_cipher ( tls, active );
	537	memswap ( active, pending, sizeof ( *active ) );
	538	return 0;
	539	}
	540
	541	/******************************************************************************
	542	*
	543	* Handshake verification
	544	*
	545	******************************************************************************
	546	*/
	547
	548	/**
	549	* Add handshake record to verification hash
	550	*
	551	* @v tls TLS session
	552	* @v data Handshake record
	553	* @v len Length of handshake record
	554	*/
	555	static void tls_add_handshake ( struct tls_session *tls,
	556	const void *data, size_t len ) {
	557
	558	digest_update ( &md5_algorithm, tls->handshake_md5_ctx, data, len );
	559	digest_update ( &sha1_algorithm, tls->handshake_sha1_ctx, data, len );
	560	}
	561
	562	/**
	563	* Calculate handshake verification hash
	564	*
	565	* @v tls TLS session
	566	* @v out Output buffer
	567	*
	568	* Calculates the MD5+SHA1 digest over all handshake messages seen so
	569	* far.
	570	*/
	571	static void tls_verify_handshake ( struct tls_session tls, void out ) {
	572	struct digest_algorithm *md5 = &md5_algorithm;
	573	struct digest_algorithm *sha1 = &sha1_algorithm;
	574	uint8_t md5_ctx[md5->ctxsize];
	575	uint8_t sha1_ctx[sha1->ctxsize];
	576	void *md5_digest = out;
	577	void *sha1_digest = ( out + md5->digestsize );
	578
	579	memcpy ( md5_ctx, tls->handshake_md5_ctx, sizeof ( md5_ctx ) );
	580	memcpy ( sha1_ctx, tls->handshake_sha1_ctx, sizeof ( sha1_ctx ) );
	581	digest_final ( md5, md5_ctx, md5_digest );
	582	digest_final ( sha1, sha1_ctx, sha1_digest );
	583	}
	584
	585	/******************************************************************************
	586	*
	587	* Record handling
	588	*
	589	******************************************************************************
	590	*/
	591
	592	/**
	593	* Transmit Handshake record
	594	*
	595	* @v tls TLS session
	596	* @v data Plaintext record
	597	* @v len Length of plaintext record
	598	* @ret rc Return status code
	599	*/
	600	static int tls_send_handshake ( struct tls_session *tls,
	601	void *data, size_t len ) {
	602
	603	/* Add to handshake digest */
	604	tls_add_handshake ( tls, data, len );
	605
	606	/* Send record */
	607	return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
	608	}
	609
	610	/**
	611	* Transmit Client Hello record
	612	*
	613	* @v tls TLS session
	614	* @ret rc Return status code
	615	*/
	616	static int tls_send_client_hello ( struct tls_session *tls ) {
	617	struct {
	618	uint32_t type_length;
	619	uint16_t version;
	620	uint8_t random[32];
	621	uint8_t session_id_len;
	622	uint16_t cipher_suite_len;
	623	uint16_t cipher_suites[2];
	624	uint8_t compression_methods_len;
	625	uint8_t compression_methods[1];
	626	} __attribute__ (( packed )) hello;
	627
	628	memset ( &hello, 0, sizeof ( hello ) );
	629	hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) \|
	630	htonl ( sizeof ( hello ) -
	631	sizeof ( hello.type_length ) ) );
	632	hello.version = htons ( TLS_VERSION_TLS_1_0 );
	633	memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
	634	hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
	635	hello.cipher_suites[0] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA );
	636	hello.cipher_suites[1] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA );
	637	hello.compression_methods_len = sizeof ( hello.compression_methods );
	638
	639	return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
	640	}
	641
	642	/**
	643	* Transmit Client Key Exchange record
	644	*
	645	* @v tls TLS session
	646	* @ret rc Return status code
	647	*/
	648	static int tls_send_client_key_exchange ( struct tls_session *tls ) {
	649	/* FIXME: Hack alert */
	650	RSA_CTX *rsa_ctx;
	651	RSA_pub_key_new ( &rsa_ctx, tls->rsa.modulus, tls->rsa.modulus_len,
	652	tls->rsa.exponent, tls->rsa.exponent_len );
	653	struct {
	654	uint32_t type_length;
	655	uint16_t encrypted_pre_master_secret_len;
	656	uint8_t encrypted_pre_master_secret[rsa_ctx->num_octets];
	657	} __attribute__ (( packed )) key_xchg;
	658
	659	memset ( &key_xchg, 0, sizeof ( key_xchg ) );
	660	key_xchg.type_length = ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) \|
	661	htonl ( sizeof ( key_xchg ) -
	662	sizeof ( key_xchg.type_length ) ) );
	663	key_xchg.encrypted_pre_master_secret_len
	664	= htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) );
	665
	666	/* FIXME: Hack alert */
	667	DBGC ( tls, "RSA encrypting plaintext, modulus, exponent:\n" );
	668	DBGC_HD ( tls, &tls->pre_master_secret,
	669	sizeof ( tls->pre_master_secret ) );
	670	DBGC_HD ( tls, tls->rsa.modulus, tls->rsa.modulus_len );
	671	DBGC_HD ( tls, tls->rsa.exponent, tls->rsa.exponent_len );
	672	RSA_encrypt ( rsa_ctx, ( const uint8_t * ) &tls->pre_master_secret,
	673	sizeof ( tls->pre_master_secret ),
	674	key_xchg.encrypted_pre_master_secret, 0 );
