iPXE
tls.c
Go to the documentation of this file.
1/*
2 * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 */
19
20FILE_LICENCE ( GPL2_OR_LATER );
21FILE_SECBOOT ( PERMITTED );
22
23/**
24 * @file
25 *
26 * Transport Layer Security Protocol
27 */
28
29#include <stdint.h>
30#include <stdlib.h>
31#include <stdarg.h>
32#include <string.h>
33#include <errno.h>
34#include <byteswap.h>
35#include <ipxe/pending.h>
36#include <ipxe/hmac.h>
37#include <ipxe/md5.h>
38#include <ipxe/sha1.h>
39#include <ipxe/sha256.h>
40#include <ipxe/aes.h>
41#include <ipxe/rsa.h>
42#include <ipxe/iobuf.h>
43#include <ipxe/xfer.h>
44#include <ipxe/open.h>
45#include <ipxe/x509.h>
46#include <ipxe/privkey.h>
47#include <ipxe/certstore.h>
48#include <ipxe/rootcert.h>
49#include <ipxe/rbg.h>
50#include <ipxe/validator.h>
51#include <ipxe/job.h>
52#include <ipxe/dhe.h>
53#include <ipxe/ecdhe.h>
54#include <ipxe/tls.h>
55#include <config/crypto.h>
56
57/* Disambiguate the various error causes */
58#define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
59#define EINFO_EINVAL_CHANGE_CIPHER \
60 __einfo_uniqify ( EINFO_EINVAL, 0x01, \
61 "Invalid Change Cipher record" )
62#define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
63#define EINFO_EINVAL_ALERT \
64 __einfo_uniqify ( EINFO_EINVAL, 0x02, \
65 "Invalid Alert record" )
66#define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
67#define EINFO_EINVAL_HELLO \
68 __einfo_uniqify ( EINFO_EINVAL, 0x03, \
69 "Invalid Server Hello record" )
70#define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
71#define EINFO_EINVAL_CERTIFICATE \
72 __einfo_uniqify ( EINFO_EINVAL, 0x04, \
73 "Invalid Certificate" )
74#define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
75#define EINFO_EINVAL_CERTIFICATES \
76 __einfo_uniqify ( EINFO_EINVAL, 0x05, \
77 "Invalid Server Certificate record" )
78#define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
79#define EINFO_EINVAL_HELLO_DONE \
80 __einfo_uniqify ( EINFO_EINVAL, 0x06, \
81 "Invalid Server Hello Done record" )
82#define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
83#define EINFO_EINVAL_FINISHED \
84 __einfo_uniqify ( EINFO_EINVAL, 0x07, \
85 "Invalid Server Finished record" )
86#define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
87#define EINFO_EINVAL_HANDSHAKE \
88 __einfo_uniqify ( EINFO_EINVAL, 0x08, \
89 "Invalid Handshake record" )
90#define EINVAL_IV __einfo_error ( EINFO_EINVAL_IV )
91#define EINFO_EINVAL_IV \
92 __einfo_uniqify ( EINFO_EINVAL, 0x0a, \
93 "Invalid initialisation vector" )
94#define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
95#define EINFO_EINVAL_PADDING \
96 __einfo_uniqify ( EINFO_EINVAL, 0x0b, \
97 "Invalid block padding" )
98#define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
99#define EINFO_EINVAL_RX_STATE \
100 __einfo_uniqify ( EINFO_EINVAL, 0x0c, \
101 "Invalid receive state" )
102#define EINVAL_MAC __einfo_error ( EINFO_EINVAL_MAC )
103#define EINFO_EINVAL_MAC \
104 __einfo_uniqify ( EINFO_EINVAL, 0x0d, \
105 "Invalid MAC or authentication tag" )
106#define EINVAL_TICKET __einfo_error ( EINFO_EINVAL_TICKET )
107#define EINFO_EINVAL_TICKET \
108 __einfo_uniqify ( EINFO_EINVAL, 0x0e, \
109 "Invalid New Session Ticket record")
110#define EINVAL_KEY_EXCHANGE __einfo_error ( EINFO_EINVAL_KEY_EXCHANGE )
111#define EINFO_EINVAL_KEY_EXCHANGE \
112 __einfo_uniqify ( EINFO_EINVAL, 0x0f, \
113 "Invalid Server Key Exchange record" )
114#define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
115#define EINFO_EIO_ALERT \
116 __einfo_uniqify ( EINFO_EIO, 0x01, \
117 "Unknown alert level" )
118#define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
119#define EINFO_ENOMEM_CONTEXT \
120 __einfo_uniqify ( EINFO_ENOMEM, 0x01, \
121 "Not enough space for crypto context" )
122#define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
123#define EINFO_ENOMEM_CERTIFICATE \
124 __einfo_uniqify ( EINFO_ENOMEM, 0x02, \
125 "Not enough space for certificate" )
126#define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
127#define EINFO_ENOMEM_CHAIN \
128 __einfo_uniqify ( EINFO_ENOMEM, 0x03, \
129 "Not enough space for certificate chain" )
130#define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
131#define EINFO_ENOMEM_TX_PLAINTEXT \
132 __einfo_uniqify ( EINFO_ENOMEM, 0x04, \
133 "Not enough space for transmitted plaintext" )
134#define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
135#define EINFO_ENOMEM_TX_CIPHERTEXT \
136 __einfo_uniqify ( EINFO_ENOMEM, 0x05, \
137 "Not enough space for transmitted ciphertext" )
138#define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
139#define EINFO_ENOMEM_RX_DATA \
140 __einfo_uniqify ( EINFO_ENOMEM, 0x07, \
141 "Not enough space for received data" )
142#define ENOMEM_RX_CONCAT __einfo_error ( EINFO_ENOMEM_RX_CONCAT )
143#define EINFO_ENOMEM_RX_CONCAT \
144 __einfo_uniqify ( EINFO_ENOMEM, 0x08, \
145 "Not enough space to concatenate received data" )
146#define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
147#define EINFO_ENOTSUP_CIPHER \
148 __einfo_uniqify ( EINFO_ENOTSUP, 0x01, \
149 "Unsupported cipher" )
150#define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
151#define EINFO_ENOTSUP_NULL \
152 __einfo_uniqify ( EINFO_ENOTSUP, 0x02, \
153 "Refusing to use null cipher" )
154#define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
155#define EINFO_ENOTSUP_SIG_HASH \
156 __einfo_uniqify ( EINFO_ENOTSUP, 0x03, \
157 "Unsupported signature and hash algorithm" )
158#define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
159#define EINFO_ENOTSUP_VERSION \
160 __einfo_uniqify ( EINFO_ENOTSUP, 0x04, \
161 "Unsupported protocol version" )
162#define ENOTSUP_CURVE __einfo_error ( EINFO_ENOTSUP_CURVE )
163#define EINFO_ENOTSUP_CURVE \
164 __einfo_uniqify ( EINFO_ENOTSUP, 0x05, \
165 "Unsupported elliptic curve" )
166#define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
167#define EINFO_EPERM_ALERT \
168 __einfo_uniqify ( EINFO_EPERM, 0x01, \
169 "Received fatal alert" )
170#define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
171#define EINFO_EPERM_VERIFY \
172 __einfo_uniqify ( EINFO_EPERM, 0x02, \
173 "Handshake verification failed" )
174#define EPERM_RENEG_INSECURE __einfo_error ( EINFO_EPERM_RENEG_INSECURE )
175#define EINFO_EPERM_RENEG_INSECURE \
176 __einfo_uniqify ( EINFO_EPERM, 0x04, \
177 "Secure renegotiation not supported" )
178#define EPERM_RENEG_VERIFY __einfo_error ( EINFO_EPERM_RENEG_VERIFY )
179#define EINFO_EPERM_RENEG_VERIFY \
180 __einfo_uniqify ( EINFO_EPERM, 0x05, \
181 "Secure renegotiation verification failed" )
182#define EPERM_KEY_EXCHANGE __einfo_error ( EINFO_EPERM_KEY_EXCHANGE )
183#define EINFO_EPERM_KEY_EXCHANGE \
184 __einfo_uniqify ( EINFO_EPERM, 0x06, \
185 "ServerKeyExchange verification failed" )
186#define EPERM_EMS __einfo_error ( EINFO_EPERM_EMS )
187#define EINFO_EPERM_EMS \
188 __einfo_uniqify ( EINFO_EPERM, 0x07, \
189 "Extended master secret extension mismatch" )
190#define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
191#define EINFO_EPROTO_VERSION \
192 __einfo_uniqify ( EINFO_EPROTO, 0x01, \
193 "Illegal protocol version upgrade" )
194
195/** List of TLS session */
196static LIST_HEAD ( tls_sessions );
197
198static void tls_tx_resume_all ( struct tls_session *session );
199static struct io_buffer * tls_alloc_iob ( struct tls_connection *tls,
200 size_t len );
201static int tls_send_alert ( struct tls_connection *tls, unsigned int level,
202 unsigned int description );
203static int tls_send_record ( struct tls_connection *tls, unsigned int type,
204 struct io_buffer *iobuf );
205static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
206 const void *data, size_t len );
207static void tls_clear_cipher ( struct tls_connection *tls,
208 struct tls_cipherspec *cipherspec );
209static void tls_verify_handshake ( struct tls_connection *tls, void *out );
210
211/******************************************************************************
212 *
213 * Utility functions
214 *
215 ******************************************************************************
216 */
217
218/** A TLS 24-bit integer
219 *
220 * TLS uses 24-bit integers in several places, which are awkward to
221 * parse in C.
222 */
223typedef struct {
224 /** High byte */
225 uint8_t high;
226 /** Low word */
227 uint16_t low;
228} __attribute__ (( packed )) tls24_t;
229
230/**
231 * Extract 24-bit field value
232 *
233 * @v field24 24-bit field
234 * @ret value Field value
235 *
236 */
237static inline __attribute__ (( always_inline )) unsigned long
238tls_uint24 ( const tls24_t *field24 ) {
239
240 return ( ( field24->high << 16 ) | be16_to_cpu ( field24->low ) );
241}
242
243/**
244 * Set 24-bit field value
245 *
246 * @v field24 24-bit field
247 * @v value Field value
248 */
249static void tls_set_uint24 ( tls24_t *field24, unsigned long value ) {
250
251 field24->high = ( value >> 16 );
252 field24->low = cpu_to_be16 ( value );
253}
254
255/**
256 * Determine if TLS connection is ready for application data
257 *
258 * @v tls TLS connection
259 * @ret is_ready TLS connection is ready
260 */
261static int tls_ready ( struct tls_connection *tls ) {
262 return ( ( ! is_pending ( &tls->client.negotiation ) ) &&
263 ( ! is_pending ( &tls->server.negotiation ) ) );
264}
265
266/**
267 * Check for TLS version
268 *
269 * @v tls TLS connection
270 * @v version TLS version
271 * @ret at_least TLS connection is using at least the specified version
272 *
273 * Check that TLS connection uses at least the specified protocol
274 * version. Optimise down to a compile-time constant true result if
275 * this is already guaranteed by the minimum supported version check.
276 */
277static inline __attribute__ (( always_inline )) int
278tls_version ( struct tls_connection *tls, unsigned int version ) {
279 return ( ( TLS_VERSION_MIN >= version ) ||
280 ( tls->version >= version ) );
281}
282
283/******************************************************************************
284 *
285 * Hybrid MD5+SHA1 hash as used by TLSv1.1 and earlier
286 *
287 ******************************************************************************
288 */
289
290/**
291 * Initialise MD5+SHA1 algorithm
292 *
293 * @v ctx MD5+SHA1 context
294 */
295static void md5_sha1_init ( void *ctx ) {
296 struct md5_sha1_context *context = ctx;
297
298 digest_init ( &md5_algorithm, context->md5 );
299 digest_init ( &sha1_algorithm, context->sha1 );
300}
301
302/**
303 * Accumulate data with MD5+SHA1 algorithm
304 *
305 * @v ctx MD5+SHA1 context
306 * @v data Data
307 * @v len Length of data
308 */
309static void md5_sha1_update ( void *ctx, const void *data, size_t len ) {
310 struct md5_sha1_context *context = ctx;
311
312 digest_update ( &md5_algorithm, context->md5, data, len );
313 digest_update ( &sha1_algorithm, context->sha1, data, len );
314}
315
316/**
317 * Generate MD5+SHA1 digest
318 *
319 * @v ctx MD5+SHA1 context
320 * @v out Output buffer
321 */
322static void md5_sha1_final ( void *ctx, void *out ) {
323 struct md5_sha1_context *context = ctx;
324 struct md5_sha1_digest *digest = out;
325
326 digest_final ( &md5_algorithm, context->md5, digest->md5 );
327 digest_final ( &sha1_algorithm, context->sha1, digest->sha1 );
328}
329
330/** Hybrid MD5+SHA1 digest algorithm */
331static struct digest_algorithm md5_sha1_algorithm = {
332 .name = "md5+sha1",
333 .ctxsize = sizeof ( struct md5_sha1_context ),
334 .blocksize = 0, /* Not applicable */
335 .digestsize = sizeof ( struct md5_sha1_digest ),
336 .init = md5_sha1_init,
337 .update = md5_sha1_update,
338 .final = md5_sha1_final,
339};
340
341/** RSA digestInfo prefix for MD5+SHA1 algorithm */
342struct rsa_digestinfo_prefix rsa_md5_sha1_prefix __rsa_digestinfo_prefix = {
343 .digest = &md5_sha1_algorithm,
344 .data = NULL, /* MD5+SHA1 signatures have no digestInfo */
345 .len = 0,
346};
347
348/******************************************************************************
349 *
350 * Cleanup functions
351 *
352 ******************************************************************************
353 */
354
355/**
356 * Free TLS session
357 *
358 * @v refcnt Reference counter
359 */
360static void free_tls_session ( struct refcnt *refcnt ) {
361 struct tls_session *session =
362 container_of ( refcnt, struct tls_session, refcnt );
363
364 /* Sanity check */
365 assert ( list_empty ( &session->conn ) );
366
367 /* Remove from list of sessions */
368 list_del ( &session->list );
369
370 /* Free dynamically-allocated resources */
371 x509_root_put ( session->root );
372 privkey_put ( session->key );
373 free ( session->ticket );
374
375 /* Free session */
376 free ( session );
377}
378
379/**
380 * Free TLS connection
381 *
382 * @v refcnt Reference counter
383 */
384static void free_tls ( struct refcnt *refcnt ) {
385 struct tls_connection *tls =
386 container_of ( refcnt, struct tls_connection, refcnt );
387 struct tls_session *session = tls->session;
388 struct io_buffer *iobuf;
389 struct io_buffer *tmp;
390
391 /* Free dynamically-allocated resources */
392 free ( tls->new_session_ticket );
393 tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
394 tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
395 tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
396 tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
397 free ( tls->server.exchange );
398 free ( tls->handshake_ctx );
399 list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
400 list_del ( &iobuf->list );
401 free_iob ( iobuf );
402 }
403 free_iob ( tls->rx.handshake );
404 privkey_put ( tls->client.key );
405 x509_chain_put ( tls->client.chain );
406 x509_chain_put ( tls->server.chain );
407 x509_root_put ( tls->server.root );
408
409 /* Drop reference to session */
410 assert ( list_empty ( &tls->list ) );
411 ref_put ( &session->refcnt );
412
413 /* Free TLS structure itself */
414 free ( tls );
415}
416
417/**
418 * Finish with TLS connection
419 *
420 * @v tls TLS connection
421 * @v rc Status code
422 */
423static void tls_close ( struct tls_connection *tls, int rc ) {
424
425 /* Send closure alert */
426 tls_send_alert ( tls, TLS_ALERT_WARNING, TLS_ALERT_CLOSE_NOTIFY );
427
428 /* Remove pending operations, if applicable */
429 pending_put ( &tls->client.negotiation );
430 pending_put ( &tls->server.negotiation );
431 pending_put ( &tls->server.validation );
432
433 /* Remove process */
434 process_del ( &tls->tx.process );
435
436 /* Close all interfaces */
437 intf_shutdown ( &tls->cipherstream, rc );
438 intf_shutdown ( &tls->plainstream, rc );
439 intf_shutdown ( &tls->server.validator, rc );
440
441 /* Remove from session */
442 list_del ( &tls->list );
443 INIT_LIST_HEAD ( &tls->list );
444
445 /* Resume all other connections, in case we were the lead connection */
446 tls_tx_resume_all ( tls->session );
447}
448
449/******************************************************************************
450 *
451 * Random number generation
452 *
453 ******************************************************************************
454 */
455
456/**
457 * Generate random data
458 *
459 * @v tls TLS connection
460 * @v data Buffer to fill
461 * @v len Length of buffer
462 * @ret rc Return status code
463 */
464static int tls_generate_random ( struct tls_connection *tls,
465 void *data, size_t len ) {
466 int rc;
467
468 /* Generate random bits with no additional input and without
469 * prediction resistance
470 */
471 if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
472 DBGC ( tls, "TLS %p could not generate random data: %s\n",
473 tls, strerror ( rc ) );
474 return rc;
475 }
476
477 return 0;
478}
479
480/**
481 * Update HMAC with a list of ( data, len ) pairs
482 *
483 * @v digest Hash function to use
484 * @v ctx HMAC context
485 * @v args ( data, len ) pairs of data, terminated by NULL
486 */
487static void tls_hmac_update_va ( struct digest_algorithm *digest,
488 void *ctx, va_list args ) {
489 void *data;
490 size_t len;
491
492 while ( ( data = va_arg ( args, void * ) ) ) {
493 len = va_arg ( args, size_t );
494 hmac_update ( digest, ctx, data, len );
495 }
496}
497
498/**
499 * Generate secure pseudo-random data using a single hash function
500 *
501 * @v tls TLS connection
502 * @v digest Hash function to use
503 * @v secret Secret
504 * @v secret_len Length of secret
505 * @v out Output buffer
506 * @v out_len Length of output buffer
507 * @v seeds ( data, len ) pairs of seed data, terminated by NULL
508 */
509static void tls_p_hash_va ( struct tls_connection *tls,
510 struct digest_algorithm *digest,
511 const void *secret, size_t secret_len,
512 void *out, size_t out_len,
513 va_list seeds ) {
514 uint8_t ctx[ hmac_ctxsize ( digest ) ];
515 uint8_t ctx_partial[ sizeof ( ctx ) ];
516 uint8_t a[digest->digestsize];
517 uint8_t out_tmp[digest->digestsize];
518 size_t frag_len = digest->digestsize;
519 va_list tmp;
520
521 DBGC2 ( tls, "TLS %p %s secret:\n", tls, digest->name );
522 DBGC2_HD ( tls, secret, secret_len );
523
524 /* Calculate A(1) */
525 hmac_init ( digest, ctx, secret, secret_len );
526 va_copy ( tmp, seeds );
527 tls_hmac_update_va ( digest, ctx, tmp );
528 va_end ( tmp );
529 hmac_final ( digest, ctx, a );
530 DBGC2 ( tls, "TLS %p %s A(1):\n", tls, digest->name );
531 DBGC2_HD ( tls, &a, sizeof ( a ) );
532
533 /* Generate as much data as required */
534 while ( out_len ) {
535 /* Calculate output portion */
536 hmac_init ( digest, ctx, secret, secret_len );
537 hmac_update ( digest, ctx, a, sizeof ( a ) );
538 memcpy ( ctx_partial, ctx, sizeof ( ctx_partial ) );
539 va_copy ( tmp, seeds );
540 tls_hmac_update_va ( digest, ctx, tmp );
541 va_end ( tmp );
542 hmac_final ( digest, ctx, out_tmp );
543
544 /* Copy output */
545 if ( frag_len > out_len )
546 frag_len = out_len;
547 memcpy ( out, out_tmp, frag_len );
548 DBGC2 ( tls, "TLS %p %s output:\n", tls, digest->name );
549 DBGC2_HD ( tls, out, frag_len );
550
551 /* Calculate A(i) */
552 hmac_final ( digest, ctx_partial, a );
553 DBGC2 ( tls, "TLS %p %s A(n):\n", tls, digest->name );
554 DBGC2_HD ( tls, &a, sizeof ( a ) );
555
556 out += frag_len;
557 out_len -= frag_len;
558 }
559}
560
561/**
562 * Generate secure pseudo-random data
563 *
564 * @v tls TLS connection
565 * @v secret Secret
566 * @v secret_len Length of secret
567 * @v out Output buffer
568 * @v out_len Length of output buffer
569 * @v ... ( data, len ) pairs of seed data, terminated by NULL
570 */
571static void tls_prf ( struct tls_connection *tls, const void *secret,
572 size_t secret_len, void *out, size_t out_len, ... ) {
573 va_list seeds;
574 va_list tmp;
575 size_t subsecret_len;
576 const void *md5_secret;
577 const void *sha1_secret;
578 uint8_t buf[out_len];
579 unsigned int i;
580
581 va_start ( seeds, out_len );
582
583 if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
584 /* Use handshake digest PRF for TLSv1.2 and later */
585 tls_p_hash_va ( tls, tls->handshake_digest, secret, secret_len,
586 out, out_len, seeds );
587 } else {
588 /* Use combination of P_MD5 and P_SHA-1 for TLSv1.1
589 * and earlier
590 */
591
592 /* Split secret into two, with an overlap of up to one byte */
593 subsecret_len = ( ( secret_len + 1 ) / 2 );
594 md5_secret = secret;
595 sha1_secret = ( secret + secret_len - subsecret_len );
596
597 /* Calculate MD5 portion */
598 va_copy ( tmp, seeds );
599 tls_p_hash_va ( tls, &md5_algorithm, md5_secret,
600 subsecret_len, out, out_len, seeds );
601 va_end ( tmp );
602
603 /* Calculate SHA1 portion */
604 va_copy ( tmp, seeds );
605 tls_p_hash_va ( tls, &sha1_algorithm, sha1_secret,
606 subsecret_len, buf, out_len, seeds );
607 va_end ( tmp );
608
609 /* XOR the two portions together into the final output buffer */
610 for ( i = 0 ; i < out_len ; i++ )
611 *( ( uint8_t * ) out + i ) ^= buf[i];
612 }
613
614 va_end ( seeds );
615}
616
617/**
618 * Generate secure pseudo-random data
619 *
620 * @v secret Secret
621 * @v secret_len Length of secret
622 * @v out Output buffer
623 * @v out_len Length of output buffer
624 * @v label String literal label
625 * @v ... ( data, len ) pairs of seed data
626 */
627#define tls_prf_label( tls, secret, secret_len, out, out_len, label, ... ) \
628 tls_prf ( (tls), (secret), (secret_len), (out), (out_len), \
629 label, ( sizeof ( label ) - 1 ), __VA_ARGS__, NULL )
630
631/******************************************************************************
632 *
633 * Secret management
634 *
635 ******************************************************************************
636 */
637
638/**
639 * Generate master secret
640 *
641 * @v tls TLS connection
642 * @v pre_master_secret Pre-master secret
643 * @v pre_master_secret_len Length of pre-master secret
644 *
645 * The client and server random values must already be known.
646 */
647static void tls_generate_master_secret ( struct tls_connection *tls,
648 const void *pre_master_secret,
649 size_t pre_master_secret_len ) {
650 struct digest_algorithm *digest = tls->handshake_digest;
651 uint8_t digest_out[ digest->digestsize ];
652
653 /* Generate handshake digest */
654 tls_verify_handshake ( tls, digest_out );
655
656 /* Show inputs */
657 DBGC ( tls, "TLS %p pre-master secret:\n", tls );
658 DBGC_HD ( tls, pre_master_secret, pre_master_secret_len );
659 DBGC ( tls, "TLS %p client random bytes:\n", tls );
660 DBGC_HD ( tls, &tls->client.random, sizeof ( tls->client.random ) );
661 DBGC ( tls, "TLS %p server random bytes:\n", tls );
662 DBGC_HD ( tls, &tls->server.random, sizeof ( tls->server.random ) );
663 DBGC ( tls, "TLS %p session hash:\n", tls );
664 DBGC_HD ( tls, digest_out, sizeof ( digest_out ) );
665
666 /* Generate master secret */
667 if ( tls->extended_master_secret ) {
668 tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
669 &tls->master_secret,
670 sizeof ( tls->master_secret ),
671 "extended master secret",
672 digest_out, sizeof ( digest_out ) );
673 } else {
674 tls_prf_label ( tls, pre_master_secret, pre_master_secret_len,
675 &tls->master_secret,
676 sizeof ( tls->master_secret ),
677 "master secret",
678 &tls->client.random,
679 sizeof ( tls->client.random ),
680 &tls->server.random,
681 sizeof ( tls->server.random ) );
682 }
683
684 /* Show output */
685 DBGC ( tls, "TLS %p generated %smaster secret:\n", tls,
686 ( tls->extended_master_secret ? "extended ": "" ) );
687 DBGC_HD ( tls, &tls->master_secret, sizeof ( tls->master_secret ) );
688}
689
690/**
691 * Generate key material
692 *
693 * @v tls TLS connection
694 *
695 * The master secret must already be known.
696 */
697static int tls_generate_keys ( struct tls_connection *tls ) {
698 struct tls_cipherspec *tx_cipherspec = &tls->tx.cipherspec.pending;
699 struct tls_cipherspec *rx_cipherspec = &tls->rx.cipherspec.pending;
700 size_t hash_size = tx_cipherspec->suite->mac_len;
701 size_t key_size = tx_cipherspec->suite->key_len;
702 size_t iv_size = tx_cipherspec->suite->fixed_iv_len;
703 size_t total = ( 2 * ( hash_size + key_size + iv_size ) );
704 uint8_t key_block[total];
705 uint8_t *key;
706 int rc;
707
708 /* Generate key block */
709 tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
710 key_block, sizeof ( key_block ), "key expansion",
711 &tls->server.random, sizeof ( tls->server.random ),
712 &tls->client.random, sizeof ( tls->client.random ) );
713
714 /* Split key block into portions */
715 key = key_block;
716
717 /* TX MAC secret */
718 memcpy ( tx_cipherspec->mac_secret, key, hash_size );
719 DBGC ( tls, "TLS %p TX MAC secret:\n", tls );
720 DBGC_HD ( tls, key, hash_size );
721 key += hash_size;
722
723 /* RX MAC secret */
724 memcpy ( rx_cipherspec->mac_secret, key, hash_size );
725 DBGC ( tls, "TLS %p RX MAC secret:\n", tls );
726 DBGC_HD ( tls, key, hash_size );
727 key += hash_size;
728
729 /* TX key */
730 if ( ( rc = cipher_setkey ( tx_cipherspec->suite->cipher,
731 tx_cipherspec->cipher_ctx,
732 key, key_size ) ) != 0 ) {
733 DBGC ( tls, "TLS %p could not set TX key: %s\n",
734 tls, strerror ( rc ) );
735 return rc;
736 }
737 DBGC ( tls, "TLS %p TX key:\n", tls );
738 DBGC_HD ( tls, key, key_size );
739 key += key_size;
740
741 /* RX key */
742 if ( ( rc = cipher_setkey ( rx_cipherspec->suite->cipher,
743 rx_cipherspec->cipher_ctx,
744 key, key_size ) ) != 0 ) {
745 DBGC ( tls, "TLS %p could not set TX key: %s\n",
746 tls, strerror ( rc ) );
747 return rc;
748 }
749 DBGC ( tls, "TLS %p RX key:\n", tls );
750 DBGC_HD ( tls, key, key_size );
751 key += key_size;
752
753 /* TX initialisation vector */
754 memcpy ( tx_cipherspec->fixed_iv, key, iv_size );
755 DBGC ( tls, "TLS %p TX IV:\n", tls );
756 DBGC_HD ( tls, key, iv_size );
757 key += iv_size;
758
759 /* RX initialisation vector */
760 memcpy ( rx_cipherspec->fixed_iv, key, iv_size );
761 DBGC ( tls, "TLS %p RX IV:\n", tls );
762 DBGC_HD ( tls, key, iv_size );
763 key += iv_size;
764
765 assert ( ( key_block + total ) == key );
766
767 return 0;
768}
769
770/******************************************************************************
771 *
772 * Handshake verification
773 *
774 ******************************************************************************
775 */
776
777/**
778 * Clear handshake digest algorithm
779 *
780 * @v tls TLS connection
781 */
782static void tls_clear_handshake ( struct tls_connection *tls ) {
783
784 /* Select null digest algorithm */
785 tls->handshake_digest = &digest_null;
786
787 /* Free any existing context */
788 free ( tls->handshake_ctx );
789 tls->handshake_ctx = NULL;
790}
791
792/**
793 * Select handshake digest algorithm
794 *
795 * @v tls TLS connection
796 * @v digest Handshake digest algorithm
797 * @ret rc Return status code
798 */
799static int tls_select_handshake ( struct tls_connection *tls,
800 struct digest_algorithm *digest ) {
801
802 /* Clear existing handshake digest */
803 tls_clear_handshake ( tls );
804
805 /* Allocate and initialise context */
806 tls->handshake_ctx = malloc ( digest->ctxsize );
807 if ( ! tls->handshake_ctx )
808 return -ENOMEM;
809 tls->handshake_digest = digest;
810 digest_init ( digest, tls->handshake_ctx );
811
812 return 0;
813}
814
815/**
816 * Add handshake record to verification hash
817 *
818 * @v tls TLS connection
819 * @v data Handshake record
820 * @v len Length of handshake record
821 * @ret rc Return status code
822 */
823static int tls_add_handshake ( struct tls_connection *tls,
824 const void *data, size_t len ) {
825 struct digest_algorithm *digest = tls->handshake_digest;
826
827 digest_update ( digest, tls->handshake_ctx, data, len );
828 return 0;
829}
830
831/**
832 * Calculate handshake verification hash
833 *
834 * @v tls TLS connection
835 * @v out Output buffer
836 *
837 * Calculates the digest over all handshake messages seen so far.
838 */
839static void tls_verify_handshake ( struct tls_connection *tls, void *out ) {
840 struct digest_algorithm *digest = tls->handshake_digest;
841 uint8_t ctx[ digest->ctxsize ];
842
843 memcpy ( ctx, tls->handshake_ctx, sizeof ( ctx ) );
844 digest_final ( digest, ctx, out );
845}
846
847/******************************************************************************
848 *
849 * Cipher suite management
850 *
851 ******************************************************************************
852 */
853
854/** Null cipher suite */
855struct tls_cipher_suite tls_cipher_suite_null = {
856 .exchange = &tls_pubkey_exchange_algorithm,
857 .pubkey = &pubkey_null,
858 .cipher = &cipher_null,
859 .digest = &digest_null,
860};
861
862/** Number of supported cipher suites */
863#define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
864
865/**
866 * Identify cipher suite
867 *
868 * @v cipher_suite Cipher suite specification
869 * @ret suite Cipher suite, or NULL
870 */
871static struct tls_cipher_suite *
872tls_find_cipher_suite ( unsigned int cipher_suite ) {
873 struct tls_cipher_suite *suite;
874
875 /* Identify cipher suite */
876 for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
877 if ( suite->code == cipher_suite )
878 return suite;
879 }
880
881 return NULL;
882}
883
884/**
885 * Clear cipher suite
886 *
887 * @v cipherspec TLS cipher specification
888 */
889static void tls_clear_cipher ( struct tls_connection *tls __unused,
890 struct tls_cipherspec *cipherspec ) {
891
892 free ( cipherspec->dynamic );
893 memset ( cipherspec, 0, sizeof ( *cipherspec ) );
894 cipherspec->suite = &tls_cipher_suite_null;
895}
896
897/**
898 * Set cipher suite
899 *
900 * @v tls TLS connection
901 * @v cipherspec TLS cipher specification
902 * @v suite Cipher suite
903 * @ret rc Return status code
904 */
905static int tls_set_cipher ( struct tls_connection *tls,
906 struct tls_cipherspec *cipherspec,
907 struct tls_cipher_suite *suite ) {
908 struct cipher_algorithm *cipher = suite->cipher;
909 size_t total;
910 void *dynamic;
911
912 /* Clear out old cipher contents, if any */
913 tls_clear_cipher ( tls, cipherspec );
914
915 /* Allocate dynamic storage */
916 total = ( cipher->ctxsize + suite->mac_len + suite->fixed_iv_len );
917 dynamic = zalloc ( total );
918 if ( ! dynamic ) {
919 DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
920 "context\n", tls, total );
921 return -ENOMEM_CONTEXT;
922 }
923
924 /* Assign storage */
925 cipherspec->dynamic = dynamic;
926 cipherspec->cipher_ctx = dynamic; dynamic += cipher->ctxsize;
927 cipherspec->mac_secret = dynamic; dynamic += suite->mac_len;
928 cipherspec->fixed_iv = dynamic; dynamic += suite->fixed_iv_len;
929 assert ( ( cipherspec->dynamic + total ) == dynamic );
930
931 /* Store parameters */
932 cipherspec->suite = suite;
933
934 return 0;
935}
936
937/**
938 * Select next cipher suite
939 *
940 * @v tls TLS connection
941 * @v cipher_suite Cipher suite specification
942 * @ret rc Return status code
943 */
944static int tls_select_cipher ( struct tls_connection *tls,
945 unsigned int cipher_suite ) {
946 struct tls_cipher_suite *suite;
947 struct digest_algorithm *digest;
948 int rc;
949
950 /* Identify cipher suite */
951 suite = tls_find_cipher_suite ( cipher_suite );
952 if ( ! suite ) {
953 DBGC ( tls, "TLS %p does not support cipher %04x\n",
954 tls, ntohs ( cipher_suite ) );
955 return -ENOTSUP_CIPHER;
956 }
957
958 /* Set handshake digest algorithm */
959 digest = ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ?
960 suite->handshake : &md5_sha1_algorithm );
961 if ( ( rc = tls_select_handshake ( tls, digest ) ) != 0 )
962 return rc;
963
964 /* Set ciphers */
965 if ( ( rc = tls_set_cipher ( tls, &tls->tx.cipherspec.pending,
966 suite ) ) != 0 )
967 return rc;
968 if ( ( rc = tls_set_cipher ( tls, &tls->rx.cipherspec.pending,
969 suite ) ) != 0 )
970 return rc;
971
972 DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
973 suite->exchange->name, suite->pubkey->name,
974 suite->cipher->name, ( suite->key_len * 8 ),
975 suite->digest->name );
976
977 return 0;
978}
979
980/**
981 * Activate next cipher suite
982 *
983 * @v tls TLS connection
984 * @v pair Cipher specification pair
985 * @ret rc Return status code
986 */
987static int tls_change_cipher ( struct tls_connection *tls,
988 struct tls_cipherspec_pair *pair ) {
989
990 /* Sanity check */
991 if ( pair->pending.suite == &tls_cipher_suite_null ) {
992 DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
993 return -ENOTSUP_NULL;
994 }
995
996 tls_clear_cipher ( tls, &pair->active );
997 memswap ( &pair->active, &pair->pending, sizeof ( pair->active ) );
998 return 0;
999}
1000
1001/******************************************************************************
1002 *
1003 * Signature and hash algorithms
1004 *
1005 ******************************************************************************
1006 */
1007
1008/** Number of supported signature and hash algorithms */
1009#define TLS_NUM_SIG_HASH_ALGORITHMS \
1010 table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
1011
1012/**
1013 * Find TLS signature and hash algorithm
1014 *
1015 * @v pubkey Public-key algorithm
1016 * @v digest Digest algorithm
1017 * @ret sig_hash Signature and hash algorithm, or NULL
1018 */
1019static struct tls_signature_hash_algorithm *
1020tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
1021 struct digest_algorithm *digest ) {
1022 struct tls_signature_hash_algorithm *sig_hash;
1023
1024 /* Identify signature and hash algorithm */
1025 for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1026 if ( ( sig_hash->pubkey == pubkey ) &&
1027 ( sig_hash->digest == digest ) ) {
1028 return sig_hash;
1029 }
1030 }
1031
1032 return NULL;
1033}
1034
1035/**
1036 * Find TLS signature algorithm
1037 *
1038 * @v code Signature and hash algorithm identifier
1039 * @ret pubkey Public key algorithm, or NULL
1040 */
1041static struct pubkey_algorithm *
1042tls_signature_hash_pubkey ( struct tls_signature_hash_id code ) {
1043 struct tls_signature_hash_algorithm *sig_hash;
1044
1045 /* Identify signature and hash algorithm */
1046 for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1047 if ( sig_hash->code.signature == code.signature )
1048 return sig_hash->pubkey;
1049 }
1050
1051 return NULL;
1052}
1053
1054/**
1055 * Find TLS hash algorithm
1056 *
1057 * @v code Signature and hash algorithm identifier
1058 * @ret digest Digest algorithm, or NULL
1059 */
1060static struct digest_algorithm *
1061tls_signature_hash_digest ( struct tls_signature_hash_id code ) {
1062 struct tls_signature_hash_algorithm *sig_hash;
1063
1064 /* Identify signature and hash algorithm */
1065 for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
1066 if ( sig_hash->code.hash == code.hash )
1067 return sig_hash->digest;
1068 }
1069
1070 return NULL;
1071}
1072
1073/******************************************************************************
1074 *
1075 * Ephemeral Elliptic Curve Diffie-Hellman key exchange
1076 *
1077 ******************************************************************************
1078 */
1079
1080/** Number of supported named curves */
1081#define TLS_NUM_NAMED_CURVES table_num_entries ( TLS_NAMED_CURVES )
1082
1083/**
1084 * Identify named curve
1085 *
1086 * @v named_curve Named curve specification
1087 * @ret curve Named curve, or NULL
1088 */
1089static struct tls_named_curve *
1090tls_find_named_curve ( unsigned int named_curve ) {
1091 struct tls_named_curve *curve;
1092
1093 /* Identify named curve */
1094 for_each_table_entry ( curve, TLS_NAMED_CURVES ) {
1095 if ( curve->code == named_curve )
1096 return curve;
1097 }
1098
1099 return NULL;
1100}
1101
1102/******************************************************************************
1103 *
1104 * Record handling
1105 *
1106 ******************************************************************************
1107 */
1108
1109/**
1110 * Resume TX state machine
1111 *
1112 * @v tls TLS connection
1113 */
1114static void tls_tx_resume ( struct tls_connection *tls ) {
1115 process_add ( &tls->tx.process );
1116}
1117
1118/**
1119 * Resume TX state machine for all connections within a session
1120 *
1121 * @v session TLS session
1122 */
1123static void tls_tx_resume_all ( struct tls_session *session ) {
1124 struct tls_connection *tls;
1125
1126 list_for_each_entry ( tls, &session->conn, list )
1127 tls_tx_resume ( tls );
1128}
1129
1130/**
1131 * Restart negotiation
1132 *
1133 * @v tls TLS connection
1134 */
1135static void tls_restart ( struct tls_connection *tls ) {
1136
1137 /* Sanity check */
1138 assert ( ! tls->tx.pending );
1139 assert ( ! is_pending ( &tls->client.negotiation ) );
1140 assert ( ! is_pending ( &tls->server.negotiation ) );
1141 assert ( ! is_pending ( &tls->server.validation ) );
1142
1143 /* (Re)start negotiation */
1144 tls->tx.pending = TLS_TX_CLIENT_HELLO;
1145 tls_tx_resume ( tls );
1146 pending_get ( &tls->client.negotiation );
1147 pending_get ( &tls->server.negotiation );
1148}
1149
1150/**
1151 * Transmit Handshake record
1152 *
1153 * @v tls TLS connection
1154 * @v data Plaintext record
1155 * @v len Length of plaintext record
1156 * @ret rc Return status code
1157 */
1158static int tls_send_handshake ( struct tls_connection *tls,
1159 const void *data, size_t len ) {
1160
1161 /* Send record */
1162 return tls_send_plaintext ( tls, TLS_TYPE_HANDSHAKE, data, len );
1163}
1164
1165/**
1166 * Digest or transmit Client Hello record
1167 *
1168 * @v tls TLS connection
1169 * @v action Action to take on Client Hello record
1170 * @ret rc Return status code
1171 */
1172static int tls_client_hello ( struct tls_connection *tls,
1173 int ( * action ) ( struct tls_connection *tls,
1174 const void *data,
1175 size_t len ) ) {
1176 struct tls_session *session = tls->session;
1177 size_t name_len = strlen ( session->name );
1178 struct {
1179 uint16_t type;
1180 uint16_t len;
1181 struct {
1182 uint16_t len;
1183 struct {
1184 uint8_t type;
1185 uint16_t len;
1186 uint8_t name[name_len];
1187 } __attribute__ (( packed )) list[1];
1188 } __attribute__ (( packed )) data;
1189 } __attribute__ (( packed )) *server_name_ext;
1190 struct {
1191 uint16_t type;
1192 uint16_t len;
1193 struct {
1194 uint8_t max;
1195 } __attribute__ (( packed )) data;
1196 } __attribute__ (( packed )) *max_fragment_length_ext;
1197 struct {
1198 uint16_t type;
1199 uint16_t len;
1200 struct {
1201 uint16_t len;
1202 struct tls_signature_hash_id
1203 code[TLS_NUM_SIG_HASH_ALGORITHMS];
1204 } __attribute__ (( packed )) data;
1205 } __attribute__ (( packed )) *signature_algorithms_ext;
1206 struct {
1207 uint16_t type;
1208 uint16_t len;
1209 struct {
1210 uint8_t len;
1211 uint8_t data[ tls->secure_renegotiation ?
1212 sizeof ( tls->verify.client ) :0 ];
1213 } __attribute__ (( packed )) data;
1214 } __attribute__ (( packed )) *renegotiation_info_ext;
1215 struct {
1216 uint16_t type;
1217 uint16_t len;
1218 struct {
1219 uint8_t data[session->ticket_len];
1220 } __attribute__ (( packed )) data;
1221 } __attribute__ (( packed )) *session_ticket_ext;
1222 struct {
1223 uint16_t type;
1224 uint16_t len;
1225 struct {
1226 uint16_t len;
1227 uint16_t code[TLS_NUM_NAMED_CURVES];
1228 } __attribute__ (( packed )) data;
1229 } __attribute__ (( packed )) *named_curve_ext;
1230 struct {
1231 uint16_t type;
1232 uint16_t len;
1233 } __attribute__ (( packed )) *extended_master_secret_ext;
1234 struct {
1235 typeof ( *server_name_ext ) server_name;
1236 typeof ( *max_fragment_length_ext ) max_fragment_length;
1237 typeof ( *signature_algorithms_ext ) signature_algorithms;
1238 typeof ( *renegotiation_info_ext ) renegotiation_info;
1239 typeof ( *session_ticket_ext ) session_ticket;
1240 typeof ( *extended_master_secret_ext ) extended_master_secret;
1241 typeof ( *named_curve_ext )
1242 named_curve[TLS_NUM_NAMED_CURVES ? 1 : 0];
1243 } __attribute__ (( packed )) *extensions;
1244 struct {
1245 uint32_t type_length;
1246 uint16_t version;
1247 uint8_t random[32];
1248 uint8_t session_id_len;
1249 uint8_t session_id[tls->session_id_len];
1250 uint16_t cipher_suite_len;
1251 uint16_t cipher_suites[TLS_NUM_CIPHER_SUITES];
1252 uint8_t compression_methods_len;
1253 uint8_t compression_methods[1];
1254 uint16_t extensions_len;
1255 typeof ( *extensions ) extensions;
1256 } __attribute__ (( packed )) hello;
1257 struct tls_cipher_suite *suite;
1258 struct tls_signature_hash_algorithm *sighash;
1259 struct tls_named_curve *curve;
1260 unsigned int i;
1261
1262 /* Construct record */
1263 memset ( &hello, 0, sizeof ( hello ) );
1264 hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
1265 htonl ( sizeof ( hello ) -
1266 sizeof ( hello.type_length ) ) );
1267 hello.version = htons ( TLS_VERSION_MAX );
1268 memcpy ( &hello.random, &tls->client.random, sizeof ( hello.random ) );
1269 hello.session_id_len = tls->session_id_len;
1270 memcpy ( hello.session_id, tls->session_id,
1271 sizeof ( hello.session_id ) );
1272 hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
1273 i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
1274 hello.cipher_suites[i++] = suite->code;
1275 hello.compression_methods_len = sizeof ( hello.compression_methods );
1276 hello.extensions_len = htons ( sizeof ( hello.extensions ) );
1277 extensions = &hello.extensions;
1278
1279 /* Construct server name extension */
1280 server_name_ext = &extensions->server_name;
1281 server_name_ext->type = htons ( TLS_SERVER_NAME );
1282 server_name_ext->len = htons ( sizeof ( server_name_ext->data ) );
1283 server_name_ext->data.len
1284 = htons ( sizeof ( server_name_ext->data.list ) );
1285 server_name_ext->data.list[0].type = TLS_SERVER_NAME_HOST_NAME;
1286 server_name_ext->data.list[0].len
1287 = htons ( sizeof ( server_name_ext->data.list[0].name ) );
1288 memcpy ( server_name_ext->data.list[0].name, session->name,
1289 sizeof ( server_name_ext->data.list[0].name ) );
1290
1291 /* Construct maximum fragment length extension */
1292 max_fragment_length_ext = &extensions->max_fragment_length;
1293 max_fragment_length_ext->type = htons ( TLS_MAX_FRAGMENT_LENGTH );
1294 max_fragment_length_ext->len
1295 = htons ( sizeof ( max_fragment_length_ext->data ) );
1296 max_fragment_length_ext->data.max = TLS_MAX_FRAGMENT_LENGTH_VALUE;
1297
1298 /* Construct supported signature algorithms extension */
1299 signature_algorithms_ext = &extensions->signature_algorithms;
1300 signature_algorithms_ext->type = htons ( TLS_SIGNATURE_ALGORITHMS );
1301 signature_algorithms_ext->len
1302 = htons ( sizeof ( signature_algorithms_ext->data ) );
1303 signature_algorithms_ext->data.len
1304 = htons ( sizeof ( signature_algorithms_ext->data.code ) );
1305 i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
1306 signature_algorithms_ext->data.code[i++] = sighash->code;
1307
1308 /* Construct renegotiation information extension */
1309 renegotiation_info_ext = &extensions->renegotiation_info;
1310 renegotiation_info_ext->type = htons ( TLS_RENEGOTIATION_INFO );
1311 renegotiation_info_ext->len
1312 = htons ( sizeof ( renegotiation_info_ext->data ) );
1313 renegotiation_info_ext->data.len
1314 = sizeof ( renegotiation_info_ext->data.data );
1315 memcpy ( renegotiation_info_ext->data.data, tls->verify.client,
1316 sizeof ( renegotiation_info_ext->data.data ) );
1317
1318 /* Construct session ticket extension */
1319 session_ticket_ext = &extensions->session_ticket;
1320 session_ticket_ext->type = htons ( TLS_SESSION_TICKET );
1321 session_ticket_ext->len
1322 = htons ( sizeof ( session_ticket_ext->data ) );
1323 memcpy ( session_ticket_ext->data.data, session->ticket,
1324 sizeof ( session_ticket_ext->data.data ) );
1325
1326 /* Construct extended master secret extension */
1327 extended_master_secret_ext = &extensions->extended_master_secret;
1328 extended_master_secret_ext->type
1329 = htons ( TLS_EXTENDED_MASTER_SECRET );
1330 extended_master_secret_ext->len = 0;
1331
1332 /* Construct named curves extension, if applicable */
1333 if ( sizeof ( extensions->named_curve ) ) {
1334 named_curve_ext = &extensions->named_curve[0];
1335 named_curve_ext->type = htons ( TLS_NAMED_CURVE );
1336 named_curve_ext->len
1337 = htons ( sizeof ( named_curve_ext->data ) );
1338 named_curve_ext->data.len
1339 = htons ( sizeof ( named_curve_ext->data.code ) );
1340 i = 0 ; for_each_table_entry ( curve, TLS_NAMED_CURVES )
1341 named_curve_ext->data.code[i++] = curve->code;
1342 }
1343
1344 return action ( tls, &hello, sizeof ( hello ) );
1345}
1346
1347/**
1348 * Transmit Client Hello record
1349 *
1350 * @v tls TLS connection
1351 * @ret rc Return status code
1352 */
1353static int tls_send_client_hello ( struct tls_connection *tls ) {
1354
1355 return tls_client_hello ( tls, tls_send_handshake );
1356}
1357
1358/**
1359 * Transmit Certificate record
1360 *
1361 * @v tls TLS connection
1362 * @ret rc Return status code
1363 */
1364static int tls_send_certificate ( struct tls_connection *tls ) {
1365 struct {
1366 tls24_t length;
1367 uint8_t data[0];
1368 } __attribute__ (( packed )) *certificate;
1369 struct {
1370 uint32_t type_length;
1371 tls24_t length;
1372 typeof ( *certificate ) certificates[0];
1373 } __attribute__ (( packed )) *certificates;
1374 struct x509_link *link;
1375 struct x509_certificate *cert;
1376 struct io_buffer *iobuf;
1377 size_t len;
1378
1379 /* Calculate length of client certificates */
1380 len = 0;
1381 list_for_each_entry ( link, &tls->client.chain->links, list ) {
1382 cert = link->cert;
1383 len += ( sizeof ( *certificate ) + cert->raw.len );
1384 DBGC ( tls, "TLS %p sending client certificate %s\n",
1385 tls, x509_name ( cert ) );
1386 }
1387
1388 /* Allocate storage for Certificate record (which may be too
1389 * large for the stack).
1390 */
1391 iobuf = tls_alloc_iob ( tls, ( sizeof ( *certificates ) + len ) );
1392 if ( ! iobuf )
1393 return -ENOMEM_CERTIFICATE;
1394
1395 /* Populate record */
1396 certificates = iob_put ( iobuf, sizeof ( *certificates ) );
1397 certificates->type_length =
1398 ( cpu_to_le32 ( TLS_CERTIFICATE ) |
1399 htonl ( sizeof ( *certificates ) + len -
1400 sizeof ( certificates->type_length ) ) );
1401 tls_set_uint24 ( &certificates->length, len );
1402 list_for_each_entry ( link, &tls->client.chain->links, list ) {
1403 cert = link->cert;
1404 certificate = iob_put ( iobuf, sizeof ( *certificate ) );
1405 tls_set_uint24 ( &certificate->length, cert->raw.len );
1406 memcpy ( iob_put ( iobuf, cert->raw.len ), cert->raw.data,
1407 cert->raw.len );
1408 }
1409
1410 /* Transmit record */
1411 return tls_send_record ( tls, TLS_TYPE_HANDSHAKE,
1412 iob_disown ( iobuf ) );
1413}
1414
1415/**
1416 * Transmit Client Key Exchange record using public key exchange
1417 *
1418 * @v tls TLS connection
1419 * @ret rc Return status code
1420 */
1421static int tls_send_client_key_exchange_pubkey ( struct tls_connection *tls ) {
1422 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1423 struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
1424 struct {
1425 uint16_t version;
1426 uint8_t random[46];
1427 } __attribute__ (( packed )) pre_master_secret;
1428 struct asn1_cursor cursor = {
1429 .data = &pre_master_secret,
1430 .len = sizeof ( pre_master_secret ),
1431 };
1432 struct asn1_builder builder = { NULL, 0 };
1433 int rc;
1434
1435 /* Generate pre-master secret */
1436 pre_master_secret.version = htons ( TLS_VERSION_MAX );
1437 if ( ( rc = tls_generate_random ( tls, &pre_master_secret.random,
1438 ( sizeof ( pre_master_secret.random ) ) ) ) != 0 ) {
1439 goto err_random;
1440 }
1441
1442 /* Encrypt pre-master secret using server's public key */
1443 if ( ( rc = pubkey_encrypt ( pubkey, &tls->server.key, &cursor,
1444 &builder ) ) != 0 ) {
1445 DBGC ( tls, "TLS %p could not encrypt pre-master secret: %s\n",
1446 tls, strerror ( rc ) );
1447 goto err_encrypt;
1448 }
1449
1450 /* Construct Client Key Exchange record */
1451 {
1452 struct {
1453 uint32_t type_length;
1454 uint16_t encrypted_pre_master_secret_len;
1455 } __attribute__ (( packed )) header;
1456
1457 header.type_length =
1458 ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1459 htonl ( builder.len + sizeof ( header ) -
1460 sizeof ( header.type_length ) ) );
1461 header.encrypted_pre_master_secret_len = htons ( builder.len );
1462
1463 if ( ( rc = asn1_prepend_raw ( &builder, &header,
1464 sizeof ( header ) ) ) != 0 ) {
1465 DBGC ( tls, "TLS %p could not construct Client Key "
1466 "Exchange: %s\n", tls, strerror ( rc ) );
1467 goto err_prepend;
1468 }
1469 }
1470
1471 /* Transmit Client Key Exchange record */
1472 if ( ( rc = tls_send_handshake ( tls, builder.data,
1473 builder.len ) ) != 0 ) {
1474 goto err_send;
1475 }
1476
1477 /* Generate master secret */
1478 tls_generate_master_secret ( tls, &pre_master_secret,
1479 sizeof ( pre_master_secret ) );
1480
1481 err_random:
1482 err_encrypt:
1483 err_prepend:
1484 err_send:
1485 free ( builder.data );
1486 return rc;
1487}
1488
1489/** Public key exchange algorithm */
1494
1495/**
1496 * Verify Diffie-Hellman parameter signature
1497 *
1498 * @v tls TLS connection
1499 * @v param_len Diffie-Hellman parameter length
1500 * @ret rc Return status code
1501 */
1502static int tls_verify_dh_params ( struct tls_connection *tls,
1503 size_t param_len ) {
1504 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1505 struct pubkey_algorithm *pubkey;
1506 struct digest_algorithm *digest;
1507 int use_sig_hash = tls_version ( tls, TLS_VERSION_TLS_1_2 );
1508 const struct {
1509 struct tls_signature_hash_id sig_hash[use_sig_hash];
1510 uint16_t signature_len;
1511 uint8_t signature[0];
1512 } __attribute__ (( packed )) *sig;
1513 struct asn1_cursor signature;
1514 const void *data;
1515 size_t remaining;
1516 int rc;
1517
1518 /* Signature follows parameters */
1519 assert ( param_len <= tls->server.exchange_len );
1520 data = ( tls->server.exchange + param_len );
1521 remaining = ( tls->server.exchange_len - param_len );
1522
1523 /* Parse signature from ServerKeyExchange */
1524 sig = data;
1525 if ( ( sizeof ( *sig ) > remaining ) ||
1526 ( ntohs ( sig->signature_len ) > ( remaining -
1527 sizeof ( *sig ) ) ) ) {
1528 DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1529 tls );
1530 DBGC_HDA ( tls, 0, tls->server.exchange,
1531 tls->server.exchange_len );
1532 return -EINVAL_KEY_EXCHANGE;
1533 }
1534 signature.data = sig->signature;
1535 signature.len = ntohs ( sig->signature_len );
1536
1537 /* Identify signature and hash algorithm */
1538 if ( use_sig_hash ) {
1539 pubkey = tls_signature_hash_pubkey ( sig->sig_hash[0] );
1540 digest = tls_signature_hash_digest ( sig->sig_hash[0] );
1541 if ( ( ! pubkey ) || ( ! digest ) ) {
1542 DBGC ( tls, "TLS %p ServerKeyExchange unsupported "
1543 "signature and hash algorithm\n", tls );
1544 return -ENOTSUP_SIG_HASH;
1545 }
1546 if ( pubkey != cipherspec->suite->pubkey ) {
1547 DBGC ( tls, "TLS %p ServerKeyExchange incorrect "
1548 "signature algorithm %s (expected %s)\n", tls,
1549 pubkey->name, cipherspec->suite->pubkey->name );
1550 return -EPERM_KEY_EXCHANGE;
1551 }
1552 } else {
1553 pubkey = cipherspec->suite->pubkey;
1554 digest = &md5_sha1_algorithm;
1555 }
1556
1557 /* Verify signature */
1558 {
1559 uint8_t ctx[digest->ctxsize];
1560 uint8_t hash[digest->digestsize];
1561
1562 /* Calculate digest */
1563 digest_init ( digest, ctx );
1564 digest_update ( digest, ctx, &tls->client.random,
1565 sizeof ( tls->client.random ) );
1566 digest_update ( digest, ctx, tls->server.random,
1567 sizeof ( tls->server.random ) );
1568 digest_update ( digest, ctx, tls->server.exchange, param_len );
1569 digest_final ( digest, ctx, hash );
1570
1571 /* Verify signature */
1572 if ( ( rc = pubkey_verify ( pubkey, &tls->server.key, digest,
1573 hash, &signature ) ) != 0 ) {
1574 DBGC ( tls, "TLS %p ServerKeyExchange failed "
1575 "verification\n", tls );
1576 DBGC_HDA ( tls, 0, tls->server.exchange,
1577 tls->server.exchange_len );
1578 return -EPERM_KEY_EXCHANGE;
1579 }
1580 }
1581
1582 return 0;
1583}
1584
1585/**
1586 * Transmit Client Key Exchange record using DHE key exchange
1587 *
1588 * @v tls TLS connection
1589 * @ret rc Return status code
1590 */
1591static int tls_send_client_key_exchange_dhe ( struct tls_connection *tls ) {
1592 uint8_t private[ sizeof ( tls->client.random.random ) ];
1593 const struct {
1594 uint16_t len;
1595 uint8_t data[0];
1596 } __attribute__ (( packed )) *dh_val[3];
1597 const void *data;
1598 size_t remaining;
1599 size_t frag_len;
1600 size_t param_len;
1601 unsigned int i;
1602 int rc;
1603
1604 /* Parse ServerKeyExchange */
1605 data = tls->server.exchange;
1606 remaining = tls->server.exchange_len;
1607 for ( i = 0 ; i < ( sizeof ( dh_val ) / sizeof ( dh_val[0] ) ) ; i++ ){
1608 dh_val[i] = data;
1609 if ( ( sizeof ( *dh_val[i] ) > remaining ) ||
1610 ( ntohs ( dh_val[i]->len ) > ( remaining -
1611 sizeof ( *dh_val[i] ) ) )){
1612 DBGC ( tls, "TLS %p received underlength "
1613 "ServerKeyExchange\n", tls );
1614 DBGC_HDA ( tls, 0, tls->server.exchange,
1615 tls->server.exchange_len );
1616 rc = -EINVAL_KEY_EXCHANGE;
1617 goto err_header;
1618 }
1619 frag_len = ( sizeof ( *dh_val[i] ) + ntohs ( dh_val[i]->len ));
1620 data += frag_len;
1621 remaining -= frag_len;
1622 }
1623 param_len = ( tls->server.exchange_len - remaining );
1624
1625 /* Verify parameter signature */
1626 if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
1627 goto err_verify;
1628
1629 /* Generate Diffie-Hellman private key */
1630 if ( ( rc = tls_generate_random ( tls, private,
1631 sizeof ( private ) ) ) != 0 ) {
1632 goto err_random;
1633 }
1634
1635 /* Construct pre-master secret and ClientKeyExchange record */
1636 {
1637 typeof ( dh_val[0] ) dh_p = dh_val[0];
1638 typeof ( dh_val[1] ) dh_g = dh_val[1];
1639 typeof ( dh_val[2] ) dh_ys = dh_val[2];
1640 size_t len = ntohs ( dh_p->len );
1641 struct {
1642 uint32_t type_length;
1643 uint16_t dh_xs_len;
1644 uint8_t dh_xs[len];
1645 } __attribute__ (( packed )) *key_xchg;
1646 struct {
1647 uint8_t pre_master_secret[len];
1648 typeof ( *key_xchg ) key_xchg;
1649 } *dynamic;
1650 uint8_t *pre_master_secret;
1651
1652 /* Allocate space */
1653 dynamic = malloc ( sizeof ( *dynamic ) );
1654 if ( ! dynamic ) {
1655 rc = -ENOMEM;
1656 goto err_alloc;
1657 }
1658 pre_master_secret = dynamic->pre_master_secret;
1659 key_xchg = &dynamic->key_xchg;
1660 key_xchg->type_length =
1661 ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1662 htonl ( sizeof ( *key_xchg ) -
1663 sizeof ( key_xchg->type_length ) ) );
1664 key_xchg->dh_xs_len = htons ( len );
1665
1666 /* Calculate pre-master secret and client public value */
1667 if ( ( rc = dhe_key ( dh_p->data, len,
1668 dh_g->data, ntohs ( dh_g->len ),
1669 dh_ys->data, ntohs ( dh_ys->len ),
1670 private, sizeof ( private ),
1671 key_xchg->dh_xs,
1672 pre_master_secret ) ) != 0 ) {
1673 DBGC ( tls, "TLS %p could not calculate DHE key: %s\n",
1674 tls, strerror ( rc ) );
1675 goto err_dhe_key;
1676 }
1677
1678 /* Strip leading zeroes from pre-master secret */
1679 while ( len && ( ! *pre_master_secret ) ) {
1680 pre_master_secret++;
1681 len--;
1682 }
1683
1684 /* Transmit Client Key Exchange record */
1685 if ( ( rc = tls_send_handshake ( tls, key_xchg,
1686 sizeof ( *key_xchg ) ) ) !=0){
1687 goto err_send_handshake;
1688 }
1689
1690 /* Generate master secret */
1691 tls_generate_master_secret ( tls, pre_master_secret, len );
1692
1693 err_send_handshake:
1694 err_dhe_key:
1695 free ( dynamic );
1696 }
1697 err_alloc:
1698 err_random:
1699 err_verify:
1700 err_header:
1701 return rc;
1702}
1703
1704/** Ephemeral Diffie-Hellman key exchange algorithm */
1709
1710/**
1711 * Transmit Client Key Exchange record using ECDHE key exchange
1712 *
1713 * @v tls TLS connection
1714 * @ret rc Return status code
1715 */
1716static int tls_send_client_key_exchange_ecdhe ( struct tls_connection *tls ) {
1717 struct tls_named_curve *curve;
1718 const struct {
1719 uint8_t curve_type;
1720 uint16_t named_curve;
1721 uint8_t public_len;
1722 uint8_t public[0];
1723 } __attribute__ (( packed )) *ecdh;
1724 size_t param_len;
1725 size_t pointsize;
1726 size_t keysize;
1727 size_t offset;
1728 int rc;
1729
1730 /* Parse ServerKeyExchange record */
1731 ecdh = tls->server.exchange;
1732 if ( ( sizeof ( *ecdh ) > tls->server.exchange_len ) ||
1733 ( ecdh->public_len > ( tls->server.exchange_len -
1734 sizeof ( *ecdh ) ) ) ) {
1735 DBGC ( tls, "TLS %p received underlength ServerKeyExchange\n",
1736 tls );
1737 DBGC_HDA ( tls, 0, tls->server.exchange,
1738 tls->server.exchange_len );
1739 return -EINVAL_KEY_EXCHANGE;
1740 }
1741 param_len = ( sizeof ( *ecdh ) + ecdh->public_len );
1742
1743 /* Verify parameter signature */
1744 if ( ( rc = tls_verify_dh_params ( tls, param_len ) ) != 0 )
1745 return rc;
1746
1747 /* Identify named curve */
1748 if ( ecdh->curve_type != TLS_NAMED_CURVE_TYPE ) {
1749 DBGC ( tls, "TLS %p unsupported curve type %d\n",
1750 tls, ecdh->curve_type );
1751 DBGC_HDA ( tls, 0, tls->server.exchange,
1752 tls->server.exchange_len );
1753 return -ENOTSUP_CURVE;
1754 }
1755 curve = tls_find_named_curve ( ecdh->named_curve );
1756 if ( ! curve ) {
1757 DBGC ( tls, "TLS %p unsupported named curve %d\n",
1758 tls, ntohs ( ecdh->named_curve ) );
1759 DBGC_HDA ( tls, 0, tls->server.exchange,
1760 tls->server.exchange_len );
1761 return -ENOTSUP_CURVE;
1762 }
1763 DBGC ( tls, "TLS %p using named curve %s\n", tls, curve->curve->name );
1764 pointsize = curve->curve->pointsize;
1765 keysize = curve->curve->keysize;
1766 offset = ( curve->format ? 1 : 0 );
1767
1768 /* Check key length */
1769 if ( ecdh->public_len != ( offset + pointsize ) ) {
1770 DBGC ( tls, "TLS %p invalid %s key\n",
1771 tls, curve->curve->name );
1772 DBGC_HDA ( tls, 0, tls->server.exchange,
1773 tls->server.exchange_len );
1774 return -EINVAL_KEY_EXCHANGE;
1775 }
1776
1777 /* Check curve point format byte (if present) */
1778 if ( curve->format && ( ecdh->public[0] != curve->format ) ) {
1779 DBGC ( tls, "TLS %p invalid %s curve point format\n",
1780 tls, curve->curve->name );
1781 DBGC_HDA ( tls, 0, tls->server.exchange,
1782 tls->server.exchange_len );
1783 return -EINVAL_KEY_EXCHANGE;
1784 }
1785
1786 /* Construct pre-master secret and ClientKeyExchange record */
1787 {
1788 uint8_t private[keysize];
1789 uint8_t pre_master_secret[pointsize];
1790 struct {
1791 uint32_t type_length;
1792 uint8_t public_len;
1793 uint8_t public[ecdh->public_len];
1794 } __attribute__ (( packed )) key_xchg;
1795
1796 /* Generate ephemeral private key */
1797 if ( ( rc = tls_generate_random ( tls, private,
1798 sizeof ( private ) ) ) != 0){
1799 return rc;
1800 }
1801
1802 /* Exchange keys */
1803 if ( ( rc = ecdhe_key ( curve->curve, ( ecdh->public + offset ),
1804 private, ( key_xchg.public + offset ),
1805 pre_master_secret ) ) != 0 ) {
1806 DBGC ( tls, "TLS %p could not exchange ECDHE key: %s\n",
1807 tls, strerror ( rc ) );
1808 return rc;
1809 }
1810
1811 /* Generate Client Key Exchange record */
1812 key_xchg.type_length =
1813 ( cpu_to_le32 ( TLS_CLIENT_KEY_EXCHANGE ) |
1814 htonl ( sizeof ( key_xchg ) -
1815 sizeof ( key_xchg.type_length ) ) );
1816 key_xchg.public_len = sizeof ( key_xchg.public );
1817 if ( curve->format )
1818 key_xchg.public[0] = curve->format;
1819
1820 /* Transmit Client Key Exchange record */
1821 if ( ( rc = tls_send_handshake ( tls, &key_xchg,
1822 sizeof ( key_xchg ) ) ) !=0){
1823 return rc;
1824 }
1825
1826 /* Generate master secret */
1827 tls_generate_master_secret ( tls, pre_master_secret,
1828 curve->pre_master_secret_len );
1829 }
1830
1831 return 0;
1832}
1833
1834/** Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm */
1839
1840/**
1841 * Transmit Client Key Exchange record
1842 *
1843 * @v tls TLS connection
1844 * @ret rc Return status code
1845 */
1846static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
1847 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.pending;
1848 struct tls_cipher_suite *suite = cipherspec->suite;
1849 int rc;
1850
1851 /* Transmit Client Key Exchange record via key exchange algorithm */
1852 if ( ( rc = suite->exchange->exchange ( tls ) ) != 0 ) {
1853 DBGC ( tls, "TLS %p could not exchange keys: %s\n",
1854 tls, strerror ( rc ) );
1855 return rc;
1856 }
1857
1858 /* Generate keys from master secret */
1859 if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
1860 DBGC ( tls, "TLS %p could not generate keys: %s\n",
1861 tls, strerror ( rc ) );
1862 return rc;
1863 }
1864
1865 return 0;
1866}
1867
1868/**
1869 * Transmit Certificate Verify record
1870 *
1871 * @v tls TLS connection
1872 * @ret rc Return status code
1873 */
1874static int tls_send_certificate_verify ( struct tls_connection *tls ) {
1875 struct digest_algorithm *digest = tls->handshake_digest;
1876 struct x509_certificate *cert = x509_first ( tls->client.chain );
1877 struct pubkey_algorithm *pubkey = cert->signature_algorithm->pubkey;
1878 struct asn1_cursor *key = privkey_cursor ( tls->client.key );
1879 uint8_t digest_out[ digest->digestsize ];
1880 struct tls_signature_hash_algorithm *sig_hash = NULL;
1881 struct asn1_builder builder = { NULL, 0 };
1882 int rc;
1883
1884 /* Generate digest to be signed */
1885 tls_verify_handshake ( tls, digest_out );
1886
1887 /* TLSv1.2 and later use explicit algorithm identifiers */
1888 if ( tls_version ( tls, TLS_VERSION_TLS_1_2 ) ) {
1889 sig_hash = tls_signature_hash_algorithm ( pubkey, digest );
1890 if ( ! sig_hash ) {
1891 DBGC ( tls, "TLS %p could not identify (%s,%s) "
1892 "signature and hash algorithm\n", tls,
1893 pubkey->name, digest->name );
1894 rc = -ENOTSUP_SIG_HASH;
1895 goto err_sig_hash;
1896 }
1897 }
1898
1899 /* Sign digest */
1900 if ( ( rc = pubkey_sign ( pubkey, key, digest, digest_out,
1901 &builder ) ) != 0 ) {
1902 DBGC ( tls, "TLS %p could not sign %s digest using %s client "
1903 "private key: %s\n", tls, digest->name, pubkey->name,
1904 strerror ( rc ) );
1905 goto err_pubkey_sign;
1906 }
1907
1908 /* Construct Certificate Verify record */
1909 {
1910 int use_sig_hash = ( ( sig_hash == NULL ) ? 0 : 1 );
1911 struct {
1912 uint32_t type_length;
1913 struct tls_signature_hash_id sig_hash[use_sig_hash];
1914 uint16_t signature_len;
1915 } __attribute__ (( packed )) header;
1916
1917 header.type_length = ( cpu_to_le32 ( TLS_CERTIFICATE_VERIFY ) |
1918 htonl ( builder.len +
1919 sizeof ( header ) -
1920 sizeof ( header.type_length )));
1921 if ( use_sig_hash ) {
1922 memcpy ( &header.sig_hash[0], &sig_hash->code,
1923 sizeof ( header.sig_hash[0] ) );
1924 }
1925 header.signature_len = htons ( builder.len );
1926
1927 if ( ( rc = asn1_prepend_raw ( &builder, &header,
1928 sizeof ( header ) ) ) != 0 ) {
1929 DBGC ( tls, "TLS %p could not construct Certificate "
1930 "Verify: %s\n", tls, strerror ( rc ) );
1931 goto err_prepend;
1932 }
1933 }
1934
1935 /* Transmit record */
1936 if ( ( rc = tls_send_handshake ( tls, builder.data,
1937 builder.len ) ) != 0 ) {
1938 goto err_send;
1939 }
1940
1941 err_send:
1942 err_prepend:
1943 err_pubkey_sign:
1944 err_sig_hash:
1945 free ( builder.data );
1946 return rc;
1947}
1948
1949/**
1950 * Transmit Change Cipher record
1951 *
1952 * @v tls TLS connection
1953 * @ret rc Return status code
1954 */
1955static int tls_send_change_cipher ( struct tls_connection *tls ) {
1956 static const struct {
1957 uint8_t spec;
1958 } __attribute__ (( packed )) change_cipher = {
1959 .spec = TLS_CHANGE_CIPHER_SPEC,
1960 };
1961
1962 return tls_send_plaintext ( tls, TLS_TYPE_CHANGE_CIPHER,
1963 &change_cipher, sizeof ( change_cipher ) );
1964}
1965
1966/**
1967 * Transmit Finished record
1968 *
1969 * @v tls TLS connection
1970 * @ret rc Return status code
1971 */
1972static int tls_send_finished ( struct tls_connection *tls ) {
1973 struct digest_algorithm *digest = tls->handshake_digest;
1974 struct {
1975 uint32_t type_length;
1976 uint8_t verify_data[ sizeof ( tls->verify.client ) ];
1977 } __attribute__ (( packed )) finished;
1978 uint8_t digest_out[ digest->digestsize ];
1979 int rc;
1980
1981 /* Construct client verification data */
1982 tls_verify_handshake ( tls, digest_out );
1983 tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
1984 tls->verify.client, sizeof ( tls->verify.client ),
1985 "client finished", digest_out, sizeof ( digest_out ) );
1986
1987 /* Construct record */
1988 memset ( &finished, 0, sizeof ( finished ) );
1989 finished.type_length = ( cpu_to_le32 ( TLS_FINISHED ) |
1990 htonl ( sizeof ( finished ) -
1991 sizeof ( finished.type_length ) ) );
1992 memcpy ( finished.verify_data, tls->verify.client,
1993 sizeof ( finished.verify_data ) );
1994
1995 /* Transmit record */
1996 if ( ( rc = tls_send_handshake ( tls, &finished,
1997 sizeof ( finished ) ) ) != 0 )
1998 return rc;
1999
2000 /* Mark client as finished */
2001 pending_put ( &tls->client.negotiation );
2002
2003 return 0;
2004}
2005
2006/**
2007 * Transmit Alert record
2008 *
2009 * @v tls TLS connection
2010 * @v level Alert level
2011 * @v description Alert description
2012 * @ret rc Return status code
2013 */
2014static int tls_send_alert ( struct tls_connection *tls, unsigned int level,
2015 unsigned int description ) {
2016 const struct {
2017 uint8_t level;
2018 uint8_t description;
2019 } __attribute__ (( packed )) alert = {
2020 .level = level,
2021 .description = description,
2022 };
2023
2024 /* Send record */
2025 return tls_send_plaintext ( tls, TLS_TYPE_ALERT, &alert,
2026 sizeof ( alert ) );
2027}
2028
2029/**
2030 * Receive new Change Cipher record
2031 *
2032 * @v tls TLS connection
2033 * @v iobuf I/O buffer
2034 * @ret rc Return status code
2035 */
2036static int tls_new_change_cipher ( struct tls_connection *tls,
2037 struct io_buffer *iobuf ) {
2038 const struct {
2039 uint8_t spec;
2040 } __attribute__ (( packed )) *change_cipher = iobuf->data;
2041 size_t len = iob_len ( iobuf );
2042 int rc;
2043
2044 /* Sanity check */
2045 if ( ( sizeof ( *change_cipher ) != len ) ||
2046 ( change_cipher->spec != TLS_CHANGE_CIPHER_SPEC ) ) {
2047 DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
2048 DBGC_HD ( tls, change_cipher, len );
2049 return -EINVAL_CHANGE_CIPHER;
2050 }
2051 iob_pull ( iobuf, sizeof ( *change_cipher ) );
2052
2053 /* Change receive cipher spec */
2054 if ( ( rc = tls_change_cipher ( tls, &tls->rx.cipherspec ) ) != 0 ) {
2055 DBGC ( tls, "TLS %p could not activate RX cipher: %s\n",
2056 tls, strerror ( rc ) );
2057 return rc;
2058 }
2059 tls->rx.seq = ~( ( uint64_t ) 0 );
2060
2061 return 0;
2062}
2063
2064/**
2065 * Receive new Alert record
2066 *
2067 * @v tls TLS connection
2068 * @v iobuf I/O buffer
2069 * @ret rc Return status code
2070 */
2071static int tls_new_alert ( struct tls_connection *tls,
2072 struct io_buffer *iobuf ) {
2073 const struct {
2074 uint8_t level;
2075 uint8_t description;
2076 char next[0];
2077 } __attribute__ (( packed )) *alert = iobuf->data;
2078 size_t len = iob_len ( iobuf );
2079
2080 /* Sanity check */
2081 if ( sizeof ( *alert ) != len ) {
2082 DBGC ( tls, "TLS %p received overlength Alert\n", tls );
2083 DBGC_HD ( tls, alert, len );
2084 return -EINVAL_ALERT;
2085 }
2086 iob_pull ( iobuf, sizeof ( *alert ) );
2087
2088 /* Handle alert */
2089 switch ( alert->level ) {
2090 case TLS_ALERT_WARNING:
2091 switch ( alert->description ) {
2092 case TLS_ALERT_CLOSE_NOTIFY:
2093 DBGC ( tls, "TLS %p closed by notification\n", tls );
2094 tls_close ( tls, 0 );
2095 break;
2096 default:
2097 DBGC ( tls, "TLS %p received warning alert %d\n",
2098 tls, alert->description );
2099 break;
2100 }
2101 return 0;
2102 case TLS_ALERT_FATAL:
2103 DBGC ( tls, "TLS %p received fatal alert %d\n",
2104 tls, alert->description );
2105 return -EPERM_ALERT;
2106 default:
2107 DBGC ( tls, "TLS %p received unknown alert level %d"
2108 "(alert %d)\n", tls, alert->level, alert->description );
2109 return -EIO_ALERT;
2110 }
2111}
2112
2113/**
2114 * Receive new Hello Request handshake record
2115 *
2116 * @v tls TLS connection
2117 * @v data Plaintext handshake record
2118 * @v len Length of plaintext handshake record
2119 * @ret rc Return status code
2120 */
2121static int tls_new_hello_request ( struct tls_connection *tls,
2122 const void *data __unused,
2123 size_t len __unused ) {
2124
2125 /* Ignore if a handshake is in progress */
2126 if ( ! tls_ready ( tls ) ) {
2127 DBGC ( tls, "TLS %p ignoring Hello Request\n", tls );
2128 return 0;
2129 }
2130
2131 /* Fail unless server supports secure renegotiation */
2132 if ( ! ( tls->secure_renegotiation && tls->extended_master_secret ) ) {
2133 DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
2134 tls );
2135 return -EPERM_RENEG_INSECURE;
2136 }
2137
2138 /* Restart negotiation */
2139 tls_restart ( tls );
2140
2141 return 0;
2142}
2143
2144/**
2145 * Receive new Server Hello handshake record
2146 *
2147 * @v tls TLS connection
2148 * @v data Plaintext handshake record
2149 * @v len Length of plaintext handshake record
2150 * @ret rc Return status code
2151 */
2152static int tls_new_server_hello ( struct tls_connection *tls,
2153 const void *data, size_t len ) {
2154 const struct {
2155 uint16_t version;
2156 uint8_t random[32];
2157 uint8_t session_id_len;
2158 uint8_t session_id[0];
2159 } __attribute__ (( packed )) *hello_a = data;
2160 const uint8_t *session_id;
2161 const struct {
2162 uint16_t cipher_suite;
2163 uint8_t compression_method;
2164 char next[0];
2165 } __attribute__ (( packed )) *hello_b;
2166 const struct {
2167 uint16_t len;
2168 uint8_t data[0];
2169 } __attribute__ (( packed )) *exts;
2170 const struct {
2171 uint16_t type;
2172 uint16_t len;
2173 uint8_t data[0];
2174 } __attribute__ (( packed )) *ext;
2175 const struct {
2176 uint8_t len;
2177 uint8_t data[0];
2178 } __attribute__ (( packed )) *reneg = NULL;
2179 const struct {
2180 uint8_t data[0];
2181 } __attribute__ (( packed )) *ems = NULL;
2182 uint16_t version;
2183 size_t exts_len;
2184 size_t ext_len;
2185 size_t remaining;
2186 int rc;
2187
2188 /* Parse header */
2189 if ( ( sizeof ( *hello_a ) > len ) ||
2190 ( hello_a->session_id_len > ( len - sizeof ( *hello_a ) ) ) ||
2191 ( sizeof ( *hello_b ) > ( len - sizeof ( *hello_a ) -
2192 hello_a->session_id_len ) ) ) {
2193 DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
2194 DBGC_HD ( tls, data, len );
2195 return -EINVAL_HELLO;
2196 }
2197 session_id = hello_a->session_id;
2198 hello_b = ( ( void * ) ( session_id + hello_a->session_id_len ) );
2199
2200 /* Parse extensions, if present */
2201 remaining = ( len - sizeof ( *hello_a ) - hello_a->session_id_len -
2202 sizeof ( *hello_b ) );
2203 if ( remaining ) {
2204
2205 /* Parse extensions length */
2206 exts = ( ( void * ) hello_b->next );
2207 if ( ( sizeof ( *exts ) > remaining ) ||
2208 ( ( exts_len = ntohs ( exts->len ) ) >
2209 ( remaining - sizeof ( *exts ) ) ) ) {
2210 DBGC ( tls, "TLS %p received underlength extensions\n",
2211 tls );
2212 DBGC_HD ( tls, data, len );
2213 return -EINVAL_HELLO;
2214 }
2215
2216 /* Parse extensions */
2217 for ( ext = ( ( void * ) exts->data ), remaining = exts_len ;
2218 remaining ;
2219 ext = ( ( ( void * ) ext ) + sizeof ( *ext ) + ext_len ),
2220 remaining -= ( sizeof ( *ext ) + ext_len ) ) {
2221
2222 /* Parse extension length */
2223 if ( ( sizeof ( *ext ) > remaining ) ||
2224 ( ( ext_len = ntohs ( ext->len ) ) >
2225 ( remaining - sizeof ( *ext ) ) ) ) {
2226 DBGC ( tls, "TLS %p received underlength "
2227 "extension\n", tls );
2228 DBGC_HD ( tls, data, len );
2229 return -EINVAL_HELLO;
2230 }
2231
2232 /* Record known extensions */
2233 switch ( ext->type ) {
2234 case htons ( TLS_RENEGOTIATION_INFO ) :
2235 reneg = ( ( void * ) ext->data );
2236 if ( ( sizeof ( *reneg ) > ext_len ) ||
2237 ( reneg->len >
2238 ( ext_len - sizeof ( *reneg ) ) ) ) {
2239 DBGC ( tls, "TLS %p received "
2240 "underlength renegotiation "
2241 "info\n", tls );
2242 DBGC_HD ( tls, data, len );
2243 return -EINVAL_HELLO;
2244 }
2245 break;
2246 case htons ( TLS_EXTENDED_MASTER_SECRET ) :
2247 ems = ( ( void * ) ext->data );
2248 break;
2249 }
2250 }
2251 }
2252
2253 /* Check and store protocol version */
2254 version = ntohs ( hello_a->version );
2255 if ( version < TLS_VERSION_MIN ) {
2256 DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
2257 tls, ( version >> 8 ), ( version & 0xff ) );
2258 return -ENOTSUP_VERSION;
2259 }
2260 if ( version > tls->version ) {
2261 DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
2262 "protocol version %d.%d\n",
2263 tls, ( version >> 8 ), ( version & 0xff ) );
2264 return -EPROTO_VERSION;
2265 }
2266 tls->version = version;
2267 DBGC ( tls, "TLS %p using protocol version %d.%d\n",
2268 tls, ( version >> 8 ), ( version & 0xff ) );
2269
2270 /* Select cipher suite */
2271 if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
2272 return rc;
2273
2274 /* Add preceding Client Hello to handshake digest */
2275 if ( ( rc = tls_client_hello ( tls, tls_add_handshake ) ) != 0 )
2276 return rc;
2277
2278 /* Copy out server random bytes */
2279 memcpy ( &tls->server.random, &hello_a->random,
2280 sizeof ( tls->server.random ) );
2281
2282 /* Handle extended master secret */
2283 tls->extended_master_secret = ( !! ems );
2284
2285 /* Check session ID */
2286 if ( hello_a->session_id_len &&
2287 ( hello_a->session_id_len == tls->session_id_len ) &&
2288 ( memcmp ( session_id, tls->session_id,
2289 tls->session_id_len ) == 0 ) ) {
2290
2291 /* Session ID match: reuse master secret */
2292 DBGC ( tls, "TLS %p resuming session ID:\n", tls );
2293 DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
2294 if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
2295 return rc;
2296
2297 /* Ensure master secret generation method matches */
2298 if ( tls->extended_master_secret !=
2299 tls->session->extended_master_secret ) {
2300 DBGC ( tls, "TLS %p mismatched extended master secret "
2301 "extension\n", tls );
2302 return -EPERM_EMS;
2303 }
2304
2305 } else {
2306
2307 /* Record new session ID, if present */
2308 if ( hello_a->session_id_len &&
2309 ( hello_a->session_id_len <= sizeof ( tls->session_id ))){
2310 tls->session_id_len = hello_a->session_id_len;
2311 memcpy ( tls->session_id, session_id,
2312 tls->session_id_len );
2313 DBGC ( tls, "TLS %p new session ID:\n", tls );
2314 DBGC_HDA ( tls, 0, tls->session_id,
2315 tls->session_id_len );
2316 }
2317 }
2318
2319 /* Handle secure renegotiation */
2320 if ( tls->secure_renegotiation ) {
2321
2322 /* Secure renegotiation is expected; verify data */
2323 if ( ( reneg == NULL ) ||
2324 ( reneg->len != sizeof ( tls->verify ) ) ||
2325 ( memcmp ( reneg->data, &tls->verify,
2326 sizeof ( tls->verify ) ) != 0 ) ) {
2327 DBGC ( tls, "TLS %p server failed secure "
2328 "renegotiation\n", tls );
2329 return -EPERM_RENEG_VERIFY;
2330 }
2331
2332 } else if ( reneg != NULL ) {
2333
2334 /* Secure renegotiation is being enabled */
2335 if ( reneg->len != 0 ) {
2336 DBGC ( tls, "TLS %p server provided non-empty initial "
2337 "renegotiation\n", tls );
2338 return -EPERM_RENEG_VERIFY;
2339 }
2340 tls->secure_renegotiation = 1;
2341 }
2342
2343 return 0;
2344}
2345
2346/**
2347 * Receive New Session Ticket handshake record
2348 *
2349 * @v tls TLS connection
2350 * @v data Plaintext handshake record
2351 * @v len Length of plaintext handshake record
2352 * @ret rc Return status code
2353 */
2354static int tls_new_session_ticket ( struct tls_connection *tls,
2355 const void *data, size_t len ) {
2356 const struct {
2357 uint32_t lifetime;
2358 uint16_t len;
2359 uint8_t ticket[0];
2360 } __attribute__ (( packed )) *new_session_ticket = data;
2361 size_t ticket_len;
2362
2363 /* Parse header */
2364 if ( sizeof ( *new_session_ticket ) > len ) {
2365 DBGC ( tls, "TLS %p received underlength New Session Ticket\n",
2366 tls );
2367 DBGC_HD ( tls, data, len );
2368 return -EINVAL_TICKET;
2369 }
2370 ticket_len = ntohs ( new_session_ticket->len );
2371 if ( ticket_len > ( len - sizeof ( *new_session_ticket ) ) ) {
2372 DBGC ( tls, "TLS %p received overlength New Session Ticket\n",
2373 tls );
2374 DBGC_HD ( tls, data, len );
2375 return -EINVAL_TICKET;
2376 }
2377
2378 /* Free any unapplied new session ticket */
2379 free ( tls->new_session_ticket );
2380 tls->new_session_ticket = NULL;
2381 tls->new_session_ticket_len = 0;
2382
2383 /* Record ticket */
2384 tls->new_session_ticket = malloc ( ticket_len );
2385 if ( ! tls->new_session_ticket )
2386 return -ENOMEM;
2387 memcpy ( tls->new_session_ticket, new_session_ticket->ticket,
2388 ticket_len );
2389 tls->new_session_ticket_len = ticket_len;
2390 DBGC ( tls, "TLS %p new session ticket:\n", tls );
2391 DBGC_HDA ( tls, 0, tls->new_session_ticket,
2392 tls->new_session_ticket_len );
2393
2394 return 0;
2395}
2396
2397/**
2398 * Parse certificate chain
2399 *
2400 * @v tls TLS connection
2401 * @v data Certificate chain
2402 * @v len Length of certificate chain
2403 * @ret rc Return status code
2404 */
2405static int tls_parse_chain ( struct tls_connection *tls,
2406 const void *data, size_t len ) {
2407 size_t remaining = len;
2408 int rc;
2409
2410 /* Free any existing certificate chain */
2411 memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
2412 x509_chain_put ( tls->server.chain );
2413 tls->server.chain = NULL;
2414
2415 /* Create certificate chain */
2416 tls->server.chain = x509_alloc_chain();
2417 if ( ! tls->server.chain ) {
2418 rc = -ENOMEM_CHAIN;
2419 goto err_alloc_chain;
2420 }
2421
2422 /* Add certificates to chain */
2423 while ( remaining ) {
2424 const struct {
2425 tls24_t length;
2426 uint8_t data[0];
2427 } __attribute__ (( packed )) *certificate = data;
2428 size_t certificate_len;
2429 size_t record_len;
2430 struct x509_certificate *cert;
2431
2432 /* Parse header */
2433 if ( sizeof ( *certificate ) > remaining ) {
2434 DBGC ( tls, "TLS %p underlength certificate:\n", tls );
2435 DBGC_HDA ( tls, 0, data, remaining );
2436 rc = -EINVAL_CERTIFICATE;
2437 goto err_underlength;
2438 }
2439 certificate_len = tls_uint24 ( &certificate->length );
2440 if ( certificate_len > ( remaining - sizeof ( *certificate ) )){
2441 DBGC ( tls, "TLS %p overlength certificate:\n", tls );
2442 DBGC_HDA ( tls, 0, data, remaining );
2443 rc = -EINVAL_CERTIFICATE;
2444 goto err_overlength;
2445 }
2446 record_len = ( sizeof ( *certificate ) + certificate_len );
2447
2448 /* Add certificate to chain */
2449 if ( ( rc = x509_append_raw ( tls->server.chain,
2450 certificate->data,
2451 certificate_len ) ) != 0 ) {
2452 DBGC ( tls, "TLS %p could not append certificate: %s\n",
2453 tls, strerror ( rc ) );
2454 DBGC_HDA ( tls, 0, data, remaining );
2455 goto err_parse;
2456 }
2457 cert = x509_last ( tls->server.chain );
2458 DBGC ( tls, "TLS %p found certificate %s\n",
2459 tls, x509_name ( cert ) );
2460
2461 /* Move to next certificate in list */
2462 data += record_len;
2463 remaining -= record_len;
2464 }
2465
2466 return 0;
2467
2468 err_parse:
2469 err_overlength:
2470 err_underlength:
2471 memset ( &tls->server.key, 0, sizeof ( tls->server.key ) );
2472 x509_chain_put ( tls->server.chain );
2473 tls->server.chain = NULL;
2474 err_alloc_chain:
2475 return rc;
2476}
2477
2478/**
2479 * Receive new Certificate handshake record
2480 *
2481 * @v tls TLS connection
2482 * @v data Plaintext handshake record
2483 * @v len Length of plaintext handshake record
2484 * @ret rc Return status code
2485 */
2486static int tls_new_certificate ( struct tls_connection *tls,
2487 const void *data, size_t len ) {
2488 const struct {
2489 tls24_t length;
2490 uint8_t certificates[0];
2491 } __attribute__ (( packed )) *certificate = data;
2492 size_t certificates_len;
2493 int rc;
2494
2495 /* Parse header */
2496 if ( sizeof ( *certificate ) > len ) {
2497 DBGC ( tls, "TLS %p received underlength Server Certificate\n",
2498 tls );
2499 DBGC_HD ( tls, data, len );
2500 return -EINVAL_CERTIFICATES;
2501 }
2502 certificates_len = tls_uint24 ( &certificate->length );
2503 if ( certificates_len > ( len - sizeof ( *certificate ) ) ) {
2504 DBGC ( tls, "TLS %p received overlength Server Certificate\n",
2505 tls );
2506 DBGC_HD ( tls, data, len );
2507 return -EINVAL_CERTIFICATES;
2508 }
2509
2510 /* Parse certificate chain */
2511 if ( ( rc = tls_parse_chain ( tls, certificate->certificates,
2512 certificates_len ) ) != 0 )
2513 return rc;
2514
2515 return 0;
2516}
2517
2518/**
2519 * Receive new Server Key Exchange handshake record
2520 *
2521 * @v tls TLS connection
2522 * @v data Plaintext handshake record
2523 * @v len Length of plaintext handshake record
2524 * @ret rc Return status code
2525 */
2526static int tls_new_server_key_exchange ( struct tls_connection *tls,
2527 const void *data, size_t len ) {
2528
2529 /* Free any existing server key exchange record */
2530 free ( tls->server.exchange );
2531 tls->server.exchange_len = 0;
2532
2533 /* Allocate copy of server key exchange record */
2534 tls->server.exchange = malloc ( len );
2535 if ( ! tls->server.exchange )
2536 return -ENOMEM;
2537
2538 /* Store copy of server key exchange record for later
2539 * processing. We cannot verify the signature at this point
2540 * since the certificate validation will not yet have
2541 * completed.
2542 */
2543 memcpy ( tls->server.exchange, data, len );
2544 tls->server.exchange_len = len;
2545
2546 return 0;
2547}
2548
2549/**
2550 * Receive new Certificate Request handshake record
2551 *
2552 * @v tls TLS connection
2553 * @v data Plaintext handshake record
2554 * @v len Length of plaintext handshake record
2555 * @ret rc Return status code
2556 */
2557static int tls_new_certificate_request ( struct tls_connection *tls,
2558 const void *data __unused,
2559 size_t len __unused ) {
2560 struct x509_certificate *cert;
2561 int rc;
2562
2563 /* We can only send a single certificate, so there is no point
2564 * in parsing the Certificate Request.
2565 */
2566
2567 /* Free any existing client certificate chain */
2568 x509_chain_put ( tls->client.chain );
2569 tls->client.chain = NULL;
2570
2571 /* Create client certificate chain */
2572 tls->client.chain = x509_alloc_chain();
2573 if ( ! tls->client.chain ) {
2574 rc = -ENOMEM;
2575 goto err_alloc;
2576 }
2577
2578 /* Determine client certificate to be sent, if any */
2579 cert = x509_find_key ( NULL, tls->client.key );
2580 if ( cert ) {
2581 DBGC ( tls, "TLS %p selected client certificate %s\n",
2582 tls, x509_name ( cert ) );
2583
2584 /* Append client certificate to chain */
2585 if ( ( rc = x509_append ( tls->client.chain, cert ) ) != 0 )
2586 goto err_append;
2587
2588 /* Append any relevant issuer certificates */
2589 if ( ( rc = x509_auto_append ( tls->client.chain,
2590 &certstore ) ) != 0 )
2591 goto err_auto_append;
2592 } else {
2593
2594 /* Send an empty certificate chain */
2595 DBGC ( tls, "TLS %p could not find certificate corresponding "
2596 "to private key\n", tls );
2597 }
2598
2599 return 0;
2600
2601 err_auto_append:
2602 err_append:
2603 x509_chain_put ( tls->client.chain );
2604 tls->client.chain = NULL;
2605 err_alloc:
2606 return rc;
2607}
2608
2609/**
2610 * Receive new Server Hello Done handshake record
2611 *
2612 * @v tls TLS connection
2613 * @v data Plaintext handshake record
2614 * @v len Length of plaintext handshake record
2615 * @ret rc Return status code
2616 */
2617static int tls_new_server_hello_done ( struct tls_connection *tls,
2618 const void *data, size_t len ) {
2619 const struct {
2620 char next[0];
2621 } __attribute__ (( packed )) *hello_done = data;
2622 int rc;
2623
2624 /* Sanity check */
2625 if ( sizeof ( *hello_done ) != len ) {
2626 DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
2627 tls );
2628 DBGC_HD ( tls, data, len );
2629 return -EINVAL_HELLO_DONE;
2630 }
2631
2632 /* Begin certificate validation */
2633 if ( ( rc = create_validator ( &tls->server.validator,
2634 tls->server.chain,
2635 tls->server.root ) ) != 0 ) {
2636 DBGC ( tls, "TLS %p could not start certificate validation: "
2637 "%s\n", tls, strerror ( rc ) );
2638 return rc;
2639 }
2640 pending_get ( &tls->server.validation );
2641
2642 return 0;
2643}
2644
2645/**
2646 * Receive new Finished handshake record
2647 *
2648 * @v tls TLS connection
2649 * @v data Plaintext handshake record
2650 * @v len Length of plaintext handshake record
2651 * @ret rc Return status code
2652 */
2653static int tls_new_finished ( struct tls_connection *tls,
2654 const void *data, size_t len ) {
2655 struct tls_session *session = tls->session;
2656 struct digest_algorithm *digest = tls->handshake_digest;
2657 const struct {
2658 uint8_t verify_data[ sizeof ( tls->verify.server ) ];
2659 char next[0];
2660 } __attribute__ (( packed )) *finished = data;
2661 uint8_t digest_out[ digest->digestsize ];
2662
2663 /* Sanity check */
2664 if ( sizeof ( *finished ) != len ) {
2665 DBGC ( tls, "TLS %p received overlength Finished\n", tls );
2666 DBGC_HD ( tls, data, len );
2667 return -EINVAL_FINISHED;
2668 }
2669
2670 /* Verify data */
2671 tls_verify_handshake ( tls, digest_out );
2672 tls_prf_label ( tls, &tls->master_secret, sizeof ( tls->master_secret ),
2673 tls->verify.server, sizeof ( tls->verify.server ),
2674 "server finished", digest_out, sizeof ( digest_out ) );
2675 if ( memcmp ( tls->verify.server, finished->verify_data,
2676 sizeof ( tls->verify.server ) ) != 0 ) {
2677 DBGC ( tls, "TLS %p verification failed\n", tls );
2678 return -EPERM_VERIFY;
2679 }
2680
2681 /* Mark server as finished */
2682 pending_put ( &tls->server.negotiation );
2683
2684 /* If we are resuming a session (i.e. if the server Finished
2685 * arrives before the client Finished is sent), then schedule
2686 * transmission of Change Cipher and Finished.
2687 */
2688 if ( is_pending ( &tls->client.negotiation ) ) {
2689 tls->tx.pending |= ( TLS_TX_CHANGE_CIPHER | TLS_TX_FINISHED );
2690 tls_tx_resume ( tls );
2691 }
2692
2693 /* Record session ID, ticket, and master secret, if applicable */
2694 if ( tls->session_id_len || tls->new_session_ticket_len ) {
2695 memcpy ( session->master_secret, tls->master_secret,
2696 sizeof ( session->master_secret ) );
2697 session->extended_master_secret = tls->extended_master_secret;
2698 }
2699 if ( tls->session_id_len ) {
2700 session->id_len = tls->session_id_len;
2701 memcpy ( session->id, tls->session_id, sizeof ( session->id ) );
2702 }
2703 if ( tls->new_session_ticket_len ) {
2704 free ( session->ticket );
2705 session->ticket = tls->new_session_ticket;
2706 session->ticket_len = tls->new_session_ticket_len;
2707 tls->new_session_ticket = NULL;
2708 tls->new_session_ticket_len = 0;
2709 }
2710
2711 /* Move to end of session's connection list and allow other
2712 * connections to start making progress.
2713 */
2714 list_del ( &tls->list );
2715 list_add_tail ( &tls->list, &session->conn );
2716 tls_tx_resume_all ( session );
2717
2718 /* Send notification of a window change */
2719 xfer_window_changed ( &tls->plainstream );
2720
2721 return 0;
2722}
2723
2724/**
2725 * Receive new Handshake record
2726 *
2727 * @v tls TLS connection
2728 * @v iobuf I/O buffer
2729 * @ret rc Return status code
2730 */
2731static int tls_new_handshake ( struct tls_connection *tls,
2732 struct io_buffer *iobuf ) {
2733 size_t remaining;
2734 int rc;
2735
2736 while ( ( remaining = iob_len ( iobuf ) ) ) {
2737 const struct {
2738 uint8_t type;
2739 tls24_t length;
2740 uint8_t payload[0];
2741 } __attribute__ (( packed )) *handshake = iobuf->data;
2742 const void *payload;
2743 size_t payload_len;
2744 size_t record_len;
2745
2746 /* Parse header */
2747 if ( sizeof ( *handshake ) > remaining ) {
2748 /* Leave remaining fragment unconsumed */
2749 break;
2750 }
2751 payload_len = tls_uint24 ( &handshake->length );
2752 if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
2753 /* Leave remaining fragment unconsumed */
2754 break;
2755 }
2756 payload = &handshake->payload;
2757 record_len = ( sizeof ( *handshake ) + payload_len );
2758
2759 /* Handle payload */
2760 switch ( handshake->type ) {
2761 case TLS_HELLO_REQUEST:
2762 rc = tls_new_hello_request ( tls, payload,
2763 payload_len );
2764 break;
2765 case TLS_SERVER_HELLO:
2766 rc = tls_new_server_hello ( tls, payload, payload_len );
2767 break;
2768 case TLS_NEW_SESSION_TICKET:
2769 rc = tls_new_session_ticket ( tls, payload,
2770 payload_len );
2771 break;
2772 case TLS_CERTIFICATE:
2773 rc = tls_new_certificate ( tls, payload, payload_len );
2774 break;
2775 case TLS_SERVER_KEY_EXCHANGE:
2776 rc = tls_new_server_key_exchange ( tls, payload,
2777 payload_len );
2778 break;
2779 case TLS_CERTIFICATE_REQUEST:
2780 rc = tls_new_certificate_request ( tls, payload,
2781 payload_len );
2782 break;
2783 case TLS_SERVER_HELLO_DONE:
2784 rc = tls_new_server_hello_done ( tls, payload,
2785 payload_len );
2786 break;
2787 case TLS_FINISHED:
2788 rc = tls_new_finished ( tls, payload, payload_len );
2789 break;
2790 default:
2791 DBGC ( tls, "TLS %p ignoring handshake type %d\n",
2792 tls, handshake->type );
2793 rc = 0;
2794 break;
2795 }
2796
2797 /* Add to handshake digest (except for Hello Requests,
2798 * which are explicitly excluded).
2799 */
2800 if ( handshake->type != TLS_HELLO_REQUEST )
2801 tls_add_handshake ( tls, handshake, record_len );
2802
2803 /* Abort on failure */
2804 if ( rc != 0 )
2805 return rc;
2806
2807 /* Move to next handshake record */
2808 iob_pull ( iobuf, record_len );
2809 }
2810
2811 return 0;
2812}
2813
2814/**
2815 * Receive new unknown record
2816 *
2817 * @v tls TLS connection
2818 * @v iobuf I/O buffer
2819 * @ret rc Return status code
2820 */
2821static int tls_new_unknown ( struct tls_connection *tls __unused,
2822 struct io_buffer *iobuf ) {
2823
2824 /* RFC4346 says that we should just ignore unknown record types */
2825 iob_pull ( iobuf, iob_len ( iobuf ) );
2826 return 0;
2827}
2828
2829/**
2830 * Receive new data record
2831 *
2832 * @v tls TLS connection
2833 * @v rx_data List of received data buffers
2834 * @ret rc Return status code
2835 */
2836static int tls_new_data ( struct tls_connection *tls,
2837 struct list_head *rx_data ) {
2838 struct io_buffer *iobuf;
2839 int rc;
2840
2841 /* Fail unless we are ready to receive data */
2842 if ( ! tls_ready ( tls ) )
2843 return -ENOTCONN;
2844
2845 /* Deliver each I/O buffer in turn */
2846 while ( ( iobuf = list_first_entry ( rx_data, struct io_buffer,
2847 list ) ) ) {
2848 list_del ( &iobuf->list );
2849 if ( ( rc = xfer_deliver_iob ( &tls->plainstream,
2850 iobuf ) ) != 0 ) {
2851 DBGC ( tls, "TLS %p could not deliver data: "
2852 "%s\n", tls, strerror ( rc ) );
2853 return rc;
2854 }
2855 }
2856
2857 return 0;
2858}
2859
2860/**
2861 * Receive new record
2862 *
2863 * @v tls TLS connection
2864 * @v type Record type
2865 * @v rx_data List of received data buffers
2866 * @ret rc Return status code
2867 */
2868static int tls_new_record ( struct tls_connection *tls, unsigned int type,
2869 struct list_head *rx_data ) {
2870 int ( * handler ) ( struct tls_connection *tls,
2871 struct io_buffer *iobuf );
2872 struct io_buffer *tmp = NULL;
2873 struct io_buffer **iobuf;
2874 int rc;
2875
2876 /* Deliver data records as-is to the plainstream interface */
2877 if ( type == TLS_TYPE_DATA )
2878 return tls_new_data ( tls, rx_data );
2879
2880 /* Determine handler and fragment buffer */
2881 iobuf = &tmp;
2882 switch ( type ) {
2883 case TLS_TYPE_CHANGE_CIPHER:
2884 handler = tls_new_change_cipher;
2885 break;
2886 case TLS_TYPE_ALERT:
2887 handler = tls_new_alert;
2888 break;
2889 case TLS_TYPE_HANDSHAKE:
2890 handler = tls_new_handshake;
2891 iobuf = &tls->rx.handshake;
2892 break;
2893 default:
2894 DBGC ( tls, "TLS %p unknown record type %d\n", tls, type );
2895 handler = tls_new_unknown;
2896 break;
2897 }
2898
2899 /* Merge into a single I/O buffer */
2900 if ( *iobuf )
2901 list_add ( &(*iobuf)->list, rx_data );
2902 *iobuf = iob_concatenate ( rx_data );
2903 if ( ! *iobuf ) {
2904 DBGC ( tls, "TLS %p could not concatenate non-data record "
2905 "type %d\n", tls, type );
2906 rc = -ENOMEM_RX_CONCAT;
2907 goto err_concatenate;
2908 }
2909
2910 /* Handle record */
2911 if ( ( rc = handler ( tls, *iobuf ) ) != 0 )
2912 goto err_handle;
2913
2914 /* Discard I/O buffer if empty */
2915 if ( ! iob_len ( *iobuf ) ) {
2916 free_iob ( *iobuf );
2917 *iobuf = NULL;
2918 }
2919
2920 /* Sanity check */
2921 assert ( tmp == NULL );
2922
2923 return 0;
2924
2925 err_handle:
2926 free_iob ( *iobuf );
2927 *iobuf = NULL;
2928 err_concatenate:
2929 return rc;
2930}
2931
2932/******************************************************************************
2933 *
2934 * Record encryption/decryption
2935 *
2936 ******************************************************************************
2937 */
2938
2939/**
2940 * Initialise HMAC
2941 *
2942 * @v cipherspec Cipher specification
2943 * @v ctx Context
2944 * @v authhdr Authentication header
2945 */
2946static void tls_hmac_init ( struct tls_cipherspec *cipherspec, void *ctx,
2947 struct tls_auth_header *authhdr ) {
2948 struct tls_cipher_suite *suite = cipherspec->suite;
2949 struct digest_algorithm *digest = suite->digest;
2950
2951 hmac_init ( digest, ctx, cipherspec->mac_secret, suite->mac_len );
2952 hmac_update ( digest, ctx, authhdr, sizeof ( *authhdr ) );
2953}
2954
2955/**
2956 * Update HMAC
2957 *
2958 * @v cipherspec Cipher specification
2959 * @v ctx Context
2960 * @v data Data
2961 * @v len Length of data
2962 */
2963static void tls_hmac_update ( struct tls_cipherspec *cipherspec, void *ctx,
2964 const void *data, size_t len ) {
2965 struct digest_algorithm *digest = cipherspec->suite->digest;
2966
2967 hmac_update ( digest, ctx, data, len );
2968}
2969
2970/**
2971 * Finalise HMAC
2972 *
2973 * @v cipherspec Cipher specification
2974 * @v ctx Context
2975 * @v mac HMAC to fill in
2976 */
2977static void tls_hmac_final ( struct tls_cipherspec *cipherspec, void *ctx,
2978 void *hmac ) {
2979 struct digest_algorithm *digest = cipherspec->suite->digest;
2980
2981 hmac_final ( digest, ctx, hmac );
2982}
2983
2984/**
2985 * Calculate HMAC
2986 *
2987 * @v cipherspec Cipher specification
2988 * @v authhdr Authentication header
2989 * @v data Data
2990 * @v len Length of data
2991 * @v mac HMAC to fill in
2992 */
2993static void tls_hmac ( struct tls_cipherspec *cipherspec,
2994 struct tls_auth_header *authhdr,
2995 const void *data, size_t len, void *hmac ) {
2996 struct digest_algorithm *digest = cipherspec->suite->digest;
2997 uint8_t ctx[ hmac_ctxsize ( digest ) ];
2998
2999 tls_hmac_init ( cipherspec, ctx, authhdr );
3000 tls_hmac_update ( cipherspec, ctx, data, len );
3001 tls_hmac_final ( cipherspec, ctx, hmac );
3002}
3003
3004/**
3005 * Calculate HMAC over list of I/O buffers
3006 *
3007 * @v cipherspec Cipher specification
3008 * @v authhdr Authentication header
3009 * @v list List of I/O buffers
3010 * @v mac HMAC to fill in
3011 */
3012static void tls_hmac_list ( struct tls_cipherspec *cipherspec,
3013 struct tls_auth_header *authhdr,
3014 struct list_head *list, void *hmac ) {
3015 struct digest_algorithm *digest = cipherspec->suite->digest;
3016 uint8_t ctx[ hmac_ctxsize ( digest ) ];
3017 struct io_buffer *iobuf;
3018
3019 tls_hmac_init ( cipherspec, ctx, authhdr );
3020 list_for_each_entry ( iobuf, list, list ) {
3021 tls_hmac_update ( cipherspec, ctx, iobuf->data,
3022 iob_len ( iobuf ) );
3023 }
3024 tls_hmac_final ( cipherspec, ctx, hmac );
3025}
3026
3027/**
3028 * Calculate maximum additional length required for transmitted record(s)
3029 *
3030 * @v tls TLS connection
3031 * @v len I/O buffer payload length
3032 * @ret reserve Maximum additional length to reserve
3033 */
3034static size_t tls_iob_reserved ( struct tls_connection *tls, size_t len ) {
3035 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
3036 struct tls_cipher_suite *suite = cipherspec->suite;
3037 struct cipher_algorithm *cipher = suite->cipher;
3038 struct tls_header *tlshdr;
3039 unsigned int count;
3040 size_t each;
3041
3042 /* Calculate number of records (allowing for zero-length records) */
3043 count = ( len ? ( ( len + TLS_TX_BUFSIZE - 1 ) / TLS_TX_BUFSIZE ) : 1 );
3044
3045 /* Calculate maximum additional length per record */
3046 each = ( sizeof ( *tlshdr ) + suite->record_iv_len + suite->mac_len +
3047 ( is_block_cipher ( cipher ) ? cipher->blocksize : 0 ) +
3048 cipher->authsize );
3049
3050 /* Calculate maximum total additional length */
3051 return ( count * each );
3052}
3053
3054/**
3055 * Allocate I/O buffer for transmitted record(s)
3056 *
3057 * @v tls TLS connection
3058 * @v len I/O buffer payload length
3059 * @ret iobuf I/O buffer
3060 */
3061static struct io_buffer * tls_alloc_iob ( struct tls_connection *tls,
3062 size_t len ) {
3063 struct io_buffer *iobuf;
3064 size_t reserve;
3065
3066 /* Calculate maximum additional length to reserve */
3067 reserve = tls_iob_reserved ( tls, len );
3068
3069 /* Allocate I/O buffer */
3070 iobuf = xfer_alloc_iob ( &tls->cipherstream, ( reserve + len ) );
3071 if ( ! iobuf )
3072 return NULL;
3073
3074 /* Reserve space */
3075 iob_reserve ( iobuf, reserve );
3076
3077 return iobuf;
3078}
3079
3080/**
3081 * Send plaintext record(s)
3082 *
3083 * @v tls TLS connection
3084 * @v type Record type
3085 * @v iobuf I/O buffer
3086 * @ret rc Return status code
3087 */
3088static int tls_send_record ( struct tls_connection *tls, unsigned int type,
3089 struct io_buffer *iobuf ) {
3090 struct tls_cipherspec *cipherspec = &tls->tx.cipherspec.active;
3091 struct tls_cipher_suite *suite = cipherspec->suite;
3092 struct cipher_algorithm *cipher = suite->cipher;
3093 struct digest_algorithm *digest = suite->digest;
3094 struct {
3095 uint8_t fixed[suite->fixed_iv_len];
3096 uint8_t rec[suite->record_iv_len];
3097 } __attribute__ (( packed )) iv;
3098 struct tls_auth_header authhdr;
3099 struct tls_header *tlshdr;
3100 uint8_t mac[digest->digestsize];
3101 const void *plaintext;
3102 const void *encrypt;
3103 void *ciphertext;
3104 size_t record_len;
3105 size_t encrypt_len;
3106 size_t pad_len;
3107 size_t len;
3108 int rc;
3109
3110 /* Record plaintext pointer and length */
3111 plaintext = iobuf->data;
3112 len = iob_len ( iobuf );
3113
3114 /* Add to handshake digest if applicable */
3115 if ( type == TLS_TYPE_HANDSHAKE )
3116 tls_add_handshake ( tls, plaintext, len );
3117
3118 /* Start constructing ciphertext at start of reserved space */
3119 iob_push ( iobuf, tls_iob_reserved ( tls, len ) );
3120 iob_unput ( iobuf, iob_len ( iobuf ) );
3121
3122 /* Construct records */
3123 do {
3124 /* Limit length of this record (may be zero) */
3125 record_len = len;
3126 if ( record_len > TLS_TX_BUFSIZE )
3127 record_len = TLS_TX_BUFSIZE;
3128
3129 /* Construct and set initialisation vector */
3130 memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
3131 if ( ( rc = tls_generate_random ( tls, iv.rec,
3132 sizeof ( iv.rec ) ) ) != 0 ) {
3133 goto err_random;
3134 }
3135 cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv,
3136 sizeof ( iv ) );
3137
3138 /* Construct and process authentication data */
3139 authhdr.seq = cpu_to_be64 ( tls->tx.seq );
3140 authhdr.header.type = type;
3141 authhdr.header.version = htons ( tls->version );
3142 authhdr.header.length = htons ( record_len );
3143 if ( suite->mac_len ) {
3144 tls_hmac ( cipherspec, &authhdr, plaintext, record_len,
3145 mac );
3146 }
3147 if ( is_auth_cipher ( cipher ) ) {
3148 cipher_encrypt ( cipher, cipherspec->cipher_ctx,
3149 &authhdr, NULL, sizeof ( authhdr ) );
3150 }
3151
3152 /* Calculate encryption length */
3153 encrypt_len = ( record_len + suite->mac_len );
3154 if ( is_block_cipher ( cipher ) ) {
3155 pad_len = ( ( ( cipher->blocksize - 1 ) &
3156 -( encrypt_len + 1 ) ) + 1 );
3157 } else {
3158 pad_len = 0;
3159 }
3160 encrypt_len += pad_len;
3161
3162 /* Add record header */
3163 tlshdr = iob_put ( iobuf, sizeof ( *tlshdr ) );
3164 tlshdr->type = type;
3165 tlshdr->version = htons ( tls->version );
3166 tlshdr->length = htons ( sizeof ( iv.rec ) + encrypt_len +
3167 cipher->authsize );
3168
3169 /* Add record initialisation vector, if applicable */
3170 memcpy ( iob_put ( iobuf, sizeof ( iv.rec ) ), iv.rec,
3171 sizeof ( iv.rec ) );
3172
3173 /* Copy plaintext data if necessary */
3174 ciphertext = iob_put ( iobuf, record_len );
3175 assert ( ciphertext <= plaintext );
3176 if ( encrypt_len > record_len ) {
3177 memmove ( ciphertext, plaintext, record_len );
3178 encrypt = ciphertext;
3179 } else {
3180 encrypt = plaintext;
3181 }
3182
3183 /* Add MAC, if applicable */
3184 memcpy ( iob_put ( iobuf, suite->mac_len ), mac,
3185 suite->mac_len );
3186
3187 /* Add padding, if applicable */
3188 memset ( iob_put ( iobuf, pad_len ), ( pad_len - 1 ), pad_len );
3189
3190 /* Encrypt data and append authentication tag */
3191 DBGC2 ( tls, "Sending plaintext data:\n" );
3192 DBGC2_HDA ( tls, 0, encrypt, encrypt_len );
3193 cipher_encrypt ( cipher, cipherspec->cipher_ctx, encrypt,
3194 ciphertext, encrypt_len );
3195 cipher_auth ( cipher, cipherspec->cipher_ctx,
3196 iob_put ( iobuf, cipher->authsize ) );
3197
3198 /* Move to next record */
3199 tls->tx.seq += 1;
3200 plaintext += record_len;
3201 len -= record_len;
3202
3203 } while ( len );
3204
3205 /* Send ciphertext */
3206 if ( ( rc = xfer_deliver_iob ( &tls->cipherstream,
3207 iob_disown ( iobuf ) ) ) != 0 ) {
3208 DBGC ( tls, "TLS %p could not deliver ciphertext: %s\n",
3209 tls, strerror ( rc ) );
3210 goto err_deliver;
3211 }
3212
3213 assert ( iobuf == NULL );
3214 return 0;
3215
3216 err_deliver:
3217 err_random:
3218 free_iob ( iobuf );
3219 return rc;
3220}
3221
3222/**
3223 * Send plaintext record
3224 *
3225 * @v tls TLS connection
3226 * @v type Record type
3227 * @v data Plaintext record
3228 * @v len Length of plaintext record
3229 * @ret rc Return status code
3230 */
3231static int tls_send_plaintext ( struct tls_connection *tls, unsigned int type,
3232 const void *data, size_t len ) {
3233 struct io_buffer *iobuf;
3234 int rc;
3235
3236 /* Allocate I/O buffer */
3237 iobuf = tls_alloc_iob ( tls, len );
3238 if ( ! iobuf )
3239 return -ENOMEM_TX_PLAINTEXT;
3240 memcpy ( iob_put ( iobuf, len ), data, len );
3241
3242 /* Transmit I/O buffer */
3243 if ( ( rc = tls_send_record ( tls, type, iob_disown ( iobuf ) ) ) != 0 )
3244 return rc;
3245
3246 return 0;
3247}
3248
3249/**
3250 * Verify block padding
3251 *
3252 * @v tls TLS connection
3253 * @v iobuf Last received I/O buffer
3254 * @ret len Padding length, or negative error
3255 * @ret rc Return status code
3256 */
3257static int tls_verify_padding ( struct tls_connection *tls,
3258 struct io_buffer *iobuf ) {
3259 uint8_t *padding;
3260 unsigned int pad;
3261 unsigned int i;
3262 size_t len;
3263
3264 /* Extract and verify padding */
3265 padding = ( iobuf->tail - 1 );
3266 pad = *padding;
3267 len = ( pad + 1 );
3268 if ( len > iob_len ( iobuf ) ) {
3269 DBGC ( tls, "TLS %p received underlength padding\n", tls );
3270 DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3271 return -EINVAL_PADDING;
3272 }
3273 for ( i = 0 ; i < pad ; i++ ) {
3274 if ( *(--padding) != pad ) {
3275 DBGC ( tls, "TLS %p received bad padding\n", tls );
3276 DBGC_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3277 return -EINVAL_PADDING;
3278 }
3279 }
3280
3281 return len;
3282}
3283
3284/**
3285 * Receive new ciphertext record
3286 *
3287 * @v tls TLS connection
3288 * @v tlshdr Record header
3289 * @v rx_data List of received data buffers
3290 * @ret rc Return status code
3291 */
3292static int tls_new_ciphertext ( struct tls_connection *tls,
3293 struct tls_header *tlshdr,
3294 struct list_head *rx_data ) {
3295 struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
3296 struct tls_cipher_suite *suite = cipherspec->suite;
3297 struct cipher_algorithm *cipher = suite->cipher;
3298 struct digest_algorithm *digest = suite->digest;
3299 size_t len = ntohs ( tlshdr->length );
3300 struct {
3301 uint8_t fixed[suite->fixed_iv_len];
3302 uint8_t record[suite->record_iv_len];
3303 } __attribute__ (( packed )) iv;
3304 struct tls_auth_header authhdr;
3305 uint8_t verify_mac[digest->digestsize];
3306 uint8_t verify_auth[cipher->authsize];
3307 struct io_buffer *first;
3308 struct io_buffer *last;
3309 struct io_buffer *iobuf;
3310 void *mac;
3311 void *auth;
3312 size_t check_len;
3313 int pad_len;
3314 int rc;
3315
3316 /* Locate first and last data buffers */
3317 assert ( ! list_empty ( rx_data ) );
3318 first = list_first_entry ( rx_data, struct io_buffer, list );
3319 last = list_last_entry ( rx_data, struct io_buffer, list );
3320
3321 /* Extract initialisation vector */
3322 if ( iob_len ( first ) < sizeof ( iv.record ) ) {
3323 DBGC ( tls, "TLS %p received underlength IV\n", tls );
3324 DBGC_HD ( tls, first->data, iob_len ( first ) );
3325 return -EINVAL_IV;
3326 }
3327 memcpy ( iv.fixed, cipherspec->fixed_iv, sizeof ( iv.fixed ) );
3328 memcpy ( iv.record, first->data, sizeof ( iv.record ) );
3329 iob_pull ( first, sizeof ( iv.record ) );
3330 len -= sizeof ( iv.record );
3331
3332 /* Extract unencrypted authentication tag */
3333 if ( iob_len ( last ) < cipher->authsize ) {
3334 DBGC ( tls, "TLS %p received underlength authentication tag\n",
3335 tls );
3336 DBGC_HD ( tls, last->data, iob_len ( last ) );
3337 return -EINVAL_MAC;
3338 }
3339 iob_unput ( last, cipher->authsize );
3340 len -= cipher->authsize;
3341 auth = last->tail;
3342
3343 /* Construct authentication data */
3344 authhdr.seq = cpu_to_be64 ( tls->rx.seq );
3345 authhdr.header.type = tlshdr->type;
3346 authhdr.header.version = tlshdr->version;
3347 authhdr.header.length = htons ( len );
3348
3349 /* Set initialisation vector */
3350 cipher_setiv ( cipher, cipherspec->cipher_ctx, &iv, sizeof ( iv ) );
3351
3352 /* Process authentication data, if applicable */
3353 if ( is_auth_cipher ( cipher ) ) {
3354 cipher_decrypt ( cipher, cipherspec->cipher_ctx, &authhdr,
3355 NULL, sizeof ( authhdr ) );
3356 }
3357
3358 /* Decrypt the received data */
3359 check_len = 0;
3360 list_for_each_entry ( iobuf, &tls->rx.data, list ) {
3361 cipher_decrypt ( cipher, cipherspec->cipher_ctx,
3362 iobuf->data, iobuf->data, iob_len ( iobuf ) );
3363 check_len += iob_len ( iobuf );
3364 }
3365 assert ( check_len == len );
3366
3367 /* Strip block padding, if applicable */
3368 if ( is_block_cipher ( cipher ) ) {
3369 pad_len = tls_verify_padding ( tls, last );
3370 if ( pad_len < 0 ) {
3371 /* Assume zero padding length to avoid timing attacks */
3372 pad_len = 0;
3373 }
3374 iob_unput ( last, pad_len );
3375 len -= pad_len;
3376 }
3377
3378 /* Extract decrypted MAC */
3379 if ( iob_len ( last ) < suite->mac_len ) {
3380 DBGC ( tls, "TLS %p received underlength MAC\n", tls );
3381 DBGC_HD ( tls, last->data, iob_len ( last ) );
3382 return -EINVAL_MAC;
3383 }
3384 iob_unput ( last, suite->mac_len );
3385 len -= suite->mac_len;
3386 mac = last->tail;
3387
3388 /* Dump received data */
3389 DBGC2 ( tls, "Received plaintext data:\n" );
3390 check_len = 0;
3391 list_for_each_entry ( iobuf, rx_data, list ) {
3392 DBGC2_HD ( tls, iobuf->data, iob_len ( iobuf ) );
3393 check_len += iob_len ( iobuf );
3394 }
3395 assert ( check_len == len );
3396
3397 /* Generate MAC */
3398 authhdr.header.length = htons ( len );
3399 if ( suite->mac_len )
3400 tls_hmac_list ( cipherspec, &authhdr, rx_data, verify_mac );
3401
3402 /* Generate authentication tag */
3403 cipher_auth ( cipher, cipherspec->cipher_ctx, verify_auth );
3404
3405 /* Verify MAC */
3406 if ( memcmp ( mac, verify_mac, suite->mac_len ) != 0 ) {
3407 DBGC ( tls, "TLS %p failed MAC verification\n", tls );
3408 return -EINVAL_MAC;
3409 }
3410
3411 /* Verify authentication tag */
3412 if ( memcmp ( auth, verify_auth, cipher->authsize ) != 0 ) {
3413 DBGC ( tls, "TLS %p failed authentication tag verification\n",
3414 tls );
3415 return -EINVAL_MAC;
3416 }
3417
3418 /* Process plaintext record */
3419 if ( ( rc = tls_new_record ( tls, tlshdr->type, rx_data ) ) != 0 )
3420 return rc;
3421
3422 return 0;
3423}
3424
3425/******************************************************************************
3426 *
3427 * Plaintext stream operations
3428 *
3429 ******************************************************************************
3430 */
3431
3432/**
3433 * Check flow control window
3434 *
3435 * @v tls TLS connection
3436 * @ret len Length of window
3437 */
3438static size_t tls_plainstream_window ( struct tls_connection *tls ) {
3439
3440 /* Block window unless we are ready to accept data */
3441 if ( ! tls_ready ( tls ) )
3442 return 0;
3443
3444 return xfer_window ( &tls->cipherstream );
3445}
3446
3447/**
3448 * Deliver datagram as raw data
3449 *
3450 * @v tls TLS connection
3451 * @v iobuf I/O buffer
3452 * @v meta Data transfer metadata
3453 * @ret rc Return status code
3454 */
3455static int tls_plainstream_deliver ( struct tls_connection *tls,
3456 struct io_buffer *iobuf,
3457 struct xfer_metadata *meta __unused ) {
3458 int rc;
3459
3460 /* Refuse unless we are ready to accept data */
3461 if ( ! tls_ready ( tls ) ) {
3462 rc = -ENOTCONN;
3463 goto done;
3464 }
3465
3466 /* Send data record */
3467 if ( ( rc = tls_send_record ( tls, TLS_TYPE_DATA,
3468 iob_disown ( iobuf ) ) ) != 0 )
3469 goto done;
3470
3471 done:
3472 free_iob ( iobuf );
3473 return rc;
3474}
3475
3476/**
3477 * Report job progress
3478 *
3479 * @v tls TLS connection
3480 * @v progress Progress report to fill in
3481 * @ret ongoing_rc Ongoing job status code (if known)
3482 */
3483static int tls_progress ( struct tls_connection *tls,
3484 struct job_progress *progress ) {
3485
3486 /* Return cipherstream or validator progress as applicable */
3487 if ( is_pending ( &tls->server.validation ) ) {
3488 return job_progress ( &tls->server.validator, progress );
3489 } else {
3490 return job_progress ( &tls->cipherstream, progress );
3491 }
3492}
3493
3494/** TLS plaintext stream interface operations */
3504
3505/** TLS plaintext stream interface descriptor */
3506static struct interface_descriptor tls_plainstream_desc =
3507 INTF_DESC_PASSTHRU ( struct tls_connection, plainstream,
3508 tls_plainstream_ops, cipherstream );
3509
3510/******************************************************************************
3511 *
3512 * Ciphertext stream operations
3513 *
3514 ******************************************************************************
3515 */
3516
3517/**
3518 * Handle received TLS header
3519 *
3520 * @v tls TLS connection
3521 * @ret rc Returned status code
3522 */
3523static int tls_newdata_process_header ( struct tls_connection *tls ) {
3524 struct tls_cipherspec *cipherspec = &tls->rx.cipherspec.active;
3525 struct cipher_algorithm *cipher = cipherspec->suite->cipher;
3526 size_t iv_len = cipherspec->suite->record_iv_len;
3527 size_t data_len = ntohs ( tls->rx.header.length );
3528 size_t remaining = data_len;
3529 size_t frag_len;
3530 size_t reserve;
3531 struct io_buffer *iobuf;
3532 struct io_buffer *tmp;
3533 int rc;
3534
3535 /* Sanity check */
3536 assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );
3537
3538 /* Calculate alignment reservation at start of first data buffer */
3539 reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
3540 remaining += reserve;
3541
3542 /* Allocate data buffers now that we know the length */
3543 assert ( list_empty ( &tls->rx.data ) );
3544 while ( remaining ) {
3545
3546 /* Calculate fragment length. Ensure that no block is
3547 * smaller than TLS_RX_MIN_BUFSIZE (by increasing the
3548 * allocation length if necessary).
3549 */
3550 frag_len = remaining;
3551 if ( frag_len > TLS_RX_BUFSIZE )
3552 frag_len = TLS_RX_BUFSIZE;
3553 remaining -= frag_len;
3554 if ( remaining < TLS_RX_MIN_BUFSIZE ) {
3555 frag_len += remaining;
3556 remaining = 0;
3557 }
3558
3559 /* Allocate buffer */
3560 iobuf = alloc_iob_raw ( frag_len, TLS_RX_ALIGN, 0 );
3561 if ( ! iobuf ) {
3562 DBGC ( tls, "TLS %p could not allocate %zd of %zd "
3563 "bytes for receive buffer\n", tls,
3564 remaining, data_len );
3565 rc = -ENOMEM_RX_DATA;
3566 goto err;
3567 }
3568
3569 /* Ensure tailroom is exactly what we asked for. This
3570 * will result in unaligned I/O buffers when the
3571 * fragment length is unaligned, which can happen only
3572 * before we switch to using a block cipher.
3573 */
3574 iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
3575
3576 /* Ensure first buffer length will be aligned to a
3577 * multiple of the cipher alignment size after
3578 * stripping the record IV.
3579 */
3580 iob_reserve ( iobuf, reserve );
3581 reserve = 0;
3582
3583 /* Add I/O buffer to list */
3584 list_add_tail ( &iobuf->list, &tls->rx.data );
3585 }
3586
3587 /* Move to data state */
3588 tls->rx.state = TLS_RX_DATA;
3589
3590 return 0;
3591
3592 err:
3593 list_for_each_entry_safe ( iobuf, tmp, &tls->rx.data, list ) {
3594 list_del ( &iobuf->list );
3595 free_iob ( iobuf );
3596 }
3597 return rc;
3598}
3599
3600/**
3601 * Handle received TLS data payload
3602 *
3603 * @v tls TLS connection
3604 * @ret rc Returned status code
3605 */
3606static int tls_newdata_process_data ( struct tls_connection *tls ) {
3607 struct io_buffer *iobuf;
3608 int rc;
3609
3610 /* Move current buffer to end of list */
3611 iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
3612 list_del ( &iobuf->list );
3613 list_add_tail ( &iobuf->list, &tls->rx.data );
3614
3615 /* Continue receiving data if any space remains */
3616 iobuf = list_first_entry ( &tls->rx.data, struct io_buffer, list );
3617 if ( iob_tailroom ( iobuf ) )
3618 return 0;
3619
3620 /* Process record */
3621 if ( ( rc = tls_new_ciphertext ( tls, &tls->rx.header,
3622 &tls->rx.data ) ) != 0 )
3623 return rc;
3624
3625 /* Increment RX sequence number */
3626 tls->rx.seq += 1;
3627
3628 /* Return to header state */
3629 assert ( list_empty ( &tls->rx.data ) );
3630 tls->rx.state = TLS_RX_HEADER;
3631 iob_unput ( &tls->rx.iobuf, sizeof ( tls->rx.header ) );
3632
3633 return 0;
3634}
3635
3636/**
3637 * Check flow control window
3638 *
3639 * @v tls TLS connection
3640 * @ret len Length of window
3641 */
3642static size_t tls_cipherstream_window ( struct tls_connection *tls ) {
3643
3644 /* Open window until we are ready to accept data */
3645 if ( ! tls_ready ( tls ) )
3646 return -1UL;
3647
3648 return xfer_window ( &tls->plainstream );
3649}
3650
3651/**
3652 * Receive new ciphertext
3653 *
3654 * @v tls TLS connection
3655 * @v iobuf I/O buffer
3656 * @v meta Data transfer metadat
3657 * @ret rc Return status code
3658 */
3659static int tls_cipherstream_deliver ( struct tls_connection *tls,
3660 struct io_buffer *iobuf,
3661 struct xfer_metadata *xfer __unused ) {
3662 size_t frag_len;
3663 int ( * process ) ( struct tls_connection *tls );
3664 struct io_buffer *dest;
3665 int rc;
3666
3667 while ( iob_len ( iobuf ) ) {
3668
3669 /* Select buffer according to current state */
3670 switch ( tls->rx.state ) {
3671 case TLS_RX_HEADER:
3672 dest = &tls->rx.iobuf;
3673 process = tls_newdata_process_header;
3674 break;
3675 case TLS_RX_DATA:
3676 dest = list_first_entry ( &tls->rx.data,
3677 struct io_buffer, list );
3678 assert ( dest != NULL );
3679 process = tls_newdata_process_data;
3680 break;
3681 default:
3682 assert ( 0 );
3683 rc = -EINVAL_RX_STATE;
3684 goto done;
3685 }
3686
3687 /* Copy data portion to buffer */
3688 frag_len = iob_len ( iobuf );
3689 if ( frag_len > iob_tailroom ( dest ) )
3690 frag_len = iob_tailroom ( dest );
3691 memcpy ( iob_put ( dest, frag_len ), iobuf->data, frag_len );
3692 iob_pull ( iobuf, frag_len );
3693
3694 /* Process data if buffer is now full */
3695 if ( iob_tailroom ( dest ) == 0 ) {
3696 if ( ( rc = process ( tls ) ) != 0 ) {
3697 tls_close ( tls, rc );
3698 goto done;
3699 }
3700 }
3701 }
3702 rc = 0;
3703
3704 done:
3705 free_iob ( iobuf );
3706 return rc;
3707}
3708
3709/** TLS ciphertext stream interface operations */
3719
3720/** TLS ciphertext stream interface descriptor */
3721static struct interface_descriptor tls_cipherstream_desc =
3722 INTF_DESC_PASSTHRU ( struct tls_connection, cipherstream,
3723 tls_cipherstream_ops, plainstream );
3724
3725/******************************************************************************
3726 *
3727 * Certificate validator
3728 *
3729 ******************************************************************************
3730 */
3731
3732/**
3733 * Handle certificate validation completion
3734 *
3735 * @v tls TLS connection
3736 * @v rc Reason for completion
3737 */
3738static void tls_validator_done ( struct tls_connection *tls, int rc ) {
3739 struct tls_session *session = tls->session;
3740 struct x509_certificate *cert;
3741
3742 /* Mark validation as complete */
3743 pending_put ( &tls->server.validation );
3744
3745 /* Close validator interface */
3746 intf_restart ( &tls->server.validator, rc );
3747
3748 /* Check for validation failure */
3749 if ( rc != 0 ) {
3750 DBGC ( tls, "TLS %p certificate validation failed: %s\n",
3751 tls, strerror ( rc ) );
3752 goto err;
3753 }
3754 DBGC ( tls, "TLS %p certificate validation succeeded\n", tls );
3755
3756 /* Extract first certificate */
3757 cert = x509_first ( tls->server.chain );
3758 assert ( cert != NULL );
3759
3760 /* Verify server name */
3761 if ( ( rc = x509_check_name ( cert, session->name ) ) != 0 ) {
3762 DBGC ( tls, "TLS %p server certificate does not match %s: %s\n",
3763 tls, session->name, strerror ( rc ) );
3764 goto err;
3765 }
3766
3767 /* Extract the now trusted server public key */
3768 memcpy ( &tls->server.key, &cert->subject.public_key.raw,
3769 sizeof ( tls->server.key ) );
3770
3771 /* Schedule transmission of applicable handshake messages */
3772 tls->tx.pending |= ( TLS_TX_CLIENT_KEY_EXCHANGE |
3773 TLS_TX_CHANGE_CIPHER |
3774 TLS_TX_FINISHED );
3775 if ( tls->client.chain ) {
3776 tls->tx.pending |= TLS_TX_CERTIFICATE;
3777 if ( ! list_empty ( &tls->client.chain->links ) )
3778 tls->tx.pending |= TLS_TX_CERTIFICATE_VERIFY;
3779 }
3780 tls_tx_resume ( tls );
3781
3782 return;
3783
3784 err:
3785 tls_close ( tls, rc );
3786 return;
3787}
3788
3789/** TLS certificate validator interface operations */
3793
3794/** TLS certificate validator interface descriptor */
3795static struct interface_descriptor tls_validator_desc =
3796 INTF_DESC ( struct tls_connection, server.validator,
3797 tls_validator_ops );
3798
3799/******************************************************************************
3800 *
3801 * Controlling process
3802 *
3803 ******************************************************************************
3804 */
3805
3806/**
3807 * TLS TX state machine
3808 *
3809 * @v tls TLS connection
3810 */
3811static void tls_tx_step ( struct tls_connection *tls ) {
3812 struct tls_session *session = tls->session;
3813 struct tls_connection *conn;
3814 int rc;
3815
3816 /* Wait for cipherstream to become ready */
3817 if ( ! xfer_window ( &tls->cipherstream ) )
3818 return;
3819
3820 /* Send first pending transmission */
3821 if ( tls->tx.pending & TLS_TX_CLIENT_HELLO ) {
3822 /* Serialise server negotiations within a session, to
3823 * provide a consistent view of session IDs and
3824 * session tickets.
3825 */
3826 list_for_each_entry ( conn, &session->conn, list ) {
3827 if ( conn == tls )
3828 break;
3829 if ( is_pending ( &conn->server.negotiation ) )
3830 return;
3831 }
3832 /* Record or generate session ID and associated master secret */
3833 if ( session->id_len ) {
3834 /* Attempt to resume an existing session */
3835 memcpy ( tls->session_id, session->id,
3836 sizeof ( tls->session_id ) );
3837 tls->session_id_len = session->id_len;
3838 memcpy ( tls->master_secret, session->master_secret,
3839 sizeof ( tls->master_secret ) );
3840 } else {
3841 /* No existing session: use a random session ID */
3842 assert ( sizeof ( tls->session_id ) ==
3843 sizeof ( tls->client.random ) );
3844 memcpy ( tls->session_id, &tls->client.random,
3845 sizeof ( tls->session_id ) );
3846 tls->session_id_len = sizeof ( tls->session_id );
3847 }
3848 /* Send Client Hello */
3849 if ( ( rc = tls_send_client_hello ( tls ) ) != 0 ) {
3850 DBGC ( tls, "TLS %p could not send Client Hello: %s\n",
3851 tls, strerror ( rc ) );
3852 goto err;
3853 }
3854 tls->tx.pending &= ~TLS_TX_CLIENT_HELLO;
3855 } else if ( tls->tx.pending & TLS_TX_CERTIFICATE ) {
3856 /* Send Certificate */
3857 if ( ( rc = tls_send_certificate ( tls ) ) != 0 ) {
3858 DBGC ( tls, "TLS %p cold not send Certificate: %s\n",
3859 tls, strerror ( rc ) );
3860 goto err;
3861 }
3862 tls->tx.pending &= ~TLS_TX_CERTIFICATE;
3863 } else if ( tls->tx.pending & TLS_TX_CLIENT_KEY_EXCHANGE ) {
3864 /* Send Client Key Exchange */
3865 if ( ( rc = tls_send_client_key_exchange ( tls ) ) != 0 ) {
3866 DBGC ( tls, "TLS %p could not send Client Key "
3867 "Exchange: %s\n", tls, strerror ( rc ) );
3868 goto err;
3869 }
3870 tls->tx.pending &= ~TLS_TX_CLIENT_KEY_EXCHANGE;
3871 } else if ( tls->tx.pending & TLS_TX_CERTIFICATE_VERIFY ) {
3872 /* Send Certificate Verify */
3873 if ( ( rc = tls_send_certificate_verify ( tls ) ) != 0 ) {
3874 DBGC ( tls, "TLS %p could not send Certificate "
3875 "Verify: %s\n", tls, strerror ( rc ) );
3876 goto err;
3877 }
3878 tls->tx.pending &= ~TLS_TX_CERTIFICATE_VERIFY;
3879 } else if ( tls->tx.pending & TLS_TX_CHANGE_CIPHER ) {
3880 /* Send Change Cipher, and then change the cipher in use */
3881 if ( ( rc = tls_send_change_cipher ( tls ) ) != 0 ) {
3882 DBGC ( tls, "TLS %p could not send Change Cipher: "
3883 "%s\n", tls, strerror ( rc ) );
3884 goto err;
3885 }
3886 if ( ( rc = tls_change_cipher ( tls,
3887 &tls->tx.cipherspec ) ) != 0 ){
3888 DBGC ( tls, "TLS %p could not activate TX cipher: "
3889 "%s\n", tls, strerror ( rc ) );
3890 goto err;
3891 }
3892 tls->tx.seq = 0;
3893 tls->tx.pending &= ~TLS_TX_CHANGE_CIPHER;
3894 } else if ( tls->tx.pending & TLS_TX_FINISHED ) {
3895 /* Send Finished */
3896 if ( ( rc = tls_send_finished ( tls ) ) != 0 ) {
3897 DBGC ( tls, "TLS %p could not send Finished: %s\n",
3898 tls, strerror ( rc ) );
3899 goto err;
3900 }
3901 tls->tx.pending &= ~TLS_TX_FINISHED;
3902 }
3903
3904 /* Reschedule process if pending transmissions remain,
3905 * otherwise send notification of a window change.
3906 */
3907 if ( tls->tx.pending ) {
3908 tls_tx_resume ( tls );
3909 } else {
3910 xfer_window_changed ( &tls->plainstream );
3911 }
3912
3913 return;
3914
3915 err:
3916 tls_close ( tls, rc );
3917}
3918
3919/** TLS TX process descriptor */
3920static struct process_descriptor tls_process_desc =
3921 PROC_DESC_ONCE ( struct tls_connection, tx.process, tls_tx_step );
3922
3923/******************************************************************************
3924 *
3925 * Session management
3926 *
3927 ******************************************************************************
3928 */
3929
3930/**
3931 * Find or create session for TLS connection
3932 *
3933 * @v tls TLS connection
3934 * @v name Server name
3935 * @ret rc Return status code
3936 */
3937static int tls_session ( struct tls_connection *tls, const char *name ) {
3938 struct tls_session *session;
3939 char *name_copy;
3940 int rc;
3941
3942 /* Find existing matching session, if any */
3943 list_for_each_entry ( session, &tls_sessions, list ) {
3944 if ( ( strcmp ( name, session->name ) == 0 ) &&
3945 ( tls->server.root == session->root ) &&
3946 ( tls->client.key == session->key ) ) {
3947 ref_get ( &session->refcnt );
3948 tls->session = session;
3949 DBGC ( tls, "TLS %p joining session %s\n", tls, name );
3950 return 0;
3951 }
3952 }
3953
3954 /* Create new session */
3955 session = zalloc ( sizeof ( *session ) + strlen ( name )
3956 + 1 /* NUL */ );
3957 if ( ! session ) {
3958 rc = -ENOMEM;
3959 goto err_alloc;
3960 }
3961 ref_init ( &session->refcnt, free_tls_session );
3962 name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
3963 strcpy ( name_copy, name );
3964 session->name = name_copy;
3965 session->root = x509_root_get ( tls->server.root );
3966 session->key = privkey_get ( tls->client.key );
3967 INIT_LIST_HEAD ( &session->conn );
3968 list_add ( &session->list, &tls_sessions );
3969
3970 /* Record session */
3971 tls->session = session;
3972
3973 DBGC ( tls, "TLS %p created session %s\n", tls, name );
3974 return 0;
3975
3976 ref_put ( &session->refcnt );
3977 err_alloc:
3978 return rc;
3979}
3980
3981/******************************************************************************
3982 *
3983 * Instantiator
3984 *
3985 ******************************************************************************
3986 */
3987
3988/**
3989 * Add TLS on an interface
3990 *
3991 * @v xfer Data transfer interface
3992 * @v name Host name
3993 * @v root Root of trust (or NULL to use default)
3994 * @v key Private key (or NULL to use default)
3995 * @ret rc Return status code
3996 */
3997int add_tls ( struct interface *xfer, const char *name,
3998 struct x509_root *root, struct private_key *key ) {
3999 struct tls_connection *tls;
4000 int rc;
4001
4002 /* Allocate and initialise TLS structure */
4003 tls = malloc ( sizeof ( *tls ) );
4004 if ( ! tls ) {
4005 rc = -ENOMEM;
4006 goto err_alloc;
4007 }
4008 memset ( tls, 0, sizeof ( *tls ) );
4009 ref_init ( &tls->refcnt, free_tls );
4010 INIT_LIST_HEAD ( &tls->list );
4011 intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
4012 intf_init ( &tls->cipherstream, &tls_cipherstream_desc, &tls->refcnt );
4013 intf_init ( &tls->server.validator, &tls_validator_desc, &tls->refcnt );
4014 process_init_stopped ( &tls->tx.process, &tls_process_desc,
4015 &tls->refcnt );
4016 tls->client.key = privkey_get ( key ? key : &private_key );
4017 tls->server.root = x509_root_get ( root ? root : &root_certificates );
4018 tls->version = TLS_VERSION_MAX;
4019 tls_clear_cipher ( tls, &tls->tx.cipherspec.active );
4020 tls_clear_cipher ( tls, &tls->tx.cipherspec.pending );
4021 tls_clear_cipher ( tls, &tls->rx.cipherspec.active );
4022 tls_clear_cipher ( tls, &tls->rx.cipherspec.pending );
4023 tls_clear_handshake ( tls );
4024 iob_populate ( &tls->rx.iobuf, &tls->rx.header, 0,
4025 sizeof ( tls->rx.header ) );
4026 INIT_LIST_HEAD ( &tls->rx.data );
4027 if ( ( rc = tls_generate_random ( tls, &tls->client.random.random,
4028 ( sizeof ( tls->client.random.random ) ) ) ) != 0 ) {
4029 goto err_random;
4030 }
4031 if ( ( rc = tls_session ( tls, name ) ) != 0 )
4032 goto err_session;
4033 list_add_tail ( &tls->list, &tls->session->conn );
4034
4035 /* Start negotiation */
4036 tls_restart ( tls );
4037
4038 /* Attach to parent interface, mortalise self, and return */
4039 intf_insert ( xfer, &tls->plainstream, &tls->cipherstream );
4040 ref_put ( &tls->refcnt );
4041 return 0;
4042
4043 err_session:
4044 err_random:
4045 ref_put ( &tls->refcnt );
4046 err_alloc:
4047 return rc;
4048}
4049
4050/* Drag in objects via add_tls() */
4051REQUIRING_SYMBOL ( add_tls );
4052
4053/* Drag in crypto configuration */
4054REQUIRE_OBJECT ( config_crypto );
NULL
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
key
union @162305117151260234136356364136041353210355154177 key
Sense key.
Definition scsi.h:3
ctx
struct golan_eq_context ctx
Definition CIB_PRM.h:0
sig
u8 sig
Definition CIB_PRM.h:15
signature
u8 signature
CPU signature.
Definition CIB_PRM.h:7
out
__be32 out[4]
Definition CIB_PRM.h:8
typeof
typeof(acpi_finder=acpi_find)
ACPI table finder.
Definition acpi.c:48
aes.h
AES algorithm.
link
u32 link
Link to next descriptor.
Definition ar9003_mac.h:1
pad
u32 pad[9]
Padding.
Definition ar9003_mac.h:23
rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3
value
pseudo_bit_t value[0x00020]
Definition arbel.h:2
hash
pseudo_bit_t hash[0x00010]
Definition arbel.h:2
code
static unsigned int code
Response code.
Definition hyperv.h:26
uint16_t
unsigned short uint16_t
Definition stdint.h:11
uint32_t
unsigned int uint32_t
Definition stdint.h:12
uint64_t
unsigned long long uint64_t
Definition stdint.h:13
uint8_t
unsigned char uint8_t
Definition stdint.h:10
pad_len
long pad_len
Definition bigint.h:31
dest
if(len >=6 *4) __asm__ __volatile__("movsl" if(len >=5 *4) __asm__ __volatile__("movsl" if(len >=4 *4) __asm__ __volatile__("movsl" if(len >=3 *4) __asm__ __volatile__("movsl" if(len >=2 *4) __asm__ __volatile__("movsl" if(len >=1 *4) __asm__ __volatile__("movsl" if((len % 4) >=2) __asm__ __volatile__("movsw" if((len % 2) >=1) __asm__ __volatile__("movsb" retur dest)
Definition string.h:151
asn1_prepend_raw
int asn1_prepend_raw(struct asn1_builder *builder, const void *data, size_t len)
Prepend raw data to ASN.1 builder.
Definition asn1.c:949
assert
#define assert(condition)
Assert a condition at run-time.
Definition assert.h:50
version
u32 version
Driver version.
Definition ath9k_hw.c:1985
name
const char * name
Definition ath9k_hw.c:1986
max
#define max(x, y)
Definition ath.h:41
done
struct bofm_section_header done
Definition bofm_test.c:46
offset
uint16_t offset
Offset to command line.
Definition bzimage.h:3
certstore
struct x509_chain certstore
Certificate store.
Definition certstore.c:90
certstore.h
Certificate store.
crypto.h
Cryptographic configuration.
TLS_VERSION_MIN
#define TLS_VERSION_MIN
Minimum TLS version.
Definition crypto.h:14
cipher_null
struct cipher_algorithm cipher_null
Definition crypto_null.c:84
pubkey_null
struct pubkey_algorithm pubkey_null
Definition crypto_null.c:123
digest_null
struct digest_algorithm digest_null
Definition crypto_null.c:49
dhe_key
int dhe_key(const void *modulus, size_t len, const void *generator, size_t generator_len, const void *partner, size_t partner_len, const void *private, size_t private_len, void *public, void *shared)
Calculate Diffie-Hellman key.
Definition dhe.c:54
dhe.h
Ephemeral Diffie-Hellman key exchange.
next
uint32_t next
Next descriptor address.
Definition dwmac.h:11
len
ring len
Length.
Definition dwmac.h:226
ecdhe_key
int ecdhe_key(struct elliptic_curve *curve, const void *partner, const void *private, void *public, void *shared)
Calculate ECDHE key.
Definition ecdhe.c:47
ecdhe.h
Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange.
fixed
struct eltorito_descriptor_fixed fixed
Fixed portion.
Definition eltorito.h:1
ext
uint16_t ext
Extended status.
Definition ena.h:9
type
uint32_t type
Operating system type.
Definition ena.h:1
data
uint8_t data[48]
Additional event data.
Definition ena.h:11
spec
uint16_t spec
ENA specification version.
Definition ena.h:15
header
struct ena_llq_option header
Header locations.
Definition ena.h:5
meta
uint8_t meta
Metadata flags.
Definition ena.h:3
mac
uint8_t mac[ETH_ALEN]
MAC address.
Definition ena.h:13
errno.h
Error codes.
__unused
#define __unused
Declare a variable or data structure as unused.
Definition compiler.h:573
DBGC2
#define DBGC2(...)
Definition compiler.h:522
DBGC2_HD
#define DBGC2_HD(...)
Definition compiler.h:524
DBGC_HD
#define DBGC_HD(...)
Definition compiler.h:507
DBGC2_HDA
#define DBGC2_HDA(...)
Definition compiler.h:523
DBGC
#define DBGC(...)
Definition compiler.h:505
DBGC_HDA
#define DBGC_HDA(...)
Definition compiler.h:506
count
static unsigned int count
Number of entries.
Definition dwmac.h:220
FILE_LICENCE
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896
REQUIRE_OBJECT
#define REQUIRE_OBJECT(object)
Require an object.
Definition compiler.h:202
ENOMEM
#define ENOMEM
Not enough space.
Definition errno.h:535
ENOTCONN
#define ENOTCONN
The socket is not connected.
Definition errno.h:570
FILE_SECBOOT
#define FILE_SECBOOT(_status)
Declare a file's UEFI Secure Boot permission status.
Definition compiler.h:926
REQUIRING_SYMBOL
#define REQUIRING_SYMBOL(symbol)
Specify the file's requiring symbol.
Definition compiler.h:140
hmac_init
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition hmac.c:58
hmac_final
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition hmac.c:88
hmac.h
Keyed-Hashing for Message Authentication.
hmac_update
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition hmac.h:43
hmac_ctxsize
static size_t hmac_ctxsize(struct digest_algorithm *digest)
Calculate HMAC context size.
Definition hmac.h:29
cpu_to_be16
#define cpu_to_be16(value)
Definition byteswap.h:110
htonl
#define htonl(value)
Definition byteswap.h:134
cpu_to_le32
#define cpu_to_le32(value)
Definition byteswap.h:108
htons
#define htons(value)
Definition byteswap.h:136
ntohs
#define ntohs(value)
Definition byteswap.h:137
cpu_to_be64
#define cpu_to_be64(value)
Definition byteswap.h:112
be16_to_cpu
#define be16_to_cpu(value)
Definition byteswap.h:116
__attribute__
#define __attribute__(x)
Definition compiler.h:10
is_block_cipher
static int is_block_cipher(struct cipher_algorithm *cipher)
Definition crypto.h:277
digest_init
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition crypto.h:219
cipher_setkey
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition crypto.h:235
digest_final
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition crypto.h:230
pubkey_encrypt
static int pubkey_encrypt(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, const struct asn1_cursor *plaintext, struct asn1_builder *ciphertext)
Definition crypto.h:287
pubkey_verify
static int pubkey_verify(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, const struct asn1_cursor *signature)
Definition crypto.h:308
digest_update
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition crypto.h:224
cipher_setiv
static void cipher_setiv(struct cipher_algorithm *cipher, void *ctx, const void *iv, size_t ivlen)
Definition crypto.h:241
cipher_decrypt
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition crypto.h:261
is_auth_cipher
static int is_auth_cipher(struct cipher_algorithm *cipher)
Definition crypto.h:282
pubkey_sign
static int pubkey_sign(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, struct asn1_builder *signature)
Definition crypto.h:301
cipher_encrypt
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition crypto.h:251
cipher_auth
static void cipher_auth(struct cipher_algorithm *cipher, void *ctx, void *auth)
Definition crypto.h:267
string.h
String functions.
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
memset
void * memset(void *dest, int character, size_t len) __nonnull
memmove
void * memmove(void *dest, const void *src, size_t len) __nonnull
intf_close
void intf_close(struct interface *intf, int rc)
Close an object interface.
Definition interface.c:250
intf_shutdown
void intf_shutdown(struct interface *intf, int rc)
Shut down an object interface.
Definition interface.c:279
intf_insert
void intf_insert(struct interface *intf, struct interface *upper, struct interface *lower)
Insert a filter interface.
Definition interface.c:402
intf_restart
void intf_restart(struct interface *intf, int rc)
Shut down and restart an object interface.
Definition interface.c:344
INTF_DESC
#define INTF_DESC(object_type, intf, operations)
Define an object interface descriptor.
Definition interface.h:81
INTF_DESC_PASSTHRU
#define INTF_DESC_PASSTHRU(object_type, intf, operations, passthru)
Define an object interface descriptor with pass-through interface.
Definition interface.h:98
intf_init
static void intf_init(struct interface *intf, struct interface_descriptor *desc, struct refcnt *refcnt)
Initialise an object interface.
Definition interface.h:204
INTF_OP
#define INTF_OP(op_type, object_type, op_func)
Define an object interface operation.
Definition interface.h:33
free_iob
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition iobuf.c:153
alloc_iob_raw
struct io_buffer * alloc_iob_raw(size_t len, size_t align, size_t offset)
Allocate I/O buffer with specified alignment and offset.
Definition iobuf.c:49
iob_concatenate
struct io_buffer * iob_concatenate(struct list_head *list)
Concatenate I/O buffers into a single buffer.
Definition iobuf.c:250
iobuf.h
I/O buffers.
iob_push
#define iob_push(iobuf, len)
Definition iobuf.h:89
iob_populate
static void iob_populate(struct io_buffer *iobuf, void *data, size_t len, size_t max_len)
Create a temporary I/O buffer.
Definition iobuf.h:195
iob_put
#define iob_put(iobuf, len)
Definition iobuf.h:125
iob_disown
#define iob_disown(iobuf)
Disown an I/O buffer.
Definition iobuf.h:217
iob_len
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition iobuf.h:160
iob_reserve
#define iob_reserve(iobuf, len)
Definition iobuf.h:72
iob_pull
#define iob_pull(iobuf, len)
Definition iobuf.h:107
iob_unput
#define iob_unput(iobuf, len)
Definition iobuf.h:140
iob_tailroom
static size_t iob_tailroom(struct io_buffer *iobuf)
Calculate available space at end of an I/O buffer.
Definition iobuf.h:180
job_progress
int job_progress(struct interface *intf, struct job_progress *progress)
Get job progress.
Definition job.c:44
job.h
Job control interfaces.
tmp
unsigned long tmp
Definition linux_pci.h:65
list_first_entry
#define list_first_entry(list, type, member)
Get the container of the first entry in a list.
Definition list.h:334
list_last_entry
#define list_last_entry(list, type, member)
Get the container of the last entry in a list.
Definition list.h:347
list_for_each_entry_safe
#define list_for_each_entry_safe(pos, tmp, head, member)
Iterate over entries in a list, safe against deletion of the current entry.
Definition list.h:459
list_add_tail
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition list.h:94
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition list.h:432
list_del
#define list_del(list)
Delete an entry from a list.
Definition list.h:120
INIT_LIST_HEAD
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition list.h:46
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition list.h:137
LIST_HEAD
#define LIST_HEAD(list)
Declare a static list head.
Definition list.h:38
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition list.h:70
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition malloc.c:662
malloc
void * malloc(size_t size)
Allocate memory.
Definition malloc.c:621
md5_algorithm
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition md5.c:287
md5.h
MD5 algorithm.
alert
void alert(unsigned int row, const char *fmt,...)
Show alert message.
Definition message.c:104
open.h
Data transfer interface opening.
first
uint32_t first
First block in range.
Definition pccrr.h:1
pending_put
void pending_put(struct pending_operation *pending)
Mark an operation as no longer pending.
Definition pending.c:59
pending_get
void pending_get(struct pending_operation *pending)
Mark an operation as pending.
Definition pending.c:46
pending.h
Pending operations.
is_pending
static int is_pending(struct pending_operation *pending)
Check if an operation is pending.
Definition pending.h:25
privkey.h
Private key.
privkey_cursor
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
Definition privkey.h:53
privkey_put
static void privkey_put(struct private_key *key)
Drop reference to private key.
Definition privkey.h:42
privkey_get
static struct private_key * privkey_get(struct private_key *key)
Get reference to private key.
Definition privkey.h:31
process_del
void process_del(struct process *process)
Remove process from process list.
Definition process.c:80
process_add
void process_add(struct process *process)
Add process to process list.
Definition process.c:60
PROC_DESC_ONCE
#define PROC_DESC_ONCE(object_type, process, _step)
Define a process descriptor for a process that runs only once.
Definition process.h:98
process_init_stopped
static void process_init_stopped(struct process *process, struct process_descriptor *desc, struct refcnt *refcnt)
Initialise process without adding to process list.
Definition process.h:146
random
long int random(void)
Generate a pseudo-random number between 0 and 2147483647L or 2147483562?
Definition random.c:32
rbg_generate
int rbg_generate(const void *additional, size_t additional_len, int prediction_resist, void *data, size_t len)
Generate bits using RBG.
Definition rbg.c:117
rbg.h
RBG mechanism.
free
static void(* free)(struct refcnt *refcnt))
Definition refcnt.h:55
ref_get
#define ref_get(refcnt)
Get additional reference to object.
Definition refcnt.h:93
ref_put
#define ref_put(refcnt)
Drop reference to object.
Definition refcnt.h:107
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition refcnt.h:65
root_certificates
struct x509_root root_certificates
Root certificates.
Definition rootcert.c:79
rootcert.h
Root certificate store.
rsa.h
RSA public-key cryptography.
__rsa_digestinfo_prefix
#define __rsa_digestinfo_prefix
Declare an RSA digestInfo prefix.
Definition rsa.h:57
sha1_algorithm
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition sha1.c:258
sha1.h
SHA-1 algorithm.
sha256.h
SHA-256 algorithm.
length
u16 length
Definition sky2.h:1
va_copy
#define va_copy(dest, src)
Definition stdarg.h:11
va_arg
#define va_arg(ap, type)
Definition stdarg.h:9
va_end
#define va_end(ap)
Definition stdarg.h:10
va_start
#define va_start(ap, last)
Definition stdarg.h:8
va_list
__builtin_va_list va_list
Definition stdarg.h:7
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition stddef.h:36
ENOTSUP_VERSION
#define ENOTSUP_VERSION
Definition stp.c:46
root
struct stp_switch root
Root switch.
Definition stp.h:15
hello
uint16_t hello
Hello time.
Definition stp.h:27
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition strerror.c:79
memswap
void * memswap(void *first, void *second, size_t len)
Swap memory regions.
Definition string.c:154
strcmp
int strcmp(const char *first, const char *second)
Compare strings.
Definition string.c:174
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition string.c:115
strcpy
char * strcpy(char *dest, const char *src)
Copy string.
Definition string.c:347
strlen
size_t strlen(const char *src)
Get length of string.
Definition string.c:244
asn1_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition asn1.h:414
asn1_builder
An ASN.1 object builder.
Definition asn1.h:29
asn1_builder::data
void * data
Data.
Definition asn1.h:36
asn1_builder::len
size_t len
Length of data.
Definition asn1.h:38
asn1_cursor
An ASN.1 object cursor.
Definition asn1.h:21
asn1_cursor::data
const void * data
Start of data.
Definition asn1.h:23
asn1_cursor::len
size_t len
Length of data.
Definition asn1.h:25
cipher_algorithm
A cipher algorithm.
Definition crypto.h:51
cipher_algorithm::name
const char * name
Algorithm name.
Definition crypto.h:53
cipher_algorithm::blocksize
size_t blocksize
Block size.
Definition crypto.h:61
cipher_algorithm::ctxsize
size_t ctxsize
Context size.
Definition crypto.h:55
cipher_algorithm::authsize
size_t authsize
Authentication tag size.
Definition crypto.h:75
cipher_algorithm::alignsize
size_t alignsize
Alignment size.
Definition crypto.h:73
digest_algorithm
A message digest algorithm.
Definition crypto.h:19
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition crypto.h:27
digest_algorithm::ctxsize
size_t ctxsize
Context size.
Definition crypto.h:23
digest_algorithm::name
const char * name
Algorithm name.
Definition crypto.h:21
elliptic_curve::name
const char * name
Curve name.
Definition crypto.h:180
elliptic_curve::keysize
size_t keysize
Scalar (and private key) size.
Definition crypto.h:184
elliptic_curve::pointsize
size_t pointsize
Point (and public key) size.
Definition crypto.h:182
interface_descriptor
An object interface descriptor.
Definition interface.h:56
interface_operation
An object interface operation.
Definition interface.h:18
interface
An object interface.
Definition interface.h:125
io_buffer
A persistent I/O buffer.
Definition iobuf.h:38
io_buffer::data
void * data
Start of data.
Definition iobuf.h:53
io_buffer::tail
void * tail
End of data.
Definition iobuf.h:55
io_buffer::list
struct list_head list
List of which this buffer is a member.
Definition iobuf.h:45
job_progress
Job progress.
Definition job.h:16
list_head
A doubly-linked list entry (or list head)
Definition list.h:19
md5_sha1_context
An MD5+SHA1 context.
Definition tls.h:320
md5_sha1_context::sha1
uint8_t sha1[SHA1_CTX_SIZE]
SHA-1 context.
Definition tls.h:324
md5_sha1_context::md5
uint8_t md5[MD5_CTX_SIZE]
MD5 context.
Definition tls.h:322
md5_sha1_digest
An MD5+SHA1 digest.
Definition tls.h:331
md5_sha1_digest::md5
uint8_t md5[MD5_DIGEST_SIZE]
MD5 digest.
Definition tls.h:333
md5_sha1_digest::sha1
uint8_t sha1[SHA1_DIGEST_SIZE]
SHA-1 digest.
Definition tls.h:335
private_key
A private key.
Definition privkey.h:17
process_descriptor
A process descriptor.
Definition process.h:32
process
A process.
Definition process.h:18
pubkey_algorithm
A public key algorithm.
Definition crypto.h:122
pubkey_algorithm::name
const char * name
Algorithm name.
Definition crypto.h:124
refcnt
A reference counter.
Definition refcnt.h:27
rsa_digestinfo_prefix
An RSA digestInfo prefix.
Definition rsa.h:43
tls24_t
A TLS 24-bit integer.
Definition tls.c:223
tls24_t::high
uint8_t high
High byte.
Definition tls.c:225
tls24_t::low
uint16_t low
Low word.
Definition tls.c:227
tls_auth_header
TLS authentication header.
Definition tls.h:158
tls_auth_header::seq
uint64_t seq
Sequence number.
Definition tls.h:160
tls_auth_header::header
struct tls_header header
TLS header.
Definition tls.h:162
tls_cipher_suite
A TLS cipher suite.
Definition tls.h:203
tls_cipher_suite::fixed_iv_len
uint8_t fixed_iv_len
Fixed initialisation vector length.
Definition tls.h:219
tls_cipher_suite::cipher
struct cipher_algorithm * cipher
Bulk encryption cipher algorithm.
Definition tls.h:209
tls_cipher_suite::pubkey
struct pubkey_algorithm * pubkey
Public-key encryption algorithm.
Definition tls.h:207
tls_cipher_suite::key_len
uint8_t key_len
Key length.
Definition tls.h:217
tls_cipher_suite::mac_len
uint8_t mac_len
MAC length.
Definition tls.h:223
tls_cipher_suite::record_iv_len
uint8_t record_iv_len
Record initialisation vector length.
Definition tls.h:221
tls_cipher_suite::digest
struct digest_algorithm * digest
MAC digest algorithm.
Definition tls.h:211
tls_cipher_suite::exchange
struct tls_key_exchange_algorithm * exchange
Key exchange algorithm.
Definition tls.h:205
tls_cipher_suite::code
uint16_t code
Numeric code (in network-endian order)
Definition tls.h:215
tls_cipher_suite::handshake
struct digest_algorithm * handshake
Handshake digest algorithm (for TLSv1.2 and above)
Definition tls.h:213
tls_cipherspec_pair
A TLS cipher specification pair.
Definition tls.h:275
tls_cipherspec_pair::pending
struct tls_cipherspec pending
Next cipher specification.
Definition tls.h:279
tls_cipherspec_pair::active
struct tls_cipherspec active
Current cipher specification.
Definition tls.h:277
tls_cipherspec
A TLS cipher specification.
Definition tls.h:261
tls_cipherspec::fixed_iv
void * fixed_iv
Fixed initialisation vector.
Definition tls.h:271
tls_cipherspec::suite
struct tls_cipher_suite * suite
Cipher suite.
Definition tls.h:263
tls_cipherspec::cipher_ctx
void * cipher_ctx
Bulk encryption cipher context.
Definition tls.h:267
tls_cipherspec::dynamic
void * dynamic
Dynamically-allocated storage.
Definition tls.h:265
tls_cipherspec::mac_secret
void * mac_secret
MAC secret.
Definition tls.h:269
tls_client_random::random
uint8_t random[32]
Random data.
Definition tls.h:316
tls_client::random
struct tls_client_random random
Random bytes.
Definition tls.h:405
tls_client::key
struct private_key * key
Private key (if used)
Definition tls.h:407
tls_client::chain
struct x509_chain * chain
Certificate chain (if used)
Definition tls.h:409
tls_client::negotiation
struct pending_operation negotiation
Security negotiation pending operation.
Definition tls.h:411
tls_connection
A TLS connection.
Definition tls.h:437
tls_connection::cipherstream
struct interface cipherstream
Ciphertext stream.
Definition tls.h:457
tls_connection::session
struct tls_session * session
Session.
Definition tls.h:442
tls_connection::master_secret
uint8_t master_secret[48]
Master secret.
Definition tls.h:462
tls_connection::server
struct tls_server server
Server state.
Definition tls.h:481
tls_connection::rx
struct tls_rx rx
Receive state.
Definition tls.h:477
tls_connection::handshake_ctx
uint8_t * handshake_ctx
Digest algorithm context used for handshake verification.
Definition tls.h:466
tls_connection::new_session_ticket
void * new_session_ticket
New session ticket.
Definition tls.h:450
tls_connection::verify
struct tls_verify_data verify
Verification data.
Definition tls.h:472
tls_connection::session_id_len
size_t session_id_len
Length of session ID.
Definition tls.h:448
tls_connection::plainstream
struct interface plainstream
Plaintext stream.
Definition tls.h:455
tls_connection::tx
struct tls_tx tx
Transmit state.
Definition tls.h:475
tls_connection::session_id
uint8_t session_id[32]
Session ID.
Definition tls.h:446
tls_connection::extended_master_secret
int extended_master_secret
Extended master secret flag.
Definition tls.h:470
tls_connection::list
struct list_head list
List of connections within the same session.
Definition tls.h:444
tls_connection::client
struct tls_client client
Client state.
Definition tls.h:479
tls_connection::handshake_digest
struct digest_algorithm * handshake_digest
Digest algorithm used for handshake verification.
Definition tls.h:464
tls_connection::version
uint16_t version
Protocol version.
Definition tls.h:460
tls_connection::new_session_ticket_len
size_t new_session_ticket_len
Length of new session ticket.
Definition tls.h:452
tls_connection::refcnt
struct refcnt refcnt
Reference counter.
Definition tls.h:439
tls_connection::secure_renegotiation
int secure_renegotiation
Secure renegotiation flag.
Definition tls.h:468
tls_header
A TLS header.
Definition tls.h:29
tls_header::version
uint16_t version
Protocol version.
Definition tls.h:39
tls_header::length
uint16_t length
Length of payload.
Definition tls.h:41
tls_header::type
uint8_t type
Content type.
Definition tls.h:34
tls_key_exchange_algorithm
A TLS key exchange algorithm.
Definition tls.h:190
tls_key_exchange_algorithm::name
const char * name
Algorithm name.
Definition tls.h:192
tls_key_exchange_algorithm::exchange
int(* exchange)(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition tls.h:199
tls_named_curve
A TLS named curve.
Definition tls.h:241
tls_named_curve::pre_master_secret_len
uint8_t pre_master_secret_len
Pre-master secret length.
Definition tls.h:249
tls_named_curve::format
uint8_t format
Curve point format byte (if any)
Definition tls.h:247
tls_named_curve::curve
struct elliptic_curve * curve
Elliptic curve.
Definition tls.h:243
tls_rx::cipherspec
struct tls_cipherspec_pair cipherspec
Cipher specifications.
Definition tls.h:387
tls_rx::data
struct list_head data
List of received data buffers.
Definition tls.h:397
tls_rx::iobuf
struct io_buffer iobuf
Current received record header (static I/O buffer)
Definition tls.h:395
tls_rx::handshake
struct io_buffer * handshake
Received handshake fragment.
Definition tls.h:399
tls_rx::state
enum tls_rx_state state
State machine current state.
Definition tls.h:391
tls_rx::header
struct tls_header header
Current received record header.
Definition tls.h:393
tls_rx::seq
uint64_t seq
Sequence number.
Definition tls.h:389
tls_server::key
struct asn1_cursor key
Public key (within server certificate)
Definition tls.h:427
tls_server::validation
struct pending_operation validation
Certificate validation pending operation.
Definition tls.h:431
tls_server::validator
struct interface validator
Certificate validator.
Definition tls.h:429
tls_server::root
struct x509_root * root
Root of trust.
Definition tls.h:423
tls_server::exchange
void * exchange
Server Key Exchange record (if any)
Definition tls.h:419
tls_server::negotiation
struct pending_operation negotiation
Security negotiation pending operation.
Definition tls.h:433
tls_server::chain
struct x509_chain * chain
Certificate chain.
Definition tls.h:425
tls_server::exchange_len
size_t exchange_len
Server Key Exchange record length.
Definition tls.h:421
tls_server::random
uint8_t random[32]
Random bytes.
Definition tls.h:417
tls_session
A TLS session.
Definition tls.h:342
tls_session::key
struct private_key * key
Private key.
Definition tls.h:353
tls_session::id
uint8_t id[32]
Session ID.
Definition tls.h:356
tls_session::extended_master_secret
int extended_master_secret
Extended master secret flag.
Definition tls.h:366
tls_session::name
const char * name
Server name.
Definition tls.h:349
tls_session::id_len
size_t id_len
Length of session ID.
Definition tls.h:358
tls_session::ticket_len
size_t ticket_len
Length of session ticket.
Definition tls.h:362
tls_session::master_secret
uint8_t master_secret[48]
Master secret.
Definition tls.h:364
tls_session::root
struct x509_root * root
Root of trust.
Definition tls.h:351
tls_session::conn
struct list_head conn
List of connections.
Definition tls.h:369
tls_session::refcnt
struct refcnt refcnt
Reference counter.
Definition tls.h:344
tls_session::ticket
void * ticket
Session ticket.
Definition tls.h:360
tls_session::list
struct list_head list
List of sessions.
Definition tls.h:346
tls_signature_hash_algorithm
A TLS signature algorithm.
Definition tls.h:291
tls_signature_hash_algorithm::code
struct tls_signature_hash_id code
Numeric code.
Definition tls.h:297
tls_signature_hash_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm.
Definition tls.h:295
tls_signature_hash_algorithm::digest
struct digest_algorithm * digest
Digest algorithm.
Definition tls.h:293
tls_signature_hash_id
A TLS signature and hash algorithm identifier.
Definition tls.h:283
tls_signature_hash_id::hash
uint8_t hash
Hash algorithm.
Definition tls.h:285
tls_signature_hash_id::signature
uint8_t signature
Signature algorithm.
Definition tls.h:287
tls_tx::seq
uint64_t seq
Sequence number.
Definition tls.h:377
tls_tx::pending
unsigned int pending
Pending transmissions.
Definition tls.h:379
tls_tx::cipherspec
struct tls_cipherspec_pair cipherspec
Cipher specifications.
Definition tls.h:375
tls_tx::process
struct process process
Transmit process.
Definition tls.h:381
tls_verify_data::client
uint8_t client[12]
Client verification data.
Definition tls.h:168
tls_verify_data::server
uint8_t server[12]
Server verification data.
Definition tls.h:170
x509_certificate
An X.509 certificate.
Definition x509.h:216
x509_certificate::subject
struct x509_subject subject
Subject.
Definition x509.h:245
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition x509.h:231
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition x509.h:239
x509_chain::links
struct list_head links
List of links.
Definition x509.h:205
x509_link
A link in an X.509 certificate chain.
Definition x509.h:171
x509_public_key::raw
struct asn1_cursor raw
Raw public key information.
Definition x509.h:52
x509_root
An X.509 root certificate list.
Definition x509.h:375
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition x509.h:66
xfer_metadata
Data transfer metadata.
Definition xfer.h:23
for_each_table_entry
#define for_each_table_entry(pointer, table)
Iterate through all entries within a linker table.
Definition tables.h:386
tls_alloc_iob
static struct io_buffer * tls_alloc_iob(struct tls_connection *tls, size_t len)
Allocate I/O buffer for transmitted record(s)
Definition tls.c:3061
EINVAL_CHANGE_CIPHER
#define EINVAL_CHANGE_CIPHER
Definition tls.c:58
tls_cipherstream_desc
static struct interface_descriptor tls_cipherstream_desc
TLS ciphertext stream interface descriptor.
Definition tls.c:3721
tls_hmac_init
static void tls_hmac_init(struct tls_cipherspec *cipherspec, void *ctx, struct tls_auth_header *authhdr)
Initialise HMAC.
Definition tls.c:2946
tls_new_ciphertext
static int tls_new_ciphertext(struct tls_connection *tls, struct tls_header *tlshdr, struct list_head *rx_data)
Receive new ciphertext record.
Definition tls.c:3292
tls_prf_label
#define tls_prf_label(tls, secret, secret_len, out, out_len, label,...)
Generate secure pseudo-random data.
Definition tls.c:627
EINVAL_ALERT
#define EINVAL_ALERT
Definition tls.c:62
tls_send_handshake
static int tls_send_handshake(struct tls_connection *tls, const void *data, size_t len)
Transmit Handshake record.
Definition tls.c:1158
ENOTSUP_CIPHER
#define ENOTSUP_CIPHER
Definition tls.c:146
tls_new_finished
static int tls_new_finished(struct tls_connection *tls, const void *data, size_t len)
Receive new Finished handshake record.
Definition tls.c:2653
tls_progress
static int tls_progress(struct tls_connection *tls, struct job_progress *progress)
Report job progress.
Definition tls.c:3483
ENOTSUP_NULL
#define ENOTSUP_NULL
Definition tls.c:150
tls_signature_hash_pubkey
static struct pubkey_algorithm * tls_signature_hash_pubkey(struct tls_signature_hash_id code)
Find TLS signature algorithm.
Definition tls.c:1042
tls_validator_done
static void tls_validator_done(struct tls_connection *tls, int rc)
Handle certificate validation completion.
Definition tls.c:3738
md5_sha1_init
static void md5_sha1_init(void *ctx)
Initialise MD5+SHA1 algorithm.
Definition tls.c:295
EINVAL_KEY_EXCHANGE
#define EINVAL_KEY_EXCHANGE
Definition tls.c:110
tls_generate_random
static int tls_generate_random(struct tls_connection *tls, void *data, size_t len)
Generate random data.
Definition tls.c:464
tls_send_alert
static int tls_send_alert(struct tls_connection *tls, unsigned int level, unsigned int description)
Transmit Alert record.
Definition tls.c:2014
tls_select_handshake
static int tls_select_handshake(struct tls_connection *tls, struct digest_algorithm *digest)
Select handshake digest algorithm.
Definition tls.c:799
ENOMEM_CHAIN
#define ENOMEM_CHAIN
Definition tls.c:126
tls_p_hash_va
static void tls_p_hash_va(struct tls_connection *tls, struct digest_algorithm *digest, const void *secret, size_t secret_len, void *out, size_t out_len, va_list seeds)
Generate secure pseudo-random data using a single hash function.
Definition tls.c:509
tls_send_certificate
static int tls_send_certificate(struct tls_connection *tls)
Transmit Certificate record.
Definition tls.c:1364
tls_tx_resume
static void tls_tx_resume(struct tls_connection *tls)
Resume TX state machine.
Definition tls.c:1114
EPERM_EMS
#define EPERM_EMS
Definition tls.c:186
tls_validator_ops
static struct interface_operation tls_validator_ops[]
TLS certificate validator interface operations.
Definition tls.c:3790
free_tls_session
static void free_tls_session(struct refcnt *refcnt)
Free TLS session.
Definition tls.c:360
tls_verify_dh_params
static int tls_verify_dh_params(struct tls_connection *tls, size_t param_len)
Verify Diffie-Hellman parameter signature.
Definition tls.c:1502
tls_new_change_cipher
static int tls_new_change_cipher(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Change Cipher record.
Definition tls.c:2036
tls_generate_master_secret
static void tls_generate_master_secret(struct tls_connection *tls, const void *pre_master_secret, size_t pre_master_secret_len)
Generate master secret.
Definition tls.c:647
ENOTSUP_CURVE
#define ENOTSUP_CURVE
Definition tls.c:162
EINVAL_RX_STATE
#define EINVAL_RX_STATE
Definition tls.c:98
tls_tx_step
static void tls_tx_step(struct tls_connection *tls)
TLS TX state machine.
Definition tls.c:3811
EINVAL_CERTIFICATES
#define EINVAL_CERTIFICATES
Definition tls.c:74
tls_newdata_process_data
static int tls_newdata_process_data(struct tls_connection *tls)
Handle received TLS data payload.
Definition tls.c:3606
EPERM_KEY_EXCHANGE
#define EPERM_KEY_EXCHANGE
Definition tls.c:182
tls_send_finished
static int tls_send_finished(struct tls_connection *tls)
Transmit Finished record.
Definition tls.c:1972
EINVAL_TICKET
#define EINVAL_TICKET
Definition tls.c:106
tls_cipherstream_ops
static struct interface_operation tls_cipherstream_ops[]
TLS ciphertext stream interface operations.
Definition tls.c:3710
EINVAL_CERTIFICATE
#define EINVAL_CERTIFICATE
Definition tls.c:70
tls_send_record
static int tls_send_record(struct tls_connection *tls, unsigned int type, struct io_buffer *iobuf)
Send plaintext record(s)
Definition tls.c:3088
ENOMEM_RX_DATA
#define ENOMEM_RX_DATA
Definition tls.c:138
tls_set_cipher
static int tls_set_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec, struct tls_cipher_suite *suite)
Set cipher suite.
Definition tls.c:905
ENOMEM_CERTIFICATE
#define ENOMEM_CERTIFICATE
Definition tls.c:122
tls_send_client_hello
static int tls_send_client_hello(struct tls_connection *tls)
Transmit Client Hello record.
Definition tls.c:1353
tls_client_hello
static int tls_client_hello(struct tls_connection *tls, int(*action)(struct tls_connection *tls, const void *data, size_t len))
Digest or transmit Client Hello record.
Definition tls.c:1172
tls_find_cipher_suite
static struct tls_cipher_suite * tls_find_cipher_suite(unsigned int cipher_suite)
Identify cipher suite.
Definition tls.c:872
tls_validator_desc
static struct interface_descriptor tls_validator_desc
TLS certificate validator interface descriptor.
Definition tls.c:3795
tls_set_uint24
static void tls_set_uint24(tls24_t *field24, unsigned long value)
Set 24-bit field value.
Definition tls.c:249
tls_hmac_update_va
static void tls_hmac_update_va(struct digest_algorithm *digest, void *ctx, va_list args)
Update HMAC with a list of ( data, len ) pairs.
Definition tls.c:487
tls_cipherstream_deliver
static int tls_cipherstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *xfer __unused)
Receive new ciphertext.
Definition tls.c:3659
md5_sha1_final
static void md5_sha1_final(void *ctx, void *out)
Generate MD5+SHA1 digest.
Definition tls.c:322
tls_hmac_final
static void tls_hmac_final(struct tls_cipherspec *cipherspec, void *ctx, void *hmac)
Finalise HMAC.
Definition tls.c:2977
EPERM_ALERT
#define EPERM_ALERT
Definition tls.c:166
EINVAL_IV
#define EINVAL_IV
Definition tls.c:90
ENOMEM_TX_PLAINTEXT
#define ENOMEM_TX_PLAINTEXT
Definition tls.c:130
EINVAL_HELLO_DONE
#define EINVAL_HELLO_DONE
Definition tls.c:78
tls_signature_hash_digest
static struct digest_algorithm * tls_signature_hash_digest(struct tls_signature_hash_id code)
Find TLS hash algorithm.
Definition tls.c:1061
TLS_NUM_CIPHER_SUITES
#define TLS_NUM_CIPHER_SUITES
Number of supported cipher suites.
Definition tls.c:863
tls_newdata_process_header
static int tls_newdata_process_header(struct tls_connection *tls)
Handle received TLS header.
Definition tls.c:3523
tls_find_named_curve
static struct tls_named_curve * tls_find_named_curve(unsigned int named_curve)
Identify named curve.
Definition tls.c:1090
tls_send_client_key_exchange
static int tls_send_client_key_exchange(struct tls_connection *tls)
Transmit Client Key Exchange record.
Definition tls.c:1846
tls_version
static int tls_version(struct tls_connection *tls, unsigned int version)
Check for TLS version.
Definition tls.c:278
tls_ready
static int tls_ready(struct tls_connection *tls)
Determine if TLS connection is ready for application data.
Definition tls.c:261
tls_plainstream_desc
static struct interface_descriptor tls_plainstream_desc
TLS plaintext stream interface descriptor.
Definition tls.c:3506
tls_change_cipher
static int tls_change_cipher(struct tls_connection *tls, struct tls_cipherspec_pair *pair)
Activate next cipher suite.
Definition tls.c:987
md5_sha1_update
static void md5_sha1_update(void *ctx, const void *data, size_t len)
Accumulate data with MD5+SHA1 algorithm.
Definition tls.c:309
tls_plainstream_deliver
static int tls_plainstream_deliver(struct tls_connection *tls, struct io_buffer *iobuf, struct xfer_metadata *meta __unused)
Deliver datagram as raw data.
Definition tls.c:3455
tls_session
static int tls_session(struct tls_connection *tls, const char *name)
Find or create session for TLS connection.
Definition tls.c:3937
free_tls
static void free_tls(struct refcnt *refcnt)
Free TLS connection.
Definition tls.c:384
tls_send_client_key_exchange_dhe
static int tls_send_client_key_exchange_dhe(struct tls_connection *tls)
Transmit Client Key Exchange record using DHE key exchange.
Definition tls.c:1591
EIO_ALERT
#define EIO_ALERT
Definition tls.c:114
EINVAL_HELLO
#define EINVAL_HELLO
Definition tls.c:66
tls_restart
static void tls_restart(struct tls_connection *tls)
Restart negotiation.
Definition tls.c:1135
tls_cipher_suite_null
struct tls_cipher_suite tls_cipher_suite_null
Null cipher suite.
Definition tls.c:855
tls_pubkey_exchange_algorithm
struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm
Public key exchange algorithm.
Definition tls.c:1490
tls_plainstream_window
static size_t tls_plainstream_window(struct tls_connection *tls)
Check flow control window.
Definition tls.c:3438
tls_hmac_list
static void tls_hmac_list(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, struct list_head *list, void *hmac)
Calculate HMAC over list of I/O buffers.
Definition tls.c:3012
tls_send_change_cipher
static int tls_send_change_cipher(struct tls_connection *tls)
Transmit Change Cipher record.
Definition tls.c:1955
tls_ecdhe_exchange_algorithm
struct tls_key_exchange_algorithm tls_ecdhe_exchange_algorithm
Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm.
Definition tls.c:1835
tls_send_client_key_exchange_pubkey
static int tls_send_client_key_exchange_pubkey(struct tls_connection *tls)
Transmit Client Key Exchange record using public key exchange.
Definition tls.c:1421
EINVAL_FINISHED
#define EINVAL_FINISHED
Definition tls.c:82
tls_cipherstream_window
static size_t tls_cipherstream_window(struct tls_connection *tls)
Check flow control window.
Definition tls.c:3642
tls_send_plaintext
static int tls_send_plaintext(struct tls_connection *tls, unsigned int type, const void *data, size_t len)
Send plaintext record.
Definition tls.c:3231
tls_hmac
static void tls_hmac(struct tls_cipherspec *cipherspec, struct tls_auth_header *authhdr, const void *data, size_t len, void *hmac)
Calculate HMAC.
Definition tls.c:2993
EINVAL_MAC
#define EINVAL_MAC
Definition tls.c:102
tls_prf
static void tls_prf(struct tls_connection *tls, const void *secret, size_t secret_len, void *out, size_t out_len,...)
Generate secure pseudo-random data.
Definition tls.c:571
tls_hmac_update
static void tls_hmac_update(struct tls_cipherspec *cipherspec, void *ctx, const void *data, size_t len)
Update HMAC.
Definition tls.c:2963
EPERM_RENEG_INSECURE
#define EPERM_RENEG_INSECURE
Definition tls.c:174
tls_new_server_hello
static int tls_new_server_hello(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello handshake record.
Definition tls.c:2152
tls_send_certificate_verify
static int tls_send_certificate_verify(struct tls_connection *tls)
Transmit Certificate Verify record.
Definition tls.c:1874
ENOMEM_RX_CONCAT
#define ENOMEM_RX_CONCAT
Definition tls.c:142
tls_close
static void tls_close(struct tls_connection *tls, int rc)
Finish with TLS connection.
Definition tls.c:423
tls_select_cipher
static int tls_select_cipher(struct tls_connection *tls, unsigned int cipher_suite)
Select next cipher suite.
Definition tls.c:944
EINVAL_PADDING
#define EINVAL_PADDING
Definition tls.c:94
tls_new_certificate_request
static int tls_new_certificate_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Certificate Request handshake record.
Definition tls.c:2557
tls_verify_padding
static int tls_verify_padding(struct tls_connection *tls, struct io_buffer *iobuf)
Verify block padding.
Definition tls.c:3257
EPROTO_VERSION
#define EPROTO_VERSION
Definition tls.c:190
tls_process_desc
static struct process_descriptor tls_process_desc
TLS TX process descriptor.
Definition tls.c:3920
tls_new_session_ticket
static int tls_new_session_ticket(struct tls_connection *tls, const void *data, size_t len)
Receive New Session Ticket handshake record.
Definition tls.c:2354
EPERM_VERIFY
#define EPERM_VERIFY
Definition tls.c:170
EPERM_RENEG_VERIFY
#define EPERM_RENEG_VERIFY
Definition tls.c:178
ENOTSUP_SIG_HASH
#define ENOTSUP_SIG_HASH
Definition tls.c:154
TLS_NUM_NAMED_CURVES
#define TLS_NUM_NAMED_CURVES
Number of supported named curves.
Definition tls.c:1081
tls_new_unknown
static int tls_new_unknown(struct tls_connection *tls __unused, struct io_buffer *iobuf)
Receive new unknown record.
Definition tls.c:2821
tls_dhe_exchange_algorithm
struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm
Ephemeral Diffie-Hellman key exchange algorithm.
Definition tls.c:1705
tls_new_data
static int tls_new_data(struct tls_connection *tls, struct list_head *rx_data)
Receive new data record.
Definition tls.c:2836
TLS_NUM_SIG_HASH_ALGORITHMS
#define TLS_NUM_SIG_HASH_ALGORITHMS
Number of supported signature and hash algorithms.
Definition tls.c:1009
tls_new_hello_request
static int tls_new_hello_request(struct tls_connection *tls, const void *data __unused, size_t len __unused)
Receive new Hello Request handshake record.
Definition tls.c:2121
tls_new_handshake
static int tls_new_handshake(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Handshake record.
Definition tls.c:2731
tls_iob_reserved
static size_t tls_iob_reserved(struct tls_connection *tls, size_t len)
Calculate maximum additional length required for transmitted record(s)
Definition tls.c:3034
tls_signature_hash_algorithm
static struct tls_signature_hash_algorithm * tls_signature_hash_algorithm(struct pubkey_algorithm *pubkey, struct digest_algorithm *digest)
Find TLS signature and hash algorithm.
Definition tls.c:1020
tls_plainstream_ops
static struct interface_operation tls_plainstream_ops[]
TLS plaintext stream interface operations.
Definition tls.c:3495
md5_sha1_algorithm
static struct digest_algorithm md5_sha1_algorithm
Hybrid MD5+SHA1 digest algorithm.
Definition tls.c:331
tls_parse_chain
static int tls_parse_chain(struct tls_connection *tls, const void *data, size_t len)
Parse certificate chain.
Definition tls.c:2405
tls_clear_handshake
static void tls_clear_handshake(struct tls_connection *tls)
Clear handshake digest algorithm.
Definition tls.c:782
tls_new_certificate
static int tls_new_certificate(struct tls_connection *tls, const void *data, size_t len)
Receive new Certificate handshake record.
Definition tls.c:2486
tls_new_server_hello_done
static int tls_new_server_hello_done(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Hello Done handshake record.
Definition tls.c:2617
tls_verify_handshake
static void tls_verify_handshake(struct tls_connection *tls, void *out)
Calculate handshake verification hash.
Definition tls.c:839
ENOMEM_CONTEXT
#define ENOMEM_CONTEXT
Definition tls.c:118
tls_add_handshake
static int tls_add_handshake(struct tls_connection *tls, const void *data, size_t len)
Add handshake record to verification hash.
Definition tls.c:823
tls_generate_keys
static int tls_generate_keys(struct tls_connection *tls)
Generate key material.
Definition tls.c:697
tls_new_record
static int tls_new_record(struct tls_connection *tls, unsigned int type, struct list_head *rx_data)
Receive new record.
Definition tls.c:2868
tls_uint24
static unsigned long tls_uint24(const tls24_t *field24)
Extract 24-bit field value.
Definition tls.c:238
tls_clear_cipher
static void tls_clear_cipher(struct tls_connection *tls, struct tls_cipherspec *cipherspec)
tls_new_server_key_exchange
static int tls_new_server_key_exchange(struct tls_connection *tls, const void *data, size_t len)
Receive new Server Key Exchange handshake record.
Definition tls.c:2526
tls_send_client_key_exchange_ecdhe
static int tls_send_client_key_exchange_ecdhe(struct tls_connection *tls)
Transmit Client Key Exchange record using ECDHE key exchange.
Definition tls.c:1716
tls_new_alert
static int tls_new_alert(struct tls_connection *tls, struct io_buffer *iobuf)
Receive new Alert record.
Definition tls.c:2071
tls_tx_resume_all
static void tls_tx_resume_all(struct tls_session *session)
Resume TX state machine for all connections within a session.
Definition tls.c:1123
add_tls
int add_tls(struct interface *xfer, const char *name, struct x509_root *root, struct private_key *key)
Add TLS on an interface.
Definition tls.c:3997
tls.h
Transport Layer Security Protocol.
TLS_SERVER_HELLO
#define TLS_SERVER_HELLO
Definition tls.h:71
TLS_SERVER_KEY_EXCHANGE
#define TLS_SERVER_KEY_EXCHANGE
Definition tls.h:74
TLS_TYPE_ALERT
#define TLS_TYPE_ALERT
Alert content type.
Definition tls.h:60
TLS_TX_BUFSIZE
#define TLS_TX_BUFSIZE
TX maximum fragment length.
Definition tls.h:493
TLS_NEW_SESSION_TICKET
#define TLS_NEW_SESSION_TICKET
Definition tls.h:72
TLS_CLIENT_KEY_EXCHANGE
#define TLS_CLIENT_KEY_EXCHANGE
Definition tls.h:78
TLS_VERSION_TLS_1_2
#define TLS_VERSION_TLS_1_2
TLS version 1.2.
Definition tls.h:48
TLS_CHANGE_CIPHER_SPEC
#define TLS_CHANGE_CIPHER_SPEC
Change cipher spec magic byte.
Definition tls.h:57
TLS_CIPHER_SUITES
#define TLS_CIPHER_SUITES
TLS cipher suite table.
Definition tls.h:227
TLS_EXTENDED_MASTER_SECRET
#define TLS_EXTENDED_MASTER_SECRET
Definition tls.h:149
TLS_VERSION_MAX
#define TLS_VERSION_MAX
Maximum supported TLS version.
Definition tls.h:51
TLS_RENEGOTIATION_INFO
#define TLS_RENEGOTIATION_INFO
Definition tls.h:155
TLS_RX_MIN_BUFSIZE
#define TLS_RX_MIN_BUFSIZE
Minimum RX I/O buffer size.
Definition tls.h:511
TLS_MAX_FRAGMENT_LENGTH_VALUE
#define TLS_MAX_FRAGMENT_LENGTH_VALUE
Advertised maximum fragment length.
Definition tls.h:485
TLS_FINISHED
#define TLS_FINISHED
Definition tls.h:79
TLS_CERTIFICATE_VERIFY
#define TLS_CERTIFICATE_VERIFY
Definition tls.h:77
TLS_ALERT_FATAL
#define TLS_ALERT_FATAL
Definition tls.h:83
TLS_ALERT_CLOSE_NOTIFY
#define TLS_ALERT_CLOSE_NOTIFY
Definition tls.h:86
TLS_HELLO_REQUEST
#define TLS_HELLO_REQUEST
Definition tls.h:69
TLS_RX_ALIGN
#define TLS_RX_ALIGN
RX I/O buffer alignment.
Definition tls.h:514
TLS_CLIENT_HELLO
#define TLS_CLIENT_HELLO
Definition tls.h:70
TLS_NAMED_CURVES
#define TLS_NAMED_CURVES
TLS named curve table.
Definition tls.h:253
TLS_TYPE_HANDSHAKE
#define TLS_TYPE_HANDSHAKE
Handshake content type.
Definition tls.h:63
TLS_SERVER_NAME
#define TLS_SERVER_NAME
Definition tls.h:129
TLS_RX_HEADER
@ TLS_RX_HEADER
Definition tls.h:175
TLS_RX_DATA
@ TLS_RX_DATA
Definition tls.h:176
TLS_TYPE_DATA
#define TLS_TYPE_DATA
Application data content type.
Definition tls.h:66
TLS_ALERT_WARNING
#define TLS_ALERT_WARNING
Definition tls.h:82
TLS_CERTIFICATE_REQUEST
#define TLS_CERTIFICATE_REQUEST
Definition tls.h:75
TLS_TX_FINISHED
@ TLS_TX_FINISHED
Definition tls.h:186
TLS_TX_CLIENT_KEY_EXCHANGE
@ TLS_TX_CLIENT_KEY_EXCHANGE
Definition tls.h:183
TLS_TX_CLIENT_HELLO
@ TLS_TX_CLIENT_HELLO
Definition tls.h:181
TLS_TX_CHANGE_CIPHER
@ TLS_TX_CHANGE_CIPHER
Definition tls.h:185
TLS_TX_CERTIFICATE_VERIFY
@ TLS_TX_CERTIFICATE_VERIFY
Definition tls.h:184
TLS_TX_CERTIFICATE
@ TLS_TX_CERTIFICATE
Definition tls.h:182
TLS_CERTIFICATE
#define TLS_CERTIFICATE
Definition tls.h:73
TLS_TYPE_CHANGE_CIPHER
#define TLS_TYPE_CHANGE_CIPHER
Change cipher content type.
Definition tls.h:54
TLS_SERVER_NAME_HOST_NAME
#define TLS_SERVER_NAME_HOST_NAME
Definition tls.h:130
TLS_SIG_HASH_ALGORITHMS
#define TLS_SIG_HASH_ALGORITHMS
TLS signature hash algorithm table.
Definition tls.h:305
TLS_SERVER_HELLO_DONE
#define TLS_SERVER_HELLO_DONE
Definition tls.h:76
TLS_MAX_FRAGMENT_LENGTH
#define TLS_MAX_FRAGMENT_LENGTH
Definition tls.h:133
TLS_RX_BUFSIZE
#define TLS_RX_BUFSIZE
RX I/O buffer size.
Definition tls.h:503
TLS_NAMED_CURVE_TYPE
#define TLS_NAMED_CURVE_TYPE
TLS named curved type.
Definition tls.h:235
TLS_NAMED_CURVE
#define TLS_NAMED_CURVE
Definition tls.h:140
TLS_SESSION_TICKET
#define TLS_SESSION_TICKET
Definition tls.h:152
TLS_SIGNATURE_ALGORITHMS
#define TLS_SIGNATURE_ALGORITHMS
Definition tls.h:146
data_len
uint32_t data_len
Microcode data size (or 0 to indicate 2000 bytes)
Definition ucode.h:15
create_validator
int create_validator(struct interface *job, struct x509_chain *chain, struct x509_root *root)
Instantiate a certificate validator.
Definition validator.c:760
validator.h
Certificate validator.
lifetime
u32 lifetime
For Lifetime-type KDEs, the lifetime in seconds.
Definition wpa.h:27
keysize
u16 keysize
Length of encryption key to be used, network byte order.
Definition wpa.h:10
iv
u8 iv[16]
Initialization vector.
Definition wpa.h:33
tx
u8 tx[WPA_TKIP_MIC_KEY_LEN]
MIC key for packets to the AP.
Definition wpa.h:4
x509_auto_append
int x509_auto_append(struct x509_chain *chain, struct x509_chain *store)
Append X.509 certificates to X.509 certificate chain.
Definition x509.c:1868
x509_check_name
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
Definition x509.c:1564
x509_alloc_chain
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
Definition x509.c:1615
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition x509.c:147
x509_find_key
struct x509_certificate * x509_find_key(struct x509_chain *store, struct private_key *key)
Identify X.509 certificate by corresponding public key.
Definition x509.c:1835
x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition x509.c:1674
x509_append
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition x509.c:1638
x509.h
X.509 certificates.
x509_first
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
Definition x509.h:311
x509_root_get
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition x509.h:393
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition x509.h:325
x509_root_put
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition x509.h:404
x509_chain_put
static void x509_chain_put(struct x509_chain *chain)
Drop reference to X.509 certificate chain.
Definition x509.h:300
xfer_window
size_t xfer_window(struct interface *intf)
Check flow control window.
Definition xfer.c:117
xfer_deliver
int xfer_deliver(struct interface *intf, struct io_buffer *iobuf, struct xfer_metadata *meta)
Deliver datagram.
Definition xfer.c:195
xfer_alloc_iob
struct io_buffer * xfer_alloc_iob(struct interface *intf, size_t len)
Allocate I/O buffer.
Definition xfer.c:159
xfer_window_changed
void xfer_window_changed(struct interface *intf)
Report change of flow control window.
Definition xfer.c:147
xfer_deliver_iob
int xfer_deliver_iob(struct interface *intf, struct io_buffer *iobuf)
Deliver datagram as I/O buffer without metadata.
Definition xfer.c:256
xfer.h
Data transfer interfaces.
Generated by doxygen 1.14.0