Subversion Repositories planix.SVN

Rev

Go to most recent revision | Details | Last modification | View Log | RSS feed

Rev Author Line No. Line
2 - 1 
#include <u.h>
2 
#include <libc.h>
3 
#include <bio.h>
4 
#include <auth.h>
5 
#include <mp.h>
6 
#include <libsec.h>
7 
 
8 
// The main groups of functions are:
9 
//		client/server - main handshake protocol definition
10 
//		message functions - formating handshake messages
11 
//		cipher choices - catalog of digest and encrypt algorithms
12 
//		security functions - PKCS#1, sslHMAC, session keygen
13 
//		general utility functions - malloc, serialization
14 
// The handshake protocol builds on the TLS/SSL3 record layer protocol,
15 
// which is implemented in kernel device #a.  See also /lib/rfc/rfc2246.
16 
 
17 
enum {
18 
	TLSFinishedLen = 12,
19 
	SSL3FinishedLen = MD5dlen+SHA1dlen,
20 
	MaxKeyData = 136,	// amount of secret we may need
21 
	MaxChunk = 1<<14,
22 
	RandomSize = 32,
23 
	SidSize = 32,
24 
	MasterSecretSize = 48,
25 
	AQueue = 0,
26 
	AFlush = 1,
27 
};
28 
 
29 
typedef struct TlsSec TlsSec;
30 
 
31 
typedef struct Bytes{
32 
	int len;
33 
	uchar data[1];  // [len]
34 
} Bytes;
35 
 
36 
typedef struct Ints{
37 
	int len;
38 
	int data[1];  // [len]
39 
} Ints;
40 
 
41 
typedef struct Algs{
42 
	char *enc;
43 
	char *digest;
44 
	int nsecret;
45 
	int tlsid;
46 
	int ok;
47 
} Algs;
48 
 
49 
typedef struct Finished{
50 
	uchar verify[SSL3FinishedLen];
51 
	int n;
52 
} Finished;
53 
 
54 
typedef struct TlsConnection{
55 
	TlsSec *sec;	// security management goo
56 
	int hand, ctl;	// record layer file descriptors
57 
	int erred;		// set when tlsError called
58 
	int (*trace)(char*fmt, ...); // for debugging
59 
	int version;	// protocol we are speaking
60 
	int verset;		// version has been set
61 
	int ver2hi;		// server got a version 2 hello
62 
	int isClient;	// is this the client or server?
63 
	Bytes *sid;		// SessionID
64 
	Bytes *cert;	// only last - no chain
65 
 
66 
	Lock statelk;
67 
	int state;		// must be set using setstate
68 
 
69 
	// input buffer for handshake messages
70 
	uchar buf[MaxChunk+2048];
71 
	uchar *rp, *ep;
72 
 
73 
	uchar crandom[RandomSize];	// client random
74 
	uchar srandom[RandomSize];	// server random
75 
	int clientVersion;	// version in ClientHello
76 
	char *digest;	// name of digest algorithm to use
77 
	char *enc;		// name of encryption algorithm to use
78 
	int nsecret;	// amount of secret data to init keys
79 
 
80 
	// for finished messages
81 
	MD5state	hsmd5;	// handshake hash
82 
	SHAstate	hssha1;	// handshake hash
83 
	Finished	finished;
84 
} TlsConnection;
85 
 
86 
typedef struct Msg{
87 
	int tag;
88 
	union {
89 
		struct {
90 
			int version;
91 
			uchar 	random[RandomSize];
92 
			Bytes*	sid;
93 
			Ints*	ciphers;
94 
			Bytes*	compressors;
95 
		} clientHello;
96 
		struct {
97 
			int version;
98 
			uchar 	random[RandomSize];
99 
			Bytes*	sid;
100 
			int cipher;
101 
			int compressor;
102 
		} serverHello;
103 
		struct {
104 
			int ncert;
105 
			Bytes **certs;
106 
		} certificate;
107 
		struct {
108 
			Bytes *types;
109 
			int nca;
110 
			Bytes **cas;
111 
		} certificateRequest;
112 
		struct {
113 
			Bytes *key;
114 
		} clientKeyExchange;
115 
		Finished finished;
116 
	} u;
117 
} Msg;
118 
 
119 
typedef struct TlsSec{
120 
	char *server;	// name of remote; nil for server
121 
	int ok;	// <0 killed; == 0 in progress; >0 reusable
122 
	RSApub *rsapub;
123 
	AuthRpc *rpc;	// factotum for rsa private key
124 
	uchar sec[MasterSecretSize];	// master secret
125 
	uchar crandom[RandomSize];	// client random
126 
	uchar srandom[RandomSize];	// server random
127 
	int clientVers;		// version in ClientHello
128 
	int vers;			// final version
129 
	// byte generation and handshake checksum
130 
	void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
131 
	void (*setFinished)(TlsSec*, MD5state, SHAstate, uchar*, int);
132 
	int nfin;
133 
} TlsSec;
134 
 
135 
 
136 
enum {
137 
	TLSVersion = 0x0301,
138 
	SSL3Version = 0x0300,
139 
	ProtocolVersion = 0x0301,	// maximum version we speak
140 
	MinProtoVersion = 0x0300,	// limits on version we accept
141 
	MaxProtoVersion	= 0x03ff,
142 
};
143 
 
144 
// handshake type
145 
enum {
146 
	HHelloRequest,
147 
	HClientHello,
148 
	HServerHello,
149 
	HSSL2ClientHello = 9,  /* local convention;  see devtls.c */
150 
	HCertificate = 11,
151 
	HServerKeyExchange,
152 
	HCertificateRequest,
153 
	HServerHelloDone,
154 
	HCertificateVerify,
155 
	HClientKeyExchange,
156 
	HFinished = 20,
157 
	HMax
158 
};
159 
 
160 
// alerts
161 
enum {
162 
	ECloseNotify = 0,
163 
	EUnexpectedMessage = 10,
164 
	EBadRecordMac = 20,
165 
	EDecryptionFailed = 21,
166 
	ERecordOverflow = 22,
167 
	EDecompressionFailure = 30,
168 
	EHandshakeFailure = 40,
169 
	ENoCertificate = 41,
170 
	EBadCertificate = 42,
171 
	EUnsupportedCertificate = 43,
172 
	ECertificateRevoked = 44,
173 
	ECertificateExpired = 45,
174 
	ECertificateUnknown = 46,
175 
	EIllegalParameter = 47,
176 
	EUnknownCa = 48,
177 
	EAccessDenied = 49,
178 
	EDecodeError = 50,
179 
	EDecryptError = 51,
180 
	EExportRestriction = 60,
181 
	EProtocolVersion = 70,
182 
	EInsufficientSecurity = 71,
183 
	EInternalError = 80,
184 
	EUserCanceled = 90,
185 
	ENoRenegotiation = 100,
186 
	EMax = 256
187 
};
188 
 
189 
// cipher suites
190 
enum {
191 
	TLS_NULL_WITH_NULL_NULL	 		= 0x0000,
192 
	TLS_RSA_WITH_NULL_MD5 			= 0x0001,
193 
	TLS_RSA_WITH_NULL_SHA 			= 0x0002,
194 
	TLS_RSA_EXPORT_WITH_RC4_40_MD5 		= 0x0003,
195 
	TLS_RSA_WITH_RC4_128_MD5 		= 0x0004,
196 
	TLS_RSA_WITH_RC4_128_SHA 		= 0x0005,
197 
	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	= 0X0006,
198 
	TLS_RSA_WITH_IDEA_CBC_SHA 		= 0X0007,
199 
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA	= 0X0008,
200 
	TLS_RSA_WITH_DES_CBC_SHA		= 0X0009,
201 
	TLS_RSA_WITH_3DES_EDE_CBC_SHA		= 0X000A,
202 
	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA	= 0X000B,
203 
	TLS_DH_DSS_WITH_DES_CBC_SHA		= 0X000C,
204 
	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA	= 0X000D,
205 
	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA	= 0X000E,
206 
	TLS_DH_RSA_WITH_DES_CBC_SHA		= 0X000F,
207 
	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA	= 0X0010,
208 
	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA	= 0X0011,
209 
	TLS_DHE_DSS_WITH_DES_CBC_SHA		= 0X0012,
210 
	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA	= 0X0013,	// ZZZ must be implemented for tls1.0 compliance
211 
	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA	= 0X0014,
212 
	TLS_DHE_RSA_WITH_DES_CBC_SHA		= 0X0015,
213 
	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA	= 0X0016,
214 
	TLS_DH_anon_EXPORT_WITH_RC4_40_MD5	= 0x0017,
215 
	TLS_DH_anon_WITH_RC4_128_MD5 		= 0x0018,
216 
	TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA	= 0X0019,
217 
	TLS_DH_anon_WITH_DES_CBC_SHA		= 0X001A,
218 
	TLS_DH_anon_WITH_3DES_EDE_CBC_SHA	= 0X001B,
219 
 
220 
	TLS_RSA_WITH_AES_128_CBC_SHA		= 0X002f,	// aes, aka rijndael with 128 bit blocks
221 
	TLS_DH_DSS_WITH_AES_128_CBC_SHA		= 0X0030,
222 
	TLS_DH_RSA_WITH_AES_128_CBC_SHA		= 0X0031,
223 
	TLS_DHE_DSS_WITH_AES_128_CBC_SHA	= 0X0032,
224 
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA	= 0X0033,
225 
	TLS_DH_anon_WITH_AES_128_CBC_SHA	= 0X0034,
226 
	TLS_RSA_WITH_AES_256_CBC_SHA		= 0X0035,
227 
	TLS_DH_DSS_WITH_AES_256_CBC_SHA		= 0X0036,
228 
	TLS_DH_RSA_WITH_AES_256_CBC_SHA		= 0X0037,
229 
	TLS_DHE_DSS_WITH_AES_256_CBC_SHA	= 0X0038,
230 
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	= 0X0039,
231 
	TLS_DH_anon_WITH_AES_256_CBC_SHA	= 0X003A,
232 
	CipherMax
233 
};
234 
 
235 
// compression methods
236 
enum {
237 
	CompressionNull = 0,
238 
	CompressionMax
239 
};
240 
 
241 
static Algs cipherAlgs[] = {
242 
	{"rc4_128", "md5", 2*(16+MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
243 
	{"rc4_128", "sha1", 2*(16+SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
244 
	{"3des_ede_cbc", "sha1", 2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
245 
	{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_RSA_WITH_AES_128_CBC_SHA},
246 
	{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_RSA_WITH_AES_256_CBC_SHA}
247 
};
248 
 
249 
static uchar compressors[] = {
250 
	CompressionNull,
251 
};
252 
 
253 
static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chain);
254 
static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...));
255 
 