	675	DBGC ( tls, "RSA encrypt done. Ciphertext:\n" );
	676	DBGC_HD ( tls, &key_xchg.encrypted_pre_master_secret,
	677	sizeof ( key_xchg.encrypted_pre_master_secret ) );
	678	RSA_free ( rsa_ctx );
	679
	680
	681	return tls_send_handshake ( tls, &key_xchg, sizeof ( key_xchg ) );
	682	}
	683
	684	/**
	685	* Transmit Change Cipher record
	686	*
	687	* @v tls TLS session
	688	* @ret rc Return status code
	689	*/
	690	static int tls_send_change_cipher ( struct tls_session *tls ) {
	691	static const uint8_t change_cipher[1] = { 1 };
	692	return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
	693	change_cipher, sizeof ( change_cipher ) );
	694	}
	695
	696	/**
	697	* Transmit Finished record
	698	*
	699	* @v tls TLS session
	700	* @ret rc Return status code
	701	*/
	702	static int tls_send_finished ( struct tls_session *tls ) {
	703	struct {
	704	uint32_t type_length;
	705	uint8_t verify_data[12];
	706	} __attribute__ (( packed )) finished;
	707	uint8_t digest[MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE];
	708
	709	memset ( &finished, 0, sizeof ( finished ) );
	710	finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) \|
	711	htonl ( sizeof ( finished ) -
	712	sizeof ( finished.type_length ) ) );
	713	tls_verify_handshake ( tls, digest );
	714	tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
	715	finished.verify_data, sizeof ( finished.verify_data ),
	716	"client finished", digest, sizeof ( digest ) );
	717
	718	return tls_send_handshake ( tls, &finished, sizeof ( finished ) );
	719	}
	720
	721	/**
	722	* Receive new Change Cipher record
	723	*
	724	* @v tls TLS session
	725	* @v data Plaintext record
	726	* @v len Length of plaintext record
	727	* @ret rc Return status code
	728	*/
	729	static int tls_new_change_cipher ( struct tls_session *tls,
	730	void *data, size_t len ) {
	731	int rc;
	732
	733	if ( ( len != 1 ) \|\| ( ( ( uint8_t ) data ) != 1 ) ) {
	734	DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
	735	DBGC_HD ( tls, data, len );
	736	return -EINVAL;
	737	}
	738
	739	if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
	740	&tls->rx_cipherspec ) ) != 0 ) {
	741	DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
	742	tls, strerror ( rc ) );
	743	return rc;
	744	}
	745	tls->rx_seq = ~( ( uint64_t ) 0 );
	746
	747	return 0;
	748	}
	749
	750	/**
	751	* Receive new Alert record
	752	*
	753	* @v tls TLS session
	754	* @v data Plaintext record
	755	* @v len Length of plaintext record
	756	* @ret rc Return status code
	757	*/
	758	static int tls_new_alert ( struct tls_session tls, void data, size_t len ) {
	759	struct {
	760	uint8_t level;
	761	uint8_t description;
	762	char next[0];
	763	} __attribute__ (( packed )) *alert = data;
	764	void *end = alert->next;
	765
	766	/* Sanity check */
	767	if ( end != ( data + len ) ) {
	768	DBGC ( tls, "TLS %p received overlength Alert\n", tls );
	769	DBGC_HD ( tls, data, len );
	770	return -EINVAL;
	771	}
	772
	773	switch ( alert->level ) {
	774	case TLS_ALERT_WARNING:
	775	DBGC ( tls, "TLS %p received warning alert %d\n",
	776	tls, alert->description );
	777	return 0;
	778	case TLS_ALERT_FATAL:
	779	DBGC ( tls, "TLS %p received fatal alert %d\n",
	780	tls, alert->description );
	781	return -EPERM;
	782	default:
	783	DBGC ( tls, "TLS %p received unknown alert level %d"
	784	"(alert %d)\n", tls, alert->level, alert->description );
	785	return -EIO;
	786	}
	787	}
	788
	789	/**
	790	* Receive new Server Hello handshake record
	791	*
	792	* @v tls TLS session
	793	* @v data Plaintext handshake record
	794	* @v len Length of plaintext handshake record
	795	* @ret rc Return status code
	796	*/
	797	static int tls_new_server_hello ( struct tls_session *tls,
	798	void *data, size_t len ) {
	799	struct {
	800	uint16_t version;
	801	uint8_t random[32];
	802	uint8_t session_id_len;
	803	char next[0];
	804	} __attribute__ (( packed )) *hello_a = data;
	805	struct {
	806	uint8_t session_id[hello_a->session_id_len];
	807	uint16_t cipher_suite;
	808	uint8_t compression_method;
	809	char next[0];
	810	} __attribute__ (( packed )) hello_b = ( void ) &hello_a->next;
	811	void *end = hello_b->next;
	812	int rc;
	813
	814	/* Sanity check */
	815	if ( end != ( data + len ) ) {
	816	DBGC ( tls, "TLS %p received overlength Server Hello\n", tls );
	817	DBGC_HD ( tls, data, len );
	818	return -EINVAL;
	819	}
	820
	821	/* Check protocol version */
	822	if ( ntohs ( hello_a->version ) < TLS_VERSION_TLS_1_0 ) {
	823	DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
	824	tls, ( ntohs ( hello_a->version ) >> 8 ),
	825	( ntohs ( hello_a->version ) & 0xff ) );
	826	return -ENOTSUP;
	827	}
	828
	829	/* Copy out server random bytes */
	830	memcpy ( &tls->server_random, &hello_a->random,
	831	sizeof ( tls->server_random ) );
	832
	833	/* Select cipher suite */
	834	if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
