WebSVN – planix.SVN – Diff – /os/branches/feature_tlsv12/sys/src/9/port/devtls.c

 /*
- *  devtls - record layer for transport layer security 1.0 and secure sockets layer 3.0
+ *  devtls - record layer for transport layer security 1.2 and secure sockets layer 3.0
  */
 #include	"u.h"
 #include	"../port/lib.h"
 #include	"mem.h"
 #include	"dat.h"
 #include	"../port/error.h"
 #include	<libsec.h>
 typedef struct OneWay	OneWay;
-typedef struct Secret		Secret;
+typedef struct Secret	Secret;
 typedef struct TlsRec	TlsRec;
 typedef struct TlsErrs	TlsErrs;
 enum {
 	Statlen=	1024,		/* max. length of status or stats message */
 	/* buffer limits */
-	MaxRecLen		= 1<<14,	/* max payload length of a record layer message */
+	MaxRecLen	= 1<<14,	/* max payload length of a record layer message */
 	MaxCipherRecLen	= MaxRecLen + 2048,
-	RecHdrLen		= 5,
+	RecHdrLen	= 5,
-	MaxMacLen		= SHA1dlen,
+	MaxMacLen	= SHA2_256dlen,
 	/* protocol versions we can accept */
+	SSL3Version	= 0x0300,
-	TLSVersion		= 0x0301,
+	TLS10Version	= 0x0301,
-	SSL3Version		= 0x0300,
+	TLS11Version	= 0x0302,
-	ProtocolVersion	= 0x0301,	/* maximum version we speak */
+	TLS12Version	= 0x0303,
 	MinProtoVersion	= 0x0300,	/* limits on version we accept */
 	MaxProtoVersion	= 0x03ff,
 	/* connection states */
 	SHandshake	= 1 << 0,	/* doing handshake */
 	EProtocolVersion 		= 70,
 	EInsufficientSecurity 	= 71,
 	EInternalError 			= 80,
 	EUserCanceled 			= 90,
 	ENoRenegotiation 		= 100,
+	EUnrecognizedName		= 112,
 	EMAX = 256
 };
 struct Secret
+{
 	char		*encalg;	/* name of encryption alg */
 	char		*hashalg;	/* name of hash alg */
+	int		(*aead_enc)(Secret*, uchar*, int, uchar*, uchar*, int);
+	int		(*aead_dec)(Secret*, uchar*, int, uchar*, uchar*, int);
 	int		(*enc)(Secret*, uchar*, int);
 	int		(*dec)(Secret*, uchar*, int);
 	int		(*unpad)(uchar*, int, int);
-	DigestState	*(*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+	DigestState*	(*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
 	int		block;		/* encryption block len, 0 if none */
-	int		maclen;
+	int		maclen;		/* # bytes of record mac / authentication tag */
+	int		recivlen;	/* # bytes of record iv for AEAD ciphers */
 	void		*enckey;
-	uchar	mackey[MaxMacLen];
+	uchar		mackey[MaxMacLen];
 };
 struct OneWay
+{
 	QLock		io;		/* locks io access */
 	QLock		seclock;	/* locks secret paramaters */
-	ulong		seq;
+	u64int		seq;
 	Secret		*sec;		/* cipher in use */
 	Secret		*new;		/* cipher waiting for enable */
 };
 struct TlsRec
 	Lock		statelk;
 	int		state;
 	int		debug;
+	/*
-	/* record layer mac functions for different protocol versions */
+	 * function to genrate authenticated data blob for different
+	 * protocol versions
+	 */
-	void		(*packMac)(Secret*, uchar*, uchar*, uchar*, uchar*, int, uchar*);
+	int		(*packAAD)(u64int, uchar*, uchar*);
 	/* input side -- protected by in.io */
 	OneWay		in;
 	Block		*processed;	/* next bunch of application data */
 	Block		*unprocessed;	/* data read from c but not parsed into records */
 enum
+{
 	/* max. open tls connections */
 	MaxTlsDevs	= 1024
 };
 static	Lock	tdlock;
 static	int	tdhiwat;
 static	int	maxtlsdevs = 128;
 static	TlsRec	**tlsdevs;
 static TlsRec	*newtls(Chan *c);
 static TlsRec	*mktlsrec(void);
 static DigestState*sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
 static DigestState*sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
 static DigestState*nomac(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
-static void	sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
+static int	sslPackAAD(u64int, uchar*, uchar*);
+static int	tlsPackAAD(u64int, uchar*, uchar*);
-static void	tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
+static void	packMac(Secret*, uchar*, int, uchar*, int, uchar*);
-static void	put64(uchar *p, vlong x);
+static void	put64(uchar *p, u64int);
 static void	put32(uchar *p, u32int);