256 
static void	msgClear(Msg *m);
257 
static char* msgPrint(char *buf, int n, Msg *m);
258 
static int	msgRecv(TlsConnection *c, Msg *m);
259 
static int	msgSend(TlsConnection *c, Msg *m, int act);
260 
static void	tlsError(TlsConnection *c, int err, char *msg, ...);
261 
#pragma	varargck argpos	tlsError 3
262 
static int setVersion(TlsConnection *c, int version);
263 
static int finishedMatch(TlsConnection *c, Finished *f);
264 
static void tlsConnectionFree(TlsConnection *c);
265 
 
266 
static int setAlgs(TlsConnection *c, int a);
267 
static int okCipher(Ints *cv);
268 
static int okCompression(Bytes *cv);
269 
static int initCiphers(void);
270 
static Ints* makeciphers(void);
271 
 
272 
static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
273 
static int	tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd);
274 
static TlsSec*	tlsSecInitc(int cvers, uchar *crandom);
275 
static int	tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd);
276 
static int	tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient);
277 
static void	tlsSecOk(TlsSec *sec);
278 
static void	tlsSecKill(TlsSec *sec);
279 
static void	tlsSecClose(TlsSec *sec);
280 
static void	setMasterSecret(TlsSec *sec, Bytes *pm);
281 
static void	serverMasterSecret(TlsSec *sec, uchar *epm, int nepm);
282 
static void	setSecrets(TlsSec *sec, uchar *kd, int nkd);
283 
static int	clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm);
284 
static Bytes *pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
285 
static Bytes *pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm);
286 
static void	tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
287 
static void	sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
288 
static void	sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
289 
			uchar *seed0, int nseed0, uchar *seed1, int nseed1);
290 
static int setVers(TlsSec *sec, int version);
291 
 
292 
static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
293 
static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
294 
static void factotum_rsa_close(AuthRpc*rpc);
295 
 
296 
static void* emalloc(int);
297 
static void* erealloc(void*, int);
298 
static void put32(uchar *p, u32int);
299 
static void put24(uchar *p, int);
300 
static void put16(uchar *p, int);
301 
static u32int get32(uchar *p);
302 
static int get24(uchar *p);
303 
static int get16(uchar *p);
304 
static Bytes* newbytes(int len);
305 
static Bytes* makebytes(uchar* buf, int len);
306 
static void freebytes(Bytes* b);
307 
static Ints* newints(int len);
308 
static Ints* makeints(int* buf, int len);
309 
static void freeints(Ints* b);
310 
 
311 
//================= client/server ========================
312 
 
313 
//	push TLS onto fd, returning new (application) file descriptor
314 
//		or -1 if error.
315 
int
316 
tlsServer(int fd, TLSconn *conn)
317 
{
318 
	char buf[8];
319 
	char dname[64];
320 
	int n, data, ctl, hand;
321 
	TlsConnection *tls;
322 
 
323 
	if(conn == nil)
324 
		return -1;
325 
	ctl = open("#a/tls/clone", ORDWR);
326 
	if(ctl < 0)
327 
		return -1;
328 
	n = read(ctl, buf, sizeof(buf)-1);
329 
	if(n < 0){
330 
		close(ctl);
331 
		return -1;
332 
	}
333 
	buf[n] = 0;
334 
	sprint(conn->dir, "#a/tls/%s", buf);
335 
	sprint(dname, "#a/tls/%s/hand", buf);
336 
	hand = open(dname, ORDWR);
337 
	if(hand < 0){
338 
		close(ctl);
339 
		return -1;
340 
	}
341 
	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
342 
	tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
343 
	sprint(dname, "#a/tls/%s/data", buf);
344 
	data = open(dname, ORDWR);
345 
	close(fd);
346 
	close(hand);
347 
	close(ctl);
348 
	if(data < 0){
349 
		return -1;
350 
	}
351 
	if(tls == nil){
352 
		close(data);
353 
		return -1;
354 
	}
355 
	if(conn->cert)
356 
		free(conn->cert);
357 
	conn->cert = 0;  // client certificates are not yet implemented
358 
	conn->certlen = 0;
359 
	conn->sessionIDlen = tls->sid->len;
360 
	conn->sessionID = emalloc(conn->sessionIDlen);
361 
	memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
362 
	if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0)
363 
		tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst,  tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize);
364 
	tlsConnectionFree(tls);
365 
	return data;
366 
}
367 
 
368 
//	push TLS onto fd, returning new (application) file descriptor
369 
//		or -1 if error.
370 
int
371 
tlsClient(int fd, TLSconn *conn)
372 
{
373 
	char buf[8];
374 
	char dname[64];
375 
	int n, data, ctl, hand;
376 
	TlsConnection *tls;
377 
 
378 
	if(!conn)
379 
		return -1;
380 
	ctl = open("#a/tls/clone", ORDWR);
381 
	if(ctl < 0)
382 
		return -1;
383 
	n = read(ctl, buf, sizeof(buf)-1);
384 
	if(n < 0){
385 
		close(ctl);
386 
		return -1;
387 
	}
388 
	buf[n] = 0;
389 
	sprint(conn->dir, "#a/tls/%s", buf);
390 
	sprint(dname, "#a/tls/%s/hand", buf);
391 
	hand = open(dname, ORDWR);
392 
	if(hand < 0){
393 
		close(ctl);
394 
		return -1;
395 
	}
396 
	sprint(dname, "#a/tls/%s/data", buf);
397 
	data = open(dname, ORDWR);
398 
	if(data < 0)
399 
		return -1;
400 
	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
401 
	tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->trace);
402 
	close(fd);
403 
	close(hand);
404 
	close(ctl);
405 
	if(tls == nil){
406 
		close(data);
407 
		return -1;
408 
	}
409 
	conn->certlen = tls->cert->len;
410 
	conn->cert = emalloc(conn->certlen);
411 
	memcpy(conn->cert, tls->cert->data, conn->certlen);
412 
	conn->sessionIDlen = tls->sid->len;
413 
	conn->sessionID = emalloc(conn->sessionIDlen);
414 
	memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
415 
	if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0)
416 
		tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst,  tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize);
417 
	tlsConnectionFree(tls);
418 
	return data;
419 
}
420 
 
421 
static int
422 
countchain(PEMChain *p)
423 
{
424 
	int i = 0;
425 
 
426 
	while (p) {
427 
		i++;
428 
		p = p->next;
429 
	}
430 
	return i;
431 
}
432 
 
433 
static TlsConnection *
434 
tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chp)
435 
{
436 
	TlsConnection *c;
437 
	Msg m;
438 
	Bytes *csid;
439 
	uchar sid[SidSize], kd[MaxKeyData];
440 
	char *secrets;
441 
	int cipher, compressor, nsid, rv, numcerts, i;
442 
 
443 
	if(trace)
444 
		trace("tlsServer2\n");
445 
	if(!initCiphers())
446 
		return nil;
447 
	c = emalloc(sizeof(TlsConnection));
448 
	c->ctl = ctl;
449 
	c->hand = hand;
450 
	c->trace = trace;
451 
	c->version = ProtocolVersion;
452 
 
453 
	memset(&m, 0, sizeof(m));
454 
	if(!msgRecv(c, &m)){
455 
		if(trace)
456 
			trace("initial msgRecv failed\n");
457 
		goto Err;
458 
	}
459 
	if(m.tag != HClientHello) {
460 
		tlsError(c, EUnexpectedMessage, "expected a client hello");
461 
		goto Err;
462 
	}
463 
	c->clientVersion = m.u.clientHello.version;
464 
	if(trace)
465 
		trace("ClientHello version %x\n", c->clientVersion);
466 
	if(setVersion(c, m.u.clientHello.version) < 0) {
467 
		tlsError(c, EIllegalParameter, "incompatible version");
468 
		goto Err;
469 
	}
470 
 
471 
	memmove(c->crandom, m.u.clientHello.random, RandomSize);
472 
	cipher = okCipher(m.u.clientHello.ciphers);
473 
	if(cipher < 0) {
474 
		// reply with EInsufficientSecurity if we know that's the case
475 
		if(cipher == -2)
476 
			tlsError(c, EInsufficientSecurity, "cipher suites too weak");
477 
		else
478 
			tlsError(c, EHandshakeFailure, "no matching cipher suite");
479 
		goto Err;
480 
	}
481 
	if(!setAlgs(c, cipher)){
482 
		tlsError(c, EHandshakeFailure, "no matching cipher suite");
483 
		goto Err;
484 
	}
485 
	compressor = okCompression(m.u.clientHello.compressors);
486 
	if(compressor < 0) {
487 
		tlsError(c, EHandshakeFailure, "no matching compressor");
488 
		goto Err;
489 
	}
490 
 
491 
	csid = m.u.clientHello.sid;
492 
	if(trace)
493 
		trace("  cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
494 
	c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
495 
	if(c->sec == nil){
496 
		tlsError(c, EHandshakeFailure, "can't initialize security: %r");
497 
		goto Err;
498 
	}
499 
	c->sec->rpc = factotum_rsa_open(cert, ncert);
500 
	if(c->sec->rpc == nil){
501 
		tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
502 
		goto Err;
503 
	}
504 
	c->sec->rsapub = X509toRSApub(cert, ncert, nil, 0);
505 
	msgClear(&m);
506 
 
507 
	m.tag = HServerHello;
508 
	m.u.serverHello.version = c->version;
509 
	memmove(m.u.serverHello.random, c->srandom, RandomSize);
510 
	m.u.serverHello.cipher = cipher;
511 
	m.u.serverHello.compressor = compressor;
512 
	c->sid = makebytes(sid, nsid);
513 
	m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
514 
	if(!msgSend(c, &m, AQueue))
515 
		goto Err;
516 
	msgClear(&m);
517 
 
518 
	m.tag = HCertificate;
519 
	numcerts = countchain(chp);
520 
	m.u.certificate.ncert = 1 + numcerts;
521 
	m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes));
522 
	m.u.certificate.certs[0] = makebytes(cert, ncert);
523 
	for (i = 0; i < numcerts && chp; i++, chp = chp->next)
524 
		m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
525 
	if(!msgSend(c, &m, AQueue))
526 
		goto Err;
527 
	msgClear(&m);
528 
 
529 
	m.tag = HServerHelloDone;
530 
	if(!msgSend(c, &m, AFlush))
531 
		goto Err;
532 
	msgClear(&m);
533 
 
