iPXE
tls.c
Go to the documentation of this file.
00001 /*
00002  * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
00003  *
00004  * This program is free software; you can redistribute it and/or
00005  * modify it under the terms of the GNU General Public License as
00006  * published by the Free Software Foundation; either version 2 of the
00007  * License, or any later version.
00008  *
00009  * This program is distributed in the hope that it will be useful, but
00010  * WITHOUT ANY WARRANTY; without even the implied warranty of
00011  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00012  * General Public License for more details.
00013  *
00014  * You should have received a copy of the GNU General Public License
00015  * along with this program; if not, write to the Free Software
00016  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
00017  * 02110-1301, USA.
00018  */
00019 
00020 FILE_LICENCE ( GPL2_OR_LATER );
00021 
00022 /**
00023  * @file
00024  *
00025  * Transport Layer Security Protocol
00026  */
00027 
00028 #include <stdint.h>
00029 #include <stdlib.h>
00030 #include <stdarg.h>
00031 #include <string.h>
00032 #include <time.h>
00033 #include <errno.h>
00034 #include <byteswap.h>
00035 #include <ipxe/pending.h>
00036 #include <ipxe/hmac.h>
00037 #include <ipxe/md5.h>
00038 #include <ipxe/sha1.h>
00039 #include <ipxe/sha256.h>
00040 #include <ipxe/aes.h>
00041 #include <ipxe/rsa.h>
00042 #include <ipxe/iobuf.h>
00043 #include <ipxe/xfer.h>
00044 #include <ipxe/open.h>
00045 #include <ipxe/x509.h>
00046 #include <ipxe/privkey.h>
00047 #include <ipxe/certstore.h>
00048 #include <ipxe/rbg.h>
00049 #include <ipxe/validator.h>
00050 #include <ipxe/job.h>
00051 #include <ipxe/tls.h>
00052 
00053 /* Disambiguate the various error causes */
00054 #define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
00055 #define EINFO_EINVAL_CHANGE_CIPHER                                      \
00056         __einfo_uniqify ( EINFO_EINVAL, 0x01,                           \
00057                           "Invalid Change Cipher record" )
00058 #define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
00059 #define EINFO_EINVAL_ALERT                                              \
00060         __einfo_uniqify ( EINFO_EINVAL, 0x02,                           \
00061                           "Invalid Alert record" )
00062 #define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
00063 #define EINFO_EINVAL_HELLO                                              \
00064         __einfo_uniqify ( EINFO_EINVAL, 0x03,                           \
00065                           "Invalid Server Hello record" )
00066 #define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
00067 #define EINFO_EINVAL_CERTIFICATE                                        \
00068         __einfo_uniqify ( EINFO_EINVAL, 0x04,                           \
00069                           "Invalid Certificate" )
00070 #define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
00071 #define EINFO_EINVAL_CERTIFICATES                                       \
00072         __einfo_uniqify ( EINFO_EINVAL, 0x05,                           \
00073                           "Invalid Server Certificate record" )
00074 #define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
00075 #define EINFO_EINVAL_HELLO_DONE                                         \
00076         __einfo_uniqify ( EINFO_EINVAL, 0x06,                           \
00077                           "Invalid Server Hello Done record" )
00078 #define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
00079 #define EINFO_EINVAL_FINISHED                                           \
00080         __einfo_uniqify ( EINFO_EINVAL, 0x07,                           \
00081                           "Invalid Server Finished record" )
00082 #define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
00083 #define EINFO_EINVAL_HANDSHAKE                                          \
00084         __einfo_uniqify ( EINFO_EINVAL, 0x08,                           \
00085                           "Invalid Handshake record" )
00086 #define EINVAL_STREAM __einfo_error ( EINFO_EINVAL_STREAM )
00087 #define EINFO_EINVAL_STREAM                                             \
00088         __einfo_uniqify ( EINFO_EINVAL, 0x09,                           \
00089                           "Invalid stream-ciphered record" )
00090 #define EINVAL_BLOCK __einfo_error ( EINFO_EINVAL_BLOCK )
00091 #define EINFO_EINVAL_BLOCK                                              \
00092         __einfo_uniqify ( EINFO_EINVAL, 0x0a,                           \
00093                           "Invalid block-ciphered record" )
00094 #define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
00095 #define EINFO_EINVAL_PADDING                                            \
00096         __einfo_uniqify ( EINFO_EINVAL, 0x0b,                           \
00097                           "Invalid block padding" )
00098 #define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
00099 #define EINFO_EINVAL_RX_STATE                                           \
00100         __einfo_uniqify ( EINFO_EINVAL, 0x0c,                           \
00101                           "Invalid receive state" )
00102 #define EINVAL_MAC __einfo_error ( EINFO_EINVAL_MAC )
00103 #define EINFO_EINVAL_MAC                                                \
00104         __einfo_uniqify ( EINFO_EINVAL, 0x0d,                           \
00105                           "Invalid MAC" )
00106 #define EINVAL_TICKET __einfo_error ( EINFO_EINVAL_TICKET )
00107 #define EINFO_EINVAL_TICKET                                             \
00108         __einfo_uniqify ( EINFO_EINVAL, 0x0e,                           \
00109                           "Invalid New Session Ticket record")
00110 #define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
00111 #define EINFO_EIO_ALERT                                                 \
00112         __einfo_uniqify ( EINFO_EIO, 0x01,                              \
00113                           "Unknown alert level" )
00114 #define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
00115 #define EINFO_ENOMEM_CONTEXT                                            \
00116         __einfo_uniqify ( EINFO_ENOMEM, 0x01,                           \
00117                           "Not enough space for crypto context" )
00118 #define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
00119 #define EINFO_ENOMEM_CERTIFICATE                                        \
00120         __einfo_uniqify ( EINFO_ENOMEM, 0x02,                           \
00121                           "Not enough space for certificate" )
00122 #define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
00123 #define EINFO_ENOMEM_CHAIN                                              \
00124         __einfo_uniqify ( EINFO_ENOMEM, 0x03,                           \
00125                           "Not enough space for certificate chain" )
00126 #define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
00127 #define EINFO_ENOMEM_TX_PLAINTEXT                                       \
00128         __einfo_uniqify ( EINFO_ENOMEM, 0x04,                           \
00129                           "Not enough space for transmitted plaintext" )
00130 #define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
00131 #define EINFO_ENOMEM_TX_CIPHERTEXT                                      \
00132         __einfo_uniqify ( EINFO_ENOMEM, 0x05,                           \
00133                           "Not enough space for transmitted ciphertext" )
00134 #define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
00135 #define EINFO_ENOMEM_RX_DATA                                            \
00136         __einfo_uniqify ( EINFO_ENOMEM, 0x07,                           \
00137                           "Not enough space for received data" )
00138 #define ENOMEM_RX_CONCAT __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
00139 #define EINFO_ENOMEM_RX_CONCAT                                          \
00140         __einfo_uniqify ( EINFO_ENOMEM, 0x08,                           \
00141                           "Not enough space to concatenate received data" )
00142 #define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
00143 #define EINFO_ENOTSUP_CIPHER                                            \
00144         __einfo_uniqify ( EINFO_ENOTSUP, 0x01,                          \
00145                           "Unsupported cipher" )
00146 #define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
00147 #define EINFO_ENOTSUP_NULL                                              \
00148         __einfo_uniqify ( EINFO_ENOTSUP, 0x02,                          \
00149                           "Refusing to use null cipher" )
00150 #define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
00151 #define EINFO_ENOTSUP_SIG_HASH                                          \
00152         __einfo_uniqify ( EINFO_ENOTSUP, 0x03,                          \
00153                           "Unsupported signature and hash algorithm" )
00154 #define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
00155 #define EINFO_ENOTSUP_VERSION                                           \
00156         __einfo_uniqify ( EINFO_ENOTSUP, 0x04,                          \
00157                           "Unsupported protocol version" )
00158 #define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
00159 #define EINFO_EPERM_ALERT                                               \
00160         __einfo_uniqify ( EINFO_EPERM, 0x01,                            \
00161                           "Received fatal alert" )
00162 #define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
00163 #define EINFO_EPERM_VERIFY                                              \
00164         __einfo_uniqify ( EINFO_EPERM, 0x02,                            \
00165                           "Handshake verification failed" )
00166 #define EPERM_CLIENT_CERT __einfo_error ( EINFO_EPERM_CLIENT_CERT )
00167 #define EINFO_EPERM_CLIENT_CERT                                         \
00168         __einfo_uniqify ( EINFO_EPERM, 0x03,                            \
00169                           "No suitable client certificate available" )
00170 #define EPERM_RENEG_INSECURE __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
00171 #define EINFO_EPERM_RENEG_INSECURE                                      \
00172         __einfo_uniqify ( EINFO_EPERM, 0x04,                            \
00173                           "Secure renegotiation not supported" )
00174 #define EPERM_RENEG_VERIFY __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
00175 #define EINFO_EPERM_RENEG_VERIFY                                        \
00176         __einfo_uniqify ( EINFO_EPERM, 0x05,                            \
00177                           "Secure renegotiation verification failed" )
00178 #define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
00179 #define EINFO_EPROTO_VERSION                                            \
00180         __einfo_uniqify ( EINFO_EPROTO, 0x01,                           \
00181                           "Illegal protocol version upgrade" )
00182 
00183 /** List of TLS session */
00184 static LIST_HEAD ( tls_sessions );
00185 
00186 static void tls_tx_resume_all ( struct tls_session *session );
00187 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
00188                                 const void *data, size_t len );
00189 static void tls_clear_cipher ( struct tls_connection *tls,
00190                                struct tls_cipherspec *cipherspec );
00191 
00192 /******************************************************************************
00193  *
00194  * Utility functions
00195  *
00196  ******************************************************************************
00197  */
00198 
00199 /** A TLS 24-bit integer
00200  *
00201  * TLS uses 24-bit integers in several places, which are awkward to
00202  * parse in C.
00203  */
00204 typedef struct {
00205         /** High byte */
00206         uint8_t high;
00207         /** Low word */
00208         uint16_t low;
00209 } __attribute__ (( packed )) tls24_t;
00210 
00211 /**
00212  * Extract 24-bit field value
00213  *
00214  * @v field24           24-bit field
00215  * @ret value           Field value
00216  *
00217  */
00218 static inline __attribute__ (( always_inline )) unsigned long
00219 tls_uint24 ( const tls24_t *field24 ) {
00220 
00221         return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
00222 }
00223 
00224 /**
00225  * Set 24-bit field value
00226  *
00227  * @v field24           24-bit field
00228  * @v value             Field value
00229  */
00230 static void tls_set_uint24 ( tls24_t *field24, unsigned long value ) {
00231 
00232         field24->high = ( value >> 16 );
00233         field24->low = cpu_to_be16 ( value );
00234 }
00235 
00236 /**
00237  * Determine if TLS connection is ready for application data
00238  *
00239  * @v tls               TLS connection
00240  * @ret is_ready        TLS connection is ready
00241  */
00242 static int tls_ready ( struct tls_connection *tls ) {
00243         return ( ( ! is_pending ( &tls->client_negotiation ) ) &&
00244                  ( ! is_pending ( &tls->server_negotiation ) ) );
00245 }
00246 
00247 /******************************************************************************
00248  *
00249  * Hybrid MD5+SHA1 hash as used by TLSv1.1 and earlier
00250  *
00251  ******************************************************************************
00252  */
00253 
00254 /**
00255  * Initialise MD5+SHA1 algorithm
00256  *
00257  * @v ctx               MD5+SHA1 context
00258  */
00259 static void md5_sha1_init ( void *ctx ) {
00260         struct md5_sha1_context *context = ctx;
00261 
00262         digest_init ( &md5_algorithm, context->md5 );
00263         digest_init ( &sha1_algorithm, context->sha1 );
00264 }
00265 
00266 /**
00267  * Accumulate data with MD5+SHA1 algorithm
00268  *
00269  * @v ctx               MD5+SHA1 context
00270  * @v data              Data
00271  * @v len               Length of data
00272  */
00273 static void md5_sha1_update ( void *ctx, const void *data, size_t len ) {
00274         struct md5_sha1_context *context = ctx;
00275 
00276         digest_update ( &md5_algorithm, context->md5, data, len );
00277         digest_update ( &sha1_algorithm, context->sha1, data, len );
00278 }
00279 
00280 /**
00281  * Generate MD5+SHA1 digest
00282  *
00283  * @v ctx               MD5+SHA1 context
00284  * @v out               Output buffer
00285  */
00286 static void md5_sha1_final ( void *ctx, void *out ) {
00287         struct md5_sha1_context *context = ctx;
00288         struct md5_sha1_digest *digest = out;
00289 
00290         digest_final ( &md5_algorithm, context->md5, digest->md5 );
00291         digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
00292 }
00293 
00294 /** Hybrid MD5+SHA1 digest algorithm */
00295 static struct digest_algorithm md5_sha1_algorithm = {
00296         .name           = "md5+sha1",
00297         .ctxsize        = sizeof ( struct md5_sha1_context ),
00298         .blocksize      = 0, /* Not applicable */
00299         .digestsize     = sizeof ( struct md5_sha1_digest ),
00300         .init           = md5_sha1_init,
00301         .update         = md5_sha1_update,
00302         .final          = md5_sha1_final,
00303 };
00304 
00305 /** RSA digestInfo prefix for MD5+SHA1 algorithm */
00306 struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix = {
00307         .digest = &md5_sha1_algorithm,
00308         .data = NULL, /* MD5+SHA1 signatures have no digestInfo */
00309         .len = 0,
00310 };
00311 
00312 /******************************************************************************
00313  *
00314  * Cleanup functions
00315  *
00316  ******************************************************************************
00317  */
00318 
00319 /**
00320  * Free TLS session
00321  *
00322  * @v refcnt            Reference counter
00323  */
00324 static void free_tls_session ( struct refcnt *refcnt ) {
00325         struct tls_session *session =
00326                 container_of ( refcnt, struct tls_session, refcnt );
00327 
00328         /* Sanity check */
00329         assert ( list_empty ( &session->conn ) );
00330 
00331         /* Remove from list of sessions */
00332         list_del ( &session->list );
00333 
00334         /* Free session ticket */
00335         free ( session->ticket );
00336 
00337         /* Free session */
00338         free ( session );
00339 }
00340 
00341 /**
00342  * Free TLS connection
00343  *
00344  * @v refcnt            Reference counter
00345  */
00346 static void free_tls ( struct refcnt *refcnt ) {
00347         struct tls_connection *tls =
00348                 container_of ( refcnt, struct tls_connection, refcnt );