 static void	put24(uchar *p, int);
 static void	put16(uchar *p, int);
-static u32int	get32(uchar *p);
 static int	get16(uchar *p);
 static void	tlsSetState(TlsRec *tr, int new, int old);
 static void	rcvAlert(TlsRec *tr, int err);
 static void	sendAlert(TlsRec *tr, int err);
 static void	rcvError(TlsRec *tr, int err, char *msg, ...);
 static int	rc4enc(Secret *sec, uchar *buf, int n);
 static int	des3enc(Secret *sec, uchar *buf, int n);
 static int	des3dec(Secret *sec, uchar *buf, int n);
 static int	aesenc(Secret *sec, uchar *buf, int n);
 static int	aesdec(Secret *sec, uchar *buf, int n);
+static int	ccpoly_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len);
+static int	ccpoly_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len);
+static int	aesgcm_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len);
+static int	aesgcm_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len);
 static int	noenc(Secret *sec, uchar *buf, int n);
 static int	sslunpad(uchar *buf, int n, int block);
 static int	tlsunpad(uchar *buf, int n, int block);
 static void	freeSec(Secret *sec);
 static char	*tlsstate(int s);
 	case Qtopdir:
 		if(s == DEVDOTDOT){
 			q.path = QID(0, Qtopdir);
 			q.type = QTDIR;
 			devdir(c, q, "#a", 0, eve, 0555, dp);
 			return 1;
+		}
 		if(s > 0)
 			return -1;
 		q.path = QID(0, Qprotodir);
 		q.type = QTDIR;
 			nm = tr->user;
 		else
 			nm = eve;
 		if((name = trnames[s]) == nil){
 			name = trnames[s] = smalloc(16);
-			snprint(name, 16, "%d", s);
+			sprint(name, "%d", s);
+		}
 		devdir(c, q, name, 0, nm, 0555, dp);
 		unlock(&tdlock);
 		return 1;
 	case Qconvdir:
 			q.type = QTDIR;
 			devdir(c, q, "tls", 0, eve, 0555, dp);
 			return 1;
+		}
 		if(s < 0 || s >= nelem(convdir))
 			return -1;
 		lock(&tdlock);
 		tr = tlsdevs[CONV(c->qid)];
 		if(tr != nil){
 			nm = tr->user;
 			perm = tr->perm;
 		}else{
 			perm = 0;
 static Walkqid*
 tlswalk(Chan *c, Chan *nc, char **name, int nname)
+{
 	return devwalk(c, nc, name, nname, nil, 0, tlsgen);
 }
 static int
 tlsstat(Chan *c, uchar *db, int n)
+{
 	return devstat(c, db, n, nil, 0, tlsgen);
+}
 static Chan*
 tlsopen(Chan *c, int omode)
+{
 	TlsRec *tr, **pp;
-	int t, perm;
+	int t;
-	perm = 0;
-	omode &= 3;
-	switch(omode) {
-	case OREAD:
-		perm = 4;
-		break;
-	case OWRITE:
-		perm = 2;
-		break;
-	case ORDWR:
-		perm = 6;
-		break;
-	}
 	t = TYPE(c->qid);
 	switch(t) {
 	default:
 		panic("tlsopen");
 		break;
 	case Qclonus:
 		tr = newtls(c);
 		if(tr == nil)
 			error(Enodev);
 		break;
 	case Qctl:
 	case Qdata:
 	case Qhand:
 	case Qstatus:
 	case Qstats:
 		if((t == Qstatus || t == Qstats) && omode != OREAD)
 			error(Eperm);
 		if(waserror()) {
 			unlock(&tdlock);
 		lock(&tdlock);
 		pp = &tlsdevs[CONV(c->qid)];
 		tr = *pp;
 		if(tr == nil)
 			error("must open connection using clone");
-		if((perm & (tr->perm>>6)) != perm
-		&& (strcmp(up->user, tr->user) != 0
+		devpermcheck(tr->user, tr->perm, omode);
-		    || (perm & tr->perm) != perm))
-			error(Eperm);
 		if(t == Qhand){
 			if(waserror()){
 				unlock(&tr->hqlock);
 				nexterror();
+			}
 			poperror();
+		}
 		tr->ref++;
 		unlock(&tdlock);
 		poperror();
 		break;
 	case Qencalgs:
 	case Qhashalgs:
 		if(omode != OREAD)
 			error(Eperm);
 		break;
+	}
 	c->mode = openmode(omode);
 	c->flag |= COPEN;
 	c->offset = 0;
-	c->iounit = qiomaxatomic;
+	c->iounit = MaxRecLen;
 	return c;
+}
 static int
 tlswstat(Chan *c, uchar *dp, int n)
 	rv = convM2D(dp, n, &d[0], (char*) &d[1]);
 	if(rv == 0)
 		error(Eshortstat);
 	if(!emptystr(d->uid))
 		kstrdup(&tr->user, d->uid);
-	if(d->mode != ~0UL)
+	if(d->mode != -1)
 		tr->perm = d->mode;
 	free(d);
 	poperror();
 	unlock(&tdlock);
 			tr->handq = nil;
+		}
 		if(tr->hprocessed != nil){
 			freeb(tr->hprocessed);
 			tr->hprocessed = nil;
 		}
+	}
 	unlock(&tr->hqlock);
+}
 static void
 static void
 ensure(TlsRec *s, Block **l, int n)