534 
	if(!msgRecv(c, &m))
535 
		goto Err;
536 
	if(m.tag != HClientKeyExchange) {
537 
		tlsError(c, EUnexpectedMessage, "expected a client key exchange");
538 
		goto Err;
539 
	}
540 
	if(tlsSecSecrets(c->sec, c->version, m.u.clientKeyExchange.key->data, m.u.clientKeyExchange.key->len, kd, c->nsecret) < 0){
541 
		tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
542 
		goto Err;
543 
	}
544 
	if(trace)
545 
		trace("tls secrets\n");
546 
	secrets = (char*)emalloc(2*c->nsecret);
547 
	enc64(secrets, 2*c->nsecret, kd, c->nsecret);
548 
	rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
549 
	memset(secrets, 0, 2*c->nsecret);
550 
	free(secrets);
551 
	memset(kd, 0, c->nsecret);
552 
	if(rv < 0){
553 
		tlsError(c, EHandshakeFailure, "can't set keys: %r");
554 
		goto Err;
555 
	}
556 
	msgClear(&m);
557 
 
558 
	/* no CertificateVerify; skip to Finished */
559 
	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
560 
		tlsError(c, EInternalError, "can't set finished: %r");
561 
		goto Err;
562 
	}
563 
	if(!msgRecv(c, &m))
564 
		goto Err;
565 
	if(m.tag != HFinished) {
566 
		tlsError(c, EUnexpectedMessage, "expected a finished");
567 
		goto Err;
568 
	}
569 
	if(!finishedMatch(c, &m.u.finished)) {
570 
		tlsError(c, EHandshakeFailure, "finished verification failed");
571 
		goto Err;
572 
	}
573 
	msgClear(&m);
574 
 
575 
	/* change cipher spec */
576 
	if(fprint(c->ctl, "changecipher") < 0){
577 
		tlsError(c, EInternalError, "can't enable cipher: %r");
578 
		goto Err;
579 
	}
580 
 
581 
	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
582 
		tlsError(c, EInternalError, "can't set finished: %r");
583 
		goto Err;
584 
	}
585 
	m.tag = HFinished;
586 
	m.u.finished = c->finished;
587 
	if(!msgSend(c, &m, AFlush))
588 
		goto Err;
589 
	msgClear(&m);
590 
	if(trace)
591 
		trace("tls finished\n");
592 
 
593 
	if(fprint(c->ctl, "opened") < 0)
594 
		goto Err;
595 
	tlsSecOk(c->sec);
596 
	return c;
597 
 
598 
Err:
599 
	msgClear(&m);
600 
	tlsConnectionFree(c);
601 
	return 0;
602 
}
603 
 
604 
static TlsConnection *
605 
tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...))
606 
{
607 
	TlsConnection *c;
608 
	Msg m;
609 
	uchar kd[MaxKeyData], *epm;
610 
	char *secrets;
611 
	int creq, nepm, rv;
612 
 
613 
	if(!initCiphers())
614 
		return nil;
615 
	epm = nil;
616 
	c = emalloc(sizeof(TlsConnection));
617 
	c->version = ProtocolVersion;
618 
	c->ctl = ctl;
619 
	c->hand = hand;
620 
	c->trace = trace;
621 
	c->isClient = 1;
622 
	c->clientVersion = c->version;
623 
 
624 
	c->sec = tlsSecInitc(c->clientVersion, c->crandom);
625 
	if(c->sec == nil)
626 
		goto Err;
627 
 
628 
	/* client hello */
629 
	memset(&m, 0, sizeof(m));
630 
	m.tag = HClientHello;
631 
	m.u.clientHello.version = c->clientVersion;
632 
	memmove(m.u.clientHello.random, c->crandom, RandomSize);
633 
	m.u.clientHello.sid = makebytes(csid, ncsid);
634 
	m.u.clientHello.ciphers = makeciphers();
635 
	m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
636 
	if(!msgSend(c, &m, AFlush))
637 
		goto Err;
638 
	msgClear(&m);
639 
 
640 
	/* server hello */
641 
	if(!msgRecv(c, &m))
642 
		goto Err;
643 
	if(m.tag != HServerHello) {
644 
		tlsError(c, EUnexpectedMessage, "expected a server hello");
645 
		goto Err;
646 
	}
647 
	if(setVersion(c, m.u.serverHello.version) < 0) {
648 
		tlsError(c, EIllegalParameter, "incompatible version %r");
649 
		goto Err;
650 
	}
651 
	memmove(c->srandom, m.u.serverHello.random, RandomSize);
652 
	c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
653 
	if(c->sid->len != 0 && c->sid->len != SidSize) {
654 
		tlsError(c, EIllegalParameter, "invalid server session identifier");
655 
		goto Err;
656 
	}
657 
	if(!setAlgs(c, m.u.serverHello.cipher)) {
658 
		tlsError(c, EIllegalParameter, "invalid cipher suite");
659 
		goto Err;
660 
	}
661 
	if(m.u.serverHello.compressor != CompressionNull) {
662 
		tlsError(c, EIllegalParameter, "invalid compression");
663 
		goto Err;
664 
	}
665 
	msgClear(&m);
666 
 
667 
	/* certificate */
668 
	if(!msgRecv(c, &m) || m.tag != HCertificate) {
669 
		tlsError(c, EUnexpectedMessage, "expected a certificate");
670 
		goto Err;
671 
	}
672 
	if(m.u.certificate.ncert < 1) {
673 
		tlsError(c, EIllegalParameter, "runt certificate");
674 
		goto Err;
675 
	}
676 
	c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
677 
	msgClear(&m);
678 
 
679 
	/* server key exchange (optional) */
680 
	if(!msgRecv(c, &m))
681 
		goto Err;
682 
	if(m.tag == HServerKeyExchange) {
683 
		tlsError(c, EUnexpectedMessage, "got an server key exchange");
684 
		goto Err;
685 
		// If implementing this later, watch out for rollback attack
686 
		// described in Wagner Schneier 1996, section 4.4.
687 
	}
688 
 
689 
	/* certificate request (optional) */
690 
	creq = 0;
691 
	if(m.tag == HCertificateRequest) {
692 
		creq = 1;
693 
		msgClear(&m);
694 
		if(!msgRecv(c, &m))
695 
			goto Err;
696 
	}
697 
 
698 
	if(m.tag != HServerHelloDone) {
699 
		tlsError(c, EUnexpectedMessage, "expected a server hello done");
700 
		goto Err;
701 
	}
702 
	msgClear(&m);
703 
 
704 
	if(tlsSecSecretc(c->sec, c->sid->data, c->sid->len, c->srandom,
705 
			c->cert->data, c->cert->len, c->version, &epm, &nepm,
706 
			kd, c->nsecret) < 0){
707 
		tlsError(c, EBadCertificate, "invalid x509/rsa certificate");
708 
		goto Err;
709 
	}
710 
	secrets = (char*)emalloc(2*c->nsecret);
711 
	enc64(secrets, 2*c->nsecret, kd, c->nsecret);
712 
	rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
713 
	memset(secrets, 0, 2*c->nsecret);
714 
	free(secrets);
715 
	memset(kd, 0, c->nsecret);
716 
	if(rv < 0){
717 
		tlsError(c, EHandshakeFailure, "can't set keys: %r");
718 
		goto Err;
719 
	}
720 
 
721 
	if(creq) {
722 
		/* send a zero length certificate */
723 
		m.tag = HCertificate;
724 
		if(!msgSend(c, &m, AFlush))
725 
			goto Err;
726 
		msgClear(&m);
727 
	}
728 
 
729 
	/* client key exchange */
730 
	m.tag = HClientKeyExchange;
731 
	m.u.clientKeyExchange.key = makebytes(epm, nepm);
732 
	free(epm);
733 
	epm = nil;
734 
	if(m.u.clientKeyExchange.key == nil) {
735 
		tlsError(c, EHandshakeFailure, "can't set secret: %r");
736 
		goto Err;
737 
	}
738 
	if(!msgSend(c, &m, AFlush))
739 
		goto Err;
740 
	msgClear(&m);
741 
 
742 
	/* change cipher spec */
743 
	if(fprint(c->ctl, "changecipher") < 0){
744 
		tlsError(c, EInternalError, "can't enable cipher: %r");
745 
		goto Err;
746 
	}
747 
 
748 
	// Cipherchange must occur immediately before Finished to avoid
749 
	// potential hole;  see section 4.3 of Wagner Schneier 1996.
750 
	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
751 
		tlsError(c, EInternalError, "can't set finished 1: %r");
752 
		goto Err;
753 
	}
754 
	m.tag = HFinished;
755 
	m.u.finished = c->finished;
756 
 
757 
	if(!msgSend(c, &m, AFlush)) {
758 
		fprint(2, "tlsClient nepm=%d\n", nepm);
759 
		tlsError(c, EInternalError, "can't flush after client Finished: %r");
760 
		goto Err;
761 
	}
762 
	msgClear(&m);
763 
 
764 
	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
765 
		fprint(2, "tlsClient nepm=%d\n", nepm);
766 
		tlsError(c, EInternalError, "can't set finished 0: %r");
767 
		goto Err;
768 
	}
769 
	if(!msgRecv(c, &m)) {
770 
		fprint(2, "tlsClient nepm=%d\n", nepm);
771 
		tlsError(c, EInternalError, "can't read server Finished: %r");
772 
		goto Err;
773 
	}
774 
	if(m.tag != HFinished) {
775 
		fprint(2, "tlsClient nepm=%d\n", nepm);
776 
		tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
777 
		goto Err;
778 
	}
779 
 
780 
	if(!finishedMatch(c, &m.u.finished)) {
781 
		tlsError(c, EHandshakeFailure, "finished verification failed");
782 
		goto Err;
783 
	}
784 
	msgClear(&m);
785 
 
786 
	if(fprint(c->ctl, "opened") < 0){
787 
		if(trace)
788 
			trace("unable to do final open: %r\n");
789 
		goto Err;
790 
	}
791 
	tlsSecOk(c->sec);
792 
	return c;
793 
 
794 
Err:
795 
	free(epm);
796 
	msgClear(&m);
797 
	tlsConnectionFree(c);
798 
	return 0;
799 
}
800 
 
801 
 
802 
//================= message functions ========================
803 
 
804 
static uchar sendbuf[9000], *sendp;
805 
 
806 
static int
807 
msgSend(TlsConnection *c, Msg *m, int act)
808 
{
809 
	uchar *p; // sendp = start of new message;  p = write pointer
810 
	int nn, n, i;
811 
 
812 
	if(sendp == nil)
813 
		sendp = sendbuf;
814 
	p = sendp;
815 
	if(c->trace)
816 
		c->trace("send %s", msgPrint((char*)p, (sizeof sendbuf) - (p-sendbuf), m));
817 
 