	835	return rc;
	836
	837	/* Generate secrets */
	838	tls_generate_master_secret ( tls );
	839	if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
	840	return rc;
	841
	842	return 0;
	843	}
	844
	845	/**
	846	* Receive new Certificate handshake record
	847	*
	848	* @v tls TLS session
	849	* @v data Plaintext handshake record
	850	* @v len Length of plaintext handshake record
	851	* @ret rc Return status code
	852	*/
	853	static int tls_new_certificate ( struct tls_session *tls,
	854	void *data, size_t len ) {
	855	struct {
	856	uint8_t length[3];
	857	uint8_t certificates[0];
	858	} __attribute__ (( packed )) *certificate = data;
	859	struct {
	860	uint8_t length[3];
	861	uint8_t certificate[0];
	862	} __attribute__ (( packed )) *element =
	863	( ( void * ) certificate->certificates );
	864	size_t elements_len = tls_uint24 ( certificate->length );
	865	void *end = ( certificate->certificates + elements_len );
	866	struct asn1_cursor cursor;
	867	int rc;
	868
	869	/* Sanity check */
	870	if ( end != ( data + len ) ) {
	871	DBGC ( tls, "TLS %p received overlength Server Certificate\n",
	872	tls );
	873	DBGC_HD ( tls, data, len );
	874	return -EINVAL;
	875	}
	876
	877	/* Traverse certificate chain */
	878	do {
	879	cursor.data = element->certificate;
	880	cursor.len = tls_uint24 ( element->length );
	881	if ( ( cursor.data + cursor.len ) > end ) {
	882	DBGC ( tls, "TLS %p received corrupt Server "
	883	"Certificate\n", tls );
	884	DBGC_HD ( tls, data, len );
	885	return -EINVAL;
	886	}
	887
	888	// HACK
	889	if ( ( rc = x509_rsa_public_key ( &cursor,
	890	&tls->rsa ) ) != 0 ) {
	891	DBGC ( tls, "TLS %p cannot determine RSA public key: "
	892	"%s\n", tls, strerror ( rc ) );
	893	return rc;
	894	}
	895	return 0;
	896
	897	element = ( cursor.data + cursor.len );
	898	} while ( element != end );
	899
	900	return -EINVAL;
	901	}
	902
	903	/**
	904	* Receive new Server Hello Done handshake record
	905	*
	906	* @v tls TLS session
	907	* @v data Plaintext handshake record
	908	* @v len Length of plaintext handshake record
	909	* @ret rc Return status code
	910	*/
	911	static int tls_new_server_hello_done ( struct tls_session *tls,
	912	void *data, size_t len ) {
	913	struct {
	914	char next[0];
	915	} __attribute__ (( packed )) *hello_done = data;
	916	void *end = hello_done->next;
	917
	918	/* Sanity check */
	919	if ( end != ( data + len ) ) {
	920	DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
	921	tls );
	922	DBGC_HD ( tls, data, len );
	923	return -EINVAL;
	924	}
	925
	926	/* Check that we are ready to send the Client Key Exchange */
	927	if ( tls->tx_state != TLS_TX_NONE ) {
	928	DBGC ( tls, "TLS %p received Server Hello Done while in "
	929	"TX state %d\n", tls, tls->tx_state );
	930	return -EIO;
	931	}
	932
	933	/* Start sending the Client Key Exchange */
	934	tls->tx_state = TLS_TX_CLIENT_KEY_EXCHANGE;
	935
	936	return 0;
	937	}
	938
	939	/**
	940	* Receive new Finished handshake record
	941	*
	942	* @v tls TLS session
	943	* @v data Plaintext handshake record
	944	* @v len Length of plaintext handshake record
	945	* @ret rc Return status code
	946	*/
	947	static int tls_new_finished ( struct tls_session *tls,
	948	void *data, size_t len ) {
	949
	950	/* FIXME: Handle this properly */
	951	tls->tx_state = TLS_TX_DATA;
	952	( void ) data;
	953	( void ) len;
	954	return 0;
	955	}
	956
	957	/**
	958	* Receive new Handshake record
	959	*
	960	* @v tls TLS session
	961	* @v data Plaintext record
	962	* @v len Length of plaintext record
	963	* @ret rc Return status code
	964	*/
	965	static int tls_new_handshake ( struct tls_session *tls,
	966	void *data, size_t len ) {
	967	struct {
	968	uint8_t type;
	969	uint8_t length[3];
	970	uint8_t payload[0];
	971	} __attribute__ (( packed )) *handshake = data;
	972	void *payload = &handshake->payload;
	973	size_t payload_len = tls_uint24 ( handshake->length );
	974	void *end = ( payload + payload_len );
	975	int rc;
	976
	977	/* Sanity check */
	978	if ( end != ( data + len ) ) {
	979	DBGC ( tls, "TLS %p received overlength Handshake\n", tls );
	980	DBGC_HD ( tls, data, len );
	981	return -EINVAL;
	982	}
	983
	984	switch ( handshake->type ) {
	985	case TLS_SERVER_HELLO:
	986	rc = tls_new_server_hello ( tls, payload, payload_len );
	987	break;
	988	case TLS_CERTIFICATE:
	989	rc = tls_new_certificate ( tls, payload, payload_len );
	990	break;
	991	case TLS_SERVER_HELLO_DONE:
	992	rc = tls_new_server_hello_done ( tls, payload, payload_len );
	993	break;
	994	case TLS_FINISHED:
	995	rc = tls_new_finished ( tls, payload, payload_len );
	996	break;
	997	default:
	998	DBGC ( tls, "TLS %p ignoring handshake type %d\n",
	999	tls, handshake->type );
	1000	rc = 0;
	1001	break;
	1002	}
	1003
	1004	/* Add to handshake digest (except for Hello Requests, which
	1005	* are explicitly excluded).