+{
 	int sofar, i;
 	Block *b, *bl;
 	sofar = 0;
 	for(b = *l; b; b = b->next){
 		sofar += BLEN(b);
 		if(sofar >= n)
 			return;
 	b = *l;
 	if(BLEN(b) == n){
 		*l = b->next;
 		b->next = nil;
 		return b;
 	}
 	i = 0;
 	for(bb = b; bb != nil && i < n; bb = bb->next)
 		i += BLEN(bb);
 	if(i > n)
 		i = n;
 static void
 tlsrecread(TlsRec *tr)
+{
 	OneWay *volatile in;
 	Block *volatile b;
-	uchar *p, seq[8], header[RecHdrLen], hmac[MaxMacLen];
+	uchar *p, aad[8+RecHdrLen], header[RecHdrLen], hmac[MaxMacLen];
 	int volatile nconsumed;
-	int len, type, ver, unpad_len;
+	int len, type, ver, unpad_len, aadlen, ivlen;
+	Secret *sec;
 	nconsumed = 0;
 	if(waserror()){
 		if(strcmp(up->errstr, Eintr) == 0 && !waserror()){
 			regurgitate(tr, header, nconsumed);
 	b = nil;
 	if(waserror()){
 		if(b != nil)
 			freeb(b);
 		tlsError(tr, "channel error");
 		nexterror();
 	}
 	b = qgrab(&tr->unprocessed, len);
 if(tr->debug) pprint("consumed unprocessed %d\n", len);
 	in = &tr->in;
 	if(waserror()){
 		qunlock(&in->seclock);
 		nexterror();
+	}
 	qlock(&in->seclock);
 	p = b->rp;
+	sec = in->sec;
-	if(in->sec != nil) {
+	if(sec != nil) {
 		/* to avoid Canvel-Hiltgen-Vaudenay-Vuagnoux attack, all errors here
 		        should look alike, including timing of the response. */
-		unpad_len = (*in->sec->dec)(in->sec, p, len);
+		if(sec->aead_dec != nil)
-		if(unpad_len >= in->sec->maclen)
+			unpad_len = len;
+		else {
-			len = unpad_len - in->sec->maclen;
+			unpad_len = (*sec->dec)(sec, p, len);
 if(tr->debug) pprint("decrypted %d\n", unpad_len);
 if(tr->debug) pdump(unpad_len, p, "decrypted:");
+		}
+		ivlen = sec->recivlen;
+		if(tr->version >= TLS11Version){
+			if(ivlen == 0)
+				ivlen = sec->block;
+		}
+		len -= ivlen;
+		if(len < 0)
+			rcvError(tr, EDecodeError, "runt record message");
+		unpad_len -= ivlen;
+		p += ivlen;
+		if(unpad_len >= sec->maclen)
+			len = unpad_len - sec->maclen;
 		/* update length */
 		put16(header+3, len);
+		aadlen = (*tr->packAAD)(in->seq++, header, aad);
+		if(sec->aead_dec != nil) {
+			len = (*sec->aead_dec)(sec, aad, aadlen, p - ivlen, p, unpad_len);
-		put64(seq, in->seq);
+			if(len < 0)
+				rcvError(tr, EBadRecordMac, "record mac mismatch");
-		in->seq++;
+		} else {
-		(*tr->packMac)(in->sec, in->sec->mackey, seq, header, p, len, hmac);
+			packMac(sec, aad, aadlen, p, len, hmac);
-		if(unpad_len < in->sec->maclen)
+			if(unpad_len < sec->maclen)
-			rcvError(tr, EBadRecordMac, "short record mac");
+				rcvError(tr, EBadRecordMac, "short record mac");
-		if(memcmp(hmac, p+len, in->sec->maclen) != 0)
+			if(tsmemcmp(hmac, p + len, sec->maclen) != 0)
-			rcvError(tr, EBadRecordMac, "record mac mismatch");
+				rcvError(tr, EBadRecordMac, "record mac mismatch");
+		}
+		b->rp = p;
-		b->wp = b->rp + len;
+		b->wp = p+len;
+	}
 	qunlock(&in->seclock);
 	poperror();
 	if(len < 0)
 		rcvError(tr, EDecodeError, "runt record message");
 			rcvAlert(tr, p[1]);
 		if(p[0] != 1)
 			rcvError(tr, EIllegalParameter, "invalid alert fatal code");
 		/*
-		 * propate non-fatal alerts to handshaker
+		 * propagate non-fatal alerts to handshaker
 		 */
+		switch(p[1]){
-		if(p[1] == ECloseNotify) {
+		case ECloseNotify:
 			tlsclosed(tr, SRClose);
 			if(tr->opened)
 				error("tls hungup");
 			error("close notify");
-		}
+			break;
-		if(p[1] == ENoRenegotiation)
+		case ENoRenegotiation:
 			alertHand(tr, "no renegotiation");
+			break;
-		else if(p[1] == EUserCanceled)
+		case EUserCanceled:
 			alertHand(tr, "handshake canceled by user");
+			break;
+		case EUnrecognizedName:
+			/* happens in response to SNI, can be ignored. */
+			break;
-		else
+		default:
 			rcvError(tr, EIllegalParameter, "invalid alert code");
+		}
 		break;
 	case RHandshake:
 		/*
 		 * don't worry about dropping the block
 		 * qbwrite always queues even if flow controlled and interrupted.