818 
	p[0] = m->tag;	// header - fill in size later
819 
	p += 4;
820 
 
821 
	switch(m->tag) {
822 
	default:
823 
		tlsError(c, EInternalError, "can't encode a %d", m->tag);
824 
		goto Err;
825 
	case HClientHello:
826 
		// version
827 
		put16(p, m->u.clientHello.version);
828 
		p += 2;
829 
 
830 
		// random
831 
		memmove(p, m->u.clientHello.random, RandomSize);
832 
		p += RandomSize;
833 
 
834 
		// sid
835 
		n = m->u.clientHello.sid->len;
836 
		assert(n < 256);
837 
		p[0] = n;
838 
		memmove(p+1, m->u.clientHello.sid->data, n);
839 
		p += n+1;
840 
 
841 
		n = m->u.clientHello.ciphers->len;
842 
		assert(n > 0 && n < 200);
843 
		put16(p, n*2);
844 
		p += 2;
845 
		for(i=0; i<n; i++) {
846 
			put16(p, m->u.clientHello.ciphers->data[i]);
847 
			p += 2;
848 
		}
849 
 
850 
		n = m->u.clientHello.compressors->len;
851 
		assert(n > 0);
852 
		p[0] = n;
853 
		memmove(p+1, m->u.clientHello.compressors->data, n);
854 
		p += n+1;
855 
		break;
856 
	case HServerHello:
857 
		put16(p, m->u.serverHello.version);
858 
		p += 2;
859 
 
860 
		// random
861 
		memmove(p, m->u.serverHello.random, RandomSize);
862 
		p += RandomSize;
863 
 
864 
		// sid
865 
		n = m->u.serverHello.sid->len;
866 
		assert(n < 256);
867 
		p[0] = n;
868 
		memmove(p+1, m->u.serverHello.sid->data, n);
869 
		p += n+1;
870 
 
871 
		put16(p, m->u.serverHello.cipher);
872 
		p += 2;
873 
		p[0] = m->u.serverHello.compressor;
874 
		p += 1;
875 
		break;
876 
	case HServerHelloDone:
877 
		break;
878 
	case HCertificate:
879 
		nn = 0;
880 
		for(i = 0; i < m->u.certificate.ncert; i++)
881 
			nn += 3 + m->u.certificate.certs[i]->len;
882 
		if(p + 3 + nn - sendbuf > sizeof(sendbuf)) {
883 
			tlsError(c, EInternalError, "output buffer too small for certificate");
884 
			goto Err;
885 
		}
886 
		put24(p, nn);
887 
		p += 3;
888 
		for(i = 0; i < m->u.certificate.ncert; i++){
889 
			put24(p, m->u.certificate.certs[i]->len);
890 
			p += 3;
891 
			memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
892 
			p += m->u.certificate.certs[i]->len;
893 
		}
894 
		break;
895 
	case HClientKeyExchange:
896 
		n = m->u.clientKeyExchange.key->len;
897 
		if(c->version != SSL3Version){
898 
			put16(p, n);
899 
			p += 2;
900 
		}
901 
		memmove(p, m->u.clientKeyExchange.key->data, n);
902 
		p += n;
903 
		break;
904 
	case HFinished:
905 
		memmove(p, m->u.finished.verify, m->u.finished.n);
906 
		p += m->u.finished.n;
907 
		break;
908 
	}
909 
 
910 
	// go back and fill in size
911 
	n = p-sendp;
912 
	assert(p <= sendbuf+sizeof(sendbuf));
913 
	put24(sendp+1, n-4);
914 
 
915 
	// remember hash of Handshake messages
916 
	if(m->tag != HHelloRequest) {
917 
		md5(sendp, n, 0, &c->hsmd5);
918 
		sha1(sendp, n, 0, &c->hssha1);
919 
	}
920 
 
921 
	sendp = p;
922 
	if(act == AFlush){
923 
		sendp = sendbuf;
924 
		if(write(c->hand, sendbuf, p-sendbuf) < 0){
925 
			fprint(2, "write error: %r\n");
926 
			goto Err;
927 
		}
928 
	}
929 
	msgClear(m);
930 
	return 1;
931 
Err:
932 
	msgClear(m);
933 
	return 0;
934 
}
935 
 
936 
static uchar*
937 
tlsReadN(TlsConnection *c, int n)
938 
{
939 
	uchar *p;
940 
	int nn, nr;
941 
 
942 
	nn = c->ep - c->rp;
943 
	if(nn < n){
944 
		if(c->rp != c->buf){
945 
			memmove(c->buf, c->rp, nn);
946 
			c->rp = c->buf;
947 
			c->ep = &c->buf[nn];
948 
		}
949 
		for(; nn < n; nn += nr) {
950 
			nr = read(c->hand, &c->rp[nn], n - nn);
951 
			if(nr <= 0)
952 
				return nil;
953 
			c->ep += nr;
954 
		}
955 
	}
956 
	p = c->rp;
957 
	c->rp += n;
958 
	return p;
959 
}
960 
 
961 
static int
962 
msgRecv(TlsConnection *c, Msg *m)
963 
{
964 
	uchar *p;
965 
	int type, n, nn, i, nsid, nrandom, nciph;
966 
 
967 
	for(;;) {
968 
		p = tlsReadN(c, 4);
969 
		if(p == nil)
970 
			return 0;
971 
		type = p[0];
972 
		n = get24(p+1);
973 
 
974 
		if(type != HHelloRequest)
975 
			break;
976 
		if(n != 0) {
977 
			tlsError(c, EDecodeError, "invalid hello request during handshake");
978 
			return 0;
979 
		}
980 
	}
981 
 
982 
	if(n > sizeof(c->buf)) {
983 
		tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->buf));
984 
		return 0;
985 
	}
986 
 
987 
	if(type == HSSL2ClientHello){
988 
		/* Cope with an SSL3 ClientHello expressed in SSL2 record format.
989 
			This is sent by some clients that we must interoperate
990 
			with, such as Java's JSSE and Microsoft's Internet Explorer. */
991 
		p = tlsReadN(c, n);
992 
		if(p == nil)
993 
			return 0;
994 
		md5(p, n, 0, &c->hsmd5);
995 
		sha1(p, n, 0, &c->hssha1);
996 
		m->tag = HClientHello;
997 
		if(n < 22)
998 
			goto Short;
999 
		m->u.clientHello.version = get16(p+1);
1000 
		p += 3;
1001 
		n -= 3;
1002 
		nn = get16(p); /* cipher_spec_len */
1003 
		nsid = get16(p + 2);
1004 
		nrandom = get16(p + 4);
1005 
		p += 6;
1006 
		n -= 6;
1007 
		if(nsid != 0 	/* no sid's, since shouldn't restart using ssl2 header */
1008 
				|| nrandom < 16 || nn % 3)
1009 
			goto Err;
1010 
		if(c->trace && (n - nrandom != nn))
1011 
			c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
1012 
		/* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
1013 
		nciph = 0;
1014 
		for(i = 0; i < nn; i += 3)
1015 
			if(p[i] == 0)
1016 
				nciph++;
1017 
		m->u.clientHello.ciphers = newints(nciph);
1018 
		nciph = 0;
1019 
		for(i = 0; i < nn; i += 3)
1020 
			if(p[i] == 0)
1021 
				m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]);
1022 
		p += nn;
1023 
		m->u.clientHello.sid = makebytes(nil, 0);
1024 
		if(nrandom > RandomSize)
1025 
			nrandom = RandomSize;
1026 
		memset(m->u.clientHello.random, 0, RandomSize - nrandom);
1027 
		memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
1028 
		m->u.clientHello.compressors = newbytes(1);
1029 
		m->u.clientHello.compressors->data[0] = CompressionNull;
1030 
		goto Ok;
1031 
	}
1032 
 
1033 
	md5(p, 4, 0, &c->hsmd5);
1034 
	sha1(p, 4, 0, &c->hssha1);
1035 
 
1036 
	p = tlsReadN(c, n);
1037 
	if(p == nil)
1038 
		return 0;
1039 
 
1040 
	md5(p, n, 0, &c->hsmd5);
1041 
	sha1(p, n, 0, &c->hssha1);
1042 
 
1043 
	m->tag = type;
1044 
 
1045 
	switch(type) {
1046 
	default:
1047 
		tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
1048 
		goto Err;
1049 
	case HClientHello:
1050 
		if(n < 2)
1051 
			goto Short;
1052 
		m->u.clientHello.version = get16(p);
1053 
		p += 2;
1054 
		n -= 2;
1055 
 
1056 
		if(n < RandomSize)
1057 
			goto Short;
1058 
		memmove(m->u.clientHello.random, p, RandomSize);
1059 
		p += RandomSize;
1060 
		n -= RandomSize;
1061 
		if(n < 1 || n < p[0]+1)
1062 
			goto Short;
1063 
		m->u.clientHello.sid = makebytes(p+1, p[0]);
1064 
		p += m->u.clientHello.sid->len+1;
1065 
		n -= m->u.clientHello.sid->len+1;
1066 
 
1067 
		if(n < 2)
1068 
			goto Short;
1069 
		nn = get16(p);
1070 
		p += 2;
1071 
		n -= 2;
1072 
 
1073 
		if((nn & 1) || n < nn || nn < 2)
1074 
			goto Short;
1075 
		m->u.clientHello.ciphers = newints(nn >> 1);
1076 
		for(i = 0; i < nn; i += 2)
1077 
			m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
1078 
		p += nn;
1079 
		n -= nn;
1080 
 
1081 
		if(n < 1 || n < p[0]+1 || p[0] == 0)
1082 
			goto Short;
1083 
		nn = p[0];
1084 
		m->u.clientHello.compressors = newbytes(nn);
1085 
		memmove(m->u.clientHello.compressors->data, p+1, nn);
1086 
		n -= nn + 1;
1087 
		break;
1088 
	case HServerHello:
1089 
		if(n < 2)
1090 
			goto Short;
1091 
		m->u.serverHello.version = get16(p);
1092 
		p += 2;
1093 
		n -= 2;
1094 
 
1095 
		if(n < RandomSize)
1096 
			goto Short;
1097 
		memmove(m->u.serverHello.random, p, RandomSize);
1098 
		p += RandomSize;
1099 
		n -= RandomSize;
1100 
 
1101 
		if(n < 1 || n < p[0]+1)
1102 
			goto Short;
1103 
		m->u.serverHello.sid = makebytes(p+1, p[0]);
1104 
		p += m->u.serverHello.sid->len+1;
1105 
		n -= m->u.serverHello.sid->len+1;
1106 
 