	1006	*/
	1007	if ( handshake->type != TLS_HELLO_REQUEST )
	1008	tls_add_handshake ( tls, data, len );
	1009
	1010	return rc;
	1011	}
	1012
	1013	/**
	1014	* Receive new record
	1015	*
	1016	* @v tls TLS session
	1017	* @v type Record type
	1018	* @v data Plaintext record
	1019	* @v len Length of plaintext record
	1020	* @ret rc Return status code
	1021	*/
	1022	static int tls_new_record ( struct tls_session *tls,
	1023	unsigned int type, void *data, size_t len ) {
	1024
	1025	switch ( type ) {
	1026	case TLS_TYPE_CHANGE_CIPHER:
	1027	return tls_new_change_cipher ( tls, data, len );
	1028	case TLS_TYPE_ALERT:
	1029	return tls_new_alert ( tls, data, len );
	1030	case TLS_TYPE_HANDSHAKE:
	1031	return tls_new_handshake ( tls, data, len );
	1032	case TLS_TYPE_DATA:
	1033	return xfer_deliver_raw ( &tls->plainstream.xfer, data, len );
	1034	default:
	1035	/* RFC4346 says that we should just ignore unknown
	1036	* record types.
	1037	*/
	1038	DBGC ( tls, "TLS %p ignoring record type %d\n", tls, type );
	1039	return 0;
	1040	}
	1041	}
	1042
	1043	/******************************************************************************
	1044	*
	1045	* Record encryption/decryption
	1046	*
	1047	******************************************************************************
	1048	*/
	1049
	1050	/**
	1051	* Calculate HMAC
	1052	*
	1053	* @v tls TLS session
	1054	* @v cipherspec Cipher specification
	1055	* @v seq Sequence number
	1056	* @v tlshdr TLS header
	1057	* @v data Data
	1058	* @v len Length of data
	1059	* @v mac HMAC to fill in
	1060	*/
	1061	static void tls_hmac ( struct tls_session *tls __unused,
	1062	struct tls_cipherspec *cipherspec,
	1063	uint64_t seq, struct tls_header *tlshdr,
	1064	const void data, size_t len, void hmac ) {
	1065	struct digest_algorithm *digest = cipherspec->digest;
	1066	uint8_t digest_ctx[digest->ctxsize];
	1067
	1068	hmac_init ( digest, digest_ctx, cipherspec->mac_secret,
	1069	&digest->digestsize );
	1070	seq = cpu_to_be64 ( seq );
	1071	hmac_update ( digest, digest_ctx, &seq, sizeof ( seq ) );
	1072	hmac_update ( digest, digest_ctx, tlshdr, sizeof ( *tlshdr ) );
	1073	hmac_update ( digest, digest_ctx, data, len );
	1074	hmac_final ( digest, digest_ctx, cipherspec->mac_secret,
	1075	&digest->digestsize, hmac );
	1076	}
	1077
	1078	/**
	1079	* Allocate and assemble stream-ciphered record from data and MAC portions
	1080	*
	1081	* @v tls TLS session
	1082	* @ret data Data
	1083	* @ret len Length of data
	1084	* @ret digest MAC digest
	1085	* @ret plaintext_len Length of plaintext record
	1086	* @ret plaintext Allocated plaintext record
	1087	*/
	1088	static void * __malloc tls_assemble_stream ( struct tls_session *tls,
	1089	const void *data, size_t len,
	1090	void digest, size_t plaintext_len ) {
	1091	size_t mac_len = tls->tx_cipherspec.digest->digestsize;
	1092	void *plaintext;
	1093	void *content;
	1094	void *mac;
	1095
	1096	/* Calculate stream-ciphered struct length */
	1097	*plaintext_len = ( len + mac_len );
	1098
	1099	/* Allocate stream-ciphered struct */
	1100	plaintext = malloc ( *plaintext_len );
	1101	if ( ! plaintext )
	1102	return NULL;
	1103	content = plaintext;
	1104	mac = ( content + len );
	1105
	1106	/* Fill in stream-ciphered struct */
	1107	memcpy ( content, data, len );
	1108	memcpy ( mac, digest, mac_len );
	1109
	1110	return plaintext;
	1111	}
	1112
	1113	/**
	1114	* Allocate and assemble block-ciphered record from data and MAC portions
	1115	*
	1116	* @v tls TLS session
	1117	* @ret data Data
	1118	* @ret len Length of data
	1119	* @ret digest MAC digest
	1120	* @ret plaintext_len Length of plaintext record
	1121	* @ret plaintext Allocated plaintext record
	1122	*/
	1123	static void * tls_assemble_block ( struct tls_session *tls,
	1124	const void *data, size_t len,
	1125	void digest, size_t plaintext_len ) {
	1126	size_t blocksize = tls->tx_cipherspec.cipher->blocksize;
	1127	size_t iv_len = blocksize;
	1128	size_t mac_len = tls->tx_cipherspec.digest->digestsize;
	1129	size_t padding_len;
	1130	void *plaintext;
	1131	void *iv;
	1132	void *content;
	1133	void *mac;
	1134	void *padding;
	1135
	1136	/* FIXME: TLSv1.1 has an explicit IV */
	1137	iv_len = 0;
	1138
	1139	/* Calculate block-ciphered struct length */
	1140	padding_len = ( ( blocksize - 1 ) & -( iv_len + len + mac_len + 1 ) );
	1141	*plaintext_len = ( iv_len + len + mac_len + padding_len + 1 );
	1142
	1143	/* Allocate block-ciphered struct */
	1144	plaintext = malloc ( *plaintext_len );
	1145	if ( ! plaintext )
	1146	return NULL;
	1147	iv = plaintext;
	1148	content = ( iv + iv_len );
	1149	mac = ( content + len );
	1150	padding = ( mac + mac_len );
	1151
	1152	/* Fill in block-ciphered struct */
	1153	memset ( iv, 0, iv_len );