 		while(tr->processed == nil)
 			tlsrecread(tr);
 		/* return at most what was asked for */
 		b = qgrab(&tr->processed, n);
-if(tr->debug) pprint("consumed processed %ld\n", BLEN(b));
+if(tr->debug) pprint("consumed processed %zd\n", BLEN(b));
 if(tr->debug) pdump(BLEN(b), b->rp, "consumed:");
 		qunlock(&tr->in.io);
 		poperror();
 		tr->datain += BLEN(b);
 	}else{
 		qunlock(&tr->hqread);
 		tr->handin += BLEN(b);
+	}
 	return b;
 }
 static long
 tlsread(Chan *c, void *a, long n, vlong off)
+{
 	Block *volatile b;
 	Block *nb;
 	uchar *va;
 		if(tr->in.new != nil)
 			s = seprint(s, e, "NewEncIn: %s\nNewHashIn: %s\n", tr->in.new->encalg, tr->in.new->hashalg);
 		if(tr->out.sec != nil)
 			s = seprint(s, e, "EncOut: %s\nHashOut: %s\n", tr->out.sec->encalg, tr->out.sec->hashalg);
 		if(tr->out.new != nil)
-			seprint(s, e, "NewEncOut: %s\nNewHashOut: %s\n", tr->out.new->encalg, tr->out.new->hashalg);
+			s = seprint(s, e, "NewEncOut: %s\nNewHashOut: %s\n", tr->out.new->encalg, tr->out.new->hashalg);
+		if(tr->c != nil)
+			seprint(s, e, "Chan: %s\n", chanpath(tr->c));
 		qunlock(&tr->in.seclock);
 		qunlock(&tr->out.seclock);
 		n = readstr(offset, a, n, buf);
 		free(buf);
 		return n;
 static void
 tlsrecwrite(TlsRec *tr, int type, Block *b)
+{
 	Block *volatile bb;
 	Block *nb;
-	uchar *p, seq[8];
+	uchar *p, aad[8+RecHdrLen];
 	OneWay *volatile out;
-	int n, maclen, pad, ok;
+	int n, ivlen, maclen, aadlen, pad, ok;
+	Secret *sec;
 	out = &tr->out;
 	bb = b;
 	if(waserror()){
 		qunlock(&out->io);
 		if(bb != nil)
 			freeb(bb);
 		nexterror();
+	}
 	qlock(&out->io);
-if(tr->debug)pprint("send %ld\n", BLEN(b));
+if(tr->debug)pprint("send %zd\n", BLEN(b));
 if(tr->debug)pdump(BLEN(b), b->rp, "sent:");
 	ok = SHandshake|SOpen|SRClose;
 	if(type == RAlert)
 			nexterror();
+		}
 		qlock(&out->seclock);
 		maclen = 0;
 		pad = 0;
+		ivlen = 0;
+		sec = out->sec;
-		if(out->sec != nil){
+		if(sec != nil){
-			maclen = out->sec->maclen;
+			maclen = sec->maclen;
-			pad = maclen + out->sec->block;
+			pad = maclen + sec->block;
+			ivlen = sec->recivlen;
+			if(tr->version >= TLS11Version){
+				if(ivlen == 0)
+					ivlen = sec->block;
+			}
+		}
 		n = BLEN(bb);
 		if(n > MaxRecLen){
 			n = MaxRecLen;
-			nb = allocb(n + pad + RecHdrLen);
+			nb = allocb(RecHdrLen + ivlen + n + pad);
-			memmove(nb->wp + RecHdrLen, bb->rp, n);
+			memmove(nb->wp + RecHdrLen + ivlen, bb->rp, n);
 			bb->rp += n;
 		}else{
 			/*
 			 * carefully reuse bb so it will get freed if we're out of memory
 			 */
-			bb = padblock(bb, RecHdrLen);
+			bb = padblock(bb, RecHdrLen + ivlen);
 			if(pad)
 				nb = padblock(bb, -pad);
 			else
 				nb = bb;
 			bb = nil;
 		p = nb->rp;
 		p[0] = type;
 		put16(p+1, tr->version);
 		put16(p+3, n);
-		if(out->sec != nil){
+		if(sec != nil){
-			put64(seq, out->seq);
+			aadlen = (*tr->packAAD)(out->seq++, p, aad);
-			out->seq++;
+			if(sec->aead_enc != nil)
-			(*tr->packMac)(out->sec, out->sec->mackey, seq, p, p + RecHdrLen, n, p + RecHdrLen + n);
+				n = (*sec->aead_enc)(sec, aad, aadlen, p + RecHdrLen, p + RecHdrLen + ivlen, n) + ivlen;
-			n += maclen;
+			else {