1107 
		if(n < 3)
1108 
			goto Short;
1109 
		m->u.serverHello.cipher = get16(p);
1110 
		m->u.serverHello.compressor = p[2];
1111 
		n -= 3;
1112 
		break;
1113 
	case HCertificate:
1114 
		if(n < 3)
1115 
			goto Short;
1116 
		nn = get24(p);
1117 
		p += 3;
1118 
		n -= 3;
1119 
		if(n != nn)
1120 
			goto Short;
1121 
		/* certs */
1122 
		i = 0;
1123 
		while(n > 0) {
1124 
			if(n < 3)
1125 
				goto Short;
1126 
			nn = get24(p);
1127 
			p += 3;
1128 
			n -= 3;
1129 
			if(nn > n)
1130 
				goto Short;
1131 
			m->u.certificate.ncert = i+1;
1132 
			m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes));
1133 
			m->u.certificate.certs[i] = makebytes(p, nn);
1134 
			p += nn;
1135 
			n -= nn;
1136 
			i++;
1137 
		}
1138 
		break;
1139 
	case HCertificateRequest:
1140 
		if(n < 1)
1141 
			goto Short;
1142 
		nn = p[0];
1143 
		p += 1;
1144 
		n -= 1;
1145 
		if(nn < 1 || nn > n)
1146 
			goto Short;
1147 
		m->u.certificateRequest.types = makebytes(p, nn);
1148 
		p += nn;
1149 
		n -= nn;
1150 
		if(n < 2)
1151 
			goto Short;
1152 
		nn = get16(p);
1153 
		p += 2;
1154 
		n -= 2;
1155 
		/* nn == 0 can happen; yahoo's servers do it */
1156 
		if(nn != n)
1157 
			goto Short;
1158 
		/* cas */
1159 
		i = 0;
1160 
		while(n > 0) {
1161 
			if(n < 2)
1162 
				goto Short;
1163 
			nn = get16(p);
1164 
			p += 2;
1165 
			n -= 2;
1166 
			if(nn < 1 || nn > n)
1167 
				goto Short;
1168 
			m->u.certificateRequest.nca = i+1;
1169 
			m->u.certificateRequest.cas = erealloc(
1170 
				m->u.certificateRequest.cas, (i+1)*sizeof(Bytes));
1171 
			m->u.certificateRequest.cas[i] = makebytes(p, nn);
1172 
			p += nn;
1173 
			n -= nn;
1174 
			i++;
1175 
		}
1176 
		break;
1177 
	case HServerHelloDone:
1178 
		break;
1179 
	case HClientKeyExchange:
1180 
		/*
1181 
		 * this message depends upon the encryption selected
1182 
		 * assume rsa.
1183 
		 */
1184 
		if(c->version == SSL3Version)
1185 
			nn = n;
1186 
		else{
1187 
			if(n < 2)
1188 
				goto Short;
1189 
			nn = get16(p);
1190 
			p += 2;
1191 
			n -= 2;
1192 
		}
1193 
		if(n < nn)
1194 
			goto Short;
1195 
		m->u.clientKeyExchange.key = makebytes(p, nn);
1196 
		n -= nn;
1197 
		break;
1198 
	case HFinished:
1199 
		m->u.finished.n = c->finished.n;
1200 
		if(n < m->u.finished.n)
1201 
			goto Short;
1202 
		memmove(m->u.finished.verify, p, m->u.finished.n);
1203 
		n -= m->u.finished.n;
1204 
		break;
1205 
	}
1206 
 
1207 
	if(type != HClientHello && n != 0)
1208 
		goto Short;
1209 
Ok:
1210 
	if(c->trace){
1211 
		char *buf;
1212 
		buf = emalloc(8000);
1213 
		c->trace("recv %s", msgPrint(buf, 8000, m));
1214 
		free(buf);
1215 
	}
1216 
	return 1;
1217 
Short:
1218 
	tlsError(c, EDecodeError, "handshake message has invalid length");
1219 
Err:
1220 
	msgClear(m);
1221 
	return 0;
1222 
}
1223 
 
1224 
static void
1225 
msgClear(Msg *m)
1226 
{
1227 
	int i;
1228 
 
1229 
	switch(m->tag) {
1230 
	default:
1231 
		sysfatal("msgClear: unknown message type: %d", m->tag);
1232 
	case HHelloRequest:
1233 
		break;
1234 
	case HClientHello:
1235 
		freebytes(m->u.clientHello.sid);
1236 
		freeints(m->u.clientHello.ciphers);
1237 
		freebytes(m->u.clientHello.compressors);
1238 
		break;
1239 
	case HServerHello:
1240 
		freebytes(m->u.clientHello.sid);
1241 
		break;
1242 
	case HCertificate:
1243 
		for(i=0; i<m->u.certificate.ncert; i++)
1244 
			freebytes(m->u.certificate.certs[i]);
1245 
		free(m->u.certificate.certs);
1246 
		break;
1247 
	case HCertificateRequest:
1248 
		freebytes(m->u.certificateRequest.types);
1249 
		for(i=0; i<m->u.certificateRequest.nca; i++)
1250 
			freebytes(m->u.certificateRequest.cas[i]);
1251 
		free(m->u.certificateRequest.cas);
1252 
		break;
1253 
	case HServerHelloDone:
1254 
		break;
1255 
	case HClientKeyExchange:
1256 
		freebytes(m->u.clientKeyExchange.key);
1257 
		break;
1258 
	case HFinished:
1259 
		break;
1260 
	}
1261 
	memset(m, 0, sizeof(Msg));
1262 
}
1263 
 
1264 
static char *
1265 
bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
1266 
{
1267 
	int i;
1268 
 
1269 
	if(s0)
1270 
		bs = seprint(bs, be, "%s", s0);
1271 
	bs = seprint(bs, be, "[");
1272 
	if(b == nil)
1273 
		bs = seprint(bs, be, "nil");
1274 
	else
1275 
		for(i=0; i<b->len; i++)
1276 
			bs = seprint(bs, be, "%.2x ", b->data[i]);
1277 
	bs = seprint(bs, be, "]");
1278 
	if(s1)
1279 
		bs = seprint(bs, be, "%s", s1);
1280 
	return bs;
1281 
}
1282 
 
1283 
static char *
1284 
intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
1285 
{
1286 
	int i;
1287 
 
1288 
	if(s0)
1289 
		bs = seprint(bs, be, "%s", s0);
1290 
	bs = seprint(bs, be, "[");
1291 
	if(b == nil)
1292 
		bs = seprint(bs, be, "nil");
1293 
	else
1294 
		for(i=0; i<b->len; i++)
1295 
			bs = seprint(bs, be, "%x ", b->data[i]);
1296 
	bs = seprint(bs, be, "]");
1297 
	if(s1)
1298 
		bs = seprint(bs, be, "%s", s1);
1299 
	return bs;
1300 
}
1301 
 
1302 
static char*
1303 
msgPrint(char *buf, int n, Msg *m)
1304 
{
1305 
	int i;
1306 
	char *bs = buf, *be = buf+n;
1307 
 
1308 
	switch(m->tag) {
1309 
	default:
1310 
		bs = seprint(bs, be, "unknown %d\n", m->tag);
1311 
		break;
1312 
	case HClientHello:
1313 
		bs = seprint(bs, be, "ClientHello\n");
1314 
		bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version);
1315 
		bs = seprint(bs, be, "\trandom: ");
1316 
		for(i=0; i<RandomSize; i++)
1317 
			bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]);
1318 
		bs = seprint(bs, be, "\n");
1319 
		bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
1320 
		bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
1321 
		bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
1322 
		break;
1323 
	case HServerHello:
1324 
		bs = seprint(bs, be, "ServerHello\n");
1325 
		bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version);
1326 
		bs = seprint(bs, be, "\trandom: ");
1327 
		for(i=0; i<RandomSize; i++)
1328 
			bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]);
1329 
		bs = seprint(bs, be, "\n");
1330 
		bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
1331 
		bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
1332 
		bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
1333 
		break;
1334 
	case HCertificate:
1335 
		bs = seprint(bs, be, "Certificate\n");
1336 
		for(i=0; i<m->u.certificate.ncert; i++)
1337 
			bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n");
1338 
		break;
1339 
	case HCertificateRequest:
1340 
		bs = seprint(bs, be, "CertificateRequest\n");
1341 
		bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
1342 
		bs = seprint(bs, be, "\tcertificateauthorities\n");
1343 
		for(i=0; i<m->u.certificateRequest.nca; i++)
1344 
			bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
1345 
		break;
1346 
	case HServerHelloDone:
1347 
		bs = seprint(bs, be, "ServerHelloDone\n");
1348 
		break;
1349 
	case HClientKeyExchange:
1350 
		bs = seprint(bs, be, "HClientKeyExchange\n");
1351 
		bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
1352 
		break;
1353 
	case HFinished:
1354 
		bs = seprint(bs, be, "HFinished\n");
1355 
		for(i=0; i<m->u.finished.n; i++)
1356 
			bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]);
1357 
		bs = seprint(bs, be, "\n");
1358 
		break;
1359 
	}
1360 
	USED(bs);
1361 
	return buf;
1362 
}
1363 
 
1364 
static void
1365 
tlsError(TlsConnection *c, int err, char *fmt, ...)
1366 
{
1367 
	char msg[512];
1368 
	va_list arg;
1369 
 
1370 
	va_start(arg, fmt);
1371 
	vseprint(msg, msg+sizeof(msg), fmt, arg);
1372 
	va_end(arg);
1373 
	if(c->trace)
1374 
		c->trace("tlsError: %s\n", msg);
1375 
	else if(c->erred)
1376 
		fprint(2, "double error: %r, %s", msg);
1377 
	else
1378 
		werrstr("tls: local %s", msg);
1379 
	c->erred = 1;
1380 
	fprint(c->ctl, "alert %d", err);
1381 
}
1382 
 
1383 
// commit to specific version number
1384 
static int
1385 
setVersion(TlsConnection *c, int version)
1386 
{
1387 
	if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
1388 
		return -1;
1389 
	if(version > c->version)
1390 
		version = c->version;
1391 
	if(version == SSL3Version) {
1392 
		c->version = version;
1393 
		c->finished.n = SSL3FinishedLen;
1394 
	}else if(version == TLSVersion){
1395 
		c->version = version;
1396 
		c->finished.n = TLSFinishedLen;
1397 
	}else
1398 
		return -1;
1399 
	c->verset = 1;
1400 
	return fprint(c->ctl, "version 0x%x", version);
1401 
}
1402 
 
1403 
// confirm that received Finished message matches the expected value
1404 
static int
1405 
finishedMatch(TlsConnection *c, Finished *f)
1406 
{
1407 
	return memcmp(f->verify, c->finished.verify, f->n) == 0;
1408 
}
1409 
 