	1154	memcpy ( content, data, len );
	1155	memcpy ( mac, digest, mac_len );
	1156	memset ( padding, padding_len, ( padding_len + 1 ) );
	1157
	1158	return plaintext;
	1159	}
	1160
	1161	/**
	1162	* Send plaintext record
	1163	*
	1164	* @v tls TLS session
	1165	* @v type Record type
	1166	* @v data Plaintext record
	1167	* @v len Length of plaintext record
	1168	* @ret rc Return status code
	1169	*/
	1170	static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
	1171	const void *data, size_t len ) {
	1172	struct tls_header plaintext_tlshdr;
	1173	struct tls_header *tlshdr;
	1174	struct tls_cipherspec *cipherspec = &tls->tx_cipherspec;
	1175	void *plaintext = NULL;
	1176	size_t plaintext_len;
	1177	struct io_buffer *ciphertext = NULL;
	1178	size_t ciphertext_len;
	1179	size_t mac_len = cipherspec->digest->digestsize;
	1180	uint8_t mac[mac_len];
	1181	int rc;
	1182
	1183	/* Construct header */
	1184	plaintext_tlshdr.type = type;
	1185	plaintext_tlshdr.version = htons ( TLS_VERSION_TLS_1_0 );
	1186	plaintext_tlshdr.length = htons ( len );
	1187
	1188	/* Calculate MAC */
	1189	tls_hmac ( tls, cipherspec, tls->tx_seq, &plaintext_tlshdr,
	1190	data, len, mac );
	1191
	1192	/* Allocate and assemble plaintext struct */
	1193	if ( is_stream_cipher ( cipherspec->cipher ) ) {
	1194	plaintext = tls_assemble_stream ( tls, data, len, mac,
	1195	&plaintext_len );
	1196	} else {
	1197	plaintext = tls_assemble_block ( tls, data, len, mac,
	1198	&plaintext_len );
	1199	}
	1200	if ( ! plaintext ) {
	1201	DBGC ( tls, "TLS %p could not allocate %zd bytes for "
	1202	"plaintext\n", tls, plaintext_len );
	1203	rc = -ENOMEM;
	1204	goto done;
	1205	}
	1206
	1207	DBGC2 ( tls, "Sending plaintext data:\n" );
	1208	DBGC2_HD ( tls, plaintext, plaintext_len );
	1209
	1210	/* Allocate ciphertext */
	1211	ciphertext_len = ( sizeof ( *tlshdr ) + plaintext_len );
	1212	ciphertext = xfer_alloc_iob ( &tls->cipherstream.xfer,
	1213	ciphertext_len );
	1214	if ( ! ciphertext ) {
	1215	DBGC ( tls, "TLS %p could not allocate %zd bytes for "
	1216	"ciphertext\n", tls, ciphertext_len );
	1217	rc = -ENOMEM;
	1218	goto done;
	1219	}
	1220
	1221	/* Assemble ciphertext */
	1222	tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) );
	1223	tlshdr->type = type;
	1224	tlshdr->version = htons ( TLS_VERSION_TLS_1_0 );
	1225	tlshdr->length = htons ( plaintext_len );
	1226	memcpy ( cipherspec->cipher_next_ctx, cipherspec->cipher_ctx,
	1227	cipherspec->cipher->ctxsize );
	1228	cipher_encrypt ( cipherspec->cipher, cipherspec->cipher_next_ctx,
	1229	plaintext, iob_put ( ciphertext, plaintext_len ),
	1230	plaintext_len );
	1231
	1232	/* Free plaintext as soon as possible to conserve memory */
	1233	free ( plaintext );
	1234	plaintext = NULL;
	1235
	1236	/* Send ciphertext */
	1237	rc = xfer_deliver_iob ( &tls->cipherstream.xfer, ciphertext );
	1238	ciphertext = NULL;
	1239	if ( rc != 0 ) {
	1240	DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
	1241	tls, strerror ( rc ) );
	1242	goto done;
	1243	}
	1244
	1245	/* Update TX state machine to next record */
	1246	tls->tx_seq += 1;
	1247	memcpy ( tls->tx_cipherspec.cipher_ctx,
	1248	tls->tx_cipherspec.cipher_next_ctx,
	1249	tls->tx_cipherspec.cipher->ctxsize );
	1250
	1251	done:
	1252	free ( plaintext );
	1253	free_iob ( ciphertext );
	1254	return rc;
	1255	}
	1256
	1257	/**
	1258	* Split stream-ciphered record into data and MAC portions
	1259	*
	1260	* @v tls TLS session
	1261	* @v plaintext Plaintext record
	1262	* @v plaintext_len Length of record
	1263	* @ret data Data
	1264	* @ret len Length of data
	1265	* @ret digest MAC digest
	1266	* @ret rc Return status code
	1267	*/
	1268	static int tls_split_stream ( struct tls_session *tls,
	1269	void *plaintext, size_t plaintext_len,
	1270	void *data, size_t len, void **digest ) {
	1271	void *content;
	1272	size_t content_len;
	1273	void *mac;
	1274	size_t mac_len;
	1275
	1276	/* Decompose stream-ciphered data */
	1277	mac_len = tls->rx_cipherspec.digest->digestsize;
	1278	if ( plaintext_len < mac_len ) {
	1279	DBGC ( tls, "TLS %p received underlength record\n", tls );
	1280	DBGC_HD ( tls, plaintext, plaintext_len );
	1281	return -EINVAL;
	1282	}
	1283	content_len = ( plaintext_len - mac_len );
	1284	content = plaintext;
	1285	mac = ( content + content_len );
	1286
	1287	/* Fill in return values */
	1288	*data = content;
	1289	*len = content_len;
	1290	*digest = mac;
	1291
	1292	return 0;
	1293	}
	1294
	1295	/**
	1296	* Split block-ciphered record into data and MAC portions
	1297	*
	1298	* @v tls TLS session
	1299	* @v plaintext Plaintext record
	1300	* @v plaintext_len Length of record
	1301	* @ret data Data
	1302	* @ret len Length of data
	1303	* @ret digest MAC digest