00349         struct tls_session *session = tls->session;
00350         struct io_buffer *iobuf;
00351         struct io_buffer *tmp;
00352 
00353         /* Free dynamically-allocated resources */
00354         free ( tls->new_session_ticket );
00355         tls_clear_cipher ( tls, &tls->tx_cipherspec );
00356         tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
00357         tls_clear_cipher ( tls, &tls->rx_cipherspec );
00358         tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
00359         list_for_each_entry_safe ( iobuf, tmp, &tls->rx_data, list ) {
00360                 list_del ( &iobuf->list );
00361                 free_iob ( iobuf );
00362         }
00363         x509_put ( tls->cert );
00364         x509_chain_put ( tls->chain );
00365 
00366         /* Drop reference to session */
00367         assert ( list_empty ( &tls->list ) );
00368         ref_put ( &session->refcnt );
00369 
00370         /* Free TLS structure itself */
00371         free ( tls );
00372 }
00373 
00374 /**
00375  * Finish with TLS connection
00376  *
00377  * @v tls               TLS connection
00378  * @v rc                Status code
00379  */
00380 static void tls_close ( struct tls_connection *tls, int rc ) {
00381 
00382         /* Remove pending operations, if applicable */
00383         pending_put ( &tls->client_negotiation );
00384         pending_put ( &tls->server_negotiation );
00385         pending_put ( &tls->validation );
00386 
00387         /* Remove process */
00388         process_del ( &tls->process );
00389 
00390         /* Close all interfaces */
00391         intf_shutdown ( &tls->cipherstream, rc );
00392         intf_shutdown ( &tls->plainstream, rc );
00393         intf_shutdown ( &tls->validator, rc );
00394 
00395         /* Remove from session */
00396         list_del ( &tls->list );
00397         INIT_LIST_HEAD ( &tls->list );
00398 
00399         /* Resume all other connections, in case we were the lead connection */
00400         tls_tx_resume_all ( tls->session );
00401 }
00402 
00403 /******************************************************************************
00404  *
00405  * Random number generation
00406  *
00407  ******************************************************************************
00408  */
00409 
00410 /**
00411  * Generate random data
00412  *
00413  * @v tls               TLS connection
00414  * @v data              Buffer to fill
00415  * @v len               Length of buffer
00416  * @ret rc              Return status code
00417  */
00418 static int tls_generate_random ( struct tls_connection *tls,
00419                                  void *data, size_t len ) {
00420         int rc;
00421 
00422         /* Generate random bits with no additional input and without
00423          * prediction resistance
00424          */
00425         if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
00426                 DBGC ( tls, "TLS %p could not generate random data: %s\n",
00427                        tls, strerror ( rc ) );
00428                 return rc;
00429         }
00430 
00431         return 0;
00432 }
00433 
00434 /**
00435  * Update HMAC with a list of ( data, len ) pairs
00436  *
00437  * @v digest            Hash function to use
00438  * @v digest_ctx        Digest context
00439  * @v args              ( data, len ) pairs of data, terminated by NULL
00440  */
00441 static void tls_hmac_update_va ( struct digest_algorithm *digest,
00442                                  void *digest_ctx, va_list args ) {
00443         void *data;
00444         size_t len;
00445 
00446         while ( ( data = va_arg ( args, void * ) ) ) {
00447                 len = va_arg ( args, size_t );
00448                 hmac_update ( digest, digest_ctx, data, len );
00449         }
00450 }
00451 
00452 /**
00453  * Generate secure pseudo-random data using a single hash function
00454  *
00455  * @v tls               TLS connection
00456  * @v digest            Hash function to use
00457  * @v secret            Secret
00458  * @v secret_len        Length of secret
00459  * @v out               Output buffer
00460  * @v out_len           Length of output buffer
00461  * @v seeds             ( data, len ) pairs of seed data, terminated by NULL
00462  */
00463 static void tls_p_hash_va ( struct tls_connection *tls,
00464                             struct digest_algorithm *digest,
00465                             void *secret, size_t secret_len,
00466                             void *out, size_t out_len,
00467                             va_list seeds ) {
00468         uint8_t secret_copy[secret_len];
00469         uint8_t digest_ctx[digest->ctxsize];
00470         uint8_t digest_ctx_partial[digest->ctxsize];
00471         uint8_t a[digest->digestsize];
00472         uint8_t out_tmp[digest->digestsize];
00473         size_t frag_len = digest->digestsize;
00474         va_list tmp;
00475 
00476         /* Copy the secret, in case HMAC modifies it */
00477         memcpy ( secret_copy, secret, secret_len );
00478         secret = secret_copy;
00479         DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
00480         DBGC2_HD ( tls, secret, secret_len );
00481 
00482         /* Calculate A(1) */
00483         hmac_init ( digest, digest_ctx, secret, &secret_len );
00484         va_copy ( tmp, seeds );
00485         tls_hmac_update_va ( digest, digest_ctx, tmp );
00486         va_end ( tmp );
00487         hmac_final ( digest, digest_ctx, secret, &secret_len, a );
00488         DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
00489         DBGC2_HD ( tls, &a, sizeof ( a ) );
00490 
00491         /* Generate as much data as required */
00492         while ( out_len ) {
00493                 /* Calculate output portion */
00494                 hmac_init ( digest, digest_ctx, secret, &secret_len );
00495                 hmac_update ( digest, digest_ctx, a, sizeof ( a ) );
00496                 memcpy ( digest_ctx_partial, digest_ctx, digest->ctxsize );
00497                 va_copy ( tmp, seeds );
00498                 tls_hmac_update_va ( digest, digest_ctx, tmp );
00499                 va_end ( tmp );
00500                 hmac_final ( digest, digest_ctx,
00501                              secret, &secret_len, out_tmp );
00502 
00503                 /* Copy output */
00504                 if ( frag_len > out_len )
00505                         frag_len = out_len;
00506                 memcpy ( out, out_tmp, frag_len );
00507                 DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
00508                 DBGC2_HD ( tls, out, frag_len );
00509 
00510                 /* Calculate A(i) */
00511                 hmac_final ( digest, digest_ctx_partial,
00512                              secret, &secret_len, a );
00513                 DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
00514                 DBGC2_HD ( tls, &a, sizeof ( a ) );
00515 
00516                 out += frag_len;
00517                 out_len -= frag_len;
00518         }
00519 }
00520 
00521 /**
00522  * Generate secure pseudo-random data
00523  *
00524  * @v tls               TLS connection
00525  * @v secret            Secret
00526  * @v secret_len        Length of secret
00527  * @v out               Output buffer
00528  * @v out_len           Length of output buffer
00529  * @v ...               ( data, len ) pairs of seed data, terminated by NULL
00530  */
00531 static void tls_prf ( struct tls_connection *tls, void *secret,
00532                       size_t secret_len, void *out, size_t out_len, ... ) {
00533         va_list seeds;
00534         va_list tmp;
00535         size_t subsecret_len;
00536         void *md5_secret;
00537         void *sha1_secret;
00538         uint8_t buf[out_len];
00539         unsigned int i;
00540 
00541         va_start ( seeds, out_len );
00542 
00543         if ( tls->version >= TLS_VERSION_TLS_1_2 ) {
00544                 /* Use P_SHA256 for TLSv1.2 and later */
00545                 tls_p_hash_va ( tls, &sha256_algorithm, secret, secret_len,
00546                                 out, out_len, seeds );
00547         } else {
00548                 /* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
00549                  * and earlier
00550                  */
00551 
00552                 /* Split secret into two, with an overlap of up to one byte */
00553                 subsecret_len = ( ( secret_len + 1 ) / 2 );
00554                 md5_secret = secret;
00555                 sha1_secret = ( secret + secret_len - subsecret_len );
00556 
00557                 /* Calculate MD5 portion */
00558                 va_copy ( tmp, seeds );
00559                 tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
00560                                 subsecret_len, out, out_len, seeds );
00561                 va_end ( tmp );
00562 
00563                 /* Calculate SHA1 portion */
00564                 va_copy ( tmp, seeds );
00565                 tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
00566                                 subsecret_len, buf, out_len, seeds );
00567                 va_end ( tmp );
00568 
00569                 /* XOR the two portions together into the final output buffer */
00570                 for ( i = 0 ; i < out_len ; i++ )
00571                         *( ( uint8_t * ) out + i ) ^= buf[i];
00572         }
00573 
00574         va_end ( seeds );
00575 }
00576 
00577 /**
00578  * Generate secure pseudo-random data
00579  *
00580  * @v secret            Secret
00581  * @v secret_len        Length of secret
00582  * @v out               Output buffer
00583  * @v out_len           Length of output buffer
00584  * @v label             String literal label
00585  * @v ...               ( data, len ) pairs of seed data
00586  */
00587 #define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
00588         tls_prf ( (tls), (secret), (secret_len), (out), (out_len),         \
00589                   label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
00590 
00591 /******************************************************************************
00592  *
00593  * Secret management
00594  *
00595  ******************************************************************************
00596  */
00597 
00598 /**
00599  * Generate master secret
00600  *
00601  * @v tls               TLS connection
00602  *
00603  * The pre-master secret and the client and server random values must
00604  * already be known.
00605  */
00606 static void tls_generate_master_secret ( struct tls_connection *tls ) {
00607         DBGC ( tls, "TLS %p pre-master-secret:\n", tls );
00608         DBGC_HD ( tls, &tls->pre_master_secret,
00609                   sizeof ( tls->pre_master_secret ) );
00610         DBGC ( tls, "TLS %p client random bytes:\n", tls );
00611         DBGC_HD ( tls, &tls->client_random, sizeof ( tls->client_random ) );
00612         DBGC ( tls, "TLS %p server random bytes:\n", tls );
00613         DBGC_HD ( tls, &tls->server_random, sizeof ( tls->server_random ) );
00614 
00615         tls_prf_label ( tls, &tls->pre_master_secret,
00616                         sizeof ( tls->pre_master_secret ),
00617                         &tls->master_secret, sizeof ( tls->master_secret ),
00618                         "master secret",
00619                         &tls->client_random, sizeof ( tls->client_random ),
00620                         &tls->server_random, sizeof ( tls->server_random ) );
00621 
00622         DBGC ( tls, "TLS %p generated master secret:\n", tls );
00623         DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
00624 }
00625 
00626 /**
00627  * Generate key material
00628  *
00629  * @v tls               TLS connection
00630  *
00631  * The master secret must already be known.
00632  */
00633 static int tls_generate_keys ( struct tls_connection *tls ) {
00634         struct tls_cipherspec *tx_cipherspec = &tls->tx_cipherspec_pending;
00635         struct tls_cipherspec *rx_cipherspec = &tls->rx_cipherspec_pending;
00636         size_t hash_size = tx_cipherspec->suite->digest->digestsize;
00637         size_t key_size = tx_cipherspec->suite->key_len;
00638         size_t iv_size = tx_cipherspec->suite->cipher->blocksize;
00639         size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
00640         uint8_t key_block[total];
00641         uint8_t *key;
00642         int rc;
00643 
00644         /* Generate key block */
00645         tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
00646                         key_block, sizeof ( key_block ), "key expansion",
00647                         &tls->server_random, sizeof ( tls->server_random ),
00648                         &tls->client_random, sizeof ( tls->client_random ) );
00649 
00650         /* Split key block into portions */
00651         key = key_block;
00652 
00653         /* TX MAC secret */
00654         memcpy ( tx_cipherspec->mac_secret, key, hash_size );
00655         DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
00656         DBGC_HD ( tls, key, hash_size );
00657         key += hash_size;
00658 
00659         /* RX MAC secret */
00660         memcpy ( rx_cipherspec->mac_secret, key, hash_size );
00661         DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
00662         DBGC_HD ( tls, key, hash_size );
00663         key += hash_size;
00664 
00665         /* TX key */
00666         if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
00667                                     tx_cipherspec->cipher_ctx,
00668                                     key, key_size ) ) != 0 ) {
00669                 DBGC ( tls, "TLS %p could not set TX key: %s\n",
00670                        tls, strerror ( rc ) );
00671                 return rc;
00672         }
00673         DBGC ( tls, "TLS %p TX key:\n", tls );
00674         DBGC_HD ( tls, key, key_size );
00675         key += key_size;
00676 
00677         /* RX key */
00678         if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
00679                                     rx_cipherspec->cipher_ctx,
00680                                     key, key_size ) ) != 0 ) {
00681                 DBGC ( tls, "TLS %p could not set TX key: %s\n",
00682                        tls, strerror ( rc ) );
00683                 return rc;
00684         }
00685         DBGC ( tls, "TLS %p RX key:\n", tls );
00686         DBGC_HD ( tls, key, key_size );
00687         key += key_size;
00688 
00689         /* TX initialisation vector */
00690         cipher_setiv ( tx_cipherspec->suite->cipher,
00691                        tx_cipherspec->cipher_ctx, key );
00692         DBGC ( tls, "TLS %p TX IV:\n", tls );
00693         DBGC_HD ( tls, key, iv_size );
00694         key += iv_size;
00695 
00696         /* RX initialisation vector */
00697         cipher_setiv ( rx_cipherspec->suite->cipher,
00698                        rx_cipherspec->cipher_ctx, key );
00699         DBGC ( tls, "TLS %p RX IV:\n", tls );
00700         DBGC_HD ( tls, key, iv_size );
00701         key += iv_size;
00702 
00703         assert ( ( key_block + total ) == key );
00704 
00705         return 0;
00706 }
00707 
00708 /******************************************************************************
00709  *
00710  * Cipher suite management
00711  *
00712  ******************************************************************************
00713  */
00714 
00715 /** Null cipher suite */
00716 struct tls_cipher_suite tls_cipher_suite_null = {
00717         .pubkey = &pubkey_null,
00718         .cipher = &cipher_null,
00719         .digest = &digest_null,
00720 };
00721 
00722 /** Number of supported cipher suites */
00723 #define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
00724 
00725 /**
00726  * Identify cipher suite
00727  *
00728  * @v cipher_suite      Cipher suite specification
00729  * @ret suite           Cipher suite, or NULL
00730  */
00731 static struct tls_cipher_suite *
00732 tls_find_cipher_suite ( unsigned int cipher_suite ) {
00733         struct tls_cipher_suite *suite;
00734 
00735         /* Identify cipher suite */
00736         for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
00737                 if ( suite->code == cipher_suite )
00738                         return suite;
00739         }
00740 
00741         return NULL;
00742 }
00743 
00744 /**
00745  * Clear cipher suite
00746  *
00747  * @v cipherspec        TLS cipher specification
00748  */
00749 static void tls_clear_cipher ( struct tls_connection *tls __unused,
00750                                struct tls_cipherspec *cipherspec ) {
00751 
00752         if ( cipherspec->suite ) {
00753                 pubkey_final ( cipherspec->suite->pubkey,
00754                                cipherspec->pubkey_ctx );
00755         }
00756         free ( cipherspec->dynamic );
00757         memset ( cipherspec, 0, sizeof ( *cipherspec ) );
00758         cipherspec->suite = &tls_cipher_suite_null;
00759 }
00760 
00761 /**
00762  * Set cipher suite
