WebSVN – planix.SVN – Diff – /os/trunk/sys/src/libsec/port/tlshand.c

 #include <u.h>
 #include <libc.h>
-#include <bio.h>
 #include <auth.h>
 #include <mp.h>
 #include <libsec.h>
 // The main groups of functions are:
 // which is implemented in kernel device #a.  See also /lib/rfc/rfc2246.
 enum {
 	TLSFinishedLen = 12,
 	SSL3FinishedLen = MD5dlen+SHA1dlen,
-	MaxKeyData = 136,	// amount of secret we may need
+	MaxKeyData = 160,	// amount of secret we may need
-	MaxChunk = 1<<14,
+	MAXdlen = SHA2_512dlen,
 	RandomSize = 32,
-	SidSize = 32,
 	MasterSecretSize = 48,
 	AQueue = 0,
 	AFlush = 1,
 };
-typedef struct TlsSec TlsSec;
 typedef struct Bytes{
 	int len;
-	uchar data[1];  // [len]
+	uchar data[];
 } Bytes;
 typedef struct Ints{
 	int len;
-	int data[1];  // [len]
+	int data[];
 } Ints;
 typedef struct Algs{
 	char *enc;
 	char *digest;
 	int nsecret;
 	int tlsid;
 	int ok;
 } Algs;
+typedef struct Namedcurve{
+	int tlsid;
+	void (*init)(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
+} Namedcurve;
 typedef struct Finished{
 	uchar verify[SSL3FinishedLen];
 	int n;
 } Finished;
+typedef struct HandshakeHash {
+	MD5state	md5;
+	SHAstate	sha1;
+	SHA2_256state	sha2_256;
+} HandshakeHash;
+typedef struct TlsSec TlsSec;
+struct TlsSec {
+	RSApub *rsapub;
+	AuthRpc *rpc;	// factotum for rsa private key
+	uchar *psk;	// pre-shared key
+	int psklen;
+	int clientVers;			// version in ClientHello
+	uchar sec[MasterSecretSize];	// master secret
+	uchar crandom[RandomSize];	// client random
+	uchar srandom[RandomSize];	// server random
+	// diffie hellman state
+	DHstate dh;
+	struct {
+		ECdomain dom;
+		ECpriv Q;
+	} ec;
+	// byte generation and handshake checksum
+	void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
+	void (*setFinished)(TlsSec*, HandshakeHash, uchar*, int);
+	int nfin;
+};
 typedef struct TlsConnection{
-	TlsSec *sec;	// security management goo
+	TlsSec sec[1];	// security management goo
 	int hand, ctl;	// record layer file descriptors
 	int erred;		// set when tlsError called
 	int (*trace)(char*fmt, ...); // for debugging
 	int version;	// protocol we are speaking
-	int verset;		// version has been set
-	int ver2hi;		// server got a version 2 hello
-	int isClient;	// is this the client or server?
-	Bytes *sid;		// SessionID
-	Bytes *cert;	// only last - no chain
+	Bytes *cert;	// server certificate; only last - no chain
-	Lock statelk;
+	int cipher;
-	int state;		// must be set using setstate
+	int nsecret;	// amount of secret data to init keys
-	// input buffer for handshake messages
-	uchar buf[MaxChunk+2048];
-	uchar *rp, *ep;
-	uchar crandom[RandomSize];	// client random
-	uchar srandom[RandomSize];	// server random
-	int clientVersion;	// version in ClientHello
 	char *digest;	// name of digest algorithm to use
-	char *enc;		// name of encryption algorithm to use
+	char *enc;	// name of encryption algorithm to use
-	int nsecret;	// amount of secret data to init keys
 	// for finished messages
-	MD5state	hsmd5;	// handshake hash
-	SHAstate	hssha1;	// handshake hash
+	HandshakeHash	handhash;
 	Finished	finished;
+	uchar *sendp;
+	uchar buf[1<<16];
 } TlsConnection;
 typedef struct Msg{
 	int tag;
 	union {
 			int version;
 			uchar 	random[RandomSize];
 			Bytes*	sid;
 			Ints*	ciphers;
 			Bytes*	compressors;
+			Bytes*	extensions;
 		} clientHello;
 		struct {
 			int version;
-			uchar 	random[RandomSize];
+			uchar	random[RandomSize];
 			Bytes*	sid;
-			int cipher;
+			int	cipher;
-			int compressor;
+			int	compressor;
+			Bytes*	extensions;
 		} serverHello;
 		struct {
 			int ncert;
 			Bytes **certs;
 		} certificate;
 		struct {
 			Bytes *types;
+			Ints *sigalgs;
 			int nca;
 			Bytes **cas;
 		} certificateRequest;
 		struct {
+			Bytes *pskid;
 			Bytes *key;
 		} clientKeyExchange;
+		struct {
+			Bytes *pskid;
+			Bytes *dh_p;
+			Bytes *dh_g;
+			Bytes *dh_Ys;
+			Bytes *dh_parameters;
+			Bytes *dh_signature;
+			int sigalg;
+			int curve;
+		} serverKeyExchange;
+		struct {
+			int sigalg;
+			Bytes *signature;
+		} certificateVerify;
 		Finished finished;
 	} u;
 } Msg;
-typedef struct TlsSec{
-	char *server;	// name of remote; nil for server
-	int ok;	// <0 killed; == 0 in progress; >0 reusable
-	RSApub *rsapub;
-	AuthRpc *rpc;	// factotum for rsa private key
-	uchar sec[MasterSecretSize];	// master secret
-	uchar crandom[RandomSize];	// client random
-	uchar srandom[RandomSize];	// server random
-	int clientVers;		// version in ClientHello
-	int vers;			// final version
-	// byte generation and handshake checksum
-	void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
-	void (*setFinished)(TlsSec*, MD5state, SHAstate, uchar*, int);
-	int nfin;
-} TlsSec;
 enum {
+	SSL3Version	= 0x0300,
-	TLSVersion = 0x0301,
+	TLS10Version	= 0x0301,
+	TLS11Version	= 0x0302,
-	SSL3Version = 0x0300,
+	TLS12Version	= 0x0303,
-	ProtocolVersion = 0x0301,	// maximum version we speak
+	ProtocolVersion	= TLS12Version,	// maximum version we speak
-	MinProtoVersion = 0x0300,	// limits on version we accept
+	MinProtoVersion	= 0x0300,	// limits on version we accept
 	MaxProtoVersion	= 0x03ff,
 };
 // handshake type
 enum {
 	EDecryptError = 51,
 	EExportRestriction = 60,
 	EProtocolVersion = 70,
 	EInsufficientSecurity = 71,
 	EInternalError = 80,
+	EInappropriateFallback = 86,
 	EUserCanceled = 90,
 	ENoRenegotiation = 100,
+	EUnknownPSKidentity = 115,
 	EMax = 256
 };
 // cipher suites
 enum {
-	TLS_NULL_WITH_NULL_NULL	 		= 0x0000,
+	TLS_NULL_WITH_NULL_NULL			= 0x0000,
-	TLS_RSA_WITH_NULL_MD5 			= 0x0001,
+	TLS_RSA_WITH_NULL_MD5			= 0x0001,
-	TLS_RSA_WITH_NULL_SHA 			= 0x0002,
+	TLS_RSA_WITH_NULL_SHA			= 0x0002,
-	TLS_RSA_EXPORT_WITH_RC4_40_MD5 		= 0x0003,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5		= 0x0003,
-	TLS_RSA_WITH_RC4_128_MD5 		= 0x0004,
+	TLS_RSA_WITH_RC4_128_MD5		= 0x0004,
-	TLS_RSA_WITH_RC4_128_SHA 		= 0x0005,
+	TLS_RSA_WITH_RC4_128_SHA		= 0x0005,
 	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	= 0X0006,
-	TLS_RSA_WITH_IDEA_CBC_SHA 		= 0X0007,
+	TLS_RSA_WITH_IDEA_CBC_SHA		= 0X0007,
 	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA	= 0X0008,
 	TLS_RSA_WITH_DES_CBC_SHA		= 0X0009,
 	TLS_RSA_WITH_3DES_EDE_CBC_SHA		= 0X000A,
 	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA	= 0X000B,
 	TLS_DH_DSS_WITH_DES_CBC_SHA		= 0X000C,
 	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA	= 0X0013,	// ZZZ must be implemented for tls1.0 compliance
 	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA	= 0X0014,
 	TLS_DHE_RSA_WITH_DES_CBC_SHA		= 0X0015,
 	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA	= 0X0016,
 	TLS_DH_anon_EXPORT_WITH_RC4_40_MD5	= 0x0017,
-	TLS_DH_anon_WITH_RC4_128_MD5 		= 0x0018,
+	TLS_DH_anon_WITH_RC4_128_MD5		= 0x0018,
 	TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA	= 0X0019,
 	TLS_DH_anon_WITH_DES_CBC_SHA		= 0X001A,
 	TLS_DH_anon_WITH_3DES_EDE_CBC_SHA	= 0X001B,
-	TLS_RSA_WITH_AES_128_CBC_SHA		= 0X002f,	// aes, aka rijndael with 128 bit blocks
+	TLS_RSA_WITH_AES_128_CBC_SHA		= 0X002F,	// aes, aka rijndael with 128 bit blocks
 	TLS_DH_DSS_WITH_AES_128_CBC_SHA		= 0X0030,
 	TLS_DH_RSA_WITH_AES_128_CBC_SHA		= 0X0031,
 	TLS_DHE_DSS_WITH_AES_128_CBC_SHA	= 0X0032,
 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA	= 0X0033,
 	TLS_DH_anon_WITH_AES_128_CBC_SHA	= 0X0034,
 	TLS_DH_DSS_WITH_AES_256_CBC_SHA		= 0X0036,
 	TLS_DH_RSA_WITH_AES_256_CBC_SHA		= 0X0037,
 	TLS_DHE_DSS_WITH_AES_256_CBC_SHA	= 0X0038,
 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	= 0X0039,
 	TLS_DH_anon_WITH_AES_256_CBC_SHA	= 0X003A,
+	TLS_RSA_WITH_AES_128_CBC_SHA256		= 0X003C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256		= 0X003D,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256	= 0X0067,
+	TLS_RSA_WITH_AES_128_GCM_SHA256		= 0x009C,
+	TLS_RSA_WITH_AES_256_GCM_SHA384		= 0x009D,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256	= 0x009E,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	= 0x009F,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256	= 0x00A0,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384	= 0x00A1,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256	= 0x00A2,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384	= 0x00A3,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256	= 0x00A4,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384	= 0x00A5,
+	TLS_DH_anon_WITH_AES_128_GCM_SHA256	= 0x00A6,
+	TLS_DH_anon_WITH_AES_256_GCM_SHA384	= 0x00A7,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	= 0xC02F,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	= 0xC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	= 0xC014,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	= 0xC027,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	= 0xC023,
+	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305	= 0xCCA8,
+	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305	= 0xCCA9,
+	TLS_DHE_RSA_WITH_CHACHA20_POLY1305	= 0xCCAA,
+	GOOGLE_ECDHE_RSA_WITH_CHACHA20_POLY1305		= 0xCC13,
+	GOOGLE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305	= 0xCC14,
+	GOOGLE_DHE_RSA_WITH_CHACHA20_POLY1305		= 0xCC15,
+	TLS_PSK_WITH_CHACHA20_POLY1305		= 0xCCAB,
+	TLS_PSK_WITH_AES_128_CBC_SHA256		= 0x00AE,
+	TLS_PSK_WITH_AES_128_CBC_SHA		= 0x008C,
-	CipherMax
+	TLS_FALLBACK_SCSV = 0x5600,
 };
 // compression methods
 enum {
 	CompressionNull = 0,
 	CompressionMax
 };
 static Algs cipherAlgs[] = {
+	// ECDHE-ECDSA
+	{"ccpoly96_aead", "clear", 2*(32+12), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
+	{"ccpoly64_aead", "clear", 2*32, GOOGLE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
+	{"aes_128_gcm_aead", "clear", 2*(16+4), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
+	{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
+	// ECDHE-RSA
+	{"ccpoly96_aead", "clear", 2*(32+12), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
+	{"ccpoly64_aead", "clear", 2*32, GOOGLE_ECDHE_RSA_WITH_CHACHA20_POLY1305},
+	{"aes_128_gcm_aead", "clear", 2*(16+4), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+	{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
-	{"rc4_128", "md5", 2*(16+MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
+	{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+	{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
+	// DHE-RSA
+	{"ccpoly96_aead", "clear", 2*(32+12), TLS_DHE_RSA_WITH_CHACHA20_POLY1305},
+	{"ccpoly64_aead", "clear", 2*32, GOOGLE_DHE_RSA_WITH_CHACHA20_POLY1305},