	1304	* @ret rc Return status code
	1305	*/
	1306	static int tls_split_block ( struct tls_session *tls,
	1307	void *plaintext, size_t plaintext_len,
	1308	void *data, size_t len,
	1309	void **digest ) {
	1310	void *iv;
	1311	size_t iv_len;
	1312	void *content;
	1313	size_t content_len;
	1314	void *mac;
	1315	size_t mac_len;
	1316	void *padding;
	1317	size_t padding_len;
	1318	unsigned int i;
	1319
	1320	/* Decompose block-ciphered data */
	1321	if ( plaintext_len < 1 ) {
	1322	DBGC ( tls, "TLS %p received underlength record\n", tls );
	1323	DBGC_HD ( tls, plaintext, plaintext_len );
	1324	return -EINVAL;
	1325	}
	1326	iv_len = tls->rx_cipherspec.cipher->blocksize;
	1327
	1328	/* FIXME: TLSv1.1 uses an explicit IV */
	1329	iv_len = 0;
	1330
	1331	mac_len = tls->rx_cipherspec.digest->digestsize;
	1332	padding_len = ( ( uint8_t ) ( plaintext + plaintext_len - 1 ) );
	1333	if ( plaintext_len < ( iv_len + mac_len + padding_len + 1 ) ) {
	1334	DBGC ( tls, "TLS %p received underlength record\n", tls );
	1335	DBGC_HD ( tls, plaintext, plaintext_len );
	1336	return -EINVAL;
	1337	}
	1338	content_len = ( plaintext_len - iv_len - mac_len - padding_len - 1 );
	1339	iv = plaintext;
	1340	content = ( iv + iv_len );
	1341	mac = ( content + content_len );
	1342	padding = ( mac + mac_len );
	1343
	1344	/* Verify padding bytes */
	1345	for ( i = 0 ; i < padding_len ; i++ ) {
	1346	if ( ( ( uint8_t ) ( padding + i ) ) != padding_len ) {
	1347	DBGC ( tls, "TLS %p received bad padding\n", tls );
	1348	DBGC_HD ( tls, plaintext, plaintext_len );
	1349	return -EINVAL;
	1350	}
	1351	}
	1352
	1353	/* Fill in return values */
	1354	*data = content;
	1355	*len = content_len;
	1356	*digest = mac;
	1357
	1358	return 0;
	1359	}
	1360
	1361	/**
	1362	* Receive new ciphertext record
	1363	*
	1364	* @v tls TLS session
	1365	* @v tlshdr Record header
	1366	* @v ciphertext Ciphertext record
	1367	* @ret rc Return status code
	1368	*/
	1369	static int tls_new_ciphertext ( struct tls_session *tls,
	1370	struct tls_header tlshdr, void ciphertext ) {
	1371	struct tls_header plaintext_tlshdr;
	1372	struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
	1373	size_t record_len = ntohs ( tlshdr->length );
	1374	void *plaintext = NULL;
	1375	void *data;
	1376	size_t len;
	1377	void *mac;
	1378	size_t mac_len = cipherspec->digest->digestsize;
	1379	uint8_t verify_mac[mac_len];
	1380	int rc;
	1381
	1382	/* Allocate buffer for plaintext */
	1383	plaintext = malloc ( record_len );
	1384	if ( ! plaintext ) {
	1385	DBGC ( tls, "TLS %p could not allocate %zd bytes for "
	1386	"decryption buffer\n", tls, record_len );
	1387	rc = -ENOMEM;
	1388	goto done;
	1389	}
	1390
	1391	/* Decrypt the record */
	1392	cipher_decrypt ( cipherspec->cipher, cipherspec->cipher_ctx,
	1393	ciphertext, plaintext, record_len );
	1394
	1395	/* Split record into content and MAC */
	1396	if ( is_stream_cipher ( cipherspec->cipher ) ) {
	1397	if ( ( rc = tls_split_stream ( tls, plaintext, record_len,
	1398	&data, &len, &mac ) ) != 0 )
	1399	goto done;
	1400	} else {
	1401	if ( ( rc = tls_split_block ( tls, plaintext, record_len,
	1402	&data, &len, &mac ) ) != 0 )
	1403	goto done;
	1404	}
	1405
	1406	/* Verify MAC */
	1407	plaintext_tlshdr.type = tlshdr->type;
	1408	plaintext_tlshdr.version = tlshdr->version;
	1409	plaintext_tlshdr.length = htons ( len );
	1410	tls_hmac ( tls, cipherspec, tls->rx_seq, &plaintext_tlshdr,
	1411	data, len, verify_mac);
	1412	if ( memcmp ( mac, verify_mac, mac_len ) != 0 ) {
	1413	DBGC ( tls, "TLS %p failed MAC verification\n", tls );
	1414	DBGC_HD ( tls, plaintext, record_len );
	1415	goto done;
	1416	}
	1417
	1418	DBGC2 ( tls, "Received plaintext data:\n" );
	1419	DBGC2_HD ( tls, data, len );
	1420
	1421	/* Process plaintext record */
	1422	if ( ( rc = tls_new_record ( tls, tlshdr->type, data, len ) ) != 0 )
	1423	goto done;
	1424
	1425	rc = 0;
	1426	done:
	1427	free ( plaintext );
	1428	return rc;
	1429	}
	1430
	1431	/******************************************************************************
	1432	*
	1433	* Plaintext stream operations
	1434	*
	1435	******************************************************************************
	1436	*/
	1437
	1438	/**
	1439	* Close interface
	1440	*
	1441	* @v xfer Plainstream data transfer interface
	1442	* @v rc Reason for close
	1443	*/
	1444	static void tls_plainstream_close ( struct xfer_interface *xfer, int rc ) {
	1445	struct tls_session *tls =
	1446	container_of ( xfer, struct tls_session, plainstream.xfer );
	1447
	1448	tls_close ( tls, rc );
	1449	}
	1450
	1451	/**
	1452	* Check flow control window
	1453	*
	1454	* @v xfer Plainstream data transfer interface
	1455	* @ret len Length of window
	1456	*/