-			/* encrypt */
+				if(ivlen > 0)
+					prng(p + RecHdrLen, ivlen);
+				packMac(sec, aad, aadlen, p + RecHdrLen + ivlen, n, p + RecHdrLen + ivlen + n);
-			n = (*out->sec->enc)(out->sec, p + RecHdrLen, n);
+				n = (*sec->enc)(sec, p + RecHdrLen, ivlen + n + maclen);
+			}
 			nb->wp = p + RecHdrLen + n;
 			/* update length */
 			put16(p+3, n);
+		}
+{
 	char	*name;
 	int	maclen;
 	void	(*initkey)(Hashalg *, int, Secret *, uchar*);
 };
 static void
 initmd5key(Hashalg *ha, int version, Secret *s, uchar *p)
 {
 	s->maclen = ha->maclen;
 	if(version == SSL3Version)
 		s->mac = sslmac_md5;
 	else
 		s->mac = hmac_md5;
 	memmove(s->mackey, p, ha->maclen);
 }
 static void
 initclearmac(Hashalg *, int, Secret *s, uchar *)
+{
-	s->maclen = 0;
 	s->mac = nomac;
 }
 static void
 initsha1key(Hashalg *ha, int version, Secret *s, uchar *p)
 {
 	s->maclen = ha->maclen;
 	if(version == SSL3Version)
 		s->mac = sslmac_sha1;
 	else
 		s->mac = hmac_sha1;
+	memmove(s->mackey, p, ha->maclen);
+}
+static void
+initsha2_256key(Hashalg *ha, int version, Secret *s, uchar *p)
+{
+	if(version == SSL3Version)
+		error("sha256 cannot be used with SSL");
+	s->maclen = ha->maclen;
+	s->mac = hmac_sha2_256;
 	memmove(s->mackey, p, ha->maclen);
+}
 static Hashalg hashtab[] =
 {
-	{ "clear", 0, initclearmac, },
+	{ "clear",	0,		initclearmac, },
-	{ "md5", MD5dlen, initmd5key, },
+	{ "md5",	MD5dlen,	initmd5key, },
-	{ "sha1", SHA1dlen, initsha1key, },
+	{ "sha1",	SHA1dlen,	initsha1key, },
+	{ "sha256",	SHA2_256dlen,	initsha2_256key, },
 	{ 0 }
 };
 static Hashalg*
 parsehashalg(char *p)
+{
 	Hashalg *ha;
 	for(ha = hashtab; ha->name; ha++)
 		if(strcmp(p, ha->name) == 0)
 			return ha;
 	error("unsupported hash algorithm");
 	return nil;
 	void	(*initkey)(Encalg *ea, Secret *, uchar*, uchar*);
 };
 static void
 initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *)
 {
 	s->enckey = smalloc(sizeof(RC4state));
 	s->enc = rc4enc;
 	s->dec = rc4enc;
-	s->block = 0;
 	setupRC4state(s->enckey, p, ea->keylen);
 }
 static void
 initDES3key(Encalg *, Secret *s, uchar *p, uchar *iv)
 {
 	s->enckey = smalloc(sizeof(DES3state));
 	s->enc = des3enc;
 	s->dec = des3dec;
 	s->block = 8;
 	setupDES3state(s->enckey, (uchar(*)[8])p, iv);
 }
 static void
 initAESkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
+{
 	s->enckey = smalloc(sizeof(AESstate));
 	s->enc = aesenc;
 	s->dec = aesdec;
 	s->block = 16;
 	setupAESstate(s->enckey, p, ea->keylen, iv);
 }
+static void
+initccpolykey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
+{
+	s->enckey = smalloc(sizeof(Chachastate));
+	s->aead_enc = ccpoly_aead_enc;
+	s->aead_dec = ccpoly_aead_dec;
+	s->maclen = Poly1305dlen;
+	if(ea->ivlen == 0) {
+		/* older draft version, iv is 64-bit sequence number */
+		setupChachastate(s->enckey, p, ea->keylen, nil, 64/8, 20);
+	} else {
+		/* IETF standard, 96-bit iv xored with sequence number */
+		memmove(s->mackey, iv, ea->ivlen);
+		setupChachastate(s->enckey, p, ea->keylen, iv, ea->ivlen, 20);
+	}
+}
+static void
+initaesgcmkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
+{
+	s->enckey = smalloc(sizeof(AESGCMstate));