00763  *
00764  * @v tls               TLS connection
00765  * @v cipherspec        TLS cipher specification
00766  * @v suite             Cipher suite
00767  * @ret rc              Return status code
00768  */
00769 static int tls_set_cipher ( struct tls_connection *tls,
00770                             struct tls_cipherspec *cipherspec,
00771                             struct tls_cipher_suite *suite ) {
00772         struct pubkey_algorithm *pubkey = suite->pubkey;
00773         struct cipher_algorithm *cipher = suite->cipher;
00774         struct digest_algorithm *digest = suite->digest;
00775         size_t total;
00776         void *dynamic;
00777 
00778         /* Clear out old cipher contents, if any */
00779         tls_clear_cipher ( tls, cipherspec );
00780         
00781         /* Allocate dynamic storage */
00782         total = ( pubkey->ctxsize + 2 * cipher->ctxsize + digest->digestsize );
00783         dynamic = zalloc ( total );
00784         if ( ! dynamic ) {
00785                 DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
00786                        "context\n", tls, total );
00787                 return -ENOMEM_CONTEXT;
00788         }
00789 
00790         /* Assign storage */
00791         cipherspec->dynamic = dynamic;
00792         cipherspec->pubkey_ctx = dynamic;       dynamic += pubkey->ctxsize;
00793         cipherspec->cipher_ctx = dynamic;       dynamic += cipher->ctxsize;
00794         cipherspec->cipher_next_ctx = dynamic;  dynamic += cipher->ctxsize;
00795         cipherspec->mac_secret = dynamic;       dynamic += digest->digestsize;
00796         assert ( ( cipherspec->dynamic + total ) == dynamic );
00797 
00798         /* Store parameters */
00799         cipherspec->suite = suite;
00800 
00801         return 0;
00802 }
00803 
00804 /**
00805  * Select next cipher suite
00806  *
00807  * @v tls               TLS connection
00808  * @v cipher_suite      Cipher suite specification
00809  * @ret rc              Return status code
00810  */
00811 static int tls_select_cipher ( struct tls_connection *tls,
00812                                unsigned int cipher_suite ) {
00813         struct tls_cipher_suite *suite;
00814         int rc;
00815 
00816         /* Identify cipher suite */
00817         suite = tls_find_cipher_suite ( cipher_suite );
00818         if ( ! suite ) {
00819                 DBGC ( tls, "TLS %p does not support cipher %04x\n",
00820                        tls, ntohs ( cipher_suite ) );
00821                 return -ENOTSUP_CIPHER;
00822         }
00823 
00824         /* Set ciphers */
00825         if ( ( rc = tls_set_cipher ( tls, &tls->tx_cipherspec_pending,
00826                                      suite ) ) != 0 )
00827                 return rc;
00828         if ( ( rc = tls_set_cipher ( tls, &tls->rx_cipherspec_pending,
00829                                      suite ) ) != 0 )
00830                 return rc;
00831 
00832         DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls, suite->pubkey->name,
00833                suite->cipher->name, ( suite->key_len * 8 ),
00834                suite->digest->name );
00835 
00836         return 0;
00837 }
00838 
00839 /**
00840  * Activate next cipher suite
00841  *
00842  * @v tls               TLS connection
00843  * @v pending           Pending cipher specification
00844  * @v active            Active cipher specification to replace
00845  * @ret rc              Return status code
00846  */
00847 static int tls_change_cipher ( struct tls_connection *tls,
00848                                struct tls_cipherspec *pending,
00849                                struct tls_cipherspec *active ) {
00850 
00851         /* Sanity check */
00852         if ( pending->suite == &tls_cipher_suite_null ) {
00853                 DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
00854                 return -ENOTSUP_NULL;
00855         }
00856 
00857         tls_clear_cipher ( tls, active );
00858         memswap ( active, pending, sizeof ( *active ) );
00859         return 0;
00860 }
00861 
00862 /******************************************************************************
00863  *
00864  * Signature and hash algorithms
00865  *
00866  ******************************************************************************
00867  */
00868 
00869 /** Number of supported signature and hash algorithms */
00870 #define TLS_NUM_SIG_HASH_ALGORITHMS \
00871         table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
00872 
00873 /**
00874  * Find TLS signature and hash algorithm
00875  *
00876  * @v pubkey            Public-key algorithm
00877  * @v digest            Digest algorithm
00878  * @ret sig_hash        Signature and hash algorithm, or NULL
00879  */
00880 static struct tls_signature_hash_algorithm *
00881 tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
00882                                struct digest_algorithm *digest ) {
00883         struct tls_signature_hash_algorithm *sig_hash;
00884 
00885         /* Identify signature and hash algorithm */
00886         for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
00887                 if ( ( sig_hash->pubkey == pubkey ) &&
00888                      ( sig_hash->digest == digest ) ) {
00889                         return sig_hash;
00890                 }
00891         }
00892 
00893         return NULL;
00894 }
00895 
00896 /******************************************************************************
00897  *
00898  * Handshake verification
00899  *
00900  ******************************************************************************
00901  */
00902 
00903 /**
00904  * Add handshake record to verification hash
00905  *
00906  * @v tls               TLS connection
00907  * @v data              Handshake record
00908  * @v len               Length of handshake record
00909  */
00910 static void tls_add_handshake ( struct tls_connection *tls,
00911                                 const void *data, size_t len ) {
00912 
00913         digest_update ( &md5_sha1_algorithm, tls->handshake_md5_sha1_ctx,
00914                         data, len );
00915         digest_update ( &sha256_algorithm, tls->handshake_sha256_ctx,
00916                         data, len );
00917 }
00918 
00919 /**
00920  * Calculate handshake verification hash
00921  *
00922  * @v tls               TLS connection
00923  * @v out               Output buffer
00924  *
00925  * Calculates the MD5+SHA1 or SHA256 digest over all handshake
00926  * messages seen so far.
00927  */
00928 static void tls_verify_handshake ( struct tls_connection *tls, void *out ) {
00929         struct digest_algorithm *digest = tls->handshake_digest;
00930         uint8_t ctx[ digest->ctxsize ];
00931 
00932         memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
00933         digest_final ( digest, ctx, out );
00934 }
00935 
00936 /******************************************************************************
00937  *
00938  * Record handling
00939  *
00940  ******************************************************************************
00941  */
00942 
00943 /**
00944  * Restart negotiation
00945  *
00946  * @v tls               TLS connection
00947  */
00948 static void tls_restart ( struct tls_connection *tls ) {
00949 
00950         /* Sanity check */
00951         assert ( ! tls->tx_pending );
00952         assert ( ! is_pending ( &tls->client_negotiation ) );
00953         assert ( ! is_pending ( &tls->server_negotiation ) );
00954         assert ( ! is_pending ( &tls->validation ) );
00955 
00956         /* (Re)initialise handshake context */
00957         digest_init ( &md5_sha1_algorithm, tls->handshake_md5_sha1_ctx );
00958         digest_init ( &sha256_algorithm, tls->handshake_sha256_ctx );
00959         tls->handshake_digest = &sha256_algorithm;
00960         tls->handshake_ctx = tls->handshake_sha256_ctx;
00961 
00962         /* (Re)start negotiation */
00963         tls->tx_pending = TLS_TX_CLIENT_HELLO;
00964         pending_get ( &tls->client_negotiation );
00965         pending_get ( &tls->server_negotiation );
00966 }
00967 
00968 /**
00969  * Resume TX state machine
00970  *
00971  * @v tls               TLS connection
00972  */
00973 static void tls_tx_resume ( struct tls_connection *tls ) {
00974         process_add ( &tls->process );
00975 }
00976 
00977 /**
00978  * Resume TX state machine for all connections within a session
00979  *
00980  * @v session           TLS session
00981  */
00982 static void tls_tx_resume_all ( struct tls_session *session ) {
00983         struct tls_connection *tls;
00984 
00985         list_for_each_entry ( tls, &session->conn, list )
00986                 tls_tx_resume ( tls );
00987 }
00988 
00989 /**
00990  * Transmit Handshake record
00991  *
00992  * @v tls               TLS connection
00993  * @v data              Plaintext record
00994  * @v len               Length of plaintext record
00995  * @ret rc              Return status code
00996  */
00997 static int tls_send_handshake ( struct tls_connection *tls,
00998                                 void *data, size_t len ) {
00999 
01000         /* Add to handshake digest */
01001         tls_add_handshake ( tls, data, len );
01002 
01003         /* Send record */
01004         return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
01005 }
01006 
01007 /**
01008  * Transmit Client Hello record
01009  *
01010  * @v tls               TLS connection
01011  * @ret rc              Return status code
01012  */
01013 static int tls_send_client_hello ( struct tls_connection *tls ) {
01014         struct tls_session *session = tls->session;
01015         size_t name_len = strlen ( session->name );
01016         struct {
01017                 uint32_t type_length;
01018                 uint16_t version;
01019                 uint8_t random[32];
01020                 uint8_t session_id_len;
01021                 uint8_t session_id[tls->session_id_len];
01022                 uint16_t cipher_suite_len;
01023                 uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
01024                 uint8_t compression_methods_len;
01025                 uint8_t compression_methods[1];
01026                 uint16_t extensions_len;
01027                 struct {
01028                         uint16_t server_name_type;
01029                         uint16_t server_name_len;
01030                         struct {
01031                                 uint16_t len;
01032                                 struct {
01033                                         uint8_t type;
01034                                         uint16_t len;
01035                                         uint8_t name[name_len];
01036                                 } __attribute__ (( packed )) list[1];
01037                         } __attribute__ (( packed )) server_name;
01038                         uint16_t max_fragment_length_type;
01039                         uint16_t max_fragment_length_len;
01040                         struct {
01041                                 uint8_t max;
01042                         } __attribute__ (( packed )) max_fragment_length;
01043                         uint16_t signature_algorithms_type;
01044                         uint16_t signature_algorithms_len;
01045                         struct {
01046                                 uint16_t len;
01047                                 struct tls_signature_hash_id
01048                                         code[TLS_NUM_SIG_HASH_ALGORITHMS];
01049                         } __attribute__ (( packed )) signature_algorithms;
01050                         uint16_t renegotiation_info_type;
01051                         uint16_t renegotiation_info_len;
01052                         struct {
01053                                 uint8_t len;
01054                                 uint8_t data[ tls->secure_renegotiation ?
01055                                               sizeof ( tls->verify.client ) :0];
01056                         } __attribute__ (( packed )) renegotiation_info;
01057                         uint16_t session_ticket_type;
01058                         uint16_t session_ticket_len;
01059                         struct {
01060                                 uint8_t data[session->ticket_len];
01061                         } __attribute__ (( packed )) session_ticket;
01062                 } __attribute__ (( packed )) extensions;
01063         } __attribute__ (( packed )) hello;
01064         struct tls_cipher_suite *suite;
01065         struct tls_signature_hash_algorithm *sighash;
01066         unsigned int i;
01067 
01068         /* Construct record */
01069         memset ( &hello, 0, sizeof ( hello ) );
01070         hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
01071                               htonl ( sizeof ( hello ) -
01072                                       sizeof ( hello.type_length ) ) );
01073         hello.version = htons ( tls->version );
01074         memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
01075         hello.session_id_len = tls->session_id_len;
01076         memcpy ( hello.session_id, tls->session_id,
01077                  sizeof ( hello.session_id ) );
01078         hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
01079         i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
01080                 hello.cipher_suites[i++] = suite->code;
01081         hello.compression_methods_len = sizeof ( hello.compression_methods );
01082         hello.extensions_len = htons ( sizeof ( hello.extensions ) );
01083         hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );
01084         hello.extensions.server_name_len
01085                 = htons ( sizeof ( hello.extensions.server_name ) );
01086         hello.extensions.server_name.len
01087                 = htons ( sizeof ( hello.extensions.server_name.list ) );
01088         hello.extensions.server_name.list[0].type = TLS_SERVER_NAME_HOST_NAME;
01089         hello.extensions.server_name.list[0].len
01090                 = htons ( sizeof ( hello.extensions.server_name.list[0].name ));
01091         memcpy ( hello.extensions.server_name.list[0].name, session->name,
01092                  sizeof ( hello.extensions.server_name.list[0].name ) );
01093         hello.extensions.max_fragment_length_type
01094                 = htons ( TLS_MAX_FRAGMENT_LENGTH );
01095         hello.extensions.max_fragment_length_len
01096                 = htons ( sizeof ( hello.extensions.max_fragment_length ) );
01097         hello.extensions.max_fragment_length.max
01098                 = TLS_MAX_FRAGMENT_LENGTH_4096;
01099         hello.extensions.signature_algorithms_type
01100                 = htons ( TLS_SIGNATURE_ALGORITHMS );
01101         hello.extensions.signature_algorithms_len
01102                 = htons ( sizeof ( hello.extensions.signature_algorithms ) );
01103         hello.extensions.signature_algorithms.len
01104                 = htons ( sizeof ( hello.extensions.signature_algorithms.code));
01105         i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
01106                 hello.extensions.signature_algorithms.code[i++] = sighash->code;
01107         hello.extensions.renegotiation_info_type
01108                 = htons ( TLS_RENEGOTIATION_INFO );
01109         hello.extensions.renegotiation_info_len
01110                 = htons ( sizeof ( hello.extensions.renegotiation_info ) );
01111         hello.extensions.renegotiation_info.len
01112                 = sizeof ( hello.extensions.renegotiation_info.data );
01113         memcpy ( hello.extensions.renegotiation_info.data, tls->verify.client,
01114                  sizeof ( hello.extensions.renegotiation_info.data ) );
01115         hello.extensions.session_ticket_type = htons ( TLS_SESSION_TICKET );
01116         hello.extensions.session_ticket_len
01117                 = htons ( sizeof ( hello.extensions.session_ticket ) );
01118         memcpy ( hello.extensions.session_ticket.data, session->ticket,
01119                  sizeof ( hello.extensions.session_ticket.data ) );
01120 
01121         return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
01122 }
01123 
01124 /**
01125  * Transmit Certificate record
01126  *
01127  * @v tls               TLS connection
01128  * @ret rc              Return status code
01129  */
01130 static int tls_send_certificate ( struct tls_connection *tls ) {
01131         struct {
01132                 uint32_t type_length;
01133                 tls24_t length;
01134                 struct {
01135                         tls24_t length;
01136                         uint8_t data[ tls->cert->raw.len ];
01137                 } __attribute__ (( packed )) certificates[1];
01138         } __attribute__ (( packed )) *certificate;
01139         int rc;
01140 
01141         /* Allocate storage for Certificate record (which may be too
01142          * large for the stack).