+	{"aes_128_gcm_aead", "clear", 2*(16+4), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
+	{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
-	{"rc4_128", "sha1", 2*(16+SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
+	{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
+	{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
-	{"3des_ede_cbc", "sha1", 2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+	{"3des_ede_cbc","sha1",	2*(4*8+SHA1dlen), TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA},
+	// RSA
+	{"aes_128_gcm_aead", "clear", 2*(16+4), TLS_RSA_WITH_AES_128_GCM_SHA256},
+	{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_RSA_WITH_AES_128_CBC_SHA256},
+	{"aes_256_cbc", "sha256", 2*(32+16+SHA2_256dlen), TLS_RSA_WITH_AES_256_CBC_SHA256},
 	{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_RSA_WITH_AES_128_CBC_SHA},
-	{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_RSA_WITH_AES_256_CBC_SHA}
+	{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_RSA_WITH_AES_256_CBC_SHA},
+	{"3des_ede_cbc","sha1",	2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+	// PSK
+	{"ccpoly96_aead", "clear", 2*(32+12), TLS_PSK_WITH_CHACHA20_POLY1305},
+	{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_PSK_WITH_AES_128_CBC_SHA256},
+	{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_PSK_WITH_AES_128_CBC_SHA},
 };
 static uchar compressors[] = {
 	CompressionNull,
 };
+static Namedcurve namedcurves[] = {
+x0017, secp256r1,
+x0018, secp384r1,
+};
+static uchar pointformats[] = {
-static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chain);
+	CompressionNull /* support of uncompressed point format is mandatory */
+};
+static struct {
-static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...));
+	DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*);
+	int len;
+} hashfun[] = {
+/*	[0x00]  is reserved for MD5+SHA1 for < TLS1.2 */
+	[0x01]	{md5,		MD5dlen},
+	[0x02]	{sha1,		SHA1dlen},
+	[0x03]	{sha2_224,	SHA2_224dlen},
+	[0x04]	{sha2_256,	SHA2_256dlen},
+	[0x05]	{sha2_384,	SHA2_384dlen},
+	[0x06]	{sha2_512,	SHA2_512dlen},
+};
+// signature algorithms (only RSA and ECDSA at the moment)
+static int sigalgs[] = {
+x0603,		/* SHA512 ECDSA */
+x0503,		/* SHA384 ECDSA */
+x0403,		/* SHA256 ECDSA */
+x0203,		/* SHA1 ECDSA */
+x0601,		/* SHA512 RSA */
+x0501,		/* SHA384 RSA */
+x0401,		/* SHA256 RSA */
+x0201,		/* SHA1 RSA */
+};
+static TlsConnection *tlsServer2(int ctl, int hand,
+	uchar *cert, int certlen,
+	char *pskid, uchar *psk, int psklen,
+	int (*trace)(char*fmt, ...), PEMChain *chain);
+static TlsConnection *tlsClient2(int ctl, int hand,
+	uchar *cert, int certlen,
+	char *pskid, uchar *psk, int psklen,
+	uchar *ext, int extlen, int (*trace)(char*fmt, ...));
 static void	msgClear(Msg *m);
 static char* msgPrint(char *buf, int n, Msg *m);
 static int	msgRecv(TlsConnection *c, Msg *m);
 static int	msgSend(TlsConnection *c, Msg *m, int act);
 static void	tlsError(TlsConnection *c, int err, char *msg, ...);
 #pragma	varargck argpos	tlsError 3
 static int setVersion(TlsConnection *c, int version);
+static int setSecrets(TlsConnection *c, int isclient);
 static int finishedMatch(TlsConnection *c, Finished *f);
 static void tlsConnectionFree(TlsConnection *c);
+static int isDHE(int tlsid);
+static int isECDHE(int tlsid);
+static int isPSK(int tlsid);
+static int isECDSA(int tlsid);
 static int setAlgs(TlsConnection *c, int a);
-static int okCipher(Ints *cv);
+static int okCipher(Ints *cv, int ispsk);
 static int okCompression(Bytes *cv);
 static int initCiphers(void);
-static Ints* makeciphers(void);
+static Ints* makeciphers(int ispsk);
-static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
+static AuthRpc* factotum_rsa_open(RSApub *rsapub);
-static int	tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd);
+static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
+static void factotum_rsa_close(AuthRpc *rpc);
-static TlsSec*	tlsSecInitc(int cvers, uchar *crandom);
+static void	tlsSecInits(TlsSec *sec, int cvers, uchar *crandom);
-static int	tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd);
+static int	tlsSecRSAs(TlsSec *sec, Bytes *epm);
-static int	tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient);
+static Bytes*	tlsSecECDHEs1(TlsSec *sec, Namedcurve *nc);
-static void	tlsSecOk(TlsSec *sec);
+static int	tlsSecECDHEs2(TlsSec *sec, Bytes *Yc);
-static void	tlsSecKill(TlsSec *sec);
+static void	tlsSecInitc(TlsSec *sec, int cvers);
+static Bytes*	tlsSecRSAc(TlsSec *sec, uchar *cert, int ncert);
+static Bytes*	tlsSecDHEc(TlsSec *sec, Bytes *p, Bytes *g, Bytes *Ys);
+static Bytes*	tlsSecECDHEc(TlsSec *sec, int curve, Bytes *Ys);
-static void	tlsSecClose(TlsSec *sec);
+static void	tlsSecVers(TlsSec *sec, int v);
+static int	tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient);
 static void	setMasterSecret(TlsSec *sec, Bytes *pm);
-static void	serverMasterSecret(TlsSec *sec, uchar *epm, int nepm);
-static void	setSecrets(TlsSec *sec, uchar *kd, int nkd);
-static int	clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm);
+static int	digestDHparams(TlsSec *sec, Bytes *par, uchar digest[MAXdlen], int sigalg);
-static Bytes *pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
-static Bytes *pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm);
-static void	tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
-static void	sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
+static char*	verifyDHparams(TlsSec *sec, Bytes *par, Bytes *cert, Bytes *sig, int sigalg);
-static void	sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
-			uchar *seed0, int nseed0, uchar *seed1, int nseed1);
-static int setVers(TlsSec *sec, int version);
-static AuthRpc* factotum_rsa_open(uchar *cert, int certlen);
+static Bytes*	pkcs1_encrypt(Bytes* data, RSApub* key);
-static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
+static Bytes*	pkcs1_decrypt(TlsSec *sec, Bytes *data);
-static void factotum_rsa_close(AuthRpc*rpc);
+static Bytes*	pkcs1_sign(TlsSec *sec, uchar *digest, int digestlen, int sigalg);
 static void* emalloc(int);
 static void* erealloc(void*, int);
 static void put32(uchar *p, u32int);
 static void put24(uchar *p, int);
 static void put16(uchar *p, int);
-static u32int get32(uchar *p);
 static int get24(uchar *p);
 static int get16(uchar *p);
 static Bytes* newbytes(int len);
 static Bytes* makebytes(uchar* buf, int len);
+static Bytes* mptobytes(mpint* big, int len);
+static mpint* bytestomp(Bytes* bytes);
 static void freebytes(Bytes* b);
 static Ints* newints(int len);
-static Ints* makeints(int* buf, int len);
 static void freeints(Ints* b);
+static int lookupid(Ints* b, int id);
 //================= client/server ========================
 //	push TLS onto fd, returning new (application) file descriptor
 //		or -1 if error.
 	if(n < 0){
 		close(ctl);
 		return -1;
+	}
 	buf[n] = 0;
-	sprint(conn->dir, "#a/tls/%s", buf);
+	snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
-	sprint(dname, "#a/tls/%s/hand", buf);
+	snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
 	hand = open(dname, ORDWR);
 	if(hand < 0){
 		close(ctl);
 		return -1;
+	}
+	data = -1;
 	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
+	tls = tlsServer2(ctl, hand,
+		conn->cert, conn->certlen,
-	tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain);
+		conn->pskID, conn->psk, conn->psklen,
+		conn->trace, conn->chain);
+	if(tls != nil){
-	sprint(dname, "#a/tls/%s/data", buf);
+		snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
-	data = open(dname, ORDWR);
+		data = open(dname, ORDWR);
-	close(fd);
+	}
 	close(hand);
 	close(ctl);
 	if(data < 0){
+		tlsConnectionFree(tls);
 		return -1;
 	}
-	if(tls == nil){
-		close(data);
-		return -1;
-	}
-	if(conn->cert)
-		free(conn->cert);
+	free(conn->cert);
-	conn->cert = 0;  // client certificates are not yet implemented
+	conn->cert = nil;  // client certificates are not yet implemented
 	conn->certlen = 0;
-	conn->sessionIDlen = tls->sid->len;
+	conn->sessionIDlen = 0;
-	conn->sessionID = emalloc(conn->sessionIDlen);
+	conn->sessionID = nil;
-	memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
+	if(conn->sessionKey != nil
+	&& conn->sessionType != nil
-	if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0)
+	&& strcmp(conn->sessionType, "ttls") == 0)
+		tls->sec->prf(
-		tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst,  tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize);
+			conn->sessionKey, conn->sessionKeylen,
+			tls->sec->sec, MasterSecretSize,
+			conn->sessionConst,
+			tls->sec->crandom, RandomSize,
+			tls->sec->srandom, RandomSize);
 	tlsConnectionFree(tls);
+	close(fd);
 	return data;
+}
+static uchar*
+tlsClientExtensions(TLSconn *conn, int *plen)
+{
+	uchar *b, *p;
+	int i, n, m;
+	p = b = nil;
+	// RFC6066 - Server Name Identification
+	if(conn->serverName != nil){
+		n = strlen(conn->serverName);
+		m = p - b;
+		b = erealloc(b, m + 2+2+2+1+2+n);
+		p = b + m;
+		put16(p, 0), p += 2;		/* Type: server_name */
+		put16(p, 2+1+2+n), p += 2;	/* Length */
+		put16(p, 1+2+n), p += 2;	/* Server Name list length */
+		*p++ = 0;			/* Server Name Type: host_name */
+		put16(p, n), p += 2;		/* Server Name length */
+		memmove(p, conn->serverName, n);
+		p += n;
+	}
+	// ECDHE
+	if(ProtocolVersion >= TLS10Version){
+		m = p - b;
+		b = erealloc(b, m + 2+2+2+nelem(namedcurves)*2 + 2+2+1+nelem(pointformats));
+		p = b + m;
+		n = nelem(namedcurves);
+		put16(p, 0x000a), p += 2;	/* Type: elliptic_curves */
+		put16(p, (n+1)*2), p += 2;	/* Length */
+		put16(p, n*2), p += 2;		/* Elliptic Curves Length */
+		for(i=0; i < n; i++){		/* Elliptic curves */
+			put16(p, namedcurves[i].tlsid);
+			p += 2;
+		}
+		n = nelem(pointformats);
+		put16(p, 0x000b), p += 2;	/* Type: ec_point_formats */
+		put16(p, n+1), p += 2;		/* Length */
+		*p++ = n;			/* EC point formats Length */
+		for(i=0; i < n; i++)		/* Elliptic curves point formats */
+			*p++ = pointformats[i];
+	}
+	// signature algorithms
+	if(ProtocolVersion >= TLS12Version){
+		n = nelem(sigalgs);
+		m = p - b;
+		b = erealloc(b, m + 2+2+2+n*2);
+		p = b + m;
+		put16(p, 0x000d), p += 2;
+		put16(p, n*2 + 2), p += 2;
+		put16(p, n*2), p += 2;
+		for(i=0; i < n; i++){
+			put16(p, sigalgs[i]);
+			p += 2;
+		}
+	}
+	*plen = p - b;
+	return b;
+}
 //	push TLS onto fd, returning new (application) file descriptor
 //		or -1 if error.
 int
+{
 	char buf[8];
 	char dname[64];
 	int n, data, ctl, hand;
 	TlsConnection *tls;
+	uchar *ext;
-	if(!conn)
+	if(conn == nil)
 		return -1;
 	ctl = open("#a/tls/clone", ORDWR);
 	if(ctl < 0)
 		return -1;
 	n = read(ctl, buf, sizeof(buf)-1);
 	if(n < 0){
 		close(ctl);
 		return -1;
+	}
 	buf[n] = 0;
-	sprint(conn->dir, "#a/tls/%s", buf);
+	snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
-	sprint(dname, "#a/tls/%s/hand", buf);
+	snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
 	hand = open(dname, ORDWR);
 	if(hand < 0){
 		close(ctl);
 		return -1;
+	}
-	sprint(dname, "#a/tls/%s/data", buf);
+	snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
 	data = open(dname, ORDWR);
-	if(data < 0)
+	if(data < 0){
+		close(hand);
+		close(ctl);
 		return -1;
+	}
 	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
+	ext = tlsClientExtensions(conn, &n);
+	tls = tlsClient2(ctl, hand,
+		conn->cert, conn->certlen,
-	tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->trace);
+		conn->pskID, conn->psk, conn->psklen,
+		ext, n, conn->trace);
-	close(fd);
+	free(ext);
 	close(hand);
 	close(ctl);
 	if(tls == nil){
 		close(data);
 		return -1;
+	}
+	free(conn->cert);
+	if(tls->cert != nil){
-	conn->certlen = tls->cert->len;
+		conn->certlen = tls->cert->len;
-	conn->cert = emalloc(conn->certlen);
+		conn->cert = emalloc(conn->certlen);
-	memcpy(conn->cert, tls->cert->data, conn->certlen);
+		memcpy(conn->cert, tls->cert->data, conn->certlen);
+	} else {
+		conn->certlen = 0;
+		conn->cert = nil;
+	}
-	conn->sessionIDlen = tls->sid->len;
+	conn->sessionIDlen = 0;
-	conn->sessionID = emalloc(conn->sessionIDlen);
+	conn->sessionID = nil;
-	memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
+	if(conn->sessionKey != nil
+	&& conn->sessionType != nil
-	if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0)
+	&& strcmp(conn->sessionType, "ttls") == 0)
+		tls->sec->prf(
-		tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst,  tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize);
+			conn->sessionKey, conn->sessionKeylen,
+			tls->sec->sec, MasterSecretSize,
+			conn->sessionConst,
+			tls->sec->crandom, RandomSize,
+			tls->sec->srandom, RandomSize);
 	tlsConnectionFree(tls);
+	close(fd);
 	return data;
 }
 static int
 countchain(PEMChain *p)
+{
 	int i = 0;
 		i++;
 		p = p->next;
+	}
 	return i;
+}
 static TlsConnection *
+tlsServer2(int ctl, int hand,
+	uchar *cert, int certlen,
+	char *pskid, uchar *psk, int psklen,
-tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chp)
+	int (*trace)(char*fmt, ...), PEMChain *chp)
+{
+	int cipher, compressor, numcerts, i;
 	TlsConnection *c;
 	Msg m;
-	Bytes *csid;
-	uchar sid[SidSize], kd[MaxKeyData];
-	char *secrets;
-	int cipher, compressor, nsid, rv, numcerts, i;
 	if(trace)
 		trace("tlsServer2\n");
 	if(!initCiphers())
 		return nil;
 	c = emalloc(sizeof(TlsConnection));
 	c->ctl = ctl;
 	c->hand = hand;
 	c->trace = trace;
 	c->version = ProtocolVersion;
+	c->sendp = c->buf;
 	memset(&m, 0, sizeof(m));
 	if(!msgRecv(c, &m)){
 		if(trace)
 			trace("initial msgRecv failed\n");
 		goto Err;
 	}
 	if(m.tag != HClientHello) {
 		tlsError(c, EUnexpectedMessage, "expected a client hello");
 		goto Err;
+	}
-	c->clientVersion = m.u.clientHello.version;
 	if(trace)
-		trace("ClientHello version %x\n", c->clientVersion);
+		trace("ClientHello version %x\n", m.u.clientHello.version);
 	if(setVersion(c, m.u.clientHello.version) < 0) {
 		tlsError(c, EIllegalParameter, "incompatible version");
 		goto Err;
 	}
-	memmove(c->crandom, m.u.clientHello.random, RandomSize);
+	if(c->version < ProtocolVersion
-	cipher = okCipher(m.u.clientHello.ciphers);
+	&& lookupid(m.u.clientHello.ciphers, TLS_FALLBACK_SCSV) >= 0){
-	if(cipher < 0) {
-		// reply with EInsufficientSecurity if we know that's the case
-		if(cipher == -2)
-			tlsError(c, EInsufficientSecurity, "cipher suites too weak");
+		tlsError(c, EInappropriateFallback, "inappropriate fallback");
-		else
-			tlsError(c, EHandshakeFailure, "no matching cipher suite");
 		goto Err;
+	}
+	cipher = okCipher(m.u.clientHello.ciphers, psklen > 0);
-	if(!setAlgs(c, cipher)){
+	if(cipher < 0 || !setAlgs(c, cipher)) {
 		tlsError(c, EHandshakeFailure, "no matching cipher suite");
 		goto Err;
+	}
 	compressor = okCompression(m.u.clientHello.compressors);
 	if(compressor < 0) {
 		tlsError(c, EHandshakeFailure, "no matching compressor");
 		goto Err;
+	}
+	if(trace)
+		trace("  cipher %x, compressor %x\n", cipher, compressor);
+	tlsSecInits(c->sec, m.u.clientHello.version, m.u.clientHello.random);
-	csid = m.u.clientHello.sid;
+	tlsSecVers(c->sec, c->version);
-	if(trace)
+	if(psklen > 0){
+		c->sec->psk = psk;
-		trace("  cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
+		c->sec->psklen = psklen;
+	}
+	if(certlen > 0){
+		/* server certificate */
-	c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
+		c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
-	if(c->sec == nil){
+		if(c->sec->rsapub == nil){
-		tlsError(c, EHandshakeFailure, "can't initialize security: %r");
+			tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
-		goto Err;
+			goto Err;
-	}
+		}
-	c->sec->rpc = factotum_rsa_open(cert, ncert);
+		c->sec->rpc = factotum_rsa_open(c->sec->rsapub);
-	if(c->sec->rpc == nil){
+		if(c->sec->rpc == nil){
-		tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
+			tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
-		goto Err;
+			goto Err;
+		}
 	}
-	c->sec->rsapub = X509toRSApub(cert, ncert, nil, 0);
 	msgClear(&m);
 	m.tag = HServerHello;
 	m.u.serverHello.version = c->version;
-	memmove(m.u.serverHello.random, c->srandom, RandomSize);
+	memmove(m.u.serverHello.random, c->sec->srandom, RandomSize);
 	m.u.serverHello.cipher = cipher;
 	m.u.serverHello.compressor = compressor;
-	c->sid = makebytes(sid, nsid);
-	m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
+	m.u.serverHello.sid = makebytes(nil, 0);
 	if(!msgSend(c, &m, AQueue))
 		goto Err;
-	msgClear(&m);
+	if(certlen > 0){
-	m.tag = HCertificate;
+		m.tag = HCertificate;
-	numcerts = countchain(chp);
+		numcerts = countchain(chp);
-	m.u.certificate.ncert = 1 + numcerts;
+		m.u.certificate.ncert = 1 + numcerts;
-	m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes));
+		m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
-	m.u.certificate.certs[0] = makebytes(cert, ncert);
+		m.u.certificate.certs[0] = makebytes(cert, certlen);
-	for (i = 0; i < numcerts && chp; i++, chp = chp->next)
+		for (i = 0; i < numcerts && chp; i++, chp = chp->next)
-		m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
+			m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
-	if(!msgSend(c, &m, AQueue))
+		if(!msgSend(c, &m, AQueue))
+			goto Err;
+	}
+	if(isECDHE(cipher)){
+		Namedcurve *nc = &namedcurves[0];	/* secp256r1 */
+		m.tag = HServerKeyExchange;
+		m.u.serverKeyExchange.curve = nc->tlsid;
+		m.u.serverKeyExchange.dh_parameters = tlsSecECDHEs1(c->sec, nc);
+		if(m.u.serverKeyExchange.dh_parameters == nil){
+			tlsError(c, EInternalError, "can't set DH parameters");
-		goto Err;
+			goto Err;
+		}
+		/* sign the DH parameters */
+		if(certlen > 0){
+			uchar digest[MAXdlen];
+			int digestlen;
+			if(c->version >= TLS12Version)
+				m.u.serverKeyExchange.sigalg = 0x0401;	/* RSA SHA256 */
+			digestlen = digestDHparams(c->sec, m.u.serverKeyExchange.dh_parameters,
+				digest, m.u.serverKeyExchange.sigalg);
+			if((m.u.serverKeyExchange.dh_signature = pkcs1_sign(c->sec, digest, digestlen,
+				m.u.serverKeyExchange.sigalg)) == nil){
+				tlsError(c, EHandshakeFailure, "pkcs1_sign: %r");
+				goto Err;
+			}
+		}
+		if(!msgSend(c, &m, AQueue))
-	msgClear(&m);
+			goto Err;
+	}
 	m.tag = HServerHelloDone;
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
-	msgClear(&m);
 	if(!msgRecv(c, &m))
 		goto Err;
 	if(m.tag != HClientKeyExchange) {
 		tlsError(c, EUnexpectedMessage, "expected a client key exchange");
 		goto Err;
+	}
+	if(pskid != nil){
+		if(m.u.clientKeyExchange.pskid == nil
+		|| m.u.clientKeyExchange.pskid->len != strlen(pskid)
-	if(tlsSecSecrets(c->sec, c->version, m.u.clientKeyExchange.key->data, m.u.clientKeyExchange.key->len, kd, c->nsecret) < 0){
+		|| memcmp(pskid, m.u.clientKeyExchange.pskid->data, m.u.clientKeyExchange.pskid->len) != 0){
+			tlsError(c, EUnknownPSKidentity, "unknown or missing pskid");
+			goto Err;
+		}
+	}
+	if(isECDHE(cipher)){
+		if(tlsSecECDHEs2(c->sec, m.u.clientKeyExchange.key) < 0){
+			tlsError(c, EHandshakeFailure, "couldn't set keys: %r");
+			goto Err;
+		}
+	} else if(certlen > 0){
+		if(tlsSecRSAs(c->sec, m.u.clientKeyExchange.key) < 0){
-		tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
+			tlsError(c, EHandshakeFailure, "couldn't set keys: %r");
+			goto Err;
+		}
+	} else if(psklen > 0){
+		setMasterSecret(c->sec, newbytes(psklen));
+	} else {
+		tlsError(c, EInternalError, "no psk or certificate");
 		goto Err;
 	}
 	if(trace)
 		trace("tls secrets\n");
-	secrets = (char*)emalloc(2*c->nsecret);
-	enc64(secrets, 2*c->nsecret, kd, c->nsecret);
-	rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
-	memset(secrets, 0, 2*c->nsecret);
+	if(setSecrets(c, 0) < 0){
-	free(secrets);
-	memset(kd, 0, c->nsecret);
-	if(rv < 0){
-		tlsError(c, EHandshakeFailure, "can't set keys: %r");
+		tlsError(c, EHandshakeFailure, "can't set secrets: %r");
 		goto Err;
+	}
-	msgClear(&m);
 	/* no CertificateVerify; skip to Finished */
-	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
+	if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
 		tlsError(c, EInternalError, "can't set finished: %r");
 		goto Err;
+	}
 	if(!msgRecv(c, &m))
 		goto Err;
 	if(m.tag != HFinished) {
 		tlsError(c, EUnexpectedMessage, "expected a finished");
 		goto Err;
 	}
 	if(!finishedMatch(c, &m.u.finished)) {
 		tlsError(c, EHandshakeFailure, "finished verification failed");
 		goto Err;
 	}
 	msgClear(&m);
 	/* change cipher spec */
 	if(fprint(c->ctl, "changecipher") < 0){
 		tlsError(c, EInternalError, "can't enable cipher: %r");
 		goto Err;
 	}
-	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
+	if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
 		tlsError(c, EInternalError, "can't set finished: %r");
 		goto Err;
+	}
 	m.tag = HFinished;
 	m.u.finished = c->finished;
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
-	msgClear(&m);
 	if(trace)
 		trace("tls finished\n");
 	if(fprint(c->ctl, "opened") < 0)
 		goto Err;
-	tlsSecOk(c->sec);
 	return c;
 Err:
 	msgClear(&m);
 	tlsConnectionFree(c);
+	return nil;
+}
+static Bytes*
+tlsSecDHEc(TlsSec *sec, Bytes *p, Bytes *g, Bytes *Ys)
+{
+	DHstate *dh = &sec->dh;
+	mpint *G, *P, *Y, *K;
+	Bytes *Yc;
+	int n;
+	if(p == nil || g == nil || Ys == nil)
+		return nil;
+	Yc = nil;
+	P = bytestomp(p);
+	G = bytestomp(g);
+	Y = bytestomp(Ys);
+	K = nil;
+	if(dh_new(dh, P, nil, G) == nil)
+		goto Out;
+	n = (mpsignif(P)+7)/8;
+	Yc = mptobytes(dh->y, n);
+	K = dh_finish(dh, Y);	/* zeros dh */
+	if(K == nil){
+		freebytes(Yc);
+		Yc = nil;
+		goto Out;
+	}
+	setMasterSecret(sec, mptobytes(K, n));
+Out:
+	mpfree(K);
+	mpfree(Y);
+	mpfree(G);
+	mpfree(P);
+	return Yc;
+}
+static Bytes*
+tlsSecECDHEc(TlsSec *sec, int curve, Bytes *Ys)
+{
+	ECdomain *dom = &sec->ec.dom;
+	ECpriv *Q = &sec->ec.Q;
+	Namedcurve *nc;
+	ECpub *pub;
+	ECpoint K;
+	Bytes *Yc;
+	int n;
+	if(Ys == nil)
+		return nil;
+	for(nc = namedcurves; nc != &namedcurves[nelem(namedcurves)]; nc++)
+		if(nc->tlsid == curve)
+			goto Found;
+	return nil;
+Found:
+	ecdominit(dom, nc->init);
+	pub = ecdecodepub(dom, Ys->data, Ys->len);
+	if(pub == nil)
+		return nil;
+	memset(Q, 0, sizeof(*Q));
+	Q->x = mpnew(0);
+	Q->y = mpnew(0);
+	Q->d = mpnew(0);
+	memset(&K, 0, sizeof(K));
+	K.x = mpnew(0);
+	K.y = mpnew(0);
+	ecgen(dom, Q);
+	ecmul(dom, pub, Q->d, &K);
+	n = (mpsignif(dom->p)+7)/8;
+	setMasterSecret(sec, mptobytes(K.x, n));
+	Yc = newbytes(1 + 2*n);
+	Yc->len = ecencodepub(dom, Q, Yc->data, Yc->len);
+	mpfree(K.x);
+	mpfree(K.y);
+	ecpubfree(pub);
-	return 0;
+	return Yc;
+}
 static TlsConnection *
-tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...))
+tlsClient2(int ctl, int hand,
+	uchar *cert, int certlen,
+	char *pskid, uchar *psk, int psklen,
+	uchar *ext, int extlen,
+	int (*trace)(char*fmt, ...))