1410 
// free memory associated with TlsConnection struct
1411 
//		(but don't close the TLS channel itself)
1412 
static void
1413 
tlsConnectionFree(TlsConnection *c)
1414 
{
1415 
	tlsSecClose(c->sec);
1416 
	freebytes(c->sid);
1417 
	freebytes(c->cert);
1418 
	memset(c, 0, sizeof(c));
1419 
	free(c);
1420 
}
1421 
 
1422 
 
1423 
//================= cipher choices ========================
1424 
 
1425 
static int weakCipher[CipherMax] =
1426 
{
1427 
	1,	/* TLS_NULL_WITH_NULL_NULL */
1428 
	1,	/* TLS_RSA_WITH_NULL_MD5 */
1429 
	1,	/* TLS_RSA_WITH_NULL_SHA */
1430 
	1,	/* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
1431 
	0,	/* TLS_RSA_WITH_RC4_128_MD5 */
1432 
	0,	/* TLS_RSA_WITH_RC4_128_SHA */
1433 
	1,	/* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
1434 
	0,	/* TLS_RSA_WITH_IDEA_CBC_SHA */
1435 
	1,	/* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
1436 
	0,	/* TLS_RSA_WITH_DES_CBC_SHA */
1437 
	0,	/* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
1438 
	1,	/* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
1439 
	0,	/* TLS_DH_DSS_WITH_DES_CBC_SHA */
1440 
	0,	/* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
1441 
	1,	/* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
1442 
	0,	/* TLS_DH_RSA_WITH_DES_CBC_SHA */
1443 
	0,	/* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
1444 
	1,	/* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
1445 
	0,	/* TLS_DHE_DSS_WITH_DES_CBC_SHA */
1446 
	0,	/* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
1447 
	1,	/* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
1448 
	0,	/* TLS_DHE_RSA_WITH_DES_CBC_SHA */
1449 
	0,	/* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
1450 
	1,	/* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
1451 
	1,	/* TLS_DH_anon_WITH_RC4_128_MD5 */
1452 
	1,	/* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
1453 
	1,	/* TLS_DH_anon_WITH_DES_CBC_SHA */
1454 
	1,	/* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
1455 
};
1456 
 
1457 
static int
1458 
setAlgs(TlsConnection *c, int a)
1459 
{
1460 
	int i;
1461 
 
1462 
	for(i = 0; i < nelem(cipherAlgs); i++){
1463 
		if(cipherAlgs[i].tlsid == a){
1464 
			c->enc = cipherAlgs[i].enc;
1465 
			c->digest = cipherAlgs[i].digest;
1466 
			c->nsecret = cipherAlgs[i].nsecret;
1467 
			if(c->nsecret > MaxKeyData)
1468 
				return 0;
1469 
			return 1;
1470 
		}
1471 
	}
1472 
	return 0;
1473 
}
1474 
 
1475 
static int
1476 
okCipher(Ints *cv)
1477 
{
1478 
	int weak, i, j, c;
1479 
 
1480 
	weak = 1;
1481 
	for(i = 0; i < cv->len; i++) {
1482 
		c = cv->data[i];
1483 
		if(c >= CipherMax)
1484 
			weak = 0;
1485 
		else
1486 
			weak &= weakCipher[c];
1487 
		for(j = 0; j < nelem(cipherAlgs); j++)
1488 
			if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
1489 
				return c;
1490 
	}
1491 
	if(weak)
1492 
		return -2;
1493 
	return -1;
1494 
}
1495 
 
1496 
static int
1497 
okCompression(Bytes *cv)
1498 
{
1499 
	int i, j, c;
1500 
 
1501 
	for(i = 0; i < cv->len; i++) {
1502 
		c = cv->data[i];
1503 
		for(j = 0; j < nelem(compressors); j++) {
1504 
			if(compressors[j] == c)
1505 
				return c;
1506 
		}
1507 
	}
1508 
	return -1;
1509 
}
1510 
 
1511 
static Lock	ciphLock;
1512 
static int	nciphers;
1513 
 
1514 
static int
1515 
initCiphers(void)
1516 
{
1517 
	enum {MaxAlgF = 1024, MaxAlgs = 10};
1518 
	char s[MaxAlgF], *flds[MaxAlgs];
1519 
	int i, j, n, ok;
1520 
 
1521 
	lock(&ciphLock);
1522 
	if(nciphers){
1523 
		unlock(&ciphLock);
1524 
		return nciphers;
1525 
	}
1526 
	j = open("#a/tls/encalgs", OREAD);
1527 
	if(j < 0){
1528 
		werrstr("can't open #a/tls/encalgs: %r");
1529 
		return 0;
1530 
	}
1531 
	n = read(j, s, MaxAlgF-1);
1532 
	close(j);
1533 
	if(n <= 0){
1534 
		werrstr("nothing in #a/tls/encalgs: %r");
1535 
		return 0;
1536 
	}
1537 
	s[n] = 0;
1538 
	n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
1539 
	for(i = 0; i < nelem(cipherAlgs); i++){
1540 
		ok = 0;
1541 
		for(j = 0; j < n; j++){
1542 
			if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){
1543 
				ok = 1;
1544 
				break;
1545 
			}
1546 
		}
1547 
		cipherAlgs[i].ok = ok;
1548 
	}
1549 
 
1550 
	j = open("#a/tls/hashalgs", OREAD);
1551 
	if(j < 0){
1552 
		werrstr("can't open #a/tls/hashalgs: %r");
1553 
		return 0;
1554 
	}
1555 
	n = read(j, s, MaxAlgF-1);
1556 
	close(j);
1557 
	if(n <= 0){
1558 
		werrstr("nothing in #a/tls/hashalgs: %r");
1559 
		return 0;
1560 
	}
1561 
	s[n] = 0;
1562 
	n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
1563 
	for(i = 0; i < nelem(cipherAlgs); i++){
1564 
		ok = 0;
1565 
		for(j = 0; j < n; j++){
1566 
			if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){
1567 
				ok = 1;
1568 
				break;
1569 
			}
1570 
		}
1571 
		cipherAlgs[i].ok &= ok;
1572 
		if(cipherAlgs[i].ok)
1573 
			nciphers++;
1574 
	}
1575 
	unlock(&ciphLock);
1576 
	return nciphers;
1577 
}
1578 
 
1579 
static Ints*
1580 
makeciphers(void)
1581 
{
1582 
	Ints *is;
1583 
	int i, j;
1584 
 
1585 
	is = newints(nciphers);
1586 
	j = 0;
1587 
	for(i = 0; i < nelem(cipherAlgs); i++){
1588 
		if(cipherAlgs[i].ok)
1589 
			is->data[j++] = cipherAlgs[i].tlsid;
1590 
	}
1591 
	return is;
1592 
}
1593 
 
1594 
 
1595 
 
1596 
//================= security functions ========================
1597 
 
1598 
// given X.509 certificate, set up connection to factotum
1599 
//	for using corresponding private key
1600 
static AuthRpc*
1601 
factotum_rsa_open(uchar *cert, int certlen)
1602 
{
1603 
	int afd;
1604 
	char *s;
1605 
	mpint *pub = nil;
1606 
	RSApub *rsapub;
1607 
	AuthRpc *rpc;
1608 
 
1609 
	// start talking to factotum
1610 
	if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
1611 
		return nil;
1612 
	if((rpc = auth_allocrpc(afd)) == nil){
1613 
		close(afd);
1614 
		return nil;
1615 
	}
1616 
	s = "proto=rsa service=tls role=client";
1617 
	if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
1618 
		factotum_rsa_close(rpc);
1619 
		return nil;
1620 
	}
1621 
 
1622 
	// roll factotum keyring around to match certificate
1623 
	rsapub = X509toRSApub(cert, certlen, nil, 0);
1624 
	while(1){
1625 
		if(auth_rpc(rpc, "read", nil, 0) != ARok){
1626 
			factotum_rsa_close(rpc);
1627 
			rpc = nil;
1628 
			goto done;
1629 
		}
1630 
		pub = strtomp(rpc->arg, nil, 16, nil);
1631 
		assert(pub != nil);
1632 
		if(mpcmp(pub,rsapub->n) == 0)
1633 
			break;
1634 
	}
1635 
done:
1636 
	mpfree(pub);
1637 
	rsapubfree(rsapub);
1638 
	return rpc;
1639 
}
1640 
 
1641 
static mpint*
1642 
factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
1643 
{
1644 
	char *p;
1645 
	int rv;
1646 
 
1647 
	if((p = mptoa(cipher, 16, nil, 0)) == nil)
1648 
		return nil;
1649 
	rv = auth_rpc(rpc, "write", p, strlen(p));
1650 
	free(p);
1651 
	if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
1652 
		return nil;
1653 
	mpfree(cipher);
1654 
	return strtomp(rpc->arg, nil, 16, nil);
1655 
}
1656 
 
1657 
static void
1658 
factotum_rsa_close(AuthRpc*rpc)
1659 
{
1660 
	if(!rpc)
1661 
		return;
1662 
	close(rpc->afd);
1663 
	auth_freerpc(rpc);
1664 
}
1665 
 
1666 
static void
1667 
tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
1668 
{
1669 
	uchar ai[MD5dlen], tmp[MD5dlen];
1670 
	int i, n;
1671 
	MD5state *s;
1672 
 
1673 
	// generate a1
1674 
	s = hmac_md5(label, nlabel, key, nkey, nil, nil);
1675 
	s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
1676 
	hmac_md5(seed1, nseed1, key, nkey, ai, s);
1677 
 
1678 
	while(nbuf > 0) {
1679 
		s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil);
1680 
		s = hmac_md5(label, nlabel, key, nkey, nil, s);
1681 
		s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
1682 
		hmac_md5(seed1, nseed1, key, nkey, tmp, s);
1683 
		n = MD5dlen;
1684 
		if(n > nbuf)
1685 
			n = nbuf;
1686 
		for(i = 0; i < n; i++)
1687 
			buf[i] ^= tmp[i];
1688 
		buf += n;
1689 
		nbuf -= n;
1690 
		hmac_md5(ai, MD5dlen, key, nkey, tmp, nil);
1691 
		memmove(ai, tmp, MD5dlen);
1692 
	}
1693 
}
1694 
 
1695 
static void
1696 
tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
1697 
{
1698 
	uchar ai[SHA1dlen], tmp[SHA1dlen];
1699 
	int i, n;
1700 
	SHAstate *s;
1701 
 
1702 
	// generate a1
1703 
	s = hmac_sha1(label, nlabel, key, nkey, nil, nil);
1704 
	s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
1705 
	hmac_sha1(seed1, nseed1, key, nkey, ai, s);
1706 
 