+	s->aead_enc = aesgcm_aead_enc;
+	s->aead_dec = aesgcm_aead_dec;
+	s->maclen = 16;
+	s->recivlen = 8;
+	memmove(s->mackey, iv, ea->ivlen);
+	prng(s->mackey + ea->ivlen, s->recivlen);
+	setupAESGCMstate(s->enckey, p, ea->keylen, nil, 0);
+}
 static void
 initclearenc(Encalg *, Secret *s, uchar *, uchar *)
+{
 	s->enc = noenc;
 	s->dec = noenc;
-	s->block = 0;
+}
 static Encalg encrypttab[] =
+{
 	{ "clear", 0, 0, initclearenc },
 	{ "rc4_128", 128/8, 0, initRC4key },
 	{ "3des_ede_cbc", 3 * 8, 8, initDES3key },
 	{ "aes_128_cbc", 128/8, 16, initAESkey },
 	{ "aes_256_cbc", 256/8, 16, initAESkey },
+	{ "ccpoly64_aead", 256/8, 0, initccpolykey },
+	{ "ccpoly96_aead", 256/8, 96/8, initccpolykey },
+	{ "aes_128_gcm_aead", 128/8, 4, initaesgcmkey },
+	{ "aes_256_gcm_aead", 256/8, 4, initaesgcmkey },
 	{ 0 }
 };
 static Encalg*
 parseencalg(char *p)
 	case Qhand:
 		p = a;
 		e = p + n;
 		do{
 			m = e - p;
-			if(m > MaxRecLen)
+			if(m > c->iounit)
-				m = MaxRecLen;
+				m = c->iounit;
 			b = allocb(m);
 			if(waserror()){
 				freeb(b);
 				nexterror();
 			error(Einuse);
 		m = strtol(cb->f[2], nil, 0);
 		if(m < MinProtoVersion || m > MaxProtoVersion)
 			error("unsupported version");
 		tr->c = buftochan(cb->f[1]);
 		tr->version = m;
 		tlsSetState(tr, SHandshake, SClosed);
 	}else if(strcmp(cb->f[0], "version") == 0){
 		if(cb->nf != 2)
 			error("usage: version vers");
 		if(tr->c == nil)
 			error("must set fd before version");
 		if(tr->verset)
 			error("version already set");
 		m = strtol(cb->f[1], nil, 0);
+		if(m < MinProtoVersion || m > MaxProtoVersion)
+			error("unsupported version");
 		if(m == SSL3Version)
-			tr->packMac = sslPackMac;
+			tr->packAAD = sslPackAAD;
-		else if(m == TLSVersion)
-			tr->packMac = tlsPackMac;
 		else
-			error("unsupported version");
+			tr->packAAD = tlsPackAAD;
 		tr->verset = 1;
 		tr->version = m;
 	}else if(strcmp(cb->f[0], "secret") == 0){
 		if(cb->nf != 5)
 			error("usage: secret hashalg encalg isclient secretdata");
 		ha = parsehashalg(cb->f[1]);
 		ea = parseencalg(cb->f[2]);
 		p = cb->f[4];
-		m = (strlen(p)*3)/2;
+		m = (strlen(p)*3)/2 + 1;
 		x = smalloc(m);
-		tos = nil;
+		tos = smalloc(sizeof(Secret));
-		toc = nil;
+		toc = smalloc(sizeof(Secret));
 		if(waserror()){
+			free(x);
 			freeSec(tos);
 			freeSec(toc);
-			free(x);
 			nexterror();
+		}
 		m = dec64(x, m, p, strlen(p));
+		memset(p, 0, strlen(p));
 		if(m < 2 * ha->maclen + 2 * ea->keylen + 2 * ea->ivlen)
 			error("not enough secret data provided");
-		tos = smalloc(sizeof(Secret));
-		toc = smalloc(sizeof(Secret));
 		if(!ha->initkey || !ea->initkey)
 			error("misimplemented secret algorithm");
 		(*ha->initkey)(ha, tr->version, tos, &x[0]);
 		(*ha->initkey)(ha, tr->version, toc, &x[ha->maclen]);
 		(*ea->initkey)(ea, tos, &x[2 * ha->maclen], &x[2 * ha->maclen + 2 * ea->keylen]);
 		(*ea->initkey)(ea, toc, &x[2 * ha->maclen + ea->keylen], &x[2 * ha->maclen + 2 * ea->keylen + ea->ivlen]);
-		if(!tos->mac || !tos->enc || !tos->dec
+		if(!tos->aead_enc || !tos->aead_dec || !toc->aead_enc || !toc->aead_dec)
-		|| !toc->mac || !toc->enc || !toc->dec)