	1457	static size_t tls_plainstream_window ( struct xfer_interface *xfer ) {
	1458	struct tls_session *tls =
	1459	container_of ( xfer, struct tls_session, plainstream.xfer );
	1460
	1461	/* Block window unless we are ready to accept data */
	1462	if ( tls->tx_state != TLS_TX_DATA )
	1463	return 0;
	1464
	1465	return filter_window ( xfer );
	1466	}
	1467
	1468	/**
	1469	* Deliver datagram as raw data
	1470	*
	1471	* @v xfer Plainstream data transfer interface
	1472	* @v data Data buffer
	1473	* @v len Length of data buffer
	1474	* @ret rc Return status code
	1475	*/
	1476	static int tls_plainstream_deliver_raw ( struct xfer_interface *xfer,
	1477	const void *data, size_t len ) {
	1478	struct tls_session *tls =
	1479	container_of ( xfer, struct tls_session, plainstream.xfer );
	1480
	1481	/* Refuse unless we are ready to accept data */
	1482	if ( tls->tx_state != TLS_TX_DATA )
	1483	return -ENOTCONN;
	1484
	1485	return tls_send_plaintext ( tls, TLS_TYPE_DATA, data, len );
	1486	}
	1487
	1488	/** TLS plaintext stream operations */
	1489	static struct xfer_interface_operations tls_plainstream_operations = {
	1490	.close = tls_plainstream_close,
	1491	.vredirect = ignore_xfer_vredirect,
	1492	.window = tls_plainstream_window,
	1493	.alloc_iob = default_xfer_alloc_iob,
	1494	.deliver_iob = xfer_deliver_as_raw,
	1495	.deliver_raw = tls_plainstream_deliver_raw,
	1496	};
	1497
	1498	/******************************************************************************
	1499	*
	1500	* Ciphertext stream operations
	1501	*
	1502	******************************************************************************
	1503	*/
	1504
	1505	/**
	1506	* Close interface
	1507	*
	1508	* @v xfer Plainstream data transfer interface
	1509	* @v rc Reason for close
	1510	*/
	1511	static void tls_cipherstream_close ( struct xfer_interface *xfer, int rc ) {
	1512	struct tls_session *tls =
	1513	container_of ( xfer, struct tls_session, cipherstream.xfer );
	1514
	1515	tls_close ( tls, rc );
	1516	}
	1517
	1518	/**
	1519	* Handle received TLS header
	1520	*
	1521	* @v tls TLS session
	1522	* @ret rc Returned status code
	1523	*/
	1524	static int tls_newdata_process_header ( struct tls_session *tls ) {
	1525	size_t data_len = ntohs ( tls->rx_header.length );
	1526
	1527	/* Allocate data buffer now that we know the length */
	1528	assert ( tls->rx_data == NULL );
	1529	tls->rx_data = malloc ( data_len );
	1530	if ( ! tls->rx_data ) {
	1531	DBGC ( tls, "TLS %p could not allocate %zd bytes "
	1532	"for receive buffer\n", tls, data_len );
	1533	return -ENOMEM;
	1534	}
	1535
	1536	/* Move to data state */
	1537	tls->rx_state = TLS_RX_DATA;
	1538
	1539	return 0;
	1540	}
	1541
	1542	/**
	1543	* Handle received TLS data payload
	1544	*
	1545	* @v tls TLS session
	1546	* @ret rc Returned status code
	1547	*/
	1548	static int tls_newdata_process_data ( struct tls_session *tls ) {
	1549	int rc;
	1550
	1551	/* Process record */
	1552	if ( ( rc = tls_new_ciphertext ( tls, &tls->rx_header,
	1553	tls->rx_data ) ) != 0 )
	1554	return rc;
	1555
	1556	/* Increment RX sequence number */
	1557	tls->rx_seq += 1;
	1558
	1559	/* Free data buffer */
	1560	free ( tls->rx_data );
	1561	tls->rx_data = NULL;
	1562
	1563	/* Return to header state */
	1564	tls->rx_state = TLS_RX_HEADER;
	1565
	1566	return 0;
	1567	}
	1568
	1569	/**
	1570	* Receive new ciphertext
	1571	*
	1572	* @v app Stream application
	1573	* @v data Data received
	1574	* @v len Length of received data
	1575	* @ret rc Return status code
	1576	*/
	1577	static int tls_cipherstream_deliver_raw ( struct xfer_interface *xfer,
	1578	const void *data, size_t len ) {
	1579	struct tls_session *tls =
	1580	container_of ( xfer, struct tls_session, cipherstream.xfer );
	1581	size_t frag_len;
	1582	void *buf;
	1583	size_t buf_len;
	1584	int ( * process ) ( struct tls_session *tls );
	1585	int rc;
	1586
	1587	while ( len ) {
	1588	/* Select buffer according to current state */
	1589	switch ( tls->rx_state ) {
	1590	case TLS_RX_HEADER:
	1591	buf = &tls->rx_header;
	1592	buf_len = sizeof ( tls->rx_header );
	1593	process = tls_newdata_process_header;
	1594	break;
	1595	case TLS_RX_DATA:
	1596	buf = tls->rx_data;
	1597	buf_len = ntohs ( tls->rx_header.length );
	1598	process = tls_newdata_process_data;
	1599	break;
	1600	default:
	1601	assert ( 0 );
	1602	return -EINVAL;
	1603	}
	1604
	1605	/* Copy data portion to buffer */
	1606	frag_len = ( buf_len - tls->rx_rcvd );
	1607	if ( frag_len > len )
	1608	frag_len = len;
	1609	memcpy ( ( buf + tls->rx_rcvd ), data, frag_len );
	1610	tls->rx_rcvd += frag_len;
	1611	data += frag_len;
	1612	len -= frag_len;
	1613
	1614	/* Process data if buffer is now full */
	1615	if ( tls->rx_rcvd == buf_len ) {