1707 
	while(nbuf > 0) {
1708 
		s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil);
1709 
		s = hmac_sha1(label, nlabel, key, nkey, nil, s);
1710 
		s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
1711 
		hmac_sha1(seed1, nseed1, key, nkey, tmp, s);
1712 
		n = SHA1dlen;
1713 
		if(n > nbuf)
1714 
			n = nbuf;
1715 
		for(i = 0; i < n; i++)
1716 
			buf[i] ^= tmp[i];
1717 
		buf += n;
1718 
		nbuf -= n;
1719 
		hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil);
1720 
		memmove(ai, tmp, SHA1dlen);
1721 
	}
1722 
}
1723 
 
1724 
// fill buf with md5(args)^sha1(args)
1725 
static void
1726 
tlsPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
1727 
{
1728 
	int i;
1729 
	int nlabel = strlen(label);
1730 
	int n = (nkey + 1) >> 1;
1731 
 
1732 
	for(i = 0; i < nbuf; i++)
1733 
		buf[i] = 0;
1734 
	tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
1735 
	tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
1736 
}
1737 
 
1738 
/*
1739 
 * for setting server session id's
1740 
 */
1741 
static Lock	sidLock;
1742 
static long	maxSid = 1;
1743 
 
1744 
/* the keys are verified to have the same public components
1745 
 * and to function correctly with pkcs 1 encryption and decryption. */
1746 
static TlsSec*
1747 
tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
1748 
{
1749 
	TlsSec *sec = emalloc(sizeof(*sec));
1750 
 
1751 
	USED(csid); USED(ncsid);  // ignore csid for now
1752 
 
1753 
	memmove(sec->crandom, crandom, RandomSize);
1754 
	sec->clientVers = cvers;
1755 
 
1756 
	put32(sec->srandom, time(0));
1757 
	genrandom(sec->srandom+4, RandomSize-4);
1758 
	memmove(srandom, sec->srandom, RandomSize);
1759 
 
1760 
	/*
1761 
	 * make up a unique sid: use our pid, and and incrementing id
1762 
	 * can signal no sid by setting nssid to 0.
1763 
	 */
1764 
	memset(ssid, 0, SidSize);
1765 
	put32(ssid, getpid());
1766 
	lock(&sidLock);
1767 
	put32(ssid+4, maxSid++);
1768 
	unlock(&sidLock);
1769 
	*nssid = SidSize;
1770 
	return sec;
1771 
}
1772 
 
1773 
static int
1774 
tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd)
1775 
{
1776 
	if(epm != nil){
1777 
		if(setVers(sec, vers) < 0)
1778 
			goto Err;
1779 
		serverMasterSecret(sec, epm, nepm);
1780 
	}else if(sec->vers != vers){
1781 
		werrstr("mismatched session versions");
1782 
		goto Err;
1783 
	}
1784 
	setSecrets(sec, kd, nkd);
1785 
	return 0;
1786 
Err:
1787 
	sec->ok = -1;
1788 
	return -1;
1789 
}
1790 
 
1791 
static TlsSec*
1792 
tlsSecInitc(int cvers, uchar *crandom)
1793 
{
1794 
	TlsSec *sec = emalloc(sizeof(*sec));
1795 
	sec->clientVers = cvers;
1796 
	put32(sec->crandom, time(0));
1797 
	genrandom(sec->crandom+4, RandomSize-4);
1798 
	memmove(crandom, sec->crandom, RandomSize);
1799 
	return sec;
1800 
}
1801 
 
1802 
static int
1803 
tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd)
1804 
{
1805 
	RSApub *pub;
1806 
 
1807 
	pub = nil;
1808 
 
1809 
	USED(sid);
1810 
	USED(nsid);
1811 
 
1812 
	memmove(sec->srandom, srandom, RandomSize);
1813 
 
1814 
	if(setVers(sec, vers) < 0)
1815 
		goto Err;
1816 
 
1817 
	pub = X509toRSApub(cert, ncert, nil, 0);
1818 
	if(pub == nil){
1819 
		werrstr("invalid x509/rsa certificate");
1820 
		goto Err;
1821 
	}
1822 
	if(clientMasterSecret(sec, pub, epm, nepm) < 0)
1823 
		goto Err;
1824 
	rsapubfree(pub);
1825 
	setSecrets(sec, kd, nkd);
1826 
	return 0;
1827 
 
1828 
Err:
1829 
	if(pub != nil)
1830 
		rsapubfree(pub);
1831 
	sec->ok = -1;
1832 
	return -1;
1833 
}
1834 
 
1835 
static int
1836 
tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient)
1837 
{
1838 
	if(sec->nfin != nfin){
1839 
		sec->ok = -1;
1840 
		werrstr("invalid finished exchange");
1841 
		return -1;
1842 
	}
1843 
	md5.malloced = 0;
1844 
	sha1.malloced = 0;
1845 
	(*sec->setFinished)(sec, md5, sha1, fin, isclient);
1846 
	return 1;
1847 
}
1848 
 
1849 
static void
1850 
tlsSecOk(TlsSec *sec)
1851 
{
1852 
	if(sec->ok == 0)
1853 
		sec->ok = 1;
1854 
}
1855 
 
1856 
static void
1857 
tlsSecKill(TlsSec *sec)
1858 
{
1859 
	if(!sec)
1860 
		return;
1861 
	factotum_rsa_close(sec->rpc);
1862 
	sec->ok = -1;
1863 
}
1864 
 
1865 
static void
1866 
tlsSecClose(TlsSec *sec)
1867 
{
1868 
	if(!sec)
1869 
		return;
1870 
	factotum_rsa_close(sec->rpc);
1871 
	free(sec->server);
1872 
	free(sec);
1873 
}
1874 
 
1875 
static int
1876 
setVers(TlsSec *sec, int v)
1877 
{
1878 
	if(v == SSL3Version){
1879 
		sec->setFinished = sslSetFinished;
1880 
		sec->nfin = SSL3FinishedLen;
1881 
		sec->prf = sslPRF;
1882 
	}else if(v == TLSVersion){
1883 
		sec->setFinished = tlsSetFinished;
1884 
		sec->nfin = TLSFinishedLen;
1885 
		sec->prf = tlsPRF;
1886 
	}else{
1887 
		werrstr("invalid version");
1888 
		return -1;
1889 
	}
1890 
	sec->vers = v;
1891 
	return 0;
1892 
}
1893 
 
1894 
/*
1895 
 * generate secret keys from the master secret.
1896 
 *
1897 
 * different crypto selections will require different amounts
1898 
 * of key expansion and use of key expansion data,
1899 
 * but it's all generated using the same function.
1900 
 */
1901 
static void
1902 
setSecrets(TlsSec *sec, uchar *kd, int nkd)
1903 
{
1904 
	(*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
1905 
			sec->srandom, RandomSize, sec->crandom, RandomSize);
1906 
}
1907 
 
1908 
/*
1909 
 * set the master secret from the pre-master secret.
1910 
 */
1911 
static void
1912 
setMasterSecret(TlsSec *sec, Bytes *pm)
1913 
{
1914 
	(*sec->prf)(sec->sec, MasterSecretSize, pm->data, MasterSecretSize, "master secret",
1915 
			sec->crandom, RandomSize, sec->srandom, RandomSize);
1916 
}
1917 
 
1918 
static void
1919 
serverMasterSecret(TlsSec *sec, uchar *epm, int nepm)
1920 
{
1921 
	Bytes *pm;
1922 
 
1923 
	pm = pkcs1_decrypt(sec, epm, nepm);
1924 
 
1925 
	// if the client messed up, just continue as if everything is ok,
1926 
	// to prevent attacks to check for correctly formatted messages.
1927 
	// Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
1928 
	if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
1929 
		fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
1930 
			sec->ok, pm, pm ? get16(pm->data) : -1, sec->clientVers, nepm);
1931 
		sec->ok = -1;
1932 
		if(pm != nil)
1933 
			freebytes(pm);
1934 
		pm = newbytes(MasterSecretSize);
1935 
		genrandom(pm->data, MasterSecretSize);
1936 
	}
1937 
	setMasterSecret(sec, pm);
1938 
	memset(pm->data, 0, pm->len);
1939 
	freebytes(pm);
1940 
}
1941 
 
1942 
static int
1943 
clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm)
1944 
{
1945 
	Bytes *pm, *key;
1946 
 
1947 
	pm = newbytes(MasterSecretSize);
1948 
	put16(pm->data, sec->clientVers);
1949 
	genrandom(pm->data+2, MasterSecretSize - 2);
1950 
 
1951 
	setMasterSecret(sec, pm);
1952 
 
1953 
	key = pkcs1_encrypt(pm, pub, 2);
1954 
	memset(pm->data, 0, pm->len);
1955 
	freebytes(pm);
1956 
	if(key == nil){
1957 
		werrstr("tls pkcs1_encrypt failed");
1958 
		return -1;
1959 
	}
1960 
 
1961 
	*nepm = key->len;
1962 
	*epm = malloc(*nepm);
1963 
	if(*epm == nil){
1964 
		freebytes(key);
1965 
		werrstr("out of memory");
1966 
		return -1;
1967 
	}
1968 
	memmove(*epm, key->data, *nepm);
1969 
 
1970 
	freebytes(key);
1971 
 
1972 
	return 1;
1973 
}
1974 
 
1975 
static void
1976 
sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
1977 
{
1978 
	DigestState *s;
1979 
	uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
1980 
	char *label;
1981 
 
1982 
	if(isClient)
1983 
		label = "CLNT";
1984 
	else
1985 
		label = "SRVR";
1986 
 
1987 
	md5((uchar*)label, 4, nil, &hsmd5);
1988 
	md5(sec->sec, MasterSecretSize, nil, &hsmd5);
1989 
	memset(pad, 0x36, 48);
1990 
	md5(pad, 48, nil, &hsmd5);
1991 
	md5(nil, 0, h0, &hsmd5);
1992 
	memset(pad, 0x5C, 48);
1993 
	s = md5(sec->sec, MasterSecretSize, nil, nil);
1994 
	s = md5(pad, 48, nil, s);
1995 
	md5(h0, MD5dlen, finished, s);
1996 
 
1997 
	sha1((uchar*)label, 4, nil, &hssha1);
1998 
	sha1(sec->sec, MasterSecretSize, nil, &hssha1);
1999 
	memset(pad, 0x36, 40);
2000 
	sha1(pad, 40, nil, &hssha1);
2001 
	sha1(nil, 0, h1, &hssha1);
2002 
	memset(pad, 0x5C, 40);
2003 
	s = sha1(sec->sec, MasterSecretSize, nil, nil);
2004 
	s = sha1(pad, 40, nil, s);
2005 
	sha1(h1, SHA1dlen, finished + MD5dlen, s);
2006 
}
2007 
 