+{
+	int creq, dhx, cipher;
 	TlsConnection *c;
+	Bytes *epm;
 	Msg m;
-	uchar kd[MaxKeyData], *epm;
-	char *secrets;
-	int creq, nepm, rv;
 	if(!initCiphers())
 		return nil;
 	epm = nil;
+	memset(&m, 0, sizeof(m));
 	c = emalloc(sizeof(TlsConnection));
-	c->version = ProtocolVersion;
 	c->ctl = ctl;
 	c->hand = hand;
 	c->trace = trace;
-	c->isClient = 1;
+	c->cert = nil;
-	c->clientVersion = c->version;
+	c->sendp = c->buf;
+	c->version = ProtocolVersion;
-	c->sec = tlsSecInitc(c->clientVersion, c->crandom);
+	tlsSecInitc(c->sec, c->version);
+	if(psklen > 0){
+		c->sec->psk = psk;
+		c->sec->psklen = psklen;
+	}
+	if(certlen > 0){
+		/* client certificate */
+		c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
+		if(c->sec->rsapub == nil){
+			tlsError(c, EInternalError, "invalid X509/rsa certificate");
+			goto Err;
+		}
+		c->sec->rpc = factotum_rsa_open(c->sec->rsapub);
-	if(c->sec == nil)
+		if(c->sec->rpc == nil){
+			tlsError(c, EInternalError, "factotum_rsa_open: %r");
-		goto Err;
+			goto Err;
+		}
+	}
 	/* client hello */
-	memset(&m, 0, sizeof(m));
 	m.tag = HClientHello;
-	m.u.clientHello.version = c->clientVersion;
+	m.u.clientHello.version = c->version;
-	memmove(m.u.clientHello.random, c->crandom, RandomSize);
+	memmove(m.u.clientHello.random, c->sec->crandom, RandomSize);
-	m.u.clientHello.sid = makebytes(csid, ncsid);
+	m.u.clientHello.sid = makebytes(nil, 0);
-	m.u.clientHello.ciphers = makeciphers();
+	m.u.clientHello.ciphers = makeciphers(psklen > 0);
 	m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
+	m.u.clientHello.extensions = makebytes(ext, extlen);
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
-	msgClear(&m);
 	/* server hello */
 	if(!msgRecv(c, &m))
 		goto Err;
 	if(m.tag != HServerHello) {
 		tlsError(c, EUnexpectedMessage, "expected a server hello");
 		goto Err;
+	}
 	if(setVersion(c, m.u.serverHello.version) < 0) {
-		tlsError(c, EIllegalParameter, "incompatible version %r");
+		tlsError(c, EIllegalParameter, "incompatible version: %r");
 		goto Err;
 	}
-	memmove(c->srandom, m.u.serverHello.random, RandomSize);
+	tlsSecVers(c->sec, c->version);
-	c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
+	memmove(c->sec->srandom, m.u.serverHello.random, RandomSize);
-	if(c->sid->len != 0 && c->sid->len != SidSize) {
-		tlsError(c, EIllegalParameter, "invalid server session identifier");
-		goto Err;
-	}
-	if(!setAlgs(c, m.u.serverHello.cipher)) {
+	cipher = m.u.serverHello.cipher;
+	if((psklen > 0) != isPSK(cipher) || !setAlgs(c, cipher)) {
 		tlsError(c, EIllegalParameter, "invalid cipher suite");
 		goto Err;
+	}
 	if(m.u.serverHello.compressor != CompressionNull) {
 		tlsError(c, EIllegalParameter, "invalid compression");
 		goto Err;
+	}
-	msgClear(&m);
-	/* certificate */
-	if(!msgRecv(c, &m) || m.tag != HCertificate) {
-		tlsError(c, EUnexpectedMessage, "expected a certificate");
-		goto Err;
-	}
-	if(m.u.certificate.ncert < 1) {
-		tlsError(c, EIllegalParameter, "runt certificate");
-		goto Err;
-	}
-	c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
-	msgClear(&m);
-	/* server key exchange (optional) */
+	dhx = isDHE(cipher) || isECDHE(cipher);
 	if(!msgRecv(c, &m))
 		goto Err;
+	if(m.tag == HCertificate){
+		if(m.u.certificate.ncert < 1) {
+			tlsError(c, EIllegalParameter, "runt certificate");
+			goto Err;
+		}
+		c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
+		if(!msgRecv(c, &m))
+			goto Err;
+	} else if(psklen == 0) {
+		tlsError(c, EUnexpectedMessage, "expected a certificate");
+		goto Err;
+	}
 	if(m.tag == HServerKeyExchange) {
+		if(dhx){
+			char *err = verifyDHparams(c->sec,
+				m.u.serverKeyExchange.dh_parameters,
+				c->cert,
+				m.u.serverKeyExchange.dh_signature,
+				c->version<TLS12Version ? 0x01 : m.u.serverKeyExchange.sigalg);
+			if(err != nil){
+				tlsError(c, EBadCertificate, "can't verify DH parameters: %s", err);
+				goto Err;
+			}
+			if(isECDHE(cipher)){
+				epm = tlsSecECDHEc(c->sec,
+					m.u.serverKeyExchange.curve,
+					m.u.serverKeyExchange.dh_Ys);
+			}
+			else{
+				epm = tlsSecDHEc(c->sec,
+					m.u.serverKeyExchange.dh_p,
+					m.u.serverKeyExchange.dh_g,
+					m.u.serverKeyExchange.dh_Ys);
+			}
+			if(epm == nil){
+				tlsError(c, EHandshakeFailure, "bad DH parameters");
+				goto Err;
+			}
+		} else if(psklen == 0){
-		tlsError(c, EUnexpectedMessage, "got an server key exchange");
+			tlsError(c, EUnexpectedMessage, "got an server key exchange");
+			goto Err;
+		}
+		if(!msgRecv(c, &m))
+			goto Err;
+	} else if(dhx){
+		tlsError(c, EUnexpectedMessage, "expected server key exchange");
 		goto Err;
-		// If implementing this later, watch out for rollback attack
-		// described in Wagner Schneier 1996, section 4.4.
+	}
 	/* certificate request (optional) */
 	creq = 0;
 	if(m.tag == HCertificateRequest) {
 		creq = 1;
-		msgClear(&m);
 		if(!msgRecv(c, &m))
 			goto Err;
+	}
 	if(m.tag != HServerHelloDone) {
 		tlsError(c, EUnexpectedMessage, "expected a server hello done");
 		goto Err;
+	}
 	msgClear(&m);
+	if(!dhx){
-	if(tlsSecSecretc(c->sec, c->sid->data, c->sid->len, c->srandom,
+		if(c->cert != nil){
-			c->cert->data, c->cert->len, c->version, &epm, &nepm,
+			epm = tlsSecRSAc(c->sec, c->cert->data, c->cert->len);
-			kd, c->nsecret) < 0){
+			if(epm == nil){
-		tlsError(c, EBadCertificate, "invalid x509/rsa certificate");
+				tlsError(c, EBadCertificate, "bad certificate: %r");
-		goto Err;
+				goto Err;
-	}
+			}
-	secrets = (char*)emalloc(2*c->nsecret);
+		} else if(psklen > 0){
-	enc64(secrets, 2*c->nsecret, kd, c->nsecret);
+			setMasterSecret(c->sec, newbytes(psklen));
+		} else {
-	rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
+			tlsError(c, EInternalError, "no psk or certificate");
-	memset(secrets, 0, 2*c->nsecret);
+			goto Err;
+		}
+	}
-	free(secrets);
+	if(trace)
-	memset(kd, 0, c->nsecret);
+		trace("tls secrets\n");
-	if(rv < 0){
+	if(setSecrets(c, 1) < 0){
-		tlsError(c, EHandshakeFailure, "can't set keys: %r");
+		tlsError(c, EHandshakeFailure, "can't set secrets: %r");
 		goto Err;
+	}
 	if(creq) {
-		/* send a zero length certificate */
 		m.tag = HCertificate;
+		if(certlen > 0){
+			m.u.certificate.ncert = 1;
+			m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
+			m.u.certificate.certs[0] = makebytes(cert, certlen);
+		}
 		if(!msgSend(c, &m, AFlush))
 			goto Err;
-		msgClear(&m);
+	}
 	/* client key exchange */
 	m.tag = HClientKeyExchange;
+	if(psklen > 0){
+		if(pskid == nil)
+			pskid = "";
-	m.u.clientKeyExchange.key = makebytes(epm, nepm);
+		m.u.clientKeyExchange.pskid = makebytes((uchar*)pskid, strlen(pskid));
+	}
-	free(epm);
+	m.u.clientKeyExchange.key = epm;
 	epm = nil;
-	if(m.u.clientKeyExchange.key == nil) {
-		tlsError(c, EHandshakeFailure, "can't set secret: %r");
-		goto Err;
-	}
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
+	/* certificate verify */
+	if(creq && certlen > 0) {
+		HandshakeHash hsave;
+		uchar digest[MAXdlen];
+		int digestlen;
+		/* save the state for the Finish message */
+		hsave = c->handhash;
+		if(c->version < TLS12Version){
+			md5(nil, 0, digest, &c->handhash.md5);
+			sha1(nil, 0, digest+MD5dlen, &c->handhash.sha1);
+			digestlen = MD5dlen+SHA1dlen;
+		} else {
+			m.u.certificateVerify.sigalg = 0x0401;	/* RSA SHA256 */
+			sha2_256(nil, 0, digest, &c->handhash.sha2_256);
+			digestlen = SHA2_256dlen;
+		}
+		c->handhash = hsave;
+		if((m.u.certificateVerify.signature = pkcs1_sign(c->sec, digest, digestlen,
+			m.u.certificateVerify.sigalg)) == nil){
+			tlsError(c, EHandshakeFailure, "pkcs1_sign: %r");
+			goto Err;
+		}
+		m.tag = HCertificateVerify;
+		if(!msgSend(c, &m, AFlush))
-	msgClear(&m);
+			goto Err;
+	}
 	/* change cipher spec */
 	if(fprint(c->ctl, "changecipher") < 0){
 		tlsError(c, EInternalError, "can't enable cipher: %r");
 		goto Err;
 	}
 	// Cipherchange must occur immediately before Finished to avoid
 	// potential hole;  see section 4.3 of Wagner Schneier 1996.
-	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
+	if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
 		tlsError(c, EInternalError, "can't set finished 1: %r");
 		goto Err;
+	}
 	m.tag = HFinished;
 	m.u.finished = c->finished;
 	if(!msgSend(c, &m, AFlush)) {
-		fprint(2, "tlsClient nepm=%d\n", nepm);
 		tlsError(c, EInternalError, "can't flush after client Finished: %r");
 		goto Err;
+	}
-	msgClear(&m);
-	if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
+	if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
-		fprint(2, "tlsClient nepm=%d\n", nepm);
 		tlsError(c, EInternalError, "can't set finished 0: %r");
 		goto Err;
+	}
 	if(!msgRecv(c, &m)) {
-		fprint(2, "tlsClient nepm=%d\n", nepm);
 		tlsError(c, EInternalError, "can't read server Finished: %r");
 		goto Err;
+	}
 	if(m.tag != HFinished) {
-		fprint(2, "tlsClient nepm=%d\n", nepm);
 		tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
 		goto Err;
+	}
 	if(!finishedMatch(c, &m.u.finished)) {
 	if(fprint(c->ctl, "opened") < 0){
 		if(trace)
 			trace("unable to do final open: %r\n");
 		goto Err;
+	}
-	tlsSecOk(c->sec);
 	return c;
 Err:
 	free(epm);
 	msgClear(&m);
 	tlsConnectionFree(c);
-	return 0;
+	return nil;
 }
 //================= message functions ========================
+static void
+msgHash(TlsConnection *c, uchar *p, int n)
+{
+	md5(p, n, 0, &c->handhash.md5);
-static uchar sendbuf[9000], *sendp;
+	sha1(p, n, 0, &c->handhash.sha1);
+	if(c->version >= TLS12Version)
+		sha2_256(p, n, 0, &c->handhash.sha2_256);
+}
 static int
 msgSend(TlsConnection *c, Msg *m, int act)
+{
-	uchar *p; // sendp = start of new message;  p = write pointer
+	uchar *p, *e; // sendp = start of new message;  p = write pointer; e = end pointer
-	int nn, n, i;
+	int n, i;
-	if(sendp == nil)
-		sendp = sendbuf;
+	p = c->sendp;
-	p = sendp;
+	e = &c->buf[sizeof(c->buf)];
 	if(c->trace)
-		c->trace("send %s", msgPrint((char*)p, (sizeof sendbuf) - (p-sendbuf), m));
+		c->trace("send %s", msgPrint((char*)p, e - p, m));
 	p[0] = m->tag;	// header - fill in size later
 	p += 4;
 	switch(m->tag) {
 	default:
 		tlsError(c, EInternalError, "can't encode a %d", m->tag);
 		goto Err;
 	case HClientHello:
+		if(p+2+RandomSize > e)
-		// version
+			goto Overflow;
-		put16(p, m->u.clientHello.version);
+		put16(p, m->u.clientHello.version), p += 2;
-		p += 2;
-		// random
 		memmove(p, m->u.clientHello.random, RandomSize);
 		p += RandomSize;
-		// sid
-		n = m->u.clientHello.sid->len;
+		if(p+1+(n = m->u.clientHello.sid->len) > e)
-		assert(n < 256);
+			goto Overflow;
-		p[0] = n;
+		*p++ = n;
-		memmove(p+1, m->u.clientHello.sid->data, n);
+		memmove(p, m->u.clientHello.sid->data, n);
-		p += n+1;
+		p += n;
-		n = m->u.clientHello.ciphers->len;
+		if(p+2+(n = m->u.clientHello.ciphers->len) > e)
-		assert(n > 0 && n < 200);
+			goto Overflow;
-		put16(p, n*2);
+		put16(p, n*2), p += 2;
-		p += 2;
-		for(i=0; i<n; i++) {
+		for(i=0; i<n; i++)
-			put16(p, m->u.clientHello.ciphers->data[i]);
+			put16(p, m->u.clientHello.ciphers->data[i]), p += 2;
+		if(p+1+(n = m->u.clientHello.compressors->len) > e)
+			goto Overflow;
-			p += 2;
+		*p++ = n;
+		memmove(p, m->u.clientHello.compressors->data, n);
-		}
+		p += n;
+		if(m->u.clientHello.extensions == nil
-		n = m->u.clientHello.compressors->len;
+		|| (n = m->u.clientHello.extensions->len) == 0)
+			break;
-		assert(n > 0);
+		if(p+2+n > e)
+			goto Overflow;
-		p[0] = n;
+		put16(p, n), p += 2;
-		memmove(p+1, m->u.clientHello.compressors->data, n);
+		memmove(p, m->u.clientHello.extensions->data, n);
-		p += n+1;
+		p += n;
 		break;
 	case HServerHello:
-		put16(p, m->u.serverHello.version);
+		if(p+2+RandomSize > e)
-		p += 2;
+			goto Overflow;
-		// random
+		put16(p, m->u.serverHello.version), p += 2;
 		memmove(p, m->u.serverHello.random, RandomSize);
 		p += RandomSize;
-		// sid
-		n = m->u.serverHello.sid->len;
+		if(p+1+(n = m->u.serverHello.sid->len) > e)
-		assert(n < 256);
+			goto Overflow;
-		p[0] = n;
+		*p++ = n;
-		memmove(p+1, m->u.serverHello.sid->data, n);
+		memmove(p, m->u.serverHello.sid->data, n);
-		p += n+1;
+		p += n;
+		if(p+2+1 > e)
+			goto Overflow;
-		put16(p, m->u.serverHello.cipher);
+		put16(p, m->u.serverHello.cipher), p += 2;