01143          */
01144         certificate = zalloc ( sizeof ( *certificate ) );
01145         if ( ! certificate )
01146                 return -ENOMEM_CERTIFICATE;
01147 
01148         /* Populate record */
01149         certificate->type_length =
01150                 ( cpu_to_le32 ( TLS_CERTIFICATE ) |
01151                   htonl ( sizeof ( *certificate ) -
01152                           sizeof ( certificate->type_length ) ) );
01153         tls_set_uint24 ( &certificate->length,
01154                          sizeof ( certificate->certificates ) );
01155         tls_set_uint24 ( &certificate->certificates[0].length,
01156                          sizeof ( certificate->certificates[0].data ) );
01157         memcpy ( certificate->certificates[0].data,
01158                  tls->cert->raw.data,
01159                  sizeof ( certificate->certificates[0].data ) );
01160 
01161         /* Transmit record */
01162         rc = tls_send_handshake ( tls, certificate, sizeof ( *certificate ) );
01163 
01164         /* Free record */
01165         free ( certificate );
01166 
01167         return rc;
01168 }
01169 
01170 /**
01171  * Transmit Client Key Exchange record
01172  *
01173  * @v tls               TLS connection
01174  * @ret rc              Return status code
01175  */
01176 static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
01177         struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
01178         struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
01179         size_t max_len = pubkey_max_len ( pubkey, cipherspec->pubkey_ctx );
01180         struct {
01181                 uint32_t type_length;
01182                 uint16_t encrypted_pre_master_secret_len;
01183                 uint8_t encrypted_pre_master_secret[max_len];
01184         } __attribute__ (( packed )) key_xchg;
01185         size_t unused;
01186         int len;
01187         int rc;
01188 
01189         /* Encrypt pre-master secret using server's public key */
01190         memset ( &key_xchg, 0, sizeof ( key_xchg ) );
01191         len = pubkey_encrypt ( pubkey, cipherspec->pubkey_ctx,
01192                                &tls->pre_master_secret,
01193                                sizeof ( tls->pre_master_secret ),
01194                                key_xchg.encrypted_pre_master_secret );
01195         if ( len < 0 ) {
01196                 rc = len;
01197                 DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
01198                        tls, strerror ( rc ) );
01199                 return rc;
01200         }
01201         unused = ( max_len - len );
01202         key_xchg.type_length =
01203                 ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
01204                   htonl ( sizeof ( key_xchg ) -
01205                           sizeof ( key_xchg.type_length ) - unused ) );
01206         key_xchg.encrypted_pre_master_secret_len =
01207                 htons ( sizeof ( key_xchg.encrypted_pre_master_secret ) -
01208                         unused );
01209 
01210         return tls_send_handshake ( tls, &key_xchg,
01211                                     ( sizeof ( key_xchg ) - unused ) );
01212 }
01213 
01214 /**
01215  * Transmit Certificate Verify record
01216  *
01217  * @v tls               TLS connection
01218  * @ret rc              Return status code
01219  */
01220 static int tls_send_certificate_verify ( struct tls_connection *tls ) {
01221         struct digest_algorithm *digest = tls->handshake_digest;
01222         struct x509_certificate *cert = tls->cert;
01223         struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
01224         uint8_t digest_out[ digest->digestsize ];
01225         uint8_t ctx[ pubkey->ctxsize ];
01226         struct tls_signature_hash_algorithm *sig_hash = NULL;
01227         int rc;
01228 
01229         /* Generate digest to be signed */
01230         tls_verify_handshake ( tls, digest_out );
01231 
01232         /* Initialise public-key algorithm */
01233         if ( ( rc = pubkey_init ( pubkey, ctx, private_key.data,
01234                                   private_key.len ) ) != 0 ) {
01235                 DBGC ( tls, "TLS %p could not initialise %s client private "
01236                        "key: %s\n", tls, pubkey->name, strerror ( rc ) );
01237                 goto err_pubkey_init;
01238         }
01239 
01240         /* TLSv1.2 and later use explicit algorithm identifiers */
01241         if ( tls->version >= TLS_VERSION_TLS_1_2 ) {
01242                 sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
01243                 if ( ! sig_hash ) {
01244                         DBGC ( tls, "TLS %p could not identify (%s,%s) "
01245                                "signature and hash algorithm\n", tls,
01246                                pubkey->name, digest->name );
01247                         rc = -ENOTSUP_SIG_HASH;
01248                         goto err_sig_hash;
01249                 }
01250         }
01251 
01252         /* Generate and transmit record */
01253         {
01254                 size_t max_len = pubkey_max_len ( pubkey, ctx );
01255                 int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
01256                 struct {
01257                         uint32_t type_length;
01258                         struct tls_signature_hash_id sig_hash[use_sig_hash];
01259                         uint16_t signature_len;
01260                         uint8_t signature[max_len];
01261                 } __attribute__ (( packed )) certificate_verify;
01262                 size_t unused;
01263                 int len;
01264 
01265                 /* Sign digest */
01266                 len = pubkey_sign ( pubkey, ctx, digest, digest_out,
01267                                     certificate_verify.signature );
01268                 if ( len < 0 ) {
01269                         rc = len;
01270                         DBGC ( tls, "TLS %p could not sign %s digest using %s "
01271                                "client private key: %s\n", tls, digest->name,
01272                                pubkey->name, strerror ( rc ) );
01273                         goto err_pubkey_sign;
01274                 }
01275                 unused = ( max_len - len );
01276 
01277                 /* Construct Certificate Verify record */
01278                 certificate_verify.type_length =
01279                         ( cpu_to_le32 ( TLS_CERTIFICATE_VERIFY ) |
01280                           htonl ( sizeof ( certificate_verify ) -
01281                                   sizeof ( certificate_verify.type_length ) -
01282                                   unused ) );
01283                 if ( use_sig_hash ) {
01284                         memcpy ( &certificate_verify.sig_hash[0],
01285                                  &sig_hash->code,
01286                                  sizeof ( certificate_verify.sig_hash[0] ) );
01287                 }
01288                 certificate_verify.signature_len =
01289                         htons ( sizeof ( certificate_verify.signature ) -
01290                                 unused );
01291 
01292                 /* Transmit record */
01293                 rc = tls_send_handshake ( tls, &certificate_verify,
01294                                    ( sizeof ( certificate_verify ) - unused ) );
01295         }
01296 
01297  err_pubkey_sign:
01298  err_sig_hash:
01299         pubkey_final ( pubkey, ctx );
01300  err_pubkey_init:
01301         return rc;
01302 }
01303 
01304 /**
01305  * Transmit Change Cipher record
01306  *
01307  * @v tls               TLS connection
01308  * @ret rc              Return status code
01309  */
01310 static int tls_send_change_cipher ( struct tls_connection *tls ) {
01311         static const uint8_t change_cipher[1] = { 1 };
01312         return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
01313                                     change_cipher, sizeof ( change_cipher ) );
01314 }
01315 
01316 /**
01317  * Transmit Finished record
01318  *
01319  * @v tls               TLS connection
01320  * @ret rc              Return status code
01321  */
01322 static int tls_send_finished ( struct tls_connection *tls ) {
01323         struct digest_algorithm *digest = tls->handshake_digest;
01324         struct {
01325                 uint32_t type_length;
01326                 uint8_t verify_data[ sizeof ( tls->verify.client ) ];
01327         } __attribute__ (( packed )) finished;
01328         uint8_t digest_out[ digest->digestsize ];
01329         int rc;
01330 
01331         /* Construct client verification data */
01332         tls_verify_handshake ( tls, digest_out );
01333         tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
01334                         tls->verify.client, sizeof ( tls->verify.client ),
01335                         "client finished", digest_out, sizeof ( digest_out ) );
01336 
01337         /* Construct record */
01338         memset ( &finished, 0, sizeof ( finished ) );
01339         finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
01340                                  htonl ( sizeof ( finished ) -
01341                                          sizeof ( finished.type_length ) ) );
01342         memcpy ( finished.verify_data, tls->verify.client,
01343                  sizeof ( finished.verify_data ) );
01344 
01345         /* Transmit record */
01346         if ( ( rc = tls_send_handshake ( tls, &finished,
01347                                          sizeof ( finished ) ) ) != 0 )
01348                 return rc;
01349 
01350         /* Mark client as finished */
01351         pending_put ( &tls->client_negotiation );
01352 
01353         return 0;
01354 }
01355 
01356 /**
01357  * Receive new Change Cipher record
01358  *
01359  * @v tls               TLS connection
01360  * @v data              Plaintext record
01361  * @v len               Length of plaintext record
01362  * @ret rc              Return status code
01363  */
01364 static int tls_new_change_cipher ( struct tls_connection *tls,
01365                                    const void *data, size_t len ) {
01366         int rc;
01367 
01368         if ( ( len != 1 ) || ( *( ( uint8_t * ) data ) != 1 ) ) {
01369                 DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
01370                 DBGC_HD ( tls, data, len );
01371                 return -EINVAL_CHANGE_CIPHER;
01372         }
01373 
01374         if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
01375                                         &tls->rx_cipherspec ) ) != 0 ) {
01376                 DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
01377                        tls, strerror ( rc ) );
01378                 return rc;
01379         }
01380         tls->rx_seq = ~( ( uint64_t ) 0 );
01381 
01382         return 0;
01383 }
01384 
01385 /**
01386  * Receive new Alert record
01387  *
01388  * @v tls               TLS connection
01389  * @v data              Plaintext record
01390  * @v len               Length of plaintext record
01391  * @ret rc              Return status code
01392  */
01393 static int tls_new_alert ( struct tls_connection *tls, const void *data,
01394                            size_t len ) {
01395         const struct {
01396                 uint8_t level;
01397                 uint8_t description;
01398                 char next[0];
01399         } __attribute__ (( packed )) *alert = data;
01400 
01401         /* Sanity check */
01402         if ( sizeof ( *alert ) != len ) {
01403                 DBGC ( tls, "TLS %p received overlength Alert\n", tls );
01404                 DBGC_HD ( tls, data, len );
01405                 return -EINVAL_ALERT;
01406         }
01407 
01408         switch ( alert->level ) {
01409         case TLS_ALERT_WARNING:
01410                 DBGC ( tls, "TLS %p received warning alert %d\n",
01411                        tls, alert->description );
01412                 return 0;
01413         case TLS_ALERT_FATAL:
01414                 DBGC ( tls, "TLS %p received fatal alert %d\n",
01415                        tls, alert->description );
01416                 return -EPERM_ALERT;
01417         default:
01418                 DBGC ( tls, "TLS %p received unknown alert level %d"
01419                        "(alert %d)\n", tls, alert->level, alert->description );
01420                 return -EIO_ALERT;
01421         }
01422 }
01423 
01424 /**
01425  * Receive new Hello Request handshake record
01426  *
01427  * @v tls               TLS connection
01428  * @v data              Plaintext handshake record
01429  * @v len               Length of plaintext handshake record
01430  * @ret rc              Return status code
01431  */
01432 static int tls_new_hello_request ( struct tls_connection *tls,
01433                                    const void *data __unused,
01434                                    size_t len __unused ) {
01435 
01436         /* Ignore if a handshake is in progress */
01437         if ( ! tls_ready ( tls ) ) {
01438                 DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
01439                 return 0;
01440         }
01441 
01442         /* Fail unless server supports secure renegotiation */
01443         if ( ! tls->secure_renegotiation ) {
01444                 DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
01445                        tls );
01446                 return -EPERM_RENEG_INSECURE;
01447         }
01448 
01449         /* Restart negotiation */
01450         tls_restart ( tls );
01451 
01452         return 0;
01453 }
01454 
01455 /**
01456  * Receive new Server Hello handshake record
01457  *
01458  * @v tls               TLS connection
01459  * @v data              Plaintext handshake record
01460  * @v len               Length of plaintext handshake record
01461  * @ret rc              Return status code
01462  */
01463 static int tls_new_server_hello ( struct tls_connection *tls,
01464                                   const void *data, size_t len ) {
01465         const struct {
01466                 uint16_t version;
01467                 uint8_t random[32];
01468                 uint8_t session_id_len;
01469                 uint8_t session_id[0];
01470         } __attribute__ (( packed )) *hello_a = data;
01471         const uint8_t *session_id;
01472         const struct {
01473                 uint16_t cipher_suite;
01474                 uint8_t compression_method;
01475                 char next[0];
01476         } __attribute__ (( packed )) *hello_b;
01477         const struct {
01478                 uint16_t len;
01479                 uint8_t data[0];
01480         } __attribute__ (( packed )) *exts;
01481         const struct {
01482                 uint16_t type;
01483                 uint16_t len;
01484                 uint8_t data[0];
01485         } __attribute__ (( packed )) *ext;
01486         const struct {
01487                 uint8_t len;
01488                 uint8_t data[0];
01489         } __attribute__ (( packed )) *reneg = NULL;
01490         uint16_t version;
01491         size_t exts_len;
01492         size_t ext_len;
01493         size_t remaining;
01494         int rc;
01495 
01496         /* Parse header */
01497         if ( ( sizeof ( *hello_a ) > len ) ||
01498              ( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
01499              ( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
01500                                        hello_a->session_id_len ) ) ) {
01501                 DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
01502                 DBGC_HD ( tls, data, len );
01503                 return -EINVAL_HELLO;
01504         }
01505         session_id = hello_a->session_id;
01506         hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );
01507 
01508         /* Parse extensions, if present */
01509         remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
01510                       sizeof ( *hello_b ) );
01511         if ( remaining ) {
01512 
01513                 /* Parse extensions length */
01514                 exts = ( ( void * ) hello_b->next );
01515                 if ( ( sizeof ( *exts ) > remaining ) ||
01516                      ( ( exts_len = ntohs ( exts->len ) ) >
01517                        ( remaining - sizeof ( *exts ) ) ) ) {
01518                         DBGC ( tls, "TLS %p received underlength extensions\n",
01519                                tls );
01520                         DBGC_HD ( tls, data, len );
01521                         return -EINVAL_HELLO;
01522                 }
01523 
01524                 /* Parse extensions */
01525                 for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
01526                       remaining ;
01527                       ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
01528                               remaining -= ( sizeof ( *ext ) + ext_len ) ) {
01529 
01530                         /* Parse extension length */
01531                         if ( ( sizeof ( *ext ) > remaining ) ||
01532                              ( ( ext_len = ntohs ( ext->len ) ) >
01533                                ( remaining - sizeof ( *ext ) ) ) ) {
01534                                 DBGC ( tls, "TLS %p received underlength "
01535                                        "extension\n", tls );
01536                                 DBGC_HD ( tls, data, len );
01537                                 return -EINVAL_HELLO;
01538                         }
01539 
01540                         /* Record known extensions */
01541                         switch ( ext->type ) {
01542                         case htons ( TLS_RENEGOTIATION_INFO ) :
01543                                 reneg = ( ( void * ) ext->data );
01544                                 if ( ( sizeof ( *reneg ) > ext_len ) ||
01545                                      ( reneg->len >
01546                                        ( ext_len - sizeof ( *reneg ) ) ) ) {
01547                                         DBGC ( tls, "TLS %p received "
01548                                                "underlength renegotiation "
01549                                                "info\n", tls );
01550                                         DBGC_HD ( tls, data, len );
01551                                         return -EINVAL_HELLO;
01552                                 }
01553                                 break;
01554                         }
01555                 }
01556         }
01557 
01558         /* Check and store protocol version */
01559         version = ntohs ( hello_a->version );
01560         if ( version < TLS_VERSION_TLS_1_0 ) {
01561                 DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
01562                        tls, ( version >> 8 ), ( version & 0xff ) );
01563                 return -ENOTSUP_VERSION;
01564         }
01565         if ( version > tls->version ) {
01566                 DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
01567                        "protocol version %d.%d\n",
01568                        tls, ( version >> 8 ), ( version & 0xff ) );
01569                 return -EPROTO_VERSION;
01570         }
01571         tls->version = version;
01572         DBGC ( tls, "TLS %p using protocol version %d.%d\n",
01573                tls, ( version >> 8 ), ( version & 0xff ) );
01574 
01575         /* Use MD5+SHA1 digest algorithm for handshake verification
01576          * for versions earlier than TLSv1.2.