2008 
// fill "finished" arg with md5(args)^sha1(args)
2009 
static void
2010 
tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
2011 
{
2012 
	uchar h0[MD5dlen], h1[SHA1dlen];
2013 
	char *label;
2014 
 
2015 
	// get current hash value, but allow further messages to be hashed in
2016 
	md5(nil, 0, h0, &hsmd5);
2017 
	sha1(nil, 0, h1, &hssha1);
2018 
 
2019 
	if(isClient)
2020 
		label = "client finished";
2021 
	else
2022 
		label = "server finished";
2023 
	tlsPRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
2024 
}
2025 
 
2026 
static void
2027 
sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
2028 
{
2029 
	DigestState *s;
2030 
	uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
2031 
	int i, n, len;
2032 
 
2033 
	USED(label);
2034 
	len = 1;
2035 
	while(nbuf > 0){
2036 
		if(len > 26)
2037 
			return;
2038 
		for(i = 0; i < len; i++)
2039 
			tmp[i] = 'A' - 1 + len;
2040 
		s = sha1(tmp, len, nil, nil);
2041 
		s = sha1(key, nkey, nil, s);
2042 
		s = sha1(seed0, nseed0, nil, s);
2043 
		sha1(seed1, nseed1, sha1dig, s);
2044 
		s = md5(key, nkey, nil, nil);
2045 
		md5(sha1dig, SHA1dlen, md5dig, s);
2046 
		n = MD5dlen;
2047 
		if(n > nbuf)
2048 
			n = nbuf;
2049 
		memmove(buf, md5dig, n);
2050 
		buf += n;
2051 
		nbuf -= n;
2052 
		len++;
2053 
	}
2054 
}
2055 
 
2056 
static mpint*
2057 
bytestomp(Bytes* bytes)
2058 
{
2059 
	mpint* ans;
2060 
 
2061 
	ans = betomp(bytes->data, bytes->len, nil);
2062 
	return ans;
2063 
}
2064 
 
2065 
/*
2066 
 * Convert mpint* to Bytes, putting high order byte first.
2067 
 */
2068 
static Bytes*
2069 
mptobytes(mpint* big)
2070 
{
2071 
	int n, m;
2072 
	uchar *a;
2073 
	Bytes* ans;
2074 
 
2075 
	a = nil;
2076 
	n = (mpsignif(big)+7)/8;
2077 
	m = mptobe(big, nil, n, &a);
2078 
	ans = makebytes(a, m);
2079 
	if(a != nil)
2080 
		free(a);
2081 
	return ans;
2082 
}
2083 
 
2084 
// Do RSA computation on block according to key, and pad
2085 
// result on left with zeros to make it modlen long.
2086 
static Bytes*
2087 
rsacomp(Bytes* block, RSApub* key, int modlen)
2088 
{
2089 
	mpint *x, *y;
2090 
	Bytes *a, *ybytes;
2091 
	int ylen;
2092 
 
2093 
	x = bytestomp(block);
2094 
	y = rsaencrypt(key, x, nil);
2095 
	mpfree(x);
2096 
	ybytes = mptobytes(y);
2097 
	ylen = ybytes->len;
2098 
 
2099 
	if(ylen < modlen) {
2100 
		a = newbytes(modlen);
2101 
		memset(a->data, 0, modlen-ylen);
2102 
		memmove(a->data+modlen-ylen, ybytes->data, ylen);
2103 
		freebytes(ybytes);
2104 
		ybytes = a;
2105 
	}
2106 
	else if(ylen > modlen) {
2107 
		// assume it has leading zeros (mod should make it so)
2108 
		a = newbytes(modlen);
2109 
		memmove(a->data, ybytes->data, modlen);
2110 
		freebytes(ybytes);
2111 
		ybytes = a;
2112 
	}
2113 
	mpfree(y);
2114 
	return ybytes;
2115 
}
2116 
 
2117 
// encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
2118 
static Bytes*
2119 
pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
2120 
{
2121 
	Bytes *pad, *eb, *ans;
2122 
	int i, dlen, padlen, modlen;
2123 
 
2124 
	modlen = (mpsignif(key->n)+7)/8;
2125 
	dlen = data->len;
2126 
	if(modlen < 12 || dlen > modlen - 11)
2127 
		return nil;
2128 
	padlen = modlen - 3 - dlen;
2129 
	pad = newbytes(padlen);
2130 
	genrandom(pad->data, padlen);
2131 
	for(i = 0; i < padlen; i++) {
2132 
		if(blocktype == 0)
2133 
			pad->data[i] = 0;
2134 
		else if(blocktype == 1)
2135 
			pad->data[i] = 255;
2136 
		else if(pad->data[i] == 0)
2137 
			pad->data[i] = 1;
2138 
	}
2139 
	eb = newbytes(modlen);
2140 
	eb->data[0] = 0;
2141 
	eb->data[1] = blocktype;
2142 
	memmove(eb->data+2, pad->data, padlen);
2143 
	eb->data[padlen+2] = 0;
2144 
	memmove(eb->data+padlen+3, data->data, dlen);
2145 
	ans = rsacomp(eb, key, modlen);
2146 
	freebytes(eb);
2147 
	freebytes(pad);
2148 
	return ans;
2149 
}
2150 
 
2151 
// decrypt data according to PKCS#1, with given key.
2152 
// expect a block type of 2.
2153 
static Bytes*
2154 
pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm)
2155 
{
2156 
	Bytes *eb, *ans = nil;
2157 
	int i, modlen;
2158 
	mpint *x, *y;
2159 
 
2160 
	modlen = (mpsignif(sec->rsapub->n)+7)/8;
2161 
	if(nepm != modlen)
2162 
		return nil;
2163 
	x = betomp(epm, nepm, nil);
2164 
	y = factotum_rsa_decrypt(sec->rpc, x);
2165 
	if(y == nil)
2166 
		return nil;
2167 
	eb = mptobytes(y);
2168 
	if(eb->len < modlen){ // pad on left with zeros
2169 
		ans = newbytes(modlen);
2170 
		memset(ans->data, 0, modlen-eb->len);
2171 
		memmove(ans->data+modlen-eb->len, eb->data, eb->len);
2172 
		freebytes(eb);
2173 
		eb = ans;
2174 
	}
2175 
	if(eb->data[0] == 0 && eb->data[1] == 2) {
2176 
		for(i = 2; i < modlen; i++)
2177 
			if(eb->data[i] == 0)
2178 
				break;
2179 
		if(i < modlen - 1)
2180 
			ans = makebytes(eb->data+i+1, modlen-(i+1));
2181 
	}
2182 
	freebytes(eb);
2183 
	return ans;
2184 
}
2185 
 
2186 
 
2187 
//================= general utility functions ========================
2188 
 
2189 
static void *
2190 
emalloc(int n)
2191 
{
2192 
	void *p;
2193 
	if(n==0)
2194 
		n=1;
2195 
	p = malloc(n);
2196 
	if(p == nil){
2197 
		exits("out of memory");
2198 
	}
2199 
	memset(p, 0, n);
2200 
	return p;
2201 
}
2202 
 
2203 
static void *
2204 
erealloc(void *ReallocP, int ReallocN)
2205 
{
2206 
	if(ReallocN == 0)
2207 
		ReallocN = 1;
2208 
	if(!ReallocP)
2209 
		ReallocP = emalloc(ReallocN);
2210 
	else if(!(ReallocP = realloc(ReallocP, ReallocN))){
2211 
		exits("out of memory");
2212 
	}
2213 
	return(ReallocP);
2214 
}
2215 
 
2216 
static void
2217 
put32(uchar *p, u32int x)
2218 
{
2219 
	p[0] = x>>24;
2220 
	p[1] = x>>16;
2221 
	p[2] = x>>8;
2222 
	p[3] = x;
2223 
}
2224 
 
2225 
static void
2226 
put24(uchar *p, int x)
2227 
{
2228 
	p[0] = x>>16;
2229 
	p[1] = x>>8;
2230 
	p[2] = x;
2231 
}
2232 
 
2233 
static void
2234 
put16(uchar *p, int x)
2235 
{
2236 
	p[0] = x>>8;
2237 
	p[1] = x;
2238 
}
2239 
 
2240 
static u32int
2241 
get32(uchar *p)
2242 
{
2243 
	return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
2244 
}
2245 
 
2246 
static int
2247 
get24(uchar *p)
2248 
{
2249 
	return (p[0]<<16)|(p[1]<<8)|p[2];
2250 
}
2251 
 
2252 
static int
2253 
get16(uchar *p)
2254 
{
2255 
	return (p[0]<<8)|p[1];
2256 
}
2257 
 
2258 
#define OFFSET(x, s) offsetof(s, x)
2259 
 
2260 
/*
2261 
 * malloc and return a new Bytes structure capable of
2262 
 * holding len bytes. (len >= 0)
2263 
 * Used to use crypt_malloc, which aborts if malloc fails.
2264 
 */
2265 
static Bytes*
2266 
newbytes(int len)
2267 
{
2268 
	Bytes* ans;
2269 
 
2270 
	ans = (Bytes*)malloc(OFFSET(data[0], Bytes) + len);
2271 
	ans->len = len;
2272 
	return ans;
2273 
}
2274 
 
2275 
/*
2276 
 * newbytes(len), with data initialized from buf
2277 
 */
2278 
static Bytes*
2279 
makebytes(uchar* buf, int len)
2280 
{
2281 
	Bytes* ans;
2282 
 
2283 
	ans = newbytes(len);
2284 
	memmove(ans->data, buf, len);
2285 
	return ans;
2286 
}
2287 
 
2288 
static void
2289 
freebytes(Bytes* b)
2290 
{
2291 
	if(b != nil)
2292 
		free(b);
2293 
}
2294 
 
2295 
/* len is number of ints */
2296 
static Ints*
2297 
newints(int len)
2298 
{
2299 
	Ints* ans;
2300 
 
2301 
	ans = (Ints*)malloc(OFFSET(data[0], Ints) + len*sizeof(int));
2302 
	ans->len = len;
2303 
	return ans;
2304 
}
2305 
 
2306 
static Ints*
2307 
makeints(int* buf, int len)
2308 
{
2309 
	Ints* ans;
2310 
 
2311 
	ans = newints(len);
2312 
	if(len > 0)
2313 
		memmove(ans->data, buf, len*sizeof(int));
2314 
	return ans;
2315 
}
2316 
 
2317 
static void
2318 
freeints(Ints* b)
2319 
{
2320 
	if(b != nil)
2321 
		free(b);
2322 
}