+		*p++ = m->u.serverHello.compressor;
+		if(m->u.serverHello.extensions == nil
+		|| (n = m->u.serverHello.extensions->len) == 0)
-		p += 2;
+			break;
+		if(p+2+n > e)
+			goto Overflow;
+		put16(p, n), p += 2;
-		p[0] = m->u.serverHello.compressor;
+		memmove(p, m->u.serverHello.extensions->data, n);
-		p += 1;
+		p += n;
 		break;
 	case HServerHelloDone:
 		break;
 	case HCertificate:
-		nn = 0;
+		n = 0;
 		for(i = 0; i < m->u.certificate.ncert; i++)
-			nn += 3 + m->u.certificate.certs[i]->len;
+			n += 3 + m->u.certificate.certs[i]->len;
-		if(p + 3 + nn - sendbuf > sizeof(sendbuf)) {
+		if(p+3+n > e)
-			tlsError(c, EInternalError, "output buffer too small for certificate");
-			goto Err;
+			goto Overflow;
-		}
-		put24(p, nn);
+		put24(p, n), p += 3;
-		p += 3;
 		for(i = 0; i < m->u.certificate.ncert; i++){
-			put24(p, m->u.certificate.certs[i]->len);
+			n = m->u.certificate.certs[i]->len;
+			put24(p, n), p += 3;
+			memmove(p, m->u.certificate.certs[i]->data, n);
-			p += 3;
+			p += n;
+		}
+		break;
+	case HCertificateVerify:
+		if(p+2+2+(n = m->u.certificateVerify.signature->len) > e)
+			goto Overflow;
+		if(m->u.certificateVerify.sigalg != 0)
+			put16(p, m->u.certificateVerify.sigalg), p += 2;
+		put16(p, n), p += 2;
-			memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len);
+		memmove(p, m->u.certificateVerify.signature->data, n);
+		p += n;
+		break;
+	case HServerKeyExchange:
+		if(m->u.serverKeyExchange.pskid != nil){
-			p += m->u.certificate.certs[i]->len;
+			if(p+2+(n = m->u.serverKeyExchange.pskid->len) > e)
+				goto Overflow;
+			put16(p, n), p += 2;
+			memmove(p, m->u.serverKeyExchange.pskid->data, n);
+			p += n;
 		}
+		if(m->u.serverKeyExchange.dh_parameters == nil)
+			break;
+		if(p+(n = m->u.serverKeyExchange.dh_parameters->len) > e)
+			goto Overflow;
+		memmove(p, m->u.serverKeyExchange.dh_parameters->data, n);
+		p += n;
+		if(m->u.serverKeyExchange.dh_signature == nil)
+			break;
+		if(p+2+2+(n = m->u.serverKeyExchange.dh_signature->len) > e)
+			goto Overflow;
+		if(c->version >= TLS12Version)
+			put16(p, m->u.serverKeyExchange.sigalg), p += 2;
+		put16(p, n), p += 2;
+		memmove(p, m->u.serverKeyExchange.dh_signature->data, n);
+		p += n;
 		break;
 	case HClientKeyExchange:
-		n = m->u.clientKeyExchange.key->len;
+		if(m->u.clientKeyExchange.pskid != nil){
-		if(c->version != SSL3Version){
+			if(p+2+(n = m->u.clientKeyExchange.pskid->len) > e)
+				goto Overflow;
-			put16(p, n);
+			put16(p, n), p += 2;
+			memmove(p, m->u.clientKeyExchange.pskid->data, n);
-			p += 2;
+			p += n;
+		}
+		if(m->u.clientKeyExchange.key == nil)
+			break;
+		if(p+2+(n = m->u.clientKeyExchange.key->len) > e)
+			goto Overflow;
+		if(isECDHE(c->cipher))
+			*p++ = n;
+		else if(isDHE(c->cipher) || c->version != SSL3Version)
+			put16(p, n), p += 2;
 		memmove(p, m->u.clientKeyExchange.key->data, n);
 		p += n;
 		break;
 	case HFinished:
+		if(p+m->u.finished.n > e)
+			goto Overflow;
 		memmove(p, m->u.finished.verify, m->u.finished.n);
 		p += m->u.finished.n;
 		break;
+	}
 	// go back and fill in size
-	n = p-sendp;
+	n = p - c->sendp;
-	assert(p <= sendbuf+sizeof(sendbuf));
-	put24(sendp+1, n-4);
+	put24(c->sendp+1, n-4);
 	// remember hash of Handshake messages
-	if(m->tag != HHelloRequest) {
+	if(m->tag != HHelloRequest)
-		md5(sendp, n, 0, &c->hsmd5);
+		msgHash(c, c->sendp, n);
-		sha1(sendp, n, 0, &c->hssha1);
-	}
-	sendp = p;
+	c->sendp = p;
 	if(act == AFlush){
-		sendp = sendbuf;
+		c->sendp = c->buf;
-		if(write(c->hand, sendbuf, p-sendbuf) < 0){
+		if(write(c->hand, c->buf, p - c->buf) < 0){
 			fprint(2, "write error: %r\n");
 			goto Err;
 		}
+	}
 	msgClear(m);
 	return 1;
+Overflow:
+	tlsError(c, EInternalError, "not enougth send buffer for message (%d)", m->tag);
 Err:
 	msgClear(m);
 	return 0;
 }
 static uchar*
 tlsReadN(TlsConnection *c, int n)
 {
-	uchar *p;
+	uchar *p, *w, *e;
-	int nn, nr;
-	nn = c->ep - c->rp;
+	e = &c->buf[sizeof(c->buf)];
-	if(nn < n){
+	p = e - n;
-		if(c->rp != c->buf){
-			memmove(c->buf, c->rp, nn);
+	if(n > sizeof(c->buf) || p < c->sendp){
-			c->rp = c->buf;
-			c->ep = &c->buf[nn];
-		}
-		for(; nn < n; nn += nr) {
-			nr = read(c->hand, &c->rp[nn], n - nn);
+		tlsError(c, EDecodeError, "handshake message too long %d", n);
-			if(nr <= 0)
-				return nil;
+		return nil;
-			c->ep += nr;
-		}
+	}
-	p = c->rp;
+	for(w = p; w < e; w += n)
+		if((n = read(c->hand, w, e - w)) <= 0)
-	c->rp += n;
+			return nil;
 	return p;
+}
 static int
 msgRecv(TlsConnection *c, Msg *m)
+{
-	uchar *p;
+	uchar *p, *s;
-	int type, n, nn, i, nsid, nrandom, nciph;
+	int type, n, nn, i;
+	msgClear(m);
 	for(;;) {
 		p = tlsReadN(c, 4);
 		if(p == nil)
 			return 0;
 		type = p[0];
 		n = get24(p+1);
 		if(type != HHelloRequest)
 			break;
 		if(n != 0) {
 			tlsError(c, EDecodeError, "invalid hello request during handshake");
 			return 0;
+		}
-	}
-	if(n > sizeof(c->buf)) {
-		tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->buf));
-		return 0;
+	}
 	if(type == HSSL2ClientHello){
 		/* Cope with an SSL3 ClientHello expressed in SSL2 record format.
 			This is sent by some clients that we must interoperate
 			with, such as Java's JSSE and Microsoft's Internet Explorer. */
+		int nsid, nrandom, nciph;
 		p = tlsReadN(c, n);
 		if(p == nil)
 			return 0;
-		md5(p, n, 0, &c->hsmd5);
+		msgHash(c, p, n);
-		sha1(p, n, 0, &c->hssha1);
 		m->tag = HClientHello;
 		if(n < 22)
 			goto Short;
 		m->u.clientHello.version = get16(p+1);
 		p += 3;
 		n -= 3;
 		nn = get16(p); /* cipher_spec_len */
 		nsid = get16(p + 2);
 		nrandom = get16(p + 4);
 		p += 6;
 		n -= 6;
 		if(nsid != 0 	/* no sid's, since shouldn't restart using ssl2 header */
-				|| nrandom < 16 || nn % 3)
+		|| nrandom < 16 || nn % 3 || n - nrandom < nn)
 			goto Err;
-		if(c->trace && (n - nrandom != nn))
-			c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn);
 		/* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */
 		nciph = 0;
 		for(i = 0; i < nn; i += 3)
 			if(p[i] == 0)
 				nciph++;
 		memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom);
 		m->u.clientHello.compressors = newbytes(1);
 		m->u.clientHello.compressors->data[0] = CompressionNull;
 		goto Ok;
+	}
-	md5(p, 4, 0, &c->hsmd5);
+	msgHash(c, p, 4);
-	sha1(p, 4, 0, &c->hssha1);
 	p = tlsReadN(c, n);
 	if(p == nil)
 		return 0;
-	md5(p, n, 0, &c->hsmd5);
+	msgHash(c, p, n);
-	sha1(p, n, 0, &c->hssha1);
 	m->tag = type;
 	switch(type) {
 	default:
 		tlsError(c, EUnexpectedMessage, "can't decode a %d", type);
 		goto Err;
 	case HClientHello:
 		if(n < 2)
 			goto Short;
 		m->u.clientHello.version = get16(p);
-		p += 2;
-		n -= 2;
+		p += 2, n -= 2;
 		if(n < RandomSize)
 			goto Short;
 		memmove(m->u.clientHello.random, p, RandomSize);
-		p += RandomSize;
-		n -= RandomSize;
+		p += RandomSize, n -= RandomSize;
 		if(n < 1 || n < p[0]+1)
 			goto Short;
 		m->u.clientHello.sid = makebytes(p+1, p[0]);
 		p += m->u.clientHello.sid->len+1;
 		n -= m->u.clientHello.sid->len+1;
 		if(n < 2)
 			goto Short;
 		nn = get16(p);
-		p += 2;
-		n -= 2;
+		p += 2, n -= 2;
 		if((nn & 1) || n < nn || nn < 2)
 			goto Short;
 		m->u.clientHello.ciphers = newints(nn >> 1);
 		for(i = 0; i < nn; i += 2)
 			m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
-		p += nn;
-		n -= nn;
+		p += nn, n -= nn;
 		if(n < 1 || n < p[0]+1 || p[0] == 0)
 			goto Short;
 		nn = p[0];
-		m->u.clientHello.compressors = newbytes(nn);
+		m->u.clientHello.compressors = makebytes(p+1, nn);
+		p += nn + 1, n -= nn + 1;
+		if(n < 2)
+			break;
+		nn = get16(p);
+		if(nn > n-2)
+			goto Short;
-		memmove(m->u.clientHello.compressors->data, p+1, nn);
+		m->u.clientHello.extensions = makebytes(p+2, nn);
-		n -= nn + 1;
+		n -= nn + 2;
 		break;
 	case HServerHello:
 		if(n < 2)
 			goto Short;
 		m->u.serverHello.version = get16(p);
-		p += 2;
-		n -= 2;
+		p += 2, n -= 2;
 		if(n < RandomSize)
 			goto Short;
 		memmove(m->u.serverHello.random, p, RandomSize);
-		p += RandomSize;
-		n -= RandomSize;
+		p += RandomSize, n -= RandomSize;
 		if(n < 1 || n < p[0]+1)
 			goto Short;
 		m->u.serverHello.sid = makebytes(p+1, p[0]);
 		p += m->u.serverHello.sid->len+1;
 		n -= m->u.serverHello.sid->len+1;
 		if(n < 3)
 			goto Short;
 		m->u.serverHello.cipher = get16(p);
 		m->u.serverHello.compressor = p[2];
+		p += 3, n -= 3;
+		if(n < 2)
+			break;
+		nn = get16(p);
+		if(nn > n-2)
+			goto Short;
+		m->u.serverHello.extensions = makebytes(p+2, nn);
-		n -= 3;
+		n -= nn + 2;
 		break;
 	case HCertificate:
 		if(n < 3)
 			goto Short;
 		nn = get24(p);
-		p += 3;
-		n -= 3;
+		p += 3, n -= 3;
-		if(n != nn)
+		if(nn == 0 && n > 0)
 			goto Short;
 		/* certs */
 		i = 0;
 		while(n > 0) {
 			if(n < 3)
 				goto Short;
 			nn = get24(p);
-			p += 3;
-			n -= 3;
+			p += 3, n -= 3;
 			if(nn > n)
 				goto Short;
 			m->u.certificate.ncert = i+1;
-			m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes));
+			m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes*));
 			m->u.certificate.certs[i] = makebytes(p, nn);
-			p += nn;
-			n -= nn;
+			p += nn, n -= nn;
 			i++;
 		}
 		break;
 	case HCertificateRequest:
 		if(n < 1)
 			goto Short;
 		nn = p[0];
-		p += 1;
+		p++, n--;
-		n -= 1;
-		if(nn < 1 || nn > n)
+		if(nn > n)
 			goto Short;
 		m->u.certificateRequest.types = makebytes(p, nn);
-		p += nn;
+		p += nn, n -= nn;
+		if(c->version >= TLS12Version){
+			if(n < 2)
+				goto Short;
+			nn = get16(p);
+			p += 2, n -= 2;
+			if(nn & 1)
+				goto Short;
+			m->u.certificateRequest.sigalgs = newints(nn>>1);
+			for(i = 0; i < nn; i += 2)
+				m->u.certificateRequest.sigalgs->data[i >> 1] = get16(&p[i]);
-		n -= nn;
+			p += nn, n -= nn;
+		}
 		if(n < 2)
 			goto Short;
 		nn = get16(p);
-		p += 2;
-		n -= 2;
+		p += 2, n -= 2;
 		/* nn == 0 can happen; yahoo's servers do it */
 		if(nn != n)
 			goto Short;
 		/* cas */
 		i = 0;
 		while(n > 0) {
 			if(n < 2)
 				goto Short;
 			nn = get16(p);
-			p += 2;
-			n -= 2;
+			p += 2, n -= 2;
 			if(nn < 1 || nn > n)
 				goto Short;
 			m->u.certificateRequest.nca = i+1;
 			m->u.certificateRequest.cas = erealloc(
-				m->u.certificateRequest.cas, (i+1)*sizeof(Bytes));
+				m->u.certificateRequest.cas, (i+1)*sizeof(Bytes*));
 			m->u.certificateRequest.cas[i] = makebytes(p, nn);
-			p += nn;
-			n -= nn;
+			p += nn, n -= nn;
 			i++;
 		}
 		break;
 	case HServerHelloDone:
 		break;
+	case HServerKeyExchange:
+		if(isPSK(c->cipher)){
+			if(n < 2)
+				goto Short;
+			nn = get16(p);
+			p += 2, n -= 2;
+			if(nn > n)
+				goto Short;
+			m->u.serverKeyExchange.pskid = makebytes(p, nn);
+			p += nn, n -= nn;
+			if(n == 0)
+				break;
+		}
+		if(n < 2)
+			goto Short;
+		s = p;
+		if(isECDHE(c->cipher)){
+			nn = *p;
+			p++, n--;
+			if(nn != 3 || nn > n) /* not a named curve */
+				goto Short;
+			nn = get16(p);
+			p += 2, n -= 2;
+			m->u.serverKeyExchange.curve = nn;
+			nn = *p++, n--;
+			if(nn < 1 || nn > n)
+				goto Short;
+			m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
+			p += nn, n -= nn;
+		}else if(isDHE(c->cipher)){
+			nn = get16(p);
+			p += 2, n -= 2;
+			if(nn < 1 || nn > n)
+				goto Short;
+			m->u.serverKeyExchange.dh_p = makebytes(p, nn);
+			p += nn, n -= nn;
+			if(n < 2)
+				goto Short;
+			nn = get16(p);
+			p += 2, n -= 2;
+			if(nn < 1 || nn > n)
+				goto Short;
+			m->u.serverKeyExchange.dh_g = makebytes(p, nn);
+			p += nn, n -= nn;
+			if(n < 2)
+				goto Short;
+			nn = get16(p);
+			p += 2, n -= 2;
+			if(nn < 1 || nn > n)
+				goto Short;
+			m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
+			p += nn, n -= nn;
+		} else {
+			/* should not happen */
+			goto Short;
+		}
+		m->u.serverKeyExchange.dh_parameters = makebytes(s, p - s);
+		if(n >= 2){
+			m->u.serverKeyExchange.sigalg = 0;
+			if(c->version >= TLS12Version){
+				m->u.serverKeyExchange.sigalg = get16(p);
+				p += 2, n -= 2;
+				if(n < 2)
+					goto Short;
+			}
+			nn = get16(p);
+			p += 2, n -= 2;
+			if(nn > 0 && nn <= n){
+				m->u.serverKeyExchange.dh_signature = makebytes(p, nn);
+				n -= nn;
+			}
+		}
+		break;
 	case HClientKeyExchange:
-		/*
-		 * this message depends upon the encryption selected
-		 * assume rsa.
-		 */
-		if(c->version == SSL3Version)
+		if(isPSK(c->cipher)){
-			nn = n;
-		else{
 			if(n < 2)
 				goto Short;
 			nn = get16(p);
-			p += 2;
+			p += 2, n -= 2;
+			if(nn > n)
+				goto Short;
+			m->u.clientKeyExchange.pskid = makebytes(p, nn);
+			p += nn, n -= nn;
-			n -= 2;
+			if(n == 0)
+				break;
+		}
+		if(n < 2)
+			goto Short;
+		if(isECDHE(c->cipher))
+			nn = *p++, n--;
+		else if(isDHE(c->cipher) || c->version != SSL3Version)
+			nn = get16(p), p += 2, n -= 2;
+		else
+			nn = n;
 		if(n < nn)
 			goto Short;
 		m->u.clientKeyExchange.key = makebytes(p, nn);
 		n -= nn;
 		break;
 		memmove(m->u.finished.verify, p, m->u.finished.n);
 		n -= m->u.finished.n;
 		break;
+	}
-	if(type != HClientHello && n != 0)
+	if(n != 0 && type != HClientHello && type != HServerHello)
 		goto Short;
 Ok:
-	if(c->trace){
+	if(c->trace)
-		char *buf;
-		buf = emalloc(8000);
-		c->trace("recv %s", msgPrint(buf, 8000, m));
+		c->trace("recv %s", msgPrint((char*)c->sendp, &c->buf[sizeof(c->buf)] - c->sendp, m));
-		free(buf);
-	}
 	return 1;
 Short:
-	tlsError(c, EDecodeError, "handshake message has invalid length");
+	tlsError(c, EDecodeError, "handshake message (%d) has invalid length", type);
 Err:
 	msgClear(m);
 	return 0;
+}
 static void
 msgClear(Msg *m)
+{
 	int i;
 	switch(m->tag) {
-	default:
-		sysfatal("msgClear: unknown message type: %d", m->tag);
 	case HHelloRequest:
 		break;
 	case HClientHello:
 		freebytes(m->u.clientHello.sid);
 		freeints(m->u.clientHello.ciphers);
 		freebytes(m->u.clientHello.compressors);
+		freebytes(m->u.clientHello.extensions);
 		break;
 	case HServerHello:
-		freebytes(m->u.clientHello.sid);
+		freebytes(m->u.serverHello.sid);
+		freebytes(m->u.serverHello.extensions);
 		break;
 	case HCertificate:
 		for(i=0; i<m->u.certificate.ncert; i++)
 			freebytes(m->u.certificate.certs[i]);
 		free(m->u.certificate.certs);
 		break;
 	case HCertificateRequest:
 		freebytes(m->u.certificateRequest.types);
+		freeints(m->u.certificateRequest.sigalgs);
 		for(i=0; i<m->u.certificateRequest.nca; i++)
 			freebytes(m->u.certificateRequest.cas[i]);
 		free(m->u.certificateRequest.cas);
+		break;
+	case HCertificateVerify:
+		freebytes(m->u.certificateVerify.signature);
 		break;
 	case HServerHelloDone:
+		break;
+	case HServerKeyExchange:
+		freebytes(m->u.serverKeyExchange.pskid);
+		freebytes(m->u.serverKeyExchange.dh_p);
+		freebytes(m->u.serverKeyExchange.dh_g);
+		freebytes(m->u.serverKeyExchange.dh_Ys);
+		freebytes(m->u.serverKeyExchange.dh_parameters);
+		freebytes(m->u.serverKeyExchange.dh_signature);
 		break;
 	case HClientKeyExchange:
+		freebytes(m->u.clientKeyExchange.pskid);
 		freebytes(m->u.clientKeyExchange.key);
 		break;
 	case HFinished:
 		break;
 	}
 	memset(m, 0, sizeof(Msg));
 }
 static char *
 bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1)
+{
 	int i;
 	if(s0)
 		bs = seprint(bs, be, "%s", s0);
-	bs = seprint(bs, be, "[");
 	if(b == nil)
 		bs = seprint(bs, be, "nil");
-	else
+	else {
+		bs = seprint(bs, be, "<%d> [ ", b->len);
 		for(i=0; i<b->len; i++)
 			bs = seprint(bs, be, "%.2x ", b->data[i]);
-	bs = seprint(bs, be, "]");
+		bs = seprint(bs, be, "]");
+	}
 	if(s1)
 		bs = seprint(bs, be, "%s", s1);
 	return bs;
+}
 static char *
 intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1)
 {
 	int i;
 	if(s0)
 		bs = seprint(bs, be, "%s", s0);
-	bs = seprint(bs, be, "[");
 	if(b == nil)
 		bs = seprint(bs, be, "nil");
-	else
+	else {
+		bs = seprint(bs, be, "[ ");
 		for(i=0; i<b->len; i++)
 			bs = seprint(bs, be, "%x ", b->data[i]);
-	bs = seprint(bs, be, "]");
+		bs = seprint(bs, be, "]");
+	}
 	if(s1)
 		bs = seprint(bs, be, "%s", s1);
 	return bs;
+}
 		bs = seprint(bs, be, "unknown %d\n", m->tag);
 		break;
 	case HClientHello:
 		bs = seprint(bs, be, "ClientHello\n");
 		bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version);
 		bs = seprint(bs, be, "\trandom: ");
 		for(i=0; i<RandomSize; i++)
 			bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]);
 		bs = seprint(bs, be, "\n");
 		bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
 		bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
 		bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
+		if(m->u.clientHello.extensions != nil)
+			bs = bytesPrint(bs, be, "\textensions: ", m->u.clientHello.extensions, "\n");
 		break;
 	case HServerHello:
 		bs = seprint(bs, be, "ServerHello\n");
 		bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version);
 		bs = seprint(bs, be, "\trandom: ");
 			bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]);
 		bs = seprint(bs, be, "\n");
 		bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
 		bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
 		bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
+		if(m->u.serverHello.extensions != nil)
+			bs = bytesPrint(bs, be, "\textensions: ", m->u.serverHello.extensions, "\n");
 		break;
 	case HCertificate:
 		bs = seprint(bs, be, "Certificate\n");
 		for(i=0; i<m->u.certificate.ncert; i++)
 			bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n");
 		break;
 	case HCertificateRequest:
 		bs = seprint(bs, be, "CertificateRequest\n");
 		bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
+		if(m->u.certificateRequest.sigalgs != nil)
+			bs = intsPrint(bs, be, "\tsigalgs: ", m->u.certificateRequest.sigalgs, "\n");
 		bs = seprint(bs, be, "\tcertificateauthorities\n");
 		for(i=0; i<m->u.certificateRequest.nca; i++)
 			bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
 		break;
+	case HCertificateVerify:
+		bs = seprint(bs, be, "HCertificateVerify\n");
+		if(m->u.certificateVerify.sigalg != 0)
+			bs = seprint(bs, be, "\tsigalg: %.4x\n", m->u.certificateVerify.sigalg);
+		bs = bytesPrint(bs, be, "\tsignature: ", m->u.certificateVerify.signature,"\n");
+		break;
 	case HServerHelloDone:
 		bs = seprint(bs, be, "ServerHelloDone\n");
+		break;
+	case HServerKeyExchange:
+		bs = seprint(bs, be, "HServerKeyExchange\n");
+		if(m->u.serverKeyExchange.pskid != nil)
+			bs = bytesPrint(bs, be, "\tpskid: ", m->u.serverKeyExchange.pskid, "\n");
+		if(m->u.serverKeyExchange.dh_parameters == nil)
+			break;
+		if(m->u.serverKeyExchange.curve != 0){
+			bs = seprint(bs, be, "\tcurve: %.4x\n", m->u.serverKeyExchange.curve);
+		} else {
+			bs = bytesPrint(bs, be, "\tdh_p: ", m->u.serverKeyExchange.dh_p, "\n");
+			bs = bytesPrint(bs, be, "\tdh_g: ", m->u.serverKeyExchange.dh_g, "\n");
+		}
+		bs = bytesPrint(bs, be, "\tdh_Ys: ", m->u.serverKeyExchange.dh_Ys, "\n");
+		if(m->u.serverKeyExchange.sigalg != 0)
+			bs = seprint(bs, be, "\tsigalg: %.4x\n", m->u.serverKeyExchange.sigalg);
+		bs = bytesPrint(bs, be, "\tdh_parameters: ", m->u.serverKeyExchange.dh_parameters, "\n");
+		bs = bytesPrint(bs, be, "\tdh_signature: ", m->u.serverKeyExchange.dh_signature, "\n");
 		break;
 	case HClientKeyExchange:
 		bs = seprint(bs, be, "HClientKeyExchange\n");
+		if(m->u.clientKeyExchange.pskid != nil)
+			bs = bytesPrint(bs, be, "\tpskid: ", m->u.clientKeyExchange.pskid, "\n");
+		if(m->u.clientKeyExchange.key != nil)
-		bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
+			bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
 		break;
 	case HFinished:
 		bs = seprint(bs, be, "HFinished\n");
 		for(i=0; i<m->u.finished.n; i++)
 			bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]);
 	va_start(arg, fmt);
 	vseprint(msg, msg+sizeof(msg), fmt, arg);
 	va_end(arg);
 	if(c->trace)
 		c->trace("tlsError: %s\n", msg);
-	else if(c->erred)
+	if(c->erred)
 		fprint(2, "double error: %r, %s", msg);
 	else
-		werrstr("tls: local %s", msg);
+		errstr(msg, sizeof(msg));
 	c->erred = 1;
 	fprint(c->ctl, "alert %d", err);
+}
 // commit to specific version number
 static int
 setVersion(TlsConnection *c, int version)
+{
-	if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
+	if(version > MaxProtoVersion || version < MinProtoVersion)
 		return -1;
 	if(version > c->version)
 		version = c->version;
 	if(version == SSL3Version) {
 		c->version = version;
 		c->finished.n = SSL3FinishedLen;
-	}else if(version == TLSVersion){
+	}else {
 		c->version = version;
 		c->finished.n = TLSFinishedLen;
-	}else
+	}
-		return -1;
-	c->verset = 1;
 	return fprint(c->ctl, "version 0x%x", version);
+}
 // confirm that received Finished message matches the expected value
 static int
 finishedMatch(TlsConnection *c, Finished *f)
 {
-	return memcmp(f->verify, c->finished.verify, f->n) == 0;
+	return tsmemcmp(f->verify, c->finished.verify, f->n) == 0;
+}
 // free memory associated with TlsConnection struct
 //		(but don't close the TLS channel itself)
 static void
 tlsConnectionFree(TlsConnection *c)
 {
+	if(c == nil)
+		return;
+	dh_finish(&c->sec->dh, nil);
+	mpfree(c->sec->ec.Q.x);
-	tlsSecClose(c->sec);
+	mpfree(c->sec->ec.Q.y);
-	freebytes(c->sid);
+	mpfree(c->sec->ec.Q.d);
+	ecdomfree(&c->sec->ec.dom);
+	factotum_rsa_close(c->sec->rpc);
+	rsapubfree(c->sec->rsapub);
 	freebytes(c->cert);
-	memset(c, 0, sizeof(c));
+	memset(c, 0, sizeof(*c));
 	free(c);
 }
 //================= cipher choices ========================
+static int
+isDHE(int tlsid)
+{
+	switch(tlsid){
+	case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
+	case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
+ 	case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
+ 	case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
+ 	case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
+	case TLS_DHE_RSA_WITH_CHACHA20_POLY1305:
+	case GOOGLE_DHE_RSA_WITH_CHACHA20_POLY1305:
+		return 1;
+	}
+	return 0;
+}
+static int
+isECDHE(int tlsid)
+{
+	switch(tlsid){
+	case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
+	case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
+	case GOOGLE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
+	case GOOGLE_ECDHE_RSA_WITH_CHACHA20_POLY1305:
+	case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
+	case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
+	case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
+	case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+	case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
+	case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+		return 1;
+	}
+	return 0;
+}
+static int
+isPSK(int tlsid)
+{
+	switch(tlsid){
+	case TLS_PSK_WITH_CHACHA20_POLY1305:
+	case TLS_PSK_WITH_AES_128_CBC_SHA256:
-static int weakCipher[CipherMax] =
+	case TLS_PSK_WITH_AES_128_CBC_SHA:
+		return 1;
+	}
+	return 0;
+}
+static int
+isECDSA(int tlsid)
+{
-,	/* TLS_NULL_WITH_NULL_NULL */
-,	/* TLS_RSA_WITH_NULL_MD5 */
-,	/* TLS_RSA_WITH_NULL_SHA */
+	switch(tlsid){
-,	/* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
-,	/* TLS_RSA_WITH_RC4_128_MD5 */
-,	/* TLS_RSA_WITH_RC4_128_SHA */
-,	/* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
-,	/* TLS_RSA_WITH_IDEA_CBC_SHA */
-,	/* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
-,	/* TLS_RSA_WITH_DES_CBC_SHA */
-,	/* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
-,	/* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
-,	/* TLS_DH_DSS_WITH_DES_CBC_SHA */
-,	/* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
-,	/* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
-,	/* TLS_DH_RSA_WITH_DES_CBC_SHA */
-,	/* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
-,	/* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
-,	/* TLS_DHE_DSS_WITH_DES_CBC_SHA */
+	case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
-,	/* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
+	case GOOGLE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
-,	/* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
-,	/* TLS_DHE_RSA_WITH_DES_CBC_SHA */
+	case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
-,	/* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
+	case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
-,	/* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
-,	/* TLS_DH_anon_WITH_RC4_128_MD5 */
+		return 1;
-,	/* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
+	}
-,	/* TLS_DH_anon_WITH_DES_CBC_SHA */
+	return 0;
-,	/* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
-};
+}
 static int
 setAlgs(TlsConnection *c, int a)
 {
 	int i;
 	for(i = 0; i < nelem(cipherAlgs); i++){
 		if(cipherAlgs[i].tlsid == a){
+			c->cipher = a;
 			c->enc = cipherAlgs[i].enc;
 			c->digest = cipherAlgs[i].digest;
 			c->nsecret = cipherAlgs[i].nsecret;
 			if(c->nsecret > MaxKeyData)
 				return 0;
 			return 1;
+		}
 	}
 	return 0;
 }
 static int
-okCipher(Ints *cv)
+okCipher(Ints *cv, int ispsk)
+{
-	int weak, i, j, c;
+	int i, c;
-	weak = 1;
-	for(i = 0; i < cv->len; i++) {
+	for(i = 0; i < nelem(cipherAlgs); i++) {
-		c = cv->data[i];
+		c = cipherAlgs[i].tlsid;
-		if(c >= CipherMax)
+		if(!cipherAlgs[i].ok || isECDSA(c) || isDHE(c) || isPSK(c) != ispsk)
-			weak = 0;
+			continue;
-		else
-			weak &= weakCipher[c];
+		if(lookupid(cv, c) >= 0)
-		for(j = 0; j < nelem(cipherAlgs); j++)
-			if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
-				return c;
+			return c;
+	}
-	if(weak)
-		return -2;
 	return -1;
+}
 static int
 okCompression(Bytes *cv)
 {
-	int i, j, c;
+	int i, c;
-	for(i = 0; i < cv->len; i++) {
+	for(i = 0; i < nelem(compressors); i++) {
-		c = cv->data[i];
+		c = compressors[i];
-		for(j = 0; j < nelem(compressors); j++) {
+		if(memchr(cv->data, c, cv->len) != nil)
-			if(compressors[j] == c)
-				return c;
+			return c;
-		}
 	}
 	return -1;
+}
 static Lock	ciphLock;
 static int	nciphers;
 static int
 initCiphers(void)
+{
 	enum {MaxAlgF = 1024, MaxAlgs = 10};
 	char s[MaxAlgF], *flds[MaxAlgs];
 	lock(&ciphLock);
 	if(nciphers){
 		unlock(&ciphLock);
 		return nciphers;
 	}
 	j = open("#a/tls/encalgs", OREAD);
 	if(j < 0){
 		werrstr("can't open #a/tls/encalgs: %r");
-		return 0;
+		goto out;
 	}
 	n = read(j, s, MaxAlgF-1);
 	close(j);
 	if(n <= 0){
 		werrstr("nothing in #a/tls/encalgs: %r");
-		return 0;
+		goto out;
 	}
 	s[n] = 0;
 	n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
 	for(i = 0; i < nelem(cipherAlgs); i++){
 		ok = 0;
 		for(j = 0; j < n; j++){
+	}
 	j = open("#a/tls/hashalgs", OREAD);
 	if(j < 0){
 		werrstr("can't open #a/tls/hashalgs: %r");
-		return 0;
+		goto out;
+	}
 	n = read(j, s, MaxAlgF-1);
 	close(j);
 	if(n <= 0){
 		werrstr("nothing in #a/tls/hashalgs: %r");
-		return 0;
+		goto out;
+	}
 	s[n] = 0;
 	n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
 	for(i = 0; i < nelem(cipherAlgs); i++){
 		ok = 0;
+		}
 		cipherAlgs[i].ok &= ok;
 		if(cipherAlgs[i].ok)
 			nciphers++;
+	}
+out:
 	unlock(&ciphLock);
 	return nciphers;
+}
 static Ints*
-makeciphers(void)
+makeciphers(int ispsk)
+{
 	Ints *is;
 	int i, j;
 	is = newints(nciphers);
 	j = 0;
-	for(i = 0; i < nelem(cipherAlgs); i++){
+	for(i = 0; i < nelem(cipherAlgs); i++)
-		if(cipherAlgs[i].ok)
+		if(cipherAlgs[i].ok && isPSK(cipherAlgs[i].tlsid) == ispsk)
 			is->data[j++] = cipherAlgs[i].tlsid;
-	}
+	is->len = j;
 	return is;
+}
 //================= security functions ========================
-// given X.509 certificate, set up connection to factotum
+// given a public key, set up connection to factotum
-//	for using corresponding private key
+// for using corresponding private key
 static AuthRpc*
-factotum_rsa_open(uchar *cert, int certlen)
+factotum_rsa_open(RSApub *rsapub)
+{
 	int afd;
 	char *s;
-	mpint *pub = nil;
+	mpint *n;
-	RSApub *rsapub;
 	AuthRpc *rpc;
 	// start talking to factotum
 	if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0)
 		return nil;
 	if((rpc = auth_allocrpc(afd)) == nil){
 		close(afd);
 		return nil;
+	}
 	s = "proto=rsa service=tls role=client";
-	if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){
+	if(auth_rpc(rpc, "start", s, strlen(s)) == ARok){
-		factotum_rsa_close(rpc);
-		return nil;
-	}
-	// roll factotum keyring around to match certificate
+		// roll factotum keyring around to match public key
-	rsapub = X509toRSApub(cert, certlen, nil, 0);
-	while(1){
+		n = mpnew(0);
-		if(auth_rpc(rpc, "read", nil, 0) != ARok){
+		while(auth_rpc(rpc, "read", nil, 0) == ARok){
+			if(strtomp(rpc->arg, nil, 16, n) != nil
-			factotum_rsa_close(rpc);
+			&& mpcmp(n, rsapub->n) == 0){
-			rpc = nil;
+				mpfree(n);
-			goto done;
+				return rpc;
+			}
+		}
-		pub = strtomp(rpc->arg, nil, 16, nil);
-		assert(pub != nil);
-		if(mpcmp(pub,rsapub->n) == 0)
-			break;
+		mpfree(n);
+	}
-done:
-	mpfree(pub);
-	rsapubfree(rsapub);
+	factotum_rsa_close(rpc);
-	return rpc;
+	return nil;
 }
 static mpint*
 factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher)
+{
 	char *p;
 	int rv;
+	if(cipher == nil)
+		return nil;
-	if((p = mptoa(cipher, 16, nil, 0)) == nil)
+	p = mptoa(cipher, 16, nil, 0);
+	mpfree(cipher);
+	if(p == nil)
 		return nil;
 	rv = auth_rpc(rpc, "write", p, strlen(p));
 	free(p);
 	if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
 		return nil;
-	mpfree(cipher);
 	return strtomp(rpc->arg, nil, 16, nil);
 }
 static void
-factotum_rsa_close(AuthRpc*rpc)
+factotum_rsa_close(AuthRpc *rpc)
+{
-	if(!rpc)
+	if(rpc == nil)
 		return;
 	close(rpc->afd);
 	auth_freerpc(rpc);
+}
 static void
 tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
+{
 	uchar ai[MD5dlen], tmp[MD5dlen];
 	int i, n;
 	while(nbuf > 0) {
 		s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil);
 		s = hmac_md5(label, nlabel, key, nkey, nil, s);
 		s = hmac_md5(seed0, nseed0, key, nkey, nil, s);
 		hmac_md5(seed1, nseed1, key, nkey, tmp, s);
 		n = MD5dlen;
 		if(n > nbuf)
 			n = nbuf;
 		for(i = 0; i < n; i++)
 			buf[i] ^= tmp[i];
 		buf += n;
 		nbuf -= n;
 	// generate a1
 	s = hmac_sha1(label, nlabel, key, nkey, nil, nil);
 	s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
 	hmac_sha1(seed1, nseed1, key, nkey, ai, s);
 	while(nbuf > 0) {
 		s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil);
 		s = hmac_sha1(label, nlabel, key, nkey, nil, s);
 		s = hmac_sha1(seed0, nseed0, key, nkey, nil, s);
 		hmac_sha1(seed1, nseed1, key, nkey, tmp, s);
 		buf += n;
 		nbuf -= n;
 		hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil);
 		memmove(ai, tmp, SHA1dlen);
+	}
-}
-// fill buf with md5(args)^sha1(args)
-static void
-tlsPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
-{
-	int i;
-	int nlabel = strlen(label);
-	int n = (nkey + 1) >> 1;
-	for(i = 0; i < nbuf; i++)
-		buf[i] = 0;
-	tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
-	tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
-}
-/*
- * for setting server session id's
- */
-static Lock	sidLock;
-static long	maxSid = 1;
-/* the keys are verified to have the same public components
- * and to function correctly with pkcs 1 encryption and decryption. */
-static TlsSec*
-tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
-{
-	TlsSec *sec = emalloc(sizeof(*sec));
-	USED(csid); USED(ncsid);  // ignore csid for now
-	memmove(sec->crandom, crandom, RandomSize);
-	sec->clientVers = cvers;
-	put32(sec->srandom, time(0));
-	genrandom(sec->srandom+4, RandomSize-4);
-	memmove(srandom, sec->srandom, RandomSize);
-	/*
-	 * make up a unique sid: use our pid, and and incrementing id
-	 * can signal no sid by setting nssid to 0.
-	 */
-	memset(ssid, 0, SidSize);
-	put32(ssid, getpid());
-	lock(&sidLock);
-	put32(ssid+4, maxSid++);
-	unlock(&sidLock);
-	*nssid = SidSize;
-	return sec;
-}
-static int
-tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd)
-{
-	if(epm != nil){
-		if(setVers(sec, vers) < 0)
-			goto Err;
-		serverMasterSecret(sec, epm, nepm);
-	}else if(sec->vers != vers){
-		werrstr("mismatched session versions");
-		goto Err;
-	}
-	setSecrets(sec, kd, nkd);
-	return 0;
-Err:
-	sec->ok = -1;
-	return -1;
-}
-static TlsSec*
-tlsSecInitc(int cvers, uchar *crandom)
-{
-	TlsSec *sec = emalloc(sizeof(*sec));
-	sec->clientVers = cvers;
-	put32(sec->crandom, time(0));
-	genrandom(sec->crandom+4, RandomSize-4);
-	memmove(crandom, sec->crandom, RandomSize);
-	return sec;
-}
-static int
-tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd)
-{
-	RSApub *pub;
-	pub = nil;
-	USED(sid);
-	USED(nsid);
-	memmove(sec->srandom, srandom, RandomSize);
-	if(setVers(sec, vers) < 0)
-		goto Err;
-	pub = X509toRSApub(cert, ncert, nil, 0);
-	if(pub == nil){
-		werrstr("invalid x509/rsa certificate");
-		goto Err;
-	}
-	if(clientMasterSecret(sec, pub, epm, nepm) < 0)
-		goto Err;
-	rsapubfree(pub);
-	setSecrets(sec, kd, nkd);
-	return 0;
-Err:
-	if(pub != nil)
-		rsapubfree(pub);
-	sec->ok = -1;
-	return -1;
-}
-static int
-tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient)
-{
-	if(sec->nfin != nfin){
-		sec->ok = -1;
-		werrstr("invalid finished exchange");
-		return -1;
-	}
-	md5.malloced = 0;
-	sha1.malloced = 0;
-	(*sec->setFinished)(sec, md5, sha1, fin, isclient);
-	return 1;
-}
-static void
-tlsSecOk(TlsSec *sec)
-{
-	if(sec->ok == 0)
-		sec->ok = 1;
-}
-static void
-tlsSecKill(TlsSec *sec)
-{
-	if(!sec)
-		return;
-	factotum_rsa_close(sec->rpc);
-	sec->ok = -1;
-}
-static void
-tlsSecClose(TlsSec *sec)
-{
-	if(!sec)
-		return;
-	factotum_rsa_close(sec->rpc);
-	free(sec->server);
-	free(sec);
-}
-static int
-setVers(TlsSec *sec, int v)
-{
-	if(v == SSL3Version){
-		sec->setFinished = sslSetFinished;
-		sec->nfin = SSL3FinishedLen;
-		sec->prf = sslPRF;
-	}else if(v == TLSVersion){
-		sec->setFinished = tlsSetFinished;
-		sec->nfin = TLSFinishedLen;
-		sec->prf = tlsPRF;
-	}else{
-		werrstr("invalid version");
-		return -1;
-	}
-	sec->vers = v;
-	return 0;
-}
-/*
- * generate secret keys from the master secret.
- *
- * different crypto selections will require different amounts
- * of key expansion and use of key expansion data,
- * but it's all generated using the same function.
- */
-static void
-setSecrets(TlsSec *sec, uchar *kd, int nkd)
-{
-	(*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
-			sec->srandom, RandomSize, sec->crandom, RandomSize);
-}
-/*
- * set the master secret from the pre-master secret.
- */
-static void
-setMasterSecret(TlsSec *sec, Bytes *pm)
-{
-	(*sec->prf)(sec->sec, MasterSecretSize, pm->data, MasterSecretSize, "master secret",
-			sec->crandom, RandomSize, sec->srandom, RandomSize);
-}
-static void
-serverMasterSecret(TlsSec *sec, uchar *epm, int nepm)
-{
-	Bytes *pm;
-	pm = pkcs1_decrypt(sec, epm, nepm);
-	// if the client messed up, just continue as if everything is ok,
-	// to prevent attacks to check for correctly formatted messages.
-	// Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
-	if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
-		fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
-			sec->ok, pm, pm ? get16(pm->data) : -1, sec->clientVers, nepm);
-		sec->ok = -1;
-		if(pm != nil)
-			freebytes(pm);
-		pm = newbytes(MasterSecretSize);
-		genrandom(pm->data, MasterSecretSize);
-	}
-	setMasterSecret(sec, pm);
-	memset(pm->data, 0, pm->len);
-	freebytes(pm);
-}
-static int
-clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm)
-{
-	Bytes *pm, *key;
-	pm = newbytes(MasterSecretSize);
-	put16(pm->data, sec->clientVers);
-	genrandom(pm->data+2, MasterSecretSize - 2);
-	setMasterSecret(sec, pm);
-	key = pkcs1_encrypt(pm, pub, 2);
-	memset(pm->data, 0, pm->len);
-	freebytes(pm);
-	if(key == nil){
-		werrstr("tls pkcs1_encrypt failed");
-		return -1;
-	}
-	*nepm = key->len;
-	*epm = malloc(*nepm);
-	if(*epm == nil){
-		freebytes(key);
-		werrstr("out of memory");
-		return -1;
-	}
-	memmove(*epm, key->data, *nepm);
-	freebytes(key);
-	return 1;
+}
 static void
-sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
+p_sha256(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed, int nseed)
+{
-	DigestState *s;
-	uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
+	uchar ai[SHA2_256dlen], tmp[SHA2_256dlen];
-	char *label;
+	SHAstate *s;
-	if(isClient)
-		label = "CLNT";
-	else
+	int n;
-		label = "SRVR";
-	md5((uchar*)label, 4, nil, &hsmd5);
-	md5(sec->sec, MasterSecretSize, nil, &hsmd5);
-	memset(pad, 0x36, 48);
-	md5(pad, 48, nil, &hsmd5);
-	md5(nil, 0, h0, &hsmd5);
-	memset(pad, 0x5C, 48);
+	// generate a1
-	s = md5(sec->sec, MasterSecretSize, nil, nil);
+	s = hmac_sha2_256(label, nlabel, key, nkey, nil, nil);
-	s = md5(pad, 48, nil, s);
-	md5(h0, MD5dlen, finished, s);
+	hmac_sha2_256(seed, nseed, key, nkey, ai, s);
+	while(nbuf > 0) {
+		s = hmac_sha2_256(ai, SHA2_256dlen, key, nkey, nil, nil);
-	sha1((uchar*)label, 4, nil, &hssha1);
+		s = hmac_sha2_256(label, nlabel, key, nkey, nil, s);
-	sha1(sec->sec, MasterSecretSize, nil, &hssha1);
+		hmac_sha2_256(seed, nseed, key, nkey, tmp, s);
-	memset(pad, 0x36, 40);
+		n = SHA2_256dlen;
-	sha1(pad, 40, nil, &hssha1);
+		if(n > nbuf)
-	sha1(nil, 0, h1, &hssha1);
+			n = nbuf;
-	memset(pad, 0x5C, 40);
+		memmove(buf, tmp, n);
+		buf += n;
+		nbuf -= n;
-	s = sha1(sec->sec, MasterSecretSize, nil, nil);
+		hmac_sha2_256(ai, SHA2_256dlen, key, nkey, tmp, nil);
-	s = sha1(pad, 40, nil, s);
+		memmove(ai, tmp, SHA2_256dlen);
-	sha1(h1, SHA1dlen, finished + MD5dlen, s);
+	}
+}
-// fill "finished" arg with md5(args)^sha1(args)
+// fill buf with md5(args)^sha1(args)
 static void
+tls10PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
+{
+	int nlabel = strlen(label);
+	int n = (nkey + 1) >> 1;
+	memset(buf, 0, nbuf);
+	tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
+	tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
+}
+static void
-tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
+tls12PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
+{
-	uchar h0[MD5dlen], h1[SHA1dlen];
+	uchar seed[2*RandomSize];
-	char *label;
-	// get current hash value, but allow further messages to be hashed in
-	md5(nil, 0, h0, &hsmd5);
-	sha1(nil, 0, h1, &hssha1);
-	if(isClient)
+	assert(nseed0+nseed1 <= sizeof(seed));
-		label = "client finished";
+	memmove(seed, seed0, nseed0);
-	else
-		label = "server finished";
+	memmove(seed+nseed0, seed1, nseed1);
-	tlsPRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
+	p_sha256(buf, nbuf, key, nkey, (uchar*)label, strlen(label), seed, nseed0+nseed1);
+}
 static void
 sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
+{
+	uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
 	DigestState *s;
-	uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
 	int i, n, len;
 	USED(label);
 	len = 1;
 	while(nbuf > 0){
 			n = nbuf;
 		memmove(buf, md5dig, n);
 		buf += n;
 		nbuf -= n;
 		len++;
-	if(ylen < modlen) {
+	if(sig == nil || sig->len <= 0){
-		a = newbytes(modlen);
+		if(sec->psklen > 0)
-		memset(a->data, 0, modlen-ylen);
-		memmove(a->data+modlen-ylen, ybytes->data, ylen);
-		freebytes(ybytes);
+			return nil;
-		ybytes = a;
+		return "no signature";
+	}
+	if(cert == nil)
+		return "no certificate";
+	digestlen = digestDHparams(sec, par, digest, sigalg);
+	if(digestlen <= 0)
+		return "unknown signature digest algorithm";
-	else if(ylen > modlen) {
+	switch(sigalg & 0xFF){
+	case 0x01:
-		// assume it has leading zeros (mod should make it so)
+		rsapk = X509toRSApub(cert->data, cert->len, nil, 0);
+		if(rsapk == nil)
+			return "bad certificate";
+		err = X509rsaverifydigest(sig->data, sig->len, digest, digestlen, rsapk);
-		a = newbytes(modlen);
+		rsapubfree(rsapk);
+		break;
+	case 0x03:
-		memmove(a->data, ybytes->data, modlen);
+		ecpk = X509toECpub(cert->data, cert->len, nil, 0, &dom);
+		if(ecpk == nil)
+			return "bad certificate";
+		err = X509ecdsaverifydigest(sig->data, sig->len, digest, digestlen, &dom, ecpk);
+		ecdomfree(&dom);
-		freebytes(ybytes);
+		ecpubfree(ecpk);
-		ybytes = a;
+		break;
+	default:
+		err = "signaure algorithm not RSA or ECDSA";
 	}
-	mpfree(y);
-	return ybytes;
+	return err;
+}
 // encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1
 static Bytes*
-pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype)
+pkcs1_encrypt(Bytes* data, RSApub* key)
+{
-	Bytes *pad, *eb, *ans;
+	mpint *x, *y;
-	int i, dlen, padlen, modlen;
-	modlen = (mpsignif(key->n)+7)/8;
+	x = pkcs1padbuf(data->data, data->len, key->n, 2);
-	dlen = data->len;
+	if(x == nil)
-	if(modlen < 12 || dlen > modlen - 11)
 		return nil;
-	padlen = modlen - 3 - dlen;
-	pad = newbytes(padlen);
-	genrandom(pad->data, padlen);
+	y = rsaencrypt(key, x, nil);
-	for(i = 0; i < padlen; i++) {
-		if(blocktype == 0)
-			pad->data[i] = 0;
-		else if(blocktype == 1)
-			pad->data[i] = 255;
-		else if(pad->data[i] == 0)
-			pad->data[i] = 1;
+	mpfree(x);
-	}
-	eb = newbytes(modlen);
+	data = newbytes((mpsignif(key->n)+7)/8);
-	eb->data[0] = 0;
-	eb->data[1] = blocktype;
-	memmove(eb->data+2, pad->data, padlen);
+	mptober(y, data->data, data->len);
-	eb->data[padlen+2] = 0;
-	memmove(eb->data+padlen+3, data->data, dlen);
-	ans = rsacomp(eb, key, modlen);
-	freebytes(eb);
+	mpfree(y);
-	freebytes(pad);
-	return ans;
+	return data;
 }
 // decrypt data according to PKCS#1, with given key.
-// expect a block type of 2.
 static Bytes*
-pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm)
+pkcs1_decrypt(TlsSec *sec, Bytes *data)
+{
+	mpint *y;
+	if(data->len != (mpsignif(sec->rsapub->n)+7)/8)
+		return nil;
+	y = factotum_rsa_decrypt(sec->rpc, bytestomp(data));
+	if(y == nil)
+		return nil;
+	data = mptobytes(y, (mpsignif(y)+7)/8);
+	mpfree(y);
+	if((data->len = pkcs1unpadbuf(data->data, data->len, sec->rsapub->n, 2)) < 0){
+		freebytes(data);
+		return nil;
+	}
+	return data;
+}
+static Bytes*
+pkcs1_sign(TlsSec *sec, uchar *digest, int digestlen, int sigalg)
+{
-	Bytes *eb, *ans = nil;
+	int hashalg = (sigalg>>8)&0xFF;
-	int i, modlen;
+	mpint *signedMP;
+	Bytes *signature;
-	mpint *x, *y;
+	uchar buf[128];
+	if(hashalg > 0 && hashalg < nelem(hashfun) && hashfun[hashalg].len == digestlen)
+		digestlen = asn1encodedigest(hashfun[hashalg].fun, digest, buf, sizeof(buf));
-	modlen = (mpsignif(sec->rsapub->n)+7)/8;
+	else if(digestlen == MD5dlen+SHA1dlen)
-	if(nepm != modlen)
+		memmove(buf, digest, digestlen);
+	else
-		return nil;
+		digestlen = -1;
-	x = betomp(epm, nepm, nil);
+	if(digestlen <= 0){
-	y = factotum_rsa_decrypt(sec->rpc, x);
+		werrstr("bad digest algorithm");
-	if(y == nil)
 		return nil;
-	eb = mptobytes(y);
-	if(eb->len < modlen){ // pad on left with zeros
-		ans = newbytes(modlen);
-		memset(ans->data, 0, modlen-eb->len);
-		memmove(ans->data+modlen-eb->len, eb->data, eb->len);
-		freebytes(eb);
-		eb = ans;
+	}
-	if(eb->data[0] == 0 && eb->data[1] == 2) {
+	signedMP = factotum_rsa_decrypt(sec->rpc, pkcs1padbuf(buf, digestlen, sec->rsapub->n, 1));
-		for(i = 2; i < modlen; i++)
-			if(eb->data[i] == 0)
+	if(signedMP == nil)
-				break;
+		return nil;
-		if(i < modlen - 1)
-			ans = makebytes(eb->data+i+1, modlen-(i+1));
+	signature = mptobytes(signedMP, (mpsignif(sec->rsapub->n)+7)/8);
-	}
-	freebytes(eb);
+	mpfree(signedMP);
-	return ans;
+	return signature;
+}
 //================= general utility functions ========================
+{
 	void *p;
 	if(n==0)
 		n=1;
 	p = malloc(n);
-	if(p == nil){
+	if(p == nil)
-		exits("out of memory");
+		sysfatal("out of memory");
-	}
 	memset(p, 0, n);
+	setmalloctag(p, getcallerpc(&n));
 	return p;
+}
 static void *
 erealloc(void *ReallocP, int ReallocN)
+{
 	if(ReallocN == 0)
 		ReallocN = 1;
-	if(!ReallocP)
+	if(ReallocP == nil)
 		ReallocP = emalloc(ReallocN);
-	else if(!(ReallocP = realloc(ReallocP, ReallocN))){
+	else if((ReallocP = realloc(ReallocP, ReallocN)) == nil)
-		exits("out of memory");
+		sysfatal("out of memory");
-	}
+	setrealloctag(ReallocP, getcallerpc(&ReallocP));
 	return(ReallocP);
+}
 static void
 put32(uchar *p, u32int x)
 static void
 put16(uchar *p, int x)
+{
 	p[0] = x>>8;
 	p[1] = x;
-}
-static u32int
-get32(uchar *p)
-{
-	return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
+}
 static int
 get24(uchar *p)
+{
 get16(uchar *p)
+{
 	return (p[0]<<8)|p[1];
+}
-#define OFFSET(x, s) offsetof(s, x)
-/*
- * malloc and return a new Bytes structure capable of
- * holding len bytes. (len >= 0)
- * Used to use crypt_malloc, which aborts if malloc fails.
- */
 static Bytes*
 newbytes(int len)
 {
 	Bytes* ans;
+	if(len < 0)
+		abort();
-	ans = (Bytes*)malloc(OFFSET(data[0], Bytes) + len);
+	ans = emalloc(sizeof(Bytes) + len);
 	ans->len = len;
 	return ans;
+}
 /*
  * newbytes(len), with data initialized from buf
+ */
+static Bytes*
+makebytes(uchar* buf, int len)
+{
+	Bytes* ans;
+	ans = newbytes(len);
+	memmove(ans->data, buf, len);
+	return ans;
+}
+static void
+freebytes(Bytes* b)
+{
+	free(b);
+}
+static mpint*
+bytestomp(Bytes* bytes)
+{
+	return betomp(bytes->data, bytes->len, nil);
+}
+/*
+ * Convert mpint* to Bytes, putting high order byte first.
  */
 static Bytes*
-makebytes(uchar* buf, int len)
+mptobytes(mpint *big, int len)
+{
 	Bytes* ans;
+	if(len == 0) len++;
 	ans = newbytes(len);
-	memmove(ans->data, buf, len);
+	mptober(big, ans->data, ans->len);
 	return ans;
-}
-static void
-freebytes(Bytes* b)
-{
-	if(b != nil)
-		free(b);
 }
 /* len is number of ints */
 static Ints*
 newints(int len)
 {
 	Ints* ans;
+	if(len < 0 || len > ((uint)-1>>1)/sizeof(int))
+		abort();
-	ans = (Ints*)malloc(OFFSET(data[0], Ints) + len*sizeof(int));
+	ans = emalloc(sizeof(Ints) + len*sizeof(int));
 	ans->len = len;
-	return ans;
-}
-static Ints*
-makeints(int* buf, int len)
-{
-	Ints* ans;
-	ans = newints(len);
-	if(len > 0)
-		memmove(ans->data, buf, len*sizeof(int));
 	return ans;
+}
 static void
 freeints(Ints* b)
+{
+	free(b);
+}
+static int
+lookupid(Ints* b, int id)
+{
+	int i;
+	for(i=0; i<b->len; i++)
-	if(b != nil)
+		if(b->data[i] == id)
-		free(b);
+			return i;
+	return -1;
+}

Subversion Repositories planix.SVN

(root)/os/trunk/sys/src/libsec/port/tlshand.c – Rev 2 → 33