	1616	if ( ( rc = process ( tls ) ) != 0 ) {
	1617	tls_close ( tls, rc );
	1618	return rc;
	1619	}
	1620	tls->rx_rcvd = 0;
	1621	}
	1622	}
	1623
	1624	return 0;
	1625	}
	1626
	1627	/** TLS ciphertext stream operations */
	1628	static struct xfer_interface_operations tls_cipherstream_operations = {
	1629	.close = tls_cipherstream_close,
	1630	.vredirect = xfer_vreopen,
	1631	.window = filter_window,
	1632	.alloc_iob = default_xfer_alloc_iob,
	1633	.deliver_iob = xfer_deliver_as_raw,
	1634	.deliver_raw = tls_cipherstream_deliver_raw,
	1635	};
	1636
	1637	/******************************************************************************
	1638	*
	1639	* Controlling process
	1640	*
	1641	******************************************************************************
	1642	*/
	1643
	1644	/**
	1645	* TLS TX state machine
	1646	*
	1647	* @v process TLS process
	1648	*/
	1649	static void tls_step ( struct process *process ) {
	1650	struct tls_session *tls =
	1651	container_of ( process, struct tls_session, process );
	1652	int rc;
	1653
	1654	/* Wait for cipherstream to become ready */
	1655	if ( ! xfer_window ( &tls->cipherstream.xfer ) )
	1656	return;
	1657
	1658	switch ( tls->tx_state ) {
	1659	case TLS_TX_NONE:
	1660	/* Nothing to do */
	1661	break;
	1662	case TLS_TX_CLIENT_HELLO:
	1663	/* Send Client Hello */
	1664	if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
	1665	DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
	1666	tls, strerror ( rc ) );
	1667	goto err;
	1668	}
	1669	tls->tx_state = TLS_TX_NONE;
	1670	break;
	1671	case TLS_TX_CLIENT_KEY_EXCHANGE:
	1672	/* Send Client Key Exchange */
	1673	if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
	1674	DBGC ( tls, "TLS %p could send Client Key Exchange: "
	1675	"%s\n", tls, strerror ( rc ) );
	1676	goto err;
	1677	}
	1678	tls->tx_state = TLS_TX_CHANGE_CIPHER;
	1679	break;
	1680	case TLS_TX_CHANGE_CIPHER:
	1681	/* Send Change Cipher, and then change the cipher in use */
	1682	if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
	1683	DBGC ( tls, "TLS %p could not send Change Cipher: "
	1684	"%s\n", tls, strerror ( rc ) );
	1685	goto err;
	1686	}
	1687	if ( ( rc = tls_change_cipher ( tls,
	1688	&tls->tx_cipherspec_pending,
	1689	&tls->tx_cipherspec )) != 0 ){
	1690	DBGC ( tls, "TLS %p could not activate TX cipher: "
	1691	"%s\n", tls, strerror ( rc ) );
	1692	goto err;
	1693	}
	1694	tls->tx_seq = 0;
	1695	tls->tx_state = TLS_TX_FINISHED;
	1696	break;
	1697	case TLS_TX_FINISHED:
	1698	/* Send Finished */
	1699	if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
	1700	DBGC ( tls, "TLS %p could not send Finished: %s\n",
	1701	tls, strerror ( rc ) );
	1702	goto err;
	1703	}
	1704	tls->tx_state = TLS_TX_NONE;
	1705	break;
	1706	case TLS_TX_DATA:
	1707	/* Nothing to do */
	1708	break;
	1709	default:
	1710	assert ( 0 );
	1711	}
	1712
	1713	return;
	1714
	1715	err:
	1716	tls_close ( tls, rc );
	1717	}
	1718
	1719	/******************************************************************************
	1720	*
	1721	* Instantiator
	1722	*
	1723	******************************************************************************
	1724	*/
	1725
	1726	int add_tls ( struct xfer_interface xfer, struct xfer_interface *next ) {
	1727	struct tls_session *tls;
	1728
	1729	/* Allocate and initialise TLS structure */
	1730	tls = malloc ( sizeof ( *tls ) );
	1731	if ( ! tls )
	1732	return -ENOMEM;
	1733	memset ( tls, 0, sizeof ( *tls ) );
	1734	tls->refcnt.free = free_tls;
	1735	filter_init ( &tls->plainstream, &tls_plainstream_operations,
	1736	&tls->cipherstream, &tls_cipherstream_operations,
	1737	&tls->refcnt );
	1738	tls_clear_cipher ( tls, &tls->tx_cipherspec );
	1739	tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
	1740	tls_clear_cipher ( tls, &tls->rx_cipherspec );
	1741	tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
	1742	tls->client_random.gmt_unix_time = 0;
	1743	tls_generate_random ( &tls->client_random.random,
	1744	( sizeof ( tls->client_random.random ) ) );
	1745	tls->pre_master_secret.version = htons ( TLS_VERSION_TLS_1_0 );
	1746	tls_generate_random ( &tls->pre_master_secret.random,
	1747	( sizeof ( tls->pre_master_secret.random ) ) );
	1748	digest_init ( &md5_algorithm, tls->handshake_md5_ctx );
	1749	digest_init ( &sha1_algorithm, tls->handshake_sha1_ctx );
	1750	tls->tx_state = TLS_TX_CLIENT_HELLO;
	1751	process_init ( &tls->process, tls_step, &tls->refcnt );
	1752
	1753	/* Attach to parent interface, mortalise self, and return */
	1754	xfer_plug_plug ( &tls->plainstream.xfer, xfer );
	1755	*next = &tls->cipherstream.xfer;
	1756	ref_put ( &tls->refcnt );
	1757	return 0;
	1758	}
	1759

Note: See TracBrowser for help on using the repository browser.

Download in other formats: