tls.c File Reference

Transport Layer Security Protocol. More...

#include <stdint.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <byteswap.h>
#include <ipxe/pending.h>
#include <ipxe/hmac.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/sha256.h>
#include <ipxe/aes.h>
#include <ipxe/rsa.h>
#include <ipxe/iobuf.h>
#include <ipxe/xfer.h>
#include <ipxe/open.h>
#include <ipxe/x509.h>
#include <ipxe/privkey.h>
#include <ipxe/certstore.h>
#include <ipxe/rootcert.h>
#include <ipxe/rbg.h>
#include <ipxe/validator.h>
#include <ipxe/job.h>
#include <ipxe/dhe.h>
#include <ipxe/ecdhe.h>
#include <ipxe/tls.h>
#include <config/crypto.h>

Go to the source code of this file.

Data Structures
struct	tls24_t
	A TLS 24-bit integer. More...

Macros
#define	EINVAL_CHANGE_CIPHER   __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
#define	EINFO_EINVAL_CHANGE_CIPHER
#define	EINVAL_ALERT   __einfo_error ( EINFO_EINVAL_ALERT )
#define	EINFO_EINVAL_ALERT
#define	EINVAL_HELLO   __einfo_error ( EINFO_EINVAL_HELLO )
#define	EINFO_EINVAL_HELLO
#define	EINVAL_CERTIFICATE   __einfo_error ( EINFO_EINVAL_CERTIFICATE )
#define	EINFO_EINVAL_CERTIFICATE
#define	EINVAL_CERTIFICATES   __einfo_error ( EINFO_EINVAL_CERTIFICATES )
#define	EINFO_EINVAL_CERTIFICATES
#define	EINVAL_HELLO_DONE   __einfo_error ( EINFO_EINVAL_HELLO_DONE )
#define	EINFO_EINVAL_HELLO_DONE
#define	EINVAL_FINISHED   __einfo_error ( EINFO_EINVAL_FINISHED )
#define	EINFO_EINVAL_FINISHED
#define	EINVAL_HANDSHAKE   __einfo_error ( EINFO_EINVAL_HANDSHAKE )
#define	EINFO_EINVAL_HANDSHAKE
#define	EINVAL_IV   __einfo_error ( EINFO_EINVAL_IV )
#define	EINFO_EINVAL_IV
#define	EINVAL_PADDING   __einfo_error ( EINFO_EINVAL_PADDING )
#define	EINFO_EINVAL_PADDING
#define	EINVAL_RX_STATE   __einfo_error ( EINFO_EINVAL_RX_STATE )
#define	EINFO_EINVAL_RX_STATE
#define	EINVAL_MAC   __einfo_error ( EINFO_EINVAL_MAC )
#define	EINFO_EINVAL_MAC
#define	EINVAL_TICKET   __einfo_error ( EINFO_EINVAL_TICKET )
#define	EINFO_EINVAL_TICKET
#define	EINVAL_KEY_EXCHANGE   __einfo_error ( EINFO_EINVAL_KEY_EXCHANGE )
#define	EINFO_EINVAL_KEY_EXCHANGE
#define	EIO_ALERT   __einfo_error ( EINFO_EIO_ALERT )
#define	EINFO_EIO_ALERT
#define	ENOMEM_CONTEXT   __einfo_error ( EINFO_ENOMEM_CONTEXT )
#define	EINFO_ENOMEM_CONTEXT
#define	ENOMEM_CERTIFICATE   __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
#define	EINFO_ENOMEM_CERTIFICATE
#define	ENOMEM_CHAIN   __einfo_error ( EINFO_ENOMEM_CHAIN )
#define	EINFO_ENOMEM_CHAIN
#define	ENOMEM_TX_PLAINTEXT   __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
#define	EINFO_ENOMEM_TX_PLAINTEXT
#define	ENOMEM_TX_CIPHERTEXT   __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
#define	EINFO_ENOMEM_TX_CIPHERTEXT
#define	ENOMEM_RX_DATA   __einfo_error ( EINFO_ENOMEM_RX_DATA )
#define	EINFO_ENOMEM_RX_DATA
#define	ENOMEM_RX_CONCAT   __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
#define	EINFO_ENOMEM_RX_CONCAT
#define	ENOTSUP_CIPHER   __einfo_error ( EINFO_ENOTSUP_CIPHER )
#define	EINFO_ENOTSUP_CIPHER
#define	ENOTSUP_NULL   __einfo_error ( EINFO_ENOTSUP_NULL )
#define	EINFO_ENOTSUP_NULL
#define	ENOTSUP_SIG_HASH   __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
#define	EINFO_ENOTSUP_SIG_HASH
#define	ENOTSUP_VERSION   __einfo_error ( EINFO_ENOTSUP_VERSION )
#define	EINFO_ENOTSUP_VERSION
#define	ENOTSUP_CURVE   __einfo_error ( EINFO_ENOTSUP_CURVE )
#define	EINFO_ENOTSUP_CURVE
#define	EPERM_ALERT   __einfo_error ( EINFO_EPERM_ALERT )
#define	EINFO_EPERM_ALERT
#define	EPERM_VERIFY   __einfo_error ( EINFO_EPERM_VERIFY )
#define	EINFO_EPERM_VERIFY
#define	EPERM_RENEG_INSECURE   __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
#define	EINFO_EPERM_RENEG_INSECURE
#define	EPERM_RENEG_VERIFY   __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
#define	EINFO_EPERM_RENEG_VERIFY
#define	EPERM_KEY_EXCHANGE   __einfo_error ( EINFO_EPERM_KEY_EXCHANGE )
#define	EINFO_EPERM_KEY_EXCHANGE
#define	EPERM_EMS   __einfo_error ( EINFO_EPERM_EMS )
#define	EINFO_EPERM_EMS
#define	EPROTO_VERSION   __einfo_error ( EINFO_EPROTO_VERSION )
#define	EINFO_EPROTO_VERSION
#define	tls_prf_label(tls, secret, secret_len, out, out_len, label, ...)
	Generate secure pseudo-random data. More...
#define	TLS_NUM_CIPHER_SUITES   table_num_entries ( TLS_CIPHER_SUITES )
	Number of supported cipher suites. More...
#define	TLS_NUM_SIG_HASH_ALGORITHMS   table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
	Number of supported signature and hash algorithms. More...
#define	TLS_NUM_NAMED_CURVES   table_num_entries ( TLS_NAMED_CURVES )
	Number of supported named curves. More...

Functions
	FILE_LICENCE (GPL2_OR_LATER)
static	LIST_HEAD (tls_sessions)
	List of TLS session. More...
static void	tls_tx_resume_all (struct tls_session *session)
	Resume TX state machine for all connections within a session. More...
static struct io_buffer *	tls_alloc_iob (struct tls_connection *tls, size_t len)
	Allocate I/O buffer for transmitted record(s) More...
static int	tls_send_record (struct tls_connection *tls, unsigned int type, struct io_buffer *iobuf)
	Send plaintext record(s) More...
static int	tls_send_plaintext (struct tls_connection *tls, unsigned int type, const void *data, size_t len)
	Send plaintext record. More...
static void	tls_clear_cipher (struct tls_connection *tls, struct tls_cipherspec *cipherspec)
static void	tls_verify_handshake (struct tls_connection *tls, void *out)
	Calculate handshake verification hash. More...
static unsigned long	tls_uint24 (const tls24_t *field24)
	Extract 24-bit field value. More...
static void	tls_set_uint24 (tls24_t *field24, unsigned long value)
	Set 24-bit field value. More...
static int	tls_ready (struct tls_connection *tls)
	Determine if TLS connection is ready for application data. More...
static int	tls_version (struct tls_connection *tls, unsigned int version)
	Check for TLS version. More...
static void	md5_sha1_init (void *ctx)
	Initialise MD5+SHA1 algorithm. More...
static void	md5_sha1_update (void *ctx, const void *data, size_t len)
	Accumulate data with MD5+SHA1 algorithm. More...
static void	md5_sha1_final (void *ctx, void *out)
	Generate MD5+SHA1 digest. More...
static void	free_tls_session (struct refcnt *refcnt)
	Free TLS session. More...
static void	free_tls (struct refcnt *refcnt)
	Free TLS connection. More...
static void	tls_close (struct tls_connection *tls, int rc)
	Finish with TLS connection. More...
static int	tls_generate_random (struct tls_connection *tls, void *data, size_t len)
	Generate random data. More...
static void	tls_hmac_update_va (struct digest_algorithm *digest, void *ctx, va_list args)
	Update HMAC with a list of ( data, len ) pairs. More...
static void	tls_p_hash_va (struct tls_connection *tls, struct digest_algorithm *digest, const void *secret, size_t secret_len, void *out, size_t out_len, va_list seeds)
	Generate secure pseudo-random data using a single hash function. More...
static void	tls_prf (struct tls_connection *tls, const void *secret, size_t secret_len, void *out, size_t out_len,...)
	Generate secure pseudo-random data. More...
static void	tls_generate_master_secret (struct tls_connection *tls, const void *pre_master_secret, size_t pre_master_secret_len)
	Generate master secret. More...
static int	tls_generate_keys (struct tls_connection *tls)
	Generate key material. More...
static void	tls_clear_handshake (struct tls_connection *tls)
	Clear handshake digest algorithm. More...
static int	tls_select_handshake (struct tls_connection *tls, struct digest_algorithm *digest)
	Select handshake digest algorithm. More...
static int	tls_add_handshake (struct tls_connection *tls, const void *data, size_t len)
	Add handshake record to verification hash. More...
static struct tls_cipher_suite *	tls_find_cipher_suite (unsigned int cipher_suite)
	Identify cipher suite. More...
static void	tls_clear_cipher (struct tls_connection *tls __unused, struct tls_cipherspec *cipherspec)
	Clear cipher suite. More...
static int	tls_set_cipher (struct tls_connection *tls, struct tls_cipherspec *cipherspec, struct tls_cipher_suite *suite)
	Set cipher suite. More...
static int	tls_select_cipher (struct tls_connection *tls, unsigned int cipher_suite)
	Select next cipher suite. More...
static int	tls_change_cipher (struct tls_connection *tls, struct tls_cipherspec_pair *pair)
	Activate next cipher suite. More...
static struct tls_signature_hash_algorithm *	tls_signature_hash_algorithm (struct pubkey_algorithm *pubkey, struct digest_algorithm *digest)
	Find TLS signature and hash algorithm. More...
static struct pubkey_algorithm *	tls_signature_hash_pubkey (struct tls_signature_hash_id code)
	Find TLS signature algorithm. More...
static struct digest_algorithm *	tls_signature_hash_digest (struct tls_signature_hash_id code)
	Find TLS hash algorithm. More...
static struct tls_named_curve *	tls_find_named_curve (unsigned int named_curve)
	Identify named curve. More...
static void	tls_tx_resume (struct tls_connection *tls)
	Resume TX state machine. More...
static void	tls_restart (struct tls_connection *tls)
	Restart negotiation. More...
static int	tls_send_handshake (struct tls_connection *tls, const void *data, size_t len)
	Transmit Handshake record. More...
static int	tls_client_hello (struct tls_connection *tls, int(*action)(struct tls_connection *tls, const void *data, size_t len))
	Digest or transmit Client Hello record. More...
static int	tls_send_client_hello (struct tls_connection *tls)
	Transmit Client Hello record. More...
static int	tls_send_certificate (struct tls_connection *tls)
	Transmit Certificate record. More...
static int	tls_send_client_key_exchange_pubkey (struct tls_connection *tls)
	Transmit Client Key Exchange record using public key exchange. More...
static int	tls_verify_dh_params (struct tls_connection *tls, size_t param_len)
	Verify Diffie-Hellman parameter signature. More...
static int	tls_send_client_key_exchange_dhe (struct tls_connection *tls)
	Transmit Client Key Exchange record using DHE key exchange. More...
static int	tls_send_client_key_exchange_ecdhe (struct tls_connection *tls)
	Transmit Client Key Exchange record using ECDHE key exchange. More...
static int	tls_send_client_key_exchange (struct tls_connection *tls)
	Transmit Client Key Exchange record. More...
static int	tls_send_certificate_verify (struct tls_connection *tls)
	Transmit Certificate Verify record. More...
static int	tls_send_change_cipher (struct tls_connection *tls)
	Transmit Change Cipher record. More...
static int	tls_send_finished (struct tls_connection *tls)
	Transmit Finished record. More...
static int	tls_new_change_cipher (struct tls_connection *tls, struct io_buffer *iobuf)
	Receive new Change Cipher record. More...
static int	tls_new_alert (struct tls_connection *tls, struct io_buffer *iobuf)
	Receive new Alert record. More...
static int	tls_new_hello_request (struct tls_connection *tls, const void *data __unused, size_t len __unused)
	Receive new Hello Request handshake record. More...
static int	tls_new_server_hello (struct tls_connection *tls, const void *data, size_t len)
	Receive new Server Hello handshake record. More...
static int	tls_new_session_ticket (struct tls_connection *tls, const void *data, size_t len)
	Receive New Session Ticket handshake record. More...
static int	tls_parse_chain (struct tls_connection *tls, const void *data, size_t len)
	Parse certificate chain. More...
static int	tls_new_certificate (struct tls_connection *tls, const void *data, size_t len)
	Receive new Certificate handshake record. More...
static int	tls_new_server_key_exchange (struct tls_connection *tls, const void *data, size_t len)
	Receive new Server Key Exchange handshake record. More...
static int	tls_new_certificate_request (struct tls_connection *tls, const void *data __unused, size_t len __unused)
	Receive new Certificate Request handshake record. More...
static int	tls_new_server_hello_done (struct tls_connection *tls, const void *data, size_t len)
	Receive new Server Hello Done handshake record. More...
static int	tls_new_finished (struct tls_connection *tls, const void *data, size_t len)
	Receive new Finished handshake record. More...
static int	tls_new_handshake (struct tls_connection *tls, struct io_buffer *iobuf)
	Receive new Handshake record. More...
static int	tls_new_unknown (struct tls_connection *tls __unused, struct io_buffer *iobuf)
	Receive new unknown record. More...
static int	tls_new_data (struct tls_connection *tls, struct list_head *rx_data)
	Receive new data record. More...
static int	tls_new_record (struct tls_connection *tls, unsigned int type, struct list_head *rx_data)
	Receive new record. More...
static void	tls_hmac_init (struct tls_cipherspec *cipherspec, void *ctx, struct tls_auth_header *authhdr)
	Initialise HMAC. More...
static void	tls_hmac_update (struct tls_cipherspec *cipherspec, void *ctx, const void *data, size_t len)
	Update HMAC. More...
static void	tls_hmac_final (struct tls_cipherspec *cipherspec, void *ctx, void *hmac)
	Finalise HMAC. More...
static void	tls_hmac (struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, const void *data, size_t len, void *hmac)
	Calculate HMAC. More...
static void	tls_hmac_list (struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, struct list_head *list, void *hmac)
	Calculate HMAC over list of I/O buffers. More...
static size_t	tls_iob_reserved (struct tls_connection *tls, size_t len)
	Calculate maximum additional length required for transmitted record(s) More...
static int	tls_verify_padding (struct tls_connection *tls, struct io_buffer *iobuf)
	Verify block padding. More...
static int	tls_new_ciphertext (struct tls_connection *tls, struct tls_header *tlshdr, struct list_head *rx_data)
	Receive new ciphertext record. More...
static size_t	tls_plainstream_window (struct tls_connection *tls)
	Check flow control window. More...
static int	tls_plainstream_deliver (struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *meta __unused)
	Deliver datagram as raw data. More...
static int	tls_progress (struct tls_connection *tls, struct job_progress *progress)
	Report job progress. More...
static int	tls_newdata_process_header (struct tls_connection *tls)
	Handle received TLS header. More...
static int	tls_newdata_process_data (struct tls_connection *tls)
	Handle received TLS data payload. More...
static size_t	tls_cipherstream_window (struct tls_connection *tls)
	Check flow control window. More...
static int	tls_cipherstream_deliver (struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *xfer __unused)
	Receive new ciphertext. More...
static void	tls_validator_done (struct tls_connection *tls, int rc)
	Handle certificate validation completion. More...
static void	tls_tx_step (struct tls_connection *tls)
	TLS TX state machine. More...
static int	tls_session (struct tls_connection *tls, const char *name)
	Find or create session for TLS connection. More...
int	add_tls (struct interface *xfer, const char *name, struct x509_root *root, struct private_key *key)
	Add TLS on an interface. More...
	REQUIRING_SYMBOL (add_tls)
	REQUIRE_OBJECT (config_crypto)

Variables
static struct digest_algorithm	md5_sha1_algorithm
	Hybrid MD5+SHA1 digest algorithm. More...
struct rsa_digestinfo_prefix rsa_md5_sha1_prefix	__rsa_digestinfo_prefix
	RSA digestInfo prefix for MD5+SHA1 algorithm. More...
struct tls_cipher_suite	tls_cipher_suite_null
	Null cipher suite. More...
struct tls_key_exchange_algorithm	tls_pubkey_exchange_algorithm
	Public key exchange algorithm. More...
struct tls_key_exchange_algorithm	tls_dhe_exchange_algorithm
	Ephemeral Diffie-Hellman key exchange algorithm. More...
struct tls_key_exchange_algorithm	tls_ecdhe_exchange_algorithm
	Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm. More...
static struct interface_operation	tls_plainstream_ops []
	TLS plaintext stream interface operations. More...
static struct interface_descriptor	tls_plainstream_desc
	TLS plaintext stream interface descriptor. More...
static struct interface_operation	tls_cipherstream_ops []
	TLS ciphertext stream interface operations. More...
static struct interface_descriptor	tls_cipherstream_desc
	TLS ciphertext stream interface descriptor. More...
static struct interface_operation	tls_validator_ops []
	TLS certificate validator interface operations. More...
static struct interface_descriptor	tls_validator_desc
	TLS certificate validator interface descriptor. More...
static struct process_descriptor	tls_process_desc
	TLS TX process descriptor. More...

Detailed Description

Transport Layer Security Protocol.

Definition in file tls.c.

Macro Definition Documentation

EINVAL_CHANGE_CIPHER

#define EINVAL_CHANGE_CIPHER   __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )

Definition at line 58 of file tls.c.

EINFO_EINVAL_CHANGE_CIPHER

#define EINFO_EINVAL_CHANGE_CIPHER

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x01,                           \
                          "Invalid Change Cipher record" )

Definition at line 59 of file tls.c.

EINVAL_ALERT

#define EINVAL_ALERT   __einfo_error ( EINFO_EINVAL_ALERT )

Definition at line 62 of file tls.c.

EINFO_EINVAL_ALERT

#define EINFO_EINVAL_ALERT

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x02,                           \
                          "Invalid Alert record" )

Definition at line 63 of file tls.c.

EINVAL_HELLO

#define EINVAL_HELLO   __einfo_error ( EINFO_EINVAL_HELLO )

Definition at line 66 of file tls.c.

EINFO_EINVAL_HELLO

#define EINFO_EINVAL_HELLO

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x03,                           \
                          "Invalid Server Hello record" )

Definition at line 67 of file tls.c.

EINVAL_CERTIFICATE

#define EINVAL_CERTIFICATE   __einfo_error ( EINFO_EINVAL_CERTIFICATE )

Definition at line 70 of file tls.c.

EINFO_EINVAL_CERTIFICATE

#define EINFO_EINVAL_CERTIFICATE

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x04,                           \
                          "Invalid Certificate" )

Definition at line 71 of file tls.c.

EINVAL_CERTIFICATES

#define EINVAL_CERTIFICATES   __einfo_error ( EINFO_EINVAL_CERTIFICATES )

Definition at line 74 of file tls.c.

EINFO_EINVAL_CERTIFICATES

#define EINFO_EINVAL_CERTIFICATES

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x05,                           \
                          "Invalid Server Certificate record" )

Definition at line 75 of file tls.c.

EINVAL_HELLO_DONE

#define EINVAL_HELLO_DONE   __einfo_error ( EINFO_EINVAL_HELLO_DONE )

Definition at line 78 of file tls.c.

EINFO_EINVAL_HELLO_DONE

#define EINFO_EINVAL_HELLO_DONE

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x06,                           \
                          "Invalid Server Hello Done record" )

Definition at line 79 of file tls.c.

EINVAL_FINISHED

#define EINVAL_FINISHED   __einfo_error ( EINFO_EINVAL_FINISHED )

Definition at line 82 of file tls.c.

EINFO_EINVAL_FINISHED

#define EINFO_EINVAL_FINISHED

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x07,                           \
                          "Invalid Server Finished record" )

Definition at line 83 of file tls.c.

EINVAL_HANDSHAKE

#define EINVAL_HANDSHAKE   __einfo_error ( EINFO_EINVAL_HANDSHAKE )

Definition at line 86 of file tls.c.

EINFO_EINVAL_HANDSHAKE

#define EINFO_EINVAL_HANDSHAKE

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x08,                           \
                          "Invalid Handshake record" )

Definition at line 87 of file tls.c.

EINVAL_IV

#define EINVAL_IV   __einfo_error ( EINFO_EINVAL_IV )

Definition at line 90 of file tls.c.

EINFO_EINVAL_IV

#define EINFO_EINVAL_IV

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x0a,                           \
                          "Invalid initialisation vector" )

Definition at line 91 of file tls.c.

EINVAL_PADDING

#define EINVAL_PADDING   __einfo_error ( EINFO_EINVAL_PADDING )

Definition at line 94 of file tls.c.

EINFO_EINVAL_PADDING

#define EINFO_EINVAL_PADDING

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x0b,                           \
                          "Invalid block padding" )

Definition at line 95 of file tls.c.

EINVAL_RX_STATE

#define EINVAL_RX_STATE   __einfo_error ( EINFO_EINVAL_RX_STATE )

Definition at line 98 of file tls.c.

EINFO_EINVAL_RX_STATE

#define EINFO_EINVAL_RX_STATE

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x0c,                           \
                          "Invalid receive state" )

Definition at line 99 of file tls.c.

EINVAL_MAC

#define EINVAL_MAC   __einfo_error ( EINFO_EINVAL_MAC )

Definition at line 102 of file tls.c.

EINFO_EINVAL_MAC

#define EINFO_EINVAL_MAC

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x0d,                           \
                          "Invalid MAC or authentication tag" )

Definition at line 103 of file tls.c.

EINVAL_TICKET

#define EINVAL_TICKET   __einfo_error ( EINFO_EINVAL_TICKET )

Definition at line 106 of file tls.c.

EINFO_EINVAL_TICKET

#define EINFO_EINVAL_TICKET

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x0e,                           \
                          "Invalid New Session Ticket record")

Definition at line 107 of file tls.c.

EINVAL_KEY_EXCHANGE

#define EINVAL_KEY_EXCHANGE   __einfo_error ( EINFO_EINVAL_KEY_EXCHANGE )

Definition at line 110 of file tls.c.

EINFO_EINVAL_KEY_EXCHANGE

#define EINFO_EINVAL_KEY_EXCHANGE

Value:

__einfo_uniqify ( EINFO_EINVAL, 0x0f,                           \
                          "Invalid Server Key Exchange record" )

Definition at line 111 of file tls.c.

EIO_ALERT

#define EIO_ALERT   __einfo_error ( EINFO_EIO_ALERT )

Definition at line 114 of file tls.c.

EINFO_EIO_ALERT

#define EINFO_EIO_ALERT

Value:

__einfo_uniqify ( EINFO_EIO, 0x01,                              \
                          "Unknown alert level" )

Definition at line 115 of file tls.c.

ENOMEM_CONTEXT

#define ENOMEM_CONTEXT   __einfo_error ( EINFO_ENOMEM_CONTEXT )

Definition at line 118 of file tls.c.

EINFO_ENOMEM_CONTEXT

#define EINFO_ENOMEM_CONTEXT

Value:

__einfo_uniqify ( EINFO_ENOMEM, 0x01,                           \
                          "Not enough space for crypto context" )

Definition at line 119 of file tls.c.

ENOMEM_CERTIFICATE

#define ENOMEM_CERTIFICATE   __einfo_error ( EINFO_ENOMEM_CERTIFICATE )

Definition at line 122 of file tls.c.

EINFO_ENOMEM_CERTIFICATE

#define EINFO_ENOMEM_CERTIFICATE

Value:

__einfo_uniqify ( EINFO_ENOMEM, 0x02,                           \
                          "Not enough space for certificate" )

Definition at line 123 of file tls.c.

ENOMEM_CHAIN

#define ENOMEM_CHAIN   __einfo_error ( EINFO_ENOMEM_CHAIN )

Definition at line 126 of file tls.c.

EINFO_ENOMEM_CHAIN

#define EINFO_ENOMEM_CHAIN

Value:

__einfo_uniqify ( EINFO_ENOMEM, 0x03,                           \
                          "Not enough space for certificate chain" )

Definition at line 127 of file tls.c.

ENOMEM_TX_PLAINTEXT

#define ENOMEM_TX_PLAINTEXT   __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )

Definition at line 130 of file tls.c.

EINFO_ENOMEM_TX_PLAINTEXT

#define EINFO_ENOMEM_TX_PLAINTEXT

Value:

__einfo_uniqify ( EINFO_ENOMEM, 0x04,                           \
                          "Not enough space for transmitted plaintext" )

Definition at line 131 of file tls.c.

ENOMEM_TX_CIPHERTEXT

#define ENOMEM_TX_CIPHERTEXT   __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )

Definition at line 134 of file tls.c.

EINFO_ENOMEM_TX_CIPHERTEXT

#define EINFO_ENOMEM_TX_CIPHERTEXT

Value:

__einfo_uniqify ( EINFO_ENOMEM, 0x05,                           \
                          "Not enough space for transmitted ciphertext" )

Definition at line 135 of file tls.c.

ENOMEM_RX_DATA

#define ENOMEM_RX_DATA   __einfo_error ( EINFO_ENOMEM_RX_DATA )

Definition at line 138 of file tls.c.

EINFO_ENOMEM_RX_DATA

#define EINFO_ENOMEM_RX_DATA

Value:

__einfo_uniqify ( EINFO_ENOMEM, 0x07,                           \
                          "Not enough space for received data" )

Definition at line 139 of file tls.c.

ENOMEM_RX_CONCAT

#define ENOMEM_RX_CONCAT   __einfo_error ( EINFO_ENOMEM_RX_CONCAT )

Definition at line 142 of file tls.c.

EINFO_ENOMEM_RX_CONCAT

#define EINFO_ENOMEM_RX_CONCAT

Value:

__einfo_uniqify ( EINFO_ENOMEM, 0x08,                           \
                          "Not enough space to concatenate received data" )

Definition at line 143 of file tls.c.

ENOTSUP_CIPHER

#define ENOTSUP_CIPHER   __einfo_error ( EINFO_ENOTSUP_CIPHER )

Definition at line 146 of file tls.c.

EINFO_ENOTSUP_CIPHER

#define EINFO_ENOTSUP_CIPHER

Value:

__einfo_uniqify ( EINFO_ENOTSUP, 0x01,                          \
                          "Unsupported cipher" )

Definition at line 147 of file tls.c.

ENOTSUP_NULL

#define ENOTSUP_NULL   __einfo_error ( EINFO_ENOTSUP_NULL )

Definition at line 150 of file tls.c.

EINFO_ENOTSUP_NULL

#define EINFO_ENOTSUP_NULL

Value:

__einfo_uniqify ( EINFO_ENOTSUP, 0x02,                          \
                          "Refusing to use null cipher" )

Definition at line 151 of file tls.c.

ENOTSUP_SIG_HASH

#define ENOTSUP_SIG_HASH   __einfo_error ( EINFO_ENOTSUP_SIG_HASH )

Definition at line 154 of file tls.c.

EINFO_ENOTSUP_SIG_HASH

#define EINFO_ENOTSUP_SIG_HASH

Value:

__einfo_uniqify ( EINFO_ENOTSUP, 0x03,                          \
                          "Unsupported signature and hash algorithm" )

Definition at line 155 of file tls.c.

ENOTSUP_VERSION

#define ENOTSUP_VERSION   __einfo_error ( EINFO_ENOTSUP_VERSION )

Definition at line 158 of file tls.c.

EINFO_ENOTSUP_VERSION

#define EINFO_ENOTSUP_VERSION

Value:

__einfo_uniqify ( EINFO_ENOTSUP, 0x04,                          \
                          "Unsupported protocol version" )

Definition at line 159 of file tls.c.

ENOTSUP_CURVE

#define ENOTSUP_CURVE   __einfo_error ( EINFO_ENOTSUP_CURVE )

Definition at line 162 of file tls.c.

EINFO_ENOTSUP_CURVE

#define EINFO_ENOTSUP_CURVE

Value:

__einfo_uniqify ( EINFO_ENOTSUP, 0x05,                          \
                          "Unsupported elliptic curve" )

Definition at line 163 of file tls.c.

EPERM_ALERT

#define EPERM_ALERT   __einfo_error ( EINFO_EPERM_ALERT )

Definition at line 166 of file tls.c.

EINFO_EPERM_ALERT

#define EINFO_EPERM_ALERT

Value:

__einfo_uniqify ( EINFO_EPERM, 0x01,                            \
                          "Received fatal alert" )

Definition at line 167 of file tls.c.

EPERM_VERIFY

#define EPERM_VERIFY   __einfo_error ( EINFO_EPERM_VERIFY )

Definition at line 170 of file tls.c.

EINFO_EPERM_VERIFY

#define EINFO_EPERM_VERIFY

Value:

__einfo_uniqify ( EINFO_EPERM, 0x02,                            \
                          "Handshake verification failed" )

Definition at line 171 of file tls.c.

EPERM_RENEG_INSECURE

#define EPERM_RENEG_INSECURE   __einfo_error ( EINFO_EPERM_RENEG_INSECURE )

Definition at line 174 of file tls.c.

EINFO_EPERM_RENEG_INSECURE

#define EINFO_EPERM_RENEG_INSECURE

Value:

__einfo_uniqify ( EINFO_EPERM, 0x04,                            \
                          "Secure renegotiation not supported" )

Definition at line 175 of file tls.c.

EPERM_RENEG_VERIFY

#define EPERM_RENEG_VERIFY   __einfo_error ( EINFO_EPERM_RENEG_VERIFY )

Definition at line 178 of file tls.c.

EINFO_EPERM_RENEG_VERIFY

#define EINFO_EPERM_RENEG_VERIFY

Value:

__einfo_uniqify ( EINFO_EPERM, 0x05,                            \
                          "Secure renegotiation verification failed" )

Definition at line 179 of file tls.c.

EPERM_KEY_EXCHANGE

#define EPERM_KEY_EXCHANGE   __einfo_error ( EINFO_EPERM_KEY_EXCHANGE )

Definition at line 182 of file tls.c.

EINFO_EPERM_KEY_EXCHANGE

#define EINFO_EPERM_KEY_EXCHANGE

Value:

__einfo_uniqify ( EINFO_EPERM, 0x06,                            \
                          "ServerKeyExchange verification failed" )

Definition at line 183 of file tls.c.

EPERM_EMS

#define EPERM_EMS   __einfo_error ( EINFO_EPERM_EMS )

Definition at line 186 of file tls.c.

EINFO_EPERM_EMS

#define EINFO_EPERM_EMS

Value:

__einfo_uniqify ( EINFO_EPERM, 0x07,                            \
                          "Extended master secret extension mismatch" )

Definition at line 187 of file tls.c.

EPROTO_VERSION

#define EPROTO_VERSION   __einfo_error ( EINFO_EPROTO_VERSION )

Definition at line 190 of file tls.c.

EINFO_EPROTO_VERSION

#define EINFO_EPROTO_VERSION

Value:

__einfo_uniqify ( EINFO_EPROTO, 0x01,                           \
                          "Illegal protocol version upgrade" )

Definition at line 191 of file tls.c.

tls_prf_label

#define tls_prf_label	(		tls,
			secret,
			secret_len,
			out,
			out_len,
			label,
			...
	)

Value:

tls_prf ( (tls), (secret), (secret_len), (out), (out_len),         \
                  label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )

Generate secure pseudo-random data.

Parameters

secret	Secret
secret_len	Length of secret
out	Output buffer
out_len	Length of output buffer
label	String literal label
...	( data, len ) pairs of seed data

Definition at line 622 of file tls.c.

TLS_NUM_CIPHER_SUITES

#define TLS_NUM_CIPHER_SUITES   table_num_entries ( TLS_CIPHER_SUITES )

Number of supported cipher suites.

Definition at line 858 of file tls.c.

TLS_NUM_SIG_HASH_ALGORITHMS

#define TLS_NUM_SIG_HASH_ALGORITHMS   table_num_entries ( TLS_SIG_HASH_ALGORITHMS )

Number of supported signature and hash algorithms.

Definition at line 1004 of file tls.c.

TLS_NUM_NAMED_CURVES

#define TLS_NUM_NAMED_CURVES   table_num_entries ( TLS_NAMED_CURVES )

Number of supported named curves.

Definition at line 1076 of file tls.c.

Function Documentation

FILE_LICENCE()

FILE_LICENCE

(

GPL2_OR_LATER

)

LIST_HEAD()

static LIST_HEAD ( tls_sessions  )

static

List of TLS session.

tls_tx_resume_all()

static void tls_tx_resume_all ( struct tls_session *  session )

static

Resume TX state machine for all connections within a session.

Parameters

session

TLS session

Definition at line 1118 of file tls.c.

                                                              {
        struct tls_connection *tls;

        list_for_each_entry ( tls, &session->conn, list )
                tls_tx_resume ( tls );
}

References tls_session::conn, tls_connection::list, list_for_each_entry, tls_connection::session, and tls_tx_resume().

Referenced by tls_close(), and tls_new_finished().

tls_alloc_iob()

static struct io_buffer * tls_alloc_iob ( struct tls_connection *  tls, size_t  len  )

static

Allocate I/O buffer for transmitted record(s)

Parameters

tls	TLS connection
len	I/O buffer payload length

Return values

iobuf

I/O buffer

Definition at line 3025 of file tls.c.

                                                       {
        struct io_buffer *iobuf;
        size_t reserve;

        /* Calculate maximum additional length to reserve */
        reserve = tls_iob_reserved ( tls, len );

        /* Allocate I/O buffer */
        iobuf = xfer_alloc_iob ( &tls->cipherstream, ( reserve + len ) );
        if ( ! iobuf )
                return NULL;

        /* Reserve space */
        iob_reserve ( iobuf, reserve );

        return iobuf;
}

References tls_connection::cipherstream, iob_reserve, len, NULL, tls_iob_reserved(), and xfer_alloc_iob().

Referenced by tls_send_certificate(), and tls_send_plaintext().

tls_send_record()

static int tls_send_record ( struct tls_connection *  tls, unsigned int  type, struct io_buffer *  iobuf  )

static

Send plaintext record(s)

Parameters

tls	TLS connection
type	Record type
iobuf	I/O buffer

Return values

rc	Return status code

Definition at line 3052 of file tls.c.

                                                       {
        struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
        struct tls_cipher_suite *suite = cipherspec->suite;
        struct cipher_algorithm *cipher = suite->cipher;
        struct digest_algorithm *digest = suite->digest;
        struct {
                uint8_t fixed[suite->fixed_iv_len];
                uint8_t rec[suite->record_iv_len];
        } __attribute__ (( packed )) iv;
        struct tls_auth_header authhdr;
        struct tls_header *tlshdr;
        uint8_t mac[digest->digestsize];
        const void *plaintext;
        const void *encrypt;
        void *ciphertext;
        size_t record_len;
        size_t encrypt_len;
        size_t pad_len;
        size_t len;
        int rc;

        /* Record plaintext pointer and length */
        plaintext = iobuf->data;
        len = iob_len ( iobuf );

        /* Add to handshake digest if applicable */
        if ( type == TLS_TYPE_HANDSHAKE )
                tls_add_handshake ( tls, plaintext, len );

        /* Start constructing ciphertext at start of reserved space */
        iob_push ( iobuf, tls_iob_reserved ( tls, len ) );
        iob_unput ( iobuf, iob_len ( iobuf ) );

        /* Construct records */
        do {
                /* Limit length of this record (may be zero) */
                record_len = len;
                if ( record_len > TLS_TX_BUFSIZE )
                        record_len = TLS_TX_BUFSIZE;

                /* Construct and set initialisation vector */
                memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
                if ( ( rc = tls_generate_random ( tls, iv.rec,
                                                  sizeof ( iv.rec ) ) ) != 0 ) {
                        goto err_random;
                }
                cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv,
                               sizeof ( iv ) );

                /* Construct and process authentication data */
                authhdr.seq = cpu_to_be64 ( tls->tx.seq );
                authhdr.header.type = type;
                authhdr.header.version = htons ( tls->version );
                authhdr.header.length = htons ( record_len );
                if ( suite->mac_len ) {
                        tls_hmac ( cipherspec, &authhdr, plaintext, record_len,
                                   mac );
                }
                if ( is_auth_cipher ( cipher ) ) {
                        cipher_encrypt ( cipher, cipherspec->cipher_ctx,
                                         &authhdr, NULL, sizeof ( authhdr ) );
                }

                /* Calculate encryption length */
                encrypt_len = ( record_len + suite->mac_len );
                if ( is_block_cipher ( cipher ) ) {
                        pad_len = ( ( ( cipher->blocksize - 1 ) &
                                      -( encrypt_len + 1 ) ) + 1 );
                } else {
                        pad_len = 0;
                }
                encrypt_len += pad_len;

                /* Add record header */
                tlshdr = iob_put ( iobuf, sizeof ( *tlshdr ) );
                tlshdr->type = type;
                tlshdr->version = htons ( tls->version );
                tlshdr->length = htons ( sizeof ( iv.rec ) + encrypt_len +
                                         cipher->authsize );

                /* Add record initialisation vector, if applicable */
                memcpy ( iob_put ( iobuf, sizeof ( iv.rec ) ), iv.rec,
                         sizeof ( iv.rec ) );

                /* Copy plaintext data if necessary */
                ciphertext = iob_put ( iobuf, record_len );
                assert ( ciphertext <= plaintext );
                if ( encrypt_len > record_len ) {
                        memmove ( ciphertext, plaintext, record_len );
                        encrypt = ciphertext;
                } else {
                        encrypt = plaintext;
                }

                /* Add MAC, if applicable */
                memcpy ( iob_put ( iobuf, suite->mac_len ), mac,
                         suite->mac_len );

                /* Add padding, if applicable */
                memset ( iob_put ( iobuf, pad_len ), ( pad_len - 1 ), pad_len );

                /* Encrypt data and append authentication tag */
                DBGC2 ( tls, "Sending plaintext data:\n" );
                DBGC2_HDA ( tls, 0, encrypt, encrypt_len );
                cipher_encrypt ( cipher, cipherspec->cipher_ctx, encrypt,
                                 ciphertext, encrypt_len );
                cipher_auth ( cipher, cipherspec->cipher_ctx,
                              iob_put ( iobuf, cipher->authsize ) );

                /* Move to next record */
                tls->tx.seq += 1;
                plaintext += record_len;
                len -= record_len;

        } while ( len );

        /* Send ciphertext */
        if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
                                       iob_disown ( iobuf ) ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
                       tls, strerror ( rc ) );
                goto err_deliver;
        }

        assert ( iobuf == NULL );
        return 0;

 err_deliver:
 err_random:
        free_iob ( iobuf );
        return rc;
}

References __attribute__, tls_cipherspec_pair::active, assert(), cipher_algorithm::authsize, cipher_algorithm::blocksize, tls_cipher_suite::cipher, cipher_auth(), tls_cipherspec::cipher_ctx, cipher_encrypt, cipher_setiv(), tls_tx::cipherspec, tls_connection::cipherstream, cpu_to_be64, io_buffer::data, DBGC, DBGC2, DBGC2_HDA, tls_cipher_suite::digest, digest_algorithm::digestsize, fixed, tls_cipherspec::fixed_iv, tls_cipher_suite::fixed_iv_len, free_iob(), tls_auth_header::header, htons, iob_disown, iob_len(), iob_push, iob_put, iob_unput, is_auth_cipher(), is_block_cipher(), iv, len, tls_header::length, mac, tls_cipher_suite::mac_len, memcpy(), memmove(), memset(), NULL, pad_len, rc, tls_cipher_suite::record_iv_len, tls_auth_header::seq, tls_tx::seq, strerror(), tls_cipherspec::suite, tls_add_handshake(), tls_generate_random(), tls_hmac(), tls_iob_reserved(), TLS_TX_BUFSIZE, TLS_TYPE_HANDSHAKE, tls_connection::tx, type, tls_header::type, tls_header::version, tls_connection::version, and xfer_deliver_iob().

Referenced by tls_plainstream_deliver(), tls_send_certificate(), and tls_send_plaintext().

tls_send_plaintext()

static int tls_send_plaintext ( struct tls_connection *  tls, unsigned int  type, const void *  data, size_t  len  )

static

Send plaintext record.

Parameters

tls	TLS connection
type	Record type
data	Plaintext record
len	Length of plaintext record

Return values

rc	Return status code

Definition at line 3195 of file tls.c.

                                                               {
        struct io_buffer *iobuf;
        int rc;

        /* Allocate I/O buffer */
        iobuf = tls_alloc_iob ( tls, len );
        if ( ! iobuf )
                return -ENOMEM_TX_PLAINTEXT;
        memcpy ( iob_put ( iobuf, len ), data, len );

        /* Transmit I/O buffer */
        if ( ( rc = tls_send_record ( tls, type, iob_disown ( iobuf ) ) ) != 0 )
                return rc;

        return 0;
}

References data, ENOMEM_TX_PLAINTEXT, iob_disown, iob_put, len, memcpy(), rc, tls_alloc_iob(), tls_send_record(), and type.

Referenced by tls_send_change_cipher(), and tls_send_handshake().

tls_clear_cipher() [1/2]

static void tls_clear_cipher ( struct tls_connection *  tls, struct tls_cipherspec *  cipherspec  )

static

Referenced by add_tls(), free_tls(), tls_change_cipher(), and tls_set_cipher().

tls_verify_handshake()

static void tls_verify_handshake ( struct tls_connection *  tls, void *  out  )

static

Calculate handshake verification hash.

Parameters

tls	TLS connection
out	Output buffer

Calculates the digest over all handshake messages seen so far.

Definition at line 834 of file tls.c.

                                                                           {
        struct digest_algorithm *digest = tls->handshake_digest;
        uint8_t ctx[ digest->ctxsize ];

        memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
        digest_final ( digest, ctx, out );
}

References ctx, digest_algorithm::ctxsize, digest_final(), tls_connection::handshake_ctx, tls_connection::handshake_digest, memcpy(), and out.

Referenced by tls_generate_master_secret(), tls_new_finished(), tls_send_certificate_verify(), and tls_send_finished().

tls_uint24()

static unsigned long tls_uint24 ( const tls24_t *  field24 )

inlinestatic

Extract 24-bit field value.

Parameters

field24

24-bit field

Return values

value

Field value

Definition at line 236 of file tls.c.

                                      {

        return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
}

References be16_to_cpu, tls24_t::high, and tls24_t::low.

Referenced by tls_new_certificate(), tls_new_handshake(), and tls_parse_chain().

tls_set_uint24()

static void tls_set_uint24 ( tls24_t *  field24, unsigned long  value  )

static

Set 24-bit field value.

Parameters

field24	24-bit field
value	Field value

Definition at line 247 of file tls.c.

                                                                     {

        field24->high = ( value >> 16 );
        field24->low = cpu_to_be16 ( value );
}

References cpu_to_be16, tls24_t::high, tls24_t::low, and value.

Referenced by tls_send_certificate().

tls_ready()

static int tls_ready ( struct tls_connection *  tls )

static

Determine if TLS connection is ready for application data.

Parameters

tls	TLS connection

Return values

is_ready

TLS connection is ready

Definition at line 259 of file tls.c.

                                                    {
        return ( ( ! is_pending ( &tls->client.negotiation ) ) &&
                 ( ! is_pending ( &tls->server.negotiation ) ) );
}

References tls_connection::client, is_pending(), tls_client::negotiation, tls_server::negotiation, and tls_connection::server.

Referenced by tls_cipherstream_window(), tls_new_data(), tls_new_hello_request(), tls_plainstream_deliver(), and tls_plainstream_window().

tls_version()

static int tls_version ( struct tls_connection *  tls, unsigned int  version  )

inlinestatic

Check for TLS version.

Parameters

tls	TLS connection
version	TLS version

Return values

at_least

TLS connection is using at least the specified version

Check that TLS connection uses at least the specified protocol version. Optimise down to a compile-time constant true result if this is already guaranteed by the minimum supported version check.

Definition at line 276 of file tls.c.

                                                                 {
        return ( ( TLS_VERSION_MIN >= version ) ||
                 ( tls->version >= version ) );
}

References TLS_VERSION_MIN, tls_connection::version, and version.

Referenced by tls_prf(), tls_select_cipher(), tls_send_certificate_verify(), and tls_verify_dh_params().

md5_sha1_init()

static void md5_sha1_init ( void *  ctx )

static

Initialise MD5+SHA1 algorithm.

Parameters

ctx	MD5+SHA1 context

Definition at line 293 of file tls.c.

                                        {
        struct md5_sha1_context *context = ctx;

        digest_init ( &md5_algorithm, context->md5 );
        digest_init ( &sha1_algorithm, context->sha1 );
}

References ctx, digest_init(), md5_sha1_context::md5, md5_algorithm, md5_sha1_context::sha1, and sha1_algorithm.

md5_sha1_update()

static void md5_sha1_update ( void *  ctx, const void *  data, size_t  len  )

static

Accumulate data with MD5+SHA1 algorithm.

Parameters

ctx	MD5+SHA1 context
data	Data
len	Length of data

Definition at line 307 of file tls.c.

                                                                        {
        struct md5_sha1_context *context = ctx;

        digest_update ( &md5_algorithm, context->md5, data, len );
        digest_update ( &sha1_algorithm, context->sha1, data, len );
}

References ctx, data, digest_update(), len, md5_sha1_context::md5, md5_algorithm, md5_sha1_context::sha1, and sha1_algorithm.

md5_sha1_final()

static void md5_sha1_final ( void *  ctx, void *  out  )

static

Generate MD5+SHA1 digest.

Parameters

ctx	MD5+SHA1 context
out	Output buffer

Definition at line 320 of file tls.c.

                                                    {
        struct md5_sha1_context *context = ctx;
        struct md5_sha1_digest *digest = out;

        digest_final ( &md5_algorithm, context->md5, digest->md5 );
        digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
}

References ctx, digest_final(), md5_sha1_context::md5, md5_sha1_digest::md5, md5_algorithm, out, md5_sha1_context::sha1, md5_sha1_digest::sha1, and sha1_algorithm.

free_tls_session()

static void free_tls_session ( struct refcnt *  refcnt )

static

Free TLS session.

Parameters

refcnt

Reference counter

Definition at line 358 of file tls.c.

                                                       {
        struct tls_session *session =
                container_of ( refcnt, struct tls_session, refcnt );

        /* Sanity check */
        assert ( list_empty ( &session->conn ) );

        /* Remove from list of sessions */
        list_del ( &session->list );

        /* Free dynamically-allocated resources */
        x509_root_put ( session->root );
        privkey_put ( session->key );
        free ( session->ticket );

        /* Free session */
        free ( session );
}

References assert(), tls_session::conn, container_of, free, tls_session::key, tls_session::list, list_del, list_empty, privkey_put(), tls_session::root, tls_session::ticket, and x509_root_put().

Referenced by tls_session().

free_tls()

static void free_tls ( struct refcnt *  refcnt )

static

Free TLS connection.

Parameters

refcnt

Reference counter

Definition at line 382 of file tls.c.

                                               {
        struct tls_connection *tls =
                container_of ( refcnt, struct tls_connection, refcnt );
        struct tls_session *session = tls->session;
        struct io_buffer *iobuf;
        struct io_buffer *tmp;

        /* Free dynamically-allocated resources */
        free ( tls->new_session_ticket );
        tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
        tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
        tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
        tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
        free ( tls->server.exchange );
        free ( tls->handshake_ctx );
        list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
                list_del ( &iobuf->list );
                free_iob ( iobuf );
        }
        free_iob ( tls->rx.handshake );
        privkey_put ( tls->client.key );
        x509_chain_put ( tls->client.chain );
        x509_chain_put ( tls->server.chain );
        x509_root_put ( tls->server.root );

        /* Drop reference to session */
        assert ( list_empty ( &tls->list ) );
        ref_put ( &session->refcnt );

        /* Free TLS structure itself */
        free ( tls );
}

References tls_cipherspec_pair::active, assert(), tls_client::chain, tls_server::chain, tls_tx::cipherspec, tls_rx::cipherspec, tls_connection::client, container_of, tls_rx::data, tls_server::exchange, free, free_iob(), tls_rx::handshake, tls_connection::handshake_ctx, tls_client::key, io_buffer::list, tls_connection::list, list_del, list_empty, list_for_each_entry_safe, tls_connection::new_session_ticket, tls_cipherspec_pair::pending, privkey_put(), ref_put, tls_session::refcnt, tls_server::root, tls_connection::rx, tls_connection::server, tls_connection::session, tls_clear_cipher(), tmp, tls_connection::tx, x509_chain_put(), and x509_root_put().

Referenced by add_tls().

tls_close()

static void tls_close ( struct tls_connection *  tls, int  rc  )

static

Finish with TLS connection.

Parameters

tls	TLS connection
rc	Status code

Definition at line 421 of file tls.c.

                                                             {

        /* Remove pending operations, if applicable */
        pending_put ( &tls->client.negotiation );
        pending_put ( &tls->server.negotiation );
        pending_put ( &tls->server.validation );

        /* Remove process */
        process_del ( &tls->tx.process );

        /* Close all interfaces */
        intf_shutdown ( &tls->cipherstream, rc );
        intf_shutdown ( &tls->plainstream, rc );
        intf_shutdown ( &tls->server.validator, rc );

        /* Remove from session */
        list_del ( &tls->list );
        INIT_LIST_HEAD ( &tls->list );

        /* Resume all other connections, in case we were the lead connection */
        tls_tx_resume_all ( tls->session );
}

References tls_connection::cipherstream, tls_connection::client, INIT_LIST_HEAD, intf_shutdown(), tls_connection::list, list_del, tls_client::negotiation, tls_server::negotiation, pending_put(), tls_connection::plainstream, tls_tx::process, process_del(), rc, tls_connection::server, tls_connection::session, tls_tx_resume_all(), tls_connection::tx, tls_server::validation, and tls_server::validator.

Referenced by tls_cipherstream_deliver(), tls_tx_step(), and tls_validator_done().

tls_generate_random()

static int tls_generate_random ( struct tls_connection *  tls, void *  data, size_t  len  )

static

Generate random data.

Parameters

tls	TLS connection
data	Buffer to fill
len	Length of buffer

Return values

rc	Return status code

Definition at line 459 of file tls.c.

                                                          {
        int rc;

        /* Generate random bits with no additional input and without
         * prediction resistance
         */
        if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not generate random data: %s\n",
                       tls, strerror ( rc ) );
                return rc;
        }

        return 0;
}

References data, DBGC, len, NULL, rbg_generate(), rc, and strerror().

Referenced by add_tls(), tls_send_client_key_exchange_dhe(), tls_send_client_key_exchange_ecdhe(), tls_send_client_key_exchange_pubkey(), and tls_send_record().

tls_hmac_update_va()

static void tls_hmac_update_va ( struct digest_algorithm *  digest, void *  ctx, va_list  args  )

static

Update HMAC with a list of ( data, len ) pairs.

Parameters

digest	Hash function to use
ctx	HMAC context
args	( data, len ) pairs of data, terminated by NULL

Definition at line 482 of file tls.c.

                                                           {
        void *data;
        size_t len;

        while ( ( data = va_arg ( args, void * ) ) ) {
                len = va_arg ( args, size_t );
                hmac_update ( digest, ctx, data, len );
        }
}

References ctx, data, hmac_update(), len, and va_arg.

Referenced by tls_p_hash_va().

tls_p_hash_va()

static void tls_p_hash_va ( struct tls_connection *  tls, struct digest_algorithm *  digest, const void *  secret, size_t  secret_len, void *  out, size_t  out_len, va_list  seeds  )

static

Generate secure pseudo-random data using a single hash function.

Parameters

tls	TLS connection
digest	Hash function to use
secret	Secret
secret_len	Length of secret
out	Output buffer
out_len	Length of output buffer
seeds	( data, len ) pairs of seed data, terminated by NULL

Definition at line 504 of file tls.c.

                                            {
        uint8_t ctx[ hmac_ctxsize ( digest ) ];
        uint8_t ctx_partial[ sizeof ( ctx ) ];
        uint8_t a[digest->digestsize];
        uint8_t out_tmp[digest->digestsize];
        size_t frag_len = digest->digestsize;
        va_list tmp;

        DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
        DBGC2_HD ( tls, secret, secret_len );

        /* Calculate A(1) */
        hmac_init ( digest, ctx, secret, secret_len );
        va_copy ( tmp, seeds );
        tls_hmac_update_va ( digest, ctx, tmp );
        va_end ( tmp );
        hmac_final ( digest, ctx, a );
        DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
        DBGC2_HD ( tls, &a, sizeof ( a ) );

        /* Generate as much data as required */
        while ( out_len ) {
                /* Calculate output portion */
                hmac_init ( digest, ctx, secret, secret_len );
                hmac_update ( digest, ctx, a, sizeof ( a ) );
                memcpy ( ctx_partial, ctx, sizeof ( ctx_partial ) );
                va_copy ( tmp, seeds );
                tls_hmac_update_va ( digest, ctx, tmp );
                va_end ( tmp );
                hmac_final ( digest, ctx, out_tmp );

                /* Copy output */
                if ( frag_len > out_len )
                        frag_len = out_len;
                memcpy ( out, out_tmp, frag_len );
                DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
                DBGC2_HD ( tls, out, frag_len );

                /* Calculate A(i) */
                hmac_final ( digest, ctx_partial, a );
                DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
                DBGC2_HD ( tls, &a, sizeof ( a ) );

                out += frag_len;
                out_len -= frag_len;
        }
}

References ctx, DBGC2, DBGC2_HD, digest_algorithm::digestsize, hmac_ctxsize(), hmac_final(), hmac_init(), hmac_update(), memcpy(), digest_algorithm::name, out, tls_hmac_update_va(), tmp, va_copy, and va_end.

Referenced by tls_prf().

tls_prf()

static void tls_prf ( struct tls_connection *  tls, const void *  secret, size_t  secret_len, void *  out, size_t  out_len,   ...  )

static

Generate secure pseudo-random data.

Parameters

tls	TLS connection
secret	Secret
secret_len	Length of secret
out	Output buffer
out_len	Length of output buffer
...	( data, len ) pairs of seed data, terminated by NULL

Definition at line 566 of file tls.c.

                                                                          {
        va_list seeds;
        va_list tmp;
        size_t subsecret_len;
        const void *md5_secret;
        const void *sha1_secret;
        uint8_t buf[out_len];
        unsigned int i;

        va_start ( seeds, out_len );

        if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
                /* Use handshake digest PRF for TLSv1.2 and later */
                tls_p_hash_va ( tls, tls->handshake_digest, secret, secret_len,
                                out, out_len, seeds );
        } else {
                /* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
                 * and earlier
                 */

                /* Split secret into two, with an overlap of up to one byte */
                subsecret_len = ( ( secret_len + 1 ) / 2 );
                md5_secret = secret;
                sha1_secret = ( secret + secret_len - subsecret_len );

                /* Calculate MD5 portion */
                va_copy ( tmp, seeds );
                tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
                                subsecret_len, out, out_len, seeds );
                va_end ( tmp );

                /* Calculate SHA1 portion */
                va_copy ( tmp, seeds );
                tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
                                subsecret_len, buf, out_len, seeds );
                va_end ( tmp );

                /* XOR the two portions together into the final output buffer */
                for ( i = 0 ; i < out_len ; i++ )
                        *( ( uint8_t * ) out + i ) ^= buf[i];
        }

        va_end ( seeds );
}

References tls_connection::handshake_digest, md5_algorithm, out, sha1_algorithm, tls_p_hash_va(), tls_version(), TLS_VERSION_TLS_1_2, tmp, va_copy, va_end, and va_start.

tls_generate_master_secret()

static void tls_generate_master_secret ( struct tls_connection *  tls, const void *  pre_master_secret, size_t  pre_master_secret_len  )

static

Generate master secret.

Parameters

tls	TLS connection
pre_master_secret	Pre-master secret
pre_master_secret_len	Length of pre-master secret

The client and server random values must already be known.

Definition at line 642 of file tls.c.

                                                                        {
        struct digest_algorithm *digest = tls->handshake_digest;
        uint8_t digest_out[ digest->digestsize ];

        /* Generate handshake digest */
        tls_verify_handshake ( tls, digest_out );

        /* Show inputs */
        DBGC ( tls, "TLS %p pre-master secret:\n", tls );
        DBGC_HD ( tls, pre_master_secret, pre_master_secret_len );
        DBGC ( tls, "TLS %p client random bytes:\n", tls );
        DBGC_HD ( tls, &tls->client.random, sizeof ( tls->client.random ) );
        DBGC ( tls, "TLS %p server random bytes:\n", tls );
        DBGC_HD ( tls, &tls->server.random, sizeof ( tls->server.random ) );
        DBGC ( tls, "TLS %p session hash:\n", tls );
        DBGC_HD ( tls, digest_out, sizeof ( digest_out ) );

        /* Generate master secret */
        if ( tls->extended_master_secret ) {
                tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
                                &tls->master_secret,
                                sizeof ( tls->master_secret ),
                                "extended master secret",
                                digest_out, sizeof ( digest_out ) );
        } else {
                tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
                                &tls->master_secret,
                                sizeof ( tls->master_secret ),
                                "master secret",
                                &tls->client.random,
                                sizeof ( tls->client.random ),
                                &tls->server.random,
                                sizeof ( tls->server.random ) );
        }

        /* Show output */
        DBGC ( tls, "TLS %p generated %smaster secret:\n", tls,
               ( tls->extended_master_secret ? "extended ": "" ) );
        DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
}

References tls_connection::client, DBGC, DBGC_HD, digest_algorithm::digestsize, tls_connection::extended_master_secret, tls_connection::handshake_digest, tls_connection::master_secret, tls_client::random, tls_server::random, tls_connection::server, tls_prf_label, and tls_verify_handshake().

Referenced by tls_send_client_key_exchange_dhe(), tls_send_client_key_exchange_ecdhe(), and tls_send_client_key_exchange_pubkey().

tls_generate_keys()

static int tls_generate_keys ( struct tls_connection *  tls )

static

Generate key material.

Parameters

tls	TLS connection

The master secret must already be known.

Definition at line 692 of file tls.c.

                                                            {
        struct tls_cipherspec *tx_cipherspec = &tls->tx.cipherspec.pending;
        struct tls_cipherspec *rx_cipherspec = &tls->rx.cipherspec.pending;
        size_t hash_size = tx_cipherspec->suite->mac_len;
        size_t key_size = tx_cipherspec->suite->key_len;
        size_t iv_size = tx_cipherspec->suite->fixed_iv_len;
        size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
        uint8_t key_block[total];
        uint8_t *key;
        int rc;

        /* Generate key block */
        tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
                        key_block, sizeof ( key_block ), "key expansion",
                        &tls->server.random, sizeof ( tls->server.random ),
                        &tls->client.random, sizeof ( tls->client.random ) );

        /* Split key block into portions */
        key = key_block;

        /* TX MAC secret */
        memcpy ( tx_cipherspec->mac_secret, key, hash_size );
        DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
        DBGC_HD ( tls, key, hash_size );
        key += hash_size;

        /* RX MAC secret */
        memcpy ( rx_cipherspec->mac_secret, key, hash_size );
        DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
        DBGC_HD ( tls, key, hash_size );
        key += hash_size;

        /* TX key */
        if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
                                    tx_cipherspec->cipher_ctx,
                                    key, key_size ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not set TX key: %s\n",
                       tls, strerror ( rc ) );
                return rc;
        }
        DBGC ( tls, "TLS %p TX key:\n", tls );
        DBGC_HD ( tls, key, key_size );
        key += key_size;

        /* RX key */
        if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
                                    rx_cipherspec->cipher_ctx,
                                    key, key_size ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not set TX key: %s\n",
                       tls, strerror ( rc ) );
                return rc;
        }
        DBGC ( tls, "TLS %p RX key:\n", tls );
        DBGC_HD ( tls, key, key_size );
        key += key_size;

        /* TX initialisation vector */
        memcpy ( tx_cipherspec->fixed_iv, key, iv_size );
        DBGC ( tls, "TLS %p TX IV:\n", tls );
        DBGC_HD ( tls, key, iv_size );
        key += iv_size;

        /* RX initialisation vector */
        memcpy ( rx_cipherspec->fixed_iv, key, iv_size );
        DBGC ( tls, "TLS %p RX IV:\n", tls );
        DBGC_HD ( tls, key, iv_size );
        key += iv_size;

        assert ( ( key_block + total ) == key );

        return 0;
}

References assert(), tls_cipher_suite::cipher, tls_cipherspec::cipher_ctx, cipher_setkey(), tls_tx::cipherspec, tls_rx::cipherspec, tls_connection::client, DBGC, DBGC_HD, tls_cipherspec::fixed_iv, tls_cipher_suite::fixed_iv_len, key, tls_cipher_suite::key_len, tls_cipher_suite::mac_len, tls_cipherspec::mac_secret, tls_connection::master_secret, memcpy(), tls_cipherspec_pair::pending, tls_client::random, tls_server::random, rc, tls_connection::rx, tls_connection::server, strerror(), tls_cipherspec::suite, tls_prf_label, and tls_connection::tx.

Referenced by tls_new_server_hello(), and tls_send_client_key_exchange().

tls_clear_handshake()

static void tls_clear_handshake ( struct tls_connection *  tls )

static

Clear handshake digest algorithm.

Parameters

tls	TLS connection

Definition at line 777 of file tls.c.

                                                               {

        /* Select null digest algorithm */
        tls->handshake_digest = &digest_null;

        /* Free any existing context */
        free ( tls->handshake_ctx );
        tls->handshake_ctx = NULL;
}

References digest_null, free, tls_connection::handshake_ctx, tls_connection::handshake_digest, and NULL.

Referenced by add_tls(), and tls_select_handshake().

tls_select_handshake()

static int tls_select_handshake ( struct tls_connection *  tls, struct digest_algorithm *  digest  )

static

Select handshake digest algorithm.

Parameters

tls	TLS connection
digest	Handshake digest algorithm

Return values

rc	Return status code

Definition at line 794 of file tls.c.

                                                                    {

        /* Clear existing handshake digest */
        tls_clear_handshake ( tls );

        /* Allocate and initialise context */
        tls->handshake_ctx = malloc ( digest->ctxsize );
        if ( ! tls->handshake_ctx )
                return -ENOMEM;
        tls->handshake_digest = digest;
        digest_init ( digest, tls->handshake_ctx );

        return 0;
}

References digest_algorithm::ctxsize, digest_init(), ENOMEM, tls_connection::handshake_ctx, tls_connection::handshake_digest, malloc(), and tls_clear_handshake().

Referenced by tls_select_cipher().

tls_add_handshake()

static int tls_add_handshake ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Add handshake record to verification hash.

Parameters

tls	TLS connection
data	Handshake record
len	Length of handshake record

Return values

rc	Return status code

Definition at line 818 of file tls.c.

                                                              {
        struct digest_algorithm *digest = tls->handshake_digest;

        digest_update ( digest, tls->handshake_ctx, data, len );
        return 0;
}

References data, digest_update(), tls_connection::handshake_ctx, tls_connection::handshake_digest, and len.

Referenced by tls_new_handshake(), tls_new_server_hello(), and tls_send_record().

tls_find_cipher_suite()

static struct tls_cipher_suite* tls_find_cipher_suite ( unsigned int  cipher_suite )

static

Identify cipher suite.

Parameters

cipher_suite

Cipher suite specification

Return values

suite

Cipher suite, or NULL

Definition at line 867 of file tls.c.

                                                    {
        struct tls_cipher_suite *suite;

        /* Identify cipher suite */
        for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
                if ( suite->code == cipher_suite )
                        return suite;
        }

        return NULL;
}

References tls_cipher_suite::code, for_each_table_entry, NULL, and TLS_CIPHER_SUITES.

Referenced by tls_select_cipher().

tls_clear_cipher() [2/2]

static void tls_clear_cipher ( struct tls_connection *tls  __unused, struct tls_cipherspec *  cipherspec  )

static

Clear cipher suite.

Parameters

cipherspec

TLS cipher specification

Definition at line 884 of file tls.c.

                                                                   {

        free ( cipherspec->dynamic );
        memset ( cipherspec, 0, sizeof ( *cipherspec ) );
        cipherspec->suite = &tls_cipher_suite_null;
}

References tls_cipherspec::dynamic, free, memset(), tls_cipherspec::suite, and tls_cipher_suite_null.

tls_set_cipher()

static int tls_set_cipher ( struct tls_connection *  tls, struct tls_cipherspec *  cipherspec, struct tls_cipher_suite *  suite  )

static

Set cipher suite.

Parameters

tls	TLS connection
cipherspec	TLS cipher specification
suite	Cipher suite

Return values

rc	Return status code

Definition at line 900 of file tls.c.

                                                             {
        struct cipher_algorithm *cipher = suite->cipher;
        size_t total;
        void *dynamic;

        /* Clear out old cipher contents, if any */
        tls_clear_cipher ( tls, cipherspec );

        /* Allocate dynamic storage */
        total = ( cipher->ctxsize + suite->mac_len + suite->fixed_iv_len );
        dynamic = zalloc ( total );
        if ( ! dynamic ) {
                DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
                       "context\n", tls, total );
                return -ENOMEM_CONTEXT;
        }

        /* Assign storage */
        cipherspec->dynamic = dynamic;
        cipherspec->cipher_ctx = dynamic;       dynamic += cipher->ctxsize;
        cipherspec->mac_secret = dynamic;       dynamic += suite->mac_len;
        cipherspec->fixed_iv = dynamic;         dynamic += suite->fixed_iv_len;
        assert ( ( cipherspec->dynamic + total ) == dynamic );

        /* Store parameters */
        cipherspec->suite = suite;

        return 0;
}

References assert(), tls_cipher_suite::cipher, tls_cipherspec::cipher_ctx, cipher_algorithm::ctxsize, DBGC, tls_cipherspec::dynamic, ENOMEM_CONTEXT, tls_cipherspec::fixed_iv, tls_cipher_suite::fixed_iv_len, tls_cipher_suite::mac_len, tls_cipherspec::mac_secret, tls_cipherspec::suite, tls_clear_cipher(), and zalloc().

Referenced by tls_select_cipher().

tls_select_cipher()

static int tls_select_cipher ( struct tls_connection *  tls, unsigned int  cipher_suite  )

static

Select next cipher suite.

Parameters

tls	TLS connection
cipher_suite	Cipher suite specification

Return values

rc	Return status code

Definition at line 939 of file tls.c.

                                                           {
        struct tls_cipher_suite *suite;
        struct digest_algorithm *digest;
        int rc;

        /* Identify cipher suite */
        suite = tls_find_cipher_suite ( cipher_suite );
        if ( ! suite ) {
                DBGC ( tls, "TLS %p does not support cipher %04x\n",
                       tls, ntohs ( cipher_suite ) );
                return -ENOTSUP_CIPHER;
        }

        /* Set handshake digest algorithm */
        digest = ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ?
                   suite->handshake : &md5_sha1_algorithm );
        if ( ( rc = tls_select_handshake ( tls, digest ) ) != 0 )
                return rc;

        /* Set ciphers */
        if ( ( rc = tls_set_cipher ( tls, &tls->tx.cipherspec.pending,
                                     suite ) ) != 0 )
                return rc;
        if ( ( rc = tls_set_cipher ( tls, &tls->rx.cipherspec.pending,
                                     suite ) ) != 0 )
                return rc;

        DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
               suite->exchange->name, suite->pubkey->name,
               suite->cipher->name, ( suite->key_len * 8 ),
               suite->digest->name );

        return 0;
}

References tls_cipher_suite::cipher, tls_tx::cipherspec, tls_rx::cipherspec, DBGC, tls_cipher_suite::digest, ENOTSUP_CIPHER, tls_cipher_suite::exchange, tls_cipher_suite::handshake, tls_cipher_suite::key_len, md5_sha1_algorithm, digest_algorithm::name, cipher_algorithm::name, pubkey_algorithm::name, tls_key_exchange_algorithm::name, ntohs, tls_cipherspec_pair::pending, tls_cipher_suite::pubkey, rc, tls_connection::rx, tls_find_cipher_suite(), tls_select_handshake(), tls_set_cipher(), tls_version(), TLS_VERSION_TLS_1_2, and tls_connection::tx.

Referenced by tls_new_server_hello().

tls_change_cipher()

static int tls_change_cipher ( struct tls_connection *  tls, struct tls_cipherspec_pair *  pair  )

static

Activate next cipher suite.

Parameters

tls	TLS connection
pair	Cipher specification pair

Return values

rc	Return status code

Definition at line 982 of file tls.c.

                                                                  {

        /* Sanity check */
        if ( pair->pending.suite == &tls_cipher_suite_null ) {
                DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
                return -ENOTSUP_NULL;
        }

        tls_clear_cipher ( tls, &pair->active );
        memswap ( &pair->active, &pair->pending, sizeof ( pair->active ) );
        return 0;
}

References tls_cipherspec_pair::active, DBGC, ENOTSUP_NULL, memswap(), tls_cipherspec_pair::pending, tls_cipherspec::suite, tls_cipher_suite_null, and tls_clear_cipher().

Referenced by tls_new_change_cipher(), and tls_tx_step().

tls_signature_hash_algorithm()

static struct tls_signature_hash_algorithm* tls_signature_hash_algorithm ( struct pubkey_algorithm *  pubkey, struct digest_algorithm *  digest  )

static

Find TLS signature and hash algorithm.

Parameters

pubkey	Public-key algorithm
digest	Digest algorithm

Return values

sig_hash

Signature and hash algorithm, or NULL

Definition at line 1015 of file tls.c.

                                                                 {
        struct tls_signature_hash_algorithm *sig_hash;

        /* Identify signature and hash algorithm */
        for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
                if ( ( sig_hash->pubkey == pubkey ) &&
                     ( sig_hash->digest == digest ) ) {
                        return sig_hash;
                }
        }

        return NULL;
}

References tls_signature_hash_algorithm::digest, for_each_table_entry, NULL, tls_signature_hash_algorithm::pubkey, and TLS_SIG_HASH_ALGORITHMS.

Referenced by tls_send_certificate_verify().

tls_signature_hash_pubkey()

static struct pubkey_algorithm* tls_signature_hash_pubkey ( struct tls_signature_hash_id  code )

static

Find TLS signature algorithm.

Parameters

code	Signature and hash algorithm identifier

Return values

pubkey

Public key algorithm, or NULL

Definition at line 1037 of file tls.c.

                                                                {
        struct tls_signature_hash_algorithm *sig_hash;

        /* Identify signature and hash algorithm */
        for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
                if ( sig_hash->code.signature == code.signature )
                        return sig_hash->pubkey;
        }

        return NULL;
}

References code, tls_signature_hash_algorithm::code, for_each_table_entry, NULL, tls_signature_hash_algorithm::pubkey, tls_signature_hash_id::signature, and TLS_SIG_HASH_ALGORITHMS.

Referenced by tls_verify_dh_params().

tls_signature_hash_digest()

static struct digest_algorithm* tls_signature_hash_digest ( struct tls_signature_hash_id  code )

static

Find TLS hash algorithm.

Parameters

code	Signature and hash algorithm identifier

Return values

digest

Digest algorithm, or NULL

Definition at line 1056 of file tls.c.

                                                                {
        struct tls_signature_hash_algorithm *sig_hash;

        /* Identify signature and hash algorithm */
        for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
                if ( sig_hash->code.hash == code.hash )
                        return sig_hash->digest;
        }

        return NULL;
}

References code, tls_signature_hash_algorithm::code, tls_signature_hash_algorithm::digest, for_each_table_entry, tls_signature_hash_id::hash, NULL, and TLS_SIG_HASH_ALGORITHMS.

Referenced by tls_verify_dh_params().

tls_find_named_curve()

static struct tls_named_curve* tls_find_named_curve ( unsigned int  named_curve )

static

Identify named curve.

Parameters

named_curve

Named curve specification

Return values

curve

Named curve, or NULL

Definition at line 1085 of file tls.c.

                                                  {
        struct tls_named_curve *curve;

        /* Identify named curve */
        for_each_table_entry ( curve, TLS_NAMED_CURVES ) {
                if ( curve->code == named_curve )
                        return curve;
        }

        return NULL;
}

References tls_named_curve::curve, for_each_table_entry, NULL, and TLS_NAMED_CURVES.

Referenced by tls_send_client_key_exchange_ecdhe().

tls_tx_resume()

static void tls_tx_resume ( struct tls_connection *  tls )

static

Resume TX state machine.

Parameters

tls	TLS connection

Definition at line 1109 of file tls.c.

                                                         {
        process_add ( &tls->tx.process );
}

References tls_tx::process, process_add(), and tls_connection::tx.

Referenced by tls_new_finished(), tls_restart(), tls_tx_resume_all(), tls_tx_step(), and tls_validator_done().

tls_restart()

static void tls_restart ( struct tls_connection *  tls )

static

Restart negotiation.

Parameters

tls	TLS connection

Definition at line 1130 of file tls.c.

                                                       {

        /* Sanity check */
        assert ( ! tls->tx.pending );
        assert ( ! is_pending ( &tls->client.negotiation ) );
        assert ( ! is_pending ( &tls->server.negotiation ) );
        assert ( ! is_pending ( &tls->server.validation ) );

        /* (Re)start negotiation */
        tls->tx.pending = TLS_TX_CLIENT_HELLO;
        tls_tx_resume ( tls );
        pending_get ( &tls->client.negotiation );
        pending_get ( &tls->server.negotiation );
}

References assert(), tls_connection::client, is_pending(), tls_client::negotiation, tls_server::negotiation, tls_tx::pending, pending_get(), tls_connection::server, TLS_TX_CLIENT_HELLO, tls_tx_resume(), tls_connection::tx, and tls_server::validation.

Referenced by add_tls(), and tls_new_hello_request().

tls_send_handshake()

static int tls_send_handshake ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Transmit Handshake record.

Parameters

tls	TLS connection
data	Plaintext record
len	Length of plaintext record

Return values

rc	Return status code

Definition at line 1153 of file tls.c.

                                                               {

        /* Send record */
        return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
}

References data, len, tls_send_plaintext(), and TLS_TYPE_HANDSHAKE.

Referenced by tls_send_certificate_verify(), tls_send_client_hello(), tls_send_client_key_exchange_dhe(), tls_send_client_key_exchange_ecdhe(), tls_send_client_key_exchange_pubkey(), and tls_send_finished().

tls_client_hello()

static int tls_client_hello ( struct tls_connection *  tls, int(*)(struct tls_connection *tls, const void *data, size_t len)  action  )

static

Digest or transmit Client Hello record.

Parameters

tls	TLS connection
action	Action to take on Client Hello record

Return values

rc	Return status code

Definition at line 1167 of file tls.c.

                                                                {
        struct tls_session *session = tls->session;
        size_t name_len = strlen ( session->name );
        struct {
                uint16_t type;
                uint16_t len;
                struct {
                        uint16_t len;
                        struct {
                                uint8_t type;
                                uint16_t len;
                                uint8_t name[name_len];
                        } __attribute__ (( packed )) list[1];
                } __attribute__ (( packed )) data;
        } __attribute__ (( packed )) *server_name_ext;
        struct {
                uint16_t type;
                uint16_t len;
                struct {
                        uint8_t max;
                } __attribute__ (( packed )) data;
        } __attribute__ (( packed )) *max_fragment_length_ext;
        struct {
                uint16_t type;
                uint16_t len;
                struct {
                        uint16_t len;
                        struct tls_signature_hash_id
                                code[TLS_NUM_SIG_HASH_ALGORITHMS];
                } __attribute__ (( packed )) data;
        } __attribute__ (( packed )) *signature_algorithms_ext;
        struct {
                uint16_t type;
                uint16_t len;
                struct {
                        uint8_t len;
                        uint8_t data[ tls->secure_renegotiation ?
                                      sizeof ( tls->verify.client ) :0 ];
                } __attribute__ (( packed )) data;
        } __attribute__ (( packed )) *renegotiation_info_ext;
        struct {
                uint16_t type;
                uint16_t len;
                struct {
                        uint8_t data[session->ticket_len];
                } __attribute__ (( packed )) data;
        } __attribute__ (( packed )) *session_ticket_ext;
        struct {
                uint16_t type;
                uint16_t len;
                struct {
                        uint16_t len;
                        uint16_t code[TLS_NUM_NAMED_CURVES];
                } __attribute__ (( packed )) data;
        } __attribute__ (( packed )) *named_curve_ext;
        struct {
                uint16_t type;
                uint16_t len;
        } __attribute__ (( packed )) *extended_master_secret_ext;
        struct {
                typeof ( *server_name_ext ) server_name;
                typeof ( *max_fragment_length_ext ) max_fragment_length;
                typeof ( *signature_algorithms_ext ) signature_algorithms;
                typeof ( *renegotiation_info_ext ) renegotiation_info;
                typeof ( *session_ticket_ext ) session_ticket;
                typeof ( *extended_master_secret_ext ) extended_master_secret;
                typeof ( *named_curve_ext )
                        named_curve[TLS_NUM_NAMED_CURVES ? 1 : 0];
        } __attribute__ (( packed )) *extensions;
        struct {
                uint32_t type_length;
                uint16_t version;
                uint8_t random[32];
                uint8_t session_id_len;
                uint8_t session_id[tls->session_id_len];
                uint16_t cipher_suite_len;
                uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
                uint8_t compression_methods_len;
                uint8_t compression_methods[1];
                uint16_t extensions_len;
                typeof ( *extensions ) extensions;
        } __attribute__ (( packed )) hello;
        struct tls_cipher_suite *suite;
        struct tls_signature_hash_algorithm *sighash;
        struct tls_named_curve *curve;
        unsigned int i;

        /* Construct record */
        memset ( &hello, 0, sizeof ( hello ) );
        hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
                              htonl ( sizeof ( hello ) -
                                      sizeof ( hello.type_length ) ) );
        hello.version = htons ( TLS_VERSION_MAX );
        memcpy ( &hello.random, &tls->client.random, sizeof ( hello.random ) );
        hello.session_id_len = tls->session_id_len;
        memcpy ( hello.session_id, tls->session_id,
                 sizeof ( hello.session_id ) );
        hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
        i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
                hello.cipher_suites[i++] = suite->code;
        hello.compression_methods_len = sizeof ( hello.compression_methods );
        hello.extensions_len = htons ( sizeof ( hello.extensions ) );
        extensions = &hello.extensions;

        /* Construct server name extension */
        server_name_ext = &extensions->server_name;
        server_name_ext->type = htons ( TLS_SERVER_NAME );
        server_name_ext->len = htons ( sizeof ( server_name_ext->data ) );
        server_name_ext->data.len
                = htons ( sizeof ( server_name_ext->data.list ) );
        server_name_ext->data.list[0].type = TLS_SERVER_NAME_HOST_NAME;
        server_name_ext->data.list[0].len
                = htons ( sizeof ( server_name_ext->data.list[0].name ) );
        memcpy ( server_name_ext->data.list[0].name, session->name,
                 sizeof ( server_name_ext->data.list[0].name ) );

        /* Construct maximum fragment length extension */
        max_fragment_length_ext = &extensions->max_fragment_length;
        max_fragment_length_ext->type = htons ( TLS_MAX_FRAGMENT_LENGTH );
        max_fragment_length_ext->len
                = htons ( sizeof ( max_fragment_length_ext->data ) );
        max_fragment_length_ext->data.max = TLS_MAX_FRAGMENT_LENGTH_VALUE;

        /* Construct supported signature algorithms extension */
        signature_algorithms_ext = &extensions->signature_algorithms;
        signature_algorithms_ext->type = htons ( TLS_SIGNATURE_ALGORITHMS );
        signature_algorithms_ext->len
                = htons ( sizeof ( signature_algorithms_ext->data ) );
        signature_algorithms_ext->data.len
                = htons ( sizeof ( signature_algorithms_ext->data.code ) );
        i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
                signature_algorithms_ext->data.code[i++] = sighash->code;

        /* Construct renegotiation information extension */
        renegotiation_info_ext = &extensions->renegotiation_info;
        renegotiation_info_ext->type = htons ( TLS_RENEGOTIATION_INFO );
        renegotiation_info_ext->len
                = htons ( sizeof ( renegotiation_info_ext->data ) );
        renegotiation_info_ext->data.len
                = sizeof ( renegotiation_info_ext->data.data );
        memcpy ( renegotiation_info_ext->data.data, tls->verify.client,
                 sizeof ( renegotiation_info_ext->data.data ) );

        /* Construct session ticket extension */
        session_ticket_ext = &extensions->session_ticket;
        session_ticket_ext->type = htons ( TLS_SESSION_TICKET );
        session_ticket_ext->len
                = htons ( sizeof ( session_ticket_ext->data ) );
        memcpy ( session_ticket_ext->data.data, session->ticket,
                 sizeof ( session_ticket_ext->data.data ) );

        /* Construct extended master secret extension */
        extended_master_secret_ext = &extensions->extended_master_secret;
        extended_master_secret_ext->type
                = htons ( TLS_EXTENDED_MASTER_SECRET );
        extended_master_secret_ext->len = 0;

        /* Construct named curves extension, if applicable */
        if ( sizeof ( extensions->named_curve ) ) {
                named_curve_ext = &extensions->named_curve[0];
                named_curve_ext->type = htons ( TLS_NAMED_CURVE );
                named_curve_ext->len
                        = htons ( sizeof ( named_curve_ext->data ) );
                named_curve_ext->data.len
                        = htons ( sizeof ( named_curve_ext->data.code ) );
                i = 0 ; for_each_table_entry ( curve, TLS_NAMED_CURVES )
                        named_curve_ext->data.code[i++] = curve->code;
        }

        return action ( tls, &hello, sizeof ( hello ) );
}

References __attribute__, tls_verify_data::client, tls_connection::client, code, tls_cipher_suite::code, tls_signature_hash_algorithm::code, cpu_to_le32, tls_named_curve::curve, data, for_each_table_entry, hello, htonl, htons, len, tls_session::list, max, memcpy(), memset(), tls_session::name, random(), tls_client::random, tls_connection::secure_renegotiation, tls_connection::session, tls_connection::session_id, tls_connection::session_id_len, strlen(), tls_session::ticket, tls_session::ticket_len, TLS_CIPHER_SUITES, TLS_CLIENT_HELLO, TLS_EXTENDED_MASTER_SECRET, TLS_MAX_FRAGMENT_LENGTH, TLS_MAX_FRAGMENT_LENGTH_VALUE, TLS_NAMED_CURVE, TLS_NAMED_CURVES, TLS_NUM_CIPHER_SUITES, TLS_NUM_NAMED_CURVES, TLS_NUM_SIG_HASH_ALGORITHMS, TLS_RENEGOTIATION_INFO, TLS_SERVER_NAME, TLS_SERVER_NAME_HOST_NAME, TLS_SESSION_TICKET, TLS_SIG_HASH_ALGORITHMS, TLS_SIGNATURE_ALGORITHMS, TLS_VERSION_MAX, type, typeof(), tls_connection::verify, and version.

Referenced by tls_new_server_hello(), and tls_send_client_hello().

tls_send_client_hello()

static int tls_send_client_hello ( struct tls_connection *  tls )

static

Transmit Client Hello record.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1348 of file tls.c.

                                                                {

        return tls_client_hello ( tls, tls_send_handshake );
}

References tls_client_hello(), and tls_send_handshake().

Referenced by tls_tx_step().

tls_send_certificate()

static int tls_send_certificate ( struct tls_connection *  tls )

static

Transmit Certificate record.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1359 of file tls.c.

                                                               {
        struct {
                tls24_t length;
                uint8_t data[0];
        } __attribute__ (( packed )) *certificate;
        struct {
                uint32_t type_length;
                tls24_t length;
                typeof ( *certificate ) certificates[0];
        } __attribute__ (( packed )) *certificates;
        struct x509_link *link;
        struct x509_certificate *cert;
        struct io_buffer *iobuf;
        size_t len;

        /* Calculate length of client certificates */
        len = 0;
        list_for_each_entry ( link, &tls->client.chain->links, list ) {
                cert = link->cert;
                len += ( sizeof ( *certificate ) + cert->raw.len );
                DBGC ( tls, "TLS %p sending client certificate %s\n",
                       tls, x509_name ( cert ) );
        }

        /* Allocate storage for Certificate record (which may be too
         * large for the stack).
         */
        iobuf = tls_alloc_iob ( tls, ( sizeof ( *certificates ) + len ) );
        if ( ! iobuf )
                return -ENOMEM_CERTIFICATE;

        /* Populate record */
        certificates = iob_put ( iobuf, sizeof ( *certificates ) );
        certificates->type_length =
                ( cpu_to_le32 ( TLS_CERTIFICATE ) |
                  htonl ( sizeof ( *certificates ) + len -
                          sizeof ( certificates->type_length ) ) );
        tls_set_uint24 ( &certificates->length, len );
        list_for_each_entry ( link, &tls->client.chain->links, list ) {
                cert = link->cert;
                certificate = iob_put ( iobuf, sizeof ( *certificate ) );
                tls_set_uint24 ( &certificate->length, cert->raw.len );
                memcpy ( iob_put ( iobuf, cert->raw.len ), cert->raw.data,
                         cert->raw.len );
        }

        /* Transmit record */
        return tls_send_record ( tls, TLS_TYPE_HANDSHAKE,
                                 iob_disown ( iobuf ) );
}

References __attribute__, tls_client::chain, tls_connection::client, cpu_to_le32, data, asn1_cursor::data, DBGC, ENOMEM_CERTIFICATE, htonl, iob_disown, iob_put, asn1_cursor::len, len, length, link, x509_chain::links, io_buffer::list, list_for_each_entry, memcpy(), x509_certificate::raw, tls_alloc_iob(), TLS_CERTIFICATE, tls_send_record(), tls_set_uint24(), TLS_TYPE_HANDSHAKE, typeof(), and x509_name().

Referenced by tls_tx_step().

tls_send_client_key_exchange_pubkey()

static int tls_send_client_key_exchange_pubkey ( struct tls_connection *  tls )

static

Transmit Client Key Exchange record using public key exchange.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1416 of file tls.c.

                                                                              {
        struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
        struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
        struct {
                uint16_t version;
                uint8_t random[46];
        } __attribute__ (( packed )) pre_master_secret;
        struct asn1_cursor cursor = {
                .data = &pre_master_secret,
                .len = sizeof ( pre_master_secret ),
        };
        struct asn1_builder builder = { NULL, 0 };
        int rc;

        /* Generate pre-master secret */
        pre_master_secret.version = htons ( TLS_VERSION_MAX );
        if ( ( rc = tls_generate_random ( tls, &pre_master_secret.random,
                          ( sizeof ( pre_master_secret.random ) ) ) ) != 0 ) {
                goto err_random;
        }

        /* Encrypt pre-master secret using server's public key */
        if ( ( rc = pubkey_encrypt ( pubkey, &tls->server.key, &cursor,
                                     &builder ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
                       tls, strerror ( rc ) );
                goto err_encrypt;
        }

        /* Construct Client Key Exchange record */
        {
                struct {
                        uint32_t type_length;
                        uint16_t encrypted_pre_master_secret_len;
                } __attribute__ (( packed )) header;

                header.type_length =
                        ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
                          htonl ( builder.len + sizeof ( header ) -
                                  sizeof ( header.type_length ) ) );
                header.encrypted_pre_master_secret_len = htons ( builder.len );

                if ( ( rc = asn1_prepend_raw ( &builder, &header,
                                               sizeof ( header ) ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not construct Client Key "
                               "Exchange: %s\n", tls, strerror ( rc ) );
                        goto err_prepend;
                }
        }

        /* Transmit Client Key Exchange record */
        if ( ( rc = tls_send_handshake ( tls, builder.data,
                                         builder.len ) ) != 0 ) {
                goto err_send;
        }

        /* Generate master secret */
        tls_generate_master_secret ( tls, &pre_master_secret,
                                     sizeof ( pre_master_secret ) );

 err_random:
 err_encrypt:
 err_prepend:
 err_send:
        free ( builder.data );
        return rc;
}

References __attribute__, asn1_prepend_raw(), tls_tx::cipherspec, cpu_to_le32, asn1_cursor::data, asn1_builder::data, DBGC, free, header, htonl, htons, tls_server::key, asn1_builder::len, NULL, tls_cipherspec_pair::pending, tls_cipher_suite::pubkey, pubkey_encrypt(), random(), rc, tls_connection::server, strerror(), tls_cipherspec::suite, TLS_CLIENT_KEY_EXCHANGE, tls_generate_master_secret(), tls_generate_random(), tls_send_handshake(), TLS_VERSION_MAX, tls_connection::tx, and version.

tls_verify_dh_params()

static int tls_verify_dh_params ( struct tls_connection *  tls, size_t  param_len  )

static

Verify Diffie-Hellman parameter signature.

Parameters

tls	TLS connection
param_len	Diffie-Hellman parameter length

Return values

rc	Return status code

Definition at line 1497 of file tls.c.

                                                     {
        struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
        struct pubkey_algorithm *pubkey;
        struct digest_algorithm *digest;
        int use_sig_hash = tls_version ( tls, TLS_VERSION_TLS_1_2 );
        const struct {
                struct tls_signature_hash_id sig_hash[use_sig_hash];
                uint16_t signature_len;
                uint8_t signature[0];
        } __attribute__ (( packed )) *sig;
        struct asn1_cursor signature;
        const void *data;
        size_t remaining;
        int rc;

        /* Signature follows parameters */
        assert ( param_len <= tls->server.exchange_len );
        data = ( tls->server.exchange + param_len );
        remaining = ( tls->server.exchange_len - param_len );

        /* Parse signature from ServerKeyExchange */
        sig = data;
        if ( ( sizeof ( *sig ) > remaining ) ||
             ( ntohs ( sig->signature_len ) > ( remaining -
                                                sizeof ( *sig ) ) ) ) {
                DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
                       tls );
                DBGC_HDA ( tls, 0, tls->server.exchange,
                           tls->server.exchange_len );
                return -EINVAL_KEY_EXCHANGE;
        }
        signature.data = sig->signature;
        signature.len = ntohs ( sig->signature_len );

        /* Identify signature and hash algorithm */
        if ( use_sig_hash ) {
                pubkey = tls_signature_hash_pubkey ( sig->sig_hash[0] );
                digest = tls_signature_hash_digest ( sig->sig_hash[0] );
                if ( ( ! pubkey ) || ( ! digest ) ) {
                        DBGC ( tls, "TLS %p ServerKeyExchange unsupported "
                               "signature and hash algorithm\n", tls );
                        return -ENOTSUP_SIG_HASH;
                }
                if ( pubkey != cipherspec->suite->pubkey ) {
                        DBGC ( tls, "TLS %p ServerKeyExchange incorrect "
                               "signature algorithm %s (expected %s)\n", tls,
                               pubkey->name, cipherspec->suite->pubkey->name );
                        return -EPERM_KEY_EXCHANGE;
                }
        } else {
                pubkey = cipherspec->suite->pubkey;
                digest = &md5_sha1_algorithm;
        }

        /* Verify signature */
        {
                uint8_t ctx[digest->ctxsize];
                uint8_t hash[digest->digestsize];

                /* Calculate digest */
                digest_init ( digest, ctx );
                digest_update ( digest, ctx, &tls->client.random,
                                sizeof ( tls->client.random ) );
                digest_update ( digest, ctx, tls->server.random,
                                sizeof ( tls->server.random ) );
                digest_update ( digest, ctx, tls->server.exchange, param_len );
                digest_final ( digest, ctx, hash );

                /* Verify signature */
                if ( ( rc = pubkey_verify ( pubkey, &tls->server.key, digest,
                                            hash, &signature ) ) != 0 ) {
                        DBGC ( tls, "TLS %p ServerKeyExchange failed "
                               "verification\n", tls );
                        DBGC_HDA ( tls, 0, tls->server.exchange,
                                   tls->server.exchange_len );
                        return -EPERM_KEY_EXCHANGE;
                }
        }

        return 0;
}

References __attribute__, assert(), tls_tx::cipherspec, tls_connection::client, ctx, digest_algorithm::ctxsize, data, DBGC, DBGC_HDA, digest_final(), digest_init(), digest_update(), digest_algorithm::digestsize, EINVAL_KEY_EXCHANGE, ENOTSUP_SIG_HASH, EPERM_KEY_EXCHANGE, tls_server::exchange, tls_server::exchange_len, hash, tls_server::key, md5_sha1_algorithm, pubkey_algorithm::name, ntohs, tls_cipherspec_pair::pending, tls_cipher_suite::pubkey, pubkey_verify(), tls_client::random, tls_server::random, rc, tls_connection::server, sig, signature, tls_cipherspec::suite, tls_signature_hash_digest(), tls_signature_hash_pubkey(), tls_version(), TLS_VERSION_TLS_1_2, and tls_connection::tx.

Referenced by tls_send_client_key_exchange_dhe(), and tls_send_client_key_exchange_ecdhe().

tls_send_client_key_exchange_dhe()

static int tls_send_client_key_exchange_dhe ( struct tls_connection *  tls )

static

Transmit Client Key Exchange record using DHE key exchange.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1586 of file tls.c.

                                                                           {
        uint8_t private[ sizeof ( tls->client.random.random ) ];
        const struct {
                uint16_t len;
                uint8_t data[0];
        } __attribute__ (( packed )) *dh_val[3];
        const void *data;
        size_t remaining;
        size_t frag_len;
        size_t param_len;
        unsigned int i;
        int rc;

        /* Parse ServerKeyExchange */
        data = tls->server.exchange;
        remaining = tls->server.exchange_len;
        for ( i = 0 ; i < ( sizeof ( dh_val ) / sizeof ( dh_val[0] ) ) ; i++ ){
                dh_val[i] = data;
                if ( ( sizeof ( *dh_val[i] ) > remaining ) ||
                     ( ntohs ( dh_val[i]->len ) > ( remaining -
                                                    sizeof ( *dh_val[i] ) ) )){
                        DBGC ( tls, "TLS %p received underlength "
                               "ServerKeyExchange\n", tls );
                        DBGC_HDA ( tls, 0, tls->server.exchange,
                                   tls->server.exchange_len );
                        rc = -EINVAL_KEY_EXCHANGE;
                        goto err_header;
                }
                frag_len = ( sizeof ( *dh_val[i] ) + ntohs ( dh_val[i]->len ));
                data += frag_len;
                remaining -= frag_len;
        }
        param_len = ( tls->server.exchange_len - remaining );

        /* Verify parameter signature */
        if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
                goto err_verify;

        /* Generate Diffie-Hellman private key */
        if ( ( rc = tls_generate_random ( tls, private,
                                          sizeof ( private ) ) ) != 0 ) {
                goto err_random;
        }

        /* Construct pre-master secret and ClientKeyExchange record */
        {
                typeof ( dh_val[0] ) dh_p = dh_val[0];
                typeof ( dh_val[1] ) dh_g = dh_val[1];
                typeof ( dh_val[2] ) dh_ys = dh_val[2];
                size_t len = ntohs ( dh_p->len );
                struct {
                        uint32_t type_length;
                        uint16_t dh_xs_len;
                        uint8_t dh_xs[len];
                } __attribute__ (( packed )) *key_xchg;
                struct {
                        uint8_t pre_master_secret[len];
                        typeof ( *key_xchg ) key_xchg;
                } *dynamic;
                uint8_t *pre_master_secret;

                /* Allocate space */
                dynamic = malloc ( sizeof ( *dynamic ) );
                if ( ! dynamic ) {
                        rc = -ENOMEM;
                        goto err_alloc;
                }
                pre_master_secret = dynamic->pre_master_secret;
                key_xchg = &dynamic->key_xchg;
                key_xchg->type_length =
                        ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
                          htonl ( sizeof ( *key_xchg ) -
                                  sizeof ( key_xchg->type_length ) ) );
                key_xchg->dh_xs_len = htons ( len );

                /* Calculate pre-master secret and client public value */
                if ( ( rc = dhe_key ( dh_p->data, len,
                                      dh_g->data, ntohs ( dh_g->len ),
                                      dh_ys->data, ntohs ( dh_ys->len ),
                                      private, sizeof ( private ),
                                      key_xchg->dh_xs,
                                      pre_master_secret ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not calculate DHE key: %s\n",
                               tls, strerror ( rc ) );
                        goto err_dhe_key;
                }

                /* Strip leading zeroes from pre-master secret */
                while ( len && ( ! *pre_master_secret ) ) {
                        pre_master_secret++;
                        len--;
                }

                /* Transmit Client Key Exchange record */
                if ( ( rc = tls_send_handshake ( tls, key_xchg,
                                                 sizeof ( *key_xchg ) ) ) !=0){
                        goto err_send_handshake;
                }

                /* Generate master secret */
                tls_generate_master_secret ( tls, pre_master_secret, len );

        err_send_handshake:
        err_dhe_key:
                free ( dynamic );
        }
 err_alloc:
 err_random:
 err_verify:
 err_header:
        return rc;
}

References __attribute__, tls_connection::client, cpu_to_le32, asn1_cursor::data, data, DBGC, DBGC_HDA, dhe_key(), EINVAL_KEY_EXCHANGE, ENOMEM, tls_server::exchange, tls_server::exchange_len, free, htonl, htons, asn1_cursor::len, len, malloc(), ntohs, tls_client_random::random, tls_client::random, rc, tls_connection::server, strerror(), TLS_CLIENT_KEY_EXCHANGE, tls_generate_master_secret(), tls_generate_random(), tls_send_handshake(), tls_verify_dh_params(), and typeof().

tls_send_client_key_exchange_ecdhe()

static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *  tls )

static

Transmit Client Key Exchange record using ECDHE key exchange.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1711 of file tls.c.

                                                                             {
        struct tls_named_curve *curve;
        const struct {
                uint8_t curve_type;
                uint16_t named_curve;
                uint8_t public_len;
                uint8_t public[0];
        } __attribute__ (( packed )) *ecdh;
        size_t param_len;
        size_t pointsize;
        size_t keysize;
        size_t offset;
        int rc;

        /* Parse ServerKeyExchange record */
        ecdh = tls->server.exchange;
        if ( ( sizeof ( *ecdh ) > tls->server.exchange_len ) ||
             ( ecdh->public_len > ( tls->server.exchange_len -
                                    sizeof ( *ecdh ) ) ) ) {
                DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
                       tls );
                DBGC_HDA ( tls, 0, tls->server.exchange,
                           tls->server.exchange_len );
                return -EINVAL_KEY_EXCHANGE;
        }
        param_len = ( sizeof ( *ecdh ) + ecdh->public_len );

        /* Verify parameter signature */
        if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
                return rc;

        /* Identify named curve */
        if ( ecdh->curve_type != TLS_NAMED_CURVE_TYPE ) {
                DBGC ( tls, "TLS %p unsupported curve type %d\n",
                       tls, ecdh->curve_type );
                DBGC_HDA ( tls, 0, tls->server.exchange,
                           tls->server.exchange_len );
                return -ENOTSUP_CURVE;
        }
        curve = tls_find_named_curve ( ecdh->named_curve );
        if ( ! curve ) {
                DBGC ( tls, "TLS %p unsupported named curve %d\n",
                       tls, ntohs ( ecdh->named_curve ) );
                DBGC_HDA ( tls, 0, tls->server.exchange,
                           tls->server.exchange_len );
                return -ENOTSUP_CURVE;
        }
        DBGC ( tls, "TLS %p using named curve %s\n", tls, curve->curve->name );
        pointsize = curve->curve->pointsize;
        keysize = curve->curve->keysize;
        offset = ( curve->format ? 1 : 0 );

        /* Check key length */
        if ( ecdh->public_len != ( offset + pointsize ) ) {
                DBGC ( tls, "TLS %p invalid %s key\n",
                       tls, curve->curve->name );
                DBGC_HDA ( tls, 0, tls->server.exchange,
                           tls->server.exchange_len );
                return -EINVAL_KEY_EXCHANGE;
        }

        /* Check curve point format byte (if present) */
        if ( curve->format && ( ecdh->public[0] != curve->format ) ) {
                DBGC ( tls, "TLS %p invalid %s curve point format\n",
                       tls, curve->curve->name );
                DBGC_HDA ( tls, 0, tls->server.exchange,
                           tls->server.exchange_len );
                return -EINVAL_KEY_EXCHANGE;
        }

        /* Construct pre-master secret and ClientKeyExchange record */
        {
                uint8_t private[keysize];
                uint8_t pre_master_secret[pointsize];
                struct {
                        uint32_t type_length;
                        uint8_t public_len;
                        uint8_t public[ecdh->public_len];
                } __attribute__ (( packed )) key_xchg;

                /* Generate ephemeral private key */
                if ( ( rc = tls_generate_random ( tls, private,
                                                  sizeof ( private ) ) ) != 0){
                        return rc;
                }

                /* Exchange keys */
                if ( ( rc = ecdhe_key ( curve->curve, ( ecdh->public + offset ),
                                        private, ( key_xchg.public + offset ),
                                        pre_master_secret ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not exchange ECDHE key: %s\n",
                               tls, strerror ( rc ) );
                        return rc;
                }

                /* Generate Client Key Exchange record */
                key_xchg.type_length =
                        ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
                          htonl ( sizeof ( key_xchg ) -
                                  sizeof ( key_xchg.type_length ) ) );
                key_xchg.public_len = sizeof ( key_xchg.public );
                if ( curve->format )
                        key_xchg.public[0] = curve->format;

                /* Transmit Client Key Exchange record */
                if ( ( rc = tls_send_handshake ( tls, &key_xchg,
                                                 sizeof ( key_xchg ) ) ) !=0){
                        return rc;
                }

                /* Generate master secret */
                tls_generate_master_secret ( tls, pre_master_secret,
                                             curve->pre_master_secret_len );
        }

        return 0;
}

References __attribute__, cpu_to_le32, tls_named_curve::curve, DBGC, DBGC_HDA, ecdhe_key(), EINVAL_KEY_EXCHANGE, ENOTSUP_CURVE, tls_server::exchange, tls_server::exchange_len, tls_named_curve::format, htonl, keysize, elliptic_curve::keysize, elliptic_curve::name, ntohs, offset, elliptic_curve::pointsize, tls_named_curve::pre_master_secret_len, rc, tls_connection::server, strerror(), TLS_CLIENT_KEY_EXCHANGE, tls_find_named_curve(), tls_generate_master_secret(), tls_generate_random(), TLS_NAMED_CURVE_TYPE, tls_send_handshake(), and tls_verify_dh_params().

tls_send_client_key_exchange()

static int tls_send_client_key_exchange ( struct tls_connection *  tls )

static

Transmit Client Key Exchange record.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1841 of file tls.c.

                                                                       {
        struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
        struct tls_cipher_suite *suite = cipherspec->suite;
        int rc;

        /* Transmit Client Key Exchange record via key exchange algorithm */
        if ( ( rc = suite->exchange->exchange ( tls ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not exchange keys: %s\n",
                       tls, strerror ( rc ) );
                return rc;
        }

        /* Generate keys from master secret */
        if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not generate keys: %s\n",
                       tls, strerror ( rc ) );
                return rc;
        }

        return 0;
}

References tls_tx::cipherspec, DBGC, tls_key_exchange_algorithm::exchange, tls_cipher_suite::exchange, tls_cipherspec_pair::pending, rc, strerror(), tls_cipherspec::suite, tls_generate_keys(), and tls_connection::tx.

Referenced by tls_tx_step().

tls_send_certificate_verify()

static int tls_send_certificate_verify ( struct tls_connection *  tls )

static

Transmit Certificate Verify record.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1869 of file tls.c.

                                                                      {
        struct digest_algorithm *digest = tls->handshake_digest;
        struct x509_certificate *cert = x509_first ( tls->client.chain );
        struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
        struct asn1_cursor *key = privkey_cursor ( tls->client.key );
        uint8_t digest_out[ digest->digestsize ];
        struct tls_signature_hash_algorithm *sig_hash = NULL;
        struct asn1_builder builder = { NULL, 0 };
        int rc;

        /* Generate digest to be signed */
        tls_verify_handshake ( tls, digest_out );

        /* TLSv1.2 and later use explicit algorithm identifiers */
        if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
                sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
                if ( ! sig_hash ) {
                        DBGC ( tls, "TLS %p could not identify (%s,%s) "
                               "signature and hash algorithm\n", tls,
                               pubkey->name, digest->name );
                        rc = -ENOTSUP_SIG_HASH;
                        goto err_sig_hash;
                }
        }

        /* Sign digest */
        if ( ( rc = pubkey_sign ( pubkey, key, digest, digest_out,
                                  &builder ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not sign %s digest using %s client "
                       "private key: %s\n", tls, digest->name, pubkey->name,
                       strerror ( rc ) );
                goto err_pubkey_sign;
        }

        /* Construct Certificate Verify record */
        {
                int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
                struct {
                        uint32_t type_length;
                        struct tls_signature_hash_id sig_hash[use_sig_hash];
                        uint16_t signature_len;
                } __attribute__ (( packed )) header;

                header.type_length = ( cpu_to_le32 ( TLS_CERTIFICATE_VERIFY ) |
                                       htonl ( builder.len +
                                               sizeof ( header ) -
                                               sizeof ( header.type_length )));
                if ( use_sig_hash ) {
                        memcpy ( &header.sig_hash[0], &sig_hash->code,
                                 sizeof ( header.sig_hash[0] ) );
                }
                header.signature_len = htons ( builder.len );

                if ( ( rc = asn1_prepend_raw ( &builder, &header,
                                               sizeof ( header ) ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not construct Certificate "
                               "Verify: %s\n", tls, strerror ( rc ) );
                        goto err_prepend;
                }
        }

        /* Transmit record */
        if ( ( rc = tls_send_handshake ( tls, builder.data,
                                         builder.len ) ) != 0 ) {
                goto err_send;
        }

 err_send:
 err_prepend:
 err_pubkey_sign:
 err_sig_hash:
        free ( builder.data );
        return rc;
}

References __attribute__, asn1_prepend_raw(), tls_client::chain, tls_connection::client, tls_signature_hash_algorithm::code, cpu_to_le32, asn1_builder::data, DBGC, digest_algorithm::digestsize, ENOTSUP_SIG_HASH, free, tls_connection::handshake_digest, header, htonl, htons, key, tls_client::key, asn1_builder::len, memcpy(), digest_algorithm::name, pubkey_algorithm::name, NULL, privkey_cursor(), asn1_algorithm::pubkey, pubkey_sign(), rc, x509_certificate::signature_algorithm, strerror(), TLS_CERTIFICATE_VERIFY, tls_send_handshake(), tls_signature_hash_algorithm(), tls_verify_handshake(), tls_version(), TLS_VERSION_TLS_1_2, and x509_first().

Referenced by tls_tx_step().

tls_send_change_cipher()

static int tls_send_change_cipher ( struct tls_connection *  tls )

static

Transmit Change Cipher record.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1950 of file tls.c.

                                                                 {
        static const struct {
                uint8_t spec;
        } __attribute__ (( packed )) change_cipher = {
                .spec = TLS_CHANGE_CIPHER_SPEC,
        };

        return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
                                    &change_cipher, sizeof ( change_cipher ) );
}

References __attribute__, spec, TLS_CHANGE_CIPHER_SPEC, tls_send_plaintext(), and TLS_TYPE_CHANGE_CIPHER.

Referenced by tls_tx_step().

tls_send_finished()

static int tls_send_finished ( struct tls_connection *  tls )

static

Transmit Finished record.

Parameters

tls	TLS connection

Return values

rc	Return status code

Definition at line 1967 of file tls.c.

                                                            {
        struct digest_algorithm *digest = tls->handshake_digest;
        struct {
                uint32_t type_length;
                uint8_t verify_data[ sizeof ( tls->verify.client ) ];
        } __attribute__ (( packed )) finished;
        uint8_t digest_out[ digest->digestsize ];
        int rc;

        /* Construct client verification data */
        tls_verify_handshake ( tls, digest_out );
        tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
                        tls->verify.client, sizeof ( tls->verify.client ),
                        "client finished", digest_out, sizeof ( digest_out ) );

        /* Construct record */
        memset ( &finished, 0, sizeof ( finished ) );
        finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
                                 htonl ( sizeof ( finished ) -
                                         sizeof ( finished.type_length ) ) );
        memcpy ( finished.verify_data, tls->verify.client,
                 sizeof ( finished.verify_data ) );

        /* Transmit record */
        if ( ( rc = tls_send_handshake ( tls, &finished,
                                         sizeof ( finished ) ) ) != 0 )
                return rc;

        /* Mark client as finished */
        pending_put ( &tls->client.negotiation );

        return 0;
}

References __attribute__, tls_verify_data::client, tls_connection::client, cpu_to_le32, digest_algorithm::digestsize, tls_connection::handshake_digest, htonl, tls_connection::master_secret, memcpy(), memset(), tls_client::negotiation, pending_put(), rc, TLS_FINISHED, tls_prf_label, tls_send_handshake(), tls_verify_handshake(), and tls_connection::verify.

Referenced by tls_tx_step().

tls_new_change_cipher()

static int tls_new_change_cipher ( struct tls_connection *  tls, struct io_buffer *  iobuf  )

static

Receive new Change Cipher record.

Parameters

tls	TLS connection
iobuf	I/O buffer

Return values

rc	Return status code

Definition at line 2008 of file tls.c.

                                                             {
        const struct {
                uint8_t spec;
        } __attribute__ (( packed )) *change_cipher = iobuf->data;
        size_t len = iob_len ( iobuf );
        int rc;

        /* Sanity check */
        if ( ( sizeof ( *change_cipher ) != len ) ||
             ( change_cipher->spec != TLS_CHANGE_CIPHER_SPEC ) ) {
                DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
                DBGC_HD ( tls, change_cipher, len );
                return -EINVAL_CHANGE_CIPHER;
        }
        iob_pull ( iobuf, sizeof ( *change_cipher ) );

        /* Change receive cipher spec */
        if ( ( rc = tls_change_cipher ( tls, &tls->rx.cipherspec ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
                       tls, strerror ( rc ) );
                return rc;
        }
        tls->rx.seq = ~( ( uint64_t ) 0 );

        return 0;
}

References __attribute__, tls_rx::cipherspec, io_buffer::data, DBGC, DBGC_HD, EINVAL_CHANGE_CIPHER, iob_len(), iob_pull, len, rc, tls_connection::rx, tls_rx::seq, spec, strerror(), tls_change_cipher(), and TLS_CHANGE_CIPHER_SPEC.

Referenced by tls_new_record().

tls_new_alert()

static int tls_new_alert ( struct tls_connection *  tls, struct io_buffer *  iobuf  )

static

Receive new Alert record.

Parameters

tls	TLS connection
iobuf	I/O buffer

Return values

rc	Return status code

Definition at line 2043 of file tls.c.

                                                     {
        const struct {
                uint8_t level;
                uint8_t description;
                char next[0];
        } __attribute__ (( packed )) *alert = iobuf->data;
        size_t len = iob_len ( iobuf );

        /* Sanity check */
        if ( sizeof ( *alert ) != len ) {
                DBGC ( tls, "TLS %p received overlength Alert\n", tls );
                DBGC_HD ( tls, alert, len );
                return -EINVAL_ALERT;
        }
        iob_pull ( iobuf, sizeof ( *alert ) );

        /* Handle alert */
        switch ( alert->level ) {
        case TLS_ALERT_WARNING:
                DBGC ( tls, "TLS %p received warning alert %d\n",
                       tls, alert->description );
                return 0;
        case TLS_ALERT_FATAL:
                DBGC ( tls, "TLS %p received fatal alert %d\n",
                       tls, alert->description );
                return -EPERM_ALERT;
        default:
                DBGC ( tls, "TLS %p received unknown alert level %d"
                       "(alert %d)\n", tls, alert->level, alert->description );
                return -EIO_ALERT;
        }
}

References __attribute__, alert(), io_buffer::data, DBGC, DBGC_HD, EINVAL_ALERT, EIO_ALERT, EPERM_ALERT, iob_len(), iob_pull, len, next, TLS_ALERT_FATAL, and TLS_ALERT_WARNING.

Referenced by tls_new_record().

tls_new_hello_request()

static int tls_new_hello_request ( struct tls_connection *  tls, const void *data  __unused, size_t len  __unused  )

static

Receive new Hello Request handshake record.

Parameters

tls	TLS connection
data	Plaintext handshake record
len	Length of plaintext handshake record

Return values

rc	Return status code

Definition at line 2085 of file tls.c.

                                                         {

        /* Ignore if a handshake is in progress */
        if ( ! tls_ready ( tls ) ) {
                DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
                return 0;
        }

        /* Fail unless server supports secure renegotiation */
        if ( ! ( tls->secure_renegotiation && tls->extended_master_secret ) ) {
                DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
                       tls );
                return -EPERM_RENEG_INSECURE;
        }

        /* Restart negotiation */
        tls_restart ( tls );

        return 0;
}

References DBGC, EPERM_RENEG_INSECURE, tls_connection::extended_master_secret, tls_connection::secure_renegotiation, tls_ready(), and tls_restart().

Referenced by tls_new_handshake().

tls_new_server_hello()

static int tls_new_server_hello ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Receive new Server Hello handshake record.

Parameters

tls	TLS connection
data	Plaintext handshake record
len	Length of plaintext handshake record

Return values

rc	Return status code

Definition at line 2116 of file tls.c.

                                                                 {
        const struct {
                uint16_t version;
                uint8_t random[32];
                uint8_t session_id_len;
                uint8_t session_id[0];
        } __attribute__ (( packed )) *hello_a = data;
        const uint8_t *session_id;
        const struct {
                uint16_t cipher_suite;
                uint8_t compression_method;
                char next[0];
        } __attribute__ (( packed )) *hello_b;
        const struct {
                uint16_t len;
                uint8_t data[0];
        } __attribute__ (( packed )) *exts;
        const struct {
                uint16_t type;
                uint16_t len;
                uint8_t data[0];
        } __attribute__ (( packed )) *ext;
        const struct {
                uint8_t len;
                uint8_t data[0];
        } __attribute__ (( packed )) *reneg = NULL;
        const struct {
                uint8_t data[0];
        } __attribute__ (( packed )) *ems = NULL;
        uint16_t version;
        size_t exts_len;
        size_t ext_len;
        size_t remaining;
        int rc;

        /* Parse header */
        if ( ( sizeof ( *hello_a ) > len ) ||
             ( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
             ( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
                                       hello_a->session_id_len ) ) ) {
                DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
                DBGC_HD ( tls, data, len );
                return -EINVAL_HELLO;
        }
        session_id = hello_a->session_id;
        hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );

        /* Parse extensions, if present */
        remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
                      sizeof ( *hello_b ) );
        if ( remaining ) {

                /* Parse extensions length */
                exts = ( ( void * ) hello_b->next );
                if ( ( sizeof ( *exts ) > remaining ) ||
                     ( ( exts_len = ntohs ( exts->len ) ) >
                       ( remaining - sizeof ( *exts ) ) ) ) {
                        DBGC ( tls, "TLS %p received underlength extensions\n",
                               tls );
                        DBGC_HD ( tls, data, len );
                        return -EINVAL_HELLO;
                }

                /* Parse extensions */
                for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
                      remaining ;
                      ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
                              remaining -= ( sizeof ( *ext ) + ext_len ) ) {

                        /* Parse extension length */
                        if ( ( sizeof ( *ext ) > remaining ) ||
                             ( ( ext_len = ntohs ( ext->len ) ) >
                               ( remaining - sizeof ( *ext ) ) ) ) {
                                DBGC ( tls, "TLS %p received underlength "
                                       "extension\n", tls );
                                DBGC_HD ( tls, data, len );
                                return -EINVAL_HELLO;
                        }

                        /* Record known extensions */
                        switch ( ext->type ) {
                        case htons ( TLS_RENEGOTIATION_INFO ) :
                                reneg = ( ( void * ) ext->data );
                                if ( ( sizeof ( *reneg ) > ext_len ) ||
                                     ( reneg->len >
                                       ( ext_len - sizeof ( *reneg ) ) ) ) {
                                        DBGC ( tls, "TLS %p received "
                                               "underlength renegotiation "
                                               "info\n", tls );
                                        DBGC_HD ( tls, data, len );
                                        return -EINVAL_HELLO;
                                }
                                break;
                        case htons ( TLS_EXTENDED_MASTER_SECRET ) :
                                ems = ( ( void * ) ext->data );
                                break;
                        }
                }
        }

        /* Check and store protocol version */
        version = ntohs ( hello_a->version );
        if ( version < TLS_VERSION_MIN ) {
                DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
                       tls, ( version >> 8 ), ( version & 0xff ) );
                return -ENOTSUP_VERSION;
        }
        if ( version > tls->version ) {
                DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
                       "protocol version %d.%d\n",
                       tls, ( version >> 8 ), ( version & 0xff ) );
                return -EPROTO_VERSION;
        }
        tls->version = version;
        DBGC ( tls, "TLS %p using protocol version %d.%d\n",
               tls, ( version >> 8 ), ( version & 0xff ) );

        /* Select cipher suite */
        if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
                return rc;

        /* Add preceding Client Hello to handshake digest */
        if ( ( rc = tls_client_hello ( tls, tls_add_handshake ) ) != 0 )
                return rc;

        /* Copy out server random bytes */
        memcpy ( &tls->server.random, &hello_a->random,
                 sizeof ( tls->server.random ) );

        /* Handle extended master secret */
        tls->extended_master_secret = ( !! ems );

        /* Check session ID */
        if ( hello_a->session_id_len &&
             ( hello_a->session_id_len == tls->session_id_len ) &&
             ( memcmp ( session_id, tls->session_id,
                        tls->session_id_len ) == 0 ) ) {

                /* Session ID match: reuse master secret */
                DBGC ( tls, "TLS %p resuming session ID:\n", tls );
                DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
                if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
                        return rc;

                /* Ensure master secret generation method matches */
                if ( tls->extended_master_secret !=
                     tls->session->extended_master_secret ) {
                        DBGC ( tls, "TLS %p mismatched extended master secret "
                               "extension\n", tls );
                        return -EPERM_EMS;
                }

        } else {

                /* Record new session ID, if present */
                if ( hello_a->session_id_len &&
                     ( hello_a->session_id_len <= sizeof ( tls->session_id ))){
                        tls->session_id_len = hello_a->session_id_len;
                        memcpy ( tls->session_id, session_id,
                                 tls->session_id_len );
                        DBGC ( tls, "TLS %p new session ID:\n", tls );
                        DBGC_HDA ( tls, 0, tls->session_id,
                                   tls->session_id_len );
                }
        }

        /* Handle secure renegotiation */
        if ( tls->secure_renegotiation ) {

                /* Secure renegotiation is expected; verify data */
                if ( ( reneg == NULL ) ||
                     ( reneg->len != sizeof ( tls->verify ) ) ||
                     ( memcmp ( reneg->data, &tls->verify,
                                sizeof ( tls->verify ) ) != 0 ) ) {
                        DBGC ( tls, "TLS %p server failed secure "
                               "renegotiation\n", tls );
                        return -EPERM_RENEG_VERIFY;
                }

        } else if ( reneg != NULL ) {

                /* Secure renegotiation is being enabled */
                if ( reneg->len != 0 ) {
                        DBGC ( tls, "TLS %p server provided non-empty initial "
                               "renegotiation\n", tls );
                        return -EPERM_RENEG_VERIFY;
                }
                tls->secure_renegotiation = 1;
        }

        return 0;
}

References __attribute__, data, DBGC, DBGC_HD, DBGC_HDA, EINVAL_HELLO, ENOTSUP_VERSION, EPERM_EMS, EPERM_RENEG_VERIFY, EPROTO_VERSION, ext, tls_session::extended_master_secret, tls_connection::extended_master_secret, htons, len, memcmp(), memcpy(), next, ntohs, NULL, random(), tls_server::random, rc, tls_connection::secure_renegotiation, tls_connection::server, tls_connection::session, tls_connection::session_id, tls_connection::session_id_len, tls_add_handshake(), tls_client_hello(), TLS_EXTENDED_MASTER_SECRET, tls_generate_keys(), TLS_RENEGOTIATION_INFO, tls_select_cipher(), TLS_VERSION_MIN, type, tls_connection::verify, tls_connection::version, and version.

Referenced by tls_new_handshake().

tls_new_session_ticket()

static int tls_new_session_ticket ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Receive New Session Ticket handshake record.

Parameters

tls	TLS connection
data	Plaintext handshake record
len	Length of plaintext handshake record

Return values

rc	Return status code

Definition at line 2318 of file tls.c.

                                                                   {
        const struct {
                uint32_t lifetime;
                uint16_t len;
                uint8_t ticket[0];
        } __attribute__ (( packed )) *new_session_ticket = data;
        size_t ticket_len;

        /* Parse header */
        if ( sizeof ( *new_session_ticket ) > len ) {
                DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
                       tls );
                DBGC_HD ( tls, data, len );
                return -EINVAL_TICKET;
        }
        ticket_len = ntohs ( new_session_ticket->len );
        if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
                DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
                       tls );
                DBGC_HD ( tls, data, len );
                return -EINVAL_TICKET;
        }

        /* Free any unapplied new session ticket */
        free ( tls->new_session_ticket );
        tls->new_session_ticket = NULL;
        tls->new_session_ticket_len = 0;

        /* Record ticket */
        tls->new_session_ticket = malloc ( ticket_len );
        if ( ! tls->new_session_ticket )
                return -ENOMEM;
        memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
                 ticket_len );
        tls->new_session_ticket_len = ticket_len;
        DBGC ( tls, "TLS %p new session ticket:\n", tls );
        DBGC_HDA ( tls, 0, tls->new_session_ticket,
                   tls->new_session_ticket_len );

        return 0;
}

References __attribute__, data, DBGC, DBGC_HD, DBGC_HDA, EINVAL_TICKET, ENOMEM, free, len, lifetime, malloc(), memcpy(), tls_connection::new_session_ticket, tls_connection::new_session_ticket_len, ntohs, and NULL.

Referenced by tls_new_handshake().

tls_parse_chain()

static int tls_parse_chain ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Parse certificate chain.

Parameters

tls	TLS connection
data	Certificate chain
len	Length of certificate chain

Return values

rc	Return status code

Definition at line 2369 of file tls.c.

                                                            {
        size_t remaining = len;
        int rc;

        /* Free any existing certificate chain */
        memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
        x509_chain_put ( tls->server.chain );
        tls->server.chain = NULL;

        /* Create certificate chain */
        tls->server.chain = x509_alloc_chain();
        if ( ! tls->server.chain ) {
                rc = -ENOMEM_CHAIN;
                goto err_alloc_chain;
        }

        /* Add certificates to chain */
        while ( remaining ) {
                const struct {
                        tls24_t length;
                        uint8_t data[0];
                } __attribute__ (( packed )) *certificate = data;
                size_t certificate_len;
                size_t record_len;
                struct x509_certificate *cert;

                /* Parse header */
                if ( sizeof ( *certificate ) > remaining ) {
                        DBGC ( tls, "TLS %p underlength certificate:\n", tls );
                        DBGC_HDA ( tls, 0, data, remaining );
                        rc = -EINVAL_CERTIFICATE;
                        goto err_underlength;
                }
                certificate_len = tls_uint24 ( &certificate->length );
                if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
                        DBGC ( tls, "TLS %p overlength certificate:\n", tls );
                        DBGC_HDA ( tls, 0, data, remaining );
                        rc = -EINVAL_CERTIFICATE;
                        goto err_overlength;
                }
                record_len = ( sizeof ( *certificate ) + certificate_len );

                /* Add certificate to chain */
                if ( ( rc = x509_append_raw ( tls->server.chain,
                                              certificate->data,
                                              certificate_len ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not append certificate: %s\n",
                               tls, strerror ( rc ) );
                        DBGC_HDA ( tls, 0, data, remaining );
                        goto err_parse;
                }
                cert = x509_last ( tls->server.chain );
                DBGC ( tls, "TLS %p found certificate %s\n",
                       tls, x509_name ( cert ) );

                /* Move to next certificate in list */
                data += record_len;
                remaining -= record_len;
        }

        return 0;

 err_parse:
 err_overlength:
 err_underlength:
        memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
        x509_chain_put ( tls->server.chain );
        tls->server.chain = NULL;
 err_alloc_chain:
        return rc;
}

References __attribute__, tls_server::chain, data, DBGC, DBGC_HDA, EINVAL_CERTIFICATE, ENOMEM_CHAIN, tls_server::key, len, length, memset(), NULL, rc, tls_connection::server, strerror(), tls_uint24(), x509_alloc_chain(), x509_append_raw(), x509_chain_put(), x509_last(), and x509_name().

Referenced by tls_new_certificate().

tls_new_certificate()

static int tls_new_certificate ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Receive new Certificate handshake record.

Parameters

tls	TLS connection
data	Plaintext handshake record
len	Length of plaintext handshake record

Return values

rc	Return status code

Definition at line 2450 of file tls.c.

                                                                {
        const struct {
                tls24_t length;
                uint8_t certificates[0];
        } __attribute__ (( packed )) *certificate = data;
        size_t certificates_len;
        int rc;

        /* Parse header */
        if ( sizeof ( *certificate ) > len ) {
                DBGC ( tls, "TLS %p received underlength Server Certificate\n",
                       tls );
                DBGC_HD ( tls, data, len );
                return -EINVAL_CERTIFICATES;
        }
        certificates_len = tls_uint24 ( &certificate->length );
        if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
                DBGC ( tls, "TLS %p received overlength Server Certificate\n",
                       tls );
                DBGC_HD ( tls, data, len );
                return -EINVAL_CERTIFICATES;
        }

        /* Parse certificate chain */
        if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
                                      certificates_len ) ) != 0 )
                return rc;

        return 0;
}

References __attribute__, data, DBGC, DBGC_HD, EINVAL_CERTIFICATES, len, length, rc, tls_parse_chain(), and tls_uint24().

Referenced by tls_new_handshake().

tls_new_server_key_exchange()

static int tls_new_server_key_exchange ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Receive new Server Key Exchange handshake record.

Parameters

tls	TLS connection
data	Plaintext handshake record
len	Length of plaintext handshake record

Return values

rc	Return status code

Definition at line 2490 of file tls.c.

                                                                        {

        /* Free any existing server key exchange record */
        free ( tls->server.exchange );
        tls->server.exchange_len = 0;

        /* Allocate copy of server key exchange record */
        tls->server.exchange = malloc ( len );
        if ( ! tls->server.exchange )
                return -ENOMEM;

        /* Store copy of server key exchange record for later
         * processing.  We cannot verify the signature at this point
         * since the certificate validation will not yet have
         * completed.
         */
        memcpy ( tls->server.exchange, data, len );
        tls->server.exchange_len = len;

        return 0;
}

References data, ENOMEM, tls_server::exchange, tls_server::exchange_len, free, len, malloc(), memcpy(), and tls_connection::server.

Referenced by tls_new_handshake().

tls_new_certificate_request()

static int tls_new_certificate_request ( struct tls_connection *  tls, const void *data  __unused, size_t len  __unused  )

static

Receive new Certificate Request handshake record.

Parameters

tls	TLS connection
data	Plaintext handshake record
len	Length of plaintext handshake record

Return values

rc	Return status code

Definition at line 2521 of file tls.c.

                                                               {
        struct x509_certificate *cert;
        int rc;

        /* We can only send a single certificate, so there is no point
         * in parsing the Certificate Request.
         */

        /* Free any existing client certificate chain */
        x509_chain_put ( tls->client.chain );
        tls->client.chain = NULL;

        /* Create client certificate chain */
        tls->client.chain = x509_alloc_chain();
        if ( ! tls->client.chain ) {
                rc = -ENOMEM;
                goto err_alloc;
        }

        /* Determine client certificate to be sent, if any */
        cert = x509_find_key ( NULL, tls->client.key );
        if ( cert ) {
                DBGC ( tls, "TLS %p selected client certificate %s\n",
                       tls, x509_name ( cert ) );

                /* Append client certificate to chain */
                if ( ( rc = x509_append ( tls->client.chain, cert ) ) != 0 )
                        goto err_append;

                /* Append any relevant issuer certificates */
                if ( ( rc = x509_auto_append ( tls->client.chain,
                                               &certstore ) ) != 0 )
                        goto err_auto_append;
        } else {

                /* Send an empty certificate chain */
                DBGC ( tls, "TLS %p could not find certificate corresponding "
                       "to private key\n", tls );
        }

        return 0;

 err_auto_append:
 err_append:
        x509_chain_put ( tls->client.chain );
        tls->client.chain = NULL;
 err_alloc:
        return rc;
}

References certstore, tls_client::chain, tls_connection::client, DBGC, ENOMEM, tls_client::key, NULL, rc, x509_alloc_chain(), x509_append(), x509_auto_append(), x509_chain_put(), x509_find_key(), and x509_name().

Referenced by tls_new_handshake().

tls_new_server_hello_done()

static int tls_new_server_hello_done ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Receive new Server Hello Done handshake record.

Parameters

tls	TLS connection
data	Plaintext handshake record
len	Length of plaintext handshake record

Return values

rc	Return status code

Definition at line 2581 of file tls.c.

                                                                      {
        const struct {
                char next[0];
        } __attribute__ (( packed )) *hello_done = data;
        int rc;

        /* Sanity check */
        if ( sizeof ( *hello_done ) != len ) {
                DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
                       tls );
                DBGC_HD ( tls, data, len );
                return -EINVAL_HELLO_DONE;
        }

        /* Begin certificate validation */
        if ( ( rc = create_validator ( &tls->server.validator,
                                       tls->server.chain,
                                       tls->server.root ) ) != 0 ) {
                DBGC ( tls, "TLS %p could not start certificate validation: "
                       "%s\n", tls, strerror ( rc ) );
                return rc;
        }
        pending_get ( &tls->server.validation );

        return 0;
}

References __attribute__, tls_server::chain, create_validator(), data, DBGC, DBGC_HD, EINVAL_HELLO_DONE, len, next, pending_get(), rc, tls_server::root, tls_connection::server, strerror(), tls_server::validation, and tls_server::validator.

Referenced by tls_new_handshake().

tls_new_finished()

static int tls_new_finished ( struct tls_connection *  tls, const void *  data, size_t  len  )

static

Receive new Finished handshake record.

Parameters

tls	TLS connection
data	Plaintext handshake record
len	Length of plaintext handshake record

Return values

rc	Return status code

Definition at line 2617 of file tls.c.

                                                             {
        struct tls_session *session = tls->session;
        struct digest_algorithm *digest = tls->handshake_digest;
        const struct {
                uint8_t verify_data[ sizeof ( tls->verify.server ) ];
                char next[0];
        } __attribute__ (( packed )) *finished = data;
        uint8_t digest_out[ digest->digestsize ];

        /* Sanity check */
        if ( sizeof ( *finished ) != len ) {
                DBGC ( tls, "TLS %p received overlength Finished\n", tls );
                DBGC_HD ( tls, data, len );
                return -EINVAL_FINISHED;
        }

        /* Verify data */
        tls_verify_handshake ( tls, digest_out );
        tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
                        tls->verify.server, sizeof ( tls->verify.server ),
                        "server finished", digest_out, sizeof ( digest_out ) );
        if ( memcmp ( tls->verify.server, finished->verify_data,
                      sizeof ( tls->verify.server ) ) != 0 ) {
                DBGC ( tls, "TLS %p verification failed\n", tls );
                return -EPERM_VERIFY;
        }

        /* Mark server as finished */
        pending_put ( &tls->server.negotiation );

        /* If we are resuming a session (i.e. if the server Finished
         * arrives before the client Finished is sent), then schedule
         * transmission of Change Cipher and Finished.
         */
        if ( is_pending ( &tls->client.negotiation ) ) {
                tls->tx.pending |= ( TLS_TX_CHANGE_CIPHER | TLS_TX_FINISHED );
                tls_tx_resume ( tls );
        }

        /* Record session ID, ticket, and master secret, if applicable */
        if ( tls->session_id_len || tls->new_session_ticket_len ) {
                memcpy ( session->master_secret, tls->master_secret,
                         sizeof ( session->master_secret ) );
                session->extended_master_secret = tls->extended_master_secret;
        }
        if ( tls->session_id_len ) {
                session->id_len = tls->session_id_len;
                memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
        }
        if ( tls->new_session_ticket_len ) {
                free ( session->ticket );
                session->ticket = tls->new_session_ticket;
                session->ticket_len = tls->new_session_ticket_len;
                tls->new_session_ticket = NULL;
                tls->new_session_ticket_len = 0;
        }

        /* Move to end of session's connection list and allow other
         * connections to start making progress.
         */
        list_del ( &tls->list );
        list_add_tail ( &tls->list, &session->conn );
        tls_tx_resume_all ( session );

        /* Send notification of a window change */
        xfer_window_changed ( &tls->plainstream );

        return 0;
}

References __attribute__, tls_connection::client, tls_session::conn, data, DBGC, DBGC_HD, digest_algorithm::digestsize, EINVAL_FINISHED, EPERM_VERIFY, tls_session::extended_master_secret, tls_connection::extended_master_secret, free, tls_connection::handshake_digest, tls_session::id, tls_session::id_len, is_pending(), len, tls_connection::list, list_add_tail, list_del, tls_session::master_secret, tls_connection::master_secret, memcmp(), memcpy(), tls_client::negotiation, tls_server::negotiation, tls_connection::new_session_ticket, tls_connection::new_session_ticket_len, next, NULL, tls_tx::pending, pending_put(), tls_connection::plainstream, tls_verify_data::server, tls_connection::server, tls_connection::session, tls_connection::session_id, tls_connection::session_id_len, tls_session::ticket, tls_session::ticket_len, tls_prf_label, TLS_TX_CHANGE_CIPHER, TLS_TX_FINISHED, tls_tx_resume(), tls_tx_resume_all(), tls_verify_handshake(), tls_connection::tx, tls_connection::verify, and xfer_window_changed().

Referenced by tls_new_handshake().

tls_new_handshake()

static int tls_new_handshake ( struct tls_connection *  tls, struct io_buffer *  iobuf  )

static

Receive new Handshake record.

Parameters

tls	TLS connection
iobuf	I/O buffer

Return values

rc	Return status code

Definition at line 2695 of file tls.c.

                                                         {
        size_t remaining;
        int rc;

        while ( ( remaining = iob_len ( iobuf ) ) ) {
                const struct {
                        uint8_t type;
                        tls24_t length;
                        uint8_t payload[0];
                } __attribute__ (( packed )) *handshake = iobuf->data;
                const void *payload;
                size_t payload_len;
                size_t record_len;

                /* Parse header */
                if ( sizeof ( *handshake ) > remaining ) {
                        /* Leave remaining fragment unconsumed */
                        break;
                }
                payload_len = tls_uint24 ( &handshake->length );
                if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
                        /* Leave remaining fragment unconsumed */
                        break;
                }
                payload = &handshake->payload;
                record_len = ( sizeof ( *handshake ) + payload_len );

                /* Handle payload */
                switch ( handshake->type ) {
                case TLS_HELLO_REQUEST:
                        rc = tls_new_hello_request ( tls, payload,
                                                     payload_len );
                        break;
                case TLS_SERVER_HELLO:
                        rc = tls_new_server_hello ( tls, payload, payload_len );
                        break;
                case TLS_NEW_SESSION_TICKET:
                        rc = tls_new_session_ticket ( tls, payload,
                                                      payload_len );
                        break;
                case TLS_CERTIFICATE:
                        rc = tls_new_certificate ( tls, payload, payload_len );
                        break;
                case TLS_SERVER_KEY_EXCHANGE:
                        rc = tls_new_server_key_exchange ( tls, payload,
                                                           payload_len );
                        break;
                case TLS_CERTIFICATE_REQUEST:
                        rc = tls_new_certificate_request ( tls, payload,
                                                           payload_len );
                        break;
                case TLS_SERVER_HELLO_DONE:
                        rc = tls_new_server_hello_done ( tls, payload,
                                                         payload_len );
                        break;
                case TLS_FINISHED:
                        rc = tls_new_finished ( tls, payload, payload_len );
                        break;
                default:
                        DBGC ( tls, "TLS %p ignoring handshake type %d\n",
                               tls, handshake->type );
                        rc = 0;
                        break;
                }

                /* Add to handshake digest (except for Hello Requests,
                 * which are explicitly excluded).
                 */
                if ( handshake->type != TLS_HELLO_REQUEST )
                        tls_add_handshake ( tls, handshake, record_len );

                /* Abort on failure */
                if ( rc != 0 )
                        return rc;

                /* Move to next handshake record */
                iob_pull ( iobuf, record_len );
        }

        return 0;
}

References __attribute__, io_buffer::data, DBGC, iob_len(), iob_pull, length, rc, tls_add_handshake(), TLS_CERTIFICATE, TLS_CERTIFICATE_REQUEST, TLS_FINISHED, TLS_HELLO_REQUEST, tls_new_certificate(), tls_new_certificate_request(), tls_new_finished(), tls_new_hello_request(), tls_new_server_hello(), tls_new_server_hello_done(), tls_new_server_key_exchange(), TLS_NEW_SESSION_TICKET, tls_new_session_ticket(), TLS_SERVER_HELLO, TLS_SERVER_HELLO_DONE, TLS_SERVER_KEY_EXCHANGE, tls_uint24(), and type.

Referenced by tls_new_record().

tls_new_unknown()

static int tls_new_unknown ( struct tls_connection *tls  __unused, struct io_buffer *  iobuf  )

static

Receive new unknown record.

Parameters

tls	TLS connection
iobuf	I/O buffer

Return values

rc	Return status code

Definition at line 2785 of file tls.c.

                                                       {

        /* RFC4346 says that we should just ignore unknown record types */
        iob_pull ( iobuf, iob_len ( iobuf ) );
        return 0;
}

References iob_len(), and iob_pull.

Referenced by tls_new_record().

tls_new_data()

static int tls_new_data ( struct tls_connection *  tls, struct list_head *  rx_data  )

static

Receive new data record.

Parameters

tls	TLS connection
rx_data	List of received data buffers

Return values

rc	Return status code

Definition at line 2800 of file tls.c.

                                                      {
        struct io_buffer *iobuf;
        int rc;

        /* Fail unless we are ready to receive data */
        if ( ! tls_ready ( tls ) )
                return -ENOTCONN;

        /* Deliver each I/O buffer in turn */
        while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
                                             list ) ) ) {
                list_del ( &iobuf->list );
                if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
                                               iobuf ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not deliver data: "
                               "%s\n", tls, strerror ( rc ) );
                        return rc;
                }
        }

        return 0;
}

References DBGC, ENOTCONN, io_buffer::list, list_del, list_first_entry, tls_connection::plainstream, rc, strerror(), tls_ready(), and xfer_deliver_iob().

Referenced by tls_new_record().

tls_new_record()

static int tls_new_record ( struct tls_connection *  tls, unsigned int  type, struct list_head *  rx_data  )

static

Receive new record.

Parameters

tls	TLS connection
type	Record type
rx_data	List of received data buffers

Return values

rc	Return status code

Definition at line 2832 of file tls.c.

                                                        {
        int ( * handler ) ( struct tls_connection *tls,
                            struct io_buffer *iobuf );
        struct io_buffer *tmp = NULL;
        struct io_buffer **iobuf;
        int rc;

        /* Deliver data records as-is to the plainstream interface */
        if ( type == TLS_TYPE_DATA )
                return tls_new_data ( tls, rx_data );

        /* Determine handler and fragment buffer */
        iobuf = &tmp;
        switch ( type ) {
        case TLS_TYPE_CHANGE_CIPHER:
                handler = tls_new_change_cipher;
                break;
        case TLS_TYPE_ALERT:
                handler = tls_new_alert;
                break;
        case TLS_TYPE_HANDSHAKE:
                handler = tls_new_handshake;
                iobuf = &tls->rx.handshake;
                break;
        default:
                DBGC ( tls, "TLS %p unknown record type %d\n", tls, type );
                handler = tls_new_unknown;
                break;
        }

        /* Merge into a single I/O buffer */
        if ( *iobuf )
                list_add ( &(*iobuf)->list, rx_data );
        *iobuf = iob_concatenate ( rx_data );
        if ( ! *iobuf ) {
                DBGC ( tls, "TLS %p could not concatenate non-data record "
                       "type %d\n", tls, type );
                rc = -ENOMEM_RX_CONCAT;
                goto err_concatenate;
        }

        /* Handle record */
        if ( ( rc = handler ( tls, *iobuf ) ) != 0 )
                goto err_handle;

        /* Discard I/O buffer if empty */
        if ( ! iob_len ( *iobuf ) ) {
                free_iob ( *iobuf );
                *iobuf = NULL;
        }

        /* Sanity check */
        assert ( tmp == NULL );

        return 0;

 err_handle:
        free_iob ( *iobuf );
        *iobuf = NULL;
 err_concatenate:
        return rc;
}

References assert(), DBGC, ENOMEM_RX_CONCAT, free_iob(), tls_rx::handshake, iob_concatenate(), iob_len(), list_add, NULL, rc, tls_connection::rx, tls_new_alert(), tls_new_change_cipher(), tls_new_data(), tls_new_handshake(), tls_new_unknown(), TLS_TYPE_ALERT, TLS_TYPE_CHANGE_CIPHER, TLS_TYPE_DATA, TLS_TYPE_HANDSHAKE, tmp, and type.

Referenced by tls_new_ciphertext().

tls_hmac_init()

static void tls_hmac_init ( struct tls_cipherspec *  cipherspec, void *  ctx, struct tls_auth_header *  authhdr  )

static

Initialise HMAC.

Parameters

cipherspec	Cipher specification
ctx	Context
authhdr	Authentication header

Definition at line 2910 of file tls.c.

                                                              {
        struct tls_cipher_suite *suite = cipherspec->suite;
        struct digest_algorithm *digest = suite->digest;

        hmac_init ( digest, ctx, cipherspec->mac_secret, suite->mac_len );
        hmac_update ( digest, ctx, authhdr, sizeof ( *authhdr ) );
}

References ctx, tls_cipher_suite::digest, hmac_init(), hmac_update(), tls_cipher_suite::mac_len, tls_cipherspec::mac_secret, and tls_cipherspec::suite.

Referenced by tls_hmac(), and tls_hmac_list().

tls_hmac_update()

static void tls_hmac_update ( struct tls_cipherspec *  cipherspec, void *  ctx, const void *  data, size_t  len  )

static

Update HMAC.

Parameters

cipherspec	Cipher specification
ctx	Context
data	Data
len	Length of data

Definition at line 2927 of file tls.c.

                                                             {
        struct digest_algorithm *digest = cipherspec->suite->digest;

        hmac_update ( digest, ctx, data, len );
}

References ctx, data, tls_cipher_suite::digest, hmac_update(), len, and tls_cipherspec::suite.

Referenced by tls_hmac(), and tls_hmac_list().

tls_hmac_final()

static void tls_hmac_final ( struct tls_cipherspec *  cipherspec, void *  ctx, void *  hmac  )

static

Finalise HMAC.

Parameters

cipherspec	Cipher specification
ctx	Context
mac	HMAC to fill in

Definition at line 2941 of file tls.c.

                                          {
        struct digest_algorithm *digest = cipherspec->suite->digest;

        hmac_final ( digest, ctx, hmac );
}

References ctx, tls_cipher_suite::digest, hmac_final(), and tls_cipherspec::suite.

Referenced by tls_hmac(), and tls_hmac_list().

tls_hmac()

static void tls_hmac ( struct tls_cipherspec *  cipherspec, struct tls_auth_header *  authhdr, const void *  data, size_t  len, void *  hmac  )

static

Calculate HMAC.

Parameters

cipherspec	Cipher specification
authhdr	Authentication header
data	Data
len	Length of data
mac	HMAC to fill in

Definition at line 2957 of file tls.c.

                                                                  {
        struct digest_algorithm *digest = cipherspec->suite->digest;
        uint8_t ctx[ hmac_ctxsize ( digest ) ];

        tls_hmac_init ( cipherspec, ctx, authhdr );
        tls_hmac_update ( cipherspec, ctx, data, len );
        tls_hmac_final ( cipherspec, ctx, hmac );
}

References ctx, data, tls_cipher_suite::digest, hmac_ctxsize(), len, tls_cipherspec::suite, tls_hmac_final(), tls_hmac_init(), and tls_hmac_update().

Referenced by tls_send_record().

tls_hmac_list()

static void tls_hmac_list ( struct tls_cipherspec *  cipherspec, struct tls_auth_header *  authhdr, struct list_head *  list, void *  hmac  )

static

Calculate HMAC over list of I/O buffers.

Parameters

cipherspec	Cipher specification
authhdr	Authentication header
list	List of I/O buffers
mac	HMAC to fill in

Definition at line 2976 of file tls.c.

                                                                 {
        struct digest_algorithm *digest = cipherspec->suite->digest;
        uint8_t ctx[ hmac_ctxsize ( digest ) ];
        struct io_buffer *iobuf;

        tls_hmac_init ( cipherspec, ctx, authhdr );
        list_for_each_entry ( iobuf, list, list ) {
                tls_hmac_update ( cipherspec, ctx, iobuf->data,
                                  iob_len ( iobuf ) );
        }
        tls_hmac_final ( cipherspec, ctx, hmac );
}

References ctx, io_buffer::data, tls_cipher_suite::digest, hmac_ctxsize(), iob_len(), io_buffer::list, list_for_each_entry, tls_cipherspec::suite, tls_hmac_final(), tls_hmac_init(), and tls_hmac_update().

Referenced by tls_new_ciphertext().

tls_iob_reserved()

static size_t tls_iob_reserved ( struct tls_connection *  tls, size_t  len  )

static

Calculate maximum additional length required for transmitted record(s)

Parameters

tls	TLS connection
len	I/O buffer payload length

Return values

reserve

Maximum additional length to reserve

Definition at line 2998 of file tls.c.

                                                                          {
        struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
        struct tls_cipher_suite *suite = cipherspec->suite;
        struct cipher_algorithm *cipher = suite->cipher;
        struct tls_header *tlshdr;
        unsigned int count;
        size_t each;

        /* Calculate number of records (allowing for zero-length records) */
        count = ( len ? ( ( len + TLS_TX_BUFSIZE - 1 ) / TLS_TX_BUFSIZE ) : 1 );

        /* Calculate maximum additional length per record */
        each = ( sizeof ( *tlshdr ) + suite->record_iv_len + suite->mac_len +
                 ( is_block_cipher ( cipher ) ? cipher->blocksize : 0 ) +
                 cipher->authsize );

        /* Calculate maximum total additional length */
        return ( count * each );
}

References tls_cipherspec_pair::active, cipher_algorithm::authsize, cipher_algorithm::blocksize, tls_cipher_suite::cipher, tls_tx::cipherspec, count, is_block_cipher(), len, tls_cipher_suite::mac_len, tls_cipher_suite::record_iv_len, tls_cipherspec::suite, TLS_TX_BUFSIZE, and tls_connection::tx.

Referenced by tls_alloc_iob(), and tls_send_record().

tls_verify_padding()

static int tls_verify_padding ( struct tls_connection *  tls, struct io_buffer *  iobuf  )

static

Verify block padding.

Parameters

tls	TLS connection
iobuf	Last received I/O buffer

Return values

len	Padding length, or negative error
rc	Return status code

Definition at line 3221 of file tls.c.

                                                          {
        uint8_t *padding;
        unsigned int pad;
        unsigned int i;
        size_t len;

        /* Extract and verify padding */
        padding = ( iobuf->tail - 1 );
        pad = *padding;
        len = ( pad + 1 );
        if ( len > iob_len ( iobuf ) ) {
                DBGC ( tls, "TLS %p received underlength padding\n", tls );
                DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
                return -EINVAL_PADDING;
        }
        for ( i = 0 ; i < pad ; i++ ) {
                if ( *(--padding) != pad ) {
                        DBGC ( tls, "TLS %p received bad padding\n", tls );
                        DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
                        return -EINVAL_PADDING;
                }
        }

        return len;
}

References io_buffer::data, DBGC, DBGC_HD, EINVAL_PADDING, iob_len(), len, pad, and io_buffer::tail.

Referenced by tls_new_ciphertext().

tls_new_ciphertext()

static int tls_new_ciphertext ( struct tls_connection *  tls, struct tls_header *  tlshdr, struct list_head *  rx_data  )

static

Receive new ciphertext record.

Parameters

tls	TLS connection
tlshdr	Record header
rx_data	List of received data buffers

Return values

rc	Return status code

Definition at line 3256 of file tls.c.

                                                            {
        struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
        struct tls_cipher_suite *suite = cipherspec->suite;
        struct cipher_algorithm *cipher = suite->cipher;
        struct digest_algorithm *digest = suite->digest;
        size_t len = ntohs ( tlshdr->length );
        struct {
                uint8_t fixed[suite->fixed_iv_len];
                uint8_t record[suite->record_iv_len];
        } __attribute__ (( packed )) iv;
        struct tls_auth_header authhdr;
        uint8_t verify_mac[digest->digestsize];
        uint8_t verify_auth[cipher->authsize];
        struct io_buffer *first;
        struct io_buffer *last;
        struct io_buffer *iobuf;
        void *mac;
        void *auth;
        size_t check_len;
        int pad_len;
        int rc;

        /* Locate first and last data buffers */
        assert ( ! list_empty ( rx_data ) );
        first = list_first_entry ( rx_data, struct io_buffer, list );
        last = list_last_entry ( rx_data, struct io_buffer, list );

        /* Extract initialisation vector */
        if ( iob_len ( first ) < sizeof ( iv.record ) ) {
                DBGC ( tls, "TLS %p received underlength IV\n", tls );
                DBGC_HD ( tls, first->data, iob_len ( first ) );
                return -EINVAL_IV;
        }
        memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
        memcpy ( iv.record, first->data, sizeof ( iv.record ) );
        iob_pull ( first, sizeof ( iv.record ) );
        len -= sizeof ( iv.record );

        /* Extract unencrypted authentication tag */
        if ( iob_len ( last ) < cipher->authsize ) {
                DBGC ( tls, "TLS %p received underlength authentication tag\n",
                       tls );
                DBGC_HD ( tls, last->data, iob_len ( last ) );
                return -EINVAL_MAC;
        }
        iob_unput ( last, cipher->authsize );
        len -= cipher->authsize;
        auth = last->tail;

        /* Construct authentication data */
        authhdr.seq = cpu_to_be64 ( tls->rx.seq );
        authhdr.header.type = tlshdr->type;
        authhdr.header.version = tlshdr->version;
        authhdr.header.length = htons ( len );

        /* Set initialisation vector */
        cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );

        /* Process authentication data, if applicable */
        if ( is_auth_cipher ( cipher ) ) {
                cipher_decrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
                                 NULL, sizeof ( authhdr ) );
        }

        /* Decrypt the received data */
        check_len = 0;
        list_for_each_entry ( iobuf, &tls->rx.data, list ) {
                cipher_decrypt ( cipher, cipherspec->cipher_ctx,
                                 iobuf->data, iobuf->data, iob_len ( iobuf ) );
                check_len += iob_len ( iobuf );
        }
        assert ( check_len == len );

        /* Strip block padding, if applicable */
        if ( is_block_cipher ( cipher ) ) {
                pad_len = tls_verify_padding ( tls, last );
                if ( pad_len < 0 ) {
                        /* Assume zero padding length to avoid timing attacks */
                        pad_len = 0;
                }
                iob_unput ( last, pad_len );
                len -= pad_len;
        }

        /* Extract decrypted MAC */
        if ( iob_len ( last ) < suite->mac_len ) {
                DBGC ( tls, "TLS %p received underlength MAC\n", tls );
                DBGC_HD ( tls, last->data, iob_len ( last ) );
                return -EINVAL_MAC;
        }
        iob_unput ( last, suite->mac_len );
        len -= suite->mac_len;
        mac = last->tail;

        /* Dump received data */
        DBGC2 ( tls, "Received plaintext data:\n" );
        check_len = 0;
        list_for_each_entry ( iobuf, rx_data, list ) {
                DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
                check_len += iob_len ( iobuf );
        }
        assert ( check_len == len );

        /* Generate MAC */
        authhdr.header.length = htons ( len );
        if ( suite->mac_len )
                tls_hmac_list ( cipherspec, &authhdr, rx_data, verify_mac );

        /* Generate authentication tag */
        cipher_auth ( cipher, cipherspec->cipher_ctx, verify_auth );

        /* Verify MAC */
        if ( memcmp ( mac, verify_mac, suite->mac_len ) != 0 ) {
                DBGC ( tls, "TLS %p failed MAC verification\n", tls );
                return -EINVAL_MAC;
        }

        /* Verify authentication tag */
        if ( memcmp ( auth, verify_auth, cipher->authsize ) != 0 ) {
                DBGC ( tls, "TLS %p failed authentication tag verification\n",
                       tls );
                return -EINVAL_MAC;
        }

        /* Process plaintext record */
        if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
                return rc;

        return 0;
}

References __attribute__, tls_cipherspec_pair::active, assert(), cipher_algorithm::authsize, tls_cipher_suite::cipher, cipher_auth(), tls_cipherspec::cipher_ctx, cipher_decrypt, cipher_setiv(), tls_rx::cipherspec, cpu_to_be64, io_buffer::data, tls_rx::data, DBGC, DBGC2, DBGC2_HD, DBGC_HD, tls_cipher_suite::digest, digest_algorithm::digestsize, EINVAL_IV, EINVAL_MAC, first, fixed, tls_cipherspec::fixed_iv, tls_cipher_suite::fixed_iv_len, tls_auth_header::header, htons, iob_len(), iob_pull, iob_unput, is_auth_cipher(), is_block_cipher(), iv, len, tls_header::length, io_buffer::list, list_empty, list_first_entry, list_for_each_entry, list_last_entry, mac, tls_cipher_suite::mac_len, memcmp(), memcpy(), ntohs, NULL, pad_len, rc, tls_cipher_suite::record_iv_len, tls_connection::rx, tls_auth_header::seq, tls_rx::seq, tls_cipherspec::suite, io_buffer::tail, tls_hmac_list(), tls_new_record(), tls_verify_padding(), tls_header::type, and tls_header::version.

Referenced by tls_newdata_process_data().

tls_plainstream_window()

static size_t tls_plainstream_window ( struct tls_connection *  tls )

static

Check flow control window.

Parameters

tls	TLS connection

Return values

len	Length of window

Definition at line 3402 of file tls.c.

                                                                    {

        /* Block window unless we are ready to accept data */
        if ( ! tls_ready ( tls ) )
                return 0;

        return xfer_window ( &tls->cipherstream );
}

References tls_connection::cipherstream, tls_ready(), and xfer_window().

tls_plainstream_deliver()

static int tls_plainstream_deliver ( struct tls_connection *  tls, struct io_buffer *  iobuf, struct xfer_metadata *meta  __unused  )

static

Deliver datagram as raw data.

Parameters

tls	TLS connection
iobuf	I/O buffer
meta	Data transfer metadata

Return values

rc	Return status code

Definition at line 3419 of file tls.c.

                                                                           {
        int rc;
        
        /* Refuse unless we are ready to accept data */
        if ( ! tls_ready ( tls ) ) {
                rc = -ENOTCONN;
                goto done;
        }

        /* Send data record */
        if ( ( rc = tls_send_record ( tls, TLS_TYPE_DATA,
                                      iob_disown ( iobuf ) ) ) != 0 )
                goto done;

 done:
        free_iob ( iobuf );
        return rc;
}

References done, ENOTCONN, free_iob(), iob_disown, rc, tls_ready(), tls_send_record(), and TLS_TYPE_DATA.

tls_progress()

static int tls_progress ( struct tls_connection *  tls, struct job_progress *  progress  )

static

Report job progress.

Parameters

tls	TLS connection
progress	Progress report to fill in

Return values

ongoing_rc

Ongoing job status code (if known)

Definition at line 3447 of file tls.c.

                                                          {

        /* Return cipherstream or validator progress as applicable */
        if ( is_pending ( &tls->server.validation ) ) {
                return job_progress ( &tls->server.validator, progress );
        } else {
                return job_progress ( &tls->cipherstream, progress );
        }
}

References tls_connection::cipherstream, is_pending(), job_progress(), tls_connection::server, tls_server::validation, and tls_server::validator.

tls_newdata_process_header()

static int tls_newdata_process_header ( struct tls_connection *  tls )

static

Handle received TLS header.

Parameters

tls	TLS connection

Return values

rc	Returned status code

Definition at line 3487 of file tls.c.

                                                                     {
        struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
        struct cipher_algorithm *cipher = cipherspec->suite->cipher;
        size_t iv_len = cipherspec->suite->record_iv_len;
        size_t data_len = ntohs ( tls->rx.header.length );
        size_t remaining = data_len;
        size_t frag_len;
        size_t reserve;
        struct io_buffer *iobuf;
        struct io_buffer *tmp;
        int rc;

        /* Sanity check */
        assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );

        /* Calculate alignment reservation at start of first data buffer */
        reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
        remaining += reserve;

        /* Allocate data buffers now that we know the length */
        assert ( list_empty ( &tls->rx.data ) );
        while ( remaining ) {

                /* Calculate fragment length.  Ensure that no block is
                 * smaller than TLS_RX_MIN_BUFSIZE (by increasing the
                 * allocation length if necessary).
                 */
                frag_len = remaining;
                if ( frag_len > TLS_RX_BUFSIZE )
                        frag_len = TLS_RX_BUFSIZE;
                remaining -= frag_len;
                if ( remaining < TLS_RX_MIN_BUFSIZE ) {
                        frag_len += remaining;
                        remaining = 0;
                }

                /* Allocate buffer */
                iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
                if ( ! iobuf ) {
                        DBGC ( tls, "TLS %p could not allocate %zd of %zd "
                               "bytes for receive buffer\n", tls,
                               remaining, data_len );
                        rc = -ENOMEM_RX_DATA;
                        goto err;
                }

                /* Ensure tailroom is exactly what we asked for.  This
                 * will result in unaligned I/O buffers when the
                 * fragment length is unaligned, which can happen only
                 * before we switch to using a block cipher.
                 */
                iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );

                /* Ensure first buffer length will be aligned to a
                 * multiple of the cipher alignment size after
                 * stripping the record IV.
                 */
                iob_reserve ( iobuf, reserve );
                reserve = 0;

                /* Add I/O buffer to list */
                list_add_tail ( &iobuf->list, &tls->rx.data );
        }

        /* Move to data state */
        tls->rx.state = TLS_RX_DATA;

        return 0;

 err:
        list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
                list_del ( &iobuf->list );
                free_iob ( iobuf );
        }
        return rc;
}

References tls_cipherspec_pair::active, cipher_algorithm::alignsize, alloc_iob_raw(), assert(), tls_cipher_suite::cipher, tls_rx::cipherspec, tls_rx::data, data_len, DBGC, ENOMEM_RX_DATA, free_iob(), tls_rx::header, iob_reserve, iob_tailroom(), tls_header::length, io_buffer::list, list_add_tail, list_del, list_empty, list_for_each_entry_safe, ntohs, rc, tls_cipher_suite::record_iv_len, tls_connection::rx, tls_rx::state, tls_cipherspec::suite, TLS_RX_ALIGN, TLS_RX_BUFSIZE, TLS_RX_DATA, TLS_RX_MIN_BUFSIZE, and tmp.

Referenced by tls_cipherstream_deliver().

tls_newdata_process_data()

static int tls_newdata_process_data ( struct tls_connection *  tls )

static

Handle received TLS data payload.

Parameters

tls	TLS connection

Return values

rc	Returned status code

Definition at line 3570 of file tls.c.

                                                                   {
        struct io_buffer *iobuf;
        int rc;

        /* Move current buffer to end of list */
        iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
        list_del ( &iobuf->list );
        list_add_tail ( &iobuf->list, &tls->rx.data );

        /* Continue receiving data if any space remains */
        iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
        if ( iob_tailroom ( iobuf ) )
                return 0;

        /* Process record */
        if ( ( rc = tls_new_ciphertext ( tls, &tls->rx.header,
                                         &tls->rx.data ) ) != 0 )
                return rc;

        /* Increment RX sequence number */
        tls->rx.seq += 1;

        /* Return to header state */
        assert ( list_empty ( &tls->rx.data ) );
        tls->rx.state = TLS_RX_HEADER;
        iob_unput ( &tls->rx.iobuf, sizeof ( tls->rx.header ) );

        return 0;
}

References assert(), tls_rx::data, tls_rx::header, iob_tailroom(), iob_unput, tls_rx::iobuf, io_buffer::list, list_add_tail, list_del, list_empty, list_first_entry, rc, tls_connection::rx, tls_rx::seq, tls_rx::state, tls_new_ciphertext(), and TLS_RX_HEADER.

Referenced by tls_cipherstream_deliver().

tls_cipherstream_window()

static size_t tls_cipherstream_window ( struct tls_connection *  tls )

static

Check flow control window.

Parameters

tls	TLS connection

Return values

len	Length of window

Definition at line 3606 of file tls.c.

                                                                     {

        /* Open window until we are ready to accept data */
        if ( ! tls_ready ( tls ) )
                return -1UL;

        return xfer_window ( &tls->plainstream );
}

References tls_connection::plainstream, tls_ready(), and xfer_window().

tls_cipherstream_deliver()

static int tls_cipherstream_deliver ( struct tls_connection *  tls, struct io_buffer *  iobuf, struct xfer_metadata *xfer  __unused  )

static

Receive new ciphertext.

Parameters

tls	TLS connection
iobuf	I/O buffer
meta	Data transfer metadat

Return values

rc	Return status code

Definition at line 3623 of file tls.c.

                                                                            {
        size_t frag_len;
        int ( * process ) ( struct tls_connection *tls );
        struct io_buffer *dest;
        int rc;

        while ( iob_len ( iobuf ) ) {

                /* Select buffer according to current state */
                switch ( tls->rx.state ) {
                case TLS_RX_HEADER:
                        dest = &tls->rx.iobuf;
                        process = tls_newdata_process_header;
                        break;
                case TLS_RX_DATA:
                        dest = list_first_entry ( &tls->rx.data,
                                                  struct io_buffer, list );
                        assert ( dest != NULL );
                        process = tls_newdata_process_data;
                        break;
                default:
                        assert ( 0 );
                        rc = -EINVAL_RX_STATE;
                        goto done;
                }

                /* Copy data portion to buffer */
                frag_len = iob_len ( iobuf );
                if ( frag_len > iob_tailroom ( dest ) )
                        frag_len = iob_tailroom ( dest );
                memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
                iob_pull ( iobuf, frag_len );

                /* Process data if buffer is now full */
                if ( iob_tailroom ( dest ) == 0 ) {
                        if ( ( rc = process ( tls ) ) != 0 ) {
                                tls_close ( tls, rc );
                                goto done;
                        }
                }
        }
        rc = 0;

 done:
        free_iob ( iobuf );
        return rc;
}

References assert(), io_buffer::data, tls_rx::data, dest, done, EINVAL_RX_STATE, free_iob(), iob_len(), iob_pull, iob_put, iob_tailroom(), tls_rx::iobuf, io_buffer::list, list_first_entry, memcpy(), NULL, rc, tls_connection::rx, tls_rx::state, tls_close(), tls_newdata_process_data(), tls_newdata_process_header(), TLS_RX_DATA, and TLS_RX_HEADER.

tls_validator_done()

static void tls_validator_done ( struct tls_connection *  tls, int  rc  )

static

Handle certificate validation completion.

Parameters

tls	TLS connection
rc	Reason for completion

Definition at line 3702 of file tls.c.

                                                                      {
        struct tls_session *session = tls->session;
        struct x509_certificate *cert;

        /* Mark validation as complete */
        pending_put ( &tls->server.validation );

        /* Close validator interface */
        intf_restart ( &tls->server.validator, rc );

        /* Check for validation failure */
        if ( rc != 0 ) {
                DBGC ( tls, "TLS %p certificate validation failed: %s\n",
                       tls, strerror ( rc ) );
                goto err;
        }
        DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );

        /* Extract first certificate */
        cert = x509_first ( tls->server.chain );
        assert ( cert != NULL );

        /* Verify server name */
        if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
                DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
                       tls, session->name, strerror ( rc ) );
                goto err;
        }

        /* Extract the now trusted server public key */
        memcpy ( &tls->server.key, &cert->subject.public_key.raw,
                 sizeof ( tls->server.key ) );

        /* Schedule transmission of applicable handshake messages */
        tls->tx.pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
                             TLS_TX_CHANGE_CIPHER |
                             TLS_TX_FINISHED );
        if ( tls->client.chain ) {
                tls->tx.pending |= TLS_TX_CERTIFICATE;
                if ( ! list_empty ( &tls->client.chain->links ) )
                        tls->tx.pending |= TLS_TX_CERTIFICATE_VERIFY;
        }
        tls_tx_resume ( tls );

        return;

 err:
        tls_close ( tls, rc );
        return;
}

References assert(), tls_client::chain, tls_server::chain, tls_connection::client, DBGC, intf_restart(), tls_server::key, x509_chain::links, list_empty, memcpy(), tls_session::name, NULL, tls_tx::pending, pending_put(), x509_subject::public_key, x509_public_key::raw, rc, tls_connection::server, tls_connection::session, strerror(), x509_certificate::subject, tls_close(), TLS_TX_CERTIFICATE, TLS_TX_CERTIFICATE_VERIFY, TLS_TX_CHANGE_CIPHER, TLS_TX_CLIENT_KEY_EXCHANGE, TLS_TX_FINISHED, tls_tx_resume(), tls_connection::tx, tls_server::validation, tls_server::validator, x509_check_name(), and x509_first().

tls_tx_step()

static void tls_tx_step ( struct tls_connection *  tls )

static

TLS TX state machine.

Parameters

tls	TLS connection

Definition at line 3775 of file tls.c.

                                                       {
        struct tls_session *session = tls->session;
        struct tls_connection *conn;
        int rc;

        /* Wait for cipherstream to become ready */
        if ( ! xfer_window ( &tls->cipherstream ) )
                return;

        /* Send first pending transmission */
        if ( tls->tx.pending & TLS_TX_CLIENT_HELLO ) {
                /* Serialise server negotiations within a session, to
                 * provide a consistent view of session IDs and
                 * session tickets.
                 */
                list_for_each_entry ( conn, &session->conn, list ) {
                        if ( conn == tls )
                                break;
                        if ( is_pending ( &conn->server.negotiation ) )
                                return;
                }
                /* Record or generate session ID and associated master secret */
                if ( session->id_len ) {
                        /* Attempt to resume an existing session */
                        memcpy ( tls->session_id, session->id,
                                 sizeof ( tls->session_id ) );
                        tls->session_id_len = session->id_len;
                        memcpy ( tls->master_secret, session->master_secret,
                                 sizeof ( tls->master_secret ) );
                } else {
                        /* No existing session: use a random session ID */
                        assert ( sizeof ( tls->session_id ) ==
                                 sizeof ( tls->client.random ) );
                        memcpy ( tls->session_id, &tls->client.random,
                                 sizeof ( tls->session_id ) );
                        tls->session_id_len = sizeof ( tls->session_id );
                }
                /* Send Client Hello */
                if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
                               tls, strerror ( rc ) );
                        goto err;
                }
                tls->tx.pending &= ~TLS_TX_CLIENT_HELLO;
        } else if ( tls->tx.pending & TLS_TX_CERTIFICATE ) {
                /* Send Certificate */
                if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
                        DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
                               tls, strerror ( rc ) );
                        goto err;
                }
                tls->tx.pending &= ~TLS_TX_CERTIFICATE;
        } else if ( tls->tx.pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
                /* Send Client Key Exchange */
                if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not send Client Key "
                               "Exchange: %s\n", tls, strerror ( rc ) );
                        goto err;
                }
                tls->tx.pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
        } else if ( tls->tx.pending & TLS_TX_CERTIFICATE_VERIFY ) {
                /* Send Certificate Verify */
                if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not send Certificate "
                               "Verify: %s\n", tls, strerror ( rc ) );
                        goto err;
                }
                tls->tx.pending &= ~TLS_TX_CERTIFICATE_VERIFY;
        } else if ( tls->tx.pending & TLS_TX_CHANGE_CIPHER ) {
                /* Send Change Cipher, and then change the cipher in use */
                if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not send Change Cipher: "
                               "%s\n", tls, strerror ( rc ) );
                        goto err;
                }
                if ( ( rc = tls_change_cipher ( tls,
                                                &tls->tx.cipherspec ) ) != 0 ){
                        DBGC ( tls, "TLS %p could not activate TX cipher: "
                               "%s\n", tls, strerror ( rc ) );
                        goto err;
                }
                tls->tx.seq = 0;
                tls->tx.pending &= ~TLS_TX_CHANGE_CIPHER;
        } else if ( tls->tx.pending & TLS_TX_FINISHED ) {
                /* Send Finished */
                if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
                        DBGC ( tls, "TLS %p could not send Finished: %s\n",
                               tls, strerror ( rc ) );
                        goto err;
                }
                tls->tx.pending &= ~TLS_TX_FINISHED;
        }

        /* Reschedule process if pending transmissions remain,
         * otherwise send notification of a window change.
         */
        if ( tls->tx.pending ) {
                tls_tx_resume ( tls );
        } else {
                xfer_window_changed ( &tls->plainstream );
        }

        return;

 err:
        tls_close ( tls, rc );
}

References assert(), tls_tx::cipherspec, tls_connection::cipherstream, tls_connection::client, tls_session::conn, DBGC, tls_session::id, tls_session::id_len, is_pending(), tls_connection::list, list_for_each_entry, tls_session::master_secret, tls_connection::master_secret, memcpy(), tls_server::negotiation, tls_tx::pending, tls_connection::plainstream, tls_client::random, rc, tls_tx::seq, tls_connection::server, tls_connection::session, tls_connection::session_id, tls_connection::session_id_len, strerror(), tls_change_cipher(), tls_close(), tls_send_certificate(), tls_send_certificate_verify(), tls_send_change_cipher(), tls_send_client_hello(), tls_send_client_key_exchange(), tls_send_finished(), TLS_TX_CERTIFICATE, TLS_TX_CERTIFICATE_VERIFY, TLS_TX_CHANGE_CIPHER, TLS_TX_CLIENT_HELLO, TLS_TX_CLIENT_KEY_EXCHANGE, TLS_TX_FINISHED, tls_tx_resume(), tls_connection::tx, xfer_window(), and xfer_window_changed().

tls_session()

static int tls_session ( struct tls_connection *  tls, const char *  name  )

static

Find or create session for TLS connection.

Parameters

tls	TLS connection
name	Server name

Return values

rc	Return status code

Definition at line 3901 of file tls.c.

                                                                        {
        struct tls_session *session;
        char *name_copy;
        int rc;

        /* Find existing matching session, if any */
        list_for_each_entry ( session, &tls_sessions, list ) {
                if ( ( strcmp ( name, session->name ) == 0 ) &&
                     ( tls->server.root == session->root ) &&
                     ( tls->client.key == session->key ) ) {
                        ref_get ( &session->refcnt );
                        tls->session = session;
                        DBGC ( tls, "TLS %p joining session %s\n", tls, name );
                        return 0;
                }
        }

        /* Create new session */
        session = zalloc ( sizeof ( *session ) + strlen ( name )
                           + 1 /* NUL */ );
        if ( ! session ) {
                rc = -ENOMEM;
                goto err_alloc;
        }
        ref_init ( &session->refcnt, free_tls_session );
        name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
        strcpy ( name_copy, name );
        session->name = name_copy;
        session->root = x509_root_get ( tls->server.root );
        session->key = privkey_get ( tls->client.key );
        INIT_LIST_HEAD ( &session->conn );
        list_add ( &session->list, &tls_sessions );

        /* Record session */
        tls->session = session;

        DBGC ( tls, "TLS %p created session %s\n", tls, name );
        return 0;

        ref_put ( &session->refcnt );
 err_alloc:
        return rc;
}

References tls_connection::client, tls_session::conn, DBGC, ENOMEM, free_tls_session(), INIT_LIST_HEAD, tls_session::key, tls_client::key, tls_session::list, list_add, list_for_each_entry, tls_session::name, name, privkey_get(), rc, ref_get, ref_init, ref_put, tls_session::refcnt, tls_session::root, tls_server::root, tls_connection::server, tls_connection::session, strcmp(), strcpy(), strlen(), x509_root_get(), and zalloc().

add_tls()

int add_tls	(	struct interface *	xfer,
		const char *	name,
		struct x509_root *	root,
		struct private_key *	key
	)

Add TLS on an interface.

Parameters

xfer	Data transfer interface
name	Host name
root	Root of trust (or NULL to use default)
key	Private key (or NULL to use default)

Return values

rc	Return status code

Definition at line 3961 of file tls.c.

                                                                {
        struct tls_connection *tls;
        int rc;

        /* Allocate and initialise TLS structure */
        tls = malloc ( sizeof ( *tls ) );
        if ( ! tls ) {
                rc = -ENOMEM;
                goto err_alloc;
        }
        memset ( tls, 0, sizeof ( *tls ) );
        ref_init ( &tls->refcnt, free_tls );
        INIT_LIST_HEAD ( &tls->list );
        intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
        intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
        intf_init ( &tls->server.validator, &tls_validator_desc, &tls->refcnt );
        process_init_stopped ( &tls->tx.process, &tls_process_desc,
                               &tls->refcnt );
        tls->client.key = privkey_get ( key ? key : &private_key );
        tls->server.root = x509_root_get ( root ? root : &root_certificates );
        tls->version = TLS_VERSION_MAX;
        tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
        tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
        tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
        tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
        tls_clear_handshake ( tls );
        tls->client.random.gmt_unix_time = time ( NULL );
        iob_populate ( &tls->rx.iobuf, &tls->rx.header, 0,
                       sizeof ( tls->rx.header ) );
        INIT_LIST_HEAD ( &tls->rx.data );
        if ( ( rc = tls_generate_random ( tls, &tls->client.random.random,
                          ( sizeof ( tls->client.random.random ) ) ) ) != 0 ) {
                goto err_random;
        }
        if ( ( rc = tls_session ( tls, name ) ) != 0 )
                goto err_session;
        list_add_tail ( &tls->list, &tls->session->conn );

        /* Start negotiation */
        tls_restart ( tls );

        /* Attach to parent interface, mortalise self, and return */
        intf_insert ( xfer, &tls->plainstream, &tls->cipherstream );
        ref_put ( &tls->refcnt );
        return 0;

 err_session:
 err_random:
        ref_put ( &tls->refcnt );
 err_alloc:
        return rc;
}

References tls_cipherspec_pair::active, tls_tx::cipherspec, tls_rx::cipherspec, tls_connection::cipherstream, tls_connection::client, tls_session::conn, tls_rx::data, ENOMEM, free_tls(), tls_client_random::gmt_unix_time, tls_rx::header, INIT_LIST_HEAD, intf_init(), intf_insert(), iob_populate(), tls_rx::iobuf, key, tls_client::key, tls_connection::list, list_add_tail, malloc(), memset(), name, NULL, tls_cipherspec_pair::pending, tls_connection::plainstream, privkey_get(), tls_tx::process, process_init_stopped(), tls_client_random::random, tls_client::random, rc, ref_init, ref_put, tls_connection::refcnt, root, tls_server::root, root_certificates, tls_connection::rx, tls_connection::server, tls_connection::session, tls_cipherstream_desc, tls_clear_cipher(), tls_clear_handshake(), tls_generate_random(), tls_plainstream_desc, tls_process_desc, tls_restart(), tls_validator_desc, TLS_VERSION_MAX, tls_connection::tx, tls_server::validator, tls_connection::version, and x509_root_get().

Referenced by apply_syslogs_settings(), https_filter(), and ipair_rx_session().

REQUIRING_SYMBOL()

REQUIRING_SYMBOL

(

add_tls

)

REQUIRE_OBJECT()

REQUIRE_OBJECT

(

config_crypto

)

Variable Documentation

md5_sha1_algorithm

struct digest_algorithm md5_sha1_algorithm

static

Initial value:

= {
        .name           = "md5+sha1",
        .ctxsize        = sizeof ( struct md5_sha1_context ),
        .blocksize      = 0, 
        .digestsize     = sizeof ( struct md5_sha1_digest ),
        .init           = md5_sha1_init,
        .update         = md5_sha1_update,
        .final          = md5_sha1_final,
}

Hybrid MD5+SHA1 digest algorithm.

Definition at line 329 of file tls.c.

Referenced by tls_select_cipher(), and tls_verify_dh_params().

__rsa_digestinfo_prefix

struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix

Initial value:

= {
        .digest = &md5_sha1_algorithm,
        .data = NULL, 
        .len = 0,
}

RSA digestInfo prefix for MD5+SHA1 algorithm.

Definition at line 340 of file tls.c.

tls_cipher_suite_null

struct tls_cipher_suite tls_cipher_suite_null

Initial value:

= {
        .exchange = &tls_pubkey_exchange_algorithm,
        .pubkey = &pubkey_null,
        .cipher = &cipher_null,
        .digest = &digest_null,
}

Null cipher suite.

Definition at line 850 of file tls.c.

Referenced by tls_change_cipher(), and tls_clear_cipher().

tls_pubkey_exchange_algorithm

struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm

Initial value:

= {
        .name = "pubkey",
        .exchange = tls_send_client_key_exchange_pubkey,
}

Public key exchange algorithm.

Definition at line 1485 of file tls.c.

tls_dhe_exchange_algorithm

struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm

Initial value:

= {
        .name = "dhe",
        .exchange = tls_send_client_key_exchange_dhe,
}

Ephemeral Diffie-Hellman key exchange algorithm.

Definition at line 1700 of file tls.c.

tls_ecdhe_exchange_algorithm

struct tls_key_exchange_algorithm tls_ecdhe_exchange_algorithm

Initial value:

= {
        .name = "ecdhe",
        .exchange = tls_send_client_key_exchange_ecdhe,
}

Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm.

Definition at line 1830 of file tls.c.

tls_plainstream_ops

struct interface_operation tls_plainstream_ops[]

static

Initial value:

= {
        INTF_OP ( xfer_alloc_iob, struct tls_connection *, tls_alloc_iob ),
        INTF_OP ( xfer_deliver, struct tls_connection *,
                  tls_plainstream_deliver ),
        INTF_OP ( xfer_window, struct tls_connection *,
                  tls_plainstream_window ),
        INTF_OP ( job_progress, struct tls_connection *, tls_progress ),
        INTF_OP ( intf_close, struct tls_connection *, tls_close ),
}

TLS plaintext stream interface operations.

Definition at line 3459 of file tls.c.

tls_plainstream_desc

struct interface_descriptor tls_plainstream_desc

static

Initial value:

=
        INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
                             tls_plainstream_ops, cipherstream )

TLS plaintext stream interface descriptor.

Definition at line 3470 of file tls.c.

Referenced by add_tls().

tls_cipherstream_ops

struct interface_operation tls_cipherstream_ops[]

static

Initial value:

= {
        INTF_OP ( xfer_deliver, struct tls_connection *,
                  tls_cipherstream_deliver ),
        INTF_OP ( xfer_window, struct tls_connection *,
                  tls_cipherstream_window ),
        INTF_OP ( xfer_window_changed, struct tls_connection *,
                  tls_tx_resume ),
        INTF_OP ( intf_close, struct tls_connection *, tls_close ),
}

TLS ciphertext stream interface operations.

Definition at line 3674 of file tls.c.

tls_cipherstream_desc

struct interface_descriptor tls_cipherstream_desc

static

Initial value:

=
        INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
                             tls_cipherstream_ops, plainstream )

TLS ciphertext stream interface descriptor.

Definition at line 3685 of file tls.c.

Referenced by add_tls().

tls_validator_ops

struct interface_operation tls_validator_ops[]

static

Initial value:

= {
        INTF_OP ( intf_close, struct tls_connection *, tls_validator_done ),
}

TLS certificate validator interface operations.

Definition at line 3754 of file tls.c.

tls_validator_desc

struct interface_descriptor tls_validator_desc

static

Initial value:

=
        INTF_DESC ( struct tls_connection, server.validator,
                    tls_validator_ops )

TLS certificate validator interface descriptor.

Definition at line 3759 of file tls.c.

Referenced by add_tls().

tls_process_desc

struct process_descriptor tls_process_desc

static

Initial value:

=
        PROC_DESC_ONCE ( struct tls_connection, tx.process, tls_tx_step )

TLS TX process descriptor.

Definition at line 3884 of file tls.c.

Referenced by add_tls().