01577          */
01578         if ( tls->version < TLS_VERSION_TLS_1_2 ) {
01579                 tls->handshake_digest = &md5_sha1_algorithm;
01580                 tls->handshake_ctx = tls->handshake_md5_sha1_ctx;
01581         }
01582 
01583         /* Copy out server random bytes */
01584         memcpy ( &tls->server_random, &hello_a->random,
01585                  sizeof ( tls->server_random ) );
01586 
01587         /* Select cipher suite */
01588         if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
01589                 return rc;
01590 
01591         /* Reuse or generate master secret */
01592         if ( hello_a->session_id_len &&
01593              ( hello_a->session_id_len == tls->session_id_len ) &&
01594              ( memcmp ( session_id, tls->session_id,
01595                         tls->session_id_len ) == 0 ) ) {
01596 
01597                 /* Session ID match: reuse master secret */
01598                 DBGC ( tls, "TLS %p resuming session ID:\n", tls );
01599                 DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
01600 
01601         } else {
01602 
01603                 /* Generate new master secret */
01604                 tls_generate_master_secret ( tls );
01605 
01606                 /* Record new session ID, if present */
01607                 if ( hello_a->session_id_len &&
01608                      ( hello_a->session_id_len <= sizeof ( tls->session_id ))){
01609                         tls->session_id_len = hello_a->session_id_len;
01610                         memcpy ( tls->session_id, session_id,
01611                                  tls->session_id_len );
01612                         DBGC ( tls, "TLS %p new session ID:\n", tls );
01613                         DBGC_HDA ( tls, 0, tls->session_id,
01614                                    tls->session_id_len );
01615                 }
01616         }
01617 
01618         /* Generate keys */
01619         if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
01620                 return rc;
01621 
01622         /* Handle secure renegotiation */
01623         if ( tls->secure_renegotiation ) {
01624 
01625                 /* Secure renegotiation is expected; verify data */
01626                 if ( ( reneg == NULL ) ||
01627                      ( reneg->len != sizeof ( tls->verify ) ) ||
01628                      ( memcmp ( reneg->data, &tls->verify,
01629                                 sizeof ( tls->verify ) ) != 0 ) ) {
01630                         DBGC ( tls, "TLS %p server failed secure "
01631                                "renegotiation\n", tls );
01632                         return -EPERM_RENEG_VERIFY;
01633                 }
01634 
01635         } else if ( reneg != NULL ) {
01636 
01637                 /* Secure renegotiation is being enabled */
01638                 if ( reneg->len != 0 ) {
01639                         DBGC ( tls, "TLS %p server provided non-empty initial "
01640                                "renegotiation\n", tls );
01641                         return -EPERM_RENEG_VERIFY;
01642                 }
01643                 tls->secure_renegotiation = 1;
01644         }
01645 
01646         return 0;
01647 }
01648 
01649 /**
01650  * Receive New Session Ticket handshake record
01651  *
01652  * @v tls               TLS connection
01653  * @v data              Plaintext handshake record
01654  * @v len               Length of plaintext handshake record
01655  * @ret rc              Return status code
01656  */
01657 static int tls_new_session_ticket ( struct tls_connection *tls,
01658                                     const void *data, size_t len ) {
01659         const struct {
01660                 uint32_t lifetime;
01661                 uint16_t len;
01662                 uint8_t ticket[0];
01663         } __attribute__ (( packed )) *new_session_ticket = data;
01664         size_t ticket_len;
01665 
01666         /* Parse header */
01667         if ( sizeof ( *new_session_ticket ) > len ) {
01668                 DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
01669                        tls );
01670                 DBGC_HD ( tls, data, len );
01671                 return -EINVAL_TICKET;
01672         }
01673         ticket_len = ntohs ( new_session_ticket->len );
01674         if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
01675                 DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
01676                        tls );
01677                 DBGC_HD ( tls, data, len );
01678                 return -EINVAL_TICKET;
01679         }
01680 
01681         /* Free any unapplied new session ticket */
01682         free ( tls->new_session_ticket );
01683         tls->new_session_ticket = NULL;
01684         tls->new_session_ticket_len = 0;
01685 
01686         /* Record ticket */
01687         tls->new_session_ticket = malloc ( ticket_len );
01688         if ( ! tls->new_session_ticket )
01689                 return -ENOMEM;
01690         memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
01691                  ticket_len );
01692         tls->new_session_ticket_len = ticket_len;
01693         DBGC ( tls, "TLS %p new session ticket:\n", tls );
01694         DBGC_HDA ( tls, 0, tls->new_session_ticket,
01695                    tls->new_session_ticket_len );
01696 
01697         return 0;
01698 }
01699 
01700 /**
01701  * Parse certificate chain
01702  *
01703  * @v tls               TLS connection
01704  * @v data              Certificate chain
01705  * @v len               Length of certificate chain
01706  * @ret rc              Return status code
01707  */
01708 static int tls_parse_chain ( struct tls_connection *tls,
01709                              const void *data, size_t len ) {
01710         size_t remaining = len;
01711         int rc;
01712 
01713         /* Free any existing certificate chain */
01714         x509_chain_put ( tls->chain );
01715         tls->chain = NULL;
01716 
01717         /* Create certificate chain */
01718         tls->chain = x509_alloc_chain();
01719         if ( ! tls->chain ) {
01720                 rc = -ENOMEM_CHAIN;
01721                 goto err_alloc_chain;
01722         }
01723 
01724         /* Add certificates to chain */
01725         while ( remaining ) {
01726                 const struct {
01727                         tls24_t length;
01728                         uint8_t data[0];
01729                 } __attribute__ (( packed )) *certificate = data;
01730                 size_t certificate_len;
01731                 size_t record_len;
01732                 struct x509_certificate *cert;
01733 
01734                 /* Parse header */
01735                 if ( sizeof ( *certificate ) > remaining ) {
01736                         DBGC ( tls, "TLS %p underlength certificate:\n", tls );
01737                         DBGC_HDA ( tls, 0, data, remaining );
01738                         rc = -EINVAL_CERTIFICATE;
01739                         goto err_underlength;
01740                 }
01741                 certificate_len = tls_uint24 ( &certificate->length );
01742                 if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
01743                         DBGC ( tls, "TLS %p overlength certificate:\n", tls );
01744                         DBGC_HDA ( tls, 0, data, remaining );
01745                         rc = -EINVAL_CERTIFICATE;
01746                         goto err_overlength;
01747                 }
01748                 record_len = ( sizeof ( *certificate ) + certificate_len );
01749 
01750                 /* Add certificate to chain */
01751                 if ( ( rc = x509_append_raw ( tls->chain, certificate->data,
01752                                               certificate_len ) ) != 0 ) {
01753                         DBGC ( tls, "TLS %p could not append certificate: %s\n",
01754                                tls, strerror ( rc ) );
01755                         DBGC_HDA ( tls, 0, data, remaining );
01756                         goto err_parse;
01757                 }
01758                 cert = x509_last ( tls->chain );
01759                 DBGC ( tls, "TLS %p found certificate %s\n",
01760                        tls, x509_name ( cert ) );
01761 
01762                 /* Move to next certificate in list */
01763                 data += record_len;
01764                 remaining -= record_len;
01765         }
01766 
01767         return 0;
01768 
01769  err_parse:
01770  err_overlength:
01771  err_underlength:
01772         x509_chain_put ( tls->chain );
01773         tls->chain = NULL;
01774  err_alloc_chain:
01775         return rc;
01776 }
01777 
01778 /**
01779  * Receive new Certificate handshake record
01780  *
01781  * @v tls               TLS connection
01782  * @v data              Plaintext handshake record
01783  * @v len               Length of plaintext handshake record
01784  * @ret rc              Return status code
01785  */
01786 static int tls_new_certificate ( struct tls_connection *tls,
01787                                  const void *data, size_t len ) {
01788         const struct {
01789                 tls24_t length;
01790                 uint8_t certificates[0];
01791         } __attribute__ (( packed )) *certificate = data;
01792         size_t certificates_len;
01793         int rc;
01794 
01795         /* Parse header */
01796         if ( sizeof ( *certificate ) > len ) {
01797                 DBGC ( tls, "TLS %p received underlength Server Certificate\n",
01798                        tls );
01799                 DBGC_HD ( tls, data, len );
01800                 return -EINVAL_CERTIFICATES;
01801         }
01802         certificates_len = tls_uint24 ( &certificate->length );
01803         if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
01804                 DBGC ( tls, "TLS %p received overlength Server Certificate\n",
01805                        tls );
01806                 DBGC_HD ( tls, data, len );
01807                 return -EINVAL_CERTIFICATES;
01808         }
01809 
01810         /* Parse certificate chain */
01811         if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
01812                                       certificates_len ) ) != 0 )
01813                 return rc;
01814 
01815         return 0;
01816 }
01817 
01818 /**
01819  * Receive new Certificate Request handshake record
01820  *
01821  * @v tls               TLS connection
01822  * @v data              Plaintext handshake record
01823  * @v len               Length of plaintext handshake record
01824  * @ret rc              Return status code
01825  */
01826 static int tls_new_certificate_request ( struct tls_connection *tls,
01827                                          const void *data __unused,
01828                                          size_t len __unused ) {
01829 
01830         /* We can only send a single certificate, so there is no point
01831          * in parsing the Certificate Request.
01832          */
01833 
01834         /* Free any existing client certificate */
01835         x509_put ( tls->cert );
01836 
01837         /* Determine client certificate to be sent */
01838         tls->cert = certstore_find_key ( &private_key );
01839         if ( ! tls->cert ) {
01840                 DBGC ( tls, "TLS %p could not find certificate corresponding "
01841                        "to private key\n", tls );
01842                 return -EPERM_CLIENT_CERT;
01843         }
01844         x509_get ( tls->cert );
01845         DBGC ( tls, "TLS %p sending client certificate %s\n",
01846                tls, x509_name ( tls->cert ) );
01847 
01848         return 0;
01849 }
01850 
01851 /**
01852  * Receive new Server Hello Done handshake record
01853  *
01854  * @v tls               TLS connection
01855  * @v data              Plaintext handshake record
01856  * @v len               Length of plaintext handshake record
01857  * @ret rc              Return status code
01858  */
01859 static int tls_new_server_hello_done ( struct tls_connection *tls,
01860                                        const void *data, size_t len ) {
01861         const struct {
01862                 char next[0];
01863         } __attribute__ (( packed )) *hello_done = data;
01864         int rc;
01865 
01866         /* Sanity check */
01867         if ( sizeof ( *hello_done ) != len ) {
01868                 DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
01869                        tls );
01870                 DBGC_HD ( tls, data, len );
01871                 return -EINVAL_HELLO_DONE;
01872         }
01873 
01874         /* Begin certificate validation */
01875         if ( ( rc = create_validator ( &tls->validator, tls->chain ) ) != 0 ) {
01876                 DBGC ( tls, "TLS %p could not start certificate validation: "
01877                        "%s\n", tls, strerror ( rc ) );
01878                 return rc;
01879         }
01880         pending_get ( &tls->validation );
01881 
01882         return 0;
01883 }
01884 
01885 /**
01886  * Receive new Finished handshake record
01887  *
01888  * @v tls               TLS connection
01889  * @v data              Plaintext handshake record
01890  * @v len               Length of plaintext handshake record
01891  * @ret rc              Return status code
01892  */
01893 static int tls_new_finished ( struct tls_connection *tls,
01894                               const void *data, size_t len ) {
01895         struct tls_session *session = tls->session;
01896         struct digest_algorithm *digest = tls->handshake_digest;
01897         const struct {
01898                 uint8_t verify_data[ sizeof ( tls->verify.server ) ];
01899                 char next[0];
01900         } __attribute__ (( packed )) *finished = data;
01901         uint8_t digest_out[ digest->digestsize ];
01902 
01903         /* Sanity check */
01904         if ( sizeof ( *finished ) != len ) {
01905                 DBGC ( tls, "TLS %p received overlength Finished\n", tls );
01906                 DBGC_HD ( tls, data, len );
01907                 return -EINVAL_FINISHED;
01908         }
01909 
01910         /* Verify data */
01911         tls_verify_handshake ( tls, digest_out );
01912         tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
01913                         tls->verify.server, sizeof ( tls->verify.server ),
01914                         "server finished", digest_out, sizeof ( digest_out ) );
01915         if ( memcmp ( tls->verify.server, finished->verify_data,
01916                       sizeof ( tls->verify.server ) ) != 0 ) {
01917                 DBGC ( tls, "TLS %p verification failed\n", tls );
01918                 return -EPERM_VERIFY;
01919         }
01920 
01921         /* Mark server as finished */
01922         pending_put ( &tls->server_negotiation );
01923 
01924         /* If we are resuming a session (i.e. if the server Finished
01925          * arrives before the client Finished is sent), then schedule
01926          * transmission of Change Cipher and Finished.
01927          */
01928         if ( is_pending ( &tls->client_negotiation ) ) {
01929                 tls->tx_pending |= ( TLS_TX_CHANGE_CIPHER | TLS_TX_FINISHED );
01930                 tls_tx_resume ( tls );
01931         }
01932 
01933         /* Record session ID, ticket, and master secret, if applicable */
01934         if ( tls->session_id_len || tls->new_session_ticket_len ) {
01935                 memcpy ( session->master_secret, tls->master_secret,
01936                          sizeof ( session->master_secret ) );
01937         }
01938         if ( tls->session_id_len ) {
01939                 session->id_len = tls->session_id_len;
01940                 memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
01941         }
01942         if ( tls->new_session_ticket_len ) {
01943                 free ( session->ticket );
01944                 session->ticket = tls->new_session_ticket;
01945                 session->ticket_len = tls->new_session_ticket_len;
01946                 tls->new_session_ticket = NULL;
01947                 tls->new_session_ticket_len = 0;
01948         }
01949 
01950         /* Move to end of session's connection list and allow other
01951          * connections to start making progress.
01952          */
01953         list_del ( &tls->list );
01954         list_add_tail ( &tls->list, &session->conn );
01955         tls_tx_resume_all ( session );
01956 
01957         /* Send notification of a window change */
01958         xfer_window_changed ( &tls->plainstream );
01959 
01960         return 0;
01961 }
01962 
01963 /**
01964  * Receive new Handshake record
01965  *
01966  * @v tls               TLS connection
01967  * @v data              Plaintext record
01968  * @v len               Length of plaintext record
01969  * @ret rc              Return status code
01970  */
01971 static int tls_new_handshake ( struct tls_connection *tls,
01972                                const void *data, size_t len ) {
01973         size_t remaining = len;
01974         int rc;
01975 
01976         while ( remaining ) {
01977                 const struct {
01978                         uint8_t type;
01979                         tls24_t length;
01980                         uint8_t payload[0];
01981                 } __attribute__ (( packed )) *handshake = data;
01982                 const void *payload;
01983                 size_t payload_len;
01984                 size_t record_len;
01985 
01986                 /* Parse header */
01987                 if ( sizeof ( *handshake ) > remaining ) {
01988                         DBGC ( tls, "TLS %p received underlength Handshake\n",
01989                                tls );
01990                         DBGC_HD ( tls, data, remaining );
01991                         return -EINVAL_HANDSHAKE;
01992                 }
01993                 payload_len = tls_uint24 ( &handshake->length );
01994                 if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
01995                         DBGC ( tls, "TLS %p received overlength Handshake\n",
01996                                tls );
01997                         DBGC_HD ( tls, data, len );
01998                         return -EINVAL_HANDSHAKE;
01999                 }
02000                 payload = &handshake->payload;
02001                 record_len = ( sizeof ( *handshake ) + payload_len );
02002 
02003                 /* Handle payload */
02004                 switch ( handshake->type ) {
02005                 case TLS_HELLO_REQUEST:
02006                         rc = tls_new_hello_request ( tls, payload,
02007                                                      payload_len );
02008                         break;
02009                 case TLS_SERVER_HELLO:
02010                         rc = tls_new_server_hello ( tls, payload, payload_len );
02011                         break;
02012                 case TLS_NEW_SESSION_TICKET:
02013                         rc = tls_new_session_ticket ( tls, payload,
02014                                                       payload_len );
02015                         break;
02016                 case TLS_CERTIFICATE:
02017                         rc = tls_new_certificate ( tls, payload, payload_len );
02018                         break;
02019                 case TLS_CERTIFICATE_REQUEST:
02020                         rc = tls_new_certificate_request ( tls, payload,
02021                                                            payload_len );
02022                         break;
02023                 case TLS_SERVER_HELLO_DONE:
02024                         rc = tls_new_server_hello_done ( tls, payload,
02025                                                          payload_len );
02026                         break;
02027                 case TLS_FINISHED:
02028                         rc = tls_new_finished ( tls, payload, payload_len );
02029                         break;
02030                 default:
02031                         DBGC ( tls, "TLS %p ignoring handshake type %d\n",
02032                                tls, handshake->type );
02033                         rc = 0;
02034                         break;
02035                 }
02036 
02037                 /* Add to handshake digest (except for Hello Requests,
02038                  * which are explicitly excluded).
02039                  */
02040                 if ( handshake->type != TLS_HELLO_REQUEST )
02041                         tls_add_handshake ( tls, data, record_len );
02042 
02043                 /* Abort on failure */
02044                 if ( rc != 0 )
02045                         return rc;
02046 
02047                 /* Move to next handshake record */
02048                 data += record_len;
02049                 remaining -= record_len;
02050         }
02051 
02052         return 0;
02053 }
02054 
02055 /**
02056  * Receive new record
02057  *
02058  * @v tls               TLS connection
02059  * @v type              Record type
02060  * @v rx_data           List of received data buffers
02061  * @ret rc              Return status code
02062  */
02063 static int tls_new_record ( struct tls_connection *tls, unsigned int type,
02064                             struct list_head *rx_data ) {
02065         struct io_buffer *iobuf;
02066         int ( * handler ) ( struct tls_connection *tls, const void *data,
02067                             size_t len );
02068         int rc;
02069 
02070         /* Deliver data records to the plainstream interface */
02071         if ( type == TLS_TYPE_DATA ) {
02072 
02073                 /* Fail unless we are ready to receive data */
02074                 if ( ! tls_ready ( tls ) )
02075                         return -ENOTCONN;
02076 
02077                 /* Deliver each I/O buffer in turn */
02078                 while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
02079                                                      list ) ) ) {
02080                         list_del ( &iobuf->list );
02081                         if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
02082                                                        iobuf ) ) != 0 ) {
02083                                 DBGC ( tls, "TLS %p could not deliver data: "
02084                                        "%s\n", tls, strerror ( rc ) );
02085                                 return rc;
02086                         }
02087                 }
02088                 return 0;
02089         }
02090 
02091         /* For all other records, merge into a single I/O buffer */
02092         iobuf = iob_concatenate ( rx_data );
02093         if ( ! iobuf ) {
02094                 DBGC ( tls, "TLS %p could not concatenate non-data record "
02095                        "type %d\n", tls, type );
02096                 return -ENOMEM_RX_CONCAT;
02097         }
02098 
02099         /* Determine handler */
02100         switch ( type ) {
02101         case TLS_TYPE_CHANGE_CIPHER:
02102                 handler = tls_new_change_cipher;
02103                 break;
02104         case TLS_TYPE_ALERT:
02105                 handler = tls_new_alert;
02106                 break;
02107         case TLS_TYPE_HANDSHAKE:
02108                 handler = tls_new_handshake;
02109                 break;
02110         default:
02111                 /* RFC4346 says that we should just ignore unknown
02112                  * record types.
02113                  */
02114                 handler = NULL;
02115                 DBGC ( tls, "TLS %p ignoring record type %d\n", tls, type );
02116                 break;
02117         }
02118 
02119         /* Handle record and free I/O buffer */
02120         rc = ( handler ? handler ( tls, iobuf->data, iob_len ( iobuf ) ) : 0 );
02121         free_iob ( iobuf );
02122         return rc;
02123 }
02124 
02125 /******************************************************************************
02126  *
02127  * Record encryption/decryption
02128  *
02129  ******************************************************************************
02130  */
02131 
02132 /**
02133  * Initialise HMAC
02134  *
02135  * @v cipherspec        Cipher specification
02136  * @v ctx               Context
02137  * @v seq               Sequence number
02138  * @v tlshdr            TLS header
02139  */
02140 static void tls_hmac_init ( struct tls_cipherspec *cipherspec, void *ctx,
02141                             uint64_t seq, struct tls_header *tlshdr ) {
02142         struct digest_algorithm *digest = cipherspec->suite->digest;
02143 
02144         hmac_init ( digest, ctx, cipherspec->mac_secret, &digest->digestsize );
02145         seq = cpu_to_be64 ( seq );
02146         hmac_update ( digest, ctx, &seq, sizeof ( seq ) );
02147         hmac_update ( digest, ctx, tlshdr, sizeof ( *tlshdr ) );
02148 }
02149 
02150 /**
02151  * Update HMAC
02152  *
02153  * @v cipherspec        Cipher specification
02154  * @v ctx               Context
02155  * @v data              Data
02156  * @v len               Length of data
02157  */
02158 static void tls_hmac_update ( struct tls_cipherspec *cipherspec, void *ctx,
02159                               const void *data, size_t len ) {
02160         struct digest_algorithm *digest = cipherspec->suite->digest;
02161 
02162         hmac_update ( digest, ctx, data, len );
02163 }
02164 
02165 /**
02166  * Finalise HMAC
02167  *
02168  * @v cipherspec        Cipher specification
02169  * @v ctx               Context
02170  * @v mac               HMAC to fill in
02171  */
02172 static void tls_hmac_final ( struct tls_cipherspec *cipherspec, void *ctx,
02173                              void *hmac ) {
02174         struct digest_algorithm *digest = cipherspec->suite->digest;
02175 
02176         hmac_final ( digest, ctx, cipherspec->mac_secret,
02177                      &digest->digestsize, hmac );
02178 }
02179 
02180 /**
02181  * Calculate HMAC
02182  *
02183  * @v cipherspec        Cipher specification
02184  * @v seq               Sequence number
02185  * @v tlshdr            TLS header
02186  * @v data              Data
02187  * @v len               Length of data
02188  * @v mac               HMAC to fill in
02189  */
02190 static void tls_hmac ( struct tls_cipherspec *cipherspec,
02191                        uint64_t seq, struct tls_header *tlshdr,
02192                        const void *data, size_t len, void *hmac ) {
02193         struct digest_algorithm *digest = cipherspec->suite->digest;
02194         uint8_t ctx[digest->ctxsize];
02195 
02196         tls_hmac_init ( cipherspec, ctx, seq, tlshdr );
02197         tls_hmac_update ( cipherspec, ctx, data, len );
02198         tls_hmac_final ( cipherspec, ctx, hmac );
02199 }
02200 
02201 /**
02202  * Allocate and assemble stream-ciphered record from data and MAC portions
02203  *
02204  * @v tls               TLS connection
02205  * @ret data            Data
02206  * @ret len             Length of data
02207  * @ret digest          MAC digest
02208  * @ret plaintext_len   Length of plaintext record
02209  * @ret plaintext       Allocated plaintext record
02210  */
02211 static void * __malloc
02212 tls_assemble_stream ( struct tls_connection *tls, const void *data, size_t len,
02213                       void *digest, size_t *plaintext_len ) {
02214         size_t mac_len = tls->tx_cipherspec.suite->digest->digestsize;
02215         void *plaintext;
02216         void *content;
02217         void *mac;
02218 
02219         /* Calculate stream-ciphered struct length */
02220         *plaintext_len = ( len + mac_len );
02221 
02222         /* Allocate stream-ciphered struct */
02223         plaintext = malloc ( *plaintext_len );
02224         if ( ! plaintext )
02225                 return NULL;
02226         content = plaintext;
02227         mac = ( content + len );
02228 
02229         /* Fill in stream-ciphered struct */
02230         memcpy ( content, data, len );
02231         memcpy ( mac, digest, mac_len );
02232 
02233         return plaintext;
02234 }
02235 
02236 /**
02237  * Allocate and assemble block-ciphered record from data and MAC portions
02238  *
02239  * @v tls               TLS connection
02240  * @ret data            Data
02241  * @ret len             Length of data
02242  * @ret digest          MAC digest
02243  * @ret plaintext_len   Length of plaintext record
02244  * @ret plaintext       Allocated plaintext record
02245  */
02246 static void * tls_assemble_block ( struct tls_connection *tls,
02247                                    const void *data, size_t len,
02248                                    void *digest, size_t *plaintext_len ) {
02249         size_t blocksize = tls->tx_cipherspec.suite->cipher->blocksize;
02250         size_t mac_len = tls->tx_cipherspec.suite->digest->digestsize;
02251         size_t iv_len;
02252         size_t padding_len;
02253         void *plaintext;
02254         void *iv;
02255         void *content;
02256         void *mac;
02257         void *padding;
02258 
02259         /* TLSv1.1 and later use an explicit IV */
02260         iv_len = ( ( tls->version >= TLS_VERSION_TLS_1_1 ) ? blocksize : 0 );
02261 
02262         /* Calculate block-ciphered struct length */
02263         padding_len = ( ( blocksize - 1 ) & -( iv_len + len + mac_len + 1 ) );
02264         *plaintext_len = ( iv_len + len + mac_len + padding_len + 1 );
02265 
02266         /* Allocate block-ciphered struct */
02267         plaintext = malloc ( *plaintext_len );
02268         if ( ! plaintext )
02269                 return NULL;
02270         iv = plaintext;
02271         content = ( iv + iv_len );
02272         mac = ( content + len );
02273         padding = ( mac + mac_len );
02274 
02275         /* Fill in block-ciphered struct */
02276         tls_generate_random ( tls, iv, iv_len );
02277         memcpy ( content, data, len );
02278         memcpy ( mac, digest, mac_len );
02279         memset ( padding, padding_len, ( padding_len + 1 ) );
02280 
02281         return plaintext;
02282 }
02283 
02284 /**
02285  * Send plaintext record
02286  *
02287  * @v tls               TLS connection
02288  * @v type              Record type
02289  * @v data              Plaintext record
02290  * @v len               Length of plaintext record
02291  * @ret rc              Return status code
02292  */
02293 static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
02294                                 const void *data, size_t len ) {
02295         struct tls_header plaintext_tlshdr;
02296         struct tls_header *tlshdr;
02297         struct tls_cipherspec *cipherspec = &tls->tx_cipherspec;
02298         struct cipher_algorithm *cipher = cipherspec->suite->cipher;
02299         void *plaintext = NULL;
02300         size_t plaintext_len;
02301         struct io_buffer *ciphertext = NULL;
02302         size_t ciphertext_len;
02303         size_t mac_len = cipherspec->suite->digest->digestsize;
02304         uint8_t mac[mac_len];
02305         int rc;
02306 
02307         /* Construct header */
02308         plaintext_tlshdr.type = type;
02309         plaintext_tlshdr.version = htons ( tls->version );
02310         plaintext_tlshdr.length = htons ( len );
02311 
02312         /* Calculate MAC */
02313         tls_hmac ( cipherspec, tls->tx_seq, &plaintext_tlshdr, data, len, mac );
02314 
02315         /* Allocate and assemble plaintext struct */
02316         if ( is_stream_cipher ( cipher ) ) {
02317                 plaintext = tls_assemble_stream ( tls, data, len, mac,
02318                                                   &plaintext_len );
02319         } else {
02320                 plaintext = tls_assemble_block ( tls, data, len, mac,
02321                                                  &plaintext_len );
02322         }
02323         if ( ! plaintext ) {
02324                 DBGC ( tls, "TLS %p could not allocate %zd bytes for "
02325                        "plaintext\n", tls, plaintext_len );
02326                 rc = -ENOMEM_TX_PLAINTEXT;
02327                 goto done;
02328         }
02329 
02330         DBGC2 ( tls, "Sending plaintext data:\n" );
02331         DBGC2_HD ( tls, plaintext, plaintext_len );
02332 
02333         /* Allocate ciphertext */
02334         ciphertext_len = ( sizeof ( *tlshdr ) + plaintext_len );
02335         ciphertext = xfer_alloc_iob ( &tls->cipherstream, ciphertext_len );
02336         if ( ! ciphertext ) {
02337                 DBGC ( tls, "TLS %p could not allocate %zd bytes for "
02338                        "ciphertext\n", tls, ciphertext_len );
02339                 rc = -ENOMEM_TX_CIPHERTEXT;
02340                 goto done;
02341         }
02342 
02343         /* Assemble ciphertext */
02344         tlshdr = iob_put ( ciphertext, sizeof ( *tlshdr ) );
02345         tlshdr->type = type;
02346         tlshdr->version = htons ( tls->version );
02347         tlshdr->length = htons ( plaintext_len );
02348         memcpy ( cipherspec->cipher_next_ctx, cipherspec->cipher_ctx,
02349                  cipher->ctxsize );
02350         cipher_encrypt ( cipher, cipherspec->cipher_next_ctx, plaintext,
02351                          iob_put ( ciphertext, plaintext_len ), plaintext_len );
02352 
02353         /* Free plaintext as soon as possible to conserve memory */
02354         free ( plaintext );
02355         plaintext = NULL;
02356 
02357         /* Send ciphertext */
02358         if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
02359                                        iob_disown ( ciphertext ) ) ) != 0 ) {
02360                 DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
02361                        tls, strerror ( rc ) );
02362                 goto done;
02363         }
02364 
02365         /* Update TX state machine to next record */
02366         tls->tx_seq += 1;
02367         memcpy ( tls->tx_cipherspec.cipher_ctx,
02368                  tls->tx_cipherspec.cipher_next_ctx, cipher->ctxsize );
02369 
02370  done:
02371         free ( plaintext );
02372         free_iob ( ciphertext );
02373         return rc;
02374 }
02375 
02376 /**
02377  * Split stream-ciphered record into data and MAC portions
02378  *
02379  * @v tls               TLS connection
02380  * @v rx_data           List of received data buffers
02381  * @v mac               MAC to fill in
02382  * @ret rc              Return status code
02383  */
02384 static int tls_split_stream ( struct tls_connection *tls,
02385                               struct list_head *rx_data, void **mac ) {
02386         size_t mac_len = tls->rx_cipherspec.suite->digest->digestsize;
02387         struct io_buffer *iobuf;
02388 
02389         /* Extract MAC */
02390         iobuf = list_last_entry ( rx_data, struct io_buffer, list );
02391         assert ( iobuf != NULL );
02392         if ( iob_len ( iobuf ) < mac_len ) {
02393                 DBGC ( tls, "TLS %p received underlength MAC\n", tls );
02394                 DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
02395                 return -EINVAL_STREAM;
02396         }
02397         iob_unput ( iobuf, mac_len );
02398         *mac = iobuf->tail;
02399 
02400         return 0;
02401 }
02402 
02403 /**
02404  * Split block-ciphered record into data and MAC portions
02405  *
02406  * @v tls               TLS connection
02407  * @v rx_data           List of received data buffers
02408  * @v mac               MAC to fill in
02409  * @ret rc              Return status code
02410  */
02411 static int tls_split_block ( struct tls_connection *tls,
02412                              struct list_head *rx_data, void **mac ) {
02413         size_t mac_len = tls->rx_cipherspec.suite->digest->digestsize;
02414         struct io_buffer *iobuf;
02415         size_t iv_len;
02416         uint8_t *padding_final;
02417         uint8_t *padding;
02418         size_t padding_len;
02419 
02420         /* TLSv1.1 and later use an explicit IV */
02421         iobuf = list_first_entry ( rx_data, struct io_buffer, list );
02422         iv_len = ( ( tls->version >= TLS_VERSION_TLS_1_1 ) ?
02423                    tls->rx_cipherspec.suite->cipher->blocksize : 0 );
02424         if ( iob_len ( iobuf ) < iv_len ) {
02425                 DBGC ( tls, "TLS %p received underlength IV\n", tls );
02426                 DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
02427                 return -EINVAL_BLOCK;
02428         }
02429         iob_pull ( iobuf, iv_len );
02430 
02431         /* Extract and verify padding */
02432         iobuf = list_last_entry ( rx_data, struct io_buffer, list );
02433         padding_final = ( iobuf->tail - 1 );
02434         padding_len = *padding_final;
02435         if ( ( padding_len + 1 ) > iob_len ( iobuf ) ) {
02436                 DBGC ( tls, "TLS %p received underlength padding\n", tls );
02437                 DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
02438                 return -EINVAL_BLOCK;
02439         }
02440         iob_unput ( iobuf, ( padding_len + 1 ) );
02441         for ( padding = iobuf->tail ; padding < padding_final ; padding++ ) {
02442                 if ( *padding != padding_len ) {
02443                         DBGC ( tls, "TLS %p received bad padding\n", tls );
02444                         DBGC_HD ( tls, padding, padding_len );
02445                         return -EINVAL_PADDING;
02446                 }
02447         }
02448 
02449         /* Extract MAC */
02450         if ( iob_len ( iobuf ) < mac_len ) {
02451                 DBGC ( tls, "TLS %p received underlength MAC\n", tls );
02452                 DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
02453                 return -EINVAL_BLOCK;
02454         }
02455         iob_unput ( iobuf, mac_len );
02456         *mac = iobuf->tail;
02457 
02458         return 0;
02459 }
02460 
02461 /**
02462  * Receive new ciphertext record
02463  *
02464  * @v tls               TLS connection
02465  * @v tlshdr            Record header
02466  * @v rx_data           List of received data buffers
02467  * @ret rc              Return status code
02468  */
02469 static int tls_new_ciphertext ( struct tls_connection *tls,
02470                                 struct tls_header *tlshdr,
02471                                 struct list_head *rx_data ) {
02472         struct tls_header plaintext_tlshdr;
02473         struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
02474         struct cipher_algorithm *cipher = cipherspec->suite->cipher;
02475         struct digest_algorithm *digest = cipherspec->suite->digest;
02476         uint8_t ctx[digest->ctxsize];
02477         uint8_t verify_mac[digest->digestsize];
02478         struct io_buffer *iobuf;
02479         void *mac;
02480         size_t len = 0;
02481         int rc;
02482 
02483         /* Decrypt the received data */
02484         list_for_each_entry ( iobuf, &tls->rx_data, list ) {
02485                 cipher_decrypt ( cipher, cipherspec->cipher_ctx,
02486                                  iobuf->data, iobuf->data, iob_len ( iobuf ) );
02487         }
02488 
02489         /* Split record into content and MAC */
02490         if ( is_stream_cipher ( cipher ) ) {
02491                 if ( ( rc = tls_split_stream ( tls, rx_data, &mac ) ) != 0 )
02492                         return rc;
02493         } else {
02494                 if ( ( rc = tls_split_block ( tls, rx_data, &mac ) ) != 0 )
02495                         return rc;
02496         }
02497 
02498         /* Calculate total length */
02499         DBGC2 ( tls, "Received plaintext data:\n" );
02500         list_for_each_entry ( iobuf, rx_data, list ) {
02501                 DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
02502                 len += iob_len ( iobuf );
02503         }
02504 
02505         /* Verify MAC */
02506         plaintext_tlshdr.type = tlshdr->type;
02507         plaintext_tlshdr.version = tlshdr->version;
02508         plaintext_tlshdr.length = htons ( len );
02509         tls_hmac_init ( cipherspec, ctx, tls->rx_seq, &plaintext_tlshdr );
02510         list_for_each_entry ( iobuf, rx_data, list ) {
02511                 tls_hmac_update ( cipherspec, ctx, iobuf->data,
02512                                   iob_len ( iobuf ) );
02513         }
02514         tls_hmac_final ( cipherspec, ctx, verify_mac );
02515         if ( memcmp ( mac, verify_mac, sizeof ( verify_mac ) ) != 0 ) {
02516                 DBGC ( tls, "TLS %p failed MAC verification\n", tls );
02517                 return -EINVAL_MAC;
02518         }
02519 
02520         /* Process plaintext record */
02521         if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
02522                 return rc;
02523 
02524         return 0;
02525 }
02526 
02527 /******************************************************************************
02528  *
02529  * Plaintext stream operations
02530  *
02531  ******************************************************************************
02532  */
02533 
02534 /**
02535  * Check flow control window
02536  *
02537  * @v tls               TLS connection
02538  * @ret len             Length of window
02539  */
02540 static size_t tls_plainstream_window ( struct tls_connection *tls ) {
02541 
02542         /* Block window unless we are ready to accept data */
02543         if ( ! tls_ready ( tls ) )
02544                 return 0;
02545 
02546         return xfer_window ( &tls->cipherstream );
02547 }
02548 
02549 /**
02550  * Deliver datagram as raw data
02551  *
02552  * @v tls               TLS connection
02553  * @v iobuf             I/O buffer
02554  * @v meta              Data transfer metadata
02555  * @ret rc              Return status code
02556  */
02557 static int tls_plainstream_deliver ( struct tls_connection *tls,
02558                                      struct io_buffer *iobuf,
02559                                      struct xfer_metadata *meta __unused ) {
02560         int rc;
02561         
02562         /* Refuse unless we are ready to accept data */
02563         if ( ! tls_ready ( tls ) ) {
02564                 rc = -ENOTCONN;
02565                 goto done;
02566         }
02567 
02568         if ( ( rc = tls_send_plaintext ( tls, TLS_TYPE_DATA, iobuf->data,
02569                                          iob_len ( iobuf ) ) ) != 0 )
02570                 goto done;
02571 
02572  done:
02573         free_iob ( iobuf );
02574         return rc;
02575 }
02576 
02577 /**
02578  * Report job progress
02579  *
02580  * @v tls               TLS connection
02581  * @v progress          Progress report to fill in
02582  * @ret ongoing_rc      Ongoing job status code (if known)
02583  */
02584 static int tls_progress ( struct tls_connection *tls,
02585                           struct job_progress *progress ) {
02586 
02587         /* Return cipherstream or validator progress as applicable */
02588         if ( is_pending ( &tls->validation ) ) {
02589                 return job_progress ( &tls->validator, progress );
02590         } else {
02591                 return job_progress ( &tls->cipherstream, progress );
02592         }
02593 }
02594 
02595 /** TLS plaintext stream interface operations */
02596 static struct interface_operation tls_plainstream_ops[] = {
02597         INTF_OP ( xfer_deliver, struct tls_connection *,
02598                   tls_plainstream_deliver ),
02599         INTF_OP ( xfer_window, struct tls_connection *,
02600                   tls_plainstream_window ),
02601         INTF_OP ( job_progress, struct tls_connection *, tls_progress ),
02602         INTF_OP ( intf_close, struct tls_connection *, tls_close ),
02603 };
02604 
02605 /** TLS plaintext stream interface descriptor */
02606 static struct interface_descriptor tls_plainstream_desc =
02607         INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
02608                              tls_plainstream_ops, cipherstream );
02609 
02610 /******************************************************************************
02611  *
02612  * Ciphertext stream operations
02613  *
02614  ******************************************************************************
02615  */
02616 
02617 /**
02618  * Handle received TLS header
02619  *
02620  * @v tls               TLS connection
02621  * @ret rc              Returned status code
02622  */
02623 static int tls_newdata_process_header ( struct tls_connection *tls ) {
02624         size_t data_len = ntohs ( tls->rx_header.length );
02625         size_t remaining = data_len;
02626         size_t frag_len;
02627         struct io_buffer *iobuf;
02628         struct io_buffer *tmp;
02629         int rc;
02630 
02631         /* Allocate data buffers now that we know the length */
02632         assert ( list_empty ( &tls->rx_data ) );
02633         while ( remaining ) {
02634 
02635                 /* Calculate fragment length.  Ensure that no block is
02636                  * smaller than TLS_RX_MIN_BUFSIZE (by increasing the
02637                  * allocation length if necessary).
02638                  */
02639                 frag_len = remaining;
02640                 if ( frag_len > TLS_RX_BUFSIZE )
02641                         frag_len = TLS_RX_BUFSIZE;
02642                 remaining -= frag_len;
02643                 if ( remaining < TLS_RX_MIN_BUFSIZE ) {
02644                         frag_len += remaining;
02645                         remaining = 0;
02646                 }
02647 
02648                 /* Allocate buffer */
02649                 iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
02650                 if ( ! iobuf ) {
02651                         DBGC ( tls, "TLS %p could not allocate %zd of %zd "
02652                                "bytes for receive buffer\n", tls,
02653                                remaining, data_len );
02654                         rc = -ENOMEM_RX_DATA;
02655                         goto err;
02656                 }
02657 
02658                 /* Ensure tailroom is exactly what we asked for.  This
02659                  * will result in unaligned I/O buffers when the
02660                  * fragment length is unaligned, which can happen only
02661                  * before we switch to using a block cipher.