+			if(!tos->mac || !tos->enc || !tos->dec || !toc->mac || !toc->enc || !toc->dec)
-			error("missing algorithm implementations");
+				error("missing algorithm implementations");
 		if(strtol(cb->f[3], nil, 0) == 0){
 			tr->in.new = tos;
 			tr->out.new = toc;
 		}else{
 			tr->in.new = toc;
 	if(p == 0)
 		error(Ebadarg);
 	fd = strtoul(p, 0, 0);
 	if(fd < 0)
 		error(Ebadarg);
-	c = fdtochan(fd, -1, 0, 1);	/* error check and inc ref */
+	c = fdtochan(fd, ORDWR, 1, 1);	/* error check and inc ref */
 	return c;
+}
 static void
 sendAlert(TlsRec *tr, int err)
 static void
 tlsError(TlsRec *tr, char *msg)
+{
 	int s;
-if(tr->debug)pprint("tleError %s\n", msg);
+if(tr->debug)pprint("tlsError %s\n", msg);
 	lock(&tr->statelk);
 	s = tr->state;
 	tr->state = SError;
 	if(s != SError){
 		strncpy(tr->err, msg, ERRMAX - 1);
 		np = smalloc(sizeof(TlsRec*) * newmax);
 		memmove(np, tlsdevs, sizeof(TlsRec*) * maxtlsdevs);
 		tlsdevs = np;
 		pp = &tlsdevs[maxtlsdevs];
 		memset(pp, 0, sizeof(TlsRec*)*(newmax - maxtlsdevs));
 		nmp = smalloc(sizeof *nmp * newmax);
 		memmove(nmp, trnames, sizeof *nmp * maxtlsdevs);
 		trnames = nmp;
 		maxtlsdevs = newmax;
 	return "Unknown";
+}
 static void
 freeSec(Secret *s)
 {
-	if(s != nil){
+	if(s == nil)
+		return;
-		free(s->enckey);
+	free(s->enckey);
-		free(s);
+	free(s);
-	}
 }
 static int
 noenc(Secret *, uchar *, int n)
 {
 	return n;
+}
 static int
 rc4enc(Secret *sec, uchar *buf, int n)
+{
 	rc4(sec->enckey, buf, n);
 	return n;
 }
 static int
 tlsunpad(uchar *buf, int n, int block)
+{
 	int pad, nn;
 	return nn;
+}
 static int
 sslunpad(uchar *buf, int n, int block)
 {
 	int pad, nn;
 	pad = buf[n - 1];
 	nn = n - 1 - pad;
 	if(nn <= 0 || n % block)
 		return -1;
 	return nn;
 }
 static int
 blockpad(uchar *buf, int n, int block)
 {
 	int pad, nn;
 	nn = n + block;
 	nn -= nn % block;
 	pad = nn - (n + 1);
 	while(n < nn)
 		buf[n++] = pad;
 	return nn;
+}
 static int
 des3enc(Secret *sec, uchar *buf, int n)
+{
 	n = blockpad(buf, n, 8);
 	des3CBCencrypt(buf, n, sec->enckey);
 	return n;
 }
 static int
 des3dec(Secret *sec, uchar *buf, int n)
+{
 	des3CBCdecrypt(buf, n, sec->enckey);
 	return (*sec->unpad)(buf, n, 8);
+}
 static int
 aesdec(Secret *sec, uchar *buf, int n)
+{
 	aesCBCdecrypt(buf, n, sec->enckey);
 	return (*sec->unpad)(buf, n, 16);
+}
+static void
+ccpoly_aead_setiv(Secret *sec, uchar seq[8])
+{
+	uchar iv[ChachaIVlen];
+	Chachastate *cs;
+	int i;
+	cs = (Chachastate*)sec->enckey;
+	if(cs->ivwords == 2){
+		chacha_setiv(cs, seq);
+		return;
+	}
+	memmove(iv, sec->mackey, ChachaIVlen);
+	for(i=0; i<8; i++)
+		iv[i+(ChachaIVlen-8)] ^= seq[i];
+	chacha_setiv(cs, iv);
+	memset(iv, 0, sizeof(iv));
+}
+static int
+ccpoly_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len)
+{
+	USED(reciv);
+	ccpoly_aead_setiv(sec, aad);
+	ccpoly_encrypt(data, len, aad, aadlen, data+len, sec->enckey);
+	return len + sec->maclen;
+}
+static int
+ccpoly_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len)
+{
+	USED(reciv);
+	len -= sec->maclen;
+	if(len < 0)
+		return -1;
+	ccpoly_aead_setiv(sec, aad);
+	if(ccpoly_decrypt(data, len, aad, aadlen, data+len, sec->enckey) != 0)