02662                  */
02663                 iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
02664 
02665                 /* Add I/O buffer to list */
02666                 list_add_tail ( &iobuf->list, &tls->rx_data );
02667         }
02668 
02669         /* Move to data state */
02670         tls->rx_state = TLS_RX_DATA;
02671 
02672         return 0;
02673 
02674  err:
02675         list_for_each_entry_safe ( iobuf, tmp, &tls->rx_data, list ) {
02676                 list_del ( &iobuf->list );
02677                 free_iob ( iobuf );
02678         }
02679         return rc;
02680 }
02681 
02682 /**
02683  * Handle received TLS data payload
02684  *
02685  * @v tls               TLS connection
02686  * @ret rc              Returned status code
02687  */
02688 static int tls_newdata_process_data ( struct tls_connection *tls ) {
02689         struct io_buffer *iobuf;
02690         int rc;
02691 
02692         /* Move current buffer to end of list */
02693         iobuf = list_first_entry ( &tls->rx_data, struct io_buffer, list );
02694         list_del ( &iobuf->list );
02695         list_add_tail ( &iobuf->list, &tls->rx_data );
02696 
02697         /* Continue receiving data if any space remains */
02698         iobuf = list_first_entry ( &tls->rx_data, struct io_buffer, list );
02699         if ( iob_tailroom ( iobuf ) )
02700                 return 0;
02701 
02702         /* Process record */
02703         if ( ( rc = tls_new_ciphertext ( tls, &tls->rx_header,
02704                                          &tls->rx_data ) ) != 0 )
02705                 return rc;
02706 
02707         /* Increment RX sequence number */
02708         tls->rx_seq += 1;
02709 
02710         /* Return to header state */
02711         assert ( list_empty ( &tls->rx_data ) );
02712         tls->rx_state = TLS_RX_HEADER;
02713         iob_unput ( &tls->rx_header_iobuf, sizeof ( tls->rx_header ) );
02714 
02715         return 0;
02716 }
02717 
02718 /**
02719  * Check flow control window
02720  *
02721  * @v tls               TLS connection
02722  * @ret len             Length of window
02723  */
02724 static size_t tls_cipherstream_window ( struct tls_connection *tls ) {
02725 
02726         /* Open window until we are ready to accept data */
02727         if ( ! tls_ready ( tls ) )
02728                 return -1UL;
02729 
02730         return xfer_window ( &tls->plainstream );
02731 }
02732 
02733 /**
02734  * Receive new ciphertext
02735  *
02736  * @v tls               TLS connection
02737  * @v iobuf             I/O buffer
02738  * @v meta              Data transfer metadat
02739  * @ret rc              Return status code
02740  */
02741 static int tls_cipherstream_deliver ( struct tls_connection *tls,
02742                                       struct io_buffer *iobuf,
02743                                       struct xfer_metadata *xfer __unused ) {
02744         size_t frag_len;
02745         int ( * process ) ( struct tls_connection *tls );
02746         struct io_buffer *dest;
02747         int rc;
02748 
02749         while ( iob_len ( iobuf ) ) {
02750 
02751                 /* Select buffer according to current state */
02752                 switch ( tls->rx_state ) {
02753                 case TLS_RX_HEADER:
02754                         dest = &tls->rx_header_iobuf;
02755                         process = tls_newdata_process_header;
02756                         break;
02757                 case TLS_RX_DATA:
02758                         dest = list_first_entry ( &tls->rx_data,
02759                                                   struct io_buffer, list );
02760                         assert ( dest != NULL );
02761                         process = tls_newdata_process_data;
02762                         break;
02763                 default:
02764                         assert ( 0 );
02765                         rc = -EINVAL_RX_STATE;
02766                         goto done;
02767                 }
02768 
02769                 /* Copy data portion to buffer */
02770                 frag_len = iob_len ( iobuf );
02771                 if ( frag_len > iob_tailroom ( dest ) )
02772                         frag_len = iob_tailroom ( dest );
02773                 memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
02774                 iob_pull ( iobuf, frag_len );
02775 
02776                 /* Process data if buffer is now full */
02777                 if ( iob_tailroom ( dest ) == 0 ) {
02778                         if ( ( rc = process ( tls ) ) != 0 ) {
02779                                 tls_close ( tls, rc );
02780                                 goto done;
02781                         }
02782                 }
02783         }
02784         rc = 0;
02785 
02786  done:
02787         free_iob ( iobuf );
02788         return rc;
02789 }
02790 
02791 /** TLS ciphertext stream interface operations */
02792 static struct interface_operation tls_cipherstream_ops[] = {
02793         INTF_OP ( xfer_deliver, struct tls_connection *,
02794                   tls_cipherstream_deliver ),
02795         INTF_OP ( xfer_window, struct tls_connection *,
02796                   tls_cipherstream_window ),
02797         INTF_OP ( xfer_window_changed, struct tls_connection *,
02798                   tls_tx_resume ),
02799         INTF_OP ( intf_close, struct tls_connection *, tls_close ),
02800 };
02801 
02802 /** TLS ciphertext stream interface descriptor */
02803 static struct interface_descriptor tls_cipherstream_desc =
02804         INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
02805                              tls_cipherstream_ops, plainstream );
02806 
02807 /******************************************************************************
02808  *
02809  * Certificate validator
02810  *
02811  ******************************************************************************
02812  */
02813 
02814 /**
02815  * Handle certificate validation completion
02816  *
02817  * @v tls               TLS connection
02818  * @v rc                Reason for completion
02819  */
02820 static void tls_validator_done ( struct tls_connection *tls, int rc ) {
02821         struct tls_session *session = tls->session;
02822         struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
02823         struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
02824         struct x509_certificate *cert;
02825 
02826         /* Mark validation as complete */
02827         pending_put ( &tls->validation );
02828 
02829         /* Close validator interface */
02830         intf_restart ( &tls->validator, rc );
02831 
02832         /* Check for validation failure */
02833         if ( rc != 0 ) {
02834                 DBGC ( tls, "TLS %p certificate validation failed: %s\n",
02835                        tls, strerror ( rc ) );
02836                 goto err;
02837         }
02838         DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );
02839 
02840         /* Extract first certificate */
02841         cert = x509_first ( tls->chain );
02842         assert ( cert != NULL );
02843 
02844         /* Verify server name */
02845         if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
02846                 DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
02847                        tls, session->name, strerror ( rc ) );
02848                 goto err;
02849         }
02850 
02851         /* Initialise public key algorithm */
02852         if ( ( rc = pubkey_init ( pubkey, cipherspec->pubkey_ctx,
02853                                   cert->subject.public_key.raw.data,
02854                                   cert->subject.public_key.raw.len ) ) != 0 ) {
02855                 DBGC ( tls, "TLS %p cannot initialise public key: %s\n",
02856                        tls, strerror ( rc ) );
02857                 goto err;
02858         }
02859 
02860         /* Schedule Client Key Exchange, Change Cipher, and Finished */
02861         tls->tx_pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
02862                              TLS_TX_CHANGE_CIPHER |
02863                              TLS_TX_FINISHED );
02864         if ( tls->cert ) {
02865                 tls->tx_pending |= ( TLS_TX_CERTIFICATE |
02866                                      TLS_TX_CERTIFICATE_VERIFY );
02867         }
02868         tls_tx_resume ( tls );
02869 
02870         return;
02871 
02872  err:
02873         tls_close ( tls, rc );
02874         return;
02875 }
02876 
02877 /** TLS certificate validator interface operations */
02878 static struct interface_operation tls_validator_ops[] = {
02879         INTF_OP ( intf_close, struct tls_connection *, tls_validator_done ),
02880 };
02881 
02882 /** TLS certificate validator interface descriptor */
02883 static struct interface_descriptor tls_validator_desc =
02884         INTF_DESC ( struct tls_connection, validator, tls_validator_ops );
02885 
02886 /******************************************************************************
02887  *
02888  * Controlling process
02889  *
02890  ******************************************************************************
02891  */
02892 
02893 /**
02894  * TLS TX state machine
02895  *
02896  * @v tls               TLS connection
02897  */
02898 static void tls_tx_step ( struct tls_connection *tls ) {
02899         struct tls_session *session = tls->session;
02900         struct tls_connection *conn;
02901         int rc;
02902 
02903         /* Wait for cipherstream to become ready */
02904         if ( ! xfer_window ( &tls->cipherstream ) )
02905                 return;
02906 
02907         /* Send first pending transmission */
02908         if ( tls->tx_pending & TLS_TX_CLIENT_HELLO ) {
02909                 /* Serialise server negotiations within a session, to
02910                  * provide a consistent view of session IDs and
02911                  * session tickets.
02912                  */
02913                 list_for_each_entry ( conn, &session->conn, list ) {
02914                         if ( conn == tls )
02915                                 break;
02916                         if ( is_pending ( &conn->server_negotiation ) )
02917                                 return;
02918                 }
02919                 /* Record or generate session ID and associated master secret */
02920                 if ( session->id_len ) {
02921                         /* Attempt to resume an existing session */
02922                         memcpy ( tls->session_id, session->id,
02923                                  sizeof ( tls->session_id ) );
02924                         tls->session_id_len = session->id_len;
02925                         memcpy ( tls->master_secret, session->master_secret,
02926                                  sizeof ( tls->master_secret ) );
02927                 } else {
02928                         /* No existing session: use a random session ID */
02929                         assert ( sizeof ( tls->session_id ) ==
02930                                  sizeof ( tls->client_random ) );
02931                         memcpy ( tls->session_id, &tls->client_random,
02932                                  sizeof ( tls->session_id ) );
02933                         tls->session_id_len = sizeof ( tls->session_id );
02934                 }
02935                 /* Send Client Hello */
02936                 if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
02937                         DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
02938                                tls, strerror ( rc ) );
02939                         goto err;
02940                 }
02941                 tls->tx_pending &= ~TLS_TX_CLIENT_HELLO;
02942         } else if ( tls->tx_pending & TLS_TX_CERTIFICATE ) {
02943                 /* Send Certificate */
02944                 if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
02945                         DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
02946                                tls, strerror ( rc ) );
02947                         goto err;
02948                 }
02949                 tls->tx_pending &= ~TLS_TX_CERTIFICATE;
02950         } else if ( tls->tx_pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
02951                 /* Send Client Key Exchange */
02952                 if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
02953                         DBGC ( tls, "TLS %p could not send Client Key "
02954                                "Exchange: %s\n", tls, strerror ( rc ) );
02955                         goto err;
02956                 }
02957                 tls->tx_pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
02958         } else if ( tls->tx_pending & TLS_TX_CERTIFICATE_VERIFY ) {
02959                 /* Send Certificate Verify */
02960                 if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
02961                         DBGC ( tls, "TLS %p could not send Certificate "
02962                                "Verify: %s\n", tls, strerror ( rc ) );
02963                         goto err;
02964                 }
02965                 tls->tx_pending &= ~TLS_TX_CERTIFICATE_VERIFY;
02966         } else if ( tls->tx_pending & TLS_TX_CHANGE_CIPHER ) {
02967                 /* Send Change Cipher, and then change the cipher in use */
02968                 if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
02969                         DBGC ( tls, "TLS %p could not send Change Cipher: "
02970                                "%s\n", tls, strerror ( rc ) );
02971                         goto err;
02972                 }
02973                 if ( ( rc = tls_change_cipher ( tls,
02974                                                 &tls->tx_cipherspec_pending,
02975                                                 &tls->tx_cipherspec )) != 0 ){
02976                         DBGC ( tls, "TLS %p could not activate TX cipher: "
02977                                "%s\n", tls, strerror ( rc ) );
02978                         goto err;
02979                 }
02980                 tls->tx_seq = 0;
02981                 tls->tx_pending &= ~TLS_TX_CHANGE_CIPHER;
02982         } else if ( tls->tx_pending & TLS_TX_FINISHED ) {
02983                 /* Send Finished */
02984                 if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
02985                         DBGC ( tls, "TLS %p could not send Finished: %s\n",
02986                                tls, strerror ( rc ) );
02987                         goto err;
02988                 }
02989                 tls->tx_pending &= ~TLS_TX_FINISHED;
02990         }
02991 
02992         /* Reschedule process if pending transmissions remain,
02993          * otherwise send notification of a window change.
02994          */
02995         if ( tls->tx_pending ) {
02996                 tls_tx_resume ( tls );
02997         } else {
02998                 xfer_window_changed ( &tls->plainstream );
02999         }
03000 
03001         return;
03002 
03003  err:
03004         tls_close ( tls, rc );
03005 }
03006 
03007 /** TLS TX process descriptor */
03008 static struct process_descriptor tls_process_desc =
03009         PROC_DESC_ONCE ( struct tls_connection, process, tls_tx_step );
03010 
03011 /******************************************************************************
03012  *
03013  * Session management
03014  *
03015  ******************************************************************************
03016  */
03017 
03018 /**
03019  * Find or create session for TLS connection
03020  *
03021  * @v tls               TLS connection
03022  * @v name              Server name
03023  * @ret rc              Return status code
03024  */
03025 static int tls_session ( struct tls_connection *tls, const char *name ) {
03026         struct tls_session *session;
03027         char *name_copy;
03028         int rc;
03029 
03030         /* Find existing matching session, if any */
03031         list_for_each_entry ( session, &tls_sessions, list ) {
03032                 if ( strcmp ( name, session->name ) == 0 ) {
03033                         ref_get ( &session->refcnt );
03034                         tls->session = session;
03035                         DBGC ( tls, "TLS %p joining session %s\n", tls, name );
03036                         return 0;
03037                 }
03038         }
03039 
03040         /* Create new session */
03041         session = zalloc ( sizeof ( *session ) + strlen ( name )
03042                            + 1 /* NUL */ );
03043         if ( ! session ) {
03044                 rc = -ENOMEM;
03045                 goto err_alloc;
03046         }
03047         ref_init ( &session->refcnt, free_tls_session );
03048         name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
03049         strcpy ( name_copy, name );
03050         session->name = name_copy;
03051         INIT_LIST_HEAD ( &session->conn );
03052         list_add ( &session->list, &tls_sessions );
03053 
03054         /* Record session */
03055         tls->session = session;
03056 
03057         DBGC ( tls, "TLS %p created session %s\n", tls, name );
03058         return 0;
03059 
03060         ref_put ( &session->refcnt );
03061  err_alloc:
03062         return rc;
03063 }
03064 
03065 /******************************************************************************
03066  *
03067  * Instantiator
03068  *
03069  ******************************************************************************
03070  */
03071 
03072 int add_tls ( struct interface *xfer, const char *name,
03073               struct interface **next ) {
03074         struct tls_connection *tls;
03075         int rc;
03076 
03077         /* Allocate and initialise TLS structure */
03078         tls = malloc ( sizeof ( *tls ) );
03079         if ( ! tls ) {
03080                 rc = -ENOMEM;
03081                 goto err_alloc;
03082         }
03083         memset ( tls, 0, sizeof ( *tls ) );
03084         ref_init ( &tls->refcnt, free_tls );
03085         INIT_LIST_HEAD ( &tls->list );
03086         intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
03087         intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
03088         intf_init ( &tls->validator, &tls_validator_desc, &tls->refcnt );
03089         process_init ( &tls->process, &tls_process_desc, &tls->refcnt );
03090         tls->version = TLS_VERSION_TLS_1_2;
03091         tls_clear_cipher ( tls, &tls->tx_cipherspec );
03092         tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
03093         tls_clear_cipher ( tls, &tls->rx_cipherspec );
03094         tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
03095         tls->client_random.gmt_unix_time = time ( NULL );
03096         iob_populate ( &tls->rx_header_iobuf, &tls->rx_header, 0,
03097                        sizeof ( tls->rx_header ) );
03098         INIT_LIST_HEAD ( &tls->rx_data );
03099         if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
03100                           ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
03101                 goto err_random;
03102         }
03103         tls->pre_master_secret.version = htons ( tls->version );
03104         if ( ( rc = tls_generate_random ( tls, &tls->pre_master_secret.random,
03105                       ( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) {
03106                 goto err_random;
03107         }
03108         if ( ( rc = tls_session ( tls, name ) ) != 0 )
03109                 goto err_session;
03110         list_add_tail ( &tls->list, &tls->session->conn );
03111 
03112         /* Start negotiation */
03113         tls_restart ( tls );
03114 
03115         /* Attach to parent interface, mortalise self, and return */
03116         intf_plug_plug ( &tls->plainstream, xfer );
03117         *next = &tls->cipherstream;
03118         ref_put ( &tls->refcnt );
03119         return 0;
03120 
03121  err_session:
03122  err_random:
03123         ref_put ( &tls->refcnt );
03124  err_alloc:
03125         return rc;
03126 }
03127 
03128 /* Drag in objects via add_tls() */
03129 REQUIRING_SYMBOL ( add_tls );
03130 
03131 /* Drag in crypto configuration */
03132 REQUIRE_OBJECT ( config_crypto );