+		return -1;
+	return len;
+}
+static int
+aesgcm_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len)
+{
+	uchar iv[12];
+	int i;
+	memmove(iv, sec->mackey, 4+8);
+	for(i=0; i<8; i++) iv[4+i] ^= aad[i];
+	memmove(reciv, iv+4, 8);
+	aesgcm_setiv(sec->enckey, iv, 12);
+	memset(iv, 0, sizeof(iv));
+	aesgcm_encrypt(data, len, aad, aadlen, data+len, sec->enckey);
+	return len + sec->maclen;
+}
+static int
+aesgcm_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *reciv, uchar *data, int len)
+{
+	uchar iv[12];
+	len -= sec->maclen;
+	if(len < 0)
+		return -1;
+	memmove(iv, sec->mackey, 4);
+	memmove(iv+4, reciv, 8);
+	aesgcm_setiv(sec->enckey, iv, 12);
+	memset(iv, 0, sizeof(iv));
+	if(aesgcm_decrypt(data, len, aad, aadlen, data+len, sec->enckey) != 0)
+		return -1;
+	return len;
 }
 static DigestState*
 nomac(uchar *, ulong, uchar *, ulong, uchar *, DigestState *)
+{
 	return nil;
+}
 /*
  * sslmac: mac calculations for ssl 3.0 only; tls 1.0 uses the standard hmac.
  */
 static DigestState*
 sslmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s,
 	DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen, int padlen)
+{
 	int i;
 	uchar pad[48], innerdigest[20];
 static DigestState*
 sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
+{
 	return sslmac_x(p, len, key, klen, digest, s, md5, MD5dlen, 48);
 }
-static void
+static int
-sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
+sslPackAAD(u64int seq, uchar *hdr, uchar *aad)
 {
-	DigestState *s;
+	put64(aad, seq);
+	aad[8] = hdr[0];
+	aad[9] = hdr[3];
+	aad[10] = hdr[4];
-	uchar buf[11];
+	return 11;
+}
+static int
+tlsPackAAD(u64int seq, uchar *hdr, uchar *aad)
+{
-	memmove(buf, seq, 8);
+	put64(aad, seq);
-	buf[8] = header[0];
+	aad[8] = hdr[0];
-	buf[9] = header[3];
+	aad[9] = hdr[1];
-	buf[10] = header[4];
+	aad[10] = hdr[2];
-	s = (*sec->mac)(buf, 11, mackey, sec->maclen, 0, 0);
+	aad[11] = hdr[3];
-	(*sec->mac)(body, len, mackey, sec->maclen, mac, s);
+	aad[12] = hdr[4];
+	return 13;
 }
 static void
-tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
+packMac(Secret *sec, uchar *aad, int aadlen, uchar *body, int bodylen, uchar *mac)
 {
 	DigestState *s;
-	uchar buf[13];
-	memmove(buf, seq, 8);
-	memmove(&buf[8], header, 5);
-	s = (*sec->mac)(buf, 13, mackey, sec->maclen, 0, 0);
+	s = (*sec->mac)(aad, aadlen, sec->mackey, sec->maclen, nil, nil);
-	(*sec->mac)(body, len, mackey, sec->maclen, mac, s);
+	(*sec->mac)(body, bodylen, sec->mackey, sec->maclen, mac, s);
 }
 static void
 put32(uchar *p, u32int x)
 {
 	p[0] = x>>24;
 	p[1] = x>>16;
 	p[2] = x>>8;
 	p[3] = x;
+}
 static void
-put64(uchar *p, vlong x)
+put64(uchar *p, u64int x)
 {
-	put32(p, (u32int)(x >> 32));
+	put32(p, x >> 32);
-	put32(p+4, (u32int)x);
+	put32(p+4, x);
 }
 static void
 put24(uchar *p, int x)
+{
 	p[0] = x>>16;
 	p[1] = x>>8;
 	p[2] = x;
 static void
 put16(uchar *p, int x)
+{
 	p[0] = x>>8;
 	p[1] = x;
-}
-static u32int
-get32(uchar *p)
-{
-	return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
+}
 static int
 get16(uchar *p)
+{

Subversion Repositories planix.SVN

(root)/os/branches/feature_tlsv12/sys/src/9/port/devtls.c – Rev 22 → 77